A Tutorial on 5G Positioning

The widespread adoption of the fifth generation (5G) of cellular networks has brought new opportunities for the development of localization-based services. High-accuracy positioning use cases and functionalities defined by the standards are drawing the interest of vertical industries. In the transition towards the deployment, this paper aims to provide an in-depth tutorial on 5G positioning, summarizing the evolutionary path that led to the standardization of cellular-based positioning, describing the localization elements in current and forthcoming releases of the Third Generation Partnership Project (3GPP) standard, and the major research trends. By providing fundamental notions on wireless localization, comprehensive definitions of measurements and architectures, examples of algorithms, and details on simulation approaches, this paper is intended to represent an exhaustive guide for researchers and practitioners. Our approach aims to merge practical aspects of enabled use cases and related requirements with theoretical methodologies and fundamental bounds, allowing to understand the trade-off between system complexity and achievable, i.e., tangible, benefits of 5G positioning services. We analyze the performance of 3GPP Rel-16 positioning by standard-compliant simulations in realistic outdoor and indoor propagation environments, investigating the impact of the system configuration and the limitations to be resolved for delivering accurate positioning solutions.


I. Introduction
The recent enhancement of the fifth generation (5G) of cellular communications unveiled an era of unprecedented connectivity, embracing altogether the enhanced mobile broadband (eMBB), ultra-reliable low-latency communications (URLLC) and massive machine-type communication (mMTC) scenarios [1].
H. Huang and H. Wymeersch are with the Department of Electrical Engineering, Chalmers University of Technology, Göteborg, Sweden.(e-mail: huiping@chalmers.se,henkw@chalmers.se).application area that is benefiting from the adoption of the 5G technology is the Internet of things (IoT) [5], [6], where the high density of connected devices calls for the design of enhanced radio access methodologies for mutual coordination [7].In the IoT, 5G connectivity enables real-time data analytics [8], representing a game changer for industries [9] and redesigning the business models of vendors [10].Visions on the IoT ecosystem expect a growing impact from beyond 5G (B5G) communication technologies [11], [12].The empowered 5G connectivity will bring major enhancements in mobility, including road vehicles [13], trains [14], and drones [15], with 5G vehicle-to-everything (V2X) communications [16]- [18] are fostering the rollout of enhanced automotive services demanding for high-speed data transfer.Major impact is also expected in healthcare services [19], [20] and large-scale network automation [21]- [23].
Within such an evolution for the telecommunication market, 5G positioning stands out as a key fundamental enabler that promises to unlock and revolutionize location-based services [24], [25].Positioning has been a desired feature of cellular communications since the second generation (2G) [26]; however, with the deployment of 5G networks, it has undergone a paradigm shift, leveraging the unique capabilities of this new wireless technology in providing unprecedented location accuracy [27], [28], navigation augmentation capabilities and competitiveness against other technologies [29].
The popularity of positioning is remarked by the significant efforts in technological research frontiers about ultra-wideband (UWB) [30], [31], millimeter wave (mmWave) [32]- [34], teraHertz (THz) [35]- [38] and wireless optical networks [39], [40] that allow improving positioning services by exploring larger signal bandwidths.Improvements in positioning are also being investigated by developing new technologies that allow to control of the interaction of the radio signal with the propagation environment by reconfigurable intelligent surfaces (RISs) [41], [42].

A. Related work on 5G positioning
A first investigation of the potentials of 5G positioning is in [85], where the authors highlight how mmWave and massive multiple-input multiple-output (MIMO) technologies represent key enablers for localization.They discuss general concepts of location-aware communications and use path-loss models to motivate the need for beamforming to counteract the high propagation losses at mmWave.The performed simulations, using angle of departure (AOD), angle of arrival (AOA), and time of arrival (TOA) measurements extracted from large bandwidth (600 MHz) signals at mmWave (60 GHz), prove an achievable cm-level positioning accuracy.
More recent studies addressed the topic of 5G positioning, focusing on cellular positioning architectures, algorithms and envisioned applications [86]- [109].The work in [86] provides a concise and thorough analysis of how cellular systems have changed from the first generation (1G) to the fourth generation (4G), also offering a basic introduction to the architecture and security protocols employed in each generation.A more detailed review of the architecture evolution and the positioning technologies is in [87].Key enablers are discussed in [88], where the authors give an overview of 5G massive MIMO localization, with a main focus on mmWave frequencies.They discuss channel modeling and localization algorithms, outlining possible research directions.A comprehensive explanation of the 5G positioning signals and methodologies, with some insights into the architectures, is provided in [89].Non-standardized, e.g., machine learning (ML)-based algorithms, are discussed in [90] and compared (from a theoretical perspective) with conventional (i.e., non ML-based) algorithms.Given the lack of a unified platform to support the research on 5G localization algorithms, authors in [91] introduce a link-level simulator for channel state information (CSI)-based localization in 5G networks, which can realistically depict physical behaviors of the system.
Moving to application-oriented works, the main interest is in the potential of 5G positioning, especially in terms of accuracy and latency in vehicular networks.Therein, the 5G hardware can act as an additional sensor of the vehicular onboard sensor suite, providing communication, positioning, and sensing functionalities [92].In the vehicular context, 5G mmWave positioning was shown to provide high-accuracy localization, thanks to the large bandwidth [93], [94], provided that the communication beams are correctly steered [95].This can be achieved with the assistance of onboard navigation sensors [96], [97].The 5G technology has also been used for pedestrian positioning [98], also complementing global navigation satellite system (GNSS) [99], [100] in outdoor positioning and navigation.
Another main context for research is indoor positioning, whose evolution and applications are studied in [101] and further investigated in the fields of IoT and device-free localization [102]- [104] where deep shadowing and dense multipath represent severe impairments for positioning.Authors in [105], [106] have proposed techniques to efficiently remove outliers for 5G indoor positioning in smart factories.Multipath is being exploited as a friend instead of a foe [107] by gaining insightful information for positioning from wall reflections.Third Generation Partnership Project (3GPP) standardcompliant simulations are carried out in [108], [109], where the positioning capabilities of 3GPP Rel-16 have been investigated in the urban micro (UMi), urban macro (UMa), and indoor open office (IOO) scenarios, considering multicell round-trip time (RTT), downlink (DL)-time difference of arrival (TDOA), and uplink (UL)-AOA positioning.Lastly, 5G, WiFi and their fusion are compared in [110] for fingerprinting with incomplete maps.
Concerning experimental validation, at present, most of the experiments have been performed using software-defined receiver (SDR) with long term evolution (LTE) [111] or 5G [112]- [114].SDRs have been used for positioning purposes by extracting CSI [115], [116] or channel impulse response (CIR) parameters [117], [118], resulting into timedomain techniques.SDR hardware such as universal software radio peripheral (USRP) can also be used for phase tracking, reaching a sub-meter positioning accuracy in indoor environments [119].
A main topic of research is positioning augmentation in harsh environments with low base stations (BSs) visibility and multipath exploitation.Authors in [120] combine AOD with multi-RTT to cope with a limiting number of visible BSs, still neglecting reflections and scattering due to the absence of ray tracing (RT) simulations.In an urban environment, authors in [121] exploit the difference of received signal strength (DRSS) to avoid dealing with synchronization issues.Further studies on 5G positioning in harsh environments can be found in [122]- [126].The work in [122] provides a theoretical analysis of the position and orientation accuracy achieved by harnessing non-line of sight (NLOS) components.In [123], the concept of blockage intelligence is introduced, showing that a probabilistic description of the propagation environment (especially indoors, such as factories) can be profitably embedded into positioning algorithms.Authors of [125] demonstrate that joint synchronization, positioning, and mapping are possible even when the line of sight (LOS) path is blocked, and the reflecting surfaces are only characterized by diffuse scattering.Lastly, in [126], the feasibility of localizing a user equipment (UE) with one BS under NLOS conditions is shown by exploiting the reflections from a RIS in near-field propagation regime.
Most of the other existing surveys and tutorials currently available in the literature are not fully focused on 5G positioning; still, they cover a variety of related topics.The Outdoor Indoor [1] 2017 Symbol ✓ indicates that the work fully covers the topic, while ✓ indicates a partial coverage of the topic.Symbol ✗ specifies the topic is not addressed.
tutorial in [127] focuses on beam management procedures for mmWave cellular networks.Mobile traffic and its characterization according to the application are discussed in [128].The visions on B5G drivers, use cases, requirements, key performance indicators (KPIs), architectures, enabling technologies, and algorithms given in [129], [130], [133] attempt to shape the forthcoming revolution brought by sixth generation (6G) technology.Specifically, authors in [129] provide a general view by explaining the motivation for the advent of 6G; the work in [130] is dedicated to the application of IoT in the contexts of cellular, wide-area, and non-terrestrial networks (NTNs); while [133] is focused on deep neural network (DNN) application for cell-free massive MIMO.Looking towards 6G, tutorials on mmWave and THz communication and localization have been proposed [131], [132]; the former work is focused on mathematical modeling, while the latter is shaped with an application-oriented perspective and compares mmWave and THz technologies on the achievable localization performances.
Previous works highlight the necessity for a comprehensive guideline on 5G positioning, guiding the reader from the fundamentals of positioning to the latest literature enhancements, complemented by a side vision of the evolution of the standards and applications.We acknowledge a gap in developing realistic environment-dependent simulations through RT tools, which are essential for accurately accounting for the presence of obstacles impacting the UE-BS visibility.Most of the prior art is typically focused on a single scenario; thus, the findings have poor generalization.Here, we exhaustively analyze several combinations of environments, mobility conditions, visibility, and 5G signal configurations, offering a thorough set of outcomes and conclusions encompassing a complete vision of the potential of 5G positioning.
A comparison of this work with respect to existing surveys and tutorials available in the literature is summarized in Table I, where we highlight the contents of each reference in terms of the cellular technology addressed, use case descriptions and requirements, discussion of the positioning architecture and methods, and types of simulation analyses.

B. Contribution
By proceeding over the survey in [26], which provides an historical overview of cellular positioning from 1G to 3GPP Rel-15, this tutorial paper aims to provide the reader a comprehensive and accessible reference guideline to the convoluted world of 5G positioning, by offering a short summary of historical developments, contextualization of the current state of research, and an outlook over future developments.It is designed to cater to a diverse audience, ranging from researchers and engineers seeking an in-depth understanding of the subject to practitioners looking for practical insights into harnessing 5G positioning for real-world applications.With this approach, we characterize the maturity level of the technology and analyze the enabled use cases.We also discuss the main industrial and technological trends, as well as research advances inherited by previous generations of cellular networks.By providing an overview of standardization activities and highlighting fundamental research, we define potential directions of forthcoming B5G systems and their associated breakthrough applications.We also review experimental positioning activities by analyzing state-of-the-art solutions and algorithms.At the same time, this work presents a thorough assessment of 5G positioning capabilities under different system configurations that are useful to understand the achievable performance by varying the settings.
The main contributions are the following: • We provide an overview of the evolution of cellular positioning, from the first development until the current 5G version, with an overlook over the forthcoming releases, analyzing the enhancements introduced over the generations and the current innovation trends; This involves an exploration of the specific features of these signals and their role in enabling accurate and efficient positioning; • We conduct a thorough examination of 5G positioning architectures and methods by discussing the various solutions that can be employed to achieve precise positioning; • We carry out extensive 5G positioning simulations in outdoor and indoor scenarios that are relevant for challenging use cases such as automotive or industrial automation.We consider both static and mobile UE positioning, analyzing different system parameters and configurations such as numerology, positioning methodology, and antenna array configuration; • We discuss the current limitations of 5G positioning by providing the reader an easy understanding of the main challenges that research and industry are addressing for releasing cellular-based location services.Lastly, we delineate potential avenues for future research in cellular positioning.

C. Tutorial organization
As highlighted in the mind map in Fig. 1, this tutorial is organized as follows: Section II starts by motivating why 5G positioning is useful in exemplary use cases taken from industrial and automotive domains, and then presents the evolution of cellular positioning from a historical perspective from 1G to the latest releases, diving into the future of B5G trends.In Section III, we first review the fundamentals of wireless localization, describing the different classes of positioning measurements and positioning/tracking algorithms.Section IV is devoted to the description of the 5G positioning architecture, the associated reference signals, as well as the 5G positioning methods.Section V focuses on simulation analyses, with a description of performance metrics, the simulation environment, and parameters, and achieved results for a number of different system configurations.Section VI analyzes the results, highlighting the lessons learned in the previous sections and delineating current limitations impairing cellular positioning.Concluding remarks and future directions are discussed in Section VII.

D. Notation
Vectors are denoted by boldface lower-case letters (e.g., ) and matrices by boldface upper-case letters (e.g., ).The number of elements of an array, i.e., the cardinality, is indicated by ||, while ∥ ∥ denotes the l2-norm of .The transpose of a matrix  is written as  T , its Hermitian as  H , while  −1 denotes the inverse operation.The notation diag() is used to denote a diagonal matrix with vector  as its main diagonal, tr( ) is the trace of matrix .In this section, we provide an overview of cellular positioning, starting from the targeted use cases to the technological evolution put in place to satisfy the performance requirements of such use cases, with a closer look at the latest 5G releases and future trends.Section II-A investigates the positioning use case requirements; Section II-B summarizes the evolution of the technology from the early days of analog cellular networks to the modern era of 5G positioning; Section II-C discusses the specific features of 5G positioning, from the first release of 5G (3GPP Rel-15) up to the forthcoming Rel-19.By the end of this section, the reader should have a better understanding of the evolution of cellular positioning and the advancements conceived in the design of 5G positioning.

A. Cellular positioning use cases
5G positioning targets a wide range of use cases with highly different performance requirements.Main positioning KPIs includes accuracy, availability, latency, coverage, energy consumption, and update rate, which contribute to determining the feasibility (or not) of a specific service.To this extent, the document [134] specifies seven service levels to be guaranteed by 5G positioning systems.Regarding the association between positioning accuracy and the standard releases, we report that Rel-16 for commercial use cases aims to guarantee 3 m for horizontal accuracy [135], while in Rel-17 it is set to 20 cm.Other safety-critical metrics to be taken into account are reliability and integrity, which are related to the degradation of the positioning accuracy and the trustworthiness of the positioning system [92].
Among the verticals that would benefit from 5G positioning, a critical one is the automotive sector, where the enhancements on automated (and autonomous) services call for highly accurate positioning with ultra-low latency and high reliability [136], [137].A description of the envisioned automotive use cases as prescribed by the 5G Automotive Association (5GAA) [138], [139] with associated positioning accuracy is reported in Table II.These requirements were already envisioned in [93], where 5G is indicated as the most promising technology able to meet all of them.
Another major class of use cases refers to indoor positioning, which has been widely studied and discussed due to the necessity to guarantee safety for clients and workers such as in hospital [140]- [142] or workspace [143], [144].In particular, we can distinguish between consumer applications and industrial services.The former can tolerate relatively low positioning accuracy (3 m) and high latency (1 s), while the latter has stricter requirements.Specifically, most of the industrial needs are related to asset tracking [145], where positioning accuracy in the order of centimeters and latency in the order of milliseconds is requested [134], [146].Table III reports some indoor use cases, specifying horizontal accuracy, maximum UE speed, and latency.
The reported use cases for cellular V2X (C-V2X) and indoor services are recognized as benchmarks and contain valuable information for the research and industries.Notice that a critical aspect of the specification of requirements (especially for safetyrelated constraints) is also attributable to the speed of involved terminals, which affects positioning accuracy, latency, and integrity.Guaranteeing the same level of positioning accuracy requirement at higher speeds poses a greater challenge compared to nearly-static mobility conditions.

B. Evolution of cellular positioning technology from 1G to 4G
Localization functionalities were introduced for the first time in cellular networks in the mid-1990s due to the specific requirements issued by enhanced emergency call services in the United States (US) [26].Even if localization procedures were not mentioned in the early cellular standards, localization solutions had been adopted since 1G to target the UE position, particularly for vehicles.In the beginning, only methods based on signal strength were used, although the idea of exploiting a coarse AOA estimation by directive antennas had been raised [147].
The enhanced 911 (e991) requirements approved by the Federal Communications Commission (FCC) [148] encouraged the study for more accurate localization methods in 2G cellular systems, introduced with the global system for mobile communications (GSM) standard.In 2G systems, while the primary focus was on UL-TDOA for localization, the framework also acknowledged the potential of AOA, fingerprinting, and other methods.Indeed, further studies demonstrated the feasibility of AOA estimation with GSM network by using DRSS [149].
With the introduction of the third generation (3G) and the globalization of cellular communications driven by the 3GPP, cellular localization methods initiated a standardization process.The goal of 3GPP was to support emergency services and foster location-based applications.With the advent of 3G,  the following network-based localization solutions have been introduced: TOA, TDOA, AOA, cell-ID (CID), fingerprinting, and hybrid methods [150].Moreover, 3G was used to augment global positioning system (GPS) with differential corrections, providing a navigation message to reduce the time-to-firstfix (TTFF) and facilitate tracking.This method was already standardized in 2G under the name of assisted-GPS (A-GPS).
The universal mobile telecommunications system (UMTS), as the successor of GSM, was one of the candidate technologies to define an international standard for 3G networks.UMTS was delineated by 3GPP and its main air interface was called universal terrestrial radio access (UTRA).
Transitioning from 3G to 4G, the LTE standard marked the progression from GSM and UMTS, introducing the evolved UTRA (E-UTRA) air interface.E-UTRA is based on orthogonal frequency-division multiple access (OFDMA) in DL and singlecarrier frequency-division multiple access (SC-FDMA) in UL.One of the objectives of LTE localization was to act as a backup to the A-GPS when satellite visibility is not ensured.Therefore, a positioning reference signal (PRS) was designed for DL purposes.With Rel-9 in 2009, LTE positioning had a major breakthrough.Multiple positioning methods were defined, such as enhanced cell-ID (eCID) and observed TDOA (OTDOA), adopting the newly designed PRS.Moreover, the LTE positioning protocol (LPP) was defined in 3GPP technical specification (TS) 36.355[151], and assisted-GNSS (A-GNSS) was included in 3GPP TS 36.305[152].
From Rel-10, the standardization of LTE advanced (LTE-A) starts to include the UL-TDOA method based on sounding reference signals (SRSs) to complement A-GNSS.Further-more, an improvement of PRSs was proposed to increase the hearability.The hearability problem arises when a user needs to communicate with multiple BSs and differentiate the communication systems from positioning systems.In Rel-13, a further enhancement has been made with the LTE-A Pro, mainly addressed for strict indoor environments.Two of the main improvements referred to OTDOA enhancement (new PRS patterns and bandwidth extension) and MIMO introduction (multi-antenna arrays for beamforming).The introduction of 3GPP Rel-14, as well as continuing the LTE evolution, also sets the starting point for 5G [153].

C. 5G positioning from Rel-15 to Rel-19
Between 2017 and 2018, Rel-15 established the 5G technology foundation [154], which includes a range of features and capabilities designed to improve the performance and functionality of cellular networks.Rel-15, also known as 5G Phase 1, supports the use of both sub-6 GHz and millimeterwave bands for 5G communications and defines the following main use cases: • eMBB: designed to support data rates of up to several gigabits per second and to enable the use of high-bandwidth applications; • mMTC: designed to support a large number of connected devices and to enable low-power, low-cost communication for these devices; • URLLC: designed to support latency of less than 1 ms and reliability of up to 99.999%.Rel-15 mainly focuses on the first use case, also thanks to the introduction of network slicing, which allows different parts of a 5G network to be configured and optimized for specific use cases, allowing for higher flexibility and supporting a wider range of services.Moreover, the adoption of mobile edge computing is able to improve the performance of 5G networks and reduce latency [155].Lastly, it includes enhanced V2X communications, enabling vehicles to communicate with each other and with infrastructure elements, such as road-side units (RSUs).Since Rel-15 primarily lays the foundations for the 5G new radio (NR) technology, no further positioning enhancements have been developed with respect to LTE.
5G Phase 2 starts with Rel-16 at the end of 2018, which is built on the characteristics of Rel-15 and includes additional features and enhancements.In particular, it focuses on URLLC and mMTC use cases and includes support for the 6 GHz bands [156].From a positioning point of view, Rel-16 is one of the most valuable releases.First of all, 3GPP Rel-16 sets the basis for the 5G location services (LCSs) in the TS 23.273 [157].Then, using older signals as a basis, Rel-16 defines DL-PRS and UL-SRS signals, i.e., the enhanced versions of PRS in LTE and SRS of Rel-15, respectively.For this reason, throughout this tutorial, they will be referred to as PRS and SRS.These new reference signals improve the positioning accuracy and lower the communication overhead.In fact, PRSs have the capability to report TOAs from multiple gNodeBs (gNBs) simultaneously, and, together, they can be employed to compute RTT.Furthermore, Rel-16 supports operations in the frequency range (FR)1 and FR2, covering the ranges of 410 MHz -7.125 GHz and 24.25 -52.6 GHz, respectively, where larger bandwidths are available, thus enhancing the ranging accuracy.In Rel-16, 3GPP also mentions the possibility of introducing a new FR (unofficially referred to as FR3) to enable cellular communication in the range between 7 and 24 GHz [158].Its standardization is expected to be included in future releases.
At the end of 2020, 3GPP published Rel-17 based on the features proposed in the previous release.Key contributions for 5G positioning are the introduction of the support for 2.5 GHz and 4.5 GHz bands, the increased gNBs' coverage, and the improvements related to edge computing, network slicing, and V2X communications.Moreover, FR2 is extended up to 71 GHz.The main positioning improvements include [159]: • Timing delay correction at transmitter (Tx) and receiver (Rx) sides: Tx/Rx timing delay is a problem affecting ranging measurements, and it involves the generation, transmission, and reception of PRS and SRS.This error persists even after the internal calibration of UE and transmissionreception point (TRP), and the accuracy of timing-related positioning methods may be significantly affected, as reported in 3GPP technical report (TR) 38.857 [160].Rel-17 introduces timing error groups (TEGs) in order to mitigate this phenomenon [161].When multiple signals are sent from the same TRP, they are expected to have a similar Tx error; therefore, they are associated with the same group.Instead, signals from different TRPs should have a different Tx error and may belong to different groups.Therefore, associating the TEG identifier to the signal could be helpful for reducing Tx/Rx timing delay error [160], [161].
• UL-AOA and DL-AOD enhancements: UL-AOA enhance-ments include additional assistance data, such as expected AOA and its uncertainty through a search window, and multi-angle reporting.In particular, this last feature permits to discern the LOS within a group of multipath components that exhibit similar delay profiles.Rel-17 also introduces the UL-SRS reference signal received path power (RSRPP), which indicates the power of the received SRS for a given path.On the other hand, DL-AOD is based on DL-PRS reference signal received power (RSRP), which is the measurement used to select the best AOD.However, this measurement also takes into account multipath components, which are undesirable.Therefore, as for its UL counterpart, Rel-17 introduces the DL-PRS RSRPP, which is a measurement associated with the path and not with the entire channel, as well as the search window for DL-AOD.
• Multipath mitigation: it consists of reporting not only a single path but also additional paths (up to 8) as a part of timing estimation.• LOS/NLOS identification: it is provided using additional information, such as LOS/NLOS indicators, which could be a boolean value (i.e., 0 or 1) or a likelihood (between 0 and 1 with a step of 0.1) [162].
Moreover, the concept of position integrity is improved over Rel-15, and the positioning integrity monitoring, already supported by GNSS, is included in Rel-17 [160].The following KPIs are defined: • Alert limit (AL): The maximum positioning error allowed for the specific use case; • Time-to-alert (TTA): The maximum elapsed time to provide an alert when the positioning error exceeds the AL; • Target integrity risk (TIR): The probability that the positioning error exceeds the AL without warnings within the TTA.
In June 2021, at the 3GPP radio access network (RAN) Rel-18 Workshop, the concept of 5G Advanced was proposed with the aim of paving the way for 6G.Rel-18 is expected to bring further enhancements over the previous releases and introduce more intelligence into the wireless cellular network, with pervasive AI solutions spread over different network layers [163].The main focus of Rel-18 is to enhance network energy savings, coverage, mobility support, MIMO evolution, multicast and broadcast service, and positioning [164].Related to positioning, it should accommodate for carrier phase positioning (CPP), a GNSSnative technology capable of reaching cm-level accuracy [119], [165] but limited to outdoor applications, adapting the already standardized signals.Open challenges and potential solutions for indoor scenarios are provided in [166].At the same time, Rel-18 will support low-power high-accuracy positioning (LPHAP) requirements and positioning functionalities for reduced capacity (RedCap) UEs.Moreover, the enhanced support for AI and ML solutions is driving researchers to revolutionize beam management through spatial and temporal prediction, as well as to improve positioning directly (e.g., fingerprinting) or by using ML models to infer and refine measurements [167], [168].Lastly, Rel-18 reports the requirements for sidelink (SL) positioning and the implementation of ad-hoc SL signals based on PRS and SRS, called SL-PRS [169].
The timeline of standardization bodies will periodically foresee new releases, starting with Rel-19 (work activities opened since mid-2021 [134]) and proceeding over advanced standards defining the evolution of cellular networks.The new studies involving Rel-19 address the industrial needs not considered in the previous releases.Examples include metaverse services and energy harvesting for IoT-enabled factories.Both topics are strongly related to positioning: the estimate of user position and orientation is essential for the representation and interaction of the avatars [170], and energy-harvesting tags are a cost-effective way for asset tracking [171].To better support the applications of AI/ML, future cellular releases will aim to decentralize intelligence across devices rather than confining it solely to the network infrastructure.Therefore, data and models will be shared directly between devices without traversing the 5G core network [172].Consequently, objectives involve researching potential service and performance requirements necessary to facilitate efficient AI/ML operations via direct device connections.During a recent 3GPP meeting held in May 2024, the primary objective was to enhance positioning using AI/ML.Building on the Rel-18 baseline, the discussions focused on assisted and direct AI/ML positioning, improved beam management, and CSI feedback enhancements [173].
Fig. 2 shows the 5G evolution timeline, with a recap of the main positioning enhancements.

D. Positioning trends beyond 5G
The advent of B5G will represent a significant transformation for wireless communications [174].With the potential to revolutionize location-based services, the forthcoming cellular technology will ensure unprecedented positioning accuracy and high-speed connectivity.In this subsection, we briefly discuss the foreseen innovations related to technological and methodological aspects, covering topics such as the use of THz bands, RIS, CPP, near-field communication (NFC), distributed MIMO (D-MIMO), NTN, UAV, integrated sensing and communications (ISAC), six-dimensional (6D) positioning and orientation, SL and cooperative positioning (CP), and lastly AI.These aspects are summarized in Fig. 3 and described in the following.
1) THz bands: Even though the challenges of 5G are still to be resolved, research on B5G systems has already started [175].In particular, the next-generation of cellular networks taps into the THz spectrum, a frequency band with the availability of larger bandwidths, enabling higher data rates, lower latency, and enhanced positioning accuracy [176].The unique propagation characteristics of the THz band allow for an improved ability to determine the precise location of devices and users.This is thanks to the two-fold effect of (i) larger available bandwidth at such frequencies, providing improved delay resolution, and (ii) miniaturization possibilities, allowing packing of more antennas in a small area, improving angular resolution [132].Moreover, leveraging THz imaging and high-frequency simultaneous localization and mapping (SLAM), a high-accuracy positioning is expected in the coming decades, also leveraging NLOS scenario involving multipath reflections [177].On the other hand, the use of THz also comes with major challenges, such as high path loss (limiting the coverage) and sensitivity to atmospheric conditions [178] that call for enhanced precoding strategies [179] to avoid loss of connection.
2) RIS: B5G systems are expected to standardize and introduce in the market the concept of RIS [180] (also referred to as reconfigurable intelligent meta-surface (RIM) [181], [182]), which leverages the deployment of programmable surfaces with electromagnetic properties that can be controlled by software [183].These surfaces can manipulate the wireless signal environment [184], facilitating better signal quality and enabling precise positioning also when LOS path is not guaranteed [185].The adoption of RIS will improve UE positioning as it will behave as a multipath controller [186], which may provide both new location references and new measurements (e.g., angles, delays).Every single antenna of the surface can be treated as a local emitter, which makes the BS-UE link more robust even in poor propagation conditions [187], [188].Further advances on smart surfaces include transparent intelligent surfaces (TISs) (which support both outdoor and indoor positioning by adopting semi-transparent antennas) [189], spacetime modulated metasurfaces [190], and fully-passive, flexible, and chipless smart skins [191].The installation of RIS can be constrained by the physical properties of the objects: conformal metasurfaces can aid the installation over curved surfaces, such as over vehicles [192].The research on RIS suggests an ever-increasing interest in controlling electromagnetic waves, allowing to shape the environment according to the desired purposes.As a result, full control and exploitation of the wireless link enables holographic localization (HL), where RISs or large intelligent surfaces (LISs) [193], [194] together with NFC provide a great opportunity to move towards the ultimate capacity limit of the wireless channel [195] and enhance positioning capabilities [196] even in NLOS conditions [197].
3) CPP: The absolute phase of a signal, which relates to the distance between a transmitter and receiver, is used in CPP.In [198], CPP signals have been used for highly accurate positioning, with the potential for orders-of-magnitude performance improvements compared to standard TDOA positioning.Recent studies have explored CPP in cellular positioning, both integrated with GNSS and as a stand-alone solution, examining its application in different frequency ranges, its challenges, and its potential in various configurations like massive MIMO [119].
4) NTN: An NTN refers to a novel communication infrastructure that extends beyond Earth's surface, encompassing communication links established through satellites, drones, and other space-based platforms [199].These networks have gained prominence as a potential solution to address connectivity gaps in remote and underserved regions, offering improved global coverage and high-speed data transmission [200].The NTN technology leverages advancements in satellite technology, inter-satellite links, and emerging concepts like constellations of low Earth orbit satellites to create a seamless and interconnected network that can support various applications, from broadband internet access to IoT connectivity and emergency communication services [130].From the positioning perspective, NTN has been investigated in [201], and it was shown to have the potential to improve positioning accuracy by using the Cramér-Rao bound (CRB) analysis.5) UAV: UAV 5G positioning leverages the capabilities of 5G networks to enhance the accuracy and reliability of UAV navigation and location tracking.By utilizing the high data rates, the low latency, and the extensive coverage of 5G networks, a joint design of passive beamforming, blocklength, and UAV positioning has been developed in [202], which has excellent positioning precision.This technology enables UAVs to perform tasks that demand cm-level accuracy, such as aerial mapping, surveying, and critical infrastructure inspection.UAV was studied in [203] for autonomous positioning based on supervised DNN and reinforcement learning approaches.The integration of 5G positioning not only improves the UAV's ability to maintain its intended flight path but also enhances the safety and efficiency of operations, making it a crucial advancement in the realm of UAV-based applications [204].
6) NFC: The effect of near-field communications should be taken into account in situations where extremely large antenna arrays, RISs and/or D-MIMO are adopted [205]- [207].NFC mainly contains three features: spherical wavefront, spatial non-stationarity, and beam squint effect.Enhanced positioning capabilities can be achieved by incorporating these features and using specialized signal processing methods [208].For example, the authors in [209] derived the posterior CRB (PCRB) and discussed how the loss of positioning information outside the Fresnel region results from an increase of the ranging error rather than from inaccuracies of angular estimation.This provides means to position devices using very limited bandwidth, though often at a high complexity cost.
7) D-MIMO: D-MIMO is another key technology shaping B5G positioning.Unlike conventional MIMO, where multiple antennas are placed close together on a single device, in the D-MIMO paradigm, antennas are placed on separate phasecoherent devices distributed over a geographical area [210].A substantial body of literature on D-MIMO in B5G has been introduced in the community.For example, [211] demonstrated the potential of integrating fiber technologies with D-MIMO for precise localization, while [212] explored D-MIMO systems for joint radar and communication functionalities, proposing a strategy that optimizes both sensing and communication.The challenge of deploying D-MIMO in underwater environments was addressed in [213].Surveys in [214]- [217] discussed the scalability, performance improvements, and future outlook of cell-free massive MIMO systems, emphasizing their role in enhancing user experience, network efficiency, and meeting the ambitious goals of future wireless communications.[218] highlighted the paradigm shift towards cell-free massive MIMO, underlining its transformative potential for next-generation networks.Note that in some literature, such as [219] and [220], multi-array positioning has been considered, where multiple antenna arrays (placed in different locations) were used as Tx and/or Rx for radio positioning, revealing increased positioning accuracy, with respect to the 3GPP studies, along with improved robustness and multipath mitigation.The same concept is also referred to as distributed antenna system (DAS), especially in the vehicular context [221], indicating the installation of multiple antenna panels at different locations (e.g., one for each side of the vehicle).Compared to a single antenna, the redundancy of panels and their spatial distribution increase the quality of communication links by minimizing blockage conditions.Moreover, with two or more antennas, a single BS is sufficient for TDOA positioning.Although a new paradigm is required, the use of DAS is expected to improve positioning performance [222] and spectral efficiency [223].A distributed arrangement of arrays enhances spatial diversity and provides a better channel matrix, leading to improved signal quality, enhanced network capacity, and more accurate positioning [224].Many methods have been proposed to achieve this advantage, including graph-based methods, linear minimum mean square error (MMSE), sequential MMSE, zero-forcing (ZF), among others [216], [217], [224].D-MIMO is especially useful in highdensity environments, such as urban settings and large public venues, where accurate positioning is critical [225].While D-MIMO is often operated in phase-coherent mode, at higher frequencies, frequency-coherent D-MIMO is more practical to implement, leading to separate channels per antenna [226].Phase-coherent and frequency-coherent D-MIMO are both attractive for positioning, though with different benefits.
8) ISAC: ISAC involves merging sensor networks and communication systems to gather real-time data and facilitate seamless information exchange.This integration greatly benefits B5G positioning by enabling multi-sensor fusion for more accurate positioning, providing redundancy for reliability, and supporting adaptive algorithms that respond to changing conditions [227], [228].ISAC will not only provide new sensing functions (both radar-like and spectroscopy-like), but integrated sensing enhances existing positioning and localization techniques, contributing to highly accurate and resilient positioning solutions in various scenarios and environments [92], [229]- [231].The authors in [231] extended the classic probabilistic data association SLAM mechanism to achieve UE localization, using ISAC systems and showing better performance without any prior information.Besides, in [92], a case study for ISAC using experimental data showcased the potential of the new enablers that are paving the way toward enhanced road safety in B5G scenarios.Finally, the ISAC paradigm also provides enhancements for communication itself, as time-consuming beam training and handover can be avoided.9) 6D positioning: The significance of joint 3D position and 3D orientation estimation, commonly referred to as 6D localization, cannot be overstated [232].While 5G mmWave primarily focused on UE position estimation, the demands of B5G necessitate comprehensive 6D information.This encompasses both 3D positioning and 3D orientation, often termed pose in robotics.For instance, cooperative intelligent transport systems (C-ITS) require vehicle position and heading for advanced features like driving assistance and platooning.In assisted living environments, a resident's pose can offer insights into their health.Similarly, UAVs in search-and-rescue missions rely on precise pose data for effective operations.Typical 6G applications such as VR, augmented reality, robot interactions, and digital twins will further underscore the need for 6D localization [233], [234].While external systems, like the fusion of GNSS (for positioning) and internal measurement unit (IMU) (for orientation), offer solutions, they have limitations like indoor inefficiencies or error accumulation.A more integrated approach would harness existing cellular infrastructure for 6D localization, utilizing multiple BSs for accurate UE orientation and position estimation.
10) SL and CP: In B5G systems, the development of direct device-to-device communication is fundamental to lower latency and guarantee the service even in out-of-coverage conditions (i.e., areas without cellular BSs) [235].This is facilitated through SL communications (e.g., vehicle-to-vehicle (V2V) communications [236]), which allow to bypass the traditional routing through a BSs and core network [237], enhancing the reliability of positioning service, reducing latency, and enabling accurate relative positioning in proximity [238].Sidelink communications can also benefit from a-priori knowledge of digital maps or channel information for a more efficient link [239].The evolution of 3GPP standards looks towards the development of a unique technology jointly guaranteeing SL communications and positioning, like for uplink and downlink, complying with the convergence of communication, localization, and sensing in forthcoming 6G networks [240].These features are inherently suited for the rise of CP solutions [241]- [245].In CP, signal processing techniques operate on either centralized or distributed network architectures and typical application domains include IoT [246]- [250], C-ITS [137], [251]- [255], maritime surveillance [256], [257], collaborative robotics [258], drones or UAVs [259]- [261].These systems critically necessitate sensing agents perceiving the environment in proximity and making informed decisions based on the data received from both individual sensors and communication links.The collaboration among distributed agents also enhances situational awareness, allowing for improved localization resolution of both agents and potential obstacles or targets [262]- [266].In this framework, the use of RIS working as anchor nodes with known positions has been recently proposed [267].

11) AI:
The role of AI is already emerging to a certain extent for Rel-18, but its pervasive realization will rise only with the advent of 6G [268].The first expected AI applications within next 3GPP releases refer to resource block allocation and mobility management [269], channel estimation [270], scheduling policies [271], and beam management [272].Regarding positioning, ML algorithms can be divided into AI/MLassisted positioning and direct AI/ML positioning [164].The former category includes the methods to improve conventional geometric-based algorithms.Examples are the geometric measurements estimation and corrections [273]- [275], the improvement of Bayesian tracking filters [14], CSI prediction and compression [276].The latter category focuses on the design of algorithms that learn the relation between the channel characteristics (i.e., fingerprint) and the UE position [277], [278].By directly addressing the positioning problem with AI, the focus is given to the generalization capabilities [279] and the type of input features [280].
Regarding the adopted AI algorithms, a variety of methods are present in the literature, ranging from conventional ML [275], [281] to DNNs [282], [283], graph neural networks (GNNs) [284], federated learning (FL) [285]- [287], and Bayesian neural networks (BNNs) [288], [289].In [275] and [281], support vector machine (SVM) and relevance vector machine (RVM) are employed for NLOS identification and correction with CSI features, such as time of flight (TOF), energy and kurtosis.To avoid limiting the performances with hand-crafted features, DNN methods, such as convolutional neural networks (CNNs) or auto-encoder (AE) [290]- [292], can be used to directly estimate the position from the full CIR.Examples can be found in both indoor [293]- [295] and outdoor [282], [296] environments.Regarding the FL paradigm to improve the location estimate while maintaining the privacy of locally stored data, authors in [285] introduce a framework for map matching, enabling multiple data sources to train a shared model collaboratively without exchanging raw data.
When dealing with out-of-distribution areas, it is important to have a reliability measure of the model's output.To this concern, recently BNNs have been adopted for producing static point estimates with related uncertainties in mmWave MIMO scenarios [288].BNNs have also been integrated into tracking filters to provide mobile positioning under NLOS conditions [289].
For a more in-depth analysis of these topics, we refer to the surveys in [294], [296]- [298] which provide comprehensive insights on the role of AI, ML, and FL in enhancing positioning accuracy and improving localization techniques, also outlining key challenges and open issues.

III. Fundamentals of Wireless Positioning
In this section, we provide the fundamentals of network positioning, starting from the model of the wireless channel (Section III-A) and the location-related measurements that can be extracted from it for localization purposes (Section III-B).Then, we discuss techniques allowing the estimation of the UE position from such measurements, with a focus on snapshot algorithms (Section III-C) and tracking filters (Section III-D).

A. Wireless channel model
We consider a time-slotted UL wireless MIMO orthogonal frequency-division multiplexing (OFDM) communication system, as the one used in 5G, with  tx transmit and  rx receiving antenna elements.We assume a block-fading timeinvariant channel response, i.e., constant within an OFDM symbol, with maximum delay contained within the cyclic prefix  cp .Let the matrix H  ∈ C  rx ×  tx represent the -th tap of the equivalent base-band MIMO channel response, the signal received at discrete time  = 1, 2, . . .,  (sampled at symbol time   ), denoted as   ∈ C  rx ×1 , is modeled as where   ∈ C  tx ×1 is the transmitted signal and   ∈ C  rx ×1 the background noise.It is common in the literature to assume the noise as spatially and temporally uncorrelated zero-mean complex Gaussian.Non-diagonal covariance can be considered to model the presence of directional interference.
The MIMO channel within a generic OFDM symbol time can be modeled as a combination of  paths as follows: where path  is characterized by the complex fading amplitude   , the transmitting antenna array response  tx (•) ∈ C  tx ×1 to the azimuth ( tx,  ) and elevation ( tx,  ) AODs, the receiving antenna array response  rx (•) ∈ C  rx ×1 to the azimuth ( rx,  ) and the elevation ( rx,  ) AOAs, and the pulse waveform g(•) delayed by the path delay   , with max  (  ) ≤  cp .We consider the fading amplitudes   as OFDM-block-fading, while delays and angles are assumed to be constant over a number of OFDM symbol transmissions.Characterization of the antenna array responses depends on the antenna configuration geometry and design method [299].
Fig. 4 shows two examples of MIMO channels, represented in terms of power-angle (left) and power-angle-delay (right) profiles for LOS (Fig. 4a) and NLOS (Fig. 4b) propagation conditions.The communication system considers a 16 × 16 planar antenna array at both the Tx and Rx devices.Fig. 4a illustrates a scenario where the Tx and the Rx are in LOS, separated by a distance of 100 m, with azimuth AOA and AOD of -30 deg and 30 deg, respectively.Fig. 4b) provides a more complex scenario characterized by the absence of a direct path between the Tx and the Rx.The figures display the different multipath components of the channel, facilitating the identification of the dominant channel paths, their power, AOA, AOD, and delay.We can observe that the channel carries relevant information for positioning: in LOS condition, the first received signal peak corresponds to the direct path, which, besides carrying power information, allows the estimate of the angle and distance with respect to the Tx, enabling localization.In NLOS conditions, instead, gathering position measurements is more intricate, and the usage of advanced algorithms is necessary (see Section IV-F1).The following section delves into the modeling of the positioning measurements extracted from the received signal (1) exploiting the location features embedded in the wireless channel.

B. Location measurements from cellular signals
Let us consider a UE, connected to a number of cellular BSs.The UE location can be estimated by extracting different types of measurements from the radio signals (1), either in UL (at the BS) or in DL (at the UE).Typical measurements include distance, angle, or power.
The distance can be measured by computing the delay or the power loss experienced by the signal during the propagation from the BS and the UE (or viceversa).The delay, referred to as TOF, is the time difference between the TOA and the transmission time.The difference between two TOAs, instead, is the TDOA, while the RTT is a two-way TOA obtained as detailed later in this section.The power measurement is obtained by reading the received signal strength (RSS) at the Rx side.
The angle measurement refers to the main direction from which the signal ( 1) is received or transmitted, and it is denoted as AOA or AOD, accordingly.It is obtained by employing directional or MIMO antenna systems.A typical condition in cellular networks involves BSs with many antennas and UEs with only one (or limited, e.g., 2 × 2 MIMO) antenna.It follows that the AOD coincides with the direction of beam pointing, i.e., where the BS emits most of its radiation beam pattern.
We denote with  = [      ] the unknown 3D UE location, and with   = [ ,  ,  , ] the 3D coordinate of the -th BS, with  = 1, ...,  BS , defined in a convenient spatial reference system (e.g., a Cartesian, ellipsoidal or geographic coordinate system).We indicate with   the single measurement generated or collected by BS , defined as where ℎ  (•) is a known non-linear function that deterministically relates the measured parameter to the positions of the BS (  ) and the UE ();   is an additive term describing the measurement error.Vector   =   (  , ) +   aggregates all the measurements (e.g., TOA, AOA, TDOA, RSS) generated by the (  , ) pair.The overall vector of measurements for all the  BS BSs is indicated with where collect all the BS locations and measurement noises, respectively.The overall number of measurements is  = | |.
Depending on the available hardware technology, protocol, or signal, different definitions hold for the model (3) [300].In the following, we introduce the models used for the cases of interest in cellular localization systems, whereas the methods for extracting such measurements are detailed later in Section IV-F, with specific reference to 5G radio systems.An illustrative example of UE localization with four BSs is reported in Fig. 5, where we represent the spatial information carried by the main types of measurements.
1) TOF measurement: A radio signal can be used to estimate the distance between a Tx and a Rx, knowing the propagation speed of the radio wave and measuring the travel time.In order to obtain the TOA (which identifies a circular set of candidate UE locations, see Fig. 5a) at the Rx side, a replica of the (known) transmitted signal is needed to compute the cross-correlation with the received signal.In ideal LOS additive white Gaussian noise (AWGN) channels, the optimal TOA estimate is obtained by searching the peak of the cross-correlation output [89].
Assuming a DL measurement (i.e., the signal is sent by the BS and received by the UE) and indicating with  rx, the TOA at the UE of a signal transmitted by BS  at time  tx, , the measured TOF is: where   is the length of the propagation path traveled by the signal at speed .
The resulting TOF measurement relating the UE and BS  is: Note that an analogous disclosure is also applicable in UL (i.e., the BS measures the TOA of a signal transmitted by the UE) and for RTT.
A major problem for TOF-based localization is that a precise measurement of  tx, must be available at the Rx side, and the internal clocks of Tx and Rx must be synchronized [301].Typically, the clock of the UE has a poorer quality compared to the one of the BS; thus, it can introduce large errors in the TOF measurement.To bypass the low quality of UE hardware, TDOA measurements can be used.
2) TDOA measurement: DL-TDOA is the measurement of the difference between the arrival times of the signals transmitted simultaneously by two distinct BSs and received by the UE, i.e., the TDOA is the difference between two TOA measurements.It results that TDOA measurements draw a hyperbolic line in space (see Fig. 5b).Unlike TOA measurements, transmitted signals are not requested to carry any time stamp, and the Rx does not need to be synchronized with the Txs [89].On the other hand, the involved BSs need a precise synchronization.This feature allows overcoming the errors due to the clock offset at the UE (which typically has lower quality hardware compared to the BSs).For the computation of TDOA measurements, a BS has to be selected as a reference (e.g., in Fig. 5b the BS on the left is chosen as reference), and thereby the number of available TDOA measurements reduces to  BS − 1.A possible choice for the selection of the reference BS is to take the BS with the highest signal-to-noise ratio (SNR) after the cross-correlation, although different selection criteria exist [302]- [304].
Indicating the reference BS with index  = 1, the TDOA for BS  ≠ 1 is computed as and the TDOA measurement  TDOA  as For an accurate measurement, the synchronization offset between the BSs, i.e.,  tx, −  tx,1 , has to be negligible or known.3) RTT measurement: RTT is a ranging technique which involves both UL and DL measurements.It is also known as two-way TOA because the TOA measurement is provided by both the initiating device and the responding device.
The initiating device (either a BS  or the UE) transmits a signal at time  0 , which is received by the responding device (UE or BS) at time  1 =  0 +   .After a time interval  ,reply due to internal processing and switch from transmission to reception, the responding device sends another signal at time  2 , which arrives at time  3 =  2 +  at the initiating device.The overall RTT over link  is computed at the initiating device as the difference between its own transmit and receive times as Assuming perfect knowledge of the reply time (computed at the responding device as  ,reply =  2 −  1 and included in the payload, or known a priori) the TOF   can be then extracted as The resulting RTT measurement  RTT  can be modeled similar to (5).Different from TDOA measurements, the RTT measurement does not require synchronized BSs, as the time differences involve only the local clock of the devices.

4) AOA/AOD measurement:
The AOA indicates the spatial direction of the UL signal sent by the UE and received by the BS.It can be estimated using directional antennas, such as phased arrays, which allow steering the radio signal over confined spatial directions called beams [305].Conventional methods estimate the AOA by performing beamforming over various directions and selecting the beam with the highest received power.Higher resolution can be obtained by maximum-likelihood or subspacebased algorithms (e.g., estimation of signal parameters through rotational invariance technique (ESPRIT), multiple signal classification (MUSIC) [305], [306]).The main drawback is the high hardware-software complexity (and cost) required to get precise angular information (i.e., small beamwidth or equivalently large number of antennas), the high sensitivity to multipath, as well as the increasing location uncertainty with the distance (see Fig. 5c).On the other hand, synchronization among BSs is not required, and high-precision localization can be achieved when large arrays are available.
The AOA is defined as the 3D direction of the LOS link to the -th BS, which includes the azimuth   and the elevation   .This is estimated by the BS in a local reference system ( ′ ,  ′ ,  ′ ) referred to the antenna array (see Fig. 6) and then converted into the global one for UE positioning.We denote with Δ  , Δ  , Δ  the orientation of the array, where Δ  , Δ  and Δ  are respectively the rotation over the axis ,  and  and known as yaw, pitch and roll.Assuming a null pitch (Δ  = 0), the AOA measurement ∠( ′ −  ′  ) extracted by the antenna array is rotated through a rotation matrix   that combines the rotations around the  ′ and  ′ axes as follows [307]: and the AOA is obtained as ∠  ( ′ −  ′  ).The resulting azimuth (  ) and elevation (  ) angles are: with . Note that this is true only for Δ  = 0, otherwise additional algebraic transformations are requested.
The AOA measurement vector is finally modeled as which includes the measurement error  AOA  .On the other hand, AOD measurements use DL signals, which are sent by the BS and received by the UE.Still, the resulting angle is with respect to the BS array; therefore, the AOD measurement vector is modeled similarly to the AOA. 6. UE and BS LOS geometry in a 3D Cartesian coordinate system with a focus on the BS array orientation.

5) RSS measurements:
Distance information can also be obtained from power-based measurements, which are easy to extract, both in DL and UL.According to the path-loss model [308]- [311], the average power received over link  (expressed in logarithmic scale) can be related to the distance as where  0 is the power received at a reference distance  0 , while  is the path-loss index that depends on the propagation environment.The RSS measurement is then defined as where  RSS  accounts for shadowing fluctuations and measurement errors.
Unfortunately, power-based measurements reveal reasonable distance indicators only if the BSs is near to the UE, as shadowing and multipath fading significantly affect the power values, and the propagation environment needs to be accurately modeled.The latter aspect can be really complex to achieve, as calibration procedures have to be performed and repeated anytime the environment changes.Overall, analytical modeling tends to be unrealistic in environments with severe multipath and obstructions.It results that RSS-based positioning method is more suited, and generally used, for proximity detection and fingerprinting [312]- [315].
6) Digital maps and AI-based fingerprints: Fingerprinting localization is employed in complex multipath environments where analytical models are not able to describe the locationmeasurement relation.The analytical function ℎ  (  , ) is thus replaced by a digital map built ad-hoc during a training phase.A database D  =  ()  ,  ()  =1 is created by collecting channel fingerprints  ()  over  locations  () in the area of interest, for each BS .The channel measurements can be derived from the CIR (e.g., TOA, AOA, TDOA, RSS) or can be represented by the whole CIR.Examples in this direction are the channelfrequency response matrix (CFRM) [316], [317] or angle-delay channel power matrix (ADCPM) [282], [283], [318], which encode all the essential information of the environment, i.e., TOF, AOA, and RSS for each path.
Once the position-referenced dataset is available, according to the type of channel measurement, different algorithms can be adopted for real-time localization.In the case of RSS measurements, algorithms like HORUS [319] or RADAR [320], based on probabilistic methods and k-nearest neighbors (KNN), respectively, have been proposed in the past.With the advent of AI, AE-based structures, which are already foreseen in future 3GPP releases [321], allow to encode the input channel measurements into compressed versions, called latent features.This permits the reduction of the input dimensionality and performs feature extraction for subsequent position estimation through DNN algorithms [282].In case the database is incomplete, spectrum cartography techniques for estimating missing values and reconstructing the whole RSS map can be used [322], [323].For incomplete full-CIR measurements, semi-supervised learning methods [291], [292] or generative adversarial network (GAN) [324] can be adopted to limit the necessary labels information or generate new data, respectively.

C. Positioning algorithms
Estimation of the UE position  from the collected measurements  (delay, angle, power parameters, or any combination of them) can be obtained by conventional inference algorithms [325], [326].The estimation problem amounts to solving a system of non-linear equations in the unknown location  by minimizing a cost function embedding the difference between the available measurements and the related analytical models.Different cost functions are used according to the selected optimization criteria [327].
A popular approach in positioning systems is the non-linear least squares (NLS) [328], [329], a non-probabilistic method minimizing the square difference between the measurements and the corresponding models as An extension of NLS is the weighted NLS (WNLS) [330], which takes into account the different degrees of reliability of the measurements (i.e., different statistics) by weighting the error terms as follows: where  = Cov( ).Under the assumption of uncorrelated measurements, the measurement covariance matrix  reduces to a diagonal matrix.In general, there is no closed-form solution to the nonlinear optimization, and thereby, numerical search methods are used.Iterative NLS estimation is obtained by initializing the location with a starting guess û0 and refining the estimate over the iterations by local linearization and linear resolution.Indicating with  the single iteration, the update is in the form

Method
of û+1 = û + Δ û , where  = 0, 1, ..., , with  the maximum number of iterations, and Δ û the correction.Within the iterative NLS category, different implementations exist, such as the Gauss-Newton and Levenberg-Marquardt algorithms [331]- [333].Linearization involves the computation of the Jacobian matrix   ≜   (  ) to be performed at each -th iteration as follows: The element of the Jacobian matrix   for each type of measurement considered in this tutorial are reported in Table IV (Fig. 6 is taken as a reference for notation).
Depending on the algorithm implementation, the update function of UE estimate can slightly differ.As an example, considering the Gauss-Newton algorithm, the update rule for the iterative NLS is the following: where  is a step-size scaling parameter and Δ =  − (, û ) the residual error.Similarly, the update for the iterative WNLS with Gauss-Newton implementation becomes: An alternative implementation of iterative NLS is by the Levenberg-Marquardt algorithm, which uses the Hessian matrix instead of the Jacobian one, i.e., considering the second-order derivative of the measurement model (, ) [334].
The accuracy of any unbiased positioning algorithm is lower bounded by the CRB [335].Denoting the covariance of the location estimate as  = Cov() = E[( û − ) ( û − ) T ], the CRB specifies that  ⪰  CRB =  −1 (), where () is the Fisher information matrix (FIM).For Gaussian measurements, the FIM can be expressed in closed form as () =  T  −1 , with  defined as in Table IV [335].The CRB represents a useful benchmark for designing localization algorithms and provides a practical tool for optimizing the BS deployment.Furthermore, it is the performance reached asymptotically (i.e., for a large number of measurements or large SNR) when the maximum likelihood estimation algorithm is adopted.Indeed, in this specific case, the location estimate is û ∼ N (, () −1 ) [336].

D. Bayesian tracking filters
As an alternative to NLS solutions which do not include a-priori knowledge of the UE dynamics, Bayesian tracking methods can be implemented to improve positioning accuracy over a trajectory, as well as to embed tracking of higher order kinematic quantities (such as velocity and acceleration).In addition to the measurement model (see Section III-B), Bayesian tracking also requires a dynamic system model describing the evolution of the UE location over the time .Overall, the two following models are considered: where   and   are the vectors of the state (collecting all the relevant kinematic parameters) and the observation vectors at time , respectively,   is the driving process accounting for model uncertainties,   is the measurement error,   (•) and   (•) are non-linear functions describing the state evolution in time and mapping the state to the measurement, respectively.The definition of the function   (•) depends on the type of available measurement (see Table IV).
One of the most widely-used algorithms in mobile positioning is the extended Kalman filter (EKF).The basic principle of EKF is to convert a non-linear system into a system of linear equations by focusing on the first-order Taylor expansion of the estimate [337].Other Bayesian solutions include the Unscented Kalman filter [338], the cubature Kalman filter [339], the particle filter [340], [341], and the belief propagation [342].
Starting from an initialization of the estimated state mean x0 and covariance  0 , at the successive time instants  > 0 the EKF performs a prediction and update steps for tracking the UE state   .The prediction step uses the state transition model (21) to predict the next state mean  −  and covariance  −  , as follows: where and   = Cov(  ).The update step first requires the computation of the so-called Kalman gain defined as where followed by the update of state mean and covariance estimates as As for the stationary case, fundamental performance bounds can be computed by deriving the CRB for mobile positioning employing Bayesian tracking.This holds true as the CRB considers asymptotic information and is, therefore, also conservative in filtering.The CRB for the dynamic case, also known as Bayesian or PCRB, can be derived as in [327] and varies according to the motion model used in (21).In the case of random walk, the lower bound at time  is   = Cov( x ) ⪰   with   given by [327]: The selection and calibration of the most suitable model of dynamics depend on the considered problem, which might require (or not) the tracking of position, velocity, acceleration, or other kinematic parameters.Examples of motion models are given in [327].Note that it is also possible to merge more than one model for a quicker reaction to unpredictable motion or to better adhere to highly predictable conditions, such as by interactive multiple model (IMM) filtering [343].

IV. 5G Positioning Technology (Rel-16)
In this section, we discuss various aspects of 5G positioning.We start with the description of the 5G positioning architecture (Section IV-A), then we detail the 5G frame structure (Section IV-B) highlighting its impact on the positioning accuracy compared to LTE (Section IV-C).In Section IV-D, we describe the different signals for 5G positioning, both for UL and DL; the associated positioning methods are in Section IV-E.Lastly, we explain how to extract positioning measurements from the 5G signals (Section IV-F).

A. 5G positioning architectures
The general architecture of a 5G network is shown in Fig. 7a.Main components are the 5G core network (5GCN) and the RAN [89].The 5GCN is built on a service-based architecture (SBA), which guarantees the network functionalities using a set of network functions (NFs).Functions can interact with each other using the service-based interface (SBI).The main NFs are the location management function (LMF) and the access and mobility management function (AMF).The LMF is in charge of all the procedures regarding the UE localization, such as selection of the positioning method, resource scheduling, and overall coordination, and it is responsible for broadcasting the assistance data to the UEs.The AMF, instead, supports location services, including emergency calls and initiating a localization request for a UE.Generally, it can be considered an intermediary node between the LMF and the RAN or the UE.
The RAN is involved in the handling of the positioning procedures, and it has the duty of transferring messages between the UE and the AMF or LMF, such as positioning messages or broadcast assistance data.The RAN, or next generation RAN (NG-RAN), is formed by an ng-eNB for LTE access and a BS for NR access, as shown in Fig. 7b.
Differently from the monolithic building block of the 4G RAN architecture, i.e., eNodeB (eNB), the architecture of 5G BS can be split into a gNB central unit (gNB-CU) and one or more gNB distributed units (gNB-DUs), as shown in Fig. 7c.The gNB can transmit a signal in DL or measure a signal in UL, enabling the implementation of the various positioning methods.This twofold feature is possible thanks to the TRP, which acts as a transmission point (TP), a reception point (RP), or both.

B. 5G frame structure
The physical layer of 5G is characterized by a frame of duration of 10 ms, as for LTE.However, the frame structure differs in the two protocols.In LTE, the frame is divided into 10 sub-frames of 1 ms, each being composed of 2 slots of 7 OFDM symbols in time and occupying 12 subcarriers in the frequency domain.In 5G, each frame is divided into 10 subframes of 1 ms duration, and each sub-frame is divided into slots, containing  slot symb = 14 OFDM symbols each.The number of slots is variable and depends on the sub-carrier spacing (SCS), which is univocally defined by the numerology, indicated with .Table V reports the numerology , the number of slots for each sub-frame  slot = 2  , the SCS Δ  = 15 •  slot (in kHz), the FR, the maximum bandwidth (in MHz), the average symbol duration  symb = 1 Δ  s, and the cyclic prefix length  cp .Moreover, we associated each numerology with a theoretical ranging accuracy computed as ≈ /BW.
In LTE, the numerology was limited to  = 0.The 3GPP Rel-15 extended it up to numerology  = 4 [347], and the latest 3GPP Rel-17 has further enhanced the numerology up to  = 6 [345].While the maximum supported channel bandwidth for LTE is 20 MHz, in 5G it is 100 MHz for FR1 [348], 400 MHz for FR2 in Rel-16 and 2 GHz for FR2 in Rel-17 [345].Note that numerology  = 4 is not intended to support data transmission [346], but only synchronization.On the contrary, numerology  = 2 only supports data transmission and not synchronization.
Fig. 8 defines the resource grid in the time and frequency domain.A resource block (RB) is a set of  RB SC = 12 sub-carriers inside a slot of 14 OFDM symbols.A resource element (RE) is the smallest unit in the resource grid, constituted by a single symbol in time and a single sub-carrier in frequency.Gathering all the parameters, the signal bandwidth is computed as  where  RB is the number of utilized RBs, and the data rate (in Mbps) is [349]: where  is the number of aggregated component carriers in a band,  max = 948 1024 ,  ,layers is the maximum number of supported layers (8 in DL, 4 in UL),  , is the maximum supported modulation order,   ∈ {1, 0.8, 0.75, 0.4} is a scaling factor,  symb is the average OFDM symbol duration in a subframe for numerology  [344], [345], and   is the overhead which can take the following values: •   = 0.14, for FR1 in DL, •   = 0.18, for FR2 in DL, •   = 0.08, for FR1 in UL, •   = 0.10, for FR2 in UL.

C. Time-domain accuracy: LTE vs NR
With the addition of FR2 bands, larger signal bandwidths and higher data rates are available.Larger signal bandwidth is the key to unlocking high-accuracy positioning, as the resolution in delay estimation, which is roughly equal to the inverse of the bandwidth (i.e., the sampling time), improves and enhances the capability to resolve multipath.
To highlight the improvement brought by 5G NR with respect to LTE, we analyze the following: the temporal resolution of the different numerologies and the corresponding ranging accuracy.The minimum sampling time is: with   as the number of Fourier points, which provides a granularity in the ranging domain Δ =   • .For LTE (numerology  = 0), we get the following delay and range resolution: while for 5G Rel-16 ( = 3) it is: Instead, taking into consideration the highest numerology introduced by Rel-17 ( = 6), we obtain: The finer granularity of 5G NR compared to LTE highlights the huge potential in accurate positioning of 5G at mmWaves [350].
On the other hand, the coverage of a BS transmitting in FR2 is highly reduced, leading to a densification of BS installations.This is not necessarily a drawback.Indeed, while adding more BSs will cost more from the cellular operators' point of view, it also allows greater frequency reuse.Moreover, smaller cell size might provide satisfactory positioning performance even using the basic CID method, which can be used for non-critical applications such as geo-marketing.

D. 5G positioning signals
In Rel-16, the 3GPP standard updates and redefines two reference signals in order to overcome the positioning problems of previous releases [351].Former signals, such as CSI reference signal (CSI-RS) and synchronization signal (SS) (which composes the synchronization signal blocks (SSBs)), were not designed specifically for positioning because of the following limitations.A first major limitation is their inability to solve the hearability issue arising from interference by neighboring cells [352].This is crucial for positioning, as the UE must receive signals simultaneously from multiple BSs to perform multi lateration/angulation.On the other hand, signals from nearby cells shadow weak signals coming from far-away cells, making their detection difficult at the UE.Lastly, CSI-RSs and SSs have weak correlation properties due to low density of REs and their pattern.Therefore, they might not spread well across all of the sub-carriers in the frequency-domain.For these reasons, the PRS for DL transmission and the SRS for UL transmission have been introduced in Rel-16 with the aim of allowing precise positioning by the 5G cellular network.
In the following, we describe the features of SSB, CSI-RS, PRS, and SRS, whose main differences affecting positioning are summarized in Table VI.The number of beams for SRS and PRS are associated with the number of RE in a slot.

1) SSB:
The SSB consist of the SS, downlink physical broadcast channel (PBCH), and demodulation reference signal (DMRS).SSBs are periodically transmitted in broadcast by a TRP within spatially contained bursts (SS burst set) in a beam sweeping pattern (i.e., each SSB over a specific spatial beam).The main objectives of the SSB, also known as SS/PBCH  block, are the following.To have an active 5G connection, an UE has to perform a cell-search procedure to identify, locate, and synchronize with a TRP.The cell-search during the initial access is conducted through the use of primary synchronization signal (PSS) and secondary synchronization signal (SSS), which constitute the SS.Additionally, the UE uses DL signals such as the physical downlink shared channel (PDSCH) and PBCH to obtain the necessary system parameters for the connection.The UE also detects the DMRS, which acts as a reference signal for decoding the PDSCH and PBCH.Each SSB is sent over a different spatial direction at different timing by the TRP, and the UE measures the signal strength of each SSB.Based on the measuring results, the UE can determine and report to the TRP the index of the strongest (in terms of power) SSB.The structure of the SSB is reported in Fig. 9.It is constituted by 20 RBs and 4 OFDM symbols in the frequency and time domains, respectively.Depending on the adopted carrier frequency   , different numbers of consecutive SSBs ( SSB ) compose an SS burst set.Intuitively, the higher the carrier frequency, the narrower and more directive the beam will be.For frequency below 3 GHz,  SSB = 4; for frequency between 3 and 6 GHz  SSB = 8; and for frequency between 6 and 52.6 GHz  SSB = 64.Depending on the SCS and carrier frequency, the starting OFDM symbol of the SSB varies according to a specific pattern, as described by 3GPP specification in [353], [354].Patterns are categorized as Case A, B, C, D, and E, and they mainly differ according to the SCS and carrier frequency   as indicated in Table VII.Fig. 10 depicts every SSB pattern and demonstrates how TRPs operating at higher frequencies (such as millimeter waves) employ more beams overall.A TRP's ability  Fig. 10.SSB pattern cases according to the different carrier frequency, as described by 3GPP Rel-15 [353], [354].
to comprehensively scan the spatial domain using more directed beams is indicated by a higher  SSB .
2) CSI-RS: CSI-RS were introduced in Rel-10 with the aim of acquiring the channel state information.In order to support up to eight layers of spatial multiplexing, the configuration of CSI-RSs can be defined accordingly with the same number of signals for a TRP.In time-domain, the CSI-RS periodicity can be configured such that there can be from 2 to 8 CSI-RSs in every frame.For a given periodicity, it is also possible to configure the subframe offset.The CSI-RS is transmitted in every RB in the frequency-domain.In this way, CSI-RS can cover the entire cell bandwidth.The REs actually used depend on the defined CSI-RS configuration.In addition to conventional CSI-RS, also known as non-zero-power CSI-RS (NZP-CSI-RS), it is possible to configure zero-power CSI-RS (ZP-CSI-RS) with the same structure [355].
3) PRS: PRS, also known as DL-PRS, is similar to the homonym LTE DL signal and it is specifically designed to allow the UE receiving signals from multiple BSs.A key feature of PRSs is the improved hearability thanks to the muting concept: multiple BSs can transmit the PRS in a coordinated way by literally muting less relevant PRS transmissions to avoid interferences.Furthermore, the staggered pattern of the PRS REs results into better correlation properties that facilitate the peak   RRC ∈ {0, . . ., 67} is an additional circular frequency-domain offset of SRS, as a multiple of 4 RBs.These properties determine the actual frequency-domain location of the SRS.

E. 5G positioning methods
In this section, we detail the main 5G positioning methods relying on the delay and angular measurements described in Section III.In particular, the outlined methods are: DL-TDOA, DL-AOD, UL-AOA and multi-RTT.
1) DL-TDOA: DL-TDOA is similar to OTDOA in LTE, as they are both based on TOA measurements of DL signals from multiple TRPs.The TDOA is computed as the difference between two TOA measurements.Considering two BSs  and  ′ , with  being the reference BS, the following three quantities are associated to the DL-TDOA: • reference signal time difference (RSTD):  rx, ′ − • geometric time difference (GTD): , where   and   ′ are respectively the lengths of the propagation paths between the UE and the BSs  and  ′ , respectively.It represents the ideal hyperbolic line of position.In a noiseless scenario, the following relationship holds [89]: In simulation analyses, perfect synchronization between BSs is typically assumed, i.e., all BSs transmit exactly in the allocated time slots, and no clock offset contributes to the measurement error.On the other hand, in real operating conditions with the currently deployed 5G network, synchronization errors leads to major bias in ranging measurements, up to hundreds of meters [113], [357].This is a primary limitation of 5G precise positioning at present (more details are provided in Section VI-B).As a matter of fact, current 5G networks implement a master-and-slave-based precision time protocol (PTP) [358] protocol which only achieves a synchronization that is accurate up to ±1.5 µs, as recommended by the International Telecommunication Union (ITU) [359].This converts to a distance error of about ±450 m, hugely limiting the positioning performance.
2) DL-AOD: DL-AOD positioning can be obtained thanks to the computation of DL RSRP measurements of beams by the UE.The BSs may transmit signals in a beam-sweeping manner that can be measured by the UE.The more the beam is directed to the UE and not impaired by obstacles, the higher the RSRP.The resulting vector of all RSRP measurements (one for each beam) could be considered as a radio frequency (RF) fingerprint and used to perform positioning by a patternmatching approach [360].
Another solution, which is also the one adopted in this work, is the beam management procedure [127].This procedure is used to acquire and maintain a link pair between the UE and a BS.3GPP TR 38.802 [158, section 6.1.6.1],defines the beam management as the combination of the following three procedures: P1) This procedure focuses on the initial acquisition based on SSB and it employs analog beamforming.During the initial acquisition, beam sweeping takes place at both transmit and receive ends to select the best beam pair based on the RSRP measurement.In general, the selected beams are wide and may not be optimally paired for data transmission and reception.P2) This procedure, which is referred to as beam refinement, focuses on transmit-end beam refinement, where beam sweeping is performed at the transmit side while keeping the receive beam fixed.The procedure is based on NZP-CSI-RS for DL transmit-end beam refinement and SRS for UL transmit-end beam refinement.P2 makes use of digital beamforming.P3) This procedure focuses on receive-end beam adjustment, where the beam sweeping happens at the receiving end given the current transmit beam.This process aims to find the best receive beam.For this procedure, a set of reference signal resources are transmitted with the same transmit beam, and the UE or BS receives the signal using different beams from different directions covering an angular range.Finally, the best receive beam is selected based on the RSRP measurements on all receive beams.
The technical report defining beam management refers to Rel-14, where NZP-CSI-RS is mentioned for the P2 procedure in DL.However, in Rel-16, NZP-CSI-RS is no longer used for positioning purposes.In the analyses and results presented in this tutorial, we consider the P2 procedure in DL based on PRS.Moreover, we are interested only in the first two phases of the procedure to obtain the AOD.The P3 procedure could be used for AOA estimation only in the case of a large antenna array available to the UE side.However, most likely scenarios include a UE device with one or very few antennas due to size, battery, and weight constraints (e.g., a smartphone).For this reason, estimating the AOA at the UE side is very challenging at present.
After the initial beam establishment, obtaining a unicast data transmission with high directivity requires a beam much finer than the SSB beam.Therefore, a set of PRS resources are configured and transmitted over different directions by using finer beams within the angular range of the beam from the initial acquisition process.Then, the UE measures all these beams by capturing the signals with a fixed receive beam.The best transmit beam is selected using PRS-RSRP measurements (defined in 3GPP TS 38.215 [361,Section 5.1.28])on all the transmit beams, which allow to determine the best AOD.Lastly, the AOA measurements needed for positioning with NLS are derived from the AODs.Fig. 12 illustrates the beam refinement with an example.The orange beam is selected during P1 at the UE end, while all the colored beams refer to the PRS resources sent in DL by the BS.The straight blue line identifies the direct path that links UE and BSs, and it shows clearly that the PRS with the highest RSRP will be the one with index 1 (light green) because is the one with more directivity to the UE.The number of finer beams depends on the number of PRS resources employed.Since in our work, all the PRSs are delivered in a single slot, the maximum number of beams is 12.In Fig. 13, we show an RB with the set of PRS in use, which is an example of comb 12 with 12 OFDM symbols and 12 resources.A critical aspect of beam selection is related to the duration of the beam searching procedure, which reduces the data rate of the link, especially if exhaustive searches are carried out.For this reason, literature works have proposed to speed up the searching procedure by exploring in-band signalling [362], [363] or the repeatability of the wireless environment to learn the geo-referenced optimal beams [364], [365].
3) UL-AOA: UL-AOA is a network-based positioning method where the BS exploits the signals transmitted by the UE, i.e., the SRS, to determine the AOA both in zenith and azimuth directions.As for the DL-AOD, a directional antenna is required to calculate the AOA.This is somehow a usual assumption given that 5G NR supports multi-antenna transmission and reception.According to the standard, there are several methods for determining the AOA.
Classical AOA estimation is performed with conventional beamforming, as described by procedure P3 in Section IV-E2.These methods do not make any assumptions about how the incoming signal and noise should be modeled.They require electrically pointing beams in every direction (or a predetermined selection of directions) and looking for power output peaks.The beamforming is achieved by applying a Fourier-based spectrum analysis to the spatio-temporal received samples.However, with these methods, the beamwidth of the array limits the angular resolution, necessitating a large number of antenna components to attain high precision.
Other more advanced techniques are high-resolution subspace-based methods like MUSIC [366] and ESPRIT [367].This family of methods is better suited for lower frequencies, i.e., FR1, where digital beamformers are more widely accessible.They process the eigenstructure of the incident signal by computing spatial covariance matrices using digital samples from each antenna element output.Due to the array aperture's modest size at lower frequencies, the spatial resolution is only moderate, i.e., beams are relatively broad.As a result, contrary to conventional beamforming, high-resolution approaches are particularly useful at lower frequencies because they may reduce the angular resolution to values smaller than the array's beamwidth without requiring the array aperture to be expanded.With the former technique, we are able to extract the AOA measurement, i.e., the angle between the UE and a BS, while with the latter type of technique, we analyze the received signal.4) Multi-RTT: DL-TDOA requires precise synchronization among the BSs, which is not obvious in a real scenario.RTT does not require any synchronizations, even if a coarse time synchronization is desirable to increase hearability from multiple BSs.The synchronization accuracy needed for TDOA is in nanoseconds, while for RTT, it is enough to be in microseconds [89].For this reason, an RTT measurement would be a more suitable choice for the currently deployed networks.Similar to TDOA, the basic measurement is TOA, one in UL based on SRS and one in DL based on PRS, as shown in Fig. 14.The two-time differences used to compute the RTT value are referred to as the same clock:  3 −  0 is referred to as the UE clock, while  2 −  1 is referred to as the BS one.Thanks to this, synchronization is not needed anymore.However, in multi-RTT, several BSs are involved simultaneously, and, with a microsecond level synchronization, it is possible to send back the signals in different time slots or in the same time slot with different frequency offsets.With a static UE, it is possible to send the signal of each BS in different time slots.In the case of mobile positioning, this choice would lead to higher measurement errors.Generally, all the measurements need to be concurrently made to mitigate the errors.

F. Extraction of 5G positioning measurements
In this section, we provide examples of how it is possible to address NLOS detection (Section IV-F1), and we describe the selected procedure used to extract the positioning measurements from the 5G signals, considering both DL (Section IV-F2) and UL (Section IV-F3).

1) NLOS detection:
The identification of NLOS propagation condition refers to algorithms able to detect whether the radio signal has been received from reflected paths rather than the direct link.This allows to properly account for possible excess delay in ranging measurement at the tracking algorithm, thus improving the final localization performance [368]- [370].Furthermore, knowing the environmental map of the area (also known as high-definition (HD) map) could give insights about possible reflectors or virtual anchors; such a-priori information can be exploited together with multipath and NLOS measurements into positioning algorithms [371].The same concept can be applied to RIS, where the reflectors are actively identified and exploited for positioning and velocity estimation [197].Rel-17 includes the capability to indicate whether the received signal is received over a direct or reflected path.However, the standard currently lacks detailed technical specifications regarding its implementation.
In the literature, several NLOS detection and mitigation techniques have been developed in the past.We here report some of them, including statistical methods and ML solutions [372].The oldest prior art is well-summarized in [373], which includes relaxed constrained localization, identify and discard, and weighted least square (LS)-based techniques.Constrained localization is based on quadratic programming techniques, where the constraints can be relaxed to include NLOS measurements.Identification and discard consists of considering sub-groups of BSs to discern the LOS and NLOS ones.Lastly, from LS-based techniques, the residual error in output from the algorithm can be used to detect NLOS measurements.Regarding more recent works, instead, the authors in [374] designed nonparametric techniques utilizing LS-SVM to discriminate LOS from NLOS conditions (classification) and mitigate the biases of NLOS range estimates (regression).The selected features are mainly the power and the maximum amplitude of the received signal and the mean excess delay.Different mitigation strategies are proposed based on BSs NLOS probability and the number of BSs in LOS, outperforming previous state-ofthe-art techniques.In [375], DNN methods were employed, combining CNN and long short-term memory (LSTM) networks to solve the classification problem.The results demonstrate a classification accuracy above 80%.In [376], a Bayesian filter that jointly tracks the time-varying visibility conditions and the UE motion has been proposed, and it is demonstrated to efficiently handle NLOS in harsh industrial environments with an accuracy of ≈50 cm in 95% of the cases.In [377], the environmental conditions are predicted by exploiting the information of vehicle onboard sensors; the so-called dynamic LOS-map is used to improve the V2X performance by selecting optimal relays.In [292], a semi-supervised anomaly detection technique was used to identify NLOS conditions by means of an AE structure applied to the full CIR.A neuralenhanced sum-product algorithm using an ad-hoc factor graph has been designed in [378], employing a channel estimation and detection algorithm for the measurements and an AE for features extraction.The method therein demonstrates highly robust positioning and tracking capability while attaining the PCRB even when the training data is confined to local regions.In [379], an automatic optimization for transfer learning has been recently proposed for NLOS error detection and correction for feature and CIR data.With the CIR-based approach, the results reveal 93% of NLOS detection capability and positioning accuracy of ≈10 cm, unlocking a high-precision positioning for UWB systems.Lastly, [380] describes various statistical and optimization techniques for NLOS error estimation.While the most promising methods in the literature rely on integrating RSS measurements, the authors propose a novel distance-dependent uncertainty model for dynamic NLOS environments.This model shows promising results, achieving an error of less than 1 m without requiring prior information.
2) Downlink: For DL positioning, we proceed according to the block diagram illustrated in Fig. 15, where the blocks pertaining to the BS are colored in blue, while the UE is in orange.Two types of signals are used: SSBs and PRSs.SSBs are generated to perform the procedure P1, while PRSs are used for the procedure P2 (see Section IV-E2) and the timing estimation.After SSB and DMRS generation, both the Tx BS and Rx UE perform beam sweeping over all the configured angular domain.Typical conditions include an omnidirectional UE and a trisector BS, although many other configurations are possible.Signals are generated according to an OFDM modulation, and after channel propagation, they are demodulated, and the channel is estimated.The beam determination is then performed at the Rx UE side by selecting the beam pair with the highest received power.
Recalling  [306], [381], [382].Before transmitting the signal across the wireless channel, the discrete signal can be oversampled during the inverse fast Fourier transform (IFFT) process, followed by the addition of a cyclic prefix.After the propagation, a first coarse synchronization is performed, usually detecting the PSS of the SSB in the time-domain [383].Then, before the FFT, the cyclic prefix is removed.Moreover, in the context of multi-link communications, it becomes essential to differentiate between various BSs based on their respective Cell-IDs and the corresponding  PRS offset, RE .For timing estimation, one PRS is modulated, and the TOA is estimated at the UE side by computing a cross-correlation between the received waveform and the replica of the transmitted waveform at the Rx.Recalling the Tx and Rx signal   ∈ C  tx ×1 and   ∈ C  rx ×1 from (1), which are sampled with sample time   = 1/(Δ  •   ), we define the cross-correlation   as where   is the number of samples.Then, the highest peak of the cross-correlation can be used to detect the TOA, even if the use of advanced techniques for first peak detection is advisable to ensure more accurate results [384]- [387].This is particularly pertinent in scenarios with significant multipath effects, as the primary peak associated with the first path may be weaker, with the strongest peak potentially originating from a signal reflection.The TOA can be later employed for TDOA or RTT estimate.
3) Uplink: For UL positioning, we proceed according to the block diagram illustrated in Fig. 16 In UL positioning, only SRS signals are employed.For both time and angle estimation, the first three steps are the same as for DL, i.e., SRS and physical uplink shared channel (PUSCH) generation, OFDM modulation, and channel propagation.Afterward, TOA estimation follows the same rules described in Section IV-F2.Instead, for angles, we demodulate the signal, and then a high-resolution MUSIC algorithm is used (see Section IV-E3).MUSIC algorithm enables an accurate estimate of AOA of signals in cases when the Rx is equipped with MIMO technology.The process of applying the MUSIC algorithm in the UL scenario can be described as follows.
After OFDM demodulation and noise-filtering, the sample covariance matrix of the data is computed.By taking into account the time correlation between different antenna-element readings, the covariance matrix allows for an effective separation between signal and noise.Indeed, subsequently, the covariance matrix is decomposed into its eigenvectors and eigenvalues, where eigenvectors corresponding to the largest eigenvalues form the signal subspace, while those corresponding to smaller eigenvalues form the noise subspace.Lastly, the algorithm searches over a specified grid of AOAs, identifying the arrival vectors whose projection into the noise subspace is minimal.This information is used to estimate the AOA.

V. Simulation Experiments
In this section, we provide a thorough analysis of the performance of 5G positioning assessed over multiple scenarios and with different system configurations.We start by defining the adopted performance metrics in Section V-A, then we present the simulation environments in Section V-B, and the system settings in Section V-C.The simulations consider the use of PRS, SRS, and SSB as defined in Section IV-D.Lastly, numerical results are reported in Section V-D.

A. Performance metrics
We analyze the positioning performance in terms of the accuracy of the location estimate, i.e., in terms of the 2D location estimate error Δ = û−, whose l2 norm Δ = ∥Δ∥ represents the distance between the true and the estimated UE locations.
We consider several accuracy metrics (averaged over the UE positions and Monte Carlo iterations), including the bias vector  = E[Δ], with  = ∥∥ representing the distance between the mean location fix and the true location, the root mean square error (RMSE) (also known as root mean square distance) defined as RMSE = √︁ E[Δ 2 ], and the mean absolute error (MAE) defined as MAE = E[Δ] (mean distance between the location fix and the true location).In addition to the mentioned average metrics, we also consider the cumulative density function (CDF) and the probability density function (PDF) of Δ.We also report the position error bound (PEB) value computed from the CRB, recalling that RMSE ≥ √︁ tr( () −1 ) and PEB . The location accuracy is known to depend on two main factors: the statistics of the measurement errors   in (3) and the geometric arrangement of the BSs with respect to the UE, referred to as geometric factor [388].In our analyses, we investigate both of them by analyzing the measurement statistics and the variation of the location error ellipse over the space.

B. Simulation environment
The RT tool provided by Matlab ® [389] is used to perform the 5G positioning simulations.It allows to faithfully model the PRS and SRS signals according to 3GPP Rel-16 and propagate them over a 3D environment accounting for the presence of buildings and associated multipath effects.The propagation model can be designed with an arbitrary number of reflections, depending on the context.The 3D environment is modeled with the Site Viewer feature, which, combined with RT, allows to recreate realistic scenarios for performance analyses.An example of a simulation environment in Matlab ® is shown in Fig. 17, where a UE (green marker) is placed in the middle of a courtyard and it is surrounded by three BSs (blue markers).The drawn rays represent the signal propagation paths computed by the RT for each BS, colored according to the path loss value and showing both LOS and NLOS conditions.
We perform 5G positioning simulations in both outdoor (Fig. 18) and indoor (Fig. 20) environments, with static and dynamic UE conditions.In particular, we consider an outdoor urban area around the Politecnico di Milano Leonardo campus (see the satellite view in Fig. 18a), representative of an urban mobility use case, and an indoor environment within the Politecnico di Milano Bovisa Durando campus , representative of an industrial use case (see the photo in Fig. 19a), inside the MADE Competence Center, a laboratory facility on Industry 4.0 that simulates a digital factory and hosts a wide range of industrial machinery.For the former, OpenStreetMap files containing the geographical information about buildings have been imported in Matlab ® ; for the latter, we imported a 3D lidar scanning of the MADE Competence Center.
The outdoor scenario consists of a 1 km 2 outdoor urban area, in which we deployed 15 5G sites (see Fig. 18b), each composed of 3 antenna panels oriented at 0°, 120°, and -120°with respect to East, at a height of 4 m from the support point.Despite the fact that this deployment does not match the current installation of mobile operators in the area, as they do not guarantee enough density and multi-BS visibility for cellular positioning, it is selected as a trade-off between the needs of guaranteeing enough BSs visibility and limiting the overall number of BSs.More efficient deployments can be designed using optimization algorithms [390], while higher performances can be achieved by further increasing the BS density.The visibility map for the considered deployment over the simulated UE trajectory is shown in Fig. 21.Note that for mmWave urban scenarios, the 3GPP standard recommends a dense deployment similar to the proposed one with a distance of 200 m between each BS [391], as confirmed by further coverage studies in the literature [392].
The 3D rendering resulting from the lidar acquisition of the indoor scenario is reported in Fig. 19b, where the two considered sub-areas representative of an office area and a factory area are highlighted.A more detailed visualization of such areas is shown in Fig. 20a and Fig. 20b, respectively.For the office room, we placed a single tri-sectorial cell, while in the industrial area, we deployed 4 BSs in the four edges near the columns, pointing towards the center.
The simulated radio devices employ a uniform rectangular array (URA), defined by the tuple (  ,   ,   ,   , ), where   is the number of panels in the vertical plane,   the number of panels in the horizontal plane,   the number of antenna elements in the vertical plane,   the number of antenna elements in the horizontal plane, and  the polarization of the antenna panel ( ∈ {0, 1}) [309].In the considered experiments, the UE has an antenna array defined by the tuple (1, 1, 2, 2, 1), while BSs default configuration is (1, 1, 4, 4, 1) for ranging measurements and (1, 1, 8, 8, 1) for angles.Each BS is 3GPP standard compliant [309] and is configured with 33 dBm of transmission power for the outdoor scenario and 23 dBm in indoor [158], [393].The use of MIMO systems allows the implementation of the MUSIC for an accurate estimate of AOAs, which is more effective at the BS side rather than at the UE as the number of antennas is higher.
The channel is modeled according to the standard using a clustered delay line (CDL) impulse response for NLOS profiles, which can be defined up to a maximum bandwidth of 2 GHz [309].The CDL model adopted for the simulations is the customized one, where channel parameters can be adapted to the RT [394] multipath configuration.The number of path reflections is set to two with the shooting and bouncing rays (SBR) method.
The noise power spectral density ( 0 ) is modeled as follows: with  B as the Boltzmann constant [JK −1 ],  the bandwidth [Hz], and   =  ant + 290(  − 1) the noise temperature [K], where  ant is the temperature [K], and   is the linearized noise figure, both referring to the receive antenna.For DL measurements,   = 9 dB in FR1 and   = 10 dB in FR2, while for UL measurements,   = 5 dB in FR1 and   = 7 dB in FR2.Instead,  ant = 298 K (25°C) [160].
The PRSs are defined for ranging measurements with  PRS offset, RE = 0, and starting symbol index  0 = 0;  size = 12 and  slot symb = 12 without muting;  PRS rep = 1 slot and  PRS per = 10240 slots.Each BS sends a PRS with  PRS offset = 2 slots with respect to the other BSs in order to avoid overlaps [351].For the beam refinement procedure, we need to use more REs since each RE corresponds to a beam.Therefore, with a comb-12 pattern, we are able to create a maximum of 12 beams all at once beamformed in frequency.Alternatively, it might be feasible to increase the number of beams while reducing the number of REs through the implementation of time-based beamforming.To accomplish this task, our settings consider  PRS per = 10240 slots, while  PRS offset and the RE offset  PRS offset, RE are 1 × 12 arrays, the former has the same value repeated (as before each BS has an offset of 2 slots with respect to the others), and the latter has incremental values between 0 and 11.All the other values are unchanged.
The SRSs, instead, need to be configured for 3GPP Rel-16 positioning, with  slot symb = 8 and  size = 8, starting frequency index  0 = 0, starting symbol index  0 = 0, and  RRC = 0, which is an additional offset from  0 specified in blocks of 4 RBs.For the bandwidth configuration, we set the values  SRS = 0 and  SRS = 63 to unlock the maximum bandwidth (i.e.,  SRS = 272), and  hop = 0 to disable the frequency hopping.We also enable the periodic resource type with period and repetition as  SRS per = 10240 and  SRS rep = 2 slots [356].For the data transmission, we define the PDSCH and PUSCH, assuming to have a single transmission layer.
Regarding the algorithm implementations, the NLS is implemented by setting the step-size scaling parameter  = 0.01, a maximum of 1000 iterations, and a stopping condition of ∥ û − û−1 ∥ < 10 −4 m.While the NLS is generally used for static UE positioning, the EKF is preferable to estimate mobile UE.The mobility model is a random walk, and the driving process covariance matrix is defined as   = diag  2  ,  2  ,  2  , where the diagonal entries denote the uncorrelated standard deviations along the three axes, respectively.

D. Numerical results
In the following, we evaluate the accuracy performance of 5G positioning in the selected outdoor and indoor environments, with various configurations of system parameters.The code used for the simulation in the outdoor scenario is publicly available1.
1) Outdoor environment: For the outdoor case, we first present a statistical analysis of the location-related measurements extracted from the 5G radio signals.We then consider a static positioning use case (green pin in Fig. 18) where we assess the effect of the numerology, the type of measurements, and the BS antenna array configuration using as positioning algorithm the NLS with Gauss-Newton implementation (see Section III-C).Finally, we discuss a dynamic use-case with the UE moving along the red trajectory in Fig. 18, where we assess the tracking performance of EKF localization (see Section III-D) using different types and numbers of measurements.
a) 5G measurement accuracy: Before assessing the performance of 5G positioning, it is worth analyzing the statistics of the location measurements extracted from the received 5G radio signals.They will then be used for multi-lateration/angulation.We recall that signal propagation from the Tx to the Rx is simulated using the Matlab ® RT tool.
We report in Fig. 22 the PDF of the measurement error in (3), i.e., (  ), that is observed by collecting the location parameters along the red trajectory of the dynamic scenario in Fig. 18.We analyze the measurement errors obtained with the numerology  = 1 on the azimuth AOA (Fig. 22a), elevation AOA (Fig. 22b), and TOA (Fig. 22c), distinguishing between LOS and NLOS conditions.Regarding the azimuth AOA, we observe a symmetric distribution of the errors centered around 0 deg, with larger support for the NLOS case.The symmetry, on the other hand, is not observed on the elevation angle in NLOS conditions, as most of the errors are negatively biased in elevation due to the terrain reflections, whereas ranging inaccuracies are mostly positive since the TOF is usually the first peak in the cross-correlation.Therefore, in the case of peaks generated by multipath or NLOS measurements, the range estimate is higher than the real distance.
b) Impact of the numerology: As first assessment of 5G positioning, we evaluate the impact of the numerology  ∈ {0, 3} (i.e., both FR1 and FR2) in static conditions, using DL-TDOA measurements.The static positioning outdoor scenario is characterized by an open area (i.e., a running track) surrounded by four BSs.This emulates a condition where no obstacles are present, resulting in a nearly ideal LOS environment for positioning.
As a first example, Fig. 23a shows the scatter plot of the location fixes obtained by the NLS algorithm and the associated error ellipses for all the considered numerology, i.e.,  = 0 in 1Link to the public code repository: https://github.com/Ita97/A-tutorial-on-5G-positioningblue,  = 1 in orange,  = 2 in yellow and  = 3 in purple.A first takeaway is related to the non-recommended use of the lowest numerology for positioning tasks, as such configuration leads to large positioning errors, even in ideal LOS conditions.A more detailed comparison of the positioning performances given in terms of CDF of the UE position error in Fig. 23b.
A quantitative summary of performance metrics is reported in Table X, in terms of measurement accuracy  TDOA , twodimensional (2D) RMSE, MAE and bias.Analyzing the values in the table for  = 3 and  = 0, we quantify an improvement of 97.3% on the 2D RMSE.c) Impact of measurement type: We extend the analysis on static UE positioning by focusing on numerology  = 1 and evaluating the effect of the measurement type on the positioning performance.This comparison includes DL-TDOA, multi-RTT,  UL-AOA and DL-AOD methodologies.Dealing with angle estimation, note that the MUSIC algorithm used in UL estimation is more prone to the multipath effect than the beam management procedure employed for DL-AOD estimate due to the finer beam resolution.The critical determination of whether the signal is received via indirect propagation paths holds significant importance in identifying unreliable measurements that should be discarded.To this aim, a strategy could be to inspect the residual error Δ of the NLS algorithm.For the considered static outdoor positioning test, the PDF of the mean absolute residual error is reported in Fig. 24, which exhibits a clear bi-modal shape.The second peak (at around 15-20 deg) comes from the contributions of indirect paths; thus, it is possible to identify a threshold (red dashed line) discriminating between UL-AOA from LOS and NLOS paths.The implication of using such a threshold is highlighted in Fig. 25, in which we show the position estimated and associated error ellipse with and without discarding UL-AOA NLOS measurements.In case we do not detect NLOS measurements, i.e., we equally consider all the UL-AOAs, the error ellipse is quite high (red ellipse).On the other hand, by detecting the NLOS measurements and discarding them (shown in purple), the final error ellipse (in blue) is smaller and centered around the true UE position.
Table XI reports the results of the comparison between the different methods in terms of the standard deviation of measurement error ( TDOA ,  RTT , and  AOA ), and the following positioning metrics: 2D RMSE, MAE and bias.Focusing only on angle-based positioning, our observations reveal that the DL-AOD positioning approach, executed via the beam management procedure, yields to high positioning errors despite its reduced susceptibility to multipath interference.Instead, the UL-AOA positioning methodology exhibits a heightened susceptibility to the multipath phenomenon.The removal of NLOS measurements results into a notable enhancement in positioning accuracy.Specifically, the mean of the positioning estimates closely approximates the true UE position.Lastly, we point out that ranging-based methodologies, i.e., DL-TDOA and multi-RTT, yield superior accuracy in terms of RMSE and MAE compared to their angle-based counterparts, as they are less impacted by the incorrect geometrical information coming from multipath.Moreover, the degree of error induced by the angles is highly dependent on the distance and the BS array configuration.Among the ranging-based approaches, multi-RTT measurements demonstrate a higher level of accuracy compared to DL-TDOA.This advantage is justified by the fact that, at first, we do not account for synchronization errors at the UE side and assume perfect knowledge regarding the reply time.Then, it is also explained by the additive property of the variance of measurement noise on the two communication links  involved in a TDOA computation.
A comparison of all the four considered positioning methodologies is given in Fig. 26 in terms of PDFs of UE positioning error.The colored histograms reveal that ranging-based methodologies have a support of less than 3 m, while anglebased methods exhibit errors exceeding 10 m.However, it is noteworthy that the UL-AOA approach achieves an error peak close to one meter, similar to the performance of TDOAs and RTTs.By contrast, the DL-AOD method exhibits a conspicuous bias, evidenced by a peak error of approximately 10 m. d) Impact of BS antenna configuration: As a last analysis on static UE positioning, we analyze the impact of different configurations of BS antennas in UL-AOA measurements in FR1 ( = 1).Specifically, the communication hardware at BSs is compared for the following tuples: (1, 1, 4, 4, 1), (1, 1, 8, 8, 1), and (1,1,16,16,1).This analysis aims to evaluate the impact of the number of MIMO antennas in accurately estimating the AOA.Table XII reports  2 m using only UL-AOA information.
e) Outdoor mobile scenario: This analysis aims to assess the tracking performance of a 5G mobile positioning system based on EKF in mixed LOS/NLOS conditions with a variable number of visible BSs.The UE mobility model is a random walk [327] with a sampling time of 0.7134 s, according to the PRS periodicity  PRS rep .We consider 5G signals in FR1 with numerology  = 1, and the use of DL-TDOA, UL-AOA and the combination of the two types of measurement.
The 5G positioning results are first analyzed with the heatmap of the positioning error in Fig. 27, complemented with the associated CDFs in Fig. 28 and the summary in Table XIII.Looking at the heatmaps in Fig. 27 trajectory, where the visibility is poor, i.e., no LOS BSs or at most one are present (see Fig. 21).The areas well covered by many BSs, such as the top-left and bottom-right portions of the trajectory, guarantee better positioning.We recall that at least two BSs are required to have one TDOA measurement; thus, having poor visibility conditions is detrimental to DL-TDOA methodology.On the other hand, AOA-based methods are highly susceptible to multipath, and the method of residuals described in Section V-D1c cannot be employed within the EKF.Overall, the joint use of DL-TDOA and UL-AOA leads to better positioning, as the tracking algorithm is frequently updating the estimate with measurements, minimizing outage conditions and avoiding to rely on motion model prediction over long time periods.Table XIII depicts the overall accuracy of the trajectory, showing the need for higher BS density to attain satisfactory results when solely relying on 5G measurements.A breakdown of the achieved UE position error according to the number of available DL-TDOA measurements  is reported in Fig. 29.Notice that with only one or two TDOA measurements, the results are very poor as the information gain provided by the measurements in the EKF is limited by the weak geometric condition.By increasing the number of simultaneously available measurements, as expected, the positioning accuracy improves.Having a number of measurements higher than 3 guarantees good accuracy (≈ 1 m).This confirms the importance of guaranteeing good visibility and coverage conditions for unlocking precise positioning services.
2) Indoor environment: For the indoor environment (Fig. 20), we focus on two scenarios: an office with a single BS and an industrial area full of metallic objects (e.g., machinery and robots).This selection allows us to assess the 5G capabilities for a perspective consumer application (e.g., smartphone location-based services with FR2 support), as well as to analyze the introduction of 5G positioning into industrial production  and manufacturing environments (e.g., by a 5G private network providing positioning services inside a factory).a) Office area: In the office scenario illustrated in Fig. 20a, we focus on static UE positioning with a single BS using the NLS algorithm.We consider RTT and UL-AOA measurements extracted from PRS and SRS.An FR2 communication link is simulated with numerology  = 3 ( = 400 MHz).For the ranging measurements, we adopt a parabolic interpolation [395] to improve the cross-correlation peak detection at the Rx side.The antenna array is configured with the tuple (1, 1, 8, 8, 1).
In this small environment, we observed a measurement accuracy equal to  AOA, az =  AOA, el = 3.44 deg,  RTT = 0.32 m, while the results for UE positioning indicate a 2D RMSE of 0.66 m and an MAE of 0.52 m, with bias of 0.38 m.
The location fixes provided by the different positioning methods are shown in Fig. 30.The presence of multiple clusters manifests the ambiguities generated by multipath on angle estimation.The multipath detection method on residual error (presented in Section V-D1c) remains constrained when restricted to two measurements.As a matter of fact, the NLS will always converge with low Δ.Nevertheless, opportunities for mitigating this error still exist, especially through the incorporation of supplementary information such as architectural floor plans.Practically, embedding physical constraints on the position estimates will enforce the positioning algorithm to provide outcomes falling within the office area, rejecting estimates falling outside.An example of such a process is shown in Fig. 30, where the estimated positions that fall outside the office room are highlighted in pink, while those inside are in blue.The goal of the figure is to point out the improvements that can be obtained by discarding outside estimates in terms of error ellipse: the ellipse is larger in case the room information is not embedded.By incorporating side information on the room map, the achieved positioning has a 2D RMSE of 0.49 m and an MAE of 0.41 m, with a bias of 0.31 m.
b) Industrial area: In the industrial area (Fig. 20b), we placed 4 tri-sectorial cells in the corners near the columns.The simulations refer to a worker walking around the area over a Ushaped trajectory.A peculiarity of the scene is the high density of metallic surfaces, which produce strong multipath effects.As for the tracking in Section V-D1, we employed the EKF with a sampling time of 0.7134 s, according to the PRS periodicity  PRS rep , and the antenna array is defined by the tuple (1, 1, 4, 4, 1).Also in this case, we adopted numerology  = 3 and the parabolic interpolation for TOA peak detection.
The analysis is focused on assessing the tracking ability when using DL-TDOA measurements, comparing the case where the positioning system is able to accurately detect and discard NLOS measurements (green curve) with a solution that uses all TDOAs regardless of the visibility condition (red curve).
The estimated trajectories are reported in Fig. 31, which shows remarkable improvements brought by an NLOS identifi- cation algorithm in discarding unreliable measurements, even in the presence of strong multipath caused by metallic objects and surfaces.Fig. 32 reports the heatmap of the positioning error, observing that the large positioning errors for the EKF that uses all DL-TDOA measurements are mainly present near the obstacles that prevent direct BSs visibility.Overall, we achieve a mean accuracy of 1.97 m for the EKF without NLOS mitigation and of 0.28 m for the EKF discarding NLOS measurements.
Most of the primary challenges we encountered are addressed in the 3GPP releases following the Rel-16.In Rel-17, NLOS detection will be enhanced by specifying whether each received signal arrives via a direct or reflected path.Additionally, each signal will be characterized by its TOF after applying the TEG timing correction.The introduction of path-based received power will further refine angle measurements by distinguishing multipath components.In Rel-18, the network is expected to become more intelligent with the integration of AI/ML and advanced positioning techniques, such as CPP, unlocking high accuracy positioning even with lower bandwidths and lowpowered devices (i.e., LPHAP).
As final remarks on the enabled positioning services described in Table II and Table III, we point out that when relying solely on 5G positioning, without any advanced filtering technique, in outdoor dynamic scenarios only the vehicle decision assist V2X service with required accuracy of 150 cm can be supported when  = 1.On the other hand, considering the context of indoor industrial use cases, all the services except goods storage are feasible.

VI. Lessons Learned and Open Issues
In the previous sections, we highlighted the importance of cellular positioning, starting with a historical overview, outlining the major trends of the research (Section II), providing examples of measurements and algorithms (Section III and detailing the latest standard for cellular positioning (Section IV) with associated simulations and performance analyses (Section V).In this section, we discuss the simulation results along with the lessons learned (Section VI-A), and we highlight the current limitations of 5G positioning (Section VI-B).

A. Lessons Learned
In Section V-D, we conducted extensive simulation experiments to explore the capability of the 5G technology in providing accurate positioning services.The objective was to provide quantitative results on the achievable performance for varying 5G numerology, type of measurements (DL-TDOA, multi-RTT, UL-AOA, or DL-AOD), BS antenna configuration, and BS visibility.The findings confirm that augmenting the bandwidth and the antenna array aperture enhances the positioning accuracy, as expected.Additionally, the quantity of BSs in visibility is shown to play a pivotal role in achieving high positioning accuracy.Overall, the fusion of multiple and heterogeneous 5G measurements and the strategic application of tracking filters represent a viable strategy for overcoming the BS visibility issue.
The numerical results suggest that in dynamic outdoor scenarios, a mobile device is not yet capable of using 5G DL-TDOA to localize itself with a sub-meter accuracy and meet the requirements of the precise positioning services in Table II.For enhancing the positioning performance, it is recommended to use more sophisticated algorithms (e.g., tracking filters and NLOS detection techniques), integrate multiple types of measurements, increase the number of BSs in visibility, or even combine 5G with additional localization technologies (e.g., GNSS or inertial units).On the other hand, in indoor scenarios, 5G mmWave positioning is shown to successfully achieve the cm-level accuracy, meeting the stringent requirements of the industrial use cases outlined in Table III.
Main lessons learned from the above performance analyses are as follows: • Channel estimation complexity: CDL channel estimation requires high computational complexity that grows with the number of antennas, rays, reflections, and diffractions.
In this tutorial, we used MIMO antenna arrays in all the simulations to ensure high fidelity and realism in the simulated scenario.However, in the case of ranging only, it is possible to reduce the computational complexity by using an equivalent single-input single-output (SISO) channel with a higher Tx power that compensates for the MIMO beamforming gain.≈10 cm accuracy, compared with ≈30 cm obtained in our simulations.This is achievable due to the higher bandwidth (≥500 MHz) [379] that is not yet available in 3GPP Rel-16.Most of the primary challenges we encountered are addressed in the 3GPP releases following the Rel-16.In Rel-17, NLOS detection will be enhanced by specifying whether each received signal arrives via a direct or reflected path.Additionally, each signal will be characterized by its TOF after applying the TEG timing correction.The introduction of path-based received power will further refine angle measurements by distinguishing multipath components.In Rel-18, the network is expected to become more intelligent with the integration of AI/ML and advanced positioning techniques, such as CPP, unlocking high accuracy positioning even with lower bandwidths and lowpowered devices (i.e., LPHAP).
As final remarks on the enabled positioning services described in Table II and Table III, we point out that when relying solely on 5G positioning, without any advanced filtering technique, in outdoor dynamic scenarios only the vehicle decision assist V2X service with required accuracy of 150 cm can be supported when  = 1.On the other hand, considering the context of indoor industrial use cases, all the services except goods storage are feasible.

B. Open Issues
While technical concepts and architectures are well defined from a theoretical point of view, practical implementation in commercial systems is still restrained.The discussion in the following sections is thus focused on current impairments that still limit the pervasive adoption of cellular positioning technologies.

1) Antenna position and orientation:
Accurate cellular positioning strictly needs a precise knowledge of the true location of each antenna panel of the BS in terms of latitude, longitude, and altitude.At present, the information about the BS location is very approximate, e.g., based on GNSS surveys, and typically, with no indication of the exact positions of distributed panels, i.e., only one location information is available for each BS.Considering that there are sites with non-co-located panels (possible distances of tens of meters between different panels), a lack of this information unavoidably introduces errors in timebased positioning measurements.It follows that precise mapping surveys are needed to build a reliable database of the antenna positions for each BS, and this operation can be tedious, timeconsuming, and complex due to (not so rare) impervious sites.
In addition to the antenna position, precise tilting information is also required to guarantee reliable angular information.Manual tilting measurements are subject to errors, and also, in this case, the operations can be risky and complex, even more than measuring the position.Clearly, the antenna supports need to be highly stable to avoid slight rotations over time, i.e., they should be resistant to severe weather conditions.Furthermore, accurate calibration procedures are requested to guarantee optimal performance of the antenna arrays at BSs.
Lastly, exact knowledge of cable length from the antenna to the signal source generator (typically at the baseband unit) and cabling material is required to precisely measure the TOF.
2) Synchronization error: While the recommendation for communication of ITU indicates a tolerable synchronization error of ±1.5 s [359], the requirements for positioning are much stricter.As a matter of fact, a synchronization error of ±3 ns results into a positioning error of ≈1 m, and the upper bound of ±1.5 s, corresponding to ≈450 m of ranging error, is clearly incompatible with most of the 5G positioning use case requirements (see Section II-A), preventing any precise positioning service.At present, 5G networks use GNSS-based synchronization or packet-based synchronization with IEEE 1588v2 PTP [396], but these standards cannot provide an accuracy close to 1 ns.Reaching a near-zero nanosecond error is challenging, but research demonstrates that fiber-based solutions such as the White Rabbit protocol [397] can reach synchronization error values of 1 ns or even less [398].Having a precisely synchronized 5G network will ensure a common scanning of the time domain for all BSs, which would exactly transmit in the allocated time slot, limiting the interference and avoiding introducing degrading effects on time-domain measurements due to clock drifts.

3) BS density:
The foreseen density of 5G BSs in urban scenarios is one BS every 200 m [391].If having such a high number of BSs increases the investment costs of operators, on the other side, it brings a significant improvement on the cellular positioning use case, boosting the roll-out of commercial services.We demonstrated that it is possible to localize a UE with a single BS in LOS; thus, a high density of BSs would minimize blind areas and NLOS conditions, allowing for a precise cellular positioning service to the users.Clearly, the coverage of a single BS would be limited to a few tens of meters, thus demanding the network to perform handover procedures quickly.The advantage of having close BSs is that it facilitates the indoor/outdoor transition, guaranteeing a seamless positioning service.
4) Hardware availability: As of today, experimental activities on 5G positioning are slowed down by a lack of commercial-ready hardware allowing the extraction of physical level parameters.As a matter of fact, current practical works mainly adopt modified commercial devices [399], [400] or adhoc hardware [401], [402] which rarely permit the exploitation of raw measurements.So far, the only research paper that measures raw 5G TOF is [113].However, the expensive cost of the hardware and non-compact size, together with the not-soeasy accessibility and usability, produce an inevitable slowdown of the research and testing procedures.The above limitations are valid for both FR1 and FR2 bands and are further exacerbated for the latter.This lack, which is going to be resolved soon due to the high push from industries, prevents a pervasive assessment of 5G positioning potentialities at mmWave and large bandwidths, which would unleash the rollout of advanced and precise cellular-based location services.The last desired feature is also limited by a restricted deployment of public mmWave BSs.

5) Deployment of private networks:
An additional notable issue pertains to the indoor 5G positioning domain and it revolves around the current state of private networks.As of today, it is observed that private networks have not been widely integrated into industrial settings despite the positioning opportunities they hold (see Section V-D2).This deficiency in the deployment has prompted industries to seek alternative technologies to fulfill their specific connectivity and positioning requirements.One such alternative that has gained considerable attention is UWB technology, particularly in industrial facilities where precise positioning is requested for the automation of workflows [31].

VII. Conclusion and Future Research
This tutorial paper on 5G positioning aims to serve as a trusted reference for understanding the potentialities and limitations of the latest cellular localization technology.We covered a journey to explore the fundamental concepts, techniques, and challenges associated with 5G positioning, delving into the technical underpinnings of 5G networks and how they can enable accurate positioning.After summarizing the transition from 1G to 4G, we detailed the 5G evolution across the releases of the 3GPP standard, and we explored the major research trends towards 6G.We delved into an explanation of the 5G positioning system and its associated capabilities, as defined by current industry standards, and highlighted how the latest technological enhancements could bring new possibilities for the roll-out of commercial cellular positioning services.
This tutorial is designed to be a valuable resource not only for academic audiences but also for professionals and businesses operating in or considering entry into the market of positioning services.To this extent, we presented results from extensive simulations designed to assess the positioning performance in diverse settings, including outdoor and indoor environments.Several analyses have been conducted to motivate the adoption of 5G technology for industrial positioning, revealing its appeal for indoor applications while simultaneously highlighting the inherent current limitations in outdoor contexts.
The findings revealed the superior accuracy of ranging measurements compared to angle-based methods.Specifically, UL-AOA positioning can be susceptible to the multipath effect, although it is worth noting that the angle accuracy is significantly linked to the dimensions of the antenna array.Moreover, integrating multipath detection techniques offers the potential to mitigate this influence by eliminating anomalous positioning estimations, yielding refined results.The simultaneous utilization of angle and ranging measurements proves advantages for achieving precise positioning, particularly in areas characterized by a low density of BSs.Additionally, we illustrated the methodology for conducting position estimation using a single BS, obtaining promising results.Furthermore, tracking filters demonstrate their efficacy in environments characterized by multipath interference and limited measurement data, such as indoor and urban scenarios.Compared to urban settings, more reliable outcomes are observed in restricted environments, such as industrial areas.This discrepancy may be attributed to several factors, including the proximity of BSs to the user, the consistent presence of at least three BSs in LOS, as well as the availability of larger bandwidth (100 vs 400 MHz).
Future research in cellular positioning should focus on enhancing the accuracy and reliability of the positioning service, pushing the boundaries of current capabilities, and providing a cm-level accuracy even in challenging environments.To this extent, the integration with other localization technologies is highly recommended, as well as the use of AI-powered techniques.A transversal aspect covering all the positioning processes is related to data privacy and security, which call for safe measures preserving UE location data.The design and implementation of secure positioning protocols are mandatory.Their adoption can also be functional for the implementation of dedicated privacy-preserving algorithms, e.g., FL.This implies the involvement of standardization bodies and dedicated efforts contributing to the enhancement of cellular positioning.The innovation also includes industrial collaboration in offering open-source development platforms facilitating testing and implementation with hardware.
5G positioning is still in its early stages of development and, most importantly, deployment.Despite its challenges, positioning in 5G (and the forthcoming 6G) networks holds high potential to revolutionize various industries and applications, especially in autonomous mobility, UAVs, NTNs, asset tracking and logistics, VR, and metaverse.The use cases in these areas define stringent requirements for positioning, but at the same time, they unlock new possibilities for location-based services.Undoubtedly, most of the existing works dealing with 5G positioning consider simulation environments or ad-hoc limited hardware (e.g., SDR).The verification of 5G potentialities with real networks should be a high-priority objective of incoming research, validating the impact of BSs density, propagation conditions, interference, and hardware impairments.
Advancing 5G positioning requires integrated cooperation of different partners (e.g., universities, industry players, policymakers, and standardization bodies), whose collaboration should drive technological innovation and economic growth.The definition of clear value propositions and cost-effective deployments, tailored to the specific use cases and industrial needs, is a non-trivial task for enterprises that require economic feasibility of implementation.From this perspective, agreeing on standardization and regulations that address privacy concerns and guarantee interoperability across several technologies is central for a large-scale adoption in the industry.Still, companies can deploy private networks and offer communication and positioning services internally, with optimized deployment according to the defined KPIs and services.
Given the increasing demand for precise and reliable positioning in various applications, we can envision a promising future for 5G positioning technologies.The progress made in this field, as outlined in this tutorial, underscores the potential for transformative changes in various sectors.We hope that this tutorial serves as a valuable resource for researchers, engineers, and innovators, contributing to the continued evolution and widespread adoption of 5G positioning solutions, ultimately enhancing our daily lives and driving innovation across industries.

List of
This work was partially funded by the European Union-NextGenerationEU under the National Sustainable Mobility Center CN00000023, Italian Ministry of University and Research (MUR) Decree n. 1033-17/06/2022 (Spokes 6 and 9), and under the MUR Decree n. 352-09/04/2022, by the Vinnova B5GPOS Project under Grant 2022-01640, and by the Swedish Research Council (VR grant 2022-03007).
[ ] ,  indicates the -th row and -th column of the matrix , and [ ]

𝑖 1 :
2 ,  1 :  2 indicates the selection of the matrix rows between indices  1 and  2 and matrix columns between indices  1 and  2 .Cov(•) denotes the covariance and E[•] the expected value.When vector  follows a Gaussian distribution, it is referred to as  ∼ N (E[], Cov()).R and C indicate the sets of real and complex numbers, respectively.II.5G Positioning: History, Present, and Future

Fig. 2 .
Fig. 2. Timeline of cellular communication reporting the phases of 5G evolution, the associated 3GPP releases, and the main positioning enhancements.

Fig. 4 .
Fig. 4. Beam space representation of a MIMO channel.(a) LOS channel; (b) NLOS channel.On the left, spatial representation of the normalized received power versus the azimuth AOAs and AODs.On the right, power-angle-delay profile of the received signal, with path delay converted into distance for an easier interpretation.

Fig. 12 .
Fig. 12. Beam refinement phase within the beam management procedure for DL-AOD estimation with  PRS = 12.In the example, 12 different Tx spatial PRS beams are formed over different angles in a confined angular domain.The beam with the highest RSRP is chosen by the UE.The blue line indicates the direct path; the best beam is the light green one.

Fig. 13 .
Fig. 13.PRS resource set employed for beam generation in the beam refinement procedure.Each color represents a different PRS RE.

Fig. 14 .
Fig.14.TOF estimation via multi-RTT procedure in 5G using UL and DL measurements.The procedure starts with the UE sending an SRS to the BS, which responds with a PRS.The overall RTT is computed at UE side, knowing the reply time of BS.

Fig. 15 .Fig. 16 .
Fig. 15.DL block diagram for location measurement extraction.Top row represents the beam pair selection in DL-AOD estimation; whereas the bottom one reports the angle refinement and TOF extraction.BS, propagation channel and UE are indicated with blue, white, and orange colors, respectively.The OFDM Demodulation block includes the channel estimation.

Fig. 17 .
Fig. 17.Snapshot of Matlab ® RT tool for a scenario with three BSs (blue markers) and one UE (green marker) at Politecnico di Milano Leonardo campus.

Fig. 18 .
Fig. 18.Outdoor urban scenario in Politecnico di Milano, Leonardo campus.(a) 3D satellite view of the area (Map data: ©2023 Google Earth).(b) BSs deployment, coverage, and UE locations.Blue markers indicate the positions of 5G BSs, green marker the UE position used for static experiments, while red circles the UE trajectory for mobile simulations.

Fig. 21 .
Fig. 21.Outdoor urban scenario -Visibility map along the trajectory.For each of 15 BSs, red area refer to NLOS condition, while green ones are for LOS condition.The first subplot refers to the aggregated number of LOS BSs.

Fig. 24 .Fig. 25 .
Fig. 24.Static outdoor positioning -multipath detection on the residual error.PDF of the mean absolute residual error of NLS estimation using UL-AOA measurements.The red dashed line represents the threshold to discriminate multipath-affected positioning outputs.

Fig. 26 .
Fig. 26.Static outdoor positioning -PDFs of the positioning error for different types of measurement.

Fig. 28 .
Fig. 28.Outdoor mobile positioning -CDF of the UE positioning error using an EKF with different types of measurements.

5 𝑀Fig. 29 .
Fig. 29.Outdoor mobile positioning -breakdown of the UE position accuracy according to the number of DL-TDOA measurements .

Fig. 30 .
Fig. 30.Indoor single-BS positioning -scatterplot of position estimates and error ellipse.Comparison of embedding (blue) or not (pink) information about the room physical dimension.

Fig. 31 .Fig. 32 .
Fig.31.Indoor mobile positioning with DL-TDOA measurements.Comparison between an EKF that is able to identify and discard NLOS measurements (green) and an EKF that uses all the available measurements regardless of the visibility condition (red).

TABLE I
Comparison of existing surveys and tutorials on cellular positioning Mind map visualizing the contents of this manuscript and the associated sections.
• We provide a detailed description of the standardized 5G positioning signals as foreseen by the 3GPP standard, specifying their configuration parameters and usability.

TABLE IV Measurement
models and entries of the Jacobian matrix for 3D localization algorithms.Angles are referred to the UE.
63}.These values control the bandwidth allocated to the SRS.The number of RBs is given by the specific value denoted as  SRS in the table mentioned above.The frequency hopping of SRS is configured by the parameter SRS ∈ {0, . . ., hop ∈ {0, 1, 2, 3}.With  hop ≥  SRS = 0, the frequency hopping is disabled.In Rel-16, frequency hopping is not supported; however, part of its parameters are bandwidth indications, which are still applicable.At last, rx, , where  rx, and  rx, ′ are the reception time instants of signals from BSs  and  ′ , respectively.The RSTD defines the time interval observed by the UE between the reception of DL reference signals from two different BSs; • real-time difference (RTD):  tx, ′ −  tx, , where  tx, and  tx, ′ are the transmit time instants of signal from BS  and  ′ , respectively.The RTD denotes the synchronization between two BSs, i.e., if two RTDs are perfectly synchronized, the RTD is 0; (2) channel matrix H  from(2), by defining the beam codebooks comprising  and  candidate beamforming vectors at Rx and Tx sides respectively as W rx = { rx,1 , ...,  rx, } ∈ C  rx × and W tx = { tx,1 , ...,  tx, } ∈ C  tx × , the selection of the optimal beam pair follows an optimization problem defined as  PRS narrow beams are shot within the spatial domain selected in the SSB reporting (see Fig.12).Since  PRS =  slot symb and they can be steered in azimuth and elevation, we define the number of steering vectors in azimuth as PRS and the number of steering vectors in elevation as  PRS  .Therefore, we can depict the PRS resolution for azimuth and elevation respectively as  PRS RES =  SSB RES / PRS s.t. rx,ℓ ∈ W rx , with ℓ = 1, . . ., , s.t. tx, ∈ W tx , with  = 1, . . .,  . and  PRS RES =  SSB RES / PRS  .Since OFDM signals are employed, it is worth delving into a more comprehensive exploration of the techniques for effectively managing them

TABLE X
Summary of results for static UE outdoor positioning with DL-TDOA measurements using different numerologies

TABLE XII Static
outdoor positioning -Impact of BSs array size in UE positioning with UL-AOA measurements at FR1 ( = 1) 4 × 4 8 × 8 16 × 16 The geometric factor of the network deployment highly affects the positioning results, particularly when a mobile UE is involved, and the visibility conditions change over time.In these cases, a selection algorithm that automatically identifies the optimal set of BSs for positioning is recommended.In TDOA-based positioning, the selection should also account for the geometry of the TDOA hyperbola, guaranteeing a choice of the reference measurement that avoids ill-conditioned geometrical configurations.is obstructed by a building, the ideal direct path of about 100 m can be confused with a path in NLOS of 150 m, resulting in an overall positioning error of about 50 m.NLOS detection and mitigation techniques are almost a requirement for precise positioning services, especially in urban areas where the density of BS deployment cannot guarantee a continuous LOS condition in any location.
• BS selection: • NLOS impact: UE positioning in the presence of NLOS BSs is hard even with tracking filters, resulting in high accuracy errors.Ranging measurements from NLOS BSs overestimate the UE, while NLOS angle measurements misrepresent the spatial direction of the UE.A single NLOS TOF can bring severe degradation if it is used as reference measurement in TDOA-based methods.Intuitively, if the direct path