Safety analysis of a vehicle equipped with Cooperative Adaptive Cruise Control

15th IFAC Symposium on Control in Transportation Systems 15th 15th IFAC IFAC Symposium Symposium on on Control Control in in Transportation Transportation Systems Systems June 6-8, 2018. Savona, Italy 15th IFAC IFAC Symposium on Control in in Transportation Transportation Systems 15th Symposium on Control Systems June 6-8, 2018. Savona, Italy Available online at www.sciencedirect.com June 6-8, 2018. Savona, Italy 15th IFAC Symposium on Control in Transportation Systems June 6-8, 2018. Savona, Italy June 6-8, 2018. Savona, Italy June 6-8, 2018. Savona, Italy

ScienceDirect

IFAC PapersOnLine 51-9 (2018) 367–372

Safety Safety analysis analysis of of a a vehicle vehicle equipped equipped with with Safety analysis of a vehicle equipped with Cooperative Cruise Control Safety analysis Adaptive of a vehicle equipped with Cooperative Cooperative Adaptive Adaptive Cruise Cruise Control Control Cooperative Adaptive Cruise Control ∗,∗∗ , Jeroen Ploeg ∗,∗∗ ∗,∗∗ Jeroen A. J. Ligthart ∗,∗∗

Jeroen A. J. Ligthart ∗,∗∗ , Jeroen Ploeg ∗,∗∗ ∗,∗∗ ∗,∗∗ ∗∗ ∗∗,∗∗∗ ∗,∗∗ ∗∗,, Jeroen ∗∗,∗∗∗ , Elham Semsar-Kazerooni Mauro Fusco Jeroen A. J. Ligthart ∗,∗∗ Ploeg ∗∗ ∗∗,∗∗∗ ∗,∗∗ Elham Semsar-Kazerooni Mauro Fusco ∗,∗∗ ∗∗,, Jeroen ∗∗,∗∗∗ , ∗ Jeroen A. J. Henk Ligthart Ploeg ∗∗ ∗∗,∗∗∗ Elham Semsar-Kazerooni , Mauro Fusco , ∗ ∗ Henk Nijmeijer Nijmeijer ∗∗ ∗ Elham Semsar-Kazerooni , Mauro Fusco ∗∗,∗∗∗ , ∗ Henk Nijmeijer Henk Nijmeijer ∗Eindhoven University of ∗ ∗ ∗ Department Department of of Mechanical Mechanical Engineering, Engineering, Eindhoven University of ∗ ∗ Technology, Eindhoven, Netherlands Department ofTechnology, MechanicalEindhoven, Engineering, Eindhoven University of ∗ Netherlands ∗∗ Department ofTechnology, Mechanical Engineering, Eindhoven University of ∗∗ Integrated Vehicle Safety Department, TNO, Helmond, Eindhoven, Netherlands ∗∗ Vehicle Safety Department, TNO, Helmond, Netherlands Netherlands ∗∗ ∗∗∗ Technology, Eindhoven, Netherlands ∗∗ Integrated Integrated Vehicle Safety Department, TNO, Helmond, Netherlands ∗∗∗ ∗∗∗ Corresponding Corresponding author author (e-mail: (e-mail: [email protected]) [email protected]) ∗∗ ∗∗∗ Integrated Vehicle Safetyauthor Department, Helmond, Netherlands ∗∗∗ Corresponding (e-mail:TNO, [email protected]) ∗∗∗ Corresponding author (e-mail: [email protected]) Abstract: Abstract: Stability Stability and and string string stability stability of of platoons platoons equipped equipped with with Cooperative Cooperative Adaptive Adaptive Cruise Cruise Abstract: Stability and string stabilityinofliterature. platoons equipped with Cooperative Adaptive Cruise Control (CACC) is widely discussed However, safe behavior of aa vehicle in Control (CACC) is widely discussed in literature. However, safe behavior of vehicle in aa Abstract: Stability and string stability of platoons equipped with Cooperative Adaptive Cruise platoon, i.e., making sure that a vehicle is not involved in a collision with its preceding vehicle, Control (CACC) is widely discussed in literature. However, safe behavior of a vehicle in a platoon, i.e., making sure that a vehicleinisliterature. not involved in a collision with its preceding vehicle, Control (CACC) is widely discussed However, safe from behavior of a set vehicle in to a is not to large extent. This exploits techniques platoon, i.e., making a vehicle not involved a collision withinvariant its preceding vehicle, is not considered considered to aasure largethat extent. This ispaper paper exploits in techniques from invariant set theory theory to platoon, i.e., making sure that a vehicle ispaper notininvolved in aHere, collision withinvariant itsthe preceding vehicle, is not considered to a large extent. This exploits techniques from set theory to perform a safety analysis of vehicle behavior a platoon. regions in state space are perform a safety analysis of vehicle behavior in a platoon. Here, regions in the state space are is not considered to a large extent. This paperinexploits techniques fromThese invariant set theory to determined that behavior of for all all future time. so-called safe sets sets perform a safety analysis ofsafe vehicle behavior a platoon. Here, time. regions in the state space are for future These so-called safe determined that guarantee guarantee safe behavior of aa vehicle vehicle perform a safety analysis of vehicle behavior in a platoon. Here, time. regions inand the state space are are determined for CACC under various circumstances, in particular with without wireless determined that guarantee safe behavior of a vehicle for all future These so-called safe sets are determined for CACC under various of circumstances, in particular with andso-called without safe wireless determined that guarantee safe behavior asafety vehicle for all future time. These sets are determined for CACC under circumstances, in particular and without wireless inter-vehicle communication. The proposed framework supports real-time safety inter-vehicle communication. Thevarious proposed safety analysis analysis frameworkwith supports real-time safety are determined for CACC under various circumstances, in particular with and without wireless inter-vehicle communication. The proposed safety analysis framework supports real-time safety monitoring in vehicles. monitoring in vehicles. inter-vehicle The proposed safety analysis framework supports real-time safety monitoring incommunication. vehicles. © 2018, IFAC Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. monitoring in(International vehicles. Keywords: Keywords: Safety Safety analysis, analysis, Vehicle Vehicle control, control, Cooperative Cooperative control, control, Invariant Invariant set set theory. theory. Keywords: Safety analysis, Vehicle control, Cooperative control, Invariant set theory. Keywords: Safety analysis, Vehicle control, Cooperative control, Invariant set theory. 1. Ploeg, 1. INTRODUCTION INTRODUCTION Ploeg, 2015). 2015). Recent Recent developments developments in in longitudinal longitudinal control control 1. INTRODUCTION Ploeg, 2015). Recent developments in longitudinal control for CACC consider for example nonlinear vehicle-following for CACC consider for example nonlinear vehicle-following 1. INTRODUCTION Ploeg, 2015). Recent in longitudinal control CACC consider fordevelopments example nonlinear controller design et al., controller design (Semsar-Kazerooni (Semsar-Kazerooni et vehicle-following al., 2017), 2017), fault fault There is is an an interest interest to to decrease decrease the the time time gap gap between between for There for CACCof consider for example nonlinear vehicle-following controller design (Semsar-Kazerooni et al., 2017), fault tolerance the controller (van Nunen et al., 2013), and There is an interest to decrease the time gap between tolerance of the controller (van Nunen et al., 2013), and vehicles on the road, since this potentially imposes a devehicles on the road, since this potentially imposes a de- tolerance controller design (Semsar-Kazerooni etetal., 2017), fault of the controller (van Nunen al., 2013), and review of string stability (Dey et al., 2016; Ploeg, 2014). There is an interest to decrease the time gap between vehicles on the road, since this potentially imposes a decrease in fuel consumption and, simultaneously, increases review of string stability (Dey et al., 2016; Ploeg, 2014). crease in fuel consumption and, simultaneously, increases review of the stability controller(Dey (vanetNunen et al., 2013), and of string al., 2016; Ploeg, 2014). vehicles theconsumption road,throughput since this a de- tolerance crease inon fuel and, potentially simultaneously, increases the maximal road (van Arem imposes et al., al., 2006; String stability is an important aspect of CACC design. the maximal road throughput (van Arem et 2006; review of string stability (Dey et al., 2016; Ploeg, 2014). String stability is an important aspect of CACC design. crease in 1993). fuel consumption and,that simultaneously, increases the maximal road throughput (van et al., Varaiya, A technology technology is Arem developed for2006; that String stability is an string important aspect of CACC design. If aa platoon exhibits stable behavior, the of Varaiya, 1993). A that is developed for that If platoon exhibits string stable behavior, the effect effect of the maximal road throughput (van Arem et al., 2006; Varaiya, 1993). A technology that is developed String stability is an important aspect ofnot CACC design. purpose is Cooperative Adaptive Cruise Control (CACC), for that a platoon exhibits string stable behavior, the effect of disturbances at the front of the string are amplified in purpose is Cooperative Adaptive Cruise Control (CACC), If disturbances at the front of the string are not amplified in Varaiya, 1993). A technology that is developed for that purpose If a platoon exhibits string stable behavior, the effect of which is is is anCooperative extension of ofAdaptive AdaptiveCruise CruiseControl Control(CACC), (ACC). disturbances at the front of the string are not amplified in upstream Undoubtedly, to collisions at which an extension Adaptive Cruise Control (ACC). upstream direction. direction. Undoubtedly, to avoid avoid collisions at the the purpose which is is anCooperative extension ofAdaptive AdaptiveCruise CruiseControl Control(CACC), (ACC). disturbances at the front of the string are not amplified in upstream direction. Undoubtedly, to avoid collisions at the tail of the string, string stability becomes more important In ACC, theextension velocity ofof ofAdaptive vehicleCruise is adapted adapted such that tail of the direction. string, string stability becomes more important which is an Control (ACC). In ACC, the velocity aa vehicle is such that upstream Undoubtedly, to avoid collisions at the tail of athe string, string stability becomes more important when large number of vehicles are platooning. However, In ACC, the velocity of a vehicle is adapted such that its preceding vehicle is kept at a fixed distance or time when a large number of vehicles are platooning. However, its preceding vehicle is kept at a fixed distance or time when tail of the string, string stability becomes more important a large number of vehicles are platooning. However, In ACC, the vehicle velocity a 1993). vehicle istime adapted such that even its preceding isofkept at a A fixed or time even when when aa platoon platoon is is string string stable, stable, collisions collisions can can occur occur gap (Ioannou and Chien, Chien, A gap is is defined gap (Ioannou and 1993). timedistance gap defined when when aet large number of vehicles are platooning. However, a platoon is string stable, collisions can occur (Alam al., 2014). Therefore, it is desired to be able to its the preceding vehicle is kept at a A fixed distance or time even gap (Ioannou and Chien, 1993). time gap is defined (Alam et al., 2014). Therefore, it is desired to be able to as inter-vehicle distance divided by the host vehicle as the inter-vehicle distance divided by the host vehicle (Alam even when a platoon is string stable, collisions can occur et al., 2014). Therefore, it is desired to be able to guarantee that a vehicle does not cause a collision with its gap (Ioannou and Chien, 1993). A time gap is defined as the inter-vehicle distance divided by the host vehicle velocity. For implementing ACC, the vehicle should be guarantee that a vehicle does not cause a collision with its velocity. For implementing ACC, the vehicle should be guarantee (Alam et al., Therefore, is desired toofbeawith able to that2014). a vehicle does notitsafe cause a collision its vehicle, i.e., behavior vehicle as the inter-vehicle distance divided byvehicle the host vehicle velocity. For ACC, thethe equipped withimplementing sensors that measure measure the relative velocity should be preceding preceding vehicle, i.e., guarantee guarantee safe behavior of awith vehicle equipped with sensors that relative velocity guarantee that a vehicle does not cause a collision its preceding vehicle, i.e., guarantee safe behavior of a vehicle in velocity. For ACC,is the should equipped withimplementing sensors thatACC measure thevehicle relative velocity in aa platoon. platoon. and inter-vehicle distance. ACC mainly marketed asbe and inter-vehicle distance. is mainly marketed as aa in preceding vehicle, i.e., guarantee safe behavior of a vehicle a platoon. equipped with sensors that measure the relative velocity and inter-vehicle distance. ACC is mainly marketed as a comfort and convenience option; it is neither designed for the notion comfort and convenience option; it is neither designed for Whereas in a platoon. Whereas the notion of of string string stability stability is is regularly regularly touched touched and inter-vehicle distance. ACC is mainly marketed as a comfort and behavior, convenience it is neither for Whereas fuel optimal optimal behavior, noroption; for increasing increasing road designed throughput, the notion of string stability is regularly touched upon in literature, safe vehicle behavior is not studied fuel nor for road throughput, upon in literature, safe vehicle behavior is not studied comfort and convenience option; it is neither designed for fuel behavior, nor for increasing throughput, Whereas notion of string stability isis regularly sinceoptimal the standardized standardized minimum time road gap is is not suffisuffi- upon in the literature, safe vehicle behavior is not touched studied in detail. However, some literature devoted to since the minimum time gap not in detail. However, some literature is devoted to this this fuel optimal behavior, nor forobtain increasing road throughput, since the standardized minimum gapfuel is not suffi- in upon in literature, safe vehicle behavior isetnot studied ciently small if one one wants wants to notable reduction detail. However, some literature is devoted to this topic, such as Alam et al. (2014); Nilsson al. (2014); ciently small if to obtaintime notable fuel reduction topic, such as Alam et al. (2014); Nilsson et al. (2014); since the standardized minimum gapfuel is reduction notetsufficiently small if one wants to obtaintime notable in detail. However, is devoted to this or traffic throughput (Abou-Jaoude, 2003; Alam al., topic, such as Alam some et al. literature (2014); Nilsson et al. (2014); Tomlin et where regions in space are or traffic throughput (Abou-Jaoude, 2003; Alam et al., Tomlin et al. al.as(2000), (2000), where regions Nilsson in the the state state space are ciently small if one wants to uses obtain notable fuel reduction or traffic throughput (Abou-Jaoude, 2003; Alam et al., topic, such Alam et al. (2014); et al. (2014); 2010). However, if a vehicle communication to notify Tomlin et al. (2000), where regions in the state space are for which aa collision is inevitable in case of 2010). However, if a vehicle uses communication to notify determined determined for which collision is inevitable in case of or traffic throughput (Abou-Jaoude, 2003; Alam et al., 2010). However, if a vehicle uses communication to notify Tomlin et al.for (2000), regions ininevitable the statein space other vehicles vehicles of of its its intentions intentions or or state state parameters, parameters, this this determined whichwhere a collision is the caseare of an emergency braking maneuver of preceding vehicle. other an emergency braking maneuver of the preceding vehicle. 2010). However, a vehicle communication to notify other vehicles ofifits intentions state et parameters, this determined forbraking which a collision inevitable in vehicle. case of can permit smaller time uses gapor (Ploeg et al., 2014). 2014). In an emergency maneuver ofis the There, the analysis considers aapreceding follower vehicle can permit aa smaller time gap (Ploeg al., In There, the safety safety analysis considers follower vehicle. vehicle otherpermit vehicles of its intentions or state is parameters, this can a smaller time gap (Ploeg et al., 2014). In an emergency braking maneuver of the preceding CACC, communication between vehicles used to extend the safety analysismaneuver. considers On that applies aa full-braking the hand, CACC, communication between vehicles is used to extend There, a follower hand, that applies full-braking maneuver. On the other othervehicle can capabilities permit a smaller gap vehicles (Ploeg is et used al., to 2014). In that CACC, communication between There, the safety analysis considers a follower the of ACC. ACC.time extend applies a full-braking maneuver. On the of other hand, Kianfar et al. (2013) analyze safe behavior aa vehicle vehicle the capabilities of Kianfar et al. (2013) analyze safe behavior of vehicle CACC, communication the capabilities of ACC.between vehicles is used to extend Kianfar that applies a full-braking maneuver. OnHere, the reachability other hand, (2013)controller analyze safe behavior a vehicle imposed. which has hasetits itsal.CACC CACC controller imposed. Here, of reachability Research regarding CACC has has been been ongoing ongoing for for many many which the capabilities of ACC. Research regarding CACC Kianfar etitsal.CACC (2013) analyze safe behavior of a vehicle which has controller imposed. Here, reachability theory methods are used to determine the minimal Research regarding CACC has ongoing many theory methods are used to determine the minimal interyears, where where the technology technology has been set large large stepsfortowards towards interyears, the has set steps which has its CACC controller imposed. Here, reachability methods are used tosafe determine the minimal intervehicle distance that yields behavior, when the vehicle Research regarding CACC has been ongoing for many theory years, where the technology has set large steps towards commercial implementation. implementation. Recent Recent work work discusses discusses many many vehicle distance that yields safe behavior, when the vehicle commercial theory methods are used tosafe determine themaneuver minimal interdistance that behavior, the vehicle ahead an emergency braking until years, where the technology hasasset largediscusses stepsoftowards commercial implementation. Recent work many vehicle ahead performs performs an yields emergency braking when maneuver until aspects of the the technology, such coordination CACC aspects of technology, such as coordination of CACC vehiclestill. distance that yields safe behavior, when the vehicle ahead performs an emergency braking maneuver until stand Additionally, in Kianfar et al. (2013), invariant commercial implementation. Recent work discusses many aspects of the technology, such of CACC platoons (van de Hoef et al., 2017), design of CACC comas coordination stand still. Additionally, in Kianfar et al. (2013), invariant platoons (van de Hoef et al., 2017), design of CACC com- stand ahead performs an are emergency braking maneuver until still. Additionally, in Kianfar et al. (2013), invariant theory methods to regions in aspects of(van the technology, such of CACC platoons de Hoef et(Dey al., 2017), design of CACC com- set munication frameworks (Dey et as al.,coordination 2016), and and maneuverset theory methods are used used to determine determine regions in the the munication frameworks et al., 2016), maneuverstand still. Additionally, in Kianfar et al. (2013), invariant set theory methods are used to determine regions in the platoons (van de(Bevly Hoef et al., design of CACC communication frameworks et al.,Semsar-Kazerooni 2016), and maneuverstate space space for for which which safe safe vehicle vehicle behavior behavior is is guaranteed guaranteed ing of platoons platoons et(Dey al., 2017), 2016; Semsar-Kazerooni and state ing of (Bevly et al., 2016; and set theory methods are used to determine regions in the munication frameworks et al.,Semsar-Kazerooni 2016), and maneuvering of platoons (Bevly et(Dey al., 2016; and state space for which safe vehicle behavior is guaranteed state space for which safe vehicle behavior is guaranteed ing of platoons (Bevly et al., 2016; Semsar-Kazerooni and 2405-8963 © 2018, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.

Copyright © 2018 367 Copyright © under 2018 IFAC IFAC 367 Control. Copyright © 2018 IFAC 367 Peer review responsibility of International Federation of Automatic Copyright © 367 Copyright © 2018 2018 IFAC IFAC 367 10.1016/j.ifacol.2018.07.060 Copyright © 2018 IFAC 367

2018 IFAC CTS 368 6-8, 2018. Savona, Italy June

Jeroen A.J. Ligthart et al. / IFAC PapersOnLine 51-9 (2018) 367–372

for all future time. The results that are obtained with this analysis are not discussed to a large extent in the work, since the main contribution there is to provide the safety analysis tool. This paper elaborates upon a safety analysis of the longitudinal behavior of a vehicle in a platoon based on invariant set methods. Here, the closed-loop behavior of a vehicle is considered, i.e., a vehicle which has its CACC controller imposed. Therewith, this paper creates a better insight in safe behavior in a longitudinal CACC system. The contribution of this paper is the detailed discussion of the potential, shortcomings, and results that are obtained with the invariant set methods. This contribution is novel, since other literature that discusses a safety analysis based on invariant set methods focuses on the safety analysis methodology, in contrast to analyzing the results for the vehicle platooning application. This paper is organized as follows. The vehicle dynamics and controller synthesis are discussed in Section 2. Section 3 considers the theoretical framework on which the invariant set calculations are based. The safety analysis framework is discussed in Section 4, after which the results are presented in Section 5. Finally, Section 6 summarizes the conclusions. 2. CACC DYNAMICS This section presents the longitudinal vehicle dynamics, and the controller synthesis. 2.1 Vehicle dynamics Each vehicle in a platoon is denoted by an index i ∈ N+ , which increases in upstream direction. The following vehicle model is adopted from (Ploeg et al., 2011): s˙ i (t) = vi (t) v˙ i (t) = ai (t) (1) 1 a˙ i (t) = (ui (t) − ai (t)) , τ where si is the rear-bumper position of the vehicle, vi is the vehicle velocity, ai is the vehicle acceleration, ui is the vehicle control input, and τ is the vehicle dynamics time constant. 2.2 Controller synthesis The main control objective of each vehicle is to follow its preceding vehicle at the desired distance dr,i (t). This desired distance is defined by a constant time gap policy, formulated as dr,i (t) = r + hvi (t), (2) where h is the time gap constant, and r is the standstill distance. The actual inter-vehicle distance di (t) is determined as di (t) = si−1 (t) − si (t) − Li , (3) where Li is the vehicle length. For controller synthesis, a state vector is defined in which the distance error ei = di − dr,i is included. This vector is referred to as the error state vector, and defined as follows:     si−1 − si − Li − r − hvi ei vi−1 − vi − hai i = e˙ i = . (4) e¨i ai−1 − ai − h/τ (ui − ai ) 368

Note that the time dependency of the signals is omitted to simplify notation. Based on this state vector, the error dynamics are derived as     0 1 0 0 i + 0 (ui−1 − u ¯i ) , (5) ˙i = 0 0 1 1/τ 0 0 − 1/τ where ui−1 is the control input of the preceding vehicle, acting as a disturbance, and the new control input u ¯i , which is used for controller synthesis, is defined as u ¯i := ui + hu˙ i . (6) The linear controller that is used to meet the main control objective is chosen as u ¯i = kp ei + kd e˙ i + ui−1 , (7) where the term ui−1 only appears when feedforward is imposed. A CACC vehicle which has this controller imposed, is referred to as a PD-CACC vehicle. The closed-loop dynamics are derived as     0 0 1 0 0     ˙i 0 1 0  i 0  0 +   ui−1 . =  − kp − kd − 1 0 /τ /τ 0  ui /τ u˙ i 1/h kp/h kd/h 0 −1/h (8) In Ploeg et al. (2011), it is concluded that a proper choice of the controller gains yields individual vehicle stability for these dynamics. 3. PRELIMINARIES Some mathematical definitions are stated in this section, which are used in the safety analysis. These definitions are adopted from Borrelli et al. (2017). Definition 1. Polytope P ⊆ Rn denotes an intersection of a finite set of closed halfspaces in Rn : P = {x ∈ Rn | Gx ≤ h} , (9) for state vector x, matrix G ∈ Rm×n , and vector h ∈ Rm . Definition 2. The Minkowski difference of two polytopes P ⊆ Rn and Q ⊆ Rn is P  Q = {x ∈ Rn | x + q ∈ P, ∀q ∈ Q} , (10) for vector q ∈ Rn . Definition 3. The composition of polytope P with mapping x → Ax, where A ∈ Rn×n , is P ◦ A = {x ∈ Rn | GAx ≤ h} . (11) Definition 4. The composition of mapping x → Ax, where A ∈ Rm×n , with polytope P is A ◦ P = {z ∈ Rm | z = Ax, Gx ≤ h} . (12) Definition 5. A linear discrete-time system x(k + 1) = Ax(k) + Ew(k) is considered, where the disturbance is w ∈ W with polytope W ⊆ Rd . The one-step robust controllable set with respect to this system is denoted by Pre (P, W) = (P  (E ◦ W)) ◦ A (13) = {x ∈ Rn | Ax + Ew ∈ P, ∀w ∈ W} , which defines all states x that evolve into P in one iteration of the dynamics, for all disturbances w ∈ W. This equation is determined using the following intermediate step: P  (E ◦ W) = {x ∈ Rn | x + Ew ∈ P, ∀Ew ∈ E ◦ W}, (14) where x + Ew ∈ P implies that G (x + Ew) < h ⇐⇒ Gx < h − GEw. (15)

2018 IFAC CTS June 6-8, 2018. Savona, Italy

Jeroen A.J. Ligthart et al. / IFAC PapersOnLine 51-9 (2018) 367–372

4. SAFE SET DEFINITIONS AND COMPUTATION This section proposes set definitions for the safety analysis. Also, the computation methods that are used in the safety analysis are discussed. First of all, the global definition of each safe set S is stated as follows. Definition 6. If the initial state of a PD-CACC vehicle lies in a safe set S, safe vehicle behavior is guaranteed for all future time. Safe behavior of a vehicle means that the vehicle does not collide with its preceding vehicle, subject to certain constraints on the input. The safe sets are determined with invariant set theory methods. The positive invariance property states that if a system’s initial state lies in an invariant set, all its future states lie in that set (Borrelli et al., 2017). Thus, the safe set is a positive invariant set by definition. If a disturbance is active, this positive invariance property is satisfied for all disturbance signals. Then, the positive invariant set is called a robust set. Multiple safe sets can be defined, where each set is subject to other conditions, such as the inclusion or exclusion of communication and feedforward, or the specific CACC scheme that is imposed. Before exact definitions of such safe sets are given, two other sets that are important when considering safe behavior of a vehicle are defined. First, the collision set is defined. Definition 7. The collision set U 0 defines the state space in which a collision occurs, i.e., it satisfies the relation di = si−1 − si − Li ≤ 0. Second, the admissible set A is introduced, as being the intersection of 1) the complement of the collision set, and 2) the set of physically possible states. The physically possible states are defined by intervals, whose limits are denoted with a plus or minus superscript for respectively an upper bound and a lower bound. Definition 8. The admissible set A satisfies the constraints of the state variables of the vehicles, i.e., − + + 0 ≤ vk ≤ vk+ , a− k ≤ ak ≤ ak , uk ≤ uk ≤ uk , for k ∈ {i, i − 1}, while not intersecting with the collision set, i.e., di = si−1 − si − Li > 0. The positive invariant subset of the admissible set, if any, is the safe set.

A suitable state vector must be chosen based on which the safe sets are determined. If i is used for this cause, the admissibility of the terms in this vector must be defined, which is unpractical for e˙ i and e¨i . Therefore, a different state vector is chosen. 4.1 State vector and dynamics The state vector based on which the safe sets are determined, is defined as     x1 si−1 − si − Li − r − hvi x2    vi−1 − vi     ai x = x3  =  (16) . x    ui 4 x5 ai−1 369

369

In this state vector, no absolute velocity or position terms are present, because these enforce poles at zero in the closed-loop dynamics. This means that, in case of a constant nonzero input, such terms grow unbounded as time goes to infinity. Since the safe sets satisfy the invariance property, this imposes that no safe sets exist based on a state vector that includes absolute velocity or position terms. Since the vehicle velocity vi is not included in the state vector, the error term ei = si−1 − si − Li − r − hvi must be included. Otherwise, the control input cannot be determined based on x, see (7). The original closed loop dynamics (8) are of order 4. However, to formulate the dynamics of the first two states in (16), the preceding vehicle acceleration ai−1 is required. Adding ai−1 to the state vector yields a 5th-order model. The state x is subject to the following dynamics:       0 1 −h 0 0 0 0 0 0 −1 0 0 0 1        0 x +  0 u x˙ = 0 0 −1/τ 1/τ ¯i +  0  ui−1 , 0 0 0 −1/h 0  1/h 0 1/τ 0 0 0 0 0 −1/τ (17) where the PD-CACC control input (7) can now be formulated as u ¯i = kp x1 + kd x2 − hkd x3 + ui−1 .

(18)

Here, the term ui−1 only appears when feedforward is imposed. The resulting closed-loop dynamics of x are determined as     0 1 −h 0 0 0  0 0 0 −1 0 1      0  x +  0  ui−1 , (19) 0 −1/τ 1/τ x˙ =  0 kp/h kd/h −k −1/h 0  1/h d 1 1/τ 0 0 0 0 − /τ       E (FF)

A

where A is the state matrix, and E is the disturbance matrix, in which the term 1/h is only present when feedforward is imposed. With feedforward imposed, the FF superscript is included in the notation of the disturbance matrix E. The invariant set methods that are used in the safety analysis rely on discrete-time dynamics. Thus, the dynamics (19) are approximated in discrete-time with a zero-order hold assumption. The discretization timestep is denoted by ∆t, yielding the discretized dynamics (FF)

x(k + 1) = Ad x(k) + Ed

ui−1 (k),

(20)

where Ad = eA∆t 

(FF) Ed

=

∆t

0

As

e



ds E (FF) ,

(21)

are respectively the discrete-time state and disturbance matrix. Again, the FF superscript is only included in the notation of the disturbance matrix when feedforward is imposed. The discretization timestep must be chosen notably smaller than the vehicle dynamics time constant τ , such that discretization errors are negligible.

2018 IFAC CTS 370 6-8, 2018. Savona, Italy June

Jeroen A.J. Ligthart et al. / IFAC PapersOnLine 51-9 (2018) 367–372

4.2 Dimension reduction Since the dimension of the state vector is 5, it is our aim to reduce this dimension for visualization of the safe sets and discussion of the results. The 5D sets should be used for monitoring of the vehicle state, nonetheless. For visualization, it is proposed to preserve the first two state components, since these state components are the most relevant from a safety analysis perspective. The reduced sets are determined in two different ways. Considering a point x in safe set x ∈ S ⊆ R5 , the reduced sets Sini ⊆ R2 and Sbound ⊆ R2 , described by state variables x1 and x2 , are defined as      x3 x1 | ∀ x4 , x ∈ S , Sini = x2 x5 (22)      x3 x1 Sbound = | ∃ x4 , x ∈ S , x2 x5 where Sini is the smallest projection of S to the twodimensional space spanned by x1 and x2 , whereas Sbound is the largest two-dimensional projection of S to this space. Hence, Sini ⊆ Sbound . 4.3 Safe set definitions Now that the state vector x is defined, the admissible set A (Definition 8) can be formulated with respect to this vector, as  A = x ∈ R5 | x1 + r > 0 −∆vmax ≤ x2 ≤ ∆vmax + a− (23) i ≤ x3 ≤ ai − + ui ≤ x4 ≤ ui  − , ai−1 ≤ x5 ≤ a+ i−1 where ∆vmax is the relative velocity limit.

Here, the constraint x1 + r = si−1 − si − Li − hvi > 0 is imposed to satisfy the relation si−1 − si − Li > 0. This conservative relation is imposed since vi is not included in x. Thus, the actual relation cannot be described by the vector x. Next, three specific safe sets are defined based on the global safe set definition 6. In the first safe set definition, ai−1 = ui−1 = 0 is assumed, i.e., considering a preceding vehicle which drives with a constant velocity. The set is called a positive invariant safe set, and is defined as follows. Definition 9. The set S i is a positive invariant safe set if it satisfies x(0) ∈ S i ⊆ A =⇒ x(k) ∈ S i , subject to x(k + 1) = Ad x(k), k ∈ N, where ai−1 = ui−1 = 0. In the definition of the remaining two safe sets, as defined below, a disturbance is present. Therefore, the robustness property is included in the safe set definition, which means that the invariance property needs to hold for any disturbance value. Furthermore, in these two sets, communication is respectively excluded and included. Definition 10. The set S ri is a robust positive invariant safe set without feedforward if it satisfies 370

x(0) ∈ S ri ⊆ A =⇒ x(k) ∈ S ri , ∀ui−1 ∈ V i−1 , subject to x(k + 1) = Ad x(k) + Ed ui−1 (k), k ∈ N,

+ where V i−1 = [u− i−1 , ui−1 ].

Definition 11. Set S riFF is a robust positive invariant safe set with feedforward if it satisfies x(0) ∈ S riFF ⊆ A =⇒ x(k) ∈ S riFF , ∀ui−1 ∈ V i−1 , subject to x(k + 1) = Ad x(k) + EdF F ui−1 (k), k ∈ N.

4.4 Safe set computation method For numerically computing the (robust) positive invariant safe sets, the following property of these sets is used. A set S is a (robust) positive invariant safe set if it satisfies (Borrelli et al., 2017)   Pre S, V i−1 ∩ S = S, (24) where the Pre set is defined in Definition 5. For V i−1 = ∅, the set is called robust, since a disturbance is present.

The (robust) positive invariant safe sets are determined by the recursion (Borrelli et al., 2017)   (25) Ωk+1 = Pre Ωk , V i−1 ∩ Ωk , where Ω0 = A is the admissible set. The recursion is terminated when Ωk+1 = Ωk , with termination index k = k ∗ , such that S = Ωk∗ is the (robust) positive invariant safe set. Based on (25), together with the termination constraint, it is concluded that each recursion step, the set Ωk either decreases in size, or remains the same size, in which case the recursion terminates. Therefore, the recursion will always converge, possibly to Ωk∗ = ∅, if no (robust) positive invariant safe set exists. These calculations are performed numerically with the Multi-Parametric Toolbox for Matlab (Kvasnica et al., 2015). 5. SAFE SET ANALYSIS In this section, the safe sets are determined and the results are discussed. First, a positive invariant safe set S i , i.e., assuming ai−1 = ui−1 = 0, is determined (see Definition 9). The parameters for which the safe set is determined, are: τ = 0.1 s, h = 0.5 s, r = 5 m, kp = 0.2 s−2 , 2

2

+ kd = 0.7 s−1 , a− i = −6 m/s , ai = 3.5 m/s , − + + u− i = ai , ui = ai , ∆vmax = 40 m/s, ∆t = 0.02 s, where the controller gains and vehicle time constant are adopted from Ploeg et al. (2011). The other parameters and constraints are chosen in consideration of nominal vehicle characteristics.

It must be noted that the limits of ui are chosen equal to the limits of ai , whereas these can also be chosen different. This choice is made since it reduces the complexity of the results. Simulations are performed to validate the determined positive invariant safe set S i . For many different initial states  i (x1 (0) x2 (0)) that lie in Sini , the closed-loop trajectories are determined based on the continuous-time dynamics

2018 IFAC CTS June 6-8, 2018. Savona, Italy

Jeroen A.J. Ligthart et al. / IFAC PapersOnLine 51-9 (2018) 367–372

(19). These trajectories are determined for multiple initial values for ai and ui , i.e., the third and fourth state. The positive invariant safe set and the simulated trajectories are visualized in Fig. 1, which shows x2 versus x1 .

Fig. 1. Positive invariant safe set S i and simulation results for PD-CACC, with r = 5 m.

371

the preceding vehicle, the relative velocity becomes strictly negative, meaning that the inter-vehicle distance decreases until the state leaves the admissible set. This means that the PD controller provides a too small deceleration to avoid the vehicle state from moving out of the admissible set. For safe set S riFF , this result is not seen, since the preceding vehicle acceleration is taken into account in the control law by means of the applied feedforward. If one wants to determine a safe set S ri which is nonempty, either the controller gains or the reference time gap parameters should be increased. To show the influence of such a change, the safe sets are also determined based on the increased standstill distance r = 21 m, and visualized in Fig. 3. This figure also shows x2 versus x1 , as in Fig. 1. Now, since the inter-vehicle distance reference is larger, the controller imposes a large enough deceleration at the boundary of the admissible set ri (kp · −r = −4.2 < a− is nonempty. This i−1 ), such that S change in reference parameter r is an example of how the invariant set safety analysis can support a proper choice of controller parameters.

From Fig. 1, it is concluded that the safety constraint from the admissible set x1 + r > 0 is indeed satisfied by every trajectory. It is seen that point α = (x1 , x2 ) = (40, 0) does not lie in the positive invariant safe set. Intuitively however, it might have been expected for this point to lie in the safe set. The reason that this point is not part of the safe set is as follows. For the system with accelerations 2 zero, the control input at point α is u ¯i = kp ·40 = 8 m/s > u+ i . This means that the state does not lie in the positive invariant safe set, because the control input causes ui to lie outside its admissible interval. If, in a real application, the vehicle state lies at point α, the control input is saturated at its bound u+ i . These bounds are not taken into account in the safe set computation (25). Therefore, they are also not included in the model that is used to compute the state trajectories in Fig 1. Thus, it cannot be concluded based on these results whether a vehicle with its state at point α moves into the safe set, or that a collision occurs.

Fig. 2. (Robust) positive invariant safe sets for PD-CACC, with r = 5 m.

Next under investigation are the robust positive invariant safe sets. Definition 10 defines the robust safe set where the CACC controller uses no feedforward. The robust safe set where the controller uses feedforward is stated in Definition 11. These safe sets are determined for the same parameters as mentioned in the beginning of this chapter, while 2 2 + a− i−1 = −4 m/s , ai−1 = 2 m/s .

It is seen that the bounds of the disturbance ai−1 are chosen smaller than the bounds of the vehicle acceleration ai . Otherwise, there exists a control action for the preceding vehicle that causes the relative velocity to grow unbounded, such that no safe sets exist.

The robust positive invariant safe sets are visualized in Fig. 2; again showing x2 versus x1 , as in Fig. 1. The safe set S ri (not including feedforward) is empty, which has the following reason. When the vehicle state lies at the boundary of the admissible set, i.e., x1 = −r, then the 2 control input is u ¯i = kp · −r = −1 m/s (for ai = vi−1 − − vi = 0). Then, if ai−1 = ai−1 < −1, i.e., full braking of 371

Fig. 3. (Robust) positive invariant safe sets for PD-CACC, with r = 21 m. In Fig. 3, it is seen that S ri spans further than S riFF , which is, when considering safe vehicle behavior, a counterintuitive result. Literature has shown persistently that using inter-vehicle communication is effective for obtaining string-stable behavior, thus, for obtaining safe vehicle behavior (Ploeg, 2014). The result is obtained nonetheless, provoked by the admissibility intervals of ai and ui as

2018 IFAC CTS 372 6-8, 2018. Savona, Italy June

Jeroen A.J. Ligthart et al. / IFAC PapersOnLine 51-9 (2018) 367–372

follows. When feedforward is imposed, the disturbance has a more immediate effect on the control input, therewith, yielding larger changes in acceleration when the disturbance changes promptly. This causes the acceleration and control input at many points in the state space to become larger than their admissible limits, which results in a rather small safe set. If the invariant set computations can be performed with respect to a vehicle model that considers control saturation, these shortcomings can be overcome, which improves the quality of the results. However, that requires work on nonlinear invariant set computations, which lies beyond the scope of this paper. 6. CONCLUSIONS The method as presented in this paper can be used for analyzing safe behavior of vehicles equipped with CACC. If the model describes the vehicle behavior accurately enough, the analysis can be used for real-time safety monitoring of vehicles. Safe sets are determined under different conditions, e.g., inclusion or exclusion of feedforward. This reveals that, in the case of exclusion of feedforward, a much larger standstill distance is required for a robust positive invariant safe set to exist, compared to the system with inclusion of feedforward. Thus, dependent on the conditions, different CACC parameters are required for being able to guarantee safety of the vehicle behavior. There exists some conservatism in the results from the safety analysis, since, on a large part of the state space, the controller imposes control inputs that lie outside the allowed control input range. This causes the vehicle acceleration and control input to lie outside their permissible intervals, such that those state values lie outside the safe set. This conservatism can be overcome by applying nonlinear invariant set methods in the safety analysis. Future work will reveal the result of a nonlinear safety analysis of the behavior of a CACC vehicle, based on invariant set theory. REFERENCES Abou-Jaoude, R. (2003). ACC radar sensor technology, test requirements, and test solutions. IEEE Trans. Intell. Transp. Syst., 4(3), 115–122. Alam, A., Gattami, A., Johansson, K.H., and Tomlin, C.J. (2014). Guaranteeing safety for heavy duty vehicle platooning: Safe set computations and experimental evaluations. Control Engineering Practice, 24, 33–41. Alam, A.A., Gattami, A., and Johansson, K.H. (2010). An experimental study on the fuel reduction potential of heavy duty vehicle platooning. In 13th Int. IEEE Conf. Intelligent Transportation Systems (ITSC), 306–311. Bevly, D., Cao, X., Gordon, M., Ozbilgin, G., Kari, D., Nelson, B., Woodruff, J., Barth, M., Murray, C., Kurt, A., Redmill, K., and Ozguner, U. (2016). Lane change and merge maneuvers for connected and automated vehicles: A survey. IEEE Trans. Intell. Veh., 1(1), 105– 120. Borrelli, F., Bemporad, A., and Morari, M. (2017). Predictive Control for Linear and Hybrid Systems. Cambridge University Press, Cambridge. 372

Dey, K.C., Yan, L., Wang, X., Wang, Y., Shen, H., Chowdhury, M., Yu, L., Qiu, C., and Soundararaj, V. (2016). A review of communication, driver characteristics, and controls aspects of cooperative adaptive cruise control (CACC). IEEE Trans. Intell. Transp. Syst., 17(2), 491– 509. Ioannou, P.A. and Chien, C.C. (1993). Autonomous intelligent cruise control. IEEE Trans. Veh. Technol., 42(4), 657–672. Kianfar, R., Falcone, P., and Fredriksson, J. (2013). Safety verification of automated driving systems. IEEE Intell. Transp. Syst. Mag., 5(4), 73–86. Kvasnica, M., Tak´acs, B., Holaza, J., and Ingole, D. (2015). Reachability analysis and control synthesis for uncertain linear systems in MPT. IFAC-PapersOnLine, 48(14), 302–307. ¨ Nilsson, J., Fredriksson, J., and Odblom, A.C.E. (2014). Verification of collision avoidance systems using reachability analysis. In Proc. 19th IFAC World Congress, 10676–10681. Ploeg, J. (2014). Analysis and design of controllers for cooperative and automated driving. Ph.D. thesis, Eindhoven University of Technology, The Netherlands. Ploeg, J., Scheepers, B.T.M., van Nunen, E., van de Wouw, N., and Nijmeijer, H. (2011). Design and experimental evaluation of cooperative adaptive cruise control. In 14th Int. IEEE Conf. Intelligent Transportation Systems (ITSC), 260–265. Ploeg, J., van de Wouw, N., and Nijmeijer, H. (2014). Lp string stability of cascaded systems: Application to vehicle platooning. IEEE Trans. Control Syst. Technol., 22(2), 786–793. Semsar-Kazerooni, E., Elferink, K., Ploeg, J., and Nijmeijer, H. (2017). Multi-objective platoon maneuvering using artificial potential fields. In Proc. 20th IFAC World Congress, 15571–15576. Semsar-Kazerooni, E. and Ploeg, J. (2015). Interaction protocols for cooperative merging and lane reduction scenarios. In 18th Int. IEEE Conf. Intelligent Transportation Systems (ITSC), 1964–1970. Tomlin, C.J., Lygeros, J., and Sastry, S.S. (2000). A game theoretic approach to controller design for hybrid systems. Proc. IEEE, 88(7), 949–970. van Arem, B., van Driel, C.J.G., and Visser, R. (2006). The impact of cooperative adaptive cruise control on traffic-flow characteristics. IEEE Trans. Intell. Transp. Syst., 7(4), 429–436. van de Hoef, S., Johansson, K.H., and Dimarogonas, D.V. (2017). Efficient dynamic programming solution to a platoon coordination merge problem with stochastic travel times. In Proc. 20th IFAC World Congress, 4312– 4317. van Nunen, E., Ploeg, J., Medina, A.M., and Nijmeijer, H. (2013). Fault tolerancy in cooperative adaptive cruise control. In 16th Int. IEEE Conf. Intelligent Transportation Systems (ITSC), 1184–1189. Varaiya, P. (1993). Smart cars on smart roads: Problems of control. IEEE Trans. Autom. Control, 38(2), 195–207.