Unreliable V2X Communication in Cooperative Driving: Safety Times for Emergency Braking

Cooperative driving is a promising paradigm to improve traffic efficiency and safety. In congested traffic scenarios, such cooperation allows for safe maneuvering and driving with small inter-vehicle spatial gaps. The vehicles involved coordinate their movements in real-time and continuously update each other about their maneuver execution status by means of Vehicle-to-Everything (V2X) communication. However, unreliable V2X communication increases the Age of Information (AoI) of vehicles’ status updates, posing a challenge in situations where emergency braking is required during cooperative maneuvering. To address the interplay between unreliable V2X communication and the resulting impact on traffic safety, we introduce a so-called safety time function, specifically designed for cooperative driving use-cases. The safety time function provides the time available for a vehicle to react to an unexpected event of another vehicle – such as emergency braking to avoid a collision. We provide a computationally efficient algorithm for the computation of safety time functions, which allows for efficient and safe cooperative maneuver planning – even in dense traffic scenarios with many vehicles involved.We show the applicability of our proposed safety time function based on the assessed communication quality for IEEE 802.11p-based V2X communication to meet safety constraints in dense vehicular traffic.


I. INTRODUCTION
Cooperative driving [1] is a novel approach, addressing two key problems of nowadays urban road traffic: insufficient safety and elevated congestion. Human errors due to incorrect interpretations of other road users' intentions may cause numerous types of accidents [2]. Furthermore, traffic congestion has increased over the past years [3], negatively impacting travel time and fuel consumption. By using Vehicle-to-Everything (V2X) communications to coordinate driving ma-neuvers cooperatively, traffic safety, and especially efficiency can be improved.
Cooperating vehicles exchange information about their status and intentions via broadcast messages (such as Cooperative Awareness Messages -CAMs and Maneuver Coordination Messages -MCM) [4]. Efficient cooperation require up-to-date information about the cooperation partners and other traffic participants. In other words, sufficiently low Age of Information (AoI) of status updates should be maintained [5]. However, wireless V2X communication is prone to path loss, shadowing, and multi-path propagation, degrading the range and the reliability of the communication [6]- [8]. Furthermore, when, e. g., the well-known IEEE 802.11p V2X technology is used, channel congestion causes message collisions and induces communication delays, reducing the communication quality of V2X networks [9], [10]. These general issues are also present in other communication technologies such as 5G [11], [12]. Power allocation via active learning of network dynamics has recently been proposed to reduce AoI violation probability [13]. Furthermore, scenarios and modelling can be extended to cover for example meta-surfaces [14].
Challenges of cooperative maneuvering can be illustrated through the example of left-turn cooperative coordination at a congested intersection [15]. In a traditional uncoordinated approach, a vehicle turning left is forced to wait in the middle of the intersection until a sufficiently large gap opens in the oncoming traffic. In contrast, leveraging V2X communication, the left-turning vehicle can ask an oncoming vehicle for cooperation. Then, the latter will create a sufficiently large gap to its predecessor so that the left turn can be accomplished without waiting at the intersection. If the gap cannot be created, the vehicle turning left needs to be notified, posing a safety risk if the communication is unreliable. Understanding the safety constraints for unreliable V2X communication is the focus of this paper.
Ideally, there is no need for real-time adjustments of chosen trajectories after their coordination during the execution of a cooperative maneuver. However, continuous monitoring of cooperative maneuver execution is required to react to unexpected events, e. g., emergency braking of another vehicle in the vicinity and collision avoidance [16], [17]. In the left-turn scenario, a cooperative vehicle might not maintain a sufficiently large gap to the vehicle in front due to, e. g., a pedestrian unexpectedly crossing the road further onward, triggering emergency braking along the string.
Therefore, cooperative coordination of driving maneuvers relies on high communication quality [18] to coordinate early, monitor cooperation partners while executing the maneuver, and optionally abort the maneuver in time. A low communication quality degrades the monitoring capabilities of the maneuvering vehicles since increased AoI results in tracking errors, which negatively impacts the ability to react to unexpected events. Also, if the V2X communication is unreliable, the messages to abort the cooperative maneuver might not reach the requesting vehicle in time. Hence, the requesting vehicle cannot properly adjust to the changed road situation and will further follow the formerly agreed maneuver, potentially causing a collision at the intersection.
We propose a generalized model to account for cooperative driving safety aspects. We model what we refer to as the safety time function, which provides a minimum time until a re-planning or reaction is needed to avoid a potential collision between the cooperating vehicles in case of an unexpected event such as emergency braking. The safety time function is obtained for pairs of vehicles' trajectories (the own and each of the other vehicle's trajectories) and provides the safety time along the vehicle's trajectory (corresponding to the vehicle's position along its trajectory). For each pair of cooperating vehicles, we can ensure safety if the AoI of the respective vehicle does not exceed the safety time function during the entire execution of the maneuver.
The safety time allows for two complementing perspectives: From the networking perspective, adaptive dissemination strategies can lower the AoI to allow for shorter safety times, increasing vehicular traffic efficiency at higher communication costs. In this paper, we merely use the left-turn scenario as an example to illustrate our proposed framework and, later on, discuss additional use-cases for cooperative driving. The key property shared amongst all scenarios is that relations can be narrowed down to pairs of vehicles. In a scenario involving multiple vehicles, multiple such pairwise relations can be considered.
The related work has discussed traffic safety considering unreliable communication for collective perception [19], [20]. For the safety evaluation in [19], the Environmental Risk Awareness (ERA) is introduced. In [21], a first discussion is provided towards safety for cooperative driving. However, there is a lack of an in depth analysis on how to consider unexpected events such as emergency braking. We extend our approach from [22], where two orthogonal strings of vehicles passing an intersection are considered and the bounds for crash probability as a function of inter-vehicular communication links quality and braking capacities are provided. The latter work can be seen as an extension of the one-dimensional case (i. e., platooning) presented in [23]. In short, state-of-the-art literature does not analyze the impact of unexpected events considering unreliable communication or focus on a specific cooperative driving scenario; frameworks presented for specific scenarios cannot be applied to generic use-cases.
The rest of this paper is structured as follows: Section II outlines our preliminaries and describes our problem formulation. Section III introduces the analytic forms of safety times and safety time functions. In Section IV, we introduce the discrete safety time function and an efficient algorithm for its computation. Section IV-B illustrates, via a left-turn scenario, on how to use the algorithm. Section VI continues with the same example as in Section IV-B, showing how the computed safety time functions can be used with a realistic AoI computed for the IEEE 802.11p V2X-communication model. Finally, the paper is concluded in Section VII, where we emphasize future research directions to apply our framework to improve traffic safety and efficiency for cooperative driving for unreliable V2X communication.

II. PRELIMINARIES AND PROBLEM FORMULATION
We consider a general problem, where two vehicles collaboratively choose trajectories to handle a traffic situation. The design of such trajectories is subject to constraints. To begin with, the two vehicles are not allowed to be inside a predefined region at the same time to avoid a collision. We refer to this region as the infeasible region. The scenario is illustrated in Fig. 1 for a left-turn scenario. Vehicle 1, green, is not allowed to be inside the gray infeasible region at the same time as Vehicle 2, blue. We will use this scenario for illustration purposes but later show how our framework can be applied to other traffic situations.
Some further clarifications are needed. By saying that a vehicle "is not allowed to be inside the gray region", we mean that a predefined position at the vehicle (e. g., the center of gravity) is not inside the gray region. In the considered scenario, one can choose the gray region large enough to avoid collisions under this definition of vehicle being inside the region. Furthermore, the paths of the trajectories of the two vehicles, illustrated as black arrows, correspond to the time-evolution of the positions of the vehicles. Now, we require, as a necessary condition, that the vehicles' trajectories are not inside the gray region at the same time. An obvious consequence is that one of the two vehicles needs to pass the gray region before the other one does (if they are both passing and do not stop before). Without loss of generality, we henceforth assume that Vehicle 1 passes the gray region before Vehicle 2.
Given this setting, the problem we address is the following: We want the trajectories to be safe in the context of emergency braking, where Vehicle 1 needs to brake, e. g., due to a suddenly appearing pedestrian on the road. More precisely, suppose Vehicle 1 starts to emergency brake with its maximum deceleration capacity at some point along its trajectory and then follows its intended path until it stops. We need to determine an efficient way to compute a bound on the allowed safety time for Vehicle 2, such that Vehicle 2 can still perform an emergency brake with its maximum deceleration capacity (and then follows its intended path until it stops) and the two vehicles are not inside the gray region at any time. Furthermore, we also require that Vehicle 2 cannot enter the infeasible (gray) region before Vehicle 1. One may view this safety time as a reaction time for the vehicle when seen as an agent. In essence, the vehicle needs to react within the safety time to avoid a collision.
The safety time, in turn, depends on time; at different times, the vehicles are positioned at different distances from the gray region and naturally, the safety time may be different. Hence we want to derive and compute a safety time function τ (t), which is a function of the time t.
With this overall formulation of the problem, we now introduce notation and definitions in order to make this problem formulation more precise.

Paths
Each vehicle has a path, which is a simple twice continuously differential curve in R 2 parameterized by arc length. We define these two paths as wherep 1 is the path for Vehicle 1,p 2 is the path for vehicle 2, and l 1 and l 2 are the lengths of the respective paths. For example, for any l such that 0 ≤ l ≤ l 1 , it holds thatp 1 (l) is the two-dimensional position for Vehicle 1 at distance l along the path from the start of the path. Explicit forms for arc-length parameterized curves are not obtainable in general. If we cannot obtain an explicit form for the arc-length parameterized curve, we have to settle VOLUME 4, 2016 for numerical solutions. In line with our illustrative left-turn example, we can, e. g., assume the following explicit forms (to better illustrate the concept).
where l to parameterizes distance traveled; e 1 = [1, 0] T and e 2 = [0, 1] T are the unit vectors, representing the x-and y-direction, respectively; r is the turning radius of at the intersection;p 0 1 andp 0 2 are the positions at l = 0 forp 1 (l) andp 2 (l), respectively; α is the distance traveled as turning starts and β is the distance traveled as the turning ends. All variables and parameters, that is l, l 1 , l 2 , α, β and r, represent distance in meters.
The three segments of the arc-length parameterized pathp 2 for vehicle 2, given by (4), are illustrated in Fig. 2. The first, brown, starts at the position of the vehicle and ends at the beginning of turning at distance α; the second, orange, represents the segment of turning and ends at distance β; the third, pink, represents the last straight segment. These segments are represented by the three cases in the definition ofp 2 (l). For an arc-length parameterized continuously differentiable path (or curve) p(l) it holds that dp dl = 1.

Trajectories
So far, we have only considered arc-length parameterized paths. We now explain how these paths should be traversed. We introduce the following functions wheret 1 andt 2 are positive times that represent the lengths of the time intervals during which the respective pathsp 1 andp 2 are traversed. The functionsx 1 andx 2 are two times continuously differentiable and strictly monotonically increasing. Since thep i 's are parameterized by arc-length, one can think of thex i 's, providing positions along the corresponding paths; they specify how the vehicles follow the paths as a function of time. We define velocities w. r. t. thex i 's and say thatṽ 1 =ẋ 1 andṽ 2 =ẋ 2 .

Infeasible region
We refer to the infeasible region as S p , being a subset of R 2 . We make the following restriction on S p . We require S p  (4) to be firstly compact and secondly such that the following Due to this restriction, for the feasible region S p , there is a corresponding feasible region S x for thex i 's that comprises a rectangle. This is illustrated in Fig. 3, where we see that a non-rectangular infeasible region S p is mapped to a rectangular region S x . Note that, in Fig. 1, S p was also rectangular, which might be a more natural choice than the one in Fig. 3. However, with the example in Fig. 3, we want to illustrate that the approach allows for more general infeasible regions.
The choice of the infeasible region is determined by the respective scenario. In the left-turn scenario (considered for illustration), the infeasible region is positioned, in some suitable way, around the intersection point of the trajectories. In other scenarios, the trajectories might not even intersect and the infeasible region could be constructed by two disconnected sets. One could, e. g., consider a scenario where two vehicles are not allowed to be beside each other at some location along a highway. Essentially, the setting allows for flexibility when it comes to considered scenarios.
For a given S x , we define (x 1 ,x 2 ) as the two-dimensional midpoint of S x . Furthermore, we define s 1 as half the width of the rectangle S x and s 2 as half the height of the rectangle S x . This means that For simplicity of notation in the coming analysis in the subsequent section, we center the paths and the trajectories atx 1 andx 2 . We do so by defining and These entities are the ones used henceforth (instead of thẽ -variables). However, they depend on S x . If we change the infeasible region, they need to be redefined for the new S x . Instead of explicitly parameterizing these entities by S x , we omit to explicitly do so in order to keep the notation simple.
We now formulate the following constraint on traversal of the infeasible region.
Constraint 1: The two vehicles cannot be in the infeasible region at the same time and Vehicle 2 cannot enter the infeasible region before Vehicle 1.
We choose to formulate this constraint using words instead of a more formal (but more restrictive) definition involving x 1 , x 2 , and S x . The reason is that we are to consider emergency braking scenarios, where vehicles change x 1 or x 2 in response to a dangerous traffic situation. Under such conditions, we still want the constraint to hold for the changed trajectories.

Emergency braking
As mentioned before, we assume that an order has been defined for traversing the infeasible region. Without loss of generality, it is assumed that Vehicle 1 passes the infeasible region before Vehicle 2 does (otherwise, swap names of the vehicles). We differentiate between two different modes of operation: • Normal mode. In this mode, the two vehicles follow their paths as intended, i.e., at time t, the position of Vehicle 1 is p 1 (x 1 (t)) and the position of Vehicle 2 is p 2 (x 2 (t)).
• Emergency braking mode. In this mode, Vehicle 1 brakes with maximum deceleration capacity until standing still. It moves forward along the path p 1 until stopping.
Emergency braking could happen if, e. g., a pedestrian suddenly appears on the road. If Vehicle 2 starts to emergency brake with its maximum deceleration capacity, then Vehicle 1 can continue in normal mode and safely pass the infeasible region before Vehicle 2 does. The critical case to analyze is when Vehicle 1 emergency brakes. In the following, when we say that one of the two vehicles emergency brakes at a time t, we mean that the respective vehicle starts to decelerate with maximum deceleration capacity at time t and follows its path until it stops. We denote by y 1 (t) and y 2 (t) the maximum deceleration capacities at time t of Vehicle 1 and Vehicle 2, respectively. We assume that these functions are well-behaved and integrable. If Vehicle i (where i ∈ {1, 2}) starts to emergency brake at time t and continues to do so until stand still, it holds that fort ≥ t such that the vehicle has not stopped.

Safety times
We say that is a safety time function if the following holds. Suppose Vehicle 1 emergency brakes at time t.
• If τ (t) ∈ R + . Then, for any non-negativet ≤ τ (t), if Vehicle 1 emergency brakes at time t and Vehicle 2 emergency brakes at time t +t, Constraint 1 is satisfied.
• If τ (t) = +∞. Then, if Vehicle 1 emergency brakes at time t, Vehicle 2 does not need to emergency brake, Constraint 1 is satisfied anyway. An alternative interpretation is that Vehicle 2 can emergency brake at any timē t ≥ t and Constraint 1 is satisfied for any sucht.
To understand this definition, we recall the fact that the functions x 1 (t) and x 2 (t) are supposed to be strictly monotonically increasing on their domains. Suppose emergency braking occurs at time t for Vehicle 1 and at time t +t for Vehicle 2 and Constraint 1 holds. Then, Constraint 1 holds if emergency braking would, alternatively, occur at time t for Vehicle 1 and at any time in [t,t] for Vehicle 2. Given a safety time function τ , we know that the maximum safety time at time t for Vehicle 2 (before it can emergency brake and not violate Constraint 1) is not smaller than τ (t).

Problem formulation
Given all the above, the problem addressed is the following: We want to compute, if exists, a safety time function τ (t) for Vehicle 2.
It is important to note that such a safety time function may not exist. It depends on deceleration capacities, velocities, inter-vehicle spacing etc. But, for a given pair of trajectories, we seek sufficient conditions for existence of safety time functions and efficient computation thereof.

III. DERIVATION OF SAFETY TIME FUNCTION
The objective of this section is to derive a safety time function τ (t). We introduce a 1 and a 2 , where a 1 is an upper bound on the maximum deceleration capacity for Vehicle 1 and a 2 is a lower bound on the maximum deceleration capacity for Vehicle 2. This means that during emergency braking mode, the deceleration of Vehicle 1 is not larger than a 1 and the deceleration of Vehicle 2 is larger than a 2 . We could assume that these bounds are tight, but in general, maximum deceleration is a nonlinear function of the time since the onset of deceleration. The parameters a 1 and a 2 could be adaptive and dependent on road conditions, type of vehicles etc.
Furthermore, we assume that there is a functionτ (t) that bounds τ (t) from above. The interpretation is that we have a system requirement that the vehicle must react withinτ (t) seconds. Please note thatτ (t) is a function that is not calculated but assumed to be given. However, our results allow to setτ (t) to +∞, for all t, effectively the same as not having an upper bound on τ (t). However, choosingτ (t) to, e. g., a positive constant for all t, helps improving the calculated τ (t) in the analysis to come; it increases the minimum value of τ (t) at the expense of a smaller maximum value of τ (t) (due to the upper boundτ (t)).
We definev for use in the subsequent formulas. This is the maximum velocity of Vehicle 2 during the time period [t, t +τ (t)].
We continue by assuming in what follows thatt 1 =t 2 . We furthermore assume x 1 and x 2 are defined on extended versions of their earlier domains. The domain for x 1 and x 2 is [0, +∞). We assume that v 1 (t) = v 1 (t 2 ) and v 2 (t) = v 2 (t 2 ) for t ∈ [t 2 , +∞). This extension does not affect the result, as it only involves points in time when both vehicles have passed the infeasible region S x . It is introduced to enable a feasible treatment in the analysis.

Safety time function
The equation (14) below introduces an explicit form of a candidate safety time function and Proposition 1 further down provides the guarantee that this is indeed a safety time function as long as it is is positive for all times t. The safety time function given by (14) will later be used in the main algorithm, Algorithm 1, presented in Section IV. After the introduction of the explicit safety time function in (14), we provide a brief explanation of the different cases for the values it attains. More insight is later provided in the proof of Proposition 1. where In the definition of f (t) above, g(t) and h(t) are defined as wheret 6 VOLUME 4, 2016 It should be noted that g(t) andt(t) are not defined for all times t and possible choices of parameters. However, these functions are properly defined in the context they are used inside the definition of f (t).
The safety time function τ (t) either attains the value ofτ or that of f . The function f , in turn, can attain at time t one of three different values. This value is either +∞ or given by g or given by h. Furthermore, in g, there is an additional functiont used. The inequality constraints in the definition of f specify in which situation, the respective values +∞, g(t) or h(t) should be used.
We now provide a brief explanation of these entities. Additional insight will be gained in the proof of Proposition 1.
• The valuet(t), when it exists and is real-valued (i.e., not complex), defines a time when Vehicle 1 has left the infeasible region S x . This means that it is a lower bound on the time until Vehicle 1 leaves the infeasible region. If Vehicle 1 does not leave the infeasible region,t(t) is complex-valued and not used.
• The value g(t) provides a lower bound on the longest time Vehicle 2 can wait before emergency braking such that it enters the infeasible region as Vehicle 1 leaves it.
• The value h(t) provides a lower bound on the longest time Vehicle 2 can wait before emergency braking such that it stops at the boundary of the infeasible region but not enter (its interior).
• f (t) attains the value +∞ if Constraint 1 is satisfied nomatter when Vehicle 2 emergency brakes after time t.
Proposition 1: If τ (t), defined in (14), is strictly greater than 0 for all t ∈ [0,t 2 ], then it is a safety time function.
Proof: Suppose there is a vehicle, referred to as Vehicle A, that follows the trajectory x 1 and emergency brakes with deceleration −a 1 at time t until it stops (along the path or its continuation). Compared to this Vehicle A, Vehicle 1 would certainly leave the infeasible region earlier (since it brakes faster). Suppose a vehicle, referred to as Vehicle B, follows the trajectory x 2 and emergency brakes with deceleration −a 2 at time t until it stops (along the path or its continuation). As compared to Vehicle 2, Vehicle B would certainly enter the infeasible region earlier (since it brakes slower).
We can use these alternative vehicles A and B to derive bounds for the safety times. At each time t, we derive a bound for the maximal safety time using these alternative vehicles. This bound is the value τ (t). We furthermore assume, at time t, that Vehicle B continues to drive with the constant velocitȳ v 2 (t) until it emergency brakes. If it emergency brakes within the time period [t, t +t(t)], it will reach the infeasible region earlier than Vehicle 2 would. This approach allows for analytical solutions of the trajectories for vehicles A and B during the emergency braking mode. These solutions are expressed by quadratic functions. Now, there are different cases that need to be handled for the emergency braking initiated at time t for vehicle A. These cases are described below and visually illustrated in Fig. 4 for a left-turn example.
• Case 1: Vehicle B will not reach the infeasible region before Vehicle A has left it. If Vehicle B continues with velocityv 2 (t) and does not even start to emergency brake at any time, it will still not reach the infeasible region before Vehicle A has left it. This could, for example, happen, as shown in Fig. 4 top, when Vehicle A starts emergency braking after it has left the infeasible region; the blue dot shows the start of the emergency braking and the red dot shows the stop of the emergency braking, and the green segment shows the the part of the path traversed during emergency braking mode. Besides this situation, it could also be the case, for example, that Vehicle A is inside the infeasible region at time t but certainly has left it before Vehicle B enters.
• Case 2: Vehicle A has not left the infeasible region at time t but leaves it before stopping. If Vehicle B does not emergency brake, Vehicle A and Vehicle B will be inside the infeasible region simultaneously at some time. In this case, Vehicle B needs to start emergency braking early enough to be outside (or at the boundary of) the infeasible region when Vehicle A leaves it. This is illustrated in the middle of Fig. 4, where purple dots show the positions of the two vehicles when Vehicle A leaves the infeasible region. Vehicle B started to emergency brake while performing its left turn so that it did not enter the infeasible region before Vehicle A left it.
• Case 3: Vehicle A stops before leaving the infeasible region. In this case, since we cannot violate Constraint 1, Vehicle B has to stop before it reaches the infeasible region. Such a situation is illustrated at the bottom of Fig. 4.
In what follows, we construct the function f (t), used in (14). This defines the maximum safety time for Vehicle B, which is a lower bound on the maximum safety time for Vehicle 2. We do so by considering the three cases above one by one. All expressions that are not explicitly derived are readily provided by a simple calculation. We choose to keep the explanations on a sufficiently high level to avoid obfuscating the main ideas by technical derivations.

Case 1
If x 1 (t) ≥ s 1 , Vehicle A (and Vehicle 1) has passed the infeasible region when emergency braking starts. Thus, we can set f (t) = +∞.  Suppose x 1 (t) < s 1 . It holds that t +t (if it exists, i.e., is not complex) is the time when Vehicle A leaves the infeasible region, wherē Ift does not exist (is complex), Vehicle B does not leave the infeasible region before stopping (Case 3). For Case 1, we need to assure that Vehicle A leaves the infeasible region at some point -namely The maximum safety time (if it exists for Vehicle B, such that Vehicle B does not enter the infeasible region before t+t) is g, given by (16). The solution for (16) does not exist, i.e., is real valued, only if Otherwise, we enter Case 2.

Case 2
For this case, Vehicle B leaves the infeasible region at some point, which means that It furthermore holds that i. e., there is a maximum safety time for Vehicle B needed to avoid violation of Constraint 1. This safety time is given by g.

Case 3
In this case, Vehicle A does not leave the infeasible region before stopping. This means that We claim that the maximum safety time for Vehicle B is given by h in (17). The expression for h does not involve any square roots and its derivation might require a more detailed coverage. Vehicle A never leaves the infeasible region and Vehicle B is required not to enter the infeasible region before Vehicle A leaves it. This implies that Vehicle B cannot enter the infeasible region. We assume that the solution trajectory for Vehicle B is denoted as x(t). It holds that forτ ≤t ≤τ +v 2(t) a2 , whereτ ≥ 0 is a safety time. Vehicle B stops at time t +τ +v 2(t) a (at which point its velocity is zero). We need to ensure that x(t +τ +v 2(t) a2 ) ≤ −s 2 . By solving the equation one obtains the expression on the right-hand side of (17) after replacement of x by x 2 .
Finally, we note that if f (t) is smaller thanτ (t), it is a lower bound on the safety time for Vehicle 2. However, if f (t) is larger thanτ (t), we no longer know if this is the case and we have to useτ (t) instead (which will be a feasible safety time in this case).

IV. A GENERALLY APPLICABLE ALGORITHM FOR COMPUTING SAFETY TIME FUNCTIONS
In Section III, we provided the candidate safety time function (14), which, according to Proposition 1, was ensured to be a safety time function if positive for all times. Now, the function τ is continuous and there is a need for an efficient discrete computable approximation thereof for use in practice.

A. TIME-DISCRETIZATION: MAIN ALGORITHM
According to Proposition 1, τ (t), defined in (14), is a feasible safety time function if it is strictly greater than 0 on [0,t 2 ]. However, τ (t) is (when not +∞) in general only piecewise continuous and is not generally convex where it is continuous. If we were to compute the min t∈[0,t2] τ (t), a solution would be hard to obtain in closed form and depends on the form of x 1 and x 2 .
Instead of such an analytical treatment of the continuous τ (t), we consider N discrete time points wheret The last two explained:t(t) is the most significant discrete time point smaller or equal to t; δ(t) is equal to t − t i if and Proposition 2: Ifτ (t), defined in (26), is strictly greater than 0 for all t ∈ [0,t 2 ], then it is a feasible safety time function.
Proof: We adopt the same framework as in Proposition 1, where we assumed two alternative vehicles A and B with some given properties. Now, suppose that Vehicle A emergency brakes at time t ∈ [t i , t i+1 ]. The largest feasible safety time for Vehicle B at time t is larger than it would have been if Vehicle A braked at time t i . This can be deduced as a consequence of the strict monotonicity of x 1 .
Thus, we can consider the situation where Vehicle A emergency braked at time t i and vehicle B continued along x 2 until time t before any reaction is possible. We can thus simply subtract t − t i from the safety time at τ (t) at time t.
We summarize the discretization procedure in the following algorithm.
Algorithm 1 is efficient as it has computational time O(N ). For N discretization times considered, at each such discrete Algorithm 1: Procedure of computing feasible safety time functionτ . Input: time instant, an evaluation of a set of formulas is conducted in constant time. Thus, the procedure has the potential to be applied in real-time and complex traffic situations involving a multitude of vehicles where pairwise safety time functions are computed in parallel.

B. GENERALITY OF THE FRAMEWORK
To understand the generality of this framework, i.e., for what scenarios Algorithm 1 can be used, we here show three additional scenarios (besides the left-turn scenario). These scenarios are illustrated in Fig. 6

Lane merging
Suppose the two vehicles are driving along two parallel lanes initially. After some time, one of the vehicles decides to change the lane such that both vehicles drive on the same lane. We refer to this as a lane merging scenario. For specified pathsp 1 andp 2 , we can design an infeasible region S p , overlapping the region where the two paths merge and both vehicles cannot be at the same time. VOLUME 4, 2016 Same lane In the lane merging scenario, the vehicles will continue to drive along the same path, after merging of paths. If there are multiple vehicles following the same path, we end up in a platooning-like situation. In this case, it is pertinent that these two subsequent vehicles do not collide at some future point. We could address this situation by making a large infeasible region for the entire path, i. e., one vehicle drives along the entire path before the next enters it. This is not very efficient, as the path could be long (perhaps multiple kilometers). Instead, one could have multiple smaller overlapping infeasible regions. This is illustrated in the middle of Fig. 6. In that example, we have eight overlapping infeasible regions, where the first, S x p , has a red boundary for illustration purposes only. In this situation, we solve 8 different problems in essence and take the smallest safety time for each of the infeasible regions.

Parallel lanes
As additional examples, we might consider various types of constraints. For example, suppose (for some reason) that we do not want the two vehicles to pass each other at some specified region along the road when driving along a twolane road. In this case, we can construct an infeasible region S p , as shown at the bottom of Fig. 6.

V. USING THE FRAMEWORK
To illustrate how Algorithm 1 can be used we consider a left-turn example, which has been the main scenario for illustration throughout. We begin by explicitly providing the p i -functions, i. e., the arc-length parametrized paths. We then continue by showing how Algorithm 1 is used.
In our left-turn scenario, we assume arc-length parameterized paths as follows.
Both l and r represent distance in meters. Now we apply Algorithm 1. It is important to note that the arc-length parameterized trajectories p 1 and p 2 are not used in Algorithm 1, only a 1 , a 2 , x 1 , x 2 , v 1 , v 2 , s 1 , and s 2 are used. However, p 1 and p 2 are necessary to define in order to map the positions x 1 and x 2 to physical positions. Furthermore, p 1 and p 2 are used when computing relative distances, which are needed for further analysis in the subsequent section. In the following example, time is defined in seconds (s), the distances in meters (m), velocities in m s and accelerations in m s 2 . To simplify notation, we do not write these units explicitly in the mathematical formulas however.
We consider the time interval [0, 100] and assume that the velocities of the vehicles are positive but oscillating. We could assume something different instead, e. g., piece-wise linear velocities. However, we make this choice to get some possible more interesting behavior. The velocities are v 1 (t) = 12 + 2 cos(t/5), (31) v 2 (t) = 12 + 2 cos(t/5 − 0.7). (32) The positions are

VI. CONNECTING TO AGE OF INFORMATION
In the previous section, we have shown how our proposed Algorithm 1 can be applied to a left-turn example, yielding the safety time function for the vehicle's respective trajectory. This section shows how we can use that safety time function in scenarios with unreliable communication to ensure safety, even if other vehicles are forced to emergency brake. We do so by ensuring the Age-of-information AoI is bounding the safety time function from above.
We begin by introducing an unreliable communication channel, where messages are lost because of signal attenuation in the communication channel (path loss and fading) and packet collisions because of channel congestion.
In [15], we have used a generic log-normal model to obtain the reliability caused by path loss and fading in a stochastic manner as where P r,dBm (d) is the packet reception power at distance d, P dBm (d 0 ) is the reception power at the reference distance d 0 , γ is the path loss exponent, and X σ is a normally-distributed random variable to account for stochastic fading with the standard deviation σ and expectation µ(d) at distance d.

Packet delivery ratio (PDR)
In order to define Age-of-information AoI, which will be compared to the safety time function, we now introduce the packet delivery ratio (PDR). This is the ratio between number of packets received at the destination node and the number of packets sent at the source node. We assume two independent contributions to PDR: one due to to path loss and one due to interference. We obtained the PDR ρ PL (d) caused by path loss with the threshold transmission power P th,dBm as The parameters for (35) and (36) are taken from [15]. We can follow [24] to obtain the PDR for message collision ρ MC in a IEEE 802.11p based Vehicle-to-Everything (V2X) network, giving where p r is the probability to send in a randomly chosen time slot using a Markov Chain model and N V are the number of vehicles accessing the V2X communication channel. We can obtain p r from [25] for safety broadcast messages, giving where W constitutes the back-off counter, q is the load equation, and p o is the probability that the channel is occupied. For a detailed derivation of the IEEE 802.11p load equation model, the interested reader is referred to [15], [25]. We assume that the PDRs are independent of each other (homogeneous vehicle density) because of path loss and message collisions such that we obtain the PDR ρ = ρ PL · ρ MC . Figure 7 depicts the PDR as a function of the relative distance between two vehicles for different channel busy ratios CBRs. The CBRs is the ratio between the time channel is busy and the total observation time.
To obtain different CBRs, we adapted the number of vehicles N V , which all send with the same message frequency. From Figure 7, we see that IEEE 802.11p has high reliability for a distance up to 200 m. We also observe that a CBR higher than 0.4 severely degrades the reliability.

Age-of-inforation (AoI)
Like [15], we can obtain the AoI induced by unreliable V2X communication w. r. t. a specific message frequency. For the considered safety scenario introduced before, we require the correct reception of at least one message of the first emergency-braking vehicle. The probability to receive at least one of i messages with the given PDR ρ is We can transform (39) to a number of sent messages i and multiply with the inverse of the message frequency λ to get the time we wait to receive at least one message with the probability p. Let us assume that we have reliable communication, i. e., ρ = 1. In this case and considering (39), the term (1 − ρ) i converges to 0, i. e., we immediately receive a message with p = 1. However, the vehicle having an emergency case might just have sent a message and we need to wait for the next message cycle to receive the subsequent message. Hence, we also need to consider the message frequency when obtaining the AoI ∆. Finally, we get where λ is the message frequency. The first summand in (40) considers unreliable communication induced by the PDR ρ and the desired probability p and the second summand considers the average message frequency of the other vehicle.

Safety by jointly using AoI and safety time function
We can now compare the AoI in our considered left-turn scenario with the safety time function, depending on the distance between both vehicles, for different message frequencies and CBRs. In contrast to Figure 7, we only consider the scenario when both vehicles approach the intersection, i. e., t < 50 s. Figure 8 depicts the safety time function and AoI for a message frequency of 5 and 10 Hz as well as for a CBR of 0,0.4, and 0.8. The solid dotted line represents the safety time functionτ computed from Algorithm 1; the dotted line represents the AoI for message frequency of 5Hz; and the dotdashed line represents the AoI for message frequency of 10Hz. Both the safety time function and the AoIs for 5Hz and 10Hz represent time in seconds.
In the most left of Figure 8, we can see that the AoI for 5 and 10 Hz is always below the safety time function, meaning we can always react to unexpected events such as an emergency braking in our considered scenario. For a CBR of 0.4 in the middle of Figure 8, we see that with a message frequency of 10 Hz, we can still react to unexpected events. However, for a message frequency of 5 Hz, the AoI is expected to be higher than the safety time function, meaning that we might not be informed about an unexpected event. In this case, both vehicles either need to increase their message frequency or select a more conservative trajectory. In the most right scenario of Figure 8, we see that both the message frequencies with 5 Hz and 10 Hz are not always expected to be below the safety time function because of a congested channel with a CBR of 0.8. In this scenario, both vehicles need to adapt their trajectories and select more conservative trajectories, allowing for a larger gap when passing the intersection after each other.

Discussion on alternative communication technologies
This section provided an analysis on how to connect AoI with safety time function to provide safety guarantees. A specific left-turn scenario served as a use case. The comparison was done for IEEE 802.11p. However, other V2X access technologies could also be used. We would like to emphasize that the safety time function is independent of the choice of communication protocol and the communication model behind it. Our safety time function specifies a time interval during which a received message guarantees safety.
In future work, we can also apply our proposed safety time function to other promising V2X access technologies. For this purpose, one has to model the communication quality for the considered V2X access technology as AoI to compare it with our proposed safety time function. In the literature, communication models to obtain the PDR have been proposed for C-V2X mode 4 in [26], [27] and can be integrated into our AoI model in (40).

VII. CONCLUSION AND OUTLOOK
In this paper, we analyzed the safety perspective of cooperative driving. The main problem was avoiding a collision when a collaborating vehicle -connected with other vehicles over the unreliable Vehicle-to-Everything (V2X) network -starts emergency braking.
We defined, derived, and provided an algorithm for the efficient computation of a safety time function. A safety time is the length of a time interval during which it is safe to brake to avoid a collision. The framework is applicable to many traffic situations. We used a left-turn intersection traversal as an illustrative example and later showed other use cases.
The relationship between the Age of Information (AoI) of status updates between the vehicles and the safety time function provides insights on the influence of V2X communication on the safety of cooperative driving. Since our algorithm for the safety time function calculation is computationally efficient, the proposed framework is potentially applicable not only for the cooperative driving safety analysis, but also for real-time trajectory adjustment and overall cooperative maneuver planning. Finally, note that the computation of the safety time function is decoupled from the actual choice of the V2X communication technology. We provided an example for the IEEE 802.11p protocol, but our framework can be coupled with the models of other V2X technologies, e. g., 5G NR, which will be the subject of our future work.