String Stable and Collision-Safe Model Predictive Platoon Control

Automated vehicle platooning bears high potential to increase traffic efficiency, improve road safety, and reduce fuel consumption. To realize platoons with small inter-vehicle distances, collision safety is the most crucial concern and needs to be considered carefully. Moreover, it is desired to attenuate disturbances along the platoon, which is known as string stability. While model predictive control concepts achieve efficient, situation-aware, and safe platooning, establishing string stability properties is difficult. In this work string stability is characterized for a generic feedback setting. A workflow to design an extended time gap spacing policy is proposed for a safety-extended distributed model predictive platooning controller. It provides safe, tightly-packed platoon operation with robust string stability near steady-state even without vehicle-to-vehicle-(V2V-)communication. Platoon performance is further improved by exploiting V2V-communication. Finally, the resulting closed-loop platoon dynamics are validated in a high-fidelity co-simulation study.


I. INTRODUCTION
Already today, highway capacity poses limits on traffic systems, regularly leading to traffic jams. One solution to improve traffic safety and efficiency, as well as reduce energy consumption and emissions, is to utilize state-of-the-art vehicle automation technologies to realize vehicle platooning. A platoon is a closely-spaced group of vehicles that safely drives in a controlled way to increase traffic throughput and road capacity, reduce fuel consumption, as well as provide collision safety. An experimental validation of achieved platooning benefits is given in [1] and [2]. Vehicle platooning improves the utilization of existing road infrastructure and capacity as stated in [3]-[5]. This is mainly achieved by smaller inter-vehicle spacing, reducing congestion and associated delays [6]. Platooning of trucks (heavy-duty vehicles, HDVs), usually achieved using cooperative adaptive cruise control (CACC) systems, by itself increases roadway capacity significantly as validated in [7]. In [8]-[11] it is further pointed out that particularly in the HDV context, platooning has the potential to reduce aerodynamic drag and thereby fuel consumption.
When investigating the dynamic behavior of platoons, string stability is the property that disturbances are attenuated as they propagate along the string of interconnected vehicles [12]. Classical stability of each platooning vehicle itself does not imply string stability, so the latter has to be ensured separately [13]. Many variants of string stability definitions exist in literature as surveyed in [14] and [15].
In terms of traffic flow, consequences of non-string-stable system dynamics are negative effects on overall traffic safety [16] and the well-known phantom traffic jams as investigated in [17]. In [18] and [19] it is shown that automated vehicles can compensate the unstable behavior of human-driven vehicles. Finally, in [16] and [20] it has been found that today's commercial adaptive cruise control (ACC) systems often show non-string-stable properties, acknowledging the difficulties of realizing string stability properties in practice.
It is important to note that neither stability nor string stability guarantees safety against collisions [21]. Indeed, collision safety has to be ensured separately through appropriate constraints to retain the feasibility of collision-free braking maneuvers at all times, see [22].
Vehicle-to-vehicle-(V2V-)communication plays a vital role in cooperative platooning and allows efficient maneuver coordination. When incorporating information about the acceleration of the preceding car, usually realized via direct V2V-communication, string stability for tightly-spaced platoons can be achieved by CACC under ideal information conditions as shown in [23] and [24]. However, it is crucial to guarantee these vital platoon properties, collision safety and string stability, even without access to V2V-communication while maintaining tight inter-vehicle spacing.
Model-predictive control (MPC) concepts allow to inherently consider input and state constraints, so these concepts prove highly useful to realize platoon control with safety guarantees. The idea of distributed model predictive control (DMPC), in particular, is to split the platoon-wide optimal control problem into interconnected local MPC problems focusing on each individual vehicle. This yields a scalable control structure and local control laws with smaller computational effort and low communication requirements as shown in [22]. A related approach is to use centralized MPC for the platoon leader (assuming ideal follower behavior) and local linear CACC for the other vehicles of the platoon, as proposed in [25].
While collision-safe platooning can be solved well via corresponding constraints in an MPC framework [22], string stability cannot directly be addressed. One way to tackle this problem is to enforce string stability by adding explicit constraints to the optimization problem as done in [26]-[29]. However, these string stability constraints significantly limit the dynamic performance of the platoon in terms of error rejection and closed-loop dynamics and additionally require active V2V-communication. A less restrictive approach is to relate string stability criteria formulated (for linear system dynamics) in the frequency domain to unconstrained and therefore linear MPC operations. This is done in [30] by tuning a model predictive controller with regards to a linear controller that achieves string stability. This approach also relies on active V2V-communication, namely transmission of the acceleration of the preceding vehicle. Since all of the above discussed algorithms depend on active V2V-communication to achieve string stable platoon dynamics, it is of interest to achieve this goal even without this prerequisite.
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Thus, the aim of this work is to design a robust platooning control concept that provides collision safety guarantees, a flexible tracking goal formulation, as well as string stability properties without the need of active V2V-communication and overly severe restrictions on dynamic performance. This is accomplished by utilizing a newly developed design workflow applied to an adapted DMPC architecture developed in [22]. The following main contributions are developed hereafter:
1) Based on a newly developed string stability proof, novel string stability analysis criteria are formulated for a general feedback system structure without V2V-communication.
2) A robust design workflow for a platooning DMPC with safety and string stability guarantees is proposed. Robustness with respect to given actuator dynamics is considered.
3) An extended time gap tracking formulation for the platooning DMPC is proposed that allows to realize small inter-vehicle distances, only limited by collision-safety requirements. It is shown that even in decentralized control without V2V-communication, string-stable behavior close to steady-state platoon operation is achieved. The effects of sudden, finite, transient braking maneuvers on steady-state string stability properties are evaluated, and the interaction with collision safety constraints is demonstrated.
4) A study of the effects of predecessor-to-follower V2V-communication on string stability properties for transient maneuvers is conducted. Methods to reduce communication efforts are proposed and characterized and the influence of imperfect communications on string stability properties is investigated.
5) The proposed concepts are validated for the exemplary case of HDV platooning. This is done by realistic co-simulations with IPG TruckMaker®, an industry-standard high-fidelity vehicle dynamics simulation software. String stability, control performance, and safety are assessed with realistic platoon dynamics.
The remainder of this paper is structured as follows: In Section II the system model, including the extended time gap tracking formulation, is introduced. String stability is characterized for a general state vector feedback control structure in Section III. Section IV presents the applied distributed platooning MPC architecture, its string stability properties, as well as the design workflow that robustly achieves string stable system behavior around steady-state operation. Feasibility of the concept and safety aspects are discussed in Section V. Section VI investigates the incorporation of V2V-communication in the predictive platoon control task and its impact on string stability. The paper is concluded with a validation of the performance of the proposed design workflow and control structure in realistic platoon co-simulations in Section VII.

A. Model-Predictive Platoon Control Goals
Control design for vehicle platooning needs to address the following goals: (i) Small inter-vehicle distances and efficient driving behavior must be realized to improve fuel consumption, road capacity, and ride comfort, (ii) collision safety has to be guaranteed at all times, (iii) disturbances should be attenuated along the platoon to avoid dangerous interactions with follow-up traffic and phantom traffic jams, and (iv) platoon maneuvers should be enabled in a flexible way by integrating additional knowledge, for example via V2V-communication.
In this work we employ a collision-safety-enhanced DMPC architecture for longitudinal platoon control as it is well-suited to address all mentioned aspects efficiently. String stability properties, however, are difficult to assess in a classical MPC formulation. Therefore, a systematic design workflow is proposed to successfully incorporate string stability in a robust way into such a design.

B. Review of Selected String Stability Analysis Methods
Many quantitative characterizations of string stability exist in literature, as surveyed in [14]. An illustration of $\mathcal{L}_2$ and $\mathcal{L}_\infty$ string stability definitions and a thorough comparison are given in [31] and [32]. In this work two qualitative definitions of string stability are used.
Strong string stability denotes the property that state disturbances do not amplify as they propagate along a string of vehicles from any vehicle to its successor [10], [33].
Weak string stability requires disturbance attenuation only between the lead car and the last platoon vehicle, which is a less stringent condition [10].
Sufficient conditions for strong string stability in the design of distributed receding-horizon control algorithms for vehicle platooning are presented in [26]. The basic idea is to add a move-suppression constraint in each local optimal control problem that successively reduces actuation authority for each car down the string of vehicles. This approach severely restricts platoon dynamics, degrades control performance and relies on active V2V-communication.
Another commonly-applied sufficient condition for strong string stability of controlled linear platoon dynamics follows in the $H_\infty$ sense as $\|G_P(z)\|_\infty \le 1$, in which $G_P(z)$ is the closed-loop z-domain transfer function from a perturbation of the predecessor's position error to the ego vehicle's position error [10]. For homogeneous platoon configurations, as investigated in this work, this is equivalent to requiring the velocity perturbations $v^\text{pre}$ and $v$ to fulfill [34]
While the $H_\infty$ criterion (1) is straightforward to evaluate in the frequency-domain, it cannot be applied to nonlinear MPC directly. Analysis of closed-loop frequency-domain properties of MPC that behaves in the unconstrained case like a linear controller is suggested in [35]. This approach is utilized in [30] to tune an MPC with regards to a linear controller that is tuned to achieve string stable system dynamics. The MPC therefore inherits the small-signal properties of the linear control design and still optimally deals with constraints during transients.
In this work a similar approach as described in [30] is adopted to utilize the frequency-domain string stability condition (1) for an MPC control law that behaves linearly for small perturbations around steady state operation. We choose the classical H ∞ characterization and treat collision safety explicitly via MPC constraints. We make string stability accessible by creating a design workflow that incorporates the string stability property close to steady-state operation into the MPC design process.

C. Vehicle Model
For each platoon vehicle the longitudinal kinematics are described focusing on the ego vehicle, as illustrated in Fig. 1. Its predecessor is indicated by superscript pre while quantities without superscript refer to the ego vehicle. Absolute position, velocity and acceleration of the ego vehicle at time $t$ are denoted as $p(t)$, $v(t)$ and $a(t)$ respectively. The inter-vehicle distance between the ego vehicle and its predecessor is given by where $L^\text{pre}$ is the predecessor vehicle's length. It is well known in automated driving control literature that time-gap policies can achieve string stability with sufficiently large time gaps [10], [33], [36]-[38] without V2V-communication.
Notably, utilizing a time-gap policy based on absolute velocity allows to achieve string stability, compare remark in [39]. Such a policy aims to track an inter-vehicle distance of $h \cdot v$ which is the distance covered by the ego vehicle at constant current ego velocity $v$ over a time span of duration $h$. The position error is therefore defined as wherein an additional offset $g$ is utilized to modify the distance $d$ in steady-state as illustrated in Fig. 1. In the scope of this work $g$ is assumed to be constant. The relative velocity is given by
The longitudinal dynamics of the ego vehicle encompass tire forces, rolling resistance forces, aerodynamic drag forces, gravitational forces, and engine, drivetrain and tire dynamics [34], [40]. System analysis can be facilitated by applying a state vector feedback structure using input-output linearization on the resulting complex nonlinear model [23], [34], [41], [42]. Assuming the desired acceleration $a(t)$ is built up through first-order dynamics with dead time [34], [40], [43] where $\tau$ represents an engine time constant and $t_d$ an actuation dead-time, then yields with the state vector $x(t) = [p(t), v(t), a(t)]^T$ [34].
Note that due to such a feedback linearization technique as in [23], [34], [41] and [42], the dynamics in (6) are independent of the particular vehicle parameters (e.g., vehicle mass, drivetrain dynamics) [42]. Instead the lumped surrogate parameters $\tau$ and $n_d$ aim to capture the remaining behavior. Therefore, this approach is also suited for modeling nonhomogeneous platoons. However, in practice a certain degree of uncertainty will occur.
We adopt a discrete-time formulation as follows: Based on (6) we define the discrete time dynamics of the ego vehicle as shown in Fig. 2. It consists of the kinematic plant model $G_\text{plant}(z)$ which is driven by the acceleration output of the actuator dynamics $G_\text{act}(z)$. The state-space representation of $G_\text{plant}(z)$ is with sampling time $T_s$, discrete time index $k \in \mathbb{N}_0$ and state vector $x_k = [p_k, v_k]^T$. Without loss of generality, the predecessor vehicle's length $L^\text{pre}$ is set to 0 since it no longer appears in the definition of the position error (3). Of course, knowledge of the vehicle lengths is necessary to determine the total platoon length. The acceleration $a_k$ applied to the plant model (7) follows from the actuator dynamics described by where $\tau$ represents an engine time constant and $n_d T_s$ a discrete actuation dead-time ($n_d \in \mathbb{N}_0$) analogous to (6). We will utilize $G_\text{act}(z)$ in the next section to test the robustness of string stability properties with respect to model perturbations in $(\tau, n_d)$.

III. STABILITY AND STRING STABILITY ANALYSIS
In this section stability and string stability properties are analyzed for a general state vector feedback control structure as depicted in Fig. 3. This is done analytically for the case of ideal actuator dynamics ($G_\text{act}(z) = 1$). The case of realistic actuator dynamics ($G_\text{act}(z) \ne 1$) is characterized for various actuator parameter values $\tau$ and $n_d$ numerically. The underlying feedback structure occurs locally in unconstrained predictive vehicle control strategies, e.g. DMPC [30], [44], as will be elaborated later in this work.

A. Analytical Characterization of String Stability for Idealized System Dynamics
For the case of ideal actuator dynamics $G_\text{act}(z) = 1$ ($\tau = 0$, $n_d = 0$) the closed-loop dynamics with the feedback gains $k^T = [k_1, k_2]$ can be represented as
Theorem 1: The system under consideration (9) is asymptotically stable if the following conditions are met:
Proof of Theorem 1: Necessary conditions for stability follow from the characteristic polynomial of (9) [45]: Applying the Jury criterion [45] yields the sufficient stability condition This concludes the proof that fulfilling (10) results in a stable system for the case of ideal actuator dynamics.
Theorem 2: The system under consideration (9) is strongly string stable if it fulfills Theorem 1 (asymptotically stable) and if the following conditions are met:
The proof of Theorem 2 is given in Appendix A. Fig. 4 illustrates the regions for stability and strong string stability for exemplary values for $h$ and $T_s$ according to Theorems 1 and 2. For the rest of this work a sampling time $T_s = 0.1$ s is used.

B. Numerical Characterization of String Stability Under Realistic Actuator Dynamics
Now the string stability properties under the presence of actuator dynamics $\tau$ and $n_d$ are investigated ($G_\text{act}(z) \ne 1$). Although this can also be done analytically similar to above for particular actuator dynamics, the string stability conditions quickly become cumbersome, so an empirical characterization is given here to construct criteria for robust string stability.
Definition 1: We define the set of string stable feedback gains
Numerical results for the case of additional actuator dynamics covering a typical range of HDV parameters are shown in Fig. 5. It is evident that the region of string-stable feedback gains $K_\text{ss}$ typically shrinks with increasing model errors. The actuator dynamics (8) can be calibrated by investigating the system responses to applied test signals, e.g. acceleration steps. This is done for validation in Section VII. In literature, engine time constants ranging from 0.2 s to 0.3 s are used for passenger cars [34], [46], [47] while for HDVs, typical values were found as $\tau = 0.26$ s and $n_d T_s = 0.045$ s [48], [49]. For the rest of this work we consider vehicles comprising actuator dynamics (8) with $\tau = 0.2$ s and $n_d = 0$.
Remark 1: The mentioned time constants are related to internal combustion engine powered vehicles and will be considerably lower for electric driven vehicles.
Fig. 6 shows the frequency response magnitude $|G_V(z, \theta)|$ for $z = \exp(j\omega T_s)$, for different values of time gap $h$ at steady-state with constant predecessor velocity $v^\text{pre}$. String stability is attained for $h > h_\text{crit} \approx 1.75$ s. A straightforward bisection algorithm can be applied to find $h_\text{crit}$ to within a given tolerance.
Remark 2: It is evident that as $h \to \infty$, the robustness of the string stability property increases because the resulting bandwidth decreases with $1/h$, and the considered class of actuator uncertainties behaves as $G_\text{act}(z)|_{z=1} = 1$. It is thus always possible to achieve robust string stability by choosing a sufficiently large time gap $h$.

IV. SAFE AND STRING STABLE MPC DESIGN
In the following, we present a distributed model-predictive control architecture for efficient string-stable platooning, which utilizes a novel time gap formulation and provides collision safety at all times. The critical properties (string stability and collision safety) are realized even without V2V-communication. It is noted that close to steady-state operation, the resulting closed-loop dynamics are locally linear and of the same form as the ones analyzed in Section III. Thus, the developed Theorems 1 and 2 and string stability parameter maps as seen in Fig. 5 can be used to design string stable closed-loop dynamics near the steady-state. The validity region of this locally linear behavior is quantified as a positively invariant set. For intense transient maneuvers, the interaction with safety constraints is demonstrated. The mentioned investigations are collected into a design workflow that delivers string-stable and safe predictive platoon control robustly for a given set of model error cases if the time gap $h$ is chosen large enough. We illustrate this methodology with a selected set of parameters ($\tau = 0.2$ s, $n_d = 0$), but the design workflow allows to consider multiple model error cases.

A. Distributed Model-Predictive Platoon Control Architecture
A distributed model-predictive platoon controller which efficiently tracks desired platoon configurations while guaranteeing collision safety has been proposed in [22]. This DMPC-architecture is extended and modified to additionally provide string stability properties. In the following, we summarize the key aspects of the novel control strategy.
Fig. 7. Local MPC from [22]: Coupling of tracking and fail-safe problems for at least one sample ($n_\text{tol} \ge 1$, $T_\text{tol} = n_\text{tol} T_s$). $p_\text{fs}$ is the bounding trajectory obtained by modeling an emergency brake-to-standstill maneuver of the predecessor vehicle, see (28).
In the DMPC design, $G_\text{plant}(z)$ as described in (7) is used as a design model. The uncertain actuator dynamics $G_\text{act}(z)$ are deliberately excluded from the MPC design model to prevent the controller from inverting these dynamics [50]. Hence the MPC design assumes $G_\text{act}(z) = 1$ and thus $u_k = a_k$ to hold. This choice has shown good robustness properties, but of course the design model could also include actuator dynamics if they are known sufficiently accurately for the considered vehicle to improve performance further. Unless noted otherwise, each controlled vehicle is assumed to only know its own state and the relative position and velocity of its predecessor (decentralized setting, platoon without V2V-communication). A constant-velocity prediction of the predecessor $v^\text{pre} = \text{const.}$ is applied if no V2V-communication is available.
Remark 3: The simple MPC design model is chosen for clarity while illustrating the workflow concept. It also robustifies the MPC design against uncertain model errors. A robustification against possible (uncertain) occurrence of actuator dynamics around a selected operation point is achieved by the proposed workflow below.
The basic idea of the collision safety concept is to formulate two predictive control problems, the tracking problem and the fail-safe problem, representing two possible future trajectory realizations, see Fig. 7. This way the tracking control design, which aims at establishing a given time gap h, is separated from realizing the collision safety measures. The recurring optimal control problems are formulated from the current time t k up to the horizon t k+N−1 .
The tracking problem utilizes a novel formulation of the position error (3) as quadratic tracking objective. Its cost function is of the form with scalar tuning parameters $q > 0$ and $r > 0$ which are combined in the ratio $r/q$. Relevant constraints on control inputs and velocities are considered by formulating corresponding input/state sets regarding the ego vehicle:
The fail-safe problem guarantees collision safety at all times by implementing a non-collision constraint. This safety constraint is formulated with respect to the worst-case bounding trajectory obtained by modeling a sudden full-stop emergency braking maneuver of the predecessor vehicle. The guaranteed lower acceleration limit of the predecessor is assumed to be known to the ego vehicle (or a conservative bound can be used).
The control task at time $t_k$ is to find the optimal input and state sequences which minimize the weighted total cost of the tracking and fail-safe problems which are coupled for the first $n_\text{tol} \ge 1$ samples, see Fig. 7 and compare (30d). The detailed formulation of the resulting convex quadratic programming optimization problem is completed in Appendix B.
For a sufficiently large time gap $h > h_\text{crit}$, string stability is expected close to steady-state operation. However, the value of $h_\text{crit}$ also depends on the ratio $r/q$ (i.e., controller aggressiveness). For an offset of $g = 0$ and $h > h_\text{crit}$, the realized inter-vehicle gaps are typically undesirably large, so that any platooning benefits such as increased road capacity or reduced air drag would be lost. This is especially true in the decentralized setting without V2V-communication. In turn, exploiting V2V-communication with one or more predecessors can decrease the critical time gap $h_\text{crit}$. This basic trade-off is derived and discussed in [51]. Choosing a negative offset $g < 0$ at a considered constant design velocity $v_\text{des}$ allows to realize arbitrarily small inter-vehicle gaps with effective desired time gaps $h_\text{des}$ at steady state operation. This approach can lead to string-stable dynamics for small disturbances around the steady-state, as will be characterized in the following section. However, in this case, it is necessary to ensure safe operation by implementing appropriate safety constraints.
Remark 4: Except for the co-simulation part the DMPC controller is tested against a vehicle model incorporating the actuator dynamics (8) with $\tau = 0.2$ s and $n_d = 0$ as mentioned in Section III-B.

B. String Stability Properties Close to Steady-State Operation
The proposed, globally nonlinear collision-safe control law can be represented close to a steady-state operation (that is, in the unconstrained case) as a locally linear feedback law with the feedback gains $k_\text{mpc}^T = [k_1, k_2]$. This linear control architecture is of the same form as discussed in Section III, Fig. 3. Therefore we can utilize our previous findings to characterize string stability locally (for small perturbations around steady-state operation) for cases with and without model errors $\tau$ and $n_d$. The region of feedback gains yielding string stability will provide guidance for MPC design tuning as discussed below in Section IV-C.
To illustrate the validity region of the local linear control law (17), the set of admissible initial states is formulated so that the emanating closed-loop state trajectories fulfill all relevant constraints over all times. This set is found as the positively invariant state set $X_\text{PI}$ for the local closed-loop dynamics about a steady-state determined by a constant predecessor velocity $v^\text{pre}$, the control parameters above, and the relevant constraints. These constraints encompass (15a), (15b). Additionally, the collision safety constraints have to be expressed. To clearly illustrate the collision safety constraints in the two error states (p, v) only, a simplified form is considered for the construction of $X_\text{PI}$ for illustration here. First, the ego vehicle has to be located behind the predecessor vehicle at the current time step (compare Fig. 1): Moreover, after a full-stop emergency braking maneuver, collisions must be avoided: pre min x pre (19) where x and x pre are the distances to standstill for an ideal deceleration maneuver starting at velocity $v_k$ ($v_k^\text{pre}$) with constant acceleration $a_\text{min} < 0$ ($a_\text{min}^\text{pre} < 0$) for the ego and the predecessor vehicles, respectively [9]. Constraint (19) is quadratic in $v_k$, but it is convex and can be approximated from the inside by linear inequality constraints as illustrated in Fig. 8. Therein, both the state constraints ensuring the validity of the linear MPC law (17) and the positively invariant state set $X_\text{PI}$ are plotted. For an initial state $x_0 \in X_\text{PI}$, the closed-loop state trajectory always remains inside $X_\text{PI}$, and thus linear system dynamics are guaranteed. Therefore the string stability analysis method developed in Section III can be utilized to design string stable closed-loop dynamics near steady-state operation. This design workflow will be presented in the next section.
Remark 5: For states that lie outside of $X_\text{PI}$ no guarantee for string stability can be given since they result in active constraints and therefore a (nonlinear) MPC control law that differs from (17). However, an active safety constraint or (18) indicates that safety is endangered and string stability is of subordinate importance. Under active input constraints (15a) the control signal is saturated and string stability cannot be guaranteed by any controller [44].
Note that $X_\text{PI}$ is illustrated here with the simplification $v^\text{pre} = \text{const.}$, but robust string stability is also fulfilled for time-varying $v^\text{pre}$ in a bounded neighborhood of $v_\text{des}$.

C. Design Workflow
We now summarize our findings in a systematic design workflow that achieves platoon string stability around steady-state operation while providing collision safety at all times. We assume that model errors are sufficiently small so that string-stable platoon dynamics can be achieved robustly. The proposed design workflow is given in Algorithm 1. Fig. 9 illustrates regions of string stable feedback gains $K_\text{ss}(h = 2\,\text{s}, \tau_i, n_{d,i})$ for a typical set of 2 s, 0),(0.4 s, 0),(0.4 s,1)} validated through co-simulation in Section VII-A. The intersection of $K_\text{ss}(h = 2\,\text{s}, \tau_i, n_{d,i})$ yields $K_\text{rss}(h = 2\,\text{s})$. String stability can be achieved by the chosen design weighting ratio $r/q = 20$.
Within $X_\text{PI}$, strong string stability is guaranteed for constant predecessor velocity $v^\text{pre} = 80$ km/h.

Algorithm 1 Design Workflow for Robustly String Stable Platooning MPC
1) define set of representative model error cases $(\tau, n_d)$
2) choose $h$
3) utilize $K_\text{ss}(h, \tau_i, n_{d,i})$ (Def. 1) to characterize feedback gain regions $k_1$, $k_2$ which provide robust string stability (rss): if $K_\text{rss}(h) = \emptyset$, choose larger $h$ and re-evaluate
4) characterize $r/q$, $h$ with respect to $K_\text{rss}(h)$
5) design MPC: calculate $g$ to achieve desired inter vehicle distance $d_\text{des}$ via (16), choose $r/q$ appropriately
6) characterize positively invariant state set $X_\text{PI}$ (local string stability validity in steady state)
Remark 6: Reference [30] provides a control matching method to obtain MPC design weightings that lead to desired feedback gains in the unconstrained case and apply this technique to design string-stable MPCs. This method could also be applied here, however, the presented design workflow in the present work allows to directly incorporate a set of model error cases and is simple to use and interpret. In particular, our approach retains interpretability of the design weightings and gives a clear representation of state feedback gains achieving robust string stability.
Fig. 9. The intersection of regions of string stable feedback gains $K_\text{ss}(h = 2\,\text{s}, \tau_i, n_{d,i})$ for the model errors identified in Fig. 15 yields $K_\text{rss}(h = 2\,\text{s})$.
The influence of a broader range of model errors/actuator dynamics on achievable string stable behavior is depicted in Fig. 10. Fig. 11 left shows the critical time gap $h_\text{crit}$ for different values of the actuator time constant $\tau$. In Fig. 11 right, $h_\text{crit}$ is plotted for different weightings $r/q$ in the controller's objective function. It is seen that less aggressive control laws lead to a larger critical time gap $h_\text{crit}$ but also accept larger model errors without losing string stability. For the rest of this work a weight ratio $r/q = 20$ is chosen. The proposed design workflow in Algorithm 1 enables a collision safe DMPC design that maintains string stability for small disturbances around steady-state operation. The system response to strong disturbances and feasibility aspects are discussed in the next section.
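The bisection for the critical time gap mentioned in Section III-B and the "choose larger h" loop over model error cases in step 3 of Algorithm 1 can be combined into one numerical check: for a given gain pair, find the smallest time gap that is string stable for every error case. This is an added example, not code from the paper. The plant and actuator discretization in `response`, the fixed gains `k1 = 0.2`, `k2 = 0.8` and the error cases in `CASES` are assumptions chosen for illustration, whereas in the paper the gains follow from the MPC weighting r/q.

```python
import cmath
import math

TS = 0.1  # sampling time T_s in seconds, the value used on the page

# Constructed model error cases (tau in s, n_d in samples); (0.0, 0) is the ideal actuator.
CASES = [(0.0, 0), (0.2, 0), (0.4, 0), (0.4, 1)]


def response(z, k1, k2, h, tau, n_d):
    """Return (G_V(z), P(z)): velocity transfer function and characteristic polynomial.

    Assumed model, not taken from the page: zero-order-hold double integrator
    as plant, G_act(z) = z^-n_d * (1 - a) / (z - a) with a = exp(-TS / tau),
    and the feedback u = k1 * (p_pre - p - h*v - g) + k2 * (v_pre - v).
    The constant offset g drops out of the perturbation dynamics.
    """
    if tau > 0:
        a = math.exp(-TS / tau)
        act_den, b = z ** n_d * (z - a), 1.0 - a
    else:
        act_den, b = z ** n_d, 1.0  # dead time only; n_d = 0 gives G_act = 1
    n0 = k1 * TS ** 2 * (z + 1) / 2 + k2 * TS * (z - 1)
    char = (z - 1) ** 2 * act_den + b * (n0 + k1 * h * TS * (z - 1))
    return b * n0 / char, char


def is_string_stable(h, k1, k2, tau, n_d, grid=2000, tol=1e-9):
    """Closed loop stable and |G_V(e^{j w TS})| <= 1 up to the Nyquist frequency."""
    degree = 2 + n_d + (1 if tau > 0 else 0)
    _, prev = response(1 + 0j, k1, k2, h, tau, n_d)
    phase, peak = 0.0, 0.0
    for i in range(1, grid + 1):
        g, char = response(cmath.exp(1j * math.pi * i / grid), k1, k2, h, tau, n_d)
        # Argument principle: over the upper half circle the phase of P grows
        # by pi for every root inside the unit circle.
        phase += cmath.phase(char / prev)
        prev = char
        peak = max(peak, abs(g))
    return round(phase / math.pi) == degree and peak <= 1.0 + tol


def h_crit(k1, k2, tau, n_d, lo=0.0, hi=4.0, tol=1e-3):
    """Bisect for the smallest string-stable time gap in [lo, hi].

    Assumes a single unstable-to-stable crossing inside the bracket.
    """
    if not is_string_stable(hi, k1, k2, tau, n_d):
        raise ValueError("upper bracket is not string stable; gains too aggressive")
    if is_string_stable(lo, k1, k2, tau, n_d):
        return lo
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if is_string_stable(mid, k1, k2, tau, n_d):
            hi = mid
        else:
            lo = mid
    return hi


def robust_h_crit(k1, k2, cases=CASES):
    """Smallest time gap for which (k1, k2) is string stable in every error case."""
    return max(h_crit(k1, k2, tau, n_d) for tau, n_d in cases)


if __name__ == "__main__":
    K1, K2 = 0.2, 0.8  # hypothetical feedback gains
    for tau, n_d in CASES:
        print(f"tau={tau:.1f} s, n_d={n_d}: h_crit = {h_crit(K1, K2, tau, n_d):.3f} s")
    print(f"robust h_crit = {robust_h_crit(K1, K2):.3f} s")
```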

V. MPC FEASIBILITY, STABILITY, AND PERFORMANCE ANALYSIS
The proposed DMPC law is designed to provide strong string stability close to steady state operation, as well as collision safety. However, the aspects of feasibility and closed-loop stability of an MPC closed-loop system require deeper analysis. Also, the guaranteed collision safety is observed more closely, and the notion of local robust string stability is discussed. Finally, the impact of small and large disturbances and the resulting interaction of the control with the safety constraint are illustrated in two test maneuvers.

A. MPC Feasibility and Stability
Techniques to ensure MPC feasibility and closed-loop stability are non-trivial but well-studied. First, the (mathematical) feasibility of the considered DMPC optimization problem (30), i.e. the existence of a solution that satisfies all constraints, is always given in the present formulation. The safety constraint (29) is implemented as a soft constraint, so it is always possible to select a (sufficiently large) slack variable s to fulfill the safety constraint formally. The only actual inequality constraints (15) are always satisfied with the trivial solution U = U fs = 0. Of course, this solution does not provide collision safety, but its existence shows guaranteed feasibility.
Standard modifications of the MPC problem can be applied to achieve rigorous closed-loop stability guarantees. These involve choosing appropriate terminal cost terms (e.g., Riccati costs) and terminal state constraints as (robust) control-invariant state sets [52]. The set of initial states for which the constrained terminal state set can be reached, called the N-step admissible set, can be characterized via available tools, e.g. MPT3 [53]. Under suitable assumptions, recursive (or: persistent) feasibility is guaranteed, which then also implies stability. For details, the reader is referred to [54].
The present DMPC problem utilizes "soft" constraints to ensure formal feasibility also in the presence of model errors. As shown in [55], such MPC problems also provide closed-loop stability for at least marginally stable open-loop systems.

B. Collision Safety
Assuming that the modeled deceleration bounds of the preceding vehicle are never violated and that no model error exists, the collision safety constraint (27) remains feasible in a "hard" formulation (r s → ∞) if it is initially feasible with s = 0, as detailed in [22]. To ensure collision safety in the presence of model errors, (i) the predecessor deceleration bounds should be chosen sufficiently large in magnitude, (ii) safety buffer distances can be considered to cover actuator dynamics model errors in the achievable braking distance as shown in [22], and (iii) the slack cost coefficient r s should be chosen sufficiently large. These parameter choices are verified in validation (co-)simulations, as also shown below.

C. Interpretation of Local, Robust String Stability
The proposed DMPC design provides string stability in the neighborhood of the design steady-state velocity, as the proposed definition of the position error (3) depends on the current velocity of the ego vehicle v(t). To adapt to other steady-state velocities, the offset g can be adjusted appropriately (out of scope of this work). The set of error states (p, v) for which string stability is guaranteed is illustrated in Fig. 8 for the case v pre = const. However, the string stability property is of course formulated for time-varying v pre (compare (9)) and remains fulfilled also for sufficiently small deviations of v pre from the design velocity v des .
This characterization is tackled in [30] by assuming a bounded predecessor acceleration disturbance. However, only requiring a (time-invariant) interval bound on persistent predecessor acceleration disturbances is not a suitable disturbance model here, because its integration (the predecessor velocity v pre ) would generally not be confined to any bounded interval. A more elaborate disturbance model (such as combined interval bounds on a pre and v pre ) would be needed, but this would lead to a much more complex characterization of possible disturbance trajectories and the DMPC's reaction, which is out of scope in this work. Instead, two illustrative disturbance cases (test maneuvers) are investigated in the following: a light and a strong braking pulse, followed by returning to the original velocity level.

D. Impact of Small and Large Disturbances
In the following, the effect of the collision safety constraints on the platoon behavior and its string stability properties is illustrated for the test maneuvers (A1) and (A2) defined in Appendix C (weak and strong braking pulses of an external vehicle). The platoon realizes a desired inter-vehicle distance d des = h des v des = 11.1 m corresponding to an effective time gap of h des = 0.5 s. A string stable time gap h = 2 s is chosen which results in an offset g = −33.3 m according to (16). Figure 12 shows the resulting inter-vehicle distances d, velocities v, and phase diagrams in (p, v) for the considered platoon. Bullet points • indicate samples at which the safety constraint is active for the associated vehicle.
For the weak braking maneuver (A1), see Fig. 12 left, the safety constraints never become active, so the unconstrained and therefore linear MPC controller guarantees strongly string stable platoon dynamics. For such string-stable behavior, it is also observed that the phase plots of subsequent vehicles do not intersect.
During the strong braking maneuver (A2), see Fig. 12 right, the safety constraints become active for the first two platoon vehicles. Dashed lines indicate vehicle trajectories that would arise without consideration of safety constraints. While the unconstrained controller guarantees strongly string stable platoon dynamics, it would lead to unacceptably small inter-vehicle distances d. Under active constraints the control law is not represented by (17) any more, and the string stability guarantees are thus generally lost as also discussed in [30] and [31]. Here, maneuver (A2) is still realized in a strongly string stable manner, however with significantly different behavior. It is further observed that (i) the further tail-wards, the less time is spent by the vehicle in the safety-constrained situation, (ii) from vehicle 3 on, the safety constraint never becomes active, and (iii) the phase plots of the first three vehicles intersect, whereas those of the following vehicles do not.
More intense braking maneuvers resulting in extensive interaction with the safety constraints (not only the first few cars) yield weak string stability (not shown here).
Remark 7: The transient maneuvers discussed in this section do not fulfill the assumption v pre = const. made in Section III. The different class of disturbances was chosen to empirically illustrate the influence of active safety constraints on string stability properties.

VI. ACHIEVING STRING STABILITY IN TRANSIENT MANEUVERS THROUGH V2V-COMMUNICATION
Until now, the platoon has been considered without V2V-communication capabilities. In that case, the predecessor's position trajectory prediction had to be constructed based on a constant-velocity prediction. Enabling the platoon members to exchange the relevant predicted position trajectories is expected to yield better performance regarding string stability under reduced inter-vehicle spacing [10], [24], [26], [56]. Therefore, in this section communication is implemented in the sense that the preceding platoon vehicle transmits its predicted position trajectory to the ego vehicle in every time step. This unidirectional communication approach yields far better control performance and string stability properties than the estimation of the predecessor position based on the constant-velocity prediction used beforehand.
Maneuver (A2) defined in Appendix C is now performed with and without V2V-communication for a time gap of h = h des = 0.5 s (g = 0 m). Without communication, the system dynamics are clearly not string stable, as can be observed from the increasing amplitudes of oscillations in relative positions and velocities in Fig. 13. For the case of activated communication, as expected, the performance regarding string stability is enhanced: The platoon dynamics are strongly string stable, which is indicated by decreasing d- and v-trajectories in Fig. 13. However, it has to be noted that the safety constraints of several vehicles become active.
As an indicator of (loss of) string stability in transient test cases, we utilize the following L 2 -norm definition of the discrete-time velocity deviation signals for each vehicle as for k = 0, 1, . . and v 0 = 80 km/h and show them in Fig. 14 left for different time gaps under full V2V-communication.
It can be seen that for maneuver (A2), strong string stability can be achieved with h > 0.36 s and weak string stability with h > 0.27 s.

A. Measures to Reduce Communication Efforts
It is often desirable to reduce the utilization of the used communication channel, also reducing packet loss and transmission delays as stated in [12] and [24]. Therefore, instead of communicating N samples every time step, reduced communication is investigated, and its impact on string stability tested.
One possibility to reduce transmitted data is to send a simplified trajectory to the following car. This can be done by only communicating the first n com samples of the position trajectory while the missing information is extrapolated linearly, i.e., by constant-velocity prediction. It is observed that by transmitting only the first 20 samples (2 s) string stability in v is still achieved.
Another way of reducing the amount of communicated samples would be to transmit only every m com -th sampling point. The missing position data is then efficiently reconstructed by linear interpolation performed by the ego vehicle. Simulations show that the maneuver under investigation is robust to coarser sampling times up to communicating only every 16-th sample.
Communication efforts can be even further reduced by implementing event-triggered communication as suggested in [22].
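The two reduction schemes above, seen from the receiving vehicle, as an added example (not code from the paper): it rebuilds the full predecessor position trajectory from the first n com samples or from every m com -th sample and compares the result with the constant-velocity prediction used without V2V. The horizon N = 40, the braking level `a_brake`, all function names and the predecessor plan itself are assumptions constructed for illustration.

```python
TS = 0.1        # sample time in s; the page equates 20 samples with 2 s
N = 40          # prediction horizon in samples (assumed value)
V0 = 80 / 3.6   # cruise velocity in m/s (80 km/h, as on the page)


def planned_trajectory(a_brake=-4.0, t_brake=1.0, a_acc=1.0, n=N, ts=TS):
    """Constructed predecessor plan: braking pulse, then re-acceleration to V0.

    Returns positions after each step, relative to the current position.
    a_brake is a constructed value, not a parameter from the paper.
    """
    n_brake = round(t_brake / ts)
    p, v, out = 0.0, V0, []
    for k in range(n):
        a = a_brake if k < n_brake else (a_acc if v < V0 else 0.0)
        v = min(V0, max(0.0, v + a * ts))
        p += v * ts
        out.append(p)
    return out


def constant_velocity(v_now, n=N, ts=TS):
    """Prediction without V2V: the predecessor keeps its current velocity."""
    return [v_now * ts * (k + 1) for k in range(n)]


def extend_truncated(received, n=N):
    """Scheme 1: only the first n_com samples arrive; extrapolate linearly."""
    if len(received) >= n:
        return list(received[:n])
    if len(received) < 2:
        raise ValueError("need two samples to estimate the velocity at the cut")
    step = received[-1] - received[-2]      # distance per sample at the cut
    missing = n - len(received)
    return list(received) + [received[-1] + step * i
                             for i in range(1, missing + 1)]


def subsample(traj, m_com):
    """Sender side of scheme 2: keep every m_com-th sample with its index."""
    return [(k, traj[k]) for k in range(0, len(traj), m_com)]


def reconstruct_subsampled(knots, n=N):
    """Scheme 2: linear interpolation between received samples.

    Past the last received sample the final segment is continued linearly.
    """
    if len(knots) < 2:
        raise ValueError("need at least two received samples")
    out, seg = [], 0
    for k in range(n):
        while seg < len(knots) - 2 and k > knots[seg + 1][0]:
            seg += 1
        (k0, p0), (k1, p1) = knots[seg], knots[seg + 1]
        out.append(p0 + (p1 - p0) * (k - k0) / (k1 - k0))
    return out


def max_error(estimate, truth):
    return max(abs(e - t) for e, t in zip(estimate, truth))


def compare(n_com=20, m_com=16):
    """Maximum position error (m) over the horizon for each prediction."""
    truth = planned_trajectory()
    return {
        "constant_velocity": max_error(constant_velocity(V0), truth),
        "first_n_com": max_error(extend_truncated(truth[:n_com]), truth),
        "every_m_com": max_error(
            reconstruct_subsampled(subsample(truth, m_com)), truth),
    }


if __name__ == "__main__":
    for name, err in compare().items():
        print(f"{name:18s} max position error {err:.3f} m")
```

These errors describe only how well the received data reproduces the constructed plan; they say nothing about string stability, which the paper assesses in closed-loop simulation.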

B. Performance Under Imperfect V2V-Communication
Firstly, the impact of a total loss of communication on the system dynamics is investigated. The worst case is investigated: A communication blackout exactly one sample before the braking maneuver of the external vehicle starts. Secondly, packet loss is modeled as the probability of successful communication, which is determined at each time step for each vehicle individually [57], [58]. Monte-Carlo simulations show that communication probabilities of at least 18% assure strongly string-stable platoon behavior for the investigated maneuver (A2). Simulations show robust behavior of the proposed control scheme with respect to packet loss compared to e.g., the CACC system investigated in [59].
Delayed communication can be treated like packet loss since it is assumed that the delayed information packages can be identified by their checksums and substituted by e.g., a constant-velocity prediction.

VII. CO-SIMULATION BASED VALIDATION
Finally, the proposed concepts and control structures are validated via realistic co-simulation of high fidelity vehicle dynamics for the exemplary case of HDV platooning. Therefore, each individual vehicle is simulated by the vehicle dynamics simulation software IPG TruckMaker®, while MATLAB® provides the simulation environment and Simulink® is used as communication interface between the individual vehicle instances.
TruckMaker® is an industry-standard high-fidelity vehicle dynamics simulation software used in development and analysis of HDV related driving systems and vehicle dynamics. It simulates detailed vehicle dynamics including multi-body dynamics of masses and chassis, as well as parameterized gear box, clutch, engine, and tire component models. The real-time capable simulation models are validated by field studies in [60] and [61]; further references are given in [62]. The Demo2AxleSemiTruck4×2_Volvo model is used analogously to [22].
Co-simulation architecture: The dynamics of each HDV are simulated by an individual instance of TruckMaker® online at every time step. All vehicle simulation instances are coordinated and synchronized by a central MATLAB® session which establishes global time stepping. This results in a fully coupled, online high fidelity co-simulation.
Optimization software: The MPC optimization problems have been formulated and solved by quadratic programming utilizing the Yalmip toolbox [63] and the commercial solver Gurobi® [64]. The computation of the MPC control actions is carried out by the central MATLAB® session.
Vehicle control interface: The desired accelerations are tracked by a low-level acceleration PI controller. The low-level controller does not consider the dead times or non-linear behavior of the controlled drive train and its parameters have been chosen trivially. This is done on purpose to test the proposed DMPC concept with respect to model imperfections since the low-level dynamics influence string stability significantly as shown in [65]. The detailed vehicle dynamics simulated by IPG TruckMaker® in combination with the trivially designed low-level acceleration controller result in a system behavior that deviates from the linear vehicle model (7), (8) introduced in Section II-C. We address this model error by considering multiple actuator dynamics parameter cases in the proposed design workflow. This is detailed in Section VII-A.
Further measures to robustify the co-simulation include the formulation of dynamical constraints for regularization analogous to [22] and the adjustment of the braking bound regarding the predecessor to a pre min = −8 m/s².
Remark 8: Safe inter-vehicle distances amount to about 15 m at a velocity of 80 km/h. Inter-vehicle distances could be significantly reduced by substituting the low-level PI controller by a model-based feed-forward control architecture as discussed in Section II-C (out of scope).
In the following co-simulation studies we show that the proposed vehicle model structure introduced in II-C represents the actual/real response characteristic of an HDV well with appropriately chosen parameters. The model predictive controller parameterized in this way is validated for selected test maneuvers. Relevant parameter values for these studies are given in Appendix C Table I.

A. Parameterization of Modeled Actuator Dynamics
The real vehicle dynamics represented here via IPG TruckMaker® is significantly more complex than the vehicle model structure consisting of a kinematic plant (7) and actuator dynamics model (8) introduced in Section II-C. However, we use this substitute vehicle model with representative parameters M pert to appropriately constrain the system behavior and thus perform the robust MPC design according to the presented workflow. (8) and (20). The identified actuator dynamics parameters are in agreement with the parameters obtained through field tests in [30].

B. Validation of Braking Pulse Maneuvers
In this section, the observations regarding the influence of the collision safety constraints on the string stability properties made in Section V-D are studied under realistic conditions. Therefore the test maneuvers (A1) and (A2) are considered, whereby the desired steady-state inter-vehicle distances d des are varied. Given definition (16) this corresponds to varied effective time gaps h des . Also, a performance comparison against a CACC concept is given. To assess the string stability properties, the L 2 -norms of the velocity deviations (22) are utilized.
Fig. 15. Simulated acceleration step responses obtained in IPG TruckMaker® with representative actuator dynamics G act,i ∈ M pert , here illustrated for a starting velocity of 60 km/h.
In the case of the weak braking pulse maneuver (A1), strong string stability is observed for a platoon driving at inter-vehicle distances d des = 22.2 m (h des = 1 s) without V2V-communication, as shown in Fig. 16. Active communication boosts performance even further, as can be observed from the L 2 -norms of the velocity deviations. Fig. 16 also shows the results of the CACC-system proposed in [23], which relies on active V2V-communication. This CACC concept has been validated in field studies in [23]. It can be seen that the DMPC concept outperforms the CACC-system even without incorporation of active V2V-communication while ensuring collision safety at all times.
Reducing the desired inter-vehicle distances to d des = 15 m (h des = 0.68 s) yields non-string-stable behavior due to increased interactions with the collision safety constraints, as shown in Fig. 17 for maneuver (A1). As discussed in Section VI, string stability is retained by utilizing full V2V-communication, compare Fig. 17.
In the case of the strong braking pulse maneuver (A2), larger inter-vehicle distances are needed to obtain the same propositions regarding string stability as for maneuver (A1). E.g., a platoon driving at d des = 25 m (h des = 1.1 s) without communication shows string stable behavior.

VIII. CONCLUSION
The main idea of this paper is to provide a robust design method to establish string stability in the context of predictive platoon control of automated vehicles. To do so, a general result on string stability under state feedback control has been formulated and proven in a new way.
This enables a design workflow to synthesize a distributed model-predictive controller in which string stability properties are achieved and robustified with respect to a relevant class of actuation uncertainties. An extended time-gap spacing formulation in a distributed platooning MPC architecture with collision safety guarantees has been proposed. Factors affecting string stability and control performance, including model errors, disturbance maneuver properties, as well as communication abilities, have been analyzed and addressed. In contrast to existing MPC designs which utilize controller matching to achieve string stability close to steady state, our design workflow accomplishes this while maintaining interpretable MPC design weightings. A concluding validation with realistic vehicle dynamics co-simulations showed good performance of the proposed control concepts and their successful realization under severe model imperfections.

APPENDIX A
Proof of Theorem 2: To prove the strong string stability condition (1), it is sufficient to prove that (i) G V (z) is asymptotically stable, (ii) G V (z)| z=1 = 1 holds, and (iii) |G V (z)| < 1 holds for z = exp (jωT s ) , ωT s ∈ (0, π]. These steps are shown in the following, inspired by the proof technique shown in [34]. Conditions (i) and (ii) are readily fulfilled by assumption and as seen from (9). To verify (iii), we proceed analogous to [34] as follows: First, the magnitude of G V (z) in (9) is expressed for z = exp (jωT s ) in the form |G V (z)| = √ a/ (a + b). The resulting terms a, b, obtained by algebraic manipulation and simplification, read with the terms Analyzing (23), we show that the inequality a > 0 is always fulfilled by investigating the extremal cases cos (ωT s ) = ±1. The case cos (ωT s ) = 1 yields the condition 2 T 2 s k 2 1 > 0, and the case cos (ωT s ) = −1 results in 8 k 2 2 > 0. If a > 0 for cos (ωT s ) = ±1, then a is also positive for the entire range of cos (ωT s ) because a is a linear function in cos (ωT s ) ∈ [−1, 1]. Hence, a > 0 holds for Subsequently, analyzing (24), the inequality b > 0 is treated similarly via case distinction. The case (1 − cos (ωT s )) = 0 for ωT s = 2 k π with k ∈ Z is of no further interest since it corresponds to z = 1 (condition (ii)). Otherwise, (1 − cos (ωT s )) > 0 holds, and (24) can be divided by the term 4 (1 − cos (ωT s )), yielding Proceeding as above, the extremal case cos (ωT s ) → 1 yields in which the facts T s , h > 0, k 1 < 0 have been exploited. This condition amounts to the right inequality in (12b). It remains to verify the other extremal case of (25) for cos (ωT s ) = −1: It is noted that the expression C is a divisor of the righthand side, and the sign of C determines the sign of the inequality. The only case compatible with preconditions (10) is k 1 > −2/(T s h), which yields corresponding to the left inequalities in (12a) and (12b). 
This completes the proof of Theorem 2 on strong string stability for the case of ideal actuator dynamics.

APPENDIX B SAFETY-EXTENDED DMPC CONCEPT FOR PLATOON CONTROL
This section details the utilized safety-extended distributed MPC concept for platoon control originally developed in [22]. Section IV-A outlines the basic MPC structure comprised of two modeled trajectories, the tracking and the fail-safe problems, both formulated over a horizon of N time steps. The current and future input values are stacked into the input sequence U = [u k , u k+1 , . . . , u k+N−1 ] T . The current state x k is considered to be known. The future states, predicted via G plant (z) (7) using the initial state x k and the input sequence U, are stacked into the state sequence X = [x T k+1 , x T k+2 , . . . , x T k+N ] T .
1) Fail-Safe Problem: The fail-safe problem (whose quantities are indicated by the superscript fs) utilizes a cost function of the form where the weight q fs > 0 is chosen to achieve sufficient regularization of the problem, however, its specific value plays no role in this problem setting. The non-collision requirement is modeled as where p fs k+ j is the bounding trajectory obtained by modeling an emergency brake-to-standstill maneuver of the predecessor vehicle (modeled analogously via (7)) with acceleration input [9]
$$a^{\mathrm{pre}}(t) = \begin{cases} a^{\mathrm{pre}}_{\min} & \text{if } v^{\mathrm{pre}}(t) \ge 0 \\ 0 & \text{else} \end{cases}, \qquad t \ge t_k \tag{28}$$
The guaranteed lower acceleration limit of the predecessor a pre min is assumed to be known to the ego vehicle. Equation (27) is realized in the fail-safe problem by formulating the state set X p ( p fs k+ j ) = {x : p ≤ p fs k+ j − L pre }.

APPENDIX C PLATOON CONFIGURATION AND TEST MANEUVERS
An exemplary platoon of 10 heavy-duty vehicles is utilized to study, test and illustrate the control performance, collision safety and string stability. The test maneuvers that are considered throughout this work all start with the platoon driving At t = 2 s the external vehicle issues a short (weak, maneuver (A1), respectively strong, maneuver (A2)) braking pulse which lasts t brake = 1 s. Then it re-accelerates up to its initial velocity with acceleration a acc = 1 m/s². The simulation parameters are listed in Table I.