Towards a Complete Safety Framework for Longitudinal Driving

Formal models for the safety validation of autonomous vehicles have become increasingly important. To this end, we present a safety framework for longitudinal automated driving. This framework allows calculating minimum safe inter-vehicular distances for arbitrary ego vehicle control policies. We use this framework to enhance the Responsibility-Sensitive Safety (RSS) model and models based on it, which fail to cover situations where the ego vehicle has a higher decelerating capacity than its preceding vehicle. For arbitrary ego vehicle control policies, we show how our framework can be applied by substituting real (possibly computationally intractable) controllers with upper bounding functions. This comprises a general approach for longitudinal safety, where safety guarantees for the upper-bounded system are equivalent to those for the original system but come at the expense of larger inter-vehicular distances.


I. INTRODUCTION
Despite the tremendous progress in machine learning, computer vision, localization, vehicular communications, and other enablers for automated driving (AD), the adoption of autonomous vehicles (AVs) on public roads is still rather limited [1]. One of the aspects which becomes increasingly important for future market deployment of AVs is their safety validation [2], [3]. It is evident that statistical approaches based on, for example, on-road testing, do not scale well, which makes it important to design formal models for the safety analysis [4].
One of the well-known examples of such a model is Responsibility-Sensitive Safety (RSS) [5]. In particular, it provides minimum inter-vehicle distances (IVDs) that are safe to keep for given braking capabilities of the vehicles. For the case of connected vehicles, where braking relies on vehicle-to-vehicle (V2V) communications, safe IVDs also depend on the quality of the inter-vehicular radio links [6]. Recent related efforts in the context of the RSS model are directed at overcoming its assumptions on longitudinal behavior through reachable-set-based worst-case predictions [7], finding reasonable parameters for it from real traffic data [8], [9], or providing methods to automatically explore the performance limits of AV safety models [10].
Limitations of the RSS model have been investigated and reported in [9], [11], [12], [13]. Specifically, due to an improper choice of model parameters, the minimum distance provided by RSS can become unnecessarily large, which has a negative effect on road efficiency [12]. In [12], an attempt to optimize the RSS model is made in order to achieve a trade-off between safety and efficiency. The proposed models are assessed by numerical simulations.
Our work not only proposes a theoretical approach to overcome the conservative results in RSS but also shows an explicit parameter interval where the RSS distance is insufficient to guarantee safety. Such a special case where safety cannot be guaranteed with the original RSS model has been previously reported in [4]. However, the domain for this special case was not completely described and lacked one condition. Without this condition, as we show by an example, the safe IVDs become unnecessarily large. In our work, compared to [4], this condition is present, and results are presented comprehensively and explicitly.
In this paper, we focus on longitudinal AD with short IVD, which is foreseen to be a common scenario for future AVs. An incentive for driving close comes both from better road utilization and, in certain cases, from the fuel-saving effect [14]. Recently, we derived minimum safe distances for a special scenario where the follower vehicle uses an adaptive cruise control (ACC) [15]. To calculate those distances, we introduced and applied a novel 3-step methodology [15] that allowed us to handle the considered safety analysis problem effectively. The three steps can be summarized as follows:
1) A so-called minimum safe braking set is specified. Upon reaching this set, the follower vehicle has to emergency brake immediately to avoid a rear-end collision.
2) Trajectories of the two considered vehicles are obtained on the time interval $[0;\tau]$, where $\tau$ is referred to as the response time. During the first $\tau$ seconds, the follower vehicle is unaware of the emergency braking situation ahead and continues to move forward according to its control law.
3) The minimum initial distance between the vehicles is found such that the trajectories obtained in the second step reach the minimum safe braking set exactly at $\tau$ seconds.
In this paper, we expand on this methodology by explicitly applying it to a special scenario of the RSS model on the one hand and addressing more general cases with arbitrary acceleration/deceleration profiles of the follower vehicle on the other. We extend both [5] and [15], and present two novel contributions:
• First, in Section II we demonstrate how the 3-step methodology can be applied to the setting considered in the RSS model, where the ego vehicle accelerates or moves with a constant velocity until switching to the emergency braking mode by applying its maximum possible deceleration $\bar a_2$. We show that RSS-based IVDs become insufficient when the ego vehicle has a higher decelerating capacity $\bar a_2$ than its preceding vehicle $\bar a_1$, and present the comprehensive formula and the explicit conditions under which such a formula should be applied.
• Second, in Section III we provide a procedure for calculating minimum safe IVDs versus the response time for a follower vehicle with an arbitrary control law. We show that for a function bounding the controller from above, the methodology results in distances with higher safety guarantees compared to those corresponding to the real controller. A tighter bounding function results in a tighter bound and thus a shorter IVD. Several examples are presented in Section IV illustrating how an appropriate choice of bounding function makes it easier to calculate sufficient safe minimum distances.
Our contributions are also applicable to the safety analysis of V2V-enabled cooperative AD [14]. Indeed, if the decision for emergency braking can be made with some probability $P$ during the response time, then the chosen IVD guarantees collision-free behavior with a probability no less than $P$. In such a setting, the probability of the decision to brake corresponds to the probability that the ego vehicle receives at least one braking message from the preceding vehicle during the interval $[0;\tau]$.

A. Safety Analysis
We consider two vehicles, which we call a leader and a follower, moving along the road with a short IVD. At some point, the leader abruptly emergency brakes with its maximum braking capacity $\bar a_1$ (e.g., due to a pedestrian appearing on the road), and the follower has to brake in response to avoid a rear-end collision. During the response time $\tau$, the following vehicle is unaware of the preceding vehicle's critical braking and keeps moving with a constant speed or even accelerates with the maximum possible acceleration $a^{ac}_2$ (in the pessimistic case). Once the response time $\tau$ has passed, the follower makes the decision to emergency brake and applies the maximum possible deceleration $\bar a_2$. Note that by deceleration $\bar a_i$ we refer to the amplitude of the negative acceleration. The problem that we tackle here is to find a minimum safe distance that guarantees collision-free behavior. Such a distance depends on the response time $\tau$ and on the controller that the follower uses during this time.
Below, we apply the 3-step methodology in order to find minimum safe distances in the considered scenario. The "minimum safe braking set" required by the first step can be directly obtained from [15]. However, the derivations in steps 2 and 3 differ from [15] due to different assumptions about the follower's controller.
Step 1: The "minimum safe braking set" comprises a two-dimensional hyper-surface in a 3-dimensional space [15]: where $v_1$ and $v_2$ are the velocities of the leader and follower, respectively; $d$ is the IVD; and the superscript $*$ denotes the corresponding variable at time $\tau$. If the dynamic parameters of the vehicles, i.e., $d$, $v_1$, and $v_2$, attain values in this set, the follower has to apply the maximum possible deceleration $\bar a_2$ immediately in order to avoid a rear-end crash.
The explicit form of $f$ is given below [15]: Here, we recall that this set was obtained by considering both vehicles braking with their maximum possible decelerations, i.e., $\ddot x_i = -\bar a_i$, starting with initial velocities $v_i^* = v_i(\tau)$ and initially placed exactly at the distance $d^*$. The necessary and sufficient condition for avoiding a collision is that the distance $x_1(t) - x_2(t)$ never becomes negative. Note that $x_1(t)$ and $x_2(t)$ are the coordinates of the leader's rear end and the follower's front end, respectively. If the leader is still moving at $t = v_2^*/\bar a_2$, the IVD will only increase from then on, and thus this interval is out of our interest. If $\bar a_1 \ge \bar a_2$, it is enough to check the distance between the vehicles at the moment when the following vehicle has stopped, i.e., at $t = v_2^*/\bar a_2$. If $\bar a_1 < \bar a_2$, the IVD as a function of time is a parabola opening upwards. Thus, there can be a case when $x_1(t) - x_2(t)$ decreases up to the vertex and then increases again. For such a case, it is not sufficient to consider only the distance at $t = v_2^*/\bar a_2$. Instead, it is crucial to ensure that at the parabola's vertex the IVD equals zero, i.e., only touching occurs. This condition leads to the second equation in formula (3). All possible cases corresponding to formulas (2)-(3) are shown in Fig. 1 for illustration purposes.
Step 2: Now, let us consider the motion of the two vehicles during the first $\tau$ seconds, when the follower accelerates with $a^{ac}_2 \ge 0$; this gives system (4) with initial conditions at $t = 0$, where $v_1^0/\bar a_1$ is the time when the leader comes to a full stop.
Fig. 1. Different cases of IVD evolution needed for the "minimum braking set" derivation. Here, the case "i.j" corresponds to equation "j" in formula "i". Thus, the more interesting case "3.2" corresponds to the second equation in formula (3).
The solution of (4) at the time point $\tau$ has the form below:
Step 3: Now, we combine steps 1 and 2 such that the trajectory reaches the surface (2)-(3) at the point $(d^*, v_1(\tau), v_2(\tau))$ exactly at time $\tau$. Obviously, we also take into account that $d_0 \ge 0$. Having this, we obtain the following: Here, $[x]_+$ denotes $\max\{x, 0\}$.
It can be explicitly shown that the scalar product of the normal vector to the surface (2)-(3) and the tangent vector of the system trajectories (5) at the point where the trajectory pierces the surface always has a negative sign. Thus, trajectories can pierce the surface only once, at the moment $\tau$. It is also worth noting that (6)-(7) is a monotonically increasing function of $a^{ac}_2$. Thus, the larger the acceleration $a^{ac}_2$ during the first $\tau$ seconds, the larger the distance required to ensure safe braking.
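The 3-step procedure described above, worked through in code. This is an added example and not code from the paper; the closed forms it uses are derived here from the case analysis in Step 1 (stop-time check for $\bar a_1 \ge \bar a_2$, vertex check for $\bar a_1 < \bar a_2$ when $v_1^* < v_2^* \le (\bar a_2/\bar a_1) v_1^*$) and are not formulas (2)-(3) and (6)-(7) themselves. The numeric scenario (20 m/s for both vehicles, $\bar a_1 = 4$ m/s^2, $\bar a_2 = 8$ m/s^2, $a^{ac}_2 = 1$ m/s^2, $\tau = 1$ s) is constructed, and `check_vertex=False` is this example's own switch for a stop-time-only computation. The time-stepping check at the end is independent of the closed forms and shows that the stop-time-only distance leads to a collision in the $\bar a_1 < \bar a_2$ case.

```python
"""
Worked example of the 3-step methodology in the RSS setting (Section II).
Added illustration, not the paper's code: the closed forms below are derived
here from the text's case analysis, not copied from formulas (2)-(3)/(6)-(7).
Symbols follow the text: v1, v2 are the velocities of leader and follower,
a1, a2 the braking amplitudes (\bar a_1, \bar a_2), a_acc the follower's
acceleration a^{ac}_2 during the response time tau, d_star the IVD at tau.
"""


def braking_set_distance(v1, v2, a1, a2, check_vertex=True):
    """Step 1: smallest IVD d* from which both vehicles can brake with their
    maximum amplitudes without colliding.

    While both move, the gap is g(t) = d* + (v1 - v2) t + (a2 - a1) t^2 / 2.
    * a1 >= a2: g is concave, so checking the follower's stop time
      t = v2 / a2 suffices (leader stopped earlier or moving away).
    * a1 < a2 and v1 < v2 <= (a2 / a1) v1: g is a parabola opening upwards
      whose vertex comes before either vehicle stops; the gap may only
      touch zero there (the second equation of formula (3) in the text).
    check_vertex=False reproduces an RSS-style result that only looks at the
    follower's stop time, which the text shows to be insufficient.
    """
    d_stop = max(0.0, v2 ** 2 / (2 * a2) - v1 ** 2 / (2 * a1))
    if check_vertex and a1 < a2 and v1 < v2 <= (a2 / a1) * v1:
        # Vertex at t_v = (v2 - v1) / (a2 - a1); solving g(t_v) = 0 for d*:
        return (v2 - v1) ** 2 / (2 * (a2 - a1))
    return d_stop


def leader_after_tau(v1_0, a1, tau):
    """Step 2, leader: brakes with amplitude a1 from t = 0.
    Returns (velocity, distance travelled) at t = tau."""
    if tau >= v1_0 / a1:                       # already at a full stop
        return 0.0, v1_0 ** 2 / (2 * a1)
    return v1_0 - a1 * tau, v1_0 * tau - a1 * tau ** 2 / 2


def follower_after_tau(v2_0, a_acc, tau):
    """Step 2, follower: constant acceleration a_acc >= 0 during [0, tau]."""
    return v2_0 + a_acc * tau, v2_0 * tau + a_acc * tau ** 2 / 2


def min_safe_initial_distance(v1_0, v2_0, a1, a2, a_acc, tau, check_vertex=True):
    """Step 3: initial IVD d0 such that the trajectory reaches the braking
    set exactly at tau; [x]_+ = max(x, 0) as in the text."""
    v1_tau, s1 = leader_after_tau(v1_0, a1, tau)
    v2_tau, s2 = follower_after_tau(v2_0, a_acc, tau)
    d_star = braking_set_distance(v1_tau, v2_tau, a1, a2, check_vertex)
    return max(0.0, d_star + s2 - s1)


def simulated_min_gap(d0, v1_0, v2_0, a1, a2, a_acc, tau, dt=1e-3):
    """Independent check by time stepping: smallest gap x1 - x2 over the
    whole maneuver starting from IVD d0 (negative means a collision).
    Trapezoidal position updates are exact for piecewise-constant
    acceleration; velocities are clamped at 0 once a vehicle stops."""
    x1, v1, x2, v2 = d0, v1_0, 0.0, v2_0
    n_tau = round(tau / dt)
    horizon = tau + max(v1_0 / a1, (v2_0 + max(a_acc, 0.0) * tau) / a2) + 1.0
    min_gap = d0
    for k in range(round(horizon / dt)):
        acc2 = a_acc if k < n_tau else -a2
        v1_next = max(v1 - a1 * dt, 0.0)
        v2_next = max(v2 + acc2 * dt, 0.0)
        x1 += 0.5 * (v1 + v1_next) * dt
        x2 += 0.5 * (v2 + v2_next) * dt
        v1, v2 = v1_next, v2_next
        min_gap = min(min_gap, x1 - x2)
    return min_gap


if __name__ == "__main__":
    # Constructed scenario (assumed values): both at 20 m/s, leader brakes
    # with 4 m/s^2, follower can brake with 8 m/s^2 and accelerates with
    # 1 m/s^2 for tau = 1 s: the a1 < a2 case the text warns about.
    v1_0 = v2_0 = 20.0
    a1, a2, a_acc, tau = 4.0, 8.0, 1.0, 1.0
    d_full = min_safe_initial_distance(v1_0, v2_0, a1, a2, a_acc, tau)
    d_rss = min_safe_initial_distance(v1_0, v2_0, a1, a2, a_acc, tau, False)
    for label, d0 in (("with vertex check", d_full), ("stop-time only   ", d_rss)):
        gap = simulated_min_gap(d0, v1_0, v2_0, a1, a2, a_acc, tau)
        print(f"{label}: d0 = {d0:.3f} m, smallest simulated gap = {gap:.4f} m")
```

In the constructed scenario the follower reaches $\tau$ at 21 m/s against a leader at 16 m/s, which lies inside the special case, so the stop-time-only distance (2.5 m) ends 3.125 m short of the vertex-based one (5.625 m); the simulation reports a negative gap for the former and a zero-touching gap for the latter. Swapping the braking amplitudes ($\bar a_1 = 8$, $\bar a_2 = 4$) makes both computations agree, as the text states for $\bar a_1 \ge \bar a_2$.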

B. Comparison With RSS Models
Formulas (6)-(7) provide a full and comprehensive recipe for calculating minimum safe longitudinal distances. They comprise a generalization of our previous results [6], [14], where the follower moves with a constant velocity, i.e., $a^{ac}_2 = 0$, during the response time $\tau$. In [5], the safe longitudinal distance was obtained under the assumption that the follower accelerates with $a^{ac}_2 \ge 0$ during the response time $\tau$ before switching to emergency braking by applying the maximum deceleration $\bar a_2$, i.e., the same setting as considered in Section II. The results provided in [5] coincide with (6), covering only the case $\bar a_1 \ge \bar a_2$, which intuitively can be thought of as the worst-case scenario since the follower has a lower braking capability than the leader. Thus, one could assume that formula (6) provides distances no shorter than those required for the case $\bar a_1 < \bar a_2$, so that it can be used for $\bar a_1 < \bar a_2$ as well. However, in the case $\bar a_1 < \bar a_2$, longer safe distances can be required than those provided by the original RSS formula (6). This comes from the fact that for some initial distances, the trajectories of the two vehicles can come to touch, after which the IVD increases again. Such a special case, where safety cannot be guaranteed with the original RSS distances, is reported in [4]. However, the resulting formulas of [4] are missing one important condition that defines when this special case should be applied. In more detail, according to [4], the original RSS formulas cannot guarantee collision-free behavior if:
• the follower vehicle's braking capability is greater than the leader vehicle's: $\bar a_2 > \bar a_1$;
• at the end of the response time $\tau$, the follower moves faster than the leader, i.e., $v_2^0 + a^{ac}_2 \tau > v_1(\tau)$.
The third condition, an upper bound on how much faster than the leader the follower may move at time $\tau$ (cf. the condition $v_2(\tau) \le (\bar a_2/\bar a_1)\, v_1(\tau)$ stated for the general case in Section III), is missing. In Fig. 2, the minimum safe distance is plotted versus the delay $\tau$ for different combinations of $\bar a_1$ and $\bar a_2$.
As can be seen, for $\tau$ between 0.45 s and 1.3 s, longer minimum safe distances are required for the case $\bar a_1 < \bar a_2$ (yellow line) than those resulting from the original RSS equation (6) (blue dashed line). The black line represents the solution presented in [4]. As can be seen, the missed condition leads to unnecessarily long distances for $\tau > 1.3$ s. Thus, for the presented example, the minimum distance corresponding to $\tau = 2$ s equals 32.2 m, whereas the solution of [4] proposes 38.2 m, which is a more pessimistic and unnecessary requirement. In other words, for such parameters, the distances obtained through the solution of [4] are safe but cannot be called minimum. Compared to those in [5] and [4], formulas (6)-(7) allow for correctly calculating minimum safe distances for any parameters, including any combination of $\bar a_1$ and $\bar a_2$ and any value of $\tau$. We emphasize that our formulas were obtained with our 3-step methodology, which allowed us to obtain the results in a straightforward way without missing any conditions.

III. GENERAL CASE
Now, we generalize the results above for a follower's controller given by $h(t)$, where $h(t)$ is a well-behaved, twice integrable, bounded function: $-\bar a_2 \le h(t) \le a^{ac}_2$ for all $t$, where $a^{ac}_2$ is the maximum possible acceleration. In other words, during the delay $\tau$, the follower's acceleration/deceleration changes according to the law: The solution of the system at the time point $\tau$ has the form below: where Again, by combining (9) with the minimum braking set, we obtain the formulas for calculating the minimum safe distance. We summarize the obtained results in Prop. 1 below.
Proposition 1: Assume the following is given: $\tau$, the response time during which the follower is unaware of the emergency braking and uses the controller $h(t)$; $v_1^0$, $v_2^0$, the initial velocities of the vehicles; $\bar a_1$, $\bar a_2$, the maximum deceleration capacities of the vehicles. Then the minimum safe distance required to avoid a rear-end collision is given by: Here, we require $H_1(\tau) + v_2^0 \ge 0$, since this is exactly the follower's velocity at time $\tau$.
Now let us assume that there exists a well-behaved function $g(t)$ such that $h(t) \le g(t)$ on $[0;\tau]$. Then: Moreover: Furthermore, if $\bar a_1 < \bar a_2$ and $v_1(\tau) \le v_2(\tau) \le \frac{\bar a_2}{\bar a_1}\, v_1(\tau)$, then:
Proposition 2: Assume the following is given: $\tau$, the response time during which the follower is unaware of the emergency braking and uses the controller $h(t)$; $v_1^0$, $v_2^0$, the initial velocities of the vehicles; $\bar a_1$, $\bar a_2$, the maximum deceleration capacities of the vehicles. Furthermore, there exists a well-behaved function $g(t)$ such that $h(t) \le g(t)$ for all $t$ in the interval $[0;\tau]$. Then, the minimum safe distance required to avoid collisions using the real controller $h(t)$ is no larger than the distance required for the controller $g(t)$:
Proof: The proof follows directly from formulas (10)-(11) for the minimum safe distance and inequalities (12)-(15).
Thus, we can bound the follower's controller with some well-behaved function $g(t)$ and obtain a guaranteed estimate of the minimum safe distance. Substituting the real controller $h(t)$ with a computationally more tractable function $g(t)$ increases the required minimum safe distance, but can allow for an elegant form of $d_0$. The closer the function $g(t)$ is to $h(t)$, the closer the obtained bound is to the real one. The function $g(t)$ can have discontinuities as long as the condition of twice integrability is fulfilled.
Fig. 3. The follower's controller and two functions bounding it from above. The ACC controller is given as
It is worth mentioning that the controller $h(t)$ can depend on time through other variables, i.e., $h(t) = h(x_1(t), x_2(t), v_1(t), v_2(t))$. If we have some knowledge about the function $h$ and it is possible to find $g(t)$ such that $h(x_1(t), x_2(t), v_1(t), v_2(t)) \le g(t)$, then the results above remain valid, and the function $g(t)$ can be used to obtain bounds on the minimum safe distance.

IV. NUMERICAL RESULTS
The scope of the general case presented in Section III is very wide. It is comprehensive and includes such special cases as the RSS scenario, where the follower accelerates with a constant acceleration or moves with a constant speed during the response time, or, as considered in [15], ACC with a constant distance policy. Among all possible special cases that can be handled with the formulas presented in Section III, the RSS assumptions can always be taken as the worst-case scenario. This means that for any follower's control law $-\bar a_2 \le h(t) \le a^{ac}_2$, we can take the bounding function $g(t) = a^{ac}_2$ and calculate safe distances with formulas (6)-(7). However, such distances are, in general, larger than necessary. It is more realistic to assume that, before reaching the maximum possible deceleration $\bar a_2$, the follower's controller is not constantly equal to the maximum possible acceleration $a^{ac}_2$. Knowledge of the follower's controller, such as the intervals of accelerating/decelerating and the jerk, allows for smaller safe IVDs compared to those obtained under the RSS assumptions.
In [15], we used the 3-step approach to calculate minimum safe distances for the case when the follower uses an ACC controller with a constant distance policy. Obviously, the controller depends on time through the relative distance $x_1(t) - x_2(t)$ and the relative velocity $v_1(t) - v_2(t)$. In Fig. 3, the value of the follower's controller $h(t)$ is plotted versus time with the label 'ACC'. Here, one possible option for an upper bound is a linear function of the form $k\tau + b$ (red line) or 0 (green line), the latter corresponding to the assumption of a constant velocity during the response time. Note that at $\tau = 0.83$, the ACC controller reaches its saturation point, as does the linear bounding function $k\tau + b$. In the case of the 0 bounding function, for a consistent comparison, it is also assumed that the bounding controller switches to $-\bar a_2$ at the same moment. The corresponding minimum distances calculated by the proposed approach are depicted in Fig. 4. As can be seen, the higher the bounding function lies, the larger the resulting distances. The closer the bounding function is to the real controller, the tighter the bound. Formulas (10)-(11) in Section III assume that at the response time $\tau$, the follower's controller reaches its lower limit, i.e., the maximum possible deceleration. However, all obtained results can be extended to a more realistic setting where, after the follower has made the decision to emergency brake at $\tau_2$, it takes some time $T_{lag}$ for the follower's controller to reach the maximum possible deceleration $\bar a_2$. Under these assumptions, $\tau = \tau_2 + T_{lag}$, and an immediate decision to brake, i.e., $\tau_2 = 0$, corresponds to $\tau = T_{lag}$.
In the next example, during the response time $\tau_2$, the follower's acceleration changes from $a^{ac}_2$ to 0 in a parabolic manner. Under the described assumptions, the controller $h(t)$ consists of two parts, as shown in Fig. 5. We consider four different bounding functions for the controller $h(t)$: $f_1(t) = a^{ac}_2$ for $0 \le t \le \tau$; $f_2(t) = a^{ac}_2$ for $0 \le t \le \tau_2$ and $f_2(t) = 0$ for $\tau_2 \le t \le \tau_2 + T_{lag}$; $f_3(t)$ coincides with $f_1(t)$ and $f_2(t)$ on the interval $[0;\tau_2]$ but comprises a tighter bound for $\tau_2 \le t \le \tau_2 + T_{lag}$ in the form of a linear function; $f_4(t)$ is a piecewise linear function of three parts and comprises the tightest bound of all those considered. In Fig. 5, $h(t)$ and all four bounding functions are shown for $T_{lag} = 0.4$ s [16] and $\tau = 1$ s ($\tau_2 = 0.6$ s). The minimum safe distances corresponding to the real controller $h(t)$ and the four considered bounding controllers were calculated according to formulas (10)-(11) and are plotted in Figs. 6-7 for different initial velocities. As can be seen, the tighter the bounding function, the shorter the corresponding safe distance. Thus, the function $f_1(t)$, which has the same assumptions as the RSS law, corresponds to the largest required distances. The tightest bound $f_4(t)$ gives the distances closest to those required by the real controller $h(t)$. It is worth noting that since the functions $f_3(t)$ and $f_4(t)$ coincide during the period required for the controller to reach its saturation $-\bar a_2$, they require the same distance for $\tau_2 = 0$. However, since $f_3(t) > f_4(t)$ for $\tau_2 > 0$, it follows that $d_0(\tau_2, f_3(t)) > d_0(\tau_2, f_4(t))$.
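A numerical counterpart to Proposition 2 of Section III and to the nested bounds $f_1$ to $f_4$ described above, added here as an example; it is not the paper's code and does not implement formulas (10)-(11). It finds the minimum safe $d_0$ by time stepping: the gap $x_1(t) - x_2(t)$ equals $d_0$ plus a relative displacement that does not depend on $d_0$, so the required $d_0$ is the largest shortfall of that displacement (or 0). The controller $h(t)$ (parabolic decay from $a^{ac}_2$ to 0 during $\tau_2$, then a linear ramp to $-\bar a_2$ during $T_{lag}$), the exact shapes of $f_1$ to $f_4$ (with $f_3$'s linear part equal to that ramp, and $f_4$'s middle piece the tangent of the parabola at $\tau_2$) and all parameter values are this example's assumptions, modelled on the description of Fig. 5.

```python
"""
Numerical illustration of Proposition 2 (Section III) and the nested bounding
functions of Section IV. Added example, not the paper's code; the shapes of
h(t) and f1..f4 and the parameter values are assumptions constructed here.
Units: m, m/s, m/s^2, s.
"""
from typing import Callable

A_ACC, A1, A2 = 1.0, 4.0, 8.0   # a^{ac}_2, \bar a_1, \bar a_2 (assumed)
TAU2, T_LAG = 0.6, 0.4          # decision time tau_2 and actuator lag T_lag
TAU = TAU2 + T_LAG              # response time tau = tau_2 + T_lag


def h(t: float) -> float:
    """Assumed real controller: parabolic decay from A_ACC to 0 on [0, TAU2],
    then a linear ramp down to -A2 during T_LAG."""
    if t <= TAU2:
        return A_ACC * (1.0 - (t / TAU2) ** 2)
    return -A2 * (t - TAU2) / T_LAG


def f1(t: float) -> float:            # RSS-like: a^{ac}_2 for the whole tau
    return A_ACC


def f2(t: float) -> float:            # a^{ac}_2, then 0 after the decision
    return A_ACC if t <= TAU2 else 0.0


def f3(t: float) -> float:            # a^{ac}_2, then the linear ramp
    return A_ACC if t <= TAU2 else h(t)


def f4(t: float) -> float:            # three linear pieces, tightest bound
    if t <= TAU2:
        # Tangent of the concave parabola at TAU2 lies above it; cap at A_ACC.
        return min(A_ACC, 2.0 * A_ACC * (1.0 - t / TAU2))
    return h(t)


def required_distance(ctrl: Callable[[float], float], v1_0: float, v2_0: float,
                      a1: float = A1, a2: float = A2, tau: float = TAU,
                      dt: float = 1e-3) -> float:
    """Minimum safe d0 for a follower whose acceleration is ctrl(t) on
    [0, tau] and -a2 afterwards, while the leader brakes with amplitude a1
    from t = 0. Velocities are clamped at 0 once a vehicle has stopped.
    Trapezoidal position updates are exact for piecewise-constant inputs."""
    n_tau = round(tau / dt)
    # Horizon after which both vehicles have certainly stopped.
    a_max = max(abs(ctrl(k * dt)) for k in range(n_tau + 1))
    n_end = round((tau + max(v1_0 / a1, (v2_0 + a_max * tau) / a2)) / dt) + 1
    x1 = x2 = 0.0
    v1, v2 = v1_0, v2_0
    rel_min = 0.0                     # x1 - x2 at t = 0 when d0 = 0
    for k in range(n_end):
        acc2 = ctrl(k * dt) if k < n_tau else -a2
        v1_next = max(v1 - a1 * dt, 0.0)
        v2_next = max(v2 + acc2 * dt, 0.0)
        x1 += 0.5 * (v1 + v1_next) * dt
        x2 += 0.5 * (v2 + v2_next) * dt
        v1, v2 = v1_next, v2_next
        rel_min = min(rel_min, x1 - x2)
    return max(0.0, -rel_min)


def bound_ordering(v1_0: float = 20.0, v2_0: float = 20.0) -> list:
    """Distances for h and its bounds in the order h, f4, f3, f2, f1.
    Since h <= f4 <= f3 <= f2 <= f1 pointwise, Proposition 2 says the
    returned list is non-decreasing."""
    return [required_distance(c, v1_0, v2_0) for c in (h, f4, f3, f2, f1)]


if __name__ == "__main__":
    for name, d0 in zip(("h", "f4", "f3", "f2", "f1"), bound_ordering()):
        print(f"{name}: minimum safe d0 = {d0:.3f} m")
```

With both vehicles at 20 m/s the distances come out strictly increasing from $h$ to $f_1$, and the $f_1$ value coincides with the constant-acceleration result of Section II for the same parameters (5.625 m), since $f_1$ carries exactly the RSS assumptions. The monotone ordering is exact rather than approximate: a pointwise larger acceleration input yields a pointwise larger follower velocity and displacement under the same discretization, hence a pointwise smaller gap.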

V. CONCLUSION
We present novel contributions on the way toward the development of a complete safety framework for longitudinal driving. We extend safety analysis from [15], where a typical ACC controller with a constant space policy is assumed, by considering an arbitrary control law used by the follower during the response time. Furthermore, we enhance the RSS model [5], [4] by constructing safe IVDs for general scenarios with arbitrarily chosen deceleration capacities.