Efficiently Bounding the Probabilities of Vehicle Collision at Intelligent Intersections

Intelligent intersections have the potential to serve as an integral part of tomorrow’s traffic infrastructure. Wireless communication is key to enabling such technology. We consider a scenario where two flows of vehicles traverse an intelligent intersection. We investigate safety in emergency braking scenarios, where one of the vehicles in a flow suddenly decides to emergency brake and emergency braking messages are broadcast to affected vehicles. We provide a framework for computing lower bounds on probabilities for safe braking – collisions between vehicles are to be avoided. If we require that a crash or collision, for example, occurs at most once in a million scenarios, our approach allows for computation of lower bounds on the time-varying (or distance-varying) packet loss probabilities to ensure this. One of the benefits of the proposed framework is that the computational time is reduced; eliminating, for example, the need for time-consuming Monte Carlo simulations.


I. INTRODUCTION
I NTELLIGENT intersections have the potential to serve as an integral part of tomorrow's transport infrastructure as well as forming a key component of cooperative intelligent transportation systems (C-ITS). At such intersections steering patterns and trajectories can be designed and allocated to autonomous (or highly automated) vehicles with the aim of optimizing traffic throughput subject to traffic safety constraints. Wireless communications, specifically vehicular communications (V2X), are crucial to realizing such strategies; without them, vehicles must resort to using local measurements obtained by on-board sensors (radar, camera, etc.).
The review of this article was arranged by Associate Editor Peter Han Joo Chong.
We consider two flows of vehicles traversing an intersection. In this setting we introduce a strategy for computing lower bounds on the probability of safe braking (no collisions) by coupling vehicle dynamics and packet loss probabilities.
This work focuses on the design and evaluation of C-ITS in the context of safety hazards which result from the technological shortcomings. The recently established and currently being developed ISO 21448 standard -Safety of Intended Functionality for Road Vehicles (SOTIF)-aims at providing guidance on the design of vehicles from this perspective. This includes the unpredictability of Artificial Intelligence (AI) as well as the unreliability of the underlying communication network. The ISO 21448 standard is differentiated from the ISO 26262 standard. The latter covers functional safety in the event of system failures and lies outside the scope of the current study. Our focus is confined to the safety hazards resulting from V2X wireless communications unreliability.
The setting under study is as follows. Two flows of vehicles move along two different roads, which intersect. The vehicles in the two flows are to traverse the intersection of the roads in such a manner that if any of the vehicles must suddenly emergency brake, there is enough time to broadcast an emergency message to all other vehicles and ensure they brake without causing any collisions between any pair of vehicles.
We make this more formal by differentiating between two modes of operation at the intersection. The first is referred to as normal mode, and the second as emergency braking mode. In normal mode, the vehicles pass the intersection in a determined order. After each vehicle in each flow there is a vehicle passing from the other flow. This is like the zipper principle for lane merging. This means that we circumvent the scheduling problem that is a key source of complexity in smart intersection management. The gaps between the vehicles (relative positions) are set so that the vehicles pass the intersection without colliding. In emergency braking mode, one of the vehicles in a flow is suddenly forced to emergency brake, perhaps due to the sudden appearance of a Vulnerable Road User (VRU) such as a pedestrian. Thereafter, emergency messages to brake are broadcast to the affected vehicles. Note that vehicles in front of this vehicle do not need to emergency brake.
The objective of this article is to propose a framework for safe operation in these modes, where the framework for the emergency braking comprises the contribution.
In normal mode, we assume that the vehicles in each flow travel at the same constant speed. In emergency braking mode the vehicles brake with constant deceleration until stationary. Each vehicle has its own braking capacity (which need not be equal amongst the vehicles). Communication during emergency braking mode is done by sending packages containing warning messages with a fixed repetition period.
The modelling assumptions can be summarized as follows. Let the position along the road for a vehicle be x and its braking capacity (in absolute terms) a. The assumed dynamical equation capturing both modes of operation is x = 0 in normal mode, −a in emergency braking mode.
The probability of receiving a package at each transmission is p. The probability of receiving a package during a time period [T s , T f ] with T f > T s is where T is the message repetition period and the operation T f −T s T is the largest integer smaller than T f −T s T . Initially, the models above might be considered simplistic. However, by using these models we can couple the dynamics of the vehicles to the probabilities of receiving packages and explicitly compute lower bounds on the probabilities of safe braking, i.e., no collisions at the intersection.
The general framework is now developed based on these assumptions. We also provide explanations of how the proposed framework can be used in practice, such as how we can bound nonlinearities in the vehicle dynamics by adding additional time-delays, etc.
Initially, it may seem that the assumptions for the V2X communication are overly general. In the framework we make no assumptions on how the probability p varies with time or distance (relative to the center of the intersection); how it depends on interference from other transmitters, etc.
The contributions of the paper are set out below: • Given the order of passing the intersection and the dynamical mode, we identify the largest region of time delays for the vehicles to start braking to avoid collisions. For each vehicle we compute the greatest time-invariant and distance invariant lower bound on the time delay. • We provide an efficient way to compute lower bounds on the probability of safe braking (for each time or equivalent set of positions when the vehicles traverse the intersection). • We provide a way to compute lower bounds on the packet delivery probabilities as a function of distance and time (these bounds could later be used when designing the communication infrastructure).

A. RELATED WORK
The literature on intelligent intersection management is extensive. A recent literature review on the subject [1] classifies "safety" as one of five subcategories or subgoals within this literature. In addition, within studies on "safety", there are also two main directions: "collision avoidance" [2] and "resolving conflict" [3], [4]. It is an NP hard problem to determine the largest set of states for multiple vehicles passing an intersection, for which there are controllers such that collisions are avoided [5]. Heuristics such as the model-based ones described in [6], have been successfully proposed. A major difficulty is to schedule the order at which vehicles pass the intersection under general assumptions on vehicle dynamics, which could be noisy and nonlinear [7]. Various optimization and approximation schemes have been proposed for collision avoidance, employing, for example, optimal control, model predictive control and mixed integer programming [8], [9], [10], [11]. The procedures can be centrally planned [9] or distributed (local decision making within each vehicle) [11], [12].
In [13] a framework is proposed on how communication resources can be distributed amongst the vehicles. Those vehicles in critical configurations, where collisions are most likely, are prioritized. Critical regions are identified and Monte Carlo simulations are provided to show performance.
Communication aspects are central in the management of intelligent intersections [6], [13], [14]. In one of the earlier contributions on collision avoidance [14], the authors adopt a hybrid approach that involves both centralized and individual decision making. Advanced scenarios such as turning vehicles at the intersection are addressed. However, performance criteria are not derivable explicitly and simulations are used to illustrate the performance. An approach to estimate a crash probability at an intersection based on the information exchanged by the communicated vehicles is validated by simulations in [15].
Emergency braking in C-ITS is addressed in [16], where the relevance of the content of emergency braking messages for the recipient vehicle is evaluated using a machine learning approach. In [17] a path prediction algorithm for vehicles is proposed for use in an emergency braking scenario. The objective is to calculate the safe trajectory of the vehicle behind based on the information received via a communication system that uses the proposed path prediction algorithm. Communication packet losses are, however, outside the scope of the study.
Safe braking has been widely studied for vehicle platoon formations. In [18] safe braking of platooning is analysed under an assumption of constant communication delays. In [19] a similar assumption is used, where the vehicles simultaneously start to brake some milliseconds after the first vehicle brakes. Stochastic nature of packet losses is incorporated into the safety analysis for emergency braking for two vehicles in [20] and for arbitrary platoon length in [21]. The present paper can be viewed as an extension of [21] to a two-dimensional case.

II. PRELIMINARIES
We consider two platoons, 1 containing N 1 , and N 2 vehicles, respectively. The two platoons drive along two different roads that cross (at an intersection). The vehicles in the first platoon are indexed by tuples (i, 1), where i = 1, 2, . . . , N 1 . The first vehicle is (1, 1), the second is (2, 1) and so on. The analogous convention is used for the vehicles in the second platoon i.e., (i, 2), where i = 1, 2, . . . , N 2 .
We are considering two scenarios referred to as normal mode and emergency braking mode, respectively. In the normal mode the vehicles drive with constant velocity, possibly differing between the two platoons, but equal within each platoon. At the intersection, after each vehicle in the first platoon there is a vehicle passing from the second platoon through the gap to the subsequent vehicle in the first platoon. This is similar to the zipper principle for lane merging. The gaps between the vehicles (relative positions) are set so that the vehicles cross the intersection without colliding, see Section III.
The vehicles in the first platoon move at a constant speed v 0,1 , and likewise the vehicles in the second platoon drive at a constant (but possibly different from v 0,1 ) speed v 0,2 . The vehicles are numbered from the front of the platoon, starting with 1 and ending with N 1 and N 2 for the two platoons, respectively. The midpoint or center of the intersection serves as the origin of a two-dimensional Euclidean coordinate system, where the roads are aligned with the two axes. Strictly speaking, since the roads need not be perpendicular 1. By "platoons", we mean a string of vehicles driving after each other. The notion of "platoon" is used to simplify exposition and notation, but one could also think it as a streams of vehicles passing the intersection. nor straight, points along the two axes should in general be seen to represent distances along the road (positive or negative) to the midpoint of the intersection. The positive direction of the two axes is aligned with the movement direction of the respective platoons. The axis corresponding to the first platoon is denoted by x and the axis corresponding to the second platoon is denoted as y. In Figure 1, the center of the intersection is shown by a red dot and the so-mentioned coordinate system is centered at this point.
The positions along the road (or the equivalent positions along the corresponding axis) for the vehicles in the first platoon are denoted by x i,1 (t), for all i ∈ {1, 2, . . . , N 1 }. Likewise, the vehicles in the second platoon are denoted by x i,2 (t), for all i ∈ {1, 2, . . . , N 2 }. By "positions" in this context, we mean the midpoint or center point of the respective vehicles; see the black dots at the center points of the vehicles shown in Figure 1. We usually use the letter i to refer to a vehicle. In what follows, when we write that something holds "for all i" or "for each i", we mean that i belongs to either {1, 2, . . . , N 1 }, {1, 2, . . . , N 2 }, {1, 2, . . . , N 1 − 1} or {1, 2, . . . , N 2 −1}; the case should be clear from the context. We sometimes emphasize a particular case by writing "for all feasible i". We usually apply the letter j for indexing platoons. Thus, we write (i, j) to denote an arbitrary vehicle i in the platoon j.
The symbols x ij 's represent functions of time, i.e., they change as the vehicles move along the roads at constant speeds. They also represent entities defined in the global coordinate system (with center in the intersection). To simplify the notation, we usually omit the explicit time dependence. In addition to these variables, we have introduced the parameters v 1 0 and v 2 0 , defining the constant speeds of the vehicles in the two platoons. Besides these two parameters, we also introduce d i,1 for each vehicle i ≥ 2 in the first platoon and d i,2 for each vehicle i ≥ 2 in the second platoon. Each represent the distance from the rear of vehicle i − 1 to the front of vehicle i when driving in normal mode. These are also referred to as inter-vehicle distances (IVD's).
In addition, we introduce the parameters l i,j , a i,j for each vehicle (i, j). The former is the length from the center of the vehicle i to the front (or equally the rear), whereas the latter defines the deceleration capacity in absolute terms that can be deployed in an emergency braking scenario. See Figure 1 on how the x i,j 's the l i,j 's and the d i,j 's relate to each other.

A. VEHICLE MODEL
The dynamical equations governing the time-evolution of the vehicles in normal mode or emergency braking mode are given bÿ In normal mode, u i,j = 0, whereas in emergency braking mode u i,j = −a i,j . No other choices for u i,j are considered in the safety analysis in this article. However, it assumed that the vehicles have been controlled in such a fashion that they are passing the intersection safely in normal mode. Section III below describes how feasible inter-vehicle distances and speeds are determined so that this is satisfied.

B. COMMUNICATION MODEL
Each vehicle is equipped with a radio transceiver. In an emergency braking scenario, it receives packages with a certain probability (packet loss occurs) transmitted with an inter-package time period T (i.e., frequency f = 1/T). The transmission could be either directly between the vehicles or via a roadside unit installed at the intersection. Vehicle (i, j) either receives the package with probability p i,j or does not receive it with probability 1 − p i,j . One can note that the assumptions on the communication are fairly general. In the framework we make no assumptions on how the probability p i,j varies with time or distance (relative to the center of the intersection); how it depends on fading and interference, etc. We provide examples on the effect of keeping the p i,j 's constant, but the more interesting results of the proposed framework are that it can be used to provide sufficient conditions on how the p i,j 's need to behave as a function of distance or time to ensure safe braking with a certain confidence. We provide a way to derive lower bounds on the p i,j 's as a function of distance and time. Then these bounds can be used subsequently when designing the communication infrastructure. Further details are explained in the analysis in Section V.

III. SAFETY ANALYSIS FOR NORMAL MODE
In this section we provide a strategy for how the two platoons 2 cross the intersection whilst traveling at constant speeds v 0,1 and v 0,2 , respectively. We assume that the vehicles in the two platoons pass the intersection in the following manner: first vehicle 1 of the first platoon passes, then vehicle 1 of the second platoon passes, then vehicle 2 of the first platoon passes, then vehicle 2 of the second platoon passes, and so on. We want to determine the d i 's and initial values 2. By "platoons", we mean a string of vehicles driving one behind the other. The notion of "platoon" is used to simplify exposition and notation, but one could also think it as a stream of vehicles passing the intersection.
of the x i,1 (0)'s and x i,2 (0)'s, such that the vehicles cross the intersection safely. The d i 's we determine are the smallest ones that satisfy a safety requirement.
As mentioned earlier, the midpoint of the intersection is assumed to be at the point (0, 0) of the global coordinate system. We impose the safety requirement that for all times t, it should hold that where s 1 is a distance to the midpoint of the intersection, and , the Euclidean norm of the vector corresponding to the positions of (x i,1 (t), x i,2 (t)) in the global coordinate system. Thus, the constraints (4)-(5) state that pairs of vehicles passing the intersection after each other must not be closer than the distance s 1 from the midpoint of the intersection. This region is the interior of the circle shown in Fig. 2.
In what follows, we assume (without loss of generality for the implications of the analysis) that x 1,1 (0) = 0, i.e., the first vehicle of the first platoon is at the center of the intersection at time 0. First we determine the x 1,2 (0) with the smallest absolute value in such a way that (4) is satisfied. The value of x 1,2 (0) must be negative, since the corresponding vehicle (1, 2) will pass the intersection after the vehicle (1, 1). If x 1,2 (0) is chosen such that |x 1,2 (0)| is the smallest value guaranteeing that (4) is satisfied, then if we choose 2 's are the smallest inter-vehicle distances possible to select for the vehicles in the second platoon. This is because the same rule applies for any pair of vehicles (i, 1), (i, 2) from the two platoons. By setting x 1,2 (0) = 0, and determining x 2,1 (0) = 0, one can draw the analogous conclusion that 2 's are the smallest inter-vehicle distances that can be selected for the vehicles in the second platoon. Now, the smallest d i,1 's and d i,2 's are given by: We define The derivation of these expressions can be done in a simple way by using geometry, see Fig. 2. In a two dimensional coordinate system centered at the midpoint of the intersection (red box), the point ( If this blue box is extended along the horizontal axis any further, the trajectory, which comprises a straight line, will intersect the interior of the circle with radius s 1 . Thus,  (4). Now, we can use trigonometric relations to derive the desired result. The results would be the same, if we were to use (5) as a starting point for our analysis.
As an example, when assuming l i,j = 0, we can express the positions of x i,1 (0) for all i and x i,2 (0) for all i as follows Also, given the initial conditions above, the positions at time t (including negative such times) are given bẏ These equations provide the optimal strategy in terms of minimal IVD's for passing the intersection under the proposed constraints.

IV. SAFETY ANALYSIS IN EMERGENCY BRAKING MODE: MAXIMUM TIME-DELAYS A. SAFETY WITHIN PLATOONS
We begin this section with a result from [21]. The result provides the feasible region of delays when only collisions between vehicles within a single platoon are considered. We begin by defining where j ∈ {1, 2} denotes which of the two platoons is being considered. The Boolean expression in the if-condition should be interpreted as false when a i,j − a i−1,j < 0. The τ i ip,j , provides the maximum time-period after vehicle i − 1 has started braking, during which vehicle i can start braking without colliding with vehicle i − 1. "ip" is an abbreviation (in lower case) of "In Platoon" and is a reference to the fact that we only consider collisions that occur between consecutive vehicles within a particular platoon. Now we provide the following result, which is a rephrased version of the result in [21]. Proposition 1: When only considering collisions within each of the two platoons, i.e., ignoring such collisions that occur when a vehicle in one platoon collides with a vehicle in the other, the feasible region of delays which guarantee safe-braking is , 2} denotes which of the two platoons are being considered.

B. SAFETY BETWEEN PLATOONS AT THE INTERSECTION
The primary goal of this section is to determine maximum time-delays for each vehicle in the two platoons to avoid collision with vehicles from the other platoon at the intersection. The strategy will ensure that the determined order at which the vehicles cross the intersection in normal mode is also preserved during the emergency braking mode (i.e., for the vehicles that enter the intersection). We denote these maximum time-delays by τ 1 bp,j 's for all i and j ∈ {1, 2}. We introduce a safety requirement for avoiding a collision between the two vehicles at the intersection. For all times t it must hold that In Fig. 3, the non-feasible region given by the constraints (13)- (14) is shown, red box. This region is also shown in relation to the region, depicted by the circle with radius s 1 , used in Section III. It is important that the latter contains the former in the interior, otherwise no safe braking strategy would be possible to derive and the normal mode strategy would even be unsafe to deploy. The geometric shapes of the regions stem from the chosen norms, where the Euclidean norm is used in Section III and the L 0 norm is used here. The choices strongly affect the structure of the derived maximum delays. Any choice of norm that provides guarantees for the time delays works: these particular choices were made to simplify the analysis. BETWEEN (i, 1) AND (i, 2) Here we consider how to avoid a crash between vehicle (i, 1) and (i, 2) for feasible i, and then draw general conclusions VOLUME 2, 2021 51 For Case 1, there are no imposed constraints on τ 1 bp,2 (it can be set to +∞). For Case 2, we need to make sure that x i,2 (t) is smaller than −s 0 for all time t such that x i,1 (t) ≤ s 0 . For Case 3 and Case 4, we need to choose τ i bp,2 in such a way that x i,2 (t) is strictly smaller than −s 0 for all t.

1) AVOIDING A CRASH
In what follows, to simplify notation and avoid introducing an offset time, we assume that emergency braking in the platoons starts at time 0. It should be noted that the initial position of vehicle (1, 1) does not need to be at the center of the intersection as was the case in Section III. We now describe the cases 1-4 in terms of the system's parameters as well as x i,1 (0). We lump Case 3-4 into a single constraint, because we do not need to differentiate between them in the analysis that follows. If vehicle (i, 1) does not pass the intersection (Case 4), we can say that the order of crossing at the intersection is still preserved if vehicle (i, 2) does not cross the intersection. The constraints are given as follows: These constraints are readily obtained by using the explicit solution of x i,1 (t). We omit this explicit derivation. Before we continue, we introducē Thist i,1 is a function of v 0,1 , a i,1 , s 0 and x i,1 (0) (as well as (i, 1)) and represents the first time (if it exists) when x i,1 is equal to s 0 after the onset of braking. Basically,t i,1 exists only for Case 2. Note that this time only exists, i.e., is not (16) and (17)).
By using the explicit solution of x i,2 (and by usingt), we now obtain the following expressions for τ i bp,2 for the different cases.
For Case 1: For Case 2: For Case 3-4: For Case 2, the condition s 0 + x i,2 (0) + v 0,2t ≤ 0 goes from the fact that x i,2 (t i,1 ) ≤ −s 0 even without braking. So, the vehicle (i, 2) does not need to brake to satisfy condition (13). For cases (3)(4), (22) follows from the condition It should be noted that if τ i bp,2 is negative, there will be a crash if vehicle (i, 1) starts to brake immediately once the platoons are in emergency braking mode. This means that the system parameters of the platoons should be chosen in a different way so that this does not occur.

2) AVOIDING A CRASH BETWEEN (i, 2) AND (i + 1, 1)
So far, we have studied safety between vehicle (i, 1) and vehicle (i, 2) at the intersection (for all i). However, the analogous result holds when considering (i, 2) and (i + 1, 1). Four cases are considered (or rather three) as before. We use the same notation as above (overriding, e.g.,t, and letting the context determine which definition should be used further on).
We define in this contextt as The following expressions hold for τ i+1 bp,1 for the different cases.

3) LOWER BOUNDS ON MINIMUM TIME-DELAYS
In the previous section the τ i ip,j 's computed via (12) could be negative, which means that safe braking is not possible. The same may hold for τ i bp,j 's. It should be noticed, however, that the τ i bp,j 's depend mon the x i,j (0)', which the τ i ip,j 's do not. It might be the case that the τ i bp,j 's are all positive (i.e., safe braking is possible) for a certain choice of the x i,j (0)'s. However, if the platoons were to travel a bit further before entering emergency braking mode, all the τ i bp,j 's would not be positive at that point.
Considering safe braking at any time-point in normal mode, is the same as considering safe braking for anyt, where the initial positions of the vehicles have been translated as x i,j (0) =x i,1 +tv 0,j . The translation of x i,1 (0) is, in general, different from that of x i,2 (0) (since, in general, v 0,1 = v 0,2 ).
We say that safe braking is possible for all times for a choice of initial conditions x i,j (0) =x i,j for all i and all j ∈ {1, 2}, if there are positiveτ i bp,j 's such that for allt, it holds that τ i bp,j ≥τ i bp,j (where we include the case τ j bp,i = +∞) when x i,1 (0) =x i,1 +tv 0,j . This must be ensured for all pairs of vehicles crossing the intersection consecutively.
In what follows, we derive theτ i bp,2 's, and then simply state the equivalent expressions for theτ i bp,1 's. It holds that where and The two objective functions in the optimization problems are obtained by replacing (20) and (22), respectively. The constraints are obtained by considering (16), (17) and the constraint in the if-statement above (20) (with the same replacement of x i,1 (0) and x i,2 (0)). The second optimization problem is a linear, and the solution can be found trivially as: where Before we continue, we note that a lower bound onτ i bp,2 is given byT i,2 , which is obtained as a relaxed version of the optimization problem for T i,2 above.
The solution is obtained as: The existence of a positiveT i,2 is hence a sufficient condition for safe braking. To illustrate this, we consider the following example, where v 0,1 = v 0,2 = 10, a 2,1 = 0.1, a 1,2 = 1, s 1 = 15, s 0 = 10. The IVD's have been chosen according to the procedure in Section III, andx i,1 = 0. In Fig. 5, we see τ 2 bp,2 plotted as a function oft (for τ 2 bp,2 < +∞). The lower bound on τ 2 bp,2 is marked by a red dot, whereasT i,2 is marked by a black dot. The value ofT i,2 is clearly lower. Another observation from the plot is that the green line is always below the blue line (or tangential), i.e.,T i,2 indeed bounds the values of τ 2 bp,2 from below. We now address the optimization problem for T i,1 . An initial observation is that this problem is (in general) not a convex optimization problem. As a starting point we want to determine the feasible region fort. The second and the third constraints in the optimization problem are linear int and can be reformulated as: The first constraint is not linear. We address this constraint as follows. First we findt for which equality holds, and note that this equality must hold when squaring the left-hand side and the righthand side. After simplifying the expressions, we obtain the following equation: which has the following two solutions If we look at the objective function in the optimization problem for T i,2 , we see that ast increases, t 3 is the first point at whicht =t(t), provided this actually happens. t 4 should not be included when deriving the feasible region fort. Given t 1 , t 2 and t 3 , we want to determine t low and t high , such that the feasible region is given by the interval [t low , t high ]. Then we want to determine, T i,1 . In the following procedure, by a "feasible" timet, we mean that the constraints in the optimization problem for T i,1 are satisfied.
Procedure to determine t low and t high : : t low ← t 1 , : If t 2 is feasible : t high ← t 2 , : Else : After the determination of t low and t high , the original optimization problem for T i,1 has been reduced to the following one Now, this optimization problem should only be solved if t high > t low , otherwise T i,1 is set to +∞. If the objective function is concave on the interval, then However, this is not always the case, it might for example be convex for a certain choice of parameters. One can either solve the problem by finding extreme points symbolically or solve the problem numerically. We settle for the latter here. We consider some different choices of parameters and show graphically in Fig. 6 the computed T 2,1 , in a setting where N 1 ≥ 2 and N 2 ≥ 2. a) v 0,1 = v 0,2 = 30, a 2,1 = 1, and a 2,2 = 1. b) v 0,1 = v 0,2 = 10, a 2,1 = 0.1, and a 2,2 = 1. c) v 0,1 = 30, v 0,2 = 60, a 2,1 = 1, a 2,2 = 1. d) v 0,1 = v 0,2 = 10, a 2,1 = 0.1, a 2,2 = 1. For all cases, s 1 = 15, and s 0 = 10. The IVD's have been chosen according to the procedure in Section III, and x i,1 = 0. The vertical axis represents τ 2 bp,2 , whereas the horizontal axis representst. If the blue curve, τ 2 bp,2 , enters the red region (at any point), i.e., becomes negative, safe braking is not possible. The red dot shows the point at which T 2,1 is obtained. It is computed by solving the optimization problem above. We see that in b) there is no red dot, and T 2,1 = +∞. In all four plots, there is linear behavior initially. This is the region where T 2,2 is computed. After this linear behavior, one enters the region where the optimization problem for T 2,1 is solved (for all plots except plot b)).
In c) the function (i.e., the objective function of the optimization problem above) is convex on this region, in d) it is concave, and in a) it is neither convex, nor concave. In a) and d) the optimum is found at t low , whereas in c) it is found in the interior. For all points where there is no curve, τ 2 bp,2 is +∞. In all plots, the dashed line shows The entities t low,1 , t low,2 , t high,1 , t high,2 are computed as follows.
Procedure to determine t low,j and t high,j : Proposition 3: A necessary and sufficient condition for no collision at the intersection is that theτ i bp,j 's defined below are positive. For each vehicle (i, j),τ i bp,j provides a tight lower bound for τ i bp,j and are given as follows: and +∞, else.

C. COMBINED SAFETY
Now, given the results in the previous two subsections, we state the following results, which provide the safe regions of feasible time-delays considering both collisions within a platoon and collisions between platoons in the intersection. Proposition 4: The feasible region of delays which guarantee safe braking is The following set˜ tot comprises a subset of tot . 1 , τ 3,1 , . . . , τ N 1 ,1 , τ 1,2 , τ 2,2 , . . . , τ N 2 ,2 ] T : 0 ≤ τ i,j ≤ min{τ i ip,j , τ i bp,j } for j ∈ {1, 2} and for all feasible choices of i.
The sets tot ,˜ tot are defined for specific choices of the x i,j (0) =x i,j , where braking starts at time 0 (this dependence is not written out explicitly in the definitions to simplify notation). However, for¯ tot braking is assumed to occur at any point and the smallest feasible time-delays for all such cases are used. Hence¯ tot provides a conservative estimate for the feasible region of time delays. The benefit, however, is that this region can be computed by using Proposition 3.

D. PRACTICAL CONSIDERATIONS: NONLINEAR DYNAMICS
Here we provide a brief discussion on how to handle braking patterns with non-constant deceleration. When braking, it is not physically reasonable that any vehicle (i, j) starts decelerating immediately with deceleration −a i,j . However, it is reasonable to assume that its deceleration is no more than a certain value. It is also reasonable (mostly), that after some time, its deceleration is larger than a certain value. Let us suppose that j = 1, i.e., we consider a vehicle (i, 1). For the subsequent vehicle (i + 1, 1) in the first platoon and for the vehicle (i, 2) in the second platoon, it is assumed that (i, 1) starts braking immediately with deceleration −a i,j . However, when computing the maximum time-delay for vehicle (i, 1), we assume that this is not τ i,1 anymore but instead τ i,1 − τ start . Essentially, we assume that the vehicle, after receiving a message to start braking, waits for an additional time τ start before starting to brake. In practice it obviously starts braking as soon as it can, but by making this assumption we can bound the nonlinear effects in the braking process such as the build-up of braking pressure in the wheels. This is illustrated in Fig. 7. The monotonicity of the solutions guarantees that the "true solution of x i,1 (t)" corresponding to the velocity depicted by the red curve, is bounded from below, at all times, by the solution corresponding to the velocity depicted by the blue curve, and bounded from above, at all times, by the solution corresponding to the velocity depicted by the green curve. Thus, by choosing the grey region in Fig. 7 to be sufficiently large, one could bound nonlinear braking patterns, and simply subtract a corresponding τ start -value for each vehicle.
where, Q is the probability of safe braking,Q is a lower bound to Q, andQ is a lower bound toQ. It holds that Below we describe how to useQ andQ to obtain the requirements on the communication performance/capability of the system. We start in the first subsection by assuming that the p i,j 's, i.e., the probabilities of receiving packages, are constant and show, by example, how different values of those correspond toQ i,j (andQ i,j ), which we define later. We then describe, in the second subsection, how sufficient conditions are derived from the p i,j 's to guarantee specified lower bounds onQ.

A. CONSTANT P i,j
Here, we consider the case where the probabilities of receiving packages, i.e., the p i,j 's, are constant. Even though this is a simplistic assumption, the results can still be useful in practice which we now explain. If the system is designed in such a way that packet loss probability is less than a certain threshold for a region around the intersection, then we can choose the p i,j 's accordingly to that threshold. If computed probability of safe braking is 0.9999, then the actual probability of safe braking is higher. This means that our computed probability of safe braking serves as a lower bound for the actual one. In scenarios where the p i,j 's are time varying or distance varying (due to interference and other noise factors), if we can ensure that there is lower bound on the p i,j 's, our approach can be used.
For this setting we now want to compute the probabilities of safe braking for any timet, positive or negative, when x i,j (t) =x ij + v 0,jt for all i, j. Before we proceed, we refer to Fig. 8, which shows the lower bound on τ 2 bp,2 given by Proposition 2, black dot, andτ 2 bp,2 , red dot. In our example here, the black dot is within the infeasible region, and this lower bound tells us that safe braking is not possible. The value ofτ 2 bp,2 on the other hand is positive, so this tight lower bound tells us that safe braking is possible. Compare this to the example in Fig. 6, where the bounds were closer to each other and positive. The dashed line in the plot shows t i,2 (t) on its domain. We see that the lower bound given by Proposition 2 as a function oft is defined on the same domain ast(t) i,2 , whereas theτ 2 bp,2 , blue line, is only defined until f i,2 (t) =t i,2 (t).
Now, in Fig. 9 and Fig. 10, we showQ as a function of t where all 1-p i,j range from 0.005 (blue) to 0.045 (green) in Fig. 9 and from 0.05 (blue) and 0.13 (green) in Fig. 10. In Fig. 9, the black line corresponds toQ for p i,j 's equal to 0.045 and the dashed black line corresponds toQ for p i,j 's equal to 0.045. In Fig. 10 the black line corresponds toQ for p i,j 's equal to 0.13 and the dashed black line corresponds tō Q for p i,j 's equal to 0.13. We see that there are seven local minima in the two figures, which correspond to the most critical times when the seven vehicles pass the intersection after vehicle (1, 1).

B. BOUNDING P i,j
In this section we take a different perspective from that in the previous section. Essentially, we seek to find values of p i,j 's (as a function of time or function of distance) such that the lower bound on the probability of safe brakingQ is greater than a certain (positive) constant valueQ low for all times (positive and negativet). We provide sufficient conditions for the p i,j 's to achieve this.
Suppose that a vehicle (k, l) initiates emergency braking, where k ∈ {1, 2, . . . , N 1 } and l ∈ {1, 2, . . . , N 2 }. Let the integer M be the number of vehicles that should pass the intersection after (k, l) in normal mode in the absence of emergency braking. We definẽ A sufficient condition for guaranteeingQ ≥Q low is that M . For notational convenience we restrict the following analysis and only consider vehicles (i, 2). The equivalent analysis applies to (i, 1)-vehicles. Furthermore, it is assumed vehicle (1, 1) initiates emergency braking.
Our starting point is whereτ i,j and alsoQ i,j is a function of time (or equivalently distance relative to the center of the intersection), even though this is not explicitly shown in the formula. We can easily solve for p i,j as where we also defined the lower boundp i,j on p i,j . Now let us revisit the example in the previous Section V-A, where v 0,1 = v 0,2 = 10. We change the a i,j 's so that they are all equal to 5 (instead of 0.5). This means that once any vehicle starts braking, it will stand still after 10 meters. We take vehicle (2, 2) as an example. We assume vehicle (1, 1) initiates the braking, forcing all other vehicles to also brake. This means that for vehicle (2,2), the integer M in (43) is chosen to be 3 (since (2, 2) is the third vehicle to pass the intersection after vehicle (1, 1)).
Now, let us say that we want to ensure that no more than once in a million times the two platoons pass the intersection can there be a crash if vehicle (1, 1) enters emergency braking mode. This is ensured ifQ low = (1 − 10 −6 ). What does this imply for the choice of p 2,2 ?
In Fig. 11, we show howτ 2,2 varies as a function of the time at which emergency braking starts (upper left) and howτ 2,2 varies as a function of the distance relative to the center or midpoint of the intersection, upper right. We also show howp 2,2 varies as a function of the time at which emergency braking starts, lower left, and howp 2,2 varies as a function of the distance relative to the center or midpoint of the intersection, lower right. The distance plots (upper right and lower left) are perhaps more interesting since the peaks in curves in the graphs (negative or positive) occur at the same distances for all the vehicles, due to the a i,j 's being equal (i.e., we could have chosen an other vehicle than (2,2) and would observe that the peaks in the rightmost two plots are at the same positions). The location of the peaks in the leftmost two plots, depend on the initial conditions of the vehicles. For example, they would have been translated to the right, had we considered vehicle (3, 2) instead of vehicle (2, 2).
The peaks or dips in the plots are explained as follows. As the vehicle (2, 2) is far from the intersection the τ 2 ip,2 is smaller than τ 2 bp,2 , i.e., crashing into the vehicle in front, i.e., (1,2), in the same platoon is a bigger problem than crashing into vehicle (2, 1) from the first platoon at the intersection. Furthermore, τ 2 ip,2 is constant. But then at a certain distance from the intersection τ 2 bp,2 becomes smaller than τ 2 ip,2 , and τ 2 bp,2 is not constant but decreases, until it increases again and becomes +∞. We see from the bottom two plots that if p i,j ≥ 0.025 for all distances, we guarantee that the probability of a crash is less than once in a million. In practice we have to restrict ourselves to some region around the intersection for example a radius of 500 meters. Note that for most distances p 2,2 only "needs" to be greater than 0.01. We write "needs", since we only provide sufficient conditions on p 2,2 and the value for p 2,2 actually needed might be smaller.

VI. CONCLUSION
This article introduces a safety framework for traversing and emergency braking at smart intersections. The setting assumes two flows of vehicles traveling on two different roads that intersect. Emergency braking occurs as one vehicle suddenly brakes. A message to brake is broadcast to vehicles behind in both flows. We derive maximum timedelays during which the vehicles need to receive such a message and start to brake. We use these time-delays, computed by using explicit solutions for the vehicles' dynamics, to compute lower bounds on the probability of safe braking. For example, suppose we want a crash to occur in at most once in a million (or perhaps once in a billion) scenarios, then the proposed framework can be used to provide parameters that guarantee this.
One of the strengths of the approach is that all entities are either directly computable or derived through low-cost simulation. There is, for example, no need of Monte-Carlo simulations. The approach relies on a simple double integrator model for the vehicle dynamics; however, we show how one can modify the computed delays to account for nonlinear dynamical behavior and hence obtain a smaller lower bound on the probability of safe braking. We abstract from a specific V2X communications technology and perform generic analysis. If needed, the model can be parameterized for the evaluation of the IEEE 802.11p; an approach to calculate probabilities p i,j can be taken from [22]. Future work will be directed to the safety analysis of other cooperative manoeuvres at intelligent intersections, for example, a left turn [23], and more complex traffic scenarios.