Characterization of Transient Communication Outages Into States to Enable Autonomous Fault Tolerance in Vehicle Platooning

The benefits of platooning, e.g., fuel efficiency, road throughput enhancement, driver offload, etc., have sparked an interest in a more connected, intelligent, and sustainable transportation ecosystem. However, efficient platooning is realized through wireless communications, characterized by transient connectivity, which is caused by occasional packet losses. Being a safety-critical system of systems, a platoon must be fail-operational even during transient connectivity. Moreover, a platoon should be capable of transitioning into a fail-safe state upon encountering a hazard. To this end, we propose a strategy for classifying the transient communication outages incurred by platooning vehicles into states. Furthermore, a state machine using these states to enable safe automated platooning is proposed that also defines the transitions between the states based on the nature and levels of transient connectivity and hazards. To achieve this, a graceful degradation and upgradation method is proposed, such that the platoon can remain fail-operational by adjusting, e.g., the automated controller and/or the inter-vehicle gaps based on the current communication quality. An emergency braking strategy is also proposed to enable a fast transition into a fail-safe state, should the platoon encounter a hazard. Rigorous simulation studies show that the proposed strategies enable fault-tolerant automated platooning also during transient connectivity.


I. INTRODUCTION
A group of highly automated and connected vehicles forms a platoon by autonomously following a Lead Vehicle (LV) and maintaining short inter-vehicle distances by means of wireless vehicular communications and onboard sensors. Vehicle-to-Vehicle (V2V) communication is a key enabling technology in platooning, and it is tightly coupled with vehicle dynamics, control, and computing technologies [1]. However, the wireless communication quality typically varies, causing transient errors that may significantly affect the platooning operations, e.g., joining, merging, splitting, maintaining, braking, etc. The challenges should always be ensured [4]. In order to facilitate the fail-operational state, the platooning vehicles should gracefully degrade their performance in terms of, e.g., fuel efficiency, during runtime in a way that is proportionally related to the level of transient communication errors [5]. Graceful degradation is of the essence here because communication errors are usually transient, and declaring one or more communication links as failed can be premature [6]. In platooning, performance degradation implies increasing the inter-vehicle gaps and/or switching to a more suitable controller that regulates the consensual speed and desired gap between the platooning vehicles in a different way, which is better given the currently experienced communication quality.
Another important component of fault tolerance is a fail-safe state, which becomes crucial in platooning applications when a platoon encounters an irrecoverable failure or a hazard. The fail-safe design principle widely used in aviation safety states that "an inspection method must easily detect a hazard or failure during runtime, and the system must sustain the hazard for an adequate time before safety is compromised" [7]. A hazard in platooning can be caused by scenarios such as the sudden appearance of animals or debris, a stalled vehicle on the highway, abrupt emergency braking by a vehicle or platoon in front, road closure due to accidents or weather conditions, etc. In these scenarios, simply steering away by changing lanes is often not an option, as the visibility or road monitoring capabilities of the Following Vehicles (FVs) in the platoon typically are obstructed by the LV [8]; hence, autonomous emergency braking is of the essence here. To attain the fail-safe design principle in the context of platooning, the hazard must be detected in time, and the platoon must perform emergency braking sufficiently fast such that the stopping distance of the LV is short enough to avoid the hazard while collisions within the platoon are avoided. Consequently, the aim is to ensure a fail-safe state such that, in the event of a hazard or a failure, the platoon responds in a way that will cause minimal or no harm to other equipment, the environment, or people.
Most previous work on platooning addresses performance degradation in case of transient connectivity and emergency braking due to a hazard as two separate problems [9], [10], [11], [12], [13]. However, these two events are tightly coupled. For instance, when a hazard is encountered, a platoon might be in any degraded state due to previously encountered communication errors. Therefore, a platoon must be capable of performing emergency braking to reach a fail-safe state in all degraded modes and under all wireless connectivity conditions. As stated previously, to perform emergency braking, the platooning vehicles are required to brake hard and avoid collisions, and the LV needs to minimize its stopping distance to circumvent the hazard that triggered the emergency braking. However, in most recent works, only collision avoidance within the platoon is regarded as emergency avoidance or considered to be fail-safe [14], [15]. Sustaining large gaps after a full stop has also been emphasized in some recent works [14], [16], [17]. However, it is not beneficial to maintain large inter-vehicle gaps in a fail-safe state if it takes a longer time to reach that state or if it causes the LV to travel farther. In [10], [13], [18], and [19], the authors focus on precisely this: minimizing the stopping distance of the platoon. However, until now, reaching the fail-safe state from any degraded but fail-operational state due to previously encountered problems with the wireless connectivity has not been considered. In addition, many recent works propose control approaches for switching communication topologies, assuming that wireless connectivity is either present or not, e.g., [20], [21], [22], [23]. However, this is an oversimplification, as wireless communication outages are transient, and the communication quality fluctuates due to occasional channel access delays, packet drops, fading, path loss, etc.
The main contribution of this paper is twofold. First and foremost, transient communication outages are classified into good, fair, and poor communication quality levels, separated by agreed thresholds, and these levels define different states. Furthermore, we propose a state machine for automated platooning that captures these various degraded communication states. The state machine also includes emergency braking as a function of the experienced communication quality levels. The level of instantaneous communication quality regulates the autonomous switching between different platooning modes in the state machine. Secondly, we conduct a literature review to analyze, categorize, and assign other relevant studies to the different states of the proposed state machine. In order to enable fault tolerance in automated platooning, a Graceful Degradation and Upgradation (GDU) method is proposed that keeps the automated platoon fail-operational or fail-safe by continuously monitoring the presence of hazards and the current communication quality during runtime and autonomously switching between the states. Note that the platoon vehicles can change states in the state machine based on the individually experienced communication quality. This enables both that we can aim at being as fuel-efficient as the communication quality currently allows and that the state machine works for both homogeneous and heterogeneous platoon vehicles. Finally, we provide a general framework for evaluating different types of automated emergency braking strategies based on the instantaneous communication quality and the source of the information needed for, and available on, braking. Using this framework and the state machine, the Enhanced Synchronized Braking (ESB) strategy is proposed as a fail-safe measure which can autonomously adjust such that it can perform emergency braking for all levels of available communication quality.
The ESB strategy focuses on avoiding collisions between the platooning vehicles, minimizing the stopping distance of the LV, and transitioning the whole platoon into a fail-safe state fast by enabling as high a deceleration rate as the communication quality allows.
To the best of our knowledge, our work is the first of its kind that proposes to classify transient communication outages into different levels instead of simply declaring communication as either present or absent between two vehicles, and that introduces the idea of heterogeneous controllers in a platoon. The fine-grained characterization of communication quality allows us to decentralize platoon control and keep the platooning vehicles fault-tolerant by assigning different controllers and/or gaps as a function of the experienced communication quality levels. Related works such as [21], [22], and [23] propose to switch between different communication topologies but not between controllers. Further, in those works the topology is changed based on whether the communication between two vehicles is absent or present.
We have conducted rigorous simulation studies to evaluate the state-of-the-art control algorithms that are used as the states in the GDU method, i.e., the GDU method governs the switching between these controllers based on the experienced communication quality. The evaluation of the controllers is carried out in terms of safety, fuel efficiency, string stability, and LV tracking ability. Furthermore, we evaluate the proposed GDU method under the same simulation scenarios and criteria to understand the benefits of classifying wireless connectivity into good, fair, and poor qualities and performing switching between different controllers and/or adjusting inter-vehicle gaps to keep a platoon fault-tolerant. In addition, the proposed GDU method and the ESB strategy are evaluated in terms of their fail-operational and fail-safe conditions under challenging scenarios, e.g., time-varying communication delays, short inter-vehicle gaps, high speed, and strong deceleration. Finally, based on the obtained simulation results, we define a set of safety contracts that captures the component behavior of the system given the input conditions such as active controller, experienced communication quality, deceleration rate, etc.
The rest of the paper is structured as follows: Section II reviews related works on platooning and details the state-of-the-art controller properties, whereas the description of the proposed state machine is presented in Section III. In Sections IV and V, the state machine is split into two main parts, i.e., platoon cruising, including fail-operational states, in one part and emergency braking and fail-safe states in the other part, with the relevant studies from the literature attributed to the different states. In Section VI, the simulation scenario, traffic model, and metrics used to evaluate the proposed approaches are described. Next, the evaluation results of fail-operational and fail-safe automated platooning in the light of the proposed state machine are presented first separately in Sections VII and VIII, respectively, and then together in Section IX. Based on the proposed GDU method and the evaluation results, some safety contracts are suggested in Section X that capture the operation modes of the system components. Finally, Section XII concludes the paper.

II. BACKGROUND AND RELATED WORKS
This section describes the state-of-the-art works on fault tolerance in platooning and details the properties of different types of controllers for vehicle strings and automated platooning suggested to be used in different states of the state machine proposed in this paper.
Most modern vehicles are already equipped with Adaptive Cruise Control (ACC) that enables a vehicle to maintain the desired speed or if that is not possible, follow the preceding vehicle by adjusting to its relative speed and distance measured by radar or lidar sensors. However, a vehicle string in which each vehicle uses an ACC controller lacks string stability due to the engine lag, sensor detection, processing, and actuation delay propagated downstream [24]. The ability to maintain string stability is a property of the controller that attenuates the spacing errors as they propagate from the head to the tail of a vehicle string [25]. The efficacy of a controller that regulates a vehicle string is usually assessed by its ability to maintain string stability, use short gaps, and avoid inter-vehicle collisions during platooning. Using Cooperative Adaptive Cruise Control (CACC) or applying a so-called PLATOON controller tackles the problem of sensor detection and processing delays by adding V2V communications to an existing ACC. In contrast to most previous works, Shladover et al. suggest using the terms CACC and PLATOON distinctively in [24]. The authors reason that a PLATOON is a closely coupled system of systems in which the vehicles follow a Constant Distance Gap (CDG) policy, offering both lateral and longitudinal controls. On the other hand, a CACC string of vehicles relies on a Constant Time Gap (CTG) policy facilitating longitudinal control only. A time gap is the elapsed time from when the preceding vehicle's rear bumper traverses a reference point on the road to when the ego vehicle's front bumper traverses the same point. Following a CTG policy, the vehicles increase the inter-vehicle gaps as a function of speed, whereas with a CDG, the gaps between the vehicles are kept the same despite speed changes. 
To enable the CDG policy in a PLATOON of vehicles, the FVs require periodic updates from both the LV and the preceding vehicle (leader-predecessor following strategy). On the other hand, the vehicles in a CACC string can maintain longitudinal control upon receiving periodic updates from their respective predecessors only, i.e., predecessor following strategy. Note that a PLATOON following the CDG policy may enable inter-vehicle gaps as short as 5 meters [26], implying higher fuel efficiency and enhancement of road throughput. However, as all the FVs require periodic updates from the LV and the gaps are short, temporary communication outage is more severe from a safety point of view when using a PLATOON controller [24], especially for the rear vehicles in the platoon which are farthest away from the LV. In the remainder of this paper, the terms CACC and PLATOON are used distinctively to denote controllers for a string of vehicles and a platoon, respectively.
The information required for automated platooning is disseminated via V2V communications, using some type of periodic messages, e.g., Cooperative Awareness Messages (CAMs) [27] that contain necessary parameters for lateral and longitudinal control. In addition, when a hazard or an event of common interest occurs, the LV, an FV, and/or a roadside unit may broadcast event-driven messages, e.g., Decentralized Environmental Notification Messages (DENMs) [28] for the duration of the event, instructing the vehicle string to react, e.g., by performing emergency braking.
Since sensor systems and wireless communications, the key enabling technologies for automated platooning, are never completely error-free [29], fault tolerance mechanisms in platooning have received significant research attention. In [30], a graceful degradation algorithm is proposed that takes the inaccuracies caused by a radar sensor failure in a CACC-based system as input, and a safe time headway is chosen dynamically. The results show that a vehicle maintains a longer safe distance upon detecting a radar fault. Yu et al. [12] address performance degradation under communication interruption, but only its effect on string stability and fuel efficiency in a fleet of ten vehicles. Ploeg et al. [9] propose graceful degradation of platooning functions by transitioning from CACC to "degraded CACC" (dCACC) mode when a host vehicle experiences communication latency. The criteria for switching between CACC and dCACC based on the experienced communication delay are also provided in [9]. However, exactly how this transition and graceful degradation should be performed in case of irregular packet losses, rather than a slowly varying communication delay, is left for future work. Kaiser et al. propose a canonical approach to design degradation cascades in automated systems [31]. A state machine is also proposed to demonstrate how a degradation cascade can be used in the event of failures. Sljivo et al. also propose a degradation cascade capturing various failure modes in vehicle platooning and derive a set of safety contracts based on it [20]. However, in both [31] and [20], the authors do not consider transient connectivity errors of varying levels during cruising or emergency braking.
van Nunen et al. propose fault-tolerant and fail-safe mechanisms following the V-model of the system development process in [32]. A set of safety measures is defined, based on dictated by the control algorithm. The aim is to keep the platoon fail-operational in terms of safety by degrading the performance in terms of fuel efficiency and string stability when required.
As mentioned above, V2V communication is crucial for emergency braking of platooning vehicles traveling with short inter-vehicle gaps. Alkim et al. showed in their simulation studies that if the FVs in a platoon are V2V-enabled, they can respond to a hazard much faster [36]. However, this study does not consider the communication latency incurred by the neighboring vehicles. In our previous work [19], we showed that this communication latency must be accounted for to avoid collisions within the platoon during emergency braking in a dense vehicle scenario that induces both high levels of data and road traffic. Murthy and Masrur propose leveraging the space buffer between vehicles in a heterogeneous platoon during emergency braking on a flat road [10] or on a downhill road [18]. To this end, the authors propose that if a platooning vehicle cannot brake at its assigned deceleration rate on a downhill road, it sends distress messages so that the other vehicles can adapt their deceleration rates to the one under distress. However, safe braking is not guaranteed if the number of distress messages lost is greater than a threshold. Moreover, if the number of CAMs lost exceeds a threshold, the authors propose to dissolve the platoon. In contrast, instead of dissolving the platoon, in this paper we propose to switch between controllers and/or adjust inter-vehicle gaps in proportion to the level of communication outages. The works in [10], [19], and [18] emphasize minimizing the stopping distance of the LV in addition to avoiding collisions between the FVs to attain a fail-safe state. However, to the best of our knowledge, the transition from fail-operational states to emergency braking states leading to a fail-safe state is not considered in previous works.
The vast majority of the works in the literature either focus on degradation algorithms to maintain certain platoon functionalities even in the presence of transient errors or they focus on emergency braking strategies. However, a detailed picture of both fail-operational and fail-safe algorithms, together with their inter-dependencies under varying communication errors and delays, is missing in the literature, which is why this aspect is addressed here.

III. STATE MACHINE FOR AUTOMATED PLATOONING
In Figure 1, we propose a state machine that demonstrates how to transition between platoon forming, cruising, emergency braking, and dissolving to tackle the challenges imposed by transient communication errors of different lengths also when coupled with the requirement to enable emergency braking in case of a hazard. An initial concept of the state machine was first proposed in a technical report by the authors [37]. In this section, the states in Figure 1 are first defined, and then the state transitions are explained. We formulate three research questions based on the proposed state machine and address them in the remainder of this paper.

A. STATE DEFINITIONS
The state machine is divided into Platoon forming, Cruising, Emergency Braking, Fail-Safe, and Dissolve platoon states. In addition to the states mentioned here, there can also be other platooning states, such as platoon joining, merging, cut-in, cut-out, etc., under the same communication constraints as in Figure 1. However, since this paper focuses on the fail-operational and fail-safe states caused by hazards and communication errors, we do not consider these general cruising scenarios separately. Nevertheless, we note that a cut-in scenario, e.g., a non-platooning vehicle changes lanes to place itself between the platooning vehicles, can be considered a platoon-related hazard, potentially leading to strong deceleration while cruising at high speed.
Platoon Forming: This is the starting state in which a platoon is formed when there exists an intention to collaborate. Instructions regarding platoon formation, such as route planning, platoon size, inter-vehicle distances, speed, etc., are given from, e.g., a fleet operating control center through Vehicle-to-Everything (V2X) communications.
Cruising States: In the Cruising States, the platooning vehicles cruise obeying a control law with a given speed and inter-vehicle gaps dictated by the controller and communication quality. The cruising states are subdivided into fuel-efficient and fail-operational states.
• Fuel-Efficient State: State 2 in Figure 1 represents the fuel-efficient state. In this state, the platooning vehicles maintain short inter-vehicle gaps following the CDG policy to enable fuel efficiency by reducing the aerodynamic drag. Moreover, due to the good communication quality in State 2, string stability can be maintained while still providing the required level of safety. In addition, the communication quality and the presence of potential road hazards or external instructions are monitored.
• Fail-Operational States: States 3 and 4 in Figure 1 represent the fail-operational states.
  - State 3: In this state, performance is degraded in terms of fuel efficiency by increasing the inter-vehicle gaps and/or performing controller switching due to experiencing a deteriorated communication quality. If the controller is exchanged for CACC, the CTG policy is adopted instead of the CDG. A sufficient level of safety and string stability is still targeted, but at the expense of fuel efficiency, by changing the communication topology and distance policy and/or increasing the inter-vehicle gaps.
  - State 4: Due to the poor communication quality in State 4, the vehicle string no longer relies on V2V communications and collaboration. Instead, a radar- or lidar-based controller such as ACC is adopted, which requires longer inter-vehicle gaps and adoption of the CTG policy. Safety takes precedence over fuel efficiency and string stability in this state.
Emergency Braking States: A platoon transitions into one of the emergency braking states (States 5, 6, and 7 in Figure 1) from the cruising states upon an instruction to initiate emergency braking because a hazard has been detected, whether by the ego vehicle using its local sensors, by another vehicle through V2V communications, or remotely through V2X communications. When a hazard is encountered, the communication quality can be either good, fair, or poor. The platooning vehicles monitor the instructions from the LV or Adjacent Vehicles (AVs) and their distance to the preceding vehicle to adjust their deceleration rates. Note that fuel efficiency and string stability are of no concern during emergency braking.
Fail-Safe State: State 8 in Figure 1 represents the Fail-Safe state. The platooning vehicles have come to a complete standstill in this state by performing emergency braking. All platooning vehicles must avoid collisions to satisfy the conditions of a fail-safe state, i.e., no harm done to people, the environment, or equipment. In addition, the lead vehicle is required to travel a sufficiently short distance to avoid the hazard that caused the emergency braking [10], [13], [19]. The inter-vehicle gap at a complete standstill is of no concern in this scenario, and the communication quality does not need to be monitored. The conditions of a fail-safe state are formulated in more detail in Section V. From here, the platooning vehicles await instructions on whether to reform the platoon or dissolve it.
Dissolve Platoon: The platooning vehicles may have reached the Dissolve platoon state, State 9 in Figure 1, either by doing an emergency braking using State 5, 6, or 7 and then transferring to State 8 as soon as the speed is zero, or by simply having received instructions to stop collaborating when in one of the Cruising states, State 2, 3, or 4. The inter-vehicle distance during cruising may or may not have been retained when the platoon dissolves.

B. STATE TRANSITIONS
Before we describe the state transitions, it is important to note that different platooning vehicles can experience different levels of communication quality, e.g., good, fair, or poor, at a particular time instant. In particular, the tail vehicles in the platoon experience more packet losses than the vehicles in the front when communicating with the LV due to path loss and shadowing effects [19]. When a vehicle increases its gap to the vehicle in front, it can in turn deteriorate the communication quality experienced by the other FVs even further. Since all the platooning vehicles adjust the gap to the vehicle in front and/or perform controller switching in a distributed way, it is possible that, for instance, the second vehicle in the platoon is in State 2 while the last vehicle is in State 4 due to experiencing poor communication quality. The state machine proposed in Figure 1 works both when all the platoon members experience the same communication quality and when they do not. However, in States 1, 8, and 9, the platoon acts as one entity rather than a system of collaborating autonomous systems. This is because the platoon vehicles cannot transition to State 2 until they have agreed to collaborate, are connected by V2V communications, and have formed the platoon in State 1. Similarly, the fail-safe state is not reached until all platoon vehicles have stopped. Nor can the platoon be said to have dissolved until all the vehicles have received instructions to stop collaborating.
Once the decision to form a new platoon is made (State 1) and good communication quality can be established between all vehicles, the platoon can adjust the vehicle gaps according to CDG and transition to the fuel-efficient and safe platooning state (State 2).
The transitions between the Cruising States, i.e., States 2, 3, and 4 are regulated by the communication qualities perceived by each vehicle. We divide the communication quality into three levels, i.e., good, fair, and poor. When the communication quality is good, fuel-efficient and safe platooning is enabled, State 2. The inter-vehicle distances are short in State 2, and the communication quality is monitored periodically. If the communication quality deteriorates to fair, the platoon vehicle transitions into the fuel suboptimal, string stable and safe state, State 3. From this state, the vehicle can switch back to State 2 once the communication quality becomes good again (performance upgradation). However, if the communication quality further worsens to poor, the vehicle adopts a radar or lidar-based controller, e.g., ACC, to maintain safe but minimal platooning functionalities, State 4 (performance degradation). In this state, the inter-vehicle gaps are further increased according to the CTG approach to ensure safety. Neither fuel efficiency nor string stability is the primary goal at this stage; instead, the vehicle monitors the V2V communication links to see if fair communication can be reestablished.
The transitions to the emergency braking states, States 5, 6, or 7, occur when a hazard is encountered. The transitions between States 5, 6, and 7 are regulated by the presence of a hazard and the experienced communication quality. When a hazard is detected in State 2, the vehicle transitions to State 5: the gap is the short CDG, and the communication quality is good. However, if the communication quality becomes fair shortly after, the platooning vehicle transitions from State 5 to State 6. In such a scenario, it is required to perform emergency braking with fair communication quality, but the vehicle may still have a short gap which was inherited from State 2. Note, however, that in general short gaps imply better communication quality, as the path loss is lower. Hence, it is crucial that the communication-assisted automated emergency braking strategy is tailored to the communication quality experienced and the inter-vehicle gaps used, taking into account that the braking causes an increased communication load as several vehicles may broadcast hazard warnings, but also that a shorter range usually improves the communication quality. Finally, we note that if instructions are received that emergency braking is no longer needed, the platoon can switch back to State 2, 3, or 4 depending on the instantaneous communication quality. From the Emergency Braking States, a platoon is said to have transitioned into the Fail-Safe state if there are no collisions and all vehicles in the platoon are at a standstill (zero speed). Clearly, inter-vehicle collisions must also be avoided if and when decelerating in States 2, 3, and 4 or when stopping due to dissolving the platoon in State 9, but in these cases it is not necessary to minimize the stopping distance of the LV.
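To make the fail-safe conditions stated above concrete (no collision at any time, all vehicles at standstill, and a known LV stopping distance), the following Python check is added here as an illustration; it is not the paper's simulation code nor the ESB strategy. It assumes a constant-deceleration model in which vehicle i starts braking delay_i seconds after the hazard is detected (its reaction plus communication delay, supplied as an input) and decelerates at decel_i until it stops; the speed, gaps, delays and deceleration rates used below are constructed values for the example.

```python
"""Kinematic check of the fail-safe conditions during emergency braking.
Added example, not from the paper: constant-deceleration model sampled on a
fixed time grid. All numbers used in the usage section are assumed values."""
from dataclasses import dataclass


@dataclass
class BrakingVehicle:
    delay_s: float      # time from hazard detection to brake onset (reaction + communication)
    decel_mps2: float   # deceleration rate actually achieved by this vehicle


def travelled(v0, veh, t):
    """Distance covered since hazard detection at time t (all vehicles start at speed v0)."""
    if t <= veh.delay_s:
        return v0 * t
    # braking time so far, capped at the time needed to reach standstill
    tb = min(t - veh.delay_s, v0 / veh.decel_mps2)
    return v0 * veh.delay_s + v0 * tb - 0.5 * veh.decel_mps2 * tb * tb


def stop_time(v0, veh):
    """Time at which this vehicle reaches standstill."""
    return veh.delay_s + v0 / veh.decel_mps2


def check_fail_safe(v0, vehicles, gaps_m, dt=0.001):
    """vehicles[0] is the LV; vehicles[i] follows vehicles[i-1] with initial
    bumper-to-bumper gap gaps_m[i-1]. Returns the LV stopping distance, the
    minimum gap reached anywhere in the platoon before everyone has stopped,
    the time at which all vehicles are at standstill, and whether the
    fail-safe conditions (no collision, all stopped) hold."""
    t_end = max(stop_time(v0, v) for v in vehicles)
    steps = int(t_end / dt) + 2            # grid extends past t_end
    min_gap = float("inf")
    for k in range(steps):
        t = k * dt
        for i in range(1, len(vehicles)):
            gap = gaps_m[i - 1] + travelled(v0, vehicles[i - 1], t) - travelled(v0, vehicles[i], t)
            min_gap = min(min_gap, gap)
    return {
        "lv_stopping_distance_m": travelled(v0, vehicles[0], t_end),
        "min_gap_m": min_gap,
        "all_stopped_at_s": t_end,
        "fail_safe": min_gap > 0.0,
    }


if __name__ == "__main__":
    # Constructed scenario: 25 m/s (90 km/h), 5 m CDG, 6 m/s^2 deceleration,
    # brake onset delayed by 0.15 s per vehicle along the platoon.
    lv = BrakingVehicle(0.1, 6.0)
    r = check_fail_safe(25.0, [lv, BrakingVehicle(0.25, 6.0), BrakingVehicle(0.4, 6.0)], [5.0, 5.0])
    print(r)
```

With equal deceleration rates the gap between two neighbours shrinks monotonically and ends up reduced by exactly v0 times the difference in brake onset, so at 25 m/s a 0.15 s extra delay per vehicle leaves 1.25 m of a 5 m gap, and a 0.2 s extra delay consumes the whole gap; this is why the delay budget, not only the deceleration rate, has to be agreed on in the emergency braking states. When a follower brakes harder than its predecessor, the minimum gap occurs while it is still moving, not at standstill, which is why the check samples the whole manoeuvre instead of only comparing stopping distances.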
A platoon can transition from the Fail-Safe state (State 8) to the Dissolve platoon state (State 9) if instructions to stop collaborating have been received. Similarly, a platoon can be formed again (State 1) if instructions to do so are received, in which case the communication quality will be monitored again. Note that a platoon can also transition to the Dissolve platoon state from the Cruising States when receiving instructions that collaboration is no longer desired. Finally, the platooning vehicles can transition to State 1 from the Fail-Safe or from the Dissolve platoon states, e.g., upon receiving teleoperated instructions from a control center.
Based on the discussion above, it is clear that all the platooning vehicles need to agree on the state machine, such as the one in Figure 1, and certain parameters while collaborating. For instance, once the decision of collaboration is made, the vehicles must agree on the good, fair, and poor communication thresholds, constant distance gaps, constant time gaps, and the factor by which the inter-vehicle gaps are to be adjusted in case of fair communication quality in order to form a platoon. Moreover, vehicle kinematic parameters, such as speed, position, steering angle, and acceleration, are required to be communicated. Note that the platoon does not need to be homogeneous, as, e.g., different deceleration capabilities can be handled given that different platoon vehicles can be in different states -but the prerequisites need to be known, and the instantaneous conditions are required to be communicated in order to select values of different parameters which are safe enough. In the emergency braking states, all the platooning vehicles must be aware of the nature, severity, and distance to the hazard, as well as the detection time of the hazard. In addition, if the LV detects the hazard, it must also inform the other platoon members when and how to perform the braking maneuver and the deceleration rates to be pursued. In other words, given that the weight, length, inter-vehicle gaps, and braking capacities of the individual platooning vehicles are known and agreed upon, the proposed state machine is applicable for both homogeneous and heterogeneous platoons.
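The following Python sketch is added here to illustrate, per vehicle, the state numbering and transitions described above (States 1 to 9, the good/fair/poor degradation and upgradation between States 2, 3, and 4, the hazard-driven entry into States 5 to 7, and the exits to States 8 and 9) together with the CDG and CTG spacing policies from Section II. It is an illustration written for this page, not the authors' GDU implementation. The classifier maps the duration of the current outage (time since the last periodic message was received) to a quality level; the threshold values, gap parameters, and the classifier itself are assumptions chosen for the example, not values agreed in the paper.

```python
"""Per-vehicle GDU state machine: an added illustration of the Figure 1
state numbering and transitions, not the authors' code. Thresholds, gap
parameters and the outage-duration classifier are assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class State(IntEnum):
    FORMING = 1
    FUEL_EFFICIENT = 2   # PLATOON controller, CDG, good communication
    FAIL_OP_FAIR = 3     # CACC, CTG, fair communication
    FAIL_OP_POOR = 4     # ACC (sensor only), longer CTG, poor communication
    BRAKE_GOOD = 5
    BRAKE_FAIR = 6
    BRAKE_POOR = 7
    FAIL_SAFE = 8
    DISSOLVE = 9


@dataclass
class Params:
    """Values the members agree on when forming the platoon (assumed here)."""
    good_outage_s: float = 0.2   # outage up to this -> good
    fair_outage_s: float = 1.0   # outage up to this -> fair, beyond -> poor
    cdg_m: float = 5.0           # constant distance gap in State 2
    ctg_fair_s: float = 0.6      # time gap in State 3 (CACC)
    ctg_poor_s: float = 1.5      # time gap in State 4 (ACC)
    standstill_m: float = 2.0    # distance kept at zero speed under CTG


def classify_quality(outage_s: float, p: Params) -> str:
    """Map the duration of the current outage to good / fair / poor."""
    if outage_s <= p.good_outage_s:
        return "good"
    if outage_s <= p.fair_outage_s:
        return "fair"
    return "poor"


CRUISE = {"good": State.FUEL_EFFICIENT, "fair": State.FAIL_OP_FAIR, "poor": State.FAIL_OP_POOR}
BRAKE = {"good": State.BRAKE_GOOD, "fair": State.BRAKE_FAIR, "poor": State.BRAKE_POOR}
CRUISING = set(CRUISE.values())
BRAKING = set(BRAKE.values())


class VehicleFSM:
    """State machine run independently by each platoon member. Note that in
    the paper States 1, 8 and 9 are reached by the platoon as a whole; here
    the per-vehicle view is shown."""

    def __init__(self, p: Params):
        self.p = p
        self.state = State.FORMING

    def step(self, outage_s, speed_mps, hazard, dissolve=False, reform=False):
        q = classify_quality(outage_s, self.p)
        s = self.state
        if s == State.FORMING:
            if q == "good":            # State 2 needs good communication first
                s = State.FUEL_EFFICIENT
        elif s in CRUISING:
            if dissolve:
                s = State.DISSOLVE
            elif hazard:
                s = BRAKE[q]           # enter braking at the current quality
            else:
                s = CRUISE[q]          # degrade or upgrade with the quality
        elif s in BRAKING:
            if speed_mps <= 0.0:
                s = State.FAIL_SAFE
            elif not hazard:
                s = CRUISE[q]          # braking no longer needed
            else:
                s = BRAKE[q]           # quality may change while braking
        elif s == State.FAIL_SAFE:
            if dissolve:
                s = State.DISSOLVE
            elif reform:
                s = State.FORMING
        elif s == State.DISSOLVE and reform:
            s = State.FORMING
        self.state = s
        return s

    def desired_gap_m(self, speed_mps):
        """Spacing policy attached to the current cruising state; None when
        the gap is not regulated by a cruising controller."""
        p = self.p
        if self.state == State.FUEL_EFFICIENT:
            return p.cdg_m                                   # CDG
        if self.state == State.FAIL_OP_FAIR:
            return p.standstill_m + p.ctg_fair_s * speed_mps  # CTG
        if self.state == State.FAIL_OP_POOR:
            return p.standstill_m + p.ctg_poor_s * speed_mps  # longer CTG
        return None


def run_trace(events, p=Params()):
    """Feed (outage_s, speed_mps, hazard) samples to one vehicle and return
    the sequence of state numbers it visits."""
    fsm = VehicleFSM(p)
    return [int(fsm.step(o, v, h)) for (o, v, h) in events]
```

Running run_trace on a constructed sample such as a good link, a 0.5 s outage, recovery, a 1.5 s outage, partial recovery, a hazard, and a stop produces the state sequence 2, 2, 3, 2, 4, 3, 6, 5, 8, i.e., the vehicle degrades and upgrades while cruising, enters braking at the quality it currently experiences, moves between braking states as the quality changes, and reaches the fail-safe state only at zero speed. Because each vehicle runs its own copy, a tail vehicle with a longer outage can sit in State 4 while the second vehicle is in State 2, as discussed above.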
The following Research Questions (RQs) can be derived based on the state machine above:
• RQ1: How can automated platooning be maintained in the presence of transient communication errors, i.e., fail-operational, and with the aim of using short inter-vehicle distances and high vehicle speed while assuring safety?
• RQ2: How does the mapping between the duration of transient communication outages and the good, fair, or poor thresholds which dictate the autonomous transition between the states impact platoon safety, fuel efficiency, string stability, and lead vehicle tracking?
• RQ3: In case of emergencies caused by road hazards, how should the platoon coordinate to perform its emergency braking maneuver to transition into a fail-safe state fast, given different qualities experienced on the communication links and different inter-vehicle gaps?

IV. CRUISING STATES
This section describes the cruising states, including the two fail-operational states. First, the conditions for attaining the fail-operational states are given. Then the control algorithms available in the literature are described, and appropriate control laws are attributed to the cruising states, i.e., States 2, 3, and 4 in Figure 1. Finally, the proposed GDU method is presented, which facilitates autonomous controller switching based on the experienced communication quality to the LV and/or the vehicle in front.

A. FAIL-OPERATIONAL CONDITIONS
The most obvious way for a platoon to be fail-operational in case of transient communication errors is to increase the inter-vehicle gaps. However, the fuel efficiency constraint should still be considered if possible, and the inter-vehicle gap and communication quality must match the requirements of the control law under consideration. To this end, we define the following conditions of a fail-operational state:
1) Regardless of the control law being used, we consider the safety condition in States 2, 3, and 4 to be that the measured inter-vehicle distance between any two platooning vehicles is greater than 0 meters under all conditions, i.e., no collisions occur.
2) String stability takes precedence over fuel efficiency. This ensures that individual vehicles do not prioritize their own fuel efficiency over the platoon's fuel efficiency. Similarly, safety takes precedence over both string stability and fuel efficiency, according to the definition of a fail-operational state. This ensures that safety always comes first for all vehicles.
3) The selected control law and inter-vehicle distance should be adapted to the instantaneous communication quality of the link to the LV, the vehicle in front, and the immediate FV. Moreover, the platoon should autonomously close the inter-vehicle gaps and adopt a more fuel-efficient controller when the communication quality improves.

B. CONTROL ALGORITHMS
According to the ACC controller proposed by Ioannou and Chien in [38], the control law of the $i$th vehicle can be given by Equation (1), where $i$ and $i-1$ denote the ego and the preceding vehicles, respectively. Further, $\ddot{x}_{i,des}$ is the desired acceleration of the $i$th vehicle, $\lambda$ is a design parameter, $T$ is the time gap, and $\delta_i$ is the spacing error, i.e., the difference between the measured distance $x_i - x_{i-1} + l_{i-1}$ to the front vehicle and the desired distance $T\dot{x}_i$. Finally, $\varepsilon_i$ is the relative speed between the ego and front vehicles. A string of vehicles using the ACC controller requires fairly long time gaps due to the detection, processing, and actuation delay that propagates downstream [39]. For State 4 in Figure 1, the ACC controller represented by Equation (1) can be used, as the state assumes poor communication quality and stipulates a long time gap. Several CACC controllers are proposed in the literature, all of which aim at string stability and minimizing the inter-vehicle gaps. Santini et al. propose a consensus controller in which the vehicles' data to be used for computing the actuation of the ego vehicle is determined based on network characteristics during runtime [40]. The most straightforward CACC controller facilitating longitudinal control is likely the one in which the ego vehicle calculates its acceleration using the preceding vehicle's intended acceleration obtained through V2V communications, e.g., the CACC controller proposed by Ploeg et al. in [41]. The relative speed and distance data are obtained through the radar sensor as in ACC. The control law of the Ploeg CACC is defined by Equation (4), where $u_{i-1}$ is the intended acceleration of the preceding vehicle that is communicated to the ego vehicle through V2V communications, and $k_p$ and $k_d$ are the controller gains.
The Ploeg CACC controller exhibits better fuel efficiency and string stability than the ACC controller by minimizing the inter-vehicle gaps, since the FVs can learn their predecessors' intentions even before they actuate. Moreover, the Ploeg CACC controller only requires feedback information from the preceding vehicle and relies on the CTG policy; hence, the control law represented by Equation (4) can be attributed to State 3 in Figure 1. Milanés et al. propose two control algorithms for addressing the smooth gap-closing maneuver in a cut-out scenario and the car-following maneuver in a platoon [42]. Ali et al. propose a modification of the CTG policy in which the inter-vehicle gaps are changed based on the speed difference between the ego vehicle and the reference speed of a string of collaborating vehicles [43]. The authors also propose to switch to the classical CTG policy in case of communication loss. The strategies proposed in [42] and [43] can be used in State 3 in Figure 1, as well as in State 4 in case a previously agreed speed has been communicated and agreed on before the communication quality deteriorated.
Lee et al. propose distinctive controllers for longitudinal and lateral control; a headway controller for longitudinal control and a magnetic sensor-based controller for lateral control [44]. The PLATOON controller proposed by Rajamani also provides both lateral and longitudinal control by using the leader-predecessor following strategy and the CDG policy [25]. Due to the requirement of good communication quality with the LV and the immediate predecessor, the PLATOON controller proposed by Lee et al. in [44] and by Rajamani in [25] is suitable for State 2 in Figure 1.
Liu et al. define a control law that uses the feedback information from both the LV and the preceding vehicle [45]. In addition, they found that asynchronous actions, e.g., immediate acceleration changes upon reception of a CAM packet, lead to string instability due to the propagation of the error in the platoon's downstream direction. Hence, Liu et al. [45] propose that the vehicles delay their actions until all the vehicles have received the CAMs to cancel out the effect of communication latency on string stability. Fernandes and Nunes also show that delayed action can improve string stability in a leader-predecessor following strategy when the FVs in a platoon hold their actuation until having received 'anticipatory information' from the LV [46]. Both [45] and [46] are suitable for State 2 in Figure 1.
The PLATOON controller by Rajamani in [25] facilitates inter-vehicle gaps as short as 5 m [47], and thereby higher fuel efficiency, due to its reliance on the CDG policy and receiving feedback information directly from the LV in addition to the vehicle in front. Using the PLATOON controller [25], the desired acceleration of the ego vehicle can be given by Equation (5), where the spacing error $\varepsilon_i = x_i - x_{i-1} + l_{i-1} + \mathrm{gap}_{des}$, $\mathrm{gap}_{des}$ is the desired gap in meters, and $V_l$ is the lead vehicle's longitudinal velocity. Further, $C_1$ is the weighting factor between the data from the lead vehicle and the preceding vehicle, $\xi$ is the damping ratio, and $\omega_n$ is the controller bandwidth.
The value of $C_1$ plays an important role in string stability. Fernandes and Nunes show that the tracking error approaches zero as the value of $C_1$ approaches one [46]. The authors suggest using $C_1$ values between 0.5 and 0.7 so that the platooning vehicles do not need to rely only on the lead vehicle's data in the cases where it is not available due to transient communication errors. In summary, the ACC [38], CACC [41], and PLATOON [25] control laws represented by Equations (1), (4), and (5) can be attributed to States 4, 3, and 2 in Figure 1, respectively. In the simulations carried out in this paper, we chose the controller parameters based on the research results from state-of-the-art works. For instance, the values of the parameters in the PLATOON controller, e.g., $\mathrm{gap}_{des} = 5$ m, $C_1 = 0.5$, $\xi = 1$, and $\omega_n = 0.2$ Hz, are motivated by the arguments in [46], [48], and [26]. Ploeg et al. in [41] suggest suitable values for the CACC controller parameters, e.g., $k_p = 0.2$, $k_d = 0.7$, $T = 0.5$ s. In addition, Segata shows that a string of vehicles with an ACC controller behaves safely when a time gap $T = 1.2$ s is maintained [26].

C. TRANSITIONING BETWEEN THE CRUISING STATES USING DEGRADATION CASCADES
So far, we have introduced the Cruising states that include fuel-efficient and fail-operational states and assigned some state-of-the-art controllers to different cruising states based on their suitability in terms of communication requirements. Now, we propose a Graceful Degradation and Upgradation method considering the controller requirements, such as available links and communication quality, and settings such as CTG and CDG.

1) PERFORMANCE DEGRADATION EMPLOYING SAFETY CONTRACTS
Runtime monitoring of a safety-critical system of systems, e.g., a platoon, is necessary to design appropriate system responses in case of transient errors; for instance, graceful performance degradation in proportion to the level of system component failure. The SafeCOP runtime monitoring architecture [49] introduces a Runtime Manager (RTM) concept that builds upon contract-based safety assurance of the components in a cooperative system. A safety contract $C = \langle A, G \rangle$ of a system component can be defined as a pair of assertions in which the component behavior is guaranteed according to the Guarantee $G$, given that the Assumptions $A$ are fulfilled [50]. In other words, a contract reflects the performance that is guaranteed at a particular degraded mode, given that the assumptions on the system environment are fulfilled.
In the degraded states in Figure 1, i.e., States 3 and 4, different levels of transient connectivity can be defined to form an ordered set of degraded operation modes, termed a degradation cascade [20]. At various levels in the hierarchy of the degradation cascade, we can define the requirements on the controllers that the platooning vehicles should adopt and/or the extent to which the inter-vehicle distances should be increased. Based on the performance goals of the different levels of such a degradation cascade, a set of safety contracts can be derived. For instance, Sljivo et al. in [20] propose a set of safety contracts obtained from a state machine that represents a degradation cascade for different failure modes in car platooning. The authors then instantiate arguments to assure that the contracts sufficiently address the failure modes of the degradation cascade. Girs et al. [6] build upon the RTM concept and also define safety contracts to capture different operation modes, e.g., normal, degraded, and full-stop, in a cooperative cyber-physical system, e.g., a platoon. The definition of the safety contracts in [6] is preceded by safety analyses which describe the reasons for communication failure in a cooperative function and identify two parameters to detect the failure, i.e., Packet Delivery Ratio (PDR) and the number of consecutive packet losses. However, we have chosen not to use PDR to assess communication quality since it is an average measure that does not cover the instantaneous communication quality experienced by the platooning vehicles. The number of consecutive packet losses, however, is used as this defines the duration of an outage and relates to the good, fair, and poor thresholds. In our previous work [5], we proposed a set of conditions that defines performance degradation in platooning in the event of transient errors. The preliminary results demonstrate how a platooning vehicle switches between different controllers and manages to avoid collisions in dense data and road traffic scenarios. However, none of the works in [5], [6], [20] investigate the impact of packet losses on the different communication quality levels that dictate the upgradation or degradation chains. Moreover, should a hazard or a permanent failure be encountered, the way emergency braking should be performed from the different Cruising States is not addressed either.

2) GRACEFUL DEGRADATION AND UPGRADATION (GDU) METHOD
Now, we present the proposed GDU method that aims to keep a platoon fail-operational. The GDU method builds upon the RTM concept introduced in [49] and is depicted with the help of a state machine that considers the communication quality in combination with the platoon safety requirements, see Figure 2. To construct the proposed GDU method, high-level and straightforward safety requirements were first defined based on a literature review. Next, the requirements were updated and adjusted to build requirement cascades and set safety targets. Rigorous simulation studies and analyses facilitated the adjustments of the requirements. For brevity, the safety requirements are not separately elaborated in this paper. However, in Section X, we present a set of safety contracts in which the Guarantees $G_i$ must fulfill the safety requirements on the component level, i.e., the Guarantees reflect the safety requirements. A requirement cascade that defines a hierarchy such as "System shall do X; if X cannot be done, the system shall do Y, and so on" is the basis of designing a degradation cascade [31].
As communication errors cannot be anticipated during design time, the GDU method aims to select a safe state autonomously based on the perceived communication quality during runtime. Moreover, the state should be as efficient as possible, given the occurrence of communication errors. Suppose the communication quality with the LV or the immediately preceding vehicle has changed. The GDU method then upgrades or degrades the platooning vehicle's performance by adjusting the gap to the vehicle in front and/or adopting a suitable controller with the corresponding gap policy (i.e., CDG or CTG), which is based on more or less input from the LV and/or the vehicle in front or behind, given the safety contracts.
When using the GDU method, the connection to lead (c2l) vehicle and connection to front (c2f) vehicle are monitored during runtime.¹ These connection types are further classified into good, fair, and poor communication qualities, which have already been discussed within the scope of the state machine in Figure 1. The GDU state machine depicted in Figure 2 is a more detailed version of the Cruising States presented in Figure 1. States 2, 3, and 4 in Figure 1 are represented by the PLATOON, CACC, and ACC states in Figure 2. In addition, there are two intermediate states named PLATOON & GA and CACC & GA, which represent the Gap Adjustment (GA) functions of the GDU method. The aim of the GA states is to facilitate graceful degradation, i.e., first increasing the inter-vehicle gap slightly when a connectivity error is noticed and only switching to a less fuel-efficient controller when the specific communication requirements can no longer be fulfilled using the current controller. A slightly increased gap enables better string stability than controller switching. In addition, transitioning to the GA states before controller switching facilitates graceful acceleration or deceleration, which can, e.g., enhance passenger comfort. To this end, the GDU method presented in Figure 2 offers three types of operation modes to enable performance degradation and upgradation: i) switching between the PLATOON, CACC, and ACC controllers, which implies changing the control topology and gap strategy, ii) maintaining the same controller but adjusting the gap to the vehicle in front, or iii) changing the controller and adjusting the gap.

¹ In a platoon, the connection to the immediately following vehicle also needs to be monitored for safety reasons. However, the data that needs to be exchanged using this link refers mostly to braking, and thus, for brevity, we exclude this link when discussing the cruising states and return to it when discussing the emergency braking states below.
A vehicle using the PLATOON state requires good c2f and good c2l to facilitate a short inter-vehicle gap according to the CDG policy in order to enable high fuel efficiency. However, should the c2l deteriorate to fair, the vehicle can transition to the PLATOON & GA state by slightly increasing the distance to the vehicle in front. When delaying the change of controllers by first increasing the gap, more graceful degradation is obtained, which leads to better string stability. The rationale behind increasing the gap is due to safety, e.g., the potential risk of not being able to receive emergency braking messages from the LV in time, and thus a larger gap can maintain safety. If the c2l becomes poor, but the c2f remains good, the vehicle transitions to the CACC state in which the CTG policy is followed, and thereby the inter-vehicle gaps are much longer at high speeds than in the PLATOON state. In Figure 2, transitions to the CACC & GA are possible from all other states. The reason is that if the c2f becomes fair, the vehicle must increase the gap to the vehicle in front regardless of the communication quality with the LV. If the c2f further deteriorates and becomes poor, the vehicle adopts the ACC controller regardless of the quality of the c2l. Recall that all vehicles periodically monitor the communication quality to see if performance can be upgraded due to an improvement in communication quality. For instance, when the ACC controller is active in a vehicle and a packet is received from the vehicle in front such that the communication quality improves, the vehicle transitions to the CACC & GA state. In the next monitor interval, if the communication quality to the vehicle in front improves further to the good-threshold, the vehicle transitions to the CACC state even if no packet is yet received from the LV. Note that the states in Figure 2 represent various levels of the degradation/upgradation cascade from which a set of contracts can be derived. 
The current controller and the current communication quality are considered as the assumptions in a contract, and the degraded or upgraded operation mode is the guarantee. We carry out rigorous simulation studies to define the degraded modes based on the levels of communication quality, and the results are presented in Sections VII and IX. The derived safety contracts then appear in Section X since the guarantees reflect some quantitative target values obtained from the simulation studies.
The good, fair, and poor communication quality thresholds are defined by the number of consecutive packet losses, i.e., the duration of the transient communication outage on a specific link. The occurrence of a communication outage which makes the communication quality transition from good to fair to poor on a particular link will depend on a multitude of factors, some of which are analyzed further in Section VII-D. Classifying the communication quality into different levels and assigning a degraded mode based on these levels is one of the core contributions of this paper. This approach prevents aggravated degradation and facilitates the possibility of returning to the original mode (upgradation) in a short time.
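The GDU transitions described above, written out as a small runnable model. This is an added example, not the paper's simulation code: the consecutive-loss thresholds are constructed values, and the rule that upgradation climbs one cascade level per monitoring interval (while degradation jumps directly to the supported state) is an assumption made here to reproduce the ACC to CACC & GA to CACC recovery sequence.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Quality(IntEnum):
    """Link quality levels, ordered so that '>' means 'better than'."""
    POOR = 0
    FAIR = 1
    GOOD = 2


class State(IntEnum):
    """GDU cascade levels, ordered from most degraded to most fuel-efficient."""
    ACC = 0
    CACC_GA = 1
    CACC = 2
    PLATOON_GA = 3
    PLATOON = 4


@dataclass
class Thresholds:
    """Consecutive-loss thresholds; constructed values, not taken from the paper."""
    good_max_losses: int = 2  # 0..2 consecutive losses -> good
    fair_max_losses: int = 5  # 3..5 -> fair, 6 or more -> poor


def classify(consecutive_losses: int, thr: Thresholds) -> Quality:
    """Map the current outage length on one link to good, fair or poor."""
    if consecutive_losses <= thr.good_max_losses:
        return Quality.GOOD
    if consecutive_losses <= thr.fair_max_losses:
        return Quality.FAIR
    return Quality.POOR


def required_state(c2l: Quality, c2f: Quality) -> State:
    """Most efficient state whose link requirements are met. The c2f link
    dominates: fair c2f forces CACC & GA and poor c2f forces ACC regardless
    of c2l; with good c2f, c2l decides PLATOON / PLATOON & GA / CACC."""
    if c2f == Quality.POOR:
        return State.ACC
    if c2f == Quality.FAIR:
        return State.CACC_GA
    return {Quality.GOOD: State.PLATOON,
            Quality.FAIR: State.PLATOON_GA,
            Quality.POOR: State.CACC}[c2l]


def gdu_step(current: State, c2l: Quality, c2f: Quality) -> State:
    """One monitoring interval: degrade straight to the supported state,
    upgrade one cascade level per interval (assumption of this example)."""
    target = required_state(c2l, c2f)
    if target < current:
        return target
    if target > current:
        return State(current + 1)
    return current


@dataclass
class LinkMonitor:
    """Tracks the length of the current outage on the c2l and c2f links."""
    thr: Thresholds = field(default_factory=Thresholds)
    losses: dict[str, int] = field(default_factory=lambda: {"c2l": 0, "c2f": 0})

    def observe(self, link: str, received: bool) -> Quality:
        """Record one expected packet (received or lost) and return the level."""
        self.losses[link] = 0 if received else self.losses[link] + 1
        return classify(self.losses[link], self.thr)


def run_gdu(intervals: list[tuple[bool, bool]],
            start: State = State.PLATOON,
            thr: Thresholds = Thresholds()) -> list[State]:
    """Replay (lv_received, front_received) per interval; return the state trace."""
    monitor = LinkMonitor(thr)
    state, trace = start, []
    for lv_rx, front_rx in intervals:
        c2l = monitor.observe("c2l", lv_rx)
        c2f = monitor.observe("c2f", front_rx)
        state = gdu_step(state, c2l, c2f)
        trace.append(state)
    return trace


# Constructed outage pattern: LV link down for 7 intervals with the front link
# up, then the front link down for 8 intervals, then both links up for 5.
SCENARIO = [(False, True)] * 7 + [(True, False)] * 8 + [(True, True)] * 5

if __name__ == "__main__":
    for step, s in enumerate(run_gdu(SCENARIO), start=1):
        print(f"interval {step:2d}: {s.name}")
```

Running the scenario shows the vehicle stepping PLATOON, PLATOON & GA, CACC as the c2l outage lengthens, falling to ACC once the c2f outage exceeds the fair threshold, and climbing back one level per interval once packets arrive again.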

V. EMERGENCY BRAKING STATES LEADING TO THE FAIL-SAFE STATE
In this section, the conditions for attaining a fail-safe state are first defined. Next, a state machine representing a general framework for emergency braking strategies is presented. Then the state-of-the-art braking strategies are analyzed in terms of the fail-safe conditions and their placement in the proposed state machine. Finally, the proposed Enhanced Synchronized Braking strategy is presented.

A. FAIL-SAFE CONDITIONS
An emergency braking strategy must fulfill two criteria: first, it must enable reaching a state which satisfies the conditions of being fail-safe. Second, it must be able to autonomously adjust to the changing quality of the wireless connectivity, e.g., by satisfying the communication requirements of States 5, 6, and 7 in Figure 1. We define the conditions for attaining the fail-safe state as follows:
1) The actual gap at a complete standstill must be $d_{i,stop} > 0$, i.e., no collisions have occurred between the vehicles even when the platoon completely stops.
2) Further, $d_L < d_{hazard}$, where $d_L$ is the stopping distance of the LV since the detection of the hazard and $d_{hazard}$ is the distance from the place where the hazard was detected to the actual hazard. This condition is to ensure that the hazard that triggered the emergency braking is avoided. It should be noted that whether or not the LV is able to fulfill the condition $d_L < d_{hazard}$ at all times depends on the distance to the hazard once it occurs or is detected. This in turn depends both on the sensors of the LV and the actual location of the occurrence of the hazard.
3) Finally, the whole platoon transitions to the safe state sufficiently fast.

B. STATE MACHINE FOR EMERGENCY BRAKING
In the Cruising States, depending on the quality of the connectivity, fuel efficiency, string stability, and safety have different priorities. However, safety is the only concern in the Emergency Braking states according to the fail-safe conditions defined above. To this end, in Figure 3, we propose a state machine that elaborates the Emergency Braking states in Figure 1 and serves as a general framework for different types of braking strategies. For convenience, the states of the state machine in Figure 3 are abbreviated depending on whether deceleration has been initiated or not, together with the availability of information about other vehicles. In the No deceleration, full information available (NDFI) state, full information on braking is available from the LV and the AVs regarding, e.g., the deceleration rate to be used, the distance to the hazard ($d_{hazard}$), when to start braking, the braking intention of the immediately preceding and following vehicles (AVs), etc. However, in the No deceleration, partial information available (NDPI) state, information from either the LV or the AVs is missing due to packet losses. Further, the No deceleration, only onboard information available (NDOI) state represents that information regarding the AVs is only available through sensors, and information from the LV and AVs communicated through V2V communications is missing. These three states, i.e., NDFI, NDPI, and NDOI, originate from the Cruising States 2, 3, and 4 of Figure 1 upon encountering a hazard. The vehicles have not started decelerating in the NDFI, NDPI, or NDOI states. The bottom three states in Figure 3 represent that deceleration has been initiated with either full (DFI), partial (DPI), or only onboard information (DOI) available.
The horizontal transitions between the states in Figure 3 depend on whether the information is available or missing from the LV and/or the AVs. Information is said to be missing when a vehicle does not receive packets from the LV and/or AVs for a period of time. The length of the period of time depends on the nature and severity of the hazard encountered and the braking strategy being pursued. The vertical transitions from the NDFI, NDPI, and NDOI states to the DFI, DPI, and DOI states, respectively, indicate the starting of the braking maneuver based on information received through V2V communications and/or onboard sensors. Moreover, suppose the vehicles receive instructions that braking is no longer needed. In that case, they can transition back to the NDFI, NDPI, or NDOI states and eventually to the Cruising States in Figure 1 again. Note that during emergency braking, which is event-driven, it could be the case that only one packet regarding the braking information is sufficient, unlike the Cruising States where periodic packets are likely required to maintain string stability which is of the essence here. However, with some braking strategies, how and when the platooning vehicles actually start emergency braking depends on whether the event-driven messages are received from the LV or from one or more adjacent vehicles.

C. STATE-OF-THE-ART BRAKING STRATEGIES
Next, we analyze several state-of-the-art braking strategies in terms of the fail-safe conditions and discuss in which states they fit in the state machine presented in Figure 3.
The most obvious and straightforward emergency braking strategy is that the FVs in a platoon perform emergency braking as soon as a hazard is detected (a DENM is received from the LV or the vehicle in front) [36]; we denote this as Normal Braking (NB). Performing emergency braking with a high deceleration rate as soon as a DENM is received can be problematic since, if we are in the DPI or DOI states in Figure 3, not all FVs may have received the DENM, especially since the inter-vehicle distances are longer in these states, which aids safety but worsens communication quality.
Magdici and Althoff [51] propose to increase the deceleration rate exponentially until the maximum deceleration rate is reached in a braking scenario. This control design helps to ensure that the inter-vehicle gap remains greater than a minimum safe distance at all times. However, the authors do not consider V2V communications, i.e., the strategy is designed for use with an ACC controller and the DOI state in Figure 3. Ligthart et al. [52] elaborate this gradual deceleration approach by formulating a collision avoidance controller mathematically in conjunction with a nominal CACC controller. Their simulation results demonstrate that emergency braking with gradual deceleration can avoid collisions in a two-vehicle platoon, while sudden full-deceleration cannot. The authors use a constant duration of gradual deceleration (0.2 s). As [51] is improved in [52] to be used in conjunction with the CACC controller where information from the AVs and onboard sensors is available, it is suitable for the DPI and DOI states, but not the DFI state. Note that the braking strategies in [51] and [52] are evaluated only in terms of collision avoidance in a two-vehicle braking scenario. However, in a longer platoon, the tail vehicles are more prone to collisions due to higher communication latency and propagation of errors in the downstream direction. The front-most vehicles would require decelerating slower to avoid such collisions, imperiling the second and third conditions of the fail-safe state.
In [11], the authors propose a Coordinated Emergency Brake Protocol (CEBP) in which the last vehicle brakes first and the lead vehicle brakes last. A platooning vehicle starts braking upon receiving an acknowledgment from its immediate successor only, i.e., using a successor following strategy. Miekautsch et al. [13] propose to adjust the communication topology in a platoon depending on the scenarios such as cut-in or emergency braking. The authors analyze collision avoidance and stopping distance of the LV using a reverse leader-predecessor following strategy, i.e., a vehicle receives its braking instructions from the last vehicle and the immediate FV. In both [11] and [13], emergency braking is initiated by the last vehicle. However, the last vehicle in the platoon is located furthest away from the LV and therefore, has the communication link with the lowest quality due to path loss and fading effects. This implies that it will more often be in the DOI state of Figure 3 unless instructions from the LV are forwarded by its successors, in which case a higher delay is instead experienced. In addition, the propagation of the braking message from the last vehicle to the LV incurs additional delay as the braking messages are required to be relayed by all the FVs, which also includes multiple transmission attempts in case of packet losses. Therefore, the stopping distance of the LV and the whole platoon can be considerably high with the braking strategies proposed in [11] and [13]. Another reason for a possible higher stopping distance with these braking strategies is that the first DENM received from the LV is not sufficient to start the braking maneuver; additional information from one or more adjacent vehicles is required, causing further delay. 
Considering the communication topology, the CEBP strategy [11] can be attributed to the DPI state in Figure 3 as braking starts when a packet is received from the immediate FV, whereas the reverse leader-predecessor following strategy [13] can be placed in the DFI state. However, it is not clear if and how these braking strategies can adjust autonomously to the communication requirements of the different states, especially if not all vehicles are in the same state.
Liu et al. in [45] and Fernandes and Nunes in [46] show that delaying the actions of the vehicles in a platoon for a short period can help achieve synchronization, which leads to string stability in the cruising states. Murthy and Masrur also use the concept of delayed action for achieving synchronization [10], [18]; however, in the context of emergency braking rather than string stability. The authors propose that all vehicles in a platoon should wait for 20 ms before braking simultaneously. Such simultaneous braking facilitates a high deceleration rate, reducing the stopping distance of the LV and the whole platoon. However, the assumption of a 20 ms waiting time before braking is based only on controller feedback delay, but the possibility of time-varying communication delay is not considered. In [19], we evaluate the effects of delayed actions in the context of platoon emergency braking using IEEE 802.11p, which is the basis for both the U.S. standard DSRC and the EU standard ITS-G5. As both channel quality and channel access delay are unpredictable with IEEE 802.11p [34], rather than using a fixed period, we instead propose to continuously monitor the communication latency and use the obtained average latency as the waiting period after which all the platooning vehicles should perform Synchronized Braking (SB) in the event of a hazard. In [19], we performed simulation studies to demonstrate how SB can be used in conjunction with the PLATOON, CACC, and ACC controllers to avoid collisions but still enable a high deceleration rate which reduces the stopping distance of the LV. The SB strategy can be adjusted to the communication requirements of the DFI and DPI states in Figure 3 as the waiting time varies with the level of communication delay. It can also be used in the DOI state if the vehicles have been made aware of the hazard, as the waiting period based on the long-term average delay can be calculated and stored locally. However, in a dense data and road traffic scenario with high communication delay, the waiting period required in SB can lead to a long stopping distance despite the high deceleration rate it facilitates, which contradicts the second condition of a fail-safe state.
The braking strategies discussed above mainly focus on homogeneous platoons, i.e., the physical properties and dynamics of all the vehicles are the same. Emergency braking in a heterogeneous platoon has also received significant research attention. For instance, Zheng et al. in [14], [53] propose that the last vehicle in a platoon should brake at the highest deceleration rate, and the rate should gradually decrease in the upstream direction. The authors conduct experimental studies under the assumption that braking is performed manually by the human drivers; hence, this braking strategy does not exactly fit in the state machine in Figure 3 that assumes automated braking. However, it should also be noted that a human driver would brake differently given full, partial, or no information available about the hazard and the strategies of the other drivers. Murthy and Masrur propose the law of the weakest, i.e., the whole platoon should tune its maximum deceleration to the one with the weakest braking capacity [54]. As the authors use predecessor following communication topology, the law of the weakest strategy can be placed in the DPI or the DOI state in Figure 3. Thunberg et al. propose an analytical model that determines a feasible region of communication latency within which the platooning vehicles are guaranteed to perform safe braking [55]. Sidorenko et al. in [56] present a mathematical model to determine the minimum safe distance between two vehicles that are required to perform safe braking in a multi-brand platoon. In both [55] and [56], the authors consider leader following communication topology, i.e., partial information available; hence, these works can be attributed to the DPI and DOI states in Figure 3.
If different platoon members are in different Cruising States when a hazard occurs, they may learn about the hazard at different times, either through V2V communications or through distance sensors when communication is not sufficient. A good emergency braking strategy should take this into account by continuously adjusting the deceleration rates to the state of the ego vehicle and to the reported states of the other platooning vehicles. Considering the benefits and drawbacks of the different emergency braking strategies outlined above together with the criteria that an emergency braking strategy must enable, i.e., fulfilling the fail-safe conditions in Section V-A and adjusting to the instantaneous communication quality as outlined in Figure 3, we propose an improvement of the previously suggested SB strategy which is presented below.

D. ENHANCED SYNCHRONIZED BRAKING TO ATTAIN THE FAIL-SAFE STATE
In this paper, we propose the Enhanced Synchronized Braking (ESB) strategy to further improve the SB strategy proposed in [19]. With SB, all vehicles wait a predefined period of time (τ_wait) before braking all at once (synchronized) at a much higher deceleration rate than what would otherwise be possible given the short inter-vehicle distances. This enables using a higher deceleration rate, which in most cases leads to a reduced stopping distance of the LV. However, our research shows that τ_wait can be considerably higher in dense data and road traffic scenarios, which instead can increase the stopping distance of the LV, imperiling the second condition of the fail-safe state, i.e., d_L < d_hazard. To circumvent this, with the ESB strategy all platooning vehicles except the last one instead perform soft-braking immediately upon receiving a DENM. Once the agreed waiting time τ_wait has passed, full deceleration is performed synchronously. Unlike with SB, the last vehicle in the platoon does not wait until τ_wait has passed before acting: it brakes at full deceleration as soon as it receives a DENM. The ESB strategy is represented by a flowchart in Figure 4.
With the ESB strategy, the LV starts soft-braking as soon as it detects a hazard and broadcasts DENMs. The DENMs are constructed according to the specifications of the ETSI DEN basic service [28]. Among other data, the DENMs contain τ_wait and detectionTime, which specify the waiting time before full deceleration and the event detection time, respectively. Moreover, upon detecting a hazard, the LV starts the T_O_Validity and T_Repetition timers, which signify the validity duration of the DENMs and the DENM repetition interval. The LV broadcasts DENMs at an interval of T_Repetition until the T_O_Validity timer expires. However, the LV can reset the T_O_Validity timer in case it detects the absence of hazards or learns that the hazard duration has increased. According to the ETSI DEN basic service [28], the T_O_Validity timer is set to 600 s from the event detectionTime by default. The LV starts full deceleration when its τ_wait timer expires. The FVs learn about the τ_wait time from the LV upon receiving a DENM. Although different FVs can receive the DENMs at different times, the synchronization of the full-deceleration action is performed using the detectionTime (event detection time). Here, note that we assume that the clocks of the platooning vehicles are synchronized. Each vehicle, except the last vehicle, starts full deceleration at detectionTime + τ_wait, given that it received any DENM successfully. The soft-braking is not synchronized, i.e., the vehicles start soft-braking immediately upon reception of a DENM. However, during asynchronous soft-braking, the following vehicle using ESB has more time to react to the predecessor's speed change than when using SB, due to the slow deceleration. As a result, the following vehicle can start soft-braking using the radar sensor even if it has not yet received a DENM. Compared to an immediate full deceleration, the same vehicle would not have enough time to react using the radar sensor only, unless the inter-vehicle distance is sufficiently large [19].
In the context of the state machine proposed in Figure 3, the vehicles using the ESB strategy stay in the NDFI, NDPI, or NDOI states until braking information is received via V2V communications and/or sensors. Next, the vehicles transition to the DFI, DPI, or DOI states, which include both the soft-braking and the full deceleration. Different vehicles can be in different states during soft-braking, e.g., in DFI, DPI, or DOI. However, switching to full deceleration requires the vehicles to be in either DFI or DPI. If no DENM has been received, a vehicle will simply adjust its distance to the vehicle in front. We note that as the inter-vehicle distances reduce during soft-braking, the communication quality improves, as does the likelihood of receiving a DENM. We also note that as the detectionTime (event detection time) is included in the DENM, a vehicle that receives a DENM will know exactly when to start braking hard. With proper selection of the deceleration rates, the ESB strategy can therefore be used in all three states NDFI, NDPI, and NDOI, in contrast to the SB strategy, which is problematic if some vehicles are in the NDOI state.
It should be noted that the soft braking proposed in this paper is different from the gradual deceleration proposed in [51] and [52]: a very low deceleration rate, e.g., −2 or −3 ms⁻², is maintained during the waiting period using ESB, whereas with gradual deceleration, the deceleration rate increases exponentially until the maximum deceleration is reached. This has several benefits, as we will see in the simulations conducted for the performance evaluation of the ESB strategy in Section VIII. Note that in the simulations, we consider homogeneous braking capabilities of the vehicles under the assumption that all the platooning vehicles tune their deceleration rates to the vehicle with the weakest braking capacity, as proposed by Murthy and Masrur in [54]. Also, external disturbances, e.g., wind drag force, rolling resistance, variation in road slope, or vehicle mass, are not considered in the evaluation.
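The following Python script is an added example, not code from the paper's CEB module or the Plexe framework. It encodes the DENM-driven decision rules of NB, SB, and ESB described in this section for a seven-vehicle platoon and evaluates them with the three fail-safe metrics (minimum inter-vehicle gap, stopping distance d_L of the LV, and total time to stop). The DENM reception times, τ_wait = 0.6 s, the −2 and −8 ms⁻² rates, and the 0.3 s radar lag are constructed or assumed values; the radar fallback is simplified to copying the predecessor's deceleration after that lag, so T_O_Validity, T_Repetition, and the controller dynamics of Plexe are not modelled.

```python
"""Kinematic comparison of the NB, SB and ESB emergency-braking rules.

Added example (not the paper's code): a discrete-time model of a platoon in
which each vehicle learns about the hazard either from a DENM, at a constructed
reception time, or from its radar, modelled as copying the predecessor's
deceleration after a fixed lag. Gaps are bumper-to-bumper; a negative gap is a
collision (no contact dynamics, vehicles simply pass through each other).
"""

V0 = 100 / 3.6      # cruising speed, m/s (100 km/h as in the paper's simulations)
A_FULL = 8.0        # full deceleration magnitude, m/s^2 (paper: -8 m/s^2)
A_SOFT = 2.0        # ESB soft-braking magnitude, m/s^2 (paper: -2 or -3 m/s^2)
T_DETECT = 0.0      # detectionTime carried in the DENM: hazard detected at t = 0
T_WAIT = 0.6        # tau_wait carried in the DENM (assumed value)
RADAR_DELAY = 0.3   # assumed sensing + actuation lag of the radar fallback, s
DT = 0.01           # integration step, s

# Constructed first-DENM reception time per vehicle (V0 is the LV, which
# generates the DENM itself); None would mean "never received".
RX_TIMES = [0.0, 0.1, 0.1, 0.2, 0.4, 0.55, 0.9]


def denm_command(strategy, i, n, t, rx):
    """Deceleration (m/s^2) that the DENM logic of vehicle i requests at time t."""
    if rx is None or t < rx:
        return 0.0                          # hazard not yet known via V2V
    full_at = T_DETECT + T_WAIT             # synchronized full-deceleration instant
    if strategy == "NB":
        return A_FULL                       # brake hard as soon as the hazard is known
    if strategy == "SB":
        return A_FULL if t >= full_at else 0.0   # wait, then brake hard together
    # ESB: the last vehicle brakes hard at once, the others soft-brake until full_at
    if i == n - 1 or t >= full_at:
        return A_FULL
    return A_SOFT


def simulate(strategy, gap, rx_times=RX_TIMES, horizon=20.0):
    """Run one braking scenario and return the fail-safe metrics."""
    n = len(rx_times)
    pos = [-i * gap for i in range(n)]      # V0 at the origin, followers behind it
    vel = [V0] * n
    history = [[] for _ in range(n)]        # commanded deceleration per step
    delay_steps = round(RADAR_DELAY / DT)
    min_gap = [gap] * n
    stop_time = [None] * n
    for k in range(int(horizon / DT)):
        t = k * DT
        cmds = []
        for i in range(n):
            cmd = denm_command(strategy, i, n, t + 1e-9, rx_times[i])
            if i > 0 and k >= delay_steps:
                # radar fallback: react to what the predecessor did RADAR_DELAY ago
                cmd = max(cmd, history[i - 1][k - delay_steps])
            cmds.append(cmd)
        for i in range(n):
            history[i].append(cmds[i])
            v_new = max(0.0, vel[i] - cmds[i] * DT)
            pos[i] += 0.5 * (vel[i] + v_new) * DT   # trapezoidal integration
            vel[i] = v_new
            if v_new == 0.0 and stop_time[i] is None:
                stop_time[i] = t + DT
            if i > 0:
                min_gap[i] = min(min_gap[i], pos[i - 1] - pos[i])
        if all(v == 0.0 for v in vel):
            break
    stopped = [s for s in stop_time if s is not None]
    return {
        "d_L": round(pos[0], 2),                # stopping distance of the LV
        "t_total": round(max(stopped), 2) if len(stopped) == n else None,
        "min_gap": [round(g, 2) for g in min_gap[1:]],  # per follower V1..V6
        "collision": min(min_gap[1:]) < 0.0,
    }


if __name__ == "__main__":
    for gap in (5.0, 10.0):
        for strategy in ("NB", "SB", "ESB"):
            r = simulate(strategy, gap)
            print(f"gap {gap:4.1f} m  {strategy:3s}  d_L={r['d_L']:6.2f} m  "
                  f"t_total={r['t_total']} s  min_gap={r['min_gap']}  "
                  f"collision={r['collision']}")
```

With the constructed reception times and a 5 m gap, the run shows the ordering d_L(NB) < d_L(ESB) < d_L(SB): ESB recovers part of the waiting period that SB spends cruising. Followers that receive their DENM before detectionTime + τ_wait stay collision-free with both SB and ESB (ESB gives up a few decimetres during the unsynchronized soft phase), whereas the vehicle whose DENM only arrives after the synchronized instant loses about V0 × 0.3 s ≈ 8.3 m in every strategy, i.e., the radar fallback alone needs a gap of at least speed × reaction lag, consistent with the remark on [19] above; at a 10 m gap no strategy collides in this model.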

VI. SIMULATION SCENARIO, SETTINGS, AND EVALUATION CRITERIA
In this section, the evaluation metrics to analyze the Cruising, Emergency Braking, and Fail-Safe states are first defined. After that, we describe the simulation settings and traffic scenarios.

A. EVALUATION CRITERIA
The following criteria are used to evaluate the platoon performance in terms of fuel efficiency, string stability, and safety:
• Minimum inter-vehicle distance d_i,min: The minimum gap between any pair of vehicles while cruising or after the platoon completely stops must be greater than zero, i.e., d_i,min > 0 m. We assume that the maintained gap at a complete standstill is irrelevant as long as collision is avoided (from a fail-safe point of view). This is to evaluate the first condition in both the fail-safe and the fail-operational states.
• Stopping distance of the LV (d_L): The distance traversed by the lead vehicle from the time it detects a hazard until it comes to a complete standstill. This is to evaluate if the state fulfills the second condition of being fail-safe, d_L < d_hazard.
• Total time to stop (t_total): The total time required by the whole platoon to come to a complete standstill. This metric assesses the third condition of the fail-safe state.
• Inter-vehicle distance during cruising: The inter-vehicle distance measured between any pair of vehicles while cruising must be less than a threshold to enable fuel efficiency. The inter-vehicle distance should always be greater than zero to ensure safety, see above. To be string stable, a controller should attenuate the spacing variations from the head to the tail of a platoon.
• Speed profiles: The speed profiles of the platooning vehicles can be used to evaluate string stability and fuel efficiency by analyzing the variation of speed and tracking error with respect to the LV.
The following criteria are used to evaluate the communication quality:
• good, fair, and poor thresholds: This metric defines the number of packet losses that should be attributed to the good, fair, and poor communication thresholds to control the state switching in Figures 1 and 2 during cruising of a platoon. Hence, they are also needed to evaluate the third condition of being fail-operational. These thresholds can also be expressed in terms of the duration of temporary communication outages. For instance, poor = 4 implies that a vehicle did not receive any CAM for the last 400 ms, given that the CAM update frequency is 10 Hz.

B. SIMULATION SETTINGS AND TRAFFIC MODEL
To facilitate the evaluation of the states and the transitions between them in Figure 1, we have extended the Plexe simulator [48]. Plexe is an OMNeT++-based simulator that is built on top of Veins [57], which is a VANET simulator. In addition, Plexe extends the road traffic simulator SUMO [58] to provide realistic traffic models, vehicle dynamics, and controller implementations, e.g., PLATOON [25], CACC [41], ACC [38]. A SUMO vehicle in the Plexe simulator has a corresponding node in OMNeT++, and they communicate through the TraCI interface [59], a Transmission Control Protocol (TCP) based client/server interface. As an extension of the Plexe simulation framework, we have developed two separate modules named Runtime Manager (RTM) and Cooperative Emergency Braking (CEB). The RTM module is responsible for performing the switching between the states in the GDU method (see Figure 2) based on the experienced communication quality, whereas the selected emergency braking strategies, e.g., Normal Braking (NB), SB, and ESB, are implemented in the CEB module. These two modules can be activated together or separately to evaluate emergency braking strategies without activating the GDU method or vice versa. This helps us compare and contrast the braking strategies independently of the GDU method as well as together with it. A platoon of seven vehicles is simulated (the LV and last vehicle indices are V_0 and V_6, respectively). The platooning vehicles are inserted into the simulation at 1 s, and they reach the desired CDG or CTG 50 s into the simulation time. Further, 400 non-platooning vehicles are inserted in three additional left lanes to generate a challenging road and data traffic scenario, inducing the high communication delays required for evaluating the robustness of the proposed GDU method and the ESB strategy. The non-platooning vehicles are injected 50 s into the simulation time with different initial positions and 50 m inter-vehicle distances so that the platoon is in the interference range of the maximum number of neighboring vehicles; this is to avoid edge effects on the simulation results. In order to consider high-speed vehicles, all the simulations carried out in this paper use a speed of 100 kmh⁻¹ for both the platooning and non-platooning vehicles. The channel models used to account for the path loss and fading effects are the free space path loss model with α = 2 and the Nakagami-m fading model with m = 1.86, respectively. Cheng et al. in [60] report that fading due to increasing vehicle separations can be modeled by a Nakagami distribution, and the free space model with path loss exponent α = 2 can be used to represent the line-of-sight propagation of signals in a freeway scenario [16]. The values of the parameters α and m are chosen to represent an outdoor freeway environment such as the one considered in this paper. The IEEE 802.11p and IEEE 1609.4 models that the Plexe simulator inherits from the Veins simulator simulate the PHY and MAC layers. Parameters such as transmit power, sensitivity, thermal noise, frequency band, etc., follow the IEEE 802.11p standard specifications [61]. As discussed before, the values of the controller parameters are taken from the literature, e.g., [26], [46], [48]. Table 1 summarizes the simulation parameters used in this research.
In this paper, we first conduct simulation studies with the RTM module based on the parameter values suggested in the literature. Then the efficacy of the proposed GDU method is evaluated by considering even shorter time gaps than what is suggested in the literature. Moreover, rigorous simulations have been performed with various fair and poor thresholds to understand their effects on the fail-operational and emergency braking states in platooning. Moreover, the simulations have been carried out for various CTGs used by the ACC and CACC controllers and CDGs used by the PLATOON controller. Table 2 presents a conversion table that shows CTGs in meters for various speeds. During emergency braking, the speed and the deceleration rate play crucial roles in collision avoidance and stopping distance. In the simulations performed in this paper, we consider a high speed (100 kmh⁻¹) and a strong deceleration rate (−8 ms⁻²) to test the braking strategies in a challenging scenario. To this end, we simulate two scenarios, denoted sinusoidal scenario and braking scenario:
• Sinusoidal scenario: The LV oscillates at a frequency of 0.2 Hz with an amplitude of 10 kmh⁻¹ for 100 s, and the FVs try to follow the LV according to the control law. The purpose of oscillating is to introduce periodic acceleration and deceleration on the LV motion to evaluate how well the FVs can track the leader under such disturbances [40].
• Braking scenario: The LV initiates emergency braking upon detecting an imaginary road hazard 70 s into the simulation time.
In the subsequent sections, the efficacy of the proposed GDU method and the ESB strategy in maintaining fail-operational and fail-safe states is first evaluated independently using the RTM and CEB modules; then, they are evaluated together.

TABLE 2. Inter-vehicle gaps in meters for various CTGs and speeds. This is applicable for ACC and CACC controllers that rely on CTG policy.

VII. EVALUATION OF THE CRUISING STATES
This section begins with the evaluation of the PLATOON, CACC, and ACC controllers in terms of fuel efficiency, string stability, and Lead Vehicle (LV) tracking ability. Next, the simulation results related to the cruising of a platoon or vehicle string without activating the RTM module are presented. Then the GDU method proposed in this paper is analyzed using the RTM module. The aim is to understand the efficiency of the GDU method in maintaining fail-operational states for various fair and poor communication thresholds. Moreover, the evaluation results regarding the fair and poor communication thresholds that dictate the transition between the cruising states are presented in this section as well. In our previous work [5], we showed how the RTM governs the switching between different controllers to avoid collisions for some selected fair and poor thresholds.

A. EVALUATION OF FUEL EFFICIENCY AND STRING STABILITY
Recall from Section III that fuel efficiency, string stability, and safety are the primary goals of State 2 in Figure 1, that string stability and safety are the main focus in State 3, and finally, that safety is the key concern in State 4. Fuel efficiency is evaluated under the assumption that the controller facilitating the shortest longitudinal gap enables the highest fuel efficiency. This is motivated by the fact that the longitudinal gap between the vehicles is one of the major influencing factors on fuel efficiency [62]. Therefore, shorter gaps enable higher fuel efficiency due to the reduction of aerodynamic drag. In addition, when the FVs in a platoon experience tracking error with respect to the LV due to its speed variation, the resultant uneven inter-vehicle gaps may affect the overall fuel efficiency in the platoon. To this end, we examine the speed profiles of the vehicles in a sinusoidal scenario to evaluate the string stability, fuel efficiency, and LV tracking ability of the FVs. Figure 5 shows the speed profiles of the vehicles using the sinusoidal scenario with inter-vehicle distances obtained from the literature, i.e., ACC CTG = 1.2 s (35.35 m at 100 kmh⁻¹), CACC CTG = 0.5 s (15.89 m at 100 kmh⁻¹), and PLATOON CDG = 5 m. The results of one representative simulation run are presented for brevity. Note that the RTM module is not activated here because we are interested in the performance of the different control algorithms. The speed profiles with the ACC controller show that the FVs can attenuate the speed variations of the LV, i.e., the platoon exhibits string stability when a 1.2 s time gap is maintained. However, for shorter time gaps than 1.2 s, the ACC controller does not demonstrate string stability [25], [26]. Although the ACC controller exhibits string stability with a 1.2 s time gap, the ability of the FVs to track the LV diminishes in the downstream direction of the vehicle string. Moreover, the last vehicle has at least one complete cycle of phase lag compared to the LV due to the amplification of the sensor detection, processing, and actuation delays from the head to the tail of the vehicle string. Therefore, the ACC controller exhibits string stability when the gap is 35.35 m at 100 kmh⁻¹ but demonstrates lower fuel efficiency and LV tracking ability. This situation is somewhat alleviated when the CACC controller is used, as V2V communication is then added to the ACC controller. During the first 50 s, there is no interference from the non-platooning vehicles. As a result, the vehicles exhibit string stable behavior for the first 50 s. However, the speed error is amplified downstream when non-platooning vehicles start generating interference (during the period 50-100 s), causing high communication delays. Despite this, it is still better than ACC in terms of LV tracking and phase lag. The vehicles exhibit highly string stable behavior with the PLATOON controller when there is no interference from the non-platooning vehicles, as can be seen by the speed of the vehicles for the first 50 s with the PLATOON controller. However, also in this case, the string stability of the rear vehicles eventually diminishes due to long channel access delays and packet drops induced by the data traffic of the neighboring vehicles (50-100 s). A closer look at the speed profiles between 50-100 s reveals that the tail vehicles in the platoon experience more tracking error and string instability with respect to the LV compared to the vehicles in the head of the platoon. Such situations are more hazardous with the PLATOON controller than with the CACC controller because we use a considerably shorter inter-vehicle gap with the PLATOON controller (5 m), which means less time to react in case of speed changes.
In such a scenario, the GDU method, if in use, would instruct the tail vehicles to increase the gap to the vehicle in front or switch to the CACC or ACC controller based on the experienced communication quality with the LV and the preceding vehicle. However, the front vehicles which experience good or fair communication quality with the LV would use the PLATOON controller to facilitate better fuel efficiency, string stability, and LV tracking. The idea of the GDU method is that all the platooning vehicles do not need to adopt a less fuel-efficient and less string-stable controller when only the last one or two vehicles experience poor communication quality.
Based on the simulations, we can conclude that the PLATOON controller is more fuel-efficient, string stable, and exhibits better LV tracking ability than the CACC and ACC controllers. However, the PLATOON controller has high requirements on the attainable communication quality in order to maintain sufficient safety. The communication quality with the LV is essential, especially if braking should be necessary, as the inter-vehicle gaps are small. Next, we evaluate the safety aspects of the different controllers, which is the top priority in all the states in Figure 1.

B. EVALUATION OF SAFETY WITHOUT STATE SWITCHING
In this part, we focus on evaluating the safety of the PLATOON, CACC, and ACC controllers by examining their inter-vehicle distances in the sinusoidal scenario to see if the benefits in terms of fuel efficiency from Figure 5 are obtained at the expense of safety. Figure 6(a) presents the platooning vehicles' distance profiles using the PLATOON controller with 5 m CDG and no RTM in play, following the sinusoidal scenario. Five simulation runs with different seeds are shown for the same scenario. In three out of the five runs, the last vehicle in the platoon undergoes collisions: in runs no. 1, 2, and 4, the collisions happen at 80, 70, and 96 s of the simulation time. The main reason for the collisions is the communication delays due to packet drops and channel access delays caused by the many neighboring vehicles used in the simulation setting. Moreover, the last vehicle experiences the highest delay due to path loss and fading effects as it is the farthest away from the LV. As the vehicles are using the PLATOON controller and the weighting factor C_1 is 0.5 (see Equation (5)), the platoon's following vehicles require CAMs from the LV to continue platooning. An average of 100 simulation runs shows that the last vehicle experiences a 432.97 ms delay in this scenario (these results are not presented here for brevity). In this case, the logical thing would be to increase the gap and use a predecessor following strategy (C_1 = 0) like the CACC controller. For instance, the vehicles do not collide under the same network load when the CACC controller is used with a 0.5 s CTG, i.e., 15.89 m at 100 kmh⁻¹ (see Figure 6(b)). This is precisely what the GDU method does; it monitors the LV's and the front vehicle's communication quality and chooses an appropriate controller or gap adjustment during runtime. Our simulations also show that there are no collisions when using the ACC controller when longer CTGs are used, e.g., 1.2 s. In [26] and [25], the authors also show that a vehicle string can avoid collisions during cruising with 1.2 s CTG using the ACC controller (35.35 m gap at 100 kmh⁻¹ speed).
In order to provide an acceptable trade-off between fuel efficiency and safety, it is necessary to allow switching between different controllers, given the instantaneous communication quality. Moreover, it is important to allow different vehicles to be in different states based on the information at hand. The PLATOON controller is sufficiently safe as long as updated data from the LV is available, but this may not be the case for the last vehicle in the platoon in a dense data traffic scenario. Still, this should not prevent vehicles located closer to the LV from selecting a fuel-efficient controller.

C. EVALUATION OF PERFORMANCE WHEN ALLOWING AUTONOMOUS SWITCHING BETWEEN STATES
The same scenario as in Figures 5 and 6 is now simulated with the RTM module (implying that autonomous switching between the PLATOON, CACC, and ACC controllers can be made) for various combinations of fair and poor thresholds, see Figure 7. This section thereby addresses RQ1. More specifically, we chose 13 combinations of (fair, poor) thresholds, taking the Cartesian product of the sets A = {1, 2, 3, 4} and B = {3, 4, 5, 6} such that fair < poor. Recall from Table 1 that the CAM frequency is 10 Hz; hence, the (fair, poor) thresholds, e.g., (2, 5), can be translated into temporary communication outages of 200 and 500 ms, respectively.
The RTM uses ACC CTG = 1.2 s, which corresponds to 35.35 meters at 100 kmh⁻¹, CACC CTG = 0.5 s, which is 15.89 meters at 100 kmh⁻¹, and PLATOON CDG = 5 m, and switches between them based on the communication quality. Moreover, in the Gap Adjustment (GA) states, the gaps are increased or decreased by 25% of the original gaps. For brevity, the speed and distance profiles of all the combinations of fair and poor thresholds are not presented here. Our simulations show that the RTM can successfully help the platoon avoid collisions during cruising for all 13 combinations. Let us first look at the inter-vehicle distance profiles in Figure 7. It is evident that the collision cases shown in Figure 6(a) with a PLATOON controller are avoided here when GDU is applied. The reason is that when the vehicles experience temporary communication outages for the duration dictated by the selected fair or poor thresholds, they adjust the gaps or switch to the CACC or ACC controller based on the rules defined in the state machine in Figure 2. Moreover, recall that we may also keep the same controller but increase the inter-vehicle distance, i.e., the intermediate states with GA, as proposed in Figure 2. These gap adjustments can be made with higher or lower granularity to maintain better string stability and/or fuel efficiency. The size of the GA can also be adjusted depending on the selected update rate of the communicated packets (the CAM rate), as this affects the fair and poor threshold values. Note that the CAM update rate can change with, e.g., the mobility parameters of the vehicles or when the Decentralized Congestion Control (DCC) mechanism [63] instructs the vehicles to update the CAM frequency. For an ego vehicle to be able to detect the packet losses with its predecessor and the LV, the platooning vehicles should include their currently used packet update rates in the CAMs.
The simulation results suggest that the RTM is very robust in terms of collision avoidance in the fail-operational states for all choices of fair and poor threshold values. This is because the RTM decentralizes the platoon such that even when exposed to transient errors, it ascertains the appropriate control law for the individual platooning vehicles based on their respective communication qualities. However, to attain good fuel efficiency and string stability, the choice of fair, poor thresholds matters.
We can see that even if the selected inter-vehicle distances for the different controllers and the thresholds used for deciding when to change states are not optimized, the platoon vehicles still manage to attain better fuel efficiency without compromising safety when allowing autonomous switching between states using the state machine we propose. The PLATOON controller is attractive to use because its speed profiles and inter-vehicle distances enable efficiency, but unfortunately, it is not sufficiently safe during transient communication outages. The ACC controller, in turn, is not fuel-efficient and thereby does not add many benefits except driver offload, despite adding complexity. Using the GDU and allowing the communication quality to be classified with better granularity, as opposed to the traditional way of declaring it as working or failed, provides significant gains. However, it should be noted that too frequent changes to the vehicle speed are also not fuel-efficient, even if the inter-vehicle gaps are small. Hence, next, we attempt to determine to what extent the selected levels of the fair and poor thresholds affect the performance.

D. IMPACTS OF FAIR, POOR THRESHOLDS ON STRING STABILITY AND FUEL EFFICIENCY
The same scenario as in Figure 7 is used to analyze the impacts of the fair and poor thresholds. This section thereby addresses RQ2.
The speed profiles in Figure 7 demonstrate that the tail vehicles, i.e., V_5 and V_6, undergo frequent state switching when the (fair, poor) thresholds are (1, 3) and (2, 3). When the fair threshold is small, e.g., outage for 100 or 200 ms, which is likely to happen rather frequently, the vehicles increase the gap to their respective front vehicles more frequently while in the PLATOON and CACC states. Also, due to small poor thresholds, e.g., outage for 300 ms, the vehicles switch between PLATOON and CACC controllers more frequently. It should be noted that too frequent state switching causes the inter-vehicle gaps to change frequently, which is less fuel efficient and less string stable, e.g., the rear vehicles' gaps toggle between 10-15 m in Figure 7. We can prevent too frequent state switching by increasing the (fair, poor) thresholds. For instance, the platooning vehicles exhibit better string stability and LV tracking for the thresholds (2, 6), (3, 5), (3, 6), (4, 5), and (4, 6); see the speed profiles in Figure 7. The corresponding distance profiles show that the inter-vehicle gaps are between 5-10 m for all except the last two vehicles. This implies that the tail vehicles are less fuel-efficient, which is acceptable since safety takes precedence over fuel efficiency. The tail vehicles in the platoon have longer gaps due to experiencing poor communication quality with the LV. Hence, the tail vehicles toggle between the CACC and CACC & GA states most of the time. On the contrary, vehicles V_1 and V_2 in the platoon (d_1 and d_2 in the distance profiles) maintain short inter-vehicle gaps during the entire time when the fair and poor thresholds are higher. The reason is that the front vehicles have fair or good communication quality with the LV, which is required to use the PLATOON controller. V_3 and V_4 can also maintain comparatively shorter distances for higher thresholds for the same reason.
To better understand how the RTM governs switching between the states in Figure 2, let us take a closer look at the distance profiles of vehicle 6 (d_6) with thresholds (2, 3) and (4, 6). Figure 2 dictates that a vehicle should adopt the PLATOON & GA state when c2l is fair and c2f is good. To this end, vehicle 6 upgrades its performance by adopting the PLATOON & GA state, and d_6 becomes 6.25 m at around 73 s, continuing until 78 s. Then communication with the LV becomes poor again, and vehicle 6 increases its gap to degrade its performance in order to prioritize safety over fuel efficiency by adopting the CACC state. Notice that the tail vehicles in Figure 7 do not maintain a stable distance in one particular state due to frequent state switching caused by the time-varying communication quality. We also note that with a higher poor threshold, the platooning vehicles rarely transition to the ACC state as it requires a higher number of packet losses with respect to the vehicle in front. For this reason, we do not see the inter-vehicle gaps reaching up to 35.35 m, which is the gap considered for the ACC controller in the simulations of Figure 7. This indicates that the thresholds should possibly be selected or adjusted based on a vehicle's position within the platoon.
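The following Python script is an added example, not the paper's RTM module, illustrating the threshold-driven state selection discussed in Sections VI-A, VII-C, and VII-D. It counts consecutive missed CAMs from the LV (c2l) and from the preceding vehicle (c2f), classifies each link as good, fair, or poor against the (fair, poor) thresholds, and selects a cruising state with a 25% gap adjustment in the GA states. The rule table, the reset of the loss counter on any received CAM, and the 3 s reception log of a tail vehicle are assumptions or constructed data chosen to be consistent with the transitions described above (e.g., PLATOON & GA with a 6.25 m gap when c2l is fair and c2f is good); the gaps at 100 kmh⁻¹ are the values used in the simulations.

```python
"""Rule-based state selection of a Runtime Manager from CAM loss counts.

Added example, not the paper's RTM module. Consecutive missed CAMs from the
LV (c2l) and from the preceding vehicle (c2f) are classified against the
(fair, poor) thresholds and mapped to a cruising state. The rule table and the
reset-on-reception counter are assumptions that reproduce the transitions the
text describes; the reception log is constructed.
"""

CAM_PERIOD_MS = 100                 # 10 Hz CAM rate (Table 1): one loss = 100 ms outage
GA_FACTOR = 1.25                    # gap adjustment (GA): +25 % of the original gap
BASE_GAP_M = {                      # gaps at 100 km/h used in the simulations
    "PLATOON": 5.0,                 # CDG 5 m
    "CACC": 15.89,                  # CTG 0.5 s
    "ACC": 35.35,                   # CTG 1.2 s
}


def quality(consecutive_losses, fair, poor):
    """Classify a link from the number of consecutive missed CAMs."""
    if consecutive_losses >= poor:
        return "poor"
    if consecutive_losses >= fair:
        return "fair"
    return "good"


def select_state(c2l, c2f):
    """Assumed rule table (c2l: link to the LV, c2f: link to the front vehicle)."""
    if c2f == "poor":
        return "ACC"                    # sensor-only following
    if c2l == "poor":
        return "CACC & GA" if c2f == "fair" else "CACC"   # predecessor following
    if c2l == "fair" or c2f == "fair":
        return "PLATOON & GA"           # keep PLATOON, open the gap (6.25 m)
    return "PLATOON"


def desired_gap(state):
    """Target gap in metres, including the 25 % adjustment for GA states."""
    controller = state.split(" & ")[0]
    gap = BASE_GAP_M[controller]
    return round(gap * GA_FACTOR if state.endswith("GA") else gap, 2)


def run_rtm(lv_cams, front_cams, fair, poor):
    """Replay per-period reception flags ('R' received, 'L' lost) and return
    a list of (time_ms, c2l, c2f, state, gap_m) decisions."""
    assert len(lv_cams) == len(front_cams) and fair < poor
    lost_lv = lost_front = 0
    trace = []
    for k, (lv, front) in enumerate(zip(lv_cams, front_cams)):
        lost_lv = 0 if lv == "R" else lost_lv + 1        # assumption: reset on any CAM
        lost_front = 0 if front == "R" else lost_front + 1
        c2l = quality(lost_lv, fair, poor)
        c2f = quality(lost_front, fair, poor)
        state = select_state(c2l, c2f)
        trace.append((k * CAM_PERIOD_MS, c2l, c2f, state, desired_gap(state)))
    return trace


def count_switches(trace):
    """Number of state changes, which Section VII-D wants to keep low."""
    return sum(1 for prev, cur in zip(trace, trace[1:]) if prev[3] != cur[3])


# Constructed 3 s reception log of a tail vehicle: the LV link suffers bursts
# of losses (path loss, channel load); the link to the front vehicle is better.
LV_CAMS = "RRLLRRLLLLRRRRLLLLLLRRRLRRRRRR"
FRONT_CAMS = "RRRRRRRLRRRRRRRRRRLLLLRRRRRRRR"


if __name__ == "__main__":
    for fair, poor in ((2, 3), (4, 6)):
        trace = run_rtm(LV_CAMS, FRONT_CAMS, fair, poor)
        print(f"(fair, poor) = ({fair}, {poor}): {count_switches(trace)} state switches")
        for t_ms, c2l, c2f, state, gap in trace:
            print(f"  t={t_ms:5d} ms  c2l={c2l:4s} c2f={c2f:4s}  {state:12s} gap={gap:5.2f} m")
```

On the same reception log, the (2, 3) thresholds produce ten state switches, including a brief visit to CACC & GA and ACC, while (4, 6) produces seven and never leaves PLATOON, PLATOON & GA, and CACC, which is the qualitative effect of raising the thresholds described above. Because the counter is reset by a single received CAM, short outages inside a loss burst cause immediate upgrades; adding hysteresis (e.g., requiring several consecutive receptions before upgrading) is the natural next step for an implementation.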
In summary, the more frequent state switching that can be observed with smaller fair and poor thresholds causes inter-vehicle distances to vary frequently, affecting communication quality. However, there are fewer state transitions for higher values of the fair and poor thresholds. This aids fuel efficiency, string stability, and the ability to track the LV by preventing too frequent changes in communication topology. Note that the observations above are made in the context of dense data and road traffic scenarios. A reader may wonder how the GDU method would perform in a sparse data and road traffic scenario in which the PLATOON controller by itself would show good performance, i.e., no switching. To this end, we simulate a sparse data traffic scenario by considering 250 neighboring vehicles instead of 400, a vehicle density of 65 vehicles/km instead of 95 vehicles/km, and the neighboring vehicles now have 25 Hz beacon frequency instead of 50 Hz. To put things into perspective, the neighboring vehicles generate 1,625 beacons s⁻¹ km⁻¹ in the sparse scenario compared to 4,750 beacons s⁻¹ km⁻¹ in the dense scenario. The simulation results with thresholds (1, 5), (2, 6), (3, 6), and (4, 6) using the GDU method under the considered sparse scenario are presented in Figure 8. The speed profiles in Figure 8(a) show that the vehicles exhibit excellent performance in terms of safety, string stability, and LV tracking. In this case also, the higher fair and poor thresholds are safe and efficient because there are fewer packet losses in a sparse data and road traffic scenario. The corresponding inter-vehicle distance profiles in Figure 8(b) show that the vehicles can maintain stable gaps around 5 meters with higher fair and poor thresholds in the sparse scenario as well, which enables high fuel efficiency. Therefore, it is safe to conclude that the GDU method performs as well as the PLATOON controller by itself in a sparse scenario. However, in a dense traffic scenario under transient communication outages, in which the PLATOON, CACC, and ACC controllers by themselves either lack safety, fuel efficiency, string stability, or LV tracking, the GDU method provides a balanced trade-off by degrading the performance of only those vehicles which experience temporary communication outage.
To conclude, Figure 7 shows that the GDU method tackles the safety concern of the PLATOON controller, i.e., inter-vehicle collisions, by temporarily degrading the fuel efficiency and string stability of the last two vehicles, which cause the collisions in Figure 6(a). The front five vehicles, however, exhibit highly string-stable behavior and maintain short inter-vehicle gaps. In addition, the GDU method inherits the LV tracking capability of the PLATOON controller, which the CACC and ACC controllers lack (see Figure 5). Furthermore, compared to the CACC and ACC controllers, with which all the vehicles are less fuel-efficient due to longer gaps, only the rear vehicles that experience more communication outages are less fuel-efficient with the GDU method. Therefore, the GDU method exhibits safe platoon cruising by facilitating a balanced trade-off between string stability, fuel efficiency, and LV tracking.
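As an added illustration of the RTM behaviour discussed above (example code written for this section, not the paper's or Plexe's implementation), the following Python model counts consecutive beacon losses on the LV and front-vehicle links, classifies them with the fair, poor thresholds, and selects a cruising state and target gap. The state selection covers only the cases the text describes and is otherwise an assumption, as is the 2 m standstill spacing added to CTG × speed, which reproduces the 15.89 m CACC gap quoted above.

```python
from dataclasses import dataclass

V_MPS = 100 / 3.6     # 100 km/h, the cruising speed used throughout the paper
STANDSTILL_M = 2.0    # assumption: standstill spacing added to CTG*speed; it
                      # reproduces the 15.89 m (0.5 s CTG) CACC gap quoted above

# Gap policy per cruising state: the PLATOON states use a constant distance gap
# (5 m, and 6.25 m after the GA gap increase), CACC and ACC a constant time gap.
GAP_POLICY = {
    "PLATOON": ("cdg", 5.0),
    "PLATOON_GA": ("cdg", 6.25),
    "CACC": ("ctg", 0.5),
    "ACC": ("ctg", 1.2),
}


def desired_gap(state, speed=V_MPS):
    """Target distance to the vehicle in front for a cruising state, in metres."""
    kind, value = GAP_POLICY[state]
    return value if kind == "cdg" else value * speed + STANDSTILL_M


def quality(consecutive_losses, fair, poor):
    """Map a run of consecutive beacon losses on one link to a quality level.
    Assumed comparison: 'fair' from `fair` losses onward, 'poor' from `poor`."""
    if consecutive_losses >= poor:
        return "poor"
    if consecutive_losses >= fair:
        return "fair"
    return "good"


def select_state(c2l, c2f):
    """Assumed subset of Figure 2, covering only the cases the text describes:
    poor c2f -> ACC, poor c2l -> CACC, a fair link -> PLATOON & GA, else PLATOON."""
    if c2f == "poor":
        return "ACC"
    if c2l == "poor":
        return "CACC"
    if "fair" in (c2l, c2f):
        return "PLATOON_GA"
    return "PLATOON"


@dataclass
class RTM:
    """Per-vehicle runtime monitor: counts consecutive losses on the LV link
    (c2l) and the front-vehicle link (c2f) and picks the cruising state."""
    fair: int
    poor: int
    lost_lv: int = 0
    lost_front: int = 0

    def step(self, got_lv, got_front):
        self.lost_lv = 0 if got_lv else self.lost_lv + 1
        self.lost_front = 0 if got_front else self.lost_front + 1
        c2l = quality(self.lost_lv, self.fair, self.poor)
        c2f = quality(self.lost_front, self.fair, self.poor)
        return select_state(c2l, c2f)


def run(fair, poor, lv_rx, front_rx):
    """State chosen at each beacon interval for a reception trace (1 = received)."""
    rtm = RTM(fair, poor)
    return [rtm.step(a, b) for a, b in zip(lv_rx, front_rx)]


def transitions(states):
    """Number of state switches, the quantity the threshold discussion is about."""
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


# Constructed reception traces (not simulator output): a tail vehicle that
# loses LV beacons in bursts and, at the end, also loses front-vehicle beacons.
LV_RX = [1, 1, 0, 0, 1, 0, 0, 0, 1, 1]
FRONT_RX = [1, 1, 1, 1, 1, 1, 1, 0, 0, 0]

if __name__ == "__main__":
    for fair, poor in ((2, 3), (4, 6)):
        states = run(fair, poor, LV_RX, FRONT_RX)
        print((fair, poor), transitions(states), "switches:", states)
```

With thresholds (2,3) the same trace produces six state switches, with (4,6) none, which is the effect of higher thresholds described above.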

VIII. EVALUATION OF EMERGENCY BRAKING
In this section, the Enhanced Synchronized Braking (ESB) strategy is evaluated without the RTM in terms of the fail-safe conditions (see Section V) and compared to the Synchronized Braking (SB) and Normal Braking (NB) strategies. To this end, the braking scenario is used in which the vehicles cruise using the PLATOON, CACC, or ACC controllers, and 70 s into the simulation, the vehicles transition into the NDFI, NDPI, or NDOI states in Figure 3 upon encountering an imaginary road hazard. Note that the evaluation is conducted under the assumption that an emergency may arise from any of the States 2, 3, or 4 in Figure 1. This implies that if a vehicle is in the NDFI state, it is possible to transition to the NDOI state while still maintaining the short gap from State 2 of Figure 1. This section elaborates on RQ3. Table 3 presents the minimum inter-vehicle gaps at a complete standstill using the ESB, SB, and NB strategies in the ACC, CACC, and PLATOON states. Five simulation runs are shown for various CTGs and CDGs. We have chosen not to use the same CTGs for the ACC and CACC states. This is because different controllers facilitate different time gaps, e.g., ACC is not suitable for a 0.2 s time gap due to its reliance on onboard sensors. The negative values in Table 3 represent collision cases. The vehicle string or platoon exhibits poor performance in terms of collision avoidance while using the NB strategy; see Table 3. On the contrary, the SB strategy improves performance drastically compared to the NB strategy. However, there are still collision cases with the SB strategy for various CTGs and CDGs in some simulation runs. The reason is that if a vehicle does not receive a DENM within the τ_wait time with the SB strategy, then a full deceleration by the predecessor comes as a surprise, and the vehicle cannot avoid a collision unless the gap is adequate.
The ESB strategy exhibits only two collision cases, with 0.5 s CTG and 6 m CDG in the ACC and PLATOON states, respectively. This is due to an unusually long DENM delay experienced by the last vehicle, which is higher than the average waiting time. In general, there are fewer collision cases with the ESB strategy than with the SB strategy. The reason is that with the ESB strategy a vehicle can start soft-braking using the onboard sensors despite not having received a DENM. The soft-braking gives a vehicle a deceleration edge with the ESB strategy compared to the SB strategy. However, if the DENM delay is too high and the gap is not sufficiently long, a collision occurs, which is why it is important to adjust the controller to the communication quality using the GDU method or something similar. Table 3 shows that the ESB strategy can avoid collisions in most situations, even with short CTGs and CDGs under dense data and road traffic scenarios.

B. STOPPING DISTANCE OF THE LV
Table 4 presents the stopping distance of the LV (m) for various τ_wait times and soft-deceleration rates (ESB only) using the ESB and SB strategies. Note that the stopping distance of the LV with the NB strategy is fixed and equal to 60.82 m at 100 km/h. The ESB strategy demonstrates shorter stopping distances compared to the SB strategy. For instance, with the ESB strategy, the LV traverses 12.84 meters less than with the SB strategy when τ_wait = 1.12 s (the waiting time at 0.5 s CTG). For a shorter waiting time, which is preferred in light data and road traffic scenarios, the difference in stopping distance between the ESB and SB strategies is not significant, e.g., 1.05 m for τ_wait = 0.1 s. Nevertheless, every meter counts in a safety-critical system. Moreover, recall that the ESB strategy shows better performance in terms of collision avoidance. On the other hand, the stopping distance of the LV is shorter with the NB strategy (60.82 m) compared to the ESB and SB strategies, as there is no waiting before emergency braking for synchronization purposes. However, platooning vehicles using normal braking need to decelerate more slowly to avoid collisions, which ultimately increases the stopping distance of the LV significantly [19]. Table 5 presents the average total time to stop the whole platoon t_total (s) for the same configurations as in Tables 3 and 4. The ESB strategy enables the platoon to transition into the fail-safe state faster than the SB and NB strategies due to soft-braking before full deceleration. In general, for all the braking strategies, the platoon requires a longer time to stop when in the ACC state compared to the CACC and PLATOON states. Moreover, it takes a longer time to stop for longer time gaps and distance gaps, as the tail vehicles experience more delays. Although the vehicles perform synchronized braking, if a vehicle does not receive a DENM within the τ_wait period, it starts braking later, and the total time to stop the whole platoon thereby increases. However, while braking from the PLATOON state, the total time to stop is significantly lower than in the ACC and CACC states due to the shorter CDGs that allow lower DENM delays.
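The LV stopping distances above follow from simple kinematics. The following added Python model (example code, not the paper's) reproduces the 12.84 m and 1.05 m differences between ESB and SB for τ_wait = 1.12 s and 0.1 s, assuming piecewise-constant deceleration at the -8 m/s² full and -3 m/s² soft rates used in the paper and no actuator lag; the soft-deceleration rates tabulated by the script are constructed values, not the Table 4 entries.

```python
V_KMH = 100.0        # speed used in the braking evaluation
FULL_DECEL = 8.0     # m/s^2, full-deceleration rate from the paper
SOFT_DECEL = 3.0     # m/s^2, ESB soft-deceleration rate from the paper


def stopping_profile(v0_kmh, tau_wait, full_decel=FULL_DECEL, soft_decel=0.0):
    """Distance (m) and time (s) for the LV to reach standstill.

    soft_decel == 0 models SB: the LV holds its speed for tau_wait (the
    synchronisation window) and then brakes at full_decel.
    soft_decel > 0 models ESB: the LV soft-brakes at soft_decel during
    tau_wait and then brakes at full_decel.
    Assumptions: piecewise-constant deceleration, no jerk limit, no actuator lag.
    """
    v0 = v0_kmh / 3.6
    # Phase 1: the waiting window. With soft braking, end the phase early
    # if the vehicle would come to rest before tau_wait elapses.
    t1 = tau_wait if soft_decel == 0 else min(tau_wait, v0 / soft_decel)
    v1 = v0 - soft_decel * t1
    d1 = v0 * t1 - 0.5 * soft_decel * t1 ** 2
    # Phase 2: full deceleration from v1 to standstill.
    t2 = v1 / full_decel
    d2 = v1 ** 2 / (2 * full_decel)
    return d1 + d2, t1 + t2


def esb_saving(v0_kmh, tau_wait, full_decel=FULL_DECEL, soft_decel=SOFT_DECEL):
    """How many metres shorter the LV's stopping distance is with ESB than with SB."""
    d_sb, _ = stopping_profile(v0_kmh, tau_wait, full_decel)
    d_esb, _ = stopping_profile(v0_kmh, tau_wait, full_decel, soft_decel)
    return d_sb - d_esb


def saving_table(v0_kmh, tau_waits, soft_decels, full_decel=FULL_DECEL):
    """Rows of (tau_wait, soft_decel, SB distance, ESB distance, saving), i.e.
    the layout of a Table 4 style comparison, for constructed parameter sets."""
    rows = []
    for tau in tau_waits:
        d_sb, _ = stopping_profile(v0_kmh, tau, full_decel)
        for soft in soft_decels:
            d_esb, _ = stopping_profile(v0_kmh, tau, full_decel, soft)
            rows.append((tau, soft, round(d_sb, 2), round(d_esb, 2), round(d_sb - d_esb, 2)))
    return rows


if __name__ == "__main__":
    # tau_wait = 1.12 s is the waiting time at 0.5 s CTG quoted in the text;
    # the 2.0 m/s^2 soft rate is a constructed extra row.
    for tau, soft, d_sb, d_esb, saving in saving_table(V_KMH, (0.1, 1.12), (2.0, 3.0)):
        print(f"tau_wait={tau:5.2f} s soft={soft:.1f} m/s^2  "
              f"SB {d_sb:6.2f} m  ESB {d_esb:6.2f} m  saving {saving:5.2f} m")
```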

IX. EVALUATION OF AUTONOMOUS TRANSITIONS BETWEEN ALL STATES IN THE STATE MACHINE
So far, the GDU method and the selected braking strategies, e.g., NB, SB, and ESB, have been evaluated separately with or without the RTM and CEB modules. In this section, the GDU method and the selected braking strategies are evaluated together using the RTM and CEB modules of the extended Plexe simulator that we have developed. The aim is to evaluate the transition from the cruising states to the fail-safe state through the emergency braking states.
We consider a scenario in which a platoon starts cruising using the PLATOON controller, and then the vehicles switch controllers and/or adjust gaps according to the GDU method based on the experienced communication quality and the fair, poor thresholds. Also in this case, the platoon performs emergency braking 70 s into the simulation time upon encountering an imaginary road hazard, using either of the NB, SB, or ESB strategies (braking scenario). We simulate three different settings named braking scenario-1, braking scenario-2, and braking scenario-3. Braking scenario-1 has PLATOON CDG = 5 m, CACC CTG = 0.5 s, and ACC CTG = 1.2 s, i.e., the values suggested in the literature. Braking scenario-2 uses PLATOON CDG = 10 m, CACC CTG = 1.0 s, and ACC CTG = 1.2 s, i.e., less fuel-efficient inter-vehicle distances. Finally, braking scenario-3 uses a more challenging configuration: PLATOON CDG = 5 m, CACC CTG = 0.3 s, and ACC CTG = 0.4 s. The full-deceleration rate is -8 m/s², the soft-deceleration rate is -3 m/s² (for ESB only), and the speed is 100 km/h. Table 6 summarizes the results of braking scenario-1 and braking scenario-2 for 13 combinations of fair and poor thresholds. It shows which combinations exhibit collisions, together with the colliding vehicles. If we carefully look for a pattern in this table, it is evident that there are no collisions when the threshold fair = 1 is used in braking scenario-1, and as the fair threshold increases, more collision cases can be noticed. In contrast, when the fair threshold is small in braking scenario-2, the platooning vehicles undergo collisions. These results suggest that when an initial inter-vehicle distance as short as 5 m is used, the RTM must react to packet losses fast by increasing the distance to the front vehicle. To this end, a small value for the fair threshold should be chosen, e.g., (1,3), (1,4), (1,5), (1,6), when the inter-vehicle distances are small.
However, when the initial CDG is larger, e.g., 10 m, increasing the inter-vehicle distance too early further increases packet losses due to path loss and fading effects and eventually causes the adoption of the ACC controller. As the ACC controller does not perform well with a normal braking strategy unless the gap is sufficiently large, collisions may occur. There are two important observations that these results suggest. First, although braking scenario-1 avoids collisions when using a fair threshold of 1, such a threshold is not suitable for string stability and fuel efficiency in the considered scenario, as discussed in Section VII-D. Second, normal braking exhibits poor performance in terms of collision avoidance despite using the GDU method. Moreover, the simulation results corresponding to braking scenario-2 suggest that using longer inter-vehicle gaps does not necessarily ensure collision avoidance with normal braking when the platoon needs to decelerate harder in a dense data and road traffic scenario. Note that the collision cases presented in Table 6 happen during emergency braking, not while the platoon is cruising, i.e., the GDU method is still robust at avoiding collisions during cruising.
As braking scenario-3 is more challenging than the other two in terms of inter-vehicle gaps, we use this scenario to put the proposed GDU method and ESB strategy to the test and also compare them with the other braking strategies, i.e., NB and SB. Table 7 shows the number of collisions out of five simulation runs for 13 different combinations of fair and poor thresholds (65 simulation runs in total for each braking strategy). We can see that both the SB and ESB strategies avoid collisions in 64 out of 65 simulation runs. However, with (fair, poor) thresholds (2,6), there is one collision case caused by the last vehicle in the platoon. This is due to a high DENM delay (1.6 s and 2.8 s in the ESB and SB strategies, respectively) combined with a high poor threshold, which generates less state switching and results in inter-vehicle distances that are inadequate for collision avoidance. Moreover, notice that the inter-vehicle distances used in braking scenario-3 are shorter than what is recommended in the literature. These simulation results suggest that the selection of the good, fair, and poor thresholds should be adjusted to the deceleration capacity of the vehicles and the selected inter-vehicle distances in the different states, in order to always prioritize safety over fuel efficiency. The normal braking strategy exhibits many collision cases with braking scenario-3, as seen in Table 7. However, these collisions occur not during platoon cruising but during emergency braking.
To better highlight the strategy of the ESB protocol, Figure 9 presents the acceleration and distance profiles with the SB and ESB strategies for one representative simulation run (fair = 3, poor = 6) as an example. The acceleration profiles for the ESB strategy show that vehicle 6 brakes at the full-deceleration rate as soon as it receives a DENM, without waiting until the end of the τ_wait period, as per the ESB algorithm. The other vehicles perform soft-deceleration until the τ_wait time is reached and then brake at the full-deceleration rate simultaneously. As vehicle 6 brakes long before the other vehicles, it leaves a very large inter-vehicle gap at a complete standstill; see the ESB distance profiles in Figure 9(b). Due to the higher fair, poor thresholds, we do not see the vehicles adjusting the inter-vehicle gaps too frequently. In the SB case, all the vehicles receive the DENMs within τ_wait and brake at the full-deceleration rate simultaneously.
Please notice the frequent acceleration changes between 50 and 70 s. This is because the RTM instructs the vehicles to accelerate or decelerate to attain the state- and controller-specific gaps based on the experienced communication quality levels.

X. ASSUME/GUARANTEE CONTRACTS
In Section IV-C, we discussed safety contracts that capture the operation modes of the system components in a degradation cascade. In this part, we derive a set of safety contracts based on the GDU method presented in Figure 2, the safety requirements, and the simulation results obtained above. Initially, the safety contracts suggested in [20], which are proposed based on domain knowledge, were taken as benchmarks. These were then refined and fine-tuned based on rigorous simulation studies of the controllers, as well as communication and vehicle kinematic parameters. First, a set of strong contracts is defined that represent the overall safety goal (Table 8). The strong contracts C_strong = <A, G> signify that the assumptions A_i shall always be met AND the guarantees G_i shall always hold. On the other hand, the weak contracts C_weak,i = <B_i, H_i> imply that the guarantees H_i are only required to hold when the assumptions B_i are fulfilled, and the weak assumptions are not always required to hold [64]. For brevity, only the weak contracts related to the degradation cascade are presented in Table 9.
The weak assumptions present input conditions in the PLATOON, CACC, and ACC modes, and the guarantees address the system component behaviors, which also represent the safety requirements. Based on the communication quality with the vehicle in front or the LV, a vehicle can degrade its performance by either increasing the gap to the vehicle in front and/or switching to a more suitable controller. The act of increasing the gap first as a response to fair communication quality with the lead vehicle is regarded as graceful degradation. Note that we suggest some numbers, such as 5 m CDG for the PLATOON controller, 0.3 s CTG for the CACC controller, and 0.4 s CTG for the ACC controller, etc., while defining the guarantees in Tables 8 and 9. These are not randomly chosen but instead obtained from extensive simulation studies (see the simulation results in Section IX). However, these assume/guarantee pairs do not necessarily mean that such constant distance gaps or time gaps cannot be used unless the specified assumptions are fulfilled [64]. These contracts rather represent the fact that the component behaviors (Guarantees) are known, given that the assumptions are satisfied.
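An added illustration of the strong/weak contract semantics described above (example code, not the paper's contracts): a Python runtime monitor that checks contracts over a constructed trace of one following vehicle. The predicates are illustrative stand-ins for Tables 8 and 9, built from the 5 m CDG and 0.3 s / 0.4 s CTG figures in the text; the 2 m standstill spacing in the CTG gap is an assumption that yields the 10.33 m and 13.11 m gaps quoted in Section XI.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

STANDSTILL_M = 2.0   # assumption: standstill spacing in the CTG gap; with it the
                     # 0.3 s and 0.4 s CTGs give the 10.33 m and 13.11 m from the text


@dataclass(frozen=True)
class Sample:
    """One monitored instant of a following vehicle (constructed trace data)."""
    t: float      # s
    state: str    # PLATOON, CACC or ACC
    c2l: str      # communication quality to the LV: good / fair / poor
    c2f: str      # communication quality to the vehicle in front
    gap: float    # m, distance to the vehicle in front
    speed: float  # m/s


Pred = Callable[[Sample], bool]


@dataclass(frozen=True)
class Contract:
    name: str
    assumption: Pred
    guarantee: Pred
    strong: bool  # strong <A, G>: A and G must always hold; weak <B, H>: H only when B


def violations(contract: Contract, trace: List[Sample]) -> List[float]:
    """Times at which the contract is violated.

    A strong contract fails whenever its assumption or its guarantee fails.
    A weak contract fails only when its assumption holds and its guarantee
    does not; samples outside the assumption give no verdict at all.
    """
    out = []
    for s in trace:
        a, g = contract.assumption(s), contract.guarantee(s)
        if (contract.strong and not (a and g)) or (not contract.strong and a and not g):
            out.append(s.t)
    return out


def ctg_gap(ctg: float, speed: float) -> float:
    """Distance corresponding to a constant time gap at the given speed."""
    return ctg * speed + STANDSTILL_M


# Illustrative contracts in the spirit of Tables 8 and 9 (not reproduced here),
# using the 5 m CDG and 0.3 s / 0.4 s CTG figures from the text.
CONTRACTS = [
    Contract("S1 no collision at or below 100 km/h",
             lambda s: s.speed <= 100 / 3.6, lambda s: s.gap > 0.0, strong=True),
    Contract("W1 PLATOON keeps 5 m CDG when c2l and c2f are good",
             lambda s: s.state == "PLATOON" and s.c2l == "good" and s.c2f == "good",
             lambda s: s.gap >= 5.0, strong=False),
    Contract("W2 CACC keeps >= 0.3 s CTG when c2f is good",
             lambda s: s.state == "CACC" and s.c2f == "good",
             lambda s: s.gap >= ctg_gap(0.3, s.speed), strong=False),
    Contract("W3 ACC keeps >= 0.4 s CTG",
             lambda s: s.state == "ACC",
             lambda s: s.gap >= ctg_gap(0.4, s.speed), strong=False),
]

V = 100 / 3.6
TRACE = [  # constructed, not simulator output
    Sample(0.0, "PLATOON", "good", "good", 5.0, V),
    Sample(1.0, "PLATOON", "good", "good", 4.6, V),   # W1 violated
    Sample(2.0, "PLATOON", "fair", "good", 4.6, V),   # W1 assumption false: no verdict
    Sample(3.0, "CACC", "poor", "good", 9.0, V),      # below 10.33 m: W2 violated
    Sample(4.0, "ACC", "poor", "poor", 14.0, V),      # above 13.11 m: W3 holds
    Sample(5.0, "ACC", "poor", "poor", 0.0, V),       # S1 and W3 violated
    Sample(6.0, "ACC", "poor", "poor", 20.0, 30.0),   # S1 assumption broken: strong fails
]


def report(trace=TRACE, contracts=CONTRACTS) -> Dict[str, List[float]]:
    """Violation times per contract name."""
    return {c.name: violations(c, trace) for c in contracts}


if __name__ == "__main__":
    for name, times in report().items():
        print(f"{name}: {'ok' if not times else 'violated at ' + str(times)}")
```

The sample at 2.0 s shows the weak-contract point made above: the gap is still short, but since c2l is no longer good, W1 does not apply and the monitor raises nothing, whereas the strong contract S1 at 6.0 s fails as soon as its assumption is broken.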

XI. DISCUSSIONS
In this section, we provide an analysis of the control algorithms and our proposed approaches, e.g., the GDU method and the ESB strategy, based on the simulation parameters and the obtained simulation results. The analysis is made in terms of platoon safety, fuel efficiency, string stability, and the ability to track the LV. To evaluate the robustness of our proposed approaches, we selected two challenging simulation scenarios, one for cruising and one for braking, both of which use high speed (100 km/h) and shorter inter-vehicle gaps than what is recommended in the literature. Moreover, the simulations are performed under a dense data and road traffic scenario with 400 additional non-platooning vehicles, which contribute to high communication delays.
When the state-of-the-art controllers, e.g., PLATOON [25], CACC [41], or ACC [38], are used independently, the platooning vehicles either lack safety, string stability, fuel efficiency, or LV tracking ability. More specifically, the tail vehicles in the platoon using the PLATOON controller undergo collisions due to transient communication outages with the LV and the short inter-vehicle gaps (5 m). However, the PLATOON controller enables high fuel efficiency, string stability, and LV tracking. Note that the PLATOON controller does not necessarily exhibit safe behavior if longer gaps are used, e.g., 10 m, because the rear vehicles experience even more communication outages as they are further away from the LV. In addition, string stability and fuel efficiency become worse with longer gaps when using the PLATOON controller. On the other hand, the CACC controller exhibits moderate string stability but high tracking error with respect to the LV, and the vehicles are less fuel-efficient due to the requirement of using longer gaps (15.89 m). The ACC controller is even less fuel-efficient and exhibits tracking error when maintaining 35.35 m gaps at 100 km/h. The proposed GDU method ameliorates the overall performance of the platoon by degrading the fuel efficiency and string stability of only a subset of the vehicles, the rear vehicles in the platoon, when these experience communication outages and would cause collisions if the PLATOON controller were used. Using the GDU method, these rear vehicles either increase the gap to the vehicle in front or adopt the CACC controller to provide a sufficient level of safety. The front vehicles, however, inherit the fuel efficiency, string stability, and LV tracking ability of the PLATOON controller while maintaining safety.
Moreover, the performance degradation of the rear vehicles is temporary, just like the temporary communication outage; the GDU method adopts the PLATOON controller again or reduces the gap when the communication quality improves. Our simulation results show that when higher values for the fair, poor thresholds are used in the GDU method, the vehicles demonstrate better string stability, fuel efficiency, and LV tracking ability. On the other hand, lower fair, poor thresholds cause too frequent state switching, which aids safety but worsens fuel efficiency and string stability. However, the state machine and the autonomous transitions using the GDU method can avoid collisions during cruising for all simulations conducted in this paper for all choices of the fair, poor thresholds. Therefore, the GDU method is very robust in maintaining platoon safety, which is the primary concern. Moreover, the GDU method uses the best of the PLATOON, CACC, and ACC controllers to provide a balanced tradeoff between safety, fuel efficiency, string stability, and LV tracking.
The ESB strategy shows good performance in attaining the fail-safe state both in terms of avoiding collisions and stopping the platoon fast. In 64 out of 65 simulation runs, the platoon avoids collisions during emergency braking when using GDU and ESB together. The collision experienced in one simulation run occurs due to a high communication delay coupled with a high selected value of the poor threshold (six consecutive packet losses). There are 44 collision cases out of 65 simulation runs with the normal braking strategy despite using the GDU method. Note that these collisions happen during emergency braking, not while the platoon is cruising. Therefore, the normal braking strategy is unsuitable for emergency braking in a challenging scenario, whereas the SB and ESB strategies are efficient at collision avoidance. In addition to collision avoidance, the proposed ESB strategy exhibits 12.84 meters shorter stopping distance of the LV than its predecessor SB strategy.
Finally, the safety contracts derived from the simulation results concerning the GDU method suggest some quantitative performance targets on the inter-vehicle distances while cruising with the PLATOON, CACC, and ACC controllers. The vehicles can maintain gaps of, e.g., 5, 10.33, and 13.11 meters with the PLATOON, CACC, and ACC controllers, respectively, while cruising at a speed of 100 km/h, given that the switching conditions between the states in the GDU method are known.

XII. CONCLUSION AND FUTURE WORK
In this paper, we propose a strategy for classifying the transient communication outages in vehicle platooning into states in a state machine that captures different platooning modes and performance levels as a function of the communication quality levels. In order to keep a platoon fail-operational, a Graceful Degradation and Upgradation (GDU) method has also been proposed that regulates the transitions between different cruising states during transient connectivity problems. Instead of the traditional way of classifying wireless connectivity as successful or failed, the GDU method considers good, fair, and poor communication qualities with the LV and the vehicle in front to facilitate the transitions between the states in the state machine. We have performed a detailed analysis of how the fair, poor communication thresholds can be selected and how they can be used to keep a platoon fail-operational in terms of safety while facilitating a sufficient level of fuel efficiency, string stability, and LV tracking. Moreover, an emergency braking strategy named Enhanced Synchronized Braking (ESB) is proposed and evaluated, aiming to facilitate the transition of the platooning vehicles from any of the cruising states to a fail-safe state even during challenging communication scenarios. Last but not least, we derive a set of safety contracts that capture the operation modes of the GDU method.
The rigorous simulation studies we have conducted demonstrate that the GDU method can keep a platoon fail-operational in the presence of transient connectivity problems and that the ESB strategy can avoid collisions and reduce the stopping distance of the platoon also under dense data and road traffic scenarios. The best performance in terms of fuel efficiency, string stability, and safety is achieved when the ESB strategy and the GDU method are combined with insightfully selected values of the communication thresholds, which are adapted to the CAM rate and the deceleration capabilities of the vehicles. Hence, the suggested state machine can enable automated platooning while ensuring fault tolerance during transient connectivity problems.
In this paper, we analyze the effects of the fair, poor thresholds on safety, string stability, fuel efficiency, and LV tracking ability and provide some guidelines on the choice of the thresholds in both dense and sparse traffic scenarios. Exactly how these thresholds should be adjusted for different inter-vehicle gaps with different controllers is left for future investigation. This is of particular interest since communication outages can also be caused artificially in situations where DCC algorithms, which reduce the CAM rate, are mandatory. Furthermore, it would be worth investigating the performance of the GDU method by assigning different fair, poor thresholds to different vehicles based on their needs and their distances to the vehicle in front and the LV. Moreover, how the fair, poor thresholds can be adapted to changes in the vehicles' mobility parameters, e.g., acceleration changes, is worth investigating. In addition, theoretical studies on how platoon members operating in a distributed manner with different types of CACC controllers and different gap policies can pursue a global stabilizing condition require research attention from a control theory perspective. Furthermore, it could be beneficial to relay the packets from the LV when the platoon is long. Finally, an in-depth comparative analysis of the state-of-the-art emergency braking strategies in terms of fail-safe conditions is required.