software requirements specification (srs) cooperative

1

Software Requirements Specification (SRS)

Cooperative Adaptive Cruise Control : Team 2

Authors:

Alex Crimin, Project Manager

Joseph Hollopter, Customer Liaison

Roy Barnes, Artifacts Manager

Chengzhu Jin, Project Facilitator

Jimmy Mkude, Security Engineer

Customer:

Mr. Bill Milam, Ford Motor Company

Instructor:

Dr. Betty Cheng

1 Introduction Cooperative Adaptive Cruise Control (CACC) is a system that Ford Motor

Company will be utilizing in their commercial vehicles to provide increased

convenience and safety for drivers using cruise control. Cooperative Adaptive

Cruise Control allows the vehicle to communicate with other similarly equipped

vehicles. They can share up-coming road conditions, current speeds, and

directions of travel. This is information that can help the vehicle to adjust its speed

autonomously. With this system, vehicles can move as one platoon. As a group,

they can adjust and maintain their speed. This SRS will detail how the system

functions and thoroughly model the system with various diagrams.

1.1 Purpose To clearly communicate with the customer all requirements that need to be

satisfied for the embedded CACC system to operate as intended. This SRS will

show a clear indication of how the different subsystems of the CACC system

should interact with one another. This will give Ford Motor Company developers a

point of reference to begin designing and building the CACC system.

1.2 Scope Cooperative Adaptive Cruise Control (CACC) assists the driver of the vehicle it is

embedded in by supplying information about impending road conditions, and taking

autonomous actions in response to these conditions. CACC is an embedded

automotive system, which allows for the system to make real-time decisions and

control the vehicle in a timely fashion. The GPS Network System of CACC is used

to collect information from and transmit information to other vehicles on the road

that are near. The radar sensing, radio communication, and forward-looking

2

camera are sensors that the system uses to absorb information about the

surrounding environment. An electronic throttle and vehicle brakes are the

actuators used to maintain the speed of the vehicle, as well as slow or stop the

vehicle in emergency situations. The vehicle controller will coordinate these

subsystems, retrieving input from the sensors, processing the information, and

sending appropriate signals to the actuators.

1.3 Definitions, Acronyms, and Abbreviations The following table includes descriptions of keywords and acronyms used in this

document.

Table 1 : Definitions

Name Definition

ABS Anti-Lock Brake System. This is a pre-existing subsystem in the

vehicle that actuates the brakes when there is a dangerous loss of

wheel traction.

ACC Adaptive Cruise Control. This is a subsystem of CACC that allows

the vehicle to autonomously adjust its speed when obstacles are

detected using radar and camera sensors.

BER Bit Error Ratio. This is a measure of performance for the GPS

network system. See [1] in section 6 (References) for more

information.

BSM Basic Safety Message. A type of message that may be transmitted

from vehicle-to-vehicle between embedded CACC network

transmitters in the form of an identification key. This type of message

key is used to notify following vehicles of impending safety issues.

See [11] in section 6 (References) for more information.

CACC Cooperative Adaptive Cruise Control. This is the embedded automotive system being described by this document.

CAM Cooperative Awareness Message. A type of message that may be

transmitted from vehicle-to-vehicle between embedded CACC

network transmitters in the form of an identification key. This type of

message key is used as general communication between vehicles.


DSRC standards

Dedicated Short Range Communications standards. See [5] in

section 6 (References) for more information.

eHSM embedded Hardware Security Module. This module verifies the

authenticity of incoming network message keys. See [11] in section 6

3

(References) for more information.

Following Vehicle

This is a CACC enabled vehicle directly behind the vehicle.

GPS Global Positioning System. This is used to get the current position

and velocity of vehicle. See [4] in section 6 (References) for more

information.

IMF Independent Monitoring Function. This is function of the CACC system vehicle controller that monitors the successful completion of OS tasks.

Leading Vehicle

This is a vehicle at the front of a platoon.

mHz megaHertz

mph miles-per-hour. All relative speeds in the system will be in units of

mph.

OS Operating System. This Provides the environment for which the

programs of the system can run. See [2] in section 6 (References) for

more information.

Platoon A collection of 2-8 vehicles that are all communicating using the

CACC system.

ppm parts-per-million

Target Vehicle

This refers to the vehicle directly in front of the vehicle that the CACC

system detects.

UI User Interface. This is where the user interacts with the CACC

system.

VC Vehicle Controller. This is the system controller. It is composed of the main, speed, and platoon controllers.

V2X Standards

Standardized methods for secure vehicle-to-vehicle communication.


4

1.4 Organization The following is the table of contents for this SRS document.

2 Overall Description…………………………………………..….…...Page 5

2.1 Product Perspective………………………………………Page 5

2.2 Product Functions………………………………………...Page 5

2.3 User Characteristics……………………………………...Page 5

2.4 Constraints………………………………………………...Page 6

2.5 Assumptions and Dependencies………………………..Page 7

3 Specific Requirements.……………………………………………...Page 7

Functional Requirements……………………………………...Page 7-13

Nonfunctional Requirements………………………………….Page 13

4 Modeling Requirements……………………………………………..Page 14

Use-Case Diagram……………………………………………..Page 15

Use-Case Diagram Documentation…………………………..Page 16 - 22

Domain Model (Class Diagram)…………………………...….Page 23

Class Diagram Data Dictionary…………………………...…..Page 24 - 35

Scenarios and Sequence Diagrams………………………….1 - 43

State Diagram …………………………..……………………...Page 39 - 43

State Diagram Textual Description…………………………...Page 44 - 51

Prototype…………………………..…………………………..………...Page 52 - 55

References…………………………..…………………………………..Page 56

Point of Contact….……..………..…………………………..………….Page 57

5

2 Overall Description In this section, certain background information that is needed to understand the

functionality of the CACC system is outlined. The context of the product, the goal of

product functions, expectations for users, possible constraints, assumptions about the

environment, and potential future features are all addressed.

2.1 Product Perspective The CACC system will be embedded in certain automotive vehicles. It is a standalone

system, although it is part of the vehicle as a whole. It comprises various subsystems,

such as an existing ACC system, and an array of sensors and actuators that may be

used by other systems in the vehicle, such as the rain sensing wipers. It is not a

system that can be retroactively added to a vehicle that was previously unequipped

with CACC. The CACC system is to be used at speeds greater than or equal to 25

mph, and it is meant to be used in the presence of other vehicles, where lateral

control from the driver is only required during emergency situations. As such, the

CACC system is most well suited for usage on main highways and freeways.

2.2 Product Functions This is a summarization of the major functions that the CACC system will perform.

● Maintain a constant forward speed, as specified by the driver. [8]

● Detect vehicles or objects ahead, and adjust the forward speed accordingly.

● Effectively communicate with other CACC-equipped vehicles.

● Join or create new platoons.

● Leave or disband platoons.

2.3 User Characteristics Users are expected to be licensed drivers. Users are expected to be able to operate a

vehicle. Users are expected to know how to communicate with and use the CACC

system, so they must have knowledge of the dashboard display output, and input

methods, such as steering wheel buttons. Users are not expected to have any sort of

knowledge about the internal workings of the CACC system. Users do not need to

possess any specialized skills for the operation of the CACC system.

6

2.4 Constraints The following are the safety and functional constraints that have been applied to the

design of the CACC system.

● The platoon size will not exceed eight vehicles.

● A platoon must contain at least two vehicles.

● CACC will not be enabled at speeds less than 25 mph, and there is no upper

bound on the speed it may be set to.

● If there is a subsystem failure, the full system will be disabled (see section 3,

Specific Requirements, for more details).

● All local traffic laws must be obeyed, except for speed limits. The vehicle driver will

command the speed.

● The system may not cause the vehicle to behave in a reckless or dangerous

manner, which could possibly cause harm to the driver, or others on the road.

● Braking and acceleration force will not exceed the vehicle limits as defined in its

performance envelope.

● Damage must be mitigated in the event of an impending collision. (see section 3,

Specific Requirements, for more details).

● The system must be able to effectively communicate messages to the driver

through the dashboard screen, never sending ambiguous messages.

● The driver must be able to effectively communicate with the CACC system through

user input.

● The system must retain user privacy, but still effectively communicate necessary

information. Transmitted message keys must always be anonymous.

● Fuel must be conserved whenever possible. Coasting is always preferable over

acceleration or braking.

● GPS Data transmission will be operating on radio frequencies in the 5.8 GHz Short

Range Devices frequency band. [5]

● The radio receiver degradation limit is a maximum allowed BER of 0.020 for a wanted radio signal. [5]

● The relative radio frequency error for GPS communication is +/- 5 ppm (frequency

control devices specify their frequency variation in units of parts per million). [5]

● The electrical field strength limit is 0.21 V/m near the radio antenna. [5] ● The power density limit is -129 dBm/MHz near the radio antenna. [5] ● The safe vehicle-to-vehicle following distance must be a length of 1, 2, or 3 car

lengths. ● The vehicle’s braking and acceleration limits will be stored in units of G, for Gravity.

7

2.5 Assumptions and Dependencies Assumptions made about the hardware and software components, the

environments, and the user interaction of the CACC system.

● The vehicle should be fully functional, with a working throttle and braking

system.

● When in perfect factory condition, the CACC system will function as

intended.

● Sensors will be able to effectively gather information that is relevant to the

CACC system.

● Actuators will effectively be able to execute their required functions.

● The hardware should possess enough memory to properly allow the

software function. Memory will not be dynamically allocated. [8]

● The CACC system will be embedded in the vehicle, and therefore may

continue to function as ACC in the case of GPS network subsystem failure.

● Operations will be able to be completed in real-time.

3 Specific Requirements Below are the enumerated specific requirements for the CACC system. The

requirements are first organized by functional requirements, and then by

nonfunctional requirements. Functional requirements are organized by how to collect

environmental information, activate and control the system, autonomously adjust the

vehicle speed, handle the vehicle-to-vehicle GPS communication, maintain a safe

following distance, handle performance envelopes, form a platoon, divert the driver,

and handle adverse road conditions.

I. Functional Requirements The functional requirements of the CACC system pertaining to vehicle manipulation and GPS network communication. This section defines the functional requirements of the controllers, actuators, and sensors of the system.

FR0. Collect Environmental Information FR0 describes how information about the vehicle’s physical environment or surroundings is collected and how this information is handled.

FR0.1 Camera Sensor

Visually identify the target vehicle, determine current distance from the target vehicle, and estimate the relative speed to the target vehicle. There is one camera sensor on the front of the vehicle.

FR0.2 Radar Sensors There are three radars in the system, one in the front of the vehicle, and one on each side of the vehicle. The radars detect physical obstacles that may be in the path of the moving vehicle. The side radars are only used when the system is urging the driver to divert to an adjacent lane and must ensure that the maneuver is safe for the driver.

FR0.3 Dashboard Screen Sensor/Actuator

8

There is one dashboard screen in the vehicle, which is used to communicate with the driver. Messages will be prompted on the screen for the driver to review. The screen will actuate the VC’s message communication, as well as sense for driver input.

FR0.4 Monitor Sensor Information The VC shall receive the information collected from the camera and radar sensors to be interpreted.

FR0.5 Independent Monitoring Function The VC’s independent monitoring function will always be monitoring OS tasks, especially in association with the camera, radar, and dashboard screen input handling, and brake, throttle, and dashboard screen actuation. If any task fails to start, fails to end, or consistently extends its intended timestamp, then the system will need to deactivate and reactivate. If this reset does not fix the issue, then the system will be disabled and the driver will be notified.

FR1. Activation and Control of the System FR1 describes how the driver is able to activate, enable, and control the system. FR1.1 Activate System

The CACC system will be activated when the driver turns on the vehicle. The system will be able to collect data from radars and the camera, and maintain this information in the VC. The system will not be able to command the vehicle until the driver enables CACC.

FR1.2 CACC Lower Speed Limit The CACC system will not be eligible to be enabled until it is moving faster than its lower speed limit. The lower speed limit is 25 mph.

FR1.3 Enable System The CACC system will be enabled when the vehicle is turned on, it is moving faster than 25 mph, and the driver selects Enable on the vehicle’s steering wheel. When the system is enabled, the speed of the vehicle at that time will be saved as the commanded cruising speed in the VC.

FR1.4 Cancel System The driver may always override the enabled CACC system by either selecting the cancel button on the steering wheel, or by putting pressure on the brake pedal. If either of these two actions are taken, the CACC system will be disabled. If the system is canceled with the brake, the previous cruise speed will be kept in the VC.

FR1.5 Resume System If CACC has been disabled with the brake, the driver may resume the previous cruising speed by selecting the “Resume” button on the steering wheel.

FR1.6 Increase Cruise Speed If CACC is enabled, the driver may increase the commanded cruising speed by holding down the Acceleration button on the steering wheel until the vehicle has reached their desired speed.

FR1.7 Decrease Cruise Speed If CACC is enabled, the driver may decrease the commanded cruising speed by holding down the Deceleration button on the steering wheel

9

until the vehicle has reached their desired speed over 25 mph. Commanded cruise deceleration will stop at 25 mph.

FR2. Adjust Vehicle Speed FR2 describes how the system adjusts the vehicle’s speed to maintain the commanded cruising speed or maintain a safe vehicle-to-vehicle following distance behind a target vehicle.

FR2.1 Electronic Throttle Deceleration Regulate vehicle speed by removing power from the existing vehicle throttle system, in order to slow down the vehicle smoothly. The VC must send a signal to the throttle system.

FR2.2 Electronic Throttle Acceleration Regulate vehicle speed by adding power to the throttle system to bring the vehicle to the speed commanded by the driver, if there are no vehicles or other fixed objects in the way. The VC must send a signal to the throttle system.

FR2.3 Brake by Wire Regulate vehicle speed by applying force to the existing braking system in order to avoid a crash with another vehicle or fixed target in front of the vehicle. Braking will be used when deceleration of the vehicle is not efficient enough to slow the vehicle to a safe speed in time. The VC must send a signal to the braking system.

FR2.4 Emergency Brake If the VC determines that a crash is imminent and the vehicle will not be able to properly slow down in time to avoid it, the VC will max out the vehicle’s braking force in order to mitigate the crash as best it possibly can.

FR2.5 Software Fault Tolerance Architecture The VC logic that determines the arbitration between opposing vehicle commands. Uses current vehicle state, environmental inputs, and the system context to prioritize these commands and determine which action is the most appropriate.

FR3. Handle GPS Communication FR3 describes how the system receives, sends, and processes the GPS/radio communication information.

FR3.1 Maintain Vehicle Information The VC shall maintain accurate vehicle location, speed, directional information, and information about the state of other vehicle systems (tire pressure, rain-sensing wiper activation, ABS wheel speed differentials etc.) at all times.

FR3.2 Receive GPS Information Using DSRC standards, the network receiver shall receive information about the current location, speed, and directional information of CACC vehicles ahead. This information will be maintained in the VC.

FR3.3 Broadcast GPS Information

10

Using DSRC standards, the network transmitter will send information from the VC about the current vehicle location, speed, and directional information to other CACC vehicles that are near.

FR3.4 Form the Vehicle Platoon Using the GPS information from surrounding vehicles, establish a functional platoon. There will be a lead vehicle, and safe spacing between each successive vehicle in the platoon.

FR3.5 Communicate with Infrastructure The GPS system will need to communication with VC, so that radio communication information can be safely stored.

FR3.6 DSRC Radio Communication Standards All vehicle-to-vehicle GPS/radio communication will be using Dedicated Short-Term Communications standards as developed by the European Committee for Standardization. Data transmission will be operating on radio frequencies in the 5.8 GHz Short Range Devices frequency band [7].

FR3.7 Monitor Relative Radio Frequency Error The VC will monitor the relative frequency error to detect issues with network receivers and transmitters. As defined by DSRC standards, the relative frequency error is measured as, “the difference between the frequency at which the transmitter outputs its largest carrier signal level in its unmodulated mode of operation and the corresponding nominal carrier frequency.” If the error exceeds +/- 5 ppm, the radio communication will be considered compromised, the GPS subsystem will be disabled, and the system will function as ACC [7].

FR3.8 Blocking Unwanted Radio Signals The network receiver has the capability to receive wanted signal input without exceeding degradation limits under DSRC standards. The degradation limit is defined by the maximum allowed BER of 0.020 for a wanted radio signal. If this limit is exceeded then unwanted signals may pose a buffer overflow threat, the GPS subsystem will be disabled due to radio failure, and the system will function as ACC [7].

FR3.9 Signal Interference Detection Continuous interference signals will be harmful to signal receiving if the electrical field strength exceeds 0.11 V/m. Continuous linear polarized interfering signals will be considered harmful to signal transmission if the electrical field strength exceeds 0.21 V/m near the radio antenna, and the power density does not exceed -129 dBm/MHz. If any of these levels are exceeded the GPS subsystem will be disabled due to radio failure, and the system will function as ACC [7].

FR3.10 Vehicle-to-Vehicle Message Verification In order to increase security in vehicle message verification, without compromising on system performance, an eHSM will be used to ensure that message keys longer than the standard 256 bits can be interpreted in real-time. CAM and BSM messages will be sent and received with complete anonymity using the “cryptographic agility” of standardized V2X methods [8].

FR4. Maintain a Safe Vehicle-to-Vehicle Distance

FR4 describes how the VC determines and adjusts to the safe vehicle-to-vehicle following distance.

11

FR4.1 Determine Speed Differential

The VC shall combine GPS information from the vehicle ahead (if the target is a CACC equipped vehicle), as well as information collected from the radar and camera sensors to determine the speed differential between the target and the vehicle.

FR4.2 Command Throttle and Brakes The VC will command the vehicle’s throttle and brakes to appropriately slow down the vehicle to match the previously determined speed differential.

FR4.3 Efficiency Management Architecture The VC will need to determine if slowing the vehicle by throttle deceleration will be sufficient enough, or if brake pressure will need to be applied. It will also need to determine if coasting is efficient enough to speed up the vehicle while going down a hill, or if acceleration will be required. This is important because deceleration and coasting are much more energy efficient than braking and acceleration.

FR4.4 Setting Safe Following Distance The driver may set the preferred safe vehicle-to-vehicle following distance by accessing the system configuration settings through the dashboard screen. The driver may set this distance to increments of 1, 2, or 3 car lengths.

FR5. Performance Envelope Sharing FR5 describes the GPS-shared vehicle performance envelope, and how this envelope is handled.

FR5.1 Maintain Performance Envelope The VC shall keep a detailed description of the vehicle’s braking and acceleration capabilities to be shared with other platoon vehicles. Both will be in units of G for Gravity. This performance envelope will be included in the VC’s operating environment information.

FR5.2 Determine Braking and Acceleration Maneuvers The VC should consider the performance envelopes for all platoon vehicles to coordinate the braking and acceleration maneuvers that the platoon can perform. These maneuvers will determine the timing and strength of deceleration, acceleration, and braking force for each vehicle during the maneuvers.

FR6. Forming A Platoon FR6 describes how a platoon is formed and handled.

FR6.1 Forming Potential Platoon If the vehicle comes within close proximity to another CACC enabled vehicle in front of it, and the vehicle is not already in a platoon of max capacity, at eight vehicles, then the VC will ask the driver if they would like to join in a platoon with this vehicle.

FR7. Diverting the Driver FR7 describes how and when a driver should be diverted while driving with CACC enabled.

12

FR7.1 Ensuring Diversion Safety

If the VC determines that a crash is pending but not imminent based on the information provided from the front radar and camera, the VC will use the side radars to determine if it is safe for the driver to move to an adjacent lane or the side of the road. Side radars will only be activated and used under this emergency situation.

FR7.2 Warning the Driver of Diversion If the VC determines that the vehicle can safely be diverted to an empty adjacent lane, the driver will be notified of this on the dashboard screen. A message will appear, along with a right arrow or a left arrow to communicate the direction the driver should move.

FR7.3 Communicating with Lane Keeping/Lane Centering If the VC is alerting the driver to change lanes or pull over on the side of the road, the Lane Keeping/Lane Centering must be disabled so that vehicle is not pushed back in the lane when they attempt to quickly move over.

FR8. Adverse Road Conditions

FR8 describes how the system monitors road conditions, and actions that may be taken in the case of adverse road conditions.

FR8.1 Monitor ABS The Main Controller of the system will monitor wheel speed differentials that are being measured by the vehicle’s pre-existing ABS system. A dangerous wheel speed differential may be a sign of poor road conditions

FR8.2 Monitor Rain-Sensing Wipers The Main Controller will monitor the vehicle’s pre-existing Rain-Sensing Wipers that will determine if there is precipitation coming down, which may be a sign of poor road conditions.

FR8.3 Monitor Tire Pressure The Main Controller will monitor the tire pressures being measured by the vehicle’s pre-existing Tire Pressure Sensors. A drastic drop in tire pressure may signal the vehicle has a flat tire.

FR8.4 Regain Wheel Traction If ABS determines there is a dangerous wheel speed differential due to poor road conditions, the Speed Controller will slow down the vehicle until the wheel speed differential nears zero.

FR8.5 When to Retest Wheel Speed Differential If the Rain-Sensing Wipers were activated when the Speed Controller slowed the system due to loss of wheel traction, the Speed Controller will begin testing the traction when the wipers deactivate (if the wipers were not activated, then the wheel traction will be tested every thirty seconds).

FR8.6 How to Retest Wheel Speed Differential The wheel speed differential needs to be tested by increasing the speed by one mph at a time, and monitoring the ABS system’s wheel speed differential measurements. If the differential increases again, then the vehicle should slow back down, if it does not then the system can

13

continue to increase the speed and test the differential until the vehicle returns to the commanded cruising speed.

II. Nonfunctional Requirements

NR1. Consistency

The system should always be striving to maintain a steady and constant forward driving speed.

NR1.1 Maintain Vehicle Speed Maintain a constant forward vehicle speed at all times. The driver will provide the vehicle speed.

NR1.2 Consistent Acceleration, Deceleration, and Braking When the VC must command the throttle and brakes, it should be done so at a consistent rate.

NR3. Safety Requirements

The system should always be operating as safely as possible.

NR3.1 Differentiate Vehicle Targets and Fixed Objects Always be able to determine if a target is a moving vehicle. It is crucial for safety that vehicles never target fixed objects. If the speed differential information retrieved from the camera is equivalent to the vehicle speed, then the target is not moving, and the vehicle may need to come to an emergency stop.

NR3.2 Prioritize Feature Actions When two different features of the CACC system are attempting to contradict each other with their vehicle control, the VC must be able to use the software fault tolerance architecture to prioritize which action is more appropriate, and command it to the brake and throttle actuators. This logic must be accurate every time to maintain driver safety.

NR3.3 Do Not Exceed Performance Envelope Never brake or accelerate the vehicle more than the performance envelope has allowed. This could result in unexpected and potentially dangerous behavior from the vehicle.

NR3.4 Avoid Crashes The system must be able to accurately predict an imminent crash with the vehicle controller, and be able to take appropriate actions to avoid it. If it is not possible to lower the vehicle’s speed fast enough to avoid the collision then the driver will need to be advised to divert the vehicle to the left or the right based on road conditions. If this is not possible, then max out the braking force to decelerate the vehicle as much as possible.

NR3.5 Diverting the Driver Safely The system will never attempt to divert a driver into an adjacent lane if there is anything in the way that may endanger the driver or anyone else around the vehicle.

14

4 Modeling Requirements This section provides the modeling diagrams for the system. The use-case, class,

sequence, and state diagrams cohesively represent the behavior of the system and

the required elements of the system.

15

Use-Case Diagram

Cooperative Adaptive Cruise Control

Below is the use-case diagram for the CACC system. This diagram represents the observable

functionality of the system. The use-case documentation is included in the following pages.

16

Use-Case Diagram Documentation


The following is the use-case diagram documentation for the CACC system. This

documentation describes the use-cases of the system, their interaction with entities outside

the system, and their cross-references with the specific requirements section of this document

(see section 3).

Use Case: Activate the Vehicle

Actors: Driver

Description: In order to activate the system, the driver must turn on the vehicle. This will turn on all sensors, the camera, the dashboard screen, and the system controller, though no actions will be taken for the system to control the vehicle yet (not until the CACC system is enabled).

Type: Primary, Essential

Cross-refs: FR1.1, FR0.1, FR0.2, FR0.3, FR0.4

Use Case: Change Cruise Speed

Actors: Driver

Description: If the driver has already enabled the cruise control, the driver may change the commanded cruising speed. The driver may increase the speed, or decrease the speed down to as low as 25 mph.

Type Secondary

Includes: Increase Cruise Speed, Decrease Cruise Speed

Cross-refs: FR1.6, FR1.7, FR1.2

Use-Cases: Must perform Activate System and Enable Cruise use-cases first.

Use Case: Increase Cruise Speed

Actors: Driver

Description: If the driver has already enabled the cruise control, the driver may increase the commanded cruising speed by holding down the Accelerate button on the steering wheel until the desired speed is reached.

Type Secondary

Cross-refs FR1.6

Use Cases Must perform Activate System and Enable Cruise use-cases.

17

Use Case: Decrease Cruise Speed

Actors: Driver

Description: If the driver has already enabled the cruise control, the driver may decrease the commanded cruising speed by holding down the Decelerate cruise button on the steering wheel until the desired speed is reached. The speed will only decrease to a minimum of 25 mph.

Type: Secondary

Cross-refs: FR1.7, FR1.2

Use Cases: Must perform Activate System and Enable Cruise use-cases first.

Use Case: Set Safe Distance

Actors: Driver

Description: The driver may access the CACC configuration settings through the dashboard screen, and set the safe vehicle-to-vehicle following distance to increments of 1, 2, or 3 car lengths. This will be the safe following distance the system will use when the CACC system is enabled.

Type: Secondary

Cross-refs: FR4.4

Use Cases: Must perform Activate System first to access the dashboard screen.

Use Case: Resume Cruise

Actors: Driver

Description: If the driver has activated the system, enabled cruise control, and disabled the cruise control by using the vehicle’s brake, the driver may resume their previous cruising speed by selecting the Resume button on the steering wheel.

Type: Secondary

Cross-refs: FR1.5

Use Cases: Must perform Activate System, Enable Cruise, and Disable Cruise with Brake first.

Use Case: Enable Cruise

Actors: Driver

Description: When the driver selects the Enable button on the vehicle’s steering wheel, the vehicle controller will determine if the current vehicle speed is above 25 mph. If this is true, then the CACC system will be fully activated, and the vehicle’s current speed will be the commanded cruising speed to be maintained.

Type: Primary


Use Cases: Must perform Activate System use-case first.

18

Use Case: Disable Cruise

Actors: Driver

Description: The driver always has the option to manually override by disabling the CACC system with the cancel button on the steering wheel, or by pressing down on the vehicle’s brake pedal.

Type Primary

Includes: Disable Cruise With Brake, Disable Cruise With Button

Cross-refs: FR1.4

Use Cases: Must perform Activate System and Enable Cruise first.

Use Case: Disable Cruise With Button

Actors: Driver

Description: If the driver has activated the system and enabled cruise control, they may disable CACC by pressing down on the Cancel button on the steering wheel.

Type: Primary

Cross-refs: FR1.4


Use Case: Disable Cruise With Brake

Actors: Driver, Vehicle Braking System

Description: If the driver has activated the system and enabled cruise control, they may disable CACC by pressing down on the vehicle’s brake pedal.

Type: Primary

Cross-refs: FR1.4


Use Case: Adjust Speed

Description: When the system controller determines that a speed adjustment is needed to maintain the commanded cruising speed, the controller will command either the throttle to accelerate or decelerate the vehicle smoothly, or the brakes to decelerate the vehicle quicker.

Type: Primary and Essential

Includes: Decrease Speed, Accelerate Throttle

Cross-refs: FR2.1, FR2.2, FR2.3, FR2.4, FR2.5, FR4.1, FR4.2, FR4.3


Use Case: Decrease Speed

Description: When a decrease in the vehicle’s speed is required to maintain the driver’s commanded speed or to avoid colliding with an obstacle in front of the vehicle, the controller must determine if deceleration of the throttle is sufficient in slowing the vehicle fast enough, or if the braking system must be used to slow the vehicle faster.


Includes: Decelerate Throttle, Apply Brakes


Use Cases: Must perform Activate System, Enable Cruise, and Adjust Speed first.

19

Use Case: Apply Brakes

Actors: Vehicle Braking System

Description: If braking deceleration is required to decrease the vehicle’s speed, the vehicle controller will send a signal to the Vehicle Braking System to apply the brakes smoothly.


Cross-refs: FR2.3, NR1.1, NR1.2

Use Cases: Must perform Activate System, Enable Cruise, and Decrease Speed first. Emergency Brake extends this use-case.

Use Case: Emergency Brake

Actors: Vehicle Braking System

Description: If a collision is imminent, the vehicle controller will send a signal to the Vehicle Braking System to max out the braking force in order to mitigate the crash as best as possible.

Type: Primary

Extends: Apply Brakes

Cross-refs: FR2.4

Use Cases: Must perform Activate System, Enable Cruise, and Decrease Speed first.

Use Case: Accelerate Throttle

Actors: Vehicle Throttle System

Description: When an increase in the vehicle’s speed is required to maintain the driver’s commanded speed, the controller must send a signal to the vehicle’s throttle actuating system.


Cross-refs: FR2.2

Use Cases: Must perform Activate System, Enable Cruise, and Adjust Speed first.

Use Case: Decelerate Throttle

Actors: Vehicle Throttle System

Description: If throttle deceleration is required to decrease the vehicle’s speed, the vehicle controller will send a signal to the Vehicle Throttle System.


Cross-refs: FR2.1

Use Cases: Must perform Activate System, Enable Cruise, and Decrease Speed first.

Use Case: Display Message

Actors: Driver

Description: If the driver must be communicated with, a clear and appropriate message will be displayed on the dashboard screen for them to review.

Type: Secondary

Cross-refs: FR0.3

Use-Cases: Activate System must occur first.

20

Use Case: Disable System

Description: If the IMF determines that there is an issue with a system task, while tasks are being monitored, and the controller determines that the system is too unstable to maintain functionality safely, then the full CACC system will be disabled until the issue can be resolved and the driver will be warned of this issue with a message displayed on the dashboard screen.

Type: Primary

Includes: Display Message

Cross-refs: FR3.8, FR3.9, FR3.7, FR0.5

Use-Cases: Activate System must be performed first.

Use Case: Invite to Platoon

Actors: Driver

Description: If the VC determines that there is a target vehicle in front of the vehicle, while CACC is enabled, then the controller will invite the driver to either join the target vehicle’s platoon, or form a new platoon with this vehicle if it is alone. The controller will negotiate a speed between the two vehicles and send a message to the driver on the dashboard screen.


Includes: Display Message, Accept Platoon, Reject Platoon



Use Case: Accept Platoon

Actors: Driver

Description: If the VC invites the driver to join a platoon, and the driver selects Accept on the dashboard screen, then the vehicle will join the platoon.

Type: Primary

Cross-refs: FR5.2

Use Cases: Must perform Activate System, Enable Cruise, and Invite to Platoon first.

Use Case: Reject Platoon

Actors: Driver

Description: If the VC invites the driver to join a platoon, and the driver selects Reject on the dashboard screen, then the driver will not join a platoon but will continue driving with CACC.

Type: Secondary


Use Cases: Must perform Activate System, Enable Cruise, and Invite to Platoon first.

21

Use Case: Exit Platoon

Actors: Vehicle Turn Signal, Lane Keeping/Centering System

Description: If the driver is currently in a platoon, and decides to leave the platoon they must select the cancel platoon button on the dashboard screen, and/or turn on their turn signal to leave the formation. If the turn signal is engaged, then the lane keeping/lane centering system will allow the driver to exit the lane of the platoon without pushing them back.

Type: Secondary

Cross-refs: FR 1.3

Use Cases: Must perform Activate System, Enable Cruise, and Accept Platoon first.

Use Case: Divert Driver

Actors: Lane Keeping/Centering System

Description: While the system is monitoring the vehicle’s surroundings, if it determines that a crash is imminent, the system will attempt to mitigate the situation by diverting the driver to adjacent lanes or the side of the road. The system will communicate this suggestion to the driver on the dashboard screen. If the system is attempting to divert the driver, it will need to communicate with the existing lane keeping/lane centering system as well to ensure that the vehicle is not pushed backed into the lane while the driver is getting over.

Type: Primary

Includes: Display Message

Cross-refs: FR4.5, FR6.1, FR7.2, FR7.3

Use-Cases: Activate System must be performed first.

Use Case: Adverse Conditions

Actors: Vehicle Rain Sensing Wiper System, Vehicle Anti-Lock Brake System, Vehicle Tire Pressure Sensors

Description: If any of the monitored systems show signs of adverse road conditions, the vehicle will slow down, alert the driver, and alert the driver of the following CACC vehicle.

Type: Secondary

Includes: Display Message, Warn Following Vehicle

Cross-refs: FR1.1,FR1.2

Use Cases: Activate System and Enable Cruise must occur first.

22

Use Case: Warn Following Vehicle

Actors: Following Vehicle

Description: If the vehicle is facing adverse road conditions, or experiences a malfunction, if there is a following CACC vehicle, the following driver will be alerted of these issues. The VC will use radio communication to send this message

Type: Secondary

Cross-refs: FR1.2

Use Cases: Must perform Activate System and Adverse Conditions first.

Use Case: Receive GPS Information

Actors: Following Vehicle, Target Vehicle

Description: The radio receiver will receive GPS information from other CACC vehicles that are near. This information will be maintained in the VC.

Type: Primary, essential

Cross-refs: FR3.2, FR3.6, FR3.5, FR3.7, FR3.8, FR3.9, FR3.10


Use Case: Send GPS Information

Actors: Following Vehicle, Target Vehicle

Description: The radio transmitter will send GPS information to other CACC vehicles that are near.

Type: Primary, essential

Cross-refs: FR3.1, FR3.3, FR3.6, FR3.5, FR5.1


23

Class Diagram - Domain Model Cooperative Adaptive Cruise Control

Below is the class diagram for the CACC system. This diagram represents the physical

objects of the system and the different relationships between them. The main components of

embedded automotive systems are actuators, controllers, and sensors. The textual

description follows the diagram in the form of a data dictionary.

24

Class Diagram Data Dictionary


The following is the class diagram data dictionary for the CACC system. This is textual

description for the class diagram on the previous page.

Element Name Description

Accelerate Button

This is a button on the steering wheel that may be held by the driver, and acts as a sensor to detect how much the driver would like to increase the commanded cruising speed.

Operations

accelPressed()

Indicates when the driver begins pressing on the accelerate button on the steering wheel.

accelReleased() Indicates when the driver has released the accelerate button on the steering wheel.

Relationships Aggregates Steering Buttons, and is a subclass of Button.

Element Name

Description

Actuator These are the components of the system that can affect the environment. They all take signals/commands from the Controllers and carry out their tasks as specified by the controller. These have the most visible effects of the system as they affect the environment directly.

Operations

disable( ) Deactivate the actuator from CACC system control.

Relationships Superclass of Throttle, Dashboard Screen, Brakes, and Network Transmitter.

Element Name

Description

Actuators These are the components of the system that can affect the environment. They all take signals/commands from the Controllers and carry out their tasks as specified by the controller. These have the most visible effects of the system as they affect the environment directly.

Relationships Composes CACC System. Aggregated by the Brakes, Throttle, Dashboard Screen, and Network Transmitter.

25

Element Name

Description

Brakes The vehicle’s primary brakes, and they are crucial in stopping and slowing down the vehicle. The Controller sends signals to this actuator in the event that the vehicle needs to slow down or stop quickly due to obstacle(s) ahead, in order to avoid a collision.

Operations

brakeOn( int )

Brake the vehicle with the amount of force indicated by the input.

enable( ) Activate the control of the vehicle’s brakes. brakeOff( ) Turn off the braking that was previously actuated.

brakePressed( ) Indicates when the driver has pressed the brake pedal. eBrake( ) Activates max braking for an emergency situation.

Relationships Aggregates the Actuators.

Element Name

Description

Button These are the sensors in the system that are physical buttons that may be pressed or held down by the driver of the vehicle to signal an intended action.

Operations

enable( ) Activates the button.

disable( ) Deactivates the button.

Relationships Superclass for Vehicle Switch, Accelerate Button, Enable Button, Cancel Button, Decelerate Button, and Resume Button.

Element Name

Description

CACC System The Cooperative Adaptive Cruise Control system which is composed of sensors in the form of buttons, radars, a camera, a dashboard screen and a network receiver, main, platoon, cruise, and speed controllers, and actuators in the form of brakes, the throttle, a dashboard screen, and a network transmitter. The CACC system enhances cruise control by featuring autonomous vehicle speed control, and adding the ability to form moving vehicle platoons.

Relationships Composed of Actuators, Controllers, and Sensors. Associated with a Driver.

26

Element Name

Description

Camera This is the camera sensor placed at the front of the vehicle to detect the distance and speed differential between the vehicle and obstacles surrounding the vehicle. It constantly sends signals to the Controller, notifying the system of the state of the environment at that point in time.

Attributes

differential : integer This is the speed differential with respect to the obstacle in front of the vehicle.

Operations

cameraOn( )

Activate the camera.

cameraOff( ) Deactivate the camera. checkCamera( ) Check the surroundings for obstacles with

slower speeds. reportCamera(integer) Record the speed differential between the object

and the vehicle, by setting differential.

Relationships Aggregates the Sensors.

Element Name

Description

Cancel Button This is a button on the steering wheel that may be pressed by the driver, and acts as a sensor to detect when the CACC System should be disabled.

Operations

cancelPressed( ) Indicates when the driver has selected the cancel button on the steering wheel.


Element Name

Description

Controller This is the brain of the system. It takes in information about the environment from sensors, processes that information, decides on the right course of action, and sends the signals to the actuators.

Attributes

speed : int The current speed of the vehicle. cruiseSpeed : int The commanded cruising speed.

Operations

enable( ) Activate the controller. disable( ) Deactivate the controller.

Relationships Superclass of Main Controller, Speed Controller, Cruise Controller, and Platoon Controller.

27

Element Name

Description

Controllers This is the brain of the system. It takes in information about the environment from all the sensors, processes that information with either the Main Controller, Platoon Controller, Cruise Controller,, or Speed Controller, decides on the right course of action to take, and sends the signals to the vehicle actuators.

Relationships Composed of a Main Controller, Speed Controller, Cruise Controller, and Platoon Controller


Cruise Controller

This is the controller that takes input from sensors to control the appropriate commanded cruising speed.

Attributes

differential : int The speed differential between the vehicle and detected obstacle.

emergency : int The differential threshold limit for emergency braking.

brake : int The differential threshold limit for regular braking.

Operations

accelPressed( ) Indicates when the driver begins holding the accelerate button on the steering wheel.

accelReleased( ) Indicates when the driver has released the accelerate button on the steering wheel

decelPressed( ) Indicates when the driver begins holding the decelerate button on the steering wheel.

decelReleased( ) Indicates when the driver has released the decelerate button on the steering wheel

respondCamera(int) Sets differential to the value given from the camera sensor.

returnCruise( ) Returns the cruise control to the speed that was previously set by the driver before the system was disabled.

Relationships Aggregates Controllers, and is a subclass of Controller.

28


Dashboard Screen

This is the dashboard screen actuator that is embedded in the vehicle. This screen allows the system to communicate with the driver by displaying messages.

Operations

invitePlatoon( )

Displays an invitation to join platoon message on the dashboard screen for the driver to view.

noPressed( ) Indicates the driver has selected the no screen button.

yesPressed( ) Indicates the driver has selected the yes screen button. cancelPressed( ) Indicates the driver has selected the cancel screen button.

eBrake( ) Display a message to the driver on the dashboard screen indicating that there is an emergency situation.

brakeOff( ) Remove the emergency message on the dashboard screen because the vehicle is no longer emergency braking.



Decelerate Button

This is a button on the steering wheel that may be held by the driver, and acts as a sensor to detect how much the driver would like to decrease the commanded cruising speed.

Operations

decelPressed()

Indicates when the driver begins pressing on the decelerate button on the steering wheel.

decelReleased() Indicates when the driver has released the decelerate button on the steering wheel.



Driver The operator of the vehicle that is equipping the system.

Relationships Association with CACC System.

29


Electronic Hardware Security Module

This is an embedded Hardware Security Module (eHSM) that takes the message keys that are sent by other vehicles and are received by the Network Receiver and determines their validity.

Attributes

secure : bool Indicates whether the input message keys are secure.

Operations

checkHSM( double[ ] )

Determine if the received message key from another vehicle is valid and secure.

reportHSM(bool) Sets secure to true if the tested message keys are secure, and false if they are not.

Relationships Aggregates the Network Receiver.

Element Name

Description

Enable Button This is a button on the steering wheel that may be pressed by the driver, and acts as a sensor to detect when CACC should be enabled.

Operations

enablePressed( ) Indicates when the enable button has been pressed on the steering wheel.


30

Element Name

Description

Main Controller

This is the controller that will maintain the operating environment information. This controller will constantly be monitoring for system and subsystem failure based on input from the radars, camera, network receiver, braking and acceleration performance. This controller will also monitor other vehicle systems, such as the ABS, for signs of adverse road conditions. The controller will determine vehicle actuation limits based on this information.

Attributes

obstacle : bool Indicates if there is an obstacle in front of the vehicle.

Operations

checkSpeed( ) : int

Return the current speed of the vehicle, which is maintained under the operating environment information.

activate( ) Activates the CACC system. Does not enable the system.

deactivate( ) Deactivates the CACC system.

cancelPressed( ) Indicates if the cancel button was selected on the steering wheel.

resumePressed( ) Indicates that the resume button was selected on the steering wheel.

returnRadar(bool) Sets obstacle to true if their is an obstacle present, and false if there is not


31

Element Name

Description

Network Receiver

This is the network component of the system that receives information, in the form of message keys, from other CACC vehicles to enable communication between vehicles. The security module verifies the keys, and then the network receiver sensor forwards the secure information to the Controller to be processed.

Attributes

keys : double [ ] An array of message keys received from other CACC enabled vehicles that are near.

Operations

receiverOn( ) Activates the network receiver.

receiverOff( ) Deactivates the network receiver.

reportKeys(double[ ]) This sets keys with the received message keys. Empty if no message keys are received.

disable( ) Deactivates the network receiver if the system is disabled.

receive( ) Attempts to receive message keys sent from other CACC enabled vehicles that are near.

Relationships Aggregates Sensors. Aggregated by the electronic Hardware Security Module.


Network Transmitter

This is the system’s network component that enables the vehicle to be able to communicate with another vehicle in the platoon. It enables the vehicle to send GPS information to their respective trailing and leading vehicles. This actuator is sent signals and information from the Controller.

Operations

transmit(double)

Transmit the vehicle’s message key to nearby CACC enabled vehicles.

transmitterOn( ) Activates the network transmitter.

transmitterOff( ) Deactivates the network transmitter.


32

Element Name

Description

Platoon Controller

This is the controller that takes input from the radar, camera, and network receiver, and actuates the network transmitter, and dashboard screen. The platoon controller will determine if there are nearby CACC enabled vehicles, it will form potential platoons with these vehicles and determine braking and acceleration maneuvers.

Attributes

keys : double[ ] Array of vehicle keys for every vehicle in the current platoon.

obstacle : bool Indicates if there is an obstacle in front of the vehicle.

info : double The message key containing the vehicle information to be transmitted.

secure : bool Indicates if incoming message keys are secure.

response : string The response given by the driver with the screen buttons. Remains null if there is no response.

Operations

formPlatoon( )

Forms appropriate braking and acceleration maneuvers for the vehicle if it is in a platoon.

respondHSM(bool) Sets secure to true if received message keys are secure, and false if they are not.

returnRadar(bool) Sets obstacle to true if there is an obstacle in front of the vehicle, and false if there is not.

respondKeys(double[ ]) Sets keys to the secure message keys that are received.

returnCruise( ) Returns the cruise control to the speed that was previously set by the driver before the system was disabled.

examinePlatoon(double[ ]) Determines if the vehicle is eligible to join the platoon in front.

answer(string) Sets response to the answer the driver has indicated using the screen buttons.


33

Element Name

Description

Radar These are the three radar sensors that are placed around the vehicle in order to detect obstacles surrounding the vehicle. There is one on the front, and one on each side. They constantly send signals to the Controller, notifying the system of the state of the environment in that point in time.

Attributes

obstacle : bool Indicates whether or not there is an obstacle in the way of the vehicle.

Operations

radarOn( ) Activates the radar. radarOff( ) Deactivate the radar.

reportRadar(bool) The radar will report the surroundings by setting obstacle to true if there is an obstacle, and false if there is not.

checkRadar( ) The radar will sense the surroundings.

Relationships Three radars aggregate the Sensors.

Element Name

Description

Resume Button

This is a button on the steering wheel that may be pressed by the driver, and acts as a sensor to detect when the driver would like to resume cruise control.

Operations

resumePressed( ) Indicates when the driver has selected the resume button on the steering wheel.


34

Element Name

Description

Screen Buttons These are sensors that are on the dashboard screen as buttons that the driver may select to appropriate an intended system action.

Attributes

response : string This is the recorded response from the driver.

Operations

disable( ) Disable the screen buttons.

checkAnswer( ) Sense the screen for driver input.

report Answer( ) Record the input from the driver by setting response.

Relationships Aggregates Sensors.


Sensors These are the mode of input for the system. They enable the system to perceive essential parts of the environment around the vehicle and make intelligent decisions based on this information. They route the input sensor signals to the Controllers.

Relationships Aggregated by a Camera, three Radars, Screen Buttons, a Network Receiver, and Steering Buttons.


Speed Controller

This controller will take input from the radars, camera, and Steering Buttons to maintain a safe vehicle speed by actuating the vehicle’s brakes and throttle.

Operations

resumeCruise( )

Indicates when the resume button is selected on the steering wheel

brake(int) Actuate the brakes with the input force amount.

checkCruise( ) : int Return the current speed of the vehicle, to be compared to the set cruising speed.

brakeOff( ) Turn the emergency brakes off.


35


Steering Buttons

These are the sensors of the system that are buttons on the steering wheel that may be pressed by the driver

Relationships Aggregates Sensors, and is aggregated by Accelerate Button, Decelerate Button, Cancel Button, and Enable Button, Resume Button, and Vehicle Switch..

Element Name

Description

Throttle This actuator is used to adjust the speed of the vehicle electronically. It controls how fast the vehicle accelerates or decelerates within the vehicle’s capability. It receives input from the Speed Controller, after the controller has processed input from the Sensors, and accelerates or decelerates the vehicle as specified by the controller.

Operations

accel( ) Activates the throttle. decel( ) Deactivates the throttle.


Element Name

Description

Vehicle Switch This is the button that the driver may press to start the vehicle. This button acts as a sensor to detect when CACC should be activated.

Operations

keyPressed( ) Indicates when the vehicle has been activated or deactivated.

Relationships Aggregates Sensors, and is a subclass of Button.

36

Sequence Diagrams


Below are the sequence diagrams for the CACC system. These diagrams represent the

sequential behavior of the system. The sequence diagrams are modeled after system

scenarios.

1. Scenario 1: The driver activates the vehicle, and increases their speed manually until they

reach 66 mph. The driver presses the enable button on the steering wheel, enabling

cruise. The vehicle’s cruising speed is set to the current vehicle speed. The driver holds

the accelerate button to increase the cruising speed to 70 mph. There is a platoon ahead

of the vehicle going slower. The system decelerates the throttle to match their speed,

which is currently 65 mph. A message is displayed on the dashboard screen to invite the

driver to join the platoon. The driver selects accept platoon on the dashboard screen. The

driver decides to exit the platoon, selecting cancel platoon on the dashboard screen, and

maneuvering to an adjacent lane. The system accelerates the throttle to return to the

commanded speed of 70 mph, which was set before the driver joined the platoon.

37

2. Scenario 2: The driver is driving down a highway, and engages CACC. This sets the

ACC speed of the vehicle to the current speed. As the vehicle continues, it approaches

a different vehicle, which is moving at a slower speed. The slower vehicle is not

equipped with a CACC system, so neither vehicle is prompted to join a platoon.

Instead, the normal ACC system of the faster vehicle decelerates the vehicle to the

speed of the slower vehicle in front. The trailing vehicle will match the speed of the

vehicle in front, unless it exceeds the set speed of the trailing vehicle’s ACC system.

3. Scenario 3: The driver’s vehicle is in a platoon of four vehicles, being second to last in

line. The vehicle in front of the driver engages its turn signal, and leaves the platoon,

breaking the platoon into two smaller parts. The driver is now the lead vehicle of a

smaller platoon, consisting of the driver’s vehicle, and the vehicle behind. If this

platoon catches up to the original lead vehicle, then the driver is prompted to join a

platoon with the vehicle in front. If both vehicles have agreed, then the original lead

vehicle once again becomes the lead vehicle, and the driver’s vehicle, and the vehicle

behind the driver are integrated into the platoon.

38

4. Scenario 4: The driver is driving down a highway with CACC engaged, without being

part of a platoon. The driver is approaching a slower vehicle in front. There is another

vehicle in an adjacent lane that is moving closer to the driver’s set speed, so the driver

changes lanes to be behind that vehicle instead. The vehicle in front also has CACC,

so the driver is prompted to join a platoon. The driver was not prompted to join a

platoon with this vehicle before, because the vehicles were in different lanes. The

driver declines. After passing the original slower vehicle, both the driver and the

vehicle in front move back into the other lane. Both drivers are now prompted to join a

platoon again, due to the lane change.

5. Scenario 5: The driver’s vehicle is in a platoon of four vehicles, being second to last in

line. A vehicle suddenly and dangerously cuts in front of the driver’s vehicle. The

original platoon of four vehicles is split into two separate platoons of two vehicles by

the intrusion. The platoon of two vehicles in front of the incident continues on normally.

However, the platoon of two vehicles behind the incident needs to take emergency

action. If the driver’s vehicle detects that any adjacent lanes are clear, it will prompt the

driver to change lanes. If a lane change is not possible, the vehicle will automatically

hard-brake to mitigate damage from the impending collision.

39

State Diagram


Below is the state diagram for the CACC system. This diagram represents the functional

states of the system, and the appropriate events that cause transitions between these states.

There is a textual description following the diagram.

Figure 1: The state diagram for the Speed Controller.

Figure 2: The state diagram for the Main Controller.

40

Figure 3: The state diagram for the Cruise Controller.

Figure 4: The state diagram for the Platoon Controller.

41

Figure 5: The state diagrams for the radar, camera, screen buttons, receiver, and electronic

Hardware Security Module Sensors.

42

Figure 6: The state diagram for the steering wheel buttons.

43

Figure 7: The state diagram for CACC actuators.

44

State Diagram Textual Description The following is the textual description for the CACC State Diagram. These are the descriptions for

each functional state of the system that are shown in the state diagrams on the last page, and the

events that cause transitions between these states.

1. Main Controller

a. All-Off - The main controller will begin in this state.

i. When the vehicle is turned on, the controller will transition to the “All-On”

state, and activate the radar and camera.

b. All-On - The main controller, radar, and camera are all activated.

i. When checkSpeed( ) is called, the controller will transition to the “CACC

Enabled” state if the vehicle’s current speed is above 25 mph, and enable the

CACC system.

ii. When the vehicle is turned off, the controller will transition back to the “All-

Off” state.

c. CACC Enabled - The full CACC system is enabled.

i. The controller will check the radar constantly and remain in the “CACC

Enabled” state.

ii. If the CACC system is disabled, the controller will return to the “All-On” state.

iii. If the radar returns a true value, indicating that there is an obstacle in front of

the vehicle, the controller will transition to the “Vehicle-Obstructed” state,

and check the camera.

iv. If the cancel button on the steering wheel is selected by the driver, the

controller will transition to the “CACC-Disabled” state, and disable the CACC

system.

d. CACC Disabled - The cruise control has been disabled by the cancel steering wheel

button since the last time the system was enabled.

i. If the vehicle is turned off, the controller will transition to the “All-Off” state.

ii. If the resume button is pressed on the steering wheel, the system will be

enabled, the previous cruise control speed will be commanded, and the

controller will transition to the “CACC Enabled” state.

e. Vehicle-Obstructed - The vehicle is currently obstructed by an obstacle, and will not

be able to travel at the commanded speed.

i. The controller will constantly check the radar and remain in the “Vehicle-

Obstructed” state.

ii. If the radar determines that there is no longer an obstacle in front of the

vehicle, the controller will transition back to the “CACC Enabled” state.

iii. If the system is disabled, the controller will transition back to the “All-On”

state.

45

iv. If the radar determines that there is still an obstacle in front of the vehicle,

the system will check the camera and remain in the “Vehicle-Obstructed”

state.

v. If the cancel button on the steering wheel is pressed, the system will disable

and the controller will transition to the “CACC Disabled” state.

2. Speed Controller

a. Off - the speed controller will begin in the “Off” state.

i. When the CACC system is enabled, the controller will set the cruise speed to

the current vehicle speed, and transition to the “On” state.

ii. If the cruise control is being resumed, the controller will transition to the “On”

state and set the cruise speed to the previous cruising speed.

b. On - the speed controller is activated.

i. If the CACC system is disabled, the speed controller will transition to the “Off”

state.

ii. If the emergency brakes are activated, the speed controller will transition to

the “Emergency-Brake” state.

iii. The controller will constantly check the speed of the vehicle and remain in the

“On” state.

iv. If the speed of the vehicle is less than the commanded cruising speed, the

controller will transition to the “Speed-Low” state, and the throttle will be

activated.

v. If it is determined that braking is required, the brakes will be actuated and the

system will stay in the “On” state.

c. Speed-Low - the vehicle is accelerating.

i. The controller will constantly check the current speed of the vehicle and

remain in the “Speed-Low” state.

ii. If it is determined that the current speed of the vehicle is greater than the

commanded cruising speed, the controller will transition to the “On” state,

and deactivate the throttle.

iii. If the system is disabled, the controller will transition to the “Off” state.

iv. If the system is emergency braking, the controller will transition to the

“Emergency-Brake” state.

d. Emergency-Brake - the vehicle is emergency braking.

i. If the system is disabled, the controller will transition to the “Off” state.

ii. If the brakes are turned off, the controller will return to the “On” state.

3. Cruise Controller

a. Off - The cruise controller will begin in the “Off” state.

i. If the CACC system is enabled, the controller will transition to the “On” state.

b. On - The cruise controller is activated.

i. If the CACC system is disabled, the controller will transition to the “Off” state.

ii. If the acceleration button is pressed, the controller will transition to the

“Increase-Cruise” state.

46

iii. If the deceleration button is pressed, the controller will transition to the

“Decrease-Cruise” state.

iv. If the camera is checked, and the speed differential between the vehicle and

the obstacle is less than zero, the controller will transition to the “Obstacle-

Cruise” state.

c. Increase-Cruise - the commanded cruising speed is being increased by the driver.

i. If the acceleration button is released by the driver, the controller will

transition to the “On” state.

ii. The controller will increment the commanded cruising speed by one every

millisecond.

iii. If the CACC system is disabled, the controller will transition to the “Off” state.

d. Decrease-Cruise - the commanded cruising speed is being increased by the driver.

i. If the deceleration button is released by the driver, the controller will

transition to the “On” state.

ii. The controller will decrement the commanded cruising speed by one every

millisecond.

iii. If the CACC system is disabled, the controller will transition to the “Off” state.

e. Obstacle-Cruise - the vehicle is traveling at a speed slower than the commanded

cruising speed because there is an obstacle present.

i. If the camera determines that the speed differential is less than zero and

greater than the braking threshold, then the controller will lower the cruising

speed by the differential.

ii. If the camera determines that the speed differential is less than or equal to

the braking threshold and greater than the emergency threshold, then the

controller will brake.

iii. If the camera determines that the speed differential is less than or equal to

the emergency threshold, then the controller will emergency brake and

transition to the “Emergency-Cruise” state.

iv. If the controller is commanded to return it’s cruise, then it will transition back

to the “On” state.

f. Emergency-Cruise - the vehicle is emergency braking.

i. If the camera determines that the speed differential with the obstacle is

greater than the braking threshold, and the vehicle speed is above or equal to

25 mph, then the brakes will be turned off, and the controller will transition

back to the “Obstacle-Cruise” state.

ii. If the camera determines that the speed differential with the obstacle is

greater than the braking threshold, and the vehicle speed is less than 25 mph,

then the CACC system will be disabled, and the controller will return to the

“Off” state.

iii. The controller will be constantly checking the camera.

iv. If the CACC system is disabled, the controller will transition back to the “Off”

state.

47

4. Platoon Controller

a. Off - The controller will begin in the “Off” state.

i. If the system is enabled, the controller will transition to the “On” state and

turn on the receiver and transmitter.

b. On - The controller is activated

i. If the system is disabled, the controller will transition back to the “Off” state.

ii. If the radar determines that there is an obstacle, the controller will transition

to the “Checking-Obstacle” state and transmit and receive network message

keys.

c. Checking-Obstacle - there is an obstacle present, and the controller must determine if

it is a CACC enabled vehicle.

i. If the vehicle returns to the previous cruise speed, the controller will return to

the “On” state.

ii. If the network receiver receives message keys, the controller will transition to

the “Checking-Message-Security” state, and the received keys will be sent to

the eHSM.

d. Checking-Message-Security - the received message keys are being validated.

i. If the eHSM determines the message keys are secure, the controller will

transition to the “Creating Platoon” state.

ii. If the eHSM determines the message keys are not secure, the controller will

transition to the “Off” state and turn off the receiver and transmitter.

e. Creating Platoon - the controller is forming a potential platoon for the vehicle.

i. If the controller determines that the platoon is full, it will transition back to

the “On” state.

ii. If the controller determines that the platoon is not full, it will transition to the

“Inviting Platoon” state.

f. Inviting Platoon - the controller is inviting the driver to join the formed platoon.

i. The controller will constantly check for a response from the driver.

ii. If the system is disabled, the controller will transition back to the “Off” state.

iii. If the driver selects no, the controller will transition to the “Platoon Idle”

state, and the transmitter and receiver will be turned off.

iv. If the driver selects yes, the controller will transition to the “In-Platoon” state,

and the platoon will be formed.

g. Platoon Idle - the platoon capabilities have been rejected by the driver, and cannot be

reactivated until the system is disabled and reenabled.


h. In-Platoon - The vehicle is in a platoon formation.


ii. If the driver selects cancel on the dashboard screen, the controller will

transition to the “Platoon Idle” state, and the transmitter and receiver will be

turned off.

48

iii. The controller will be constantly transmitting and receiving information from

other platoon vehicles, and checking for a cancellation from the dashboard

screen.

iv. If the controller receives message keys, it will transition to the “Verify

Security” state.

i. Verify Security - the controller is verifying the security of incoming message keys.


ii. If the message keys are not secure, the controller will transition to the “Off”

state.

iii. If the message keys are secure, the controller will transition to the “In-

Platoon” state, and the platoon formation will be updated.

5. Steering Buttons

a. Vehicle-Off - the buttons will begin in this state.

i. If the vehicle is turned on, the buttons will transition to the “Vehicle-On”

state, and the CACC system will be activated.

b. Vehicle-On - the vehicle is on and the system is activated.

i. If the vehicle is turned off, the buttons will transition to the “Vehicle-Off”

state and the system will be deactivated.

ii. If the enable button is pressed, the vehicle speed will be checked.

iii. If the system is enabled, the buttons will transition to the “CACC-enabled”

state.

c. CACC-Enabled - the CACC system is enabled

i. If the system is disabled, the buttons will transition to the “Vehicle-On” state.

ii. If the deceleration button is pressed, the buttons will transition to the

“Holding-Decel” state.

iii. If the acceleration button is pressed, the buttons will transition to the

“Holding-Accel” state.

iv. If the cancel button is pressed, the buttons will transition to the “CACC-

Canceled” state.

d. Holding-Decel - the deceleration button is being held.


ii. If the deceleration button is released, the buttons will transition to the “CACC-

Enabled” state.

e. Holding-Accel - the acceleration button is being held.


ii. If the acceleration button is released, the buttons will transition to the “CACC-

Enabled” state.

f. CACC-Canceled - the CACC system is canceled, and may be resumed.

i. If the vehicle is turned off, the buttons will transition to the “Vehicle-Off”

state and the system will be deactivated.

ii. If the enable button is pressed, the vehicle speed will be checked.

49

iii. If the system is enabled, the buttons will transition to the “CACC-enabled”

state.

iv. If the resume button is pressed, the buttons will transition to the “CACC-

enabled” state.

6. Radar

a. Idle - The radar will begin in the “Idle”state

i. If the radar is turned on, it will transition to the “On” state.

b. On - the radar is turned on.

i. If the radar is turned off, it will transition to the “Off” state.

ii. If the radar is checked, it will transition to the “Checking-Radar” state.

c. Checking-Radar - the radar is being checked.

i. The radar will report and respond about the surrounding obstacles and return

to the “On” state.

7. Camera

a. Idle - The camera will begin in the “Idle”state

i. If the camera is turned on, it will transition to the “On” state.

b. On - the camera is turned on.

i. If the camera is turned off, it will transition to the “Idle” state.

ii. If the camera is checked, it will transition to the “Checking-Camera” state.

c. Checking-Camera - the camera is being checked.

i. The camera will report and respond about the surroundings and return to the

“On” state.

8. Screen Buttons

a. Idle - The buttons will begin in the “Idle” state.

i. If there is a request to check for user input, the buttons will transition to the

“Check-Answer” state.

b. Check-Answer - The screen buttons are checking for user input.

i. If the system is disabled, the buttons will transition to the “Idle” state.

ii. The buttons will report and respond with the user input, and return to the

“Idle” state”

9. Receiver

a. Idle - The receiver will begin in the “Idle” state.

i. If the receiver is turned on, it will transition to the “On” state.

b. On - The receiver is activated.

i. If there is a request to receive message keys, the receiver will transition to the

“Receiving” state.

ii. If the receiver is turned off, it will transition to the “Idle” state.

iii. If the system is disabled, the receiver will transition to the “Idle” state.

c. Receiving - the receiver is receiving vehicle message keys.

i. If the system is disabled, the buttons will transition to the “Idle” state.

ii. The receiver will report and respond with the message keys and return to the

“On” state.

50

10. electronic Hardware Security Module

a. Idle - The eHSM will begin in the “Idle” state.

i. If there is a request to check message key validity, the eHSM will transition to

the “Validate Key Security” state.

b. Validate Key Security - the message keys are being checked for security.

i. The eHSM will report and respond with the security of the incoming message

keys.

11. Network Transmitter

a. Idle - The transmitter will begin in the “Idle” state.

i. If the transmitter is turned on, it will transition to the “On” state.

b. On - The transmitter is activated.

i. If there is a request to transmit the vehicle’s message key, the transmitter will

transmit the info and remain in the “On” state.

ii. If the transmitter is turned off, it will transition to the “Idle” state.

iii. If the system is disabled, the transmitter will transition to the “Idle” state.

12. Brakes

a. Idle - The brakes will begin in the “Idle” state.

i. If the system is enabled they will transition to the “Monitoring” state.

b. Monitoring - the brakes are monitoring for manual pressure from the driver.

i. If the driver presses the brakes, the brakes will transition to the “Idle” state.

ii. If the system is disabled, the brakes will transition to the “Idle” state.

iii. If there is a request for brake pressure, the brakes will be applied and remain

in the “Monitoring” state.

iv. If the emergency brakes are requested, the brakes will transition to the

“Emergency-Brake” state.

c. Emergency-Brake - the vehicle is emergency braking.

i. If there is a request to turn the brakes off, the brakes will transition back to

the “Monitoring” state.

ii. If the system is disabled, the brakes will transition to the “Idle” state.

13. Throttle

a. Idle - The throttle will begin in the “Idle” state.

i. If the throttle is activated, it will transition to the “On” state.

b. On - The throttle is activated.

i. If the system is disabled, the throttle will transition to the “Idle” state.

ii. If the throttle is deactivated, it will transition to the “Idle” state.

14. Dashboard Screen

a. Idle - The dashboard screen will begin in the “Idle” state.

i. If there is a platoon invitation, the screen will transition to the “Invite-

Displayed” state.

ii. If the emergency brakes are activated, the screen will transition to the

“Emergency-Displayed” state.

b. Invite-Displayed - the platoon invitation is displayed on the screen.

51

i. If no is selected, the screen will transition to the “Idle” state.

ii. If the system is disabled, the screen will transition to the “Idle” state.

iii. If yes is selected, the screen will transition to the “Cancel-Displayed” state.

iv. If the emergency brakes are activated, the screen will transition to the


c. Emergency Displayed - an emergency warning is displayed on the screen.

i. If the brakes are turned off, the screen will transition to the “Idle” state.


d. Cancel-Displayed - a cancel platoon message is displayed on the screen.

i. If the emergency brakes are activated, the screen will transition to the



iii. If the cancel button is pressed, the screen will transition to the “Idle” state.

52

5 Prototype The CACC2 prototype models the basic executable functionality of the system. The

user interface will allow the user to activate and deactivate the vehicle, enable and

disable the CACC system, increase and decrease the speed of the vehicle, increase

and decrease the commanded cruising speed, and accept from the vehicle’s

dashboard. The platoon interface will model the interactions the vehicle has with other

vehicles on the road. It will allow the user to enable/disable the CACC system and set

the cruise speed. The arrow keys on the keyboard can control accelerating, braking

and steering of the vehicle. Thus the Prototype has 2 PARTS. The FIRST PART is the Dashboard

Demonstration, it can be found on this page,

http://www.cse.msu.edu/~cse435/Projects/F2016/Groups/CACC2/web/prototype1.php,

this part focuses on the driver's interaction with the vehicle and the CACC system from

the vehicle's dashboard.

The SECOND PART of this prototype is the Platoon Demonstration. It

demonstrates how different vehicles with the CACC system enabled would interact in

various executable scenarios. This part can be accessed through this link

http://www.cse.msu.edu/~cse435/Projects/F2016/Groups/CACC2/Prototype/LatestRel

ease/index.html . After clicking on the link, the scene will show up and the user will be

able to control the red car using keyboard arrow keys.

In the platoon demonstration, every vehicle in the scenario is CACC enabled

and drivers are always willing to form a platoon. The only vehicle that can disable

CACC is the main vehicle that the user controls. The user can experiment with

different settings to see how the CACC system will behave in various scenarios.

5.1 How to Run The Prototype Both of the UIs described above are web based, and can be viewed and executed

by anyone with access to the internet.

The prototype interface and system configuration for the interior of the vehicle may

be accessed at,

http://www.cse.msu.edu/~cse435/Projects/F2016/Groups/CACC2/web/protot

ype1.php

The prototype interface and system configuration for the exterior of the vehicle may

be viewed at,

http://www.cse.msu.edu/~cse435/Projects/F2016/Groups/CACC2/Prototype/

LatestRelease/index.html

http://www.cse.msu.edu/~cse435/Projects/F2016/Groups/CACC2/web/prototype1.php

http://www.cse.msu.edu/~cse435/Projects/F2016/Groups/CACC2/Prototype/LatestRelease/index.html







53

5.2 Sample Scenarios Part 1: The following is a sample scenario of execution Part 1 of the CACC prototype,

Figure 8: The CACC dashboard prototype upon initialization.

● On the interior UI select “Start Engine”

i. The state of the Engine will turn ON

● Select “CACC On”

i. The state of the CACC will remain OFF

● Select “Throttle” 26 times.

i. The Speed of the system will be 26 mph

● Select “CACC On”

i. The state of the CACC will turn ON

Figure 9: The CACC dashboard prototype after the system is enabled

54

● Select “Brakes”

i. The state of the CACC will turn OFF

ii. The Speed will decrease to 25 mph.

● Select “Brakes” 25 times

i. The Speed will be 0mph

● Select “Engine Off”

i. The Engine will turn OFF

Part 2: Below is a sample scenario of the execution of Part 2 of the CACC Prototype.

● Start the simulation and let it run for a few seconds. You should have a

platoon/s forming in the simulation like in the image below. The two black

striped vehicles are in a platoon with the red car.

Figure 10: The CACC platoon prototype upon initialization.

55

● The user can control the main vehicle (the red car) using the arrow keys on

their keyboard. They can also use the user interface buttons to experiment with

different execution scenarios. Below is an experiment scenario where CACC

system was disabled by clicking on the “CACC” button on the user interface,

and the driver of the red car did not brake. As a result the red car crashed the

black vehicle’s rear.

Figure 11: The CACC dashboard prototype upon crashing.

56

6 References

[1] Baldman, Andy. (March 2003). Bit Error Ratio Testing: How Many Bits Are

Enough? UNH InterOperability Lab. Retrieved from

https://www.iol.unh.edu/sites/default/files/knowledgebase/ethernet/BER-

How_Many_Bits_18Mar2003.pdf

[2] Bell, John. (2006). Operating Systems Structures. University of Illinois Chicago.

Retrieved from

https://www.cs.uic.edu/~jbell/CourseNotes/OperatingSystems/2_Structures.html

[3] Chan, Eric, et al. Cooperative Control of SARTRE Automated Platoon Vehicles.

Vienna, 19th ITS World Conference, 26 Oct. 2012.

[4] Dana, Peter H. (1994). Global Positioning System Overview. University of Texas.

Retrieved from http://www.colorado.edu/geography/gcraft/notes/gps/gps_f.html

[5] "DSRC." ETSI. N.p., n.d. Web. 10 Nov. 2016.

[6] "Dynamic Radar Cruise Control (DRCC)." Toyota Global Site. N.p., n.d. Web. 20

Oct. 2016.

[7] "EyeSight." Subaru. N.p., n.d. Web. 20 Oct. 2016.

[8] Milam, William. Cooperative Adaptive Cruise Control. N.p.: Ford Motor, 2016.

Print.

[9] "Office of Operations Research and Development (R&D)." Federal Highway

Administration Research and Technology. N.p., 24 Sept. 2015. Web. 20 Oct. 2016.

[10] Omae, Manabu, Ryoko Ogitsu, and Wen-Po Chiang. "Control Procedures and

Exchanged Information for Cooperative Adaptive Cruise Control of Heavy-Duty

Vehicles Using Broadcast Inter-Vehicle Communication." International Journal of

Intelligent Transportation Systems Research 12.3 (2014): 84-97. SpringerLink. 05

Feb. 2014. Web. 20 Oct. 2016.

[11] "V2X Communication Security Technical Brief." (n.d.): n. pag. Truly Secure V2X.

Autotalks. Web. 10 Nov. 2016.

57

7 Point of Contact For further information regarding this document and project, please contact Prof. Betty

H.C. Cheng at Michigan State University (chengb at cse.msu.edu). All materials in this

document have been sanitized for proprietary data. The students and the instructor

gratefully acknowledge the participation of our industrial collaborators.

software requirements specification (srs) cooperative

Documents