Conference PaperPDF Available

A First Step Towards Holistic Trustworthy Platoons

Authors:

Abstract and Figures

Truck platooning is a form of convoy cooperative driving of connected trucks assisted by a lead truck. The aim is to reduce the fuel and driving costs, improve road safety, and reduce CO2 emission. Being semi-autonomous, platoons must be trustworthy in many perspectives. This paper presents a high-level trustworthy requirements analysis on three key perspectives: driver, communication, and security. In addition, we observed that any trustworthy requirement analysis is incomplete if perspectives are addressed independently. Therefore, we propose a simple holistic methodology that addresses the different perspectives as well as their dependencies, and we exemplify the use of the methodology with two use cases presented in the paper. However, we draw attention to the importance of more research to drive a more exhaustive and validated methodology.
Content may be subject to copyright.
A First Step Towards Holistic Trustworthy Platoons
Ali Shoker
VORTEX Co-Lab
Portugal
ali.shoker@vortex-colab.com
Peter Moertl
V2C2
Austria
peter.moertl@v2c2.at
Ramiro Robles
ISEP
Portugal
rasro@isep.ipp.pt
AbstractTruck platooning is a form of convoy cooperative
driving of connected trucks assisted by a lead truck. The aim is
to reduce the fuel and driving costs, improve road safety, and
reduce CO2 emission. Being semi-autonomous, platoons must be
trustworthy in many perspectives. This paper presents a high-
level trustworthy requirements analysis on three key
perspectives: driver, communication, and security. In addition,
we observed that any trustworthy requirement analysis is
incomplete if perspectives are addressed independently.
Therefore, we propose a simple holistic methodology that
addresses the different perspectives as well as their
dependencies, and we exemplify the use of the methodology with
two use cases presented in the paper. However, we draw
attention to the importance of more research to drive a more
exhaustive and validated methodology
1
.
Keywordstrustworthiness, automotive, V2X, cybersecurity
I. INTRODUCTION
Truck platooning has got the attention of the automotive
industry driven by the fast evolution of software-based
vehicles and the Vehicle-to-Everything (V2X) wireless
communications. A platoon is a semi-autonomous convoy of
wirelessly connected trucks traveling in the same direction
and doing coordinated movements as a single system.
Typically, the first truck is actively driven by a human driver,
whereas the following ones are controlled by automation and
humans, i.e., performing various levels of supervisory tasks
depending on the ACEA platoon automation level [25].
Moreover, truck platooning has many benefits like reduced
fuel consumptionby creating an efficient airflow for the
trucks behind [1], improving transportation safety, and
reducing driving costs. Simulations have also shown the
advantages of platoons in urban environments [5].
Future trucks (and vehicles) are expected to have a substantial
software-base, sensing capabilities, as well as connectivity of
many forms (e.g., V2X, LTE, 5G, etc.). This makes them
smart things in the Internet of Things (IoT) ecosystem. Given
this, in addition to semi-automation, truck platoons have high
trustworthy requirements. The European Union (EU) gives
guidelines and requirements (see Fig.1(a)) for the
development of trustworthy smart things [18], including, not
only technical, but also individual, societal organizational,
and legal framework considerations. In contrast, Fig.1(b)
conveys the five trustworthiness pillars to be considered in a
smart system according to the definition adopted by the
ISO/EC 20924:2018 standard for trustworthiness of IoT
1
This research leading to these results was done within the InSecTT project
funded through the ECSEL Joint Undertaking (JU), supported by EU
Horizon 2020, under grant agreement No 876038. The document reflects
systems, and the Industrial Internet Consortium (IIC)
[12,13]: “property of deserving of trust or confidence within
the entire lifecycle of an Internet of Things implementation
to ensure information security, privacy, safety, reliability and
resiliency”. Unfortunately, the state of the art [2-8] has not
yet addressed this topic in a systematic way, considering the
dependencies that exist between the different platoon
perspectives, layers, and components.
(a) (b)
Fig. 1: The overlap and differences of trustworthiness pillars of the ISO/EC
20924:2018 and the EU regulations for Trustworthy AI.
This paper presents a high-level trustworthy platoon
requirements analysis from three key perspectives: drivers,
communications, and security. Our workconducted within
the frame of the InSecTT project (https://www.insectt.eu/)—
is motivated by driving a comprehensive platoon
trustworthiness approach, given the several dependencies in
platoon trustworthy requirements. We concluded that any
trustworthiness requirements study will be incomplete if
there is no holistic view that considers the different pillars,
aspects, and components. Consequently, we proposed a first-
step holistic methodology for iterative requirements study.
We show how this methodology can be used with two cases
on platoons, and we present our observations and takeaways.
Although our work is preliminary, we believe the idea of
integrated trustworthiness is of considerable importance and
should not be overlooked by the community. This is
especially important when different researchers and
architects design and analyze systems independently. We
also think that this approach can be generalized to other
modern automotive applications beyond platooning.
Specifically, the ISO/IEC 20924:2018 standard does not yet
address all the areas that the EU guideline states. In particular,
transparency, diversity, human oversight, societal wellbeing
and accountability are not included. We appeal for more
only the author’s view and the Commission is not responsible for any use
that may be made of the information it contains
research to consider these aspects in platooning (and
automotive) trustworthiness analysis.
The rest of the paper is organized as follows. Section II gives
a short background on platoons. The following three sections
present the trustworthiness requirements analysis from the
three perspectives: drivers, communication, and security.
Section VI presents the preliminary methodology we
propose, followed by some conclusions in Section VII.
II. BACKGROUND ON PLATOONING
Platooning is a convoy-style coordination of connected
vehicles, mainly trucks, aimed at reduced costs (driving and
fuel) as well as safety. A platoon leader truck usually leads
the following trucks to a common destinationin one or
more trips, respecting the platoon application semantics,
protocols, and road safety regulations. The state-of-the-art
Ensemble platooning project [4] adopts the layered
architecture presented in Fig. 2. The typical use of each layer
is as follows: the (cloud) services and strategic layers are used
for logistic and non-frequent platoon planning (platoon
discovery, tracking, speed optimization, trajectory definition,
etc.). The tactical layer is where actual maneuvering
protocols run (e.g., join, leave, overtake, split). Part of the
platoon management can occur at this layer as well. The
operation layer is more concerned with the vehicle actuator
control (e.g., accelerating, braking, steering).
Platoon trucks usually have similar routes or destinations.
From a communication point of view, this makes traffic-flow
and network management (V2X) more efficient as vehicles
arranged in platoons can reduce processing complexity by
offloading functionalities to lead cars and/or edge/cloud
vehicular servers. One key enabler of platoons is the
coordination and reliable (real-time) exchange of information
between contiguous vehicles or between vehicles and
edge/cloud servers. Therefore, three communication patterns
can be identified in a vehicle platoon: Vehicle-to-Vehicle
(V2V), Vehicle-to-Infrastructure (V2I), and Vehicle-to-
Network (e.g., Internet). The former two patterns can be used
together to improve reliability at the tactical and operational
layers, while the latter is less critical being used at the
Services and Strategic layers.
Fig. 2: Platoon layers (Ensemble project [4]).
To describe the functionality requirements, we make use of a
model that combines the benefits of multiple other standards,
such as the ISO [19, 22], ITU [20], AIOTI [23], and IEEE
reference IoT architecture [21] standards. This functionality
model is depicted in its high-level view in Fig. 3, using four
main horizontal layers (device or DL, network or NL, service
or SL and application or AL). Each use case will organize
their specific functionalities in a functional stack model as the
one shown in Fig.3. For the platoon use case we address, the
figure shows a preliminary overview of the different
functionalities associated to all communications and
control/operation of different platoon scenarios.
Fig. 3: IoT-based platoon functional model.
III. DRIVER TRUSTWORTHINESS
Driver trustworthiness is here understood as ...the attitude
that an agent will help achieve an individual’s goals in a
situation characterized by uncertainty and vulnerability.”
[24]. Accordingly, trustworthiness are characteristics of a
system and its environment that help a human stakeholder to
form appropriate levels of trust.
In terms of truck platooning, we investigated those features
of a platooning system that may be necessary to achieve the
trust of truck drivers and therefore increase the likelihood of
sustained and acceptable platooning operations. Per-
categorization of truck platooning operations in [3], we
differentiate platooning operations at ACEA level 2 [25]
where the driver is still ready to intervene. (We leave level 3
where the driver of a trailing truck can rest for future work.)
These two types are presented in Fig. 4.
Fig. 4: Phases of two types platooning from a driver perspective. The green
boxes refer to level 2.
The general difference between these two types is not only on
the level of involved automation but also on the role of the
human driver. In the assisted driving, the automation is
restricted to specific applicability conditions and is supposed
to be continuously monitored by the human driver. Thereby,
the driver is challenged to monitor and supervise the
automated driving system while maintaining readiness to
intervene when needed. Such role of the human driver has
found to be a challenge in extensive research and therefore
stands against operational trustworthiness [10, 11]. Finally,
in Table 1, a high-level overview of the driver-based
trustworthiness requirements is given, based on a review
presented in [3]; whereas, level 3 is left as a future work.
Device layer
Massive MIMO
NOMA
V2x (5g, NB-IoT, WiMAX)
802.11p, G5
Beamforming Sensors
Vehicle control
SIC-RD
Network layer
Smart Routing Scheduling, adaptaion
Forwarding Anomaly detection
Network Security
Authentication
Service, security and Virtualization. layer
Smart Routing
Platoon servicesEncryption
Network Security V2x service resource orchestration
Cloud and application layer
Smart platoon Routing
Vehicular applicationsEDGE URLLC
Platoon operations control Traffic management
Safety control
Security, trustworthiness management
Cross-layer management
IV. COMMNUNICATION TRUSTWORTHINESS
In this section we present the trustworthy requirements from
a communication perspective. The requirements for
trustworthiness also consider a system-level network
perspective of platoon communications. The platoon
coordination and control system heavily depends on the
performance of the V2X communication technology. Any
issue in the links between the entities of the platooning
system is translated into a potential safety problem of the
whole system and therefore a perceived lack of
trustworthiness for the end users of the platoon.
A. Latency
The communications between the platoon elements need to
comply with certain levels of latency for different types of
platoon messaging. The latency bound for message
dissemination will determine the maximum or minimum
inter-vehicular distance, or speed limits, and the size of the
platoon under different traffic and channel conditions. In
general, V2V links can provide low latency for small size of
the platoon. Latency bounds are also needed to give enough
time for the truck driver to react given a road traffic event or
make a decision due to platoon splitting or reforming.
B. Outage
Signal outage is one of the main issues that platoon
communications will face. The loss of messages and their
retransmissions are key to design the system reliability and
latency bounds under different types of road and channel
conditions. A highly-reliable platooning system must ensure
some levels of outage probability to avoid communication
and coordination issues between the vehicles of the platoon
or between the platoon and the vehicular cloud servers.
Outage is translated into information availability and
integrity issues as trustworthiness metrics defined by the ISO
standard for trustworthiness IoT systems [19, 22].
C. Interference
Interference is a major issue in environments with multiple
platoons and co-channel users. In this aspect, V2I has the
advantage to provide city coverage with a centralized
interference management or control. On the other hand, V2V
technology is more prone to this type of impairment.
Solutions in both types of system exist and rely on different
control mechanisms, such as multiple antennas, orthogonal
signal waveform allocation, interference free scheduling,
successive interference cancellation, etc.
D. Multiple Antennas
Multiple antennas are perhaps the main improvement in the
new generation of wireless networks. Their importance stems
from their ability to increase capacity with limited bandwidth
expenditure. Multiple algorithms for beamforming, multiuser
detection and interference control can be used to ensure
signal quality over a range of different platooning scenarios.
Multiple antenna processing can also reduce jamming attacks
that can seriously affect the control of the platoons, but also
high-level vulnerabilities and other attacks such as Man-in-
the-Middle (MITM), spoofing and even Denial of Service
(DoS). Multiple antennas at the vehicles of the platoon
promise to efficiently counteract shadowing, fading, and
interference, while at the same time provide detection of
obstacles and challenging environments such as rain road
conditions, tunnel signal interference, etc.
E. LOS vs NLOS
Platoon communications must operate in a variety of channel
conditions, mainly Line and Non-Line of Sight (LOS/NLOS)
situations, which determine many of the properties of V2V
and V2I links. Modulation schemes such as OFDM and
CDMA can deal with some NLOS degrading scenarios [27].
The channel conditions highly determine the outcome of the
control communication of the platoon subsystem. The
platoon configuration and its vehicles can be modelled as a
connection matrix with NLOS and LOS indicators.
Therefore, particularly in platoon situations where no cellular
coverage is present, V2V-based communication must deal
with multiple links, some in LOS and others with NLOS
conditions depending on the configuration. This situation
may change with different platoon maneuvers, and therefore
the awareness of LOS and NLOS link status can be used also
as a detection mechanism of platoon spatial configuration
changes in case of platoon configuration detection alarms.
V. SECURITY TRUSTWORTHINESS REQUIREMENTS
Security is a key pillar of a trustworthy platoon being a semi-
autonomous intelligent system [12,13]. In general, a secure
platoon must satisfy the AIC triad requirements [13] in face
of (cyber)security threats. Truck platoons inherit the security
TABLE 1. ASSISTED SAFETY TRUSTWORTHINESS FROM A DRIVER PERSPECTIVE
threats and cyber-attacks of modern software-based
connected vehicles [15] due to their large attack surface and
connectivity (e.g., via V2X, 5G, Bluetooth, etc.) to the
surrounding smart ecosystem (vehicles, pedestrians,
infrastructure, etc.). These threats can compromise the
expected function of the platoon, and consequently leave
serious safety ramifications if the right countermeasures and
mitigations are not implemented.
Nevertheless, although considering security in trustworthy
V2X systems is not new [14,15], there are particular
considerations to secure platoon systems given the sticky and
group-based cooperation patterns. This paper only focuses on
filling this gap due to the size limits. (Interested readers can
refer to state of the art work of generic trustworthy V2X.) In
particular, we will present the security requirements in light
of the AIC triad model, while we refer to the STRIDE threat
model to discuss the possible (cyber)security threats [16].
A. Availability
A platoon is initiated by having at least two platoon-able
trucks identifiable via V2X Public Key Infrastructure
(PKI)—defined by IEEE 1609.2 [29] and ETSI TS 102 941
[30]for safety and legal reasons. From there onward, new
trucks cannot join the platoon without having a platoon
identification (ID) that must be associated to one or more PKI
keys (e.g., the leader); otherwise, a malicious/compromised
truck can spoof the platoon ID and take control of the platoon.
Similarly, a following platoon can drive an elevation of
privilege attack by taking over the leader's role using a
platoon ID that is not-linked to any PKI certificate.
To reduce the cryptographic overhead (of authentication and
encryption), group-based crypto schemes are used to allow
for in-platoon message broadcast. Maintaining this scheme
requires to consider a centralized group-key generation and
revocation (a leaving truck can authenticate via the group key
until it is revoked). Nevertheless, this raises the classical
centralization issue as single point of failure prone to DoS
attacks, and thus calls for novel decentralized solutions at the
platoon management and security levels. As in other V2X
systems, platooning trucks are assumed to have a modern AI-
assisted Intrusion Detection System (IDS) and firewalls to
detect DoS attacks [28]. However, a trustworthy platoon must
at least detect a DoS attack to be able to fail-safe: dissolve
itself. An advanced AI-based IDS is also required to guard
against Sybil attacks [17]. A vehicle/truck is often supplied
with tens or hundreds of PKI keys that are used with some
key rotation scheme to obfuscate its identity and mitigate
traceability. In V2X applications, this makes the truck prone
to Sybil attacks; however, since platoon trucks expect
frequent messages from their counterparts in the platoon, a
malicious truck could drive an internal Sybil attack, e.g.,
against the leader, while the latter could not easily
differentiate between a Sybil attack or a legitimate message.
This requires an AI-assisted technique to differentiate
malicious from legitimate messaging patterns.
B. Integrity
Integrity requirement govern platoon software and data at rest
and in transit. Any firmware/software updates must be
secured, as in other V2X applications. However, the effect
here is on the platoon level since a malicious software (e.g.,
leader application) can violate the application semantics and
regulations, and thus drive the platoon to unexpected
situations. This requires secure wireless diagnostic and Over-
the-Air (OTA) updates that work together with the firewall
and IDS to protect the software and data from tampering
attacks and malwares. In the same vein, integrity measures
(e.g., signatures and hash digests) must be implemented in the
platoon message exchange protocols to prevent
compromising the entire platoon due to MITM attacks and in-
transport message tampering [16]. Future platoons with more
autonomy and decentralization will require additional
consideration to data integrity among platoon trucks and non-
repudiation.
C. Confidentiality
Confidentiality requirements specific to platooning span the
platoon specific data and communication pattern. Platoon
applications are expected to incur more information about the
truck manufacturers, suppliers, and cargo operators (e.g.,
speed and acceleration limits, wireless quality, cargo weight,
destinations, etc.). This may require encrypting the data and
communication channels to defend external eavesdroppers.
However, being a cooperative system, an in-platoon trusted-
but-curious model can be assumed, and thus truck
manufacturers and operators must consider this cooperative
model while defining their data disclosure level.
VI. A METHODOLOGY PROPOSAL
In this section, we present a preliminary methodology for
requirement definition of holistic trustworthy platoons. We
aim for an improved and validated methodology in future
work. The motivation is based on our observation from the
three aspects we presented that platoon trustworthy
requirements are incomplete if analyzed from independent
perspectiveslikely by different analyst’s expertise. This
called for the need to address a holistic requirement analysis
by studying the dependencies of the involved perspectives,
layers, and components in a platoon system.
The methodology we propose is composed of two phases:
Definition and Iteration. We specify these phases in the
following, and we exemplify using two “instances” from the
requirements we defined in the previous sections.
A. Definition Phase
This phase starts by defining the dimensions to be considered
in the study, involving:
Pill: the five trustworthiness pillars (e.g., Safety);
Pers: the perspective in each pillars (e.g., driver);
Sys: the system view of a platoon (e.g., tactical);
Lay: the software layer (e.g., OSI stack layer).
Based on these dimensions, the general framework used to
define the trustworthiness requirement follows a conjunction
of instances of the form:
Pill(Pers.Sys.Lay).
To drive a comprehensive requirement analysis, different
levels of granularity can be addressed. A simple approach is
to pick each dimension, break it down into components,
exclude the non-considered ones (assumed trustworthy), and
then break down the component into sub-component. This
forms a tree-like structure where all non-excluded branches
are considered as instances to be analyzed.
B. Iteration Phase
In the Iteration phase, the analyst performs requirement
analysis in many iterative steps until all requirements are
covered at all dimensions defined in the Definition phase. We
propose in Fig. 5 a simple three-step iterative methodology,
based on the trustworthiness pillars, is followed per each
instance. The methodology starts with the functional
specification of the instance as a prerequisite. As shown in
Fig.5, each step defines the relevant requirement by
addressing the defined dimensions and considering the
requirements of the preceding step. In the case, at any step,
the trustworthy requirements cannot be satisfied, an Update
to the instance is made, e.g., modifying a technique or
functional requirements, adding a new component, etc., and
the iteration is repeated from step 1 until the requirements are
settled at all considered pillars. In Fig.5, safety and privacy
are chosen for step 1 being the most critical pillars pertinent
to the human or environment. As for step 2, in general,
reliability can be tackled before resilience since the latter is
considered a "backup" solution when reliability under normal
conditions is impossible. However, the dependency between
these two pillars may necessitate their joint consideration in
a solution. In step 3, the security analysis explicitly targets
reliability and resilience pillars (in step 2); further
investigation is required to ensure that the privacy and safety
are implicitly covered.
Fig. 5. Iterative methodology flowchart
C. Usage Examples
We demonstrate the methodology proposed in this paper by
giving two examples using the presented requirement
analysis in previous sections. We select the Conduct of
Platooning and “Emergency exiting and maneuvering”
presented in Table 1. Notice that the second case incurs
additional iterations since security requirements could not be
satisfied with the given communication requirements.
1) Dimension definition:
Pill: Safety; Reliability; Security;
Pers: driver; communication (comm);
Sys: operational; tactical; strategic;
Lay: OSI [1 to 7]; 0 means irrelevant; x means all.
2) Conduct of Platooning instance
Safety(driver.tactical.0) & Reliability(comm.tactical.1234)
& Security (comm.tactical.4567)
3) Emergency exiting and maneuvering instance
Safety(driver.tactical.0) & Reliability(comm.tactical.1234)
& Security (comm.tactical.4567)
D. Observations and Future Directions
The above methodology is a first step towards holistic
platoon trustworthy requirement analysis. It emphasizes the
need to address the dependencies across the different
dimensions and layers. We do not present an assessment to
the methodology, but we do provide some interesting
observations appealing for a more comprehensive and
systematic methodology in the future, together with a
convenient evaluation.
A key observation is the need to consider additional
trustworthiness pillars to ISO/IEC 20924:2018 (shown in Fig.
1) to bridge the gap between EU guidelines toward building
trustworthy AI [12, 18, 26]. Specifically, the role of the
human is not sufficiently addressed in current trustworthiness
considerations, both in terms of individual users and as
societal implications. As an example, the role of human
autonomy in platooning operations would prohibit systems
that require the human to monitor, for hours, a platooning
system in order to respond in split-seconds to a
disengagement. Such considerations are not visible from the
perspective of technical components and subcomponents and
therefore need to be taken into consideration of the planning
and designing process.
On the other hand, although the presented methodology
covers the dependencies across pillars for a single instance,
there is a need for more research to extend the methodology
to the transversal dependencies across different instances. We
also call for a more systematic approach for exhaustive and
rigorous trustworthy platoon analysis and evaluation. We
plan to address these open points in a future work.
VII. CONCLUSIONS
In this paper, we outlined three types of trustworthiness for
platooning operations that at first sight appear to be relatively
independent. In fact, these aspects of trustworthiness are
highly dependent on each other as they build on each other.
This drives towards a first-step methodology to consider
trustworthiness at a holistic platoon level. We present a
simple methodology in that direction. We consider extending
this into a more exhaustive approach with some validation.
Importantly, we draw the attention to this challenge, and in
particular, to bridge the gap between the ISO/IEC
20924:2018 and the EU guidelines of Trustworthy AI.
VIII. REFERENCES
[1] A. Fleury, M. Ackermann, F. Leonardi, and A. de Souza Mendes,
“Heavy-duty Truck Platooning: A Review,” presented at the 24th
ABCM International Congress of Mechanical Engineering, 2017, doi:
10.26678/ABCM.COBEM2017.COB17-0843.
[2] S. C. Calvert, G. Mecacci, D. D. Heikoop, and F. S. de Sio, “Full platoon
control in Truck Platooning: A Meaningful Human Control
perspective,” in 2018 21st International Conference on Intelligent
Transportation Systems (ITSC), Maui, HI, Nov. 2018, pp. 33203326,
doi: 10.1109/ITSC.2018.8570013.
[3] S.-M. Castritius, X.-Y. Lu, C. Bernhard, M. Liebherr, P. Schubert, and
H. Hecht, “Public acceptance of semi-automated truck platoon driving.
A comparison between Germany and California,” Transportation
Research Part F: Traffic Psychology and Behaviour, vol. 74, pp. 361
374, Oct. 2020, doi: 10.1016/j.trf.2020.08.013.
[4] ENSEMBLE, “Functional Specification for white-label truck.” 2019,
Accessed: Mar. 15, 2021. [Online]. Available:
https://www.acea.be/uploads/publications/ACEA_Automated_Driving
_Roadmap.pdf.
[5] J. Axelsson, “Safety in Vehicle Platooning: A Systematic Literature
Review,” IEEE Transactions on Intelligent Transportation Systems, vol.
18, no. 5, pp. 10331045, May 2017, doi: 10.1109/TITS.2016.2598873.
[6] B. Zhang, E. S. Wilschut, D. M. C. Willemsen, T. Alkim, and M. H.
Martens, “The Effect of See-Through Truck on Driver Monitoring
Patterns and Responses to Critical Events in Truck Platooning,” in
Advances in Human Aspects of Transportation, vol. 597, N. A. Stanton,
Ed. Cham: Springer International Publishing, 2018, pp. 842852.
[7] T. Robinson and E. Coelingh, “Operating Platoons On Public
Motorways: An Introduction To The SARTRE Platooning Programme,”
p. 11.
[8] US. Department of Transportation, “Cooperative Adaptive Cruise
Control: Human Factors Analysis.,” FHWA-HRT-13-045, p. 48, 2013.
[9] ACEA, “Automated Driving: Roadmap for the deployment fo
automated driving in the European Union,” 2019.
https://www.acea.be/uploads/publications/ACEA_Automated_Driving
_Roadmap.pdf (accessed Mar. 15, 2021).
[10] P. A. Hancock, “Some pitfalls in the promises of automated and
autonomous vehicles,” Ergonomics, pp. 117, Jan. 2019, doi:
10.1080/00140139.2018.1498136.
[11] M. R. Endsley, “From Here to Autonomy: Lessons Learned From
HumanAutomation Research,” Human Factors: The Journal of the
Human Factors and Ergonomics Society, vol. 59, no. 1, pp. 527, Feb.
2017, doi: 10.1177/0018720816681350.
[12] ISO/IEC, “Internet of Things (IoT) - Vocabulary”, ISO/IEC
20924:2018 International Standard. Available:
https://webstore.iec.ch/publication/60582 (accessed Mar. 22, 2021).
[13] M. Buchheit, F. Hirsch, and S. Schrecker, “A Short Introduction into
Trustworthiness.” Industrial Internet Consortium (IIC) Journal of
Innovation. White paper. (accessed Mar. 22, 2021).
[14] Schmidt, Teresa, Ralf Philipsen, and Martina Ziefle. "From v2x to
control2trust." International Conference on Human Aspects of
Information Security, Privacy, and Trust. Springer, Cham, 2015.
[15] Ghosal, Amrita, and Mauro Conti. "Security issues and challenges in
V2X: A Survey." Computer Networks 169 (2020): 107093.
[16] Shostack, Adam. Threat modeling: Designing for security. John Wiley
& Sons, 2014.
[17] Douceur, John R. "The sybil attack." International workshop on peer-
to-peer systems. Springer, Berlin, Heidelberg, 20.
[18] High-Level Expert Group on Artificial Intelligence. "Ethics Guidelines
for Trustworthy AI", Brussels, 2019.
[19] ISO/IEC 29182, Information technology - Sensor networks: Sensor
Network Reference Architecture (SNRA)- Part 1 to 7
[20] ITU- Y.2060: Overview of the Internet of things (Reference
Architecture). Available online at https://www.itu.int/rec/T-REC-
Y.2060-201206-I.29.
[21] IEEE. “IEEE 2413-2019 IEEE Standard for an Architectural
Framework for the Internet of Things (IoT) Available:
https://standards.ieee.org/standard/2413-2019.html, 2019.
[22] ISO/IEC 30141, Internet of Things (IoT) Reference architecture
[23] Alliance for Internet of Things innovation http://www.aioti.eu/. Last
accessed April 2020
[24] Lee, John D., and Katrina A. See. "Trust in automation: Designing for
appropriate reliance." Human factors 46.1 (2004): 50-80.
[25] European Automobile Manufacturers’ Association (ACEA). "EU
Roadmap for Truck Platooning.", 2017. Available:
https://www.acea.be/publications/article/infographic-eu-roadmap-for-
truck-platooning
[26] ISO/IEC, “InternetInformation technology Artificial intelligence
Overview of trustworthiness in artificial intelligence”, ISO/IEC TR
24028:2020 International Standard. Available:
https://www.iso.org/standard/77608.html (accessed on May, 2021).
[27] Schulze, Henrik, and Christian Lüders.Theory and applications of
OFDM and CDMA: Wideband wireless communications”. John Wiley
& Sons, 2005.
[28] El-Rewini, Zeinab, et al. "Cybersecurity challenges in vehicular
communications." Vehicular Communications 23 (2020): 100214.
[29] IEEE. “IEEE 1609.2-2016 - IEEE Standard for Wireless Access in
Vehicular Environments--Security Services for Applications and
Management Messages”. Available:
https://standards.ieee.org/standard/1609_2-2016.html (accessed on
May, 2021).
[30] ETSI.ETSI TS 102 941 V1.4.1. Intelligent Transport Systems (ITS);
Security; Trust and Privacy Management”, Jan., 2021.
... Shoker, et al. [10] define truck platooning as a form of convoy cooperative driving of connected trucks assisted by a lead truck. The objective is to reduce fuel and driving costs, improve road safety, and reduce CO 2 emission [10]. ...
... Shoker, et al. [10] define truck platooning as a form of convoy cooperative driving of connected trucks assisted by a lead truck. The objective is to reduce fuel and driving costs, improve road safety, and reduce CO 2 emission [10]. ...
Conference Paper
Autonomous follower truck convoy (AFTC) is a concept that addresses the major shortage of truck drivers and increasing transport costs. The AFTC concept can be described as a vehicle convoy concept consisting of two or more vehicles where the first, lead vehicle has a human driver and where the following vehicles in the convoy are driverless. The argument is made that this technology is less technically complex than single autonomous vehicles and targets higher economic values compared to driver-assisted platooning functions. The contribution of this paper is a viability study of the AFTC concept. The conclusions from the study are that the concept viability depends on the continuous evolvement of three main factors. The emergence of autonomous capabilities, legal frameworks, and logistics actors' interest in adapting current processes and infrastructure to meet the operational limitations of the concept.
Article
div>Automated vehicles (AVs) can get additional information from infrastructure and other vehicles via vehicle-to-everything (V2X) communication. However, how can an AV decide if the surrounding V2X field can reliably provide qualitative, relevant, and trustworthy information? Related research analyzes V2X performance from various angles. However, not only are there identified open gaps in the analysis of loaded channels, but there has also not yet been an effort to design a lightweight metric for rating the quality of the surrounding V2X field. Hence, this work aims to close this existing performance measurement gap and develop a metric for rating the quality of the surrounding V2X field. This article first highlights the gaps identified in performance analysis before closing them with a dedicated measurement campaign. Next, it combines these findings with related research to design a straightforward V2X field rating metric. The resulting V2X field rating metric is a starting point for the AD system to decide if sensor information from the V2X field should be directly incorporated or handled with care.</div
Article
Truck platooning technology has been widely studied for its advantages in traffic efficiency and energy savings. Although recent studies have made significant progress in specific scenarios, research on merging ramp trucks into the main road truck platoons remains insufficient. This paper proposes an innovative cooperative control method for merging ramp trucks and main road truck platoons based on vehicle-to-everything (V2X) technology. The method integrates the intelligent driver model (IDM), acceleration control logic for merging trucks before merging, lane-changing decision logic, steering control methods, and on-board unit (OBU) and roadside unit (RSU) communication technologies. This ensures that autonomous merging trucks can smoothly join the main road truck platoon under various insertion positions and acceleration lane lengths. After successfully joining the platoon, the merging trucks can maintain appropriate spacing and high speed, thereby improving overall traffic efficiency. Further analysis on different insertion positions and acceleration lane lengths reveals that when using the proposed method, merging trucks have the least impact on the overall platoon when they join at the head or tail of the main road truck platoon. Although the proposed method performs better with longer acceleration lanes, these lanes are costly to construct. The proposed method can also enable successful platoon joining with shorter acceleration lanes, optimizing the use of acceleration lanes to some extent.
Conference Paper
Full-text available
Cooperative awareness (CA) and collective perception (CP) deal with the exchange of perception data within vehicle-to-everything (V2X). The achievable and needed accuracy is not yet analyzed in detail. The baseline for accuracy is the data from simulations, recommendations provided by standards, or various perception datasets with a disconnect between localization accuracy and perception accuracy. We extended a state-of-the-art (SOTA) automated driving (AD) platform with CA/CP functionality in our work. We then deployed it on two street-legal AD demonstrators (ADDs) and did an extensive field test to acquire data. With the data, we show the achievable accuracy of SOTA systems and discuss the requirements for future implementations.
Preprint
Cooperative awareness (CA) and collective perception (CP) deal with the exchange of perception data within vehicle-to-everything (V2X). The achievable and needed accuracy is not yet analyzed in detail. The baseline for accuracy is the data from simulations, recommendations provided by standards, or various perception datasets with a disconnect between localization accuracy and perception accuracy. We extended a state-of-the-art (SOTA) automated driving (AD) platform with CA/CP functionality in our work. We then deployed it on two street-legal AD demonstrators (ADDs) and did an extensive field test to acquire data. With the data, we show the achievable accuracy of SOTA systems and discuss the requirements for future implementations.
Article
Full-text available
Automated vehicles and vehicle-to-everything (V2X) communication open the window for sharing of sensor data. This paper aims to provide a systematic view of the delay chain involved. We implemented collective perception (CP) into two street legal automated driving demonstrators (ADDs) to provide insight into the components’ delay. The implementation allowed us to gather highly accurate Quality of Service (QoS) measurements for V2X communication in practical field environments and to gather a set of delay measurements for a working CP system, accompanied by scalability discussions. The results provide a basis for evaluating the delay impact of single components and the applicability of CP use cases from the perspective of time advantage.
Article
Full-text available
In its latest report, the United States National Highway Traffic Safety Administration (NHTSA) registered some 37,300 fatalities for the yearly victims of motor vehicle accidents in 2017. Vehicle-to-everything (V2X) is playing an important role in improving road safety, traffic efficiency and infotainment systems. With the growth of the connected vehicle technology, V2X is emerging as a key component in the rapid rise of this technology. Therefore, researchers think that development of robust wireless communication through efficient V2X technologies can significantly improve the vehicular environment. The highly dynamic environment and the mobility factor appear to be challenging for implementation of V2X technology. Similar to other wireless technology, the security issues are also key concerns in V2X. In this survey, we highlight and discuss the main security issues of V2X. Particularly, the main objective of this survey is providing for a comprehensive and structured outline of different research directions and approaches, mostly emphasizing on the security issues and challenges in V2X communication technologies. At first, we discuss the key features of V2X and focus on the standardization techniques used for communication technologies. Then, we introduce the security challenges and requirements of V2X. We also classify present state-of-the-art works dealing with implementing different secured techniques in V2X. We further discuss the project implementation that concentrated on the various applications in V2X. Finally, we identify possible future research directions of V2X, particularly in the area of security.
Article
Full-text available
As modern vehicles are capable to connect to an external infrastructure and Vehicle-to-Everything (V2X) communication technologies mature, the necessity to secure communications becomes apparent. There is a very real risk that today's vehicles are subjected to cyber-attacks that target vehicular communications. This paper proposes a three-layer framework (sensing, communication and control) through which automotive security threats can be better understood. The sensing layer is made up of vehicle dynamics and environmental sensors, which are vulnerable to eavesdropping, jamming, and spoofing attacks. The communication layer is comprised of both in-vehicle and V2X communications and is susceptible to eavesdropping, spoofing, man-in-the-middle, and sybil attacks. At the top of the hierarchy is the control layer, which enables autonomous vehicular functionality, including the automation of a vehicle's speed, braking, and steering. Attacks targeting the sensing and communication layers can propagate upward and affect the functionality and can compromise the security of the control layer. This paper provides the state-of-the-art review on attacks and threats relevant to the communication layer and presents countermeasures.
Conference Paper
Full-text available
This paper presents a review of theoretical and experimental works related to heavy-duty truck platooning. The platoon formation is characterized by the string of vehicles traveling with small separation distances. Only the first vehicle is driven by a human driver while the followers are assisted by the control system. The main goal of this approach is to reduce fuel consumption and greenhouse gas emissions. This is achieved because the proximity of the vehicles in this configuration provides a more efficient airflow around the set of trucks reducing the overall energy consumption. In addition, the platoon configuration allows the increase of road safety, transport capacity, driver comfort and reduce congestion and personnel cost due to the lack of human intervention in the following vehicles. The academic studies related to heavy-duty truck platooning are reviewed according to three research areas: fuel consumption in truck platoons, maintenance of platoon formation and truck coordination. In this paper, the state of the art in each of these areas is presented, the related publications are categorized according to their focus of contribution and potential future research directions are discussed.
Article
Platooning technology aims at achieving fuel savings by reducing the distance between two or more electronically coupled vehicles. This technology has recently been tested on public highways with heavy trucks in Germany and California. The objective of this study is to assess the level of acceptance among other road users as well as influencing factors of acceptance. An online questionnaire was administered in Germany and California with a total of N = 536 participants. They received information about truck platoon driving (level-1 and level-2 automation) and answered questions about their attitudes towards the technology as well as their behavioral intention to cooperate with the truck platoons. The overall results showed that 70% of respondents indicated acceptance towards the technology, with acceptance rates being significantly higher in California than in Germany. German respondents were more willing to drive into the gap of platoon vehicles and preferred larger platooning gaps. An adaption of the Technology Acceptance Model (TAM) showed that the expected usefulness, and the expected ease of sharing the highway, were the strongest predictors for the behavioral intention to cooperate with platoon vehicles. However, the intention to cut in between platoon vehicles could not be predicted by these variables. Cut-in vehicles are a potential safety risk and decrease the efficiency of platoon driving. Therefore, future research should focus on finding behavioral countermeasures.
Article
Differing forms of self-operating transportation are already among us and some have been in operation now for an extended period of time. From elevators and escalators to airport transit trams we already use many fully automatic systems. Now such technologies are very publicly and prominently penetrating into the on-road environment of everyday personal vehicle usage. The present paper raises and addresses a number of the specific and more general human factors/ergonomic issues associated with such an evolutionary step. One particular concern is that of identified responsibility when such systems fail to perform flawlessly. The ways in which this (r)evolution will impact the social and cultural fabric of affected societies is also considered. Further observations as to the vector of the future characteristics of these vehicular forms and how they and other autonomous systems will affect our world are examined. The very future of the human experience depends upon the ways in which such systems are designed, enacted, and integrated into everyday life and these are fundamentally ergonomic endeavours.
Conference Paper
Automated platooning of trucks has its beneficial effects on energy saving and traffic flow efficiency. The vehicles in a platoon, however, need to maintain an extremely short headway to achieve these goals, which will result in a heavily blocked front view for the driver in a following truck. Monitoring surrounding traffic environment and foreseeing upcoming hazardous situations becomes a difficult, yet safety-critical task. This exploratory study aims to investigate whether providing platoon drivers with additional visual information of the traffic environment can influence their monitoring pattern and increase awareness of the upcoming situation. 22 professional truck drivers participated in the driving simulator experiment, either following a see-through lead truck (i.e., with projection of forward scene attached to the rear of the lead truck), or a normal lead truck until the automation system failed unexpectedly in a critical situation. Results showed that when provided with front view projection, the participants spent 10% more time monitoring the road, and responded less severely to a critical situation, suggesting a positive effect of the “see-through” technology.
Article
As autonomous and semiautonomous systems are developed for automotive, aviation, cyber, robotics and other applications, the ability of human operators to effectively oversee and interact with them when needed poses a significant challenge. An automation conundrum exists in which as more autonomy is added to a system, and its reliability and robustness increase, the lower the situation awareness of human operators and the less likely that they will be able to take over manual control when needed. The human-autonomy systems oversight model integrates several decades of relevant autonomy research on operator situation awareness, out-of-the-loop performance problems, monitoring, and trust, which are all major challenges underlying the automation conundrum. Key design interventions for improving human performance in interacting with autonomous systems are integrated in the model, including human-automation interface features and central automation interaction paradigms comprising levels of automation, adaptive automation, and granularity of control approaches. Recommendations for the design of human-autonomy interfaces are presented and directions for future research discussed.
Article
Vehicle platooning has been studied for several decades, with objectives such as improved traffic throughput on existing infrastructure or reduced energy consumption. All the time, it has been apparent that safety is an important issue. However, there are no comprehensive analyses of what is needed to achieve safety in platooning, but only scattered pieces of information. This paper investigates, through a systematic literature review, what is known about safety for platooning, including what analysis methods have been used, what hazards and failures have been identified, and solution elements that have been proposed to improve safety. Based on this, a gap analysis is performed to identify outstanding questions that need to be addressed in future research. These include dealing with a business ecosystem of actors that cooperate and compete around platooning, refining safety analysis methods to make them suitable for systems-of-systems, dealing with variability in vehicles, and finding solutions to various human factors issues.
Book
Theory and Applications of OFDM and CDMA is an ideal foundation textbook for those seeking a sound knowledge of this fast-developing field of wideband communications. The advanced transmission techniques of OFDM, applied in wireless LANs and in digital and video broadcasting, and CDMA, the foundation of 3G mobile communications, have been part of almost every communication system that has been designed in recent years, with both offering a high degree of flexibility in adjusting the system to the requirements of the application and to the impairments caused by the transmission channel. Starting from the basics of digital transmission theory, the reader gains a comprehensive overview of the underlying ideas of these techniques and their strengths and weaknesses under various conditions. In this context, the specific requirements of the mobile radio channel and their relevance for the design of digital transmission systems are discussed and related to the items of channel coding and modulation. Clear explanation of the basics of digital communications, mobile radio channels, coding and modulation, OFDM as a multicarrier system and CDMA as an application of spread spectrum techniques. Discusses the most important mobile radio and digital broadcasting systems that use OFDM and CDMA, and explains in detail the underlying ideas for the choice of system parameters. Progresses from the fundamentals of wideband communication through to modern applications. Includes a Companion Website featuring a solutions manual, electronic versions of the figures and other useful resources This volume will be an invaluable resource to advanced undergraduate students and first/second year postgraduates of electrical and engineering and telecommunications. It will also appeal to practising engineers, researchers and those in academia who wish to expand their knowledge on modern aspects of digital communications and systems in a mobile radio environment.