Longitudinal Control for Connected and Automated Vehicles in Contested Environments

: The Society of Automotive Engineers (SAE) deﬁnes six levels of driving automation, ranging from Level 0 to Level 5. Automated driving systems perform entire dynamic driving tasks for Levels 3–5 systems. Proposed vehicle-following model and longitudinal control functions are veriﬁed for fourteen vehicle models, operating in manual, automated, and cooperative automated modes over two driving schedules under three malicious fault magnitudes on transmitted accelerations.


SAE defines six levels of driving automation •
Level 0: drivers perform entire dynamic driving tasks; • Level 1: driver assistance systems execute either longitudinal or lateral vehicle motion control subtask, and drivers perform all remaining dynamic driving tasks; • Level 2: driver assistance systems execute both longitudinal and lateral vehicle motion control subtasks, and drivers perform all remaining dynamic driving tasks; • Levels 3-5: automated driving systems perform entire dynamic driving tasks [1].
Dynamic driving tasks are real-time operational (e.g., longitudinal and lateral vehicle motion control) and tactical (e.g., object and event detection, recognition, classification, and response preparation) functions required to operate a vehicle. Delegating dynamic driving tasks to automated driving systems can eliminate 94% of crashes attributed to driver errors [2].
Cooperative driving automation enables cooperation among road users, intending to enhance dynamic driving task performance, safety, and traffic operations. Cooperative driving automation can prevent 439,000 to 615,000 crashes, save 987 to 1366 lives, reduce 305,000 to 418,000 maximum abbreviated injury scale 1-5 injuries, and eliminate 537,000 to 746,000 property damage only vehicles annually [3]. Vehicles equipped with cooperative automated driving systems can also follow their leaders at shorter gaps and with less variation in acceleration than vehicles dedicated to automated driving systems. SAE defines four classes of cooperative driving automation cooperation: Class A (status-sharing), Class B (intent-sharing), Class C (seeking-agreement), and Class D (prescriptive) [4]. Classes C-D cooperative driving automation cooperation can be achieved at Levels 3-5 driving automation.
Cooperative automated driving systems can be simulated using a vehicle dynamics simulation tool (e.g., CarMaker and CarSim) or a traffic microsimulation tool (e.g., Vissim and Aimsun). Vehicle dynamics simulation tools are mainly used to simulate longitudinal, lateral, and vertical dynamics on a small scale, while traffic microsimulation tools are mainly used to simulate vehicle-following, lane-changing, and gap-acceptance behaviors on a large scale.

•
Verification scale: Vehicle dynamics simulation tools cannot simulate many vehicles in each scenario. • Verification resolution: Conventional traffic microsimulation tools cannot estimate microscopic (e.g., reduction in distance gaps and time gaps) or macroscopic (e.g., increase in road capacity) benefits associated with driving automation or cooperative driving automation with reasonable accuracy; • Vehicle powertrain (i.e., engine, transmission, and driveline): Conventional traffic microsimulation tools do not simulate vehicle powertrain; • Maximum acceleration and maximum deceleration: Conventional traffic microsimulation tools estimate or use constant maximum accelerations and maximum decelerations. Aimsun considers maximum acceleration of 8.2 ft/s 2 and maximum deceleration of 6.6 ft/s 2 as default [5]. Vissim estimates maximum acceleration as a max (t) ≈ 3.5(1 − v(t)/40) and maximum deceleration as d max (t) ≈ 20(1 − v(t)/800), where a max is maximum acceleration (m/s 2 ), v is speed (m/s), and d max is maximum deceleration (m/s 2 ) [5]-since all units in Vissim User Manual are metric, metric units are preferred to report these regression models with full precision. However, maximum acceleration and maximum deceleration are sensitive to vehicle model, grade, pavement conditions, and traffic conditions; • Longitudinal control variables: Conventional longitudinal control functions (e.g., Adaptive Cruise Control (ACC), Cooperative Adaptive Cruise Control (CACC)) rely on constant distance gaps, time gaps, and controller coefficients, potentially sacrificing safety (i.e., when short gaps are set) or reducing road capacity (i.e., when long gaps are set). Conventional traffic microsimulation tools rely on user inputs for distance gap, time gap, and longitudinal controller coefficients (e.g., proportional, integral, and derivative) to simulate vehicles in a platoon or string. However, distance gap, time gap, and longitudinal controller coefficients are sensitive to driver characteristics, vehicle model, grade, pavement conditions, operating mode, malicious fault magnitude, and traffic conditions. • Contested environments: Onboard sensor measurements and transmitted messages are inherently prone to noise, natural fault, and malicious fault. Minor faults may lead to malfunction or even failure if not responded promptly. A single cyberattack can cost an average original equipment manufacturer $1.6 billion a year, assuming one individual recall costs $800 [6]. From 2010 to 2021, 367 cyberattacks on connected vehicles have been reported [6].
A cyberattack can exploit one user application's vulnerabilities (e.g., spoofing, data falsification, and replay attacks) or multiple user application vulnerabilities (e.g., denial-of-service attack), leading to severe consequences for vehicle and potentially its operating environment [7]. Spoofing, data falsification, replay, and denial-of-service attacks are common cyberattacks on connected vehicles [8]. Spoofing attack is when hackers steal authentication credentials or use a legitimate vehicle's identity to send unchanged or manipulated messages to other vehicles; data falsification attack is when hackers read, insert, or modify transmitted messages; replay attack is when hackers copy a message stream between two vehicles and repeat that stream to other vehicles; denial-of-service attack is when hackers prevent or interfere with target vehicles from receiving specific messages. Conventional fault detection methods are broadly classified into model-driven and data-driven methods [9]. Model-driven methods (e.g., unknown input observer and Kalman filter) require partial plant model; data-driven methods (e.g., neural network) require measured inputs and outputs under normal and faulty conditions to derive plant model. Model-driven methods are more computationally intensive but more accurate than data-driven methods [10]. Conventional traffic microsimulation tools do not simulate contested environments. A simple strategy is to rely on onboard sensor measurements when there is a significant discrepancy between onboard sensor measurements and transmitted messages [11].
Our traffic microsimulation tool is superior to vehicle dynamics simulation tools and conventional traffic microsimulation tools because it can achieve these objectives Contested environments: employ a reduced-order Kalman filter unknown input observer to estimate distance gap, speed, and acceleration with reasonable accuracy at each simulation time step for vehicles dedicated to automated driving systems or equipped with cooperative automated driving systems under noise (e.g., measurement noise and process noise) and unknown inputs (e.g., noise with unknown statistics, natural fault, and malicious fault).

Literature Review
Longitudinal control variables are mostly treated as constant parameters (see Tables 1 and 2) or variables estimated using empirical or simplified mechanistic models. However, maximum acceleration, maximum deceleration, minimum safe distance gap, and minimum safe time gap are sensitive to driver characteristics, vehicle model, grade, pavement conditions, operating mode, and traffic conditions. Akçelik and Besley (2001) empirically estimated maximum acceleration and maximum deceleration based on initial speed and final speed for passenger cars, and based on initial speed, final speed, power-to-weight ratio, and grade for trucks [14]. Ahn et al. (2002) generated a lookup table to identify maximum acceleration over 17 driving schedules (see Table 3) [15]. Fang and Elefteriadou (2005) recommended a maximum acceleration and a maximum deceleration for each vehicle classification (i.e., passenger car and truck), interchange configuration (i.e., Single-Point Urban Interchange (SPUI) and diamond), and traffic microsimulation tool (i.e., Vissim, Aimsun, and CORSIM) (see Table 4) [16]. Kuriyama et al. (2010) considered aerodynamic resistance, rolling resistance, and grade resistance in calculating acceleration and deceleration for electric vehicles [17]. Maurya and Bokare (2012) generated a lookup table to identify maximum deceleration for each vehicle classification at each speed range (see Table 5) [18]. Lee et al. (2013) considered a higher maximum acceleration (13.1 ft/s 2 vs. 10.0 ft/s 2 ) and a lower maximum deceleration (9.8 ft/s 2 vs. 15.0 ft/s 2 ) for connected vehicles than the Federal Highway Administration's recommended maximum acceleration and maximum deceleration [19]. Anya et al. (2014) believed vehicle-following, lane-changing, travel time, and queue discharge had an impact on maximum acceleration and maximum deceleration [20]. Song et al. (2015) empirically estimated maximum acceleration based on speed [21]. Bokare and Maurya (2017) generated two lookup tables to identify maximum acceleration and maximum deceleration for each vehicle classification (i.e., diesel car, petrol car, and truck) at each speed range (see Table 6) [22]. Ramezani et al. (2018) generated a lookup table to identify maximum acceleration for trucks in CACC mode at each speed range (see Table 7) [23]. Shladover et al. (2010) identified that drivers maintain 2.2 s, 1.6 s, and 1.1 s time gaps for 31.1%, 18.5%, and 50.4% of their vehicle-following time in ACC mode, respectively, and drivers maintain 0.6 s, 0.7 s, 0.9 s, and 1.1 s time gaps for 57%, 24%, 7%, and 12% of their vehicle-following time in CACC mode, respectively [24]. Willigen et al. (2011) recommended a distance headway and a time headway for each platoon size (i.e., 20 and 30) and operating mode (i.e., ACC, CACC with transmitted accelerations, and CACC with estimated accelerations) (see Table 8) [25]. Horiguchi and Oguchi (2014) calculated distance gap for vehicles in CACC mode based on minimum safe distance gap, follower's speed, leader's speed, maximum acceleration, and maximum deceleration [26]. Flores et al. (2017) calculated time gap based on minimum safe time gap, desired time gap, and speed, and calculated distance gap based on actuator delay, speed, maximum deceleration, and maximum jerk [27]. Askari et al. (2017) calculated distance gap based on minimum safe distance gap, follower's speed, reaction time, leader's speed, maximum acceleration, and maximum deceleration [28]. Flores and Milanés (2018) recommended a time gap for each controller type (i.e., fractional-order proportional derivative and integer-order proportional derivative), desired performance (i.e., ensuring loop bandwidth, phase margin, and string stability), and operating mode (i.e., ACC and CACC) (see Table 9) [29]. Chen et al. (2019) calculated time gap for vehicles in ACC and CACC modes based on jam density, free-flow speed, follower's speed, follower's acceleration, and leader's acceleration [30]. Bian et al. (2019) recommended a time headway for each platoon size (i.e., 1, 3, 10, 20, and 30) and controller type (i.e., linear, nonlinear, and nonlinear subject to communication delay) (see Table 10) [31].
Conventional traffic microsimulation tools (1) should be integrated with a vehicle dynamics simulation tool to simulate vehicle powertrain [32], (2) employ kinematics to estimate quantities associated with motion [33], (3) automatically confine accelerations and decelerations to constant (e.g., Aimsun and MITSIM) or estimated (e.g., Vissim and INTE-GRATION) maximum accelerations and maximum decelerations, and (4) rely on constant distance gaps and time gaps to simulate longitudinal control for automated vehicles in a platoon or string. This research proposes a traffic microsimulation tool that can estimate maximum acceleration, maximum deceleration, minimum safe distance gap, and minimum safe time gap with reasonable accuracy at each simulation time step for convectional vehicles, vehicles dedicated to automated driving systems, and vehicle equipped with cooperative automated driving systems, considering driver characteristics (see Section 3.1), vehicle model (see

Proposed Traffic Microsimulation Tool
Our traffic microsimulation tool enables users to customize driver (see Section 3.1), vehicle (see Section 3.2), road (see Section 3.3), cyberattack (see Section 3.4), and operating mode (see Section 3.5) modules separately. Our traffic microsimulation tool contains ten driver types (conservative to aggressive), fourteen vehicle models (i.e., ten passenger car models and four truck configurations), two driving schedules (i.e., US06 and Cycle D), three malicious fault magnitudes (i.e., malicious increases of 1, 3, and 5 ft/s 2 in transmitted accelerations), and three operating modes (i.e., cooperative automated, automated, and manual) as default to simulate many vehicles with reasonable accuracy at each simulation time step under noise and unknown inputs. Vehicles in manual mode require driver, vehicle, and road modules; vehicles in automated mode require vehicle and road modules; vehicles in cooperative automated mode require vehicle, road, and cyberattack modules to be implemented (see Figure 1).

Driver Module
Ten driver types are considered as default (based on an assumed value in CORSIM-a traffic microsimulation tool): type 1 is a conservative driver; type 10 is an aggressive driver. Each driver type is associated with a speed multiplier, an acceleration multiplier, a deceleration multiplier, and a percentage included in traffic which follows a normal distribution as default [63]. Each vehicle is associated with a torque map, a drag coefficient, a width, a height, a weight, a wheelbase length, a wheel radius, a differential gear ratio, a drive axle slippage, a drivetrain efficiency, a transmission gear ratio, shift up speeds, shift down speeds, and a percentage included in traffic which follows a normal distribution as default [63]. Vehicle module contains vehicle generation, reference speed profiles, and vehicle dynamics submodules: Vehicle dispatching model in Section 3.2.1 is intended to generate many vehicles at an assumed entrance under steady-state conditions; platoon leaders are assumed to follow US06 and Cycle D driving schedules (see Section 3.2.2); maximum acceleration, maximum deceleration, minimum safe distance gap, and minimum safe time gap are estimated based on vehicle dynamics (see Section 3.2.3).

Vehicle Generation
Entry headways follow shifted negative-exponential distribution where f is probability density function, h is entry headway (s/veh), h min is minimum entry headway (s/veh), λ is distribution parameter (veh/s) calculated as 1/(h − h min ),h is average entry headway (s/veh) calculated as 3600/q, and q is flow rate (veh/h).

Reference Speed Profiles
US06 and Cycle D driving schedules are used as reference speed profiles. US06 driving schedule is designed to test passenger cars, representing an 8-mile route with average speed of 70.4 ft/s, maximum speed of 117.8 ft/s, maximum acceleration of 12.3 ft/s 2 , maximum deceleration of 10.1 ft/s 2 , and 600 s duration. Cycle D driving schedule is designed to test trucks, representing a 5.6-mile route with average speed of 27.6 ft/s, maximum speed of 85.1 ft/s, maximum acceleration of 6.4 ft/s 2 , maximum deceleration of 6.8 ft/s 2 , and 1060 s duration.

Vehicle Dynamics
Conventional longitudinal control functions control accelerations and decelerations using throttle and brake inputs to maintain a constant distance gap in a platoon (e.g., truck platooning) or a constant time gap in a string (e.g., ACC and CACC). Commanded accelerations and decelerations are automatically confined to maximum accelerations and maximum decelerations specific to vehicle model, grade, pavement conditions, and traffic conditions. Longitudinal controller coefficients can be tuned to achieve desired performance. Conventional traffic microsimulation tools require user inputs for maximum acceleration, maximum deceleration, distance gap, time gap, and longitudinal controller coefficients to simulate vehicles in a platoon or string.
Our traffic microsimulation tool follows these steps at each simulation time step to simulate vehicles in a platoon or string: (1) estimating maximum acceleration and maximum deceleration for each vehicle, considering vehicle model, grade, pavement conditions, and traffic conditions, (2) estimating minimum safe distance gap and minimum safe time gap for each vehicle dedicated to automated driving systems or equipped with cooperative automated driving systems, considering vehicle model, grade, pavement conditions, operating mode, vehicle-to-vehicle communication vulnerabilities, and traffic conditions, (3) checking preset distance gaps and preset time gaps with minimum safe distance gaps and minimum safe time gaps, (4) estimating accelerations and decelerations, considering operating mode, and (5) confining accelerations and decelerations to maximum accelerations and maximum decelerations.
Three significant forces against vehicle motion are aerodynamic resistance, rolling resistance, and grade resistance. Aerodynamic resistance can be calculated as where R a is aerodynamic resistance (lb), ρ is air density (slugs/ft 3 ), C D is drag coefficient (unitless), A f is vehicle frontal area (ft 2 ) calculated as vehicle width (ft) × vehicle height (ft), v is speed (ft/s), and [k] denotes simulation time step. Rolling resistance can be estimated as where R rl is rolling resistance (lb), f rl is rolling resistance coefficient (unitless) estimated as 0.01(1 + v[k]/147) for vehicles operating on paved surfaces [64], and W is vehicle weight (lb). Grade resistance can be calculated as where R g is grade resistance (lb), and θ is grade (unitless). Tractive effort available to overcome resistance and to provide acceleration can be calculated as where F is available tractive effort (lb), F max is maximum tractive effort (lb), and F e is engine-generated tractive effort (lb). Maximum tractive effort can be calculated as where µ is road adhesion coefficient (unitless), l r is distance from rear axle to gravity center (ft), h is vehicle height (ft), L is wheelbase length (ft), and l f is distance from front axle to gravity center (ft). Engine speed can be calculated as where n e is engine speed (revs/s), 0 is overall gear reduction ratio (unitless), calculated as transmission gear ratio (unitless), selected based on vehicle speed) × differential gear ratio (unitless), r is wheel radius (ft), and i is drive axle slippage (unitless). Engine power can be calculated as where hp e is engine power (hp), and M e is torque (ft-lb). Engine-generated tractive effort can be calculated as where η d is drivetrain efficiency (unitless). Maximum braking force can be calculated as where B max is maximum braking force (lb), and η b is braking efficiency (unitless). Maximum acceleration can be estimated as where a max is maximum acceleration (ft/s 2 ), and γ m is mass factor (untiless) estimated as 1.04 + 0.0025 2 0 [k] [64], accounting for rotational inertia during acceleration. Maximum deceleration can be estimated as [63] where d max is maximum deceleration (ft/s 2 ), and γ b is mass factor (unitless), accounting for rotational inertia during deceleration. Minimum safe distance gap can be estimated as [63] where S min is minimum safe distance gap (ft), τ s is sensing delay (s), τ c is communication delay (s), subscript/superscript i + 1 denotes follower, subscript/superscript i denotes leader, and S stop is minimum stopping distance (ft) estimated as Minimum safe time gap can be estimated as [63] T where T min is minimum safe time gap (s), and τ lag is lag in tracking desired deceleration (

Road Module
Any desired freeway segment with a single lane can be simulated. Each freeway segment is associated with a grade, a road adhesion coefficient, and a free-flow speed.

Cyberattack Module
Three malicious fault magnitudes are assumed as default: 1, 3, and 5 ft/s 2 malicious increase in transmitted accelerations. Each malicious fault magnitude is associated with a percentage injected on traffic which follows a normal distribution as default.

Operating Mode Module
Three operating modes are considered as default: manual, automated, and cooperative automated. Each operating mode is associated with a percentage included in traffic which follows a normal distribution as default. This section proposes a vehicle-following model for vehicles in manual mode and longitudinal control functions for vehicles in automated and cooperative automated modes.

Manual Mode
Levels 1 and 2 automated vehicles are assumed to have a vehicle-following model similar to the Improved Intelligent Driver Model (IIDM) where n is acceleration multiplier (unitless), C s is distance gap coefficient (unitless) calcu- m is speed multiplier (unitless), FFS is free-flow speed (ft/s), q is deceleration multiplier (unitless), and α and β are calibration parameters (unitless). IIDM has fewer calibration parameters and demonstrates a more stable performance than Wiedemann model (i.e., vehicle-following model used in Vissim) [68].
Assumption 2. There are three significant components underpinning a traffic microsimulation tool (i.e., vehicle-following, lane-changing, and gap-acceptance models). This research mainly focuses on vehicle-following models, assuming vehicles drive in a single lane, and there is no lane-change maneuver (i.e., lane-changing and gap-acceptance models are not required). However, a lane-change maneuver can temporarily affect vehicle-following behaviors (e.g., drivers speed up or slow down to align with acceptable gaps in target lanes; drivers temporarily adopt shorter gaps after a lane-change maneuver; drivers temporarily adopt shorter gaps after a vehicle merges in front).

Automated Mode
When (1) a vehicle dedicated to automated driving systems approaches a vehicle, or (2) a vehicle equipped with cooperative automated driving systems approaches a vehicle not equipped with cooperative automated driving systems, a longitudinal control function similar to ACC is activated [69] where K p,a is proportional gain in automated mode (s −2 ), e x is distance gap error (ft) calculated as , T set is preset time gap (s), K d,a is derivative gain in automated mode (s −1 ), and e v is speed error (ft/s) calculated as . When no leader is detected, a longitudinal control function similar to cruise control is activated where K p,cr is proportional gain in cruise mode (s −1 ). K p,a and K d,a should satisfy (18) to maximize road capacity without compromising safety [63]

Cooperative Automated Mode
When a vehicle equipped with cooperative automated driving systems approaches another vehicle equipped with cooperative automated driving systems, a longitudinal control function similar to CACC is activated [69] where K p,c is proportional gain in cooperative automated mode (s −1 ), K i,c is integral gain in cooperative automated mode (s −2 ), and K d,c is derivative gain in cooperative automated mode (unitless).

Assumption 3. Class B cooperative driving automation cooperation is utilized.
Assumption 4. x i and v i are prone to measurement noise and process noise, and a i is prone to measurement noise, process noise, natural fault, and malicious fault (i.e., x i and v i are known state subvectors, and a i is an unknown state subvector).

State and Unknown Input Estimation
Consider a state-space model in which unknown inputs can be modeled as an additive term where x ∈ R n is state vector, A ∈ R n×n is state matrix, B ∈ R n×p is input matrix, u ∈ R p is input vector, D ∈ R n×q is unknown input matrix, d ∈ R q is unknown input vector, ξ ∈ R n is process noise, z ∈ R m is measurement vector, C ∈ R m×n is measurement matrix, and θ ∈ R m is measurement noise.

Assumption 5. D is full column rank.
Assumption 6. rank CD = rank D.

Let us define x[k]
where x 1 ∈ R n−q is known state subvector, x 2 ∈ R q unknown state subvector, Remark 5. D is full column rank, rank CD = rank D, and rank [72].
State vector can be decoupled into known and unknown state subvectors. Known state subvector can be estimated aŝ wherex 1 ∈ R n−q is known state estimator (x 1 [k] →x 1 [k] as k → ∞), L * [k] L[k]U 2 + E 1 , L * ∈ R (n−q)×m , and L ∈ R (n−q)×(m−q) is Kalman gain, calculated as where Σ ∈ R (n−q)×(n−q) can be recursively calculated as Unknown state subvector can be estimated aŝ wherex 2 ∈ R q is unknown state estimator (x 2 [k] →x 2 [k] as k → ∞). Unknown input vector can be estimated aŝ whered ∈ R q is unknown input estimator, G d,1 ∈ R q×(n−q) , G d,2 ∈ R q×m , and G d,3 ∈ R q×p . A controller can be further designed based ond, z, and x des , where x des ∈ R n is our desired state vector [73][74][75][76][77].

Test Scenario
Let us consider a traffic with ten driver types and fourteen vehicle models operating in manual, automated, and cooperative automated modes over US06 and Cycle D driving schedules with given conditions in Table 11 under malicious increases of 1 ft/s 2 , 3 ft/s 2 , and 5 ft/s 2 in transmitted accelerations, where

Results
Distance gap, speed, and acceleration profiles are shown in Figures 2-4 (2) vehicles over Cycle D driving schedule are more sensitive to fault magnitude than vehicles over US06 driving schedule (see Table 15), since vehicles over Cycle D driving schedule have lower average speeds and, therefore, maintain shorter time gaps than vehicles over US06 driving schedule; (3) passenger cars are more sensitive to fault magnitude than trucks, particularly at lower magnitude faults (see Table 15), since passenger cars maintain shorter time gaps than trucks; (4) errors in distance gap, speed, and acceleration are proportional to fault magnitude (see Tables 12-14); (5) errors in distance gap, speed, and acceleration are not sensitive to driving schedule; (6) distance gap is most sensitive state; (7) acceleration is least sensitive state; (8) adding 3.4 ft to estimated distance gaps, deducting 2.6 ft/s from estimated speeds, or deducting 0.8 ft/s 2 from estimated accelerations can mitigate impacts of up to malicious increase of 5 ft/s 2 in transmitted accelerations (as a hypothesis) (see Tables 12-14), (9) higher magnitude faults lead to earlier crashes (see Table 15).    (j) 1998 Chevy S10 Blazer.  (l) 1998 Chevy S10 Blazer.    (j) 1998 Chevy S10 Blazer. (l) 1998 Chevy S10 Blazer.        (j) 1998 Chevy S10 Blazer. (l) 1998 Chevy S10 Blazer.
where v normal is speed in normal conditions, and v f aulty is speed in faulty conditions, ** in absence of our proposed state and unknown input estimation model. , where a normal is acceleration in normal conditions, and a f aulty is acceleration in faulty conditions, ** in absence of our proposed state and unknown input estimation model. Levels 1 and 2 automated vehicles are assumed to maintain minimum safe distance gap in a string; vehicles dedicated to automated driving systems and vehicles equipped with cooperative automated driving systems are assumed to maintain minimum safe time gap in a string; vehicles are assumed to maintain minimum safe distance gap in a platoon at each simulation time step to maximize road capacity without compromising safety or string stability. Therefore, increasing demand up to road capacity would not impact outputs (e.g., distance gap, time gap, speed, and acceleration) significantly. Demands exceeding road capacity will spill back behind entrance.

Discussion
Existing simulation tools may overestimate safety and road capacity improvements associated with cooperative driving automation due to not considering vehicle model and vehicle-to-vehicle communication vulnerabilities on a large scale. This research modifies a vehicle-following model for conventional vehicles, a longitudinal control function for vehicles dedicated to automated driving systems, and a longitudinal control function for vehicles equipped with cooperative automated driving systems, considering vehicle model and vehicle-to-vehicle communication vulnerabilities to maximize road capacity without compromising safety or string stability. Our proposed traffic microsimulation tool can be used to verify automated driving systems and cooperative automated driving systems in contested environments.
Drivers are assumed to drive in a single lane, and there is no lane-change maneuver, while a lane-change maneuver can temporarily affect vehicle-following behaviors. Future work can model other significant components underpinning a traffic microsimulation tool (i.e., lane-changing and gap acceptance) • model motivation for mandatory, active, and discretionary lane-change maneuvers; • model mandatory, active, and discretionary lane-change gap acceptance; • model before lane-change, after lane-change, receiving, and yielding vehicle-following for each facility type (e.g., on-ramp and off-ramp); • model lateral control for autonomous vehicles; • model string operations (e.g., maximum platoon size, inter-platoon time gap, and cut-in and cut-out maneuvers).
Microscopic measures (e.g., distance headway and time headway) can be aggregated to macroscopic measures (e.g., density and flow) as k 1/s and q = 3600 ×h, where k is density (veh/ft), ands is average distance headway (ft/veh). Future work can estimate macroscopic benefits associated with cooperative driving automation (e.g., increase in lane capacity) under various market penetration for autonomous and connected autonomous vehicles. Table 16 recommends potential improvements to our proposed longitudinal controller. Table 16. Recommended control designs.

Future Work Description
Formulation Fault and Delay Most common cyberattacks can be modeled as fault (e.g., data falsification and spoofing attacks) or delay (e.g., denial-of-service attack).

Detection Kalman Filter & Neural Network
Conventional fault-resilient longitudinal controllers are model-driven or data-driven, but not combined, potentially sacrificing accuracy or simulation speed.

Compensation
Adaptive Controller Estimated distance gaps can be increased in proportion to cyberattack magnitude.