Modelling and Analysis of Adaptive Cruise Control System Based on Synchronization Theory of Petri Nets

The ACC (adaptive cruise control) system has developed rapidly in recent years, and its reliability and safety have also attracted a lot of attention. The ACC system can realize automatic driving following the vehicle in the longitudinal range, and its reliability is closely related to the synchronization between two vehicles. Combined with formal modelling methods, this paper analyzes and detects the logical flaw that is poor synchronization in the following process of the ACC system from the perspective of synchronization. Aiming at avoiding this kind of logical flaw, this paper presents a novel optimized modelling solution based on the synchronization theory of Petri nets and further improves the calculation method of the synchronic distance. The simulation results reduce the token accumulation by an average of 91.357%, which demonstrates that the improved model can effectively improve reliability and reduce the risk of rear-end collision.


Introduction
Adaptive cruise control (ACC) systems are developed to improve traffic resource utilization and reduce traffic accident rates [1][2][3][4]. The two basic functions in the ACC system are following other vehicles and driving at a constant speed. On this basis, the safety purpose of the ACC system is to avoid traffic accidents as much as possible and protect the lives of drivers and passengers. However, in a recent study, it was found that the ACC system has a certain risk of rear-end collision when following other vehicles [1,5]. This risk causes the driver to steer the vehicle in dangerous situations. Furthermore, such ACC system safety flaws may cause serious economic losses and living costs.
At present, the common methods for reliability analysis of ACC systems are test case analysis and driving scenario simulation [6,7]. However, testing and simulation methods are not comprehensive enough for the safety analysis of ACC systems, which may bring serious safety hazards [1,3,5]. In addition, this kind of safety verification method requires a large amount of test data, which leads to huge consumption of test costs and lower test efficiency.
Compared with the above methods, formal modelling methods can be utilized to model systems from a mathematical point of view, and the system models can be made to accord strictly with formal specifications. In addition, the formal modelling method can conduct a more comprehensive safety analysis of the ACC system, which is an effective supplement to the software simulation and testing methods [8,9]. Hence, it is very important to carry out formal verification in the early stage of ACC system design and development, which can avoid related safety flaws and improve the reliability of the ACC system [10,11].
There are barrier certificates in the formal method, which are used to prove the impossibility of transition from a dangerous state to a safe one [1]. Refs. [12,13] apply barrier certificates to the safety verification of the ACC system and prove its effectiveness through experiments. Reachability analysis is a commonly used method for safety verification among formal modelling methods [9,14,15,16,17]. Its main working principle is to calculate all the state sets generated during the operation of the system and check whether the state set has a dangerous state. If there is no dangerous state in the state sets of the ACC system, the safety and correctness of the corresponding system model can be guaranteed. Since most system operations are concurrent and complex, this inevitably leads to an exponential increase in the number of states in the state set.
Although the formal method can completely verify the safety of the ACC system, the formal method also faces many limitations, such as state explosion [8,9,18]. Therefore, avoiding the issue of state explosion is very important and meaningful.
In the above research, neither the software testing method nor the formal method is used to verify the safety of the ACC system from a synchronous perspective. Through the process of the ACC system and the vehicle driving, it is not difficult to find that the process is essentially a synchronization of the speeds of the two vehicles. To guarantee stability following the vehicle, when the speed of the front vehicle changes, the rear vehicle needs to make the same speed adjustment in time to maintain the stability of the distance from the front vehicle. The degree of synchronization between the two will directly affect the possibility of a rear-end collision.
A Petri net is a graphical formal model, which can intuitively reveal the essence of the system operation process with a suitable modelling scheme [19][20][21]. For complex concurrent systems such as ACC systems, Petri nets can not only depict the structure of the system hierarchically but also intuitively and dynamically depict the concurrency and conflict phenomena in the running process of the system. Lomazova et al. studied the adaptive process based on nested Petri nets and obtained good results [22]. Ref. [23] proposes a new approach to simulation of manufacturing processes based on the mathematical apparatus of extended Petri nets. In addition, Petri nets also have the classical synchronization model theory, which is suitable for modelling synchronization phenomena. The above characteristics of Petri nets are helpful for developers to further improve the reliability of the ACC system. Based on the above research, it is easy to find that the running principle of the ACC system is essentially a synchronous process. However, as far as we know, the reliability analysis of ACC systems from a synchronization perspective is still open. In addition, most of the rear-end collisions under the ACC system are due to poor synchronization. Reliability analysis of the ACC system based on synchronization can reduce the possibility of rear-end collision from the root cause, and this direction has great research value in reliability analysis. This paper formulates the control principle of the ACC system. The Petri net model is established based on the high synchronization characteristics of the ACC system in the process of following the vehicle, then the reliability of the ACC system is further analyzed and improved. The main contributions of this paper are summarized as follows:

1. We proposed a novel modelling solution for reliability analysis of the ACC systems from the perspective of synchronization.
2. We established a formal synchronization model of the ACC system, which can accurately depict the synchronization of the ACC system in the process of following the vehicle.
3. We extend the calculation method of the synchronic distance, and further supplement the synchronization theory of Petri nets.

The rest of this paper is organized as follows. Section 2 introduces the concepts of related terms mentioned in this paper. Section 3 presents the complete Petri net model of the ACC system from the perspective of synchronization. Section 4 provides the risk analysis method and simulation results. Finally, Section 5 concludes this paper.

Related Concepts
In this section, we give some basic concepts as follows.

Definition 1 ([24]). A place/transition system is a six-tuple
1. S is a finite set of places, which represents the state of system.
2. T is a finite set of transitions, which represents the actions of system, where S ∩ T = ∅.
4. K → S is a capacity function, which defines the capacity of the place.
5. W → F is a weighted function, which defines the token passed by the arc.
6. M is marking of Σ, which represents the state of the Petri net, where ∀s ∈ S : M(s) ≤ K(s), $M_0$ is an initial marking.

Definition 3. General Marking T-Graph.
Marking T-Graph N is a special kind of Petri net N = (S, T, F, K, W, M), where ∀s ∈ S : | • s| = |s • |. It can be simplified as a directed graph. This reflects the advantages of Petri net graph storage to a certain extent.

Definition 4 ([24]). Fairness of Petri nets.
Let Σ = (S, T, F, K, W, M) be a Petri net, $t_1, t_2 \in T$, and let $\#(t_i/\sigma)$ represent the number of times the transition $t_i$ appears in the transition sequence σ. If there exists a positive integer k such that $\forall M \in R(M_0)$ and $\forall \sigma \in T^* : M[\sigma\rangle$ meet: , then $t_1$ and $t_2$ are fair. If $\forall t_i, t_j \in T$ are fair, then Σ is fair.
is a Petri Net, for t 1 , t 2 ∈ T, the Synchronic distance t 1 and t 2 is:

Modelling Scheme
Before modelling the process of the ACC system following the vehicle, we need to abstract the essence of the process. Figure 1 shows the adjustment of speed and spacing by the ACC system during the process of following the vehicle. This process is essentially the synchronization of the following vehicle to the front vehicle. When the speed of the front vehicle changes, the distance between the two vehicles also changes accordingly. In order to keep the distance between the two vehicles relatively constant, the following vehicle needs to make the same speed adjustment as the front vehicle. The synchronization degree of the process directly affects the risk of rear-end collision. If the synchronization of the process is high, the distance between the two vehicles will vary within a constant range. Otherwise, the change in the distance between the two vehicles is extremely sharp, which is very likely to cause a rear-end collision. This needs to be reflected in the model. The properties and structure of Petri nets can depict the concurrency and synchronization relationship of systems, which is very suitable for modelling this process. Then, we give the relevant modelling rules.

1. The place in the Petri net is used to represent the state of the speed difference between the two vehicles or the difference between the actual distance and the safe one.
2. The transition in the Petri net is used to represent the switching of the vehicle states during the following process.
3. The arcs in the Petri net are used to represent the transmission of synchronization information during the following process.

According to the above modelling rules, we can give the following process model of the ACC system, in which main elements and meanings are shown in Table 1. In the longitudinal range, the main actions of the vehicle are acceleration and deceleration. Therefore, we divide the states of the vehicle into three states: lowspeed, buffering and highspeed. When the vehicle transitions from a low-speed state to a high-speed one, it needs to pass through a buffer state. Similarly, when the vehicle transitions from a high-speed state to a low-speed one, it also needs to go through a buffer state.
In Figure 2, the models of the front and current vehicles are connected by signal places $S_3$ and $S_4$. At this time, the front vehicle is in a low speed state, and the transition $T_2$ can fire, which means that the front vehicle can accelerate to a high-speed state. After the transition $T_2$ fires, the front vehicle completes the acceleration, and the signal place $S_3$ obtains a token. The token in the signal repository $S_3$ puts the transition $T_5$ in the enabled state, which indicates that the current vehicle receives the acceleration information of the front vehicle. The current vehicle needs to accelerate the same as the front vehicle to keep the distance between the two vehicles constant, which can avoid rear-end collisions caused by excessive distance changes. Therefore, transitions $T_5$ and $T_3$ are in a synchronous relationship. Similarly, other transitions are also in such a sequential synchronous relationship. Consequently, the Petri net of the process of following the vehicle in the ACC system can be constructed.

The synchronous signal places $S_3$ and $S_4$ can reflect the strength of the above synchronous relationships in the Petri net of ACC. The more tokens accumulated in the signal place, the worse the synchronization of the two vehicles. The model accurately depicts the concurrency, sequence and synchronization of the ACC system in the process of following the vehicle. This lays a solid foundation for the analysis of rear-end risk from the perspective of synchronization theory in the next section.

Risk Analysis
In this section, we will perform a risk analysis on the Petri net model of the ACC system formulated in the above subsection and further improve it. By analyzing the Petri net in Figure 2, it is easy to find that the number of states in the reachable marking graph of the Petri net model is infinite, which is due to the unboundedness of the signal place. Infinite states necessarily lead to state explosion. To represent the infinite states in a finite form, we use a coverability marking graph instead. Figure 3 shows the coverability marking graph corresponding to the Petri net model of the ACC system. Furthermore, the infinite states also show that the relationship between transitions in the model is unfair. According to Definition 3, the synchronic distance of an unfair transition relationship is infinite. The larger the synchronic distance between transitions, the lower the synchronization. Therefore, the synchronization of transitions in the ACC model is low, and it has certain risks as shown in Figure 2. On the other hand, the unboundedness of the signal place will lead to the occurrence of risk accidents. Algorithm 1 shows the relevant risk detection methods, where M.5 presents the fifth component of M. When the speed of front vehicle changes frequently, the amount of signals received by the signal place will increase. At this time, the capacity of the signal place will be unbounded, which will lead to poor synchronization between the two vehicles during the following process. The poor synchronization of the two vehicles will lead to risk accidents. Therefore, ensuring the boundedness of the signal place is the key to reducing risk accidents. Combined with the above analysis, we add two places to the model to ensure the boundedness of the signal place, as shown in Figure 4. Next, we conduct a risk analysis on the improved Petri net of ACC.

1. Fairness. Let IPN (Improved Petri Net) = (S, T, F, K, W, M) be the improved Petri net of ACC. According to Definition 4, $\forall t_1, t_2 \in T$ in IPN are fair. Therefore, IPN is a fair net, which guarantees that the transition synchronic distance in the improved Petri net will not be infinite.

2. Boundedness. In IPN, for $\forall s \in S$, $B(s) = \min\{B \mid \forall M \in R(R(M_0)) : M(s) \le B\} = 1$. The bound of each place in IPN is 1. $B(BFN) = \max\{B(s) \mid \forall s \in S\} = 1$. According to Definition 5, IPN is bounded and safe. This can also be reflected in the finiteness of the reachable marking graph in IPN.

3. Synchronic distance. In IPN, for $\forall s \in S$, $|{}^{\bullet}s| = |s^{\bullet}|$. According to Definition 3, the IPN is a general marking T-graph. The following theorem can be obtained for the calculation of the synchronic distance between transitions in the general marking T-graph.

Theorem 1. Let Σ = (S, T, F, K, W, M) be a live general marking T-graph, $\forall C \in \{S^* \cup T^*\}$ is any directed loop in Σ, $t_i, t_j \in T$, then where $\alpha(t_i, t_j)$ is the synchronic distance between transitions $t_i$ and $t_j$.
Proof. We discuss it in the following two cases.

1. If $t_i \in C_1 \wedge t_j \notin C_1$ or $t_j \in C_2 \wedge t_i \notin C_2$, then $C_1 \neq C_2$, and $t_j$ and $t_i$ are not in the same directed loop. Σ is live, so for any positive integer k, $\exists \sigma \in T^* : M_0[\sigma\rangle$ and $\#(t_i/\sigma) = 0 \wedge \#(t_j/\sigma) \ge k$. Therefore, $t_i$ and $t_j$ are unfair. According to Definition 4, $\alpha(t_i, t_j) = \infty$.

2. If there exists a directed loop C in Σ that goes through both $t_i$ and $t_j$, then $\#(t_i/\sigma) = 0 \wedge \#(t_j/\sigma) \le \sum_{s \in C} M(s) = \alpha(t_i, t_j)$. If there are multiple loops C going through $t_i$ and Theorem 1 holds.

IPN is a typical live general marking T-graph. According to Theorem 1, in IPN, for $\forall t_1, t_2 \in T$, $\alpha(t_1, t_2) = 1$. This reflects the extremely high synchronization between transitions in the IPN.
In Figure 5, it can be seen that the number of states of the improved Petri net of ACC is effectively reduced and is no longer infinite. The token value in the signal place will not accumulate, which avoids the deterioration of the synchronization of the improved Petri net of ACC. In addition, the synchronic distance between the transitions of the improved Petri net will not be infinite but remains a constant value within a certain range, which also shows that the synchronization of the improved Petri net has been greatly improved.

Table 2 gives the average number of tokens of each place in the Petri net of ACC after simulation. Except for places $S_3$ and $S_4$, the average number of tokens in the other places is almost the same. As the number of simulations increases, the number of tokens in places $S_3$ and $S_4$ is also increasing, which shows that the pre-transition sets of places $S_3$ and $S_4$ can fire infinitely. According to Definition 4 and Theorem 1, the Petri net of ACC is unfair and has infinite synchronic distance. This reveals that the current ACC system has poor synchronization in the process of following the vehicle, and there is a risk of rear-end collision.

Table 3 shows the average number of tokens of each place in the improved ACC Petri net after simulation. Obviously, the number of tokens in all places is almost the same. With the increase in the number of simulations, the average number of tokens in each place has no obvious change. Therefore, in IPN, the firing of the pre-transition set of any one place is finite. The IPN is fair and has excellent synchronization, and the risk of rear-end collision with the corresponding ACC system is also greatly reduced. Figure 6 further visualizes the changes in the average number of tokens in places $S_3$ and $S_4$. The pink part represents the model before improvement. The blue part shows the improved model. The improved model has good stability and can effectively avoid the accumulation of tokens.

As the number of simulations increases, the tokens in places $S_3$ and $S_4$ have accumulated in the Petri net of ACC. However, the number of tokens in places $S_3$ and $S_4$ has always remained within a stable range in the improved Petri net of ACC. The number of tokens in places $S_3$ and $S_4$ is reduced by 91.357% on average, which effectively improves the synchronization of the ACC system. The above conclusion has been proved by the output of Algorithm 1. In the early stage of the design and development of the ACC system, improving the synchronization can effectively improve its reliability and reduce the risk of rear-end collision during the actual following process.
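The boundedness argument of this section can be checked mechanically. The following is an added example, not code from the paper: a Karp-Miller coverability construction in Python that marks a place with ω when its token count can grow without limit, run on a net before and after complementary places are added. The net is a constructed simplification (two speed states per vehicle, no buffering state; the place names F_*, C_*, R3, R4 and the transition names are assumptions) and is not the paper's Figure 2 or Figure 4 model.

```python
OMEGA = float("inf")  # "unboundedly many tokens" in a coverability marking

def coverability(places, transitions, m0):
    """Return the set of coverability markings (tuples ordered like `places`)."""
    root = tuple(m0.get(p, 0) for p in places)
    seen, work = set(), [(root, (root,))]       # (marking, path from the root)
    while work:
        m, path = work.pop()
        if m in seen:
            continue
        seen.add(m)
        for pre, post in transitions.values():
            if any(m[i] < pre.get(p, 0) for i, p in enumerate(places)):
                continue                         # transition not enabled at m
            nxt = [m[i] - pre.get(p, 0) + post.get(p, 0)
                   for i, p in enumerate(places)]
            for anc in path:                     # strictly covers an ancestor:
                if anc != tuple(nxt) and all(a <= n for a, n in zip(anc, nxt)):
                    nxt = [OMEGA if n > a else n for a, n in zip(anc, nxt)]
            work.append((tuple(nxt), path + (tuple(nxt),)))
    return seen

def bounds(places, transitions, m0):
    """Bound B(s) of every place; OMEGA means the place is unbounded."""
    cover = coverability(places, transitions, m0)
    return {p: max(m[i] for m in cover) for i, p in enumerate(places)}

def unbounded_places(places, transitions, m0):
    return {p for p, b in bounds(places, transitions, m0).items() if b == OMEGA}

# Constructed net: front vehicle (F_*) signals the current vehicle (C_*) through
# signal places S3 (acceleration) and S4 (deceleration). Each transition is
# (tokens consumed, tokens produced).
BASE_PLACES = ["F_low", "F_high", "S3", "S4", "C_low", "C_high"]
BASE_M0 = {"F_low": 1, "C_low": 1}
BASE_T = {
    "front_accel": ({"F_low": 1}, {"F_high": 1, "S3": 1}),
    "front_decel": ({"F_high": 1}, {"F_low": 1, "S4": 1}),
    "cur_accel":   ({"C_low": 1, "S3": 1}, {"C_high": 1}),
    "cur_decel":   ({"C_high": 1, "S4": 1}, {"C_low": 1}),
}

# Improved variant: two added places R3, R4 (hypothetical names) act as
# complements of S3, S4, so the front vehicle cannot signal again until the
# previous signal has been consumed.
IMP_PLACES = BASE_PLACES + ["R3", "R4"]
IMP_M0 = {**BASE_M0, "R3": 1, "R4": 1}
IMP_T = {
    "front_accel": ({"F_low": 1, "R3": 1}, {"F_high": 1, "S3": 1}),
    "front_decel": ({"F_high": 1, "R4": 1}, {"F_low": 1, "S4": 1}),
    "cur_accel":   ({"C_low": 1, "S3": 1}, {"C_high": 1, "R3": 1}),
    "cur_decel":   ({"C_high": 1, "S4": 1}, {"C_low": 1, "R4": 1}),
}

if __name__ == "__main__":
    print("unbounded before:", sorted(unbounded_places(BASE_PLACES, BASE_T, BASE_M0)))
    print("bounds after:", bounds(IMP_PLACES, IMP_T, IMP_M0))
    print("states after:", len(coverability(IMP_PLACES, IMP_T, IMP_M0)))
```

On this constructed net the signal places are the only unbounded ones before the change, and afterwards every place has bound 1 with a finite marking graph, which mirrors the boundedness result stated for IPN.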

Discussion
This paper extracts synchronicity, the essential characteristic of vehicle-following cruise, for reliability analysis. The Petri net model is an abstraction of the running logic of the actual ACC system, which can reflect the logical flaws of the actual ACC system. Therefore, it is necessary to use Petri nets to analyze the reliability of the ACC system. The results in this paper are fundamentally different from the existing works. The existing research focuses on data analysis and failure analysis, which can improve the reliability of the ACC system. However, the above research requires a large amount of data, which will consume high research costs.
In this paper, the formal verification of the running process of the ACC system is carried out at the logic level, which can effectively avoid the logic flaw in the process of following the vehicle from the perspective of synchronization. This research achievement can reduce the research cost of the existing reliability analysis methods of ACC systems. In turn, the existing research can prove the validity of the research results in this paper. These two types of research analyze the reliability of the ACC system from different perspectives, and the two are complementary in improving the reliability together.

Conclusions
In this paper, the reliability of the ACC system is analyzed from a novel angle of synchronization theory, which is combined with formal modelling methods. The validity and correctness of the modelling method are verified by the reachable marking graph. In addition, a potential logic flaw, namely that the ACC system has poor synchronization in the process of following the vehicle, is found. In this regard, combined with the synchronization theory of Petri nets, this paper proposes a novel modelling solution to improve synchronization, a method that can improve the fairness of transitions by place structure. In addition, this paper develops a calculation method for the synchronization distance of a general marking T-graph that is a special subclass of Petri nets. The simulation results show that this modelling solution has improved synchronization and reduced the risk of rear-end collision. The infinite number of states in the reachable marking graph becomes finite, and the number of tokens in the signal place is no longer accumulated. The synchronization of the model has been greatly improved, and the rear-end risk during the process of following the vehicle is effectively reduced. In the future, we will further improve our work and extend the applications of the synchronization theory of Petri nets.