GUARANTEED MESSAGE LATENCIES FOR DISTRIBUTED
SAFETY-CRITICAL HARD REAL-TIME CONTROL NETWORKS¹
Ken Tindell, Alan Burns
Real-Time Systems Research Group,
Department of Computer Science,
University of York, YO1 5DD, England
Analysis is presented that enables the worst-case latencies for Controller Area Network (CAN) messages to be predicted. The analysis is illustrated in terms of the Intel 82527 controller and applied to an SAE benchmark. This benchmark contains some 53 message types, all of which are analysed for various transmission rates. Techniques are presented that enable the temporal behaviour of a CAN system to be improved. In particular, the impact of message "piggybacking" is assessed. The paper concludes by considering error recovery, and presents a framework into which different failure models can be incorporated and analysed (in terms of the impact failures have on message latencies).
A recent trend in many control systems is to connect distributed elements of a control system via a shared broadcast bus instead of using point-to-point links. However, there are fundamental differences between a shared bus and point-to-point links. Firstly, because the bus is shared between a number of subsystems, there is contention for access to the bus, which must be resolved using a protocol. Secondly, transmission of a signal or data is not virtually instantaneous; different signals will be able to tolerate different latencies. Therefore there is a fundamental need for scheduling algorithms to decide how contention is resolved in such a way that all latency requirements are met.
There are a number of existing bus technologies, but in this paper we are concerned with Controller Area Network (CAN), and for comparison the Time Triggered Protocol (TTP). These two buses differ in the way that they are scheduled: CAN takes a dynamic approach, using a priority-based algorithm to decide which of the connected stations is permitted to send data on the bus. TTP uses a static approach, where each station is permitted a fixed time slice in which to transmit data. A common misconception within the automotive industry is that while CAN is very good at transmitting the most urgent data, it is unable to provide guarantees that deadlines are met for less urgent data [3, 5]. This is not the case: the dynamic scheduling algorithm used by CAN is virtually identical to scheduling algorithms commonly used in real-time systems to schedule computation on processors. In fact, the analysis of the timing behaviour of such systems can be applied almost without change to the problem of determining the worst-case latency of a given message queued for transmission on CAN.
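The claim that processor response-time analysis carries over to CAN can be made concrete. The following is an added example, not code from the paper: it applies a fixed-priority non-preemptive response-time recurrence with a deliberately conservative blocking term. The frame-length bound and the message names, identifiers, periods and payload sizes are assumptions constructed for illustration.

```python
def frame_bits(payload_bytes):
    """Assumed worst-case frame length in bit times (11-bit identifier):
    34 + 8s bits are subject to bit stuffing, 13 bits are not."""
    stuffable = 34 + 8 * payload_bytes
    return stuffable + 13 + (stuffable - 1) // 4

def worst_case_latencies(messages):
    """messages: (name, identifier, period, queuing_jitter, payload_bytes),
    all times in bit times; a lower identifier wins arbitration.
    Returns {name: latency bound, or None if no bound within the period}."""
    msgs = sorted(messages, key=lambda m: m[1])
    cost = {m[0]: frame_bits(m[4]) for m in msgs}
    bounds = {}
    for i, (name, _, period, jitter, _) in enumerate(msgs):
        higher = msgs[:i]
        # Non-preemptive bus: a frame already on the wire must finish first.
        # Conservative choice: longest frame of this or any lower priority.
        blocking = max(cost[m[0]] for m in msgs[i:])
        w = blocking
        while True:
            # Each higher-priority message can win arbitration once per period
            # while this one waits (integer ceiling, bit time = 1).
            interference = sum(-(-(w + hj + 1) // hp) * cost[hn]
                               for hn, _, hp, hj, _ in higher)
            nxt = blocking + interference
            if jitter + nxt + cost[name] > period:
                bounds[name] = None  # deadline (= period) cannot be guaranteed
                break
            if nxt == w:
                bounds[name] = jitter + w + cost[name]
                break
            w = nxt
    return bounds

# Constructed message set for a 125 kbit/s bus (1 bit time = 8 microseconds).
SAMPLE = [
    ("brake", 0x010, 625, 0, 1),
    ("speed", 0x020, 1250, 0, 2),
    ("status", 0x300, 12500, 0, 8),
]

if __name__ == "__main__":
    for name, bits in worst_case_latencies(SAMPLE).items():
        print(name, "no guarantee" if bits is None else f"{bits * 8} us")
```

A `None` result means the bound exceeds the message's period, so its deadline cannot be guaranteed; rerunning the analysis whenever identifiers or periods change shows whether low-priority traffic still has a bounded latency.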
¹ The authors can be contacted via e-mail as firstname.lastname@example.org; copies of York technical reports cited in this paper are available via FTP from minster.york.ac.uk in the directory /pub/realtime/papers