Controller Area Network Schedulability Analysis

This paper addresses the impact of FIFO queues on the schedulability of Controller Area Networks (CAN), which are commonly used in automotive applications. It introduces a response time analysis and optimal priority assignment policies for networks that mix FIFO and priority queues, highlighting the negative effects of FIFO queues on real-time performance. The study includes a case study and experimental evaluation to demonstrate the findings and provides recommendations for ensuring effective real-time performance in CAN systems.

Controller Area Network (CAN) Schedulability Analysis with FIFO queues

Robert I. Davis
Real-Time Systems Research Group, Department of Computer Science, University of York, YO10 5DD, York, UK
[email protected]

Steffen Kollmann, Victor Pollex, Frank Slomka
Institute of Embedded Systems / Real-Time Systems, Ulm University, Albert-Einstein-Allee 11, 89081 Ulm, Germany
{steffen.kollmann, victor.pollex, frank.slomka}@uni-ulm.de

Abstract

Controller Area Network (CAN) is widely used in automotive applications. Existing schedulability analysis for CAN is based on the assumption that the highest priority message ready for transmission at each node on the network will be entered into arbitration on the bus. However, in practice, some CAN device drivers implement FIFO rather than priority-based queues invalidating this assumption. In this paper, we introduce response time analysis and optimal priority assignment policies for CAN messages in networks where some nodes use FIFO queues while other nodes use priority queues. We show, via a case study and experimental evaluation, the detrimental impact that FIFO queues have on the real-time performance of CAN.

Revision: This technical report was revised in April 2011 to include a section on experimental evaluation.

1. Introduction

Controller Area Network (CAN) [3], [21] was designed as a simple, efficient, and robust, broadcast communications bus for in-vehicle networks. Today, typical mainstream family cars contain 25-35 Electronic Control Units (ECUs), many of which communicate using CAN. As a result of this wholesale adoption of CAN by the automotive industry, annual sales of CAN nodes (8, 16 and 32-bit micro-controllers with on-chip CAN controllers) have grown from under 50 million in 1999 to around 750 million in 2010 (footnote 1).

Footnote 1: Figures from the CAN in Automation (CiA) website www.can-cia.org

CAN is an asynchronous multi-master serial data bus that uses Carrier Sense Multiple Access / Collision Resolution (CSMA/CR) to determine access to the bus. The CAN protocol requires that nodes wait for a bus idle period before attempting to transmit. If two or more nodes attempt to transmit messages at the same time, then the node with the message with the lowest numeric CAN Identifier will win arbitration and continue to send its message. The other nodes will cease transmitting and must wait until the bus becomes idle again before attempting to re-transmit their messages. (Full details of the CAN physical layer protocol are given in [3], with a summary in [11]). In effect CAN messages are sent according to fixed priority non-pre-emptive scheduling, with the identifier (ID) of each message acting as its priority.

1.1. Related work

In 1994, Tindell et al. showed how research into fixed priority scheduling for single processor systems could be adapted and applied to the scheduling of messages on CAN. The analysis of Tindell et al. provided a method of calculating the maximum queuing delay and hence the worst-case response time of each message on the network. Tindell et al. [30], [31], [32] also recognised that with fixed priority scheduling, an appropriate priority assignment policy is key to obtaining effective real-time performance. Tindell et al. suggested that messages should be assigned priorities in ‘Deadline minus Jitter’ monotonic priority order [33].

The seminal work of Tindell et al. led to a large body of research into scheduling theory for CAN [5], [6], [7], [8], [17], [18], [25], [26], [27], [28], and was used as the basis for commercial CAN schedulability analysis tools [9].

In 2007, Davis et al. [11] found and corrected significant flaws in the schedulability analysis given by Tindell et al. [30], [31], [32]. These flaws could potentially result in the original analysis providing guarantees for messages that could in fact miss their deadlines during network operation. Further, Davis et al. [11] showed that the ‘Deadline minus Jitter’ monotonic priority ordering, claimed by Tindell et al. to be optimal for CAN, is not in fact optimal; and that Audsley’s Optimal Priority Assignment (OPA) algorithm [1], [2] is required in this case.

Prior to the advent of schedulability analysis and appropriate priority assignment policies for CAN, message IDs were typically assigned simply as a way of identifying the data and the sending node. This meant that only low levels of bus utilisation, typically around 30%, could be obtained before deadlines were missed. Further, the only means of obtaining confidence that message deadlines would not be missed was via extensive testing. Using the systematic approach of schedulability analysis, combined with a suitable priority assignment policy, it became possible to engineer CAN based systems for timing correctness, providing guarantees that all messages would meet their deadlines, with bus utilisations of up to about 80% [13], [9].

1.2. Motivation

Engineers using schedulability analysis to analyse network / message configurations must ensure that all of the assumptions of the specified scheduling model hold for their particular system. Specifically, when using the analysis
given by Davis et al. in [11], it is important that each CAN controller and device driver is capable of ensuring that whenever message arbitration starts on the bus, the highest priority message queued at that node is entered into arbitration. This behaviour is essential if message transmission is to take place as if there were a single global priority queue and for the analysis to be correct.

As noted by Di Natale [15], there are a number of potential issues that can lead to behaviour that does not match that required by the scheduling model given in [11]. For example, if a CAN node has fewer transmit message buffers than the number of messages that it transmits, then the following properties of the CAN controller hardware can prove problematic:
(i) internal message arbitration based on transmit buffer number rather than message ID (Fujitsu MB90385/90387, Fujitsu 90390, Intel 87C196 (82527), Infineon XC161CJ/167 (82C900));
(ii) non-abortable message transmission (Philips 82C200) [16];
(iii) less than 3 transmit buffers [24] (Philips 8xC592 (SJA1000), Philips 82C200).

CAN controllers which avoid these potential problems include, the Atmel AT89C51CC03 / AT90CAN32/64 the Microchip MPC2515, and the Motorola MSCAN on-chip peripheral, all of which have at least 3 transmit buffers, internal message arbitration based on message ID rather than transmit buffer number, and abortable message transmission.

The CAN device driver / software protocol layer implementation also has the potential to result in behaviour which does not match that required by the standard scheduling model [11]. Issues include, delays in refilling a transmit buffer [20], and FIFO queuing of messages in the device driver or CAN controller (The BXCAN and BECAN for the ST7 and ST9 Microcontrollers from STMicroelectronics include hardware support for both priority-queued and FIFO-queued message transmission [29]).

Di Natale [15] notes that using FIFO queues in CAN device drivers / software protocol layers can seem an attractive solution “because of its simplicity and the illusion that faster queue management improves the performance of the system”. This is unfortunate, because FIFO message queues undermine the priority-based bus arbitration used by CAN. They can introduce significant priority inversion and result in degraded real-time performance. Nevertheless, FIFO queues are a reality in some commercial CAN device drivers / software protocol layers.

As far as we are aware, there is no published research (footnote 2) integrating FIFO queues into response time analysis for CAN. This paper focuses on the issue of FIFO queues. We provide response time analysis and appropriate priority assignment policies for Controller Area Networks comprising some nodes that use FIFO queues and other nodes that use priority queues.

Footnote 2: The commercial tool NETCAR-Analyzer (www.realtimeatwork.com) claims to address the case of FIFO queues.

1.3. Organisation

The remainder of this paper is organised as follows: In section 2, we introduce the scheduling model, notation, and terminology used in the rest of the paper. In section 3 we recap on the sufficient schedulability analysis for CAN given in [11]. Section 4 then extends this analysis to networks where some nodes implement priority-based queues while others implement FIFO queues. Section 5 discusses priority assignment for mixed sets of FIFO-queued and priority-queued messages. Section 6 presents the results of a case study exploring the impact of FIFO queues on message response times and network schedulability. Section 7 further evaluates the effect of priority assignment and FIFO queues on the maximum achievable network utilisation. Finally, section 8 concludes with a summary and recommendations.

2. System model, notation and terminology

In this section we describe a system model and notation that can be used to analyse the worst-case response times of messages on CAN. This model is based on that used in [11] with extensions to describe FIFO queues.

The system is assumed to comprise a number of nodes (microprocessors) connected to a single CAN bus. Nodes are classified according to the type of message queue used in their device driver. Thus FQ-nodes implement a FIFO message queue, whereas PQ-nodes implement a priority queue. PQ-nodes are assumed to be capable of ensuring that, at any given time when bus arbitration starts, the highest priority message queued at the node is entered into arbitration. FQ-nodes are assumed to be capable of ensuring that, at any given time when bus arbitration starts, the oldest message in the FIFO queue is entered into arbitration.

The system is assumed to contain a static set of hard real-time messages, each statically assigned to a single node on the network. Each message m has a fixed Identifier (ID) and hence a unique priority. As priority uniquely identifies each message, in the remainder of the paper we will overload m to mean either message m or priority m as appropriate. We use hp(m) to denote the set of messages with priorities higher than m, and similarly, lp(m) to denote the set of messages with priorities lower than m.

Each message m has a maximum transmission time of $C_m$ (see [11] for details of how to compute the maximum transmission time of messages on CAN, taking into account the number of data bytes and bit-stuffing).

The event that triggers queuing of message m is assumed to occur with a minimum inter-arrival time of $T_m$, referred to as the message period. Each message m has a hard deadline $D_m$, corresponding to the maximum permitted time from occurrence of the initiating event to the end of successful transmission of the message, at which time the message data is assumed to be available on the receiving nodes that require it. Tasks on the receiving nodes may place different timing requirements on the data, however in such cases we assume that $D_m$ is the shortest such time
constraint. We assume that the deadline of each message is less than or equal to its period ($D_m \le T_m$). Each message m is assumed to be queued by a software task, process or interrupt handler executing on the sending node. This task is either invoked by, or polls for, the event that initiates the message, and takes a bounded amount of time, between 0 and $J_m$, before the message is in the device driver queue available for transmission. $J_m$ is referred to as the queuing jitter of the message and is inherited from the overall response time of the task, including any polling delay (footnote 3). The transmission deadline $E_m$ of message m is given by $E_m = D_m - J_m$, and represents the maximum permitted time from the message being queued at the sending node to it being received at other nodes on the bus.

Footnote 3: In the best case, the task could arrive the instant the event occurs and queue the message immediately, whereas in the worst-case, there could be a delay of up to the task’s period before it arrives and then a further delay of up to the task’s worst-case response time before it queues the message.

The maximum queuing delay $w_m$, corresponds to the longest time that message m can remain in the device driver queue or CAN controller transmit buffers, before commencing successful transmission on the bus.

In this paper (footnote 4), we define the worst-case response time $R_m$ of a message m as the maximum possible transmission delay from the message being queued until it is received at the receiving nodes. Hence:

$$R_m = w_m + C_m \qquad (1)$$

Footnote 4: Note this is a different way of defining response time to that used in [11] which includes queuing jitter. To compensate for not including queuing jitter in the response time, in this paper we compare response times with transmission deadlines to determine schedulability.

As noted by Broster [7], receiving nodes can access message m following the end of (message) frame marker and before the 3-bit inter-frame space. The analysis given in the remainder of this paper is therefore slightly pessimistic in that it includes the 3-bit inter-frame space in the computed worst-case response times. To remove this small degree of pessimism, it is valid to simply subtract $3\tau_{bit}$ from the computed response time values, where $\tau_{bit}$ is the transmission time for a single bit on the bus.

A message is said to be schedulable if its worst-case response time is less than or equal to its transmission deadline ($R_m \le E_m$). A system is said to be schedulable if all of the messages in the system are schedulable.

The following additional notation is used to describe the properties of a set of messages that are transmitted by the same FQ-node and so share a FIFO queue. The FIFO group $M(m)$ is the set of messages that are transmitted by the FQ-node that transmits message m. The lowest priority of any message in the FIFO group $M(m)$ is denoted by $L_m$. $C_m^{MAX}$ and $C_m^{MIN}$ are the transmission times of the longest and shortest messages in the FIFO group, while $C_m^{SUM}$ is the sum of the transmission times of all of the messages in the group. $E_m^{MIN}$ is the shortest transmission deadline of any message in the group.

We use $f_m$ to denote the maximum buffering time from message m being queued until it is able to take part in priority-based arbitration. For a FIFO-queued message $f_m$ equates to the time from the message being entered into the FIFO queue to it becoming the oldest message in that queue. For a priority-queued message $f_m = 0$.

As well as determining message schedulability given a particular priority ordering, we are also interested in effective priority assignment policies.

Definition 1: Optimal priority assignment policy: A priority assignment policy P is referred to as optimal with respect to a schedulability test S and a given network model, if and only if there is no set of messages that are compliant with the model that are deemed schedulable by test S using another priority assignment policy, that are not also deemed schedulable according to test S using policy P.

We note that the above definition is applicable to both sufficient schedulability tests such as those given in sections 3 and 4, as well as exact schedulability tests.

3. Schedulability Analysis with Priority Queues

In this section, we recapitulate the simple sufficient schedulability analysis given in [11]. For networks of PQ-nodes, complying with the scheduling model given in section 2, CAN effectively implements fixed priority non-pre-emptive scheduling. In this case, Davis et al. [11] showed that an upper bound on the response time $R_m$ of each message m can be found by computing the maximum queuing delay $w_m$ using the following fixed point iteration:

$$w_m^{n+1} = \max(B_m, C_m) + \sum_{\forall k \in hp(m)} \left\lceil \frac{w_m^n + J_k + \tau_{bit}}{T_k} \right\rceil C_k \qquad (2)$$

where $\tau_{bit}$ is the transmission time for a single bit, and $B_m$ is the blocking factor described below. Iteration starts with a suitable initial value such as $w_m^0 = C_m$, and continues until either $w_m^{n+1} + C_m > E_m$ in which case the message is not schedulable, or $w_m^{n+1} = w_m^n$ in which case the message is schedulable and its worst-case response time is given by:

$$R_m = w_m^{n+1} + C_m \qquad (3)$$

As CAN message transmission is non-pre-emptable, the transmission of a single lower priority message can cause a delay of up to $B_m$ (referred to as direct blocking) between message m being queued and the first time that message m could be entered into arbitration on the bus. $B_m$ represents the maximum blocking time due to lower priority messages:

$$B_m = \max_{\forall k \in lp(m)} (C_k) \qquad (4)$$

Alternatively, in some cases, the transmission of the previous instance of message m could delay transmission of a higher priority message causing a similar delay (referred to as push-through blocking (footnote 5)) of up to $C_m$. Both direct and push-through blocking are accounted for by the 1st term on the RHS of (2). The 2nd term represents interference from higher priority messages that can win arbitration over message m and so delay its transmission. Note that once message m starts successful transmission it cannot be pre-empted, so the message’s overall response time is simply the queuing delay plus its transmission time (given by (3)).

Footnote 5: See [11] for an explanation of why push-through blocking is important.

Using (2) and (3), engineers can determine upper bounds (footnote 6) on worst-case response times and hence the schedulability of all messages on a network comprising solely PQ-nodes. Although the analysis embodied in (2) and (3) is pseudo-polynomial in complexity in practice it is tractable on a desktop PC for complex systems with hundreds of messages. (A number of techniques are also available for increasing the efficiency of such fixed point iterations [12]).

Footnote 6: Equation (2) is sufficient rather than exact due to the fact that push through blocking may not necessarily be possible.

4. Schedulability Analysis with FIFO Queues

In this section, we derive sufficient schedulability analysis for messages on networks with both PQ-nodes and FQ-nodes. The analysis we introduce is FIFO-symmetric, by this we mean that the same worst-case response time is attributed to all of the messages in a FIFO group. We note that FIFO-symmetric analysis incurs some pessimism in terms of the worst-case response time attributed to the higher priority messages in a FIFO group; however, in practice this pessimism is likely to be small. This is because the order in which messages are placed in a FIFO queue is undefined, and so in the worst case, the highest priority message in a FIFO group has to wait for an instance of each lower priority message in the group to be transmitted.

4.1. Priority-queued messages

We now derive an upper bound on the worst-case queuing delay for a priority-queued message m, in a system with both PQ-nodes and FQ-nodes.

In the case of systems with only PQ-nodes, Davis et al. [11] showed that the worst-case queuing delay for a priority-queued message m occurs for an instance of that message queued at the beginning of a priority level-m busy period (footnote 7) that starts immediately after the longest lower priority message begins transmission. Further, this maximal busy period begins with a so-called critical instant where message m is queued simultaneously with all higher priority messages and then each of these higher priority messages is subsequently queued again after the shortest possible time interval. Equation (2) provides a sufficient upper bound on this worst-case queuing delay.

Footnote 7: A priority level-m busy period is a contiguous interval of time during which there is always at least one message of priority m that has not yet completed transmission.

The analysis embodied in (2) assumes that higher priority messages are able to compete for access to the bus (i.e. enter bus arbitration) as soon as they are queued; however, this assumption does not hold for FIFO-queued messages. Instead a FIFO-queued message k may have to wait for up to a maximum time $f_k$ before it becomes the oldest message in its FIFO queue, and can enter priority-based arbitration. A FIFO-queued message k can therefore be thought of as becoming priority queued after an additional delay of $f_k$. Stated otherwise, in terms of its interference on lower priority messages, a FIFO-queued message k can be viewed as if it were a priority-queued message with its jitter increased by $f_k$. (Note, we will return to how $f_k$ is calculated for FIFO-queued messages later). An upper bound on the queuing delay for a priority-queued message m can therefore be calculated via the fixed point iteration given by (5).

$$w_m^{n+1} = \max(B_m, C_m) + \sum_{\forall k \in hp(m)} \left\lceil \frac{w_m^n + J_k + f_k + \tau_{bit}}{T_k} \right\rceil C_k \qquad (5)$$

As with (3), iteration starts with a suitable initial value such as $w_m^0 = C_m$, and continues until either $w_m^{n+1} + C_m > E_m$ in which case the message is not schedulable, or $w_m^{n+1} = w_m^n$ in which case its response time is given by:

$$R_m = w_m^{n+1} + C_m \qquad (6)$$

Note that the queuing delay and response time are only valid with respect to the values of $f_k$ used. We return to this point later.

4.2. FIFO-queued messages

We now derive an upper bound on the worst-case queuing delay for a FIFO-queued message m, in a system with both PQ-nodes and FQ-nodes.

As our analysis is FIFO-symmetric, we will attribute the same upper bound response time to all of the messages sent by the same FQ-node. Our analysis derives this sufficient response time by considering an arbitrary message from the FIFO group $M(m)$. For the sake of simplicity, we will still refer to this message as message m; however our analysis will be independent of the exact choice of message from the FIFO group. At each stage in our analysis we will make worst-case assumptions, ensuring that the derived response time is a correct upper bound. For example, we will frame our calculation of the queuing delay $w_m$ by assuming the lowest priority $L_m$ of any message in the FIFO group.

As every message j in $M(m)$ has $D_j \le T_j$ then in a schedulable system, when any arbitrary message from $M(m)$ is queued, there can be at most one instance of each of the other messages in $M(m)$ ahead of it in the FIFO queue. The maximum transmission time of these messages, and hence the maximum interference on an arbitrary message m, due to messages sent by the same FQ-node, is therefore upper bounded by:

$$C_m^{SUM} - C_m^{MIN} \qquad (7)$$

Indirect blocking could also occur due to the non-pre-emptive transmission of a previous instance of any one of the messages in $M(m)$. This indirect blocking is upper bounded by $C_m^{MAX}$. As an alternative, direct blocking could occur due to transmission of any of the messages of lower priority than $L_m$ sent by other nodes. Finally, in terms of interference from higher priority messages sent by other FQ-nodes and PQ-nodes, the argument about increased jitter made in the previous section applies, and so the interference term from (5) can again be used.

Considering all of the above, an upper bound on the queuing delay for an arbitrary message m belonging to the FIFO group $M(m)$ is given by the solution to the following
fixed point iteration:

$$w_m^{n+1} = \max(B_{L_m}, C_m^{MAX}) + (C_m^{SUM} - C_m^{MIN}) + \sum_{\forall k \in hp(L_m) \wedge k \notin M(m)} \left\lceil \frac{w_m^n + J_k + f_k + \tau_{bit}}{T_k} \right\rceil C_k \qquad (8)$$

Iteration starts with a value of $w_m^0 = \max(B_{L_m}, C_m^{MAX}) + (C_m^{SUM} - C_m^{MIN})$ and continues until either $w_m^{n+1} + C_m^{MIN} > E_m^{MIN}$ in which case the set of messages $M(m)$ is declared unschedulable, or $w_m^{n+1} = w_m^n$ in which case all of the messages in $M(m)$ are deemed to have a response time of:

$$R_m = w_m^{n+1} + C_m^{MIN} \qquad (9)$$

Equations (8) and (9) make the worst-case assumption that interference from higher priority messages can occur up to a time $C_m^{MIN}$ before transmission of message m completes. We note that this is a pessimistic assumption with respect to those messages belonging to the FIFO group that have transmission times (footnote 8) longer than $C_m^{MIN}$.

Footnote 8: In practice all messages sent on CAN often have the maximum length (8 data bytes) so as to minimise the relative overheads of the other fields in the message (ID, CRC etc). In this case, no additional pessimism is introduced by this assumption.

4.3. Schedulability test with arbitrary priorities

We now derive a schedulability test from (5) & (6) and (8) & (9). The basic idea is to avoid having to consider the potentially complex interactions between the FIFO queues of different nodes. This is achieved by abstracting the FIFO behaviour of messages sent by other nodes as simply additional jitter $f_k$ before each message k can enter priority based arbitration on the bus. When calculating the response time of a given message, we therefore need only consider the behaviour of the node that sends that message (PQ-node or FQ-node) and the buffering delays of messages sent by other nodes (footnote 9).

Footnote 9: If the message belongs to a PQ-node, then the other messages sent by the same node have buffering delays of zero, if it belongs to an FQ-node, then the buffering delays for other messages sent by the same node are not needed in the calculations (8) & (9).

An upper bound on the buffering time $f_m$ of a FIFO-queued message m is:

$$f_m = R_m - C_m^{MIN} \qquad (10)$$

When the priorities of messages in different FIFO groups are interleaved, this leads to an apparently circular dependency in the response time calculations. For example, let m and k be the priorities of messages in two different FIFO groups with interleaved priorities (i.e. $k \in hp(L_m)$ and $m \in hp(L_k)$). The response time $R_k$ of message k, and hence its buffering time $f_k$, depend on the buffering time $f_m$ of message m as $m \in hp(L_k)$; however, the buffering time $f_m$ of message m depends on its response time $R_m$ which in turn depends on $f_k$ as $k \in hp(L_m)$. This apparent problem can be solved by noting that the response times calculated via (5) & (6) and (8) & (9) are monotonically non-decreasing with respect to the buffering times, and that the buffering times given by (10) are monotonically non-decreasing with respect to the response times calculated via (8) & (9). Hence by using an outer loop iteration, and repeating response time calculations until the buffering times no longer change, we can compute correct upper bound response times and hence schedulability for all messages, as shown in Algorithm 1. (Note, to speed up the schedulability test, for each message m, the value of $w_m$ computed on one iteration of the while loop (lines 3 to 23) can be used as an initial value on the next iteration).

 1  repeat = true
 2  initialise all f_k = 0
 3  while(repeat){
 4    repeat = false
 5    for each priority m, highest first{
 6      if (m is FIFO-queued){
 7        calc R_m according to Eqs (8) & (9)
 8        if( R_m > E_m^MIN ) {
 9          return unschedulable
10        }
11        if( f_m != w_m ){
12          f_m = w_m
13          repeat = true;
14        }
15      }
16      else {
17        calc R_m according to Eqs (5) & (6)
18        if( R_m > E_m^MIN ) {
19          return unschedulable
20        }
21      }
22    }
23  }
24  return schedulable

Algorithm 1: FIFO Symmetric Schedulability Test

Algorithm 1 provides a sufficient schedulability test for FIFO-queued and priority-queued messages in any arbitrary priority ordering.

4.4. Partial priority ordering within a FIFO group

In this section, we consider an appropriate priority ordering for messages within a FIFO group.

Definition 2: A FIFO-adjacent priority ordering is any priority ordering whereby all of the messages sharing a FIFO queue are assigned adjacent priorities.

Theorem 1: If a priority ordering Q exists that is schedulable according to the FIFO-symmetric schedulability analysis of Algorithm 1 then a schedulable FIFO-adjacent priority ordering P also exists.

Proof: Let m be a FIFO-queued message that is not the lowest priority message in its FIFO group. Now consider a priority transformation whereby message m is shifted down in priority so that it is at a priority level immediately above that of the lowest priority message in its FIFO group. We will refer to the old priority ordering as Q and the new priority ordering as Q’.

We observe from (5) and (8), that given the same fixed
set of buffering times $f_k$, then (i) the response time computed for message m is the same for both priority orderings, and (ii) the response times computed for all other messages are no larger in priority ordering Q’ than they are in priority ordering Q. Due to the mutual monotonically non-decreasing relationship between message buffering times and response times, and the fact that Algorithm 1 starts with all the buffering times set to zero, this means that on every iteration of Algorithm 1, the response times and buffering times computed for each message under priority ordering Q’ are no larger than those computed on the same iteration for priority ordering Q. Hence if priority ordering Q is schedulable, then so is priority ordering Q’.

Applying the priority transformation described above to every FIFO-queued message that is not the lowest priority message in its FIFO group transforms any schedulable priority ordering Q into a FIFO-adjacent priority ordering P, without any loss of schedulability □

Theorem 1 tells us that regardless of the priority assignment applied to priority-queued messages, we should ensure that all of the messages that share a single FIFO queue have adjacent priorities. In terms of CAN message IDs we note that this does not require that consecutive values are used for the IDs, only that there is no interleaving with respect to the priorities of other messages. In practice message IDs can be chosen to meet these requirements, while also providing appropriate bit patterns for message filtering.

4.5. Schedulability test for FIFO-adjacent priorities

In this section, we derive an improved schedulability test that is only valid for FIFO-adjacent priority orderings.

Recall that Davis et al. [11] showed that the worst-case queuing delay for a priority-queued message m occurs within the priority level-m busy period that starts with a critical instant. Provided that a FIFO-adjacent priority ordering is used, then the same situation also represents the worst-case scenario when higher priority messages are sent by either PQ-nodes or FQ-nodes. This can be seen by considering the interference on a priority-queued message m from a higher priority FIFO-queued message k. As message k is of higher priority than message m, then so are all of the other messages in the same FIFO group (i.e. $M(k)$). Thus

levels is all that is needed to determine schedulability. In other words, lines 11-14 of Algorithm 1 can be omitted when considering FIFO-adjacent priority orderings. This revised schedulability test therefore dominates the test given in section 4.3 (i.e. Algorithm 1 with lines 11-14 present).

The simplified analysis given in this section is similar to that provided for FP/FIFO scheduling of flows in [23] and for OSEK/VDX tasks in [4], [19].

5. Priority Assignment Policies

The schedulability test presented in section 4.5 is applicable irrespective of the overall priority ordering, provided that messages sharing the same FIFO queue are assigned adjacent priorities. Choosing an appropriate priority ordering among the priority-queued messages and the FIFO groups is however an important aspect of achieving overall schedulability and hence effective real-time performance.

In this section, we consider the assignment of messages to priority bands, where a priority band comprises either a single priority level containing one priority-queued message, or a number of adjacent priority levels containing a FIFO group of messages. We derive priority assignment policies that are optimal with respect to the schedulability analysis given in section 4.5.

5.1. Optimal priority assignment

Davis et al. [11], showed that, assuming solely priority queuing, Audsley’s Optimal Priority Assignment (OPA) algorithm [1], [2] provides the optimal priority assignment for CAN messages. We now show that with an appropriate modification to handle FIFO groups, Audsley’s algorithm is also optimal with respect to the schedulability test given in section 4.5. The pseudo code for this OPA-FP/FIFO algorithm is given in Algorithm 2. Note that only one message from each FIFO group is considered in the initial list, as once this message is assigned to a priority band, then so are the other messages in the same FIFO group.

for each priority band k, lowest first
{
  for each message msg in the initial list {
    if msg is schedulable in priority band k according to
    schedulability test S with all unassigned priority-
any message in M (k ) that is queued prior to the start of queued messages / other FIFO groups assumed to be
transmission of message m will be sent on the bus before in higher priority bands {
message m, irrespective of the order in which the messages assign msg to priority band k
in M (k ) are placed in the FIFO queue. In effect all of the if msg is part of a FIFO group {
additional jitter on message k is already accounted for by assign all other messages in the FIFO group
interference on message m from other messages in the same to adjacent priorities within priority band k
}
FIFO group ( M (k ) ). In this case, there is no additional break (continue outer loop)
jitter on message k caused by messages of lower priority }
than m. Hence for each FIFO message k, we can set f k = 0, }
and use (5) & (6) to calculate the queuing delay and worst- return unschedulable
case response time of each message m. The same argument }
applies when we consider the schedulability of a FIFO- return schedulable
queued message m. In this case we can use (8) & (9) to Algorithm 2: Optimal Priority Assignment
calculate the queuing delay and worst-case response time, (OPA-FP/FIFO)
with all buffering times f k = 0. Further, as the buffering
times are all fixed at zero, a single pass over the priority In [14] Davis and Burns showed that Audsley’s OPA
algorithm is optimal with respect to any schedulability test that meets three specific conditions. According to Theorem 1, we need only consider the priority bands assigned to each priority-queued message, and each FIFO group (as all messages in a FIFO group have adjacent priorities in an optimal priority ordering). We therefore re-state these three conditions in the context of priority-queued messages and FIFO groups.
The three conditions refer to properties or attributes of the messages. Message properties are referred to as independent if they have no dependency on the priority assigned to the message. For example the longest transmission time, deadline, and minimum inter-arrival time of a message are all independent properties, while the worst-case response time typically depends on the message’s priority and so is a dependent property.
Condition 1: The schedulability of a message / FIFO group identified by m, may, according to test S, depend on any independent properties of other messages / FIFO groups in higher priority bands than m, but not on any properties of those messages / FIFO groups that depend on their relative priority ordering.
Condition 2: The schedulability of a message / FIFO group identified by m may, according to test S, depend on any independent properties of the messages / FIFO groups in lower priority bands than m, but not on any properties of those messages / FIFO groups that depend on their relative priority ordering.
Condition 3: When the priorities of any two adjacent priority bands are swapped, then the message / FIFO group being assigned the higher priority band cannot become unschedulable according to test S, if it was previously schedulable in the lower priority band. (As a corollary, the message / FIFO group being assigned the lower priority band cannot become schedulable according to test S, if it was previously unschedulable in the higher priority band).
Theorem 2: The OPA-FP/FIFO algorithm is an optimal priority assignment algorithm with respect to the FIFO-symmetric schedulability test of section 4.5 (Algorithm 1 with lines 11-14 omitted).
Proof: It suffices to show that conditions 1-3 hold with respect to the schedulability test given by Algorithm 1 with lines 11-14 omitted.
Condition 1: Inspection of (5) & (6) and (8) & (9), assuming all f_k are fixed at zero, shows that the response time of each message m is dependent on the set of messages in higher priority bands, but not on their relative priority ordering.
Condition 2: Inspection of (5) & (6) and (8) & (9), shows that the response time of each message m is dependent on the set of messages in lower priority bands via the direct blocking term, but not on their relative priority ordering.
Condition 3: Inspection of (5) & (6) and (8) & (9), assuming all f_k are fixed at zero, shows that increasing the priority band of message m cannot result in a longer response time. This is because although the direct blocking term can get larger with increasing priority this is always counteracted by a decrease in interference that is at least as large; hence the length of the queuing delay cannot increase with increasing priority, and so neither can the response time □
For N priority-queued messages / FIFO groups, the OPA-FP/FIFO algorithm performs at most N(N-1)/2 schedulability tests and is guaranteed to find a schedulable priority assignment if one exists. It does not however specify an order in which messages should be tried in each priority band. This order heavily influences the priority assignment chosen if there is more than one ordering that is schedulable. In fact, a poor choice of initial ordering can result in a priority assignment that leaves the system only just schedulable. We suggest that, as a useful heuristic, priority-queued messages and FIFO groups are tried at each priority level in order of transmission deadline (i.e. E_m or E_m^MIN), largest value first. This will result in a priority ordering reflecting transmission deadlines if such an ordering is schedulable. Alternatively, approaches which result in a robust priority assignment can be developed from the techniques described in [13].

5.2. TDMPO-FP/FIFO priority assignment
In industrial practice, CAN configurations are often designed such that all of the messages are of the same maximum length (8 data bytes). This is done to ameliorate the effects of the large overhead of the other fields (arbitration, CRC etc) in each message.
Definition 3: Transmission deadline monotonic priority ordering for FP/FIFO (TDMPO-FP/FIFO) is a priority assignment policy that assigns priority bands to priority queued messages and FIFO groups according to their transmission deadlines; with a shorter transmission deadline implying a higher priority. (Recall that the transmission deadline of a FIFO group is given by the shortest transmission deadline of any message in that group).
Figure 1 illustrates the TDMPO-FP/FIFO priority assignment policy.
Theorem 3: TDMPO-FP/FIFO is an optimal policy for assigning priority-queued messages and FIFO groups to priority bands, with respect to the sufficient schedulability test given in section 4.5 (Algorithm 1 with lines 11-14 omitted), provided that all messages have the same worst-case transmission time.
Proof: See Appendix A.

Corollary 1: For the case where all nodes use priority queues and all messages have the same worst-case transmission time, TDMPO-FP/FIFO reduces to transmission deadline monotonic priority ordering, which is therefore an optimal priority assignment policy with respect to the sufficient schedulability test given by Davis et al. in [11] (recapitulated in section 3).
Note that transmission deadline (i.e. Deadline minus Jitter) monotonic priority ordering has also been shown to be an effective heuristic policy in the general case with mixed length messages [13].
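
The following Python sketch is an added example, not code from the paper: it applies Definition 3 to the message set of Figure 1, checks the no-interleaving property that Theorem 1 asks of CAN ID allocations, and lists the FIFO-queued messages that end up above shorter-deadline messages from other nodes (the external priority inversion of section 5.3). The node labels, the tie-break on equal deadlines and the strict inequality in the inversion check are assumptions of the example.

```python
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class Msg:
    name: str
    node: str    # sending node; labels are assumed, Figure 1 does not name nodes
    E: int       # transmission deadline (deadline minus jitter)
    fifo: bool   # True when the sending node uses a FIFO queue


# Message set of Figure 1. One node per priority-queued message and one node
# per FIFO group is an assumption made for this example.
FIGURE_1 = (
    [Msg(f"PQ-msg{i}", f"pq{i}", e, False)
     for i, e in enumerate([5, 10, 20, 50, 100, 250, 250, 500], start=1)]
    + [Msg(f"FQ-msg{i}", "fq1", e, True)
       for i, e in enumerate([10, 25, 100], start=1)]
    + [Msg(f"FQ-msg{i}", "fq2", e, True)
       for i, e in enumerate([50, 100, 1000, 1000, 1000], start=4)]
)


def priority_bands(msgs):
    """Definition 3: one band per priority-queued message and one per FIFO
    group, ordered by transmission deadline, shortest first. A FIFO group
    takes the shortest deadline of its members. Inside a group, members are
    ordered by deadline as section 5.3 recommends."""
    bands = [[m] for m in msgs if not m.fifo]
    queued = sorted((m for m in msgs if m.fifo), key=lambda m: (m.node, m.E))
    bands += [list(g) for _, g in groupby(queued, key=lambda m: m.node)]
    # Tie-break (assumption taken from Figure 1's layout): on equal deadlines
    # a priority-queued message is placed above a FIFO group.
    return sorted(bands, key=lambda b: (min(m.E for m in b), b[0].fifo))


def priority_order(msgs):
    """Flatten the bands into one list, highest priority first."""
    return [m for band in priority_bands(msgs) for m in band]


def is_fifo_adjacent(order):
    """Theorem 1 check: messages sharing a FIFO queue must not be interleaved
    with any other message in the priority order."""
    seen, previous = set(), None
    for m in order:
        key = m.node if m.fifo else None
        if key is not None and key != previous and key in seen:
            return False          # a FIFO group was re-entered after being left
        if key is not None:
            seen.add(key)
        previous = key
    return True


def external_inversions(order):
    """Map each FIFO-queued message to the messages from other nodes that sit
    below it in the order although their transmission deadline is strictly
    shorter (this example's reading of external priority inversion)."""
    result = {}
    for i, hi in enumerate(order):
        if not hi.fifo:
            continue
        victims = [lo.name for lo in order[i + 1:]
                   if lo.node != hi.node and lo.E < hi.E]
        if victims:
            result[hi.name] = victims
    return result


if __name__ == "__main__":
    order = priority_order(FIGURE_1)
    for rank, m in enumerate(order, start=1):
        print(f"{rank:2d}  {m.name:8s} E={m.E}")
    print("FIFO-adjacent:", is_fifo_adjacent(order))
    for name, victims in external_inversions(order).items():
        print(f"{name} is sent ahead of: {', '.join(victims)}")
```

Running `is_fifo_adjacent` over a proposed CAN ID allocation before analysis catches interleaved FIFO groups, for which the section 4.5 test is not valid.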
5.3. Priority inversion
All of the messages in a FIFO group need to have sufficiently high priorities that the message with the shortest transmission deadline in the group can still meet its deadline. We have shown that with the FIFO-symmetric schedulability analysis introduced in this paper, the most effective way to achieve this is to assign adjacent priorities to all of the messages in a FIFO group. Despite this, we note that the use of FIFO queues still typically results in priority inversion with respect to the priority assignment that would be used if all nodes implemented priority queues.
The problem of priority inversion can be seen by considering priority assignment according to the TDMPO-FP/FIFO policy, see Figure 1 below. With only PQ-nodes, the priority assigned to each message would depend only on its transmission deadline, with a longer deadline implying lower priority. With FIFO queues, there are two forms of priority inversion: internal and external. Internal priority inversion takes place within a FIFO queue when messages with longer transmission deadlines enter the queue before, and so are transmitted ahead of, messages with shorter transmission deadlines. External priority inversion occurs because all of the messages in a FIFO group effectively obtain priorities based on the shortest transmission deadline of any message in that group. This has the effect of creating priority inversion with respect to messages sent by other nodes that have transmission deadlines between the maximum and minimum transmission deadlines of messages in the FIFO group. This is illustrated in Figure 1, where messages causing external priority inversion are shaded in grey.

Priority bands, from higher priority (top) to lower priority (bottom):
    PQ-msg1: E = 5
    PQ-msg2: E = 10
    FQ-group1: EMIN = 10
        FIFO group1: FQ-msg1: E = 10, FQ-msg2: E = 25, FQ-msg3: E = 100
    PQ-msg3: E = 20
    PQ-msg4: E = 50
    FQ-group2: EMIN = 50
        FIFO group2: FQ-msg4: E = 50, FQ-msg5: E = 100, FQ-msg6: E = 1000, FQ-msg7: E = 1000, FQ-msg8: E = 1000
    PQ-msg5: E = 100
    PQ-msg6: E = 250
    PQ-msg7: E = 250
    PQ-msg8: E = 500

Figure 1: TDMPO-FP/FIFO priority ordering

In Figure 1, observe that the messages within each FIFO group have their priorities assigned according to transmission deadline monotonic priority assignment. We recommend this approach as although it does not alter the sufficient worst-case response times of the messages as calculated by our analysis, in practice it could result in lower actual worst-case response times for those messages in the group that have shorter transmission deadlines.

6. Case Study: Automotive
To show that our priority assignment policies and schedulability analysis work with a real application we analysed a CAN bus architecture from the automotive domain, first presented in [22]. Figure 2 shows this architecture. The system consists of a 500 kBit/s CAN bus connecting 10 ECUs. There are a total of 85 messages sent on the bus. The number of messages sent by each ECU is given by the annotations in Figure 2. All messages are sent strictly periodically and have no offsets with respect to each other. We assumed that the queuing jitter for each message was 1% of its period.

Figure 2: CAN bus architecture

We compared five different configurations of the system:
Expt. 1: All ECUs used priority queues.
Expt. 2: ECU3 and ECU6 used FIFO queues and the remaining ECUs used priority queues.
Expt. 3: All ECUs used FIFO queues.
Expt. 4: All ECUs used priority queues, but the priority ordering was that established by Expt 3.
Expt. 5: All ECUs used priority queues, but the priority ordering used was random.
In each experiment we determined the lowest bus speed commensurate with a schedulable system. The minimum bus speed was found by a binary search with the message priorities assigned according to the OPA-FP/FIFO algorithm (Algorithm 2) using transmission deadline monotonic priority ordering as the reverse ordering for the initial list. (For each FIFO group, only the message with the shortest transmission deadline was included in the initial list). Based on the priority ordering obtained, we analysed and simulated the system assuming a 500 kBit/s bus. The simulated network operating time was 1 hour. We used the commercial simulator chronSIM from Inchron [10] to produce the simulation results.
There are four lines plotted on each of the graphs. The lines give the following information for each message:
(i) transmission deadline;
(ii) worst-case response time computed using the analysis given in section 4.5, assuming a 500 Kbit/s bus;
(iii) maximum observed response time found by simulation, assuming a 500 Kbit/s bus, and
(iv) worst-case response time computed using the analysis given in section 4.5, assuming the minimum schedulable bus speed for the configuration.
All of this data is plotted in ms on the y-axis using a logarithmic scale. The x-axis on the graphs represents the priority order of the messages. Hence data for the message assigned the highest priority in a particular configuration appears on the LHS of the graph, while data for the lowest priority message appears on the RHS. Note the priority order is different in each experiment.
Figure 3 depicts the results of Expt. 1, where all ECUs
used priority queues. In this case, the minimum bus speed
was 277 kBit/s, and the corresponding bus utilisation 84.5%.
We observe that with this bus speed, the 26th highest priority
message only just meets its deadline. Further, the results of
analysis and simulation for a 500 kBit/s bus are close
together. This is because the messages have no offsets, and
all of the ECUs used priority-based queues, hence there is
very little pessimism in the analysis, and the simulation
captures the worst-case scenario well.
Figure 4 depicts the results of Expt. 2, where ECU3 and
ECU6 used FIFO queues and the other ECUs used priority
queues. In this case, the minimum bus speed was 389 kBit/s,
and the corresponding bus utilisation 60.1%. Our analysis
attributes the same worst-case response time to all of the
messages in a FIFO queue; this results in the horizontal
segments of the analysis lines in Figure 4. The first FIFO
queue is the 12 messages sent by ECU3, and the second, the
6 messages sent by ECU6. The minimum transmission
deadline for both FIFO queues was 13.8 ms. Observe that in
Figure 4 the results of analysis and simulation are close
together for the messages sent via priority queues, whereas
for the messages sent via FIFO queue there are larger gaps.
These gaps are predominantly due to the simulation not
capturing the worst-case scenario for all of the FIFO-queued
messages. This is evident from the variability of the
maximum response times obtained via simulation for
messages in the same FIFO group.

Figure 3: Response Times (PQ only)

Figure 4: Response Times (FQ and PQ)

Figure 5: Response Times (FQ only)

Figure 6: Response Times (PQ only, FQ priorities)

Figure 7: Response Times (PQ only, random priorities)

Figure 5 depicts the results of Expt. 3, where all ECUs used FIFO queues. In this case, the minimum bus speed was 654 kBit/s, and the corresponding bus utilisation only 35.8%. In contrast to the Expt. 1 & 2, this configuration was not schedulable at a bus speed of 500 kBit/s. At 500 kBit/s, the 54 highest priority messages were found to be schedulable by the analysis. For the remaining lower priority messages, some appear to have worst-case response times that are less than their deadlines; however, this does not imply that such messages are schedulable. Once a single higher priority message is unschedulable, then the assumptions made by the analysis may be broken and the computed worst-case response times no longer valid. For example, the analysis assumes that due to constrained deadlines at most one instance of each of the other messages in the same FIFO group may be ahead of a particular message in the queue. If one of the messages in a FIFO group cannot meet its deadline then this assumption may no longer hold. In Expt. 3, some of the maximum response times observed in the simulation are very low compared to the worst-case response times computed by the analysis. This is caused by differences in the order in which messages enter the FIFO queues in the simulation, compared to the assumptions made by the analysis.
Figure 6 depicts the results of Expt. 4 which used the priority ordering obtained in Expt. 3, but assumed priority queues rather than FIFO queues. In this case, the minimum bus speed required was 608 kBit/s, and the corresponding bus utilisation 38.5%. Comparison of these results with those from Expt. 1 and Expt. 3 shows that the majority of the performance degradation caused by using FIFO queues occurs as a result of unavoidable external priority inversion in the form of a disrupted priority ordering, rather than as a consequence of internal priority inversion or pessimistic schedulability analysis for FIFO queues.
Finally, Expt. 5 examined 1000 random priority orderings with no correlation between message priority and transmission deadline. This experiment simulates assigning priorities to messages on the basis of the type of data or ECU, or indeed any other metric that has little or no correlation with message transmission deadlines. In this case, the mean value for the minimum bus speed required was 731 kBit/s (min. 618 kBit/s, max. 750 kBit/s), and the corresponding bus utilisation 32.0% (max. 37.8%, min. 31.2%). Figure 7 depicts the results of Expt. 5 for the worst of the random priority orderings, which required a minimum bus speed of 750 kBit/s to be schedulable. It is clear from the graph, that it is the assignment of a low priority (80th highest priority) to a message with a short transmission deadline that results in the need for such a high bus speed. Expt. 5 is directly comparable with Expt. 1 and shows the importance of appropriate priority assignment. In this case, arbitrary priority assignment increased the minimum bus speed required by 163% while reducing the maximum schedulable bus utilisation from 84.5% to 32.0% (figures for the average case).
The results of the experiments are summarised in Table 1 below.

Table 1: Case Study: Summary of results

Expt.  Node type    Priority order                  Min bus speed  Max bus util.
1      All PQ       OPA                             277 Kbit/s     84.5%
2      2 FQ, 8 PQ   OPA-FP/FIFO                     389 Kbit/s     60.1%
3      All FQ       OPA-FP/FIFO                     654 Kbit/s     35.8%
4      All PQ       Priority ordering from Expt. 3  608 Kbit/s     38.5%
5      All PQ       Random (footnote 10)            731 Kbit/s     32.0%

Footnote 10: Values are the average for 1000 random orderings.

7. Experimental evaluation
In this section we explore further the effects that FIFO queues and priority assignment policies have on the maximum bus utilisation. Our experimental evaluation examined a system with 8 nodes and 80 messages connected via a single CAN bus. We considered five different configurations of this network. In configuration #1, all of the nodes used priority queues. Configurations #2, #3, and #4 increased the number of nodes using FIFO queues from 2, to 4 to 8 respectively. In configurations #1–#4, message priorities were assigned according to the TDMPO-FP/FIFO policy as depicted in Figure 1. (As all the messages were of the same length, this priority ordering was optimal). In contrast, in configuration #5, message priorities were assigned at random, and all nodes used priority queues.
To examine the performance of these five configurations, we randomly generated 10,000 sets of messages as follows:
o The period of each message was chosen according to a log-uniform distribution from the range 10-1000ms; thus generating an equal number of messages in each time band (e.g. 10-100ms, 100-1000 ms etc.).
o The deadline of each message was equal to its period.
o The jitter of each message was chosen according to a uniform random distribution in the range 2.5ms to 5ms.
o Each message contained 8 data bytes.
o Each message was randomly allocated to one of the 8 nodes on the network, thus on average, each node transmitted 10 messages.
o All messages were assumed to have 11-bit identifiers.
For each configuration, we computed the maximum bus utilisation for each message set. This was done via a binary search combined with the schedulability analysis given in sections 3 and 4.
The solid lines in Figure 8 illustrate the frequency distribution of the maximum bus utilisation across the 10,000 message sets for each of the five configurations. From Figure 8, it is clear that the use of FIFO queues significantly degrades the real-time performance of the network. With all eight nodes using priority queues (#1), the mean value of the maximum bus utilisation was 89.5%. With two nodes using FIFO queues (#2), this reduced to 62.7%, and with four nodes using FIFO queues (#3) it further reduced to 44.9%. Finally, with all eight nodes using FIFO queues (#4) the mean value of the maximum bus utilisation degraded to just 28.4%. Worse still was random priority assignment (# 5) with a mean value of just 18.4%; despite using priority queues.
Figure 8 also shows results for the priority orderings obtained from configurations #2, #3, and #4, but assuming that all nodes use priority queues. These results are labelled #2a, #3a, and #4a respectively (dashed lines). The difference between configurations #1, #2a, #3a, and #4a is indicative of the performance degradation caused by the FIFO queues due to external priority inversion (i.e. priority inversion with respect to messages sent by other nodes). By contrast, the difference between the pairs of configurations #2–#2a, #3–#3a, and #4–#4a is indicative of the performance degradation caused by the FIFO queues due to internal priority inversion (i.e. priority inversion with respect to messages sent by the same node), and also potential pessimism in the schedulability analysis for FIFO queues. As expected, the degradation in performance due to external priority inversion is much larger than that due to internal priority inversion, which affects only a limited number of messages.
We repeated our experimental evaluation of an 8 node system for message sets of size 20 and 40. The form of the results and the broad conclusions that can be drawn from them remained the same as with message sets of size 80. However, with fewer messages to randomly allocate to each node, the performance degradation due to each FIFO queue became somewhat smaller. (This is expected as in the limit, with just one message per node, FIFO and priority queues are equivalent). Results for message sets of sizes 20, 40 and 80 are summarised in Table 2 and depicted in Figure 8, Figure 9, and Figure 10 respectively.

Table 2: Evaluation: Message sets of size 20

Config  Node type    Priority order  Mean of Max. bus util.
                                     n=20    n=40    n=80
1       All PQ       TDMPO           86.8%   88.4%   89.5%
2       2 FQ, 8 PQ   TDMPO-FP/FIFO   72.7%   68.1%   62.7%
3       4 FQ, 4 PQ   TDMPO-FP/FIFO   61.6%   53.6%   44.9%
4       All FQ       TDMPO-FP/FIFO   46.5%   36.9%   28.4%
5       All PQ       Random          26.1%   21.5%   18.4%

[Plot: Frequency (y-axis) against Breakdown Utilisation (x-axis). Curves: 1. PQ (No FIFO nodes); 2. FQ and PQ (Two FIFO nodes); 2a. PQ (Priorities from 2.); 3. FQ and PQ (Four FIFO nodes); 3a. PQ (Priorities from 3.); 4. FQ (All FIFO nodes); 4a. PQ (Priorities from 4.); 5. PQ - Random Priorities]

Figure 8: Frequency distribution of max. bus utilisation (8 nodes, 80 messages, 10,000 message sets)

[Plot: Frequency (y-axis) against Breakdown Utilisation (x-axis). Curves: 1. PQ (No FIFO nodes); 2. FQ and PQ (Two FIFO nodes); 2a. PQ (Priorities from 2.); 3. FQ and PQ (Four FIFO nodes); 3a. PQ (Priorities from 3.); 4. FQ (All FIFO nodes); 4a. PQ (Priorities from 4.); 5. PQ - Random Priorities]

Figure 9: Frequency distribution of max. bus utilisation (8 nodes, 40 messages, 10,000 message sets)

[Plot: Frequency (y-axis) against Breakdown Utilisation (x-axis). Curves: 1. PQ (No FIFO nodes); 2. FQ and PQ (Two FIFO nodes); 2a. PQ (Priorities from 2.); 3. FQ and PQ (Four FIFO nodes); 3a. PQ (Priorities from 3.); 4. FQ (All FIFO nodes); 4a. PQ (Priorities from 4.); 5. PQ - Random Priorities]

Figure 10: Frequency distribution of max. bus utilisation (8 nodes, 20 messages, 10,000 message sets)

8. Summary and Conclusions
The major contribution of this paper is the derivation of sufficient response time analysis for CAN where some of the nodes on the network implement FIFO queues, while others implement priority queues. This analysis is FIFO-symmetric in that it attributes the same worst-case response time (measured from the time a message is queued in the sending node until it is received by other nodes on the bus) to all of the messages that share the same FIFO. For this schedulability analysis, we proved that it is optimal to assign adjacent priorities to messages that share the same FIFO. We modified Audsley’s Optimal Priority Assignment algorithm to provide an overall priority assignment policy (OPA-FP/FIFO) that is optimal with respect to our analysis for both priority-queued messages and groups of messages that share a FIFO. Further, we showed that a simple policy based on transmission deadlines (TDMPO-FP/FIFO), depicted in Figure 1, is optimal with respect to our analysis for the specific case when all messages are of the same length.
Although this paper provides schedulability analysis for CAN assuming FIFO queues, we cannot recommend the use of such queues. By comparison with priority queues, FIFO queues inevitably cause priority inversion which is detrimental to real-time performance.
The use of FIFO queues increases the minimum bus speed necessary to ensure that all deadlines are met. This was illustrated in our case study where allowing just two ECUs (sending 18 out of the 85 messages) to use FIFO queues increased the minimum bus speed required from 277 kBit/s with priority queues to 389 kBit/s, a 40% increase. With all ECUs using FIFO queues, the minimum bus speed required increased to 654 kBit/s; an increase of over 130%. Using FIFO queues reduces the maximum bus utilisation achievable before any deadlines are missed, thus limiting the scope for extending a system by adding further messages without having to increase bus speed. In our case study, the maximum bus utilisation with priority queues was 84.5%, this reduced to 60.1% when two ECUs used FIFO queues, and to just 35.8% when all of the ECUs used FIFO queues. These figures were backed-up by our experimental evaluation of an eight node system with 80 messages. This evaluation of 10,000 randomly generated message sets showed a degradation in the mean value of the maximum bus utilisation from 89.5% with all nodes using priority queues, to 62.7% with two nodes using FIFO queues, to 44.9% with four nodes using FIFO queues, to just 28.4% with all eight nodes using FIFO queues. Such reductions in achievable utilisation not only increase the minimum bus speed required to obtain a schedulable network, but also decrease the robustness of the network to errors that result in message re-transmission.
We recommend that CAN device drivers / software protocol layers implement priority-based queues, rather than FIFO queues whenever possible. FIFO queues are appealing because they are simpler to implement and make the device driver appear more efficient; however, this perceived local gain typically comes at the expense of undermining the priority-based message arbitration scheme used by CAN, and significantly degrading the overall real-time performance capability of the network.
We note that the degree of priority inversion caused and hence the degradation in performance due to using FIFO queues is lower when only a few messages use each FIFO queue or alternatively when the messages that use each FIFO queue have similar transmission deadlines. Under these circumstances, the use of FIFO queues along with appropriate priority assignment may result in a satisfactory solution. If on the other hand, FIFO queues are used for large numbers of messages with a wide range of transmission deadlines, then this can be expected to have a significant detrimental impact on network performance. For ECUs that act as a gateway from one CAN bus to another and thus have a large number of messages to transmit, if a priority queue implementation is not possible, then system designers may wish to consider using multiple FIFO queues each utilising a separate hardware transmit buffer. An allocation of messages to these multiple FIFO queues can then aim to avoid assigning messages with widely differing transmission deadlines to the same FIFO queue, while also keeping the number of messages in each FIFO queue relatively small. This approach can result in significantly higher network performance than the alternative of using a single FIFO queue. The schedulability analysis and priority assignment policies given in this paper provide the tools necessary to investigate such tradeoffs.
Finally, both our case study and experimental evaluation confirmed that appropriate priority assignment is vital to obtaining effective real-time performance from Controller Area Networks. Using a random priority assignment policy, representative of priority assignment based on the type of data and ECU, or indeed any other metric that has little or no correlation with transmission deadlines, increased the minimum bus speed required from 277 kBit/s to 731 kBit/s, and reduced the maximum bus utilisation from 84.5% to just 32.0% in the case study, as compared to an optimal priority assignment policy. This data was backed up by our experimental evaluation of an eight node system with 80 messages. Here, for message sets of size 80, such a priority assignment policy resulted in values for the maximum bus utilisation, for 10,000 randomly generated message sets, in the range 8% to 45% with a mean of just 18.4%, compared to a range of 69% to 96% and a mean of 89.5% when an optimal priority assignment policy was used. We therefore strongly recommend that in Controller Area Networks, message IDs are assigned using an optimal or near optimal priority ordering reflecting message transmission deadlines.

Acknowledgements
The authors would like to thank Alan Burns for his comments on a previous draft of this paper. This work was partially funded by the UK EPSRC funded Tempo project (EP/G055548/1), the EU funded ArtistDesign Network of Excellence, the German Research Foundation, and the Carl Zeiss Foundation.

9. References
[1] N.C. Audsley, "Optimal priority assignment and feasibility of static priority tasks with arbitrary start times", Technical Report YCS 164, Dept. Computer Science, University of York, UK, Dec. 1991.
[2] N.C. Audsley, “On priority assignment in fixed priority scheduling”, Information Processing Letters, 79(1): 39-44, May 2001.
[3] Bosch. “CAN Specification version 2.0”. Robert Bosch GmbH, Postfach 30 02 40, D-70442 Stuttgart, 1991.
[4] F. Bimbard and L. George. “FP/FIFO feasibility conditions with kernel overheads for periodic tasks on an event driven OSEK system”. In Proceeding of ISORC, 2006.
[5] I. Broster, A. Burns, G. Rodríguez-Navas, “Probabilistic Analysis of CAN with Faults”, In Proceedings of the 23rd IEEE Real-Time Systems Symposium (RTSS'02), pp. 269-278, December, 2002.
[6] I. Broster and A. Burns. "An Analysable Bus-Guardian for Event-Triggered Communication". In Proceedings of the 24th Real-time Systems Symposium, pp. 410-419, IEEE Computer Society Press, December 2003.
[7] I. Broster. "Flexibility in dependable communication". PhD Thesis, Department of Computer Science, University of York, UK, August 2003.
[8] I. Broster, A. Burns and G. Rodriguez-Navas, "Timing analysis of real-time communication under electromagnetic interference", Real-Time Systems, 30(1-2) pp. 55-81, May 2005.
[9] L. Casparsson, A. Rajnak, K. Tindell, and P. Malmberg. "Volcano - a revolution in on-board communications". Volvo Technology Report, 1998/1.
[10] chronSIM. http://www.inchron.com
[11] R.I. Davis, A. Burns, R.J. Bril, and J.J. Lukkien. "Controller Area Network (CAN) Schedulability Analysis: Refuted, Revisited and Revised". Real-Time Systems, Volume 35, Number 3, pp. 239-272, April 2007.
[12] R.I. Davis, A. Zabos, A. Burns, "Efficient Exact Schedulability Tests for Fixed Priority Real-Time Systems". IEEE Transactions on Computers IEEE Computer Society Digital Library. IEEE Computer Society, September 2008 (Vol. 57, No. 9) pp. 1261-1276.
[13] R.I. Davis, A. Burns "Robust priority assignment for messages on Controller Area Network (CAN)". Real-Time Systems, Volume 41, Issue 2, pages 152-180, February 2009.
[14] R.I. Davis and A. Burns, "Improved Priority Assignment for Global Fixed Priority Pre-emptive Scheduling in Multiprocessor Real-Time Systems". Real-Time Systems, Volume 47, Issue 1, pages 1-40, 2010.
[15] M. Di Natale, "Understanding and using the Controller Area network" inst.eecs.berkeley.edu/~ee249/fa08/Lectures/handout_canbus2.pdf.
[16] M. Di Natale, "Evaluating message transmission times in Controller Area Networks without buffer preemption", In 8th Brazilian Workshop on Real-Time Systems, 2006.
[17] J. Ferreira, A. Oliveira, P. Fonseca, J. A. Fonseca. "An Experiment to Assess Bit Error Rate in CAN". In Proceedings of 3rd International Workshop of Real-Time Networks (RTN2004), pp. 15-18, Catania, Italy. June 2004.
[18] H. Hansson, T. Nolte, C. Norstrom, and S. Punnekkat. "Integrating Reliability and Timing Analysis of CAN-based Systems". IEEE Transaction on Industrial Electronics, 49(6): 1240-1250, December 2002.
[19] P. Hladik, A. Deplanche, S. Faucou, and Y. Trinquet, "Schedulability analysis of OSEK/VDX applications". In Proceedings RTNS, 2007.
[20] D.A. Khan, R.J. Bril, N. Navet, "Integrating hardware limitations in CAN schedulability analysis," IEEE International Workshop on Factory Communication Systems (WFCS) pp. 207-210, 18-21 May 2010. doi: 10.1109/WFCS.2010.5548604.
[21] ISO 11898-1. "Road Vehicles – interchange of digital information – controller area network (CAN) for high-speed communication", ISO Standard-11898, International Standards Organisation (ISO), Nov. 1993.
[22] S. Kollmann, V. Pollex, K. Kempf, F. Slomka, M. Traub, T. Bone, J. Becker (2010). "Comparative Application of Real-Time Verification Methods to an Automotive Architecture," In Proceedings of the 18th International Conference on Real-Time and Network Systems, Nov. 2010.
[23] S. Martin, P. Minet, L. George, "Non pre-emptive Fixed Priority scheduling with FIFO arbitration: uniprocessor and distributed cases", Technical Report No. 5051, INRIA Rocquencourt, Dec. 2007.
[24] A. Meschi, M. DiNatale, and M. Spuri, "Priority inversion at the network adapter when scheduling messages with earliest deadline techniques," in Proceedings of Euromicro Conference on Real-Time Systems, June 12-14 1996.
[25] T. Nolte. "Share-driven scheduling of embedded networks", PhD Thesis, Malardalen University Press, May 2006.
[26] T. Nolte, H. Hansson, and C. Norstrom. "Minimizing CAN response-time analysis jitter by message manipulation". In Proceedings 8th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'02), pp 197-206, September 2002.
[27] T. Nolte, H. Hansson, and C. Norstrom, "Probabilistic worst-case response-time analysis for the Controller Area Network." In Proceedings of the 9th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'03), pp. 200-207, May 2003.
[28] J. Rufino, P. Verissimo, G. Arroz, C. Almeida, and L. Rodrigues. "Fault-tolerant broadcasts in CAN". In Digest of Papers, The 28th IEEE International Symposium on Fault-Tolerant Computing (FTCS'98). pp. 150-159, June 1998.
[29] STMicroelectronics, "AN1077 Application note. Overview of enhanced CAN controllers for the ST7 and ST9 MCUS" 2001 (available from www.st.com).
[30] K.W. Tindell and A. Burns. "Guaranteeing message latencies on Controller Area Network (CAN)", In Proceedings of 1st International CAN Conference, pp. 1-11, September 1994.
[31] K.W. Tindell, A. Burns, and A. J. Wellings. "Calculating Controller Area Network (CAN) message response times". Control Engineering Practice, 3(8): 1163-1169, August 1995.
[32] K.W. Tindell, H. Hansson, and A.J. Wellings. "Analysing real-time communications: Controller Area Network (CAN)". In Proceedings 15th Real-Time Systems Symposium (RTSS'94), pp. 259-263. IEEE Computer Society Press, December 1994.
[33] A. Zuhily and A. Burns, "Optimality of (D-J)-Monotonic Priority Assignment". Information Processing Letters, no. 103, pp. 247-250, Apr. 2007.

Appendix A: Transmission deadline monotonic priority assignment

In this appendix, we show that the TDMPO-FP/FIFO priority assignment policy is optimal, with respect to the sufficient schedulability test given in section 4.5 (i.e. Algorithm 1 with lines 11-14 omitted) when all messages have the same worst-case transmission time (C).

Corollary A.1: For networks where all of the message transmission times are the same, then the blocking factor, used in both the sufficient schedulability test given by Davis et al. in [11] (recapitulated in section 3) and the sufficient schedulability tests given in section 4 of this paper, is the same for every message, and is equal to the worst-case message transmission time (C).

Lemma A.1: For a set of messages that all have the same worst-case transmission time (C), let i and j be the indices of two adjacent priority bands in a priority ordering that is schedulable according to the sufficient schedulability test given in section 4.5 (i.e. Algorithm 1 with lines 11-14 omitted). Assume that i is of higher priority than j, and that the transmission deadline $E_X$ of the priority-queued message / FIFO group (X) initially in priority band i is longer than the transmission deadline $E_Y$ of priority-queued message / FIFO group (Y) initially in priority band j. If the priorities of X and Y are swapped, so that X is in the lower priority band j, and Y is in the higher priority band i, then X remains schedulable.

Proof: Let $R_{Y,j}$ be the response time of Y in priority band j, (with X in the higher priority band i). Similarly, let $R_{X,j}$ be the response time of X in priority band j, (with Y in the higher priority band i). As Y is schedulable when it is in the lower priority band, then, $R_{Y,j} \le E_Y$, thus as $E_Y < E_X$, it follows that to prove the Lemma, we need only show that $R_{X,j} \le R_{Y,j}$. Further, as all messages have the same worst-case transmission time (C), and so the response times are equal to the queuing delays plus C, we need only compare the two queuing delays, referred to for convenience as $w_{X,j}$ and $w_{Y,j}$. Below we give formulae for $w_{X,j}$ and $w_{Y,j}$ based on (5) & (6) and (8) & (9). We have separated out the interference terms for X and Y. Further, we use $B(j)$ to represent the blocking factor, and $I(i, w)$ to represent the
interference from messages in higher priority bands.

$$B(j) = \max(B_j, C) = C$$

$$I(i, w) = \sum_{\forall k \in hp(i)} \left\lceil \frac{w^{n} + J_k + \tau_{bit}}{T_k} \right\rceil C$$

(i) Queuing delay $w_{X,j}$ (simplified by cancelling out the blocking factor C and the –C from $(C_X^{SUM} - C)$) is given by:

$$w_{X,j}^{n+1} = C_X^{SUM} + \sum_{\forall k \in Y} \left\lceil \frac{w_{X,j}^{n} + J_k + \tau_{bit}}{T_k} \right\rceil C + I(i, w) \qquad \text{(A.1)}$$

Note, in (A.1), if X is a priority-queued message, then $C_X^{SUM} = C$, also, if Y is a priority-queued message, then there is only one message $k \in Y$ present in the summation term; similarly for (A.2) below.

(ii) Queuing delay $w_{Y,j}$:

$$w_{Y,j}^{n+1} = C_Y^{SUM} + \sum_{\forall k \in X} \left\lceil \frac{w_{Y,j}^{n} + J_k + \tau_{bit}}{T_k} \right\rceil C + I(i, w) \qquad \text{(A.2)}$$

We can simplify (A.2) by noting that as Y is schedulable according to the assumption given in the Lemma, then

$$w_{Y,j} + C \le E_Y < E_X = \min_{\forall k \in X}(D_k - J_k) \le \min_{\forall k \in X}(T_k - J_k)$$

Hence, at most one instance of each message in X can contribute to the interference term and so we have:

$$w_{Y,j}^{n+1} = C_Y^{SUM} + C_X^{SUM} + I(i, w) \qquad \text{(A.3)}$$

Now let us consider the iterative solution to (A.1), for all values of

$$w_{X,j} \le E_Y - C < \min_{\forall k \in X}(T_k - J_k) - \tau_{bit},$$

only one instance of each message in Y can contribute to the interference term. Hence for $w_{X,j} \le E_Y - C$, (A.1) reduces to:

$$w_{X,j}^{n+1} = C_X^{SUM} + C_Y^{SUM} + I(i, w) \qquad \text{(A.4)}$$

Equations (A.3) and (A.4) are the same, hence as we know that (A.3) converges on a value $w_{Y,j} \le E_Y - C$, then (A.4) must also converge on the same value, hence $w_{X,j} = w_{Y,j}$, and so $R_{X,j} = R_{Y,j}$ □

Theorem 3: TDMPO-FP/FIFO is an optimal policy for assigning priority-queued messages and FIFO groups to priority bands, with respect to the sufficient schedulability test given in section 4.5 (Algorithm 1 with lines 11-14 omitted), provided that all messages have the same worst-case transmission time.

Proof: We prove the theorem by showing that any ordering Q of priority bands that is schedulable according to the sufficient schedulability test given in section 4.5 can be transformed into a TDMPO-FP/FIFO priority ordering without any loss of schedulability.

Let i and j be the indices of two adjacent priority bands in an ordering that is schedulable according to the sufficient schedulability test given in section 4.5. Assume that i is of higher priority than j, and that the transmission deadline $E_X$ of the priority-queued message / FIFO group (X) in priority band i is longer than the transmission deadline $E_Y$ of the priority-queued message / FIFO group (Y) in priority band j.

We now consider what happens to the schedulability of all of the messages in the system when we swap the priorities of X and Y (i.e. when we place X in the lower priority band j, and Y in the higher priority band i) to create priority ordering Q'. There are four cases to consider:

1. Priority bands with higher priority than i ($h \in hp(i)$): Inspection of (5) & (6) and (8) & (9) shows that the response times of each of the messages in these bands is the same in priority ordering Q' as it is in priority ordering Q. This is because the priority ordering of the messages with higher priorities than h is unchanged and the direct blocking factor due to the set of messages with lower priority than h depends only on the set of messages $lp(h)$ and not on their relative priority ordering, and is in any case equal to C for all priority bands. All of the messages in bands with priorities higher than j are therefore schedulable in priority ordering Q'.
2. Priority band i: Y was previously schedulable in the lower priority band j. Shifting Y up in priority above X results in no change to the blocking factor, but removes interference due to X, hence the worst-case response time for Y can be no greater than it was in priority ordering Q, Y is therefore schedulable in priority ordering Q'.
3. Priority band j: Lemma A.1 proves that X is schedulable in priority band j.
4. Priority bands with lower priority than j ($l \in hp(j)$): Inspection of (5) & (6) and (8) & (9) shows that the response times of each of these messages is the same in priority ordering Q' as it is in priority ordering Q. This is because the set of messages in higher priority bands is the same in both orderings, and the interference due to higher priority messages does not depend on their relative priority ordering. Further, the blocking factor due to the set of messages with lower priority than l depends only on the set of messages $lp(l)$ and not on their relative priority ordering, and is in any case equal to C for all priority bands. All of the messages in bands with priorities lower than j are therefore schedulable in priority ordering Q'.

By repeatedly swapping the priorities of any two adjacent priority bands that are not in TDMPO-FP/FIFO priority order, any arbitrary schedulable priority ordering Q can be transformed into a TDMPO-FP/FIFO priority ordering without any loss of schedulability □.
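The fixed-point iterations (A.1) and (A.2) from the proof of Lemma A.1, run on constructed data to show that the two queuing delays coincide; this is an added example, not code from the paper. It assumes that $C^{SUM}$ for a group is the group size times C, that the iteration starts from $w^0 = 0$, and that all message parameters (hypothetical, in microseconds) and function names are ours.

```python
# Added example: fixed-point iteration of (A.1) and (A.2) on constructed data.
# Times are integers in microseconds; a message is a tuple (T, J, D).

def interference(msgs, w, C, tau_bit):
    """Sum over msgs of ceil((w + J_k + tau_bit) / T_k) * C, the form used in I(i, w)."""
    return sum(-(-(w + J + tau_bit) // T) * C for (T, J, _D) in msgs)

def transmission_deadline(group):
    """E = min over the group of (D_k - J_k)."""
    return min(D - J for (_T, J, D) in group)

def queuing_delay(own, other, hp, C, tau_bit):
    """Queuing delay of `own` in band j with `other` in band i above it.

    Iterates w^{n+1} = C_own^SUM + sum_{k in other} ceil(...) C + I(i, w).
    Returns None as soon as w + C exceeds the transmission deadline of `own`.
    """
    c_sum = len(own) * C   # assumption: C^SUM is the group size times C
    limit = transmission_deadline(own)
    w = 0                  # assumption: the iteration starts from w^0 = 0
    while True:
        nxt = (c_sum + interference(other, w, C, tau_bit)
               + interference(hp, w, C, tau_bit))
        if nxt + C > limit:
            return None    # response time would exceed the deadline
        if nxt == w:
            return w       # converged
        w = nxt

# Constructed sample data (not from the paper).
C, TAU_BIT = 270, 2
HP = [(1000, 100, 1000), (2000, 0, 2000)]      # messages in bands above i
X = [(20000, 0, 20000), (25000, 500, 25000)]   # FIFO group, E_X = 20000
Y = [(10000, 0, 10000)]                        # priority-queued message, E_Y = 10000

def swap_check():
    """Return (w_Y_j, w_X_j): Y in band j under Q, X in band j after the swap."""
    return (queuing_delay(Y, X, HP, C, TAU_BIT),
            queuing_delay(X, Y, HP, C, TAU_BIT))

if __name__ == "__main__":
    w_y, w_x = swap_check()
    print("w_Y,j =", w_y, " w_X,j =", w_x, " R_X,j =", w_x + C)
```

Both iterations pass through the same sequence of values because, below $E_Y - C$, each message in X and in Y contributes exactly one instance, which is the step that turns (A.1) and (A.2) into (A.4) and (A.3).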