388 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 5, NO. 4, NOVEMBER 2009
Stochastic Analysis of CAN-Based
Real-Time Automotive Systems
Haibo Zeng, Marco Di Natale, Member, IEEE, Paolo Giusto, and Alberto Sangiovanni-Vincentelli, Fellow, IEEE
Abstract—Many automotive applications, including most of those developed for active safety and chassis systems, must comply with hard real-time deadlines, and are also sensitive to the average latency of the end-to-end computations from sensors to actuators. A characterization of the timing behavior of functions is used to estimate the quality of an architecture configuration in the early stages of architecture selection. In this paper, we extend previous work on stochastic analysis of response times for software tasks to controller area network messages, then compose them with sampling delays to compute probability distributions of end-to-end latencies. We present the results of the analysis on a realistic complex distributed automotive system. The distributions predicted by our method are very close to the probability of latency values measured on a simulated system. However, the faster computation time of the stochastic analysis is much better suited to the architecture exploration process, allowing a much larger number of configurations to be analyzed and evaluated.

Index Terms—Controller area network (CAN), distributed systems, stochastic analysis.
I. INTRODUCTION
The complexity of automotive electronic systems is rapidly growing. A modern vehicle contains between 20 and 100 electronic control units (ECUs), with several million lines of embedded software code, networked over standard communication buses. Controller area networks (CANs, up to 10) are the majority of the links. Furthermore, many automotive electronic systems involve real-time control of mechanical parts, such as chassis, powertrain, and active safety.

Car electronic architectures need to be defined, evaluated, and selected years in advance, when the functions they will support are only partly defined. This stage is of enormous importance for its implications on cost, performance and extensibility. Currently, it is driven by a what-if iterative process. First, a set of metrics and constraints is defined; then, a few candidate architectures are evaluated based on the analysis results, and a solution is selected.
In this work, we focus on the stochastic analysis of the timing performance of distributed automotive architectures with priority-based scheduling, i.e., OSEK compliant operating systems [3] and the CAN bus protocol [2]. The communication model considered in this research is the periodic activation model, where all tasks are activated periodically, and communicate by means of asynchronous buffers preserving the latest value written on them. This model is supported by AUTOSAR, the open standard for the description of automotive software architectures [1]. Message transmission is triggered periodically and each message contains the latest values of the signals that are mapped into it. At each stage, the consumer of the data may need to wait up to an entire period (sampling delay) to get the latest data in the buffer.

Manuscript received December 14, 2008; revised April 20, 2009 and August 14, 2009. First published September 29, 2009; current version published November 06, 2009. Paper no. TII-08-12-0213.R2.
H. Zeng and P. Giusto are with General Motors R&D, Palo Alto, CA 94360 USA (e-mail: haibo.zeng@gm.com; paolo.giusto@gm.com).
M. Di Natale is with Scuola Superiore S. Anna, Via Moruzzi, 1, 56127 Pisa, Italy (e-mail: marco@sssup.it).
A. Sangiovanni-Vincentelli is with the Department of Electrical Engineering and Computer Sciences, University of California at Berkeley, Berkeley, CA 94720 USA (e-mail: alberto@eecs.berkeley.edu).
Digital Object Identifier 10.1109/TII.2009.2032067
A. Research Motivation
The work presented in this paper is motivated by the study of current and future active safety functions. These functions gather a 360° view of the environment via radars and cameras, and require several processing stages before the actuation signals are produced, including sensor fusion, object detection, control and arbitration layers. Examples are Adaptive Cruise Control (ACC) or Lane Keeping Systems. In an active cruise control system, a set of radars (or other sensors) scans the road in front of the car to ensure that there are no other cars or objects moving at a lower speed or even stopped in the middle of the lane. If such an object is detected, the system lowers the target speed of the cruise control until it matches the speed of the detected obstacle.

A hard deadline can be defined for such a system (the worst case reaction time that allows preventing a collision), but clearly a faster average reaction time is always preferable and the designer can leverage additional knowledge on the probability distribution of the function response times.

End-to-end latencies for computations that span over several ECUs and CAN buses are a function of task response times, message response times, and communication delays. If the communication model is by periodic sampling, then the latter depends on the relative phases of tasks and messages.
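The composition just described, as an added illustration that is not code from the paper: discrete response-time distributions for a sensor task, a CAN message and a control task are convolved with the sampling delay at each periodic consumer to obtain the end-to-end latency distribution. The PMF values and periods are constructed sample data, and the example assumes independent stages and a uniformly distributed phase between producer and consumer, neither of which is stated by the paper.

```python
from itertools import product
from collections import defaultdict

# Probability mass functions over integer latency ticks (e.g. 1 tick = 1 ms):
# {latency_ticks: probability}. Sample values below are constructed, not from the paper.

def convolve(a, b):
    """Distribution of the sum of two independent delays."""
    out = defaultdict(float)
    for (x, px), (y, py) in product(a.items(), b.items()):
        out[x + y] += px * py
    return dict(out)

def sampling_delay(period):
    """Wait for the next activation of a periodic consumer (task or message) whose
    phase relative to the producer is unknown: assumed uniform over 0..period-1."""
    return {d: 1.0 / period for d in range(period)}

def end_to_end(stages):
    """Compose response-time and sampling-delay PMFs along a sensor-to-actuator
    path, assuming the stages are independent (a modelling assumption made here)."""
    dist = {0: 1.0}
    for s in stages:
        dist = convolve(dist, s)
    return dist

def mean(dist):
    return sum(x * p for x, p in dist.items())

def worst_case(dist):
    return max(dist)

def quantile(dist, q):
    """Smallest latency L with P(latency <= L) >= q."""
    acc = 0.0
    for x in sorted(dist):
        acc += dist[x]
        if acc >= q - 1e-12:
            return x
    return max(dist)

# Constructed path: sensor task -> CAN message (period 20 ticks) -> control task
# (period 10 ticks). Response-time PMFs are invented sample data.
SENSOR_TASK = {1: 0.6, 2: 0.3, 4: 0.1}
CAN_MESSAGE = {2: 0.5, 3: 0.3, 5: 0.15, 8: 0.05}
CONTROL_TASK = {1: 0.7, 3: 0.3}
PATH = [SENSOR_TASK, sampling_delay(20), CAN_MESSAGE, sampling_delay(10), CONTROL_TASK]

def example_latency():
    return end_to_end(PATH)
```

mean(example_latency()) and quantile(example_latency(), 0.99) give the average and 99th-percentile end-to-end latency of the path, while worst_case() recovers the bound that a deterministic worst-case analysis would report for the same path.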
Worst case analysis based on schedulability theory allows computing the contribution of tasks and messages [6] to end-to-end latencies and provides the architecture designer with a set of values (one for each end-to-end path) on which he/she can check correctness of an architecture solution. However, worst case analysis should be complemented by probabilistic analysis for two main reasons.
• Many applications are not time-critical, but the performance of the controls depends on the average response time, which needs to be analyzed and minimized. This is true also for many time-critical functions.
• In the periodic activation model, each time a message is transmitted or received, a task (message) may need to wait
1551-3203/$26.00 © 2009 IEEE