Copyright © IFAC Information Control in Manufacturing, Nancy - Metz, France, 1998

DESIGN OF RELIABLE REAL-TIME APPLICATIONS DISTRIBUTED OVER CAN (CONTROLLER AREA NETWORK)

N. Navet, Y.-Q. Song
LORIA - CNRS UMR 7503
ENSEM - 2, Avenue de la Forêt de Haye
F-54516 Vandoeuvre-lès-Nancy
{nnavet, song}@loria.fr

Abstract: Real-time applications distributed over the CAN network are characterized by stringent temporal and dependability constraints. Our goal is to take transmission errors into account in the design of real-time distributed applications, because in practice the consequences of such disturbances are potentially disastrous. In this paper we propose, on the one hand, a method for computing, for each message, the tolerable threshold of transmission errors that still guarantees the timing constraints are met. On the other hand, we also suggest an error model that enables us to consider both error frequency and error gravity. Our error model follows a generalized Poisson process, and its stochastic parameters have been derived. The analysis has been applied to an industrial case study to compute the probability that the deadlines will be respected. Copyright © 1998 IFAC

Keywords: Local area network, Error probability, Fault tolerance, Embedded systems, Safety-critical.

1. INTRODUCTION

Distributed applications (embedded applications, process control) increasingly use the CAN network for transmitting real-time information between sensors, actuators and control devices (computers, PLCs, ...). Such applications are characterized by the obligation to respect stringent temporal constraints and to provide dependability.

One of the main preoccupations in the design of a distributed real-time application (DRTA) is verifying that its temporal constraints are respected. This implies being able to evaluate the performance of the application, and especially the message response time, when transmission errors occur.

We consider it essential to take transmission errors seriously into account in the performance evaluation of a DRTA using CAN, given, on the one hand, the existence of such disturbances (mainly caused by electromagnetic fields) and, on the other hand, the potentially disastrous consequences of failing to respect the time constraints (e.g. the data transmitted in a vehicle frequently represent information vital to the safety of the passengers). The criticality of the constraints led us to assess the 'worst-case' performance.

Assuming that only periodic messages have stringent timing requirements (hard real-time) and assuming a reliable medium, Wang et al. (1992) have proposed a solution for calculating an upper bound on frame response times (defined as the interval between the transmission request and the complete reception of the message). Tindell & Burns (1994b) have also proposed a similar solution and have applied it to the SAE benchmark (SAE, 1993). Tindell et al. (1995) have extended their previous work to transmission errors by considering a deterministic error model with which they can actually calculate an upper limit on the response time. Their error model makes