Prevention of Sequential Message Loss in CAN Systems


Shengbing Jiang, Electrical & Controls Integration Lab, GM R&D Center, MC: 480-106-390, 30500 Mound Road, Warren, MI 48090, shengbing.jiang@gm.com

Ratnesh Kumar, Electrical & Computer Engineering, Iowa State University, 2215 Coover Hall, Ames, IA 50011-3060, rkumar@iastate.edu

Abstract

More and more advanced features such as adaptive cruise control, collision avoidance, and stability control are being implemented in vehicles. These features are usually implemented as distributed CAN (controller area network) systems right now. In a CAN system, normally there is no clock synchronization among the ECU (electronic control unit) nodes connected by the CAN bus. Without synchronization, the clocks of those ECU nodes could drift away from each other. A typical clock drift rate of 30 ppm (parts per million) could cause a clock to drift by 108 milliseconds in one hour. A clock drift this large could cause problems in those advanced vehicle control systems. In fact, a sequence of messages could get lost in a distributed CAN system due to the combination of clock drift, transmission jitter, and finite buffer size. To solve the above problem, instead of performing high-overhead clock synchronization in the CAN system, this paper provides an economical solution for the prevention of the above message loss problem. The idea is to synchronize the task activations on different ECU nodes, and such synchronizations are performed only when necessary. An analysis method is developed for the determination of the synchronization frequency, and an algorithm is provided for the task activation synchronization.

1. Introduction

More and more features such as adaptive cruise control, collision avoidance, and stability control are adopted in automotive vehicles. These features are currently implemented in distributed CAN systems. In a CAN system, normally there is no clock synchronization among the ECU nodes connected by the CAN bus. Without synchronization, the clocks of those ECU nodes could drift away from each other. Typically, the clock drift rate is ±30 ppm (parts per million) at standard temperature (77 °F) [2], which means a clock could drift by 108 milliseconds in one hour (3.6 × 10^6 ms × 30 × 10^−6 = 108 ms). A clock drift this large could cause problems in the vehicle control systems. In fact, as described in the next section, we have identified that a sequence of messages could get lost in a distributed CAN system due to the combination of clock drift, transmission jitter, and finite buffer size. This message loss problem needs to be solved.

One approach to the above message loss problem is to perform oversampling in the system so that a single message loss does not cause any problem, which is the current practice. But this approach cannot be used to tolerate a sequence of message losses: in order to tolerate a sequence of n message losses, the sampling rate as well as the software task execution period would have to be n times faster, and this is generally impossible for n ≥ 3 because of the large consumption of resources and hardware restrictions.

Another solution to the above message loss problem is to perform clock synchronization on top of CAN [6]. This solution may have a high overhead because the synchronizations are usually performed around every 15 ms for a drift rate of ±30 ppm, and some synchronization mechanisms require specific hardware circuits. For the clock synchronization approach there is also another issue: how to prevent message losses by using the synchronized clock. Note that the above synchronization only provides a digital clock (vs. the original quartz crystal clock) for each ECU node. In order to prevent the message losses, we need to use this digital clock for the activation of software task execution on the ECU node. Currently the clock for the activation of task execution is provided by the operating system, and it is based on the quartz crystal clock of the ECU node. It is not clear how to use the digital clock for the task activation without changing the operating system; and for reasons like standardization and reusability, a customized operating system is not a good solution.

In this paper, we provide an economical solution for the prevention of the above message loss problem in CAN systems. The idea is to synchronize the task activations on different ECU nodes. Such task activation synchronizations are performed only when necessary, and there is no need for a synchronized digital clock. An analysis method is developed to determine the synchronization frequency, and an algorithm is provided for the task activation synchronization.

The rest of the paper is organized as follows. Section 2 describes the message sequence loss problem caused by clock drift, transmission jitter, and finite buffer size. Section 3 presents the solution to the message loss problem by task activation synchronization. Section 4 concludes the paper.

2. Problem Description

Consider the following example.

Example 1: Given a task chain that includes four tasks (t_0 → t_1 → t_2 → t_3), as shown in Figure 1, where each task t_i is allocated to a different ECU node, and the four ECU nodes are connected by a CAN bus. Suppose the common period of the tasks is 10 milliseconds and the release phase for every task is zero. On each ECU node, the task t_i is released/activated periodically according to the common period measured by the local clock. There are three buffers b_i, i = 1, 2, 3, to store the messages from t_{i−1} to t_i. Assume the size of every buffer is one. If a new message arrives into a buffer, then the old message in the buffer is replaced by the new message no matter whether the old message has been consumed or not, and the replacement of an unconsumed old message by a new message indicates a message loss. To capture the transmission jitter, we assume that the best case and worst case execution time (including the message transmission time to the buffer of the next task) of every task are 4.9 and 5.1 milliseconds respectively.

Figure 1. An illustrative example: input → node 0 (task t_0) → buffer b_1 → node 1 (t_1) → b_2 → node 2 (t_2) → b_3 → node 3 (t_3) → output, with the four nodes connected by one CAN bus. For each task: period = 10 ms; phase = 0 ms; best case execution time = 4.9 ms; worst case execution time = 5.1 ms. For each buffer: size = 1.

To illustrate the effect of message losses, we consider a sampled input sequence of (I_0 = 0, I_1 = 1, I_2 = 1, I_3 = 1, I_4 = 0) to task t_0, and assume that each task just outputs what it receives, but the best and worst case execution times are still honored. It is not difficult to find out that when there is no clock drift among the clocks of the four ECU nodes, the output sequence of the task t_3 would be (O_0 = 0, O_1 = 1, O_2 = 1, O_3 = 1, O_4 = 0) after a delay of three periods plus the execution time of t_3.

Now we consider the case that there are clock drifts among the clocks of the four ECU nodes because these clocks are not synchronized on the CAN bus. Suppose that at a certain point of time there is a 5 millisecond cumulative clock drift between node i and node i + 1 for each i (i = 0, 1, 2), and that every execution of every task t_i takes the best case time of 4.9 milliseconds, except that the second execution of t_0, the third execution of t_1, and the fourth execution of t_2 take the worst case time of 5.1 milliseconds. If the input sequence (I_0 = 0, I_1 = 1, I_2 = 1, I_3 = 1, I_4 = 0) is supplied to task t_0 at this point of time, then we can find out that the output sequence of the task t_3 would be (O_0 = 0, O_1 = 0, O_2 = 0, O_3 = 0, O_4 = 0) after some delay, i.e., the three consecutive messages corresponding to the inputs (I_1 = 1, I_2 = 1, I_3 = 1) are lost, as shown in Figure 2.

Figure 2. Losses of consecutive messages. The figure is a timeline from 0 to 60 ms for the case with clock drift, with rows for the input, the activation time of t_0, the output time to buffer b_1, the activation time of t_1, the output time to buffer b_2, the activation time of t_2, the output time to buffer b_3, the activation time of t_3, the output time of t_3, and the output. The input row reads 0, 1, 1, 1, 0 and the output row reads 0, 0, 0, 0, 0; X marks a message loss due to overwriting, and a separate marker denotes a message reuse.

It is clear that the above loss of sequential messages is caused by the combination of clock drift, transmission jitter, and finite buffer size. It is very difficult to run into the above situation in a test, but it could happen in real operation and could cause the loss of certain important messages or result in a longer reaction time of the system.
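The scenario of Example 1 can be replayed with a small event-driven simulation. The code below is an added example, not part of the paper: it assumes the +5 ms per-hop activation offsets read from Figure 2 (node i activates 5·i ms after node 0) and an 80 ms horizon, takes the one-slot buffers and 4.9/5.1 ms execution times from Figure 1, and works for any chain length and offsets rather than only the four-node case; it also evaluates the buffer-size bound from the end of Section 2.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# Constructed parameters taken from Figure 1: common period 10 ms, one-slot buffers,
# best/worst case execution time (including transmission to the next buffer) 4.9/5.1 ms.
PERIOD_MS = 10.0
BEST_CASE_MS = 4.9
WORST_CASE_MS = 5.1


def simulate_chain(inputs: List[int], offsets: List[float],
                   slow_runs: Dict[Tuple[int, int], float],
                   period: float = PERIOD_MS, horizon: float = 80.0):
    """Event-driven simulation of a chain t_0 -> ... -> t_{n-1} over one-slot buffers.

    inputs    -- samples fed to t_0, one per activation (t_0 stops when they run out)
    offsets   -- real-time activation offset of each node (ms); stands in for the
                 cumulative clock drift between nodes at the moment the inputs arrive
    slow_runs -- {(task, instance): execution time} for runs that are not best case
    Returns (values output by the last task, losses as (time, buffer, overwritten value)).
    """
    n = len(offsets)
    buffers: List[Optional[int]] = [None] * n   # buffers[i] feeds task i; index 0 unused
    fresh = [False] * n                         # buffers[i] holds an unconsumed message
    outputs: List[int] = []
    losses: List[Tuple[float, int, int]] = []
    heap: list = []
    seq = 0                                     # unique tie-breaker for the heap tuples
    for i in range(n):
        k = 0
        while offsets[i] + k * period < horizon and (i > 0 or k < len(inputs)):
            heapq.heappush(heap, (offsets[i] + k * period, 1, seq, "activate", i, k, None))
            seq += 1
            k += 1
    while heap:
        t, _, _, kind, i, k, value = heapq.heappop(heap)
        if kind == "activate":
            if i == 0:
                value = inputs[k]
            else:
                value = buffers[i]              # a stale read is a "message reuse"
                fresh[i] = False
            if value is None:
                continue                        # nothing has reached this node yet
            done = t + slow_runs.get((i, k), BEST_CASE_MS)
            # a write landing at the same instant as an activation is ordered first
            heapq.heappush(heap, (done, 0, seq, "write", i, k, value))
            seq += 1
        elif i == n - 1:
            outputs.append(value)               # output of the last task in the chain
        else:
            if fresh[i + 1]:                    # overwriting an unconsumed message: a loss
                losses.append((t, i + 1, buffers[i + 1]))
            buffers[i + 1] = value
            fresh[i + 1] = True
    return outputs, losses


def example1_no_drift():
    """All four clocks aligned (no activation offsets), best case execution everywhere."""
    return simulate_chain([0, 1, 1, 1, 0], [0.0, 0.0, 0.0, 0.0], {})


def example1_with_drift():
    """5 ms cumulative drift per hop; the second run of t_0, third of t_1 and
    fourth of t_2 take the worst case, as in the paper's Example 1."""
    slow = {(0, 1): WORST_CASE_MS, (1, 2): WORST_CASE_MS, (2, 3): WORST_CASE_MS}
    return simulate_chain([0, 1, 1, 1, 0], [0.0, 5.0, 10.0, 15.0], slow)


def minutes_to_first_loss(buffer_size: int, t1: float, t2: float) -> float:
    """Section 2 bound: with input period t1 < output period t2 (ms), a buffer of
    size N overflows once T > N * t1 * t2 / (t2 - t1). Returns that time in minutes."""
    return buffer_size * t1 * t2 / (t2 - t1) / 60000.0
```

The drifted run reproduces Figure 2: three overwrites, one in each buffer, and an output of all zeros, while the aligned run delivers the input unchanged.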
For instance, if the input sequence (I_1, I_2, I_3) in the above example represents the occurrence of a certain important event, then this event occurrence report would get lost in the system. Or, even if I_4 = 1 and O_4 = 1 in the above example, which means that the occurrence of the event is reported continuously (such as object detection in certain applications) and this occurrence is eventually transmitted to the required destination, an extra delay of three periods is added to the reaction time (defined as the time interval between I_1 = 1 and O_4 = 1) because of the loss of the sequence (I_1, I_2, I_3), and this may cause the system not to react in time to the detected object.

Note that the above message loss due to overwriting cannot be prevented by simply increasing the buffer size. To see this more clearly, let us consider a buffer with a size of N, and let T_1 and T_2 be the periods of the input and output tasks for the buffer respectively; here T_1 ≠ T_2 because of the clock drift, and we assume that T_1 < T_2. Now after T time units, the input task would generate T/T_1 messages and the output task would consume T/T_2 messages, and there are T/T_1 − T/T_2 = (T·(T_2 − T_1))/(T_1·T_2) messages left in the buffer. It is clear that if T > N·T_1·T_2/(T_2 − T_1) then a message loss would happen. For the above example, we could have T_1 = 10 − 10 × 30 × 10^−6 (ms) and T_2 = 10 + 10 × 30 × 10^−6 (ms) by assuming a clock drift rate of 30 ppm; then after a simple calculation we know that there would be a message loss after N × 2.8 minutes, i.e., a message loss could still happen no matter how large the buffer size N is.

3. Task Activation Synchronization

To solve the message loss problem, we propose to synchronize the task activations at different ECU nodes. A master-slave approach is used for the synchronization. More precisely, one ECU node is the master node, which is usually the ECU node of the first task in the task chain, and all the other ECU nodes are slave nodes. The master node periodically sends out a synchronization frame that contains the information of the task activation time on the master node, and upon receiving the synchronization frame each slave node adjusts its task activation time according to the received task activation time on the master node. There are two questions here: how frequently the synchronization shall be performed, and how exactly the task activations on different nodes are synchronized. We answer these two questions below.

3.1. Synchronization Frequency Determination

Note that our goal here is to prevent the message losses due to clock drift, transmission jitter, and finite buffer size. So the synchronization frequency shall be chosen in such a way that there is no message loss if the task activations are synchronized according to the chosen frequency. Here the synchronization frequency is represented by 1/N, where N is an integer, which means the synchronization shall be performed every N task periods, i.e., every N·T time units, where T is the common period of the given task chain.
In order to achieve the above goal, we first model the whole system including the effects of clock drift, transmission jitter, finite buffer size, and the synchronization of task activations; then, starting from an initial synchronization frequency, which is the highest frequency that we can accept under the given system resource constraints, we perform formal verification of the system model to see whether a message loss could happen or not. If a message loss could happen, then we stop and output that no frequency is found, which means that the system schedule needs to be revised because the schedule itself is not robust enough and a small clock drift could cause message losses. If a message loss could not happen, then we decrease the synchronization frequency and repeat the process until finding the lowest synchronization frequency without message loss. The algorithm is given below.

Algorithm 1: Synchronization Frequency Determination
1) Model the whole system as a linear hybrid automaton that includes the behavior of clock drift, transmission jitter, finite buffer size, and the synchronization of task activations.
2) Choose an initial synchronization frequency 1/N = 1/N_0, where N_0 is a predefined smallest value and normally N_0 = 1.
3) Verify the system for message loss with the given frequency 1/N. If there is a message loss, then stop and output that no frequency is found; otherwise go to the next step.
4) Let N = 2N and verify the system with the new frequency 1/N. If there is a message loss, then stop and output 2/N as the synchronization frequency identified; otherwise repeat this step.

In the above algorithm, we model the system as a linear hybrid automaton [3] and verify the system for message losses. The message loss verification problem turns out to be a reachability problem for the linear hybrid automaton model, which will be clear from the model derived below.

A linear hybrid automaton (LHA) consists of a finite transition graph, whose nodes are called locations and whose edges are called discrete transitions, together with a set V of real variables. The continuous dynamics within each location are subject to a constant polyhedral differential inclusion (also called flow condition), i.e., dynamics of the form A·v̇ ≤ b, where A is a matrix, b is a vector, and v̇ is the vector of the first derivatives of the variables in V. Discrete dynamics are modeled by the discrete transitions, each of which has a guard condition and a jump condition over V. A discrete transition is enabled if and only if its guard condition is satisfied, and after the occurrence of a discrete transition the variable values are determined by the jump condition of the discrete transition. The reachability problem of LHA can be described as: given an LHA and a set of bad locations, check whether the bad location set is reachable or not, i.e., check whether there is a run in the LHA such that a bad location could be reached by the run. The formal definition of LHA can be found in [3] and is omitted here. For reachability analysis of linear hybrid automata, there are several tools available [4], [1], as well as a new approach that was developed recently in [5]. In this paper we will not describe the techniques for the reachability analysis of linear hybrid automata; we only describe how to model the system as an LHA.

We use Example 1 to illustrate how to model the system as an LHA. We assume that node 0 is the master node and all the other nodes are slave nodes. Let 1/N be the synchronization frequency; then node 0 will send out a synchronization frame to all the other slave nodes every N periods. We have one component LHA model for the execution of each task and one component LHA model for the synchronization operation of each node. For Example 1, we have eight component LHA models in total, and the LHA model for the whole system is derived by the composition of the eight component models as described in [3]. In the following, these component LHA models are provided and the whole system LHA model is omitted.

For the execution of task t_0 on the master node 0, we have the LHA model shown in Figure 3.

Figure 3. LHA model for task t_0. Locations: Suspended, Activated, and Message loss at buffer b_1; in Suspended and Activated the clock drifts, 1 − E ≤ dC_0/dt ≤ 1 + E. Initialization: C_0 = T_0 − R_0. Transition Suspended → Activated: guard C_0 = T_0, jump C_0 = 0. Transition Activated → Suspended: guard [B_0 ≤ C_0 ≤ W_0] ∧ [f_1 = 0], jump f_1 = 1. Transition Activated → Message loss at buffer b_1: guard [B_0 ≤ C_0 ≤ W_0] ∧ [f_1 = 1]. Legend: C_0: local clock variable; T_0: period, T_0 = 10 ms; R_0: release phase, R_0 = 0 ms; E: clock drift rate; B_0: best case execution time, B_0 = 4.9 ms; W_0: worst case execution time, W_0 = 5.1 ms; f_1: freshness bit for buffer b_1, where f_1 = 1 indicates the data in buffer b_1 is not yet used and f_1 = 0 indicates the data is already used; initially f_1 = 0.

Initially, task t_0 is in the suspended state, i.e., at the Suspended discrete location, and the clock variable has a value of C_0 = T_0 − R_0, with T_0 being the period and R_0 being the release phase. The clock has a drift rate of E, so the flow function for the clock is 1 − E ≤ dC_0/dt ≤ 1 + E. After the release phase of R_0 time units, the clock variable value is T_0, i.e., the guard condition of the transition from the Suspended location to the Activated location is satisfied and the transition is enabled, and upon the execution of the transition the value of C_0 is reset to zero according to the jump condition. In the activated state, where the task could go through the waiting and the execution processes, after B_0 and before W_0 time units the task t_0 could finish its execution and output a message to buffer b_1.
If the old message in buffer b_1 is already consumed by the task t_1, i.e., the freshness bit f_1 = 0, then the guard condition of the transition from Activated to Suspended is satisfied and the transition is enabled, and upon the execution of the transition the freshness bit f_1 is set to one; otherwise, the guard condition from Activated to Message loss at buffer b_1 is satisfied, which means a message loss at buffer b_1 occurs due to the overwriting of the old unused message in buffer b_1. Note that in the above the best and the worst case execution times B_0 and W_0 include both the execution time of task t_0 and the message transmission time from node 0 to node 1, i.e., the time from the activation of t_0 until the arrival of the output at buffer b_1.

For the execution of task t_1 as well as t_2, we have the LHA model shown in Figure 4. The model is similar to the model of t_0 except that once the task t_i (i = 1, 2) is activated, it could be executed immediately and the message in buffer b_i will be consumed. As a result, the freshness bit of buffer b_i is reset to zero upon the execution of the transition from Suspended to Activated.

Figure 4. LHA model for task t_i (i = 1, 2). Locations: Suspended, Activated, and Message loss at buffer b_{i+1}; in Suspended and Activated the clock drifts, 1 − E ≤ dC_i/dt ≤ 1 + E. Initialization: C_i = T_i − R_i. Transition Suspended → Activated: guard C_i = T_i, jump [C_i = 0] ∧ [f_i = 0]. Transition Activated → Suspended: guard [B_i ≤ C_i ≤ W_i] ∧ [f_{i+1} = 0], jump f_{i+1} = 1. Transition Activated → Message loss at buffer b_{i+1}: guard [B_i ≤ C_i ≤ W_i] ∧ [f_{i+1} = 1]. Legend: C_i: local clock variable; T_i: period, initially T_i = 10 ms; R_i: release phase, R_i = 0 ms; E: clock drift rate; B_i: best case execution time, B_i = 4.9 ms; W_i: worst case execution time, W_i = 5.1 ms; f_i: freshness bit for buffer b_i, initially f_i = 0.

For the execution of the last task t_3, we have the LHA model shown in Figure 5. The model is similar to the model of t_1 and t_2 except that there is no buffer after t_3 and, as a result, there is no message loss in the model.

Figure 5. LHA model for task t_3. Locations: Suspended and Activated; in both the clock drifts, 1 − E ≤ dC_3/dt ≤ 1 + E. Initialization: C_3 = T_3 − R_3. Transition Suspended → Activated: guard C_3 = T_3, jump [C_3 = 0] ∧ [f_3 = 0]. Transition Activated → Suspended: guard B_3 ≤ C_3 ≤ W_3. Legend: C_3: local clock variable; T_3: period, initially T_3 = 10 ms; R_3: release phase, R_3 = 0 ms; E: clock drift rate; B_3: best case execution time, B_3 = 4.9 ms; W_3: worst case execution time, W_3 = 5.1 ms; f_3: freshness bit for buffer b_3, initially f_3 = 0.

For the synchronization operation of the master node 0, we have the LHA model shown in Figure 6. Initially, the first synchronization frame is sent out by the master node 0, denoted by the event Sync, and the variable S is set to zero. Next, every N·T_0 time units (measured by the local clock C_0, as indicated in the model by the flow function dS/dt = dC_0/dt), the master node 0 sends out a synchronization frame, as indicated in the model by the self-loop transition.

Figure 6. LHA model for master node 0. A single location with flow function dS/dt = dC_0/dt; the initial transition carries the event Sync and the jump S = 0; the self-loop transition has guard S = N·T_0, event Sync, and jump S = 0. Legend: S: variable for the time between two synchronizations; Sync: event indicating the synchronization; 1/N: synchronization frequency; T_0: period, T_0 = 10 ms; C_0: clock variable of master node 0.

For the synchronization operation of the slave node i (i = 1, 2, 3), we have the LHA model shown in Figure 7. In the model, when a slave node receives a synchronization frame, it calculates the activation time drift of task t_i with respect to task t_0, which is represented in the model by S_i = (R_i − R_0) − (C_0 − C_i) + δ, and this drift will be used to adjust the activation period of t_i in the next synchronization round.

Figure 7. LHA model for slave node i (i = 1, 2, 3). The model is driven by the Sync event: the first Sync transition has jump S_i = (R_i − R_0) − (C_0 − C_i) + δ, and each subsequent Sync transition has jump [T_i = T_i + S_i/N] ∧ [S_i = (R_i − R_0) − (C_0 − C_i) + δ]. Legend: S_i: activation time drift of task t_i with respect to task t_0; R_i: release phase of t_i, R_i = 0 ms; 1/N: synchronization frequency; Sync: synchronization event; T_i: period, initially T_i = 10 ms; C_i: local clock variable; δ: system implementation error, δ ≤ 20 microseconds.

Some explanation of S_i is given below. We know that R_0 and R_i are the respective times of the first activations of t_0 and t_i, which implies that the time difference between the subsequent activations of t_i and t_0 because of the release phases would be (R_i − R_0). In the above calculation of S_i, C_0 and C_i are the respective values of the time that has passed since the last activation of t_0 and t_i until the current synchronization point, so T_0 − C_0 and T_i − C_i would be the respective times until the next activations of t_0 and t_i, which further implies that (T_i − C_i) − (T_0 − C_0) = (C_0 − C_i) + (T_i − T_0) is the time difference between the next activations of t_i and t_0. So the activation drift would be (R_i − R_0) − (C_0 − C_i) − (T_i − T_0). Note that the actual recordings of the above C_0 and C_i are performed by the master node 0 upon the successful transmission of the synchronization frame and by the slave node upon receiving the synchronization frame respectively, so these two recordings may not happen simultaneously; there would be a system implementation error δ. So the activation time drift would be S_i = (R_i − R_0) − (C_0 − C_i) + δ, where (T_i − T_0) is a part of the error δ. Once the above drift S_i is calculated, it will be used to adjust the activation period of task t_i so that the drift could be reduced. This is achieved by T_i = T_i + S_i/N in the model. Note that the drift S_i is amortized over N periods instead of one period to avoid a possible big leap in the period T_i, because S_i represents the clock drift between two synchronizations, i.e., over N periods.
Also note that n the model the drft S at one synchronzaton pont s used for the perod adjustment at the next synchronzaton pont. Ths s because n the actual mplementaton, the value of C 0 n the calculaton of S recorded by node 0 at one synchronzaton pont can only be transmtted to node n the next synchronzaton frame. Once we have the component LHA models for each tas and each node, we can compose them together to obtan the LHA model for the whole system, and verfy the system LHA model for the reachablty of the Message loss locatons. If a message loss locaton s reachable then t means that a message loss could happen n the system. 3.2. Tas Actvaton Synchronzaton After the synchronzaton frequency s determned, we need to perform the tas actvaton synchronzaton. The actual synchronzaton process s clear from the synchronzaton models for the master and slave nodes n Secton 3.1. The detaled algorthm s provded below. Gven a tas chan of (t 0 t 1 t n ) wth a common perod of T tme unts, where each tas t s allocated to a dfferent ECU node and has a release phase of R, and each node has a cloc drft rate E; suppose node 0 s the master node and all other nodes are slave nodes; let 1/N be the dentfed synchronzaton frequency, then we have the followng algorthm for the tas actvaton synchronzaton. Algorthm 2: Tas Actvaton Synchronzaton The master node 0 sends out a synchronzaton frame every N perods,.e., every N T tme unts. The synchronzaton frame contans the followng nformaton: (, V 0 ), where =0, 1,,K 1 (K s a predefned nteger) s the sequence number of the frame, V 0 s the value of tme that has passed snce the last actvaton of tas t 0 untl the tme pont that the frame 1 s successfully transmtted by the master node 0. In other words, upon successful transmsson of frame,the master records the tme that has passed snce the last actvaton of tas t 0 as the tme value for frame +1. For the ntal frame, =0and V 0 = 1. 
Upon receiving a synchronization frame with sequence number i and time value V_0, each slave node i does the following:

1) Record the time C_i that has passed since the last activation of task t_i, and save the sequence number and C_i as Seq_new = i and V_new = C_i. If the frame received is the initial frame (i.e., V_0 = −1), then go to Step 6; otherwise go to the next step.

2) Check whether Seq_old = i − 1. If the answer is no, then something is wrong and the activation synchronization will not be performed in this round; go to Step 6 directly. Otherwise go to the next step. Initially, Seq_old = 0 for every slave node.

3) Calculate the activation time drift of task t_i with respect to task t_0 as S_i = (R_i − R_0) − (V_0 − V_old), where R_i and R_0 are the release phases of t_i and t_0 respectively, V_0 is the time value in the frame just received, and V_old is the time value recorded by the slave upon receiving frame i−1. Initially, V_old = 0 for every slave node.

4) Check whether |S_i| ≤ B, where B = 2·E·N·T + δ is the drift bound between the master and slave nodes between two synchronizations, E is the clock drift rate, N·T is the time interval between two synchronizations, and δ is the implementation error, with δ ≤ 20 microseconds in general. If the answer is no, then something is wrong and the activation synchronization will not be performed in this round; go to Step 6 directly. Otherwise go to the next step.

5) Adjust the period of task t_i as T_i = T + S_i/N, and task t_i is activated according to the new period T_i. Initially, T_i = T for every slave node.

6) Let Seq_old = Seq_new and V_old = V_new.

3.3. Synchronization Through Gateways

Sometimes the given task chain is allocated to systems connected by multiple CAN buses, and these CAN buses are connected through gateways. In such cases, the task activation synchronization shall be performed for every individual CAN bus, because one synchronization frame cannot be received simultaneously by ECU nodes on different CAN buses connected by gateways. To illustrate how to perform task activation synchronization across multiple CAN buses, suppose we have a task chain (t_0^1 → t_1^1 → ... → t_k^(1,2) → t_{k+1}^2 → ... → t_n^2) and two CAN buses, where the set of tasks {t_0^1, t_1^1, ..., t_k^(1,2)} is allocated to one CAN bus (called the first CAN bus) and the set of tasks {t_k^(1,2), t_{k+1}^2, ..., t_n^2} is allocated to the other CAN bus (called the second CAN bus); note that the task t_k^(1,2) is allocated to the gateway node, so it is on both CAN buses. For the above task chain, the task activation synchronization shall be performed for each individual CAN bus. More precisely, for synchronization on the first CAN bus, node 0 is the master node and all the other nodes {node 1, ..., node k} are slave nodes, and Algorithm 2 is performed accordingly on the first CAN bus; for synchronization on the second CAN bus, the gateway node k is the master node and all the other nodes {node k+1, ..., node n} are slave nodes, and Algorithm 2 is performed accordingly on the second CAN bus. Note that in the above, the task activations on nodes {node k+1, ..., node n} are synchronized to the task activation on the gateway node, which itself is synchronized to the master node 0 on the first CAN bus.
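As an added example (not code from the paper), the slave side of Algorithm 2 written out in Python, followed by a small simulation of a slave whose clock runs faster than the master's. The names SyncFrame, SlaveSync and simulate_slave, the parameter values, and the assumptions that the master's clock is the reference, that each frame is transmitted a fixed time phi after an activation of t_0, and that transmission delay is zero are all mine. Steps 2 and 4 are the part worth watching from a robustness standpoint: a frame whose sequence number does not follow Seq_old, or whose time value implies a drift beyond B, is recorded in Step 6 but never changes the period, so a lost, duplicated or corrupted frame cannot push T_i outside the bound; the returned outcome is what a node would log for such frames. On a gateway node the same SlaveSync state serves its slave role on the first bus while it acts as master on the second, which is how the chaining of the two buses described above is realized.

```python
"""Slave side of Algorithm 2 (task activation synchronization) plus a small
drift simulation. Example code written for this page, not the paper's own
implementation; all names and parameter values are assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class SyncFrame:
    """Frame (i, V_0) broadcast by the master every N periods. v0 is the time
    since the last activation of t_0 at the moment frame i-1 was transmitted;
    the initial frame carries v0 = -1, as in the text."""
    seq: int
    v0: float


@dataclass
class SlaveSync:
    """Per-task state of a slave node running steps 1-6 of Algorithm 2."""
    T: float              # common period of the task chain
    N: int                # synchronization frequency 1/N: one frame per N periods
    R_0: float            # release phase of the master task t_0
    R_i: float            # release phase of this node's task t_i
    E: float              # clock drift rate bound
    delta: float = 0.02   # implementation error (time units are ms here, so 20 us)
    seq_old: int = 0      # initially 0
    v_old: float = 0.0    # initially 0
    last_drift: float = 0.0
    T_i: float = field(init=False, default=0.0)   # adjusted period, initially T

    def __post_init__(self) -> None:
        self.T_i = self.T

    @property
    def bound(self) -> float:
        """B = 2*E*N*T + delta, the largest plausible drift between two syncs."""
        return 2 * self.E * self.N * self.T + self.delta

    def on_frame(self, frame: SyncFrame, c_i: float) -> str:
        """Process one received frame. c_i is the slave's own reading of the
        time since the last activation of t_i at reception. The return value
        names what happened, which is what a node would log."""
        seq_new, v_new = frame.seq, c_i                           # step 1
        outcome = "init"
        if frame.v0 != -1:
            if self.seq_old != frame.seq - 1:                     # step 2
                outcome = "sequence_error"   # missing/duplicated frame: no adjustment
            else:
                s_i = (self.R_i - self.R_0) - (frame.v0 - self.v_old)   # step 3
                self.last_drift = s_i
                if abs(s_i) > self.bound:                         # step 4
                    outcome = "drift_error"  # implausible value: no adjustment
                else:
                    self.T_i = self.T + s_i / self.N              # step 5
                    outcome = "adjusted"
        self.seq_old, self.v_old = seq_new, v_new                 # step 6
        return outcome


def simulate_slave(slave: SlaveSync, rate_error: float, phi: float,
                   frames: int, enabled: bool = True) -> List[Tuple[str, float]]:
    """Drive one slave whose clock runs at (1 + rate_error) times true time.
    Assumptions: the master clock is true time, frame i is transmitted phi
    time units after the activation of t_0 that opens period i*N, and the
    frame reaches the slave with no delay. Returns (outcome, offset) per
    frame, where offset is how far the slave's reading c_i is from the value
    a perfectly aligned slave would read. enabled=False receives the frames
    but never applies them, to show the uncorrected drift."""
    next_act = slave.R_i          # slave-clock time of the next activation of t_i
    last_act = next_act
    aligned_c = phi - (slave.R_i - slave.R_0)
    log: List[Tuple[str, float]] = []
    for i in range(frames):
        true_time = slave.R_0 + i * slave.N * slave.T + phi
        s = (1 + rate_error) * true_time          # slave clock at reception
        while next_act <= s:                      # activations of t_i up to now
            last_act = next_act
            next_act += slave.T_i                 # current (possibly adjusted) period
        c_i = s - last_act
        frame = SyncFrame(i, -1 if i == 0 else phi)
        outcome = slave.on_frame(frame, c_i) if enabled else "ignored"
        log.append((outcome, c_i - aligned_c))
    return log


if __name__ == "__main__":
    params = dict(T=10.0, N=4, R_0=0.0, R_i=1.0, E=0.001)
    for enabled in (True, False):
        slave = SlaveSync(**params)
        print("synchronized" if enabled else "free-running", "bound =", slave.bound)
        for i, (outcome, off) in enumerate(simulate_slave(slave, 0.0005, 5.0, 8, enabled)):
            print(f"  frame {i}: {outcome:15s} offset={off:+.4f} T_i={slave.T_i:.6f}")
```

Time units in the simulation are milliseconds, so delta = 0.02 is the 20 microsecond implementation error, and with E = 0.001, N = 4 and T = 10 the bound is B = 0.1 ms. The simulated slave clock runs 0.05% fast and gains 0.02 ms per synchronization interval: with synchronization the observed activation offset stays within B for the whole run (it oscillates rather than settling, because each adjustment reacts to the drift measured one frame earlier, as noted after Section 3.1), while the free-running slave crosses B at the sixth frame.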
In other words, the nodes {node k+1, ..., node n} on the second CAN bus are synchronized to the master node 0 on the first CAN bus indirectly. Also note that in order to derive the correct synchronization frequency, we shall capture the above synchronization across multiple CAN buses in the system model. Since the model for the above synchronization across multiple CAN buses is a simple extension of the one in Section 3.1, it is omitted here.

4. Conclusions

The combination of finite buffer size, transmission jitter, and clock drifts could cause the loss of a sequence of messages in CAN systems. To prevent the above message loss, instead of performing a high overhead clock synchronization in the CAN system, in this paper we developed a low overhead approach based on task activation synchronization, which is performed only when necessary. Further experiments will be carried out for the evaluation of the approach.