iCC 2005 CAN in Automation

Thread prioritization for an embedded CANopen master stack with web interface

D. M. Armenis and J. S. Smith Department of Electrical Engineering and Electronics The University Of Liverpool

As Tele-robotics continuously receives industrial attention, an embedded CANopen Master Stack, accessible via the Internet, is proposed. A configurable real-time operating system permits multi-threaded development whilst PLD technology ensures system evolution. The impact thread prioritization has on system performance is investigated, whilst initial design considerations are also presented.

Introduction priority interrupt is used as a pulse generator. It is responsible for distributing Multi-threaded, real-time, control a pulse, with fixed width, to the stepper processes introduce synchronization motors commanding them to advance. and timing issues, unknown to many The lower priority interrupt is used to embedded applications [1,2]. The scope of transmit the EMCY PDO during an the presented work is both to identify the emergency. In the Encoder Node, the last reasons for prioritizing control over safety slave node in the system, the higher threads and to determine their minimum priority interrupt is used as the SYNCH request period during normal operation of producer for the network. The lower an embedded CANopen Stack with Web priority interrupt is used for the EMCY Interface. The results of this study provide event as in the Drive Nodes. As a result, a clear indication of the schedulability of both time depended protocols and CAN the proposed system. The determinism of bus receivers are left unsupported. While the stack can also be improved, a required the CAN bus registers can be monitored property for bridging real-time Ethernet [3] by a polling procedure, the mandatory with CAN. Initially, the Stack was Error Control Services can only be composed of two transceiver threads, realised by the CANopen Master under the three communication threads and two Node Guarding Protocol. As expected, the databases implemented in eCos [4,5]. Node Guarding event can be attained Three monitoring threads, for guarding the by a timed, interrupt-based operation. functionality of the two required Motor Nevertheless, the delay introduced by the CANopen (Drive) Slave Nodes and the pooling procedure, at the slave nodes, will optional CANopen Encoder Slave Node manifest certain jitter effects during control [6,7,8], were added to the second version. directives, which deem this approach In its current version three control threads inappropriate for the proposed system. and two user interface threads, were Consequently, the Node Guarding added as shown in figure 1. The Protocol was accommodated in the stack, developed system has been applied to an implemented under the one-thread-per- Unmanned Underwater Vehicle (UUV) [9]. slave philosophy, with a lower priority than the control threads. Explicitly in this case, Timing Issues the designer is facing periodic, hard, real time schedulability issues as a Extension of the system to accommodate consequence of delays introduced by the more slave devices, raise some very control threads duration throughout normal interesting synchronization questions. manoeuvring. It is therefore vital to identify Suppose that a network is composed of the relationship between the Guard Slave slave nodes incapable of serving more Thread Priority (GSTP) and Life Time than two interrupts levels (e.g. slave nodes Value (LTV) [8] in an attempted to based on PIC18F453 devices). In the two decouple the system control effort from the mandatory slave (Drive) nodes, the higher Node Guarding Protocol.

10-16 iCC 2005 CAN in Automation

Communication Controls Web Page Web Page

Start Stop Reverse Direction Thread Distance Thread Thread SDO commands PDO Commands

SDO read MASTER OD Read/Write Slave OD SDO Serving PDO producer Thread Serving Thread

MASTER OBJECT SDO write to MASTER OD DICTIONARY PDO variables access [1:2] SDO Slave acknowledgment PDO attributes access [1:1]

Guard Slave n PDO static LIST

Guard Slave 2 CAN Receive PDO consumer Serving Thread Guard Slave 1 Thread Translate RPDO

Send PDO CAN Send Thread 1

CANopen Slave CANopen Slave

CAN bus

CANopen Slave CANopen Slave

Figure 1: Run-Time Threads

Leung [10] states that a decrease in the Transmit Requests to occur at random GSTP (priority) can be achieved by intervals during the Node Life Time. This increasing the LTV (deadline) under optimizes the Node Guarding time to the the notion of the deadline monotonic best functional time interval. In the scheduling scheme. As such, a following sections, two guarantees are considerable increase in the Node proposed that ensures at least one Guarding Time (period) would have been Remote Transmit Request before the able to accommodate the maximum Node Life Time expires. Both approaches system delay. Then again, a defective try to minimize the LTV until the system node must be identified instantly, in an reaches the CPU’s maximum utilization attempt to contain the problem and ensure limit. the system’s graceful degradation, this is The remainder of the paper is organized in provided by a small Node Guarding the following manner. Synchronization period. In the current stage of the Techniques for the Node Guarding UUV development, where there is no Threads are identified in the next section. Deliberative Module, the user can send This is followed by the Priority low level commands to the robot on an Assignment Calculations section where irregular basis making the whole system the schedulability of the system is tested. sporadic. Assuming a fixed time interval The methodology for the proposed tests is where at least one command will be then presented. Subsequently, in the issued, the system becomes periodic. Discussion section, the worst case results Therefore the proposed work differentiates are considered. The paper concludes by slightly from the Node Guarding Protocol highlighting the importance of this work to by permitting the Node Guarding Remote the field of UUVs.

10-17 iCC 2005 CAN in Automation

Synchronization Techniques GSTP n Assuming one or more slave nodes, the developer might face the dilemma of LTV 1 GSTP 1 LTV n LTV organizing the Node Guarding Threads in one of four different ways as described in table 1.

Table 1: Synchronization Methods Figure 2: Sync method I Synchronization Same Same II. In this scenario the nodes all have the Methods GSTP for LTV for same LTV but a different GSTP. This all slaves all slaves min case is illustrated in figure 3. The I difference from method I is that all II _ threads must satisfy equation (3), to III _ ensure normal operation during a delay. IV _ _ min = + − ⋅ LTV D (2n 1) Cguard (3) I. In this method, the GSTP can be Although (3) makes the system decreased by increasing the LTV independent of the time the delay occurs, individually for each node. Neither the it introduces a uniform approach for the priority nor the LTV is the same for any LTV which might not be desirable in slave as shown in figure 2. Assuming some implementations. that the constant C guard, is the time necessary for a guard slave thread to be completed. If no higher priority thread is GSTP n active this is subject only to code length and the processor speed,. It is also the GSTP 1 same for all guard slave threads. Let n n LTV LTV 1 be the number of all mandatory Node Guarding Threads during the application. The minimum period for the highest T min = n ⋅ C priority thread is guard so that Figure 3: Sync method II there is enough time for every thread to be completed before the first thread is III. In the third method all the threads have overdue. Let D be an unexpected system the same priority. Again the minimum delay (i.e. a higher priority thread = ⋅ LTV is LTVmin n Cguard but many becomes active) such that threads do accommodate larger values C < D < T min guard . Then for every thread as shown in figure 4. In an event of a p with: system delay only the threads that have ⋅ > ⋅ + < ⋅ + will fail regardless n Cguard p Cguard D (1) LTV Cguard a D where p ∈[1..n] , the minimum LTV can of the time that the delay occurred. be equal to the minimum period Tmin. Alternatively, the minimum LTV is: min = + + − ⋅ LTVp D (n p 1) Cguard (2) This equation is subject to the time the LTV n LTV 1 LTV GSTP n delay occurred. As the delay approaches GSTP 1 the lowest priority threads, the minimum LTV increases for all the system except for those threads that satisfy relationship (1). Figure 4: Sync method III

10-18 iCC 2005 CAN in Automation

IV. In the last method, all the threads are will not be executed more than once sharing both the same priority and the during their deadline. same LTV as illustrated in figure 5. If the delay satisfies the relationship 3000 ⋅ < 2500 n Cguard D , all threads will fail but if ⋅ ≥ 2000 n Cguard D all threads will succeed. 1500

Time (ms) 1000

500 LTV n LTV

0 Thread 1 Thread

LTV 1 LTV 5 15 25 35 45 55 65 75 85 95 Degrees to turn

Figure 5: Sync method IV 5000 4000 Priority Assignment Calculations 3000 Timing trials of the control application 2000 Time (ms) determined the direction deadline on the 1000 UUV system. This is the maximum time of 0

processor usage from the higher priority 5 15 25 35 45 55 65 75 85 95 threads. It was found that 4350 ms was Degrees to turn necessary for the UUV robot to execute a turn of 45 degrees from rest. This is the Figure 6: Turn duration travelling at maximum permitted rotation angle for the full speed (top) and from rest (bottom) vehicle due to its dynamics constraints. The two graphs shown in figure 6 illustrate Methodology the introduced delays. The worst case scenario is covered under the assumption To obtain the necessary values for the that the CAN bus is inaccessible to the tests, a hardware timer, normally the one Guard Slaves Threads for the duration of used to drive the real-time clock, was the turn. In any other case the delay is used. Generally, this timer can be read reduced considerably but jitter effects may with a resolution typically in the range of a appear to the Drive Nodes. The timing of few _s. For each measurement, the the deadline is mainly related to the operation was repeated a number of acceleration and deceleration coefficients times. Time stamps were obtained at the of the motor drives. Figure 6 depicts the beginning and at the end of each thread calculated time duration for turning the and they were analyzed, generating vehicle with the current settings of the average (mean), maximum and minimum acceleration and deceleration coefficients. values. The sample variance (a measure There are two main characteristics in such of how close most samples are to the a system that must be accounted for in an mean) was also calculated. accurate schedulability analysis. 1. There are only two groups of threads According to [11,12] the schedulability of a running during normal operation, the system can be measured by simple control threads and the Guard Slave procedures, based upon the concept of Threads. They are not related and their critical instants [1]. Namely, they represent access to the CAN bus is buffered the times when all processes are released under a FIFO policy, therefore they are simultaneously. For a system, this is the asynchronous. time of the worst-case processor demand. 2. They are both sporadic in the sense If all threads can meet their deadlines at a that their execution interval is related to critical instant then the system is said to the user’s unpredictable input but they be schedulable. For the system to be

10-19 iCC 2005 CAN in Automation schedulable any of the following equations with its current priorities assignment. If must hold. more slaves are added to the system then for n Guard Slave Threads we have: I t0 C   guard + guard ≤ x = x ⋅ 1 (4) I guard   Cdir t0 t0 Tsys  = + where t0 Cdir Cguard = + + − ⋅ whereTsys (Cdir Cdistance (n 1) Cguard ) I t1 C guard + guard ≤ 1 (5) t t Combining the above equations with 1 1 equations (4) and (5), the schedulability of t = 0 + where t1 I guard Cguard the system is proved once more.

  Discussion x = x ⋅ With I guard   Cdir (6) Tdir  With reference to the aforementioned and x ∈[t ,t ] synchronization techniques, the 0 1 advantages of having the same priority and different life time values can be Where x is the space of critical instances, clarified. When the Guard Slave Threads the times when the threads are being have different priorities, the system is released. prone to the duration of the delay as well as to the time the delay occurred. On the Given that the Direction Thread must have other hand when the same priorities a higher priority than the Guard Slave are assumed the system performance Threads, if the later is not to interfere with depends solely on the duration of the the control procedure, the deadline of the interrupt. Direction thread must be less than the deadline of the Guard Slave Threads. The In real-time operating systems, such as following properties were therefore eCos [5], it is possible to calculate the assigned to the study: maximum delay of the system but it is impossible to determine the time of the For the Direction Thread: occurrence due to user unpredictability. Additionally, devices of different Direction Thread Computation Time functionality often have different (Cdir) = deadline (Ddir) < period(Tdir) requirements for their life circle, thus each Cdir = 4350ms, thread can be tailor-made to map the Cdistance= 50ms, requirements of the relative slave node. Tdir = (Cdir + Cdistance) Following the worst case delay of the UUV system and assuming full exploitation of By incrementing the period of the Direction the CAN bus with 127 slave nodes, the Thread beyond its deadline, by a time calculated LTVmin is given by: equal to the Distance Thread computation time, distance commands can be issued LTV = 14.47sec for n = 127 (7) between turns. min

For the Guard Slave Thread: In any case this is the theoretically maximum delay. If the acceleration and Guard Thread Computation Time declaration coefficients were increased then the LTV will be reduced due to the (Cguard) < deadline (LTV) = period quicker response from the slave. Similarly Cguard = 40ms if they were decreased, the improved idle Substituting the above values into time for the direction thread could result in equation (4) and (5) proves that the a lower bus load, therefore permitting the system satisfies the equality for one Guard Guard Slave Threads to run even sooner. Slave Thread, therefore it is schedulable

10-20 iCC 2005 CAN in Automation

Conclusion 8. CAN in Automation e.V., “CANopen- Application Layer and Communication The work presented was motivated by Profile”, CiA Draft Standard 301, research in the autonomous UUV field. In Version 4.01. such systems the early diagnosis of faulty 9. Evans J.C., Smith J.S., Martin P., and nodes can result in quick recovery Wong Y.S. “Beach And Near-Shore procedures thus avoiding damaging the Crawling UUV for Oceanographic vehicle or losing it into the sea. Several Measurements” IEEE Int. Conf. threads with different priorities are Oceans '99 Seattle, USA. pp 1300-6 common to this kind of embedded 10. Leung, J.Y.T., and J. Whitehead. application so precise timing is always a (1982). “On the Complexity of Fixed- concern. Consequently a customized Priority Scheduling of Periodic, Real- CANopen Mater Stack was developed and Time Tasks.” Perf. Eval. implemented by means of both PLD (Netherlands), 2, pp. 237-250. technology and a real-time, multi-threading 11. Audsley, N.C., Burns, A., Richardson, operating system. Industrial CANopen M.F., and Wellings, A.J., (1991) “Hard Master Stacks [13], can benefit from the RealTime Scheduling: The Deadline functionality introduced by this approach. Monotonic Approach.” In Proc. of the Among other developmental variations, Eighth Workshop on Real-Time the Node Guarding capabilities were Operating Systems and Software, realized as individual threads, sharing the pages 133--138, Atlanta, GA, USA. same priority but with distinctive tailor- 12. Audsley, N.C. (1990). “Deadline made Life Times as is dictated by the Monotonic Scheduling.” YCS 146, second synchronization paradigm. It is Dept. of Comp. Sci., Univ. of York. believed that in the near future similar 13. Etschberger K., Schlegel C. applications will appear in the emerging CANopen-based distributed intelligent field of Tele-embodiment [14,15]. automation systems, Proceeding of the 8th International CAN Conference, References Las Vegas, USA, 2002. 14. Goldberg K., Siegwart R., Beyond 1. Liu, J. and Lee, E. (2003): “Timed Webcams: An Introduction to Online multitasking for real-time embedded Robots, MIT Press, 2002. software”, IEEE Control Systems 15. Goldberg K., The Robot in the Magazine, 23:1. Garden: Telerobotics and 2. Wittenmark B., J. Nilsson and M. T Telepistemology in the Age of the rngren. (1995) “Timing Problems in Internet, MIT Press, 2000 Real-Time Control Systems”. Proc. Of the American Control Conference. Dimitris Armenis US. Department of Electrical Engineering and 3. Schneider S. Making Ethernet work Electronics. real-time. Sensors Magazine, 2000. The University of Liverpool 4. Dallaway, J., Garnett, N., Larmour, J., Brownlow Hill Lunn, A., Thomas, G., Veer, B., Liverpool, L69 3GJ, UK (2004), “RedBoot User's Guide”, Red Tel: 44 151 794 4602 Hat Inc. Fax: 44 151 794 4540 5. Garnett, N., Larmour, J., Lunn, A., E.Mail: [email protected] Thomas, G., Veer, B., (2003), “eCos Reference Manual”, Red Hat Inc. Jeremy S. Smith 6. CAN in Automation e.V., “CANopen- Department of Electrical Engineering and Device Profile for Encoders”, CiA Electronics. Draft Standard Proposal 406, Version The University of Liverpool 2.0. Brownlow Hill 7. CAN in Automation e.V., “CANopen- Liverpool, L69 3GJ, UK Device Profile for Drives and Motion Tel: 44 151 794 4514 Control”, CiA Draft Standard Proposal Fax: 44 151 794 4540 DSP-402, Version 1.1. E.Mail: [email protected]

10-21