The article proposes a methodical approach to designing secure adaptive embedded systems which is based on their ability to restore their proper functionality by way of reconfiguring hardware components, this process being based on the results of self-control. This approach includes two stages. The first stage involves the initial allocation of tasks to a system's hierarchy levels and nodes followed by their reallocation caused by the system failure in the wake of adverse exposure. The second stage sees the reconfiguration of the system implemented to restore its proper functionality by reprogramming.
controlled by them [1].
Embedded Systems are specialised microprocessor-based systems whose development concept is based on their interaction with a controlled object and which are immediately built into the device
At present embedded systems are widely used in various fields of activity such as mechanical
2022 Copyright for this paper by its authors. may draw a conclusion that the development of modern embedded systems is a process of designing proper components and using standard digital components of intellectual property that serve not only as circuit design description, but are in effect full form documents for functional and parametric modelling, verification and production with modern technologies being used [4].
At present the questions relating to the designing of dedicated microprocessor systems receives a lot of scientific attention. So, paper [5] examines the issue of improving the performance of microprocessors used in access control systems. The paper outlines the requirements and proposes a set of commands required for quality microprocessor designs based on residue number systems and used for access control. Paper [6] provides a review of facilities for designing embedded microprocessor systems relying on programmable logic devices and examines software debugging tools for microprocessor systems based on such core families as Pico Blaze, Micro Blaze and Power PC. Paper [7] reviews the issues of regularising embedded microprocessor systems as well as the synthesis of hardware componentof embedded systems by means of variable logic with the program-controlled automaton model being used. The paper [8] examines the need to ensure prompt (crisis) response to cyber incidents within a limited time frame and determines the improvement of the information decision-making model.
However, the analysis carried out shows that as of today, the issues relating to health assessment of embedded systems have not been dealt with exhaustingly as regards their proper functionality in the event of adverse exposure (e.g. one producing ionising and electromagnetic effects, cyber-attacks by hardware and software Trojan horses, network worms, DDoS attacks etc.), the same applying to issues of automatic online restore of the system in question which is based on self-checking results.
Considering the above, the purpose of this article is to develop a methodological approach to designing adaptive embedded systems which are able to work when adversely exposed and which are based on integral circuits with soft structures.
Adaptation is understood as a change of parameters and structure of the system and, possibly, of management action based on processing data which is implemented with the purpose of achieving a certain optimal system status with initial uncertainty under changing working conditions [9].
The use of the adaptivity principles allows: the designing of the system in compliance with the requirement as to its quality when the initial (a priori) information about controlled objects and exposure is limited;
correspondence of control quality to the specified requirements when the system in the controlled object is working and receiving exposure, this being done via rational adaptation of the system to changing conditions [10].
Figure 1 shows the generalised structure of the adaptive system, which can be represented as a two-level construction.
Adaptive device Control device exposure Controlled
object inlet outlet
The lower level represents the master control system made up of the control object and control device. The upper level is the combination of devices used to modify the properties of the master control systemas required by the stated adaptation aims. The adaptation device that constitutes the upper level of the construction and receives data about exposure, system statusand monitoring signalsfrom the control object's inlet. On analysing this data, it establishes how much the quality criterionfor the basic system corresponds to the requirements applicable toit. If the quality criterion for these requirements is not met, the adaptation device generates commands that change the structure and parameters or only parameters of the device in such a way that the quality criterion is harmonised with the existing requirements.
If one examines the adaptation of embedded systems to adverse exposure, one can see that is directly associated with such a property of complex systems as survivability. The property that is activated (by a properly organised structure and via its operation) to withstand adverse exposure and implement its functions in specified exposure conditionsis referred to as the system survivability [11]. Owing to this property, the failure of any subsystem or section of the system results in its reduced performance rather than the failure of the whole system. When evaluating the survivability of hierarchy structures, we assume the existence of a certain degree of functional, structural and information redundancy. According to [12], the maintenance and enhancement of survivability of complex hierarchic technical systems is provided by advanced mechanisms for recognition, counteraction and restore, as well as by special means of adaptation, reconstruction, reconfiguration and reorganisation.
Papers [4, 13] propose the use of crash-proof programmable microprocessor systems as hardware components, which belong to the class of reconfiguration devices and are able to employ system-onchip technologies. Apart from that, paper [14] proposes the use of the service processor for diagnosing and automatic restorationof microprocessor systems. Here the main function of the service processor is to diagnose a microprocessor system and make decisions based on troubleshooting informationfor the reconfiguration of the system via reprogramming integrated-circuit logic, this beingcarried out to restore proper functionality. Thus, the service processor combined with the embedded system effectively serves as a closed cycle of the adaptive microprocessor.
It is to be noted that the latest time has seen the arrival of a new type of control systems, namely distributed microprocessor-based control systems. In numerous cases, the architecture of these systems does have a central processing unit as all control functions are implemented on-device by local control cells based on microprocessors (often built into core process equipment). Frequently, in structural terms distributed (spatially) microprocessor-based control systems are hierarchic control systems. Notably, the upper-level control functions can be implemented both by a personal computer and microprocessor.
In designing such systems, a major task is to synthesise the structure which defines the internal organisation of and relatively stable dependency between the elements of the system. When solving this problem, we will use the fundamental principles of the decomposition-aggregation approach [15]. According to this approach, the synthesis of the distributed microprocessor-based control system is understood as a successive solution to problems relating to the synthesis of the main elements and parts of the system which includes: determining the number of a system's hierarchy levels and nodes; task allocation (reallocation) to a system's hierarchy levels and nodes; a choice of computing systems capable of reconfiguring the underlying hardware structure.
An embedded system is a microprocessor-based control system whose elements are spatially distributed between separate components of the complex controlled technological process. For this reason, the organisational design of the system is to be created in conformity with the principle of compatibility between its design and the organisational structure of the controlled technological process. In other words, based on the necessity of some or other equipment having a microprocessor system, one needs to build the map : N M N1 M1 , where N , M is the number of hierarchy levels of the design of controlling elements and the number of these elements whereas N1, M1 is the number of hierarchy levels and nodes of the embedded system.
Task allocation (reallocation) to a system's hierarchy levels and nodes consists of the following subtasks: ones involving initial allocation and ones involving reallocation in the wake of adverse exposure.
Task allocation to a system's hierarchy levels and nodes is a typical task for designing complex technical systems. To minimise the time spent on the exchange of information between the system levels, the standard practice is to allocate to each level the tasks that have maximum interdependency when the system is at work [16].
Now we will pose an allocation problem. Let there be given a set of problems F fi , 1, n of the embedded system which has m levels. Any of tasks fi F F can be performed only on one level, with F being a set of tasks that have already been allocated.
We will introduce the allocation parameter xik :
1, iftask i - th task is implemente d at the k - th level, k 1, m, xik 0, alternatively .
n The fulfilment of condition xik 1, k 1, m, i 1, n is mandatory, this meaning that every i1 task can be allocated only to one level.
Then we will use aij to represent the algorithmic connection of task i -th with task j -th (relative frequency of the executing task f i on completing task f j ), Bi is the memory space necessary for executing task i , B (k) is the available memory space of the computing tools at level k .
With the designations given above, task allocation can be represented as the linear integer programming problem coming below: to find with constraints
m n min aij xij ,
k 1 i 1 n n Bi xik B(k) , k 1, m, xik 1, xik 0,1.
i 1 i 1
The problem solution will be a cluster of vectors x1 (x11, ..., xi1, ..., xn1) ; x2 (x12 , ..., xn2 ) ; …;
xm (x1m , ..., xnm ) ; with the corresponding ones xik 0,1, which ensure the implementation of (
This problem can be interpreted as that of partition of the apex-directed weighted graph
G Y , V , where the memory space occupied by task i -th Bi is placed in correspondence with
apexes Y and the algorithmic connection of task i -th with j -th aij is made congruent with the set of
circular-arc graphs V . The solution to the problem lies in partitioning graph G into k m of sub
m m
graph Gk that meet conditions Y Yk ; Yk and the requirements of the minimum
k 1 k 1
objective function (
The application of one or another method to solving this problem largely depends on the number
of apexes of the graph. The graph dimension is conventionally defined as small ( n 6 number of
apexes); middle ( 6 n 30 ) and high ( n 30 ) [17]. As for small-dimension graphs, it is expedient
that exhaustive algorithms are applied to them. The branch-and-bounds method works best with
middle-dimension graphs. As regards higher-dimension graphs, these methods if applied to them take
much time. On account of this, the methods that are most used for partitioning middle-dimensionand,
all the more, higher-dimension graphs (this corresponding to embedded system graphs) are heuristic
algorithms proposed in [18].
(
The second subtask is the reallocation of tasks a system's hierarchy levels and nodes in the wake of their failure. As of today, there are two approaches applied to organising task reallocation in a system in the event of node failures. The first approach, a static one, assumes that a subset S s of system states for which task reallocation is necessary is known and it is required to find a set Г G of task allocations where each allocation G , which corresponds to state s , satisfies the requirements for the chosen indicators. In this case, the optimal allocations G for all states s S are available when designing the system, and each node when building the system is provided with resources necessary to perform tasks both in state s0 and in each of states s S as pursuant to allocation G . When the system is changed to state s S and a failure is detected in all the operable nodes of the system, the tasks corresponding to allocation G are getting started.
The second approach, which is referred to as a dynamic approach, is based on the fact that the task of finding the optimal allocation G for state s is performed each time (with the help of a special solver, i.e. service processor) when the system enters state s and its result may depend on the previous states of the system. In general, in both static and dynamic approaches, obtaining an optimal allocation may require task reallocation of both failed and operable nodes.
Let us consider a static approach to organising task reallocation, assuming that only failed nodes are reallocated when the system enters state s [19].
For each state s S , find the allocation G satisfying the conditions:
max ; C C addit , Ti Ti addit , i 1, ..., gv , where С is the consumption required for the transfer of tasks carried out by failed nodes to operable ones state s ; Ti is the average time for handling the declaration in node M i
C addit , Ti addit are permissible values of the specified indicators for state s . which is in state s ;
We shall designate task j which is to be executed at the initial allocation to node M i , as ji . Let the initial allocations G0 be assigned by matrix ji , j 1, ..., L , i 1, ..., n . Element ji is the weight of the task j , performed with the initial allocation given to node M i , defined as ji ji , where Fji sji is a set of production processes which requires task ji to be s sjiF ji s performed; sji is the weight of the production process ji , s 1, ..., h ji , h ji F ji . Let Df M l , Dr M i be sets of failed and operable nodes to be applied to state s ; Af is a set of all tasks performed node M l Df in state s0 .
Then the equation used to determine the system efficiency in state s , which is defined by the performance of the operable nodes in state ji Af , can be expressed as f jl Af
b jl il , where b jl 1, if task jl is otherwise performed by one of the operable nodes b jl 0 when being in state s . f
Let C( jl )i be the consumption required to implement the transfer of task jl ( jl A ) to some node M i , where M i Dr and values C( jl )i , are independent of l and allocated by matrix C ji .
Then the consumption required to implement the transfer of a fixed task jl to any of the operable nodes in state s is
C ( jl)
MiDr d ijlC( jl)i , where d ijl 1, if task jl is otherwise transferred to node M i , d ijl 0 .
In the event of failure of node M l , its task jl can either be discarded, i.e. not transferred to any of the operable nodes, or assigned to only one of the nodes of set Dr . In the former case d ijl 0 for all M i Dr and b jl 0 , in the second case only one of the values d ijl 1 and hence b jl 1.
Therefore,
g b jl d ijl ,
i 1 where d ijl 0, 1 and b jl 0, 1 are valid. as
The total consumption required to implement the reallocation of all tasks jl Af , is expressed C
jl Af
C( jl )
d ijl C( jl )i .
jl Af M i Dr
expression which is in state s is determined by the Ti Ti0
d ijl T( jl )i jl Af where T( jl )i is the increment of the average time for handling declaration in the operable node M i f with a task jl being transferred to it, where jl A ; values T( jl )i being independent of l are assigned by matrix T jl .
Thus, finding the optimal allocation of tasks C in the system for a fixed state s boils down to solving an integer linear programming problem, which consists in finding a set of values of variables d ijl , where d ijl 0, 1 , at which the maximum value of the functions is achieved
g f d ijl jl
i1 jlAf with the following constraints:
g C d ijl C( jl )i C addit ;
i 1 jl Af Ti Tio d ijl T( jl )i Tiaddit , i 1, 2, ..., g
jl Af .
This problem can be solved by any of the known methods of integer linear programming.
Once the set Г G of optimal task allocation for the assigned subset S s of system states is found, the set of tasks to be performed in state s0 and in all states s S is to be found for each node of the system. Also, it is necessary to compute the total consumption required for implementing the resulting allocation set Г G, as well as the average time for handling a declaration in each node and the system performance for each state of the assigned set S s .
We shall describe the optimal allocation of tasks determined for each state s S ( 1, ..., r) by using matrix
A jl , whose lines correspond to tasks j ( j 1, ..., L) , and columns to nodes M i (i 1, ..., n) , A ji represents some subsets of tasks determined below. As regards the columns corresponding to operable nodes M i in state s , Aji jl jl i , where ji is the task performed in M i in state s0 , here jl i is the set jl transferred to M i in state s .
As for the columns corresponding to failures M i , Aji Ø, let us construct for them the resulting r matrix Aji , where Aji Aji .
1
The matrix Aji defines for each node M i , (i 1, ..., n) a set of tasks for whose completion it has to have the necessary resources in order that each of the corresponding system states might achieve the maximum value of its efficiency with the constraints imposed on the node performance and additional consumption. This matrix can be used to calculate the above-mentioned system performance.
Thus, the application of the proposed approaches towards reallocating tasks to a system's hierarchy levels and nodes allows both the embedded system and the whole system of controlling compound elementsand complex processes to remain functional when a failure stems from adverse exposure.
The choice of computing systems is meant to single out from the options for organising computing systems those which hold the most potential for the future and are capable of reconfiguring the underlying structure in the wake of adverse exposure. It is to be noted that the issue of choosing a computing system occurs is to be solved at the beginning stage of designing. This means that it is solved before the development of functional subsystems of the system for controlling compound elements and complex technological processes has been completed. Therefore some requirements posed to the system intrinsically lack clarity and lucidity. Fuzzy input calls for adequate decisionmaking methods based on imprecise expert evaluation as regards the tasks relating to input data and result presentation.
Now let us introduce the composite linguistic variable computing system and narrow down the task of choosing a computing system to determining the compliance (of the meaning) of this variable with technical requirements posed to it [20]. The constraints imposed by the technical requirements represent clear or unclear relationshipsassigned by a universal set of values of the composite linguistic variable computing system. This set consists of the values making up the linguistic variable, each of them corresponding to a particular hardware-software module.
The statement computing system must have a high-performance processor is to be interpreted in the following way. The name computing system is regarded as a name of the composite linguistic variable whose components are linguistic variables such as processor, random-access memory, external storageand others. The statement in question assigns the value high-performance processor to the linguistic variable processor.
The value high-performance processor is to be interpreted as a name of some fuzzy constraintimposed on the basic variableprocessor, with the meaning of this constraint being defined by its membership function. For example, as pursuant to the value meaning, the linguistic value highperformance processor leaves only four processors as to generating computing system variants: Intel Core i5-12600K, Intel Core i9-12900K, AMD Ryzen 5 5600X и AMD Ryzen 9 5900X. In the same way, one can evaluate other linguistic variables. Now we shall give a formal description of the approach in question.
Suppose the linguistic variable value computing system is assigned through a tuple of the constituent terms X i , each of them naming a particular functional characteristic of the computing system. The values of the corresponding terms X i (i 1, m) of the linguistic variable are taken from the corresponding subsets T i of the term set of the linguistic variable, whose elements are assigned by way of enumerating all values accepted by the given characteristic of the computing system. With the concept of the linguistic variable employed, requirements are to be interpreted as an equation for allocating the linguistic variable computing system of some linguistic value from an allocated term set. In this case, the linguistic variable computing system is assigned a value which is the constituent term t representing the tuple of the constituent terms: computing system t , where t X1, X 2 , ..., X m , t T . withthe membership function vt (v1t , v2t , ..., vnt ) allocated to the universal set U The meaning of the concrete value t of the linguistic variable computing system is the fuzzy set U t which includes all accessible computing systems. The value vit indicates the computing system's compliance j -tn with a set of characteristics formulated by term t . The semantical rule for determining the meaning of each value of the linguistic variable is to be represented as follows:
m
jt ijti , j 1, n, i 1, m, t T , (
i1 where i is the importance factor i -tn of the functional characteristic; ijt is the compliance of the computing system j -tn with the functional characteristic i -tn (the degree of its implementation, with 0 ijt 1). Values i и ijt are to be given expert evaluation as regards each functional
The process of choosing a computing system algorithm (Fig. 2). characteristic and each computing system in question by way of averaging evaluations given by each expert group.
In this case, (
i can be represented by the following
STEP 1 Formulation of requirements for the embedded system
STEP 2 Formulation of requirements for the computing system
STEP 3 Development of computing system variants meeting
system requirements
Any equal computer
based systems? ye s
STEP 4
Choice of the rational computing system variant no
Finish
Steps 1 and 2, which represent the algorithm for choosing a computing system, map the designing of a set of requirements for an embedded system formulated in the technical requirements for developing this system for the set of valid values of the computing system's output characteristics. The mapping of requirements for an embedded system for the set of valid values of the computing system's output characteristics is implemented via the tasks assigned to the system and represents the main goal as to the development of embedded systems: enhancing the survivability of the system for controlling compound elements and technological processes. These are system requirements posed to a computing system which include requirements for productivity, reliability, adjustability, costs, proper functionality etc.
As for Step 3, it is about determining the importance factor i , compliance ijt , priority vector
vt and choosing a rational computing system as pursuant to (
If vector vt has one maximum value, a corresponding computing system will be one that meets the assigned requirements in the best way. Otherwise, when taking Step 4, of all computing systems that have the highest values vit , with local characteristics of functional subsystems taken account of, one is to choose a rational computing system by way of using a group method for handling the superiority of alternatives [21, 22].
As of today, computing systems that have the properties for changing algorithms of control instructions and architectures include microcontrollers (PIC, AVR, MSP430, STM32, Cortex-M, TSP32 and others), programmable logic devices (CPLD, FPGA) and single-board computers Raspberry Pi. A distinctive feature of the computing systems in question is that microcontrollers and single-board computers do not allow the change of internal links between primitive elements in contrast to programmable logic devices where programming provides a basis for administering links between logical elements in order that a necessary architecture may be obtained. As well as that, microcontrollers and Raspberry Pi computers are not able to process data externally because of fixedblock architectures and fixed instruction set.
Thus, it can be concluded that programmable logic devices are computing systems that hold the most potential for the future and can reconfigure the underlying structure of the embedded system hardware components via programming.
As is mentioned above, that programmable logic devices are computing systems that hold the most potential for the future and can reconfigure the underlying structure of the embedded system via changing internal links between its logical elements. However, it is to be taken into account that reconfiguration of the system structure requires substantial redundancy as each logical element or IP software module (intellectual property) in programmable logic devices (hereinafter referred to as the module) is to ensure the implementation of any function with the corresponding system signal being supplied [23]. Therefore, when implementing one function i , each module is to have j -fold redundancy ( j is the number of modules implementing a particular function. Figure 3 features structure redundancy of the device having j -fold redundancy. As a result, a small part of the general module structure is employed. This redundancy is not always acceptable. It more expedient to employ the primary module structure which is capable of keying out its certain segments in the event of their failure.
x 1
Figure 4 features a flowgraph of the non-redundant device with non-uniform modules. If a module containing nodes А1 Aj implements function y, it will implement the disturbed function y in the event of failure. In this case there arises a task of restoring the assigned function y. This task can be fulfilled by way of replacing device A j with a backup device, which in fact is parallel reservation. ... ... ...
... ...
Ai Aj ...
Ai Aj x y y recurs, it renders the whole module inoperative. To repair a recurring failure, it is necessary to provide n -fold module reservation.
Now let us define the problem in the following way: the keying out of any faulty node can be compensated without intervening in the underlying module structure (in devices with inaccessible structures). One of the options for solving this problem is to finda redundant structure Bi which restores the functional characteristics of module A when connected to the inlet of module A (with the faulty node A j switched off) (Fig. 6).
Now we shall consider module A which is made up of a set of discrete components ai . The module implements the function Yn1 0 ( X n , Yn ) ,
(
B1 ...
It is necessary to synthesise some system S A which implements function 0 ( X n , Yn ) in the event of failure of any subsystem
The extraction of any subsystem of matrix М А results in the formation of the error-correcting matrix М А0 j , A0 j ( A0 \ Ai ) , which generates a set of new functions М 0 j ( X n , Yn ).
In order to restore the functional characteristics of the system (implementation of function Y), it is necessary to create the restorative matrix М B j . In this case, each subsystem B j of matrix М B j is to be connected to the inlet of subsystem error-correctingmatrix М 0 j ( X n , Yn ). Normally, all Bi have the structural intersection i Bi B1B2 ... B j , whose functional characteristics are shared by all B1, B2 ..., B j or by most of them. As well as that, there may be some structures that do not contain intersections. In this case, for every failure and switch-off system the redundant structure Bi is created by way of connecting corresponding input X and output Z signals of this module on the basis of the generic unit Bi (Fig. 7). i ...
...
Ai
Aj
The essence of the synthesis of system A0 which is considered lies in defining rule for describing subsystem B j of matrix М B j .when extracting any subsystem A j of matrix М А .
Thus, rule is to induce the restorative subsystems B j on A0 j :
B j A0 j , (
М B j M Aj. (
Now let us consider the problem for formalizing the induction rule . Subsystem A0 j of the
error-correcting matrix М А0 j forms a segment of system А0 and is described by function (
A0 B j j Aojin ratio j . (
Ratio j is assigned by the connector for systems A0 j и B j or by the relation of equivalence between the output subset Z X oj of subsystem B j and subset X oj of subsystem A0 j . The connector assigns the functional relationship between indices i and outlets of subsystem B j with indices k for outlets of subsystem A0 j :
i j (, , k) , (9) where is a parameter characterising the number of inlets A0 j employed by subsystem B j ; is a parameter assigning the relationship between inlets and outlets according to .
As stated above, the outlet Z B j X n of the restorative subsystem B j implements the function Z f j ( X n , Yn ) .
In order to determine B j or f j according to (
0 j ( X , Y , Z ) 0 ( X n , Yn ) ,
which functionally reflects the right part of ratio (
Then the equation
0 j (, X , Y , Z ) 0 ( X n , Yn ) will determine Z , i.e. it will describe the subsystem (10)
Thus, by means ratio (11) function assigns the rule for inducing the restorative subsystems B j for all j J .
Hereinafter the paper propose that that the suggested approach to designing embedded adaptive systems should be implemented with CAD software produced by Intel PSG (Altera) for designing the SOPC (System-On-a-Programmable-Chip) on the basis of programmable logic devices and NIOS II processor core [24, 25]. This core contains enclosing packages Quartus II (PLD), SOPC Builder (a configurable processor core), NIOS II IDE (software) and other extensions (DSP Builder, C-toHardware Compiler and others).The equivalent powerful instrumental complexes are produced by such companies as Xilinx, Cypress (PSoC Designer), Actel (Smart Design) and some others.
To sum up what is stated above, we may say that unlike multiple reservationof system elements, the proposed reconfiguration of the embedded system not only allows the compensation of recurring failures and fault conditions, but also provides the necessary levels of survivability as regards the system for controlling compound objects and complex processes.
The article proposes a methodical approach to designing secure adaptive embedded systems based on the ability of the microprocessor-based system to restore the system's proper functionality affected by adverse exposure by implementing automatic reconfiguration of the underlying structure, the procedure being based on self-checking results. What underlies this approach is the completion of systematically-related tasks of synthesising key elements and parts of distributed microprocessor control systems, which includes the determination of the number of a system's hierarchy levels and nodes, allocation (reallocation) of tasks to a system's hierarchy levels and nodes, as well as the choice of computing systems capable of reconfiguring underlying structures of hardware components. All this makes it possible to enhance survivability of the embedded system affected by adverse exposure, as well as the survivability of the whole system for controlling compound elements and technological processes.