In order to provide Quality of Service (QoS) 
INTRODUCTION
Real-time embedded systems have become pervasive: they can be found in systems ranging from safety-critical ones such as avionics to consumer electronics, mobile phones and washing machines [1]. Over 90% of embedded microcontrollers are used to control physical processes and devices [3]. Due to the large number of real-time constraints and requirements, embedded computing systems are becoming increasingly complex. Scheduling is the key lever in these computing systems for system performance and resource usage. The classical real-time scheduling algorithms used in embedded system design are Rate Monotonic (RM) and Earliest Deadline First (EDF). From the control perspective all these classical scheduling algorithms are open loop [10]. These algorithms are also designed on the assumption that the mapping of jobs/tasks is known a priori and that the worst case execution time (WCET) of jobs is known prior to execution. Due to the open and uncertain environments in which embedded systems are often deployed, the execution time of jobs can vary, so it is very difficult to accurately predict timing constraints such as the WCET of a job before execution. To cope with this uncertainty, feedback control theory is integrated with embedded computing systems [11] [12] [13] [14]. Some embedded systems, such as those in avionics or cars, have both safety-critical and non-safety-critical requirements. Faults in such systems can occur either in hardware or in software, and are further categorised into transient faults and permanent faults [4]. Transient faults occur only for a short period of time, whereas permanent faults affect the system forever. To tolerate faults in such systems, fault tolerant (FT) schemes are implemented [5]. Traditionally, FT schemes are based on some notion of redundancy. In real-time systems, hardware redundancy [2] is used to tolerate transient or permanent faults. However, the replication method incurs a high hardware cost for fault tolerance.
To design for fault tolerance, an error detection and an error correction mechanism are required. Some of the most popular FT schemes are: (i) Active replication, Fig. 1(a): a job is replicated on different processors and the replicas perform the required services [6]; (ii) Primary backup, Fig. 1(b): each job has a backup which is executed whenever a fault is detected; (iii) Re-execution, Fig. 1(c): when a fault is detected in an executing task, the task is re-executed from the start. This scheme works only if the fault has disappeared by the time of the re-execution. Each of the above schemes provides fault tolerance under specific assumptions and failure scenarios, e.g. replication with three replicas allows for both detection and correction, whereas duplication allows only for detection and must be integrated with a mechanism that provides error correction. (iv) Checkpointing, Fig. 1(d): in checkpointing [7], a job is divided into n sub-jobs and each sub-job contains a checkpoint, appended either by the programmer [8] or by the compiler [9], at which the state of the system is saved. A fault is detected when the outputs of two replicas are compared and do not agree; correction is then obtained from the state saved at the checkpoints.
Selection of the most suitable FT scheme is based on the system requirements and constraints. However, each FT scheme introduces a delay in the execution time of the task, e.g.: i) Constant delays: with checkpointing, the state of the task is compared for errors at each checkpoint. These checkpoints, appended by either the programmer or the compiler, introduce a constant time delay in the execution time of the task. Due to the large number of real-time constraints, the choice of constant time delays becomes restrictive and less relevant for systems in a distributed environment, where the delays are induced by the network. ii) Bounded time-varying delays: with re-execution, when a fault is detected the execution of the task starts again from the beginning. This FT scheme introduces bounded time-varying delays into the system. Such delays are very common in systems using networks such as I2C, CAN [24] and FlexRay [25] and can be represented as:
iii) Interval time-varying delays: with a combination of two or more FT schemes, such as re-execution with checkpointing, the time delay introduced in the execution time of the task varies only for a short period, from one checkpoint to the next. By saving the state of the task at each checkpoint, unbounded time variations can be minimised. iv) Delays with constraints on their first derivative: for network stability, numerous stability conditions constrain how the delay function may vary, e.g. by requiring the function to be strictly increasing. v) Piecewise time-varying delays: with networked control systems, the delay functions are not continuous and can be visualised as piecewise time-varying delays. In this paper we integrate re-execution with checkpointing (FT scheme) to provide both error detection and error correction. Table 1 shows the execution of the task at two different processor nodes N0 and N1.
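The cost difference between plain re-execution (scheme iii) and checkpointing combined with re-execution (scheme iv), as an added C example; this is not code from the paper. A job of n sub-jobs has a checkpoint (saved state) after each sub-job, a single constructed transient fault corrupts one sub-job's primary result the first time it runs, and detection works as described above: the primary's output is compared with a replica's. The sub-job computation, the corruption pattern and the replica comparison are all constructed for the illustration; the functions return the number of sub-job executions so the two recovery strategies can be compared.

```c
#include <stdio.h>

/* Constructed model of one job split into n sub-jobs with a checkpoint
 * (saved state) between consecutive sub-jobs. A single transient fault
 * (assumed) corrupts the primary's result of sub-job `fault_step` the
 * first time that sub-job runs, and has disappeared by the retry. */
typedef struct {
    int fault_step;    /* sub-job hit by the transient fault (-1: no fault) */
    int fault_pending; /* 1 until the fault has fired once */
    int executions;    /* number of sub-job executions: the cost metric */
} job_t;

static job_t job_init(int fault_step)
{
    job_t j = { fault_step, fault_step >= 0, 0 };
    return j;
}

/* Deterministic sub-job computation on the saved state (constructed). */
static unsigned sub_job(unsigned state, int step)
{
    return state * 31u + (unsigned)step + 1u;
}

/* Primary execution of one sub-job; the transient fault corrupts it once. */
static unsigned run_primary(job_t *job, unsigned state, int step)
{
    unsigned result = sub_job(state, step);
    job->executions++;
    if (job->fault_pending && step == job->fault_step) {
        job->fault_pending = 0;
        result ^= 0xA5u;   /* constructed corruption pattern */
    }
    return result;
}

/* Error detection by comparing the primary's output with a replica's
 * (the replica is assumed unaffected by the fault). 1 on disagreement. */
static int disagree(unsigned primary_result, unsigned state, int step)
{
    return primary_result != sub_job(state, step);
}

/* Re-execution scheme: on a detected fault, restart the whole job. */
unsigned run_reexecution(int n, int fault_step, int *executions)
{
    job_t job = job_init(fault_step);
    unsigned state = 0;
    int step, restart;
    do {
        restart = 0;
        state = 0;
        for (step = 0; step < n; step++) {
            unsigned r = run_primary(&job, state, step);
            if (disagree(r, state, step)) { restart = 1; break; }
            state = r;
        }
    } while (restart);
    *executions = job.executions;
    return state;
}

/* Checkpointing with re-execution: on a detected fault, roll back to the
 * last checkpoint and re-execute only the sub-job that failed. */
unsigned run_checkpointing(int n, int fault_step, int *executions)
{
    job_t job = job_init(fault_step);
    unsigned checkpoint = 0;   /* state saved at the last checkpoint */
    int step = 0;
    while (step < n) {
        unsigned r = run_primary(&job, checkpoint, step);
        if (disagree(r, checkpoint, step))
            continue;          /* retry this sub-job from its checkpoint */
        checkpoint = r;        /* commit: save state at the checkpoint */
        step++;
    }
    *executions = job.executions;
    return checkpoint;
}

/* Cost (sub-job executions) of each scheme. */
int cost_reexecution(int n, int f)   { int e; run_reexecution(n, f, &e);   return e; }
int cost_checkpointing(int n, int f) { int e; run_checkpointing(n, f, &e); return e; }

/* Both schemes must recover the same final state as a fault-free run. */
int results_agree(int n, int fault_step)
{
    int e;
    unsigned golden = run_reexecution(n, -1, &e);
    return run_reexecution(n, fault_step, &e) == golden
        && run_checkpointing(n, fault_step, &e) == golden;
}

int main(void)
{
    printf("n=5, fault in sub-job 2: re-execution %d, checkpointing %d, same result: %d\n",
           cost_reexecution(5, 2), cost_checkpointing(5, 2), results_agree(5, 2));
    return 0;
}
```

With n = 5 and the fault in the third sub-job, plain re-execution costs 8 sub-job executions while checkpointing costs 6 (n + 1): the checkpoint bounds the redo work to the one sub-job that failed, which is the interval-type delay the text attributes to the combined scheme. Both paths end in the same state as a fault-free run.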
[Table 1: execution of the task at processor nodes N0 and N1; only the column heading "Node" survived extraction.]
RELATED WORK
Feedback performance control for computing systems is presented in [16], which primarily focuses on applying control theory to real-time scheduling and utilization control. For real-time systems with unknown execution times, a state-of-the-art feedback control scheduling algorithm is presented in [17], which provides a performance guarantee for hard real-time tasks. A feedback Dynamic Voltage Scaling (DVS) method to select the proper frequency and voltage for fault tolerant hard real-time embedded systems is presented in [33] [34] [35]. The authors also try to provide QoS by reducing energy consumption and satisfying hard real-time constraints in the presence of faults, and provide a technique to integrate DVS with feedback control theory for hard real-time systems. An analysis of distributed control with shared communication and resource utilization for real-time systems is addressed in [19]. The checkpointing FT scheme is integrated into real-time embedded systems in [7], but that work does not address control-scheduling co-design. A perspective on integrating control and computing for control-scheduling co-design is presented in [18]. Control design for networked control systems, a novel approach for designing control scheduling for networked systems, is addressed in [20, 28]. An adaptive neural network based feedback control scheduling for soft real-time embedded systems is addressed in [13, 14]. In [11] the authors provide an approach to recover a parallel system from fault mode using the checkpointing FT scheme and control theory. Trade-offs between reliability/FT and control theoretical methods are addressed in [38]. In [15] the authors use a double feedback based control scheduling approach for real-time systems to achieve high performance. Control system scheduling for hard real-time systems is addressed in [18], but that work does not address fault detection and fault recovery mechanisms together with feedback control theory.
A feedback based control-scheduling co-design approach for real-time embedded systems is presented in [29]. That work shows that closed loop systems are not hard real-time systems: although control systems are robust in nature and tolerant of time variations, they also suffer from timing jitter and data loss. The authors also provide different techniques to model time delays in systems suffering from data loss over the network. In [22, 23] the authors try to capture the time variation of Safety Critical (SC) tasks over the network, in correspondence with sampling intervals and time delays, for better resource management and bandwidth utilization to achieve QoS. The system response in the presence of transient faults, and FT schemes for hard real-time systems to achieve dependability in X-by-Wire (XBW) systems, are addressed in [26, 27]. Fault tolerant scheduling for hard real-time systems is addressed in [38], but that work focuses only on maintaining CPU scheduling within a specified scheduling bound by making sure that SC tasks meet their deadlines. Moreover, it does not capture the task state in fault mode and provides little information about data loss.
Up-to-date control scheduling algorithms based on fuzzy logic controller network control are presented in [12]. The authors provide a Feedback based Scheduling Control (FCS) framework for adaptive real-time systems by developing a dynamic model of real-time systems, and demonstrate the robustness of the tuned FCS algorithms when the task execution time varies by as much as 100% from the initial estimate. The existing FCSA design technologies focus only on the use of feedback control theory and do not consider the integration of fault tolerant schemes. To the best of our knowledge, this is the first work that presents the integration of fault tolerant schemes with feedback control scheduling algorithms for real-time embedded systems.
PROBLEM STATEMENT
Due to the increasing design complexity of embedded systems, it is very common that several control tasks have to compete for one embedded processor. Therefore, the overall system performance depends not only on the design of the control algorithms but also on the efficient scheduling of the shared computing resources. Unfortunately, the design of embedded control systems is often based on the principle of separation of concerns [15] between control and computing.
This separation is based on the assumption that feedback controllers can be modelled and implemented as periodic tasks that have a fixed period, a hard deadline and a known WCET. These assumptions have also been widely adopted by the control community for developing sampled control theory, which allows the control community to focus on its own problem. However, faults associated with embedded control systems can occur at any time, causing the control task execution time to increase beyond its estimate, so that control tasks start missing their deadlines. Also, many control loop deadlines are not hard: most practical control systems can tolerate occasional deadline misses due to faults. As a result, the Quality of Control (QoC) of real-time control systems designed on this separation of concerns between control and computing would be worse than possible, and in extreme cases unacceptable, with instability. To cope with this problem, a fault tolerant scheme has to be integrated with the feedback control scheduling algorithm. In this paper, a novel approach to integrate FT schemes with FCSA is presented and the stability of the system is analysed in the presence of faults. Finally, the verification of this approach is investigated on a crane control system.
FEEDBACK CONTROL SCHEDULING ALGORITHM (FCSA)
The feedback scheduler controls processor utilization by assigning task periods that optimize the overall control performance. This approach is well suited to a "quasi-continuous" variation of the sampling periods of real-time tasks under the control of a preemptive Real-Time Operating System (RTOS). Feedback scheduling is a dynamic approach allowing better use of the computing resources, particularly when the workload changes. Fig. 3 gives an overview of a feedback scheduler architecture where the control inputs are the periods of the control tasks and the output is the measured CPU utilization. CPU activity is controlled according to resource availability by adjusting scheduling parameters (i.e. the periods of the control tasks). An outer loop (the scheduling controller) adapts the scheduling parameters in real time from measurements taken of the computer's activity, e.g. the computing load. The FCSA runs periodically, at a period larger than the sampling periods of the plant control tasks. The system structure evolves along a discrete time scale upon the occurrence of events, e.g. admission of new tasks or exception handling. Off-line iterative optimization is used to compute an adequate setting of periods, gains and latencies that yields the requested control performance according to the available computing resources and implementation constraints. The optimal control is achieved by computing the new task periods by the rescaling:
(1
Where is the utilization set-point, is the period of task at time is the estimated CPU load and is the new period of task at time . Processor load induced by a task is defined by Where and are the execution time and period of the task respectively.
Estimated processor load induced by a task for each period of the scheduling controller is defined as: (2) Where is the sampling frequency currently assigned to the plant control task (i.e. at each sampling instant ) and is the mean of its measured job execution-time. is a forgetting factor used to smooth the measure.
is the processor load induced by task at time and period . Due to the execution time variation of the task in the presence of faults, the estimated CPU load is defined as a function of the task periods as: (3) Where is the frequency of task i. A single control task system is given in Fig. 4, where the estimated execution times are used on-line to adapt the gain of the controller for the original CPU system (3) (this allows the variations of the job execution time to be compensated). With this control scheme, the controller K can be designed with any control methodology at hand.
As depends on the run-time environment (e.g. processor speed, task jitter), a "normalized" linear model of the task (i.e. depending on the execution time) is used for the scheduling controller synthesis, where is omitted and is compensated by on-line gain scheduling ( ) as shown below.
(4)
A Fuzzy Logic Controller based feedback scheduler is shown in Fig. 5, where U(k) is the total CPU load measured for each period of the scheduling task and M(k) is the task deadline miss ratio. Ud is the desired load. Md is the controller variable used to control the task deadline miss ratio. Adding a feedforward admission controller allows anticipation of future task costs and enhanced transient behaviour.
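A minimal model of the feedback scheduler loop described in this section, added here as a C example; it is not the paper's code and not the Renesas implementation described later. The per-task load C_i/h_i, the smoothed execution-time estimate with a forgetting factor, and the rescaling of task periods towards a utilization set-point follow the text, but because equations (1) to (3) did not survive extraction, the concrete forms used here (exponential smoothing, the rescaling law h_new = h * U_est / U_sp, and clamping of each period to an admissible range) are assumptions. The task set, the set-point of 0.8 and the inflation factor g applied to execution times are constructed.

```c
#include <stdio.h>
#include <stddef.h>

#define NTASKS 4

/* One plant control task as seen by the scheduling controller.
 * Times are in seconds; the task set used below is constructed. */
typedef struct {
    double period;     /* h_i: period currently assigned to the task */
    double exec_mean;  /* C_i: smoothed measured job execution time */
    double h_min;      /* admissible period range (assumed to come from the control design) */
    double h_max;
} task_t;

/* Smoothed execution-time estimate with forgetting factor lambda in [0,1).
 * Exponential smoothing is assumed as the smoothing form. */
double smooth_exec_time(double prev_mean, double measured, double lambda)
{
    return lambda * prev_mean + (1.0 - lambda) * measured;
}

/* Load induced by one task: U_i = C_i / h_i, as defined in the paper. */
double task_load(const task_t *t)
{
    return t->exec_mean / t->period;
}

/* Estimated CPU load: sum of the per-task loads. */
double total_load(const task_t *tasks, size_t n)
{
    double u = 0.0;
    size_t i;
    for (i = 0; i < n; i++)
        u += task_load(&tasks[i]);
    return u;
}

/* One period of the scheduling controller: refresh the execution-time
 * estimates, compute U_est and rescale all periods towards the set-point.
 * The law h_new = h * U_est / U_sp is assumed (the paper's equation (1)
 * is not available); periods are clamped to [h_min, h_max].
 * Returns U_est as measured before the rescaling. */
double scheduler_step(task_t *tasks, size_t n, const double *measured_exec,
                      double lambda, double u_sp)
{
    double u_est, scale;
    size_t i;
    for (i = 0; i < n; i++)
        tasks[i].exec_mean = smooth_exec_time(tasks[i].exec_mean, measured_exec[i], lambda);
    u_est = total_load(tasks, n);
    scale = u_est / u_sp;
    for (i = 0; i < n; i++) {
        double h = tasks[i].period * scale;
        if (h < tasks[i].h_min) h = tasks[i].h_min;
        if (h > tasks[i].h_max) h = tasks[i].h_max;
        tasks[i].period = h;
    }
    return u_est;
}

/* After rescaling, a load still above the set-point means the periods have
 * hit their upper bounds: the fault-inflated task set can no longer be
 * brought back to U_sp and deadlines will start to be missed. */
int overloaded(const task_t *tasks, size_t n, double u_sp)
{
    return total_load(tasks, n) > u_sp + 1e-9;
}

/* Run the scheduler for `rounds` periods on a constructed task set whose
 * job execution times are inflated by the factor g (fault-induced
 * variation, as in the paper's experiments). Returns the final load. */
double simulate(double g, double lambda, double u_sp, int rounds, int *is_overloaded)
{
    /* nominal C_i and h_i: each task induces a load of 0.1 when g = 1 */
    static const double c[NTASKS] = { 0.0010, 0.0020, 0.0015, 0.0010 };
    static const double h[NTASKS] = { 0.0100, 0.0200, 0.0150, 0.0100 };
    task_t tasks[NTASKS];
    double measured[NTASKS];
    int i, r;
    for (i = 0; i < NTASKS; i++) {
        task_t t = { h[i], c[i], h[i] / 2.0, h[i] * 8.0 };
        tasks[i] = t;
        measured[i] = c[i] * g;   /* constructed: every job takes g times longer */
    }
    for (r = 0; r < rounds; r++)
        scheduler_step(tasks, NTASKS, measured, lambda, u_sp);
    *is_overloaded = overloaded(tasks, NTASKS, u_sp);
    return total_load(tasks, NTASKS);
}

/* Fixed-setting wrappers: lambda = 0.5, U_sp = 0.8, 30 scheduler periods. */
double final_load(double g)   { int ov; return simulate(g, 0.5, 0.8, 30, &ov); }
int overloaded_for(double g)  { int ov; simulate(g, 0.5, 0.8, 30, &ov); return ov; }

int main(void)
{
    double gs[] = { 0.5, 1.0, 4.0, 20.0 };
    int i;
    for (i = 0; i < 4; i++)
        printf("g=%5.2f  final load=%.3f  overloaded=%d\n",
               gs[i], final_load(gs[i]), overloaded_for(gs[i]));
    return 0;
}
```

With g = 4 the loop brings the load back to the 0.8 set-point by doubling every period; with g = 20 the periods saturate at their upper bound and the load settles at 1.0, the overloaded state in which SC tasks miss deadlines. This is the kind of limit on g that the experiments later report for the FT-integrated scheduler; the particular threshold depends on the admissible period range, which is an assumption here.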
SYSTEM ARCHITECTURE AND IMPLEMENTATION
The FT based FCS is implemented on the crane control system. The system architecture of the crane control system constitutes a distributed shared hardware platform with a network topology in which every hardware node can communicate with every other node. Fig. 6 shows the high level model of the system architecture and resources, elaborating the partitioning concepts. It also describes the application execution environment, where nodes are connected through a network bus. Each node has two partitions: partition A is dedicated to the safety critical jobs and partition B contains the non-safety critical jobs, with a shared processor running mixed criticality applications. A node's resources consist of a CPU, an I/O controller, sensors and actuators, RAM, ROM and a CPU utilization monitor. Every node in the system's integrated architecture uses the same configuration. The crane control system consists of two major parts, an Operator Control Unit (OCU) and a Machine Control Unit (MCU) [36] [37] [38]. Both OCU and MCU contain two Renesas M16C62p microcontrollers [30], which is the most popular microcontroller used in the motor industry for industrial automation and contains a built-in I2C interface for multi-processor communication. The OCU has a multi-level push button keypad installed on its outer surface. Each button is a three-step push button, used to control the speed of the machine attached to the MCU. There are some Safety Critical (SC) and non-SC tasks associated with this system. The degree of task replication depends upon the safety level of the SC task and is defined by its Safety Integrity Level (SIL) [31]. Based on the Simulink model, C code is generated which is then integrated with the system code, implemented to the MISRA C industrial standard in the High performance Embedded Workshop (HEW). Transient faults are injected into the system by using test scripts at the software level.
The steady state response of the system is investigated through Matlab and the actual CPU execution time is monitored using a software timer.
EXPERIMENT
The purpose of the first experiment is to test the robustness (variation of task execution in the presence of faults) of the system with and without FT integration. One microcontroller is configured as the master controller and the second microcontroller serves as the slave controller. For this experiment, two SC telegram mapping tasks are considered. Both controllers map their own telegrams independently and compare them at different sampling intervals over the I2C bus network to validate the correctness of the telegram. Two sampling intervals are allocated for each task, and a software timer is used to measure the maximum time elapsed (actual execution time) between the two sampling intervals. CPU utilization is monitored both with and without FT integration. Estimated values are verified using Matlab. The aggregate error for each CPU utilization is calculated, when the system is in steady state, by the equation below [21]:
The purpose of the second experiment is to investigate the maximum schedulable limit and the upper bound on the number of checkpoints. For this experiment, ten SC tasks are considered. Apart from these, 30 non-SC tasks on the master processor and 20 non-SC tasks on the slave processor are allocated. Three checkpoints are allocated for each SC task. In this experiment the maximum utilization bound of the processor is tested. The purpose of the third experiment is to investigate the trade-offs of using the fault tolerant based feedback control scheduler against an open loop EDF scheduler. For this purpose, four periodic SC tasks are considered. Task T1 scans the keypad associated with the OCU. Tasks T2 and T3 are associated with telegram building. Task T4 is associated with inter-processor communication (I2C read/write). The QoC of the system is investigated by introducing faults into the system at the software level (using test scripts). These faults increase the execution time of the tasks. Also, if a task waits for a resource which is occupied by another task, then that task may miss its deadline. Table 3 shows the values of CPU utilization with and without FT scheme integration for experiment 1. With FT scheme integration, the CPU is slightly over-utilized, which suggests that SC tasks take more time to execute than estimated. The ratio g between the estimated execution time and the actual execution time is calculated with the help of the software timer. For the master microcontroller, CPU utilization turns out to be g=(0. For the second experiment, the execution variation is g=(2.0-2.40) for the master microcontroller, which means that the actual execution time of an SC task with FT scheme integration is 2.0-2.40 times the estimated completion time. Also, 10 SC tasks are scheduled on the master microcontroller. On the slave microcontroller g=(1.8-2.2), which means that the actual execution time of SC tasks with the FT scheme is 1.8-2.2 times the estimated completion time.
Also, 10 SC tasks are scheduled on the slave microcontroller. It is also observed that beyond g=6.98 the scheduler becomes unstable, and after g=7.0 the CPU waveform starts to oscillate (showing instability of the scheduler), as shown in Fig. 10. When the actual CPU utilization exceeds the desired set point, a task is taking too much time to execute (because the fault introduced into the system has increased the completion time of the task), as in the case of task T4 at time step 3.25 µsec. When the actual CPU utilization is below the desired set point, a task has completed its execution before its estimated completion time, as happened at time step 3.625 µsec, when task T2 completed its execution before the estimated time.
Figure 12: Scheduling of four tasks (T1-T4) using closed loop FCS. At time step 3.25, when task T4 is introduced, the feedback based control scheduler activates and schedules task T4 immediately.
At time step 3.25 µsec, when task T4 is introduced, the feedback based control scheduler is activated and, instead of suspending the task execution, the task period is updated so that task T4 gets a chance to execute as soon as it is introduced. Also, between time steps 3.50-4.0 µsec the CPU utilization waveform is much more stable.
RESULTS
[Results table: columns for SC tasks and non-SC tasks; the values did not survive extraction.]
CONCLUSION
This paper provides a novel technique for integrating an FT scheme with feedback control scheduling algorithms. The system architecture presented in this paper is, to a great extent, more robust in terms of the execution variation (CPU utilization) of the scheduled tasks. It is also evident from the experiments that, in order to achieve a system with higher reliability and fault tolerance, trade-offs have to be made between CPU utilization and the number of SC tasks to be scheduled on a particular processor. It is also observed that from g=0.05-7.0 the integrated fault tolerant FCSA remains robust (schedulable); after that the number of sampling intervals exceeds the upper bound, the completion time of SC tasks exceeds their WCET and SC tasks start missing their deadlines. A greater number of sampling intervals leads to higher reliability and FT, but on the other hand the task execution time increases. Increasing the sampling intervals beyond the required bound can also lead to network instability. To achieve high QoS (CPU utilization and resource allocation), a balance has to be struck by the designer between the number of SC tasks to be scheduled on a particular processor, the checkpoints (sampling intervals) assigned to each SC task, CPU utilization and the bandwidth utilization of the communication network.
FUTURE CONSIDERATIONS
A. Timing delay models:
In this paper the delay time is modelled as a bounded time-varying delay. However, if the sampling intervals are known such that there exist two scalar values d1 and d2 and the variation lies between these two values, then this kind of delay can be modelled as an interval time-varying delay.
Also, if the sample interval time function varies in a piecewise manner, then a piecewise time-varying delay model will be very helpful. For example, an increasing sequence of signals can be seen as a delayed signal with:
B. Heterogeneous System:
This paper focuses only on a system with identical processors, and the same CPU utilization model is adopted for both processors. However, if the system has different hardware nodes in terms of processor speed, power and dedicated ASIC applications, then the time delay model has to capture these constraints as well, while keeping the system stability intact.
