Automation has rapidly increased across multiple industries worldwide (Guo et al., 2021; Khastgir et al., 2021). Unmanned systems, including aerial and underwater variants (Zhao et al., 2023; Chen et al., 2024), not only enhance performance in various fields but also provide significant economic and environmental benefits. However, with these advancements comes increased complexity, leading to a rise in accidents and safety concerns (Chen et al., 2025; de Koning et al., 2024). Ensuring the safety of the intended functionality (SOTIF) has become crucial as functional inadequacies and performance

limitations of unmanned systems become more apparent. Although the ISO/PAS 21448 standard for “Road Vehicles Safety of the Intended Functionality” was introduced in 2019, it lacks specific technical guidance, underscoring the need for further research (Schnellbach and Griessnig, 2019).

The SOTIF process is a hot topic for unmanned systems which mainly deals with the unreasonable risk due to those hazards caused by performance limitations. Some recent fatalaccidents involving autonomous vehicles have revealed that unmanned systems are highly sensitive to safety hazards due to performance limitations rather than traditional hardware or software faults or errors (Board, 2019; Pimentel, 2019). In these accidents, the performance boundary is exceeded at a certain point, namely the unmanned system is no longer competent for itscurrent job. However, users are often much overconfident in these smart unmanned systems and thus neglect the signs of danger.With the large-scale use of intelligent technology, similar risks are increasingly troubling designers. Therefore, it is vital to answer the question of whether the intended function of an unmanned system could be declared safe, which is exactly the ultimate goal of SOTIF design. More and more researchers are starting to delve into the SOTIF field. Kinalzyk (2021) detailed the differences between SOTIF and traditional functional safety work and proposed an integrated analysis approach. Skoglund et al. (2021) comprehensively analyzed the work process and focusedon three types of problems: SOTIF, functional safety, and information security, and provided a safety work arrangement for the entire development cycle of the system. Chelouati et al. (2023) explored the case of automatic train safety and security and proposed a GSN-based high-level framework. Grabbe et al. (2020) recommended using FRAM for risk assessment in developing highly automated vehicles, aiming to provide system design suggestions and insights for validation work. Overall, this study aims to extend the existing safety work process to cover the research scope of SOTIF. Similar work generally emphasizes the non-fault features of SOTIF-related hazards, which has reference significance for a deeper understanding of the SOTIF mechanism.

In addition, many researchers are currently committed to analyzing the SOTIF of an unmanned system through case testing. For example, Neurohr et al. (2020) proposed 16 factors to consider in scenario-based unmanned driving testing, including scenario generation, requirement generation, testing bias, testing execution, and testing confirmation. Zhou et al. (2022a) proposed a unified scenario description language and evaluation standard, which can support the expansion of test scenarios and improve data utilization efficiency. In analyzing SOTIF based on case testing, most studies use statistical indicators such as accident rates and takeover request frequencies (corresponding to situations where the system’s intended functionality is insufficient) as the basis for the final judgment. Birch et al. (2020) proposed a state machine to structure an argument concerning SOTIF. Cai et al. (2023) predicted the motion behavior of the preceding vehicle based on historical data and improved Markov model. Collin et al. (2020) linked the Rulebooks framework and the SOTIF process. Hu et al. (2022) proposed a novel and implementation-independent SOTIF validation strategy through real-world examples. Jiménez et al. (2023) demonstrated how the integration of the SOTIF process within an existing validation tool suite can be achieved. However, Kalra and Paddock (2016) have proven that at least 100 unmanned systems must be driven continuously for 12.5 years to demonstrate that unmanned systems have the same safety level as existing vehicles. Although many efforts have been made to improve case testingefficiency, the cost of analyzing SOTIF through pure experimental means is prohibitively high. There is a strong demand for considering SOTIF requirements in forward design of the unmanned systems.

Meanwhile, many research scholars have focused on SOTIF and its association with human-machine interactions. For example, Yan et al. (2021) proposed a SOTIF evaluation strategy for safety supervision to support the evaluation of driver errors and lane deviation risks caused by driver errors. Zhang et al. (2021) discussed the effectiveness of system theoretical process analysis and cognitive task analysis methods in addressing SOTIF issues in human factors engineering. Abdulazim et al. (2021) proposed a contextual-based predictive ML model to monitor the intervention between the driver and lane keep assist system. Rau et al. (2019) reviewed the SOTIF process, which described the development of a framework for deriving scenarios. It should be noted that SOTIF issues related to human-machine interaction usually only exist in low-level unmanned systems, which do not apply to high-level unmanned driving (SAE L4 and L5) because the necessary takeover actions by human drivers are no longer required when the unmanned driving function is activated.

SOTIF refers to the state description of whether the unmanned capability meets the actual operating needs under non-fault conditions.Thus, research on operating capabilities in specific operating tasks can also be classified into the scope of consideration for SOTIF. For example, Esterle et al. (2019) used linear logic to judge driving decisions during the operational phase to monitor whether they comply with preset traffic rules.Wang et al. (2022) proposed a robust non-fragile fault-tolerant control strategy as a quantitative risk method for the adaptive cruise control function for ensuring SOTIF. Chu et al. (2023) proposed a method to evaluate SOTIF-oriented perception effectiveness for forward obstacle detection of unmanned systems. Zhang et al. (2019) proposed intended safety systems for intelligent driving, incorporating SOTIF concepts to analyze and evaluate the driving scene and system safety. Luo et al. (2022) proposed a fuzzy reasoningevaluation method based on an analysis of scenarios and elements. Zhou et al. (2022b) investigated the safety of autonomous emergency braking (AEB) perception systems, providing crucial insights for optimizing AEB perception system parameters.

Briefly, the SOTIF concept is a challenging field that is directly related to the type of function being considered in unmanned systems. Although there are many conceptual discussions about SOTIF, there are relatively few forward design methods for specific functions.This paper presents an SOTIF analysis and optimization for unmanned systembased on computational resource allocation, the main contributions of this study are summarized as follows:

1) Computational resource allocation scheme modeling with multidimensional SOTIF constraints based on graph and set theory: This study constructs a comprehensive model for computational resource allocation in unmanned systems using graph and set theory. It considers task relationships, communication requirements, and SOTIF constraints, enabling a systematic analysis to ensure safety.

2) Optimization method for computational resource selection based on Forward Checking: This study introduces an optimization method for computational resource selection using Forward Checking. It boosts efficiency by narrowing the search space and swiftly identifying optimal allocation schemes that meet SOTIF constraints.

3) Optimization method for computational resource allocation based on NSGA-II: This study uses NSGA-II to optimize computational resource allocation, considering various objectives, such as load distribution and communication cost, while meeting SOTIF constraints. The NSGA-II generates Pareto-optimal solutions, enabling efficient resource use and safety.

This study introduces an innovative framework for analyzing and optimizing computational resource allocation in unmanned systems, enhancing both their efficiency and safety. The paper is organized as follows: Section 2 outlines the objectives and problem definition. Section 3 discusses the SOTIF analysis method based on computational power requirements. Section 4 details the comprehensive optimization methods for resource selection considering SOTIF and computational power costs. Section 5 details the comprehensive optimization method for resource allocation considering SOTIF and rational computational power allocation. Section 6 presents a case study, and Section 7 concludes the study with key findings.

Unmanned systems are intelligent systems that perceive their environment and make driving decisions autonomously. For specific unmanned driving tasks, the resource entities involved can be categorized into four types: sensors, communication units, processors, and actuators, as shown in Fig. 1. During task execution, sensors capture and preprocess environmental data. This data is transmitted through communication units to processors, where specific applications perform further computations. After multiple processing stages, driving commands are sent via communication units to actuators, which adjust the vehicle’s behavior in real-time.

The design process for the computational resource allocation scheme in unmanned systems is illustrated in Fig. 2. It begins with a functional logic model derived from breaking down the driving tasks, which defines the target functions and their interactions. Various applications and messages within this model act as virtual resources deployed on computational platforms, serving as key inputs for the allocation scheme. Additionally, information about available hardware resources is a critical input for this design process. Based on these foundations, the computational resource allocation design can be divided into two key challenges:

1) Hardware Resource Selection Problem: This involves selecting an appropriate combination of hardware entities from the available resource pool to form a computational platform system. This system must support at least one configuration that satisfies SOTIF requirements.

2) Functional Logic Architecture and Computational Platform Mapping Problem: This focuses on balancing multiple design objectives to find the optimal allocation among all configurations that meet SOTIF requirements.

To address these challenges, this study proposes a computational resource allocation method based on graph and set theory. The method leverages functional logic and resource entity models to evaluate resource sharing and constraints related to SOTIF. The optimization process is divided into two stages: resource selection and allocation scheme optimization. Forward Checking and NSGA-II algorithms are employed for optimization. Comprehensive case studies validated the method’s effectiveness, demonstrating significant improvements in resource allocation efficiency.

This section performs formal modeling for the computational resource allocation scheme and its related SOTIF requirements to support the subsequent analysis and optimization work for SOTIF requirements.

After decomposing and integrating into reusable functions, autonomous driving tasks are represented as a series of executable applications. Communication between these applications ensures task progress. As shown in Fig. 3, a typical functional logic model depicts these relationships. In this study, a quintuple ⟨F,M,E,FM,MF⟩ represents the functional logic relationship for autonomous driving tasks, as follows:

where F represents the set of functions F_i to be executed; M represents the set of communications M_j to be transmitted; E is the communication cost matrix between functions, where e_{p,q} denotes the bandwidth required to send a message from function F_p to F_q, with main diagonal elements always 0; FM and MF are communication-sending and receiving matrices, respectively. In FM, {fm}_{p,q}=1 if function F_p sends communication requirement M_q, else {fm}_{p,q}=0; in MF, {mf}_{p,q}=1 if function F_q receives communication requirement M_p, else {mf}_{p,q}=0.

Furthermore, each functionF_ican be decomposed into a series of real-time application requirements, defined as follows:

where {RR}_i represents the memory requirements for executing function F_i; {\mathrm{\Gamma }}_i represents the set of application programs within F_i, assumed to be numbered by priority. Each application program {\tau }_{i,r} is characterized by its worst-case execution time C_{i,r}, deadline D_{i,r}, and arrival period T_{i,r}. The worst-case execution time C_{i,r} depends on the processing resource capability used. Similarly, each communication requirement M_j is decomposed into a series of messages, defined as follows:

where m_{j,s} represents the information within the communication requirement M_j, numbered by priority. Each information m_{j,s} is described by six parameters: communication cost {BW}_{m_{j,s}}, worst-case transmission time C_{m_{j,s}}, transmission deadline D_{m_{j,s}}, message period T_{m_{j,s}}, source application program {Pre}_{m_{j,s}}, and target application program {Sub}_{m_{j,s}}. The worst-case transmission time C_{m_{j,s}} is dependent on the communication resource capability.

As shown in Fig. 4, the types of resource entities included in the computing platform system can be divided into processor and communication resources. The resource entity model is represented by a triple ⟨N,Bus,A⟩, whichis defined as follows:

where N represents the set of processor resources, and its element N_i is used to refer to the processor entity included in the platform; Bus represents the set of communication resources, and its element {Bus}_j is used to refer to the communication bus included in the platform; A is the connection matrix, and its element a_{p,q} represents the connection relationship between processor N_p and communication bus {Bus}_q. When processor N_p is connected to communication bus {Bus}_q, a_{p,q}=1, indicating that data transmission can take place.

The basic performance of any processing resource node is characterized by the memory constraint {RAM}_i, input/output communication bandwidth constraint {BW}_i, and computing power {Cal}_i. Additionally, for a running processor, its energy consumption per unit time includes both static and dynamic energy components (Collin et al., 2019):

where thestatic power consumption, denoted as {Power}^{\mathrm{i}\mathrm{d}\mathrm{l}\mathrm{e}}, encompasses power consumed by the clock circuit during processor core execution, multi-threaded dynamic scheduling control, on-chip bus communication, and other overheads provided by the processor manufacturer. Dynamic power consumption, denoted as {Power}^{\mathrm{r}\mathrm{u}\mathrm{n}\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}}, primarily arises from computing and storage units, varying with the executed program. To approximate dynamic power consumption, two parameters, P_i^{\mathrm{m}\mathrm{e}\mathrm{m}\mathrm{o}\mathrm{r}\mathrm{y}} for storage space operations and P_i^{\mathrm{c}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{u}\mathrm{t}\mathrm{e}} for time computing operations, are agreed upon. The calculation method for the dynamic power consumption is as follows:

where memory represents the size of memory occupied by the program during execution; TimeRate represents the occupancy rate of the effective time of program execution, determined by the ratio of actual execution time to arrival time interval.

Based on this, any processor resource N_i can be represented by the following six-tuple:

Similarly, communication resources can be characterized using basic performance parameters such as communication bandwidth {BW}_{Bus}, and communication capability {Com}_{Bus}. Unlike processor resources, the energy consumption related to access operations can be ignored when considering communication resource consumption, and instead, static power consumption P_{Bus}^{\mathrm{i}\mathrm{d}\mathrm{l}\mathrm{e}} and power consumption per unit time for transmission operation P_{Bus}^{\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{n}\mathrm{s}\mathrm{m}\mathrm{i}\mathrm{t}} are used to characterize communication resource performance. Therefore, any communication resource {Bus}_j can be represented using the following four-tuple:

Considering the computing power of different processor resources directly impacts the estimation of worst-case execution time for application programs. This paper simplifies this consideration by using relative capacity values. A reference processor is chosen in the computing platform system, with its processing capacity set to 1. The processing capacity parameter of other processors is the ratio of their processing capacity to that of the reference processor. Similarly, relative communication capabilities were used to describe the performance of the communication buses in this study.

Based on the definitions of the functional logical and resource entity models mentioned above, the following two allocation matrices can be used to characterize the mapping relationship between the application program and messages with their corresponding entity resources:

where X represents the function allocation matrixand Y represents the communication allocation matrix, where the corresponding elements satisfy:

Note that the functionality allocation matrix X, communication allocation matrix Y and the resource connectivity matrix A described in section 3.2 are inherently correlated. Equations (11) and (12) provide the mathematical relationship between the three matrices from the sending and receiving communication perspective, respectively:

where s,t=1,2,\dots ,\left|N\right|, q=1,2,\dots ,\left|Bus\right|. Combining Eqs. (11)and (12), the following identity can be derived.

where \mathrm{m}\mathrm{a}\mathrm{x}(\cdot ) and \mathrm{m}\mathrm{i}\mathrm{n}(\cdot ) representing taking the maximum/minimum value bitwise.

On this basis, this study considers a configuration scheme ⟨X,Y⟩ to be compliant with SOTIF requirements if and only if it satisfies the following conditions simultaneously:

1) Uniqueness requirement for function and communication allocation

All functions F_i are assigned to one and only one corresponding processor resource entity:

When the sending and receiving functions are located on different processor resources, the communication requirement M_i is sent and received by one and only one corresponding communication resource. When the sending and receiving functions are located on the same processor resource, the communication requirement M_i can be directly fulfilled by accessing the memory of the processor:

2) The configuration scheme satisfies the real-time constraints of all application executions

In an effective configuration scheme, each application {\tau }_{i,r} needs to complete execution before its corresponding deadline D_{i,r}. Considering the computational characteristics of processor resource N_j when application {\tau }_{i,r} is deployed on processor resource N_j its corresponding equivalent worst-case execution time is C_{i,r}/{Cal}_j. We use the worst-case task response time R_{i,r} to represent the upper limit of the time required to complete application {\tau }_{i,r}. The scheduling mode of programs on processor resources will directly affect their corresponding worst-case task response time. In this article, we consider the most common fixed-priority scheduling mode. Based on this, it can be determined that:

where \lceil \cdot \rceil denotes rounding up; hp({\tau }_{i,r}) represents the set of applications with higher priorities than {\tau }_{i,r} running on the same processor. Equation (17) reflects the worst-case response time of a task, which consists of the worst-case execution time and the time preempted by higher-priority tasks running on the same processor.

In computing resource sharing, partition scheduling is a widely used mechanism where the rotation period for running partitions on a processing resource module is denoted as RL. The proportion of the total period that an application {\tau }_{i,r} corresponding to functionality F_i occupies in its partition is denoted as {\alpha }_i (referred to as the partition coefficient). Considering the inherent mechanism of mutually exclusive partition scheduling, other partitions can be regarded as a cyclic task with higher priority, having a period of RL and execution time of \left(1-{\alpha }_i\right)RL when computing the worst-case response time R_{i,r} of the application {\tau }_{i,r}. Based on this, Eq. (18) can be reformulated:

It is known that the partition rotation period RL is a predetermined positive actual number. If RL\to 0, it follows that:

According to Eq. (18):

And thus satisfy:

For application {\tau }_{i,r}, It satisfies the real-time requirement if and only if the response time R_{i,r} is not greater than the deadline D_{i,r} (i.e. R_{i,r}\le D_{i,r}) which is equivalent to Eq. (22):

Therefore, it can be considered that the real-time requirements of all applications in the partition where function F_i is located can be met as long as they satisfy:

where {\alpha }_i^{lb} is defined to constrain the lower bound of the partition coefficient {\alpha }_i, which is only related to the function F_i.

Thus, the real-time requirements related to the application can be expressed in the scheduling scheme as follows: “For any processor resource, there exists a feasible combination of partition coefficients, such that each application within each partition is schedulable and the sum of all partition coefficients does not exceed 1.” In other words, it satisfies:

3) The configuration scheme meets the real-time constraints of all message transmissions

When the communication requirement M_j is assigned to the communication resource {Bus}_q, the worst-case transmission time of message M_j in m_{j,s} on the bus can be represented as follows:

where hp(m_{j,s}) represents the set of messages with higher priority than m_{j,s} on the same data bus; since there is actually no direct priority relationship between different communication requirements M_j, whenever considering the communication requirement M_j in this paper, it is assumed conservatively that other communication requirements M_k (k\ne j) have higher priority than M_j; B_{m_{j,s}} represents the maximum blocking time, which is equivalent to the blocking caused by the longest transmission time of the low-priority message:

Similarly, according to Eq. (25), it can be inferred that:

After simplification:

In summary, to strictly ensure that the worst-case transmission time R_{m_{j,s}} is not greater than the deadline D_{m_{j,s}}, a feasible approach is to make sure that:

For simplicity, concerning any communication requirement M_k(k=1,2,\dots ,\left|M\right|), two related variables are defined in this paper, the values of which are solely dependent on the communication requirement M_k:

Therefore, Eq. (29) is equivalent to:

where {\beta }_{m_{j,s}} is defined by Eq. (32), and its value is only related to the message m_{j,s}.

It should be noted that although Eq. (31) can provide the most accurate real-time guarantee for transmission delay, it needs to be calculated separately for each message, which poses a huge challenge for practical analysis. To simplify the calculation, the communication requirement M_j, is defined as:

On this basis, the requirement that “the scheduling scheme can meet the real-time constraints of all message transmissions” can be expressed as:

where Eq. (35) is a sufficient condition for Eq. (31) to hold, i.e., Eq. (35) can provide a stronger feasibility guarantee.

4) The processing capacity requiredunder the maximum processing resources that a processor can provide

For any processor resource module, the application resource requirements deployed on it do not exceed its inherent memory, output bandwidth, and input bandwidth capabilities. It satisfies:

5) The communication capacity requiredunder the maximum communication resources that can be provided

For any communication resource module, the sum of the required communication bandwidths corresponding to all messages transmitted through the communication resource by the processors connected does not exceed its inherent communication bandwidth capacity limit. This includes both input bandwidth requirements and output bandwidth requirements, where:

6) All processor resource power consumption under the threshold

High-performance processor resources enhance the performance of unmanned driving tasks but often result in increased energy consumption and heat dissipation. Processor power consumption comprises static and dynamic components, with the dynamic component further divided into computational and storage operations. A reasonable and safe configuration scheme should ensure that the total power consumption of all processor resources remains within a predefined threshold, as follows:

7) Power consumption of all communication resources under the thresholds

Similarly, the working power consumption of all communication resources must not exceed a specified threshold. This paper primarily addresses the static power consumption and data transmission power consumption of communication resources, with the following requirements:

8) Preset feature allocation mutual exclusion requirements

In designing a shared configuration scheme, it is essential to consider preset allocation constraints and correlations between different functions and between functions and processor resources, as required by unmanned driving tasks.

Mutual exclusion in allocation means that “two target functions cannot be deployed on the same processor resource.” This requirement is satisfied by:

when F_i and F_k are preset as mutually exclusive functions.

Allocated correlation means that “two target functions must be deployed on the same processing resource.” This requirement is satisfied by:

when F_i and F_k are preset as correlated functions.

In summary, Eqs. (14)–(16), (24), (35)–(44) collectively constitute the constraint criteria for the feasibility of the configuration ⟨X,Y⟩. To facilitate batch operation analysis, this paper introduces auxiliary matrices listed in Table 1, which enable a vectorized representation of each constraint.

On this basis, SOTIF constraints of the configuration scheme can be reorganized into the following matrix expression:

where diag(\cdot ) denotes the operation of transforming a column vector into a diagonal matrix, while rdiag(\cdot ) denotes the operation of extracting the diagonal elements of a square matrix to form a column vector. Equation (46) provides examples of the operations of these two operators; Constraints Con01, Con02 and Con03 correspond to uniqueness requirements; constraints Con04 and Con05 correspond to temporal requirements; constraints Con06, Con07, Con08, Con09, Con10 correspond to capability requirements; constraints Con11 and Con12 correspond to energy consumption limit requirements; and constraints Con13 and Con14 correspond to mutual exclusion and correlation requirements.

This section presents a method for optimizing SOTIF and computational power costs for unmanned systems under varying computational power conditions. It introduces Constraint Satisfaction Problems (CSP) and a forward-checking algorithm, illustrating how hardware resource selection can be addressed through CSP construction.

CSP has been applied to many practical problems since Mackworth (1977) first developed it. Classic examples include map coloring, job scheduling, and the n-queens problem. A formally defined CSP consists of a set of variables, each assigned values from a specific domain, and a set of constraints that must be simultaneously satisfied. This can be represented as the following triple:

where X=\left\{x_1,\dots ,x_n\right\} represents a set of variables; D=\left\{D_1,\dots ,D_n\right\} represents the corresponding domain of variables, and each element D_i (i=1,\dots ,n) reflects all possible values for each variable x_1\in X; C=\left\{c_1,\dots ,c_n\right\} represents a finite set of constraints that limit feasible values for each group of variables.

A feasible solution for a CSP is a set of specific assignments \left\{x_1=a_1,\dots ,x_n=a_n\right\}, from the variable domains, which guarantees that all constraints are not violated. Solving a CSP involves assigning values to variables to find feasible solutions. If at least one solution exists, the CSP is considered satisfiable; otherwise, it is unsatisfiable. There are two main approaches to solving a CSP: backtracking search and constraint propagation. Backtracking systematically explores all possible value combinations, often using depth-first search, to identify feasible solutions. In contrast, constraint propagation narrows the range of valid variable values by enforcing “local compatibility” through continuous reasoning. Haralick and Elliott combined these methods into the Forward Checking algorithm Kondrak and Van Beek (1997), which prunes the search tree early to reduce the number of nodes visited, minimizing the search effort.

Table 2 presents the pseudocode for the main program using Forward Checking. It integrates two heuristic techniques: ‘Select-Unassigned-Variable’ and ‘Order-Domain-Values.’ These heuristics allow for efficient variable and value ordering based on the problem’s requirements, improving search performance. Common heuristic methods include minimum remaining values, minimum degree, and minimum constraint values, among others.

Figure 5 illustrates the process of optimizing compute resource selection. This involves constructing a CSP in a limited search space and ensuring it meets SOTIF requirements using the forward-checking algorithm. The ‘compute resource selection’ challenge is divided into two stages: ‘processor resource selection’ and ‘communication resource selection’. The goal is to create a cost-effective plan that fulfills all SOTIF requirements.

In addressing the “processor resource selection” problem, communication resource constraints are temporarily ignored, assuming sufficient communication resources for message transmission. In Eq. (45), the constraints directly related to processor resources include eight items: Con01, Con04, Con06, Con07, Con08, Con11, Con13, Con14. These are used as criteria to assess the feasibility of processor resource combinations. For all processing resource sets AR=\left\{{AR}_i|1\le i\le \left|AR\right|\right\} in the resource library, a processing resource combination can be defined by the following variables:

where {numAR}_i represents the number of resources selected for the ith candidate processing resource type {AR}_i.

This study defines the relationship between the processor resource combination scheme, NumAR, and the processor resource set N=\left\{N_i|1\le i\le \left|N\right|\right\} in the resource entity model, as illustrated in Fig. 6. The elements in both sets satisfy the following criteria:

Designers can set an acceptable upper limit on the number of processor resources, {numAR}^{ub}, in advance, due to the constraints of onboard space. Additionally, a conservative constraint is that the number of processor resources will not exceed the number of target functions, since the worst-case scenario would involve assigning each task to a different processing resource. Thus, {numAR}^{ub}\le \left|F\right|. Inspired by the memory resource capacity constraint in Eq. (36), it can be determined for the final resource entity scheme ⟨N,Bus,A⟩ that:

The constraint Con15 is a necessary condition for constraint Con06, which is independent of the allocation of functions and can support rapid prunin search space pruning. According to Eq. (50), it can be determined that:

Based on this, the “processor resource selection” problem can be formulated as the following optimization problem:

where X represents the mapping relationship between functions and processing resources, defined by Eq. (9).

In fact, due to the constraint that {numAR}^{ub}\ge \sum _{i=1}^{\left|NumAR\right|}{numAR}_i\ge {numAR}^{lb}({numAR}_i is a positive integer), Eq. (52) can be understood as a finite-state search problem. By considering only the feasible domain and constraint Con15, we can easily obtain all potential solutions and calculate the corresponding design costs. We use RegionAR=\left\{{RegionAR}_i|1\le i\le \left|RegionAR\right|\right\} to represent the set of all potential solutions, where the solutions are numbered in ascending order of cost, i.e., Cost\left({RegionAR}_i\right)\le Cost({RegionAR}_j) (when i\le j). After determining RegionAR, Eq. (52) can be solved by sequentially checking whether a feasible allocation scheme X.