H2-1 · Definition & Boundary: What “Edge Site Env & Security” Owns

An Edge Site Env & Security node is a field-proof monitoring endpoint for edge/MEC sites. It converts environmental and physical events into low-false-alarm alerts and evidence-grade records that remain trustworthy even during network instability and power interruptions.

Owned event types (with engineering meaning)

• Temperature: over-temperature, abnormal ramp-rate, sensor fault detection (open/short, out-of-range).
• Humidity: sustained high RH and condensation risk based on trends (not a single-point RH threshold).
• Door / panel / tamper: open/close, contact bounce, wiring disturbance, enclosure-open detection.
• Vibration / tilt: movement, shock, sustained vibration; separation of “structural resonance” vs “real handling/intrusion”.
• Optional intrusion signals: wire-cut/short detect, sensor bypass attempts, local tamper switch events.

Deliverables (what success looks like)

• Two data products: (1) periodic telemetry for trends, (2) event evidence with pre/post context for audits and root-cause.
• Reliability invariant: local evidence commit happens before network reporting (offline does not equal “lost event”).
• Field tuning hooks: debounce windows, feature windows, re-arm timing, suppression/maintenance modes—without code rewrite.
• Integrity: monotonic sequence IDs + CRC + optional hash chaining for tamper-evident records.

Boundary with sibling pages (explicit exclusions)

• Not a power front-end: no 48V hot-swap / eFuse / backup energy design; only a node-level power interface and low-power states.
• Not a rack BMC/OOB system: no chassis-wide inventory or PDU metering; only “publish alerts & evidence” upward.
• Not a security gateway datapath: no firewall/IPS/ZTNA forwarding pipeline; only device trust and tamper-evident logs.
• Not a timing grandmaster: no PTP/SyncE architecture; timestamps rely on RTC + drift handling and sequence ordering.

Practical KPI framing: false alarms and missed events are typically driven by placement, EMI/ESD coupling, contact bounce, threshold strategy, and event windowing—more than raw sensor resolution.

H2-2 · System Architecture: Sensing → Event Engine → Backhaul → Evidence

The architecture is organized around two data paths and five engineering domains. This structure keeps field debugging deterministic: every symptom maps to a domain boundary and a data path.

Two data paths (why both exist)

• Telemetry path (slow): periodic, low-bandwidth summaries for trends and health (minutes to hours cadence).
• Evidence path (event-driven): prioritized event records with pre/post context; designed for auditability and root-cause.

Design invariant: event evidence is committed locally first, then queued for reporting. Reporting failures must not erase events.

Five domains (each with common field failure modes)

• Sensor domain: placement and mechanics (bounce, resonance, thermal time constants) dominate false alarms.
• AFE/ADC domain: ESD/EMC coupling, protection capacitance, sampling windows, and reference noise shift thresholds.
• MCU/event domain: debounce rules, window features, re-arm timing, and rate limiting prevent alert storms.
• Storage/logging domain: crash-safe ring buffer, sequence ordering, CRC, and integrity metadata preserve evidence.
• Backhaul domain: link state, retry/backoff, dedup keys, and offline queue depth decide whether alerts arrive on time.

Key interfaces (kept at device-side depth)

• GPIO / IRQ: wake sources for door/tamper and vibration; requires layered debounce (hardware + software) for stability.
• I²C / SPI: digital sensors (humidity, accelerometer); requires bus recovery and timeouts to avoid “stuck bus” deadlocks.
• ADC: analog sensors and discrete tamper lines; requires protection + filtering without creating slow, laggy triggers.
• UART / USB (modem): cellular reporting; requires priority queues and backoff to avoid power blow-up under poor signal.
• RMII / RGMII: Ethernet PHY; requires deterministic link-down detection and controlled reconnect behavior.

Evidence record contract (what must always be present)

• Identity: device ID + firmware version + monotonic sequence number.
• Time: RTC timestamp (with drift metadata if available) + relative time since boot as a fallback.
• Event summary: type, severity, duration, and key features (peak, count, window energy, slope).
• Integrity: CRC for storage correctness; optional hash chaining for tamper evidence.

H2-3 · Sensor & Placement Engineering: Temp/Humidity/Door/Vibration Done Right

Field false alarms are most often caused by placement, mechanics, and cabling rather than sensor “specs”. This section turns sensor selection and installation into engineering acceptance criteria so deployments remain stable across airflow changes, door bounce, vibration coupling, and seasonal humidity swings.

Temperature (air vs chassis vs heatsink)

• Air temperature reflects site conditions (venting, outdoor exposure). Place near airflow path, away from hotspots and metal masses.
• Chassis/heatsink temperature reflects device heat load. Place on the intended surface with consistent contact pressure.
• Thermal time constant matters: mounting on thick metal increases lag. Slow sensors benefit from ramp-rate alarms and longer persistence timers.
• Common artifact: “late alarm” or “missed peak” due to thermal lag; “early alarm” if placed next to local hotspot (VRM, radio PA, DC/DC area).
• Acceptance test: apply a controlled airflow or load step and record response; tune filter/persistence so alarms track the true variable, not short gusts.

Humidity (RH pitfalls and condensation risk)

• RH is relative: temperature swings can move RH quickly even without moisture ingress; single-point RH thresholds often misfire.
• Condensation risk is driven by RH trend + temperature gradient + cold surfaces (metal panels, intake edges, night cooling).
• Placement rule: measure where condensation forms first (cold surfaces/edges), not only in free air volume.
• Common artifact: RH spikes during rapid cool-down; treat as “risk” only if sustained and consistent with falling temperature or cold-surface conditions.
• Acceptance test: simulate cool-down (door open to cold air / airflow shift) and verify the risk alarm requires persistence (time + trend), not a single spike.

Door / tamper (mechanics, wiring, and fault detectability)

• Mechanical bounce produces short pulses and bursty transitions; use layered debounce (fast edge suppression + stable-state confirmation).
• Long cables are antennas: route away from power switching nodes and motor/fan wiring; add strain relief to avoid intermittent opens.
• NO vs NC selection: choose based on fault detectability (open-wire detection, short detection) and operational tolerance to nuisance alarms.
• Common artifact: repeated “door open” events during vibration or wind load. Root cause is often mechanical coupling, not software.
• Acceptance test: perform controlled “tap/shake” without opening door; verify no alarm. Then open/close door repeatedly; verify stable detection and re-arm behavior.

Vibration / tilt (switch vs MEMS, orientation, and resonance)

• Vibration switches can be ultra-low-power but provide limited information; nuisance alarms are harder to suppress.
• MEMS accelerometers enable windowed features (peak, energy, count, duration) that can separate resonance from true movement.
• Mounting is the sensor: loose mounting creates “secondary structures” and false high-frequency content.
• Resonance false alarms typically correlate with fan PWM, traffic vibration, or cabinet mounting geometry; narrow-band patterns appear repeatedly.
• Acceptance test: run fan speed sweep or controlled vibration; verify alarm logic rejects steady resonance but triggers on handling/shock patterns.

H2-4 · Analog Front-End Patterns (AFE): Accuracy, Noise, and Protection

The AFE is where the field becomes a waveform. Protection choices trade survivability for trigger fidelity. A robust design treats each input as a threat model (ESD, surge, cable pickup, leakage) and uses repeatable patterns so thresholds remain stable over temperature, humidity, and site wiring variation.

Input protection patterns (what to protect, and what it breaks)

• ESD/surge entry is strongest at external connectors and long cable runs; place protection at the entry and manage return paths.
• R-series + RC/π filtering suppress fast spikes, but excessive capacitance creates lag and “stretched pulses” that look like real events.
• TVS capacitance is not free: it can slow edges, shift sampling, and introduce leakage that biases high-impedance sensors.
• Rule of thumb: protect against the worst-case transient while keeping the signal bandwidth consistent with the event time scale.

Sensor front-ends (device-side design rules)

• Temperature (NTC/RTD): choose divider vs constant-current based on drift and self-heating risk; sample only after excitation settles to avoid “false ramps”.
• Humidity: treat contamination and drift as normal; use stable sampling cadence and avoid trigger logic based on single samples.
• Door/tamper inputs: define hardware vs software debounce boundary—hardware removes sub-millisecond spikes, software confirms stable state.
• Vibration (accelerometer): align anti-alias filtering, sampling rate, and feature windows; watch low-frequency bias drift that moves thresholds.

ADC & reference: why resolution does not equal correct alarms

• Threshold stability depends on reference noise, ground movement, and sampling windows—not just ADC bits.
• Reference noise can turn into threshold jitter, creating repeated near-threshold toggles (classic nuisance alarm pattern).
• Validation target: the “no-event” baseline should remain inside a narrow band across temperature and EMI stress.

Common symptoms → likely AFE root causes

• Door opens “for seconds” but physically never opened → edge stretched by capacitance or slow RC + insufficient stable-state logic.
• Humidity alarms during quick cool-down → single-sample triggers + RH swing; require persistence + trend.
• Vibration alarms correlate with fan speed → resonance captured as “energy”; apply window features or band-limits matched to real handling patterns.
• Random intermittent toggles → reference/ground noise or high impedance leakage; tighten bias paths and validate baseline under EMI stress.

H2-5 · Event Engine: Debounce, Windows, Features, and Threshold Strategy

A reliable event engine is a verifiable rule system, not a vague “AI”. Each event type is handled by a rule chain: filter → trigger gate → time window → features → severity → suppression → evidence commit. Stability comes from explicit tunable parameters and repeatable validation steps.

Door / tamper rules (debounce + min duration + re-arm)

• Debounce (t_db): require a stable input state for a defined time before accepting transitions; reject bursty bounce patterns.
• Minimum duration (t_hold): only promote an “open” to an event if it persists long enough to represent a real action, not a tap or cable spike.
• Re-arm / holdoff (t_rearm): after a confirmed event, suppress repeated triggers for a window to avoid alert storms from chatter.
• Fault classification: stuck-high/stuck-low and unstable wiring should be logged as input fault, not as repeated security events.

Vibration / tilt rules (multi-level thresholds + windowed features)

• Two severity levels: set warning and alarm thresholds; use warning to track site activity without escalating incidents.
• Window features: compute Peak (impulse), Energy (sustained motion), and Count (repeated bursts) over a time window.
• Resonance suppression: long, steady patterns with repeatable structure (often fan/PWM or mounting resonance) should downgrade to “resonance”.
• Validation: sweep known resonance sources (fan speed steps) and confirm downgrade; apply handling/impact and confirm alarm triggers with features captured.

Temperature / humidity rules (slow variables: trend + persistence)

• Filtering: maintain a slow baseline and a faster track; derive slope and “deviation from baseline” without reacting to single-sample noise.
• Ramp-rate alarms: detect “temperature rising too fast” using slope thresholds plus persistence time, which is often more actionable than absolute thresholds.
• Condensation risk: treat as a trend + duration rule (RH conditions sustained with consistent cooling/cold-surface conditions), not as a single RH point.
• Validation: cold-air transient should not immediately escalate; sustained high-risk conditions should trigger with duration and trend recorded.

False-alarm governance (rule-level only)

• Blackout windows: suppress external alerts during known operations (maintenance, commissioning) while still recording evidence locally.
• Maintenance mode: authenticated, time-bounded mode that downgrades events to logs/counters to prevent alert storms during planned work.
• Parameter profiles: store named profiles (e.g., “quiet”, “storm”, “high-sensitivity”) with audit logs of who/when changed them.

H2-6 · Ultra-Low-Power Operation: Sleep/Wake and Tiered Sampling

Ultra-low-power operation is achieved by an event-driven system, not by hardware alone. The design uses a three-state model—deep sleep, periodic check, and event burst—so high-cost actions (high-rate sampling and radio connectivity) run only when evidence quality requires them.

Three-state power model (why it stays efficient)

• S0: Deep sleep — only RTC and selected IRQ lines remain active; the event engine wakes the system for meaningful edges.
• S1: Periodic check — low-rate sampling for temperature/humidity trends, health counters, and baseline updates.
• S2: Event burst — high-rate sampling and feature extraction with pre/post buffering; evidence is committed locally before any reporting.

Wake sources and priority (prevent wake storms)

• Door/tamper IRQ: fastest wake; requires debounce gating to avoid bounce-driven wake storms.
• Vibration IRQ: can be noisy; apply threshold gating and re-arm rules so resonance does not keep the system awake.
• RTC: deterministic wake for periodic checks and clock/health maintenance.
• Optional comparator wake: extremely low-power “threshold wake” path; used only as a coarse gate before full sampling.

Tiered sampling with pre/post trigger evidence

• Low-rate patrol: slow variables and health; produces trends and summaries rather than raw data.
• High-rate capture: activated only on qualified events; captures pre/post context using a ring buffer and extracts features for classification.
• Radio-on policy: connectivity is triggered by severity and queue conditions; send in batches, wait for ACK, then return to sleep.

Offline tolerance (device-side only)

• Local-first: evidence and metadata are committed locally before reporting; network outages never erase events.
• Queue priorities: tamper/door incidents outrank periodic humidity updates; low-priority telemetry can be dropped or summarized under pressure.
• Backoff discipline: when the link is poor, retry windows expand to prevent energy blow-up; evidence remains stored for later catch-up.

H2-7 · Backhaul Engineering: Ethernet & Cellular Without Losing Evidence

Field networks are often unstable: link drops, weak coverage, and strict NAT paths can break sessions. A robust device must keep the system contract: evidence is committed locally first, then delivery is handled by priority queues, batch upload, and idempotent ACK/dedupe semantics—so alerts stay reachable without duplicates.

Ethernet strategy (link vs path, reconnect windows)

• Link down: physical disconnect or PHY state changes trigger fast interface recovery and short retry loops.
• Path down: link is up but server unreachable (DNS, routing/NAT constraints, TLS failures); shift to controlled backoff and batch mode.
• Isolation: reporting tasks must not block event capture; evidence commits proceed even when the path is unstable.
• Upgrade windows: firmware updates run in a bounded window while evidence logging stays active; upgrade actions remain auditable.

Cellular strategy (weak-signal cost, power-aware retries)

• Energy risk: repeated attach/handshake/retry cycles extend radio-on time and can dominate power consumption under weak coverage.
• Priority queue: severe incidents (tamper/door alarms) are sent before periodic telemetry; large evidence fragments are deferred.
• Backoff discipline: exponential retry with a radio-on budget; retries widen when failures repeat to prevent energy blow-ups.
• Degrade gracefully: under persistent failures, send event summaries first, then upload evidence fragments when conditions improve.

Device-side protocol layers (heartbeat, summary, fragments)

• Heartbeat: small periodic message containing status, queue depth, firmware version, and last committed sequence number.
• Event summary: one summary per incident: event_id, type, severity, key features (peak/energy/count or trend/duration), and active parameter profile.
• Evidence fragments: chunked uploads with fragment_id, offsets, and CRC for resume; uploaded on-demand or when the queue allows.

Reliability semantics (idempotent delivery)

• event_id (stable) is distinct from message_id (attempt-specific) so retries can be tracked without duplicating events.
• ACK: confirm received event_id and fragment_id ranges; allow the device to drop confirmed items from the offline queue.
• Dedupe: store an ACK cache / sent map so retransmissions are safe across reboots and reconnection cycles.
• Offline queue: enqueue-to-disk before sending; if storage pressure occurs, retain high-priority summaries longer than bulk fragments.

H2-8 · Evidence-Grade Logging: Crash-Safe Ring Buffer, Integrity, and Audit

Evidence-grade logging means the device can survive resets and power loss while preserving a verifiable record. The core is a crash-safe ring buffer with two-phase commit, fast validation (CRC), and minimal integrity controls (hash chaining) so records stay tamper-evident and auditable.

Log layers (what gets stored, and why)

• Runtime log: state transitions, link changes, retry/backoff status, and upgrade actions.
• Event log: one record per incident with event_id, severity, extracted features, and parameter profile.
• Evidence fragments: optional short windows or sensor snapshots stored as chunked records linked by event_id.

Crash safety (two-phase commit + validation)

• Prepare: write header + payload + CRC without marking the record valid.
• Commit: atomically set a commit marker or update a page header; only committed records are replayed.
• Recovery scan: on boot, scan forward until the first CRC failure or missing commit marker, then reclaim space safely.
• Write amplification control: buffer small updates and commit in bounded batches; protect summaries before large fragments.

Retention and wear strategy (keep what matters)

• Ring overwrite: older pages are overwritten automatically; retention depends on event rate and record size.
• Priority retention: preserve high-severity summaries longer than bulk evidence fragments under pressure.
• Wear leveling awareness: use page-based appends and avoid hot-spot small writes to extend flash lifetime.

Integrity and audit (tamper-evident, not a full crypto suite)

• Hash chain: each record includes prev_hash so removal or modification breaks continuity.
• Audit events: parameter profile changes, maintenance-mode transitions, upgrades/rollbacks, and boot reasons are logged as first-class records.
• Minimal signing: critical summaries can be signed or MACed for stronger integrity without expanding into full PKI discussion.

Timebase handling (no PTP dependency)

• Dual time: store wall time (if available) plus monotonic uptime.
• Ordering guarantee: use strict seq numbers so event ordering is reconstructable even if RTC drifts.
• Calibration trace: record when the device updates wall time so later analysis can explain offsets.

H2-9 · Device Security & Tamper: Protect the Monitor Itself

Edge monitoring nodes often sit outside controlled server rooms. The security target here is the device itself: boot integrity, identity and key boundaries, and tamper/bypass detectability. Security events must be treated like any other evidence: committed locally first, then linked into the same audit trail as operational incidents.

Secure & measured boot chain (ROM → bootloader → application)

• Root of trust: immutable ROM verifies the first-stage boot code; each stage verifies the next before execution.
• Anti-rollback: enforce a monotonic version policy so older vulnerable images cannot be loaded after an update.
• A/B images: keep two images with a bounded rollback rule (only to the most recent known-good build), and log every switch.
• Measured boot (optional): hash critical components and record the measurement summary for audit correlation.

Identity & keys: TPM / secure element usage boundaries

• Device identity: stable identity for enrollment and audit correlation; avoid mixing identity with “gateway policy” scope.
• TLS private key: generated and stored inside TPM/SE; the private key does not leave hardware protection.
• Log signing: sign or MAC high-value event summaries (tamper, boot anomalies, configuration changes) to strengthen integrity.
• Randomness: use hardware RNG for nonces/session keys so replays are harder and session uniqueness is guaranteed.

Tamper and bypass detection (case, cables, sensor-path plausibility)

• Case open: lid switch or equivalent input creates a first-class tamper event with minimum duration and re-arm rules.
• Cable cut/short: supervised inputs classify normal / open / short / unstable using window thresholds.
• Sensor bypass: detect “too-perfect” or stuck outputs (flat-lines, missing noise texture, unrealistic step response).
• Cross-signal plausibility: correlate door/vibration/environment to flag unlikely combinations (rule-based, not an AI black box).

Security events into the evidence chain (closed loop with logging)

• Boot events: boot reason, image slot, version, and measurement summary are logged as evidence records.
• Tamper events: source, decision (warn/alarm/lockdown/record-only), and evidence references are stored with sequence ordering.
• Key/config events: certificate rotation, signing failures, parameter profile changes, and maintenance-mode transitions are auditable.

H2-10 · Environmental Robustness: EMC/ESD/Surge, Drift, and Calibration

Lab passes do not guarantee field stability. Real edge sites add long cables, uncontrolled discharge paths, temperature gradients, contamination, and structural resonances. Robust operation requires mapping entry points to symptom signatures, then enforcing self-test, drift monitoring, and a repeatable field validation playbook.

ESD/surge entry points (where energy couples into the node)

• Door lines: long runs behave like antennas; contact discharge and induced surge can create false toggles.
• External probes: mismatched references and shield terminations inject common-mode disturbances into the AFE.
• Chassis discharge: uncontrolled return paths create ground bounce that shifts thresholds and references.

Drift mechanisms (why readings “look stable” but are wrong)

• Humidity contamination: slower response, hysteresis growth, and long-term offset after dust/chemical exposure.
• Temperature self-heating: excitation or sampling behavior can bias local temperature above ambient.
• Accelerometer bias: low-frequency offset drifts with temperature; thresholds must consider baseline motion and bias tracking.

Calibration & self-test (boot-time and periodic)

• Boot self-test: validate sensor presence, bus health, and basic plausibility ranges before arming alarms.
• Periodic self-test: detect flat-line sensors, growing noise floors, out-of-range windows, and abnormal time constants.
• Open/short criteria: classify supervised inputs as normal / open / short / unstable and log raw evidence.
• Evidence linkage: self-test failures are logged with sequence ordering and references, just like alarms.

Field validation playbook (repeatable tests)

• Temperature/humidity steps: apply controlled changes and measure response time, hysteresis, and trend alarms.
• Door jitter simulation: induce bounce and cable disturbances; verify debounce, minimum duration, and fault classification.
• Vibration sweep: vary mounting/fastening and excitation frequency to reveal resonances and false-trigger bands.

H2-11 · Commissioning & Ops Playbook: Threshold Tuning and False-Alarm Reduction

Commissioning is the control loop that turns raw sensors into reliable site evidence. The goal is a repeatable process: install correctly, set safe initial thresholds, run a learning + trial window, then converge false alarms without losing forensic traceability.