Protective Wrapper Development: A Case Study


Tom Anderson, Mei Feng, Steve Riddle, Alexander Romanovsky
School of Computing Science, University of Newcastle upon Tyne, Newcastle upon Tyne, NE1 7RU, UK

Abstract. We have recently proposed a general approach to engineering protective wrappers as a means of detecting errors or unwanted behaviour in systems employing an OTS (Off-The-Shelf) item, and launching appropriate recovery action. This paper presents results of a case study in protective wrapper development, using a Simulink model of a steam boiler system together with an OTS PID (Proportional, Integral and Derivative) controller. The protective wrappers are developed for the model of the system in such a way that they allow detection and tolerance of typical errors caused by unavailability of signals, violation of constraints, and oscillations.

1 Introduction

There are many economic reasons why integration of Off-The-Shelf (OTS) components into systems with high dependability requirements (including the safety-critical ones) is becoming a viable option for system developers (see, for example, [1]). The main obstacle is that employing such components can undermine overall system dependability unless special care is taken. Considerable evidence supports the judgement that complex systems built using OTS components could have a higher risk of failure. This is due to a number of reasons: OTS components are typically aimed at a mass market and are often of a lower quality than bespoke components; OTS components are seldom intended for the specific settings and environments in which they are employed, so a system in which an OTS component is integrated may misuse or misinterpret it; information about the COTS item which the system integrator has at his/her disposal is often incomplete, ambiguous or even erroneous. We take a pragmatic view in developing our approach by accepting that, in spite of all efforts to improve the quality of OTS components and of the systems in which they are to be integrated, their use will be a source of failures. The solution we are advocating is a defensive strategy of employing specialised fault tolerance techniques during system integration.

1.1 Protective Wrappers

Fault tolerance [2] as a general means for improving overall system dependability has been an area of very active research and development over the last 30 years. Many fault tolerance techniques proceed by employing redundant software in some form; for example, recovery blocks, N-version programming, exception handling [3, 4]. The main phases of providing fault tolerance are error detection, error diagnosis and error recovery [5]. At the first phase an erroneous state is identified as such; after that, error diagnosis is used to examine the damaged area to allow it to be replaced by an error-free state during error recovery. Employing proper system structuring techniques (e.g. classes, processes, layers, modules) is vital for achieving fault tolerance because it allows erroneous information to be contained within structural units. Our work aims to apply these general fault tolerance techniques in the context of integrating OTS items into complex systems.

Component wrapping is an established technique used to intercept data and control flow between a component and its environment [6]. Typical applications include adding data caching and buffering, simplifying the component interface, and providing transparent component replication. In component-based system development the OTS items are natural units of system structuring. Unfortunately, as we have explained above, they usually do not provide enough assurance of correct behaviour. In previous work [7] we proposed the development of protective wrappers as part of system integration activities. A protective wrapper is a piece of redundant, bespoke software intercepting all information going to and from the OTS item. Such a wrapper may detect errors or suspicious activities, and initiate appropriate recovery when possible. A wrapper is a piece of software and, clearly, may contain software defects itself. Deploying a wrapper to perform protection functions obliges us to take considerable care over issues such as relative complexity and common-mode failures between the wrapper and the wrapped component. For this reason, wrappers must be rigorously specified, developed and executed as a means of protecting OTS items against faults in the Rest Of the System (ROS), and the ROS against faults in OTS items. Information required for wrapper development is obtained by analysing several sources of information [7], including:

- Specification of the OTS item behaviour, as provided by both the item designer and the integrated system designer. The latter characterises the behaviour the system designer requires of the OTS item in order to integrate it with the system.
- Erroneous behaviour of the OTS item, for example a known failure to react to stimuli as specified by the item designer (these may be known, for example, from testing or from previous experience in using the OTS item), or behaviour which the system designer especially wants to protect against.
- Specification of the correct behaviour of the ROS with respect to the OTS item.

1.2 Case Study

In this paper we report the results of applying the proposed approach to developing a protective wrapper for an Off-The-Shelf PID (Proportional, Integral and Derivative) controller. It is our intention to demonstrate how the approach could be applied in practice. The results of this study will be used to aid the development of a generic approach for wrapping OTS items. Rather than conduct an experiment with protective wrapping in the real-world environment, with all the associated costs and potential damage to equipment and life, we have employed software models of the PID controller and of the steam boiler system in which it is to be integrated. Employing software models of the controller and the boiler system is an active area of R&D carried out by many leading control product companies including Honeywell [8]. We believe that the decision to use a third-party model adds credibility to our results.

A related case study in steam boiler control specification was examined at the Dagstuhl seminar on Methods for Semantics and Specification [9]; the seminar was run as a competition to show the strengths and weaknesses of particular formal methods. Rather than adapt this specification to our needs, we chose to use a model developed within a research project conducted by Honeywell for their control products [8]. This model simulates a real controller and the controlled steam boiler system, enabling us to investigate the effects of wrapping with a more representative model than the idealised specification employed at Dagstuhl. In the course of our work we extended the Honeywell model by incorporating protective wrappers.

1.3 Roadmap

The remainder of this paper is organised as follows. In the following section we describe the simulation environment, the controller and the boiler models we are using, and our approach to monitoring the model variables. Section 3 discusses the requirements for a protective wrapper and outlines the categories of errors to be detected and tolerated at the level of the wrapper. The next section outlines the design and implementation of the wrapper to detect these categories of errors. Section 5 concludes the paper by summarising the results, discussing the limitations of our approach, and indicating avenues for future work.

2 Simulation

2.1 Simulink

Simulink (Mathworks [10]) is one of the built-in tools in MATLAB, providing a platform for modelling, simulating and analysing dynamical systems. It supports linear and nonlinear systems modelled in continuous time or sampled time, as well as a hybrid of the two. Systems can also be multi-rate, i.e., have different parts that are sampled or updated at different rates. Simulink contains a
comprehensive block library of sinks, sources, linear and nonlinear components, and connectors to allow modelling of very sophisticated systems. Models can also be developed through self-defined blocks by means of the S-function feature of Simulink or by invoking MATLAB functions. After a model has been defined, it can be simulated and, using scopes and other display blocks, simulation results can be displayed while the simulation is running. Simulink provides a practical and safe platform for simulating the boiler system and its PID control system, for detecting operational errors when boiler and control systems interact, and for developing and implementing a protective wrapper dealing with such errors.

2.2 The Structure of the Model

The abstract structure of the system we are modelling is shown in Fig. 1. The overall system has two principal components: the boiler system and the control system. In turn, the control system comprises a PID controller (the OTS item) and the ROS, which is simply the remainder of the control system. The ROS consists of:

- the boiler sensors. These are smart sensors which monitor variables providing inputs to the PID controller: Drum Level, Steam Flow, Steam Pressure, Gas Concentration and Coal Feeder Rate;
- actuators. These devices control a heating burner, which can be ON/OFF, and adjust inlet/outlet valves in response to outputs from the PID controller: Feed Water Flow, Coal Feeder Rate and Air Flow;
- configuration settings. These are the set-points for the system: Oxygen and Bus Pressure, which must be set up in advance by the operator.

Smart sensors and actuators interact with the PID controller through a standard protocol.

Fig. 1. Boiler System and Control System including the PID Controller. (Block diagram: the Boiler System, driven by Coal Quality and Steam Load, is observed by the Sensors; the Control System comprises the ROS (Sensors, Actuators, Configuration) and the OTS PID controller. Inputs to the OTS: Drum Level, Steam Flow, Steam Pressure, Gas Concentration and Coal Feeder Rate, plus the O2 set-point and pressure set-point. Outputs from the OTS: Feed Water Flow, Coal Feeder Rate and Air Flow.)

Simulink output blocks can be introduced into the model in such a way that the variables of the MATLAB workspace can be controlled as necessary. Working with the Simulink model we were able to perform repeatable experiments by manipulating any of the changeable variables and the connections between system components so as to produce and analyse a range of possible errors that would be reasonably typical for the system we are simulating.

2.3 The Simulink Model

The Simulink model shown in Fig. 2 actually represents the OTS item as three separate PID controllers that handle the feed water flow, the coal feeder rate and the air flow. These controllers output three eponymous variables: Feed Water Flow (Fwf), Coal Feeder Rate (Cfr) and Air Flow (Airf); these three variables, together with two external variables (Coal Quality and Steam Load), constitute the parameters which determine the behaviour of the boiler system. There are also several internal variables generated by the smart sensors; some of these, together with the configuration set-points, provide the inputs to the PID controllers. Table 1 lists all of the variables used in the model. The Simulink model was developed on the basis of the set of mathematical relationships shown in Appendix 1.

Fig. 2. Simulink Model of the Boiler System with PID Controllers. (Block diagram: PID Controller 1 for Feed Water Flow, PID Controller 2 for Coal Feeder rpm, PID Controller 3 for Air Flow, and the Boiler System block, connected by the signals Fwf, Cfr, Airf, Dl, Sf, Pd, Pb, Pref, O2ref, O2eco, COeco and NOxeco, with Coal Quality and Steam Load as external inputs.)

2.4 Variable Monitoring

Simulink scopes and other display blocks enable us to develop modelling components that monitor the intermediate results while the simulation is running. In our experiments we can monitor and display a total of 15 variables, comprising all the variables listed in Table 1 except for the two set-points, plus three internal variables which represent two internal air flows and one internal steam flow. The simulation time for all of our experiments is set to 120 steps. Some monitoring results are presented in Fig. 3 and full results including all of the monitored variables are shown in Appendix 2. This particular chart demonstrates the behaviour of the three PID outputs and two external inputs of the boiler system when at step 20 the steam load is increased, and at step 50 the coal quality changes: in both these scenarios the boiler system returns to steady operation reasonably soon.

Table 1. Variables used in the model

Variable      Representation
Steam Load    Steam load, tons per hour
Coal Quality  Coal quality, fraction of pure combustible
Fwf           Feed water flow
Cfr           Coal feeder rate
Airf          Air flow (controlled air)
Pref          Bus pressure set-point
O2ref         O2 set-point
Dl            Drum level
Sf            Steam flow
Pd            Steam pressure (drum)
Pb            Steam pressure (bus)
O2eco         O2 concentration at economizer
COeco         CO concentration at economizer
NOxeco        NOx concentration at economizer

Fig. 3. Normal Performance of the Boiler System with PID Controllers. (Plot of the three PID outputs, feed water flow, coal feeder rate and air flow, together with the steam load, against simulation step; coal quality on the right-hand axis.)

2.5 Properties of the Boiler System and the PID Controller

In this section we summarise the information which we collected to guide us in developing the protective wrapper. The basic boiler specification provides information on steam flow, bus pressure, output temperature and coal calorific value. As the OTS item (the PID controller) is treated as a black box, any information about its properties must be deduced from the interface or from relevant sources where available. In an ideal world the system designer will have a complete and correct specification of the boiler system, the PID controller and the ROS. Unfortunately, we only had access to limited information about the boiler system and the ROS (which is typical of many practical situations). From an investigation of the boiler model and information acquired from all available sources, we have formulated the following description.

Information from the documentation available to us:

- Output temperature 540 deg C
- Coal calorific value 16-18 MJ/kg
- Steam load 50-250 tons/hour
- Coal quality is measured as a fraction of pure combustible (where pure = 1); actual values about 0.55-0.7
- The three controlled outputs (Fwf, Cfr, Airf) are each given as a percentage

Information obtained by analysing the interface and by investigating the simulated model:

- Set-point of bus pressure: ranges from 0 to 20; actual value about 9.4
- Set-point of O2 concentration at economiser: ranges from 0 to 1.0; actual value about 0.3
- Internal variables (inputs to the PID controller): Drum level, output value between -1 and 1, actual value close to 0; Steam Flow, 0 to 250; Bus pressure, 0 to 20; O2 concentration at economiser, 0 to 1.5

3 Requirements for a Protective Wrapper

In the previous section we presented an outline specification of the modelled boiler system, as deduced from the model and other sources. In this section we consider the errors which could arise from integrating an OTS PID controller in the system, in order to derive the requirements for a protective wrapper. We make the following assumptions:

- The value of each variable can be detected instantaneously through microprocessors. In particular, we assume that the values of input and output variables of the PID controller are detected instantaneously. This highly simplifying assumption enables us to illustrate the method for protective wrapper development without regard to issues relating to response time.
- The wrapper program can be inserted into the control system, either by a partial hardware implementation which intercepts the physical connections, or purely in software. We are not concerned at this stage with the details of this implementation.

In order to clarify the requirements for a protective wrapper, it is necessary to form a view of what the PID controller and the ROS can, and cannot, do at their shared interface. This view can be formulated as a collection of Acceptable Behaviour Constraints (ABCs) [7] defined from the perspective of the system integrator. Once defined, these ABCs can be thought of as contracts [11] which a system designer could use as the basis for defining a protective wrapper, which would employ conventional mechanisms for error detection, containment and recovery [2].

3.1 Types of cues, and examples

For our case study, Table 2 provides a list of error symptoms (cues) and associated actions, following a structural analysis of the possible errors detectable at the interface between the ROS and the PID controller. Since the OTS PID controller is a black-box item we can only reason about errors concerning the inputs and outputs to the PID from the ROS. This gives four groups for the cues, as shown in the first column of the table. The second column classifies the types of error we are concerned with, and the third column gives an example of each type of error. The recovery action given in the fourth column is a suggested action which a protective wrapper could be designed to launch; we do not claim that these illustrative actions are the most appropriate in each case. The cue highlighted is selected as an example for further discussion.

Table 2. Cues for protective wrapper

Type of cue | Error | Example
Errors in PID inputs w.r.t. ROS output constraints | Illegal output from ROS according to ROS specification | An output from ROS is disconnected from PID
 | Output from ROS is detectably erroneous | ROS sampling rate suddenly exceeds the normal rate
 | Output from ROS is illegal w.r.t. the system designer's specification of system operation | A ROS output is outside the envelope of values anticipated by the system designer
Errors in PID inputs w.r.t. PID constraints | Input to PID is illegal according to PID specification | Set-point values are mis-configured and violate the PID specification
 | Input to PID that is suspect | The measured derivative of a PID input exceeds the maximum level for which it has been tested
 | Input to PID which is known to be untrustworthy (highlighted) | A PID input or its derivative is close to the boundary specified for the PID, at a level which is known to create problems
Errors in PID outputs w.r.t. PID constraints | Illegal output from PID according to PID specification | An output from PID is disconnected from ROS
Errors in PID outputs w.r.t. ROS input constraints | Illegal input to ROS according to ROS specification | The PID controller changes its rate of processing and sends messages to ROS too frequently
 | Input to ROS is illegal w.r.t. the system designer's specification of system operation | A PID output is outside the envelope of values anticipated by the system designer
Action (fourth column): Shutdown

The example, "Input to PID which is known to be untrustworthy", is illustrated in Fig. 4. Steam load is kept constant at 7.8 tons per hour during the operation. After 50 simulation steps, the coal quality is increased from 0.5 to an artificial value just under 3, and as a consequence some inputs to the OTS would approach untrustworthy values which are close to the boundary of the PID controller's practical specification. The curves shown in Fig. 4 converge to a steady state, but if the overshoot of the initial oscillation were of greater magnitude than the specification of the boiler system permits, or the oscillation kept going longer than the boiler system can support, the situation would be regarded as critical.

Fig. 4. Input to the PID for which it is known to be untrustworthy: a PID input exceeds the boundary specified for the PID controller. (Plot of the three PID outputs, coal feeder rate, feed water flow and air flow, against simulation step; coal quality on the right-hand axis.)

A more extreme version of this example is shown in Fig. 5. Here, the coal quality (not shown on the figure) is increased unrealistically to almost 4.5, with steam load constant as before. The curves are no longer convergent, leading to a dangerously unstable situation.

Fig. 5. Input to the PID for which it is known to be untrustworthy: a more extreme example leading to dangerous oscillations. (Plot of the three PID outputs, air flow, feed water flow and coal feeder rate, against simulation step.)
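Once the ABCs of the PID/ROS interface are written down as per-signal contracts, the cues of Table 2 (and the near-boundary case of Figs. 4 and 5) can be checked mechanically at each step. The following is an added example in Python, not code from the paper or from the Honeywell model. The signal names follow Table 1; every numeric bound, margin, rate limit, the cue-to-action mapping and the sample values are assumptions chosen here for illustration, since Section 2.5 gives only partial ranges.

```python
"""Acceptable Behaviour Constraints (ABCs) checked at the PID/ROS interface.

Added example, not code from the paper. Signal names follow Table 1; every
numeric bound, margin, rate limit and the cue-to-action mapping is an
assumption made here for illustration, not a value from the boiler model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Abc:
    """Contract for one interface signal, from the system integrator's view."""
    pid_low: float     # legal range according to the PID specification
    pid_high: float
    env_low: float     # envelope of values anticipated by the system designer
    env_high: float
    margin: float      # band inside the PID range treated as "close to the boundary"
    max_rate: float    # largest step-to-step change the PID is known to be tested for

    def __post_init__(self) -> None:
        if not (self.pid_low <= self.env_low <= self.env_high <= self.pid_high):
            raise ValueError("designer envelope must lie inside the PID legal range")


# Cue names correspond to example rows of Table 2; the action each cue
# triggers is an assumption.
ACTION = {"disconnected": "alarm", "illegal": "shutdown", "rate": "alarm",
          "suspect": "alarm", "envelope": "alarm"}


def classify(abc: Abc, value: Optional[float], prev: Optional[float]) -> Optional[str]:
    """Return the first cue raised by one sample, or None if it passes all ABCs."""
    if value is None:
        return "disconnected"                 # signal missing on the link
    if not abc.pid_low <= value <= abc.pid_high:
        return "illegal"                      # violates the PID specification
    if prev is not None and abs(value - prev) > abc.max_rate:
        return "rate"                         # derivative beyond the tested maximum
    if value - abc.pid_low < abc.margin or abc.pid_high - value < abc.margin:
        return "suspect"                      # legal, but known to be untrustworthy
    if not abc.env_low <= value <= abc.env_high:
        return "envelope"                     # outside what the designer anticipated
    return None


class InterfaceMonitor:
    """Intercepts one direction of the PID/ROS interface and applies the ABCs.

    Values that satisfy their contract are forwarded unchanged; the others are
    withheld and reported as cues. A shutdown, once triggered, is latched.
    """

    def __init__(self, contracts: Dict[str, Abc]) -> None:
        self.contracts = contracts
        self.prev: Dict[str, float] = {}
        self.shut_down = False

    def intercept(self, sample: Dict[str, Optional[float]]
                  ) -> Tuple[str, Dict[str, float], List[Tuple[str, str]]]:
        forwarded: Dict[str, float] = {}
        cues: List[Tuple[str, str]] = []
        for name, abc in self.contracts.items():
            value = sample.get(name)
            cue = classify(abc, value, self.prev.get(name))
            if cue is None:
                forwarded[name] = value
            else:
                cues.append((name, cue))
            if value is not None:
                self.prev[name] = value       # rate check uses the last seen value
        if self.shut_down or any(ACTION[c] == "shutdown" for _, c in cues):
            self.shut_down = True
            return "shutdown", {}, cues
        return ("alarm" if cues else "pass"), forwarded, cues


# Assumed contracts for three signals (bus pressure and drum level are PID
# inputs; feed water flow is a PID output given as a percentage).
CONTRACTS = {
    "Pb": Abc(pid_low=0.0, pid_high=20.0, env_low=5.0, env_high=15.0, margin=1.0, max_rate=15.0),
    "Dl": Abc(pid_low=-1.0, pid_high=1.0, env_low=-0.5, env_high=0.5, margin=0.1, max_rate=0.2),
    "Fwf": Abc(pid_low=0.0, pid_high=100.0, env_low=0.0, env_high=100.0, margin=5.0, max_rate=20.0),
}

# Constructed interface samples, one per simulation step (not the paper's data).
SAMPLES = [
    {"Pb": 9.4, "Dl": 0.02, "Fwf": 40.0},   # everything nominal
    {"Pb": 9.6, "Dl": 0.05, "Fwf": 98.0},   # Fwf jumps by 58 points in one step
    {"Pb": 19.5, "Dl": None, "Fwf": 85.0},  # Pb near its limit, Dl signal lost
    {"Pb": 21.0, "Dl": 0.0, "Fwf": 85.0},   # Pb outside the PID specification
]


def run_interface(samples: List[Dict[str, Optional[float]]]) -> List[str]:
    """Actions taken by a fresh monitor over a sequence of samples."""
    monitor = InterfaceMonitor(CONTRACTS)
    return [monitor.intercept(s)[0] for s in samples]


if __name__ == "__main__":
    monitor = InterfaceMonitor(CONTRACTS)
    for step, sample in enumerate(SAMPLES):
        action, forwarded, cues = monitor.intercept(sample)
        print(f"step {step}: {action:8s} forwarded={forwarded} cues={cues}")
```

Cues are tested in the order of the Table 2 rows for the PID-input group (illegal per the PID specification, then the derivative, then the suspect band, then the designer's envelope), so a value close to the PID boundary is reported as suspect even when it also lies outside the envelope. In a real integration one monitor per direction would sit between the ROS and the controller, and the actions would be the ones agreed in the contracts rather than the fixed mapping assumed here.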

3.2 Summary Analysis

Errors may occur anywhere in the boiler system or the PID. However, a protective wrapper for the OTS PID controller can only check for error conditions (cues) at the PID/ROS interface. In the previous subsection we characterized these cues in terms of their source, but the wrapper can only detect them by their behavioural attributes. We have therefore placed the cues into three distinguishable categories:

1. Unavailability of inputs/outputs to/from the PID controller. Either the PID controller crashes, resulting in no output from the PID controller to the ROS and beyond, or the boiler system or ROS (or some connection between these and the PID) is disrupted, so that inputs to the PID controller are unavailable.
2. Violation of specifications of monitored variables. Set-points to the PID controller, or any monitored variables, violate their specifications.
3. Oscillations in monitored variables. Monitored variables, and their derivatives, take on excessive and rapidly changing values.

This categorization of error types informs the design of a protective wrapper, which is addressed in the next section.

4 Design and Implementation of a Wrapper

4.1 Design of Wrapper

In this section we address the design of a wrapper to be implemented using MATLAB functions. The main function of the wrapper is to cyclically check for each type of error identified in the previous section (3.2). It uses two sub-functions: nosignalalarm, to check for absence of a signal after a given period of time; and checkoscillate, to check whether oscillating variables revert to a stable state before a maximum number of oscillations. The given period of time and maximum number of oscillations referred to here should in general be determined after consulting the specification of the system. Since this information was not available, we have set the number of steps for detecting absence of signal to a fixed value (the simulation itself runs for 120 steps), as this serves to illustrate the protective wrapper design.

The wrapper implements a number of ABCs based on the properties (discussed in Section 2.5) of the input and output variables Fwf, Cfr, Airf, Dl, Sf, Pb, Pref, O2eco and O2ref, with the addition of two more ABCs stating that the signals cannot be lost and that the variables cannot oscillate beyond the maximum number of oscillations; we view these as dangerous conditions which have to be prevented. If the signals do not violate any of the ABCs they go through the wrapper unchanged; otherwise an alarm is raised, or the system is shut down. Thus, in this case we are adopting an elementary monitoring and alerting strategy, as an obvious starting point on the way to the development of a more general engineering methodology for wrapper design. Our approach, as outlined in Section 3 above, is to derive wrapper requirements from a consideration of possible interface errors classified by their symptoms (cues); this leads to the formulation of a set of ABCs. We touch on more general issues in [7] but clearly there is considerable scope for further research.

4.2 Wrapper Implementation

Although there are many pragmatic considerations to be addressed in order to achieve an effective implementation of wrapper technology, the choice of the appropriate mechanism will be largely determined by the environment. A more detailed discussion is presented in [7].

4.3 Example

We now illustrate the operation of the wrapper for the error discussed in Section 3.1 (Fig. 4), due to oscillation of signals. Fig. 6 demonstrates the case where the boiler system can only withstand three oscillations in signals. This is the same situation as was presented in Fig. 4.

Fig. 6. Demonstration of the wrapper working on signal oscillation. (Plot of coal feeder rate, feed water flow and air flow against simulation step; coal quality on the right-hand axis.)

A maximum peak plus one minimum peak is counted as one oscillation. After the fourth oscillation was generated, the wrapper shut down the boiler system.

5 Conclusions

This paper has investigated the types of errors which can occur in the modelled boiler system (Section 3.2) and then addressed the design of a wrapper to detect these errors. We would like to emphasise that this work focuses on error detection and error recovery (preventing systems from failure) rather than on fault diagnosis and fault treatment [2]. The protective wrapper detects erroneous information going to and coming from the PID controller and performs recovery actions (raising alarms or shutting the system down). In real systems employing PID controllers such errors can clearly be caused by various reasons (faults), such as design faults in the PID or in the system employing it, mismatches between these two entities (in which case it may be impossible to identify the fault location), failures of the underlying hardware, etc. The errors were categorised as:

1. Unavailability of signals to/from PID controllers, either through the controllers themselves not working or through a fault in the boiler system
2. Violation of limitations specified for variables, due to a fault in the boiler system or misconfigured set-points
3. Oscillations in the values of some variables

A simple wrapper to check for these errors and take appropriate action has been designed and demonstrated (Section 4.2) for a representative example.

Use of Simulink to program the wrapper has some disadvantages. Simulink is not as expressive as conventional object-oriented programming languages, such as C++, as it is specifically designed to allow mathematical modelling and analysis without the full range of general-purpose programming features. Models of systems are assembled from a limited library of blocks. Users can define their own blocks using S-functions, but these are constrained by means of a template which users must adhere to. In spite of this limitation, Simulink is still a practical and intuitive platform to demonstrate and investigate industrial process systems, such as the steam boiler system considered in this paper. Use of modelling and simulation is commonplace in the design of protection systems, and for this reason we have not felt that the approach taken here is unrealistic. However, a further piece of work will be to consider a more real-world scenario. This would in turn require an extended wrapping strategy which takes account of a wider range of actions to be taken if an error has been detected. In addition, future work will develop more generic monitoring activities using a combination of error detection and fault injection techniques, to measure the effect a wrapper has on the overall system dependability. Other avenues could include investigating the potential use of wrappers to capture behaviour that has not been explicitly specified.
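The two behavioural sub-functions of Section 4.1 (nosignalalarm and checkoscillate) and the counting rule demonstrated in Fig. 6 (one maximum peak plus one minimum peak is one oscillation; shutdown once the permitted number is exceeded) can be implemented as a small stand-alone monitor. The following is an added example in Python and is not the paper's MATLAB wrapper. The limit of three oscillations follows Fig. 6; the class names, the timeout of 10 steps and the three constructed traces are assumptions made here. The diverging trace stands in for the situation of Fig. 5 and the damped trace for that of Fig. 4.

```python
"""Behavioural checks of a protective wrapper: lost signal and oscillation.

Added example, not the paper's MATLAB code. It mirrors the two sub-functions
described in Section 4.1 (nosignalalarm and checkoscillate); the class names,
the timeout and the sample traces are assumptions made here.
"""
from typing import List, Optional, Tuple


class OscillationCounter:
    """Counts oscillations of one monitored variable.

    Following the counting rule of Fig. 6, one maximum peak followed by one
    minimum peak is one oscillation. Peaks are sign changes of the first
    difference of the signal; a minimum is only paired with a preceding maximum.
    """

    def __init__(self, max_oscillations: int) -> None:
        self.max_oscillations = max_oscillations
        self._prev: Optional[float] = None
        self._prev_diff = 0.0
        self._maxima = 0
        self._minima = 0

    def update(self, value: float) -> int:
        """Feed one sample and return the number of complete oscillations."""
        if self._prev is not None:
            diff = value - self._prev
            if self._prev_diff > 0 and diff < 0:
                self._maxima += 1              # rising then falling: a maximum
            elif self._prev_diff < 0 and diff > 0 and self._maxima > self._minima:
                self._minima += 1              # falling then rising: closes one oscillation
            if diff != 0:
                self._prev_diff = diff         # a flat step keeps the previous trend
        self._prev = value
        return self._minima

    def exceeded(self) -> bool:
        return self._minima > self.max_oscillations


class SignalWatchdog:
    """Flags a signal that has been absent (None) for more than `timeout` steps."""

    def __init__(self, timeout: int) -> None:
        self.timeout = timeout
        self._last_seen: Optional[int] = None

    def update(self, step: int, value: Optional[float]) -> bool:
        if value is not None:
            self._last_seen = step
            return False
        if self._last_seen is None:
            return step > self.timeout         # never seen since the start
        return step - self._last_seen > self.timeout


class ProtectiveWrapper:
    """Wraps one signal crossing the PID/ROS interface.

    check() returns the wrapper's action for each step: "pass" forwards the
    value unchanged, "alarm" reports a lost signal, and "shutdown" is latched
    once the oscillation limit has been exceeded.
    """

    def __init__(self, timeout_steps: int, max_oscillations: int) -> None:
        self.watchdog = SignalWatchdog(timeout_steps)
        self.oscillations = OscillationCounter(max_oscillations)
        self.shut_down = False

    def check(self, step: int, value: Optional[float]) -> str:
        if self.shut_down:
            return "shutdown"
        if self.watchdog.update(step, value):
            return "alarm"
        if value is None:
            return "pass"                      # short gap, still within tolerance
        self.oscillations.update(value)
        if self.oscillations.exceeded():
            self.shut_down = True
            return "shutdown"
        return "pass"


def run_trace(trace: List[Optional[float]], timeout_steps: int = 10,
              max_oscillations: int = 3) -> Tuple[List[str], Optional[int]]:
    """Run one trace through a fresh wrapper.

    Returns the per-step actions and the first step at which the wrapper did
    anything other than pass the value through (None if it never did).
    """
    wrapper = ProtectiveWrapper(timeout_steps, max_oscillations)
    actions = [wrapper.check(step, value) for step, value in enumerate(trace)]
    first = next((i for i, a in enumerate(actions) if a != "pass"), None)
    return actions, first


# Constructed traces (assumptions, not the paper's data). The pattern
# 0, +A, 0, -A yields one maximum and one minimum every four steps.
PATTERN = (0, 1, 0, -1)
DIVERGING = [(i + 1) * PATTERN[i % 4] for i in range(24)]          # growing, like Fig. 5
DAMPED = [max(0, 3 - i // 4) * PATTERN[i % 4] for i in range(24)]  # settling, like Fig. 4
LOST = [float(i) for i in range(5)] + [None] * 16                   # sensor drops out

if __name__ == "__main__":
    for name, trace in (("diverging", DIVERGING), ("damped", DAMPED), ("lost", LOST)):
        actions, first = run_trace(trace)
        verdict = actions[first] if first is not None else "passed throughout"
        print(f"{name:10s} first non-pass step: {first} ({verdict})")
```

The counter ignores a minimum that is not preceded by a maximum and treats a flat step as a continuation of the previous trend, so a signal that settles (the damped trace) stops accumulating oscillations at three and is never shut down, while the growing trace is shut down at step 16, when its fourth oscillation completes. The shutdown is latched, so later samples of that signal are not forwarded; the lost trace raises its alarm at step 15, the first step at which the gap since the last sample exceeds the timeout.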

Acknowledgements

This work is supported by the UK EPSRC project DOTS: Diversity with Off-The-Shelf Components (www.csr.ncl.ac.uk/dots). A. Romanovsky is supported by the European IST project DSoS: Dependable Systems of Systems. We are grateful to Vladimir Havlena for sharing with us some of the results of his research, and to Prof. Lorenzo Strigini for comments on an early draft of this paper.

References

1. IEEE Computer, Special issue on COTS. IEEE Computer, 31(6), 1998.
2. P. A. Lee, T. Anderson. Fault Tolerance: Principles and Practice. Wien - New York, Springer-Verlag, 1990.
3. M. R. Lyu. Software Fault Tolerance. John Wiley and Sons, 1995.
4. A. Romanovsky. Exception Handling in Component-Based System Development. 25th Int. Computer Software and Applications Conference (COMPSAC 2001), Chicago, IL, October 2001, pp. 580-586.
5. J.-C. Laprie. Dependable Computing: Concepts, Limits, Challenges. Special Issue of the 25th International Symposium on Fault-Tolerant Computing. IEEE Computer Society Press, Pasadena, CA, June 1995, pp. 42-54.
6. J. Voas. Certifying Off-The-Shelf Software Components. IEEE Computer, 31(6), 1998, pp. 53-59.
7. P. Popov, S. Riddle, A. Romanovsky, L. Strigini. On Systematic Design of Protectors for Employing OTS Items. In Proc. of the 27th Euromicro Conference, Warsaw, Poland, September 2001, IEEE CS, pp. 22-29.
8. V. Havlena. Development of ACC Controller with MATLAB/SIMULINK. MATLAB '99, Praha: VSCHT - Ustav fyziky a merici techniky, 1999, pp. 52-59.
9. J.-R. Abrial, E. Börger, H. Langmaack. Formal Methods for Industrial Applications: Specifying and Programming the Steam Boiler Control. LNCS 1165, Springer-Verlag, October 1996.
10. Mathworks. Using Simulink: reference guide. http://www.mathworks.com.
11. B. Meyer. Programming by Contract. In D. Mandrioli, B. Meyer (eds), Advances in Object-Oriented Software Engineering. Prentice Hall, 1992.

Appendix 1. Mathematical Relationships inside the Boiler System and PID Controllers

(The equations of the boiler model and of the three PID controllers, relating coal calorific value and Coal Quality to steam generation, Dl, Pd, Pb, Fwf, Sf and the economizer concentrations O2eco, COeco and NOxeco, are not recoverable from the extracted text.)

Appendix 2. Normal performance of the boiler system with PID controllers (full plots of all monitored variables; not reproduced in the extracted text)