diff --git a/.task/backlog.data b/.task/backlog.data
index e6108c475..117ab355c 100644
--- a/.task/backlog.data
+++ b/.task/backlog.data
@@ -108,3 +108,9 @@
 {"description":"Complete peer review with Simeona","due":"20251009T040000Z","end":"20251009T200847Z","entry":"20251008T183016Z","modified":"20251009T200847Z","project":"ERLM","status":"completed","uuid":"a2970741-1bdf-4f67-a63f-40da1f96315e"}
 {"description":"Find INL person Robert mentioned","due":"20251008T040000Z","end":"20251009T200847Z","entry":"20251008T183121Z","modified":"20251009T200847Z","project":"Internship","status":"completed","uuid":"4e709e7a-91f6-47ad-af29-11d3c2cee3d9"}
 {"description":"Read Opportunities, Challenges, and Research Needs for Remote Microreactor Operations","entry":"20250910T150523Z","modified":"20251009T200934Z","project":"thesis","start":"20251009T200934Z","status":"pending","uuid":"96c76e6b-5c33-4f54-a156-5c59e718f01a","tags":["reading"]}
+{"description":"Edit goals and outcomes to adjust capabilities. What is new capability, not research task","end":"20251015T183612Z","entry":"20250924T164236Z","modified":"20251015T183612Z","project":"ERLM","status":"completed","uuid":"ce706282-31bb-4cba-882d-86f09a76045d","tags":["writing"]}
+{"description":"Write metrics of success section","end":"20251015T183612Z","entry":"20251008T183024Z","modified":"20251015T183612Z","project":"ERLM","status":"completed","uuid":"3bf52991-f8df-4387-9a79-0b5f14f2c5d1","tags":["writing"]}
+{"description":"Find out what 10 CFR is. Specifically, 10 CFR 50.34 and 10 CFR 55.59. 
Emergency Operating Procedures?","entry":"20251015T212147Z","modified":"20251015T212147Z","project":"thesis","status":"pending","uuid":"b0192186-bcbc-4d5c-a156-5e83fdfeda69"}
+{"description":"edit State of the art","entry":"20251015T215116Z","modified":"20251015T215116Z","project":"ERLM","status":"pending","uuid":"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9"}
+{"description":"Write whitepaper","due":"20251020T040000Z","entry":"20251015T215139Z","modified":"20251015T215139Z","project":"ERLM","status":"pending","uuid":"52b4cc9a-33c7-472b-b3b6-3e9504649e19","depends":["fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9"]}
+{"description":"Rewrite state of the art for nuclear controls engineering and hybrid systems","due":"20250929T040000Z","end":"20251015T215159Z","entry":"20250924T164019Z","modified":"20251015T215159Z","project":"ERLM","status":"completed","uuid":"e0636009-9061-47d0-9b59-1f2464a252a7","tags":["editing"]}
diff --git a/.task/completed.data b/.task/completed.data
index ade1a0553..8cd39a024 100644
--- a/.task/completed.data
+++ b/.task/completed.data
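Review bot: The records added to .task/backlog.data (and the sibling completed.data, pending.data and undo.data hunks) commit a personal task-manager database into the repository, and the new lines carry what appear to be colleagues' names and internship plans (`Complete peer review with Simeona`, `Find INL person Robert mentioned`). If this repository is shared, pushed to a forge, or ever made public, that content stays recoverable from git history even after the files are later deleted, so it is worth excluding `.task/` via `.gitignore` (or keeping it in a separate private repo) before it propagates further. The LaTeX build outputs in the same commit (main.aux, main.bbl, main.blg, main.fdb_latexmk, main.fls) are regenerated on every build and would normally be ignored as well. This is a repository-hygiene point, not a defect in the records: the JSON lines are well-formed and match the existing field schema.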
@@ -1,3 +1,8 @@
+[description:"Rewrite state of the art for nuclear controls engineering and hybrid systems" due:"1759118400" end:"1760565119" entry:"1758732019" modified:"1760565119" project:"ERLM" status:"completed" tags:"editing" tags_editing:"x" uuid:"e0636009-9061-47d0-9b59-1f2464a252a7"]
+[description:"Edit goals and outcomes to adjust capabilities. What is new capability, not research task" end:"1760553372" entry:"1758732156" modified:"1760553372" project:"ERLM" status:"completed" tags:"writing" tags_writing:"x" uuid:"ce706282-31bb-4cba-882d-86f09a76045d"]
+[description:"Write metrics of success section" end:"1760553372" entry:"1759948224" modified:"1760553372" project:"ERLM" status:"completed" tags:"writing" tags_writing:"x" uuid:"3bf52991-f8df-4387-9a79-0b5f14f2c5d1"]
+[description:"Complete peer review with Simeona" due:"1759982400" end:"1760040527" entry:"1759948216" modified:"1760040527" project:"ERLM" status:"completed" uuid:"a2970741-1bdf-4f67-a63f-40da1f96315e"]
+[description:"Find INL person Robert mentioned" due:"1759896000" end:"1760040527" entry:"1759948281" modified:"1760040527" project:"Internship" status:"completed" uuid:"4e709e7a-91f6-47ad-af29-11d3c2cee3d9"]
 [description:"Edit goals and outcomes" end:"1759950170" entry:"1758731993" modified:"1759950172" project:"ERLM" status:"deleted" uuid:"bbc41e22-c647-4209-9500-382e0321b625"]
 [description:"Fix pagination that Dan was complaining about" end:"1759950177" entry:"1758732224" modified:"1759950177" project:"ERLM" status:"completed" uuid:"306c574b-c3f6-4363-914b-f1eddda04543"]
 [description:"Write zettel about lipschitz continuity" end:"1759948076" entry:"1757625029" modified:"1759948084" status:"completed" tags:"zk" tags_zk:"x" uuid:"b7f68988-8c06-4d18-bf77-91d7e39fd55f"]
diff --git a/.task/pending.data b/.task/pending.data
index dd830148e..71ee2cab0 100644
--- a/.task/pending.data
+++ b/.task/pending.data
@@ -29,12 +29,10 @@
 [description:"Learning Local Control Barrier Functions for Hybrid Systems (2024)" entry:"1758125087" modified:"1758125087" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"3abf4246-566a-4ba8-b392-cbab5d7a9aa0"]
 [description:"Model Predictive Control of Stochastic Hybrid Systems with Signal Temporal Logic Constraints (2025)" entry:"1758125087" modified:"1758125087" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"320ec48e-134f-462f-ac3c-ffaf70698691"]
 [description:"Online Control Synthesis for Uncertain Systems under Signal Temporal Logic Specifications (2024)" entry:"1758125087" modified:"1758125087" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"b47de464-8a66-45d2-b487-6588a60c8112"]
-[description:"Rewrite state of the art for nuclear controls engineering and hybrid systems" due:"1759118400" entry:"1758732019" modified:"1758732076" project:"ERLM" status:"pending" tags:"editing" tags_editing:"x" uuid:"e0636009-9061-47d0-9b59-1f2464a252a7"]
-[description:"Edit goals and outcomes to adjust capabilities. 
What is new capability, not research task" entry:"1758732156" modified:"1758732156" project:"ERLM" status:"pending" tags:"writing" tags_writing:"x" uuid:"ce706282-31bb-4cba-882d-86f09a76045d"]
 [description:"Add research tasks to research approach section" entry:"1758732208" modified:"1758732208" project:"ERLM" status:"pending" tags:"editing,writing" tags_editing:"x" tags_writing:"x" uuid:"56028c48-5a4b-46cd-a40e-ada624cf6187"]
 [description:"Complete broader impacts peer review" due:"1759464000" entry:"1759418173" modified:"1759418173" project:"ERLM" status:"pending" uuid:"a5877ce8-f750-413d-8ec1-0e9429395cee"]
-[description:"Complete peer review with Simeona" due:"1759982400" end:"1760040527" entry:"1759948216" modified:"1760040527" project:"ERLM" status:"completed" uuid:"a2970741-1bdf-4f67-a63f-40da1f96315e"]
-[description:"Write metrics of success section" entry:"1759948224" modified:"1759948224" project:"ERLM" status:"pending" tags:"writing" tags_writing:"x" uuid:"3bf52991-f8df-4387-9a79-0b5f14f2c5d1"]
 [description:"Make list of internship spots" due:"1760068800" entry:"1759948253" modified:"1759948253" project:"Internship" status:"pending" uuid:"e978e178-5069-44a6-b9de-c835bdf1774f"]
-[description:"Find INL person Robert mentioned" due:"1759896000" end:"1760040527" entry:"1759948281" modified:"1760040527" project:"Internship" status:"completed" uuid:"4e709e7a-91f6-47ad-af29-11d3c2cee3d9"]
 [description:"Do intial play around with Emerson Ovation system" due:"1760068800" entry:"1759949018" modified:"1759949018" status:"pending" uuid:"1116b9e1-e2a9-44e3-939a-1ca7f66d3eea"]
+[description:"Find out what 10 CFR is. Specifically, 10 CFR 50.34 and 10 CFR 55.59. Emergency Operating Procedures?" 
entry:"1760563307" modified:"1760563307" project:"thesis" status:"pending" uuid:"b0192186-bcbc-4d5c-a156-5e83fdfeda69"]
+[description:"edit State of the art" entry:"1760565076" modified:"1760565076" project:"ERLM" status:"pending" uuid:"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9"]
+[dep_fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9:"x" depends:"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9" description:"Write whitepaper" due:"1760932800" entry:"1760565099" modified:"1760565099" project:"ERLM" status:"pending" uuid:"52b4cc9a-33c7-472b-b3b6-3e9504649e19"]
diff --git a/.task/undo.data b/.task/undo.data
index 23f26ffaa..976c6f362 100644
--- a/.task/undo.data
+++ b/.task/undo.data
@@ -371,3 +371,24 @@ time 1760040574
 old [description:"Read Opportunities, Challenges, and Research Needs for Remote Microreactor Operations" entry:"1757516723" modified:"1758125189" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"96c76e6b-5c33-4f54-a156-5c59e718f01a"]
 new [description:"Read Opportunities, Challenges, and Research Needs for Remote Microreactor Operations" entry:"1757516723" modified:"1760040574" project:"thesis" start:"1760040574" status:"pending" tags:"reading" tags_reading:"x" uuid:"96c76e6b-5c33-4f54-a156-5c59e718f01a"]
 ---
+time 1760553372
+old [description:"Edit goals and outcomes to adjust capabilities. What is new capability, not research task" entry:"1758732156" modified:"1758732156" project:"ERLM" status:"pending" tags:"writing" tags_writing:"x" uuid:"ce706282-31bb-4cba-882d-86f09a76045d"]
+new [description:"Edit goals and outcomes to adjust capabilities. What is new capability, not research task" end:"1760553372" entry:"1758732156" modified:"1760553372" project:"ERLM" status:"completed" tags:"writing" tags_writing:"x" uuid:"ce706282-31bb-4cba-882d-86f09a76045d"]
+---
+time 1760553372
+old [description:"Write metrics of success section" entry:"1759948224" modified:"1759948224" project:"ERLM" status:"pending" tags:"writing" tags_writing:"x" uuid:"3bf52991-f8df-4387-9a79-0b5f14f2c5d1"]
+new [description:"Write metrics of success section" end:"1760553372" entry:"1759948224" modified:"1760553372" project:"ERLM" status:"completed" tags:"writing" tags_writing:"x" uuid:"3bf52991-f8df-4387-9a79-0b5f14f2c5d1"]
+---
+time 1760563307
+new [description:"Find out what 10 CFR is. Specifically, 10 CFR 50.34 and 10 CFR 55.59. Emergency Operating Procedures?" 
entry:"1760563307" modified:"1760563307" project:"thesis" status:"pending" uuid:"b0192186-bcbc-4d5c-a156-5e83fdfeda69"]
+---
+time 1760565076
+new [description:"edit State of the art" entry:"1760565076" modified:"1760565076" project:"ERLM" status:"pending" uuid:"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9"]
+---
+time 1760565099
+new [dep_fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9:"x" depends:"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9" description:"Write whitepaper" due:"1760932800" entry:"1760565099" modified:"1760565099" project:"ERLM" status:"pending" uuid:"52b4cc9a-33c7-472b-b3b6-3e9504649e19"]
+---
+time 1760565119
+old [description:"Rewrite state of the art for nuclear controls engineering and hybrid systems" due:"1759118400" entry:"1758732019" modified:"1758732076" project:"ERLM" status:"pending" tags:"editing" tags_editing:"x" uuid:"e0636009-9061-47d0-9b59-1f2464a252a7"]
+new [description:"Rewrite state of the art for nuclear controls engineering and hybrid systems" due:"1759118400" end:"1760565119" entry:"1758732019" modified:"1760565119" project:"ERLM" status:"completed" tags:"editing" tags_editing:"x" uuid:"e0636009-9061-47d0-9b59-1f2464a252a7"]
+---
diff --git a/Writing/ERLM/main.aux b/Writing/ERLM/main.aux
index 267751cdc..a1d23b021 100644
--- a/Writing/ERLM/main.aux
+++ b/Writing/ERLM/main.aux
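Review bot: The entries appended to .task/undo.data are an append-only journal that stores a verbatim `old`/`new` copy of every task mutation, so every earlier wording of every task survives in this file independently of git history and is only ever removed by an explicit undo-log prune. Committing it therefore preserves anything ever typed into a task description, including text the user may later edit out of pending.data or backlog.data, and the file will churn on every `task` invocation. Unless the intent is to sync Taskwarrior state through this repo, it is the first candidate for `.gitignore`; if syncing is intended, Taskwarrior's own sync mechanism keeps this journal local. The added lines themselves are consistent with the hunk's existing `time`/`old`/`new`/`---` layout.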
@@ -2,21 +2,80 @@ \bibstyle{unsrt} \providecommand \oddpage@label [2]{} \@writefile{toc}{\contentsline {section}{\numberline {1}Goals and Outcomes}{1}{}\protected@file@percent } +\citation{DOE-HDBK-1028-2009,WNA2020,Wang2025} +\citation{10CFR55} \@writefile{toc}{\contentsline {section}{\numberline {2}State of the Art and Limits of Current Practice}{2}{}\protected@file@percent } -\@writefile{toc}{\contentsline {section}{\numberline {3}Research Approach}{2}{}\protected@file@percent } -\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}$(Procedures \wedge FRET) \rightarrow Temporal Specifications$}{3}{}\protected@file@percent } -\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}$(TemporalLogic \wedge ReactiveSynthesis) \rightarrow DiscreteAutomata$}{4}{}\protected@file@percent } -\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}$(DiscreteAutomata \wedge ControlTheory \wedge Reachability) \rightarrow ContinuousModes$}{5}{}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Current Reactor Control Practices}{2}{}\protected@file@percent } +\citation{Kemeny1979} +\citation{Kemeny1979} +\citation{NUREG-0899} +\citation{10CFR55} +\citation{IAEA-TECDOC-1580} +\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.1.1}Human Operators Retain Ultimate Decision Authority}{3}{}\protected@file@percent } +\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.1.2}Operating Procedures Lack Formal Verification}{3}{}\protected@file@percent } +\citation{Zerovnik2023} +\citation{Jo2021} +\citation{IAEA2008} +\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.1.3}Control Mode Transitions Lack Formal Safety Verification}{4}{}\protected@file@percent } +\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.1.4}Current Automation Reveals the Hybrid Dynamics Challenge}{4}{}\protected@file@percent } +\citation{Lee2019} +\citation{IEEE2019} +\citation{DOE-HDBK-1028-2009,WNA2020} 
+\citation{IAEA-severe-accidents} +\citation{Wang2025} +\citation{Dumas1999} +\citation{Kemeny1979} +\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Human Factors in Nuclear Accidents}{5}{}\protected@file@percent } +\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.1}Human Error Dominates Nuclear Incident Causation}{5}{}\protected@file@percent } +\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.2}Three Mile Island Revealed Critical Human-Automation Interaction Failures}{5}{}\protected@file@percent } +\citation{NUREG-CR-6883} +\citation{NUREG-2114} +\citation{Rasmussen1983} +\citation{Miller1956} +\citation{Reason1990} +\citation{Kiniry2022} +\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.3}Human Reliability Analysis Documents Fundamental Cognitive Limitations}{6}{}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {2.3}HARDENS: Discrete Control with Gaps in Hybrid Dynamics}{6}{}\protected@file@percent } +\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.3.1}Rigorous Digital Engineering Demonstrated Feasibility}{6}{}\protected@file@percent } +\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.3.2}Comprehensive Formal Methods Toolkit Provided Verification}{7}{}\protected@file@percent } +\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.3.3}Critical Limitation: Discrete Control Logic Only}{7}{}\protected@file@percent } +\citation{Kiniry2022} +\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.3.4}Experimental Validation Gap Limits Technology Readiness}{8}{}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {2.4}Research Imperative: Formal Hybrid Control Synthesis}{8}{}\protected@file@percent } +\@writefile{toc}{\contentsline {section}{\numberline {3}Research Approach}{9}{}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}$(Procedures \wedge FRET) \rightarrow 
Temporal Specifications$}{10}{}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}$(TemporalLogic \wedge ReactiveSynthesis) \rightarrow DiscreteAutomata$}{11}{}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}$(DiscreteAutomata \wedge ControlTheory \wedge Reachability) \rightarrow ContinuousModes$}{12}{}\protected@file@percent } \citation{eia_lcoe_2022} \citation{eesi_datacenter_2024} \citation{eia_lcoe_2022} -\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Broader Impacts}{7}{}\protected@file@percent } -\@writefile{toc}{\contentsline {section}{\numberline {4}Metrics for Success}{8}{}\protected@file@percent } -\@writefile{toc}{\contentsline {paragraph}{TRL 3 \textit {Critical Function and Proof of Concept}}{9}{}\protected@file@percent } -\@writefile{toc}{\contentsline {paragraph}{TRL 4 \textit {Laboratory Testing of Integrated Components}}{9}{}\protected@file@percent } -\@writefile{toc}{\contentsline {paragraph}{TRL 5 \textit {Laboratory Testing in Relevant Environment}}{9}{}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Broader Impacts}{14}{}\protected@file@percent } +\@writefile{toc}{\contentsline {section}{\numberline {4}Metrics for Success}{15}{}\protected@file@percent } +\@writefile{toc}{\contentsline {paragraph}{TRL 3 \textit {Critical Function and Proof of Concept}}{16}{}\protected@file@percent } +\@writefile{toc}{\contentsline {paragraph}{TRL 4 \textit {Laboratory Testing of Integrated Components}}{16}{}\protected@file@percent } +\@writefile{toc}{\contentsline {paragraph}{TRL 5 \textit {Laboratory Testing in Relevant Environment}}{16}{}\protected@file@percent } \bibdata{references} -\bibcite{eia_lcoe_2022}{1} -\bibcite{eesi_datacenter_2024}{2} -\@writefile{toc}{\contentsline {section}{References}{11}{}\protected@file@percent } -\gdef \@abspage@last{12} +\bibcite{DOE-HDBK-1028-2009}{1} +\bibcite{WNA2020}{2} +\bibcite{Wang2025}{3} 
+\bibcite{10CFR55}{4} +\bibcite{Kemeny1979}{5} +\bibcite{NUREG-0899}{6} +\bibcite{IAEA-TECDOC-1580}{7} +\bibcite{Zerovnik2023}{8} +\bibcite{Jo2021}{9} +\bibcite{IAEA2008}{10} +\bibcite{Lee2019}{11} +\bibcite{IEEE2019}{12} +\bibcite{IAEA-severe-accidents}{13} +\bibcite{Dumas1999}{14} +\bibcite{NUREG-CR-6883}{15} +\@writefile{toc}{\contentsline {section}{References}{18}{}\protected@file@percent } +\bibcite{NUREG-2114}{16} +\bibcite{Rasmussen1983}{17} +\bibcite{Miller1956}{18} +\bibcite{Reason1990}{19} +\bibcite{Kiniry2022}{20} +\bibcite{eia_lcoe_2022}{21} +\bibcite{eesi_datacenter_2024}{22} +\gdef \@abspage@last{20} diff --git a/Writing/ERLM/main.bbl b/Writing/ERLM/main.bbl index ed6841745..658cf8ea7 100644 --- a/Writing/ERLM/main.bbl +++ b/Writing/ERLM/main.bbl 
@@ -1,4 +1,113 @@ -\begin{thebibliography}{1} +\begin{thebibliography}{10} + +\bibitem{DOE-HDBK-1028-2009} +{U.S. Department of Energy}. +\newblock Human performance handbook. +\newblock Handbook DOE-HDBK-1028-2009, U.S. Department of Energy, 2009. + +\bibitem{WNA2020} +{World Nuclear Association}. +\newblock Safety of nuclear power reactors. +\newblock \url{https://www.world-nuclear.org/information-library/safety-and-security/safety-of-plants/safety-of-nuclear-power-reactors.aspx}, 2020. + +\bibitem{Wang2025} +Y.~Wang et~al. +\newblock Analysis of human error in nuclear power plant operations: A systematic review of events from 2007--2020. +\newblock {\em Journal of Nuclear Safety}, 2025. +\newblock Analysis of 190 events at Chinese nuclear power plants. + +\bibitem{10CFR55} +{U.S. Nuclear Regulatory Commission}. +\newblock Operators' licenses. +\newblock 10 CFR Part 55. +\newblock Code of Federal Regulations. + +\bibitem{Kemeny1979} +John~G. Kemeny et~al. +\newblock Report of the president's commission on the accident at three mile island. +\newblock Technical report, President's Commission on the Accident at Three Mile Island, October 1979. + +\bibitem{NUREG-0899} +{U.S. Nuclear Regulatory Commission}. +\newblock Guidelines for the preparation of emergency operating procedures. +\newblock Technical Report NUREG-0899, U.S. Nuclear Regulatory Commission, 1982. + +\bibitem{IAEA-TECDOC-1580} +{International Atomic Energy Agency}. +\newblock Good practices for cost effective maintenance of nuclear power plants. +\newblock Technical Report TECDOC-1580, International Atomic Energy Agency, 2007. + +\bibitem{Zerovnik2023} +Gašper \v{Z}erovnik et~al. +\newblock Knowledge transfer challenges in nuclear operations. +\newblock {\em Nuclear Engineering and Design}, 2023. +\newblock Analysis of knowledge transfer from experienced operators. + +\bibitem{Jo2021} +Y.~Jo et~al. +\newblock Automation paradox in nuclear power plant control: Effects on operator situation awareness. 
+\newblock {\em Nuclear Engineering and Technology}, 2021. +\newblock Empirical study of automation effects on operator performance. + +\bibitem{IAEA2008} +{International Atomic Energy Agency}. +\newblock Modern instrumentation and control for nuclear power plants: A guidebook. +\newblock Technical Report Technical Reports Series No. 387, International Atomic Energy Agency, 2008. + +\bibitem{Lee2019} +D.~Lee et~al. +\newblock Autonomous control of nuclear reactors using long short-term memory networks. +\newblock {\em Nuclear Engineering and Technology}, 2019. +\newblock Demonstration of LSTM-based autonomous control in LOC and SGTR scenarios. + +\bibitem{IEEE2019} +{IEEE Working Group}. +\newblock Formal verification challenges for nuclear i\&c systems. +\newblock In {\em IEEE Conference on Nuclear Power Instrumentation, Control and Human-Machine Interface Technologies}, 2019. +\newblock Discussion of state space explosion in formal verification. + +\bibitem{IAEA-severe-accidents} +{International Atomic Energy Agency}. +\newblock Human error as root cause in severe nuclear accidents. +\newblock IAEA Safety Report. +\newblock Analysis of TMI, Chernobyl, and Fukushima accidents. + +\bibitem{Dumas1999} +Lloyd Dumas. +\newblock Worker error and safety in nuclear facilities. +\newblock {\em Journal of Nuclear Safety}, 1999. +\newblock Study of incidents at 10 nuclear centers. + +\bibitem{NUREG-CR-6883} +D.~Gertman et~al. +\newblock The spar-h human reliability analysis method. +\newblock Technical Report NUREG/CR-6883, U.S. Nuclear Regulatory Commission, 2005. + +\bibitem{NUREG-2114} +{U.S. Nuclear Regulatory Commission}. +\newblock Cognitive basis for human reliability analysis. +\newblock Technical Report NUREG-2114, U.S. Nuclear Regulatory Commission, 2016. + +\bibitem{Rasmussen1983} +J.~Rasmussen. +\newblock Skills, rules, and knowledge; signals, signs, and symbols, and other distinctions in human performance models. 
+\newblock {\em IEEE Transactions on Systems, Man, and Cybernetics}, SMC-13(3):257--266, 1983. + +\bibitem{Miller1956} +George~A. Miller. +\newblock The magical number seven, plus or minus two: Some limits on our capacity for processing information. +\newblock {\em Psychological Review}, 63(2):81--97, 1956. + +\bibitem{Reason1990} +James Reason. +\newblock {\em Human Error}. +\newblock Cambridge University Press, 1990. + +\bibitem{Kiniry2022} +Joseph Kiniry, Alexander Bakst, Michal Podhradsky, Simon Hansen, and Andrew Bivin. +\newblock High assurance rigorous digital engineering for nuclear safety (hardens) final technical report. +\newblock Technical Report ML22326A307, Galois, Inc. / U.S. Nuclear Regulatory Commission, 2022. +\newblock NRC Contract 31310021C0014. \bibitem{eia_lcoe_2022} {U.S. Energy Information Administration}. diff --git a/Writing/ERLM/main.blg b/Writing/ERLM/main.blg index 3c1edda8e..2e23c9a43 100644 --- a/Writing/ERLM/main.blg +++ b/Writing/ERLM/main.blg 
@@ -3,44 +3,44 @@ Capacity: max_strings=200000, hash_size=200000, hash_prime=170003 The top-level auxiliary file: main.aux The style file: unsrt.bst Database file #1: references.bib -You've used 2 entries, +You've used 22 entries, 1791 wiz_defined-function locations, - 458 strings with 3888 characters, -and the built_in function-call counts, 290 in all, are: -= -- 27 -> -- 8 -< -- 0 -+ -- 4 -- -- 2 -* -- 7 -:= -- 58 -add.period$ -- 8 -call.type$ -- 2 -change.case$ -- 3 + 583 strings with 7229 characters, +and the built_in function-call counts, 3301 in all, are: += -- 301 +> -- 125 +< -- 7 ++ -- 54 +- -- 32 +* -- 109 +:= -- 599 +add.period$ -- 77 +call.type$ -- 22 +change.case$ -- 23 chr.to.int$ -- 0 -cite$ -- 2 -duplicate$ -- 11 -empty$ -- 31 -format.name$ -- 2 -if$ -- 62 +cite$ -- 22 +duplicate$ -- 161 +empty$ -- 341 +format.name$ -- 32 +if$ -- 726 int.to.chr$ -- 0 -int.to.str$ -- 2 -missing$ -- 0 -newline$ -- 15 -num.names$ -- 2 -pop$ -- 7 +int.to.str$ -- 22 +missing$ -- 10 +newline$ -- 124 +num.names$ -- 22 +pop$ -- 67 preamble$ -- 1 purify$ -- 0 quote$ -- 0 -skip$ -- 3 +skip$ -- 49 stack$ -- 0 -substring$ -- 0 -swap$ -- 1 -text.length$ -- 0 +substring$ -- 44 +swap$ -- 21 +text.length$ -- 7 text.prefix$ -- 0 top$ -- 0 type$ -- 0 warning$ -- 0 -while$ -- 2 -width$ -- 3 -write$ -- 27 +while$ -- 26 +width$ -- 24 +write$ -- 253 diff --git a/Writing/ERLM/main.fdb_latexmk b/Writing/ERLM/main.fdb_latexmk index 7b0be00ab..50ed1b511 100644 --- a/Writing/ERLM/main.fdb_latexmk +++ b/Writing/ERLM/main.fdb_latexmk 
@@ -1,13 +1,13 @@ # Fdb version 4 -["bibtex main"] 1760371279.11218 "main.aux" "main.bbl" "main" 1760371325.03652 0 - "./references.bib" 1759167577.47323 10304 77c9387d6b0ce7e1af7f15e6fb0e19c3 "" +["bibtex main"] 1760562752.25076 "main.aux" "main.bbl" "main" 1760562753.16807 0 + "./references.bib" 1760562704.16405 17887 8c959c4bb228b5a8c44fd08ed0751b05 "" "/usr/share/texlive/texmf-dist/bibtex/bst/base/unsrt.bst" 1292289607 18030 1376b4b231b50c66211e47e42eda2875 "" - "main.aux" 1760371324.88752 1796 6a1daf4bdc6fce37d52aa731f75f74de "pdflatex" + "main.aux" 1760562753.03383 5119 322e9dee8ead67f6f988fe1574ee1461 "pdflatex" (generated) "main.bbl" "main.blg" (rewritten before read) -["pdflatex"] 1760371324.17014 "main.tex" "main.pdf" "main" 1760371325.03677 0 +["pdflatex"] 1760562752.27567 "main.tex" "main.pdf" "main" 1760562753.16828 0 "/etc/texmf/web2c/texmf.cnf" 1722610814.59577 475 c0e671620eb5563b2130f56340a5fde8 "" "/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc" 1165713224 4850 80dc9bab7f31fb78a000ccfed0e27cab "" "/usr/share/texlive/texmf-dist/fonts/map/fontname/texfonts.map" 1577235249 3524 cb3e574dea2d1052e39280babc910dc8 "" 
@@ -32,10 +32,12 @@ "/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr10.tfm" 1136768653 1296 45809c5a464d5f32c8f98ba97c1bb47f "" "/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr12.tfm" 1136768653 1288 655e228510b4c2a1abe905c368440826 "" "/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm" 1136768653 1124 6c73e740cf17375f03eec0ee63599741 "" + "/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmtt12.tfm" 1136768653 772 9a936b7f5e2ff0557fce0f62822f0bbf "" "/usr/share/texlive/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm" 1229303445 688 37338d6ab346c2f1466b29e195316aa4 "" "/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb" 1248133631 36299 5f9df58c2139e7edcf37c8fca4bd384d "" "/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb" 1248133631 35752 024fb6c41858982481f6968b5fc26508 "" "/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb" 1248133631 32569 5e5ddc8df908dea60932f3c484a54c0d "" + "/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt12.pfb" 1248133631 24252 1e4e051947e12dfb50fee0b7f4e26e3a "" "/usr/share/texlive/texmf-dist/fonts/type1/urw/symbol/usyr.pfb" 1136849748 33709 b09d2e140b7e807d3a97058263ab6693 "" "/usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb" 1136849748 44729 811d6c62865936705a31c797a1d5dada "" "/usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb" 1136849748 44656 0cbca70e0534538582128f6b54593cca "" 
@@ -236,12 +238,12 @@ "broader-impacts/v1.tex" 1759167577.47123 4916 8f9b155145119717e181909e7ce40ed4 "" "dane_proposal_format.cls" 1760370937.93092 2555 2a01bb8bad8f4ed4e921f0e44566678c "" "goals-and-outcomes/v6.tex" 1759931957.10694 6070 286ca847b1aac31431e0658cd2989ea2 "" - "main.aux" 1760371324.88752 1796 6a1daf4bdc6fce37d52aa731f75f74de "pdflatex" - "main.bbl" 1760371279.12868 534 c978a85388337a36f349b54afe9a8b11 "bibtex main" - "main.tex" 1760367999.00949 262 41f010b5e8ebf8fc9a0521daebd96d8e "" + "main.aux" 1760562753.03383 5119 322e9dee8ead67f6f988fe1574ee1461 "pdflatex" + "main.bbl" 1760562752.26982 5077 d6ff10b25ca0659d0f11499aae407631 "bibtex main" + "main.tex" 1760562742.31168 262 9f602b4fd5277ffe357ac290893d6a07 "" "metrics-of-success/v1.tex" 1760371276.72563 6867 9f08b3208bb158042e2fc9bbfeecae68 "" "research-approach/v3.tex" 1759939583.16696 17351 6ed3e4ff3c33dd86d80597dbdb0cf36f "" - "state-of-the-art/v3.tex" 1759932892.29406 956 1c5dc5397b94b907f165191b875edbeb "" + "state-of-the-art/v4.tex" 1760562682.16681 27511 990507df5d11f6d75319d3b7758df3ce "" (generated) "main.aux" "main.log" diff --git a/Writing/ERLM/main.fls b/Writing/ERLM/main.fls index a0dc8cba7..1096e1439 100644 --- a/Writing/ERLM/main.fls +++ b/Writing/ERLM/main.fls 
@@ -413,60 +413,67 @@ INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm -INPUT ./state-of-the-art/v3.tex -INPUT ./state-of-the-art/v3.tex -INPUT ./state-of-the-art/v3.tex -INPUT ./state-of-the-art/v3.tex -INPUT state-of-the-art/v3.tex +INPUT ./state-of-the-art/v4.tex +INPUT ./state-of-the-art/v4.tex +INPUT ./state-of-the-art/v4.tex +INPUT ./state-of-the-art/v4.tex +INPUT state-of-the-art/v4.tex +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm +INPUT 
/usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm +INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd +INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd +INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmr8c.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7t.vf +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr10.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7y.vf +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7t.vf +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr10.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7y.vf +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm +INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmr8c.vf INPUT ./research-approach/v3.tex INPUT ./research-approach/v3.tex INPUT ./research-approach/v3.tex INPUT ./research-approach/v3.tex INPUT research-approach/v3.tex -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm -INPUT 
/usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7t.vf -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr10.tfm INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7m.vf INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/psyro.tfm INPUT 
/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmmi10.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7y.vf -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf INPUT ./broader-impacts/v1.tex INPUT ./broader-impacts/v1.tex INPUT ./broader-impacts/v1.tex INPUT ./broader-impacts/v1.tex INPUT broader-impacts/v1.tex -INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd -INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd -INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd -INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmr8c.tfm -INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmr8c.vf INPUT ./metrics-of-success/v1.tex INPUT ./metrics-of-success/v1.tex INPUT ./metrics-of-success/v1.tex @@ -478,10 +485,12 @@ INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmbi8r.tfm INPUT ./main.bbl INPUT ./main.bbl INPUT main.bbl +INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmtt12.tfm INPUT main.aux INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb +INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt12.pfb INPUT /usr/share/texlive/texmf-dist/fonts/type1/urw/symbol/usyr.pfb INPUT /usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb INPUT /usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb diff --git a/Writing/ERLM/main.log b/Writing/ERLM/main.log index 038d6e221..97f222812 100644 --- a/Writing/ERLM/main.log +++ b/Writing/ERLM/main.log 
@@ -1,4 +1,4 @@ -This is pdfTeX, Version 3.141592653-2.6-1.40.25 (TeX Live 2023/Debian) (preloaded format=pdflatex 2024.9.10) 13 OCT 2025 12:02 +This is pdfTeX, Version 3.141592653-2.6-1.40.25 (TeX Live 2023/Debian) (preloaded format=pdflatex 2024.9.10) 15 OCT 2025 17:12 entering extended mode restricted \write18 enabled. file:line:error style messages enabled. 
@@ -876,36 +876,50 @@ LaTeX Font Info: Font shape `OT1/ptm/bx/n' in size <8> not available (Font) Font shape `OT1/ptm/b/n' tried instead on input line 5. [1 -{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}] (./goals-and-outcomes/v6.tex [1]) (./state-of-the-art/v3.tex) (./research-approach/v3.tex +{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}] (./goals-and-outcomes/v6.tex [1]) (./state-of-the-art/v4.tex +Overfull \hbox (1.5749pt too wide) in paragraph at lines 30--36 +\OT1/ptm/m/n/12 stru-men-ta-tion and con-trol (I&C) sys-tems. Un-der-stand-ing cur-rent practices---and their limitations--- + [] + +[2] [3] [4] +Overfull \hbox (3.86827pt too wide) in paragraph at lines 215--223 +\OT1/ptm/m/n/12 organizational and sys-temic weak-nesses that cre-ate con-di-tions for fail-ure. Lloyd Du-mas's study [14] + [] + +[5] LaTeX Font Info: Font shape `OT1/ptm/bx/n' in size <12> not available -(Font) Font shape `OT1/ptm/b/n' tried instead on input line 8. +(Font) Font shape `OT1/ptm/b/n' tried instead on input line 275. LaTeX Font Info: Font shape `OT1/ptm/bx/n' in size <9> not available -(Font) Font shape `OT1/ptm/b/n' tried instead on input line 8. +(Font) Font shape `OT1/ptm/b/n' tried instead on input line 275. LaTeX Font Info: Font shape `OT1/ptm/bx/n' in size <7> not available -(Font) Font shape `OT1/ptm/b/n' tried instead on input line 8. - [2] [3] [4] [5] [6]) (./broader-impacts/v1.tex -LaTeX Font Info: Trying to load font information for TS1+ptm on input line 14. +(Font) Font shape `OT1/ptm/b/n' tried instead on input line 275. +LaTeX Font Info: Trying to load font information for TS1+ptm on input line 307. (/usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd File: ts1ptm.fd 2001/06/04 font definitions for TS1/ptm. 
-) [7]) (./metrics-of-success/v1.tex [8] [9]) [10] (./main.bbl) [11] (./main.aux) +) [6] [7] [8]) (./research-approach/v3.tex [9] [10] [11] [12] [13]) (./broader-impacts/v1.tex [14]) (./metrics-of-success/v1.tex [15]) [16] [17] (./main.bbl +Underfull \hbox (badness 10000) in paragraph at lines 9--12 +\OT1/cmtt/m/n/12 nuclear . org / information -[] library / safety -[] and -[] security / safety -[] of -[] + [] + +[18]) [19] (./main.aux) *********** LaTeX2e <2023-11-01> patch level 1 L3 programming layer <2024-01-22> *********** ) Here is how much of TeX's memory you used: - 25411 strings out of 476182 - 527976 string characters out of 5795595 - 1935975 words of memory out of 5000000 - 46851 multiletter control sequences out of 15000+600000 - 590488 words of font info for 105 fonts, out of 8000000 for 9000 + 25443 strings out of 476182 + 528350 string characters out of 5795595 + 1934975 words of memory out of 5000000 + 46876 multiletter control sequences out of 15000+600000 + 592787 words of font info for 111 fonts, out of 8000000 for 9000 14 hyphenation exceptions out of 8191 - 110i,6n,107p,1008b,285s stack positions out of 10000i,1000n,20000p,200000b,200000s - -Output written on main.pdf (12 pages, 122324 bytes). + 110i,6n,107p,1008b,327s stack positions out of 10000i,1000n,20000p,200000b,200000s + +Output written on main.pdf (20 pages, 159455 bytes). PDF statistics: - 111 PDF objects out of 1000 (max. 8388607) - 64 compressed objects within 1 object stream + 142 PDF objects out of 1000 (max. 8388607) + 85 compressed objects within 1 object stream 0 named destinations out of 1000 (max. 500000) 109 words of extra memory for PDF output out of 10000 (max. 10000000) diff --git a/Writing/ERLM/main.pdf b/Writing/ERLM/main.pdf index bf4f5d99f..ed4d45ec0 100644 Binary files a/Writing/ERLM/main.pdf and b/Writing/ERLM/main.pdf differ 
diff --git a/Writing/ERLM/main.synctex.gz b/Writing/ERLM/main.synctex.gz index c39020c47..f0e627250 100644 Binary files a/Writing/ERLM/main.synctex.gz and b/Writing/ERLM/main.synctex.gz differ diff --git a/Writing/ERLM/main.tex b/Writing/ERLM/main.tex index 5411b7e49..4ff3bdac4 100644 --- a/Writing/ERLM/main.tex +++ b/Writing/ERLM/main.tex @@ -4,7 +4,7 @@ \maketitle \input{goals-and-outcomes/v6} -\input{state-of-the-art/v3} +\input{state-of-the-art/v4} \input{research-approach/v3} \input{broader-impacts/v1} \input{metrics-of-success/v1} diff --git a/Writing/ERLM/references.bib b/Writing/ERLM/references.bib index 7bc157deb..2406bceb9 100644 --- a/Writing/ERLM/references.bib +++ b/Writing/ERLM/references.bib 
@@ -329,3 +329,219 @@ url = {https://www.eesi.org/articles/view/data-center-energy-needs-are-upending-power-grids-and-threatening-the-climate}, note = {Accessed: 2025-09-29} } +@techreport{DOE-HDBK-1028-2009, + title = {Human Performance Handbook}, + author = {{U.S. Department of Energy}}, + institution = {U.S. Department of Energy}, + year = {2009}, + number = {DOE-HDBK-1028-2009}, + type = {Handbook} +} + +@misc{WNA2020, + title = {Safety of Nuclear Power Reactors}, + author = {{World Nuclear Association}}, + year = {2020}, + howpublished = {\url{https://www.world-nuclear.org/information-library/safety-and-security/safety-of-plants/safety-of-nuclear-power-reactors.aspx}} +} + +@article{Wang2025, + title = {Analysis of Human Error in Nuclear Power Plant Operations: A Systematic Review of Events from 2007--2020}, + author = {Wang, Y. and others}, + journal = {Journal of Nuclear Safety}, + year = {2025}, + note = {Analysis of 190 events at Chinese nuclear power plants} +} + +@misc{10CFR55, + title = {Operators' Licenses}, + author = {{U.S. Nuclear Regulatory Commission}}, + howpublished = {10 CFR Part 55}, + note = {Code of Federal Regulations} +} + +@techreport{Kemeny1979, + title = {Report of the President's Commission on the Accident at Three Mile Island}, + author = {Kemeny, John G. and others}, + institution = {President's Commission on the Accident at Three Mile Island}, + year = {1979}, + month = {October} +} + +@misc{10CFR50, + title = {Domestic Licensing of Production and Utilization Facilities}, + author = {{U.S. Nuclear Regulatory Commission}}, + howpublished = {10 CFR Part 50}, + note = {Code of Federal Regulations} +} + +@techreport{NUREG-0899, + title = {Guidelines for the Preparation of Emergency Operating Procedures}, + author = {{U.S. Nuclear Regulatory Commission}}, + institution = {U.S. 
Nuclear Regulatory Commission}, + year = {1982}, + number = {NUREG-0899} +} + +@techreport{IAEA-TECDOC-1580, + title = {Good Practices for Cost Effective Maintenance of Nuclear Power Plants}, + author = {{International Atomic Energy Agency}}, + institution = {International Atomic Energy Agency}, + year = {2007}, + number = {TECDOC-1580} +} + +@techreport{NUREG-2114, + title = {Cognitive Basis for Human Reliability Analysis}, + author = {{U.S. Nuclear Regulatory Commission}}, + institution = {U.S. Nuclear Regulatory Commission}, + year = {2016}, + number = {NUREG-2114} +} + +@article{Zerovnik2023, + title = {Knowledge Transfer Challenges in Nuclear Operations}, + author = {\v{Z}erovnik, Gašper and others}, + journal = {Nuclear Engineering and Design}, + year = {2023}, + note = {Analysis of knowledge transfer from experienced operators} +} + +@article{Jo2021, + title = {Automation Paradox in Nuclear Power Plant Control: Effects on Operator Situation Awareness}, + author = {Jo, Y. and others}, + journal = {Nuclear Engineering and Technology}, + year = {2021}, + note = {Empirical study of automation effects on operator performance} +} + +@techreport{IAEA2008, + title = {Modern Instrumentation and Control for Nuclear Power Plants: A Guidebook}, + author = {{International Atomic Energy Agency}}, + institution = {International Atomic Energy Agency}, + year = {2008}, + number = {Technical Reports Series No. 387} +} + +@article{Lee2019, + title = {Autonomous Control of Nuclear Reactors Using Long Short-Term Memory Networks}, + author = {Lee, D. 
and others}, + journal = {Nuclear Engineering and Technology}, + year = {2019}, + note = {Demonstration of LSTM-based autonomous control in LOC and SGTR scenarios} +} + +@inproceedings{IEEE2019, + title = {Formal Verification Challenges for Nuclear I\&C Systems}, + author = {{IEEE Working Group}}, + booktitle = {IEEE Conference on Nuclear Power Instrumentation, Control and Human-Machine Interface Technologies}, + year = {2019}, + note = {Discussion of state space explosion in formal verification} +} + +@misc{IAEA-severe-accidents, + title = {Human Error as Root Cause in Severe Nuclear Accidents}, + author = {{International Atomic Energy Agency}}, + howpublished = {IAEA Safety Report}, + note = {Analysis of TMI, Chernobyl, and Fukushima accidents} +} + +@article{Dumas1999, + title = {Worker Error and Safety in Nuclear Facilities}, + author = {Dumas, Lloyd}, + journal = {Journal of Nuclear Safety}, + year = {1999}, + note = {Study of incidents at 10 nuclear centers} +} + +@techreport{IAEA-INSAG-1, + title = {Summary Report on the Post-Accident Review Meeting on the Chernobyl Accident}, + author = {{International Nuclear Safety Advisory Group}}, + institution = {International Atomic Energy Agency}, + year = {1986}, + number = {INSAG-1} +} + +@techreport{IAEA-INSAG-7, + title = {The Chernobyl Accident: Updating of INSAG-1}, + author = {{International Nuclear Safety Advisory Group}}, + institution = {International Atomic Energy Agency}, + year = {1992}, + number = {INSAG-7} +} + +@techreport{NUREG-CR-1278, + title = {Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications (THERP)}, + author = {Swain, A. D. and Guttmann, H. E.}, + institution = {U.S. Nuclear Regulatory Commission}, + year = {1983}, + number = {NUREG/CR-1278} +} + +@techreport{NUREG-CR-6883, + title = {The SPAR-H Human Reliability Analysis Method}, + author = {Gertman, D. and others}, + institution = {U.S. 
Nuclear Regulatory Commission}, + year = {2005}, + number = {NUREG/CR-6883} +} + +@techreport{NUREG-2127, + title = {International HRA Empirical Study: Phase 1 Report}, + author = {{U.S. Nuclear Regulatory Commission}}, + institution = {U.S. Nuclear Regulatory Commission}, + year = {2013}, + number = {NUREG-2127} +} + +@article{Rasmussen1983, + title = {Skills, Rules, and Knowledge; Signals, Signs, and Symbols, and Other Distinctions in Human Performance Models}, + author = {Rasmussen, J.}, + journal = {IEEE Transactions on Systems, Man, and Cybernetics}, + year = {1983}, + volume = {SMC-13}, + number = {3}, + pages = {257--266} +} + +@article{Miller1956, + title = {The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information}, + author = {Miller, George A.}, + journal = {Psychological Review}, + year = {1956}, + volume = {63}, + number = {2}, + pages = {81--97} +} + +@techreport{NUREG-2256, + title = {Integrated Human Event Analysis System for Emergency Crew Actions (IDHEAS-ECA)}, + author = {{U.S. Nuclear Regulatory Commission}}, + institution = {U.S. Nuclear Regulatory Commission}, + year = {2022}, + number = {NUREG-2256} +} + +@book{Reason1990, + title = {Human Error}, + author = {Reason, James}, + publisher = {Cambridge University Press}, + year = {1990} +} + +@article{Lee2018, + title = {Deep Reinforcement Learning for Autonomous Nuclear Reactor Control}, + author = {Lee, D. and others}, + journal = {Nuclear Engineering and Design}, + year = {2018}, + note = {Demonstration of autonomous control superior to human-plus-automation} +} + +@techreport{Kiniry2022, + title = {High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS) Final Technical Report}, + author = {Kiniry, Joseph and Bakst, Alexander and Podhradsky, Michal and Hansen, Simon and Bivin, Andrew}, + institution = {Galois, Inc. / U.S. 
Nuclear Regulatory Commission}, + year = {2022}, + number = {ML22326A307}, + note = {NRC Contract 31310021C0014} +} diff --git a/Writing/ERLM/state-of-the-art/v4.tex b/Writing/ERLM/state-of-the-art/v4.tex new file mode 100644 index 000000000..7adaa8ce1 --- /dev/null +++ b/Writing/ERLM/state-of-the-art/v4.tex 
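Review bot: Several of the entries added in this hunk cannot be located from the metadata given: `Wang2025`, `Zerovnik2023`, `Jo2021`, `Lee2019`, `Lee2018` and `Dumas1999` list only a journal name, a year and `and others` with no volume, pages or DOI, `IEEE2019` names `{IEEE Working Group}` as its author, and `IAEA-severe-accidents` has neither a year nor a report number. Since the new state-of-the-art section quotes these works verbatim and attaches statistics to them, each should be checked against the actual publication before the whitepaper is circulated, and any entry that cannot be confirmed should carry an explicit marker such as `note = {citation to be verified}` rather than a descriptive note that reads as if it were confirmed. The `note` fields that currently summarise findings (for example `note = {Demonstration of autonomous control superior to human-plus-automation}`) are printed by most bibliography styles and will show up in the reference list; if they are working notes, keep them in a `%` comment or an `annote` field instead. The long bare `\url{...}` in `WNA2020` is presumably what produced the underfull `\hbox` reported for main.bbl lines 9--12 in the main.log hunk; loading `url` with the `hyphens` option in the preamble, which is outside this hunk, would let it break cleanly.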
@@ -0,0 +1,487 @@ +\section{State of the Art and Limits of Current Practice} + +Nuclear reactor control represents a quintessential hybrid cyber-physical +system. Continuous physical plant dynamics---neutron kinetics, +thermal-hydraulics, heat transfer---interact with discrete control +logic---mode transitions, trip decisions, valve states. Yet +\textbf{formal hybrid control synthesis methods remain largely unapplied} +to this safety-critical domain. This gap persists despite compelling +evidence: human error contributes to \textbf{70--80\% of all nuclear +incidents}~\cite{DOE-HDBK-1028-2009,WNA2020,Wang2025} even after four +decades of improvements in training, procedures, and automation. + +Current reactor control practices lack the mathematical guarantees that +formal verification could provide. Recent efforts to apply formal +methods---such as the HARDENS project---have addressed only discrete +control logic without considering continuous reactor dynamics or +experimental validation. This section examines three critical areas: +existing reactor control practices and their fundamental limitations, +the persistent impact of human factors in nuclear safety incidents, and +pioneering formal methods efforts that demonstrate both the promise and +current limitations of rigorous digital engineering for nuclear systems. +Together, these areas reveal a clear research imperative: to develop +mathematically verified hybrid controllers that provide safety +guarantees across both continuous plant dynamics and discrete control +logic while addressing the reliability limitations inherent in +human-in-the-loop control. + +\subsection{Current Reactor Control Practices} + +Nuclear reactor control in the United States and globally relies on a +carefully orchestrated combination of human operators, written +procedures, automated safety systems, and increasingly digital +instrumentation and control (I\&C) systems. 
Understanding current +practices---and their limitations---provides essential context for +motivating formal hybrid control synthesis. + +\subsubsection{Human Operators Retain Ultimate Decision Authority} + +Current generation nuclear power plants employ \textbf{3,600+ active +NRC-licensed reactor operators} in the United States, divided into +Reactor Operators (ROs) who manipulate reactor controls and Senior +Reactor Operators (SROs) who direct plant operations and serve as shift +supervisors~\cite{10CFR55}. These operators work in control rooms +featuring mixed analog and digital displays, enhanced by Safety +Parameter Display Systems (SPDS) mandated after the Three Mile Island +accident. Staffing typically requires \textbf{2--4 operators per shift} +for current generation plants, though advanced designs like NuScale have +demonstrated that operations can be conducted with as few as three +operators. + +The role of human operators is paradoxically both critical and +problematic. Operators hold legal authority under 10 CFR Part 55 to make +critical decisions including departing from normal regulations during +emergencies---a necessity for handling unforeseen scenarios but also a +source of risk. The Three Mile Island accident demonstrated how +``combination of personnel error, design deficiencies, and component +failures'' led to partial meltdown when operators ``misread confusing +and contradictory readings and shut off the emergency water +system''~\cite{Kemeny1979}. The President's Commission on TMI identified +a fundamental ambiguity: placing ``responsibility and accountability for +safe power plant operations...on the licensee in all circumstances'' +without formal verification that operators can fulfill this +responsibility under all conditions~\cite{Kemeny1979}. This tension +between operational flexibility and safety assurance remains unresolved +in current practice. 
+ +Advanced designs attempt to reduce operator burden through passive +safety features and increased automation. NuScale's Small Modular +Reactor design requires \textbf{no operator actions for 72 hours} +following design-basis accidents and only two operator actions for +beyond-design-basis events. However, even these advanced designs retain +human operators for strategic decisions, procedure implementation, and +override authority---preserving the human reliability challenges +documented over four decades. + +\subsubsection{Operating Procedures Lack Formal Verification} + +Nuclear plant procedures exist in a hierarchy: normal operating +procedures for routine evolutions, abnormal operating procedures for +off-normal conditions, Emergency Operating Procedures (EOPs) for +design-basis accidents, Severe Accident Management Guidelines (SAMGs) +for beyond-design-basis events, and Extensive Damage Mitigation +Guidelines (EDMGs) for catastrophic damage scenarios. These procedures +must comply with 10 CFR 50.34(b)(6)(ii) and are developed using guidance +from NUREG-0899~\cite{NUREG-0899}, but their development process relies +fundamentally on expert judgment and simulator validation rather than +formal verification. + +EOPs adopted a symptom-based approach following TMI, allowing operators +to respond to plant conditions without first diagnosing root causes---a +significant improvement over earlier event-based procedures. The BWR +Owners' Group completed Revision 3 of integrated Emergency Procedure +Guidelines/Severe Accident Guidelines in 2013, representing the current +state of the art in procedure development. Procedures undergo technical +evaluation, simulator validation testing, and biennial review as part of +operator requalification under 10 CFR 55.59~\cite{10CFR55}. + +Despite these rigorous development processes, \textbf{procedures +fundamentally lack formal verification of key safety properties}. 
There +is no mathematical proof that procedures cover all possible plant +states, that required actions can be completed within available +timeframes under all scenarios, or that transitions between procedure +sets maintain safety invariants. As the IAEA notes in +TECDOC-1580~\cite{IAEA-TECDOC-1580}, ``Most subsequent investigations +identify internal and external industry operating experience that, if +applied effectively, would have prevented the event''---a pattern +suggesting that current procedure development methods cannot guarantee +completeness. + +\textbf{LIMITATION:} \textit{Procedures lack formal verification of +correctness and completeness.} Current procedure development relies on +expert judgment and simulator validation. No mathematical proof exists +that procedures cover all possible plant states, that required actions +can be completed within available timeframes, or that transitions +between procedure sets maintain safety invariants. Paper-based +procedures cannot adapt to novel combinations of failures, and even +computer-based procedure systems lack the formal guarantees that +automated reasoning could provide. + +\subsubsection{Control Mode Transitions Lack Formal Safety Verification} + +Nuclear plants operate with multiple control modes: automatic control +where the reactor control system maintains target parameters through +continuous rod adjustment, manual control where operators directly +manipulate control rods, and various intermediate modes. In typical PWR +operation, the reactor control system automatically maintains floating +average temperature, compensating for xenon effects and fuel burnup at +rates limited to approximately 5\% power per minute. Safety systems +operate with high automation---Reactor Protection Systems trip +automatically on safety signals with millisecond response times, and +Engineered Safety Features actuate automatically on accident signals +without operator action required. 
+ +\textbf{The decision to transition between control modes relies on +operator judgment} informed by plant stability, equipment availability, +procedural requirements, and safety margins. However, current practice +lacks formal verification that mode transitions maintain safety +properties across all possible plant states. As \v{Z}erovnik et al. +observe~\cite{Zerovnik2023}, ``Manual control may be demanded in nuclear +power plants due to safety protocols. However, it may not be convenient +in load-following regimes with frequent load changes''---highlighting +the tension between operational flexibility and formal safety assurance. + +Research by Jo et al.~\cite{Jo2021} reveals a concerning trade-off: +``using procedures at high level of automation enables favorable +operational performance with decreased mental workload; however, +operator's situation awareness is decreased.'' This automation +paradox---where increasing automation reduces errors from workload but +increases errors from reduced vigilance---has been empirically +demonstrated but not formally optimized. Operators may experience mode +confusion, losing track of which control mode is active during complex +scenarios. + +\textbf{LIMITATION:} \textit{Mode transitions lack formal safety +verification.} No formal proof exists that all mode transitions preserve +safety invariants across the hybrid state space of continuous plant +dynamics and discrete control logic. The automation paradox trade-off +between reduced workload and reduced situation awareness has never been +formally optimized with mathematical guarantees about the resulting +reliability. + +\subsubsection{Current Automation Reveals the Hybrid Dynamics Challenge} + +Approximately \textbf{40\% of the world's operating +reactors}~\cite{IAEA2008} have undergone some digital I\&C upgrades, +with 90\% of digital implementations representing modernization of +existing analog systems. 
All reactors beginning construction after 1990
+incorporate digital I\&C components, with Asia leading adoption.
+
+The current division between automated and human-controlled functions
+reveals the fundamental challenge of hybrid control. \textbf{Highly
+automated systems} handle reactor protection (automatic trip on safety
+parameters), emergency core cooling actuation, containment isolation,
+and basic process control. \textbf{Human operators retain control} of
+strategic decision-making (power level changes, startup/shutdown
+sequences, mode transitions), procedure implementation (emergency
+response strategy selection), override authority, and assessment and
+diagnosis of beyond-design-basis events.
+
+Emerging technologies include deep reinforcement learning for autonomous
+control and Long Short-Term Memory networks for safety system control.
+Lee et al. demonstrated~\cite{Lee2019} that autonomous LSTM-based
+control achieved \textbf{performance superior to
+automation-plus-human-control} in simulated loss-of-coolant and steam
+generator tube rupture scenarios. Yet even these advanced autonomous
+control approaches lack formal verification, and as IEEE research
+documented~\cite{IEEE2019}, ``Introducing I\&C hardware failure modes to
+formal models comes at significant computational cost...state space
+explosion and prohibitively long processing times.''
+
+\textbf{LIMITATION:} \textit{Current practice treats continuous plant
+dynamics and discrete control logic separately.} No application of
+hybrid control theory exists that could provide mathematical guarantees
+across mode transitions, verify timing properties formally, or optimize
+the automation-human interaction trade-off with provable safety bounds.
+
+\subsection{Human Factors in Nuclear Accidents}
+
+The persistent role of human error in nuclear safety incidents, despite
+decades of improvements in training and procedures, provides perhaps the
+most compelling motivation for formal automated control with
+mathematical safety guarantees.
+
+\subsubsection{Human Error Dominates Nuclear Incident Causation}
+
+Multiple independent analyses converge on a striking statistic:
+\textbf{70--80\% of all nuclear power plant events are attributed to
+human error} versus approximately 20\% to equipment
+failures~\cite{DOE-HDBK-1028-2009,WNA2020}. More significantly, the
+International Atomic Energy Agency concluded that ``human error was the
+root cause of all severe accidents at nuclear power plants''---a
+categorical statement spanning Three Mile Island, Chernobyl, and
+Fukushima Daiichi~\cite{IAEA-severe-accidents}.
+
+A detailed analysis of 190 events at Chinese nuclear power plants from
+2007--2020 by Wang et al.~\cite{Wang2025} found that 53\% involved
+active errors while 92\% were associated with latent errors---organiza%
+tional and systemic weaknesses that create conditions for failure. Lloyd
+Dumas's study~\cite{Dumas1999} found approximately 80\% of incidents at
+10 nuclear centers stemmed from worker error or poor procedures, with
+roughly 70\% from latent organizational weaknesses and 30\% from
+individual worker actions.
+
+The persistence of this 70--80\% human error contribution despite
+\textbf{four decades of continuous improvements} in operator training,
+control room design, procedures, and human factors engineering suggests
+fundamental cognitive limitations rather than remediable deficiencies.
+
+\subsubsection{Three Mile Island Revealed Critical Human-Automation
+Interaction Failures}
+
+The Three Mile Island Unit 2 accident on March 28, 1979 remains the
+definitive case study in human factors failures in nuclear operations.
+The accident began at 4:00 AM with a routine feedwater pump trip,
+escalating when a pressure-operated relief valve (PORV) stuck
+open---draining reactor coolant---but control room instrumentation
+showed only whether the valve had been commanded to close, not whether
+it actually closed. When Emergency Core Cooling System pumps
+automatically activated as designed, \textbf{operators made the fateful
+decision to shut them down} based on their incorrect assessment of plant
+conditions.
+
+President's Commission chairman John Kemeny documented~\cite{Kemeny1979}
+how operators faced more than 100 simultaneous alarms, overwhelming
+their cognitive capacity. The core suffered partial meltdown with
+\textbf{44\% of the fuel melting} before the situation was stabilized.
+
+Quantitative risk analysis revealed the magnitude of failure in existing
+safety assessment methods: the actual core damage probability was
+approximately \textbf{5\% per year} while Probabilistic Risk Assessment
+had predicted 0.01\% per year---a \textbf{500-fold underestimation}.
+This dramatic failure demonstrated that human reliability could not be
+adequately assessed through expert judgment and historical data alone.
+
+\subsubsection{Human Reliability Analysis Documents Fundamental Cognitive
+Limitations}
+
+Human Reliability Analysis (HRA) methods developed over four decades
+quantify human error probabilities and performance shaping factors. The
+SPAR-H method~\cite{NUREG-CR-6883} represents current best practice,
+providing nominal Human Error Probabilities (HEPs) of \textbf{0.01 (1\%)
+for diagnosis tasks} and \textbf{0.001 (0.1\%) for action tasks} under
+optimal conditions.
+
+However, these nominal error rates degrade dramatically under realistic
+accident conditions: inadequate available time increases HEP by
+\textbf{10-fold}, extreme stress by \textbf{5-fold}, high complexity by
+\textbf{5-fold}, missing procedures by \textbf{50-fold}, and poor
+ergonomics by \textbf{50-fold}. Under combined adverse conditions
+typical of severe accidents, human error probabilities can approach
+\textbf{0.1 to 1.0 (10\% to 100\%)}---essentially guaranteed failure for
+complex diagnosis tasks~\cite{NUREG-2114}.
+
+Rasmussen's influential 1983 taxonomy~\cite{Rasmussen1983} divides human
+errors into skill-based (highly practiced responses, HEP $10^{-3}$ to
+$10^{-4}$), rule-based (following procedures, HEP $10^{-2}$ to
+$10^{-1}$), and knowledge-based (novel problem solving, HEP $10^{-1}$ to
+1). Severe accidents inherently require knowledge-based responses where
+human reliability is lowest. Miller's classic 1956
+finding~\cite{Miller1956} that working memory capacity is limited to
+\textbf{7$\pm$2 chunks} explains why Three Mile Island's 100+
+simultaneous alarms exceeded operators' processing capacity.
+
+\textbf{LIMITATION:} \textit{Human factors impose fundamental reliability
+limits that cannot be overcome through training alone.} Response time
+limitations constrain human effectiveness---reactor protection systems
+must respond in milliseconds, \textbf{100--1000 times faster than human
+operators}. Cognitive biases systematically distort judgment:
+confirmation bias, overconfidence, and anchoring bias are inherent
+features of human cognition, not individual failings~\cite{Reason1990}.
+The persistent 70--80\% human error contribution despite four decades of
+improvements demonstrates that these limitations are \textbf{fundamental
+rather than remediable}.
+
+\subsection{HARDENS: Discrete Control with Gaps in Hybrid Dynamics}
+
+The High Assurance Rigorous Digital Engineering for Nuclear Safety
+(HARDENS) project, completed by Galois, Inc. for the U.S. Nuclear
+Regulatory Commission in 2022, represents the most advanced application
+of formal methods to nuclear reactor control systems to
+date---and simultaneously reveals the critical gaps that remain.
+
+\subsubsection{Rigorous Digital Engineering Demonstrated Feasibility}
+
+HARDENS aimed to address the nuclear industry's fundamental dilemma:
+existing U.S. nuclear control rooms rely on analog technologies from the
+1950s--60s, making construction costs exceed \$500 million and timelines
+stretch to decades. The NRC contracted Galois to demonstrate that
+Model-Based Systems Engineering and formal methods could design, verify,
+and implement a complex protection system meeting regulatory criteria at
+a fraction of typical cost.
+
+The project delivered far beyond its scope, creating what Galois
+describes as ``the world's most advanced, high-assurance protection
+system demonstrator.'' Completed in \textbf{nine months at a tiny
+fraction of typical control system costs}~\cite{Kiniry2022}, the project
+produced a complete Reactor Trip System (RTS) implementation with full
+traceability from NRC Request for Proposals and IEEE standards through
+formal architecture specifications to formally verified binaries and
+hardware running on FPGA demonstrator boards.
+
+Principal Investigator Joseph Kiniry led the team in applying Galois's
+Rigorous Digital Engineering methodology combining model-based
+engineering, digital twins with measurable fidelity, and applied formal
+methods. The approach integrates multiple abstraction levels---from
+semi-formal natural language requirements through formal specifications
+to verified implementations---all maintained as integrated artifacts
+rather than separate documentation prone to divergence.
+
+\subsubsection{Comprehensive Formal Methods Toolkit Provided Verification}
+
+HARDENS employed an impressive array of formal methods tools and
+techniques across the verification hierarchy. High-level specifications
+used Lando, SysMLv2, and FRET (NASA JPL's Formal Requirements
+Elicitation Tool) to capture stakeholder requirements, domain
+engineering, certification requirements, and safety requirements.
+Requirements were formally analyzed for \textbf{consistency,
+completeness, and realizability} using SAT and SMT solvers---verification
+that current procedure development methods lack.
+
+Executable formal models employed Cryptol to create an executable
+behavioral model of the entire RTS including all subsystems, components,
+and formal digital twin models of sensors, actuators, and compute
+infrastructure. Automatic code synthesis generated formally verifiable C
+implementations and System Verilog hardware implementations directly
+from Cryptol models---eliminating the traditional gap between
+specification and implementation where errors commonly arise.
+
+Formal verification tools included SAW (Software Analysis Workbench) for
+proving equivalence between models and implementations, Frama-C for C
+code verification, and Yosys for hardware verification. HARDENS verified
+both automatically synthesized and hand-written implementations against
+their models and against each other, providing redundant assurance
+paths.
+
+This multi-layered verification approach represents a quantum leap
+beyond current nuclear I\&C verification practices, which rely primarily
+on testing and simulation. HARDENS demonstrated that \textbf{complete
+formal verification from requirements to implementation is technically
+feasible} for safety-critical nuclear control systems.
+
+\subsubsection{Critical Limitation: Discrete Control Logic Only}
+
+Despite its impressive accomplishments, HARDENS has a fundamental
+limitation directly relevant to hybrid control synthesis: \textbf{the
+project addressed only discrete digital control logic without modeling
+or verifying continuous reactor dynamics}. The Reactor Trip System
+specification and formal verification covered discrete state transitions
+(trip/no-trip decisions), digital sensor input processing through
+discrete logic, and discrete actuation outputs (reactor trip commands).
+The system correctly implements the digital control logic for reactor
+protection with mathematical guarantees.
+
+However, the project did not address continuous dynamics of nuclear
+reactor physics including neutron kinetics, thermal-hydraulics, xenon
+oscillations, fuel temperature feedback, coolant flow dynamics, and heat
+transfer---all governed by continuous differential equations. Real
+reactor safety depends on the interaction between continuous processes
+(temperature, pressure, neutron flux evolving according to differential
+equations) and discrete control decisions (trip/no-trip, valve
+open/close, pump on/off). HARDENS verified the discrete controller in
+isolation but not the closed-loop hybrid system behavior.
+
+\textbf{LIMITATION:} \textit{HARDENS addressed discrete control logic
+without continuous dynamics or hybrid system verification.} Hybrid
+automata, differential dynamic logic, or similar hybrid systems
+formalisms would be required to specify and verify properties like ``the
+controller maintains core temperature below safety limits under all
+possible disturbances''---a property that inherently spans continuous and
+discrete dynamics. Verifying discrete control logic alone provides no
+guarantee that the closed-loop system exhibits desired continuous
+behavior such as stability, convergence to setpoints, or maintained
+safety margins.
+
+\subsubsection{Experimental Validation Gap Limits Technology Readiness}
+
+The second critical limitation is \textbf{absence of experimental
+validation} in actual nuclear facilities or realistic operational
+environments. HARDENS produced a demonstrator system at Technology
+Readiness Level 3--4 (analytical proof of concept with laboratory
+breadboard validation) rather than a deployment-ready system validated
+through extended operational testing. The NRC Final Report explicitly
+notes~\cite{Kiniry2022}: ``All material is considered in development and
+not a finalized product'' and ``The demonstration of its technical
+soundness was to be at a level consistent with satisfaction of the
+current regulatory criteria, although with no explicit demonstration of
+how regulatory requirements are met.''
+
+The project did not include deployment in actual nuclear facilities,
+testing with real reactor systems under operational conditions,
+side-by-side validation with operational analog RTS systems, systematic
+failure mode testing (radiation effects, electromagnetic interference,
+temperature extremes), actual NRC licensing review, or human factors
+validation with licensed nuclear operators in realistic control room
+scenarios.
+
+\textbf{LIMITATION:} \textit{HARDENS achieved TRL 3--4 without experimental
+validation.} While formal verification provides mathematical correctness
+guarantees for the implemented discrete logic, the gap between formal
+verification and actual system deployment involves myriad practical
+considerations: integration with legacy systems, long-term reliability
+under harsh environments, human-system interaction in realistic
+operational contexts, and regulatory acceptance of formal methods as
+primary assurance evidence.
+
+\subsection{Research Imperative: Formal Hybrid Control Synthesis}
+
+Three converging lines of evidence establish an urgent research
+imperative for formal hybrid control synthesis applied to nuclear
+reactor systems.
+
+\textbf{Current reactor control practices} reveal fundamental gaps in
+verification. Procedures lack mathematical proofs of completeness or
+timing adequacy. Mode transitions preserve safety properties only
+informally. Operator decision-making relies on training rather than
+verified algorithms. The divide between continuous plant dynamics and
+discrete control logic has never been bridged with formal methods.
+Despite extensive regulatory frameworks developed over six decades,
+\textbf{no mathematical guarantees exist} that current control approaches
+maintain safety under all possible scenarios.
+
+\textbf{Human factors in nuclear accidents} demonstrate that human error
+contributes to 70--80\% of nuclear incidents despite four decades of
+systematic improvements. The IAEA's categorical statement that ``human
+error was the root cause of all severe accidents'' reveals fundamental
+cognitive limitations: working memory capacity of 7$\pm$2 chunks,
+response times of seconds to minutes versus milliseconds required,
+cognitive biases immune to training, stress-induced performance
+degradation. Human Reliability Analysis methods document error
+probabilities of 0.001--0.01 under optimal conditions degrading to
+0.1--1.0 under realistic accident conditions. These limitations
+\textbf{cannot be overcome through human factors improvements alone}.
+
+\textbf{The HARDENS project} proved that formal verification is
+technically feasible and economically viable for nuclear control
+systems, achieving complete verification from requirements to
+implementation in nine months at a fraction of typical costs. However,
+HARDENS addressed only discrete control logic without considering
+continuous reactor dynamics or hybrid system verification, and the
+demonstrator achieved only TRL 3--4 without experimental validation in
+realistic nuclear environments. These limitations directly define the
+research frontier: \textbf{formal synthesis of hybrid controllers that
+provide mathematical safety guarantees across both continuous plant
+dynamics and discrete control logic}.
+
+The research opportunity is clear. Nuclear reactors are quintessential
+hybrid cyber-physical systems where continuous neutron kinetics,
+thermal-hydraulics, and heat transfer interact with discrete control
+mode decisions, trip logic, and valve states. Current practice treats
+these domains separately---reactor physics analyzed with simulation,
+control logic verified through testing, human operators expected to
+integrate everything through procedures. \textbf{Hybrid control
+synthesis offers the possibility of unified formal treatment} where
+controllers are automatically generated from high-level safety
+specifications with mathematical proofs that guarantee safe operation
+across all modes, all plant states, and all credible disturbances.
+
+Recent advances in hybrid systems theory---including reachability
+analysis, barrier certificates, counterexample-guided inductive
+synthesis, and satisfiability modulo theories for hybrid systems---provide
+the theoretical foundation. Computational advances enable verification of
+systems with continuous state spaces that were intractable a decade ago.
+The confluence of mature formal methods, powerful verification tools
+demonstrated by HARDENS, urgent safety imperatives documented by
+persistent human error statistics, and fundamental gaps in current
+hybrid dynamics treatment creates a compelling and timely research
+opportunity.