Auto sync: 2025-10-15 17:52:13 (15 files changed)

M  .task/backlog.data

M  .task/completed.data

M  .task/pending.data

M  .task/undo.data

M  Writing/ERLM/main.aux

M  Writing/ERLM/main.bbl

M  Writing/ERLM/main.blg

M  Writing/ERLM/main.fdb_latexmk
Dane Sabo 2025-10-15 17:52:13 -04:00
parent 08e01cbcb7
commit 4f1c224393
15 changed files with 1043 additions and 117 deletions


@ -108,3 +108,9 @@
{"description":"Complete peer review with Simeona","due":"20251009T040000Z","end":"20251009T200847Z","entry":"20251008T183016Z","modified":"20251009T200847Z","project":"ERLM","status":"completed","uuid":"a2970741-1bdf-4f67-a63f-40da1f96315e"} {"description":"Complete peer review with Simeona","due":"20251009T040000Z","end":"20251009T200847Z","entry":"20251008T183016Z","modified":"20251009T200847Z","project":"ERLM","status":"completed","uuid":"a2970741-1bdf-4f67-a63f-40da1f96315e"}
{"description":"Find INL person Robert mentioned","due":"20251008T040000Z","end":"20251009T200847Z","entry":"20251008T183121Z","modified":"20251009T200847Z","project":"Internship","status":"completed","uuid":"4e709e7a-91f6-47ad-af29-11d3c2cee3d9"} {"description":"Find INL person Robert mentioned","due":"20251008T040000Z","end":"20251009T200847Z","entry":"20251008T183121Z","modified":"20251009T200847Z","project":"Internship","status":"completed","uuid":"4e709e7a-91f6-47ad-af29-11d3c2cee3d9"}
{"description":"Read Opportunities, Challenges, and Research Needs for Remote Microreactor Operations","entry":"20250910T150523Z","modified":"20251009T200934Z","project":"thesis","start":"20251009T200934Z","status":"pending","uuid":"96c76e6b-5c33-4f54-a156-5c59e718f01a","tags":["reading"]} {"description":"Read Opportunities, Challenges, and Research Needs for Remote Microreactor Operations","entry":"20250910T150523Z","modified":"20251009T200934Z","project":"thesis","start":"20251009T200934Z","status":"pending","uuid":"96c76e6b-5c33-4f54-a156-5c59e718f01a","tags":["reading"]}
{"description":"Edit goals and outcomes to adjust capabilities. What is new capability, not research task","end":"20251015T183612Z","entry":"20250924T164236Z","modified":"20251015T183612Z","project":"ERLM","status":"completed","uuid":"ce706282-31bb-4cba-882d-86f09a76045d","tags":["writing"]}
{"description":"Write metrics of success section","end":"20251015T183612Z","entry":"20251008T183024Z","modified":"20251015T183612Z","project":"ERLM","status":"completed","uuid":"3bf52991-f8df-4387-9a79-0b5f14f2c5d1","tags":["writing"]}
{"description":"Find out what 10 CFR is. Specifically, 10 CFR 50.34 and 10 CFR 55.59. Emergency Operating Procedures?","entry":"20251015T212147Z","modified":"20251015T212147Z","project":"thesis","status":"pending","uuid":"b0192186-bcbc-4d5c-a156-5e83fdfeda69"}
{"description":"edit State of the art","entry":"20251015T215116Z","modified":"20251015T215116Z","project":"ERLM","status":"pending","uuid":"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9"}
{"description":"Write whitepaper","due":"20251020T040000Z","entry":"20251015T215139Z","modified":"20251015T215139Z","project":"ERLM","status":"pending","uuid":"52b4cc9a-33c7-472b-b3b6-3e9504649e19","depends":["fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9"]}
{"description":"Rewrite state of the art for nuclear controls engineering and hybrid systems","due":"20250929T040000Z","end":"20251015T215159Z","entry":"20250924T164019Z","modified":"20251015T215159Z","project":"ERLM","status":"completed","uuid":"e0636009-9061-47d0-9b59-1f2464a252a7","tags":["editing"]}


@ -1,3 +1,8 @@
[description:"Rewrite state of the art for nuclear controls engineering and hybrid systems" due:"1759118400" end:"1760565119" entry:"1758732019" modified:"1760565119" project:"ERLM" status:"completed" tags:"editing" tags_editing:"x" uuid:"e0636009-9061-47d0-9b59-1f2464a252a7"]
[description:"Edit goals and outcomes to adjust capabilities. What is new capability, not research task" end:"1760553372" entry:"1758732156" modified:"1760553372" project:"ERLM" status:"completed" tags:"writing" tags_writing:"x" uuid:"ce706282-31bb-4cba-882d-86f09a76045d"]
[description:"Write metrics of success section" end:"1760553372" entry:"1759948224" modified:"1760553372" project:"ERLM" status:"completed" tags:"writing" tags_writing:"x" uuid:"3bf52991-f8df-4387-9a79-0b5f14f2c5d1"]
[description:"Complete peer review with Simeona" due:"1759982400" end:"1760040527" entry:"1759948216" modified:"1760040527" project:"ERLM" status:"completed" uuid:"a2970741-1bdf-4f67-a63f-40da1f96315e"]
[description:"Find INL person Robert mentioned" due:"1759896000" end:"1760040527" entry:"1759948281" modified:"1760040527" project:"Internship" status:"completed" uuid:"4e709e7a-91f6-47ad-af29-11d3c2cee3d9"]
[description:"Edit goals and outcomes" end:"1759950170" entry:"1758731993" modified:"1759950172" project:"ERLM" status:"deleted" uuid:"bbc41e22-c647-4209-9500-382e0321b625"] [description:"Edit goals and outcomes" end:"1759950170" entry:"1758731993" modified:"1759950172" project:"ERLM" status:"deleted" uuid:"bbc41e22-c647-4209-9500-382e0321b625"]
[description:"Fix pagination that Dan was complaining about" end:"1759950177" entry:"1758732224" modified:"1759950177" project:"ERLM" status:"completed" uuid:"306c574b-c3f6-4363-914b-f1eddda04543"] [description:"Fix pagination that Dan was complaining about" end:"1759950177" entry:"1758732224" modified:"1759950177" project:"ERLM" status:"completed" uuid:"306c574b-c3f6-4363-914b-f1eddda04543"]
[description:"Write zettel about lipschitz continuity" end:"1759948076" entry:"1757625029" modified:"1759948084" status:"completed" tags:"zk" tags_zk:"x" uuid:"b7f68988-8c06-4d18-bf77-91d7e39fd55f"] [description:"Write zettel about lipschitz continuity" end:"1759948076" entry:"1757625029" modified:"1759948084" status:"completed" tags:"zk" tags_zk:"x" uuid:"b7f68988-8c06-4d18-bf77-91d7e39fd55f"]


@ -29,12 +29,10 @@
[description:"Learning Local Control Barrier Functions for Hybrid Systems (2024)" entry:"1758125087" modified:"1758125087" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"3abf4246-566a-4ba8-b392-cbab5d7a9aa0"] [description:"Learning Local Control Barrier Functions for Hybrid Systems (2024)" entry:"1758125087" modified:"1758125087" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"3abf4246-566a-4ba8-b392-cbab5d7a9aa0"]
[description:"Model Predictive Control of Stochastic Hybrid Systems with Signal Temporal Logic Constraints (2025)" entry:"1758125087" modified:"1758125087" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"320ec48e-134f-462f-ac3c-ffaf70698691"] [description:"Model Predictive Control of Stochastic Hybrid Systems with Signal Temporal Logic Constraints (2025)" entry:"1758125087" modified:"1758125087" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"320ec48e-134f-462f-ac3c-ffaf70698691"]
[description:"Online Control Synthesis for Uncertain Systems under Signal Temporal Logic Specifications (2024)" entry:"1758125087" modified:"1758125087" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"b47de464-8a66-45d2-b487-6588a60c8112"] [description:"Online Control Synthesis for Uncertain Systems under Signal Temporal Logic Specifications (2024)" entry:"1758125087" modified:"1758125087" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"b47de464-8a66-45d2-b487-6588a60c8112"]
[description:"Rewrite state of the art for nuclear controls engineering and hybrid systems" due:"1759118400" entry:"1758732019" modified:"1758732076" project:"ERLM" status:"pending" tags:"editing" tags_editing:"x" uuid:"e0636009-9061-47d0-9b59-1f2464a252a7"]
[description:"Edit goals and outcomes to adjust capabilities. What is new capability, not research task" entry:"1758732156" modified:"1758732156" project:"ERLM" status:"pending" tags:"writing" tags_writing:"x" uuid:"ce706282-31bb-4cba-882d-86f09a76045d"]
[description:"Add research tasks to research approach section" entry:"1758732208" modified:"1758732208" project:"ERLM" status:"pending" tags:"editing,writing" tags_editing:"x" tags_writing:"x" uuid:"56028c48-5a4b-46cd-a40e-ada624cf6187"] [description:"Add research tasks to research approach section" entry:"1758732208" modified:"1758732208" project:"ERLM" status:"pending" tags:"editing,writing" tags_editing:"x" tags_writing:"x" uuid:"56028c48-5a4b-46cd-a40e-ada624cf6187"]
[description:"Complete broader impacts peer review" due:"1759464000" entry:"1759418173" modified:"1759418173" project:"ERLM" status:"pending" uuid:"a5877ce8-f750-413d-8ec1-0e9429395cee"] [description:"Complete broader impacts peer review" due:"1759464000" entry:"1759418173" modified:"1759418173" project:"ERLM" status:"pending" uuid:"a5877ce8-f750-413d-8ec1-0e9429395cee"]
[description:"Complete peer review with Simeona" due:"1759982400" end:"1760040527" entry:"1759948216" modified:"1760040527" project:"ERLM" status:"completed" uuid:"a2970741-1bdf-4f67-a63f-40da1f96315e"]
[description:"Write metrics of success section" entry:"1759948224" modified:"1759948224" project:"ERLM" status:"pending" tags:"writing" tags_writing:"x" uuid:"3bf52991-f8df-4387-9a79-0b5f14f2c5d1"]
[description:"Make list of internship spots" due:"1760068800" entry:"1759948253" modified:"1759948253" project:"Internship" status:"pending" uuid:"e978e178-5069-44a6-b9de-c835bdf1774f"] [description:"Make list of internship spots" due:"1760068800" entry:"1759948253" modified:"1759948253" project:"Internship" status:"pending" uuid:"e978e178-5069-44a6-b9de-c835bdf1774f"]
[description:"Find INL person Robert mentioned" due:"1759896000" end:"1760040527" entry:"1759948281" modified:"1760040527" project:"Internship" status:"completed" uuid:"4e709e7a-91f6-47ad-af29-11d3c2cee3d9"]
[description:"Do intial play around with Emerson Ovation system" due:"1760068800" entry:"1759949018" modified:"1759949018" status:"pending" uuid:"1116b9e1-e2a9-44e3-939a-1ca7f66d3eea"] [description:"Do intial play around with Emerson Ovation system" due:"1760068800" entry:"1759949018" modified:"1759949018" status:"pending" uuid:"1116b9e1-e2a9-44e3-939a-1ca7f66d3eea"]
[description:"Find out what 10 CFR is. Specifically, 10 CFR 50.34 and 10 CFR 55.59. Emergency Operating Procedures?" entry:"1760563307" modified:"1760563307" project:"thesis" status:"pending" uuid:"b0192186-bcbc-4d5c-a156-5e83fdfeda69"]
[description:"edit State of the art" entry:"1760565076" modified:"1760565076" project:"ERLM" status:"pending" uuid:"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9"]
[dep_fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9:"x" depends:"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9" description:"Write whitepaper" due:"1760932800" entry:"1760565099" modified:"1760565099" project:"ERLM" status:"pending" uuid:"52b4cc9a-33c7-472b-b3b6-3e9504649e19"]


@ -371,3 +371,24 @@ time 1760040574
old [description:"Read Opportunities, Challenges, and Research Needs for Remote Microreactor Operations" entry:"1757516723" modified:"1758125189" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"96c76e6b-5c33-4f54-a156-5c59e718f01a"] old [description:"Read Opportunities, Challenges, and Research Needs for Remote Microreactor Operations" entry:"1757516723" modified:"1758125189" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"96c76e6b-5c33-4f54-a156-5c59e718f01a"]
new [description:"Read Opportunities, Challenges, and Research Needs for Remote Microreactor Operations" entry:"1757516723" modified:"1760040574" project:"thesis" start:"1760040574" status:"pending" tags:"reading" tags_reading:"x" uuid:"96c76e6b-5c33-4f54-a156-5c59e718f01a"] new [description:"Read Opportunities, Challenges, and Research Needs for Remote Microreactor Operations" entry:"1757516723" modified:"1760040574" project:"thesis" start:"1760040574" status:"pending" tags:"reading" tags_reading:"x" uuid:"96c76e6b-5c33-4f54-a156-5c59e718f01a"]
--- ---
time 1760553372
old [description:"Edit goals and outcomes to adjust capabilities. What is new capability, not research task" entry:"1758732156" modified:"1758732156" project:"ERLM" status:"pending" tags:"writing" tags_writing:"x" uuid:"ce706282-31bb-4cba-882d-86f09a76045d"]
new [description:"Edit goals and outcomes to adjust capabilities. What is new capability, not research task" end:"1760553372" entry:"1758732156" modified:"1760553372" project:"ERLM" status:"completed" tags:"writing" tags_writing:"x" uuid:"ce706282-31bb-4cba-882d-86f09a76045d"]
---
time 1760553372
old [description:"Write metrics of success section" entry:"1759948224" modified:"1759948224" project:"ERLM" status:"pending" tags:"writing" tags_writing:"x" uuid:"3bf52991-f8df-4387-9a79-0b5f14f2c5d1"]
new [description:"Write metrics of success section" end:"1760553372" entry:"1759948224" modified:"1760553372" project:"ERLM" status:"completed" tags:"writing" tags_writing:"x" uuid:"3bf52991-f8df-4387-9a79-0b5f14f2c5d1"]
---
time 1760563307
new [description:"Find out what 10 CFR is. Specifically, 10 CFR 50.34 and 10 CFR 55.59. Emergency Operating Procedures?" entry:"1760563307" modified:"1760563307" project:"thesis" status:"pending" uuid:"b0192186-bcbc-4d5c-a156-5e83fdfeda69"]
---
time 1760565076
new [description:"edit State of the art" entry:"1760565076" modified:"1760565076" project:"ERLM" status:"pending" uuid:"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9"]
---
time 1760565099
new [dep_fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9:"x" depends:"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9" description:"Write whitepaper" due:"1760932800" entry:"1760565099" modified:"1760565099" project:"ERLM" status:"pending" uuid:"52b4cc9a-33c7-472b-b3b6-3e9504649e19"]
---
time 1760565119
old [description:"Rewrite state of the art for nuclear controls engineering and hybrid systems" due:"1759118400" entry:"1758732019" modified:"1758732076" project:"ERLM" status:"pending" tags:"editing" tags_editing:"x" uuid:"e0636009-9061-47d0-9b59-1f2464a252a7"]
new [description:"Rewrite state of the art for nuclear controls engineering and hybrid systems" due:"1759118400" end:"1760565119" entry:"1758732019" modified:"1760565119" project:"ERLM" status:"completed" tags:"editing" tags_editing:"x" uuid:"e0636009-9061-47d0-9b59-1f2464a252a7"]
---


@ -2,21 +2,80 @@
\bibstyle{unsrt} \bibstyle{unsrt}
\providecommand \oddpage@label [2]{} \providecommand \oddpage@label [2]{}
\@writefile{toc}{\contentsline {section}{\numberline {1}Goals and Outcomes}{1}{}\protected@file@percent } \@writefile{toc}{\contentsline {section}{\numberline {1}Goals and Outcomes}{1}{}\protected@file@percent }
\citation{DOE-HDBK-1028-2009,WNA2020,Wang2025}
\citation{10CFR55}
\@writefile{toc}{\contentsline {section}{\numberline {2}State of the Art and Limits of Current Practice}{2}{}\protected@file@percent } \@writefile{toc}{\contentsline {section}{\numberline {2}State of the Art and Limits of Current Practice}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {3}Research Approach}{2}{}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Current Reactor Control Practices}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}$(Procedures \wedge FRET) \rightarrow Temporal Specifications$}{3}{}\protected@file@percent } \citation{Kemeny1979}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}$(TemporalLogic \wedge ReactiveSynthesis) \rightarrow DiscreteAutomata$}{4}{}\protected@file@percent } \citation{Kemeny1979}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}$(DiscreteAutomata \wedge ControlTheory \wedge Reachability) \rightarrow ContinuousModes$}{5}{}\protected@file@percent } \citation{NUREG-0899}
\citation{10CFR55}
\citation{IAEA-TECDOC-1580}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.1.1}Human Operators Retain Ultimate Decision Authority}{3}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.1.2}Operating Procedures Lack Formal Verification}{3}{}\protected@file@percent }
\citation{Zerovnik2023}
\citation{Jo2021}
\citation{IAEA2008}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.1.3}Control Mode Transitions Lack Formal Safety Verification}{4}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.1.4}Current Automation Reveals the Hybrid Dynamics Challenge}{4}{}\protected@file@percent }
\citation{Lee2019}
\citation{IEEE2019}
\citation{DOE-HDBK-1028-2009,WNA2020}
\citation{IAEA-severe-accidents}
\citation{Wang2025}
\citation{Dumas1999}
\citation{Kemeny1979}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Human Factors in Nuclear Accidents}{5}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.1}Human Error Dominates Nuclear Incident Causation}{5}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.2}Three Mile Island Revealed Critical Human-Automation Interaction Failures}{5}{}\protected@file@percent }
\citation{NUREG-CR-6883}
\citation{NUREG-2114}
\citation{Rasmussen1983}
\citation{Miller1956}
\citation{Reason1990}
\citation{Kiniry2022}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.3}Human Reliability Analysis Documents Fundamental Cognitive Limitations}{6}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.3}HARDENS: Discrete Control with Gaps in Hybrid Dynamics}{6}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.3.1}Rigorous Digital Engineering Demonstrated Feasibility}{6}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.3.2}Comprehensive Formal Methods Toolkit Provided Verification}{7}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.3.3}Critical Limitation: Discrete Control Logic Only}{7}{}\protected@file@percent }
\citation{Kiniry2022}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.3.4}Experimental Validation Gap Limits Technology Readiness}{8}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.4}Research Imperative: Formal Hybrid Control Synthesis}{8}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {3}Research Approach}{9}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}$(Procedures \wedge FRET) \rightarrow Temporal Specifications$}{10}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}$(TemporalLogic \wedge ReactiveSynthesis) \rightarrow DiscreteAutomata$}{11}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}$(DiscreteAutomata \wedge ControlTheory \wedge Reachability) \rightarrow ContinuousModes$}{12}{}\protected@file@percent }
\citation{eia_lcoe_2022} \citation{eia_lcoe_2022}
\citation{eesi_datacenter_2024} \citation{eesi_datacenter_2024}
\citation{eia_lcoe_2022} \citation{eia_lcoe_2022}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Broader Impacts}{7}{}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Broader Impacts}{14}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {4}Metrics for Success}{8}{}\protected@file@percent } \@writefile{toc}{\contentsline {section}{\numberline {4}Metrics for Success}{15}{}\protected@file@percent }
\@writefile{toc}{\contentsline {paragraph}{TRL 3 \textit {Critical Function and Proof of Concept}}{9}{}\protected@file@percent } \@writefile{toc}{\contentsline {paragraph}{TRL 3 \textit {Critical Function and Proof of Concept}}{16}{}\protected@file@percent }
\@writefile{toc}{\contentsline {paragraph}{TRL 4 \textit {Laboratory Testing of Integrated Components}}{9}{}\protected@file@percent } \@writefile{toc}{\contentsline {paragraph}{TRL 4 \textit {Laboratory Testing of Integrated Components}}{16}{}\protected@file@percent }
\@writefile{toc}{\contentsline {paragraph}{TRL 5 \textit {Laboratory Testing in Relevant Environment}}{9}{}\protected@file@percent } \@writefile{toc}{\contentsline {paragraph}{TRL 5 \textit {Laboratory Testing in Relevant Environment}}{16}{}\protected@file@percent }
\bibdata{references} \bibdata{references}
\bibcite{eia_lcoe_2022}{1} \bibcite{DOE-HDBK-1028-2009}{1}
\bibcite{eesi_datacenter_2024}{2} \bibcite{WNA2020}{2}
\@writefile{toc}{\contentsline {section}{References}{11}{}\protected@file@percent } \bibcite{Wang2025}{3}
\gdef \@abspage@last{12} \bibcite{10CFR55}{4}
\bibcite{Kemeny1979}{5}
\bibcite{NUREG-0899}{6}
\bibcite{IAEA-TECDOC-1580}{7}
\bibcite{Zerovnik2023}{8}
\bibcite{Jo2021}{9}
\bibcite{IAEA2008}{10}
\bibcite{Lee2019}{11}
\bibcite{IEEE2019}{12}
\bibcite{IAEA-severe-accidents}{13}
\bibcite{Dumas1999}{14}
\bibcite{NUREG-CR-6883}{15}
\@writefile{toc}{\contentsline {section}{References}{18}{}\protected@file@percent }
\bibcite{NUREG-2114}{16}
\bibcite{Rasmussen1983}{17}
\bibcite{Miller1956}{18}
\bibcite{Reason1990}{19}
\bibcite{Kiniry2022}{20}
\bibcite{eia_lcoe_2022}{21}
\bibcite{eesi_datacenter_2024}{22}
\gdef \@abspage@last{20}


@ -1,4 +1,113 @@
\begin{thebibliography}{1} \begin{thebibliography}{10}
\bibitem{DOE-HDBK-1028-2009}
{U.S. Department of Energy}.
\newblock Human performance handbook.
\newblock Handbook DOE-HDBK-1028-2009, U.S. Department of Energy, 2009.
\bibitem{WNA2020}
{World Nuclear Association}.
\newblock Safety of nuclear power reactors.
\newblock \url{https://www.world-nuclear.org/information-library/safety-and-security/safety-of-plants/safety-of-nuclear-power-reactors.aspx}, 2020.
\bibitem{Wang2025}
Y.~Wang et~al.
\newblock Analysis of human error in nuclear power plant operations: A systematic review of events from 2007--2020.
\newblock {\em Journal of Nuclear Safety}, 2025.
\newblock Analysis of 190 events at Chinese nuclear power plants.
\bibitem{10CFR55}
{U.S. Nuclear Regulatory Commission}.
\newblock Operators' licenses.
\newblock 10 CFR Part 55.
\newblock Code of Federal Regulations.
\bibitem{Kemeny1979}
John~G. Kemeny et~al.
\newblock Report of the president's commission on the accident at three mile island.
\newblock Technical report, President's Commission on the Accident at Three Mile Island, October 1979.
\bibitem{NUREG-0899}
{U.S. Nuclear Regulatory Commission}.
\newblock Guidelines for the preparation of emergency operating procedures.
\newblock Technical Report NUREG-0899, U.S. Nuclear Regulatory Commission, 1982.
\bibitem{IAEA-TECDOC-1580}
{International Atomic Energy Agency}.
\newblock Good practices for cost effective maintenance of nuclear power plants.
\newblock Technical Report TECDOC-1580, International Atomic Energy Agency, 2007.
\bibitem{Zerovnik2023}
Gašper \v{Z}erovnik et~al.
\newblock Knowledge transfer challenges in nuclear operations.
\newblock {\em Nuclear Engineering and Design}, 2023.
\newblock Analysis of knowledge transfer from experienced operators.
\bibitem{Jo2021}
Y.~Jo et~al.
\newblock Automation paradox in nuclear power plant control: Effects on operator situation awareness.
\newblock {\em Nuclear Engineering and Technology}, 2021.
\newblock Empirical study of automation effects on operator performance.
\bibitem{IAEA2008}
{International Atomic Energy Agency}.
\newblock Modern instrumentation and control for nuclear power plants: A guidebook.
\newblock Technical Report Technical Reports Series No. 387, International Atomic Energy Agency, 2008.
\bibitem{Lee2019}
D.~Lee et~al.
\newblock Autonomous control of nuclear reactors using long short-term memory networks.
\newblock {\em Nuclear Engineering and Technology}, 2019.
\newblock Demonstration of LSTM-based autonomous control in LOC and SGTR scenarios.
\bibitem{IEEE2019}
{IEEE Working Group}.
\newblock Formal verification challenges for nuclear i\&c systems.
\newblock In {\em IEEE Conference on Nuclear Power Instrumentation, Control and Human-Machine Interface Technologies}, 2019.
\newblock Discussion of state space explosion in formal verification.
\bibitem{IAEA-severe-accidents}
{International Atomic Energy Agency}.
\newblock Human error as root cause in severe nuclear accidents.
\newblock IAEA Safety Report.
\newblock Analysis of TMI, Chernobyl, and Fukushima accidents.
\bibitem{Dumas1999}
Lloyd Dumas.
\newblock Worker error and safety in nuclear facilities.
\newblock {\em Journal of Nuclear Safety}, 1999.
\newblock Study of incidents at 10 nuclear centers.
\bibitem{NUREG-CR-6883}
D.~Gertman et~al.
\newblock The spar-h human reliability analysis method.
\newblock Technical Report NUREG/CR-6883, U.S. Nuclear Regulatory Commission, 2005.
\bibitem{NUREG-2114}
{U.S. Nuclear Regulatory Commission}.
\newblock Cognitive basis for human reliability analysis.
\newblock Technical Report NUREG-2114, U.S. Nuclear Regulatory Commission, 2016.
\bibitem{Rasmussen1983}
J.~Rasmussen.
\newblock Skills, rules, and knowledge; signals, signs, and symbols, and other distinctions in human performance models.
\newblock {\em IEEE Transactions on Systems, Man, and Cybernetics}, SMC-13(3):257--266, 1983.
\bibitem{Miller1956}
George~A. Miller.
\newblock The magical number seven, plus or minus two: Some limits on our capacity for processing information.
\newblock {\em Psychological Review}, 63(2):81--97, 1956.
\bibitem{Reason1990}
James Reason.
\newblock {\em Human Error}.
\newblock Cambridge University Press, 1990.
\bibitem{Kiniry2022}
Joseph Kiniry, Alexander Bakst, Michal Podhradsky, Simon Hansen, and Andrew Bivin.
\newblock High assurance rigorous digital engineering for nuclear safety (hardens) final technical report.
\newblock Technical Report ML22326A307, Galois, Inc. / U.S. Nuclear Regulatory Commission, 2022.
\newblock NRC Contract 31310021C0014.
\bibitem{eia_lcoe_2022} \bibitem{eia_lcoe_2022}
{U.S. Energy Information Administration}. {U.S. Energy Information Administration}.


@ -3,44 +3,44 @@ Capacity: max_strings=200000, hash_size=200000, hash_prime=170003
The top-level auxiliary file: main.aux The top-level auxiliary file: main.aux
The style file: unsrt.bst The style file: unsrt.bst
Database file #1: references.bib Database file #1: references.bib
You've used 2 entries, You've used 22 entries,
1791 wiz_defined-function locations, 1791 wiz_defined-function locations,
458 strings with 3888 characters, 583 strings with 7229 characters,
and the built_in function-call counts, 290 in all, are: and the built_in function-call counts, 3301 in all, are:
= -- 27 = -- 301
> -- 8 > -- 125
< -- 0 < -- 7
+ -- 4 + -- 54
- -- 2 - -- 32
* -- 7 * -- 109
:= -- 58 := -- 599
add.period$ -- 8 add.period$ -- 77
call.type$ -- 2 call.type$ -- 22
change.case$ -- 3 change.case$ -- 23
chr.to.int$ -- 0 chr.to.int$ -- 0
cite$ -- 2 cite$ -- 22
duplicate$ -- 11 duplicate$ -- 161
empty$ -- 31 empty$ -- 341
format.name$ -- 2 format.name$ -- 32
if$ -- 62 if$ -- 726
int.to.chr$ -- 0 int.to.chr$ -- 0
int.to.str$ -- 2 int.to.str$ -- 22
missing$ -- 0 missing$ -- 10
newline$ -- 15 newline$ -- 124
num.names$ -- 2 num.names$ -- 22
pop$ -- 7 pop$ -- 67
preamble$ -- 1 preamble$ -- 1
purify$ -- 0 purify$ -- 0
quote$ -- 0 quote$ -- 0
skip$ -- 3 skip$ -- 49
stack$ -- 0 stack$ -- 0
substring$ -- 0 substring$ -- 44
swap$ -- 1 swap$ -- 21
text.length$ -- 0 text.length$ -- 7
text.prefix$ -- 0 text.prefix$ -- 0
top$ -- 0 top$ -- 0
type$ -- 0 type$ -- 0
warning$ -- 0 warning$ -- 0
while$ -- 2 while$ -- 26
width$ -- 3 width$ -- 24
write$ -- 27 write$ -- 253


@ -1,13 +1,13 @@
# Fdb version 4 # Fdb version 4
["bibtex main"] 1760371279.11218 "main.aux" "main.bbl" "main" 1760371325.03652 0 ["bibtex main"] 1760562752.25076 "main.aux" "main.bbl" "main" 1760562753.16807 0
"./references.bib" 1759167577.47323 10304 77c9387d6b0ce7e1af7f15e6fb0e19c3 "" "./references.bib" 1760562704.16405 17887 8c959c4bb228b5a8c44fd08ed0751b05 ""
"/usr/share/texlive/texmf-dist/bibtex/bst/base/unsrt.bst" 1292289607 18030 1376b4b231b50c66211e47e42eda2875 "" "/usr/share/texlive/texmf-dist/bibtex/bst/base/unsrt.bst" 1292289607 18030 1376b4b231b50c66211e47e42eda2875 ""
"main.aux" 1760371324.88752 1796 6a1daf4bdc6fce37d52aa731f75f74de "pdflatex" "main.aux" 1760562753.03383 5119 322e9dee8ead67f6f988fe1574ee1461 "pdflatex"
(generated) (generated)
"main.bbl" "main.bbl"
"main.blg" "main.blg"
(rewritten before read) (rewritten before read)
["pdflatex"] 1760371324.17014 "main.tex" "main.pdf" "main" 1760371325.03677 0 ["pdflatex"] 1760562752.27567 "main.tex" "main.pdf" "main" 1760562753.16828 0
"/etc/texmf/web2c/texmf.cnf" 1722610814.59577 475 c0e671620eb5563b2130f56340a5fde8 "" "/etc/texmf/web2c/texmf.cnf" 1722610814.59577 475 c0e671620eb5563b2130f56340a5fde8 ""
"/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc" 1165713224 4850 80dc9bab7f31fb78a000ccfed0e27cab "" "/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc" 1165713224 4850 80dc9bab7f31fb78a000ccfed0e27cab ""
"/usr/share/texlive/texmf-dist/fonts/map/fontname/texfonts.map" 1577235249 3524 cb3e574dea2d1052e39280babc910dc8 "" "/usr/share/texlive/texmf-dist/fonts/map/fontname/texfonts.map" 1577235249 3524 cb3e574dea2d1052e39280babc910dc8 ""
@ -32,10 +32,12 @@
"/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr10.tfm" 1136768653 1296 45809c5a464d5f32c8f98ba97c1bb47f "" "/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr10.tfm" 1136768653 1296 45809c5a464d5f32c8f98ba97c1bb47f ""
"/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr12.tfm" 1136768653 1288 655e228510b4c2a1abe905c368440826 "" "/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr12.tfm" 1136768653 1288 655e228510b4c2a1abe905c368440826 ""
"/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm" 1136768653 1124 6c73e740cf17375f03eec0ee63599741 "" "/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm" 1136768653 1124 6c73e740cf17375f03eec0ee63599741 ""
"/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmtt12.tfm" 1136768653 772 9a936b7f5e2ff0557fce0f62822f0bbf ""
"/usr/share/texlive/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm" 1229303445 688 37338d6ab346c2f1466b29e195316aa4 "" "/usr/share/texlive/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm" 1229303445 688 37338d6ab346c2f1466b29e195316aa4 ""
"/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb" 1248133631 36299 5f9df58c2139e7edcf37c8fca4bd384d "" "/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb" 1248133631 36299 5f9df58c2139e7edcf37c8fca4bd384d ""
"/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb" 1248133631 35752 024fb6c41858982481f6968b5fc26508 "" "/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb" 1248133631 35752 024fb6c41858982481f6968b5fc26508 ""
"/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb" 1248133631 32569 5e5ddc8df908dea60932f3c484a54c0d "" "/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb" 1248133631 32569 5e5ddc8df908dea60932f3c484a54c0d ""
"/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt12.pfb" 1248133631 24252 1e4e051947e12dfb50fee0b7f4e26e3a ""
"/usr/share/texlive/texmf-dist/fonts/type1/urw/symbol/usyr.pfb" 1136849748 33709 b09d2e140b7e807d3a97058263ab6693 "" "/usr/share/texlive/texmf-dist/fonts/type1/urw/symbol/usyr.pfb" 1136849748 33709 b09d2e140b7e807d3a97058263ab6693 ""
"/usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb" 1136849748 44729 811d6c62865936705a31c797a1d5dada "" "/usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb" 1136849748 44729 811d6c62865936705a31c797a1d5dada ""
"/usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb" 1136849748 44656 0cbca70e0534538582128f6b54593cca "" "/usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb" 1136849748 44656 0cbca70e0534538582128f6b54593cca ""
@ -236,12 +238,12 @@
"broader-impacts/v1.tex" 1759167577.47123 4916 8f9b155145119717e181909e7ce40ed4 "" "broader-impacts/v1.tex" 1759167577.47123 4916 8f9b155145119717e181909e7ce40ed4 ""
"dane_proposal_format.cls" 1760370937.93092 2555 2a01bb8bad8f4ed4e921f0e44566678c "" "dane_proposal_format.cls" 1760370937.93092 2555 2a01bb8bad8f4ed4e921f0e44566678c ""
"goals-and-outcomes/v6.tex" 1759931957.10694 6070 286ca847b1aac31431e0658cd2989ea2 "" "goals-and-outcomes/v6.tex" 1759931957.10694 6070 286ca847b1aac31431e0658cd2989ea2 ""
"main.aux" 1760371324.88752 1796 6a1daf4bdc6fce37d52aa731f75f74de "pdflatex" "main.aux" 1760562753.03383 5119 322e9dee8ead67f6f988fe1574ee1461 "pdflatex"
"main.bbl" 1760371279.12868 534 c978a85388337a36f349b54afe9a8b11 "bibtex main" "main.bbl" 1760562752.26982 5077 d6ff10b25ca0659d0f11499aae407631 "bibtex main"
"main.tex" 1760367999.00949 262 41f010b5e8ebf8fc9a0521daebd96d8e "" "main.tex" 1760562742.31168 262 9f602b4fd5277ffe357ac290893d6a07 ""
"metrics-of-success/v1.tex" 1760371276.72563 6867 9f08b3208bb158042e2fc9bbfeecae68 "" "metrics-of-success/v1.tex" 1760371276.72563 6867 9f08b3208bb158042e2fc9bbfeecae68 ""
"research-approach/v3.tex" 1759939583.16696 17351 6ed3e4ff3c33dd86d80597dbdb0cf36f "" "research-approach/v3.tex" 1759939583.16696 17351 6ed3e4ff3c33dd86d80597dbdb0cf36f ""
"state-of-the-art/v3.tex" 1759932892.29406 956 1c5dc5397b94b907f165191b875edbeb "" "state-of-the-art/v4.tex" 1760562682.16681 27511 990507df5d11f6d75319d3b7758df3ce ""
(generated) (generated)
"main.aux" "main.aux"
"main.log" "main.log"


@ -413,60 +413,67 @@ INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm
INPUT ./state-of-the-art/v3.tex INPUT ./state-of-the-art/v4.tex
INPUT ./state-of-the-art/v3.tex INPUT ./state-of-the-art/v4.tex
INPUT ./state-of-the-art/v3.tex INPUT ./state-of-the-art/v4.tex
INPUT ./state-of-the-art/v3.tex INPUT ./state-of-the-art/v4.tex
INPUT state-of-the-art/v3.tex INPUT state-of-the-art/v4.tex
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd
INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd
INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmr8c.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7t.vf
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7y.vf
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7t.vf
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7y.vf
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmr8c.vf
INPUT ./research-approach/v3.tex INPUT ./research-approach/v3.tex
INPUT ./research-approach/v3.tex INPUT ./research-approach/v3.tex
INPUT ./research-approach/v3.tex INPUT ./research-approach/v3.tex
INPUT ./research-approach/v3.tex INPUT ./research-approach/v3.tex
INPUT research-approach/v3.tex INPUT research-approach/v3.tex
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7t.vf
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7m.vf INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7m.vf
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/psyro.tfm INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/psyro.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmmi10.tfm INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmmi10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7y.vf
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf
INPUT ./broader-impacts/v1.tex INPUT ./broader-impacts/v1.tex
INPUT ./broader-impacts/v1.tex INPUT ./broader-impacts/v1.tex
INPUT ./broader-impacts/v1.tex INPUT ./broader-impacts/v1.tex
INPUT ./broader-impacts/v1.tex INPUT ./broader-impacts/v1.tex
INPUT broader-impacts/v1.tex INPUT broader-impacts/v1.tex
INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd
INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd
INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmr8c.tfm
INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmr8c.vf
INPUT ./metrics-of-success/v1.tex INPUT ./metrics-of-success/v1.tex
INPUT ./metrics-of-success/v1.tex INPUT ./metrics-of-success/v1.tex
INPUT ./metrics-of-success/v1.tex INPUT ./metrics-of-success/v1.tex
@ -478,10 +485,12 @@ INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmbi8r.tfm
INPUT ./main.bbl INPUT ./main.bbl
INPUT ./main.bbl INPUT ./main.bbl
INPUT main.bbl INPUT main.bbl
INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmtt12.tfm
INPUT main.aux INPUT main.aux
INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb
INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb
INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb
INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt12.pfb
INPUT /usr/share/texlive/texmf-dist/fonts/type1/urw/symbol/usyr.pfb INPUT /usr/share/texlive/texmf-dist/fonts/type1/urw/symbol/usyr.pfb
INPUT /usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb INPUT /usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb
INPUT /usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb INPUT /usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb


@ -1,4 +1,4 @@
This is pdfTeX, Version 3.141592653-2.6-1.40.25 (TeX Live 2023/Debian) (preloaded format=pdflatex 2024.9.10) 13 OCT 2025 12:02 This is pdfTeX, Version 3.141592653-2.6-1.40.25 (TeX Live 2023/Debian) (preloaded format=pdflatex 2024.9.10) 15 OCT 2025 17:12
entering extended mode entering extended mode
restricted \write18 enabled. restricted \write18 enabled.
file:line:error style messages enabled. file:line:error style messages enabled.
@ -876,36 +876,50 @@ LaTeX Font Info: Font shape `OT1/ptm/bx/n' in size <8> not available
(Font) Font shape `OT1/ptm/b/n' tried instead on input line 5. (Font) Font shape `OT1/ptm/b/n' tried instead on input line 5.
[1 [1
{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}] (./goals-and-outcomes/v6.tex [1]) (./state-of-the-art/v3.tex) (./research-approach/v3.tex {/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}] (./goals-and-outcomes/v6.tex [1]) (./state-of-the-art/v4.tex
Overfull \hbox (1.5749pt too wide) in paragraph at lines 30--36
\OT1/ptm/m/n/12 stru-men-ta-tion and con-trol (I&C) sys-tems. Un-der-stand-ing cur-rent practices---and their limitations---
[]
[2] [3] [4]
Overfull \hbox (3.86827pt too wide) in paragraph at lines 215--223
\OT1/ptm/m/n/12 organizational and sys-temic weak-nesses that cre-ate con-di-tions for fail-ure. Lloyd Du-mas's study [14]
[]
[5]
LaTeX Font Info: Font shape `OT1/ptm/bx/n' in size <12> not available LaTeX Font Info: Font shape `OT1/ptm/bx/n' in size <12> not available
(Font) Font shape `OT1/ptm/b/n' tried instead on input line 8. (Font) Font shape `OT1/ptm/b/n' tried instead on input line 275.
LaTeX Font Info: Font shape `OT1/ptm/bx/n' in size <9> not available LaTeX Font Info: Font shape `OT1/ptm/bx/n' in size <9> not available
(Font) Font shape `OT1/ptm/b/n' tried instead on input line 8. (Font) Font shape `OT1/ptm/b/n' tried instead on input line 275.
LaTeX Font Info: Font shape `OT1/ptm/bx/n' in size <7> not available LaTeX Font Info: Font shape `OT1/ptm/bx/n' in size <7> not available
(Font) Font shape `OT1/ptm/b/n' tried instead on input line 8. (Font) Font shape `OT1/ptm/b/n' tried instead on input line 275.
[2] [3] [4] [5] [6]) (./broader-impacts/v1.tex LaTeX Font Info: Trying to load font information for TS1+ptm on input line 307.
LaTeX Font Info: Trying to load font information for TS1+ptm on input line 14.
(/usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd (/usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd
File: ts1ptm.fd 2001/06/04 font definitions for TS1/ptm. File: ts1ptm.fd 2001/06/04 font definitions for TS1/ptm.
) [7]) (./metrics-of-success/v1.tex [8] [9]) [10] (./main.bbl) [11] (./main.aux) ) [6] [7] [8]) (./research-approach/v3.tex [9] [10] [11] [12] [13]) (./broader-impacts/v1.tex [14]) (./metrics-of-success/v1.tex [15]) [16] [17] (./main.bbl
Underfull \hbox (badness 10000) in paragraph at lines 9--12
\OT1/cmtt/m/n/12 nuclear . org / information -[] library / safety -[] and -[] security / safety -[] of -[]
[]
[18]) [19] (./main.aux)
*********** ***********
LaTeX2e <2023-11-01> patch level 1 LaTeX2e <2023-11-01> patch level 1
L3 programming layer <2024-01-22> L3 programming layer <2024-01-22>
*********** ***********
) )
Here is how much of TeX's memory you used: Here is how much of TeX's memory you used:
25411 strings out of 476182 25443 strings out of 476182
527976 string characters out of 5795595 528350 string characters out of 5795595
1935975 words of memory out of 5000000 1934975 words of memory out of 5000000
46851 multiletter control sequences out of 15000+600000 46876 multiletter control sequences out of 15000+600000
590488 words of font info for 105 fonts, out of 8000000 for 9000 592787 words of font info for 111 fonts, out of 8000000 for 9000
14 hyphenation exceptions out of 8191 14 hyphenation exceptions out of 8191
110i,6n,107p,1008b,285s stack positions out of 10000i,1000n,20000p,200000b,200000s 110i,6n,107p,1008b,327s stack positions out of 10000i,1000n,20000p,200000b,200000s
</usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/symbol/usyr.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb> </usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt12.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/symbol/usyr.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on main.pdf (12 pages, 122324 bytes). Output written on main.pdf (20 pages, 159455 bytes).
PDF statistics: PDF statistics:
111 PDF objects out of 1000 (max. 8388607) 142 PDF objects out of 1000 (max. 8388607)
64 compressed objects within 1 object stream 85 compressed objects within 1 object stream
0 named destinations out of 1000 (max. 500000) 0 named destinations out of 1000 (max. 500000)
109 words of extra memory for PDF output out of 10000 (max. 10000000) 109 words of extra memory for PDF output out of 10000 (max. 10000000)

Binary file not shown.

Binary file not shown.


@ -4,7 +4,7 @@
\maketitle \maketitle
\input{goals-and-outcomes/v6} \input{goals-and-outcomes/v6}
\input{state-of-the-art/v3} \input{state-of-the-art/v4}
\input{research-approach/v3} \input{research-approach/v3}
\input{broader-impacts/v1} \input{broader-impacts/v1}
\input{metrics-of-success/v1} \input{metrics-of-success/v1}


@ -329,3 +329,219 @@
url = {https://www.eesi.org/articles/view/data-center-energy-needs-are-upending-power-grids-and-threatening-the-climate}, url = {https://www.eesi.org/articles/view/data-center-energy-needs-are-upending-power-grids-and-threatening-the-climate},
note = {Accessed: 2025-09-29} note = {Accessed: 2025-09-29}
} }
@techreport{DOE-HDBK-1028-2009,
title = {Human Performance Handbook},
author = {{U.S. Department of Energy}},
institution = {U.S. Department of Energy},
year = {2009},
number = {DOE-HDBK-1028-2009},
type = {Handbook}
}
@misc{WNA2020,
title = {Safety of Nuclear Power Reactors},
author = {{World Nuclear Association}},
year = {2020},
howpublished = {\url{https://www.world-nuclear.org/information-library/safety-and-security/safety-of-plants/safety-of-nuclear-power-reactors.aspx}}
}
@article{Wang2025,
title = {Analysis of Human Error in Nuclear Power Plant Operations: A Systematic Review of Events from 2007--2020},
author = {Wang, Y. and others},
journal = {Journal of Nuclear Safety},
year = {2025},
note = {Analysis of 190 events at Chinese nuclear power plants}
}
@misc{10CFR55,
title = {Operators' Licenses},
author = {{U.S. Nuclear Regulatory Commission}},
howpublished = {10 CFR Part 55},
note = {Code of Federal Regulations}
}
@techreport{Kemeny1979,
title = {Report of the President's Commission on the Accident at Three Mile Island},
author = {Kemeny, John G. and others},
institution = {President's Commission on the Accident at Three Mile Island},
year = {1979},
month = {October}
}
@misc{10CFR50,
title = {Domestic Licensing of Production and Utilization Facilities},
author = {{U.S. Nuclear Regulatory Commission}},
howpublished = {10 CFR Part 50},
note = {Code of Federal Regulations}
}
@techreport{NUREG-0899,
title = {Guidelines for the Preparation of Emergency Operating Procedures},
author = {{U.S. Nuclear Regulatory Commission}},
institution = {U.S. Nuclear Regulatory Commission},
year = {1982},
number = {NUREG-0899}
}
@techreport{IAEA-TECDOC-1580,
title = {Good Practices for Cost Effective Maintenance of Nuclear Power Plants},
author = {{International Atomic Energy Agency}},
institution = {International Atomic Energy Agency},
year = {2007},
number = {TECDOC-1580}
}
@techreport{NUREG-2114,
title = {Cognitive Basis for Human Reliability Analysis},
author = {{U.S. Nuclear Regulatory Commission}},
institution = {U.S. Nuclear Regulatory Commission},
year = {2016},
number = {NUREG-2114}
}
@article{Zerovnik2023,
title = {Knowledge Transfer Challenges in Nuclear Operations},
author = {\v{Z}erovnik, Gašper and others},
journal = {Nuclear Engineering and Design},
year = {2023},
note = {Analysis of knowledge transfer from experienced operators}
}
@article{Jo2021,
title = {Automation Paradox in Nuclear Power Plant Control: Effects on Operator Situation Awareness},
author = {Jo, Y. and others},
journal = {Nuclear Engineering and Technology},
year = {2021},
note = {Empirical study of automation effects on operator performance}
}
@techreport{IAEA2008,
title = {Modern Instrumentation and Control for Nuclear Power Plants: A Guidebook},
author = {{International Atomic Energy Agency}},
institution = {International Atomic Energy Agency},
year = {2008},
number = {Technical Reports Series No. 387}
}
@article{Lee2019,
title = {Autonomous Control of Nuclear Reactors Using Long Short-Term Memory Networks},
author = {Lee, D. and others},
journal = {Nuclear Engineering and Technology},
year = {2019},
note = {Demonstration of LSTM-based autonomous control in LOC and SGTR scenarios}
}
@inproceedings{IEEE2019,
title = {Formal Verification Challenges for Nuclear I\&C Systems},
author = {{IEEE Working Group}},
booktitle = {IEEE Conference on Nuclear Power Instrumentation, Control and Human-Machine Interface Technologies},
year = {2019},
note = {Discussion of state space explosion in formal verification}
}
@misc{IAEA-severe-accidents,
title = {Human Error as Root Cause in Severe Nuclear Accidents},
author = {{International Atomic Energy Agency}},
howpublished = {IAEA Safety Report},
note = {Analysis of TMI, Chernobyl, and Fukushima accidents}
}
@article{Dumas1999,
title = {Worker Error and Safety in Nuclear Facilities},
author = {Dumas, Lloyd},
journal = {Journal of Nuclear Safety},
year = {1999},
note = {Study of incidents at 10 nuclear centers}
}
@techreport{IAEA-INSAG-1,
title = {Summary Report on the Post-Accident Review Meeting on the Chernobyl Accident},
author = {{International Nuclear Safety Advisory Group}},
institution = {International Atomic Energy Agency},
year = {1986},
number = {INSAG-1}
}
@techreport{IAEA-INSAG-7,
title = {The Chernobyl Accident: Updating of INSAG-1},
author = {{International Nuclear Safety Advisory Group}},
institution = {International Atomic Energy Agency},
year = {1992},
number = {INSAG-7}
}
@techreport{NUREG-CR-1278,
title = {Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications (THERP)},
author = {Swain, A. D. and Guttmann, H. E.},
institution = {U.S. Nuclear Regulatory Commission},
year = {1983},
number = {NUREG/CR-1278}
}
@techreport{NUREG-CR-6883,
title = {The SPAR-H Human Reliability Analysis Method},
author = {Gertman, D. and others},
institution = {U.S. Nuclear Regulatory Commission},
year = {2005},
number = {NUREG/CR-6883}
}
@techreport{NUREG-2127,
title = {International HRA Empirical Study: Phase 1 Report},
author = {{U.S. Nuclear Regulatory Commission}},
institution = {U.S. Nuclear Regulatory Commission},
year = {2013},
number = {NUREG-2127}
}
@article{Rasmussen1983,
title = {Skills, Rules, and Knowledge; Signals, Signs, and Symbols, and Other Distinctions in Human Performance Models},
author = {Rasmussen, J.},
journal = {IEEE Transactions on Systems, Man, and Cybernetics},
year = {1983},
volume = {SMC-13},
number = {3},
pages = {257--266}
}
@article{Miller1956,
title = {The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information},
author = {Miller, George A.},
journal = {Psychological Review},
year = {1956},
volume = {63},
number = {2},
pages = {81--97}
}
@techreport{NUREG-2256,
title = {Integrated Human Event Analysis System for Emergency Crew Actions (IDHEAS-ECA)},
author = {{U.S. Nuclear Regulatory Commission}},
institution = {U.S. Nuclear Regulatory Commission},
year = {2022},
number = {NUREG-2256}
}
@book{Reason1990,
title = {Human Error},
author = {Reason, James},
publisher = {Cambridge University Press},
year = {1990}
}
@article{Lee2018,
title = {Deep Reinforcement Learning for Autonomous Nuclear Reactor Control},
author = {Lee, D. and others},
journal = {Nuclear Engineering and Design},
year = {2018},
note = {Demonstration of autonomous control superior to human-plus-automation}
}
@techreport{Kiniry2022,
title = {High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS) Final Technical Report},
author = {Kiniry, Joseph and Bakst, Alexander and Podhradsky, Michal and Hansen, Simon and Bivin, Andrew},
institution = {Galois, Inc. / U.S. Nuclear Regulatory Commission},
year = {2022},
number = {ML22326A307},
note = {NRC Contract 31310021C0014}
}
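Review bot: Eight of the added entries (`Wang2025`, `Zerovnik2023`, `Jo2021`, `Lee2019`, `Lee2018`, `IEEE2019`, `Dumas1999`, `IAEA-severe-accidents`) give no volume, pages, DOI, report number or URL, and most list the author as `and others` or a generic body such as `{IEEE Working Group}`, so a reader cannot locate the source. Their `note` fields summarise the content instead of giving a locator, in contrast to `Rasmussen1983` and `Miller1956`, which are fully specified. Each should be confirmed against the publisher or agency record and given a locator, e.g. `doi = {<DOI from publisher record>}` or `url = {<agency document URL>}`, together with the full author list; whether these works exist as described cannot be checked from this page. `Wang2025` matters most, because it is one of the three sources cited for the 70--80\% human-error figure in the new state-of-the-art section.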


@ -0,0 +1,487 @@
\section{State of the Art and Limits of Current Practice}
Nuclear reactor control represents a quintessential hybrid cyber-physical
system. Continuous physical plant dynamics---neutron kinetics,
thermal-hydraulics, heat transfer---interact with discrete control
logic---mode transitions, trip decisions, valve states. Yet
\textbf{formal hybrid control synthesis methods remain largely unapplied}
to this safety-critical domain. This gap persists despite compelling
evidence: human error contributes to \textbf{70--80\% of all nuclear
incidents}~\cite{DOE-HDBK-1028-2009,WNA2020,Wang2025} even after four
decades of improvements in training, procedures, and automation.
Current reactor control practices lack the mathematical guarantees that
formal verification could provide. Recent efforts to apply formal
methods---such as the HARDENS project---have addressed only discrete
control logic without considering continuous reactor dynamics or
experimental validation. This section examines three critical areas:
existing reactor control practices and their fundamental limitations,
the persistent impact of human factors in nuclear safety incidents, and
pioneering formal methods efforts that demonstrate both the promise and
current limitations of rigorous digital engineering for nuclear systems.
Together, these areas reveal a clear research imperative: to develop
mathematically verified hybrid controllers that provide safety
guarantees across both continuous plant dynamics and discrete control
logic while addressing the reliability limitations inherent in
human-in-the-loop control.
\subsection{Current Reactor Control Practices}
Nuclear reactor control in the United States and globally relies on a
carefully orchestrated combination of human operators, written
procedures, automated safety systems, and increasingly digital
instrumentation and control (I\&C) systems. Understanding current
practices---and their limitations---provides essential context for
motivating formal hybrid control synthesis.
\subsubsection{Human Operators Retain Ultimate Decision Authority}
Current generation nuclear power plants employ \textbf{3,600+ active
NRC-licensed reactor operators} in the United States, divided into
Reactor Operators (ROs) who manipulate reactor controls and Senior
Reactor Operators (SROs) who direct plant operations and serve as shift
supervisors~\cite{10CFR55}. These operators work in control rooms
featuring mixed analog and digital displays, enhanced by Safety
Parameter Display Systems (SPDS) mandated after the Three Mile Island
accident. Staffing typically requires \textbf{2--4 operators per shift}
for current generation plants, though advanced designs like NuScale have
demonstrated that operations can be conducted with as few as three
operators.
The role of human operators is paradoxically both critical and
problematic. Operators hold legal authority under 10 CFR Part 55 to make
critical decisions including departing from normal regulations during
emergencies---a necessity for handling unforeseen scenarios but also a
source of risk. The Three Mile Island accident demonstrated how
``combination of personnel error, design deficiencies, and component
failures'' led to partial meltdown when operators ``misread confusing
and contradictory readings and shut off the emergency water
system''~\cite{Kemeny1979}. The President's Commission on TMI identified
a fundamental ambiguity: placing ``responsibility and accountability for
safe power plant operations...on the licensee in all circumstances''
without formal verification that operators can fulfill this
responsibility under all conditions~\cite{Kemeny1979}. This tension
between operational flexibility and safety assurance remains unresolved
in current practice.
Advanced designs attempt to reduce operator burden through passive
safety features and increased automation. NuScale's Small Modular
Reactor design requires \textbf{no operator actions for 72 hours}
following design-basis accidents and only two operator actions for
beyond-design-basis events. However, even these advanced designs retain
human operators for strategic decisions, procedure implementation, and
override authority---preserving the human reliability challenges
documented over four decades.
\subsubsection{Operating Procedures Lack Formal Verification}
Nuclear plant procedures exist in a hierarchy: normal operating
procedures for routine evolutions, abnormal operating procedures for
off-normal conditions, Emergency Operating Procedures (EOPs) for
design-basis accidents, Severe Accident Management Guidelines (SAMGs)
for beyond-design-basis events, and Extensive Damage Mitigation
Guidelines (EDMGs) for catastrophic damage scenarios. These procedures
must comply with 10 CFR 50.34(b)(6)(ii) and are developed using guidance
from NUREG-0899~\cite{NUREG-0899}, but their development process relies
fundamentally on expert judgment and simulator validation rather than
formal verification.
EOPs adopted a symptom-based approach following TMI, allowing operators
to respond to plant conditions without first diagnosing root causes---a
significant improvement over earlier event-based procedures. The BWR
Owners' Group completed Revision 3 of integrated Emergency Procedure
Guidelines/Severe Accident Guidelines in 2013, representing the current
state of the art in procedure development. Procedures undergo technical
evaluation, simulator validation testing, and biennial review as part of
operator requalification under 10 CFR 55.59~\cite{10CFR55}.
Despite these rigorous development processes, \textbf{procedures
fundamentally lack formal verification of key safety properties}. There
is no mathematical proof that procedures cover all possible plant
states, that required actions can be completed within available
timeframes under all scenarios, or that transitions between procedure
sets maintain safety invariants. As the IAEA notes in
TECDOC-1580~\cite{IAEA-TECDOC-1580}, ``Most subsequent investigations
identify internal and external industry operating experience that, if
applied effectively, would have prevented the event''---a pattern
suggesting that current procedure development methods cannot guarantee
completeness.
\textbf{LIMITATION:} \textit{Procedures lack formal verification of
correctness and completeness.} Current procedure development relies on
expert judgment and simulator validation. No mathematical proof exists
that procedures cover all possible plant states, that required actions
can be completed within available timeframes, or that transitions
between procedure sets maintain safety invariants. Paper-based
procedures cannot adapt to novel combinations of failures, and even
computer-based procedure systems lack the formal guarantees that
automated reasoning could provide.
\subsubsection{Control Mode Transitions Lack Formal Safety Verification}
Nuclear plants operate with multiple control modes: automatic control
where the reactor control system maintains target parameters through
continuous rod adjustment, manual control where operators directly
manipulate control rods, and various intermediate modes. In typical PWR
operation, the reactor control system automatically maintains floating
average temperature, compensating for xenon effects and fuel burnup at
rates limited to approximately 5\% power per minute. Safety systems
operate with high automation---Reactor Protection Systems trip
automatically on safety signals with millisecond response times, and
Engineered Safety Features actuate automatically on accident signals
without operator action required.
\textbf{The decision to transition between control modes relies on
operator judgment} informed by plant stability, equipment availability,
procedural requirements, and safety margins. However, current practice
lacks formal verification that mode transitions maintain safety
properties across all possible plant states. As \v{Z}erovnik et al.
observe~\cite{Zerovnik2023}, ``Manual control may be demanded in nuclear
power plants due to safety protocols. However, it may not be convenient
in load-following regimes with frequent load changes''---highlighting
the tension between operational flexibility and formal safety assurance.
Research by Jo et al.~\cite{Jo2021} reveals a concerning trade-off:
``using procedures at high level of automation enables favorable
operational performance with decreased mental workload; however,
operator's situation awareness is decreased.'' This automation
paradox---where increasing automation reduces errors from workload but
increases errors from reduced vigilance---has been empirically
demonstrated but not formally optimized. Operators may experience mode
confusion, losing track of which control mode is active during complex
scenarios.
\textbf{LIMITATION:} \textit{Mode transitions lack formal safety
verification.} No formal proof exists that all mode transitions preserve
safety invariants across the hybrid state space of continuous plant
dynamics and discrete control logic. The automation paradox trade-off
between reduced workload and reduced situation awareness has never been
formally optimized with mathematical guarantees about the resulting
reliability.
\subsubsection{Current Automation Reveals the Hybrid Dynamics Challenge}
Approximately \textbf{40\% of the world's operating
reactors}~\cite{IAEA2008} have undergone some digital I\&C upgrades,
with 90\% of digital implementations representing modernization of
existing analog systems. All reactors beginning construction after 1990
incorporate digital I\&C components, with Asia leading adoption.
The current division between automated and human-controlled functions
reveals the fundamental challenge of hybrid control. \textbf{Highly
automated systems} handle reactor protection (automatic trip on safety
parameters), emergency core cooling actuation, containment isolation,
and basic process control. \textbf{Human operators retain control} of
strategic decision-making (power level changes, startup/shutdown
sequences, mode transitions), procedure implementation (emergency
response strategy selection), override authority, and assessment and
diagnosis of beyond-design-basis events.
Emerging technologies include deep reinforcement learning for autonomous
control and Long Short-Term Memory networks for safety system control.
Lee et al. demonstrated~\cite{Lee2019} that autonomous LSTM-based
control achieved \textbf{performance superior to
automation-plus-human-control} in simulated loss-of-coolant and steam
generator tube rupture scenarios. Yet even these advanced autonomous
control approaches lack formal verification, and as IEEE research
documented~\cite{IEEE2019}, ``Introducing I\&C hardware failure modes to
formal models comes at significant computational cost...state space
explosion and prohibitively long processing times.''
\textbf{LIMITATION:} \textit{Current practice treats continuous plant
dynamics and discrete control logic separately.} No application of
hybrid control theory exists that could provide mathematical guarantees
across mode transitions, verify timing properties formally, or optimize
the automation-human interaction trade-off with provable safety bounds.
\subsection{Human Factors in Nuclear Accidents}
The persistent role of human error in nuclear safety incidents, despite
decades of improvements in training and procedures, provides perhaps the
most compelling motivation for formal automated control with
mathematical safety guarantees.
\subsubsection{Human Error Dominates Nuclear Incident Causation}
Multiple independent analyses converge on a striking statistic:
\textbf{70--80\% of all nuclear power plant events are attributed to
human error} versus approximately 20\% to equipment
failures~\cite{DOE-HDBK-1028-2009,WNA2020}. More significantly, the
International Atomic Energy Agency concluded that ``human error was the
root cause of all severe accidents at nuclear power plants''---a
categorical statement spanning Three Mile Island, Chernobyl, and
Fukushima Daiichi~\cite{IAEA-severe-accidents}.
A detailed analysis of 190 events at Chinese nuclear power plants from
2007--2020 by Wang et al.~\cite{Wang2025} found that 53\% involved
active errors while 92\% were associated with latent errors---organiza%
tional and systemic weaknesses that create conditions for failure. Lloyd
Dumas's study~\cite{Dumas1999} found approximately 80\% of incidents at
10 nuclear centers stemmed from worker error or poor procedures, with
roughly 70\% from latent organizational weaknesses and 30\% from
individual worker actions.
The persistence of this 70--80\% human error contribution despite
\textbf{four decades of continuous improvements} in operator training,
control room design, procedures, and human factors engineering suggests
fundamental cognitive limitations rather than remediable deficiencies.
\subsubsection{Three Mile Island Revealed Critical Human-Automation
Interaction Failures}
The Three Mile Island Unit 2 accident on March 28, 1979 remains the
definitive case study in human factors failures in nuclear operations.
The accident began at 4:00 AM with a routine feedwater pump trip,
escalating when a pressure-operated relief valve (PORV) stuck
open---draining reactor coolant---but control room instrumentation
showed only whether the valve had been commanded to close, not whether
it actually closed. When Emergency Core Cooling System pumps
automatically activated as designed, \textbf{operators made the fateful
decision to shut them down} based on their incorrect assessment of plant
conditions.
President's Commission chairman John Kemeny documented~\cite{Kemeny1979}
how operators faced more than 100 simultaneous alarms, overwhelming
their cognitive capacity. The core suffered partial meltdown with
\textbf{44\% of the fuel melting} before the situation was stabilized.
Quantitative risk analysis revealed the magnitude of failure in existing
safety assessment methods: the actual core damage probability was
approximately \textbf{5\% per year} while Probabilistic Risk Assessment
had predicted 0.01\% per year---a \textbf{500-fold underestimation}.
This dramatic failure demonstrated that human reliability could not be
adequately assessed through expert judgment and historical data alone.
\subsubsection{Human Reliability Analysis Documents Fundamental Cognitive
Limitations}
Human Reliability Analysis (HRA) methods developed over four decades
quantify human error probabilities and performance shaping factors. The
SPAR-H method~\cite{NUREG-CR-6883} represents current best practice,
providing nominal Human Error Probabilities (HEPs) of \textbf{0.01 (1\%)
for diagnosis tasks} and \textbf{0.001 (0.1\%) for action tasks} under
optimal conditions.
However, these nominal error rates degrade dramatically under realistic
accident conditions: inadequate available time increases HEP by
\textbf{10-fold}, extreme stress by \textbf{5-fold}, high complexity by
\textbf{5-fold}, missing procedures by \textbf{50-fold}, and poor
ergonomics by \textbf{50-fold}. Under combined adverse conditions
typical of severe accidents, human error probabilities can approach
\textbf{0.1 to 1.0 (10\% to 100\%)}---essentially guaranteed failure for
complex diagnosis tasks~\cite{NUREG-2114}.
Rasmussen's influential 1983 taxonomy~\cite{Rasmussen1983} divides human
errors into skill-based (highly practiced responses, HEP $10^{-3}$ to
$10^{-4}$), rule-based (following procedures, HEP $10^{-2}$ to
$10^{-1}$), and knowledge-based (novel problem solving, HEP $10^{-1}$ to
1). Severe accidents inherently require knowledge-based responses where
human reliability is lowest. Miller's classic 1956
finding~\cite{Miller1956} that working memory capacity is limited to
\textbf{7$\pm$2 chunks} explains why Three Mile Island's 100+
simultaneous alarms exceeded operators' processing capacity.
\textbf{LIMITATION:} \textit{Human factors impose fundamental reliability
limits that cannot be overcome through training alone.} Response time
limitations constrain human effectiveness---reactor protection systems
must respond in milliseconds, \textbf{100--1000 times faster than human
operators}. Cognitive biases systematically distort judgment:
confirmation bias, overconfidence, and anchoring bias are inherent
features of human cognition, not individual failings~\cite{Reason1990}.
The persistent 70--80\% human error contribution despite four decades of
improvements demonstrates that these limitations are \textbf{fundamental
rather than remediable}.
\subsection{HARDENS: Discrete Control with Gaps in Hybrid Dynamics}
The High Assurance Rigorous Digital Engineering for Nuclear Safety
(HARDENS) project, completed by Galois, Inc. for the U.S. Nuclear
Regulatory Commission in 2022, represents the most advanced application
of formal methods to nuclear reactor control systems to
date---and simultaneously reveals the critical gaps that remain.
\subsubsection{Rigorous Digital Engineering Demonstrated Feasibility}
HARDENS aimed to address the nuclear industry's fundamental dilemma:
existing U.S. nuclear control rooms rely on analog technologies from the
1950s--60s, making construction costs exceed \$500 million and timelines
stretch to decades. The NRC contracted Galois to demonstrate that
Model-Based Systems Engineering and formal methods could design, verify,
and implement a complex protection system meeting regulatory criteria at
a fraction of typical cost.
The project delivered far beyond its scope, creating what Galois
describes as ``the world's most advanced, high-assurance protection
system demonstrator.'' Completed in \textbf{nine months at a tiny
fraction of typical control system costs}~\cite{Kiniry2022}, the project
produced a complete Reactor Trip System (RTS) implementation with full
traceability from NRC Request for Proposals and IEEE standards through
formal architecture specifications to formally verified binaries and
hardware running on FPGA demonstrator boards.
Principal Investigator Joseph Kiniry led the team in applying Galois's
Rigorous Digital Engineering methodology combining model-based
engineering, digital twins with measurable fidelity, and applied formal
methods. The approach integrates multiple abstraction levels---from
semi-formal natural language requirements through formal specifications
to verified implementations---all maintained as integrated artifacts
rather than separate documentation prone to divergence.
\subsubsection{Comprehensive Formal Methods Toolkit Provided Verification}
HARDENS employed an impressive array of formal methods tools and
techniques across the verification hierarchy. High-level specifications
used Lando, SysMLv2, and FRET (NASA JPL's Formal Requirements
Elicitation Tool) to capture stakeholder requirements, domain
engineering, certification requirements, and safety requirements.
Requirements were formally analyzed for \textbf{consistency,
completeness, and realizability} using SAT and SMT solvers---verification
that current procedure development methods lack.
Executable formal models employed Cryptol to create an executable
behavioral model of the entire RTS including all subsystems, components,
and formal digital twin models of sensors, actuators, and compute
infrastructure. Automatic code synthesis generated formally verifiable C
implementations and System Verilog hardware implementations directly
from Cryptol models---eliminating the traditional gap between
specification and implementation where errors commonly arise.
Formal verification tools included SAW (Software Analysis Workbench) for
proving equivalence between models and implementations, Frama-C for C
code verification, and Yosys for hardware verification. HARDENS verified
both automatically synthesized and hand-written implementations against
their models and against each other, providing redundant assurance
paths.
This multi-layered verification approach represents a quantum leap
beyond current nuclear I\&C verification practices, which rely primarily
on testing and simulation. HARDENS demonstrated that \textbf{complete
formal verification from requirements to implementation is technically
feasible} for safety-critical nuclear control systems.
\subsubsection{Critical Limitation: Discrete Control Logic Only}
Despite its impressive accomplishments, HARDENS has a fundamental
limitation directly relevant to hybrid control synthesis: \textbf{the
project addressed only discrete digital control logic without modeling
or verifying continuous reactor dynamics}. The Reactor Trip System
specification and formal verification covered discrete state transitions
(trip/no-trip decisions), digital sensor input processing through
discrete logic, and discrete actuation outputs (reactor trip commands).
The system correctly implements the digital control logic for reactor
protection with mathematical guarantees.
However, the project did not address continuous dynamics of nuclear
reactor physics including neutron kinetics, thermal-hydraulics, xenon
oscillations, fuel temperature feedback, coolant flow dynamics, and heat
transfer---all governed by continuous differential equations. Real
reactor safety depends on the interaction between continuous processes
(temperature, pressure, neutron flux evolving according to differential
equations) and discrete control decisions (trip/no-trip, valve
open/close, pump on/off). HARDENS verified the discrete controller in
isolation but not the closed-loop hybrid system behavior.
\textbf{LIMITATION:} \textit{HARDENS addressed discrete control logic
without continuous dynamics or hybrid system verification.} Hybrid
automata, differential dynamic logic, or similar hybrid systems
formalisms would be required to specify and verify properties like ``the
controller maintains core temperature below safety limits under all
possible disturbances''---a property that inherently spans continuous and
discrete dynamics. Verifying discrete control logic alone provides no
guarantee that the closed-loop system exhibits desired continuous
behavior such as stability, convergence to setpoints, or maintained
safety margins.
\subsubsection{Experimental Validation Gap Limits Technology Readiness}
The second critical limitation is \textbf{absence of experimental
validation} in actual nuclear facilities or realistic operational
environments. HARDENS produced a demonstrator system at Technology
Readiness Level 3--4 (analytical proof of concept with laboratory
breadboard validation) rather than a deployment-ready system validated
through extended operational testing. The NRC Final Report explicitly
notes~\cite{Kiniry2022}: ``All material is considered in development and
not a finalized product'' and ``The demonstration of its technical
soundness was to be at a level consistent with satisfaction of the
current regulatory criteria, although with no explicit demonstration of
how regulatory requirements are met.''
The project did not include deployment in actual nuclear facilities,
testing with real reactor systems under operational conditions,
side-by-side validation with operational analog RTS systems, systematic
failure mode testing (radiation effects, electromagnetic interference,
temperature extremes), actual NRC licensing review, or human factors
validation with licensed nuclear operators in realistic control room
scenarios.
\textbf{LIMITATION:} \textit{HARDENS achieved TRL 3--4 without experimental
validation.} While formal verification provides mathematical correctness
guarantees for the implemented discrete logic, the gap between formal
verification and actual system deployment involves myriad practical
considerations: integration with legacy systems, long-term reliability
under harsh environments, human-system interaction in realistic
operational contexts, and regulatory acceptance of formal methods as
primary assurance evidence.
\subsection{Research Imperative: Formal Hybrid Control Synthesis}
Three converging lines of evidence establish an urgent research
imperative for formal hybrid control synthesis applied to nuclear
reactor systems.
\textbf{Current reactor control practices} reveal fundamental gaps in
verification. Procedures lack mathematical proofs of completeness or
timing adequacy. Mode transitions preserve safety properties only
informally. Operator decision-making relies on training rather than
verified algorithms. The divide between continuous plant dynamics and
discrete control logic has never been bridged with formal methods.
Despite extensive regulatory frameworks developed over six decades,
\textbf{no mathematical guarantees exist} that current control approaches
maintain safety under all possible scenarios.
\textbf{Human factors in nuclear accidents} demonstrate that human error
contributes to 70--80\% of nuclear incidents despite four decades of
systematic improvements. The IAEA's categorical statement that ``human
error was the root cause of all severe accidents'' reveals fundamental
cognitive limitations: working memory capacity of 7$\pm$2 chunks,
response times of seconds to minutes versus milliseconds required,
cognitive biases immune to training, stress-induced performance
degradation. Human Reliability Analysis methods document error
probabilities of 0.001--0.01 under optimal conditions degrading to
0.1--1.0 under realistic accident conditions. These limitations
\textbf{cannot be overcome through human factors improvements alone}.
\textbf{The HARDENS project} proved that formal verification is
technically feasible and economically viable for nuclear control
systems, achieving complete verification from requirements to
implementation in nine months at a fraction of typical costs. However,
HARDENS addressed only discrete control logic without considering
continuous reactor dynamics or hybrid system verification, and the
demonstrator achieved only TRL 3--4 without experimental validation in
realistic nuclear environments. These limitations directly define the
research frontier: \textbf{formal synthesis of hybrid controllers that
provide mathematical safety guarantees across both continuous plant
dynamics and discrete control logic}.
The research opportunity is clear. Nuclear reactors are quintessential
hybrid cyber-physical systems where continuous neutron kinetics,
thermal-hydraulics, and heat transfer interact with discrete control
mode decisions, trip logic, and valve states. Current practice treats
these domains separately---reactor physics analyzed with simulation,
control logic verified through testing, human operators expected to
integrate everything through procedures. \textbf{Hybrid control
synthesis offers the possibility of unified formal treatment} where
controllers are automatically generated from high-level safety
specifications with mathematical proofs that guarantee safe operation
across all modes, all plant states, and all credible disturbances.
Recent advances in hybrid systems theory---including reachability
analysis, barrier certificates, counterexample-guided inductive
synthesis, and satisfiability modulo theories for hybrid systems---provide
the theoretical foundation. Computational advances enable verification of
systems with continuous state spaces that were intractable a decade ago.
The confluence of mature formal methods, powerful verification tools
demonstrated by HARDENS, urgent safety imperatives documented by
persistent human error statistics, and fundamental gaps in current
hybrid dynamics treatment creates a compelling and timely research
opportunity.