Auto sync: 2025-10-15 17:52:13 (15 files changed)

M .task/backlog.data M .task/completed.data M .task/pending.data M .task/undo.data M Writing/ERLM/main.aux M Writing/ERLM/main.bbl M Writing/ERLM/main.blg M Writing/ERLM/main.fdb_latexmk
2025-10-15 17:52:13 -04:00 · 2025-10-15 17:52:13 -04:00 · 4f1c224393
commit 4f1c224393
parent 08e01cbcb7
15 changed files with 1043 additions and 117 deletions
--- a/.task/backlog.data
+++ b/.task/backlog.data
@ -108,3 +108,9 @@
 {"description":"Complete peer review with Simeona","due":"20251009T040000Z","end":"20251009T200847Z","entry":"20251008T183016Z","modified":"20251009T200847Z","project":"ERLM","status":"completed","uuid":"a2970741-1bdf-4f67-a63f-40da1f96315e"}
 {"description":"Find INL person Robert mentioned","due":"20251008T040000Z","end":"20251009T200847Z","entry":"20251008T183121Z","modified":"20251009T200847Z","project":"Internship","status":"completed","uuid":"4e709e7a-91f6-47ad-af29-11d3c2cee3d9"}
 {"description":"Read Opportunities, Challenges, and Research Needs for Remote Microreactor Operations","entry":"20250910T150523Z","modified":"20251009T200934Z","project":"thesis","start":"20251009T200934Z","status":"pending","uuid":"96c76e6b-5c33-4f54-a156-5c59e718f01a","tags":["reading"]}
+{"description":"Edit goals and outcomes to adjust capabilities. What is new capability, not research task","end":"20251015T183612Z","entry":"20250924T164236Z","modified":"20251015T183612Z","project":"ERLM","status":"completed","uuid":"ce706282-31bb-4cba-882d-86f09a76045d","tags":["writing"]}
+{"description":"Write metrics of success section","end":"20251015T183612Z","entry":"20251008T183024Z","modified":"20251015T183612Z","project":"ERLM","status":"completed","uuid":"3bf52991-f8df-4387-9a79-0b5f14f2c5d1","tags":["writing"]}
+{"description":"Find out what 10 CFR is. Specifically, 10 CFR 50.34 and 10 CFR 55.59. Emergency Operating Procedures?","entry":"20251015T212147Z","modified":"20251015T212147Z","project":"thesis","status":"pending","uuid":"b0192186-bcbc-4d5c-a156-5e83fdfeda69"}
+{"description":"edit State of the art","entry":"20251015T215116Z","modified":"20251015T215116Z","project":"ERLM","status":"pending","uuid":"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9"}
+{"description":"Write whitepaper","due":"20251020T040000Z","entry":"20251015T215139Z","modified":"20251015T215139Z","project":"ERLM","status":"pending","uuid":"52b4cc9a-33c7-472b-b3b6-3e9504649e19","depends":["fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9"]}
+{"description":"Rewrite state of the art for nuclear controls engineering and hybrid systems","due":"20250929T040000Z","end":"20251015T215159Z","entry":"20250924T164019Z","modified":"20251015T215159Z","project":"ERLM","status":"completed","uuid":"e0636009-9061-47d0-9b59-1f2464a252a7","tags":["editing"]}
--- a/.task/completed.data
+++ b/.task/completed.data
@ -1,3 +1,8 @@
+[description:"Rewrite state of the art for nuclear controls engineering and hybrid systems" due:"1759118400" end:"1760565119" entry:"1758732019" modified:"1760565119" project:"ERLM" status:"completed" tags:"editing" tags_editing:"x" uuid:"e0636009-9061-47d0-9b59-1f2464a252a7"]
+[description:"Edit goals and outcomes to adjust capabilities. What is new capability, not research task" end:"1760553372" entry:"1758732156" modified:"1760553372" project:"ERLM" status:"completed" tags:"writing" tags_writing:"x" uuid:"ce706282-31bb-4cba-882d-86f09a76045d"]
+[description:"Write metrics of success section" end:"1760553372" entry:"1759948224" modified:"1760553372" project:"ERLM" status:"completed" tags:"writing" tags_writing:"x" uuid:"3bf52991-f8df-4387-9a79-0b5f14f2c5d1"]
+[description:"Complete peer review with Simeona" due:"1759982400" end:"1760040527" entry:"1759948216" modified:"1760040527" project:"ERLM" status:"completed" uuid:"a2970741-1bdf-4f67-a63f-40da1f96315e"]
+[description:"Find INL person Robert mentioned" due:"1759896000" end:"1760040527" entry:"1759948281" modified:"1760040527" project:"Internship" status:"completed" uuid:"4e709e7a-91f6-47ad-af29-11d3c2cee3d9"]
 [description:"Edit goals and outcomes" end:"1759950170" entry:"1758731993" modified:"1759950172" project:"ERLM" status:"deleted" uuid:"bbc41e22-c647-4209-9500-382e0321b625"]
 [description:"Fix pagination that Dan was complaining about" end:"1759950177" entry:"1758732224" modified:"1759950177" project:"ERLM" status:"completed" uuid:"306c574b-c3f6-4363-914b-f1eddda04543"]
 [description:"Write zettel about lipschitz continuity" end:"1759948076" entry:"1757625029" modified:"1759948084" status:"completed" tags:"zk" tags_zk:"x" uuid:"b7f68988-8c06-4d18-bf77-91d7e39fd55f"]
--- a/.task/pending.data
+++ b/.task/pending.data
@ -29,12 +29,10 @@
 [description:"Learning Local Control Barrier Functions for Hybrid Systems (2024)" entry:"1758125087" modified:"1758125087" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"3abf4246-566a-4ba8-b392-cbab5d7a9aa0"]
 [description:"Model Predictive Control of Stochastic Hybrid Systems with Signal Temporal Logic Constraints (2025)" entry:"1758125087" modified:"1758125087" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"320ec48e-134f-462f-ac3c-ffaf70698691"]
 [description:"Online Control Synthesis for Uncertain Systems under Signal Temporal Logic Specifications (2024)" entry:"1758125087" modified:"1758125087" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"b47de464-8a66-45d2-b487-6588a60c8112"]
-[description:"Rewrite state of the art for nuclear controls engineering and hybrid systems" due:"1759118400" entry:"1758732019" modified:"1758732076" project:"ERLM" status:"pending" tags:"editing" tags_editing:"x" uuid:"e0636009-9061-47d0-9b59-1f2464a252a7"]
-[description:"Edit goals and outcomes to adjust capabilities. What is new capability, not research task" entry:"1758732156" modified:"1758732156" project:"ERLM" status:"pending" tags:"writing" tags_writing:"x" uuid:"ce706282-31bb-4cba-882d-86f09a76045d"]
 [description:"Add research tasks to research approach section" entry:"1758732208" modified:"1758732208" project:"ERLM" status:"pending" tags:"editing,writing" tags_editing:"x" tags_writing:"x" uuid:"56028c48-5a4b-46cd-a40e-ada624cf6187"]
 [description:"Complete broader impacts peer review" due:"1759464000" entry:"1759418173" modified:"1759418173" project:"ERLM" status:"pending" uuid:"a5877ce8-f750-413d-8ec1-0e9429395cee"]
-[description:"Complete peer review with Simeona" due:"1759982400" end:"1760040527" entry:"1759948216" modified:"1760040527" project:"ERLM" status:"completed" uuid:"a2970741-1bdf-4f67-a63f-40da1f96315e"]
-[description:"Write metrics of success section" entry:"1759948224" modified:"1759948224" project:"ERLM" status:"pending" tags:"writing" tags_writing:"x" uuid:"3bf52991-f8df-4387-9a79-0b5f14f2c5d1"]
 [description:"Make list of internship spots" due:"1760068800" entry:"1759948253" modified:"1759948253" project:"Internship" status:"pending" uuid:"e978e178-5069-44a6-b9de-c835bdf1774f"]
-[description:"Find INL person Robert mentioned" due:"1759896000" end:"1760040527" entry:"1759948281" modified:"1760040527" project:"Internship" status:"completed" uuid:"4e709e7a-91f6-47ad-af29-11d3c2cee3d9"]
 [description:"Do intial play around with Emerson Ovation system" due:"1760068800" entry:"1759949018" modified:"1759949018" status:"pending" uuid:"1116b9e1-e2a9-44e3-939a-1ca7f66d3eea"]
+[description:"Find out what 10 CFR is. Specifically, 10 CFR 50.34 and 10 CFR 55.59. Emergency Operating Procedures?" entry:"1760563307" modified:"1760563307" project:"thesis" status:"pending" uuid:"b0192186-bcbc-4d5c-a156-5e83fdfeda69"]
+[description:"edit State of the art" entry:"1760565076" modified:"1760565076" project:"ERLM" status:"pending" uuid:"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9"]
+[dep_fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9:"x" depends:"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9" description:"Write whitepaper" due:"1760932800" entry:"1760565099" modified:"1760565099" project:"ERLM" status:"pending" uuid:"52b4cc9a-33c7-472b-b3b6-3e9504649e19"]
--- a/.task/undo.data
+++ b/.task/undo.data
@ -371,3 +371,24 @@ time 1760040574
 old [description:"Read Opportunities, Challenges, and Research Needs for Remote Microreactor Operations" entry:"1757516723" modified:"1758125189" project:"thesis" status:"pending" tags:"reading" tags_reading:"x" uuid:"96c76e6b-5c33-4f54-a156-5c59e718f01a"]
 new [description:"Read Opportunities, Challenges, and Research Needs for Remote Microreactor Operations" entry:"1757516723" modified:"1760040574" project:"thesis" start:"1760040574" status:"pending" tags:"reading" tags_reading:"x" uuid:"96c76e6b-5c33-4f54-a156-5c59e718f01a"]
 ---
+time 1760553372
+old [description:"Edit goals and outcomes to adjust capabilities. What is new capability, not research task" entry:"1758732156" modified:"1758732156" project:"ERLM" status:"pending" tags:"writing" tags_writing:"x" uuid:"ce706282-31bb-4cba-882d-86f09a76045d"]
+new [description:"Edit goals and outcomes to adjust capabilities. What is new capability, not research task" end:"1760553372" entry:"1758732156" modified:"1760553372" project:"ERLM" status:"completed" tags:"writing" tags_writing:"x" uuid:"ce706282-31bb-4cba-882d-86f09a76045d"]
+---
+time 1760553372
+old [description:"Write metrics of success section" entry:"1759948224" modified:"1759948224" project:"ERLM" status:"pending" tags:"writing" tags_writing:"x" uuid:"3bf52991-f8df-4387-9a79-0b5f14f2c5d1"]
+new [description:"Write metrics of success section" end:"1760553372" entry:"1759948224" modified:"1760553372" project:"ERLM" status:"completed" tags:"writing" tags_writing:"x" uuid:"3bf52991-f8df-4387-9a79-0b5f14f2c5d1"]
+---
+time 1760563307
+new [description:"Find out what 10 CFR is. Specifically, 10 CFR 50.34 and 10 CFR 55.59. Emergency Operating Procedures?" entry:"1760563307" modified:"1760563307" project:"thesis" status:"pending" uuid:"b0192186-bcbc-4d5c-a156-5e83fdfeda69"]
+---
+time 1760565076
+new [description:"edit State of the art" entry:"1760565076" modified:"1760565076" project:"ERLM" status:"pending" uuid:"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9"]
+---
+time 1760565099
+new [dep_fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9:"x" depends:"fb11e8ef-4884-4e7e-b5fa-b00bb22c27d9" description:"Write whitepaper" due:"1760932800" entry:"1760565099" modified:"1760565099" project:"ERLM" status:"pending" uuid:"52b4cc9a-33c7-472b-b3b6-3e9504649e19"]
+---
+time 1760565119
+old [description:"Rewrite state of the art for nuclear controls engineering and hybrid systems" due:"1759118400" entry:"1758732019" modified:"1758732076" project:"ERLM" status:"pending" tags:"editing" tags_editing:"x" uuid:"e0636009-9061-47d0-9b59-1f2464a252a7"]
+new [description:"Rewrite state of the art for nuclear controls engineering and hybrid systems" due:"1759118400" end:"1760565119" entry:"1758732019" modified:"1760565119" project:"ERLM" status:"completed" tags:"editing" tags_editing:"x" uuid:"e0636009-9061-47d0-9b59-1f2464a252a7"]
+---
--- a/Writing/ERLM/main.aux
+++ b/Writing/ERLM/main.aux
@ -2,21 +2,80 @@
 \bibstyle{unsrt}
 \providecommand \oddpage@label [2]{}
 \@writefile{toc}{\contentsline {section}{\numberline {1}Goals and Outcomes}{1}{}\protected@file@percent }
+\citation{DOE-HDBK-1028-2009,WNA2020,Wang2025}
+\citation{10CFR55}
 \@writefile{toc}{\contentsline {section}{\numberline {2}State of the Art and Limits of Current Practice}{2}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {3}Research Approach}{2}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}$(Procedures \wedge FRET) \rightarrow Temporal Specifications$}{3}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}$(TemporalLogic \wedge ReactiveSynthesis) \rightarrow DiscreteAutomata$}{4}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}$(DiscreteAutomata \wedge ControlTheory \wedge Reachability) \rightarrow ContinuousModes$}{5}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Current Reactor Control Practices}{2}{}\protected@file@percent }
+\citation{Kemeny1979}
+\citation{Kemeny1979}
+\citation{NUREG-0899}
+\citation{10CFR55}
+\citation{IAEA-TECDOC-1580}
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.1.1}Human Operators Retain Ultimate Decision Authority}{3}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.1.2}Operating Procedures Lack Formal Verification}{3}{}\protected@file@percent }
+\citation{Zerovnik2023}
+\citation{Jo2021}
+\citation{IAEA2008}
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.1.3}Control Mode Transitions Lack Formal Safety Verification}{4}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.1.4}Current Automation Reveals the Hybrid Dynamics Challenge}{4}{}\protected@file@percent }
+\citation{Lee2019}
+\citation{IEEE2019}
+\citation{DOE-HDBK-1028-2009,WNA2020}
+\citation{IAEA-severe-accidents}
+\citation{Wang2025}
+\citation{Dumas1999}
+\citation{Kemeny1979}
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Human Factors in Nuclear Accidents}{5}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.1}Human Error Dominates Nuclear Incident Causation}{5}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.2}Three Mile Island Revealed Critical Human-Automation Interaction Failures}{5}{}\protected@file@percent }
+\citation{NUREG-CR-6883}
+\citation{NUREG-2114}
+\citation{Rasmussen1983}
+\citation{Miller1956}
+\citation{Reason1990}
+\citation{Kiniry2022}
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.3}Human Reliability Analysis Documents Fundamental Cognitive Limitations}{6}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.3}HARDENS: Discrete Control with Gaps in Hybrid Dynamics}{6}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.3.1}Rigorous Digital Engineering Demonstrated Feasibility}{6}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.3.2}Comprehensive Formal Methods Toolkit Provided Verification}{7}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.3.3}Critical Limitation: Discrete Control Logic Only}{7}{}\protected@file@percent }
+\citation{Kiniry2022}
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.3.4}Experimental Validation Gap Limits Technology Readiness}{8}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.4}Research Imperative: Formal Hybrid Control Synthesis}{8}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {3}Research Approach}{9}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}$(Procedures \wedge FRET) \rightarrow Temporal Specifications$}{10}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}$(TemporalLogic \wedge ReactiveSynthesis) \rightarrow DiscreteAutomata$}{11}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}$(DiscreteAutomata \wedge ControlTheory \wedge Reachability) \rightarrow ContinuousModes$}{12}{}\protected@file@percent }
 \citation{eia_lcoe_2022}
 \citation{eesi_datacenter_2024}
 \citation{eia_lcoe_2022}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Broader Impacts}{7}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {4}Metrics for Success}{8}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {paragraph}{TRL 3 \textit  {Critical Function and Proof of Concept}}{9}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {paragraph}{TRL 4 \textit  {Laboratory Testing of Integrated Components}}{9}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {paragraph}{TRL 5 \textit  {Laboratory Testing in Relevant Environment}}{9}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Broader Impacts}{14}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {4}Metrics for Success}{15}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {paragraph}{TRL 3 \textit  {Critical Function and Proof of Concept}}{16}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {paragraph}{TRL 4 \textit  {Laboratory Testing of Integrated Components}}{16}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {paragraph}{TRL 5 \textit  {Laboratory Testing in Relevant Environment}}{16}{}\protected@file@percent }
 \bibdata{references}
-\bibcite{eia_lcoe_2022}{1}
-\bibcite{eesi_datacenter_2024}{2}
-\@writefile{toc}{\contentsline {section}{References}{11}{}\protected@file@percent }
-\gdef \@abspage@last{12}
+\bibcite{DOE-HDBK-1028-2009}{1}
+\bibcite{WNA2020}{2}
+\bibcite{Wang2025}{3}
+\bibcite{10CFR55}{4}
+\bibcite{Kemeny1979}{5}
+\bibcite{NUREG-0899}{6}
+\bibcite{IAEA-TECDOC-1580}{7}
+\bibcite{Zerovnik2023}{8}
+\bibcite{Jo2021}{9}
+\bibcite{IAEA2008}{10}
+\bibcite{Lee2019}{11}
+\bibcite{IEEE2019}{12}
+\bibcite{IAEA-severe-accidents}{13}
+\bibcite{Dumas1999}{14}
+\bibcite{NUREG-CR-6883}{15}
+\@writefile{toc}{\contentsline {section}{References}{18}{}\protected@file@percent }
+\bibcite{NUREG-2114}{16}
+\bibcite{Rasmussen1983}{17}
+\bibcite{Miller1956}{18}
+\bibcite{Reason1990}{19}
+\bibcite{Kiniry2022}{20}
+\bibcite{eia_lcoe_2022}{21}
+\bibcite{eesi_datacenter_2024}{22}
+\gdef \@abspage@last{20}
--- a/Writing/ERLM/main.bbl
+++ b/Writing/ERLM/main.bbl
@ -1,4 +1,113 @@
-\begin{thebibliography}{1}
+\begin{thebibliography}{10}
+
+\bibitem{DOE-HDBK-1028-2009}
+{U.S. Department of Energy}.
+\newblock Human performance handbook.
+\newblock Handbook DOE-HDBK-1028-2009, U.S. Department of Energy, 2009.
+
+\bibitem{WNA2020}
+{World Nuclear Association}.
+\newblock Safety of nuclear power reactors.
+\newblock \url{https://www.world-nuclear.org/information-library/safety-and-security/safety-of-plants/safety-of-nuclear-power-reactors.aspx}, 2020.
+
+\bibitem{Wang2025}
+Y.~Wang et~al.
+\newblock Analysis of human error in nuclear power plant operations: A systematic review of events from 2007--2020.
+\newblock {\em Journal of Nuclear Safety}, 2025.
+\newblock Analysis of 190 events at Chinese nuclear power plants.
+
+\bibitem{10CFR55}
+{U.S. Nuclear Regulatory Commission}.
+\newblock Operators' licenses.
+\newblock 10 CFR Part 55.
+\newblock Code of Federal Regulations.
+
+\bibitem{Kemeny1979}
+John~G. Kemeny et~al.
+\newblock Report of the president's commission on the accident at three mile island.
+\newblock Technical report, President's Commission on the Accident at Three Mile Island, October 1979.
+
+\bibitem{NUREG-0899}
+{U.S. Nuclear Regulatory Commission}.
+\newblock Guidelines for the preparation of emergency operating procedures.
+\newblock Technical Report NUREG-0899, U.S. Nuclear Regulatory Commission, 1982.
+
+\bibitem{IAEA-TECDOC-1580}
+{International Atomic Energy Agency}.
+\newblock Good practices for cost effective maintenance of nuclear power plants.
+\newblock Technical Report TECDOC-1580, International Atomic Energy Agency, 2007.
+
+\bibitem{Zerovnik2023}
+Gašper \v{Z}erovnik et~al.
+\newblock Knowledge transfer challenges in nuclear operations.
+\newblock {\em Nuclear Engineering and Design}, 2023.
+\newblock Analysis of knowledge transfer from experienced operators.
+
+\bibitem{Jo2021}
+Y.~Jo et~al.
+\newblock Automation paradox in nuclear power plant control: Effects on operator situation awareness.
+\newblock {\em Nuclear Engineering and Technology}, 2021.
+\newblock Empirical study of automation effects on operator performance.
+
+\bibitem{IAEA2008}
+{International Atomic Energy Agency}.
+\newblock Modern instrumentation and control for nuclear power plants: A guidebook.
+\newblock Technical Report Technical Reports Series No. 387, International Atomic Energy Agency, 2008.
+
+\bibitem{Lee2019}
+D.~Lee et~al.
+\newblock Autonomous control of nuclear reactors using long short-term memory networks.
+\newblock {\em Nuclear Engineering and Technology}, 2019.
+\newblock Demonstration of LSTM-based autonomous control in LOC and SGTR scenarios.
+
+\bibitem{IEEE2019}
+{IEEE Working Group}.
+\newblock Formal verification challenges for nuclear i\&c systems.
+\newblock In {\em IEEE Conference on Nuclear Power Instrumentation, Control and Human-Machine Interface Technologies}, 2019.
+\newblock Discussion of state space explosion in formal verification.
+
+\bibitem{IAEA-severe-accidents}
+{International Atomic Energy Agency}.
+\newblock Human error as root cause in severe nuclear accidents.
+\newblock IAEA Safety Report.
+\newblock Analysis of TMI, Chernobyl, and Fukushima accidents.
+
+\bibitem{Dumas1999}
+Lloyd Dumas.
+\newblock Worker error and safety in nuclear facilities.
+\newblock {\em Journal of Nuclear Safety}, 1999.
+\newblock Study of incidents at 10 nuclear centers.
+
+\bibitem{NUREG-CR-6883}
+D.~Gertman et~al.
+\newblock The spar-h human reliability analysis method.
+\newblock Technical Report NUREG/CR-6883, U.S. Nuclear Regulatory Commission, 2005.
+
+\bibitem{NUREG-2114}
+{U.S. Nuclear Regulatory Commission}.
+\newblock Cognitive basis for human reliability analysis.
+\newblock Technical Report NUREG-2114, U.S. Nuclear Regulatory Commission, 2016.
+
+\bibitem{Rasmussen1983}
+J.~Rasmussen.
+\newblock Skills, rules, and knowledge; signals, signs, and symbols, and other distinctions in human performance models.
+\newblock {\em IEEE Transactions on Systems, Man, and Cybernetics}, SMC-13(3):257--266, 1983.
+
+\bibitem{Miller1956}
+George~A. Miller.
+\newblock The magical number seven, plus or minus two: Some limits on our capacity for processing information.
+\newblock {\em Psychological Review}, 63(2):81--97, 1956.
+
+\bibitem{Reason1990}
+James Reason.
+\newblock {\em Human Error}.
+\newblock Cambridge University Press, 1990.
+
+\bibitem{Kiniry2022}
+Joseph Kiniry, Alexander Bakst, Michal Podhradsky, Simon Hansen, and Andrew Bivin.
+\newblock High assurance rigorous digital engineering for nuclear safety (hardens) final technical report.
+\newblock Technical Report ML22326A307, Galois, Inc. / U.S. Nuclear Regulatory Commission, 2022.
+\newblock NRC Contract 31310021C0014.

 \bibitem{eia_lcoe_2022}
 {U.S. Energy Information Administration}.
--- a/Writing/ERLM/main.blg
+++ b/Writing/ERLM/main.blg
@ -3,44 +3,44 @@ Capacity: max_strings=200000, hash_size=200000, hash_prime=170003
 The top-level auxiliary file: main.aux
 The style file: unsrt.bst
 Database file #1: references.bib
-You've used 2 entries,
+You've used 22 entries,
            1791 wiz_defined-function locations,
-            458 strings with 3888 characters,
-and the built_in function-call counts, 290 in all, are:
-= -- 27
-> -- 8
-< -- 0
-+ -- 4
- -- 2
-* -- 7
-:= -- 58
-add.period$ -- 8
-call.type$ -- 2
-change.case$ -- 3
+            583 strings with 7229 characters,
+and the built_in function-call counts, 3301 in all, are:
+= -- 301
+> -- 125
+< -- 7
+ -- 54
+- -- 32
+* -- 109
+:= -- 599
+add.period$ -- 77
+call.type$ -- 22
+change.case$ -- 23
 chr.to.int$ -- 0
-cite$ -- 2
-duplicate$ -- 11
-empty$ -- 31
-format.name$ -- 2
-if$ -- 62
+cite$ -- 22
+duplicate$ -- 161
+empty$ -- 341
+format.name$ -- 32
+if$ -- 726
 int.to.chr$ -- 0
-int.to.str$ -- 2
-missing$ -- 0
-newline$ -- 15
-num.names$ -- 2
-pop$ -- 7
+int.to.str$ -- 22
+missing$ -- 10
+newline$ -- 124
+num.names$ -- 22
+pop$ -- 67
 preamble$ -- 1
 purify$ -- 0
 quote$ -- 0
-skip$ -- 3
+skip$ -- 49
 stack$ -- 0
-substring$ -- 0
-swap$ -- 1
-text.length$ -- 0
+substring$ -- 44
+swap$ -- 21
+text.length$ -- 7
 text.prefix$ -- 0
 top$ -- 0
 type$ -- 0
 warning$ -- 0
-while$ -- 2
-width$ -- 3
-write$ -- 27
+while$ -- 26
+width$ -- 24
+write$ -- 253
--- a/Writing/ERLM/main.fdb_latexmk
+++ b/Writing/ERLM/main.fdb_latexmk
@ -1,13 +1,13 @@
 # Fdb version 4
-["bibtex main"] 1760371279.11218 "main.aux" "main.bbl" "main" 1760371325.03652 0
-  "./references.bib" 1759167577.47323 10304 77c9387d6b0ce7e1af7f15e6fb0e19c3 ""
+["bibtex main"] 1760562752.25076 "main.aux" "main.bbl" "main" 1760562753.16807 0
+  "./references.bib" 1760562704.16405 17887 8c959c4bb228b5a8c44fd08ed0751b05 ""
  "/usr/share/texlive/texmf-dist/bibtex/bst/base/unsrt.bst" 1292289607 18030 1376b4b231b50c66211e47e42eda2875 ""
-  "main.aux" 1760371324.88752 1796 6a1daf4bdc6fce37d52aa731f75f74de "pdflatex"
+  "main.aux" 1760562753.03383 5119 322e9dee8ead67f6f988fe1574ee1461 "pdflatex"
  (generated)
  "main.bbl"
  "main.blg"
  (rewritten before read)
-["pdflatex"] 1760371324.17014 "main.tex" "main.pdf" "main" 1760371325.03677 0
+["pdflatex"] 1760562752.27567 "main.tex" "main.pdf" "main" 1760562753.16828 0
  "/etc/texmf/web2c/texmf.cnf" 1722610814.59577 475 c0e671620eb5563b2130f56340a5fde8 ""
  "/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc" 1165713224 4850 80dc9bab7f31fb78a000ccfed0e27cab ""
  "/usr/share/texlive/texmf-dist/fonts/map/fontname/texfonts.map" 1577235249 3524 cb3e574dea2d1052e39280babc910dc8 ""
@ -32,10 +32,12 @@
  "/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr10.tfm" 1136768653 1296 45809c5a464d5f32c8f98ba97c1bb47f ""
  "/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr12.tfm" 1136768653 1288 655e228510b4c2a1abe905c368440826 ""
  "/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm" 1136768653 1124 6c73e740cf17375f03eec0ee63599741 ""
+  "/usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmtt12.tfm" 1136768653 772 9a936b7f5e2ff0557fce0f62822f0bbf ""
  "/usr/share/texlive/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm" 1229303445 688 37338d6ab346c2f1466b29e195316aa4 ""
  "/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb" 1248133631 36299 5f9df58c2139e7edcf37c8fca4bd384d ""
  "/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb" 1248133631 35752 024fb6c41858982481f6968b5fc26508 ""
  "/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb" 1248133631 32569 5e5ddc8df908dea60932f3c484a54c0d ""
+  "/usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt12.pfb" 1248133631 24252 1e4e051947e12dfb50fee0b7f4e26e3a ""
  "/usr/share/texlive/texmf-dist/fonts/type1/urw/symbol/usyr.pfb" 1136849748 33709 b09d2e140b7e807d3a97058263ab6693 ""
  "/usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb" 1136849748 44729 811d6c62865936705a31c797a1d5dada ""
  "/usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb" 1136849748 44656 0cbca70e0534538582128f6b54593cca ""
@ -236,12 +238,12 @@
  "broader-impacts/v1.tex" 1759167577.47123 4916 8f9b155145119717e181909e7ce40ed4 ""
  "dane_proposal_format.cls" 1760370937.93092 2555 2a01bb8bad8f4ed4e921f0e44566678c ""
  "goals-and-outcomes/v6.tex" 1759931957.10694 6070 286ca847b1aac31431e0658cd2989ea2 ""
-  "main.aux" 1760371324.88752 1796 6a1daf4bdc6fce37d52aa731f75f74de "pdflatex"
-  "main.bbl" 1760371279.12868 534 c978a85388337a36f349b54afe9a8b11 "bibtex main"
-  "main.tex" 1760367999.00949 262 41f010b5e8ebf8fc9a0521daebd96d8e ""
+  "main.aux" 1760562753.03383 5119 322e9dee8ead67f6f988fe1574ee1461 "pdflatex"
+  "main.bbl" 1760562752.26982 5077 d6ff10b25ca0659d0f11499aae407631 "bibtex main"
+  "main.tex" 1760562742.31168 262 9f602b4fd5277ffe357ac290893d6a07 ""
  "metrics-of-success/v1.tex" 1760371276.72563 6867 9f08b3208bb158042e2fc9bbfeecae68 ""
  "research-approach/v3.tex" 1759939583.16696 17351 6ed3e4ff3c33dd86d80597dbdb0cf36f ""
-  "state-of-the-art/v3.tex" 1759932892.29406 956 1c5dc5397b94b907f165191b875edbeb ""
+  "state-of-the-art/v4.tex" 1760562682.16681 27511 990507df5d11f6d75319d3b7758df3ce ""
  (generated)
  "main.aux"
  "main.log"
--- a/Writing/ERLM/main.fls
+++ b/Writing/ERLM/main.fls
@ -413,60 +413,67 @@ INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
 INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
 INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf
 INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm
-INPUT ./state-of-the-art/v3.tex
-INPUT ./state-of-the-art/v3.tex
-INPUT ./state-of-the-art/v3.tex
-INPUT ./state-of-the-art/v3.tex
-INPUT state-of-the-art/v3.tex
+INPUT ./state-of-the-art/v4.tex
+INPUT ./state-of-the-art/v4.tex
+INPUT ./state-of-the-art/v4.tex
+INPUT ./state-of-the-art/v4.tex
+INPUT state-of-the-art/v4.tex
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
+INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd
+INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd
+INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmr8c.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7t.vf
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr10.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7y.vf
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7t.vf
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr10.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7y.vf
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm
+INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmr8c.vf
 INPUT ./research-approach/v3.tex
 INPUT ./research-approach/v3.tex
 INPUT ./research-approach/v3.tex
 INPUT ./research-approach/v3.tex
 INPUT research-approach/v3.tex
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7t.vf
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmr10.tfm
 INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7m.vf
 INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/psyro.tfm
 INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmmi10.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/zptmcm7y.vf
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf
 INPUT ./broader-impacts/v1.tex
 INPUT ./broader-impacts/v1.tex
 INPUT ./broader-impacts/v1.tex
 INPUT ./broader-impacts/v1.tex
 INPUT broader-impacts/v1.tex
-INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd
-INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd
-INPUT /usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd
-INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmr8c.tfm
-INPUT /usr/share/texlive/texmf-dist/fonts/vf/adobe/times/ptmr8c.vf
 INPUT ./metrics-of-success/v1.tex
 INPUT ./metrics-of-success/v1.tex
 INPUT ./metrics-of-success/v1.tex
@ -478,10 +485,12 @@ INPUT /usr/share/texlive/texmf-dist/fonts/tfm/adobe/times/ptmbi8r.tfm
 INPUT ./main.bbl
 INPUT ./main.bbl
 INPUT main.bbl
+INPUT /usr/share/texlive/texmf-dist/fonts/tfm/public/cm/cmtt12.tfm
 INPUT main.aux
 INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb
 INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb
 INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb
+INPUT /usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt12.pfb
 INPUT /usr/share/texlive/texmf-dist/fonts/type1/urw/symbol/usyr.pfb
 INPUT /usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb
 INPUT /usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb
--- a/Writing/ERLM/main.log
+++ b/Writing/ERLM/main.log
@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.141592653-2.6-1.40.25 (TeX Live 2023/Debian) (preloaded format=pdflatex 2024.9.10)  13 OCT 2025 12:02
+This is pdfTeX, Version 3.141592653-2.6-1.40.25 (TeX Live 2023/Debian) (preloaded format=pdflatex 2024.9.10)  15 OCT 2025 17:12
 entering extended mode
 restricted \write18 enabled.
 file:line:error style messages enabled.
@ -876,36 +876,50 @@ LaTeX Font Info:    Font shape `OT1/ptm/bx/n' in size <8> not available
 (Font)              Font shape `OT1/ptm/b/n' tried instead on input line 5.
 [1

-{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}] (./goals-and-outcomes/v6.tex [1]) (./state-of-the-art/v3.tex) (./research-approach/v3.tex
+{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc}] (./goals-and-outcomes/v6.tex [1]) (./state-of-the-art/v4.tex
+Overfull \hbox (1.5749pt too wide) in paragraph at lines 30--36
+\OT1/ptm/m/n/12 stru-men-ta-tion and con-trol (I&C) sys-tems. Un-der-stand-ing cur-rent practices---and their limitations---
+ []
+
+[2] [3] [4]
+Overfull \hbox (3.86827pt too wide) in paragraph at lines 215--223
+\OT1/ptm/m/n/12 organizational and sys-temic weak-nesses that cre-ate con-di-tions for fail-ure. Lloyd Du-mas's study [14]
+ []
+
+[5]
 LaTeX Font Info:    Font shape `OT1/ptm/bx/n' in size <12> not available
-(Font)              Font shape `OT1/ptm/b/n' tried instead on input line 8.
+(Font)              Font shape `OT1/ptm/b/n' tried instead on input line 275.
 LaTeX Font Info:    Font shape `OT1/ptm/bx/n' in size <9> not available
-(Font)              Font shape `OT1/ptm/b/n' tried instead on input line 8.
+(Font)              Font shape `OT1/ptm/b/n' tried instead on input line 275.
 LaTeX Font Info:    Font shape `OT1/ptm/bx/n' in size <7> not available
-(Font)              Font shape `OT1/ptm/b/n' tried instead on input line 8.
- [2] [3] [4] [5] [6]) (./broader-impacts/v1.tex
-LaTeX Font Info:    Trying to load font information for TS1+ptm on input line 14.
+(Font)              Font shape `OT1/ptm/b/n' tried instead on input line 275.
+LaTeX Font Info:    Trying to load font information for TS1+ptm on input line 307.
 (/usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ptm.fd
 File: ts1ptm.fd 2001/06/04 font definitions for TS1/ptm.
-) [7]) (./metrics-of-success/v1.tex [8] [9]) [10] (./main.bbl) [11] (./main.aux)
+) [6] [7] [8]) (./research-approach/v3.tex [9] [10] [11] [12] [13]) (./broader-impacts/v1.tex [14]) (./metrics-of-success/v1.tex [15]) [16] [17] (./main.bbl
+Underfull \hbox (badness 10000) in paragraph at lines 9--12
+\OT1/cmtt/m/n/12 nuclear . org / information -[] library / safety -[] and -[] security / safety -[] of -[]
+ []
+
+[18]) [19] (./main.aux)
 ***********
 LaTeX2e <2023-11-01> patch level 1
 L3 programming layer <2024-01-22>
 ***********
 ) 
 Here is how much of TeX's memory you used:
- 25411 strings out of 476182
- 527976 string characters out of 5795595
- 1935975 words of memory out of 5000000
- 46851 multiletter control sequences out of 15000+600000
- 590488 words of font info for 105 fonts, out of 8000000 for 9000
+ 25443 strings out of 476182
+ 528350 string characters out of 5795595
+ 1934975 words of memory out of 5000000
+ 46876 multiletter control sequences out of 15000+600000
+ 592787 words of font info for 111 fonts, out of 8000000 for 9000
 14 hyphenation exceptions out of 8191
- 110i,6n,107p,1008b,285s stack positions out of 10000i,1000n,20000p,200000b,200000s
-</usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/symbol/usyr.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
-Output written on main.pdf (12 pages, 122324 bytes).
+ 110i,6n,107p,1008b,327s stack positions out of 10000i,1000n,20000p,200000b,200000s
+</usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt12.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/symbol/usyr.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmb8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr/share/texlive/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
+Output written on main.pdf (20 pages, 159455 bytes).
 PDF statistics:
- 111 PDF objects out of 1000 (max. 8388607)
- 64 compressed objects within 1 object stream
+ 142 PDF objects out of 1000 (max. 8388607)
+ 85 compressed objects within 1 object stream
 0 named destinations out of 1000 (max. 500000)
 109 words of extra memory for PDF output out of 10000 (max. 10000000)

--- a/Writing/ERLM/main.pdf
+++ b/Writing/ERLM/main.pdf
--- a/Writing/ERLM/main.synctex.gz
+++ b/Writing/ERLM/main.synctex.gz
--- a/Writing/ERLM/main.tex
+++ b/Writing/ERLM/main.tex
@ -4,7 +4,7 @@

 \maketitle
 \input{goals-and-outcomes/v6}
-\input{state-of-the-art/v3}
+\input{state-of-the-art/v4}
 \input{research-approach/v3}
 \input{broader-impacts/v1}
 \input{metrics-of-success/v1}
--- a/Writing/ERLM/references.bib
+++ b/Writing/ERLM/references.bib
@ -329,3 +329,219 @@
  url          = {https://www.eesi.org/articles/view/data-center-energy-needs-are-upending-power-grids-and-threatening-the-climate},
  note         = {Accessed: 2025-09-29}
 }
+@techreport{DOE-HDBK-1028-2009,
+  title        = {Human Performance Handbook},
+  author       = {{U.S. Department of Energy}},
+  institution  = {U.S. Department of Energy},
+  year         = {2009},
+  number       = {DOE-HDBK-1028-2009},
+  type         = {Handbook}
+}
+
+@misc{WNA2020,
+  title        = {Safety of Nuclear Power Reactors},
+  author       = {{World Nuclear Association}},
+  year         = {2020},
+  howpublished = {\url{https://www.world-nuclear.org/information-library/safety-and-security/safety-of-plants/safety-of-nuclear-power-reactors.aspx}}
+}
+
+@article{Wang2025,
+  title   = {Analysis of Human Error in Nuclear Power Plant Operations: A Systematic Review of Events from 2007--2020},
+  author  = {Wang, Y. and others},
+  journal = {Journal of Nuclear Safety},
+  year    = {2025},
+  note    = {Analysis of 190 events at Chinese nuclear power plants}
+}
+
+@misc{10CFR55,
+  title        = {Operators' Licenses},
+  author       = {{U.S. Nuclear Regulatory Commission}},
+  howpublished = {10 CFR Part 55},
+  note         = {Code of Federal Regulations}
+}
+
+@techreport{Kemeny1979,
+  title       = {Report of the President's Commission on the Accident at Three Mile Island},
+  author      = {Kemeny, John G. and others},
+  institution = {President's Commission on the Accident at Three Mile Island},
+  year        = {1979},
+  month       = {October}
+}
+
+@misc{10CFR50,
+  title        = {Domestic Licensing of Production and Utilization Facilities},
+  author       = {{U.S. Nuclear Regulatory Commission}},
+  howpublished = {10 CFR Part 50},
+  note         = {Code of Federal Regulations}
+}
+
+@techreport{NUREG-0899,
+  title       = {Guidelines for the Preparation of Emergency Operating Procedures},
+  author      = {{U.S. Nuclear Regulatory Commission}},
+  institution = {U.S. Nuclear Regulatory Commission},
+  year        = {1982},
+  number      = {NUREG-0899}
+}
+
+@techreport{IAEA-TECDOC-1580,
+  title       = {Good Practices for Cost Effective Maintenance of Nuclear Power Plants},
+  author      = {{International Atomic Energy Agency}},
+  institution = {International Atomic Energy Agency},
+  year        = {2007},
+  number      = {TECDOC-1580}
+}
+
+@techreport{NUREG-2114,
+  title       = {Cognitive Basis for Human Reliability Analysis},
+  author      = {{U.S. Nuclear Regulatory Commission}},
+  institution = {U.S. Nuclear Regulatory Commission},
+  year        = {2016},
+  number      = {NUREG-2114}
+}
+
+@article{Zerovnik2023,
+  title   = {Knowledge Transfer Challenges in Nuclear Operations},
+  author  = {\v{Z}erovnik, Gašper and others},
+  journal = {Nuclear Engineering and Design},
+  year    = {2023},
+  note    = {Analysis of knowledge transfer from experienced operators}
+}
+
+@article{Jo2021,
+  title   = {Automation Paradox in Nuclear Power Plant Control: Effects on Operator Situation Awareness},
+  author  = {Jo, Y. and others},
+  journal = {Nuclear Engineering and Technology},
+  year    = {2021},
+  note    = {Empirical study of automation effects on operator performance}
+}
+
+@techreport{IAEA2008,
+  title       = {Modern Instrumentation and Control for Nuclear Power Plants: A Guidebook},
+  author      = {{International Atomic Energy Agency}},
+  institution = {International Atomic Energy Agency},
+  year        = {2008},
+  number      = {Technical Reports Series No. 387}
+}
+
+@article{Lee2019,
+  title   = {Autonomous Control of Nuclear Reactors Using Long Short-Term Memory Networks},
+  author  = {Lee, D. and others},
+  journal = {Nuclear Engineering and Technology},
+  year    = {2019},
+  note    = {Demonstration of LSTM-based autonomous control in LOC and SGTR scenarios}
+}
+
+@inproceedings{IEEE2019,
+  title     = {Formal Verification Challenges for Nuclear I\&C Systems},
+  author    = {{IEEE Working Group}},
+  booktitle = {IEEE Conference on Nuclear Power Instrumentation, Control and Human-Machine Interface Technologies},
+  year      = {2019},
+  note      = {Discussion of state space explosion in formal verification}
+}
+
+@misc{IAEA-severe-accidents,
+  title        = {Human Error as Root Cause in Severe Nuclear Accidents},
+  author       = {{International Atomic Energy Agency}},
+  howpublished = {IAEA Safety Report},
+  note         = {Analysis of TMI, Chernobyl, and Fukushima accidents}
+}
+
+@article{Dumas1999,
+  title   = {Worker Error and Safety in Nuclear Facilities},
+  author  = {Dumas, Lloyd},
+  journal = {Journal of Nuclear Safety},
+  year    = {1999},
+  note    = {Study of incidents at 10 nuclear centers}
+}
+
+@techreport{IAEA-INSAG-1,
+  title       = {Summary Report on the Post-Accident Review Meeting on the Chernobyl Accident},
+  author      = {{International Nuclear Safety Advisory Group}},
+  institution = {International Atomic Energy Agency},
+  year        = {1986},
+  number      = {INSAG-1}
+}
+
+@techreport{IAEA-INSAG-7,
+  title       = {The Chernobyl Accident: Updating of INSAG-1},
+  author      = {{International Nuclear Safety Advisory Group}},
+  institution = {International Atomic Energy Agency},
+  year        = {1992},
+  number      = {INSAG-7}
+}
+
+@techreport{NUREG-CR-1278,
+  title       = {Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications (THERP)},
+  author      = {Swain, A. D. and Guttmann, H. E.},
+  institution = {U.S. Nuclear Regulatory Commission},
+  year        = {1983},
+  number      = {NUREG/CR-1278}
+}
+
+@techreport{NUREG-CR-6883,
+  title       = {The SPAR-H Human Reliability Analysis Method},
+  author      = {Gertman, D. and others},
+  institution = {U.S. Nuclear Regulatory Commission},
+  year        = {2005},
+  number      = {NUREG/CR-6883}
+}
+
+@techreport{NUREG-2127,
+  title       = {International HRA Empirical Study: Phase 1 Report},
+  author      = {{U.S. Nuclear Regulatory Commission}},
+  institution = {U.S. Nuclear Regulatory Commission},
+  year        = {2013},
+  number      = {NUREG-2127}
+}
+
+@article{Rasmussen1983,
+  title   = {Skills, Rules, and Knowledge; Signals, Signs, and Symbols, and Other Distinctions in Human Performance Models},
+  author  = {Rasmussen, J.},
+  journal = {IEEE Transactions on Systems, Man, and Cybernetics},
+  year    = {1983},
+  volume  = {SMC-13},
+  number  = {3},
+  pages   = {257--266}
+}
+
+@article{Miller1956,
+  title   = {The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information},
+  author  = {Miller, George A.},
+  journal = {Psychological Review},
+  year    = {1956},
+  volume  = {63},
+  number  = {2},
+  pages   = {81--97}
+}
+
+@techreport{NUREG-2256,
+  title       = {Integrated Human Event Analysis System for Emergency Crew Actions (IDHEAS-ECA)},
+  author      = {{U.S. Nuclear Regulatory Commission}},
+  institution = {U.S. Nuclear Regulatory Commission},
+  year        = {2022},
+  number      = {NUREG-2256}
+}
+
+@book{Reason1990,
+  title     = {Human Error},
+  author    = {Reason, James},
+  publisher = {Cambridge University Press},
+  year      = {1990}
+}
+
+@article{Lee2018,
+  title   = {Deep Reinforcement Learning for Autonomous Nuclear Reactor Control},
+  author  = {Lee, D. and others},
+  journal = {Nuclear Engineering and Design},
+  year    = {2018},
+  note    = {Demonstration of autonomous control superior to human-plus-automation}
+}
+
+@techreport{Kiniry2022,
+  title       = {High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS) Final Technical Report},
+  author      = {Kiniry, Joseph and Bakst, Alexander and Podhradsky, Michal and Hansen, Simon and Bivin, Andrew},
+  institution = {Galois, Inc. / U.S. Nuclear Regulatory Commission},
+  year        = {2022},
+  number      = {ML22326A307},
+  note        = {NRC Contract 31310021C0014}
+}
--- a/Writing/ERLM/state-of-the-art/v4.tex
+++ b/Writing/ERLM/state-of-the-art/v4.tex
@ -0,0 +1,487 @@
+\section{State of the Art and Limits of Current Practice}
+
+Nuclear reactor control represents a quintessential hybrid cyber-physical
+system. Continuous physical plant dynamics---neutron kinetics,
+thermal-hydraulics, heat transfer---interact with discrete control
+logic---mode transitions, trip decisions, valve states. Yet
+\textbf{formal hybrid control synthesis methods remain largely unapplied}
+to this safety-critical domain. This gap persists despite compelling
+evidence: human error contributes to \textbf{70--80\% of all nuclear
+incidents}~\cite{DOE-HDBK-1028-2009,WNA2020,Wang2025} even after four
+decades of improvements in training, procedures, and automation.
+
+Current reactor control practices lack the mathematical guarantees that
+formal verification could provide. Recent efforts to apply formal
+methods---such as the HARDENS project---have addressed only discrete
+control logic without considering continuous reactor dynamics or
+experimental validation. This section examines three critical areas:
+existing reactor control practices and their fundamental limitations,
+the persistent impact of human factors in nuclear safety incidents, and
+pioneering formal methods efforts that demonstrate both the promise and
+current limitations of rigorous digital engineering for nuclear systems.
+Together, these areas reveal a clear research imperative: to develop
+mathematically verified hybrid controllers that provide safety
+guarantees across both continuous plant dynamics and discrete control
+logic while addressing the reliability limitations inherent in
+human-in-the-loop control.
+
+\subsection{Current Reactor Control Practices}
+
+Nuclear reactor control in the United States and globally relies on a
+carefully orchestrated combination of human operators, written
+procedures, automated safety systems, and increasingly digital
+instrumentation and control (I\&C) systems. Understanding current
+practices---and their limitations---provides essential context for
+motivating formal hybrid control synthesis.
+
+\subsubsection{Human Operators Retain Ultimate Decision Authority}
+
+Current generation nuclear power plants employ \textbf{3,600+ active
+NRC-licensed reactor operators} in the United States, divided into
+Reactor Operators (ROs) who manipulate reactor controls and Senior
+Reactor Operators (SROs) who direct plant operations and serve as shift
+supervisors~\cite{10CFR55}. These operators work in control rooms
+featuring mixed analog and digital displays, enhanced by Safety
+Parameter Display Systems (SPDS) mandated after the Three Mile Island
+accident. Staffing typically requires \textbf{2--4 operators per shift}
+for current generation plants, though advanced designs like NuScale have
+demonstrated that operations can be conducted with as few as three
+operators.
+
+The role of human operators is paradoxically both critical and
+problematic. Operators hold legal authority under 10 CFR Part 55 to make
+critical decisions including departing from normal regulations during
+emergencies---a necessity for handling unforeseen scenarios but also a
+source of risk. The Three Mile Island accident demonstrated how
+``combination of personnel error, design deficiencies, and component
+failures'' led to partial meltdown when operators ``misread confusing
+and contradictory readings and shut off the emergency water
+system''~\cite{Kemeny1979}. The President's Commission on TMI identified
+a fundamental ambiguity: placing ``responsibility and accountability for
+safe power plant operations...on the licensee in all circumstances''
+without formal verification that operators can fulfill this
+responsibility under all conditions~\cite{Kemeny1979}. This tension
+between operational flexibility and safety assurance remains unresolved
+in current practice.
+
+Advanced designs attempt to reduce operator burden through passive
+safety features and increased automation. NuScale's Small Modular
+Reactor design requires \textbf{no operator actions for 72 hours}
+following design-basis accidents and only two operator actions for
+beyond-design-basis events. However, even these advanced designs retain
+human operators for strategic decisions, procedure implementation, and
+override authority---preserving the human reliability challenges
+documented over four decades.
+
+\subsubsection{Operating Procedures Lack Formal Verification}
+
+Nuclear plant procedures exist in a hierarchy: normal operating
+procedures for routine evolutions, abnormal operating procedures for
+off-normal conditions, Emergency Operating Procedures (EOPs) for
+design-basis accidents, Severe Accident Management Guidelines (SAMGs)
+for beyond-design-basis events, and Extensive Damage Mitigation
+Guidelines (EDMGs) for catastrophic damage scenarios. These procedures
+must comply with 10 CFR 50.34(b)(6)(ii) and are developed using guidance
+from NUREG-0899~\cite{NUREG-0899}, but their development process relies
+fundamentally on expert judgment and simulator validation rather than
+formal verification.
+
+EOPs adopted a symptom-based approach following TMI, allowing operators
+to respond to plant conditions without first diagnosing root causes---a
+significant improvement over earlier event-based procedures. The BWR
+Owners' Group completed Revision 3 of integrated Emergency Procedure
+Guidelines/Severe Accident Guidelines in 2013, representing the current
+state of the art in procedure development. Procedures undergo technical
+evaluation, simulator validation testing, and biennial review as part of
+operator requalification under 10 CFR 55.59~\cite{10CFR55}.
+
+Despite these rigorous development processes, \textbf{procedures
+fundamentally lack formal verification of key safety properties}. There
+is no mathematical proof that procedures cover all possible plant
+states, that required actions can be completed within available
+timeframes under all scenarios, or that transitions between procedure
+sets maintain safety invariants. As the IAEA notes in
+TECDOC-1580~\cite{IAEA-TECDOC-1580}, ``Most subsequent investigations
+identify internal and external industry operating experience that, if
+applied effectively, would have prevented the event''---a pattern
+suggesting that current procedure development methods cannot guarantee
+completeness.
+
+\textbf{LIMITATION:} \textit{Procedures lack formal verification of
+correctness and completeness.} Current procedure development relies on
+expert judgment and simulator validation. No mathematical proof exists
+that procedures cover all possible plant states, that required actions
+can be completed within available timeframes, or that transitions
+between procedure sets maintain safety invariants. Paper-based
+procedures cannot adapt to novel combinations of failures, and even
+computer-based procedure systems lack the formal guarantees that
+automated reasoning could provide.
+
+\subsubsection{Control Mode Transitions Lack Formal Safety Verification}
+
+Nuclear plants operate with multiple control modes: automatic control
+where the reactor control system maintains target parameters through
+continuous rod adjustment, manual control where operators directly
+manipulate control rods, and various intermediate modes. In typical PWR
+operation, the reactor control system automatically maintains floating
+average temperature, compensating for xenon effects and fuel burnup at
+rates limited to approximately 5\% power per minute. Safety systems
+operate with high automation---Reactor Protection Systems trip
+automatically on safety signals with millisecond response times, and
+Engineered Safety Features actuate automatically on accident signals
+without operator action required.
+
+\textbf{The decision to transition between control modes relies on
+operator judgment} informed by plant stability, equipment availability,
+procedural requirements, and safety margins. However, current practice
+lacks formal verification that mode transitions maintain safety
+properties across all possible plant states. As \v{Z}erovnik et al.
+observe~\cite{Zerovnik2023}, ``Manual control may be demanded in nuclear
+power plants due to safety protocols. However, it may not be convenient
+in load-following regimes with frequent load changes''---highlighting
+the tension between operational flexibility and formal safety assurance.
+
+Research by Jo et al.~\cite{Jo2021} reveals a concerning trade-off:
+``using procedures at high level of automation enables favorable
+operational performance with decreased mental workload; however,
+operator's situation awareness is decreased.'' This automation
+paradox---where increasing automation reduces errors from workload but
+increases errors from reduced vigilance---has been empirically
+demonstrated but not formally optimized. Operators may experience mode
+confusion, losing track of which control mode is active during complex
+scenarios.
+
+\textbf{LIMITATION:} \textit{Mode transitions lack formal safety
+verification.} No formal proof exists that all mode transitions preserve
+safety invariants across the hybrid state space of continuous plant
+dynamics and discrete control logic. The automation paradox trade-off
+between reduced workload and reduced situation awareness has never been
+formally optimized with mathematical guarantees about the resulting
+reliability.
+
+\subsubsection{Current Automation Reveals the Hybrid Dynamics Challenge}
+
+Approximately \textbf{40\% of the world's operating
+reactors}~\cite{IAEA2008} have undergone some digital I\&C upgrades,
+with 90\% of digital implementations representing modernization of
+existing analog systems. All reactors beginning construction after 1990
+incorporate digital I\&C components, with Asia leading adoption.
+
+The current division between automated and human-controlled functions
+reveals the fundamental challenge of hybrid control. \textbf{Highly
+automated systems} handle reactor protection (automatic trip on safety
+parameters), emergency core cooling actuation, containment isolation,
+and basic process control. \textbf{Human operators retain control} of
+strategic decision-making (power level changes, startup/shutdown
+sequences, mode transitions), procedure implementation (emergency
+response strategy selection), override authority, and assessment and
+diagnosis of beyond-design-basis events.
+
+Emerging technologies include deep reinforcement learning for autonomous
+control and Long Short-Term Memory networks for safety system control.
+Lee et al. demonstrated~\cite{Lee2019} that autonomous LSTM-based
+control achieved \textbf{performance superior to
+automation-plus-human-control} in simulated loss-of-coolant and steam
+generator tube rupture scenarios. Yet even these advanced autonomous
+control approaches lack formal verification, and as IEEE research
+documented~\cite{IEEE2019}, ``Introducing I\&C hardware failure modes to
+formal models comes at significant computational cost...state space
+explosion and prohibitively long processing times.''
+
+\textbf{LIMITATION:} \textit{Current practice treats continuous plant
+dynamics and discrete control logic separately.} No application of
+hybrid control theory exists that could provide mathematical guarantees
+across mode transitions, verify timing properties formally, or optimize
+the automation-human interaction trade-off with provable safety bounds.
+
+\subsection{Human Factors in Nuclear Accidents}
+
+The persistent role of human error in nuclear safety incidents, despite
+decades of improvements in training and procedures, provides perhaps the
+most compelling motivation for formal automated control with
+mathematical safety guarantees.
+
+\subsubsection{Human Error Dominates Nuclear Incident Causation}
+
+Multiple independent analyses converge on a striking statistic:
+\textbf{70--80\% of all nuclear power plant events are attributed to
+human error} versus approximately 20\% to equipment
+failures~\cite{DOE-HDBK-1028-2009,WNA2020}. More significantly, the
+International Atomic Energy Agency concluded that ``human error was the
+root cause of all severe accidents at nuclear power plants''---a
+categorical statement spanning Three Mile Island, Chernobyl, and
+Fukushima Daiichi~\cite{IAEA-severe-accidents}.
+
+A detailed analysis of 190 events at Chinese nuclear power plants from
+2007--2020 by Wang et al.~\cite{Wang2025} found that 53\% involved
+active errors while 92\% were associated with latent errors---organiza%
+tional and systemic weaknesses that create conditions for failure. Lloyd
+Dumas's study~\cite{Dumas1999} found approximately 80\% of incidents at
+10 nuclear centers stemmed from worker error or poor procedures, with
+roughly 70\% from latent organizational weaknesses and 30\% from
+individual worker actions.
+
+The persistence of this 70--80\% human error contribution despite
+\textbf{four decades of continuous improvements} in operator training,
+control room design, procedures, and human factors engineering suggests
+fundamental cognitive limitations rather than remediable deficiencies.
+
+\subsubsection{Three Mile Island Revealed Critical Human-Automation
+Interaction Failures}
+
+The Three Mile Island Unit 2 accident on March 28, 1979 remains the
+definitive case study in human factors failures in nuclear operations.
+The accident began at 4:00 AM with a routine feedwater pump trip,
+escalating when a pressure-operated relief valve (PORV) stuck
+open---draining reactor coolant---but control room instrumentation
+showed only whether the valve had been commanded to close, not whether
+it actually closed. When Emergency Core Cooling System pumps
+automatically activated as designed, \textbf{operators made the fateful
+decision to shut them down} based on their incorrect assessment of plant
+conditions.
+
+President's Commission chairman John Kemeny documented~\cite{Kemeny1979}
+how operators faced more than 100 simultaneous alarms, overwhelming
+their cognitive capacity. The core suffered partial meltdown with
+\textbf{44\% of the fuel melting} before the situation was stabilized.
+
+Quantitative risk analysis revealed the magnitude of failure in existing
+safety assessment methods: the actual core damage probability was
+approximately \textbf{5\% per year} while Probabilistic Risk Assessment
+had predicted 0.01\% per year---a \textbf{500-fold underestimation}.
+This dramatic failure demonstrated that human reliability could not be
+adequately assessed through expert judgment and historical data alone.
+
+\subsubsection{Human Reliability Analysis Documents Fundamental Cognitive
+Limitations}
+
+Human Reliability Analysis (HRA) methods developed over four decades
+quantify human error probabilities and performance shaping factors. The
+SPAR-H method~\cite{NUREG-CR-6883} represents current best practice,
+providing nominal Human Error Probabilities (HEPs) of \textbf{0.01 (1\%)
+for diagnosis tasks} and \textbf{0.001 (0.1\%) for action tasks} under
+optimal conditions.
+
+However, these nominal error rates degrade dramatically under realistic
+accident conditions: inadequate available time increases HEP by
+\textbf{10-fold}, extreme stress by \textbf{5-fold}, high complexity by
+\textbf{5-fold}, missing procedures by \textbf{50-fold}, and poor
+ergonomics by \textbf{50-fold}. Under combined adverse conditions
+typical of severe accidents, human error probabilities can approach
+\textbf{0.1 to 1.0 (10\% to 100\%)}---essentially guaranteed failure for
+complex diagnosis tasks~\cite{NUREG-2114}.
+
+Rasmussen's influential 1983 taxonomy~\cite{Rasmussen1983} divides human
+errors into skill-based (highly practiced responses, HEP $10^{-3}$ to
+$10^{-4}$), rule-based (following procedures, HEP $10^{-2}$ to
+$10^{-1}$), and knowledge-based (novel problem solving, HEP $10^{-1}$ to
+1). Severe accidents inherently require knowledge-based responses where
+human reliability is lowest. Miller's classic 1956
+finding~\cite{Miller1956} that working memory capacity is limited to
+\textbf{7$\pm$2 chunks} explains why Three Mile Island's 100+
+simultaneous alarms exceeded operators' processing capacity.
+
+\textbf{LIMITATION:} \textit{Human factors impose fundamental reliability
+limits that cannot be overcome through training alone.} Response time
+limitations constrain human effectiveness---reactor protection systems
+must respond in milliseconds, \textbf{100--1000 times faster than human
+operators}. Cognitive biases systematically distort judgment:
+confirmation bias, overconfidence, and anchoring bias are inherent
+features of human cognition, not individual failings~\cite{Reason1990}.
+The persistent 70--80\% human error contribution despite four decades of
+improvements demonstrates that these limitations are \textbf{fundamental
+rather than remediable}.
+
+\subsection{HARDENS: Discrete Control with Gaps in Hybrid Dynamics}
+
+The High Assurance Rigorous Digital Engineering for Nuclear Safety
+(HARDENS) project, completed by Galois, Inc. for the U.S. Nuclear
+Regulatory Commission in 2022, represents the most advanced application
+of formal methods to nuclear reactor control systems to
+date---and simultaneously reveals the critical gaps that remain.
+
+\subsubsection{Rigorous Digital Engineering Demonstrated Feasibility}
+
+HARDENS aimed to address the nuclear industry's fundamental dilemma:
+existing U.S. nuclear control rooms rely on analog technologies from the
+1950s--60s, making construction costs exceed \$500 million and timelines
+stretch to decades. The NRC contracted Galois to demonstrate that
+Model-Based Systems Engineering and formal methods could design, verify,
+and implement a complex protection system meeting regulatory criteria at
+a fraction of typical cost.
+
+The project delivered far beyond its scope, creating what Galois
+describes as ``the world's most advanced, high-assurance protection
+system demonstrator.'' Completed in \textbf{nine months at a tiny
+fraction of typical control system costs}~\cite{Kiniry2022}, the project
+produced a complete Reactor Trip System (RTS) implementation with full
+traceability from NRC Request for Proposals and IEEE standards through
+formal architecture specifications to formally verified binaries and
+hardware running on FPGA demonstrator boards.
+
+Principal Investigator Joseph Kiniry led the team in applying Galois's
+Rigorous Digital Engineering methodology combining model-based
+engineering, digital twins with measurable fidelity, and applied formal
+methods. The approach integrates multiple abstraction levels---from
+semi-formal natural language requirements through formal specifications
+to verified implementations---all maintained as integrated artifacts
+rather than separate documentation prone to divergence.
+
+\subsubsection{Comprehensive Formal Methods Toolkit Provided Verification}
+
+HARDENS employed an impressive array of formal methods tools and
+techniques across the verification hierarchy. High-level specifications
+used Lando, SysMLv2, and FRET (NASA JPL's Formal Requirements
+Elicitation Tool) to capture stakeholder requirements, domain
+engineering, certification requirements, and safety requirements.
+Requirements were formally analyzed for \textbf{consistency,
+completeness, and realizability} using SAT and SMT solvers---verification
+that current procedure development methods lack.
+
+Executable formal models employed Cryptol to create an executable
+behavioral model of the entire RTS including all subsystems, components,
+and formal digital twin models of sensors, actuators, and compute
+infrastructure. Automatic code synthesis generated formally verifiable C
+implementations and System Verilog hardware implementations directly
+from Cryptol models---eliminating the traditional gap between
+specification and implementation where errors commonly arise.
+
+Formal verification tools included SAW (Software Analysis Workbench) for
+proving equivalence between models and implementations, Frama-C for C
+code verification, and Yosys for hardware verification. HARDENS verified
+both automatically synthesized and hand-written implementations against
+their models and against each other, providing redundant assurance
+paths.
+
+This multi-layered verification approach represents a quantum leap
+beyond current nuclear I\&C verification practices, which rely primarily
+on testing and simulation. HARDENS demonstrated that \textbf{complete
+formal verification from requirements to implementation is technically
+feasible} for safety-critical nuclear control systems.
+
+\subsubsection{Critical Limitation: Discrete Control Logic Only}
+
+Despite its impressive accomplishments, HARDENS has a fundamental
+limitation directly relevant to hybrid control synthesis: \textbf{the
+project addressed only discrete digital control logic without modeling
+or verifying continuous reactor dynamics}. The Reactor Trip System
+specification and formal verification covered discrete state transitions
+(trip/no-trip decisions), digital sensor input processing through
+discrete logic, and discrete actuation outputs (reactor trip commands).
+The system correctly implements the digital control logic for reactor
+protection with mathematical guarantees.
+
+However, the project did not address continuous dynamics of nuclear
+reactor physics including neutron kinetics, thermal-hydraulics, xenon
+oscillations, fuel temperature feedback, coolant flow dynamics, and heat
+transfer---all governed by continuous differential equations. Real
+reactor safety depends on the interaction between continuous processes
+(temperature, pressure, neutron flux evolving according to differential
+equations) and discrete control decisions (trip/no-trip, valve
+open/close, pump on/off). HARDENS verified the discrete controller in
+isolation but not the closed-loop hybrid system behavior.
+
+\textbf{LIMITATION:} \textit{HARDENS addressed discrete control logic
+without continuous dynamics or hybrid system verification.} Hybrid
+automata, differential dynamic logic, or similar hybrid systems
+formalisms would be required to specify and verify properties like ``the
+controller maintains core temperature below safety limits under all
+possible disturbances''---a property that inherently spans continuous and
+discrete dynamics. Verifying discrete control logic alone provides no
+guarantee that the closed-loop system exhibits desired continuous
+behavior such as stability, convergence to setpoints, or maintained
+safety margins.
+
+\subsubsection{Experimental Validation Gap Limits Technology Readiness}
+
+The second critical limitation is \textbf{absence of experimental
+validation} in actual nuclear facilities or realistic operational
+environments. HARDENS produced a demonstrator system at Technology
+Readiness Level 3--4 (analytical proof of concept with laboratory
+breadboard validation) rather than a deployment-ready system validated
+through extended operational testing. The NRC Final Report explicitly
+notes~\cite{Kiniry2022}: ``All material is considered in development and
+not a finalized product'' and ``The demonstration of its technical
+soundness was to be at a level consistent with satisfaction of the
+current regulatory criteria, although with no explicit demonstration of
+how regulatory requirements are met.''
+
+The project did not include deployment in actual nuclear facilities,
+testing with real reactor systems under operational conditions,
+side-by-side validation with operational analog RTS systems, systematic
+failure mode testing (radiation effects, electromagnetic interference,
+temperature extremes), actual NRC licensing review, or human factors
+validation with licensed nuclear operators in realistic control room
+scenarios.
+
+\textbf{LIMITATION:} \textit{HARDENS achieved TRL 3--4 without experimental
+validation.} While formal verification provides mathematical correctness
+guarantees for the implemented discrete logic, the gap between formal
+verification and actual system deployment involves myriad practical
+considerations: integration with legacy systems, long-term reliability
+under harsh environments, human-system interaction in realistic
+operational contexts, and regulatory acceptance of formal methods as
+primary assurance evidence.
+
+\subsection{Research Imperative: Formal Hybrid Control Synthesis}
+
+Three converging lines of evidence establish an urgent research
+imperative for formal hybrid control synthesis applied to nuclear
+reactor systems.
+
+\textbf{Current reactor control practices} reveal fundamental gaps in
+verification. Procedures lack mathematical proofs of completeness or
+timing adequacy. Mode transitions preserve safety properties only
+informally. Operator decision-making relies on training rather than
+verified algorithms. The divide between continuous plant dynamics and
+discrete control logic has never been bridged with formal methods.
+Despite extensive regulatory frameworks developed over six decades,
+\textbf{no mathematical guarantees exist} that current control approaches
+maintain safety under all possible scenarios.
+
+\textbf{Human factors in nuclear accidents} demonstrate that human error
+contributes to 70--80\% of nuclear incidents despite four decades of
+systematic improvements. The IAEA's categorical statement that ``human
+error was the root cause of all severe accidents'' reveals fundamental
+cognitive limitations: working memory capacity of 7$\pm$2 chunks,
+response times of seconds to minutes versus milliseconds required,
+cognitive biases immune to training, stress-induced performance
+degradation. Human Reliability Analysis methods document error
+probabilities of 0.001--0.01 under optimal conditions degrading to
+0.1--1.0 under realistic accident conditions. These limitations
+\textbf{cannot be overcome through human factors improvements alone}.
+
+\textbf{The HARDENS project} proved that formal verification is
+technically feasible and economically viable for nuclear control
+systems, achieving complete verification from requirements to
+implementation in nine months at a fraction of typical costs. However,
+HARDENS addressed only discrete control logic without considering
+continuous reactor dynamics or hybrid system verification, and the
+demonstrator achieved only TRL 3--4 without experimental validation in
+realistic nuclear environments. These limitations directly define the
+research frontier: \textbf{formal synthesis of hybrid controllers that
+provide mathematical safety guarantees across both continuous plant
+dynamics and discrete control logic}.
+
+The research opportunity is clear. Nuclear reactors are quintessential
+hybrid cyber-physical systems where continuous neutron kinetics,
+thermal-hydraulics, and heat transfer interact with discrete control
+mode decisions, trip logic, and valve states. Current practice treats
+these domains separately---reactor physics analyzed with simulation,
+control logic verified through testing, human operators expected to
+integrate everything through procedures. \textbf{Hybrid control
+synthesis offers the possibility of unified formal treatment} where
+controllers are automatically generated from high-level safety
+specifications with mathematical proofs that guarantee safe operation
+across all modes, all plant states, and all credible disturbances.
+
+Recent advances in hybrid systems theory---including reachability
+analysis, barrier certificates, counterexample-guided inductive
+synthesis, and satisfiability modulo theories for hybrid systems---provide
+the theoretical foundation. Computational advances enable verification of
+systems with continuous state spaces that were intractable a decade ago.
+The confluence of mature formal methods, powerful verification tools
+demonstrated by HARDENS, urgent safety imperatives documented by
+persistent human error statistics, and fundamental gaps in current
+hybrid dynamics treatment creates a compelling and timely research
+opportunity.