Obsidian/Writing/ERLM/state-of-the-art/v6.tex

\section{State of the Art and Limits of Current Practice}

The principal aim of this research is to create autonomous reactor control
systems that are tractably safe. But, to understand what exactly is being
automated, it is important to understand how nuclear reactors are operated
today. First, the reactor operator themselves is discussed. Then, operating
procedures that we aim to leverage later are examined. Next, limitations of
human-based operation are investigated, while finally we discuss current formal
methods based approaches to building reactor control systems.

\subsection{Current Reactor Procedures and Operation}

Current generation nuclear power plants employ 3,600+ active NRC-licensed
reactor operators in the United States. These operators are divided into Reactor
Operators (ROs) who manipulate reactor controls and Senior Reactor Operators
(SROs) who direct plant operations and serve as shift
supervisors~\cite{10CFR55}. Staffing typically requires 2+ ROs with at least one
SRO for current generation units. To become a reactor operator, an individual
might spend up to six years to pass required training~\cite{princeton}.

The role of human operators is paradoxically both critical and
problematic. Operators hold legal authority under 10 CFR Part 55 to make
critical decisions including departing from normal regulations during
emergencies. The Three Mile Island (TMI) accident demonstrated how
``combination of personnel error, design deficiencies, and component
failures'' led to partial meltdown when operators ``misread confusing
and contradictory readings and shut off the emergency water
system''~\cite{Kemeny1979}. The President's Commission on TMI identified
a fundamental ambiguity: placing ``responsibility and accountability for
safe power plant operations...on the licensee in all circumstances''
without formal verification that operators can fulfill this
responsibility under all conditions~\cite{Kemeny1979}. This tension
between operational flexibility and safety assurance remains unresolved
in current practice.

Nuclear plant procedures exist in a hierarchy: normal operating procedures for
routine operations, abnormal operating procedures for off-normal conditions,
Emergency Operating Procedures (EOPs) for design-basis accidents, Severe
Accident Management Guidelines (SAMGs) for beyond-design-basis events, and
Extensive Damage Mitigation Guidelines (EDMGs) for catastrophic damage
scenarios. These procedures must comply with 10 CFR 50.34(b)(6)(ii) and are
developed using guidance from NUREG-0899~\cite{NUREG-0899}, but their
development process relies fundamentally on expert judgment and simulator
validation rather than formal verification. Procedures undergo technical
evaluation, simulator validation testing, and biennial review as part of
operator requalification under 10 CFR 55.59~\cite{10CFR55}. Despite these
rigorous development processes, procedures fundamentally lack formal
verification of key safety properties. There is no mathematical proof that
procedures cover all possible plant states, that required actions can be
completed within available timeframes under all scenarios, or that transitions
between procedure sets maintain safety invariants. 

\textbf{LIMITATION:} \textit{Procedures lack formal verification of correctness
and completeness.} Current procedure development relies on expert judgment and
simulator validation. No mathematical proof exists that procedures cover all
possible plant states, that required actions can be completed within available
timeframes, or that transitions between procedure sets maintain safety
invariants. Paper-based procedures cannot ensure correct application, and even
computer-based procedure systems lack the formal guarantees that automated
reasoning could provide.

Nuclear plants operate with multiple control modes: automatic control where the
reactor control system maintains target parameters through continuous rod
adjustment, manual control where operators directly manipulate control rods, and
various intermediate modes. In typical pressurized water reactor operation, the
reactor control system automatically maintains a floating average temperature,
compensating for changes in power demand with reactivity feedback loops alone.
Safety systems instead operate with implemented automation. Reactor
Protection Systems trip automatically on safety signals with millisecond
response times, and engineered safety features actuate automatically on accident
signals without operator action required.

The current division between automated and human-controlled functions
reveals the fundamental challenge of hybrid control. Highly
automated systems handle reactor protection like automatic trips on safety
parameters, emergency core cooling actuation, containment isolation,
and basic process control. Human operators, however, retain control of
strategic decision-making such as power level changes, startup/shutdown
sequences, mode transitions, and procedure implementation. %%%NEED MORE

\textbf{LIMITATION:} \textit{Current practice treats continuous plant
dynamics and discrete control logic separately.} No application of
hybrid control theory exists that could provide mathematical guarantees
across mode transitions, verify timing properties formally, or optimize
the automation-human interaction trade-off with provable safety bounds.


\subsection{Human Factors in Nuclear Accidents}
The persistent role of human error in nuclear safety incidents, despite
decades of improvements in training and procedures, provides perhaps the
most compelling motivation for formal automated control with
mathematical safety guarantees.

Multiple independent analyses converge on a striking statistic: 70--80\%
of all nuclear power plant events are attributed to human error versus
approximately 20\% to equipment failures~\cite{DOE-HDBK-1028-2009,WNA2020}. More
significantly, the International Atomic Energy Agency concluded that ``human
error was the root cause of all severe accidents at nuclear power plants''---a
categorical statement spanning Three Mile Island, Chernobyl, and Fukushima
Daiichi~\cite{IAEA-severe-accidents}. A detailed analysis of 190 events at
Chinese nuclear power plants from 2007--2020~\cite{Wang2025} found that 53\% of
events involved active errors while 92\% were associated with latent errors
(organizational and systemic weaknesses that create conditions for failure). The
persistence of this 70--80\% human error contribution despite four decades of
continuous improvements in operator training, control room design, procedures,
and human factors engineering. This suggests fundamental cognitive limitations
rather than remediable deficiencies.

The Three Mile Island Unit 2 accident on March 28, 1979 remains the definitive
case study in human factors failures in nuclear operations. The accident began
at 4:00 AM with a routine feedwater pump trip, escalating when a
pressure-operated relief valve (PORV) stuck open---draining reactor
coolant---but control room instrumentation showed only whether the valve had
been commanded to close, not whether it actually closed. When Emergency Core
Cooling System pumps automatically activated as designed, operators made the
fateful decision to shut them down based on their incorrect assessment of plant
conditions. The result was a massive loss of coolant accident and the core
quickly began to overheat. During the emergency, operators faced more than 100
simultaneous alarms, overwhelming their cognitive capacity~\cite{Kemeny1979}.
The core suffered partial meltdown with 44\% of the fuel melting before the
situation was stabilized. Quantitative risk analysis revealed the magnitude of
failure in existing safety assessment methods: the actual core damage
probability was approximately 5\% per year while Probabilistic Risk Assessment
had predicted 0.01\% per year---a 500-fold underestimation. This
dramatic failure demonstrated that human reliability could not be adequately
assessed through expert judgment and historical data alone.

\textbf{LIMITATION:} \textit{Human factors impose fundamental reliability
limits that cannot be overcome through training alone.} Response time
limitations constrain human effectiveness---reactor protection systems
must respond in milliseconds, 100--1000 times faster than human
operators. Cognitive biases systematically distort judgment:
confirmation bias, overconfidence, and anchoring bias are inherent
features of human cognition, not individual failings~\cite{Reason1990}.
The persistent 70--80\% human error contribution despite four decades of
improvements demonstrates that these limitations are fundamental
rather than remediable part of human-driven control.

\subsection{HARDENS and Formal Methods}

The High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
project represents the most advanced application of formal methods to nuclear
reactor control systems to date. HARDENS aimed to address the nuclear industry's
fundamental dilemma: existing U.S. nuclear control rooms rely on analog
technologies from the 1950s--60s. This technology is woefully out of date
compared to modern control technoligies, and incurs significant risk and cost to
plant operation. The NRC contracted Galois to demonstrate that Model-Based
Systems Engineering and formal methods could design, verify, and implement a
complex protection system meeting regulatory criteria at a fraction of typical
cost. The project delivered a Reactor Trip System (RTS) implementation with full
traceability from NRC Request for Proposals and IEEE standards through
formal architecture specifications to formally verified binaries and
hardware running on FPGA demonstrator boards.

HARDENS employed an array of formal methods tools and techniques across the
verification hierarchy. High-level specifications used Lando, SysMLv2, and FRET
(NASA JPL's Formal Requirements Elicitation Tool) to capture stakeholder
requirements, domain engineering, certification requirements, and safety
requirements. Requirements were formally analyzed for consistency, completeness,
and realizability using SAT and SMT solvers. Executable formal models employed
Cryptol to create an executable behavioral model of the entire RTS including all
subsystems, components, and limited digital twin models of sensors, actuators,
and compute infrastructure. Automatic code synthesis generated formally
verifiable C implementations and System Verilog hardware implementations
directly from Cryptol models---eliminating the traditional gap between
specification and implementation where errors commonly arise.

Despite its accomplishments, HARDENS has a fundamental limitation directly
relevant to hybrid control synthesis: the project addressed only discrete
digital control logic without modeling or verifying continuous reactor dynamics.
The Reactor Trip System specification and formal verification covered discrete
state transitions (trip/no-trip decisions), digital sensor input processing
through discrete logic, and discrete actuation outputs (reactor trip commands).
However, the project did not address continuous dynamics of nuclear reactor
physics. Real reactor safety depends on the interaction between continuous
processes (temperature, pressure, neutron flux evolving according to
differential equations) and discrete control decisions (trip/no-trip, valve
open/close, pump on/off). HARDENS verified the discrete controller in isolation
but not the closed-loop hybrid system behavior.

\textbf{LIMITATION:} \textit{HARDENS addressed discrete control logic without
continuous dynamics or hybrid system verification.} Verifying discrete control
logic alone provides no guarantee that the closed-loop system exhibits desired
continuous behavior such as stability, convergence to setpoints, or maintained
safety margins.

HARDENS produced a demonstrator system at Technology Readiness Level 2--3
(analytical proof of concept with laboratory breadboard validation) rather than
a deployment-ready system validated through extended operational testing. The
NRC Final Report explicitly notes~\cite{Kiniry2022}: ``All material is
considered in development and not a finalized product'' and ``The demonstration
of its technical soundness was to be at a level consistent with satisfaction of
the current regulatory criteria, although with no explicit demonstration of how
regulatory requirements are met.'' The project did not include deployment in
actual nuclear facilities, testing with real reactor systems under operational
conditions, side-by-side validation with operational analog RTS systems,
systematic failure mode testing (radiation effects, electromagnetic
interference, temperature extremes), actual NRC licensing review, or human
factors validation with licensed nuclear operators in realistic control room
scenarios.

\textbf{LIMITATION:} \textit{HARDENS achieved TRL 2--3 without experimental
validation.} While formal verification provides mathematical correctness
guarantees for the implemented discrete logic, the gap between formal
verification and actual system deployment involves myriad practical
considerations: integration with legacy systems, long-term reliability
under harsh environments, human-system interaction in realistic
operational contexts, and regulatory acceptance of formal methods as
primary assurance evidence.