\section{State of the Art and Limits of Current Practice}
Nuclear reactor control represents a quintessential hybrid cyber-physical
system. Continuous physical plant dynamics---neutron kinetics,
thermal-hydraulics, heat transfer---interact with discrete control
logic---mode transitions, trip decisions, valve states. Yet
\textbf{formal hybrid control synthesis methods remain largely unapplied}
to this safety-critical domain. This gap persists despite compelling
evidence: human error contributes to \textbf{70--80\% of all nuclear
incidents}~\cite{DOE-HDBK-1028-2009,WNA2020,Wang2025} even after four
decades of improvements in training, procedures, and automation.
Current reactor control practices lack the mathematical guarantees that
formal verification could provide. Recent efforts to apply formal
methods---such as the HARDENS project---have addressed only discrete
control logic without considering continuous reactor dynamics or
experimental validation. This section examines three critical areas:
existing reactor control practices and their fundamental limitations,
the persistent impact of human factors in nuclear safety incidents, and
pioneering formal methods efforts that demonstrate both the promise and
current limitations of rigorous digital engineering for nuclear systems.
Together, these areas reveal a clear research imperative: to develop
mathematically verified hybrid controllers that provide safety
guarantees across both continuous plant dynamics and discrete control
logic while addressing the reliability limitations inherent in
human-in-the-loop control.
\subsection{Current Reactor Control Practices}
Nuclear reactor control in the United States and globally relies on a
carefully orchestrated combination of human operators, written
procedures, automated safety systems, and increasingly digital
instrumentation and control (I\&C) systems. Understanding current
practices---and their limitations---provides essential context for
motivating formal hybrid control synthesis.
\subsubsection{Human Operators Retain Ultimate Decision Authority}
Current generation nuclear power plants employ \textbf{3,600+ active
NRC-licensed reactor operators} in the United States, divided into
Reactor Operators (ROs) who manipulate reactor controls and Senior
Reactor Operators (SROs) who direct plant operations and serve as shift
supervisors~\cite{10CFR55}. These operators work in control rooms
featuring mixed analog and digital displays, enhanced by Safety
Parameter Display Systems (SPDS) mandated after the Three Mile Island
accident. Staffing typically requires \textbf{2--4 operators per shift}
for current generation plants, though advanced designs like NuScale's
multi-module small modular reactor are intended to be operated by as few
as three licensed operators for an entire plant.
The role of human operators is paradoxically both critical and
problematic. Operators hold legal authority under 10 CFR Part 55 to make
critical decisions, including departures from normal operating
requirements during emergencies---a necessity for handling unforeseen
scenarios but also a source of risk. The Three Mile Island accident
demonstrated how a ``combination of personnel error, design
deficiencies, and component
failures'' led to partial meltdown when operators ``misread confusing
and contradictory readings and shut off the emergency water
system''~\cite{Kemeny1979}. The President's Commission on TMI identified
a fundamental ambiguity: placing ``responsibility and accountability for
safe power plant operations...on the licensee in all circumstances''
without formal verification that operators can fulfill this
responsibility under all conditions~\cite{Kemeny1979}. This tension
between operational flexibility and safety assurance remains unresolved
in current practice.
Advanced designs attempt to reduce operator burden through passive
safety features and increased automation. NuScale's Small Modular
Reactor design requires \textbf{no operator actions for 72 hours}
following design-basis accidents and only two operator actions for
beyond-design-basis events. However, even these advanced designs retain
human operators for strategic decisions, procedure implementation, and
override authority---preserving the human reliability challenges
documented over four decades.
\subsubsection{Operating Procedures Lack Formal Verification}
Nuclear plant procedures exist in a hierarchy: normal operating
procedures for routine evolutions, abnormal operating procedures for
off-normal conditions, Emergency Operating Procedures (EOPs) for
design-basis accidents, Severe Accident Management Guidelines (SAMGs)
for beyond-design-basis events, and Extensive Damage Mitigation
Guidelines (EDMGs) for catastrophic damage scenarios. These procedures
must comply with 10 CFR 50.34(b)(6)(ii) and are developed using guidance
from NUREG-0899~\cite{NUREG-0899}, but their development process relies
fundamentally on expert judgment and simulator validation rather than
formal verification.
EOPs adopted a symptom-based approach following TMI, allowing operators
to respond to plant conditions without first diagnosing root causes---a
significant improvement over earlier event-based procedures. The BWR
Owners' Group completed Revision 3 of integrated Emergency Procedure
Guidelines/Severe Accident Guidelines in 2013, representing the current
state of the art in procedure development. Procedures undergo technical
evaluation, simulator validation testing, and biennial review as part of
operator requalification under 10 CFR 55.59~\cite{10CFR55}.
Despite these rigorous development processes, \textbf{procedures
fundamentally lack formal verification of key safety properties}. There
is no mathematical proof that procedures cover all possible plant
states, that required actions can be completed within available
timeframes under all scenarios, or that transitions between procedure
sets maintain safety invariants. As the IAEA notes in
TECDOC-1580~\cite{IAEA-TECDOC-1580}, ``Most subsequent investigations
identify internal and external industry operating experience that, if
applied effectively, would have prevented the event''---a pattern
suggesting that current procedure development methods cannot guarantee
completeness.
\textbf{LIMITATION:} \textit{Procedures lack formal verification of
correctness and completeness.} Current procedure development relies on
expert judgment and simulator validation. No mathematical proof exists
that procedures cover all possible plant states, that required actions
can be completed within available timeframes, or that transitions
between procedure sets maintain safety invariants. Paper-based
procedures cannot adapt to novel combinations of failures, and even
computer-based procedure systems lack the formal guarantees that
automated reasoning could provide.
\subsubsection{Control Mode Transitions Lack Formal Safety Verification}
Nuclear plants operate with multiple control modes: automatic control
where the reactor control system maintains target parameters through
continuous rod adjustment, manual control where operators directly
manipulate control rods, and various intermediate modes. In typical PWR
operation, the reactor control system automatically maintains floating
average temperature, compensating for xenon effects and fuel burnup at
rates limited to approximately 5\% power per minute. Safety systems
operate with high automation---Reactor Protection Systems trip
automatically on safety signals with millisecond response times, and
Engineered Safety Features actuate automatically on accident signals
without operator action required.
\textbf{The decision to transition between control modes relies on
operator judgment} informed by plant stability, equipment availability,
procedural requirements, and safety margins. However, current practice
lacks formal verification that mode transitions maintain safety
properties across all possible plant states. As \v{Z}erovnik et al.
observe~\cite{Zerovnik2023}, ``Manual control may be demanded in nuclear
power plants due to safety protocols. However, it may not be convenient
in load-following regimes with frequent load changes''---highlighting
the tension between operational flexibility and formal safety assurance.
Research by Jo et al.~\cite{Jo2021} reveals a concerning trade-off:
``using procedures at high level of automation enables favorable
operational performance with decreased mental workload; however,
operator's situation awareness is decreased.'' This automation
paradox---where increasing automation reduces errors from workload but
increases errors from reduced vigilance---has been empirically
demonstrated but not formally optimized. Operators may experience mode
confusion, losing track of which control mode is active during complex
scenarios.
\textbf{LIMITATION:} \textit{Mode transitions lack formal safety
verification.} No formal proof exists that all mode transitions preserve
safety invariants across the hybrid state space of continuous plant
dynamics and discrete control logic. The automation paradox trade-off
between reduced workload and reduced situation awareness has never been
formally optimized with mathematical guarantees about the resulting
reliability.
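The kind of exhaustive check that is missing can be illustrated with a
deliberately simplified model. In the sketch below, every mode, guard,
and temperature value is invented for illustration (a real analysis
would use hybrid-systems model checkers over continuous state spaces);
the point is only that enumerating all reachable states of a two-mode
discretized system mechanically exposes an unguarded mode switch that
violates a temperature invariant:

```python
# Toy reachability check over a two-mode, discretized "plant".
# All modes, guards, and numbers here are invented for illustration;
# real verification would treat the continuous dynamics directly.

def clamp(t: int) -> int:
    """Keep the discretized temperature on the modeled grid."""
    return max(550, min(630, t))

def step(mode: str, temp: int) -> list[tuple[str, int]]:
    """Successor states: thermal drift plus permitted mode switches."""
    drift = 10 if mode == "manual" else -10   # manual drifts hotter
    succ = [(mode, clamp(temp + drift))]
    if mode == "auto":
        succ.append(("manual", temp))         # unguarded switch out
    elif temp <= 600:
        succ.append(("auto", temp))           # guarded switch back
    return succ

def reachable(initial: set[tuple[str, int]]) -> set[tuple[str, int]]:
    """Exhaustive forward reachability over the finite state space."""
    seen, frontier = set(initial), list(initial)
    while frontier:
        for s in step(*frontier.pop()):
            if s not in seen:
                seen.add(s)
                frontier.append(s)
    return seen

T_LIMIT = 620   # illustrative safety limit
states = reachable({("auto", 580)})
violations = sorted(s for s in states if s[1] >= T_LIMIT)
print(violations)  # the unguarded auto->manual switch lets temp reach 630
```

In this toy model the check finds the violating states automatically;
scaling the same idea to continuous reactor dynamics is precisely what
formal hybrid verification would provide and current practice lacks.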
\subsubsection{Current Automation Reveals the Hybrid Dynamics Challenge}
Approximately \textbf{40\% of the world's operating
reactors}~\cite{IAEA2008} have undergone some digital I\&C upgrades,
with 90\% of digital implementations representing modernization of
existing analog systems. All reactors beginning construction after 1990
incorporate digital I\&C components, with Asia leading adoption.
The current division between automated and human-controlled functions
reveals the fundamental challenge of hybrid control. \textbf{Highly
automated systems} handle reactor protection (automatic trip on safety
parameters), emergency core cooling actuation, containment isolation,
and basic process control. \textbf{Human operators retain control} of
strategic decision-making (power level changes, startup/shutdown
sequences, mode transitions), procedure implementation (emergency
response strategy selection), override authority, and assessment and
diagnosis of beyond-design-basis events.
Emerging technologies include deep reinforcement learning for autonomous
control and Long Short-Term Memory networks for safety system control.
Lee et al. demonstrated~\cite{Lee2019} that autonomous LSTM-based
control achieved \textbf{performance superior to
automation-plus-human-control} in simulated loss-of-coolant and steam
generator tube rupture scenarios. Yet even these advanced autonomous
control approaches lack formal verification, and as IEEE research
documented~\cite{IEEE2019}, ``Introducing I\&C hardware failure modes to
formal models comes at significant computational cost...state space
explosion and prohibitively long processing times.''
\textbf{LIMITATION:} \textit{Current practice treats continuous plant
dynamics and discrete control logic separately.} No application of
hybrid control theory exists that could provide mathematical guarantees
across mode transitions, verify timing properties formally, or optimize
the automation-human interaction trade-off with provable safety bounds.
\subsection{Human Factors in Nuclear Accidents}
The persistent role of human error in nuclear safety incidents, despite
decades of improvements in training and procedures, provides perhaps the
most compelling motivation for formal automated control with
mathematical safety guarantees.
\subsubsection{Human Error Dominates Nuclear Incident Causation}
Multiple independent analyses converge on a striking statistic:
\textbf{70--80\% of all nuclear power plant events are attributed to
human error} versus approximately 20\% to equipment
failures~\cite{DOE-HDBK-1028-2009,WNA2020}. More significantly, the
International Atomic Energy Agency concluded that ``human error was the
root cause of all severe accidents at nuclear power plants''---a
categorical statement spanning Three Mile Island, Chernobyl, and
Fukushima Daiichi~\cite{IAEA-severe-accidents}.
A detailed analysis of 190 events at Chinese nuclear power plants from
2007--2020 by Wang et al.~\cite{Wang2025} found that 53\% involved
active errors while 92\% were associated with latent
errors---organizational and systemic weaknesses that create conditions
for failure. Lloyd
Dumas's study~\cite{Dumas1999} found approximately 80\% of incidents at
10 nuclear centers stemmed from worker error or poor procedures, with
roughly 70\% from latent organizational weaknesses and 30\% from
individual worker actions.
The persistence of this 70--80\% human error contribution despite
\textbf{four decades of continuous improvements} in operator training,
control room design, procedures, and human factors engineering suggests
fundamental cognitive limitations rather than remediable deficiencies.
\subsubsection{Three Mile Island Revealed Critical Human-Automation
Interaction Failures}
The Three Mile Island Unit 2 accident on March 28, 1979 remains the
definitive case study in human factors failures in nuclear operations.
The accident began at 4:00 AM with a routine feedwater pump trip,
escalating when a pilot-operated relief valve (PORV) stuck
open---draining reactor coolant---but control room instrumentation
showed only whether the valve had been commanded to close, not whether
it actually closed. When Emergency Core Cooling System pumps
automatically activated as designed, \textbf{operators made the fateful
decision to shut them down} based on their incorrect assessment of plant
conditions.
President's Commission chairman John Kemeny documented~\cite{Kemeny1979}
how operators faced more than 100 simultaneous alarms, overwhelming
their cognitive capacity. The core suffered partial meltdown with
\textbf{44\% of the fuel melting} before the situation was stabilized.
Quantitative risk analysis revealed the magnitude of failure in existing
safety assessment methods: the actual core damage probability was
approximately \textbf{5\% per year} while Probabilistic Risk Assessment
had predicted 0.01\% per year---a \textbf{500-fold underestimation}.
This dramatic failure demonstrated that human reliability could not be
adequately assessed through expert judgment and historical data alone.
\subsubsection{Human Reliability Analysis Documents Fundamental Cognitive
Limitations}
Human Reliability Analysis (HRA) methods developed over four decades
quantify human error probabilities and performance shaping factors. The
SPAR-H method~\cite{NUREG-CR-6883} represents current best practice,
providing nominal Human Error Probabilities (HEPs) of \textbf{0.01 (1\%)
for diagnosis tasks} and \textbf{0.001 (0.1\%) for action tasks} under
optimal conditions.
However, these nominal error rates degrade dramatically under realistic
accident conditions: inadequate available time increases HEP by
\textbf{10-fold}, extreme stress by \textbf{5-fold}, high complexity by
\textbf{5-fold}, missing procedures by \textbf{50-fold}, and poor
ergonomics by \textbf{50-fold}. Under combined adverse conditions
typical of severe accidents, human error probabilities can approach
\textbf{0.1 to 1.0 (10\% to 100\%)}---essentially guaranteed failure for
complex diagnosis tasks~\cite{NUREG-2114}.
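These multipliers compose multiplicatively with the nominal rate, with
the result capped at probability 1.0. A minimal sketch of that
arithmetic follows; the nominal values and multipliers are those quoted
above, but the function and dictionary names are illustrative and the
simple capped product is a simplification (SPAR-H itself applies an
adjustment formula when several negative factors combine):

```python
# Simplified SPAR-H-style HEP composition: nominal error rate times
# active performance shaping factor (PSF) multipliers, capped at 1.0.
# Values are from NUREG/CR-6883 as quoted in the text; names are
# illustrative, not from any official HRA tool.

NOMINAL_HEP = {"diagnosis": 0.01, "action": 0.001}

PSF_MULTIPLIERS = {
    "inadequate_time": 10.0,
    "extreme_stress": 5.0,
    "high_complexity": 5.0,
    "missing_procedures": 50.0,
    "poor_ergonomics": 50.0,
}

def composed_hep(task: str, active_psfs: list[str]) -> float:
    """Multiply the nominal HEP by each active PSF, capping at 1.0."""
    hep = NOMINAL_HEP[task]
    for psf in active_psfs:
        hep *= PSF_MULTIPLIERS[psf]
    return min(hep, 1.0)

# Optimal conditions: nominal rates.
print(composed_hep("diagnosis", []))                      # 0.01
# Severe-accident conditions: 0.01 x 10 x 5 x 5 = 2.5, capped at 1.0,
# i.e. essentially guaranteed failure of the diagnosis task.
print(composed_hep("diagnosis",
                   ["inadequate_time", "extreme_stress",
                    "high_complexity"]))                  # 1.0
```

Even this crude composition shows how quickly realistic accident
conditions saturate the error probability.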
Rasmussen's influential 1983 taxonomy~\cite{Rasmussen1983} divides human
errors into skill-based (highly practiced responses, HEP $10^{-3}$ to
$10^{-4}$), rule-based (following procedures, HEP $10^{-2}$ to
$10^{-1}$), and knowledge-based (novel problem solving, HEP $10^{-1}$ to
1). Severe accidents inherently require knowledge-based responses where
human reliability is lowest. Miller's classic 1956
finding~\cite{Miller1956} that working memory capacity is limited to
\textbf{7$\pm$2 chunks} explains why Three Mile Island's 100+
simultaneous alarms exceeded operators' processing capacity.
\textbf{LIMITATION:} \textit{Human factors impose fundamental reliability
limits that cannot be overcome through training alone.} Response time
limitations constrain human effectiveness---reactor protection systems
must respond in milliseconds, \textbf{100--1000 times faster than human
operators}. Cognitive biases systematically distort judgment:
confirmation bias, overconfidence, and anchoring bias are inherent
features of human cognition, not individual failings~\cite{Reason1990}.
The persistent 70--80\% human error contribution despite four decades of
improvements demonstrates that these limitations are \textbf{fundamental
rather than remediable}.
\subsection{HARDENS: Discrete Control with Gaps in Hybrid Dynamics}
The High Assurance Rigorous Digital Engineering for Nuclear Safety
(HARDENS) project, completed by Galois, Inc. for the U.S. Nuclear
Regulatory Commission in 2022, represents the most advanced application
of formal methods to nuclear reactor control systems to
date---and simultaneously reveals the critical gaps that remain.
\subsubsection{Rigorous Digital Engineering Demonstrated Feasibility}
HARDENS aimed to address the nuclear industry's fundamental dilemma:
existing U.S. nuclear control rooms rely on analog technologies from the
1950s--60s, with replacement control system costs exceeding \$500
million and timelines stretching to decades. The NRC contracted Galois
to demonstrate that
Model-Based Systems Engineering and formal methods could design, verify,
and implement a complex protection system meeting regulatory criteria at
a fraction of typical cost.
The project delivered far beyond its scope, creating what Galois
describes as ``the world's most advanced, high-assurance protection
system demonstrator.'' Completed in \textbf{nine months at a tiny
fraction of typical control system costs}~\cite{Kiniry2022}, the project
produced a complete Reactor Trip System (RTS) implementation with full
traceability from NRC Request for Proposals and IEEE standards through
formal architecture specifications to formally verified binaries and
hardware running on FPGA demonstrator boards.
Principal Investigator Joseph Kiniry led the team in applying Galois's
Rigorous Digital Engineering methodology combining model-based
engineering, digital twins with measurable fidelity, and applied formal
methods. The approach integrates multiple abstraction levels---from
semi-formal natural language requirements through formal specifications
to verified implementations---all maintained as integrated artifacts
rather than separate documentation prone to divergence.
\subsubsection{Comprehensive Formal Methods Toolkit Provided Verification}
HARDENS employed an impressive array of formal methods tools and
techniques across the verification hierarchy. High-level specifications
used Lando, SysMLv2, and FRET (NASA's Formal Requirements
Elicitation Tool) to capture stakeholder requirements, domain
engineering, certification requirements, and safety requirements.
Requirements were formally analyzed for \textbf{consistency,
completeness, and realizability} using SAT and SMT solvers---verification
that current procedure development methods lack.
Executable formal models employed Cryptol to create an executable
behavioral model of the entire RTS including all subsystems, components,
and formal digital twin models of sensors, actuators, and compute
infrastructure. Automatic code synthesis generated formally verifiable C
implementations and System Verilog hardware implementations directly
from Cryptol models---eliminating the traditional gap between
specification and implementation where errors commonly arise.
Formal verification tools included SAW (Software Analysis Workbench) for
proving equivalence between models and implementations, Frama-C for C
code verification, and Yosys for hardware verification. HARDENS verified
both automatically synthesized and hand-written implementations against
their models and against each other, providing redundant assurance
paths.
This multi-layered verification approach represents a substantial
advance beyond current nuclear I\&C verification practices, which rely
primarily
on testing and simulation. HARDENS demonstrated that \textbf{complete
formal verification from requirements to implementation is technically
feasible} for safety-critical nuclear control systems.
\subsubsection{Critical Limitation: Discrete Control Logic Only}
Despite its impressive accomplishments, HARDENS has a fundamental
limitation directly relevant to hybrid control synthesis: \textbf{the
project addressed only discrete digital control logic without modeling
or verifying continuous reactor dynamics}. The Reactor Trip System
specification and formal verification covered discrete state transitions
(trip/no-trip decisions), digital sensor input processing through
discrete logic, and discrete actuation outputs (reactor trip commands).
The system correctly implements the digital control logic for reactor
protection with mathematical guarantees.
However, the project did not address continuous dynamics of nuclear
reactor physics including neutron kinetics, thermal-hydraulics, xenon
oscillations, fuel temperature feedback, coolant flow dynamics, and heat
transfer---all governed by continuous differential equations. Real
reactor safety depends on the interaction between continuous processes
(temperature, pressure, neutron flux evolving according to differential
equations) and discrete control decisions (trip/no-trip, valve
open/close, pump on/off). HARDENS verified the discrete controller in
isolation but not the closed-loop hybrid system behavior.
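For concreteness, the continuous dynamics left unmodeled are typified by
the standard point reactor kinetics equations, shown here as a generic
reduced-order model rather than anything HARDENS specified:
\begin{align}
\frac{dn}{dt} &= \frac{\rho(t) - \beta}{\Lambda}\,n(t)
  + \sum_{i=1}^{6} \lambda_i C_i(t),\\
\frac{dC_i}{dt} &= \frac{\beta_i}{\Lambda}\,n(t) - \lambda_i C_i(t),
  \qquad i = 1,\dots,6,
\end{align}
where $n$ is the neutron population, $\rho$ the reactivity (itself
coupled to fuel temperature and xenon feedback), $\beta = \sum_i \beta_i$
the delayed neutron fraction, $\Lambda$ the prompt neutron generation
time, and $C_i$, $\lambda_i$ the concentration and decay constant of the
$i$-th delayed precursor group. A trip decision discretely alters
$\rho$---exactly the continuous-discrete coupling that a discrete-only
verification cannot capture.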
\textbf{LIMITATION:} \textit{HARDENS addressed discrete control logic
without continuous dynamics or hybrid system verification.} Hybrid
automata, differential dynamic logic, or similar hybrid systems
formalisms would be required to specify and verify properties like ``the
controller maintains core temperature below safety limits under all
possible disturbances''---a property that inherently spans continuous and
discrete dynamics. Verifying discrete control logic alone provides no
guarantee that the closed-loop system exhibits desired continuous
behavior such as stability, convergence to setpoints, or maintained
safety margins.
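In differential dynamic logic, for instance, such a closed-loop property
would take roughly the following shape (notation schematic; the concrete
controller program and plant dynamics would have to be developed for the
reactor at hand):
\[
\mathit{init} \;\rightarrow\;
\bigl[\bigl(\mathit{ctrl};\;
\{T' = f(T,u),\; t' = 1 \;\&\; t \le \varepsilon\}\bigr)^{*}\bigr]\;
T \le T_{\max},
\]
stating that from any state satisfying $\mathit{init}$, every run of the
repeated controller-then-plant loop (with the clock $t$ reset by
$\mathit{ctrl}$, so the controller re-executes at least every
$\varepsilon$ time units) keeps the core temperature $T$ below its
limit. Proving a formula of this form is exactly the closed-loop
guarantee that verifying $\mathit{ctrl}$ in isolation cannot provide.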
\subsubsection{Experimental Validation Gap Limits Technology Readiness}
The second critical limitation is \textbf{absence of experimental
validation} in actual nuclear facilities or realistic operational
environments. HARDENS produced a demonstrator system at Technology
Readiness Level 3--4 (analytical proof of concept with laboratory
breadboard validation) rather than a deployment-ready system validated
through extended operational testing. The NRC Final Report explicitly
notes~\cite{Kiniry2022}: ``All material is considered in development and
not a finalized product'' and ``The demonstration of its technical
soundness was to be at a level consistent with satisfaction of the
current regulatory criteria, although with no explicit demonstration of
how regulatory requirements are met.''
The project did not include deployment in actual nuclear facilities,
testing with real reactor systems under operational conditions,
side-by-side validation with operational analog RTS systems, systematic
failure mode testing (radiation effects, electromagnetic interference,
temperature extremes), actual NRC licensing review, or human factors
validation with licensed nuclear operators in realistic control room
scenarios.
\textbf{LIMITATION:} \textit{HARDENS achieved TRL 3--4 without experimental
validation.} While formal verification provides mathematical correctness
guarantees for the implemented discrete logic, the gap between formal
verification and actual system deployment involves myriad practical
considerations: integration with legacy systems, long-term reliability
under harsh environments, human-system interaction in realistic
operational contexts, and regulatory acceptance of formal methods as
primary assurance evidence.
\subsection{Research Imperative: Formal Hybrid Control Synthesis}
Three converging lines of evidence establish an urgent research
imperative for formal hybrid control synthesis applied to nuclear
reactor systems.
\textbf{Current reactor control practices} reveal fundamental gaps in
verification. Procedures lack mathematical proofs of completeness or
timing adequacy. Mode transitions preserve safety properties only
informally. Operator decision-making relies on training rather than
verified algorithms. The divide between continuous plant dynamics and
discrete control logic has never been bridged with formal methods.
Despite extensive regulatory frameworks developed over six decades,
\textbf{no mathematical guarantees exist} that current control approaches
maintain safety under all possible scenarios.
\textbf{Human factors in nuclear accidents} demonstrate that human error
contributes to 70--80\% of nuclear incidents despite four decades of
systematic improvements. The IAEA's categorical statement that ``human
error was the root cause of all severe accidents'' reveals fundamental
cognitive limitations: working memory capacity of 7$\pm$2 chunks,
response times of seconds to minutes versus milliseconds required,
cognitive biases immune to training, stress-induced performance
degradation. Human Reliability Analysis methods document error
probabilities of 0.001--0.01 under optimal conditions degrading to
0.1--1.0 under realistic accident conditions. These limitations
\textbf{cannot be overcome through human factors improvements alone}.
\textbf{The HARDENS project} proved that formal verification is
technically feasible and economically viable for nuclear control
systems, achieving complete verification from requirements to
implementation in nine months at a fraction of typical costs. However,
HARDENS addressed only discrete control logic without considering
continuous reactor dynamics or hybrid system verification, and the
demonstrator achieved only TRL 3--4 without experimental validation in
realistic nuclear environments. These limitations directly define the
research frontier: \textbf{formal synthesis of hybrid controllers that
provide mathematical safety guarantees across both continuous plant
dynamics and discrete control logic}.
The research opportunity is clear. Nuclear reactors are quintessential
hybrid cyber-physical systems where continuous neutron kinetics,
thermal-hydraulics, and heat transfer interact with discrete control
mode decisions, trip logic, and valve states. Current practice treats
these domains separately---reactor physics analyzed with simulation,
control logic verified through testing, human operators expected to
integrate everything through procedures. \textbf{Hybrid control
synthesis offers the possibility of unified formal treatment} where
controllers are automatically generated from high-level safety
specifications with mathematical proofs that guarantee safe operation
across all modes, all plant states, and all credible disturbances.
Recent advances in hybrid systems theory---including reachability
analysis, barrier certificates, counterexample-guided inductive
synthesis, and satisfiability modulo theories for hybrid systems---provide
the theoretical foundation. Computational advances enable verification of
systems with continuous state spaces that were intractable a decade ago.
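Barrier certificates illustrate the flavor of these guarantees. In a
standard formulation (shown schematically; details vary across
formulations), safety of dynamics $\dot{x} = f(x)$ follows from finding
a function $B$ satisfying
\begin{align}
B(x) &\le 0 && \forall x \in \mathcal{X}_0 \;(\text{initial states}),\\
B(x) &> 0 && \forall x \in \mathcal{X}_u \;(\text{unsafe states}),\\
\nabla B(x) \cdot f(x) &\le 0 && \forall x \;\text{with}\; B(x) = 0,
\end{align}
so that no trajectory starting in $\mathcal{X}_0$ can cross the zero
level set of $B$ into the unsafe region. The search for such a $B$ can
be automated, for example with sum-of-squares programming, which is what
makes these certificates candidates for synthesis rather than only
after-the-fact analysis.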
The confluence of mature formal methods, powerful verification tools
demonstrated by HARDENS, urgent safety imperatives documented by
persistent human error statistics, and fundamental gaps in current
hybrid dynamics treatment creates a compelling and timely research
opportunity.