26 Commits

Author SHA1 Message Date
Dane Sabo
1eab154847 SOS + polytopic barrier exploration — first degree-4 barrier found
Polytopic (Nagumo face-by-face LP check) and SOS polynomial
(Prajna-Jadbabaie w/ CSDP) barrier attempts on operation mode.

**Polytopic (barrier_polytopic.jl):** the naive check on
inv2_holds ∩ precursor_tube_bounds fails — 16 of 18 faces can be
crossed under A_cl. This is EXPECTED: safety halfspaces alone form
a set too big for LQR to contract from everywhere.  The correct
approach is Blanchini's pre-image iteration (max robustly controllable
invariant set). Sketched in the script; 2-3 days to implement properly.

**SOS (barrier_sos_2d.jl):** a working proof of concept.

CSDP returns OPTIMAL on a 2-state projection of the operation mode
(dn, dT_c) with:
  X_entry  = |dn| ≤ 0.01, |dT_c| ≤ 0.1
  X_unsafe = dn ≥ 0.15 (high-flux-trip direction)
  Dynamics = reduced 2×2 A_cl after LQR.
  No disturbance (B_w projects to 0 in this subset).
  Global decrease condition (-(∇B·f) SOS) instead of Putinar ∂{B=0}.

Result: a degree-4 polynomial B(x) satisfying all three barrier
conditions.  Coefficients printed.  First non-quadratic barrier
artifact for this plant.

Caveats:
  - 2D projection loses precursor coupling.
  - Disturbance ignored in this projection.
  - Global-decrease is stronger than the Putinar ∂{B=0} condition;
    the latter requires bilinear σ_b·B formulation (BMI) and
    iterative solvers. Deferred.
  - Scaling to 10-state degree-4 gives SDP ~ 1000×1000; CSDP may
    choke. Mosek or MOSEK-free SDP (SCS) might handle.

JuMP, HiGHS, SumOfSquares, DynamicPolynomials, CSDP all added to
Project.toml.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 17:19:47 -04:00
Dane Sabo
07579b64b4 reach tubes: heatup PJ tight full data + overlay plots
reach_heatup_pj_tight_full.mat now has per-timestep envelopes
(Tc_lo_ts, Tc_hi_ts, Tf_lo_ts, ..., rho_lo_ts, rho_hi_ts) for
12932 reach-sets over 300 s, 200s wall time.

plot_reach_tubes.jl produces four-panel overlay figures for both
operation and heatup PJ modes.  Two figures saved:
  docs/figures/reach_operation_tubes.png (operation LQR)
  docs/figures/reach_heatup_pj_tubes.png (heatup PJ tight entry)

Each shows:
  - T_c / T_hot / T_cold tubes overlaid on one axis
  - ΔT_core = T_hot - T_cold (power proxy; right axis MW)
  - rho envelope in dollars, ±1$ prompt-critical lines
  - n envelope

Finding worth flagging: heatup PJ tight tube shows rho in
[-0.25 $, -0.05 $] throughout — always subcritical. The controller
is driving rho negative because T_ref starts at T_standby=275 but
X_entry has T_c in [285, 291]. So the ramp reference is BELOW the
current T_c and the FL controller commands cooling. n decays from
[0.001, 0.002] to near zero.

PJ validity trivially satisfied (rho stays well below +beta).
But the physics being captured is "plant cooling back to ramp
reference," not "plant heating to operating temp." For a real
heatup tube we'd need ref.T_start aligned with X_entry's T_c
midpoint, or X_entry pinned at T_standby.

Logged as apass in journal for next pass; morning's priority list
(polytopic/SOS barriers, Tikhonov bound) takes precedence.

OVERNIGHT_NOTES.md flags the blocked remote push — gitea URL is
agent-inferred from submodule submodule.thesis.url pattern, harness
(correctly) refused the exfiltration risk.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 16:39:48 -04:00
Dane Sabo
244a744e67 predicates: PJ-validity halfspace as an inv1_holds conjunct + reach tube plots
Following user's review feedback (point 1):

prompt_critical_margin_heatup: a new entry under safety_limits that
proves the PJ reduction's validity condition (beta - rho > 0 with
margin) rather than hand-waving it.  Controller-specific
specialization for heatup: under feedback linearization,
rho_total = Kp*(T_ref - T_c), so rho ≤ 0.5*beta iff T_c ≥ T_ref -
32.5.  Worst-case T_ref = T_c0 at ramp end, so T_c ≥ 275.85 is
sufficient, which our tight-entry reach clears trivially.

Conjoined into inv1_holds. Safety proofs now target BOTH the
physical bounds AND the conditions that make the PJ approximation
sound. Saves Dane's rigor-over-vibes instinct (saved to memory).

plot_reach_tubes.jl: four-panel visualization of a reach-result .mat:
  (1) T_c / T_hot / T_cold envelopes overlaid
  (2) ΔT_core = T_hot - T_cold (power proxy, right-axis MW)
  (3) rho envelope in dollars, with ±1$ prompt lines
  (4) n envelope
Operation-mode plot saved to docs/figures/reach_operation_tubes.png.
Heatup PJ version pending — needs full per-step data from the
running reach_heatup_pj_tight_full.jl.

reach_heatup_pj.jl + reach_heatup_pj_tight_full.jl now save
per-timestep envelopes (t_arr, Tc_lo_ts, Tc_hi_ts, ...) so the
plotting script can overlay tubes vs time.

Next up: polytopic / SOS barriers, Tikhonov error bound for PJ.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 16:28:02 -04:00
Dane Sabo
7a1023e252 tight-entry heatup PJ: ALL 6 inv1_holds halfspaces discharged
Second heatup PJ probe with tightened X_entry (T_c width 6K vs
baseline 14K) gives:

  T=60s:  5710 sets in 101s — T_c envelope [281.05, 291.0]
  T=300s: 12932 sets in 206s — T_c envelope [281.05, 291.0]

T_c envelope STABLE (identical at 60s and 300s) — the tube reached
steady shape and stopped growing. Low-T_avg trip (280) cleared at
lower bound 281.05, ~1K margin.

**First sound nonlinear reach-avoid proof for any mode of this plant:**
for the tightened entry and T = 300s, every inv1_holds halfspace
holds along the tube.  Sound w.r.t. PJ dynamics (<= 0.1% error vs
full state).

The baseline wider-entry run was loose on T_c low bound (272.4),
confirming that the looseness was entry-box-width driven (14K too
wide for TMJets + orderQ=2) rather than intrinsic to the method.
Entry splitting / refinement is the path to the full baseline set.

Also: LaTeX preamble now has the unicode-to-math literate map
attached to the listing STYLES themselves (not just global \lstset),
so terminal-output listings pasted from Julia with Δ, ≥, °, etc.
render correctly.  Journal 34 pages, clean build.

OVERNIGHT_NOTES.md updated with tight-entry win.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 15:01:13 -04:00
Dane Sabo
96b5568db6 scram PJ reach: clean 60s horizon, n monotone decay, exit-threshold mismatch
Scram reach via PJ model runs cleanly through all three probe
horizons:

  T=10s:  6919 sets in 118s — n ∈ [0.0347, 0.0355]
  T=30s:  9900 sets in 156s — n ∈ [0.0153, 0.0156]
  T=60s: 12340 sets in 198s — n ∈ [0.00682, 0.00698]

Factor-of-two power decay per 30s matches the delayed-neutron group
structure (lambda_1=0.0124, half-life ~56s). At t=0 the algebraic n
drops from 1.0 → 0.15 (prompt jump captured as an instantaneous
algebraic adjustment); then tails off on precursor timescales.

Scram reach is completely sound across the full 60s horizon — no
step-budget truncation, unlike heatup beyond 300s.

HOWEVER: X_exit(scram) = n ≤ 1e-4 is not reached in 60s (current
n ~ 7e-3). This is a T_max vs plant-decay-rate mismatch, not a
control failure. Options documented in journal: redefine X_exit in
terms of shutdown margin (industry standard), extend T_max to 600s,
or loosen to n ≤ 0.05. Flagged for Dane's review.

Scram envelope summaries saved to reach_scram_pj_result.mat.
Journal now 33 pages, still compiles clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 14:55:29 -04:00
Dane Sabo
aba017c5b1 overnight wrap: summary notes + tighter-entry heatup PJ stub
- OVERNIGHT_NOTES.md: read-this-first TL;DR for morning review.
  Points at journal.pdf (32 pages, latest entry has all results),
  validate_pj_heatup.png, and the Pluto app.  Lists priority-1 actions
  (look at data, decide on refinement vs accept-300s-tube) and
  priority-2 followups (scram reach ingestion, entry refinement,
  saturation hybrid, SOS barriers, alpha parametric).

- reach_heatup_pj_tight.jl: script committed but not yet run tonight.
  Tighter X_entry on T_c (width 6 K vs baseline 14 K) to test whether
  the low-T_avg-trip tube-looseness is entry-box-width driven or
  reach-growth driven.

Scram PJ still compiling as of this commit; will land separately
when it completes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 14:49:48 -04:00
Dane Sabo
0a8348e5d8 walkthrough: document prompt-jump reach results (30x horizon win)
Updates reachability/WALKTHROUGH.md's "What's next" section with:
  - PJ reduction approach + validation (0.1% max error on n over 50 min)
  - Concrete reach horizons: 60s and 300s clean, 1800s+ partial
  - Per-halfspace pass/fail against inv1_holds at T=300s
  - Low-T_avg-trip tube looseness flagged as over-approximation, not
    physical failure
  - 30x horizon improvement framing

Also: refresh reach_operation_result.mat so the Pluto app has live data
to ingest (ran reach_operation.jl; six halfspace margins match the
MATLAB/Julia baseline, all discharged).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 14:47:19 -04:00
Dane Sabo
3fdf5eed48 prompt-jump reach: 30x horizon improvement (10s -> 300s sound)
Results from the overnight TMJets run with the prompt-jump model:

  T=60s:   PASSES (10,044 reach-sets, 205 s wall)
  T=300s:  PASSES (27,375 reach-sets, 591 s wall)
  T=1800s+: partial — exhausts 100k step budget past ~300s

At T=300s the envelope is:
  n:      [-0.00156, 0.0103]  (slightly negative = sound overapprox)
  T_c:    [272.4, 295.0] C
  T_f:    [261.2, 302.7] C
  T_cold: [270.0, 289.5] C

Discharges 5/6 inv1_holds safety halfspaces at 300s:
  fuel_centerline:    +897 K margin ✓
  t_avg_high_trip:     +25 K margin ✓
  t_avg_low_trip:      VIOLATED (tube dips to 272.4, limit 280)
  n_high_trip:         huge margin ✓
  cold_leg_subcooled: +15 K margin ✓

The low_trip violation is TUBE looseness, not physical — nominal sim
only dips to ~280 transiently. Fixable by tighter X_entry, higher
orderQ, or refinement. Open item.

Journal updated with full results table + limitation box. scram PJ
reach ready to run but not yet executed (structure similar, simpler).

Fix: siunitx \degreeFahrenheit, \degree, \microsecond now work via
\DeclareSIUnit in preamble. UTF-8 passthrough in listings via
literate= map for Δ, λ, μ, α, β, ρ, Σ, Λ, ≤, ≥, →, ±, °, ×, ε.
Journal now compiles clean: 32 pages, 0 errors.

App v2 Pluto cells land under §§9b–9d: live reach-result ingestion
with computed per-halfspace margins, 2D projection chooser, PJ-reach
overlay placeholder.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 14:45:03 -04:00
Dane Sabo
645f2d8d27 prompt-jump model + app v2 + overnight journal entry (in progress)
Singular-perturbation reduction of the PKE+T/H system: set dn/dt=0,
solve algebraically n = Λ·Σλ_i·C_i / (β-ρ). State drops 10 -> 9 (no
n), removes Λ⁻¹ stiffness. Validated against full state on the heatup
scenario:

  t [s]    |Δn|/n_full   T_c err [K]
  60       3.7e-5        4e-6
  300      3.8e-4        1.9e-4
  1200     1.0e-3        2.2e-3
  3000     5.0e-4        7.2e-3

Maximum relative error 0.1% on n, peak 7 mK on temperatures over
50 minutes.  PJ approximation is excellent for slow heatup transients
(sub-prompt-critical regime).

Files:
  - code/src/pke_th_rhs_pj.jl: reduced 9-state RHS
  - code/scripts/validate_pj.jl: side-by-side sim
  - code/scripts/reach_heatup_pj.jl: TMJets reach with PJ model
    (probing T = 60, 300, 1800, 5400 s)

App v2 (Pluto):
  - §9b: live ingestion of reach_operation_result.mat with per-
    halfspace margins computed from JSON-defined inv2_holds.
  - §9c: 2D projection chooser (n, T_f, T_c, T_cold) with reach
    tube envelope overlay.
  - §9d: PJ heatup reach summary (placeholder until first run lands).

Journal:
  - Added 2026-04-20-overnight-prompt-jump.tex with PJ derivation,
    validation table, soundness ledger update.  apass markers for
    the in-progress reach results.

This commit captures state mid-run; next commit will add the
populated reach results once TMJets returns.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 22:45:24 -04:00
Dane Sabo
5acaa5553d journal: latexmkrc + lizard-glyph fix so latexmk completes cleanly
Two fixes for clean local builds:

1. journal/.latexmkrc — sets pdf_mode=1, max_repeat=5,
   silence_logfile_warnings=1, force_mode=1.  Without this, latexmk
   bails on first-pass undefined-reference errors before getting to
   the second pass that would resolve them.  Standard issue with
   pdfLaTeX in nonstopmode.

2. Replaced the literal U+1F98E lizard glyph in
   2026-04-20-evening-mega-session.tex with a textual description.
   pdfLaTeX with default inputenc can't render U+1F98E; XeLaTeX or
   LuaLaTeX could but switching toolchains is a bigger change than
   the issue warrants.  The lizard stays in markdown / Pluto where
   it works fine.

Final state: 26 pages, 744 KB, no Reference/LaTeX/Unicode errors in
the log.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 21:57:39 -04:00
Dane Sabo
83c5cb8500 journal: live B-style entry for tonight's mega-session + easter eggs
Records the journal scaffold + retroactive-entries + Julia migration
+ Pluto app work, with \apass{} markers for content that should be
expanded in a later A-pass.  Keeps the discipline going from the
night the journal stood up.

Easter eggs:
  - ASCII reactor + primary loop in journal/README.md (subtle, shows
    where Q_sg flows in as a disturbance).
  - Garden-lyric reference embedded in pke_params.jl docstring
    ("looks ordinary on the surface but is something else underneath")
    — same lyric as the preamble.tex comment, referencing the name
    behind Split. Hacker-Split's signature.
  - 🦎 in the Pluto notebook header + closer.

Nothing functional, nothing that clutters the substance.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 21:50:08 -04:00
Dane Sabo
44cc193829 app: Pluto.jl predicate explorer v1 (read-only)
The hybrid-systems-group tab for FRET, as a stand-alone Pluto
notebook. Reads reachability/predicates.json and renders:

  - Plant-derived constants (T_c0, T_standby, etc.)
  - All operational deadbands with concretization
  - All safety limits as one-sided halfspaces with meanings
  - Mode invariants (inv1_holds, inv2_holds) as conjunctions
  - Per-mode entry/safe/exit/time tables
  - 2D projection of operating polytope (T_avg x n)
  - Reach-traceability table — what's covered, by which artifact
  - Edit-UX preview with sliders that don't actually write back

Run with:
  cd app
  julia --project=. -e 'using Pkg; Pkg.instantiate()'   # first time
  julia --project=. -e 'using Pluto; Pluto.run()'

V2 will add write-back to predicates.json. V3 (the dream) is FRET-spec
driven derivation of halfspaces from a structured vocabulary of
physical bounds.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 21:48:08 -04:00
Dane Sabo
fbbaebff9f julia migration: port MATLAB to Julia, delete MATLAB, rename julia-port -> code
Full toolchain port. Numerical equivalence verified against MATLAB:
- main_mode_sweep.jl: every mode's final state matches MATLAB to 3-4 dp
- reach_operation.jl: per-halfspace margins match MATLAB exactly
- barrier_lyapunov.jl: per-halfspace bounds match (best Qbar from sweep
  yields max|dT_c| = 33.228 K either side)
- barrier_compare_OL_CL.jl: OL gamma 1.038e13, CL gamma 1.848e4
  matching the MATLAB result; LQR helps by ~20,000x on every halfspace.

Phase summary:
  Phase 1: pke_solver.jl, plot_pke_results.jl (Plots.jl), main_mode_sweep.jl
  Phase 2: reach_linear.jl, reach_operation.jl, barrier_lyapunov.jl,
           barrier_compare_OL_CL.jl, load_predicates.jl
  Phase 3 (this commit): delete plant-model/ entirely, delete reach
           code from reachability/ keeping predicates.json + docs,
           git mv julia-port/ -> code/, update root README + CLAUDE,
           write code/CLAUDE.md and code/README.md, update reach
           README + WALKTHROUGH file paths, journal preamble note
           that pre-port entries reference MATLAB paths.

Why now: prompt-neutron stiffness in nonlinear reach made it clear we
need TMJets, which is Julia. Already had the Julia plant model
working and matching MATLAB. Two languages = two sources of truth =
two places to drift. One language, one truth.

Manifest.toml gitignored. .mat results gitignored.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 21:44:59 -04:00
Dane Sabo
fa45e96fd1 journal: scaffold + 2 retroactive invention-log entries
journal/ directory, LaTeX-based, dated entries, callout boxes for
derivations / decisions / dead ends / limitations, plus an \apass{}
macro for in-line markers when a later deep-pass is needed.

Retroactive A-style entries for 2026-04-17 (controllers, linearization,
LQR, operation-mode linear reach, Lyapunov barrier) and 2026-04-20
(predicates restructure into deadbands+safety+invariants, OL-vs-CL
barrier analysis, mode-obligation taxonomy, heatup-rate-as-halfspace,
mode_boundaries, first Julia nonlinear reach attempt).

Both entries include derivations written out in math, dead-ends I
hit, code snippets with commentary, figure embeds, and terminal
output where it changed what we did next.  The goal is invention-log
depth — readable 4 years from now without the git history to help.

journal/README.md documents the conventions.  journal.tex aggregates
all entries into one PDF via latexmk.

Kept claude_memory/ separate as per earlier agreement — those are
short AI-context notes, different audience.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 21:37:59 -04:00
Dane Sabo
a56fcbedc2 julia: nonlinear heatup reach — 10s horizon works, longer fails on stiffness
First working nonlinear reach artifact for the PWR model. TMJets
Taylor-model scheme on the full 10-state closed-loop (unsaturated
ctrl_heatup, ramp reference via augmented time state x[11]).

Status:
  T=10s    : SUCCESS. 10583 reach-sets. T_c envelope [274.45, 295] C,
             n envelope [-5.2e-4, 5.01e-3]. Over-approximation visible
             (n can't be negative physically) but tube is sound and
             bounded.
  T=60s+   : FAILED. Exhausts 50k step budget then hits NaN in
             precursor-decay term.

Root cause: prompt-neutron stiffness. Lambda=1e-4s forces TMJets'
adaptive stepper to ~1ms steps to resolve fast dynamics. 10583 steps
for 10s of sim time means we get ~10s/50000 = 2s horizon max before
step budget exhausts — inadequate for heatup's 5-hour obligation.

Remedy (next session): singular-perturbation reduction of the
neutronics. Treat n as quasi-static algebraic function of (T, C, rho)
rather than a dynamic state. Replaces stiff dn/dt with algebraic
relation, removes fast timescale from reach problem. Standard in
reactor-kinetics reach literature.

What this does prove:
  - Julia/TMJets framework works for this system (previous
    scaling-issue failure is gone with @taylorize'd RHS).
  - Bilinear n*rho term handled correctly by Taylor models.
  - Ramp reference via augmented time state x[11] is a workable
    pattern for time-varying controller references in reach.

What this does NOT prove:
  - Anything about heatup safety — 10s horizon is nowhere near the
    mode's 5-hour obligation.

Includes sim_heatup.jl, a Rodas5 baseline using the same @taylorize-
able RHS form, for cross-validation of the reach tube against a
nominal trajectory once longer horizons are reachable.

WALKTHROUGH.md updated with the finding.

Hacker-Split: got partway up the Julia reach ladder, identified the
physical bottleneck (stiffness), named the fix (reduced-order PKE).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 18:29:06 -04:00
Dane Sabo
b24be4bbc0 reachability: mode boundaries + comprehensive WALKTHROUGH.md
Adds mode_boundaries to predicates.json: per-DRC-mode X_entry, X_safe,
X_exit, T_max/T_min with the equilibrium-vs-transition taxonomy the
user articulated during walkthrough. T_max values are engineering-
reasonable guesses (5 hr heatup, 60 s scram); T_min = 7714 s for
heatup is physical floor from 28 C/hr rate limit over 60 F span.

WALKTHROUGH.md is a standalone document — read it cold without needing
the transcript. Covers:
  - Per-mode reach-obligation taxonomy (eq. vs trans.)
  - Formal reach-avoid claim per mode
  - Mode boundary concretizations (X_entry/X_safe/X_exit/T_max)
  - File-by-file code walkthrough of every reach artifact
  - Results: operation reach passes all 6 inv2 halfspaces; Lyapunov
    barrier fails all 6 (fundamental anisotropy limitation, quantified
    via the OL/CL comparison)
  - Caveats: soundness, alpha drift, saturation, DNBR, cold-shutdown
  - Next: nonlinear reach via JuliaReach TMJets

This is the 'prelim example' doc; thesis defense will need real tech-
spec numbers replacing the placeholders.

Hacker-Split: user asked for standalone walkthrough capturing the
analysis step-by-step with figures embedded. This is that.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 16:41:21 -04:00
Dane Sabo
72143bcff5 predicates: add heatup rate invariant as a linear halfspace
Earlier placeholder claimed ramp-rate limits weren't expressible as
state halfspaces without augmentation. That was wrong: dT_c/dt is
linear in (T_f, T_c, T_cold) directly from pke_th_rhs (no neutronics
coupling), so |dT_c/dt| <= r_max is two clean halfspaces over x.

Coefficients from pke_params:
  a_f    = hA / (M_c*c_c)            = +0.4587 /s
  a_c    = -(hA + 2*W*c_c)/(M_c*c_c) = -0.9587 /s
  a_cold = 2*W*c_c / (M_c*c_c)       = +0.5000 /s
  Sum   = 0 exact (equilibrium when all T's equal).

Limit chosen: +/- 50 C/hr (tech-spec 28 C/hr + transient overshoot
budget). Verified on actual heatup sim: max dT_c/dt = 48.5 C/hr, min
= 0 C/hr. Passes our placeholder but tight — a strict 28 C/hr tech-
spec invariant would be violated by current ctrl_heatup tuning
(overshoot factor ~1.7x during mid-ramp).

Generalized load_predicates.m to accept multi-coefficient halfspace
rows via "row": [[state_idx, coeff], ...] format, in addition to the
existing single-coefficient {state_index, coeff} form. Backward
compatible.

inv1_holds now conjoins fuel_centerline, cold_leg_subcooled, and the
two rate halfspaces. DNBR still not modeled (would need an
augmented predicate with a correlation-based safety margin).

Hacker-Split: Dane asked about heatup rate invariant; realizing
my earlier 'needs state augmentation' claim was wrong and the rate
constraint is already linear. Fix it, verify against actual sim.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 16:16:53 -04:00
Dane Sabo
dc4cfed61a reachability: OL-vs-CL Lyapunov barrier comparison script
Per Dane's question: does LQR actually factor into the 2364x barrier
on n_high_trip, or is that just open-loop plant?

Answer: LQR IS included (A_cl = A - B*K), and the open-loop version is
catastrophically worse. Results on inv2_holds halfspaces:

                           open-loop        LQR closed-loop
  fuel_centerline        26.9M K bound      1137 K bound
  t_avg_high_trip       788220 K bound      33.2 K bound
  n_high_trip          27.4M x bound        1242 x bound
  cold_leg_subcooled    1.8M K bound        77.8 K bound
  gamma (level)         1.04e13              1.85e4

LQR improves every bound by ~20,000x — dramatic help — but the bounds
are still physically meaningless. The ceiling is set by plant anisotropy
(Lambda=1e-4 vs thermal timescales ~ seconds) forcing P to be
ill-conditioned regardless of LQR tuning. mu (slowest V-decay rate)
barely moves between OL and CL because both share the same slowest
thermal mode.

Clean motivation for the thesis chapter's move to polytopic / SOS
barriers: quadratic Lyapunov hits an anisotropy ceiling that no amount
of controller work can fix.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 16:11:26 -04:00
Dane Sabo
a20d2a05e9 predicates: split operational deadbands from hard safety limits
Previously conflated two different kinds of constraint:
  - operational deadbands (|T_c - T_c0| <= 5 F) used by the DRC for mode
    transitions. Symmetric bands around setpoint. Violating these is an
    operator/operational issue, not a safety issue.
  - safety limits (T_f <= 1200 C, T_c <= 320 C, n <= 1.15, etc.) are
    hard one-sided halfspaces corresponding to physical damage mechanisms
    or reactor-trip setpoints. THESE are what a safety barrier/reach must
    discharge.

predicates.json now has three groups:
  - operational_deadbands (t_avg_above_min, t_avg_in_range, p_above_crit)
  - safety_limits (fuel_centerline, t_avg_high_trip, t_avg_low_trip,
    n_high_trip, n_low_operation, cold_leg_subcooled)
  - mode_invariants (inv1_holds, inv2_holds as conjunctions of safety_limits)

reach_operation.m and barrier_lyapunov.m both now report halfspace-by-
halfspace margins against inv2_holds. Attributable failure analysis:
we can see WHICH limit is tightest.

Reach tube (under +/-15% Q_sg load): passes all 6 safety halfspaces.
Tightest margin is n_high_trip at +0.138 (12% from trip). Temperature
directions have 10-870 K margin.

Lyapunov barrier (same): fails all 6. Worst is n_high_trip with -2365
margin — the ellipsoid says n could deviate by +/-2364, which is
physically meaningless. Anisotropy cost made visible per-direction.
Motivates SOS / polytopic barriers for the thesis chapter.

load_predicates.m now returns .operational_deadbands, .safety_limits,
and .mode_invariants. Existing callers that only used .constants or
.t_avg_in_range still work because those live under the old keys.

Hacker-Split: user caught that the barrier was checking the wrong
invariant; safety limits != operating deadband. Restructured so the
proof target matches the physical claim.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 16:04:40 -04:00
Dane Sabo
e69fd0a6f4 reachability: pin FRET predicates as numerical halfspaces
predicates.json is the single source of truth for concretizing the
FRET-spec predicates (t_avg_above_min, t_avg_in_range, p_above_crit,
inv1_holds, inv2_holds) as polytopes {x : A x <= b}. Until now these
were abstract booleans in the synthesis spec; reach analysis
re-invented ad-hoc thresholds that weren't tied to the spec. Closes
the Thrust-1-meets-Thrust-3 seam.

T_standby now defined as T_c0 - 60 F = 275 C (from user review).
Replaces the earlier simplification where shutdown IC held all temps
at T_cold0. 275 C is inside the model's +/-50 C trust region around
operating point and above coolant saturation at reduced pressure.

load_predicates.m in MATLAB reads the JSON and resolves rhs_expr
strings (which reference plant-derived constants like T_c0, T_cold0,
T_standby) into numeric bounds. Returns per-predicate (A_poly, b_poly)
plus a constants struct.

main_mode_sweep.m now pulls T_standby from predicates and uses it
for shutdown + heatup ICs. Heatup horizon extended to 90 min to
cover the wider 60 F -> operating range at 28 C/hr tech-spec limit.

reach_operation.m reads delta_safe_Tc from the t_avg_in_range
halfspace instead of hardcoding +/-5 K. Current concretization is
+/-2.78 C (~5 F); LQR reach still shows 28x margin.

inv1_holds and inv2_holds are marked PLACEHOLDER in the JSON —
engineering best guesses, not derived from a specific plant's tech
specs or a DNBR correlation. Revisit before thesis defense.

Hacker-Split: single-source concretization for FRET predicates,
end seam with reach.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 15:09:37 -04:00
Dane Sabo
bc3a6028a9 docs: flag soundness, alpha-drift, saturation-hybrid in file headers
Three caveats surfaced during walkthrough lived only in the
conversation transcript before this commit.  Now they live where
future agents and future-me will actually see them:

- reach_operation.m and reachability/README.md state prominently that
  the current reach tube is an over-approximation of the LINEAR
  model, not a sound tube for the nonlinear plant.  Thesis-blocking
  for a real safety claim.  Upgrade paths documented.

- ctrl_heatup.m header and plant-model/CLAUDE.md note that the
  feedback-linearization u_ff assumes exact alpha_f, alpha_c.  Real
  plants drift (burnup ~20%, boron ~10x, xenon).  Robust treatment =
  parametric reach with alpha as an interval.

- ctrl_heatup.m header and plant-model/CLAUDE.md note that sat() is
  formally a 3-mode piecewise-affine sub-system.  Operation-mode LQR
  is dormant (trivially); heatup will need either a dormancy proof
  or explicit hybrid modeling.

README.md top-level now has a run-commands table for the reach
artifacts and a pointer to the soundness status.

Hacker-Split: raise caveats from transcript to artifact so the work
is actually reviewable by people who weren't in the room.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 16:15:39 -04:00
Dane Sabo
cb69290714 claude_memory: session note for 2026-04-17 controllers + reach
Captures what landed, the model-validity / heatup / PID-vs-P findings,
why the quadratic Lyapunov barrier is fundamentally loose here (thin-
slab safety in anisotropic state space), why ReachabilityAnalysis.jl
needs state rescaling, and loose ends for the next session.

Hacker-Split: leave a clean handoff for Split's next wrap.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 12:53:06 -04:00
Dane Sabo
9fc4afb611 julia-port: parallel plant model; sanity sim matches MATLAB, reach is stub
Port pke_params, pke_th_rhs, pke_linearize, and all five controllers
to Julia. sim_sanity.jl reproduces the MATLAB main.m operation-mode
scenario (100%->80% Q_sg step) and matches final state to 3 decimals
across n, T_f, T_avg, T_cold, u.

reach_operation.jl is a stub: ReachabilityAnalysis.jl (LGG09, GLGM06,
BFFPSV18) numerically explodes on the raw stiff system — envelopes of
1e14 K to 1e37 K instead of the known-tight 0.03 K. Almost certainly
a state-scaling issue: precursors C_i ~ 1e5, temperatures ~ 300,
eigvals span 5000x. Diagonal scaling + retry is planned; left for the
next pass since the hand-rolled MATLAB reach already discharges the
operation-mode obligation.

Project.toml pins OrdinaryDiffEq >= 6.111 (the one that precompiled
cleanly on first instantiate). Manifest gitignored.

Hacker-Split: Julia path open, reach side needs a scaling pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 12:52:57 -04:00
Dane Sabo
02a675c152 reachability: first per-mode reach tube and barrier-cert attempt
Stand up reachability/ with a hand-rolled zonotope propagator for
linear closed-loop systems (reach_linear.m: axis-aligned box hull,
augmented-matrix integration for the disturbance convolution). Use it
in reach_operation.m to discharge the operation-mode safety obligation:
from a +/-0.1 K box on T_avg, under Q_sg in [85%, 100%]*P0, LQR keeps
T_c within 0.03 K of setpoint over 600 s. Safety band is +/-5 K, so
the obligation is satisfied with five orders of margin.

barrier_lyapunov.m attempts the analytic counterpart via a weighted
Lyapunov function. Sweeping the Qbar(T_c) weight, the best quadratic
barrier allows ~33 K deviation on the gamma level set — still outside
the 5 K safety band. This is a fundamental limitation of quadratic
barriers for anisotropic safety specs (thin-slab safe set in a
precursor-heavy state space). Documented in the file: next step for a
tight analytic certificate is SOS polynomial or polytopic barrier,
which need solvers we don't have locally yet.

reach_linear.m started out with a halfwidth-propagation bug (signed
A_step instead of |A_step|); fixed before commit after noticing the
reach envelope exactly matched the initial box on T_c.

Figures saved to docs/figures/. .mat result files gitignored — they
are regenerated in <1s.

Hacker-Split: first end-to-end per-mode reachability artifact.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 12:52:37 -04:00
Dane Sabo
d2997c2861 plant-model: add shutdown/heatup/scram controllers and LQR, linearize
Fill out the DRC mode set with ctrl_shutdown (u = -5*beta), ctrl_scram
(u = -8*beta), and ctrl_heatup (feedback-linearizing P on ramped T_avg
reference, saturated u, no integrator). Add ctrl_operation_lqr as a
full-state-feedback counterpart to ctrl_operation — K cached, closed-loop
essentially perfect under the 100%->80% Q_sg step where plain P has ~5F
overshoot.

Add pke_linearize for numerical (A, B, B_w) Jacobians at any operating
point; test_linearize confirms ~4e-4 rel err vs nonlinear sim for a
5% Q_sg step. Extend pke_solver with an optional x0 argument so each
mode can start from a plausible IC.

main_mode_sweep.m exercises all five modes back-to-back and saves the
4-panel plots. CLAUDE.md updated with model-validity-range note (trust
region is ~+/-50C around operating point; true cold shutdown is out of
scope for the linear feedback coefficients).

Hacker-Split: build out control layer end-to-end for reachability.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 12:52:03 -04:00
Dane Sabo
cebf8c167a Initial umbrella repo: thesis + FRET pipeline + plant model with first controllers
Folds three previously-separate pieces into one preliminary-example repo
for the HAHACS thesis:

- thesis/ (submodule) → gitea Thesis.git — the PhD proposal
- fret-pipeline/ — FRET requirements to AIGER controller (was
  ~/Documents/fret_processing/; prior single-commit history abandoned
  per user decision)
- plant-model/ — 10-state PKE + lumped T/H PWR model (was
  ~/Documents/PKE_Playground/; never version-controlled before)
- presentations/2026DICE/ (submodule) → gitea 2026DICE.git
- reachability/, hardware/ — empty placeholders for Thrust 3 and HIL
- docs/architecture.md — how the discrete and continuous layers compose
- claude_memory/ — session notes and scratch knowledge pattern

Plant model refactored to thesis naming (x, plant, u, ref); pke_th_rhs
now takes u as an explicit arg instead of reading rho_ext from the
params struct. First two controllers built to the contract
u = ctrl_<mode>(t, x, plant, ref): ctrl_null (baseline) and
ctrl_operation (stabilizing, proportional on T_avg). Validated under a
100% -> 80% Q_sg step: ctrl_operation reduces steady-state T_avg drift
~47% vs. the unforced plant.

Root CLAUDE.md emphasizes that CLAUDE.md files are living documents and
that any knowledge not captured before a session ends is lost forever;
claude_memory/ holds the session-level notes that haven't stabilized
enough to graduate into a CLAUDE.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 16:24:11 -04:00