Updates reachability/WALKTHROUGH.md's "What's next" section with:
- PJ reduction approach + validation (0.1% max error on n over 50 min)
- Concrete reach horizons: 60s and 300s clean, 1800s+ partial
- Per-halfspace pass/fail against inv1_holds at T=300s
- Low-T_avg-trip tube looseness flagged as over-approximation, not
physical failure
- 30x horizon improvement framing
Also: refresh reach_operation_result.mat so the Pluto app has live data
to ingest (ran reach_operation.jl; six halfspace margins match the
MATLAB/Julia baseline, all discharged).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Full toolchain port. Numerical equivalence verified against MATLAB:
- main_mode_sweep.jl: every mode's final state matches MATLAB to 3-4 dp
- reach_operation.jl: per-halfspace margins match MATLAB exactly
- barrier_lyapunov.jl: per-halfspace bounds match (best Qbar from sweep
yields max|dT_c| = 33.228 K either side)
- barrier_compare_OL_CL.jl: OL gamma 1.038e13, CL gamma 1.848e4
matching the MATLAB result; LQR helps by ~20,000x on every halfspace.
Phase summary:
Phase 1: pke_solver.jl, plot_pke_results.jl (Plots.jl), main_mode_sweep.jl
Phase 2: reach_linear.jl, reach_operation.jl, barrier_lyapunov.jl,
barrier_compare_OL_CL.jl, load_predicates.jl
Phase 3 (this commit): delete plant-model/ entirely, delete reach
code from reachability/ keeping predicates.json + docs,
git mv julia-port/ -> code/, update root README + CLAUDE,
write code/CLAUDE.md and code/README.md, update reach
README + WALKTHROUGH file paths, journal preamble note
that pre-port entries reference MATLAB paths.
Why now: prompt-neutron stiffness in nonlinear reach made it clear we
need TMJets, which is Julia. Already had the Julia plant model
working and matching MATLAB. Two languages = two sources of truth =
two places to drift. One language, one truth.
Manifest.toml gitignored. .mat results gitignored.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
First working nonlinear reach artifact for the PWR model. TMJets
Taylor-model scheme on the full 10-state closed-loop (unsaturated
ctrl_heatup, ramp reference via augmented time state x[11]).
Status:
T=10s : SUCCESS. 10583 reach-sets. T_c envelope [274.45, 295] C,
n envelope [-5.2e-4, 5.01e-3]. Over-approximation visible
(n can't be negative physically) but tube is sound and
bounded.
T=60s+ : FAILED. Exhausts 50k step budget then hits NaN in
precursor-decay term.
Root cause: prompt-neutron stiffness. Lambda=1e-4s forces TMJets'
adaptive stepper to ~1ms steps to resolve fast dynamics. 10583 steps
for 10s of sim time means we get ~10s/50000 = 2s horizon max before
step budget exhausts — inadequate for heatup's 5-hour obligation.
Remedy (next session): singular-perturbation reduction of the
neutronics. Treat n as quasi-static algebraic function of (T, C, rho)
rather than a dynamic state. Replaces stiff dn/dt with algebraic
relation, removes fast timescale from reach problem. Standard in
reactor-kinetics reach literature.
What this does prove:
- Julia/TMJets framework works for this system (previous
scaling-issue failure is gone with @taylorize'd RHS).
- Bilinear n*rho term handled correctly by Taylor models.
- Ramp reference via augmented time state x[11] is a workable
pattern for time-varying controller references in reach.
What this does NOT prove:
- Anything about heatup safety — 10s horizon is nowhere near the
mode's 5-hour obligation.
Includes sim_heatup.jl, a Rodas5 baseline using the same @taylorize-
able RHS form, for cross-validation of the reach tube against a
nominal trajectory once longer horizons are reachable.
WALKTHROUGH.md updated with the finding.
Hacker-Split: got partway up the Julia reach ladder, identified the
physical bottleneck (stiffness), named the fix (reduced-order PKE).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds mode_boundaries to predicates.json: per-DRC-mode X_entry, X_safe,
X_exit, T_max/T_min with the equilibrium-vs-transition taxonomy the
user articulated during walkthrough. T_max values are engineering-
reasonable guesses (5 hr heatup, 60 s scram); T_min = 7714 s for
heatup is physical floor from 28 C/hr rate limit over 60 F span.
WALKTHROUGH.md is a standalone document — read it cold without needing
the transcript. Covers:
- Per-mode reach-obligation taxonomy (eq. vs trans.)
- Formal reach-avoid claim per mode
- Mode boundary concretizations (X_entry/X_safe/X_exit/T_max)
- File-by-file code walkthrough of every reach artifact
- Results: operation reach passes all 6 inv2 halfspaces; Lyapunov
barrier fails all 6 (fundamental anisotropy limitation, quantified
via the OL/CL comparison)
- Caveats: soundness, alpha drift, saturation, DNBR, cold-shutdown
- Next: nonlinear reach via JuliaReach TMJets
This is the 'prelim example' doc; thesis defense will need real tech-
spec numbers replacing the placeholders.
Hacker-Split: user asked for standalone walkthrough capturing the
analysis step-by-step with figures embedded. This is that.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Earlier placeholder claimed ramp-rate limits weren't expressible as
state halfspaces without augmentation. That was wrong: dT_c/dt is
linear in (T_f, T_c, T_cold) directly from pke_th_rhs (no neutronics
coupling), so |dT_c/dt| <= r_max is two clean halfspaces over x.
Coefficients from pke_params:
a_f = hA / (M_c*c_c) = +0.4587 /s
a_c = -(hA + 2*W*c_c)/(M_c*c_c) = -0.9587 /s
a_cold = 2*W*c_c / (M_c*c_c) = +0.5000 /s
Sum = 0 exact (equilibrium when all T's equal).
Limit chosen: +/- 50 C/hr (tech-spec 28 C/hr + transient overshoot
budget). Verified on actual heatup sim: max dT_c/dt = 48.5 C/hr, min
= 0 C/hr. Passes our placeholder but tight — a strict 28 C/hr tech-
spec invariant would be violated by current ctrl_heatup tuning
(overshoot factor ~1.7x during mid-ramp).
Generalized load_predicates.m to accept multi-coefficient halfspace
rows via "row": [[state_idx, coeff], ...] format, in addition to the
existing single-coefficient {state_index, coeff} form. Backward
compatible.
inv1_holds now conjoins fuel_centerline, cold_leg_subcooled, and the
two rate halfspaces. DNBR still not modeled (would need an
augmented predicate with a correlation-based safety margin).
Hacker-Split: Dane asked about heatup rate invariant; realizing
my earlier 'needs state augmentation' claim was wrong and the rate
constraint is already linear. Fix it, verify against actual sim.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Per Dane's question: does LQR actually factor into the 2364x barrier
on n_high_trip, or is that just open-loop plant?
Answer: LQR IS included (A_cl = A - B*K), and the open-loop version is
catastrophically worse. Results on inv2_holds halfspaces:
open-loop LQR closed-loop
fuel_centerline 26.9M K bound 1137 K bound
t_avg_high_trip 788220 K bound 33.2 K bound
n_high_trip 27.4M x bound 1242 x bound
cold_leg_subcooled 1.8M K bound 77.8 K bound
gamma (level) 1.04e13 1.85e4
LQR improves every bound by ~20,000x — dramatic help — but the bounds
are still physically meaningless. The ceiling is set by plant anisotropy
(Lambda=1e-4 vs thermal timescales ~ seconds) forcing P to be
ill-conditioned regardless of LQR tuning. mu (slowest V-decay rate)
barely moves between OL and CL because both share the same slowest
thermal mode.
Clean motivation for the thesis chapter's move to polytopic / SOS
barriers: quadratic Lyapunov hits an anisotropy ceiling that no amount
of controller work can fix.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Previously conflated two different kinds of constraint:
- operational deadbands (|T_c - T_c0| <= 5 F) used by the DRC for mode
transitions. Symmetric bands around setpoint. Violating these is an
operator/operational issue, not a safety issue.
- safety limits (T_f <= 1200 C, T_c <= 320 C, n <= 1.15, etc.) are
hard one-sided halfspaces corresponding to physical damage mechanisms
or reactor-trip setpoints. THESE are what a safety barrier/reach must
discharge.
predicates.json now has three groups:
- operational_deadbands (t_avg_above_min, t_avg_in_range, p_above_crit)
- safety_limits (fuel_centerline, t_avg_high_trip, t_avg_low_trip,
n_high_trip, n_low_operation, cold_leg_subcooled)
- mode_invariants (inv1_holds, inv2_holds as conjunctions of safety_limits)
reach_operation.m and barrier_lyapunov.m both now report halfspace-by-
halfspace margins against inv2_holds. Attributable failure analysis:
we can see WHICH limit is tightest.
Reach tube (under +/-15% Q_sg load): passes all 6 safety halfspaces.
Tightest margin is n_high_trip at +0.138 (12% from trip). Temperature
directions have 10-870 K margin.
Lyapunov barrier (same): fails all 6. Worst is n_high_trip with -2365
margin — the ellipsoid says n could deviate by +/-2364, which is
physically meaningless. Anisotropy cost made visible per-direction.
Motivates SOS / polytopic barriers for the thesis chapter.
load_predicates.m now returns .operational_deadbands, .safety_limits,
and .mode_invariants. Existing callers that only used .constants or
.t_avg_in_range still work because those live under the old keys.
Hacker-Split: user caught that the barrier was checking the wrong
invariant; safety limits != operating deadband. Restructured so the
proof target matches the physical claim.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
predicates.json is the single source of truth for concretizing the
FRET-spec predicates (t_avg_above_min, t_avg_in_range, p_above_crit,
inv1_holds, inv2_holds) as polytopes {x : A x <= b}. Until now these
were abstract booleans in the synthesis spec; reach analysis
re-invented ad-hoc thresholds that weren't tied to the spec. Closes
the Thrust-1-meets-Thrust-3 seam.
T_standby now defined as T_c0 - 60 F = 275 C (from user review).
Replaces the earlier simplification where shutdown IC held all temps
at T_cold0. 275 C is inside the model's +/-50 C trust region around
operating point and above coolant saturation at reduced pressure.
load_predicates.m in MATLAB reads the JSON and resolves rhs_expr
strings (which reference plant-derived constants like T_c0, T_cold0,
T_standby) into numeric bounds. Returns per-predicate (A_poly, b_poly)
plus a constants struct.
main_mode_sweep.m now pulls T_standby from predicates and uses it
for shutdown + heatup ICs. Heatup horizon extended to 90 min to
cover the wider 60 F -> operating range at 28 C/hr tech-spec limit.
reach_operation.m reads delta_safe_Tc from the t_avg_in_range
halfspace instead of hardcoding +/-5 K. Current concretization is
+/-2.78 C (~5 F); LQR reach still shows 28x margin.
inv1_holds and inv2_holds are marked PLACEHOLDER in the JSON —
engineering best guesses, not derived from a specific plant's tech
specs or a DNBR correlation. Revisit before thesis defense.
Hacker-Split: single-source concretization for FRET predicates,
end seam with reach.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three caveats surfaced during walkthrough lived only in the
conversation transcript before this commit. Now they live where
future agents and future-me will actually see them:
- reach_operation.m and reachability/README.md state prominently that
the current reach tube is an over-approximation of the LINEAR
model, not a sound tube for the nonlinear plant. Thesis-blocking
for a real safety claim. Upgrade paths documented.
- ctrl_heatup.m header and plant-model/CLAUDE.md note that the
feedback-linearization u_ff assumes exact alpha_f, alpha_c. Real
plants drift (burnup ~20%, boron ~10x, xenon). Robust treatment =
parametric reach with alpha as an interval.
- ctrl_heatup.m header and plant-model/CLAUDE.md note that sat() is
formally a 3-mode piecewise-affine sub-system. Operation-mode LQR
is dormant (trivially); heatup will need either a dormancy proof
or explicit hybrid modeling.
README.md top-level now has a run-commands table for the reach
artifacts and a pointer to the soundness status.
Hacker-Split: raise caveats from transcript to artifact so the work
is actually reviewable by people who weren't in the room.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Stand up reachability/ with a hand-rolled zonotope propagator for
linear closed-loop systems (reach_linear.m: axis-aligned box hull,
augmented-matrix integration for the disturbance convolution). Use it
in reach_operation.m to discharge the operation-mode safety obligation:
from a +/-0.1 K box on T_avg, under Q_sg in [85%, 100%]*P0, LQR keeps
T_c within 0.03 K of setpoint over 600 s. Safety band is +/-5 K, so
the obligation is satisfied with five orders of margin.
barrier_lyapunov.m attempts the analytic counterpart via a weighted
Lyapunov function. Sweeping the Qbar(T_c) weight, the best quadratic
barrier allows ~33 K deviation on the gamma level set — still outside
the 5 K safety band. This is a fundamental limitation of quadratic
barriers for anisotropic safety specs (thin-slab safe set in a
precursor-heavy state space). Documented in the file: next step for a
tight analytic certificate is SOS polynomial or polytopic barrier,
which need solvers we don't have locally yet.
reach_linear.m started out with a halfwidth-propagation bug (signed
A_step instead of |A_step|); fixed before commit after noticing the
reach envelope exactly matched the initial box on T_c.
Figures saved to docs/figures/. .mat result files gitignored — they
are regenerated in <1s.
Hacker-Split: first end-to-end per-mode reachability artifact.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
