Per Dane's question: does LQR actually factor into the 2364x barrier
on n_high_trip, or is that just open-loop plant?
Answer: LQR IS included (A_cl = A - B*K), and the open-loop version is
catastrophically worse. Results on inv2_holds halfspaces:
open-loop LQR closed-loop
fuel_centerline 26.9M K bound 1137 K bound
t_avg_high_trip 788220 K bound 33.2 K bound
n_high_trip 27.4M x bound 1242 x bound
cold_leg_subcooled 1.8M K bound 77.8 K bound
gamma (level) 1.04e13 1.85e4
LQR improves every bound by ~20,000x — dramatic help — but the bounds
are still physically meaningless. The ceiling is set by plant anisotropy
(Lambda=1e-4 vs thermal timescales ~ seconds) forcing P to be
ill-conditioned regardless of LQR tuning. mu (slowest V-decay rate)
barely moves between OL and CL because both share the same slowest
thermal mode.
Clean motivation for the thesis chapter's move to polytopic / SOS
barriers: quadratic Lyapunov hits an anisotropy ceiling that no amount
of controller work can fix.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Previously conflated two different kinds of constraint:
- operational deadbands (|T_c - T_c0| <= 5 F) used by the DRC for mode
transitions. Symmetric bands around setpoint. Violating these is an
operator/operational issue, not a safety issue.
- safety limits (T_f <= 1200 C, T_c <= 320 C, n <= 1.15, etc.) are
hard one-sided halfspaces corresponding to physical damage mechanisms
or reactor-trip setpoints. THESE are what a safety barrier/reach must
discharge.
predicates.json now has three groups:
- operational_deadbands (t_avg_above_min, t_avg_in_range, p_above_crit)
- safety_limits (fuel_centerline, t_avg_high_trip, t_avg_low_trip,
n_high_trip, n_low_operation, cold_leg_subcooled)
- mode_invariants (inv1_holds, inv2_holds as conjunctions of safety_limits)
reach_operation.m and barrier_lyapunov.m both now report halfspace-by-
halfspace margins against inv2_holds. Attributable failure analysis:
we can see WHICH limit is tightest.
Reach tube (under +/-15% Q_sg load): passes all 6 safety halfspaces.
Tightest margin is n_high_trip at +0.138 (12% from trip). Temperature
directions have 10-870 K margin.
Lyapunov barrier (same): fails all 6. Worst is n_high_trip with -2365
margin — the ellipsoid says n could deviate by +/-2364, which is
physically meaningless. Anisotropy cost made visible per-direction.
Motivates SOS / polytopic barriers for the thesis chapter.
load_predicates.m now returns .operational_deadbands, .safety_limits,
and .mode_invariants. Existing callers that only used .constants or
.t_avg_in_range still work because those live under the old keys.
Hacker-Split: user caught that the barrier was checking the wrong
invariant; safety limits != operating deadband. Restructured so the
proof target matches the physical claim.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
predicates.json is the single source of truth for concretizing the
FRET-spec predicates (t_avg_above_min, t_avg_in_range, p_above_crit,
inv1_holds, inv2_holds) as polytopes {x : A x <= b}. Until now these
were abstract booleans in the synthesis spec; reach analysis
re-invented ad-hoc thresholds that weren't tied to the spec. Closes
the Thrust-1-meets-Thrust-3 seam.
T_standby now defined as T_c0 - 60 F = 275 C (from user review).
Replaces the earlier simplification where shutdown IC held all temps
at T_cold0. 275 C is inside the model's +/-50 C trust region around
operating point and above coolant saturation at reduced pressure.
load_predicates.m in MATLAB reads the JSON and resolves rhs_expr
strings (which reference plant-derived constants like T_c0, T_cold0,
T_standby) into numeric bounds. Returns per-predicate (A_poly, b_poly)
plus a constants struct.
main_mode_sweep.m now pulls T_standby from predicates and uses it
for shutdown + heatup ICs. Heatup horizon extended to 90 min to
cover the wider 60 F -> operating range at 28 C/hr tech-spec limit.
reach_operation.m reads delta_safe_Tc from the t_avg_in_range
halfspace instead of hardcoding +/-5 K. Current concretization is
+/-2.78 C (~5 F); LQR reach still shows 28x margin.
inv1_holds and inv2_holds are marked PLACEHOLDER in the JSON —
engineering best guesses, not derived from a specific plant's tech
specs or a DNBR correlation. Revisit before thesis defense.
Hacker-Split: single-source concretization for FRET predicates,
end seam with reach.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three caveats surfaced during walkthrough lived only in the
conversation transcript before this commit. Now they live where
future agents and future-me will actually see them:
- reach_operation.m and reachability/README.md state prominently that
the current reach tube is an over-approximation of the LINEAR
model, not a sound tube for the nonlinear plant. Thesis-blocking
for a real safety claim. Upgrade paths documented.
- ctrl_heatup.m header and plant-model/CLAUDE.md note that the
feedback-linearization u_ff assumes exact alpha_f, alpha_c. Real
plants drift (burnup ~20%, boron ~10x, xenon). Robust treatment =
parametric reach with alpha as an interval.
- ctrl_heatup.m header and plant-model/CLAUDE.md note that sat() is
formally a 3-mode piecewise-affine sub-system. Operation-mode LQR
is dormant (trivially); heatup will need either a dormancy proof
or explicit hybrid modeling.
README.md top-level now has a run-commands table for the reach
artifacts and a pointer to the soundness status.
Hacker-Split: raise caveats from transcript to artifact so the work
is actually reviewable by people who weren't in the room.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Captures what landed, the model-validity / heatup / PID-vs-P findings,
why the quadratic Lyapunov barrier is fundamentally loose here (thin-
slab safety in anisotropic state space), why ReachabilityAnalysis.jl
needs state rescaling, and loose ends for the next session.
Hacker-Split: leave a clean handoff for Split's next wrap.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Port pke_params, pke_th_rhs, pke_linearize, and all five controllers
to Julia. sim_sanity.jl reproduces the MATLAB main.m operation-mode
scenario (100%->80% Q_sg step) and matches final state to 3 decimals
across n, T_f, T_avg, T_cold, u.
reach_operation.jl is a stub: ReachabilityAnalysis.jl (LGG09, GLGM06,
BFFPSV18) numerically explodes on the raw stiff system — envelopes of
1e14 K to 1e37 K instead of the known-tight 0.03 K. Almost certainly
a state-scaling issue: precursors C_i ~ 1e5, temperatures ~ 300,
eigvals span 5000x. Diagonal scaling + retry is planned; left for the
next pass since the hand-rolled MATLAB reach already discharges the
operation-mode obligation.
Project.toml pins OrdinaryDiffEq >= 6.111 (the one that precompiled
cleanly on first instantiate). Manifest gitignored.
Hacker-Split: Julia path open, reach side needs a scaling pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Stand up reachability/ with a hand-rolled zonotope propagator for
linear closed-loop systems (reach_linear.m: axis-aligned box hull,
augmented-matrix integration for the disturbance convolution). Use it
in reach_operation.m to discharge the operation-mode safety obligation:
from a +/-0.1 K box on T_avg, under Q_sg in [85%, 100%]*P0, LQR keeps
T_c within 0.03 K of setpoint over 600 s. Safety band is +/-5 K, so
the obligation is satisfied with five orders of margin.
barrier_lyapunov.m attempts the analytic counterpart via a weighted
Lyapunov function. Sweeping the Qbar(T_c) weight, the best quadratic
barrier allows ~33 K deviation on the gamma level set — still outside
the 5 K safety band. This is a fundamental limitation of quadratic
barriers for anisotropic safety specs (thin-slab safe set in a
precursor-heavy state space). Documented in the file: next step for a
tight analytic certificate is SOS polynomial or polytopic barrier,
which need solvers we don't have locally yet.
reach_linear.m started out with a halfwidth-propagation bug (signed
A_step instead of |A_step|); fixed before commit after noticing the
reach envelope exactly matched the initial box on T_c.
Figures saved to docs/figures/. .mat result files gitignored — they
are regenerated in <1s.
Hacker-Split: first end-to-end per-mode reachability artifact.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Fill out the DRC mode set with ctrl_shutdown (u = -5*beta), ctrl_scram
(u = -8*beta), and ctrl_heatup (feedback-linearizing P on ramped T_avg
reference, saturated u, no integrator). Add ctrl_operation_lqr as a
full-state-feedback counterpart to ctrl_operation — K cached, closed-loop
essentially perfect under the 100%->80% Q_sg step where plain P has ~5F
overshoot.
Add pke_linearize for numerical (A, B, B_w) Jacobians at any operating
point; test_linearize confirms ~4e-4 rel err vs nonlinear sim for a
5% Q_sg step. Extend pke_solver with an optional x0 argument so each
mode can start from a plausible IC.
main_mode_sweep.m exercises all five modes back-to-back and saves the
4-panel plots. CLAUDE.md updated with model-validity-range note (trust
region is ~+/-50C around operating point; true cold shutdown is out of
scope for the linear feedback coefficients).
Hacker-Split: build out control layer end-to-end for reachability.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Folds three previously-separate pieces into one preliminary-example repo
for the HAHACS thesis:
- thesis/ (submodule) → gitea Thesis.git — the PhD proposal
- fret-pipeline/ — FRET requirements to AIGER controller (was
~/Documents/fret_processing/; prior single-commit history abandoned
per user decision)
- plant-model/ — 10-state PKE + lumped T/H PWR model (was
~/Documents/PKE_Playground/; never version-controlled before)
- presentations/2026DICE/ (submodule) → gitea 2026DICE.git
- reachability/, hardware/ — empty placeholders for Thrust 3 and HIL
- docs/architecture.md — how the discrete and continuous layers compose
- claude_memory/ — session notes and scratch knowledge pattern
Plant model refactored to thesis naming (x, plant, u, ref); pke_th_rhs
now takes u as an explicit arg instead of reading rho_ext from the
params struct. First two controllers built to the contract
u = ctrl_<mode>(t, x, plant, ref): ctrl_null (baseline) and
ctrl_operation (stabilizing, proportional on T_avg). Validated under a
100% -> 80% Q_sg step: ctrl_operation reduces steady-state T_avg drift
~47% vs. the unforced plant.
Root CLAUDE.md emphasizes that CLAUDE.md files are living documents and
that any knowledge not captured before a session ends is lost forever;
claude_memory/ holds the session-level notes that haven't stabilized
enough to graduate into a CLAUDE.md.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
