{
  "_comment": [
    "Concretization of the FRET-spec predicates AND the hard safety limits.",
    "Two categories kept distinct:",
    "  - operational_deadbands: soft bands around setpoint used by the DRC for",
    "    mode transitions (t_avg_in_range etc.).  Violating these does not",
    "    cause damage, it just triggers a mode change or operator action.",
    "  - safety_limits: hard one-sided halfspaces corresponding to physical",
    "    damage mechanisms or reactor-trip setpoints.  Barrier certificates",
    "    and reach-set safety checks should target THESE, not the deadbands.",
    "",
    "The FRET-spec invariants inv1_holds, inv2_holds are concretized as the",
    "conjunction of relevant safety_limits for each mode."
  ],
  "_units": {
    "temperatures": "degrees Celsius (SI, internal model units)",
    "n": "normalized power, 1.0 = full power"
  },
  "references": {
    "T_c0": "308.35 C — full-power avg coolant (from pke_params.m)",
    "T_f0": "328.35 C — full-power fuel",
    "T_cold0": "290.0 C — full-power cold leg",
    "T_standby": "275.02 C — hot standby T_avg, defined as T_c0 - 33.33 C (= T_c0 - 60 F)"
  },
  "derived": {
    "T_standby_offset_F": -60.0,
    "T_standby_offset_C": -33.333333333,
    "t_avg_in_range_halfwidth_F": 5.0,
    "t_avg_in_range_halfwidth_C": 2.777777,
    "t_avg_above_min_margin_F": 10.0,
    "t_avg_above_min_margin_C": 5.555555,
    "p_above_crit_threshold_n": 1.0e-4,
    "T_fuel_limit_C": 1200.0,
    "T_c_high_trip_C": 320.0,
    "n_high_trip": 1.15,
    "T_cold_subcooling_margin_C": 15.0
  },

  "operational_deadbands": {
    "_comment": "Soft bands. Used by the DRC for mode switching, not for safety proofs.",
    "t_avg_above_min": {
      "meaning": "Coolant warmed above cold-start threshold — shutdown may transition to heatup.",
      "concretization": "T_c >= T_standby + 5.556 C (hot-standby + 10 F buffer)",
      "halfspaces": [
        { "state_index": 9, "coeff": -1.0, "rhs_expr": "-(T_standby + 5.556)" }
      ]
    },
    "t_avg_in_range": {
      "meaning": "Average coolant in tight operating band — used for heatup->operation transition.",
      "concretization": "|T_c - T_c0| <= 2.778 C (~5 F deadband)",
      "halfspaces": [
        { "state_index": 9, "coeff":  1.0, "rhs_expr": "T_c0 + 2.778" },
        { "state_index": 9, "coeff": -1.0, "rhs_expr": "-(T_c0 - 2.778)" }
      ]
    },
    "p_above_crit": {
      "meaning": "Reactor power in the 'power range' instrumentation regime.",
      "concretization": "n >= 1e-4",
      "halfspaces": [
        { "state_index": 1, "coeff": -1.0, "rhs_expr": "-1.0e-4" }
      ]
    }
  },

  "safety_limits": {
    "_comment": [
      "Hard one-sided halfspaces. Exceeding any of these is damage or trip.",
      "All are asymmetric — the plant is not equally vulnerable on both sides",
      "of the setpoint.  Values are representative of a 2-loop Westinghouse-",
      "class PWR; calibrate to specific plant tech specs before defense."
    ],
    "fuel_centerline": {
      "meaning": "Fuel centerline temperature below design limit to prevent UO2 melt.",
      "concretization": "T_f <= 1200 C (conservative; actual melt ~2800 C)",
      "halfspaces": [
        { "state_index": 8, "coeff": 1.0, "rhs_expr": "1200.0" }
      ]
    },
    "t_avg_high_trip": {
      "meaning": "High-T_avg reactor trip. Typical PWR: ~612-616 F = 322-324 C.",
      "concretization": "T_c <= 320 C (conservative)",
      "halfspaces": [
        { "state_index": 9, "coeff": 1.0, "rhs_expr": "320.0" }
      ]
    },
    "t_avg_low_trip": {
      "meaning": "Low-T_avg reactor trip.  Typical PWR: ~540 F = 282 C.",
      "concretization": "T_c >= 280 C",
      "halfspaces": [
        { "state_index": 9, "coeff": -1.0, "rhs_expr": "-280.0" }
      ]
    },
    "n_high_trip": {
      "meaning": "High-flux reactor trip.  Typical PWR: 118%% of rated.",
      "concretization": "n <= 1.15",
      "halfspaces": [
        { "state_index": 1, "coeff": 1.0, "rhs_expr": "1.15" }
      ]
    },
    "n_low_operation": {
      "meaning": "Operation mode is only valid at power (avoids intermediate-range instrumentation).",
      "concretization": "n >= 0.15 (15%% of rated)",
      "halfspaces": [
        { "state_index": 1, "coeff": -1.0, "rhs_expr": "-0.15" }
      ]
    },
    "cold_leg_subcooled": {
      "meaning": "Cold leg stays subcooled with margin against loss-of-pressure events.",
      "concretization": "T_cold <= T_cold0 + 15 (roughly saturation margin at operating pressure)",
      "halfspaces": [
        { "state_index": 10, "coeff": 1.0, "rhs_expr": "T_cold0 + 15.0" }
      ]
    }
  },

  "mode_invariants": {
    "_comment": [
      "Per-DRC-mode invariants: conjunctions of relevant safety_limits.",
      "This is the target of per-mode reach and barrier analysis."
    ],
    "inv1_holds": {
      "meaning": "Heatup mode safety envelope.",
      "conjunction_of": ["fuel_centerline", "cold_leg_subcooled"],
      "_placeholder_note": "Ramp-rate limit and DNBR not expressible as state halfspaces without augmentation."
    },
    "inv2_holds": {
      "meaning": "Operation mode safety envelope.",
      "conjunction_of": [
        "fuel_centerline",
        "t_avg_high_trip",
        "t_avg_low_trip",
        "n_high_trip",
        "n_low_operation",
        "cold_leg_subcooled"
      ]
    }
  },

  "_placeholder_warning": [
    "Numerical values in safety_limits are representative (2-loop Westinghouse-",
    "class PWR tech-spec ranges) but NOT calibrated to a specific plant.",
    "Calibrate against a real plant's tech specs before defense."
  ]
}