PWR-HYBRID-3/claude_memory/2026-04-17-controllers-linearization-and-first-reach.md

# Session 2026-04-17 — controllers, linearization, first per-mode reach, barrier attempt

## Context

Pre-lunch discussion: reachability thrust is empty, controllers missing
for three of four DRC modes, tool choice (CORA vs JuliaReach) open.
Dane stepped away for lunch with instructions to "let me rip" on the
whole pipeline. Auto-mode on.

## What landed

1. **Three new controllers** in `plant-model/controllers/`:
   - `ctrl_shutdown.m` — constant `u = -5*beta` (passive hot standby).
   - `ctrl_scram.m` — constant `u = -8*beta` (max rod worth).
   - `ctrl_heatup.m` — feedback-linearizing P on a ramped `T_avg`
     reference, with saturated `u`.  No integrator state on purpose
     (see below).
2. **`pke_linearize.m`** — numerical Jacobians via central finite
   differences.  At the operating point the linear model agrees with
   the nonlinear simulation to ~4e-4 relative error for a 5% `Q_sg`
   step over 60 s.  Eigenvalues span `[-65.93, -0.0124]` — stiff by a
   factor of ~5000.
3. **`ctrl_operation_lqr.m`** — full-state LQR around `x_op`.
   Closed-loop T_avg tracking is essentially perfect under the same
   `Q_sg` step that makes the plain P controller overshoot by ~5 F.
   Cost: requires `lyap`/`icare` (base MATLAB, no Control Toolbox).
4. **`main_mode_sweep.m`** — drives all five modes back-to-back from
   plausible ICs, saves 6 figures to `docs/figures/mode_sweep_*.png`.
5. **Hand-rolled zonotope reach** in `reachability/reach_linear.m`
   plus `reach_operation.m` end-to-end.  Over-approximates with
   axis-aligned box hull + elementwise-abs matrix propagation.
   Result for operation mode under `Q_sg ∈ [85%, 100%]·P0` and an
   initial ±0.1 K box on T_avg: max `|T_c - T_c0| = 0.1 K` over 600 s.
   Safety band is ±5 K.  **Operation-mode obligation discharged.**
6. **Lyapunov-ellipsoid barrier** in `reachability/barrier_lyapunov.m`.
   **Does NOT certify safety** — the tightest quadratic bound we can
   get (over a sweep of `Qbar(9,9)` from 10 to 1e6) yields max
   `|dT_c| ≈ 33 K`, far outside the 5 K band.  This is a fundamental
   limitation of quadratic Lyapunov for highly anisotropic problems:
   the ellipsoidal invariant is fat in the precursor/thermal
   directions and can't be made tight only along T_c.  **For an
   analytic barrier cert here we'd need SOS polynomial barriers or a
   polytopic invariant.**  Numerical zonotope reach still proves
   safety; the analytic cert is a "nice to have".
7. **Julia port** in `julia-port/`.  Plant parameters, RHS, linearize,
   all five controllers, LQR factory.  `scripts/sim_sanity.jl`
   matches MATLAB to 3 decimals on the standard operation test.
   `scripts/reach_operation.jl` is a stub — ReachabilityAnalysis.jl's
   LGG09, GLGM06, BFFPSV18 all numerically explode on the unscaled
   stiff system (envelopes of 1e14 K or worse).  Fix is diagonal
   state-scaling; didn't get to it this session.

## Key findings worth carrying forward

### The model doesn't support true cold shutdown

`alpha_f`, `alpha_c` are linearized at `(T_f0, T_c0)` = (328 C, 308 C).
Extrapolating to `T = 50 C` gives intrinsic feedback of ~5 $ which is
unphysical — real temperature coefficients saturate/flip at low temp.
**Trust range: ±50 C from operating point.**  "Shutdown" in this demo
means hot standby (290 C, n≈0), not cold shutdown.  Documented in
`plant-model/CLAUDE.md`.  To properly support cold shutdown we'd need
piecewise-linear or table-lookup coefficients — separate modeling task.

### Heatup overshoot is a controller-design signal, not a physics bug

First heatup pass started from `n=1e-6` and produced a ~20-minute lag
(reactor rebuilds power from decay-heat level) followed by a ~7 K
overshoot (thermal inertia + no derivative term).  Fixed by:
(a) saturating `|u|` at 0.5·beta so rho stays subcritical-prompt,
(b) starting heatup from `n=0.001` (0.1% power, already critical),
which matches real plant practice — criticality is achieved in
shutdown before DRC transitions to heatup.

### PID not a good idea here

The plant has intrinsic integrators (thermal mass).  Adding PI:
- Increments state dim 10→11 (cheap for CORA, ok for JuliaReach).
- Anti-windup saturation turns each "continuous mode" into a hybrid
  mode inside itself — more transitions, more reach-set bookkeeping.
- Integrator drift under persistent disturbance inflates the reach
  set over long horizons.

Stuck with P + feedforward; if needed we can promote to PI with eyes
open about the hybrid-mode cost.

### LQR is dramatically better than P for operation mode

Same operating point, same Q_sg step: LQR holds T_avg essentially at
setpoint; plain P has 5 F overshoot and ~0.8 F steady-state lag.  LQR
adds zero state.  The only downside: K is tuned around one operating
point — off-point robustness would need gain scheduling or MPC.

### Hand-rolled reach beats ReachabilityAnalysis.jl out of the box

The stiff, poorly-scaled nature of this system (eig span 5000x, state
magnitudes spanning 10 orders) breaks ReachabilityAnalysis.jl with
default settings.  Hand-rolled MATLAB reach with augmented-matrix
integration trick + elementwise-abs box propagation was ~50 lines and
produced a tight, trustworthy result immediately.  **Lesson: for
well-structured linear reach, don't reach for a toolbox.**

### The analytic barrier problem is anisotropy-limited

Safety set is a thin slab `|T_c - T_c0| <= 5 K` in a 10D state space.
Lyapunov ellipsoids that contain an initial box + robust invariant
are necessarily fat in the *uncontrolled* directions (slow
precursors), and no rescaling of the Lyapunov weight can pull them
tight *only* along T_c without blowing out the other directions.
**Logical next step for a thesis-strength barrier: SOS polynomial
barriers or polytopic (halfspace-intersection) invariants.**

## Soundness, α-drift, saturation — the three "this isn't actually rigorous yet" flags

Dane caught these during walkthrough.  All three now documented in the
relevant file headers so they don't live only in the transcript:

- **Soundness**: `reachability/reach_operation.m` and
  `reachability/README.md` now prominently state the current reach
  tube is over-approximation of the LINEAR model, not the nonlinear
  plant.  Upgrade paths: nonlinear reach (CORA/JuliaReach
  nonlinearSys) or linear reach + Taylor-remainder inflation.  Either
  is thesis-blocking for a real safety claim.
- **α-drift**: `ctrl_heatup.m` header and `plant-model/CLAUDE.md` now
  note that the feedback-linearization cancellation assumes exact
  α_f, α_c.  Real reactors have α drifting (burnup ~20%, boron ~10x,
  xenon).  Robust treatment = α as interval, parametric reach.
- **Saturation semantics**: `ctrl_heatup.m` header now notes the
  sat() is piecewise affine and must be either proven dormant or
  modeled as a hybrid sub-mode in reach.  Operation-mode LQR is
  dormant (trivially); heatup will need explicit treatment.

Documented in `README.md` top-level under the reach commands too.

## Loose ends for the next session

- Julia reach needs state rescaling. `S = diag(...)` chosen so all
  states have O(1) magnitude, then run reach in scaled coords.
- Heatup reach: the ramped reference makes `x*(t)` time-varying, so
  LQR-around-x_op isn't directly applicable.  Options: trajectory-LQR
  (time-varying K), or tube MPC.
- Predicate thresholds still not pinned in the FRET spec.  `t_avg_in_range`
  currently = ±5 K in the reach code but not reflected in the spec JSON.
  Need to sync.
- Shutdown and scram modes don't have reach analysis yet.  They're
  trivial (constant u) but the safety claim for scram — "reactor
  reaches subcritical decay in bounded time from any operating IC" —
  is actually a nice bounded-time reachability problem.

## Commit

Committed as two or three logical chunks.  See git log.