72143bcff5
Earlier placeholder claimed ramp-rate limits weren't expressible as
state halfspaces without augmentation. That was wrong: dT_c/dt is
linear in (T_f, T_c, T_cold) directly from pke_th_rhs (no neutronics
coupling), so |dT_c/dt| <= r_max is two clean halfspaces over x.
Coefficients from pke_params:
a_f = hA / (M_c*c_c) = +0.4587 /s
a_c = -(hA + 2*W*c_c)/(M_c*c_c) = -0.9587 /s
a_cold = 2*W*c_c / (M_c*c_c) = +0.5000 /s
Sum = 0 exact (equilibrium when all T's equal).
Limit chosen: +/- 50 C/hr (tech-spec 28 C/hr + transient overshoot
budget). Verified on actual heatup sim: max dT_c/dt = 48.5 C/hr, min
= 0 C/hr. Passes our placeholder but tight — a strict 28 C/hr tech-
spec invariant would be violated by current ctrl_heatup tuning
(overshoot factor ~1.7x during mid-ramp).
Generalized load_predicates.m to accept multi-coefficient halfspace
rows via "row": [[state_idx, coeff], ...] format, in addition to the
existing single-coefficient {state_index, coeff} form. Backward
compatible.
inv1_holds now conjoins fuel_centerline, cold_leg_subcooled, and the
two rate halfspaces. DNBR still not modeled (would need an
augmented predicate with a correlation-based safety margin).
Hacker-Split: Dane asked about heatup rate invariant; realizing
my earlier 'needs state augmentation' claim was wrong and the rate
constraint is already linear. Fix it, verify against actual sim.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Reachability
Continuous-mode verification for the PWR_HYBRID_3 hybrid controller.
Soundness status: APPROXIMATE
The current reach_operation.m result is not a sound reach tube for
the physical plant. It is a sound over-approximation of the
linearized closed-loop system (A_cl = A - BK around x_op) under
bounded disturbance. The linear model is itself an approximation of
the nonlinear plant (../plant-model/pke_th_rhs.m), and that
approximation error is not currently bounded or inflated into the tube.
Two paths to upgrade to a sound result:
- Nonlinear reach directly — CORA
nonlinearSys, JuliaReachBlackBoxContinuousSystem, or equivalent. More expensive but the honest answer. - Linear reach + Taylor-remainder inflation — compute an upper
bound on
||f_nl(x, u) - (A x + B u)||over the reach set (via Hessian norm estimate on each component off_nl) and inflate the linear tube by that bound. Less expensive, still rigorous.
Both are thesis-blocking for any safety claim. Deferred only until the per-mode plumbing is solid; it is not a "nice to have".
The current 5-orders-of-margin buffer (reach envelope ~0.03 K against a 5 K safety band) means linearization error would have to be huge to invalidate the conclusion, but that is vibes, not a proof.
Related open issues
- Saturation semantics.
ctrl_heatup.musessat(u, u_min, u_max). Saturation is formally a 3-mode piecewise-affine system. For heatup reach this has to be handled as (a) hybrid locations, or (b) proven dormant via reach onu_unsat. Not modeled in the current artifacts (operation-mode LQR saturation is dormant in practice but the proof is implicit). - Parametric uncertainty in α_f, α_c. Real plants have α drift
with burnup (~20%), boron (α_c ranges 10×), xenon. The
feedback-linearization in
ctrl_heatup.massumes exact α; a robust treatment would make α an interval and propagate parametric reach. Currently idealized — flag in the chapter.
What's here
Per-mode only. Following the compositionality argument in the thesis: verify each continuous mode separately, let the DRC handle discrete switching. Current focus: operation mode under LQR feedback.
What's here
linearization_at_op.mat— A, B, B_w and reference point, generated by../plant-model/test_linearize.m.reach_linear.m— box-zonotope propagation of the closed-loop linear model under bounded disturbance. Pure MATLAB, no external toolbox.barrier_lyapunov.m— Lyapunov-ellipsoid barrier certificate for the closed-loop linear system. Solves a Lyapunov equation, reports the smallest sub-level set containing the initial set and closed under the disturbance.reach_operation.m— end-to-end operation-mode reach: linearize at x_op, compute LQR gain, propagate zonotope reach set, check against thet_avg_in_rangepredicate.figures/— generated plots.
Running
From MATLAB:
cd reachability
reach_operation % computes reach set + plots
barrier_lyapunov % solves Lyapunov, reports invariant ellipsoid
Tool choice
Currently using a hand-rolled zonotope reach because:
- Avoids a ~0.5 GB CORA install for a first-pass result.
- Linear reach with bounded disturbance has a clean analytic form (matrix exponential on the state, integral of e^(A(t-s))·B_w·w ds for the disturbance).
- Stays inside MATLAB, which is where the plant model lives.
If we need nonlinear reach (and we will, for non-LQR controllers or larger reach sets where linearization error matters), the planned options are CORA (MATLAB) or JuliaReach (port the plant to Julia).
What this does NOT do yet
- Any sound reach tube (see top of this file).
- Nonlinear reach for the original P controller on operation.
- Heatup reach (ramped reference makes x* time-varying — needs trajectory-LQR or a different formulation, and the saturation semantics need to be made explicit).
- Shutdown, scram, initialization reach.
- Hybrid-system level verification (mode switching validity).
- Parametric robustness to α_f, α_c drift.