72143bcff5
Earlier placeholder claimed ramp-rate limits weren't expressible as
state halfspaces without augmentation. That was wrong: dT_c/dt is
linear in (T_f, T_c, T_cold) directly from pke_th_rhs (no neutronics
coupling), so |dT_c/dt| <= r_max is two clean halfspaces over x.
Coefficients from pke_params:
a_f = hA / (M_c*c_c) = +0.4587 /s
a_c = -(hA + 2*W*c_c)/(M_c*c_c) = -0.9587 /s
a_cold = 2*W*c_c / (M_c*c_c) = +0.5000 /s
Sum = 0 exact (equilibrium when all T's equal).
Limit chosen: +/- 50 C/hr (tech-spec 28 C/hr + transient overshoot
budget). Verified on actual heatup sim: max dT_c/dt = 48.5 C/hr, min
= 0 C/hr. Passes our placeholder but tight — a strict 28 C/hr tech-
spec invariant would be violated by current ctrl_heatup tuning
(overshoot factor ~1.7x during mid-ramp).
Generalized load_predicates.m to accept multi-coefficient halfspace
rows via "row": [[state_idx, coeff], ...] format, in addition to the
existing single-coefficient {state_index, coeff} form. Backward
compatible.
inv1_holds now conjoins fuel_centerline, cold_leg_subcooled, and the
two rate halfspaces. DNBR still not modeled (would need an
augmented predicate with a correlation-based safety margin).
Hacker-Split: Dane asked about heatup rate invariant; realizing
my earlier 'needs state augmentation' claim was wrong and the rate
constraint is already linear. Fix it, verify against actual sim.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
164 lines
6.5 KiB
JSON
164 lines
6.5 KiB
JSON
{
|
|
"_comment": [
|
|
"Concretization of the FRET-spec predicates AND the hard safety limits.",
|
|
"Two categories kept distinct:",
|
|
" - operational_deadbands: soft bands around setpoint used by the DRC for",
|
|
" mode transitions (t_avg_in_range etc.). Violating these does not",
|
|
" cause damage, it just triggers a mode change or operator action.",
|
|
" - safety_limits: hard one-sided halfspaces corresponding to physical",
|
|
" damage mechanisms or reactor-trip setpoints. Barrier certificates",
|
|
" and reach-set safety checks should target THESE, not the deadbands.",
|
|
"",
|
|
"The FRET-spec invariants inv1_holds, inv2_holds are concretized as the",
|
|
"conjunction of relevant safety_limits for each mode."
|
|
],
|
|
"_units": {
|
|
"temperatures": "degrees Celsius (SI, internal model units)",
|
|
"n": "normalized power, 1.0 = full power"
|
|
},
|
|
"references": {
|
|
"T_c0": "308.35 C — full-power avg coolant (from pke_params.m)",
|
|
"T_f0": "328.35 C — full-power fuel",
|
|
"T_cold0": "290.0 C — full-power cold leg",
|
|
"T_standby": "275.02 C — hot standby T_avg, defined as T_c0 - 33.33 C (= T_c0 - 60 F)"
|
|
},
|
|
"derived": {
|
|
"T_standby_offset_F": -60.0,
|
|
"T_standby_offset_C": -33.333333333,
|
|
"t_avg_in_range_halfwidth_F": 5.0,
|
|
"t_avg_in_range_halfwidth_C": 2.777777,
|
|
"t_avg_above_min_margin_F": 10.0,
|
|
"t_avg_above_min_margin_C": 5.555555,
|
|
"p_above_crit_threshold_n": 1.0e-4,
|
|
"T_fuel_limit_C": 1200.0,
|
|
"T_c_high_trip_C": 320.0,
|
|
"n_high_trip": 1.15,
|
|
"T_cold_subcooling_margin_C": 15.0
|
|
},
|
|
|
|
"operational_deadbands": {
|
|
"_comment": "Soft bands. Used by the DRC for mode switching, not for safety proofs.",
|
|
"t_avg_above_min": {
|
|
"meaning": "Coolant warmed above cold-start threshold — shutdown may transition to heatup.",
|
|
"concretization": "T_c >= T_standby + 5.556 C (hot-standby + 10 F buffer)",
|
|
"halfspaces": [
|
|
{ "state_index": 9, "coeff": -1.0, "rhs_expr": "-(T_standby + 5.556)" }
|
|
]
|
|
},
|
|
"t_avg_in_range": {
|
|
"meaning": "Average coolant in tight operating band — used for heatup->operation transition.",
|
|
"concretization": "|T_c - T_c0| <= 2.778 C (~5 F deadband)",
|
|
"halfspaces": [
|
|
{ "state_index": 9, "coeff": 1.0, "rhs_expr": "T_c0 + 2.778" },
|
|
{ "state_index": 9, "coeff": -1.0, "rhs_expr": "-(T_c0 - 2.778)" }
|
|
]
|
|
},
|
|
"p_above_crit": {
|
|
"meaning": "Reactor power in the 'power range' instrumentation regime.",
|
|
"concretization": "n >= 1e-4",
|
|
"halfspaces": [
|
|
{ "state_index": 1, "coeff": -1.0, "rhs_expr": "-1.0e-4" }
|
|
]
|
|
}
|
|
},
|
|
|
|
"safety_limits": {
|
|
"_comment": [
|
|
"Hard one-sided halfspaces. Exceeding any of these is damage or trip.",
|
|
"All are asymmetric — the plant is not equally vulnerable on both sides",
|
|
"of the setpoint. Values are representative of a 2-loop Westinghouse-",
|
|
"class PWR; calibrate to specific plant tech specs before defense."
|
|
],
|
|
"fuel_centerline": {
|
|
"meaning": "Fuel centerline temperature below design limit to prevent UO2 melt.",
|
|
"concretization": "T_f <= 1200 C (conservative; actual melt ~2800 C)",
|
|
"halfspaces": [
|
|
{ "state_index": 8, "coeff": 1.0, "rhs_expr": "1200.0" }
|
|
]
|
|
},
|
|
"t_avg_high_trip": {
|
|
"meaning": "High-T_avg reactor trip. Typical PWR: ~612-616 F = 322-324 C.",
|
|
"concretization": "T_c <= 320 C (conservative)",
|
|
"halfspaces": [
|
|
{ "state_index": 9, "coeff": 1.0, "rhs_expr": "320.0" }
|
|
]
|
|
},
|
|
"t_avg_low_trip": {
|
|
"meaning": "Low-T_avg reactor trip. Typical PWR: ~540 F = 282 C.",
|
|
"concretization": "T_c >= 280 C",
|
|
"halfspaces": [
|
|
{ "state_index": 9, "coeff": -1.0, "rhs_expr": "-280.0" }
|
|
]
|
|
},
|
|
"n_high_trip": {
|
|
"meaning": "High-flux reactor trip. Typical PWR: 118%% of rated.",
|
|
"concretization": "n <= 1.15",
|
|
"halfspaces": [
|
|
{ "state_index": 1, "coeff": 1.0, "rhs_expr": "1.15" }
|
|
]
|
|
},
|
|
"n_low_operation": {
|
|
"meaning": "Operation mode is only valid at power (avoids intermediate-range instrumentation).",
|
|
"concretization": "n >= 0.15 (15%% of rated)",
|
|
"halfspaces": [
|
|
{ "state_index": 1, "coeff": -1.0, "rhs_expr": "-0.15" }
|
|
]
|
|
},
|
|
"cold_leg_subcooled": {
|
|
"meaning": "Cold leg stays subcooled with margin against loss-of-pressure events.",
|
|
"concretization": "T_cold <= T_cold0 + 15 (roughly saturation margin at operating pressure)",
|
|
"halfspaces": [
|
|
{ "state_index": 10, "coeff": 1.0, "rhs_expr": "T_cold0 + 15.0" }
|
|
]
|
|
},
|
|
"heatup_rate_upper": {
|
|
"meaning": "Coolant heatup rate does not exceed tech-spec limit + overshoot margin.",
|
|
"concretization": "dT_c/dt = a_f*T_f + a_c*T_c + a_cold*T_cold <= 0.01389 C/s (50 C/hr; tech-spec 28 C/hr + transient overshoot budget)",
|
|
"_derivation": "dT_c/dt is linear in (T_f, T_c, T_cold) from pke_th_rhs.m: a_f=hA/(M_c*c_c)=+0.4587/s, a_c=-(hA+2*W*c_c)/(M_c*c_c)=-0.9587/s, a_cold=2*W*c_c/(M_c*c_c)=+0.5000/s. Coefficients sum to zero by construction (equilibrium when all T's equal).",
|
|
"halfspaces": [
|
|
{ "row": [[8, 0.4587], [9, -0.9587], [10, 0.5000]], "rhs_expr": "0.01389" }
|
|
]
|
|
},
|
|
"heatup_rate_lower": {
|
|
"meaning": "Coolant cooldown rate during heatup doesn't exceed -50 C/hr (flag runaway cooldown).",
|
|
"halfspaces": [
|
|
{ "row": [[8, -0.4587], [9, 0.9587], [10, -0.5000]], "rhs_expr": "0.01389" }
|
|
]
|
|
}
|
|
},
|
|
|
|
"mode_invariants": {
|
|
"_comment": [
|
|
"Per-DRC-mode invariants: conjunctions of relevant safety_limits.",
|
|
"This is the target of per-mode reach and barrier analysis."
|
|
],
|
|
"inv1_holds": {
|
|
"meaning": "Heatup mode safety envelope.",
|
|
"conjunction_of": [
|
|
"fuel_centerline",
|
|
"cold_leg_subcooled",
|
|
"heatup_rate_upper",
|
|
"heatup_rate_lower"
|
|
],
|
|
"_note": "dT_c/dt is linear in (T_f, T_c, T_cold), so ramp-rate halfspace has 3 nonzero coefficients per row. DNBR not modeled — would need an augmented correlation-based predicate."
|
|
},
|
|
"inv2_holds": {
|
|
"meaning": "Operation mode safety envelope.",
|
|
"conjunction_of": [
|
|
"fuel_centerline",
|
|
"t_avg_high_trip",
|
|
"t_avg_low_trip",
|
|
"n_high_trip",
|
|
"n_low_operation",
|
|
"cold_leg_subcooled"
|
|
]
|
|
}
|
|
},
|
|
|
|
"_placeholder_warning": [
|
|
"Numerical values in safety_limits are representative (2-loop Westinghouse-",
|
|
"class PWR tech-spec ranges) but NOT calibrated to a specific plant.",
|
|
"Calibrate against a real plant's tech specs before defense."
|
|
]
|
|
}
|