Previously conflated two different kinds of constraint:
- operational deadbands (|T_c - T_c0| <= 5 F) used by the DRC for mode
transitions. Symmetric bands around setpoint. Violating these is an
operator/operational issue, not a safety issue.
- safety limits (T_f <= 1200 C, T_c <= 320 C, n <= 1.15, etc.) are
hard one-sided halfspaces corresponding to physical damage mechanisms
or reactor-trip setpoints. THESE are what a safety barrier/reach must
discharge.
predicates.json now has three groups:
- operational_deadbands (t_avg_above_min, t_avg_in_range, p_above_crit)
- safety_limits (fuel_centerline, t_avg_high_trip, t_avg_low_trip,
n_high_trip, n_low_operation, cold_leg_subcooled)
- mode_invariants (inv1_holds, inv2_holds as conjunctions of safety_limits)
reach_operation.m and barrier_lyapunov.m both now report halfspace-by-
halfspace margins against inv2_holds. Attributable failure analysis:
we can see WHICH limit is tightest.
Reach tube (under +/-15% Q_sg load): passes all 6 safety halfspaces.
Tightest margin is n_high_trip at +0.138 (12% from trip). Temperature
directions have 10-870 K margin.
Lyapunov barrier (same): fails all 6. Worst is n_high_trip with -2365
margin — the ellipsoid says n could deviate by +/-2364, which is
physically meaningless. Anisotropy cost made visible per-direction.
Motivates SOS / polytopic barriers for the thesis chapter.
load_predicates.m now returns .operational_deadbands, .safety_limits,
and .mode_invariants. Existing callers that only used .constants or
.t_avg_in_range still work because those live under the old keys.
Hacker-Split: user caught that the barrier was checking the wrong
invariant; safety limits != operating deadband. Restructured so the
proof target matches the physical claim.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
predicates.json (145 lines, 5.5 KiB, JSON):

{
  "_comment": [
    "Concretization of the FRET-spec predicates AND the hard safety limits.",
    "Two categories kept distinct:",
    " - operational_deadbands: soft bands around setpoint used by the DRC for",
    "   mode transitions (t_avg_in_range etc.). Violating these does not",
    "   cause damage, it just triggers a mode change or operator action.",
    " - safety_limits: hard one-sided halfspaces corresponding to physical",
    "   damage mechanisms or reactor-trip setpoints. Barrier certificates",
    "   and reach-set safety checks should target THESE, not the deadbands.",
    "",
    "The FRET-spec invariants inv1_holds, inv2_holds are concretized as the",
    "conjunction of relevant safety_limits for each mode."
  ],
  "_units": {
    "temperatures": "degrees Celsius (SI, internal model units)",
    "n": "normalized power, 1.0 = full power"
  },
  "references": {
    "T_c0": "308.35 C — full-power avg coolant (from pke_params.m)",
    "T_f0": "328.35 C — full-power fuel",
    "T_cold0": "290.0 C — full-power cold leg",
    "T_standby": "275.02 C — hot standby T_avg, defined as T_c0 - 33.33 C (= T_c0 - 60 F)"
  },
  "derived": {
    "T_standby_offset_F": -60.0,
    "T_standby_offset_C": -33.333333333,
    "t_avg_in_range_halfwidth_F": 5.0,
    "t_avg_in_range_halfwidth_C": 2.777777,
    "t_avg_above_min_margin_F": 10.0,
    "t_avg_above_min_margin_C": 5.555555,
    "p_above_crit_threshold_n": 1.0e-4,
    "T_fuel_limit_C": 1200.0,
    "T_c_high_trip_C": 320.0,
    "n_high_trip": 1.15,
    "T_cold_subcooling_margin_C": 15.0
  },

  "operational_deadbands": {
    "_comment": "Soft bands. Used by the DRC for mode switching, not for safety proofs.",
    "t_avg_above_min": {
      "meaning": "Coolant warmed above cold-start threshold — shutdown may transition to heatup.",
      "concretization": "T_c >= T_standby + 5.556 C (hot-standby + 10 F buffer)",
      "halfspaces": [
        { "state_index": 9, "coeff": -1.0, "rhs_expr": "-(T_standby + 5.556)" }
      ]
    },
    "t_avg_in_range": {
      "meaning": "Average coolant in tight operating band — used for heatup->operation transition.",
      "concretization": "|T_c - T_c0| <= 2.778 C (~5 F deadband)",
      "halfspaces": [
        { "state_index": 9, "coeff": 1.0, "rhs_expr": "T_c0 + 2.778" },
        { "state_index": 9, "coeff": -1.0, "rhs_expr": "-(T_c0 - 2.778)" }
      ]
    },
    "p_above_crit": {
      "meaning": "Reactor power in the 'power range' instrumentation regime.",
      "concretization": "n >= 1e-4",
      "halfspaces": [
        { "state_index": 1, "coeff": -1.0, "rhs_expr": "-1.0e-4" }
      ]
    }
  },

  "safety_limits": {
    "_comment": [
      "Hard one-sided halfspaces. Exceeding any of these is damage or trip.",
      "All are asymmetric — the plant is not equally vulnerable on both sides",
      "of the setpoint. Values are representative of a 2-loop Westinghouse-",
      "class PWR; calibrate to specific plant tech specs before defense."
    ],
    "fuel_centerline": {
      "meaning": "Fuel centerline temperature below design limit to prevent UO2 melt.",
      "concretization": "T_f <= 1200 C (conservative; actual melt ~2800 C)",
      "halfspaces": [
        { "state_index": 8, "coeff": 1.0, "rhs_expr": "1200.0" }
      ]
    },
    "t_avg_high_trip": {
      "meaning": "High-T_avg reactor trip. Typical PWR: ~612-616 F = 322-324 C.",
      "concretization": "T_c <= 320 C (conservative)",
      "halfspaces": [
        { "state_index": 9, "coeff": 1.0, "rhs_expr": "320.0" }
      ]
    },
    "t_avg_low_trip": {
      "meaning": "Low-T_avg reactor trip. Typical PWR: ~540 F = 282 C.",
      "concretization": "T_c >= 280 C",
      "halfspaces": [
        { "state_index": 9, "coeff": -1.0, "rhs_expr": "-280.0" }
      ]
    },
    "n_high_trip": {
      "meaning": "High-flux reactor trip. Typical PWR: 118% of rated.",
      "concretization": "n <= 1.15",
      "halfspaces": [
        { "state_index": 1, "coeff": 1.0, "rhs_expr": "1.15" }
      ]
    },
    "n_low_operation": {
      "meaning": "Operation mode is only valid at power (avoids intermediate-range instrumentation).",
      "concretization": "n >= 0.15 (15% of rated)",
      "halfspaces": [
        { "state_index": 1, "coeff": -1.0, "rhs_expr": "-0.15" }
      ]
    },
    "cold_leg_subcooled": {
      "meaning": "Cold leg stays subcooled with margin against loss-of-pressure events.",
      "concretization": "T_cold <= T_cold0 + 15 (roughly saturation margin at operating pressure)",
      "halfspaces": [
        { "state_index": 10, "coeff": 1.0, "rhs_expr": "T_cold0 + 15.0" }
      ]
    }
  },

  "mode_invariants": {
    "_comment": [
      "Per-DRC-mode invariants: conjunctions of relevant safety_limits.",
      "This is the target of per-mode reach and barrier analysis."
    ],
    "inv1_holds": {
      "meaning": "Heatup mode safety envelope.",
      "conjunction_of": ["fuel_centerline", "cold_leg_subcooled"],
      "_placeholder_note": "Ramp-rate limit and DNBR not expressible as state halfspaces without augmentation."
    },
    "inv2_holds": {
      "meaning": "Operation mode safety envelope.",
      "conjunction_of": [
        "fuel_centerline",
        "t_avg_high_trip",
        "t_avg_low_trip",
        "n_high_trip",
        "n_low_operation",
        "cold_leg_subcooled"
      ]
    }
  },

  "_placeholder_warning": [
    "Numerical values in safety_limits are representative (2-loop Westinghouse-",
    "class PWR tech-spec ranges) but NOT calibrated to a specific plant.",
    "Calibrate against a real plant's tech specs before defense."
  ]
}
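The halfspace encoding in the file (state_index, coeff, rhs_expr with symbols from references), evaluated the way the commit describes reach_operation.m's halfspace-by-halfspace margin report, as an added Python example that is not the project's load_predicates.m or reach_operation.m: it embeds a constructed subset of predicates.json, resolves rhs_expr through a whitelist AST walk instead of eval() on config strings, and returns the margin of every inv2_holds halfspace plus the binding limit. Assumed: a halfspace means coeff * x[state_index] <= rhs with 1-based state_index (slots 1, 8, 9, 10 read as n, T_f, T_c, T_cold, inferred from the file); the sample state vector is constructed.

```python
import ast
import json
import operator
# Constructed subset of predicates.json (numbers copied from the file above; not the project's loader).
PREDICATES_JSON = """{
  "references": {"T_c0": "308.35 C", "T_cold0": "290.0 C"},
  "safety_limits": {
    "fuel_centerline":    {"halfspaces": [{"state_index": 8,  "coeff":  1.0, "rhs_expr": "1200.0"}]},
    "t_avg_high_trip":    {"halfspaces": [{"state_index": 9,  "coeff":  1.0, "rhs_expr": "320.0"}]},
    "t_avg_low_trip":     {"halfspaces": [{"state_index": 9,  "coeff": -1.0, "rhs_expr": "-280.0"}]},
    "n_high_trip":        {"halfspaces": [{"state_index": 1,  "coeff":  1.0, "rhs_expr": "1.15"}]},
    "n_low_operation":    {"halfspaces": [{"state_index": 1,  "coeff": -1.0, "rhs_expr": "-0.15"}]},
    "cold_leg_subcooled": {"halfspaces": [{"state_index": 10, "coeff":  1.0, "rhs_expr": "T_cold0 + 15.0"}]}
  },
  "mode_invariants": {"inv2_holds": {"conjunction_of": ["fuel_centerline", "t_avg_high_trip",
    "t_avg_low_trip", "n_high_trip", "n_low_operation", "cold_leg_subcooled"]}}
}"""
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.USub: operator.neg}  # all the file's rhs_expr need

def eval_rhs(expr, refs):
    """Evaluate rhs_expr by a whitelist AST walk (numbers, + -, reference names); never eval()."""
    def ev(n):
        if isinstance(n, ast.Constant) and isinstance(n.value, (int, float)):
            return float(n.value)
        if isinstance(n, ast.Name) and n.id in refs:
            return refs[n.id]
        if isinstance(n, (ast.BinOp, ast.UnaryOp)) and type(n.op) in _OPS:
            args = (n.left, n.right) if isinstance(n, ast.BinOp) else (n.operand,)
            return _OPS[type(n.op)](*map(ev, args))
        raise ValueError("disallowed token in rhs_expr: %r" % expr)
    return ev(ast.parse(expr, mode="eval").body)

def invariant_margins(pred, inv_name, x):
    """Margin r - a*x[i] for each halfspace a*x[i] <= r of the invariant; negative means violated."""
    refs = {k: float(v.split()[0]) for k, v in pred["references"].items()}  # "308.35 C ..." -> 308.35
    margins = {}
    for name in pred["mode_invariants"][inv_name]["conjunction_of"]:
        for hs in pred["safety_limits"][name]["halfspaces"]:
            m = eval_rhs(hs["rhs_expr"], refs) - hs["coeff"] * x[hs["state_index"] - 1]  # 1-based index (MATLAB)
            margins[name] = min(margins.get(name, float("inf")), m)  # a limit with several halfspaces keeps its worst
    return margins

def check_inv2(x, text=PREDICATES_JSON):
    """Per-limit margins of inv2_holds plus the binding limit: the attributable view the commit describes."""
    m = invariant_margins(json.loads(text), "inv2_holds", x)
    return m, min(m.items(), key=lambda kv: kv[1])

if __name__ == "__main__":
    # constructed 10-state sample: n in slot 1, T_f in slot 8, T_c in slot 9, T_cold in slot 10 (others unused)
    print(check_inv2([1.012, 0, 0, 0, 0, 0, 0, 1000.0, 310.0, 292.0]))
```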