Edit Risks: generalize tool references, clarify boolean abstraction sentence

5-risks-and-contingencies/risks.tex

@@ -1,9 +1,11 @@
 \section{Risks and Contingencies}
 
-This research relies on several critical assumptions that, if invalidated, would
+This research relies on several critical assumptions that, if invalidated,
-require scope adjustment or methodological revision.\splitnote{Honest acknowledgment of risks with clear contingencies — committee will appreciate this.} The primary risks to
+would require scope adjustment or methodological
-successful completion fall into four categories: computational tractability of
+revision.\splitnote{Honest acknowledgment of risks with clear contingencies
-synthesis and verification, complexity of the discrete-continuous interface,
+— committee will appreciate this.} The primary risks to successful
+completion fall into four categories: computational tractability of synthesis
+and verification, complexity of the discrete-continuous interface,
 completeness of procedure formalization, and hardware-in-the-loop integration
 challenges. Each risk has associated indicators for early detection and
 contingency plans that preserve research value even if core assumptions prove
@@ -15,22 +17,23 @@ deployment.
 
 The first major assumption is that formalized startup procedures will yield
 automata small enough for efficient synthesis and verification. Reactive
-synthesis scales exponentially with specification complexity, creating risk that
+synthesis scales exponentially with specification complexity, creating risk
-temporal logic specifications derived from complete startup procedures may
+that temporal logic specifications derived from complete startup procedures
-produce automata with thousands of states. Such large automata would require
+may produce automata with thousands of states. Such large automata would
-synthesis times exceeding days or weeks, preventing demonstration of the
+require synthesis times exceeding days or weeks, preventing demonstration of
-complete methodology within project timelines. Reachability analysis for
+the complete methodology within project timelines. Reachability analysis for
 continuous modes with high-dimensional state spaces may similarly prove
 computationally intractable. Either barrier would constitute a fundamental
 obstacle to achieving the research objectives.
 
 Several indicators would provide early warning of computational tractability
 problems. Synthesis times exceeding 24 hours for simplified procedure subsets
-would suggest complete procedures are intractable. Generated automata containing
+would suggest complete procedures are intractable. Generated automata
-more than 1,000 discrete states would indicate the discrete state space is too
+containing more than 1,000 discrete states would indicate the discrete state
-large for efficient verification. Specifications flagged as unrealizable by FRET
+space is too large for efficient verification. Specifications flagged as
-or Strix\dasinline{Strix may not be the reactive synth
+unrealizable by \oldt{FRET or Strix} \newt{realizability checking
-tool anymore. Be more general.} would reveal fundamental conflicts in the formalized procedures.
+tools}\dasinline{Strix may not be the reactive synth tool anymore. Be more
+general.} would reveal fundamental conflicts in the formalized procedures.
 Reachability analysis failing to converge within reasonable time bounds would
 show that continuous mode verification cannot be completed with available
 computational resources.
@@ -38,122 +41,130 @@ computational resources.
 The contingency plan for computational intractability is to reduce scope to a
 minimal viable startup sequence. This reduced sequence would cover only cold
 shutdown to criticality to low-power hold, omitting power ascension and other
-operational phases. The subset would still demonstrate the complete methodology
+operational phases. The subset would still demonstrate the complete
-while reducing computational burden. The research contribution would remain
+methodology while reducing computational burden. The research contribution
-valid even with reduced scope, proving that formal hybrid control synthesis is
+would remain valid even with reduced scope, proving that formal hybrid
-achievable for safety-critical nuclear applications. The limitation to
+control synthesis is achievable for safety-critical nuclear applications. The
-simplified operational sequences would be explicitly documented as a constraint
+limitation to simplified operational sequences would be explicitly documented
-rather than a failure.
+as a constraint rather than a failure.
 
 \subsection{Discrete-Continuous Interface Formalization}
 
 The second critical assumption concerns the mapping between boolean guard
-conditions in temporal logic and continuous state boundaries required for mode
+conditions in temporal logic and continuous state boundaries required for
-transitions. This interface represents the fundamental challenge of hybrid
+mode transitions. This interface represents the fundamental challenge of
-systems: relating discrete switching logic to continuous dynamics. Temporal
+hybrid systems: relating discrete switching logic to continuous dynamics.
-logic operates on boolean predicates, while continuous control requires
+Temporal logic operates on boolean predicates, while continuous control
-reasoning about differential equations and reachable sets. Guard conditions
+requires reasoning about differential equations and reachable sets.
-requiring complex nonlinear predicates may resist boolean abstraction, making
+\oldt{Guard conditions requiring complex nonlinear predicates may resist
-synthesis intractable.\dasinline{What does this mean?} Continuous safety regions that cannot be expressed as
+boolean abstraction, making synthesis intractable.} \newt{Some guard
-conjunctions of verifiable constraints would similarly create insurmountable
+conditions may require complex nonlinear predicates that cannot be cleanly
-verification challenges. The risk extends beyond static interface definition to
+expressed as boolean combinations of simple threshold checks, making
-dynamic behavior across transitions: barrier certificates may fail to exist for
+synthesis intractable.}\dasinline{What does this mean?} Continuous safety
-proposed transitions, or continuous modes may be unable to guarantee convergence
+regions that cannot be expressed as conjunctions of verifiable constraints
-to discrete transition boundaries.
+would similarly create insurmountable verification challenges. The risk
+extends beyond static interface definition to dynamic behavior across
+transitions: barrier certificates may fail to exist for proposed transitions,
+or continuous modes may be unable to guarantee convergence to discrete
+transition boundaries.
 
 Early indicators of interface formalization problems would appear during both
-synthesis and verification phases. Guard conditions requiring complex nonlinear
+synthesis and verification phases. Guard conditions requiring complex
-predicates that resist boolean abstraction would suggest fundamental misalignment
+nonlinear predicates that resist boolean abstraction would suggest
-between discrete specifications and continuous realities. Continuous safety
+fundamental misalignment between discrete specifications and continuous
-regions that cannot be expressed as conjunctions of half-spaces or polynomial
+realities. Continuous safety regions that cannot be expressed as conjunctions
-inequalities would indicate the interface between discrete guards and continuous
+of half-spaces or polynomial inequalities would indicate the interface
-invariants is too complex. Failure to construct barrier certificates proving
+between discrete guards and continuous invariants is too complex. Failure to
-safety across mode transitions would reveal that continuous dynamics cannot be
+construct barrier certificates proving safety across mode transitions would
-formally related to discrete switching logic. Reachability analysis showing that
+reveal that continuous dynamics cannot be formally related to discrete
-continuous modes cannot reach intended transition boundaries from all possible
+switching logic. Reachability analysis showing that continuous modes cannot
-initial conditions would demonstrate the synthesized discrete controller is
+reach intended transition boundaries from all possible initial conditions
-incompatible with achievable continuous behavior.
+would demonstrate the synthesized discrete controller is incompatible with
+achievable continuous behavior.
 
-The primary contingency for interface complexity is restricting continuous modes
+The primary contingency for interface complexity is restricting continuous
-to operate within polytopic invariants. Polytopes are state regions defined as
+modes to operate within polytopic invariants. Polytopes are state regions
-intersections of linear half-spaces, which map directly to boolean predicates
+defined as intersections of linear half-spaces, which map directly to boolean
-through linear inequality checks. This restriction ensures tractable synthesis
+predicates through linear inequality checks. This restriction ensures
-while maintaining theoretical rigor, though at the cost of limiting
+tractable synthesis while maintaining theoretical rigor, though at the cost
-expressiveness compared to arbitrary nonlinear regions. The discrete-continuous
+of limiting expressiveness compared to arbitrary nonlinear regions. The
-interface remains well-defined and verifiable with polytopic restrictions,
+discrete-continuous interface remains well-defined and verifiable with
-providing a clear fallback position that preserves the core methodology.
+polytopic restrictions, providing a clear fallback position that preserves
-Conservative over-approximations offer an alternative approach: a nonlinear safe
+the core methodology. Conservative over-approximations offer an alternative
-region can be inner-approximated by a polytope, sacrificing operational
+approach: a nonlinear safe region can be inner-approximated by a polytope,
-flexibility to maintain formal guarantees. The three-mode classification already
+sacrificing operational flexibility to maintain formal guarantees. The
-structures the problem to minimize complex transitions, with critical safety
+three-mode classification already structures the problem to minimize complex
-properties concentrated in expulsory modes that can receive additional design
+transitions, with critical safety properties concentrated in expulsory modes
-attention.
+that can receive additional design attention.
 
 Mitigation strategies focus on designing continuous controllers with discrete
 transitions as primary objectives from the outset. Rather than designing
 continuous control laws independently and verifying transitions post-hoc, the
 approach uses transition requirements as design constraints. Control barrier
-functions provide a systematic method to synthesize controllers that guarantee
+functions provide a systematic method to synthesize controllers that
-forward invariance of safe sets and convergence to transition boundaries. This
+guarantee forward invariance of safe sets and convergence to transition
-design-for-verification approach reduces the likelihood that interface
+boundaries. This design-for-verification approach reduces the likelihood that
-complexity becomes insurmountable. Focusing verification effort on expulsory
+interface complexity becomes insurmountable. Focusing verification effort on
-modes---where safety is most critical---allows more complex analysis to be
+expulsory modes---where safety is most critical---allows more complex
-applied selectively rather than uniformly across all modes, concentrating
+analysis to be applied selectively rather than uniformly across all modes,
-computational resources where they matter most for safety assurance.
+concentrating computational resources where they matter most for safety
+assurance.
 
 \subsection{Procedure Formalization Completeness}
 
 The third assumption is that existing startup procedures contain sufficient
-detail and clarity for translation into temporal logic specifications. Nuclear
+detail and clarity for translation into temporal logic specifications.
-operating procedures, while extensively detailed, were written for human
+Nuclear operating procedures, while extensively detailed, were written for
-operators who bring contextual understanding and adaptive reasoning to their
+human operators who bring contextual understanding and adaptive reasoning to
-interpretation. Procedures may contain implicit knowledge, ambiguous directives,
+their interpretation. Procedures may contain implicit knowledge, ambiguous
-or references to operator judgment that resist formalization in current
+directives, or references to operator judgment that resist formalization in
-specification languages. Underspecified timing constraints, ambiguous condition
+current specification languages. Underspecified timing constraints, ambiguous
-definitions, or gaps in operational coverage would cause synthesis to fail or
+condition definitions, or gaps in operational coverage would cause synthesis
-produce incorrect automata. The risk is not merely that formalization is
+to fail or produce incorrect automata. The risk is not merely that
-difficult, but that current procedures fundamentally lack the precision required
+formalization is difficult, but that current procedures fundamentally lack
-for autonomous control, revealing a gap between human-oriented documentation and
+the precision required for autonomous control, revealing a gap between
-machine-executable specifications.
+human-oriented documentation and machine-executable specifications.
 
-Several indicators would reveal formalization completeness problems early in the
+Several indicators would reveal formalization completeness problems early in
-project. FRET realizability checks failing due to underspecified behaviors or
+the project. FRET realizability checks failing due to underspecified
-conflicting requirements would indicate procedures do not form a complete
+behaviors or conflicting requirements would indicate procedures do not form a
-specification. Multiple valid interpretations of procedural steps with no clear
+complete specification. Multiple valid interpretations of procedural steps
-resolution would demonstrate procedure language is insufficiently precise for
+with no clear resolution would demonstrate procedure language is
-automated synthesis. Procedures referencing ``operator judgment,'' ``as
+insufficiently precise for automated synthesis. Procedures referencing
-appropriate,'' or similar discretionary language for critical decisions would
+``operator judgment,'' ``as appropriate,'' or similar discretionary language
-explicitly identify points where human reasoning cannot be directly formalized.
+for critical decisions would explicitly identify points where human reasoning
-Domain experts unable to provide crisp answers to specification questions about
+cannot be directly formalized. Domain experts unable to provide crisp answers
-edge cases would suggest the procedures themselves do not fully define system
+to specification questions about edge cases would suggest the procedures
-behavior, relying instead on operator training and experience to fill gaps.
+themselves do not fully define system behavior, relying instead on operator
+training and experience to fill gaps.
 
 The contingency plan treats inadequate specification as itself a research
 contribution rather than a project failure. Documenting specific ambiguities
 encountered would create a taxonomy of formalization barriers: timing
-underspecification, missing preconditions, discretionary actions, and undefined
+underspecification, missing preconditions, discretionary actions, and
-failure modes. Each category would be analyzed to understand why current
+undefined failure modes. Each category would be analyzed to understand why
-procedure-writing practices produce these gaps and what specification languages
+current procedure-writing practices produce these gaps and what specification
-would need to address them. Proposed extensions to FRETish or similar
+languages would need to address them. Proposed extensions to FRETish or
-specification languages would demonstrate how to bridge the gap between current
+similar specification languages would demonstrate how to bridge the gap
-procedures and the precision needed for autonomous control. The research output
+between current procedures and the precision needed for autonomous control.
-would shift from ``here is a complete autonomous controller'' to ``here is what
+The research output would shift from ``here is a complete autonomous
-formal autonomous control requires that current procedures do not provide, and
+controller'' to ``here is what formal autonomous control requires that
-here are language extensions to bridge that gap.'' This contribution remains
+current procedures do not provide, and here are language extensions to bridge
-valuable to both the nuclear industry and formal methods community, establishing
+that gap.'' This contribution remains valuable to both the nuclear industry
-clear requirements for next-generation procedure development and autonomous
+and formal methods community, establishing clear requirements for
-control specification languages.
+next-generation procedure development and autonomous control specification
+languages.
 
 Early-stage procedure analysis with domain experts provides the primary
 mitigation strategy. Collaboration through the University of Pittsburgh Cyber
 Energy Center enables identification and resolution of ambiguities before
-synthesis attempts, rather than discovering them during failed synthesis runs.
+synthesis attempts, rather than discovering them during failed synthesis
-Iterative refinement with reactor operators and control engineers can clarify
+runs. Iterative refinement with reactor operators and control engineers can
-procedural intent before formalization begins, reducing the risk of discovering
+clarify procedural intent before formalization begins, reducing the risk of
-insurmountable specification gaps late in the project. Comparison with
+discovering insurmountable specification gaps late in the project. Comparison
-procedures from multiple reactor designs---pressurized water reactors, boiling
+with procedures from multiple reactor designs---pressurized water reactors,
-water reactors, and advanced designs---may reveal common patterns and standard
+boiling water reactors, and advanced designs---may reveal common patterns and
-ambiguities amenable to systematic resolution. This cross-design analysis would
+standard ambiguities amenable to systematic resolution. This cross-design
-strengthen the generalizability of any proposed specification language
+analysis would strengthen the generalizability of any proposed specification
-extensions, ensuring they address industry-wide practices rather than specific
+language extensions, ensuring they address industry-wide practices rather
-quirks.
+than specific quirks.