danesabo/Thesis
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Multi-level editorial pass on thesis proposal

Browse Source 
TACTICAL (sentence-level):
- Applied Gopen's issue-point positioning (key info at sentence end)
- Improved topic-stress positioning and topic strings
- Strengthened verb choice, reduced passive voice where appropriate
- Made sentences more direct and punchy

OPERATIONAL (paragraph/section):
- Improved transitions between paragraphs and subsections
- Enhanced coherence within sections
- Tightened paragraph structure

STRATEGIC (document-level):
- Strengthened Heilmeier question alignment in each section
- Improved linkages between sections
- Enhanced narrative coherence across the document

Focus on clarity, impact, and readability without changing technical content.
This commit is contained in:
Split 2026-03-09 14:35:51 -04:00
parent e49a2ab3e6
commit 093daf9ee0
7 changed files with 71 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
1-goals-and-outcomes/research_statement_v1.tex
View File

@ -2,30 +2,29 @@
This research develops autonomous control systems with mathematical guarantees of safe and correct behavior.
% INTRODUCTORY PARAGRAPH Hook
Nuclear reactors require extensively trained operators who follow detailed written procedures and switch between control objectives based on plant conditions.
Extensively trained operators run nuclear reactors, following detailed written procedures and switching between control objectives based on plant conditions.
% Gap
Small modular reactors face a fundamental economic challenge: per-megawatt staffing costs significantly exceed those of conventional plants, threatening their economic viability. Autonomous control systems can manage complex operational sequences without constant supervision—if they provide assurance equal to or exceeding human-operated systems.
Small modular reactors face a fundamental economic challenge: per-megawatt staffing costs significantly exceed those of conventional plants, threatening economic viability. Without constant supervision, autonomous control systems can manage complex operational sequences—but only if they provide assurance equal to or exceeding that of human-operated systems.
% APPROACH PARAGRAPH Solution
This research combines formal methods from computer science with control theory to build hybrid control systems correct by construction.
% Rationale
Hybrid systems mirror how operators work: discrete logic switches between continuous control modes. Existing formal methods generate provably correct switching logic but fail when continuous dynamics govern transitions. Control theory verifies continuous behavior but cannot prove discrete switching correctness. Neither approach alone provides end-to-end correctness guarantees.
Operators already work this way: discrete logic switches between continuous control modes. Existing formal methods generate provably correct switching logic but fail when continuous dynamics govern transitions. Control theory verifies continuous behavior but cannot prove discrete switching correctness. End-to-end correctness guarantees require both approaches together.
% Hypothesis and Technical Approach
Three stages bridge this gap. First, written operating procedures translate into temporal logic specifications using NASA's Formal Requirements Elicitation Tool (FRET), which structures requirements into scope, condition, component, timing, and response. Realizability checking identifies conflicts and ambiguities before implementation. Second, reactive synthesis generates deterministic automata—provably correct by construction. Third, standard control theory designs continuous controllers for each discrete mode, which reachability analysis then verifies. Continuous modes classify by transition objectives: transitory modes drive the plant between conditions, stabilizing modes maintain operation within regions, and expulsory modes ensure safety under failures. Assume-guarantee contracts and barrier certificates prove safe mode transitions, enabling local verification without global trajectory analysis. An Emerson Ovation control system demonstrates the methodology.
Three stages bridge this gap. First, written operating procedures translate into temporal logic specifications using NASA's Formal Requirements Elicitation Tool (FRET), which structures requirements into scope, condition, component, timing, and response. Conflicts and ambiguities emerge through realizability checking before implementation begins. Second, reactive synthesis generates deterministic automata—provably correct by construction. Third, standard control theory designs continuous controllers for each discrete mode; reachability analysis then verifies each controller. Transition objectives classify continuous modes: transitory modes drive the plant between conditions, stabilizing modes maintain operation within regions, and expulsory modes ensure safety under failures. Assume-guarantee contracts and barrier certificates prove safe mode transitions, enabling local verification without global trajectory analysis. The methodology demonstrates on an Emerson Ovation control system.
% Pay-off
This autonomous control approach manages complex nuclear power operations while maintaining safety guarantees, directly addressing the economic constraints that threaten small modular reactor viability.
% OUTCOMES PARAGRAPHS
If this research is successful, we will be able to do the following:
This research, if successful, produces three concrete outcomes:
\begin{enumerate}
% OUTCOME 1 Title
\item \textit{Synthesize written procedures into verified control logic.}
% Strategy
We develop a methodology for converting written operating procedures
into formal specifications. Reactive synthesis tools then generate
discrete control logic from these specifications.
A methodology converts written operating procedures into formal specifications.
Reactive synthesis tools then generate discrete control logic from these specifications.
% Outcome
Control engineers can generate mode-switching controllers from regulatory
Control engineers generate mode-switching controllers from regulatory
procedures with minimal formal methods expertise, reducing barriers to
high-assurance control systems.
@ -36,15 +35,14 @@ If this research is successful, we will be able to do the following:
transition requirements.
% Outcome
Engineers design continuous controllers using standard practices while
maintaining formal correctness guarantees. Mode transitions provably occur safely and at
the correct times.
maintaining formal correctness guarantees. Mode transitions occur safely and at
the correct times—provably.
% OUTCOME 3 Title
\item \textit{Demonstrate autonomous reactor startup control with safety
guarantees.}
% Strategy
A small modular reactor simulation using industry-standard control hardware
implements this methodology.
This methodology demonstrates on a small modular reactor simulation using industry-standard control hardware.
% Outcome
Control engineers implement high-assurance autonomous controls on
industrial platforms they already use, enabling autonomy without retraining

42
1-goals-and-outcomes/v1.tex
View File

@ -6,14 +6,14 @@ This research develops autonomous hybrid control systems with mathematical guara
% INTRODUCTORY PARAGRAPH Hook
Nuclear power plants require the highest levels of control system reliability. Control system failures risk economic losses, service interruptions, or radiological release.
% Known information
Nuclear plant operations rely on extensively trained human operators. These operators follow detailed written procedures and strict regulatory requirements, switching between control modes based on plant conditions and procedural guidance.
Extensively trained human operators run nuclear plants today. They follow detailed written procedures and strict regulatory requirements, switching between control modes based on plant conditions and procedural guidance.
% Gap
This reliance on human operators prevents autonomous control and creates a fundamental economic challenge for next-generation reactor designs. Small modular reactors face per-megawatt staffing costs far exceeding those of conventional plants—a gap that threatens their economic viability. Autonomous control systems could manage complex operational sequences without constant human supervision, but only if they provide assurance equal to or exceeding that of human operators.
This reliance on human operators prevents autonomous control and creates a fundamental economic challenge for next-generation reactor designs. Per-megawatt staffing costs for small modular reactors far exceed those of conventional plants—a gap that threatens economic viability. Without constant human supervision, autonomous control systems could manage complex operational sequences—but only if they provide assurance equal to or exceeding that of human operators.
% APPROACH PARAGRAPH Solution
This research combines formal methods with control theory to build hybrid control systems correct by construction.
% Rationale
Hybrid systems mirror how operators work: discrete logic switches between continuous control modes. Existing formal methods generate provably correct switching logic from written requirements but fail when continuous dynamics govern transitions. Control theory verifies continuous behavior but cannot prove discrete switching correctness. Neither approach alone guarantees end-to-end correctness.
Operators already work this way: discrete logic switches between continuous control modes. Existing formal methods generate provably correct switching logic from written requirements but fail when continuous dynamics govern transitions. Control theory verifies continuous behavior but cannot prove discrete switching correctness. End-to-end correctness requires both approaches together.
% Hypothesis
This approach closes the gap by synthesizing discrete mode transitions directly from written operating procedures and verifying continuous behavior between transitions. Operating procedures formalize into logical specifications. Continuous dynamics verify against transition requirements. The result: autonomous controllers provably free from design defects.
@ -28,11 +28,10 @@ This approach produces three concrete outcomes:
% OUTCOME 1 Title
\item \textbf{Translate written procedures into verified control logic.}
% Strategy
We develop a methodology for converting existing written operating
procedures into formal specifications. Reactive synthesis tools then
automatically generate discrete control logic from these specifications.
Structured intermediate representations bridge natural language procedures
and mathematical logic.
A methodology converts existing written operating procedures into formal
specifications. Reactive synthesis tools then automatically generate
discrete control logic from these specifications. Structured intermediate
representations bridge natural language procedures and mathematical logic.
% Outcome
Control system engineers generate verified mode-switching controllers
directly from regulatory procedures without formal methods expertise,
@ -41,34 +40,33 @@ This approach produces three concrete outcomes:
% OUTCOME 2 Title
\item \textbf{Verify continuous control behavior across mode transitions.}
% Strategy
We establish methods for analyzing continuous control modes to verify
they satisfy discrete transition requirements. Classical control theory for
linear systems and reachability analysis for nonlinear dynamics verify
that each continuous mode reaches its intended transitions safely.
Methods for analyzing continuous control modes verify they satisfy
discrete transition requirements. Classical control theory for linear
systems and reachability analysis for nonlinear dynamics verify that
each continuous mode reaches its intended transitions safely.
% Outcome
Engineers design continuous controllers using standard practices while
maintaining formal correctness guarantees. Mode transitions occur safely and at the correct times, provably.
maintaining formal correctness guarantees. Mode transitions occur safely and at the correct timesprovably.
% OUTCOME 3 Title
\item \textbf{Demonstrate autonomous reactor startup control with safety
guarantees.}
% Strategy
We apply this methodology to develop an autonomous controller for
nuclear reactor startup procedures, implementing it on a small modular
reactor simulation using industry-standard control hardware. This
demonstration proves correctness across multiple coordinated control
modes from cold shutdown through criticality to power operation.
This methodology applies to autonomous nuclear reactor startup procedures,
demonstrating on a small modular reactor simulation using industry-standard
control hardware. The demonstration proves correctness across multiple
coordinated control modes from cold shutdown through criticality to power operation.
% Outcome
We demonstrate that autonomous hybrid control can be realized in the
nuclear industry with current equipment, establishing a path toward reduced
operator staffing while maintaining safety.
Autonomous hybrid control becomes realizable in the nuclear industry with
current equipment, establishing a path toward reduced operator staffing
while maintaining safety.
\end{enumerate}
% IMPACT PARAGRAPH Innovation
These three outcomes—procedure translation, continuous verification, and hardware demonstration—establish a complete methodology from regulatory documents to deployed systems.
\textbf{What makes this research new?} This work unifies discrete synthesis with continuous verification to enable end-to-end correctness guarantees for hybrid systems. Formal methods verify discrete logic. Control theory verifies continuous dynamics. No existing methodology bridges both with compositional guarantees. This work establishes that bridge by treating discrete specifications as contracts that continuous controllers must satisfy. Independent verification of each layer becomes possible while guaranteeing correct composition. Section 2 (State of the Art) examines why prior work has not achieved this integration. Section 3 (Research Approach) details how this integration will be accomplished.
\textbf{What makes this research new?} This work unifies discrete synthesis with continuous verification to enable end-to-end correctness guarantees for hybrid systems. Formal methods verify discrete logic. Control theory verifies continuous dynamics. No existing methodology bridges both with compositional guarantees. The bridge emerges by treating discrete specifications as contracts that continuous controllers must satisfy. Each layer verifies independently while guaranteeing correct composition. Section 2 (State of the Art) examines why prior work has not achieved this integration. Section 3 (Research Approach) details how this integration will be accomplished.
% Outcome Impact
If successful, control engineers create autonomous controllers from

19
2-state-of-the-art/v2.tex
View File

@ -8,7 +8,7 @@ Current practice must be understood before its limits can be identified. This su
Nuclear plant procedures form a hierarchy. Normal operating procedures govern routine operations. Abnormal operating procedures handle off-normal conditions. Emergency Operating Procedures (EOPs) manage design-basis accidents. Severe Accident Management Guidelines (SAMGs) address beyond-design-basis events. Extensive Damage Mitigation Guidelines (EDMGs) cover catastrophic damage. These procedures must comply with 10 CFR 50.34(b)(6)(ii); NUREG-0899 provides development guidance~\cite{NUREG-0899, 10CFR50.34}.
Procedure development relies on expert judgment and simulator validation—not formal verification. Technical evaluation, simulator validation testing, and biennial review under 10 CFR 55.59~\cite{10CFR55.59} assess procedures rigorously. Yet this rigor cannot provide formal verification of key safety properties. No mathematical proof confirms that procedures cover all possible plant states. No proof verifies that required actions complete within available timeframes. No proof establishes that procedure-set transitions maintain safety invariants.
Procedure development relies on expert judgment and simulator validation—not formal verification. Technical evaluation, simulator validation testing, and biennial review under 10 CFR 55.59~\cite{10CFR55.59} assess procedures rigorously. Yet key safety properties escape formal verification through this process. Mathematical proof does not confirm that procedures cover all possible plant states. Required actions completing within available timeframes remain unproven. Safety invariants maintaining across procedure-set transitions lack proof.
\textbf{LIMITATION:} \textit{Procedures lack formal verification of correctness
and completeness.} Current procedure development relies on expert judgment and
@ -25,7 +25,7 @@ The division between automated and human-controlled functions reveals the fundam
\subsection{Human Factors in Nuclear Accidents}
Procedures lack formal verification despite rigorous development. This represents only half the reliability challenge. The other half emerges from procedure execution: even perfect procedures cannot guarantee safe operation when humans execute them imperfectly. Human operators—the second pillar of current practice—introduce reliability limitations independent of procedure quality. Procedures define what to do. Human operators determine when and how. Perfect procedures cannot eliminate human error.
Procedures lack formal verification despite rigorous development—but this represents only half the reliability challenge. The other half emerges from procedure execution: even perfect procedures cannot guarantee safe operation when humans execute them imperfectly. Human operators—the second pillar of current practice—introduce reliability limitations independent of procedure quality. Procedures define what to do; human operators determine when and how. Perfect procedures cannot eliminate human error.
Current-generation nuclear power plants employ over 3,600 active NRC-licensed
reactor operators in the United States~\cite{operator_statistics}. These
@ -56,9 +56,9 @@ limitations are fundamental to human-driven control, not remediable defects.
\subsection{Formal Methods}
Current practice reveals two critical limitations: procedures lack formal verification, and human operators introduce persistent reliability issues that four decades of training improvements have failed to eliminate. Training and procedural improvements cannot solve these problems. What can? Formal methods offer an alternative—mathematical guarantees of correctness that eliminate both human error and procedural ambiguity.
Current practice reveals two critical limitations: procedures lack formal verification, and human operators introduce persistent reliability issues that four decades of training improvements have failed to eliminate. Training and procedural improvements cannot solve these problems—but formal methods might. Mathematical guarantees of correctness eliminate both human error and procedural ambiguity.
Yet even the most advanced formal methods applications in nuclear control leave a critical verification gap for autonomous hybrid systems. This subsection examines two approaches that illustrate this gap: HARDENS, which verified discrete logic without continuous dynamics, and differential dynamic logic, which handles hybrid verification only post-hoc. Each demonstrates the current state of formal methods while revealing the verification gap this research addresses.
Yet even the most advanced formal methods applications in nuclear control leave a critical verification gap for autonomous hybrid systems. This subsection examines two approaches illustrating this gap: HARDENS, which verified discrete logic without continuous dynamics, and differential dynamic logic, which handles hybrid verification only post-hoc. Each demonstrates the current state of formal methods while revealing the verification gap this research addresses.
\subsubsection{HARDENS: The State of Formal Methods in Nuclear Control}
@ -80,15 +80,10 @@ synthesis generated verifiable C implementations and SystemVerilog hardware
implementations directly from Cryptol models---eliminating the traditional gap
between specification and implementation where errors commonly arise.
Despite its accomplishments, HARDENS has a fundamental limitation for hybrid control synthesis: the project addressed only discrete digital control logic without modeling or verifying continuous reactor dynamics.
Despite its accomplishments, HARDENS has a fundamental limitation for hybrid control synthesis: the project addressed only discrete digital control logic, leaving continuous reactor dynamics unmodeled and unverified.
The Reactor Trip System specification and verification covered discrete state
transitions (trip/no-trip decisions), digital sensor input processing through
discrete logic, and discrete actuation outputs (reactor trip commands). The
project did not address the continuous dynamics of nuclear reactor physics. Real
reactor safety depends on the interaction between continuous
processes---temperature, pressure, neutron flux---evolving in response to
discrete control decisions. HARDENS verified the discrete controller in
isolation, not the closed-loop hybrid system behavior.
discrete logic, and discrete actuation outputs (reactor trip commands). Continuous reactor physics remained unaddressed. Real reactor safety depends on the interaction between continuous processes—temperature, pressure, neutron flux—evolving in response to discrete control decisions. HARDENS verified the discrete controller in isolation, not the closed-loop hybrid system behavior.
\textbf{LIMITATION:} \textit{HARDENS addressed discrete control logic without
continuous dynamics or hybrid system verification.} Verifying discrete control
@ -160,4 +155,4 @@ This section establishes the current state of practice by answering two Heilmeie
\textbf{What are the limits of current practice?} No existing methodology synthesizes provably correct hybrid controllers from operational procedures with verification integrated into the design process. Current approaches verify either discrete logic or continuous dynamics—never both compositionally. This gap between discrete-only formal methods and post-hoc hybrid verification prevents autonomous nuclear control with end-to-end correctness guarantees.
Two imperatives emerge. Economic imperative: small modular reactors cannot compete with per-megawatt staffing costs matching large conventional plants. Technical imperative: current approaches lack compositional verification for hybrid systems. These limitations define the research opportunity. Section 3 addresses this gap by establishing what makes this approach new and why it will succeed where prior work has failed.
Two imperatives converge to define the research opportunity. Economic imperative: small modular reactors cannot compete with per-megawatt staffing costs matching large conventional plants. Technical imperative: current approaches lack compositional verification for hybrid systems. Section 3 addresses this gap by establishing what makes the proposed approach new and why it will succeed where prior work has failed.

61
3-research-approach/v3.tex
View File

@ -15,13 +15,13 @@
% ----------------------------------------------------------------------------
% 1. INTRODUCTION AND HYBRID SYSTEMS DEFINITION
% ----------------------------------------------------------------------------
Previous approaches verified either discrete switching logic or continuous control behavior—never both simultaneously. Continuous controllers rely on extensive simulation trials for validation. Discrete switching logic undergoes simulated control room testing and human factors research. Neither method provides rigorous guarantees despite consuming enormous resources.
Previous approaches verified either discrete switching logic or continuous control behavior—never both simultaneously. Continuous controllers rely on extensive simulation trials for validation. Discrete switching logic undergoes simulated control room testing and human factors research. Despite consuming enormous resources, neither method provides rigorous guarantees.
This work bridges the gap. It composes formal methods from computer science with control-theoretic verification. Reactor operations formalize as hybrid automata.
This work bridges the gap by composing formal methods from computer science with control-theoretic verification. Reactor operations formalize as hybrid automata.
Hybrid system verification faces a fundamental challenge: the interaction between discrete and continuous dynamics creates discontinuities in system behavior when discrete transitions change the governing vector field. Traditional verification techniques fail to handle this interaction directly.
Hybrid system verification faces a fundamental challenge: discrete transitions change the governing vector field, creating discontinuities in system behavior through the interaction between discrete and continuous dynamics. Traditional verification techniques fail to handle this interaction directly.
Our methodology decomposes the problem. It verifies discrete switching logic and continuous mode behavior separately, then composes them to establish guarantees for the complete hybrid system. This two-layer approach mirrors reactor operations. Discrete supervisory logic determines which control mode is active. Continuous controllers govern plant behavior within each mode.
Our methodology decomposes the problem, verifying discrete switching logic and continuous mode behavior separately before composing them to establish guarantees for the complete hybrid system. This two-layer approach mirrors reactor operations: discrete supervisory logic determines which control mode is active, while continuous controllers govern plant behavior within each mode.
Building a high-assurance hybrid autonomous control system requires
a mathematical description of the system. This work draws on
@ -56,25 +56,25 @@ where:
Creating a HAHACS requires constructing this tuple together with proof artifacts that demonstrate the control system's actual implementation satisfies its intended behavior.
\textbf{What is new in this research?} Section 2 established that existing approaches verify either discrete logic or continuous dynamics—never both compositionally. Reactive synthesis, reachability analysis, and barrier certificates each exist independently. This work composes them into a complete methodology for hybrid control synthesis through three key innovations:
\textbf{What is new in this research?} Section 2 established that existing approaches verify either discrete logic or continuous dynamics—never both compositionally. Reactive synthesis, reachability analysis, and barrier certificates each exist independently. Three key innovations compose them into a complete methodology for hybrid control synthesis:
\begin{enumerate}
\item \textbf{Contract-based decomposition:} Discrete synthesis defines entry/exit/safety contracts that bound continuous verification, inverting the traditional approach of global hybrid system verification.
\item \textbf{Mode classification:} Continuous modes classify by objective (transitory, stabilizing, expulsory), which selects appropriate verification tools and enables mode-local analysis with provable composition.
\item \textbf{Contract-based decomposition:} Discrete synthesis defines entry/exit/safety contracts that bound continuous verification, inverting the traditional global hybrid system verification approach.
\item \textbf{Mode classification:} Continuous modes classify by objective (transitory, stabilizing, expulsory), selecting appropriate verification tools and enabling mode-local analysis with provable composition.
\item \textbf{Procedure-driven structure:} Existing procedural structure avoids global hybrid system analysis, making the approach tractable for complex systems like nuclear reactor startup.
\end{enumerate}
No prior work integrates these three techniques into a systematic design methodology that spans procedures to verified implementation.
Prior work has not integrated these three techniques into a systematic design methodology spanning procedures to verified implementation.
\textbf{Why will it succeed?} Three factors ensure practical feasibility:
\begin{enumerate}
\item Nuclear procedures already decompose operations into discrete phases with explicit transition criteria—this work formalizes existing structure rather than imposing artificial abstractions.
\item Mode-level verification avoids the state explosion that makes global hybrid system analysis intractable, bounding computational complexity by verifying each mode against local contracts.
\item The Emerson collaboration provides both domain expertise to validate procedure formalization and industrial hardware to demonstrate implementation feasibility.
\item Mode-level verification avoids the state explosion that makes global hybrid system analysis intractable by verifying each mode against local contracts, bounding computational complexity.
\item The Emerson collaboration provides domain expertise to validate procedure formalization and industrial hardware to demonstrate implementation feasibility.
\end{enumerate}
This work demonstrates feasibility on production control systems with realistic reactor models, not merely in principle. Figure~\ref{fig:hybrid_automaton} illustrates the hybrid structure for a simplified reactor startup sequence.
Feasibility demonstrates on production control systems with realistic reactor models, not merely in principle. Figure~\ref{fig:hybrid_automaton} illustrates the hybrid structure for a simplified reactor startup sequence.
\begin{figure}
\centering
@ -142,11 +142,11 @@ This work demonstrates feasibility on production control systems with realistic
The hybrid automaton formalism provides a mathematical framework for describing discrete modes, continuous dynamics, guards, and invariants. But where do these formal descriptions come from? This subsection shows how to construct such systems from existing operational knowledge rather than imposing artificial abstractions. Nuclear operations already possess a natural hybrid structure. This structure maps directly to the automaton formalism through three control scopes: strategic, operational, and tactical.
Human control of nuclear power divides into three scopes: strategic, operational, and tactical. Strategic control represents high-level, long-term decision making for the plant. Objectives at this level are complex and economic in scale, such as managing labor needs and supply chains to optimize scheduled maintenance and downtime. These decisions span months or years.
Human control of nuclear power divides into three scopes: strategic, operational, and tactical. Strategic control represents high-level, long-term decision making spanning months or years: managing labor needs and supply chains to optimize scheduled maintenance and downtime.
The lowest level—the tactical level—controls individual components: pumps, turbines, and chemistry. Nuclear power plants have already automated tactical control somewhat through what is generally considered ``automatic control.'' These controls are almost always continuous systems with direct impact on the physical state of the plant. Tactical control objectives include maintaining pressurizer level, maintaining core temperature, and adjusting reactivity with chemical shim.
The tactical level controls individual components—pumps, turbines, and chemistry. Nuclear power plants have already automated tactical control through ``automatic control'' systems. These continuous systems directly impact the physical state of the plant, maintaining pressurizer level, core temperature, and reactivity through chemical shim.
The operational control scope links these two extremes, representing the primary responsibility of human operators today. Operational control takes strategic objectives and implements tactical control sequences to achieve them, bridging high-level goals with low-level execution.
The operational scope links these extremes, representing the primary responsibility of human operators today. Operational control implements tactical control sequences to achieve strategic objectives, bridging high-level goals with low-level execution.
An example clarifies this three-level structure. Consider a strategic goal to perform refueling at a certain time. The tactical level currently maintains core temperature. The operational level issues the shutdown procedure, using several smaller tactical goals along the way to achieve this objective.
@ -197,15 +197,13 @@ foundation for autonomous control system synthesis and verification. We can
build these requirements using temporal logic.
Temporal logic provides powerful semantics for building systems with complex
but deterministic behavior. It extends classical propositional logic
with operators that express properties over time. Using temporal logic, we can
relate discrete control modes to one another and define all
the requirements of a HAHACS. The guard conditions $\mathcal{G}$ are defined by
determining boundary conditions between discrete states and specifying their
behavior. Continuous mode invariants can also be expressed as temporal
but deterministic behavior, extending classical propositional logic with
operators that express properties over time. Temporal logic relates discrete
control modes to one another and defines all HAHACS requirements. Boundary
conditions between discrete states determine guard conditions $\mathcal{G}$ and
specify their behavior. Continuous mode invariants similarly express as temporal
logic statements. These specifications form the basis of any proofs about a
HAHACS and constitute the fundamental truth statements about what the behavior
of the system is designed to be.
HAHACS, constituting fundamental truth statements about designed system behavior.
Discrete mode transitions include predicates—Boolean functions over the
continuous state space: $p_i: \mathcal{X} \rightarrow \{\text{true},
@ -261,11 +259,10 @@ FRET has been successfully applied to spacecraft control systems, autonomous veh
Temporal logic specifications define what the system must do. The next question is how to implement those requirements. Reactive synthesis provides the answer.
Reactive synthesis automates the creation of reactive programs from temporal logic—programs that take input for a given state and produce output. With system requirements defined as temporal logic specifications, reactive synthesis builds the discrete control system. Our systems fit this model: the current discrete state and status of guard conditions form the input, while the next discrete state forms the output.
Reactive synthesis automates the creation of reactive programs from temporal logic—programs that take input for a given state and produce output. System requirements defined as temporal logic specifications enable reactive synthesis to build the discrete control system. Our systems fit this model: the current discrete state and status of guard conditions form the input; the next discrete state forms the output.
Reactive synthesis solves a fundamental problem: given an LTL formula $\varphi$ specifying desired system behavior, automatically construct a finite-state machine (strategy) that produces outputs in response to environment inputs such that all resulting execution traces satisfy $\varphi$. If such a strategy exists, the specification is \emph{realizable}. The synthesis algorithm either produces a correct-by-construction controller or reports that no such controller exists. This realizability check provides immediate value: an
unrealizable specification indicates conflicting or impossible requirements in
the original procedures, catching errors before implementation.
Reactive synthesis solves a fundamental problem: given an LTL formula $\varphi$ specifying desired system behavior, automatically construct a finite-state machine (strategy) that produces outputs in response to environment inputs such that all resulting execution traces satisfy $\varphi$. If such a strategy exists, the specification is \emph{realizable}. The synthesis algorithm either produces a correct-by-construction controller or reports that no such controller exists. Unrealizable specifications indicate conflicting or impossible requirements in
the original procedures—this realizability check catches errors before implementation.
Reactive synthesis offers a decisive advantage: the discrete automaton requires no human engineering of its implementation. The resultant automaton is correct by construction. This eliminates human error at the implementation stage entirely. Human designers can focus their effort where it belongs: on specifying system behavior rather than implementing switching logic.
@ -287,11 +284,11 @@ Reactive synthesis has proven successful in robotics, avionics, and industrial c
\subsection{Continuous Control Modes}
Reactive synthesis produces a provably correct discrete controller from operating procedures—an automaton that determines when to switch between modes. Hybrid control, however, requires more than correct mode switching. The continuous dynamics executing within each discrete mode must also be verified to ensure correct system behavior.
Reactive synthesis produces a provably correct discrete controller from operating procedures—an automaton that determines when to switch between modes. Hybrid control requires more than correct mode switching: the continuous dynamics executing within each discrete mode must also verify to ensure correct system behavior.
This subsection describes the continuous control modes executing within each discrete state and explains how they verify against requirements imposed by the discrete layer. The verification approach depends on control objectives. We classify modes into three types—transitory, stabilizing, and expulsory—each requiring different verification tools matched to their distinct purposes.
This subsection describes the continuous control modes executing within each discrete state and explains how they verify against requirements imposed by the discrete layer. Control objectives determine the verification approach. Modes classify into three types—transitory, stabilizing, and expulsory—each requiring different verification tools matched to their distinct purposes.
This methodology's scope requires clarification: this work verifies continuous controllers but does not synthesize them. The distinction parallels model checking in software verification. Model checking verifies whether a given implementation satisfies its specification without prescribing how to write the software. This work assumes engineers design continuous controllers using standard control theory techniques. The contribution provides the verification framework confirming that candidate controllers compose correctly with the discrete layer to produce a safe hybrid system.
This methodology's scope requires clarification: this work verifies continuous controllers but does not synthesize them. The distinction parallels model checking in software verification, where verification confirms whether a given implementation satisfies its specification without prescribing how to write the software. Engineers design continuous controllers using standard control theory techniques—this work assumes that design capability exists. The contribution provides the verification framework confirming that candidate controllers compose correctly with the discrete layer to produce a safe hybrid system.
The operational control scope defines go/no-go decisions that determine what
kind of continuous control to implement. The entry or exit conditions of a
@ -344,7 +341,7 @@ tools matched to its control objective. Transitory modes drive the plant between
\subsubsection{Transitory Modes}
We now examine each of the three continuous controller types in detail, beginning with transitory modes.
Transitory modes execute transitions between operating conditions—the first of three continuous controller types.
Transitory modes move the plant from one discrete operating condition to another. Their purpose is to execute transitions: start from entry conditions, reach exit conditions, and maintain safety invariants throughout. Examples include power ramp-up sequences, cooldown procedures, and load-following maneuvers.
@ -532,11 +529,11 @@ outcomes can align best with customer needs.
This section establishes the research approach by answering two critical Heilmeier questions:
\textbf{What is new in this research?} This work integrates reactive synthesis, reachability analysis, and barrier certificates into a compositional methodology for hybrid control synthesis. Three innovations distinguish this approach: using discrete synthesis to define verification contracts (inverting traditional global analysis), classifying continuous modes by objective to select appropriate verification tools, and leveraging existing procedural structure to avoid intractable state explosion. Section 2 established that prior work verified either discrete logic or continuous dynamics—never both compositionally. This section demonstrates how compositional verification enables what global analysis cannot achieve.
\textbf{What is new in this research?} This work integrates reactive synthesis, reachability analysis, and barrier certificates into a compositional methodology for hybrid control synthesis. Three innovations distinguish this approach: using discrete synthesis to define verification contracts (inverting traditional global analysis), classifying continuous modes by objective to select appropriate verification tools, and leveraging existing procedural structure to avoid intractable state explosion. Section 2 established that prior work verified either discrete logic or continuous dynamics—never both compositionally. Compositional verification enables what global analysis cannot achieve.
\textbf{Why will this approach succeed?} Three factors ensure practical feasibility. First, nuclear procedures already decompose operations into discrete phases with explicit transition criteria—the approach formalizes existing structure rather than imposing artificial abstractions. Second, mode-level verification bounds each verification problem locally, avoiding the state explosion that makes global hybrid system analysis intractable. Third, the Emerson collaboration provides both domain expertise to validate procedure formalization and industrial hardware to demonstrate implementation feasibility.
The methodology is now complete: procedure formalization, discrete synthesis, continuous verification across three mode types, and hardware implementation. Sections 2 and 3 have established what has been done, what is new, and why it will succeed. Three critical questions remain for the complete research plan. Section 4 addresses \textit{How will success be measured?} through Technology Readiness Level advancement. Section 5 addresses \textit{What could prevent success?} through risk analysis and contingency planning. Section 6 addresses \textit{Who cares? Why now? What difference will it make?} through economic and societal impact analysis.
The methodology is now complete: procedure formalization, discrete synthesis, continuous verification across three mode types, and hardware implementation. What remains are operational questions about executing this research plan. Section 4 addresses \textit{How will success be measured?} through Technology Readiness Level advancement. Section 5 addresses \textit{What could prevent success?} through risk analysis and contingency planning. Section 6 addresses \textit{Who cares? Why now? What difference will it make?} through economic and societal impact analysis.
%%% NOTES (Section 5):
% - Get specific details on ARCADE interface from Emerson collaboration

4
4-metrics-of-success/v1.tex
View File

@ -2,9 +2,9 @@
\textbf{How do we measure success?} This research advances through Technology Readiness Levels, progressing from fundamental concepts (TRL 2--3) to validated prototype demonstration (TRL 5).
This work begins at TRL 2--3 and aims to reach TRL 5, where system components operate successfully in a relevant laboratory environment. TRL advancement provides the most appropriate success metric for this work by bridging the gap between academic proof-of-concept and practical deployment. This section explains why, then defines specific criteria for each level from TRL 3 through TRL 5.
This work begins at TRL 2--3 and aims to reach TRL 5, where system components operate successfully in a relevant laboratory environment. TRL advancement provides the most appropriate success metric by bridging the gap between academic proof-of-concept and practical deployment. This section explains why before defining specific criteria for each level from TRL 3 through TRL 5.
Technology Readiness Levels provide the ideal success metric by explicitly measuring the gap between academic proof-of-concept and practical deployment—precisely what this work bridges. Academic metrics like papers published or theorems proved fail to capture practical feasibility. Empirical metrics like simulation accuracy or computational speed fail to demonstrate theoretical rigor. TRLs measure both simultaneously.
Technology Readiness Levels provide the ideal success metric by explicitly measuring the gap between academic proof-of-concept and practical deployment—precisely what this work bridges. Academic metrics like papers published or theorems proved fail to capture practical feasibility. Empirical metrics like simulation accuracy or computational speed fail to demonstrate theoretical rigor. Both measure simultaneously through TRLs.
Advancing from TRL 3 to TRL 5 requires maintaining theoretical rigor while progressively demonstrating practical feasibility. Formal verification must remain valid as the system moves from individual components to integrated hardware testing.

2
5-risks-and-contingencies/v1.tex
View File

@ -4,7 +4,7 @@
\subsection{Computational Tractability of Synthesis}
The first major assumption is that formalized startup procedures will yield automata small enough for efficient synthesis and verification. Reactive synthesis scales exponentially with specification complexity. Temporal logic specifications derived from complete startup procedures may produce automata with thousands of states, requiring synthesis times that exceed days or weeks and prevent demonstration of the complete methodology within project timelines. Reachability analysis for continuous modes with high-dimensional state spaces may similarly prove computationally intractable. Either barrier would constitute a fundamental obstacle to achieving research objectives.
The first major assumption: formalized startup procedures will yield automata small enough for efficient synthesis and verification. Reactive synthesis scales exponentially with specification complexity. Temporal logic specifications derived from complete startup procedures may produce automata with thousands of states, requiring synthesis times exceeding days or weeks that prevent demonstrating the complete methodology within project timelines. Reachability analysis for continuous modes with high-dimensional state spaces may similarly prove computationally intractable. Either barrier would constitute a fundamental obstacle to achieving research objectives.
Several indicators would provide early warning of computational tractability
problems. Synthesis times exceeding 24 hours for simplified procedure subsets

2
6-broader-impacts/v1.tex
View File

@ -4,7 +4,7 @@
Three stakeholder groups face the same economic constraint: the nuclear industry, datacenter operators, and clean energy advocates. All confront high operating costs driven by staffing requirements. AI infrastructure demands, growing exponentially, have made this constraint urgent.
Nuclear power presents both a compelling application domain and an urgent economic challenge. Recent interest in powering artificial intelligence infrastructure has renewed focus on small modular reactors (SMRs), particularly for hyperscale datacenters requiring hundreds of megawatts of continuous power. Deploying SMRs at datacenter sites minimizes transmission losses and eliminates emissions. However, nuclear power economics at this scale demand careful attention to operating costs.
Nuclear power presents both a compelling application domain and an urgent economic challenge. Recent interest in powering artificial intelligence infrastructure has renewed focus on small modular reactors (SMRs), particularly for hyperscale datacenters requiring hundreds of megawatts of continuous power. SMRs deployed at datacenter sites minimize transmission losses and eliminate emissions. Nuclear power economics at this scale demand careful attention to operating costs.
The U.S. Energy Information Administration's Annual Energy Outlook 2022 projects advanced nuclear power entering service in 2027 will cost \$88.24 per megawatt-hour~\cite{eia_lcoe_2022}. Datacenter electricity demand is projected to reach 1,050 terawatt-hours annually by 2030~\cite{eesi_datacenter_2024}. Nuclear power supplying this demand would generate total annual costs exceeding \$92 billion. Operations and maintenance represents a substantial component: the EIA estimates that fixed O\&M costs alone account for \$16.15 per megawatt-hour, with additional variable O\&M costs embedded in fuel and operating expenses~\cite{eia_lcoe_2022}. Combined, O\&M-related costs represent approximately 23--30\% of total levelized cost, translating to \$21--28 billion annually for projected datacenter demand.