Checked ALL references. V1 is COMPLETE!

2026-03-17 22:02:15 -04:00 · 2026-03-17 22:02:15 -04:00 · 1ba14bc8d7
commit 1ba14bc8d7
parent 9c5289705c
3 changed files with 173 additions and 75 deletions
--- a/2-state-of-the-art/state-of-art.tex
+++ b/2-state-of-the-art/state-of-art.tex
@ -67,14 +67,13 @@ flexibility and safety assurance remains unresolved: the person responsible for
 reactor safety is often the root cause of failures.
 Multiple independent analyses converge on a striking statistic: 70--80\% of
-nuclear power plant events are attributed to human error, versus
+nuclear power plant events are attributed to human error, versus approximately
-approximately 20\% to equipment failures~\cite{WNA2020}. More significantly,
+20\% to equipment failures~\cite{noauthor_human_nodate}. More significantly, the
-the root cause of all severe accidents at nuclear power plants---Three Mile
+root cause of all severe accidents at nuclear power plants---Three Mile Island,
-Island, Chernobyl, and Fukushima Daiichi---has been identified as primarily human
+Chernobyl, and Fukushima Daiichi---has been identified as primarily human
-factors~\cite{hogberg_root_2013}. A detailed analysis of 190 events at
+factors~\cite{hogberg_root_2013}. A detailed analysis of 190 events at Chinese
-Chinese nuclear power plants from
+nuclear power plants from 2007--2020~\cite{zhang_analysis_2025} found that 53\%
-2007--2020~\cite{zhang_analysis_2025} found that 53\% of events involved
+of events involved active errors, while 92\% were associated with latent
 active errors, while 92\% were associated with latent
 errors---organizational and systemic weaknesses that create conditions for
 failure.
@ -99,20 +98,18 @@ regulatory criteria. The project delivered a Reactor Trip System (RTS)
 implementation with traceability from regulatory requirements to verified
 software through formal architecture specifications.
-HARDENS employed formal methods tools at
+HARDENS employed formal methods tools at every level of system development, from
-every level of system development, from high-level requirements through
+high-level requirements through executable models to generated code. High-level
-executable models to generated code. High-level specifications used
+specifications used Lando, SysMLv2, and FRET (NASA Formal Requirements
-Lando, SysMLv2, and FRET (NASA Formal Requirements Elicitation Tool) to
+Elicitation Tool) to capture stakeholder requirements, domain engineering,
-capture stakeholder requirements, domain engineering, certification
+certification requirements, and safety requirements. Requirements were analyzed
-requirements, and safety requirements. Requirements were analyzed for
+for consistency, completeness, and realizability using SAT and SMT solvers.
-consistency, completeness, and realizability using SAT and SMT solvers.
+Executable formal models used Cryptol to create a behavioral model of the entire
-Executable formal models used Cryptol to create a behavioral model of the
+RTS, including all subsystems, components, and limited digital twin models of
-entire RTS, including all subsystems, components, and limited digital twin
+sensors, actuators, and compute infrastructure. Automatic code synthesis
-models of sensors, actuators, and compute infrastructure. Automatic code
+generated verifiable C implementations and SystemVerilog hardware
-synthesis generated verifiable C implementations and SystemVerilog hardware
+implementations directly from Cryptol models---eliminating the traditional gap
-implementations directly from Cryptol models---eliminating the traditional
+between specification and implementation where errors commonly arise.
 gap between specification and implementation where errors commonly
 arise.
 Despite these accomplishments, HARDENS addressed only discrete digital
 control logic. The Reactor Trip System verification covered discrete state
--- a/3-research-approach/approach.tex
+++ b/3-research-approach/approach.tex
@ -136,18 +136,19 @@ behavior within each mode.
 \subsection{System Requirements, Specifications, and Discrete Controllers}
 Human control of nuclear power can be divided into three different scopes:
-strategic, operational, and tactical. Strategic control is high-level and
+strategic, operational, and tactical.\footnote{This was inspired by an article
-long-term decision making for the plant. This level has objectives that are
+about battlefield organizational science~\cite{harvey_levels_2021}.} Strategic
-complex and economic in scale, such as managing labor needs and supply chains to
+control is high-level and long-term decision making for the plant. This level
-optimize scheduled maintenance and downtime. The time scale at this level is
+has objectives that are complex and economic in scale, such as managing labor
-long, often spanning months or years. The lowest level of control is the
+needs and supply chains to optimize scheduled maintenance and downtime. The time
-tactical level. This is the individual control of pumps, turbines, and
+scale at this level is long, often spanning months or years. The lowest level of
-chemistry. Tactical control has already been somewhat automated in nuclear power
+control is the tactical level. This is the individual control of pumps,
-plants today, and is generally considered ``automatic control'' when autonomous.
+turbines, and chemistry. Tactical control has already been somewhat automated in
-These controls are almost always continuous systems with a direct impact on the
+nuclear power plants today, and is generally considered ``automatic control''
-physical state of the plant. Tactical control objectives include, but are not
+when autonomous. These controls are almost always continuous systems with a
-limited to, maintaining pressurizer level, maintaining core temperature, or
+direct impact on the physical state of the plant. Tactical control objectives
-adjusting reactivity with a chemical shim.
+include, but are not limited to, maintaining pressurizer level, maintaining core
 temperature, or adjusting reactivity with a chemical shim.
 The level of control linking these two extremes is the operational control
 scope. Operational control is the primary responsibility of human operators
@ -157,8 +158,8 @@ way, it bridges high-level and low-level goals. A strategic goal may be to
 perform refueling at a certain time, while the tactical level of the plant is
 currently focused on maintaining a certain core temperature. The operational
 level issues the shutdown procedure, using several smaller tactical goals along
-the way to achieve this strategic objective. This heiarchal division of control
+the way to achieve this strategic objective. This hierarchical division of
-scope and objectives is illustrated graphically in
+control scope and objectives is illustrated graphically in
 figure~\ref{fig:strat_op_tact}. 
 \begin{figure}
@ -331,17 +332,17 @@ controller using deterministic algorithms, discrete control decisions become
 provably consistent with operating procedures. 
 The output of reactive synthesis is a finite-state machine that can be directly
-translated to executable code. Tools such as Strix~\cite{meyer_strix_2018}
+translated to executable code. Tools such as Strix accept full LTL
-accept full LTL specifications and produce Mealy machines via parity game
+specifications and produce Mealy machines via parity game
-solving~\cite{katis_capture_2022}. For specifications within the GR(1)
+solving~\cite{luttenberger_practical_2020, meyer_strix_2018}. For specifications
-fragment---which captures the reactive input-output structure typical of
+within the GR(1) fragment---which captures the reactive input-output structure
-supervisory control---synthesis is efficient and scales to specifications with
+typical of supervisory control---synthesis is efficient and scales to
-thousands of states. Nuclear operating procedures are well-suited to this
+specifications with thousands of states. Nuclear operating procedures are
-fragment: environment inputs correspond to plant state measurements and guard
+well-suited to this fragment: environment inputs correspond to plant state
-conditions, while outputs are mode transition commands. The synthesized
+measurements and guard conditions, while outputs are mode transition commands.
-automaton provides a correct-by-construction implementation that can be compiled
+The synthesized automaton provides a correct-by-construction implementation that
-to run on industrial control hardware without manual translation of the control
+can be compiled to run on industrial control hardware without manual translation
-logic.
+of the control logic.
 \subsection{Continuous Control Modes}
@ -362,13 +363,12 @@ discrete layer to produce a safe hybrid system.
 The operational control scope defines go/no-go decisions that determine what
 kind of continuous control to implement. The entry or exit conditions of a
-discrete state are themselves the guard conditions $\mathcal{G}$ that define
+discrete state are themselves the guard conditions $\mathcal{G}$ that define the
-the boundaries for each continuous controller's allowed state-space region.
+boundaries for each continuous controller's allowed state-space region. These
-These continuous controllers all share a common state space, but each
+continuous controllers all share a common state space, but each individual
-individual continuous control mode operates within its own partition defined
+continuous control mode operates within its own partition defined by the
-by the discrete state $q_i$ and the associated guard conditions.
+discrete state $q_i$ and the associated guard conditions. This partitioning of
-This partitioning of the continuous state space among several
+the continuous state space among several distinct vector fields has
 distinct vector fields has
 traditionally been a difficult problem for validation and verification. The
 discontinuity of the vector fields at discrete state interfaces makes
 reachability analysis computationally expensive, and analytic solutions often
@ -458,7 +458,9 @@ confirm that the candidate continuous controller achieves the objective from
 all possible starting points.
 Several tools exist for computing reachable sets of hybrid systems, including
-CORA, Flow*, SpaceEx~\cite{frehse_spaceex_2011}, and JuliaReach. The choice of
+CORA~\cite{althoff_introduction_nodate}, Flow*~\cite{chen_flow_2013,
 chen_taylor_2012}, SpaceEx~\cite{frehse_spaceex_2011}, and
 JuliaReach~\cite{bogomolov_reachability_2020}. The choice of
 tool depends on the structure of the continuous dynamics. Linear systems admit
 efficient polyhedral or ellipsoidal reachability computations. Nonlinear systems
 require more conservative over-approximations using techniques such as Taylor
@ -507,26 +509,23 @@ and minimizes complication in validating stabilizing continuous control modes.
 The discrete specifications tell us what region must be invariant; the barrier
 certificate confirms that the candidate controller achieves this invariance.
-Finding barrier certificates can be formulated as a sum-of-squares (SOS)
+The key advantage is that the verification is independent of how the controller
-optimization problem for polynomial systems, or solved using satisfiability
+was designed. Standard control techniques can be used to build continuous
-modulo theories (SMT) solvers for broader classes of
+controllers, and barrier certificates provide a separate check that the result
-dynamics~\cite{prajna_safety_2004, kapuria_using_2025}. The key advantage is
+satisfies the required invariants. This also allows for the checking of control
-that the verification is independent of how the controller was designed.
+modes with different models than they are designed for. For example, a lower
-Standard control techniques can be used to build continuous controllers, and
+fidelity model can be used for controller design, but a higher fidelity model
-barrier certificates provide a separate check that the result satisfies the
+can be used for the actual validation of that stabilizing
-required invariants. This also allows for the checking of control modes with
+controller.\splitnote{SOS methods proven effective: Papachristodoulou 2021
-different models than they are designed for. For example, a lower fidelity model
+  (SOSTOOLS v4, pp.1-2) solves barrier certificate optimization via SOS
-can be used for controller design, but a higher fidelity model can be used for
+  constraints---tool integrates with MATLAB. Borrmann 2015 (pp.4-8) demonstrates
-the actual validation of that stabilizing controller.\splitnote{SOS methods
+  control barrier certificates for multi-agent systems, showing how discrete
-  proven effective: Papachristodoulou 2021 (SOSTOOLS v4, pp.1-2) solves barrier
+  boundaries (mode guards) can inform barrier design. Your claim that discrete
-  certificate optimization via SOS constraints---tool integrates with MATLAB.
+  specs eliminate barrier search is novel and well-supported by these
-  Borrmann 2015 (pp.4-8) demonstrates control barrier certificates for
+foundations.}\splitnote{Hauswirth 2024 (pp.1-3) shows optimization-based robust
-  multi-agent systems, showing how discrete boundaries (mode guards) can inform
+  feedback controllers can serve as alternative verification method---suggests
-  barrier design. Your claim that discrete specs eliminate barrier search is
+  barrier certificates + reachability provide complementary guarantees for your
-  novel and well-supported by these foundations.}\splitnote{Hauswirth 2024
+stabilizing modes.}
  (pp.1-3) shows optimization-based robust feedback controllers can serve as
 alternative verification method---suggests barrier certificates + reachability
 provide complementary guarantees for your stabilizing modes.}
 \subsubsection{Expulsory Modes}
--- a/references.bib
+++ b/references.bib
@ -77,6 +77,12 @@ Publisher: Idaho National Engineering and Environmental Laboratory},
  month       = {October}
 }
@article{noauthor_human_nodate,
 	title = {Human {Performance} {Improvement} {Handbook}, {Volume} 1},
 	language = {en},
 	file = {PDF:/Users/danesabo/Zotero/storage/HQZTH3YI/Human Performance Improvement Handbook, Volume 1.pdf:application/pdf},
 }
@misc{WNA2020,
  title        = {Safety of Nuclear Power Reactors},
  author       = {{World Nuclear Association}},
@ -440,3 +446,99 @@ To achieve this, we develop a hybrid automaton model of SmAHTR and formally veri
  type        = {Ifri Papers},
  isbn        = {979-10-373-1000-2}
 }
@article{harvey_levels_2021,
 	title = {The {Levels} of {War} as {Levels} of {Analysis}},
 	language = {en},
 	publisher = {Military Review},
 	author = {Harvey, Andrew S},
 	year = {2021},
 	file = {PDF:/Users/danesabo/Zotero/storage/5NSKMNEU/Harvey - The Levels of War as Levels of Analysis.pdf:application/pdf},
 }
@article{luttenberger_practical_2020,
 	title = {Practical synthesis of reactive systems from {LTL} specifications via parity games},
 	volume = {57},
 	issn = {1432-0525},
 	url = {https://doi.org/10.1007/s00236-019-00349-3},
 	doi = {10.1007/s00236-019-00349-3},
 	abstract = {The synthesis of reactive systems from linear temporal logic (LTL) specifications is an important aspect in the design of reliable software and hardware. We present our adaption of the classic automata-theoretic approach to LTL synthesis, implemented in the tool Strix which has won the two last synthesis competitions (Syntcomp2018/2019). The presented approach is (1) structured, meaning that the states used in the construction have a semantic structure that is exploited in several ways, it performs a (2) forward exploration such that it often constructs only a small subset of the reachable states, and it is (3) incremental in the sense that it reuses results from previous inconclusive solution attempts. Further, we present and study different guiding heuristics that determine where to expand the on-demand constructed arena. Moreover, we show several techniques for extracting an implementation (Mealy machine or circuit) from the witness of the tree-automaton emptiness check. Lastly, the chosen constructions use a symbolic representation of the transition functions to reduce runtime and memory consumption. We evaluate the proposed techniques on the Syntcomp2019 benchmark set and show in more detail how the proposed techniques compare to the techniques implemented in other leading LTL synthesis tools.},
 	language = {en},
 	number = {1},
 	urldate = {2026-03-07},
 	journal = {Acta Informatica},
 	author = {Luttenberger, Michael and Meyer, Philipp J. and Sickert, Salomon},
 	month = apr,
 	year = {2020},
 	pages = {3--36},
 	file = {Submitted Version:/Users/danesabo/Zotero/storage/VYMVF5GK/Luttenberger et al. - 2020 - Practical synthesis of reactive systems from LTL specifications via parity games.pdf:application/pdf},
 }
@inproceedings{chen_taylor_2012,
 	title = {Taylor {Model} {Flowpipe} {Construction} for {Non}-linear {Hybrid} {Systems}},
 	issn = {1052-8725},
 	url = {https://ieeexplore.ieee.org/document/6424802},
 	doi = {10.1109/RTSS.2012.70},
 	abstract = {We propose an approach for verifying non-linear hybrid systems using higher-order Taylor models that are a combination of bounded degree polynomials over the initial conditions and time, bloated by an interval. Taylor models are an effective means for computing rigorous bounds on the complex time trajectories of non-linear differential equations. As a result, Taylor models have been successfully used to verify properties of non-linear continuous systems. However, the handling of discrete (controller) transitions remains a challenging problem. In this paper, we provide techniques for handling the effect of discrete transitions on Taylor model flow pipe construction. We explore various solutions based on two ideas: domain contraction and range over-approximation. Instead of explicitly computing the intersection of a Taylor model with a guard set, domain contraction makes the domain of a Taylor model smaller by cutting away parts for which the intersection is empty. It is complemented by range over-approximation that translates Taylor models into commonly used representations such as template polyhedra or zonotopes, on which intersections with guard sets have been previously studied. We provide an implementation of the techniques described in the paper and evaluate the various design choices over a set of challenging benchmarks.},
 	urldate = {2026-03-18},
 	booktitle = {2012 {IEEE} 33rd {Real}-{Time} {Systems} {Symposium}},
 	author = {Chen, Xin and Ábrahám, Erika and Sankaranarayanan, Sriram},
 	month = dec,
 	year = {2012},
 	note = {ISSN: 1052-8725},
 	keywords = {Approximation methods, Computational modeling, Mathematical model, Polynomials, Safety, Taylor series, Trajectory},
 	pages = {183--192},
 	file = {Snapshot:/Users/danesabo/Zotero/storage/7HBF3VMT/6424802.html:text/html},
 }
@inproceedings{chen_flow_2013,
 	address = {Berlin, Heidelberg},
 	title = {Flow*: {An} {Analyzer} for {Non}-linear {Hybrid} {Systems}},
 	isbn = {978-3-642-39799-8},
 	shorttitle = {Flow*},
 	doi = {10.1007/978-3-642-39799-8_18},
 	abstract = {The tool Flow* performs Taylor model-based flowpipe construction for non-linear (polynomial) hybrid systems. Flow* combines well-known Taylor model arithmetic techniques for guaranteed approximations of the continuous dynamics in each mode with a combination of approaches for handling mode invariants and discrete transitions. Flow* supports a wide variety of optimizations including adaptive step sizes, adaptive selection of approximation orders and the heuristic selection of template directions for aggregating flowpipes. This paper describes Flow* and demonstrates its performance on a series of non-linear continuous and hybrid system benchmarks. Our comparisons show that Flow* is competitive with other tools.},
 	language = {en},
 	booktitle = {Computer {Aided} {Verification}},
 	publisher = {Springer},
 	author = {Chen, Xin and Ábrahám, Erika and Sankaranarayanan, Sriram},
 	editor = {Sharygina, Natasha and Veith, Helmut},
 	year = {2013},
 	keywords = {Adaptive Step, Adaptive Step Size, Discrete Transition, Hybrid System, Taylor Model},
 	pages = {258--263},
 	file = {Full Text PDF:/Users/danesabo/Zotero/storage/6QV2XCVF/Chen et al. - 2013 - Flow An Analyzer for Non-linear Hybrid Systems.pdf:application/pdf},
 }
@inproceedings{althoff_introduction_nodate,
 	title = {An {Introduction} to {CORA} 2015},
 	url = {https://easychair.org/publications/paper/xMm},
 	doi = {10.29007/zbkv},
 	abstract = {The philosophy, architecture, and capabilities of the COntinuous Reachability Analyzer (CORA) are presented. CORA is a toolbox that integrates various vector and matrix set representations and operations on them as well as reachability algorithms of various dynamic system classes. The software is designed such that set representations can be exchanged without having to modify the code for reachability analysis. CORA has a modular design, making it possible to use the capabilities of the various set representations for other purposes besides reachability analysis. The toolbox is designed using the object oriented paradigm, such that users can safely use methods without concerning themselves with detailed information hidden inside the object. Since the toolbox is written in MATLAB, the installation and use is platform independent.},
 	urldate = {2026-03-18},
 	author = {Althoff, Matthias},
 	pages = {120--87},
 	file = {Full Text:/Users/danesabo/Zotero/storage/BIGJMRCV/Althoff - An Introduction to CORA 2015.pdf:application/pdf},
 }
@article{bogomolov_reachability_2020,
 	title = {Reachability {Analysis} of {Linear} {Hybrid} {Systems} via {Block} {Decomposition}},
 	volume = {39},
 	issn = {1937-4151},
 	url = {https://ieeexplore.ieee.org/document/9211556},
 	doi = {10.1109/TCAD.2020.3012859},
 	abstract = {Reachability analysis aims at identifying states reachable by a system within a given time horizon. This task is known to be computationally expensive for linear hybrid systems. Reachability analysis works by iteratively applying continuous and discrete post operators to compute states reachable according to continuous and discrete dynamics, respectively. In this article, we enhance both of these operators and make sure that most of the involved computations are performed in low-dimensional state space. In particular, we improve the continuous-post operator by performing computations in high-dimensional state space only for time intervals relevant for the subsequent application of the discrete-post operator. Furthermore, the new discrete-post operator performs low-dimensional computations by leveraging the structure of the guard and assignment of a considered transition. We illustrate the potential of our approach on a number of challenging benchmarks.},
 	number = {11},
 	urldate = {2026-03-18},
 	journal = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
 	author = {Bogomolov, Sergiy and Forets, Marcelo and Frehse, Goran and Potomkin, Kostiantyn and Schilling, Christian},
 	month = nov,
 	year = {2020},
 	keywords = {Approximation algorithms, Decomposition, Design automation, Heuristic algorithms, hybrid systems, Integrated circuits, Linear systems, reachability, Reachability analysis, Tools},
 	pages = {4018--4029},
 	file = {Snapshot:/Users/danesabo/Zotero/storage/D7FYXW7T/9211556.html:text/html;Submitted Version:/Users/danesabo/Zotero/storage/I3HNBQ65/Bogomolov et al. - 2020 - Reachability Analysis of Linear Hybrid Systems via Block Decomposition.pdf:application/pdf},
 }