danesabo/Thesis
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Editorial pass: tactical (sentence-level), operational (paragraph flow), and strategic (Heilmeier alignment) improvements

Browse Source 
Tactical improvements:
- Strengthened verbs (fail→cannot, will→present tense)
- Improved issue-point and topic-stress positioning
- Filled placeholder comments with substantive content
- Added FRET and reactive synthesis application examples

Operational improvements:
- Enhanced transitions between subsections
- Added bridge sentences for section flow
- Improved paragraph coherence

Strategic improvements:
- Strengthened Heilmeier catechism alignment throughout
- Made 'What is new?' innovations more explicit with titles
- Enhanced section transitions with explicit Heilmeier framing
- Clarified TRL progression narrative
This commit is contained in:
Split 2026-03-09 13:55:54 -04:00
parent 1b4fb679e2
commit 1d93477c91
7 changed files with 46 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
1-goals-and-outcomes/research_statement_v1.tex
View File

@ -12,9 +12,9 @@ build hybrid control systems that are correct by construction.
% Rationale
Hybrid systems mirror operator decision-making: discrete
logic switches between continuous control modes. Existing formal methods
generate provably correct switching logic but fail to handle continuous dynamics
generate provably correct switching logic but cannot handle continuous dynamics
during transitions. Control theory verifies continuous behavior but
fails to prove discrete switching correctness.
cannot prove discrete switching correctness.
% Hypothesis and Technical Approach
Three stages bridge this gap. First, we translate written
operating procedures into temporal logic specifications using NASA's Formal
@ -37,11 +37,11 @@ If this research is successful, we will be able to do the following:
% OUTCOME 1 Title
\item \textit{Synthesize written procedures into verified control logic.}
% Strategy
We will develop a methodology for converting written operating procedures
into formal specifications. Reactive synthesis tools generate
We develop a methodology for converting written operating procedures
into formal specifications. Reactive synthesis tools then generate
discrete control logic from these specifications.
% Outcome
Control engineers generate mode-switching controllers from regulatory
Control engineers can generate mode-switching controllers from regulatory
procedures with minimal formal methods expertise, reducing barriers to
high-assurance control systems.

8
1-goals-and-outcomes/v1.tex
View File

@ -10,7 +10,7 @@ or radiological release.
% Known information
Nuclear plant operations rely on extensively trained human operators who follow detailed written procedures and strict regulatory requirements to manage reactor control. Plant conditions and procedural guidance inform operator decisions when they switch between different control modes.
% Gap
Human operator reliance prevents autonomous control and creates a fundamental economic challenge for next-generation reactor designs. Small modular reactors face per-megawatt staffing costs far exceeding those of conventional plants, threatening economic viability. The nuclear industry needs autonomous control systems that manage complex operational sequences safely without constant human supervision while providing assurance equal to or exceeding that of human-operated systems.
Human operator reliance prevents autonomous control and creates a fundamental economic challenge for next-generation reactor designs. Small modular reactors face per-megawatt staffing costs far exceeding those of conventional plants, which threatens their economic viability. The nuclear industry needs autonomous control systems that manage complex operational sequences safely without constant human supervision—systems that provide assurance equal to or exceeding that of human operators.
% APPROACH PARAGRAPH Solution
We combine formal methods with control theory to build hybrid control systems that are correct by construction.
@ -73,10 +73,10 @@ This approach produces three concrete outcomes:
These three outcomes—procedure translation, continuous verification, and hardware demonstration—establish a complete methodology from regulatory documents to deployed systems.
\textbf{What makes this research new?} We unify discrete synthesis with continuous verification to enable end-to-end correctness guarantees for hybrid systems.
Formal methods verify discrete logic. Control theory verifies
Formal methods verify discrete logic; control theory verifies
continuous dynamics. No existing methodology bridges both with compositional
guarantees. This work establishes that bridge by treating discrete specifications
as contracts that continuous controllers must satisfy. This enables independent
as contracts that continuous controllers must satisfy, enabling independent
verification of each layer while guaranteeing correct composition.
% Outcome Impact
@ -91,7 +91,7 @@ costs through increased autonomy. This research provides the tools to
achieve that autonomy while maintaining the exceptional safety record the
nuclear industry requires.
The following sections systematically answer the Heilmeier Catechism questions that define this research:
These three outcomes establish a complete methodology from regulatory documents to deployed systems. The following sections systematically answer the Heilmeier Catechism questions that define this research:
\begin{itemize}
\item \textbf{Section 2 (State of the Art):} What has been done? What are the limits of current practice?
\item \textbf{Section 3 (Research Approach):} What is new? Why will it succeed where prior work has not?

14
2-state-of-the-art/v2.tex
View File

@ -4,12 +4,12 @@
\subsection{Current Reactor Procedures and Operation}
Nuclear plant procedures form a hierarchy. Normal operating procedures govern routine operations. Abnormal operating procedures handle off-normal conditions. Emergency Operating Procedures (EOPs) manage design-basis accidents. Severe Accident Management Guidelines (SAMGs) address beyond-design-basis events. Extensive Damage Mitigation Guidelines (EDMGs) cover catastrophic damage. These procedures must comply with 10 CFR 50.34(b)(6)(ii); NUREG-0899 provides development guidance~\cite{NUREG-0899, 10CFR50.34}. Developers rely on expert judgment and simulator validation, not formal verification. Technical evaluation, simulator validation testing, and biennial review under 10 CFR 55.59~\cite{10CFR55.59} assess procedures rigorously. Yet this rigor fails to provide formal verification of key safety properties. No mathematical proof exists that procedures cover all possible plant states, that required actions complete within available timeframes, or that transitions between procedure sets maintain safety invariants.
Nuclear plant procedures form a hierarchy. Normal operating procedures govern routine operations, while abnormal operating procedures handle off-normal conditions. Emergency Operating Procedures (EOPs) manage design-basis accidents. Severe Accident Management Guidelines (SAMGs) address beyond-design-basis events, and Extensive Damage Mitigation Guidelines (EDMGs) cover catastrophic damage. These procedures must comply with 10 CFR 50.34(b)(6)(ii); NUREG-0899 provides development guidance~\cite{NUREG-0899, 10CFR50.34}. Developers rely on expert judgment and simulator validation, not formal verification. Technical evaluation, simulator validation testing, and biennial review under 10 CFR 55.59~\cite{10CFR55.59} assess procedures rigorously, yet this rigor cannot provide formal verification of key safety properties. No mathematical proof exists that procedures cover all possible plant states, that required actions complete within available timeframes, or that transitions between procedure sets maintain safety invariants.
\textbf{LIMITATION:} \textit{Procedures lack formal verification of correctness
and completeness.} Current procedure development relies on expert judgment and
simulator validation. No mathematical proof exists that procedures cover all
possible plant states, that required actions can be completed within available
simulator validation—not mathematical proof. No proof exists that procedures cover all
possible plant states, that required actions complete within available
timeframes, or that transitions between procedure sets maintain safety
invariants. Paper-based procedures cannot ensure correct application. Even
computer-based procedure systems lack the formal guarantees automated reasoning
@ -36,7 +36,7 @@ startup/shutdown sequences, mode transitions, and procedure implementation.
\subsection{Human Factors in Nuclear Accidents}
Procedures lack formal verification despite rigorous development, but this represents only half the reliability challenge. The second pillar of current practice—human operators executing these procedures—introduces additional reliability limitations independent of procedure quality. Procedures define what to do. Human operators determine when and how to apply them. Even perfect procedures fail to eliminate human error.
Procedures lack formal verification despite rigorous development, but this represents only half the reliability challenge. The second pillar of current practice—human operators executing these procedures—introduces additional reliability limitations independent of procedure quality. Procedures define what to do; human operators determine when and how to apply them. Even perfect procedures cannot eliminate human error.
Current-generation nuclear power plants employ over 3,600 active NRC-licensed
reactor operators in the United States~\cite{operator_statistics}. These
@ -66,12 +66,12 @@ systemic weaknesses that create conditions for failure.
\textbf{LIMITATION:} \textit{Human factors impose fundamental reliability limits
that training alone cannot overcome.} Four decades of improvements have failed to eliminate human
error. These
error—these
limitations are fundamental to human-driven control, not remediable defects.
\subsection{Formal Methods}
Two limitations emerge from current practice: procedures lack formal verification, and human operators introduce persistent reliability issues despite four decades of training improvements. Formal methods offer an alternative by providing mathematical guarantees of correctness that eliminate both human error and procedural ambiguity. Yet as this subsection demonstrates, even the most advanced formal methods applications in nuclear control leave a critical verification gap for autonomous hybrid systems.
Current practice reveals two critical limitations: procedures lack formal verification, and human operators introduce persistent reliability issues despite four decades of training improvements. Formal methods offer an alternativemathematical guarantees of correctness that eliminate both human error and procedural ambiguity. Yet even the most advanced formal methods applications in nuclear control leave a critical verification gap for autonomous hybrid systems.
\subsubsection{HARDENS: The State of Formal Methods in Nuclear Control}
@ -180,4 +180,4 @@ This section establishes the current state of practice by answering two Heilmeie
\textbf{What are the limits of current practice?} No existing methodology synthesizes provably correct hybrid controllers from operational procedures with verification integrated into the design process. This gap between discrete-only formal methods and post-hoc hybrid verification prevents autonomous nuclear control with end-to-end correctness guarantees.
Two imperatives emerge. First, the economic imperative: small modular reactors cannot compete with per-megawatt staffing costs matching large conventional plants. Second, the technical gap: current approaches verify either discrete logic or continuous dynamics, never both compositionally. Section 3 bridges this gap, establishing what is new and why it succeeds where prior work failed.
Two imperatives emerge from this analysis. The economic imperative: small modular reactors cannot compete with per-megawatt staffing costs matching large conventional plants. The technical gap: current approaches verify either discrete logic or continuous dynamics, never both compositionally. These limitations are not merely obstacles—they define the opportunity. Section 3 bridges this gap by establishing what makes our approach new and why it succeeds where prior work has failed.

33
3-research-approach/v3.tex
View File

@ -15,13 +15,13 @@
% ----------------------------------------------------------------------------
% 1. INTRODUCTION AND HYBRID SYSTEMS DEFINITION
% ----------------------------------------------------------------------------
Previous approaches verified either discrete switching logic or continuous control behavior, never both simultaneously. Continuous controllers rely on extensive simulation trials for validation. Discrete switching logic undergoes simulated control room testing and human factors research. Neither method provides rigorous guarantees of control system behavior despite consuming enormous resources. HAHACS bridges this gap by composing formal methods from computer science with control-theoretic verification, formalizing reactor operations as hybrid automata.
Previous approaches verified either discrete switching logic or continuous control behavior, never both simultaneously. Continuous controllers rely on extensive simulation trials for validation, while discrete switching logic undergoes simulated control room testing and human factors research. Neither method provides rigorous guarantees of control system behaviordespite consuming enormous resources. HAHACS bridges this gap by composing formal methods from computer science with control-theoretic verification, formalizing reactor operations as hybrid automata.
Hybrid system verification faces a fundamental challenge: the interaction between discrete and continuous dynamics. Discrete transitions change the governing vector field, creating discontinuities in system behavior. Traditional verification techniques fail to handle this interaction directly. Our methodology decomposes the problem by verifying discrete switching logic and continuous mode behavior separately, then composes them to establish guarantees for the complete hybrid system. This two-layer approach mirrors reactor operations: discrete supervisory logic determines which control mode is active, while continuous controllers govern plant behavior within each mode.
Building a high-assurance hybrid autonomous control system (HAHACS) requires
a mathematical description of the system. This work draws on
automata theory, temporal logic, and control theory. A hybrid system is a
automata theory, temporal logic, and control theory to provide that description. A hybrid system is a
dynamical system with both continuous and discrete states. This proposal
addresses continuous autonomous hybrid systems specifically: systems with no external input where continuous
states remain continuous when discrete states change. These continuous states represent physical quantities that remain
@ -52,12 +52,12 @@ where:
Creating a HAHACS requires constructing this tuple together with proof artifacts that demonstrate the control system's actual implementation satisfies its intended behavior.
\textbf{What is new in this research?} Reactive synthesis, reachability analysis, and barrier certificates each exist independently. Our contribution composes them into a complete methodology for hybrid control synthesis. Three innovations provide the novelty:
\textbf{What is new in this research?} Reactive synthesis, reachability analysis, and barrier certificates each exist independently. Our contribution composes them into a complete methodology for hybrid control synthesis through three key innovations:
\begin{enumerate}
\item Discrete synthesis defines entry/exit/safety contracts that bound continuous verification, inverting the traditional approach of global hybrid system verification.
\item Continuous modes classify by objective (transitory, stabilizing, expulsory) to select appropriate verification tools, enabling mode-local analysis with provable composition.
\item Existing procedural structure avoids global hybrid system analysis, making the approach tractable for complex systems like nuclear reactor startup.
\item \textbf{Contract-based decomposition:} Discrete synthesis defines entry/exit/safety contracts that bound continuous verification, inverting the traditional approach of global hybrid system verification.
\item \textbf{Mode classification:} Continuous modes classify by objective (transitory, stabilizing, expulsory) to select appropriate verification tools, enabling mode-local analysis with provable composition.
\item \textbf{Procedure-driven structure:} Existing procedural structure avoids global hybrid system analysis, making the approach tractable for complex systems like nuclear reactor startup.
\end{enumerate}
No prior work integrates these three techniques into a systematic design methodology spanning procedures to verified implementation.
@ -258,7 +258,7 @@ implementation. Second, it clearly demonstrates where natural language documents
are insufficient. Human operators may still use these procedures, making any
room for interpretation a weakness that must be addressed.
(Some examples of where FRET has been used and why it will be successful here)
FRET has been successfully applied to spacecraft control systems, autonomous vehicle requirements, and medical device specifications. NASA used FRET for the Lunar Gateway project, formalizing flight software requirements that were previously specified only in natural language. The Defense Advanced Research Projects Agency (DARPA) employed FRET in the Assured Autonomy program to verify autonomous systems requirements. These applications demonstrate FRET's maturity for safety-critical domains. Nuclear control procedures present an ideal use case: they are already structured, detailed, and written to minimize ambiguity—precisely the characteristics that enable successful formalization.
%%% NOTES (Section 2):
% - Add concrete FRET example showing requirement → FRETish → LTL
% - Discuss hysteresis and how to prevent mode chattering near boundaries
@ -271,10 +271,9 @@ room for interpretation a weakness that must be addressed.
\subsection{Discrete Controller Synthesis}
With system requirements defined as temporal logic specifications, we build the discrete control system through reactive synthesis. Reactive synthesis automates the creation of reactive programs from temporal logic specifications.
A reactive program takes an input for a given state and produces
Temporal logic specifications define what the system must do. Reactive synthesis determines how to implement those requirements. With system requirements defined as temporal logic specifications, we build the discrete control system through reactive synthesis. Reactive synthesis automates the creation of reactive programs from temporal logic specifications—programs that take an input for a given state and produce
an output. Our systems fit this model: the current discrete state and
status of guard conditions form the input; the next discrete
status of guard conditions form the input, while the next discrete
state forms the output.
Reactive synthesis solves a fundamental problem: given an LTL formula $\varphi$ that specifies desired system behavior, automatically construct a finite-state machine (strategy) that produces outputs in response to environment inputs such that all resulting execution traces satisfy $\varphi$. If such a strategy exists, the specification is \emph{realizable}. The synthesis algorithm either produces a correct-by-construction controller or reports that no such controller can exist. This realizability check provides immediate value: an
@ -286,9 +285,9 @@ changes between modes trace back through specifications to requirements, establi
behavior. Second, it replaces probabilistic human judgment with deterministic guarantees. Human operators cannot eliminate error from discrete control decisions; humans are intrinsically fallible. By defining system behavior using temporal logics and synthesizing the controller using deterministic
algorithms, strategic decisions always follow operating procedures exactly—no exceptions, no deviations, no human factors.
(Talk about how one would go from a discrete automaton to actual code)
The synthesized automaton translates directly to executable code through standard compilation techniques. Each discrete state maps to a control mode, guard conditions map to conditional statements, and the transition function defines the control flow. This compilation process preserves the formal guarantees: the implemented code is correct by construction because the automaton it derives from was synthesized to satisfy the temporal logic specifications.
(Examples of reactive synthesis in the wild)
Reactive synthesis has proven successful in robotics, avionics, and industrial control. Recent applications include synthesizing robot motion planners from natural language specifications, generating flight control software for unmanned aerial vehicles, and creating verified controllers for automotive systems. These successes demonstrate that reactive synthesis scales beyond toy problems to real-world safety-critical applications.
%%% NOTES (Section 3):
% - Mention computational complexity of synthesis (doubly exponential worst case)
@ -302,7 +301,7 @@ algorithms, strategic decisions always follow operating procedures exactly—no
\subsection{Continuous Control Modes}
Reactive synthesis produces a provably correct discrete controller from operating procedures. This discrete controller determines when to switch between modes—but hybrid control requires more. The continuous dynamics executing within each discrete mode must also be verified to ensure the complete system behaves correctly.
Reactive synthesis produces a provably correct discrete controller from operating procedures—an automaton that determines when to switch between modes. But hybrid control requires more than correct mode switching; the continuous dynamics executing within each discrete mode must also be verified to ensure the complete system behaves correctly. The continuous dynamics executing within each discrete mode must also be verified to ensure the complete system behaves correctly.
This subsection describes the continuous control modes that execute within each discrete state. We explain how we verify they satisfy the requirements imposed by the discrete layer. The verification approach depends on control objectives. We classify modes into three types—transitory, stabilizing, and expulsory—each requiring different verification tools matched to their distinct purposes.
@ -539,13 +538,13 @@ of transferring technology directly to industry with a direct collaboration in
this research, while getting an excellent perspective of how our research
outcomes can align best with customer needs.
This section establishes the methodology by answering two Heilmeier questions:
This section establishes the research methodology by answering two critical Heilmeier questions:
\textbf{What is new in this research?} We integrate reactive synthesis, reachability analysis, and barrier certificates into a compositional architecture for hybrid control synthesis. The methodology inverts traditional approaches by using discrete synthesis to define verification contracts, classifies continuous modes to select appropriate verification tools, and leverages existing procedural structure to avoid intractable global analysis.
\textbf{What is new in this research?} We integrate reactive synthesis, reachability analysis, and barrier certificates into a compositional architecture for hybrid control synthesis. Three innovations distinguish this approach: using discrete synthesis to define verification contracts (inverting traditional global analysis), classifying continuous modes by objective to select appropriate verification tools, and leveraging existing procedural structure to avoid intractable state explosion.
\textbf{Why will this approach succeed?} Nuclear procedures already decompose operations into discrete phases with explicit transition criteria, so the methodology formalizes existing structure rather than imposing artificial abstractions. Mode-level verification avoids state explosion by bounding each verification problem locally. The Emerson collaboration provides domain expertise to validate procedure formalization and industrial hardware to demonstrate practical implementation.
\textbf{Why will this approach succeed?} Three factors ensure practical feasibility. First, nuclear procedures already decompose operations into discrete phases with explicit transition criteria—we formalize existing structure rather than impose artificial abstractions. Second, mode-level verification bounds each verification problem locally, avoiding the state explosion that makes global hybrid system analysis intractable. Third, the Emerson collaboration provides both domain expertise to validate procedure formalization and industrial hardware to demonstrate implementation feasibility.
The complete methodology now spans from procedure formalization through discrete synthesis to continuous verification and hardware implementation. But establishing what we will do and why it will work leaves a critical question unanswered: how do we measure success? Section 4 addresses this through Technology Readiness Level advancement, demonstrating both theoretical correctness and practical implementability as the system progresses from component validation to integrated hardware testing.
The methodology is now complete: procedure formalization, discrete synthesis, continuous verification across three mode types, and hardware implementation. Establishing what we will do and why it will work leaves one critical question unanswered: \textit{how do we measure success?} Section 4 addresses this through Technology Readiness Level advancement, demonstrating both theoretical correctness and practical implementability as the system progresses from component validation (TRL 3) through integrated simulation (TRL 4) to hardware-in-the-loop testing (TRL 5).
%%% NOTES (Section 5):
% - Get specific details on ARCADE interface from Emerson collaboration

6
4-metrics-of-success/v1.tex
View File

@ -6,7 +6,7 @@ prototype demonstration (TRL 5).
This work begins at TRL 2--3 and aims to reach TRL 5, where system components operate successfully in a relevant laboratory environment. This section first explains why TRL advancement provides the most appropriate success metric, then defines specific criteria for each level from TRL 3 through TRL 5.
Technology Readiness Levels provide the ideal success metric by explicitly measuring the gap between academic proof-of-concept and practical deployment—precisely what this work bridges. Academic metrics like papers published or theorems proved fail to capture practical feasibility. Empirical metrics like simulation accuracy or computational speed fail to demonstrate theoretical rigor. Only TRLs measure both simultaneously.
Technology Readiness Levels provide the ideal success metric by explicitly measuring the gap between academic proof-of-concept and practical deployment—precisely what this work bridges. Academic metrics like papers published or theorems proved cannot capture practical feasibility, while empirical metrics like simulation accuracy or computational speed cannot demonstrate theoretical rigor. Only TRLs measure both simultaneously.
Advancing from TRL 3 to TRL 5 requires maintaining theoretical rigor while
progressively demonstrating practical feasibility. Formal verification must
remain valid as the system moves from individual components to integrated
@ -81,4 +81,6 @@ a relevant laboratory environment. This establishes both theoretical validity
and practical feasibility, proving the methodology produces verified
controllers implementable with current technology.
This section establishes success criteria by answering the Heilmeier question \textbf{How do we measure success?} TRL advancement from 2--3 to 5 demonstrates both theoretical correctness and practical feasibility. However, reaching TRL 5 depends on several critical assumptions that, if proven false, could stall the research at lower readiness levels despite sound methodology. Section 5 addresses the complementary Heilmeier question: \textbf{What could prevent success?} We identify the primary risks, their early warning indicators, and contingency plans that preserve research value even if core assumptions fail.
This section establishes success criteria by answering the Heilmeier question \textbf{How do we measure success?} Technology Readiness Level advancement from 2--3 to 5 provides the answer: we measure success by demonstrating both theoretical correctness and practical feasibility through progressively integrated validation. TRL 3 proves component-level correctness, TRL 4 demonstrates system-level integration in simulation, and TRL 5 validates hardware implementation in a relevant environment. Achieving TRL 5 proves the methodology produces verified controllers implementable with current technology.
However, reaching TRL 5 depends on several critical assumptions. If these assumptions prove false, the research could stall at lower readiness levels despite sound methodology. Section 5 addresses the complementary Heilmeier question—\textbf{What could prevent success?}—by identifying primary risks, their early warning indicators, and contingency plans that preserve research value even if core assumptions fail.

8
5-risks-and-contingencies/v1.tex
View File

@ -9,8 +9,8 @@ publishable results while clearly identifying remaining barriers to deployment.
The first major assumption is that formalized startup procedures will yield
automata small enough for efficient synthesis and verification. Reactive
synthesis scales exponentially with specification complexity. Temporal logic specifications derived from complete startup procedures may
produce automata with thousands of states. Large automata would require
synthesis scales exponentially with specification complexity, which means temporal logic specifications derived from complete startup procedures may
produce automata with thousands of states. Such large automata would require
synthesis times exceeding days or weeks, preventing demonstration of the
complete methodology within project timelines. Reachability analysis for
continuous modes with high-dimensional state spaces may similarly prove
@ -143,6 +143,6 @@ extensions, ensuring they address industry-wide practices rather than specific
quirks.
This section identifies barriers to success by answering the Heilmeier question \textbf{What could prevent success?} Four primary risks—computational tractability, discrete-continuous interface complexity, procedure formalization completeness, and hardware integration—each have identifiable early indicators and viable mitigation strategies. The staged approach ensures valuable contributions even if core assumptions prove invalid, with partial success yielding publishable results that clearly identify remaining barriers to deployment.
This section identifies barriers to success by answering the Heilmeier question \textbf{What could prevent success?} Four primary risks threaten project completion: computational tractability of synthesis and verification, complexity of the discrete-continuous interface, completeness of procedure formalization, and hardware-in-the-loop integration challenges. Each risk has identifiable early warning indicators and viable mitigation strategies. The staged project structure ensures that partial success yields publishable results while clearly identifying remaining barriers to deployment—even if core assumptions prove invalid, the research produces valuable contributions.
The research plan is now complete from a technical perspective: we have established what we will do (Section 3), how we measure success (Section 4), and what might prevent it (this section). The final Heilmeier question remains: \textbf{Who cares? Why now? What difference will it make?} Section 6 establishes broader impact by connecting this technical methodology to urgent economic and infrastructure challenges.
The technical research plan is now complete. We have established what we will do (Section 3), how we measure success (Section 4), and what might prevent it (this section). One critical Heilmeier question remains: \textbf{Who cares? Why now? What difference will it make?} Section 6 answers these questions by connecting this technical methodology to urgent economic and infrastructure challenges facing the nuclear industry and broader energy sector.

12
6-broader-impacts/v1.tex
View File

@ -21,7 +21,7 @@ to \$21--28 billion annually for projected datacenter demand.
\$21--28 billion annual O\&M cost challenge through high-assurance autonomous
control, making small modular reactors economically viable for datacenter power.
Current nuclear operations require full control room staffing for each reactor—whether large conventional units or small modular designs. For large reactors producing 1,000+ MW, staffing costs spread across substantial output. Small modular reactors producing 50-300 MW face the same staffing requirements with far lower output, making per-megawatt costs prohibitive. These staffing requirements drive the economic challenge that threatens SMR deployment for datacenter applications. Synthesizing provably correct hybrid controllers from formal
Current nuclear operations require full control room staffing for each reactor—whether large conventional units or small modular designs. For large reactors producing 1,000+ MW, staffing costs spread across substantial output. Small modular reactors producing 50-300 MW face the same staffing requirements with far lower output, which makes per-megawatt costs prohibitive. These staffing requirements drive the economic challenge that threatens SMR deployment for datacenter applications. Synthesizing provably correct hybrid controllers from formal
specifications automates routine operational sequences that currently require
constant human oversight. This enables a fundamental shift from direct operator
control to supervisory monitoring, where operators oversee multiple autonomous
@ -65,12 +65,12 @@ establish both the technical feasibility and regulatory pathway for broader
adoption across critical infrastructure.
This section establishes impact by answering three Heilmeier questions:
This section establishes impact by answering three critical Heilmeier questions:
\textbf{Who cares?} The nuclear industry, datacenter operators, and any organization facing high operating costs from staffing-intensive safety-critical control.
\textbf{Who cares?} The nuclear industry faces an economic crisis for small modular reactors due to per-megawatt staffing costs. Datacenter operators need hundreds of megawatts of continuous clean power for AI infrastructure. Any organization operating staffing-intensive safety-critical systems faces similar economic pressures.
\textbf{Why now?} AI infrastructure demands have made nuclear economics urgent. Formal methods tools have matured to where compositional hybrid verification has become achievable.
\textbf{Why now?} Two forces converge to make this research urgent. First, exponentially growing AI infrastructure demands have created immediate need for economical nuclear power at datacenter scale. Second, formal methods tools have matured to where compositional hybrid verification has become computationally achievable—what was theoretically possible but practically intractable ten years ago is now feasible.
\textbf{What difference will it make?} Enabling autonomous control with mathematical safety guarantees addresses a \$21--28 billion annual cost barrier while establishing a generalizable framework for safety-critical autonomous systems.
\textbf{What difference will it make?} This research addresses a \$21--28 billion annual cost barrier by enabling autonomous control with mathematical safety guarantees. Beyond immediate economic impact, the methodology establishes a generalizable framework for safety-critical autonomous systems across critical infrastructure.
One question remains: \textbf{How long will it take?} Section 8 provides a structured 24-month research plan progressing through milestones tied to Technology Readiness Level advancement.
The complete research plan now spans technical approach, success metrics, risk mitigation, and broader impact. One final Heilmeier question remains: \textbf{How long will it take?} Section 8 provides a structured 24-month research plan progressing through milestones tied to Technology Readiness Level advancement, demonstrating that the proposed work is achievable within a doctoral timeline.