danesabo/Thesis
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Editorial pass: tactical, operational, and strategic improvements

Browse Source 
TACTICAL (sentence-level):
- Strengthened verbs (cannot → fail, cannot handle → fail with)
- Improved topic-stress positioning
- Reduced passive voice where active voice clarifies agency
- Tightened repetitive constructions

OPERATIONAL (paragraph/section):
- Improved transitions between paragraphs and sections
- Separated complex ideas for better flow
- Eliminated redundant sentences
- Enhanced coherence within sections

STRATEGIC (document-level):
- Verified Heilmeier catechism alignment throughout
- Strengthened section transitions with explicit references
- Ensured consistent terminology
- Polished cross-references between sections
This commit is contained in:
Split 2026-03-09 14:01:08 -04:00
parent 1d93477c91
commit 45e1d69e18
7 changed files with 57 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
1-goals-and-outcomes/research_statement_v1.tex
View File

@ -2,31 +2,29 @@
This research develops autonomous control systems with mathematical guarantees of safe and correct behavior.
% INTRODUCTORY PARAGRAPH Hook
Nuclear reactors require extensively trained operators who follow detailed written procedures. Plant conditions guide operator decisions when they switch between control objectives.
Nuclear reactors require extensively trained operators who follow detailed written procedures. Operators switch between control objectives based on plant conditions.
% Gap
Small modular reactors face a fundamental economic challenge: per-megawatt staffing costs significantly exceed those of conventional plants, threatening viability. To remain competitive, these reactors need autonomous control systems that manage complex operational sequences safely without constant supervision while providing assurance equal to or exceeding that of human-operated systems.
Small modular reactors face a fundamental economic challenge: their per-megawatt staffing costs significantly exceed those of conventional plants, threatening economic viability. To remain competitive, these reactors need autonomous control systems that manage complex operational sequences safely without constant supervision while providing assurance equal to or exceeding that of human-operated systems.
% APPROACH PARAGRAPH Solution
We combine formal methods from computer science with control theory to
build hybrid control systems that are correct by construction.
Formal methods from computer science combine with control theory to
build hybrid control systems correct by construction.
% Rationale
Hybrid systems mirror operator decision-making: discrete
logic switches between continuous control modes. Existing formal methods
generate provably correct switching logic but cannot handle continuous dynamics
during transitions. Control theory verifies continuous behavior but
cannot prove discrete switching correctness.
generate provably correct switching logic but fail during transitions with continuous dynamics. Control theory verifies continuous behavior but
fails to prove discrete switching correctness.
% Hypothesis and Technical Approach
Three stages bridge this gap. First, we translate written
operating procedures into temporal logic specifications using NASA's Formal
Three stages bridge this gap. First, written
operating procedures translate into temporal logic specifications using NASA's Formal
Requirements Elicitation Tool (FRET). FRET structures requirements into scope,
condition, component, timing, and response elements. Realizability
checking identifies conflicts and ambiguities before implementation.
Second, reactive synthesis generates deterministic automata provably
Second, reactive synthesis generates deterministic automataprovably
correct by construction.
Third, we design continuous controllers for each discrete mode using standard
control theory and verify them through reachability analysis. We classify continuous modes by their transition objectives. Assume-guarantee contracts and barrier certificates prove that mode transitions occur safely. This approach enables local verification of continuous modes
without requiring global trajectory analysis across the entire hybrid system. We demonstrate this methodology on an
Emerson Ovation control system.
Third, standard control theory designs continuous controllers for each discrete mode; reachability analysis verifies them. Continuous modes classify by their transition objectives. Assume-guarantee contracts and barrier certificates prove safe mode transitions. Local verification of continuous modes
becomes possible without global trajectory analysis across the entire hybrid system. An
Emerson Ovation control system demonstrates this methodology.
% Pay-off
This autonomous control approach can then manage complex nuclear
power operations while maintaining safety guarantees, directly addressing the economic constraints threatening small modular reactor viability.

22
1-goals-and-outcomes/v1.tex
View File

@ -8,20 +8,22 @@ Nuclear power plants require the highest levels of control system reliability.
Control system failures risk economic losses, service interruptions,
or radiological release.
% Known information
Nuclear plant operations rely on extensively trained human operators who follow detailed written procedures and strict regulatory requirements to manage reactor control. Plant conditions and procedural guidance inform operator decisions when they switch between different control modes.
Nuclear plant operations rely on extensively trained human operators who follow detailed written procedures and strict regulatory requirements to manage reactor control. Operators switch between different control modes based on plant conditions and procedural guidance.
% Gap
Human operator reliance prevents autonomous control and creates a fundamental economic challenge for next-generation reactor designs. Small modular reactors face per-megawatt staffing costs far exceeding those of conventional plants, which threatens their economic viability. The nuclear industry needs autonomous control systems that manage complex operational sequences safely without constant human supervision—systems that provide assurance equal to or exceeding that of human operators.
Human operator reliance prevents autonomous control and creates a fundamental economic challenge for next-generation reactor designs. Small modular reactors face per-megawatt staffing costs that far exceed those of conventional plants, threatening their economic viability. The nuclear industry needs autonomous control systems that safely manage complex operational sequences without constant human supervision—systems providing assurance equal to or exceeding that of human operators.
% APPROACH PARAGRAPH Solution
We combine formal methods with control theory to build hybrid control systems that are correct by construction.
Formal methods combine with control theory to build hybrid control systems correct by construction.
% Rationale
Hybrid systems mirror how operators work: discrete logic switches between continuous control modes. Existing formal methods generate provably correct switching logic from written requirements but cannot handle continuous dynamics during transitions. Control theory verifies continuous behavior but cannot prove the correctness of discrete switching decisions. No existing approach provides end-to-end correctness guarantees.
Hybrid systems mirror how operators work: discrete logic switches between continuous control modes. Existing formal methods generate provably correct switching logic from written requirements but fail with continuous dynamics during transitions. Control theory verifies continuous behavior but fails to prove the correctness of discrete switching decisions. No existing approach provides end-to-end correctness guarantees.
% Hypothesis
This approach closes the gap by synthesizing discrete mode transitions directly
from written operating procedures and verifying continuous behavior between
transitions. We formalize existing procedures into logical
specifications and verify continuous dynamics against transition requirements. This produces autonomous controllers provably free from design
defects. The University of Pittsburgh Cyber Energy Center provides access to industry collaboration and Emerson control hardware, ensuring that solutions developed here align with practical implementation
transitions. Existing procedures formalize into logical
specifications; continuous dynamics verify against transition requirements. This produces autonomous controllers provably free from design
defects.
The University of Pittsburgh Cyber Energy Center provides access to industry collaboration and Emerson control hardware, ensuring solutions align with practical implementation
requirements.
% OUTCOMES PARAGRAPHS
@ -72,12 +74,12 @@ This approach produces three concrete outcomes:
% IMPACT PARAGRAPH Innovation
These three outcomes—procedure translation, continuous verification, and hardware demonstration—establish a complete methodology from regulatory documents to deployed systems.
\textbf{What makes this research new?} We unify discrete synthesis with continuous verification to enable end-to-end correctness guarantees for hybrid systems.
\textbf{What makes this research new?} This work unifies discrete synthesis with continuous verification to enable end-to-end correctness guarantees for hybrid systems.
Formal methods verify discrete logic; control theory verifies
continuous dynamics. No existing methodology bridges both with compositional
guarantees. This work establishes that bridge by treating discrete specifications
as contracts that continuous controllers must satisfy, enabling independent
verification of each layer while guaranteeing correct composition.
as contracts that continuous controllers must satisfy. Independent
verification of each layer becomes possible while guaranteeing correct composition.
% Outcome Impact
If successful, control engineers create autonomous controllers from

14
2-state-of-the-art/v2.tex
View File

@ -4,7 +4,7 @@
\subsection{Current Reactor Procedures and Operation}
Nuclear plant procedures form a hierarchy. Normal operating procedures govern routine operations, while abnormal operating procedures handle off-normal conditions. Emergency Operating Procedures (EOPs) manage design-basis accidents. Severe Accident Management Guidelines (SAMGs) address beyond-design-basis events, and Extensive Damage Mitigation Guidelines (EDMGs) cover catastrophic damage. These procedures must comply with 10 CFR 50.34(b)(6)(ii); NUREG-0899 provides development guidance~\cite{NUREG-0899, 10CFR50.34}. Developers rely on expert judgment and simulator validation, not formal verification. Technical evaluation, simulator validation testing, and biennial review under 10 CFR 55.59~\cite{10CFR55.59} assess procedures rigorously, yet this rigor cannot provide formal verification of key safety properties. No mathematical proof exists that procedures cover all possible plant states, that required actions complete within available timeframes, or that transitions between procedure sets maintain safety invariants.
Nuclear plant procedures form a hierarchy. Normal operating procedures govern routine operations, while abnormal operating procedures handle off-normal conditions. Emergency Operating Procedures (EOPs) manage design-basis accidents. Severe Accident Management Guidelines (SAMGs) address beyond-design-basis events, and Extensive Damage Mitigation Guidelines (EDMGs) cover catastrophic damage. These procedures must comply with 10 CFR 50.34(b)(6)(ii); NUREG-0899 provides development guidance~\cite{NUREG-0899, 10CFR50.34}. Expert judgment and simulator validation drive development, not formal verification. Technical evaluation, simulator validation testing, and biennial review under 10 CFR 55.59~\cite{10CFR55.59} assess procedures rigorously, yet this rigor cannot provide formal verification of key safety properties. No mathematical proof exists that procedures cover all possible plant states, that required actions complete within available timeframes, or that transitions between procedure sets maintain safety invariants.
\textbf{LIMITATION:} \textit{Procedures lack formal verification of correctness
and completeness.} Current procedure development relies on expert judgment and
@ -36,7 +36,7 @@ startup/shutdown sequences, mode transitions, and procedure implementation.
\subsection{Human Factors in Nuclear Accidents}
Procedures lack formal verification despite rigorous development, but this represents only half the reliability challenge. The second pillar of current practice—human operators executing these procedures—introduces additional reliability limitations independent of procedure quality. Procedures define what to do; human operators determine when and how to apply them. Even perfect procedures cannot eliminate human error.
Procedures lack formal verification despite rigorous developmentthis represents only half the reliability challenge. The second pillar of current practice—human operators executing these procedures—introduces additional reliability limitations independent of procedure quality. Procedures define what to do; human operators determine when and how. Even perfect procedures cannot eliminate human error.
Current-generation nuclear power plants employ over 3,600 active NRC-licensed
reactor operators in the United States~\cite{operator_statistics}. These
@ -71,7 +71,9 @@ limitations are fundamental to human-driven control, not remediable defects.
\subsection{Formal Methods}
Current practice reveals two critical limitations: procedures lack formal verification, and human operators introduce persistent reliability issues despite four decades of training improvements. Formal methods offer an alternative—mathematical guarantees of correctness that eliminate both human error and procedural ambiguity. Yet even the most advanced formal methods applications in nuclear control leave a critical verification gap for autonomous hybrid systems.
Current practice reveals two critical limitations: procedures lack formal verification, and human operators introduce persistent reliability issues despite four decades of training improvements. Formal methods offer an alternative path forward—mathematical guarantees of correctness that eliminate both human error and procedural ambiguity.
Yet even the most advanced formal methods applications in nuclear control leave a critical verification gap for autonomous hybrid systems.
\subsubsection{HARDENS: The State of Formal Methods in Nuclear Control}
@ -100,7 +102,7 @@ synthesis generated verifiable C implementations and SystemVerilog hardware
implementations directly from Cryptol models---eliminating the traditional gap
between specification and implementation where errors commonly arise.
Despite its accomplishments, HARDENS has a fundamental limitation for hybrid control synthesis: the project addressed only discrete digital control logic. The project did not model or verify continuous reactor dynamics.
Despite its accomplishments, HARDENS has a fundamental limitation for hybrid control synthesis: the project addressed only discrete digital control logic without modeling or verifying continuous reactor dynamics.
The Reactor Trip System specification and verification covered discrete state
transitions (trip/no-trip decisions), digital sensor input processing through
discrete logic, and discrete actuation outputs (reactor trip commands). The
@ -141,7 +143,7 @@ primary assurance evidence.
\subsubsection{Differential Dynamic Logic: Post-Hoc Hybrid Verification}
While HARDENS verified discrete control logic without continuous dynamics, other researchers attacked the problem from the opposite direction: extending temporal logics to handle hybrid systems directly. This work produced differential dynamic logic (dL). dL introduces two additional operators
HARDENS verified discrete control logic without continuous dynamics. Other researchers attacked the problem from the opposite direction: extending temporal logics to handle hybrid systems directly. This work produced differential dynamic logic (dL). dL introduces two additional operators
into temporal logic: the box operator and the diamond operator. The box operator
\([\alpha]\phi\) states that for some region \(\phi\), the hybrid system
\(\alpha\) always remains within that region. In this way, it is a safety
@ -180,4 +182,4 @@ This section establishes the current state of practice by answering two Heilmeie
\textbf{What are the limits of current practice?} No existing methodology synthesizes provably correct hybrid controllers from operational procedures with verification integrated into the design process. This gap between discrete-only formal methods and post-hoc hybrid verification prevents autonomous nuclear control with end-to-end correctness guarantees.
Two imperatives emerge from this analysis. The economic imperative: small modular reactors cannot compete with per-megawatt staffing costs matching large conventional plants. The technical gap: current approaches verify either discrete logic or continuous dynamics, never both compositionally. These limitations are not merely obstacles—they define the opportunity. Section 3 bridges this gap by establishing what makes our approach new and why it succeeds where prior work has failed.
Two imperatives emerge from this analysis. The economic imperative: small modular reactors cannot compete with per-megawatt staffing costs matching large conventional plants. The technical imperative: current approaches verify either discrete logic or continuous dynamics, never both compositionally. These limitations define the research opportunity. Section 3 bridges this gap by establishing what makes this approach new and why it will succeed where prior work has failed.

32
3-research-approach/v3.tex
View File

@ -15,7 +15,7 @@
% ----------------------------------------------------------------------------
% 1. INTRODUCTION AND HYBRID SYSTEMS DEFINITION
% ----------------------------------------------------------------------------
Previous approaches verified either discrete switching logic or continuous control behavior, never both simultaneously. Continuous controllers rely on extensive simulation trials for validation, while discrete switching logic undergoes simulated control room testing and human factors research. Neither method provides rigorous guarantees of control system behaviordespite consuming enormous resources. HAHACS bridges this gap by composing formal methods from computer science with control-theoretic verification, formalizing reactor operations as hybrid automata.
Previous approaches verified either discrete switching logic or continuous control behavior, never both simultaneously. Continuous controllers rely on extensive simulation trials for validation; discrete switching logic undergoes simulated control room testing and human factors research. Neither method provides rigorous guarantees of control system behavior despite consuming enormous resources. HAHACS bridges this gap by composing formal methods from computer science with control-theoretic verification, formalizing reactor operations as hybrid automata.
Hybrid system verification faces a fundamental challenge: the interaction between discrete and continuous dynamics. Discrete transitions change the governing vector field, creating discontinuities in system behavior. Traditional verification techniques fail to handle this interaction directly. Our methodology decomposes the problem by verifying discrete switching logic and continuous mode behavior separately, then composes them to establish guarantees for the complete hybrid system. This two-layer approach mirrors reactor operations: discrete supervisory logic determines which control mode is active, while continuous controllers govern plant behavior within each mode.
@ -52,15 +52,15 @@ where:
Creating a HAHACS requires constructing this tuple together with proof artifacts that demonstrate the control system's actual implementation satisfies its intended behavior.
\textbf{What is new in this research?} Reactive synthesis, reachability analysis, and barrier certificates each exist independently. Our contribution composes them into a complete methodology for hybrid control synthesis through three key innovations:
\textbf{What is new in this research?} Reactive synthesis, reachability analysis, and barrier certificates each exist independently. This work composes them into a complete methodology for hybrid control synthesis through three key innovations:
\begin{enumerate}
\item \textbf{Contract-based decomposition:} Discrete synthesis defines entry/exit/safety contracts that bound continuous verification, inverting the traditional approach of global hybrid system verification.
\item \textbf{Mode classification:} Continuous modes classify by objective (transitory, stabilizing, expulsory) to select appropriate verification tools, enabling mode-local analysis with provable composition.
\item \textbf{Mode classification:} Continuous modes classify by objective (transitory, stabilizing, expulsory), selecting appropriate verification tools and enabling mode-local analysis with provable composition.
\item \textbf{Procedure-driven structure:} Existing procedural structure avoids global hybrid system analysis, making the approach tractable for complex systems like nuclear reactor startup.
\end{enumerate}
No prior work integrates these three techniques into a systematic design methodology spanning procedures to verified implementation.
No prior work integrates these three techniques into a systematic design methodology that spans procedures to verified implementation.
\textbf{Why will it succeed?} Three factors ensure practical feasibility:
@ -147,7 +147,7 @@ physical state of the plant. Tactical control objectives include maintaining
pressurizer level, maintaining core temperature, or adjusting reactivity with a
chemical shim.
The operational control scope links these two extremes and represents the primary responsibility of human operators today. Operational control takes strategic objectives and implements tactical control sequences to achieve them, bridging high-level goals with low-level execution.
The operational control scope links these two extremes, representing the primary responsibility of human operators today. Operational control takes strategic objectives and implements tactical control sequences to achieve them, bridging high-level goals with low-level execution.
Consider an example: a strategic goal may be to
perform refueling at a certain time, while the tactical level of the plant is
@ -157,9 +157,9 @@ the way to achieve this objective.
This structure reveals why the operational and
tactical levels fundamentally form a hybrid controller. The tactical level represents
continuous evolution of the plant according to the control input and control
law, while the operational level represents discrete state evolution that determines
which tactical control law to apply. We target this operational level for autonomous control.
continuous plant evolution according to the control input and control
law; the operational level represents discrete state evolution that determines
which tactical control law applies. This operational level becomes the target for autonomous control.
\begin{figure}
@ -271,12 +271,14 @@ FRET has been successfully applied to spacecraft control systems, autonomous veh
\subsection{Discrete Controller Synthesis}
Temporal logic specifications define what the system must do. Reactive synthesis determines how to implement those requirements. With system requirements defined as temporal logic specifications, we build the discrete control system through reactive synthesis. Reactive synthesis automates the creation of reactive programs from temporal logic specifications—programs that take an input for a given state and produce
Temporal logic specifications define what the system must do. Reactive synthesis determines how to implement those requirements.
With system requirements defined as temporal logic specifications, reactive synthesis builds the discrete control system. Reactive synthesis automates the creation of reactive programs from temporal logic specifications—programs that take an input for a given state and produce
an output. Our systems fit this model: the current discrete state and
status of guard conditions form the input, while the next discrete
state forms the output.
Reactive synthesis solves a fundamental problem: given an LTL formula $\varphi$ that specifies desired system behavior, automatically construct a finite-state machine (strategy) that produces outputs in response to environment inputs such that all resulting execution traces satisfy $\varphi$. If such a strategy exists, the specification is \emph{realizable}. The synthesis algorithm either produces a correct-by-construction controller or reports that no such controller can exist. This realizability check provides immediate value: an
Reactive synthesis solves a fundamental problem: given an LTL formula $\varphi$ specifying desired system behavior, automatically construct a finite-state machine (strategy) that produces outputs in response to environment inputs such that all resulting execution traces satisfy $\varphi$. If such a strategy exists, the specification is \emph{realizable}. The synthesis algorithm either produces a correct-by-construction controller or reports that no such controller exists. This realizability check provides immediate value: an
unrealizable specification indicates conflicting or impossible requirements in
the original procedures, catching errors before implementation.
@ -301,9 +303,9 @@ Reactive synthesis has proven successful in robotics, avionics, and industrial c
\subsection{Continuous Control Modes}
Reactive synthesis produces a provably correct discrete controller from operating procedures—an automaton that determines when to switch between modes. But hybrid control requires more than correct mode switching; the continuous dynamics executing within each discrete mode must also be verified to ensure the complete system behaves correctly. The continuous dynamics executing within each discrete mode must also be verified to ensure the complete system behaves correctly.
Reactive synthesis produces a provably correct discrete controller from operating procedures—an automaton that determines when to switch between modes. But hybrid control requires more than correct mode switching; the continuous dynamics executing within each discrete mode must also be verified to ensure the complete system behaves correctly.
This subsection describes the continuous control modes that execute within each discrete state. We explain how we verify they satisfy the requirements imposed by the discrete layer. The verification approach depends on control objectives. We classify modes into three types—transitory, stabilizing, and expulsory—each requiring different verification tools matched to their distinct purposes.
This subsection describes the continuous control modes that execute within each discrete state and explains how they verify against requirements imposed by the discrete layer. The verification approach depends on control objectives. We classify modes into three types—transitory, stabilizing, and expulsory—each requiring different verification tools matched to their distinct purposes.
This methodology's scope requires clarification: this work verifies continuous controllers but does not synthesize them. The distinction parallels model checking in software verification. Model checking verifies whether a given implementation satisfies its specification without prescribing how to write the software. We assume engineers design continuous controllers using standard control theory techniques. Our contribution provides the verification framework confirming that candidate controllers compose correctly with the discrete layer to produce a safe hybrid system.
@ -540,11 +542,11 @@ outcomes can align best with customer needs.
This section establishes the research methodology by answering two critical Heilmeier questions:
\textbf{What is new in this research?} We integrate reactive synthesis, reachability analysis, and barrier certificates into a compositional architecture for hybrid control synthesis. Three innovations distinguish this approach: using discrete synthesis to define verification contracts (inverting traditional global analysis), classifying continuous modes by objective to select appropriate verification tools, and leveraging existing procedural structure to avoid intractable state explosion.
\textbf{What is new in this research?} This work integrates reactive synthesis, reachability analysis, and barrier certificates into a compositional architecture for hybrid control synthesis. Three innovations distinguish this approach: using discrete synthesis to define verification contracts (inverting traditional global analysis), classifying continuous modes by objective to select appropriate verification tools, and leveraging existing procedural structure to avoid intractable state explosion.
\textbf{Why will this approach succeed?} Three factors ensure practical feasibility. First, nuclear procedures already decompose operations into discrete phases with explicit transition criteria—we formalize existing structure rather than impose artificial abstractions. Second, mode-level verification bounds each verification problem locally, avoiding the state explosion that makes global hybrid system analysis intractable. Third, the Emerson collaboration provides both domain expertise to validate procedure formalization and industrial hardware to demonstrate implementation feasibility.
\textbf{Why will this approach succeed?} Three factors ensure practical feasibility. First, nuclear procedures already decompose operations into discrete phases with explicit transition criteria—the approach formalizes existing structure rather than imposing artificial abstractions. Second, mode-level verification bounds each verification problem locally, avoiding the state explosion that makes global hybrid system analysis intractable. Third, the Emerson collaboration provides both domain expertise to validate procedure formalization and industrial hardware to demonstrate implementation feasibility.
The methodology is now complete: procedure formalization, discrete synthesis, continuous verification across three mode types, and hardware implementation. Establishing what we will do and why it will work leaves one critical question unanswered: \textit{how do we measure success?} Section 4 addresses this through Technology Readiness Level advancement, demonstrating both theoretical correctness and practical implementability as the system progresses from component validation (TRL 3) through integrated simulation (TRL 4) to hardware-in-the-loop testing (TRL 5).
The methodology is now complete: procedure formalization, discrete synthesis, continuous verification across three mode types, and hardware implementation. Establishing what will be done and why it will work leaves one critical question unanswered: \textit{how will success be measured?} Section 4 addresses this through Technology Readiness Level advancement, demonstrating both theoretical correctness and practical implementability as the system progresses from component validation (TRL 3) through integrated simulation (TRL 4) to hardware-in-the-loop testing (TRL 5).
%%% NOTES (Section 5):
% - Get specific details on ARCADE interface from Emerson collaboration

2
4-metrics-of-success/v1.tex
View File

@ -6,7 +6,7 @@ prototype demonstration (TRL 5).
This work begins at TRL 2--3 and aims to reach TRL 5, where system components operate successfully in a relevant laboratory environment. This section first explains why TRL advancement provides the most appropriate success metric, then defines specific criteria for each level from TRL 3 through TRL 5.
Technology Readiness Levels provide the ideal success metric by explicitly measuring the gap between academic proof-of-concept and practical deployment—precisely what this work bridges. Academic metrics like papers published or theorems proved cannot capture practical feasibility, while empirical metrics like simulation accuracy or computational speed cannot demonstrate theoretical rigor. Only TRLs measure both simultaneously.
Technology Readiness Levels provide the ideal success metric by explicitly measuring the gap between academic proof-of-concept and practical deployment—precisely what this work bridges. Academic metrics like papers published or theorems proved fail to capture practical feasibility; empirical metrics like simulation accuracy or computational speed fail to demonstrate theoretical rigor. Only TRLs measure both simultaneously.
Advancing from TRL 3 to TRL 5 requires maintaining theoretical rigor while
progressively demonstrating practical feasibility. Formal verification must
remain valid as the system moves from individual components to integrated

8
5-risks-and-contingencies/v1.tex
View File

@ -1,7 +1,7 @@
\section{Risks and Contingencies}
Every research plan rests on assumptions. When those assumptions prove false, the research must adapt. Four primary risks could prevent successful completion: computational tractability of synthesis and verification, complexity of the discrete-continuous interface, completeness of procedure formalization, and hardware-in-the-loop integration. Each risk has associated early warning indicators and
contingency plans that preserve research value even if core assumptions prove
Every research plan rests on assumptions. When those assumptions prove false, research must adapt. Four primary risks could prevent successful completion: computational tractability of synthesis and verification, complexity of the discrete-continuous interface, completeness of procedure formalization, and hardware-in-the-loop integration. Each risk carries associated early warning indicators and
contingency plans that preserve research value even when core assumptions prove
false. The staged project structure ensures that partial success yields
publishable results while clearly identifying remaining barriers to deployment.
@ -143,6 +143,6 @@ extensions, ensuring they address industry-wide practices rather than specific
quirks.
This section identifies barriers to success by answering the Heilmeier question \textbf{What could prevent success?} Four primary risks threaten project completion: computational tractability of synthesis and verification, complexity of the discrete-continuous interface, completeness of procedure formalization, and hardware-in-the-loop integration challenges. Each risk has identifiable early warning indicators and viable mitigation strategies. The staged project structure ensures that partial success yields publishable results while clearly identifying remaining barriers to deployment—even if core assumptions prove invalid, the research produces valuable contributions.
This section identifies barriers to success by answering the Heilmeier question \textbf{What could prevent success?} Four primary risks threaten project completion: computational tractability of synthesis and verification, complexity of the discrete-continuous interface, completeness of procedure formalization, and hardware-in-the-loop integration challenges. Each risk has identifiable early warning indicators and viable mitigation strategies. The staged project structure ensures that partial success yields publishable results while clearly identifying remaining barriers to deployment—even when core assumptions prove invalid, the research produces valuable contributions.
The technical research plan is now complete. We have established what we will do (Section 3), how we measure success (Section 4), and what might prevent it (this section). One critical Heilmeier question remains: \textbf{Who cares? Why now? What difference will it make?} Section 6 answers these questions by connecting this technical methodology to urgent economic and infrastructure challenges facing the nuclear industry and broader energy sector.
The technical research plan is now complete. What will be done (Section 3), how success will be measured (Section 4), and what might prevent it (this section) have been established. One critical Heilmeier question remains: \textbf{Who cares? Why now? What difference will it make?} Section 6 answers these questions by connecting this technical methodology to urgent economic and infrastructure challenges facing the nuclear industry and broader energy sector.

6
6-broader-impacts/v1.tex
View File

@ -1,6 +1,6 @@
\section{Broader Impacts}
\textbf{Who cares? Why now? What difference will it make?} The nuclear industry, datacenter operators, and clean energy advocates all face the same economic constraint: high operating costs driven by staffing requirements. AI infrastructure demands, growing exponentially, have made this constraint urgent.
\textbf{Who cares? Why now? What difference will it make?} Three stakeholder groups face the same economic constraint: the nuclear industry, datacenter operators, and clean energy advocates. All confront high operating costs driven by staffing requirements. AI infrastructure demands, growing exponentially, have made this constraint urgent.
Nuclear power presents both a compelling application domain and an urgent
economic challenge. Recent interest in powering artificial intelligence
@ -69,8 +69,8 @@ This section establishes impact by answering three critical Heilmeier questions:
\textbf{Who cares?} The nuclear industry faces an economic crisis for small modular reactors due to per-megawatt staffing costs. Datacenter operators need hundreds of megawatts of continuous clean power for AI infrastructure. Any organization operating staffing-intensive safety-critical systems faces similar economic pressures.
\textbf{Why now?} Two forces converge to make this research urgent. First, exponentially growing AI infrastructure demands have created immediate need for economical nuclear power at datacenter scale. Second, formal methods tools have matured to where compositional hybrid verification has become computationally achievable—what was theoretically possible but practically intractable ten years ago is now feasible.
\textbf{Why now?} Two forces converge to make this research urgent. First, exponentially growing AI infrastructure demands have created immediate need for economical nuclear power at datacenter scale. Second, formal methods tools have matured to where compositional hybrid verification has become computationally achievable—what was theoretically possible but practically intractable a decade ago is now feasible.
\textbf{What difference will it make?} This research addresses a \$21--28 billion annual cost barrier by enabling autonomous control with mathematical safety guarantees. Beyond immediate economic impact, the methodology establishes a generalizable framework for safety-critical autonomous systems across critical infrastructure.
The complete research plan now spans technical approach, success metrics, risk mitigation, and broader impact. One final Heilmeier question remains: \textbf{How long will it take?} Section 8 provides a structured 24-month research plan progressing through milestones tied to Technology Readiness Level advancement, demonstrating that the proposed work is achievable within a doctoral timeline.
The complete research plan now spans technical approach, success metrics, risk mitigation, and broader impact. One final Heilmeier question remains: \textbf{How long will it take?} Section 8 provides a structured 24-month research plan progressing through milestones tied to Technology Readiness Level advancement, demonstrating the proposed work is achievable within a doctoral timeline.