danesabo/Thesis
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Editorial pass: tactical, operational, and strategic improvements

Browse Source 
TACTICAL (sentence-level):
- Strengthened topic-stress positioning (old→new info flow)
- Replaced weak verbs with stronger active constructions
- Improved parallel structure in key passages
- Removed unnecessary passive voice
- Tightened verbose constructions

OPERATIONAL (paragraph/section):
- Improved transitions between major sections
- Enhanced coherence within subsections
- Clarified logical progression from state-of-art → approach
- Strengthened section linkages throughout

STRATEGIC (document-level):
- Reinforced Heilmeier catechism alignment (what's new, why succeed)
- Improved 'Why it will succeed' section with three-factor structure
- Added explicit transition from State of Art to Research Approach
- Removed distracting color markup
- Strengthened impact statements in Goals and Broader Impacts
This commit is contained in:
Split 2026-03-09 12:32:16 -04:00
parent 3c0e972dbb
commit 6209db3129
5 changed files with 47 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
1-goals-and-outcomes/research_statement_v1.tex
View File

@ -1,21 +1,21 @@
% GOAL PARAGRAPH % GOAL PARAGRAPH
This research develops a methodology for creating autonomous control systems This research develops a methodology that creates autonomous control systems
that guarantee safe and correct behavior. with guaranteed safe and correct behavior.
% INTRODUCTORY PARAGRAPH Hook % INTRODUCTORY PARAGRAPH Hook
Nuclear power plants rely on extensively trained operators who follow detailed written procedures to manage reactor control. These operators interpret plant conditions and decide when to switch between control objectives. Extensively trained operators manage nuclear reactor control by following detailed written procedures. These operators interpret plant conditions and decide when to switch between control objectives.
% Gap % Gap
Next-generation nuclear power plants face an economic challenge: small modular reactors incur per-megawatt staffing costs that significantly exceed those of conventional plants. Without autonomous control, this economic constraint threatens their viability. Autonomous control systems must therefore safely manage complex operational sequences without constant supervision while maintaining the same assurance—or better—as human-operated systems. Next-generation nuclear power plants face an economic challenge: small modular reactors incur per-megawatt staffing costs that significantly exceed those of conventional plants. This economic constraint threatens their viability without autonomous control. Autonomous control systems must therefore manage complex operational sequences safely, without constant supervision, while maintaining the same assurance—or better—than human-operated systems.
% APPROACH PARAGRAPH Solution % APPROACH PARAGRAPH Solution
We combine formal methods from computer science with control theory to We combine formal methods from computer science with control theory to
build hybrid control systems that are correct by construction. build hybrid control systems that are correct by construction.
% Rationale % Rationale
Hybrid systems mirror how operators work: discrete Hybrid systems mirror operator behavior: discrete
logic switches between continuous control modes. Existing formal methods logic switches between continuous control modes. Existing formal methods
generate provably correct switching logic but fail to handle continuous dynamics generate provably correct switching logic but cannot handle continuous dynamics
during transitions. Control theory verifies continuous behavior but during transitions. Control theory verifies continuous behavior but
lacks tools for proving discrete switching correctness. cannot prove discrete switching correctness.
% Hypothesis and Technical Approach % Hypothesis and Technical Approach
A three-stage methodology bridges this gap. First, we translate written A three-stage methodology bridges this gap. First, we translate written
operating procedures into temporal logic specifications using NASA's Formal operating procedures into temporal logic specifications using NASA's Formal

8
1-goals-and-outcomes/v1.tex
View File

@ -1,8 +1,8 @@
\section{Goals and Outcomes} \section{Goals and Outcomes}
% GOAL PARAGRAPH % GOAL PARAGRAPH
This research develops a methodology for creating autonomous hybrid control This research develops a methodology that creates autonomous hybrid control
systems that provide mathematical guarantees of safe and correct behavior. systems with mathematical guarantees of safe and correct behavior.
% INTRODUCTORY PARAGRAPH Hook % INTRODUCTORY PARAGRAPH Hook
Nuclear power plants require the highest levels of control system reliability. Nuclear power plants require the highest levels of control system reliability.
@ -91,9 +91,9 @@ If this research is successful, we will be able to do the following:
\end{enumerate} \end{enumerate}
% IMPACT PARAGRAPH Innovation % IMPACT PARAGRAPH Innovation
These three outcomes—procedure translation, continuous verification, and hardware demonstration—together establish a complete methodology from regulatory documents to deployed systems. These three outcomes—procedure translation, continuous verification, and hardware demonstration—establish a complete methodology from regulatory documents to deployed systems.
\textbf{The key innovation} unifies discrete synthesis with continuous verification, enabling end-to-end correctness guarantees for hybrid systems. \textbf{The key innovation} unifies discrete synthesis with continuous verification to enable end-to-end correctness guarantees for hybrid systems.
Formal methods can verify discrete logic. Control theory can verify Formal methods can verify discrete logic. Control theory can verify
continuous dynamics. No existing methodology bridges both with compositional continuous dynamics. No existing methodology bridges both with compositional
guarantees. This work establishes that bridge by treating discrete specifications guarantees. This work establishes that bridge by treating discrete specifications

12
2-state-of-the-art/v2.tex
View File

@ -1,11 +1,11 @@
\section{State of the Art and Limits of Current Practice} \section{State of the Art and Limits of Current Practice}
This research aims to create autonomous reactor control systems that are tractably safe. To understand what we automate, we must first understand how nuclear reactors operate today. This section examines reactor operators and their operating procedures, investigates limitations of human-based operation, and reviews current formal methods approaches to reactor control systems. This research creates autonomous reactor control systems that are tractably safe. Understanding what we automate requires understanding how nuclear reactors operate today. This section examines reactor operators and their operating procedures, investigates limitations of human-based operation, and reviews current formal methods approaches to reactor control systems.
\subsection{Current Reactor Procedures and Operation} \subsection{Current Reactor Procedures and Operation}
Nuclear plant procedures form a hierarchy: normal operating procedures govern routine operations, abnormal operating procedures handle off-normal conditions, Emergency Operating Procedures (EOPs) manage design-basis accidents, Severe Accident Management Guidelines (SAMGs) address beyond-design-basis events, and Extensive Damage Mitigation Guidelines (EDMGs) cover catastrophic damage scenarios. These procedures must comply with 10 CFR 50.34(b)(6)(ii). NUREG-0899 Nuclear plant procedures form a hierarchy: normal operating procedures govern routine operations, abnormal operating procedures handle off-normal conditions, Emergency Operating Procedures (EOPs) manage design-basis accidents, Severe Accident Management Guidelines (SAMGs) address beyond-design-basis events, and Extensive Damage Mitigation Guidelines (EDMGs) cover catastrophic damage scenarios. These procedures must comply with 10 CFR 50.34(b)(6)(ii). NUREG-0899
provides guidance for their development~\cite{NUREG-0899, 10CFR50.34}. Expert judgment and simulator validation drive their development—not formal verification. Technical evaluation, simulator validation testing, and biennial review under 10 CFR 55.59~\cite{10CFR55.59} rigorously assess procedures. Yet this rigor cannot provide formal verification of key safety properties. No mathematical proof exists that procedures cover all possible plant states, that required actions complete within available timeframes, or that transitions between procedure sets maintain safety invariants. provides development guidance~\cite{NUREG-0899, 10CFR50.34}. Expert judgment and simulator validation—not formal verification—drive their development. Technical evaluation, simulator validation testing, and biennial review under 10 CFR 55.59~\cite{10CFR55.59} rigorously assess procedures. Yet this rigor cannot provide formal verification of key safety properties. No mathematical proof exists that procedures cover all possible plant states, that required actions complete within available timeframes, or that transitions between procedure sets maintain safety invariants.
\textbf{LIMITATION:} \textit{Procedures lack formal verification of correctness \textbf{LIMITATION:} \textit{Procedures lack formal verification of correctness
and completeness.} Current procedure development relies on expert judgment and and completeness.} Current procedure development relies on expert judgment and
@ -37,7 +37,7 @@ startup/shutdown sequences, mode transitions, and procedure implementation.
\subsection{Human Factors in Nuclear Accidents} \subsection{Human Factors in Nuclear Accidents}
The preceding subsection established how nuclear plants currently operate: through written procedures executed by human operators. Current practice relies on this human-centered approach. We now examine why this reliance poses fundamental limitations. Nuclear plants currently operate through written procedures executed by human operators. This human-centered approach defines current practice. We now examine why this reliance poses fundamental limitations.
Current-generation nuclear power plants employ over 3,600 active NRC-licensed Current-generation nuclear power plants employ over 3,600 active NRC-licensed
reactor operators in the United States~\cite{operator_statistics}. These reactor operators in the United States~\cite{operator_statistics}. These
@ -81,7 +81,7 @@ limitations are fundamental to human-driven control, not remediable defects.
\subsection{Formal Methods} \subsection{Formal Methods}
Human error imposes fundamental reliability limits that training alone cannot eliminate. Formal methods offer an alternative: mathematical guarantees of correctness that human-centered approaches cannot achieve. This subsection examines recent formal methods work in nuclear control and identifies their limitations for autonomous hybrid systems. Training alone cannot eliminate the fundamental reliability limits imposed by human error. Formal methods offer an alternative: mathematical guarantees of correctness that human-centered approaches cannot achieve. This subsection examines recent formal methods work in nuclear control and identifies their limitations for autonomous hybrid systems.
\subsubsection{HARDENS} \subsubsection{HARDENS}
@ -155,7 +155,7 @@ primary assurance evidence.
\subsubsection{Sequent Calculus and Differential Dynamic Logic} \subsubsection{Sequent Calculus and Differential Dynamic Logic}
HARDENS verified discrete control logic but omitted continuous dynamics. Other researchers have pursued a complementary approach: extending temporal logics to handle hybrid systems directly. This work produced differential dynamic logic (dL). dL introduces two additional operators HARDENS verified discrete control logic but omitted continuous dynamics. Other researchers pursued a complementary approach: extending temporal logics to handle hybrid systems directly. This work produced differential dynamic logic (dL). dL introduces two additional operators
into temporal logic: the box operator and the diamond operator. The box operator into temporal logic: the box operator and the diamond operator. The box operator
\([\alpha]\phi\) states that for some region \(\phi\), the hybrid system \([\alpha]\phi\) states that for some region \(\phi\), the hybrid system
\(\alpha\) always remains within that region. In this way, it is a safety \(\alpha\) always remains within that region. In this way, it is a safety
@ -192,4 +192,4 @@ Current practice reveals a fundamental gap. Human operators provide operational
HARDENS verified discrete logic without continuous dynamics. Differential dynamic logic expresses hybrid properties but requires post-design expert analysis. No existing methodology synthesizes provably correct hybrid controllers from operational procedures with verification integrated into the design process. HARDENS verified discrete logic without continuous dynamics. Differential dynamic logic expresses hybrid properties but requires post-design expert analysis. No existing methodology synthesizes provably correct hybrid controllers from operational procedures with verification integrated into the design process.
This gap—between discrete-only formal methods and post-hoc hybrid verification—defines our challenge. Closing it enables autonomous nuclear control with mathematical safety guarantees, directly addressing the economic constraints that threaten small modular reactor viability. This gap—between discrete-only formal methods and post-hoc hybrid verification—defines our challenge and motivates our approach. Closing it enables autonomous nuclear control with mathematical safety guarantees, directly addressing the economic constraints that threaten small modular reactor viability. The next section presents our methodology for bridging this gap through compositional hybrid verification.

53
3-research-approach/v3.tex
View File

@ -15,20 +15,19 @@
% ---------------------------------------------------------------------------- % ----------------------------------------------------------------------------
% 1. INTRODUCTION AND HYBRID SYSTEMS DEFINITION % 1. INTRODUCTION AND HYBRID SYSTEMS DEFINITION
% ---------------------------------------------------------------------------- % ----------------------------------------------------------------------------
Previous approaches to autonomous control verified discrete switching logic or continuous control behavior—never both simultaneously. Extensive simulation trials validate continuous controllers. Simulated control room testing and human factors research evaluate discrete switching logic. Despite consuming enormous resources, neither method provides rigorous guarantees of control system behavior. HAHACS bridges this gap by composing formal methods from computer science with control-theoretic verification, then formalizing reactor operations using hybrid automata. Previous approaches to autonomous control verified discrete switching logic or continuous control behavior—never both simultaneously. Extensive simulation trials validate continuous controllers. Simulated control room testing and human factors research evaluate discrete switching logic. Neither method provides rigorous guarantees of control system behavior, despite consuming enormous resources. HAHACS bridges this gap by composing formal methods from computer science with control-theoretic verification to formalize reactor operations using hybrid automata.
Hybrid system verification faces a fundamental challenge: the interaction between discrete and continuous dynamics. When discrete transitions occur, the governing vector field changes, creating discontinuities in system behavior. Traditional verification techniques—designed for purely discrete or purely continuous systems—cannot handle this interaction directly. Our methodology decomposes the problem: discrete switching logic and continuous mode behavior are verified separately, then composed to reason about the complete hybrid system. This two-layer approach mirrors reactor operations themselves. Discrete supervisory logic determines which control mode is active; continuous controllers govern plant behavior within each mode. Hybrid system verification faces a fundamental challenge: the interaction between discrete and continuous dynamics. Discrete transitions change the governing vector field, creating discontinuities in system behavior. Traditional verification techniques—designed for purely discrete or purely continuous systems—cannot handle this interaction directly. Our methodology decomposes the problem: we verify discrete switching logic and continuous mode behavior separately, then compose them to reason about the complete hybrid system. This two-layer approach mirrors reactor operations. Discrete supervisory logic determines which control mode is active; continuous controllers govern plant behavior within each mode.
Building a high-assurance hybrid autonomous control system (HAHACS) requires Building a high-assurance hybrid autonomous control system (HAHACS) requires
first establishing a mathematical description of the system. This work draws on establishing a mathematical description of the system. This work draws on
automata theory, temporal logic, and control theory. A hybrid system is a automata theory, temporal logic, and control theory. A hybrid system is a
dynamical system with both continuous and discrete states. The specific type dynamical system with both continuous and discrete states. This proposal
of system discussed in this proposal is a continuous autonomous hybrid system. discusses continuous autonomous hybrid systems specifically.
This means that the system does not have external input and that continuous These systems have no external input, and continuous
states do not change instantaneously when discrete states change. For our states do not change instantaneously when discrete states change. The continuous states are physical quantities that remain
systems of interest, the continuous states are physical quantities that are Lipschitz continuous. This nomenclature follows the Handbook on
always Lipschitz continuous. This nomenclature is borrowed from the Handbook on Hybrid Systems Control~\cite{HANDBOOK ON HYBRID SYSTEMS}, redefined here
Hybrid Systems Control \cite{HANDBOOK ON HYBRID SYSTEMS}, but is redefined here
for convenience: for convenience:
\begin{equation} \begin{equation}
@ -54,9 +53,9 @@ where:
Creating a HAHACS requires constructing such a tuple together with proof artifacts demonstrating that the control system's actual implementation satisfies its intended behavior. Creating a HAHACS requires constructing such a tuple together with proof artifacts demonstrating that the control system's actual implementation satisfies its intended behavior.
\textbf{What is new:} Each component's infrastructure has matured, but no existing work composes them for end-to-end hybrid system verification. Our novelty lies in the architecture connecting discrete synthesis with continuous verification through well-defined interfaces. \textbf{What is new:} Each component's infrastructure has matured, but no existing work composes them for end-to-end hybrid system verification. Our novelty lies in the architecture that connects discrete synthesis with continuous verification through well-defined interfaces.
\textbf{Why it will succeed:} Defining entry, exit, and safety conditions at the discrete level first transforms the intractable problem of global hybrid verification into local verification problems with clear interfaces. Verification then operates per mode rather than on the full hybrid system, keeping analysis tractable even for complex reactor operations. Critically, nuclear procedures already define discrete boundaries between operating regimes. This existing structure provides the natural decomposition our methodology requiresmaking the approach practical for real systems. \textbf{Why it will succeed:} Three factors ensure success. First, defining entry, exit, and safety conditions at the discrete level transforms the intractable problem of global hybrid verification into local verification problems with clear interfaces. Second, verification operates per mode rather than on the full hybrid system, keeping analysis tractable even for complex reactor operations. Third—and critically—nuclear procedures already define discrete boundaries between operating regimes. This existing structure provides the natural decomposition our methodology requires, making the approach practical for real systems.
\begin{figure} \begin{figure}
\centering \centering
@ -122,7 +121,7 @@ Creating a HAHACS requires constructing such a tuple together with proof artifac
\subsection{System Requirements, Specifications, and Discrete Controllers} \subsection{System Requirements, Specifications, and Discrete Controllers}
The preceding section established the mathematical framework for hybrid systems. We now show how to construct such systems from existing operational knowledge. Nuclear operations already possess a natural hybrid structure that maps directly to the automaton formalism. The preceding section established the mathematical framework for hybrid systems. We now construct such systems from existing operational knowledge. Nuclear operations already possess a natural hybrid structure that maps directly to the automaton formalism.
Human control of nuclear power divides into three scopes: strategic, Human control of nuclear power divides into three scopes: strategic,
operational, and tactical. Strategic control is high-level and operational, and tactical. Strategic control is high-level and
@ -322,13 +321,15 @@ according to operating procedures.
\subsection{Continuous Control Modes} \subsection{Continuous Control Modes}
The discrete controller is provably correct—synthesis guarantees this. Yet hybrid control requires more than discrete correctness. We now turn to the continuous dynamics executing within each discrete mode. Synthesis guarantees the discrete controller is provably correct. Yet hybrid control requires more than discrete correctness. We now turn to the continuous dynamics executing within each discrete mode.
The discrete operational controller, while provably correct, represents only half of an The discrete operational controller represents only half of an
autonomous controller. Hybrid control systems require both discrete and autonomous controller, despite its provable correctness. Hybrid control systems require both discrete and
continuous components. This section describes the continuous control modes that continuous components. This section describes the continuous control modes that
execute within each discrete state, and how we verify that they satisfy the execute within each discrete state and explains how we verify they satisfy the
requirements imposed by the discrete layer. We must clarify this methodology's scope regarding continuous controller design. This work verifies continuous controllers—it does not synthesize them. The distinction parallels model checking in software verification. Model checking does not tell engineers how to write correct software; it verifies whether a given implementation satisfies its specification. We make a similar assumption: continuous controllers can be designed using standard control theory techniques. Our contribution is the verification framework that confirms candidate controllers compose correctly with the discrete layer to produce a safe hybrid system. requirements imposed by the discrete layer.
This methodology's scope regarding continuous controller design requires clarification. This work verifies continuous controllers—it does not synthesize them. The distinction parallels model checking in software verification: model checking verifies whether a given implementation satisfies its specification without prescribing how to write the software. We make a similar assumption—continuous controllers can be designed using standard control theory techniques. Our contribution is the verification framework that confirms candidate controllers compose correctly with the discrete layer to produce a safe hybrid system.
The operational control scope defines go/no-go decisions that determine what The operational control scope defines go/no-go decisions that determine what
kind of continuous control to implement. The entry or exit conditions of a kind of continuous control to implement. The entry or exit conditions of a
@ -345,9 +346,9 @@ computationally expensive, and analytic solutions often become intractable
We circumvent these issues by designing our hybrid system from the bottom up We circumvent these issues by designing our hybrid system from the bottom up
with verification in mind. The discrete transitions define each continuous with verification in mind. The discrete transitions define each continuous
control mode's input set and output set clearly \textit{a priori}. control mode's input and output sets clearly \textit{a priori}.
The continuous state space is $\mathcal{X}$. Each discrete mode $q_i$ provides Each discrete mode $q_i$ provides
three key pieces of information for continuous controller design: three key pieces of information for continuous controller design:
\begin{enumerate} \begin{enumerate}
\item \textbf{Entry conditions:} $\mathcal{X}_{entry,i} \subseteq \mathcal{X}$, \item \textbf{Entry conditions:} $\mathcal{X}_{entry,i} \subseteq \mathcal{X}$,
@ -413,11 +414,11 @@ reachable within time horizon $T$:
\text{Reach}(\mathcal{X}_{entry}, f_i, [0,T]) \cap \mathcal{X}_{exit} \neq \emptyset \text{Reach}(\mathcal{X}_{entry}, f_i, [0,T]) \cap \mathcal{X}_{exit} \neq \emptyset
\] \]
\textcolor{blue}{Because the discrete controller defines clear boundaries in continuous state The discrete controller defines clear boundaries in continuous state
space, the verification problem for each transitory mode is well-posed. We know space, making the verification problem for each transitory mode well-posed. We know
the possible initial conditions, we know the target conditions, and we know the the possible initial conditions, the target conditions, and the
safety envelope. The verification task is to confirm that the candidate safety envelope. The verification task confirms that the candidate
continuous controller achieves the objective from all possible starting points.} continuous controller achieves the objective from all possible starting points.
Several tools exist for computing reachable sets of hybrid Several tools exist for computing reachable sets of hybrid
systems, including CORA, Flow*, SpaceEx, and JuliaReach. The choice of tool systems, including CORA, Flow*, SpaceEx, and JuliaReach. The choice of tool
@ -506,7 +507,7 @@ state from potentially anywhere in the state space, under degraded or uncertain
dynamics. Examples include emergency core cooling, reactor SCRAM sequences, and dynamics. Examples include emergency core cooling, reactor SCRAM sequences, and
controlled depressurization procedures. controlled depressurization procedures.
Detecting physical failures becomes straightforward because we have already proven our controllers correct through reachability and barrier certificates. Our controller cannot be incorrect for the nominal plant model. Therefore, when an invariant is violated, the plant dynamics must have changed. The HAHACS identifies faults when continuous controllers violate discrete boundary conditions. This direct consequence of verified nominal control modes means: unexpected behavior implies off-nominal conditions. Detecting physical failures becomes straightforward after proving controller correctness through reachability and barrier certificates. The controller cannot be incorrect for the nominal plant model. When an invariant is violated, the plant dynamics must have changed. The HAHACS identifies faults when continuous controllers violate discrete boundary conditions—a direct consequence of verified nominal control modes. Unexpected behavior implies off-nominal conditions.
The mathematical formulation for expulsory mode verification The mathematical formulation for expulsory mode verification
differs from transitory modes in two key ways. First, the entry conditions may differs from transitory modes in two key ways. First, the entry conditions may

6
6-broader-impacts/v1.tex
View File

@ -6,9 +6,9 @@ Nuclear power presents both a compelling application domain and an urgent
economic challenge. Recent interest in powering artificial intelligence economic challenge. Recent interest in powering artificial intelligence
infrastructure has renewed focus on small modular reactors (SMRs), particularly infrastructure has renewed focus on small modular reactors (SMRs), particularly
for hyperscale datacenters requiring hundreds of megawatts of continuous power. for hyperscale datacenters requiring hundreds of megawatts of continuous power.
Deploying SMRs at datacenter sites would minimize transmission losses and Deploying SMRs at datacenter sites minimizes transmission losses and
eliminate emissions from hydrocarbon-based alternatives. However, nuclear power eliminates emissions from hydrocarbon-based alternatives. Nuclear power
economics at this scale demand careful attention to operating costs. economics at this scale, however, demand careful attention to operating costs.
According to the U.S. Energy Information Administration's Annual Energy Outlook According to the U.S. Energy Information Administration's Annual Energy Outlook
2022, advanced nuclear power entering service in 2027 is projected to cost 2022, advanced nuclear power entering service in 2027 is projected to cost