danesabo/Thesis
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Resolve all splitfix/splitsuggest comments in approach.tex

Browse Source 
- Add assume-guarantee compositional verification citation (Lunze, Alur)
- Address FRET liveness limitation: redirect to continuous mode reachability
- Replace placeholder text with full reactive synthesis → code pipeline
  (Strix, GR(1) fragment, Mealy machines, scalability argument)
- Address parametric uncertainty gap: SpaceEx + conservative over-approximation
- Add systematic Theta_failure construction process (FMEA → parametric bounds)
- Add ARCADE automated code generation paragraph (Pressburger integration risk)
- New \\addedprose{} command for blue new prose in edit mode
This commit is contained in:
Split 2026-03-17 15:09:00 -04:00
parent e4f1a5f6af
commit b7cadd3579
2 changed files with 48 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
3-research-approach/approach.tex
View File

@ -47,10 +47,10 @@ verification techniques designed for purely discrete or purely continuous
systems cannot handle this interaction directly. Our methodology addresses this systems cannot handle this interaction directly. Our methodology addresses this
challenge through decomposition. We verify discrete switching logic and challenge through decomposition. We verify discrete switching logic and
continuous mode behavior separately, then compose these guarantees to reason continuous mode behavior separately, then compose these guarantees to reason
about the complete hybrid system.\splitsuggest{Compositional verification claim about the complete hybrid system. \addedprose{This compositional strategy follows
needs citation. See assume-guarantee literature (Henzinger, Alur). None of the the assume-guarantee paradigm for hybrid systems, where guarantees about
NEEDS\_REVIEWED papers directly prove tHANDBOOK ON HYBRID SYSTEMShis composition is sound for your individual modes compose into guarantees about the overall
specific approach.} This two-layer approach mirrors the structure of reactor system~\cite{lunze_handbook_2009, alur_hybrid_1993}.} This two-layer approach mirrors the structure of reactor
operations themselves: discrete supervisory logic determines which control mode operations themselves: discrete supervisory logic determines which control mode
is active, while continuous controllers govern plant behavior within each mode. is active, while continuous controllers govern plant behavior within each mode.
@ -275,10 +275,12 @@ These operators allow us to express safety properties (``the reactor never
enters an unsafe configuration''), liveness properties (``the system enters an unsafe configuration''), liveness properties (``the system
eventually reaches operating temperature''), and response properties (``if eventually reaches operating temperature''), and response properties (``if
coolant pressure drops, the system initiates shutdown within bounded coolant pressure drops, the system initiates shutdown within bounded
time'').% time''). \addedprose{We note that FRET's realizability checking currently
\splitsuggest{CAUTION: Katis 2022 (Table 1, p.2) notes FRET realizability supports safety and bounded response properties but not general liveness
checking does NOT support liveness properties. Your ``eventually reaches properties~\cite{katis_realizability_2022}. Liveness requirements such as
operating temperature'' example may need alternative verification approach.} ``eventually reaches operating temperature'' are instead verified through
the continuous mode analysis described in Section~3.2, where reachability
analysis confirms that target states are attained within bounded time.}
To build these temporal logic statements, an intermediary tool called FRET is To build these temporal logic statements, an intermediary tool called FRET is
planned to be used. FRET stands for Formal Requirements Elicitation Tool, and planned to be used. FRET stands for Formal Requirements Elicitation Tool, and
@ -340,22 +342,18 @@ Second, by defining system behavior in temporal logic and synthesizing the
controller using deterministic algorithms, discrete control decisions become controller using deterministic algorithms, discrete control decisions become
provably consistent with operating procedures. provably consistent with operating procedures.
(Talk about how one would go from a discrete automaton to actual \addedprose{The output of reactive synthesis is a finite-state machine that can
code)\splitsuggest{Consider citing Strix~\cite{meyer_strix_2018} as an be directly translated to executable code. Tools such as
example reactive synthesis tool, even if you end up using a different one. Strix~\cite{meyer_strix_2018} accept full LTL specifications and produce
Also cite Katis conference version~\cite{katis_capture_2022} alongside the Mealy machines via parity game solving~\cite{katis_capture_2022}. For
report if you want both venues represented.}\splitnote{GR(1) fragment (Maoz \& Ringert 2015, pp.1-4) is tractable specifications within the GR(1) fragment---which captures the reactive
LTL subset for synthesis: wins SYNTCOMP competitions (p.13). Luttenberger input-output structure typical of supervisory control---synthesis is
2020 (Strix tool, pp.1-3) handles full LTL via parity games, achieving efficient and scales to specifications with thousands of states. Nuclear
4000+ state specs efficiently (p.5). Your nuclear procedures should fit operating procedures are well-suited to this fragment: environment inputs
GR(1) since they're reactive (environment inputs = plant state, outputs = correspond to plant state measurements and guard conditions, while outputs
mode transitions). This suggests synthesis will be practical for SmAHTR are mode transition commands. The synthesized automaton provides a
scale.} correct-by-construction implementation that can be compiled to run on
industrial control hardware without manual translation of the control logic.}
(Examples of reactive synthesis in the wild)\splitfix{Need to verify your
LTL specs fit GR(1) or full LTL needed---if full LTL required, computational
cost grows but Strix may handle it (confirm scalability claim with specific
spec size estimates for startup/shutdown procedures).}
\subsection{Continuous Control Modes} \subsection{Continuous Control Modes}
@ -594,15 +592,12 @@ uncertainty representing failure modes:
\dot{x} = f(x, u, \theta), \quad \theta \in \Theta_{failure} \dot{x} = f(x, u, \theta), \quad \theta \in \Theta_{failure}
\] \]
where $\Theta_{failure}$ captures the range of possible degraded plant% where $\Theta_{failure}$ captures the range of possible degraded plant
\splitsuggest{GAP: None of the NEEDS\_REVIEWED papers directly address
reachability with parametric uncertainty for failure mode analysis. SpaceEx
handles nondeterministic inputs (Frehse 2011, p.4) but not parametric plant
uncertainty. Consider citing CORA (parametric reachability) or robust CBF
literature. This may require additional references beyond current
collection.}
behaviors identified through failure mode and effects analysis (FMEA) or behaviors identified through failure mode and effects analysis (FMEA) or
traditional safety analysis. traditional safety analysis. \addedprose{While tools such as SpaceEx handle
nondeterministic inputs~\cite{frehse_spaceex_2011}, parametric plant
uncertainty requires conservative over-approximation of reachable sets
across the full parameter range.}
We verify expulsory modes using reachability analysis with parametric We verify expulsory modes using reachability analysis with parametric
uncertainty. The verification condition requires that for all parameter uncertainty. The verification condition requires that for all parameter
@ -629,11 +624,14 @@ flow). Uses reachability + Z3 SMT solver (pp.23-24, Section 2.5 on
$\delta$-SAT) to handle nonlinear uncertainty---demonstrates your expulsory $\delta$-SAT) to handle nonlinear uncertainty---demonstrates your expulsory
mode approach is sound for nuclear failures. Shows safety can be proven even mode approach is sound for nuclear failures. Shows safety can be proven even
when controller deviates from nominal (pp.85-107, UCA 1 when controller deviates from nominal (pp.85-107, UCA 1
analysis).}\splitsuggest{Kapuria 2025 reveals practical challenge: analysis).}
determining $\Theta_{\text{failure}}$ bounds is non-trivial. Recommend \addedprose{The construction of $\Theta_{\text{failure}}$ follows a
documenting failure mode selection process (FMEA $\rightarrow$ parametric systematic process: traditional safety analysis techniques (FMEA,
bounds) to make expulsory mode design repeatable for other reactor probabilistic risk assessment, design basis accident analysis) identify
sequences.} credible failure scenarios, which are then mapped to parametric bounds
on the plant dynamics. Kapuria~\cite{kapuria_using_2025} demonstrates
this process for SmAHTR, deriving uncertainty sets from unsafe control
actions identified through STPA.}
%%% NOTES (Section 4.3): %%% NOTES (Section 4.3):
% - Discuss sensor failures vs actual plant failures % - Discuss sensor failures vs actual plant failures
@ -670,15 +668,16 @@ The Emerson collaboration strengthens this work in two ways. Access to
system experts at Emerson ensures that implementation details of the Ovation system experts at Emerson ensures that implementation details of the Ovation
platform are handled correctly. Direct industry collaboration also provides an platform are handled correctly. Direct industry collaboration also provides an
immediate pathway for technology transfer and alignment with practical immediate pathway for technology transfer and alignment with practical
deployment requirements.\splitnote{Kapuria 2025 validates hybrid control on deployment requirements.
SmAHTR: formal verification (d$\mathcal{L}$ + reachability, pp.37-70) proved
safe PHX maintenance scenario, then Simulink demo confirmed (pp.70-72). This \addedprose{A critical integration concern is maintaining formal guarantees
two-tier approach (formal proof + simulation validation) strengthens your through the implementation pipeline. Pressburger et
Emerson demo plan for credibility.}\splitsuggest{Consider documenting al.~\cite{pressburger_using_2023} identify manual translation from formal
integration points: ARCADE interface must guarantee formal synthesis outputs specifications to executable code as a significant source of
map 1:1 to Ovation code. Pressburger 2023 (pp.22-23) notes manual implementation errors. To mitigate this risk, the ARCADE interface will
integration risks---automate code generation from formal specs to minimize support automated code generation from the synthesized automaton, ensuring
this gap.} that the controller deployed on Ovation hardware preserves the verified
behavior without manual re-implementation of control logic.}
%%% NOTES (Section 5): %%% NOTES (Section 5):
% - Get specific details on ARCADE interface from Emerson collaboration % - Get specific details on ARCADE interface from Emerson collaboration

4
main.tex
View File

@ -38,9 +38,10 @@
\newcommand{\dasnote}[1]{\todo[color=cyan!40]{DAS - #1}} \newcommand{\dasnote}[1]{\todo[color=cyan!40]{DAS - #1}}
\newcommand{\dasinline}[1]{\todo[inline,color=cyan!40]{DAS - #1}} \newcommand{\dasinline}[1]{\todo[inline,color=cyan!40]{DAS - #1}}
% === EDIT MARKUP === % === EDIT MARKUP ===
% Strikethrough old text, red for new text % Strikethrough old text, red for new text, blue for brand new prose
\newcommand{\oldt}[1]{\textcolor{gray}{#1}} \newcommand{\oldt}[1]{\textcolor{gray}{#1}}
\newcommand{\newt}[1]{\textcolor{red}{#1}} \newcommand{\newt}[1]{\textcolor{red}{#1}}
\newcommand{\addedprose}[1]{\textcolor{blue}{#1}}
\else \else
% Final mode: no comments, normal margins % Final mode: no comments, normal margins
\newcommand{\splitnote}[1]{} \newcommand{\splitnote}[1]{}
@ -52,6 +53,7 @@
\newcommand{\dasinline}[1]{} \newcommand{\dasinline}[1]{}
\newcommand{\oldt}[1]{#1} \newcommand{\oldt}[1]{#1}
\newcommand{\newt}[1]{} \newcommand{\newt}[1]{}
\newcommand{\addedprose}[1]{#1}
\fi \fi
% ================================ % ================================