danesabo/Thesis
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Editorial pass 1: Tactical and operational improvements

Browse Source 
- Applied Gopen's Sense of Structure principles throughout
- Improved issue-point and topic-stress positioning
- Strengthened verb choice and reduced passive voice
- Enhanced sentence clarity and reduced wordiness
- Improved paragraph flow and transitions
- Clarified Heilmeier question alignment in summaries
This commit is contained in:
Split 2026-03-09 17:52:44 -04:00
parent 4a3c7d302a
commit d365f6927a
8 changed files with 76 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
1-goals-and-outcomes/research_statement_v1.tex
View File

@ -2,20 +2,20 @@
This research develops autonomous control systems that provide mathematical guarantees of safe and correct behavior. This research develops autonomous control systems that provide mathematical guarantees of safe and correct behavior.
% INTRODUCTORY PARAGRAPH Hook % INTRODUCTORY PARAGRAPH Hook
Nuclear reactors today require human operators to follow detailed written procedures and switch between control objectives as plant conditions change. Human operators control nuclear reactors today by following detailed written procedures and switching between control objectives as plant conditions change.
% Gap % Gap
Small modular reactors face a fundamental economic challenge: staffing costs per megawatt far exceed those of conventional plants, threatening economic viability. Autonomous control could manage complex operational sequences without constant supervision—but only if safety assurance equals or exceeds that of human operators. Small modular reactors face a fundamental economic challenge: their per-megawatt staffing costs far exceed those of conventional plants, threatening their economic viability. Autonomous control offers a solution—managing complex operational sequences without constant supervision—but only if it provides safety assurance equal to or exceeding that of human operators.
% APPROACH PARAGRAPH Solution % APPROACH PARAGRAPH Solution
This research unifies formal methods from computer science with control theory to produce hybrid control systems that are correct by construction. This research unifies formal methods from computer science with control theory to produce hybrid control systems correct by construction.
% Rationale % Rationale
Human operators already work this way: discrete logic switches between continuous control modes. Formal methods generate provably correct switching logic but cannot verify continuous dynamics. Control theory verifies continuous behavior but cannot prove discrete logic correctness. End-to-end correctness requires both. Human operators already work this way: they use discrete logic to switch between continuous control modes. Formal methods generate provably correct switching logic but cannot verify continuous dynamics. Control theory verifies continuous behavior but cannot prove discrete logic correctness. Both are required for end-to-end correctness.
% Hypothesis and Technical Approach % Hypothesis and Technical Approach
Three stages bridge this gap. First, NASA's Formal Requirements Elicitation Tool (FRET) translates written operating procedures into temporal logic specifications, structuring requirements by scope, condition, component, timing, and response. Realizability checking then exposes conflicts and ambiguities before implementation begins. Second, reactive synthesis generates deterministic automata that are provably correct by construction. Third, reachability analysis verifies that continuous controllers—designed by engineers using standard control theory—satisfy each discrete mode's requirements. Three stages bridge this gap. First, NASA's Formal Requirements Elicitation Tool (FRET) translates written operating procedures into temporal logic specifications, structuring requirements by scope, condition, component, timing, and response. Realizability checking exposes conflicts and ambiguities before implementation begins. Second, reactive synthesis generates deterministic automata provably correct by construction. Third, reachability analysis verifies that continuous controllers—designed by engineers using standard control theory—satisfy each discrete mode's requirements.
Continuous modes classify by control objective into three types. Transitory modes drive the plant between conditions. Stabilizing modes maintain operation within regions. Expulsory modes ensure safety under failures. Barrier certificates and assume-guarantee contracts prove mode transitions are safe, enabling local verification without global trajectory analysis. The methodology will demonstrate on an Emerson Ovation control system—the industrial platform nuclear power plants already use. Continuous modes classify by control objective into three types. Transitory modes drive the plant between conditions. Stabilizing modes maintain operation within regions. Expulsory modes ensure safety under failures. Barrier certificates and assume-guarantee contracts prove mode transitions are safe, enabling local verification without global trajectory analysis. The methodology demonstrates on an Emerson Ovation control system—the industrial platform nuclear power plants already use.
% Pay-off % Pay-off
This approach manages complex nuclear power operations autonomously while maintaining safety guarantees. It directly addresses the economic constraints threatening small modular reactor viability. This approach manages complex nuclear power operations autonomously while maintaining safety guarantees. It directly addresses the economic constraints that threaten small modular reactor viability.
% OUTCOMES PARAGRAPHS % OUTCOMES PARAGRAPHS
This research, if successful, produces three concrete outcomes: This research, if successful, produces three concrete outcomes:

10
1-goals-and-outcomes/v1.tex
View File

@ -4,18 +4,18 @@
This research develops autonomous hybrid control systems that provide mathematical guarantees of safe and correct behavior. This research develops autonomous hybrid control systems that provide mathematical guarantees of safe and correct behavior.
% INTRODUCTORY PARAGRAPH Hook % INTRODUCTORY PARAGRAPH Hook
Nuclear power plants require the highest levels of control system reliability. Control system failures risk economic losses, service interruptions, or radiological release. Nuclear power plants demand the highest levels of control system reliability. Control system failures risk economic losses, service interruptions, or radiological release.
% Known information % Known information
Extensively trained human operators control nuclear plants today. They follow detailed written procedures and strict regulatory requirements, switching between control modes based on plant conditions and procedural guidance. Extensively trained human operators control nuclear plants today by following detailed written procedures and strict regulatory requirements. They switch between control modes based on plant conditions and procedural guidance.
% Gap % Gap
This reliance on human operators prevents autonomous control and creates a fundamental economic challenge for next-generation reactor designs. Small modular reactors face staffing costs per megawatt that far exceed those of conventional plants, threatening their economic viability. Autonomous control could manage complex operational sequences without constant supervision—but only if it provides safety assurance equal to or exceeding that of human operators. This reliance on human operators prevents autonomous control and creates a fundamental economic challenge for next-generation reactor designs. Small modular reactors face per-megawatt staffing costs far exceeding those of conventional plants, threatening their economic viability. Autonomous control offers a solution—managing complex operational sequences without constant supervision—but only if it provides safety assurance equal to or exceeding that of human operators.
% APPROACH PARAGRAPH Solution % APPROACH PARAGRAPH Solution
This research unifies formal methods with control theory to produce hybrid control systems correct by construction. This research unifies formal methods with control theory to produce hybrid control systems correct by construction.
% Rationale % Rationale
Human operators already work this way: discrete logic switches between continuous control modes. Formal methods generate provably correct switching logic from written requirements but cannot verify continuous dynamics. Control theory verifies continuous behavior but cannot prove discrete switching correctness. Both are required for end-to-end correctness. Human operators already work this way: they use discrete logic to switch between continuous control modes. Formal methods generate provably correct switching logic from written requirements but cannot verify continuous dynamics. Control theory verifies continuous behavior but cannot prove discrete switching correctness. Both are required for end-to-end correctness.
% Hypothesis % Hypothesis
Two steps close this gap. First, reactive synthesis generates discrete mode transitions directly from written operating procedures. Second, reachability analysis verifies continuous behavior against discrete requirements. Together, these steps transform operating procedures into logical specifications that constrain continuous dynamics, producing autonomous controllers provably free from design defects. Two steps close this gap. First, reactive synthesis generates discrete mode transitions directly from written operating procedures. Second, reachability analysis verifies continuous behavior against discrete requirements. Together, these steps transform operating procedures into logical specifications constraining continuous dynamics, producing autonomous controllers provably free from design defects.
The University of Pittsburgh Cyber Energy Center provides access to industry collaboration and Emerson control hardware, ensuring solutions align with practical implementation requirements. The University of Pittsburgh Cyber Energy Center provides access to industry collaboration and Emerson control hardware, ensuring solutions align with practical implementation requirements.

26
2-state-of-the-art/v2.tex
View File

@ -4,13 +4,13 @@
No current approach provides end-to-end correctness guarantees for autonomous control. Human-centered operation cannot eliminate reliability limits. Formal methods verify either discrete or continuous behavior—never both. No current approach provides end-to-end correctness guarantees for autonomous control. Human-centered operation cannot eliminate reliability limits. Formal methods verify either discrete or continuous behavior—never both.
Three subsections structure this analysis: reactor operators and their operating procedures, fundamental limitations of human-based operation, and formal methods approaches that verify discrete logic or continuous dynamics but not both together. Three subsections structure this analysis. The first examines reactor operators and their operating procedures. The second addresses fundamental limitations of human-based operation. The third analyzes formal methods approaches that verify discrete logic or continuous dynamics but not both together.
Section 3 addresses the verification gap these limits establish. Section 3 addresses the verification gap these limits establish.
\subsection{Current Reactor Procedures and Operation} \subsection{Current Reactor Procedures and Operation}
Current practice rests on two critical components: procedures and operators. Procedures define what must be done; operators execute those procedures. This subsection examines procedurestheir hierarchy, development process, and role in defining operational modes. The next subsection examines operatorstheir reliability limits and contribution to accidents. Current practice rests on two critical components: procedures and operators. Procedures define what must be done; operators execute those procedures. This subsection examines procedures: their hierarchy, development process, and role in defining operational modes. The next subsection examines operators: their reliability limits and contribution to accidents.
Nuclear plant procedures form a strict hierarchy. Normal operating procedures govern routine operations. Abnormal operating procedures handle off-normal conditions. Emergency Operating Procedures (EOPs) manage design-basis accidents. Severe Accident Management Guidelines (SAMGs) address beyond-design-basis events, while Extensive Damage Mitigation Guidelines (EDMGs) cover catastrophic damage. All procedures must comply with 10 CFR 50.34(b)(6)(ii); NUREG-0899 provides development guidance~\cite{NUREG-0899, 10CFR50.34}. Nuclear plant procedures form a strict hierarchy. Normal operating procedures govern routine operations. Abnormal operating procedures handle off-normal conditions. Emergency Operating Procedures (EOPs) manage design-basis accidents. Severe Accident Management Guidelines (SAMGs) address beyond-design-basis events, while Extensive Damage Mitigation Guidelines (EDMGs) cover catastrophic damage. All procedures must comply with 10 CFR 50.34(b)(6)(ii); NUREG-0899 provides development guidance~\cite{NUREG-0899, 10CFR50.34}.
@ -18,10 +18,10 @@ Procedure development rests on expert judgment and simulator validation—not fo
\textbf{LIMITATION:} \textit{Procedures lack formal verification of correctness \textbf{LIMITATION:} \textit{Procedures lack formal verification of correctness
and completeness.} No proof exists that procedures cover all and completeness.} No proof exists that procedures cover all
possible plant states, that required actions complete within available possible plant states. No proof confirms that required actions complete within available
timeframes, or that transitions between procedure sets maintain safety timeframes. No proof guarantees that transitions between procedure sets maintain safety
invariants. Paper-based procedures cannot ensure correct application. Even invariants. Paper-based procedures cannot ensure correct application. Even
computer-based procedure systems lack the formal guarantees automated reasoning computer-based procedure systems lack the formal guarantees that automated reasoning
could provide. could provide.
Nuclear plants operate with multiple control modes. Automatic control maintains target parameters through continuous reactivity adjustment. Manual control allows operators to directly manipulate the reactor. Various intermediate modes bridge these extremes. In typical pressurized water reactor operation, the reactor control system automatically maintains a floating average temperature, compensating for power demand changes through reactivity feedback loops alone. Nuclear plants operate with multiple control modes. Automatic control maintains target parameters through continuous reactivity adjustment. Manual control allows operators to directly manipulate the reactor. Various intermediate modes bridge these extremes. In typical pressurized water reactor operation, the reactor control system automatically maintains a floating average temperature, compensating for power demand changes through reactivity feedback loops alone.
@ -30,9 +30,9 @@ Safety systems already employ extensive automation. Reactor Protection Systems t
\subsection{Human Factors in Nuclear Accidents} \subsection{Human Factors in Nuclear Accidents}
Procedures lack formal verification despite rigorous development, but this represents only half the reliability challenge. Even perfect procedures cannot guarantee safe operation when executed imperfectly. Procedures lack formal verification despite rigorous development. This represents only half the reliability challenge. Even perfect procedures cannot guarantee safe operation when executed imperfectly.
Human operators—the second pillar of current practice—introduce reliability limitations independent of procedure quality. Procedures define what to do, while operators determine when and how to act. This discretion introduces persistent failure modes training cannot eliminate. Human operators—the second pillar of current practice—introduce reliability limitations independent of procedure quality. Procedures define what to do; operators determine when and how to act. This discretion introduces persistent failure modes that training cannot eliminate.
Current-generation nuclear power plants employ over 3,600 active NRC-licensed Current-generation nuclear power plants employ over 3,600 active NRC-licensed
reactor operators in the United States~\cite{operator_statistics}. These reactor operators in the United States~\cite{operator_statistics}. These
@ -68,7 +68,7 @@ Formal methods could eliminate these limitations by providing mathematical guara
This subsection examines two approaches illustrating this gap. HARDENS verified discrete logic without continuous dynamics. Differential dynamic logic handles hybrid verification only post-hoc. Each demonstrates the current state of formal methods while revealing the verification gap this research addresses. This subsection examines two approaches illustrating this gap. HARDENS verified discrete logic without continuous dynamics. Differential dynamic logic handles hybrid verification only post-hoc. Each demonstrates the current state of formal methods while revealing the verification gap this research addresses.
\subsubsection{HARDENS: The State of Formal Methods in Nuclear Control} \subsubsection{HARDENS: Formal Methods in Nuclear Control}
The High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS) The High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
project represents the most advanced application of formal methods to nuclear project represents the most advanced application of formal methods to nuclear
@ -159,12 +159,10 @@ design loop for complex systems like nuclear reactor startup procedures.
This section addressed two Heilmeier questions: What has been done? What are the limits of current practice? This section addressed two Heilmeier questions: What has been done? What are the limits of current practice?
\textbf{What has been done?} Three approaches currently exist, each with fundamental limitations. First, human operators provide operational flexibility but introduce persistent reliability constraints training cannot eliminate. Second, HARDENS verified discrete logic but omitted continuous dynamics. Third, differential dynamic logic expresses hybrid properties but requires post-design expert analysis. None addresses both discrete and continuous verification compositionally. \textbf{What has been done?} Three approaches currently exist. Each has fundamental limitations. First, human operators provide operational flexibility but introduce persistent reliability constraints that training cannot eliminate. Second, HARDENS verified discrete logic but omitted continuous dynamics. Third, differential dynamic logic expresses hybrid properties but requires post-design expert analysis. None addresses both discrete and continuous verification compositionally.
\textbf{What are the limits of current practice?} A clear verification gap emerges: no existing methodology synthesizes provably correct hybrid controllers from operational procedures with verification integrated into design. Current approaches verify discrete logic or continuous dynamics—never both compositionally. Training improvements cannot overcome human reliability limits. Post-hoc verification cannot scale to system design. \textbf{What are the limits of current practice?} A clear verification gap emerges. No existing methodology synthesizes provably correct hybrid controllers from operational procedures with verification integrated into design. Current approaches verify discrete logic or continuous dynamics—never both compositionally. Training improvements cannot overcome human reliability limits. Post-hoc verification cannot scale to system design.
\textbf{Why now?} Two forces create urgency: economic necessity and technical maturity. Small modular reactors cannot compete economically with per-megawatt staffing costs matching large conventional plants, while formal methods tools have matured sufficiently to enable compositional hybrid verification. These forces converge to make this work both necessary and achievable. The verification gap is clear: no existing methodology synthesizes provably correct hybrid controllers from operational procedures. Economic pressures demand autonomous control. Technical maturity now enables it.
This section established what has been done and the limits of current practice. The verification gap is clear: no existing methodology synthesizes provably correct hybrid controllers from operational procedures. The timing is right: economic pressures demand autonomous control while technical maturity enables it. Section 3 addresses the next two Heilmeier questions: what is new and why it will succeed. It presents the technical approach that closes this gap.
Section 3 addresses the next two Heilmeier questions—what is new and why it will succeed—presenting the technical approach that closes this gap.

56
3-research-approach/v3.tex
View File

@ -23,13 +23,13 @@ This section presents the complete technical approach for synthesizing provably
% ---------------------------------------------------------------------------- % ----------------------------------------------------------------------------
% 1. INTRODUCTION AND HYBRID SYSTEMS DEFINITION % 1. INTRODUCTION AND HYBRID SYSTEMS DEFINITION
% ---------------------------------------------------------------------------- % ----------------------------------------------------------------------------
Previous approaches verified either discrete switching logic or continuous control behavior—never both simultaneously. Engineers validate continuous controllers through extensive simulation trials and test discrete switching logic through simulated control room testing and human factors research. Neither method provides rigorous guarantees, and both consume enormous resources. Previous approaches verified either discrete switching logic or continuous control behavior—never both simultaneously. Engineers validate continuous controllers through extensive simulation trials. They test discrete switching logic through simulated control room testing and human factors research. Neither method provides rigorous guarantees. Both consume enormous resources.
This approach bridges that gap by composing formal methods from computer science with control-theoretic verification, formalizing reactor operations as hybrid automata. This approach bridges that gap. It composes formal methods from computer science with control-theoretic verification, formalizing reactor operations as hybrid automata.
Hybrid system verification faces a fundamental challenge: discrete transitions change the governing vector field, creating discontinuities traditional verification techniques cannot handle directly. Hybrid system verification faces a fundamental challenge: discrete transitions change the governing vector field, creating discontinuities that traditional verification techniques cannot handle directly.
This methodology decomposes the problem. It verifies discrete switching logic and continuous mode behavior separately, then composes them to establish guarantees for the complete hybrid system. This two-layer approach mirrors reactor operations: discrete supervisory logic determines which control mode is active, while continuous controllers govern plant behavior within each mode. This methodology decomposes the problem. It verifies discrete switching logic and continuous mode behavior separately, then composes them to guarantee correctness for the complete hybrid system. This two-layer approach mirrors reactor operations: discrete supervisory logic determines which control mode is active; continuous controllers govern plant behavior within each mode.
Hybrid systems require mathematical formalization. This work draws on automata theory, temporal logic, and control theory to provide that description. Hybrid systems require mathematical formalization. This work draws on automata theory, temporal logic, and control theory to provide that description.
@ -63,18 +63,18 @@ A HAHACS requires this tuple together with proof artifacts demonstrating that th
Three innovations enable compositional verification: Three innovations enable compositional verification:
\begin{enumerate} \begin{enumerate}
\item \textbf{Contract-based decomposition:} Instead of attempting global hybrid system verification, discrete synthesis defines entry/exit/safety contracts bounding continuous verification, transforming an intractable global problem into tractable local problems. \item \textbf{Contract-based decomposition:} Discrete synthesis defines entry/exit/safety contracts that bound continuous verification, transforming an intractable global problem into tractable local problems. This replaces traditional global hybrid system verification.
\item \textbf{Mode classification:} Continuous modes classify by control objective—transitory, stabilizing, or expulsory—matching appropriate verification tools to each mode type and enabling mode-local analysis with provable composition guarantees. \item \textbf{Mode classification:} Continuous modes classify by control objective—transitory, stabilizing, or expulsory. This classification matches appropriate verification tools to each mode type, enabling mode-local analysis with provable composition guarantees.
\item \textbf{Procedure-driven structure:} Nuclear procedures already decompose operations into discrete phases with explicit transition criteria, providing existing structure avoiding artificial abstractions and making the approach tractable for complex systems like nuclear reactor startup. \item \textbf{Procedure-driven structure:} Nuclear procedures already decompose operations into discrete phases with explicit transition criteria. This existing structure avoids artificial abstractions, making the approach tractable for complex systems like nuclear reactor startup.
\end{enumerate} \end{enumerate}
\textbf{Why will it succeed?} Three factors ensure practical feasibility where prior work has failed. \textbf{Why will it succeed?} Three factors ensure practical feasibility.
\textbf{Existing structure:} Nuclear procedures already decompose operations into discrete phases with explicit transition criteria. The approach formalizes this existing structure without imposing artificial abstractions, enabling domain experts to adopt the methodology without formal methods training. First, \textit{existing structure}: Nuclear procedures already decompose operations into discrete phases with explicit transition criteria. The approach formalizes this existing structure without imposing artificial abstractions. Domain experts can adopt the methodology without formal methods training.
\textbf{Bounded complexity:} Mode-level verification checks each mode against local contracts, avoiding global hybrid system analysis. This decomposition bounds computational complexity, transforming an intractable global problem into tractable local verifications. Second, \textit{bounded complexity}: Mode-level verification checks each mode against local contracts, avoiding global hybrid system analysis. This decomposition bounds computational complexity. It transforms an intractable global problem into tractable local verifications.
\textbf{Industrial validation:} The Emerson collaboration provides domain expertise to validate procedure formalization and industrial hardware to demonstrate implementation feasibility, ensuring solutions address real deployment constraints rather than just theoretical correctness. Third, \textit{industrial validation}: The Emerson collaboration provides domain expertise to validate procedure formalization. It provides industrial hardware to demonstrate implementation feasibility. This ensures solutions address real deployment constraints, not just theoretical correctness.
These factors combine to demonstrate feasibility on production control systems with realistic reactor models—not merely in principle. Figure~\ref{fig:hybrid_automaton} illustrates the hybrid structure for a simplified reactor startup sequence. These factors combine to demonstrate feasibility on production control systems with realistic reactor models—not merely in principle. Figure~\ref{fig:hybrid_automaton} illustrates the hybrid structure for a simplified reactor startup sequence.
@ -144,7 +144,7 @@ These factors combine to demonstrate feasibility on production control systems w
The previous subsection established the hybrid automaton formalism—a mathematical framework describing discrete modes, continuous dynamics, guards, and invariants. This formalism provides the mathematical structure for hybrid control. But a critical question remains: where do these formal descriptions originate? The previous subsection established the hybrid automaton formalism—a mathematical framework describing discrete modes, continuous dynamics, guards, and invariants. This formalism provides the mathematical structure for hybrid control. But a critical question remains: where do these formal descriptions originate?
The answer lies in existing practice. Nuclear operations already possess a natural hybrid structure mapping directly to this formalism through three control scopes: strategic, operational, and tactical. This approach constructs formal hybrid systems from existing operational knowledge, leveraging decades of domain expertise already encoded in operating procedures rather than imposing artificial abstractions. The answer lies in existing practice. Nuclear operations already possess a natural hybrid structure that maps directly to this formalism through three control scopes: strategic, operational, and tactical. This approach constructs formal hybrid systems from existing operational knowledge. It leverages decades of domain expertise already encoded in operating procedures rather than imposing artificial abstractions.
Human control of nuclear power divides into three scopes: strategic, operational, and tactical. Strategic control represents high-level, long-term decision making spanning months or years: managing labor needs and supply chains to optimize scheduled maintenance and downtime. Human control of nuclear power divides into three scopes: strategic, operational, and tactical. Strategic control represents high-level, long-term decision making spanning months or years: managing labor needs and supply chains to optimize scheduled maintenance and downtime.
@ -275,7 +275,7 @@ The synthesized automaton translates directly to executable code through standar
Reactive synthesis has proven successful in robotics, avionics, and industrial control. Recent applications synthesize robot motion planners from natural language specifications. They generate flight control software for unmanned aerial vehicles. They create verified controllers for automotive systems. These successes demonstrate that reactive synthesis scales beyond toy problems to real-world safety-critical applications. Reactive synthesis has proven successful in robotics, avionics, and industrial control. Recent applications synthesize robot motion planners from natural language specifications. They generate flight control software for unmanned aerial vehicles. They create verified controllers for automotive systems. These successes demonstrate that reactive synthesis scales beyond toy problems to real-world safety-critical applications.
Reactive synthesis produces discrete mode-switching logic from procedures. The next subsection addresses what executes within each discrete mode: continuous control and its verification. Reactive synthesis produces discrete mode-switching logic from procedures. This solves half the hybrid control problem: determining when to switch modes. The next subsection addresses the other half: what executes within each discrete mode and how to verify it.
%%% NOTES (Section 3): %%% NOTES (Section 3):
% - Mention computational complexity of synthesis (doubly exponential worst case) % - Mention computational complexity of synthesis (doubly exponential worst case)
@ -329,9 +329,9 @@ precise objectives for continuous control. The continuous controller for mode
$q_i$ must drive the system from any state in $\mathcal{X}_{entry,i}$ to some $q_i$ must drive the system from any state in $\mathcal{X}_{entry,i}$ to some
state in $\mathcal{X}_{exit,i}$ while remaining within $\mathcal{X}_{safe,i}$. state in $\mathcal{X}_{exit,i}$ while remaining within $\mathcal{X}_{safe,i}$.
Continuous controllers classify into three types based on control objectives, each requiring distinct verification tools. Transitory modes drive the plant between operating conditions. Stabilizing modes maintain the plant within operating regions. Expulsory modes ensure safety under degraded conditions. Continuous controllers classify into three types based on control objectives. Each type requires distinct verification tools. Transitory modes drive the plant between operating conditions. Stabilizing modes maintain the plant within operating regions. Expulsory modes ensure safety under degraded conditions.
The following subsections detail each mode type and its verification approach, progressing from nominal operations—transitory and stabilizing modes—to off-nominal scenarios handled by expulsory modes. The following subsections detail each mode type and its verification approach. We progress from nominal operations—transitory and stabilizing modes—to off-nominal scenarios handled by expulsory modes.
%%% NOTES (Section 4): %%% NOTES (Section 4):
% - Add figure showing the relationship between entry/exit/safety sets % - Add figure showing the relationship between entry/exit/safety sets
@ -392,9 +392,9 @@ appropriate to the fidelity of the reactor models available.
\subsubsection{Stabilizing Modes} \subsubsection{Stabilizing Modes}
Transitory modes drive the system toward exit conditions, and reachability analysis verifies whether the target can be reached. Stabilizing modes address a different question. Transitory modes drive the system toward exit conditions. Reachability analysis verifies whether the target can be reached. Stabilizing modes address a different question.
Rather than asking "can the system reach a target?" stabilizing modes ask "will the system stay within bounds?" Unlike transitory modes that aim to reach a target, stabilizing modes maintain the system within a desired operating region indefinitely. Examples include steady-state power operation, hot standby, and load-following at constant power level. This different control objective requires a different verification approach. Rather than asking "can the system reach a target?" stabilizing modes ask "will the system stay within bounds?" Transitory modes aim to reach a target; stabilizing modes maintain the system within a desired operating region indefinitely. Examples include steady-state power operation, hot standby, and load-following at constant power level. This different control objective requires a different verification approach.
Reachability analysis answers "can the system reach a target?" Stabilizing modes instead ask "does the system stay within bounds?" Barrier certificates provide the appropriate verification tool for this question. Reachability analysis answers "can the system reach a target?" Stabilizing modes instead ask "does the system stay within bounds?" Barrier certificates provide the appropriate verification tool for this question.
Barrier certificates analyze the dynamics of the system to determine whether Barrier certificates analyze the dynamics of the system to determine whether
@ -526,31 +526,31 @@ outcomes can align best with customer needs.
This section addressed two critical Heilmeier questions: What is new? Why will it succeed? This section addressed two critical Heilmeier questions: What is new? Why will it succeed?
\textbf{What is new?} Three innovations enable compositional verification by integrating reactive synthesis, reachability analysis, and barrier certificates: \textbf{What is new?} Three innovations enable compositional verification by integrating reactive synthesis, reachability analysis, and barrier certificates.
First, \textit{contract-based decomposition} inverts traditional global analysis. Discrete synthesis defines verification contracts bounding continuous verification. First, \textit{contract-based decomposition} inverts traditional global analysis. Discrete synthesis defines verification contracts that bound continuous verification.
Second, \textit{mode classification} enables mode-local analysis with provable composition guarantees by matching continuous modes to appropriate verification tools. Second, \textit{mode classification} matches continuous modes to appropriate verification tools. This enables mode-local analysis with provable composition guarantees.
Third, \textit{procedure-driven structure} leverages existing procedural decomposition, avoiding intractable state explosion. Third, \textit{procedure-driven structure} leverages existing procedural decomposition. This avoids intractable state explosion.
Section 2 established that prior work verified discrete logic or continuous dynamics—never both compositionally. These three innovations enable what global analysis cannot achieve: compositional verification spanning from procedures to verified implementation. Section 2 established that prior work verified discrete logic or continuous dynamics—never both compositionally. These three innovations enable what global analysis cannot: compositional verification spanning from procedures to verified implementation.
\textbf{Why will it succeed?} Three factors ensure practical feasibility: \textbf{Why will it succeed?} Three factors ensure practical feasibility.
\textit{Existing structure:} Nuclear procedures already decompose operations into discrete phases with explicit transition criteria, allowing formalization without artificial abstractions. \textit{Existing structure}: Nuclear procedures already decompose operations into discrete phases with explicit transition criteria. This allows formalization without artificial abstractions.
\textit{Bounded complexity:} Mode-level verification bounds each verification problem locally, avoiding the state explosion making global hybrid system analysis intractable. \textit{Bounded complexity}: Mode-level verification bounds each problem locally. This avoids the state explosion that makes global hybrid system analysis intractable.
\textit{Industrial validation:} Emerson collaboration provides domain expertise to validate procedure formalization and industrial hardware to demonstrate implementation feasibility, ensuring solutions address real deployment constraints. \textit{Industrial validation}: Emerson collaboration provides domain expertise to validate procedure formalization. It provides industrial hardware to demonstrate implementation feasibility. This ensures solutions address real deployment constraints.
The complete technical methodology is now established. The complete technical methodology is now established.
Sections 2 and 3 addressed the first four Heilmeier questions. Section 2 established what has been done and what limits current practice. Section 3 explained what is new and why it will succeed. Sections 2 and 3 addressed the first four Heilmeier questions. Section 2 established what has been done and what limits current practice. Section 3 explained what is new and why it will succeed.
Three questions remain: How will success be measured? What could prevent success? Who cares, why now, and what difference will this work make? Three questions remain. How will success be measured? What could prevent success? Who cares, and what difference will this work make?
Section 4 addresses metrics for success. Section 5 identifies what could prevent success. Section 6 explains who cares, why now, and what difference this work will make. Section 4 addresses metrics for success. Section 5 identifies what could prevent success. Section 6 explains who cares and what difference this work will make.
%%% NOTES (Section 5): %%% NOTES (Section 5):
% - Get specific details on ARCADE interface from Emerson collaboration % - Get specific details on ARCADE interface from Emerson collaboration

18
4-metrics-of-success/v1.tex
View File

@ -2,9 +2,13 @@
\textbf{Heilmeier Question: How will success be measured?} \textbf{Heilmeier Question: How will success be measured?}
Section 3 established the technical approach: compositional verification bridges discrete synthesis with continuous control. It will succeed because it leverages existing procedural structure, bounds computational complexity, and validates against industrial hardware. This section addresses the next Heilmeier question: How will success be measured? Section 3 established the technical approach: compositional verification bridges discrete synthesis with continuous control. It will succeed because it leverages existing procedural structure, bounds computational complexity, and validates against industrial hardware.
Success is measured by Technology Readiness Level advancement from fundamental concepts (TRL 2--3) to validated prototype demonstration (TRL 5), where system components operate successfully in a relevant laboratory environment. TRL advancement provides the most appropriate success metric because it explicitly measures the gap between academic proof-of-concept and practical deployment. This section explains why TRLs appropriately measure success, then defines specific criteria for each level from TRL 3 through TRL 5. This section addresses the next Heilmeier question: How will success be measured?
Success is measured by Technology Readiness Level advancement from fundamental concepts (TRL 2--3) to validated prototype demonstration (TRL 5). At TRL 5, system components operate successfully in a relevant laboratory environment.
TRL advancement provides the most appropriate success metric. It explicitly measures the gap between academic proof-of-concept and practical deployment. This section explains why TRLs appropriately measure success. It then defines specific criteria for each level from TRL 3 through TRL 5.
Technology Readiness Levels provide the ideal success metric for work bridging academic proof-of-concept and practical deployment. Technology Readiness Levels provide the ideal success metric for work bridging academic proof-of-concept and practical deployment.
@ -85,14 +89,14 @@ This section answered the Heilmeier question: How will success be measured?
\textbf{Answer:} Technology Readiness Level advancement from 2--3 to 5. Each level demonstrates both theoretical correctness and practical feasibility through progressively integrated validation. \textbf{Answer:} Technology Readiness Level advancement from 2--3 to 5. Each level demonstrates both theoretical correctness and practical feasibility through progressively integrated validation.
TRL 3 proves component-level correctness: each methodology element works independently. TRL 3 proves component-level correctness. Each methodology element works independently.
TRL 4 demonstrates system-level integration in simulation: components compose correctly. TRL 4 demonstrates system-level integration in simulation. Components compose correctly.
TRL 5 validates hardware implementation in a relevant environment: the complete system operates on industrial control hardware. TRL 5 validates hardware implementation in a relevant environment. The complete system operates on industrial control hardware.
Achieving TRL 5 proves the methodology produces verified controllers implementable with current technologynot merely theoretically sound but practically deployable. Achieving TRL 5 proves the methodology produces verified controllers implementable with current technology. The result is not merely theoretically sound but practically deployable.
Sections 2 through 4 addressed five Heilmeier questions. Section 2 established what has been done and what limits current practice. Section 3 explained what is new and why it will succeed. This section defined how to measure success. Sections 2 through 4 addressed five Heilmeier questions. Section 2 established what has been done and what limits current practice. Section 3 explained what is new and why it will succeed. This section defined how to measure success.
But success assumes critical technical challenges can be overcome. Section 5 addresses what could prevent success and how to respond when assumptions fail. Success assumes critical technical challenges can be overcome. Section 5 addresses what could prevent success. It explains how to respond when assumptions fail.

6
5-risks-and-contingencies/v1.tex
View File

@ -2,13 +2,13 @@
\textbf{Heilmeier Question: What could prevent success?} \textbf{Heilmeier Question: What could prevent success?}
Section 4 defined success as reaching TRL 5 through component validation, system integration, and hardware demonstration. This definition assumes critical technical challenges can be overcome. Section 4 defined success as reaching TRL 5 through component validation, system integration, and hardware demonstration. This assumes critical technical challenges can be overcome.
Every research plan rests on assumptions that might prove false. Three primary risks could prevent reaching TRL 5: computational tractability of synthesis and verification, complexity of the discrete-continuous interface, and completeness of procedure formalization. Every research plan rests on assumptions that might prove false. Three primary risks could prevent reaching TRL 5: computational tractability of synthesis and verification, complexity of the discrete-continuous interface, and completeness of procedure formalization.
Each risk has identifiable early warning indicators and viable mitigation strategies. Each risk has identifiable early warning indicators. Each has viable mitigation strategies. Each carries contingency plans that preserve research value even when core assumptions fail.
Each risk carries associated early warning indicators and contingency plans that preserve research value even when core assumptions fail. The staged project structure ensures that partial success yields publishable results and clearly identifies remaining barriers to deployment, even when full success proves elusive. The staged project structure ensures partial success yields publishable results. It clearly identifies remaining barriers to deployment, even when full success proves elusive.
\subsection{Computational Tractability of Synthesis} \subsection{Computational Tractability of Synthesis}

12
6-broader-impacts/v1.tex
View File

@ -2,21 +2,21 @@
\textbf{Heilmeier Questions: Who cares? Why now? What difference will it make?} \textbf{Heilmeier Questions: Who cares? Why now? What difference will it make?}
Sections 2 through 5 established the complete technical research plan: what has been done, what is new and why it will succeed, how to measure success, and what could prevent success. Sections 2 through 5 established the complete technical research plan. They addressed what has been done, what is new and why it will succeed, how to measure success, and what could prevent success.
This section addresses the remaining Heilmeier questions by connecting technical methodology to economic and societal impact: who cares, why now, and what difference this work will make. This section addresses the remaining Heilmeier questions. It connects technical methodology to economic and societal impact.
\textbf{Who cares?} Three stakeholder groups face the same economic constraint: high operating costs driven by staffing requirements. The nuclear industry faces uncompetitive per-megawatt costs for small modular reactors. Datacenter operators need hundreds of megawatts of continuous clean power for AI infrastructure. Clean energy advocates need nuclear power to be economically competitive with fossil alternatives. All three require autonomous control with safety guarantees. \textbf{Who cares?} Three stakeholder groups face the same economic constraint: high operating costs driven by staffing requirements. The nuclear industry faces uncompetitive per-megawatt costs for small modular reactors. Datacenter operators need hundreds of megawatts of continuous clean power for AI infrastructure. Clean energy advocates need nuclear power to compete economically with fossil alternatives. All three require autonomous control with safety guarantees.
\textbf{What difference will it make?} This research directly addresses a \$21--28 billion annual cost barrier, enabling economically viable small modular reactors for datacenter power and establishing a generalizable framework for safety-critical autonomous systems across critical infrastructure. \textbf{What difference will it make?} This research directly addresses a \$21--28 billion annual cost barrier. It enables economically viable small modular reactors for datacenter power. It establishes a generalizable framework for safety-critical autonomous systems across critical infrastructure.
\textbf{Why now?} Exponentially growing AI infrastructure demands have transformed this longstanding challenge into an immediate crisis, creating a market demanding solutions that did not exist before. \textbf{Why now?} Exponentially growing AI infrastructure demands have transformed this longstanding challenge into an immediate crisis. A market now demands solutions that did not exist before.
Nuclear power presents both a compelling application domain and an urgent economic challenge. Recent interest in powering artificial intelligence infrastructure has renewed focus on small modular reactors (SMRs) for hyperscale datacenters requiring hundreds of megawatts of continuous power. SMRs deployed at datacenter sites minimize transmission losses and eliminate emissions, but at this scale, nuclear power economics demand careful attention to operating costs. Nuclear power presents both a compelling application domain and an urgent economic challenge. Recent interest in powering artificial intelligence infrastructure has renewed focus on small modular reactors (SMRs) for hyperscale datacenters requiring hundreds of megawatts of continuous power. SMRs deployed at datacenter sites minimize transmission losses and eliminate emissions, but at this scale, nuclear power economics demand careful attention to operating costs.
The U.S. Energy Information Administration's Annual Energy Outlook 2022 projects advanced nuclear power entering service in 2027 will cost \$88.24 per megawatt-hour~\cite{eia_lcoe_2022}. Datacenter electricity demand is projected to reach 1,050 terawatt-hours annually by 2030~\cite{eesi_datacenter_2024}. Nuclear power supplying this demand would generate total annual costs exceeding \$92 billion. The U.S. Energy Information Administration's Annual Energy Outlook 2022 projects advanced nuclear power entering service in 2027 will cost \$88.24 per megawatt-hour~\cite{eia_lcoe_2022}. Datacenter electricity demand is projected to reach 1,050 terawatt-hours annually by 2030~\cite{eesi_datacenter_2024}. Nuclear power supplying this demand would generate total annual costs exceeding \$92 billion.
Operations and maintenance represents a substantial component. The EIA estimates fixed O\&M costs alone account for \$16.15 per megawatt-hour. Additional variable O\&M costs are embedded in fuel and operating expenses~\cite{eia_lcoe_2022}. Combined, O\&M-related costs represent approximately 23--30\% of total levelized cost. This translates to \$21--28 billion annually for projected datacenter demand. Operations and maintenance represents a substantial component. The EIA estimates fixed O\&M costs alone account for \$16.15 per megawatt-hour. Variable O\&M costs are embedded in fuel and operating expenses~\cite{eia_lcoe_2022}. Combined, O\&M-related costs represent approximately 23--30\% of total levelized cost. For projected datacenter demand, this translates to \$21--28 billion annually.
\textbf{What difference will it make?} This research directly addresses the \$21--28 billion annual O\&M cost barrier. High-assurance autonomous control makes small modular reactors economically viable for datacenter power while maintaining nuclear safety standards. Beyond immediate economic impact, the methodology establishes a generalizable framework for safety-critical autonomous systems across critical infrastructure. \textbf{What difference will it make?} This research directly addresses the \$21--28 billion annual O\&M cost barrier. High-assurance autonomous control makes small modular reactors economically viable for datacenter power while maintaining nuclear safety standards. Beyond immediate economic impact, the methodology establishes a generalizable framework for safety-critical autonomous systems across critical infrastructure.

6
8-schedule/v1.tex
View File

@ -2,9 +2,11 @@
\textbf{Heilmeier Question: How long will it take?} \textbf{Heilmeier Question: How long will it take?}
Section 6 demonstrated that this work addresses a \$21--28 billion annual cost barrier and establishes a generalizable framework for safety-critical autonomous systems. This final section addresses the last Heilmeier question: How long will it take? Section 6 demonstrated that this work addresses a \$21--28 billion annual cost barrier. It establishes a generalizable framework for safety-critical autonomous systems.
This research will be conducted over six trimesters (24 months) of full-time effort following the proposal defense in Spring 2026. The University of Pittsburgh Cyber Energy Center and NRC Fellowship provide all computational and experimental resources, with work progressing sequentially through three main research thrusts and culminating in integrated demonstration and validation. This final section addresses the last Heilmeier question: How long will it take?
This research will be conducted over six trimesters (24 months) of full-time effort following the proposal defense in Spring 2026. The University of Pittsburgh Cyber Energy Center and NRC Fellowship provide all computational and experimental resources. Work progresses sequentially through three main research thrusts, culminating in integrated demonstration and validation.
The first semester (Spring 2026) focuses on Thrust 1, translating startup The first semester (Spring 2026) focuses on Thrust 1, translating startup
procedures into formal temporal logic specifications using FRET. This procedures into formal temporal logic specifications using FRET. This