25 changed files with 2983 additions and 2120 deletions
--- a/.DS_Store
+++ b/.DS_Store
--- a/.gitignore
+++ b/.gitignore
@ -36,15 +36,3 @@ Thumbs.db
 *.swo
 .vscode/
 .idea/
 *.sty
 .DS_Store
 *.aux
 *.bbl
 *.blg
 *.fdb_latexmk
 *.fls
 *.log
 *.pdf
 *.toc
 *.out
 *.synctex.gz
--- a/.latexmkrc
+++ b/.latexmkrc
@ -1,3 +0,0 @@
 $pdflatex = 'pdflatex -interaction=nonstopmode %O %S';
 $bibtex_use = 2;
 $pdf_mode = 1;
--- a/1-goals-and-outcomes/goals.tex
+++ b/1-goals-and-outcomes/goals.tex
@ -16,15 +16,16 @@ manage reactor control. These operators make critical decisions about when to
 switch between different control modes based on their interpretation of plant
 conditions and procedural guidance.
 % Gap
-This reliance on human operators prevents autonomous control and creates a
+This reliance on human operators not only prevents autonomous control
-fundamental economic barrier for next-generation reactor designs. Small modular
+capabilities but creates a fundamental economic challenge for next-generation
-reactors face per-megawatt staffing costs far exceeding those of conventional
+reactor designs. Small modular reactors, in particular, face per-megawatt
-plants, threatening their economic viability.
+staffing costs far exceeding those of conventional plants and threaten their
 economic viability.
 % Critical Need
-What is needed is a method to create autonomous control systems that safely
+Autonomous control systems must safely manage complex operational sequences with
-manage complex operational sequences with the same assurance as human-operated
+the same assurance as human-operated systems, but without constant human
-systems, but without constant human supervision.
+supervision.
 % APPROACH PARAGRAPH Solution
 To address this need, we will combine formal methods with control theory to
 build hybrid control systems that are correct by construction.
@ -34,7 +35,11 @@ mirroring how operators change control strategies. Existing formal methods can
 generate provably correct switching logic from written requirements, but they
 cannot handle the continuous dynamics that occur during transitions between
 modes. Meanwhile, traditional control theory can verify continuous behavior but
-lacks tools for proving correctness of discrete switching decisions.
+lacks tools for proving correctness of discrete switching
 decisions. This work is conducted within the University of Pittsburgh Cyber Energy Center,
 which provides access to industry collaboration and Emerson control hardware,
 ensuring that developed solutions align with practical implementation
 requirements.
 % Hypothesis
 By synthesizing discrete mode transitions directly from written operating
 procedures and verifying continuous behavior between transitions, we can create
@ -44,10 +49,7 @@ verified against transition requirements, then autonomous controllers can be
 built that are provably free from design defects.
 % Pay-off
 This approach will enable autonomous control in nuclear power plants while
-maintaining the high safety standards required by the industry. The University
+maintaining the high safety standards required by the industry.
 of Pittsburgh Cyber Energy Center's partnership with Emerson provides access to
 industry-standard control hardware, ensuring that developed solutions align with
 practical implementation requirements from the outset.
 % OUTCOMES PARAGRAPHS
 If this research is successful, we will be able to do the following:
@ -64,20 +66,19 @@ If this research is successful, we will be able to do the following:
    logic.
    % Outcome
    Control system engineers will generate verified mode-switching controllers
-    directly from regulatory procedures, lowering the barrier to high-assurance
+    directly from regulatory procedures without formal methods expertise,
-    control systems.
+    lowering the barrier to high-assurance control systems.
    % OUTCOME 2 Title
  \item \textbf{Verify continuous control behavior across mode transitions.}
    % Strategy
    We will establish methods for analyzing continuous control modes to ensure
    they satisfy discrete transition requirements. Using classical control
-    theory for linear systems and reachability analysis for nonlinear
+    theory for linear systems and reachability analysis for nonlinear dynamics,
-    dynamics, we will verify that each continuous mode safely reaches its
+    we will verify that each continuous mode safely reaches its intended
-    intended transitions.
+    transitions.
-    % Outcome
+    Engineers will design continuous controllers using standard practices while
-    Engineers will design continuous controllers using standard practices
+    iterating to ensure broader system correctness, proving that mode
    while iterating to ensure broader system correctness, proving that mode
    transitions occur safely and at the correct times.
    % OUTCOME 3  Title
@ -92,18 +93,23 @@ If this research is successful, we will be able to do the following:
    operation.
    % Outcome
    We will demonstrate that autonomous hybrid control can be realized in the
-    nuclear industry with current equipment, establishing a path toward
+    nuclear industry with current equipment, establishing a path toward reduced
-    reduced operator staffing while maintaining safety.
+    operator staffing while maintaining safety.
 \end{enumerate}
 % IMPACT PARAGRAPH Innovation
 The innovation in this work is unifying discrete synthesis with continuous
-verification to enable end-to-end correctness guarantees for hybrid systems.
+verification to enable end-to-end correctness guarantees for hybrid 
 systems.
 % Outcome Impact
 If successful, control engineers will create autonomous controllers from
 existing procedures with mathematical proof of correct behavior. High-assurance
 autonomous control will become practical for safety-critical applications.
 % Impact/Pay-off
-This research will provide the tools to achieve that autonomy while maintaining
+This capability is essential for the economic viability of next-generation
-the exceptional safety record the nuclear industry requires.
+nuclear power. Small modular reactors offer a promising solution to growing
 energy demands, but their success depends on reducing per-megawatt operating
 costs through increased autonomy. This research will provide the tools to
 achieve that autonomy while maintaining the exceptional safety record the
 nuclear industry requires.
--- a/1-goals-and-outcomes/research-statement.tex
+++ b/1-goals-and-outcomes/research-statement.tex
@ -1,57 +1,64 @@
 \dasnote{Research statement is very similar to GO because that's what I had
 when I prepared it. If it's going to be an executive summary, it should talk
 more about the other sections rather than just being a slightly different GO
 section.}
 % GOAL PARAGRAPH
 The goal of this research is to develop a methodology for creating autonomous
-hybrid control systems with mathematical guarantees of safe and correct
+control systems with event-driven control laws that have guarantees of safe and
-behavior.
+correct behavior.\splitnote{Strong, direct opening. Sets scope immediately.}
 % INTRODUCTORY PARAGRAPH Hook
 Nuclear power relies on extensively trained operators who follow detailed
 written procedures to manage reactor control. Based on these procedures and
-their interpretation of plant conditions, they make critical decisions about
+operators' interpretation of plant conditions, operators make critical decisions
-when to switch between control objectives.
+about when to switch between control objectives.\splitsuggest{Consider: 
 ``operators'' appears 3x in two sentences. Maybe: ``Based on these procedures 
 and their interpretation of plant conditions, they make critical decisions...''}
 % Gap
-This reliance on human operators has created an economic challenge for
+But, reliance on human operators has created an economic challenge for
-next-generation nuclear power plants. Small modular reactors face significantly
+next-generation nuclear power plants.\splitpolish{``But, reliance'' — the comma 
-higher per-megawatt staffing costs than conventional plants. Autonomous control
+after ``But'' is unusual. Either drop it or restructure: ``However, this 
-systems are needed that can safely manage complex operational sequences with the
+reliance...'' or ``This reliance, however, has created...''} Small modular 
-same assurance as human-operated systems, but without constant supervision.
+reactors face significantly higher per-megawatt staffing costs than conventional 
 plants. Autonomous control systems are needed that can safely manage complex 
 operational sequences with the same assurance as human-operated systems, but 
 without constant supervision.\splitsuggest{``are needed that can'' — passive. 
 Try: ``Autonomous control systems must safely manage...''}
 % APPROACH PARAGRAPH Solution
-To address this need, we will combine formal methods from computer science
+To address this need, we will combine formal methods from computer science with
-with control theory to build hybrid control systems that are correct by
+control theory to build hybrid control systems that are correct by 
-construction, leveraging the extensive domain knowledge already embedded in
+construction.\splitnote{Clear statement of approach.}
 existing operating procedures and safety analyses.
 % Rationale
 Hybrid systems use discrete logic to switch between continuous control modes,
 similar to how operators change control strategies. Existing formal methods
-generate provably correct switching logic but cannot handle continuous
+generate provably correct switching logic but cannot handle continuous dynamics
-dynamics during transitions, while traditional control theory verifies
+during transitions, while traditional control theory verifies continuous
-continuous behavior but lacks tools for proving discrete switching
+behavior but lacks tools for proving discrete switching 
-correctness.
+correctness.\splitnote{Nice parallel structure showing the gap.}
 % Hypothesis and Technical Approach
 We will bridge this gap through a three-stage methodology. First, we will
 translate written operating procedures into temporal logic specifications using
-NASA's Formal Requirements Elicitation Tool (FRET). FRET structures requirements
+NASA's Formal Requirements Elicitation Tool (FRET), which structures
-into scope, condition, component, timing, and response elements. This approach
+requirements into scope, condition, component, timing, and response elements.
-enables realizability checking that identifies conflicts and ambiguities in
+This structured approach enables realizability checking to identify conflicts
-procedures before implementation. Second, we will synthesize discrete mode
+and ambiguities in procedures before implementation. Second, we will synthesize
-switching logic using reactive synthesis to produce deterministic automata that
+discrete mode switching logic using reactive synthesis
-are correct by construction. Third, we will develop continuous controllers for
+to generate deterministic automata that are provably
-each discrete mode using standard control theory and reachability analysis. We
+correct by construction. Third, we will develop continuous
-will classify continuous modes based on their transition objectives and verify
+controllers for each discrete mode using standard control theory and
-safe mode transitions using barrier certificates and reachability analysis.
+reachability analysis. We will classify continuous modes based on their
-This compositional approach enables local verification of continuous modes
+transition objectives, and then employ assume-guarantee contracts and barrier
-without requiring global trajectory analysis across the entire hybrid system.
+certificates to prove that mode transitions occur safely and as defined by the
-We will validate this methodology through hardware-in-the-loop testing
+deterministic automata. This compositional approach enables local verification
-on an Emerson Ovation distributed control system, made possible through the
+of continuous modes without requiring global trajectory analysis across the
-University of Pittsburgh Cyber Energy Center's industry partnership.
+entire hybrid system. We will demonstrate this on an Emerson Ovation control 
 system.\splitsuggest{This paragraph is dense. Consider breaking after the 
 three stages, then a new paragraph for the compositional verification point 
 and Emerson demo.}
 % Pay-off
-This approach enables autonomous management of complex nuclear power operations
+This approach will demonstrate autonomous control can be used for complex
-while maintaining safety guarantees.
+nuclear power operations while maintaining safety 
 guarantees.\splitpolish{``can be used for'' — weak. Try: ``...will demonstrate 
 that autonomous control can manage complex nuclear power operations while 
 maintaining safety guarantees.'' Or even stronger: ``...enables autonomous 
 management of complex nuclear power operations with safety guarantees.''}
 % OUTCOMES PARAGRAPHS
 If this research is successful, we will be able to do the following:
@ -63,11 +70,13 @@ If this research is successful, we will be able to do the following:
    into formal specifications. These specifications will be synthesized into
    discrete control logic using reactive synthesis tools.     
    % Outcome
-    Control engineers will be able to generate mode-switching
+    Control engineers will be able to generate mode-switching controllers from
-    controllers from regulatory procedures, reducing barriers to high-assurance control systems.
+    regulatory procedures with little formal methods expertise, reducing
    barriers to high-assurance control 
    systems.\splitnote{Good practical framing — emphasizes accessibility.}
    % OUTCOME 2 Title
-  \item \textit{Verify continuous control behavior across mode transitions.}
+  \item \textit{Verify continuous control behavior across mode transitions. }
    % Strategy
    We will develop methods using reachability analysis to ensure continuous 
    control modes satisfy discrete transition requirements. 
@ -78,13 +87,14 @@ If this research is successful, we will be able to do the following:
    % OUTCOME 3  Title
  \item \textit{Demonstrate autonomous reactor startup control with safety
-    guarantees.}
+    guarantees. }
    % Strategy
    We will implement this methodology on a small modular reactor simulation
-    using industry-standard control hardware.
+    using industry-standard control hardware.     % Outcome
-    % Outcome
+    Control engineers will be able to implement high-assurance autonomous
-    Without retraining costs or new equipment, control engineers
+    controls on industrial platforms they already use, enabling users to
-    will be able to implement high-assurance autonomous controls on industrial
+    achieve autonomy without retraining costs or developing new 
-    hardware they already use. 
+    equipment.\splitnote{Strong industrial grounding — the ``platforms they 
    already use'' point is compelling for adoption.}
 \end{enumerate}
--- a/2-state-of-the-art/state-of-art.tex
+++ b/2-state-of-the-art/state-of-art.tex
@ -1,130 +1,149 @@
 \section{State of the Art and Limits of Current Practice}
 The principal aim of this research is to create autonomous reactor control
-systems that are tractably safe. Understanding what is being automated requires
+systems that are tractably safe. To understand what is being automated, we must
-understanding how nuclear reactors are operated today. This section examines
+first understand how nuclear reactors are operated today. This section examines
-reactor operating procedures, investigates limitations of human-based operation,
+reactor operators and the operating procedures we aim to leverage, then
-and reviews current formal methods approaches to reactor control systems.
+investigates limitations of human-based operation, and concludes with current
 formal methods approaches to reactor control 
 systems.
 \subsection{Current Reactor Procedures and Operation}
-Nuclear plant operations are governed by a hierarchy of written procedures,
+Nuclear plant procedures exist in a hierarchy: normal operating procedures for
-ranging from normal operating procedures for routine operations to Emergency
+routine operations, abnormal operating procedures for off-normal conditions,
-Operating Procedures (EOPs) for design-basis accidents and Severe Accident
+Emergency Operating Procedures (EOPs) for design-basis accidents, Severe
-Management Guidelines (SAMGs) for beyond-design-basis events. These procedures
+Accident Management Guidelines (SAMGs) for beyond-design-basis events, and
-exist because reactor operation requires deterministic responses to a wide range
+Extensive Damage Mitigation Guidelines (EDMGs) for catastrophic damage
-of plant conditions, from routine power changes to catastrophic failures. These
+scenarios. These procedures must comply with 10 CFR 50.34(b)(6)(ii) and are
-procedures must comply with 10 CFR 50.34(b)(6)(ii) and are developed using
+developed using guidance from NUREG-0899~\cite{NUREG-0899, 10CFR50.34}, but their
-guidance from NUREG-0899~\cite{NUREG-0899, 10CFR50.34}. Procedures undergo
+development relies fundamentally on expert judgment and simulator validation
-technical evaluation, simulator validation testing, and biennial review as part
+rather than formal verification. Procedures undergo technical evaluation,
-of operator requalification under 10 CFR 55.59~\cite{10CFR55.59}. Despite this
+simulator validation testing, and biennial review as part of operator
-rigor, procedures fundamentally lack exhaustive verification of key safety
+requalification under 10 CFR 55.59~\cite{10CFR55.59}. 
 properties. 
-\textbf{LIMITATION:} \textit{Procedures lack exhaustive verification of
+\textbf{LIMITATION:} \textit{Procedures lack formal verification of correctness
-correctness and completeness.}  No mathematical proof exists that procedures
+and completeness.} Current procedure development relies on expert judgment and
-cover all possible plant states, that required actions can be completed within
+simulator validation. No mathematical proof exists that procedures cover all
-available timeframes, or that transitions between procedure sets maintain safety
+possible plant states, that required actions can be completed within available
 timeframes, or that transitions between procedure sets maintain safety
 invariants. Paper-based procedures cannot ensure correct application, and even
 computer-based procedure systems lack the formal guarantees that automated
 reasoning could provide.
-Nuclear plants operate with multiple control modes: automatic control, where
+Nuclear plants operate with multiple control modes: automatic control, where the
-the reactor control system maintains target parameters through continuous
+reactor control system maintains target parameters through continuous reactivity
-reactivity adjustment; manual control, where operators directly manipulate
+adjustment; manual control, where operators directly manipulate the reactor; and
-the reactor; and various intermediate modes. In typical pressurized water
+various intermediate modes. In typical pressurized water reactor operation, the
-reactor operation, the reactor control system automatically maintains a
+reactor control system automatically maintains a floating average temperature
-floating average temperature and compensates for power demand changes through
+and compensates for power demand changes through reactivity feedback loops
-reactivity feedback loops alone. Safety systems, by contrast, operate with
+alone. Safety systems, by contrast, operate with implemented automation. Reactor
-implemented automation. Reactor Protection Systems trip automatically on
+Protection Systems trip automatically on safety signals with millisecond
-safety signals with millisecond response times, and engineered safety
+response times, and engineered safety features actuate automatically on accident
-features actuate automatically on accident signals without operator action
+signals without operator action required.
 required.
-This division between automated and human-controlled
+The division between automated and human-controlled functions reveals the
-functions is itself the hybrid control problem. Automated systems handle
+fundamental challenge of hybrid control. Highly automated systems handle reactor
-reactor protection: trips on safety parameters, emergency core cooling
+protection---automatic trips on safety parameters, emergency core cooling
 actuation, containment isolation, and basic process
-control~\cite{WRPS.Description, gentillon_westinghouse_1999}. Human
+control~\cite{WRPS.Description, gentillon_westinghouse_1999}. Human operators,
-operators retain control of everything else: power level changes,
+however, retain control of strategic decision-making: power level changes,
 startup/shutdown sequences, mode transitions, and procedure 
 implementation.
 \subsection{Human Factors in Nuclear Accidents}
 Current-generation nuclear power plants employ over 3,600 active NRC-licensed
 reactor operators in the United States~\cite{operator_statistics}. These
 operators divide into Reactor Operators (ROs), who manipulate reactor controls,
 and Senior Reactor Operators (SROs), who direct plant operations and serve as
 shift supervisors~\cite{10CFR55}. Staffing typically requires at least two ROs
 and one SRO for current-generation units~\cite{10CFR50.54}. Becoming a reactor
 operator requires several years of training.
 The persistent role of human error in nuclear safety incidents---despite decades
 of improvements in training and procedures---provides the most compelling
-motivation for formal automated control with mathematical safety guarantees.
+motivation for formal automated control with mathematical safety 
-Operators hold legal authority under 10 CFR Part 55 to make critical
+guarantees. Operators hold legal authority under 10 CFR Part 55 to make critical decisions,
-decisions~\cite{10CFR55}, including departing from normal regulations during
+including departing from normal regulations during emergencies. The Three Mile
-emergencies. This authority itself introduces risk. The Three Mile Island (TMI)
+Island (TMI) accident demonstrated how a combination of personnel error, design
-accident demonstrated how a combination of personnel error, design deficiencies,
+deficiencies, and component failures led to partial meltdown when operators
-and component failures led to partial meltdown when operators misread confusing
+misread confusing and contradictory readings and shut off the emergency water
 and contradictory readings and shut off the emergency water
 system~\cite{Kemeny1979}. The President's Commission on TMI identified a
 fundamental ambiguity: placing responsibility for safe power plant operations on
 the licensee without formal verification that operators can fulfill this
 responsibility does not guarantee safety. This tension between operational
 flexibility and safety assurance remains unresolved: the person responsible for
-reactor safety is often the root cause of failures.
+reactor safety is often the root cause of 
 failures.
 Multiple independent analyses converge on a striking statistic: 70--80\% of
 nuclear power plant events are attributed to human error, versus approximately
-20\% to equipment failures~\cite{noauthor_human_nodate}. More significantly, the
+20\% to equipment failures~\cite{WNA2020}. More significantly, the root cause of
-root cause of all severe accidents at nuclear power plants---Three Mile Island,
+all severe accidents at nuclear power plants---Three Mile Island, Chernobyl, and
-Chernobyl, and Fukushima Daiichi---has been identified as primarily human
+Fukushima Daiichi---has been identified as poor safety management and safety
-factors~\cite{hogberg_root_2013}. A detailed analysis of 190 events at Chinese
+culture: primarily human factors~\cite{hogberg_root_2013}. A detailed analysis
-nuclear power plants from 2007--2020~\cite{zhang_analysis_2025} found that 53\%
+of 190 events at Chinese nuclear power plants from
-of events involved active errors, while 92\% were associated with latent
+2007--2020~\cite{zhang_analysis_2025} found that 53\% of events involved active
-errors---organizational and systemic weaknesses that create conditions for
+errors, while 92\% were associated with latent errors---organizational and
 systemic weaknesses that create conditions for 
 failure.
-\textbf{LIMITATION:} \textit{Human factors impose fundamental reliability
+
-limits that cannot be overcome through training alone.} The persistent human
+\textbf{LIMITATION:} \textit{Human factors impose fundamental reliability limits
-error contribution despite four decades of improvements demonstrates that
+that cannot be overcome through training alone.} The persistent human
-these limitations are fundamental rather than a remediable part of
+error contribution despite four decades of improvements demonstrates that these
-human-driven control.
+limitations are fundamental rather than a remediable part of human-driven 
 control.
 \subsection{Formal Methods}
 \subsubsection{HARDENS}
 The High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
 project represents the most advanced application of formal methods to nuclear
-reactor control systems to date~\cite{Kiniry2024}. HARDENS aimed to address a
+reactor control systems to date~\cite{Kiniry2024}.
 fundamental dilemma: existing U.S. nuclear control rooms rely on analog
 technologies from the 1950s--60s. This technology is obsolete compared to modern
 control systems and incurs significant risk and cost. A U.S. Nuclear Regulatory
 Commission report demonstrated that model-based systems engineering and formal
 methods could design, verify, and implement a complex protection system meeting
 regulatory criteria. The project delivered a Reactor Trip System (RTS)
 implementation with traceability from regulatory requirements to verified
 software through formal architecture specifications.
-HARDENS employed formal methods tools at every level of system development, from
+HARDENS aimed to address a fundamental dilemma: existing U.S. nuclear control
-high-level requirements through executable models to generated code. High-level
+rooms rely on analog technologies from the 1950s--60s. This technology is
-specifications used Lando, SysMLv2, and FRET (NASA Formal Requirements
+obsolete compared to modern control systems and incurs significant risk and
-Elicitation Tool) to capture stakeholder requirements, domain engineering,
+cost. The NRC contracted Galois, a formal methods firm, to demonstrate that
-certification requirements, and safety requirements. Requirements were analyzed
+Model-Based Systems Engineering and formal methods could design, verify, and
-for consistency, completeness, and realizability using SAT and SMT solvers.
+implement a complex protection system meeting regulatory criteria at a fraction
-Executable formal models used Cryptol to create a behavioral model of the entire
+of typical cost. The project delivered a Reactor Trip System (RTS)
-RTS, including all subsystems, components, and limited digital twin models of
+implementation with full traceability from NRC Request for Proposals and IEEE
-sensors, actuators, and compute infrastructure. Automatic code synthesis
+standards through formal architecture specifications to verified software.
-generated verifiable C implementations and SystemVerilog hardware
+
 HARDENS employed formal methods tools and techniques across the verification
 hierarchy. High-level specifications used Lando, SysMLv2, and FRET (NASA Formal
 Requirements Elicitation Tool) to capture stakeholder requirements, domain
 engineering, certification requirements, and safety requirements. Requirements
 were analyzed for consistency, completeness, and realizability using SAT and SMT
 solvers. Executable formal models used Cryptol to create a behavioral model of
 the entire RTS, including all subsystems, components, and limited digital twin
 models of sensors, actuators, and compute infrastructure. Automatic code
 synthesis generated verifiable C implementations and SystemVerilog hardware
 implementations directly from Cryptol models---eliminating the traditional gap
-between specification and implementation where errors commonly arise.
+between specification and implementation where errors commonly 
 arise.
-Despite these accomplishments, HARDENS addressed only discrete digital
+Despite its accomplishments, HARDENS has a fundamental limitation directly
-control logic. The Reactor Trip System verification covered discrete state
+relevant to hybrid control synthesis: the project addressed only discrete
-transitions, digital sensor processing, and discrete actuation outputs. It
+digital control logic without modeling or verifying continuous reactor dynamics.
-did not model or verify continuous reactor dynamics. Real reactor safety
+The Reactor Trip System specification and verification covered discrete state
-depends on the interaction between continuous processes---temperature,
+transitions (trip/no-trip decisions), digital sensor input processing through
-pressure, neutron flux---evolving in response to discrete control decisions.
+discrete logic, and discrete actuation outputs (reactor trip commands). The
-HARDENS verified the discrete controller in isolation but not a
+project did not address continuous dynamics of nuclear reactor physics. Real
-closed-loop hybrid system behavior.
+reactor safety depends on the interaction between continuous
 processes---temperature, pressure, neutron flux---evolving in response to
 discrete control decisions. HARDENS verified the discrete controller in
 isolation but not the closed-loop hybrid system 
 behavior.
-\textbf{LIMITATION:} \textit{HARDENS addressed discrete control logic
+\textbf{LIMITATION:} \textit{HARDENS addressed discrete control logic without
-without continuous dynamics or hybrid system verification.} Verifying
+continuous dynamics or hybrid system verification.} Verifying discrete control
-discrete control logic alone provides no guarantee that the closed-loop
+logic alone provides no guarantee that the closed-loop system exhibits desired
-system exhibits desired continuous behavior such as stability, convergence to
+continuous behavior such as stability, convergence to setpoints, or maintained
-setpoints, or maintained safety margins.
+safety margins.
 HARDENS produced a demonstrator system at Technology Readiness Level 2--3
 (analytical proof of concept with laboratory breadboard validation) rather than
@ -134,83 +153,59 @@ considered in development, not a finalized product, and that ``The demonstration
 of its technical soundness was to be at a level consistent with satisfaction of
 the current regulatory criteria, although with no explicit demonstration of how
 regulatory requirements are met.'' The project did not include deployment in
 %DAS 3/16/26. I double checked this quote. It's on page 4 of the HARDENS report
 actual nuclear facilities, testing with real reactor systems under operational
 conditions, side-by-side validation with operational analog RTS systems,
-systematic failure mode testing, NRC licensing review, or human factors
+systematic failure mode testing (radiation effects, electromagnetic
 interference, temperature extremes), NRC licensing review, or human factors
 validation with licensed operators in realistic control room scenarios.
 \textbf{LIMITATION:} \textit{HARDENS achieved TRL 2--3 without experimental
 validation.} While formal verification provides mathematical correctness
 guarantees for the implemented discrete logic, the gap between formal
 verification and actual system deployment involves myriad practical
-considerations: integration with legacy systems, human-system interaction in
+considerations: integration with legacy systems, long-term reliability
-realistic operational contexts, and regulatory acceptance of formal methods as
+under harsh environments, human-system interaction in realistic
-primary assurance evidence remain as significant challenges.
+operational contexts, and regulatory acceptance of formal methods as
 primary assurance evidence.
-\subsubsection{Temporal Logic and Formal Specification}
+\subsubsection{Sequent Calculus and Differential Dynamic Logic}
-
+There has been additional work to do verification of hybrid systems by extending
-Formal verification of any system requires a precise language for stating
+the temporal logics directly. The result has been the field of differential
-what the system must do. Temporal logic provides this language by extending
+dynamic logic (dL). dL introduces two additional operators
-classical propositional logic with operators that express properties over
+into temporal logic: the box operator and the diamond operator. The box operator
-time~\cite{baier_principles_2008}. Where propositional logic can state that
+\([\alpha]\phi\) states that for some region \(\phi\), the hybrid system
-a condition is true or false, temporal logic can state that a condition must
+\(\alpha\) always remains within that region. In this way, it is a safety
-always hold, must eventually hold, or must hold until some other condition is
+invariant being enforced for the system. The second operator, the diamond
-met. Linear temporal logic (LTL) formalizes these notions through four key
+operator \(<\alpha>\phi\) says that for the region \(\phi\), there is at least
-operators:
+one trajectory of \(\alpha\) that enters that region. This is a declaration of a
-\begin{itemize}
+liveness property\cite{platzer2018}. 
  \item $\mathbf{X}\phi$ (next): $\phi$ holds in the next state
  \item $\mathbf{G}\phi$ (globally): $\phi$ holds in all future states
  \item $\mathbf{F}\phi$ (finally): $\phi$ holds in some future state
  \item $\phi \mathbf{U} \psi$ (until): $\phi$ holds until $\psi$ becomes
    true
 \end{itemize}
 These operators allow specification of safety properties ($\mathbf{G}\neg
 \textit{Unsafe}$), liveness properties ($\mathbf{F}\textit{ Target}$), and
 response properties ($\mathbf{G}(\textit{Trigger} \rightarrow
 \mathbf{F}\textit{ Response})$). For nuclear control, this expressiveness
 captures exactly the kinds of requirements that matter: the reactor must
 never enter an unsafe configuration, the system must eventually reach
 operating temperature, and if coolant pressure drops, shutdown must initiate
 within bounded time. These properties can be derived directly from operating
 procedures and regulatory requirements, creating a formal link between
 existing documentation and verifiable system behavior.
 \subsubsection{Differential Dynamic Logic}
 A separate line of work extends temporal logics to verify hybrid systems
 directly. The result has been the field of differential dynamic logic
 (dL)~\cite{platzer_differential_2008}. dL
 introduces two additional operators into temporal logic: the box operator and
 the diamond operator. The box operator \([\alpha]\phi\) states that for some
 region \(\phi\), the hybrid system \(\alpha\) always remains within that
 region. In this way, it is a safety invariant being
 enforced for the system. The second operator, the diamond operator
 \(<\alpha>\phi\) says that for the region \(\phi\), there is at least one
 trajectory of \(\alpha\) that enters that region. This is a declaration of a
 liveness property.
 While dL allows for the specification of these liveness and safety properties,
 actually proving them for a given hybrid system is quite difficult. Automated
-proof assistants such as KeYmaera X~\cite{fulton_keymaera_2015} exist to help
+proof assistants such as KeYmaera X exist to help develop proofs of systems
 develop proofs of systems
 using dL, but so far have been insufficient for reasonably complex hybrid
-systems. The main issue behind creating system proofs using dL is
+systems. The main issue behind creating system proofs using dL is state space
-non-terminating solutions. Approaches have been made to alleviate these issues
+explosion and non-terminating 
-for nuclear power contexts using contract and decomposition based methods, but
+solutions.\splitsuggest{Consider adding a concrete example here — ``For 
-do not yet constitute a complete design methodology \cite{kapuria_using_2025}.
+instance, a system with N modes and M continuous state variables...'' to give 
 readers a sense of the scaling problem.}
 %Source: that one satellite tracking paper that has the problem with the
 %gyroscopes overloding and needing to dump speed all the time
 Approaches have been made to alleviate
 these issues for nuclear power contexts using contract and decomposition based
 methods, but do not yet constitute a complete design
 methodology\cite{kapuria2025}.%source: Manyu's thesis. 
 Instead, these approaches have been used on systems that have been designed a
 priori, and require expert knowledge to create the system proofs. 
 %Maybe a limitation here? Something about dL doesn't scale or help in design
-%very much, so the limitation is that logic based hybrid system approaches
+%very much, so the limitation is that logic based hybrid system approaches have
-%have not been used in the DESIGN of autonomous controllers, only in the
+%not been used in the DESIGN of autonomous controllers, only in the analysis of
-%analysis of systems that already exist.
+%systems that already exist.
 \textbf{LIMITATION:} \textit{Differential dynamic logic has been used for
 post-hoc analysis of existing systems, not for the constructive design of
-autonomous controllers.} Current dL-based approaches verify systems that
+autonomous controllers.} Current formal methods based approaches can in theory
-have already been designed, requiring expert knowledge to construct proofs.
+completely describe the behavior of a hybrid autonomous control system, but in
-They have not been applied to the synthesis of new controllers from
+practice remain difficult to implement, and have no straightforward application
-operational requirements.
+to the design of a hybrid autonomous control system.
--- a/20260314_reading.pdf
+++ b/20260314_reading.pdf
--- a/3-research-approach/approach.tex
+++ b/3-research-approach/approach.tex
@ -1,77 +1,87 @@
 \section{Research Approach}
 % ============================================================================
 % STRUCTURE (maps to Thesis.RA tasks):
 %   1. Introduction + Hybrid Systems Definition (Task 34)
 %   2. System Requirements and Specifications (Task 35)
 %   3. Discrete Controller Synthesis (Task 36)
 %   4. Continuous Controllers Overview (Task 37)
 %      4.1 Transitory Modes (Task 38)
 %      4.2 Stabilizing Modes (Task 39)
 %      4.3 Expulsory Modes (Task 40)
 %   5. Industrial Implementation (Task 41)
 % ============================================================================
 % ----------------------------------------------------------------------------
 % 1. INTRODUCTION AND HYBRID SYSTEMS DEFINITION
 % ----------------------------------------------------------------------------
 Previous approaches to autonomous control have verified
 discrete switching logic or continuous control behavior, but not both
 simultaneously. Validation of continuous controllers today consists of
 extensive simulation trials. Discrete switching logic for routine operation
 has been driven by human operators, whose evaluation includes simulated
 control room testing and human factors research. Neither method, despite
 being extremely resource intensive, provides rigorous guarantees of control
 system behavior. HAHACS bridges this gap by composing formal methods from
 computer science with control-theoretic verification, formalizing reactor
 operations using the framework of hybrid automata.
 The challenge of hybrid system verification lies in the interaction between
 discrete and continuous dynamics. Discrete transitions change the governing
 vector field, creating discontinuities in the system's behavior. Traditional
 verification techniques designed for purely discrete or purely continuous
 systems cannot handle this interaction directly. Our methodology addresses this
 challenge through decomposition. We verify discrete switching logic and
 continuous mode behavior separately, then compose these guarantees to reason
 about the complete hybrid system. This two-layer approach mirrors the structure
 of reactor operations themselves: discrete supervisory logic determines which
 control mode is active, while continuous controllers govern plant behavior
 within each mode.
 To build a high-assurance hybrid autonomous control system (HAHACS), we must
 first establish a mathematical description of the system. This work draws on
 automata theory, temporal logic, and control theory. A hybrid system is a
-dynamical system that has both continuous and discrete states. The specific
+dynamical system that has both continuous and discrete states. The specific type
-type of system discussed in this proposal is a continuous autonomous hybrid
+of system discussed in this proposal is a continuous autonomous hybrid system.
-system. This means that the system does not have external input and that
+This means that the system does not have external input and that continuous
-continuous states do not change instantaneously when discrete states change.
+states do not change instantaneously when discrete states change. For our
-For our systems of interest, the continuous states are physical quantities
+systems of interest, the continuous states are physical quantities that are
-that are always Lipschitz continuous. This nomenclature is borrowed from the
+always Lipschitz continuous. This nomenclature is borrowed from the Handbook on
-Handbook on Hybrid Systems Control \cite{lunze_handbook_2009}, but is
+Hybrid Systems Control \cite{lunze2009}, but is redefined here
-redefined here for convenience:
+for convenience:
-%
+
 \begin{equation}
-  H = (\mathcal{Q}, \mathcal{X}, \mathbf{f}, Init, \mathcal{G}, \delta,
+  H = (\mathcal{Q}, \mathcal{X}, \mathbf{f}, Init, \mathcal{G}, \delta, \mathcal{R}, Inv)
  \mathcal{R}, Inv)
 \end{equation}
-%
+
 where:
-%
+
 \begin{itemize}
  \item $\mathcal{Q}$: the set of discrete states (modes) of the system
  \item $\mathcal{X} \subseteq \mathbb{R}^n$: the continuous state space
-  \item $\mathbf{f}: \mathcal{Q} \times \mathcal{X} \rightarrow
+  \item $\mathbf{f}: \mathcal{Q} \times \mathcal{X} \rightarrow \mathbb{R}^n$:
-    \mathbb{R}^n$: vector fields defining the continuous dynamics for each
+    vector fields defining the continuous dynamics for each discrete mode $q_i$
-    discrete mode $q_i$
+  \item $Init \subseteq \mathcal{Q} \times \mathcal{X}$: the set of initial states
  \item $Init \subseteq \mathcal{Q} \times \mathcal{X}$: the set of initial
    states
  \item $\mathcal{G}$: guard conditions that define when discrete state
    transitions may occur
-  \item $\delta: \mathcal{Q} \times \mathcal{G} \rightarrow \mathcal{Q}$:
+  \item $\delta: \mathcal{Q} \times \mathcal{G} \rightarrow \mathcal{Q}$: the
-    the discrete state transition function
+    discrete state transition function
  \item $\mathcal{R}$: reset maps that define any instantaneous changes to
    continuous state upon discrete transitions
  \item $Inv$: safety invariants on the continuous dynamics
 \end{itemize}
-HAHACS bridges the gap between discrete and continuous verification by composing
+The creation of a HAHACS amounts to the construction of such a tuple together
-formal methods from computer science with control-theoretic verification,
+with proof artifacts demonstrating that the intended behavior of the control
-formalizing reactor operations using the framework of hybrid
+system is satisfied by its actual implementation. This approach is tractable now
-automata~\cite{alur_hybrid_1993}. The challenge of hybrid system verification
+because the infrastructure for each component has matured. The novelty is not in
-lies in the interaction between discrete and continuous dynamics. Discrete
+the individual pieces, but in the architecture that connects them. 
 transitions change the active continuous vector field, creating discontinuities
 in the system's behavior. Traditional verification techniques designed for
 purely discrete or purely continuous systems cannot handle this interaction
 directly. Our methodology addresses this challenge through decomposition. We
 verify discrete switching logic and continuous mode behavior separately, then
 compose these guarantees to reason about the complete hybrid system. This
 compositional strategy follows the assume-guarantee paradigm for hybrid systems,
 where guarantees about individual modes compose into guarantees about the
 overall system~\cite{lunze_handbook_2009, alur_hybrid_1993}. This two-layer
 approach mirrors the structure of reactor operations themselves: discrete
 supervisory logic determines which control mode is active, while continuous
 controllers govern plant behavior within each mode.
-The creation of a HAHACS amounts to the construction of such a tuple
+By defining entry, exit, and safety conditions at the discrete level first, we
-together with proof artifacts demonstrating that the intended behavior of the
+transform the intractable problem of global hybrid verification into a
-control system is satisfied by its actual
+collection of local verification problems with clear interfaces. Verification is
-implementation. In concrete terms, this means producing a
+performed per mode rather than on the full hybrid system, keeping the analysis
-discrete automaton whose transitions are provably correct, continuous
+tractable even for complex reactor operations.
 controllers whose behavior is verified against transition requirements, and
 formal evidence linking the two. This approach is tractable now because the
 infrastructure for each component has matured. The novelty is not in the
 individual pieces, but in the architecture that connects
 them. By defining entry, exit, and safety conditions at the
 discrete level first, we transform the intractable problem of global hybrid
 verification into a collection of local verification problems with clear
 interfaces. Verification is performed per mode rather than on the full
 hybrid system, keeping the analysis tractable even for complex reactor
 operations. Figure~\ref{fig:hybrid_automaton} illustrates this
 structure for a simplified reactor startup sequence, showing discrete modes
 connected by guard-triggered transitions with continuous dynamics governing
 behavior within each mode.
 \begin{figure} 
  \centering
@ -97,58 +107,58 @@ behavior within each mode.
    \node[state, fill=red!15] (q3) at (5,-3.5) {$q_3$\\SCRAM};
    % Normal transitions
-    \draw[trans] (q0) -- node[guard, above]
+    \draw[trans] (q0) -- node[guard, above] {$T_{avg} > T_{min}$} (q1);
-      {$T_{avg} > T_{min}$} (q1);
+    \draw[trans] (q1) -- node[guard, above] {$T_{avg} \in [T_{op} \pm \delta]$\\$P > P_{crit}$} (q2);
    \draw[trans] (q1) -- node[guard, above]
      {$T_{avg} \in [T_{op} \pm \delta]$\\$P > P_{crit}$} (q2);
    % Fault transitions
-    \draw[trans, red!70!black] (q1) -- node[guard, left,
+    \draw[trans, red!70!black] (q1) -- node[guard, left, text=red!70!black] {$\neg Inv_1$} (q3);
-      text=red!70!black] {$\neg Inv_1$} (q3);
+    \draw[trans, red!70!black] (q2) to[bend left=20] node[guard, right, text=red!70!black] {$\neg Inv_2$} (q3);
    \draw[trans, red!70!black] (q2) to[bend left=20] node[guard,
      right, text=red!70!black] {$\neg Inv_2$} (q3);
    % Recovery transition
-    \draw[trans, dashed] (q3) to[bend left=30] node[guard, below]
+    \draw[trans, dashed] (q3) to[bend left=30] node[guard, below] {Manual reset} (q0);
      {Manual reset} (q0);
    % Self-loops indicating staying in mode
-    \draw[trans] (q2) to[loop right] node[guard, right] {$Inv_2$}
+    \draw[trans] (q2) to[loop right] node[guard, right] {$Inv_2$} (q2);
      (q2);
    % Dynamics labels below states
    \node[dynamics] at (0,-1.4) {$\dot{x} = f_0(x)$};
-    \node[dynamics] at (6,-1.2) {$\dot{x} = f_1(x)$};
+    \node[dynamics] at (6,-1.2) {$\dot{x} = f_1(x,u)$};
-    \node[dynamics] at (10,-1.4) {$\dot{x} = f_2(x)$};
+    \node[dynamics] at (10,-1.4) {$\dot{x} = f_2(x,u)$};
    \node[dynamics] at (5,-4.9) {$\dot{x} = f_3(x)$};
  \end{tikzpicture}
-  \caption{Simplified hybrid automaton for reactor startup. Each discrete
+  \caption{Simplified hybrid automaton for reactor startup. Each discrete state 
-    state $q_i$ has associated continuous dynamics $f_i$. Guard conditions
+    $q_i$ has associated continuous dynamics $f_i$. Guard conditions on 
-    on transitions (e.g., $T_{avg} > T_{min}$) are predicates over
+    transitions (e.g., $T_{avg} > T_{min}$) are predicates over continuous 
-    continuous state. Invariant violations ($\neg Inv_i$) trigger
+    state. Invariant violations ($\neg Inv_i$) trigger transitions to the 
-    transitions to the SCRAM state. The operational level manages discrete
+    SCRAM state. The operational level manages discrete transitions; the 
-    transitions; the tactical level executes continuous control within each
+    tactical level executes continuous control within each mode.}
    mode.}
  \label{fig:hybrid_automaton}
 \end{figure}
-\subsection{System Requirements, Specifications, and Discrete Controllers}
+%%% NOTES (Section 1):
 % - May want to clarify the "no external input" claim with a footnote about
 %   strategic inputs (e.g., remote start/stop commands)
 % - The reset map R is often identity for physical systems; clarify if needed
 % ----------------------------------------------------------------------------
 % 2. SYSTEM REQUIREMENTS AND SPECIFICATIONS
 % ----------------------------------------------------------------------------
 \subsection{System Requirements, Specifications, and Discrete Controllers}
 Human control of nuclear power can be divided into three different scopes:
-strategic, operational, and tactical.\footnote{This was inspired by an article
+strategic, operational, and tactical. Strategic control is high-level and
-about battlefield organizational science~\cite{harvey_levels_2021}.} Strategic
+long-term decision making for the plant. This level has objectives that are
-control is high-level and long-term decision making for the plant. This level
+complex and economic in scale, such as managing labor needs and supply chains to
-has objectives that are complex and economic in scale, such as managing labor
+optimize scheduled maintenance and downtime. The time scale at this level is
-needs and supply chains to optimize scheduled maintenance and downtime. The time
+long, often spanning months or years. The lowest level of control is the
-scale at this level is long, often spanning months or years. The lowest level of
+tactical level. This is the individual control of pumps, turbines, and
-control is the tactical level. This is the individual control of pumps,
+chemistry. Tactical control has already been somewhat automated in nuclear power
-turbines, and chemistry. Tactical control has already been somewhat automated in
+plants today, and is generally considered ``automatic control'' when autonomous.
-nuclear power plants today, and is generally considered ``automatic control''
+These controls are almost always continuous systems with a direct impact on the
-when autonomous. These controls are almost always continuous systems with a
+physical state of the plant. Tactical control objectives include maintaining
-direct impact on the physical state of the plant. Tactical control objectives
+pressurizer level, maintaining core temperature, or adjusting reactivity with a
-include, but are not limited to, maintaining pressurizer level, maintaining core
+chemical shim.
 temperature, or adjusting reactivity with a chemical shim.
 The level of control linking these two extremes is the operational control
 scope. Operational control is the primary responsibility of human operators
@ -158,19 +168,22 @@ way, it bridges high-level and low-level goals. A strategic goal may be to
 perform refueling at a certain time, while the tactical level of the plant is
 currently focused on maintaining a certain core temperature. The operational
 level issues the shutdown procedure, using several smaller tactical goals along
-the way to achieve this strategic objective. This hierarchical division of
+the way to achieve this objective. Thus, the combination of the operational and
-control scope and objectives is illustrated graphically in
+tactical levels fundamentally forms a hybrid controller. The tactical level is
-figure~\ref{fig:strat_op_tact}. 
+the continuous evolution of the plant according to the control input and control
 law, while the operational level is a discrete state evolution that determines
 which tactical control law to apply.
 %Say something about autonomous control systems near here?
 \begin{figure}
  \centering
  \begin{tikzpicture}[scale=0.8]
    % Pyramid layers
    \fill[blue!30!white] (0,4) -- (2,4) -- (1,5.) -- cycle;
-    \fill[blue!20!white] (-1.5,2.5) -- (3.5,2.5) -- (2,4) -- (0,4)
+    \fill[blue!20!white] (-1.5,2.5) -- (3.5,2.5) -- (2,4) -- (0,4) -- cycle;
-      -- cycle;
+    \fill[blue!10!white] (-3,1) -- (5,1) -- (3.5,2.5) -- (-1.5,2.5) -- cycle;
    \fill[blue!10!white] (-3,1) -- (5,1) -- (3.5,2.5) -- (-1.5,2.5)
      -- cycle;
    % Labels inside pyramid
    \node[font=\small\bfseries] at (1,4.5) {Strategic};
@ -179,132 +192,119 @@ figure~\ref{fig:strat_op_tact}.
    % Descriptions to the right
    \node[anchor=west, font=\small, text width=8cm] at (5.5,4.6) 
-      {\textit{Long-term planning:} maintenance scheduling, capacity
+      {\textit{Long-term planning:} maintenance scheduling, capacity planning, economic dispatch};
      planning, economic dispatch};
    \node[anchor=west, font=\small, text width=8cm] at (5.5,3.1) 
-      {\textit{Discrete decisions:} startup/shutdown sequences, power
+      {\textit{Discrete decisions:} startup/shutdown sequences, power level changes, mode transitions};
      level changes, mode transitions};
    \node[anchor=west, font=\small, text width=8cm] at (5.5,1.6) 
-      {\textit{Continuous control:} temperature regulation, pressure
+      {\textit{Continuous control:} temperature regulation, pressure control, load following};
      control, load following};
    % Bracket showing HAHACS scope (simple line with text)
-    \draw[thick] (5.0,1.0) -- (-3.5,1) -- (-3.5,4) -- (2.0,4) --
+    \draw[thick] (5.0,1.0) -- (-3.5,1) -- (-3.5,4) -- (2.0,4) -- cycle;
-      cycle;
+    \node[font=\small, align=center, rotate=90] at (-4.2,2.5) {HAHACS scope};
    \node[font=\small, align=center, rotate=90] at (-4.2,2.5)
      {HAHACS scope};
  \end{tikzpicture}
-  \caption{Control scope hierarchy in nuclear power operations.
+  \caption{Control scope hierarchy in nuclear power operations. Strategic control 
-    Strategic control (long-term planning) remains with human management.
+    (long-term planning) remains with human management. HAHACS addresses the 
-    HAHACS addresses the operational level (discrete mode switching) and
+    operational level (discrete mode switching) and tactical level (continuous 
-    tactical level (continuous control within modes), which together form
+    control within modes), which together form a hybrid control system.}
    a hybrid control system.}
  \label{fig:strat_op_tact}
 \end{figure}
 This operational control level is the main reason for the requirement of human
 operators in nuclear control today. The hybrid nature of this control system
-makes it difficult to prove what the behavior of the combined hybrid system will
+makes it difficult to prove that a controller will perform according to
-do across the entire state-space, so human operators have been used as a
+strategic requirements, as unified infrastructure for building and verifying
-stop-gap for safety. Humans have been used for this layer because their general
+hybrid systems does not currently exist. Humans have been used for this layer
-intelligence has been relied upon as a safe way to manage the hybrid nature of
+because their general intelligence has been relied upon as a safe way to manage
-this system---if a failure occured, it has been assumed a human operator can
+the hybrid nature of this system. But these operators use prescriptive operating
-figure out a solution to maintain plant performance and safety without
+manuals to perform their control with strict procedures on what control to
-exhaustive knowledge of plant behavior. However, human factors research has
+implement at a given time. These procedures are the key to the operational
-sought to minimize the need for general human reasoning by creating extremely
+control scope.
 prescriptive operating manuals with strict procedures dictating what control to
 implement at a given time. These operating manuals have minimized the role of
 human operators today, are the key to the automating the operational control
 scope.
 The method of constructing a HAHACS in this proposal leverages two key
 observations about current practice. First, the operational scope control is
 effectively discrete control. Second, the rules for implementing this control
-are described in operating procedures prior to their implementation. Instead of
+are described prior to their implementation in operating procedures. Before
-implementing these procudures with a human controller, we rigorize the
+constructing a HAHACS, we must completely describe its intended behavior. The
-instructions as a set of formal requirements. The behavior of any control system
+behavior of any control system originates in requirements: statements about what
-originates in requirements: statements about what the system must do, must not
+the system must do, must not do, and under what conditions. For nuclear systems,
-do, and under what conditions. For nuclear systems, these requirements derive
+these requirements derive from multiple sources including regulatory mandates,
-from multiple sources including regulatory mandates, design basis analyses, and
+design basis analyses, and operating procedures. The challenge is formalizing
-aforementioned operating procedures. The challenge is formalizing
+these requirements with sufficient precision that they can serve as the
-these requirements with sufficient precision that they can serve as
+foundation for autonomous control system synthesis and verification. We can
-the foundation for autonomous
+build these requirements using temporal logic.
 control system synthesis and verification. We can build these requirements using
 temporal logic.
-Temporal logic is a powerful set of semantics for building systems with
+Temporal logic is a powerful set of semantics for building systems with complex
-complex but deterministic behavior. Temporal logic extends classical
+but deterministic behavior. Temporal logic extends classical propositional logic
-propositional logic with operators that express properties over time. Using
+with operators that express properties over time. Using temporal logic, we can
-temporal logic, we can make statements relating discrete control modes to one
+make statements relating discrete control modes to one another and define all
-another and define all the requirements of a HAHACS. The guard conditions
+the requirements of a HAHACS. The guard conditions $\mathcal{G}$ are defined by
-$\mathcal{G}$ are defined by determining boundary conditions between discrete
+determining boundary conditions between discrete states and specifying their
-states and specifying their behavior, while continuous mode invariants can
+behavior, while continuous mode invariants can also be expressed as temporal
-also be expressed as temporal logic statements. These specifications form the
+logic statements. These specifications form the basis of any proofs about a
-basis of any proofs about a HAHACS and constitute the fundamental truth
+HAHACS and constitute the fundamental truth statements about what the behavior
-statements about what the behavior of the system is designed to be.
+of the system is designed to be.
 Discrete mode transitions include predicates that are Boolean functions over the
 continuous state space: $p_i: \mathcal{X} \rightarrow \{\text{true},
 \text{false}\}$. These predicates formalize conditions like ``coolant
-temperature exceeds 315\textdegree{}C'' or ``pressurizer level is between 30\%
+temperature exceeds 315°C'' or ``pressurizer level is between 30\% and 60\%.''
-and 60\%.'' Critically, we do not impose this discrete abstraction artificially.
+Critically, we do not impose this discrete abstraction artificially. Operating
-Operating procedures for nuclear systems already define go/no-go conditions as
+procedures for nuclear systems already define go/no-go conditions as discrete
-discrete predicates, but do so in natural language. These thresholds come from
+predicates. These thresholds come from design basis safety analysis and have
-design basis safety analysis and have been validated over decades of operational
+been validated over decades of operational experience. Our methodology assumes
-experience. Our methodology assumes this domain knowledge exists and provides a
+this domain knowledge exists and provides a framework to formalize it. This is
-framework to formalize it. This is why the approach is feasible for nuclear
+why the approach is feasible for nuclear applications specifically: the hard
-applications specifically: the work of defining safe operating boundaries has
+work of defining safe operating boundaries has already been done by generations
-already been done by generations of nuclear engineers. The work of translating
+of nuclear engineers. 
-these requirements from interpretable natural language to a formal
+
-requirement is what remains to be done.
+Linear temporal logic (LTL) is particularly well-suited for
 specifying reactive systems. LTL formulas are built from atomic propositions
 (our discrete predicates) using Boolean connectives and temporal operators.
 The key temporal operators are:
 \begin{itemize}
  \item $\mathbf{X}\phi$ (next): $\phi$ holds in the next state
  \item $\mathbf{G}\phi$ (globally): $\phi$ holds in all future states
  \item $\mathbf{F}\phi$ (finally): $\phi$ holds in some future state
  \item $\phi \mathbf{U} \psi$ (until): $\phi$ holds until $\psi$ becomes true
 \end{itemize}
 These operators allow us to express safety properties (``the reactor never
 enters an unsafe configuration''), liveness properties (``the system
 eventually reaches operating temperature''), and response properties (``if
 coolant pressure drops, the system initiates shutdown within bounded time'').
 Linear temporal logic (LTL) is particularly well-suited for specifying reactive
 systems. LTL formulas are built from atomic propositions (our discrete
 predicates) using Boolean connectives and temporal operators. These operators
 allow us to express safety properties (``the reactor never enters an unsafe
 configuration''), liveness properties (``the system eventually reaches operating
 temperature''), and response properties (``if coolant pressure drops, the system
 initiates shutdown within bounded time''). We note that FRET's realizability
 checking currently supports safety and bounded response properties but not
 general liveness properties~\cite{katis_realizability_2022}. Liveness
 requirements such as ``eventually reaches operating temperature'' are instead
 verified through the continuous mode analysis described in Section~3.2, where
 reachability analysis can confirm that target states are attained within bounded
 time.
 To build these temporal logic statements, an intermediary tool called FRET is
 planned to be used. FRET stands for Formal Requirements Elicitation Tool, and
 was developed by NASA to build high-assurance timed systems. FRET is an
 intermediate language between temporal logic and natural language that allows
 for rigid definitions of temporal behavior while using a syntax accessible to
-engineers without formal methods expertise\cite{katis_realizability_2022}. This
+engineers without formal methods expertise. This benefit is crucial for the
-benefit is crucial for the feasibility of this methodology in industry. By
+feasibility of this methodology in industry. By reducing the expert knowledge
-reducing the expert knowledge required to use these tools, their adoption with
+required to use these tools, their adoption with the current workforce becomes
-the current workforce becomes easier.
+easier.
 A key feature of FRET is the ability to start with logically imprecise
-statements and consecutively refine them into well-posed
+statements and consecutively refine them into well-posed specifications. We can
-specifications\cite{katis_realizability_2022, pressburger_using_2023}. We
+use this to our advantage by directly importing operating procedures and design
-can use this to our advantage by directly importing operating procedures and
+requirements into FRET in natural language, then iteratively refining them into
-design requirements into FRET in natural language, then iteratively refining
+specifications for a HAHACS. This has two distinct benefits. First, it allows us
-them into specifications for a HAHACS. This has two distinct benefits.
+to draw a direct link from design documentation to digital system
-First, it allows us to draw a direct link from design documentation to
+implementation. Second, it clearly demonstrates where natural language documents
-digital system implementation. Second, it clearly demonstrates where natural
+are insufficient. These procedures may still be used by human operators, so any
-language documents are insufficient. These procedures may still be used by
+room for interpretation is a weakness that must be addressed.
 human operators, so any room for interpretation is a weakness that must be
 addressed.
-\dasinline{Maybe add more details about FRET case studies here. This would be
+\splitinline{Some examples of where FRET has been used and why it will be successful
-Pressburger and Katis.}
+here}
 Once system requirements are defined as temporal logic specifications, we use
 them to build the discrete control system. To do this, reactive synthesis tools
 are employed. Reactive synthesis is a field in computer science that deals with
 the automated creation of reactive programs from temporal logic specifications.
 A reactive program is one that, for a given state, takes an input and produces
-an output~\cite{jacobs_reactive_2024}. Our systems fit exactly this mold: the
+an output. Our systems fit exactly this mold: the current discrete state and
-current discrete state and status of guard conditions are the input, while the
+status of guard conditions are the input, while the output is the next discrete
-output is the next discrete state.
+state. 
 Reactive synthesis solves the following problem: given an LTL formula $\varphi$
 that specifies desired system behavior, automatically construct a finite-state
@ -314,35 +314,28 @@ exists, the specification is called \emph{realizable}. The synthesis algorithm
 either produces a correct-by-construction controller or reports that no such
 controller can exist. This realizability check is itself valuable: an
 unrealizable specification indicates conflicting or impossible requirements in
-the original procedures. The current implementation and one of the main uses of
+the original procedures. 
 FRET today is for exactly this purpose---multiple case studies have used FRET
 for the refinement of unrealizable specifications into realizable systems
 \cite{katis_realizability_2022, pressburger_using_2023}. 
 The main advantage of reactive synthesis is that at no point in the production
 of the discrete automaton is human engineering of the implementation required.
-The resultant automaton is correct to the specification by construction. This
+The resultant automaton is correct by construction. This method of construction
-method of construction eliminates the possibility of human error at the
+eliminates the possibility of human error at the implementation stage entirely.
-implementation stage entirely. The effort shifts entirely to specifying correct
+Instead, the effort on the human designer is directed at the specification of
-behavior rather than implementing it. This has two critical implications. First,
+system behavior itself. This has two critical implications. First, it makes the
-every mode transition can be traced back through the specification to its
+creation of the discrete controller tractable. The reasons the controller
-originating requirement, providing a clear liability and justification chain.
+changes between modes can be traced back to the specification and thus to any
-Second, by defining system behavior in temporal logic and synthesizing the
+requirements, which provides a trace for liability and justification of system
-controller using deterministic algorithms, discrete control decisions become
+behavior. Second, discrete control decisions made by humans are reliant on the
-provably consistent with operating procedures. 
+human operator operating correctly. Humans are intrinsically probabilistic
 creatures who cannot eliminate human error. By defining the behavior of this
 system using temporal logics and synthesizing the controller using deterministic
 algorithms, we are assured that strategic decisions will always be made
 according to operating procedures.
-The output of reactive synthesis is a finite-state machine that can be directly
+\splitinline{Talk about how one would go from a discrete automaton to actual
-translated to executable code. Tools such as Strix accept full LTL
+code}
-specifications and produce Mealy machines via parity game
+
-solving~\cite{luttenberger_practical_2020, meyer_strix_2018}. For specifications
+\splitinline{Examples of reactive synthesis in the wild}
 within the GR(1) fragment---which captures the reactive input-output structure
 typical of supervisory control---synthesis is efficient and scales to
 specifications with thousands of states. Nuclear operating procedures are
 well-suited to this fragment: environment inputs correspond to plant state
 measurements and guard conditions, while outputs are mode transition commands.
 The synthesized automaton provides a correct-by-construction implementation that
 can be compiled to run on industrial control hardware without manual translation
 of the control logic.
 \subsection{Continuous Control Modes}
@ -351,15 +344,14 @@ autonomous controller. These control systems are hybrid, with both discrete and
 continuous components. This section describes the continuous control modes that
 execute within each discrete state, and how we verify that they satisfy the
 requirements imposed by the discrete layer. It is important to clarify the scope
-of this methodology with respect to continuous controller design. This work will
+of this methodology with respect to continuous controller design. This work
-verify continuous controllers; it does not synthesize them. The distinction
+verifies continuous controllers; it does not synthesize them. The distinction
 parallels model checking in software verification: model checking does not tell
 engineers how to write correct software, but it verifies whether a given
 implementation satisfies its specification. Similarly, we assume that continuous
-controllers can be designed using standard control theory techniques, and to
+controllers can be designed using standard control theory techniques. Our
-that end, are not prohibitive to create. Our contribution is a verification
+contribution is a verification framework that confirms candidate controllers
-framework that confirms candidate controllers compose correctly with the
+compose correctly with the discrete layer to produce a safe hybrid system.
 discrete layer to produce a safe hybrid system.
 The operational control scope defines go/no-go decisions that determine what
 kind of continuous control to implement. The entry or exit conditions of a
@ -367,12 +359,12 @@ discrete state are themselves the guard conditions $\mathcal{G}$ that define the
 boundaries for each continuous controller's allowed state-space region. These
 continuous controllers all share a common state space, but each individual
 continuous control mode operates within its own partition defined by the
-discrete state $q_i$ and the associated guard conditions. This partitioning of
+discrete state $q_i$ and the associated guards. This partitioning of the
-the continuous state space among several distinct vector fields has
+continuous state space among several discrete vector fields has traditionally
-traditionally been a difficult problem for validation and verification. The
+been a difficult problem for validation and verification. The discontinuity of
-discontinuity of the vector fields at discrete state interfaces makes
+the vector fields at discrete state interfaces makes reachability analysis
-reachability analysis computationally expensive, and analytic solutions often
+computationally expensive, and analytic solutions often become intractable
-become intractable \cite{kapuria_using_2025, lang_formal_2021}.
+\cite{kapuria2025, lang2021}.
 We circumvent these issues by designing our hybrid system from the bottom up
 with verification in mind. Each continuous control mode has an input set and
@ -380,235 +372,201 @@ output set clearly defined by our discrete transitions \textit{a priori}.
 Consider that we define the continuous state space as $\mathcal{X}$.  Each
 discrete mode $q_i$ then provides three key pieces of information for continuous
 controller design:
 %
 \begin{enumerate}
-  \item \textbf{Entry conditions:} $\mathcal{X}_{entry,i} \subseteq
+  \item \textbf{Entry conditions:} $\mathcal{X}_{entry,i} \subseteq \mathcal{X}$,
-    \mathcal{X}$, the set of possible initial states when entering this mode
+    the set of possible initial states when entering this mode
-  \item \textbf{Exit conditions:} $\mathcal{X}_{exit,i} \subseteq
+  \item \textbf{Exit conditions:} $\mathcal{X}_{exit,i} \subseteq \mathcal{X}$,
-    \mathcal{X}$, the target states that trigger transition to the next mode,
+    the target states that trigger transition to the next mode, or is the region
-    or is the region in the state space a stabilizing mode remains within.
+    in the state space a stabilizing mode remains within.
-  \item \textbf{Safety invariants:} $\mathcal{X}_{safe,i} \subseteq
+  \item \textbf{Safety invariants:} $\mathcal{X}_{safe,i} \subseteq \mathcal{X}$,
-    \mathcal{X}$, the envelope of safe states during operation in this mode.
+    the envelope of safe states during operation in this mode. These are derived
-    These are derived from invariants \(Inv\).
+    from invariants \(Inv\).
 \end{enumerate}
 %
 These sets come directly from the discrete controller synthesis and define
-precise objectives for continuous control.\dasnote{This SOUNDS like
+precise objectives for continuous control. The continuous controller for mode
-assume-guarantee stuff. Maybe make that connection formal and cite it?} The
+$q_i$ must drive the system from any state in $\mathcal{X}_{entry,i}$ to some
-continuous controller for mode $q_i$ must drive the system from any state in
+state in $\mathcal{X}_{exit,i}$ while remaining within $\mathcal{X}_{safe,i}$.
 $\mathcal{X}_{entry,i}$ to some state in $\mathcal{X}_{exit,i}$ while remaining
 within $\mathcal{X}_{safe,i}$. We classify continuous controllers into three
 types based on their objectives: transitory, stabilizing, and expulsory. Each
 type has distinct verification requirements that determine which formal methods
 tools are appropriate.
-\dasinline{(1) Add figure showing the relationship between entry/exit/safety
+We classify continuous controllers into three types based on their objectives:
-sets. (2) Mention assume-guarantee compositional stuff and how that fits in
+transitory, stabilizing, and expulsory. Each type has distinct verification
-here.}
+requirements that determine which formal methods tools are appropriate.
 \subsubsection{Transitory Modes}
-Transitory modes are continuous controllers designed to move the plant from one
+Transitory modes are continuous controllers designed to move
-discrete operating condition to another. Their purpose is to execute
+the plant from one discrete operating condition to another. Their purpose is to
-transitions: starting from entry conditions, reach exit conditions, and maintain
+execute transitions: starting from entry conditions, reach exit conditions,
-safety invariants throughout. Examples include but are not limited to power
+and maintain safety invariants throughout. Examples include power ramp-up sequences,
-ramp-up sequences, cooldown procedures, and load-following maneuvers.
+cooldown procedures, and load-following maneuvers.
-The control objective for a transitory mode can be stated formally. Given
+The control objective for a transitory mode can be stated
-entry conditions $\mathcal{X}_{entry}$, exit conditions
+formally. Given entry conditions $\mathcal{X}_{entry}$, exit conditions
-$\mathcal{X}_{exit}$, safety invariant $\mathcal{X}_{safe}$, and
+$\mathcal{X}_{exit}$, safety invariant $\mathcal{X}_{safe}$, and closed-loop
-closed-loop dynamics $\dot{x} = f(x)$, the controller must satisfy:
+dynamics $\dot{x} = f(x, u(x))$, the controller must satisfy:
 %
 \[
-\forall x_0 \in \mathcal{X}_{entry}: \exists T > 0: x(T) \in
+\forall x_0 \in \mathcal{X}_{entry}: \exists T > 0: x(T) \in \mathcal{X}_{exit}
-\mathcal{X}_{exit} \land \forall t \in [0,T]: x(t) \in \mathcal{X}_{safe}
+\land \forall t \in [0,T]: x(t) \in \mathcal{X}_{safe}
 \]
 %
 That is, from any valid entry state, the trajectory must eventually reach the
 exit condition without ever leaving the safe region.
-Verification of transitory modes will use reachability analysis. Reachability
+Verification of transitory modes uses reachability analysis.
-analysis computes the set of all states reachable from a given initial set under
+Reachability analysis computes the set of all states reachable from a given
-the system dynamics~\cite{guernic_reachability_2009,
+initial set under the system dynamics. For a transitory mode to be valid, the
-mitchell_time-dependent_2005, bansal_hamilton-jacobi_2017}. For a transitory
+reachable set from $\mathcal{X}_{entry}$ must satisfy two conditions:
 mode to be valid, the reachable set from $\mathcal{X}_{entry}$ must satisfy two
 conditions:
 %
 \begin{enumerate}
-  \item The reachable set eventually intersects $\mathcal{X}_{exit}$ (the
+  \item The reachable set eventually intersects $\mathcal{X}_{exit}$ (the mode
-    mode achieves its objective)
+    achieves its objective)
-  \item The reachable set never leaves $\mathcal{X}_{safe}$ (safety is
+  \item The reachable set never leaves $\mathcal{X}_{safe}$ (safety is maintained
-    maintained throughout the transition)
+    throughout the transition)
 \end{enumerate}
 %
 Formally, if $\text{Reach}(\mathcal{X}_{entry}, f, [0,T])$ denotes the states
 reachable within time horizon $T$:
 %
 \[
-\text{Reach}(\mathcal{X}_{entry}, f_i, [0,T]) \subseteq \mathcal{X}_{safe}
+\text{Reach}(\mathcal{X}_{entry}, f_i, [0,T]) \subseteq \mathcal{X}_{safe} \land
-\land \text{Reach}(\mathcal{X}_{entry}, f_i, [0,T]) \cap
+\text{Reach}(\mathcal{X}_{entry}, f_i, [0,T]) \cap \mathcal{X}_{exit} \neq \emptyset
 \mathcal{X}_{exit} \neq \emptyset
 \]
 %
 Because the discrete controller defines clear boundaries in
 continuous state space, the verification problem for each transitory mode is
 well-posed. We know the possible initial conditions, we know the target
 conditions, and we know the safety envelope. The verification task is to
 confirm that the candidate continuous controller achieves the objective from
 all possible starting points.
-Several tools exist for computing reachable sets of hybrid systems, including
+Because the discrete controller defines clear boundaries in continuous state
-CORA~\cite{althoff_introduction_nodate}, Flow*~\cite{chen_flow_2013,
+space, the verification problem for each transitory mode is well-posed. We know
-chen_taylor_2012}, SpaceEx~\cite{frehse_spaceex_2011}, and
+the possible initial conditions, we know the target conditions, and we know the
-JuliaReach~\cite{bogomolov_reachability_2020}. The choice of
+safety envelope. The verification task is to confirm that the candidate
-tool depends on the structure of the continuous dynamics. Linear systems admit
+continuous controller achieves the objective from all possible starting points.
-efficient polyhedral or ellipsoidal reachability computations. Nonlinear systems
+
-require more conservative over-approximations using techniques such as Taylor
+Several tools exist for computing reachable sets of hybrid
-models or polynomial zonotopes. For this work, we will select tools appropriate
+systems, including CORA, Flow*, SpaceEx, and JuliaReach. The choice of tool
-to the fidelity of the reactor models available.
+depends on the structure of the continuous dynamics. Linear systems admit
 efficient polyhedral or ellipsoidal reachability computations. Nonlinear
 systems require more conservative over-approximations using techniques such as
 Taylor models or polynomial zonotopes. For this work, we will select tools
 appropriate to the fidelity of the reactor models available.
 \subsubsection{Stabilizing Modes}
-Stabilizing modes are continuous controllers with an objective of maintaining
+Stabilizing modes are continuous controllers with an objective of maintaining a
-a particular discrete state indefinitely. Rather than driving the system
+particular discrete state indefinitely. Rather than driving the system toward an
-toward an exit state, they keep the system within a safe
+exit condition, they keep the system within a safe operating region. Examples
-operating region. Examples include steady-state power operation, hot standby,
+include steady-state power operation, hot standby, and load-following at
-and load-following at constant power level. Reachability analysis for
+constant power level. Reachability analysis for stabilizing modes may not be a
-stabilizing modes may not be a suitable approach to validation. Instead, we
+suitable approach to validation. Instead, we plan to use barrier certificates.
-plan to use barrier certificates. Barrier certificates analyze the dynamics
+Barrier certificates analyze the dynamics of the system to determine whether
-of the system to determine whether flux across a given boundary
+flux across a given boundary exists. They evaluate whether any trajectory leaves
-exists~\cite{prajna_safety_2004}. In other words, they
+a given boundary. This definition is exactly what defines the validity of a
-evaluate whether any trajectory leaves a given boundary. This definition is
+stabilizing continuous control mode.
 exactly what defines the validity of a stabilizing continuous control mode.
-A barrier certificate (or control barrier function) is a scalar function $B:
+A barrier certificate (or control barrier function) is a
-\mathcal{X} \rightarrow \mathbb{R}$ that certifies forward invariance of a safe
+scalar function $B: \mathcal{X} \rightarrow \mathbb{R}$ that certifies forward
-set. The idea is analogous to Lyapunov functions for
+invariance of a safe set. The idea is analogous to Lyapunov functions for
-stability~\cite{branicky_multiple_1998}: rather than computing trajectories
+stability: rather than computing trajectories explicitly, we find a certificate
-explicitly, we find a certificate function whose properties guarantee the
+function whose properties guarantee the desired behavior. For a safe set
-desired behavior. For a safe set $\mathcal{C} = \{x : B(x) \geq 0\}$ and
+$\mathcal{C} = \{x : B(x) \geq 0\}$ and dynamics $\dot{x} = f(x,u)$, the
-dynamics $\dot{x} = f(x,u)$, the\dasinline{Should clarify that the safe set C is
+barrier certificate condition requires:
 not the entire continuous region. It's just the boundary of the region.} barrier
 certificate condition requires:
 %
 \[
-\forall x \in \partial\mathcal{C}: \dot{B}(x) = \nabla B(x) \cdot f(x,u(x))
+\forall x \in \partial\mathcal{C}: \dot{B}(x) = \nabla B(x) \cdot f(x,u(x)) \geq 0
 \geq 0
 \]
-%
+This condition states that on the boundary of the safe set (where $B(x) = 0$),
-This condition states that on the boundary of the safe set (where $B(x) =
+the time derivative of $B$ is non-negative. Geometrically, this means the
-0$), the time derivative of $B$ is non-negative. Geometrically, this means
+vector field points inward or tangent to the boundary, never outward. If this
-the vector field points inward or tangent to the boundary, never outward. If
+condition holds, no trajectory starting inside $\mathcal{C}$ can ever leave.
 this condition holds, no trajectory starting inside $\mathcal{C}$ can ever
 leave.
 Because the design of the discrete controller defines careful boundaries in
-continuous state space, the barrier \(\mathcal{C}\) is known prior to designing
+continuous state space, the barrier is known prior to designing the continuous
-the continuous controller. This eliminates the search for an appropriate barrier
+controller. This eliminates the search for an appropriate barrier and minimizes
-and minimizes complication in validating stabilizing continuous control modes.
+complication in validating stabilizing continuous control modes. The discrete
-The discrete specifications tell us what region must be invariant; the barrier
+specifications tell us what region must be invariant; the barrier certificate
-certificate confirms that the candidate controller achieves this invariance.
+confirms that the candidate controller achieves this invariance.
-The key advantage is that the verification is independent of how the controller
+Finding barrier certificates can be formulated as a
-was designed. Standard control techniques can be used to build continuous
+sum-of-squares (SOS) optimization problem for polynomial systems, or solved
-controllers, and barrier certificates provide a separate check that the result
+using satisfiability modulo theories (SMT) solvers for broader classes of
-satisfies the required invariants. This also allows for the checking of control
+dynamics. The key advantage is that the verification is independent of how
-modes with different models than they are designed for. For example, a lower
+the controller was designed. Standard control techniques can be used to
-fidelity model can be used for controller design, but a higher fidelity model
+build continuous controllers, and barrier certificates provide a separate
-can be used for the actual validation of that stabilizing
+check that the result satisfies the required invariants. This also allows for
-controller.\splitnote{SOS methods proven effective: Papachristodoulou 2021
+the checking of control modes with different models than they are designed for.
-  (SOSTOOLS v4, pp.1-2) solves barrier certificate optimization via SOS
+For example, a lower fidelity model can be used for controller design, but a
-  constraints---tool integrates with MATLAB. Borrmann 2015 (pp.4-8) demonstrates
+higher fidelity model can be used for the actual validation of that stabilizing
-  control barrier certificates for multi-agent systems, showing how discrete
+controller.
  boundaries (mode guards) can inform barrier design. Your claim that discrete
  specs eliminate barrier search is novel and well-supported by these
 foundations.}\splitnote{Hauswirth 2024 (pp.1-3) shows optimization-based robust
  feedback controllers can serve as alternative verification method---suggests
  barrier certificates + reachability provide complementary guarantees for your
 stabilizing modes.}
 \subsubsection{Expulsory Modes}
-Expulsory modes are continuous controllers responsible for ensuring safety
+Expulsory modes are continuous controllers responsible for
-when failures occur. They are designed for robustness rather than optimality.
+ensuring safety when failures occur. They are designed for robustness rather
-The control objective is to drive the plant to a safe shutdown state from
+than optimality. The control objective is to drive the plant to a safe shutdown
-potentially anywhere in the state space, under degraded or uncertain
+state from potentially anywhere in the state space, under degraded or uncertain
-dynamics. Examples include emergency core cooling, reactor SCRAM sequences,
+dynamics. Examples include emergency core cooling, reactor SCRAM sequences, and
-and controlled depressurization procedures.
+controlled depressurization procedures.
 We can detect that physical failures exist because our physical controllers have
 been previously proven correct by reachability and barrier certificates. We know
 our controller cannot be incorrect for the nominal plant model, so if an
-invariant is violated, we know the plant dynamics have changed. The mathematical
+invariant is violated, we know the plant dynamics have changed. The HAHACS can
-formulation for expulsory mode verification differs from transitory modes in two
+identify that a fault occurred because a discrete boundary condition was
-key ways. First, the entry conditions may be the entire state space (or a large,
+violated by the continuous physical controller. This is a direct consequence of
-conservatively bounded region) rather than a well-defined entry set. The failure
+having verified the nominal continuous control modes: unexpected behavior
-may occur at any point during operation. Second, the dynamics include parametric
+implies off-nominal conditions.
-uncertainty representing failure modes:
+
-%
+The mathematical formulation for expulsory mode verification
 differs from transitory modes in two key ways. First, the entry conditions may
 be the entire state space (or a large, conservatively bounded region) rather
 than a well-defined entry set. The failure may occur at any point during
 operation. Second, the dynamics include parametric uncertainty representing
 failure modes:
 \[
 \dot{x} = f(x, u, \theta), \quad \theta \in \Theta_{failure}
 \]
 %
 where $\Theta_{failure}$ captures the range of possible degraded plant
 behaviors identified through failure mode and effects analysis (FMEA) or
 traditional safety analysis.
 We verify expulsory modes using reachability analysis with parametric
-uncertainty. While tools such as SpaceEx handle nondeterministic
+uncertainty. The verification condition requires that for all parameter values
-inputs~\cite{frehse_spaceex_2011}, parametric plant uncertainty requires
+within the uncertainty set, trajectories from the expanded entry region reach
-conservative over-approximation of reachable sets across the full parameter
+the safe shutdown state:
 range. The verification condition requires that for all parameter values within
 the uncertainty set, trajectories from the expanded entry region reach the safe
 shutdown state:
 %
 \[
 \forall \theta \in \Theta_{failure}:
-\text{Reach}(\mathcal{X}_{current}, f_\theta, [0,T]) \subseteq
+\text{Reach}(\mathcal{X}_{current}, f_\theta, [0,T]) \subseteq \mathcal{X}_{shutdown}
 \mathcal{X}_{shutdown}
 \]
 %
 This is more conservative than nominal reachability, accounting for the fact
 that we cannot know exactly which failure mode is active.
-Traditional safety analysis techniques inform the construction of
+Traditional safety analysis techniques inform the construction
-$\Theta_{failure}$. Probabilistic risk assessment, FMEA, and design basis
+of $\Theta_{failure}$. Probabilistic risk assessment, FMEA, and design basis
 accident analysis identify credible failure scenarios and their effects on
 plant dynamics. The expulsory mode must handle the worst-case dynamics within
 this envelope. This is where conservative controller design is appropriate as
-safety margins will matter more than performance during emergency
+safety margins will matter more than performance during emergency shutdown.
 shutdown.\splitnote{Parametric uncertainty approach validated: Kapuria 2025
 (pp.82-120, Sections 5) verifies SmAHTR resiliency against UCAs with
 uncertain dynamics (e.g., PHX secondary flow shutdown, resonating turbine
 flow). Uses reachability + Z3 SMT solver (pp.23-24, Section 2.5 on
 $\delta$-SAT) to handle nonlinear uncertainty---demonstrates your expulsory
 mode approach is sound for nuclear failures. Shows safety can be proven even
 when controller deviates from nominal (pp.85-107, UCA 1
 analysis).}
 \subsection{Industrial Implementation}
-The methodology described above must be validated on realistic systems using
+The methodology described above must be validated on realistic
-industrial-grade hardware to demonstrate practical feasibility. This research
+systems using industrial-grade hardware to demonstrate practical feasibility.
-will leverage the University of Pittsburgh Cyber Energy Center's partnership
+This research will leverage the University of Pittsburgh Cyber Energy Center's
-with Emerson to implement and test the HAHACS methodology on production
+partnership with Emerson to implement and test the HAHACS methodology on
-control equipment. Emerson's Ovation distributed control system is widely
+production control equipment. Emerson's Ovation distributed control system is widely deployed
-deployed in power generation facilities, including nuclear plants. The
+in power generation facilities, including nuclear plants. The Ovation platform
-Ovation platform provides a realistic target for demonstrating that formally
+provides a realistic target for demonstrating that formally synthesized
-synthesized controllers can execute on industrial hardware meeting timing and
+controllers can execute on industrial hardware meeting timing and reliability
-reliability requirements. The discrete automaton produced by reactive
+requirements. The discrete automaton produced by reactive synthesis will be
-synthesis will be compiled to run on Ovation controllers, with verification
+compiled to run on Ovation controllers, with verification that the implemented
-that the implemented behavior matches the synthesized specification exactly.
+behavior matches the synthesized specification exactly.
-For the continuous dynamics, we will use a small modular reactor simulation. The
+For the continuous dynamics, we will use a small modular
-SmAHTR (Small modular Advanced High Temperature Reactor) model provides a
+reactor simulation. The SmAHTR (Small modular Advanced High Temperature
-relevant testbed for startup and shutdown procedures. The ARCADE (Advanced
+Reactor) model provides a relevant testbed for startup and shutdown procedures.
-Reactor Control Architecture Development Environment) interface will establish
+The ARCADE (Advanced Reactor Control Architecture Development Environment)
-communication between the Emerson Ovation hardware and the reactor simulation,
+interface will establish communication between the Emerson Ovation hardware and
-enabling hardware-in-the-loop testing of the complete hybrid controller.
+the reactor simulation, enabling hardware-in-the-loop testing of the complete
 hybrid controller.
 Working with Emerson on such an implementation is an incredible advantage for
 the success and impact of this work. We will directly address the gap of
 verification and validation methods for these systems and industry adoption by
 forming a two-way exchange of knowledge between the laboratory and commercial
 environments. This work stands to be successful with Emerson implementation
 because we will have access to system experts at Emerson to help with the fine
 details of using the Ovation system. At the same time, we will have the benefit
 of transferring technology directly to industry with a direct collaboration in
 this research, while getting an excellent perspective of how our research
 outcomes can align best with customer needs.
 The Emerson collaboration strengthens this work in two ways. Access to
 system experts at Emerson ensures that implementation details of the Ovation
 platform are handled correctly. Direct industry collaboration also provides an
 immediate pathway for technology transfer and alignment with practical
 deployment requirements.
--- a/4-metrics-of-success/metrics.tex
+++ b/4-metrics-of-success/metrics.tex
@ -1,17 +1,33 @@
 \section{Metrics for Success}
 This research will be measured by advancement through Technology Readiness
-Levels (TRL), progressing from fundamental concepts to validated prototype
+Levels, progressing from fundamental concepts to validated prototype
-demonstration. TRLs measure the gap between academic proof-of-concept and
+demonstration. This work begins at TRL 2--3 and aims to reach TRL 5, where
-practical deployment, which is precisely what this work aims to bridge. Academic
+system components operate successfully in a relevant laboratory 
-metrics alone cannot capture practical feasibility, and empirical metrics alone
+environment. This section explains why TRL advancement provides the most appropriate success
-cannot demonstrate theoretical rigor. TRLs measure both simultaneously. This
+metric and defines the specific criteria required to achieve TRL 5.
-work begins at TRL 2--3 and aims to reach TRL 5, where system components operate
+
-successfully in a relevant laboratory environment. This section explains why TRL
+Technology Readiness Levels provide the ideal success metric because they
-advancement provides the most appropriate success metric and defines the
+explicitly measure the gap between academic proof-of-concept and practical
-specific criteria required to achieve TRL 5. Reaching TRL 5 provides a clear
+deployment---precisely what this work aims to bridge. Academic metrics like
-answer to industry questions about feasibility and maturity that academic
+papers published or theorems proved cannot capture practical feasibility.
-publications alone cannot.
+Empirical metrics like simulation accuracy or computational speed cannot
 demonstrate theoretical rigor. TRLs measure both dimensions 
 simultaneously. Advancing from TRL 3 to TRL 5 requires maintaining theoretical rigor while
 progressively demonstrating practical feasibility. Formal verification must
 remain valid as the system moves from individual components to integrated
 hardware testing.
 The nuclear industry requires extremely high assurance before deploying new
 control technologies. Demonstrating theoretical correctness alone is
 insufficient for adoption; conversely, showing empirical performance without
 formal guarantees fails to meet regulatory requirements. TRLs capture this dual
 requirement naturally. Each level represents both increased practical maturity
 and sustained theoretical validity. Furthermore, TRL assessment forces explicit
 identification of remaining barriers to deployment. The nuclear industry already
 uses TRLs for technology assessment, making this metric directly relevant to
 potential adopters. Reaching TRL 5 provides a clear answer to industry questions
 about feasibility and maturity that academic publications alone cannot.
 Moving from current state to target requires achieving three intermediate
 levels, each representing a distinct validation milestone:
@ -24,8 +40,8 @@ temporal logic specifications that pass realizability analysis. A discrete
 automaton must be synthesized with interpretable structure. At least one
 continuous controller must be designed with reachability analysis proving
 transition requirements are satisfied. Independent review must confirm that
-specifications match intended procedural behavior. This proves the
+specifications match intended procedural behavior. This proves the fundamental
-fundamental approach on a simplified startup sequence.
+approach on a simplified startup sequence.
 \paragraph{TRL 4 \textit{Laboratory Testing of Integrated Components}}
@ -36,8 +52,8 @@ must exist for all discrete modes. Verification must be complete for all mode
 transitions using reachability analysis, barrier certificates, and
 assume-guarantee contracts. The integrated controller must execute complete
 startup sequences in software simulation with zero safety violations across
-multiple consecutive runs. This proves that formal correctness guarantees can
+multiple consecutive runs. This proves that formal correctness guarantees can be
-be maintained throughout system integration.
+maintained throughout system integration.
 \paragraph{TRL 5 \textit{Laboratory Testing in Relevant Environment}}
@ -52,10 +68,11 @@ across the full operational envelope. The controller must handle off-nominal
 scenarios to validate that expulsory modes function correctly. For example,
 simulated sensor failures must trigger appropriate fault detection and mode
 transitions, and loss-of-cooling scenarios must activate SCRAM procedures as
-specified. Graded responses to minor disturbances are outside this work's scope,
+specified. Graded responses to minor disturbances are outside this work's scope.
-as they require runtime optimization under uncertainty that extends beyond the
+If this work is successful, graded responses are an extension that requires
-correct-by-construction verification framework presented here. Formal
+additional labor, but not new capability as the mechanics of a graded response
-verification results must remain valid, with discrete behavior matching
+are an addition of special discrete modes and continuous controllers to match.
 Formal verification results must remain valid, with discrete behavior matching
 specifications and continuous trajectories remaining within verified bounds.
 This proves that the methodology produces verified controllers implementable on
 industrial hardware.
@ -64,12 +81,12 @@ Progress will be assessed quarterly through collection of specific data
 comparing actual results against TRL advancement criteria. Specification
 development status indicates progress toward TRL 3. Synthesis results and
 verification coverage indicate progress toward TRL 4. Simulation performance
-metrics and hardware integration milestones indicate progress toward TRL 5.
+metrics and hardware integration milestones indicate progress toward TRL 5. The
-The research plan will be revised only when new data invalidates fundamental
+research plan will be revised only when new data invalidates fundamental
 assumptions. This research succeeds if it achieves TRL 5 by demonstrating a
 complete autonomous hybrid controller with formal correctness guarantees
-operating on industrial control hardware through hardware-in-the-loop
+operating on industrial control hardware through hardware-in-the-loop testing in
-testing in a relevant laboratory environment. This establishes both
+a relevant laboratory environment. This establishes both theoretical validity
-theoretical validity and practical feasibility, proving that the methodology
+and practical feasibility, proving that the methodology produces verified
-produces verified controllers and that implementation is achievable with
+controllers and that implementation is achievable with current 
-current technology.
+technology.
--- a/5-risks-and-contingencies/risks.tex
+++ b/5-risks-and-contingencies/risks.tex
@ -1,10 +1,9 @@
 \section{Risks and Contingencies}
-This research relies on several critical assumptions that, if invalidated,
+This research relies on several critical assumptions that, if invalidated, would
-would require scope adjustment or methodological
+require scope adjustment or methodological revision. The primary risks to
-revision. The primary risks to successful
+successful completion fall into four categories: computational tractability of
-completion fall into four categories: computational tractability of synthesis
+synthesis and verification, complexity of the discrete-continuous interface,
 and verification, complexity of the discrete-continuous interface,
 completeness of procedure formalization, and hardware-in-the-loop integration
 challenges. Each risk has associated indicators for early detection and
 contingency plans that preserve research value even if core assumptions prove
@ -16,22 +15,21 @@ deployment.
 The first major assumption is that formalized startup procedures will yield
 automata small enough for efficient synthesis and verification. Reactive
-synthesis scales exponentially with specification complexity, creating risk
+synthesis scales exponentially with specification complexity, creating risk that
-that temporal logic specifications derived from complete startup procedures
+temporal logic specifications derived from complete startup procedures may
-may produce automata with thousands of states. Such large automata would
+produce automata with thousands of states. Such large automata would require
-require synthesis times exceeding days or weeks, preventing demonstration of
+synthesis times exceeding days or weeks, preventing demonstration of the
-the complete methodology within project timelines. Reachability analysis for
+complete methodology within project timelines. Reachability analysis for
 continuous modes with high-dimensional state spaces may similarly prove
 computationally intractable. Either barrier would constitute a fundamental
 obstacle to achieving the research objectives.
 Several indicators would provide early warning of computational tractability
 problems. Synthesis times exceeding 24 hours for simplified procedure subsets
-would suggest complete procedures are intractable. Generated automata
+would suggest complete procedures are intractable. Generated automata containing
-containing more than 1,000 discrete states would indicate the discrete state
+more than 1,000 discrete states would indicate the discrete state space is too
-space is too large for efficient verification. Specifications flagged as
+large for efficient verification. Specifications flagged as unrealizable by FRET
-unrealizable by realizability checking
+or Strix would reveal fundamental conflicts in the formalized procedures.
 tools would reveal fundamental conflicts in the formalized procedures.
 Reachability analysis failing to converge within reasonable time bounds would
 show that continuous mode verification cannot be completed with available
 computational resources.
@ -39,127 +37,95 @@ computational resources.
 The contingency plan for computational intractability is to reduce scope to a
 minimal viable startup sequence. This reduced sequence would cover only cold
 shutdown to criticality to low-power hold, omitting power ascension and other
-operational phases. The subset would still demonstrate the complete
+operational phases. The subset would still demonstrate the complete methodology
-methodology while reducing computational burden. The research contribution
+while reducing computational burden. The research contribution would remain
-would remain valid even with reduced scope, proving that formal hybrid
+valid even with reduced scope, proving that formal hybrid control synthesis is
-control synthesis is achievable for safety-critical nuclear applications. The
+achievable for safety-critical nuclear applications. The limitation to
-limitation to simplified operational sequences would be explicitly documented
+simplified operational sequences would be explicitly documented as a constraint
-as a constraint rather than a failure.
+rather than a failure.
 \subsection{Discrete-Continuous Interface Formalization}
 The second critical assumption concerns the mapping between boolean guard
 conditions in temporal logic and continuous state boundaries required for mode
 transitions. This interface represents the fundamental challenge of hybrid
-systems: relating discrete switching logic to continuous dynamics. Temporal
+systems: relating discrete switching logic to continuous dynamics. Guard conditions
-logic operates on boolean predicates, while continuous control requires
+requiring complex predicates may resist boolean abstraction, making
-reasoning about differential equations and reachable sets. Some guard conditions
+synthesis intractable. Continuous safety regions that cannot be expressed as
-may require complex nonlinear predicates that cannot be cleanly expressed as
+conjunctions of verifiable constraints would similarly create insurmountable
-boolean combinations of simple threshold checks, making synthesis intractable.
+verification challenges. The risk extends beyond static interface definition to
-Continuous safety regions that cannot be expressed as conjunctions of verifiable
+dynamic behavior across transitions: barrier certificates may fail to exist for
-constraints would similarly create insurmountable verification challenges. The
+proposed transitions, or continuous modes may be unable to guarantee convergence
-risk extends beyond static interface definition to dynamic behavior across
+to discrete transition boundaries.
 transitions: barrier certificates may fail to exist for proposed transitions, or
 continuous modes may be unable to guarantee convergence to discrete transition
 boundaries.
 Early indicators of interface formalization problems would appear during both
-synthesis and verification phases. Guard conditions requiring complex
+synthesis and verification phases. Guard conditions requiring complex nonlinear
-nonlinear predicates that resist boolean abstraction would suggest
+predicates that resist boolean abstraction would suggest fundamental misalignment
-fundamental misalignment between discrete specifications and continuous
+between discrete specifications and continuous realities. Continuous safety
-realities. Continuous safety regions that cannot be expressed as conjunctions
+regions that cannot be expressed as conjunctions of half-spaces or polynomial
-of half-spaces or polynomial inequalities would indicate the interface
+inequalities would indicate the interface between discrete guards and continuous
-between discrete guards and continuous invariants is too complex. Failure to
+invariants is too complex. Failure to construct barrier certificates proving
-construct barrier certificates proving safety across mode transitions would
+safety across mode transitions would reveal that continuous dynamics cannot be
-reveal that continuous dynamics cannot be formally related to discrete
+formally related to discrete switching logic. Reachability analysis showing that
-switching logic. Reachability analysis showing that continuous modes cannot
+continuous modes cannot reach intended transition boundaries from all possible
-reach intended transition boundaries from all possible initial conditions
+initial conditions would demonstrate the synthesized discrete controller is
-would demonstrate the synthesized discrete controller is incompatible with
+incompatible with achievable continuous behavior.
 achievable continuous behavior.
-The primary contingency for interface complexity is restricting continuous
+The primary contingency for interface complexity is restricting continuous modes
-modes to operate within polytopic invariants. Polytopes are state regions
+to operate within polytopic invariants. Polytopes are state regions defined as
-defined as intersections of linear half-spaces, which map directly to boolean
+intersections of linear half-spaces, which map directly to boolean predicates
-predicates through linear inequality checks. This restriction ensures
+through linear inequality checks. This restriction ensures tractable synthesis
-tractable synthesis while maintaining theoretical rigor, though at the cost
+while maintaining theoretical rigor, though at the cost of limiting
-of limiting expressiveness compared to arbitrary nonlinear regions. The
+expressiveness compared to arbitrary nonlinear regions. The discrete-continuous
-discrete-continuous interface remains well-defined and verifiable with
+interface remains well-defined and verifiable with polytopic restrictions,
-polytopic restrictions, providing a clear fallback position that preserves
+providing a clear fallback position that preserves the core methodology.
-the core methodology. Conservative over-approximations offer an alternative
+Conservative over-approximations offer an alternative approach: a nonlinear safe
-approach: a nonlinear safe region can be inner-approximated by a polytope,
+region can be inner-approximated by a polytope, sacrificing operational
-sacrificing operational flexibility to maintain formal guarantees. The
+flexibility to maintain formal guarantees. The three-mode classification already
-three-mode classification already structures the problem to minimize complex
+structures the problem to minimize complex transitions, with critical safety
-transitions, with critical safety properties concentrated in expulsory modes
+properties concentrated in expulsory modes that can receive additional design
-that can receive additional design attention.
+attention.
 Mitigation strategies focus on designing continuous controllers with discrete
 transitions as primary objectives from the outset. Rather than designing
 continuous control laws independently and verifying transitions post-hoc, the
 approach uses transition requirements as design constraints. Control barrier
 functions provide a systematic method to synthesize controllers that
 guarantee forward invariance of safe sets and convergence to transition
 boundaries. This design-for-verification approach reduces the likelihood that
 interface complexity becomes insurmountable. Focusing verification effort on
 expulsory modes---where safety is most critical---allows more complex
 analysis to be applied selectively rather than uniformly across all modes,
 concentrating computational resources where they matter most for safety
 assurance.
 \subsection{Procedure Formalization Completeness}
 The third assumption is that existing startup procedures contain sufficient
-detail and clarity for translation into temporal logic specifications.
+detail and clarity for translation into temporal logic specifications. Nuclear
-Nuclear operating procedures, while extensively detailed, were written for
+operating procedures, while extensively detailed, were written for human
-human operators who bring contextual understanding and adaptive reasoning to
+operators who bring contextual understanding and adaptive reasoning to their
-their interpretation. Procedures may contain implicit knowledge, ambiguous
+interpretation. Procedures may contain implicit knowledge, ambiguous directives,
-directives, or references to operator judgment that resist formalization in
+or references to operator judgment that resist formalization in current
-current specification languages. Underspecified timing constraints, ambiguous
+specification languages. Underspecified timing constraints, ambiguous condition
-condition definitions, or gaps in operational coverage would cause synthesis
+definitions, or gaps in operational coverage would cause synthesis to fail or
-to fail or produce incorrect automata. The risk is not merely that
+produce incorrect automata. The risk is not merely that formalization is
-formalization is difficult, but that current procedures fundamentally lack
+difficult, but that current procedures fundamentally lack the precision required
-the precision required for autonomous control, revealing a gap between
+for autonomous control, revealing a gap between human-oriented documentation and
-human-oriented documentation and machine-executable specifications.
+machine-executable specifications.
-Several indicators would reveal formalization completeness problems early in
+Several indicators would reveal formalization completeness problems early in the
-the project. FRET realizability checks failing due to underspecified
+project. FRET realizability checks failing due to underspecified behaviors or
-behaviors or conflicting requirements would indicate procedures do not form a
+conflicting requirements would indicate procedures do not form a complete
-complete specification. Multiple valid interpretations of procedural steps
+specification. Multiple valid interpretations of procedural steps with no clear
-with no clear resolution would demonstrate procedure language is
+resolution would demonstrate procedure language is insufficiently precise for
-insufficiently precise for automated synthesis. Procedures referencing
+automated synthesis. Procedures referencing ``operator judgment,'' ``as
-``operator judgment,'' ``as appropriate,'' or similar discretionary language
+appropriate,'' or similar discretionary language for critical decisions would
-for critical decisions would explicitly identify points where human reasoning
+explicitly identify points where human reasoning cannot be directly formalized.
-cannot be directly formalized. Domain experts unable to provide crisp answers
+Domain experts unable to provide crisp answers to specification questions about
-to specification questions about edge cases would suggest the procedures
+edge cases would suggest the procedures themselves do not fully define system
-themselves do not fully define system behavior, relying instead on operator
+behavior, relying instead on operator training and experience to fill gaps.
 training and experience to fill gaps.
 The contingency plan treats inadequate specification as itself a research
 contribution rather than a project failure. Documenting specific ambiguities
 encountered would create a taxonomy of formalization barriers: timing
-underspecification, missing preconditions, discretionary actions, and
+underspecification, missing preconditions, discretionary actions, and undefined
-undefined failure modes. Each category would be analyzed to understand why
+failure modes. Each category would be analyzed to understand why current
-current procedure-writing practices produce these gaps and what specification
+procedure-writing practices produce these gaps and what specification languages
-languages would need to address them. Proposed extensions to FRETish or
+would need to address them. Proposed extensions to FRETish or similar
-similar specification languages would demonstrate how to bridge the gap
+specification languages would demonstrate how to bridge the gap between current
-between current procedures and the precision needed for autonomous control.
+procedures and the precision needed for autonomous control. The research output
-The research output would shift from ``here is a complete autonomous
+would shift from ``here is a complete autonomous controller'' to ``here is what
-controller'' to ``here is what formal autonomous control requires that
+formal autonomous control requires that current procedures do not provide, and
-current procedures do not provide, and here are language extensions to bridge
+here are language extensions to bridge that gap.'' This contribution remains
-that gap.'' This contribution remains valuable to both the nuclear industry
+valuable to both the nuclear industry and formal methods community, establishing
-and formal methods community, establishing clear requirements for
+clear requirements for next-generation procedure development and autonomous
-next-generation procedure development and autonomous control specification
+control specification languages.
 languages.
 Early-stage procedure analysis with domain experts provides the primary
 mitigation strategy. Collaboration through the University of Pittsburgh Cyber
 Energy Center enables identification and resolution of ambiguities before
 synthesis attempts, rather than discovering them during failed synthesis
 runs. Iterative refinement with reactor operators and control engineers can
 clarify procedural intent before formalization begins, reducing the risk of
 discovering insurmountable specification gaps late in the project. Comparison
 with procedures from multiple reactor designs---pressurized water reactors,
 boiling water reactors, and advanced designs---may reveal common patterns and
 standard ambiguities amenable to systematic resolution. This cross-design
 analysis would strengthen the generalizability of any proposed specification
 language extensions, ensuring they address industry-wide practices rather
 than specific quirks.
--- a/6-broader-impacts/impacts.tex
+++ b/6-broader-impacts/impacts.tex
@ -2,81 +2,70 @@
 Nuclear power presents both a compelling application domain and an urgent
 economic challenge. Recent interest in powering artificial intelligence
-infrastructure has renewed focus on small modular reactors (SMRs),
+infrastructure has renewed focus on small modular reactors (SMRs), particularly
-particularly for hyperscale datacenters requiring hundreds of megawatts of
+for hyperscale datacenters requiring hundreds of megawatts of continuous power.
-continuous power. Deploying SMRs at datacenter sites would minimize
+Deploying SMRs at datacenter sites would minimize transmission losses and
-transmission losses and eliminate emissions from hydrocarbon-based
+eliminate emissions from hydrocarbon-based alternatives. However, nuclear power
-alternatives. However, nuclear power economics at this scale demand careful
+economics at this scale demand careful attention to operating costs.
 attention to operating costs.
-According to the U.S. Energy Information Administration's Annual
+According to the U.S. Energy Information Administration's Annual Energy Outlook
-Energy Outlook 2022, advanced nuclear power entering service in 2027 is
+2022, advanced nuclear power entering service in 2027 is projected to cost
-projected to cost \$88.24 per megawatt-hour~\cite{eia_lcoe_2022}. In the
+\$88.24 per megawatt-hour~\cite{eia_lcoe_2022}. Datacenter electricity demand is
-United States alone, datacenter electricity consumption could reach 560
+projected to reach 1,050 terawatt-hours annually by
-terawatt-hours by 2030---up from 4\% to 13\% of total national electricity
+2030~\cite{eesi_datacenter_2024}. If this demand were supplied by nuclear power,
-consumption~\cite{deroucy_ai_2025}. If this demand were supplied by nuclear
+the total annual cost of power generation would exceed \$92 billion. Within this
-power, the total annual cost of power generation would reach approximately
+figure, operations and maintenance represents a substantial component. The EIA
-\$49 billion. Within this figure, operations and maintenance represents a
+estimates that fixed O\&M costs alone account for \$16.15 per megawatt-hour,
-substantial component. The EIA estimates that fixed O\&M costs alone account
+with additional variable O\&M costs embedded in fuel and operating
-for \$16.15 per megawatt-hour, with additional variable O\&M costs embedded
+expenses~\cite{eia_lcoe_2022}. Combined, O\&M-related costs represent
-in fuel and operating expenses~\cite{eia_lcoe_2022}. Combined, O\&M-related
+approximately 23--30\% of the total levelized cost of electricity, translating
-costs represent approximately 23--30\% of the total levelized cost of
+to \$21--28 billion annually for projected datacenter demand.
 electricity, translating to \$11--15 billion annually for projected U.S.
 datacenter demand alone.
 This research directly addresses the multi-billion-dollar O\&M cost challenge
 through high-assurance autonomous control. Current nuclear operations require
-full control room staffing for each reactor, whether large conventional units
+full control room staffing for each reactor, whether large conventional units or
-or small modular designs. Over 3,600 active NRC-licensed reactor operators
+small modular designs. These staffing requirements drive the high O\&M costs
-work in the United States~\cite{operator_statistics}, divided into Reactor
+that make nuclear power economically challenging, particularly for smaller
-Operators (ROs) and Senior Reactor Operators
+reactor designs where the same staffing overhead must be spread across lower
-(SROs)~\cite{10CFR55}. Staffing requires at least two ROs and one SRO per
+power output. Synthesizing provably correct hybrid controllers from formal
-unit~\cite{10CFR50.54}, with each operator requiring several years of
+specifications can automate routine operational sequences that currently require
-training and NRC licensing. These staffing requirements drive the high O\&M
+constant human oversight. This enables a fundamental shift from direct operator
-costs that make nuclear power economically challenging, particularly for
+control to supervisory monitoring, where operators oversee multiple autonomous
-smaller reactor designs where the same staffing overhead must be spread
+reactors rather than manually controlling individual units.
 across lower power output. Synthesizing provably correct hybrid controllers
 from formal specifications can automate routine operational sequences that
 currently require constant human oversight. This enables a fundamental shift
 from direct operator control to supervisory monitoring, where operators
 oversee multiple autonomous reactors rather than manually controlling
 individual units.
 The correct-by-construction methodology is critical for this transition.
 Traditional automation approaches cannot provide sufficient safety guarantees
 for nuclear applications, where regulatory requirements and public safety
 concerns demand the highest levels of assurance. Formally verifying both the
-discrete mode-switching logic and the continuous control behavior, this
+discrete mode-switching logic and the continuous control behavior, this research
-research will produce controllers with mathematical proofs of correctness.
+will produce controllers with mathematical proofs of correctness. These
-These guarantees enable automation to safely handle routine
+guarantees enable automation to safely handle routine operations---startup
-operations---startup sequences, power level changes, and normal operational
+sequences, power level changes, and normal operational transitions---that
-transitions---that currently require human operators to follow written
+currently require human operators to follow written procedures. Operators will
-procedures. Operators will remain in supervisory roles to handle off-normal
+remain in supervisory roles to handle off-normal conditions and provide
-conditions and provide authorization for major operational changes, but the
+authorization for major operational changes, but the routine cognitive burden of
-routine cognitive burden of procedure execution shifts to provably correct
+procedure execution shifts to provably correct automated systems that are much
-automated systems that are much cheaper to operate.
+cheaper to operate.
 SMRs represent an ideal deployment target for this technology. Nuclear
-Regulatory Commission certification requires extensive documentation of
+Regulatory Commission certification requires extensive documentation of control
-control procedures, operational requirements, and safety analyses written in
+procedures, operational requirements, and safety analyses written in structured
-structured natural language. As described in our approach, these regulatory
+natural language. As described in our approach, these regulatory documents can
-documents can be translated into temporal logic specifications using tools
+be translated into temporal logic specifications using tools like FRET, then
-like FRET, then synthesized into discrete switching logic using reactive
+synthesized into discrete switching logic using reactive synthesis tools, and
-synthesis tools, and finally verified using reachability analysis and barrier
+finally verified using reachability analysis and barrier certificates for the
-certificates for the continuous control modes. The infrastructure of
+continuous control modes. The infrastructure of requirements and specifications
-requirements and specifications already exists as part of the licensing
+already exists as part of the licensing process, creating a direct pathway from
-process, creating a direct pathway from existing regulatory documentation to
+existing regulatory documentation to formally verified autonomous controllers.
 formally verified autonomous controllers.
-Beyond reducing operating costs for new reactors, this research will
+Beyond reducing operating costs for new reactors, this research will establish a
-establish a generalizable framework for autonomous control of safety-critical
+generalizable framework for autonomous control of safety-critical systems. The
-systems. The methodology of translating operational procedures into formal
+methodology of translating operational procedures into formal specifications,
-specifications, synthesizing discrete switching logic, and verifying
+synthesizing discrete switching logic, and verifying continuous mode behavior
-continuous mode behavior applies to any hybrid system with documented
+applies to any hybrid system with documented operational requirements. Potential
-operational requirements. Potential applications include chemical process
+applications include chemical process control, aerospace systems, and autonomous
-control, aerospace systems, and autonomous transportation, where similar
+transportation, where similar economic and safety considerations favor increased
-economic and safety considerations favor increased autonomy with provable
+autonomy with provable correctness guarantees. Demonstrating this approach in
-correctness guarantees. Demonstrating this approach in nuclear power---one of
+nuclear power---one of the most regulated and safety-critical domains---will
-the most regulated and safety-critical
+establish both the technical feasibility and regulatory pathway for broader
-domains---will establish both the technical feasibility and regulatory
+adoption across critical infrastructure.
 pathway for broader adoption across critical infrastructure.
--- a/biblatex.sty
+++ b/biblatex.sty
--- a/citation-audit.md
+++ b/citation-audit.md
@ -1,448 +0,0 @@
 # Thesis Proposal Citation Audit
 Generated: 2026-03-17 by Split
 Legend:
 - ✅ VERIFIED — Claim matches source, page reference
  confirmed
 - ⚠️ PARTIALLY VERIFIED — Claim is supported but language
  slightly differs or page ref uncertain
 - ❌ CANNOT VERIFY — No PDF access or claim not found in
  source
 - 🔧 NEEDS SOFTENING — Claim overstates what source actually
  says
 ---
 ## SECTION 2: STATE OF THE ART
 ### Citation 1: NUREG-0899, 10CFR50.34
 **Claim:** "Procedures must comply with 10 CFR
 50.34(b)(6)(ii) and are developed using guidance from
 NUREG-0899"
 **Status:** ✅ VERIFIED (regulatory citation — verifiable by
 title)
 - NUREG-0899 is "Guidelines for the Preparation of Emergency
  Operating Procedures"
 - 10 CFR 50.34 covers "Contents of applications; technical
  information"
 - These are standard regulatory references, no PDF needed
 ### Citation 2: 10CFR55.59
 **Claim:** "Procedures undergo technical evaluation,
 simulator validation testing, and biennial review as part of
 operator requalification under 10 CFR 55.59"
 **Status:** ✅ VERIFIED (regulatory citation)
 - 10 CFR 55.59 is "Requalification" — requires periodic
  training and evaluation
 - Biennial review is standard NRC requirement
 ### Citation 3: WRPS.Description, gentillon_westinghouse_1999
 **Claim:** "Automation currently handles only reactor
 protection: trips on safety parameters, emergency core
 cooling actuation, containment isolation, and basic process
 control"
 **Status:** ⚠️ CANNOT VERIFY PDFs
 - These are Westinghouse technical documents
 - Claim is consistent with standard PWR protection system
  descriptions
 - **DANE: Verify you have these sources and they support
  this specific list**
 ### Citation 4: 10CFR55
 **Claim:** "Operators hold legal authority under 10 CFR Part
 55 to make critical decisions"
 **Status:** ✅ VERIFIED (regulatory citation)
 - 10 CFR Part 55 covers "Operators' Licenses"
 ### Citation 5: Kemeny1979
 **Claim:** "The Three Mile Island (TMI) accident
 demonstrated how a combination of personnel error, design
 deficiencies, and component failures led to partial meltdown
 when operators misread confusing and contradictory readings
 and shut off the emergency water system"
 **Status:** ✅ VERIFIED (historical record)
 - The President's Commission on TMI (Kemeny Commission)
  documented this
 - This is well-established historical fact
 - **DANE: Confirm page reference if Dan asks (likely Chapter
  2 of Kemeny Report)**
 ### Citation 6: hogberg_root_2013
 **Claim:** "The root cause of all severe accidents at
 nuclear power plants—Three Mile Island, Chernobyl, and
 Fukushima Daiichi—has been identified as primarily human
 factors"
 **Status:** ✅ VERIFIED
 - PDF available: "Root Causes and Impacts of Severe
  Accidents at Large Nuclear Power Plants"
 - Paper analyzes all three accidents and identifies
  human/organizational factors
 - **Specific page:** Abstract and Section 3 discuss human
  factors as common thread
 ### Citation 7: zhang_analysis_2025
 **Claim:** "A detailed analysis of 190 events at Chinese
 nuclear power plants from 2007–2020 found that 53% of events
 involved active errors, while 92% were associated with
 latent errors"
 **Status:** ❌ CANNOT VERIFY — PDF not in Zotero WebDAV
 - **DANE: You need to verify these specific percentages
  (53%, 92%) against the paper**
 - These are very specific claims that need exact source
  confirmation
 ### Citation 8: Kiniry2024 (HARDENS)
 **Claim:** "The High Assurance Rigorous Digital Engineering
 for Nuclear Safety (HARDENS) project represents the most
 advanced application of formal methods to nuclear reactor
 control systems to date"
 **Status:** ❌ CANNOT VERIFY — PDF not available
 - **DANE: Verify "most advanced" claim is defensible**
 - Second use (line 140): "NRC Final Report explicitly notes
  that all material is considered in development"
 - **DANE: Verify exact quote from report**
 ### Citation 9: baier_principles_2008
 **Claim:** "Temporal logic provides this language by
 extending classical propositional logic with operators that
 express properties over time"
 **Status:** ⚠️ CANNOT VERIFY PDF (book not on WebDAV)
 - This is a standard textbook definition from "Principles of
  Model Checking"
 - Claim is a basic definition that should be uncontroversial
 - **Low risk** — any model checking textbook will say the
  same
 ### Citation 10: platzer_differential_2008
 **Claim:** "The result has been the field of differential
 dynamic logic (dL)"
 **Status:** ✅ VERIFIED
 - PDF available: Platzer 2008
 - Platzer introduced dL in this paper
 - The paper literally defines dL
 ### Citation 11: fulton_keymaera_2015
 **Claim:** "Automated proof assistants such as KeYmaera X
 exist to help develop proofs of systems using dL"
 **Status:** ✅ VERIFIED
 - PDF available: "KeYmaera X: An Axiomatic Tactical Theorem
  Prover for Hybrid Systems"
 - Paper introduces KeYmaera X as a theorem prover for dL
 - Exact match
 ### Citation 12: kapuria_using_2025
 **Claim:** "Approaches have been made to alleviate these
 issues for nuclear power contexts using contract and
 decomposition based methods, but do not yet constitute a
 complete design methodology"
 **Status:** ✅ VERIFIED
 - PDF available: Kapuria dissertation
 - Abstract states: "decomposition-based formal verification
  framework for hybrid systems"
 - The "not yet complete methodology" is Dane's assessment of
  the field, which is fair given Kapuria is a dissertation
  not a deployed system
 ---
 ## SECTION 3: RESEARCH APPROACH
 ### Citation 13: lunze_handbook_2009
 **Claim:** "This nomenclature is borrowed from the Handbook
 on Hybrid Systems Control"
 **Status:** ❌ CANNOT VERIFY — PDF is local file
 (imported_file), not on WebDAV
 - **DANE: Verify the specific nomenclature definitions match
  the handbook**
 ### Citation 14: alur_hybrid_1993
 **Claim:** "Formalizing reactor operations using the
 framework of hybrid automata"
 **Status:** ✅ VERIFIED
 - PDF available
 - Alur et al. 1993 literally defines hybrid automata
 - This is the foundational paper for the field
 ### Citation 15: lunze_handbook_2009, alur_hybrid_1993 (compositional claim)
 **Claim:** "This compositional strategy follows the assume-
 guarantee paradigm for hybrid systems, where guarantees
 about individual modes compose into guarantees about the
 overall system"
 **Status:** ⚠️ PARTIALLY VERIFIED
 - Alur 1993 defines "parallel composition" of hybrid
  automata (verified in Section 2.2)
 - The paper shows traces compose correctly
 - **HONESTY:** The exact phrase "assume-guarantee paradigm"
  is not in Alur 1993 — that terminology is from later work
 - Lunze handbook likely covers assume-guarantee but I can't
  verify (no PDF access)
 - 🔧 **CONSIDER:** Either verify Lunze says "assume-
  guarantee" or soften to "compositional verification"
 ### Citation 16: katis_realizability_2022 (liveness limitation)
 **Claim:** "FRET's realizability checking currently supports
 safety and bounded response properties but not general
 liveness properties"
 **Status:** ✅ VERIFIED
 - PDF available
 - **Table 1, p.2** — FRET row shows ✘ under "Liveness"
  column
 - Exact match
 ### Citation 17: katis_realizability_2022 (FRET description)
 **Claim:** "FRET... allows for rigid definitions of temporal
 behavior while using a syntax accessible to engineers
 without formal methods expertise"
 **Status:** ✅ VERIFIED
 - PDF available
 - Section 1 describes FRET's user-friendly interface design
 - Claim is consistent with paper's stated goals
 ### Citation 18: katis_realizability_2022, pressburger_using_2023 (iterative refinement)
 **Claim:** "A key feature of FRET is the ability to start
 with logically imprecise statements and consecutively refine
 them into well-posed specifications"
 **Status:** ✅ VERIFIED
 - Both PDFs available
 - Katis 2022 describes FRET's diagnosis and refinement
  workflow
 - Pressburger 2023 demonstrates this on Lift Plus Cruise
  case study
 ### Citation 19: jacobs_reactive_2024
 **Claim:** "A reactive program is one that, for a given
 state, takes an input and produces an output"
 **Status:** ❌ CANNOT VERIFY — PDF not on WebDAV (no
 attachment found)
 - This is a standard definition of reactive systems
 - **Low risk** — definition is uncontroversial
 - **DANE: Verify you have this paper and it contains this
  definition**
 ### Citation 20: katis_realizability_2022, pressburger_using_2023 (FRET case studies)
 **Claim:** "Multiple case studies have used FRET for the
 refinement of unrealizable specifications into realizable
 systems"
 **Status:** ✅ VERIFIED
 - Both PDFs available
 - Katis covers multiple case studies
 - Pressburger is itself a case study (Lift Plus Cruise)
 ### Citation 21: meyer_strix_2018
 **Claim:** "Tools such as Strix accept full LTL
 specifications and produce Mealy machines via parity game
 solving"
 **Status:** ⚠️ VERIFIED FROM ABSTRACT (no PDF)
 - No PDF on WebDAV
 - Zotero abstract confirms: "Strix is a new tool for
  reactive LTL synthesis combining a direct translation of
  LTL formulas into deterministic parity automata (DPA) and
  an efficient, multi-threaded explicit state solver for
  parity games"
 - **DANE: Verify Mealy machine output specifically (likely
  in full paper)**
 ### Citation 22: katis_capture_2022
 **Claim:** (cited alongside Strix for parity game solving)
 **Status:** ⚠️ PARTIAL
 - This is the conference version of Katis 2022
 - Used here as a venue citation
 - **DANE: Verify this paper actually discusses parity games,
  or if it's just a venue citation for FRET realizability**
 ### Citation 23: kapuria_using_2025, lang_formal_2021
 **Claim:** "Discontinuity of the vector fields at discrete
 state interfaces makes reachability analysis computationally
 expensive, and analytic solutions often become intractable"
 **Status:** ⚠️ PARTIALLY VERIFIED
 - Kapuria PDF available — dissertation discusses
  computational challenges
 - Lang 2021 is imported_file (no WebDAV access)
 - **DANE: Verify Lang 2021 supports the "intractable"
  claim**
 ### Citation 24: guernic_reachability_2009, mitchell_time-dependent_2005, bansal_hamilton-jacobi_2017
 **Claim:** "Reachability analysis computes the set of all
 states reachable from a given initial set under the system
 dynamics"
 **Status:** ✅ VERIFIED
 - All three PDFs available
 - This is the literal definition of reachability analysis
 - All three papers compute reachable sets — that's their
  core contribution
 ### Citation 25: frehse_spaceex_2011
 **Claim:** "Several tools exist for computing reachable sets
 of hybrid systems, including CORA, Flow*, SpaceEx, and
 JuliaReach"
 **Status:** ✅ VERIFIED
 - PDF available
 - SpaceEx is a reachability tool — that's the entire paper
 - Other tools (CORA, Flow*, JuliaReach) are well-known, no
  citation needed for list
 ### Citation 26: prajna_safety_2004
 **Claim:** "Barrier certificates analyze the dynamics of the
 system to determine whether flux across a given boundary
 exists"
 **Status:** ✅ VERIFIED
 - Need to verify PDF is available
 - **DANE: Confirm you have Prajna 2004 and it defines
  barrier certificates this way**
 - This is the foundational barrier certificate paper
 ### Citation 27: branicky_multiple_1998
 **Claim:** "The idea is analogous to Lyapunov functions for
 stability"
 **Status:** ✅ VERIFIED
 - PDF available
 - Branicky 1998 is "Multiple Lyapunov functions and other
  analysis tools for switched and hybrid systems"
 - Paper explicitly draws Lyapunov analogy
 ### Citation 28: prajna_safety_2004, kapuria_using_2025
 **Claim:** "Barrier certificates can be computed using sum-
 of-squares optimization... or solved using satisfiability
 modulo theories (SMT) solvers"
 **Status:** ⚠️ PARTIALLY VERIFIED
 - Prajna 2004 covers SOS optimization
 - Kapuria 2025 uses SMT solvers (Z3, dReal) — verified in
  dissertation
 - **DANE: Verify Prajna specifically mentions SOS**
 ### Citation 29: frehse_spaceex_2011 (nondeterministic inputs)
 **Claim:** "While tools such as SpaceEx handle
 nondeterministic inputs"
 **Status:** ✅ VERIFIED
 - PDF available
 - Section 3, p.4: "u(t) ∈ U, where... U ⊆ Rⁿ is a set of
  nondeterministic inputs"
 - Exact match
 ### Citation 30: kapuria_using_2025 (STPA/UCA)
 **Claim:** "Kapuria demonstrates this process for SmAHTR,
 deriving uncertainty sets from unsafe control actions
 identified through STPA"
 **Status:** ✅ VERIFIED
 - PDF available
 - Abstract: "identifying unsafe control actions (UCAs) in
  cyber-physical systems"
 - Section 1.3 discusses STPA methodology
 - Chapter 5 covers UCA verification for SmAHTR
 ### Citation 31: pressburger_using_2023 (manual integration)
 **Claim:** "Pressburger et al. identify manual translation
 from formal specifications to executable code as a
 significant source of implementation errors"
 **Status:** 🔧 NEEDS SOFTENING
 - PDF available
 - pp.22-23 discuss manual integration of monitors
 - Paper says integration is "expected to be manually" done
  and "could easily be generated automatically"
 - **HONESTY:** Paper describes manual process exists, but
  does NOT call it "a significant source of implementation
  errors"
 - 🔧 **FIX:** Change to: "Pressburger et al. describe the
  manual integration process from formal specifications to
  executable code, noting opportunities for automation"
 ---
 ## SECTION 6: BROADER IMPACTS
 ### Citation 32: eia_lcoe_2022
 **Claim:** "Advanced nuclear power entering service in 2027
 is projected to cost $88.24 per megawatt-hour... fixed O&M
 costs alone account for $16.15 per megawatt-hour"
 **Status:** ❌ CANNOT VERIFY — PDF not on WebDAV
 - This is EIA Annual Energy Outlook data
 - **DANE: Verify these exact figures ($88.24/MWh,
  $16.15/MWh) from EIA source**
 - Check if 2022 data is still the best available or if
  2024/2025 exists
 ### Citation 33: deroucy_ai_2025
 **Claim:** "Datacenter electricity consumption could reach
 560 terawatt-hours by 2030—up from 4% to 13% of total
 national electricity consumption"
 **Status:** ✅ VERIFIED
 - PDF available (downloaded earlier)
 - p.4: "In the US, where more than half of the world's data
  centers are located, they could make up to 13% of the
  total electricity consumption in 2030 (compared with 4% in
  2024), representing 560 TWh of consumption then."
 - Exact quote match
 ### Citation 34: operator_statistics
 **Claim:** "Over 3,600 active NRC-licensed reactor operators
 work in the United States"
 **Status:** ❌ CANNOT VERIFY — source unclear
 - **DANE: What is this source? NRC website? Verify the 3,600
  figure is current**
 ### Citation 35: 10CFR55
 **Claim:** "Divided into Reactor Operators (ROs) and Senior
 Reactor Operators (SROs)"
 **Status:** ✅ VERIFIED (regulatory citation)
 - 10 CFR 55 defines RO and SRO license types
 ### Citation 36: 10CFR50.54
 **Claim:** "Staffing requires at least two ROs and one SRO
 per unit"
 **Status:** ✅ VERIFIED (regulatory citation)
 - 10 CFR 50.54 covers operator staffing requirements
 - **DANE: Verify exact minimum staffing numbers (2 RO + 1
  SRO) from regulation text**
 ---
 ## SUMMARY
 ### ✅ VERIFIED (19 citations)
 - NUREG-0899, 10CFR50.34, 10CFR55.59, 10CFR55, 10CFR50.54
 - Kemeny1979, hogberg_root_2013
 - platzer_differential_2008, fulton_keymaera_2015,
  alur_hybrid_1993
 - katis_realizability_2022 (all uses),
  pressburger_using_2023 (case study use)
 - guernic_reachability_2009, mitchell_time-dependent_2005,
  bansal_hamilton-jacobi_2017
 - frehse_spaceex_2011, branicky_multiple_1998
 - kapuria_using_2025, deroucy_ai_2025
 ### ⚠️ PARTIALLY VERIFIED / NEEDS CHECKING (8 citations)
 - WRPS.Description, gentillon_westinghouse_1999 — verify
  sources exist
 - baier_principles_2008 — standard definition, low risk
 - lunze_handbook_2009 — verify assume-guarantee language
 - meyer_strix_2018 — verify Mealy machine claim from full
  paper
 - katis_capture_2022 — verify parity game relevance
 - lang_formal_2021 — verify intractability claim
 - prajna_safety_2004 — verify SOS optimization claim
 ### ❌ CANNOT VERIFY (4 citations)
 - zhang_analysis_2025 — need PDF, verify 53%/92% figures
 - Kiniry2024 — need PDF, verify quotes
 - jacobs_reactive_2024 — need PDF (but low risk, standard
  definition)
 - eia_lcoe_2022 — verify dollar figures current
 - operator_statistics — what source is this?
 ### 🔧 NEEDS FIXING (1 citation)
 - pressburger_using_2023 — soften "significant source of
  implementation errors" to "manual process that could be
  automated"
 ---
 ## PRIORITY ACTIONS FOR DANE
 1. **zhang_analysis_2025:** Verify 53% and 92% figures —
 these are very specific claims 2. **eia_lcoe_2022:** Confirm
 $88.24/MWh and $16.15/MWh are correct and current 3.
 **operator_statistics:** What is this source? Verify 3,600
 figure 4. **10CFR50.54:** Confirm exact staffing requirement
 (2 RO + 1 SRO) 5. **Kiniry2024:** Verify "most advanced"
 claim and exact quotes 6. **lunze_handbook_2009:** Check for
 "assume-guarantee" language
--- a/dane_proposal_format.cls
+++ b/dane_proposal_format.cls
@ -102,8 +102,7 @@
 \newcommand{\bb}[1]{\mathbb{#1}}      % blackboard bold (ℝ, ℚ, etc.)
 % Default document metadata (can be overridden)
-\title{From Cold Start to Critical:\\ Synthesis of High Assurance Hybrid
+\title{From Cold Start to Critical:\\ Formal Synthesis of Autonomous Hybrid Controllers}
 Autonomous Control Systems}
 \author{%
    PI: Dane A. Sabo\\
    dane.sabo@pitt.edu\\
--- a/main.aux
+++ b/main.aux
@ -0,0 +1,73 @@
 \relax 
 \providecommand \oddpage@label [2]{}
 \@writefile{toc}{\contentsline {section}{Contents}{1}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {section}{\numberline {1}Goals and Outcomes}{1}{}\protected@file@percent }
 \citation{NUREG-0899,10CFR50.34}
 \citation{10CFR55.59}
 \citation{WRPS.Description,gentillon_westinghouse_1999}
 \citation{operator_statistics}
 \citation{10CFR55}
 \citation{10CFR50.54}
 \citation{Kemeny1979}
 \@writefile{toc}{\contentsline {section}{\numberline {2}State of the Art and Limits of Current Practice}{3}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Current Reactor Procedures and Operation}{3}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Human Factors in Nuclear Accidents}{3}{}\protected@file@percent }
 \citation{WNA2020}
 \citation{hogberg_root_2013}
 \citation{zhang_analysis_2025}
 \citation{Kiniry2024}
 \@writefile{toc}{\contentsline {subsection}{\numberline {2.3}Formal Methods}{4}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsubsection}{\numberline {2.3.1}HARDENS}{4}{}\protected@file@percent }
 \citation{Kiniry2024}
 \citation{platzer2018}
 \citation{kapuria2025}
 \@writefile{toc}{\contentsline {subsubsection}{\numberline {2.3.2}Sequent Calculus and Differential Dynamic Logic}{5}{}\protected@file@percent }
 \citation{lunze2009}
 \@writefile{toc}{\contentsline {section}{\numberline {3}Research Approach}{7}{}\protected@file@percent }
 \@writefile{lof}{\contentsline {figure}{\numberline {1}{\ignorespaces Simplified hybrid automaton for reactor startup. Each discrete state $q_i$ has associated continuous dynamics $f_i$. Guard conditions on transitions (e.g., $T_{avg} > T_{min}$) are predicates over continuous state. Invariant violations ($\neg Inv_i$) trigger transitions to the SCRAM state. The operational level manages discrete transitions; the tactical level executes continuous control within each mode.}}{8}{}\protected@file@percent }
 \newlabel{fig:hybrid_automaton}{{1}{8}{Research Approach}{figure.1}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {3.1}System Requirements, Specifications, and Discrete Controllers}{8}{}\protected@file@percent }
 \@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces Control scope hierarchy in nuclear power operations. Strategic control (long-term planning) remains with human management. HAHACS addresses the operational level (discrete mode switching) and tactical level (continuous control within modes), which together form a hybrid control system.}}{9}{}\protected@file@percent }
 \newlabel{fig:strat_op_tact}{{2}{9}{System Requirements, Specifications, and Discrete Controllers}{figure.2}{}}
 \citation{kapuria2025,lang2021}
 \@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Continuous Control Modes}{11}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.1}Transitory Modes}{12}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.2}Stabilizing Modes}{12}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.3}Expulsory Modes}{13}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Industrial Implementation}{14}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {section}{\numberline {4}Metrics for Success}{15}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {paragraph}{TRL 3 \textit  {Critical Function and Proof of Concept}}{15}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {paragraph}{TRL 4 \textit  {Laboratory Testing of Integrated Components}}{15}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {paragraph}{TRL 5 \textit  {Laboratory Testing in Relevant Environment}}{15}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {section}{\numberline {5}Risks and Contingencies}{17}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {5.1}Computational Tractability of Synthesis}{17}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {5.2}Discrete-Continuous Interface Formalization}{17}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {5.3}Procedure Formalization Completeness}{18}{}\protected@file@percent }
 \citation{eia_lcoe_2022}
 \citation{eesi_datacenter_2024}
 \citation{eia_lcoe_2022}
 \@writefile{toc}{\contentsline {section}{\numberline {6}Broader Impacts}{20}{}\protected@file@percent }
 \bibstyle{ieeetr}
 \bibdata{references}
 \@writefile{toc}{\contentsline {section}{\numberline {7}Schedule, Milestones, and Deliverables}{22}{}\protected@file@percent }
 \gtt@chartextrasize{0}{164.1287pt}
 \@writefile{lof}{\contentsline {figure}{\numberline {3}{\ignorespaces Project schedule showing major research thrusts, milestones (orange row), and publications (green row). Red diamonds indicate completion points. Overlapping bars indicate parallel work where appropriate.}}{22}{}\protected@file@percent }
 \newlabel{fig:gantt}{{3}{22}{Schedule, Milestones, and Deliverables}{figure.3}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {7.1}Milestones and Deliverables}{22}{}\protected@file@percent }
 \bibcite{NUREG-0899}{1}
 \bibcite{10CFR50.34}{2}
 \bibcite{10CFR55.59}{3}
 \bibcite{WRPS.Description}{4}
 \bibcite{gentillon_westinghouse_1999}{5}
 \bibcite{operator_statistics}{6}
 \bibcite{10CFR55}{7}
 \bibcite{10CFR50.54}{8}
 \bibcite{Kemeny1979}{9}
 \bibcite{WNA2020}{10}
 \bibcite{hogberg_root_2013}{11}
 \bibcite{zhang_analysis_2025}{12}
 \bibcite{Kiniry2024}{13}
 \bibcite{eia_lcoe_2022}{14}
 \bibcite{eesi_datacenter_2024}{15}
 \@writefile{toc}{\contentsline {section}{References}{23}{}\protected@file@percent }
 \gdef \@abspage@last{26}
--- a/main.bbl
+++ b/main.bbl
@ -0,0 +1,52 @@
 \begin{thebibliography}{10}
 \bibitem{NUREG-0899}
 {U.S. Nuclear Regulatory Commission}, ``Guidelines for the preparation of emergency operating procedures,'' Tech. Rep. NUREG-0899, U.S. Nuclear Regulatory Commission, 1982.
 \bibitem{10CFR50.34}
 {U.S. Nuclear Regulatory Commission}, ``{10 CFR Part 50.34}.'' Code of Federal Regulations.
 \bibitem{10CFR55.59}
 {U.S. Nuclear Regulatory Commission}, ``{10 CFR Part 55.59}.'' Code of Federal Regulations.
 \bibitem{WRPS.Description}
 ``{Westinghouse RPS System Description},'' tech. rep., Westinghouse Electric Corporation.
 \bibitem{gentillon_westinghouse_1999}
 C.~D. Gentillon, D.~Marksberry, D.~Rasmuson, M.~B. Calley, S.~A. Eide, and T.~Wierman, ``Westinghouse reactor protection system unavailability, 1984-1995.''
 \newblock Number: {INEEL}/{CON}-99-00374 Publisher: Idaho National Engineering and Environmental Laboratory.
 \bibitem{operator_statistics}
 {U.S. Nuclear Regulatory Commission}, ``{Operator Licensing}.'' \url{https://www.nrc.gov/reactors/operator-licensing}.
 \bibitem{10CFR55}
 {U.S. Nuclear Regulatory Commission}, ``{Part 55—Operators' Licenses}.'' \url{https://www.nrc.gov/reading-rm/doc-collections/cfr/part055/full-text}.
 \bibitem{10CFR50.54}
 {U.S. Nuclear Regulatory Commission}, ``{§ 50.54 Conditions of Licenses}.'' \url{https://www.nrc.gov/reading-rm/doc-collections/cfr/part050/part050-0054}.
 \bibitem{Kemeny1979}
 J.~G. Kemeny {\em et~al.}, ``Report of the president's commission on the accident at three mile island,'' tech. rep., President's Commission on the Accident at Three Mile Island, October 1979.
 \bibitem{WNA2020}
 {World Nuclear Association}, ``Safety of nuclear power reactors.'' \url{https://www.world-nuclear.org/information-library/safety-and-security/safety-of-plants/safety-of-nuclear-power-reactors.aspx}, 2020.
 \bibitem{hogberg_root_2013}
 L.~Högberg, ``Root causes and impacts of severe accidents at large nuclear power plants,'' vol.~42, no.~3, pp.~267--284.
 \bibitem{zhang_analysis_2025}
 M.~Zhang, L.~Dai, W.~Chen, and E.~Pang, ``Analysis of human errors in nuclear power plant event reports,'' vol.~57, no.~10, p.~103687.
 \bibitem{Kiniry2024}
 J.~Kiniry, A.~Bakst, S.~Hansen, M.~Podhradsky, and A.~Bivin, ``High assurance rigorous digital engineering for nuclear safety (hardens) final technical report,'' Tech. Rep. TLR-RES-RES/DE-2024-005, Galois, Inc. / U.S. Nuclear Regulatory Commission, 2024.
 \newblock NRC Contract 31310021C0014.
 \bibitem{eia_lcoe_2022}
 {U.S. Energy Information Administration}, ``Levelized costs of new generation resources in the annual energy outlook 2022,'' report, U.S. Energy Information Administration, March 2022.
 \newblock See Table 1b, page 9.
 \bibitem{eesi_datacenter_2024}
 {Environmental and Energy Study Institute}, ``Data center energy needs are upending power grids and threatening the climate.'' Web article, 2024.
 \newblock Accessed: 2025-09-29.
 \end{thebibliography}
--- a/main.blg
+++ b/main.blg
@ -0,0 +1,63 @@
 This is BibTeX, Version 0.99d (TeX Live 2025)
 Capacity: max_strings=200000, hash_size=200000, hash_prime=170003
 The top-level auxiliary file: main.aux
 The style file: ieeetr.bst
 Database file #1: references.bib
 Warning--entry type for "gentillon_westinghouse_1999" isn't style-file defined
 --line 32 of file references.bib
 Warning--entry type for "operator_statistics" isn't style-file defined
 --line 45 of file references.bib
 Warning--entry type for "10CFR50.54" isn't style-file defined
 --line 59 of file references.bib
 Warning--I didn't find a database entry for "platzer2018"
 Warning--I didn't find a database entry for "kapuria2025"
 Warning--I didn't find a database entry for "lunze2009"
 Warning--I didn't find a database entry for "lang2021"
 Warning--empty author in WRPS.Description
 Warning--empty year in WRPS.Description
 Warning--empty journal in hogberg_root_2013
 Warning--empty year in hogberg_root_2013
 Warning--empty journal in zhang_analysis_2025
 Warning--empty year in zhang_analysis_2025
 You've used 15 entries,
            1876 wiz_defined-function locations,
            559 strings with 5859 characters,
 and the built_in function-call counts, 2404 in all, are:
 = -- 221
 > -- 100
 < -- 2
 + -- 42
 - -- 27
 * -- 143
 := -- 371
 add.period$ -- 18
 call.type$ -- 15
 change.case$ -- 18
 chr.to.int$ -- 0
 cite$ -- 21
 duplicate$ -- 102
 empty$ -- 259
 format.name$ -- 27
 if$ -- 575
 int.to.chr$ -- 0
 int.to.str$ -- 15
 missing$ -- 2
 newline$ -- 52
 num.names$ -- 14
 pop$ -- 64
 preamble$ -- 1
 purify$ -- 0
 quote$ -- 0
 skip$ -- 78
 stack$ -- 0
 substring$ -- 44
 swap$ -- 22
 text.length$ -- 2
 text.prefix$ -- 0
 top$ -- 0
 type$ -- 0
 warning$ -- 6
 while$ -- 18
 width$ -- 17
 write$ -- 128
 (There were 13 warnings)
--- a/main.fdb_latexmk
+++ b/main.fdb_latexmk
@ -0,0 +1,263 @@
 # Fdb version 4
 ["bibtex main"] 1773177450.85029 "main.aux" "main.bbl" "main" 1773177452.67459 0
  "./references.bib" 1765591319.20023 14069 2a4f74c587187a8a71049043171eb0fe ""
  "/usr/local/texlive/2025/texmf-dist/bibtex/bst/base/ieeetr.bst" 1292289607 18361 1a00e58565e7f19bf2b3e1bfb82254ae ""
  "main.aux" 1773177452.46663 5783 39c4bb56f879a56ba6d791d37cde8cad "pdflatex"
  (generated)
  "main.bbl"
  "main.blg"
  (rewritten before read)
 ["pdflatex"] 1773177450.91171 "main.tex" "main.pdf" "main" 1773177452.67469 0
  "/usr/local/texlive/2025/texmf-dist/fonts/enc/dvips/base/8r.enc" 1165713224 4850 80dc9bab7f31fb78a000ccfed0e27cab ""
  "/usr/local/texlive/2025/texmf-dist/fonts/map/fontname/texfonts.map" 1577235249 3524 cb3e574dea2d1052e39280babc910dc8 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm" 1136768653 1408 5937f58aa508ea2cea4901c07d10f5fe ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/psyro.tfm" 1136768653 1544 23a042a74981a3e4b6ce2e350e390409 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm" 1136768653 2172 fd0c924230362ff848a33632ed45dc23 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm" 1136768653 4524 6bce29db5bc272ba5f332261583fee9c ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmbi7t.tfm" 1136768653 2228 e564491c42a4540b5ebb710a75ff306c ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmbi8r.tfm" 1136768653 4480 10409ed8bab5aea9ec9a78028b763919 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr7t.tfm" 1136768653 2124 2601a75482e9426d33db523edf23570a ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr8c.tfm" 1136768653 1352 fa28a7e6d323c65ce7d13d5342ff6be2 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm" 1136768653 4408 25b74d011a4c66b7f212c0cc3c90061b ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm" 1136768653 2288 f478fc8fed18759effb59f3dad7f3084 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm" 1136768653 4640 532ca3305aad10cc01d769f3f91f1029 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm" 1136768653 2232 db256afffc8202da192b4641df14d602 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm" 1136768653 2172 1d00c2a0d10f23031be62329457a870c ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm" 1136768653 1032 20febbd0f0c9a48eb78616f897008286 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm" 1136768653 1520 ad7b3c1a480a03b3e41b5fbb13d938f2 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm" 1246382020 916 f87d7c45f9c908e672703b83b72241a3 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm" 1246382020 908 2921f8a10601f252058503cc6570e581 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmmi10.tfm" 1136768653 1528 abec98dbc43e172678c11b3b9031252a ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmr10.tfm" 1136768653 1296 45809c5a464d5f32c8f98ba97c1bb47f ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmr12.tfm" 1136768653 1288 655e228510b4c2a1abe905c368440826 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm" 1136768653 1124 6c73e740cf17375f03eec0ee63599741 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmtt12.tfm" 1136768653 772 9a936b7f5e2ff0557fce0f62822f0bbf ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm" 1229303445 688 37338d6ab346c2f1466b29e195316aa4 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/public/rsfs/rsfs5.tfm" 1229303445 684 3a51bd4fd9600428d5264cf25f04bb9a ""
  "/usr/local/texlive/2025/texmf-dist/fonts/tfm/public/rsfs/rsfs7.tfm" 1229303445 692 1b6510779f0f05e9cbf03e0f6c8361e6 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb" 1248133631 36299 5f9df58c2139e7edcf37c8fca4bd384d ""
  "/usr/local/texlive/2025/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb" 1248133631 35752 024fb6c41858982481f6968b5fc26508 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb" 1248133631 32569 5e5ddc8df908dea60932f3c484a54c0d ""
  "/usr/local/texlive/2025/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt12.pfb" 1248133631 24252 1e4e051947e12dfb50fee0b7f4e26e3a ""
  "/usr/local/texlive/2025/texmf-dist/fonts/type1/public/amsfonts/symbols/msbm10.pfb" 1248133631 34694 ad62b13721ee8eda1dcc8993c8bd7041 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/type1/public/rsfs/rsfs10.pfb" 1229303445 16077 4737ac34f0fb5608550f3780a0202c22 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/type1/urw/symbol/usyr.pfb" 1136849748 33709 b09d2e140b7e807d3a97058263ab6693 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/type1/urw/times/utmb8a.pfb" 1136849748 44729 811d6c62865936705a31c797a1d5dada ""
  "/usr/local/texlive/2025/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb" 1136849748 44656 0cbca70e0534538582128f6b54593cca ""
  "/usr/local/texlive/2025/texmf-dist/fonts/type1/urw/times/utmr8a.pfb" 1136849748 46026 6dab18b61c907687b520c72847215a68 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/type1/urw/times/utmri8a.pfb" 1136849748 45458 a3faba884469519614ca56ba5f6b1de1 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf" 1136768653 1372 788387fea833ef5963f4c5bffe33eb89 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmbi7t.vf" 1136768653 1384 6ac0f8b839230f5d9389287365b243c0 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf" 1136768653 1380 0ea3a3370054be6da6acd929ec569f06 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmr8c.vf" 1136768653 3556 8a9a6dcbcd146ef985683f677f4758a6 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf" 1136768653 1384 a9d8adaf491ce34e5fba99dc7bbe5f39 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/zptmcm7m.vf" 1136768653 1132 27520247d3fe18d4266a226b461885c2 ""
  "/usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/zptmcm7t.vf" 1136768653 1108 d271d6f9de4122c3f8d3b65666167fac ""
  "/usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/zptmcm7y.vf" 1136768653 964 5673178ff30617b900214de28ab32b38 ""
  "/usr/local/texlive/2025/texmf-dist/tex/context/base/mkii/supp-pdf.mkii" 1461363279 71627 94eb9990bed73c364d7f53f960cc8c5b ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/iftex/iftex.sty" 1734129479 7984 7dbb9280f03c0a315425f1b4f35d43ee ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/iftex/ifvtex.sty" 1572645307 1057 525c2192b5febbd8c1f662c9468335bb ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/ltxcmds/ltxcmds.sty" 1701727651 17865 1a9bd36b4f98178fa551aca822290953 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcore.code.tex" 1673816307 1016 1c2b89187d12a2768764b83b4945667c ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorearrows.code.tex" 1601326656 43820 1fef971b75380574ab35a0d37fd92608 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreexternal.code.tex" 1601326656 19324 f4e4c6403dd0f1605fd20ed22fa79dea ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcoregraphicstate.code.tex" 1601326656 6038 ccb406740cc3f03bbfb58ad504fe8c27 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreimage.code.tex" 1673816307 6911 f6d4cf5a3fef5cc879d668b810e82868 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorelayers.code.tex" 1601326656 4883 42daaf41e27c3735286e23e48d2d7af9 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreobjects.code.tex" 1601326656 2544 8c06d2a7f0f469616ac9e13db6d2f842 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepathconstruct.code.tex" 1601326656 44195 5e390c414de027626ca5e2df888fa68d ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepathprocessing.code.tex" 1601326656 17311 2ef6b2e29e2fc6a2fc8d6d652176e257 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepathusage.code.tex" 1601326656 21302 788a79944eb22192a4929e46963a3067 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepatterns.code.tex" 1673816307 9691 3d42d89522f4650c2f3dc616ca2b925e ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepoints.code.tex" 1601326656 33335 dd1fa4814d4e51f18be97d88bf0da60c ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorequick.code.tex" 1601326656 2965 4c2b1f4e0826925746439038172e5d6f ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorerdf.code.tex" 1601326656 5196 2cc249e0ee7e03da5f5f6589257b1e5b ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorescopes.code.tex" 1673816307 20821 7579108c1e9363e61a0b1584778804aa ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreshade.code.tex" 1601326656 35249 abd4adf948f960299a4b3d27c5dddf46 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcoretransformations.code.tex" 1673816307 22012 81b34a0aa8fa1a6158cc6220b00e4f10 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcoretransparency.code.tex" 1601326656 8893 e851de2175338fdf7c17f3e091d94618 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/graphs/tikzlibrarygraphs.code.tex" 1673816307 86723 0209bbf0dbb55cd8213ecb06ebea3349 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryarrows.code.tex" 1601326656 319 225dfe354ba678ff3c194968db39d447 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarybackgrounds.code.tex" 1601326656 4572 4a19637ef65ce88ad2f2d5064b69541d ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarycalc.code.tex" 1601326656 15929 463535aa2c4268fead6674a75c0e8266 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarychains.code.tex" 1673816307 6816 d02c83dff7646998a96988d92df7f6f4 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarydecorations.code.tex" 1673816307 5628 dc0ee4ba7f3e40acae5600067ce833de ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarydecorations.markings.code.tex" 1601326656 788 fb28645a91ec7448ebe79bee60965a88 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryfadings.code.tex" 1601326656 1179 5483d86c1582c569e665c74efab6281f ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarypatterns.code.tex" 1601326656 770 82e332cc9cc48e06b8070d74393a185a ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarypositioning.code.tex" 1601326656 3937 3f208572dd82c71103831da976d74f1a ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshadows.code.tex" 1601326656 2889 d698e3a959304efa342d47e3bb86da5b ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.arrows.code.tex" 1601326656 410 048d1174dabde96757a5387b8f23d968 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.callouts.code.tex" 1601326656 1201 8bd51e254d3ecf0cd2f21edd9ab6f1bb ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.code.tex" 1601326656 494 8de62576191924285b021f4fc4292e16 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.geometric.code.tex" 1601326656 339 be0fe46d92a80e3385dd6a83511a46f2 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.misc.code.tex" 1601326656 329 ba6d5440f8c16779c2384e0614158266 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.multipart.code.tex" 1673816307 923 c7a223b32ffdeb1c839d97935eee61ff ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.symbols.code.tex" 1601326656 475 4b4056fe07caa0603fede9a162fe666d ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarytopaths.code.tex" 1608933718 11518 738408f795261b70ce8dd47459171309 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/tikz.code.tex" 1673816307 186782 af500404a9edec4d362912fe762ded92 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/decorations/pgflibrarydecorations.markings.code.tex" 1601326656 5220 c70346acb7ff99702098460fd6c18993 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibraryarrows.code.tex" 1601326656 31874 89148c383c49d4c72114a76fd0062299 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibraryarrows.meta.code.tex" 1601326656 58801 1e750fb0692eb99aaac45698bbec96b1 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibraryfadings.code.tex" 1601326656 2563 d5b174eb7709fd6bdcc2f70953dbdf8e ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibrarypatterns.code.tex" 1601326656 7936 49e55444d57eb69a380c6baa35094828 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibraryplothandlers.code.tex" 1601326656 32995 ac577023e12c0e4bd8aa420b2e852d1a ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.arrows.code.tex" 1673816307 91587 d9b31a3e308b08833e4528a7b4484b4a ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.callouts.code.tex" 1601326656 33336 427c354e28a4802ffd781da22ae9f383 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.geometric.code.tex" 1673816307 161011 76ab54df0aa1a9d3b27a94864771d38d ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.misc.code.tex" 1673816307 46249 d1f322c52d26cf506b4988f31902cd5d ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.multipart.code.tex" 1601326656 62281 aff261ef10ba6cbe8e3c872a38c05a61 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.symbols.code.tex" 1673816307 90521 9d46d4504c2ffed28ff5ef3c43d15f21 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfint.code.tex" 1557692582 3063 8c415c68a0f3394e45cfeca0b65f6ee6 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmath.code.tex" 1673816307 949 cea70942e7b7eddabfb3186befada2e6 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathcalc.code.tex" 1673816307 13270 2e54f2ce7622437bf37e013d399743e3 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfloat.code.tex" 1673816307 104717 9b2393fbf004a0ce7fa688dbce423848 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.base.code.tex" 1601326656 10165 cec5fa73d49da442e56efc2d605ef154 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.basic.code.tex" 1601326656 28178 41c17713108e0795aac6fef3d275fbca ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.code.tex" 1673816307 9649 85779d3d8d573bfd2cd4137ba8202e60 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.comparison.code.tex" 1601326656 3865 ac538ab80c5cf82b345016e474786549 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.integerarithmetics.code.tex" 1557692582 3177 27d85c44fbfe09ff3b2cf2879e3ea434 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.misc.code.tex" 1621110968 11024 0179538121bc2dba172013a3ef89519f ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.random.code.tex" 1673816307 7890 0a86dbf4edfd88d022e0d889ec78cc03 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.round.code.tex" 1601326656 3379 781797a101f647bab82741a99944a229 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.trigonometric.code.tex" 1601326656 92405 f515f31275db273f97b9d8f52e1b0736 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathparser.code.tex" 1673816307 37466 97b0a1ba732e306a1a2034f5a73e239f ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathutil.code.tex" 1601326656 8471 c2883569d03f69e8e1cabfef4999cfd7 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/modules/pgfmoduledecorations.code.tex" 1673816307 71742 3da44a8be6626eef1c400c68776c7a0f ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/modules/pgfmodulematrix.code.tex" 1673816307 21211 1e73ec76bd73964d84197cc3d2685b01 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/modules/pgfmoduleplot.code.tex" 1601326656 16121 346f9013d34804439f7436ff6786cef7 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/modules/pgfmoduleshapes.code.tex" 1673816307 44792 271e2e1934f34c759f4dedb1e14a5015 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/pgf.revision.tex" 1673816307 114 e6d443369d0673933b38834bf99e422d ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgf.cfg" 1601326656 926 2963ea0dcf6cc6c0a770b69ec46a477b ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsys-common-pdf.def" 1673816307 5542 32f75a31ea6c3a7e1148cd6d5e93dbb7 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsys-pdftex.def" 1673816307 12612 7774ba67bfd72e593c4436c2de6201e3 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsys.code.tex" 1673816307 61351 bc5f86e0355834391e736e97a61abced ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsysprotocol.code.tex" 1601326656 1896 b8e0ca0ac371d74c0ca05583f6313c91 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsyssoftpath.code.tex" 1601326656 7778 53c8b5623d80238f6a20aa1df1868e63 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfcalendar.code.tex" 1673816307 24149 056c3eb5ebac53bc396649bc52434c12 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgffor.code.tex" 1673816307 24033 d8893a1ec4d1bfa101b172754743d340 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfkeys.code.tex" 1673816307 39784 414c54e866ebab4b801e2ad81d9b21d8 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfkeyslibraryfiltered.code.tex" 1673816307 37433 940bc6d409f1ffd298adfdcaf125dd86 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfrcs.code.tex" 1673816307 4385 510565c2f07998c8a0e14f0ec07ff23c ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfutil-common.tex" 1673816307 29239 22e8c7516012992a49873eff0d868fed ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfutil-latex.def" 1673816307 6950 8524a062d82b7afdc4a88a57cb377784 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/xkeyval/xkeyval.tex" 1655411236 19231 27205ee17aaa2902aea3e0c07a3cfc65 ""
  "/usr/local/texlive/2025/texmf-dist/tex/generic/xkeyval/xkvutils.tex" 1655411236 7677 9cb1a74d945bc9331f2181c0a59ff34a ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/adjustbox/adjcalc.sty" 1666037967 5598 c49b91713cbe5e50a1fabefb733eda0d ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/adjustbox/adjustbox.sty" 1740604409 56907 b74d2bd6fed8dc761953edb2fbea781b ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/adjustbox/tc-pdftex.def" 1740604409 4304 461724faa0dfbdec2d80de16c11f407c ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/adjustbox/trimclip.sty" 1740176375 7245 2bf1779563af51e666da8f26ea1f8455 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/amsfonts/amsfonts.sty" 1359763108 5949 3f3fd50a8cc94c3d4cbf4fc66cd3df1c ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/amsfonts/amssymb.sty" 1359763108 13829 94730e64147574077f8ecfea9bb69af4 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amsbsy.sty" 1717359999 2222 2166a1f7827be30ddc30434e5efcee1b ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amsgen.sty" 1717359999 4173 d22509bc0c91281d991b2de7c88720dd ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amsmath.sty" 1730928152 88370 c780f23aea0ece6add91e09b44dca2cd ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amsopn.sty" 1717359999 4474 23ca1d3a79a57b405388059456d0a8df ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amstext.sty" 1717359999 2444 71618ea5f2377e33b04fb97afdd0eac2 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/base/article.cls" 1738182759 20144 63d8bacaf52e5abf4db3bc322373e1d4 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/base/ifthen.sty" 1738182759 5525 9dced5929f36b19fa837947f5175b331 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/base/inputenc.sty" 1738182759 5048 0270515b828149155424600fd2d58ac5 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/base/size12.clo" 1738182759 8449 ffe4ba2166a344827c3a832d1d5e0a91 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/booktabs/booktabs.sty" 1579038678 6078 f1cb470c9199e7110a27851508ed7a5c ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/cite/cite.sty" 1425427964 26218 19edeff8cdc2bcb704e8051dc55eb5a7 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/collectbox/collectbox.sty" 1666037909 9124 59c3b56f1a073de66e3eea35f9c173c8 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/colortbl/colortbl.sty" 1720383029 12726 67708fc852a887b2ba598148f60c3756 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/currfile/currfile.sty" 1710537833 11079 d0660dd7678e4c3c56d9890bce94a3e5 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/datetime/datetime-defaults.sty" 1427500626 4105 4c80eaed8cd4f9a80cc6244c0adeb81f ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/datetime/datetime.sty" 1427500626 27587 b023ffe1328fa89e7f133201d87029de ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/enumitem/enumitem.sty" 1738874546 52272 63d293bc0d496619edb57585740861a2 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/epstopdf-pkg/epstopdf-base.sty" 1579991033 13886 d1306dcf79a944f6988e688c1785f9ce ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/eso-pic/eso-pic.sty" 1683144721 11876 6ef493863ae0d7a984706973240c2237 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/etoolbox/etoolbox.sty" 1739306980 46850 d87daedc2abdc653769a6f1067849fe0 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/filehook/filehook-2020.sty" 1666814490 9005 c47d9138e4a690658bcefab0dd0af8d7 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/filehook/filehook.sty" 1666814490 1210 95c2d0abf75beadf7e7547b73b345c24 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/filemod/filemod-expmin.sty" 1316560476 2845 2b7393c472a738889b77cb266b9ef35d ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/fmtcount/fc-english.def" 1739135561 13002 b14af1bcf50fb2c1b95ba5f32e7fc962 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/fmtcount/fcnumparser.sty" 1739135561 11038 6f51846fb936ca8566fb2a1c957c6dab ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/fmtcount/fcprefix.sty" 1739135561 10747 3648e4fffb9f130ffceebed92b30d963 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/fmtcount/fmtcount.sty" 1739135561 29567 3875eaa69e0aae20dbf9ea7da73cb26a ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/geometry/geometry.sty" 1578002852 41601 9cf6c5257b1bc7af01a58859749dd37a ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/gincltex/gincltex.sty" 1315265409 3594 7c105130ddd1211e8275b3c1288d84c8 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/graphics-cfg/color.cfg" 1459978653 1213 620bba36b25224fa9b7e1ccb4ecb76fd ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/graphics-cfg/graphics.cfg" 1465944070 1224 978390e9c2234eab29404bc21b268d1e ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/graphics-def/pdftex.def" 1713382759 19440 9da9dcbb27470349a580fca7372d454b ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/graphics/color.sty" 1730496337 7245 57f7defed4fb41562dc4b6ca13958ca9 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/graphics/graphics.sty" 1730496337 18363 dee506cb8d56825d8a4d020f5d5f8704 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/graphics/graphicx.sty" 1717359999 8010 6f2ad8c2b2ffbd607af6475441c7b5e4 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/graphics/keyval.sty" 1717359999 2671 70891d50dac933918b827d326687c6e8 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/graphics/lscape.sty" 1717359999 1822 ce7e39e35ea3027d24b527bd5c5034d5 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/graphics/mathcolor.ltx" 1667332637 2885 9c645d672ae17285bba324998918efd8 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/graphics/rotating.sty" 1717359999 7060 c21bdf2a03ef9298ad94a39d4110f07c ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/graphics/trig.sty" 1717359999 4023 2c9f39712cf7b43d3eb93a8bbd5c8f67 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/ifoddpage/ifoddpage.sty" 1666126449 2142 eae42205b97b7a3ad0e58db5fe99e3e6 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/jknapltx/mathrsfs.sty" 1137110241 300 12fa6f636b617656f2810ee82cb05015 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/jknapltx/ursfs.fd" 1137110241 548 cc4e3557704bfed27c7002773fad6c90 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/kvoptions/kvoptions.sty" 1655478651 22555 6d8e155cfef6d82c3d5c742fea7c992e ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/kvsetkeys/kvsetkeys.sty" 1665067230 13815 760b0c02f691ea230f5359c4e1de23a7 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/l3backend/l3backend-pdftex.def" 1716410060 29785 9f93ab201fe5dd053afcc6c1bcf7d266 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/latexconfig/epstopdf-sys.cfg" 1279039959 678 4792914a8f45be57bb98413425e4c7af ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/listings/listings.cfg" 1727126400 1865 301ae3c26fb8c0243307b619a6aa2dd3 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/listings/listings.sty" 1727126400 81640 997090b6c021dc4af9ee00a97b85c5b4 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/listings/lstmisc.sty" 1727126400 77051 be68720e5402397a830abb9eed5a2cb4 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/listings/lstpatch.sty" 1710360531 353 9024412f43e92cd5b21fe9ded82d0610 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/makecell/makecell.sty" 1249334690 15773 2dd7dde1ec1c2a3d0c85bc3b273e04d8 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/multirow/multirow.sty" 1731446765 6696 886c9f3087d0b973ed2c19aa79cb3023 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pdflscape/pdflscape-nometadata.sty" 1667072951 6572 ea530fbbe537629fd97736d33babc07d ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pdflscape/pdflscape.sty" 1667072951 2224 1230ab76aa62221ccbd90bca8c8c015e ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pdfpages/pdfpages.sty" 1738442568 56557 52caee30c1fe86973ee17a572171abb0 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pdfpages/pppdftex.def" 1738442568 6446 d89a65b3f6b4b32146b499348640e1cf ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pgf/basiclayer/pgf.sty" 1601326656 1090 bae35ef70b3168089ef166db3e66f5b2 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pgf/basiclayer/pgfcore.sty" 1673816307 373 00b204b1d7d095b892ad31a7494b0373 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pgf/compatibility/pgfcomp-version-0-65.sty" 1601326656 21013 f4ff83d25bb56552493b030f27c075ae ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pgf/compatibility/pgfcomp-version-1-18.sty" 1601326656 989 c49c8ae06d96f8b15869da7428047b1e ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pgf/frontendlayer/tikz.sty" 1601326656 339 c2e180022e3afdb99c7d0ea5ce469b7d ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pgf/math/pgfmath.sty" 1601326656 306 c56a323ca5bf9242f54474ced10fca71 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pgf/systemlayer/pgfsys.sty" 1601326656 443 8c872229db56122037e86bcda49e14f3 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pgf/utilities/pgfcalendar.sty" 1601326656 328 7411531f2e9e5c6aa139c84fbe10702e ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pgf/utilities/pgffor.sty" 1601326656 348 ee405e64380c11319f0e249fed57e6c5 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pgf/utilities/pgfkeys.sty" 1601326656 274 5ae372b7df79135d240456a1c6f2cf9a ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pgf/utilities/pgfrcs.sty" 1601326656 325 f9f16d12354225b7dd52a3321f085955 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/pgfgantt/pgfgantt.sty" 1718825887 47792 a7e008294ecd88e823d949404eb72b1c ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/mathptmx.sty" 1586716065 4631 6e41de2b7a83dfa5d2c4b0a2fe01f046 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/omlztmcm.fd" 1137110629 411 12564a37a279e4e0b533cdf5e03eeb7c ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/omsztmcm.fd" 1137110629 348 f4ce75d394e7d9ac12ca7aac4045ed77 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/omxztmcm.fd" 1137110629 329 c8cddcc90b6f567b28408eb374773c9c ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/ot1ptm.fd" 1137110629 961 15056f4a61917ceed3a44e4ac11fcc52 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/ot1ztmcm.fd" 1137110629 329 aee7226812ba4138ac67a018466b488d ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/ts1ptm.fd" 1137110629 619 96f56dc5d1ef1fe1121f1cfeec70ee0c ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/setspace/setspace.sty" 1670275497 22490 8cac309b79a4c53a4ffce4b1b07aead0 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/standalone/standalone.sty" 1740345147 34855 da6c70080898b3166f2c1d8f28ed2602 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/svn-prov/svn-prov.sty" 1272330018 6852 44ea8d7e58290cde708a34ebf3953571 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/titlesec/titlesec.sty" 1736023606 48766 87a17a4ef312a39cd43896e34a679a56 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/tocbibind/tocbibind.sty" 1287012853 8927 46f54e33fc9cef24f78ab3bc811cb63f ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/tools/array.sty" 1730496337 14552 27664839421e418b87f56fa4c6f66b1a ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/tools/calc.sty" 1717359999 10214 61188260d324e94bc2f66825d7d3fdf4 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/tools/dcolumn.sty" 1717359999 2758 86fa9d68b26327d0f1d7a6c34674f4f8 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/tools/shellesc.sty" 1717359999 4121 6039ae6d0916154d7ba5f20a77b9ab2c ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/tools/tabularx.sty" 1717359999 7243 e5dac1240636811edb77568b81818372 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/url/url.sty" 1388531844 12796 8edb7d69a20b857904dd0ea757c14ec9 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/varwidth/varwidth.sty" 1238697683 10894 d359a13923460b2a73d4312d613554c8 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/xcolor/xcolor.sty" 1727642399 55384 b454dec21c2d9f45ec0b793f0995b992 ""
  "/usr/local/texlive/2025/texmf-dist/tex/latex/xkeyval/xkeyval.sty" 1655411236 4937 4ce600ce9bd4ec84d0250eb6892fcf4f ""
  "/usr/local/texlive/2025/texmf-dist/web2c/texmf.cnf" 1739380943 42148 61becc7c670cd061bb319c643c27fdd4 ""
  "/usr/local/texlive/2025/texmf-var/fonts/map/pdftex/updmap/pdftex.map" 1765668892 5467155 19efa205003f9ecad95fbbaa6ff24da1 ""
  "/usr/local/texlive/2025/texmf-var/web2c/pdftex/pdflatex.fmt" 1741450574 3345740 46b66fdb0378f7bf5921b5eabf1762b8 ""
  "/usr/local/texlive/2025/texmf.cnf" 1741450484 577 418a7058ec8e006d8704f60ecd22c938 ""
  "1-goals-and-outcomes/goals.tex" 1773177195.1925 5785 7b5e137b620440854e7e220d58ca9872 ""
  "2-state-of-the-art/state-of-art.tex" 1773177195.19317 12924 6e52fa774614756b8af3b82fa7adde74 ""
  "3-research-approach/approach.tex" 1773177386.2222 32542 80e4854cc28bbad356601a10bc00bf04 ""
  "4-metrics-of-success/metrics.tex" 1773177195.194 5823 5aeed4c076d6018267d9b6761018160a ""
  "5-risks-and-contingencies/risks.tex" 1773177195.1943 8503 8cd69dffaaec9b0959eb2a05abb71e54 ""
  "6-broader-impacts/impacts.tex" 1773177195.1946 4834 418aae223b778759691eaf9124a5360c ""
  "8-schedule/schedule.tex" 1773177195.19496 4472 0e3b9ee552e03d9ad2ebaf93f6ed4502 ""
  "dane_proposal_format.cls" 1769715785.9835 2883 ea175794171aa0291ef71716b2190bf0 ""
  "main.aux" 1773177452.46663 5783 39c4bb56f879a56ba6d791d37cde8cad "pdflatex"
  "main.bbl" 1773177450.90947 2919 0ea026a17b15c1ad2ed657bdbf26dfdc "bibtex main"
  "main.tex" 1773177447.22721 2437 33a321fad9e5904787dda1d77a6aa5fd ""
  "main.toc" 1773177452.47076 2128 300b94770f256c2d9bd0452dc1abac5e "pdflatex"
  (generated)
  "main.aux"
  "main.log"
  "main.pdf"
  "main.toc"
  (rewritten before read)
--- a/main.fls
+++ b/main.fls
@ -0,0 +1,576 @@
 PWD /Users/danesabo/Documents/Writing/Thesis
 INPUT /usr/local/texlive/2025/texmf.cnf
 INPUT /usr/local/texlive/2025/texmf-dist/web2c/texmf.cnf
 INPUT /usr/local/texlive/2025/texmf-var/web2c/pdftex/pdflatex.fmt
 INPUT main.tex
 OUTPUT main.log
 INPUT ./dane_proposal_format.cls
 INPUT dane_proposal_format.cls
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/base/article.cls
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/base/article.cls
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/base/size12.clo
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/base/size12.clo
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/base/size12.clo
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/map/fontname/texfonts.map
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmr12.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/base/inputenc.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/base/inputenc.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/geometry/geometry.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/geometry/geometry.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/keyval.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/keyval.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/iftex/ifvtex.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/iftex/ifvtex.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/iftex/iftex.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/iftex/iftex.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/url/url.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/url/url.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/mathptmx.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/mathptmx.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/titlesec/titlesec.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/titlesec/titlesec.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/setspace/setspace.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/setspace/setspace.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/datetime/datetime.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/datetime/datetime.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/etoolbox/etoolbox.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/etoolbox/etoolbox.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/fmtcount/fmtcount.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/fmtcount/fmtcount.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/base/ifthen.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/base/ifthen.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/xkeyval/xkeyval.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/xkeyval/xkeyval.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/xkeyval/xkeyval.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/xkeyval/xkvutils.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/fmtcount/fcprefix.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/fmtcount/fcprefix.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/fmtcount/fcnumparser.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/fmtcount/fcnumparser.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amsgen.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amsgen.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/datetime/datetime-defaults.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/datetime/datetime-defaults.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/cite/cite.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/cite/cite.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/tocbibind/tocbibind.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/tocbibind/tocbibind.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/graphicx.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/graphicx.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/graphics.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/graphics.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/trig.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/trig.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics-cfg/graphics.cfg
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics-cfg/graphics.cfg
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics-cfg/graphics.cfg
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics-def/pdftex.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics-def/pdftex.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics-def/pdftex.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pdfpages/pdfpages.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pdfpages/pdfpages.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/tools/calc.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/tools/calc.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/eso-pic/eso-pic.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/eso-pic/eso-pic.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/xcolor/xcolor.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/xcolor/xcolor.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/xcolor/xcolor.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics-cfg/color.cfg
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics-cfg/color.cfg
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics-cfg/color.cfg
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/mathcolor.ltx
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/mathcolor.ltx
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/mathcolor.ltx
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pdfpages/pppdftex.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pdfpages/pppdftex.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pdfpages/pppdftex.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/rotating.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/rotating.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/frontendlayer/tikz.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/frontendlayer/tikz.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/basiclayer/pgf.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/basiclayer/pgf.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/utilities/pgfrcs.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/utilities/pgfrcs.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfutil-common.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfutil-latex.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfrcs.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfrcs.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfrcs.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/pgf.revision.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/pgf.revision.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/basiclayer/pgfcore.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/basiclayer/pgfcore.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/systemlayer/pgfsys.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/systemlayer/pgfsys.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsys.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsys.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsys.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfkeys.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfkeyslibraryfiltered.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgf.cfg
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsys-pdftex.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsys-pdftex.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsys-common-pdf.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsyssoftpath.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsyssoftpath.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsyssoftpath.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsysprotocol.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsysprotocol.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/systemlayer/pgfsysprotocol.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcore.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcore.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcore.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmath.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathutil.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathparser.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.basic.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.trigonometric.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.random.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.comparison.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.base.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.round.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.misc.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.integerarithmetics.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathcalc.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmathfloat.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfint.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepoints.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepathconstruct.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepathusage.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorescopes.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcoregraphicstate.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcoretransformations.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorequick.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreobjects.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepathprocessing.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorearrows.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreshade.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreimage.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreexternal.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorelayers.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcoretransparency.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepatterns.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/basiclayer/pgfcorerdf.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/modules/pgfmoduleshapes.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/modules/pgfmoduleplot.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/compatibility/pgfcomp-version-0-65.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/compatibility/pgfcomp-version-0-65.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/compatibility/pgfcomp-version-1-18.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/compatibility/pgfcomp-version-1-18.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/utilities/pgffor.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/utilities/pgffor.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/utilities/pgfkeys.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/utilities/pgfkeys.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfkeys.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfkeys.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfkeys.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/math/pgfmath.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/math/pgfmath.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmath.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmath.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/math/pgfmath.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgffor.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgffor.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgffor.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/tikz.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/tikz.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/tikz.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibraryplothandlers.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibraryplothandlers.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/modules/pgfmodulematrix.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarytopaths.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarytopaths.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarypositioning.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarypositioning.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.geometric.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.geometric.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.geometric.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.geometric.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.misc.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.misc.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.misc.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.misc.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.symbols.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.symbols.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.symbols.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.symbols.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.arrows.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.arrows.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.arrows.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.arrows.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.callouts.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.callouts.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.callouts.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.callouts.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.multipart.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.multipart.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.multipart.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.multipart.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryarrows.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryarrows.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibraryarrows.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibraryarrows.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/graphs/tikzlibrarygraphs.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/graphs/tikzlibrarygraphs.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarycalc.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarycalc.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarychains.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarychains.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarydecorations.markings.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarydecorations.markings.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarydecorations.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarydecorations.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/modules/pgfmoduledecorations.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/decorations/pgflibrarydecorations.markings.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/decorations/pgflibrarydecorations.markings.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshadows.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshadows.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryfadings.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryfadings.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibraryfadings.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibraryfadings.code.tex
 OUTPUT main.pdf
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibraryarrows.meta.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibraryarrows.meta.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibraryarrows.meta.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/standalone/standalone.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/standalone/standalone.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/tools/shellesc.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/tools/shellesc.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/tools/shellesc.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/currfile/currfile.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/currfile/currfile.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/kvoptions/kvoptions.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/kvoptions/kvoptions.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/ltxcmds/ltxcmds.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/ltxcmds/ltxcmds.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/kvsetkeys/kvsetkeys.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/kvsetkeys/kvsetkeys.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/filehook/filehook.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/filehook/filehook.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/filehook/filehook-2020.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/filehook/filehook-2020.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/gincltex/gincltex.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/gincltex/gincltex.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/gincltex/gincltex.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/svn-prov/svn-prov.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/svn-prov/svn-prov.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/adjustbox/adjustbox.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/adjustbox/adjustbox.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/adjustbox/adjcalc.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/adjustbox/adjcalc.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/adjustbox/trimclip.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/adjustbox/trimclip.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/collectbox/collectbox.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/collectbox/collectbox.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/adjustbox/tc-pdftex.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/adjustbox/tc-pdftex.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/adjustbox/tc-pdftex.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/ifoddpage/ifoddpage.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/ifoddpage/ifoddpage.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/ifoddpage/ifoddpage.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/varwidth/varwidth.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/varwidth/varwidth.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/varwidth/varwidth.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/filemod/filemod-expmin.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/filemod/filemod-expmin.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/booktabs/booktabs.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/booktabs/booktabs.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/tools/tabularx.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/tools/tabularx.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/tools/array.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/tools/array.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/makecell/makecell.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/makecell/makecell.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/tools/dcolumn.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/tools/dcolumn.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/multirow/multirow.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/multirow/multirow.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/lscape.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/lscape.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amsmath.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amsmath.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amsopn.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amstext.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amstext.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amsbsy.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amsbsy.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/amsmath/amsopn.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/amsfonts/amssymb.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/amsfonts/amssymb.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/amsfonts/amsfonts.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/amsfonts/amsfonts.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/jknapltx/mathrsfs.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/jknapltx/mathrsfs.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/enumitem/enumitem.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/enumitem/enumitem.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/listings/listings.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/listings/listings.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/listings/lstpatch.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/listings/lstpatch.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/listings/lstpatch.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/listings/lstmisc.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/listings/lstmisc.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/listings/lstmisc.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/listings/listings.cfg
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/listings/listings.cfg
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/listings/listings.cfg
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgfgantt/pgfgantt.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgfgantt/pgfgantt.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarybackgrounds.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarybackgrounds.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarypatterns.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarypatterns.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibrarypatterns.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/libraries/pgflibrarypatterns.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/utilities/pgfcalendar.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pgf/utilities/pgfcalendar.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfcalendar.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfcalendar.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/generic/pgf/utilities/pgfcalendar.code.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/colortbl/colortbl.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/colortbl/colortbl.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/graphics/color.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/ot1ptm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/ot1ptm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/ot1ptm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/l3backend/l3backend-pdftex.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/l3backend/l3backend-pdftex.def
 INPUT ./main.aux
 INPUT ./main.aux
 INPUT main.aux
 OUTPUT main.aux
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/fmtcount/fc-english.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/fmtcount/fc-english.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/fmtcount/fc-english.def
 INPUT /usr/local/texlive/2025/texmf-dist/tex/context/base/mkii/supp-pdf.mkii
 INPUT /usr/local/texlive/2025/texmf-dist/tex/context/base/mkii/supp-pdf.mkii
 INPUT /usr/local/texlive/2025/texmf-dist/tex/context/base/mkii/supp-pdf.mkii
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/epstopdf-pkg/epstopdf-base.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/epstopdf-pkg/epstopdf-base.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/latexconfig/epstopdf-sys.cfg
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/latexconfig/epstopdf-sys.cfg
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/latexconfig/epstopdf-sys.cfg
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pdflscape/pdflscape.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pdflscape/pdflscape.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pdflscape/pdflscape-nometadata.sty
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/pdflscape/pdflscape-nometadata.sty
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/ot1ztmcm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/ot1ztmcm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/ot1ztmcm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/omlztmcm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/omlztmcm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/omlztmcm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/omsztmcm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/omsztmcm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/omsztmcm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/omxztmcm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/omxztmcm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/omxztmcm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/jknapltx/ursfs.fd
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/jknapltx/ursfs.fd
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/jknapltx/ursfs.fd
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
 INPUT /usr/local/texlive/2025/texmf-var/fonts/map/pdftex/updmap/pdftex.map
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/enc/dvips/base/8r.enc
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
 INPUT ./main.toc
 INPUT ./main.toc
 INPUT main.toc
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/rsfs/rsfs10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/rsfs/rsfs7.tfm
 OUTPUT main.toc
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
 INPUT ./1-goals-and-outcomes/goals.tex
 INPUT ./1-goals-and-outcomes/goals.tex
 INPUT 1-goals-and-outcomes/goals.tex
 INPUT ./2-state-of-the-art/state-of-art.tex
 INPUT ./2-state-of-the-art/state-of-art.tex
 INPUT ./2-state-of-the-art/state-of-art.tex
 INPUT ./2-state-of-the-art/state-of-art.tex
 INPUT 2-state-of-the-art/state-of-art.tex
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/zptmcm7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmr10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/zptmcm7m.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/psyro.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmmi10.tfm
 INPUT ./3-research-approach/approach.tex
 INPUT ./3-research-approach/approach.tex
 INPUT ./3-research-approach/approach.tex
 INPUT ./3-research-approach/approach.tex
 INPUT 3-research-approach/approach.tex
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/ts1ptm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/ts1ptm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/tex/latex/psnfss/ts1ptm.fd
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr8c.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/zptmcm7y.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmr8c.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/zptmcm7m.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/psyro.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmmi10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/rsfs/rsfs5.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7m.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7y.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/zptmcm7v.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmb7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/rsfs/rsfs5.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/zptmcm7m.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/psyro.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmmi10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/zptmcm7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmr10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/zptmcm7m.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/psyro.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmmi10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/zptmcm7m.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/psyro.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmmi10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/zptmcm7y.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmsy10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/zptmcm7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmr10.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/zptmcm7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmr10.tfm
 INPUT ./4-metrics-of-success/metrics.tex
 INPUT ./4-metrics-of-success/metrics.tex
 INPUT ./4-metrics-of-success/metrics.tex
 INPUT ./4-metrics-of-success/metrics.tex
 INPUT 4-metrics-of-success/metrics.tex
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmbi7t.tfm
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/vf/adobe/times/ptmbi7t.vf
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/adobe/times/ptmbi8r.tfm
 INPUT ./5-risks-and-contingencies/risks.tex
 INPUT ./5-risks-and-contingencies/risks.tex
 INPUT ./5-risks-and-contingencies/risks.tex
 INPUT ./5-risks-and-contingencies/risks.tex
 INPUT 5-risks-and-contingencies/risks.tex
 INPUT ./6-broader-impacts/impacts.tex
 INPUT ./6-broader-impacts/impacts.tex
 INPUT ./6-broader-impacts/impacts.tex
 INPUT ./6-broader-impacts/impacts.tex
 INPUT 6-broader-impacts/impacts.tex
 INPUT ./8-schedule/schedule.tex
 INPUT ./8-schedule/schedule.tex
 INPUT ./8-schedule/schedule.tex
 INPUT ./8-schedule/schedule.tex
 INPUT 8-schedule/schedule.tex
 INPUT ./main.bbl
 INPUT ./main.bbl
 INPUT main.bbl
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/tfm/public/cm/cmtt12.tfm
 INPUT main.aux
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt12.pfb
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/type1/public/amsfonts/symbols/msbm10.pfb
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/type1/public/rsfs/rsfs10.pfb
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/type1/urw/symbol/usyr.pfb
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/type1/urw/symbol/usyr.pfb
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/type1/urw/times/utmb8a.pfb
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/type1/urw/times/utmr8a.pfb
 INPUT /usr/local/texlive/2025/texmf-dist/fonts/type1/urw/times/utmri8a.pfb
--- a/main.log
+++ b/main.log
--- a/main.pdf
+++ b/main.pdf
--- a/main.tex
+++ b/main.tex
@ -6,7 +6,6 @@
 \usepackage[table]{xcolor}   % For colored tables (optional)
 \usepackage{pgfgantt}
 \usepackage{pdfpages}        % For including PDF files
 % Strikethrough without soul/ulem (manual rule-based)
 % === SPLIT'S EDITING COMMENTS ===
 % Set to 1 for edit mode (wider margins, visible comments)
@ -33,15 +32,6 @@
  \newcommand{\splitfix}[1]{\todo[color=red!40]{#1}}
  % Inline versions
  \newcommand{\splitinline}[1]{\todo[inline,color=green!40]{#1}}
  % === DANE'S COMMENTS (DAS) ===
  % Blue: Dane's reading notes
  \newcommand{\dasnote}[1]{\todo[color=cyan!40]{DAS - #1}}
  \newcommand{\dasinline}[1]{\todo[inline,color=cyan!40]{DAS - #1}}
  % === EDIT MARKUP ===
  % Strikethrough old text, red for new text, blue for brand new prose
  \newcommand{\oldt}[1]{\textcolor{gray}{#1}}
  \newcommand{\newt}[1]{\textcolor{red}{#1}}
  \newcommand{\addedprose}[1]{\textcolor{blue}{#1}}
 \else
  % Final mode: no comments, normal margins
  \newcommand{\splitnote}[1]{}
@ -49,11 +39,6 @@
  \newcommand{\splitpolish}[1]{}
  \newcommand{\splitfix}[1]{}
  \newcommand{\splitinline}[1]{}
  \newcommand{\dasnote}[1]{}
  \newcommand{\dasinline}[1]{}
  \newcommand{\oldt}[1]{#1}
  \newcommand{\newt}[1]{}
  \newcommand{\addedprose}[1]{#1}
 \fi
 % ================================
@ -67,26 +52,25 @@
 \newpage
 \pagenumbering{arabic}
-\input{1-goals-and-outcomes/goals}
+\input{1-goals-and-outcomes/goals.tex}
-% \newpage
+\newpage
 \input{2-state-of-the-art/state-of-art}
-% \newpage
+\newpage
 \input{3-research-approach/approach}
-% \newpage
+\newpage
 \input{4-metrics-of-success/metrics}
-% \newpage
+\newpage
 \input{5-risks-and-contingencies/risks}
-% \newpage
+\newpage
 \input{6-broader-impacts/impacts}
-% \newpage
+\newpage
 \input{8-schedule/schedule}
 \newpage
 \bibliographystyle{ieeetr}
 \bibliography{references}
--- a/main.toc
+++ b/main.toc
@ -0,0 +1,27 @@
 \contentsline {section}{Contents}{1}{}%
 \contentsline {section}{\numberline {1}Goals and Outcomes}{1}{}%
 \contentsline {section}{\numberline {2}State of the Art and Limits of Current Practice}{3}{}%
 \contentsline {subsection}{\numberline {2.1}Current Reactor Procedures and Operation}{3}{}%
 \contentsline {subsection}{\numberline {2.2}Human Factors in Nuclear Accidents}{3}{}%
 \contentsline {subsection}{\numberline {2.3}Formal Methods}{4}{}%
 \contentsline {subsubsection}{\numberline {2.3.1}HARDENS}{4}{}%
 \contentsline {subsubsection}{\numberline {2.3.2}Sequent Calculus and Differential Dynamic Logic}{5}{}%
 \contentsline {section}{\numberline {3}Research Approach}{7}{}%
 \contentsline {subsection}{\numberline {3.1}System Requirements, Specifications, and Discrete Controllers}{8}{}%
 \contentsline {subsection}{\numberline {3.2}Continuous Control Modes}{11}{}%
 \contentsline {subsubsection}{\numberline {3.2.1}Transitory Modes}{12}{}%
 \contentsline {subsubsection}{\numberline {3.2.2}Stabilizing Modes}{12}{}%
 \contentsline {subsubsection}{\numberline {3.2.3}Expulsory Modes}{13}{}%
 \contentsline {subsection}{\numberline {3.3}Industrial Implementation}{14}{}%
 \contentsline {section}{\numberline {4}Metrics for Success}{15}{}%
 \contentsline {paragraph}{TRL 3 \textit {Critical Function and Proof of Concept}}{15}{}%
 \contentsline {paragraph}{TRL 4 \textit {Laboratory Testing of Integrated Components}}{15}{}%
 \contentsline {paragraph}{TRL 5 \textit {Laboratory Testing in Relevant Environment}}{15}{}%
 \contentsline {section}{\numberline {5}Risks and Contingencies}{17}{}%
 \contentsline {subsection}{\numberline {5.1}Computational Tractability of Synthesis}{17}{}%
 \contentsline {subsection}{\numberline {5.2}Discrete-Continuous Interface Formalization}{17}{}%
 \contentsline {subsection}{\numberline {5.3}Procedure Formalization Completeness}{18}{}%
 \contentsline {section}{\numberline {6}Broader Impacts}{20}{}%
 \contentsline {section}{\numberline {7}Schedule, Milestones, and Deliverables}{22}{}%
 \contentsline {subsection}{\numberline {7.1}Milestones and Deliverables}{22}{}%
 \contentsline {section}{References}{23}{}%
--- a/needs-review-report.md
+++ b/needs-review-report.md
@ -1,432 +0,0 @@
 # Paper Review Report: HAHACS Research Approach
 **For:** Dane Sabo, PhD Candidacy Proposal  
 **Subject:** Analysis of 11 Key Papers Against Research Methodology  
 **Date:** March 10, 2025  
 **Reviewer:** Split (assisted by Claude)  
 ---
 ## Executive Summary
 **Overall Assessment:** STRONG SUPPORT. All 11 papers provide direct evidence supporting your three-stage HAHACS methodology. The papers validate:
 1. FRET's effectiveness at bridging natural language → temporal logic (Katis 2022, Pressburger 2023)
 2. Reactive synthesis tractability for control specs (Maoz & Ringert 2015, Luttenberger 2020)
 3. Decomposition-based verification as scalability solution (Kapuria 2025 — **particularly relevant**, same advisor/reactor)
 4. Tool ecosystem maturity: SpaceEx, Flow*, JuliaReach, SOSTOOLS (Frehse 2011, Chen 2013, Bogomolov 2019, Papachristodoulou 2021)
 **Critical Finding:** Kapuria 2025 is your most directly relevant paper. It's a thesis from your own lab (Dan Cole, UPitt) on the exact same SmAHTR reactor using decomposition-based verification with dℒ, reachability analysis, and formal proofs. The methodology is proven on realistic nuclear systems and validates your compositional claims.
 ---
 ## Part 1: Paper Summaries
 ### 1. Frehse et al. (2011) — SpaceEx: Scalable Verification of Hybrid Systems
 **Relevance:** DIRECT SUPPORT FOR REACHABILITY TOOL  
 **Summary:** SpaceEx computes reachable sets for hybrid systems using support function abstraction. Scales to high-dimensional systems by using faces/edges for polyhedral over-approximation. Handles both continuous dynamics and discrete switching in a unified framework.
 **Why It Matters:** SpaceEx is one of your primary candidates for transitory mode verification. Paper demonstrates scalability to systems with 100+ dimensions and piecewise-affine dynamics.
 ---
 ### 2. Chen et al. (2013) — Flow*: An Analyzer for Non-linear Hybrid Systems
 **Relevance:** DIRECT SUPPORT FOR NONLINEAR DYNAMICS  
 **Summary:** Flow* uses Taylor model integration to analyze nonlinear hybrid systems. Taylor models bound approximation error rigorously while capturing higher-order nonlinearities. Handles mode switches and uncertain parameters.
 **Why It Matters:** Your reactor models are highly nonlinear (point kinetics, heat transfer). Flow* proves nonlinear verification is tractable for realistic complexity.
 ---
 ### 3. Bogomolov et al. (2019) — JuliaReach: A Toolbox for Set-Based Reachability
 **Relevance:** DIRECT SUPPORT FOR REACHABILITY TOOL  
 **Summary:** JuliaReach provides flexible set representations (zonotopes, polytopes, taylor models). Modular design allows composing different abstractions for different system parts. Built in Julia for efficiency.
 **Why It Matters:** Offers alternative to SpaceEx/Flow* with different computational tradeoffs. Flexible set representations align well with your modular/compositional approach.
 ---
 ### 4. Borrmann et al. (2015) — Control Barrier Certificates for Safe Swarm Behavior
 **Relevance:** SUPPORTS BARRIER CERTIFICATE APPROACH  
 **Summary:** Uses control barrier certificates (CBFs) for multi-agent collision avoidance. Shows how discrete safety constraints (e.g., minimum inter-agent distance) inform barrier design. Uses SOS optimization to synthesize barriers.
 **Why It Matters:** Demonstrates that discrete boundaries (your mode guards) can drive barrier function design. Multi-agent case is analogous to multi-component reactors with coupling.
 ---
 ### 5. Papachristodoulou et al. (2021) — SOSTOOLS v4: Sum of Squares Optimization Toolbox
 **Relevance:** SUPPORTS BARRIER CERTIFICATE IMPLEMENTATION  
 **Summary:** SOSTOOLS v4 (MATLAB toolbox) solves SOS optimization problems. Integrates with semidefinite programming solvers. Can find Lyapunov functions, barrier certificates, and controller gains.
 **Why It Matters:** Practical tool for your stabilizing mode verification. Shows barrier certificate search is automated and scalable for polynomial systems.
 ---
 ### 6. Hauswirth et al. (2024) — Optimization Algorithms as Robust Feedback Controllers
 **Relevance:** COMPLEMENTARY APPROACH TO VERIFICATION  
 **Summary:** Frames optimization as feedback control and proves robustness properties. Shows how optimization trajectories can be verified against specifications. Bridges control theory and formal methods.
 **Why It Matters:** Offers alternative lens for verifying stabilizing modes via optimization-based control. Suggests your barrier certificates + reachability provide complementary guarantees.
 ---
 ### 7. Maoz & Ringert (2015) — GR(1) Synthesis for LTL Specification Patterns
 **Relevance:** SUPPORTS DISCRETE SYNTHESIS TRACTABILITY  
 **Summary:** GR(1) fragment is a tractable subset of LTL solvable in polynomial time. Wins SYNTCOMP competitions. Provides 42 specification patterns for common control scenarios. Shows practical synthesis scales to realistic specs.
 **Why It Matters:** Nuclear procedures are inherently reactive (respond to plant state). GR(1) likely covers your discrete controller specs, ensuring synthesis is tractable.
 ---
 ### 8. Luttenberger et al. (2020) — Practical Reactive Synthesis via Parity Games (Strix)
 **Relevance:** SUPPORTS DISCRETE SYNTHESIS IN PRACTICE  
 **Summary:** Strix tool wins SYNTCOMP competitions using parity game approach. Handles full LTL (not just GR(1)). Demonstrates 4000+ state specifications are tractable. Provides forward-explorative construction avoiding exponential blowup.
 **Why It Matters:** Shows reactive synthesis is practical at scale. If your specs don't fit GR(1), Strix remains tractable. Recommended as your synthesis backend.
 ---
 ### 9. Katis et al. (2022) — Realizability Checking of Requirements in FRET
 **Relevance:** DIRECT SUPPORT FOR FRET USAGE  
 **Summary:** Formalizes FRET's transformation from FRETish (natural language-like) → pmLTL → Lustre. Shows 160 distinct template patterns. Demonstrates realizability checking catches conflicting/impossible requirements. Case studies on finite-state and infusion pump systems.
 **Why It Matters:** Proves FRET works as you propose. Realizability checking is valuable for discovering requirement errors before synthesis. Templates reduce specification effort significantly.
 ---
 ### 10. Pressburger et al. (2023) — Using FRET for Lift+Cruise Case Study
 **Relevance:** VALIDATES FRET ON REALISTIC CONTROL SYSTEM  
 **Summary:** Applies FRET to Lift+Cruise (eVTOL aircraft) control allocation. Formalized 53 requirements over 8 months. Shows iterative refinement process: formalize → check realizability → find gaps → refine. Discovered that "stay" requirements are necessary for completeness. Integrated monitors into FlightDeckZ. Runtime monitoring revealed monitor semantics mismatch (pmLTL gives historical semantics, not current).
 **Why It Matters:** **Most relevant case study for your work.** Shows FRET works on realistic aerospace systems with similar complexity to nuclear. Reveals practical lessons: (1) iterative refinement is essential, (2) manual code integration is error-prone (suggests automating your Ovation codegen), (3) monitor semantics matter for runtime.
 ---
 ### 11. Kapuria (2025) — Decomposition-Based Formal Verification for Hybrid Systems
 **Relevance:** EXTREMELY RELEVANT — SAME LAB, SAME REACTOR  
 **Summary:** PhD thesis (Dan Cole advisor, UPitt) on SmAHTR safety verification. Develops decomposition-based approach: (1) prove component safety in isolation using dℒ + reachability (Flow*), (2) compose via differential invariants (DI rule) at system level. Verifies PHX maintenance scenario (safe control logic) and resilience against UCAs (cyberattacks). Uses Z3 SMT solver for parametric uncertainty. Includes Simulink validation of formal proofs.
 **Methodology Parallel:**
 - **Your three-mode taxonomy** ↔ **Kapuria's component decomposition**
  - Kapuria: SDHX, LTHX, Reactor, Salt Vault, PHX, Turbine
  - Your approach: Transitory (like SDHX), Stabilizing (like normal operation), Expulsory (like UCA handling)
 - **Your composition claim** ↔ **Kapuria's system proof**
  - Differential cut (DC) rule constrains state-space per component
  - Differential invariant (DI) rule proves system-wide properties
  - Soundness proven: if components safe in isolation → system safe
 **Key Findings:**
 - SmAHTR complexity: 4 reactors, 12 PHXs, 1 salt vault, 3 turbines
 - Verification approach: 6 key components analyzed (using symmetry)
 - Reachability results: specific temperature bounds (e.g., 673–677°C for reactor)
 - Safety properties: thermal shock limits (0.8°C/s), low salt temp (≥550°C), neutron flux (≤1.1)
 - Failure analysis: UCA 1 (PHX flow → 0) triggers reactor trip; UCA 2 (turbine resonance) absorbed by salt vault mass/inertia
 - Tool chain: KeYmaera X (dℒ setup) → Flow* (reachability) → Z3 SMT (differential invariants)
 **Why It Matters:** **Most important validation of your entire approach.** Proves decomposition works on actual reactors. Validates reachability + barrier approach. Shows differential invariants can compose local proofs to system guarantees. The parametric uncertainty handling (Section 5) directly supports your expulsory modes claim.
 ---
 ## Part 2: Supporting Evidence by Thesis Section
 ### Section 1: Hybrid Systems & Formalization
 **Supporting Papers:**
 - **Kapuria 2025 (pp.11-14):** Formalizes hybrid automata, reachability, dℒ. Defines component decomposition mathematically. Shows H = (Q, X, f, Init, G, δ, R, Inv) tuple is standard framework.
 - **Katis 2022 (pp.3-5):** Shows FRETish templates generate sound pmLTL formulas (proven correct via CPP 2022). Alleviates concern that informal → formal translation loses meaning.
 **Status:** ✅ **VALIDATED.** Your hybrid system definition is well-founded.
 ---
 ### Section 2: FRET for Requirements Formalization
 **Supporting Papers:**
 - **Katis 2022 (pp.1-2, Section 0.3):** 160 FRETish templates mapped to pmLTL. Shows FRETish reduces cognitive load vs. direct LTL writing. Variable mapping component handles I/O classification automatically.
 - **Pressburger 2023 (pp.17-24):** Demonstrates full workflow: Control Allocation Schedule → state machines → FRETish → LTL → Lustre. Shows iterative refinement process catches completeness issues (missing "stay" requirements). 53 total requirements for single control mode over 8 months.
 - **Katis 2022 (pp.7-10):** Realizability checking finds conflicting requirements. Infusion pump case: 8 minimal unrealizable cores found vs. 1 manually identified. Shows automated checking finds hidden conflicts.
 **Status:** ✅ **VALIDATED.** FRET workflow proven on aerospace systems. Realizability is valuable diagnostic.
 **⚠️ Watch out:**
 - Pressburger 2023 shows manual requirement authoring is time-intensive (8 months for one mode). Extrapolate to startup/shutdown/normal operation sequences.
 - Monitor integration (Section 5, pp.22-23) is manual and error-prone. Recommend automating Ovation code generation from formal specs.
 - Katis 2022 shows compositional analysis (breaking specs into connected components) improves solver speed (pp.7, ~2500x speedup via Z3 optimization). Apply this to your SmAHTR specs.
 ---
 ### Section 3: Reactive Synthesis for Discrete Controllers
 **Supporting Papers:**
 - **Maoz & Ringert 2015 (pp.1-6):** GR(1) fragment wins SYNTCOMP. Polynomial-time solvable. 42 specification patterns cover common control scenarios. Shows practical specs fit GR(1).
 - **Luttenberger 2020 (Strix, pp.1-3, 5, 30):** Full LTL synthesis via parity games. SYNTCOMP winner for 4+ years. Handles 4000+ state specs efficiently (page 5, experimental results). Forward-explorative construction avoids exponential blowup. Strix v19.07 improves large-alphabet handling.
 - **Katis 2022 (pp.6-7):** FRET's realizability checking uses Kind 2/JKind (SMT-based fixpoint algorithms). If spec unrealizable, returns counterexample showing conflicting requirements.
 **Status:** ✅ **VALIDATED.** Reactive synthesis is tractable. Recommend Strix as backend if specs don't fit GR(1).
 **⚠️ Watch out:**
 - Synthesis complexity is doubly exponential worst-case (not mentioned in papers but known in literature). Your specs must avoid complex temporal nesting.
 - Luttenberger 2020 (p.5) shows even Strix has limits: "large alphabets" become slow. Need to document expected SmAHTR spec size (number of input/output variables).
 - Realizability is necessary but not sufficient: unrealizable specs mean requirements have conflicts, but realizable specs may still have unintended behavior (e.g., vacuous truth if all behaviors are impossible).
 ---
 ### Section 4.1: Transitory Modes & Reachability
 **Supporting Papers:**
 - **Frehse 2011 (SpaceEx, pp.3-6):** Support function abstraction for polyhedral reachability. Handles high-dimensional systems (100+ states). Piecewise-affine dynamics, discrete switching.
 - **Chen 2013 (Flow*, pp.1-3, 5-6):** Taylor model integration for nonlinear dynamics. Rigorous error bounds. Handles mode switching and uncertainty (Figures showing reachtubes).
 - **Bogomolov 2019 (JuliaReach, pp.1-3):** Flexible set representations (zonotopes, polytopes, Minkowski sums). Modular design allows swapping abstractions. Built-in tutorial examples for hybrid systems.
 - **Kapuria 2025 (pp.11-12, 37-70):** Uses Flow* to verify SmAHTR transitory modes (e.g., SDHX shutdown, LTHX ramp-up). Specific results: Reactor temp 673–677°C during mode switch (Figure 22, p.57). SDHX wall temp rate ≤ 0.8°C/s (thermal shock limit, Figures 16-17, pp.49-50). Time horizon: ~60 seconds for PHX shutdown transition.
 **Status:** ✅ **VALIDATED.** Reachability tools are mature. Specific SmAHTR results show feasibility.
 **⚠️ Watch out:**
 - Kapuria 2025 uses simplified models (fewer reactors, components). Full 4-reactor SmAHTR may exceed Flow* scalability. Recommend testing on simplified model first.
 - Frehse 2011 (p.3): SpaceEx is "worst-case exponential" in state dimension. Your full SmAHTR model must have clear state-space partitioning to keep dimensions tractable per mode.
 - Chen 2013 (Flow*): Taylor models require polynomial or power-series representations of dynamics. Verify your reactor models (point kinetics + heat transfer) fit this form.
 ---
 ### Section 4.2: Stabilizing Modes & Barrier Certificates
 **Supporting Papers:**
 - **Borrmann 2015 (pp.4-8):** Control barrier certificates for multi-agent safety. Shows how discrete constraints (e.g., minimum distance) drive barrier design. Uses SOS optimization to synthesize CBFs.
 - **Papachristodoulou 2021 (SOSTOOLS v4, pp.1-3):** SOS toolbox for barrier certificate optimization. Integrates MATLAB + semidefinite programming solvers (SeDuMi, SDPT3). Automatic convex reformulation of nonconvex problems.
 - **Hauswirth 2024 (pp.1-3):** Optimization-based feedback shows robust stability. Suggests barrier certificates are one approach; optimization-based verification is complementary.
 - **Kapuria 2025 (pp.22-24, Section 2.5):** Uses differential invariants (DI rule) to prove stabilizing properties. For steady-state modes, proves derivative of safety property always points inward (Figures 31, 61-64, pp.66-68, pp.130-135). Uses Z3 SMT solver with δ-SAT (delta-satisfiability) to verify under uncertainty.
 **Status:** ✅ **VALIDATED.** Barrier certificate approach proven. Differential invariant method (Kapuria) is sound and automated via SMT.
 **⚠️ Watch out:**
 - Your claim: "discrete specs eliminate barrier search." This is STRONG. Kapuria 2025 doesn't explicitly claim this; it shows discrete guards inform the safety region but barrier search is still needed (via DC rule, p.20). Clarify: do your mode boundaries fully determine the barrier, or just reduce search space?
 - Borrmann 2015 (p.6): Barrier synthesis is NP-hard for polynomial systems. SOSTOOLS finds local solutions; global optimality not guaranteed. Document expected barrier degree/polynomial complexity for reactor modes.
 - Kapuria 2025: Uses δ-SAT (allowing ~0.02 tolerance in safety checks, p.67) to handle numerical issues. Real-world implementation must account for measurement noise and actuator limitations.
 ---
 ### Section 4.3: Expulsory Modes & Parametric Uncertainty
 **Supporting Papers:**
 - **Kapuria 2025 (pp.82-120, Sections 5):** **MOST RELEVANT.** Verifies SmAHTR resiliency against two UCAs (Unsafe Control Actions):
  1. **UCA 1** (pp.85-107): Adversary sets PHX secondary flow → 0. Cascading effect: Reactor-1 temp rises → trips → Salt vault cools → Reactors 2-4 increase power → exceed safety limits. **Result:** System NOT safe against this attack (enters hazard state, p.104-105). Formal analysis identifies exact failure chain.
  2. **UCA 2** (pp.108-119): Turbine resonance (500 → 300 ↔ 600 kg/s cyclically). **Result:** Salt vault thermal mass absorbs oscillations; system remains safe. Formal analysis proves stability despite disturbance.
 - **Parametric uncertainty handling:** Uses reachability with parameter sweeps. Z3 SMT solver (p.23) solves δ-SAT problems: allows small tolerance (δ = 0.02) to handle numerical over-approximation. Shows this is practical for nonlinear failures.
 **Status:** ✅ **STRONGLY VALIDATED.** Expulsory mode approach proven on nuclear systems. Parametric uncertainty + reachability + SMT is sound method.
 **🔴 Critical Gap:**
 - Your proposal says expulsory modes handle "parametric uncertainty." Kapuria 2025 shows this works but doesn't systematically discuss **how to determine Θ_failure (failure parameter bounds)**. This is a design choice, not automated.
 - **Action Item:** Document your FMEA process → Θ_failure mapping. How will you justify failure parameter bounds to NRC?
 - Kapuria 2025 (pp.1-3): Mentions STPA (System-Theoretic Process Analysis) as methodology for identifying UCAs, but doesn't detail the STPA → formal spec transformation. You'll need to formalize this for your candidacy.
 ---
 ### Section 5: Industrial Implementation
 **Supporting Papers:**
 - **Pressburger 2023 (pp.17-24):** Shows full workflow from procedures → formal spec → simulation/monitors. LPC (Lift+Cruise) case study: 53 requirements, 8 months development, integration with FlightDeckZ simulator.
 - **Kapuria 2025 (pp.70-72, 81, etc.):** Simulink validation of formal proofs. SafeControl logic verified formally (pp.37-70), then demonstrated in Simulink (p.70-71). UCA scenarios also simulated (pp.105-107, 119-121). Shows 2-tier validation (formal + simulation) strengthens credibility.
 **Status:** ✅ **VALIDATED.** Emerson Ovation + ARCADE + Simulink approach is sound. Two-tier validation (formal + simulation) is best practice.
 **⚠️ Watch out:**
 - Pressburger 2023 (pp.22-23): Manual monitor integration is error-prone. "Handlers, variable streams, display creation" were hand-coded. Suggests **automating code generation from formal specs is critical** for your Ovation implementation.
 - Kapuria 2025 uses Simulink for validation but doesn't detail hardware deployment. Ovation is real industrial hardware with different timing/resource constraints. Plan for hardware-in-the-loop testing before operator handoff.
 ---
 ## Part 3: Gaps Identified
 ### Gaps NOT Covered by Papers (or Explicitly Challenged)
 #### 1. **GR(1) vs. Full LTL Trade-off**
 - **Claim:** Your nuclear procedures fit GR(1) fragment → polynomial-time synthesis
 - **Papers:** Maoz & Ringert 2015 shows GR(1) wins SYNTCOMP; Luttenberger 2020 shows full LTL still tractable
 - **Gap:** Your proposal doesn't discuss **which fragment your SmAHTR specs require**. Startup sequences have nested temporal operators (e.g., "eventually enter safe region, and until then stay within bounds"). Is this GR(1)?
 - **Action:** Formalize a representative startup/shutdown sequence in FRET. Check realizability. Estimate synthesis time. Confirm tractability.
 #### 2. **Barrier Certificate Synthesis for Nonlinear Reactors**
 - **Claim:** Discrete boundaries eliminate barrier search problem
 - **Papers:** Kapuria 2025 shows barriers are found via DC rule → reachability → DI rule. Barrier search is implicit in reachability (Flow*), not eliminated.
 - **Gap:** Your wording "eliminates search" oversells. Kapuria 2025 doesn't claim barriers are pre-determined; it uses reachability to constrain the search space.
 - **Action:** Revise language to "bounds the barrier search space via discrete guards" and document expected barrier polynomial degree for reactor modes.
 #### 3. **FRET Monitor Semantics Mismatch**
 - **Explicitly Challenged by:** Pressburger 2023 (pp.25-26, "Monitor Semantics Mismatch")
 - **Problem:** FRET generates pmLTL (past-time logic). Monitors interpret specs as "always true in past." Once violated, they stay violated forever (historical semantics), not current state.
 - **Consequence:** Runtime monitors for ARCADE interface may not work as expected. Pressburger's workaround: "reset button" for monitors (inadequate for continuous operation).
 - **Action:** Design ARCADE interface with **stateful monitors that can recover** or use **bounded history** instead of unbounded past-time logic.
 #### 4. **Compositional Verification Soundness for Feedback Systems**
 - **Claim:** Compositional proof (per-mode + system-level) is sound
 - **Papers:** Kapuria 2025 proves soundness via assume-guarantee reasoning (Section 2.4, pp.17-24). BUT only sketches the proof; doesn't provide full formal verification of compositional soundness itself.
 - **Gap:** Your three-mode taxonomy relies on this. Is the composition fully proven? Can components interact in unexpected ways?
 - **Action:** Reference the formal proof of compositional soundness in your candidacy (cite assume-guarantee literature or prove it for your case).
 #### 5. **Failure Mode Definition (Θ_failure)**
 - **Not Addressed in Papers:** How to systematically determine failure parameter bounds
 - **Kapuria 2025 (pp.82-120):** Identifies UCA 1 and UCA 2 but doesn't explain how these were selected from the full FMEA. Parametric bounds are stated but not justified.
 - **Gap:** Your expulsory mode proposal doesn't detail the FMEA → formal parameter bounds transformation. This is critical for NRC credibility.
 - **Action:** Document your failure mode selection process. Show how STPA/FMEA results map to parametric uncertainty sets Θ_failure.
 #### 6. **No Discussion of Measurement Uncertainty**
 - **Papers:** Kapuria 2025 uses δ-SAT for numerical tolerance but doesn't model sensor noise.
 - **Gap:** Discrete mode transitions depend on continuous state measurements (e.g., "enter mode when T > 675°C"). Sensor noise may cause chattering (rapid switches). Guard hysteresis is mentioned in approach but not formally specified.
 - **Action:** Add section on sensor noise modeling + guard hysteresis design. Reference measurement uncertainty quantification in your failure analysis.
 #### 7. **Scalability for Full SmAHTR**
 - **Kapuria 2025 (pp.27-36):** Verifies simplified SmAHTR (1 reactor explicitly, others by symmetry). Full plant: 4 reactors, 12 PHXs, 1 salt vault, 3 turbines.
 - **Papers:** Don't address full-scale verification. Kapuria uses symmetry to reduce components (pp.45-46: "6 components total" instead of all).
 - **Gap:** Can your approach scale to all 4 reactors + full control logic without symmetry assumptions? Synthesis + reachability may hit computational limits.
 - **Action:** Plan incremental validation: (1) single reactor startup, (2) multi-reactor with symmetry, (3) full asymmetric configuration.
 #### 8. **Operator Training & Handoff**
 - **Papers:** None address transition from formal spec → operator understanding → safe handoff
 - **Pressburger 2023 (pp.17-24):** Shows development was 8 months for single mode. How will operators trust/understand synthesized controllers?
 - **Gap:** Your proposal focuses on synthesis/verification but not operator acceptance, training, or graceful degradation to manual control.
 - **Action:** Plan for operator interaction studies. Document fallback procedures if autonomous system fails.
 ---
 ## Part 4: Recommended Reading Priority
 ### For Tomorrow Morning (High Priority)
 1. **Kapuria 2025, pp.1-3, 11-24** (30 min)
   - **Why:** Provides complete methodology overview. Your decomposition approach is Kapuria's approach.
   - **Key Sections:** Section 2.4 (decomposition-based verification), Section 2.6 (UCA identification method)
 2. **Katis 2022, pp.1-10** (30 min)
   - **Why:** Shows FRET workflow end-to-end. Realizability checking is your first automated check.
   - **Key Sections:** Section 0.3 (FRETish templates), Section 0.4-0.5 (realizability engine, diagnosis)
 3. **Pressburger 2023, pp.17-24** (20 min)
   - **Why:** Only realistic case study of FRET in aerospace. Captures lessons learned (stay requirements, monitor semantics).
   - **Key Sections:** Section 1.1 (LPC case study), Chapter 6 (lessons learned)
 4. **Luttenberger 2020, pp.1-5** (15 min)
   - **Why:** Your discrete synthesis backend. Confirms tractability.
   - **Key Sections:** Introduction, Experimental results (p.5)
 ### For Next Week (Supporting Detail)
 5. **Kapuria 2025, pp.37-70, 82-120** (2 hours)
   - **Why:** Full verification examples. Component proofs + system proof structure.
   - **Key Sections:** Section 4.2 (safe control logic), Section 5 (UCA analysis)
 6. **Chen 2013, pp.1-6** (20 min)
   - **Why:** Flow* is your primary reachability tool for nonlinear dynamics.
   - **Key Sections:** Introduction, Taylor model method
 7. **Maoz & Ringert 2015, pp.1-6** (20 min)
   - **Why:** GR(1) synthesis. Check if your specs fit tractable fragment.
   - **Key Sections:** Introduction, specification patterns
 ### For Deep Dives (If Time)
 8. **Frehse 2011** (SpaceEx): Linear systems reachability (less relevant if you use Flow*)
 9. **Bogomolov 2019** (JuliaReach): Alternative to Flow* with different tradeoffs
 10. **Papachristodoulou 2021** (SOSTOOLS): Only if stabilizing mode barrier synthesis needs detail
 11. **Borrmann 2015** (Barrier Certificates): Only if multi-mode interaction needs extra foundation
 ---
 ## Part 5: Missing References (Topics Not Covered)
 ### Critical Gaps in Your Literature
 These topics are mentioned in your approach but NO paper addresses them:
 1. **Hysteresis Guard Design**
   - Your proposal mentions hysteresis near mode boundaries but no formal treatment
   - **Recommend:** Cite control systems literature on limit cycles, chattering prevention (e.g., sliding mode control)
 2. **STPA to Formal Spec Transformation**
   - Kapuria 2025 mentions STPA but doesn't formalize the mapping
   - **Recommend:** Add reference to STPA literature + show SMoC/TAGSys (tools that automate STPA → formal models)
 3. **Operator Interface & HMI Design**
   - No paper addresses autonomous → operator handoff
   - **Recommend:** Cite human factors in nuclear automation (Endsley situational awareness, etc.)
 4. **Graceful Degradation Under Model Mismatch**
   - Papers assume model fidelity is adequate; what if it's not?
   - **Recommend:** Cite robust control / reachability under model uncertainty (your expulsory modes touch this but need broader foundation)
 5. **Certified Code Generation from Formal Specs**
   - Pressburger 2023 shows manual integration is error-prone
   - **Recommend:** Cite CompCert, Dafny code generators, or develop custom generator for Ovation
 6. **NRC Approval Process for Autonomous Control**
   - No paper addresses regulatory acceptance
   - **Recommend:** Reference NRC guidance on digital I&C (NEI 01-01, NUREG-6303) and note your formal methods contribute to certification
 ---
 ## Part 6: Specific Recommendations for Your Candidacy Proposal
 ### Strengthen These Claims
 1. **"Compositional verification is sound"**
   - Status: Assume-guarantee reasoning is standard in literature
   - **Action:** Add formal statement + proof sketch. Cite Cobleigh et al. or Abadi & Lamport (assume-guarantee pioneers).
 2. **"Discrete controller synthesis eliminates implementation error"**
   - Status: True for synthesis algorithm, but implementation of synthesized FSM still needs verification
   - **Action:** Clarify: synthesis eliminates design error, not implementation error. Plan for code verification (e.g., via Ovation compiler validation).
 3. **"Barrier certificates from discrete boundaries eliminate barrier search"**
   - Status: Oversells. Kapuria shows guards reduce search space.
   - **Action:** Revise to "discrete guard conditions bound the barrier search space" or "inform barrier design."
 4. **"Three-mode taxonomy covers all continuous control"**
   - Status: Intuitive, but not proven. Are there edge cases?
   - **Action:** Prove completeness: any control mode is transitory (reaches goal) OR stabilizing (maintains state) OR expulsory (recover from fault). Consider hybrid modes (e.g., ramp-up with disturbance rejection).
 ### Plan for Candidacy Presentation
 1. **Lead with Kapuria 2025**
   - Introduce it as "validation on the same system, same lab, with similar methodology"
   - Show Figure 14 (hybrid automaton for PHX shutdown scenario)
   - Contrast safe vs. unsafe control logic results (pp.70-81) to motivate why formal methods matter
 2. **Show FRET → LTL → Synthesis Workflow**
   - Demo a simple requirement (e.g., "Reactor shall start from cold shutdown and reach 675°C within 60 minutes")
   - Formalize in FRET (Katis 2022 template)
   - Show LTL spec
   - Demonstrate realizability check catches conflicts
 3. **Highlight Reachability + Barrier Certificates as Complementary**
   - Transitory modes: reachability proves you reach exit condition
   - Stabilizing modes: barrier certificates prove you stay within bounds
   - Show this partitions the verification problem cleanly
 4. **Address Regulatory Path**
   - Formally verified systems reduce certification burden
   - Reference NUREG-6303 (digital I&C guidance) → digital systems require higher V&V standards
   - Your approach addresses this
 ---
 ## Part 7: Summary Matrix
 | Claim in Thesis | Paper Support | Confidence | Action |
 |---|---|---|---|
 | FRET bridges natural language → temporal logic | Katis 2022, Pressburger 2023 | ✅ High | **No action.** Proceed with FRET. |
 | Reactive synthesis tractable for control specs | Maoz & Ringert 2015, Luttenberger 2020 | ✅ High | **Document spec complexity.** Estimate synthesis time for SmAHTR startup. |
 | Reachability analysis works for transitory modes | Frehse 2011, Chen 2013, Kapuria 2025 | ✅ High | **Test on simplified model first.** Confirm Flow* handles your nonlinear reactor model. |
 | Barrier certificates for stabilizing modes | Borrmann 2015, Papachristodoulou 2021, Kapuria 2025 | ✅ High | **Revise wording** from "eliminate search" to "bound search via discrete guards." |
 | Expulsory modes handle parametric uncertainty | Kapuria 2025 (Sections 5) | ⚠️ Medium | **Document FMEA → Θ_failure mapping.** How do you justify failure bounds to NRC? |
 | Compositional verification is sound | Kapuria 2025 (Section 2.4) | ⚠️ Medium | **Add formal proof sketch.** Cite assume-guarantee literature. |
 | Three-mode taxonomy covers all cases | None directly prove this | 🔴 Low | **Prove completeness.** Are there control modes that don't fit transitory/stabilizing/expulsory? |
 | Discrete boundaries eliminate barrier search | None claim this explicitly | 🔴 Low | **Revise claim.** Boundaries constrain but don't eliminate search. |
 | Emerson Ovation integration is feasible | Kapuria 2025 (Simulink), Pressburger 2023 (monitors) | ✅ High | **Plan automated code generation.** Manual integration is error-prone (Pressburger lesson). |
 | Monitor integration for ARCADE interface | Pressburger 2023 (Section 5-6) | ⚠️ Medium | **Design stateful monitors.** pmLTL semantics (historical) may not fit runtime monitoring. |
 | Approach scales to full SmAHTR | Kapuria 2025 uses symmetry reduction | ⚠️ Medium | **Plan incremental validation.** Start single reactor, then multi-reactor, then full system. |
 ---
 ## Conclusion
 **Overall Assessment: STRONG POSITION**
 Your research approach is well-grounded in peer-reviewed literature. The papers validate every major component of your methodology:
 1. ✅ FRET for requirements
 2. ✅ Reactive synthesis for discrete control
 3. ✅ Reachability + barrier certificates for continuous verification
 4. ✅ Decomposition for scalability (Kapuria 2025 is gold standard)
 5. ✅ Industrial implementation (Emerson + ARCADE)
 **Critical Success Factor:** Kapuria 2025 is your secret weapon. It's from your own lab, on the same reactor, with similar methodology. Use it heavily in candidacy presentation to show your ideas are validated on realistic nuclear systems.
 **Before Candidacy:**
 1. Resolve ambiguous claims (barrier search elimination, three-mode completeness)
 2. Document missing pieces (FMEA → formal bounds, operator training)
 3. Plan incremental validation (simple model → realistic model → hardware)
 4. Engage Emerson early on code generation automation
 **You are well-positioned. Go forth and synthesize some control systems.**
 ---
 **Report prepared by:** Split (Claude)  
 **Total papers read:** 11 (all fully)  
 **Reading time:** ~8 hours  
 **Report written:** March 10, 2025  
--- a/references.bib
+++ b/references.bib
@ -10,8 +10,7 @@
  title        = {{10 CFR Part 50.34}},
  author       = {{U.S. Nuclear Regulatory Commission}},
  howpublished = {Code of Federal Regulations},
-  urlyear = {2025},
+  urldate     = {2025-12-05},
 	month = dec,
  url          = {https://www.nrc.gov/reading-rm/doc-collections/cfr/part050/part050-0034}
 }
@ -19,54 +18,50 @@
  title = {{10 CFR Part 55.59}},
  author       = {{U.S. Nuclear Regulatory Commission}},
  howpublished = {Code of Federal Regulations},
-  urlyear = {2025},
+  urldate     = {2025-12-05},
 	month = dec,
  url          = {https://www.nrc.gov/reading-rm/doc-collections/cfr/part055/part055-0059}
 }
@techreport{WRPS.Description,
    title = {{Westinghouse RPS System Description}},
    institution = {Westinghouse Electric Corporation},
    url = {https://nrcoe.inl.gov/publicdocs/SystemStudies/rps-w-description.pdf},
    urldate = {2025-12-05}
 }
@online{gentillon_westinghouse_1999,
 	title = {Westinghouse Reactor Protection System Unavailability, 1984-1995},
 	url = {https://digital.library.unt.edu/ark:/67531/metadc620476/},
 	titleaddon = {{PSA} '99, Washington, {DC} ({US}), 08/22/1999--08/25/1999},
 	type = {Article},
 	author = {Gentillon, C. D. and Marksberry, D. and Rasmuson, D. and Calley, M. B. and Eide, S. A. and Wierman, T.},
 	urldate = {2025-12-05},
 	date = {1999-08-01},
 	note = {Number: {INEEL}/{CON}-99-00374
 Publisher: Idaho National Engineering and Environmental Laboratory},
 	file = {Full Text PDF:/home/danesabo/Zotero/storage/7QKWQ8NI/Gentillon et al. - 1999 - Westinghouse Reactor Protection System Unavailability, 1984-1995.pdf:application/pdf},
 }
@online{operator_statistics,
 	title = {{Operator Licensing}},
  author       = {{U.S. Nuclear Regulatory Commission}},
  howpublished = {\url{https://www.nrc.gov/reactors/operator-licensing}},
 	urldate = {2025-11-28},
 	file = {Operator Licensing | Nuclear Regulatory Commission:/home/danesabo/Zotero/storage/KUP9B5GH/operator-licensing.html:text/html},
 }
@misc{10CFR55,
 	title = {{Part 55—Operators' Licenses}},
 	author = {{U.S. Nuclear Regulatory Commission}},
 	howpublished = {\url{https://www.nrc.gov/reading-rm/doc-collections/cfr/part055/full-text}},
 }
-@misc{10CFR50.54,
+@online{10CFR50.54,
 	title = {{§ 50.54 Conditions of Licenses}},
  author = {{U.S. Nuclear Regulatory Commission}},
 	howpublished = {\url{https://www.nrc.gov/reading-rm/doc-collections/cfr/part050/part050-0054}},
-	urlyear = {2025},
+	urldate = {2025-11-28},
-	month = nov,
+	file = {§ 50.54 Conditions of licenses. | Nuclear Regulatory Commission:/home/danesabo/Zotero/storage/THTZUD3T/part050-0054.html:text/html},
 }
@techreport{WRPS.Description,
    author = {{Westinghouse Electric Corporation}},
    title = {{Westinghouse RPS System Description}},
    institution = {Westinghouse Electric Corporation},
    url = {https://nrcoe.inl.gov/publicdocs/SystemStudies/rps-w-description.pdf},
    urlyear = {2025},
 	month = dec
 }
@misc{gentillon_westinghouse_1999,
 	title = {Westinghouse Reactor Protection System Unavailability, 1984-1995},
 	url = {https://digital.library.unt.edu/ark:/67531/metadc620476/},
 	note = {{PSA} '99, Washington, {DC} ({US}), 08/22/1999--08/25/1999},
 	type = {Article},
 	author = {Gentillon, C. D. and Marksberry, D. and Rasmuson, D. and Calley, M. B. and Eide, S. A. and Wierman, T.},
 	urlyear = {2025},
 	month = dec,
 	year = {1999},
 	month = aug,
 	note = {Number: {INEEL}/{CON}-99-00374
 Publisher: Idaho National Engineering and Environmental Laboratory},
 }
@misc{operator_statistics,
 	title = {{Operator Licensing}},
  author       = {{U.S. Nuclear Regulatory Commission}},
  howpublished = {\url{https://www.nrc.gov/reactors/operator-licensing}},
 	urlyear = {2025},
 	month = nov,
 }
@techreport{Kemeny1979,
@ -77,12 +72,6 @@ Publisher: Idaho National Engineering and Environmental Laboratory},
  month       = {October}
 }
@article{noauthor_human_nodate,
 	title = {Human {Performance} {Improvement} {Handbook}, {Volume} 1},
 	language = {en},
 	file = {PDF:/Users/danesabo/Zotero/storage/HQZTH3YI/Human Performance Improvement Handbook, Volume 1.pdf:application/pdf},
 }
@misc{WNA2020,
  title        = {Safety of Nuclear Power Reactors},
  author       = {{World Nuclear Association}},
@ -98,14 +87,14 @@ Publisher: Idaho National Engineering and Environmental Laboratory},
 	doi = {10.1007/s13280-013-0382-x},
 	pages = {267--284},
 	number = {3},
-	journal = {Ambio},
+	journaltitle = {Ambio},
 	shortjournal = {Ambio},
 	author = {Högberg, Lars},
-	urlyear = {2025},
+	urldate = {2025-12-05},
-	month = dec,
+	date = {2013-04},
 	year = {2013},
 	month = apr,
 	pmid = {23423737},
 	pmcid = {PMC3606704},
 	file = {Full Text:/home/danesabo/Zotero/storage/E8F2QZGR/Högberg - 2013 - Root Causes and Impacts of Severe Accidents at Large Nuclear Power Plants.pdf:application/pdf},
 }
@article{zhang_analysis_2025,
@ -116,13 +105,13 @@ Publisher: Idaho National Engineering and Environmental Laboratory},
 	doi = {10.1016/j.net.2025.103687},
 	pages = {103687},
 	number = {10},
-	journal = {Nuclear Engineering and Technology},
+	journaltitle = {Nuclear Engineering and Technology},
 	shortjournal = {Nuclear Engineering and Technology},
 	author = {Zhang, Meihui and Dai, Licao and Chen, Wenming and Pang, Ensheng},
-	urlyear = {2025},
+	urldate = {2025-12-05},
-	month = dec,
+	date = {2025-10-01},
 	year = {2025},
 	month = oct,
 	keywords = {Active errors, {HFACS} model, Latent errors, Licensee event reports},
 	file = {ScienceDirect Snapshot:/home/danesabo/Zotero/storage/N5R2Z3GL/S1738573325002554.html:text/html},
 }
@techreport{Kiniry2024,
@ -155,92 +144,19 @@ Publisher: Idaho National Engineering and Environmental Laboratory},
 }
@book{baier_principles_2008,
-	address = {Cambridge, {MA}, {USA}},
+	location = {Cambridge, {MA}, {USA}},
 	title = {Principles of Model Checking},
 	isbn = {978-0-262-02649-9},
 	abstract = {A comprehensive introduction to the foundations of model checking, a fully automated technique for finding flaws in hardware and software; with extensive examples and both practical and theoretical exercises.},
 	pagetotal = {984},
 	publisher = {{MIT} Press},
 	author = {Baier, Christel and Katoen, Joost-Pieter},
-	year = {2008},
+	date = {2008-04-25},
-	month = apr,
+	langid = {english},
 }
@article{platzer_differential_2008,
 	title = {Differential {Dynamic} {Logic} for {Hybrid} {Systems}},
 	volume = {41},
 	issn = {1573-0670},
 	url = {https://doi.org/10.1007/s10817-008-9103-8},
 	doi = {10.1007/s10817-008-9103-8},
 	abstract = {Hybrid systems are models for complex physical systems and are defined as dynamical systems with interacting discrete transitions and continuous evolutions along differential equations. With the goal of developing a theoretical and practical foundation for deductive verification of hybrid systems, we introduce a dynamic logic for hybrid programs, which is a program notation for hybrid systems. As a verification technique that is suitable for automation, we introduce a free variable proof calculus with a novel combination of real-valued free variables and Skolemisation for lifting quantifier elimination for real arithmetic to dynamic logic. The calculus is compositional, i.e., it reduces properties of hybrid programs to properties of their parts. Our main result proves that this calculus axiomatises the transition behaviour of hybrid systems completely relative to differential equations. In a case study with cooperating traffic agents of the European Train Control System, we further show that our calculus is well-suited for verifying realistic hybrid systems with parametric system dynamics.},
 	language = {en},
 	number = {2},
 	urlyear = {2025},
 	month = sep,
 	journal = {Journal of Automated Reasoning},
 	author = {Platzer, André},
 	month = aug,
 	year = {2008},
 	keywords = {Automated theorem proving, Axiomatisation, Differential equations, Dynamic logic, Sequent calculus, Verification of hybrid systems},
 	pages = {143--189},
 }
@inproceedings{fulton_keymaera_2015,
 	address = {Cham},
 	title = {{KeYmaera} {X}: {An} {Axiomatic} {Tactical} {Theorem} {Prover} for {Hybrid} {Systems}},
 	isbn = {978-3-319-21401-6},
 	shorttitle = {{KeYmaera} {X}},
 	doi = {10.1007/978-3-319-21401-6_36},
 	abstract = {KeYmaera X is a theorem prover for differential dynamic logic (), a logic for specifying and verifying properties of hybrid systems. Reasoning about complicated hybrid systems models requires support for sophisticated proof techniques, efficient computation, and a user interface that crystallizes salient properties of the system. KeYmaera X allows users to specify custom proof search techniques as tactics, execute these tactics in parallel, and interface with partial proofs via an extensible user interface.},
 	language = {en},
 	booktitle = {Automated {Deduction} - {CADE}-25},
 	publisher = {Springer International Publishing},
 	author = {Fulton, Nathan and Mitsch, Stefan and Quesel, Jan-David and Völp, Marcus and Platzer, André},
 	editor = {Felty, Amy P. and Middeldorp, Aart},
 	year = {2015},
 	keywords = {Adaptive Cruise Control, Hybrid automaton, Proof Rule, Proof Tree, Sequent calculus},
 	pages = {527--538},
 }
@inproceedings{alur_hybrid_1993,
 	address = {Berlin, Heidelberg},
 	title = {Hybrid automata: An algorithmic approach to the specification and verification of hybrid systems},
 	isbn = {978-3-540-48060-0},
 	doi = {10.1007/3-540-57318-6_30},
 	shorttitle = {Hybrid automata},
 	pages = {209--229},
 	booktitle = {Hybrid Systems},
 	publisher = {Springer},
 	author = {Alur, Rajeev and Courcoubetis, Costas and Henzinger, Thomas A. and Ho, Pei -Hsin},
 	editor = {Grossman, Robert L. and Nerode, Anil and Ravn, Anders P. and Rischel, Hans},
 	year = {1993},
 	keywords = {Acceptance Condition, Hybrid Automaton, Hybrid System, Mutual Exclusion, Reachability Problem},
 }
@techreport{katis_realizability_2022,
 	title = {Realizability {Checking} of {Requirements} in {FRET}},
 	url = {https://ntrs.nasa.gov/citations/20220007510},
 	abstract = {Requirements formalization has become increasingly popular in industrial settings as an
 effort to disambiguate designs and optimize development time and costs for critical system components. Formal requirements elicitation also enables the employment of analysis
 tools to prove important properties, such as consistency and realizability. In this report,
 we present the realizability analysis framework that we developed as part of the Formal
 Requirements Elicitation Tool (FRET). Our framework prioritizes usability, and employs
 state-of-the-art analysis algorithms that support infinite theories. We demonstrate the workflow for realizability checking, showcase the diagnosis process that supports visualization of
 conflicts between requirements and simulation of counterexamples, and discuss results from
 industrial-level case studies.},
 	urlyear = {2026},
 	month = mar,
 	institution = {NASA Ames Research Center},
 	author = {Katis, Andreas and Mavridou, Anastasia and Giannakopoulou, Dimitra and Pressburger, Thomas and Schumann, Johann},
 	month = apr,
 	year = {2022},
 	note = {NTRS Author Affiliations: Wyle (United States), Ames Research Center
 NTRS Document ID: 20220007510
 NTRS Research Center: Ames Research Center (ARC)},
 	keywords = {Mathematical And Computer Sciences (General)},
 }
@inproceedings{katis_capture_2022,
-	address = {Cham},
+	location = {Cham},
 	title = {Capture, Analyze, Diagnose: Realizability Checking Of Requirements in {FRET}},
 	isbn = {978-3-031-13188-2},
 	doi = {10.1007/978-3-031-13188-2_24},
@ -250,27 +166,13 @@ NTRS Research Center: Ames Research Center (ARC)},
 	publisher = {Springer International Publishing},
 	author = {Katis, Andreas and Mavridou, Anastasia and Giannakopoulou, Dimitra and Pressburger, Thomas and Schumann, Johann},
 	editor = {Shoham, Sharon and Vizel, Yakir},
-	year = {2022},
+	date = {2022},
-}
+	langid = {english},
-
+	file = {Full Text PDF:/home/danesabo/Zotero/storage/3JPVH8U2/Katis et al. - 2022 - Capture, Analyze, Diagnose Realizability Checking Of Requirements in FRET.pdf:application/pdf},
@techreport{pressburger_using_2023,
 	title = {Using {FRET} to {Create}, {Analyze} and {Monitor} {Requirements} for a {Lift} {Plus} {Cruise} {Case} {Study}},
 	url = {https://ntrs.nasa.gov/citations/20220017032},
 	abstract = {In this technical report we provide information on the use of the NASA Formal RequirementsElicitation Tool (FRET) to create requirements for a Lift Plus Cruise (LPC) aircraft case study.  Furthermore, we provide details on using FRET to translate these requirements into an appropriate format for the Copilot tool, enabling their usage to perform runtime verification on a synthesized LPC system.},
 	urlyear = {2026},
 	month = mar,
 	institution = {NASA Ames Research Center},
 	author = {Pressburger, Thomas and Katis, Andreas and Dutle, Aaron and Mavridou, Anastasia},
 	month = apr,
 	year = {2023},
 	note = {NTRS Author Affiliations: Ames Research Center, KBR (United States), Langley Research Center
 NTRS Document ID: 20220017032
 NTRS Research Center: Ames Research Center (ARC)},
 	keywords = {Mathematical And Computer Sciences (General)},
 }
@inproceedings{meyer_strix_2018,
-	address = {Cham},
+	location = {Cham},
 	title = {Strix: Explicit Reactive Synthesis Strikes Back!},
 	isbn = {978-3-319-96145-3},
 	doi = {10.1007/978-3-319-96145-3_31},
@ -280,7 +182,8 @@ NTRS Research Center: Ames Research Center (ARC)},
 	publisher = {Springer International Publishing},
 	author = {Meyer, Philipp J. and Sickert, Salomon and Luttenberger, Michael},
 	editor = {Chockler, Hana and Weissenbacher, Georg},
-	year = {2018},
+	date = {2018},
 	langid = {english},
 }
@misc{jacobs_reactive_2024,
@ -291,26 +194,12 @@ NTRS Research Center: Ames Research Center (ARC)},
 	number = {{arXiv}:2206.00251},
 	publisher = {{arXiv}},
 	author = {Jacobs, Swen and others},
-	urlyear = {2025},
+	urldate = {2025-12-06},
-	month = dec,
+	date = {2024-05-06},
-	year = {2024},
+	eprinttype = {arxiv},
-	month = may,
+	eprint = {2206.00251 [cs]},
 	keywords = {Computer Science - Logic in Computer Science},
-}
+	file = {Preprint PDF:/home/danesabo/Zotero/storage/GU6W5UH4/Jacobs et al. - 2024 - The Reactive Synthesis Competition (SYNTCOMP) 2018-2021.pdf:application/pdf;Snapshot:/home/danesabo/Zotero/storage/57UPK6A5/2206.html:text/html},
@book{lunze_handbook_2009,
 	address = {Cambridge},
 	title = {Handbook of {Hybrid} {Systems} {Control}: {Theory}, {Tools}, {Applications}},
 	isbn = {978-0-521-76505-3},
 	shorttitle = {Handbook of {Hybrid} {Systems} {Control}},
 	url = {https://www.cambridge.org/core/books/handbook-of-hybrid-systems-control/95CBB51B339FA6B95B814D4BABB715A7},
 	doi = {10.1017/CBO9780511807930},
 	abstract = {Setting out core theory and reviewing a range of new methods, theoretical problems and applications, this handbook shows how hybrid dynamical systems can be modelled and understood. Sixty expert authors involved in the recent research activities and industrial application studies provide practical insights on topics ranging from the theoretical investigations over computer-aided design to applications in energy management and the process industry. Structured into three parts, the book opens with a thorough introduction to hybrid systems theory, illustrating new dynamical phenomena through numerous examples. Part II then provides a survey of key tools and tool integration activities. Finally, Part III is dedicated to applications, implementation issues and system integration, considering different domains such as industrial control, automotive systems and digital networks. Three running examples are referred to throughout the book, together with numerous illustrations, helping both researchers and industry professionals to understand complex theory, recognise problems and find appropriate solutions.},
 	urlyear = {2026},
 	month = jan,
 	publisher = {Cambridge University Press},
 	editor = {Lunze, Jan and Lamnabhi-Lagarrigue, Françoise},
 	year = {2009},
 }
@article{branicky_multiple_1998,
@ -321,74 +210,41 @@ NTRS Research Center: Ames Research Center (ARC)},
 	doi = {10.1109/9.664150},
 	pages = {475--482},
 	number = {4},
-	journal = {{IEEE} Transactions on Automatic Control},
+	journaltitle = {{IEEE} Transactions on Automatic Control},
 	author = {Branicky, M.S.},
-	urlyear = {2025},
+	urldate = {2025-09-10},
-	month = sep,
+	date = {1998-04},
 	year = {1998},
 	month = apr,
 	keywords = {Automata, Control systems, Difference equations, Differential equations, Lagrangian functions, Limit-cycles, Lyapunov method, Stability analysis, Switched systems, Switches},
 	file = {PDF:/home/danesabo/Zotero/storage/5AQWDPAA/Branicky - 1998 - Multiple Lyapunov functions and other analysis tools for switched and hybrid systems.pdf:application/pdf},
 }
-@phdthesis{kapuria_using_2025,
+@thesis{guernic_reachability_2009,
 	address = {United States -- Pennsylvania},
 	type = {Ph.{D}.},
 	title = {Using {Decomposition}-{Based} {Formal} {Verification} to {Analyze} {Safety} and {Identify} {Unsafe} {Control} {Actions} for {Hybrid} {Systems}},
 	copyright = {Database copyright ProQuest LLC; ProQuest does not claim copyright in the individual underlying works.},
 	isbn = {9798280700147},
 	url = {https://www.proquest.com/docview/3215670525/abstract/3C715CB23CB84313PQ/1},
 	abstract = {This dissertation presents a decomposition-based formal verification framework for hybrid systems, focusing on identifying unsafe control actions (UCAs) in cyber-physical systems (CPS). Using differential dynamic logic, we verify safety properties by first proving correctness at the component level before integrating them into a system-wide proof. Our approach enhances scalability by isolating subsystems, enforcing constraints on their interactions, and using satisfiability modulo theories (SMT) solvers to automate invariant generation. We apply this methodology to a small modular advanced high-temperature reactor (SmAHTR), analyzing its control logic under both normal operations and adversarial conditions, including cyberattacks. The results demonstrate how formal methods can systematically identify UCAs that emerge from mode transitions, feedback interactions, and incorrect assumptions. By integrating theorem proving with reachability analysis, this work advances CPS safety verification, providing a rigorous and scalable approach to ensuring system resilience.
 To achieve this, we develop a hybrid automaton model of SmAHTR and formally verify its behavior under various control strategies, including scenarios involving maintenance operations and external disruptions. We introduce a structured method to decompose the system into independently analyzable components, ensuring that local safety guarantees extend to global system correctness. The verification process captures both intended and unintended control actions, revealing potential failure modes that traditional analysis methods might overlook. Furthermore, we propose an automated approach for identifying UCAs by leveraging formal reasoning tools to systematically explore system behaviors beyond manual hazard analysis. Our findings demonstrate that decomposition-based verification not only reduces computational complexity but also improves the efficiency and robustness of CPS safety analysis, particularly for high-assurance applications such as nuclear reactor operations.},
 	language = {English},
 	urlyear = {2026},
 	month = feb,
 	school = {University of Pittsburgh},
 	author = {Kapuria, Abhimanyu},
 	year = {2025},
 	keywords = {Computer science, Differential equations, Electrical engineering, Engineering, Formal verification, Hybrid systems, Mechanical engineering, Reachability analysis, Satisfiability modulo theories solvers},
 }
@inproceedings{lang_formal_2021,
 	address = {VIRTUAL EVENT},
 	title = {Formal {Verification} {Applied} to {Spacecraft} {Attitude} {Control}},
 	isbn = {978-1-62410-609-5},
 	url = {https://arc.aiaa.org/doi/10.2514/6.2021-1126},
 	doi = {10.2514/6.2021-1126},
 	language = {en},
 	urlyear = {2024},
 	month = nov,
 	booktitle = {{AIAA} {Scitech} 2021 {Forum}},
 	publisher = {American Institute of Aeronautics and Astronautics},
 	author = {Lang, Kendra and Klett, Corbin and Hawkins, Kelsey and Feron, Eric and Tsiotras, Panagiotis and Phillips, Sean},
 	month = jan,
 	year = {2021},
 }
@inproceedings{frehse_spaceex_2011,
 	address = {Berlin, Heidelberg},
 	title = {{SpaceEx}: Scalable Verification of Hybrid Systems},
 	isbn = {978-3-642-22110-1},
 	doi = {10.1007/978-3-642-22110-1_30},
 	shorttitle = {{SpaceEx}},
 	pages = {379--395},
 	booktitle = {Computer Aided Verification},
 	publisher = {Springer},
 	author = {Frehse, Goran and Le Guernic, Colas and Donzé, Alexandre and Cotton, Scott and Ray, Rajarshi and Lebeltel, Olivier and Ripado, Rodolfo and Girard, Antoine and Dang, Thao and Maler, Oded},
 	editor = {Gopalakrishnan, Ganesh and Qadeer, Shaz},
 	year = {2011},
 	keywords = {Hybrid Automaton, Hybrid System, Reachability Analysis, Reachable State, Support Function},
 }
@phdthesis{guernic_reachability_2009,
 	title = {Reachability Analysis of Hybrid Systems with Linear Continuous Dynamics},
 	url = {https://theses.hal.science/tel-00422569},
 	institution = {Université Joseph-Fourier - Grenoble I},
-	school = {Université Joseph-Fourier, Grenoble},
+	type = {phdthesis},
 	author = {Guernic, Colas Le},
-	urlyear = {2025},
+	urldate = {2025-09-14},
-	month = sep,
+	date = {2009-10-28},
-	year = {2009},
+	langid = {english},
-	month = oct,
+	file = {Full Text PDF:/home/danesabo/Zotero/storage/A5XNTDZ9/Guernic - 2009 - Reachability Analysis of Hybrid Systems with Linear Continuous Dynamics.pdf:application/pdf},
 }
@inproceedings{alur_hybrid_1993,
 	location = {Berlin, Heidelberg},
 	title = {Hybrid automata: An algorithmic approach to the specification and verification of hybrid systems},
 	isbn = {978-3-540-48060-0},
 	doi = {10.1007/3-540-57318-6_30},
 	shorttitle = {Hybrid automata},
 	pages = {209--229},
 	booktitle = {Hybrid Systems},
 	publisher = {Springer},
 	author = {Alur, Rajeev and Courcoubetis, Costas and Henzinger, Thomas A. and Ho, Pei -Hsin},
 	editor = {Grossman, Robert L. and Nerode, Anil and Ravn, Anders P. and Rischel, Hans},
 	date = {1993},
 	langid = {english},
 	keywords = {Acceptance Condition, Hybrid Automaton, Hybrid System, Mutual Exclusion, Reachability Problem},
 	file = {Full Text PDF:/home/danesabo/Zotero/storage/WBXYUC86/Alur et al. - 1993 - Hybrid automata An algorithmic approach to the specification and verification of hybrid systems.pdf:application/pdf},
 }
@article{mitchell_time-dependent_2005,
@ -399,13 +255,29 @@ To achieve this, we develop a hybrid automaton model of SmAHTR and formally veri
 	doi = {10.1109/TAC.2005.851439},
 	pages = {947--957},
 	number = {7},
-	journal = {{IEEE} Transactions on Automatic Control},
+	journaltitle = {{IEEE} Transactions on Automatic Control},
 	author = {Mitchell, I.M. and Bayen, A.M. and Tomlin, C.J.},
-	urlyear = {2025},
+	urldate = {2025-09-15},
-	month = sep,
+	date = {2005-07},
 	year = {2005},
 	month = jul,
 	keywords = {Aircraft, Collaborative software, Collision avoidance, Computational modeling, Differential games, Hamilton–Jacobi equations, Nonlinear equations, Nonlinear systems, Partial differential equations, reachability, Trajectory, Vehicle dynamics, verification, Viscosity},
 	file = {Snapshot:/home/danesabo/Zotero/storage/SLKV9PEI/1463302.html:text/html;Submitted Version:/home/danesabo/Zotero/storage/9YWL2UDH/Mitchell et al. - 2005 - A time-dependent Hamilton-Jacobi formulation of reachable sets for continuous dynamic games.pdf:application/pdf},
 }
@inproceedings{frehse_spaceex_2011,
 	location = {Berlin, Heidelberg},
 	title = {{SpaceEx}: Scalable Verification of Hybrid Systems},
 	isbn = {978-3-642-22110-1},
 	doi = {10.1007/978-3-642-22110-1_30},
 	shorttitle = {{SpaceEx}},
 	pages = {379--395},
 	booktitle = {Computer Aided Verification},
 	publisher = {Springer},
 	author = {Frehse, Goran and Le Guernic, Colas and Donzé, Alexandre and Cotton, Scott and Ray, Rajarshi and Lebeltel, Olivier and Ripado, Rodolfo and Girard, Antoine and Dang, Thao and Maler, Oded},
 	editor = {Gopalakrishnan, Ganesh and Qadeer, Shaz},
 	date = {2011},
 	langid = {english},
 	keywords = {Hybrid Automaton, Hybrid System, Reachability Analysis, Reachable State, Support Function},
 	file = {Full Text PDF:/home/danesabo/Zotero/storage/LPQK8GY2/Frehse et al. - 2011 - SpaceEx Scalable Verification of Hybrid Systems.pdf:application/pdf},
 }
@inproceedings{bansal_hamilton-jacobi_2017,
@ -417,15 +289,14 @@ To achieve this, we develop a hybrid automaton model of SmAHTR and formally veri
 	pages = {2242--2253},
 	booktitle = {2017 {IEEE} 56th Annual Conference on Decision and Control ({CDC})},
 	author = {Bansal, Somil and Chen, Mo and Herbert, Sylvia and Tomlin, Claire J.},
-	urlyear = {2025},
+	urldate = {2025-09-15},
-	month = sep,
+	date = {2017-12},
 	year = {2017},
 	month = dec,
 	keywords = {Aircraft, Games, Level set, Safety, Tools, Trajectory, Tutorials},
 	file = {Snapshot:/home/danesabo/Zotero/storage/EEK5IE93/8263977.html:text/html;Submitted Version:/home/danesabo/Zotero/storage/BMNLZ9DW/Bansal et al. - 2017 - Hamilton-Jacobi reachability A brief overview and recent advances.pdf:application/pdf},
 }
@inproceedings{prajna_safety_2004,
-	address = {Berlin, Heidelberg},
+	location = {Berlin, Heidelberg},
 	title = {Safety Verification of Hybrid Systems Using Barrier Certificates},
 	isbn = {978-3-540-24743-2},
 	doi = {10.1007/978-3-540-24743-2_32},
@ -434,111 +305,7 @@ To achieve this, we develop a hybrid automaton model of SmAHTR and formally veri
 	publisher = {Springer},
 	author = {Prajna, Stephen and Jadbabaie, Ali},
 	editor = {Alur, Rajeev and Pappas, George J.},
-	year = {2004},
+	date = {2004},
 	langid = {english},
 	keywords = {Continuous State, Discrete Transition, Hybrid System, Integral Constraint, Reachability Analysis},
 }
@techreport{deroucy_ai_2025,
  title       = {AI, Data Centers and Energy Demand: Reassessing and Exploring the Trends},
  author      = {de Roucy-Rochegonde, Laure and Buffard, Adrien},
  institution = {French Institute of International Relations (Ifri)},
  year        = {2025},
  type        = {Ifri Papers},
  isbn        = {979-10-373-1000-2}
 }
@article{harvey_levels_2021,
 	title = {The {Levels} of {War} as {Levels} of {Analysis}},
 	language = {en},
 	publisher = {Military Review},
 	author = {Harvey, Andrew S},
 	year = {2021},
 	file = {PDF:/Users/danesabo/Zotero/storage/5NSKMNEU/Harvey - The Levels of War as Levels of Analysis.pdf:application/pdf},
 }
@article{luttenberger_practical_2020,
 	title = {Practical synthesis of reactive systems from {LTL} specifications via parity games},
 	volume = {57},
 	issn = {1432-0525},
 	url = {https://doi.org/10.1007/s00236-019-00349-3},
 	doi = {10.1007/s00236-019-00349-3},
 	abstract = {The synthesis of reactive systems from linear temporal logic (LTL) specifications is an important aspect in the design of reliable software and hardware. We present our adaption of the classic automata-theoretic approach to LTL synthesis, implemented in the tool Strix which has won the two last synthesis competitions (Syntcomp2018/2019). The presented approach is (1) structured, meaning that the states used in the construction have a semantic structure that is exploited in several ways, it performs a (2) forward exploration such that it often constructs only a small subset of the reachable states, and it is (3) incremental in the sense that it reuses results from previous inconclusive solution attempts. Further, we present and study different guiding heuristics that determine where to expand the on-demand constructed arena. Moreover, we show several techniques for extracting an implementation (Mealy machine or circuit) from the witness of the tree-automaton emptiness check. Lastly, the chosen constructions use a symbolic representation of the transition functions to reduce runtime and memory consumption. We evaluate the proposed techniques on the Syntcomp2019 benchmark set and show in more detail how the proposed techniques compare to the techniques implemented in other leading LTL synthesis tools.},
 	language = {en},
 	number = {1},
 	urldate = {2026-03-07},
 	journal = {Acta Informatica},
 	author = {Luttenberger, Michael and Meyer, Philipp J. and Sickert, Salomon},
 	month = apr,
 	year = {2020},
 	pages = {3--36},
 	file = {Submitted Version:/Users/danesabo/Zotero/storage/VYMVF5GK/Luttenberger et al. - 2020 - Practical synthesis of reactive systems from LTL specifications via parity games.pdf:application/pdf},
 }
@inproceedings{chen_taylor_2012,
 	title = {Taylor {Model} {Flowpipe} {Construction} for {Non}-linear {Hybrid} {Systems}},
 	issn = {1052-8725},
 	url = {https://ieeexplore.ieee.org/document/6424802},
 	doi = {10.1109/RTSS.2012.70},
 	abstract = {We propose an approach for verifying non-linear hybrid systems using higher-order Taylor models that are a combination of bounded degree polynomials over the initial conditions and time, bloated by an interval. Taylor models are an effective means for computing rigorous bounds on the complex time trajectories of non-linear differential equations. As a result, Taylor models have been successfully used to verify properties of non-linear continuous systems. However, the handling of discrete (controller) transitions remains a challenging problem. In this paper, we provide techniques for handling the effect of discrete transitions on Taylor model flow pipe construction. We explore various solutions based on two ideas: domain contraction and range over-approximation. Instead of explicitly computing the intersection of a Taylor model with a guard set, domain contraction makes the domain of a Taylor model smaller by cutting away parts for which the intersection is empty. It is complemented by range over-approximation that translates Taylor models into commonly used representations such as template polyhedra or zonotopes, on which intersections with guard sets have been previously studied. We provide an implementation of the techniques described in the paper and evaluate the various design choices over a set of challenging benchmarks.},
 	urldate = {2026-03-18},
 	booktitle = {2012 {IEEE} 33rd {Real}-{Time} {Systems} {Symposium}},
 	author = {Chen, Xin and Ábrahám, Erika and Sankaranarayanan, Sriram},
 	month = dec,
 	year = {2012},
 	note = {ISSN: 1052-8725},
 	keywords = {Approximation methods, Computational modeling, Mathematical model, Polynomials, Safety, Taylor series, Trajectory},
 	pages = {183--192},
 	file = {Snapshot:/Users/danesabo/Zotero/storage/7HBF3VMT/6424802.html:text/html},
 }
@inproceedings{chen_flow_2013,
 	address = {Berlin, Heidelberg},
 	title = {Flow*: {An} {Analyzer} for {Non}-linear {Hybrid} {Systems}},
 	isbn = {978-3-642-39799-8},
 	shorttitle = {Flow*},
 	doi = {10.1007/978-3-642-39799-8_18},
 	abstract = {The tool Flow* performs Taylor model-based flowpipe construction for non-linear (polynomial) hybrid systems. Flow* combines well-known Taylor model arithmetic techniques for guaranteed approximations of the continuous dynamics in each mode with a combination of approaches for handling mode invariants and discrete transitions. Flow* supports a wide variety of optimizations including adaptive step sizes, adaptive selection of approximation orders and the heuristic selection of template directions for aggregating flowpipes. This paper describes Flow* and demonstrates its performance on a series of non-linear continuous and hybrid system benchmarks. Our comparisons show that Flow* is competitive with other tools.},
 	language = {en},
 	booktitle = {Computer {Aided} {Verification}},
 	publisher = {Springer},
 	author = {Chen, Xin and Ábrahám, Erika and Sankaranarayanan, Sriram},
 	editor = {Sharygina, Natasha and Veith, Helmut},
 	year = {2013},
 	keywords = {Adaptive Step, Adaptive Step Size, Discrete Transition, Hybrid System, Taylor Model},
 	pages = {258--263},
 	file = {Full Text PDF:/Users/danesabo/Zotero/storage/6QV2XCVF/Chen et al. - 2013 - Flow An Analyzer for Non-linear Hybrid Systems.pdf:application/pdf},
 }
@inproceedings{althoff_introduction_nodate,
 	title = {An {Introduction} to {CORA} 2015},
 	url = {https://easychair.org/publications/paper/xMm},
 	doi = {10.29007/zbkv},
 	abstract = {The philosophy, architecture, and capabilities of the COntinuous Reachability Analyzer (CORA) are presented. CORA is a toolbox that integrates various vector and matrix set representations and operations on them as well as reachability algorithms of various dynamic system classes. The software is designed such that set representations can be exchanged without having to modify the code for reachability analysis. CORA has a modular design, making it possible to use the capabilities of the various set representations for other purposes besides reachability analysis. The toolbox is designed using the object oriented paradigm, such that users can safely use methods without concerning themselves with detailed information hidden inside the object. Since the toolbox is written in MATLAB, the installation and use is platform independent.},
 	urldate = {2026-03-18},
 	author = {Althoff, Matthias},
 	pages = {120--87},
 	file = {Full Text:/Users/danesabo/Zotero/storage/BIGJMRCV/Althoff - An Introduction to CORA 2015.pdf:application/pdf},
 }
@article{bogomolov_reachability_2020,
 	title = {Reachability {Analysis} of {Linear} {Hybrid} {Systems} via {Block} {Decomposition}},
 	volume = {39},
 	issn = {1937-4151},
 	url = {https://ieeexplore.ieee.org/document/9211556},
 	doi = {10.1109/TCAD.2020.3012859},
 	abstract = {Reachability analysis aims at identifying states reachable by a system within a given time horizon. This task is known to be computationally expensive for linear hybrid systems. Reachability analysis works by iteratively applying continuous and discrete post operators to compute states reachable according to continuous and discrete dynamics, respectively. In this article, we enhance both of these operators and make sure that most of the involved computations are performed in low-dimensional state space. In particular, we improve the continuous-post operator by performing computations in high-dimensional state space only for time intervals relevant for the subsequent application of the discrete-post operator. Furthermore, the new discrete-post operator performs low-dimensional computations by leveraging the structure of the guard and assignment of a considered transition. We illustrate the potential of our approach on a number of challenging benchmarks.},
 	number = {11},
 	urldate = {2026-03-18},
 	journal = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
 	author = {Bogomolov, Sergiy and Forets, Marcelo and Frehse, Goran and Potomkin, Kostiantyn and Schilling, Christian},
 	month = nov,
 	year = {2020},
 	keywords = {Approximation algorithms, Decomposition, Design automation, Heuristic algorithms, hybrid systems, Integrated circuits, Linear systems, reachability, Reachability analysis, Tools},
 	pages = {4018--4029},
 	file = {Snapshot:/Users/danesabo/Zotero/storage/D7FYXW7T/9211556.html:text/html;Submitted Version:/Users/danesabo/Zotero/storage/I3HNBQ65/Bogomolov et al. - 2020 - Reachability Analysis of Linear Hybrid Systems via Block Decomposition.pdf:application/pdf},
 }