Company Website: https://intrafere.com/
Software GitHub that produced this paper: https://github.com/Intrafere/MOTO-Autonomous-ASI
Grok Fusion Solution Challenge Link: https://x.com/grok/status/2027657401625690332
================================================================================
AUTONOMOUS AI SOLUTION
Disclaimer: This is an autonomous AI solution generated with the MOTO harness. This paper was not peer reviewed and was autonomously generated without user oversight or interaction beyond the original user prompt; therefore, this text may contain errors. These papers often contain ambitious content and/or extraordinary claims; all content should be viewed with extreme scrutiny.
(EDITOR NOTE: This single paper does not attempt to solve the user’s prompt entirely; it is meant to be one piece toward the complex solution required for the user’s prompt. Total solutions typically are achieved in later papers.)
User’s Research Prompt: Deliver a complete, engineering-ready blueprint for a compact stellarator fusion reactor achieving sustained Q>15 net gain by 2030—using only near-term materials, full MHD/plasma stability models, tritium breeding cycle, and <$5B build cost. Include all equations, sim code, and falsifiable tests.
AI Model Authors: openai/gpt-5.2, x-ai/grok-4.1-fast, moonshotai/kimi-k2.5
Possible Models Used for Additional Reference:
- moonshotai/kimi-k2.5
- openai/gpt-5.2
- x-ai/grok-4.1-fast
Generated: 2026-02-28
================================================================================
Paper Title: Certified Scenario Synthesis and Diagnostics/Control Co-Design for Steady-State Stellarator Operation
Abstract
We formulate steady-state stellarator operation as a certification-first co-design problem coupling offline scenario synthesis, diagnostics/estimation, real-time control, and facility/plant envelopes across startup, ramp, burn control, and shutdown. The goal is deliberately one-sided: given a declared reduced-order model family and declared unknown-but-bounded uncertainties (parameters, disturbances, sensor noise/bias, latency, dropout), produce solver-checkable artifacts that imply safety/feasibility/stability, or else return explicit, falsifiable failure messages identifying which declared requirement blocks feasibility. For planning, we separate nominal trajectory generation from a robust scenario-existence certificate based on backward reachable-set recursion for bounded-error affine surrogate dynamics; feasibility is certified by set inclusion of the start set in the computed robust reachable set. Diagnostics enter the same loop through a conservative disturbance inflation rule driven by certified estimation error sets, turning “diagnostic sufficiency” into a reachability test. We provide estimator interfaces with failure semantics, including set-membership estimation and residual-triggered bound inflation, and a concrete one-sided radiated-fraction bound computed via a nonnegative emissivity linear program that fails closed when bounds are unavailable. For real-time enforcement, we present a two-layer architecture combining economic MPC with a safety filter (robust CBF-QP/robust projection) and hybrid event guards for impulsive pellet fueling. Co-design certificates translate operational goals into actuator/diagnostic/plant requirements: startup burn-through via a net-heating inequality, collapse avoidance via a fold-margin bound, burn-control reserve sizing via polytopic quadratic-stability/invariant-set LMIs, and bandwidth–delay sufficiency via finite-dimensional robust H-infinity feasibility given a declared delay approximation error bound. Facility constraints are incorporated through fueling MILPs, monotone pumping-network bounds, positive-system inventory propagation, and electrical-envelope reachability/tightening. The framework explicitly delineates what is certified within declared surrogates versus what requires external validation.
I. Introduction
Steady-state stellarator operation couples physics, diagnostics, control, and facility limits across distinct phases (startup, ramp, burn control, shutdown). In practice, many design and operations workflows are dominated by best-effort simulation and nominal trajectory optimization: one produces a candidate scenario and then checks (often informally) whether actuator bandwidth, diagnostic latency, and plant envelopes appear adequate. This approach obscures the logical status of safety margins: it can be unclear which claims are proven under stated assumptions, which depend on unvalidated modeling choices, and what should happen when evidence is insufficient.
This paper proposes a certification-first mathematical specification for treating steady-state operation as a coupled scenario synthesis and diagnostics/control co-design problem. The organizing principle is deliberately one-sided: rather than attempting to predict the “most likely” discharge behavior, we aim to produce auditable go/no-go statements of the form
\[
(\text{declared model + declared bounds}) \implies (\text{safety/feasibility/stability property}).
\]
If such a statement cannot be made, the correct output is not a silent degradation but an explicit failure message that identifies which declared requirement is blocking feasibility (e.g., uncertainty too large, diagnostic latency too high, actuator authority insufficient, electrical envelope too tight).
I.A. Steady-state operation as scenario synthesis + diagnostics/control co-design
We treat an operational episode as a finite-horizon scenario with mode-dependent constraints (startup \(\to\) ramp \(\to\) burn \(\to\) shutdown), driven by a reduced control-relevant surrogate (control-affine dynamics with explicit actuator lags). Offline planning is used to propose a nominal scenario, but the central object is a certificate of robust feasibility: a proof that, for all disturbances and parameters within declared sets, there exists an admissible policy that reaches a terminal “burn set” while remaining inside time-indexed safe sets.
Diagnostics and estimation enter the same feasibility loop. Measurement models include bounded noise, bounded bias/drift, and dropout. Estimators are required to output bounded error sets \(\mathcal{E}_k\), and these sets inflate the effective disturbance envelopes used in reachability and robust control. Consequently, “diagnostic sufficiency” is not a qualitative judgment but a falsifiable condition: if the reachable sets become empty under the disturbance inflation induced by \(\mathcal{E}_k\), then the diagnostic/estimation design is insufficient for the declared scenario.
I.B. Certification-first objective and auditability semantics
All results are conditional on a declared model family \(\mathfrak{M}\) and declared uncertainty sets (parameter boxes, disturbance sets, sensor noise/bias bounds, latency/dropout models). The paper distinguishes external physical truth from the declared mathematical objects used in proofs. A certificate is a finite, solver-checkable artifact (e.g., an LMI witness, an LP/MILP feasibility transcript, a backward-reachability recursion, a barrier inequality, or a conformal quantile) such that the desired property follows under stated assumptions. This “auditability contract” is made explicit in Section II and enforced throughout: every enforced margin is traceable to a proved inequality or a prior module certificate, and every failure (infeasibility, inconsistency, missing bounds) has explicit semantics.
I.C. Target operational phases and constraints
The framework is organized around the operational phases most relevant to steady-state campaigns: startup (breakdown/burn-through), ramp to a burn region, steady burn control, and controlled shutdown/fallback. Constraints are represented as inequalities or polyhedral sets suitable for reachability and real-time optimization, including core proxies (stored energy \(W\), density \(n_e\), helium ash fraction, radiated fraction), actuator saturation/slew/bandwidth, diagnostic latency, and facility/plant limits (fueling/pumping, inventory/accountancy, and electrical envelopes). Magnet/protection envelopes, when used, are treated as exogenous constraints unless externally verified.
I.D. Main results and certificate modules (high level)
The paper’s technical contributions are organized as composable certificates linking planning, estimation, control, and plant constraints:
\begin{itemize}
\item \textbf{Scenario existence certificates (Section III):} robust backward reachability on a declared bounded-error discrete-time model yields a go/no-go test \(\mathcal{Z}_{\mathrm{start}}\subseteq\mathcal{R}_N\) ensuring existence of a robustly safe policy to a terminal burn set.
\item \textbf{Diagnostics co-design interfaces (Section IV):} estimator modules produce bounded error sets \(\mathcal{E}_k\) with explicit failure semantics; these bounds propagate into planning/control via a conservative disturbance inflation \(\mathcal{W}_k\mapsto\widetilde{\mathcal{W}}_k\). A concrete one-sided radiated-fraction bounding template is given via a nonnegative emissivity LP that returns an auditable upper bound \(f_{\mathrm{rad}}^{\mathrm{hi}}\) and a “bounds unavailable \(\Rightarrow\) derate/abort” hook.
\item \textbf{Real-time safe enforcement (Section V):} a two-layer architecture combines economic MPC (performance) with a safety filter (robust CBF-QP or robust projection) that enforces one-step robust safety inequalities. Hybrid impulsive pellet actions are integrated via event-guard certificates preventing instantaneous constraint violations.
\item \textbf{Co-design sizing and sufficiency certificates (Section VI):} startup burn-through is certified by a sufficient net-heating inequality under one-sided absorbed-power and loss envelopes; collapse avoidance is treated through a fold-margin inequality; burn-control reserve sizing is linked to actuator headroom and disturbances via polytopic quadratic stability and invariant-set LMIs; bandwidth--delay sufficiency is expressed through a finite-dimensional robust \(H_\infty\) feasibility check once a declared delay approximation and error bound are supplied. Facility and plant constraints are incorporated through feasibility certificates for fueling schedules (MILP), monotone pumping/pressure bounds (\(M\)-matrix monotonicity and optional GP sizing), tritium inventory upper-bound propagation (positive systems), and electrical envelope constraints.
\end{itemize}
I.E. Roadmap
Section II formalizes certificate semantics, uncertainty modeling, reduced surrogate interfaces, and the auditability contract. Section III develops certified scenario existence via backward reachability and makes the diagnostics-to-feasibility coupling explicit through disturbance inflation. Section IV treats diagnostics co-design, identifiability/observability conditions, robust estimation with failure handling, and one-sided radiation-fraction bounding; it also includes an optional conformal-calibration path for evidence-to-bounds with explicit acceptance tests. Section V presents a real-time control architecture that produces auditable safety margins and fail-closed behavior under infeasibility or diagnostic loss. Section VI states the main co-design certificates translating operational goals into actuator, diagnostic, and plant requirements. Section VII provides solver-ready proof and computation templates to make certificate objects reproducible. Sections VIII and IX describe an integrated simulation harness and a falsifiable validation plan, and they clarify which assumptions must be externally verified before interpreting any certificate as operationally relevant.
II. Preliminaries: Certification Semantics, Assumptions, and Interfaces
This section fixes notation and the formal meaning of the word \emph{certificate} used throughout. The intent is to make every subsequent claim mechanically auditable: every enforced operational margin is traceable to a stated inequality that is proven under declared assumptions.
II.A. Certificate semantics and auditability contract
We distinguish sharply between (i) external physical truth and engineering reality, and (ii) the \emph{declared} models and uncertainty sets used for certification.
\paragraph{Declared model family.} A declared model family is a tuple
\[
\mathfrak{M} := (\mathcal{X},\mathcal{U},\Theta, f, g, h, \mathcal{D}),
\]
where \(\mathcal{X}\subset\mathbb{R}^{n_x}\) is the state space, \(\mathcal{U}\subset\mathbb{R}^{n_u}\) the admissible input set, \(\Theta\subset\mathbb{R}^{n_\theta}\) a parameter set, \(f\) and \(g\) define the control-affine dynamics (Section II.C), \(h\) collects operational constraints (Section II.D), and \(\mathcal{D}\) specifies the admissible disturbance and noise descriptions (Section II.B). The meaning of \(\mathfrak{M}\) is purely mathematical: it is the object with respect to which proofs are carried out.
\paragraph{Certificate.} A \emph{certificate} for a property \(\mathcal{P}\) is a finite object \(\mathcal{C}\) (e.g., a matrix inequality witness, a reachable-set recursion, a Lyapunov/barrier function, a conformal quantile, or a solver transcript with dual variables) such that
\[
(\mathfrak{M} \text{ holds}) \wedge (\text{assumptions }\mathcal{A}\text{ hold}) \implies \mathcal{P}.
\]
The certificate is \emph{one-sided}: it proves a safety/feasibility property under the declared bounds. It does not claim optimality or physical fidelity beyond those declarations.
\paragraph{Auditability contract.} Every certified inequality in later sections must satisfy:
\begin{enumerate}
\item \textbf{Traceability:} each margin \(m\) appearing in a constraint of the form \(h_k(x) \ge m_k\) or \(H z \le b\) is traced to a line in a proof or to a prior module certificate.
\item \textbf{Unit consistency:} each constraint and bound is dimensionally consistent (e.g., powers in W, energies in J, time constants in s). This paper uses only algebraic relationships; any empirical constants used in applications must be declared with units.
\item \textbf{Declared conservatism:} when a quantity is inflated (e.g., disturbance envelopes enlarged to cover estimator error), the inflation rule is explicit.
\item \textbf{Failure semantics:} if a certificate cannot be produced (e.g., an LMI is infeasible; a reachable set becomes empty; uncertainty coverage fails), the output is a \emph{diagnostic failure message} that recommends design changes (slow the scenario, improve diagnostics, increase actuator authority) rather than silently proceeding.
\end{enumerate}
II.B. Uncertainty modeling used throughout
We use unknown-but-bounded uncertainty rather than probabilistic guarantees. This is chosen to support \emph{one-sided} conclusions (safety/feasibility) without distributional assumptions.
\paragraph{Parameter uncertainty.} Unknown parameters \(\theta\in\Theta\) lie in a known compact set, typically a hyper-rectangle (box)
\[
\Theta := \{\theta\in\mathbb{R}^{n_\theta}: \underline\theta \le \theta \le \overline\theta\}.
\]
When time variation is allowed, we write \(\theta_k\in\Theta_k\) in discrete time, with \(\Theta_k\) possibly changing along a scenario.
\paragraph{Disturbances and model mismatch.} Disturbances \(d(t)\) (or \(w_k\) in discrete time) are assumed to lie in a compact convex set \(\mathcal{W}\) (often a polytope or an ellipsoid), representing unmodeled dynamics, closure mismatch, and exogenous perturbations.
\paragraph{Sensor noise, bias, and dropout.} A measurement channel \(j\) produces observations
\[
y_{j,k} = h_j(x_k,\theta_k) + v_{j,k} + b_{j,k},
\]
where \(v_{j,k}\in\mathcal{V}_{j,k}\) is bounded noise and \(b_{j,k}\in\mathcal{B}_{j,k}\) is a bounded bias/drift term. Diagnostic dropout is modeled by an availability signal \(\delta_{j,k}\in\{0,1\}\); if \(\delta_{j,k}=0\), the channel provides no usable constraint-tightening information at time \(k\). Any controller or estimator that relies on \(y_{j,k}\) must specify behavior under \(\delta_{j,k}=0\).
\paragraph{Vertex embedding for robust checks.} When robust constraints depend affinely on uncertain parameters (e.g., \(A(\theta),B(\theta)\) polytopic), robust feasibility can be checked on the set of vertices of the uncertainty polytope. We will only invoke this reduction when the dependence is explicitly affine (or has been conservatively outer-approximated by an affine/polyhedral set).
\paragraph{Risk budgeting as tightening policy.} Although the framework is non-probabilistic, it is useful to distinguish constraints by criticality. We represent this as a tightening policy: safety-critical constraints are assigned smaller allowable slack and more conservative inflations. Formally, for each operational constraint \(h_k(x)\ge 0\) we may enforce
\[
h_k(x) \ge \eta_k,
\]
where \(\eta_k>0\) is a design margin chosen by policy. The paper treats \(\eta_k\) as a declared input; selection of \(\eta_k\) is not “automatic truth” and must be justified externally.
II.C. Reduced control-relevant stellarator model classes
The paper requires models that are (i) small enough for optimization and real-time control, and (ii) structured enough to support explicit certificates. We therefore work with abstract reduced-order surrogates, without claiming that any particular surrogate is accurate for a given device.
\paragraph{Continuous-time control-affine form.} The nominal reduced dynamics are assumed to be control-affine:
\[
\dot x(t) = f(x(t),\theta(t)) + \sum_{i=1}^{n_u} g_i(x(t),\theta(t))\,u_i(t) + d(t),
\]
with state \(x\in\mathcal{X}\subset\mathbb{R}^{n_x}\), input \(u\in\mathcal{U}\subset\mathbb{R}^{n_u}\), parameter \(\theta\in\Theta\), and disturbance \(d\in\mathcal{W}\). In later sections, the components of \(x\) are instantiated as control-relevant proxies such as stored energy, density, impurity/helium fractions, and edge/divertor proxy variables.
\paragraph{Actuator lag dynamics.} Commands \(u_{\mathrm{cmd}}\) are mapped to physical actuation states \(u\) through explicit dynamics. A common template is a stable linear lag model
\[
\dot u(t) = A_u u(t) + B_u u_{\mathrm{cmd}}(t),
\]
with \(A_u\) Hurwitz, plus saturation \(u(t)\in\mathcal{U}\) and slew limits \(\|\dot u\|\le \dot u_{\max}\) (encoded either as hard constraints in a planner/controller or as additional actuator states). Second-order heating-chain lags are included by taking \((A_u,B_u)\) of appropriate dimension.
\paragraph{Discrete-time augmented model for planning/control.} For scenario synthesis and MPC we discretize with step \(\Delta t\) and form an augmented state
\[
z_k := \begin{bmatrix} x_k \\ u_k \end{bmatrix} \in \mathbb{R}^{n_x+n_u}.
\]
A generic bounded-error affine template used for reachability and robust MPC is
\[
z_{k+1} = A_k z_k + B_k u_{\mathrm{cmd},k} + c_k + w_k, \qquad w_k\in\mathcal{W}_k,
\]
where the matrices may vary with \(k\) (e.g., due to linearization along a planned trajectory or mode changes across operational phases). We will only claim robust properties for this discrete model, not for an unverified high-fidelity plasma model.
II.D. Operational constraint taxonomy (as enforceable inequalities)
We represent operational requirements as inequalities
\[
h(x,u,t) \ge 0,
\]
or, after linearization/outer approximation, as polyhedral constraints \(H z \le b\). The choice of constraints is device- and mission-dependent; the role of this paper is to standardize how they enter certificates.
\paragraph{Core plasma proxy constraints.} Examples of core constraints include bounds on:
\begin{itemize}
\item stored energy proxy \(W\) (e.g., \(W_{\min}\le W\le W_{\max}\));
\item density proxy \(n_e\) (e.g., \(n_{e,\min}\le n_e\le n_{e,\max}\));
\item helium ash fraction proxy \(f_{\mathrm{He}}\in[0,1]\) with ceiling \(f_{\mathrm{He}}\le f_{\mathrm{He,max}}\);
\item radiated fraction proxy \(f_{\mathrm{rad}}\in[0,1]\) with ceiling \(f_{\mathrm{rad}}\le f_{\mathrm{rad,max}}\).
\end{itemize}
These are treated as abstract constraints on state components, to be linked later to diagnostics and estimators.
\paragraph{Edge/divertor proxy constraints.} Many protection-relevant limits are not directly part of a 0D core model. We therefore introduce a scalar proxy \(\xi\) (“detachment margin” or similar monotone surrogate) and enforce constraints such as
\[
\xi \ge \xi_{\min}, \qquad q_{\mathrm{wall}}^{\mathrm{proxy}}(x) \le \overline q, \qquad q_{\mathrm{div}}^{\mathrm{proxy}}(x) \le \overline q_{\mathrm{div}},
\]
where the proxy functions must be declared and accompanied by explicit uncertainty bounds before they can be used in a certificate.
\paragraph{Actuator and plant constraints.} Inputs are constrained by:
\begin{itemize}
\item saturation: \(u\in\mathcal{U}\) (box or polytope);
\item slew/bandwidth: \(\|u_{k+1}-u_k\|\le \Delta u_{\max}\) or explicit lag state constraints;
\item diagnostic latency: measurements arrive with delay \(\tau_d\) or are only available every \(m\) control ticks;
\item wall-plug electrical caps: a constraint \(P_{\mathrm{grid}}(u)\le P_{\mathrm{grid,max}}\), with \(P_{\mathrm{grid}}\) a declared map.
\end{itemize}
\paragraph{Fuel-cycle and facility constraints.} For long-pulse/steady-state operation, fueling and pumping are constrained by facility limits. Abstractly, we treat these as:
\[
\Gamma_{\mathrm{fuel}}\in[0,\overline\Gamma_{\mathrm{fuel}}],\quad S_{\mathrm{pump}}\in[0,\overline S_{\mathrm{pump}}],\quad I_{\mathrm{T}}(t)\le \overline I_{\mathrm{T}},
\]
where \(I_{\mathrm{T}}\) is a tritium inventory/accountancy state in a facility model. The detailed facility models and their certificates appear later; here we only fix the interface: facility constraints become additional inequalities enforced by planning and control.
\paragraph{Magnet/protection-derived envelopes.} Constraints derived from magnet protection or coil limitations are treated as \emph{exogenous envelopes} unless they have separate externally verified certificates. Mathematically, they appear as admissible sets on scenario transients (e.g., bounds on modulation rate or peak auxiliary power) that must be satisfied by scenario synthesis and real-time controllers.
II.E. Evidence-driven gaps to be flagged explicitly
Because certificates are only as credible as their declared model families and uncertainty sets, we explicitly record gaps that must be externally validated before operational use:
\begin{enumerate}
\item \textbf{Device-specific surrogate validation.} Any closure term (transport, radiation proxy, divertor proxy, startup barrier model) must be validated against experimental data for the target device/configuration class; absent such validation, the present framework can still compute certificates, but those certificates refer only to the declared surrogate.
\item \textbf{Dependence on diagnostic datasets.} Uncertainty bounds for estimator error, drift, and dropout must be justified (e.g., by replay tests and residual monitoring). If the declared bounds are violated in operation, downstream certificates must trigger conservative fallback (tightened envelopes, reduced actuation, or phase abort).
\end{enumerate}
The remainder of the paper uses Section II as a contract: every scenario feasibility claim, diagnostics co-design statement, and closed-loop safety guarantee is explicitly conditioned on a declared \(\mathfrak{M}\), declared bounds \((\Theta,\mathcal{W},\mathcal{V},\mathcal{B})\), and the auditability requirements above.
III. Scenario Synthesis (Offline Planning) with Feasibility Certificates
This section formalizes an offline scenario generator as a constrained optimal control problem, and then provides a “scenario existence” certificate using backward reachability on an explicitly declared bounded-error discrete-time model. The resulting artifacts are (i) a nominal scenario \(\{z_k^\star,u_{\mathrm{cmd},k}^\star\}_{k=0}^{N-1}\) and (ii) a go/no-go feasibility certificate that either proves robust reachability of a target set without constraint violation, or returns a falsifiable failure message.
III.A. Scenario generator as constrained optimal control
We represent a steady-state campaign episode (startup \(\to\) ramp \(\to\) burn \(\to\) shutdown) by a finite horizon \(k=0,1,\dots,N\) with sampling period \(\Delta t\). Let \(z_k\in\mathbb{R}^{n_z}\) denote the augmented state (e.g., plasma + actuator states) and let \(u_{\mathrm{cmd},k}\in\mathbb{R}^{n_u}\) denote commanded actuator inputs.
\paragraph{Phase logic and mode-conditional constraints.} To encode phase-dependent constraints (e.g., different admissible regions during startup vs. burn), we introduce a mode label \(\sigma_k\in\{\text{startup},\text{ramp},\text{burn},\text{shutdown}\}\) and allow the safe set to vary with \(k\) (or \(\sigma_k\)):
\[
\mathcal{Z}_{\mathrm{safe},k} := \{z: H_k z \le b_k\}.
\]
The mode logic may be enforced either by a fixed schedule \(\sigma_k\) (declared as part of the scenario) or by additional integer variables in the planner. Because integer planning substantially complicates certification, this paper treats the integer/logic layer as an “offline design choice”: certificates in Section III.C certify feasibility only for the resulting declared sequence \(\{A_k,B_k,c_k,\mathcal{W}_k,\mathcal{Z}_{\mathrm{safe},k}\}\).
\paragraph{Objective.} A representative objective for producing a nominal scenario is
\[
\min_{\{u_{\mathrm{cmd},k}\}} \sum_{k=0}^{N-1}\Big( \ell_{\mathrm{grid}}(u_{\mathrm{cmd},k}) + \lambda_{\mathrm{ramp}}\,\|u_{\mathrm{cmd},k}-u_{\mathrm{cmd},k-1}\|_2^2 + \lambda_{\mathrm{marg}}\,\Psi_k(z_k)\Big),
\]
where \(\ell_{\mathrm{grid}}\) is a declared wall-plug proxy cost, and \(\Psi_k\) is a margin penalty (e.g., a convex barrier/soft constraint) used to steer solutions away from constraint boundaries.
\paragraph{Planner output and what is (not) certified.} The optimizer output is a candidate nominal plan \(\{z_k^\star,u_{\mathrm{cmd},k}^\star\}\). By itself, this plan is not a safety guarantee. The certification step below uses only the declared bounded-error model and sets to prove a robust existence statement: whether there exists an admissible policy that reaches a target set while remaining in all safe sets.
III.B. Robust discrete-time scenario model used for certification
For certification we adopt the bounded-error affine model (Section II.C)
\[
z_{k+1} = A_k z_k + B_k u_{\mathrm{cmd},k} + c_k + w_k, \qquad w_k\in\mathcal{W}_k,
\]
with commanded inputs constrained by
\[
u_{\mathrm{cmd},k}\in\mathcal{U}_{\mathrm{cmd},k}:=\{u: G_k u \le g_k\}.
\]
The sets \(\mathcal{W}_k\) and \(\mathcal{U}_{\mathrm{cmd},k}\) are declared and must be unit-consistent with \(z\).
\paragraph{Target set (burn set) and start set.} We represent desired attainment of the “burn control region” (or more generally, a terminal region with acceptable steady operation) by a convex terminal set
\[
\mathcal{Z}_{\mathrm{burn}} := \{ z: H_f z \le b_f \} \subseteq \mathcal{Z}_{\mathrm{safe},N}.
\]
The admissible initial conditions are a convex set
\[
\mathcal{Z}_{\mathrm{start}} := \{ z: H_0 z \le b_0^{\mathrm{start}}\} \subseteq \mathcal{Z}_{\mathrm{safe},0}.
\]
These may incorporate uncertainty in initial state reconstruction by enlarging \(\mathcal{Z}_{\mathrm{start}}\) (or by enlarging \(\mathcal{W}_k\) through estimator-error coupling, Section III.C.3).
\paragraph{Polytopic structure for auditable set operations.} To keep reachability computations auditable and reproducible, we emphasize polyhedral sets (polytopes) for \(\mathcal{Z}_{\mathrm{safe},k}\), \(\mathcal{Z}_{\mathrm{burn}}\), \(\mathcal{U}_{\mathrm{cmd},k}\), and \(\mathcal{W}_k\). Ellipsoidal sets can be supported by conservative polyhedral outer approximations when needed.
III.C. Certified backward reachability for scenario existence
We now state a robust reachability certificate for scenario existence. The result is standard in robust control and viability theory, but we record it here with explicit operators so that the certificate object can be audited.
III.C.1. Backward reachable set recursion and inclusion test
\paragraph{Robust predecessor operator.} For a target set \(\mathcal{S}\subset\mathbb{R}^{n_z}\), define the one-step robust predecessor at time \(k\) as
\[
\mathrm{Pre}_k(\mathcal{S}) := \Big\{ z\in\mathbb{R}^{n_z} : \exists u\in\mathcal{U}_{\mathrm{cmd},k} \ \text{s.t.}\ A_k z + B_k u + c_k + \mathcal{W}_k \subseteq \mathcal{S}\Big\}.
\]
Equivalently, using the Pontryagin difference \(\mathcal{S}\ominus\mathcal{W}_k:=\{y: y+\mathcal{W}_k\subseteq\mathcal{S}\}\),
\[
\mathrm{Pre}_k(\mathcal{S}) = \Big\{ z: \exists u\in\mathcal{U}_{\mathrm{cmd},k}\ \text{s.t.}\ A_k z + B_k u + c_k \in \mathcal{S}\ominus\mathcal{W}_k\Big\}.
\]
When \(\mathcal{S}\), \(\mathcal{W}_k\), and \(\mathcal{U}_{\mathrm{cmd},k}\) are polytopes, membership in \(\mathrm{Pre}_k(\mathcal{S})\) can be checked by linear programming (feasibility of linear inequalities) after computing \(\mathcal{S}\ominus\mathcal{W}_k\) exactly or computing a declared conservative \emph{inner approximation} \(\widehat{\mathcal{S}\ominus\mathcal{W}_k}\subseteq\mathcal{S}\ominus\mathcal{W}_k\). (In contrast, an \emph{outer} approximation of \(\mathcal{S}\ominus\mathcal{W}_k\) generally breaks soundness of the robust inclusion \(A_k z + B_k u + c_k + \mathcal{W}_k\subseteq \mathcal{S}\) unless accompanied by an additional proof.)
\paragraph{Backward recursion.} Define reachable sets backward from the terminal set:
\[
\mathcal{R}_0 := \mathcal{Z}_{\mathrm{burn}},
\]
and for \(i=0,1,\dots,N-1\),
\[
\mathcal{R}_{i+1} := \mathcal{Z}_{\mathrm{safe},N-1-i} \cap \mathrm{Pre}_{N-1-i}(\mathcal{R}_i).
\]
Thus \(\mathcal{R}_i\) is the set of states at time \(N-i\) from which one can robustly reach \(\mathcal{Z}_{\mathrm{burn}}\) in \(i\) steps while staying in all intermediate safe sets.
\paragraph{Scenario existence certificate.} The certificate is the finite sequence of polyhedral sets \(\{\mathcal{R}_i\}_{i=0}^N\) together with solver transcripts (LP feasibility certificates and, when used, proofs/records of any conservative \emph{inner} approximations used to compute \(\ominus\) or \(\mathrm{Pre}_k\)).
\paragraph{Theorem 3.1 (Robust scenario existence via backward reachability).} Suppose the system satisfies the declared bounded-error dynamics above, with \(w_k\in\mathcal{W}_k\) for all \(k\), and suppose the backward sets \(\mathcal{R}_i\) are computed exactly or via a declared conservative \emph{inner approximation} \(\widehat{\mathcal{R}}_i\subseteq\mathcal{R}_i\). If
\[
\mathcal{Z}_{\mathrm{start}} \subseteq \mathcal{R}_N,
\]
then for every \(z_0\in\mathcal{Z}_{\mathrm{start}}\) there exists a (possibly set-valued) control policy \(u_{\mathrm{cmd},k}=\pi_k(z_k)\in\mathcal{U}_{\mathrm{cmd},k}\) such that the resulting trajectory satisfies
\[
z_k\in\mathcal{Z}_{\mathrm{safe},k}\ \text{for all }k=0,\dots,N, \qquad z_N\in\mathcal{Z}_{\mathrm{burn}},
\]
for all disturbance sequences \(w_k\in\mathcal{W}_k\).
\emph{Proof sketch.} By construction, if \(z\in\mathcal{R}_{i+1}\), then \(z\in\mathcal{Z}_{\mathrm{safe},N-1-i}\) and there exists a control \(u\in\mathcal{U}_{\mathrm{cmd},N-1-i}\) such that \(A_{N-1-i}z+B_{N-1-i}u+c_{N-1-i}\in\mathcal{R}_i\ominus\mathcal{W}_{N-1-i}\). Therefore for any \(w\in\mathcal{W}_{N-1-i}\), the successor \(z^+\) lies in \(\mathcal{R}_i\). Induction on \(i\) gives robust membership in all safe sets and eventual membership in \(\mathcal{R}_0=\mathcal{Z}_{\mathrm{burn}}\). \(\square\)
\paragraph{Extracting a feedback policy (optional).} If a constructive policy is required, one may store, for each \(k\) and each queried \(z\), an optimizer \(u\) from the definition of \(\mathrm{Pre}_k\). This yields a piecewise-affine (in general) set-valued policy implementable as an online LP/QP. Importantly, the certificate in Theorem 3.1 is an existence statement; real-time implementation is addressed in Section V through MPC/CBF constructions.
III.C.2. Go/no-go conditions and design implications
\paragraph{Empty reachable set.} If at some recursion step \(\mathcal{R}_{i+1}=\varnothing\), then no policy exists (under the declared model and bounds) to robustly reach \(\mathcal{Z}_{\mathrm{burn}}\) from \(\mathcal{Z}_{\mathrm{safe},N-i-1}\) in \(i+1\) steps. Under the auditability contract, this must produce an explicit failure message, for example:
\begin{itemize}
\item \emph{Ramp too aggressive:} increase horizon \(N\) (slower trajectory) or tighten the nominal plan to remain farther from constraints.
\item \emph{Insufficient actuator authority:} enlarge \(\mathcal{U}_{\mathrm{cmd},k}\) (installed power/headroom) or reduce actuator lag (Section II.C).
\item \emph{Uncertainty too large:} reduce \(\mathcal{W}_k\) only by providing external evidence (improved diagnostics/estimation, better closure validation) consistent with Section II.A–II.B.
\end{itemize}
\paragraph{Inclusion failure.} If \(\mathcal{Z}_{\mathrm{start}}\nsubseteq\mathcal{R}_N\) but \(\mathcal{R}_N\neq\varnothing\), the certificate indicates that feasibility depends on the realized initial condition. This is still operationally useful: it yields a pre-shot gate \(z_0\in\mathcal{R}_N\) that can be checked using the startup estimator. Failure of this check is a go/no-go signal.
III.C.3. Diagnostic-impact coupling: inflate disturbance bounds using estimator performance
A central co-design lever is that tighter state/parameter knowledge reduces the robust disturbance envelopes required for safe planning.
\paragraph{Estimator-error-to-disturbance inflation rule.} Let the true augmented state satisfy \(z_k = \hat z_k + e_k\), where \(\hat z_k\) is the estimator output and \(e_k\in\mathcal{E}_k\) is a bounded estimation error set (produced by a set-membership estimator or an externally justified bound). If the planner/controller uses \(\hat z_k\) in place of \(z_k\), then the effective uncertainty entering the closed-loop predicted update includes both the physical disturbance and the effect of state error. For the affine model,
\[
\hat z_{k+1} = A_k \hat z_k + B_k u_{\mathrm{cmd},k} + c_k + \underbrace{(w_k + A_k e_k - e_{k+1})}_{:=\tilde w_k}.
\]
A conservative bound is
\[
\tilde w_k \in \widetilde{\mathcal{W}}_k := \mathcal{W}_k \oplus (A_k\mathcal{E}_k) \oplus (-\mathcal{E}_{k+1}),
\]
where \(\oplus\) denotes Minkowski sum. Using \(\widetilde{\mathcal{W}}_k\) in place of \(\mathcal{W}_k\) produces a certificate that is robust to both model mismatch and declared estimation error.
\paragraph{Falsifying diagnostic sufficiency by reachability failure.} Given a candidate diagnostic suite and estimator design, Sections IV–V produce declared bounds \(\mathcal{E}_k\). If the resulting inflated sets \(\widetilde{\mathcal{W}}_k\) cause the backward reachable recursion to become empty (or to exclude \(\mathcal{Z}_{\mathrm{start}}\)), the diagnostic suite is “insufficient for the declared scenario” in the precise sense of Theorem 3.1. The correct output is a design recommendation: improve diagnostics to shrink \(\mathcal{E}_k\), slow the scenario (increase \(N\)), or increase actuator authority/latency performance.
\paragraph{Remark (conservatism and auditability).} The inflation \(\mathcal{W}_k\mapsto\widetilde{\mathcal{W}}_k\) is intentionally one-sided and may be conservative. This conservatism is acceptable only because it is explicit and falsifiable: it can be tightened when \(\mathcal{E}_k\) is externally validated to be smaller, or when improved estimators reduce \(\mathcal{E}_k\) under sensor-failure assumptions.
IV. Diagnostics Co-Design: Identifiability, Minimal Sets, and Robust Estimation
This section defines (i) a diagnostics-to-estimation interface that produces auditable bounded error sets \(\mathcal{E}_k\) and (ii) co-design criteria for selecting a minimal diagnostic subset that is sufficient for certified feasibility and safe closed-loop enforcement. Throughout, the goal is not to maximize “best-effort” estimation accuracy, but to obtain
\emph{falsifiable} guarantees of the form \(x_k\in\widehat{\mathcal{X}}_k\) or \(e_k\in\mathcal{E}_k\), which can be mechanically propagated into reachability and robust control via Section III.C.3.
IV.A. Measurement models and candidate diagnostic channels
We represent the available diagnostic suite by an index set \(\mathcal{J}=\{1,\dots,n_y\}\). A chosen subset \(S\subseteq\mathcal{J}\) provides, at discrete time \(k\), measurements
\[
y_{j,k} = h_{j,k}(x_k,\theta_k) + v_{j,k} + b_{j,k}, \qquad j\in S,
\]
with bounded noise and bias
\[
v_{j,k}\in\mathcal{V}_{j,k},\qquad b_{j,k}\in\mathcal{B}_{j,k}.
\]
Channel availability is \(\delta_{j,k}\in\{0,1\}\). When \(\delta_{j,k}=0\), the measurement is treated as absent and the estimator must return an inflated error set consistent with the reduced information.
\paragraph{Control-relevant inferred quantities.} Later constraints and controllers may depend on quantities not directly in \(x\), but inferred from \((x,\theta)\). Typical examples (treated abstractly here) include: radiated fraction proxy \(f_{\mathrm{rad}}\), impurity proxies (e.g., \(Z_{\mathrm{eff}}\) surrogates), helium ash fraction proxy \(f_{\mathrm{He}}\), stored energy proxy \(W\), and edge/divertor proxy \(\xi\). The certification interface requires that each inferred quantity used in an operational constraint be accompanied by a \emph{one-sided bound} computable from the diagnostics and declared uncertainty sets.
IV.B. Minimal diagnostics selection tied to identifiability and feasibility
We formalize diagnostics selection as choosing a subset \(S\subseteq\mathcal{J}\) that makes the overall scenario \emph{certifiably feasible} under the induced estimation error bounds \(\mathcal{E}_k(S)\).
\paragraph{Estimator-to-planner coupling recap.} Given \(\mathcal{E}_k\), the planner/control layer must conservatively inflate the disturbance sets as in Section III.C.3:
\[
\widetilde{\mathcal{W}}_k(S) := \mathcal{W}_k \oplus (A_k\mathcal{E}_k(S)) \oplus (-\mathcal{E}_{k+1}(S)).
\]
The backward reachable recursion in Section III.C.1 therefore depends on \(S\) through \(\widetilde{\mathcal{W}}_k(S)\).
\paragraph{Monotonicity requirement (diagnostics add information).} A diagnostics/estimator design is said to be \emph{monotone} if
\[
S_1\subseteq S_2 \quad\Longrightarrow\quad \mathcal{E}_k(S_2)\subseteq \mathcal{E}_k(S_1)\ \text{for all }k.
\]
This expresses the intended semantics “more usable sensors \(\Rightarrow\) no worse certified error bounds.” For set-membership estimators built from intersecting measurement-consistency sets (Section IV.D.2), monotonicity holds under mild regularity (additional constraints can only shrink the feasible set).
\paragraph{Lemma 4.1 (Reachability monotonicity under error-set shrinkage).} Fix declared \((A_k,B_k,c_k,\mathcal{W}_k,\mathcal{Z}_{\mathrm{safe},k},\mathcal{Z}_{\mathrm{burn}})\). Suppose two diagnostic choices \(S_1\subseteq S_2\) produce monotone error bounds \(\mathcal{E}_k(S_2)\subseteq\mathcal{E}_k(S_1)\) for all \(k\). Then
\[
\widetilde{\mathcal{W}}_k(S_2)\subseteq \widetilde{\mathcal{W}}_k(S_1)\quad\Rightarrow\quad \mathcal{R}^{(S_1)}_i\subseteq \mathcal{R}^{(S_2)}_i\ \text{for all } i=0,\dots,N,
\]
where \(\mathcal{R}^{(S)}_i\) denotes the backward-reachable sets computed with \(\widetilde{\mathcal{W}}_k(S)\).
\emph{Proof.} The inclusion \(\mathcal{E}_k(S_2)\subseteq\mathcal{E}_k(S_1)\) implies \(A_k\mathcal{E}_k(S_2)\subseteq A_k\mathcal{E}_k(S_1)\) and \(-\mathcal{E}_{k+1}(S_2)\subseteq -\mathcal{E}_{k+1}(S_1)\), hence Minkowski-sum monotonicity gives \(\widetilde{\mathcal{W}}_k(S_2)\subseteq\widetilde{\mathcal{W}}_k(S_1)\). For any convex \(\mathcal{S}\), if \(\mathcal{W}'\subseteq\mathcal{W}\), then \(\mathcal{S}\ominus\mathcal{W}\subseteq \mathcal{S}\ominus\mathcal{W}'\), so the predecessor operator enlarges when the disturbance shrinks. Backward recursion then yields \(\mathcal{R}^{(S_1)}_i\subseteq\mathcal{R}^{(S_2)}_i\) by induction. \(\square\)
\paragraph{Minimality as a feasibility problem.} A minimal diagnostics set can be defined as any solution of
\[
\min_{S\subseteq\mathcal{J}} \; \mathrm{cost}(S)
\quad\text{s.t.}\quad
\mathcal{Z}_{\mathrm{start}}\subseteq \mathcal{R}^{(S)}_N,
\]
where \(\mathrm{cost}(S)\) captures engineering constraints (ports, complexity, availability requirements) and \(\mathcal{R}^{(S)}_N\) is computed from the planner model and the induced \(\widetilde{\mathcal{W}}_k(S)\). By Lemma 4.1, any monotone estimator makes this optimization well-posed in the sense that adding sensors cannot destroy reachability except through explicitly declared coupling (e.g., if additional sensors impose additional operational constraints such as duty-cycle limits).
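The backward recursion and certificate of Theorem 3.1, the go/no-go messages of Section III.C.2, the inflation rule of Section III.C.3 and the minimal-diagnostics search above, worked on a constructed scalar interval surrogate as an added example (not the paper's own code; the model constants, channel costs and information weights are assumptions):

```python
"""Interval (1-D) instance of the Theorem 3.1 certificate, the go/no-go
messages of Section III.C.2, the inflation rule of Section III.C.3 and the
minimal-diagnostics search of Section IV.B.  Added illustration, not the
paper's code: constructed scalar surrogate z+ = a z + b u + c + w with
interval sets (lo, hi), so Minkowski sum, Pontryagin difference and Pre_k
are closed-form and need no LP solver.  EMPTY stands for the empty set."""
from itertools import combinations

EMPTY = None

def msum(s, t):  # Minkowski sum S (+) T
    if s is EMPTY or t is EMPTY:
        return EMPTY
    return (s[0] + t[0], s[1] + t[1])

def pdiff(s, w):  # Pontryagin difference S (-) W, empty if W is too wide
    if s is EMPTY:
        return EMPTY
    lo, hi = s[0] - w[0], s[1] - w[1]
    return (lo, hi) if lo <= hi else EMPTY

def scale(a, s):  # a*S for a scalar a (handles a < 0)
    if s is EMPTY:
        return EMPTY
    return (min(a * s[0], a * s[1]), max(a * s[0], a * s[1]))

def intersect(s, t):
    if s is EMPTY or t is EMPTY:
        return EMPTY
    lo, hi = max(s[0], t[0]), min(s[1], t[1])
    return (lo, hi) if lo <= hi else EMPTY

def contains(outer, inner):
    return (outer is not EMPTY and inner is not EMPTY
            and outer[0] <= inner[0] and inner[1] <= outer[1])

def pre(target, safe, a, b, c, u_set, w_set):
    """Pre_k(target) = {z in Z_safe : some u in U puts a z + b u + c in target (-) W}."""
    shrunk = pdiff(target, w_set)
    if shrunk is EMPTY:
        return EMPTY
    az = msum(shrunk, scale(-b, u_set))  # set that a z + c must land in
    az = (az[0] - c, az[1] - c)
    return intersect(safe, scale(1.0 / a, az))  # a != 0 is declared

def inflate(w_set, a, e_now, e_next):
    """W~_k := W_k (+) (a E_k) (+) (-E_{k+1}), Section III.C.3."""
    return msum(msum(w_set, scale(a, e_now)), scale(-1.0, e_next))

def certificate(start, burn, safe, model, u_sets, w_sets):
    """Backward recursion R_0 = Z_burn, R_{i+1} = Pre_{N-1-i}(R_i); returns
    (status, message, R_N) with the failure semantics of Section III.C.2."""
    a, b, c = model
    n = len(safe)
    r = burn
    for i in range(n):
        k = n - 1 - i
        r = pre(r, safe[k], a, b, c, u_sets[k], w_sets[k])
        if r is EMPTY:
            return ("no-go", f"empty reachable set R_{i + 1} at k={k}: "
                    "increase N, enlarge U_cmd, or shrink W with evidence", EMPTY)
    if contains(r, start):
        return ("go", f"Z_start is contained in R_N={r}", r)
    return ("gate", f"inclusion failure: pre-shot gate is z0 in R_N={r}", r)

def minimal_diagnostics(channels, error_bound, base_w, scenario):
    """Cheapest S with a 'go' certificate (Section IV.B) under a monotone
    bound E_k(S) = [-error_bound(S), +error_bound(S)] used for every k."""
    start, burn, safe, model, u_sets = scenario
    best = None
    for size in range(len(channels) + 1):
        for sub in combinations(sorted(channels), size):
            cost = sum(channels[j] for j in sub)
            if best is not None and cost >= best[1]:
                continue  # cannot beat the incumbent
            e = (-error_bound(sub), error_bound(sub))
            w_sets = [inflate(base_w, model[0], e, e) for _ in safe]
            if certificate(start, burn, safe, model, u_sets, w_sets)[0] == "go":
                best = (sub, cost)
    return best

# Constructed scenario: a=1, b=0.5, c=0, |w|<=0.05, u in [-1,1], safe band
# [0,10], burn window [8,9], start set [0.5,1.0], N=25 steps.
N = 25
MODEL = (1.0, 0.5, 0.0)
BASE_W = (-0.05, 0.05)
SCENARIO = ((0.5, 1.0), (8.0, 9.0), [(0.0, 10.0)] * N, MODEL, [(-1.0, 1.0)] * N)
COST = {1: 4.0, 2: 2.0, 3: 1.0}  # constructed per-channel costs
INFO = {1: 4.0, 2: 1.5, 3: 2.0}  # constructed information weights

def error_bound(sub):
    """Constructed monotone estimator bound: more channels, smaller E_k."""
    return 0.3 / (1.0 + sum(INFO[j] for j in sub))
```

With the constructed numbers the cheapest certifiable suite is channels {2, 3} (cost 3), although channel 1 alone also certifies at higher cost; inflating the error set to [-0.3, 0.3] empties the very first predecessor set and returns the no-go message.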
IV.C. Structural observability and experiment-design certificate
This subsection records standard observability and excitation conditions that justify the existence of informative estimation error bounds \(\mathcal{E}_k\). Because full plasma dynamics are not assumed, we present these as conditions on the \emph{declared} reduced-order model.
IV.C.1. Nonlinear observability via Lie-derivative rank conditions
Consider continuous-time control-affine dynamics (Section II.C)
\[
\dot x = f(x,\theta) + \sum_{i=1}^{n_u} g_i(x,\theta)u_i,
\]
with outputs \(y_j = h_j(x,\theta)\) (suppressing noise for the structural discussion). Fix \(\theta\) and a nominal input \(u(\cdot)\). Local weak observability at \(x_0\) can be assessed by the rank of the observability map built from Lie derivatives of the outputs along the vector fields \(f\) and \(g_i\). Concretely, define the set of scalar functions obtained by repeated Lie differentiation
\[
\mathcal{H} := \{ h_j,\ L_f h_j,\ L_{g_i} h_j,\ L_f^2 h_j,\ L_f L_{g_i} h_j,\dots \},
\]
and form the Jacobian \(\nabla_x \phi(x_0)\) where \(\phi\) stacks a finite subset of \(\mathcal{H}\) sufficient to test rank. A structural certificate is:
\paragraph{Condition (O).} There exists a finite selection \(\phi\) from \(\mathcal{H}\) such that \(\mathrm{rank}(\nabla_x \phi(x_0)) = n_x\).
Condition (O) is purely symbolic/model-based; it does not by itself provide a numeric error bound \(\mathcal{E}_k\). Its use here is to exclude cases where no estimator can recover the variables needed for constraint enforcement, regardless of noise levels.
IV.C.2. Persistence-of-excitation and an embedded identification segment
Many reduced stellarator surrogates contain uncertain closure parameters (e.g., confinement or radiation-gain coefficients) that must be bounded or estimated to produce meaningful \(\Theta_k\) and \(\mathcal{W}_k\). We therefore allow an \emph{embedded identification segment} within startup/ramp where the planned actuation includes deliberate excitation.
A generic discrete-time regression form (after linearization or incremental modeling) is
\[
\Delta y_k \approx \Phi_k \vartheta + \epsilon_k,
\]
with regressor \(\Phi_k\) depending on inputs and measured states and \(\vartheta\) collecting unknown parameters. A standard auditable excitation condition is the lower bound
\[
\sum_{k=k_0}^{k_0+M-1} \Phi_k^T\Phi_k \succeq \gamma I,
\]
for declared \(M\) and \(\gamma>0\). In later certificates, \(\gamma\) is treated as a \emph{measured quantity} computed from the realized signals \(\Phi_k\), not a priori assumed.
\paragraph{Falsifiable ID acceptance criterion.} Given declared noise bounds and a fitted parameter estimate \(\hat\vartheta\), acceptance is contingent on producing a confidence/bounding set \(\widehat\Theta\) such that:
\begin{enumerate}
\item (consistency) the residuals satisfy a declared bound test (Section IV.D.3), and
\item (informativeness) the excitation metric satisfies \(\lambda_{\min}(\sum \Phi_k^T\Phi_k)\ge\gamma_{\min}\).
\end{enumerate}
If either fails, the correct output is an “ID-inconclusive” flag, which forces \(\Theta_k\) and/or \(\mathcal{W}_k\) to remain inflated.
IV.D. Robust estimator synthesis under sensor failure modes
This subsection specifies estimator templates whose outputs are compatible with the certification interfaces of Sections III and V: namely, bounded error sets \(\mathcal{E}_k\) and explicit failure semantics under dropout and drift.
IV.D.1. Covariance estimators (EKF/UKF) as performance predictors (non-certifying)
An EKF/UKF provides a point estimate \(\hat x_k\) and a covariance \(P_k\). These are useful for diagnostics design and for \emph{predicting} estimation quality, but they are not, by themselves, one-sided worst-case certificates without additional assumptions linking distributions to bounds. In this paper, EKF/UKF outputs may only be used to propose candidate deterministic bounds \(\mathcal{E}_k\), which must then be externally justified or replaced by set-membership bounds.
IV.D.2. Set-membership estimation and auditable error sets
Assume the estimator uses a declared discrete-time model
\[
x_{k+1} = f_k(x_k,u_k,\theta_k) + w_k,
\qquad w_k\in\mathcal{W}^x_k,
\]
and measurement constraints for available sensors \(j\in S\) with \(\delta_{j,k}=1\):
\[
y_{j,k} - h_{j,k}(x_k,\theta_k) \in \mathcal{V}_{j,k}\oplus \mathcal{B}_{j,k}.
\]
Define the \emph{consistent state set} \(\mathcal{X}_k\) recursively by
\[
\mathcal{X}_{k+1} := \Big( f_k(\mathcal{X}_k,u_k,\Theta_k) \oplus \mathcal{W}^x_k \Big) \cap \bigcap_{j\in S:\,\delta_{j,k+1}=1} \mathcal{Y}_{j,k+1},
\]
where \(\mathcal{Y}_{j,k}\) is the preimage set
\[
\mathcal{Y}_{j,k} := \{x: y_{j,k} - h_{j,k}(x,\Theta_k) \in \mathcal{V}_{j,k}\oplus\mathcal{B}_{j,k}\}.
\]
Any implementable version must specify how these sets are represented (e.g., polytopes, zonotopes, ellipsoids) and how outer approximations are performed. The certified estimator output is then
\[
\hat x_k \in \mathcal{X}_k,\qquad \mathcal{E}_k := \mathcal{X}_k \ominus \{\hat x_k\}.
\]
\paragraph{Failure semantics.} If the intersection becomes empty (\(\mathcal{X}_{k}=\varnothing\)), the only auditable conclusion is that at least one declared bound/model is inconsistent with the data. The system must then trigger a safe fallback: inflate \(\mathcal{W}^x_k\), inflate \(\mathcal{B}_{j,k}\), or declare a scenario abort.
IV.D.3. Residual-based monitoring for drift/bias and automatic bound inflation
To detect drift/bias beyond declared bounds, define for each available channel a residual
\[
r_{j,k} := y_{j,k} - h_{j,k}(\hat x_k,\hat\theta_k).
\]
For certification we avoid distributional tests and instead use a bounded-consistency test: declare an admissible residual set \(\mathcal{R}_{j,k}\) implied by \(\mathcal{V}_{j,k}\), \(\mathcal{B}_{j,k}\), and the current error set \(\mathcal{E}_k\). A simple sufficient condition is
\[
r_{j,k}\in \mathcal{V}_{j,k}\oplus\mathcal{B}_{j,k}\oplus \{ \nabla_x h_{j,k}(\hat x_k,\hat\theta_k)e: e\in\mathcal{E}_k\},
\]
with the last term replaced by a conservative bound if \(h\) is nonlinear.
\paragraph{Automatic inflation rule.} If the residual test fails for a declared duration window, replace \(\mathcal{B}_{j,k}\) by an inflated set \(\mathcal{B}'_{j,k}\supseteq\mathcal{B}_{j,k}\) (or drop the sensor by forcing \(\delta_{j,k}=0\)) and recompute \(\mathcal{E}_k\). This is the formal mechanism by which diagnostics failures propagate to larger \(\mathcal{E}_k\), hence larger \(\widetilde{\mathcal{W}}_k\), hence potentially infeasible planning/control certificates.
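The set-membership recursion of IV.D.2 together with the residual test and automatic inflation rule of IV.D.3, as an added scalar interval example (not the paper's code; the plant, the channel bounds, the declared window/inflation constants and the drifting measurement sequence are constructed):

```python
"""Interval set-membership estimator (Section IV.D.2) with the residual
consistency test and automatic bound inflation of Section IV.D.3.  Added
illustration, not the paper's code: constructed scalar model
x+ = a x + u + w with |w| <= wbar (a > 0), channels y_j = h_j x + v_j + b_j
with |v_j| <= vbar_j, |b_j| <= bbar_j, and per-step dropout (a channel
absent from the measurement dict has delta_j = 0)."""

class Channel:
    def __init__(self, h, vbar, bbar):
        self.h, self.vbar, self.bbar = h, vbar, bbar
        self.fails = 0         # consecutive residual-test failures
        self.dropped = False   # forced delta_j = 0 after repeated failure

class SetMembershipEstimator:
    WINDOW = 2        # declared failure window before inflation
    INFLATE = 4.0     # declared inflation factor for B_j
    MAX_BBAR = 0.5    # beyond this the channel is dropped instead

    def __init__(self, a, wbar, x_set, channels):
        self.a, self.wbar, self.x_set, self.ch = a, wbar, x_set, channels

    def preimage(self, j, y):
        """Y_j = {x : y - h_j x in V_j (+) B_j}, for scalar h_j > 0."""
        c = self.ch[j]
        r = c.vbar + c.bbar
        return ((y - r) / c.h, (y + r) / c.h)

    def residual_ok(self, j, y, prior):
        """Bounded-consistency test r_j in V (+) B (+) {h e : e in E}, with
        E taken from the predicted set before the measurement update."""
        c = self.ch[j]
        xhat = 0.5 * (prior[0] + prior[1])
        ebar = 0.5 * (prior[1] - prior[0])
        return abs(y - c.h * xhat) <= c.vbar + c.bbar + abs(c.h) * ebar

    def step(self, u, meas):
        """One update X_k -> X_{k+1}; meas maps j -> y_j for channels with
        delta_j = 1.  Returns (xhat, E, status), status in {OK, inconsistent}."""
        lo, hi = self.x_set
        prior = (self.a * lo + u - self.wbar, self.a * hi + u + self.wbar)
        post = prior
        for j, y in meas.items():
            c = self.ch[j]
            if c.dropped:
                continue
            if not self.residual_ok(j, y, prior):
                c.fails += 1
                if c.fails >= self.WINDOW:  # automatic inflation rule
                    c.fails = 0
                    c.bbar *= self.INFLATE
                    if c.bbar > self.MAX_BBAR:
                        c.dropped = True
                continue  # channel excluded from this update
            c.fails = 0
            yj = self.preimage(j, y)
            post = (max(post[0], yj[0]), min(post[1], yj[1]))
        if post[0] > post[1]:
            # empty intersection: some declared bound or the model is
            # inconsistent with the data; the fallback keeps the model-only
            # prediction (sensor information discarded) and flags it
            self.x_set, status = prior, "inconsistent"
        else:
            self.x_set, status = post, "OK"
        xhat = 0.5 * (self.x_set[0] + self.x_set[1])
        err = (self.x_set[0] - xhat, self.x_set[1] - xhat)  # E_k = X_k (-) {xhat}
        return xhat, err, status

# Constructed run: true state x_k = 1.0 + 0.1 k (u = 0.1, w = 0); channel 2
# develops a +1.0 offset (far beyond its declared bias) from step 2 on.
TRUE_X = [1.0 + 0.1 * k for k in range(1, 7)]
MEAS = [{1: x, 2: 2.0 * x + (1.0 if k >= 2 else 0.0)} for k, x in enumerate(TRUE_X)]

def run_demo():
    """Returns (statuses, final xhat, final E, channel-2 dropped flag)."""
    est = SetMembershipEstimator(a=1.0, wbar=0.02, x_set=(0.0, 2.0),
                                 channels={1: Channel(1.0, 0.05, 0.05),
                                           2: Channel(2.0, 0.1, 0.1)})
    statuses = []
    for meas in MEAS:
        xhat, err, status = est.step(0.1, meas)
        statuses.append(status)
    return statuses, xhat, err, est.ch[2].dropped
```

In the constructed run the drifting channel is first inflated (bias bound 0.1 to 0.4) and then dropped once a second window fails, while the healthy channel keeps the error set at [-0.1, 0.1]; two mutually inconsistent channels instead return the inconsistent flag.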
IV.E. Certified radiation-fraction estimation under 3D geometry
This subsection records a generic one-sided bounding template for the radiated fraction proxy \(f_{\mathrm{rad}}\) using line-integrated diagnostics (e.g., bolometry), with explicit handling of nonnegativity and sensor failures. The intent is to produce a conservative bound \(f_{\mathrm{rad}}^{\mathrm{hi}}\) that can be inserted into a safety inequality.
IV.E.1. Nonnegative emissivity reconstruction as a bounding problem
Let \(\varepsilon(p)\ge 0\) denote a nonnegative emissivity field over a declared domain \(\Omega\) (a geometric model class, not asserted to match the true device). For each chord \(j\), model the measurement as
\[
y_{j} = \int_{\mathcal{L}_j} \varepsilon(p)\,d\ell + v_j + b_j,
\qquad v_j\in[\underline v_j,\overline v_j],\ b_j\in[\underline b_j,\overline b_j].
\]
Discretize \(\Omega\) into \(n_c\) cells with nonnegative emissivities \(e\in\mathbb{R}^{n_c}_{\ge 0}\), and write the linear forward model
\[
y = L e + v + b,
\]
where \(L\in\mathbb{R}^{n_y\times n_c}_{\ge 0}\) is the chord-length matrix.
IV.E.2. One-sided bound propagation and enforceable constraint
Define per-channel measurement intervals \([\underline y,\overline y]\) from \(y\) and declared \(v,b\) bounds. The set of emissivities consistent with measurements is
\[
\mathcal{E}_{\mathrm{emis}} := \{e\ge 0: \underline y \le L e \le \overline y\}.
\]
Let \(c\ge 0\) be the vector mapping cell emissivities to total radiated power proxy \(P_{\mathrm{rad}}=c^T e\) (cell volumes and geometry factors must be declared). Then an auditable upper bound is obtained by the linear program
\[
P_{\mathrm{rad}}^{\mathrm{hi}} := \max_{e\in\mathcal{E}_{\mathrm{emis}}} c^T e.
\]
If the LP is infeasible, the declared bounds are inconsistent with data; the correct output is “radiation bound unavailable,” which triggers conservative derating actions in the controller.
To compute a radiated fraction bound, define a conservative lower bound on heating power \(P_{\mathrm{heat}}^{\mathrm{lo}}>0\) (from commanded auxiliary power minus declared losses, plus any other declared contributions). Then
\[
f_{\mathrm{rad}}^{\mathrm{hi}} := \frac{P_{\mathrm{rad}}^{\mathrm{hi}}}{\max(P_{\mathrm{heat}}^{\mathrm{lo}},\epsilon)}.
\]
An enforceable safety constraint is
\[
h_{\mathrm{rad}}(x) := f_{\mathrm{rad,max}} - f_{\mathrm{rad}}^{\mathrm{hi}} \ge 0.
\]
Because \(f_{\mathrm{rad}}^{\mathrm{hi}}\) is one-sided, enforcing \(h_{\mathrm{rad}}\ge 0\) ensures \(f_{\mathrm{rad}}\le f_{\mathrm{rad,max}}\) under the declared model and bounds.
IV.E.3. Cross-calibration and failure hooks
The certificate interface requires that the module returns, in addition to \(f_{\mathrm{rad}}^{\mathrm{hi}}\), a health flag:
\begin{itemize}
\item \textbf{OK:} LP feasible and residual/consistency checks pass.
\item \textbf{Inconclusive:} LP infeasible or sensor bounds violated (drift/clipping suspected).
\end{itemize}
In the inconclusive state the downstream control layer must adopt a declared fallback (e.g., impose stricter caps on heating commands or execute a controlled ramp-down), because no radiation safety statement is available.
IV.F. Conformal calibration / distribution-free uncertainty envelopes for closure terms
To connect empirical residuals to declared bounded-error sets without strong distributional assumptions, we permit distribution-free calibration of residual magnitudes using split conformal prediction. The result is not a worst-case guarantee over all possible sequences, but a mathematically explicit finite-sample coverage statement under an exchangeability assumption; whether this assumption is appropriate must be externally assessed.
IV.F.1. Split-conformal residual intervals
Let \(r_i\) denote scalar residuals between a baseline closure prediction and observed data (e.g., closure error for a surrogate term), computed on a calibration set \(\mathcal{D}_{\mathrm{cal}}\) of size \(n\). For a desired miscoverage \(\alpha\in(0,1)\), define the conformal quantile
\[
q_{1-\alpha} := \text{the }\lceil (n+1)(1-\alpha)\rceil\text{-th smallest of }\{|r_i|\}_{i\in\mathcal{D}_{\mathrm{cal}}}.
\]
Then the calibrated interval \([-q_{1-\alpha},q_{1-\alpha}]\) provides a coverage guarantee for a new exchangeable sample residual \(r_{\mathrm{new}}\):
\[
\mathbb{P}(|r_{\mathrm{new}}|\le q_{1-\alpha}) \ge 1-\alpha.
\]
This can be translated into a declared bounded set for a closure mismatch term and thereby into \(\mathcal{W}_k\) or \(\Theta_k\) used in Sections III and V.
IV.F.2. Stratified conformal by configuration class
Because stellarator configurations can differ substantially, pooling residuals across configurations can produce optimistic bounds. We therefore permit a stratification variable \(c\in\mathcal{C}\) (“configuration class”) and compute quantiles \(q_{1-\alpha}(c)\) using only calibration data of the same class. Certification then becomes conditional on a declared classifier that assigns the current discharge to a class \(c\); misclassification must be treated as a failure mode that inflates bounds.
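The split-conformal quantile of IV.F.1, its stratified form and the misclassification fallback described above, as an added example (not the paper's code; the residuals, class labels and the pooled-versus-stratified comparison are constructed):

```python
"""Split-conformal residual quantile of Section IV.F.1, the stratification
by configuration class of Section IV.F.2, and the bound handed to W_k /
Theta_k.  Added illustration, not the paper's code; the residuals and
class labels below are constructed, as is the optimistic-pooling check."""
import math

def conformal_quantile(residuals, alpha):
    """q_{1-alpha} = ceil((n+1)(1-alpha))-th smallest |r_i|.  Returns +inf when
    that rank exceeds n: the calibration set is too small for the requested
    coverage and the bound must be reported as unavailable, not guessed."""
    n = len(residuals)
    rank = math.ceil((n + 1) * (1.0 - alpha))
    if n == 0 or rank > n:
        return math.inf
    return sorted(abs(r) for r in residuals)[rank - 1]

def stratified_quantiles(residuals, classes, alpha):
    """q_{1-alpha}(c) per configuration class c, using only that class's data."""
    by_class = {}
    for r, c in zip(residuals, classes):
        by_class.setdefault(c, []).append(r)
    return {c: conformal_quantile(rs, alpha) for c, rs in by_class.items()}

def closure_bound(q_by_class, assigned_class, classifier_trusted):
    """Declared symmetric bound [-q, q] handed to the planner.  Misclassification
    is a failure mode (IV.F.2): when the classifier is not trusted, the bound
    is inflated to the worst class instead of trusting the assigned class."""
    if not classifier_trusted or assigned_class not in q_by_class:
        return max(q_by_class.values(), default=math.inf)
    return q_by_class[assigned_class]

def pooling_is_optimistic(residuals, classes, alpha, c):
    """True when the pooled quantile would under-cover class c (IV.F.2)."""
    pooled = conformal_quantile(residuals, alpha)
    return pooled < stratified_quantiles(residuals, classes, alpha)[c]

# Constructed calibration set: class A residuals are small, class B larger.
RES_A = [0.01, -0.02, 0.03, -0.04, 0.05, -0.06, 0.07, -0.08, 0.09, -0.10]
RES_B = [0.20, -0.22, 0.24, -0.26, 0.28, -0.30, 0.32, -0.34, 0.36, -0.38]
RESIDUALS = RES_A + RES_B
CLASSES = ["A"] * len(RES_A) + ["B"] * len(RES_B)
```

At miscoverage 0.2 the pooled quantile (0.32) is smaller than the class-B quantile (0.36), which is exactly the optimism the stratification guards against; at miscoverage 0.05 with ten points per class the required rank exceeds n and the bound is reported as unavailable.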
IV.F.3. Online residual updates and bound handoff
At runtime, residual monitoring (Section IV.D.3) can be combined with conformal calibration by recomputing or inflating \(q_{1-\alpha}\) when systematic bound violations are detected. The output is an updated declared uncertainty bound that is handed off to the robust MPC/CBF layers as a tightened constraint or enlarged disturbance envelope.
IV.G. H-infinity-optimal sensor selection and robust estimator certificate
This subsection provides an optional worst-case (energy-gain) performance criterion for choosing sensors and designing a robust estimator around a linearized model. Unlike covariance criteria, this is aligned with worst-case disturbance rejection and can produce auditable LMI certificates.
IV.G.1. Linearized estimator error dynamics
Consider a time-invariant linear approximation (for design) of the form
\[
x_{k+1} = A x_k + B u_k + w_k,
\qquad y_k = C_S x_k + v_k,
\]
where \(C_S\) stacks the rows corresponding to selected sensors \(S\subseteq\mathcal{J}\). Let an observer be
\[
\hat x_{k+1} = A\hat x_k + B u_k + L(y_k - C_S \hat x_k).
\]
The estimation error \(e_k=x_k-\hat x_k\) obeys
\[
e_{k+1} = (A-LC_S)e_k + w_k – L v_k.
\]
A robust \(H_\infty\)-style requirement is to bound the induced gain from \((w,v)\) to \(e\) by a declared \(\gamma\).
IV.G.2. LMI certificate (time-invariant, sufficient)
A standard sufficient condition for an \(H_\infty\) bound is the discrete-time bounded-real lemma applied to the error dynamics above, written as an LMI in a Lyapunov variable \(P\succ 0\) and the gain parameterization \(Y:=PL\) (so that \(L=P^{-1}Y\) is recovered after solving; with this choice \(P(A-LC_S)=PA-YC_S\) and \(P\,[\,I\ \ -L\,]=[\,P\ \ -Y\,]\) are affine in \((P,Y)\)). One auditable template is: find \(P\succ 0\), \(Y\), and \(\gamma>0\) such that
\[
\begin{bmatrix}
P & 0 & 0 & (PA-YC_S)^T & I\\
0 & \gamma I & 0 & P & 0\\
0 & 0 & \gamma I & -Y^T & 0\\
PA-YC_S & P & -Y & P & 0\\
I & 0 & 0 & 0 & \gamma I
\end{bmatrix} \succ 0,
\]
with block rows and columns ordered as the current error \(e_k\), the disturbance \(w_k\), the noise \(v_k\), the successor error \(e_{k+1}\), and the performance output \(e_k\). When feasible, this yields an explicit robust performance certificate “selected sensors \(S\) admit an observer with induced \(\ell_2\) gain from \((w,v)\) to \(e\) at most \(\gamma\)” under the declared linear model. (The specific LMI form is a design choice; any equivalent, correctly derived bounded-real LMI is acceptable provided it is stated and solver-checkable.)
IV.G.3. Geometry constraints, dropout targets, and rounding
Sensor selection is combinatorial. A practical co-design problem is
\[
\min_{S\subseteq\mathcal{J}} \; \mathrm{cost}(S)
\quad\text{s.t.}\quad \exists\,P,Y,\gamma\ \text{with the LMI feasible for }C_S,
\]
with additional constraints encoding port geometry and required redundancy. To address single-sensor dropout, one may impose, for each \(j\in S\), feasibility of the same certificate with \(S\setminus\{j\}\). Relaxations (e.g., continuous selection weights and log-det heuristics) may be used offline, but any relaxation must be treated as a heuristic unless it is accompanied by an explicit rounding-and-verify step that re-checks the LMI on the discrete chosen set.
\paragraph{Interface to Sections III and V.} Whether \(\mathcal{E}_k\) is produced by set-membership estimation (IV.D.2) or by converting an \(H_\infty\) error-energy bound into a deterministic set, the estimator module must output:
\begin{itemize}
\item a state estimate \(\hat z_k\) (including actuator states if needed),
\item a bounded error set \(\mathcal{E}_k\) (polytope/ellipsoid with declared construction),
\item a health/failure flag (OK / inconclusive), and
\item a declared fallback inflation rule when health is inconclusive.
\end{itemize}
These outputs are precisely the objects consumed by the disturbance inflation \(\mathcal{W}_k\mapsto\widetilde{\mathcal{W}}_k\) in Section III.C.3 and by the safety filters in Section V.
V. Real-Time Control Architecture: Safety Filters, Robust MPC, and Hybrid Actuation
This section specifies a real-time control architecture compatible with the certification interfaces established in Sections II–IV. The central requirement is
\emph{one-sided} enforcement: when the controller claims a constraint is satisfied, that claim is provable under the declared model family and declared uncertainty sets. When such a claim cannot be made (e.g., solver infeasibility; diagnostic dropout leading to unbounded error), the controller must emit a falsifiable failure signal and execute a declared safe fallback.
V.A. Two-layer controller structure
We distinguish between (i) a \emph{performance} layer that attempts to track the offline scenario and optimize wall-plug and regulation objectives, and (ii) a \emph{safety} layer that enforces constraints at every real-time step.
\paragraph{Nominal performance controller (economic MPC).} Let \(\hat z_k\) be the estimator output and \(\mathcal{E}_k\) the certified error set (Section IV). The performance controller computes a candidate command \(u_{\mathrm{nom},k}\) by solving a finite-horizon optimization (a receding-horizon version of Section III.A) on the declared model, with constraints possibly tightened to reflect uncertainty:
\[
u_{\mathrm{nom},k} \in \arg\min \sum_{i=0}^{N_p-1} \ell_{k+i}(\hat z_{k+i|k},u_{k+i|k})
\]
subject to the predicted dynamics and tightened constraints (Section V.C). This layer is allowed to fail (infeasible MPC) without immediately violating safety, because safety is delegated to the safety filter.
\paragraph{Safety filter (CBF-QP or robust projection).} Given \(u_{\mathrm{nom},k}\), the safety layer computes a command \(u_{\mathrm{cmd},k}\) that is as close as possible to \(u_{\mathrm{nom},k}\) while guaranteeing constraint satisfaction under declared uncertainty. In discrete time, a convenient safety filter is the solution of a convex program of the form
\[
\min_{u\in\mathcal{U}_{\mathrm{cmd},k}} \ \|u-u_{\mathrm{nom},k}\|_R^2 \quad \text{s.t.}\quad \text{robust one-step safety constraints.}
\]
We will state explicit robust constraints in Sections V.B–V.C.
\paragraph{Failure semantics.} At each time \(k\), the controller returns the tuple
\[
(u_{\mathrm{cmd},k},\ \text{status}_k,\ \text{margin}_k),
\]
where \(\text{status}_k\in\{\text{OK},\text{infeasible},\text{diagnostics-inconclusive}\}\) and \(\text{margin}_k\) is an auditable scalar (e.g., minimum constraint slack in the QP/MPC solution, or a dual bound). If \(\text{status}_k\neq\text{OK}\), a declared safe fallback is executed (e.g., ramp-down of heating, halt pellets, increase pumping, enter shutdown mode), and the scenario is flagged for redesign.
V.B. CLF/CBF synthesis for ramp-to-burn, burn control, and shutdown
This subsection records a safety-filter template based on control barrier functions (CBFs) for control-affine dynamics with bounded disturbances. We emphasize \emph{robust} inequalities because the aim is one-sided guarantees under declared bounds.
V.B.1. Robust CBF condition for continuous-time control-affine dynamics
Consider the declared continuous-time plant (Section II.C), possibly augmented with actuator lag states:
\[
\dot x = f(x,\theta) + g(x,\theta)u + d,\qquad d\in\mathcal{W},\ \theta\in\Theta,
\]
where \(g\) is the input matrix formed from \(g_i\) columns. Let the safe set be defined by a differentiable constraint function \(h:\mathcal{X}\to\mathbb{R}\) with
\[
\mathcal{S}:=\{x: h(x)\ge 0\}.
\]
Let \(\alpha\) be an extended class-\(\mathcal{K}\) function (e.g., \(\alpha(s)=\kappa s\) with \(\kappa>0\)).
\paragraph{Definition 5.1 (Robust CBF inequality).} We say \(h\) admits a \emph{robust CBF condition} on a set \(\mathcal{X}_0\subseteq\mathcal{X}\) if for every \(x\in\mathcal{X}_0\) there exists an input \(u\in\mathcal{U}\) such that
\[
\inf_{\theta\in\Theta}\ \inf_{d\in\mathcal{W}} \ \nabla h(x)^\top\big(f(x,\theta)+g(x,\theta)u + d\big) \ \ge\ -\alpha(h(x)).
\]
This is a one-sided sufficient condition for forward invariance of \(\mathcal{S}\) under the declared uncertainty sets.
\paragraph{Remark (implementable conservative forms).} In practice, the inner infimum is replaced by an explicit conservative bound. For example, if \(\nabla h(x)^\top d\) is bounded below by \(-\|\nabla h(x)\|_*\,\bar d\) for a declared disturbance norm bound \(\|d\|\le \bar d\), then we enforce
\[
\inf_{\theta\in\Theta}\ \nabla h(x)^\top\big(f(x,\theta)+g(x,\theta)u\big) - \|\nabla h(x)\|_*\,\bar d \ge -\alpha(h(x)).
\]
Any such replacement must be stated explicitly to meet the auditability contract.
V.B.2. CBF-QP safety filter with feasibility margins
Given a nominal command \(u_{\mathrm{nom}}\), the safety-filter QP at time \(k\) (continuous-time notation for clarity) is
\[
\begin{aligned}
\min_{u\in\mathcal{U}}\ &\|u-u_{\mathrm{nom}}\|_R^2 + p\,s^2 \\
\text{s.t. }\ &\inf_{\theta\in\Theta}\ \inf_{d\in\mathcal{W}}\ \nabla h(x)^\top\big(f(x,\theta)+g(x,\theta)u+d\big) \ge -\alpha(h(x)) - s,\\
\ & s\ge 0.
\end{aligned}
\]
Here \(s\) is a slack variable with large penalty \(p\gg 1\). The reported certificate object includes the achieved slack \(s^\star\) and the achieved left-minus-right margin; these are auditable go/no-go signals.
\paragraph{Lemma 5.2 (One-sided implication with slack).} If the QP is feasible with optimal slack \(s^\star=0\), then the robust CBF inequality holds at the current state under the declared uncertainty sets. If \(s^\star>0\), the system cannot certify the inequality at the current state with the allowed inputs \(\mathcal{U}\); under the auditability contract, this must be treated as \emph{loss of certificate} and trigger a declared fallback.
\emph{Justification.} The constraint is exactly the robust CBF inequality when \(s=0\). If \(s^\star>0\), the inequality is violated by at least \(s^\star\) in the optimizer’s best attempt, so the one-sided statement cannot be made. \(\square\)
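The safety filter of V.B.2 with the conservative disturbance bound of V.B.1 and the status/margin semantics of Lemma 5.2, worked in closed form for a constructed scalar plant as an added example (not the paper's code; the plant, uncertainty bounds, input box and constraint function are assumptions, and the slack is handled in exact form so that \(s^\star>0\) occurs only when no admissible input satisfies the robust inequality):

```python
"""Scalar closed-form instance of the CBF-QP safety filter of Section V.B.2
using the conservative disturbance bound of Section V.B.1 and the status /
margin semantics of Lemma 5.2.  Added illustration, not the paper's code:
constructed plant xdot = theta*x + g*u + d with theta in [th_lo, th_hi],
|d| <= dbar, box input u in [u_lo, u_hi] (g != 0 declared), safe set
h(x) = x_max - x >= 0 and alpha(s) = kappa*s.  The slack is handled in
exact (lexicographic) form: s* > 0 only when no admissible u satisfies
the robust inequality, which is what Lemma 5.2's second clause needs."""

def robust_drift(x, th_lo, th_hi, dbar):
    """inf_theta grad h . f(x,theta) - ||grad h|| dbar for h = x_max - x
    (grad h = -1, so the theta-infimum of -theta*x sits at an endpoint)."""
    return min(-th_lo * x, -th_hi * x) - dbar

def cbf_filter(x, u_nom, x_max, kappa, g, th_lo, th_hi, dbar, u_lo, u_hi):
    """Returns (u_cmd, slack, margin, status).  The robust one-step constraint
    is  b*u + s >= r  with b = grad h . g = -g and r = -kappa*h - drift."""
    h = x_max - x
    b = -g
    r = -kappa * h - robust_drift(x, th_lo, th_hi, dbar)
    # admissible inputs with s = 0: {u in [u_lo, u_hi] : b*u >= r}
    if b > 0:
        lo, hi = max(u_lo, r / b), u_hi
    else:
        lo, hi = u_lo, min(u_hi, r / b)
    if lo <= hi:
        u = min(max(u_nom, lo), hi)  # projection of u_nom onto the feasible interval
        s = 0.0
        status = "OK"
    else:
        u = u_hi if b > 0 else u_lo  # best attempt: maximise b*u over U
        s = r - b * u                # minimal slack, strictly positive here
        status = "loss-of-certificate"  # Lemma 5.2: declared fallback must trigger
    margin = b * u - r               # left-minus-right of the robust inequality
    return u, s, margin, status

# Constructed parameters: cap x_max = 10, kappa = 1, g = 1, theta in [0, 0.2],
# |d| <= 0.5, u in [-2, 2].
PARAMS = dict(x_max=10.0, kappa=1.0, g=1.0, th_lo=0.0, th_hi=0.2, dbar=0.5,
              u_lo=-2.0, u_hi=2.0)
```

Far from the cap (x = 5) the nominal command passes untouched with margin 2.5; at x = 9 the filter overrides u_nom = 2 to -1.3 with zero slack; at x = 9.8 the worst-case drift exceeds the available actuator authority, the slack is 0.26 and the status reports loss of certificate.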
V.B.3. Behavior under actuator saturation and diagnostic dropout
Saturation and lag are handled by augmenting the state with actuator dynamics (Section II.C) so that the QP acts on \(u_{\mathrm{cmd}}\) while respecting \(u\in\mathcal{U}\) and slew/bandwidth limits encoded in \(\mathcal{U}_{\mathrm{cmd}}\) and in the augmented dynamics.
Diagnostic dropout affects safety through the estimator error set \(\mathcal{E}_k\). Under dropout, the estimator module must return either (i) an inflated but bounded \(\mathcal{E}_k\) or (ii) an \emph{inconclusive} flag. In case (ii), the control layer must switch to a pre-declared safe mode (e.g., reduce heating and stop aggressive transients) because the disturbance inflations in Sections III.C.3 and V.C cannot be justified.
V.C. Robust MPC with bounded disturbances and set-membership estimation
We now state a discrete-time robust MPC template aligned with Section III’s bounded-error model and Section IV’s bounded estimation errors.
V.C.1. Tightened constraints with estimation-error inflations
Consider the declared augmented discrete-time model
\[
z_{k+1} = A_k z_k + B_k u_{\mathrm{cmd},k} + c_k + w_k,\qquad w_k\in\mathcal{W}_k.
\]
Let the controller use \(\hat z_k\) with error \(e_k=z_k-\hat z_k\in\mathcal{E}_k\). As in Section III.C.3, define an \emph{effective} uncertainty set \(\widetilde{\mathcal{W}}_k\) that accounts for physical disturbance and estimation error. Any robust MPC guarantee below is conditioned on using these inflated sets.
Let the operational constraints be polyhedral
\[
z_k\in\mathcal{Z}_{\mathrm{safe},k}=\{z: H_k z\le b_k\},\qquad u_{\mathrm{cmd},k}\in\mathcal{U}_{\mathrm{cmd},k}=\{u: G_k u\le g_k\}.
\]
Define a tightened constraint for predicted nominal states \(\hat z_{k+i|k}\) by subtracting a declared error bound. One auditable construction is
\[
\widehat{\mathcal{Z}}_{k+i} := \mathcal{Z}_{\mathrm{safe},k+i} \ominus \mathcal{E}_{k+i},
\]
meaning: if \(\hat z\in\widehat{\mathcal{Z}}\) and \(z\in \hat z\oplus\mathcal{E}\), then \(z\in\mathcal{Z}_{\mathrm{safe}}\). When sets are polytopes, \(\ominus\) can be computed or conservatively approximated by linear constraints; any approximation must be declared.
V.C.2. Tube-MPC style robust feasibility and safety statement
We present a sufficient (standard) template: plan on the nominal model and use tightened constraints so that the true state remains safe for all disturbances within declared bounds.
\paragraph{Proposition 5.3 (Constraint satisfaction via tightening, sufficient).} Fix time \(k\) and suppose:
\begin{enumerate}
\item The estimator certifies \(z_k\in \hat z_k\oplus\mathcal{E}_k\).
\item The MPC computes a nominal input sequence \(\{u_{k+i|k}\}_{i=0}^{N_p-1}\) and nominal predicted states \(\{\hat z_{k+i|k}\}_{i=0}^{N_p}\) satisfying, for all \(i\),
\[
\hat z_{k+i|k}\in \widehat{\mathcal{Z}}_{k+i},\qquad u_{k+i|k}\in\mathcal{U}_{\mathrm{cmd},k+i},
\]
with tightened sets \(\widehat{\mathcal{Z}}_{k+i}\) constructed so that \(\hat z\in\widehat{\mathcal{Z}}_{k+i}\Rightarrow \hat z\oplus\mathcal{E}_{k+i}\subseteq \mathcal{Z}_{\mathrm{safe},k+i}\).
\item The disturbance/estimation effects satisfy the declared set bounds used to build \(\mathcal{E}_{k+i}\) and the recursion is updated consistently (Section IV.D.2).
\end{enumerate}
Then \(z_k\in\mathcal{Z}_{\mathrm{safe},k}\). This is a statement about the current state only: the implemented input \(u_{\mathrm{cmd},k}:=u_{k|k}\) determines \(z_{k+1}\), whose safety is certified only if the same conditions can be re-established at step \(k+1\) with updated \((\hat z_{k+1},\mathcal{E}_{k+1})\). Recursive feasibility is therefore a separate obligation (a tube with a robust positively invariant terminal set is the standard way to discharge it); until it is discharged, the guarantee holds step by step and ends when a failure flag is emitted.
\emph{Proof.} At time \(k\), \(z_k\in \hat z_k\oplus\mathcal{E}_k\) by assumption, and \(\hat z_k\in \widehat{\mathcal{Z}}_k\) implies \(\hat z_k\oplus\mathcal{E}_k\subseteq\mathcal{Z}_{\mathrm{safe},k}\). Hence \(z_k\in\mathcal{Z}_{\mathrm{safe},k}\). Receding-horizon application repeats the same one-step implication at each time. \(\square\)
\paragraph{Auditable outputs.} The MPC module must report: (i) feasibility status, (ii) minimum tightened-constraint slack along the solved horizon, and (iii) which bound(s) were active (to support design diagnostics).
V.C.3. Infeasibility triggers and safe fallback actions
Robust MPC may become infeasible due to tightened constraints, increased uncertainty envelopes (e.g., after diagnostic dropout), or actuator limits. Under the auditability contract, infeasibility is not a numerical nuisance: it is an operational \emph{go/no-go} signal. The controller must then execute a declared fallback; examples include:
\begin{itemize}
\item switch to a conservative pre-certified shutdown sequence (a separate scenario with its own reachability certificate),
\item freeze nonessential actuators (e.g., impurity seeding) while ramping down heating within electrical and thermal envelopes,
\item enlarge allowable slack only if the slack corresponds to a non-safety-critical constraint and the policy allows it (Section II.B risk budgeting), with the slack value reported.
\end{itemize}
V.D. Hybrid (impulsive) pellet-driven density control with continuous pumping/gas
Density regulation in long-pulse stellarator operation often combines (i) slow continuous actuators (gas puffing and pumping) and (ii) discrete pellet injections that produce impulsive density increments. We present a hybrid template that is compatible with barrier-style safety enforcement.
V.D.1. Hybrid model with impulses
Let \(x\) include a density proxy component \(n\). Between pellet events, the continuous-time dynamics are (declared surrogate)
\[
\dot x = f(x,\theta)+g(x,\theta)u + d,
\]
with continuous controls \(u\) (pumping, gas, heating/seeding couplings if included). At pellet times \(t_k\), the state jumps as
\[
x(t_k^+) = x(t_k^-) + \Delta(x(t_k^-),\phi_k,\vartheta_k),
\]
where \(\phi_k\) is a commanded pellet setting (e.g., size, speed) and \(\vartheta_k\) is an uncertain deposition/ablation parameter constrained by a declared set \(\vartheta_k\in\Upsilon\). For certification, \(\Delta\) must be bounded in a one-sided way; for instance, for density we require a declared upper bound
\[
n(t_k^+) \le n(t_k^-) + \Delta n^{\mathrm{hi}}(\phi_k),
\]
that remains valid under \(\vartheta_k\in\Upsilon\).
V.D.2. Event-triggering rule as a discrete safety certificate
Let the density ceiling constraint be \(h_n(x)=n_{\max}-n\ge 0\). A sufficient safety rule for pellet firing is:
\[
\text{fire a pellet at time }t_k \text{ only if } h_n(x(t_k^-)) \ge \Delta n^{\mathrm{hi}}(\phi_k) + \eta_n,
\]
for a declared margin \(\eta_n>0\). Then, under the jump bound above,
\[
n(t_k^+) \le n(t_k^-) + \Delta n^{\mathrm{hi}}(\phi_k) \le n_{\max}-\eta_n,
\]
so the post-jump state is strictly inside the density constraint.
\paragraph{Lemma 5.4 (Density-ceiling invariance across impulses, sufficient).} Under the declared jump upper bound, if a pellet is fired at \(t_k\) only when the event rule \(h_n(x(t_k^-))\ge \Delta n^{\mathrm{hi}}(\phi_k)+\eta_n\) holds, then \(h_n(x(t_k^+))\ge \eta_n>0\). Hence pellet events cannot cause an instantaneous violation of the density ceiling. The rule says nothing about states between events (a refused pellet leaves the state unchanged); continuous safety between events is a separate obligation.
\emph{Proof.} Immediate from the inequality chain above. \(\square\)
Between pellet events, continuous safety is enforced by the CBF-QP (Section V.B) or by robust MPC tightening (Section V.C). The overall hybrid strategy is therefore: continuous safety filter \(+\) discrete event guard.
V.D.3. Integration with pumping and facility inventory constraints
Pellet actions also couple to facility constraints (Section II.D). Abstractly, if each pellet contributes a known (or bounded) amount to a facility inventory state \(I\), a hard campaign constraint takes the form
\[
I_{k+1} = I_k + \Delta I(\phi_k,\vartheta_k),\qquad I_k\le \overline I.
\]
For certification, we enforce an auditable one-sided bound \(\Delta I\le \Delta I^{\mathrm{hi}}(\phi_k)\) and require the event guard to include
\[
I_k + \Delta I^{\mathrm{hi}}(\phi_k) \le \overline I - \eta_I.
\]
This makes the pellet trigger simultaneously a density-safety guard and a facility-interlock guard.
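\paragraph{Worked example (added).} The following Python block is an added illustration of the combined event guard of Sections V.D.2 and V.D.3 and of Lemma 5.4; it is not part of the paper's software. The continuous surrogate (exponential pumping loss plus constant gas feed), the jump bound \(\Delta n^{\mathrm{hi}}(\phi)=\phi\,\sup\Upsilon\), the inventory bound \(\Delta I^{\mathrm{hi}}(\phi)\) and all numerical values are constructed assumptions. The simulation fires the true jump at the worst admissible deposition efficiency and records whether any post-pellet state ever leaves the margin.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class GuardSpec:
    n_max: float         # density ceiling n_max
    eta_n: float         # declared density margin eta_n
    I_max: float         # facility inventory cap \bar I
    eta_I: float         # declared inventory margin eta_I
    upsilon_hi: float    # sup of the declared ablation set Upsilon (efficiency <= upsilon_hi)
    mass_per_phi: float  # inventory consumed per unit pellet setting (declared, one-sided)


def delta_n_hi(phi: float, spec: GuardSpec) -> float:
    """Declared one-sided jump bound Delta n^hi(phi) = phi * upsilon_hi (hypothetical surrogate)."""
    return phi * spec.upsilon_hi


def delta_I_hi(phi: float, spec: GuardSpec) -> float:
    """Declared one-sided inventory bound Delta I^hi(phi) (hypothetical surrogate)."""
    return phi * spec.mass_per_phi


def pellet_allowed(n: float, I: float, phi: float, spec: GuardSpec) -> Tuple[bool, str]:
    """Event guard: density guard (Section V.D.2) AND inventory guard (Section V.D.3)."""
    h_n = spec.n_max - n
    if h_n < delta_n_hi(phi, spec) + spec.eta_n:
        return False, "refused: density guard"
    if I + delta_I_hi(phi, spec) > spec.I_max - spec.eta_I:
        return False, "refused: inventory guard"
    return True, "fire"


def simulate(spec: GuardSpec, phi: float = 0.3, tau_p: float = 5.0, gas: float = 0.04,
             dt: float = 0.1, t_end: float = 60.0, request_period: float = 1.0,
             n0: float = 0.2, I0: float = 0.0, theta: float = None) -> Dict:
    """Hybrid simulation: Euler steps of the continuous surrogate n' = -n/tau_p + gas
    between events, impulsive pellets when requested and allowed. `theta` is the true
    deposition efficiency in [0, upsilon_hi]; the default is the worst case."""
    theta = spec.upsilon_hi if theta is None else theta
    n, I = n0, I0
    steps, every = int(round(t_end / dt)), int(round(request_period / dt))
    counts = {"fire": 0, "refused: density guard": 0, "refused: inventory guard": 0}
    max_post_n, max_post_I, max_n = -1e9, -1e9, -1e9
    log: List[Tuple[float, str, float, float]] = []
    for k in range(steps + 1):
        t = k * dt
        if k % every == 0:                       # a pellet is requested at this tick
            ok, reason = pellet_allowed(n, I, phi, spec)
            if ok:
                n += phi * theta                 # true jump, inside the declared bound
                I += delta_I_hi(phi, spec)
                max_post_n, max_post_I = max(max_post_n, n), max(max_post_I, I)
            counts[reason] += 1
            log.append((t, reason, n, I))
        max_n = max(max_n, n)
        n += dt * (-n / tau_p + gas)            # declared continuous surrogate
    return {"counts": counts, "max_n_after_pellet": max_post_n,
            "max_I_after_pellet": max_post_I, "max_n": max_n, "log": log}


# Constructed guard data (hypothetical units).
SPEC = GuardSpec(n_max=1.0, eta_n=0.05, I_max=10.0, eta_I=0.5, upsilon_hi=1.0, mass_per_phi=2.0)

if __name__ == "__main__":
    res = simulate(SPEC)
    print(res["counts"], "max n after pellet:", round(res["max_n_after_pellet"], 3),
          "max I after pellet:", round(res["max_I_after_pellet"], 3))
```

With these numbers the inventory guard caps the campaign at 15 pellets (the 16th would exceed \(\overline I-\eta_I\)), while the density guard refuses requests that arrive before pumping has restored the required headroom; every fired pellet leaves \(n\le n_{\max}-\eta_n\), exactly the inequality chain of Lemma 5.4.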
V.E. Certificate-based supervisory mode logic and phase transition guards
This subsection specifies a supervisory layer that coordinates the phase sequence (startup \(\to\) ramp \(\to\) burn \(\to\) shutdown), mediates failures of subordinate certificates (reachability, estimation, MPC, CBF-QP), and produces an auditable go/no-go and fallback decision at each time. The supervisory logic is not a heuristic scheduler: it is a finite-state mechanism whose transitions are guarded by explicit, checkable certificate predicates.
V.E.1. Hybrid automaton with certificate-conditioned transitions
Let \(\Sigma := \{\mathrm{startup},\mathrm{ramp},\mathrm{burn},\mathrm{shutdown},\mathrm{abort}\}\) denote the set of discrete modes. The supervisor state is \(\sigma_k\in\Sigma\). Each mode \(\sigma\) has:
\begin{itemize}
\item a declared safe set \(\mathcal{Z}^{\sigma}_{\mathrm{safe},k}\) and input set \(\mathcal{U}^{\sigma}_{\mathrm{cmd},k}\);
\item a declared controller instance (economic MPC problem data, safety filter constraints, and fallback controller);
\item a set of transition guards \(G_{\sigma\to\sigma'}\) defined as Boolean-valued certificate predicates on the current audit state.
\end{itemize}
The supervisor operates on an \emph{audit state} \(\chi_k\), a structured tuple containing at minimum
\[
\chi_k := \big(\hat z_k,\ \mathcal{E}_k,\ \mathrm{health}_k,\ \mathrm{margins}_k,\ \mathrm{reach}_k,\ \mathrm{fac}_k\big),
\]
where \((\hat z_k,\mathcal{E}_k,\mathrm{health}_k)\) are the estimator outputs (Section IV), \(\mathrm{margins}_k\) collects controller feasibility/slack outputs (Section V.B–V.C), \(\mathrm{reach}_k\) encodes membership checks against any precomputed reachable sets (Section III), and \(\mathrm{fac}_k\) encodes facility interlock states (inventory upper bounds, pressure bounds, electrical envelope status; Section VI).
V.E.2. Pre-shot and in-shot go/no-go checks
We separate certificate checks into \emph{pre-shot} (computed before committing to a mode) and \emph{in-shot} (computed each control tick).
\paragraph{Pre-shot go/no-go for a declared scenario.} Given a planned episode with backward reachable sets \(\{\mathcal{R}_i\}_{i=0}^N\) (Section III.C.1), the pre-shot gate is
\[
\text{GO} \iff \hat z_0 \in \mathcal{R}_N \ominus \mathcal{E}_0.
\]
This is a one-sided sufficient test: if it passes, then for every true \(z_0\in \hat z_0\oplus\mathcal{E}_0\) the inclusion \(z_0\in\mathcal{R}_N\) holds, and Theorem 3.1 applies under the declared bounds. If it fails, the supervisor must output \emph{NO-GO: initial condition outside certified feasible set}.
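\paragraph{Worked example (added).} The following Python block is an added illustration of the row-wise tightening of Section V.C.1 and of the pre-shot gate above (the same membership test is reused by the supervisor obligation of Section V.E.4); it is not part of the paper's software. The reachable-set polytope \(\mathcal{R}_N\), the box-shaped error set \(\mathcal{E}_0\) and the two candidate initial estimates are constructed numbers.

```python
from itertools import product
from typing import List, Sequence, Tuple

Vec = Sequence[float]


def dot(a: Vec, b: Vec) -> float:
    return sum(x * y for x, y in zip(a, b))


def support(vertices: Sequence[Vec], direction: Vec) -> float:
    """Support function h_E(d) = max_{e in E} <d, e> of the convex hull of `vertices`;
    a linear functional attains its maximum at a vertex."""
    return max(dot(direction, v) for v in vertices)


def tighten(H: Sequence[Vec], b: Vec, err_vertices: Sequence[Vec]) -> List[float]:
    """Exact Pontryagin difference {z : Hz <= b} (-) conv(err_vertices):
    row i becomes H_i z <= b_i - h_E(H_i)."""
    return [b_i - support(err_vertices, H_i) for H_i, b_i in zip(H, b)]


def violated_rows(H: Sequence[Vec], b: Vec, z: Vec, tol: float = 1e-12) -> List[int]:
    """Indices i with H_i z > b_i (an empty list means z is inside)."""
    return [i for i, (H_i, b_i) in enumerate(zip(H, b)) if dot(H_i, z) > b_i + tol]


def box_vertices(half_widths: Vec) -> List[List[float]]:
    """Vertices of the box {e : |e_j| <= half_widths[j]} (2^n points)."""
    return [list(v) for v in product(*[(-h, h) for h in half_widths])]


def pre_shot_gate(H_R: Sequence[Vec], b_R: Vec, zhat0: Vec,
                  err_vertices: Sequence[Vec]) -> Tuple[bool, str]:
    """GO iff zhat0 in R_N (-) E_0.  The NO-GO message names the blocking rows so the
    failure is falsifiable rather than a bare Boolean."""
    rows = violated_rows(H_R, tighten(H_R, b_R, err_vertices), zhat0)
    if not rows:
        return True, "GO"
    return False, ("NO-GO: initial condition outside certified feasible set "
                   f"(tightened rows violated: {rows})")


def membership_is_sound(H: Sequence[Vec], b: Vec, zhat: Vec,
                        err_vertices: Sequence[Vec]) -> bool:
    """Brute-force check of the defining property: every zhat + e with e a vertex of E
    lies in {Hz <= b} (checking vertices suffices because the set is convex)."""
    return all(not violated_rows(H, b, [zi + ei for zi, ei in zip(zhat, e)])
               for e in err_vertices)


# Constructed 2-state reachable set R_N (hypothetical): |z1| <= 1, |z2| <= 1, z1 + z2 <= 1.5
H_R = [[1.0, 0.0], [-1.0, 0.0], [0.0, 1.0], [0.0, -1.0], [1.0, 1.0]]
B_R = [1.0, 1.0, 1.0, 1.0, 1.5]
# Constructed estimation-error set E_0: a box with half-widths (0.2, 0.1)
E0_VERTICES = box_vertices([0.2, 0.1])

if __name__ == "__main__":
    print("tightened b:", tighten(H_R, B_R, E0_VERTICES))
    for zhat0 in ([0.6, 0.5], [0.85, 0.5]):
        ok, msg = pre_shot_gate(H_R, B_R, zhat0, E0_VERTICES)
        print(zhat0, msg, "| sound:", membership_is_sound(H_R, B_R, zhat0, E0_VERTICES))
```

The fifth row shows why the support function, not a per-coordinate shrink, is the right object: the diagonal constraint \(z_1+z_2\le 1.5\) is tightened by \(0.2+0.1\), the support of the box in direction \((1,1)\).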
\paragraph{In-shot checks.} At each tick \(k\), the supervisor evaluates:
\begin{enumerate}
\item \textbf{Estimator health:} \(\mathrm{health}_k=\mathrm{OK}\) or \(\mathrm{health}_k=\mathrm{inconclusive}\). If inconclusive, the supervisor must switch to a mode whose certificates do not rely on the missing bounds (typically a conservative ramp-down).
\item \textbf{Safety-filter feasibility:} the CBF-QP (or robust projection) status is \(\mathrm{OK}\) with slack \(s^\star_k=0\), or \(s^\star_k>0\), or infeasible (Lemma 5.2). Any \(s^\star_k>0\) is treated as loss of safety certificate under declared constraints.
\item \textbf{MPC feasibility (optional but useful):} MPC feasibility and minimum tightened slack. Persistent infeasibility is a performance-loss signal; if it coincides with tight safety margins, it becomes a safety concern.
\item \textbf{Facility interlocks:} one-sided propagated bounds (e.g., inventory \(c^T\overline x_k\le \overline I-\eta_I\), pressure \(p^{\mathrm{hi}}(u)\le \overline p-\eta_p\), electrical envelope constraints) remain satisfied. Violation of a facility interlock is treated as immediate transition to shutdown/abort.
\end{enumerate}
V.E.3. Guard predicates and mode transition semantics
A guard predicate is any Boolean condition computed from \(\chi_k\) for which the implication “guard true \(\Rightarrow\) transition permissible” is auditable.
\paragraph{Example guards (templates).}
\begin{itemize}
\item \textbf{Startup \(\to\) ramp:} require burn-through certificate satisfaction (Section VI.A) expressed as a validated threshold crossing with bounded uncertainty,
\[
G_{\mathrm{startup}\to\mathrm{ramp}}(\chi_k)=\big(\hat T_k - \overline{\mathcal{E}}_{T,k} \ge T_{\mathrm{bt}}\big)\wedge (\mathrm{health}_k=\mathrm{OK}),
\]
where \(\overline{\mathcal{E}}_{T,k}\) denotes a one-sided upper bound on temperature estimation error magnitude.
\item \textbf{Ramp \(\to\) burn:} require membership in the declared burn target set with uncertainty,
\[
G_{\mathrm{ramp}\to\mathrm{burn}}(\chi_k)=\big(\hat z_k \in \mathcal{Z}_{\mathrm{burn}} \ominus \mathcal{E}_k\big)\wedge (s^\star_k=0).
\]
\item \textbf{Any mode \(\to\) shutdown:} trigger on loss of certificate,
\[
G_{\sigma\to\mathrm{shutdown}}(\chi_k)=\big(\mathrm{health}_k\neq\mathrm{OK}\big)\vee\big(\text{safety filter infeasible or }s^\star_k>0\big)\vee\big(\text{facility interlock violated}\big).
\]
\item \textbf{Shutdown \(\to\) abort:} trigger when the shutdown controller itself loses feasibility under declared bounds (e.g., electrical cap would be exceeded by a required ramp-down), yielding \emph{abort} as a distinct certified action sequence.
\end{itemize}
\paragraph{Transition rule.} The supervisor updates by
\[
\sigma_{k+1} \in \mathrm{Select}\big(\sigma_k,\chi_k\big),
\]
where \(\mathrm{Select}\) is a declared priority rule (e.g., any shutdown/abort guard overrides performance-mode guards). Auditability requires that the priority ordering be declared and fixed; otherwise, different executions could yield different safety outcomes for the same \(\chi_k\).
V.E.4. Safe fallback sequence library with separate feasibility certificates
A \emph{fallback sequence} is a mode-specific controller and constraint set intended to keep the system within a conservative safe envelope while reducing stored energy, density, auxiliary power, and facility loads. Crucially, each fallback must be accompanied by its own certificate of feasibility under declared bounds; otherwise, “fallback” is only a hope.
\paragraph{Definition 5.5 (Certified fallback).} A fallback controller \(\pi^{\mathrm{fb}}\) for mode \(\sigma\) is \emph{certified} on a set \(\mathcal{Z}^{\mathrm{fb}}\) if the chosen safety mechanism (CBF-QP invariance, robust MPC tightening, or a precomputed reachable-set argument) proves that for all \(z_0\in\mathcal{Z}^{\mathrm{fb}}\) the closed loop remains in \(\mathcal{Z}^{\sigma}_{\mathrm{safe}}\) for all subsequent times and reaches a terminal safe set (e.g., \(\mathcal{Z}_{\mathrm{shutdown}}\)) in finite time.
\paragraph{Supervisor obligation.} The supervisor may only transition into a fallback mode if it can certify that the current uncertainty-augmented estimate is inside the fallback’s certified domain:
\[
\hat z_k \in \mathcal{Z}^{\mathrm{fb}} \ominus \mathcal{E}_k.
\]
If not, the system must transition to a more conservative mode (possibly \(\mathrm{abort}\)) or declare “no certified action available” (which is an unacceptable engineering state but a logically correct outcome under the auditability contract).
V.E.5. Certificate logging and audit trail
At each tick, the supervisor logs a time-stamped record containing:
\begin{itemize}
\item the active mode \(\sigma_k\) and any transition that occurred;
\item the current declared bounds used by the estimator and controller (\(\Theta_k,\mathcal{W}_k,\mathcal{V}_{j,k},\mathcal{B}_{j,k}\), and any inflations);
\item safety-filter feasibility status and slack \(s^\star_k\), MPC feasibility status and minimum tightened slack, and active constraints;
\item the evaluated truth values of all guards \(G_{\sigma\to\sigma'}(\chi_k)\);
\item any fallback action invoked and the certificate object that justified the transition (reachable-set membership witness, QP transcript, or LMI/LP feasibility record).
\end{itemize}
This audit trail is part of the certificate semantics of Section II.A: it is the mechanism by which “go/no-go” decisions become reproducible and mechanically checkable.
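\paragraph{Worked example (added).} The following Python block is an added illustration of Sections V.E.3 to V.E.5: a finite-state supervisor whose transitions are guard predicates on a reduced audit state, a declared fixed priority rule \(\mathrm{Select}\), the fallback-domain obligation, and the per-tick audit record. It is not part of the paper's software; the guard templates follow the text, but the audit-state fields, the threshold \(T_{\mathrm{bt}}\) and the scripted sequence of audit states are constructed assumptions (membership tests such as \(\hat z_k\in\mathcal{Z}_{\mathrm{burn}}\ominus\mathcal{E}_k\) are taken as precomputed Booleans).

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Mode(Enum):
    STARTUP = "startup"
    RAMP = "ramp"
    BURN = "burn"
    SHUTDOWN = "shutdown"
    ABORT = "abort"


@dataclass(frozen=True)
class Audit:
    """Audit state chi_k, reduced to the fields the guards below consume (hypothetical)."""
    k: int
    health_ok: bool            # health_k == OK
    slack: Optional[float]     # safety-filter slack s*_k; None = QP infeasible
    facility_ok: bool          # all facility interlocks satisfied
    T_hat: float               # temperature proxy estimate
    err_T_hi: float            # one-sided bound on temperature estimation error
    in_burn_target: bool       # zhat_k in Z_burn (-) E_k, computed upstream
    fallback_domain_ok: bool   # zhat_k in Z^fb (-) E_k for the shutdown fallback
    shutdown_feasible: bool    # shutdown controller feasible under declared bounds


T_BT = 1.0   # hypothetical burn-through threshold


def g_startup_to_ramp(x: Audit) -> bool:
    return (x.T_hat - x.err_T_hi >= T_BT) and x.health_ok


def g_ramp_to_burn(x: Audit) -> bool:
    return x.in_burn_target and x.slack == 0.0


def g_any_to_shutdown(x: Audit) -> bool:
    return (not x.health_ok) or x.slack is None or x.slack > 0.0 or (not x.facility_ok)


def g_shutdown_to_abort(x: Audit) -> bool:
    return not x.shutdown_feasible


# Declared, fixed priority order: safety transitions are listed first and win.
PRIORITY: List[Tuple[Tuple[Mode, ...], Mode, Callable[[Audit], bool]]] = [
    ((Mode.SHUTDOWN,), Mode.ABORT, g_shutdown_to_abort),
    ((Mode.STARTUP, Mode.RAMP, Mode.BURN), Mode.SHUTDOWN, g_any_to_shutdown),
    ((Mode.STARTUP,), Mode.RAMP, g_startup_to_ramp),
    ((Mode.RAMP,), Mode.BURN, g_ramp_to_burn),
]


def select(mode: Mode, x: Audit) -> Tuple[Mode, Dict[str, bool], str]:
    """Select(sigma_k, chi_k): evaluate every applicable guard (all are logged), take the
    first true one in PRIORITY order, then apply the obligation for entering a fallback."""
    guards: Dict[str, bool] = {}
    chosen, why = mode, "no guard true: stay"
    for sources, target, guard in PRIORITY:
        if mode not in sources:
            continue
        val = guard(x)
        guards[f"{mode.value}->{target.value}"] = val
        if val and chosen == mode:
            chosen, why = target, f"guard {mode.value}->{target.value} true"
    if chosen == Mode.SHUTDOWN and not x.fallback_domain_ok:
        # zhat_k not in Z^fb (-) E_k: the fallback certificate does not apply,
        # so the more conservative certified action is taken.
        chosen, why = Mode.ABORT, why + "; fallback domain check failed -> abort"
        guards["fallback-domain-ok"] = False
    return chosen, guards, why


def run(states: List[Audit], start: Mode = Mode.STARTUP) -> Tuple[Mode, List[Dict]]:
    """Drive the supervisor through a sequence of audit states; return the final mode
    and the per-tick audit trail of Section V.E.5."""
    mode, trail = start, []
    for x in states:
        nxt, guards, why = select(mode, x)
        trail.append({"k": x.k, "mode": mode.value, "next": nxt.value,
                      "guards": guards, "reason": why})
        mode = nxt
    return mode, trail


def audit(k: int, **kw) -> Audit:
    base = dict(health_ok=True, slack=0.0, facility_ok=True, T_hat=0.0, err_T_hi=0.1,
                in_burn_target=False, fallback_domain_ok=True, shutdown_feasible=True)
    base.update(kw)
    return Audit(k=k, **base)


# Constructed scenario: nominal phase sequence, then a safety-filter slack forces
# shutdown, then the shutdown controller itself loses feasibility.
SCENARIO = [
    audit(0, T_hat=0.6),                          # 0.6 - 0.1 < T_bt: stay in startup
    audit(1, T_hat=1.2),                          # 1.1 >= T_bt: startup -> ramp
    audit(2, T_hat=1.5, in_burn_target=True),     # ramp -> burn
    audit(3, T_hat=1.5, slack=0.02),              # s* > 0: burn -> shutdown
    audit(4, T_hat=1.0, shutdown_feasible=False), # shutdown -> abort
    audit(5, T_hat=0.5),                          # abort is absorbing
]

if __name__ == "__main__":
    final, trail = run(SCENARIO)
    for rec in trail:
        print(rec)
    print("final mode:", final.value)
```

Because \(\mathrm{Select}\) scans the priority list in a fixed order and logs every evaluated guard, two executions with the same \(\chi_k\) produce the same transition and the same record; a ramp tick in which both the burn-entry guard and the shutdown guard are true resolves to shutdown, never to burn.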
\paragraph{Interface summary (what Section V consumes/produces).}
\begin{itemize}
\item Inputs consumed: declared safe sets \(\mathcal{Z}_{\mathrm{safe},k}\), actuator sets \(\mathcal{U}_{\mathrm{cmd},k}\), disturbance sets \(\mathcal{W}_k\), estimator outputs \((\hat z_k,\mathcal{E}_k,\text{health})\), and any one-sided jump bounds \(\Delta n^{\mathrm{hi}}\), \(\Delta I^{\mathrm{hi}}\).
\item Outputs produced: real-time commands \(u_{\mathrm{cmd},k}\), health/margin signals (QP/MPC feasibility, slack, active constraints), and explicit fallback triggers.
\end{itemize}
The next section (Section VI) uses these control primitives as \emph{consumers} of higher-level co-design certificates (startup feasibility, burn stability reserves, bandwidth–delay constraints, fueling/pumping/electrical envelopes), each of which is required to provide explicit inequalities that can be enforced by the MPC/CBF layers above.
VI. Co-Design Certificates Linking Scenarios, Diagnostics, Actuators, and Plant Limits (Main Results)
This section states composable certificate statements that connect (i) offline scenario synthesis (Section III), (ii) diagnostics/estimation bounds (Section IV), and (iii) real-time safe control enforcement (Section V) to requirements on actuator authority, latency/bandwidth, and facility/plant envelopes. Each result is stated strictly for a declared surrogate model family \(\mathfrak{M}\) and declared uncertainty sets; no claim is made about physical fidelity beyond those declarations (Section II.A).
A recurring pattern is: a module computes a conservative, one-sided bound (\emph{hi/lo} envelope) on a critical quantity and returns it as an inequality suitable for inclusion in \(\mathcal{Z}_{\mathrm{safe},k}\), \(\mathcal{U}_{\mathrm{cmd},k}\), or a CBF/MPC tightening rule.
VI.A. Certified ECRH startup feasibility envelope (breakdown + burn-through)
Startup without transformer action motivates a distinct certificate: existence of an admissible auxiliary heating command (subject to actuator and plant constraints) that drives a low-temperature surrogate through an ionization/radiation barrier into a regime where the ramp/burn surrogate (Sections III–V) is declared valid.
VI.A.1. Declared low-temperature scalar surrogate and conservative envelopes
We use a minimal scalar proxy \(T\) (e.g., an “effective electron temperature” proxy) with dynamics
\[
C(\theta)\,\dot T = P_{\mathrm{abs}}(u,\theta) - P_{\mathrm{loss}}(T,n,\theta) + d_T(t),
\]
where \(C(\theta)\ge C_{\min}>0\) is an effective heat capacity, \(P_{\mathrm{abs}}\) is absorbed auxiliary power (possibly lagged through actuator states included in \(u\)), \(P_{\mathrm{loss}}\) aggregates declared low-temperature losses (radiation/ionization proxies, line losses), \(n\) is a declared density/prefill proxy treated as either a controlled variable or a bounded parameter during startup, and \(d_T\in[-\bar d_T,\bar d_T]\) is bounded mismatch. Let the declared uncertainty set be \(\theta\in\Theta_{\mathrm{st}}\) and \(n\in\mathcal{N}_{\mathrm{st}}\).
Assume we can compute one-sided envelopes
\[
P_{\mathrm{abs}}(u,\theta) \ge P_{\mathrm{abs}}^{\mathrm{lo}}(u),\qquad
P_{\mathrm{loss}}(T,n,\theta) \le P_{\mathrm{loss}}^{\mathrm{hi}}(T,n)
\]
valid for all \(\theta\in\Theta_{\mathrm{st}}\), \(n\in\mathcal{N}_{\mathrm{st}}\). (These envelopes are declarations that must be externally justified; the certificate below is conditional on their correctness.)
VI.A.2. Burn-through barrier certificate
Let \(T_{\mathrm{bt}}>T_0\) denote a declared burn-through threshold beyond which the next-phase surrogate is declared admissible. Let \(u(t)\in\mathcal{U}_{\mathrm{st}}\) satisfy declared actuator/plant constraints (lags, saturation, wall-plug caps). Define the conservative net heating margin
\[
\Delta(T,n;u) := P_{\mathrm{abs}}^{\mathrm{lo}}(u) - P_{\mathrm{loss}}^{\mathrm{hi}}(T,n) - \bar d_T.
\]
\paragraph{Theorem 6.1 (Sufficient burn-through condition, one-sided).} Fix a constant command \(\bar u\in\mathcal{U}_{\mathrm{st}}\). Suppose there exists a density/prefill interval \(\mathcal{N}_{\mathrm{st}}\) and a positive constant \(\varepsilon>0\) such that
\[
\inf_{T\in[T_0,T_{\mathrm{bt}}]}\ \inf_{n\in\mathcal{N}_{\mathrm{st}}}\ \Delta(T,n;\bar u) \ge \varepsilon.
\]
Then, for any measurable disturbance \(d_T\) with \(|d_T(t)|\le \bar d_T\) and any \(\theta(t)\in\Theta_{\mathrm{st}}\), the trajectory satisfies \(C(\theta)\dot T\ge\varepsilon\) whenever \(T\in[T_0,T_{\mathrm{bt}}]\), so \(T(t)\) is strictly increasing on that interval and reaches \(T_{\mathrm{bt}}\) in at most
\[
T_{\mathrm{reach}} \le \frac{C_{\max}}{\varepsilon}\,(T_{\mathrm{bt}}-T_0),
\]
where \(C_{\max}:=\sup_{\theta\in\Theta_{\mathrm{st}}} C(\theta)\). Consequently, burn-through is certified within \(T_{\mathrm{reach}}\) provided the command \(\bar u\) can be held for that duration without violating declared actuator/plant constraints.
\paragraph{Diagnostics requirement (startup gate).} To evaluate the go/no-go inequality above in real time, the module must provide certified bounds \(\hat T\pm\mathcal{E}_T\) and \(\hat n\pm\mathcal{E}_n\) (Section IV), or else conservatively enlarge \(\mathcal{N}_{\mathrm{st}}\) and \(T_0\) to account for uncertainty. If bounds are unavailable (dropout/inconclusive), the only certified action is to derate or abort startup.
\paragraph{Prefill bounds as an optimization with certificate output.} When \(P_{\mathrm{loss}}^{\mathrm{hi}}\) is unimodal/convex in \(n\) over a declared range, one may choose \(\mathcal{N}_{\mathrm{st}}=[n_{\min},n_{\max}]\) by solving
\[
\max_{n\in[n_{\min}^{\mathrm{phys}},n_{\max}^{\mathrm{phys}}]}\ \min_{T\in[T_0,T_{\mathrm{bt}}]}\ \Delta(T,n;\bar u),
\]
and returning the achieved margin \(\varepsilon\) as the certificate scalar. The optimization is a design step; the certificate is the verified inequality \(\varepsilon>0\) plus the declared envelopes used to compute it.
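\paragraph{Worked example (added).} The following Python block is an added illustration of Theorem 6.1 and of the prefill selection above; it is not part of the paper's software. The envelopes \(P_{\mathrm{abs}}^{\mathrm{lo}}\), \(P_{\mathrm{loss}}^{\mathrm{hi}}\) (a density-proportional radiation barrier plus a conduction proxy plus a low-prefill penalty, convex in \(n\)), the constants \(C_{\max}\), \(\bar d_T\) and all numbers are constructed assumptions. The block evaluates the infimum on a grid and then subtracts a Lipschitz correction derived from the declared envelope, so the returned \(\varepsilon\) is a valid lower bound rather than a sampled estimate; a worst-case simulation confirms the reach-time bound.

```python
import math
from typing import Dict

# Hypothetical declared startup surrogate (constructed for this example).
C_MAX = 1.5      # sup_theta C(theta)
D_BAR = 0.05     # |d_T| <= D_BAR


def p_abs_lo(u: float) -> float:
    """Lower envelope of absorbed auxiliary power: 80 % of the commanded power."""
    return 0.8 * u


def p_loss_hi(T: float, n: float) -> float:
    """Upper envelope of low-temperature losses: radiation barrier centred at T = 0.5
    scaled by density, conduction proxy 0.5*T, and 0.12/n penalizing too-low prefill."""
    return n * (0.3 + 2.0 * math.exp(-((T - 0.5) / 0.2) ** 2)) + 0.5 * T + 0.12 / n


def net_margin(T: float, n: float, u: float) -> float:
    """Delta(T, n; u) = P_abs^lo(u) - P_loss^hi(T, n) - d_bar."""
    return p_abs_lo(u) - p_loss_hi(T, n) - D_BAR


def lip_T(n_hi: float) -> float:
    """|dP_loss^hi/dT| <= n*2*(sqrt(2)/0.2)*exp(-1/2) + 0.5, largest at n = n_hi."""
    return n_hi * 2.0 * (math.sqrt(2.0) / 0.2) * math.exp(-0.5) + 0.5


def lip_n(n_lo: float) -> float:
    """|dP_loss^hi/dn| = |R(T) - 0.12/n^2| <= max(2.3, 0.12/n_lo^2) for n >= n_lo."""
    return max(2.3, 0.12 / n_lo ** 2)


def certify_burn_through(u_bar: float, n_lo: float, n_hi: float, T0: float, T_bt: float,
                         h_T: float = 0.005, h_n: float = 0.01) -> Dict:
    """Theorem 6.1 check on [T0, T_bt] x [n_lo, n_hi].  The grid includes the interval
    endpoints, so every point is within half a spacing of a node and
    min_continuous >= min_grid - L_T*h_T/2 - L_n*h_n/2."""
    mT = max(1, math.ceil((T_bt - T0) / h_T))
    mN = max(1, math.ceil((n_hi - n_lo) / h_n))
    hT, hN = (T_bt - T0) / mT, (n_hi - n_lo) / mN
    grid_min = min(net_margin(T0 + i * hT, n_lo + j * hN, u_bar)
                   for i in range(mT + 1) for j in range(mN + 1))
    eps = grid_min - lip_T(n_hi) * hT / 2 - lip_n(n_lo) * hN / 2
    if eps <= 0:
        return {"certified": False, "eps": eps,
                "message": "burn-through not certified: net heating margin <= 0 under declared envelopes"}
    return {"certified": True, "eps": eps, "T_reach": C_MAX * (T_bt - T0) / eps}


def worst_case_reach_time(u_bar: float, n: float, T0: float, T_bt: float,
                          dt: float = 1e-3, t_max: float = 100.0) -> float:
    """Simulate with C = C_MAX, losses at their upper envelope and the disturbance pushed
    against heating (d_T = -D_BAR); return the time at which T_bt is reached."""
    T, t = T0, 0.0
    while T < T_bt and t < t_max:
        T += dt * net_margin(T, n, u_bar) / C_MAX
        t += dt
    return t


if __name__ == "__main__":
    print(certify_burn_through(2.0, 0.2, 0.3, 0.1, 1.0))
    print(certify_burn_through(2.0, 0.2, 0.6, 0.1, 1.0))
    print("worst-case reach time at n = 0.3:", worst_case_reach_time(2.0, 0.3, 0.1, 1.0))
```

Widening the prefill interval to \([0.2,0.6]\) makes the certificate fail at the barrier, which is the intended falsifiable message; the Lipschitz correction is what separates a certificate from a plot, since a grid minimum alone can miss a narrow loss peak between nodes.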
VI.B. Certified ignition / radiative-collapse boundary tracking for ramp-to-burn and shutdown
We model a ramp-to-burn and shutdown hazard as loss of equilibrium or loss of stability in a low-dimensional energy balance surrogate. The certificate here is an explicit \emph{fold-margin} (distance to a saddle-node) that is enforceable as a one-sided inequality, and which yields sizing rules for fast auxiliary reserve and allowable ramp rates.
VI.B.1. Declared equilibrium relation and fold condition
Let \(W\) denote stored-energy proxy and consider a scalar closed-loop relevant reduced model
\[
\dot W = F(W,\mu,\theta) + d_W(t), \qquad d_W\in[-\bar d_W,\bar d_W],
\]
where \(\mu\) is an effective control parameter (e.g., total absorbed auxiliary heating minus a declared offset, or a combined heating+seeding parameter), and \(\theta\in\Theta\) denotes uncertain closures. Equilibria satisfy
\[
F(W,\mu,\theta)=0.
\]
A saddle-node (fold) occurs at \((W^\dagger,\mu^\dagger,\theta)\) where additionally
\[
\partial_W F(W^\dagger,\mu^\dagger,\theta)=0.
\]
VI.B.2. One-sided fold-margin bound
Assume that along a planned segment we can compute conservative bounds
\[
\partial_W F(W,\mu,\theta) \le a^{\mathrm{hi}}(W,\mu),
\qquad
F(W,\mu,\theta) \ge F^{\mathrm{lo}}(W,\mu),
\]
valid for all \(\theta\in\Theta\). Define the fold-margin proxy
\[
\mathfrak{m}(W,\mu) := -a^{\mathrm{hi}}(W,\mu).
\]
Large positive \(\mathfrak{m}\) indicates that even the worst-case slope is safely negative (locally contracting), while \(\mathfrak{m}\le 0\) indicates proximity to a fold/instability under the declared surrogate.
\paragraph{Proposition 6.2 (Sufficient fold-avoidance condition).} Fix a margin \(\eta_{\mathrm{fold}}>0\). If along a trajectory segment the controller enforces
\[
\mathfrak{m}(W,\mu) \ge \eta_{\mathrm{fold}},
\]
then the declared surrogate guarantees \(\partial_W F(W,\mu,\theta)\le -\eta_{\mathrm{fold}}\) for all \(\theta\in\Theta\) at those states, which is a one-sided sufficient condition excluding a local saddle-node/neutral-stability event in the surrogate model.
\paragraph{Reserve sizing implication (auditable inequality).} If \(\mu\) depends affinely on a fast actuator channel \(u_f\) (e.g., a fast-modulating heating reserve) with bounds \(u_f\in[0,\overline u_f]\), then the condition \(\mathfrak{m}\ge\eta_{\mathrm{fold}}\) can be translated into a required lower bound on available reserve \(\overline u_f\) by checking feasibility of
\[
\exists u_f\in[0,\overline u_f]\ \text{s.t.}\ \mathfrak{m}(W,\mu(u_f,\cdot))\ge\eta_{\mathrm{fold}}
\]
over the declared operating set. Failure yields a design message: increase \(\overline u_f\), reduce \(\tau_d\) / improve estimation bounds that enter \(a^{\mathrm{hi}}\), or slow the scenario so that \(W\) remains farther from the boundary.
VI.C. Robust burn-control reserve sizing via polytopic quadratic stability and invariant-set certification
This subsection links burn-control stability margins to installed actuator headroom and disturbance bounds. The certificate object is an LMI feasibility witness producing a quadratic Lyapunov function and an invariant-set bound.
VI.C.1. Polytopic linearization along a scenario
Let \(z\) denote the augmented state used in planning/control (plasma + actuator states). Along a declared nominal burn trajectory, construct a linear time-invariant (for a local segment) or slowly time-varying approximation
\[
\delta z_{k+1} = A(\vartheta)\,\delta z_k + B(\vartheta)\,\delta u_k + w_k,
\qquad w_k\in\mathcal{W},
\]
where \(\delta u\) is deviation control and \(\vartheta\) collects uncertain partial derivatives/closures. Assume an outer polytopic embedding
\[
(A(\vartheta),B(\vartheta)) \in \mathrm{co}\{(A_i,B_i)\}_{i=1}^M.
\]
VI.C.2. Quadratic stability and invariant ellipsoid certificate
\paragraph{Theorem 6.3 (Polytopic quadratic stability, sufficient).} Suppose there exists \(P\succ 0\) and \(Q\succ 0\) such that for all vertices \(i=1,\dots,M\),
\[
(A_i+B_iK)^\top P (A_i+B_iK) - P \preceq -Q,
\]
for some feedback gain \(K\). Then the closed-loop vertex systems, and by matrix convexity of \(A_{\mathrm{cl}}\mapsto A_{\mathrm{cl}}^\top PA_{\mathrm{cl}}\) every closed-loop matrix in the polytope, are exponentially stable with common quadratic Lyapunov function \(V(\delta z)=\delta z^\top P\delta z\). The tuple \((P,K,Q)\) is a certificate object. Note that the inequality is bilinear in \((P,K)\): with \(K\) fixed it is an LMI in \(P\) and can be checked directly, whereas searching for \(K\) requires the standard change of variables \(X=P^{-1}\), \(Y=KX\) and a Schur complement, after which \(K=YX^{-1}\) is re-checked in the form above.
\paragraph{Invariant-set sizing under bounded disturbances.} If additionally \(w_k\in\{w:\|w\|_2\le \bar w\}\) (or any declared ellipsoid), then standard Lyapunov arguments yield an invariant ellipsoid \(\mathcal{E}_\rho:=\{\delta z: \delta z^\top P\delta z \le \rho\}\) (written \(\mathcal{E}_\rho\) to avoid a clash with the estimation-error sets \(\mathcal{E}_k\)) for a computable \(\rho\) depending on \(\bar w\), \(P\), and \(Q\): one-step bounds of the form \(V(\delta z^+)\le(1+\epsilon)(1-\kappa)V(\delta z)+(1+1/\epsilon)\lambda_{\max}(P)\bar w^2\), with \(\kappa=\lambda_{\min}(Q)/\lambda_{\max}(P)\) and any \(\epsilon>0\) such that \((1+\epsilon)(1-\kappa)<1\), give \(\rho\) as the fixed point of the right-hand side. The module returns \(\rho\) and the induced bounds on critical deviations, \(|\delta z_i|\le\sqrt{\rho\,(P^{-1})_{ii}}\) (e.g., for \(\delta W\), \(\delta n_e\)), as enforceable tightened constraints.
\paragraph{Translation to required headroom and ramp-rate limits.} Actuator headroom and slew limits enter through admissible \(\delta u\) and through actuator lag states embedded in \(z\). If no feasible \((P,K)\) exists under the declared \(\mathcal{U}_{\mathrm{cmd}}\) and lag model, the output is a falsifiable design failure: “insufficient modulation authority/bandwidth or too-large uncertainty/disturbance.”
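\paragraph{Worked example (added).} The following Python block is an added illustration of Theorem 6.3 as a solver-checkable artifact: it verifies a given witness \((P,K,Q)\) at the vertices, computes an invariant level \(\rho\) from the one-step decrease inequality, and converts \(\rho\) into a component bound. It is not part of the paper's software; the two-state burn surrogate (stored-energy deviation and one actuator lag state), the vertex matrices, \(K\), \(P\), \(Q\) and \(\bar w\) are constructed numbers, and the dense linear algebra is written out for the \(2\times2\) case to stay dependency-free.

```python
import math
from typing import List, Sequence, Tuple

Mat = List[List[float]]


def mm(A: Mat, B: Mat) -> Mat:
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def tr(A: Mat) -> Mat:
    return [list(col) for col in zip(*A)]


def add(A: Mat, B: Mat, s: float = 1.0) -> Mat:
    """A + s*B."""
    return [[a + s * b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def sym_eig_2x2(M: Mat) -> Tuple[float, float]:
    """Eigenvalues (min, max) of a symmetric 2x2 matrix, closed form."""
    a, b, d = M[0][0], M[0][1], M[1][1]
    mean, r = (a + d) / 2, math.hypot((a - d) / 2, b)
    return mean - r, mean + r


def closed_loop(A: Mat, B: Mat, K: Sequence[float]) -> Mat:
    return add(A, mm(B, [list(K)]))          # A + B K, with K a 1 x n_z row


def check_certificate(vertices: Sequence[Mat], B: Mat, K: Sequence[float], P: Mat, Q: Mat):
    """Theorem 6.3 witness check: P > 0, Q > 0 and at every vertex
    lambda_max((A_i+B K)^T P (A_i+B K) - P + Q) <= 0.  Returns (ok, worst eigenvalues).
    A common P at the vertices covers the whole hull by matrix convexity of A -> A^T P A."""
    if sym_eig_2x2(P)[0] <= 0 or sym_eig_2x2(Q)[0] <= 0:
        return False, []
    worst = []
    for A in vertices:
        Acl = closed_loop(A, B, K)
        M = add(add(mm(mm(tr(Acl), P), Acl), P, -1.0), Q)
        worst.append(sym_eig_2x2(M)[1])
    return all(w <= 1e-12 for w in worst), worst


def invariant_rho(P: Mat, Q: Mat, wbar: float, n_grid: int = 200) -> float:
    """Level rho with {V <= rho}, V = x^T P x, invariant for x+ = A_cl x + w, |w|_2 <= wbar.
    Using 2 a^T P b <= eps a^T P a + (1/eps) b^T P b and x^T Q x >= kappa V,
    kappa = lambda_min(Q)/lambda_max(P):
        V(x+) <= (1+eps)(1-kappa) V + (1+1/eps) lambda_max(P) wbar^2 =: c V + d,
    so rho = d/(1-c) is invariant whenever c < 1; eps is chosen on a grid below kappa."""
    lam_P, lam_Q = sym_eig_2x2(P)[1], sym_eig_2x2(Q)[0]
    kappa = lam_Q / lam_P
    best = math.inf
    for j in range(1, n_grid):
        eps = kappa * j / n_grid                  # eps < kappa guarantees c < 1
        c = (1 + eps) * (1 - kappa)
        d = (1 + 1 / eps) * lam_P * wbar ** 2
        best = min(best, d / (1 - c))
    return best


def component_bound(P: Mat, rho: float, i: int) -> float:
    """max |x_i| over {x^T P x <= rho} = sqrt(rho * (P^-1)_ii)."""
    det = P[0][0] * P[1][1] - P[0][1] * P[1][0]
    inv_ii = (P[1][1] if i == 0 else P[0][0]) / det
    return math.sqrt(rho * inv_ii)


# Constructed burn-mode surrogate (hypothetical numbers): state (dW, du_act), step h = 0.1,
# growth rate uncertain so that 1 + gamma*h in [1.05, 1.15]; actuator lag pole 0.5.
VERTICES = [[[1.05, 0.1], [0.0, 0.5]], [[1.15, 0.1], [0.0, 0.5]]]
B = [[0.0], [0.5]]
K = [-6.6, -1.0]                     # candidate gain (offline design)
P = [[10.0, 0.83], [0.83, 0.25]]     # candidate Lyapunov matrix
Q = [[0.1, 0.0], [0.0, 0.1]]

if __name__ == "__main__":
    ok, worst = check_certificate(VERTICES, B, K, P, Q)
    print("certificate holds:", ok, "worst vertex eigenvalues:", [round(w, 4) for w in worst])
    rho = invariant_rho(P, Q, wbar=0.01)
    print("rho =", round(rho, 3), "|dW| <=", round(component_bound(P, rho, 0), 3))
    print("open loop (K = 0) holds:", check_certificate(VERTICES, B, [0.0, 0.0], P, Q)[0])
```

The returned \(\rho\) is loose (its conservatism scales like \(1/\kappa^2\), and here \(\kappa\) is small because \(P\) is ill-conditioned), which is the honest output of the generic argument; a tighter invariant level follows from an S-procedure LMI, at the cost of a solver in the checker. The open-loop check fails, which is the "insufficient modulation authority" message of the text for \(K=0\).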
VI.C.3. Multi-input extension and stabilizability checks
For multi-input actuation (heating, fueling, impurity seeding), the same vertex-LMI approach applies with \(K\in\mathbb{R}^{n_u\times n_z}\). As a minimal pre-check, one may test stabilizability of each vertex pair \((A_i,B_i)\); if any vertex is not stabilizable, no common quadratic certificate exists for that embedding, and the correct design message is to revise the embedding (reduce conservatism or refine model) or add actuation channels.
VI.D. Structured robust performance synthesis: bandwidth–delay co-design and actuator–diagnostic sufficiency
This subsection produces a certificate that links (i) actuator bandwidth/lag, (ii) diagnostic delay/latency, and (iii) intrinsic instability or weak damping rates of burn dynamics. Because delay is infinite-dimensional, we state an auditable sufficient condition using (a) an explicitly declared delay approximation and (b) an \(H_\infty\)-style LMI feasibility check.
VI.D.1. Augmented LTI template with actuator lags and measurement delay
Consider a linearized continuous-time model for a critical burn mode
\[
\dot x = A x + B u + E w,
\qquad y = C x,
\]
with a stable actuator chain modeled as
\[
\dot x_a = A_a x_a + B_a u_{\mathrm{cmd}},\qquad u = C_a x_a,
\]
and diagnostic latency modeled as a pure delay
\[
\tilde y(t) = y(t-\tau_d).
\]
We close the loop with a dynamic controller \(K(s)\) driven by \(\tilde y\). The declared uncertainty in burn physics/transport is represented as an additive uncertainty \(\Delta\) in \(A\) and/or an uncertainty channel \(w\) with bounded energy gain.
VI.D.2. Certificate via delay approximation + bounded-real LMI
Fix a declared approximation of the delay \(e^{-s\tau_d}\) by a rational transfer function \(D_{\tau_d}(s)\) (e.g., a Padé approximant of stated order), together with an explicit approximation-error bound \(|e^{-j\omega\tau_d}-D_{\tau_d}(j\omega)|\le \epsilon_d(\omega)\) for all \(\omega\ge 0\). The bound must be frequency dependent (realized as a stable rational weight), because the error does not decay at high frequency: it is bounded by \(2\) and, for all-pass Padé approximants of any order, reaches that value. A constant \(\epsilon_d\) stated only on a range \([0,\omega_{\max}]\) certifies nothing unless the declared loop gain is provably small enough above \(\omega_{\max}\), and that roll-off must then be part of the declaration. The delay-approximation error becomes an additional normalized uncertainty block, with the weight absorbed into the nominal interconnection.
\paragraph{Theorem 6.4 (Bandwidth–delay sufficiency certificate, one-sided).} Consider the closed-loop interconnection formed by the augmented plant (including actuator states), the controller, and the declared uncertainty blocks (transport/closure uncertainty and delay-approximation error), with the blocks normalized so that each has \(H_\infty\) gain at most \(1\) (their declared bounds, including \(\epsilon_d\), enter as weights in the nominal interconnection). Let \(T_{q\to v}\) denote the resulting nominal transfer function from the outputs \(q\) of the uncertainty blocks to their inputs \(v\). If there exists a quadratic storage function (equivalently, an LMI witness for the bounded-real lemma on the augmented realization) proving
\[
\|T_{q\to v}\|_{H_\infty} \le \gamma < 1,
\]
then, by the small-gain theorem, the closed loop is robustly internally stable for all admissible uncertainties. Feasibility of the LMI together with the declared realization and weights is the certificate object. A bound \(\gamma\ge1\) certifies nothing; and since the uncertainty is block-structured, the unstructured small-gain test is conservative but remains sufficient.
\paragraph{Design diagnostics from infeasibility.} If the LMI is infeasible, the module must report which design knob is required under the declared model: reducing \(\tau_d\), increasing actuator bandwidth (changing \(A_a,B_a\) to faster lags), lowering the planned growth-rate envelope (tightening \(\Delta\)), or slowing the scenario so that the linearization has less adverse \(A\) (smaller unstable/weakly damped terms).
\paragraph{Remark (simple conservative rule-of-thumb output).} In addition to the LMI witness, the module may output a conservative scalar inequality derived from phase-lag budgeting, e.g.
\[
\omega_c\,\tau_d \le \varphi_{\max}, \qquad \omega_c \le \omega_a,
\]
for a declared crossover \(\omega_c\), actuator bandwidth surrogate \(\omega_a\), and allowable phase-lag budget \(\varphi_{\max}<\pi/2\). This is not a substitute for the LMI certificate but is useful as an interpretable failure message.
VI.E. Auxiliary power portfolio and real-time allocation interface
Scenario synthesis and burn control typically request multiple auxiliary channels (e.g., different heating/current-drive systems). The certificate goal is: given a requested absorbed power vector, prove that there exists a feasible allocation respecting subsystem limits and plant electrical envelopes.
VI.E.1. Convex feasible envelope for absorbed power
Let \(p\in\mathbb{R}^{m}_{\ge 0}\) denote commanded subsystem powers and let \(p_{\mathrm{abs}}\in\mathbb{R}^{m}_{\ge 0}\) be absorbed powers. Declare a conservative convex inner approximation of feasible absorption as
\[
(p,p_{\mathrm{abs}})\in\mathcal{P} := \{(p,p_{\mathrm{abs}}):\ 0\le p\le \overline p,\ 0\le p_{\mathrm{abs}}\le A\,p,\ Hp\le h\},
\]
where \(A\) is a diagonal or block matrix of absorbed-fraction lower bounds and \(Hp\le h\) encodes additional subsystem restrictions (shine-through proxies, port-sharing, thermal duty constraints) as declared linear inequalities.
VI.E.2. Real-time allocator as a certified projection
Given a requested absorbed-power setpoint \(p_{\mathrm{abs}}^{\mathrm{req}}\) from the MPC, compute
\[
\min_{(p,p_{\mathrm{abs}})\in\mathcal{P}} \ \|p_{\mathrm{abs}}-p_{\mathrm{abs}}^{\mathrm{req}}\|^2
\]
and output \(p\) as the implementable command. Feasibility of this convex program is itself a certificate of existence of a power portfolio meeting the request. Infeasibility is a falsifiable message: the scenario requires a power split that violates declared subsystem/plant limits.
VI.E.3. Connection from scenario demands to MW and MW/s requirements
Because \(p\) enters the actuator lag models (Section II.C), the scenario specifies demanded ramps \(\Delta p/\Delta t\). These become enforceable slew constraints \(\|p_{k+1}-p_k\|\le \Delta p_{\max}\) and thus translate directly into required MW/s capability. The sizing certificate is therefore: the backward-reachability existence test (Section III) or real-time feasibility test (Section V) succeeds only if the installed \((\overline p,\Delta p_{\max})\) are large enough.
VI.F. Fueling schedules with accountancy constraints
This subsection states the interface for producing certified fueling schedules that respect facility accountancy while remaining compatible with hybrid density control (Section V.D).
VI.F.1. MILP schedule template
Let \(k=0,\dots,N-1\). Let \(g_k\ge 0\) denote continuous gas fueling, \(r_k\ge 0\) denote pumping, and let \(\pi_k\in\{0,1\}\) denote a pellet event indicator with pellet magnitude decision \(m_k\ge 0\) (if \(\pi_k=0\), impose \(m_k=0\)). A generic linear surrogate for density proxy is
\[
n_{k+1} = a_k n_k + b_k g_k - c_k r_k + d_k m_k + w_k,\qquad w_k\in[-\bar w_k,\bar w_k].
\]
Facility accountancy is represented by an inventory state \(I_k\) with
\[
I_{k+1} = I_k + \beta_k g_k + \gamma_k m_k - \zeta_k r_k,
\qquad I_k\le \overline I.
\]
All coefficients are declared and must be unit-consistent.
\paragraph{Proposition 6.5 (Schedule feasibility certificate).} Let \(\bar n_k\) denote the nominal density trajectory generated by the schedule with \(w_k\equiv0\), so that \(n_k=\bar n_k+e_k\) with \(e_{k+1}=a_ke_k+w_k\), \(e_0=0\), and hence \(|e_k|\le\delta_k\) where \(\delta_{k+1}=|a_k|\,\delta_k+\bar w_k\), \(\delta_0=0\). If the MILP
\[
\text{find }\{g_k,r_k,\pi_k,m_k\}\ \text{s.t. nominal dynamics, bounds, } \bar n_k\in[n_{\min}+\delta_k,\,n_{\max}-\delta_k],\ I_k\le\overline I
\]
is feasible, then the resulting schedule is a certificate of existence of an open-loop fueling plan satisfying the declared constraints for every disturbance sequence with \(|w_k|\le\bar w_k\). The tightening by \(\delta_k\) is what discharges "for all disturbances"; the nominal MILP without it certifies only the disturbance-free case. (If \(|a_k|\ge1\) the tightening grows with the horizon, which is itself a falsifiable message that open-loop robustness over that horizon is unattainable and closed-loop correction is required.) If infeasible, the output is a falsifiable design failure indicating that the requested scenario density trajectory is incompatible with accountancy, actuator limits, or the declared disturbance level.
VI.F.2. Interface to closed-loop density controller
The MILP schedule provides (i) a baseline pellet plan (times and magnitudes) and (ii) bounds on allowable deviations. The real-time hybrid controller (Section V.D) must enforce the pellet event guards using one-sided jump bounds and must treat any deviation from schedule as a disturbance contributing to \(\mathcal{W}_k\).
VI.G. Pumping / neutral-pressure network certification and tritium throughput
We state a monotone-network certificate that maps fueling and pumping commands to conservative vessel/duct pressure bounds, suitable for CBF/MPC constraints.
VI.G.1. Declared monotone linear network model
Let \(p\in\mathbb{R}^n_{\ge 0}\) be pressures at nodes and \(s\in\mathbb{R}^n_{\ge 0}\) be net gas source terms at the nodes (loads from fueling, outgassing and recycling, net of any local sink loads, and assumed nonnegative so that the bounds below are one-sided); pumps enter through the pump coefficients in \(A(\kappa)\). A simple declared steady network relation is
\[
A(\kappa)\,p = s,
\]
where \(A(\kappa)\) is a matrix depending on uncertain conductances/pump coefficients \(\kappa\in\mathcal{K}\). Assume the declared condition that for all \(\kappa\in\mathcal{K}\), \(A(\kappa)\) is an \(M\)-matrix (in particular, invertible with nonnegative inverse), so that the map \(s\mapsto p\) is monotone:
\[
s_1\le s_2\ \Rightarrow\ p(s_1)\le p(s_2).
\]
VI.G.2. One-sided pressure bounds and closed-loop constraints
If sources satisfy \(0\le s\le \overline s(u)\) for commands \(u\) (fueling/pumping), and if we can compute a conservative upper inverse bound \(A(\kappa)^{-1}\le M^{\mathrm{hi}}\) elementwise for all \(\kappa\in\mathcal{K}\), then, since \(A(\kappa)^{-1}\ge 0\) and \(\overline s(u)\ge 0\),
\[
p \le p^{\mathrm{hi}}(u) := M^{\mathrm{hi}}\,\overline s(u).
\]
Thus any pressure ceiling \(p_i\le \overline p_i\) can be enforced by the linear inequality
\[
e_i^T M^{\mathrm{hi}}\,\overline s(u) \le \overline p_i - \eta_p,
\]
with declared margin \(\eta_p>0\). The tuple \((M^{\mathrm{hi}},\overline s(\cdot),\eta_p)\) is the certificate object that can be embedded in MPC/CBF as an actuator-dependent constraint.
VI.G.3. Design sizing as geometric programming (optional)
If conductances scale posynomially with duct diameters and pump speeds, one may pose a geometric program that sizes these parameters to satisfy \(p^{\mathrm{hi}}(u)\le\overline p\) over declared operating ranges of \(u\). The resulting GP feasibility transcript is a sizing certificate, conditional on the declared posynomial model.
VI.H. Tritium fuel-cycle balance certificates for steady-state campaigns
We represent long-horizon accountancy as a positive-system balance model with one-sided bounds suitable for real-time interlocks.
VI.H.1. Positive linear balance model with uncertain rates
Let \(x_k\in\mathbb{R}^m_{\ge 0}\) collect inventories (e.g., in-vessel, processing, storage, exhaust), and let \(u_k\) collect controlled throughputs (fueling, pumping, processing setpoints). A declared discrete-time balance is
\[
x_{k+1} = A(\theta_k) x_k + B(\theta_k) u_k + e(\theta_k),
\qquad \theta_k\in\Theta_k,
\]
with \(A(\theta_k)\ge 0\), \(B(\theta_k)\ge 0\), \(e(\theta_k)\ge 0\). Safety constraints are of the form \(c^T x_k\le \overline I\) (regulatory cap) and channel constraints \(u_k\in\mathcal{U}_{\mathrm{fac}}\).
VI.H.2. One-sided interval propagation certificate
If elementwise bounds \(A^-\le A(\theta)\le A^+\), \(B^-\le B(\theta)\le B^+\), \(e^-\le e(\theta)\le e^+\) are declared, then a conservative upper trajectory bound \(\overline x_k\) can be propagated by
\[
\overline x_{k+1} = A^+\,\overline x_k + B^+\,\overline u_k + e^+,
\]
where \(\overline u_k\ge 0\) is an upper bound on commanded throughputs; the recursion is one-sided because \(x_k\ge 0\), \(u_k\ge 0\) and all coefficient matrices are nonnegative. Enforcing
\[
c^T \overline x_k \le \overline I - \eta_I
\]
with margin \(\eta_I>0\) (and \(c\ge 0\), so that \(c^T x_k\le c^T\overline x_k\)) is an auditable one-sided interlock condition ensuring the cap is respected for all admissible \(\theta_k\).
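The recursion above can be checked directly. The following Python is an added example, not code from the paper or the MOTO project: it propagates the upper trajectory bound for a constructed three-compartment inventory model (the matrices \(A^+,B^+,e^+\), the throughput ceilings and the cap are illustrative assumptions), evaluates the interlock inequality step by step, and confirms that a realization drawn from inside the declared intervals is dominated by the bound.

```python
"""Added example (not part of the paper): one-sided interval propagation of a
positive inventory balance and the cap interlock c^T x̄_k ≤ Ī − η_I (Section VI.H.2).
The three-compartment model, rate intervals, throughput bounds and cap are
constructed illustrative values, not data from any facility."""


def matvec(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]


def propagate(A, B, e, x0, u_seq):
    """x_{k+1} = A x_k + B u_k + e for given (A, B, e) and an input sequence.
    With (A⁺, B⁺, e⁺, x̄_0, ū_k) this is the upper-bound recursion of VI.H.2;
    it is one-sided only because x_k, u_k, A, B and e are all elementwise ≥ 0."""
    assert all(v >= 0 for v in x0) and all(v >= 0 for u in u_seq for v in u)
    xs = [list(x0)]
    for u in u_seq:
        Ax, Bu = matvec(A, xs[-1]), matvec(B, u)
        xs.append([a + b + ei for a, b, ei in zip(Ax, Bu, e)])
    return xs


def cap_interlock(xs_upper, c, I_cap, eta_I):
    """Audit the interlock: returns (ok, first_violating_step, min_margin) with
    margin_k = Ī − η_I − cᵀ x̄_k.  ok=False is the falsifiable failure message."""
    margins = [I_cap - eta_I - sum(ci * xi for ci, xi in zip(c, x)) for x in xs_upper]
    for k, m in enumerate(margins):
        if m < 0:
            return False, k, min(margins)
    return True, None, min(margins)


def dominates(xs_upper, xs_true, tol=1e-12):
    """Check that the propagated upper trajectory bounds a realization elementwise."""
    return all(t <= u + tol for xu, xt in zip(xs_upper, xs_true) for u, t in zip(xu, xt))


# Constructed declared bounds: compartments = (in-vessel, processing, storage).
A_PLUS = [[0.9, 0.0, 0.0],
          [0.1, 0.9, 0.0],
          [0.0, 0.1, 1.0]]          # worst-case retention/transfer fractions per step
B_PLUS = [[1.0, 0.0],
          [0.0, 0.0],
          [0.0, 0.5]]               # inputs: (fueling throughput, external delivery)
E_PLUS = [0.1, 0.0, 0.0]            # worst-case uncontrolled source (e.g. outgassing)
X0_UPPER = [1.0, 1.0, 1.0]
U_UPPER = [[0.5, 0.2]] * 3          # three-step campaign, per-step throughput ceilings
C_TOTAL = [1.0, 1.0, 1.0]           # the regulatory cap applies to the total inventory


def campaign_certificate(I_cap, eta_I):
    """Propagate the declared upper bounds and audit the cap over the campaign."""
    xs = propagate(A_PLUS, B_PLUS, E_PLUS, X0_UPPER, U_UPPER)
    return cap_interlock(xs, C_TOTAL, I_cap, eta_I)


if __name__ == "__main__":
    print(campaign_certificate(I_cap=6.0, eta_I=0.2))   # (True, None, 0.7)
    print(campaign_certificate(I_cap=5.0, eta_I=0.2))   # (False, 3, -0.3)
```

The returned step index and minimum margin are the audit artifacts: a negative margin names the first step at which the declared cap cannot be certified, which is the signal to derate throughputs or shorten the campaign rather than to trust a nominal simulation.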
VI.I. Plant electrical architecture and grid compatibility certificates
We treat the electrical plant as a separate bounded-error system whose outputs (grid power, peak MVA proxies, ramp rates, and harmonic distortion proxies) provide additional constraints for scenario planning and real-time allocation.
VI.I.1. Declared electrical envelope model and peak-load certificate
Let \(x^e_k\) be an electrical state (e.g., filter states, DC link energy proxy, UPS margin proxy) and let \(p_k\) be auxiliary power commands. A declared bounded-error affine model is
\[
x^e_{k+1} = A^e x^e_k + B^e p_k + c^e + w^e_k,\qquad w^e_k\in\mathcal{W}^e.
\]
Grid power and other envelope outputs are affine maps
\[
y^e_k = C^e x^e_k + D^e p_k + d^e.
\]
Safety constraints (peak, ramp, power quality proxy) are encoded as \(y^e_k\le \overline y^e\). The certification method is identical to Section III.C reachability: compute backward reachable sets for the electrical subsystem, or equivalently tighten \(p_k\) by enforcing robust one-step constraints
\[
\sup_{w^e\in\mathcal{W}^e} \ y^e_{k+1} \le \overline y^e - \eta_e.
\]
The electrical certificate returned to the allocator is a polyhedral constraint \(H_e p_k\le h_e\) that is guaranteed (under declared bounds) to keep \(y^e\) within limits.
VI.I.2. Coupling to actuator sizing/control bandwidth decisions
Because heating-chain bandwidth and ramp rates influence \(p_k\) transients, electrical feasibility can become the binding constraint. In this framework that manifests as: backward reachability in the electrical model becomes empty for a demanded scenario, yielding a falsifiable recommendation to slow ramps or modify filter/storage sizing.
VI.J. Magnet/coil constraint interfaces impacting operations
Many magnet and protection constraints are device- and technology-specific. In this paper they are treated as exogenous envelopes unless externally verified certificates are supplied.
VI.J.1. Exogenous envelope interface
An externally provided magnet/protection module (not developed here) may return an admissible actuation envelope of the form
\[
p_k\in\mathcal{P}_{\mathrm{mag}}:=\{p: H_{\mathrm{mag}} p \le h_{\mathrm{mag}}\},
\qquad \|p_{k+1}-p_k\|\le \Delta p_{\mathrm{mag}},
\]
interpretable as limits on modulation bandwidth, peak power, or ramp rates to preserve coil margins. In this paper, \(\mathcal{P}_{\mathrm{mag}}\) is simply intersected into \(\mathcal{U}_{\mathrm{cmd},k}\) and used by the planner/controller. Any claim about physical correctness of \(\mathcal{P}_{\mathrm{mag}}\) lies outside the present certification scope.
VI.J.2. Audit mechanism hook
Even when treated as exogenous, the envelope must be auditable: the module must provide the inequality coefficients, units, and the declared uncertainty set under which the envelope is claimed. If at runtime the envelope becomes inconsistent with observed electrical/magnet signals, the correct output is “magnet envelope invalid/inconclusive,” triggering a conservative fallback (derate auxiliary modulation).
\paragraph{Summary of Section VI outputs.} The co-design layer produces constraints and bounds consumable by Sections III and V:
\begin{itemize}
\item startup: a certified burn-through inequality and required diagnostics for its evaluation (Theorem 6.1);
\item ramp/burn/shutdown: fold-margin inequalities and reserve sizing implications (Proposition 6.2);
\item burn stability: LMI certificates yielding allowable disturbances and required headroom/bandwidth (Theorem 6.3);
\item bandwidth–delay: robust performance/stability feasibility with explicit failure messages (Theorem 6.4);
\item facilities/plant: polyhedral constraints on fueling, pumping, inventories, and electrical load envelopes.
\end{itemize}
The next section (Section VII) provides proof and computation templates for producing the certificate objects introduced here (LP/GP/MILP and LMI forms, reachability operators, and hybrid guards) and for reporting auditable feasibility margins.
VII. Proof and Computation Templates (How Each Certificate Is Obtained)
This section provides proof skeletons and solver-ready templates for the certificate objects introduced in Sections III–VI. The aim is not to claim any particular stellarator surrogate is correct, but to ensure that, once a surrogate and uncertainty sets are declared, the resulting certificate is (i) sound with respect to that declaration and (ii) auditable through explicit inequalities, solver transcripts, and unit-consistent data.
VII.A. Barrier analysis proofs for startup feasibility (robust thresholds, prefill bounds)
We expand the sufficient burn-through condition of Theorem 6.1 into a standard comparison-lemma argument.
Assume the declared scalar surrogate
\[
C(\theta)\,\dot T = P_{\mathrm{abs}}(u,\theta) - P_{\mathrm{loss}}(T,n,\theta) + d_T(t),
\]
with declared envelopes
\[
P_{\mathrm{abs}}(u,\theta) \ge P_{\mathrm{abs}}^{\mathrm{lo}}(u),\qquad
P_{\mathrm{loss}}(T,n,\theta) \le P_{\mathrm{loss}}^{\mathrm{hi}}(T,n),\qquad
|d_T(t)|\le \bar d_T,
\]
valid for all \(\theta\in\Theta_{\mathrm{st}}\), \(n\in\mathcal{N}_{\mathrm{st}}\). Define
\[
\Delta(T,n;\bar u) := P_{\mathrm{abs}}^{\mathrm{lo}}(\bar u) - P_{\mathrm{loss}}^{\mathrm{hi}}(T,n) - \bar d_T.
\]
If \(\inf_{T\in[T_0,T_{\mathrm{bt}}]}\inf_{n\in\mathcal{N}_{\mathrm{st}}} \Delta(T,n;\bar u)\ge \varepsilon>0\), then for any admissible \((\theta(t),n(t),d_T(t))\) we have
\[
C(\theta(t))\,\dot T(t) \ge \varepsilon.
\]
Using \(C(\theta(t))\le C_{\max}\) yields the differential inequality
\[
\dot T(t)\ge \varepsilon/C_{\max} \quad\text{whenever }T(t)\in[T_0,T_{\mathrm{bt}}].
\]
Integrating gives \(T(t)\ge T_0 + (\varepsilon/C_{\max})t\) until burn-through, hence the time bound
\[
T_{\mathrm{reach}} \le \frac{C_{\max}}{\varepsilon}(T_{\mathrm{bt}}-T_0).
\]
\paragraph{Computational template (startup certificate scalar).} Given declared functions and bounds, compute
\[
\varepsilon := \min_{T\in[T_0,T_{\mathrm{bt}}],\ n\in\mathcal{N}_{\mathrm{st}}} \Delta(T,n;\bar u).
\]
If \(\Delta\) is nonconvex, the audit trail must record the minimization method and any conservative lower-bounding steps (interval arithmetic, Lipschitz bounds, gridding with verified remainder bounds). A certificate is valid only if the reported \(\varepsilon\) is a proved lower bound.
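The gridding-with-remainder option is made concrete below. This Python is an added example, not code from the paper: the envelope functions \(P_{\mathrm{abs}}^{\mathrm{lo}}\), \(P_{\mathrm{loss}}^{\mathrm{hi}}\), their Lipschitz constants and all numerical values are assumed illustrative surrogates, chosen only so that the remainder bound can be derived analytically in a comment and recorded in the audit dictionary.

```python
"""Added example (not part of the paper): a proved lower bound ε on the burn-through
margin Δ(T,n; ū) by gridding with a Lipschitz remainder, and the resulting time
bound T_reach ≤ C_max (T_bt − T_0)/ε (Section VII.A). The envelope functions,
their Lipschitz constants and all numbers are assumed illustrative surrogates."""

import math


# --- declared envelopes (assumptions; nominal units MW, keV, 10^20 m^-3) -------
def P_abs_lo(u_bar):
    return 0.8 * u_bar                      # declared minimum absorbed fraction 0.8


def P_loss_hi(T, n):
    return n * (0.5 + 2.0 / (1.0 + T))      # radiation-like barrier, largest at low T


# Lipschitz constants of P_loss_hi (hence of Δ) on T ≥ 0, 0 ≤ n ≤ 1:
#   |∂T P_loss_hi| = n·2/(1+T)^2 ≤ 2,     |∂n P_loss_hi| = 0.5 + 2/(1+T) ≤ 2.5
L_T, L_N = 2.0, 2.5


def delta(T, n, u_bar, d_bar):
    return P_abs_lo(u_bar) - P_loss_hi(T, n) - d_bar


def certified_epsilon(T0, T_bt, n_lo, n_hi, u_bar, d_bar, N=200):
    """Proved lower bound on min Δ over [T0,T_bt]×[n_lo,n_hi]: evaluate Δ at the
    centres of an N×N grid; every point lies within (hT/2, hn/2) of a centre, so
    Δ ≥ (grid minimum) − L_T·hT/2 − L_N·hn/2 everywhere. The remainder is logged."""
    assert n_hi <= 1.0 and T0 >= 0.0, "Lipschitz constants are declared on this box only"
    hT, hn = (T_bt - T0) / N, (n_hi - n_lo) / N
    grid_min = min(delta(T0 + (i + 0.5) * hT, n_lo + (j + 0.5) * hn, u_bar, d_bar)
                   for i in range(N) for j in range(N))
    remainder = L_T * hT / 2 + L_N * hn / 2
    return grid_min - remainder, {"grid_min": grid_min, "remainder": remainder, "N": N}


def startup_certificate(T0, T_bt, n_lo, n_hi, u_bar, d_bar, C_max, N=200):
    """Returns (eps, T_reach_bound, audit) when eps > 0, else (eps, None, audit):
    a non-positive eps is the falsifiable failure 'burn-through not certified'."""
    eps, audit = certified_epsilon(T0, T_bt, n_lo, n_hi, u_bar, d_bar, N)
    if eps <= 0:
        return eps, None, audit
    return eps, C_max * (T_bt - T0) / eps, audit


if __name__ == "__main__":
    print(startup_certificate(0.01, 0.2, 0.5, 1.0, u_bar=4.0, d_bar=0.1, C_max=5.0))
    print(startup_certificate(0.01, 0.2, 0.5, 1.0, u_bar=3.0, d_bar=0.1, C_max=5.0))
```

The second call fails deliberately: with the lower heating command the loss envelope exceeds the absorbed-power envelope near \(T_0\), so no \(\varepsilon>0\) exists and the certificate reports the failure instead of a reach time. Note that \(\varepsilon\) is always at or below the true infimum of \(\Delta\) on the box, which is what makes the reach-time bound valid.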
VII.B. Saddle-node/continuation argument for collapse boundary and envelope tracking
We record a standard fold-margin construction for the scalar energy surrogate
\(\dot W = F(W,\mu,\theta)+d_W\).
\paragraph{Local fold normal form (template).} Fix \(\theta\). Suppose \(F\) is twice continuously differentiable and at a fold point \((W^\dagger,\mu^\dagger)\):
\[
F(W^\dagger,\mu^\dagger,\theta)=0,\qquad \partial_W F(W^\dagger,\mu^\dagger,\theta)=0,\qquad \partial_\mu F(W^\dagger,\mu^\dagger,\theta)\neq 0,\qquad \partial_W^2 F(W^\dagger,\mu^\dagger,\theta)\neq 0.
\]
Then, after a smooth change of coordinates, the equilibrium branch locally satisfies a quadratic relation \(\tilde\mu \approx \pm \tilde W^2\). This motivates using a one-sided surrogate for “distance to fold” based on the worst-case slope bound \(a^{\mathrm{hi}}\) introduced in Section VI.B.
\paragraph{Auditable fold-avoidance inequality.} The enforceable condition
\(\mathfrak{m}(W,\mu)=-a^{\mathrm{hi}}(W,\mu)\ge \eta_{\mathrm{fold}}\)
requires that \(a^{\mathrm{hi}}\) be a proved upper bound on \(\partial_W F\) over \(\theta\in\Theta\) and any additional estimation-error inflations. The audit record must include the bound derivation (analytic maximization, interval evaluation, or vertex check if affine in \(\theta\)).
VII.C. Polytopic quadratic stability / invariant-set proofs via LMIs
We expand Theorem 6.3 into solver-ready LMIs and an invariant-set computation.
VII.C.1. Common quadratic Lyapunov function for polytopic vertices
Consider the vertex family
\[
\delta z_{k+1} = (A_i + B_i K)\,\delta z_k + w_k,\qquad i\in\{1,\dots,M\}.
\]
A sufficient condition for a common quadratic Lyapunov function is
\[
(A_i+B_iK)^\top P (A_i+B_iK) - P \preceq -Q,\qquad P\succ 0,\ Q\succ 0,\ \forall i.
\]
If \(K\) is a decision variable, the product of \(K\) and \(P\) makes this condition bilinear. The standard remedy is a congruence transformation with \(S:=P^{-1}\) together with the change of variables \(Y:=KS\), after which the condition is an LMI in \((S,Y)\). One common discrete-time stabilizing template is: find \(S\succ 0\), \(Y\) such that for all vertices \(i\),
\[
\begin{bmatrix}
S & (A_i S + B_i Y)^\top\\
A_i S + B_i Y & S
\end{bmatrix} \succ 0.
\]
By the Schur complement this is \(S-(A_iS+B_iY)^\top S^{-1}(A_iS+B_iY)\succ 0\), i.e. the Lyapunov inequality above with \(P=S^{-1}\) and \(K=Y S^{-1}\); it ensures \(\rho(A_i+B_iK)<1\). If one also wants a decay rate, use
\[
(A_i S + B_i Y)^\top S^{-1} (A_i S + B_i Y) \preceq \lambda^2 S\quad\text{for some }\lambda\in(0,1),
\]
implemented via the same Schur complement with the \((1,1)\) block replaced by \(\lambda^2 S\).
\paragraph{Audit artifact.} The certificate object includes: vertex list \(\{(A_i,B_i)\}\), the decision variables \((S,Y)\), the recovered \(P=S^{-1}\) and gain \(K=YS^{-1}\), solver primal/dual residuals, and a post-check reporting \(\max_i \rho(A_i+B_iK)\) computed numerically (not as a proof, but as a diagnostic).
VII.C.2. Invariant ellipsoid under bounded disturbances (discrete time)
Assume \(w_k\) lies in a declared Euclidean ball \(\|w_k\|_2\le \bar w\). Let \(V(\delta z)=\delta z^\top P\delta z\), with \(P\succ 0\), and suppose for all vertices
\[
(A_i+B_iK)^\top P (A_i+B_iK) - P \preceq -Q,\qquad Q\succ 0.
\]
Then
\[
\Delta V := V(\delta z_{k+1})-V(\delta z_k)
\le -\delta z_k^\top Q\delta z_k + 2\,\| (A_i+B_iK)^\top P\|\,\|\delta z_k\|\,\|w_k\| + \lambda_{\max}(P)\,\|w_k\|^2.
\]
A conservative invariant ellipsoid is obtained by a two-case argument. Bound \(\|(A_i+B_iK)^\top P\|_2\le\beta\) and \(\|A_i+B_iK\|_2\le\alpha\) by declared constants uniform over the vertices, and let \(r^\star\) be the nonnegative root of
\[
\lambda_{\min}(Q)\,r^2 - 2\beta\bar w\,r - \lambda_{\max}(P)\,\bar w^2 = 0,
\qquad
r^\star=\frac{\beta\bar w+\sqrt{\beta^2\bar w^2+\lambda_{\min}(Q)\lambda_{\max}(P)\bar w^2}}{\lambda_{\min}(Q)}.
\]
For \(\|\delta z_k\|_2\ge r^\star\) the right-hand side of the bound on \(\Delta V\) is nonpositive (use \(\|\delta z_k\|_2\) as the variable and \(\|w_k\|_2\le\bar w\)), so \(V(\delta z_{k+1})\le V(\delta z_k)\). For \(\|\delta z_k\|_2< r^\star\), \(\|\delta z_{k+1}\|_2\le \alpha r^\star+\bar w\) and hence \(V(\delta z_{k+1})\le \lambda_{\max}(P)(\alpha r^\star+\bar w)^2\); this second case is needed because the \(\Delta V\) estimate is positive at \(\delta z_k=0\). Therefore
\[
\rho := \lambda_{\max}(P)\,(\alpha r^\star+\bar w)^2
\]
makes \(\{\delta z: \delta z^\top P\delta z\le \rho\}\) robustly positively invariant for all vertices and all \(\|w_k\|_2\le\bar w\). The resulting ellipsoid can then be mapped to componentwise deviation bounds via
\(|e_j^\top\delta z|\le \sqrt{\rho\,(e_j^\top P^{-1} e_j)}\).
\paragraph{Design message.} Since \(\rho\) scales with \(\bar w^2\) and increases with \(\lambda_{\max}(P)/\lambda_{\min}(Q)\) through \(r^\star\), the certified ellipsoid may exceed the headroom available in \(\mathcal{Z}_{\mathrm{safe}}\) or the installed actuation constraints; in that case the declared disturbance bound \(\bar w\) is too large relative to the achievable contraction \(Q\), and the failure is falsifiable and should propagate to scenario redesign.
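The two-case construction is computed below for a two-vertex, two-state example. This Python is an added example, not code from the paper: the vertex matrices, actuator vector, gain \(K\), Lyapunov matrix \(P\) (solved offline for vertex 1 and re-checked by the code at both vertices) and \(\bar w\) are constructed assumptions. It returns \(\rho\), the audit scalars \((\lambda_{\min}(Q),\lambda_{\max}(P),\alpha,\beta,r^\star)\), the componentwise bounds, and a seeded sampling post-check that is a diagnostic, not a proof.

```python
"""Added example (not part of the paper): the robust invariant ellipsoid radius ρ of
Section VII.C.2 for a two-vertex polytopic closed loop, with componentwise deviation
bounds and a sampling post-check. All system data are constructed illustrative values."""

import math
import random


def mul2(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def tr2(X):
    return [[X[0][0], X[1][0]], [X[0][1], X[1][1]]]


def eig_sym2(S):
    """Eigenvalues (min, max) of a symmetric 2x2 matrix in closed form."""
    tr, det = S[0][0] + S[1][1], S[0][0] * S[1][1] - S[0][1] * S[1][0]
    disc = math.sqrt(max(tr * tr - 4.0 * det, 0.0))
    return (tr - disc) / 2.0, (tr + disc) / 2.0


def norm2(X):
    """Spectral norm ‖X‖₂ = sqrt(λ_max(XᵀX))."""
    return math.sqrt(eig_sym2(mul2(tr2(X), X))[1])


def quad(P, v):
    return sum(v[i] * P[i][j] * v[j] for i in range(2) for j in range(2))


def closed_loop(A, B, K):
    """A + B K for a column B (length 2) and a row gain K (length 2)."""
    return [[A[i][j] + B[i] * K[j] for j in range(2)] for i in range(2)]


def invariant_ellipsoid(A_list, B, K, P, w_bar):
    """Two-case construction of VII.C.2. Returns (rho, audit), or None when some
    vertex is not contracting under P (Q_i = P − A_cl,iᵀ P A_cl,i not ≻ 0)."""
    lam_min_Q, alpha, beta = math.inf, 0.0, 0.0
    for A in A_list:
        Acl = closed_loop(A, B, K)
        AtP = mul2(tr2(Acl), P)
        AtPA = mul2(AtP, Acl)
        Q = [[P[i][j] - AtPA[i][j] for j in range(2)] for i in range(2)]
        lmin = eig_sym2(Q)[0]
        if lmin <= 0.0:
            return None                       # no common quadratic certificate
        lam_min_Q = min(lam_min_Q, lmin)
        alpha = max(alpha, norm2(Acl))        # ‖A_cl,i‖₂ bound
        beta = max(beta, norm2(AtP))          # ‖A_cl,iᵀ P‖₂ bound
    lam_max_P = eig_sym2(P)[1]
    # r*: nonnegative root of λmin(Q) r² − 2β w̄ r − λmax(P) w̄² = 0  (ΔV ≤ 0 for ‖δz‖ ≥ r*)
    r_star = (beta * w_bar + math.sqrt((beta * w_bar) ** 2
              + lam_min_Q * lam_max_P * w_bar ** 2)) / lam_min_Q
    # for ‖δz‖ < r*: ‖δz⁺‖ ≤ α r* + w̄, hence V(δz⁺) ≤ λmax(P)(α r* + w̄)²
    rho = lam_max_P * (alpha * r_star + w_bar) ** 2
    return rho, {"lam_min_Q": lam_min_Q, "lam_max_P": lam_max_P,
                 "alpha": alpha, "beta": beta, "r_star": r_star}


def componentwise_bounds(P, rho):
    """|e_jᵀ δz| ≤ sqrt(ρ (P⁻¹)_jj) over the ellipsoid δzᵀ P δz ≤ ρ (2x2 inverse)."""
    det = P[0][0] * P[1][1] - P[0][1] * P[1][0]
    return [math.sqrt(rho * P[1][1] / det), math.sqrt(rho * P[0][0] / det)]


def sample_check(A_list, B, K, P, w_bar, rho, trials=2000, seed=0):
    """Diagnostic only (not a proof): seeded random δz inside the ellipsoid and
    random ‖w‖₂ = w̄ must land back inside the ellipsoid at every vertex."""
    rng = random.Random(seed)
    for _ in range(trials):
        th = rng.uniform(0.0, 2.0 * math.pi)
        d = [math.cos(th), math.sin(th)]
        s = math.sqrt(rho / quad(P, d)) * rng.uniform(0.0, 1.0)
        dz = [s * d[0], s * d[1]]
        ph = rng.uniform(0.0, 2.0 * math.pi)
        w = [w_bar * math.cos(ph), w_bar * math.sin(ph)]
        for A in A_list:
            Acl = closed_loop(A, B, K)
            nxt = [Acl[i][0] * dz[0] + Acl[i][1] * dz[1] + w[i] for i in range(2)]
            if quad(P, nxt) > rho * (1.0 + 1e-9):
                return False
    return True


# Constructed data: uncertain damping on the second state, shared actuator and gain.
A_VERTICES = [[[1.0, 0.1], [0.0, 1.0]], [[1.0, 0.1], [0.0, 0.9]]]
B_IN = [0.0, 0.1]
K_GAIN = [-2.0, -3.0]
P_LYAP = [[13.137, 2.7987], [2.7987, 2.9866]]   # vertex-1 Lyapunov solution (offline)
W_BAR = 0.05

if __name__ == "__main__":
    rho, audit = invariant_ellipsoid(A_VERTICES, B_IN, K_GAIN, P_LYAP, W_BAR)
    print(rho, audit, componentwise_bounds(P_LYAP, rho))
```

With the zero gain the first vertex is only marginally stable, \(Q_1\) is not positive definite, and the function returns None rather than a radius; that is the intended falsifiable outcome, not an error path.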
VII.D. Robust \(H_\infty\) / structured synthesis template
We record a certificate template for Theorem 6.4 using a purely finite-dimensional declared approximation.
VII.D.1. Bounded-real lemma (continuous-time, certificate form)
Let the declared closed-loop approximation have state-space realization
\[
\dot x = A_{\mathrm{cl}} x + B_{\mathrm{cl}} w,\qquad z = C_{\mathrm{cl}} x + D_{\mathrm{cl}} w,
\]
where \(w\) aggregates disturbances and declared uncertainty channels (including delay-approximation error injected as an exogenous input with gain bound). A sufficient condition for \(\|T_{w\to z}\|_{H_\infty}<\gamma\) is the existence of \(P\succ 0\) such that
\[
\begin{bmatrix}
A_{\mathrm{cl}}^\top P + P A_{\mathrm{cl}} & P B_{\mathrm{cl}} & C_{\mathrm{cl}}^\top\\
B_{\mathrm{cl}}^\top P & -\gamma I & D_{\mathrm{cl}}^\top\\
C_{\mathrm{cl}} & D_{\mathrm{cl}} & -\gamma I
\end{bmatrix} \prec 0.
\]
The certificate object is \((P,\gamma)\) together with the declared realization matrices and the declared gain bounds used to construct \(B_{\mathrm{cl}},D_{\mathrm{cl}}\).
\paragraph{Structured uncertainty and conservatism.} If uncertainties are structured (multiple blocks), replacing them by a single full-block \(H_\infty\) gain bound is conservative but sound. If a less conservative structured certificate is required (\(\mu\)-type), the implementation must declare the method (e.g., D--K iteration) and treat outcomes as heuristic unless a final LMI feasibility check certifies robustness for the declared block structure.
VII.E. Backward reachability recursion and polytope operations
We provide explicit polyhedral formulas supporting Section III.C.
VII.E.1. Support-function computation for Pontryagin difference
Let \(\mathcal{S}=\{x: Hx\le b\}\) be a polytope and \(\mathcal{W}\) be a compact convex set. Then
\[
\mathcal{S}\ominus\mathcal{W} = \{y: Hy \le b - s_{\mathcal{W}}(H)\},
\]
where \(s_{\mathcal{W}}(H)\) denotes the vector with entries
\(
[s_{\mathcal{W}}(H)]_r := \max_{w\in\mathcal{W}} h_r^\top w
\)
for each row \(h_r^\top\) of \(H\). Thus, computing \(\mathcal{S}\ominus\mathcal{W}\) reduces to computing support-function values.
\paragraph{Common cases.}
\begin{itemize}
\item If \(\mathcal{W}\) is a box \(\{w: \underline w\le w\le \overline w\}\), then \(\max h^\top w\) is obtained componentwise by choosing \(w_j=\overline w_j\) when \(h_j\ge 0\) and \(w_j=\underline w_j\) when \(h_j<0\).
\item If \(\mathcal{W}=\mathrm{co}\{w^{(1)},\dots,w^{(L)}\}\), then \(\max_{w\in\mathcal{W}} h^\top w = \max_{\ell} h^\top w^{(\ell)}\).
\end{itemize}
VII.E.2. Predecessor operator as an LP-feasibility map
Suppose \(\mathcal{R}=\{z: H_R z\le b_R\}\) and \(\mathcal{U}=\{u: G u\le g\}\). Compute \(\mathcal{R}\ominus\mathcal{W}=\{y: H_R y\le b_R-\sigma\}\) where \(\sigma_r=\max_{w\in\mathcal{W}} h_{R,r}^\top w\). Then
\[
\mathrm{Pre}(\mathcal{R}) = \Big\{z: \exists u\ \text{s.t.}\ Gu\le g,\ \ H_R(Az+Bu+c)\le b_R-\sigma\Big\}.
\]
For a queried \(z\), membership can be checked by the LP feasibility problem in variable \(u\). To represent \(\mathrm{Pre}(\mathcal{R})\) itself as a polytope, one may (i) eliminate \(u\) via projection (Fourier--Motzkin or polyhedral projection solvers), or (ii) store \(\mathrm{Pre}\) implicitly and evaluate membership online. The audit record must state which representation is used.
\paragraph{Sound approximations.} For soundness of robust reachability, any approximation must be an \emph{inner} approximation of \(\mathrm{Pre}\) (shrinking the set), never an outer approximation, unless the outer approximation is accompanied by an additional proof that preserves the inclusion \(Az+Bu+c+\mathcal{W}\subseteq\mathcal{R}\).
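The support-function and predecessor constructions above, as an added Python example that is not code from the paper: for a box or vertex-described \(\mathcal{W}\) it computes \(\mathcal{R}\ominus\mathcal{W}\), and for a scalar input it decides membership in \(\mathrm{Pre}(\mathcal{R})\) exactly by intersecting the half-line constraints that each row places on \(u\), returning the feasible interval as the witness for the audit record. The double-integrator-like surrogate, the sets and the query states are constructed.

```python
"""Added example (not part of the paper): the support-function form of the
Pontryagin difference (VII.E.1) and an exact membership test for Pre(R) when the
input is scalar, so the LP in u collapses to an interval intersection (VII.E.2).
The surrogate dynamics, box sets and query states are constructed."""


def support_box(h, w_lo, w_hi):
    """s_W(h) = max_{w_lo ≤ w ≤ w_hi} hᵀw: pick w_j = w̄_j where h_j ≥ 0, else w̲_j."""
    return sum(hj * (w_hi[j] if hj >= 0 else w_lo[j]) for j, hj in enumerate(h))


def support_vertices(h, verts):
    """s_W(h) for W = co{w^(1..L)}: the maximum over the vertices."""
    return max(sum(hj * vj for hj, vj in zip(h, v)) for v in verts)


def pontryagin_difference(H, b, support):
    """S ⊖ W = {y : H y ≤ b − s_W(H)}; `support` maps a row h to s_W(h)."""
    return H, [bi - support(h) for h, bi in zip(H, b)]


def pre_membership_scalar_u(z, A, B, c, H_R, b_tight, u_lo, u_hi, tol=1e-12):
    """z ∈ Pre(R) iff some u ∈ [u_lo,u_hi] satisfies H_R(Az + Bu + c) ≤ b_R − σ.
    Each row is a half-line constraint on the scalar u; return the feasible
    interval (the witness for the audit record) or None if it is empty."""
    Azc = [sum(a * zj for a, zj in zip(row, z)) + ci for row, ci in zip(A, c)]
    lo, hi = u_lo, u_hi
    for h, bt in zip(H_R, b_tight):
        coef = sum(hj * bj for hj, bj in zip(h, B))      # coefficient of u: hᵀB
        rhs = bt - sum(hj * v for hj, v in zip(h, Azc))  # right-hand side: b_tight − hᵀ(Az + c)
        if abs(coef) <= tol:
            if rhs < -tol:
                return None                              # violated regardless of u
        elif coef > 0:
            hi = min(hi, rhs / coef)
        else:
            lo = max(lo, rhs / coef)
        if lo > hi + tol:
            return None
    return lo, hi


# Constructed surrogate: z = (position-like, rate-like), scalar actuator.
A_SYS = [[1.0, 0.1], [0.0, 1.0]]
B_SYS = [0.005, 0.1]
C_SYS = [0.0, 0.0]
H_BOX = [[1.0, 0.0], [-1.0, 0.0], [0.0, 1.0], [0.0, -1.0]]   # R: |z1| ≤ 1, |z2| ≤ 1
B_BOX = [1.0, 1.0, 1.0, 1.0]
W_LO, W_HI = [-0.05, -0.05], [0.05, 0.05]                   # box disturbance set
U_LO, U_HI = -1.0, 1.0                                      # input bounds


def robust_target():
    """R ⊖ W for the box disturbance above."""
    return pontryagin_difference(H_BOX, B_BOX, lambda h: support_box(h, W_LO, W_HI))


def in_pre(z):
    """Feasible u-interval if z ∈ Pre(R), else None."""
    H, bt = robust_target()
    return pre_membership_scalar_u(z, A_SYS, B_SYS, C_SYS, H, bt, U_LO, U_HI)


if __name__ == "__main__":
    print(robust_target()[1])          # [0.95, 0.95, 0.95, 0.95]
    print(in_pre([0.9, 0.5]))          # feasible u-interval
    print(in_pre([0.9, 0.8]))          # None: cannot stay inside R robustly
```

The second query fails because the rate-like state is too large for any admissible \(u\) to keep the position-like state inside the tightened box at the next step; the tightening by \(\sigma=0.05\) is what makes the answer robust to the declared disturbance rather than merely nominal.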
VII.F. Hybrid impulsive stability argument for pellet-driven density control
We provide a proof template supporting Lemma 5.4 and the hybrid safety logic.
\paragraph{Instantaneous safety across jumps.} Let \(h(x)\ge 0\) define a safety constraint and suppose the jump map satisfies a one-sided bound
\[
h(x^+) \ge h(x^-) - \Delta_h^{\mathrm{hi}}(\phi),
\]
for all uncertain deposition parameters. If the event guard enforces \(h(x^-)\ge \Delta_h^{\mathrm{hi}}(\phi)+\eta\), then \(h(x^+)\ge \eta>0\). This establishes jump invariance.
\paragraph{Inter-event safety.} Between events, enforce a robust CBF inequality for \(h\) (Section V.B) or enforce a robust one-step constraint in discrete time (Section V.C). A complete hybrid safety certificate is thus a conjunction: (i) event guard for jumps and (ii) continuous/discrete-time invariance between jumps.
\paragraph{Minimum inter-event time as an additional declared constraint.} If the injector has a declared minimum spacing \(\Delta t_{\min}\), include this as an additional guard; otherwise, feasibility of the hybrid policy may be ill-posed (infinite event rates). This is not a modeling detail: it is required to keep the safety logic auditable.
VII.G. Monotone systems arguments (\(M\)-matrix) and geometric programming derivations for pumping networks
VII.G.1. \(M\)-matrix monotonicity and conservative inverse bounds
Let \(A\) be a nonsingular \(M\)-matrix, e.g. \(A=\sigma I-N\) with \(N\ge 0\) and \(\sigma>\rho(N)\). Then \(A^{-1}\ge 0\) elementwise, hence \(p=A^{-1}s\) is monotone in the source vector \(s\).
For uncertainty \(A(\kappa)\), a common auditable sufficient strategy is to compute an elementwise lower bound \(A^-\) such that:
\begin{enumerate}
\item for all \(\kappa\in\mathcal{K}\), \(A(\kappa)\ge A^-\) elementwise, and
\item \(A^-\) is certified to be a nonsingular \(M\)-matrix.
\end{enumerate}
Under these two declared properties, and provided every \(A(\kappa)\) has nonpositive off-diagonal entries (a \(Z\)-matrix), the standard comparison result for nonsingular \(M\)-matrices gives that each \(A(\kappa)\) is itself a nonsingular \(M\)-matrix and that, elementwise,
\[
A(\kappa)^{-1} \le (A^-)^{-1};
\]
hence one may take \(M^{\mathrm{hi}}:=(A^-)^{-1}\) in Section VI.G.
\paragraph{Auditable check that \(A^-\) is a nonsingular \(M\)-matrix.} Any of the following sufficient checks is acceptable if stated:
\begin{itemize}
\item (positive vector test) find \(x\gg 0\) with \(A^- x \gg 0\);
\item (diagonal dominance) verify strict diagonal dominance with nonpositive off-diagonals;
\item (spectral radius) certify \(\sigma>\rho(N)\) for the splitting \(A^-=\sigma I-N\), using a proved spectral bound.
\end{itemize}
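The inverse bound, the positive-vector check and the pressure-ceiling inequality of Section VI.G.2 together, as an added Python example that is not code from the paper: the three-node network form, the intervals for the conductances and pump speed (the uncertain \(\kappa\)) and the source bound \(\overline s\) are constructed assumptions. It also shows the honest failure mode: for wide intervals the elementwise lower bound \(A^-\) loses the row-sum structure of the network and is no longer an \(M\)-matrix, so the certificate is returned as inconclusive rather than as a bound.

```python
"""Added example (not part of the paper): the elementwise inverse bound
A(κ)⁻¹ ≤ (A⁻)⁻¹ of Section VII.G.1, the positive-vector M-matrix check, and the
pressure-ceiling inequality e_iᵀ M^hi s̄ ≤ p̄_i − η_p of Section VI.G.2. The
three-node network, the κ intervals and the source bound are constructed values."""

import itertools


def matvec(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]


def inverse(A):
    """Gauss-Jordan inverse with partial pivoting (small dense matrices)."""
    n = len(A)
    M = [list(map(float, row)) + [1.0 if i == j else 0.0 for j in range(n)]
         for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular")
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0.0:
                f = M[r][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]


def build_A(c12, c23, S):
    """Assumed steady network: vessel(1)–duct(2) conductance c12, duct–plenum(3)
    conductance c23, pump speed S removing gas at the plenum node."""
    return [[c12, -c12, 0.0],
            [-c12, c12 + c23, -c23],
            [0.0, -c23, c23 + S]]


def elementwise_lower_bound(box):
    """A⁻ ≤ A(κ) for all κ in the box: diagonals from lower bounds, off-diagonals
    (which are −conductances) from upper bounds."""
    (c12l, c12u), (c23l, c23u), (Sl, _Su) = box
    return [[c12l, -c12u, 0.0],
            [-c12u, c12l + c23l, -c23u],
            [0.0, -c23u, c23l + Sl]]


def m_matrix_certificate(A):
    """Positive-vector test: try x = A⁻¹·1. For a Z-matrix, x ≫ 0 with A x ≫ 0
    certifies a nonsingular M-matrix; x is the auditable artifact. None = inconclusive."""
    n = len(A)
    if any(A[i][j] > 0 for i in range(n) for j in range(n) if i != j):
        return None
    try:
        x = matvec(inverse(A), [1.0] * n)
    except ValueError:
        return None
    if all(xi > 0 for xi in x) and all(v > 0 for v in matvec(A, x)):
        return x
    return None


def inverse_upper_bound(box):
    """M^hi := (A⁻)⁻¹ with its certificate x, or (None, None) if A⁻ is not certified."""
    A_minus = elementwise_lower_bound(box)
    x = m_matrix_certificate(A_minus)
    return (inverse(A_minus), x) if x is not None else (None, None)


def vertex_check(box, M_hi, tol=1e-9):
    """Diagnostic: A(κ)⁻¹ ≤ M^hi elementwise at every vertex κ of the box."""
    for kappa in itertools.product(*box):
        Ainv = inverse(build_A(*kappa))
        if any(Ainv[i][j] > M_hi[i][j] + tol for i in range(3) for j in range(3)):
            return False
    return True


def pressure_ceiling_ok(M_hi, s_bar, i, p_cap, eta_p):
    """e_iᵀ M^hi s̄ ≤ p̄_i − η_p; the bound is one-sided only for s̄ ≥ 0."""
    assert all(v >= 0.0 for v in s_bar), "source bound must be nonnegative"
    return matvec(M_hi, s_bar)[i] <= p_cap - eta_p


NARROW_BOX = [(1.0, 1.2), (5.0, 5.5), (4.0, 4.5)]   # (c12, c23, S) intervals
WIDE_BOX = [(1.0, 2.0), (5.0, 8.0), (4.0, 6.0)]
S_BAR = [1.2, 0.3, 0.0]                              # worst-case loads: fueling+outgassing, recycling

if __name__ == "__main__":
    M_hi, x = inverse_upper_bound(NARROW_BOX)
    print(x, vertex_check(NARROW_BOX, M_hi), pressure_ceiling_ok(M_hi, S_BAR, 0, 3.5, 0.1))
    print(inverse_upper_bound(WIDE_BOX))             # (None, None): certificate inconclusive
```

The vector \(x\) returned with \(M^{\mathrm{hi}}\) is what an auditor re-checks (\(A^-x\gg 0\)); the vertex comparison is only a diagnostic, since the comparison theorem, not the sampled vertices, is what proves the bound for the whole box.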
VII.G.2. Geometric programming (GP) template
If the network constraints can be written as posynomial inequalities in positive design variables \(\xi\) (duct diameters, pump speeds), then a sizing problem takes the GP form
\[
\min\ f_0(\xi)\quad\text{s.t.}\quad f_i(\xi)\le 1\ (\text{posynomials}),\quad \xi>0.
\]
The certificate is the solver transcript together with the explicit mapping from physical quantities to the GP variables and the unit normalization used to make the GP dimensionless (required for auditability).
VII.H. Conformal prediction coverage guarantees and stratified validity conditions
We record the coverage statement used in Section IV.F.
\paragraph{Proposition 7.1 (Split conformal coverage, scalar residual).} Let \(r_1,\dots,r_n,r_{\mathrm{new}}\) be exchangeable real-valued residuals. Let \(q_{1-\alpha}\) be the \(\lceil(n+1)(1-\alpha)\rceil\)-th order statistic of \(|r_1|,\dots,|r_n|\), with \(q_{1-\alpha}:=+\infty\) if \(\lceil(n+1)(1-\alpha)\rceil>n\) (the calibration set is then too small for the requested \(\alpha\)). Then
\[
\mathbb{P}(|r_{\mathrm{new}}|\le q_{1-\alpha})\ge 1-\alpha.
\]
\paragraph{Stratification.} If residuals are stratified by a class label \(c\), the same statement holds conditionally within a class provided exchangeability holds within that class. The audit record must include: the class definition, the classifier used online, and an explicit treatment of misclassification (typically by bound inflation).
\paragraph{Integration into bounded sets.} To convert a probabilistic coverage band into a deterministic set used by reachability/MPC, the implementation must declare the policy (e.g., take \(\alpha\) sufficiently small and treat resulting \(q_{1-\alpha}\) as a declared bound; add a safety inflation factor; or use conformal only for validation and keep worst-case bounds separate). This paper does not claim that exchangeability implies worst-case robustness.
VII.I. Numerical implementation considerations
VII.I.1. Unit checking and normalization
All declared matrices and bounds must be unit-consistent. In practice, solver conditioning often requires nondimensionalization. Any nondimensionalization must be recorded as a reversible mapping (scale factors for each state and input), so that reported margins correspond to physical units.
VII.I.2. Conditioning diagnostics and feasibility margins
For each solved program (LP/QP/SOCP/SDP/GP/MILP), the audit record should include:
\begin{itemize}
\item solver status (optimal/feasible/infeasible/unbounded/iteration limit);
\item primal and dual residuals (as available);
\item a scalar feasibility margin (e.g., minimum slack in tightened inequalities);
\item active constraints and, when meaningful, dual multipliers (for sensitivity/diagnostics, not as proof);
\item certificate inputs: the exact \((A,B,c)\), sets \(\mathcal{W},\mathcal{U},\mathcal{Z}_{\mathrm{safe}}\), and any inflations used.
\end{itemize}
VII.I.3. Solver stack and real-time feasibility boundaries
\paragraph{Typical stack.} LP/QP for reachability membership and safety filters; SOCP for norm-bounded robust constraints; SDP for Lyapunov/\(H_\infty\) certificates; GP for posynomial sizing; MILP for fueling schedules or phase logic.
\paragraph{Real-time boundary.} Any module intended for real-time use must declare a worst-case runtime budget and provide a fallback behavior on timeout (treated the same as infeasibility: loss of certificate, execute safe fallback). Offline modules may use heavier solvers but must still output checkable artifacts.
\paragraph{Reproducibility.} To satisfy auditability, each certificate must be reproducible from a serialized input bundle (model/sets/data) and a recorded solver version/parameter set. Numerical reproducibility is not itself a proof, but it is required to diagnose failures and to compare redesigns.
VIII. Integrated Simulation Harness and Falsifiable Validation Plan
This section specifies (i) an end-to-end integration harness that composes the certificates of Sections III–VII and (ii) a falsifiable validation plan whose outcomes either justify declared uncertainty inflations or force them to be enlarged (thereby potentially breaking feasibility). No external datasets are assumed to exist or to validate the surrogates; rather, we define acceptance tests that must be met before interpreting any certificate as operationally relevant.
VIII.A. End-to-end architecture and information flow
We consider an integrated pipeline of modules operating on a declared model family \(\mathfrak{M}\) (Section II.A) and a declared scenario template (Section III):
\[
\text{scenario planner }\to \text{estimator/ID segment }\to \text{economic MPC }\to \text{CBF-QP safety filter }\to \text{actuator models }\to \text{facility/plant envelopes}.
\]
To make the composition auditable, each module must expose (a) its inputs (declared models/sets), (b) its outputs (controls, bounds, certificates), and (c) failure semantics.
\paragraph{Audit state as a shared contract.} The integration harness maintains a time-indexed audit state \(\chi_k\) (Section V.E) and enforces that every module update consumes and produces a serializable artifact. At minimum:
\[
\chi_k := \big(\hat z_k,\mathcal{E}_k,\Theta_k,\mathcal{W}_k,\widetilde{\mathcal{W}}_k,\ \text{status flags},\ \text{margins/slacks},\ \text{active constraints}\big).
\]
The harness is required to store sufficient information to replay decisions deterministically (Section VII.I).
\paragraph{Composition rule (one-sided).} A global claim of the form “constraint \(h(z_k)\ge 0\) holds” is permitted only when it is implied by the conjunction of the active module certificates and declared bounds at time \(k\). If any required certificate is missing (infeasibility, timeout, inconsistent data, diagnostics-inconclusive), the harness must mark the global status as \emph{inconclusive} and trigger the declared fallback.
VIII.B. Unit-checked code integration hooks (module-level interfaces)
We record a minimal set of module interfaces sufficient to reproduce the mathematical constructions of Sections III–VII. The interfaces are described abstractly; any particular software stack is acceptable provided it can serialize all inputs/outputs and perform unit checks.
VIII.B.1. Scenario runner and safe-set builder
\paragraph{Scenario runner.} Input: \((A_k,B_k,c_k,\mathcal{W}_k,\mathcal{U}_{\mathrm{cmd},k})\) and an input sequence or policy. Output: simulated/propagated nominal trajectory \(\hat z_{k|0}\) and disturbance-inflated bounds if used.
\paragraph{Safe-set builder.} Input: declared constraint functions and/or polyhedral models (Section II.D), together with one-sided bound modules (Section VI). Output: per-time-step polytopes
\[
\mathcal{Z}_{\mathrm{safe},k}=\{z:H_k z\le b_k\},\qquad \mathcal{Z}_{\mathrm{burn}}=\{z:H_f z\le b_f\},
\]
and tightening rules \(\widehat{\mathcal{Z}}_k\) used by MPC (Section V.C). The builder must record which upstream bound modules contributed to each row of \((H_k,b_k)\) and what uncertainty inflation was used.
VIII.B.2. MHE / set-membership estimator and health logic
\paragraph{Estimator.} Input: declared dynamics \(f_k\), declared uncertainty sets \((\Theta_k,\mathcal{W}^x_k,\mathcal{V}_{j,k},\mathcal{B}_{j,k})\), and measurements with availability flags \(\delta_{j,k}\). Output: \((\hat z_k,\mathcal{E}_k,\mathrm{health}_k)\) with \(\mathrm{health}_k\in\{\mathrm{OK},\mathrm{inconclusive}\}\) and a record of any bound inflations triggered by residual monitoring (Section IV.D.3).
\paragraph{Required certificate output.} For any claim of bounded error, the estimator must return a nonempty set \(\mathcal{E}_k\) and an auditable justification: either (i) set-membership feasibility \(\mathcal{X}_k\neq\varnothing\) (Section IV.D.2) or (ii) an explicitly declared conversion from an energy-gain bound to a deterministic set (Section IV.G), together with any policy inflations.
VIII.B.3. CBF safety filter and robust MPC
\paragraph{CBF-QP safety filter.} Input: current estimate \(\hat z_k\), error set \(\mathcal{E}_k\) (or a conservative surrogate), declared constraint functions \(h\) and robustified inequalities (Section V.B), and a nominal command \(u_{\mathrm{nom},k}\). Output: \((u_{\mathrm{cmd},k}, s_k^\star, \text{QP status}, \text{active constraints})\).
\paragraph{Robust MPC.} Input: \(\hat z_k\), \(\mathcal{E}_k\), model \((A_k,B_k,c_k)\), and inflated disturbance sets \(\widetilde{\mathcal{W}}_k\) (Section III.C.3). Output: \((u_{\mathrm{nom},k}, \text{MPC status},\ \text{min tightened slack},\ \text{active constraints})\).
\paragraph{Hard rule for soundness.} If the controller uses tightened sets \(\widehat{\mathcal{Z}}_k\), the harness must verify (as a logged check) that the tightening implies the original constraint under the reported error set, i.e.
\[
\hat z\in\widehat{\mathcal{Z}}_k \implies \hat z\oplus\mathcal{E}_k\subseteq \mathcal{Z}_{\mathrm{safe},k}.
\]
If this implication is not verified, the run must be marked \emph{not certified}.
VIII.C. Dataset-based replay tests (required external validation; not assumed)
Replay tests are intended to falsify declared uncertainty bounds and failure-mode models without requiring live experiments. They do not validate the physical correctness of surrogates in unseen regimes; they only test consistency of declared bounds with observed signals in the replay distribution.
VIII.C.1. Miscoverage tests for conformal intervals and residual monitoring
Assume conformal calibration is used to propose bounds for closure residuals (Section IV.F). Let \(r_t\) be the residual computed during replay and let \(q_{1-\alpha}\) be the declared conformal quantile. Define the empirical miscoverage rate
\[
\widehat\alpha := \frac{1}{T}\sum_{t=1}^T \mathbf{1}\{|r_t|>q_{1-\alpha}\}.
\]
\paragraph{Acceptance criterion (declared).} Because replay points are generally not exchangeable and may be temporally correlated, the harness must treat the conformal coverage statement as a hypothesis subject to test. A conservative, falsifiable criterion is: accept the bound only if
\[
\widehat\alpha \le \alpha_{\mathrm{max}},
\]
where \(\alpha_{\mathrm{max}}\) is declared (e.g., \(\alpha_{\mathrm{max}}=c\alpha\) for a chosen inflation factor \(c\ge 1\)). If the criterion fails, the only permitted response is to inflate the bound (increase \(q\)) or to stratify more finely (Section IV.F.2); otherwise subsequent robust certificates relying on \(\mathcal{W}_k\) are not auditable.
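The quantile of Proposition 7.1, the miscoverage statistic and the acceptance rule above, together with the permitted inflation response, as an added Python example that is not code from the paper; the calibration and replay residual lists are constructed, with a deliberate drift in the second half of the replay window, and \(c=1.5\) and the inflation factor \(1.1\) are assumed policy values.

```python
"""Added example (not part of the paper): the split-conformal quantile of
Proposition 7.1, the empirical miscoverage α̂ of Section VIII.C.1, the acceptance
criterion α̂ ≤ c·α, and the permitted response (inflate q) when it fails. The
residual lists are constructed; the replay set drifts in its second half on purpose."""

import math


def split_conformal_quantile(cal_residuals, alpha):
    """q_{1−α}: the ⌈(n+1)(1−α)⌉-th smallest |r_i|. If that index exceeds n, the
    finite-sample guarantee only holds with q = +∞ (calibration set too small)."""
    n = len(cal_residuals)
    k = math.ceil((n + 1) * (1.0 - alpha))
    if k > n:
        return math.inf
    return sorted(abs(r) for r in cal_residuals)[k - 1]


def empirical_miscoverage(replay_residuals, q):
    """α̂ = (1/T) Σ 1{|r_t| > q} over the replay window."""
    return sum(1 for r in replay_residuals if abs(r) > q) / len(replay_residuals)


def replay_acceptance(cal_residuals, replay_residuals, alpha, c=1.5):
    """Returns (accepted, q, α̂); accept only if α̂ ≤ α_max := c·α."""
    q = split_conformal_quantile(cal_residuals, alpha)
    a_hat = empirical_miscoverage(replay_residuals, q)
    return a_hat <= c * alpha, q, a_hat


def inflate_until_accepted(cal_residuals, replay_residuals, alpha,
                           c=1.5, factor=1.1, max_inflations=50):
    """Permitted response on failure: multiply q by `factor` until α̂ ≤ c·α.
    Returns (q_inflated, α̂, number_of_inflations), or None if the budget is
    exhausted; every inflation must be logged as a change of the declared bound."""
    q = split_conformal_quantile(cal_residuals, alpha)
    if math.isinf(q):
        return None
    for m in range(max_inflations + 1):
        a_hat = empirical_miscoverage(replay_residuals, q)
        if a_hat <= c * alpha:
            return q, a_hat, m
        q *= factor
    return None


# Constructed residuals (same units as the closure residual being monitored).
CAL = [0.1, -0.2, 0.05, 0.3, -0.15, 0.25, -0.05, 0.12, -0.22, 0.18,
       0.02, -0.08, 0.28, -0.3, 0.07, 0.11, -0.19, 0.09, -0.01, 0.21]
REPLAY = [0.05, -0.1, 0.2, 0.15, -0.25, 0.1, 0.28, -0.05, 0.12, 0.0,     # healthy
          0.35, 0.4, -0.33, 0.31, 0.45, -0.02, 0.38, 0.29, -0.5, 0.36]   # drifted

if __name__ == "__main__":
    print(replay_acceptance(CAL, REPLAY[:10], alpha=0.1))   # accepted on the healthy half
    print(replay_acceptance(CAL, REPLAY, alpha=0.1))        # rejected: α̂ = 0.4
    print(inflate_until_accepted(CAL, REPLAY, alpha=0.1))   # q inflated three times
```

Rejection on the full window is the correct diagnostic here: the drifted half is not exchangeable with the calibration set, so the coverage claim fails and the bound must be inflated (or the window stratified) before any downstream robust certificate may cite \(q_{1-\alpha}\).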
\paragraph{Residual-monitor consistency test.} Independently of conformal calibration, the residual monitor of Section IV.D.3 should satisfy: for declared residual sets \(\mathcal{R}_{j,k}\), the fraction of times \(r_{j,k}\notin\mathcal{R}_{j,k}\) should be below a declared threshold on healthy intervals and should rise sharply under injected drift/bias faults in simulation.
VIII.C.2. Control-in-the-loop replay: ad hoc vs. calibrated envelopes
The harness runs the same declared controller and scenario with two uncertainty policies:
\begin{enumerate}
\item \textbf{Ad hoc envelopes:} engineering-chosen boxes \((\Theta,\mathcal{W})\) not tied to replay residuals.
\item \textbf{Calibrated envelopes:} envelopes produced by the conformal+monitor pipeline (Section IV.F + IV.D.3).
\end{enumerate}
\paragraph{Falsifiable comparisons.} The harness records:
\begin{itemize}
\item safety-filter feasibility rate (fraction of steps with QP feasible and \(s_k^\star=0\));
\item robust MPC feasibility rate;
\item minimum safety margin over time (e.g., \(\min_k h(\hat z_k)-\text{tightening}(\mathcal{E}_k)\));
\item number and causes of supervisor transitions to fallback/shutdown (Section V.E).
\end{itemize}
A calibrated envelope is acceptable only if it does not increase certificate violations relative to ad hoc envelopes \emph{without} a corresponding and auditable tightening of declared bounds. If calibrated envelopes create infeasibility, that is not necessarily a failure: it may be the correct diagnostic that prior envelopes were optimistic.
VIII.D. 12–18 month falsifiable experiments (go/no-go metrics tied to certificates)
This subsection proposes test protocols that directly target the mathematical failure points of the certificates: (i) violated bound assumptions, (ii) infeasible reachability/MPC/CBF constraints under declared envelopes, and (iii) mismatch between declared actuator/latency models and realized hardware behavior. These are not claims of feasibility on any device; they are criteria that determine whether the declared certificate inputs remain admissible.
VIII.D.1. Startup: burn-through threshold validation vs. transients
\paragraph{Protocol.} Execute controlled startup shots (or subscale surrogate experiments) with commanded \(\bar u\) and measured proxies \(\hat T(t)\), \(\hat n(t)\) and availability flags. Compute the burn-through certificate margin from Theorem 6.1 using declared one-sided envelopes.
\paragraph{Go/no-go.} The declared burn-through certificate is accepted only if, on trials where the certificate predicts monotone increase with margin \(\varepsilon\), the observed proxy \(\hat T(t)\) reaches \(T_{\mathrm{bt}}\) without violating declared plant electrical ramps and without triggering residual-monitor inconsistency. Any trial violating the inequality assumptions (e.g., inferred \(P_{\mathrm{loss}}\) exceeding \(P_{\mathrm{loss}}^{\mathrm{hi}}\) implied by measurements) forces inflation of \(\bar d_T\) or revision of the envelopes.
VIII.D.2. Collapse boundary: fold-margin identification from impurity seeding ramps
\paragraph{Protocol.} Run ramps in a regime where the reduced energy surrogate (Section VI.B) is declared applicable, including deliberate variation in \(\mu\) (e.g., auxiliary power and/or seeding proxy). Estimate or bound the slope proxy \(a^{\mathrm{hi}}(W,\mu)\) used to compute the fold-margin \(\mathfrak{m}\).
\paragraph{Go/no-go.} The fold-margin certificate (Proposition 6.2) is accepted only if observed collapses (or loss of controllability events) do not occur at points where the certificate claimed \(\mathfrak{m}\ge \eta_{\mathrm{fold}}\) under declared bounds. Any contradiction forces inflation of \(a^{\mathrm{hi}}\) (more conservative) or restriction of the declared operating set.
VIII.D.3. Burn stability: modulation identification of growth/damping and bandwidth limits
\paragraph{Protocol.} Apply small commanded modulations in fast heating channels within declared safe envelopes and measure the resulting response in \(W\) (or other controlled proxy). Use the data to validate the declared linearization and uncertainty embedding used in the polytopic stability certificate (Section VI.C).
\paragraph{Go/no-go.} If the LMI-based certificate (Theorem 6.3) predicts an invariant deviation bound \(|\delta W|\le \Delta W_{\max}^{\mathrm{cert}}\), then in modulation tests that remain within the declared disturbance bound \(\bar w\) and actuator constraints, the measured deviations must not exceed the predicted bound after accounting for measurement error. If they do, then either \(\bar w\) was too small, the vertex embedding was incomplete, or actuator lag models were optimistic; the appropriate response is to enlarge uncertainty sets or revise the actuator model, which may make the certificate infeasible (a valid design diagnostic).
VIII.D.4. Diagnostics: sensor dropout tests and residual matching
\paragraph{Protocol.} During controlled phases, induce intentional diagnostic dropout or degradation (or simulate it in replay by masking channels) consistent with declared dropout model \(\delta_{j,k}\). Run the estimator and record changes in \(\mathcal{E}_k\) and downstream feasibility (reachability membership, MPC tightening, safety QP slack).
\paragraph{Go/no-go.} The estimator-health logic is accepted only if: (i) dropouts cause \(\mathcal{E}_k\) to inflate (or \(\mathrm{health}_k\) to become inconclusive) within a declared reaction time, and (ii) the supervisor transitions to fallback before any proxy constraint violation under the declared tightening rules.
VIII.D.5. Allocator feasibility rate targets and fallback success
\paragraph{Protocol.} Run the real-time power allocator (Section VI.E) under representative requested power trajectories, including injected disturbances and occasional infeasible requests.
\paragraph{Go/no-go.} The allocator is accepted only if its infeasibility is correctly detected and logged (no silent violation), and if the supervisor’s fallback sequence maintains safety constraints under the declared envelopes. A declared feasibility-rate target (e.g., \(\ge 99.5\%\) feasible steps in a defined scenario class) may be adopted as an engineering requirement, but it is not a mathematical guarantee and must be reported as such.
VIII.D.6. Pumping network: pressure transient checks and calibration-only uncertainty validation
\paragraph{Protocol.} Validate the monotone pressure bound model (Section VI.G) by applying known source/sink perturbations and measuring node pressure proxies. Use these to test whether the computed one-sided upper bound \(p^{\mathrm{hi}}(u)\) remains above observed pressures after accounting for measurement error.
\paragraph{Go/no-go.} Any observed pressure exceeding \(p^{\mathrm{hi}}(u)\) falsifies the declared inverse bound \(M^{\mathrm{hi}}\) or the source bound \(\overline s(u)\), requiring bound inflation or model revision.
VIII.D.7. Plant electrical: peak-load and harmonic-proxy envelope checks under scripted transients
\paragraph{Protocol.} Execute scripted transients in auxiliary power commands within the planned ramp rates. Compare measured electrical envelope proxies \(y^e\) to the declared bounds \(\overline y^e\) and to the one-sided predicted upper bounds used by the electrical certificate module (Section VI.I).
\paragraph{Go/no-go.} Violations require enlarging \(\mathcal{W}^e\) or revising \((A^e,B^e,C^e,D^e)\). Any such inflation must be propagated back to scenario feasibility and may invalidate existing reachability certificates.
VIII.D.8. Optional magnet/coil interface checks (if used)
If an external magnet/coil envelope \(\mathcal{P}_{\mathrm{mag}}\) is enforced (Section VI.J), the harness must define measurable falsifiers (electrical observables, thermal proxies, quench/protection event markers) that can contradict the envelope. If contradictions are observed, the correct outcome is to mark the envelope module inconclusive and to derate modulations until a revised, externally validated envelope is available.
\paragraph{Outcome semantics.} The output of Section VIII is not “validated operation.” It is a structured list of falsifiable tests whose failures determine which declared bounds must be inflated (thereby possibly breaking feasibility), and whose successes justify (only) that the certificates have not yet been falsified on the tested distribution/regime.
IX. Limitations, Assumptions, and External Verification Gaps
This section consolidates the boundaries of validity of the certificates developed in Sections II–VIII. All results are conditional: they are statements about a declared surrogate model family \(\mathfrak{M}\) and declared uncertainty sets, not about external physical truth. In particular, a certificate is logically meaningful only if (i) its inputs are correct (model equations, sets, units) and (ii) its computational implementation obeys the soundness requirements stated earlier (e.g., inner approximations where required, logged feasibility residuals).
IX.A. What is certified (within declared surrogates) vs. what must be externally validated
\paragraph{Certified (conditional) statements.} Theorems and propositions in Sections III–VII certify properties of the following general form:
\[
(\text{declared dynamics/constraints hold})\wedge(\text{declared bounds hold})\implies (\text{safety/feasibility/stability property holds}).
\]
Concretely, the paper provides conditional certificates for:
\begin{itemize}
\item \textbf{Scenario existence (Section III):} if \(\mathcal{Z}_{\mathrm{start}}\subseteq \mathcal{R}_N\) under exact or declared inner-approximate set operations, then a robustly safe trajectory to \(\mathcal{Z}_{\mathrm{burn}}\) exists for the declared discrete-time model and disturbance sets.
\item \textbf{One-sided diagnostic bounds (Section IV):} if the measurement model and noise/bias sets are correct, then LP/MHE/set-membership computations yield bounded state/quantity sets \(\mathcal{E}_k\) or one-sided bounds (e.g., \(f_{\mathrm{rad}}^{\mathrm{hi}}\)) suitable for tightening constraints.
\item \textbf{Safe closed-loop enforcement (Section V):} if robustified inequalities (CBF/QP or tightened MPC constraints) are feasible and the declared uncertainty inflations are valid, then constraint satisfaction is certified for the surrogate model.
\item \textbf{Co-design sizing implications (Section VI):} feasibility or infeasibility of LMIs/LPs/MILPs/GPs provides falsifiable design messages about required headroom, bandwidth/latency, and facility envelopes \emph{within the declared models}.
\end{itemize}
\paragraph{Not certified by this paper (requires external verification).} None of the following is established by the mathematics alone and must be validated externally before interpreting a certificate as relevant to device operation:
\begin{itemize}
\item \textbf{Surrogate fidelity:} that any chosen reduced plasma surrogate (startup barrier, burn dynamics, divertor proxy \(\xi\), radiation proxy, etc.) upper/lower bounds the true device behavior over the intended regime.
\item \textbf{Completeness of uncertainty sets:} that the declared sets \(\Theta\), \(\mathcal{W}\), \(\mathcal{V}\), \(\mathcal{B}\) (including dropout models) cover all relevant disturbances, drifts, and unmodeled couplings.
\item \textbf{Facility and protection envelopes:} that any externally supplied envelopes (magnet/protection, electrical power-quality proxies, pumping-network coefficients) are conservative in reality.
\item \textbf{Distributional assumptions in conformal calibration:} that exchangeability (or a sufficient approximation to it) holds for the data stream used to justify miscoverage statements; moreover, probabilistic coverage does not automatically imply worst-case robustness.
\end{itemize}
IX.B. Sensitivity to diagnostic availability and correctness of actuator/latency models
\paragraph{Propagation of diagnostic uncertainty into feasibility.} Sections III.C.3 and V.C rely on the coupling
\[
\mathcal{W}_k\mapsto \widetilde{\mathcal{W}}_k := \mathcal{W}_k\oplus (A_k\mathcal{E}_k)\oplus (-\mathcal{E}_{k+1}),
\]
which is sound but may be conservative. The practical consequence is qualitative but strict: if diagnostic health degrades (dropout, drift) and \(\mathcal{E}_k\) inflates, scenario reachability sets and tightened MPC constraints may become empty/infeasible even when the physical system might still be operable. This is not a defect of the logic; it is the intended fail-closed behavior under loss of evidence.
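The coupling \(\mathcal{W}_k\mapsto\widetilde{\mathcal{W}}_k\) and its fail-closed consequence, worked out on axis-aligned box sets as an added illustration (not the paper's code). For boxes the Minkowski sums and the Pontryagin difference \(\mathcal{S}\ominus\widetilde{\mathcal{W}}_k\) are exact, so the tightening is sound rather than merely an inner approximation; the matrix \(A_k\) and all set bounds below are constructed values.

```python
"""Inflate a box disturbance set by estimator error, then tighten a safe box.

Evaluates  W~_k = W_k (+) A_k E_k (+) (-E_{k+1})  and  S (-) W~_k.
A dropout-inflated E_k empties the tightened set: the intended fail-closed
diagnostic, reported per coordinate rather than silently ignored.
"""
from typing import List, Optional, Tuple

Box = List[Tuple[float, float]]  # per-coordinate [lo, hi]


def _scale(iv: Tuple[float, float], a: float) -> Tuple[float, float]:
    """Interval a*[lo, hi], handling negative a."""
    lo, hi = iv
    return (min(a * lo, a * hi), max(a * lo, a * hi))


def minkowski_sum(*boxes: Box) -> Box:
    """Componentwise interval sum; exact for axis-aligned boxes."""
    return [(sum(b[i][0] for b in boxes), sum(b[i][1] for b in boxes))
            for i in range(len(boxes[0]))]


def negate(box: Box) -> Box:
    return [(-hi, -lo) for lo, hi in box]


def linear_image(A: List[List[float]], box: Box) -> Box:
    """Interval enclosure of {A e : e in box}; tight row-wise for a box."""
    out = []
    for row in A:
        lo = hi = 0.0
        for a, iv in zip(row, box):
            l, h = _scale(iv, a)
            lo, hi = lo + l, hi + h
        out.append((lo, hi))
    return out


def inflate_disturbance(W: Box, A: List[List[float]],
                        E_k: Box, E_next: Box) -> Box:
    """W~_k = W_k (+) A_k E_k (+) (-E_{k+1})."""
    return minkowski_sum(W, linear_image(A, E_k), negate(E_next))


def tightened_safe_set(S: Box, W: Box, A: List[List[float]],
                       E_k: Box, E_next: Box) -> Tuple[Optional[Box], List[int]]:
    """S (-) W~_k = {z : z + w in S for all w in W~_k}, exact for boxes.

    Returns (tightened box or None, coordinates whose tightening is empty).
    """
    Wt = inflate_disturbance(W, A, E_k, E_next)
    out, empty = [], []
    for i, ((s_lo, s_hi), (w_lo, w_hi)) in enumerate(zip(S, Wt)):
        lo, hi = s_lo - w_lo, s_hi - w_hi
        if lo > hi:
            empty.append(i)
        out.append((lo, hi))
    return (None if empty else out), empty


# Constructed two-state surrogate data (e.g. stored-energy and density proxies).
A_K = [[0.9, 0.1], [0.0, 0.95]]
W_DIST = [(-0.2, 0.2), (-0.1, 0.1)]          # declared process disturbance
S_SAFE = [(-1.0, 1.0), (-0.5, 0.5)]          # declared safe box
E_HEALTHY = [(-0.1, 0.1), (-0.05, 0.05)]     # certified estimator error set
E_DROPOUT = [(-0.6, 0.6), (-0.3, 0.3)]       # after channel dropout inflation

if __name__ == "__main__":
    print(tightened_safe_set(S_SAFE, W_DIST, A_K, E_HEALTHY, E_HEALTHY))
    print(tightened_safe_set(S_SAFE, W_DIST, A_K, E_DROPOUT, E_DROPOUT))
```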
\paragraph{Latency and bandwidth are part of the plant.} Any certificate that links control to stability (e.g., Sections V–VI) is only as valid as the actuator and diagnostic timing models. In particular:
\begin{itemize}
\item if the actuator lag dynamics \((A_u,B_u)\) are optimistic (slower in reality), then computed reachable sets and CBF/QP feasibility regions may be invalidated;
\item if the effective diagnostic delay \(\tau_d\) or sampling schedule differs from the declared one, then the delay-robustness reasoning in Section VI.D can fail.
\end{itemize}
Accordingly, actuator identification and timing characterization are not auxiliary engineering details; they are prerequisite evidence for interpreting the certificates.
IX.C. Limits of reduced-model linearization, disturbance bounding, and polytope approximations
\paragraph{Linearization and polytopic embeddings.} The polytopic stability and reachability certificates (Sections III and VI.C) require that the declared affine/polytopic models outer-approximate the relevant dynamics over the region of interest. If the true dynamics vary in ways not captured by the embedding (e.g., nonlinearities creating additional vertices outside the convex hull, mode switches, or state-dependent actuator limits), then the certificate becomes inapplicable. Conversely, overly conservative embeddings can yield infeasibility that is a modeling artifact.
\paragraph{Common quadratic Lyapunov functions are sufficient but not necessary.} The LMI in Theorem 6.3 is conservative: infeasibility does not imply instability of the true (or even declared) system; it implies only that this particular common-quadratic certificate is unavailable for the chosen embedding and controller structure. Alternative (less conservative) certificates may exist but are not developed here.
\paragraph{Set operations must preserve soundness.} The backward-reachability construction (Section III.C) and tightening rules (Section V.C) require exact set operations or declared \emph{inner} approximations for robust predecessor computations and Pontryagin differences. Outer approximations can destroy the implication \(Az+Bu+c+\mathcal{W}\subseteq \mathcal{S}\) that underpins the one-sided reachability claim.
\paragraph{Delay handling is approximate unless the approximation error is bounded.} The bandwidth–delay certificate template (Section VI.D) is sound only relative to a declared rational delay approximation and an explicitly justified uniform error bound (or another conservative delay-robust argument). Without an auditable approximation-error bound, the resulting LMI is merely a heuristic computation.
\paragraph{Numerical issues.} Solver feasibility is a numerical claim unless accompanied by adequate conditioning diagnostics, residual tolerances, and post-verification (Section VII.I). In particular, near-degenerate polytopes, ill-conditioned SDPs, or aggressive scaling can yield false infeasibility or false feasibility if not properly audited.
IX.D. Operational policy choices vs. physics/engineering constraints
Many margins enforced by the framework are policy decisions rather than physical necessities. Examples include tightening levels \(\eta_k\) (Section II.B), slack-penalty weights in safety QPs (Section V.B), and thresholds for declaring diagnostic health inconclusive (Section IV.D.3). These choices determine how frequently the system declares \emph{NO-GO} or transitions to fallback.
\paragraph{Separation requirement.} For auditability, the implementation must log policy parameters as distinct from physics-derived bounds. A statement of the form \(h(x)\ge \eta\) should be interpreted as: the system enforces a safety margin \(\eta\) chosen by operators/engineering governance, \emph{not} as evidence that \(\eta\) is implied by physics. Conversely, any claim that a margin is physically required must be supported by an externally validated envelope or a proved inequality within the declared surrogate.
\paragraph{Summary.} The framework is designed to be conservative and fail-closed. Its guarantees are mathematically explicit but conditional; external verification is required to justify the declared models and bounds, and failures of certificates are intended to be actionable diagnostics rather than exceptional events.
Conclusion
This paper has developed a certification-first framework for steady-state stellarator operation in which offline scenario synthesis, diagnostics/estimation, real-time control, and plant/facility constraints are coupled through explicitly auditable, one-sided certificates. The central organizing principle is the declared model family \(\mathfrak{M}\) and declared uncertainty sets: every safety/feasibility claim is conditioned on these declarations, and every enforced operational margin is traceable to a stated inequality, a solver-checkable witness (LP/QP/SDP/MILP/GP transcript), or an explicitly declared conservative set operation.
At the planning level, the paper formalized scenario synthesis as constrained optimal control and then separated “a nominal plan” from a logically meaningful feasibility statement via a robust backward-reachability recursion. Theorem 3.1 provides the core scenario-existence certificate: inclusion \(\mathcal{Z}_{\mathrm{start}}\subseteq\mathcal{R}_N\) (computed exactly or with declared inner approximations) implies existence of a policy that robustly reaches a terminal burn set while remaining within all intermediate safe sets under bounded disturbances. A key co-design link is made explicit by inflating disturbance sets using certified estimator error sets, \(\mathcal{W}_k\mapsto\widetilde{\mathcal{W}}_k\), thereby turning diagnostics quality into a falsifiable feasibility requirement rather than a secondary performance metric.
On the diagnostics side, the paper provided interfaces and sufficient conditions for producing the bounded error sets \(\mathcal{E}_k\) required by reachability and robust control, including structural observability/excitation checks, set-membership estimation with explicit failure semantics, and residual-based bound inflation under drift and dropout. It further gave a concrete one-sided bounding template for radiated-fraction constraints in 3D geometry: a nonnegative emissivity reconstruction posed as a linear program yields an auditable upper bound \(f_{\mathrm{rad}}^{\mathrm{hi}}\) and a well-defined “bounds unavailable \(\Rightarrow\) derate/abort” machine-protection hook. Optional distribution-free calibration (split conformal) was incorporated as an evidence-to-bounds mechanism with explicit, testable acceptance criteria rather than as an unconditional robustness claim.
For real-time enforcement, the paper specified a two-layer architecture combining (i) a performance controller (economic MPC) and (ii) a safety filter (robust CBF-QP or robust projection), with explicit feasibility margins and fail-closed semantics. Robust CBF inequalities and tightened MPC constraints were stated in a one-sided form suitable for audit, and hybrid impulsive pellet control was integrated through an event-guard certificate that prevents instantaneous density/inventory violations. A certificate-based supervisory automaton was then defined to compose planning, estimation health, safety-filter feasibility, and facility interlocks into explicit go/no-go decisions and certified fallback transitions with time-stamped logging.
The main co-design contributions were expressed as composable certificate modules that translate operational objectives into sizing and interface constraints across actuators, diagnostics, and plant limits. These included: a sufficient startup burn-through condition (Theorem 6.1) based on conservative absorbed-power and loss envelopes; a fold-margin inequality excluding surrogate saddle-node proximity (Proposition 6.2) and yielding explicit reserve/headroom implications; a polytopic quadratic stability certificate for burn-control reserve sizing with invariant-set bounds via LMIs (Theorem 6.3); and a bandwidth–delay sufficiency certificate formulated as a finite-dimensional robust \(H_\infty\) feasibility problem once a declared delay approximation and approximation-error bound are supplied (Theorem 6.4). Facility and plant constraints were brought into the same certification semantics through feasibility certificates for fueling schedules with accountancy (MILP), monotone pressure-network upper bounds (\(M\)-matrix arguments and optional GP sizing), tritium inventory upper-bound propagation (positive-system interval bounds), and electrical envelope constraints (reachability/tightening on a declared electrical surrogate).
A unifying feature across these results is that infeasibility is treated as a first-class diagnostic output. When a certificate cannot be produced (empty reachable set, infeasible QP/MPC/LMI/MILP/GP, inconsistent measurement bounds), the framework does not silently proceed; it emits a falsifiable design message that identifies which declared knob must change (e.g., slow ramps, increase actuator authority, reduce diagnostic latency, improve estimator bounds, or revise plant envelopes). Section VII provided solver-ready proof/computation templates to ensure that each certificate object is reproducible, unit-consistent, and sound under the required inner-approximation rules.
Finally, the paper emphasized that none of these mathematical certificates are automatically physical guarantees for any particular stellarator. Sections VIII and IX therefore paired the certificate suite with an integrated simulation harness and a validation plan whose purpose is to falsify (and thereby inflate) declared uncertainty bounds and surrogate closures, and to make the boundary between certified statements and external verification requirements explicit. In practical terms, the near-term priority implied by the framework is to generate the evidence needed to justify the declared bounds that most strongly control feasibility: actuator lag/bandwidth and diagnostic latency models; bounded-error envelopes for key closure terms; and health monitoring/inflation rules that prevent optimistic tightening under drift and dropout.
In summary, the paper’s contribution is a mathematically explicit, composable specification for certification-first scenario synthesis and diagnostics/control co-design in steady-state stellarator operation: a mechanism to turn complex multi-module engineering assumptions into auditable inequalities, and to convert both feasibility and infeasibility into actionable go/no-go and redesign signals under declared uncertainty.
================================================================================
MODEL CREDITS
This autonomous solution attempt was generated with the Intrafere LLC AI Harness,
MOTO, and the following model(s):
– x-ai/grok-4.1-fast (38 API calls)
– openai/gpt-5.2 (24 API calls)
– moonshotai/kimi-k2.5 (5 API calls)
Total AI Model API Calls: 67
================================================================================