Symbol-first safety rules for real-world risk.
Each pattern names the risk, defines the symbolic guard, gives the “enter” and “clear” actions with dwell times, and shows how to communicate it cleanly.
Playbook structure (use this template for every risk)
Each playbook entry SHOULD follow this exact contract for clarity and audit:
Risk: <short name>
Inputs: <sensors / material pivots / where the probe sits>
Guard (symbol space): <e_T / a_phase / etc.>
Action (enter): <condition that declares the unsafe state>
Clear (exit): <condition that declares recovery>
Notes: <placement, timing, human comms>
All triggers, actions, and clears MUST be expressed in symbol space (e_T, a_phase, Q_phase, etc.). Human dashboards MAY add °C/°F for readability, but machine logic MUST NOT depend on raw units.
Default symbolic terms you will see repeatedly:
e_T := ln( T_K / T_ref )
a_phase := tanh( c_m * ( (T_K - T_m) / DeltaT_m ) )
a_phase_fused := tanh( z_bar ) # multi-pivot fusion if multiple T_m matter
Q_phase := rho * Q_prev + (1 - rho) * clip(p_side, 0, 1)
V_T := sqrt( Var_{window}( e_T ) )
S-CDD := sum_t max( e_T(t) - e* , 0 )
e_T is the unitless thermal contrast relative to an anchor. a_phase is the bounded “which side of the pivot are we on” dial (for freezing / softening / deformation / melt). Q_phase is slow memory of which side we’ve lived on (soft hysteresis). V_T is short-window volatility in symbol space. S-CDD is accumulated symbolic “too warm for too long.”
These symbols are portable across sensors, locations, devices, and vendors because they do not rely on any local unit scale.
9.1 Road and runway icing (water/brine)
Risk: surface icing or refreeze on roads, runways, walking decks, or platforms.
Risk:
Road / runway icing (black ice / surface refreeze)
Inputs:
Surface temperature sensor.
Pivot tag T_m_tag = water or brine (declare which one in the manifest).
Mount in the true cold spot (shade, wind-exposed, low drainage).
Guard (symbol space):
a_phase_surface := tanh(
c_m * ( (T_surface_K - T_m) / DeltaT_m )
)
Action (enter):
a_phase_surface <= -Phi_freeze
for >= T_freeze_min minutes
→ escalate: treat surface as icing risk
Clear (exit):
a_phase_surface >= +Phi_clear
for >= T_clear minutes
→ surface cleared
Notes:
• You MUST declare T_m (the physical pivot such as melt/freeze point) and DeltaT_m, c_m.
• `Phi_freeze` and `Phi_clear` MUST be published in policy.
• If both fresh water and treated/brined surface behavior matter, you MAY use a fused dial:
a_phase_fused := tanh(
sum_i c_m_i * ( (T_surface_K - T_m_i) / DeltaT_m_i )
)
and apply the same enter/clear rules to `a_phase_fused`.
• Keep logic purely in symbol space. Dashboards MAY label zones like "Freeze Risk" for operators.
Why this matters:
a_phase_surface is always bounded inside (-1,+1), so you can alert on the same numeric band in different environments without rewriting the rule every time the climate changes.
9.2 Aviation de-icing holdover
Risk: surface re-freeze or loss of anti-ice effectiveness on lift-critical surfaces.
Risk:
De-icing holdover / wing surface re-freeze risk
Inputs:
Wing surface temperature.
Pivot tag T_m_tag = water (declare in manifest).
Also track Q_phase_wing, the hysteresis memory.
Guards (symbol space):
a_phase_wing
Q_phase_wing := rho * Q_prev + (1 - rho) * clip(p_side, 0, 1)
Action (enter):
a_phase_wing <= -0.05
OR
Q_phase_wing <= 0.30
→ declare HOLD (no-go / re-check surface)
Clear (exit):
Q_phase_wing >= 0.70
AND
a_phase_wing >= +0.05
for >= T_clear minutes
→ declare CLEAR
Notes:
• `rho` and `k_side` MUST be published, because they control how fast Q_phase_wing forgets.
• Soft hysteresis prevents rapid flip/flop decisions when the surface is hovering around the pivot.
• The rule is unitless and repeatable. Only the dwell times and thresholds are policy knobs.
Why this matters:
Instead of guessing “did the surface refreeze?” in local units, you track a bounded symbolic dial and its memory. Fewer false clears, fewer unsafe reclears.
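As an added worked example (not SSMT's own code), the Python below runs the 9.2 HOLD / CLEAR rule over a constructed wing-temperature trace, one sample per minute. The page names p_side and k_side but does not define p_side; the logistic form used here is an assumption, as are the parameter values (rho = 0.7, k_side = 4, T_clear = 2 samples) and the starting value Q_phase_wing = 1.0 (wing assumed to start on the warm side). The thresholds -0.05 / +0.05 / 0.30 / 0.70 are the ones printed above.

```python
import math
from typing import List


def p_side(T_K: float, T_m: float, DeltaT_m: float, k_side: float) -> float:
    """Assumed form of p_side (the page names it but does not define it):
    a logistic estimate of 'probability we are on the warm side of the pivot',
    with k_side controlling how sharply it switches."""
    z = (T_K - T_m) / DeltaT_m
    return 1.0 / (1.0 + math.exp(-k_side * z))


def q_phase_update(Q_prev: float, p: float, rho: float) -> float:
    """Q_phase := rho * Q_prev + (1 - rho) * clip(p_side, 0, 1)"""
    return rho * Q_prev + (1.0 - rho) * min(1.0, max(0.0, p))


class HoldoverGuard:
    """HOLD / CLEAR decision from 9.2: the instantaneous dial a_phase_wing
    plus its slow memory Q_phase_wing. Thresholds are the page's values."""

    def __init__(self, T_m: float, DeltaT_m: float, c_m: float,
                 k_side: float, rho: float, T_clear: int) -> None:
        self.T_m, self.DeltaT_m, self.c_m = T_m, DeltaT_m, c_m
        self.k_side, self.rho, self.T_clear = k_side, rho, T_clear
        self.Q = 1.0            # assumption: wing starts on the warm (safe) side
        self.state = "CLEAR"
        self.clear_run = 0      # consecutive samples meeting the full clear rule

    def step(self, T_K: float) -> str:
        a = math.tanh(self.c_m * (T_K - self.T_m) / self.DeltaT_m)   # a_phase_wing
        p = p_side(T_K, self.T_m, self.DeltaT_m, self.k_side)
        self.Q = q_phase_update(self.Q, p, self.rho)                  # Q_phase_wing
        if a <= -0.05 or self.Q <= 0.30:
            # Enter: either the dial or its memory says "cold side" -> HOLD
            self.state, self.clear_run = "HOLD", 0
        elif self.state == "HOLD":
            # Clear only when BOTH conditions hold for >= T_clear consecutive samples
            ok = self.Q >= 0.70 and a >= 0.05
            self.clear_run = self.clear_run + 1 if ok else 0
            if self.clear_run >= self.T_clear:
                self.state, self.clear_run = "CLEAR", 0
        return self.state


def run_holdover_demo() -> List[str]:
    """Constructed one-sample-per-minute wing trace around a water pivot."""
    T_m = 273.15
    guard = HoldoverGuard(T_m=T_m, DeltaT_m=1.0, c_m=1.0,
                          k_side=4.0, rho=0.7, T_clear=2)
    # Kelvin above (+) or below (-) the pivot, minute by minute (constructed)
    offsets = [1.0, 0.5, -0.2, -0.5, 0.2, 0.5, 1.0, 1.0, 1.0]
    return [guard.step(T_m + dz) for dz in offsets]


if __name__ == "__main__":
    print(run_holdover_demo())
```

In this trace the dial alone is back above +0.05 at minute 5, but Q_phase_wing is still only about 0.61 at minute 5 and 0.69 at minute 6, so the clear count cannot start until minute 7 and the earliest CLEAR is minute 8. That delay is the soft hysteresis doing its job: one warm reading does not erase the memory of having been on the cold side.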
9.3 Rail “sun-kink” (track buckling)
Risk: compressive thermal stress building in long rails.
Risk:
Track buckle / thermal sun-kink risk
Inputs:
Rail temperature sensor at stress-representative span.
Declare neutral temperature T_neutral in the manifest.
Pick a linear lens with a published DeltaT.
Guard (symbol space):
e_T_rail := ( T_rail_K - T_neutral_K ) / DeltaT
Action (enter):
e_T_rail >= +E_hot
for >= T_hot_min minutes
→ apply speed restriction / protective action
Clear (exit):
e_T_rail <= (+E_hot - E_hyst)
for >= T_clear minutes
→ lift restriction
Notes:
• `T_neutral` MUST reflect the stress-neutral reference for that segment.
• `E_hot`, `E_hyst`, `T_hot_min`, and `T_clear` MUST be declared.
• The entire trigger is in symbol space. No °C/°F in the logic.
• Place the sensor where worst compression tends to appear (high solar load, structural constraint).
Why this matters:
Once you publish DeltaT, E_hot, and E_hyst, that same logic can travel to any rail segment without rewriting thresholds in local units.
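The 9.1 icing rule and the 9.3 sun-kink rule share one shape: a symbol-space value, an enter predicate, a clear predicate, and a dwell time on each. The Python below is an added example (not SSMT's own code) that implements that shape once as a hypothetical DwellGuard and runs it on constructed traces for both sections, together with the a_phase, a_phase_fused and linear-lens definitions from the page. Every numeric value (pivots, DeltaT, c_m, Phi_freeze, Phi_clear, E_hot, E_hyst, dwell times) is assumed, and one sample per minute is assumed so that a dwell of 3 samples means "for >= 3 minutes".

```python
import math
from typing import Callable, List, Sequence, Tuple

Pivot = Tuple[float, float, float]   # (T_m, DeltaT_m, c_m)


def a_phase(T_K: float, T_m: float, DeltaT_m: float, c_m: float) -> float:
    """Bounded 'which side of the pivot' dial, always inside [-1, +1]."""
    return math.tanh(c_m * (T_K - T_m) / DeltaT_m)


def a_phase_fused(T_K: float, pivots: Sequence[Pivot]) -> float:
    """Fused dial from the 9.1 Notes: tanh of the summed per-pivot terms."""
    z_bar = sum(c_m * (T_K - T_m) / DeltaT_m for (T_m, DeltaT_m, c_m) in pivots)
    return math.tanh(z_bar)


def e_T_linear(T_K: float, T_neutral_K: float, DeltaT: float) -> float:
    """Linear lens from 9.3: signed contrast measured in units of DeltaT."""
    return (T_K - T_neutral_K) / DeltaT


class DwellGuard:
    """Enter/clear state machine gated by dwell times (hypothetical helper).

    Both predicates take a symbol-space value; dwell times are counted in
    consecutive samples.
    """

    def __init__(self, enter: Callable[[float], bool], clear: Callable[[float], bool],
                 enter_dwell: int, clear_dwell: int) -> None:
        self.enter, self.clear = enter, clear
        self.enter_dwell, self.clear_dwell = enter_dwell, clear_dwell
        self.active = False   # True while the unsafe state is declared
        self.run = 0          # consecutive samples satisfying the pending predicate

    def step(self, symbol: float) -> bool:
        pending = self.clear if self.active else self.enter
        self.run = self.run + 1 if pending(symbol) else 0
        if self.run >= (self.clear_dwell if self.active else self.enter_dwell):
            self.active, self.run = not self.active, 0
        return self.active


def run_icing_demo() -> List[bool]:
    """9.1: freeze dial with symmetric enter/clear bands (constructed trace)."""
    T_m, DeltaT_m, c_m = 273.15, 2.0, 1.0       # water pivot; lens width and gain assumed
    Phi_freeze, Phi_clear = 0.20, 0.20          # assumed policy bands
    T_freeze_min, T_clear = 3, 2                # assumed dwell times (samples)
    trace = [275.0, 274.0, 272.5, 272.0, 272.0, 272.0, 273.0, 274.5, 274.5, 274.5]
    guard = DwellGuard(lambda a: a <= -Phi_freeze, lambda a: a >= Phi_clear,
                       T_freeze_min, T_clear)
    return [guard.step(a_phase(T, T_m, DeltaT_m, c_m)) for T in trace]


def run_rail_demo() -> List[bool]:
    """9.3: linear lens with an E_hyst band, so the restriction is not lifted
    as soon as e_T_rail dips just below E_hot (constructed trace)."""
    T_neutral_K, DeltaT = 300.15, 10.0          # assumed manifest values
    E_hot, E_hyst = 1.5, 0.5                    # assumed policy knobs
    T_hot_min, T_clear = 2, 2
    trace = [305.0, 312.0, 316.0, 316.0, 318.0, 314.0, 311.0, 309.0, 309.0, 309.0]
    guard = DwellGuard(lambda e: e >= E_hot, lambda e: e <= E_hot - E_hyst,
                       T_hot_min, T_clear)
    return [guard.step(e_T_linear(T, T_neutral_K, DeltaT)) for T in trace]


if __name__ == "__main__":
    print("icing:", run_icing_demo())
    print("rail: ", run_rail_demo())
```

In the icing trace the dial first drops below -Phi_freeze at minute 3 but the alert is not declared until minute 5, when the dwell is satisfied; in the rail trace the sample at 311.0 K (e_T_rail about 1.09) sits inside the hysteresis band between E_hot - E_hyst and E_hot, so it neither extends nor ends the restriction. Swapping a_phase for a_phase_fused changes nothing else in the guard, which is the portability the section is arguing for.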
9.4 Cold-chain pharmaceuticals
Risk: warm excursion that ruins potency, or accidental freezing that damages product integrity.
Risk:
Cold-chain potency loss (too warm) or freeze damage (too cold)
Inputs:
Embedded product logger.
Optional pivot tag T_m_tag = product (the product’s critical phase point).
Guards (symbol space):
Warm excursion guard:
e_T := lens-based contrast around declared storage setpoint
Freeze excursion guard:
a_phase_product := tanh(
c_m * ( (T_product_K - T_m) / DeltaT_m )
)
Action (enter):
• Warm branch:
S-CDD := sum_t max( e_T(t) - e* , 0 )
If S-CDD > S_CDD_max → quarantine / hold
• Freeze branch:
a_phase_product <= -Phi_freeze
for > T_freeze_min minutes
→ quarantine / hold
Clear (exit):
e_T <= e*
AND
a_phase_product >= +Phi_clear
for >= T_clear minutes
→ release back to normal flow
Notes:
• `S-CDD` is a symbolic “too warm for too long” budget:
S-CDD := sum_t max( e_T(t) - e* , 0 )
• `Phi_freeze`, `Phi_clear`, `e*`, `S_CDD_max`, `T_freeze_min`, and `T_clear` MUST be declared in policy.
• Every record MUST include `manifest_id` so an auditor can later prove that the decision (quarantine / release) was based on the declared math.
• The probe SHOULD sit in the true product core, not just in ambient air.
Why this matters:
This replaces “guess the safe °C window for each cargo type” with a portable symbolic contract that any auditor can replay: “Did S-CDD cross the published limit?” “Was a_phase_product in the freeze band too long?” No unit fights. No mystery math.
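As an added worked example (not SSMT's own code), the Python below runs both 9.4 branches over a constructed product-core trace and emits one audit record per sample, each carrying the manifest_id as the section requires. The ln lens e_T := ln( T_K / T_ref ) is anchored at the declared storage setpoint; all policy values, the placeholder manifest id, the one-sample-per-minute cadence, and the choice not to reset S-CDD automatically after a release (the budget is treated as per-consignment) are assumptions.

```python
import math
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class ColdChainPolicy:
    """The declared, published knobs from 9.4 (all values used below are assumed)."""
    manifest_id: str
    T_ref_K: float        # storage setpoint: anchor for the ln lens
    e_star: float         # e*: tolerated warm contrast before the budget is charged
    S_CDD_max: float      # S-CDD budget limit
    T_m_K: float          # product freeze pivot
    DeltaT_m: float
    c_m: float
    Phi_freeze: float
    Phi_clear: float
    T_freeze_min: int     # dwell, in samples (one sample per minute assumed)
    T_clear: int


def e_T(T_K: float, T_ref_K: float) -> float:
    """e_T := ln( T_K / T_ref )"""
    return math.log(T_K / T_ref_K)


def a_phase(T_K: float, T_m: float, DeltaT_m: float, c_m: float) -> float:
    return math.tanh(c_m * (T_K - T_m) / DeltaT_m)


class ColdChainGuard:
    def __init__(self, policy: ColdChainPolicy) -> None:
        self.p = policy
        self.S_CDD = 0.0        # per-consignment budget; not reset on release (assumption)
        self.freeze_run = 0     # consecutive samples with a_phase_product in the freeze band
        self.clear_run = 0      # consecutive samples meeting the clear rule
        self.held = False
        self.log: List[Dict[str, Any]] = []

    def step(self, t: int, T_K: float) -> Dict[str, Any]:
        p = self.p
        e = e_T(T_K, p.T_ref_K)
        a = a_phase(T_K, p.T_m_K, p.DeltaT_m, p.c_m)
        self.S_CDD += max(e - p.e_star, 0.0)          # S-CDD := sum_t max(e_T(t) - e*, 0)
        self.freeze_run = self.freeze_run + 1 if a <= -p.Phi_freeze else 0

        reason: Optional[str] = None
        if self.S_CDD > p.S_CDD_max:                  # warm branch
            reason = "warm: S-CDD over S_CDD_max"
        elif self.freeze_run > p.T_freeze_min:        # freeze branch (page uses strict >)
            reason = "freeze: a_phase_product in freeze band longer than T_freeze_min"

        if reason is not None:
            self.held, self.clear_run = True, 0
        elif self.held:
            ok = e <= p.e_star and a >= p.Phi_clear
            self.clear_run = self.clear_run + 1 if ok else 0
            if self.clear_run >= p.T_clear:
                self.held, self.clear_run = False, 0

        rec = {"manifest_id": p.manifest_id, "t": t, "T_K": T_K,
               "e_T": round(e, 5), "a_phase_product": round(a, 4),
               "S_CDD": round(self.S_CDD, 5),
               "state": "HOLD" if self.held else "OK", "reason": reason}
        self.log.append(rec)
        return rec


def run_cold_chain_demo() -> List[Dict[str, Any]]:
    """Constructed trace: a short freeze dip, recovery, then a warm excursion."""
    policy = ColdChainPolicy(manifest_id="MANIFEST-ID-PLACEHOLDER", T_ref_K=278.15,
                             e_star=0.01, S_CDD_max=0.02, T_m_K=273.15, DeltaT_m=1.0,
                             c_m=1.0, Phi_freeze=0.5, Phi_clear=0.2,
                             T_freeze_min=2, T_clear=2)
    guard = ColdChainGuard(policy)
    trace = [278.15, 272.15, 272.15, 272.15, 274.15, 274.15, 284.15, 284.15, 278.15]
    return [guard.step(t, T) for t, T in enumerate(trace)]


if __name__ == "__main__":
    for rec in run_cold_chain_demo():
        print(rec)
```

Replaying the log is exactly the auditor's question from the section: the freeze hold at minute 3 is visible as three consecutive a_phase_product values at or below -Phi_freeze, and the warm hold at minute 7 is visible as S_CDD crossing S_CDD_max; because the budget is cumulative, the hold persists at minute 8 even though the product is back at the setpoint.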
Navigation
Previous: SSMT – Conformance, Privacy, Accessibility, and Stability (8.5–8.7)
Next: SSMT – Disaster-Prevention Playbook (9.5–9.8)