Osprey: Production-ready agentic AI for safety-critical control systems

📝 Paper Summary

Safety-critical autonomous agents, Control systems automation, Human-in-the-loop planning

Osprey provides a safety-critical agent framework for large scientific facilities that generates reviewable execution plans and enforces hardware limits before any control system interaction.

Core Problem

General-purpose agent frameworks lack the transparency, protocol awareness, and safety safeguards required to operate hazardous scientific hardware like particle accelerators.

Why it matters:

Particle accelerators and fusion experiments involve high-energy hazards where uncontrolled actions can damage sensitive components or cause radiation safety issues.
Existing agents (e.g., ReAct) execute steps iteratively without visibility into future actions, making them unsafe for environments requiring strict operator oversight.
Facilities operate on complex, heterogeneous protocols (e.g., EPICS) that standard LLM tools cannot reliably interface with out of the box.

Concrete Example: In a standard ReAct loop, an agent might decide to write a value to a magnet based on a hallucinated channel name or an unsafe value. By the time the operator sees the action, the write command has already been sent to the hardware, potentially tripping a machine protection interlock.

Key Novelty

Plan-First Safety-Critical Orchestration

Decouples reasoning from action by generating a complete, dependency-aware execution plan (steps, inputs, outputs) for human review *before* any hardware interaction occurs.
Implements a 'defense-in-depth' safety layer where generated code is statically analyzed for write patterns and checked against a facility database of allowed process variable (PV) limits.
Uses a relevance classifier to dynamically select tools from massive inventories (thousands of channels) to prevent prompt context explosion.

Architecture

High-level architecture of the Osprey framework, illustrating the flow from operator request to hardware interaction.

Evaluation Highlights

Successfully deployed for real-time operations at the Advanced Light Source (ALS), managing interactions across hundreds of thousands of control channels.
Demonstrated semantic channel mapping and historical data integration in a production control-assistant tutorial.
Establishes a fail-secure architecture where read-only code runs in isolated containers while write operations require explicit operator approval.

Breakthrough Assessment

8/10

Significant practical contribution bridging the gap between stochastic LLM agents and deterministic, high-safety control systems. While the ML techniques are standard, the architectural integration for safety-critical hardware is novel and production-proven.

⚙️ Technical Details

Problem Definition

Setting: Natural language control of large-scale industrial/scientific systems (tens of thousands to millions of channels) under strict safety constraints.

Inputs: Natural language operator request (e.g., 'Scan the vertical size of the beam at sector 4').

Outputs: Verified execution plan and subsequent control system actions (Read/Write PVs) or analysis artifacts (plots, data).

Pipeline Flow

Input Processing: Conversation Distillation → Structured Task
Retrieval & Selection: Capability Classification → Tool Selection
Planning: Plan Generation → Human Review
Execution: Code Generation → Safety Checks → Connector Execution
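
The four stages above can be sketched as a chain of functions over a shared state object. This is a minimal illustration, not Osprey's actual API: every name here (PipelineState, distill, select_tools, plan_and_review, execute, run_pipeline) is hypothetical, the LLM calls are replaced by trivial stand-ins, and the execution stage collapses code generation, safety checks, and connector calls into one placeholder.

```python
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class PipelineState:
    """Data accumulated as a request moves through the four stages."""
    chat_history: list[str]
    task: str = ""
    tools: list[str] = field(default_factory=list)
    plan: list[str] = field(default_factory=list)
    approved: bool = False
    results: list[str] = field(default_factory=list)


def distill(state: PipelineState) -> PipelineState:
    # Stage 1 stand-in: treat the latest message as the structured task.
    state.task = state.chat_history[-1].strip()
    return state


def select_tools(state: PipelineState, inventory: dict[str, str]) -> PipelineState:
    # Stage 2 stand-in: keep tools whose keyword appears in the task text.
    task = state.task.lower()
    state.tools = [name for name, keyword in inventory.items() if keyword in task]
    return state


def plan_and_review(state: PipelineState,
                    review: Callable[[list[str]], bool]) -> PipelineState:
    # Stage 3: build the whole plan first, then ask the operator to approve it.
    state.plan = [f"run {tool}" for tool in state.tools]
    state.approved = review(state.plan)
    return state


def execute(state: PipelineState) -> PipelineState:
    # Stage 4: nothing runs unless the complete plan was approved.
    if state.approved:
        state.results = [f"done: {step}" for step in state.plan]
    return state


def run_pipeline(chat_history, inventory, review) -> PipelineState:
    state = PipelineState(chat_history=list(chat_history))
    state = distill(state)
    state = select_tools(state, inventory)
    state = plan_and_review(state, review)
    return execute(state)
```

Passing a review callback that returns False leaves results empty, which mirrors the plan-first property: the operator sees every step before any of them runs.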

System Modules

Conversation Distiller

Converts multi-turn chat history and implicit instructions into a structured task definition.

Model or implementation: Claude 3.5 Haiku (recommended default)

Capability Classifier

Selects relevant tools from the facility inventory using a binary relevance test per capability.

Model or implementation: Claude 3.5 Haiku (recommended default)
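
A per-capability binary relevance test might look like the sketch below. The function names and the keyword-overlap judge are assumptions made for illustration; in the described system the yes/no decision would come from an LLM call rather than string matching.

```python
from typing import Callable


def select_capabilities(
    task: str,
    capabilities: dict[str, str],
    is_relevant: Callable[[str, str], bool],
) -> list[str]:
    """Run one independent yes/no relevance test per capability."""
    return [
        name
        for name, description in capabilities.items()
        if is_relevant(task, description)
    ]


def keyword_judge(task: str, description: str) -> bool:
    """Toy stand-in for the LLM judge: any description word found in the task."""
    task_words = set(task.lower().split())
    return any(word in task_words for word in description.lower().split())
```

Because each capability is judged on its own, only the descriptions of the selected capabilities need to reach the planner prompt, which is how the inventory size stays decoupled from the prompt size.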

Orchestrator (Planner)

Generates a dependency-aware execution plan detailing steps, inputs, and outputs.

Model or implementation: Claude 3.5 Haiku (recommended default)
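
One way to represent a dependency-aware plan is as steps that name the context keys they consume and produce, from which an execution order follows. The sketch below is an assumption about the data shape, not the paper's schema: PlanStep and execution_order are hypothetical names, and the ordering uses Python's standard graphlib module.

```python
from dataclasses import dataclass
from graphlib import TopologicalSorter


@dataclass(frozen=True)
class PlanStep:
    name: str
    capability: str
    inputs: tuple[str, ...] = ()   # context keys this step consumes
    output: str = ""               # context key this step produces


def execution_order(steps: list[PlanStep]) -> list[str]:
    """Order step names so that every input is produced before it is used."""
    producers = {step.output: step.name for step in steps if step.output}
    graph: dict[str, set[str]] = {}
    for step in steps:
        missing = [key for key in step.inputs if key not in producers]
        if missing:
            raise ValueError(f"step {step.name!r} needs unknown inputs: {missing}")
        graph[step.name] = {producers[key] for key in step.inputs}
    # static_order() raises graphlib.CycleError if the plan is circular.
    return list(TopologicalSorter(graph).static_order())
```

A plan in which channel resolution feeds an archiver query, which in turn feeds a plot, resolves to that order regardless of how the steps were listed, and a step that references an output nobody produces is rejected before review.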

Code Generator (Execution)

Synthesizes Python code for analysis or control based on the plan.

Model or implementation: Claude-based generator (via Anthropic Agent SDK)

Safety Enforcer (Execution)

Static analysis of generated code and runtime validation of control values.

Model or implementation: Deterministic Logic (Regex + Database Lookup)
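
The regex-plus-lookup approach can be illustrated as follows. This is a sketch under stated assumptions: the pattern targets literal calls named caput (the write function name used by the pyepics library), the limits table is a plain dictionary standing in for the facility database, and find_writes and check_limits are hypothetical names. The paper does not specify which patterns or schema Osprey uses.

```python
import re

# Assumed pattern: literal calls such as caput("PV:NAME", 1.5) or caput('PV', -2, ...)
WRITE_CALL = re.compile(
    r"""\bcaput\(\s*["']([^"']+)["']\s*,\s*(-?\d+(?:\.\d+)?)\s*[,)]"""
)


def find_writes(code: str) -> list[tuple[str, float]]:
    """Return (pv_name, value) pairs for every literal write call in the code."""
    return [(pv, float(value)) for pv, value in WRITE_CALL.findall(code)]


def check_limits(
    writes: list[tuple[str, float]],
    limits: dict[str, tuple[float, float]],
) -> list[str]:
    """Compare each write against the allowed range; unknown PVs are rejected."""
    violations = []
    for pv, value in writes:
        if pv not in limits:
            violations.append(f"{pv}: not in the allowed-PV database")
            continue
        low, high = limits[pv]
        if not low <= value <= high:
            violations.append(f"{pv}: {value} outside [{low}, {high}]")
    return violations
```

A pattern like this only sees literal arguments. Writes whose channel or value is computed at run time would not match, which is one reason the static pass is paired with runtime validation of control values.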

Novel Architectural Elements

Plan-first orchestration layer that creates a reviewable dependency graph before any tool invocation
Dual-path execution environment: Read-only container (auto-execute) vs. Write-enabled container (requires explicit approval)
Protocol-agnostic Connector abstraction layer allowing the same agent logic to switch between Mock, LabVIEW, and EPICS backends

Modeling

Base Model: Claude 3.5 Haiku (recommended default for latency/performance balance)

Training Method: Prompt Engineering + Context Injection

Adaptation: None (In-context learning only)

Trainable Parameters: 0

Compute: Not reported in the paper

Comparison to Prior Work

vs. ReAct: Osprey generates a full plan *before* execution to allow operator review, whereas ReAct executes step-by-step without a lookahead.
vs. AutoGen: Osprey focuses on central orchestration with strict safety boundaries and protocol connectors rather than conversational agent collaboration.
vs. GAIA: Osprey provides reusable, facility-agnostic patterns and connectors rather than a custom architecture for a single machine.

Limitations

Relies on the quality of the underlying LLM's reasoning; hallucinations in the planning phase must be caught by human review.
Latency may be higher than with direct control scripts because every request passes through the multi-stage distillation and planning pipeline.
Requires facilities to maintain accurate PV boundary databases and example script libraries for effective safety enforcement.

Reproducibility

Code: https://github.com/lbl-als/osprey (publicly available)

The repository includes the framework core, connector abstractions, and a 'control-assistant' tutorial. Specific facility data (ALS control channels) is likely private, but the tutorial provides mock environments. Deployment configurations (Docker/Podman) are included.

📊 Experiments & Results

Evaluation Setup

Deployment in real-world safety-critical facility environments and tutorial simulations.

Benchmarks:

Advanced Light Source (ALS) Deployment (Real-time accelerator operations) [New]
Control Assistant Tutorial (Semantic channel mapping and historical data integration) [New]

Metrics:

Qualitative operational success
Safety compliance (read vs. write separation)
Statistical methodology: Not explicitly reported in the paper

Key Results

No quantitative results table is available: the paper focuses on system architecture and successful deployment rather than quantitative benchmarking metrics. Results are reported as operational capabilities.

Experiment Figures

Detailed workflow of the orchestration layer, breaking down the 4 stages of processing.

Main Takeaways

The framework is currently managing real-time operations across hundreds of thousands of control channels at the Advanced Light Source.
The plan-first approach successfully enables operators to review dependencies (e.g., channel resolution feeding into archiver queries) before execution.
The relevance classifier effectively downsamples large capability inventories, keeping prompts compact.
Containerized execution successfully isolates read-only analysis from write-enabled hardware control.

📚 Prerequisite Knowledge

Prerequisites

Basic understanding of LLM agent architectures (ReAct, tool use)
Familiarity with industrial control systems (SCADA concepts)
Knowledge of safety-critical system design (interlocks, fail-safe)

Key Terms

EPICS: Experimental Physics and Industrial Control System, an open-source software toolkit and set of network protocols (such as Channel Access) used to build distributed control systems for large scientific instruments like particle accelerators.

PV: Process Variable—a named piece of data (like a sensor reading or setpoint) in a control system.

ReAct: Reason+Act—a paradigm where agents interleave reasoning traces with action execution.

MCP: Model Context Protocol—a standard for connecting AI models to external data and tools.

Plan-first: An architecture where the agent generates a full schedule of actions for review before executing the first step, contrasting with iterative execution.

Sandboxing: Running code in an isolated environment (e.g., Docker container) to prevent unauthorized system access.

Connectors: Abstraction layers that translate generic agent actions into specific facility protocols (like EPICS Channel Access).

Interlock: A hardware or software safety mechanism that automatically halts operations if specific unsafe conditions are met.