Tue Sep 8 11:08:54 CEST 2009

A safety monitor

A language with two constructs is probably good enough:

  - inequalities to express safety constraints.  When not satisfied,
    these trigger actions.

         e.g. "totalpower < maxpower"

  - equalities to add extra internal nodes to make the inequalities
    easier to express

This could then be used to create two classes of imperative safety
monitor programs:

  * system monitor: keeps an eye on a system's output.  This is a
    stream processor: all nodes are updated at the same time, and all
    constraints are checked (serially, but conceptually in parallel).

  * operator monitor: for each allowed input event (a tuple of set
    points) one can construct a check that accepts or rejects the
    setting, or limits it to some extent.

The useful part would indeed be not just to tell an operator that a
request is wrong, but to _adjust_ the request into the valid region.
This needs extra knowledge, however: how to express an intermediate
point (some set points might _really_ make no sense, and adjusting
toward them should not itself result in erroneous behaviour).
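As an added example (not part of this note), a minimal Python evaluator for the two-construct language and both monitor classes. The node and constraint names, the power values, and the adjustment rule (bisection from a known-safe set point toward the request) are assumptions made here, not something the note specifies.

```python
import operator

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}


class Monitor:
    def __init__(self):
        self.nodes = {}        # equality nodes, evaluated in definition order
        self.constraints = []  # (label, lhs_node, op, rhs_node)

    def define(self, name, fn):
        """Equality: an internal node computed from inputs and earlier nodes."""
        self.nodes[name] = fn

    def constrain(self, label, lhs, op, rhs):
        """Inequality: a safety constraint such as totalpower < maxpower."""
        self.constraints.append((label, lhs, OPS[op], rhs))

    def evaluate(self, inputs):
        """System monitor step: update every node from one sample of inputs,
        then check all constraints. Returns the labels that are violated."""
        env = dict(inputs)
        for name, fn in self.nodes.items():
            env[name] = fn(env)
        return [lab for lab, l, op, r in self.constraints if not op(env[l], env[r])]

    def adjust(self, safe, request, steps=24):
        """Operator monitor: accept a safe request unchanged; otherwise bisect
        along the line from a known-safe set point toward the request and
        return the furthest point that still passes (assumes the safe region
        is convex along that line; a constructed simplification)."""
        if not self.evaluate(request):
            return dict(request)
        lo, hi = 0.0, 1.0  # fraction of the way from `safe` to `request`
        for _ in range(steps):
            mid = (lo + hi) / 2
            cand = {k: safe[k] + mid * (request[k] - safe[k]) for k in request}
            lo, hi = (mid, hi) if not self.evaluate(cand) else (lo, mid)
        return {k: safe[k] + lo * (request[k] - safe[k]) for k in request}


def build_demo():
    """Constructed example: two channels whose sum must stay under a limit."""
    m = Monitor()
    m.define("zero", lambda e: 0.0)
    m.define("maxpower", lambda e: 100.0)
    m.define("totalpower", lambda e: e["p1"] + e["p2"])
    m.constrain("power-limit", "totalpower", "<", "maxpower")
    m.constrain("p1-nonneg", "p1", ">=", "zero")
    return m
```

Because `adjust` only ever returns a point that `evaluate` has accepted (or the known-safe baseline itself), a rejected request can never be turned into an unsafe setting by the clamping step.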