Tue Sep 8 11:08:54 CEST 2009
A safety monitor
A language with two constructs is probably good enough:
- inequalities to express safety constraints; when not satisfied,
these trigger actions,
e.g. "totalpower < maxpower"
- equalities to add extra internal nodes that make the inequalities
easier to express
This could then be used to create two classes of imperative safety
monitor:
* system monitor: keeps an eye on a system's output. This is a
stream processor: all nodes are updated at the same time, and then all
constraints are checked (serially, but conceptually in parallel).
* operator monitor: for each allowed input event (a tuple of set
points) one can construct a check that accepts/rejects the
setting, or limits it to some extent.
The useful part would indeed be not just to tell an operator that a
request is wrong, but to _adjust_ the request into a valid region. This
needs extra knowledge however: how to express an intermediate point
(i.e. some set points might _really_ make no sense; adjusting those
should not result in somehow erroneous behaviour).
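As an added example (not code from the original note), here is a small
Python implementation of the two-construct language and both monitor
classes. The node names (p1, p2, totalpower), the limit MAXPOWER, the
adjustment rule in limit_total and all sample data are constructed
assumptions; the point it shows is that the operator monitor needs
separate adjustment knowledge, and that a request the adjuster cannot
bring into the valid region is rejected rather than passed through.

```python
# Added example (not from the original note): a tiny monitor built from the
# two constructs above. Node names, limits and sample data are constructed.
from typing import Callable, Dict, List, Optional, Tuple

Env = Dict[str, float]


class Monitor:
    def __init__(self) -> None:
        # equalities: (node name, function of the environment), kept in order
        self.nodes: List[Tuple[str, Callable[[Env], float]]] = []
        # inequalities: (label, predicate); predicate True means "safe"
        self.constraints: List[Tuple[str, Callable[[Env], bool]]] = []

    def equal(self, name: str, fn: Callable[[Env], float]) -> None:
        self.nodes.append((name, fn))

    def require(self, label: str, pred: Callable[[Env], bool]) -> None:
        self.constraints.append((label, pred))

    def evaluate(self, inputs: Env) -> Env:
        # update all internal nodes before any constraint is looked at
        env = dict(inputs)
        for name, fn in self.nodes:
            env[name] = fn(env)
        return env

    def violations(self, inputs: Env) -> List[str]:
        # check every constraint (serially, conceptually in parallel)
        env = self.evaluate(inputs)
        return [label for label, pred in self.constraints if not pred(env)]


MAXPOWER = 100.0  # constructed limit


def build_monitor() -> Monitor:
    mon = Monitor()
    mon.equal("totalpower", lambda e: e["p1"] + e["p2"])
    mon.require("totalpower < maxpower", lambda e: e["totalpower"] < MAXPOWER)
    mon.require("p1 >= 0", lambda e: e["p1"] >= 0)
    mon.require("p2 >= 0", lambda e: e["p2"] >= 0)
    return mon


def system_monitor(mon: Monitor, stream: List[Env],
                   on_violation: Optional[Callable[[int, str, Env], None]] = None
                   ) -> List[Tuple[int, List[str]]]:
    """Stream processor: each sample is one output tuple of the system.
    Returns (sample index, violated labels) for every flagged sample and
    fires on_violation, if given, once per violated constraint."""
    flagged = []
    for i, sample in enumerate(stream):
        bad = mon.violations(sample)
        if bad:
            flagged.append((i, bad))
            if on_violation:
                env = mon.evaluate(sample)
                for label in bad:
                    on_violation(i, label, env)
    return flagged


def limit_total(request: Env) -> Env:
    """Adjustment knowledge (constructed): scale the powers down so the
    total lands at 90% of MAXPOWER. It knows nothing about negative set
    points, so those are left as they are."""
    total = request["p1"] + request["p2"]
    if total >= MAXPOWER:
        scale = 0.9 * MAXPOWER / total
        return {k: v * scale for k, v in request.items()}
    return dict(request)


def operator_monitor(mon: Monitor, request: Env,
                     adjust: Callable[[Env], Env] = limit_total
                     ) -> Tuple[str, Optional[Env]]:
    """Accept, adjust into the valid region, or reject a set-point tuple."""
    if not mon.violations(request):
        return "accepted", dict(request)
    adjusted = adjust(request)
    if not mon.violations(adjusted):
        return "adjusted", adjusted
    # the adjuster could not reach a valid point: this request makes no sense
    return "rejected", None


if __name__ == "__main__":
    mon = build_monitor()
    # constructed output stream and operator requests
    stream = [{"p1": 30.0, "p2": 30.0}, {"p1": 60.0, "p2": 50.0},
              {"p1": 10.0, "p2": -1.0}]
    print(system_monitor(mon, stream))
    for req in ({"p1": 40.0, "p2": 50.0}, {"p1": 80.0, "p2": 70.0},
                {"p1": -10.0, "p2": 50.0}):
        print(operator_monitor(mon, req))
```

The second request (80 + 70) exceeds the limit and is scaled to (48, 42);
the third asks for a negative power, which limit_total cannot repair, so
the operator monitor rejects it instead of emitting an adjusted tuple that
still violates a constraint.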