1
I program mostly in C++, and I am interested in DSLs partly for formal verification.
Let's say I have an infinitely reliable microcontroller+code that must control an LED. This LED is switched on/off by means of a GPIO-pin, which is connected to a transistor/MOSFET. This transistor/MOSFET actually turns the LED on or off.
I would like to be as certain as possible that the LED is on when I want it to be on. If it is not on, I want to know (and do something else outside the scope of this question). As far as I can see, I can do several things to ensure the LED is on:
1. I can sense the GPIO-pin, which tells me if at least my logic works. This seems a bit pointless.
2. I can sense the current flowing over the LED with a current shunt.
3. I can sense the emitted light from the LED with some kind of optical sensor.
In the case of #2 and #3, I will probably get an indication of when the LED is on/off... but it also introduces new issues, such as:
1. What if my detection mechanism is less reliable than the transistor/LED circuit?
2. My usage of a current shunt increases the current draw of the LED circuit a bit. I'm influencing what I attempt measure.
I'm curious how these issues are approached in safety-critical situations: airplanes, rockets, trains, reactors etc. When does it make sense for a system to check if the hardware is still working as expected? And which of the 3 cases to measure?
I'm particularly curious about when to split off a new process, and what "if things fail, do something simpler" means in practice.
Any suggestions?