An essential principle of Selmo philosophy is:
"Safety is achieved through structure, not through additional code."
Because each zone has a defined function, safety behavior is an integral part of the model.
The classic errors (missing feedback, overlooked interlock, forgotten reset) can no longer occur,
since they are already prevented in the formal description.
Timers or jumps can still be used,
but they no longer take on safety tasks.
A timer only confirms that time has passed, not that an action has occurred.
And a jump is only safe if its target state is defined and verifiable.
This separation of "process control" and "safety monitoring" is a central component of Selmo design.
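An added illustration of the three rules above, written for this page and not taken from Selmo or any generated PLC code: every step advances only on its confirming feedback input, elapsed time can only raise a fault, and a jump is refused unless its target is a defined state. The step names, input names and the `Step`/`Sequence` classes are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Step:
    name: str
    feedback: str                # input that must confirm the commanded action
    timeout: float               # seconds without feedback before a fault is raised
    next: Optional[str] = None   # None marks the final step


class Sequence:
    def __init__(self, steps, start):
        self.steps = {s.name: s for s in steps}
        self.start = start
        self.fault = None
        self.jump(start)         # the start state must be defined as well

    def jump(self, target):
        # A jump is only accepted when its target is a defined state.
        if target not in self.steps:
            raise ValueError(f"jump target {target!r} is not a defined state")
        self.current = target
        self.elapsed = 0.0

    def reset(self):
        # Explicit reset: clear the fault and return to the defined start state.
        self.fault = None
        self.jump(self.start)

    def tick(self, inputs, dt):
        """One scan cycle; returns the current step name.
        Feedback advances the sequence; time alone can only produce a fault."""
        if self.fault is not None:
            return self.current  # a faulted sequence stays put until reset
        step = self.steps[self.current]
        if inputs.get(step.feedback, False):
            if step.next is not None:
                self.jump(step.next)
            return self.current
        self.elapsed += dt
        if self.elapsed > step.timeout:
            self.fault = f"{step.name}: no '{step.feedback}' within {step.timeout}s"
        return self.current


def demo():
    # Constructed two-step cylinder sequence: extend, then retract (hypothetical).
    seq = Sequence([Step("extend", "cyl_extended", 2.0, "retract"),
                    Step("retract", "cyl_retracted", 2.0)], "extend")
    seq.tick({"cyl_extended": False}, 1.0)          # still waiting for confirmation
    seq.tick({"cyl_extended": True}, 0.5)           # confirmed -> advance to retract
    for _ in range(5):
        seq.tick({"cyl_retracted": False}, 0.5)     # 2.5 s without feedback -> fault
    return seq
```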