# ThermIQ — Safety Architecture

## Non-Negotiable Constraints

These constraints are architectural. They must NEVER be relaxed:

1. **Miners must always be hard-disconnectable via contactors** — K10 (Miner 1) and K11 (Miner 2) are power contactors. Software can only energize or de-energize them if the safety relay allows it; the safety relay acts first.
2. **Safety logic must never rely on software or network** — The dual-channel safety relay operates entirely in hardware. If RevPi, Node-RED, Home Assistant and MQTT all go offline, the safety relay still functions.
3. **EVU input of Buderus is dry contact only** — Relay K7 is potential-free. It MUST NOT inject any voltage into the Buderus WLW186i EVU input I1; it only opens or closes the contact.
4. **No WiFi for critical energy components** — All control runs over wired Ethernet.
5. **Cloud never required for operation** — Cloud APIs are optional and read-only. The system must operate indefinitely without internet.
6. **If RevPi crashes → miners must shut down** — The safety relay is wired so that loss of the RevPi heartbeat de-energizes the contactor coils.
## Safety Circuit (Hardware)

```
[E-Stop 1 — NC] ──┐
[E-Stop 2 — NC] ──┤
[FLOW OK  — NC] ──┤──→ Dual-channel Safety Relay (with feedback loop)
[TEMP MAX — NC] ──┤                  │
[Reset    — NO] ──┘         ┌────────┴────────┐
                            ↓                 ↓
                        [K10 coil]        [K11 coil]
                        (Miner 1)         (Miner 2)
                            ↓
              [RevPi DI — Safety OK feedback]
```

**Dual-channel safety relay with Rückführkreis (feedback loop)**:

- Both channels must be healthy
- Feedback contacts of K10/K11 are wired back into the relay
- Manual reset required after trip
- Safety OK signal fed back to a RevPi DI for software awareness

## Safety Input Signals

| Signal   | Type | Condition               | Action on Fault    |
|----------|------|-------------------------|--------------------|
| E-Stop 1 | NC   | Opened = pressed        | Miners off         |
| E-Stop 2 | NC   | Opened = pressed        | Miners off         |
| FLOW OK  | NC   | Opened = no flow        | Miners off         |
| TEMP MAX | NC   | Opened = over-temp      | Miners off         |
| Reset    | NO   | Momentary close = reset | Re-enables safety  |

## Contactor Logic

```
Power path:            AC bus → LS breaker → K10/K11 contactor → Miner plugs
K10/K11 coil:          ONLY energized when safety relay output is OK
K10/K11 Hilfskontakt:  (auxiliary contact) feedback → RevPi DI (software monitoring only)
```

Both Schuko plugs of each miner must be routed through the respective contactor.

## Heat Pump EVU Logic

```
RevPi DO_EVU_SPERRE → K7 relay (potential-free) → Buderus I1

K7 closed = EVU Sperre active   = heat pump blocked
K7 open   = EVU Sperre inactive = heat pump free to run
```

Logic: when the Pufferspeicher (buffer tank) is hot enough, block the heat pump to save energy. Default state (RevPi off): K7 open → heat pump runs autonomously.
## Fault States and Recovery

| Fault            | Detection                                   | Recovery                              |
|------------------|---------------------------------------------|---------------------------------------|
| Safety trip      | Safety relay drops + RevPi DI goes low      | Fix cause, manual reset button        |
| Flow loss        | FLOW OK contact opens                       | Restore flow, reset                   |
| Over-temperature | TEMP MAX contact opens                      | Cool system, reset                    |
| E-Stop           | NC contact opens                            | Release E-Stop, reset                 |
| RevPi crash      | Safety relay heartbeat lost (if wired)      | RevPi reboot, system re-initializes   |

## Wiring Notes

- Safety circuit wiring: use screened cable where possible
- NC contacts preferred for fail-safe behavior (open = fault)
- Contactor feedback contacts must be wired for a complete Rückführkreis
- 24 V DC safety circuit — do not mix with 230 V circuits
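The hardware relay acts first and needs no software, but the RevPi side still has to mirror, log and cross-check what the hardware should be doing. The following is an added software model of the safety circuit, contactor logic, EVU logic and fault table described above; it is example code written for this page, not part of the ThermIQ project. Signal names follow the page, while the `Inputs`, `SafetyRelayModel`, `diagnose`, `miner_coil_command` and `k7_evu_sperre` names, the constructed input snapshots and the scenario sequence are assumptions of this example. The one behaviour it adds beyond the prose is the usual role of the Rückführkreis: a reset is refused while a contactor auxiliary contact still reports the contactor pulled in, so a welded contactor is never re-enabled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Inputs:
    """One snapshot of the safety-relevant digital inputs (constructed sample data).

    NC inputs read True while the contact is closed, i.e. healthy.
    Reset is NO: True only while the button is pressed.
    Feedback (Hilfskontakt) inputs read True while the contactor is pulled in.
    """
    estop1_closed: bool = True
    estop2_closed: bool = True
    flow_ok_closed: bool = True
    temp_max_closed: bool = True
    reset_pressed: bool = False
    k10_feedback_closed: bool = False
    k11_feedback_closed: bool = False
    revpi_heartbeat_ok: bool = True  # heartbeat into the safety relay (constraint 6)


def diagnose(inp: Inputs) -> list[str]:
    """Map open NC contacts and a lost heartbeat to the fault names of the fault table."""
    faults = []
    if not inp.estop1_closed:
        faults.append("E-Stop 1")
    if not inp.estop2_closed:
        faults.append("E-Stop 2")
    if not inp.flow_ok_closed:
        faults.append("Flow loss")
    if not inp.temp_max_closed:
        faults.append("Over-temperature")
    if not inp.revpi_heartbeat_ok:
        faults.append("RevPi crash")
    return faults


class SafetyRelayModel:
    """Latching model of the dual-channel relay with Rückführkreis (hypothetical class).

    Any fault drops the output immediately and latches. Power-up state is tripped,
    so nothing runs before a manual reset. Reset is accepted only when no fault is
    present and both contactor feedback contacts show the contactors dropped out.
    """

    def __init__(self) -> None:
        self.output_ok = False
        self.tripped = True
        self.reason = "power-up, reset required"

    def step(self, inp: Inputs) -> bool:
        faults = diagnose(inp)
        if faults:
            self.output_ok = False
            self.tripped = True
            self.reason = ", ".join(faults)
        elif self.tripped and inp.reset_pressed:
            if inp.k10_feedback_closed or inp.k11_feedback_closed:
                # Feedback loop open: a contactor did not drop out, do not re-enable.
                self.reason = "reset refused: contactor feedback still closed"
            else:
                self.tripped = False
                self.output_ok = True
                self.reason = "ok"
        return self.output_ok


def miner_coil_command(relay_ok: bool, software_enable: bool) -> bool:
    """K10/K11 coil: software may withdraw permission but never grant it on its own."""
    return relay_ok and software_enable


def k7_evu_sperre(revpi_alive: bool, buffer_hot: bool) -> bool:
    """True = K7 closed = EVU Sperre active = heat pump blocked.

    With the RevPi off the DO is de-energized and K7 falls open, so the
    heat pump runs autonomously (the default state given on the page).
    """
    return revpi_alive and buffer_hot


def run_scenario() -> list[tuple[str, bool, str]]:
    """Constructed sequence of snapshots; returns (step, miners_allowed, relay reason)."""
    relay = SafetyRelayModel()
    log: list[tuple[str, bool, str]] = []

    def record(name: str, inp: Inputs, software_enable: bool = True) -> None:
        ok = relay.step(inp)
        log.append((name, miner_coil_command(ok, software_enable), relay.reason))

    running = Inputs(k10_feedback_closed=True, k11_feedback_closed=True)
    record("power-up", Inputs())
    record("reset", Inputs(reset_pressed=True))
    record("running", running)
    record("flow loss", Inputs(flow_ok_closed=False, k10_feedback_closed=True,
                               k11_feedback_closed=True))
    record("reset with K10 welded", Inputs(reset_pressed=True, k10_feedback_closed=True))
    record("reset", Inputs(reset_pressed=True))
    record("heartbeat lost", Inputs(revpi_heartbeat_ok=False))
    return log


if __name__ == "__main__":
    for step, allowed, reason in run_scenario():
        print(f"{step:24s} miners_allowed={allowed!s:5s} reason={reason}")
```

The scenario is the fault table walked end to end: the output is off until the first reset, stays off through a flow loss, refuses a reset while the K10 auxiliary contact still reports the contactor closed, comes back only once the feedback loop is complete, and drops again when the heartbeat is lost. Software never appears on the path that grants power; `miner_coil_command` can only AND its own enable with the relay state.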