Adrian Bretsch
ba6622bed7
All Markdown documentation files for the ThermIQ smart hybrid heating system. PDFs excluded via .gitignore — generated on demand. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
3.6 KiB
ThermIQ — Safety Architecture
Non-Negotiable Constraints
These constraints are architectural. They must NEVER be relaxed:
-
Miners must always be hard-disconnectable via contactors — K10 (Miner 1) and K11 (Miner 2) are power contactors. Software can only energize/de-energize them if the safety relay allows it. The safety relay acts first.
-
Safety logic must never rely on software or network — The dual-channel safety relay operates entirely in hardware. If all of: RevPi, Node-RED, Home Assistant, MQTT go offline — the safety relay still functions.
-
EVU input of Buderus is dry contact only — Relay K7 is potential-free. It MUST NOT inject any voltage into the Buderus WLW186i EVU input I1. Only open/close the contact.
-
No WiFi for critical energy components — All control runs over wired Ethernet.
-
Cloud never required for operation — Cloud APIs are optional and read-only. The system must operate indefinitely without internet.
-
If RevPi crashes → miners must shut down — The safety relay is wired so that loss of RevPi heartbeat de-energizes contactor coils.
Safety Circuit (Hardware)
[E-Stop 1 — NC] ──┐
[E-Stop 2 — NC] ──┤
[FLOW OK — NC] ──┤──→ Dual-channel Safety Relay (with feedback loop)
[TEMP MAX — NC] ──┤ │
[Reset — NO] ──┘ ┌────┴────────────────┐
↓ ↓
[K10 coil] [K11 coil]
(Miner 1) (Miner 2)
↓
[RevPi DI — Safety OK feedback]
Dual-channel safety relay with Rückführkreis (feedback loop):
- Both channels must be healthy
- Feedback contacts of K10/K11 are wired back into the relay
- Manual reset required after trip
- Safety OK signal fed back to RevPi DI for software awareness
Safety Input Signals
| Signal | Type | Condition | Action on Fault |
|---|---|---|---|
| E-Stop 1 | NC | Opened = pressed | Miners off |
| E-Stop 2 | NC | Opened = pressed | Miners off |
| FLOW OK | NC | Opened = no flow | Miners off |
| TEMP MAX | NC | Opened = over-temp | Miners off |
| Reset | NO | Momentary close = reset | Re-enables safety |
Contactor Logic
Power path: AC bus → LS breaker → K10/K11 contactor → Miner plugs
K10/K11 coil: ONLY energized when safety relay output is OK
K10/K11 Hilfskontakt: feedback → RevPi DI (software monitoring only)
Both Schuko plugs of each miner must be routed through the respective contactor.
Heat Pump EVU Logic
RevPi DO_EVU_SPERRE → K7 relay (potential-free) → Buderus I1
K7 closed = EVU Sperre active = heat pump blocked
K7 open = EVU Sperre inactive = heat pump free to run
Logic: When Pufferspeicher is hot enough, block the heat pump to save energy. Default state (RevPi off): K7 open → heat pump autonomous.
Fault States and Recovery
| Fault | Detection | Recovery |
|---|---|---|
| Safety trip | Safety relay drops + RevPi DI goes low | Fix cause, manual reset button |
| Flow loss | FLOW OK contact opens | Restore flow, reset |
| Over-temperature | TEMP MAX contact opens | Cool system, reset |
| E-Stop | NC contact opens | Release E-Stop, reset |
| RevPi crash | Safety relay heartbeat lost (if wired) | RevPi reboot, system re-initializes |
Wiring Notes
- Safety circuit wiring: use screened cable where possible
- NC contacts preferred for fail-safe behavior (open = fault)
- Contactor feedback contacts must be wired for complete Rückführkreis
- 24 V DC safety circuit — do not mix with 230 V circuits