The five controlled outputs—pump (P0), sprinkler/recirculation valve (P1), shed cooling (P2), high flow (P3), and gel injection (P4)—each employ specific control strategies tailored to their hardware characteristics and safety requirements.

Diesel Pump Control: The most important of these is the diesel pump control, since either a failure to start or an unwanted start could be catastrophic. To avoid this, the pump control uses a latching pair of relays which toggle on and off. A 300-millisecond pulse to the ON coil is required to energize the pump, and a separate 300-millisecond pulse to the OFF coil to de-energize it. This latching design, in which the relay holds its state without continuous coil current, is primarily intended to prevent a loss of power followed by a restart from inadvertently triggering an unwanted pump start. Since the introduction of the RS485 communication this has become much less likely, because the physical triggering of the relays is implemented by Module 3 in the shed. Nevertheless, the latch system has been retained as a safety backup. Using a latch relay pair also improves reliability by eliminating the possibility of coil burnout from prolonged energization, and reduces power consumption by requiring energy only during state transitions. (The latching design does create some coding complexity, because the controller must track the pump's current state and must avoid sending contradictory commands in rapid succession that would damage the relay contacts through arcing.)

The communication link most vulnerable to signal disruption is the one between the internet, the house and the pump shed, so the code implements multiple protection layers around pump control. A 400-millisecond edge guard prevents opposite commands (for example, OFF following ON) from occurring too quickly. If a pump-on command executes at time T, any pump-off command received before time T+400ms is blocked entirely and logged as "drop: opp guard". This guard protects the relay contacts from the damage that rapid reversals would cause, where the contacts attempt to break current flow before the arc from the previous switching event has fully extinguished.

A separate 400-millisecond same-direction guard prevents redundant commands in the same direction from causing unnecessary relay actuation. If a pump-on command executes at time T and another pump-on command arrives before time T+400ms, the second command is acknowledged but not executed: the code logs "drop: same-dir min" and sends an acknowledgment frame indicating the pump is already in the requested state. This prevents command retry logic from repeatedly pulsing the relay when the first command was already successful.

After any pump state change, a command silence period of 400 milliseconds blocks all pump commands regardless of direction. Any command arriving during this window is logged as "drop: silence" and ignored. This silence period ensures that electrical transients from relay actuation have fully settled, that mechanical relay motion has completed, and that any bouncing of the relay contacts has ceased before new commands are processed.
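The three guards above (opposite-direction edge guard, same-direction minimum spacing, and post-change silence) together with the 300-millisecond latching-coil pulse can be expressed as a single command gate. The C below is an added example written for this page and is not the project's firmware: the `pump_ctl` struct, the `pulse_coil` hook and the result codes are assumptions, and because the page does not say where the silence window is measured from, the example starts it when the coil pulse ends (an assumption), which is why "drop: silence" is still observable after the two 400 ms guards have expired. Checks run in the order the page lists them, and a same-direction command outside its window re-pulses the coil, which is harmless for a latching relay and re-syncs the latch with the tracked state.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Timing constants from the page. */
#define PULSE_MS      300u   /* coil pulse length for the latching relay pair */
#define OPP_GUARD_MS  400u   /* opposite-direction edge guard */
#define SAME_DIR_MS   400u   /* same-direction minimum spacing */
#define SILENCE_MS    400u   /* post-change command silence */

/* Coils of the latching relay pair (hypothetical identifiers). */
enum coil { COIL_NONE = 0, COIL_ON = 1, COIL_OFF = 2 };

/* Outcome of a pump command; the strings match the page's log messages. */
enum pump_result {
    PUMP_EXECUTED,        /* coil pulsed, tracked state updated */
    PUMP_ACK_SAME_DIR,    /* "drop: same-dir min": acknowledged, no pulse */
    PUMP_DROP_OPP_GUARD,  /* "drop: opp guard": blocked entirely */
    PUMP_DROP_SILENCE     /* "drop: silence": ignored */
};

struct pump_ctl {
    bool     is_on;              /* controller's tracked pump state (latch has no readback) */
    bool     have_cmd;           /* at least one command has executed */
    bool     last_dir_on;        /* direction of the last executed command */
    uint32_t last_exec_ms;       /* time T of the last executed command */
    uint32_t silence_until_ms;   /* end of the silence window */
    enum coil last_pulse_coil;   /* recorded so a test can see which coil fired */
    uint32_t last_pulse_len_ms;
    const char *last_log;
};

static void pump_init(struct pump_ctl *p)
{
    memset(p, 0, sizeof *p);
    p->last_log = "";
}

/* Hypothetical hardware hook: real firmware would drive a GPIO for len_ms. */
static void pulse_coil(struct pump_ctl *p, enum coil c, uint32_t len_ms)
{
    p->last_pulse_coil = c;
    p->last_pulse_len_ms = len_ms;
}

/* Gate a pump command arriving at now_ms through the three guards, then pulse. */
static enum pump_result pump_command(struct pump_ctl *p, bool want_on, uint32_t now_ms)
{
    if (p->have_cmd) {
        uint32_t since = now_ms - p->last_exec_ms;        /* unsigned: wrap-safe */
        if (want_on != p->last_dir_on && since < OPP_GUARD_MS) {
            p->last_log = "drop: opp guard";              /* protects contacts from arcing */
            return PUMP_DROP_OPP_GUARD;
        }
        if (want_on == p->last_dir_on && since < SAME_DIR_MS) {
            p->last_log = "drop: same-dir min";           /* ack: already in requested state */
            return PUMP_ACK_SAME_DIR;
        }
        if ((int32_t)(now_ms - p->silence_until_ms) < 0) {
            p->last_log = "drop: silence";                /* transients/bounce not settled */
            return PUMP_DROP_SILENCE;
        }
    }
    pulse_coil(p, want_on ? COIL_ON : COIL_OFF, PULSE_MS);
    p->is_on = want_on;
    p->have_cmd = true;
    p->last_dir_on = want_on;
    p->last_exec_ms = now_ms;
    /* Assumption: silence starts when the 300 ms pulse has ended. */
    p->silence_until_ms = now_ms + PULSE_MS + SILENCE_MS;
    p->last_log = want_on ? "pump ON" : "pump OFF";
    return PUMP_EXECUTED;
}

int main(void)
{
    /* Constructed command sequence: ON, then an OFF retry burst, then OFF. */
    struct pump_ctl p;
    const struct { bool on; uint32_t t; } seq[] = {
        { true, 1000 }, { false, 1399 }, { true, 1200 }, { false, 1450 }, { false, 1700 }
    };
    pump_init(&p);
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        pump_command(&p, seq[i].on, seq[i].t);
        printf("t=%4u cmd=%-3s -> %s (tracked state: %s)\n", seq[i].t,
               seq[i].on ? "ON" : "OFF", p.last_log, p.is_on ? "ON" : "OFF");
    }
    return 0;
}
```

Note that the unsigned subtraction `now_ms - p->last_exec_ms` is deliberate: on a millisecond tick counter that wraps, it still yields the elapsed interval, whereas comparing absolute timestamps would misbehave at rollover.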

Page last modified on February 08, 2026, at 11:25 pm