by mrweasel 3505 days ago
That's fair enough, but in this case the heating system is directly attached to the internet. The correct way of designing something like this is having the heating system as one system and the management system as another.

The management system can then receive information and MAYBE control some aspects of the heating system. If you remove or crash the management system, the heating system just reverts back to being a "dumb" heating system.

My question is: Why in the name of all that is holy does the heating system stop working just because the remote management interface decides to reboot?

This has to be designed by the same idiots that believe that an in-car infotainment system should be hooked up to the drive computer in a Jeep.

1 comments

A combo of cost cutting and safety requirements?
What kind of incident could safety regulations be trying to prevent by forbidding a furnace from operating when remote control is unreachable?
Blow of tank, fire.
There are other methods to prevent such occurrences: furnaces have "flame out of bounds" sensors and/or chimney flow sensors: this is very good at preventing the furnace from starting a fire of its own.

If there's already a fire present, whether the furnace decides to stop operating or not is usually irrelevant (you can get a gas leak from a damaged furnace even if it's off). I do not see why _remote_ control should be able to prevent a fire from starting: whatever is remotely controlling this furnace doesn't have more data than the furnace itself.

So, circumvent your furnace control logic to burn at max rate when it receives no commands from its remote controller, then go somewhere for a week. Engineers are stupid people, you know.
My family has a furnace for heating water and the house. The furnace has a control unit that controls the burner and pumps. There is also a "manual operation" switch, to be used if the control unit fails, that simply switches everything on: pumps and the burner. The burner has a thermostatic control (that is set to a very high temperature and is essentially used to prevent it from boiling the water).

So, in this case, "burn at max rate" _is_ the safe setting to be used when the controller dies. The only unsafe situation that it will cause is that the hot utility water will be scaldingly hot, but there will be no increased danger of fire nor of CO poisoning.