I wasn’t suggesting, by any means, we ignore the blank station issue. Anyways, you understood my point.
Indeed 🙂 Yes, to protect it, yes to support blank zones.
Here’s an idea: Maybe a control system like this should be two processes: one really small kernel, only responsible for changing the zone states, and a “watch-dog” checking, iff any zone is currently on, how long it has been since the zone state has changed. If the zone state has not changed in, say, (configurable) 60 minutes, turn off all zones and stop the kernel. Then a separate process will do all the rest: keeping schedules, communicating with apps, weather checking, etc. If the second process does something unthinkable and crashes, at least the kernel will detect an issue after 60 minutes and kill the flow.
Obviously you have HW watchdogs etc, but a HW watchdog wouldn’t work in the case we’ve seen right now. The Pi didn’t crash, the control program didn’t crash, it just didn’t change the states anymore.
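A sketch of the small kernel proposed in the post above, as an added example that is not part of the original thread or of any project's code. The names `ZoneKernel`, `KernelStopped`, `watchdog_tick` and `_drive_outputs` are hypothetical, the hardware write is a placeholder, and the channel the scheduler process would use to reach `set_zone` is assumed and not shown.

```python
import time


class KernelStopped(RuntimeError):
    """Raised when a command arrives after the watchdog has tripped."""


class ZoneKernel:
    """Small kernel: only changes zone states and runs the stale-state watchdog."""

    def __init__(self, zone_count, max_unchanged_s=60 * 60, clock=time.monotonic):
        self._clock = clock                      # injectable so the timeout can be tested
        self.max_unchanged_s = max_unchanged_s   # configurable, 60 minutes by default
        self.zones = [False] * zone_count
        self.last_change = clock()
        self.stopped = False

    def set_zone(self, index, on):
        """Entry point for the separate scheduler process (transport not shown)."""
        if self.stopped:
            raise KernelStopped("watchdog tripped; manual restart required")
        if self.zones[index] != on:
            self.zones[index] = on
            # Only a real state change resets the timer. A scheduler stuck
            # re-sending "zone 1 on" therefore cannot keep the water running.
            self.last_change = self._clock()
            self._drive_outputs()

    def watchdog_tick(self):
        """Run periodically. Returns True if it had to shut everything off."""
        if self.stopped or not any(self.zones):
            return False                         # nothing is on: nothing to protect
        if self._clock() - self.last_change < self.max_unchanged_s:
            return False
        self.zones = [False] * len(self.zones)   # kill the flow
        self._drive_outputs()
        self.stopped = True                      # refuse further commands
        return True

    def _drive_outputs(self):
        # Placeholder: a real kernel would write self.zones to the valve hardware.
        pass
```

Because the timer depends on state changes and not on process liveness, it covers the case described in the post where nothing crashed but the states stopped changing.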