Safety
Detector summary
| # | Detector | Status |
|---|---|---|
| 1 | GFCI EXTI / poll | Live; bench-validated, ~60 ms trip latency |
| 2 | Relay weld (BL0939 IA) | Live; bench-validated |
| 3 | Relay stuck-open (BL0939) | Live; bench-validated |
| 4 | PE continuity loss | Deferred to v1.1 (PC5 is mains-current-coupled) |
| 5 | CP=E sustained | Live |
| 6 | Diode check (CP negative half) | Deferred to v1.1 (hardware mod required) |
| 7 | Boot self-test (rails / relay / CP / GFCI CAL) | Live; bench-validated |
| 8 | ADC out-of-range (runtime) | Live |
| 9 | Over-temperature (gun + wall NTC) | Live |
| 10 | Hard over-current (× 1.20 sustained > 5 s) | Live; bench-validated |
| 11 | Soft over-current (× 1.05 for 30 s, duty ramp-down) | Live; bench-validated |
| 12 | CC out-of-range | Decoder live; raise gated on bench cal |
| 13 | AC supply absent | Live |
| 14 | CP regression (C → B) | Live (informational) |
Plus structural protections: IWDG (1 s), crash-loop safe-fail, UL 2231 force-open latch on the GFCI line, single-writer locks on relay and PWM.
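As an added example (not the project's firmware), the C below sketches the timing rules of detectors 10 and 11 in the table: 1.20× rated current sustained for more than 5 s latches a hard trip, and 1.05× rated current held for 30 s steps the PWM duty down. The rated current, the duty ramp step and floor, and the `oc_*` names are assumptions; acting on the returned event (opening the relay, writing the PWM) is left to the single-writer owners named above.

```c
#include <stdbool.h>
#include <stdint.h>

/* Thresholds and hold times come from the detector table; the rest is assumed. */
#define OC_HARD_RATIO    1.20f    /* hard over-current: 1.20 x rated ...        */
#define OC_HARD_HOLD_MS  5000     /* ... sustained for more than 5 s            */
#define OC_SOFT_RATIO    1.05f    /* soft over-current: 1.05 x rated ...        */
#define OC_SOFT_HOLD_MS  30000    /* ... for 30 s, then the duty is ramped down */
#define DUTY_RAMP_STEP   5        /* assumed: duty percent removed per soft event */
#define DUTY_FLOOR       10       /* assumed: lowest duty the ramp will reach     */

typedef enum { OC_OK, OC_SOFT_RAMP, OC_HARD_TRIP } oc_event_t;

typedef struct {
    float    rated_amps;
    bool     hard_active, soft_active;     /* timers armed while above threshold */
    uint32_t hard_since_ms, soft_since_ms; /* when the current first crossed it  */
    uint8_t  duty_pct;                     /* PWM duty the caller should apply   */
    bool     tripped;                      /* latched; cleared only by explicit reset */
} oc_state_t;

void oc_init(oc_state_t *s, float rated_amps, uint8_t duty_pct)
{
    *s = (oc_state_t){ .rated_amps = rated_amps, .duty_pct = duty_pct };
}

/* Feed one current sample (e.g. per BL0939 read); returns the event to act on. */
oc_event_t oc_step(oc_state_t *s, float amps, uint32_t now_ms)
{
    if (s->tripped) return OC_HARD_TRIP;          /* latch: no silent recovery */

    if (amps > s->rated_amps * OC_HARD_RATIO) {
        if (!s->hard_active) { s->hard_active = true; s->hard_since_ms = now_ms; }
        else if (now_ms - s->hard_since_ms > OC_HARD_HOLD_MS) {
            s->tripped = true;
            return OC_HARD_TRIP;
        }
    } else {
        s->hard_active = false;                   /* any dip restarts the 5 s window */
    }

    if (amps > s->rated_amps * OC_SOFT_RATIO) {
        if (!s->soft_active) { s->soft_active = true; s->soft_since_ms = now_ms; }
        else if (now_ms - s->soft_since_ms >= OC_SOFT_HOLD_MS) {
            s->soft_since_ms = now_ms;            /* another 30 s before the next step */
            s->duty_pct = (s->duty_pct > DUTY_FLOOR + DUTY_RAMP_STEP)
                        ? (uint8_t)(s->duty_pct - DUTY_RAMP_STEP) : DUTY_FLOOR;
            return OC_SOFT_RAMP;
        }
    } else {
        s->soft_active = false;
    }
    return OC_OK;
}
```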
What's deferred
The diode check (CP negative-half voltage threshold) is not implemented on the ROC001 hardware revision. The OEM read-back divider clamps the negative half to raw=0, so a software-only path is impossible. Stock firmware V1.0.066 also skips this check. A v1.1 hardware revision with a bipolar CP read-back daughterboard would enable it. See docs/diode-check-investigation.md.
Deep dive
Full detector spec, fault model, and bench traces live in the firmware repo: docs/safety.md, design specs, and the 2026.19.0 release notes.