I 100% agree with you, and a great safety warning. Glad that situation did not end as badly as it could have.
To be specific about the scope of my own tinkering, my combi boiler has a dedicated timer control interface, which is accessible to end users. It is of the ‘zero volts’ type, meaning that you are operating a simple switch, closing a circuit that starts and ends at the main control board, which I DO NOT MESS WITH.
I already had an aftermarket timer switch, more sophisticated than the onboard timer, but still very closed.
I have this on now, but have tested previously replacing it with a standalone Pi, implementing a simple timing schedule.
I am preparing a nicer, web controllable version to run on the pi permanently. I am interested in using the bluetooth buttons to give it a ‘just boost now’ option which my wife, who is competent but disinterested in IT, a tangible improvement over our current system, and to remove the need for her to access the web page.
I plan 4 vital safety features, even given that I am using a purpose built timer control interface:
1) The interface will be one designed for switching mains from a Pi/Arduino, with proper separation of the high and low voltage sections, even though it doesn’t need to be, for a few pounds extra it gave me a much more robust switch. The relay fails open, so the boiler turns off if it dies.
2) The Pi does not get to control the boiler direct. The switch signal has to be passed via an Arduino, whose only role in life is to sit in between and enforce a policy that the boiler cannot be switched on or off more than once per minute, or 10 times in 1 hour. If the Pi asks for more frequent changes, it reschedules if within 10 seconds, or sends back an error. This is because boilers are not designed to be turned on and off like a PWM duty cycle, and could be damaged if they spent all day turning on and off. The Arduino also sends a signal every hour to the Pi to say it is alive and still running its program, because I am anal about debugging in any live system.
3) The Pi only accepts connections from within my home network AND there will be a PIN page before I put it ‘live’.
4) The Pi, Arduino and relay are in a sensible electronics enclosure, with good cabling, glands and cable strain relief, for the control wire, 5VDC in and wired ethernet. There is no onboard wifi, and the mains power point is some distance from the Pi.
This is the result of my own risk assessment and mitigation thoughts, and doesn’t constitute a recipe for anyone seeking to do the same thing – may be worth considering the above, but research the risks yourself.
Is there anything more I could/should think about, in terms of potential risks and mitigations?