Max runtimes should be considered
If a fault causes an artificial demand on the system, it should be detected and the request cut off after a period of time.
Problem example: A failed temperature sensor starts reporting that a zone is at 0°C, a valid and in-range temperature. This results in heating demand. The heater demand will be constant while the problem exists.
Solution:
As a backstop failsafe, at least: apply maximum run times or a maximum consecutive demand length. This should be configurable per zone, and/or per sensor or schedule.
Edited by Paul Campbell
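One way the requested backstop could work, as an added example that is not code from this project: a guard that tracks how long each zone has demanded heat without a break and cuts the request once a per-zone limit is reached. The names `DemandGuard`, `allow` and `simulate`, the limits, and the choice to keep a zone tripped until its demand drops are all assumptions; the sensor readings are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DemandGuard:
    """Backstop: cut a zone's heat demand once it has run unbroken for too long."""
    default_max_s: float                                 # limit for zones with no override
    per_zone_max_s: dict = field(default_factory=dict)   # zone -> configured limit
    _since: dict = field(default_factory=dict)           # zone -> start of current demand
    tripped: set = field(default_factory=set)            # zones currently cut off

    def allow(self, zone: str, demand: bool, now: float) -> bool:
        """Return True if the heater may run for `zone` at time `now` (seconds)."""
        if not demand:
            # Demand ended on its own: the consecutive run is over, clear any trip.
            self._since.pop(zone, None)
            self.tripped.discard(zone)
            return False
        start = self._since.setdefault(zone, now)
        limit = self.per_zone_max_s.get(zone, self.default_max_s)
        if now - start >= limit:
            # Assumption: stay cut off for as long as the demand persists,
            # so a stuck sensor cannot restart the heater by itself.
            self.tripped.add(zone)
            return False
        return True


def simulate(minutes: int = 180):
    """Constructed scenario: 'hall' sensor is stuck at 0.0 C, 'lounge' is healthy."""
    guard = DemandGuard(default_max_s=120 * 60, per_zone_max_s={"hall": 60 * 60})
    setpoint, lounge_temp = 20.0, 17.0
    heat_minutes = {"hall": 0, "lounge": 0}
    for minute in range(minutes):
        now = minute * 60.0
        readings = {"hall": 0.0, "lounge": lounge_temp}
        for zone, temp in readings.items():
            if guard.allow(zone, temp < setpoint, now):
                heat_minutes[zone] += 1
                if zone == "lounge":
                    lounge_temp += 0.25   # healthy zone warms up and demand stops
    return heat_minutes, sorted(guard.tripped)


if __name__ == "__main__":
    print(simulate())
```

In the constructed run the healthy zone stops demanding heat by itself, while the zone with the stuck sensor is cut off at its configured limit and remains flagged in `tripped`, which is the value to alert on.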