I have an application using a Photon and a Boron to control a pump in a water well as a function of the position of a float switch in a large water storage tank. The Boron is installed on an NCD relay board and one relay on the NCD board controls the on/off status of the pump. The firmware on the Boron closes or opens that relay in response to incoming messages from the Photon.
Recently the production Boron died (would connect to LTE cell service but would not connect to the Particle Cloud; firmware continued to run) and for the three or four days it took to replace the defective Boron with a new one, twice-a-day manual control had to be implemented. That was inconvenient to the extreme.
I am considering acquiring a second NCD board and another Boron and connecting them in parallel (not in series!) with the pump-control circuit. In other words, both Borons would receive and respond to incoming messages and the relays on both NCD boards would close or open simultaneously. If either of the Borons should fail, normal system operation would continue unaffected.
Does anyone see any downside to this concept? So far, the only potential problem that I can envision is a Boron failure when the relay on its associated NCD board is closed (pump operating); if the failure mode doesn't open the relay, the pump could run uninterrupted forever (not good). But I don't know if there would ever be a Boron failure mode where the relay remains closed.
Additional thought: I could modify the firmware on both Borons so that if one of them goes off-line for any reason and it thus fails to publish a periodic, scheduled "I am alive" message, an email or text would be sent by the other to appropiate individuals for trouble-shooting. That would protect against the possibility of a relay being left closed indefinately due to a Boron failure.
Hydraulically speaking, we have 2 types of water storage tanks.
The well is coupled to the Hydraulic Grade Line (HGL) of the distribution system. The well sends water to the "bottom" of the tank as well as the distribution system at the same time. The water goes to the demand.
The well is de-coupled from the HGL, because the well water is piped to the top (near the overflow) of the tank. All water entering the distribution system must leave the tank.
If your system is coupled (#1), you can use a more robust control system by measuring the distribution pressure (HGL) at the well and allowing for a secondary control scheme in the event of a comms failure.
When the Well's Photon/Boron cant talk to the storage tank, it can transition into a "fail-operational" mode and decide how to keep water in the tank (based solely on pressure at the well) without needing a Cloud Connection. We'd generally start by shooting to keep the tank ~half full in this mode. After a few weeks of operation to gather local historical pressure data at the Well, you can fine tune the pumping thresholds (ON psi, OFF psi) for the "fail-operational" mode if you want.
I appreciate your thoughtful reply Ryan but, unfortunately, the storage tank and the well are over 1000 feet apart. There is no physical connectivity between them (other than the PVC water supply line); i.e. there is no wire. Thus we are 100% dependent on the Particle Cloud to turn the pump on or off. Note: the water storage and supply system is in place to provide potable water to 4 homes.
The system has been rock-solid since we shifted from 3G cellular (Electron) to LTE (Boron) at the well in late '21. We never expected the Boron to "give up the ghost" (very few moving parts but a regular oil change nonetheless), but it did.
What I attempted to describe doesn't require a wire between the tank and the well.
Measuring the water pressure at the well discharge pipe past the check valve will allow you to infer the water surface elevation in your tank that's 1,000' away (assuming the tank does not have an independent fill pipe, what I call a de-coupled HGL). This concept works anywhere in a water distribution system.
I presume you already thought of this and there is some reason why it won't work for you, but I have a well pump that fills a secondary non-pressurized holding tank. The holding tank has a magneto-resistive float sensor and uses a Photon for control. The well pump, however, uses a normal pressure switch and is not controlled directly by the Photon. The holding tank Photon just opens a solenoid valve, which causes the well line pressure to drop and the well to turn on, despite having no wire connection.
But generally speaking having two devices in parallel makes sense, though there are a few weird corner cases to take care of when they have conflicting requests.
I think I am still a bit confused Ryan. The water supply line enters the tank near the bottom, so I guess that's what you mean by "coupled". What I don't yet understand is how measuring the HGL at the well would allow the determination of the water level in the tank if the tank is downhill from the well. In our case, though, it happens to be uphill (by 200 or 300 feet). But can a pressure transducer at the well monitor pressure precisely enough to detect a change in water level in the tank of only about 3 or 4 feet? If it can, then that'd, indeed, be a potential option.
Another possible factor to consider: one of the homes served by the system is fed by gravity and siphon. More specifically, the supply pipe that goes uphill has a T fitting at the well with a seperate pipe to that home. If the resident there opens a tap or flushes a toilet, would the aformentioned pressure transducer be "confused" and think (for a few seconds, maybe) that the water level in the tank has dropped? We wouldn't want the pump to be constantly cycling with all such activity.
Yes, but a drawdown range of only 3 feet is going to be tight.
Lets assume the TOP of the tank is 231' above the well head, for an example/discussion.
The good pressure sensor past the well's check valve will report 100.0 psi in a static condition when the tank is full. You multiply the psi * 2.31 to determine the water elevation in the tank = 231' above the sensor. We are assuming a temperature compensated sensor with 0.5% Full Scale Accuracy.
Lets use a 150 psi sensor in the example, so it's accurate to within at least 1.7 feet. We normally deal with a much larger drawdown than 3 feet, so my recommendation isn't going to be all that great for you .
As you are aware, the dynamic pressure in the pipe will increase during pumping and decrease during water demands for that 1 house directly tied to the tank supply pipe. That's not a huge concern because your Photon/Boron wont be making decisions every second when it needs to revert to fail-operational" mode because of a lack of comms with the tank.
But given your limited drawdown space, you're probably on the right track for a duel input (2 Borons) that can both activate the control signal to the well starter for redundancy.
Another possibility :
If your Photon is at the tank location ( WiFi), then you could have it monitor the overflow of the tank and watch for an overflow condition.
In the event that either Boron failed and left it's relay in a closed position, the Photon would notify someone that the tank is overflowing, meaning you have a rogue Boron.
Thanks yet again Ryan. A couple of us here have been chewing on this for a couple of days and have agreed that the reliance on a pressure sensor is unlikely to work very well; too much precision required of the device to reliably detect a 3-foot drop in water level (our tank is a large - 1600 gallon - buried horizontal one with a vertical dimension of only 4 feet). If our tank was a vertical one, then your idea would have worked quite well (no pun intended). In fact, a vertical tank probably would not have needed the Particle devices and the Cloud at all.
So we have decided to pursue the dual Boron approach. I will modify the code to send a periodic "keep alive" message from each Boron to the other and if none is received from either of them for a yet-to-be-decided interval, the other will initiate an email or text to a human or two.
We think the above solution will address our issue quite well. There is still the extremely remote possibility that a Boron might fail with a relay closed, but the only failure mode we can imagine that could cause that to happen is something that causes the firmware to stop running (the firmware has safeguards against the pump running too long) and that has never happened. You will remember that the only failure encountered in almost 3 years was the inability to connect to the Cloud; the firmware kept running.
While the Boron is powered by the NCD relay board (no backup LiPo battery connected) we believe that if the NCD PCB loses power (which, of course, will stop the firmware from running on the Boron) any relay that might have been closed at the time will open; do you know?
Should a relay nonetheless get stuck closed, I think the best solution to that would be an additional float switch in the tank, higher that the current float switch's high-water mark (which isn't at the very top). Or maybe a moisture sensor at the very top. The code on the Photon would initiate the appropriate alerts.
I'd expect a loss of power would result in the relay position not changing from it's state, I don't see anyway for an unpowered relay of that type to change, but that's outside my wheelhouse.
Knowing more of your specific details now, I'd agree with your plan 100% .
As a Side Note: NCD sells pressure sensors that you could use on your Photon for the horizontal tank (independent of your existing control floats) to always know the exact water level or an overflow condition. I've measured water surfaces to within a few mm with the low-range AMS 5812 sensors, such as this.
If you decide to add a local sensor to the Phone to monitor the tank level, you want a bidirectional differential gauge sensor (required for fluid compatibility on Port 2).
FWIW, I have posted on the NCD forum the question about the relay state upon loss of power. However, I have orderd another Boron and we have a maintenance spare relay board, so I will actually be able to test that myself soon.
As always Ryan, your input has been of enormous value! Thanks yet again.
Just got confirmation from a member of the NCD forum. When there is no power applied to the relay, it connects common to the Normally Closed position. We are wired to the Normally Open side, so if the relay is commanded to close (common connected to Normally Open) when power is lost, the relay will switch to the NC side and our pump will shut off. So we are good to go!
.
.
