Here's a little more detail on the circuit and application. This should better explain how the logic works.
This is for an HVAC thermostat. I have a "dual-fuel" package furnace, which has three stages of heating: 1) heat pump (Output Y1), 2) low-fire gas (Output W1), 3) high-fire gas (Output W2). The system is designed so that additional stages kick in if the heating load exceeds the capacity of the current mode of operation. The thermostat has an algorithm to determine when to move to a higher stage, but it can be roughly simplified as a timer:
Y1 on
(wait 10 minutes)
Y1 + W1 on
(wait 10 minutes)
Y1 + W1 + W2 on
When the thermostat is calling for the highest heating capacity, outputs Y1, W1, and W2 are all turned on. The issue is that the heat pump (Y1) and furnace (W1/W2) should not operate at the same time, or else the evaporator coil will be damaged (there is an exception here--during defrost--but that's a special mode of operation and is handled by the controller inside the furnace, not the thermostat). The thermostat works this way because most "auxiliary heat" applications rely on electrical heating elements, which can operate simultaneously with the heat pump. Special dual fuel thermostats do exist, but I am not using one here because this is a commercial-grade thermostat and has other features that I want. (I won't rant about how it's supposed to have dual fuel functionality, but the manual apparently has a misprint in its parameter tables...)
There are some slight complications to the logic, as the thermostat doesn't always follow the progression shown above. If the outside temperature is too cold, Y1 will never operate (furnace defaults to gas only). If the outside temperature is too warm, W1 and/or W2 will never operate (furnace defaults to heat pump only). The only rule is that W2 always follows W1; it's never operated on its own. So, the issue becomes turning off Y1 when W1 is present.
As for redundancy vs. failsafe, I would say that I probably need fail-safing before redundancy. If I used the single relay approach from Figure 1 in my first post, and the relay failed closed, then both Y1 (B) and W1 (A) would be enabled at the same time and the furnace would probably burn up. I figured that by adding a second relay (redundancy), I'd have a statistical advantage in terms of failure. Of course, there'd be no way to know that there was a problem unless both relays failed closed, causing the same catastrophic failure, and that's not exactly failsafe... just odds.
EDIT: I forgot to mention why the make/break sequencing isn't important here. The controller inside the furnace has built-in delays after it receives a heating or cooling call from the thermostat. This is usually on the order of a few seconds, and there are other prerequisites that need to happen before the furnace reaches steady-state operation (draft inducer motor, gas valve, ignitor, etc.). Having a few milliseconds of overlap between state changes isn't an issue.
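As an added illustration (this is not code from the post, and the relay wiring it assumes is a guess rather than the schematic in Figure 1), the Python model below captures the interlock rule "Y1 is dropped whenever W1 is present" and then enumerates relay fault modes for a one-relay and a two-relay (contacts in series) version. The assumed wiring is a relay coil driven by W1 with a normally-closed contact in series with the Y1 line. Each fault combination is classified as nominal, latent fault (relay broken but behaviour still correct, so nobody notices), heat pump lost (fails safe), or hazard (Y1 and W1 both reach the furnace). The demand patterns are constructed from the staging sequence and the too-cold / too-warm cases described in the post.

```python
from itertools import product

# Constructed thermostat demand patterns (Y1 = heat pump, W1 = low-fire gas, W2 = high-fire gas):
# the three timed stages from the post plus the outdoor-temperature special cases.
DEMANDS = [
    {"Y1": True,  "W1": False, "W2": False},  # stage 1: heat pump only
    {"Y1": True,  "W1": True,  "W2": False},  # stage 2: thermostat adds low-fire gas
    {"Y1": True,  "W1": True,  "W2": True},   # stage 3: thermostat adds high-fire gas
    {"Y1": False, "W1": True,  "W2": False},  # too cold outside: gas only, low fire
    {"Y1": False, "W1": True,  "W2": True},   # too cold outside: gas only, high fire
]

RELAY_STATES = ("ok", "stuck_closed", "stuck_open")


def valid_demand(demand):
    """The one rule the post states about the thermostat: W2 never appears without W1."""
    return (not demand["W2"]) or demand["W1"]


def intended(demand):
    """What the furnace should see: Y1 is suppressed whenever W1 is present."""
    return {"Y1": demand["Y1"] and not demand["W1"], "W1": demand["W1"], "W2": demand["W2"]}


def contact_closed(state, w1):
    """Assumed wiring (hypothetical, not the post's Figure 1): the relay coil is driven by W1 and a
    normally-closed contact sits in series with the Y1 line, so an energized coil opens Y1."""
    if state == "stuck_closed":   # welded contact: Y1 passes no matter what W1 does
        return True
    if state == "stuck_open":     # burnt contact or open coil: Y1 never passes
        return False
    return not w1                 # healthy relay: NC contact opens when W1 energizes the coil


def furnace_inputs(demand, relay_states):
    """Relay contacts in series: Y1 reaches the furnace only if every contact is closed."""
    y1_path = all(contact_closed(s, demand["W1"]) for s in relay_states)
    return {"Y1": demand["Y1"] and y1_path, "W1": demand["W1"], "W2": demand["W2"]}


def is_hazard(inputs):
    """Heat pump and gas running together is the coil-damaging condition."""
    return inputs["Y1"] and inputs["W1"]


def classify(relay_states):
    """Worst outcome across all demand patterns for one combination of relay health states."""
    worst = "nominal"
    for demand in DEMANDS:
        got = furnace_inputs(demand, relay_states)
        if is_hazard(got):
            return "hazard"            # Y1 and W1 both enabled: the catastrophic case
        if got != intended(demand):
            worst = "heat pump lost"   # fails safe: less heat, but no damage
    if worst == "nominal" and any(s != "ok" for s in relay_states):
        return "latent fault"          # a relay is broken but the system still behaves correctly
    return worst


def fault_table(n_relays):
    """Every combination of relay health states for n series relays, with its classification."""
    return {states: classify(states) for states in product(RELAY_STATES, repeat=n_relays)}


def summarize(n_relays):
    """Count how many fault combinations land in each outcome bucket."""
    counts = {"nominal": 0, "latent fault": 0, "heat pump lost": 0, "hazard": 0}
    for outcome in fault_table(n_relays).values():
        counts[outcome] += 1
    return counts


if __name__ == "__main__":
    for n in (1, 2):
        print(f"{n} relay(s): {summarize(n)}")
        for states, outcome in fault_table(n).items():
            print("   ", states, "->", outcome)
```

Running it shows the trade-off the post describes: the single relay has exactly one hazardous fault (stuck closed), while the two-relay version needs both contacts to weld before Y1 leaks through, but it also gains two latent-fault combinations in which one welded relay is invisible until the second one fails the same way.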