This is really interesting talk, but I find the second Tstat to be somewhat useless especially if it is of less quality then the primary one ? You talk that if that one fails it will fail in on, how can you be sure it as failed or not ? If it fails on "on" then if for some really bad luck the primary Tstat also fails you will still get the same problem ? Would it not be simpler to make sure the Tstat goes off if it does break ?