Manual override & offline fallback — when Wi-Fi/cloud is down or the EV is absent
Design the changeover so that the de-energised state is grid. If the smart relay's cloud is down, the Wi-Fi drops, the relay itself fails, or the mains supplying its coil circuit is lost, the contactor pair falls back to the grid contactor on its own — no command, no cloud, no internet needed. The schedule is only a convenience; the fail-safe is hardware. The contactor interlock is a mechanical one-source-at-a-time guarantee that does not depend on software at all. When the EV is away or its state of charge is too low to be useful, you simply leave it on grid, or use a manual changeover/isolator to select grid by hand. None of this removes the need for design and proof by test by a competent person.
In short
- Wire the changeover so grid is the de-energised default: COM–NC selects the grid contactor (KM1) whenever the relay is unpowered, off, or failed.
- On Wi-Fi loss, cloud outage, relay failure or coil-supply loss, the system falls back to grid on its own — it needs no internet to stay safe.
- The contactor interlock is mechanical, not cloud-dependent: it is the hard guarantee that grid and V2L are never bridged, even if the software misbehaves.
- When the EV is absent or its state of charge is low, stay on grid — manually if needed, via a changeover/isolator with a defined OFF/grid position.
- The schedule is a convenience; the fail-safe is hardware. Designed and proven by test by a competent person; the vehicle manufacturer does not sanction back-feeding fixed wiring from a V2L outlet.
Where this stops: This explains the resilience design — fail-safe defaults, a manual changeover and the hardware interlock. It is not a wiring recipe; the design, installation and testing are for a competent person.
Some details below depend on sources still being verified against the published standard, so we mark them Not confirmed rather than guess:
- BS EN IEC 60947-6-1:2026 UK adoption: IEC 60947-6-1:2026 exists, but no UK BSI adoption page was located. Cite BS EN IEC 60947-6-1:2023 until BSI changes.
- Whether a low-state-of-charge V2L source can still hold up the essential load safely is vehicle- and adapter-specific — confirm the available output and behaviour on the bench, not from a battery percentage alone. (safety-critical — not treated as settled until verified)
- What (if anything) BS 7671 Amendment 4:2026 changed for §722 / V2X / V2H / V2L / PME / open-PEN is Not confirmed against the published standard. (safety-critical — not treated as settled until verified)
Answer first — fail safe to grid
A scheduled V2L changeover lives in the real world, where Wi-Fi drops, a cloud service goes offline, a relay dies and the car drives away with the family in it. The design rule is simple: the safe state is grid, and the safe state must be the state the hardware falls into when nothing is working. You achieve that by wiring the changeover so the de-energised default is the grid contactor — and by relying on a mechanical interlock, not a software one, to guarantee the two sources are never bridged.
The schedule is a convenience; the fail-safe is hardware
Treat the smart relay and its schedule as a labour-saving convenience that selects V2L when conditions are right. Every safety-critical guarantee — fall-back to grid, one-source-at-a-time, break-before-make — must be carried by the hardware, so that losing the convenience never loses the safety.
How the fail-safe default works
In the correct design the smart relay is a single-pole changeover (SPDT) dry contact that only *commands* the contactor coils; the contactors carry the load. Wire the relay's normally-closed (NC) path to the grid contactor coil (KM1) and the normally-open (NO) path to the V2L contactor coil (KM2). When the relay is unpowered, switched off, crashed, or has lost its Wi-Fi and cloud, its contact rests on NC — so KM1 (grid) is selected by default. The relay has to be actively powered and actively commanded to select V2L; it can never *fail into* V2L.
What the diagram shows: A SONOFF MINI-D relay in maintained mode has one changeover (SPDT) contact: COM, NC and NO. Grid line (L) feeds COM. The NC (normally-closed) output drives the KM1 coil — the grid contactor — so on power loss the load falls back to grid (fail-safe). The NO (normally-open) output drives the KM2 coil — the V2L contactor. Both coil returns go to grid neutral (N). KM1 and KM2 are mechanically interlocked so they can never close together. A schedule (e.g. 05:30 to V2L, 23:30 back to grid) drives the relay. The relay carries only the small coil current; the contactors carry the load. Legend (stated in words, not colour alone): L = line/live conductor; N = neutral; E/CPC = earth / circuit protective conductor.
- Wi-Fi or cloud down — the relay loses its schedule, its contact falls to NC, the changeover rests on grid. The board keeps running on the mains.
- Relay itself fails — a failed or seized contact that opens drops the V2L coil, and the de-energised default is grid; the interlock still prevents any bridging.
- Coil-supply / control power lost — if the mains feeding the relay and the contactor coils is lost, both contactors drop out; when the mains returns, the changeover comes back on grid, not V2L.
- EV absent or unplugged — there is no V2L source to select; the system stays on grid and the load is unaffected.
This is the documented control arrangement in the V2L technical reference: COM via a 3 A fuse, NC → KM1 (grid) coil as the de-energised default / fail-safe, NO → KM2 (V2L) coil. It is standard fail-safe relay practice — the safe state is the de-energised state.
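The fail-safe wiring and the interlock described above can be checked as a small state model. This is an added example, not code from the page or from any product. The function names, the `both_live` relay fault and the tie-break when both coils energise from open are assumptions of the model. Wi-Fi or cloud loss is represented as the V2L command going false, as the page states.

```python
from itertools import product

GRID, V2L, OPEN = (True, False), (False, True), (False, False)  # (KM1 closed, KM2 closed)

def coils(coil_supply, relay_powered, v2l_cmd, both_live=False):
    """Coil voltages (KM1, KM2) for the page's wiring: NC -> KM1, NO -> KM2."""
    if not coil_supply:                 # mains lost at COM: neither coil can energise
        return (False, False)
    if both_live:                       # hypothetical relay fault: NC and NO both live
        return (True, True)
    on_no = relay_powered and v2l_cmd   # contact leaves NC only if powered AND commanded
    return (not on_no, on_no)

def step(state, km1_coil, km2_coil):
    """One mechanical step; the interlock lets a contactor pull in only if the other is open."""
    km1, km2 = state
    new_km1 = km1_coil and not km2
    new_km2 = km2_coil and not km1 and not new_km1  # tie from OPEN goes to KM1 (model choice)
    return (new_km1, new_km2)

def settle(state, km1_coil, km2_coil):
    """Apply steps until nothing moves; return every state passed through."""
    trace = [state]
    while (nxt := step(trace[-1], km1_coil, km2_coil)) != trace[-1]:
        trace.append(nxt)
    return trace

def verify():
    """Exhaustively test every start state against every input and fault combination."""
    failures = []
    for start in (GRID, V2L, OPEN):
        for supply, powered, cmd, both_live in product([False, True], repeat=4):
            case = (start, supply, powered, cmd, both_live)
            trace = settle(start, *coils(supply, powered, cmd, both_live))
            if (True, True) in trace:
                failures.append(("sources bridged",) + case)
            no_v2l_select = supply and not both_live and not (powered and cmd)
            if no_v2l_select and trace[-1] != GRID:
                failures.append(("did not rest on grid",) + case)
            if not supply and trace[-1] != OPEN:
                failures.append(("held in without coil supply",) + case)
    return failures

if __name__ == "__main__":
    print("grid -> V2L:", settle(GRID, *coils(True, True, True)))        # passes through OPEN
    print("relay dies on V2L:", settle(V2L, *coils(True, False, True)))  # falls back to GRID
    print("violations:", verify())
```

The model only shows that the logic is consistent; the page's proof-by-test steps on the real hardware still apply.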
The interlock is mechanical — it does not need the cloud
The single most important guarantee here — that the grid and the vehicle are never connected together, even for an instant — is made by a mechanical interlock between the two contactors, not by software. An EV inverter cannot parallel the grid, so bridging the two sources must be physically impossible, not merely 'prevented by the app'. A mechanical interlock holds even if the relay misbehaves, the firmware is buggy, or a command arrives at the wrong moment. This is what lets you treat the schedule as a mere convenience.
The product standard behind a contactor-built changeover (KM1 grid, KM2 V2L, interlocked). A load-shifting scheme may cycle the changeover daily, so electrical/mechanical endurance — and a reliable interlock — matter.
Reference only — verify against the current edition; standard text is not reproduced. BSI Knowledge confirms BS EN IEC 60947-4-1:2025, UK published 30 Sep 2025.
Do not depend on the cloud for safety
A cloud account can be suspended, an app can be retired, a server can go down and a firmware update can change behaviour overnight. None of those events may be allowed to create a hazard. If losing internet access changes anything other than 'V2L no longer engages on schedule', the design is wrong.
Manual override — when the EV is away or its charge is low
Automation answers 'select V2L on schedule'. It does not answer 'the car is at work', 'the battery is nearly flat', or 'I want the grid back right now'. For those, you need a manual way to select grid — by simply staying on the fail-safe default, or by a hand-operated changeover or isolator with a defined OFF/grid position. Because the de-energised state is already grid, the simplest manual override is to disable the V2L command (or remove the relay's enable) and let the hardware rest on grid.
Manual changeover switches and switch-disconnectors with an OFF/centre position give a hand-operated grid/OFF/V2L selector and the lockable isolation relied on when the EV is absent or being worked on.
Reference only — verify against the current edition; standard text is not reproduced.
- EV absent — no V2L source is present, so there is nothing to select; the board runs on grid by default. Make this the routine state, not an exception.
- State of charge too low — running the essential board from the car drains the traction battery you need to drive. Stay on grid; do not let a schedule pull from a car that cannot spare the energy.
- Manual 'grid now' — a hand-operated changeover or isolator (with a clear OFF/grid position) lets a competent person force grid and lock off V2L for maintenance or fault-finding.
- Cannot use V2L while charging — the V2L output is unavailable when the car is charging, so a scheme that charges overnight must be back on grid before the charge window.
Engineering judgement, not a single cited figure: a V2L draw competes with the vehicle's primary purpose (driving). How low is 'too low', and whether the V2L output is still usable at low charge, is vehicle- and adapter-specific and must be bench-confirmed, not read off a battery percentage.
The non-obvious traps
- A relay that fails 'closed' on V2L is a design fault — choose the NC=grid wiring so the *only* unpowered resting state is grid, and prove it by removing the coil supply.
- A software interlock is not an interlock — if the only thing stopping grid and V2L bridging is the app's logic, a glitch can bridge them. The interlock must be mechanical.
- A floating V2L output passes a socket tester but gives no RCD protection until its neutral-earth bond exists — that bond must be in circuit only on V2L, so the fallback to grid must also remove it cleanly.
- 'Cloud handles it' is not a fail-safe — design for the day the account, app or server is gone; the hardware must already be safe without them.
- Auto-revert is not the same as fail-safe scheduling — a cheap voltage-sensing ATS reverts on source loss but cannot be commanded on a schedule; do not rely on its logic to provide your override.
How this is made and proven compliant
- BS 7671 Chapter 53 (§537 isolation and switching; §536 coordination) for the manual changeover and the means of isolation
- BS 7671 §551 (switched-alternative / island-mode source provisions) — the changeover must not parallel grid and vehicle
- Switchgear product standards: BS EN IEC 60947-3 (isolators / changeover switches), 60947-4-1 (contactors) and 60947-6-1 (transfer switching equipment) — see the changeover deep-dive
Design, installation, inspection and testing by a competent person. Adding an inlet circuit, a changeover/transfer switch or a consumer-unit alteration is normally notifiable under Part P (England; Wales/Scotland/NI differ).
- Prove the fail-safe by test: remove the relay's coil supply (and simulate Wi-Fi/cloud loss) and confirm the changeover rests on the grid contactor (KM1)
- Prove the mechanical interlock by hand — grid and V2L contactors cannot both close
- Confirm break-before-make (open-transition) operation — the supply is interrupted during transfer, never bridged
- Confirm RCD operation by test in both grid and V2L modes; confirm the V2L neutral-earth bond exists only on V2L
Confidence: Inference rolled up across the clauses cited above (the strictest state wins).
Frequently asked questions
If my Wi-Fi or the relay's cloud goes down, does my power go off?
No — if the changeover is wired correctly, the de-energised default is grid. Losing Wi-Fi or the cloud only means V2L stops engaging on schedule; the smart relay's contact falls to its normally-closed position, which selects the grid contactor, and the essential board keeps running on the mains. The schedule is a convenience; the fail-safe is hardware.
What happens if the smart relay itself fails?
The design makes grid the only unpowered resting state, so a relay that loses power or whose contact opens drops the V2L contactor and the changeover rests on grid (KM1). Separately, a mechanical interlock prevents the grid and V2L contactors both closing, so even a misbehaving relay cannot bridge the two sources. Both behaviours must be proven by test by a competent person.
Can I switch to grid by hand if the car is away or nearly flat?
Yes. Because the safe default is already grid, the simplest manual override is to disable the V2L command and let the hardware rest on grid. A hand-operated changeover or isolator with a clear OFF/grid position (to BS EN IEC 60947-3) lets a competent person force grid and lock off V2L. Don't run the essential load off a car whose state of charge you need for driving — and you can't use V2L while the car is charging.
Is the interlock done in software or in hardware?
In hardware. The one-source-at-a-time guarantee is a mechanical interlock between the two contactors — it must be physically impossible to close both, not merely prevented by an app. An EV inverter cannot parallel the grid, so this guarantee cannot be left to software that might glitch or update.
Why not just trust the automatic transfer switch to handle outages?
A cheap voltage-sensing ATS senses source *loss* and auto-reverts — useful for backup, but it has no control input and cannot be commanded on a schedule, and it offers no manual 'grid now' override of the kind this page describes. Scheduled switching needs a timed relay driving an interlocked contactor changeover with a hardware fail-safe, not ATS auto-logic.
- Last reviewed: 15 June 2026
- Written against: BS 7671:2018 + A4:2026
- Reviewed by: Martin (qualified UK electrician)
- Next review due: 14 December 2026
General information, not project-specific design advice. Standards are cited by reference only and never reproduced.
References & sources (4)
- BS 7671:2018+A4:2026 — Requirements for Electrical Installations (IET/BSI) — cited by clause only; standard text not reproduced
- BS EN IEC 60947 series — LV switchgear & controlgear (contactors, isolators, transfer switching) — 60947-3 (isolators/changeover), 60947-4-1 (contactors), 60947-6-1 (TSE); editions cited by reference only
- V2L Workshop technical reference (internal) — control wiring, fail-safe default and interlock facts with confidence flags
- V2L Workshop device research (internal) — manual-override and isolator evidence; prices/models unverified, not a buy recommendation