@gsuberland @azonenberg I think "telerupters" (bistable/latched switches) would allow this kind of failure mode. You just need pulses to toggle the lights, so both the automatic and the manual switches could be wired in parallel. The automatic circuit could have a sense line to detect the actual light state.
@f4grx @gsuberland This puts smarts in the module at the load that can still fail. It's a local per load failure but still a consideration
@azonenberg @f4grx the important thing in my view is that the physical switch continues to work entirely as normal in any failure mode, short of any type of failure that would also kill a regular boring light switch. which is why I'd be so dead set on the double throw latching relay approach. even if the smart control board inside blows up or the relay contacts fuse in place, it just goes back to being a regular boring switch.