ESP32 Cold Chain Firmware for Temperature Excursions
Cold-chain monitoring fails in the gaps: a probe drifts 2 C out of cal, the gateway loses LTE in a tunnel, or a defrost cycle trips a false alarm and operators start ignoring the buzzer. We build ESP32 firmware where the temperature record is the product, so every excursion is detected, timestamped, and recoverable for the auditor and the recall investigation.
Challenges specific to Cold Chain
Probe drift goes undetected
A vaccine fridge logs 4 C while the actual product sits at 9 C because the NTC thermistor was never field-calibrated and drifts with age, so the record looks compliant while the load is spoiling.
LTE dropouts lose the record
Reefer trailers cross dead zones and ferries for hours; firmware that only streams live MQTT leaves blind windows, and a missing 90-minute block is the exact window an auditor or insurer will challenge.
Defrost cycles trigger false alarms
Evaporator defrost briefly spikes the cabinet sensor above threshold every six hours, and instant alarms train staff to silence the device, so the one real excursion gets dismissed with the noise.
Excursion clocks reset on reboot
A brownout or watchdog reset wipes the accumulated time-above-threshold counter, so a load that breached limits for 40 cumulative minutes reports as compliant because the duration restarted from zero.
Audit exports are not defensible
Inspectors need a continuous, tamper-evident record with cal certificates and gap accounting; a CSV pulled from a dashboard with silent interpolation will not satisfy HACCP, GDP, or FDA 21 CFR Part 11 review.
How GizanTech solves them
- Two-point field calibration in NVS. We store ice-point and reference-bath offset/slope coefficients per probe in NVS with a cal date and expiry, apply Steinhart-Hart linearization, and flag any probe whose cal has lapsed so a drifting sensor cannot silently pass.
- Store-and-forward ring buffer. Records are written first to a LittleFS/SD ring buffer with monotonic sequence IDs, then drained over MQTT when LTE returns, so a multi-hour dead zone backfills in order with zero lost samples and explicit gap markers.
- Defrost-aware excursion debounce. The alarm engine masks the known defrost window via a state machine and requires threshold breach to persist past a configurable delay (for example 8 C for 15 min) before latching, suppressing evaporator spikes without hiding real warm-ups.
- Persistent time-above-threshold accumulator. The cumulative excursion timer and min/max envelope live in RTC memory and are checkpointed to flash, so a brownout, OTA, or watchdog reset resumes the count instead of resetting it and masking a breach.
- Signed Part 11 export with gap accounting. On demand the device emits a continuous record with HMAC-signed rows, cal certificate IDs, and explicit no-data spans, mapping cleanly onto HACCP/GDP and FDA 21 CFR Part 11 evidence requirements for audits and recalls.
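As an added illustration of the signed, gap-accounted export (this is example code written for this page, not GizanTech firmware), the following auditor-side check verifies per-row HMACs under a per-device key, rejects sequence holes and backwards timestamps, and flags any jump longer than the 60 s interval that is not declared by an explicit no-data row. The row layout, the `GAP` marker convention, the device key and the `CAL-PLACEHOLDER` certificate ID are assumptions.

```python
import hmac, hashlib

# Added example, not GizanTech firmware: row layout, key and GAP convention are assumed.
DEVICE_KEY = b"constructed-per-device-key"  # assumption: a unique key provisioned per unit
INTERVAL_S = 60                             # logging interval stated on the page

def row_mac(key, seq, ts, temp, cal_id):
    # HMAC-SHA256 over a canonical field string; seq binds the row to its position
    msg = f"{seq}|{ts}|{temp}|{cal_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_row(key, seq, ts, temp, cal_id):
    # temp is a float, or the string "GAP" for an explicit no-data span ending at ts
    return {"seq": seq, "ts": ts, "temp": temp, "cal_id": cal_id,
            "mac": row_mac(key, seq, ts, temp, cal_id)}

def verify_export(key, rows):
    """Return a list of findings; an empty list means the record is intact and gap-accounted."""
    findings, prev = [], None
    for r in rows:
        expected = row_mac(key, r["seq"], r["ts"], r["temp"], r["cal_id"])
        if not hmac.compare_digest(expected, r["mac"]):
            findings.append(f"seq {r['seq']}: bad MAC (edited or forged row)")
        if prev is not None:
            if r["seq"] != prev["seq"] + 1:
                findings.append(f"seq {prev['seq']}->{r['seq']}: sequence hole")
            if r["ts"] < prev["ts"]:
                findings.append(f"seq {r['seq']}: timestamp went backwards")
            # a jump longer than one interval must be declared by a GAP row, never interpolated
            elif r["ts"] - prev["ts"] > INTERVAL_S * 1.5 and r["temp"] != "GAP":
                findings.append(f"seq {r['seq']}: silent gap of {r['ts'] - prev['ts']} s")
        prev = r
    return findings

def sample_export(key):
    # Constructed record: three 60 s samples, a 90 min dead zone declared by a
    # GAP row, then logging resumes; cal_id is a placeholder certificate ID.
    t0, cal = 1_700_000_000, "CAL-PLACEHOLDER"
    return [sign_row(key, 1, t0, 4.1, cal),
            sign_row(key, 2, t0 + 60, 4.2, cal),
            sign_row(key, 3, t0 + 120, 4.3, cal),
            sign_row(key, 4, t0 + 5520, "GAP", cal),
            sign_row(key, 5, t0 + 5580, 4.0, cal)]
```

Per-row MACs catch an edited value but not a deleted row on their own; the sequence and interval checks are what turn a deletion or a silently interpolated span into a finding.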
| Requirement | Firmware mechanism | Failure prevented | Audit / reporting tie-in |
|---|---|---|---|
| Probe accuracy +/-0.5 C | Two-point NVS cal (ice + bath), Steinhart-Hart linearization, cal-expiry flag | Drifted thermistor logging false-compliant temps | Cal certificate ID and date stamped on every exported record |
| Logging interval 60 s, gapless | Fixed-tick sampler into LittleFS/SD ring buffer with monotonic sequence IDs | Live-only MQTT losing data across LTE/ferry dead zones | Continuous series with explicit no-data spans, no silent interpolation |
| Excursion threshold 8 C / 15 min delay | State-machine debounce with defrost-window masking before alarm latch | Defrost spikes training staff to ignore the buzzer | Alarm rows carry breach start, peak, and delay reason for review |
| Cumulative breach time survives reset | Time-above-threshold accumulator in RTC memory, checkpointed to flash | Brownout/OTA wiping the counter and hiding a real excursion | Mean-kinetic-temperature and total breach minutes in the audit summary |
| Tamper-evident compliance export | HMAC-signed rows over a per-device key, ordered by sequence ID | Edited or back-filled CSVs failing Part 11 integrity checks | Signature + gap ledger map to HACCP / GDP / 21 CFR Part 11 |
Frequently asked questions
How do you keep data during long LTE dead zones?
Every sample is written to an on-device ring buffer first and only streamed to the cloud when connectivity returns, so hours-long tunnels or ferry crossings backfill in order with no lost records.
Can the firmware tell a defrost cycle from a real warm-up?
Yes. A state machine masks the scheduled defrost window and requires the threshold breach to persist past a configured delay before latching an alarm, so evaporator spikes do not generate false excursions.
Is the temperature record defensible for FDA 21 CFR Part 11?
Exports use HMAC-signed rows with monotonic sequence IDs, calibration certificate IDs, and explicit no-data spans, giving a tamper-evident, gap-accounted record that maps to Part 11, HACCP, and GDP review.
How accurate are the probes and how is that proven?
We field-calibrate each probe with a two-point ice-and-bath procedure stored in NVS and stamp the cal certificate ID and expiry on every exported record, so accuracy is traceable rather than assumed.
What happens to the excursion timer if the device reboots?
The cumulative time-above-threshold counter lives in RTC memory and is checkpointed to flash, so a brownout, OTA, or watchdog reset resumes the count instead of resetting it and masking a breach.
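The defrost-aware debounce and the reset-surviving accumulator described above, modelled as an added example (not the page's firmware) on a one-sample-per-minute tick: the alarm latches only after the 8 C threshold is breached for 15 consecutive unmasked minutes, and a reboot that restores the checkpoint keeps both the pending count and the cumulative time-above-threshold, while one that does not would latch later and under-report the breach. The 20 min every 6 h defrost schedule and the dict standing in for RTC memory/flash are assumptions.

```python
# Added example, not GizanTech firmware: schedule and checkpoint format are assumed.
THRESHOLD_C, DELAY_MIN = 8.0, 15                 # from the page: 8 C for 15 min
DEFROST_PERIOD_MIN, DEFROST_LEN_MIN = 360, 20    # assumption: 20 min defrost every 6 h

def in_defrost(minute):
    # scheduled defrost window, masked by the state machine
    return minute % DEFROST_PERIOD_MIN < DEFROST_LEN_MIN

class ExcursionEngine:
    """NORMAL -> PENDING -> ALARM debounce plus a cumulative time-above-threshold count."""
    def __init__(self, checkpoint=None):
        cp = checkpoint or {}          # dict stands in for the RTC-memory/flash checkpoint
        self.state = cp.get("state", "NORMAL")
        self.pending_min = cp.get("pending_min", 0)
        self.above_min = cp.get("above_min", 0)
        self.peak_c = cp.get("peak_c", None)

    def checkpoint(self):
        return {"state": self.state, "pending_min": self.pending_min,
                "above_min": self.above_min, "peak_c": self.peak_c}

    def tick(self, minute, temp_c):
        """One 60 s sample; returns True only on the tick the alarm latches."""
        if in_defrost(minute):         # evaporator spike inside the mask is not a breach
            return False
        self.peak_c = temp_c if self.peak_c is None else max(self.peak_c, temp_c)
        if temp_c <= THRESHOLD_C:
            self.pending_min = 0
            if self.state == "PENDING":
                self.state = "NORMAL"  # breach ended before the delay, no alarm
            return False
        self.above_min += 1            # every unmasked minute above threshold counts
        if self.state == "ALARM":
            return False               # already latched
        self.state, self.pending_min = "PENDING", self.pending_min + 1
        if self.pending_min < DELAY_MIN:
            return False
        self.state = "ALARM"
        return True

def run(samples, reboot_at=None, restore=True):
    """Feed (minute, temp_c) pairs; at reboot_at rebuild the engine, with or without its checkpoint."""
    eng, latched_at = ExcursionEngine(), None
    for minute, temp in samples:
        if minute == reboot_at:
            eng = ExcursionEngine(eng.checkpoint() if restore else None)
        if eng.tick(minute, temp) and latched_at is None:
            latched_at = minute
    return latched_at, eng.above_min
```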