MIT Prof. Nancy Leveson claims 40 years of experience with systems and from this perspective disagrees with Safety-II point by point for 100 pages.
I (Ralf) have been reading your (Ward's) “How Thermostats Work” page and your disappointment with Leveson’s example. I think there’s something interesting hiding right at the point where you part ways with her.
At one level, Leveson’s thermostat is a classic first-order cybernetics device: you draw a box around “the controller,” another box around “the process” (the heated space), and then sketch a negative feedback loop: setpoint in, sensor signal back, controller turns heat on when error is positive and off when it isn’t. From that modelling stance, the thermostat is a simple regulator and your furnace sees exactly that: a contact that closes when the room is “too cold” and opens when it’s “warm enough,” with some hysteresis hidden inside.
Your bimetal + anticipator story opens that controller box and shows that, physically, it’s a little analog relaxation oscillator: ambient temperature modulates the duty cycle of an on/off pulse train, and the anticipator coil is a fast inner loop wrapped around a slower whole-house loop. That’s all true, and it’s a lovely example of how much dynamics gets hidden inside the icon “thermostat.”
Where it gets cybernetically interesting is if we now move to a second-order description. Instead of saying “the thermostat controls the room,” we ask: who chose the setpoint? Who sized the anticipator and picked the cycle time? Who decided that this oscillatory, duty-cycle scheme was “good enough comfort” for this house, this climate, this furnace? Suddenly the thermostat is no longer a little homunculus that controls the room temperature; it’s a node in a larger network of circular dependencies that includes the homeowner, the heating engineer, the fuel supplier, the house insulation, even the weather. From a first-order point of view, the thermostat is The Controller and the room is The Controlled.
From a second-order point of view, the thermostat behaves as it does because it is itself being controlled—by whoever designed and adjusted it, and by the ongoing interaction with the environment. That’s the step I was hinting at earlier when I said some people still claim the thermostat can control something without itself being controlled.
Seen that way, Leveson’s simple block diagram isn’t so much “wrong” as it is a first-order sketch. Your detailed model is the perfect hinge to show the next step: the moment we recognise the inner oscillation and the anticipator, we’re already halfway to noticing that our choice of model, of time scale, of boundary, also shapes what we call “control.” That’s exactly the kind of move second-order cybernetics keeps insisting on: include the modeller, include the designer, include the person twiddling the “shorter/longer cycle” lever.
So instead of concluding “she doesn’t understand thermostats,” I’d be tempted to say: her thermostat is the usual first-order picture, and your bimetal thermostat is a nice invitation to ask the second-order question: who and what is controlling the controller?