Abstract. Updating software over the network is important for Wireless Sensor Networks in support of scale, remote deployment, feature upgrades, and fixes. The risk of a fault in the updated code causing system failure is a serious problem. In this paper, we identify a single critical symptom, loss-of-control, that complements exception-based schemes and supports failsafe recovery from faults in software updates. We present a new software update recovery mechanism that uses loss-of-control to provide high-reliability, low-energy software updates, including a comparison of optimised flooding against spanning tree for determining loss-of-control in a multi-path environment. The solution presented supports a trial phase (with lower latency) and an operational phase (with lower energy). The energy/latency tradeoff between these phases is shown, and the high reliability of this update recovery is demonstrated by analysis and simulation. The results presented control the risk in existing WSN software update mechanisms.