5e2ebe4d96
Two hard rules for the safety controller, matching sewer PS design: 1. BELOW stopLevel (dry-run): pumps CANNOT start. All downstream equipment shut down. safetyControllerActive=true blocks _controlLogic so level control can't restart pumps. Only manual override or emergency can change this. 2. ABOVE overflow level (overfill): pumps CANNOT stop. Only UPSTREAM equipment is shut down (stop more water coming in). Machine groups (downstream pumps) are NOT shut down — they must keep draining. safetyControllerActive is NOT set, so _controlLogic continues commanding pumps at the demand dictated by the level curve (which is >100% near overflow = all pumps at maximum). Only manual override or emergency stop can shut pumps during an overfill event. Previously the overfill branch called turnOffAllMachines() on machine groups AND set safetyControllerActive=true, which shut down the pumps and blocked level control from restarting them — exactly backwards for a sewer pumping station where the sewage keeps coming. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>