Control design

Primary mode selector

  The risk exemplified in this accident is that the operator's mental mode does not match the machine's state.

  The guide recommends that the design include a scenario control, with a mode selector enabling the operator to declare and set the primary operational modes.

Guideline: Guidelines for mode setting

Mistake detection

  A secondary potential risk with the scenario control is that operators might forget to use the mode selector when required. In the context of this accident, the pilot might forget to resume normal cruising at the end of the flyover.

  Special rules may be specified to detect that the operation is in a hazardous state. At run time, the situation control may check compliance with each rule and generate a warning when the scenario does not match the situation, with a recommendation to change the mode back to normal cruising.

Guideline: Guidelines for hazard detection
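
The following sketch is an added example, not code from the guide. It shows a mode selector together with a run-time rule check that warns when the declared mode no longer fits the sensed situation. The class names, the `Situation` fields, the two rules and the 120-second limit are all hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List


class Mode(Enum):
    NORMAL_CRUISING = "normal cruising"
    FLYOVER = "flyover"


@dataclass(frozen=True)
class Situation:
    """Constructed snapshot of the sensed situation (fields are assumptions)."""
    inside_flyover_zone: bool
    seconds_in_mode: float


@dataclass(frozen=True)
class HazardRule:
    """Applies while `mode` is declared; `violated` is True when the situation no longer fits."""
    mode: Mode
    reason: str
    violated: Callable[[Situation], bool]


# Hypothetical rules; the 120 s limit is an illustrative value, not from the guide.
RULES = [
    HazardRule(Mode.FLYOVER, "aircraft has left the flyover zone",
               lambda s: not s.inside_flyover_zone),
    HazardRule(Mode.FLYOVER, "flyover mode held longer than 120 s",
               lambda s: s.seconds_in_mode > 120),
]


class ScenarioControl:
    def __init__(self) -> None:
        self.mode = Mode.NORMAL_CRUISING

    def select_mode(self, mode: Mode) -> None:
        """Mode selector: the operator declares the primary operational mode."""
        self.mode = mode

    def check(self, situation: Situation) -> List[str]:
        """Run-time compliance check: one warning per rule the situation violates."""
        return [
            f"WARNING: {r.reason} while mode is '{self.mode.value}'; "
            f"recommend changing mode back to '{Mode.NORMAL_CRUISING.value}'"
            for r in RULES
            if r.mode is self.mode and r.violated(situation)
        ]
```

Rules are keyed to the declared mode, so the same sensed situation produces no warning in normal cruising but does produce one if the operator forgot to leave flyover mode.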


Updated on 17 May 2016.