Defenses

Fault prevention

The fault triggering this accidence was due to human-machine mismatch.

This fault could have been prevented by defining:

• Explicit scenarios, consisting of a primary mode set and a safety mode set
• Rules about the relationships between the two mode sets
• On-line validation that the effective scenario complies with the rules.

  Guidelines for human-machine cooperation assurance

Alarming

The alarm was not set prior to the accident, because the design did not provide means to detect the exceptional situation

Alarm could have been provided, by extending the scenarios, to include:

• A primary mode set, enabling the operators to explicitly set the safety mode
• Rules for alarming on exceptional situations, namely, when the safety mode does not comply with the primary mode.

  Guidelines for alarm generation

Escalation prevention

This case study does not demonstrate any method for escalation prevention.

Recovery facilitation

If the hazard became obvious in time, recovery could be accomplished by stopping the flyover maneuver early, and activating the throttle in time.

Rescue facilitation

This case study does not demonstrate any method for Rescue facilitation.

Updated on 10 May 2016.