If we knew at design time how to specify all the exceptional situations, and if we could specify the system behavior at all the exceptional situations, then we not need to enable the operator's control. The system behavior could be entirely automated, even for solving exceptional problems. The problem is that at the specification phase we still do not know important details about the operational procedures appropriate for the exceptional situations. Therefore, to be on the safe side, we have no choice other than to enable the operator to override certain automatic procedure, especially in emergency.
Updated on 20 Dec 2016.