Thanks for the inputs and reading suggestions.
We've gone for a simple two switch setup:
One Two-position gated switch, for Dual / single pilot ops, which will effectively switch the monitoring & takeover system off when two pilots are operating.
One guarded momentary switch, for use by the pilot if the system attempts to take over when he's fine. It'll be a simple system 'reset' he can use in case of system glitch. If the fault persists, then he has the option to switch the system off permanently as per dual pilot ops.