ORGANIZATIONAL MODELING AND ANALYSIS OF SAFETY

OCCURRENCE REPORTING IN AIR TRAFFIC

Alexei Sharpanskykh

Vrije Universiteit Amsterdam, De Boelelaan 1081a, Amsterdam, The Netherlands

Sybert H. Stroeve, Henk A. P. Blom

National Aerospace Laboratory NLR, Amsterdam, The Netherlands

Keywords: Formal organization modeling, analysis, agents, air traffic control, safety.

Abstract: An Air Traffic Organization (ATO) is a complex organization that involves many parties with diverse goals

performing a wide range of tasks. Due to this high complexity, inconsistencies and performance bottlenecks

may occur in ATOs. By analysis, such safety- and performance-related problems of an ATO can be

identified. To perform reliable and profound analysis automated techniques are required. A formal model

specification that comprises both prescriptive aspects of a formal organization and autonomous behavioral

aspects of agents forms the basis for such techniques. This paper describes how such a model specification

is developed and analyzed in the frames of a simulation case of incident reporting in the ATO.

1 INTRODUCTION

In many modern human organizations prescriptive

aspects of a formal organization are combined with

(some degree of) autonomy of organizational actors.

For example, an Air Traffic Organization imposes

numerous prescriptions on its actors, but also

provides them decision-making freedom to deal with

complex contextual conditions in air traffic

operations, e.g., for crews for aircraft taxiing, for

controllers for issuing of instructions.

Due to high complexity, many existing

organizations contain inconsistencies and

performance bottlenecks, which can be identified by

analysis. To perform reliable and profound

automated analysis, a formal specification of an

organization is required that comprises both

prescriptive aspects of the formal organization and

autonomous behavioral aspects of actors. This paper

describes how such a specification can be built for

the case of incident reporting in an ATO. To define

the prescriptive aspects, the general organization

modeling framework from (Sharpanskykh, 2008) is

used. In contrast to many existing enterprise

modeling frameworks (CIMOSA (1993); ARIS

(Scheer & Nuettgens, 2000)) this framework has a

precisely defined formal basis: to express structural

relations sorted predicate logic-based languages are

used, whereas the Temporal Trace Language (TTL)

is used for specifying dynamic aspects of

organizations. In this framework, formal

organizations are considered from three interrelated

perspectives: the performance-oriented, the process-

oriented, and the organization-oriented.

The organizational actors are modeled in this

paper as agents, i.e., autonomous entities able to

make decisions and to interact with the environment.

To specify the characteristics and autonomous

behavior of agents, knowledge from the air traffic

domain is used. A specification of the formal

organization extended with agents forms a basis for

analysis of organizational behavior by simulation. In

this paper a simulation approach is described by

which the path of informal incident reporting in the

ATO is investigated and compared with the one

prescribed by the formal organization.

The paper is organized as follows. Section 2

considers related literature. Section 3 describes the

organization under investigation. The specification

of the formal organization is given is Section 4.

Section 5 describes the characteristics and behavior

of agents used in simulation. Section 6 presents the

simulation results. Section 7 concludes the paper.

225

Sharpanskykh A., H. Stroeve S. and A. P. Blom H. (2008).

ORGANIZATIONAL MODELING AND ANALYSIS OF SAFETY OCCURRENCE REPORTING IN AIR TRAFFIC.

In Proceedings of the Tenth International Conference on Enterprise Information Systems - AIDSS, pages 225-230

DOI: 10.5220/0001692302250230

 SciTePress

2 RELATED LITERATURE

Currently, formal risk assessment approaches (e.g.

Eurocontrol, 2004) are based predominantly on

fault/event trees used for sequential cause-effect

reasoning for accident causation. However, such

trees do not encounter for complex, non-linear

dependencies and dynamics inherent in ATOs.

Agent-based modeling has been proposed as a

means to assess safety risk of complex emergent

dynamics of air traffic operations (Blom and

Stroeve, 2004). This study focuses on the risk of air

traffic operations and uses a plain society of agents,

without considering the organizational layer. Several

approaches (Le Coze, 2005; Reason, 1997) consider

influence of various organizational aspects on safety

at a rather conceptual level, without providing

precise details.

To provide a precise specification for a formal

organization, a number of reference architectures

have been proposed in the area of Enterprise

Information Systems (e.g., CIMOSA, ARIS). Due to

the lack of properly defined formal foundations,

such architectures provide only limited possibilities

for automated analysis of enterprise models.

Partially this is due to the high expressive power of

the specification languages of architectures.

However, also more limited languages dedicated to

automated analysis of particular aspects of

organizations have been developed: process-oriented

modeling techniques (Van der Aalst & Van Hee,

2002), organizational performance evaluation

(Tham, 1999). However, modeling of particular

organizational aspects does not allow defining

interdependencies between different perspectives on

organizations and to investigate a combined

influence of factors from different perspectives on

the organizational behavior.

In (Dalal et al., 2004) an integrated framework

for process and performance modeling is described

that incorporates accounting/business parameters

into a formal process modeling approach based on

Petri-nets. However, key aspects as power relations,

organizational/individual goals, individual behavior

are not considered. Another formal framework for

business process modeling is described in

(Koubarakis & Plexousakis, 2004) focusing on the

formal goal-oriented modeling using situation

calculus. Modeling and analysis of processes and

other organizational concepts are not properly

addressed in this framework.

Since individuals often exert a significant

influence on the organizational dynamics, also

aspects related to human behavior should be

considered in organization modeling approaches.

The extensive theoretical basis on modeling humans

in organizational context developed in social science

(e.g., theory of needs, expectancy theory (Pinder,

1998)) is largely ignored in the existing enterprise

modeling approaches.

3 ORGANIZATION IN FOCUS

In this study reporting of safety occurrences during

taxiing operations near an active runway of an

airport are investigated. Traffic movements on the

runway and surrounding taxiways are under control

of a runway controller and ground controllers,

respectively. In this operational context, safety-

relevant events may occur, e.g. taxiing aircraft

initiates to cross due to misunderstanding in

communication. To support safety management,

such events should be reported by the involved

pilots and controllers. In this case, we consider

reporting that occurs either via formal organizational

lines or via informal coordination. The formal

organization considers safety occurrence reporting at

the air navigation service provider (ANSP) and at

airlines, the informal path considers coordination

between air traffic controllers.

The formal occurrence reporting at the ANSP

starts by the creation of a notification report by the

involved controller(s). This notification report is

examined and possibly improved by the supervisor.

The notification report is processed by the safety

investigation unit (SIU) of the ANSP. The severity

of the occurrence is assessed and a description of the

event is stored in a safety occurrences database. In

the case of single severe occurrences or of a

consistent series of less severe occurrences, the SIU

may initiate an investigation for possible causes.

The organization of the safety occurrences

processing at the airline starts with a notification

report created by the pilots. This notification report

may be provided to the airline’s safety management

unit or it may be directly provided to the regulator (a

governmental organization). The airline’s safety

management unit examines and potentially improves

the report and it informs the regulator about safety

occurrences at the airline. The regulator may decide

on further investigation of safety occurrences by

itself or by a facilitated external party.

The informal safety occurrence reporting path at

the ANSP considers that controllers discuss during

breaks the occurrences that happened in their shifts.

If they identify potential important safety issues they

inform the head of controllers, who is a member of

the operation management team. This team may

decide on further investigation of the issue.

ICEIS 2008 - International Conference on Enterprise Information Systems

226

4 SPECIFICATION OF THE

FORMAL ORGANISATION

To create a specification of the formal organization a

design methodology has been developed that uses

the modeling languages from (Sharpanskykh, 2008)

and identifies the following sequence of design

steps:

Step 1. The identification of the organizational roles.

A role is a set of functionalities of an organization,

abstracted from specific agents who fulfill them.

Each role can be composed by several other roles,

until the necessary level of details is achieved. A

role composed of (interacting) subroles is called a

composite role. Each role has an input and an output

interface, which facilitate in the interaction with

other roles. The environment is a special component

of a model that also has input and output interfaces.

In the ATO, roles are identified at three aggregation

levels (see Figure 1).

Step 2. The specification of the interactions between

the roles. Relations between roles are represented by

interaction and interlevel links. An interaction link is

an information channel between two roles at the

same aggregation level. An interlevel link connects a

composite role with one of its subroles. The

interaction relations for the ATO have been

identified at each level (see Figure 1).

Step 3. The identification of the requirements for the

roles. In this step the requirements on knowledge,

skills and personal traits of the agent implementing a

role at the lowest aggregation level are identified. A

prerequisite for the allocation of an agent to a role is

the existence of a mapping between the capabilities

and traits of the agent and the role requirements.

Step 4. The identification of the organizational

performance indicators and goals. A performance

indicator (PI) is a quantitative or qualitative

indicator that reflects the state/progress of the

company, unit or individual. PIs can be hard (e.g.,

occurrence investigation time) or soft, i.e., not directly

measurable, qualitative (e.g.,

level of collaboration

between controllers

Figure 1: Interaction relations in the ATO (level 1).

Goals are objectives that describe a desired state or

development and are defined as expressions over

PIs. A goal can be refined into subgoals forming a

hierarchy. For example, goal

G18 ‘It is required to

maintain timeliness and a high quality of occurrence

investigation’

is based on two PIs ‘timeliness of

occurrence investigation

’ and ‘quality of occurrence

investigation

’. This goal is refined in several subgoals

among which: G18.2 ‘It is required to maintain a sufficient

level of details of notification reports’, G18.3 ‘It is required to

maintain the timely investigation of an occurrence’

and

G18.4 ‘It is required to maintain a high level of

thoroughness of occurrence investigation’.

To ensure the

satisfaction of

G18, the (sufficient degree of)

satisfaction of its subroles is required. Goals are

related to roles. E.g.,

G18 is attributed to Safety

Investigation Unit

and Regulator roles of the ATO.

Step 5. The specification of the resources. Resource

types are characterized by: name, category: discrete

or continuous, measurement unit, expiration

duration: the time interval during which a resource

type can be used; location; sharing: some processes

may share resources. Examples of resource types of

the ATO are: airport's diagram, aircraft, incident

classification database, clearance to cross a runway,

an incident investigation report.

Step 6. The identification of the tasks and relations

between the tasks, the resources and the goals. A

task represents a function performed in the

organization and is characterized by name, maximal

and minimal duration. Tasks can be decomposed

into more specific ones using AND- and OR-

relations forming hierarchies. Each task performed

in an organization should contribute to the

satisfaction of one or more organizational goals. For

example, the ATO task

T4 ‘Occurrence reporting based

on the data provided by a controller’

is refined into more

specific tasks, among which

T4.1 ‘Create a notification

report’

, T4.4 ‘Investigation of the occurrence based on the

notification report’

. Task T4.4 is related to resources: it

uses a processed notification report and produces an

occurrence investigation report. Furthermore,

T4.1

contributes to the satisfaction of goal G18.2, and T4.4

contributes to goals G18.3 and G18.4.

Step 7. The specification of the authority relations.

The following types of authority relations are

distinguished: superior-subordinate relations on

roles w.r.t to tasks, responsibility relations, control

for resources, authorization relations. Roles may

have different rights and responsibilities with respect

to different aspects of task execution, such as

execution, passive monitoring, consulting, making

technological decisions and making managerial

decisions. E.g.,

Safety Investigator role is responsible

for execution of and making technological decisions

w.r.t. task

T4.4, Head of Safety Investigation Unit is

ORGANIZATIONAL MODELING AND ANALYSIS OF SAFETY OCCURRENCE REPORTING IN AIR TRAFFIC

227

Create a

notification

report

Investigation of

an incident based

on the report

Begin

begin_or(or1)

Report

occurrence?

Yes

Preliminary

processing of a

notification report

begin_or(or2)

Decision

positive?

Making decision

on the occurrence

investigation

Discussion of the

intermediate incident

investigation results

begin_and

(and1)

end_and

(and1)

Reviewing of an

incident

Distribute an incident

investigation report

end_or

(or2)

Yes

end_or

(or1)

End

Figure 2: The flow of control that defines the execution of the formal occurrence reporting path initiated by a controller.

responsible for monitoring, consulting and making

managerial decisions related to T4.4.

Step 8. The specification of the flows of control.

Flows of control describe temporal ordering of

processes of an organization in particular scenarios.

The framework allows representing all commonly

used workflow templates. Figure 2 describes the

execution of the formal occurrence reporting

initiated by a controller.

Step 9. The identification of the generic and domain-

specific constraints. Constraints are imposed on

organizational specifications to ensure their internal

consistency and integrity, and validity with respect

to the domain. An organizational specification is

correct if the corresponding set of constraints is

satisfied by this specification. The framework used

provides means for automated checking of the

correctness of a specification. Consider examples of

the domain-specific constraints of the ATO:

C1: When an aircraft is approaching to a runway, the pilots

should cease all processes not related to the taxiing.

C2: The pilots of a crew should verbally share information

about the instructions of controllers.

C3: Each observed incident should be reported by a crew.

C4: Perform allocation of controllers to aircraft monitoring

processes in such way that the number of processes

executed at the same time by each controller is less than 7.

5 MODELING AGENTS IN THE

INFORMAL REPORTING PATH

The specification of a formal organization forms a

part of an overall organizational specification.

Another part describes characteristics and behavior

of agents and their allocation to roles.

Agents are characterized by sets of skills and

personal traits that influence their behavior and

performance in the organization. The behavior of an

agent is considered as goal-driven. For the case

considered it is assumed that the goals of the agents

are in line with the organizational goals. For the

ATO a number of agent types have been identified,

among which: Controller, Pilot, and Manager. Based

on agent type Controller, 7 instances have been

defined with varying development levels of the

skills. All the agents-controllers possess the

aggregated air traffic control skill (

atc), which allows

them to be assigned either to Runway or Ground

Controllers

roles. The agent ag_controllerG also

possesses the skill

employee management, which

allows allocating this agent to role Tower Controllers

Supervisor

. Based on observations in the air traffic

domain, it is assumed that the development level of

the

atc skill forms the basis for informal power of

controllers: the higher the development level of the

controller’s atc, the more influence s/he has in the

organization. In particular, the level of influence of

an agent-controller plays an important role in the

propagation of information about potential safety

problems to the management level of the ANSP.

In the considered case study, the behavior of

agents is investigated in the context of execution of

the taxiing and incident reporting tasks described in

Section 3. Both the formal and informal incident

reporting paths are modeled, simulated and

compared. The physical environment represented in

the simulation case consists of two sectors of the

airodrome, each of which is controlled by the

corresponding ground controller role. The sectors

adjoin a runway that is in control of the runway

controller role. In the simulation at the beginning of

each day, three agents controllers are chosen

randomly to be allocated to two ground controllers

and the runway controller roles. The traffic flow in

the surroundings of the runway is assumed to be 30

aircraft per hour, 12 hours per day. For each aircraft

a crew role is introduced, to which properly

qualified agents pilots are assigned.

Controllers and crews are able to react to 6 types

of safety-related occurrences that may happen

during the execution of taxiing operations.

Table 1 shows the events and the probability

values assumed in this simulation study.

ICEIS 2008 - International Conference on Enterprise Information Systems

228

Table 1: Safety-relevant events and their probability

values per taxiing operation.

Event Probability

(a) Aircraft rejects take-off as result of a

runway incursion

5e-6

(b) Taxiing aircraft stops progressing on the

runway crossing only after the stopbar and due

to a call by the runway controller

2e-5

progresses towards the runway crossing

1e-4

(d) Taxiing aircraft makes wrong turn and

progresses on a wrong taxiing route

2e-4

(e) Taxiing aircraft has switched to a wrong

frequency

1e-3

(f) Taxiing aircraft initiates to cross due to

misunderstanding in communication

1e-4

Some event types can be observed by the agents

allocated to particular roles only. Moreover, agents

may not always recognize and report observed

events correctly. This is specified by probability

values assigned to corresponding events (for details

see (Sharpanskykh, 2008)).A sufficient number of

observed occurrences of a particular type results into

the initiation of a formal reporting process, more

specifically: 1 event of type (a); 3 of (b), 6 of (c), 55

of (d), 55 of (e), and 6 of (f).

To model the informal occurrence reporting

path, the role Discussion is introduced that contains

subroles Participant 1…N. The agent controller with

the highest influence level in Discussion role has

also a joint allocation to subrole Problem Informant

in Problem Communication role. Thus, this agent

represents Discussion role in the interactions with

Operational Management Team role (OMT).

The provision of relevant and reliable

information about safety-related occurrences to

OMT depends greatly on the informal influence

relations that exist among controllers. More

specifically, the relevant information is propagated if

the controllers involved in the discussion are

sufficiently influential and possess sufficient

knowledge about occurrences. To create a

quantitative model for informal incident reporting,

the motivation model by Vroom (Pinder, 1998) is

used. The motivation model defines the motivational

force of an agent to perform some action as:

∑∑

×=×=

jkjkjj

iji

IV VVE( f F ),

(1)

Here,

is the strength of the expectancy (belief)

that act i will be followed by outcome j; V

is the

valence (i.e., perceived importance) of first-level

outcome

j; V

is the valence of second-level outcome

k that follows first-level outcome j; I

is perceived

instrumentality (belief about the likelihood) of

outcome

j for the attainment of outcome k.

This model is used to represent the motivation of

the agent allocated to a participant role (within

Discussion role) with the highest influence level to

propagate information about a safety-related issue.

The parameters of the motivation are defined as

follows: instrumentalities

I11 and I12 are assigned

high values (

0.9). Both second-level outcomes have

a high level of priority for the controllers (valence

value = 1). Expectancy

E11 is defined as:

CCD

E11(occur_type, CD) ac(occur_type) influence_level(C )

∈

=×

∑

where CD is the set of the controllers involved in the

discussion and ac(occur_type) is defined as:

⎪

⎩

⎪

⎨

⎧

≤

pe)N(occur_ty pe)N(occur_ty ,

pe)N(occur_ty

pe)N(occur_ty pe)N(occur_ty 1,

ype)ac(occur_t

curr

with N(occur_type) the number of occurrences of the

type

occur_type required for the investigation (the

same as for the formal incident reporting) and

N(occur_type)

curr

the number of occurrences of the

type

occur_type observed by the controllers involved

in the discussion so far.

Thus, the motivation force to report about a

possible problem based on the observations of

events of type

occur_type is calculated using (1) as:

F(occur_type, CD) = (1*0.9 + 1*0.9)* E11(occur_type, CD)

F(occur_type, CD) > 1.8 (i.e., agent’s expectancy E11

that the reported issue will be considered in OMT >

, then the problem will be reported to OMT by the

representative of Discussion role. Then, the problem

will be discussed at the nearest OMT meeting and

the occurrence investigation will be initiated.

6 SIMULATION RESULTS

Based on the specification constructed in Sections 4

and 5, 100 stochastic simulations with a simulation

time of maximum 3 years (12 operational hours per

day) each have been performed using the simulation

tool LEADSTO (Bosse et al., 2007). When the

formal or informal safety occurrence reporting has

lead to the identification of a safety problem and a

further investigation thereof, the simulation was

halted. As a result of each simulation trial, a trace is

generated by the LEADSTO. Then, such traces can

be automatically analyzed using the TTL Checker

software (Bosse et al., 2006). In this case study a

number of properties has been checked

automatically on 100 generated traces, two of which

are described in the following. The first property

calculates the number of traces, in which the safety

problem has been found based on the reported

ORGANIZATIONAL MODELING AND ANALYSIS OF SAFETY OCCURRENCE REPORTING IN AIR TRAFFIC

229

occurrences of some type. Another property

calculates the mean time of the problem recognition

on all traces in which the problem of a particular

type has been found. The simulation results for both

formal and informal reporting are shown in Table 2.

Table 2: Results of the simulation experiments.

Percentage of traces, in

which the investigation

began

Mean time of the

problem recognition

(days)

Event

Formal Informal Formal Informal

a 22% 21% 155.1 134.9

b 5% 15% 168.1 123.9

c 28% 50% 194.6 149.6

d 0% 0% - -

e 0% 3% - 278.9

f 45% 11% 185.9 184.7

total 100% 100% 180.8 150.4

Table 2 shows that for both the formal and

informal handling of safety occurrences in all

simulation traces a safety investigation is initiated,

however, the mean time until start of the

investigation is 181 days in the formal case, whereas

it is 150 days in the informal case. Considering the

simulation results for the particular events, the mean

time of recognition is smaller for all event types in

the informal reporting path.

A main reason underlying the difference in the

time until recognition of the safety problem is that

situations like event b and event c are often

recognized by both ground and runway controllers

and thus feed common situation awareness on

safety-critical aspects in informal discussions

between controllers, whereas such events are just

single occurrence reports in the formal incident

reporting case. It remains to be validated whether

this model predicted behavior concurs with practice.

7 CONCLUSIONS

This paper describes an automated formal approach

for modeling and analysis of organizations and its

application in the air traffic management domain.

On the one hand, the approach allows specifying

prescriptive aspects of a formal organization using

the framework from (Sharpanskykh, 2008). On the

other hand, it provides possibilities to specify

stochastic behavior of organizational actors and the

environment. By performing simulation, different

scenarios of organizational behavior can be analyzed

using the automated software.

An example of such analysis, in which the

formal and informal occurrence reporting paths of

the ATO are investigated, is provided in this paper.

The analysis results show that the informal safety-

occurrence reporting path results in faster

identification of safety-related problems than the

formal reporting path. Next research steps will focus

on assessing the model validity and on evaluating

whether this important feedback on safety

occurrence reporting processes is recognized in

actual air traffic organizations and may be a basis for

organizational change.

REFERENCES

Blom, H.A.P., Stroeve, S.H., 2004. Multi-agent situation

awareness error evolution in air traffic. Proc. 7th

Conference on Probabilistic Safety Assessment &

Management, Berlin, Germany

Bosse, T., Jonker, C.M., Meij, L. van der, Treur, J., 2007.

A Language and Environment for Analysis of

Dynamics by Simulation. International Journal of

Arificial Intelligence Tools, 16: 435-464.

Bosse, T., Jonker, C.M., Meij, L. van der, Sharpanskykh,

A., Treur, J., 2006. Specification and Verification of

Dynamics in Cognitive Agent Models. In Proceedings

of the 6

Int. Conf. on Intelligent Agent Technology,

IAT'06. IEEE Computer Society Press, 247-255.

CIMOSA – Open System Architecture for CIM, 1993.

ESPRIT Consortium AMICE, Springer-Verlag, Berlin.

Dalal, N., Kamath, M., Kolarik, W., Sivaraman, E., 2004.

Toward an integrated framework for modeling

enterprise processes, Communications of the ACM,

47(3), 83-87.

Eurocontrol: Air navigation system safety assessment

methodology, 2004. SAF.ET1.ST03.1000-MAN-01,

edition 2.0.

Koubarakis, M., Plexousakis, D., 2002. A formal

framework for business process modeling and design.

Information Systems, 27(5), 299–319.

Le Coze, J, 2005. Are organizations too complex to be

integrated in technical risk assessment and current

safety auditing? Safety Science, 43:613-638.

Pinder, C. C., 1998. Work motivation in organizational

behavior. Upper Saddle River, NJ: Prentice-Hall.

Reason J., 1997 Managing the risk of organizational

accidents. Ashgate, Aldershot, England

Scheer, A-W., Nuettgens, M., 2000. ARIS Architecture

and Reference Models for Business Process

Management. LNCS 1806, Springer, 366-389.

Sharpanskykh, A., 2008. On Computer-Aided Methods for

Modeling and Analysis of Organizations. PhD

Dissertation. Vrije Universiteit Amsterdam.

Tham, K.D., 1999. Representation and Reasoning About

Costs Using Enterprise Models and ABC, PhD

Dissertation, University of Toronto.

Van der Aalst, W.M.P., Van Hee, K.M., 2002. Workflow

Management: Models, Methods, and Systems, MIT

press, Cambridge, MA.

ICEIS 2008 - International Conference on Enterprise Information Systems

230