Alexei Sharpanskykh
Vrije Universiteit Amsterdam, De Boelelaan 1081a, Amsterdam, The Netherlands
Sybert H. Stroeve, Henk A. P. Blom
National Aerospace Laboratory NLR, Amsterdam, The Netherlands
Keywords: Formal organization modeling, analysis, agents, air traffic control, safety.
Abstract: An Air Traffic Organization (ATO) is a complex organization that involves many parties with diverse goals
performing a wide range of tasks. Due to this high complexity, inconsistencies and performance bottlenecks
may occur in ATOs. By analysis, such safety- and performance-related problems of an ATO can be
identified. To perform reliable and profound analysis automated techniques are required. A formal model
specification that comprises both prescriptive aspects of a formal organization and autonomous behavioral
aspects of agents forms the basis for such techniques. This paper describes how such a model specification
is developed and analyzed in the frames of a simulation case of incident reporting in the ATO.
In many modern human organizations prescriptive
aspects of a formal organization are combined with
(some degree of) autonomy of organizational actors.
For example, an Air Traffic Organization imposes
numerous prescriptions on its actors, but also
provides them decision-making freedom to deal with
complex contextual conditions in air traffic
operations, e.g., for crews for aircraft taxiing, for
controllers for issuing of instructions.
Due to high complexity, many existing
organizations contain inconsistencies and
performance bottlenecks, which can be identified by
analysis. To perform reliable and profound
automated analysis, a formal specification of an
organization is required that comprises both
prescriptive aspects of the formal organization and
autonomous behavioral aspects of actors. This paper
describes how such a specification can be built for
the case of incident reporting in an ATO. To define
the prescriptive aspects, the general organization
modeling framework from (Sharpanskykh, 2008) is
used. In contrast to many existing enterprise
modeling frameworks (CIMOSA (1993); ARIS
(Scheer & Nuettgens, 2000)) this framework has a
precisely defined formal basis: to express structural
relations sorted predicate logic-based languages are
used, whereas the Temporal Trace Language (TTL)
is used for specifying dynamic aspects of
organizations. In this framework, formal
organizations are considered from three interrelated
perspectives: the performance-oriented, the process-
oriented, and the organization-oriented.
The organizational actors are modeled in this
paper as agents, i.e., autonomous entities able to
make decisions and to interact with the environment.
To specify the characteristics and autonomous
behavior of agents, knowledge from the air traffic
domain is used. A specification of the formal
organization extended with agents forms a basis for
analysis of organizational behavior by simulation. In
this paper a simulation approach is described by
which the path of informal incident reporting in the
ATO is investigated and compared with the one
prescribed by the formal organization.
The paper is organized as follows. Section 2
considers related literature. Section 3 describes the
organization under investigation. The specification
of the formal organization is given is Section 4.
Section 5 describes the characteristics and behavior
of agents used in simulation. Section 6 presents the
simulation results. Section 7 concludes the paper.
Sharpanskykh A., H. Stroeve S. and A. P. Blom H. (2008).
In Proceedings of the Tenth International Conference on Enterprise Information Systems - AIDSS, pages 225-230
DOI: 10.5220/0001692302250230
Currently, formal risk assessment approaches (e.g.
Eurocontrol, 2004) are based predominantly on
fault/event trees used for sequential cause-effect
reasoning for accident causation. However, such
trees do not encounter for complex, non-linear
dependencies and dynamics inherent in ATOs.
Agent-based modeling has been proposed as a
means to assess safety risk of complex emergent
dynamics of air traffic operations (Blom and
Stroeve, 2004). This study focuses on the risk of air
traffic operations and uses a plain society of agents,
without considering the organizational layer. Several
approaches (Le Coze, 2005; Reason, 1997) consider
influence of various organizational aspects on safety
at a rather conceptual level, without providing
precise details.
To provide a precise specification for a formal
organization, a number of reference architectures
have been proposed in the area of Enterprise
Information Systems (e.g., CIMOSA, ARIS). Due to
the lack of properly defined formal foundations,
such architectures provide only limited possibilities
for automated analysis of enterprise models.
Partially this is due to the high expressive power of
the specification languages of architectures.
However, also more limited languages dedicated to
automated analysis of particular aspects of
organizations have been developed: process-oriented
modeling techniques (Van der Aalst & Van Hee,
2002), organizational performance evaluation
(Tham, 1999). However, modeling of particular
organizational aspects does not allow defining
interdependencies between different perspectives on
organizations and to investigate a combined
influence of factors from different perspectives on
the organizational behavior.
In (Dalal et al., 2004) an integrated framework
for process and performance modeling is described
that incorporates accounting/business parameters
into a formal process modeling approach based on
Petri-nets. However, key aspects as power relations,
organizational/individual goals, individual behavior
are not considered. Another formal framework for
business process modeling is described in
(Koubarakis & Plexousakis, 2004) focusing on the
formal goal-oriented modeling using situation
calculus. Modeling and analysis of processes and
other organizational concepts are not properly
addressed in this framework.
Since individuals often exert a significant
influence on the organizational dynamics, also
aspects related to human behavior should be
considered in organization modeling approaches.
The extensive theoretical basis on modeling humans
in organizational context developed in social science
(e.g., theory of needs, expectancy theory (Pinder,
1998)) is largely ignored in the existing enterprise
modeling approaches.
In this study reporting of safety occurrences during
taxiing operations near an active runway of an
airport are investigated. Traffic movements on the
runway and surrounding taxiways are under control
of a runway controller and ground controllers,
respectively. In this operational context, safety-
relevant events may occur, e.g. taxiing aircraft
initiates to cross due to misunderstanding in
communication. To support safety management,
such events should be reported by the involved
pilots and controllers. In this case, we consider
reporting that occurs either via formal organizational
lines or via informal coordination. The formal
organization considers safety occurrence reporting at
the air navigation service provider (ANSP) and at
airlines, the informal path considers coordination
between air traffic controllers.
The formal occurrence reporting at the ANSP
starts by the creation of a notification report by the
involved controller(s). This notification report is
examined and possibly improved by the supervisor.
The notification report is processed by the safety
investigation unit (SIU) of the ANSP. The severity
of the occurrence is assessed and a description of the
event is stored in a safety occurrences database. In
the case of single severe occurrences or of a
consistent series of less severe occurrences, the SIU
may initiate an investigation for possible causes.
The organization of the safety occurrences
processing at the airline starts with a notification
report created by the pilots. This notification report
may be provided to the airline’s safety management
unit or it may be directly provided to the regulator (a
governmental organization). The airline’s safety
management unit examines and potentially improves
the report and it informs the regulator about safety
occurrences at the airline. The regulator may decide
on further investigation of safety occurrences by
itself or by a facilitated external party.
The informal safety occurrence reporting path at
the ANSP considers that controllers discuss during
breaks the occurrences that happened in their shifts.
If they identify potential important safety issues they
inform the head of controllers, who is a member of
the operation management team. This team may
decide on further investigation of the issue.
ICEIS 2008 - International Conference on Enterprise Information Systems
To create a specification of the formal organization a
design methodology has been developed that uses
the modeling languages from (Sharpanskykh, 2008)
and identifies the following sequence of design
Step 1. The identification of the organizational roles.
A role is a set of functionalities of an organization,
abstracted from specific agents who fulfill them.
Each role can be composed by several other roles,
until the necessary level of details is achieved. A
role composed of (interacting) subroles is called a
composite role. Each role has an input and an output
interface, which facilitate in the interaction with
other roles. The environment is a special component
of a model that also has input and output interfaces.
In the ATO, roles are identified at three aggregation
levels (see Figure 1).
Step 2. The specification of the interactions between
the roles. Relations between roles are represented by
interaction and interlevel links. An interaction link is
an information channel between two roles at the
same aggregation level. An interlevel link connects a
composite role with one of its subroles. The
interaction relations for the ATO have been
identified at each level (see Figure 1).
Step 3. The identification of the requirements for the
roles. In this step the requirements on knowledge,
skills and personal traits of the agent implementing a
role at the lowest aggregation level are identified. A
prerequisite for the allocation of an agent to a role is
the existence of a mapping between the capabilities
and traits of the agent and the role requirements.
Step 4. The identification of the organizational
performance indicators and goals. A performance
indicator (PI) is a quantitative or qualitative
indicator that reflects the state/progress of the
company, unit or individual. PIs can be hard (e.g.,
occurrence investigation time) or soft, i.e., not directly
measurable, qualitative (e.g.,
level of collaboration
between controllers
Figure 1: Interaction relations in the ATO (level 1).
Goals are objectives that describe a desired state or
development and are defined as expressions over
PIs. A goal can be refined into subgoals forming a
hierarchy. For example, goal
G18 ‘It is required to
maintain timeliness and a high quality of occurrence
is based on two PIs ‘timeliness of
occurrence investigation
’ and ‘quality of occurrence
. This goal is refined in several subgoals
among which: G18.2 ‘It is required to maintain a sufficient
level of details of notification reports’, G18.3 ‘It is required to
maintain the timely investigation of an occurrence’
G18.4 ‘It is required to maintain a high level of
thoroughness of occurrence investigation’.
To ensure the
satisfaction of
G18, the (sufficient degree of)
satisfaction of its subroles is required. Goals are
related to roles. E.g.,
G18 is attributed to Safety
Investigation Unit
and Regulator roles of the ATO.
Step 5. The specification of the resources. Resource
types are characterized by: name, category: discrete
or continuous, measurement unit, expiration
duration: the time interval during which a resource
type can be used; location; sharing: some processes
may share resources. Examples of resource types of
the ATO are: airport's diagram, aircraft, incident
classification database, clearance to cross a runway,
an incident investigation report.
Step 6. The identification of the tasks and relations
between the tasks, the resources and the goals. A
task represents a function performed in the
organization and is characterized by name, maximal
and minimal duration. Tasks can be decomposed
into more specific ones using AND- and OR-
relations forming hierarchies. Each task performed
in an organization should contribute to the
satisfaction of one or more organizational goals. For
example, the ATO task
T4 ‘Occurrence reporting based
on the data provided by a controller’
is refined into more
specific tasks, among which
T4.1 ‘Create a notification
, T4.4 ‘Investigation of the occurrence based on the
notification report’
. Task T4.4 is related to resources: it
uses a processed notification report and produces an
occurrence investigation report. Furthermore,
contributes to the satisfaction of goal G18.2, and T4.4
contributes to goals G18.3 and G18.4.
Step 7. The specification of the authority relations.
The following types of authority relations are
distinguished: superior-subordinate relations on
roles w.r.t to tasks, responsibility relations, control
for resources, authorization relations. Roles may
have different rights and responsibilities with respect
to different aspects of task execution, such as
execution, passive monitoring, consulting, making
technological decisions and making managerial
decisions. E.g.,
Safety Investigator role is responsible
for execution of and making technological decisions
w.r.t. task
T4.4, Head of Safety Investigation Unit is
Create a
Investigation of
an incident based
on the report
processing of a
notification report
Making decision
on the occurrence
Discussion of the
intermediate incident
investigation results
Reviewing of an
Distribute an incident
investigation report
Figure 2: The flow of control that defines the execution of the formal occurrence reporting path initiated by a controller.
responsible for monitoring, consulting and making
managerial decisions related to T4.4.
Step 8. The specification of the flows of control.
Flows of control describe temporal ordering of
processes of an organization in particular scenarios.
The framework allows representing all commonly
used workflow templates. Figure 2 describes the
execution of the formal occurrence reporting
initiated by a controller.
Step 9. The identification of the generic and domain-
specific constraints. Constraints are imposed on
organizational specifications to ensure their internal
consistency and integrity, and validity with respect
to the domain. An organizational specification is
correct if the corresponding set of constraints is
satisfied by this specification. The framework used
provides means for automated checking of the
correctness of a specification. Consider examples of
the domain-specific constraints of the ATO:
C1: When an aircraft is approaching to a runway, the pilots
should cease all processes not related to the taxiing.
C2: The pilots of a crew should verbally share information
about the instructions of controllers.
C3: Each observed incident should be reported by a crew.
C4: Perform allocation of controllers to aircraft monitoring
processes in such way that the number of processes
executed at the same time by each controller is less than 7.
The specification of a formal organization forms a
part of an overall organizational specification.
Another part describes characteristics and behavior
of agents and their allocation to roles.
Agents are characterized by sets of skills and
personal traits that influence their behavior and
performance in the organization. The behavior of an
agent is considered as goal-driven. For the case
considered it is assumed that the goals of the agents
are in line with the organizational goals. For the
ATO a number of agent types have been identified,
among which: Controller, Pilot, and Manager. Based
on agent type Controller, 7 instances have been
defined with varying development levels of the
skills. All the agents-controllers possess the
aggregated air traffic control skill (
atc), which allows
them to be assigned either to Runway or Ground
roles. The agent ag_controllerG also
possesses the skill
employee management, which
allows allocating this agent to role Tower Controllers
. Based on observations in the air traffic
domain, it is assumed that the development level of
atc skill forms the basis for informal power of
controllers: the higher the development level of the
controller’s atc, the more influence s/he has in the
organization. In particular, the level of influence of
an agent-controller plays an important role in the
propagation of information about potential safety
problems to the management level of the ANSP.
In the considered case study, the behavior of
agents is investigated in the context of execution of
the taxiing and incident reporting tasks described in
Section 3. Both the formal and informal incident
reporting paths are modeled, simulated and
compared. The physical environment represented in
the simulation case consists of two sectors of the
airodrome, each of which is controlled by the
corresponding ground controller role. The sectors
adjoin a runway that is in control of the runway
controller role. In the simulation at the beginning of
each day, three agents controllers are chosen
randomly to be allocated to two ground controllers
and the runway controller roles. The traffic flow in
the surroundings of the runway is assumed to be 30
aircraft per hour, 12 hours per day. For each aircraft
a crew role is introduced, to which properly
qualified agents pilots are assigned.
Controllers and crews are able to react to 6 types
of safety-related occurrences that may happen
during the execution of taxiing operations.
Table 1 shows the events and the probability
values assumed in this simulation study.
ICEIS 2008 - International Conference on Enterprise Information Systems
Table 1: Safety-relevant events and their probability
values per taxiing operation.
Event Probability
(a) Aircraft rejects take-off as result of a
runway incursion
(b) Taxiing aircraft stops progressing on the
runway crossing only after the stopbar and due
to a call by the runway controller
(c) Taxiing aircraft makes wrong turn and
progresses towards the runway crossing
(d) Taxiing aircraft makes wrong turn and
progresses on a wrong taxiing route
(e) Taxiing aircraft has switched to a wrong
(f) Taxiing aircraft initiates to cross due to
misunderstanding in communication
Some event types can be observed by the agents
allocated to particular roles only. Moreover, agents
may not always recognize and report observed
events correctly. This is specified by probability
values assigned to corresponding events (for details
see (Sharpanskykh, 2008)).A sufficient number of
observed occurrences of a particular type results into
the initiation of a formal reporting process, more
specifically: 1 event of type (a); 3 of (b), 6 of (c), 55
of (d), 55 of (e), and 6 of (f).
To model the informal occurrence reporting
path, the role Discussion is introduced that contains
subroles Participant 1…N. The agent controller with
the highest influence level in Discussion role has
also a joint allocation to subrole Problem Informant
in Problem Communication role. Thus, this agent
represents Discussion role in the interactions with
Operational Management Team role (OMT).
The provision of relevant and reliable
information about safety-related occurrences to
OMT depends greatly on the informal influence
relations that exist among controllers. More
specifically, the relevant information is propagated if
the controllers involved in the discussion are
sufficiently influential and possess sufficient
knowledge about occurrences. To create a
quantitative model for informal incident reporting,
the motivation model by Vroom (Pinder, 1998) is
used. The motivation model defines the motivational
force of an agent to perform some action as:
IV VVE( f F ),
is the strength of the expectancy (belief)
that act i will be followed by outcome j; V
is the
valence (i.e., perceived importance) of first-level
j; V
is the valence of second-level outcome
k that follows first-level outcome j; I
is perceived
instrumentality (belief about the likelihood) of
j for the attainment of outcome k.
This model is used to represent the motivation of
the agent allocated to a participant role (within
Discussion role) with the highest influence level to
propagate information about a safety-related issue.
The parameters of the motivation are defined as
follows: instrumentalities
I11 and I12 are assigned
high values (
0.9). Both second-level outcomes have
a high level of priority for the controllers (valence
value = 1). Expectancy
E11 is defined as:
E11(occur_type, CD) ac(occur_type) influence_level(C )
where CD is the set of the controllers involved in the
discussion and ac(occur_type) is defined as:
pe)N(occur_ty pe)N(occur_ty ,
pe)N(occur_ty pe)N(occur_ty 1,
with N(occur_type) the number of occurrences of the
occur_type required for the investigation (the
same as for the formal incident reporting) and
the number of occurrences of the
occur_type observed by the controllers involved
in the discussion so far.
Thus, the motivation force to report about a
possible problem based on the observations of
events of type
occur_type is calculated using (1) as:
F(occur_type, CD) = (1*0.9 + 1*0.9)* E11(occur_type, CD)
F(occur_type, CD) > 1.8 (i.e., agent’s expectancy E11
that the reported issue will be considered in OMT >
, then the problem will be reported to OMT by the
representative of Discussion role. Then, the problem
will be discussed at the nearest OMT meeting and
the occurrence investigation will be initiated.
Based on the specification constructed in Sections 4
and 5, 100 stochastic simulations with a simulation
time of maximum 3 years (12 operational hours per
day) each have been performed using the simulation
tool LEADSTO (Bosse et al., 2007). When the
formal or informal safety occurrence reporting has
lead to the identification of a safety problem and a
further investigation thereof, the simulation was
halted. As a result of each simulation trial, a trace is
generated by the LEADSTO. Then, such traces can
be automatically analyzed using the TTL Checker
software (Bosse et al., 2006). In this case study a
number of properties has been checked
automatically on 100 generated traces, two of which
are described in the following. The first property
calculates the number of traces, in which the safety
problem has been found based on the reported
occurrences of some type. Another property
calculates the mean time of the problem recognition
on all traces in which the problem of a particular
type has been found. The simulation results for both
formal and informal reporting are shown in Table 2.
Table 2: Results of the simulation experiments.
Percentage of traces, in
which the investigation
Mean time of the
problem recognition
Formal Informal Formal Informal
a 22% 21% 155.1 134.9
b 5% 15% 168.1 123.9
c 28% 50% 194.6 149.6
d 0% 0% - -
e 0% 3% - 278.9
f 45% 11% 185.9 184.7
total 100% 100% 180.8 150.4
Table 2 shows that for both the formal and
informal handling of safety occurrences in all
simulation traces a safety investigation is initiated,
however, the mean time until start of the
investigation is 181 days in the formal case, whereas
it is 150 days in the informal case. Considering the
simulation results for the particular events, the mean
time of recognition is smaller for all event types in
the informal reporting path.
A main reason underlying the difference in the
time until recognition of the safety problem is that
situations like event b and event c are often
recognized by both ground and runway controllers
and thus feed common situation awareness on
safety-critical aspects in informal discussions
between controllers, whereas such events are just
single occurrence reports in the formal incident
reporting case. It remains to be validated whether
this model predicted behavior concurs with practice.
This paper describes an automated formal approach
for modeling and analysis of organizations and its
application in the air traffic management domain.
On the one hand, the approach allows specifying
prescriptive aspects of a formal organization using
the framework from (Sharpanskykh, 2008). On the
other hand, it provides possibilities to specify
stochastic behavior of organizational actors and the
environment. By performing simulation, different
scenarios of organizational behavior can be analyzed
using the automated software.
An example of such analysis, in which the
formal and informal occurrence reporting paths of
the ATO are investigated, is provided in this paper.
The analysis results show that the informal safety-
occurrence reporting path results in faster
identification of safety-related problems than the
formal reporting path. Next research steps will focus
on assessing the model validity and on evaluating
whether this important feedback on safety
occurrence reporting processes is recognized in
actual air traffic organizations and may be a basis for
organizational change.
Blom, H.A.P., Stroeve, S.H., 2004. Multi-agent situation
awareness error evolution in air traffic. Proc. 7th
Conference on Probabilistic Safety Assessment &
Management, Berlin, Germany
Bosse, T., Jonker, C.M., Meij, L. van der, Treur, J., 2007.
A Language and Environment for Analysis of
Dynamics by Simulation. International Journal of
Arificial Intelligence Tools, 16: 435-464.
Bosse, T., Jonker, C.M., Meij, L. van der, Sharpanskykh,
A., Treur, J., 2006. Specification and Verification of
Dynamics in Cognitive Agent Models. In Proceedings
of the 6
Int. Conf. on Intelligent Agent Technology,
IAT'06. IEEE Computer Society Press, 247-255.
CIMOSA – Open System Architecture for CIM, 1993.
ESPRIT Consortium AMICE, Springer-Verlag, Berlin.
Dalal, N., Kamath, M., Kolarik, W., Sivaraman, E., 2004.
Toward an integrated framework for modeling
enterprise processes, Communications of the ACM,
47(3), 83-87.
Eurocontrol: Air navigation system safety assessment
methodology, 2004. SAF.ET1.ST03.1000-MAN-01,
edition 2.0.
Koubarakis, M., Plexousakis, D., 2002. A formal
framework for business process modeling and design.
Information Systems, 27(5), 299–319.
Le Coze, J, 2005. Are organizations too complex to be
integrated in technical risk assessment and current
safety auditing? Safety Science, 43:613-638.
Pinder, C. C., 1998. Work motivation in organizational
behavior. Upper Saddle River, NJ: Prentice-Hall.
Reason J., 1997 Managing the risk of organizational
accidents. Ashgate, Aldershot, England
Scheer, A-W., Nuettgens, M., 2000. ARIS Architecture
and Reference Models for Business Process
Management. LNCS 1806, Springer, 366-389.
Sharpanskykh, A., 2008. On Computer-Aided Methods for
Modeling and Analysis of Organizations. PhD
Dissertation. Vrije Universiteit Amsterdam.
Tham, K.D., 1999. Representation and Reasoning About
Costs Using Enterprise Models and ABC, PhD
Dissertation, University of Toronto.
Van der Aalst, W.M.P., Van Hee, K.M., 2002. Workflow
Management: Models, Methods, and Systems, MIT
press, Cambridge, MA.
ICEIS 2008 - International Conference on Enterprise Information Systems