A Systemic Approach to Organizational Safety Modeling and Analysis

1. Introduction

In 2002 a tragic accident occurred over the towns of Überlingen and Owingen in Germany (Nunes & Laursen, 2004). Two aircraft collided in mid-air, nobody on board survived. Directly before the accident the pilots of one aircraft followed instructions of the air traffic controller on duty and disregarded a conflicting advice from their automated collision warning system. On the contrary, the pilots of the second aircraft followed instructions of their onboard system. However, this conflict of instructions was not the only cause of the accident. By a deeper investigation (Nunes & Laursen, 2004) several organizational, cognitive and technological factors were identified, which had led to the accident. Unfortunately, many of these factors could not have been determined before the accident because of the lack of appropriate safety analysis tools, well-suited for safety analysis of modern safety-critical organizations such as air navigation service providers, power plants, railway organizations.

Modern safety-critical organizations are characterized by complex, nonlinear dynamics involving many interrelated actors and processes. Safety issues that emerge from these complex dynamics increasingly remain hidden, until an incident or even a serious accident occurs. Traditional safety analysis methods (Bedford & Cooke, 2001; Eurocontrol, 2004) developed long ago for much simpler organizations cannot help identifying, explaining and predicting many safety-related properties (e.g., safety hazards, issues) of modern organizations. The need for more advanced safety modeling and analysis tools is well recognized in the industry; however a theoretical basis for these tools is largely missing.

To address this issue, in the paper a formal approach is proposed to establish relations between the local dynamics of actors of a complex safety-critical organization and safety-related properties that emerge from these dynamics (e.g., safety hazards, safety culture properties, safety requirements). On the one hand, global (or systemic) consequences of local organizational dynamics can be determined by using this approach in a bottom-up manner. On the other hand, major local contributing factors for emerging safety-related properties can be identified by the approach applied in a top-down manner. The knowledge about organizational “local-global” relations may also be used for a structured, systematic improvement of the organizational safety.

In contrast to the traditional approaches, the organizational dynamics are specified in the proposed approach by taking the agent perspective (Weiss, 1999) with an organizational layer. From this perspective global organizational properties emerge from local interactions and behavior of autonomous agents representing humans and technical systems situated in the organizational context.

To relate local organizational dynamics to global emergent properties four levels of abstraction are distinguished: internal/cognitive, behavioral, group, and global organizational levels. At each level dynamic properties can be identified. Relations between structures of (adjacent) levels of abstraction can be established by simulation or analytically (e.g., using techniques from Mathematical Logics, Calculus and Control Theory). In this paper we mostly focus on simulation techniques, however, a discussion on analytical tools is provided in Section 3.