ScienceDirect
Available online at www.sciencedirect.com
Transportation Research Procedia 43 (2019) 290–299
2352-1465 © 2019 The Authors. Published by Elsevier B.V.
Peer-review under responsibility of the scientific committee of the 8th International Conference on Air Transport – INAIR 2019,
GLOBAL TRENDS IN AVIATION
10.1016/j.trpro.2019.12.044
Functional modeling in safety by means of foundational ontologies
Andrej Lališ (a, *), Riccardo Patriarca (b), Jana Ahmad (c), Giulio Di Gravio (b), Bogdan Kostov (c)
(a) Faculty of Transportation Sciences, Czech Technical University in Prague, Horská 3, 128 03 Prague, Czech Republic
(b) Department of Mechanical and Aerospace Engineering, Sapienza University of Rome, Via Eudossiana 18, 001 84 Rome, Italy
(c) Faculty of Electrical Engineering, Czech Technical University in Prague, Karlovo náměstí 13, 121 35 Prague, Czech Republic
Abstract
The modern theory of safety takes a systemic approach to safety, formalized in several systemic prediction models or
methods such as FRAM (Functional Resonance Analysis Method) or STAMP (System-Theoretic Accident Model and
Processes). The theory of each approach emphasizes different viewpoints to be considered in approaching various industrial
safety issues. This paper focuses on FRAM and its functional viewpoint for modern complex sociotechnical systems. The
methodology in this paper is based on the utilization of foundational ontologies to conceptualize the core ideas of FRAM, with
the focus on the concept of functions as used in the theory. The outcomes of the case study in the aviation domain show what
needs to be determined to properly model functions in FRAM, and they allow for better utilization of the method in real-case
applications. The results also confirm some previous research, suggesting that the modern systemic approach to safety is
theoretically grounded on common, or at least complementary, tenets, to be prospectively integrated by means of ontology
engineering.
Keywords: aviation safety; socio-technical systems; ontology engineering; safety engineering; resilience engineering
* Corresponding author. Tel.: +420 224 359 185.
E-mail address: lalisand@fd.cvut.cz
1. Introduction
The modern theory of safety engineering is actively developing, mainly because of discoveries in technology and
science but also because of ever-increasing safety standards in current society. There is a continuous tendency to
develop and improve metrics for measuring the safety performance of the air transport system, as indicated by
Lintner et al. (2009), Di Gravio et al. (2014) and Di Gravio et al. (2016). The newest models and methods used to
explain and predict safety are referred to as systemic, as they attempt to evaluate systems as a whole and account for
complexity, resonance, emergence and other phenomena typical of system-level analysis. Systemic models and
methods of safety are the cutting edge in theory, and experiments and application research are being carried out to refine
and validate the theory. This implies that the theory is neither finished nor consolidated, and that various
research teams even experiment with possible theory extensions for the purpose of specific safety-related use cases,
e.g. Dokas et al. (2013), Salmon et al. (2018) and Li et al. (2019). This provides not only room for desirable
experimentation but also room for interpretation variance, which hinders the effectiveness and efficiency of industrial
applications of the theory.
This paper focuses on a specific systemic method, the FRAM (Functional Resonance Analysis Method)
described by Hollnagel (2012). FRAM was designed to analyze systems’ behaviors and help the analyst identify
possible functional areas that are more susceptible to resonance, i.e. where the variability of functions provided by the
systems may combine following uncontrolled and unpredictable patterns. Such a combination is considered a
resonance, similar to that in physics, and it involves a significant out-of-range disturbance of system behavior, which is
often associated with loss events (accidents). The basic concept of any modeling with FRAM is a function, since the
method requires a functional representation of a system, which needs to be provided by the analyst. While the
foundational principles of FRAM are clear and simple, this is often not the case when the method is applied to
particular industrial applications. The determination of functions and their abstraction is completely up to the
analyst, and several users are likely to end up with different functional representations of the same system. There
are already some solutions available, such as that by Patriarca et al. (2017a), and even though this may not always pose a
problem from the perspective of the analysis itself, it is a limitation which has the potential to severely impact the
results of a FRAM analysis.
On the other hand, modern technology and computer science are very sensitive to clear semantics, and there already
exist tools that can model reality for different application purposes where semantics is critical. These tools work
with modeling languages and ontologies, i.e. metamodels of reality, which aim to disambiguate the meaning of different
concepts used mostly by software or in human-machine interaction. In this domain, one of the fast-developing areas
is foundational ontologies, which provide a domain-independent description of the reality of interest. In essence, they
assure that any domain ontology or specific model of a reality conforms to common human interpretation, and as
such they are a very powerful tool for assuring semantics where necessary.
This paper takes the concept of function as used in FRAM and experiments with its representation by means of a
foundational ontology, namely the Unified Foundational Ontology. The goal is to achieve an improved and
computer-readable description of what a function is as used in FRAM, in order to support future tools and software
based on FRAM itself. The purpose of the possibly improved semantics is to limit the interpretation variance of FRAM
application and modeling by users and to direct future research towards experimentation with a semantically
well-based conceptualization of the theory.
2. Methodology
This section reviews the necessary background of FRAM, with the focus on the concept of a function, and defines
the notions of the Unified Foundational Ontology (UFO). The practical example is introduced and presented as a
UFO-based FRAM model.
2.1. The Functional Resonance Analysis Method
The FRAM was developed by Prof. Erik Hollnagel as a method for analysis and modelling of non-trivial
socio-technical systems. The FRAM works with the assumption that safety is a system-level property and that it should be
analyzed in terms of the system’s behavior. In this sense, it guides the analyst to first understand how systems
normally work and then to use that understanding to explain their potential exposure to failures. Consequently, the
theory requires the development of a functional representation of a system, as opposed to an object-based representation, as
specified by Hollnagel (2012). The basic building elements are functions, which need to be described in terms of
their inputs and outputs (the so-called aspects), as depicted in Fig. 1. The figure depicts the complete set of function
aspects, where inputs can be further distinguished into Time, Control, Precondition, Resource, or Input.
Every single aspect of a function determines the type of input the function receives from some other upstream
function.
Fig. 1. Representation of a function and its aspects as per the theory of FRAM.
A FRAM-based representation of a system, or a part of it, is then produced as a set of interconnected functions where
an output of a function can be any form of input to some other function.
The method is built upon the functional representation and consists of the following steps: (1) identification and
description of functions, (2) identification of variability, (3) aggregation of variability and (4) defining the
consequences of the analysis. The main idea is to analyze possible variations of function outputs and their
combination within the given functional relationships and to search for possible effects. FRAM is grounded in Safety-II,
described by Hollnagel (2014), i.e. it considers resonance to be the governing principle for emergent outcomes such
as safety, unlike the traditional approach, which considers causality instead. Therefore, the main goal is to search for
interactions between multiple functions (aggregation of variability), identify those interactions which have the
potential to resonate, and help propose measures for dampening the potential variability combination and possible
resonance. Resonance is a possible effect following variability combination, typically a significant perturbation to
system-level behavior that is often associated with loss events (accidents).
According to the FRAM, there are several phenotypes of variability (e.g. variability in time, precision, object,
direction, duration, etc.) that should be considered when analyzing a system for potential resonance. Here, the
method itself reaches a potential limitation, as the evaluation is qualitative and most often relative, i.e. it considers
only whether the variability aggregation is likely to increase, retain or dampen a particular function’s
variability in given conditions. Expert assessment and knowledge are needed to conclude any FRAM-based analysis
and produce recommendations.
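The following Python sketch is an added example, not code from the paper or from any FRAM tool. It models functions, couplings from an upstream Output to a downstream aspect, and a relative increase/retain/dampen judgement per coupling, then lists the functions where variability from several couplings combines. The function names, the integer encoding of the judgements and the sum-based aggregation rule are assumptions made for illustration, and the sketch handles acyclic models only.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from enum import Enum


class Aspect(Enum):
    """Receiving aspects of a function; Output, the sixth aspect, is always the source."""
    INPUT = "I"
    TIME = "T"
    CONTROL = "C"
    PRECONDITION = "P"
    RESOURCE = "R"


class Effect(Enum):
    """Relative judgement of a coupling (the integer encoding is an assumption)."""
    DAMPEN = -1
    RETAIN = 0
    INCREASE = 1


@dataclass(frozen=True)
class Coupling:
    upstream: str    # function whose Output is consumed
    downstream: str  # function that receives it
    aspect: Aspect   # aspect of the downstream function that receives it
    effect: Effect


@dataclass
class FramModel:
    internal: dict = field(default_factory=dict)  # function -> own variability, 0 or 1
    couplings: list = field(default_factory=list)

    def add_function(self, name, variable=False):
        self.internal[name] = 1 if variable else 0

    def couple(self, upstream, downstream, aspect, effect):
        for name in (upstream, downstream):
            if name not in self.internal:
                raise KeyError(f"unknown function: {name}")
        if upstream == downstream:
            raise ValueError("an Output must feed some other function")
        self.couplings.append(Coupling(upstream, downstream, aspect, effect))

    def _upstream_first(self):
        """Kahn's algorithm; rejects loops, which this sketch does not handle."""
        indegree = {f: 0 for f in self.internal}
        for c in self.couplings:
            indegree[c.downstream] += 1
        queue, order = deque(f for f, d in indegree.items() if d == 0), []
        while queue:
            f = queue.popleft()
            order.append(f)
            for c in self.couplings:
                if c.upstream == f:
                    indegree[c.downstream] -= 1
                    if indegree[c.downstream] == 0:
                        queue.append(c.downstream)
        if len(order) != len(self.internal):
            raise ValueError("model contains a loop")
        return order

    def aggregate(self):
        """Return (level, sources): aggregated variability and contributing couplings."""
        incoming = defaultdict(list)
        for c in self.couplings:
            incoming[c.downstream].append(c)
        level, sources = {}, {}
        for f in self._upstream_first():
            total = self.internal[f]
            for c in incoming[f]:
                if level[c.upstream] == 0:
                    continue  # a steady upstream function passes nothing on
                passed = max(0, level[c.upstream] + c.effect.value)
                if passed:
                    total += passed
                    sources.setdefault(f, []).append((c.upstream, c.aspect.value))
            level[f] = total
        return level, sources

    def resonance_candidates(self):
        """Functions in which variability from two or more couplings combines."""
        _, sources = self.aggregate()
        return sorted(f for f, s in sources.items() if len(s) >= 2)


def build_example():
    """Constructed runway-operations fragment; not the model of Fig. 2."""
    m = FramModel()
    m.add_function("Issue line-up clearance", variable=True)
    m.add_function("Taxi to holding point", variable=True)
    m.add_function("Cross-check readback")
    m.add_function("Enter runway")
    m.couple("Issue line-up clearance", "Cross-check readback", Aspect.INPUT, Effect.DAMPEN)
    m.couple("Issue line-up clearance", "Enter runway", Aspect.CONTROL, Effect.INCREASE)
    m.couple("Taxi to holding point", "Enter runway", Aspect.TIME, Effect.RETAIN)
    m.couple("Cross-check readback", "Enter runway", Aspect.CONTROL, Effect.RETAIN)
    return m
```

In the constructed fragment the readback cross-check dampens the clearance variability to zero on its own path, while the direct Control coupling and the Time coupling still combine in "Enter runway", which is the only candidate reported.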
2.2. The Unified Foundational Ontology
The Unified Foundational Ontology is one of the latest and actively developed foundational ontologies; it was built
on several theories, such as formal ontology, philosophical logic, philosophy of language, linguistics and cognitive
psychology. It works with universals and particulars, based on the theory of the part-whole relation. The ontology has
three base layers, named UFO-A (ontology of endurants), UFO-B (ontology of events) and UFO-C (ontology of
social agents). The layers allow for detailed representation of most real-world domains for the purpose of various
applications. For a detailed description of the individual layers and concepts of the ontology, refer to Guizzardi (2005),
Guizzardi et al. (2007) and Guizzardi et al. (2013a).
UFO adopts many successful and well-established concepts used by other foundational ontologies and addresses
many aspects of conceptual modeling that were not addressed by other ontologies. Moreover, there are some
specific aspects which support its selection over other foundational ontologies for the purpose of this work. The
authors of UFO developed the OntoUML language, based on the Unified Modeling Language (UML), which resolves
many problems inherent to the language and facilitates utilization of UFO-based concepts. There are also a number of
support tools available with OntoUML and UML-based tools that can support the conceptualization with UFO.
Fig. 2. FRAM model for runway operations: A (complete model), B (model restricted to critical functions). Adapted from Patriarca et al. (2017b).
2.3. Practical example from aviation domain
Aviation is a system deeply concerned with modern issues of safety, i.e. the need for approaches to deal with
tight and non-linear couplings among human, technical and organizational factors. In airports, everyday operation
requires collaborative work performed by a large number of interconnected agents and intertwined functions. In this
context, one of the most critical potential scenarios is the so-called runway incursion. According to ICAO, a
runway incursion is “any occurrence at an aerodrome involving the incorrect presence of an aircraft, vehicle or
person on the protected area of a surface designated for the landing and takeoff of aircraft” (ICAO Doc 4444
PANS-ATM). For example, a runway incursion can be due to the incorrect entry of an aircraft (or vehicle) onto the
runway area, possibly caused by incorrect sequencing of departing or arriving aircraft. There could be
several contributory factors to the occurrence, such as weather, aerodrome design, multiple line-ups, the usage of
conditional clearance, phraseology, workload, etc., as specified by ICAO (2007).
Following the Air Navigation Service (ANS) perspective, this paper aims to present a walkthrough example of
the usage of FRAM to model everyday work in runway operations and to combine its usage with UFO. The paper
starts from previously developed research by Patriarca et al. (2017b), aimed at modeling runway operations through
FRAM and isolating critical functions through a Monte Carlo simulation approach. The method presented in
this paper starts from the original model developed in Patriarca et al. (2017b) (Figure 2A), and proceeds through one
of the critical sub-models (Figure 2B) to originally test the applicability of UFO with respect to FRAM analyses.
3. Results
The results include two main achievements: a model (conceptualization) of a function as per the theory of FRAM
and an instance model of the practical example from the previous section, produced with the generic model of a
function.
Fig. 3. Conceptualization of a function with UFO ontology.
The generic model of a function is depicted in Fig. 3. In the schema, all concepts reused from UFO start with the ufo
prefix; non-UFO concepts are either grounded in UFO with a particular stereotype or need some explanation. The
main concept is a Function located in the middle of the schema, which has a stereotype ufo:Disposition, i.e.
existentially dependent entities that are realizable through the occurrence of an Event as specified by Guizzardi and
Wagner (2013b). In a figurative sense, this means that a function is typically some capability or ability, something
an object or agent can do. Considering a pilot/ATCO communication as a function, this is something that two
agents (here pilot and ATCO) can do owing to their capability to listen and talk, and ability to use radio for that
purpose. The concept Function is then specialized into several other concepts in line with the FRAM principles, be it
a Background Function concept or distinguishing between a Human, Technological or Organizational Function. All
these concepts implicitly inherit the semantics of a Function, hence are all considered a disposition.
Similar logic applies as soon as the goal is to consider possible abstraction hierarchy of the functions, as
discussed in Patriarca et al. (2017a). Two functions can compose a Coupling, which can be abstracted into a
Complex Function if needed. By contrast, if a Function cannot be detailed into higher granularity functions, then this
is considered an Atomic Function. The pattern reused here follows UFO described by Guizzardi and Wagner (2010).
Following the top section of Fig. 3, the mapping to UFO-grounded concepts is specified, here Event, Agent,
Substantial and Endurant. This part of the ontology specifies that functions are dispositional properties manifested
under certain circumstances and through the execution of an Event (here Pilot/ATCO communication is manifested
in a particular communication, having its start time and end time on particular date) where Object or Agent can
participate in (specific persons with their ID or particular objects like a radio).
The last part of this section is the Description concept, which is modeled as ufo:Quality, i.e. a property that is
manifested whenever it exists. In the model, Description is essentially a narrative of a particular Function, making
explicit some of its specific qualities or properties.
The right-hand section of Fig. 3 conceptualizes Function Aspect, which is modeled as a specialized type of
ufo:Situation. A situation in UFO concerns a particular set of objects with their properties, in simple terms a snapshot of
them. Be it some Input Aspect or Output of a Function, they are all modeled as a situation. Considering the practical
example from the previous section, a frequent output of the function Pilot/ATCO communication is clarified
instructions, i.e. a situation in which the addressee of a piece of information has received it and understands its content. This is
a situation where the addressee of the information (object) is in some condition (here has some information, knows
of something). This conceptualization conforms to the FRAM principles and building steps.
The figure, however, contains some non-UFO relationships, which need to be clarified, namely has description,
has input, has output, has result, has function aspect and obtains in. These relationships are all variations of the
same type of relationship, which relates two concepts with a type of part-of relationship, that is rather
straightforward to understand for domain experts, but not precisely defined yet. The ontology reaches its limit here,
thus in the future these relations should be considered for more precise conceptualization. Some of these relations
are in green, meaning that similar relations exist with other concepts in this part of the diagram, namely between a
Function and Resource, Control, Time and Precondition but are not made explicit.
Fig. 4. Conceptualization of the practical example of Pilot/ATCO function with the developed generic UFO-based ontology of a function
referring to the model depicted in Fig. 3.
Another result of the study is a particular instantiation model of the practical example from the previous section.
The model is shown in Fig. 4. Here, the stereotypes follow domain conceptualization, i.e. the stereotype Function
relates to the concept Function from the previous figure. Similar logic applies to all other stereotypes.
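The generic model of Fig. 3 can be exercised in code. The following Python sketch is an added example, not the paper's or the authors' software: it encodes Function as a disposition, aspects as situations, a coupling of precisely two functions and the event that manifests a function, then checks a small instance for violations. The class names, the rule that a coupling links an upstream output to a downstream aspect (the usual FRAM convention), the rule that an event's result must be a declared output, and all sample values (function kinds, IDs, times, the link between the two functions) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum


class AspectKind(Enum):
    INPUT = "Input"
    OUTPUT = "Output"
    PRECONDITION = "Precondition"
    RESOURCE = "Resource"
    CONTROL = "Control"
    TIME = "Time"


@dataclass(frozen=True)
class Situation:
    """ufo:Situation: a snapshot of a set of objects in some state/condition."""
    text: str


@dataclass
class Function:
    """FRAM Function, stereotyped ufo:Disposition in the model of Fig. 3."""
    name: str
    kind: str                  # Human, Technological or Organizational
    description: str = ""      # Description, modeled as ufo:Quality
    aspects: dict = field(default_factory=dict)  # AspectKind -> set of Situation

    def add(self, kind, text):
        """Attach a function aspect; every aspect is a Situation."""
        situation = Situation(text)
        self.aspects.setdefault(kind, set()).add(situation)
        return situation

    def outputs(self):
        return self.aspects.get(AspectKind.OUTPUT, set())


@dataclass
class Coupling:
    """Part of the functions it couples; the model allows precisely two."""
    functions: tuple           # (upstream, downstream)

    def links(self):
        """Upstream outputs that reappear as a non-output downstream aspect."""
        upstream, downstream = self.functions
        found = []
        for kind, situations in downstream.aspects.items():
            if kind is not AspectKind.OUTPUT:
                found += [(kind.value, s.text) for s in situations & upstream.outputs()]
        return sorted(found)


@dataclass
class Event:
    """ufo:Event in which a Function (a disposition) is manifested."""
    manifests: Function
    participants: tuple        # agents and objects taking part
    start: datetime
    end: datetime
    result: Situation          # situation the event brings about


def validate(couplings, events):
    """Return a list of constraint violations (empty list means consistent)."""
    issues = []
    for c in couplings:
        names = [f.name for f in c.functions]
        if len(c.functions) != 2 or c.functions[0] is c.functions[1]:
            issues.append(f"coupling {names}: needs precisely two functions")
        elif not c.links():
            issues.append(f"coupling {names}: no output feeds a downstream aspect")
    for e in events:
        if e.end < e.start:
            issues.append(f"event of {e.manifests.name}: ends before it starts")
        if e.result not in e.manifests.outputs():
            issues.append(f"event of {e.manifests.name}: result is not a declared output")
    return issues


def build_example():
    """Constructed instance; function kinds, IDs, times and the link are assumed."""
    comm = Function("Pilot/ATCO communication", "Human",
                    "Exchange of instructions over the radio")
    taxi = Function("Start taxiing", "Technological")
    clarified = comm.add(AspectKind.OUTPUT, "Clarified instructions")
    taxi.add(AspectKind.INPUT, "Clarified instructions")
    moved = taxi.add(AspectKind.OUTPUT, "Aircraft has a different location")
    good = Coupling((comm, taxi))
    reversed_pair = Coupling((taxi, comm))      # no taxi output feeds comm
    three_way = Coupling((comm, taxi, comm))    # violates the two-function rule
    t0, t1 = datetime(2019, 1, 1, 10, 0), datetime(2019, 1, 1, 10, 1)
    talk = Event(comm, ("pilot-001", "atco-017", "radio"), t0, t1, clarified)
    wrong = Event(comm, ("pilot-001", "atco-017", "radio"), t0, t1, moved)
    return good, reversed_pair, three_way, talk, wrong
```

Calling `validate` on the objects returned by `build_example()` reports the reversed coupling, the three-function coupling and the event whose result is not an output of the function it manifests.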
4. Discussion
The conceptualization of a function with the UFO ontology from the previous section, together with the case
study example, shows that UFO provides useful conceptual grounding to it. The modeling supports precise
definition of the concepts around a function used by FRAM to increase any FRAM-based artefact reusability and
common understanding with other users or computers. In other words, it determines the view needed to properly
model functions as in FRAM for real-case applications, ensuring semantical coherence. Consequently, the goal was
to conceptualize FRAM functions to support future tools and software, which will utilize the theory of FRAM by
using UFO.
The results of this work allow analysis of FRAM models in UFO terms, which brings an entirely new perspective to
the method. Considering the main focus of the paper, a function in FRAM is an activity or simply something that is
being done, bearing a seemingly clear meaning to the majority of people from natural language. UFO considers it as a
disposition which is a realizable entity that exists because of certain features (capabilities or vulnerabilities) of a
particular object. These functions are manifested in certain events and result in specific situations. As an example, it
is possible to consider the function Start taxiing from Fig. 4 manifested in a particular movement of an aircraft on a
particular day, time and location, which initiates its taxiing and results in a situation where the aircraft has a different
location at the airport. As such, it is a disposition since it exists because of the feature of the aircraft to move (its
capability in this case). The situation is even more apparent with function aspects, which are hard to explain even in
natural language. According to FRAM literature by Hollnagel (2012), function aspects characterize a function,
deriving potential relations among them. While from the perspective of the aspect notation, the meaning may be
clear (it is generally known what is an input, output, precondition etc.), it is hard to provide acceptably clear and
common explanation for all of them simultaneously. The ontology here specifies that all aspects are situations, i.e.
snapshots of a set of objects in some state/condition. This delimits the room for how to interpret each of the aspects.
Lastly, the conceptualization disambiguates what is a coupling. Whilst this may be intuitively clear for many
analysts, further discussion may arise about whether this is a “line” between two functions, thus a separate object
representable as another function, or whether it is a part of the very functions connected by that “line”, i.e. something that
cannot be considered independent of the functions. The ontology model takes the latter perspective, i.e. a coupling is
an inseparable part of the functions it couples, and it specifies that precisely two functions can comprise a coupling. The
rest of the conceptualization does not bring any significant discussion about the semantics but rather provides a
clear schema where other relevant concepts from FRAM fit into the ontology.
Another point is that owing to the application of UFO, the ontology model now brings the FRAM method closer
to other modern safety engineering theory, by providing a platform for integration of the FRAM-based artefacts with
artefacts created based on other methods and safety models. This will ultimately enable integration at the level of the
methods and models, in line with the suggestions provided from previous research by Grant et al.
(2018) regarding common or at least complementary tenets. The results of the study in this work support future
research in this domain.
Lastly, it is important to emphasize that the ontological structure summarized in Fig. 3 remains completely
compatible with FRAM principles and building steps. Its development does not imply an additional building step,
but it is rather intended to provide support for each building step. Starting from it, it is possible to develop dedicated
models like the one shown in Fig. 4 with limited translational efforts. The combined FRAM-UFO application is
intended to provide faster, simpler and more precise analysis relying on functional resonance principles. Producing a
FRAM model through a tool which generates machine-readable information is an added value for future system
safety analyses, because it allows integrating safety analyses with pre-existent tools and data sources. Currently,
software supporting the FRAM-UFO framework is still lacking, but this paper firstly proves its feasibility and
potential significance for a number of applications. In practical terms, having a FRAM-UFO model may (e.g.)
support the definition and exploration of the effects of systems changes as pointed out by Patriarca et al. (2016),
combining the benefits of a systemic perspective based on FRAM, through systematic analyses based on UFO. The
proposed combined approach may also support the identification and interpretation of data sources to develop
leading/lagging indicators which could be used at system level, in line with the results of FRAM analyses. The
ontological model is conceived to ensure semantical coherence and reduce interpretation biases of the model itself,
further strengthening the value of the proposed results.
5. Conclusions
This paper provided the first foundational ontology-based conceptualization of key concepts used in the FRAM method,
namely the conceptualization of a function and function-relevant concepts. The conceptualization was performed by
means of the Unified Foundational Ontology (UFO) and provided a basic machine-readable representation, delimiting
the interpretation of the selected concepts. As a case study example from the aviation domain, some basic functions
performed by air traffic controllers and crew of an aircraft during their operation on airport infrastructure were
selected. The case study demonstrated how the ontology can support modeling of real case examples and showed
how the proposed ontology disambiguates the concepts regarding function from the user’s perspective.
The study is limited by the fact that it starts with modeling of only a part of the FRAM method due to practical
reasons. Further, the study did not perform in-depth validation and verification of the ontology as this is a long-term
task that will need to be performed iteratively with progressive development of the ontology as well as with its
prospective implementation into a dedicated software tool. It only provides basic conceptualization and case-study
example to demonstrate its usability in aviation industry.
The outcomes of this paper, on the other hand, pave the way to future application of an approach combining
FRAM and UFO in order to provide formal representation of a complex work domain. A FRAM model has been
proved to be a valuable support for representing socio-technical interaction, and through the usage of UFO, it could
be formally linked with a variety of data sources even to build some type of software tool to be used organically in
multiple organizations. Apart from that, the outcomes support future integration of FRAM-based artifacts with other
artifacts based on different safety methods and models, finally having the potential to provide a platform for possible
integration of the underlying theory behind modern safety engineering literature.
Future research should further explore the combination of FRAM and UFO, exploring other methodological
approaches currently discussed in FRAM literature, for example, the possibility of expanding the FRAM structure
through a multi-layer framework developed by Patriarca et al. (2017a), or adding quantitative, or semi-quantitative
modelling structures as used in Patriarca et al. (2017b).
References
Di Gravio, G., Mancini, M., Patriarca, R., & Costantino, F., 2014. ATM safety management: Reactive and proactive indicators forecasting and
monitoring ATM overall safety performance. In SIDs 2014 - Proceedings of the SESAR Innovation Days.
Di Gravio, G., Patriarca, R., Mancini, M., & Costantino, F., 2016. Overall safety performance of the Air Traffic Management system: The Italian
ANSP’s experience on APF. Research in Transportation Business and Management, 20.
Dokas, I., Feehan, J., Imran, S., 2013. EWaSAP: An early warning sign identification approach based on a systemic hazard analysis. Safety
Science, 58 (pp. 11-26).
Grant, E., Salmon, P., Stevens, N., Goode, N., Read, G., 2018. Back to the future: What do accident causation models tell us about accident
prediction? Safety Science, 104 (pp. 99-109).
Guizzardi, G., 2005. Ontological Foundations for Structural Conceptual Model, Ph.D. thesis.
Guizzardi, R., Guizzardi, G., Perini, A., Mylopoulos, J., 2007. Towards an Ontological Account of Agent Oriented Goals, Software Engineering
for Multi-Agent Systems, Vol. V, Springer-Verlag.
Guizzardi, G., Wagner, G., 2010. Towards an Ontological Foundation of Discrete Event Simulation. Proceedings of the 2010 Winter Simulation
Conference.
Guizzardi, G., Wagner, G., Falbo, R., Guizzardi, R., Almeida, J. P., 2013a. Towards Ontological Foundations for the Conceptual Modeling of
Events. Proceedings of the 2013 Winter Simulation Conference.
Guizzardi, G., Wagner, G., 2013b. Dispositions and Causal Laws as the Ontological Foundation of Transition Rules In Simulation Models.
International Conference on Conceptual Modeling ER 2013 (pp. 327-341).
Hollnagel, E., 2012. FRAM: The Functional Resonance Analysis Method: Modelling Complex Socio-technical Systems. Ashgate.
Hollnagel, E., 2014. FRAM: Safety-I and Safety-II: The Past and Future of Safety Management. Ashgate.
ICAO, 2007. Doc 9870 Manual on the Prevention of Runway Incursions. International Civil Aviation Organization (ICAO).
Li W., He M., Sun Y., Cao Q., 2019. A proactive operational risk identification and analysis framework based on the integration of ACAT and
FRAM. Reliability Engineering & System Safety, 18 (pp. 101-109).
Lintner, M., Smith, D., Smurthwaite, S., 2009. The Aerospace Performance Factor: utilization of the analytical hierarchy process to develop a
balanced performance and safety indicator of the national airspace system for the Federal Aviation Administration. In Proceedings of ISAHP
2009 (pp. 111).
Patriarca, R., Di Gravio, G., Mancini, M., & Costantino, F., 2016. Change management in the ATM system: Integrating information in the
preliminary system safety assessment. International Journal of Applied Decision Sciences, 9.
Patriarca, R., Bergström, J., Di Gravio, G., 2017a. Defining the functional resonance analysis space: Combining Abstraction Hierarchy and
FRAM. Reliability Engineering and System Safety, 165.
Patriarca, R., Di Gravio, G., Costantino, F., 2017b. A Monte Carlo evolution of the Functional Resonance Analysis Method (FRAM) to assess
performance variability in complex systems. Safety Science, 91.
Salmon, P., Read, G., Walker, G., Goode, N., Grant, E., Dallat, C., Carden, T., Naweed, A., Stanton, N., 2018. STAMP goes EAST: Integrating
systems ergonomics methods for the analysis of railway level crossing safety management. Safety Science, 110 (pp. 31-46).
Andrej Lališ et al. / Transportation Research Procedia 43 (2019) 290–299 299
Andrej Lališ et al. / Transportation Research Procedia 00 (2019) 000000 9
leading/lagging indicators which could be used at system level, in line with the results of FRAM analyses. The
ontological model is conceived to ensure semantical coherence and reduces interpretation biases of the model itself,
further strengthening the value of the proposed results.
5. Conclusions
This paper provided first foundational ontology-based conceptualization of key concepts used in FRAM method,
namely the conceptualization of a function and function-relevant concepts. The conceptualization was performed by
means of Unified Foundational Ontology (UFO) and provided for basic machine-readable representation, delimiting
the interpretation of the selected concepts. As a case study example from the aviation domain, some basic functions
performed by air traffic controllers and crew of an aircraft during their operation on airport infrastructure was
selected. The case study demonstrated how the ontology can support modeling of real case examples and showed
how the proposed ontology disambiguates the concepts regarding function from user’s perspective.
The study is limited by the fact that it starts with modeling of only a part of the FRAM method due to practical
reasons. Further, the study did not perform in-depth validation and verification of the ontology as this is a long-term
task that will need to be performed iteratively with progressive development of the ontology so as with its
prospective implementation into a dedicated software tool. It only provides basic conceptualization and case-study
example to demonstrate its usability in aviation industry.
The outcomes of this paper, on the other hand, pave the way to future application of an approach combining
FRAM and UFO in order to provide formal representation of a complex work domain. A FRAM model has been
proved to be a valuable support for representing socio-technical interaction, and through the usage of UFO, it could
be formally linked with a variety of data sources even to build some type of software tool to be used organically in
multiple organizations. Apart from that, the outcomes support future integration of FRAM-based artifacts with other
artifacts based on different safety methods and models, finally having the potential to provide a platform for possible
integration of the underlying theory behind modern safety engineering literature.
Future research should further explore the combination of FRAM and UFO, exploring other methodological
approaches currently discussed in FRAM literature, for example, the possibility of expanding the FRAM structure
through a multi-layer framework developed by Patriarca et al. (2017a), or adding quantitative, or semi-quantitative
modelling structures as used in Patriarca et al. (2017b).
References
Di Gravio, G., Mancini, M., Patriarca, R., & Costantino, F., 2014. ATM safety management: Reactive and proactive indicators forecasting and
monitoring ATM overall safety performance. In SIDs 2014 - Proceedings of the SESAR Innovation Days.
Di Gravio, G., Patriarca, R., Mancini, M., & Costantino, F., 2016. Overall safety performance of the Air Traffic Management system: The Italian
ANSP’s experience on APF. Research in Transportation Business and Management, 20.
Dokas, I., Feehan, J., Imran, S., 2013. EWaSAP: An early warning sign identification approach based on a systemic hazard analysis. Safety
Science, 58 (pp. 11-26).
Grant, E., Salmon, P., Stevens, N., Goode, N., Read, G., 2018. Back to the future: What do accident causation models tell us about accident
prediction? Safety Science, 104 (pp. 99-109).
Guizzardi, G., 2005. Ontological Foundations for Structural Conceptual Model, Ph.D. thesis.
Guizzardi, R., Guizzardi, G., Perini, A., Mylopoulos, J., 2007. Towards an Ontological Account of Agent Oriented Goals, Software Engineering
for Multi-Agent Systems, Vol. V, Springer-Verlag.
Guizzardi, G., Wagner, G., 2010. Towards an Ontological Foundation of Discrete Event Simulation. Proceedings of the 2010 Winter Simulation
Conference.
Guizzardi, G., Wagner, G., Falbo, R., Guizzardi, R., Almeida, J. P., 2013a. Towards Ontological Foundations for the Conceptual Modeling of
Events. Proceedings of the 2013 Winter Simulation Conference.
Guizzardi, G., Wagner, G., 2013b. Dispositions and Causal Laws as the Ontological Foundation of Transition Rules In Simulation Models.
International Conference on Conceptual Modeling ER 2013 (pp. 327-341).
Hollnagel, E., 2012. FRAM: The Functional Resonance Analysis Method: Modelling Complex Socio-technical Systems. Ashgate.
Hollnagel, E., 2014. FRAM: Safety-I and Safety-II: The Past and Future of Safety Management. Ashgate.
ICAO, 2007. Doc 9870 Manual on the Prevention of Runway Incursions. International Civil Aviation Organization (ICAO).
Li W., He M., Sun Y., Cao Q., 2019. A proactive operational risk identification and analysis framework based on the integration of ACAT and
FRAM. Reliability Engineering & System Safety, 18 (pp. 101-109).
Lintner, M., Smith, D., Smurthwaite, S., 2009. The Aerospace Performance Factor: utilization of the analytical hierarchy process to develop a
balanced performance and safety indicator of the national airspace system for the Federal Aviation Administration. In Proceedings of ISAHP
2009 (pp. 111).
Patriarca, R., Di Gravio, G., Mancini, M., & Costantino, F., 2016. Change management in the ATM system: Integrating information in the
preliminary system safety assessment. International Journal of Applied Decision Sciences, 9.
Patriarca, R., Bergström, J., Di Gravio, G., 2017a. Defining the functional resonance analysis space: Combining Abstraction Hierarchy and
FRAM. Reliability Engineering and System Safety, 165.
Patriarca, R., Di Gravio, G., Costantino, F., 2017b. A Monte Carlo evolution of the Functional Resonance Analysis Method (FRAM) to assess
performance variability in complex systems. Safety Science, 91.
Salmon, P., Read, G., Walker, G., Goode, N., Grant, E., Dallat, C., Carden, T., Naweed, A., Stanton, N., 2018. STAMP goes EAST: Integrating
systems ergonomics methods for the analysis of railway level crossing safety management. Safety Science, 110 (pp. 31-46).
... The value of the Safety-II perspective in providing detailed recommendations for improving system safety is recognized, but FRAM is described as time consuming and complex to use and to interpret the results (Farooqi et al., 2022; Tian & Caponeccia, 2020; Hulmes et al., 2019). In aviation, studies such as Lališ et al. (2019), Moškon et al. (2019) and Adriaensen et al. (2019) aim to facilitate FRAM model comprehension or even enable the automatization of the analysis. Lališ et al. (2019) proposed the representation of a function by means of the Unified Foundational Ontology (UFO) in order to achieve improved and computer readable description of a FRAM' function concept, that would support future tools and software based on the FRAM itself. ...
... In aviation, studies such as Lališ et al. (2019), Moškon et al. (2019) and Adriaensen et al. (2019) aim to facilitate FRAM model comprehension or even enable the automatization of the analysis. Lališ et al. (2019) proposed the representation of a function by means of the Unified Foundational Ontology (UFO) in order to achieve improved and computer readable description of a FRAM' function concept, that would support future tools and software based on the FRAM itself. Their case study was based on Patriarca et al. (2017) one. ...
The development of the Functional Resonance Analysis Method (FRAM) has been motivated by the perceived limitations of fundamentally deterministic and probabilistic approaches to understand complex systems' behaviour. Congruent with the principles of Resilience Engineering, over recent years the FRAM has been progressively developed in scientific terms, and increasingly adopted in industrial environments with reportedly successful results. This paper aims to summarize available documents published between 2017 and 2022 about FRAM in the Aviation domain through a Systematic Literature Review (SLR). Seventeen (17) articles were reviewed, disclosing characteristics of the FRAM research regarding the method's application as well as proposing potential future research directions.
... An upper-level ontology guarantees strong ontological foundations and a better precision of the concepts and their definitions. The EPOWAx upper ontology model consists of three different upper ontologies, which have been connected together: the WAx Framework Ontology [45], the FRAM Upper Model ontology [15,46], and the Suggested Upper Merged Ontology (SUMO) 1 [47]. Indeed, Agent role The role played by an agent in a process [5]. ...
Management of cyber-socio-technical processes often suffers from misalignments of process descriptions according to formal organization documents or manager views (Work-As-Imagined) with actual work practices as performed by sharp-end operators (Work-As-Done). Even if sometimes the accomplishment of a process requires workers to diverge from the Work-As-Imagined, the corresponding changes can potentially cause organizational tensions in the overall system and lead to safety incidents. This consideration led us to define a new resilience indicator, named allostatic load, to capture such misalignments, and the corresponding level of organizational tensions, a cyber-socio-technical system is exposed to. Then, we propose a method to measure it by leveraging semantic technologies, the Functional Resonance Analysis Method (FRAM) to model industrial processes, the WAx conceptual framework to keep track of the variety of the different process perspectives, and a crowd-based approach to elicit industrial knowledge. Finally, we discuss the feasibility of the approach in two real case studies related to a pharmaceutical manufacturing plant and an enterprise in the aluminium sector.
... Regarding aviation safety, new methodologies and their application in aviation are published. This marks the change in thinking and turning away from established methods for analysing safety to modern methods, which can evaluate complex systems' safety [9]. Unfortunately, practical implementation into aviation is difficult even in airport operation [10] and the safety of UAS operation is analysed by the Specific Operations Risk Assessment (SORA) methodology originally published by the Joint Authorities for Rulemaking of Unmanned Systems (JARUS) [11]. ...
Unmanned aircraft systems are growing in popularity with both the public and private entities, penetrating various areas of human activity as they develop. Their numbers are steadily increasing. Plans are tremendous with unmanned aircraft systems, so it is important to correct and regulate their operations. The operations of the unmanned aircraft systems can fill the capacity of very low-level airspace, which is common airspace even for manned aviation. They need to be captured in time so as not to hinder the possible development of new technologies. The paper sets out a methodology that can be used to divide the very low-level airspace and assess it based on the potential risk associated with the operation of unmanned aircraft systems and based on the methodology, a final determination of U-space airspace creation for the Czech Republic is developed.
... Foreground functions (white) represent the core of the system's analysis; (c) the aspects of a function (whose meaning is detailed in the picture) represent its interface with other functions Fig. 15.2 Functional resonance analysis knowledge graph may be mapped and aligned together in order to allow for interoperability between the different enterprise ontologies and reach a unified semantic upper model. The main component of this knowledge graph is the FRAM upper ontology (De Nicola et al., 2017;Lališ et al., 2019), which includes an ontological representation of the FRAM (Hollnagel, 2012) meta-model. The FRAM upper ontology can be linked to all the upper ontology models and, hence, to the different enterprise ontologies included in the knowledge graph. ...
We present the backbone of a knowledge graph to support the next generation of functional resonance analyses in the safety area by means of automatic reasoning services. The proposed knowledge graph is expected to incorporate existing industrial ontologies, according to the needs of safety analysts, and to handle the diversity of upper ontology models that may have been adopted for the development of enterprise-specific application ontologies. We briefly describe some possible usages of this knowledge graph, i.e. systematic exploration of safety-critical processes, analysis of misalignments of work-as-done from work-as-imagined process representations, creative design of work-as-done, and inter-company alignment of safety-critical processes to safety goals. Finally, we discuss the major implications of our proposal for safety analysts and safety practitioners. Keywords: Functional resonance analysis; Industry 4.0; Knowledge graph; Safety management; Resilience engineering
... The UFO considers many of the structural aspects of conceptual modeling that have not been considered by other ontologies such as various types of entities and their relationships, their parts and properties [28]. Many other foundational ontologies (e.g., a Hazard Ontology (HO) [18]) have successfully incorporated well-established concepts from the UFO. ...
While ontology comparison and alignment have been extensively researched in the last decade, there are still some challenges to these disciplines, such as incomplete ontologies, those that cover only a portion of a domain, and differences in domain modeling due to varying viewpoints. Although the literature has compared ontological concepts from the same domain, comparisons of concepts from different domains (e.g., security and safety) remain unexplored. To compare the concepts of security and safety domains, a security ontology must first be created to bridge the gap between these domains. Therefore, this paper presents a Combined Security Ontology (CSO) based on the Unified Foundational Ontology (UFO) that could be compared to or aligned with other ontologies. This CSO includes the core ontological concepts and their respective relationships that had been extracted through a previous systematic literature review. The CSO concepts and their relationships were mapped to the UFO to get a common terminology that facilitates to bridge the gap between the security and safety domains. Since the proposed CSO is based on the UFO, it could be compared to or aligned with other ontologies from different domains.
The integration of Information Technology (IT) and Operational Technology (OT) is deepening, amplifying the interconnectedness of operational, safety, and security demands within industrial automation systems. Lacking comprehensive guidance, risk managers often resort to manual solutions based on best practices or rely on domain experts, who usually offer insights limited to their specific areas of expertise. Given the intricate interplay among these domains, employing ontologies for knowledge representation could hold the key to capturing all necessary relationships and constraints for effective risk management processes. This study conducts a systematic mapping analysis of ontologies published over the past five years, focusing on at least one domain relevant to OT system risk management. Its objective is to categorize papers, offer a panoramic view of research themes and contributors, discern potential publication patterns, and identify research avenues based on a comprehensive review of these ontologies. Findings indicate a relatively stable research interest, with most publications presenting proof of concepts or initial experimental results for their ontological applications. This study establishes a foundation for classifying comprehensive OT ontologies and pinpoints unresolved issues that can steer future research efforts. It offers insights into the current state-of-the-art within this research area.
Aviation is a complex system with different interconnected and interdependent subsystems that rely on each other to ensure safety and reliability. The technological progress in the sector has increased safety, but incidents and accidents still happen. However, accident analyses and safety research have not paid equal attention to all aviation subsystems resulting in possibly undetected or underestimated risks. This study systematically investigates the literature on aviation safety from 1984 to 2021 with a particular focus on Normal Accident Theory (NAT), High-reliability Theory (HRT), and Resilience Engineering (RE) as their underpinning theoretical perspectives. The analysis of the 77 records that were screened as most relevant shows that the studies underpinned by these theories were mainly looking at the ‘primary operational aviation subsystems' such as air traffic control (ATC) and flight operations and significantly less at the 'secondary operational subsystems' such as ground operations and aircraft maintenance. In addition, the analysis showed that research building on RE has increased in recent years and is now the predominant theoretical framework in studies of this type. Nevertheless, NAT and HRT are still relevant and are often employed in conjunction with RE. Future research should pay more attention to the role of secondary subsystems and their impact on the safety, reliability, and efficiency of the aviation system. Moreover, there is perhaps a need for researchers to develop a more integrative framework that includes valuable components of all three theories and to create a set of safety and reliability strategies suitable for both primary and secondary aviation subsystems, hence, benefiting the entire aviation system.
The complexity of socio-technical systems (SS) requires tools that facilitate the understanding of their behaviour and daily performance under the perspective of safety management, therefore Resilience Engineering (RE) and its tools can help with this purpose. In this study, a literature review about the application of the Resilience Assessment Grid (RAG) in different sectors in the last decade is performed. The information was selected from the following databases: Scopus, Wos, ScienceDirect and PubMed, guided by the PRISMA methodology using search criteria by title, abstract and keywords. The most used basic tool is the RAG, which applied individually or in combination helps to understand the behaviour of these complex socio-technical systems (CSS) under the perspective of safety management. The tools used in the last decade in RE studies with the RAG in different sectors are presented chronologically. Safety-II could be considered as a suitable management system at present, where the RE helps to measure resilient performance potential in the CSS, but not resilience per se, using the RAG individually or in combination, with the basic number of questions or structured in a customised way.
The paper is focused on the safety of future traffic of unmanned aircraft systems in the U-space airspace. U-space is a European concept for the organization of unmanned traffic and as such must ensure an acceptable level of safety so that safety is not decreased by the gradual integration of unmanned traffic into the airspace. The aim of this paper is to identify, based on the application of the STAMP and FRAM system methods, whether all regulatory elements that could have an impact on safety are established. The result is the identification of a gap in the regulation in the training, where the procedure for unmanned aircraft is not exactly defined, which can mean a safety hazard.
System-thinking and related systemic methods enhance traditional risk and hazard assessments and accident analysis, as well as system design. The Functional Resonance Analysis Method (FRAM) is a recently developed method for systemic analysis. FRAM facilitates descriptions of the functional relations among system elements. In case of large systems (e.g. several agents, multiple procedures, many technical equipment), building a FRAM model may become a difficult task, moreover resulting in a complex model, with limited benefits for the purpose of the analysis.
The increasing air transport demand suggests looking at air traffic management (ATM) as a continuously and evolving process. The procedures and equipment we use today will not continue coping with next air traffic requirements. It is thus necessary to provide ATM services for the current operating scenarios. This paper proposes a systematic tool, i.e., the preliminary system safety assessment tool (PSSA-T) to help the decision makers in evaluating safety implications of system changes. PSSA-T relies on the definition of two indexes, based on the aerospace performance factor (APF) methodology. These indexes allow a structured safety analysis of any proposed change: the first compares the evolutionary scenario with the current one and the second one considers the effects of a failure of the changed agent (equipment or procedure) in a future scenario. The paper illustrates a case study for the flight progress strip (FPS) change to electronic FPS.
Modern trends of socio-technical systems analysis suggest the development of an integrated view on technological, human and organizational system components. The Air Traffic Management (ATM) system can be taken as an example of one of the most critical socio-technical system, deserving particular attention in managing operational risks and safety. In the ATM system environment, the traditional techniques of risk and safety assessment may become ineffective as they miss in identifying the interactions and couplings between the various functional aspects of the system itself: going over the technical analysis, it is necessary to consider the influences between human factors and organizational structure both in everyday work and in abnormal situations. One of the newly introduced methods for understanding these relations is the Functional Resonance Analysis Method (FRAM) which aims to define the couplings among functions in a dynamic way. This paper evolves the traditional FRAM, proposing an innovative semi-quantitative framework based on Monte Carlo simulation. Highlighting critical functions and critical links between functions, this contribution aims to facilitate the safety analysis, taking account of the system response to different operating conditions and different risk state. The paper presents a walk-through section with a general application to an ATM process.
Air Traffic Management (ATM) system needs to be continuously monitored to evaluate safety performance of operational activities, in order to maintain and improve safety levels. However, standard metrics of counting events (incidents, accident and near misses) are not able to give usable information to decision makers in supporting their strategies. As safety events are generally rare, traditional statistical analysis generally fails to represent the overall system performance. This paper discusses the development of the Aerospace Performance Factor (APF) methodology in a real case implementation. The research presents to ATM safety managers and researchers the main framework and the roadmap to develop a specific system-wide assessment, giving them guidelines based on lessons learned. Starting from international regulations and describing the European APF context, this paper offers a detailed description of the APF implementation to the Italian Air Navigation Service Provider ENAV s.p.a., one of the first ANSPs to adopt, customize and implement the methodology.
In recent years, there has been a growing interest in the application of foundational ontologies, i.e., formal ontological theories in the philosophical sense, to provide a theoretically sound foundation for improving the theory and practice of conceptual modeling. In this paper, we present advances on our research on the ontological foundations of conceptual modeling by addressing the concept of events. We present a foundational ontology of events (termed UFO-B) together with its axiomatization in first-order logic. Moreover, we report on an implementation of UFO-B using the computational logic language Alloy, and discuss its consistency, validation and possible uses.
Risks in the industrial operation processes involve complex system elements such as human, machine, organization, information, as well as nonlinear coupling relationships among them. Traditional risk analysis methods focus on the cause-effect relationships between the system elements and accidents, while ignoring what the correct and proper relationships should be. For a proactive risk identification and analysis, learning from success is suggested instead of learning from post hoc accidents, which requires that risk analysis identifies the normal functions and their couplings. Therefore, system functioning has been a subject of interest in the field of risk analysis. The Functional Resonance Analysis Method (FRAM) has been an effective tool to reveal the couplings and dependent relationships among different functions. However, the functions identification and interaction analysis in the FRAM is limited because there is no consistent or explicit stop rule. For a detailed and rigorous description of functions, the Accident Causation Analysis and Taxonomy (ACAT) model is used to enrich the FRAM by generating functions based on a closed-loop control system. Two operation processes in the hazardous industries are used as illustrations. The results show that more functional constraints and deep contributing factors to accidents can be identified with the hybrid approach.