Supporting Resilience in Air Traffic Management
A. Tedeschi, M. Felici, V. Meduri, C. Riccucci
SERENE 2008, November 17-19, 2008, Newcastle upon Tyne, UK
Overview
The SERENITY project
  Design Patterns
  Evaluation Scenarios
  SERENITY S&D Patterns
  The SERENITY Process
Tailoring S&D Patterns to the Air Traffic Management (ATM) domain
  An ATM Scenario
  Scenario Unfolding
  Emergent Resilience
Conclusions
The SERENITY Project
The primary goal of the SERENITY IP project is to enhance security and dependability for AmI ecosystems by capturing security expertise and making it available for automated processing through Patterns.
Patterns are expressions of a fundamental structural organization schema for a socio-technical system, which consists of subsystems, their responsibilities and interrelations.
SERENITY provides a framework supporting the automated integration, configuration, monitoring and adaptation of security and dependability mechanisms for such ecosystems.
The SERENITY Scenarios
Industry Scenarios cover a broad spectrum of domains, adhere to real-world situations, and address outstanding industrial problems
Assess the methods, techniques, and tools developed by the other project activities (e.g. organisational patterns)
Apply the SERENITY framework to provide S&D solutions for the selected application scenarios
SERENITY S&D Patterns
The SERENITY pattern description identifies information (i.e., Trust Mechanisms, Provided Property, Pre-conditions, etc.) concerning S&D aspects
The description associates the specified pattern with specific S&D properties, implementation aspects (e.g., components, parameters, etc.) and environmental constraints (e.g., pre-conditions)
Three Pattern Categories:
  Organizational
  Workflow
  Infrastructure
The SERENITY Process
[Figure: the SERENITY process, showing the Application, the SRF and the SRF Console, with steps (1) to (4)]
1. Capturing and formalizing relevant knowledge by S&D Patterns
2. Defining reaction plans along with mappings between the plan’s structures and those of S&D Patterns
3. The SERENITY Runtime Framework (SRF) monitors the system, manages the matching between the reaction plan, its execution and relevant S&D Patterns
4. Exploiting the knowledge formalized by S&D Patterns
It enables reaction mechanisms by deploying S&D Patterns
The SERENITY Runtime Framework
The SERENITY Runtime Framework (SRF) makes the knowledge captured by S&D Patterns available to the actors participating in the response by means of functionalities to:
  Alter plans during response and execution
  Share plans
  Inspect plans
  Monitor plans execution
Air Traffic Management (ATM)
Air Traffic Management (ATM) is the dynamic and integrated management of air traffic flow to minimize delays while guaranteeing safety of operation in the airspace.
The airspace managed by each Area Control Center (ACC) is organised into adjacent volumes, so-called Sectors.
Each sector is operated by a team of two Air Traffic Controllers, consisting of a Planning Controller and an Executive Controller. The Planning Controller and the Executive Controller work together and share the responsibility for the safe operation of the sector they control.
Groups of neighbouring Sectors are coordinated by a Supervisor, who is in charge of managing the traffic forecast in the next period and modifying the sector configuration accordingly. The Supervisor is also responsible for the formation of the Sector Teams.
ATM Peculiarities
Organizational and management aspects of S&D
  Stresses on organizational reaction to threats and hazards
Stresses on safety, dependability and resilience, more than security
Deals not only with digital systems, but with complex socio-technical systems
  Systems involve people, artifacts, organizations, physical spaces and digital devices
ATM Scenario Overview
Italian airspace, summer time: an unexpected increase of air traffic risks exceeding Sector SU capacity.
In order to safely manage all the incoming traffic, standard re-sectorization is decided: sector SU gets split into SU1 and SU2.
The re-sectorization is not sufficient: partial delegation of airspace is negotiated and issued.
After the traffic peak has been safely managed, previous configuration of airspace is restored.
Supporting Work Practices
Coordination
Decision Support
Contextualization
Evolution
Organizational Patterns
Critical roles and responsibilities of the Air Traffic Controllers (ATCOs)
Complex organizations
Source of S&D patterns
Examples of Organizational Patterns
Public Artefact. This pattern concerns any situation in which shared resources are used to share information among several agents that carry on similar or related tasks.
Reinforcing Overlapping Responsibilities. This pattern is concerned with critical tasks that must be accomplished by several agents with a high level of safety. Those agents therefore share responsibility for achieving these tasks, and it is necessary to set up work groups in which more than one worker can perform the same activity.
Examples of Organizational Patterns
Public Artefact
  Two Supervisors
  Assessment of the Partial Delegation’s feasibility
  Timing, Decision Support, Situation Awareness
  Any controller involved in the decision-making process shares the same information artefacts
Reinforcing Overlapping Responsibilities
  Assistance for critical situations
  Matching required capabilities with available resources
  For instance, an Executive Controller can act as Planning Controller
System Functionalities
Reminder
Communicator
Recorder
Advisor
S&D Pattern Elicitation and Validation
Requirement Collection
  ATM experts, together with the person responsible for evaluation, walk through scenario workflows and first prototype ‘slideware’ to collect feedback for developers
Light Evaluations
  The Player is shown to ATM experts in an informal setting and played on shorter sequences of the scenario. Feedback is collected for developers
Complete Evaluations
  Simulations performed with ATM experts on a full, multi-path version of the scenario. Feedback on the effectiveness and usefulness of SERENITY is collected
ATM Scenario Evaluation - Overview
“Wizard of Oz” Evaluation
  Scenario simulations with ATM experts through reproduction of “pivot points”
  Re-enactments with introduction of a prototype
  Feedback on comparison collected through individual questionnaires, interviews and focus groups
The “Wizard of Oz”
A “Wizard” simulates the system’s intelligence and interacts with the users/actors through a real or mock computer interface
Users/actors will be ATM experts, and feedback on the usefulness of the tool will be collected through feedback activities
ATM Scenario Evaluation Tools
The “scenario player”:
  Scenario (i.e. radar) screenshots
  Prototype SRF + ATM Cooperation Tool (ACT)
  Additional data to increase realism
[Figure labels: ACC Position, Application]
Scenario Unfolding
1. Safety Hazard
2. Subsequent Strategy Decisions
3. Emerging Resilience
Safety Hazard
Traffic exceeding sector's capacity
Subsequent Strategy Decisions
Emergent Resilience
Resulting capacity containing traffic peaks
Emergent Resilience
Emergent Resilience
  Is socio-technical
  Involves work practices
  Requires systems to support work practices
A lack of understanding of these fundamental aspects may cause undependabilities or result in system failures
Conclusions
A socio-technical characterization of Resilience combining S&D Patterns, system functionalities and work practices
Identification of suitable software functionalities implemented in an instance of the SERENITY Runtime Framework (SRF) tailored to the ATM domain
Initial validation activities
S&D requirements for tailoring pattern technology to the ATM domain
S&D Patterns as models to orient actions of actors involved in reaction processes to threats or attacks
S&D Patterns capture organizational, procedural and infrastructural aspects
The SERENITY framework provides a means for delivering S&D patterns (and their features) into industry domains