A Metamodel Extension to Capture Post Normal Accidents in AR-equipped Socio-technical Systems

In the past twenty to thirty years, organizations have changed considerably, and these changes, together with technological changes such as the use of augmented reality (AR), introduce new system risks. Post normal accidents theory describes that organizations are more globalized and digitalized and are formed as networks of organizations, which would lead to post normal accidents such as network failure accident. In addition, it states that strategies and organizational structures are more financialised and networked respectively and technology and task are more digitalized and standardized. These organizational factors also affect human performance. Organization and human are considered as the socio parts of socio-technical systems. Metamodels should provide the modeling elements required for modeling human and organizational factors in new AR-equipped socio-technical systems. Current metamodels do not consider factors that would lead to post normal accidents. In this paper, we elaborate the theory of post normal accidents and we extract the influencing factors leading to post normal accidents. We also consider global distance, including geographical, temporal and cultural distances, as an influencing factor on human performance. Then, we use the extracted influencing factors for extending modeling elements in our previously proposed conceptual metamodel for modeling AR-equipped socio-technical systems. Our proposed extended metamodel can be used by analysis techniques in order to perform risk assessment for AR-equipped socio-technical systems.


Introduction
Significant changes in organizations over the past two to three decades, together with the use of new technologies such as augmented reality (AR), would act as new causes of accidents. The theory of post normal accident Le Coze (2020), which is an extension of normal accident theory Perrow (2011), has highlighted the important changes of organizations over the last two to three decades. Based on this theory, technology and task are more digitalized and standardized in comparison to the 1980s, when they were more automated. Organizational structures are more networked (externalized, horizontal) in comparison to the 1980s, when they were more integrated (internalized, vertical). In addition, organizational strategies are more financialised in comparison to the 1980s, when they were only industrial. Furthermore, environments are more globalized and self-regulated, while they were national and state regulated during the 1980s. The effect of these changes on human performance is not negligible and thus it is crucial to investigate it, since both human and organization take part as the socio entities of socio-technical systems. Global distance metric Noll and Beecham (2016) is also a new metric capturing a new influencing factor on human performance. It is defined as distances in geographical, temporal and cultural features of people working in an organization Alajrami et al. (2017). It is now well established that this metric affects human performance Yeong (2015). There is a need to address these factors, which originate in recent changes and would be the reasons for new types of accidents called post normal accidents.
In order to perform risk assessment, which plays a key role in different phases of product development in system engineering, modeling the system plays a vital role. UML (Unified Modeling Language)-based metamodels Booch et al. (1997) are the most widely used groups of metamodels and have been extensively used for defining means required for modeling the involved system. SafeConcert Montecchi and Gallina (2017) is a metamodel proposed for modeling socio-technical systems. This metamodel is implemented by CHESS ML (CHESS Modeling Language) CONCERTO D2.7 (2016), which is a UML-based modeling language in CHESS framework Debiasi et al. (2021) Soheila Sheikh Bahaei and Barbara Gallina leading to post normal accidents on modeling. The objectives of this research are investigating the effects of the new organizational changes on modeling and updating available metamodels to enable capturing post normal accidents in AR-equipped socio-technical systems. In order to do that, we extract the new influencing factors on human performance based on post normal accident theory and global distance metric, and we integrate these factors in the previously proposed conceptual metamodel for modeling AR-equipped socio-technical systems. In addition, this research provides a potential usage of the extended metamodel on an example from the petroleum domain. The rest of the paper is organized as follows. In Section 2, we provide essential background information. In Section 3, we propose a metamodel extension, based on post normal accident theory and global distance metric, on our previously proposed conceptual metamodel. In Section 4, we discuss the strength and limitation of the proposed extension. Finally, in Section 5, we present some concluding remarks and discuss future work.

Background
In this section, we provide essential background information about modeling AR-equipped socio-technical systems, post normal accident theory and global distance metric.

Modeling AR-equipped Socio-technical Systems
There are different metamodels used for modeling various types of systems. SafeConcert Montecchi and Gallina (2017) is a metamodel which proposes constructs for modeling socio-technical systems. It is implemented within CHESS ML/CHESS Toolset, which is integrated in the AMASS platform de la Vara et al. (2020). The AMASS platform is the first open-source platform that supports engineering and certification processes of safety-critical systems. The main elements in this metamodel are components, ports, and connectors. These elements are used for modeling the main entities of a socio-technical system. Failure modes and failure behaviors are also used for modeling behaviors of system elements. The main entities of a socio-technical system are software and hardware, which are the technical entities, and human and organization, which are the socio entities. Each of these entities is modeled as a component and their relations are modeled through connectors. Components can contain sub-components. Sub-entities in technical entities are modeled as sub-components, while in socio entities different aspects are modeled as sub-components. For example, in an organization, examples of different aspects are process management and resource management. In a human, examples of different aspects are human characteristics such as sensing and executing.
In Sheikh Bahaei and , extensions are proposed for this metamodel in order to incorporate AR related factors. As shown in Fig. 1, an AR-equipped socio-technical system is a system which has augmented reality technology in addition to the usual socio and technical entities. This technology affects human and organization. A human using augmented reality would have extended capabilities, which are required to be modeled in order to consider their failure behavior while doing risk assessment. For example, with the use of augmented reality a person can sense the surrounding environment, thus surround sensing is an AR-extended characteristic for human. As shown in Fig. 2, entities, their characteristics and their relations are modeled using components, sub-components and connectors. Sub-components of human and organization are selected based on SafeConcert human and organization modeling elements and AR-related modeling extensions. The factors with gray color are the conceptual extensions. Organizational factors are based on several state-of-the-art taxonomies such as Rasmussen Rasmussen (1982), HFACS Shappell and Wiegmann (2000), SERA Hendy (2003) and SPAR-H Gertman et al. (2005), and AR-related factors are added based on studies and experiments on AR such as Gutiérrez et al. (2014) and Lee (2012).

Post Normal Accident Theory
Post normal accident theory Le Coze (2020), which is an extension of normal accident theory Perrow (2011), is proposed by Jean-Christophe Le Coze. Perrow's normal accident theory argues that in tightly complex systems accidents are unavoidable or normal. Four analytical categories are also argued by Perrow to provide strong understanding of the situations which happen in organizations. These four categories are technology and task, structure, goal (later updated to strategy by Jean-Christophe Le Coze) and environment. Post normal accident theory argues that because of the advent of new notions such as globalization, an update or adaptation of normal accident theory is required. In this theory, the goal category is updated to strategy and features of the four categories (environment, strategy, structure, technology and task) are compared during the 1980s and 2010s (shown in Fig. 3). Post normal accident theory illustrates implications of trends such as digitalisation, standardisation, financialisation and self-regulation on these four layers. It discusses that the environment was national and state regulated during the time normal accident theory was proposed (1980s). However, it is more globalized and self-regulated during the 2010s. Based on the definition provided in Le Coze (2017), globalization refers to "extended financial environment and greater exposure, worldwide competition, work and labour flexibility, incentives to breakdown vertical structures to gain flexibility through novel and expanding ICT networked infrastructure, normalized practices and dependence on a growing service activity (e.g. consulting)". Self-regulation refers to "industry regulating itself through the production of its own standards and internal control".
Strategy was more industrial during the 1980s, while it is more financialised and industrial during the 2010s. Financialization refers to "increasing the influence of financial actors (e.g. hedge funds) in companies' managerial decision-making processes".
Structure was more integrated during the 1980s, while it is more networked during the 2010s.
Finally, technology and task were more automated during the 1980s, while they are more digitalized and standardized during the 2010s. Digitalization refers to "the progressive replacement or extension of human activities by a combination of ICT systems and machines (or robots) which can perform an increasingly wide range of manual and cognitive tasks more and more independently". Standardization refers to "widespread management principles promoted by outsourcing and self-regulation, consulting firms and certification schemes for global markets".
As discussed in Le Coze (2017), recent changes introduce new safety challenges and, besides the progress they provide, they would be a source of harm. It is also stated in this study that looking into new categories of system risks is required as a complementary perspective for the study.

Global Distance Metric
Global distance metric Noll and Beecham (2016) has been suggested by Noll and Beecham for global distance measurement between distributed sites in Global Software Development (GSD) Herbsleb and Moitra (2001). Geographic, temporal and cultural distances are considered and quantified in this metric. For example, for organization buildings in different countries a higher impact value is considered in comparison to buildings in the same region or in the same campus. Similarly, for temporal and cultural distance different impact values are considered. It is also discussed in this study that global distance would obstruct the communication among people in distributed teams.
In Piamonte et al. (2001), an evaluation is designed to test cultural difference in understanding graphical symbols such as icons used in technological devices. US and Swedish subjects are evaluated and the results show that culture influences their certainties for graphical symbol understanding. In Goldenberg and Levy (2009), empirical evidence is provided showing that geographical proximity influences social interactions and that these effects have even increased with the IT revolution. In Tang et al. (2009), it is discussed that temporal distance influences information diffusion processes in social and technological networks.
Based on these studies, global distance can be considered as an influencing factor on human performance. For example, a safety manager would live in a country with a culture in which human safety is not so critical, while for another safety manager it is highly critical based on the culture of the country he is living in. Thus, there would be some misunderstanding in discussions between these two people if they work in two different buildings of the same organization located in different countries.

Proposed Extended Metamodel
In this section, first, based on the post normal accident theory and global distance metric discussed in Subsections 2.2 and 2.3, we extract the factors that influence human performance and lead to accidents. Then, we extend the organization and human modeling elements in our previously proposed conceptual metamodel, which was briefly explained in Subsection 2.1.

Extracted Influencing Factors
Influencing factors are selected if they have the potential to influence human performance leading to accidents. Definitions and safety effects discussed in Le Coze (2017) and Alajrami et al. (2017) are used for identifying these factors. We explained the definitions in Subsections 2.2 and 2.3. In this subsection, we extract and categorize these influencing factors. Safety effects are also provided based on Le Coze (2017).
Extracted influencing factors on human performance are divided into two groups. The first group is organizational factors and the second group is human factors. These two groups are as follows:
(1) Group 1 (organizational factors)
• Globalized environment: It may cause complex interactions between different entities. These implications may affect human performance and would lead to an accident.
• Self-regulated environment: It may cause missing of independent oversights by states that may affect human performance and would lead to an accident.
• Organizational strategy:
  - Financialised strategy: It may cause pressure for returning the investment and shifting power to financial actors. These implications may affect human performance and would lead to an accident.
  - Industrial strategy: It may cause changes in industrial relations that may affect human performance and would lead to an accident.
• Organizational structure:
  - Networked structure: It may cause increase in complexity of interactions across organizations and other entities of the system that may affect human performance and would lead to an accident.
• Digitalized task: It may cause complexity in human and machine interactions and development of new information structures. These changes may affect human performance and would lead to an accident.

Instructions for Preparing Paper for ESREL 2021
• Standardized task: It may cause change in practices that may affect human performance and would lead to an accident.
(2) Group 2 (human factors)
• Global distance:
  - Geographic distance: It may cause difficulties in managing physical places that may affect human performance and would lead to an accident.
  - Temporal distance: It may cause difficulties in time management that may affect human performance and would lead to an accident.
  - Cultural distance: It may cause difficulties in communications that may affect human performance and would lead to an accident.

Extended Modeling Elements
The first group of factors explained in Subsection 3.1 can be used for extending organization modeling elements and the second group can be used for extending human modeling elements. Based on the provided definitions for each of the extracted influencing factors and based on the three categories of organization modeling elements proposed in Sheikh Bahaei et al. (2019), we add new modeling elements to the categories, shown in Fig. 4. The components with dotted line border are AR-extended components, which were proposed in our previous extension. Extended modeling elements in this paper are shown with gray color and our previous categorization of meta classes is shown with white color.
For example, time pressure is an organizational modeling element used to model scenarios in which time pressure would influence human performance and would lead to system failure or an accident. AR guided task refers to a task in which AR is used for guiding the operator in doing the task. If this task is not defined correctly, it would influence human performance, leading to system failure. Standardized task is an extended modeling element proposed in this paper based on post normal accident theory. Standardization would influence human performance and would lead to an accident.
We also use global distance metric for extending human modeling elements, shown in Fig. 5. The components with dotted line border are AR-extended components, which were proposed in our previous extension. Extended modeling elements in this paper are shown with gray color. For example, the social modeling element is a human modeling element. This modeling element can be used for modeling scenarios in which a problem in communication between people would lead to misunderstanding and failure in human performance. Thus, it would lead to an accident. The social presence modeling element can be used for modeling scenarios in which using AR would decrease social presence, meaning that people miss their communication because of AR. Thus, it would influence human performance and it would lead to an accident. Global distance is the extended modeling element proposed in this paper. This modeling element can be used for modeling scenarios in which, for example, cultural distance between people causes misunderstanding. Thus, it would influence human performance and it would lead to an accident.

Potential Usage on an Example
British Petroleum (BP) is one of the biggest multinational companies in the world. A series of accidents occurred between 2005 and 2010 in different branches of multinational BP. We use this example to show our extension contribution in modeling conditions leading to these accidents.
Based on the analysis of these accidents using commission reports and social concepts for interpretation Hopkins (2012), potentials for these accidents are as follows:
• Networked structure of BP
• Lack of appropriate learning from experience
• Fault in control authority
• Strategies of CEO of the company
In Fig. 6, we show a modeling example using our extended modeling elements. The modeling elements representing three factors leading to accident in BP, as examples, are shown using networked structure, experience and organizational strategy components. Two of these three used modeling elements are the modeling elements extended in this paper. These modeling elements, which are based on the factors explained in post normal theory as factors leading to post normal accidents, are shown in gray. We show three scenarios and in each of them failure in one of the three components has contributed to accident. For example, in the first scenario (S1), output of networked structure produces a failure and the other three provide correct service, which means no failure in their outputs. Final output of the system, which is shown by OP13, produces failure because of the failure in networked structure component. In the second scenario (S2), the reason for failure in the output of the system is failure in OP4, which is output of organizational strategy component. In the third scenario (S3), the reason for failure in the output of the system is failure in OP10, which is output of the experience component. Similarly, different scenarios can be modeled and discussed using different representation means proposed in our conceptual metamodel.
Another interpretation is proposed by Jean-Christophe Le Coze in Le Coze (2020), in the context of globalization. In this interpretation, the author explains how deregulation, externalization,  6. Globalized AR-equipped socio-technical system modeling scenarios using these modeling elements can be considered and discussed during modeling and risk assessment to improve system design.
Managing multinationals is a big challenge for companies like BP. Considering technological factors and organizational factors in our previous metamodel was not enough for describing such events. We show in this example that the new proposed modeling elements can be helpful for modeling recent factors such as networked structure of an organization in order to incorporate their effect while performing risk assessment.
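The three scenarios S1 to S3 described above, written as an added Python sketch of components, ports, connectors and failure propagation; it is not the authors' CHESS ML model or a Concerto-FLA analysis. Port names OP4, OP10 and OP13 come from the text, while `OP_net`, the `human_task` component, its input ports, the wiring and the choice of which two elements are marked as extended are assumptions, since Fig. 6 is not reproduced here.

```python
from dataclasses import dataclass

NO_FAILURE, FAILURE = "noFailure", "failure"

@dataclass(frozen=True)
class Component:
    name: str
    inputs: tuple           # input port names
    output: str             # output port name
    extended: bool = False  # True for elements added by the extension (gray in Fig. 6)

# OP4, OP10 and OP13 are named in the text. "OP_net", the input port names,
# the "human_task" component and the wiring are assumptions. Which elements
# are "extended" is inferred from the factor list in Section 3.1.
COMPONENTS = [
    Component("networked_structure", (), "OP_net", extended=True),
    Component("organizational_strategy", (), "OP4", extended=True),
    Component("experience", (), "OP10"),
    Component("human_task", ("IP_a", "IP_b", "IP_c"), "OP13"),
]
# Connectors: input port -> the output port that feeds it.
CONNECTORS = {"IP_a": "OP_net", "IP_b": "OP4", "IP_c": "OP10"}

def propagate(components, connectors, injected):
    """Return the failure state of every output port.

    A component's output fails if a failure is injected into the component
    itself or if any of its inputs carries a failure. States only move from
    noFailure to failure, so the fixed-point loop terminates.
    """
    state = {c.output: NO_FAILURE for c in components}
    changed = True
    while changed:
        changed = False
        for c in components:
            inputs_failed = any(state[connectors[p]] == FAILURE for p in c.inputs)
            out = FAILURE if (c.name in injected or inputs_failed) else NO_FAILURE
            if out != state[c.output]:
                state[c.output] = out
                changed = True
    return state

# One failing component per scenario, as in the text.
SCENARIOS = {
    "S1": {"networked_structure"},
    "S2": {"organizational_strategy"},
    "S3": {"experience"},
}

def run_scenarios(system_output="OP13"):
    """For each scenario, report the system output, the failed ports, and
    which failing components exist only in the extended metamodel."""
    extended = {c.name for c in COMPONENTS if c.extended}
    report = {}
    for label, injected in SCENARIOS.items():
        state = propagate(COMPONENTS, CONNECTORS, injected)
        report[label] = {
            "system_output": state[system_output],
            "failed_ports": sorted(p for p, s in state.items() if s == FAILURE),
            "needs_extension": sorted(injected & extended),
        }
    return report

if __name__ == "__main__":
    for label, row in run_scenarios().items():
        print(label, row)
```

Scenarios whose `needs_extension` list is non-empty are the ones that could not be expressed with the earlier modeling elements alone.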

Discussion
In this section, we discuss the strength and limitation of our proposed extension.
The strength of our proposed extension is the provision of means in the modeling process for incorporating features of new AR-equipped socio-technical systems based on an accepted theory. As stated in Le Coze (2017), it is important to investigate effects of dynamics on system risks and it is important to identify root causes of accidents in the new globalized systems to prevent post normal accidents. In this study, we took the initial step towards investigating these concepts and we updated modeling elements that can be used for the modeling process as the fundamental process of risk assessment. Safety analysts can model different scenarios considering the effect of globalization by discussing the root causes of accidents based on the updated modeling elements. The next step is to incorporate these concepts in the analysis process.
The limitation of our work is that we could not provide a complete evaluation, since there is no analysis technique to be used for globalized systems. Thus, it is required to update these techniques to be able to provide analysis results on an example. However, we provided a potential usage of our extension on an example from the petroleum domain. This example can be extended and further research is required to define metrics for evaluating the success of the proposed extensions in modeling and analyzing the new scenarios.

Conclusion and Future Work
New socio-technical systems containing new technologies such as augmented reality encompass contemporary organizational changes. These changes bring up new system risks, which should be considered while performing risk assessment. In this paper, we elicited new organizational and influencing factors on human performance based on normal accident theory and global distance metric. Then, we used these elicited factors for updating our previously proposed conceptual metamodel for AR-equipped socio-technical systems. There is abundant room for further progress in determining the updates for analysis techniques and providing the full process for risk assessment.
As future work, we aim at using the extended metamodel on an industrial case study to illustrate the contribution of the extended modeling elements. In addition, we plan to use this extended metamodel for extending analysis techniques such as Concerto-FLA Gallina et al. (2014), which is an implemented technique in CHESS Toolset Cicchetti et al. (2012).