Kevin Foster

ISO 31050 will provide a set of guidelines for managing emerging risk to enhance resilience.  A draft of this standard was recently released to national standards organisations for their vote and comments, including Standards Australia committees OB-007 and MB-025.  Keep an eye out for this one which might be released into the public domain in the near future.  For further information refer to   https://committee.iso.org/sites/tc262/home/projects/ongoing/iso-31022-guidelines-for-impl-2.html 

These principles were originally proposed in a paper by David J. Yu, Michael L. Schoon, et al; Toward General Principles for Resilience Engineering; in Risk Analysis Vol. 40 No 8, 2020, pp 1509-1537.

The following is a set of principles proposed in draft '0' of the standard to achieve socio-technical energy resilience for organisations, supply chains, energy dependent infrastructure and networks of user organisations dependent on stable and reliable energy supply systems during and after significant disruptions and disasters.    Any comments on these?    

 It is important to understand that that these principles work collectively to influence the state of resilience in an energy supply chain.  Implementing any one principle in isolation will likely be insufficient to increase resilience of an infrastructure dependent energy supply chain. 

 Principle 1.  Recognise that energy system context matters.   Energy infrastructure and its operating organization are embedded within broad and dynamically changing social, ecological and technological contexts.

 Principle 2.  Foster social capital in the energy supply chain.  Social capital includes intangible group-shared assets such as trust and collaboration, and enables energy infrastructure networks to extend capacity, self-organize and continue to function when disturbances push parts of the network to the brink of catastrophic failure.

 Principle 3.  Maintain diversity.  Redundancy and functional diversity in physical systems, social capital and regulatory arrangements are important for achieving energy resilience.

 Principle 4.  Manage connectivity.  Rapid recovery after energy system disruptions is facilitated by exchange of knowledge and resources in collaborative organizational networks.

 Principle 5.  Encourage collaborative learning by doing.   Learning contributes to energy resilience by reducing uncertainty.  Learning systems should be designed to be shared collaboratively throughout the energy supply chain and user networks. 

 Principle 6.  Embrace polycentric governance and control.  Decision-making in an energy supply network chain involves decisions by risk owners at various locations, at various points in time, and in various organizations.  It is important for each decision-maker to understand the risks presenting at inputs to and outputs from their part of the energy supply chain.  Where practicable there should be collaboration with other decision-makers operating in the energy supply chain and broader energy distribution network.

 Principle 7.  Address the problem of fit.  This refers to how well the structure of a collaborative social or decision network aligns with the structure of the energy infrastructure system being governed.  It is important that the whole energy supply chain is governed for adequate resilience and not just part of it.

 Principle 8. Manage for complexity.  

a.     Consider multiple scales and levels and their linkages.  For example, increasing robustness in a short time scale might increase vulnerabilities in operating processes in a longer time scale. Another example is reducing vulnerabilities at the level of household consumers of energy might undermine resilience at the community level (such as electrical power system instability caused by too much electrical energy supply from roof top solar photovoltaic panels).

b.     Understand robustness-vulnerability trade-offs.  It is important to understand that reducing vulnerabilities in one energy supply domain might increase vulnerabilities in another energy domain.  For example, solving one energy problem or risk might cause a new problem or risk elsewhere. 

c.      Pay attention to interdependencies or coupling of multiple infrastructure networks in the energy supply chain.  For example, the failure of a telecommunications network might cause a failure of an energy supply network chain.

Yu et al define 'Resilience Engineering' as a field of study that is concerned with how organisations can better manage sociotechnical systems to deal with change and disruption.  Reference:  Yu, D.J. et al, Toward General Principles for Resilience Engineering, in Risk Analysis, Vol.40, No. 8, 2020, p1511.

The ISO has approved a new project to develop a Standard on Resilience policy formulation.  The project is known as ISO/NP 22336 Security and Resilience - Organizational resilience - Resilience policy formulation

This proposal will be developed by a team of international experts from ISO Technical Committee 292 Working Group 2.   

The ISO currently has a proposal to develop an International Standard on energy resilience.    I am a member of an ISO committee that is currently working on this.  If you have any views on the principles or framework you would like to see in a standard on energy resilience, please post them in this discussion.

By the way, the widely accepted definition of 'resilience' is the "ability to absorb and adapt in a changing environment" - [AS ISO 22300:2019 clause 3.192, and ISO 22300:2018 Security and resilience - Vocabulary].  

Dr Kevin Foster CPEng
EA/RES Representative on Standards Australia Committee MB-025 Security and Resilience

ISO Technical Committee 292 is responsible for the publication and development of standards in the field of societal security to enhance the safety and resilience of society.  The catalogue of these standards is available at https://www.iso.org/committee/5259148/x/catalogue/       This ISO 22300 series of standards provides operational continuity management systems, incident preparedness and response guidance, and societal security technological capabilities.

Some notable standards included in the catalogue:

ISO 22300:2021 Security and resilience - vocabulary
ISO 22301:2019 Business continuity management systems - Requirements
ISO 22315:2014 Mass evacuation - Guidelines for Planning
ISO 22316:2017 Organizational resilience - Principles and attributes
ISO/TR 22370 Urban resilience - Framework and principles
ISO/TS 22375:2018 Guidelines for complexity assessment process

An interesting standard proposed is on the topic of Energy Resilience.

The following Standards Australia publications have recently been published. 

Publication Number: AS ISO 22301:2020

Title: Security and resilience — Business continuity management systems — Requirements

Publishing Date:25-09-2020

SA Project Committee: MB-025 Security and Resilience

Publication Number: AS ISO 22313:2020

Title: Security and resilience — Business continuity management systems — Guidance on the use of ISO 22301

Publishing Date:25-09-2020

SA Project Committee: MB-025 Security and Resilience

RES Newsletter 2020 June Issue 2 Vol 5 FINAL Rev0.pdf

AS/NZS ISO 31000:2018 defines ‘risk’ as “the effect of uncertainty on objectives” and 
 ‘risk management’ as “coordinated activities to direct and control an organization with regard to risk”.   

Therefore it is implied that ‘engineering risk’ is the effect of uncertainty on engineering objectives.  

If we accept that risk engineering is a specialised form of risk management, then to be consistent with ISO 31000,
‘risk engineering’ could be defined as coordinated activities to direct and control an organization with regard to engineering risk.

The key advantages of defining risk engineering in this way is that we do not need to redefine ‘engineering’ and we remain consistent with ISO 31000 terminology.  

🤙

In the introduction to REBOK there is a statement:  "Risk management of engineering design is also mandated under international standards."   It is important to understand that the use of ISO and Australian Standards are not mandatory unless legislation requires them to be used.    Also, ISO 31000 is a set of guidelines including principles, framework and process.   Its intent is for use by people to create and protect value in organisations by managing risks, setting and achieving objectives and improving performance.   The application of the guidelines can be customised to any organisation and its operating context.  The words "shall" and "must" are not used in this standard except in the foreword in relation to ISO's responsibilities.  There is nothing written into this standard that mandates the use of any of the guidelines.  Therefore the referenced statement in the REBOK introduction should be re-written to clarify the intent of the statement.  If the intent is to reference legislation that mandates the use of ISO 31000 or other international risk management and resilience standards then it would be better to be clear about that.