–Here’s my starting point on government regulation (from our 2016 Reliability and Risk):
. . .as long as infrastructure regulation is equated with what regulators do, society will have a very myopic understanding of how regulation functions for critical infrastructures. The regulation of infrastructures is not just what the regulators do; it is also what the infrastructures do in ways that their regulator of record could never do on its own.
Contrary to conventional wisdom, it is not a criticism of regulators to say they never have the same timely information as do those operating the critical infrastructures being regulated. It’s a statement of the obvious cast as a negative. Restate the obvious, but now as a positive: those who have the real- time information must fulfill regulatory functions that the official regulator cannot fulfill. How well they are fulfilling the regulatory functions depends on (1) the skills in real-time risk management of their reliability professionals and (2) where those professionals are located, which for our purposes means the infrastructure control rooms and their respective support units.
From our perspective, it makes little sense for critics to conclude that regulators are failing because formal regulations are not being complied with, if the infrastructures are managing in a highly reliable fashion and would not be doing so if they followed those regulations to the letter.
To summarize, of course regulations, once published, need to be altered in light of emerging better practice; otherwise, they’d be a wheelbarrow without handles, hardly fit for purpose.
–A handful of inter-related points follow, I believe:
- The regulator of record ideally searches for those (emerging) practices that enable infrastructure control rooms to avoid moving into their respective precursor zones of potential failure or, if already there, exiting these zones quickly and safely. In this way, regulators of record are the guardians of real-time operational redesign and learning from setbacks in control room reliability management. The specific mandate of the regulator of record here would be to mitigate the need for prolonged just-for-now performance of the regulated infrastructure.
- The twofold nature of regulating for high reliability becomes clearer from the perspective of the regulated infrastructure: (1) To what extent does regulation by the regulator increase control operator options and reduce volatility for the critical infrastructure and (2) to what extent is any regulation of that regulator, which inadvertently reduces operational options or increases real-time volatility for the control rooms, corrected by the regulator of record as soon as possible.
- There is, however, a serious asymmetry in the current design orientation for regulating infrastructure reliability (including safety) and the practice orientation of reliability professionals in and around control centers for the infrastructure. When reliability professionals express discomfort over a design orientation, regulators and others insist that this has to be expressed in terms of formal analysis, where the burden of proof is on the reliability professional to show what in this design orientation is not reliable. Yet the same regulators will assert the reliability of the system that they are designing for is based on operational experience, i.e., their design orientation, including technology, have worked in the past, so the same will or will work in the future. A retrospective orientation of regulators can well be in conflict with the prospective orientation that the system is no more reliable than the system failure ahead.
- There is not just the risk of regulatory non-compliance by the infrastructure, there is also the infrastructure’s risk of compliance with defective regulations. That importance of time from discovery to correction of error reinforces a process of dispersed regulatory functions: Unless otherwise proven, the shorter the better. A shorter time to error discovery has the advantage of discovering errors that would have propagated into much larger ones if left uncorrected.
- The longer the time to correcting regulator error, the longer reliability professional are compelled to operate at the limits of their competence, if not beyond in unstudied conditions. In effect, operators are asked to use their best judgment precisely in those situations and under those conditions in which judgment is least reliable and learning most difficult.
- In all the talk about the need for systemic risk regulation (e.g., macroprudential regulation of the financial services sector), few seem to have understood that the larger and more complex the critical infrastructure to be regulated, the less the management of known or expected risk will take center attention in that regulation. Management attention will unavoidably be consumed by trying to address the new surprises and unknown unknowns well outside frequency distributions and worst-case scenarios that come with increased system complexity. Indeed, to equate system uncertainties with “systemic risk” is a disaster to forestall rather than inadvertently hasten by the regulator of record.
- Inter-regulatory activities might be better directed to identifying and ensuring the efficacy of better practices and regulations that prevent cross-infrastructure failure cascades, especially in cases where (1) each infrastructure’s reliability management cannot prevent being pulled into its respective precursor zone of potential failure, but where (2) the infrastructures must manage together so as not to be pulled across their respective edges into joint, interconnected conditions of few options and high task volatility.
No one should doubt, however, that the more interconnected the systems to be cross-regulated and the more complex each system and its own regulations are, the more regulatory and inter-regulatory oversight will have to be given to latent interconnections, risks and the transition thresholds where they shift from latent to manifest. This will be especially true of those jointly shared control variables, like freshwater flows, whose adjustment in real time affects the state conditions of multiple infrastructures.
–All that said, an open question remains: What are the jointly shared standards of reliability, if any, to be managed to (and regulated for) when it comes to shared control variables? Is there something we might want to call “control-variable reliability”?
It is easy enough to imagine one infrastructure’s precluded events standard conflicting with another infrastructure’s avoided event’s standard, both of which are interconnected in real time by shared control variables: Emergency water releases from dams in order to prevent their breaching (a precluded event) threaten reliability mandates downriver for levees, water supplies, hydropower, and waterway shipping, which can only seek to better avoid consequences of releases it can’t prevent. High reliability management with respect to shared, interinfrastructural control variables remains a very important research topic for regulators as well.
While such issues must be settled case-by-case, our framework suggests it would be better that joint field inspections (by infrastructures and by their regulators) be directed, as a matter of priority, to those sites where the chokepoints of individual infrastructures are collocated.