A typical resilient incidence is as follows:

• In normal operation, the system is operated by the primary station.
• A trigger, such as fault of a system unit introduces a new hazard, which increases the operational risk. The system is now under a latent hazard
• The machine (the engineered system) detects the fault and generates an alarm, and thereof, the system situation changes to exceptional. This results in risk reduction, because now the operators are aware of the hazard. Using the supervision station, the supervisor activates the Scenario analyzer, and changes the operation scenario to recovery, resulting in switching to the recovery station.
• The operators look for ways to eliminate the hazard, but the troubleshooting takes time, and in the meantime, the system situation escalates, and the hazard develops into a threat.
• The supervisor may conclude that the risks are too high, and activates the rescue station, thereof changing the interaction mode to safe-mode operation.
• The operators may identifies the fault that generated the hazard and fix the problem.
• To enable completion of the recovery procedure, the supervisor may reactivates the recovery station.
• When ready, the supervisor reactivates the primary station, to resume normal operation.

Updated on 29 Nov 2016.