Operational Resilience as Design Feature

BLUF – In both design and function, the A-10 is the ugliest aerial beauty to behold. With practical considerations manifest in its planning, it offers examples we can apply to our organisations’ operational resilience/ continuity of business/ cyber security design and implementation. When failure is a given rather than an option, look no further.


Oh, the A-10 Warthog – a ground support blessing without question. Whilst not the most sleek, fast, or stealthy, it is possibly one of the most beautifully designed combat aircraft ever created. Geared to help protect and advance ground troops via close air support, the A-10’s design thinking was similar to what we talk about with operational resilience – and cyber security in almost any regard – assuming failure.

By not merely anticipating failure as an expectation, but building on the basis of incident as a given, the A-10 had prioritisation, redundant systems, and default fail-safes (relying on everything up to and including the laws of physics) factored in from the start, not added on after.

As we explore business continuity, operational resilience, zero-trust, and solutions for protecting organisations/ markets/ regions, perhaps we can learn from this fifty-year-old airframe, still in service.

The A-10 pilot is protected by 1200 pounds of titanium armour, called the bathtub. In this case, the pilot is determined to be in quite a vulnerable position (in the leading/ protruding edge) and, as the most valuable component, is given the heaviest protections.

When we talk about protecting critical assets in the face of danger, what are the resources allocated? When we design organisational security parameters, we often build on the basis of maturity model assessments, potentially leading to generic allocation for the protection of the whole. Like armour distributed evenly throughout the entire airframe, this leads to inadequate coverage for key components – whilst concentrated protection may result in some areas having limited protection. It comes down to prioritisation: the organisation needs to determine what is critical, how much armour (so to speak) is necessary, and test to make certain the protections in place will withstand the fires of an incident.

The front windscreen and canopy are resistant against small arms fire. They function as a support area partially serving the same purpose – protecting the pilot – whilst working with different resources and supporting other priorities. Letting the pilot see, for example. Although ingress/ egress and visibility are this component’s main functions, this area of the craft still supports the primary purpose – pilot protection.

What whole do the various parts in an organisation support? When building programs and processes, it is vital to have a clear idea of the whole you are supporting. Operational resilience and cyber security have to support the whole of the program, so it is vital to ensure they are threaded throughout. Each program and its components should be at least fractal, or even better, woven into the fabric.

Many parts are interchangeable between the left and right sides. Given the need to keep front line support available, it was determined that part availability limits would be the downfall of an airframe potentially taking so much fire. Solution: make the parts interchangeable between sides. It doesn’t matter where the damage was taken; if you have a part, it becomes the part.

In building business continuity or operational resilience plans, it is important to consider if we can find parts from other areas of the organisation/ vendors/ near-peers to provision a quick-turn solution.

The flight system is double hydraulic and mechanical so it can work despite two system failures. Triple redundancy to steer the aircraft implies the understood need. Where the bathtub armoured the critical asset, the flight system triplicate makes certain the critical asset is still able to perform. Not only are three systems in place, but they use two different mechanisms – the mechanical one literally ‘flying-by-wire.’

When we look to operational performance within an organisation, or an organisation’s performance in a market, we must ask – what are the redundancies in place? If we have backups set, do we consider alternative means to back them up?

All landing gear is hinged towards the craft’s rear. If the gear’s hydraulics are incapacitated, the combination of gravity and aerodynamics can still deploy the gear. One of the A-10’s most brilliant design features is the landing gear. Regardless of the damage to its hydraulic systems, the landing gear (so long as the latch is released) will use physics to deploy itself. Look at the photo again – those panels can catch the wind to make the wheel descend into place.

When we build systems, how can we use natural defaults as backups meant to still perform operations? Certainly the subject of a future post, this requires people with a working understanding of how broken processes and programs perform to advantage.

Additionally, the wheels in the landing gear partially protrude from their nacelles when retracted, making gear-up belly landings less damaging and easier to control. This means even if the gear isn’t deployed, it will still be of use. How many programs can offer the same?

The A-10 is designed to fly with one engine, one tail, one elevator and half of one wing missing. Your organisation needs to be built as such.

