
Assessing The Vulnerability of Supply Chains

This chapter discusses advancements in vulnerability assessments for supply chains, emphasizing the integration of engineering design methodologies to enhance risk management. It introduces tools such as epoch-era analysis, failure mode thinking, and design structure matrices to improve the understanding and management of vulnerabilities within complex supply chain systems. The aim is to provide researchers and practitioners with updated frameworks and tools to better assess and mitigate risks in supply chains.


See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/329784019

Assessing the Vulnerability of Supply Chains: Advances from Engineering Systems

Chapter · January 2019


DOI: 10.1007/978-3-030-03813-7_2


2 authors:

Sigurd Solheim Pettersen, Norwegian University of Science and Technology
Bjørn Egil Asbjørnslett, Norwegian University of Science and Technology


All content following this page was uploaded by Sigurd Solheim Pettersen on 08 January 2019.



Assessing the vulnerability of supply chains:
Advances from engineering systems
Sigurd S. Pettersen, Bjørn Egil Asbjørnslett

Abstract
Vulnerability assessments focus on extended sets of hazards and threats, and seek to ensure that
adequate resources exist to restore system functionality to a stable level within a reasonable amount
of time. Multiple frameworks for vulnerability assessments in supply chains report on tools that
can support this analysis. The purpose of this chapter is to inform supply chain researchers and
practitioners of emerging trends and advances from engineering design that can benefit supply
chain risk management, and set these in the context of a previously published methodology
(Asbjørnslett 2009) for vulnerability assessment in the supply chain.
Specific advances that will be addressed include:
• Epoch-era analysis for structuring event taxonomies and scenarios.
• Failure mode thinking for low frequency, high impact (LFHI) events.
• Design structure matrices and axiomatic design principles for function-form mapping in
the supply chain as a tool for ensuring adequate levels of redundancy, flexibility, and
identification of latent functionality.

1. Introduction
1.1. Background
Modern, global supply chains are characterized by complex networked structures. Companies
interact to produce complex products through manufacturing processes that rely on thousands of
suppliers in multiple layers with limited knowledge of each other. As supply chains are becoming
longer and more complex, resulting from changes in the global marketplace, companies become
vulnerable to disruptions at seemingly peripheral nodes. Minor incidents spiral out of control,
exposing weaknesses beyond those captured by traditional risk analyses. Hence, there is a need for
vulnerability assessments that consider a wider set of threats and weaknesses, as well as the
resources to recover supply chain functioning.
Over the last twenty years, there has been an immense growth in literature that documents
vulnerability assessments for supply chains (Asbjørnslett and Rausand 1999; Peck 2005; Svensson
2000). This literature has grown to include the application of methodology from system safety
(Adhitya et al. 2009; Asbjørnslett 2009; Berle, Asbjørnslett, et al. 2011). Recently, there has also
been a strong trend towards including socio-technical aspects more strongly in system design,
connecting the design, management and operation of increasingly complex engineering systems.
Engineering systems have been characterized as engineered systems with a high degree of social
and economic intricacy, meaning that these systems are partially designed, and partially evolve
through their use (de Weck et al. 2011). This is similar to the view of supply chains as complex
adaptive systems (Choi et al. 2001), which cannot merely be seen as designed systems as they
continuously evolve. Together, these trends have led to the development of tools that may be
valuable additions to the toolbox available to supply chain practitioners and researchers. For
thorough reviews on the recent advances on methodologies for supply chain risk management, we
refer to Tang and Musa (2011) and Heckmann et al. (2015).
Tools from engineering systems, including reliability engineering, system dynamics, and
operations research have significantly improved the state of, and opportunities for vulnerability
assessment in supply chains. Still, a number of promising concepts and perspectives that have been
influential in the design of engineering systems deserve to be introduced to the supply chain context
as these have potential to improve the state of vulnerability assessment.
1.2. Objectives
The main objective of this chapter is to update a generic framework for supply chain vulnerability
assessment with tools that have been developed for the design and management of engineering
systems. This chapter introduces tools that originate from systems engineering and engineering
design into the supply chain risk management context. The authors believe that these recommended
tools and methods from the engineering systems domain will inspire practitioners and academics
interested in supply chain management to apply them, hence improving on the practice of
vulnerability assessment in supply chain risk management.

2. Concepts and definitions


This section describes the fundamental terms that are needed to understand vulnerability
assessment in supply chains as covered in previous work (Asbjørnslett 2009). Concepts and
definitions relating directly to the advances we introduce later in the chapter are given in Section
4.
Vulnerability describes the characteristics of a supply chain that weaken or limit its ability to
withstand threats originating inside or outside the supply chain system boundaries (Asbjørnslett
2009). The vulnerability can be manifested in any of the constituent systems in the supply chain,
and in supply chain processes, operation and management. The constituent systems can be divided
into nodes (production facilities, warehouses, ports, terminals, and so on) and transportation modes
flowing between the nodes (road, rail, waterborne, and airborne). The supply chain system is
subjected to the expectation that it should be able to meet societal as well as business demands,
while being vulnerable to a wide array of threats, such as technical failure, human error, loss of
personnel, accidents, hostilities from malevolent agents, natural disasters, volatility in demand and
energy prices, and so on. Hence, we define vulnerability, following Asbjørnslett (2009), as “the
properties of a supply chain system that may weaken or limit its ability to endure threats and survive
accidental events that originate both within and outside the system boundaries.”
In contrast to vulnerability, we also define resilience and robustness. These concepts describe the
characteristic behavior of the supply chain system when meeting a disruption. Resilience is defined
as the ability of the system to recover from a disruption, whereas robustness is the ability to resist
the effects of a disruption (Asbjørnslett 2009). The concepts can be further differentiated by an
analogy to material science. Whereas resilience describes the elastic deformation of a material, a
robust system would be resistant to perturbations that generate elastic deformations, but may
experience a completely brittle failure if the load is increased.
Figure 1 shows the performance profile for a resilient system over time. From an initial level of
‘Normal operations’, the performance drops due to a disruption to a minimum given by
‘Performance at failure’. The performance after recovery needs to exceed a ‘Performance
threshold’ for minimal acceptable performance. Accordingly, resilience becomes a function of the
‘Disruption time’, and the ‘Change in performance’. In contingency planning for system recovery,
these dimensions of resilience need to be assessed relative to costs (Pettersen et al. 2017).

Figure 1: Performance profile for a resilient system (Asbjørnslett and Rausand 1999).

3. Framework for vulnerability assessment


This section introduces the fundamental framework for vulnerability assessment that was presented
by Asbjørnslett (2009). Vulnerability assessments should be understood as extending the scope
of a risk assessment. Risk assessments seek to answer what can go wrong,
and what the consequences and likelihood of these scenarios are (Kaplan and Garrick
1981). Vulnerability assessments extend this scope to identify an extended set of threats and
consequences, identify adequate resources for mitigation, recovery and restoration of the system,
while taking into consideration the disruption time before a new stable state is found (Asbjørnslett
2009). Figure 2 illustrates the scope of vulnerability assessments in a bow-tie model, in comparison
to a risk assessment.
Figure 2: An extended bow-tie model that accounts for vulnerability assessment.

The framework for vulnerability assessment presented by Asbjørnslett (2009) aims to:
• Provide insight into the threat and risk picture of the given supply chain in its context, and
develop a taxonomy of system characteristics contributing to vulnerability.
• Analyze scenarios of how vulnerabilities evolve, and rank the scenarios according to
criticality, within the relevant supply chain management context.
• Enable decision-making regarding acceptance of vulnerabilities by assessing alternative
strategies for reducing the likelihood or consequences of analyzed scenarios.
The framework consists of the following seven steps, which are briefly explained here. See
Asbjørnslett (2009) for a more comprehensive run-through.
1. Definition of scope of work:
We define the frame and targets for analysis. This includes setting the objectives,
determining the unit of analysis and setting the system boundaries. An important element
of this is to determine acceptance criteria for vulnerabilities.
2. Description of SC/SCM context:
We describe the context within which the supply chain system operates. A generic
description of context will capture all exogenous factors that have the ability to influence
the supply chain performance.
3. Taxonomy development:
We develop a structured set of vulnerabilities pertaining to the supply chain context defined
earlier. Setting up a taxonomy of factors that influence vulnerability allows efficient
collection of relevant knowledge for further analysis.
4. Scenario development:
We develop scenarios starting from the threats identified in the earlier steps of the analysis,
considering a scenario as a sequence of events through the bow-tie in Figure 2, until the
system is in a stable, disrupted state. Hence, the scenario does not include the actions taken
to mitigate, restore, recover or restart.
5. Criticality ranking:
We rank the scenarios in accordance with their criticality, which in a risk assessment we
normally calculate as the product of likelihood and consequence (Rausand 2011). In a
vulnerability assessment, we need to extend the criticality estimate to include the
availability of resources we can use to bring the system back to a new stable level of
performance.
6. Scenarios of importance:
We visualize the output of the criticality assessment so far by plotting the scenarios in a
risk (likelihood/consequence) diagram with consequences on the x-axis, and likelihood
along the y-axis. The effect of actions to mitigate, recover, restore or restart can also be
plotted in the diagram.
7. Reducing likelihood and consequence:
We consider implementations of measures to reduce likelihood, or to reduce the
consequences of the scenarios, on the basis of the previous steps. More emphasis has
typically to be put on the reduction of likelihood, even though this should not overshadow
preparation to deal with consequences.

4. An updated toolbox
The tools presented herein fulfill three overall purposes in the context of vulnerability assessment.
First, epoch-era analysis can be applied to create contextual awareness by enabling evaluation of
supply chain performance in a wide set of circumstances that evolve through time. Second, “failure
mode thinking” focuses the treatment of specific accident scenarios on the impact on functionality,
implying that consequences are more important to get right than the probabilities of the accidental
event in vulnerability assessments. Third, methods from systems design are employed to enhance
the understanding of whether system components can cover a failure mode, caused by loss of
functionality in some other system component.
Figure 3 illustrates the role of these tools in relation to the framework for vulnerability assessment.
The outer layer in the figure points out that epoch-era analysis provides structure to the context
definition. The intermediate layer points out that failure mode thinking will enable a focus on loss
of functionality as the primary method of vulnerability identification. The inner layer shows that
the functional view of vulnerabilities enables engineering design tools that map between function
and form to identify ways that functionality can be covered when failure modes are encountered.
Figure 3: New tools for vulnerability assessment

4.1. Epoch-era analysis


Epoch-era analysis (EEA) is a technique from the systems engineering community, first introduced
by Ross and Rhodes (2008), which was developed for analyzing the value of a system through its
lifecycle. This method is often coupled with multi-attribute tradespace exploration (MATE) models
(Ross et al. 2004) to represent system value for all possible system configurations, but it can also
be applied independently from MATE. The primary use of EEA has been in the lifecycle
assessment of complex engineered systems, which are subject to considerable future uncertainty
with respect to context, and stakeholder needs. In this respect, it is a decision support tool for
system design. However, EEA can also be used to structure scenarios by modelling and sequencing
static contexts for existing systems, like supply chains. Note that, in the EEA framework a scenario
refers to the evolution of system context through time, and not necessarily the causal chain of
events in the bow-tie model.
We define an “epoch” as a time period described by a static system context, and static stakeholder
needs. For systems in general, and supply chains in particular, it is important to consider at this
stage where the system boundaries lie. Is our unit of analysis the supply chain, or a focal company
operating within a supply chain? If we take the view that we study the whole supply chain using
EEA, we consider perturbations that stem from the context of the supply chain. On the other hand,
if we study the focal company within a supply chain, the supply chain becomes the context.
Studying changes in supplier and customer relations then becomes relevant to the analysis.
We describe every contextual factor that is to enter into the EEA as an epoch variable. The epoch
variables are normally discrete variables that can take on values that span the range of possible
outcomes. A vector of epoch variables then describes an epoch. Depending on the number of
contextual factors taken into account as epoch variables, and the fidelity chosen for these, the
number of possible epochs explodes. As the epoch describes a static context and needs
combination, it represents the concept known in economics as the short run where all production
parameters remain fixed (Ross and Rhodes 2008). This means that epochs can serve as the basic
building blocks for dynamic, long run scenarios.
We define an “era” as any sequence of epochs in time, hence representative of the dynamic, long
run scenario describing the evolution of context. Hence, the era concept can be a way to frame a
narrative some stakeholders think is a likely future scenario. When describing future scenarios
through telling a story, stakeholders may include contextual background information whose impact
on system value is very difficult to quantify. For example, if a scenario is to be used to inform a
decision regarding buying a car, a detailed recount of the situation in the Middle East is not directly
relevant, even though this situation may impact the price of gasoline, which in turn influences what
car should be bought. Rather, the decision maker could go directly to using historical gas prices as
input to the EEA model, rather than speculating about global politics. Hence, structuring narratives
using the era concept, the redundant dimensions of the narrative can be reduced, so that the model
only contains the exogenous factors that affect value directly.
Methods for era generation range from purely qualitative approaches, using narratives to determine
which epochs to use as basic building blocks, to probabilistic methods, using simulation to generate
eras from the epochs. Probabilistic methods rely on rules that eliminate eras that are illogical, for
example by taking into account that certain contextual changes are irreversible. If we study a focal
company within a supply chain, and the supplier goes bankrupt, this is often an irreversible change
in context. Hence, the bankrupted supplier cannot emerge in a later epoch.
Figure 4 shows how a set of illustrative epoch variables can be structured on the basis of a set of
more generic exogenous factors whose direct influence on the supply chain performance is more
difficult to understand, and hence left out of the analysis. The system dynamics that underlie the
background exogenous factors are complex. Instead of describing scenarios using these, we settle
on describing scenarios from the direct factors that have an influence on a company within the
supply chain, hence encapsulating complexity. The EEA therefore serves as a scenario-structuring
mechanism that can be useful in vulnerability assessment.

Figure 4: Mapping from a set of indirect factors (black box) to a set of epoch variables that directly affect company value. The
examples are meant to be illustrative only.

The main advantages of using EEA can hence be summarized as follows:


• EEA enables structured thinking about the current context, and possible future contexts by
encapsulating complexity behind the well-defined epoch vector interface.
• EEA enables structured thinking about the evolution of scenarios in the long run, by
sequencing well-defined epochs in a reasonable manner.
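
The epoch and era definitions above, including the rule that an irreversible change such as a supplier bankruptcy cannot be undone in a later epoch, can be sketched as follows. This is an added example, not code from the chapter; the epoch variables, their levels and the uniform sampling of successor epochs are assumptions made for illustration.

```python
import itertools
import random

# Constructed epoch variables for a focal company; names and levels are
# illustrative assumptions, not taken from the chapter's Figure 4.
EPOCH_VARIABLES = {
    "supplier_status": ["operating", "capacity_reduced", "bankrupt"],
    "port_access": ["open", "congested", "closed"],
    "fuel_price": ["low", "high"],
}

# Irreversibility rule: once a variable takes one of these values it keeps it.
IRREVERSIBLE = {"supplier_status": {"bankrupt"}}


def enumerate_epochs(variables=EPOCH_VARIABLES):
    """Every epoch vector: the Cartesian product of all epoch-variable levels."""
    names = list(variables)
    levels = [variables[name] for name in names]
    return [dict(zip(names, combo)) for combo in itertools.product(*levels)]


def transition_allowed(prev, nxt, irreversible=IRREVERSIBLE):
    """A successor epoch may not leave an irreversible state already entered."""
    return all(nxt[name] == prev[name]
               for name, absorbing in irreversible.items()
               if prev[name] in absorbing)


def era_is_logical(era, irreversible=IRREVERSIBLE):
    """An era is logical when every consecutive pair of epochs is allowed."""
    return all(transition_allowed(a, b, irreversible)
               for a, b in zip(era, era[1:]))


def count_eras(epochs, length, irreversible=IRREVERSIBLE):
    """Return (all eras, logical eras) of the given length by brute force."""
    total = logical = 0
    for era in itertools.product(epochs, repeat=length):
        total += 1
        logical += era_is_logical(era, irreversible)
    return total, logical


def generate_era(epochs, length, rng, start=None, irreversible=IRREVERSIBLE):
    """Sample one era; each step picks uniformly among allowed successors
    (uniform sampling is an assumption, a real study would weight them)."""
    era = [start if start is not None else rng.choice(epochs)]
    while len(era) < length:
        allowed = [e for e in epochs
                   if transition_allowed(era[-1], e, irreversible)]
        era.append(rng.choice(allowed))
    return era


if __name__ == "__main__":
    epochs = enumerate_epochs()
    total, logical = count_eras(epochs, 3)
    print(f"{len(epochs)} epochs; {logical} of {total} three-epoch eras are logical")
    for epoch in generate_era(epochs, 4, random.Random(7)):
        print(epoch)
```

Even three small epoch variables yield 18 epochs and thousands of three-epoch eras, which is why the elimination rules matter before any scenario is ranked.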
4.2. Failure mode methods
The term “failure mode” is derived from the reliability engineering domain, where it refers to the
loss of functionality in a component (Rausand and Høyland 2004). When experiencing a failure
mode, the component no longer delivers the desired output. This concept has been widely used in
reliability engineering, as part of the methodology called Failure Modes, Effects, and Criticality
Analysis (FMECA) (Rausand and Høyland 2004). This methodology supports decisions regarding
conceptual system design, development and operation by determining whether designs are
sufficiently reliable (sufficiently low probability of operational disruption). The outcomes of such
analysis are regularly used in quantitative risk assessment, where the product of likelihood and
consequence guides whether additional risk reducing measures should be implemented. In
reliability engineering, decisions at this stage relate to whether it is cost-efficient to add
redundancies.
In a supply chain context, failure modes can be understood as a way in which one element of the
supply chain loses its ability to fulfill its function in the supply chain. With reference to the supply
chain operations reference (SCOR) model (Supply Chain Council 2012), this can be a failure to
fulfill any subfunction of the five main functions: to plan, source, make, deliver, or return the
product. Hence, a functional decomposition of these functions will provide additional insight into
the reasons why the supply chain fails to function normally, without speculating about the exact
chain of events. Figure 5 relates the SCOR model with the functional structure and location of
potential critical failure modes.

Figure 5: Relating supply chain operations reference model with functional structures for failure mode identification.

Berle, Rice Jr., and Asbjørnslett (2011) use the failure mode concept to identify vulnerabilities in
maritime supply chains. Their argument is that methods that focus on each scenario simplify the
difficulties in foreseeing the causal chain leading to the supply chain losing functionality. Very
infrequent events that deserve proper attention due to severe consequences, are not sufficiently
addressed when risk is defined as the product of likelihood and consequence. By devising an
approach to vulnerability assessment which mainly seeks to identify how functionality can be lost,
supply chain managers can turn to develop a business continuity plan for each failure mode.
Naturally, business continuity planning should seek to restore functionality at reasonably high
levels of fidelity in the functional hierarchy. In other words, to the focal company in Figure 4, the
best path forward from a disruption is not necessarily to restore the activity at the component that
previously experienced a failure. Rather, the company should seek to cope with the failure mode
by shifting its operations to components that retain the ability to function.
Starting from the failure mode perspective, Berle, Asbjørnslett, et al. (2011) base their approach to
vulnerability assessment in maritime transportation on the formal safety assessment (FSA)
framework developed by the International Maritime Organization (International Maritime
Organization 2002). Berle, Asbjørnslett, et al. (2011) propose that two distinct procedures for safety
assessment can be followed, based on the degree to which risks can be foreseen. Even if we
acknowledge that not all risks are known, we know what functions the system consists of, and
hence failure mode consequences can be taken into account. The proposed framework presents two
parallel tracks. A hazard-focused procedure is used for the known risks, while a mission-focused
procedure is suggested for the “unknown” risks where the failure mode approach offers the most
insight into what capabilities are lost. The framework used by Berle, Asbjørnslett, et al. (2011) is
presented in Table 1 for illustrative purposes only.

Table 1: Formal vulnerability assessment with a mission-based focus making use of failure modes (Berle, Asbjørnslett, et al. 2011).

| FVA description | Hazard focus | Mission focus |
|---|---|---|
| Step 1: Hazard identification | What may go wrong? | Which functions should be protected? |
| Step 2: Vulnerability assessment | Investigate/Quantify most important risks | Investigate/Quantify most important failure modes |
| Step 3: Vulnerability mitigation | Measures to mitigate most important risks | Measures to restore functions/capabilities |
| Step 4: Cost/benefit assessment | Cost/benefit assessment | Cost/benefit assessment |
| Step 5: Recommendations for decision-making | Recommendations and feedback | Recommendations and feedback |

4.3. System design methods


4.3.1. Engineering design methodology
While supply chains have the characteristics of complex adaptive systems that are subject to
emergent behaviors as well as control (Choi et al. 2001), we will see that there are certain
advantages of applying the methods of engineering design in supply chain risk management. For
example, we can consider the supply chain system as a partially designed, and partially evolved
“physical” system that meets a set of functional requirements, for example the generic processes
outlined by the SCOR model referenced earlier.
System design is a process of developing descriptions of physical systems that can provide the
functions necessary to meet some need. This is often referred to as mapping between function and
form. Axiomatic design (Suh 1990) and catalogue design (Pahl and Beitz 1996) are two commonly
referenced design methodologies. Suh (1990) proposes two fundamental design axioms to establish
guidelines for the design process. First, the independence axiom states that functional requirements
(FRs) should be kept independent, by mapping one-to-one onto design parameters (DPs) in the
form space. Second, the information axiom states that the amount of information contained in a
system should be kept minimal. Applications of these principles imply a less complex system,
which will be less prone to fail in unexpected ways, and easier to control. These principles are not
necessarily something we wish to follow when it comes to supply chains, as these systems are not
purely objects of design. Still, they are useful for illustrating how function maps onto form.
Axiomatic design often makes use of design matrices that illustrate how the functional
requirements are met by a physical description represented by design parameters. An example of
the uncoupled design, which is the most desirable state in accordance with axiomatic design, is
shown in Equation 1.
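$$
\begin{Bmatrix} FR_1 \\ FR_2 \end{Bmatrix} = \begin{bmatrix} a_{11} & 0 \\ 0 & a_{22} \end{bmatrix} \begin{Bmatrix} DP_1 \\ DP_2 \end{Bmatrix} \tag{1}
$$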

The reliance on design matrices is similar to the use of design structure matrices for visualization
of complex project development processes (Steward 1981), which have also been applied to managing
the function-form mapping in system design (Eppinger and Browning 2012). Common applications
of design structure matrices include sequencing of processes in project management, and clustering
analyses to modularize product architectures by encapsulating components performing related
functions within modules in accordance with axiomatic design principles.
Pahl and Beitz (1996) suggest that design processes should consist of task clarification, conceptual
design, embodiment design, and detail design. Once desired functionalities are defined through the
task clarification, the conceptual design process can commence by developing functional structures
and using design catalogues to find physical solutions that can provide the physical effects meeting
the desired functionality. Finding a solution then becomes a question of combining the solutions
that are found from the catalogue into a design that meets the overall needs. Design catalogues
enable quick, problem-oriented access to proven solution principles for the functions, and often
contain accumulated knowledge from earlier design processes. A notional design catalogue for use
in a supply chain risk management setting is shown in Table 2.

Table 2: Notional design catalogue for use in function-form mapping for the supply chain.

| Classifying criteria | Solutions | Solution characteristics | Remarks |
|---|---|---|---|
| Supply chain processes, and functional hierarchies (see Figure 5) | Firms within supply chain, and organizational structure of firms that can solve functions. | Explanation of how the solutions map onto the classifying criteria. | Additional information needed |
| Further alternatives… | … | … | |

The literature referenced above signifies that the mapping between function and form is essential
in system design. However, it does not distinguish sufficiently between those capabilities that a
designed system is intended to have, and those that it actually possesses. Axiomatic design points
to the intentional function-form mapping using design matrices that map between these domains,
while catalogue design provides a comprehensive guide to alternative solutions for meeting these
functions so that designers can combine solutions in the synthesis.
4.3.2. Considering latent functions and functional redundancies
The understanding that complex systems can produce behaviors and provide functionality
exceeding what was expected is also found in the social sciences. Merton (1968) describes latent
functions as the functions that are neither intended nor recognized, as opposed to manifest functions
which are intended and recognized. The primary purpose of this framework is to analyze the effects
of policy, understanding that social planning has unforeseen consequences. Latent functions have
been discussed in the context of functional modelling for complex engineering systems by Crilly
(2010) who points out that the functionality that carries a value, depends on the context, the
stakeholders, and evolves through time. Crilly (2015) points to the need for viewing system
functioning both in relation with the supersystem in which the system is a part, and in relation to
the context the system works in. Pettersen et al. (2017) show that exploiting latent capabilities
benefits resilience, while breaking with the design axioms of Suh (1990). They suggest how latent
capabilities can be identified and implemented into the function-form mapping to enable recovery
from a failure mode. The manifest functions, and the latent functions are distinguished in Figure 6,
where latent functions are activated to recover from the failure mode. Recovery is here enabled by
latent capabilities, as $DP_2$ has the ability, without intent or recognition during design, to perform
$FR_1$. An advantage of applying latent capabilities compared with other means to recover, is that
we utilize existing resources in a new way, and hence functionality can be restored swiftly.
Figure 6: Functional and physical system structures. State A indicates system as designed. State B indicates system operational
using latent capabilities (Pettersen et al. 2017).

Erden et al. (2008) review functional modelling in the system design and artificial intelligence
literature, and state that when meeting disruptions due to failure, “another component, rather than
the faulty one, can perform the function, perhaps in a less efficient way”. They point to the
similarity of this concept to that of functional redundancy, which is commonly cited as a design
principle to achieve system resilience (Jackson and Ferris 2013; Rice Jr. and Caniato 2003; Uday
and Marais 2015). The main difference is perhaps that functional redundancies are
designed with intent, while latent capabilities emerge from observed behaviors that were not
thought of beforehand. Functional redundancies are favored over physical redundancies, which are based on
adding redundant components to the design, as they do not change the “physical form” of the
system, and do not come at an additional investment cost (Erden et al. 2008; Jackson and Ferris
2013). In supply chain systems that evolve outside the control of a single stakeholder, system
components will likely possess latent functions that can be taken advantage of to reduce the impact
of disruption. We now show how these capabilities can be exploited to reduce vulnerability.
The following example differentiates what the system is intended to do, from what the system can
do: Consider a situation where Team A has been assigned to Process A, while Team B has been
assigned to Process B. However, if both teams are able to perform both tasks, the intended function-
form mapping derived through a design synthesis does not capture all capabilities. An additional
step of analysis may be needed to understand the full spectrum of capabilities, after the design
process. The resulting differences between the intended organizational capabilities and the overall
potential capabilities of the same organization are shown in Figure 7.
Figure 7: Comparing the intended capabilities (left) of a system as assigned, with the complete available capabilities (right) of the
system.

Hence, capabilities beyond the intended can be taken advantage of, for example to provide
functional redundancy, should hazards materialize and cause functional failure in the supply chain.
We consider the example of a supply chain which can be described as a mapping between function
and form, as shown in Figure 8. Here, a set of functional requirements {𝐹𝑅𝐴, 𝐹𝑅𝐵, 𝐹𝑅𝐶, 𝐹𝑅𝐷, 𝐹𝑅𝐸}
is to be met. We accept that the supply chain is a complex adaptive system, and hence it does not
adhere to the design axioms. We then investigate whether 𝐷𝑃𝐵 can meet any other function, finding
that it can meet 𝐹𝑅𝐸. If we have access to a design catalogue that describes every solution that can
be used to provide 𝐹𝑅𝐸, we find that one such solution is 𝐷𝑃𝐵. Due to this, 𝐷𝑃𝐵 can provide
functional redundancy should 𝐷𝑃𝐸 fail to meet 𝐹𝑅𝐸.

Figure 8: Identifying functional capabilities beyond the intended (latent functions).
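
The catalogue lookup described above can be sketched in Python. This is an added example, not code from the chapter: the catalogue entries other than 𝐷𝑃𝐵 providing 𝐹𝑅𝐸, the hypothetical external solution DP_X and all function names are assumptions.

```python
# Added illustration: latent capabilities found through a design catalogue.
# FR/DP names follow the chapter; catalogue contents other than
# "DP_B can provide FR_E" are constructed for this example.

# Intended function-form mapping: the DP assigned to each FR at design time.
INTENDED = {"FR_A": "DP_A", "FR_B": "DP_B", "FR_C": "DP_C",
            "FR_D": "DP_D", "FR_E": "DP_E"}

# Design catalogue: every known solution for each function.
# DP_X is a hypothetical solution that is not part of the supply chain.
CATALOGUE = {
    "FR_A": {"DP_A"},
    "FR_B": {"DP_B"},
    "FR_C": {"DP_C", "DP_X"},
    "FR_D": {"DP_D"},
    "FR_E": {"DP_E", "DP_B"},
}


def latent_functions(intended, catalogue):
    """Map each installed DP to the FRs it can provide beyond its assignment."""
    installed = set(intended.values())
    latent = {}
    for fr, providers in catalogue.items():
        for dp in providers & installed:
            if intended.get(fr) != dp:
                latent.setdefault(dp, set()).add(fr)
    return latent


def recovery_options(failed_dps, intended, catalogue):
    """For every FR lost when failed_dps fail, split the catalogue solutions
    into internal ones (surviving DPs already in the system, i.e. latent
    capabilities) and external ones (solutions that must be brought in)."""
    failed = set(failed_dps)
    installed = set(intended.values())
    options = {}
    for fr, dp in intended.items():
        if dp not in failed:
            continue
        candidates = catalogue.get(fr, set()) - failed
        options[fr] = {
            "internal": sorted(candidates & installed),
            "external": sorted(candidates - installed),
        }
    return options


def unrecoverable(failed_dps, intended, catalogue):
    """FRs lost in this failure mode with no catalogue solution at all."""
    opts = recovery_options(failed_dps, intended, catalogue)
    return sorted(fr for fr, o in opts.items()
                  if not o["internal"] and not o["external"])


if __name__ == "__main__":
    print(latent_functions(INTENDED, CATALOGUE))
    print(recovery_options(["DP_E"], INTENDED, CATALOGUE))
    print(unrecoverable(["DP_B", "DP_E"], INTENDED, CATALOGUE))
```

The internal and external lists correspond to the two kinds of recovery resources recorded in the scenario worksheet of Step 4.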

5. Using the toolbox in supply chain vulnerability assessment


This section presents a more thorough description of each step in the vulnerability assessment
briefly introduced in Section 3, with emphasis on how the toolbox introduced in Section 4 can be
applied in the vulnerability assessment. Figure 9 connects the worksheets used in vulnerability
assessment with the toolbox presented in Section 4.

Figure 9: The toolbox set in context with central worksheets for the vulnerability assessment framework.

5.1. Step 1: Definition of scope of work


The initial step of the assessment defines the frames and targets of analysis. It is important to scope
the analysis consistently, for the vulnerability assessment to proceed with the appropriate amount
of rigor and with a reasonable structure. In this initial phase it is also important to assign sufficient
resources and time to the analysis, and ensure that a multi-disciplinary team is involved that is
able to elicit important information from all relevant supply chain stakeholders. We can distinguish
four elements that need to be properly assessed in Step 1:
1. Determine objectives for the analysis
What do we want to find out? Why do we want to know what?
2. Determine the unit of analysis
What elements of the supply chain do we analyze?
3. Determine system boundaries
What is inside the system boundaries? What exogenous factors affect the system directly?
4. Determine vulnerability acceptance criteria
What are acceptable levels of vulnerability after actions are taken?
The second and third points listed are particularly important with respect to the additional tools we
propose. Setting the system boundaries, we should think through what aspects of the problem can
be controlled, and what exogenous factors directly influence the supply chain. These aspects will
strongly frame the remaining steps of the vulnerability assessment.

5.2. Step 2: Description of SC/SCM context


The second step addresses the impact of the supply chain context, as indicated by Step 1. For supply
chain systems that continuously adapt by including new supplier and customer relations with other
rational agents, we should not consider context as something static. Instead, sets of contexts can be
developed and sequenced as long run dynamic contexts. Epoch-era analysis proposes that we
parametrize context variables that are subject to uncertainty. Then we can make a model that maps
the influence of the context onto system vulnerability. Hence, we can obtain an understanding of
how the risk picture will look for every context developed, by constructing epochs. Further, by
stringing together epochs into eras, we can infer possible evolution of vulnerabilities facing long
term supply chain operations.
To describe the supply chain context using epoch-era analysis, we elicit a preliminary set of
uncertainties and develop the relationship between supply chain vulnerability, value and the
context factors. There is a need for verification that the chosen context factors have a quantifiable
impact on the supply chain. Generic factors that will affect the supply chain context include the
supply/demand situation, the strength of competitors, the relationship to customers and suppliers,
and the cost structure. Depending on the context, different sets of vulnerabilities may be interesting
to investigate further. Tools that can complement epoch-era analysis in framing the supply chain
context, include Kraljic’s classification taxonomy for supply (Kraljic 1983) and Porter’s five forces
analysis (Porter 1979). Notice that when we frame the supply chain context in a particular way, we
may lose out on some perspectives. A solution to this problem can be to work with a large number
of contexts, possibly developed in parallel by several teams of analysts, even though this reduction
in reliance on specific assumptions would come at the cost of an increased workload.
A major implication of using epoch-era analysis to frame the context of the supply chain is that we
need to treat the remainder of the steps as context-dependent. Hence, for every alternative
representation of the supply chain context, we should go through Steps 3 – 7.

5.3. Step 3: Taxonomy development

While Step 2 proposes that we develop context sets via epoch-era analysis, this step establishes a
structured set of context-dependent vulnerabilities. The structured set of vulnerabilities will be used
to develop the scenarios in Step 4. As we can understand the supply chain system in terms of the
functionality delivered by its nodes, the failure mode approach referred to in Section 4.2 can be
useful. Vulnerabilities can be entered into the taxonomy based on their impact on the functional
hierarchy that can be developed for the system as suggested by the formal vulnerability assessment
introduced by Berle et al. (2011b), or by using a number of alternative taxonomies outlined by
Asbjørnslett (2009). This enables a focus on determining which functions should be protected,
rather than understanding the scenarios, hence the analysis is more strongly geared towards
enabling continued or restored functioning.

5.4. Step 4: Scenario development

The fourth step is to develop scenarios. We define scenarios as sequences of possible events that
are separated in space and time, originating from an accidental event, and where barriers that should
prevent the sequence are included. The starting point is one of the elements identified in the
taxonomy in Step 3, upon which a sequence of events until a stable, disrupted state can be imagined.
The scenario itself then does not include any efforts to mitigate or recover from the disrupted state.
A variety of risk management methods exist that have had influence on scenario development for
accidental events. See Rausand (2011) for a comprehensive overview of accident models and
scenario building methods.
At the closure of Step 4, a sufficient amount of knowledge has been collected to document the
scenarios. Table 3 represents a notional worksheet for documentation. In the first column (i), the
outcomes of Step 3, given its contextual dependency on Steps 1 and 2, are provided. For every
relevant supply chain context, this represents a checklist for the factors that should be covered
through the analysis. In the second column (ii), the scenarios are described, as suggested in Step 4.
The sequencing of events, proceeding through pro-active and re-active barriers, allows the analysts
to determine whether or not this sequence is likely to disrupt the supply chain functioning. The
preliminary answer to whether a scenario is likely to have this effect is entered into the third column
(iii), in order to limit the amount of information to consider in the later steps. If the analysts perceive
the scenario as a possible threat to supply chain survival, they will enter the failure mode that
disrupts the supply chain in the fourth column (iv). At this point, we have an overview of the causal
links between an initiating event and loss of functionality, which enables the system analysts to
assess the possible recovery options. These options are documented in the fifth and sixth columns
(v-vi), ranked according to whether there is a use of internal (v) or external (vi) resources for
recovery. The system design methods introduced in Section 4.3 are particularly applicable for this,
as these largely focus on the understanding of how functions can be achieved through the behaviors
of a physical system. Design catalogues often contain many alternative proven solutions to how a
lost function can be recovered. As mentioned, the resources needed to recover from disruption may
already exist somewhere in the supply chain. There is only a question about uncovering where and
what supply chain components possess latent functionality. We refer to Pettersen et al. (2017) for
a discussion of how latent capabilities can be utilized. Column (vii) makes detailed remarks, if
further details are needed.

Table 3: Worksheet #1; documentation of scenarios (Asbjørnslett 2009), with examples of possible methods that can be used.

| Threat (i) | Scenario (ii) | Likely (yes/no?) (iii) | Potential immediate effects? (iv) | Resources/systems/plans for mitigation, restoration, rebuilding, etc.: Internal (v); External (vi) | Remarks (vii) |
|---|---|---|---|---|---|
| Given by current context (EEA) | | | Which function is disturbed? | Identify latent capabilities using design catalogues, to restore function. | |

5.5. Step 5: Criticality ranking


The fifth step quantifies the criticality associated with every scenario developed within the
alternative contexts in the previous steps. The purpose is to assess the likelihood and consequences
associated with each of the scenarios. Table 4 suggests a structured worksheet for this part
of the analysis. First, a likelihood score for every scenario is set (i). Then, the consequences with
respect to a set of different factors are established, and scored; including the impact on the quality
of service delivered (ii), the costs accrued (iii), and ‘other’ (iv), which may include the duration of
disruption, loss of reputation, and so on. Thereafter, the ease with which resources can be used to
mitigate and recover from the accident is scored. The scoring of such resources can be justified by considering
that functionality can more easily be restored if there are latent capabilities in the system, than if
the system needs to be reconfigured through additional investments or repair. The total criticality
is given in the seventh column (vii), often calculated as the product of the likelihood and the
consequences.

Table 4: Worksheet #2; criticality ranking of scenarios (Asbjørnslett 2009).

| Scenario description | Likelihood of scenario (i) | Consequences of scenario: Service (ii); Costs (iii); ‘Other’ (iv) | Resources to mitigate, recover, restore…: Internal (v); External (vi) | Total criticality (vii) |
|---|---|---|---|---|
| 1, 2, … | | Assessment of failure modes | Evaluate effectiveness of resources (latent capabilities) | |

5.6. Step 6: Scenarios of importance


The sixth step makes use of risk matrices to create an understanding of which scenarios are the
most important to address for possible system contexts. A risk matrix ranks the scenarios according
to the consequence and likelihood, as exemplified in Figure 10. In the figure, scenarios
that were found in Step 5 are ranked in accordance with their consequence and likelihood, placing
the scenarios in relation to criticality. Darker shade here indicates higher criticality.

Figure 10: Risk matrix representation for the scenarios of importance (Asbjørnslett 2009).

Naturally, based on the risk matrix in Figure 10, it is important to attend to the scenarios
of higher criticality, and emphasize particularly those scenarios that are very critical, with no
known recourse to mitigation, restoration, or rebuilding resources. Measures to reduce the
consequences are shown as arrows. For example, we can consider Scenario 2 and Scenario 4. We
see that both these fall within the “high critical” area. An important difference is that some
consequence-reducing measures have been identified for Scenario 2, while no such measures
exist for Scenario 4. This means that Scenario 4 should be prioritized before addressing Scenario
2. Determining scenarios of importance thereby results in a list of prioritized scenarios to follow
up on, either to understand the causal links leading up to scenarios to enable prevention of causes
and interactions, or to improve impact reducing measures.
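
As an added illustration (not part of the chapter), the ranking of Steps 5 and 6 can be written in Python. The 1-5 scales, the use of the worst consequence dimension as the consequence score, the band thresholds and all scenario scores are assumptions; the ordering rule follows the text, placing a high-criticality scenario with no recourse ahead of one that has identified measures.

```python
from dataclasses import dataclass, field


@dataclass
class Scenario:
    """One row of the criticality worksheet; scores use an assumed 1-5 scale."""
    name: str
    likelihood: int                                # column (i)
    service: int                                   # column (ii)
    costs: int                                     # column (iii)
    other: int                                     # column (iv)
    internal: list = field(default_factory=list)   # column (v)
    external: list = field(default_factory=list)   # column (vi)

    @property
    def consequence(self):
        # Assumption: the worst consequence dimension drives the score.
        return max(self.service, self.costs, self.other)

    @property
    def criticality(self):
        # Column (vii): product of likelihood and consequence.
        return self.likelihood * self.consequence

    @property
    def has_recourse(self):
        return bool(self.internal or self.external)


def band(scenario, high=15, medium=6):
    """Criticality band of the risk matrix (thresholds are assumptions)."""
    if scenario.criticality >= high:
        return "high"
    return "medium" if scenario.criticality >= medium else "low"


def risk_matrix(scenarios):
    """Place scenario names in (likelihood, consequence) cells."""
    cells = {}
    for s in scenarios:
        cells.setdefault((s.likelihood, s.consequence), []).append(s.name)
    return cells


def prioritize(scenarios):
    """Highest band first; within a band, scenarios without any identified
    recovery resources come before those with recourse, then by criticality."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(scenarios,
                  key=lambda s: (rank[band(s)], s.has_recourse, -s.criticality))


# Constructed worksheet rows (all scores are illustrative).
SCENARIOS = [
    Scenario("Scenario 1", 2, 2, 1, 1, external=["spot-market supplier"]),
    Scenario("Scenario 2", 4, 5, 3, 2, internal=["DP_B covers FR_E"]),
    Scenario("Scenario 3", 3, 2, 3, 1),
    Scenario("Scenario 4", 4, 4, 4, 3),
]

if __name__ == "__main__":
    for s in prioritize(SCENARIOS):
        print(s.name, band(s), s.criticality,
              "recourse" if s.has_recourse else "NO RECOURSE")
```

With these scores Scenario 4 is listed before Scenario 2 although its criticality is lower, because no recovery resource has been identified for it.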

5.7. Step 7: Reducing likelihood and consequence

The final step of the framework establishes how actions can be made to reduce the likelihood and
consequences of the scenarios, and focuses on vulnerability reduction through decision-making on
the levels of supply chain design and operation. Table 5 shows a worksheet example for this step.

Table 5: Worksheet #3; evaluating measures with potential to reduce likelihood and consequence (Asbjørnslett 2009).

| Scenario description | Reduction of likelihood: Measures to avoid or reduce threats (i); Measures to reduce the probability of accidental events (ii) | Reduction of consequences: Measures related to design and passive barriers (iii); Measures related to operations and active barriers (iv); Measures related to mitigation (v) |
|---|---|---|
| 1, 2, … | | Contingency planning relying on latent capabilities to recover from failure modes. Alternative means … |

Normally, it is desirable to avoid disruptions altogether, hence first, we should consider means to
avoid or reduce the threats (i), and means to reduce the probability of accidental events (ii). Next,
measures to reduce consequences should be introduced. These include designing passive barriers
into the supply chain (iii), like redundancies and margins. Redundant functionality can be found
by using design catalogues. Further, we consider measures related to operations and active barriers
(iv). Last, we seek means for mitigating, restoring and rebuilding the supply chain capabilities after
the scenario has materialized (v). For the measures to reduce consequences, there is room for basing
contingency plans on measures that involve latent capabilities.

6. Summary

This chapter has introduced a number of novel tools for use in vulnerability assessment for supply
chains. The presented tools originate in research fields unfamiliar to most practitioners and
researchers of supply chain management. These tools have been set into the context of a framework
for vulnerability assessment presented in an earlier book chapter (Asbjørnslett 2009). The main
advantages of applying the new tools are:
• An improved understanding of how alternative context and needs affect supply chain
vulnerability through epoch-era analysis.
• An improved understanding of how functional modelling via the failure mode approach can
be used to address low frequency, high impact supply chain disruptions.
• An introduction to the latent capabilities concept, which enables identification of new ways
to restore lost functionality. We suggest that latent functions are identified by use of design
catalogues.
We believe that use of these methods will improve supply chain resilience and provide a
competitive advantage to firms that learn to consciously apply these concepts and tools in their
supply chain management philosophy.

References
Adhitya, A., Srinivasan, R., & Karimi, I. A. (2009). Supply Chain Risk Identification Using a HAZOP-Based
Approach. AIChE Journal, 55(6), 1447–1463.
Asbjørnslett, B. E. (2009). Assessing the Vulnerability of Supply Chains. In G. A. Zsidisin & B. Ritchie (Eds.), Supply
Chain Risk - A Handbook of Assessment, Management, and Performance (pp. 15–33). New York, NY: Springer
Science+Business Media.
Asbjørnslett, B. E., & Rausand, M. (1999). Assess the vulnerability of your production system. Production Planning
& Control, 10(3), 219–229.
Berle, Ø., Rice Jr., J. B., & Asbjørnslett, B. E. (2011). Failure modes in the maritime transportation system: a functional
approach to throughput vulnerability. Maritime Policy & Management, 38(6), 605–632.
Berle, Ø., Asbjørnslett, B. E., & Rice Jr., J. B. (2011). Formal Vulnerability Assessment of a maritime transportation
system. Reliability Engineering and System Safety, 96(6), 696–705.
Choi, T. Y., Dooley, K. J., & Rungtusanatham, M. (2001). Supply networks and complex adaptive systems: control
versus emergence. Journal of Operations Management, 19, 351–366.
Crilly, N. (2010). The roles that artefacts play: Technical, social and aesthetic functions. Design Studies, 31(4), 311–
344.
Crilly, N. (2015). The proliferation of functions: Multiple systems playing multiple roles in multiple supersystems.
Artificial Intelligence for Engineering Design, Analysis and Manufacturing, 29, 83–92.
de Weck, O. L., Roos, D., & Magee, C. L. (2011). Engineering Systems: Meeting Human Needs in a Complex
Technological World. Cambridge, MA: The MIT Press.
Eppinger, S. D., & Browning, T. R. (2012). Design Structure Matrix: Methods and Applications. Cambridge, MA:
The MIT Press.
Erden, M. S., Komoto, H., van Beek, T. J., D’Amelio, V., Echavarria, E., & Tomiyama, T. (2008). A review of function
modeling: Approaches and applications. Artificial Intelligence for Engineering Design, Analysis and
Manufacturing, 22(2), 147–169.
Heckmann, I., Comes, T., & Nickel, S. (2015). A critical review on supply chain risk – Definition, measure and
modeling. Omega, 52, 119–132.
International Maritime Organization. (2002). Guidelines for Formal Safety Assessment for use in the IMO rule-making
process. London, UK.
Jackson, S., & Ferris, T. L. J. (2013). Resilience Principles for Engineered Systems. Systems Engineering, 16(2), 152–
164.
Kaplan, S., & Garrick, J. B. (1981). On The Quantitative Definition of Risk. Risk Analysis, 1(1), 11–27.
Kraljic, P. (1983). Purchasing must become supply management a strategy for supply. Harvard Business Review, 109–
117.
Merton, R. K. (1968). Social Theory and Social Structure. New York, NY: MacMillan Publishing Co.
Pahl, G., & Beitz, W. (1996). Engineering Design (2nd ed.). London, UK: Springer.
Peck, H. (2005). Drivers of supply chain vulnerability: an integrated framework. International Journal of Physical
Distribution & Logistics Management, 35(3/4), 210–232.
Pettersen, S. S., Erikstad, S. O., & Asbjørnslett, B. E. (2017). Exploiting latent functional capabilities for resilience in
design of engineering systems. Research in Engineering Design, 1–15.
Porter, M. E. (1979). How competitive forces shape strategy. Harvard Business Review, March-April, 137–145.
Rausand, M. (2011). Risk Assessment: Theory, Methods, and Applications (1st ed.). Hoboken, NJ: John Wiley & Sons,
Inc.
Rausand, M., & Høyland, A. (2004). System Reliability Theory: Models, Statistical Methods and Applications (2nd
ed.). Hoboken, NJ: John Wiley & Sons, Inc.
Rice Jr., J. B., & Caniato, F. (2003). Building a secure and resilient supply network. Supply Chain Management Review,
7(5), 22–30.
Ross, A. M., Hastings, D. E., Warmkessel, J. M., & Diller, N. P. (2004). Multi-Attribute Tradespace Exploration as
Front End for Effective Space System Design. Journal of Spacecraft and Rockets, 41(1), 20–28.
Ross, A. M., & Rhodes, D. H. (2008). Using Natural Value-Centric Time Scales for Conceptualizing System Timelines
through Epoch-Era Analysis. In INCOSE International Symposium (Vol. 18, pp. 1186–1201). Utrecht, the
Netherlands.
Steward, D. V. (1981). The design structure system: A method for managing the design of complex systems. IEEE
Transactions on Engineering Management, EM-28(3), 71–74.
Suh, N. P. (1990). The Principles of Design. New York, NY: Oxford University Press.
Supply Chain Council. (2012). Supply Chain Operations Reference Model (11th ed.).
Svensson, G. (2000). A conceptual framework for the analysis of vulnerability in supply chains. International Journal
of Physical Distribution & Logistics Management, 30(9), 731–750.
Tang, O., & Musa, S. N. (2011). Identifying risk issues and research advancements in supply chain risk management.
International Journal of Production Economics, 133(1), 25–34.
Uday, P., & Marais, K. (2015). Designing Resilient Systems-of-Systems: A Survey of Metrics, Methods, and
Challenges. Systems Engineering, 18(5), 491–510.
