The first three children of the Energy system describe how an estate produces, stores, and governs its power on a normal day. Backup and resilience is the layer that answers a different question: what happens when the day is not normal — when a system fails, the weather is extreme, or the grid goes down and stays down.
Resilience is not a single component. It is a property designed into the whole system: redundancy where a single failure would matter, reserves held against the worst plausible case, and a clear order in which the estate sheds load rather than goes dark. A resilient estate is one that has decided, in advance, exactly how it will behave when something goes wrong.
Resilience against two kinds of failure
An estate’s power can be threatened from two directions, and resilience engineering addresses both.
The first is external failure — the grid goes down. For an estate with a sound microgrid and adequate storage, this is the easier case: the estate islands and continues, and the family need not notice. A grid outage, for a well-built sovereign estate, is close to a non-event.
The second is internal failure — something within the estate’s own system fails: an inverter, a controller, a generation source. This is the case resilience engineering exists for, because here the estate cannot simply fall back on itself; it must fall back on a reserve within itself. Redundancy — a second path for power to take when the first is unavailable — is what makes an internal failure survivable rather than dark.
A resilient estate has decided, in advance, exactly how it will behave when something goes wrong.
Load priority — the order of going quiet
No reserve is infinite. The discipline that makes a finite reserve last is load prioritisation: deciding, before any failure, which of the estate’s systems are essential and which can be set aside.
Essential loads — security, core climate, water, communications, medical or life-safety systems — are sustained the longest. Discretionary loads — a pool, an outdoor display, the less critical comforts — are shed first, and shed automatically. Done well, this is invisible: the estate quietly narrows to what matters and the family experiences continuity, not crisis. Done poorly, or not at all, a finite reserve is spent indiscriminately and the estate goes fully dark sooner.
Resilience is a design decision, not a product
An estate does not buy resilience; it designs it in. How much redundancy, how large a reserve, how long the estate must run on essential loads alone, how gracefully it degrades — these are architectural choices made once, early, and they determine for the life of the estate how it behaves on its worst day.
Resilience is verified, not assumed — tested, rehearsed, and maintained so that the estate behaves as designed when the worst day arrives.
Explore EstateOpsBackup and resilience is what makes the rest of the Energy system trustworthy. Generation, storage, and control describe what the estate can do well; resilience is the assurance that it keeps doing it when conditions turn against it.