The Grid Is a Bet on Which Asset Fails Next
The Grid Is a Bet on Which Asset Fails Next
A transformer you replaced eighteen months too late takes out a feeder during a heat event: an outage, a SAIDI penalty, an incident report, and — if the failure throws an arc into dry brush — a wildfire docket you will be answering for years. That is the cost of acting late. Now hold the other failure in your other hand: replace every aging asset on schedule, the way a maintenance binder tells you to, and the capital line in your next rate case collapses under work the commission will not let you recover. Replace too late and you get the outage, the fine, maybe the fire. Replace too early across the whole fleet and the rate case cannot carry it. Every dollar in your capital plan is a wager on which of those two failures you are more afraid of — and on which specific assets, out of hundreds of thousands, are about to make the choice for you.
That is the actual decision a utility board funds. Not “are we maintaining the grid,” but “are we maintaining the right assets, in the right order, and can we prove that ordering to the people who set our allowed return.” This paper is for the COO, the VP of Asset Management, and the Chief Reliability Officer who has to walk into a rate proceeding and defend a capital plan that is smaller and safer at the same time — and who needs to know, before they fund anything, exactly where software gets to make the call and where an engineer still has to sign.
The squeeze: penalties on one side, the rate-case envelope on the other
Reliability is not a soft metric for a regulated utility — it is the franchise. SAIDI and SAIFI thresholds are written into performance-based mechanisms; miss them in a major event and you absorb penalties, lose incentive dollars, and invite a management audit. Safety failures are worse: a single feeder fault that starts a fire, or a corroded main that leaks gas, converts an asset-management miss into a public-safety event with criminal exposure and a regulator who now reads every filing you submit with a red pen.
So the obvious answer is to spend. Inspect more, replace more, harden more. Except the spending is itself constrained by the thing reliability is supposed to protect. Your capital plan is recovered through the rate case, and the commission’s job is to disallow anything it deems imprudent or excessive. Over-build the program and you don’t get a gold-plated grid — you get a capital plan that gets cut in proceeding, which means the cuts land wherever the staff lawyers choose rather than wherever your engineers would have chosen. Under-build and you keep the rate case clean right up until the asset you skipped fails on camera.
This is the squeeze, and it is not a budgeting problem you can solve by being more careful. The reliability obligation and the capital envelope pull in opposite directions, and the binding constraint is that you must satisfy both with the same plan. The board bet this paper is about is whether AI-prioritized, condition-based intervention can lift reliability and safety inside the approved envelope — and do it in a way the commission will accept as prudent.
Why time-based maintenance over- and under-spends at once
The default program runs on the calendar: inspect this class every N years, replace at end of nominal life, repeat. It is auditable and it is comfortable, and it is wrong in two directions simultaneously — which is exactly why it is so expensive.
It over-spends because a fixed replacement age treats a 40-year-old pole on a redundant rural lateral the same as a 40-year-old structure on the backbone. Most of the fleet that hits “end of life” on the calendar is still serving fine, on circuits where a failure would barely register in your reliability metrics. Replacing it on schedule is real capital spent buying almost no reliability — capital the rate case then has to defend with nothing better than “it was old.”
And in the same cycle it under-spends, because age is a terrible predictor of consequence. A 22-year-old breaker on a radial feeder behind a hospital and a substation tie can be the single asset whose failure would dominate your SAIDI for the year — and the calendar leaves it sitting in the queue because it has not hit its number yet. The program is starving the assets that matter to feed the assets that don’t, and it does both at once, which is why “just spend less” and “just spend more” are both wrong. The fix is not the size of the budget. It is the sort order.
The bet: re-sort capital by probability times consequence
Here is the move the rest of the plan is built on. Stop ranking assets by birth date and start ranking them by the one quantity that actually maps to your obligations: probability of failure multiplied by the consequence of that failure.
Probability comes from what you already collect — inspection findings, dissolved-gas and oil analysis, loading history, fault counts, the historian. Consequence is the term the calendar ignores entirely, and it is where the reliability logic lives: how many customers and how much critical load sit behind the asset, whether there is redundancy or it is radial, how long restoration takes, what the asset contributes to SAIDI and SAIFI, and whether a failure carries a wildfire or gas-safety dimension. Multiply the two and you get a risk-ranked list instead of an age-ranked one — and that single change unlocks two decisions in the same breath:
- Defer the low-risk replacements. Old but low-consequence assets fall down the list, releasing rate-based capital this cycle without raising reliability risk in any way the metrics will see.
- Accelerate the high-consequence ones. Assets whose failure would dominate reliability or create a safety event rise to the top, even when they are nowhere near the oldest.
That is a smaller and safer plan — fewer dollars, aimed better — which is the only shape of plan that resolves the squeeze. And critically, the ranking is the artifact that makes it defensible: each asset’s position is a number with named inputs, not a judgment call, which is what lets you answer “why did you defer that pole and accelerate that breaker” with evidence instead of seniority.
- SAIDI / SAIFI in major eventsabove target15–35% betterReliability / rate standing
- Capital ranking basisage + conditionprobability × consequenceReliability per $
- Forced outage rate on ranked assets2–7%1–4%Risk / cost
- Capital deferred from low-consequence work~0%10–20%Rate-case envelope
- Prudency findings per rate cycle3–150–5Regulatory standing
The two lines a commission staffer reads first are the ranking basis and the prudency findings: together they say whether your capital is pointed at the right assets and whether you can prove it. The other three say the bet paid off.
AI’s job: rank the fleet, recommend the timing — not run the grid
Be precise about what the AI is and isn’t doing, because the wrong framing is what gets these programs killed in safety review. The model is not closing breakers or dispatching crews on its own. Its job is narrow and high-leverage: score every asset for failure probability, weight it by consequence, produce the ranked list, and recommend the intervention and its timing — inspect now, repair this quarter, replace next cycle, or leave it and revisit. It turns a fleet of hundreds of thousands of assets, which no planning team can rank by hand, into a prioritized worklist your scarce crews and constrained capital can actually execute against.
Two design choices keep that useful instead of dangerous. First, the model reads from your authoritative systems — EAM, SCADA, historian, GIS — and never writes back into them; the asset register and the live grid state stay exactly what they are, and the ranking is a layer that reads truth and proposes order without ever becoming a path into operations. Second, the consequence model is yours: the weights on critical load, redundancy, restoration time, and wildfire or gas exposure are your encoding of what your territory treats as unacceptable, versioned and testable, not a vendor’s generic score. Your peers can buy the same asset-health analytics tomorrow; what they cannot buy is the library of consequence weights and override patterns your planners have tuned to your topology — that accumulated judgment is the part that compounds, and it lives in the prioritization logic, not in the model.
Defensibility: the ranking is the rate-case exhibit
A condition-based plan is only worth funding if it survives the proceeding, and the thing that makes the difference between “innovative” and “imprudent” in front of a commission is whether every defer-and-accelerate decision carries its reasoning with it. So the prioritization is built to be filed. The policy is executable, versioned rules — not a slide the planning team forgets — so the basis for every decision is the same auditable object across the whole fleet:
RULE GridCapitalPriority
WHEN asset.failure_consequence_score >= 80
THEN priority = "Accelerate" // high-consequence: move up the plan
WHEN asset.age_years >= 40 AND asset.failure_consequence_score < 30
THEN priority = "Defer" // old but low-consequence: free capital
WHEN asset.wildfire_or_gas_exposure == true
THEN require_engineer_signoff = true // public-safety class: human signs
WHEN forecast.grid_state_confidence < 0.70
THEN require_planner_review = true // uncertain grid state -> human gate
DECISION: rank by (probability_of_failure * failure_consequence_score)
And every ranking emits one durable, replayable event — the record you hand the commission, complete with the inputs, the policy version that produced it, and whether a human overruled the model:
{
"eventType": "GridCapitalPrioritized",
"assetId": "XFMR-77219",
"feeder": "FDR-11A",
"probabilityOfFailure": 0.21,
"failureConsequenceScore": 84,
"customersAtRisk": 6420,
"criticalInfrastructureBehind": true,
"wildfireOrGasExposure": false,
"priority": "Accelerate",
"recommendedAction": "AccelerateReplacement",
"policyVersion": "energy.capital.v12",
"modelVersion": "asset-risk-3.4.1",
"engineerSignoff": "RPE-0042",
"operatorOverride": null,
"evaluatedAt": "2026-02-24T21:09:55Z",
"correlationId": "eng-332ab8"
}
What makes that event an exhibit and not just a log line: a correlation ID across every step, the policy and model version stamped on each decision, idempotent replay so the ranking reproduces under examination, an operatorOverride field that captures who overruled the model and why, and a plain-language reason a regulator can read. When staff asks “show me the basis for deferring this asset class,” the answer is a query, not a search through a planner’s memory — and the engineer’s sign-off on the public-safety classes is right there in the record.
Where the model acts, and where an engineer must sign
The whole program turns on one line that the calendar never had to draw: which of these decisions a model is allowed to make on its own, and which one a human owns. On a grid, that line is not negotiable downward, and it does not move just because the model got more accurate — it moves only where a wrong call is cheap to reverse and harms no one.
The principle under the grid is that the consequence of being wrong, not the model’s confidence, sets the gate. Deferring a genuinely high-consequence asset can put a hospital feeder one storm away from a sustained outage; deferring a low-consequence one wastes nothing and risks no one — so the first requires a named engineer’s sign-off and the second can flow through. The model is allowed to do the volume work no human can: re-score and re-rank the fleet continuously, surface what changed, and assemble the evidence the planner needs. Every consequential acceleration or deferral, and every asset in a wildfire or gas-exposure class, lands on an engineer’s desk with the rationale already attached. And the OT boundary is absolute: high-volume historian and SCADA signals get ranked inside your boundary, read-only, and nothing in this system ever earns a path to write or command on a restricted segment. Ownership is explicit, not assumed:
| Role | RACI | Responsibility |
|---|---|---|
| VP Asset Management / COO | A | Owns the capital-prioritization policy the commission sees |
| Reliability Planning Engineer | R | Reviews rankings; signs off on accelerate/defer, with reason |
| Field / Asset Lead | R | Executes deferral and acceleration safely |
| OT Security | C | Enforces read-only access to restricted segments |
| Regulatory / Rate-case liaison | C | Reviews reliability reporting and prudency evidence |
| CFO / Board | I | Receives reliability-per-dollar and audit dashboards |
The board’s criteria — and the funded path
Fund this the way you fund any capital bet that has to prove itself before it scales: a 90-day proof on one asset class, a 12-month expansion across the fleet, then reuse — each tranche released only when the prior one shows the numbers move and the controls hold.
- First 90 days — prove it on one asset classBaseline the five KPIs and name the policy owner. Ship the consequence-weighting rules and the prioritization event contract. Run the ranking in recommend mode behind the engineer gate, with override logging on from day one.
- Months 4–12 — extend across the fleetReuse the prioritization layer across transformers, feeders, and turbines. Add drift and forecast-confidence telemetry. Standardize policy and contract testing in CI. Carry the first risk-ranked tranche into the rate case as evidence.
- Ongoing — govern the cadenceWeekly: ranking health, overrides, forecast drift. Monthly: the reliability / capital / regulatory KPI review. Quarterly: control-maturity and a refresh of the consequence weights as the grid changes.
At every gate, the board is holding the program to four questions: Which reliability metric moved, and by how much? How much capital did we defer versus accelerate, and can we name why for each? Are the controls automated and auditable enough to file? What did we build — policies, consequence weights, event records, override logs — that the next asset class reuses for free? That last one is what bends the cost curve: the first asset class pays for the whole prioritization layer; the second pays only for its own consequence weights; by the fourth or fifth you are ranking new classes at a fraction of the first one’s cost, and reliability-per-dollar compounds as the encoded judgment grows.
There is one more reason this is the right bet now rather than later. DER, electrification, and weather volatility are making the grid less predictable every year, which means the calendar-based plan — already wrong — gets wronger as the load it was tuned to stops holding still. A consequence-ranked plan with a logged human gate is precisely the structure that stays defensible when the grid stops behaving: you are not wagering on a model fit to last year’s loading, you are wagering on a prioritization you can re-run, re-explain, and re-file every time the territory shifts under you.
What we covered
You will never know in advance which transformer fails next storm. What you can do is make sure the capital and the crews are already pointed at the assets most likely to take the grid down — and walk into the rate case able to prove, asset by asset, that you aimed them there on purpose.
References: NERC reliability standards · SAIDI/SAIFI reporting · wildfire & gas-safety asset risk · OT/IT segmentation · asset-health & failure-consequence modeling · NIST AI RMF · NIST CSF 2.0 · CISA Secure by Design.