Adding redundancy can cause failure as easily as it mitigates failure. This counterintuitive result from Resilience Engineering directly contradicts the intuitive assumption that more backup = more safety.

## The Challenger Example

The 1986 Challenger disaster: redundancy of O-rings was one of three reasons NASA approved continued launches, despite known damage to the primary O-ring across 50+ missions over five years. The presence of the backup O-ring created **moral license** — decision-makers rationalized that damage to the primary was acceptable because the backup existed.

The redundancy didn't fail mechanically — it failed organizationally by changing human decision-making.

## Why Redundancy Can Backfire

1. **Moral license**: Backup components reduce perceived urgency to fix primary components
2. **Complexity increase**: Each redundant component adds interactions that can produce emergent failures (see [[Rational Fallback Cascade]])
3. **False confidence**: Redundancy builds confidence that may not be warranted — the backup may share a common failure mode with the primary
4. **Operational complacency**: Teams stop testing failover because "the redundancy is there"
5. **Cost-driven erosion**: Over time, redundancy gets optimized away for efficiency, but the safety assumptions built on it remain

## CE vs Antifragility on Redundancy

| Approach | Prescription | Problem |
|----------|-------------|---------|
| **Antifragility** | Add redundancy to get stronger | Ignores organizational and emergent failure modes |
| **Resilience Engineering** | Study what goes right, not just what goes wrong | Redundancy that changes human behavior is net negative |
| **Chaos Engineering** | Test whether redundancy actually works under realistic conditions | Experimentation over assumption |

CE's value: it doesn't assume redundancy works — it verifies it. A chaos experiment that takes down the primary reveals whether the backup actually functions and whether the team actually responds correctly.

## Cross-Domain Applications

**Financial Risk**: Diversification (financial redundancy) can fail when assets are correlated — 2008 showed that "diversified" mortgage-backed securities all failed together. The redundancy was illusory.

**Aviation**: Dual-engine aircraft have redundancy, but both engines share fuel systems, electrical systems, and the same pilot. Common-mode failures defeat redundancy. Aviation safety research extensively documents this.

**Organizational**: Having a backup person for every role (redundancy) can reduce each person's sense of ownership. "Someone else will catch it" is the organizational equivalent of the O-ring rationalization.
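The chaos-experiment idea above ("take down the primary and see whether the backup actually functions") and the common-mode point from the cross-domain section can both be shown in a few lines. The following is an added example written for this note, not code from any project it mentions: a toy primary/backup service with injectable faults, a `run_chaos_experiment` harness that applies one fault, observes, and always reverts, and an `outage_probability` helper that contrasts the naive independent-failure estimate with the estimate when both replicas share a dependency. All names (`Replica`, `Dependency`, `Service`, the failure rates) are constructed for illustration.

```python
"""Added example: does the backup really cover for the primary?

Models two deployments: one where primary and backup have independent
dependencies, and one where they share a single dependency (the
"common-mode" case). Constructed for illustration only."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Dependency:
    """Something a replica needs to serve, e.g. a database or credential store."""
    name: str
    healthy: bool = True


@dataclass
class Replica:
    name: str
    deps: List[Dependency]
    healthy: bool = True

    def can_serve(self) -> bool:
        # A replica serves only if it and every dependency are healthy.
        return self.healthy and all(d.healthy for d in self.deps)


@dataclass
class Service:
    primary: Replica
    backup: Replica

    def handle_request(self) -> str:
        """Return which replica served, or 'outage' if neither could."""
        if self.primary.can_serve():
            return "primary"
        if self.backup.can_serve():
            return "backup"
        return "outage"


def run_chaos_experiment(service: Service, fault: Callable[[bool], None]) -> Dict[str, object]:
    """Apply a fault (fault(True)), observe behaviour, then revert (fault(False)).

    The revert runs in a finally block so a failed observation never leaves the
    injected fault in place, which is the basic hygiene of any chaos experiment."""
    before = service.handle_request()
    fault(True)
    try:
        during = service.handle_request()
    finally:
        fault(False)
    after = service.handle_request()
    return {
        "before": before,
        "during": during,
        "after": after,
        # The redundancy "worked" only if requests kept being served.
        "redundancy_effective": during != "outage",
    }


def kill(component) -> Callable[[bool], None]:
    """Build a fault that marks a replica or dependency unhealthy while active."""
    return lambda active: setattr(component, "healthy", not active)


def outage_probability(p_primary: float, p_backup: float, p_shared: float = 0.0) -> float:
    """Probability the service is down in a period.

    Outage happens if the shared dependency fails, or if it survives and both
    replicas fail independently. With p_shared == 0 this is the naive
    p_primary * p_backup figure that makes redundancy look so reassuring."""
    return p_shared + (1.0 - p_shared) * p_primary * p_backup


def build_independent_service() -> Service:
    """Primary and backup each have their own dependency."""
    return Service(
        primary=Replica("primary", [Dependency("db-a")]),
        backup=Replica("backup", [Dependency("db-b")]),
    )


def build_common_mode_service() -> Service:
    """Primary and backup both depend on one shared component."""
    shared = Dependency("shared-db")
    return Service(
        primary=Replica("primary", [shared]),
        backup=Replica("backup", [shared]),
    )


if __name__ == "__main__":
    svc = build_independent_service()
    print("independent, kill primary:", run_chaos_experiment(svc, kill(svc.primary)))
    svc = build_common_mode_service()
    print("common-mode, kill primary:", run_chaos_experiment(svc, kill(svc.primary)))
    print("common-mode, kill shared dep:", run_chaos_experiment(svc, kill(svc.primary.deps[0])))
    print("naive outage probability:", outage_probability(0.01, 0.01))
    print("with shared dependency at 1%:", outage_probability(0.01, 0.01, 0.01))
```

Killing only the primary passes in both deployments, which is exactly the false confidence the note describes: the experiment must also target what the replicas share. Killing the shared dependency in the common-mode deployment produces an outage, and the probability helper shows why the naive estimate misleads: two replicas at 1% each look like a 0.01% outage rate, but one shared 1% dependency puts the real figure back at roughly 1%.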