Defense in Depth

Categories: Systems
Sources: How Complex Systems Fail, Threat Modeling (Adam Shostack)

Complex systems are protected by multiple, overlapping layers of defense, so that no single failure produces catastrophe. Harm requires several defenses to fail at once.

Why it Matters

Because latent flaws are always present, robustness comes not from one perfect barrier but from layering imperfect ones. This is why complex systems are far safer than the count of their flaws would suggest, and why catastrophe is rare but never impossible.

Signals

  • Redundancy, checks, and fallbacks at several levels.
  • Incidents that required multiple barriers to fail together.
  • "How did all of these fail at once?"

Benefits

Tolerance of individual failures, rare catastrophes, and multiple chances to catch a problem before it propagates.

Risks

Defenses erode silently: one layer can be quietly broken for months with nothing noticing, because the other layers keep absorbing the traffic it used to reject. Over-trust in redundancy leads to running with several layers already gone. Layers that share a dependency (the same library, credential, config store, or parser) fail together and give far less protection than their count suggests. Each added layer also adds complexity and new failure modes of its own.

Tensions

More layers add protection but also cost, complexity, and new ways to fail. Redundancy competes directly with efficiency.

Examples

An airliner's overlapping procedures, alarms, and crew checks; in software, input validation plus rate limits plus monitoring plus rollback, none of which is trusted on its own, and each of which is periodically exercised to confirm it still rejects what it should.
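The software example above, worked through as an added illustration (this code is not from the page or its sources; every name in it is hypothetical). A small request pipeline stacks three independent gates: a path allow-list (validation), a per-client sliding-window rate limit, and a repeat-offender block fed by monitoring rejections. Two scenarios follow: one disables validation to show the later layers still stop a traversal burst; the other is the canary check against silent erosion, sending each layer traffic it must reject and flagging any layer that no longer fires, which is what a release gate should consult before deciding to proceed or roll back.

```python
import re
from collections import defaultdict, deque


class Layer:
    """One defence in the stack. `fired` counts rejections so a canary run can
    prove the layer still does work; a silently broken layer never fires."""

    def __init__(self, name, check):
        self.name = name
        self.check = check          # callable(request) -> True to allow, False to reject
        self.fired = 0
        self.enabled = True         # hypothetical kill switch used below to simulate erosion

    def allow(self, request):
        if not self.enabled:        # a dead layer lets everything through, silently
            return True
        ok = self.check(request)
        if not ok:
            self.fired += 1
        return ok


def req(path, client, ts):
    """Constructed request shape for this example: path, client id, timestamp (s)."""
    return {"path": path, "client": client, "ts": ts}


# Layer 1: validation. Conservative allow-list on the path, plus an explicit traversal check.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]*$")

def validate_path(request):
    path = request["path"]
    return bool(SAFE_PATH.match(path)) and ".." not in path


# Layer 2: sliding-window rate limit per client.
class RateLimit:
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def __call__(self, request):
        q, now = self.hits[request["client"]], request["ts"]
        while q and q[0] <= now - self.window_s:   # drop hits outside the window
            q.popleft()
        q.append(now)
        return len(q) <= self.limit


# Layer 3: monitoring turned into a gate. Rejections from any layer are recorded;
# a client with too many is refused before it reaches the application at all.
class RepeatOffenderBlock:
    def __init__(self, threshold):
        self.threshold = threshold
        self.rejections = defaultdict(int)

    def record(self, client):
        self.rejections[client] += 1

    def __call__(self, request):
        return self.rejections[request["client"]] < self.threshold


def build_pipeline():
    monitor = RepeatOffenderBlock(threshold=3)
    layers = [Layer("validation", validate_path),
              Layer("rate_limit", RateLimit(limit=5, window_s=1.0)),
              Layer("monitor", monitor)]
    return layers, monitor


def handle(layers, monitor, request):
    """Run every layer in order; return the name of the first one that rejected, or None."""
    for layer in layers:
        if not layer.allow(request):
            monitor.record(request["client"])
            return layer.name
    return None


def scenario_overlap():
    """Validation is silently broken; the traversal burst is still stopped downstream."""
    layers, monitor = build_pipeline()
    layers[0].enabled = False
    burst = [handle(layers, monitor, req("/../../etc/passwd", "attacker", i * 0.01))
             for i in range(8)]                       # 5 slip through, 3 hit the rate limit
    later = handle(layers, monitor, req("/index.html", "attacker", 5.0))  # monitor now blocks
    return burst, later


def canary_probes(monitor):
    """One probe per layer: traffic that layer must reject if it is alive (constructed here)."""
    def probe_validation(layer):
        layer.allow(req("/../secret", "canary", 0.0))
    def probe_rate_limit(layer):
        for i in range(6):                            # one more than the limit, inside one window
            layer.allow(req("/ok", "canary", i * 0.01))
    def probe_monitor(layer):
        for _ in range(3):
            monitor.record("canary")
        layer.allow(req("/ok", "canary", 0.0))
    return {"validation": probe_validation, "rate_limit": probe_rate_limit, "monitor": probe_monitor}


def dead_layers(layers, probes):
    """The check against silent erosion: report every layer that did not fire on its probe."""
    dead = []
    for layer in layers:
        before = layer.fired
        probes[layer.name](layer)
        if layer.fired == before:
            dead.append(layer.name)
    return dead


def scenario_erosion():
    """Healthy stack passes the canary; a quietly disabled rate limiter is caught by name."""
    layers, monitor = build_pipeline()
    probes = canary_probes(monitor)
    healthy = dead_layers(layers, probes)
    layers[1].enabled = False
    broken = dead_layers(layers, probes)
    return healthy, broken


if __name__ == "__main__":
    print(scenario_overlap())       # ([None]*5 + ['rate_limit']*3, 'monitor')
    print(scenario_erosion())       # ([], ['rate_limit'])
```

The point of `dead_layers` is that ordinary traffic cannot tell you a layer is gone: in `scenario_overlap` every bad request is still rejected, so dashboards look fine while validation has been off the whole time. Only a probe that each layer must reject on its own exposes the erosion, which is why the canary belongs in the release gate rather than in an alert that fires after something gets through.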