Redundancy is provided through availability and reliability. As most redundant systems are running in pairs (HOT-STANDBY) or triple redundant, you do not get both availability and reliability. In both cases you have availability, but the reliability is reduced as you introduce more likelihood of error with an extra redundant system. The way we have solved this issue is by segmentation. This means to split the control system into parts, that you as an end-user of the control system can decide the level of acceptable fault. Since all hardware eventually will fail, we have focused on what would happen and what to do with it.