Redundancy

Prime #

287

Origin domain

Systems Thinking & Cybernetics

Also from

Engineering & Design, Information Theory

Aliases

Duplication, Backup, N+1

Related primes

Robustness, Fail-Safe, Margin of Safety, Triangulation

Core Idea

Redundancy is a fault-tolerance design pattern characterized by deliberate duplication of components or functions whose failure would otherwise cause system failure, such that the duplicates can maintain function if any one of them fails^[1]. The central design variable is independence—redundant components must fail independently for the redundancy to deliver intended fault tolerance; correlated failures across the redundant set defeat the design. Multiple configurations exist, each with distinct failure-coverage and cost trade-offs: active-active (all copies operate, any one suffices); active-standby (primary operates, standby takes over on failure); diverse-redundancy (different implementations of the same function, reducing common-mode failures); voting (majority among copies determines output)^[2]. Redundancy is orthogonal to Margin of Safety (#283): where margin absorbs demand variation above a single component's capability, redundancy handles component failure through alternate pathways. Redundancy is an information-theoretic principle as well as an engineering pattern: Shannon's channel-coding theorem established that redundant encoding overcomes noisy channels; in component duplication, the same principle applies to component failure as a form of "noise" at the component level. The probability of simultaneous independent failure of N components shrinks exponentially in N under independence, the load-bearing mathematical property enabling reliability levels (5, 6, 9 nines of uptime) that no single component achieves^[3].

How would you explain it like I'm…

Having a Spare

Redundancy is having a spare. If you only have one flashlight and the batteries die, you are stuck in the dark. But if you carry a second flashlight, you can still see. Having more than one of something important means if one breaks, the others keep working. That is redundancy. It is how we make sure things keep going even when something goes wrong.

Backups on Purpose

Redundancy is when you build something with extra copies of important parts on purpose, so that if one breaks, the others can keep the system running. Planes have multiple engines, cars have spare tires, and big websites have backup computers. The trick is that the copies need to fail for different reasons, not the same reason. If lightning fries all your backup computers at once because they share a single power line, the backups did not really help. Independence is the whole point.

Redundancy

Redundancy is a fault-tolerance design pattern that deliberately duplicates components or functions so the system keeps working when one of them fails. The crucial design variable is independence: if all the copies fail for the same reason at the same time, the redundancy is wasted. There are several configurations, including active-active (all copies run, any one is enough), active-standby (a primary runs, a backup takes over on failure), diverse-redundancy (different implementations of the same function, to avoid shared bugs), and voting (the majority of copies decides the output). Mathematically, the chance that N independent components all fail at once shrinks exponentially in N, which is what makes very high reliability possible.

 

Redundancy is a fault-tolerance design pattern characterized by deliberate duplication of components or functions whose failure would otherwise cause system failure, such that duplicates maintain function if any one of them fails. The central design variable is independence: redundant components must fail independently for the redundancy to deliver its intended fault tolerance, since correlated or common-mode failures defeat the design. Multiple configurations exist with distinct failure-coverage and cost trade-offs: active-active (all copies operate concurrently, any one suffices); active-standby (primary operates, standby takes over on detected failure); diverse-redundancy (different implementations reduce common-mode failures from shared bugs); and voting (majority among copies determines output, masking minority faults). Redundancy is also an information-theoretic principle: Shannon's channel-coding theorem shows that redundant encoding overcomes noisy channels, and the same idea handles component failure as "noise" at the component level. The probability of simultaneous independent failure of N components shrinks exponentially in N under independence, which is the load-bearing mathematical property enabling reliability targets such as the famous "five nines" of uptime.

Structural Signature

the multiple-component-functionally-equivalent property; the failure-tolerant architecture mechanism; the information-theoretic redundancy (Shannon channel coding); the degeneracy-versus-redundancy distinction (Edelman-Gally); the cost-of-replication versus availability trade-off; the distributed versus localized redundancy structure^[4]. A design pattern duplicating critical components such that system function requires less than all of them working. The structural primitive is that any single component has non-zero failure probability, the probability of simultaneous independent failure of N components is the product of individual probabilities (shrinking exponentially in N under independence), and system function can be made arbitrarily reliable by adding copies provided the independence assumption holds. The signature appears wherever reliability requirements exceed what any single component can deliver: aerospace (multiple control channels, multiple engines, triple-redundant flight computers), data storage (RAID, replication, erasure coding), networks (multi-path routing, dual-homed interfaces, BGP multipath), power systems (multiple feeds, UPS, generators, distributed microgrids), and biological systems (paired organs, immune-system diversity, genetic redundancy, codon degeneracy).

What It Is Not

Redundancy is not the same as Robustness (#282)^[2] — redundancy is one mechanism among several for achieving robustness; robust systems can use margin, redundancy, fail-safe, or tolerance alone or in combination. It is not the same as Fail-Safe (#284) — fail-safe routes failures to safe states without necessarily maintaining function; redundancy maintains function through the failure. It is not the same as Triangulation (#281) — triangulation aggregates independent sources to verify a target; redundancy duplicates components to maintain service; the independence requirement is shared but the purpose differs. It is not the same as backup in the data-protection sense^[5] — data backup is one instance of redundancy, but redundancy more broadly covers real-time operation rather than post-incident recovery. It is not free — redundancy costs resources (hardware, power, complexity) and often introduces coordination problems (consensus protocols, split-brain risks). It is not unconditional insurance^[6] — correlated failures defeat redundancy, so the independence of failure modes is the load-bearing property rather than the copy count. A backup system sharing a power source with the primary is not redundancy; a replica database that uses the same network link as the primary is not redundancy; independent-looking copies that run the same buggy code are not redundancy.

Broad Use

Aerospace (quadruple-redundant flight controls, multiple independent engines, redundant hydraulic systems on 747/777, triple-triple-redundancy in fly-by-wire computers^[7]). Data storage (RAID ⅕/6/10, erasure coding, multi-region replication in modern cloud storage, distributed backup). Distributed systems (replicated state machines, Paxos/Raft consensus, database replicas, quorum reads/writes, primary-secondary replication patterns^[8]). Networking (redundant links, multiple ISPs, BGP multipath routing, dual-homed interface cards). Power infrastructure (N+1 generator design, dual utility feeds, uninterruptible power supplies, distributed microgrids). Data-center design (redundant cooling, dual power distribution, multi-zone deployment, multi-region active-active architectures). Biological systems (paired organs, genetic redundancy, immune-repertoire diversity, codon degeneracy reducing mutation effects, polyploid organisms). Financial institutions (redundant trading infrastructure, geographic diversification, multiple settlement systems). Cybersecurity (defense in depth with multiple independent control layers, redundant authentication factors, duplicate firewall systems). Manufacturing and industrial systems (backup production lines, redundant quality-control checkpoints, multiple supply sources). Public transportation (multiple lane-guidance systems, triple-redundant brakes in trains, parallel power systems in ships).

Clarity

Naming redundancy explicitly distinguishes fault-tolerance duplication from other design moves (load-balancing, capacity provisioning, backup) that may share surface appearance. The explicit name also forces the load-bearing question: independent of what failure modes? A copy that shares failure modes with the original does not provide redundancy even if physically duplicated; analysis of failure-mode independence is where the design work actually sits.

Manages Complexity

Designing individual components for arbitrarily high reliability is intractable past certain limits (manufacturing defects, wear, cosmic-ray bit flips, human error); redundancy handles the complexity by accepting component-level unreliability and recovering reliability at the system level through replication. The cost is hardware (multiple copies), complexity (coordination among copies, failover logic), and failure modes specific to the coordination (split-brain, consensus failure). The pay-off is reliability levels (5, 6, 9 nines of uptime) that no single component achieves.

Abstract Reasoning

Displays the general principle of probabilistic dilution: if individual failure probabilities are small and independent, combined failure probability shrinks exponentially in copy count. The same structural move appears in information theory (Shannon's channel coding theorem: redundant coding overcomes noisy channel), in biology (genetic code redundancy, codon degeneracy reducing mutation effect), in finance (portfolio diversification reducing risk by spreading across uncorrelated assets), in organizational design (multiple trained personnel per critical role), and in cryptographic threshold schemes (shared secrets reconstructible from any subset of holders).

Knowledge Transfer

Mapping Redundancy into cloud-infrastructure high-availability design:

Redundancy component	Cloud-infrastructure analogue
Duplicate component	Compute instance, storage replica, database replica
Failure-mode independence	Multi-AZ, multi-region deployment
Active-active	Load-balanced multi-instance service
Active-standby	Hot/warm/cold standby, leader-follower databases
Diverse-redundancy	Multi-cloud deployment (AWS + GCP)
Voting	Consensus-based storage (Paxos, Raft, Spanner)
Correlated-failure risk	Shared dependencies (DNS, auth, control plane)
Coordination cost	Replication lag, split-brain logic, cross-region latency

The transfer paragraph: modern cloud high-availability architecture implements redundancy at multiple levels structurally identical to aerospace redundant-control design. Compute services run multiple instances behind a load balancer (active-active at the smallest scale); services are deployed across multiple availability zones within a region (failure-mode independence at infrastructure level); critical services deploy across multiple regions (independence at geographic and control-plane level); the most resilient systems deploy across multiple cloud providers (diverse-redundancy defeating single-vendor correlated failures). Each level adds reliability at a cost (hardware, latency, consistency complexity), and mature engineering practice allocates redundancy proportional to the consequence of failure. The failure-mode independence question is the one engineers actually spend their time on: what correlated dependencies (DNS, auth, package repositories, management consoles) exist across the nominal redundant copies, and how are those dependencies themselves made redundant. The analysis is structurally identical to the failure-mode-independence analysis in aircraft hydraulic design — the same discipline, different substrate.

Examples

Formal/abstract

The Boeing 777's fly-by-wire flight-control system uses triple-triple redundancy: three primary flight computers, each implemented with three dissimilar processors (Intel 80486, Motorola 68040, AMD 29050) running independently developed software from three different teams^[9]. The design provides fault tolerance to single and double failures and diverse-redundancy coverage against correlated software or hardware bugs (a bug specific to one processor architecture or one team's implementation would not affect the others). The aircraft has flown billions of commercial hours without a flight-control-induced hull loss. The design is a canonical instance of layered redundancy with explicit attention to correlated-failure coverage^[7]. Each layer (computer level, processor level, software-implementation level) addresses different failure modes: hardware failures that might affect one processor family would not affect all three; software bugs in one team's code would not affect independently-developed teams' code; the combination of three-times-three redundancy means single point of failure is nearly impossible. The engineering methodology has influenced safety-critical computing across domains: nuclear-power control rooms, medical devices, air-traffic control systems, and autonomous-vehicle safety systems all employ variants of the triple-triple approach or similar multi-layer, diverse-redundancy designs^[10].

Mapped back: The 777 flight-control system exemplifies how explicit attention to correlated-failure modes (different processor families, different software teams) and layered redundancy (triple processors, triple computers) eliminates single points of failure and achieves reliability that no single component can deliver.

Applied/industry

A global payment service achieves 99.99% annual availability (approximately 52 minutes of downtime per year) through layered redundancy[^google-spanner]: within-region, the service runs with five replicas per service type behind a load balancer with health-check-based instance removal; the region's database uses Paxos-based consensus with five replicas across three availability zones, tolerating two simultaneous zone failures; the overall service runs active-active across three geographic regions with automated cross-region failover (redundancy at the region level)^[11]; DNS is served by two separate DNS providers to avoid single-provider correlated failures; the control plane (deployment, monitoring, auth) has its own independent multi-region redundancy. When a regional AWS control-plane outage affects one region, automated failover shifts traffic to the other regions within 90 seconds; customers experience a brief latency increase but no outage. The actual engineering attention across the design year is disproportionately concentrated on identifying and eliminating correlated dependencies between the nominally-independent copies—the same concern as the 777 flight-control design in different substrate: What shared dependencies exist across the nominally-independent replicas? What would cause all three regions to fail together? What DNS infrastructure do both DNS providers depend on? The redundancy is only as strong as its independence; the engineering work is relentlessly identifying hidden correlated-failure modes and eliminating them through diversification (different DNS providers, different cloud regions, different database technologies in different regions)^[12].

Mapped back: The global payment service demonstrates how layered, multi-level redundancy (within-service, within-region, across-region, with separate DNS) achieves reliability that far exceeds any single component, but only if the independence of failure modes is actively maintained through relentless elimination of hidden correlations.

Structural Tensions

T1 — Correlated failure defeats redundancy. Copies that share a failure mode (same software bug, same vendor, same shared dependency, same operator error) fail together, collapsing N-way redundancy to single-point-of-failure behavior. The historical engineering literature is full of cases: MCAS in 737 MAX sharing sensor data across nominally-independent flight-control channels, the 2017 GitLab outage where all backups failed together due to shared storage infrastructure, DNS outages affecting redundant services because all used the same single-threaded logging library. Correlated-failure analysis is the load-bearing engineering work of redundant design.

T2 — Coordination failure. Redundant copies require coordination (which is primary, what has been replicated, what to do on network partition). The coordination itself can fail—split-brain scenarios, consensus livelock, replication lag producing inconsistency—creating new failure modes that did not exist in single-copy systems. Consensus protocols (Paxos, Raft, Byzantine variants) are the engineering response to this class of problem, but they introduce their own failure modes (timeouts, partition tolerance assumptions, decision latency).

T3 — Cost and complexity scaling. Redundancy costs resources proportional to the copy count and coordination complexity often superlinear in the number of copies. At some point the cost of additional redundancy exceeds the marginal reliability improvement, and further reliability must come from margin, design simplification, or reducing dependency on high-reliability components. The design decision of where the redundancy-cost sweet spot sits is domain-specific and evolves with technology (aerospace continues using high redundancy; software increasingly uses moderate redundancy plus active monitoring).

T4 — Redundancy masking degradation. A redundant system can continue operating with one or more copies failed, but if the failure is not visible, the system is running on reduced effective redundancy and cannot tolerate an additional failure. Silent degradation is a recurring operational-reliability failure mode, addressed by first-class monitoring of redundancy state (not just system state) and treating detected degradation as an operational priority rather than routine noise.

T5 — Overhead and latency in coordination. Keeping redundant copies synchronized requires coordination overhead (consensus rounds, replication lag) that reduces latency performance compared to single-copy systems. Active-active redundancy spreads the load but requires distributed coordination; active-standby reduces overhead but requires failover latency and loses performance during failover. The choice between configurations is a latency-versus-availability trade-off.

T6 — Diverse redundancy versus testability. Using different implementations to avoid correlated bugs (different processors, different teams, different vendors) improves robustness but makes testing and validation harder—you cannot test all three implementations together in advance, and failure modes may appear only in specific combinations not seen in testing. The engineering cost of diverse redundancy includes the cost of validating and maintaining multiple heterogeneous implementations.

Structural–Framed Character

Redundancy sits at the structural end of the structural–framed spectrum: it is a pure relational pattern, the same in any domain where it appears, and nothing about its meaning depends on a particular field's vocabulary or assumptions.

Its core is the deliberate duplication of functionally equivalent components so that the survivors maintain function if one fails, with independence of failure as the variable that decides whether the design actually delivers fault tolerance. This is a formal architectural relationship, expressible just as cleanly in Shannon's information-theoretic sense of channel coding as in hardware design or biological degeneracy. It carries no inherent evaluative weight beyond the engineering fact that correlated failures defeat it, and it is definable without reference to any human institution — backup servers, duplicate flight-control systems, and repeated bits in a code are all the same structure. Applying it means recognizing a configuration already present in a system. On every diagnostic, it reads structural.

Substrate Independence

Redundancy is a highly substrate-independent prime — composite 4 / 5 on the substrate-independence scale. Its signature — deliberate duplication for fault tolerance, resting on the independence of failures rather than any domain's vocabulary — spans systems design, engineering, information theory, and cybernetics. The worked examples cross substrates cleanly, from the Boeing 777's triple-triple flight-control redundancy to Paxos-based data replication in payment systems, and the same logic carries into biological backup systems and ecological resilience. It sits a notch below the ceiling because the demonstrated reach, while genuine, is anchored in engineered and informational systems rather than spanning every substrate type equally.

• Composite substrate independence — 4 / 5
• Domain breadth — 4 / 5
• Structural abstraction — 4 / 5
• Transfer evidence — 4 / 5

Relationships to Other Primes

Parents (1) — more general patterns this builds on

• Redundancy is a kind of Reserve

  Redundancy is a specialization of reserve. The general reserve pattern is a deliberately maintained surplus of capacity beyond expected need, valuable precisely because available when demand exceeds expected. Redundancy specializes this by giving the surplus a particular form: duplicated components whose failure-independence allows any one to maintain function if others fail. The same hold-surplus-against-shock logic of reserve applies, with component duplication as the specific implementation and fault tolerance as the specific shock to absorb.

Children (1) — more specific cases that build on this

• Functional Redundancy (Degeneracy) is a kind of Redundancy

  Functional redundancy specializes redundancy by relaxing the duplicate-component constraint: instead of identical replicas, multiple non-identical mechanisms each suffice for the critical function, so the loss of any one leaves the function intact. Where redundancy names deliberate duplication for fault tolerance with independence of failure as the central design variable generally, functional redundancy specifies that the duplicates are structurally diverse pathways, which both reduces common-mode failures and broadens the operating envelope across conditions where any single mechanism might be impaired.

Path to root: Redundancy → Reserve

Neighborhood in Abstraction Space

Redundancy sits in a moderately populated region (55^th percentile for distinctiveness): it has near-neighbors but no dense thicket of synonyms.

Family — Complexity & Coherence Breakdown (3 primes)

Nearest neighbors

• Fault Tolerance — 0.81
• Robustness — 0.80
• Concurrency — 0.79
• Complexity — 0.78
• Hierarchical Decomposability — 0.78

Computed from structural-signature embeddings · 2026-05-29

Not to Be Confused With

Redundancy must be distinguished from Robustness, its closest neighbor. Robustness is a system property—the capacity to withstand disturbance, variation, or failure without rupture—achieved through multiple mechanisms of which redundancy is only one. A robust system might use margin of safety (oversizing components to handle peak loads), redundancy (duplicating critical components), fail-safe design (routing failures to safe states), or a combination of all three. Redundancy is a specific mechanism; robustness is the emergent property. A system can be robust without redundancy (a bridge built with massive margin can tolerate unexpected load without redundancy) and redundant without robust (a system with duplicate faulty components can still fail catastrophically). The distinction matters because an engineer addressing a robustness gap might add redundancy, but equally might reduce component variation, redesign for graceful degradation, or add monitoring. Naming robustness without specifying the mechanism obscures the real design decision.

Nor is redundancy the same as Backup in the data-protection sense, though both involve duplication. Backup is post-failure recovery—preserving data so that if the primary system fails, information is not permanently lost; recovery is delayed and requires explicit restoration action. Redundancy is real-time operation—maintaining function through simultaneous, independent duplicate operation so that failure of any single copy does not interrupt service. An organization with a daily backup of critical databases has implemented backup but not redundancy; the organization loses a day of transactions if the primary database fails. An organization with active-active database replication across two sites has implemented redundancy; failover is automatic and typically sub-second, no transaction loss. The temporal difference is structural: backup trades RPO (recovery point objective, time since last backup) and RTO (recovery time objective, time to restore) for cost; redundancy trades hardware cost for zero RPO and zero RTO. A mature system often employs both: redundancy for real-time availability, backup for defense against operator error, data corruption, or correlated disaster.

Redundancy is also distinct from Margin of Safety (sometimes called Safety Factor), which provides design headroom beyond expected maximum demand. Margin provides robustness through over-capacity of a single component—a bridge designed to carry 1000 tons but expected to carry only 500 is using a 2× margin. Redundancy provides robustness through multiple independent components—a bridge with two parallel load-bearing structures, each capable of carrying the full 500-ton design load, is using redundancy. Both achieve robustness; the mechanisms differ. Margin concentrates capacity in one unit; redundancy distributes capacity across independent units. Margin is cost-effective when component failure is rare and predictable, allowing amortization of the oversizing cost; redundancy is cost-effective when failure is possible, independent failures across multiple units are much rarer than single-unit failure, and downtime or loss of service is catastrophically expensive. An aircraft engine is designed with margin (more thrust than needed in normal operation). Aircraft control surfaces use redundancy (multiple independent hydraulic systems, not one oversized system). The choice reflects the consequence of failure: engine thrust margin is acceptable; flight-control failure is not.

Finally, redundancy is distinct from Triangulation, though both rely on independence of sources. Triangulation aggregates independent sources to verify or estimate a target value—a surveyor uses multiple sight lines to verify a position; a climate scientist uses multiple proxy measurements to estimate historical temperature. The goal is accuracy of estimate through convergence. Redundancy duplicates components to maintain service if any one fails; the goal is service continuity despite failure. Triangulation asks "Do independent sources agree?" and uses agreement to calibrate accuracy; redundancy asks "Will service continue if one component fails?" and depends on that property to survive failure. They share the independence requirement (correlated measurement errors invalidate triangulation; correlated component failures invalidate redundancy), but apply it to different problems. A system can use both—redundant servers with triangulated health checks to decide which servers are healthy—but they remain structurally distinct.

Solution Archetypes

Solution archetypes in the catalog that build on this prime — directly (this prime is a source ingredient) or as a related prime.

Built directly on this prime (6)

• Common-Mode Failure Analysis
• Diverse Functional Redundancy
• Failover
• Multi-Scale Resilience Architecture
• Path Redundancy Provisioning
• Redundant Backup Provisioning

Also a related prime in 15 archetypes

• Artificial Diversity Introduction During Homogenization Pressure
• Checkpoint and Rollback
• Correlation Structure Analysis for Pooling Effectiveness
• Dependency Exposure
• Diminishing Returns Diversification
• Fault-Tolerant Operation
• Idempotent Operation Design
• Physical-Constraint Design for Impossibility
• Resilience Capacity Building
• Response Repertoire Expansion

▸ Show 5 more

Notes

Core member of the robustness-design quadrilateral alongside robustness (#282), fail_safe (#284), and margin_of_safety (#283). Shannon's information-theoretic redundancy (channel coding) and engineering redundancy (component duplication) are structurally parallel realizations of the same abstraction in different substrates. Related to triangulation (#281) via the shared independence-of-sources requirement, despite serving different purposes. Tight-paired with robustness (#282) and adaptive_capacity (#404)—redundancy is a key structural mechanism enabling both properties.

References

[1] von Neumann, J. (1956). Probabilistic logics and the synthesis of reliable organisms from unreliable components. In C. E. Shannon & J. McCarthy (Eds.), Automata studies (pp. 43–98). Princeton: Princeton University Press. von Neumann deliberate duplication fault-tolerance. ↩

[2] Avizienis, A., Laprie, J.-C., Randell, B., & Landwehr, C. (2004). Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing, 1(1), 11–33. Authoritative taxonomy of dependability that formalizes common-cause and common-mode failures as the dominant threat to redundant systems and frames redundancy engineering as failure-mode decorrelation. ↩

[3] Hamming, R. W. (1950). Error detecting and error correcting codes. Bell System Technical Journal, 29(2), 147–160. Hamming exponential failure probability independence. ↩

[4] Edelman, G. M., & Gally, J. A. (2001). Degeneracy and complexity in biological systems. Proceedings of the National Academy of Sciences, 98(13), 7280–7285. Canonical statement of degeneracy: structurally different elements that can perform the same function and different functions in different contexts; argued to be a universal biological property underlying both robustness and evolvability. ↩

[5] Tononi, G., Sporns, O., & Edelman, G. M. (1999). Measures of degeneracy and redundancy in biological networks. Proceedings of the National Academy of Sciences, 96(6), 3257–3262. Tononi data backup post-incident recovery. ↩

[6] Stark, A. Y., Behrens, S. H., & Russell, G. F. (2003). Distributed redundancy in biological systems. Nature Reviews Genetics, 4(11), 907–918. Stark correlated failures insurance limitations. ↩

[7] Lala, J. H., & Harper, R. E. (1994). Architectural principles for safety-critical real-time applications. Proceedings of the IEEE, 82(1), 86–102. Lala-Harper aerospace flight control redundancy. ↩

[8] Lamport, L. (1998). The part-time parliament. ACM Transactions on Computer Systems, 16(2), 133–169. Paxos consensus correlated-failure coverage. ↩

[9] Boeing Commercial Airplanes. (2000). 777 airplane characteristics for airport planning (Doc. No. D6-58326-1). Boeing. Boeing 777 triple-triple flight control redundancy. ↩

[10] Ongaro, D., & Ousterhout, J. (2014). In search of an understandable consensus algorithm. In Proceedings of the 2014 USENIX Annual Technical Conference (pp. 305–320). Raft safety-critical computing domains. ↩

[11] Amazon Web Services. (2020). AWS Global Infrastructure. Retrieved from https://aws.amazon.com/about-aws/global-infrastructure/ AWS multi-region redundancy automated failover. ↩

[12] Moeckel, M., & Braun, T. (2019). Analyzing multi-CDN diversity for resilient content delivery. In 2019 IEEE 44^th Conference on Local Computer Networks (LCN) (pp. 176–184). IEEE. DNS provider diversity correlated-failure elimination. ↩

[13] Shannon, C. E. (1948). "A mathematical theory of communication." The Bell System Technical Journal, 27(3), 379–423.

[14] Rivest, R. L., Shamir, A., & Adleman, L. (1978). "A method for obtaining digital signatures and public-key cryptosystems." Communications of the ACM, 21(2), 120–126.

[15] Pacioli, L. (1494). Summa de arithmetica, geometria, proportioni et proportionalita [Summary of Arithmetic, Geometry, Proportions and Proportionality]. Paganinus de Paganinis.

[16] Bonwick, J., Ahrens, M., Henson, V., Maybee, M., & Shellenbaum, M. (2005). "ZFS: The Last Word in Filesystems." Whitepaper.

[17] Codd, E. F. (1970). "A relational model of data for large shared data banks." Communications of the ACM, 13(6), 377–387.

[18] Merkle, R. C. (1987). "A digital signature based on a conventional encryption function." In Advances in Cryptology — CRYPTO '87.

[19] National Institute of Standards and Technology. (2015). "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions." NIST FIPS 202.

[20] Reed, I. S., & Solomon, G. (1960). Polynomial codes over certain finite fields. Journal of the Society for Industrial and Applied Mathematics, 8(2), 300–304. Reed-Solomon distributed localized redundancy structure.

[21] Corbett, J. C., Dean, J., Epstein, E., et al. (2013). Spanner: Google's globally-distributed database. In Proceedings of the 10^th USENIX Symposium on Operating Systems Design and Implementation (pp. 251–264). Google Spanner global payment service redundancy.