Resilience is More Than Redundancy: Why Backups Are Not Enough

A data center switches to emergency power within seconds.
The redundant systems engage as planned. The supply remains stable.

A few minutes later, the actual disruption begins.

A software error in the control system leads to incorrect prioritization of loads.
At the same time, fuel delivery is delayed.
Communication between the control center and operations partially breaks down.

All systems are in place.
And yet, the overall system gradually loses its stability.

This scenario is not a failure of individual components.
It is a system failure.

Core thesis:
Those who confuse resilience with redundancy plan for failure. But not for the crisis.

In critical or military infrastructures, disruptions rarely occur in isolation.
They arise through interactions:

• technical errors

• organizational delays

• external influences

• digital disruptions

This dynamic leads to cascading effects.

A system does not fail because a single component malfunctions.
It fails because the interplay no longer works.

This is precisely where the limits of classical redundancy concepts lie.

Redundancy means that a function is secured by alternative components. If one system fails, another takes over.

This is necessary. But it is only the foundation.
Redundancy is thus the basis for resilience but requires more technological diversity and a holistic approach to remain operational in an emergency.

In practice, redundant systems are often:

• identically constructed

• controlled in the same way

• identically integrated

However, this also means they share the same vulnerabilities:

• same software logic

• same dependencies

• same interfaces

If one of these levels fails, it affects not just one system but all of them.
In such cases, redundancy replicates a risk, not security.

A classic example would be the emergency power generator.
If all critical and military infrastructures rely on a generator in a crisis, the required diesel will soon no longer be sufficient for everyone.

Resilience does not describe the ability to bridge failures.
It describes the ability to remain operational under changing conditions.
That is, to detect disruptions, absorb them, adapt, and remain seamlessly functional in an emergency.

This shifts the perspective:

• from components → to systems

• from availability → to adaptability

• from planning → to behavior

Resilience in the energy sector is multidimensional—a complete system:

• technological (diversification)

• organizational (processes, exercises)

• regulatory (standards)

• economic (investment logic)

• social (leadership, acceptance)

A purely technical redundancy concept addresses at most one of these dimensions.

Resilience does not arise from design alone.

It arises through:

• trained processes

• tested scenarios

• clear decision-making structures

Simulation is the decisive bridge between planning and reality.
Without it, resilience remains an assumption.

Redundancy optimizes individual components.
Resilience controls the behavior of the entire system.

This difference is crucial.

Critical and military infrastructures do not function as monolithic systems but as a System of Systems:

• autonomous subsystems

• interoperably connected

• functionally coordinated

This architecture enables:

• decoupling during disruptions

• flexible adaptation

• targeted prioritization of critical loads

A system remains functional even if parts fail.

Through emergent behavior, the overall system is capable of generating abilities through the interaction of individual components that no single system possesses alone.

When systems are optimized in isolation:

• dependencies arise

• interface standards are missing

• complexity grows uncontrollably

The overall system thus becomes more vulnerable—despite local optimization.

Redundancy is tangible:
It is measurable.
It is procurable.
It is technically explainable.

Resilience is the opposite:
It is systemic.
It is dynamic.
It is not fully plannable.

That is why redundancy is often used as a substitute for resilience. Too often, the term 'resilience' is equated with redundancy, meaning the mere provision of backup systems.
Not out of ignorance, but due to structural logic:
Organizations optimize what they can directly control.

The transition does not begin with new technology but with a different perspective:

1. 1.

   Diversification Instead of Duplication
   Different technologies instead of identical systems

2. 2.

   Prioritization Instead of Equal Distribution
   Critical loads must be defined and secured

3. 3.

   Interoperability Instead of Silo Solutions
   Systems must work together

4. 4.

   Simulation Instead of Assumptions
   Scenarios must be tested

5. 5.

   Organization as Part of the System
   Processes and decisions are an integral part

Resilience is created step by step.

1. 1.

   Establish System Transparency
   Capture all components, dependencies, and critical loads

2. 2.

   Simulate Scenarios
   Blackout, cyberattack, supply failure → visibility of vulnerabilities

3. 3.

   Adapt Architecture
   Modular systems, diversification, island operation capability

4. 4.

   Integrate Organization
   Emergency plans, decision-making structures, exercises

5. 5.

   Continuous Adaptation
   Monitoring, testing, and further development

This logic corresponds to the transition from static security to adaptive resilience and thus to operational capability in any situation.