Defence in Depth: Safety in Railway

In the CENELEC railway signalling standards, i.e. EN 50126 or EN 50129, it is mentioned (if I am not mistaken) that one of the strategies for designing a safe system is the use of Defence in Depth. My understanding of this was that there are various ways a function can be secured against a failure that would cause an unsafe situation. Apparently I was wrong. During a recent study session and discussion, the description of defence in depth was more about ensuring that the safety system can still perform its function. This sounds to me more like redundancy.

I didn’t agree, so I went online. Most search results mention defence in depth in the same breath as security. I understand that, because security is meant to protect a system from outsiders with malicious intent, so more layers of protection present more friction to the intruder and act as a deterrent, at least. In the best case, the various layers might even be able to protect the system from the intruder altogether. But this concept is a bit awkward for a safety system, because the system is trying to perform a function on the outside world, and more depth seems counterintuitive: it buries the system even deeper and requires more effort for it to perform its own function. Conversely, the idea of having multiple subsystems performing a function, so that the failure of one subsystem causes another subsystem to take over, seems to be just redundancy. There doesn’t seem to be any ‘depth’ to that, as far as I can see.

So what is defence in depth for a safety system, especially in railway? I don’t exactly know, but I think it is a bit of a misnomer. At least, that is what I have for now. I’ll come back and update this post in years to come, when I have a better grip on the concept.

Thank you for reading.