@_thegeoff Therac-25 was ~due to missing a new category of risks (even if the computer is not broken, the suggested might do something other than what was intended) and due to missing feedback channels from users of the equipment.
The Kaprun fire is a good example of the usefulness of defense in depth (and of how a strong single-layer defense might disappear due to mistakes/a game of telephone).
@robryk All hail Margaret Hamilton, et al.