When I worked at a famous nuclear power plant all of our critical systems had a 100% identical backup system, A and B. Each of these systems had two emergency safeguard activation systems (ESAS) monitoring them. System A had ESAS A&C monitoring it. System B had ESAS B&D monitoring it. Then the ESAS system had a two-out-of-three logic scheme monitoring it. All of this was designed and built before the advent of PLCs.
All systems there also used what I would call passive redundancy. Every wire, relay, bolt, etc. was de-rated. #10 wire could be loaded to 15A, etc.
So I guess the question of how much redundancy you need depends on how ugly things could get if the primary system fails.