·6 min read

Engineering for Failure: Why the Best Systems Expect the Worst

#engineering#systems#reliability#backend

There is a moment every engineer recognises. You ship something. Tests pass. Staging looks good. You deploy to production and within 48 hours something breaks in a way nobody thought to test for. A third-party API returns a shape you didn't expect. A user submits a request at 3am with a timezone offset that doesn't exist. A disk fills up because nobody thought about log rotation.

The system worked perfectly. Until it didn't.

This is not bad luck. This is what production always does. And the engineers who survive it — who build things that actually stay up — share a common mindset: they design for failure first.

The Mindset Shift

Most engineers, when they start out, design for the happy path. The request comes in, the database responds, the user gets their result. Clean. Logical. Correct.

The problem is that "correct" is a narrow slice of what production actually serves you.

The real question to ask — at every layer of every system you build — is: what happens when this breaks?

Not if. When.

Networks drop packets. Databases run slow under load. Third-party services go down without warning and come back speaking a slightly different dialect than they did before. Memory leaks accumulate. A user finds a combination of inputs you never imagined. A deploy happens mid-request. The clock jumps because of daylight saving in a timezone you forgot existed.

The shift from "this should work" to "what happens when this doesn't work" is the difference between software that holds up and software that falls apart publicly.

Define the Expected Exhaustively

You cannot manage failure if you haven't first defined what success looks like — precisely.

This is not philosophical. It is practical. Before you write a single line of code, you should be able to answer:

  • What inputs does this function accept? What does it reject?
  • What states can this system be in? What transitions between states are valid?
  • What does "healthy" look like, measured in numbers — not feelings?
  • What are the guarantees this component makes to the rest of the system?

Once you have that boundary drawn clearly, everything outside it has a category. Expected failures — the ones you predicted — get retry logic, circuit breakers, fallbacks, and graceful degradation. Unexpected failures get aggressive logging, alerts, and your attention the next morning.

Over time, you convert unknown unknowns into known unknowns. Your failure taxonomy grows. Your system gets more resilient with every incident — not because you got lucky, but because you built a process for it.

Practical Techniques

This is not abstract philosophy. It has concrete expressions in how good engineering teams work.

State machines. Define every valid state and every valid transition. If the system reaches a state that isn't on the list, that's a bug, not an edge case. State machines make the implicit explicit.

Strong schemas. Use types, protobufs, OpenAPI specs, Zod validators — anything that makes "expected input" machine-enforceable rather than documentation-dependent. Documentation rots. Types don't lie.

Timeouts everywhere. The most common production failure mode is not an error — it's a hang. A downstream service stops responding and your thread pool fills up waiting. Every external call needs a timeout. Every queue needs a dead letter destination. Every job needs a maximum runtime.

Idempotency. Assume any operation might be retried. Build your writes so that running them twice produces the same result as running them once. This sounds obvious. It is rarely implemented by default.

Bulkheads. Isolate failure. If your image processing service goes down, it should not take down your checkout flow. Separate thread pools, separate processes, separate services with clear contracts between them — these are not over-engineering. They are blast radius control.

Observability. Not just monitoring — observability. There is a difference. Monitoring tells you something is wrong. Observability lets you ask why, even for failure modes you didn't predict. Logs, traces, and metrics should give you the ability to reconstruct what happened to any request, at any point in time.

The Questions That Matter After Every Failure

When something breaks — and it will — the goal is not to assign blame. The goal is to extract signal.

Four questions that should follow every incident:

  1. How did we detect this? Was it a user report, an alert, or luck? If it was luck, that's a gap.
  2. How did we recover? Was it automatic or did it require someone to be woken up at 2am?
  3. What was the blast radius? How many users were affected, and could we have contained it?
  4. What does this failure mode teach us? What assumption did we make that turned out to be wrong?

The last question is the most important. Every incident is a data point about the gap between your mental model of the system and how it actually behaves. Close that gap, update your runbooks, add the test you wish had existed, and your system gets more reliable with each cycle.

What This Is Not

This is not an argument for over-engineering. You do not need Kubernetes, a service mesh, and a chaos engineering programme for a weekend project. You do not need event sourcing and CQRS for a CRUD app with 50 users.

The appropriate level of defensive design scales with the consequences of failure. A prototype failing is a learning. A payment system failing is a crisis. Match your investment in reliability to the actual stakes.

But the mindset — the habit of asking "what happens when this breaks" before you ship — costs nothing and saves everything.

The Real World Is Adversarial

Production is not staging. Production has real users doing unexpected things, real infrastructure with its own failure modes, real time passing and edge cases accumulating. The codebase you understood completely six months ago has had twelve engineers touch it since then.

Build systems that assume they will be stressed, misused, partially failed, and running longer than you planned. Not because you are pessimistic — but because that assumption makes your software honest.

The happy path is easy to build. Building something that holds up when the happy path disappears — that is the work.

← All writing