Distributed Failure: Learning Lessons From Aviation

077e9a0cb34fa3eba2699240c9509717?s=47 Andrew Godwin
April 24, 2018
Programming
2
220

Distributed Failure: Learning Lessons From Aviation

A talk I first gave at Code Europe Warsaw, spring 2018.

077e9a0cb34fa3eba2699240c9509717?s=128

Andrew Godwin

April 24, 2018
Tweet

More Decks by Andrew Godwin

See All by Andrew Godwin
077e9a0cb34fa3eba2699240c9509717?s=48 andrewgodwin
0
25
077e9a0cb34fa3eba2699240c9509717?s=48 andrewgodwin
0
36
077e9a0cb34fa3eba2699240c9509717?s=48 andrewgodwin
0
250
077e9a0cb34fa3eba2699240c9509717?s=48 andrewgodwin
0
210
077e9a0cb34fa3eba2699240c9509717?s=48 andrewgodwin
0
37
077e9a0cb34fa3eba2699240c9509717?s=48 andrewgodwin
2
550
077e9a0cb34fa3eba2699240c9509717?s=48 andrewgodwin
1
110
077e9a0cb34fa3eba2699240c9509717?s=48 andrewgodwin
0
31
077e9a0cb34fa3eba2699240c9509717?s=48 andrewgodwin
0
96

Other Decks in Programming

See All in Programming
5fc8ab822e946a8ddfa46ba15a848392?s=48 fuqda
3
280
6d64a4d4ab6201f2ce57e3befc687785?s=48 yoshi0202
0
120
465a530291aedb53fff5a6333e3dedaa?s=48 bk_18
0
140
8c6c1f0c4c41d0640ade76bd71e9e475?s=48 gishi_yama
0
120
04df7340898eac3a0536d3b47c55501c?s=48 hirotokirimaru
0
120
249b3122eee454c0a818bfe7851418e4?s=48 fromkk
2
110
82d6167c4d14393c2e20b37a74b363c5?s=48 kasacchiful
1
200
0a5d28eceda9a14b5b5f697b36620e8f?s=48 pddg
0
160
A4d1023b1de7890c67a083d14573882d?s=48 ktgrstsh
0
320
53b0aad441252758c4e5a34be31a5aa5?s=48 miya8
2
2.5k
E0e036f89c14b3e59640318eedf9670b?s=48 bkuhlmann
4
220
B0ad272b71981ca95ca337766a4aba9a?s=48 snagasawa
0
580

Featured

See All Featured
A415db3ac9e9668acbc1fb36eead84ac?s=48 mthomps
37
2.2k
B83d5b590577969ee79a5ad845411a7d?s=48 ammeep
652
54k
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
356
62k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
267
16k
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
10
3.8k
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
315
18k
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
112
24k
9128d500301ae51524e887bb680f471d?s=48 caitiem20
304
16k
C0b42577cfc2b321be3474618107e933?s=48 samanthasiow
53
6k
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
6
600
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
265
16k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
55
5.3k

Transcript

  1. DISTRIBUTED FAILURE Andrew Godwin @andrewgodwin Learning lessons from aviation

  2. Hi, I’m Andrew Godwin

  3. Content Warning Aviation accidents Road accidents Discussion of death

  4. Software is difficult.

  5. Distributed is even harder.

  6. None

  7. Not unique to distributed systems

  8. None

  9. Who's solved this? Aviation.

  10. A Boeing 747 has six million parts

  11. A Boeing 747 has six million parts

  12. Airplane Car Walking Train 220 130 30.8 Deaths per billion

    hours (UK 1990-2000) 30

  13. People matter as much as machines

  14. Pilot 76% Aviation Accident Causes (2005 Nall report) 9% Other

    16% Mechanical

  15. Let's look at some aviation principles

  16. Principle #1 Hard Failure

  17. If something is wrong it turns itself off

  18. This only works if you have redundancy

  19. None

  20. These are great ways to ensure you never fix something.

  21. No accident or outage has a single cause. Stop your

    code getting into odd states.
  22. None

  23. Single points of failure can be good

  24. None

  25. Principle #2 Good Alerting

  26. Cockpits are incredibly selective about what sets off an audio

    alarm

  27. Alert fatigue is real. Avoid at all costs.

  28. Never, ever, put all errors in the same place

  29. Critical Normal Background

  30. Critical Normal Background Wakes someone up. Actionable.

  31. Critical Normal Background Wakes someone up. Actionable. Fixed over the

    next week.

  32. Critical Normal Background Wakes someone up. Actionable. Fixed over the

    next week. Metrics, not errors.

  33. Have you been ignoring an error for weeks? Then turn

    off its error reporting.

  34. Principle #3 Find your limits

  35. Everything will fail. You should know when.

  36. Copyright Boeing

  37. What's your Minimum Equipment List?

  38. REQUIRED OPTIONAL

  39. Did you load test? Did you fuzz test?

  40. You don't have to perfectly scale.

  41. Risk is fine when you're informed!

  42. Principle #4 Build for failure

  43. No single thing in an aircraft can fail and take

    it down.

  44. We all want this for our code, but the way

    to do it is to build for failure.

  45. Kill your application randomly Practice server network failures Develop on

    unreliable connections

  46. The majority of pilot training is handling emergencies.

  47. None

  48. Use checklists. Don't rely on memory.

  49. If you practice failure, you'll be ready when the inevitable

    happens.

  50. Pilot 76% Aviation Accident Causes (2005 Nall report) 9% Other

    16% Mechanical

  51. Principle #5 Communicate well

  52. Distributed software means separate teams.

  53. As you grow, communication becomes exponentially harder.

  54. None
  55. None
  56. None

  57. Clear communication is vital.

  58. Write everything down.

  59. Have a clear chain of command.

  60. Make decisions.

  61. Principle #6 No blame culture

  62. How do I know all these aviation stats?

  63. Every incident is reported and investigated.

  64. There is never a single cause of a problem.

  65. Make it very difficult to do again.

  66. None
  67. None

  68. Encourage reporting.

  69. Reward maintenance as well as firefighting

  70. None

  71. In aviation, every rule is written in blood.

  72. Software is not yet there. But we are getting closer.

  73. Margaret Hamilton Her error detection code saved Apollo 11

  74. Therac-25 Killed 3, severely injured at least 3 more

  75. None
  76. None

  77. Hard failure Good alerting Find your limits Build for failure

    Communicate well No blame culture

  78. Thanks.