Capabilities

Recoverable failure modes

How BootCtrl recovers from failures: restart strategies, health checks, and a workflow that gets systems back to a known-good state.

CAPABILITIESCONTACT ENGINEERING
Capabilities overview

Design intent

Use this lens when adopting Recoverable failure modes: define success criteria, start narrow, and scale with safe rollouts and observability.

  • Recovery restores health within a version; rollback changes the version
  • Reconciliation is required after recovery to eliminate drift
  • Instrument recovery steps so MTTR improves over time

What it is

Recovery is the combination of supervision, health reporting, and deployment orchestration so the system can return to a stable state after faults.

Design constraints

  • Recovery restores health within a version; rollback changes the version
  • Reconciliation is required after recovery to eliminate drift
  • Instrument recovery steps so MTTR improves over time

Architecture at a glance

  • Supervision detects failure, applies restart/backoff, and escalates to rollback when needed
  • Health models separate “degraded”, “offline”, and “misconfigured”
  • Evidence is preserved via logs/events/telemetry tied to versions
  • This is a capability surface concern: recovery must be safe under stress

Typical workflow

  • Define scope and success criteria (what should change, what must stay stable)
  • Create or update a snapshot, then validate against a canary environment/site
  • Deploy progressively with health/telemetry gates and explicit rollback criteria
  • Confirm acceptance tests and operational dashboards before expanding

System boundary

Treat Recoverable failure modes as a capability boundary: define what success means, what is configurable per site, and how you will validate behavior under rollout.

Example artifact

Implementation notes (conceptual)

topic: Recoverable failure modes
plan: define -> snapshot -> canary -> expand
signals: health + telemetry + events tied to version
rollback: select known-good snapshot

What it enables

  • Faster mean-time-to-recovery (MTTR)
  • Safer operation under partial failures and flaky networks
  • Clear diagnostics for why a site degraded or restarted

Recovery workflow

  • Detect: health checks flag a site/device as degraded
  • Isolate: identify which component failed (runtime vs adapter vs network)
  • Mitigate: restart/reconcile according to policy and safe ordering
  • Escalate: if repeated failures occur, recommend rollback to a known-good snapshot

What to monitor

  • Restart counts and crash-loop detection
  • Deployment state transitions and error categories
  • Connectivity health and telemetry delivery latency

Common failure modes

  • Crash loops that mask a configuration error
  • Partial degradation that never triggers a hard failure
  • Recovery succeeds but drift remains (wrong version still deployed)

Engineering outcomes

  • Recovery restores health within a version; rollback changes the version
  • Reconciliation is required after recovery to eliminate drift
  • Instrument recovery steps so MTTR improves over time

Quick acceptance checks

  • Define safe restart/backoff policies and crash-loop thresholds
  • Ensure reconciliation detects “desired vs actual” drift after recovery

Acceptance tests

  • Verify the deployed snapshot/version matches intent (no drift)
  • Run a canary validation: behavior, health, and telemetry align with expectations
  • Verify rollback works and restores known-good behavior

Related deep dives

Deterministic ControlFleet OrchestrationTelemetryProtocol SupportObservabilitySecurityControlled rollouts + rollbackDeterminism under load

Deep dive

Practical next steps

How teams typically turn this capability into outcomes.

Key takeaways

  • Recovery restores health within a version; rollback changes the version
  • Reconciliation is required after recovery to eliminate drift
  • Instrument recovery steps so MTTR improves over time

Checklist

  • Define safe restart/backoff policies and crash-loop thresholds
  • Ensure reconciliation detects “desired vs actual” drift after recovery
  • Keep rollback to a known-good snapshot as the last-resort stabilizer
  • Instrument recovery steps so MTTR can be improved over time

Next steps

Related topics

Deterministic ControlFleet OrchestrationTelemetry

Deep dive

Common questions

Quick answers that help align engineering and operations.

What’s the difference between recovery and rollback?

Recovery restores a system to a healthy state within the same version. Rollback changes the version by returning to a known-good snapshot when the current version is the cause.

Why do systems get stuck in “partial failure” states?

Because symptoms don’t trigger a hard failure. Use health models that detect degraded modes and alert/mitigate before operators notice.

How do we reduce MTTR?

Make the failure domain explicit (runtime vs adapter vs network), capture the first failure cause, and keep a deterministic rollback option.