The Promise an App Must Keep: System Reliability Explained Through SnackNow
At 7:07 PM SnackNow stays online, yet one successful payment produces the wrong result. That incident reveals what reliability really asks an application to promise.

SnackNow is online at 7:07 PM, but a reachable app has still broken its most important promise.
At 7:07 PM, SnackNow Is Online, but Something Is Wrong
At exactly 7:07 PM, Riya opens SnackNow for the popular Chai + Samosa offer. The home screen appears. The menu loads. She adds one masala chai and two samosas, pays, and watches the payment provider report success.
Then the story bends. SnackNow shows no trustworthy order confirmation. A delayed message eventually carries the wrong quantity. Another customer receives the same confirmation twice. The status page remains green, the homepage remains reachable, and Meera can still open the admin dashboard. Yet customers no longer know whether a successful payment produced one order, two orders, or no order.
Meera: 'But the app is still online.'
Aman: 'Online does not always mean reliable.'
That sentence is the investigation. SnackNow has not suffered a clean, obvious blackout. It has suffered something more confusing: parts of the service are available while the business outcome is inconsistent.
A reliable system is not one that never fails. It is one where failure does not become chaos.
Reader question: How did the incident move from a wrong confirmation to a measurable recovery?
Why this visual is needed: Without a shared incident clock, MTTR becomes a formula detached from the failure Riya experienced.

How to read it: Move left to right. Separate the moment customers were harmed from the later moments when monitoring noticed, engineers isolated, ordering recovered, and the journey was verified.
What to remember: Detection and recovery are different intervals, and both can be improved.
Reliability Is a Promise About Behaviour, Not Just Uptime
In engineering terms, reliability is the ability of a system to perform its required function correctly and consistently, under stated conditions, for a stated period. The words required function matter. SnackNow's job is not merely to return HTML. Its critical promise is that a paid checkout becomes the correct durable order and that customers receive a dependable result.
The visible symptom at 7:07 PM is a wrong or delayed confirmation. The technical cause is not yet known, but the system has already violated a behavioural promise. A reachable endpoint proves availability of that endpoint; it does not prove correctness of the complete transaction.
Reliability asks whether the whole important journey keeps producing the intended outcome over time.
Aman's first design decision is therefore not 'add more servers.' It is to define the critical journey and its success condition: one accepted payment, one persisted order, one unambiguous order identifier, and a confirmation derived from that same state. This makes failures observable and prevents the team from celebrating a green homepage while checkout is wrong.
The consequence is better diagnosis and a more honest target. The tradeoff is additional instrumentation, validation, and operational work. In a workplace incident, start by writing the user promise before listing infrastructure. When this article later returns to the promise board, that board represents this exact required behaviour. The next failure asks whether that promise still has another path: High Availability vs Fault Tolerance: Failover Explained follows SnackNow when one server disappears.
Five Words That Sound Similar but Are Not
Aman places Riya's single checkout in the centre and examines it through five different lenses. Keeping the incident constant is important: if every term gets a new analogy, the differences disappear when interview pressure arrives.
Availability: Can Riya Reach and Use the Service?
The story event is the green status page and a menu that still loads. The symptom says parts of SnackNow are reachable. Availability measures whether a service or function is accessible and usable when required. It can be measured for the whole application, but useful engineering usually measures a named flow or endpoint.
The decision is to monitor checkout availability separately from homepage availability. That reveals a partial outage instead of averaging it away. The consequence is more truthful alerting; the tradeoff is more SLIs and clearer ownership. At work, ask 'available for which action?' Memory callback: the status page belongs to availability, and its green colour is not the end of the investigation.
Correctness: Did SnackNow Create Exactly the Intended Result?
Riya paid once, so the correct outcome is one order with the right items, amount, owner, and status. A duplicate confirmation is a visible correctness symptom. Possible causes include a retry that repeats a non-idempotent order write, an event consumed twice without deduplication, or a confirmation built from stale state.
The design decision is to define invariants and enforce them: a payment event maps to one order identifier, retries are idempotent, and confirmation reads authoritative order state. The consequence is trustworthy behaviour; the tradeoff is extra keys, constraints, and edge-case handling. At work, write the invariant before choosing the tool. Memory callback: Riya's receipt asks whether the result was right, not merely reachable.
Durability: Does the Successful Record Survive?
The payment provider reports success and the payment record has been committed. If a process crashes a second later, durability asks whether that committed record remains available for recovery rather than vanishing. It does not ask whether the application can currently answer a request.
SnackNow must persist critical order and payment facts in storage with an appropriate durability design, then reconcile incomplete workflows. The consequence is that Aman can rebuild the truth after a crash. The tradeoff can include write latency, replication cost, or more complex recovery. In the workplace, test what survives a real restart. Memory callback: the saved payment record is the durable clue that prevents SnackNow from charging Riya and forgetting her. When live copies agree on the wrong state, Backup and Recovery Strategies: RPO, RTO and PITR shows how protected history restores the truth.
Reliability: Does the Whole Journey Behave Dependably Over Time?
One correct checkout is encouraging but not enough. Reliability considers repeated operation across time and conditions: ordinary traffic, the 7 PM rush, dependency delays, node restarts, and deployments. At 7:07 PM the flow is reachable and one payment is durable, yet the overall service is unreliable because customers cannot depend on a correct end-to-end result.
The design decision is to measure the critical flow, identify failure modes, and improve prevention plus recovery. The consequence is sustained trust; the tradeoff is that stronger targets consume engineering and infrastructure budget. At work, discuss reliability as an outcome, not a product feature. Memory callback: reliability is the promise board that contains all the smaller checks.
Resilience: What Happens When Failure Arrives?
Resilience is SnackNow's capacity to absorb, adapt to, and recover from disturbance. If the notification service slows, a resilient design might preserve the order, return a clear pending state, queue confirmation work, and recover without duplicating the order. The system may be temporarily degraded, but failure remains contained.
The consequence is less customer harm and faster restoration. The tradeoff is complexity in timeouts, isolation, fallbacks, and testing. At work, name the failure class a mechanism handles; resilience is never infinite. Memory callback: resilience is how the team protects the other objects when the incident tries to scatter them.
Concept | Incident question | Evidence at 7:07 PM | Does not guarantee |
|---|---|---|---|
Availability | Can Riya use this function now? | Homepage and menu load | Correct checkout outcome |
Correctness | Was exactly the intended order created? | Wrong and duplicate confirmations | Data survives a crash |
Durability | Will committed facts survive? | Payment record remains | Service is reachable |
Reliability | Does the full journey behave dependably over time? | The overall promise is broken | Failure never occurs |
Resilience | How well can the system absorb and recover? | Failure can be contained and repaired | Every possible disaster is tolerated |
What this table is telling you: the same system can be available, partly durable, incorrect, and therefore unreliable at the same moment.
Reader question: What does each term ask about Riya's one order?
Why this visual is needed: One shared order prevents the five terms from becoming five disconnected definitions.

How to read it: Follow the order once, then inspect it through the five labelled questions around the path.
What to remember: availability is reachability, correctness is the right outcome, durability preserves committed facts, resilience handles disturbance, and reliability is the dependable whole.
The Incident Clock: MTBF, Detection, and MTTR
At 7:07 PM the failure begins. Monitoring detects the checkout anomaly at 7:13 PM. Aman isolates the faulty confirmation service at 7:21 PM. Correct ordering is restored at 7:28 PM, and the team verifies new and replayed orders before declaring the incident stable.
7:07 Failure begins
7:13 Detected: 6-minute detection delay
7:21 Faulty service isolated
7:28 Correct ordering restored: 21 minutes from failure
After 7:28 Verification and reconciliation continueMean Time Between Failures, or MTBF, estimates the average operating time between repairable failures. It helps answer how frequently a component or defined service failure occurs across many incidents. One 21-minute incident cannot produce a meaningful MTBF by itself; Aman needs a consistent failure definition and enough history.
Mean Time to Recovery commonly measures average time to restore the affected service, but MTTR is overloaded in industry. Teams also expand it as mean time to repair, resolve, remediate, or respond, with different start and end points. The safe practice is to write the definition beside the metric. In SnackNow's incident-to-restoration definition, this event took 21 minutes. Detection alone took six minutes.
A high MTBF reduces how often the promise breaks; a low, clearly defined MTTR reduces how long the damage lasts.
Prevention and recovery are complementary design decisions. Better tests, safer deployments, and simpler architecture can increase time between failures. Journey-level monitoring, runbooks, isolation, and automation can reduce detection and recovery time. The consequence is a smaller customer impact window. The tradeoff is operational investment and occasional false alarms if thresholds are too sensitive.
For a simple repairable component under steady assumptions, availability is sometimes approximated as MTBF divided by MTBF plus MTTR. A distributed application should not force its entire user experience into that formula: dependencies, partial failure, planned maintenance rules, and correctness targets complicate the picture. At work, define the boundary before calculating. Memory callback: the incident clock is useful only because everyone agrees which event each hand marks.
The Nines: How Much Downtime Is the Business Accepting?
Meera asks whether SnackNow should promise 99%, 99.9%, or 99.99% availability. The percentages look close. Their downtime budgets are not. Over a 365-day year, 99% permits about 87 hours 36 minutes of downtime; 99.9% permits about 8 hours 45 minutes 36 seconds; 99.99% permits about 52 minutes 34 seconds.
How is it so far?
Vote with other readers
Availability target | Downtime per 365-day year | Downtime per 30-day month | SnackNow implication |
|---|---|---|---|
99% | 87h 36m | 7h 12m | Too loose for paid checkout |
99.9% | 8h 45m 36s | 43m 12s | May fit a non-critical internal flow |
99.99% | About 52m 34s | About 4m 19s | Requires stronger checkout design and operations |
What this table is telling you: one extra nine removes most of the previous downtime budget and usually demands new architecture, testing, and operational discipline.
Not every feature deserves the same target. Checkout and current order status have direct revenue and trust impact. Recommendations, reviews, and animated tracking can often tolerate a looser target or temporary degradation. The decision should follow critical user journeys and business impact, not architectural pride.
The consequence of a stronger target is less permitted failure. The tradeoff is higher cost, complexity, and slower change if the system must protect a tiny error budget. Measurement details also matter: time window, eligible requests, exclusions, and whether partial degradation counts must be explicit.
Reader question: What does one extra nine remove from the failure budget?
Why this visual is needed: Percentages hide the dramatic change in allowed downtime.

How to read it: Compare the shrinking clock segment from 99% to 99.99%, then notice the rising protection effort.
What to remember: an extra nine is a business-funded engineering constraint, not a decorative badge.
SLA: The Promise Written Outside the Engineering Room
Aman now writes three lines on the reliability promise board. The service level indicator, or SLI, is the measurement: the percentage of eligible SnackNow checkout attempts that produce one confirmed order after a successful payment. The service level objective, or SLO, is the internal target: perhaps 99.95% successful checkouts in a calendar month. The service level agreement, or SLA, is the formal commitment to a customer or partner, including scope and consequences when the commitment is missed.
The order matters. A team cannot prove a promise it does not measure. It should also avoid making the external SLA identical to the absolute edge of its internal capability; teams usually need operating margin. The Google SRE guidance on service level objectives stresses choosing behaviours that matter to users rather than treating every convenient metric as a goal.
Layer | SnackNow example | Who uses it | Incident consequence |
|---|---|---|---|
SLI | Successful checkout attempts | Engineers and product owners | Shows the promise is currently failing |
SLO | 99.95% monthly success | Internal operating target | Consumes error budget and drives action |
SLA | Formal partner commitment | Customers, partners, legal and business | May trigger credits or another agreed consequence |
What this table is telling you: measurement becomes an internal target before it becomes an external promise.
The tradeoff is not merely legal language. An aggressive SLA can require redundancy, safer change management, on-call staffing, and recovery testing. At work, build the SLI from a real user journey and test whether the data can distinguish unavailable, incorrect, and delayed outcomes. Memory callback: the promise board is where Riya's experience becomes an accountable commitment.
Why Distributed Systems Fail in More Ways
Aman traces one checkout. Riya's frontend calls an API server. The API coordinates the order service, payment provider, database, and notification path across a network. Each dependency can be individually healthy or unhealthy, fast or slow, consistent or stale. The result is partial failure: some parts succeed while others fail.
A node can crash. A network link can partition healthy nodes from each other. A dependency can time out transiently. A payment provider can accept a charge while SnackNow loses the response. A notification backlog can grow. Repeated retries can amplify load and create a cascading failure. The app may remain reachable through every one of these conditions.
This is why the earlier CAP theorem and storage fundamentals lesson matters: communication failure changes which guarantees a distributed system can safely make. It is also why message queues can isolate non-critical follow-up work, provided consumers are idempotent and backlog is monitored.
Reader question: How can the homepage remain green while checkout is broken?
Why this visual is needed: Partial failure becomes concrete when success and failure are shown on the same request path.

How to read it: Follow the green payment and persistence steps, then stop at the coral confirmation break. The successful pieces do not cancel the failed business outcome.
What to remember: a distributed request can be partly successful, so recovery must reconcile side effects instead of simply retrying everything.
The design decision is to isolate failures, define timeouts, make retries bounded and idempotent, and preserve enough durable state to reconcile uncertain outcomes. The consequence is controlled damage. The tradeoff is that coordination and observability become first-class design work. At work, list every dependency on the critical path and ask what the user sees when each one fails.
Design for Failure, Not for Fantasy
Aman's reliability plan is a set of protections attached to known failure modes, not a shopping list of fashionable infrastructure.
Remove justified single points of failure. A second healthy path protects a critical component failure, but only if state and traffic can move safely.
Monitor user journeys. Checkout success, duplicate prevention, and payment-to-order reconciliation reveal harm that CPU graphs cannot.
Use redundancy with capacity. A spare that cannot carry peak load only changes a clean outage into a slow collapse.
Bound waits. Timeouts stop workers from waiting forever, while carefully bounded retries with backoff avoid retry storms.
Isolate blast radius. Bulkheads, queues, and separate resource pools can keep a notification problem away from checkout.
Degrade deliberately. SnackNow can hide recommendations and reviews while preserving menu, cart, payment, and order status.
Automate known recovery. A platform can restart or replace a failed instance, but humans still need alerts when the failure class is unknown.
Test the assumption. Failure injection, restore drills, and game days show whether the design survives outside a diagram.
Circuit breakers, bulkheads, and failover appear here only as previews; the next article will teach the architecture around them. The immediate principle is simpler: every mechanism must name the failure it detects, the action it takes, and the new risk it introduces.
Interview-ready line: Design for failure means defining critical journeys, modeling their failure modes, containing damage, and proving recovery against a target.
Reliability Without Over-Engineering
Meera: 'Do we need two regions, ten databases, and five backup systems for everything?'
No. Reliability investment should follow business impact. A review widget can disappear without charging a customer. Checkout cannot casually duplicate a payment. The design decision begins with feature criticality, realistic SLOs, and the cheapest architecture that can meet them with evidence.
SnackNow feature | Failure impact | Suggested reliability posture | Reason |
|---|---|---|---|
Payment and confirmed orders | Revenue, financial reconciliation, trust | Strongest protection and reconciliation | Incorrect outcomes are costly and hard to reverse |
Menu, cart, checkout | Customers cannot buy | High availability with graceful paths | Core revenue journey |
Current order status | Anxiety and support load | Reliable reads with explicit delayed state | Truth matters more than animation |
Recommendations and reviews | Lower discovery quality | Degrade or disable temporarily | Not required to complete an order |
Analytics enrichment | Delayed internal insight | Queue and replay later | Can often tolerate lag |
What this table is telling you: reliability is allocated by business consequence, not spread equally across every endpoint.
Start simple: make state transitions explicit, add useful monitoring, remove the most dangerous single point, and improve the recurring failure that causes most customer harm. Managed services can reduce operational burden, but their guarantees and failure domains still need review. The tradeoff is conscious: simplicity reduces failure modes, while some redundancy reduces the impact of unavoidable failures. If the entire location disappears rather than one component, Disaster Recovery in System Design: RTO, RPO and DR expands the same reliability promise across regions.
The system performance investigation offers a useful callback: optimise a measured bottleneck, not a vague fear. Reliability follows the same discipline. Protect a measured critical flow, not an imaginary requirement for perfection.
The 7:07 PM Incident Explained From Beginning to End
Now Aman can reconstruct the incident without hiding behind a green status page. The frontend and menu were available. Checkout correctness failed because confirmations no longer represented one authoritative order outcome. The payment record remained durable, giving the team a fact from which to reconcile orders. SnackNow's overall checkout flow was therefore unreliable even though several components were individually reachable.
The incident began at 7:07, was detected at 7:13, isolated at 7:21, and restored at 7:28. That gives a six-minute detection delay and a 21-minute incident-to-recovery interval under the team's stated definition. The checkout SLI fell, the internal SLO consumed its failure budget, and any applicable SLA had to be evaluated against its exact scope and window.
Aman's improvements follow the cause: define exactly-once business invariants without pretending the network delivers exactly once; use idempotency keys and database constraints; separate payment acceptance from confirmation delivery; reconcile uncertain states; alert on the whole checkout outcome; and test dependency timeouts plus duplicate delivery.
Faster recovery matters because failure is inevitable; trustworthy recovery prevents a technical fault from becoming prolonged customer confusion.
Common Misunderstandings
Mistake | Why it sounds reasonable | Why it fails at SnackNow | Memory anchor |
|---|---|---|---|
If the app is online, it is reliable | Reachability is visible | The homepage is green while checkout is wrong | Status page is only availability |
Reliability and availability are identical | Availability is a major signal | Reliable checkout also requires correctness and recovery | Promise is larger than the door |
Durable data means the app is available | The payment record survives | A preserved record can be temporarily unreachable | Record is safe, not necessarily reachable |
High MTBF removes recovery planning | Failures are rare | A rare failure can still create severe damage | Long calm does not stop the clock |
A 100% target is always best | Zero failure sounds ideal | Cost and complexity can exceed business value | Every promise has a funded budget |
More infrastructure means more reliability | Copies look safer | Shared dependencies and complexity create new failure modes | Count failure domains, not boxes |
Retries always improve reliability | Transient calls often recover | Unsafe retries can duplicate orders or amplify load | Retry only repeat-safe work |
What this table is telling you: each attractive shortcut ignores a different object from the incident.
Remember the Incident, Not a Cheat Sheet
This section is a reconstruction exercise. Try to speak each answer before reading the line beneath it.
A. Incident Timeline
7:07 PM: payment succeeds, confirmation becomes wrong or uncertain.
7:13 PM: journey monitoring detects the checkout anomaly.
7:21 PM: Aman isolates the faulty service and stops unsafe processing.
7:28 PM: correct ordering is restored.
After recovery: the team reconciles uncertain payments and verifies the full journey.
B. Five Memory Objects
Status page: availability asks whether the function is reachable.
Order receipt: correctness asks whether one intended result was produced.
Payment record: durability asks whether committed truth survives.
Incident clock: detection and recovery metrics ask how quickly harm is found and contained.
Promise board: SLI, SLO, and SLA turn expected behaviour into measurement, target, and commitment.
Reader question: Can five objects rebuild the complete explanation without a definition sheet?
Why this visual is needed: Retrieval practice needs stable cues that appeared throughout the incident.

How to read it: Name the concept for each object before following the connectors toward reliability at the centre.
What to remember: status, receipt, record, clock, promise.
C. Cause -> Choice -> Consequence
Wrong confirmation -> define order invariants and idempotency -> retries stop creating conflicting outcomes.
Green homepage hides broken checkout -> measure the user journey -> partial failure becomes visible.
Payment succeeds before confirmation fails -> preserve durable state and reconcile -> Riya's money is not separated from business truth.
Detection takes six minutes -> alert on checkout correctness -> the next incident can start recovery sooner.
Every feature gets the same target -> tier by business impact -> SnackNow protects checkout without buying perfection for reviews.
D. The 60-Second Retelling
At 7:07 PM SnackNow was reachable, but a successful payment did not produce a trustworthy confirmation. Availability described the reachable pieces; correctness described the broken order result; durability preserved the payment fact; resilience described how the system contained and recovered; and reliability described whether the whole journey behaved dependably over time. MTBF measures how often a defined failure returns, while a clearly defined MTTR measures recovery. SLIs measure the journey, SLOs set the internal target, and SLAs make an external promise. The design response is to protect critical flows, isolate failure, measure recovery, and spend reliability budget where customer harm is greatest.
E. Explain It Without Looking
How can an available application still be unreliable?
Which incident object separates correctness from durability?
What were the detection delay and incident-to-recovery time?
Why does 99.99% availability cost more than 99.9%?
What is the order from SLI to SLO to SLA?
F. Contrast Test
Say which term changes in each pair: the menu is unreachable versus reachable with a duplicate order; the order is correct but lost after restart versus incorrect but safely stored; a failed notification is isolated versus it exhausts checkout workers; a service fails once in a year but takes six hours to recover versus fails monthly and recovers in one minute.
G. Workplace Transfer
Your SaaS dashboard returns HTTP 200, but a background retry creates duplicate invoices. The database retains every invoice, monitoring notices the issue after 20 minutes, and the contract promises 99.9% successful billing operations. Identify availability, correctness, durability, reliability, resilience, the relevant detection/recovery metrics, and the SLA risk. Then name one design decision and its tradeoff.
A useful answer says the dashboard may be available while billing is incorrect and therefore unreliable; the duplicate rows may be durable; resilience depends on containing and reconciling the retry; detection and recovery intervals must be defined; and the billing-operation SLI, not homepage uptime, should evaluate the promise.
Final Mental Model
Riya did not care which container was healthy. She needed SnackNow to connect her successful payment to one correct, durable order and communicate that truth without confusion. Meera needed a promise the business could afford. Aman needed measurements that distinguished reachability, correctness, persistence, and recovery.
A reliable system is not one that never fails. It is one where failure does not become chaos. The practical path is to define correct service, measure the critical journey, reduce avoidable failures, contain the ones that still arrive, and recover within a target the business understands.
SnackNow was reachable, but it had not kept its promise. Reliability begins when engineers define what correct service means, measure how often it fails, reduce the damage, and recover before one technical incident becomes lost customer trust.
Lock in the takeaway
Frequently asked questions
What is system reliability in system design?
System reliability is the ability of a system to perform its intended function correctly and consistently, under stated conditions, over a defined period. It includes more than uptime because a reachable system can still produce incorrect outcomes.
What is the difference between reliability and availability?
Availability asks whether a service or function can be used when required. Reliability asks whether the complete important journey behaves dependably over time, including correct outcomes and controlled recovery from failures.
How are availability and durability different?
Availability concerns current access to a service or function. Durability concerns whether committed data survives crashes or failures. Durable data can be temporarily unavailable, and an available service can still lose data.
What do MTBF and MTTR measure?
MTBF estimates the average operating time between defined failures. MTTR measures an average recovery-related interval, but teams must document whether they mean recovery, repair, resolution, remediation, or response and define its start and end points.
How much downtime does 99.99% availability allow?
Across a 365-day year, 99.99% availability allows about 52 minutes and 34 seconds of downtime. Across a 30-day month, it allows about 4 minutes and 19 seconds, subject to the SLA's exact measurement rules.
What is the difference between an SLI, SLO, and SLA?
An SLI is the measured service behaviour, an SLO is the internal target for that measurement, and an SLA is the formal external commitment, including scope and any agreed consequence when it is missed.
Why are distributed systems harder to make reliable?
One request crosses multiple nodes, networks, data stores, and external dependencies. These components can fail independently, creating partial success, timeouts, stale state, duplicated work, and cascading failures while other parts remain healthy.
How can a team improve reliability without over-engineering?
Start with critical user journeys and business impact, set realistic targets, fix the most harmful recurring failure modes, improve observability and recovery, and add redundancy only where the measured risk justifies its cost and complexity.

