Failure

Rule: The most dangerous time is right after a string of successes.

Prescriptive Rules

Case Study Methodology

Learn from specific failures, not abstract principles.

ABSTRACT (weak):
"Always validate input"

CASE STUDY (strong):
"The 2016 incident where unvalidated JSON crashed production
taught us to validate at the boundary. Here's the exact pattern
that failed and the fix that prevented recurrence."

Application:

• Document failures with full context
• Reference specific incidents in code comments
• Build institutional memory of what went wrong

Constraints as Design Drivers

Constraints are not obstacles - they're the source of innovation.

WITHOUT CONSTRAINT          WITH CONSTRAINT
─────────────────          ────────────────
Infinite solutions         Focused solutions
Analysis paralysis         Clear direction
Gold-plating              Elegant simplicity

Petroski's examples:

• The pencil's hexagonal shape: prevents rolling, reduces material
• Bridge designs: span limits force structural innovation
• Software: memory limits drove efficient algorithms

Application:

When facing a constraint:
  1. Don't fight it immediately
  2. Ask: "What innovation does this force?"
  3. The constraint may be the feature

Anticipating Failure Modes

Before building, enumerate how it could fail.

For any component, ask:
├── How could this fail silently?
├── How could this fail catastrophically?
├── How could this fail intermittently?
├── How could success in one area cause failure in another?
└── What would the post-mortem say?

Pre-mortem technique: Write the post-mortem before shipping. What would you regret not checking?

Evolution Over Revolution

Good design is incremental refinement, not revolutionary leaps.

REVOLUTIONARY (risky):
"Let's rewrite everything from scratch"

EVOLUTIONARY (Petroski-approved):
"Let's fix the specific failure mode while preserving what works"

The pencil lesson: The modern pencil evolved over 400 years through thousands of small improvements, each fixing a specific problem.

Code Application

Document the "Why Not"

// BAD: Only documents what
function processPayment(amount) {
  // Process the payment
}

// GOOD: Documents failures that shaped design
function processPayment(amount) {
  // Idempotency key required after 2023 duplicate charge incident.
  // Timeout set to 30s after 2022 gateway slowdown caused cascading failures.
  // Retry logic added after network blip lost $50k in transactions.
}

Design Reviews Should Ask

Post-Mortem Template (Petroski Style)

## Failure Report: [Incident Name]

### What Failed
Specific description of the failure mode.

### The Form That Followed Function
What design decision seemed reasonable at the time?

### The Form That Should Follow Failure
What design change prevents this class of failure?

### Constraints Revealed
What constraints did we discover that we should embrace?

### Similar Historical Failures
What other systems failed this way? What can we learn?

### Success That Preceded This
Were we overconfident? What success masked the risk?

Anti-Patterns

Review Checklist

Before shipping:

• What failures shaped this design? (Can you cite them?)
• What could fail that we haven't seen yet?
• Are we overconfident from recent success?
• Which constraints are actually helping?
• Is this evolution (good) or revolution (risky)?
• Would the post-mortem be embarrassing?

Petroski Score

Key Quotes

"The most significant engineering failures usually occur in areas where prior success has encouraged the raising of stakes without adequate understanding of the risks."

"Form follows failure, not function."

"Successful design is not about getting things right the first time but about not making the same mistake twice."

Integration

Combine with:

• /safety - Systematic failure prevention
• /resilience - Designing for antifragility
• /security-mindset - Security as failure anticipation