jcardena.com Blog Where it began: why 99.9% uptime is a promise, not a metric
145 posts
EN ES

Where it began: why 99.9% uptime is a promise, not a metric

Software

Uptime percentages like 99.9% are a dangerous vanity metric. Learn why true system reliability, especially in AI, comes from measuring user success, not server pings.

The dashboard was a placid field of green, yet my pager was vibrating itself off the desk. It was 2 AM. The most dangerous failure modes in today's AI systems are echoes of problems we solved two decades ago, and the root cause is the same: mistaking a server's pulse for a system's purpose. That night, our e-commerce search was returning empty results for thousands of queries. By the numbers, we were meeting our 99.9% uptime SLA. But to our users, the site was broken.

This was the night the difference between a metric and a promise became permanently clear.

Where it began: why 99.9% uptime is a promise, not a metric
Where it began: why 99.9% uptime is a promise, not a metric

The ‘Healthy’ but Broken System

The system was a classic search architecture. A backend process indexed product data, and a fleet of query servers with a heavy caching layer serviced requests. Our health check was naive: a simple HTTP GET to a /health endpoint. It answered "Am I running?" but never "Can I provide a useful answer?"

The problem was a network partition dropping cache invalidation messages. Half our servers, thinking their caches were fresh, continued serving stale—or for new products, completely empty—results. The system was alive, but its brain wasn't connected to its mouth. We were confidently reporting success while delivering failure.

Where it began: why 99.9% uptime is a promise, not a metric
Where it began: why 99.9% uptime is a promise, not a metric
User SearchesHealth Check PingsServerServer Responds OKStale CacheReturns EmptyResults
The Anatomy of a Phantom Outage

Anatomy of a Phantom Outage

I call this kind of failure a "phantom outage." The system is technically operational but functionally useless. It's an example of what the industry now often calls a gray failure. A 503 error is obvious; an empty result erodes trust slowly. As Cindy Sridharan has written extensively on observability, these are the failures that simple monitoring often misses, creating ambiguity for the user and confusion for the engineering team.

These are far more insidious than a clean crash. Today, the same failure mode appears when a RAG agent's vector database connection grows stale. The agent is "up" and responding, but it confidently hallucinates because its view of the world is subtly wrong. The failure isn't in the LLM or the application code; it's in the silent data path between them.

Why 'The Nines' Mislead

We love to talk about "five nines" of reliability (99.999%), but the metric only measures a sliver of reality. The promise you make to a user isn't that a server will respond to a ping. The promise is that their search will return relevant results, their order will be processed correctly, or their question to an AI agent will get a coherent answer.

This requires shifting from monitoring infrastructure to observing behavior. It means asking "Did the user accomplish their goal?" This practitioner-led wisdom was later formalized in the foundational Site Reliability Engineering book from Google, which codified the use of Service Level Objectives (SLOs). An SLO ties reliability directly to a user journey—like successful checkouts or valid search results—rather than raw server uptime. It makes the user's happiness the metric, which is the only one that really matters.

From Availability to Usefulness in a Modern Stack

That one outage shaped my approach to system design more than any textbook. The principles I learned now apply directly to the complex interplay of deterministic data pipelines and agentic AI systems. My health checks have become as cynical and demanding as the most skeptical user.

  • Execute a full-stack canary transaction. A health check for a RAG pipeline must perform an end-to-end query. It should inject a known fact into the vector DB, ask the agent a question that requires retrieving it, and validate the LLM's final generated answer.
  • Measure data freshness as a critical signal. Any data-intensive system needs a freshness SLO. The health check must query a "heartbeat" record in the vector index or feature store and fail if its timestamp is more than a few minutes old. This guards against silent pipeline failures, a concept detailed in guidance like the Google Cloud paper on SLOs for data pipelines.
  • Define success by the user's goal. The primary SLO for an AI agent shouldn't be API response time. It should be "percentage of requests resolved without escalation" or "tool-use success rate." This aligns engineering work with user value.

These principles make it impossible to hide behind a green dashboard when the user experience is broken. They make the pain of a phantom outage visible, measurable, and therefore, preventable.

SOURCES & EVENTSUser InputStreaming DataVector DBBatch FilesPROCESSING & LOGICDeterministicPipelinesLLM Agent CoreData ValidationFeature StoreDEEP OBSERVABILITYCanaryTransactionsData FreshnessChecksUser Journey SLOsTrace PropagationSERVING & OUTPUTSAPIs & EndpointsAgent ResponsesDashboardsAlerts
Architecture for Verifiable Usefulness

The Real Promise Is to the User

That night, we didn't violate our uptime SLA. We violated our users' trust. They don't care about our internal metrics; they care if the thing works when they need it. As we build systems where LLM agents depend on chains of deterministic data pipelines, the potential for these phantom outages is exponentially greater. Our job is not just to keep the lights on, but to ensure the light is useful. Uptime is the floor, not the ceiling. The real work is in building systems that reliably keep their promise.

JC
Juan Cardena
Enterprise Architect, Data & AI

Enterprise architect with 25 years across web, software, data, and AI. MIT CDAO ’25. Writing on agentic AI in production.