Introduction

The Scenario

Pagers going off. Phones ringing. People shouting fragments of conversations over the tops of cubicles. Groups of people huddled around monitors. Others dashing up and down the hallways, sticking their heads into office doors for just a moment, then scampering along to the next doorway. You are frantically talking on your cell phone, silencing your pager, and yelling into the speakerphone on your desk while typing on two different keyboards attached to three different monitors.

Sound Familiar? It's a classic case of the dreaded 'downtime' disease, a terrible ailment where none of your systems work and for reasons you can't always understand. Of course, it typically strikes at the most inopportune moments the launch of a major product upgrade, or right after announcing your partnerships with 5 of the Fortune 100.

Nobody wants downtime. It's a terrible thing that always involves blood, sweat, tears, and inevitably, a loss of money. This is why when you talk to the upper management of any company with a strategic online initiative you'll be told that the IT group has the highest goals, and that downtime is considered to be an anathema to be stamped out vigorously.

Unfortunately, when you talk to the company's IT manager you commonly hear a different story; the resources to back-up the company's lofty online goals are hard to come by. In fact, with the down swing of the last couple years, combined with the fact that IT isn't, at least directly, a revenue generating entity, IT budgets are being reduced while uptime performance levels are expected to be the same. This can just lead to a death march of extremely over-worked IT personnel, and longer, more numerous, occurrences of system downtime. These goals need to be re-evaluated.

Genesis of the 'Five Nines'

We've all heard the mantra of 'five nines', or 99.999% reliability. Somewhere in the depths of the Internet's 'big bang', when systems were slow and cranky, reliability became a major selling point of why one company's system was 'better' than the competition.

First, people talked about being 'two nines' or 99% reliable. Then someone else would top that, and make their product seem better, claiming 'three nines'(99.9%). Not long after that came 'four nines' (99.99%) and then, near the peak of the dot com era, came 'five nines'.

The herd mentality left no room in which to pitch for investment without the 'five nines' claim. "After all," it was thought, if everyone else is saying they can provide 'five nines', I have to pretend I didn't know what I was doing if I didn't say I could match everyone else's claim."

'Five nines' isn't impossible. It's merely impractical and unnecessary in the world of the Internet. A shocking statement, perhaps, but a truism none-the-less.

We're not talking about launching people into space (which, by the way, is unfortunately done under 'three nines'), or working with nuclear power plants. We're working within the reference of online systems providing services to users both on and off the Internet nobody dies from a system failure.

The Greasy Steel Bar

Think of uptime as a chin-up bar coated in grease. The higher the reliability desired, the greater the coating of grease. It's clearly tougher to hang to a higher standard of reliability.

What's not so obvious, but very important, is that the higher the uptime target, the worse one does if not prepared. An IT department capable of three nines faced with a bar that's five nines slippery won't even manage the three nines they are capable of doing.

The Uptime Rules

First, as an introduction to the rules, lets review our terms and terminology.

Definitions

Uptime is the amount of time the entire system is available. By entire system we are saying that an entire transaction can be completed. Just having your web servers running when the needed application server isn't running cannot be defined as uptime.

Downtime is everything else.

Scheduled maintenance downtimes or windows are the periods of time (for example, from 1:00am to 3:00am Monday morning) when an IT team has the option, if they need, to bring down various components in a fashion that causes the system to be incapable of complete functionality.

Reliability is defined as uptime but where scheduled maintenance downtime is not counted against it. For example, if in a 24 hour period there was an hour of scheduled downtime, but otherwise full operational for the remaing 23 hours, then the system was 100% reliable.

So how do you translate the 'nines' into acceptable downtime? This chart provides the answer:

'Nines' Uptime % Minutes
Per Year		 Minutes
Per Month
Two 99% 5256 438.0
Three 99.9% 526 43.8
Four 99.99% 53 4.4
Five 99.999% 5 0.4

Rule #1: A great system run poorly is a poor system.

This is the most crucial rule to understand when managing any system. It doesn't matter how much you spent on the hardware, how well designed your database tables are, or if you installed the latest and greatest operating system on the market. If it cannot be managed well, problems ensue.

Users don't see, or care that problems come from your database servers, or your application servers, or your static data caching. What they perceive is one of two states: working or not working. They want to make their reservation, or pay their bill, or just get the weather in Bali, and they want to do it NOW!

Managing with a given level of reliability in mind is about people, hardware, operating and escalation plans, and ultimately, it is about the money to put it all together and keep it running. The cost of reliability, is very hard to quantify. Even assuming it is a linear relationship (and few things in life are) it's a staggering relationship in financial terms. In my experience each ?ine' is close to an order of magnitude increase in cost!

The bottom-line is this, you need to do an honest assessment of available resources versus intended goals; it is the first step in making sure your great systems runs at least as good as you intended.

Rule #2: Five nines is a goal reachable only through both fully automated system management, and rigorously controlled and tested applications.

Scared by four and five nines? Unless you've worked in a true, hardcore, spare no expense data center, you should be!

Let's think about five nines for a moment. 5 minutes a year. That rules out any form of human involvement in fixing problems. After all, even the best humans are known to be distracted for a minute or two into conversation with a co-worker, or a phone ringing.

As an example, let's time a perfectly common scenario, where you have two people monitoring systems. Time the following emulation in your office space:

  1. Assume the system is working happily.
  2. Walk over to your kitchen area and grab a soft drink. Then walk back.
  3. Wait 15 seconds while you pretend to have the other NOC (Network Operations Center) engineer say "Hey, look at this!"
  4. Sprint over to your desk and sit down.
  5. Log into your desktop machine.
  6. Log into a remote machine.
  7. Run one or two basic remote commands ('ls' or 'top' for example)

Now stop the clock. I'm willing to bet your five minutes are up!

Even without a distraction, it's simply not possible for a system of any complexity, to have a problem confirmed, cross checked, and resolved, by a person, within five minutes. Oh, and don't forget about the minute to 90 seconds that you've already lost in monitoring the issue unless you want alarms going off continuously, you have to set an error threshold that typically consumes 60 seconds or so.

"Okay," you say, "well, five nines is a lot. How about aiming at four nines?" But are four nines really much different than five? Certainly, it gives you more latitude and time to fix a problem, but not much more. You can afford a single downtime that takes a few minutes to debug, but that's all.

The truth is, unless you have an application that doesn't fail, the odds are that your hardware failures will still occur three to four times a year, which pushes the limit of human intervention. A good rule of thumb is that things never happen when you are watching them ?figure that any issue takes at least ten minutes to resolve, even if it as simple as a human inadvertently powering both sets of redundant systems down, and now they are powering back up.

Rule #3: Even three nines is hard in the Internet World.

The "Internet World" is not a magazine, but rather, a truism of application state, where functionality and features are continuously enhanced. Compare this to a billing or call center, which has a minimum of features, and where great amounts of time are spent in testing before new applications are released to production.

The great thing about developing in the Internet world is that lots of new features can be brought to end users in a very short amount of time. The standard for development is weeks to a few months rather than years. Not only does this provide a level of instant gratification, but it also allows applications and services to be highly responsive to what users actually want and need, and in the end, provides a vastly more desirable system.

The tradeoff, of course, is that the applications themselves aren't nearly as reliable. Thus, the three nines goal. Why three nines? Because it's the highest possible reliability for a system which utilizes human intervention, and there's simply no way that a dynamic, "Internet World" application can be reduced to few enough parameters that it can be managed in an automated fashion. Failure modes grow at an exponential rate to functionality and the task of automating monitoring and management of such dynamic and flexible systems is an entropic one that is, it quickly becomes a task bigger than the application itself.

But even three nines doesn't come cheaply. It requires a complete staff to be available at all times. There's no time to call and page people to wait for them to get home from the supermarket where they were grabbing a quart of milk for the baby.

How much staff does one need? Well, that's a good question, and the answers are dependant upon the nature of the particular application. But, my experience in today's world shows that most systems are three-tier applications, with significant networking components. Therefore, at any given time, you need the following people on hand:

  • NOC / Monitoring staff
  • System administrators
  • Network Engineers
  • Application Engineers
  • Database Administrators
  • Crisis Management
  • Customer Management

Now, admittedly, there can be some overlap in tasks, and the simpler the application, the easier it is to get overlap, but already, we're talking about quite a few people. Of course, these people need some backup to call in, for fresh ideas, if things aren't going well.

Don't underestimate the value of having a technical person, who understands the system, acting in the Crisis Manager role. This person is actually very critical to making sure that key issues aren't being overlooked, and to providing the detached viewpoint that is key to problem solving.

In addition, having a customer relationship person available to talk to the upset customers, at least when the service is provided to businesses rather than consumers, is vital. This isn't to help solve the problems of a given downtime event, but for the ongoing relationship with the customer.

Rule #4: 99.7% is very cost effective.

That's right, less than three nines. 99.7% gets effectiveness from the fact that it allows for two hours of downtime a month basically, a total of one day per year.

While it sounds like a lot, it's typical for a failure pattern to consist of several small events of 10-20 minutes duration, and on rare occasions, a failure that takes three to four hours to resolve. That's the core timing that you are get with 99.7% -- the ability to have a four hour failure once a year.

That means that you don't have to build nearly the hardware redundancy instead of having 1:1 "hot" standby units, you can have a 1:N relationship with a cold standby unit that can be configured and put into place in the span of a couple of hours. The larger N is the greater the costs savings. If they are network components we're referring to, the less complex the routing environment, the fewer people with network-specific skills are needed. Get it simple enough, and you get more overlap of skills, meaning more bang for your salary buck.

Complex systems also require complex understandings. The number of dependencies within systems again grows exponentially, and leaves far more room for human error.

Remember rule #1, a great system run poorly is a poor system.

The Scheduled Downtime Dilemma

No one wants to have downtime, even when planned. But scheduling maintenance windows and using them are one of the great ways to simplify system management. Rather than having to spend time, effort, and money on working out the details of system changes without impacting the end user, a team can simply shut down access for a few minutes, make the changes, test that they work, and then bring the system back online.

The truth is, for anything but a stagnant legacy application, not having scheduled downtime pushes you "up" one rung of the uptime ladder 99.7% without windows becomes 99.9%, 99.9% without windows becomes 99.99% in difficulty, and so forth. A good IT team should do their best to use maintenance windows as little as possible, but they should use them in a reasonable fashion.

So, what's the answer?

The rules and information above provide a good starting point when analyzing your situation. The answer is simply that applications and environments need to be evaluated from both a marketing and financial aspect to determine what's really necessary, and then allocate your resources to that target. It's important to avoid over-reaching.

And remember rule #1, a great system run poorly is a poor system.

 

If you have any questions or comments regarding this article, please do not hesitate to e-mail comments@codesta.com!