Contact us

How to Design a System That Recovers Gracefully Without Human Intervention

by Arif Ikhsanudin, Backend Developer

The 3am Problem

Your system goes down at 3am. The monitoring alerts. An engineer is paged. They log in, investigate, identify the issue — a failed worker process that was not restarting, a database connection pool that had exhausted due to a slow query, a service that was in a crashed state because of an unhandled exception. The fix is simple: restart the process, clear the connection pool, redeploy.

The question is not how to fix the issue. The question is why a human was required to fix it. Process restarts, connection pool exhaustion, and crashed services are predictable failure modes with well-defined recovery actions. Designing for automated recovery means handling these cases before the 3am page, not during it.

The Components of Automated Recovery

Process-level restart. Application processes crash. Kubernetes restart policies restart failed pods. systemd Restart=always restarts crashed services. Docker Swarm restart policies do the same. This is table stakes. Any service running in production should have a process supervisor that restarts it on failure, with backoff to prevent restart loops.

Health check-driven traffic removal. Load balancers with aggressive health checks remove unhealthy instances from the pool within 20–30 seconds. The instance continues restarting in the background. When it passes health checks, traffic is restored. The user impact is limited to the failure detection window.

Autoscaling on instance failure. Cloud autoscaling groups (AWS ASG, GCP Managed Instance Groups) replace terminated instances automatically. If an instance is marked unhealthy and terminated, the ASG brings up a replacement. The fleet self-heals to the desired capacity without human intervention.

Database failover automation. RDS Multi-AZ, Cloud SQL HA, and Redis Sentinel all automate promotion of standby replicas to primary on primary failure. RTO (recovery time objective) for RDS Multi-AZ failover is typically 60–120 seconds. The application reconnects (connection pool reconnect logic must handle this), and operations resume.

# Application database connection: ensure reconnect on failure
# Example: SQLAlchemy (Python)
engine = create_engine(
    DATABASE_URL,
    pool_pre_ping=True,       # Test connection before use, discard if failed
    pool_recycle=3600,         # Recycle connections after 1 hour
    connect_args={"connect_timeout": 5}  # Fail fast on connection attempt
)
# pool_pre_ping ensures stale connections (post-failover) are detected
# and replaced rather than returning errors to application code

Circuit breakers with automatic reset. A circuit breaker that trips on downstream failure should also auto-reset after a timeout. After 30 seconds in open state, move to half-open: allow one request through. If it succeeds, close the circuit. If it fails, return to open. This enables recovery as soon as the downstream service recovers, without human intervention.

What Automated Recovery Cannot Handle

Automated recovery handles mechanical failures: processes crashing, instances dying, databases failing over. It cannot handle semantic failures: a bug that causes incorrect data to be written, a misconfiguration that routes traffic to the wrong backend, a deployment that introduces a regression.

These require human intervention because the correct recovery action requires understanding context. An automated system restarting a service that is crashing due to a bad deployment just keeps restarting a broken service.

The boundary: automate recovery from infrastructure and process failures with known, repeatable recovery actions. Require human intervention for behavioral failures where the recovery action depends on understanding the cause.

The Design Principle

For every failure mode your system can experience, define the expected recovery behavior and implement it before the failure occurs. Not "we will handle it when it happens" — that is designing for incidents, not designing for recovery.

Write down: for each component, what happens when it fails, and what automated mechanism returns it to service. If the answer is "an engineer gets paged and restarts it manually," the design is incomplete. An engineer getting paged is not a recovery mechanism — it is an acknowledgment that one is missing.

Scale Your Backend - Need an Experienced Backend Developer?

We provide backend engineers who join your team as contractors to help build, improve, and scale your backend systems.

We focus on clean backend design, clear documentation, and systems that remain reliable as products grow. Our goal is to strengthen your team and deliver backend systems that are easy to operate and maintain.

We work from our own development environments and support teams across US, EU, and APAC timezones. Our workflow emphasizes documentation and asynchronous collaboration to keep development efficient and focused.

  • Production Backend Experience. Experience building and maintaining backend systems, APIs, and databases used in production.
  • Scalable Architecture. Design backend systems that stay reliable as your product and traffic grow.
  • Contractor Friendly. Flexible engagement for short projects, long-term support, or extra help during releases.
  • Focus on Backend Reliability. Improve API performance, database stability, and overall backend reliability.
  • Documentation-Driven Development. Development guided by clear documentation so teams stay aligned and work efficiently.
  • Domain-Driven Design. Design backend systems around real business processes and product needs.

Tell us about your project

Say Hej

Our offices

  • Copenhagen
    1 Carlsberg Gate
    1260, København, Denmark
  • Magelang
    12 Jalan Bligo
    56485, Magelang, Indonesia

More articles

No Sudo, No Tools, No Hope: How Bureaucracy Stops Projects Before They Start

Ever tried to get a project moving and hit nothing but red tape? Sometimes, bureaucracy kills momentum before a single line of code is written.

Read more

TSMC and MediaTek Built Taipei's Engineering Culture Around Hardware — Software Backend Is an Afterthought

Taiwan produces some of the world's best engineers. Most of them are building chips, not backend systems — and that shapes the hiring market in ways Taipei software startups feel immediately.

Read more

Canada's Big Banks Are Winning the Toronto Backend Talent War — Here Is How Startups Fight Back

Toronto's financial institutions have deep pockets, stable careers, and a head start on recruiting. Startups need a different playbook.

Read more

Recovering From a Public Mistake (Like a Website Crash)

Seeing your website go down in front of everyone is a stomach-dropping moment. But a public mistake doesn’t have to be a career-ender—it can be a chance to show professionalism and resilience.

Read more