Failure Containment

Definition

Failure containment means that failures in one layer cannot propagate to downstream layers.

Each layer must contain its own failures and prevent them from misleading users.


Failure Domains

Failures must be contained within their layer:

| Failure Location         | Consequence       |
|--------------------------|-------------------|
| Data failure             | No evaluation     |
| Evaluation failure       | No interpretation |
| Interpretation ambiguity | No action         |


The Containment Principle

Data Layer Failure

If data is:

  • Missing
  • Corrupted
  • Below quality threshold
  • Discontinuous

Then: Evaluation Layer receives "insufficient data" signal. No evaluation proceeds.

Evaluation Layer Failure

If evaluation:

  • Cannot converge
  • Produces contradictory states
  • Has uncertainty exceeding threshold

Then: Interpretation Layer receives "evaluation uncertain" signal. No interpretation proceeds.

Interpretation Layer Ambiguity

If interpretation:

  • Cannot resolve to clear language
  • Would require causal claims
  • Exceeds confidence bounds

Then: Action Boundary Layer receives "interpretation unavailable" signal. No action is offered.


Why Containment Matters

Without containment:

  • Errors propagate downstream
  • Users receive confident output from uncertain sources
  • Responsibility becomes ambiguous
  • Failures are hidden rather than acknowledged

With containment:

  • Each layer owns its failures
  • Users receive accurate confidence signals
  • Responsibility remains clear
  • Failures are visible and honest

Failure Is Information

A contained failure is not a bug—it is information.

When a system says "evaluation not possible," it is telling the truth about its state.

When a system hides evaluation failure and produces interpretation anyway, it is lying.


What Containment Looks Like

Data failure: "Data quality insufficient for evaluation."

Evaluation failure: "State evaluation inconclusive."

Interpretation ambiguity: "Unable to provide interpretation at this time."

All failures contained: User sees honest uncertainty. User trusts the system.

Failures not contained: User sees confident output from a broken system. User is misled.
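The layer chain described under The Containment Principle, with the user-facing wording from What Containment Looks Like, as an added Python example that is not part of the ESGR System Model documentation. The individual layer checks (a point count, a gap ratio, a spread threshold, a wording table) are hypothetical stand-ins for whatever each real layer evaluates; what the example shows is that a layer only runs when the previous one produced a usable result, and that a halted pipeline reports its own signal instead of a downstream output.

```python
from typing import Optional

# Signals each layer emits when it contains its own failure (wording from the page).
INSUFFICIENT_DATA = "insufficient data"
EVALUATION_UNCERTAIN = "evaluation uncertain"
INTERPRETATION_UNAVAILABLE = "interpretation unavailable"

# What the user sees for each contained failure (wording from the page).
MESSAGES = {
    INSUFFICIENT_DATA: "Data quality insufficient for evaluation.",
    EVALUATION_UNCERTAIN: "State evaluation inconclusive.",
    INTERPRETATION_UNAVAILABLE: "Unable to provide interpretation at this time.",
}

def data_layer(samples: list, min_points: int = 5, max_missing: float = 0.2) -> Optional[list]:
    """Hypothetical quality gate: enough points, and not too many gaps (None entries)."""
    if len(samples) < min_points:
        return None                                   # missing / discontinuous
    missing = sum(s is None for s in samples) / len(samples)
    if missing > max_missing:
        return None                                   # below quality threshold
    return [s for s in samples if s is not None]

def evaluation_layer(values: list, max_spread: float = 10.0) -> Optional[str]:
    """Hypothetical evaluation: a state is declared only if the values agree tightly."""
    if max(values) - min(values) > max_spread:
        return None                                   # uncertainty exceeds threshold
    return "elevated" if sum(values) / len(values) > 50 else "normal"

def interpretation_layer(state: str) -> Optional[str]:
    """Hypothetical interpretation: only states with agreed wording resolve to language."""
    wording = {"normal": "Readings are within the expected range.",
               "elevated": "Readings are above the expected range."}
    return wording.get(state)                         # None = cannot resolve

def run_pipeline(samples: list) -> dict:
    """Run the layers in order; each executes only if the previous one succeeded.
    Returns which layers ran, the halting signal (if any) and the user-facing text."""
    layers = [("data", data_layer, INSUFFICIENT_DATA),
              ("evaluation", evaluation_layer, EVALUATION_UNCERTAIN),
              ("interpretation", interpretation_layer, INTERPRETATION_UNAVAILABLE)]
    result, ran = samples, []
    for name, layer, signal in layers:
        ran.append(name)
        result = layer(result)
        if result is None:                            # contain: stop here and say so
            return {"layers_run": ran, "signal": signal, "message": MESSAGES[signal]}
    # Only a resolved interpretation reaches the action boundary.
    return {"layers_run": ran, "signal": None, "message": result}
```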


Compliance Note

Systems that allow failures to propagate across layers, or that produce downstream outputs despite upstream failures, violate ESGR System Model specifications.


Related