System Design 101: Wrongness

Wrongness: What Each Observer Tolerates

Wrongness is not bugs or errors or incorrect data. Those are manifestations. Wrongness is the distance between what an observer expected and what they encountered—a distance that exceeds what they can tolerate.

Every observer has a tolerance band. Within the band, deviations are acceptable. Beyond it lies a breaking point. Beyond the breaking point lies reaction.

Wrongness is not binary. It is graded. A system state can be slightly wrong, tolerably wrong, or catastrophically wrong—and that judgment depends entirely on which observer is judging.

Wrongness is observer-relative.

The same system state can satisfy one observer and violate another. This isn't a matter of perspective. It's a matter of what each observer needs to function.

An initiator needs acknowledgment. A state where the order was processed but acknowledgment was delayed is wrong for the initiator and fine for everyone else. Their function—knowing whether their action counted—is impaired. No other observer's function is impaired by the same state.

A recipient needs actionable input. A state where an order has an ambiguous field is wrong for the recipient if it blocks their work, and invisible to everyone else. The initiator got confirmation. The supervisor sees normal throughput. The dependent will see whatever value ends up in the record. Only the recipient, trying to act on ambiguous data right now, experiences wrongness.

A supervisor needs signals. A state where errors are occurring but not being logged is wrong for the supervisor and invisible to others. The initiator might have received a clear failure. The recipient might have handled it. The dependent will see clean data. Only the supervisor, looking for patterns that should surface but don't, experiences wrongness.

A dependent needs stability. A state where yesterday's record differs from today's is wrong for the dependent and resolved for everyone else. The initiator moved on. The recipient processed the correction. The supervisor saw no anomaly. Only the dependent, trusting that the past stays fixed, experiences wrongness.

This means a system can be simultaneously correct and wrong. Correct for the observers whose tolerances are satisfied. Wrong for the observers whose tolerances are exceeded. There is no observer-independent answer to "is this system working?"

Wrongness is time-relative.

Observers don't ask "is this wrong?" They ask "is this wrong enough, yet, to act?" That question embeds duration. How wrong is it? How long has it been that wrong?

An initiator's tolerance expires in seconds. Ambiguity that lasts a moment is acceptable. Ambiguity that persists becomes intolerable. The same state—no acknowledgment—transitions from acceptable to wrong as time passes. The state didn't change. The initiator's tolerance did.

A recipient's tolerance is bounded by the task. Wrongness exists when work is blocked. If obstruction is brief—a slow database, a momentary inconsistency—it falls within tolerance. If obstruction persists, tolerance is exceeded. Wrongness for a recipient is measured in task-time, not clock-time.

A supervisor's tolerance requires duration to establish. A single anomaly is noise. A persistent anomaly is signal. Wrongness for a supervisor emerges from pattern, and patterns take time to form. A state that has been wrong for five minutes might not yet be wrong for the supervisor. A state that has been wrong for an hour probably is.

A dependent's tolerance spans history. Wrongness surfaces when they examine the past and find it has changed. A correction made today creates wrongness for a dependent reviewing yesterday's data next week. The correction itself happened quickly. The wrongness it created won't surface until the dependent looks.

This means wrongness can exist for one observer before it exists for another. An initiator experiences wrongness in seconds. A supervisor experiences wrongness in minutes or hours. A dependent experiences wrongness in days or months. The wrongness was present—it just hadn't arrived at each observer's threshold yet.

Wrongness flows.

Resolving wrongness requires action. Action changes state. Changed state affects observers who built expectations on the previous state.

When an initiator retries because acknowledgment was slow, they resolve their own wrongness—they've acted, and now they'll get a response. But the retry creates a duplicate request. The recipient now faces wrongness: two orders that look identical. Wrongness flowed from initiator to recipient.

When a recipient fixes ambiguous data to unblock their work, they resolve their own wrongness—flow continues. But the fix changes the record. The dependent now faces wrongness: the record doesn't reflect what actually arrived. Recipients do not create wrongness. They are where wrongness becomes irreversible—where provisional state hardens into fact.

When a supervisor acts, they can correct or protect. Corrective action restores the system to a valid state—restarting a stuck process, rolling back a bad deployment. Protective action prevents further damage—pausing intake, isolating a failing component. Both affect wrongness, but differently. Corrective action often invalidates work in progress, creating wrongness for dependents who built on the now-invalid state. Protective action concentrates wrongness at a boundary, preventing it from spreading but not resolving it.

When someone corrects an error by editing a historical record, they resolve the immediate wrongness—the data is now accurate. But the dependent who already computed against the old data now faces wrongness: their reports don't match the current record. Wrongness flowed from the present into the past.

Wrongness doesn't disappear when you fix it. It moves.

Wrongness is conserved.

This is the principle that governs flow. Wrongness can be delayed, hidden, transformed, or reassigned. It cannot be eliminated.

Conservation does not mean wrongness cannot be reduced. It means wrongness cannot be removed without changing whose expectations define correctness. If you redefine what the initiator expects, their wrongness disappears—but only because you moved the boundary of their tolerance, not because you fixed the underlying state.

Delay: fast acknowledgment pushes wrongness downstream. The initiator's ambiguity is resolved immediately. Any wrongness in the underlying state surfaces later, to recipients or dependents. The wrongness still exists—it just exists later.

Hiding: silent correction makes wrongness invisible. The recipient's obstruction is removed. The wrongness that caused the obstruction is no longer visible to supervisors or dependents. The wrongness still exists—it just exists in a place no one is looking.

Transformation: fixing wrongness in one form creates wrongness in another. A record correction transforms operational wrongness (the data was inaccurate) into historical wrongness (the past has changed). The total wrongness is conserved—its shape has changed.

Reassignment: resolving wrongness for one observer assigns it to another. The initiator's ambiguity becomes the recipient's duplicate. The recipient's obstruction becomes the dependent's missing history. Wrongness doesn't have a home. It has a current location.

Tolerance bands determine where wrongness accumulates.

Tolerance is functional, not moral. Wide tolerance is not negligence. Narrow tolerance is not virtue. They are properties of how an observer relates to the system.

Misaligned tolerance is dangerous. When an upstream observer has wide tolerance and a downstream observer has narrow tolerance, wrongness accumulates upstream and then crashes into the narrow tolerance downstream. The upstream observer absorbs and absorbs, and then the downstream observer breaks.

Narrow tolerance early prevents catastrophe later. An initiator with narrow tolerance for ambiguity retries quickly. This creates pressure on the system, but it surfaces problems immediately. A dependent with narrow tolerance for semantic drift rejects inconsistent data. This creates friction, but it prevents silent accumulation.

Wide tolerance is useful but accumulative. A recipient with wide tolerance for ambiguity keeps work flowing. A supervisor with wide tolerance for transient errors avoids false alarms. But wide tolerance means wrongness collects rather than surfaces. The observer with wide tolerance becomes a reservoir.

Wrongness flows toward observers who don't check, can't reject, or tolerate more than others. It accumulates where visibility is lowest and tolerance is highest—until even that tolerance is exceeded.

Systems fail when wrongness arrives at an observer who cannot tolerate it.

Every system has a capacity for wrongness. That capacity is distributed across observers. Each observer absorbs some wrongness within their tolerance band. The system functions as long as no observer's tolerance is exceeded.

Failure occurs at the point where wrongness exceeds local tolerance. This might be the observer where wrongness originated. More often, it's the observer where wrongness accumulated—downstream, later, in the place that was least visible.

The dependent whose tolerance is finally exceeded didn't create the wrongness. They received it. Flowed from initiator to recipient to record to report. Transformed from ambiguity to duplicate to correction to historical gap. Delayed from seconds to days to months. The wrongness that breaks them was created long ago by observers who resolved their own wrongness without knowing where it would go.

The design question.

You cannot build a system with no wrongness. Wrongness is inherent in the gap between expectation and reality, and that gap is inherent in distributed systems, concurrent operations, and asynchronous communication.

What you can do:

Route wrongness toward observers who can tolerate it. An initiator cannot tolerate ambiguity—so acknowledge quickly, even if that creates duplicate risk for recipients who can better absorb it.

Surface wrongness before it compounds. A supervisor who detects deviation early contains it. A supervisor who detects deviation late inherits accumulation.

Preserve context so wrongness can be diagnosed. A dependent who finds wrongness needs to trace it to its source. If context was erased, diagnosis is impossible.

Time decides when wrongness is discovered. Observers decide whether it matters. Systems fail when wrongness arrives at an observer who cannot tolerate it.

Design is the act of deciding which observers will encounter wrongness first, and which will never be allowed to see it.