Concepts

An affordance is a relationship between an object and an agent: the actions the object makes possible given that agent's capabilities. A chair affords sitting; a handle affords pulling. Affordances exist whether or not anyone perceives them. Designing the right affordances mak...

An initial value, even an arbitrary or irrelevant one, pulls subsequent estimates toward it. People adjust away from the anchor but insufficiently, so it contaminates the final judgment. Anchors shape estimates without awareness, which makes negotiation, pricing, and forecasti...

The system qualities an architecture must support beyond its domain functionality, the " ilities": performance, scalability, availability, security, deployability, testability, and so on. They are the success criteria of an architecture, separate from what the system does. An...

A short, durable document for each significant architecture decision that records its context, the decision made, the alternatives considered, and the consequences. ADRs are usually kept in version control alongside the code and are immutable: a superseded decision gets a new...

Automated testing is the practice of encoding expected behavior as checks a machine runs, so that whether the system still works is answered by running the suite rather than by inspection or hope. Self testing code, where a fast, trustworthy suite accompanies the code, is the...

Judging the frequency or probability of something by how easily examples come to mind. Vivid, recent, or emotionally charged instances feel more common than they actually are. Ease of recall is driven by salience and exposure, not by real frequency, so availability systematica...

A flow control mechanism in which a consumer that cannot keep up signals the producer to slow down, rather than dropping data or exhausting memory. It bounds work in progress by propagating "not so fast" back up the pipeline. When producers outpace consumers, something has to...

A goal seeking, stabilizing loop that moves a stock toward a target by counteracting deviations. The larger the gap from the goal, the stronger the corrective flow. Balancing loops are the source of stability, regulation, and self correction without central control. They are a...

Ignoring the underlying frequency of a category in favor of specific, individuating detail (often a stereotype or vivid story) when judging probability. The representativeness of the detail overrides the statistics. Plausible detail feels more diagnostic than dull base rates,...

The amount of work moved through a process in one increment. Small batches mean changes are made, integrated, and released in frequent tiny pieces rather than large infrequent ones. Reducing batch size is a core lean principle: it shortens cycle time, smooths flow, and surface...

A blameless postmortem is a written, after the fact analysis of an incident that assumes everyone acted with good intent given what they knew at the time, and that looks for the systemic and latent causes that let the failure happen rather than for a person to fault. The outpu...

The resource whose capacity is less than the demand placed on it. A bottleneck, the constraint, sets the maximum throughput of the entire system: everything downstream waits on it and everything upstream piles up before it. A system's output is governed by its single binding c...

An explicit boundary within which a single domain model applies and its terms have one precise meaning. Outside the boundary the same word may mean something different, modeled differently. Bounded contexts make the limits of a model deliberate: each context owns its model and...

People make reasonable decisions based on the limited, often delayed information available from their position in a system, not on perfect global knowledge. Rational local choices can still add up to poor system wide outcomes. It explains why competent, well intentioned actors...

Software rots the way a building does: one visible, unrepaired flaw, a "broken window", signals that no one cares, and invites more neglect until decay accelerates. The remedy is to fix small problems promptly rather than letting them accumulate into entropy. Quality erodes gr...

Adding manpower to a late software project makes it later. Effort (measured in person months) and progress (measured in time) are not interchangeable, because tasks have sequential constraints and new people add training and communication overhead before they add output. It de...

Every change to a complex system, including changes that fix problems or add safety, creates new and often unforeseen paths to failure. Improvement and new risk arrive together. Changes alter the web of interactions and consume the margin that absorbed past variation, so the s...

The design of the environment in which a decision is presented: the order and number of options, the defaults, the wording, and the feedback. The person who arranges these is a "choice architect." There is no neutral arrangement; every design influences what people choose. Bec...

A code smell is a surface indication in code that usually corresponds to a deeper design problem. It is a heuristic, not a rule: a smell tells you where to look and that something may be worth improving, not what is wrong or how to fix it. Named smells (duplicated code, long f...

The feeling of mental fluency when information is easy to process, from familiarity, clarity, repetition, or good legibility. System 1 reads ease as a signal of truth, safety, and liking; strain signals effort and doubt. Things that are easy to process feel more true, more lik...

The total mental effort required to work in a given domain or system. A team has a finite cognitive capacity, and the amount of software and responsibility assigned to it should fit within that capacity. When a team's cognitive load exceeds its capacity, flow slows, quality dr...

Comments exist to record the information in the designer's head that the code itself cannot express: intent, rationale, units, invariants, and the abstraction a module presents. Good comments describe things not obvious from the code. A large part of a design lives only in the...

Anything about the structure of a system that makes it hard to understand and modify. Complexity is defined by how the system appears to the people working on it, not by its size or line count. Complexity is the primary force that slows software development over a system's lif...

A system should reflect one coherent set of design ideas, so that it feels designed by a single mind. Brooks calls it the most important consideration in system design: better to have one consistent set of ideas, even omitting some good features, than many good but uncoordinat...

A simplified explanation of how something works that lets a person predict its behavior. The designer holds a design model, the user forms a mental model, and the two communicate only through the system image: what the artifact actually presents. When the system image conveys...

A measure of coupling: two components are connascent if changing one requires changing the other to keep the system correct. It comes in forms, static (connascence of name, type, meaning, position, algorithm) visible in the code, and dynamic (execution order, timing, value, id...

Getting several nodes to agree on a single value or a single ordering of events, even though some may fail and the network is unreliable. A surprising range of problems, leader election, atomic commit across nodes, uniqueness constraints, totally ordered message delivery, all...

Limitations built into a design that restrict possible actions and guide people toward correct use. Norman identifies four kinds: physical, logical, semantic, and cultural. Constraints shrink the space of what a person must figure out, often making the correct action the only...

Organizations produce system designs that mirror their own communication structures. The corollary, the Inverse (Reverse) Conway Maneuver, is to deliberately shape teams and communication paths so the system evolves toward a target architecture. Architecture and organization a...

The part of the domain that gives the business its competitive advantage, distinguished from generic subdomains (solved problems anyone can buy or copy) and supporting subdomains (necessary but not differentiating). The strategic instruction is to spend the most modeling effor...

Two foundational measures of module structure. Coupling is the degree of interdependence between modules; cohesion is the degree to which the elements inside a module belong together. Good structure minimizes coupling between modules and maximizes cohesion within them. Togethe...

Specifying what a result should be rather than the step by step control flow to compute it. Out of the Tar Pit treats explicit control flow, the order in which things happen, as the second great source of accidental complexity, and declarative styles remove most of it by leavi...

A module is deep when it offers a simple interface over a powerful implementation. Depth is the ratio of functionality provided to interface exposed: the best modules hide a lot behind a little. A module's interface is a cost paid by every user; its implementation is a cost pa...

The outcome that takes effect when a person does nothing. Because of inertia, limited attention, and status quo bias, most people stay with whatever is preset, so the default quietly determines the result for the majority. Defaults are the single most powerful tool in choice a...

Complex systems are protected by multiple, overlapping layers of defense, so that no single failure produces catastrophe. Harm requires several defenses to fail at once. Because latent flaws are always present, robustness comes not from one perfect barrier but from layering im...

Reduce the number of places that must handle errors by redefining the semantics so that the error condition simply does not arise, instead of detecting and reporting it everywhere. Exception and special case handling is one of the largest sources of complexity, because every e...

Before improving a system you must state its true goal and the few measurements that show whether you are moving toward it. Any action that does not advance the goal is not productivity, however busy it looks. Without an explicit goal and the right measures, people optimize pr...

Complex systems run continuously in a partially broken state. They function not because they are flawless but because enough redundancy and human adjustment keep them working despite the flaws they always carry. The normal condition of a complex system is "degraded," not "perf...

The time lag between a change in a flow and the system's response to it. Information and material take time to move through a system, so feedback always arrives some interval after the cause. Delays are a primary cause of oscillation, overshoot, and instability. A balancing lo...

When steps depend on one another and each varies statistically, delays accumulate and rarely cancel out, because a step can only catch up so far but can fall behind without limit. The combination of dependency and variation, not either alone, is what drags a system down. It ex...

Data that can be recomputed from another source: caches, search indexes, materialized views, aggregations. It is distinguished from the system of record, the authoritative source of truth. If derived data is lost, it can be rebuilt from the source of record. Separating the sou...

Specify the rights and obligations of a piece of code explicitly as a contract: preconditions the caller must satisfy, postconditions the routine guarantees in return, and invariants that always hold. The contract makes assumptions a stated, checkable part of the interface. Mo...

Before committing to a design, deliberately produce at least two materially different options and compare them, rather than implementing the first idea that seems workable. The first design that comes to mind is rarely the best, and the cost of comparing alternatives on paper...

In a well structured system, each layer presents a different abstraction from the layers above and below it. When adjacent layers have similar abstractions, that is a sign the boundary between them is not pulling its weight. A layer earns its place by transforming the abstract...

The degree to which a user can figure out what actions are possible and how to perform them just by looking. It emerges when affordances, signifiers, mapping, feedback, constraints, and a clear conceptual model work together. A discoverable design needs no manual. When discove...

A rigorous, selectively simplified model of a domain that is bound tightly to the code that implements it. In model driven design the same concepts, names, and rules appear in the model, the team's language, and the running software. The model is not documentation produced onc...

Every piece of knowledge must have a single, authoritative, unambiguous representation in a system. DRY is about duplicated knowledge and intent, not merely duplicated lines of code; two pieces of code can look alike yet represent different knowledge, and identical knowledge c...

A scheduling approach built around the constraint. The constraint sets the pace (the drum); a time buffer of work in front of it protects it from upstream variation (the buffer); and material is released into the system only at the rate the constraint consumes it (the rope). I...

The error budget is the amount of unreliability a service is allowed to spend over a period: one minus the Service Level Objective. If the objective is 99.9%, the budget is the remaining 0.1% of failed or slow requests. Because some failure is permitted by design, the budget b...

A distinction between complexity inherent in the problem itself (essential) and complexity introduced by the tools, representation, and accidents of how we build the solution (accidental). In No Silver Bullet, Brooks argues software's essential complexity, its intricacy, confo...

A weak consistency model in which replicas may temporarily disagree but converge to the same value once writes stop arriving. Reads can return stale data, and without extra guarantees a client may not even read its own writes. Dropping the requirement for an always current sin...

When something happens that should be impossible, stop immediately and visibly rather than continuing in a corrupted state. A dead program tells no lies: crashing early surfaces the defect at its source instead of letting it propagate into confusing, distant failures. A progra...

A fault is one component deviating from its specification; a failure is the system as a whole stopping serving its users. A fault tolerant system is designed so that faults do not escalate into failures. Some faults can even be triggered deliberately, killing nodes, injecting...

Immediate, informative communication of the result of an action. In the design sense this is distinct from the systems sense of feedback loops: here it means telling the user what just happened. Every action should produce a perceptible, timely response. Without feedback, peop...

A feedback loop forms when the level of a stock influences the flows that change that same stock, so the system acts on itself. There are two kinds: reinforcing loops that amplify and balancing loops that stabilize. Feedback is what makes a system generate its own behavior ove...

An objective, usually automated, test that measures whether an architecture characteristic is being maintained as the system changes: performance budgets, dependency rules, security checks, coupling limits. Borrowed from evolutionary computing, a fitness function scores how cl...

A strong constraint that makes it impossible, or at least hard, to proceed until a problem is corrected. Three types: interlocks force a sequence, lock ins keep an operation active, and lock outs prevent entering a dangerous state. For high cost errors, prevention beats correc...

A model that reduces team organization to four types: stream aligned (aligned to a flow of work, and the primary type), platform (provides internal services that reduce others' cognitive load), enabling (helps other teams acquire capabilities), and complicated subsystem (owns...

Natural seams along which a system can be split into parts owned by independent teams. Good fracture planes follow real boundaries such as business domain, regulatory scope, rate of change, risk, or performance isolation. Where you split a system determines coupling, ownership...

The same information or choice produces different decisions depending on how it is described. Logically equivalent framings, gains versus losses or survival versus mortality, are not psychologically equivalent. Because System 1 reacts to the description rather than the underly...

Drawing on Westrum's typology, organizational cultures fall on a spectrum by how they handle information. Pathological cultures hoard information and use it politically; bureaucratic cultures move it through rules and turf; generative cultures let it flow freely to whoever nee...

Two gaps a person must bridge when using something. The Gulf of Execution is the gap between an intention and the actions the system allows ("how do I do this?"). The Gulf of Evaluation is the gap between the system's actual state and the user's understanding of it ("did it wo...

The arrangement of a system into nested subsystems, where most interactions happen within a subsystem and far fewer cross between them. Hierarchy is how complex systems organize themselves and reduce the information any one part must handle. Hierarchy lets large systems functi...

Knowing how events turned out distorts judgment of the decisions that led there. After a failure, the path to it looks more foreseeable, and the operators' choices look worse, than they could have at the time. Hindsight makes the outcome seem inevitable and the people involved...

A design process that starts from the real needs and capabilities of the people who will use something and proceeds by iteration: observe, ideate, prototype, test, repeat. The problem is questioned before any solution is committed. Designs fail when built around the technology...

An operation is idempotent if applying it more than once has the same effect as applying it once. In unreliable systems, where a request may be retried after an uncertain failure, idempotence is what makes retries safe. Because a client often cannot tell whether a failed reque...

Each module encapsulates a few design decisions inside its implementation, and those decisions are not visible in its interface. The opposite, information leakage, is when one design decision is reflected in multiple modules. Information hiding is the mechanism that makes modu...

A distinction between metrics you control directly (inputs, such as selection, in stock rate, or page load speed) and metrics that report results you want but cannot move directly (outputs, such as revenue, profit, or stock price). The discipline is to find the controllable in...

Behavior is guided by a combination of knowledge stored in the head (memorized) and knowledge available in the world (cues present in the environment). Design can shift the burden from memory to the world. Precise knowledge in the head requires learning and recall; knowledge i...

Defer a decision until the moment past which delaying would cost more than deciding, no earlier and no later. The point is not to procrastinate but to make irreversible or expensive commitments only when you have the most information and the cost of waiting starts to bite. Dec...

Complex systems always contain multiple flaws, each latent and individually insufficient to cause harm. Because the system keeps running, these flaws accumulate largely unnoticed, and you can never remove them all. Failures are not anomalies waiting to be eliminated; they are...

Give each user, process, or component only the access it needs to do its job, and no more. Privileges should be the minimum required, granted for the shortest time, and scoped as narrowly as possible, so that if a component is compromised or misbehaves, the damage it can do is...

Places in a system where a small intervention can produce a large change in behavior. Meadows ranks them from weak (adjusting parameters and numbers) to strong (changing rules, information flows, goals, and the paradigm the system arises from). Effort spent on low leverage poi...

The stance that it is legitimate, and often obligatory, to steer people toward choices that improve their own welfare (the paternalist half) while preserving their freedom to choose otherwise at low cost (the libertarian half). The two halves are reconciled by the fact that in...

A strong consistency model in which the system behaves as if there were a single copy of the data and every operation took effect atomically at some instant between its start and end. Once any read sees a new value, all later reads see it too; the data never appears to go back...

Losses loom larger than equivalent gains, roughly twice as much. Choices are made relative to a reference point, and the pain of losing outweighs the pleasure of gaining the same amount. Loss aversion shapes risk taking, the status quo bias, and the endowment effect, and expla...

The relationship between controls and their effects. Natural mapping uses spatial or physical analogy so the correspondence is grasped immediately, like stove burners laid out in the same arrangement as their knobs. Good mapping lets people operate something correctly on the f...

A complete, self reinforcing process that institutionalizes a desired behavior so it does not depend on people remembering or intending to do the right thing. "Good intentions don't work; mechanisms do." A real mechanism has three parts: a tool, its adoption (so it is actually...

State that changes over time, the values a system remembers between operations. Out of the Tar Pit identifies it as the single largest source of accidental complexity: once behavior depends on accumulated history, the number of states to reason about explodes, and the same inp...

A name is a tiny abstraction. A good name creates a precise, accurate image of the thing it refers to and quietly excludes what it is not. Names should be precise enough that a reader rarely has to look at the implementation, and consistent enough that the same word always mea...

Replacing bullet point presentation slides with structured written narratives: full prose documents read silently at the start of a meeting before any discussion. The argument must stand on its own in complete sentences, with reasoning and evidence, rather than as fragments a...

Any feature of choice architecture that predictably alters people's behavior without forbidding any options or significantly changing their economic incentives. To count as a nudge, the intervention must be easy and cheap to avoid: a default you can change, not a mandate; a re...

Observability is the degree to which a system's internal health can be inferred from what it emits: metrics, logs, and traces. You cannot operate, debug, or improve what you cannot see. The practical core is to instrument for a small set of user centric signals (latency, traff...

Code is obvious when a reader can understand what it does and why with little effort, forming a correct mental model on the first read and rarely being surprised. Nonobvious code is the enemy. Code is read far more often than it is written, and obviousness is a property judged...

Two components are orthogonal when changing one has no effect on the other. An orthogonal system is composed of independent, self contained parts with a single, well defined responsibility each, so effects stay local. Orthogonality limits the blast radius of change: a modifica...

People are systematically more confident in their judgments and forecasts than accuracy warrants. Subjective certainty reflects the coherence of the story they have constructed, not the evidence or their actual track record. Overconfidence drives bad forecasts, unheeded risk,...

In a distributed system some parts can be broken while others keep working, and a node often cannot tell whether a remote node has failed, is merely slow, or whether the network dropped the message. Unlike a single machine that either works or crashes, distributed systems fail...

People judge and remember an experience largely by its most intense moment (the peak) and how it ended, not by its overall sum or duration. The remembering self and the experiencing self diverge, and memory drives future choices. Because decisions are made by the remembering s...

In complex systems, human practitioners are the adaptable element that continuously produces safety and reliability, by detecting problems, compensating for flaws, and adjusting to changing conditions. Safety is an ongoing activity, not a static state. Practitioners hold a dua...

When building something genuinely new, plan to build a pilot version expecting to discard it, because you will anyway. The first full attempt teaches what the real design should be, and delivering it as the product ships your learning draft. The hardest problems are not unders...

Plans and forecasts are systematically too optimistic, built on best case scenarios and the specifics of the current case while ignoring how similar efforts actually went. Estimates skew toward the inside view. The inside view, this plan and these tasks, ignores the base rate...

A system trap where several actors pull a shared stock toward different goals, so any policy that moves it toward one actor's goal increases the others' effort to pull it back. The system stays stuck while everyone strains harder. It explains why well designed interventions pr...

Premature optimization is changing a design to improve performance before there is evidence that performance matters there. The discipline is to make the system correct and simple first, measure to find where time is actually spent, then optimize only the few places the measur...

Relying on code that happens to work without understanding why, building on undocumented behavior, lucky timing, or side effects you never verified. The opposite is programming deliberately: knowing why each part works and what it depends on. Code that works by accident is a t...

When complexity is unavoidable, it is better to absorb it inside a module's implementation than to expose it through the interface. The module developer suffers so that every user does not. An interface's complexity is paid by everyone who uses the module, repeatedly, forever;...

Changing the internal structure of software to make it easier to understand and cheaper to modify, without changing its observable behavior. The discipline is the method: small, behavior preserving steps, each verified by tests, so that improving the design is decoupled from t...

A property of an expression: it can be replaced by its value without changing the program's behavior. It follows from purity, a function that always returns the same output for the same input and has no side effects. Such code depends only on its arguments, never on hidden sta...

Extreme outcomes tend to be followed by more average ones, simply because chance contributed to the extreme. No cause is needed; the pattern is statistical. People invent causal stories for what is just regression, crediting or blaming interventions that did nothing. It underl...

A self amplifying loop where more leads to more, and less leads to less: the stock feeds a flow that increases the stock further, producing exponential growth or, in reverse, collapse. Reinforcing loops explain runaway dynamics such as compounding, viral adoption, and vicious...

A system's ability to recover its function and structure after disturbance, to persist within a variable environment. Resilience comes from rich, overlapping, redundant feedback loops, not from optimization toward a single target. Resilient systems absorb shocks and repair the...

There are no final decisions. Because requirements, environments, and understanding all change, good design keeps important decisions reversible, so a choice that turns out wrong can be undone without rewriting everything. Avoid one way doors where a cheaper two way door exist...

Catastrophe in a complex system has no single root cause. It arises from multiple contributing conditions combining, none individually sufficient. Naming one "root cause" is a choice driven by the need for closure, not by the structure of the failure. Stopping at a root cause,...

Safety, and reliability with it, is an emergent property of a system as a whole, not something stored in any component. You cannot make a system safe by making each part safe in isolation, because most behavior comes from how the parts interact. It redirects effort from harden...

A system's ability to cope with increased load. It is not a one dimensional label a system simply "has"; it is a question: if load grows in a specific way, what are our options for handling it? Answering it requires describing load with concrete parameters and performance with...

Designing data encodings so formats can change over time without breaking running systems. Two directions matter: backward compatibility (new code can read data written by old code) and forward compatibility (old code can read data written by new code). Both are needed wheneve...

The second system a designer builds is the most dangerous, because success with a lean first system breeds the confidence to over engineer the second, cramming in every feature and embellishment that was wisely left out before. It names a predictable failure of experience: the...

The capacity of a system to make its own structure more complex, to learn, diversify, and create new patterns without external direction. It arises from simple organizing rules combined with the freedom to experiment. Self organization is the source of adaptation, evolution, a...

A Service Level Objective (SLO) is an explicit target for a service's reliability, expressed over a service level indicator (SLI): a carefully chosen metric of user visible health such as the fraction of requests served correctly and quickly. The SLO is the line the service is...

Norman's model of how people act: form a goal, then plan, specify, and perform actions (execution), then perceive, interpret, and compare the result against the goal (evaluation). Most of these stages happen subconsciously. Breaking action into stages shows exactly where a des...

A system trap, also called addiction or dependence, where a symptomatic fix relieves a problem in the short term but undermines the system's own capacity to solve it, so reliance on the fix grows and each round needs a larger dose for the same effect. The quick fix is attracti...

A signifier is any perceivable signal that communicates where and how an action should take place: a label, an icon, a visible cue. Where affordances determine what is possible, signifiers communicate it. People act on what they perceive, not on what is possible. A door with a...

Assigning one person, supported by a dedicated and largely autonomous team, to own a single initiative and nothing else. The "single thread" is that the owner's attention is not divided across competing priorities, and the team has the people and authority it needs so progress...

Two kinds of human error. A slip is doing the wrong action while intending the right one, an execution failure usually caused by inattention or habit. A mistake is forming the wrong intention or plan, a knowledge or rule failure. The two need different design remedies. Norman...

The measurable capability of an organization to deliver changes to users quickly and reliably. It is operationalized by four metrics: deployment frequency and change lead time (throughput), and change failure rate and time to restore service (stability). The central, counterin...

A stock is an accumulation, the amount of something present in a system at a moment in time. Flows are the rates that fill or drain it. Stocks are the memory of a system; they change only through their flows. Stocks change gradually even when flows change abruptly, which is th...

Two stances toward writing code. Tactical programming optimizes for getting the current feature working as fast as possible. Strategic programming treats working code as necessary but not sufficient, and invests continuously in a good design. Complexity accumulates one shortcu...

How a choice is organized when options are numerous or attributes are hard to compare: how many options are shown, how they are grouped and ordered, which are eliminated, and what aids help people compare. With few options people weigh attributes directly; as options multiply...

When faced with a hard question, System 1 often answers an easier, related one instead, without noticing the swap, and maps that answer onto the hard question. Substitution is the engine behind most heuristics and biases: difficult judgments about probability, value, or the fu...

Two modes of thinking. System 1 is fast, automatic, intuitive, and effortless; it runs constantly and generates impressions. System 2 is slow, deliberate, effortful, and capable of reasoning, but lazy and easily depleted. Most judgments originate in System 1, and System 2 usua...

Recurring structures that reliably produce problematic behavior regardless of who is involved: systemic archetypes such as policy resistance, tragedy of the commons, drift to low performance, escalation, success to the successful, addiction (shifting the burden), rule beating,...

The response times at the high percentiles (p95, p99, p999), not the average or median. Because a few slow requests dominate the worst experiences, and often hit the most active, most valuable users, the tail is the number that matters. Averages and medians conceal the slow re...

The explicit interface a team presents to the rest of the organization: its code and services, documentation, ways of working, and the expectations others can hold of it. Interacting with a team should go through its API, just as using a module goes through its interface. Team...

Three defined ways teams interact: collaboration (two teams work closely for a time, high bandwidth but blurred boundaries), x as a service (one team consumes what another provides with minimal coordination), and facilitating (one team helps or mentors another). Each interacti...

The team, not the individual, is the fundamental unit of software delivery. Teams should be long lived, stable, and small enough to sustain trust, and work should flow to teams rather than to individuals. Durable software is built and owned by durable teams. Optimizing around...

A metaphor for the cost of letting internal quality slide. Taking a shortcut in design is like borrowing money: it buys speed now, but you pay interest as every future change becomes slower and riskier until the debt is repaid by improving the design. Debt has two axes: it can...

Organize a programming team like a surgical team, around one chief programmer who does the core design and work, supported by specialists (a co pilot, tester, toolsmith, editor, and so on) rather than as a crowd of equal peers. The aim is to get the conceptual integrity and pr...

A method for improving any system by managing its constraint, through five focusing steps: identify the constraint, exploit it (get the most from it as it is), subordinate everything else to it, elevate it (add capacity), then repeat, without letting inertia leave an old const...

A structured practice for finding what can go wrong with a system before an adversary does. It is organized around four questions: what are we building, what can go wrong with it, what are we going to do about it, and did we do a good job? Structured enumerations such as STRID...

The rate at which a system achieves its goal. In The Goal it is the rate at which an organization generates money through sales, measured at the point of delivered value, not the rate at which any single part produces output. Local output and utilization can rise while through...

Toil is operational work that is manual, repetitive, automatable, tactical, and devoid of enduring value, and that scales linearly with the size of the service. It is not the same as overhead or hard work: writing a one off design is hard but not toil; clicking through the sam...

Build a thin but complete path through all the major layers of a system early, end to end, and keep it. Like a tracer round that shows where you are aiming, this working skeleton lets you see whether the pieces connect and adjust before building out the full functionality. It...

A system trap where many users share a common resource, each gains individually by using more, and the cost of overuse is spread across everyone, so rational individual behavior depletes the shared resource for all. It explains the collapse of shared resources whenever the fee...

A line in a system where the level of trust changes, so anything crossing it must be validated, authenticated, or authorized rather than assumed safe. Inside a boundary, components trust each other; data and requests arriving from outside are treated as potentially hostile unt...

A shared, rigorous language for a single model of the domain, used identically by developers and domain experts in conversation, documents, and the code itself. The terms, relationships, and rules of the model become the vocabulary the team speaks. If a word is ambiguous or mi...

Clocks on different machines drift and are never perfectly synchronized, so timestamps cannot be trusted to order events across nodes. Time of day clocks can even jump backward when corrected; only a monotonic clock reliably measures elapsed time on a single machine, and neith...

System 1 builds the most coherent story it can from the information at hand and treats it as complete, ignoring what is unknown or missing. The quality of the story, not the quality or quantity of the evidence, drives confidence. WYSIATI explains overconfidence, framing effect...

A product development approach that starts from the desired customer experience and reasons backward to what must be built, rather than starting from existing capabilities and pushing forward. Its signature mechanism is the PR/FAQ: before building anything, write the press rel...