Skip to main content
Generalhashgraph-online

factor-of-safety

Use this skill whenever the design will encounter conditions that can''t be fully predicted at design time — load spikes, edge-case content, real-world variability, hardware variation, third-party flakiness, or any "what if" scenario. Trigger when scoping performance budgets, designing for content extremes, picking infrastructure capacity, designing error-handling, or planning for the long tail of users with unusual setups. Factor of Safety is one of the foundational principles in ''Universal Principles of Design'' (Lidwell, Holden, Butler 2003) — also called "factor of ignorance" because the size of the safety factor is proportional to how much you *don''t* know.

Stars
336
Source
hashgraph-online/awesome-codex-plugins
Updated
2026-05-27
Slug
hashgraph-online--awesome-codex-plugins--factor-of-safety
View on GitHubRaw SKILL.md

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/hashgraph-online/awesome-codex-plugins/HEAD/plugins/HDeibler/universal-design-principles/plugins/process-and-robustness-principles/skills/factor-of-safety/SKILL.md -o .claude/skills/factor-of-safety.md

Drops the SKILL.md into .claude/skills/factor-of-safety.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Factor of Safety

Factor of Safety is the engineering practice of designing systems with capacity exceeding what's strictly required, to absorb unknown variations and prevent failure. A bridge rated for 5,000 lbs is built to hold 25,000 — a safety factor of 5. The "extra" capacity isn't waste; it's insurance against the things you didn't predict: corrosion, fatigue, unusual load combinations, materials that didn't quite meet spec.

For software design, the same logic applies: design with margin in performance, capacity, content handling, error tolerance, and edge cases. The unpredicted always shows up; the question is whether the system absorbs it gracefully or fails loudly.

Definition (in our own words)

A factor of safety is the ratio of a system's actual capacity to the capacity it was designed to handle under normal use. The size of the factor depends on how much you don't know about the conditions the system will face — the more uncertainty, the larger the factor needs to be. The book's alternative name, "factor of ignorance," is illuminating: a well-understood, well-tested system can have a small safety factor; a novel system facing unknown conditions needs a large one.

Origins and research lineage

  • Engineering safety practice going back centuries. The Pyramids of Giza, by some analyses, were over-engineered with safety factors of 20+ — the builders couldn't predict load conditions over millennia, so they built radically conservatively.
  • Henry Petroski, To Engineer Is Human: The Role of Failure in Successful Design (St. Martin's Press, 1985) and Design Paradigms: Case Histories of Error and Judgment in Engineering (Cambridge University Press, 1994). Petroski's central thesis: engineering progresses by understanding past failures, and safety factors are the explicit acknowledgment that the next failure will look like something not yet seen.
  • Lidwell, Holden & Butler (2003) compactly stated the principle and noted the inverse relationship between safety-factor size and design knowledge. The book's central case: the Challenger O-rings, designed for a safety factor of 3 in past launches but well below 3 at low temperatures.
  • Modern reliability engineering (Jens Rasmussen, Charles Perrow's Normal Accidents, James Reason's work on system failure) extends the idea to complex systems where multiple small margins compound into total system safety.
  • Software practice — capacity planning, redundancy, error budgets (Google SRE), graceful degradation — all are factor-of-safety in software vocabulary.

Why factor of safety matters

Every system designed at exactly its expected load will fail when it encounters more. Real systems always encounter more — through use you didn't predict, through growth, through abuse, through the long tail of edge cases. A system without margin fails loudly when conditions change; a system with margin absorbs the change gracefully and continues operating.

The cost of insufficient margin is well-documented:

  • Performance: a system sized for 1,000 users that hits 1,500 users degrades or crashes.
  • Content: a layout sized for 50-character names breaks when a user has a 90-character name.
  • Network: an API designed assuming 99.9% uptime fails when its dependency drops to 98%.
  • Hardware: a UI designed for 1080p screens looks broken on 4K and on small mobile.
  • Cognitive: a tool designed for the typical user fails for the user with motor impairment, low vision, or unfamiliarity.

The cost of too much margin is real too — over-engineering wastes resources, slows development, and can make systems harder to maintain. The discipline is calibrating margin to the actual uncertainty.

When to apply

  • Performance and capacity planning. Systems should run at meaningful headroom over typical load.
  • Content handling. Layouts must survive content that exceeds typical bounds — long names, big numbers, multi-line addresses, no images.
  • Error tolerance. Systems should fail gracefully on unexpected input rather than crashing.
  • Network and dependency reliability. Systems should degrade gracefully when dependencies are slow or down.
  • Hardware variation. UIs should work across device sizes, pixel densities, and input modalities.
  • Accessibility. Designs should accommodate users at the edges of typical capability ranges.
  • Anywhere "we've never seen that before" is plausible.

When NOT to over-apply

  • Premature optimization. Building 100x capacity when current load is 1x ties up resources better spent on other priorities.
  • Speculative redundancy. Multiple redundant systems for failure modes that have never occurred and aren't credible.
  • Defensive code obscuring intent. Wrapping every operation in try/catch with no error-handling strategy. Doesn't help; obscures.

The right margin is enough to handle the credible unknown — not infinite.

How to size the safety factor

The book's insight: the safety factor should track the level of ignorance about the design parameters.

  • Well-understood, well-tested system: safety factor of 1.5–2x typical load.
  • Moderately understood, some unknowns: 2–4x.
  • Novel system, significant unknowns: 4–10x or more.
  • Catastrophic-failure systems with severe consequence: even higher.

Typical safety factors in different engineering domains:

  • Steel structures: 2–3x.
  • Wood structures: 4–6x (more variable material).
  • Aircraft: 1.5x (highly engineered, weight-constrained — but with extensive other safety mechanisms).
  • Software capacity: highly variable, often 2–5x of expected peak load.
  • UI content: typically design for 1.5–2x the typical content length.

Worked examples

Example 1: layout that survives content extremes

A user-card layout designed only for short names breaks for the user named "María-José Esperanza Sánchez de Bermúdez."

/* Without margin */
.user-name {
  width: 200px;
  white-space: nowrap;
  overflow: hidden;
}
/* Long names disappear into ellipsis silently */

/* With margin */
.user-name {
  max-width: 100%;
  overflow-wrap: break-word;
  hyphens: auto;
}
.user-card {
  min-height: 80px;  /* accommodates 1-3 lines */
}

The "with margin" version handles names from 5 to 90 characters; the layout grows gracefully.

Example 2: API capacity planning

An API expected to handle 100 requests/second is designed with capacity for 500 rps. Reasoning:

  • Marketing campaigns, viral growth, or app launches can spike traffic 5–10x.
  • Slow database queries can multiply effective load.
  • One client misbehaving can saturate the API for everyone.

The 5x margin handles common spikes; auto-scaling handles sustained growth beyond.

Example 3: graceful degradation when a dependency fails

async function fetchUserData(userId) {
  try {
    return await api.fetchUser(userId, { timeout: 2000 });
  } catch (error) {
    // Graceful degradation: return cached data if available
    const cached = await cache.get(`user:${userId}`);
    if (cached) {
      logger.warn('Using cached user data due to API failure', { userId, error });
      return { ...cached, _stale: true };
    }
    // Last resort: return minimal data so UI can render something
    return { id: userId, name: 'Unknown', _placeholder: true };
  }
}

Three levels of margin: try the API; fall back to cache; fall back to placeholder. The UI never gets a hard crash from a transient failure.

Example 4: form input that handles edge cases

<input
  type="email"
  name="email"
  maxlength="254"      <!-- RFC 5321 maximum email length -->
  autocomplete="email"
  spellcheck="false"
  inputmode="email"
/>

// Validate beyond max-length
function isValidEmail(value) {
  if (!value || value.length > 254) return false;
  if (!value.includes('@')) return false;
  // ... more validation
  return true;
}

The maxlength="254" is a margin: most emails are < 30 characters, but the RFC allows up to 254. Designing for 254 absorbs the long tail without breaking.

Example 5: error budgets (Google SRE)

Google's Site Reliability Engineering practice formalizes safety factors as "error budgets":

  • Service-level objective (SLO): 99.9% availability.
  • Error budget: 0.1% — about 43 minutes of downtime per month.
  • Engineering teams can spend the budget on risk: faster releases, infrastructure changes, experimental features.

The error budget is an explicit margin against perfection — and explicit guidance about when to slow down (budget consumed) and when to take risks (budget remaining).

Cross-domain examples

Bridges and structures

Civil engineering's canonical safety-factor application. Bridges are designed for loads multiple times what they're rated to carry. Materials, weather, seismic events, and unanticipated use (heavy trucks, large crowds) are absorbed by the margin.

Aircraft

Aircraft use lower safety factors than buildings (1.5x rather than 5x) because weight matters and materials are highly engineered. The trade-off: extensive testing, redundant systems, and rigorous maintenance compensate for the slimmer margin.

Medical devices

Pharmaceutical dosing has built-in safety margins: the lethal dose of a drug is typically 10x or more of the therapeutic dose. The "ignorance" factor here is patient variation, drug interactions, and unusual conditions.

Disaster preparedness

FEMA recommends households maintain 3 days of supplies (food, water, medicine). The 3-day window is a safety factor against typical disaster duration; communities maintain larger margins for less-typical disasters.

The Challenger disaster (the book's case)

The space shuttle Challenger O-rings were designed with a safety factor of 3 — meaning they could handle 3x the expected stress. In past launches, the actual safety factor (under varying temperatures) had eroded toward 1. On the cold morning of January 28, 1986, the O-rings failed at a temperature where the safety factor was estimated below 1. The decision to launch despite engineering objections cost seven lives.

The case illustrates a common pattern: when systems perform reliably over time, confidence rises and pressure to reduce safety factors (cost, schedule) accumulates. Lowering safety factors based on past success ignores that the past success was partly because of the safety factors.

Anti-patterns

  • Optimizing without margin. A system tuned to exactly its current load capacity. Any growth or spike crashes.
  • Removing redundancy as "waste." Until the redundancy was needed, it looked unused. Then a single failure cascades.
  • Designing for the typical case only. Edge cases are encountered routinely; designing only for typical means routinely failing.
  • Confidence eroding safety factors over time. Systems that worked reliably get optimized for cost; the safety factor erodes; an unusual event causes failure.
  • No graceful degradation. Systems that crash hard on dependency failure, instead of degrading to limited functionality.
  • Content limits that match typical content. A name field allowing 30 characters works for most users; the user with a 35-character name has a broken account.

Heuristics

  1. The "what's the worst case?" audit. For each design decision, name the worst plausible case (longest content, highest load, lowest device capability). Does the design handle it?
  2. The "if this dependency fails" check. For each external dependency, ask: how does the system behave if this dependency fails? If the answer is "the user sees a broken page," add margin.
  3. The capacity headroom check. What's the system's actual capacity vs. current peak load? Less than 2x is fragile; 5x+ is comfortable.
  4. The "we've never seen that before" history. Look at past incidents. Each one was probably "unprecedented" before it happened. New unprecedented things will happen.

Related principles

  • weakest-link — safety factors strengthen the chain; finding the weakest link is the first step.
  • scaling-fallacy — what works at small scale needs more margin at large scale.
  • structural-forms — the engineering analog: load-bearing patterns that distribute stress.
  • forgiveness — the user-side complement: designs that absorb user errors, not just system failures.
  • iteration — iterative testing helps identify where margin is needed.
  • uncertainty-principle — measurement itself introduces variability that the safety factor must absorb.

Sub-aspect skills

  • factor-of-safety-content-stress — designing UI to survive content extremes.
  • factor-of-safety-failure-margin — capacity planning, graceful degradation, redundancy.

Closing

Factor of Safety is the engineering discipline that acknowledges what designers and builders try to forget: the unknown will arrive. Designs without margin fail loudly when it does; designs with margin absorb it. The cost of the margin is paid up front; the benefit pays out across the system's lifetime, especially in the moments no one anticipated.