Articles

Failure Detection: Beyond the Ping

March 24, 2026 6 min read

The surprising truth about detecting failures in distributed systems is that the "dead" node is often just slow, and your system has to decide whether to wait or give up.

Let’s watch this in action. Imagine two services, ServiceA and ServiceB, communicating. ServiceA needs to know if ServiceB is alive.

Here’s a simplified scenario:

// ServiceA's state regarding ServiceB
{
  "serviceB_last_heartbeat_received": "2023-10-27T10:30:05Z",
  "serviceB_heartbeat_interval": "5s",
  "serviceB_timeout_threshold": "15s",
  "serviceB_is_alive": true
}

ServiceA expects a heartbeat from ServiceB every 5 seconds. If it doesn’t receive one within 15 seconds (its timeout threshold), ServiceA marks ServiceB as down.

This is the most basic form of timeout-based failure detection. It’s simple, but it has a critical flaw: network latency. What if ServiceB is perfectly healthy but its messages to ServiceA are delayed by 10 seconds due to network congestion? ServiceA might incorrectly declare ServiceB dead.

To combat this, systems employ more sophisticated methods. One common approach is Gossip protocols.

In a gossip system, nodes periodically exchange information about their own health and the health of other nodes they know about. Imagine ServiceA and ServiceB are part of a cluster.

  1. ServiceA sends a "heartbeat" message to a few random nodes in the cluster, including ServiceB.
  2. ServiceB receives this heartbeat and notes ServiceA is alive.
  3. Periodically, ServiceB picks a few random nodes (say, ServiceC and ServiceD) and sends them an "I’m alive" message, which might include a list of nodes it believes are alive and their last known status.
  4. If ServiceA stops sending heartbeats, ServiceB will eventually hear from ServiceC or ServiceD that ServiceA is no longer responding.

This spreads information about failures more robustly. A single node not responding doesn’t immediately cause panic; it takes time for the "bad news" to propagate.

However, even gossip can be fooled by intermittent network issues. This is where Phi Accrual Failure Detectors shine. Phi accrual is a probabilistic approach. Instead of a fixed timeout, it calculates a "suspicion" level (phi, φ) based on the distribution of arrival times for messages from a given node.

Let’s say ServiceA is monitoring ServiceB. It records the time between successful heartbeats from ServiceB.

  • Heartbeat 1 arrived at T=5s
  • Heartbeat 2 arrived at T=10s (inter-arrival time = 5s)
  • Heartbeat 3 arrived at T=15s (inter-arrival time = 5s)
  • Heartbeat 4 arrived at T=22s (inter-arrival time = 7s)
  • Heartbeat 5 arrived at T=29s (inter-arrival time = 7s)
  • Heartbeat 6 arrived at T=35s (inter-arrival time = 6s)

A basic accrual detector might maintain a moving average and standard deviation of these inter-arrival times.

  • Average inter-arrival time: avg
  • Standard deviation of inter-arrival times: stddev

The phi value is calculated as:

φ = |(current_inter_arrival_time - avg)| / stddev

This formula tells us how many standard deviations the latest inter-arrival time is away from the average.

  • If φ is low (e.g., < 2), ServiceB is behaving predictably.
  • If φ is high (e.g., > 5), ServiceB is behaving erratically.

The system sets a φ threshold. If the calculated φ for a node exceeds this threshold, the node is considered potentially failed. The beauty is that this threshold can be dynamically adjusted. A busy network with high variability might require a higher φ threshold to avoid false positives, while a quiet network might use a lower one.

The system in action:

ServiceA is receiving heartbeats from ServiceB. It maintains a history of inter-arrival times. Heartbeats: [5s, 5s, 7s, 7s, 6s] Average (avg): 6s Standard Deviation (stddev): ~0.84s

Now, ServiceB sends a heartbeat, but it arrives after 12s. Current inter-arrival time: 12s φ = |(12s - 6s)| / 0.84s = 6s / 0.84s ≈ 7.14

If ServiceA’s configured φ threshold is, say, 5, then ServiceB would be marked as suspicious. If the next heartbeat is also late, φ will climb, making the suspicion stronger. Conversely, if ServiceB consistently sends heartbeats every 6s, φ will remain low.

This probabilistic approach is far more resilient to transient network issues than fixed timeouts. It adapts to the observed behavior of the node.

The most subtle point is that the choice of φ threshold isn’t arbitrary; it’s a direct trade-off between detection speed and accuracy. A lower threshold means you’ll detect failures faster, but you’ll also be more prone to falsely marking healthy but temporarily slow nodes as dead. A higher threshold makes you less likely to err but means a real failure might go unnoticed for longer. The "correct" threshold depends entirely on the application’s tolerance for stale data versus the cost of acting on bad data.

The next challenge is deciding what to do when a node is suspected or confirmed dead.

Want structured learning?

Take the full Distributed Systems course →