Try reloading the player or open this episode directly on YouTube.
In this episode, Francois Richard from Meta discusses the evolving landscape of reliability at scale, particularly with AI's impact on production risks. He emphasizes the importance of recovery practices alongside prevention, and how SLOs should reflect a commitment to users.
Now Playing
Ship It Conversations: Meta’s Francois Richard on AI Incident Response, SLOs, and Reliability at Scale
Ship It Weekly
0:0042:56
Chapters
Jump to a section in this episode.
Speed & share
Transcript
AI is making it easier than ever to create more
software, more code, more diffs, more experiments,
more changes moving through systems that were
already complicated before everybody got a robot
assistant in the editor. And that sounds great
until you are the team responsible for production
because production does not really care that
the code was generated faster. It still cares
about latency. It still cares about overload.
It still cares about dependencies, rollbacks,
traffic routing, region failures, weird edge
cases, and whether the people on call actually
know what to do when the system starts acting
strange. That is the part of the AI conversation
that feels under-discussed to me. Not just can
AI write code, it can. Not just can AI help debug,
sometimes yes. The better question is what happens
to reliability when the volume of change goes
up, the amount of generated code goes up and the
context behind that code gets thinner. Because
incidents are not just caused by bad code. They
are caused by systems behaving in ways people
did not expect, under conditions they did not
practice, with dependencies they forgot were
part of the critical path. That is really what
this conversation is about. Not just SLOs, not
just incident reviews, not just AI agents. More
like, what does reliability actually look like
when change is accelerating? Systems are more
connected, and recovery matters just as much
as prevention. I'm Brian Teller from Teller's
Tech, and this is Ship It Weekly.
Welcome back to Ship It Weekly, where I filter the noise and
focus on what actually matters when you are the
one running infrastructure and owning reliability.
Most weeks, it's a quick news recap. In between
those, I do conversation episodes with people
who are building platforms, running infrastructure,
organizing events, and thinking through where
this industry is actually headed. Today is one
of those conversations. I'm joined by Francois
Richard, an engineering director at Meta. We're
talking about reliability at scale, how AI and
automation are changing production risk, what
teams actually learn from incidents, and why
recovery practice matters just as much as prevention.
And I like this conversation because it gets
past the neat, clean version of reliability that
fits nicely in a dashboard. Reliability is not
just a number. SLOs matter, dashboards matter,
alerts matter, guardrails matter. But none of
that means much if the team cannot use it to
make better decisions, recover from real failures,
and improve the system after something breaks.
You start with the obvious goal. Keep the system
up. Keep the users happy. Avoid incidents. Do
not page people for nonsense. Do not let every
deployment feel like a coin flip. Then reality
shows up. A region has problems. A dependency
gets slow. A service gets overloaded and cannot
restart because it is too overloaded to recover
cleanly. Traffic spikes during a major event.
A change rolls out faster than the team understands
it. Or an AI-generated pile of code technically
works until it fails in a way nobody has enough
context to explain quickly. And somewhere in
the middle of that, reliability stops being just
prevention and starts becoming practice. In this
conversation, Francois and I talk about how Meta
thinks about reliability across both reactive
and proactive sides. Incident response, incident
reviews, SLOs, guardrails, validation, disaster
recovery testing and what happens when you actually
practice taking a region out instead of just
assuming the failover plan works because the
diagram looks good. We also get into what teams
learn during incidentsss, not just from the post
postmortem afterward but inside the pressure cooker
itself where engineers have to make decisions
quickly build consensus fast understand the system
under stress and figure out what is actually
happening while the clock is running there is
also a good thread in here around AI agents in
incident response not the fantasy version where
you hand production to an agent and hope it saves
the day more the practical version where AI helps
with investigation telemetry metrics logs relationships
across services and narrowing down what might
be happening faster than a human clicking around
dashboards alone and towards the end we talk
about recovery practice known failures versus
unknown failures why teams should test the failure
modes they claim they can survive how smaller
teams can learn from Meta-scale reliability patterns
For this Conversations episode, the part that stuck with me is that reliability is not really about whether something fails.
It is about what happens next.
That sounds obvious, but I think a lot of teams still treat reliability like it is mostly a prevention problem. Better deploy checks. Better alerts. Better dashboards. Better SLOs. Better review processes. Better guardrails. All of that matters, obviously.
But production still gets a vote.
A region has issues. A dependency slows down. A rollout behaves differently under real traffic. A service gets overloaded and then cannot restart cleanly because it is already too far gone. The system does something nobody expected because the conditions were never actually tested.
That is where reliability stops being a dashboard and starts becoming a practice.
That was the biggest thread for me in this conversation with Francois Richard from Meta. He framed reliability as both reactive and proactive work, which is probably the right split. You need the incident response muscle. You need people who can stay calm in the pressure cooker, make decisions quickly, build consensus, understand the system under stress, and recover.
But you also need the proactive side. Guardrails, validation, disaster recovery testing, and the uncomfortable work of actually exercising failure modes before they show up on their own.
That is the part most teams agree with in theory and avoid in practice.
Everyone likes the idea of multi-region. Fewer teams like the idea of turning off the primary region on a Tuesday and seeing what actually breaks.
Everyone likes the idea of graceful recovery. Fewer teams have tested whether the overloaded service can restart while it is overloaded.
Everyone likes the idea of runbooks. Fewer teams know whether the runbook still works when the person following it is tired, under pressure, and trying to make sense of five dashboards while Slack is melting.
That is why I liked the way Francois talked about practice. Not just tabletop exercises. Not just theoretical architecture reviews. Real validation. Real failure injection. Real regional testing. Real traffic and overload scenarios, at safe enough scale that you can learn before it becomes a customer-visible disaster.
For most of us, the lesson is not “copy what Meta does.”
That would be silly. Most teams are not dealing with World Cup traffic spikes, global-scale social products, or the same infrastructure footprint.
But the pattern transfers really well.
Take the failure modes you claim you can survive and test them. Take the incident patterns that keep showing up and bucket them. Take the systems that are critical and ask whether the recovery plan is something you have actually practiced, or just something you hope will work because it looks reasonable in a diagram.
The SLO discussion was also useful because it puts reliability in business terms without turning it into corporate fluff.
An SLO is not just a graph. It is a promise.
That is a much better way to think about it. What are we promising users? What are we promising internal customers? What are we promising product teams? And does the reliability investment match that promise?
This is where teams can get weird in both directions.
Sometimes teams underinvest in reliability because the system “mostly works,” until one day it becomes critical and the reliability model never caught up.
Other times, teams overinvest too early and try to make a young experimental system behave like a mature core production path. That can add cost, slow down learning, and introduce complexity before the product even proves it deserves that level of investment.
Six nines sounds great until you ask what it costs, how much complexity it adds, and whether the business actually needs that promise right now.
That does not mean users do not care about reliability. They absolutely do. Francois called that out too. If systems have too many problems in a row, engagement suffers. People notice. Trust erodes.
But the answer is not “make everything maximally reliable.” The better answer is to match the reliability target to the lifecycle, importance, and risk of the system.
A new experiment does not need the same reliability posture as login, feed, payments, messaging, or whatever your real critical path is.
That is a healthier conversation for SRE and platform teams to have with product and engineering leadership. Not “I need six nines for everything.” More like, “Here is the promise this system is making. Here is the cost of that promise. Here is the risk if we miss it. Is that the tradeoff we want?”
The AI part of this conversation is where things get more interesting.
Francois talked about AI helping with investigation. That makes sense. Incidents often involve too much data, too many dashboards, too many layers, and too many relationships between services. If AI can help gather telemetry, summarize patterns, generate queries, and point humans toward likely relationships faster, that is useful.
That is not the same thing as handing production to an agent and letting it freestyle the mitigation.
The useful version is more grounded. AI helps humans move faster during investigation. Humans still validate. Humans still decide. Humans still handle the judgment calls, especially when the system is important and the mitigation could make things worse.
But AI is also creating more change.
More diffs. More lines of code. More generated boilerplate. More changes moving through systems faster than before.
That creates a reliability gap that I think a lot of teams are going to feel.
The code can move faster than the understanding.
A product engineer may understand the user behavior and the business logic, but not every generated async callback, framework detail, or edge case buried in the generated implementation. Then when it breaks, the reliability or platform team has to reconstruct what happened under pressure.
What changed?
Why did it change?
What assumption did the generated code make?
What dependency is involved?
Is this a known pattern or something new?
Can we roll back?
Can we move traffic?
Can we isolate the failure?
That is not an anti-AI argument. It is just the operational reality.
If AI speeds up software delivery, the defensive side has to speed up too.
Observability has to improve. Debugging has to improve. Incident investigation has to improve. Recovery practice has to improve. The ability to understand generated code and generated changes has to improve.
Otherwise, teams are going to get more output without enough context, and that cost shows up during incidents.
That is why this episode pairs well with the At Scale Systems & Reliability conversation too. A lot of AI discussion is still stuck at the model layer or the code generation layer. But the infrastructure underneath matters. The systems that train, serve, move data, recover, and keep large AI workloads reliable matter. And the systems that use AI to improve reliability matter too.
That is the conversation I think SRE, DevOps, platform, and infrastructure teams need more of.
Not just “AI can write code.”
Not just “AI can summarize incidents.”
More like, what does the whole production system look like when AI increases the rate of change?
How do we preserve human understanding?
How do we validate what AI suggests?
How do we practice recovery?
How do we make sure the systems behind AI are reliable enough for the expectations being placed on them?
And how do we avoid pretending that a faster delivery loop automatically means a safer one?
The answer probably looks boring in the best way.
Write down the incidents. Review them honestly. Look for patterns. Practice the failures. Test the failover. Validate your assumptions. Make SLOs useful. Match reliability investment to product maturity. Use AI where it helps, but do not confuse investigation assistance with operational judgment.
That is not flashy, but it is the work.
And if there is one practical takeaway from this conversation, it is probably this: do not wait for production to be the first place your recovery plan gets tested.
Production will test it eventually.
The only real question is whether your team has already practiced.
📝 Notes
Show Notes
This is a guest conversation episode of Ship It Weekly, separate from the weekly news recaps.
In this Ship It: Conversations episode, I talk with Francois Richard, Engineering Director at Meta, about reliability at scale, how AI is changing production risk, what teams actually learn from incidents, and why recovery practice matters just as much as prevention.
We talk about the proactive and reactive sides of reliability, why SLOs should represent a promise to users instead of just another dashboard number, how incident reviews should drive real system improvements, and how teams can practice recovery before production forces the lesson on them.
The bigger theme here is that reliability is not just about avoiding failure. It is about knowing what happens when prevention fails. That means practicing regional failure, understanding overload behavior, improving incident response, using AI carefully during investigation, and making reliability targets match the actual lifecycle and importance of the system.
Highlights
• Why reliability work starts with both prevention and recovery
• The difference between reactive incident response and proactive reliability engineering
• How Meta thinks about disaster recovery testing and regional failure practice
• Why an SLO should be treated like a promise to users, not just a dashboard metric
• How SLO trends help teams decide when to invest more in reliability or take more product risk
• What engineers actually learn during the “pressure cooker” of an incident
• Why incident reviews should produce follow-up work, not just a nicer explanation of what broke
• The difference between finding the cause of an incident and improving the system
• Where AI agents can help with incident investigation, telemetry, metrics, and query building
• Why AI-generated code can increase change volume while reducing human context
• How faster code generation changes the kinds of reliability problems teams should expect
• Why recovery practice matters, especially for region loss, traffic spikes, overload, and restart behavior
• What smaller DevOps and SRE teams can learn from Meta-scale reliability patterns
• Why not every system needs six nines, especially early in a product lifecycle
• How to think about reliability investment based on user promise, product maturity, and operational risk
• Why At Scale Systems & Reliability is focused on the infrastructure behind AI and the use of AI to operate large-scale systems
For this Conversations episode, the part that stuck with me is that reliability is not really about whether something fails.
It is about what happens next.
That sounds obvious, but I think a lot of teams still treat reliability like it is mostly a prevention problem. Better deploy checks. Better alerts. Better dashboards. Better SLOs. Better review processes. Better guardrails. All of that matters, obviously.
But production still gets a vote.
A region has issues. A dependency slows down. A rollout behaves differently under real traffic. A service gets overloaded and then cannot restart cleanly because it is already too far gone. The system does something nobody expected because the conditions were never actually tested.
That is where reliability stops being a dashboard and starts becoming a practice.
That was the biggest thread for me in this conversation with Francois Richard from Meta. He framed reliability as both reactive and proactive work, which is probably the right split. You need the incident response muscle. You need people who can stay calm in the pressure cooker, make decisions quickly, build consensus, understand the system under stress, and recover.
But you also need the proactive side. Guardrails, validation, disaster recovery testing, and the uncomfortable work of actually exercising failure modes before they show up on their own.
That is the part most teams agree with in theory and avoid in practice.
Everyone likes the idea of multi-region. Fewer teams like the idea of turning off the primary region on a Tuesday and seeing what actually breaks.
Everyone likes the idea of graceful recovery. Fewer teams have tested whether the overloaded service can restart while it is overloaded.
Everyone likes the idea of runbooks. Fewer teams know whether the runbook still works when the person following it is tired, under pressure, and trying to make sense of five dashboards while Slack is melting.
That is why I liked the way Francois talked about practice. Not just tabletop exercises. Not just theoretical architecture reviews. Real validation. Real failure injection. Real regional testing. Real traffic and overload scenarios, at safe enough scale that you can learn before it becomes a customer-visible disaster.
For most of us, the lesson is not “copy what Meta does.”
That would be silly. Most teams are not dealing with World Cup traffic spikes, global-scale social products, or the same infrastructure footprint.
But the pattern transfers really well.
Take the failure modes you claim you can survive and test them. Take the incident patterns that keep showing up and bucket them. Take the systems that are critical and ask whether the recovery plan is something you have actually practiced, or just something you hope will work because it looks reasonable in a diagram.
The SLO discussion was also useful because it puts reliability in business terms without turning it into corporate fluff.
An SLO is not just a graph. It is a promise.
That is a much better way to think about it. What are we promising users? What are we promising internal customers? What are we promising product teams? And does the reliability investment match that promise?
This is where teams can get weird in both directions.
Sometimes teams underinvest in reliability because the system “mostly works,” until one day it becomes critical and the reliability model never caught up.
Other times, teams overinvest too early and try to make a young experimental system behave like a mature core production path. That can add cost, slow down learning, and introduce complexity before the product even proves it deserves that level of investment.
Six nines sounds great until you ask what it costs, how much complexity it adds, and whether the business actually needs that promise right now.
That does not mean users do not care about reliability. They absolutely do. Francois called that out too. If systems have too many problems in a row, engagement suffers. People notice. Trust erodes.
But the answer is not “make everything maximally reliable.” The better answer is to match the reliability target to the lifecycle, importance, and risk of the system.
A new experiment does not need the same reliability posture as login, feed, payments, messaging, or whatever your real critical path is.
That is a healthier conversation for SRE and platform teams to have with product and engineering leadership. Not “I need six nines for everything.” More like, “Here is the promise this system is making. Here is the cost of that promise. Here is the risk if we miss it. Is that the tradeoff we want?”
The AI part of this conversation is where things get more interesting.
Francois talked about AI helping with investigation. That makes sense. Incidents often involve too much data, too many dashboards, too many layers, and too many relationships between services. If AI can help gather telemetry, summarize patterns, generate queries, and point humans toward likely relationships faster, that is useful.
That is not the same thing as handing production to an agent and letting it freestyle the mitigation.
The useful version is more grounded. AI helps humans move faster during investigation. Humans still validate. Humans still decide. Humans still handle the judgment calls, especially when the system is important and the mitigation could make things worse.
But AI is also creating more change.
More diffs. More lines of code. More generated boilerplate. More changes moving through systems faster than before.
That creates a reliability gap that I think a lot of teams are going to feel.
The code can move faster than the understanding.
A product engineer may understand the user behavior and the business logic, but not every generated async callback, framework detail, or edge case buried in the generated implementation. Then when it breaks, the reliability or platform team has to reconstruct what happened under pressure.
What changed?
Why did it change?
What assumption did the generated code make?
What dependency is involved?
Is this a known pattern or something new?
Can we roll back?
Can we move traffic?
Can we isolate the failure?
That is not an anti-AI argument. It is just the operational reality.
If AI speeds up software delivery, the defensive side has to speed up too.
Observability has to improve. Debugging has to improve. Incident investigation has to improve. Recovery practice has to improve. The ability to understand generated code and generated changes has to improve.
Otherwise, teams are going to get more output without enough context, and that cost shows up during incidents.
That is why this episode pairs well with the At Scale Systems & Reliability conversation too. A lot of AI discussion is still stuck at the model layer or the code generation layer. But the infrastructure underneath matters. The systems that train, serve, move data, recover, and keep large AI workloads reliable matter. And the systems that use AI to improve reliability matter too.
That is the conversation I think SRE, DevOps, platform, and infrastructure teams need more of.
Not just “AI can write code.”
Not just “AI can summarize incidents.”
More like, what does the whole production system look like when AI increases the rate of change?
How do we preserve human understanding?
How do we validate what AI suggests?
How do we practice recovery?
How do we make sure the systems behind AI are reliable enough for the expectations being placed on them?
And how do we avoid pretending that a faster delivery loop automatically means a safer one?
The answer probably looks boring in the best way.
Write down the incidents. Review them honestly. Look for patterns. Practice the failures. Test the failover. Validate your assumptions. Make SLOs useful. Match reliability investment to product maturity. Use AI where it helps, but do not confuse investigation assistance with operational judgment.
That is not flashy, but it is the work.
And if there is one practical takeaway from this conversation, it is probably this: do not wait for production to be the first place your recovery plan gets tested.
Production will test it eventually.
The only real question is whether your team has already practiced.