Circuit breaker

Description

A circuit-breaker is a state machine inserted between caller and downstream that monitors failures and trips OPEN when failures exceed a threshold, refusing further calls until a probe (HALF-OPEN) confirms recovery. The diagnostic shape: a downstream dependency starts failing or slowing; without a breaker, every caller waits the full timeout and the failure cascades upstream as latency or queue-saturation; with a breaker, calls fail-fast once the threshold trips, freeing caller resources and letting the system shed load gracefully. The structural lineage is the electrical circuit breaker — the literal namesake. Over-current in an electrical circuit trips the breaker; the breaker is binary (closed-conducting or open-not-conducting); reset is manual or automatic. The software pattern adds HALF-OPEN as an intermediate probe state — a single test call after a cooldown — so the breaker can self-heal without operator intervention. Circuit-breaker is the binary-gate sibling of backpressure (which is continuous-gradient throttle). Both regulate flow under stress; they’re complementary, not interchangeable. Backpressure handles the steady-state “downstream is slow,” circuit-breaker handles the failure-mode “downstream is broken.”

Triggers

  • User-initiated: User describes cascading failure, downstream timeouts causing upstream queues to fill, or wants to add fail-fast behavior. Vocabulary cues: “circuit breaker,” “fail fast,” “trip,” “cascading failure,” “downstream timeout,” “fallback.”
  • Agent-initiated: Engine notices a system with synchronous calls to a downstream that has no fail-fast story — every caller waits the full timeout on failure. Candidate inference: “this needs a circuit breaker — what’s the failure threshold, the cooldown, and the HALF-OPEN probe?”
  • Situation-shape signals: Synchronous dependency on a downstream that can fail; observed cascading failure pattern (downstream slowdown → upstream queue saturation → upstream failure); need to shed load gracefully rather than wait for timeouts.

Exclusions

  • Asynchronous fire-and-forget — no synchronous caller to protect; the breaker has nothing to gate.
  • Single, must-succeed downstream — if there’s no fallback, the breaker just trades waiting-for-timeout for failing-fast; same outcome, different latency. Sometimes still worth it for resource liberation; sometimes not.
  • Downstream failures are transient and short — if the typical failure window is shorter than the breaker’s window, the breaker just adds noise.
  • Idempotency-sensitive operations — careful: a breaker may cause callers to retry against a different replica or region; if the operation isn’t idempotent, the breaker’s failover behavior is a footgun.

Structure

Internal structure of circuit-breaker: a table of its component slots and the concepts that fill them.
  • a feedback loop on downstream health
  • a 3-state machine (CLOSED → OPEN → HALF-OPEN → back)
  • an asymmetric-gate semantics (CLOSED admits, OPEN rejects fast)
The threshold parameters (failure-rate, window size, cooldown duration) are the load-bearing tuning surface; the state machine is the structural primitive.

Relationships

Relationship neighborhood of circuit-breaker: a graph of the concepts it connects to and the concepts it is a part of.
  • backpressure — complementary regulation: backpressure for steady-state throttle, circuit-breaker for failure-mode containment.
  • graceful-degradation — breaker-OPEN is the trigger for fallback to degraded mode.
  • bulkhead — breakers per-dependency are bulkheads; one downstream’s failure doesn’t trip breakers on other downstreams.
  • feedback-loop — the breaker is a feedback loop on downstream health.

Examples

Electrical circuit breakers · engineering-and-technology

the literal namesake; the structural primitive predates the software pattern by a century.

Trading-floor circuit breakers · economics

stock-market trading halts triggered by N% drop; market closes for a cooldown.
built into modern AWS SDKs; transparent to callers.
sickness behavior is an organism-level circuit-breaker on activity; the body refuses calls (you can’t will yourself to be productive with a 103° fever).
The thermal-magnetic circuit breaker — the miniature circuit breaker in any home’s distribution board, standardized by IEC 60898-1 for household overcurrent protection — is the literal namesake of the software pattern, and its mechanism is the structural ancestor worth understanding. It combines two trip elements. A bimetallic strip handles sustained overload: current heats the strip, the two bonded metals expand differently, and after enough sustained excess it bends far enough to trip — a deliberately time-delayed response that tolerates brief, harmless surges (a motor starting) without nuisance-tripping. An electromagnet handles short circuits: a massive instantaneous current spike yanks an armature and trips the breaker within milliseconds. Either way the breaker opens the circuit to stop current flow, and crucially it can be reset once the fault is cleared. Every defining feature of the software circuit-breaker is already here. The breaker monitors a signal (current), and on crossing a threshold it trips open and refuses to conduct, protecting the downstream wiring from the fire or damage that continued flow would cause — exactly as the software pattern stops calling a failing dependency to protect the system from cascading failure. The two-timescale design even prefigures the software distinction between a slow failure-rate threshold and an instant hard-fault trip. And the reset is the key: a circuit breaker is not a fuse. It is not consumed; after the fault passes it can be closed again — the structural seed of the software pattern’s HALF-OPEN probe and return to CLOSED.
Martin Fowler’s 2014 “CircuitBreaker” write-up on martinfowler.com is the modern reference articulation of the software pattern (building on Michael Nygard’s earlier treatment in Release It!). It pins down the three-state machine that the concept turns on. In CLOSED, the breaker lets calls through to a remote service but counts failures; once failures exceed a threshold, it trips. In OPEN, it fails calls immediately without even attempting the request — protecting the struggling dependency from being hammered by retries and giving the caller a fast, predictable failure instead of a pile of timeouts. After a reset timeout it moves to HALF-OPEN, letting a probe request or two through: if they succeed it returns to CLOSED, if they fail it snaps back to OPEN. This is the canonical statement of circuit-breaker: an auto-cut-off that stops calling a failing downstream once a failure threshold is crossed, then probes before resuming. Fowler’s framing makes explicit why the OPEN state is the whole point — the failure mode it prevents is the cascading collapse where a slow or dead dependency causes every caller to pile up blocked threads, exhaust resources, and drag down healthy services with it. Tripping open converts a slow, resource-consuming failure into a fast, contained one, and the HALF-OPEN probe is what lets the system recover automatically rather than requiring a human to flip it back. The structure is a direct lift from the electrical breaker, with HALF-OPEN as the engineered analog of cautiously resetting a tripped switch to see if the fault has cleared.
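The three-state machine that the Description and Fowler’s write-up describe, as an added example that is not code from the original page, from Fowler’s article, or from any named library: a minimal Python breaker with a consecutive-failure threshold, a cooldown, and a single HALF-OPEN probe, driven through a constructed downstream by an injected fake clock so the run is deterministic. The class and function names, the defaults (3 failures, 5 s cooldown), and the scripted scenario are all assumptions made for illustration.

```python
import time

class CircuitOpenError(Exception):
    """Raised when the breaker rejects a call without contacting the downstream."""

class CircuitBreaker:
    """CLOSED -> OPEN after `failure_threshold` consecutive failures; OPEN -> HALF_OPEN
    once `cooldown` seconds pass; a HALF_OPEN probe closes the breaker or re-opens it."""
    def __init__(self, failure_threshold=3, cooldown=5.0, clock=time.monotonic):
        self.failure_threshold, self.cooldown, self.clock = failure_threshold, cooldown, clock
        self.state, self.failures, self.opened_at = "CLOSED", 0, 0.0

    def call(self, fn, *args, **kwargs):
        if self.state == "OPEN" and self.clock() - self.opened_at >= self.cooldown:
            self.state = "HALF_OPEN"  # cooldown elapsed: admit exactly one probe call
        if self.state == "OPEN":
            raise CircuitOpenError("breaker OPEN: failing fast")  # downstream untouched
        try:
            result = fn(*args, **kwargs)
        except Exception:
            self.failures += 1  # a failed HALF_OPEN probe snaps straight back to OPEN
            if self.state == "HALF_OPEN" or self.failures >= self.failure_threshold:
                self.state, self.failures, self.opened_at = "OPEN", 0, self.clock()
            raise
        self.state, self.failures = "CLOSED", 0  # success: (re)close, reset the counter
        return result

def simulate(script, failure_threshold=3, cooldown=5.0):
    """Drive a breaker through a scripted, constructed downstream: each step is (seconds since
    previous step, downstream_healthy). Returns per-step outcomes and real downstream call count."""
    now = [0.0]  # fake clock so the run is deterministic
    breaker = CircuitBreaker(failure_threshold, cooldown, clock=lambda: now[0])
    def downstream(healthy):  # stand-in for the real dependency
        if healthy:
            return "ok"
        raise ConnectionError("constructed downstream failure")

    trace = []
    for dt, healthy in script:
        now[0] += dt
        try:
            trace.append(breaker.call(downstream, healthy))
        except CircuitOpenError:
            trace.append("rejected")
        except ConnectionError:
            trace.append("downstream-fail")
    return trace, len(trace) - trace.count("rejected")

# Constructed scenario: downstream dead from t=0 through t=8, healthy again from t=12.
SCRIPT = [(0, False), (1, False), (1, False), (1, False), (1, False), (3, False), (1, False), (4, True), (1, True)]
```

Running `simulate(SCRIPT)` gives three real failures that trip the breaker at t=2, two fast rejections, a failed probe at t=7 that re-opens it, one more rejection, then a successful probe at t=12 that closes it; the downstream is contacted 6 times instead of 9, which is the resource liberation the pattern buys.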
Hystrix is the Java library Netflix open-sourced in 2012 to give their service mesh a uniform way to apply the circuit-breaker pattern. Each protected downstream call is wrapped in a command that tracks recent error rates; if errors exceed a threshold, the breaker trips and subsequent calls fail-fast (returning a fallback or an error) without touching the downstream service. After a cooldown, a probe request tests whether the downstream has recovered; success closes the breaker again. Hystrix is the canonical software instantiation of the structural shape: an upstream component watches a downstream’s health signal and, on threshold-cross, severs the connection rather than continuing to send doomed requests. The behavior is the same one the namesake electrical device exhibits — over-current trips the breaker, isolating the fault to protect the rest of the circuit — translated into a distributed-systems substrate. Hystrix’s public adoption (Spring Cloud’s integration, the later Resilience4j re-implementation, Istio’s mesh-level breakers) is what carried the pattern from a Netflix-internal practice into industry-standard vocabulary.
mature engineering instantiation lineage; the circuit-breaker has moved from pattern-essay to standard middleware over the last 15 years
a person’s emotional circuit-breaker tripping during overwhelm; refusal to continue engagement is the OPEN state.
canonical microservices engineering instances.
over-temperature trips a hard shutdown; manual reset required (no automatic HALF-OPEN by design).
canonical resilience-engineering primitive; cross-domain instances span electrical circuit breakers (the literal namesake — over-current trips, manual reset), nuclear-reactor SCRAM rods, security tripwires, organizational shutdowns under stress (mental-health “I’m done, walking away”), biological homeostatic shut-offs (fever-induced behavior change)
N failed login attempts trips the account-lock breaker; reset via separate channel.