The Complete Mental Map

Introduction

The history of engineering failures is not a history of technical ignorance. The engineers who built the systems that failed understood their domains. They knew the algorithms, the data structures, the infrastructure. What they lacked was a way to see the whole — to hold the architecture, the failure modes, the tradeoffs, and the organisational forces in one coherent view at the same time. Expertise without synthesis produces local optimisation. A codebase filled with locally optimal decisions can still be globally broken.

The nine frameworks in this series are not nine separate tools. They form a single reasoning system that operates at different levels of abstraction. A mental map is valuable not because it stores more information, but because it reveals the connections between information that already exists. The frameworks become genuinely useful the moment you stop consulting them separately and start using them as a unified lens.

This chapter assembles the complete map. The goal is not to review what was covered — the reader already knows the frameworks. The goal is to see how they interlock, where each hands off to the next, and how to move through all nine quickly when a real system demands it.

The Decision

Every technical leader eventually faces a situation where time is short and the system is unclear. An outage under investigation. A proposed architecture being reviewed. A board asking for a risk assessment. The question is always the same: where do you start, and how do you move through a system fast enough to be useful?

The decision here is not about a particular technology or team. It is about method. The complete mental map is the answer to “how do I think about any system, in any context, under any time pressure?”

What the Frameworks Say

F1 (Mental Models) is the entry point. Every analysis begins by asking what kind of thing this is. Not the specifics yet — the category. A distributed system has different natural failure modes than a monolith. A batch pipeline behaves differently than a request-response service. F1 primes the rest of the analysis by narrowing which patterns are relevant.

F2 (Engineering Principles) runs in parallel with F1. Once the mental model is active, constraints become visible. What cannot change? What is the system obligated to guarantee? What is the operating environment that the architecture cannot escape? Constraints are not limitations on what you can build — they are the load-bearing walls. Identifying them early prevents the mistake of designing a solution that requires moving them.

F3 (Failure Modes) is where the system becomes honest. Every architecture is a bet that certain things will not fail together. F3 surfaces the failure modes that the design creates exposure to. This is not pessimism — it is structural honesty. A system that has been analysed through F3 has named its risks. A system that has not has hidden risks that feel safe until they are not.

F4 (Tradeoffs) names what F3 reveals. Every decision that creates a failure mode also creates a tradeoff. The architectural decisions that produce FM1 (SPOF) exposure are also the decisions that chose AT5 (Centralization) over distribution. F4 makes explicit what every architecture has already decided implicitly.

F5 (Review Questions) provides the structured process for interrogating a specific system. The seven questions are a protocol, not a checklist — they produce useful output only when answered in order, because each answer changes the space of the next question.

F6 (Archetypes) is the pattern library. Having identified what the system is (F1), what it cannot change (F2), what can go wrong (F3), and what decisions shaped it (F4), F6 says which category of system this most resembles. The archetype carries inherited implications — known failure modes, natural tradeoff surfaces, structural patterns that either fit or have been deliberately violated.

F7 (Architecture Diagrams) translates the analysis into something actionable for different audiences. The technical findings from F3 and F4 mean different things to an engineer, a product manager, and a CFO. F7 is not softening the message — it is selecting the abstraction level that makes the decision actionable for the person receiving it.

F8 (Infrastructure Components) is what makes F7 possible at scale. Shared vocabulary eliminates the coordination cost of every team needing to rediscover the same concepts. When engineers across an organisation use AT5 to mean the same thing, the conversation about centralisation vs distribution moves faster and stays precise.

F9 (Empirical Grounding) anchors the analysis in observed laws rather than opinion. Conway’s Law, Goodhart’s Law, Amdahl’s Law — these are not recommendations. They are regularities that hold regardless of intent. When an analysis contradicts one of these laws, the analysis is wrong.

The Forces at Play

The frameworks are in tension with time. Under pressure, there is a strong pull toward F3 alone — find what is broken, fix it, move on. The complete map takes longer to traverse. The force that makes the map valuable is precisely the force that works against using it: cognitive load under time pressure. A technical leader who has internalised the map uses it automatically, without the overhead of deliberate recall.

The twelve threads connect the frameworks across the series — T1 through T12 are the recurring concepts that appear in different forms at different abstraction levels. T12 (Tradeoffs) is the connective tissue of the entire map. Every framework is ultimately a different surface on the same underlying question: what did this system choose, at what cost, under what constraints?

The Options and Tradeoffs

There are two modes for using the complete map. The first is structured analysis — working through F1 to F9 in order, producing written outputs, taking the time each framework deserves. This is appropriate for architecture reviews, quarterly roadmap assessments, post-mortems where learning is the goal. The AT6 (Generality vs Specialisation) tradeoff applies here: structured analysis is thorough but slow.

The second mode is rapid triage — moving through the map in minutes rather than hours, using each framework to bound the problem space rather than fully characterise it. F1 identifies category, F2 names the hard constraints, F3 flags the most exposed failure modes, F6 confirms or challenges the archetype. This is appropriate for incident triage, ad hoc architecture conversations, and the first pass on an unfamiliar system.

The mistake is using rapid triage mode for decisions that require structured analysis, and using structured analysis when speed is the actual constraint.

What Great CTOs Do

Great technical leaders have internalised the map to the point where the frameworks are not consulted but active. They enter an architecture conversation and automatically ask: what archetype is this? what constraints are load-bearing? what failure modes is this design exposed to? These questions happen in the background while the surface conversation is still going.

They also make the map legible to the people around them. When they share an analysis, it is not a stream of conclusions — it is a trace through the reasoning, using vocabulary the team recognises. The output is not just a finding. It is a model the team can update when conditions change.

They know which frameworks to skip under time pressure and which cannot be abbreviated. F2 (Engineering Principles) cannot be skipped — designing without knowing what cannot change produces solutions that require the impossible. F3 (Failure Modes) cannot be skipped — shipping without naming failure exposure is not a time saving, it is a time-shifted problem.

What Goes Wrong

The most common failure is framework fragmentation — using one or two frameworks and ignoring the rest. A leader who lives in F3 finds failure modes everywhere but never makes decisions, because decisions require F4. A leader who lives in F4 names tradeoffs fluently but misses the systemic failures that F3 would have surfaced.

FM11 (Observability Blindness) at the organisational level looks like this: the team has rich opinions about the system but no structured way to verify them. F5 exists to address this — the seven review questions are a structured probe that reveals what the team believes versus what the system actually does.

The second failure is using the map as performance rather than reasoning. The vocabulary of F8, without the substance of F1 through F7 behind it, is jargon. A technical leader who names AT5 without analysing what the centralisation actually constrains has borrowed the language without doing the work.

The Framework Traversal

Architecture diagram

The nine frameworks form a directed traversal, not a menu. Each framework narrows the space for the next: F1 determines which mental models are relevant, F2 identifies the constraints those models cannot escape, and F3 names the failure modes those constraints create exposure to. Skipping a framework does not save time — it defers the cost to the point where the skipped analysis would have changed the outcome, which is almost always during an incident at 2am.

Applying the Map: A Worked Example

To see the nine frameworks operate as a unified system rather than nine separate checklists, consider one concrete problem: designing a notification delivery service. The service accepts notification requests (email, SMS, push) from other services and delivers them reliably, with rate limiting, retry logic, and delivery tracking.

F1 — Mental Models: What kind of thing is this?

Two models dominate. First, Flow — notifications move through the system from request to delivery, and the service must handle backpressure when downstream providers (email gateways, SMS APIs) are slow. Second, Feedback — delivery receipts and bounce notifications feed back into the system, affecting retry logic and sender reputation. The flow model tells us to think about throughput and queue depth. The feedback model tells us to think about closed loops and adaptation.

F2 — Engineering Principles: What cannot change?

Idempotency is non-negotiable. A retry must not produce a duplicate notification — users who receive the same SMS three times will disable notifications entirely. Fault tolerance is load-bearing: the service must continue accepting requests even when one delivery provider is down. These are not aspirational properties. They are constraints that the architecture must guarantee structurally, not hope for operationally.

F3 — Failure Modes: What can go wrong?

FM2 (Cascading Failure) is the primary exposure. If the email provider slows down, the queue grows, memory pressure increases, and the service stops processing SMS and push notifications too — a failure in one channel cascades to all channels. FM7 (Thundering Herd) appears after an outage recovery: if the email provider comes back after a 30-minute outage and the service immediately flushes 500,000 queued emails, the provider rate-limits the service and the outage effectively continues. FM9 (Silent Data Corruption) lurks in delivery tracking — a notification marked “delivered” because the provider accepted it, but never actually reaching the user.

F4 — Tradeoffs: What are we choosing?

AT1 (Consistency vs Availability) — we choose availability. The service accepts notification requests even if it cannot confirm delivery status immediately. Delivery tracking is eventually consistent. AT2 (Latency vs Throughput) — we choose throughput. Individual notification latency is not critical (a 5-second delay is acceptable); what matters is sustained delivery rate under load. These tradeoffs are explicit. If someone later asks “why don’t we guarantee delivery within 1 second?” the answer is documented: we traded latency for throughput, and the reversal condition is stated.

F5 — The 7 Review Questions (abbreviated):

  1. What is the SLO? 99.9% of notifications delivered within 5 minutes; 99.99% within 1 hour.
  2. What is the blast radius of a single component failure? One channel (email/SMS/push) — never all three.
  3. Where is the single point of failure? The request ingestion endpoint. Mitigated by running multiple instances behind a load balancer.
  4. What is the recovery procedure? Queue drains automatically on provider recovery; rate-limited flush prevents thundering herd.
  5. What data can be lost? Delivery status may lag by up to 60 seconds. No notification requests are lost (persistent queue).
  6. What is the scaling bottleneck? Queue consumer throughput per channel.
  7. What monitoring tells you the system is degrading before it fails? Queue depth per channel, delivery latency P99, provider error rate.

F6 — Archetypes: Which pattern is this?

A2 (Communication) — the service exists to move messages between producers and external delivery endpoints. The A2 archetype carries inherited expectations: message ordering may not be guaranteed, at-least-once delivery is the natural default, and the system must handle poison messages (malformed notifications that fail repeatedly). Recognising the archetype means inheriting its known failure surface rather than rediscovering it.

F7 — Architecture Diagrams: What would you draw?

D1 (Request Flow) — trace a notification from API request through the queue, to the channel-specific consumer, to the external provider, and back via delivery receipt. Annotate latency at each hop. This diagram surfaces the FM2 cascading risk: the sequential chain from queue to provider is where slowdowns propagate.

D3 (Event-Driven / Async) — show the fan-out from request ingestion to three channel-specific queues, each with its own consumer group, retry policy, and dead-letter queue. This diagram surfaces the channel isolation question: are the queues truly independent, or do they share infrastructure that could create cross-channel coupling?

F8 — Infrastructure Components: What are the building blocks?

IC13 (Message Queue) — the core of the system. Kafka or SQS for durable, partitioned queuing with per-channel topics. IC8 (Background Worker) — channel-specific consumers that pull from the queue and call external providers. IC6 (Rate Limiter) — per-provider rate limiting to prevent thundering herd on recovery and to respect provider API limits. These are not implementation choices yet — they are the vocabulary for describing what the system needs before selecting specific technologies.

F9 — Empirical Laws: What constraints hold regardless of intent?

L4 (Little’s Law) governs queue sizing. If the average delivery rate is 1,000 notifications per second and the average time in the system is 3 seconds, the steady-state queue depth is 3,000. If provider latency doubles to 6 seconds, queue depth doubles to 6,000 — this is not a design choice, it is arithmetic. L1 (Amdahl’s Law) constrains scaling: if 20% of the delivery pipeline is serialised (e.g., deduplication lookup), then no amount of parallelism in the remaining 80% can yield more than a 5x throughput improvement.

What the unified traversal reveals:

No single framework produced the complete picture. F3 identified the cascading failure risk, but F4 named the tradeoff that created it (availability over consistency). F6 identified the archetype, but F5 asked the specific questions that exposed the blast radius. F9 provided the arithmetic that turns “the queue might grow” into “the queue will reach 6,000 at 2x latency.” The value of the map is not any individual framework. It is the path through all nine.

Concept: The Complete Mental Map

Thread: T12 (Tradeoffs) ← naming costs implicitly → making costs explicit across all frameworks

Core Idea: The nine frameworks form a single reasoning system; using them as isolated tools produces local analysis, not system understanding.

Tradeoff: AT6 — structured completeness vs rapid triage speed

Failure Mode: FM11 — organisational observability blindness; rich opinions without structured verification

Signal: When the same system produces conflicting analyses from different engineers — traverse all nine frameworks in order; the disagreement lives at the framework boundary being skipped

Maps to: Book 0, Frameworks 1–9

Reflection Questions

These questions are most useful when answered in writing before a team discussion, or when used as a retrospective prompt after a decision has been made.

  1. Which frameworks do you reach for first under pressure? What does this reveal about your default mode of analysis?
  2. Think of the last architecture decision your team made. Which frameworks did you apply explicitly? Which were skipped?
  3. When a new engineer joins your team, which frameworks do they absorb from the culture and which are never transmitted? What is the cost of each gap?
  4. Where in your organisation does framework fragmentation create the most coordination overhead?

Design: Select the most consequential architecture decision facing your organisation in the next quarter. Apply all nine frameworks in order — F1 through F9 — and produce a written analysis. For each framework, state what it reveals about the decision that the previous frameworks did not. Identify where the frameworks produce conflicting signals and how you resolve the conflict.