Visual walkthrough — Responsible AI deployment practices
We will earn every symbol. By the end you will understand this line completely:
...and you will know why every letter is where it is.
Step 1 — What "a failure rate" even means
WHAT. We start with a single number: . It is the failure probability of one request.
WHY. Before we can ask "how many requests to catch a failure", we must have a crisp handle on how often a failure happens. That handle is .
PICTURE. Imagine a long strip of tiny boxes, one box per request. Most are green (success). A rare few are red (failure). The red fraction of the whole strip is .
Look at the strip: only a sliver is red. That sliver is . The whole point of a staged rollout is that if we only look at a few boxes, we might see zero red — and wrongly conclude the model is safe.
Step 2 — The chance a single request does NOT fail
WHAT. If failing has probability , then not failing has probability .
WHY. Our goal is to catch at least one failure. That is awkward to count directly (it could be one, two, three... failures). It is far easier to count the opposite: seeing zero failures. So we first need the probability that one request succeeds — that's the building block for "everything succeeds".
PICTURE. Take the strip from Step 1 and collapse it to a single spinner: a wheel where a red wedge of size means "fail" and the green rest of size means "succeed".
The green wedge is fat (because is tiny), so one spin almost always lands green. That "almost always" is exactly what makes rare failures dangerous — and exactly why one request tells you almost nothing.
Step 3 — Why we multiply: the chance ALL n requests succeed
WHAT. Spin the wheel times (send requests). The probability that every single one lands green is:
WHY multiply, not add? Because the requests are independent — the outcome of request 1 doesn't change request 2. When you want "this AND this AND this" for independent events, probabilities multiply. (Adding would answer "this OR this", a different question.)
PICTURE. A branching tree: at each request the path forks green (success) or red (failure). The single all-green path down the left edge has probability — and it shrinks fast as the tree gets deeper.
Notice: even though one spin is almost surely green, demanding a long chain of greens gets less and less likely. That shrinking is our friend — it means with enough requests, "all green" becomes rare, so seeing all green becomes real evidence of safety.
Step 4 — Turning our wish into an inequality
WHAT. We do not want to miss the failure. Let be the risk we tolerate of missing it — the probability we're willing to accept that all requests come up green even though the model is buggy.
We insist that the "all green" probability be no bigger than :
WHY. If the chance of "all green despite a bug" is squeezed below our tolerance , then seeing all green is good enough evidence to trust the model. This inequality is the statement of our goal, in symbols.
PICTURE. A vertical bar. The tall part is (our tolerance ceiling). The curve slides down as grows. We need big enough that the curve dips under the ceiling.
The yellow ceiling is fixed. The blue curve falls with more requests. We want the smallest where blue drops below yellow.
Step 5 — Why the logarithm? Unsticking from the exponent
WHAT. Our unknown is trapped up in the exponent of . We need a tool that pulls an exponent down to ground level. That tool is the logarithm.
WHY this tool and not another? We could not solve for with ordinary algebra — dividing or square-rooting won't free an exponent. The logarithm is the one operation built to answer "what power?", so it is the natural key to a locked exponent. Taking of both sides is legal because is increasing (bigger input → bigger output), so it preserves the direction... for now.
Apply to both sides:
PICTURE. The curve : it drags large exponents down onto a straight-line playground where is just a plain multiplier.
Step 6 — The sign trap: why the inequality FLIPS
WHAT. We now divide both sides by to isolate . But watch the sign of .
Since is between and , the number is less than 1. And of any number less than 1 is negative:
Dividing by the negative quantity flips into :
Every symbol earned:
- — a negative number (since ), "how strict am I?"
- — a negative number (since ), "how rare is one failure?"
- negative ÷ negative = positive, so comes out sensibly positive.
- — we need at least this many; more is fine, fewer is not.
WHY. The is the whole punchline: it tells us the minimum sample size. Forget the flip and you'd compute something — concluding you need fewer requests the stricter you get, which is nonsense.
PICTURE. A number line showing both values living in negative territory, and the division landing safely on the positive side, with an arrow marking "you need this many or more".
Step 7 — Plugging in real numbers
WHAT. Detect a failure rate with confidence: , .
Round up (you can't run a fraction of a request, and forbids rounding down):
WHY. This is the number the parent note quotes. It means: run the new model on ~3000 real requests. If none fail, you can say with confidence its failure rate is below . At 1000 users/day that's 3 days of 1% traffic.
PICTURE. The falling curve with a vertical marker at where it crosses the ceiling.
Step 8 — The edge cases (never let the reader hit an unshown scenario)
WHAT & WHY & PICTURE, case by case:
The figure sweeps across its range and shows exploding as and collapsing as — the whole behavioural map on one plot.
The one-picture summary
One flow, left to right: one spinner ( green) → multiply for spins () → cap it below tolerance () → take to free → divide (sign flips!) → the final .
Recall Feynman retelling — say it like you'd tell a friend
I've got a new model. It messes up rarely — call that rare-mistake chance . So it gets things right with chance each try. If I test it times and it's genuinely buggy, the chance it happens to look perfect (all green) is multiplied by itself times, which is . I don't want to be fooled more than, say, of the time — that is . So I demand . The trouble: is stuck up in the exponent. The logarithm is the one tool that yanks an exponent down to a plain multiplier, so I take of both sides and get . But is under , so its log is negative — and dividing by a negative flips the sign — giving . Both logs are negative, so their ratio is a nice positive number: the minimum requests I need. For a -in- bug caught with confidence, that's about requests. And the edges make sense: rarer bug → need way more tests; stricter confidence → need way more tests; there's never a free lunch.
Recall
What role does the exponent play in ? ::: It counts how many independent requests must all succeed in a row — how many green spins we demand. Why do we take a logarithm at all? ::: It is the only tool that pulls the unknown down from the exponent, turning into so we can solve for . Why does the inequality flip to ? ::: Because is negative (as ), and dividing an inequality by a negative number reverses its direction. As , what happens to the required , and what does it mean? ::: — an extremely rare failure needs enormous traffic to detect; the long-tail problem. For , what is ? ::: About requests (round up from ).
See also: 6.3.2-MLOps-principles (where this gates a staged rollout pipeline), 5.2.4-A-B-testing (the same sampling logic for comparing two models), 6.4.1-Adversarial-examples (the rare failures this math tries to catch), and the parent Responsible AI deployment practices.