Chaos Engineering and Trade-Off Analysis

Chaos engineering is the discipline of experimenting on a system in order to build confidence in its capability to withstand turbulent conditions in production. The distinction from testing is important: testing verifies that code does what it is supposed to do. Chaos engineering verifies that the system behaves as expected when infrastructure fails around it.

The Principles of Chaos Engineering, published by Netflix engineers in 2019, define five principles. First, build a hypothesis around steady state: define a measurable normal state before injecting failures. Second, vary real-world events: inject failures that mirror actual production failure modes, not artificial scenarios. Third, run experiments in production: staging environments lack production traffic patterns and production dependencies. Fourth, automate experiments continuously: manual chaos tests are one-time; automated experiments catch regressions. Fifth, minimise blast radius: start with the smallest possible failure that would still reveal the weakness.

The fifth principle is the safety net. Terminating one instance is a smaller blast radius than terminating an entire Availability Zone. Start small. Expand scope only after the smaller experiment confirms the hypothesis.

Every chaos experiment follows the same five-step structure. Define the steady state: a measurable description of normal system behaviour, expressed using SLIs from Module 18 (for example, 99.95% of payment requests succeed, p99 latency under 300 milliseconds). State the hypothesis: a specific prediction about how the system will behave when the failure is injected. Inject the failure: using a controlled mechanism with a defined scope and duration. Observe: monitor the SLIs throughout the experiment. Conclude: compare actual behaviour to the hypothesis.

Consider an experiment testing the payment service's dependency on Redis. The steady state is 99.95% payment success rate and p99 latency under 300 milliseconds. The hypothesis is that if Redis becomes unavailable, the payment service will fall back to database session lookups, success rate will remain above 99%, and latency will increase but stay under 1,000 milliseconds. The failure injected is blocking all Redis connections from the payment service for five minutes using iptables rules. The abort condition is triggered if the success rate drops below 95% or latency exceeds 5,000 milliseconds. The experiment is terminated and the block removed immediately if either abort condition is met.

A confirmed hypothesis builds confidence. A rejected hypothesis reveals a weakness that would have caused an outage under real failure conditions. Both outcomes are valuable; a rejected hypothesis is arguably more valuable because it reveals a weakness before it causes unplanned downtime.

Chaos engineering on a system without good observability does not reveal weaknesses; it just causes problems. The following prerequisites must be in place before any production chaos experiment.

Defined SLIs and SLOs with real-time monitoring (from Module 18) are required to establish the steady state and to measure the impact of the failure injection. Distributed tracing is required to diagnose what is happening inside the system during the experiment. An on-call engineer must be monitoring the system throughout the experiment window, ready to trigger the abort condition manually if automated thresholds do not catch the problem quickly enough.

A documented abort condition (the specific SLI threshold at which the experiment terminates and the failure is reversed) must be defined before the experiment runs, not during it. Scheduled change freeze periods must exclude chaos experiments: running an experiment during peak trading hours without explicit approval and stakeholder notification is irresponsible. Stakeholders must know an experiment is running so that unexpected customer impact is not mistaken for a production incident.

Architecture trade-off analysis ensures that significant architectural decisions are evaluated against quality attribute requirements before being implemented. The Architecture Trade-off Analysis Method (ATAM) was developed at the Software Engineering Institute (SEI) in the 1990s. It identifies three types of architectural elements: sensitivity points (where a change in the architecture significantly affects a quality attribute), trade-off points (where improving one quality attribute degrades another), and risks (decisions that may prove problematic given uncertain requirements).

Applying ATAM to the decision of synchronous versus asynchronous communication between the order service and the notification service: a synchronous call makes the order service's latency sensitive to the notification service's response time (a sensitivity point). Switching to asynchronous communication improves the order service's performance and availability but reduces consistency: notifications may be delivered seconds after the order completes (a trade-off point). The risk is that asynchronous delivery requires dead-letter queues and retry logic; if these are not implemented correctly, notifications are silently lost.

For everyday decisions, a full ATAM exercise is not warranted. A structured comment in an Architecture Decision Record achieves the same purpose: document what you gain (the improvement), what you accept (the degraded quality attribute), and the sensitivity points (the thresholds at which the trade-off becomes problematic).