Dev teams want to ship fast. “We’ll deploy this feature daily. If it breaks, we’ll fix it.”
Ops teams want stability. “We’ll freeze deployments. No changes on Friday. No changes during peak hours.”
Both are responding rationally to incentives:
Devs are measured on features shipped
Ops is measured on uptime maintained
Result: Conflict, slow deployments, frustration, on-call engineers waking up at 3am.
SRE’s insight: This doesn’t have to be a tradeoff. You can have both — if you’re intentional about risk.
The Error Budget: Quantifying Risk
Here’s the core SRE concept: the error budget.
Definition: An error budget is the amount of downtime (or errors) a service can tolerate while still meeting its reliability target.
Example calculation:
You decide your service should be 99.9% available (three 9s).
Total time in a month:
30 days × 24 hours × 60 minutes = 43,200 minutes
Error budget:
43,200 × (1 - 0.999) = 43,200 × 0.001 = 43.2 minutes
Interpretation:
Your service can be down for 43.2 minutes per month
and still meet the 99.9% target.
Why this matters:
It’s a budget, not a ceiling. You can use it, and you should use it.
It’s shared between outages and deployments. If you have a major outage that burns 30 minutes, you have 13 minutes left. That 13 minutes is your “safe deployment window.”
It’s a business decision, not a technical one. Your CTO and product lead decide the target, not your SRE team.
Using Your Error Budget: Three Scenarios
Scenario 1: You Have Error Budget Remaining
Your service is 99.95% available for the month (better than the 99.9% target).
You have 26 minutes of error budget left.
Decision: Deploy that risky feature.
Why? Because:
The feature is valuable to the business
You have buffer
If it causes a 10-minute outage, you’re still within SLO
The learning from a small failure is worth more than waiting
Without error budget thinking: “We’ve been stable. Let’s never change anything.” (Stagnation)
With error budget thinking: “We have room for a small failure. Let’s ship this.”
Scenario 2: You’re Out of Error Budget
It’s mid-month. A bug caused a 25-minute outage yesterday. You’ve now exceeded your monthly error budget.
What do you do?
Freeze risky deployments. Only deploy critical bugfixes.
Reduce blast radius. For necessary deployments, roll out to 5% of traffic, watch it for 1 hour, then 50%, then 100%.
Increase monitoring. Add extra alerts so you catch issues faster.
Investigate root cause. Why did the bug get through? Improve tests or code review.
Plan for next month. If you’re regularly out of budget, your SLO is too aggressive.
The key: Out-of-budget is a signal, not a punishment. It tells you to slow down, not to panic.
Scenario 3: You Never Use Your Error Budget
Your service is 99.95% available, but your SLO is 99.9%.
This is actually a problem, not a success.
Why?
Your SLO is not honest. If you never risk it, it’s not your real target; it’s a guess.
You’re leaving value on the table. You could ship faster, test riskier features, or invest in other services.
Ops will tighten the SLO next year. “You were 99.95%, so let’s target 99.95% now.” This continues until you’re chasing perfection.
Healthy error budget usage:
You have a 99.9% SLO
Most months you’re at 99.93%
A couple times a year, you deploy something that slightly risks it
Maybe once a year you hit an outage that brings you down to 99.85%
Your error budget is working as intended
Making Risk Decisions
Not all risks are equal. Here’s a framework for deciding whether to take a risk:
1. What’s the potential impact?
Small: Affects <1% of users, recoverable in <5 minutes
Medium: Affects 1–10% of users, recoverable in 5–30 minutes
Large: Affects >10% of users, recoverable in >30 minutes
2. How likely is this impact?
Low (< 5% chance): “Probably won’t happen”
Medium (5–20% chance): “Could happen, but not likely”
High (> 20% chance): “Probably will happen”
3. What’s the value of taking this risk?
High value: Critical feature, or major reliability improvement
Medium value: Nice-to-have feature, moderate improvement
Low value: Cosmetic change, minor optimization
4. Can you mitigate?
Yes (use canary deployments, gradual rollout): Reduce the risk substantially
Partial (add monitoring, prepare rollback): Reduce impact if it goes wrong
No (it’s either broken or working): All-or-nothing
Decision rule:
Value
Likelihood
Decision
High
Low
Deploy (high reward, low risk)
High
Medium
Deploy with canary (worth the risk, mitigate it)
High
High
Wait, redesign to lower risk
Medium
Low
Deploy if you have budget, otherwise wait
Medium
Medium
Only if you have budget AND can mitigate
Medium
High
Don’t do it
Low
Any
Don’t do it (not worth it)
Error Budgets in Practice: Real Example
The Scenario:
Your team runs a payment processing service. SLO: 99.95% uptime.
End of month: You’re at 99.94%, so you’ve got about 4 minutes of budget left.
Your team wants to deploy a new feature: Batch payment processing (processes 1000 payments in one transaction instead of one at a time).
The analysis:
Impact: If it breaks, all payments in that batch fail. High risk. Potential to affect hundreds or thousands of users.
Likelihood: Your tests pass, but it’s complex code. You’d estimate 15% chance of a production issue.
Value: Customers have been asking for this for months. Competitive advantage. High value.
Mitigation: You can deploy to 1% of traffic first, monitor for 2 hours, then 10%, then 100%.
Decision:
With 4 minutes of budget and 15% failure risk, you don’t deploy now. But here’s what you do:
Prepare for next month. Plan to deploy on Day 1 of next month with a fresh budget.
Implement canary strategy. Start with 1% traffic, let it run for 4 hours (covers business-hour variations).
Add observability. Instrument the feature heavily; log every batch start and end.
Prepare rollback. Have a manual rollback plan in case it goes wrong.
On-call prep. Brief the on-call engineer on what this feature does and how to debug it.
Result: The business gets the feature. The service stayed within SLO. No 3am pages. Everyone wins.
SLO Targets: Choosing the Right Number
How do you decide on an SLO? Some guidance:
Type of Service
Suggested SLO
Reasoning
Critical (payments, auth, core platform)
99.99% (four 9s)
4.3 minutes downtime/month acceptable
Important (APIs, services)
99.9% (three 9s)
43 minutes downtime/month acceptable
Useful (non-critical features)
99% (two 9s)
7 hours downtime/month acceptable
Development/staging
No SLO
These can be anything
Rules of thumb:
Never promise more than you deliver consistently. If you say 99.9% but average 99.95%, that’s fine. If you say 99.95% but average 99.9%, you’re in trouble.
Align SLO with business impact. If downtime costs $50k/minute, you need higher availability than if it costs $5/minute.
Be realistic about dependencies. If you depend on AWS, you can’t promise better uptime than AWS provides. (AWS typically guarantees 99.99% per-AZ, but that’s still an external risk.)
Review annually. As your system matures and usage grows, your reliability should improve. Tighten your SLO.
SRE Interview Tip
Many engineers think it’s only a small improvement but in reality,
Contains information related to marketing campaigns of the user. These are shared with Google AdWords / Google Ads when the Google Ads and Google Analytics accounts are linked together.
90 days
__utma
ID used to identify users and sessions
2 years after last activity
__utmt
Used to monitor number of Google Analytics server requests
10 minutes
__utmb
Used to distinguish new sessions and visits. This cookie is set when the GA.js javascript library is loaded and there is no existing __utmb cookie. The cookie is updated every time data is sent to the Google Analytics server.
30 minutes after last activity
__utmc
Used only with old Urchin versions of Google Analytics and not with GA.js. Was used to distinguish between new sessions and visits at the end of a session.
End of session (browser)
__utmz
Contains information about the traffic source or campaign that directed user to the website. The cookie is set when the GA.js javascript is loaded and updated when data is sent to the Google Anaytics server
6 months after last activity
__utmv
Contains custom information set by the web developer via the _setCustomVar method in Google Analytics. This cookie is updated every time new data is sent to the Google Analytics server.
2 years after last activity
__utmx
Used to determine whether a user is included in an A / B or Multivariate test.
18 months
_ga
ID used to identify users
2 years
_gali
Used by Google Analytics to determine which links on a page are being clicked
30 seconds
_ga_
ID used to identify users
2 years
_gid
ID used to identify users for 24 hours after last activity
24 hours
_gat
Used to monitor number of Google Analytics server requests when using Google Tag Manager