Setting Service Level Objectives

For decades, reliability engineering was trapped in a false dichotomy: either you prioritize reliability and sacrifice development velocity, or you move fast and accept that things will break. Teams faced constant tension between "shipping features" and "keeping the site up," with neither side having objective criteria for resolution.

Error budgets changed everything.

An error budget is the mathematical inverse of an SLO target. If your SLO is 99.9% availability, your error budget is 0.1%—the amount of unreliability you're explicitly permitted before violating your commitment. This seemingly simple reframing has profound implications:

• It makes reliability a finite resource that can be spent, tracked, and managed like any other budget
• It provides objective criteria for deciding when to prioritize features vs. reliability
• It aligns development and operations around shared metrics rather than competing incentives
• It transforms reliability from a vague aspiration into a quantifiable investment decision

Error budgets are the mechanism by which SLOs become actionable. Without them, SLOs are just numbers on a dashboard. With them, SLOs drive organizational behavior.

At its core, an error budget is simply the inverse of your SLO target, expressed as a quantity of allowable failure over your SLO window. Understanding the mathematics enables precise tracking and decision-making.

The fundamental formula:

Error Budget = 100% - SLO Target

For an SLO of 99.9% availability:

Error Budget = 100% - 99.9% = 0.1%

This percentage becomes concrete when applied to your SLO window and measured in practical units:

Time-based calculation (for availability SLOs):

Request-based calculation (for latency/error rate SLOs):

For SLOs measured in requests rather than time, the error budget is expressed as a count of allowable bad requests:

Allowable Bad Requests = Total Requests × Error Budget %

For a service handling 10 million requests per month with a 99.9% success rate SLO:

Allowable Bad Requests = 10,000,000 × 0.001 = 10,000 requests

This means you can have up to 10,000 failed requests before violating your SLO.

The rolling window consideration:

Most error budgets use rolling windows (typically 28 or 30 days) rather than calendar periods. This matters because:

1. Continuous feedback: Each day, yesterday's performance rolls off and today's rolls on, providing constant current state
2. No reset gaming: Calendar periods create perverse incentives to take risks late in periods when budget is healthy
3. Smoother signals: Rolling windows avoid the artificial discontinuity of calendar resets

Tracking budget consumption:

Error budget consumption is typically expressed as a percentage of total budget used:

Budget Consumed = (Actual Errors / Allowable Errors) × 100%

Or equivalently:

Budget Consumed = (Actual Downtime / Allowable Downtime) × 100%

Tracking this over time creates an error budget burn chart—a visualization showing how quickly budget is being consumed and projecting when exhaustion might occur. This is analogous to financial burn rate for startups, applied to reliability.

Example scenario:

A service with 99.9% SLO has a 43-minute monthly error budget. After 15 days:

• Two incidents totaling 18 minutes of downtime
• Budget consumed: 18/43 = 41.8%
• At current burn rate: 41.8% × 2 = 83.6% projected by month end
• Status: Caution—on track but limited margin for additional incidents

Error budgets embody a radical philosophical shift in how we think about reliability. Understanding this philosophy is essential to using error budgets effectively.

The core insight: 100% is the wrong target

Traditional reliability thinking aimed for maximum uptime. More reliability was always better. Error budgets explicitly reject this:

• If your SLO is 99.9%, then 99.9% is exactly as good as 100%
• Achieving 99.99% when your target is 99.9% is not a success—it's a signal you're over-investing in reliability
• Unused error budget is wasted opportunity—velocity you could have captured but didn't

This is initially counterintuitive. How can more reliability be bad? The answer lies in opportunity cost.

Error budget as a shared resource:

Error budget is consumed by any activity that causes errors or unavailability:

• Incidents: Infrastructure failures, bugs in production, capacity issues
• Deployments: Rollout issues, configuration errors, regression bugs
• Experiments: A/B tests, canary deployments, chaos engineering
• Planned maintenance: Upgrades, migrations, infrastructure work

This creates a shared accountability model. The development team's risky deployment and the ops team's maintenance window both draw from the same pool. Neither can blame the other for budget exhaustion—it's a collective resource.

The velocity-reliability pendulum:

Error budgets create a self-regulating system:

1. Budget is healthy → Team has room for risky activities → Deploy faster, experiment more
2. Budget depletes → Team must slow down → Focus on stability, reduce deployment risk
3. Budget recovers → Return to faster velocity

This pendulum naturally balances innovation and stability without requiring constant negotiation or management intervention.

Who "owns" the error budget:

A subtle but critical question is who controls how error budget is spent. There are several models:

Product-owned budget: Product management decides how to allocate budget between features (new deployments) and reliability work. This aligns with product teams having ultimate responsibility for user experience.

Engineering-owned budget: Engineering leadership allocates budget based on technical judgment. This prevents product pressure from overriding engineering safety concerns.

Jointly-owned budget: Both product and engineering must agree on budget allocation, with defined escalation paths for disagreement. This forces alignment but can slow decisions.

Most mature organizations use joint ownership with a tie-breaker rule (typically: when budget is healthy, product decides; when budget is threatened, engineering decides on protective measures).

An error budget policy is a pre-agreed set of rules defining what actions are triggered by different error budget states. Having explicit policies prevents ad-hoc negotiation during stressful situations and ensures consistent organizational responses.

The policy framework:

Error budget policies typically define:

1. Thresholds: Budget consumption levels that trigger responses
2. Actions: What changes when thresholds are crossed
3. Escalation: Who is notified and who decides on exceptions
4. Recovery criteria: What must happen to return to normal operations

Defining policy actions in detail:

Deployment restrictions: The most common policy action is restricting deployments as budget depletes. This might mean:

• Requiring additional review for deployments
• Extending canary periods
• Limiting deployment windows to business hours
• Requiring rollback plans for all changes
• Freezing non-critical deployments entirely

Reliability investment mandates: Policies can mandate reliability work when budget is threatened:

• Teams must dedicate N% of sprint capacity to reliability
• Specific reliability improvements must be completed before feature work resumes
• Technical debt items from the backlog are promoted to current sprint

Escalation and visibility: Budget status can trigger management visibility:

• Caution state: Engineering manager is notified
• At Risk state: Director-level visibility, included in leadership sync
• Critical state: VP-level visibility, potential customer communication
• Exhausted state: Executive briefing required

The true power of error budgets emerges when they become the primary input for reliability-related decisions. Here are the key decision frameworks error budgets enable:

Decision 1: Ship or Wait?

When a feature is ready but carries deployment risk, error budget provides the answer:

• Budget healthy? Take the risk—that's what budget is for
• Budget depleted? Wait until budget recovers or reduce deployment risk

This removes subjective negotiation. The budget is an objective arbiter that both product and engineering agreed to respect.

Decision 2: Reliability vs. Feature Work

The classic engineering tradeoff becomes quantifiable:

• Budget depleting faster than expected: Shift capacity from features to reliability
• Budget healthier than expected: Shift capacity from reliability to features

This isn't annual planning—it's continuous rebalancing based on real feedback. A team might shift priorities weekly based on budget trends.

Decision 3: Incident Response Investment

Error budgets clarify how much incident response effort is warranted:

• A 5-minute incident that consumes 10% of remaining budget → Major response, thorough post-mortem
• A 5-minute incident when budget is 90% healthy → Proportionate response, standard follow-up

This prevents both over-reaction (treating every small incident as a crisis) and under-reaction (ignoring incidents that cumulatively deplete budget).

Decision 4: SRE Team Engagement

In organizations with dedicated SRE teams, error budget often governs SRE support levels:

• Teams consistently meeting SLOs with healthy budgets require minimal SRE support
• Teams chronically exhausting budgets receive intensive SRE engagement, including embedded SREs, mandatory reviews, and potential reassignment of service ownership

Decision 5: Freeze or Continue During Incidents?

When an incident occurs, teams often debate whether to freeze all activity or continue (carefully) with planned work. Error budget provides guidance:

• Remaining budget > incident cost projection: Continue with heightened monitoring
• Remaining budget ≤ incident cost projection: Freeze everything, all hands on recovery

Decision 6: Experiment Design

Error budgets should explicitly influence experiment design:

• Size experiment populations based on budget tolerance for potential degradation
• Set automatic experiment kill-switches at budget-threatening thresholds
• Schedule experiments when budget is healthy, not when depleted

Understanding what is consuming your error budget is as important as knowing how much is consumed. Effective error budget management requires categorizing and analyzing consumption patterns.

Consumption categories:

Attribution and accountability:

For error budgets to drive improvement, consumption must be attributed accurately:

• Each incident or degradation should be tagged with a consumption category
• Recurring consumption patterns should be identified and addressed
• Teams should review their consumption breakdown regularly (typically monthly)

A team consistently burning budget on deployment errors should invest in CI/CD improvements. A team burning budget on dependency failures should invest in resilience patterns. The budget tells you where to focus.

Consumption forecasting:

Beyond tracking current consumption, mature teams forecast future consumption:

1. Historical trend analysis: If you've consumed 40% of budget in the first half of the month for the last 3 months, project ~80% consumption this month
2. Planned activity analysis: Upcoming deployments, experiments, and maintenance have estimated budget costs; sum them for projected consumption
3. Seasonal adjustment: If traffic patterns vary (e.g., e-commerce before holidays), adjust projections for known high-risk periods

Consumption efficiency:

Not all budget consumption is equal. Some activities provide business value for the budget they consume; others are pure waste:

High-value consumption:

• Feature deployment that enables new revenue streams
• Experiment that generates valuable learning
• Migration that improves long-term reliability
• Planned maintenance that prevents larger future outages

Low-value consumption:

• Deployment failures from inadequate testing
• Repeated incidents from the same root cause
• Capacity issues from poor planning
• Human errors from missing automation

The goal isn't zero consumption—it's ensuring that consumed budget generates proportionate value. A team that uses 100% of budget to ship valuable features and experiments is performing optimally. A team that uses 50% of budget on preventable incidents is underperforming even though they're 'healthier.'

When error budget is exhausted or critically low, teams need a structured approach to recovery. This isn't about punishing teams—it's about providing a framework to return to healthy operations.

The recovery mindset:

Budget exhaustion is not a failure to be ashamed of—it's a signal that the balance between velocity and reliability needs recalibration. The goal of recovery is to:

1. Stop ongoing budget drain
2. Identify and address root causes
3. Rebuild budget to healthy levels
4. Resume normal velocity sustainably

Recovery velocity:

With a rolling window, error budget naturally recovers as old incidents roll out of the window. The recovery rate depends on:

• Window length: Longer windows mean slower recovery
• Ongoing consumption: If new incidents continue, recovery is delayed
• Incident severity: A single large incident takes the full window to roll out; many small incidents may roll out sequentially

For a 30-day window:

• An incident on Day 1 affects budget until Day 31
• Perfect operation from Day 2-30 gradually restores budget
• Full recovery occurs Day 31 when the incident rolls out

Accelerated recovery strategies:

While you can't change the math of rolling windows, you can accelerate effective recovery:

1. Prevent new consumption: The fastest way to recover is to stop consuming budget. Feature freezes serve this purpose.

2. Reduce ongoing consumption: Fix chronic small issues that continuously drain budget. A fix that saves 1 minute per day saves 30 minutes per month.

3. Improve incident response: Faster detection and mitigation means less budget consumed per incident.

4. Invest in reliability improvements: Use the recovery period productively rather than just waiting for the window to clear.

Error budgets are conceptually elegant but organizationally challenging. Successful adoption requires navigating predictable obstacles:

Challenge 1: 'We don't have good enough measurement'

Teams often cite imperfect observability as a reason to delay error budget adoption. While measurement matters, perfect measurement isn't required to start:

• Start with available metrics, even if imperfect
• Use error budgets to reveal measurement gaps
• Iteratively improve measurement alongside budget practice
• Accept that early budget calculations may be approximate

Challenge 2: Gaming the system

Sophisticated teams may find ways to game error budgets:

• Narrowing SLI scope to exclude unfavorable signals
• Setting targets so lenient they're always met
• Attributing incidents to 'external causes' to avoid budget charging
• Scheduling risky activities just after window resets

Countermeasures:

• SLI definitions and targets require cross-functional approval
• Regular external review of SLO/budget health (SRE, leadership)
• Audit trails on SLO definition changes
• Use rolling windows, not calendar periods, to prevent gaming resets

Challenge 3: Cultural resistance to 'allowed failures'

Some organizations have cultures where any failure is unacceptable. This prevents productive use of error budgets:

• "Our executives expect zero downtime"
• "Our users will leave if there's ever an error"
• "We've never had an outage; we don't need this"

These positions often collapse under scrutiny—no service truly has zero errors—but they require patient cultural change, often led by data showing that users actually tolerate more than assumed.

Error budgets transform SLOs from static targets into dynamic decision-making tools. They make reliability a shared resource, provide objective criteria for velocity-reliability tradeoffs, and create self-regulating systems that balance innovation with stability.