[SEV] Qisqacha tavsif va sana

1) Prinsiplar va madaniyat

Blameless. Xato inson emas, balki tizim xususiyatidir. «Kim aybdor» emas, «nima uchun bunday bo’ldi» deb qidiryapmiz.
Faktlar va invariantlar. Har qanday xulosalar taymline, SLO, trassalar va loglarga asoslanadi.
Kompaniya ichida oshkoralik. Natijalar va darslar tegishli jamoalarga taqdim etiladi.
Amallar protokollardan muhimroqdir. Hujjat oʻzgarishsiz ≡.
Tez nashr etish. Postmortem loyihasi - hodisadan keyin 48-72 soat ichida.

2) Taksonomiya va hodisalar mezonlari

• SEV1 - pul/ma’lumotlarning to’liq mavjud emasligi/yo’qolishi;
• SEV2 - jiddiy tanazzul (xatolar> SLO, p99 tashqarida);
• SEV3 - qisman tanazzul/aylanma stsenariy mavjud.
• Ta’sir: ta’sir ko’rsatgan mintaqalar/tenantlar/mahsulotlar, davomiyligi, biznes metrikalari (konversiya, GMV, to’lovlarning rad etilishi).
• SLO/noto’g’ri byudjet: qancha byudjet tugagan, bu relizlar va tajribalar tezligiga qanday ta’sir qiladi.

3) Hodisaning roli va jarayoni

Incident Commander (IC): jarayonni boshqaradi, qadamlarni ustuvor qiladi, egalarini tayinlaydi.
Communications Lead: Steykholder/mijozlarni shablon bo’yicha xabardor qiladi.
Ops/On-call: tugatish, mitigatsiya harakatlari.
Scribe: taymline va artefaktlarni boshqaradi.
Subject Matter Experts (SME): chuqur diagnostika.

Bosqichlar: aniqlash → eskalatsiya → barqarorlashtirish → verifikatsiya → tiklash → postmortem → yaxshilanishlarni joriy etish.

4) Postmortem shabloni (tuzilishi)

5) RCA Techniques (Root Cause Search)

5 Why - sequential clarification of causes to the system level.
Ishikawa (fish bone) - factors "People/Processes/Tools/Materials/Environment/Dimensions."
Event-Chain/Ripple - a chain of events with probabilities and triggers.
Barrier Analysis - which "fuses" (timeouts, breakers, quotas, tests) were supposed to stop the incident and why they did not work.
Change Correlation - correlation with releases, config digs, feature flags, provider incidents.

Practice: Avoid "root cause = person/one bug." Look for a system combination (debt + lack of guard rails + irrelevant runbooks).

6) Communications and transparency

Internal: single channel (war-room), short updates according to the template: status → actions → ETA of the next update.
External: status page/newsletter with facts without "guilt," with apologies and an action plan.
Sensitivity: do not disclose PD/secrets; legal wording to be agreed.
After the incident: a summary note with human language and a link to a technical report.

External update template (brief):
"31 Oct 2025, 13:40 UTC - some users encountered payment errors (up to 18 minutes). The reason is the degradation of the dependent service. We turned on bypass mode and restored operation at 13:58 UTC. Apologies. Within 72 hours, we will publish a report with actions to prevent recurrence"

7) Actions and implementation management

Each action is owner, deadline, acceptance criteria, risk and priority relationship.
Action classes:
1. Engineering: timeout budgets, jitter retreats, breakers, bulkheads, backprescher, stability/chaos tests.
2. Observability: SLI/SLO, alert guards, saturation, traces, steady-state dashboards.
3. Process: runbook update, on-call workouts, game day, CI gates, bipartisan review for risky changes.
4. Architecture: cache with coalescing, outbox/saga, idempotency, limiters/shading.
Gates: releases fail unless "post-mortem critical actions" are closed (Policy as Code).
Verification: retest (chaos/load) confirms the elimination of the risk.

8) Integration of feedback

Sources:
Telemetry: p99/p99 tails. 9, error-rate, queue depth, CDC lag, retray budget.
VoC/Support: topics of calls, CSAT/NPS, churn signals, "pain points."
Product/Analytics: user behavior, failure/friction, drop-off in funnels.
Partners/Integrators: webhook failures, contract incompatibility, SLA timing.

Signal → decision loop:
1. The signal is classified (severity/cost/frequency).
2. An architectural ticket is created with a hypothesis and the price of the problem.
3. Falls into the engineering portfolio (quarterly/monthly), ranked by ROI and risk.
4. Execute → measure effect → update SLI/SLO/cost baselines.

9) Post-mortem maturity metrics

% postmortems published ≤ 72 h (target ≥ 90%).
Average "lead time" from incident to closure of key actions.
Reopen rate of actions (quality of DoD formulations).
Repeated incidents for the same reason (target → 0).
Proportion of incidents caught by guards (breaker/limiter/timeouts) vs "breakthrough."
Saturation of dashboards (SLI covering critical paths) and "noise" of alerts.
Share of game-day/chaos scenarios that simulate detected failure classes.

10) Example of postmortem (summary)

Event: SEV2. Payment API: up p99 to 1. 8s, 3% 5xx, 31 Oct 2025 (13:22–13:58 UTC).
Impact: 12% of payment attempts with retrays, part - cancellation. Erroneous budget q4: − 7%.
Root Cause: "slow success" of currency dependence (p95 + 400 ms), retrai without jitter → cascade.
Barrier failure: the breaker is configured only for 5xx, not for timeouts; there was no rate-cap for low priority.
What worked: hand shading and stale-rates feature flag.
Actions:
Enter timeout budget and jitter retrays (DoD: p99 <400 ms at + 300 ms to dependency).
Breaker for "slow success" and fallback stale data ≤ 15 minutes.
Update runbook "slow dependency," add chaos script.
Add dashboard "served-stale share" and alert at> 10%.
Enter release-gate: without passing chaos-smoke - prohibit release.

11) Artifact patterns

11. 1 Timeline (example)

13: 22:10 Alert p99> 800ms (gateway)

13: 24:00 IC tayinlandi, war-room ochildi

13: 27:30 currency-api «sekin muvaffaqiyat» aniqlandi

13: 30:15 Ficha-bayroq stale-rates ON (trafikning 10%)

13: 41:00 Stale-rates 100%, p99 barqarorlashtirilgan 290ms

13: 52:40 Gateway-da retraylarni cheklash

13: 58:00 Hodisa yopildi, monitoring 30 daqiqa

11. 2 Solutions and Validation (DoD)

Yechim: breaker (slow_success) ni yoqish

DoD: chaos-ssenariy «+ 300ms to currency» - p99 <450ms, error_rate <0. 5%, stale_share < 12%

11. 3 Policy "gate" (check)

deny_release if any(postmortem_action. status!= "Done" and action. severity in ["critical"])

12) Anti-patternlar

«Jodugarlarni ovlash» va jazolar → xatolarni yashirish, signallarni yo’qotish.
Protokol uchun protokol: uzoq hujjatlar amal qilmasdan/egalarisiz/muddatlarsiz.
Tizimli omillarsiz «koddagi xato» darajasidagi RMA.
Hodisani retestsiz va bazlinlarni yangilamasdan yopish.
Kompaniya ichida oshkoralikning yo’qligi: boshqa jamoalarda ham xuddi shunday xatolarni takrorlash.
Safport/hamkorlar va «ko’rinmas» degradatsiyalar (sust muvaffaqiyat) dan qayta aloqani e’tiborsiz qoldirish.
«Hamma narsa tuzatildi, davom etyapmiz» qisqartmasi - arxitektura/jarayonda o’zgarishsiz.

13) Arxitektorning chek-varaqasi

1. Postmortem va SLA postmortemining yagona namunasi bormi ≤ 72 soat?
2. Rollar (IC, Comms, Scribe, SME) avtomatik ravishda tayinlanadimi?
3. Taymlaynlar telemetriya (treys/metrika/logi) va relizlar/bayroqlar belgilariga asoslanganmi?
4. RCA usullari tizimli ravishda qoʻllaniladimi (5 Why, Ishikawa, Barrier)?
5. Xatti-harakatlar egalari, muddatlari va DoD, xavf va relizlar bilan bog’liqmi?
6. Hodisa runbook/xaoc-skriptlar/alertlarni yangilashga olib keladimi?
7. VoC/Support kanallari o’rnatilgan, «top-og’riqlar» muntazam ko’rib chiqiladimi?
8. Noto’g’ri byudjet relizlar va tajribalar siyosatiga ta’sir qiladimi?
9. Etuklik metrikasi kuzatiladimi (time-to-postmortem, reopen rate, takrorlanuvchanlik)?
10. Jamoa ichidagi ommaviy tahlillar va qidiruv bilan bilim bazasi mavjudmi?

Xulosa

Postmortemalar va fikr-mulohazalar arxitekturani o’rganish mexanizmidir. Ayblovlarsiz tahlil qilish, harakatlarning o’lchanadigan samarasi va ishlab chiqarish signallarining integratsiyasi odatiy holga aylanganda, tizim har hafta yanada barqaror, tezroq va tushunarli bo’ladi. Faktlarni ko’zga tashlang, harakatlar majburiy va bilimlar mavjud bo’lsin va hodisalar platformaning evolyutsiyasi uchun yoqilg’iga aylanadi.