Policy Name: Zero OOPS Policy
Policy Owner: Francis Lacoste
Parent Process/Activity: None
Supported Policy: None
Policy Overview
In a nutshell, this policy is about moving the tolerance-level for OOPSes to zero. This mean that any user-visible error happening in production is a stop-the-line event and should be fixed ASAP. This includes javascript errors even though we do not currently record OOPS for them: 741991.
Why this policy?
For three interlocking reasons:
- We should be proud of the service we build and deliver, and we cannot take pride in a low-quality product. Everytime an OOPS page reaches a user, whether because of a time out or an unhandled exception, we failed on the measure of quality. An OOPS page means that a user was prevented from completing their work, that's really bad.
- Having zero tolerance for OOPSes in production means that we are putting actions behind our mantra of quality. An OOPS is basically an escaped defect, and we cannot tolerate that.
- The OOPS system tells us when something has gone wrong. If that report isn't essentially empty every day (due to many different OOPSes affecting a small number of users), we won't detect really severe problems (particularly those that only happen a couple of times but may have very severe impact) - our operational signal to noise ratio is compromised. This aspect is supported by our (internal, sorry) definition of critical policy.
This policy is basically about making sure that the Exceptions and Timeouts section of the report are empty.
What should be done about OOPSes
- Everytime an OOPS is encountered in production, a bug should be filed for it with priority of Critical. It should be tagged with either 'oops' or 'timeout' on it.
- Fixing critical bugs takes priority over all other bug fixing work (done by the interrupt squads).
Unless it's an operational incident, we should respect the work-in-process limit set through Kanban. But critical bugs should be the first bugs to be pulled for development once capacity is available.
- We should deploy all possible OOPS fix to production as rapidly as possible.
Once we achieve Zero-OOPS status:
- Do root-cause analysis for every OOPS that occurs in production, to ensure that our process is really robust against escaped defects.
But All OOPSes are not the same
All OOPSes in the "Exceptions" and "Time outs" sections should be eliminated. If an OOPS isn't important - because it's only triggered by robots, or for whatever reason, then the system should be changed to not record an OOPS.
One way to prevent an OOPS being visible is to change the exception type so that it doesn't trigger the OOPS code.
The end goals are:
- users are able to use the system
- OOPSes are only recorded when something is wrong that developers or operators need to know about.
The expected result of achieving these goals is that the system will generally be in good shape and if an OOPS is recorded its something important we should work on immediately - no sifting through many false positives.
When
We are starting this policy now.
Coming Soon
Burn down chart of the bugs with the "oops" tags.