AgentSkillsCN

blameless-postmortems

当生产事故突发时,应以系统化的方式开展事故分析,将重点放在系统本身而非人为因素上,从而有效防范同类事故的再度发生

SKILL.md
--- frontmatter
name: blameless-postmortems
description: When a production incident occurs - systematic incident analysis that focuses on systems over people to prevent recurrence
tags: [sre, incident-response, learning-culture, systems-thinking, reliability]

Blameless Postmortems (Incident Analysis)

Overview

A structured document and process for analyzing incidents (outages, bugs, security breaches) that focuses on systemic causes rather than individual actions. Pioneered by Etsy and Google SRE, it creates psychological safety for honest reflection and organizational learning.

Core Principles

The Blameless Philosophy

"A blamelessly written postmortem assumes that everyone involved in an incident had good intentions and did the right thing with the information they had." - Google SRE Book

  • Just Culture: Focus on situational factors and decision-making processes, not punishment
  • Systems Thinking: Incidents result from complex system interactions, not single "root causes"
  • Psychological Safety: People must feel safe admitting mistakes to prevent future ones
  • Learning Over Accountability: The goal is to improve systems, not assign fault
  • Ask "How" Not "Why": "How did this happen?" gets description; "Why did you do that?" forces justification

Key Insight

Organizations that punish failure encourage hiding problems. Organizations that study failure openly get more reliable systems over time.

When to Apply

Use Blameless Postmortems when:

  • Production outages or service degradation
  • Security incidents or data breaches
  • Major bugs that reached customers
  • Near-misses that could have caused outages
  • Process failures that impacted delivery
  • Any incident you want to learn from and prevent recurrence

Trigger Criteria (Google SRE):

  • User-visible downtime
  • Data loss of any kind
  • Monitoring/alerting failure
  • Release rollback or emergency patch
  • On-call engineer escalation
  • Impact exceeds error budget threshold

Don't write postmortems for:

  • Incidents with clear, isolated causes and trivial fixes (update runbook instead)
  • Issues caught in development/staging (different learning process)
  • When organization culture will weaponize them for blame (fix culture first)

How It Works

The Postmortem Document Structure

1. Summary (2-3 sentences)

  • What broke, when, how long, customer impact
  • Example: "On 2025-03-15, 14:32-16:15 UTC, checkout was unavailable for 75% of users in US-East region. 450 orders failed. Cause: database failover script had hardcoded timeout that was too short for replica to catch up."

2. Timeline (Chronological Events)

  • All relevant events with timestamps
  • Include: when issue started, when detected, when escalated, actions taken, when resolved
  • Use 24-hour UTC timestamps
  • Include both technical events and human decisions

Example:

code
14:32 - Primary database CPU hits 100%, triggers automatic failover
14:33 - Failover script runs, but replica lag is 45 seconds
14:33 - Script times out after 30 seconds, leaves cluster in split-brain
14:37 - First PagerDuty alert fires for increased error rate
14:42 - On-call engineer Sarah acknowledges, begins investigation
14:50 - Sarah identifies split-brain, decides to force primary election
15:15 - Manual failover completes, service begins recovering
16:15 - Error rate returns to normal, incident closed

3. Root Cause Analysis (Contributing Factors)

  • Use "Five Whys" or fishbone diagrams
  • Identify multiple contributing factors (never just one)
  • Focus on systemic issues, not individual actions

Example:

  • Direct cause: Failover script timeout (30s) shorter than replica lag (45s)
  • Why timeout so short? Default value from 2019, never tuned
  • Why replica lag so high? Recent traffic spike increased replication delay
  • Why no alert on replica lag? Monitoring didn't track this metric
  • Why didn't we catch this in DR drills? Last drill was 8 months ago

4. Impact Assessment

  • User impact (how many users, what couldn't they do)
  • Business impact (revenue, reputation, SLA breach)
  • Internal impact (on-call fatigue, team morale)

Example:

  • 12,000 users saw checkout errors (75% of US-East traffic)
  • 450 orders failed, estimated $67K revenue loss
  • 2 SLAs breached (99.9% uptime, <1% error rate)
  • 4 engineers interrupted, Sarah worked 6 hours straight

5. Resolution and Recovery

  • How was service restored?
  • What actions were taken?
  • When did systems return to normal?

6. Action Items (Corrective and Preventive Actions)

  • Specific, measurable, assigned, time-bound
  • Mix of immediate fixes and long-term improvements
  • Include both technical and process changes

Example:

  • [P0, Sarah, 2025-03-16] Update failover script timeout to 120s
  • [P1, Database Team, 2025-03-20] Add replica lag monitoring with alerts
  • [P1, SRE Team, 2025-03-30] Schedule quarterly DR drills (recurring)
  • [P2, Sarah, 2025-04-15] Write runbook for split-brain recovery
  • [P2, Eng Managers, 2025-04-30] Audit all automated failover scripts for hardcoded timeouts

7. Lessons Learned

  • What did we learn about our systems?
  • What assumptions were invalidated?
  • What worked well that we should celebrate?

The Postmortem Meeting

When: Within 1-5 days of incident resolution (fresh memory, but not during crisis)

Who Attends:

  • All responders (on-call, engineers who mitigated)
  • Relevant stakeholders (product, customer support if users impacted)
  • Optional: Leadership (only if they can stay blameless)

Facilitation:

  1. Review timeline (10 min): Walk through what happened
  2. Discuss contributing factors (20 min): Collaborative root cause analysis
  3. Identify action items (20 min): What changes would prevent this?
  4. Assign owners and priorities (10 min): Who does what by when?

Facilitator Role:

  • Keep discussion blameless (redirect "why did you..." to "how did this happen?")
  • Ensure psychological safety
  • Drive toward actionable improvements
  • Document decisions in real-time

Execution Steps

Immediately After Incident

1. Assign Postmortem Owner

  • Usually primary responder or incident commander
  • Responsible for writing document and scheduling meeting
  • Deadline: Draft within 48 hours of resolution

2. Collect Data

  • Logs, metrics, dashboards, screenshots
  • Slack/incident channel transcript
  • Timeline of human actions (who did what when)
  • Customer impact reports

Writing the Postmortem

3. Draft Using Template

  • Use standard company template (consistency aids learning)
  • Fill in timeline first (easiest, most objective)
  • Then impact, resolution, contributing factors
  • Save action items for meeting (collaborative)

4. Circulate for Review

  • Share with incident responders for accuracy
  • Request corrections, not wordsmithing
  • Deadline: 24 hours before meeting

Postmortem Meeting

5. Facilitate Discussion

  • Start with "assume good intent" statement
  • Walk through timeline
  • Analyze contributing factors (focus on systems)
  • Generate action items collaboratively
  • Vote on priorities (P0 = this week, P1 = this month, P2 = this quarter)

6. Document and Publish

  • Finalize document with action items
  • Publish internally (wiki, Google Docs, Confluence)
  • Share summary in engineering all-hands or newsletter
  • Optional: Redact customer data, publish externally (builds trust)

Follow-Up

7. Track Action Items

  • Add to sprint backlogs or project roadmaps
  • Review status in next incident review meeting
  • If items aren't completed, ask "Why? What's blocking us?"
  • Celebrate completed improvements

8. Review Trends

  • Quarterly: Review all postmortems
  • Identify patterns (same root causes, same systems)
  • Prioritize systemic fixes based on frequency
  • Measure: Are we seeing fewer repeat incidents?

Questioning Techniques (John Allspaw)

Ask "How" Questions (Encourage Description)

  • "How did the system behave?"
  • "How did you interpret the data you saw?"
  • "How did you decide on that action?"
  • "How could our tools have helped you debug faster?"

Avoid "Why" Questions (Avoid Justification)

  • ❌ "Why didn't you check the replica lag?"
  • ❌ "Why did it take 20 minutes to escalate?"
  • ❌ "Why wasn't this caught in testing?"

These force people to defend themselves rather than describe conditions.

Reframe "Why" as "How"

  • ✅ "How did you prioritize what to check first?"
  • ✅ "How did the alert reach you, and what delayed escalation?"
  • ✅ "How did this slip through our testing process?"

Anti-Patterns

The Blame Game: Document or meeting devolves into finger-pointing

  • Fix: Facilitator aggressively redirects to systems. "Not 'who screwed up,' but 'what process failed?'"

The Human Error Fallacy: Conclusion is "engineer made a mistake, be more careful"

  • Fix: "Human error" is never root cause. Ask: What made that error possible? How do we prevent it systemically?

Action Item Graveyard: Long lists, nothing gets done

  • Fix: Limit to 3-5 items, force prioritization, track completion publicly

Postmortem Theater: Document written for compliance, no real learning

  • Fix: Make postmortems searchable and reference them. "Have we seen this before? Check postmortem #47."

Management Attendance Ruins Honesty: Team self-censors when execs attend

  • Fix: Managers attend sporadically, or read summaries. Primary goal is learning, not reporting.

The Cover-Up: Incident hidden to avoid scrutiny

  • Fix: Celebrate postmortems as learning opportunities. Blamelessness must be real, not performative.

Premature Closure: "Fixed the bug, we're done"

  • Fix: Ask "What else could have prevented this? How do we detect this class of issue earlier?"

Quality Indicators

High Signal:

  • Postmortems published within 1 week of incident
  • Action items have >80% completion rate
  • Engineers volunteer information freely during meetings
  • Postmortems reference previous postmortems (learning compounds)
  • External publication of postmortems (shows confidence in process)
  • Near-misses get postmortems too (proactive learning)

Low Signal:

  • Weeks/months to publish (if at all)
  • Generic "human error" conclusions
  • Action items are "be more careful"
  • Same incidents repeat (no systemic fixes)
  • Team fears postmortem meetings
  • Only catastrophic failures get analyzed

Real-World Examples

Google - Gmail Outage (2009)

Incident: Global Gmail outage, 2.5 hours Blameless Finding: Combination of planned maintenance + unexpected load + cascading failure Key Action Item: Improved testing of interactions between planned changes Cultural Impact: Postmortem shared publicly, built trust

Etsy - Deployment Process Failure

Incident: Bad deploy took down homepage Blameless Finding: Deploy script lacked rollback automation, on-call engineer was new Key Action Items:

  • One-click rollback implemented
  • Improved onboarding for on-call engineers
  • Deploy checklist expanded Cultural Shift: John Allspaw blog post made "blameless postmortem" industry standard

Netflix - Regional Outage

Incident: AWS region failure impacted streaming Blameless Finding: Chaos engineering had tested instance failures but not full region loss Key Action Item: Expanded Chaos Monkey to simulate regional failures Result: Netflix can now survive full region outages without user impact

Related Frameworks

  • Five Whys: Root cause analysis technique (ask "why" 5 times)
  • Fishbone Diagram: Visual cause-and-effect analysis
  • Swiss Cheese Model: How multiple small holes align to allow failures
  • Normal Accident Theory: Complex systems inevitably have incidents
  • Retrospectives: Similar reflection for sprints/projects (less structured than postmortems)
  • After-Action Reviews: Military equivalent, similar intent

Cultural Prerequisites

Blameless postmortems only work if:

  1. Leadership actually means it: If someone gets fired after a postmortem, the process dies
  2. Psychological safety exists: Team must trust they won't be punished for honesty
  3. Action items get resourced: If improvements never happen, process becomes performative
  4. Systemic thinking is valued: Organization believes in complex systems, not simple "root causes"
  5. Learning is prioritized over shipping: Willingness to slow down and fix underlying issues

If these don't exist, postmortems become:

  • Blame documents disguised as blameless
  • Checkbox compliance exercises
  • Morale-destroying interrogations

Scoring (48/50)

  • Practitioner Weight (10/10): Industry standard in SRE, DevOps, high-reliability orgs
  • Clarity (9/10): Well-documented structure, clear templates available
  • Proven ROI (10/10): Measurable reduction in incident frequency and severity
  • Novelty (9/10): Counterintuitive shift from blame to systems thinking
  • Applicability (10/10): Any team that operates production systems or experiences failures

Sources

  • Google SRE Book: "Postmortem Culture: Learning from Failure" (Chapter 15)
  • John Allspaw: "Blameless PostMortems and a Just Culture" (2012, Code as Craft blog)
  • Etsy Engineering: Pioneering public postmortems
  • Sidney Dekker: "The Field Guide to Understanding Human Error" (Just Culture foundation)
  • PagerDuty Postmortem Guide: Templates and best practices
  • Atlassian Incident Management: Postmortem handbook