← Articulet TPM, Made Clear Chapter 7.1
Module 7Reliable, Secure, and Operable Delivery

Quality Gates, Traceability, Launch Criteria, and Operational Readiness

The 60-second version: A launch gate is an authorized decision based on traceable evidence, not a meeting or green checklist. The TPM integrates cross-team criteria, exceptions, rehearsal, and the recommendation; Product, Engineering, Operations, and control owners certify their specialties and the proper authority ac…

Chapter 25 of 4062% through the course
Module 7: Reliable, Secure, and Operable Delivery

Mission

By the end of this chapter, you can produce a traceable launch-readiness decision with evidence, owners, conditions, and explicit residual risk.

  • Measurable outcome: Given a launch proposal, produce a readiness decision in which every material criterion has evidence, an owner, and a disposition; score at least 3 of 4 on the rubric below.
  • Prerequisites: Chapters 9, 12, 16, 18, and 20; a basic system context and risk register.
  • Work product: A Launch Evidence Matrix and a one-paragraph go, conditional-go, or no-go recommendation.
  • Time: 70–90 minutes, plus 30 minutes if you apply the artifact to a live program.

Before you read: Predict → Commit → Connect

Meridian Pay is preparing to route 5% of Canadian settlement traffic through a new regional service. Functional tests pass. The rollback script exists but has never run against production-scale data. The operations team has not rehearsed settlement reconciliation, and Support has no customer message for delayed payouts.

Predict first: should the launch proceed? Write one sentence and name the single piece of evidence that would most change your answer. Commit to it before reading. Then connect it to Chapter 12: verification asks whether the system meets specified requirements; validation asks whether it is fit for the intended use. A launch needs both.

A gate is a decision supported by evidence

A gate is not a meeting, a checklist, or a green icon. It is a decision point at which authorized people compare current evidence with agreed criteria and choose a disposition. Useful dispositions are go, go with explicit conditions, hold, or stop and redesign. “Go with risk” is incomplete unless the risk, exposure window, compensating control, accountable acceptor, and review date are recorded.

Traceability makes the evidence inspectable. Start with the outcome or harm to avoid, derive a requirement, identify how it will be verified or validated, attach the result, and connect the result to the decision. A requirement with no test is hope. A test with no requirement may be interesting but irrelevant. A result with no decision owner becomes dashboard wallpaper.

Traceability from outcome to readiness decision

Quality gates should be proportional. A copy change does not need the same evidence as a payment-routing change. Increase rigor when blast radius, irreversibility, safety impact, regulatory exposure, novelty, or uncertainty rises. Decrease ceremony when changes are isolated, observable, reversible, and already governed by proven automation. Proportionality is not permission to skip thinking; it is a reason to place effort where failure would matter.

Build criteria before launch pressure arrives

Write launch criteria while options remain open. Criteria invented during a tense go/no-go meeting tend to move toward the answer powerful people already want. A sound set normally covers five questions:

  1. Product fitness: Does the user journey achieve the intended outcome, including failure and recovery paths?
  2. Technical quality: Have functional, integration, performance, resilience, security, and data-integrity claims been tested at appropriate scale?
  3. Operational control: Can teams detect, diagnose, contain, roll back, recover, and communicate?
  4. Organizational readiness: Are Support, Finance, Legal, Security, regional operations, vendors, and on-call teams prepared for their actual obligations?
  5. Decision integrity: Are exceptions visible, time-bounded, accepted by the right authority, and represented honestly in the recommendation?

Operational readiness is often where locally successful work fails globally. Engineering can demonstrate that a service responds correctly while Finance cannot reconcile settlement, Support cannot recognize the failure, or on-call engineers lack permission to execute rollback. The TPM owns the seams among those proofs, not the detailed engineering proof itself.

Readiness gate and progressive exposure loop

For Meridian Pay, “the script exists” is not rollback evidence. Evidence might include a timed rehearsal against representative volume, proof that the old path remains compatible, named rollback authority, a reconciliation query, and an agreed threshold that triggers reversal. A staged launch then turns production exposure into a controlled learning step rather than a ceremonial finish line.

Decision rights: Who owns what?

  • Product owns the intended customer outcome and product acceptance criteria.
  • Engineering and Architecture own design, implementation, technical test evidence, and the truthfulness of technical limitations.
  • SRE or Operations owns operability standards, production controls, on-call capability, and rollback execution procedures.
  • Security, Privacy, Legal, and Compliance own their control interpretations and formal acceptances where policy or law assigns them.
  • The business or designated risk authority accepts material residual business risk; the TPM must not accept it by implication.
  • The TPM integrates criteria, evidence, dependencies, exceptions, rehearsal, decision timing, and the recommendation. The TPM challenges missing proof but does not certify specialties they do not own.

A local charter can move these boundaries. Record the local version before the gate.

I do

I examine Meridian’s untested rollback. I convert the vague criterion “rollback ready” into inspectable evidence:

  • restore the prior route within 15 minutes of the trigger;
  • preserve idempotency keys and avoid double settlement;
  • reconcile every transaction processed during the transition;
  • name the incident commander who can order rollback;
  • complete a rehearsal with production-representative volume;
  • attach the rehearsal log, reconciliation result, elapsed time, and open defects.

My recommendation is hold, not because every risk must be zero, but because the present gap touches settlement integrity and recovery ability. I propose a 24-hour rehearsal window and a new decision time. That is cleaner than a vague no and safer than optimism.

We do

Together, classify these three gaps:

  1. A dashboard label is unclear, but the underlying alert and runbook are tested.
  2. A security exception has a compensating control, named approver, and 14-day expiry.
  3. Support has not been trained to distinguish delayed settlement from duplicate settlement.

For each, choose go, conditional go, or hold. Ask: What harm could escape? How quickly would it be detected? Is recovery rehearsed? Who has authority to accept the remainder?

Show the model answer

Model answer

  1. Go, with the label correction tracked, if responders can still interpret the alert reliably.
  2. Conditional go only if the approver is authorized, the compensating control is verified, exposure is bounded, and expiry is enforced rather than merely dated.
  3. Hold until Support has a diagnostic path and escalation route, because an operationally invisible payment-integrity problem can amplify harm and delay containment.

Rubric (0–4)

  • 0: Gives colors or opinions with no evidence logic.
  • 1: Identifies gaps but treats every gap as equally severe.
  • 2: Considers impact and evidence but omits ownership or residual risk.
  • 3: Makes proportional dispositions with evidence, owner, trigger, and expiry.
  • 4: Also tests cross-functional detectability, reversibility, and second-order harm.

You do

Create a Launch Evidence Matrix for a real or simulated launch with these columns:

Criterion Harm prevented or outcome enabled Evidence required Evidence link/result Owner Status Exception/expiry Decision impact
Example: settlement rollback Duplicate or stranded funds avoided Timed rehearsal plus reconciliation Pending Payments Eng Hold None No-go until demonstrated

Write no more than 12 material criteria. If you need 80 rows, group supporting checks beneath decision-level criteria. Finish with one paragraph: recommendation, strongest evidence, largest residual risk, conditions, and next decision time.

Pause & Recall

Without looking back, explain the difference among a criterion, a test, evidence, and a disposition. Then recall Chapter 18: when does a failed criterion become an issue rather than a risk? Finally, name one criterion in your matrix that validates fitness for use rather than merely verifying a specification.

Production lens

In production, checklists decay. Assign an owner and review trigger to the template itself. Automate evidence collection where the automation is trustworthy, but preserve human judgment for exceptions and residual risk. Never let “all boxes checked” conceal that the boxes omit a material customer journey, regional obligation, or recovery path.

Workplace artifact: launch recommendation

Copyable launch recommendation

Recommendation: [go / conditional go / hold] for [scope and exposure] at [time]. Evidence supports [most important claims]. The largest residual risk is [specific risk], bounded by [control, trigger, and exposure] and owned by [name/role]. Before expansion, we require [evidence]. The next decision is [time/authority]; rollback authority is [role].

Chapter compression

A quality gate is an evidence-backed decision, not a meeting. Trace outcome or harm → requirement → method → evidence → disposition → residual-risk owner. Define criteria before launch pressure. Scale rigor with blast radius, irreversibility, and uncertainty. Readiness includes the organizations and recovery mechanisms around the software.

Retrieval deck

  • Q: What makes a gate real? A: Agreed criteria, inspectable evidence, an authorized disposition, and recorded residual risk.
  • Q: What is the TPM’s readiness ownership? A: Integrating cross-team criteria, evidence, exceptions, timing, and recommendation, rather than certifying every specialty.
  • Q: When is conditional go legitimate? A: When the gap is bounded by verified controls, an authorized owner, a trigger, and an enforced expiry or next decision.
  • Q: Why rehearse rollback? A: Existence of a rollback design does not demonstrate that people, permissions, data, timing, and tools can execute it safely.
  • Q: What is checklist theater? A: Completing checks that are disconnected from material outcomes, harms, or decision rights.

Spaced review

  • Now: State your launch disposition and the evidence that would reverse it.
  • +1 day: Rebuild the six-link traceability chain from memory.
  • +3 days: Convert one vague readiness item into a criterion, method, evidence, owner, and disposition.
  • +7 days: Audit a prior launch and identify the criterion whose evidence was weakest.
  • +14 days: Compare a predicted readiness gap with what happened and revise the matrix.

Sources and further study

Keep your retrieval practice honest. Progress is saved only in this browser.