Toward Operationalizing Rasmussen: Drift Observability on the Simplex for Evolving Systems

Monitoring drift into failure is hindered by Euclidean anomaly detection that can conflate safe operational trade-offs with risk accumulation in signals expressed as shares, and by architectural churn that makes fixed schemas (and learned models) stale before rare boundary events occur. Rasmussen’s dynamic safety model motivates drift under competing pressures, but operationalizing it for software is difficult because many high-value operational signals (effort, remaining margin, incident impact) are compositional and their parts evolve. We propose a vision for drift observability on the simplex: model drift and boundary proximity in Aitchison geometry to obtain coordinate-invariant direction and distance-to-safety in interpretable balance coordinates. To remain comparable under churn, a monitor would continuously refresh its part inventory and policy-defined boundaries from engineering artifacts and apply lineage-aware aggregation. We outline early-warning diagnostics and falsifiable hypotheses for future evaluation.

💡 Research Summary

The paper tackles the problem of detecting “drift into failure” in modern micro‑service based software systems, where many operational metrics are naturally expressed as compositional data (i.e., shares that sum to one). Traditional Euclidean anomaly detection is inadequate because the closure constraint causes spurious correlations: a change in one share automatically forces changes in the others, leading to false positives or missed warnings. Inspired by Rasmussen’s dynamic safety model, the authors propose a geometry‑correct monitoring framework that treats each operational state as a point on the simplex and analyses it using Aitchison geometry (log‑ratio transformations).

Key contributions include: (1) modeling the operating point as a composition derived from automatically extracted artifacts (deployment manifests, SLO‑as‑code, tracing data). The extraction yields a current part inventory and policy‑defined safety boundaries; when such artifacts are unavailable, a small seed set can be bootstrapped. (2) Introducing a lineage map πₜ that continuously maps evolving parts (services, SLOs, request classes) onto a small, stable set of canonical groups (typically 3‑7). This aggregation produces a stabilized monitoring state ˜xₜ that remains comparable across splits, merges, and renames. Parts that are transient or low‑confidence are placed in an “other” group, and model health is tracked via extraction confidence cₜ and the mass of “other” m_otherₜ.

The drift dynamics are expressed as a perturbation on the simplex: ˜xₜ₊₁ = ˜xₜ ⊕ (β⊙˜gₜ) ⊕ ˜ηₜ, where ˜gₜ represents an effective pressure (e.g., traffic surge, policy change), β is a step‑size, and ˜ηₜ is multiplicative noise. By applying the isometric log‑ratio (ilr) transform, the dynamics become linear in Euclidean space (zₜ₊₁ = zₜ + β·uₜ + εₜ). Since only the product β·uₜ is observable, the authors estimate the normalized drift direction ˆuₜ = Δzₜ / ‖Δzₜ‖ and treat β as a forecast horizon. Robust smoothing (e.g., EWMA or state‑space models) is recommended for early‑warning diagnostics.

Safety proximity is quantified in two geometry‑consistent ways. The “barrier index” B(˜xₜ)=−∑log˜xₜₖ diverges when any share approaches zero, capturing collapse risk. More generally, policy constraints hⱼ(x)≤0 (such as toil caps or error‑budget gates) are expressed as log‑ratio inequalities, defining a safe set Ω. The Aitchison distance d_A(˜xₜ,˜x★) measures how far the current state is from a reference composition ˜x★ (expert‑chosen or learned from a historically good window). Additionally, the authors compute the step‑to‑boundary λ along the estimated drift direction: the smallest λ>0 such that ilr⁻¹(zₜ+λ·ˆuₜ) exits Ω. This one‑dimensional root‑finding yields an imminence estimate; a small λ signals an urgent need for intervention.

The framework culminates in a compact “drift report” emitted each monitoring interval: (1) a scalar warning level derived from d_A and its trend, (2) the λ‑based imminence estimate, (3) attribution of the top‑k balances (log‑contrasts) that contribute most to the drift, mapped back to the artifact‑derived model structure, and (4) health indicators (cₜ, m_otherₜ). These outputs can drive concrete SRE actions—pausing releases when λ is low, allocating reliability effort when the feature‑vs‑reliability balance drifts, investigating concentration of risk in a tier, or retraining the monitor when extraction confidence drops.

A concrete SRE example illustrates the approach: error‑budget shares are parsed from OpenSLO files, forming a composition over SLOs; risk‑share compositions are derived from a service‑dependency graph and simulated fault injection. Two toy scenarios on an effort‑share composition (feature, reliability, toil) demonstrate how Euclidean thresholds either raise false alarms or miss genuine violations, whereas the log‑ratio based monitor correctly flags the unsafe increase in the feature‑to‑reliability ratio.

Overall, the paper delivers a mathematically sound, architecture‑aware, and policy‑driven methodology for drift observability on the simplex. By respecting the compositional nature of operational data, continuously adapting to part churn via lineage, and providing interpretable, coordinate‑invariant distance‑to‑safety metrics, it offers a practical path to early detection of safety‑boundary erosion in evolving software systems.