Architecture principles and decision making

Architecture is decision making. Every day you choose between options, accept trade offs, and set constraints that shape the solution. Without something to guide those choices, each one is made in isolation, and isolated decisions add up to an incoherent system. Principles are the thread that ties hundreds of small decisions into one whole, and good records are how anyone later understands why you chose what you did. In government, neither is optional.

You'll come away with:

  • What an architecture principle is, and what it isn't: a rule, a goal, or a technology choice.
  • How the Technology Code of Practice and your own project principles fit into one hierarchy.
  • Decision frameworks that produce defensible choices, including matching effort to how reversible a decision is.
  • How to capture decisions in Architecture Decision Records that survive scrutiny and staff turnover.

What an architecture principle is

An architecture principle is a fundamental statement of belief that guides a decision. The good ones are stable, so they don't change with every project; directional, so they point at a preferred approach; and actionable, so they actually help you choose. It's easier to pin down by saying what a principle isn't. It isn't a rule. A rule is absolute: all data must be encrypted at rest. A principle is directional: we prefer open standards to proprietary formats, and you can deviate if you can justify it. It isn't a goal, either. A goal is an outcome you want, like cutting processing time by half; a principle is how you'll approach getting there, like designing for automation over manual steps. And it isn't a technology choice. "We use AWS" is a decision. "We prefer cloud hosted services to running our own infrastructure" is a principle, and on a given day it might lead to AWS, Azure or GCP.

A principle worth having carries four things with it: a statement ("design for change"), a rationale (government policy moves constantly, and systems that resist change become expensive liabilities), the implications in practice (separate business rules from application logic, prefer configuration to hard coded values, build modular components with clear interfaces), and the exceptions (a short lived prototype might trade modularity for speed of learning). The test is simple. Does it help you decide? If it never rules anything out, like "we build good systems", it's useless. If it only ever fits one situation, like "we use PostgreSQL for all relational data", it's a decision wearing a principle's clothes. The useful ones sit in between, specific enough to steer a choice and general enough to apply to many.

If a principle never rules anything out, it isn't doing any work.

Principles come in a hierarchy

You don't write most of your principles. You inherit them. They stack up in a hierarchy, and your job is to know where yours sit in it.

Three tiers narrowing downward. At the top, widest, the Technology Code of Practice, applying across all government. In the middle, departmental strategy, direction for your organisation. At the bottom in teal, narrowest, project principles, authored by you for this service.
Most of your principles are inherited. You author the bottom tier.

At the top is the Technology Code of Practice, the principles every government technology decision is meant to align with. They repay reading through an architecture lens rather than reciting. Define user needs means the option that serves users better wins, even when it's the less elegant one. Make things accessible means WCAG 2.2 AA is a constraint on your front end, your document generation and your error handling, designed in from the start. Be open and use open source means preferring open standards like REST, JSON and OAuth, reusing open source where it fits, and publishing your own code unless there's reason not to. Make use of cloud means cloud is the default and running your own infrastructure needs a real justification. Make things secure means threat modelling, secure defaults, least privilege and defence in depth at every layer. Integrate and adapt means designing for integration through APIs and replaceable parts rather than a monolith you can't unpick. Make better use of data means treating data as a shared asset other services might need. And share and reuse means checking what already exists, the common GOV.UK components like Notify, Pay and One Login, before you build anything new.

These don't always agree. Be open can pull against make things secure when the most secure option is proprietary. Make use of cloud can pull against share and reuse when the reusable component runs on someone else's infrastructure. When principles collide you make a judgment, document the trade off, and make sure the call is defensible. More on that below.

Writing your own project principles

The Code and your department take you most of the way, but every project has a context they don't address, and that's where you write a few of your own. Project principles sit beneath the inherited ones and add specificity rather than contradicting them. If the Code says make use of cloud, yours might say use serverless where usage is intermittent, to keep the cost down. They should answer your project's actual challenges: a lot of legacy to integrate might give you "isolate legacy behind adapters so its changes don't propagate", a small operations team might give you "prefer managed services to anything self hosted". They only work if the team agrees them, so write them with the team, not at it. And keep them few, because nobody remembers twelve. A reasonable set for a service might read:

Give each one a rationale and its implications, the same way the Code does, and revisit them as the project moves. A principle that no longer serves the work should be retired, not left to gather dust.

Frameworks for making the call

Principles steer a decision; you still need a way to actually make it. A few frameworks travel well in government. A weighted decision matrix, options as columns and criteria as weighted rows, is transparent and easy to explain to a non technical board, as long as you don't fall for false precision: a 7.3 against a 7.1 is a tie, not a winner, so use it to separate the clearly strong from the clearly weak. A cost, benefit and risk view suits programme boards because it's how they already think, provided you're honest about the costs and risks of your recommended option, not only the rejected ones. The reversibility test is the one I reach for most.

A horizontal spectrum from easy to reverse on the left, decide fast, to hard to reverse on the right, analyse carefully. Logging framework and component library sit on the easy end in grey; database and cloud provider sit on the hard end in teal.
Spend your analysis where the decision is hard to undo.

It asks a single question: how hard is this to undo? Cheap, reversible decisions like a logging library or a component kit deserve a quick choice and no more. Expensive, sticky ones like your cloud provider, your database or your integration pattern deserve real analysis. Spend your effort in proportion. Two more are worth keeping to hand. Regret minimisation, asking which option you'll regret least in two years, helps when the data is ambiguous and nothing clearly wins. And for team decisions, aim for consent rather than consensus: "does anyone have a strong objection?" gets you moving, where "does everyone agree this is best?" rarely does.

Spend three hours choosing your cloud provider and three weeks choosing a logging library, and you've got it exactly backwards.

Architecture decision records

A decision you can't explain later is a decision you'll defend badly. An Architecture Decision Record is a short document, a page or two, that captures one decision: what you decided, why, what else you considered, and what it costs you. They're among the most useful things an architect produces and among the most neglected. They hold the context that evaporates over time, because in six months nobody remembers why you chose PostgreSQL over DynamoDB. They make implicit decisions explicit, instead of a technology quietly becoming the default because someone started using it. They let a decision be challenged and revised rather than excavated. And they protect you when an auditor, an assessor or a committee asks why. A good one is short and has a familiar shape:

A decision record moves from proposed, under review, to accepted, the live decision in teal, and from there either to deprecated, no longer applies, or to superseded, replaced by a newer record.
Superseded records stay on the file. A replacement links back and says what changed.

Store them with the code or somewhere the team can always reach, number them in sequence, and never delete one, because a superseded record still has value. This matters more in government than almost anywhere, because the decisions get read by people you'll never meet. Assessors treat a clean set of records as evidence the architecture was thought through. Spend control submissions lean on them to justify the choices and their costs. Auditors use them as the trail showing decisions were made with the information available at the time. And the next architect, after the contractors have gone and the civil servants have moved on, uses them to understand the system instead of reverse engineering its rationale or, worse, breaking a decision they never knew was there. Write them as you decide, not months later; keep them in plain language a board member could follow; and link each one to the principle it serves, so the decision reads as principled rather than arbitrary.

When principles conflict

The hard decisions are the ones where your principles disagree. Be open against make things secure when the safest option is proprietary. Make use of cloud against share and reuse when the reusable thing runs on premises. Design for change against keep it simple when modularity buys flexibility at the price of complexity. There's a way through that keeps the choice defensible. Name the conflict out loud rather than pretending it isn't there: in this case our principle of openness is pulling against our principle of security, so we have a trade off to make. Weigh their importance in this specific context, because principles don't carry fixed priorities; for sensitive personal data security outweighs openness, while for a small, stable user base simplicity might outweigh scalability. Look hard for a third option, because sometimes the conflict is false and a different design satisfies both. Then make the call, write it in an ADR with the reasoning and the consequences, and set a date to revisit it, especially if you traded away something like maintainability to hit a deadline.

A real example. A DESNZ programme needed to share commercially sensitive data with a partner. Openness argued for an open API with standard authentication. Security argued for stronger controls because of the data. Simplicity argued against anything elaborate to maintain. The resolution used an open API standard, satisfying openness, with mutual TLS and IP allow listing for security, accepting the extra operational complexity as the price, and it went into an ADR with a review six months out to check the controls were still proportionate to the risk. That's the whole job in miniature: a defensible choice rather than a perfect one, made with the consequences in full view.

Building a decision making culture

Individual decisions matter, but the bigger win is a team where good decisions happen by default. A handful of habits get you there:

In government, where scrutiny is constant and accountability is real, this is about the cheapest insurance you can buy.

When every decision is principled, documented and defensible, no review can catch you out.