Skip to content

Architecture Principles and Governance

Summary

Building on the foundational vocabulary of Chapter 1, this chapter covers the mechanisms organizations use to establish, enforce, and evolve architectural standards over time. Students learn how reference architectures, review boards, and explicit principles guide consistent decision-making, and how modern practices like fitness functions and evolutionary architecture allow systems to adapt without losing structural integrity. The chapter closes with the role of technology radars in keeping architectural standards current.

Concepts Covered

This chapter covers the following 15 concepts from the learning graph:

  1. Architecture Conformance
  2. Reference Architecture
  3. Architecture Review Board
  4. Architecture Principles
  5. Architectural Constraint
  6. Architectural Concern
  7. Separation of Concerns
  8. Modular Decomposition
  9. Abstraction in Architecture
  10. System Context Diagram
  11. Architecture Lifecycle
  12. Architecture Fitness Function
  13. Evolutionary Architecture
  14. Architecture Standard
  15. Technology Radar

Prerequisites

This chapter builds on concepts from:

Welcome Back, Fellow Architect!

Vista waving welcome From up here, I can see something fascinating: the architectures that age gracefully all have something in common — someone took the time to govern them. This chapter is your field guide to the governance layer, the invisible scaffolding that keeps your beautiful architectural decisions from dissolving into chaos six months after deployment. Let's take the high-level view and discover your ATAM hidden superpower: principled governance!

The Governance Gap: Why Great Architectures Drift

Imagine you design a pristine microservices architecture. The team agrees on bounded contexts, contracts are explicit, and every service owns its data. Six months later, a developer under deadline pressure introduces a shared database between two services. Three months after that, someone adds a synchronous call chain five hops deep. A year in, your elegant architecture has mutated into the distributed monolith you were trying to avoid.

This is the governance gap — the distance between the architecture you intended and the architecture you actually have. Bridging that gap is the central challenge of this chapter.

Architecture governance is not bureaucracy for its own sake. It is the disciplined practice of preserving architectural intent across time, teams, and technology changes. The tools of governance — principles, standards, review boards, conformance checks, and fitness functions — are the mechanisms by which an architecture's quality attributes remain achievable as the system evolves.

In the context of ATAM, governance matters enormously. An ATAM evaluation identifies risks and tradeoff points at a moment in time. But systems do not stand still. The value of an ATAM evaluation depends on whether the architectural decisions it analyzed are actually honored during implementation. Without governance, the most carefully crafted utility tree becomes archaeological artifact rather than living document.

Architecture Principles: The Constitution of Your System

An architecture principle is a declarative statement that guides architectural decision-making across an organization or system. Principles are not requirements — they do not specify what a system must do. They specify how the team must reason about the system.

Effective architecture principles share several characteristics. They are actionable — a team member facing a design choice can apply the principle and reach a defensible conclusion. They are testable — you can, in principle, determine whether a decision violates or upholds them. They carry rationale — every principle should explain why it exists, not just what it says.

Well-known examples from mature software organizations include:

  • Services must not share databases. (Rationale: shared databases create hidden coupling that undermines independent deployability and makes schema evolution catastrophically expensive.)
  • All inter-service communication must be asynchronous unless the business scenario requires synchronous response. (Rationale: synchronous coupling degrades overall availability when any single service is slow or unavailable.)
  • No business logic in the presentation layer. (Rationale: business rules change faster than UI technology; entangling them produces expensive re-implementations when the presentation platform changes.)

Notice the structure: each principle is a clear directive paired with an explicit reason. The rationale is essential — it allows engineers to recognize cases where the principle applies and cases where it does not, and it empowers principled exceptions rather than arbitrary ones.

The Principle Behind the Principle

Vista thinking Here's a pattern Vista has observed from way up above a lot of architecture review sessions: teams that document why a principle exists are three times more likely to apply it correctly when edge cases arise. A principle without rationale is a rule you follow until someone senior enough overrules it. A principle with rationale is a shared understanding you can defend to a VP. In ATAM terms, the rationale connects your principle directly to a quality attribute scenario — which is exactly the evidence an evaluation team needs.

Architectural constraints are closely related to principles but carry stronger force. Where principles guide decisions, constraints prohibit options. A constraint might arise from regulatory requirements (all data must remain within EU jurisdiction), contractual obligations (the system must integrate with a specific legacy mainframe), or physical limits (the edge device has 512 MB of RAM). Constraints are non-negotiable boundaries; principles are decision-making heuristics within those boundaries.

Architectural concerns represent the interests and quality attribute requirements held by different stakeholders. A performance engineer's concern might be end-to-end latency under peak load. A security team's concern might be audit trail completeness. A product manager's concern might be time-to-market for new features. ATAM's power lies partly in making these concerns explicit and reconcilable — which is why understanding them as distinct from constraints and principles is important.

Separation of Concerns and Modular Decomposition

Before we can discuss how to enforce architectural principles, we need to examine two foundational structural ideas that most principles are trying to protect: separation of concerns and modular decomposition.

Separation of concerns is the principle that a software element should address one — and only one — coherent responsibility. The concept, articulated by Edsger Dijkstra in 1974, underpins virtually every modern architectural pattern. Layered architectures separate presentation from business logic from persistence. Microservices separate business capabilities from one another. The hexagonal (ports-and-adapters) pattern separates domain logic from infrastructure concerns.

When concerns are not separated, changes cascade. A bug fix in the payment module touches the user interface. A database schema change breaks the reporting service. These cascade effects are the architectural debt that ATAM is designed to surface before implementation makes them expensive.

Modular decomposition is the practice of dividing a system into discrete, independently understandable, and potentially independently deployable units. Good decomposition produces modules with high cohesion (the elements within a module belong together logically) and low coupling (the dependencies between modules are minimal and well-defined). These properties directly support ATAM's modifiability scenarios — a system that is well-decomposed is far easier to change without unintended side effects.

The following table summarizes the relationship between decomposition quality, coupling, cohesion, and the quality attributes they most directly affect:

Decomposition Property Effect on Modifiability Effect on Deployability Effect on Testability
High cohesion Positive — changes are localized Positive — module can deploy independently Positive — module can test independently
Low coupling Positive — changes don't cascade Positive — no shared deployment dependencies Positive — module can stub its dependencies
Clear interfaces Positive — contract is stable under implementation change Neutral Positive — interfaces are the test boundary
Shared state Negative — all sharing parties must coordinate Negative — deployment coordination required Negative — tests have hidden dependencies

Abstraction in architecture builds directly on decomposition. An abstraction hides implementation details behind a stable interface, allowing the details to change without affecting consumers. In architectural terms, abstraction is how you achieve the "stable interfaces / changing implementations" property that makes a system genuinely modular. REST APIs, event schemas, and service contracts are all architectural abstractions — they define what a module does without specifying how it does it.

Diagram: Separation of Concerns in a Layered Architecture

Separation of Concerns in a Layered Architecture

Type: diagram sim-id: separation-of-concerns-explorer
Library: p5.js
Status: Specified

Purpose: Visually demonstrate how separation of concerns manifests in a three-layer architecture, and show what happens when concerns bleed across layers.

Bloom Level: Understand (L2) — Explain how separation of concerns reduces change cascades. Bloom Verb: Explain

Learning Objective: Students will be able to explain why separating concerns into distinct layers reduces the blast radius of a change, using a concrete visual example.

Canvas layout: - Main drawing area showing three horizontal layers: Presentation, Business Logic, Data Access - Each layer contains 2-3 labeled components - A control panel below with a "Show Concern Violation" toggle button and a "Show Proper Separation" button - An info panel on the right showing the ripple effect when a change is introduced

Visual elements: - Three distinct horizontal bands (light blue = Presentation, light green = Business Logic, light orange = Data Access) - Components within each layer shown as rounded rectangles - Dependency arrows between layers (always pointing downward in clean version) - When violation mode is active: a red diagonal arrow showing a Presentation component calling directly into Data Access, triggering a highlight cascade - A "change blast radius" counter showing how many components are affected

Interactive controls: - Toggle button: "Clean Architecture" / "Concern Violation" — switches between the two views - Click any component to see its responsibilities described in the info panel - Hover any arrow to see what the dependency means

Data Visibility Requirements: - Clean mode: Show that a change to Data Access layer affects only Business Logic (1 hop) - Violation mode: Show that same change now also affects Presentation layer (2 hops, skipped layer) - Display affected component count prominently

Instructional Rationale: Step-through toggle with concrete component count is appropriate because the Understand objective requires learners to see the change propagation difference directly. Continuous animation would obscure the structural comparison.

Color scheme: Blue for Presentation, Green for Business Logic, Orange for Data Access. Red for violation arrows.

Responsive: Canvas resizes to container width, maintaining proportional layout.

Reference Architectures and Architecture Standards

Once an organization understands its principles and structural ideals, it needs a way to communicate them at scale. This is the role of reference architectures and architecture standards.

A reference architecture is a pre-built, vetted architectural template for a class of systems. Rather than asking every team to derive an architecture from first principles, the organization provides a starting point: a layered diagram, a set of canonical components, standard patterns for cross-cutting concerns (logging, security, observability), and a selection of approved technologies. Reference architectures encode organizational learning — they represent the accumulated wisdom of previous projects baked into a reusable blueprint.

Well-known reference architectures include:

  • The NIST Cloud Computing Reference Architecture for cloud deployments
  • The AWS Well-Architected Framework for AWS-hosted systems
  • The TOGAF Architecture Development Method (ADM) for enterprise architecture
  • Domain-specific reference architectures for banking, healthcare, and industrial control systems

An architecture standard is narrower — it specifies a specific technology choice, protocol, or pattern that all systems within scope must follow. "All APIs must use REST over HTTPS with OAuth 2.0 bearer token authentication" is an architecture standard. "The logging framework for all Java services is SLF4J with Logback" is an architecture standard. Standards reduce the cognitive overhead of individual decisions by settling them once at the organization level.

The critical relationship between reference architectures, standards, and ATAM is this: ATAM evaluations test whether a proposed architecture achieves its quality attribute goals. Reference architectures and standards provide the baseline from which that architecture deviates — or conforms. An evaluation team that knows the organization's reference architecture can quickly identify where a proposed design has deviated and ask whether those deviations are justified by the specific system's quality attribute scenarios.

The Architecture Review Board

Principles and standards are only valuable if someone enforces them. The organizational body responsible for maintaining architectural coherence is the Architecture Review Board (ARB), sometimes called an Architecture Advisory Forum or Architecture Governance Board.

An effective ARB serves four functions:

  1. Standard-setting: The ARB defines, maintains, and publishes the organization's architecture principles, reference architectures, and standards. It is the authoritative source on what is expected.
  2. Review and approval: Projects proposing significant architectural decisions bring those decisions to the ARB for review. The ARB evaluates conformance, identifies risks, and approves, rejects, or conditions the proposals.
  3. Waiver management: When a project has legitimate reasons to deviate from a standard, the ARB adjudicates requests for waivers and documents the rationale for exceptions.
  4. Continuous evolution: The ARB tracks how well current standards serve the organization's needs and evolves them as technology and business requirements change.

A common anti-pattern is the rubber-stamp ARB — a review body that approves everything because it lacks the authority, information, or time to do otherwise. An equally common anti-pattern is the bottleneck ARB — a review body so demanding and slow that teams learn to route around it. The most effective ARBs are those that do lightweight reviews early (when architecture is a sketch, not a running system), operate with clear criteria, and delegate decisions to individual architects wherever possible.

Vista's ARB Tip

Vista giving a tip Here's a seasoned architect's secret: the best ARBs publish their decision criteria before you walk in the door. If your ARB can tell you "we'll approve this if you can show us your availability scenario is met and your security posture is reviewed," you can arrive with evidence rather than apologies. This is exactly why ATAM's structured output — risks, sensitivity points, tradeoff points — maps so naturally onto ARB review criteria. Your ATAM documentation is your ARB submission.

Architecture Conformance

Architecture conformance refers to the degree to which an implemented system matches the architectural decisions made during design. It is the enforcement side of governance — not just "did we decide to use microservices?" but "is this code actually behaving like a microservices architecture?"

Conformance can be checked in three ways:

  • Manual review: Architects examine code, deployment configurations, and runtime behavior against the intended architecture. This is the traditional approach and remains valuable for nuanced judgment calls.
  • Automated structural analysis: Tools like ArchUnit (Java), NetArchTest (.NET), or Dependency-Check scan code artifacts and enforce architectural rules as automated tests. A rule like "no class in the presentation package may import from the data package directly" can be enforced on every commit.
  • Runtime conformance monitoring: Observability tooling checks that actual communication patterns between services match the intended dependency graph. If Service A is supposed to call Service B only through an API gateway but is sending direct calls, runtime monitoring can catch it.

The increasing adoption of automated conformance checking is one of the most significant governance advances of the past decade. Rather than relying on architects to manually review pull requests (which doesn't scale), teams encode architectural rules as executable tests that run in CI/CD pipelines. This makes conformance a first-class engineering concern rather than a periodic audit.

Diagram: Architecture Lifecycle with Governance Checkpoints

Architecture Lifecycle with Governance Checkpoints

Type: workflow sim-id: architecture-lifecycle-governance
Library: p5.js
Status: Specified

Purpose: Visualize the architecture lifecycle — from inception through evolution — with governance checkpoints highlighted at each phase, showing how ATAM evaluation fits in.

Bloom Level: Understand (L2) — Explain where ATAM evaluation and governance checkpoints occur in the architecture lifecycle. Bloom Verb: Explain

Learning Objective: Students will be able to identify the phases of the architecture lifecycle and explain what governance activities occur at each phase, including where ATAM evaluation is most valuable.

Canvas layout: - Horizontal flow of six lifecycle phases across the canvas - Each phase shown as a rounded rectangle with a colored header - Below each phase: a governance activity box connected by a downward arrow - ATAM evaluation phase highlighted in gold - A horizontal timeline baseline connecting all phases - Info panel on the right side that updates when a phase is clicked

Phases (left to right): 1. Inception — Business case, quality attribute elicitation Governance activity: Stakeholder analysis, business drivers document 2. Architecture Design — Initial decisions, pattern selection Governance activity: ARB preliminary review, principle compliance check 3. ATAM Evaluation — Structured quality attribute evaluation Governance activity: Utility tree, risk identification, tradeoff analysis (highlighted in gold) 4. Implementation — Code, configuration, integration Governance activity: Automated conformance checks, architecture fitness functions 5. Deployment — Release, monitoring, operations Governance activity: Runtime conformance monitoring, SLA verification 6. Evolution — Feature addition, re-platforming, retirement Governance activity: Evolutionary architecture fitness functions, technology radar update

Interactive elements: - Click each phase to see a detailed description of activities in the right panel - Hover the ATAM phase to see "This is where your superpower activates!" - Hover governance activity boxes to see specific tool/technique examples - A "Show Risks" button overlays red risk indicators on phases where architectural debt is typically introduced

Color scheme: Blue for lifecycle phases, Gold for ATAM phase, Green for governance activities. Red for risk indicators.

Responsive: Scales to container width; phases reflow to two rows on narrow screens.

The System Context Diagram

Before a team can evaluate an architecture — whether through ATAM or any other method — they need a shared understanding of the system's boundaries. The system context diagram provides exactly this.

A system context diagram places the system under evaluation at the center and shows all external entities that interact with it: users, external systems, data sources, regulatory bodies, and operational services. Critically, it shows only the system's boundary and external interactions — not its internal structure. The purpose is to establish what the system is responsible for and what it is not, which is a prerequisite for meaningful quality attribute analysis.

In ATAM evaluations, the system context diagram is typically the first architectural artifact presented. It gives stakeholders — many of whom may not be technical — a way to confirm that they agree on the system's scope before diving into internal architectural decisions. Disagreements at the context level (for example, whether a particular external system is inside or outside scope) are far cheaper to resolve on a whiteboard than after months of implementation.

A well-drawn system context diagram includes:

  • The system under evaluation as a clear, labeled central element
  • All direct human users and their roles
  • All external systems (peer applications, data providers, operational tools)
  • All external data stores if the system has boundary-crossing data responsibilities
  • Clear directional arrows showing information flows, with labels indicating the nature of the interaction

Architecture Fitness Functions and Evolutionary Architecture

One of the most powerful governance advances to emerge in the past decade is the concept of the architecture fitness function, introduced by Neal Ford, Rebecca Parsons, and Patrick Kua in Building Evolutionary Architectures (2017).

A fitness function is an objective function — a mechanism that evaluates how well the current architecture satisfies a specific architectural characteristic. The term is borrowed from evolutionary computation, where a fitness function determines how "fit" a candidate solution is relative to an optimization objective.

In architectural practice, fitness functions can be:

  • Automated tests that assert structural properties (no circular dependencies between modules, no direct database access from the presentation layer)
  • Metrics thresholds that assert runtime properties (p99 latency must be below 200ms, error rate must be below 0.1%)
  • Security scans that assert vulnerability properties (no known CVEs with severity > 7.0 in production dependencies)
  • Compliance checks that assert regulatory properties (all personally identifiable data fields are encrypted at rest)

The key insight is that fitness functions make architectural constraints executable. Rather than hoping teams remember to honor constraints, you encode them as tests that run continuously in your CI/CD pipeline. A fitness function failure is a build failure — the architecture's own immune system triggering before a violation reaches production.

This idea connects directly to evolutionary architecture — an architectural approach that embraces change as inevitable and designs systems to adapt incrementally without losing structural integrity. Traditional approaches treated the architecture as a fixed design to be implemented. Evolutionary architecture treats the architecture as a living artifact that evolves, but within bounds enforced by fitness functions.

This Is Where It Gets Exciting

Vista encouraging Fitness functions can feel abstract at first — but here's a concrete way to think about them. Every quality attribute scenario in your ATAM utility tree is a candidate fitness function specification. If you have a scenario that says "under normal load, search results must return in under 300ms," that scenario becomes a fitness function: a performance test that runs on every build and fails if the threshold is exceeded. Your ATAM evaluation doesn't just find risks — it generates the specifications for your architecture's immune system.

Diagram: Architecture Fitness Function Dashboard

Architecture Fitness Function Dashboard

Type: microsim sim-id: fitness-function-dashboard
Library: p5.js
Status: Specified

Purpose: Simulate a fitness function monitoring dashboard showing multiple architectural fitness functions (structural, performance, security, compliance) in real-time, with the ability to introduce violations and observe the alert cascade.

Bloom Level: Apply (L3) — Use fitness function concepts to identify when architectural constraints are being violated. Bloom Verb: Use

Learning Objective: Students will be able to identify which category of fitness function (structural, performance, security, compliance) a given architectural constraint maps to, and recognize what a violation looks like in a monitoring context.

Canvas layout: - Top bar: "Architecture Fitness Dashboard" header with overall health indicator (green/yellow/red) - Main grid: 8 fitness function cards arranged in 2 columns × 4 rows - Each card shows: name, category, current value, threshold, and status indicator (pass/warn/fail) - Bottom panel: Event log showing recent fitness function check results - Right panel: "Violation Detail" that appears when a failing card is clicked

Fitness function cards (8 total): 1. Circular Dependencies — Structural — Current: 0, Threshold: 0 — PASS 2. Layer Violations — Structural — Current: 0, Threshold: 0 — PASS 3. API Latency p99 — Performance — Current: 145ms, Threshold: 200ms — PASS 4. Database Query Time — Performance — Current: 82ms, Threshold: 100ms — PASS 5. Known CVEs (High+) — Security — Current: 0, Threshold: 0 — PASS 6. PII Encryption Coverage — Compliance — Current: 100%, Threshold: 100% — PASS 7. Test Coverage — Quality — Current: 87%, Threshold: 80% — PASS 8. Service Coupling Score — Structural — Current: 2.1, Threshold: 3.0 — PASS

Interactive controls: - "Introduce Violation" dropdown with options: Add circular dependency, Add layer violation, Degrade API latency, Add CVE - "Fix Violation" button to restore to passing state - "Run All Checks" button to simulate a fresh fitness evaluation cycle - Click any card to see detailed explanation of what the fitness function measures and why it matters

Behavior: - When a violation is introduced, the relevant card turns red, the overall health indicator changes, and an alert appears in the event log - The event log shows timestamps and descriptions of each check result - Clicking "Fix Violation" animates the card back to green - "Run All Checks" cycles through each card with a brief animation showing it being evaluated

Data Visibility Requirements: - Show the actual threshold vs. current value for every card - When a violation is introduced, show the new value exceeding the threshold prominently - The event log shows each check as a discrete timestamped line item

Instructional Rationale: Interactive violation introduction is appropriate for the Apply objective because it lets students practice mapping architectural constraints to fitness function categories without needing a real system. The concrete current/threshold values make the concept tangible.

Color scheme: Green for PASS, Yellow for WARN, Red for FAIL. Blue for Structural category, Orange for Performance, Red for Security, Purple for Compliance, Teal for Quality.

Responsive: Grid reflows to single column on narrow screens.

The Technology Radar

No governance system operates in a vacuum. Technologies evolve, new patterns emerge, and previously approved choices become liabilities. The technology radar — popularized by ThoughtWorks — is a governance tool for keeping an organization's technology choices current.

A technology radar plots technologies, frameworks, languages, and practices on a two-dimensional visualization: the rings represent adoption recommendation (Adopt, Trial, Assess, Hold), and the quadrants represent category (Languages & Frameworks, Tools, Platforms, Techniques). The radar gives teams a snapshot of the organization's collective position on a technology at a point in time.

For architecture governance, the technology radar serves several functions:

  • It signals which technologies are "safe to use" without ARB review (Adopt ring) versus which require justification (Trial) or should be avoided in new projects (Hold)
  • It creates a shared vocabulary for technology discussions across teams
  • It forces periodic re-evaluation of older choices — a technology that was in the Adopt ring five years ago may have migrated to Hold as better alternatives emerged
  • It captures emerging techniques that teams should be exploring even if they have not yet proven themselves at scale (Assess ring)

In the ATAM context, the technology radar is particularly relevant to modifiability scenarios. A system built on Hold-ring technologies is accumulating architectural risk — the risk that the technology becomes unsupported, that talent becomes scarce, or that migration costs eventually become unavoidable. An ATAM evaluation of such a system should flag technology currency as a risk, and the technology radar provides the evidence base for that risk classification.

Diagram: Interactive Technology Radar

Interactive Technology Radar

Type: infographic sim-id: technology-radar-explorer
Library: p5.js
Status: Specified

Purpose: Provide an interactive technology radar visualization that students can explore, with representative technologies placed in each ring and quadrant, and detailed explanations available on click.

Bloom Level: Analyze (L4) — Differentiate between technologies in different adoption rings and explain the architectural implications of each. Bloom Verb: Differentiate

Learning Objective: Students will be able to classify a given technology into the correct technology radar ring based on its maturity and organizational adoption posture, and explain the architectural risk implications of relying on Hold-ring technologies.

Canvas layout: - Central circular radar visualization taking up ~75% of the canvas width - Four concentric rings labeled from center outward: Adopt (green), Trial (blue), Assess (yellow), Hold (red) - Four quadrants separated by perpendicular lines: Languages & Frameworks (upper right), Tools (lower right), Platforms (upper left), Techniques (lower left) - Each quadrant label shown at the edge of the radar - Small filled circles representing individual technologies placed within the appropriate ring/quadrant intersection - Detail panel on the right side showing technology details when clicked - Legend at the bottom explaining ring colors and meanings

Sample technologies to place: Adopt ring: - Kubernetes (Platforms) - TypeScript (Languages & Frameworks) - REST/HTTP APIs (Techniques) - Terraform (Tools)

Trial ring: - WebAssembly (Languages & Frameworks) - eBPF (Platforms) - Architecture Fitness Functions (Techniques) - OpenTelemetry (Tools)

Assess ring: - Rust for backend services (Languages & Frameworks) - GraphRAG (Techniques) - WASM-based edge compute (Platforms) - AI-assisted code review (Tools)

Hold ring: - SOAP/XML Web Services (Techniques) - Monolithic J2EE applications (Languages & Frameworks) - On-premises bare-metal deployments (Platforms) - Manual deployment scripts (Tools)

Interactive elements: - Click any technology dot to see: name, ring rationale, architectural implications, ATAM risk connection - Hover over ring names to see a tooltip explaining the ring's meaning - Toggle buttons for each quadrant to show/hide that quadrant's technologies - "Add Technology" mode allowing students to drag a new dot and place it in the appropriate ring, then see feedback

Color scheme: Green for Adopt ring, Blue for Trial ring, Yellow for Assess ring, Red for Hold ring. White dots on colored backgrounds.

Responsive: Radar scales proportionally to container width.

Pulling It Together: Governance as ATAM's Enforcement Arm

The 15 concepts in this chapter — from architecture principles to fitness functions — form a coherent ecosystem. Here is how they interlock:

Architecture principles establish the reasoning rules. Architecture standards codify specific decisions. Together they define what conformant architecture looks like. Reference architectures give teams a head start by providing conformant blueprints. The Architecture Review Board enforces these through human judgment at design time.

Once implementation begins, architecture conformance checking — both structural and runtime — ensures the implemented system matches the intended architecture. Architecture fitness functions automate conformance for properties that can be expressed as metrics. This enables evolutionary architecture — a system that can change continuously while its essential structural and quality attribute properties are preserved.

The system context diagram provides the scope boundary that makes all of the above tractable. The technology radar keeps the standards portfolio current. And running through it all is the architecture lifecycle — the temporal structure within which governance activities occur.

For ATAM practitioners, governance is not separate from evaluation — it is evaluation's enforcement arm. An ATAM evaluation that finds a risk and produces a recommendation has done half the job. The other half is ensuring that the recommendation is encoded in a principle, enforced by a fitness function, and monitored by the ARB. Governance is how ATAM's findings achieve lasting effect.

Chapter 2 Complete — You've Got the Governance Superpower!

Vista celebrating Look at you! You've just climbed one of the most important peaks in the ATAM landscape. You now understand the full governance stack: from the declarative principles that set direction, through the reference architectures that provide blueprints, the ARB that enforces through human judgment, the conformance checks that automate enforcement, and the fitness functions that make your quality attribute scenarios executable. Every ATAM risk you identify in future chapters can now be traced directly to a governance mechanism that addresses it. That's not just knowledge — that's your architectural superpower activated. Onward to Chapter 3!

Key Takeaways

The governance layer is what separates architectures that age gracefully from those that drift into chaos:

  • Architecture principles are declarative, actionable, testable rules with explicit rationale — not mandates without explanation
  • Architectural constraints are non-negotiable boundaries (regulatory, contractual, physical), distinct from the more flexible guidance of principles
  • Separation of concerns and modular decomposition are the structural properties that most governance mechanisms are designed to protect
  • Reference architectures encode organizational learning into reusable blueprints; architecture standards settle specific technology choices at the organizational level
  • The Architecture Review Board performs early, criteria-driven reviews rather than late-stage rubber-stamping or bottleneck blocking
  • Architecture conformance can be checked manually, through automated structural analysis, or through runtime monitoring
  • Architecture fitness functions make quality attribute scenarios executable as continuous automated checks
  • Evolutionary architecture embraces change while using fitness functions to protect structural integrity
  • The system context diagram establishes scope before any evaluation begins — without it, evaluators cannot agree on what they are evaluating
  • Technology radars keep the standards portfolio current and provide evidence for modifiability risk assessments
Self-Check: Governance Scenarios — Click to Reveal Answers

Q1: A team wants to use a SOAP/XML API because their integration partner only supports that protocol. Is this a violation of an architecture principle or an architectural constraint?

Answer: This is an architectural constraint — the external partner's technology limitation is a non-negotiable boundary, not a design choice the team can override. A principle violation would be a team choosing SOAP when REST was available and the standard specified REST.

Q2: You are running an ATAM evaluation and discover that the system has a performance fitness function (API latency p99 < 200ms) that is currently failing in the staging environment. How does this finding affect the evaluation?

Answer: This is an architectural risk — a specific, identified situation where the architecture is failing to meet a documented quality attribute requirement. In ATAM terms, you have a sensitivity point (the specific components or decisions causing the latency) and possibly a risk theme if the root cause is structural (e.g., synchronous call chains that cannot be parallelized). The fitness function failure is evidence that the risk is active, not hypothetical.

Q3: An organization's reference architecture recommends Kubernetes for container orchestration, but a new project's team proposes using bare-metal deployments for cost reasons. What governance process applies?

Answer: This is a waiver request to the Architecture Review Board. The team must provide documented rationale (cost analysis, deployment volume, operational constraints) and the ARB must assess whether the deviation creates unacceptable risk — particularly for modifiability and availability scenarios. The waiver, if granted, should be time-bounded and include a technology radar review trigger.