A system's stakeholders can have requirements involving various non-orthogonal system attributes which can be at odds when implemented. Having to resolve possible conflicts between the different system goals and make trade-offs is an inevitable situation, especially for large-scale systems. In some circumstances trade-offs can be made in a relatively straightforward manner. However, there can be cases in which we simultaneously attempt to trade-off a large number of different goals, in a context where the priorities may not be so clearly defined. In such cases, in order to establish justified trade-offs, a methodical approach is required, systematically addressing a number of considerations. The paper presents a method for making justified trade-offs by systematically analysing and balancing competing design objectives, thereby aiming for the 'least worse acceptable compromise'. Compromising a design objective in favour of another can be tolerated, provided that we can justify that the achieved benefit is greater (more important) than the compromise. However, the compromised objective should remain within an acceptable region, otherwise the resulting system will be unacceptable to its stakeholders. Furthermore, assessing the impact of the different design options on the required system qualities is an important step of the process, which like the rest of the steps, needs to be well documented, facilitating traceability and reuse of the design decisions. In order to achieve this, the paper also presents an argument pattern encompassing each step of the trade-off process. Introduction Critical systems are often required to demonstrate assurance that are 'fit' to operate with respect to a number of dependability attributes. Dependability attributes are heterogeneous and often can be in conflict to each other, resulting in inevitable trade-offs. A domain within which trade-offs need to be justified due to the criticality of the systems' functions is safety. However, achieving an absolutely safe system is a utopian aim. What is being considered as normal practice during a system's development is identification of risks, and improvement of the design to reduce these risks to As Low As Reasonably Possible (ALARP). ALARP is a framework that is being used to justify trade-offs between safety and the cost of implementing it. However ALARP addresses considerations regarding only two system attributes; safety and cost. The fundamental concepts of ALARP are extended to encompass other dependability attributes, such reliability, performance and availability. Using the Goal Structuring Notation (GSN), we trace the high level system requirements to detailed goals, which then can be analysed and traded-off. In this way, the system stakeholders involved in the trade-off can identify the compromises they make and the benefits they achieve with respect to the overall operation of the system. Eliciting and documenting trade-offs are essential requirements necessary to satisfy the assurance requirements of the system. Trade-offs in Critical Systems Systems deployed to perform critical and often complex tasks need to be able to demonstrate a number of attributes such as reliability, safety, security and availability. Dependability is seen as an 'umbrella term' encompassing such attributes (ref. 1). These qualities are essential in order for the system to successfully accomplish its required operation. Designing a system to achieve dependability attributes can result in competing objectives. Previous work by the authors (ref. 2) identified this and suggested that development of critical systems should be able to anticipate this, and address trade-offs between competing objectives, resulting in justified decisions and overall acceptable systems.