Feature Degradation

Feature degradation keeps a system useful under partial failure by shedding non-essential features instead of erroring on everything. The user keeps the critical path; optional extras pause until the system recovers. It is the concrete tactic behind the graceful degradation quality.

It works only when features carry an explicit criticality ranking and the core path has no hard dependency on the parts being shed.

How It Works

Rank features by criticality: a core set that must stay up, and optional features that can pause.
Watch health signals per dependency: error rate, latency, queue depth, or remaining capacity.
When a signal crosses its threshold, disable or simplify the optional features bound to that dependency.
Serve a defined fallback for each shed feature: a cached value, a sensible default, or a clear “temporarily unavailable” state.
Re-enable features once the signal recovers and holds for a stabilization window.

Failure Modes

The core path itself depends on a shed component, so degradation takes down the function it meant to protect.
Fallbacks return stale or wrong data silently, and users act on it.
Thresholds sit too close to normal load, so features flap on and off and confuse users.
No re-enable path exists, so the system stays degraded long after the dependency recovers.

Verification

Inject a dependency failure and assert the core path keeps a success rate above its target while optional features report unavailable.
Measure that core-path response time stays within budget in degraded mode.
Confirm features re-enable within the stabilization window after health is restored.

Rate Limiting and load shedding drop requests by priority; feature degradation drops whole features.
Circuit Breaker cuts a single failing dependency; feature degradation decides what the user still sees once it is cut.
Bulkheads isolate resource pools so degradation stays contained to one feature’s callers.
Fail-Safe Defaults define the safe values a degraded feature falls back to.

References

Degradation is catalogued as an availability tactic in Bass et al., 2021.

Supported Qualities

Graceful degradation

This is the concrete tactic behind the graceful-degradation quality: shed non-essential features so core function survives a partial failure.

Availability

Keeping the core path serving a reduced feature set avoids a full outage when a dependency or capacity limit is hit.

Resilience

Disabling the features bound to a failing dependency contains the fault instead of letting it spread to the core.

Recoverability

Degraded mode holds the system up while failed dependencies recover, then features re-enable as health returns.

Trade-offs

Usability
Users see a thinner experience; without clear signalling they may read missing features as broken, raising support load and eroding trust.
Consistency
Serving cached or default values during degradation lets different users see divergent data until the dependency recovers and caches refill.
Code Complexity
Each degradable feature needs a fallback path, a health signal, and re-enable logic, multiplying the states the team must build and test.

Related Requirements

Requirements connected to this approach can be listed here.

Handle sudden increase in traffic

Dropping optional features under a traffic spike frees capacity for the core path to stay within its response-time budget.

Zone failure: no service interruption

Shedding non-essential workloads lets core functions keep serving after a failure domain is lost.

Server fails, system continues to operate without downtime

Degrading optional features lets the system keep operating on surviving servers while a failed node recovers.

Feature Degradation

Intent

Mechanism

Applicability

How It Works

Failure Modes

Verification

References

Supported Qualities

Trade-offs

Related Requirements

Intent

Mechanism

Applicability

How It Works

Failure Modes

Verification

Variants and Related Tactics

References

Supported Qualities

Trade-offs

Related Requirements