Degraded Mode

Engineering definition of degraded mode covering reduced capability, fallback operation, reversion timing, safe-state boundary and validation evidence.

Definition

Degraded mode is a defined operating mode in which a system continues to operate with reduced capability, authority, performance or availability after a fault, constraint violation or loss of resource.

Degraded mode is used in aircraft control, spacecraft operations, embedded firmware, process control, medical devices, power systems and distributed services when immediate shutdown is not the best response but nominal operation is no longer justified. A degraded mode must state what capability is lost, what limits remain, how users are informed, how long the mode is allowed and what conditions permit return to normal or force a safe state.

Degraded mode is a controlled operating mode used after a fault, missing resource, invalid input, overload, constraint violation or partial subsystem loss. The system continues to operate, but with reduced capability, reduced authority, lower performance, narrower operating envelope or additional restrictions.

The purpose is not to hide a fault. The purpose is to preserve an acceptable function while preventing nominal assumptions from being used after they are no longer true. A degraded mode must therefore be visible, bounded and validated.

Reduced Capability

A simple capability model is:

C_{deg}=\alpha C_{nom}

where C_nom is the nominal capability and 0 < alpha < 1 is the degraded capability factor. The degraded mode is acceptable only if the remaining capability exceeds the required demand:

M_{deg}=C_{deg}-D_{req}

If M_deg is negative, degraded operation is not justified for that condition. The system should reduce demand, change mission objective, transfer authority, alarm, or move to a safe state.

Mode Entry

Entry conditions must be explicit. Typical triggers include sensor disagreement, actuator derating, missing redundancy, communication loss, stale data, missed deadlines, excessive temperature, reduced power, unavailable cooling, infeasible control optimization, partial network capacity or failed self-test.

A mode transition time can be budgeted as:

T_{rev}=T_{detect}+T_{decide}+T_{transition}

and checked against a requirement:

T_{rev}\leq T_{req}

The transition should not create a worse transient than staying in nominal mode. Control-law reversion, command hold, alarm timing and operator cues all need validation.

Worked Example

An actuator channel loses one redundant drive path. The remaining system can provide:

\alpha=0.60

of nominal command authority. Nominal authority is:

C_{nom}=100\ \text{units}

so degraded authority is:

C_{deg}=0.60(100)=60\ \text{units}

The restricted operating envelope requires:

D_{req}=52\ \text{units}

The degraded margin is:

M_{deg}=60-52=8\ \text{units}

This passes for the restricted envelope. If a disturbance case requires:

D_{gust}=68\ \text{units}

then:

M_{gust}=60-68=-8\ \text{units}

The degraded mode must exclude that condition or move to another response.

Now check transition timing. Fault detection takes:

T_{detect}=0.18\ \text{s}

Decision and mode transition take:

T_{decide}=0.07\ \text{s},\quad T_{transition}=0.22\ \text{s}

The reversion time is:

T_{rev}=0.18+0.07+0.22=0.47\ \text{s}

Against a requirement:

T_{req}=0.60\ \text{s}

the timing margin is:

M_T=0.60-0.47=0.13\ \text{s}

The degraded mode therefore passes only for the restricted envelope, and only with the measured transition behavior; the gust case must be excluded from the mode definition or handled by a different response.

Boundary With Safe State

Degraded mode is continued operation under restrictions. Safe state is the risk-reducing condition when operation should stop, be contained or be held in a protected state. A degraded mode may be a path toward a safe state, but it is not automatically safe.

For example, an aircraft may continue with reduced flight-control law authority, a spacecraft may enter safe mode with payloads off but heaters on, a medical device may suspend therapy while maintaining alarms, and a server may shed noncritical traffic. Each case needs a mode definition, not a generic label.

Exit And Return Rules

Return to nominal operation should require evidence that the degraded condition has cleared and that hysteresis or persistence rules are satisfied. A simple return rule can be written as:

X_{valid}=1,\quad t_{valid}\geq T_{confirm}

where X_valid represents the required validity checks and T_confirm prevents rapid mode chatter. If the fault recurs, if data become stale or if demand exceeds degraded capability, the system should stay degraded or move to a safer state.
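The capability and timing checks from the worked example, together with the return rule above, can be exercised in code. The following is an added illustration, not part of the glossary entry and not any particular project's mode logic: the function and class names, the state machine structure, the scenario timeline and the T_confirm value of 2.0 s are constructed for this example, while the numbers for alpha, C_nom, D_req, D_gust and the timing budget are the ones used in the worked example. The controller records every mode transition, which is the kind of state-machine trace the validation section lists as evidence.

```python
"""Degraded-mode checks and mode logic (constructed example, not from the glossary)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


def degraded_capability(c_nom: float, alpha: float) -> float:
    """C_deg = alpha * C_nom; alpha outside (0, 1) is not a degraded mode."""
    if not 0.0 < alpha < 1.0:
        raise ValueError("alpha must satisfy 0 < alpha < 1")
    return alpha * c_nom


def degraded_margin(c_deg: float, d_req: float) -> float:
    """M_deg = C_deg - D_req. A negative margin means the case must be excluded."""
    return c_deg - d_req


def screen_demand_cases(c_deg: float, cases: Dict[str, float]) -> Dict[str, float]:
    """Margin for each named demand case; callers exclude the negative ones."""
    return {name: degraded_margin(c_deg, d_req) for name, d_req in cases.items()}


def reversion_time(t_detect: float, t_decide: float, t_transition: float) -> float:
    """T_rev = T_detect + T_decide + T_transition."""
    return t_detect + t_decide + t_transition


def timing_margin(t_rev: float, t_req: float) -> float:
    """M_T = T_req - T_rev; negative means the reversion budget is missed."""
    return t_req - t_rev


class Mode(Enum):
    NOMINAL = "nominal"
    DEGRADED = "degraded"
    SAFE_STATE = "safe_state"


@dataclass
class ModeController:
    """Mode logic with a persistence rule on the return path (hypothetical design).

    Entry:      any fault or stale-data flag leaves NOMINAL for DEGRADED.
    Exit:       X_valid must hold continuously for at least t_confirm seconds
                before NOMINAL is restored; a recurrence restarts the window.
    Escalation: demand above C_deg while degraded moves to SAFE_STATE, which
                latches (no automatic return) until an explicit reset.
    """
    c_nom: float
    alpha: float
    t_confirm: float
    mode: Mode = Mode.NOMINAL
    valid_since: Optional[float] = None
    trace: List[Tuple[float, str, str]] = field(default_factory=list)  # (t, from, to)

    @property
    def c_deg(self) -> float:
        return degraded_capability(self.c_nom, self.alpha)

    def _go(self, t: float, new_mode: Mode) -> None:
        self.trace.append((t, self.mode.value, new_mode.value))
        self.mode = new_mode

    def step(self, t: float, fault_present: bool, data_stale: bool, demand: float) -> Mode:
        x_valid = not fault_present and not data_stale  # X_valid = 1 when both clear
        if self.mode is Mode.NOMINAL:
            if not x_valid:
                self.valid_since = None
                self._go(t, Mode.DEGRADED)
        elif self.mode is Mode.DEGRADED:
            if demand > self.c_deg:
                self._go(t, Mode.SAFE_STATE)      # M_deg < 0: not justified
            elif not x_valid:
                self.valid_since = None            # recurrence resets T_confirm window
            elif self.valid_since is None:
                self.valid_since = t               # window starts
            elif t - self.valid_since >= self.t_confirm:
                self.valid_since = None
                self._go(t, Mode.NOMINAL)          # persistence satisfied
        # SAFE_STATE: latched; nothing here returns automatically
        return self.mode


def run_scenario() -> List[Tuple[float, str, str]]:
    """Constructed timeline: fault at t=0, clears at 1.0, recurs at 2.5, clears at 3.0."""
    ctrl = ModeController(c_nom=100.0, alpha=0.60, t_confirm=2.0)
    timeline = [
        (0.0, True, False, 52.0),   # fault -> enter degraded
        (1.0, False, False, 52.0),  # valid, confirmation window starts
        (2.0, False, False, 52.0),  # 1.0 s < T_confirm, stay degraded
        (2.5, True, False, 52.0),   # recurrence resets the window (no chatter)
        (3.0, False, False, 52.0),  # window restarts
        (5.0, False, False, 52.0),  # 2.0 s >= T_confirm -> nominal
    ]
    for t, fault, stale, demand in timeline:
        ctrl.step(t, fault, stale, demand)
    return ctrl.trace


if __name__ == "__main__":
    c_deg = degraded_capability(100.0, 0.60)
    print(screen_demand_cases(c_deg, {"restricted": 52.0, "gust": 68.0}))
    print(timing_margin(reversion_time(0.18, 0.07, 0.22), 0.60))
    print(run_scenario())
```

Running the scenario produces exactly two transitions, nominal to degraded at t=0.0 and degraded to nominal at t=5.0; the early clearance at t=1.0 and the recurrence at t=2.5 never reach nominal because the confirmation window is reset. Feeding the 68-unit gust demand while degraded sends the controller to the latched safe state, matching the negative M_gust in the worked example.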

Validation Evidence

Useful evidence includes state-machine traces, injected faults, sensor-disagreement tests, actuator derating tests, fallback command logs, timing traces, HMI or crew alert records, operator procedure checks, demand-versus-capability analysis, stale-data tests, communication-loss tests, recovery tests and proof that return to normal is inhibited until conditions are valid.

Common mistakes include describing degraded mode in software but never validating it, allowing nominal limits to remain visible while authority is reduced, hiding the mode from operators, allowing automatic return without hysteresis, accepting degraded operation for demand cases it cannot meet and treating fallback as a substitute for a safe state. A strong degraded-mode review states the lost function, remaining capability, restrictions, timing, alerts, exit criteria and evidence boundary.
