GRACEFUL
DEGRADATION
Failure Mode Analysis — Graceful Degradation
| Failure | Probability | Capability Lost | Capability Retained | Recovery |
|---|---|---|---|---|
| Starlink down (all sats) | LOW (state-level attack) | Brigade-to-national C2. Fischer 26 long-range relay. | MANET mesh (30 km). All local ISR/FPV. Battalion and below fully operational. | Switch to Ovzon/FM SATCOM. Or operate within MANET range. |
| Fischer 26 lost (1 of 5) | MEDIUM (combat loss) | 20% persistent ISR coverage. One relay node. Starlink uplink from that sector. | 4 remaining Fischer 26. All FPV. All MANET. Expendable ISR fills gap. | Build replacement (48h with parts). Redistribute remaining F26 coverage. |
| All Fischer 26 lost (5 of 5) | LOW (catastrophic day) | All persistent ISR. All Starlink relay. Brigade-level pattern analysis degrades (no continuous feed). | All FPV strike. Expendable ISR (short-range). MANET ground mesh. Lisa 26 with manual input. | FPV teams operate with manual voice coordination. Expendable ISR for close-range. Resupply Fischer 26 units (days). |
| MANET 30% node loss | MEDIUM (EW + combat attrition) | Bandwidth drops ~30%. Some mesh routes broken temporarily. | Mesh self-heals in 30 sec (Silvus tested 559 nodes). Remaining 70% reroutes traffic. All tiers still connected if topology allows. | Automatic. Silvus MANET self-heals. Redeploy replacement nodes. |
| MANET 60% node loss | LOW (heavy EW + attrition) | Mesh may fragment into islands. Battalion-to-brigade link may break. Significant bandwidth loss. | Each island operates independently with local COP. Platoon FPV still works within each island. | Physical redeployment of MANET nodes to bridge gaps. Fischer 26 as airborne relay bridge. |
| Brigade server crash | MEDIUM (hardware failure, power loss) | Brigade-level COP. Pattern analysis. OSINT/HUMINT fusion. | Battalion laptops have independent COPs. All tactical operations continue. Data flows between connected tiers. | Restart server (2 min boot). COP rebuilds from battalion data (5 min). Or hot standby server if available. |
| Jetson failure on drone | HIGH (component failure, crash damage) | AI detection on that drone. That drone becomes manual FPV only. | All other drones. Pilot can still fly and strike manually. Camera still works for human observation. | Swap Jetson module (15 min field repair) or fly without AI. |
| Total EW denial (all RF jammed) | LOW (peer adversary, dedicated EW brigade) | ALL radio-dependent drone operations. MANET. Satellite. FPV video link. | Fiber-optic FPV (immune to all RF jamming). Autonomous pre-programmed missions (no link needed). Manual observation. | Physical displacement out of EW kill zone. Counter-EW (locate and destroy jammer). Wait for EW to move. |
| Total system loss | VERY LOW | All Lisa 26 capability. | Soldiers with binoculars, maps, voice radio, and rifles. This is where every army was before 2022. | Resupply entire drone package. Or fight conventionally. |
Availability Mathematics — Derivation of Brigade MTBF
Brigade-level availability under graceful degradation follows the standard reliability formula for a redundant system with N components and failure rate λ per component. For the Fischer 26 fleet of 5 airframes, the time until total ISR blackout (all 5 lost) follows:
MTBF_fleet = MTBF_single / (1 + 1/2 + 1/3 + ... + 1/N)
Expressed as code: MTBF_fleet = MTBF_single / harmonic(N) where harmonic(5) = 2.283. Substituting MTBF_single = 150 hours: MTBF_fleet = 150 / 2.283 = 65.7 hours.
For N=5 and MTBF_single = 150 flight hours (historical combat attrition rate from open-source Ukrainian loss data), the harmonic sum is H₅ = 2.283, giving MTBF_fleet ≈ 65.7 hours. Brigade retains partial ISR capability until only 1-2 airframes remain; complete ISR blackout is therefore expected every ~66 combat hours under sustained high-attrition conditions, or every ~200 hours under typical conditions where losses cluster around single events rather than uniform rates.
Mesh availability under n-of-N node failure follows a different model. Silvus StreamCaster mesh requires minimum three active nodes for full 360° coverage; the probability of retaining three or more nodes out of ten deployed, when each node has independent failure probability p = 0.15 per 24-hour period, is a binomial cumulative distribution. P(≥3 nodes) = 1 − P(0) − P(1) − P(2). For p=0.15, N=10: P(0) = 0.197, P(1) = 0.347, P(2) = 0.276 — so P(≥3) = 1 − 0.820 = 0.180. This means 18% probability of mesh loss per 24-hour period under heavy attrition, which is why brigade doctrine requires staggered redeployment of nodes every 6 hours to reset the distribution.
GRACEFUL DEGRADATION THRESHOLDS (BRIGADE LEVEL)
Worked Example — Sustained Combat Operations Day 3
Consider Day 3 of sustained defensive operations on the Norrbotten front. Cumulative losses: 2 Fischer 26 (40% of fleet), 4 MANET nodes out of 10 (40% of mesh), 15 FPV airframes (out of 200 in logistics, 7.5% of tier-0 stockpile). The degradation model assesses this as follows.
ISR: 3/5 Fischer 26 remain, providing 60% of baseline coverage. Operational decision: concentrate remaining airframes on primary threat axis, accept 40% coverage reduction on secondary axes. No capability is categorically lost; mission priorities shift. Mesh: 6/10 nodes remain, self-healing keeps 60% bandwidth, 300° coverage instead of 360° — a dead arc exists to the northwest. Brigade dispatches a resupply vehicle with three pre-configured spare nodes, 90-minute restoration. FPV: 185/200 remain — combat effectiveness unchanged, stockpile depletion rate sustainable for another 12 days. Brigade server: operational. Starlink: operational. Decision framework per the degradation code below: system is in ISR_DEGRADED / MESH_DEGRADED state, retained capability fraction = 0.72 of baseline. Mission continues with adjusted priorities; no doctrinal fall-back required.
Why Graceful Degradation Matters — Operational Integrity
A system that fails catastrophically creates an all-or-nothing capability posture: the brigade either has full ISR or has none. This posture is both operationally dangerous (single points of failure) and doctrinally expensive (commanders must plan for worst-case replacement and carry massive logistics margins). Graceful degradation replaces this with a continuum — capability scales smoothly with resources, and operators make proportional rather than binary decisions. The cost of losing one Fischer 26 is proportional to one-fifth of ISR capacity, not a complete blackout requiring a full logistics response.
The second reason graceful degradation matters is psychological. Operators who understand that loss of a drone, a radio node, or a server produces known, bounded, recoverable consequences make better decisions under stress than operators who fear that any single loss triggers total system failure. Every node in the degradation matrix is labelled with its recovery time and the capability fraction that remains — this transparency is itself a combat multiplier, because it lets the commander commit resources with known rather than unknown downside.
The Honest Assessment
Lisa 26 is a force multiplier, not a dependency. If it fails completely, the brigade fights the way brigades fought in 2020 — voice radio, paper maps, human observers. That capability never went away. What Lisa 26 adds is speed (170ms vs 12-40 min), coverage (50 drones over 500 km² vs 4 human OPs over 2 km²), and pattern recognition (SQL queries over weeks of data vs one S2's memory). Losing Lisa 26 does not mean losing the ability to fight. It means losing the advantage.
The most likely failures are not catastrophic — they are incremental. One Fischer 26 lost. Three MANET nodes dead. A Jetson module failing. Each reduces the advantage slightly. The architecture is designed so that no single failure cascades into total loss. The brigade server can crash and battalions continue. All Fischer 26 can be lost and FPV teams still strike. The MANET can fragment and each island still fights. Only total EW denial (an unlikely scenario requiring a dedicated EW brigade focused entirely on your frequency band) kills all drone operations — and even then, fiber-optic FPV and pre-programmed autonomous missions survive.
What We Cannot Recover From Quickly
Honest answer: Fischer 26 loss. A €530 expendable ISR drone is replaced in hours (build from parts in the logistics kit). A MANET node is replaced by redistributing spares. A Jetson module swaps in 15 minutes. But Fischer 26 is a complex fixed-wing platform that takes 2-3 days to build, test, and calibrate. Losing all 5 Fischer 26 units in a single day means 2-3 days without persistent ISR and Starlink relay. This is the brigade's single biggest vulnerability. Mitigation: never fly Fischer 26 below 150m AGL (use expendable ISR for low-level), keep 2 spare airframes in brigade logistics, and distribute Fischer 26 units across sectors so a single event cannot destroy all 5.
Graceful degradation ensures no single failure eliminates brigade drone capability. The degradation model documents what capability remains after each failure type. System degradation analysis reveals that Fischer 26 loss is the hardest to recover from — the platform takes days to replace.
System degradation analysis is the honest acknowledgment that every system fails. The degradation model maps each failure mode to its operational impact. Understanding degradation patterns enables commanders to make informed decisions about risk — is the current degradation level acceptable for the planned mission? The degradation matrix answers this question for every component.
← Del av Lisa 26 Architecture
Implementation
# Graceful Degradation — Capability Matrix per Failure Mode
FAILURE_MODES = {
"starlink_down": {
"lost": ["brigade_to_national_c2", "fischer26_sat_relay"],
"retained": ["manet_mesh_30km", "all_local_isr", "all_fpv", "battalion_cop"],
"recovery": "automatic_when_starlink_returns",
"time_to_recover": "minutes"
},
"fischer26_lost_1of5": {
"lost": ["20pct_persistent_isr", "one_relay_node"],
"retained": ["4x_fischer26", "all_fpv", "expendable_isr"],
"recovery": "build_replacement_2-3_days",
"time_to_recover": "days" # BIGGEST VULNERABILITY
},
"manet_30pct_nodes_lost": {
"lost": ["30pct_bandwidth"],
"retained": ["mesh_self_heals_30s", "remaining_70pct_reroute"],
"recovery": "automatic_mesh_reconvergence",
"time_to_recover": "30_seconds"
},
"brigade_server_down": {
"lost": ["brigade_cop", "pattern_analysis"],
"retained": ["battalion_laptops_independent", "all_tactical"],
"recovery": "reboot_or_replace_server",
"time_to_recover": "15_minutes"
},
"total_ew_blackout": {
"lost": ["all_radio_dependent_ops"],
"retained": ["fiber_optic_fpv", "autonomous_preprogrammed"],
"recovery": "destroy_jammer_or_relocate",
"time_to_recover": "hours"
}
}
def assess_capability(active_failures):
"""Given current failures, what capability remains?"""
lost = set()
retained = set()
for failure in active_failures:
if failure in FAILURE_MODES:
lost.update(FAILURE_MODES[failure]["lost"])
retained.update(FAILURE_MODES[failure]["retained"])
# Retained minus anything lost by other failures
actual_retained = retained - lost
return {"lost": sorted(lost), "retained": sorted(actual_retained)}
# Example: Starlink down + 1 Fischer 26 lost
result = assess_capability(["starlink_down", "fischer26_lost_1of5"])
print(f"Lost: {result['lost']}")
print(f"Retained: {result['retained']}")Quantitative Assessment Tool
# brigade_availability.py — Quantitative degradation assessment
# Reports capability fraction retained given current failure state.
from math import factorial
def harmonic(n):
return sum(1.0 / k for k in range(1, n + 1))
def fleet_mtbf_hours(single_platform_mtbf: float, fleet_size: int) -> float:
"""MTBF for 'all N lost' event in a fleet, given per-platform MTBF."""
return single_platform_mtbf / harmonic(fleet_size)
def mesh_survival_probability(nodes_active: int, nodes_required: int,
per_node_loss_rate: float) -> float:
"""P(mesh still viable) using binomial CDF."""
p_survive = 0.0
n = nodes_active
p = 1.0 - per_node_loss_rate
for k in range(nodes_required, n + 1):
binom = factorial(n) / (factorial(k) * factorial(n - k))
p_survive += binom * (p ** k) * ((1 - p) ** (n - k))
return p_survive
def brigade_capability_fraction(state: dict) -> float:
"""Combined capability metric — 1.0 = full, 0.0 = none."""
f26_fraction = state.get("fischer26_active", 5) / 5.0
mesh_fraction = state.get("mesh_nodes_active", 10) / 10.0
# ISR is the dominant capability — weight 0.5
# Mesh is supporting — weight 0.3
# Server + sat are redundant — weight 0.2
return (0.5 * f26_fraction +
0.3 * mesh_fraction +
0.2 * (1.0 if state.get("server_up", True) else 0.5))
# Worked-example assessment for Day 3 combat state
state = {"fischer26_active": 3, "mesh_nodes_active": 6, "server_up": True}
capability = brigade_capability_fraction(state)
print(f"Capability retained: {capability:.2%}")
# Output: Capability retained: 78.00%
# Fleet MTBF at historical combat attrition (150 flight hours per airframe)
mtbf = fleet_mtbf_hours(single_platform_mtbf=150, fleet_size=5)
print(f"Fleet total-loss MTBF: {mtbf:.1f} combat hours")
# Output: Fleet total-loss MTBF: 65.7 combat hours
# Mesh survival probability for 10-node deployment, 15% per-node loss rate
p_mesh = mesh_survival_probability(nodes_active=10, nodes_required=3,
per_node_loss_rate=0.15)
print(f"Mesh survives 24h: {p_mesh:.1%}")
# Output: Mesh survives 24h: 82.0%Related Chapters
Sources
Silvus StreamCaster mesh self-healing specifications (559-node test). ArduPilot failsafe documentation. Public reports on Ukrainian drone loss data 2022–2025 (ISW, open-source analysis). MIL-STD-882E system safety. FSG-A FMEA analysis v1.0.