Graceful degradation
Graceful degradation is the design principle that a system should continue operating at reduced functionality when components fail, rather than shutting down completely. Unlike the fail-fast approach, which stops at the first error, graceful degradation accepts partial failure as a normal condition and seeks to minimize the damage. A web application that disables image loading when bandwidth is constrained, a phone that switches to 2G when 5G is unavailable, or an aircraft that reduces altitude after losing an engine are all practicing graceful degradation. The principle is: something is better than nothing, but only if the something is safe.
The engineering challenge is defining what 'reduced functionality' means. A system cannot simply ignore failures; it must have explicit fallback modes for each component. These fallback modes require additional design effort — they are the system's contingency plans, and like all contingency plans, they are rarely tested until they are needed. The [[Chaos engineering|chaos engineering]] discipline has revealed that many systems' graceful degradation paths are broken: the fallback code exists but does not work because it has never been exercised in production. A degradation path that has not been tested is a liability, not a feature.
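The paragraph above argues that each component needs an explicit fallback mode and that a fallback which is never exercised is a liability. The following added example (not code from the original page; the feed service, its sample posts and the component names "storage" and "ranker" are constructed for illustration) makes both points concrete: every dependency is injectable so its failure can be forced, each rung of the degradation ladder is a distinct, visible mode, and a helper walks through every failure combination the way a chaos experiment would, so the fallback code is proven to run before production needs it.

```python
"""Explicit fallback modes with a fault-injection hook.

Added example, not code from the original page. The feed service, the
sample posts and the failure modes are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Mode(str, Enum):
    FULL = "personalized"       # all components healthy
    DEGRADED = "chronological"  # ranking component unavailable
    MINIMAL = "empty_feed"      # storage unavailable too: safe, not useful


# Constructed sample data: (post_id, author, unix_time, relevance_score).
SAMPLE_POSTS = [
    ("p1", "alice", 100, 0.9),
    ("p2", "bob", 300, 0.2),
    ("p3", "carol", 200, 0.5),
]


class ComponentUnavailable(RuntimeError):
    """Raised when a dependency is down (or its failure is injected)."""


@dataclass
class FeedResponse:
    mode: Mode
    post_ids: list
    # Callers and operators see which fallback path served them; a degraded
    # answer that looks identical to a healthy one hides the failure.
    notes: list = field(default_factory=list)


@dataclass
class FeedService:
    # Each dependency is an injectable callable so its failure can be forced
    # in tests. The defaults simulate healthy components.
    fetch_posts: Callable[[], list] = lambda: list(SAMPLE_POSTS)
    rank: Callable[[list], list] = lambda posts: sorted(
        posts, key=lambda p: p[3], reverse=True
    )
    # Fault injection: names of components that should fail on this call.
    inject_failures: set = field(default_factory=set)

    def _call(self, name, fn, *args):
        if name in self.inject_failures:
            raise ComponentUnavailable(name)
        return fn(*args)

    def get_feed(self) -> FeedResponse:
        # Degradation ladder: each rung has an explicit fallback below it.
        try:
            posts = self._call("storage", self.fetch_posts)
        except ComponentUnavailable as exc:
            # Minimal mode: an empty feed is safe; stale or invented data is not.
            return FeedResponse(Mode.MINIMAL, [], [f"{exc} unavailable"])
        try:
            ranked = self._call("ranker", self.rank, posts)
            return FeedResponse(Mode.FULL, [p[0] for p in ranked])
        except ComponentUnavailable as exc:
            # Degraded mode: chronological order needs only the storage result.
            chrono = sorted(posts, key=lambda p: p[2], reverse=True)
            return FeedResponse(
                Mode.DEGRADED, [p[0] for p in chrono], [f"{exc} unavailable"]
            )


def exercise_degradation_paths() -> dict:
    """Force every failure combination deliberately, as a chaos experiment
    would, and report the mode and output each one produces."""
    results = {}
    for failures in (set(), {"ranker"}, {"storage"}, {"storage", "ranker"}):
        resp = FeedService(inject_failures=set(failures)).get_feed()
        results[frozenset(failures)] = (resp.mode, resp.post_ids)
    return results


if __name__ == "__main__":
    for failures, (mode, ids) in exercise_degradation_paths().items():
        print(f"failed={sorted(failures) or 'none':<22} mode={mode.value:<14} posts={ids}")
```

The design choice worth noting is that the degraded and minimal responses carry the mode explicitly rather than silently returning a plausible-looking result. That is what lets monitoring count how often each fallback is taken, and it is what `exercise_degradation_paths` asserts on: if a rung is broken, the experiment fails before a real outage does.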
The philosophical tension is that graceful degradation requires the system to make value judgments about which functions are essential and which are expendable. These judgments are not technical but ethical. A medical device that degrades from full diagnostic mode to basic monitoring is making a life-and-death tradeoff. A social media platform that degrades from personalized feeds to chronological ones is making a different kind of tradeoff. The design of graceful degradation is therefore inseparable from the design of values: it forces the system to declare what it considers important before it is forced to choose under pressure.