SEI Technical Reports
Architecture-centric model-based engineering of embedded systems with AADL
Julien Delange, Peter H. Feiler, David P. Gluch, John J. Hudak - AADL Fault Modeling and Analysis Within an ARP4761 Safety Assessment
This paper explains how to leverage the Error-Model version 2 to follow the ARP4761 safety process.
The full report is available as SEI Technical Report 
SEI-Technology-Highlight-2013 Four Pillars
Feiler, Peter H., Goodenough, John, Gurfinkel, Arie, Weinstock, Charles, Wrage, Lutz, Four Pillars for Improving the Quality of Safety-Critical Software-Reliant Systems, SEI Research and Technology Highlight Four Pillars of Software Reliability, April 2013.
This paper summarizes a comprehensive study for an approach to validating and improving the reliability of software-intensive systems. The four pillars of this framework are formalized requirements, architecture-centric modeling and analysis, application of theory-based static analysis, and confidence through assured evidence.
The full report is available as SEI Technical Report CMU/SEI-2012-SR-013
SEI-2012-SR-013 Reliability Improvement Framework
Software-reliant systems such as rotorcraft and other aircraft have experienced exponential growth in software size and complexity. The current software engineering practice of "build then test" has made them unaffordable to build and qualify. This report discusses the challenges of qualifying such systems, presenting the findings of several government and industry studies. It identifies several root cause areas and proposes a framework for reliability validation and improvement that integrates several recommended technology solutions: validation of formalized requirements; an architecture-centric, model-based engineering approach that uncovers system-level problems early through analysis; use of static analysis for validating system behavior and other system properties; and managed confidence in qualification through system assurance. This framework also provides the basis for a set of metrics for cost-effective reliability improvement that overcome the challenges of existing software complexity, reliability, and cost metrics.
DeNiz, Dio, Feiler, Peter H., Gluch, David, Wrage, Lutz, A Virtual Upgrade Validation Method for Software-Reliant Systems, Technical Report CMU/SEI-2012-TR-005, June 2012.
This report presents a Virtual Upgrade Validation (VUV) method to improve design quality and confidence in qualification through testing for military systems impacted by computer platform changes. This approach uses architecture-centric, model-based analysis to identify system-level problems early in the upgrade process to complement established test qualification techniques. For purposes of this report, the authors focus on changes to the computer platform consisting of processors, network, operating system, and runtime infrastructure. They describe the VUV method steps and introduce the Architectural Dependencies Catalog that provides guidance for modelers on which aspects of the system to model and how to model them. The report also provides a history and overview of the Architecture Analysis and Design Language standard, which is used with the VUV method.
SEI-2011-SR-011 Whats New in AADLV2
Feiler, Peter H., Seibel, J., Wrage, L., What’s New in V2 of the Architecture Analysis & Design Language Standard?, Technical Report CMU/SEI-2011-SR-011, March 2012.
A summary of changes to the original SAE AADL standard. The revised standard is known as AADL V2.
This report provides an overview of changes and improvements to the Architecture Analysis & Design Language (AADL) standard for describing both the software architecture and the execution platform architectures of performance-critical, embedded, real-time systems. The standard was initially defined in the document SAE AS-5506 and published in November 2004 by SAE International (formerly the Society of Automotive Engineers). SAE International published the revised language, known as AADL V2, in January 2009. Feedback from users of the standard guided the plan for improvements. Their experience and suggestions resulted in the addition of component categories to better represent protocols as logical entities (virtual bus), scheduler hierarchies and logical time partitions (virtual processor), and a generic component (abstract). The revisions also led to the abilities to (1) explicitly parameterize component declarations to better express architecture patterns, (2) specify multiple instances of the same component in one declaration (component array) and corresponding connection patterns, (3) set visibility rules for packages and property sets that access other packages and property sets, (4) specify system-level mode transitions more precisely, and (5) use additional property capabilities including property value records.
SEI-Technology-Highlight-2010 AADL MBE
Feiler, Peter H., Lewis, Bruce, Industry Standard Notation for Architecture-Centric Model-based Engineering, SEI Research and Technology Highlight AADL and MBE, January 2010.
This paper summarizes the problem being addressed by SAE AADL relative to current practice, the research it is based on, the approach being taken for AADL and its transition into industry, as well as the benefits of its use.
SEI-2010-TR-003 MDS NASA
Feiler, Peter H., Gluch, David P., and Woodham, Kurt, Case Study: Model-based Analysis of the Mission Data System Reference Architecture, Technical Report CMU/SEI-2010-TR-003, May 2010.
A case study on the use of AADL in modeling, analyzing and instantiating a multi-layered reference architecture for autonomous space platforms.
ABSTRACT: This report presents the results of a case study applying the Architecture Analysis & Design Language (AADL) to the Mission Data System (MDS) architecture. This work is part of the NASA Software Assurance Research Program (SARP) research project: “Model-Based Software Assurance with the SAE Architecture Analysis & Design Language (AADL).” In this report, we discuss modeling and analyzing the MDS reference architecture. In particular, we focus on modeling aspects of state-based system behavior in MDS for quantitative analysis. Three different types of state-based system model are being considered: closed loop control, goal-oriented plan execution, and fault tolerance through replanning.
SEI-2009-TR-017 AVSI SAVI
P. Feiler, Jörgen Hansson, Dionisio de Niz, Lutz Wrage, System Architecture Virtual Integration: An Industrial Case Study, Software Engineering Institute (SEI) Technical Report, CMU/SEI-2009-TR-017, November 2009.
A Case Study on the Use of AADL for Multi-tier Multi-fidelity Aircraft Modeling and Analysis and integrator subcontractor interaction support for the AVSI SAVI initiative.
ABSTRACT: The aerospace industry is experiencing exponential growth in the size and complexity of onboard software. It is also seeing a significant increase in errors and rework of that software. All of those factors contribute to greater cost; the current development process is reaching the limit of affordability of building safe aircraft. An international consortium of aerospace companies with government participation called Aerospace Vehicle Systems Institute (AVSI) has initiated the System Architecture Virtual Integration (SAVI) program, whose goal is to achieve an affordable solution through a paradigm shift of "integrate then build." Key concepts of this paradigm shift are an architecture-centric model repository as single source for analytical system models, accessed through a model bus, used as a single source for analytical models, and multi-level, multi-fidelity analysis of multiple operational quality attributes of the system and embedded software system architecture. The result is discovery of system-level faults earlier in the life cycle—reducing risk, cost, and development time. The first phase of this program demonstrated the feasibility of this new development process through a proof of concept which is the topic of this report.
SEI-2008-WP Using Model-Based Engineering and Architectural Models to Build Secure Systems
Peter H. Feiler, Jorgen Hansson, John Morley - http://www.sei.cmu.edu/library/abstracts/whitepapers/buildsecurembe.cfm
A system designer faces several challenges when specifying security for distributed computing environments or migrating systems to a new execution platform. Business stakeholders impose constraints due to cost, time-to-market requirements, productivity impact, customer satisfaction concerns, and the like. And users exercise power at the desktop over computing resources and data availability. So, a system designer needs to understand requirements regarding protected resources (e.g., data), confidentiality, and integrity. And, a designer needs to predict the effect that security measures will have on other runtime quality attributes such as resource consumption, availability, and real-time performance.
SEI-2008-SR-001 State of Embedded Systems Practice
Peter H. Feiler, Dionisio de Niz. ASSIP Study of Real-Time Safety-Critical Embedded Software-Intensive System Engineering Practices, Software Engineering Institute (SEI) Special Report SEI-2008-SR-001, Feb 2008.
This report summarizes the state of practice and state of the art in engineering embedded real-time systems.
ABSTRACT: Modern weapon systems increasingly depend on real-time, safety-critical, embedded (RTSCE) software to achieve their mission objectives. In addition, these systems are experiencing far longer service lives than anticipated at their inception. Army weapon system developers are concerned that this combination of factors renders today's software acquisition and development practices insufficient to address the challenges of these software-intensive systems. To address the concern, the Army Strategic Software Improvement Program tasked the Carnegie Mellon Software Engineering Institute (SEI) to assess RTSCE software-intensive systems issues and develop recommendations. The findings of phase one of that study are presented in this report: (1) industry is driving the development of tools for model-based engineering to meet the needs of RTSCE system development, and (2) many opportunities exist for the U.S. Department of Defense (DoD) to gain experience and advance the transition of these tools into DoD programs.
SEI-2007-TN-010 Latency Analysis
Peter H. Feiler, Jörgen Hansson, Flow Latency Analysis with the Architecture Analysis and Design Language (AADL), Software Engineering Institute (SEI) Technical Note CMU/SEI-2007-TN-010, Dec 2007.
This report discusses the use of the end-to-end flows of AADL in end-to-end latency analysis.
ABSTRACT: Control system components are sensitive to the end-to-end latency and age of signal data. They are also affected by variation (jitter) in latency and age values due to different runtime configurations (i.e., sampling or data-driven signal processing pipelines, dissimilar communication mechanisms, partitioned architectures, and globally synchronous versus asynchronous hardware). This technical note introduces an analysis framework designed to calculate the end-to-end latency and age of signal stream data as well as their jitter. The latency analysis framework and calculations are illustrated in the context of an example model that uses the flow specification notation of the Architecture Analysis & Design Language (AADL). The report describes how this latency analysis capability can be used to determine worst-case end-to-end latency on system models of different fidelity and how it accounts for partitioned architectures. It also summarizes the worst-case end-to-end flow latency analysis capability provided by the Open Source AADL Tool Environment (OSATE) flow latency analysis plug-in.
SEI-2007-TN-047 System Families
This report discusses how to model variants in system families and product lines.
ABSTRACT: Over their lifetime, systems exist in many forms, such as instances of a system deployed in different contexts or a system evolving over time. Variability may also occur in terms of functionality reflected in the domain architecture, nonfunctional properties (such as performance, reliability, and safety-criticality) that are realized in the runtime architecture, interfaces to the deployment environment with which the system interfaces, and mapping to computing platforms.
The Society of Automotive Engineers (SAE) Architecture Analysis & Design Language (AADL) is an industry-standard, architecture-modeling notation specifically designed to support a component-based approach to modeling embedded systems. This technical note discusses how AADL can be used to model system families and configurations of system and component variants. It shows that AADL supports system families by providing component types that are used to specify component interfaces and multiple implementations for each component type. This report also shows that AADL uses properties to represent multiple dimensions of system variability ranging from variation through conditional compilation to variation through different sets of calibration parameters.
SEI-2007-TN-043 Dependability Modeling
Peter H. Feiler, Ana Rugina, Dependability Modeling with the Architecture Analysis & Design Language (AADL), Software Engineering Institute (SEI) Technical Note CMU/SEI-2007-TN-034, July 2007.
This report discusses the use of the Error Model Annex of AADL to represent dependability information in AADL models.
ABSTRACT: The Society for Automotive Engineers (SAE) recently published an Error Model Annex document (SAE AS-5506/1) to complement the SAE Architecture Analysis & Design Language (AADL) standard document (SAE AS5506A) with capabilities for dependability modeling. The purpose of this report is to (a) explain the capabilities of the Error Model Annex and (b) provide guidance on the use of the AADL and the error model in modeling dependability aspects of embedded system architectures. The focus of the guidance is the creation of error model libraries and the instantiation of these error models on AADL architecture models. In that context, the report discusses modeling of error propagation, error filtering and masking, the interactions between error models and systems with operational modes, and modeling of repair activities.
SEI-2007-TR-014 Cruise Control System
John J. Hudak, Peter H. Feiler, Developing AADL Models for Control Systems: A Practitioner's Guide, Software Engineering Institute (SEI) Technical Report CMU/SEI-2007-TR-014, July 2007.
This report guides you through the creation and refinement of a cruise control model.
ABSTRACT: This document is a guide to help practitioners using the Architecture Analysis and Design Language (AADL), an international industry standard for the model-based engineering of real-time and embedded systems. The primary goal of this document is to describe an approach for and the mechanics of constructing an architectural model that can be analyzed based on the AADL. The first section of this document presents an overview of AADL concepts and many of the keywords of the language. The second part of the document illustrates a model-building approach using the AADL. It takes the perspective of an engineer who is developing a model for the first time using the AADL. This guide leads the reader through complete AADL model development based on automotive embedded control systems (cruise control, traction control, etc.) by describing the use and syntax of the AADL and interleaving modeling abstraction tradeoffs to achieve models that are abstract but precise. Models are constructed with different analysis perspectives in mind to illustrate the semantics as well as the richness of the AADL.
SEI-2006-TN-011 AADL Introduction
P. Feiler, D. Gluch, J. Hudak, The Architecture Analysis & Design Language (AADL): An Introduction, Software Engineering Institute (SEI) Technical Note CMU/SEI-2006-TN-011, February 2006.
This technical note is an introduction to the concepts, language structure, and application of the SAE AADL standard AS-5506 (known as AADL V1).
ABSTRACT: In November 2004, the Society of Automotive Engineers (SAE) released the aerospace standard AS5506, named the Architecture Analysis & Design Language (AADL). The AADL is a modeling language that supports early and repeated analyses of a system's architecture with respect to performance-critical properties through an extendable notation, a tool framework, and precisely defined semantics.
The language employs formal modeling concepts for the description and analysis of application system architectures in terms of distinct components and their interactions. It includes abstractions of software, computational hardware, and system components for (a) specifying and analyzing real-time embedded and high dependability systems, complex systems of systems, and specialized performance capability systems and (b) mapping of software onto computational hardware elements. The AADL is especially effective for model-based analysis and specification of complex real-time embedded systems.
NOTE: A revision of SAE AADL AS5506A, known as AADL V2, has been published in Jan 2009.
SEI-2004-TN-005 Migration Case Study
Peter Feiler, David Gluch, John Hudak, Bruce Lewis, Embedded Systems Architecture Analysis Using SAE AADL, Software Engineering Institute (SEI) Technical Note CMU/SEI-2004-TN-005, June 2004.
This is a case study report on the analysis of an avionics system migration from a federated to an IMA architecture.
ABSTRACT: The emerging Society of Automotive Engineers Architecture Analysis and Design Language (AADL) standard is an architecture modeling language for real-time, fault-tolerant, scalable, embedded, multiprocessor systems. It enables the development and predictable integration of highly evolvable systems as well as analysis of existing systems. It supports early and repeated analyses of a system's architecture with respect to performance-critical properties through an extendable notation, a tool framework, and precisely defined semantics. This report discusses the role and benefits of using the AADL in the process of analyzing an existing avionics system. The AADL is used to describe architecture patterns in the system being analyzed and to identify potentially systemic issues in the system. Findings related to timing, scheduling, and fault tolerance and the benefits of the use of the AADL are examined.
The report also highlights the benefits of working with architecture abstractions that are reflected in the AADL notation, in particular the separation of architecture design decisions from implementation decisions. Such a lightweight architecture analysis is typically followed by a full-scale AADL model of the system with required and actual timing, performance, and reliability figures, and its analysis to determine whether the requirements are met.
SEI-2000-SR-011 Improving Predictability
Peter H. Feiler, Bruce Lewis, Steve Vestal, Improving Predictability in Embedded Real-Time Systems, Software Engineering Institute (SEI) Special Report CMU/SEI-2000-SR-011, 2000.
This report summarizes the experience by the US Army and Honeywell in the use of MetaH (parent of AADL) on a missile guidance system.
ABSTRACT: This paper discusses a model-based architectural approach for improving predictability of performance in embedded real-time systems. This approach utilizes automated analysis of task and communication architectures to provide insight into schedulability and reliability during design. Automatic generation of a runtime executive that performs task dispatching and inter-task communication eliminates manual coding errors and results in a system that satisfies the specified execution behavior. The MetaH language and toolset supports this model-based approach. MetaH has been used by the U.S. Army in a pilot project applied to missile guidance systems. Reduced time and cost benefits that have been observed will be discussed as a case study. The paper closes by outlining the current state of commercial availability of such technology and efforts to develop standards, such as those put forth by the Society of Automotive Engineers (SAE); Avionics Systems Division (ASD); working group on Avionics Architecture Description Language (AADL); and the Object Management Group (OMG) Unified Modeling Language (UML) working group on real-time and performance support in UML.