The Story of AADL

From AadlWiki




NOTE: this is work in progress

Note to the reader: My apologies for any misrepresentation and to anyone whose work I missed. I know the historical roots, the summary of initiatives, and the list of publications are not complete, and I ask for your help in updating the document. I am also looking for ideas on how to better structure the body of work with AADL by the community. My plan is to make this material available in a public report.

This note discusses the impact the SAE Architecture Analysis & Design Language (AADL) and the Open Source AADL Tool Environment (OSATE) have had in the US, Europe, and Japan in improving the engineering practice for large-scale software-intensive embedded systems. First, we discuss the historical roots of AADL and provide a short summary of the language and the standard suite. Then, I summarize various large-scale collaborative industry/university initiatives that have leveraged AADL as a key technology in their efforts to improve architecture-centric model-based (embedded) software-intensive system validation. Then I outline some reasons why AADL has been an effective research transition enabler. Then I list papers published in refereed conferences and journals on the use of formal specification frameworks to capture and validate the semantics of AADL, on the integration of various analytical frameworks into AADL, and on the use of AADL in pilot projects in a range of domains. These references are papers published by SEI members, by external teams the SEI had interacted with, and by teams that have used this technology independently.

Historical Roots of AADL in DARPA Funded and Other Research

AADL has its roots in DARPA funded research in architecture languages - MetaH and ACME. MetaH has its syntactical roots in Ada.


AADL's one direct ancestor is MetaH [Vestal], which was developed starting in 1990 by Steve Vestal at the Honeywell Technology Center under DARPA funding. Steve borrowed from Ada much of the syntax as well as the idea of making MetaH a strongly typed language.

MetaH was designed for embedded systems and included software components such as threads, subprograms, and data; hardware components such as processor, memory, and bus; and devices to represent physical system components. MetaH supported sampling data ports that ensured deterministic sampling. MetaH also included the mode concept to specify dynamic reconfiguration of the runtime architecture. MetaH had a long list of properties, including binding, execution time, memory usage, and bus usage properties. MetaH was a closed language, i.e., users could not add properties.

MetaH was first applied in 1994 to an Army missile guidance system (AMCOM SED) (Lewis). Other early experiments with MetaH included Hybrid automata formal verification of the MetaH code generator (AFOSR, Honeywell), Missile defense application (Boeing), Fighter guidance SW fault tolerance (DARPA, CMU/SEI, Lockheed-Martin), Incremental Upgrade of Legacy Systems (AFRL, Boeing, Honeywell), Comanche study (AMCOM, Comanche PO, Boeing, Honeywell), Tactical Mobile Robotics (DARPA, Honeywell, Georgia Tech), Advanced Intercept Technology CWE (BMDO, MaxTech), Adaptive Computer Systems (DARPA, Honeywell), Avionics System Performance Management (AFRL, Honeywell), Ada Software Integrated development/Verification (AFRL, Honeywell), FMS reference architecture (Honeywell), JSF vehicle control (Honeywell), IFMU reengineering (Honeywell).

In the late 1990s Vestal validated the MetaH code generator using a hybrid automata specification of task execution and extended MetaH with an error modeling capability [MetaHUser] – the basis for the AADL Error Model Annex standard.


Need to rewrite

AADL also incorporates elements of ACME, developed by Garlan [CMU-ACME] under DARPA funding, based on insights gained when creating an ACME style of MetaH and experimenting with extending the language [FeilerSEI], integrating analyses along several dimensions [CMU-SEI-JunLiThesis], and porting a prototype implementation of an auto-pilot managed by a Simplex to provide dependable upgrade of embedded systems into MetaH as part of the INSERT project funded by DARPA EDCS [INSERT-CMU-SEI-LM] – demonstrating both implementations at the DARPA demo days in 1998 [EDCSDemoACMSigSoftSENotesJan2000].


To be filled in - French initiative to move beyond HOOD-RT

The Birth of AADL

In the Fall of 1999 Bruce Lewis (US Army AMRDEC) started the SAE AADL committee. In the first year a requirements document for the standard was developed and approved by representatives from 10 Aerospace companies [SAE ARD 5296]. At that time AADL stood for Avionics Architecture Description Language.

Peter Feiler teamed with Steven Vestal to create a first draft AADL document using MetaH as a starting point in 2000/2001 (copy of V 0.2 available upon request for history buffs). In 2001, the name was changed to Architecture Analysis & Design Language. This was done to reflect the fact that nothing Avionics specific was contained in the language.

In 2002 two European groups – one led by the European Space Agency (ESA) and the other (COTRE) led by Airbus - had completed studies that identified the then draft AADL as a strong candidate technology for their future work and joined the committee to make it a reality. The language was initially called Avionics Architecture Description Language, but in early 2003 was changed to its current name to reflect the fact the language is not Avionics specific, retaining its initials. Under the technical leadership of Peter Feiler the first version of the AADL standard document was approved in 2004 by 23 organizations from the US and Europe and published in Nov 2004. The first implementation of OSATE became publicly available in Dec 2004 and was stress tested with a 40,000 line AADL by Rockwell Collins [Statezni]. The first collection of annex documents was approved and published in June 2006. It included Based on feedback from the user community of AADL the committee made improvements to the language – with the revised version approved in late 2008 by 30 voting organizations and published in Jan 2009.

The AADL Standard suite

The AADL standard suite consists of:

  • The core language standard (originally published in Nov 2004, revised V2 published Jan 2009) led by Peter Feiler (SEI).
  • The AADL Meta model and XML/XMI Interchange Format Annex standard (2006, revised 2009) led by Peter Feiler (SEI).
  • Language Compliance and Application Program Interface Annex standard (2006) led by Joyce Tokar (Pyrrhus Software).
  • The Error Model Annex standard for modeling fault behavior and propagation (2006, in revision 2009-2010) led by Steven Vestal (Honeywell).
  • Data Modeling Annex standard for representing data model information (2010 – approved) led by Jerome Hugues (ISAE).
  • Behavior Annex standard (2010 – approved) initially led by Mamoun Filali (IRIT), continued by Pierre Dissaux (ElliDiss).
  • Draft UML profile of AADL (made available to the OMG MARTE team) led by Ed Colbert (USC).
  • AADL UML profile as OMG MARTE subprofile (Appendix in MARTE document, in revision for AADL V2) led by Madeleine Faugere (Thales).
  • AADL ARINC 653 Annex standard (2010 - approved) led by Julien Delange (Telecom ParisTech).

In April 2004 the OMG MARTE (then RFP) lead (Laurent Rioux) came to the SAE AADL Committee to explore collaboration to leverage the Meta model and semantics of the AADL standard as it provided a strong foundation for MARTE. The draft UML profile for AADL was made available to the OMG MARTE team and it was agreed that a standard UML profile for AADL would become available through MARTE, avoiding a competitive situation.

Similarly, in Dec 2008 an active dialog was started by Feiler as technical lead of AADL and Sanford Friedenthal as technical lead of SysML on establishing a common understanding of the relationship of the two architecture modeling notations. It has now evolved into a three-way dialog between SysML (Friedenthal), AADL (Feiler), and MARTE (Gerard) with interactive sessions at various venues.

Tool support is available in the form of the Open Source AADL Tool Environment (OSATE) developed by SEI, a commercial tool suite (STOOD) supporting the full life cycle including AADL (originally developed for HOOD-RT and used by the European Space Agency (ESA) and Airbus), and, with the UML profile, graphical model creation through UML tools. As is partially evident from the list of references, many analysis and code generation tools have been integrated with AADL.

The Architecture Analysis & Design Language

SAE AADL is a modeling notation with well-defined semantics for representing the architecture of large-scale software-intensive embedded systems and systems of systems, such as aircraft, spacecraft, motorized vehicles, autonomous systems, and medical devices. For example, a hybrid automata specification of thread execution in the standard document provides an unambiguous interpretation of expected runtime behavior. The standard includes a standardized XML interchange format based on a Meta model specification of AADL to facilitate model interchange and integration of analytical models and supporting tools.

To promote pilot projects in industry and at research institutions the Software Engineering Institute (SEI) has made available the Open Source AADL Tool Environment (OSATE) on top of Eclipse. It utilizes the Eclipse Modeling Framework (EMF) and has been integrated into the open source TOPCASED tool framework developed by European industry.

SAE AADL and the Open Source AADL Tool Environment have become a platform for industrial pilot projects and for university research. Companies have investigated the feasibility of representing and analyzing real systems in an architecture modeling language (proof-of-concept) and do so using an annotated architecture model to auto-generate analytical models through model transformation. Researchers have been attracted to AADL for its well-defined semantics to map their more formal specification and analysis framework into, and to make their results quickly accessible to industry.

Industry Initiatives Utilizing SAE AADL

A number of industry initiatives have used AADL as key technology:

  • ESA ASSERT (2004-2008): funded by the European Commission with 30 partners to pilot the development of the satellite system families with validated architectures through proof-based techniques.
  • TOPCASED (2005-2009): industry initiative led by Airbus (28 partners) to build an open source industrial tool infrastructure for model-based engineering of embedded systems.
  • ITEA SPICES (2006-2009): European industry/research initiative (15 partners) to put in place a model-based engineering method incorporating CCM, AADL, and SystemC, covering both analysis and generation, as well as application to six different application domains.
  • Aerospace Vehicle Systems Institute (AVSI) System Architecture Virtual Integration (SAVI) initiative with members including Boeing, Lockheed Martin, Airbus, Rockwell Collins, Honeywell, BAE Systems, GE Aviation, FAA, DoD, and SEI. The objective is to put in place a model-based, architecture-centric practice focused on virtual integration for the next generation of aircraft. AADL was chosen as the technology for the initial Proof Of Concept phase. This phase included the definition of a to-be acquisition process, an ROI study, and a proof of concept demonstration. The demonstration covered the creation and analysis of an aircraft model (Tier 1), refined into an Integrated Modular Avionics (IMA) Tier 2 model, with subsystems subcontracted to suppliers using AADL-based subsystem contract negotiation, and validation after suppliers refine subsystems to a task-level runtime architecture and populate it with source code.
  • Other industry activities include collaboration with OMG MARTE and OMG SysML towards a common industry standardization strategy for architecture-centric engineering of systems, ARTIST2 to engage the research community, and Open Group to promote the model-based engineering approach in industry.


AADL as Research Transition Enabler

Key elements that contribute to AADL as a research transition platform are well-defined semantics, a standardized Meta model and XML-based interchange format, and the ability to extend the core language with annotations relevant to different analyses. The generation of analytical models consistent with the architecture addresses the problem of multiple truths that are encountered when those models are constructed by separate teams at different times in the development and become inconsistent with the architecture and each other.

The AADL standard document includes a description of the language semantics including a hybrid automata specification of thread execution semantics. An architecture enables the development of different analysis algorithms that interpret the model in the same way. For instance, the flow latency analysis in OSATE uses the timing semantics of the delay communication connections of AADL to calculate the worst-case transmission delay by adding a full period. On the other hand, the replication verification analysis for replication architecture uses the same fact to identify an out-of-sync mode transition.

The shared semantics established by the AADL standard have created two positive reinforcing trends in the community. On the one hand, researchers observe that their contribution has a stronger impact when their results can be combined in a cumulative fashion with the research of others working from the same model. On the other hand, industry is enthusiastic to see that it does not need to develop different models for the different analyses it wants to perform, which saves time and, more importantly, saves the additional validation steps needed to ensure consistency between models and avoid the multiple truth problem.


The standardized Meta model & XML representation as well as the extensibility of the core AADL language facilitate a single model source approach to architecture-centric engineering, in which analytical models for multiple dimensions of operational quality attributes are generated automatically by transformation. The figure below shows five such dimensions, for which the feasibility of this approach was demonstrated with the OSATE environment as provided by the SEI. The community has embraced the architecture-centric engineering approach and has piloted it, added analytical models and additional quality dimensions as is evidenced in the papers below.

Original standard published in 2004 AS-5506 Feiler 2006
