search menu icon-carat-right cmu-wordmark

Design and Analysis of Cyber-Physical Systems: AADL and Avionics Systems

May 2013 Presentation
Peter H. Feiler, Julien Delange

A presentation from the ninth annual SATURN conference, held in Minneapolis, MN, April 29 - May 3, 2013.


Software Engineering Institute



Cyber-physical systems (CPS) are reliant of software for their operation. Typically, CPSs are mission- and safety-critical systems, such as avionics systems on aircraft. This industry sector has experienced exponential growth in software size and interaction complexity, with rework cost reaching 70% of the software system cost. Current practice of such systems consists of a build and test approach with system engineering up front addressing safety concerns by following industry standard recommended practices such as SAE ARP 4761 and 4754, followed by software development with limited attention to nonfunctional qualities such as timing, latency, performance, reliability, safety, or security. Each of these concerns, if addressed through modeling and analysis or simulation, is captured by separate analytical models that quickly become outdated as the architecture and design evolve. The result is late discovery of system-level errors, with studies showing up to 80% leakage to this phase.

This presentation discusses the SAE International Architecture Analysis and Design Language (AADL) Standard as the basis for an analytical virtual-integration framework as a solution to this problem. This approach utilizes auto-generation analyzable architecture models from annotated AADL models to reflect architectural changes and avoid inconsistencies as the basis for validating and verifying requirements and design.

AADL was specifically designed to support modeling of software runtime architecture based on an architecture design, the hardware platform, and the physical system that this embedded software system interacts with. It reflects the interactions within and between all three parts of a CPS. It offers well-defined component concepts, such as thread and process for software, and processor, memory, bus, and device for hardware and physical system concerns. It includes operational mode specifications, three types of interaction semantics, and deployment mappings. Standardized extension to AADL includes functional and interaction Behavior specification, Error Behavior and Propagation specification, ARINC653 partitioning, Requirements specification, and validation support. AADL and its associated tool support is a community effort of industry and academic partners in America, Europe, and Japan. A number of large-scale projects have been under way since the first release of the standard in 2004, with industry sectors ranging from aerospace and avionics to health care.

The presentation first summarizes several software-induced root cause areas due to mismatched assumptions between the different parts of a system. The presentation then presents key elements of AADL and how they address the problem areas. This is followed by a technical overview of the architecture-centric virtual-integration approach that is currently being advanced by an aerospace industry initiative with partners ranging from Boeing, Airbus, Embraer, Rockwell-Collins, BAE Systems, Honeywell, and the SEI to government agencies including FAA, NASA, and the U.S. Army. This will be followed by avionics examples illustrating the effectiveness in early discovery of anomalous system behavior due unexpected latency variation, unintentional fault propagation, and impact of software deployment decisions on system reliability. The presentation closes with observations and lesson learned on the effectiveness of this virtual-integration approach.