Architecture Analysis and Design Language (AADL)

Created July 2019 • Updated February 2022

As software for avionics, cyber-physical, and autonomous systems becomes increasingly complex, the cost to assure these and other mission- and safety-critical systems is growing. Software attributes that impede analysis and concerns such as performance, safety, and security are responsible for this increase.

The Architecture Analysis and Design Language (AADL) is an SAE international standard that addresses these issues by defining guidelines for design and analysis through a Domain-Specific Modeling Language (DSML).

Abstracting Large Software for Analysis

AADL captures large designs through high-level architectural concepts drawn from domain expertise: component categories that describe key building blocks, such as processors, devices, and threads, together with rules for assembling them. Through careful abstraction, complex designs can be captured as smaller models that are amenable to inspection and analysis.

Analyzing for Multiple Concerns

Design teams can review AADL models, use automated tools to assess conformance to modeling guidelines, and run analyses to uncover design problems or validate a design. Since its inception, the SEI has been the driving force behind the SAE AADL standard. Our core team has demonstrated how to implement and apply tool-supported analysis methods on complex systems. Our analysis portfolio covers performance, safety, and security. We have directed multiple pilot studies that demonstrate the efficiency of the approach on different classes of systems.

Leveraging Digital Engineering

Using SAE AADL, systems architects leverage digital engineering for the design and validation of complex safety-critical systems in two critical phases of a system design:

  • During early stages, SAE AADL provides early analysis capabilities to mitigate integration risks. This capability is the core of the Architecture Centric Virtual Integration Process (ACVIP) that is being transitioned to SEI customers.
  • During system evolutions, SAE AADL analysis capabilities allow for trade-off analysis to select the best update approach.

As a language, AADL can interoperate with other modeling notations (e.g., SysML, UML) and be integrated into larger systems engineering approaches (e.g., MOSA). The SEI and its partners have developed technical reports, open-source software, and teaching courses to aid in applying AADL.

Model-Based Development for Safety-Critical Systems

AADL is a modeling language with an architecture-centric, model-based development approach throughout the system lifecycle. AADL is targeted at real-time, safety-critical embedded systems where components are tightly coupled. These systems need specific validation and verification capabilities to demonstrate system correctness across all dimensions: functional, performance, safety, and security.

AADL has rich semantics that can be exercised to analyze and generate the system. AADL is also a standard promoted by SAE International: AS5506C.

Benefits of Using an Open Standard

As an open standard, the AADL language is

  • industry-grade: AADL provides textual and graphical notations with precise semantics to model applications and execution platforms.
  • ready to use: AADL is supported by commercial and open-source tool solutions.
  • unambiguous: one model can be analyzed for multiple qualities.
  • interoperable: AADL can integrate with other notations for systems modeling (OMG SysML, FACE) and with functional modeling tools such as MATLAB Simulink or ANSYS SCADE.

Benefits for Your Organization

The SAE AADL standard lowers development and maintenance costs by

  • providing a standard for modeling performance-critical systems
  • defining precise semantics for conducting multiple analyses on the same model
  • supporting large-scale (multi-contractor) architectures by capturing many aspects in a single analyzable model that can be incrementally refined into detailed architectures of subsystems
  • focusing on the architecture of a system to evaluate the effect of change, such as the emergent properties of integration (e.g., safety, schedulability, end-to-end latency, and security)
  • complementing other notations and approaches like functional simulation through the analysis of the system structure and runtime
  • supporting reference architectures for avionics, security or safety, and component-based or product-line development

Collaborators

Several Department of Defense projects have used AADL, including the Joint Multi-Role Technology Demonstrator, Future Vertical Lift, and the DARPA High-Assurance Cyber Military Systems program.

The U.S. Army Joint Multi-Role Technology Demonstrator (JMR TD), which is helping to develop the DoD’s next-generation rotorcraft fleet (Future Vertical Lift), is accelerating its adoption of AADL after a successful shadow project by the SEI and Adventium Labs showed potential requirements and system-integration issues could be identified early in the development process.

The DARPA High-Assurance Cyber Military Systems program used AADL in its work on the Secure Mathematically-Assured Composition of Control Models project to reduce security risks of software in unmanned vehicles. A red team was unable to penetrate the software over a six-week period, despite access to source code, due to the use of contract-based compositional verification, auto-code generation from verified models, and a certified real-time OS kernel.

Flexibility in Augmenting the AADL Model

There are two ways to augment an AADL model to add characteristics other than those defined in the core language: user-defined properties and annexes.

  • User-defined AADL properties are a quick and simple way to add new characteristics to AADL elements (e.g., components, features, connections) and do not need specific tool support.
  • AADL annexes are more complex and augment the core language with new elements. They need a specific parser, so they are not supported natively by the existing compiler.
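The following added example (not from the SEI page or from OSATE) shows the first of these two mechanisms: a user-defined property set, here called Security_Props, that tags core-language components (threads inside a process) with a confidentiality level, so that a Bell–LaPadula-style analysis of the kind described in the report listed below can check every connection. The property set, package, component names and the "no write down" rule are all assumptions chosen for illustration.

```aadl
-- Constructed example: a user-defined property set (assumed name)
-- that adds a confidentiality level to core AADL elements.
property set Security_Props is
  Classification : type enumeration (Unclassified, Confidential, Secret);
  -- Applies to the core component categories and to connections.
  Level : Security_Props::Classification
    applies to (system, process, thread, data, connection);
end Security_Props;

package Avionics_Example
public
  with Security_Props;

  -- Thread producing classified navigation data.
  thread Nav_Filter
  features
    gps_in  : in data port;
    nav_out : out data port;
  properties
    Security_Props::Level => Secret;
  end Nav_Filter;

  -- Thread writing a maintenance log readable by unclassified tools.
  thread Maintenance_Log
  features
    log_in : in data port;
  properties
    Security_Props::Level => Unclassified;
  end Maintenance_Log;

  process Mission_SW
  end Mission_SW;

  process implementation Mission_SW.impl
  subcomponents
    nav : thread Nav_Filter;
    log : thread Maintenance_Log;
  connections
    -- Secret -> Unclassified data flow: a Bell-LaPadula "no write down"
    -- check over Security_Props::Level on the source and destination
    -- would report this connection as a confidentiality violation.
    leak : port nav.nav_out -> log.log_in;
  end Mission_SW.impl;
end Avionics_Example;
```

Because the property is user-defined, the core OSATE toolchain parses and stores it without extra support; enforcing the rule over the connections is the job of an analysis plug-in or annex, which is the second mechanism described above.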

This year, a number of updates were made to the toolset, including enhancements to the graphical editor and several analysis capabilities, and the creation of a workflow layer that will extend its adoption by practitioners.

Learn More

ACVIP Perspective on AADL

September 13, 2021 Video

This training video reviews the Architecture Centric Virtual Integration Process (ACVIP) for model creators and model users.

11 Rules for Ensuring a Security Model with AADL and Bell–LaPadula

July 29, 2021 Podcast
Aaron Greenhouse

Aaron Greenhouse, a senior software architecture researcher, discusses 11 analysis rules that must be enforced over an AADL instance to ensure the consistency of a security model.

Integrating Safety and Security Engineering for Mission-Critical Systems

May 10, 2021 Blog Post
Sam Procter, Sholom Cohen

Critical systems must be safe from harm and secure, but safety and security practices have evolved in isolation. The SEI is improving coordination between safety and security...

Modeling and Validating Security and Confidentiality in System Architectures

March 19, 2021 Technical Report
Aaron Greenhouse, Jörgen Hansson (University of Skövde), Lutz Wrage

This report presents an approach for modeling and validating confidentiality using the Bell–LaPadula security model and the Architecture Analysis & Design Language.

Architecture Centric Virtual Integration Process (ACVIP): A Key Component of the DoD Digital Engineering Strategy

September 27, 2019 Conference Paper
Alex Boydston (U.S. Army ADD/JMR), Peter H. Feiler, Steve Vestal (Adventium Labs, Inc.)

ACVIP is a compositional, architecture-centric, model-based approach enabling virtual integration analysis in the early phases and throughout the lifecycle to detect and remove defects that currently are not found until integration and test.

OSATE

October 31, 2014 Software

OSATE is an open-source tool platform to support AADL.

Industry Standard Notation for Architecture-Centric Model-Based Engineering

January 20, 2010 White Paper
Peter H. Feiler

In this paper, Peter Feiler describes the AADL, an industry standard for modeling and analyzing the architecture of software-reliant systems.

Related Courses

Modeling System Architectures Using the Architecture Analysis and Design Language (AADL) - eLearning

ONLINE

Modeling and validating quality attributes for real-time, embedded systems is often done with low-fidelity software models and disjointed architectural specifications by various engineers using their own specialized notations. These models are typically not maintained or analyzed throughout the lifecycle, making it difficult to predict the impact...

AADL in Practice Workshop

The AADL in Practice Workshop combines AADL training and an AADL modeling workshop to provide practical knowledge as well as an opportunity to practice skills in a realistic setting. This Workshop will transfer expertise to participants through an effective combination of training and mentoring during practice. Organizations seeking to increase...