Supporting the U.S. Army's Joint Multi-Role Technology Demonstrator Effort
Created September 2017
To support the upcoming Future Vertical Lift initiative, the SEI demonstrated how virtual integration can improve affordability and reduce certification time. We built architectural models of the software and hardware and tested them to reveal potential problems early in development, when the cost of fixing them is much lower.
Avionics Systems Are Increasingly Expensive to Develop
Software for mission- and safety-critical systems, such as avionics systems in aircraft, grows ever larger and more expensive. Software now accounts for two-thirds of total system cost. A 2002 study by the National Institute of Standards and Technology revealed that most problems in software systems are introduced during requirements specification and architecture design but are not discovered until after unit testing. This pattern has not changed as mission- and safety-critical systems have become more complex.
These concerns are important to the U.S. Army personnel who lead the Joint Multi-Role Technology Demonstrator (JMR TD) program and the Future Vertical Lift (FVL) initiative. FVL is an ambitious plan to replace all U.S. Department of Defense (DoD) helicopters with next-generation rotorcraft. The purpose of the JMR TD is to demonstrate transformational vertical-lift capabilities that will prepare the DoD to make decisions about replacing the current vertical-lift fleet while reducing risk to the FVL. Both efforts play key roles in the development of the DoD rotorcraft fleet.
The SEI has long-standing collaborations across a large body of work related to the SAE International Architecture Analysis and Design Language (AADL) standard. These collaborators include Bruce Lewis of the U.S. Army Aviation and Missile Research, Development, and Engineering Center (AMRDEC) Software Engineering Directorate and Steve Vestal of Adventium Labs.
A Shadow Project to Build and Analyze a Virtual System
To address the early development concerns of these programs, the Army funded work on virtual system integration under the AADL standard, and the SEI is the technical lead. The SEI is especially suited for this work because Peter Feiler, an SEI Fellow and Principal Research Scientist, is the technical lead and author of the SAE AS-2C AADL standard. AADL is a textual and graphical language with precise execution semantics for modeling the architecture of embedded software systems, their target platforms, and the physical systems they interface with. These models represent virtually integrated systems that allow a program to identify system-level issues early in development.
With collaborator Adventium Labs, the SEI “shadowed” a JMR TD project of a government and two contractor teams to develop a prototype of an Aircraft Survivability Situation Awareness system. In the shadow project, the team worked separately but with the same documentation as the contractors. They used AADL to model each system and its subsystems as provided by the contractors and then analyzed the resulting virtually integrated system.
Virtual System Integration Finds System and Safety Issues Before Development
The resulting model of the Aircraft Survivability Situation Awareness system made clear that some requirements were too vague to implement. Some requirements conflicted with other requirements. The analysis also revealed architectural decisions that could have hindered the system in meeting response-time requirements, as well as calibration requirements that could have created unexpected latency and jitter. A development team would not usually see these effects until it puts the system together, runs it, and starts measuring the output.
The next task was to perform safety analyses. Existing safety analysis practice would not have included the situational-awareness system as a critical system component, despite the fact that embedded software systems have become major hazard contributors. We wanted to demonstrate that the automated safety analysis supported by AADL and its fault-modeling extension makes it feasible to extend safety analysis to embedded software systems and to identify exceptional conditions as potential hazards.
In the situational-awareness service, we identified exceptional conditions that could have delivered false-negative, false-positive, incorrect, untimely, and time-inconsistent information to the pilot, clearly potential hazards that could lead to loss of aircraft. The SEI then used the safety analysis results to identify hazard contributors that could be eliminated by changing the system design. This analysis also helped the SEI develop a complete and consistent set of requirements for the health-monitoring component, which informs the pilot of system malfunctions.
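As an added illustration, not part of the original page or of the JMR/ACVIP project's models, the constructed AADL fragment below sketches how the situation-awareness service and the exceptional conditions named above can be declared as error propagations with the Error Model Annex (EMV2), which is the fault-modeling extension the analysis relies on; the package, thread and port names, the period, and the mapping of each condition onto an ErrorLibrary type are assumptions.

```aadl
-- Constructed example: a minimal AADL model of the situation-awareness service.
-- The EMV2 annex declares, per port, which of the page's exceptional conditions
-- can reach the pilot, so an automated hazard analysis can trace them to sources.
package SA_Example
public
  with ErrorLibrary;

  annex EMV2 {**
    error types
      -- Assumed mapping of the page's conditions onto standard ErrorLibrary types.
      FalseNegative    : type extends ErrorLibrary::ItemOmission;
      FalsePositive    : type extends ErrorLibrary::ItemCommission;
      Incorrect        : type extends ErrorLibrary::ValueError;
      Untimely         : type extends ErrorLibrary::LateDelivery;
      TimeInconsistent : type extends ErrorLibrary::TimingError;
    end types;
  **};

  thread SituationAwareness
  features
    threat_in : in event data port;   -- fused threat reports from sensors
    sa_out    : out event data port;  -- situation picture sent to the pilot display
  flows
    f1 : flow path threat_in -> sa_out;  -- enables latency analysis on this path
  properties
    Dispatch_Protocol => Periodic;
    Period => 50 ms;  -- assumed value, not from the page
  annex EMV2 {**
    use types ErrorLibrary, SA_Example;
    error propagations
      threat_in : in propagation {ItemOmission, ValueError, LateDelivery};
      sa_out    : out propagation {FalseNegative, FalsePositive, Incorrect,
                                   Untimely, TimeInconsistent};
    flows
      -- Faults arriving on the input propagate to the pilot as hazards.
      ep1 : error path threat_in{ItemOmission} -> sa_out{FalseNegative};
      ep2 : error path threat_in{ValueError}   -> sa_out{Incorrect};
      ep3 : error path threat_in{LateDelivery} -> sa_out{Untimely};
      -- Faults the service can introduce on its own (e.g. stale or mis-merged data).
      es1 : error source sa_out{FalsePositive};
      es2 : error source sa_out{TimeInconsistent};
    end propagations;
  **};
  end SituationAwareness;
end SA_Example;
```

Each out-propagation on sa_out is a candidate hazard for the pilot; the error paths and sources record which contributors a design change must eliminate, and they also list the conditions a health-monitoring component would need to detect.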
By analyzing the virtual model, the team discovered a range of ambiguity and inconsistency issues in the documentation. Significantly, they found these potential issues early in the development process, before the system was built. Early discovery helps reduce cost and decrease certification time by enabling developers to perform assurance activities more effectively throughout the lifecycle of the system.
Watch a video by the Center for Strategic and International Studies about the Joint Multi-Role Technology Demonstrator. A discussion of software architecture begins at 7:40.
Read our collaborator Adventium’s report on the ACVIP shadow project.
Read the Defense-Aerospace report about Future Vertical Lift Getting Top-Notch Design Architecture.
Software and Tools
AASPE is a set of modeling tools for security analysis and a code generator to produce code for the seL4 platform from AADL models.
AADL provides a framework for analyzing system designs and supports architecture-centric, model-based development through the system lifecycle.
Looking Ahead: Wider Applications for Virtual Integration with AADL
JMR embraced this technology and dubbed it the “architecture-centric virtual integration practice,” or ACVIP. A team consisting of Bruce Lewis (AMRDEC), Peter Feiler (SEI), and Steve Vestal (Adventium Labs) developed a technology roadmap for the maturation and adoption of ACVIP and briefed JMR Program Director Dan Bailey. JMR found the results of the ACVIP shadow project important enough to share with contractors, and the JMR program team recommended that contractors use this technology in the next phase of JMR demonstrations. JMR is accelerating the maturation and adoption of AADL through ACVIP after the successful shadow project by the SEI and Adventium Labs showed that potential requirements and system-integration issues could be identified early in the development process.
February 05, 2021 Presentation
This presentation by Jerome Hugues and John Hudak was given virtually at AADL/ACVIP User Days 2021.
November 04, 2020 Presentation
To understand interactions between safety and security mechanisms, CMU SEI researchers are developing an integrated safety and security engineering approach supported by an AADL workbench.
Architecture Centric Virtual Integration Process (ACVIP): A Key Component of the DoD Digital Engineering Strategy
September 27, 2019 Conference Paper
ACVIP is a compositional, architecture-centric, model-based approach enabling virtual integration analysis in the early phases and throughout the lifecycle to detect and remove defects that currently are not found until integration and test.
Architecture-Led Safety Analysis of the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System
December 31, 2015 Special Report
This report summarizes an architecture-led safety analysis of the aircraft-survivability situation-awareness system for the Joint Multi-Role vertical lift program.
Potential System Integration Issues in the Joint Multi-Role (JMR) Joint Common Architecture (JCA) Demonstration System
December 31, 2015 Special Report
This report describes a method for capturing information from requirements documents in AADL to identify potential integration problems early in system development.
Joint Common Architecture (JCA) Demonstration Architecture-Centric Virtual Integration Process (ACVIP) Shadow Effort
May 07, 2015 Conference Paper
The U.S. Army is investigating a new approach to model-based engineering called the Architecture-Centric Virtual Integration Process, based on the SAE Standard for AADL.
The AADL in Practice Workshop combines AADL training and an AADL modeling workshop to provide practical knowledge as well as an opportunity to practice skills in a realistic setting. This Workshop will transfer expertise to participants through an effective combination of training and mentoring during practice. Organizations seeking to increase...