search menu icon-carat-right cmu-wordmark

Architecture Analysis and Design Language

Created July 2019

Software for mission- and safety-critical systems, such as avionics systems in aircraft, is growing larger and more expensive. The Architecture Analysis and Design Language (AADL) addresses common problems in the development of these systems, such as mismatched assumptions about the physical system, computer hardware, software, and their interactions that can result in system problems detected too late in the development lifecycle. This creates an increasingly unaffordable and potentially dangerous situation for developers and users of mission- and safety-critical technologies.

Model-based Engineering for Embedded Systems

The AADL framework allows the analysis of system designs (and system of systems designs) prior to development and supports an architecture-centric, model-based development approach throughout the system lifecycle. AADL is targeted at real-time systems, embedded systems where sensors and actuators are tightly coupled with software components and facilitate the analysis of interactions between hardware and software components. It focuses on system design specification using a rich, formal semantics that can be used to analyze and generate the system.

The AADL standard:

  • gives you the power to specify and generate a single model that can be analyzed for multiple qualities
  • provides an industry-standard, textual and graphic notation with precise semantics to model applications and execution platforms
  • features an XML interchange format that supports the exchange of models between subcontractors, integrators, and agencies
  • includes a UML profile that presents AADL as a specialized modeling notation within UML framework
  • is supported by commercial and open source tool solutions

Understanding the Model

An AADL model contains component types and implementation with their interfaces, subcomponents, and other properties. It defines the system in a hierarchical manner, with a top component called the root system and other component categories are grouped into three clusters: hardware, software, and hybrid.

The language is constantly being evolved by the standardization committee.


The SAE AADL standard can lower development and maintenance costs by

  • providing a standard, precise syntax and semantics for performance-critical systems,  so that documentation can be well defined
  • providing the ability to model large-scale (multi-contractor) architectures from many aspects in a single analyzable model that can be incrementally refined
  • capturing the “architectural API” needed to evaluate the effect of change, such as the emergent properties of integration (e.g., safety, schedulability, end-to-end latency, and security)
  • allowing early and life-cycle tracking of modeling and analysis
  • analyzing the system structure and runtime behavior rather than functional behavior, complementing functional simulation
  • providing a great complement to reference architectures and component-based or product-line development


Several Department of Defense projects have used AADL, including the Joint Multi-Role Technology Demonstrator, Future Vertical Lift, and the DARPA High-Assurance Cyber Military Systems program

The U.S. Army Joint Multi-Role Technology Demonstrator (JMR TD), which is helping to develop the DoD’s next-generation rotorcraft fleet (Future Vertical Lift), is accelerating its adoption of AADL after a successful shadow project by the SEI and Adventium Labs showed potential requirements and system-integration issues could be identified early in the development process.

The DARPA High-Assurance Cyber Military Systems program used AADL in its work the Secure Mathematically-Assured Composition of Control Models project to reduce security risks of software in unmanned vehicles. A red team was unable to penetrate their software over a six-week period, despite access to source code, due to their use of contract-based compositional verification, auto-code generation from verified models, and a certified real-time OS kernel.

Our Solution: Augmenting the AADL Model

There are two ways to augment an AADL model to add characteristics other than those defined in the core language: user-defined properties and annexes.

User-defined AADL properties are a quick and simple way to add new characteristics to the AADL elements (e.g., components, features, connections) and do not need specific tool support.

AADL annexes are more complex and augment the core language with new elements. They need a specific parser, so they are not supported natively by the existing complier.

This year, a number of updates were made to the toolset, including enhancements to the graphical editor and several analysis capabilities, and the creation of a workflow layer that will extend its adoption by practitioners.

Related Courses

AADL in Practice Workshop

The AADL in Practice Workshop combines AADL training and an AADL modeling workshop to provide practical knowledge as well as an opportunity to practice skills in a realistic setting. This Workshop will transfer expertise to participants through an effective combination of training and mentoring during practice. Organizations seeking to increase...