Supporting the U.S. Army's Joint Multi-Role Technology Demonstrator Effort
Created September 2017
To support the upcoming Future Vertical Lift initiative, the SEI demonstrated how virtual integration can improve affordability and reduce certification time. We built architectural models of the software and hardware and tested them to reveal potential problems early in development, when the cost of fixing them is much lower.
Avionics Systems Are Increasingly Expensive to Develop
Software for mission- and safety-critical systems, such as avionics systems in aircraft, grows ever larger and more expensive. Software now accounts for two-thirds of total system cost. A 2002 study by the National Institute of Standards and Technology revealed that most problems in software systems are introduced during requirements specification and architecture design but are not discovered until after unit testing. This pattern has not changed as mission- and safety-critical systems have become more complex.
These concerns are important to the U.S. Army personnel who lead the Joint Multi-Role Technology Demonstrator (JMR TD) program and the Future Vertical Lift (FVL) initiative. FVL is an ambitious plan to replace all U.S. Department of Defense (DoD) helicopters with next-generation rotorcraft. The purpose of the JMR TD is to demonstrate transformational vertical-lift capabilities that will prepare the DoD to make decisions about replacing the current vertical-lift fleet while reducing risk to the FVL. Both efforts play key roles in the development of the DoD rotorcraft fleet.
The SEI has long-standing partnerships in a large body of work related to the SAE International Architecture Analysis and Design Language (AADL) standard. These collaborators include Bruce Lewis of the U.S. Army Aviation and Missile Research, Development, and Engineering Center (AMRDEC) Software Engineering Directorate and Steve Vestal of Adventium Labs.
A Shadow Project to Build and Analyze a Virtual System
To address the early development concerns of these programs, the Army funded work on virtual system integration under the AADL standard, and the SEI is the technical lead. The SEI is especially suited for this work because Peter Feiler, an SEI Fellow and Principal Research Scientist, is the technical lead and author of the SAE AS-2C AADL standard. AADL is a textual and graphical language with precise execution semantics for modeling the architecture of embedded software systems, their target platforms, and the physical systems they interface with. These models represent virtually integrated systems that allow a program to identify system-level issues early in development.
With collaborator Adventium Labs, the SEI “shadowed” a JMR TD project of a government and two contractor teams to develop a prototype of an Aircraft Survivability Situation Awareness system. In the shadow project, the team worked separately but with the same documentation as the contractors. They used AADL to model each system and its subsystems as provided by the contractors and then analyzed the resulting virtually integrated system.
Virtual System Integration Finds System and Safety Issues Before Development
The resulting model of the Aircraft Survivability Situation Awareness system made clear that some requirements were too vague to implement. Some requirements conflicted with other requirements. The analysis also revealed architectural decisions that could have hindered the system in meeting response-time requirements as well as calibration requirements that could have created unexpected latency and jitter. A development team would not usually see these effects until they put the system together, run it, and start measuring the output.
The next task was to perform safety analyses. Existing safety analysis practice would not have included the situational-awareness system as a critical system component despite the fact that embedded software systems have become major hazard contributors. We wanted to demonstrate that the automated safety analysis supported by AADL and its fault-modeling extension make it feasible to extend safety analysis to embedded software systems to identify exceptional conditions as potential hazards.
In the situational-awareness service, we identified exceptional conditions that could have delivered false-negative, false-positive, incorrect, untimely, and time-inconsistent information to the pilot, clearly potential hazards that could lead to loss of aircraft. The SEI then used the safety analysis results to identify hazard contributors that could be eliminated by changing the system design. This analysis also helped the SEI develop a complete and consistent set of requirements for the health-monitoring component, which informs the pilot of system malfunctions.
By analyzing the virtual model, the team discovered a range of ambiguity and inconsistency issues in the documentation. Significantly, they found these potential issues early in the development process, before the system was built. Early discovery helps reduce cost and decrease certification time by enabling developers to perform assurance activities more effectively throughout the lifecycle of the system.
Watch a video by the Center for Strategic International Studies about the Joint Multi-Role Technology Demonstrator. A discussion of software architecture begins at 7:40.
Read our collaborator Adventium’s report on the ACVIP shadow project.
Read the Defense-Aerospace report about Future Vertical Lift Getting Top-Notch Design Architecture.
Software and Tools
AASPE is a set of modeling tools for security analysis and a code generator to produce code for the seL4 platform from AADL models.download
AADL provides a framework for analyzing system designs and supports architecture-centric, model-based development through the system lifecycle.download
Looking Ahead: Wider Applications for Virtual Integration with AADL
JMR embraced this technology and dubbed it the “architecture-centric virtual integration practice,” or ACVIP. A team consisting of Bruce Lewis (AMRDEC), Peter Feiler (SEI), and Steve Vestal (Adventium Labs) developed a technology roadmap for the maturation and adoption of ACVIP and briefed JMR Program Director Dan Bailey. JMR found the results of the ACVIP shadow project important enough to share with contractors, and the JMR program team recommended that contractors use this technology in the next phase of JMR demonstrations. JMR is accelerating the maturation and adoption of AADL through ACVIP after the successful shadow project by the SEI and Adventium Labs showed that potential requirements and system-integration issues could be identified early in the development process.
December 13, 2021 Blog Post
Challenges observed in making the transition from traditional development practices to digital engineering...read
May 10, 2021 Blog Post
Critical systems must be safe from harm and secure, but safety and security practices have evolved in isolation. The SEI is improving coordination between safety and security...read
February 05, 2021 Presentation
This presentation by Jerome Hugues and John Hudak was given virtually at AADL/ACVIP User Days 2021.read
The AADL in Practice Workshop combines AADL training and an AADL modeling workshop to provide practical knowledge as well as an opportunity to practice skills in a realistic setting. This Workshop will transfer expertise to participants through an effective combination of training and mentoring during practice. Organizations seeking to increase...Register