You are here

Incremental Partitioning to Minimize Upgrade Change Impacts



OBJECTIVE: Develop a capability for analyzing the ripple effects of incrementally updating architectural models of mission systems specified in the SAE 5506 Architecture Analysis & Design Language (AADL) and/or the Object Management Group Systems Modeling Language (SysML) in a manner that allows a user to understand and minimize the recertification impact of the architectural model change. The capability should be integrated with current model-based tools that automatically generate and analyze integration and configuration data. 

DESCRIPTION: A major reason that system upgrades are so expensive in aviation systems is that all changes to the system must be recertified. Changes to a few components may have broad impact across the entire system, requiring more time, money, and effort to recertify large portions of the system than if those impacts could be constrained to the few components that are changed. The Army is interested in generating integration and configuration data from model based sources that specify the software/hardware/system architecture of safety and security critical partitioned aviation mission systems in AADL or SysML. Many tools are available that are effective in configuring and generating this data for initial deployment. However, they are not currently change aware. That is, changes to the AADL or SysML model will result in a wholly new set of data the next time the tool is run without any measurement or analysis of the effect of those changes with respect to how many parts of the overall system will be affected. A broader approach to these generation and analysis tools that addresses safety and security certification is needed. The expectation is that multiple existing tools will be extended and integrated rather than a single new tool developed. By making these tools change aware, certification impacts can be mitigated. For example, a tool that generates real-time schedules that is not change aware may alter the scheduling of every partition on the system to produce a new schedule when a new component is added or swapped out. This results in the entire schedule needing to be reevaluated and the entire system retested. A change aware scheduling tool could, for example, instead generate a schedule that adds the new component in a way that minimizes the changes to other component schedules. Then only the new component and those changes need to be examined, as the others will retain the same schedule and guarantees that were previously certified. This reduces recertification costs and time. Furthermore, with such a capability (keeping with the scheduling example), schedules could be generated for initial deployment that could already be more robust against these sorts of changes. AADL or SysML model-based analysis tools can be made change aware as well. For example, a tool that analyzes an AADL model to determine compliance with Multiple Independent Levels of Security (MILS) requirements could be extended so as to be able to show that an unchanged partition in an altered system cannot send or receive any new data, despite new (compliant) information flows being added elsewhere. 

PHASE I: Develop and demonstrate the feasibility of at least one change aware AADL and/or SysML model-based tool. Integrate a basic incremental update capability into an existing tool and show how it improves output from a change minimization perspective. 

PHASE II: Based on Phase I effort, develop and demonstrate robust capabilities for updating model-based tools to be change aware. These updated tools should minimize change effects across a broad range of tool outputs, such as schedules, information flows, and isolation. Demonstrate updated change aware tools that identify which components need to be reevaluated and recertified between runs of data generating tools. 

PHASE III: Apply change aware model-based tools to an Army platform in development. Mature tools to a level where they can be used in platform development by the Army and private sector. While the Army Aviation is interested in change aware tools, this technology is broadly applicable to all participants in the acquisitions pipeline. Performers from component developers to system integrators can all make use of such tools to reduce costs in system development for all parties involved. 


1: Challenges for an Open and Evolutionary Approach to Safety Assurance and Certification of Safety-Critical Systems, Huáscar Espinoza et al, 2011.

2:  Verification of Cyber-Physical Systems, Majumdar, Murray, and Prabhakar, 2014.

3:  Survey of Model-Based Systems Engineering (MBSE) Methodologies, Jeff A. Estefan, Jet Propulsion Laboratory, California Institute of Technology, 2008.

4:  Evidence Based Certification: The Safety Case Approach, Kelly, High Integrity Systems Engineering Group, University of York, 2008.

5:  SAE AS 5506B, "Architectural Analysis and Design Language (AADL)", Sept 2012

6:  OMG SysML version 1.5, May 2017

KEYWORDS: Model Based Engineering (MBE), Model Based Systems Engineering (MBSE), Architecture Centric Virtual Integration Process (ACVIP), Architectural Analysis And Design Language (AADL), SysML 


Mr. Alex Boydston 

(256) 313-5226 

US Flag An Official Website of the United States Government