Distributed dependable real-time embedded software systems, like Satellite on board software, are becoming increasingly complex due to the demand for extended functionalities or the reuse of legacy code and components. Model-Driven Engineering (MDE) approaches are good solutions to help build such complex systems. Addressing domain specific modeling (like component description and interaction, real-time constraints, ...) while keeping the flexibility and generality offered by languages like UML is a challenge in a context where software must be qualified according to safety and reliability standards.
That's why the CHESS project was created to address the development of high-integrity embedded systems by combining component-based development on top of model driven engineering and addressing dependability and real-time specific constraints.
The CHESS project provides a model-driven, component-based methodology  and tool support for the development of high-integrity systems for different domains. The methodology is particularly suited for space systems and industrial domains.
Thanks to a dedicated MARTE and UML profile and associated tooling, CHESS addresses solutions to problems of property-preserving component assembly in real-time and dependable embedded systems, and supports the description, verification, and preservation of real-time properties (like sporadic/periodic activation patterns, worst case execution time, deadline) of software components at the level of component design down to the execution level.
CHESS also addresses the description and verification of system and component dependability properties (like fault, error, failures and failures propagations) through a dedicated UML profile for dependability and seamless integration with embedded and external dependability tools enabling failure propagation and state based analysis.
CHESS also provides a profile allowing contract-based design and dedicated model transformation enabling seamless integration with external tools for the verification of contracts specification.
CHESS tooling extends Papyrus editor to properly support the CHESS methodology, in particular allowing working with different views on the model including requirements, system, components, deployment and analysis view.
CHESS implements the CHESS UML/SysML profile, a specialization of the Modeling and Analysis of Real-Time and Embedded Systems (MARTE) profile, by producing extensions to Papyrus that provide component-based engineering methodology and tool support for the development of high-integrity embedded systems in different domains like satellite on board systems
The CHESS tool environment is composed by: (1) a MARTE, UML and SysML profile, (2) an extension to the Papyrus UML graphical editor that supports the notion of design views, (3) a model validator that assesses the well-formedness of the model before model transformations can be undertaken, and (4) a set of model to model and model to text transformations, the former for the purpose of model-based schedulability,dependability and contract-based design analysis, and the latter for code generation toward multiple language targets.
The CHESS UML profile:
- restricts the set of MARTE, SysML and UML entities that can be created in the CHESS model,
- provides the set of stereotypes required to enable the user to work with the CHESS component model,
- provides some MARTE stereotypes extensions to allow the specification of computation-independent real-time properties,
- defines a new set of stereotypes for the support of dependability modeling and contract-based design.
The CHESS editor extends the Papyrus UML editor and is activated when a CHESS model is created or opened (see Figure 1).
A CHESS model is a UML model with the CHESS profile applied to it; creating a CHESS model and applying the CHESS profile can be done using a dedicated wizard.
The CHESS editor allows working with the Papyrus UML by using the CHESS design views. Each design view applies specific constraints on the UML diagrams and entities that can be created, viewed or edited in that view.
The CHESS editor allows switching between views. It also keeps the status of the current view and during the modeling activity prevents the modeler from violating the constraints defined for the current diagram-view pair.
The native Papyrus palettes have been customized in order to show only the entities that are allowed to be created in the current diagram view.
The views defined in CHESS are the requirement, system, component, deployment and analysis views.
The requirement view is used to model requirements by using the standard requirement diagram from SysML.
The system view is used to model system entities by using SysML; it is an ongoing development that has been recently introduced in CHESS in order to support the system to software co-engineering phase.
The component view is used to model CHESS software components (also called the PIM model): is actually composed by two sub-views, the functional and the extra-functional ones, according to the CHESS separation of concerns principle.
For reasons of practicality, not all the constraints posed by the CHESS methodology on the model formalisms and contents can be enforced on the fly during user modeling; some of them must be checked in a batch mode. To this end the CHESS editor extends the standard UML model validator which ad-hoc checks that the user model conforms with the constraints imposed by the CHESS methodology, for example the well-formedness of entities, attributes, relations.
CHESS supports model-based analysis of the systems for schedulability, dependability, as well as code generation from model. Both features are implemented through model transformations which are invoked through the CHESS editor menu.
Dependability analysis currently supported are:
- failure propagation analysis,
- state-based quantitative analysis.
Integration with OCRA external tool for formal verification of contract refinement is implemented.
SCHEDULABILITY ANALYSIS AND ADA 2005 CODE GENERATION
Schedulability analysis allows the calculation of the worst case response time for each declared periodic or sporadic activity. The analysis results are back propagated to the proper PIM components, also a summary report is provided to the user (see Figure 7). The intent of the back-propagation feature is that the user need not be concerned with the specifics of the analysis tool and need not learn its input and output formats: back-propagation decorates the user model with the relevant information that results from the analysis in full transparency from the analysis engine and its actual operation.
The real-time properties of interest like period, offset and minimal inter-arrival time are specified in the model through a dedicated declarative language defined in the CHESS profile. The aforementioned properties are then automatically applied to the model implementation through model transformation in accord with the computational model chosen by the user. At the present time, CHESS supports the Ravenscar Computational Model  which meets the requirements of a large spectrum of real-time application domains. The generated implementation (called the PSM, for platform-specific model) is then given in input to the schedulability analysis and it also used during the code generation phase:
The preservation of other real-time properties related to the execution time like WCET and deadline is also enforced in the generated code through dedicated checks by using specific API of the target run-time environment (this feature is an on-going development).
This approach guarantees the preservation of the real-time properties statically assumed in the PIM and PSM models, and verified by the analysis down to the code.
The schedulability analysis is performed by using an adaptation of the third-party MAST tool developed and distributed by the University of Cantabria .
Regarding the transformation chain (Figure 8), first the CHESS PIM is transformed into the PSM model by using QVT-o. Then the PSM is transformed into the MAST input by using Acceleo and Java. Regarding the back propagation, Java is used first to load the MAST results into the PSM, then QVT-o traces are used to propagate the results back to the PIM model.
A. Burns, B. Dobbing, T. Vardanega. Guide to the Use of the Ada Ravenscar Profile in High Integrity Systems. Technical Report YCS-2003-348. University of York (UK), 2003. Available athttp://www.sigada.org/ada_letters/jun2004/ravenscar_article.pdf.
Universidad de Cantabria. Mast: Modeling and Analysis Suite for Real-Time Applications. http://mast.unican.es/