Skip to main content



The CHESS (Composition with Guarantees for High-integrity Embedded Software Components Assembly) project ( is a proposed open source project under the Polarsys Top Level Project.

This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the Eclipse community. Please send all feedback to the Eclipse Proposals Forum.


Distributed dependable real-time embedded software systems, like Satellite on board software, are becoming increasingly complex due to the demand for extended functionalities or the reuse of legacy code and components. Model-Driven Engineering (MDE) approaches are good solutions to help build such complex systems. Addressing domain specific modeling (like component description and interaction, real-time constraints, ...) while keeping the flexibility and generality offered by languages like UML is a challenge in a context where software must be qualified according to safety and reliability standards.

That's why the CHESS project was created to address the development of high-integrity embedded systems by combining component-based development on top of model driven engineering and addressing dependability and real-time specific constraints.


The CHESS project provides a model-driven, component-based methodology [1] and tool support for the development of high-integrity systems for different domains. The methodology is particularly suited for space systems and industrial domains.

Thanks to a dedicated MARTE and UML profile and associated tooling, CHESS addresses solutions to problems of property-preserving component assembly in real-time and dependable embedded systems, and supports the description, verification, and preservation of real-time properties (like sporadic/periodic activation patterns, worst case execution time, deadline) of software components at the level of component design down to the execution level.

CHESS also addresses the description and verification of system and component dependability properties (like fault, error, failures and failures propagations); however it is worth mentioning here that the dependability support (also described later in the proposal) is not part of the current CHESS contribution.

CHESS tooling extends Papyrus editor to properly support the CHESS methodology, in particular allowing working with different views on the model including requirements, system, components, deployment and analysis view.


CHESS implements the CHESS UML profile, a specialization of the Modeling and Analysis of Real-Time and Embedded Systems (MARTE) profile, by producing extensions to Papyrus that provide component-based engineering methodology and tool support for the development of high-integrity embedded systems in different domains like satellite on board systems

The CHESS tool environment is composed by: (1) a MARTE/UML profile, (2) an extension to the Papyrus UML graphical editor that supports the notion of design views, (3) a model validator that assesses the well-formedness of the model before model transformations can be undertaken, and (4) a set of model to model and model to text transformations, the former for the purpose of model-based schedulability and dependability analysis and the latter for code generation toward multiple language targets.

CHESS Profile

The CHESS UML profile [1]:

  • restricts the set of MARTE and UML entities that can be created in the CHESS model,
  • provides the set of stereotypes required to enable the user to work with the CHESS component model,
  • provides some MARTE stereotypes extensions to allow the specification of computation-independent real-time properties,
  • defines a new set of stereotypes for the support of dependability modeling.

CHESS Editor

The CHESS editor extends the Papyrus UML editor and is activated when a CHESS model is created or opened (see Figure 1).

A CHESS model is a UML model with the CHESS profile applied to it; creating a CHESS model and applying the CHESS profile can be done using a dedicated wizard.

The CHESS editor allows working with the Papyrus UML by using the CHESS design views. Each design view applies specific constraints on the UML diagrams and entities that can be created, viewed or edited in that view.

The CHESS editor allows switching between views. It also keeps the status of the current view and during the modeling activity prevents the modeler from violating the constraints defined for the current diagram-view pair.

The native Papyrus palettes have been customized in order to show only the entities that are allowed to be created in the current diagram view.


The views defined in CHESS are the requirement, system, component, deployment and analysis views.

The requirement view is used to model requirements by using the standard requirement diagram from SysML.

The system view is used to model system entities by using SysML; it is an ongoing development that has been recently introduced in CHESS in order to support the system to software co-engineering phase.

The component view is used to model CHESS software components (also called the PIM model): is actually composed by two sub-views, the functional and the extra-functional ones, according to the CHESS separation of concerns principle.

The functional view allows the functional specification of the CHESS components (see Figure 1 and Figure 2).

Figure 1: Component View - Functional View - Component Types

Figure 2: Component View - Functional View - Component Instances

The extra functional view (see Figure 3) allows the specification of real time properties like periodic and sporadic activation patterns, worst-case execution time and deadline. Regarding dependability it supports the specification of error models (i.e. fault-error-failure chains) for software and offers the possibility for the user to specify probabilistic values related to fault occurrence and failure propagation between components.

Figure 3: Component View - Extra Functional View - Component Instances

The deployment view (Figure 4) is used to describe the hardware platform where the software runs (i.e. CPUs, buses) and software to hardware components allocation. Dependability properties can be provided for the hardware as for the software components. Moreover failures propagation from hardware to software can be specified.

Figure 4: Deployment View - HW Component instance and SW allocation

The analysis view (Figure 5) is used to provide information needed to run the specific analysis; in particular it is currently useful to set the information about the dependability measure of interest (i.e. reliability or availability) that needs to be evaluated.

Figure 5: Analysis View

Model validator

For reasons of practicality, not all the constraints posed by the CHESS methodology on the model formalisms and contents can be enforced on the fly during user modeling; some of them must be checked in a batch mode. To this end the CHESS editor extends the standard UML model validator which ad-hoc checks that the user model conforms with the constraints imposed by the CHESS methodology, for example the well-formedness of entities, attributes, relations.

Figure 6: Invoking CHESS model validator

Model transformations

CHESS supports model-based analysis of the systems for schedulability and dependability, as well as code generation from model. Both features are implemented through model transformations which are invoked through the CHESS editor menu.

Schedulability Analysis and Ada 2005 Code Generation

Schedulability analysis allows the calculation of the worst case response time for each declared periodic or sporadic activity. The analysis results are back propagated to the proper PIM components, also a summary report is provided to the user (see Figure 7). The intent of the back-propagation feature is that the user need not be concerned with the specifics of the analysis tool and need not learn its input and output formats: back-propagation decorates the user model with the relevant information that results from the analysis in full transparency from the analysis engine and its actual operation.

Figure 7: Schedulability Analysis Report

The real-time properties of interest like period, offset and minimal inter-arrival time are specified in the model through a dedicated declarative language defined in the CHESS profile. The aforementioned properties are then automatically applied to the model implementation through model transformation in accord with the computational model chosen by the user. At the present time, CHESS supports the Ravenscar Computational Model [2] which meets the requirements of a large spectrum of real-time application domains. The generated implementation (called the PSM, for platform-specific model) is then given in input to the schedulability analysis and it also used during the code generation phase:

The preservation of other real-time properties related to the execution time like WCET and deadline is also enforced in the generated code through dedicated checks by using specific API of the target run-time environment (this feature is an on-going development).

This approach guarantees the preservation of the real-time properties statically assumed in the PIM and PSM models, and verified by the analysis down to the code.

The schedulability analysis is performed by using an adaptation of the third-party MAST tool developed and distributed by the University of Cantabria [3].

Regarding the transformation chain (Figure 7), first the CHESS PIM is transformed into the PSM model by using QVT-o. Then the PSM is transformed into the MAST input by using Acceleo and Java. Regarding the back propagation, Java is used first to load the MAST results into the PSM, then QVT-o traces are used to propagate the results back to the PIM model

Figure 8: transformation chain

Acceleo and Java services are then used to generate the Ada 2005 code from the PSM.

Why Polarsys?

Adding CHESS to the PolarSys portfolio is a good way to serve the Space industry community which has expressed interest in and support for the CHESS concept, method, and features, and to reach out to new industry domains likes Aerospace, Railway, Automotive or Telecommunications, some of which have already been exposed to CHESS with good reverberations.

Initial Contribution

The proposed initial contribution includes the following features:

The CHESS Editor supporting the CHESS Methodology, this editor is developed by means of a number of extensions and plug-ins for Papyrus, including support for design through views.

Integration of PIM to PSM transformation with QVT, and code generation for ADA 2005 with Acceleo

Integration of PSM to MAST for schedulability analysis and MAST to PIM back annotation transformations .

Legal Issues

All the code of to the initial contribution is provided by Intecs and the University of Padova under EPL.


The following individuals are proposed as initial committers to the project:

Stefano Puri, INTECS
Stefano is a committer on the CHESS methodology basis and on the related toolset development where he made significant contributions over many years. He will coordinate and contribute to the extension, qualification and maintenance of the CHESS capabilities in this new project.
Nicholas Pacini, INTECS
Nicholas provided significant contributions to the existing code base. He will contribute to the development and qualification activities in this new project.
Lei is involved in Topcased since 2006, he will contribute to smooth the integration of CHESS projects in the Polarsys bundles.
Alessandro Zovi, University of Padova
Alessandro was a key developer of the CHESS toolset and in that effort he acquired profound knowledge of the Eclipse stack and of the Papyrus internals. He will coordinate with Stefano Puri in all the activities related with the CHESS evolution to Polarsys.

We welcome additional committers and contributions.

Project Leads

Silvia Mazzini, Intecs
Silvia MAZZINI has more than 25 years of experience in the System and Software Engineering field. She is Methodologies and R&D Manager at Intecs, where she is involved both in technical leadership and management activities in the context of several international industrial and research projects. Ms. Mazzini took her master degree in Computer Science at Pisa University in Italy.
Tullio Vardanega, University of Padova
Tullio has a curriculum that traverses organizational, industrial, didactic and research work, for a total span of 25 years of professional activity. With a master degree in Computer Science at the University of Pisa in Italy, a PhD in Computer Science at the Technical University of Delft (Netherlands), an 11-year period of service at the European Space Agency, vast experience with the conception, evaluation, review and execution of international collaborative research projects, he is now an associate professor at the University of Padova in Italy where he runs a group of nearly a dozen young collaborators from graduate to doctoral to post-doc students.


The following Architecture Council members will mentor this project:

  • Maximilian Koegel
  • Jonas Helming

Interested Parties

The following individuals, organisations, companies and projects have expressed interest in this project:

  • CNES
  • Airbus
  • Astrium
  • Obeo

Project Scheduling

  • Creation - November 2013
  • CHESS roadmap

Changes to this Document




Document created


Added description about CHESS editor and model transformations.


Document Review.


  1. D2.3.2 - Multi-concern Component Methodology (MCM) and Toolset, Version 1.0 ,10 January 2012, CHESS public deliverables available at
  2. A. Burns, B. Dobbing, T. Vardanega. Guide to the Use of the Ada Ravenscar Profile in High Integrity Systems. Technical Report YCS-2003-348. University of York (UK), 2003. Available at
  3. Universidad de Cantabria. Mast: Modeling and Analysis Suite for Real-Time Applications.

Back to the top