Model-based Analysis Support for Dependable Complex Systems in

CHESS

Alberto Debiasi

, Felicien Ihirwe

, Pierluigi Pierini

, Silvia Mazzini

and Stefano Tonetta

Innovation Technology Service Lab, Intecs Solutions Spa, Pisa, Italy

Embedded Systems Unit, Fondazione Bruno Kessler (FBK), Povo, Italy

Keywords:

CHESS, Model Driven Engineering, Complex Systems, Dependability Analysis.

Abstract:

The challenges related to dependable complex systems are heterogeneous and involve different aspects of the

system. On one hand, the decision-making processes need to take into account many options. On the other

hand, the design of the system logical architecture must consider various dependability concerns such as safety,

reliability, and security. Moreover, in case of high-assurance systems, the analysis of such concerns must be

performed with rigorous methods. In this paper, we present the new development of CHESS, a cross-domain,

model-driven, component-based and open-source tool for the development of high-integrity systems. We focus

on the new recently distributed version of CHESS, which supports extended model-based development and

analyses for safety and security concerns.

1 INTRODUCTION

The ever increasing complexity and dependability is-

sues of systems in various domains, such as trans-

portation, space, energy, health, and industrial pro-

duction, requires effective design and development

methods. The complexity and heterogeneity of com-

ponents can be addressed with modeling approaches

that span different technical disciplines and prove ef-

fective in the end-to-end engineering of the prod-

ucts. This implies taking into account various require-

ments such as quality, performance, cost, safety, se-

curity, and reliability. Model-based design technolo-

gies enable the user to perform beforehand different

assurance-related activities such as physical architec-

ture exploration, system’s behavioral analysis, early

veriﬁcation, and validation.

The CHESS toolset (Cicchetti et al., 2012) offers a

cross-domain modeling and analysis of high-integrity

systems providing an integrated framework that helps

the modeler (user) to automate different development

phases: from the requirements deﬁnition, to the archi-

tectural modeling of the system’s software and hard-

ware, up to its deployment to an hardware platform

(Cicchetti et al., 2012). CHESS follows a component-

based approach where the user decouples different

functional parts of the system as components that can

be modeled, analyzed, veriﬁed, stored, reused indi-

vidually, and be integrated to meet the system’s com-

mon goals. CHESS supports, among other, schedu-

lability and dependability analysis across the entire

project life cycle. The results of the analysis are back-

propagated to the model itself so that the modeler can

review and ﬁne-tune the model to satisfy real-time

and dependability requirements.

CHESS tool recently became a full-ﬂedged open-

source project, hosted by The Eclipse Foundation

(https://www.eclipse.org/chess/). The code has being

developed by various contributors following an open-

source approach with public projects for issue track-

ing, code repository branches, and continuous inte-

gration. This paper presents the latest development

of CHESS to address software’s security and safety

analysis of the system exploiting the CHESS error

model to represent faults and attacks. Analysis is

completed by the integration with back-end tools such

as xSAP (Bittner et al., 2016) and Mobius (Court-

ney et al., 2009) for the minimal cut sets analysis and

Monte-Carlo simulation.

CHESS was developed, used and extended in

many research projects, by both industrial and aca-

demic partners. To list a few, CHESS was involved

in international projects such as the homonymous

CHESS project

, CONCERTO

, and SESAMO

http://www.chess-project.org/

http://www.concerto-project.org/

http://sesamo-project.eu/

262

Debiasi, A., Ihirwe, F., Pierini, P., Mazzini, S. and Tonetta, S.

Model-based Analysis Support for Dependable Complex Systems in CHESS.

DOI: 10.5220/0010269702620269

In Proceedings of the 9th Inter national Conference on Model-Driven Engineering and Software Development (MODELSWARD 2021), pages 262-269

ISBN: 978-989-758-487-9

under the ARTEMIS Joint Undertaking initiative,

AMASS

, AQUAS

, and MegaM@Rt

, under the

ECSEL Joint Undertaking initiative. CHESS has been

applied in different domains such as Avionics (Go-

dard and Nelissen, 2016), Automotive (Bressan et al.,

2018), Space (Pace et al., 2014), Telecommunica-

tion (Mazzini, 2015), and Petroleum (Gallina et al.,

2014)(Montecchi and Gallina, 2017).

The rest of the paper is arranged into ﬁve sections.

Sections 2 provides an introduction to the CHESS tool

building blocks and methodology, Section 3 presents

the new major features released under CHESS 1.0.0,

Section 4 discusses the related work. In Section 5

we present the envisioned future extension on CHESS

and ﬁnally Section 6 concludes the paper.

2 CHESS IN A NUTSHELL

The CHESS modeling tool was released under the

Eclipse PolarSys project

and recently it was moved

from the incubation status to the ﬁrst major re-

lease. The CHESSML is an integrated modelling lan-

guage proﬁled from OMG standard languages: UML,

SysML and MARTE under the Papyrus modeling en-

vironment

Not all the features from all the three lan-

guages were proﬁled to CHESS but only a speciﬁc

subsets that suits CHESS’s perspective. In particular

sub-proﬁles supporting contract-based and depend-

ability concerns have been deﬁned, while MARTE

has been adopted (with minor deviations) for what

concern the timing perspective. There are different

tools, plugins, and languages that were integrated into

CHESS to support model validation, model checking,

realtime and dependability analysis.

In this section, we are going to brieﬂy describe

the core aspects of CHESS methodology. We will

also look in brief at different analysis mechanisms

that are being performed in CHESS and how they link

together to enhance system correctness.

2.1 Component-based Methodology

The CHESSML language supports a component-

based development methodology enabling property-

preserving component assembly for real-time and de-

pendable embedded systems. Emphasis is given to

separation of concerns between the functional and

https://www.amass-ecsel.eu/

https://aquas-project.eu/

https://megamart2-ecsel.eu/

https://projects.eclipse.org/projects/polarsys.chess

https://www.eclipse.org/papyrus/

the non-functional dimensions, such as safety, secu-

rity, reliability, performance, and robustness (Mazzini

et al., 2015).

In CHESS, components at design level encompass

functional concerns only (i.e., they are devoid of any

constructs pertaining to tasking and speciﬁc compu-

tational model). The speciﬁcation of non-functional

attributes is then used for the automated generation

of the container, enforcing the realization of the non-

functional attributes declared for the component to be

wrapped.

The CHESS methodology follows the “Correct-

ness by Construction” practice which enforces (1)

the use of formal and precise tools and notations for

the development and the veriﬁcation of all product

items; (2) say things only once to avoid contradic-

tions and repetitions; (3) the design of software com-

ponents that are easy to verify, by e.g., using safer

language subsets, and to implement, by using appro-

priate coding styles and design patterns (Panunzio and

Vardanega, 2014).

2.2 Multi-view Modeling Approach

The CHESS tool provides a set of design views to up-

hold the ”separation of concern”, the ”correctness by

construction” and the other methodological principles

introduced before. Six main views are deﬁned to sup-

port the CHESS modeling approach. Throughout the

development process, each view has its own under-

lined constraints that enforce its speciﬁc privileges on

model entities and properties that can be manipulated.

Depending on the current stage of the design process,

CHESS sub-views are adopted to enhance certain de-

sign properties or stages of the process.

Requirement View is used to deﬁne system re-

quirements and track their veriﬁcation, System view

provides a suitable frame for system-level design ac-

tivities such as contract-based design, functional and

dependability analysis. Component view composed

of two sub-views, Functional and Extra-functional

views which supports the design of system compo-

nents logic and their internal compositions. Deploy-

ment view wich allows hardware structure modelling

and the allocation of the corresponding software com-

ponent instances. Analysis view capture all the analy-

sis activities, diagrams and results. Finally, Instance

view which is used to visualize and model the Plat-

form Speciﬁc Model (PSM) as a joint instance of soft-

ware to hardware allocated components.

Model-based Analysis Support for Dependable Complex Systems in CHESS

263

2.3 Model-based Analysis and

Veriﬁcation

CHESS provides the capability to perform several

kinds of analysis depending on the speciﬁc require-

ments (functional, timing, dependability). Part of

these functionalities have been added or extended to

the new release of CHESS and are further explained

in the next section.

Functional Veriﬁcation: by means of model

checking is supported by the integrated nuXmv model

checker (Cavada et al., 2014). System and component

properties, derived from requirements, can be formal-

ized into linear temporal logic properties, then they

can be veriﬁed on top of the system’s or component’s

behavioral models developed using state machines.

Contract-based Analysis: is built on top of the

OCRA tool support (Cimatti et al., 2013). Compo-

nent formal properties are structured in terms of con-

tracts, comprised of an assumption and a guarantee

pairs. The assumption is a property to be fulﬁlled

by the component’s environment, and the guarantee

is a property that must be satisﬁed by the component

implementation - provided that the environment satis-

ﬁes the assumption (Cimatti and Tonetta, 2015). The

contract reﬁnement can be exploited for architectural

analysis, compositional functional veriﬁcation (model

checking) and safety analysis (see also Sec. 3).

Timing Analysis: is built on top of the MAST

analysis tool. It is invoked to perform analysis such

as schedulability and end-to-end response time analy-

sis. Schedulability analysis is performed by taking in-

put from the annotated PSM model and the computed

partition schedule on each available processing unit.

Then, the response-time analysis calculates the worst-

case response time of each task (Godard and Nelissen,

2016) assessing the schedulable tasks complying with

the given timing constraints. The end-to-end analysis

is done by utilizing the component sequence diagram.

Applying MARTE timing stereotypes, the tool evalu-

ates the hardware component’s responsiveness. This

analysis facilitates “early end-to-end response time

veriﬁcation”, giving a sense of any possible reﬁne-

ment of the model before deployment (Mazzini et al.,

2015).

Dependability Analysis: include Failure Logic

Analysis and State Based Quantitative Dependabil-

ity Analysis. Failure Logic Analysis (Gallina et al.,

2014) builds on top of Failure Propagation and Trans-

formation Calculus (Wallace, 2005) and enables de-

ductive as well as inductive hazards analysis towards

semi-automatic generation of artefacts, necessary for

https://mast.unican.es/

arguing about HARA (Hazards Analysis and Risk As-

sessment). Supported by the DEEM tool (Bondavalli

et al., 2000), State-Based Quantitative Dependability

Analysis (Montecchi et al., 2013) supports safety en-

gineers in the management of Reliability, Availability,

Maintainability and Safety (RAMS) properties, and

in the assessment of hazard rate threshold associated

with safety integrity levels. Properties modeled using

the CHESSML dependability proﬁle are analyzed to

obtain the probability of occurrence of speciﬁc failure

modes and other quantitative metrics involving relia-

bility, availability, and safety.

3 NEW SYSTEM-LEVEL

ANALYSIS SUPPORT

In this section, we present the new major features re-

leased in CHESS 1.0.0. The new release includes

extended support for system-level safety and security

analysis. CHESSML dependability proﬁle which nor-

mally supports different techniques for safety and de-

pendability analysis has been extended to model fault

injection and threats. Other new features include con-

tract validations, parameter-based architectures, and

document generation. This new release can be ac-

cessed at https://www.eclipse.org/chess/

3.1 Contract-based Design Analysis and

Model Checking

CHESS supports the speciﬁcation of component con-

tracts speciﬁed in the OCRA contract language. Re-

quirements are formalized into Formal Properties,

which contain OCRA assertions, i.e., textual speci-

ﬁcations of temporal logic formulas (see Fig. 1 for

an example). In the contract-based paradigm, these

properties are restricted to the related component in-

terface. A contract is a pair of properties represent-

ing an assumption and a guarantee of the compo-

nent. In addition, CHESS tool supports the contract

reﬁnement analysis for composite components. The

contract of a composite component is deﬁned by the

assumption of the composite component itself and

the guarantee ensured by the contracts of its sub-

components, considering their interconnection as de-

scribed by the architecture and and that the assump-

tion of each sub-component is ensured by the con-

tracts of the other sibling sub-components.

The new CHESS release has improved the

contract-based analysis aspects by integrating CHESS

with V&V tools such as OCRA, nuXmv, and xSAP.

In this regard, the new additional analysis includes:

MODELSWARD 2021 - 9th International Conference on Model-Driven Engineering and Software Development

264

Figure 1: Example of a FormalProperty formalizing a requirement.

Figure 2: Example of a component contract.

(1) Model checking, i.e. the behavioral models,

that describe how the internal state of a component

and the output ports are updated, can be veriﬁed

against some formal properties in different temporal

logics. The formal properties can represent some re-

quirements (e.g., functional or safety-related require-

ments) or some validation queries such as the reacha-

bility of states.

(2) Contract-based compositional veriﬁcation of

state machines is performed on composite com-

ponents. The local state machine of each sub-

component is veriﬁed separately against its local con-

tract. The correctness of the composite component

is implicitly derived by the correctness of the con-

tract reﬁnement and the successful veriﬁcation of lo-

cal state machines.

(3) Contract-based safety analysis, i.e. identify

the component failures as the failure of its implemen-

tation in satisfying the contract. When the component

is composite, its failures can be caused by a failure

of one or more sub-components and/or a failure of

the environment in satisfying the assumption. As re-

sult, the analysis produces a fault tree in which each

intermediate event represents the failure of a compo-

nent or its environment, linked to a Boolean combina-

tion of other nodes. The top-level event is the failure

of the system component. The basic events are the

failures of the leaf sub-components, in addition to the

failure of the environment (see (Bozzano et al., 2014)

for more details).

3.2 Fault Injection and Safety Analysis

CHESS supports safety analysis based on fault injec-

tion thanks to the integration of xSAP(Bittner et al.,

2016). The behavioral models of components are ex-

tended with faults and the tool automatically gener-

ates Fault Trees, showing the combinations of events

leading to a failure or an undesired state, and Fault

Mode Effect Analysis (FMEA) tables, listing all po-

tential failure modes and their effects on the sys-

tem (Bozzano and Villaﬁorita, 2013).

More speciﬁcally, once the system model is de-

ﬁned in CHESS, through components deﬁnition and

their nominal behavioral model, the faulty behavior

is expressed through a speciﬁc state machine called

”Error Model”. The Error Model extends the nom-

inal state machine with information about the effect

upon a property of the component, and consequently

on its nominal behavior. Figure 3 represents an exam-

ple of an error model that, in case of an internal fault,

moves the related component in an error state where

the property ”energy” is stuck at 0 value. The optional

probability assigned to that transition is 5 · 10

−2

Once the error model is deﬁned, the Fault Tree

Analysis (FTA) or FMEA can be done by invoking

xSAP through the CHESS environment.

The xSAP approach is based on the library-based

fault injection (i.e., an extension of a behavioral

model with the deﬁnition of faults taken from a li-

brary of faults) and the use of model-based routines

to generate safety artifacts.

The result of the FTA is the fault tree that is au-

tomatically shown in a dedicated panel in the front-

end; see Figure 4 for an example. If fault probabil-

Model-based Analysis Support for Dependable Complex Systems in CHESS

265

Figure 3: State machine modeling faulty behavior.

Figure 4: A fault tree visualized in the CHESS Editor View;

note the probabilities associated to the top and basic events.

ities have been speciﬁed during the conﬁguration of

the error model, the fault tree will report their com-

bination. The fault tree shows all minimal cut-sets,

identifying the basic fault conditions which can lead

to the top-level failure.

This is complementary to other existing analysis

techniques supported in CHESS such as Failure Logic

Analysis and State Based Quantitative Dependability

Analysis, which do not consider the nominal behav-

iors and fault injection, but explicitly model the faulty

behavior and fault propagation.

3.3 Quantitative Reliability Analysis

The CHESS proﬁle for dependability is used to en-

rich functional models of the system with informa-

tion regarding the behavior with respect to faults and

failures, thus allowing properties like reliability, avail-

ability, and safety to be documented and analyzed.

The new release supports the modeling of secu-

rity concerns which helps in threat identiﬁcation at the

early stages of the development and facilitates the ex-

ploiting of the Mobius capabilities for analysis of reli-

ability. M

obius

: is a software tool for modeling the

behavior of complex systems, by allowing the study

of the reliability, availability, security, and perfor-

mance for large-scale discrete-event systems (Court-

ney et al., 2009). Many reliability analysis results can

be obtained with probabilistic models built with Mo-

bius using the stochastic activity networks (SAN) for-

malism, solved via Monte-Carlo simulation

Speciﬁc extensions of the dependability proﬁle are

related to the modelling of Cyber-Attacks aspects and

model transformations from CHESS to the Mobius

tool to run the analysis of SANs.

As results the implemented methodology allows

modeling of a system security threat and data cor-

ruption which may result to service misfortune. An

example of a system security threat can be a cyber-

security attack, i.e. an unauthorized access of the sys-

tem, halting services.

Figure 5: Process of Security breach.

Figure 5 depicts the process of a security breach that

leads to the violation of the security-related proper-

ties. A threat event, initiated by a threat source agent,

able to exploit a vulnerability of an asset (e.g. a

component/system) may result in a loss to the con-

ﬁdentiality, integrity, and/or availability of the asset.

Vulnerabilities could be represented as a pre-deﬁned

enumeration collected through different sources (e.g.

personal competence, standards, results of previous

threat analysis, etc.). Finally, the consequences could

be modeled using pre-deﬁned effects, which refers to

the loss of Conﬁdentiality, Integrity and Availability

(CIA).

An <<ErrorModel>>-tagged state machine is

used when modeling the security breach. The fail-

ure, internal fault, and effect are extended to include

security threats, vulnerability, and consequences re-

spectively. Figure 6 illustrates an example of an error

model, where a cyber-security attack initiates a data

corruption threat. The vulnerability was modeled ex-

ploiting the value check function which is set to false.

In this case, the system transits to an erroneous state

leading to component failure. Note that a component

could have multiple instances of <<ErrorModel>>-

tagged state machines, attached to it. Each instance

would provide the elaboration of input/output failure

behavior addressing a speciﬁc concern.

https://www.mobius.illinois.edu/

https://www.investopedia.com/terms/m/

montecarlosimulation.asp

MODELSWARD 2021 - 9th International Conference on Model-Driven Engineering and Software Development

266

Figure 6: Erroneous state transition due to security threat

event and vulnerability.

The generation of the Mobius SAN model pro-

cess is done by performing an automatic model-to-

model transformation from a model instance to the

SAN model recognized by Mobius for reliability anal-

ysis.

The new reliability analysis is additional to the ex-

isting State Based Quantitative Dependability Analy-

sis. It exploits the Mobius powerful and well sup-

ported analysis capabilities as engine for safety and

security co-engineering, according to the scenario ad-

dressed in (Popov, 2017). Editing Mobius models

can be non trivial. To this purpose we have ex-

tended the CHESS proﬁle, the CHESS modelling lan-

guage capabilities, and the user-friendly editor front-

end to fully support the modelling of system architec-

tures taking into consideration safety and security co-

engineering, and by using automatic transformations

to SAN model for reliability analysis with MOBIUS.

This extension has been developed in the context

of the AQUAS project, as result of a collaborative

effort among Intecs and City University of London,

applied and evaluated across different use cases, in

the ATM and Industrial Drive domain. This approach

provides a smooth integration, guarantees the consis-

tency among SysML and SAN models, and largely

reduces the effort required to construct an appropriate

SAN analysis model.

3.4 Support for Parameterized

Architecture and Trade-off Analysis

In a parameterized architecture the number of com-

ponents, the number of ports, the connections, and the

static attributes of components depends on a set of pa-

rameters. Parameters are deﬁned along the architec-

tural hierarchy and, thus, the number of parameters

themselves can depend on other parameters.

CHESS supports the the modeling of the param-

eterized architecture as well as its instantiation. In

particular, the user can set the values of the param-

eters, deﬁning the conﬁguration of the architecture,

and the tool automatically generates a concrete archi-

tecture corresponding to that conﬁguration. Figure 7

shows an example of parameterized architecture.

Figure 7: Example of parameterized architecture.

The parameterized architecture is also exploited for

trade-off analysis, by performing various analyses on

the different instantiations and comparing the results.

This makes it easy to visually get an idea of how the

intended model instances perform with respect to the

selected conﬁgurations.

3.5 Automatic Generation of Diagrams

and Documentation

The traditional way of editing a model is by adding an

element in a diagram but changes made in the model

are not reﬂected in the diagrams. The new CHESS

release offers the possibility of generating a diagram

from the model which reﬂects the data in the model

on the ﬂy. The supported diagrams are Block Def-

inition Diagram (BDD) and Internal Block diagram

(IBD). Multiple diagrams can be generated on a sin-

gle component in the model. The generated diagram

elements will be automatically aligned but the user

can rearrange by moving elements manually or by in-

voking “layout selection command.”

The new release also supports the generation of

the model architecture and the report on various anal-

yses executed on the model in an HTML document or

a LaTeX source code. The report is divided into two

sections. The ﬁrst describes the structure of the model

which includes diagrams and the associated compo-

nents while the second includes the report lists of the

results of the validation and veriﬁcation (V&V) anal-

yses results. There are many types of V&V results

such as property validation, assume/guarantee prop-

erties results, contract checks results, model checking,

FTA, FMEA, and so on.

Model-based Analysis Support for Dependable Complex Systems in CHESS

267

4 RELATED WORK

Several commercial tools provide similar functional-

ities of CHESS. One of the most popular is Mat-

lab/Simulink

. Although Simulink facilitates the

modelling and analysis of complex systems, its sim-

ulation efﬁciency might be an important disadvan-

tage. Being based on a single Model of Computation

and Communication (MoCC) is another limitation.

CoFluent

is another commercial tool extended to

model IoT systems. Although supporting more inter-

action models than Matlab/Simulink, it is also limited

in the way components may interact among them.

Another tendency is to overcome the UML lacks

in semantic content, required in some application

domains, towards a proliferation of DSLs (Bram-

billa et al., 2012). Among the available DSLs,

UML/MARTE is the standard language for real-

time and embedded systems design, while SysML

is the standard language for system modeling. Sev-

eral modelling environments like Papyrus

support

UML/MARTE. Nevertheless, its ﬂexibility and se-

mantic richness requires the deﬁnition of efﬁcient

modelling methodologies.

Capella

: is an open-source comprehensive and

extensible Eclipse system modelling tool. It is in-

spired to the SysML principles and it supports the AR-

CADIA methodology that is successfully deployed in

a wide variety of industrial contexts (Bonnet et al.,

2015). ARCADIA provides architectural descriptions

for functional analysis, structural analysis, interfaces

and behavior modeling, structured in ﬁve perspectives

according to major system engineering activities and

concerns.

COMPASS (Bozzano et al., 2019): supports

model checking, model-based safety, reliability, and

performance analysis and shares with CHESS some

of the tools used as backend for such analyses. Differ-

ently from CHESS, it targets a variant of AADL and

does not support traceability and code generation.

MapleSim

: is a modeling tool for multi-domain

engineering systems built on top of Modelica model-

ing language (Fritzson, 2015). MapleSim features an

integrated environment in which the system equations

can be automatically generated and analyzed (Cao

and Wu, 2013).

Although we see some approaches able to tackle

modeling challenges, no tool or approach has been

https://www.mathworks.com/products/simulink.html

https://www.intel.com/content/www/us/en/coﬂuent/

overview.html

https://www.eclipse.org/papyrus/

https://www.eclipse.org/capella/

https://www.maplesoft.com/products/maplesim/

able to ﬁt in our methodology with such analysis and

veriﬁcation functionalities. Which makes CHESS a

novel approach for implementing component-based

modeling methodology for real-time and dependable

systems by taking care of non-functional properties

and enforces the correctness at all the stages of the

development process.

5 FUTURE WORK

CHESS is a very huge toolset with more sophisticated

and powerful functionality to meet user needs. How-

ever, there is still a gap for improvement, to cover

more and more domains such as the Internet of Things

(IoT) in a more concrete way. Note that we are not

concluding that it is not capable to perform some ba-

sic modeling of IoT related scenarios but we aspire

to make it more IoT speciﬁc. This extension will fol-

low CHESS’s component-based methodology and it

will also follow already existing modeling approaches

present in CHESS.

The envisioned approach will be achieved by im-

proving the CHESSML metamodel with a set of

speciﬁc stereotypes, contracts, communications, and

operations proﬁled for IoT. The new proposed ap-

proach will also take in use of already existing de-

pendability analysis infrastructure. We also plan to

export IoT models developed with CHESS to ex-

ternal consumers. Finally, we plan to exploit the

current CHESS’s code generation support for Ada

language, integrated with the open-source ThingML

framework

, for IoT code generation.

6 CONCLUSIONS

Dependable complex system design and development

present several challenges, the well-known canonical

approach is to divide complex systems into smaller

chunks (or subsystems), build them separately, and

later integrate them. In this paper, we presented the

current state of the CHESS tool to tackle design, anal-

ysis, and veriﬁcation of real-time dependable com-

plex systems. We walked through the CHESS tool

architecture and we highlighted its component-based

and multi-view modeling approaches. We have also

presented the new system-level extensions and capa-

bilities of the tool released under the CHESS1.0.0 ver-

sion.

https://github.com/TelluIoT/ThingML

MODELSWARD 2021 - 9th International Conference on Model-Driven Engineering and Software Development

268

ACKNOWLEDGEMENTS

This work has received funding from the Low-

comote project under European Union’s Horizon

2020 research and innovation program under the

Marie Skłodowska-Curie grant agreement n813884.

We would like to acknowledge also different

projects funding leading to the mature realization of

CHESS which include the CHESS

, CONCERTO

SESAMO

, AMASS

, and AQUAS

. We would like

to acknowledge the main contributors to the devel-

opment of the CHESS toolset, in particular Stefano

Puri, Nicholas Pacini, Luca Cristoforetti and Pietro

Braghieri. Finally, we would like to acknowledge also

Prof. Davide Di Ruscio for the assistance on drafting

this paper.

REFERENCES

Bittner, B., Bozzano, M., Cavada, R., Cimatti, A., Gario,

M., Griggio, A., Mattarei, C., Micheli, A., and

Zampedri, G. (2016). The xSAP Safety Analysis Plat-

form. In TACAS, pages 533–539. Springer.

Bondavalli, A., Mura, I., Chiaradonna, S., Filippini, R.,

Poli, S., and Sandrini, F. (2000). Deem: a tool for

the dependability modeling and evaluation of multiple

phased systems. In DSN 2000, pages 231–236.

Bonnet, S., Voirin, J.-L., Normand, V., and Exertier, D.

(2015). Implementing the mbse cultural change: Or-

ganization, coaching and lessons learned. INCOSE

International Symposium, 25(1):508–523.

Bozzano, M., Bruintjes, H., Cimatti, A., Katoen, J., Noll,

T., and Tonetta, S. (2019). COMPASS 3.0. In TACAS,

pages 379–385. Springer.

Bozzano, M., Cimatti, A., Mattarei, C., and Tonetta, S.

(2014). Formal safety assessment via contract-based

design. In ATVA, pages 81–97. Springer.

Bozzano, M. and Villaﬁorita, A. (2013). Safety critical sys-

tems. In Encyclopedia of Software Engineering. CRC

Press (Taylor & Francis Group).

Brambilla, M., Cabot, J., and Wimmer, M. (2012). Model-

Driven Software Engineering in Practice. Morgan &

Claypool Publishers.

Bressan, L., de Oliveira, A. L., Montecchi, L., and Gallina,

B. (2018). A systematic process for applying the chess

methodology in the creation of certiﬁable evidence. In

EDCC, pages 49–56.

Cao, J. M. and Wu, T. (2013). Multi-domain modeling

simulation and application based on maplesim. In

Mechatronics and Intelligent Materials III, volume

706, pages 1894–1897. Trans Tech Publications Ltd.

Cavada, R., Cimatti, A., Dorigatti, M., Griggio, A., Mar-

iotti, A., Micheli, A., Mover, S., Roveri, M., and

Tonetta, S. (2014). The nuXmv Symbolic Model

Checker. In CAV, pages 334–342. Springer.

Cicchetti, A., Ciccozzi, F., Mazzini, S., Puri, S., Panunzio,

M., Zovi, A., and Vardanega, T. (2012). CHESS: a

model-driven engineering tool environment for aiding

the development of complex industrial systems. In

ASE, pages 362–365.

Cimatti, A., Dorigatti, M., and Tonetta, S. (2013). OCRA: A

tool for checking the reﬁnement of temporal contracts.

In Denney, E., Bultan, T., and Zeller, A., editors, ASE,

pages 702–705. IEEE.

Cimatti, A. and Tonetta, S. (2015). Contracts-reﬁnement

proof system for component-based embedded sys-

tems. Sci. Comput. Program., 97:333–348.

Courtney, T., Gaonkar, S., Keefe, K., Rozier, E. W. D., and

Sanders, W. H. (2009). M

obius 2.3: An extensible

tool for dependability, security, and performance eval-

uation of large and complex system models. In DSN,

pages 353–358.

Fritzson, P. (2015). Principles of Object-Oriented Modeling

and Simulation with Modelica 3.3: A Cyber-Physical

Approach. Wiley-IEEE Press, 2 edition.

Gallina, B., Sefer, E., and Refsdal, A. (2014). Towards

safety risk assessment of socio-technical systems via

failure logic analysis. In ISSRE Workshops, pages

287–292.

Gallina, B., Sefer, E., and Refsdal, A. (2014). Towards

safety risk assessment of socio-technical systems via

failure logic analysis. In ISSRE Workshops, pages

287–292.

Godard, W. and Nelissen, G. (2016). Model-based design

and schedulability analysis for avionic applications on

multicore platforms. Ada User Journal, 37:157–163.

Mazzini, S. (2015). The concerto project: An open source

methodology for designing, deploying, and operat-

ing reliable and safe cps systems. Ada User Journal,

36:264–267.

Mazzini, S., Favaro, J., and Baracchi, L. (2015). A model-

based approach across the IoT lifecycle for scalable

and distributed smart applications. In ITSC, pages

149–154.

Montecchi, L. and Gallina, B. (2017). Safeconcert: A

metamodel for a concerted safety modeling of socio-

technical systems. In MBSA, pages 129–144, Cham.

Springer International Publishing.

Montecchi, L., Lollini, P., and Bondavalli, A. (2013). A

reusable modular toolchain for automated depend-

ability evaluation. In VALUETOOLS, page 298–303.

ICST.

Pace, L., Pasquinelli, M., Gerbaz, D., Fuchs, J., Basso,

V., Mazzini, S., Baracchi, L., Puri, S., Lassalle, M.,

and Viitaniemi, J. (2014). Model-based approach for

the veriﬁcation enhancement across the lifecycle of a

space system. In INCOSE CIISE2014.

Panunzio, M. and Vardanega, T. (2014). A component-

based process with separation of concerns for the de-

velopment of embedded real-time software systems.

Journal of Systems and Software, 96:105 – 121.

Popov, P. (2017). Models of reliability of fault-tolerant soft-

ware under cyber-attacks. In ISSRE, pages 228–239.

Wallace, M. (2005). Modular architectural representation

and analysis of fault propagation and transformation.

Electronic Notes in Theoretical Computer Science,

141(3):53 – 71. FESCA 2005.

Model-based Analysis Support for Dependable Complex Systems in CHESS

269