# Conformance testing for real-time systems

Moez Krichen · Stavros Tripakis

Published online: 14 February 2009

© Springer Science+Business Media, LLC 2009

**Abstract** We propose a new framework for black-box conformance testing of real-time systems. The framework is based on the model of partially-observable, non-deterministic timed automata. We argue that partial observability and non-determinism are essential features for ease of modeling, expressiveness and implementability. The framework allows the user to define, through appropriate modeling, assumptions on the environment of the system under test (SUT) as well as on the interface between the tester and the SUT. We consider two types of tests: analog-clock tests and digital-clock tests. Our algorithm for generating analog-clock tests is based on an on-the-fly determinization of the specification automaton during the execution of the test, which in turn relies on reachability computations. The latter can sometimes be costly, thus problematic, since the tester must quickly react to the actions of the system under test. Therefore, we provide techniques which allow analog-clock testers to be represented as deterministic timed automata, thus minimizing the reaction time to a simple state jump. We also provide algorithms for static or on-the-fly generation of digital-clock tests. These tests measure time only with finite-precision digital clocks, another essential condition for implementability. We also propose a technique for location, edge and state coverage of the specification, by reducing the problem to covering a symbolic reachability graph. This avoids having to generate too many tests. We report on a prototype tool called TTG and two case studies: a lighting device and the Bounded Retransmission Protocol. Experimental results obtained by applying TTG on the Bounded Retransmission Protocol show that only a few tests suffice to cover thousands of reachable symbolic states in the specification.

**Keywords** Conformance testing  $\cdot$  Test generation  $\cdot$  Coverage  $\cdot$  Partial observability  $\cdot$  On-the-fly algorithms  $\cdot$  Real-time systems  $\cdot$  Timed automata  $\cdot$  Specification and verification

M. Krichen · S. Tripakis (⋈)

Verimag Laboratory, Centre Equation, 2, avenue de Vignate, 38610 Gières, France

e-mail: tripakis@imag.fr

e-mail: stavros.tripakis@gmail.com url: http://www-verimag.imag.fr

M. Krichen

e-mail: moez.krichen@gmail.com



#### 1 Introduction

Testing is a fundamental step in any development process. It consists in applying a set of experiments to a system (system under test—SUT). There exist many types of testing with multiple aims, from checking correct functionality to measuring performance. In this work, we are interested in so-called conformance testing where the aim is to check conformance of the SUT to a given specification. The SUT is often a "black box" in the sense that we do not have knowledge about its internals (e.g., its state is not known), thus, can only rely on its observable input/output behavior.

We focus our attention on *real-time systems*. These are systems that operate in an environment with strict timing constraints. Examples of such systems are many: embedded control systems from the automotive, aerospace or other domains, mobile phones, multimedia systems, and so on. When testing a real-time system, it is not sufficient to check whether the SUT produces the correct outputs. It must also be checked that the timing of the outputs is correct. Moreover, the timing of these outputs depends on the timing of the inputs. In turn, the timing of applicable future inputs is determined by the outputs.

Classical testing frameworks are based on Mealy machines (e.g., see [19, 40]) or finite labeled transition systems (e.g., see [3, 16, 20, 26, 48]). These formalisms are not well-suited for modeling real-time systems. In Mealy machines, inputs and outputs are synchronous, which is a reasonable assumption when modeling synchronous hardware, but not when the delays among inputs and outputs are governed by complex timing constraints. In testing methods based on LTSs, time is typically abstracted away and timeouts are modeled by special  $\delta$  actions [47] which can be interpreted as "no output will be observed" (this is the property of *quiescence*). This is problematic, because timeouts need to be instantiated with concrete values upon testing (e.g., "if nothing happens for 10 seconds, output FAIL"). However, there is no systematic way to derive the timeout values (indeed, durations are not expressed in the specification). Thus, one must rely on empirical, ad-hoc methods.

A model which has become quite popular during the past decade for modeling real-time systems is the model of *timed automata—TA* [1]. A number of methods for testing real-time systems based on variants of the above model (or other similar models such as timed Petri nets) have been proposed (e.g., see [14, 17, 18, 21, 25, 29, 30, 33, 38, 42, 43, 46]). However, these methods present one or both of the following two limitations.

First, only restricted subclasses of timed automata are considered, thus limiting the expressiveness of specifications. For example, [29, 46] consider TA where outputs are isolated and urgent. The first condition states that, at any given state, the automaton can only output a single action. Therefore, a specification such as "when input a is received, output either b or c" cannot be expressed in this model. Worse, the second condition states that, at any given state, if an output is possible, then time cannot elapse. This essentially means that outputs must be emitted at precise points in time. Therefore, a specification such as "when input a is received, output b must be emitted within at most 10 time units" cannot be expressed. Most other works consider deterministic or determinizable subclasses of TA. For instance, [42] use event-recording automata [2] and [33] use a determinizable TA model with restricted clock resets. Most of the works also assume that specifications are *fully-observable*, meaning that it is assumed that all events can be observed by the tester. All these restrictions limit the applicability of the methods. Indeed, a specification must be able to leave freedom to potential implementations, especially on choosing different outputs or output times. Also, as we argue below, partial observability and non-determinism are essential for ease of modeling, expressiveness and implementability.

The second limitation is that only *analog-clock* tests are considered in the works above. These are tests which can observe the delays between inputs and outputs precisely. For



**Fig. 1** A compositional specification with internal (unobservable) actions



example, a test like "emit a; if b is received at most 5 time units later, announce PASS and stop, otherwise, announce FAIL" is an analog-clock test. Analog-clock tests are problematic since they are difficult (if not impossible) to implement with finite-precision clocks. The tester which implements the test of the example above must be able to measure the delay t between a and b and announce PASS if and only if  $t \le 5$ . In practice, the tester will typically sample time periodically, say, every 0.1 time units. Thus, it cannot distinguish between t being anywhere in the interval (4.9, 5.1). In this case, in order to be sound, the tester should announce PASS for every t in this interval, thus accepting also some non-conforming specifications (those where 5 < t < 5.1). A modeling framework which allows to formally specify such implementation considerations and derive sound tests from them is not provided in the above works.

In this work, we propose a testing framework for real-time systems, which lifts the above limitations. Our framework is *expressive*: it can fully handle *partially-observable*, *non-deterministic* timed automata. It is also *implementable*: the tests we generate can be implemented using digital clocks of finite precision. Our framework has been presented in previous publications [34–36]. This paper unifies and extends the results presented in these publications.

We next summarize the main characteristics of our framework.

We model specifications as timed automata with input, output or unobservable actions (without loss of generality, a single unobservable action is enough). The automata can also be non-deterministic, in the sense that a given action at a given time might lead the automaton to two different states. Such models arise often in practice. Specifications are usually built in a *compositional* way, from many components. This greatly simplifies modeling. Figure 1 illustrates this fact: it shows a specification (solid-line box) communicating with the external world through some observable interface (solid arrows). The specification is built internally using three components (dotted boxes). These components communicate using signals that are unobservable to the external world (dotted arrows). *Abstractions* from low-level details are also used often, to simplify modeling and manage complexity. Such abstractions could, for instance, "hide" some variables and behavior, which typically results in non-determinism.

In general, timed-automata cannot be determinized [1] and unobservable actions cannot be removed [6]. It can be argued that, in practice, many models will be determinizable. However, checking this (and performing the determinization) is undecidable [50]. Thus, the user is left with two alternatives. Either attempt to fit the specification into a deterministic, fully-observable TA model, or use a framework like ours, which handles non-determinism and partial observability directly. Clearly, the first alternative is hardly feasible in practice, especially for large specifications consisting of many components, as it implies that the user has to perform determinization of such a model "manually".

<sup>&</sup>lt;sup>1</sup>In particular, no direct support for implementability using digital clocks is provided in [17, 38], where testing frameworks similar to ours are presented (the main differences are discussed in Sect. 3.3).



In order to capture conformance of a SUT to a specification we propose a formal relation, called *timed input-output conformance* or tioco. The latter is inspired from the "untimed" conformance relation ioco of [47]. The main difference is that ioco uses the notion of quiescence, according to which absence of outputs is observable. In tioco we do not use quiescence because we want timeouts to be explicitly specified as said above. For instance, we do not allow specifications stating "a must eventually occur" but only "a must occur with x time units". Apart from this important difference, tioco is similar in spirit to loco: intuitively a conforms to a if for each observable behavior specified in a, the possible outputs of a after this behavior is a subset of the possible outputs of a. In tioco time delays are included in the set of observable outputs. This permits to capture the fact that an implementation producing an output too early or too late (or never, whereas it should) is non-conforming.

We consider both analog-clock and *digital-clock* tests. The former measure time precisely, whereas the latter can only count how many "ticks" of a digital clock have occurred between two events. In our framework, the digital clock is itself modeled as a timed automaton. In that way, the user has full control on the assumptions about the execution platform where the tester will execute. We provide examples that show how to model different types of digital clocks, from simple strictly-periodic clocks to more complex clocks with jitter or skew. Note that generating digital-clock tests does not mean that we assume a discrete-time setting. Indeed, the specification is still continuous-time. The SUT operates in dense time as well. Only the tester (which is a digital system) is sampling this time using a digital clock.

We propose algorithms to generate tests both *on-line* (or *on-the-fly*) and *off-line*. On-line test generation means that the test is generated essentially during execution. Thus, a large number of computations and choices must be performed and resolved on-the-fly: compute the next state of the tester, decide whether to wait and for how long, etc. In off-line test generation these choices are resolved at generation time. The test is usually represented as a finite tree with PASS/FAIL annotations on the leaves. All that the tester has to do then during test execution is follow this tree. On-line versus off-line test generation is essentially a time versus space trade-off: on-line generation saves space at the expense of requiring more time during the execution of the test (reaction time). This in turn limits the *reactivity* of the tester to the actions of the SUT. On the other hand, off-line test generation requires space to store the generated tests.

Classic test generation algorithms use a pre-processing step consisting in determinizing the specification [26]. For reasons explained above, this is impossible in the case of timed automata. To solve this problem, we employ different techniques. In the case of on-line generation of analog-clock tests, we use an *on-the-fly subset construction* technique. This consists in determinizing the specification on-the-fly, based on the sequence of observed time delays and discrete actions. This technique has been first introduced in [49] where it was used for monitoring and fault-detection purposes.

The case of off-line generation of analog-clock tests is tricky. The question is how to represent analog-clock tests in a "static" way? An immediate thought is to use timed automata. However, the tester automata must be deterministic, otherwise determinization must be performed during test execution, and we are back to the case of on-the-fly generation. But generating a deterministic test from a non-deterministic specification raises the undecidability issues discussed above. We thus take a pragmatic approach. We suppose that the user fixes the number of clocks that the tester automaton has and also the points where these clocks are to be reset (we call the latter a *reset skeleton*). The user must also specify the maximum constants the clocks are to be compared to in the guards of the tester. We provide an algorithm which, given this information, generates a test represented as a deterministic timed automaton.



Generation of digital-clock tests (both on-line and off-line) is based on the following idea: if we consider the "tick" of the digital clock as any other discrete action, then digital-clock tests become ordinary "untimed" automata. Such automata can be generated from special "untiming" constructions of the product of the two input timed automata: the specification and the digital clock model.

All our test-generation methods rely on *symbolic reachability* algorithms similar to those used in timed automata model-checking tools such as Kronos [22]. Test generation suffers from the state-explosion problem less than model-checking. On the other hand, the number of tests that can be generated from a given specification is infinite! Even up to a given depth, the number of possible tests is exponentially large. To limit explosion in the number of tests, we consider *coverage criteria* such as state or transition coverage, inspired from software testing [41]. These criteria can drastically reduce the number of generated tests: the tests required to cover a specification are often a very small subset of the set of all possible tests up to a given depth. We provide algorithms to generate digital-clock tests with respect to *location*, *state or edge* coverage. The algorithms are based on the fact that in the symbolic reachability graph of a timed automaton every node or edge can be associated to a set of locations, states or edges of the specification automaton. Thus, covering locations, states or edges of the specification reduces to covering nodes or edges in the symbolic reachability graph.

We have implemented our real-time testing framework in a prototype tool called TTG. TTG is implemented on top of the IF environment [12]. We have experimented with TTG on a few case studies, including the execution software of the K9 Rover by NASA [5, 15] and the Bounded Retransmission Protocol [27, 36].

The rest of this document is organized as follows. In Sect. 2 we introduce timed automata with inputs and outputs. In Sect. 3 we define the conformance relation tioco and illustrate its usage with examples. Section 4 provides a description of analog-clock and digital-clock tests. In Sect. 5 we show how to automatically generate such tests, using on-line or off-line methods. Section 6 presents test generation based on coverage criteria. Section 7 discusses our tool and two case studies. In Sect. 8 we present our conclusions and future work plans.

#### 2 Timed automata with inputs and outputs

#### 2.1 Real-time sequences

Let R be the set of non-negative reals and Q the set of non-negative rationals. Given a finite set of *actions* Act, the set  $(Act \cup R)^*$  of all finite-length *real-time sequences* over Act will be denoted RT(Act).  $\epsilon \in RT(Act)$  is the empty sequence. Given  $Act' \subseteq Act$  and  $\rho \in RT(Act)$ ,  $P_{Act'}(\rho)$  denotes the *projection* of  $\rho$  to  $Act' \cup R$ , obtained by "erasing" from  $\rho$  all actions not in  $Act' \cup R$ . Similarly,  $DP_{Act'}(\rho)$  denotes the (discrete) projection of  $\rho$  to Act'. For example, if  $Act = \{a,b\}$ ,  $Act' = \{a\}$  and  $\rho = a \ 1b \ 2a \ 3$ , then  $P_{Act'}(\rho) = a \ 3a \ 3$  and  $DP_{Act'}(\rho) = a \ a$ . The time spent in a sequence  $\rho$ , denoted time( $\rho$ ) is the sum of all delays in  $\rho$ , for example, time( $\epsilon$ ) = 0 and time( $a \ 1b \ 0.5$ ) = 1.5.

In the rest of the document, we assume given a set of actions Act, partitioned in two disjoint sets: a set of *input actions* Act<sub>in</sub> and a set of *output actions* Act<sub>out</sub>. Actions in Act<sub>in</sub>  $\cup$  Act<sub>out</sub> are called *observable* actions. We also assume there is an *unobservable* action  $\tau \notin$  Act. Let Act<sub> $\tau$ </sub> = Act  $\cup$  { $\tau$ }.



### 2.2 Timed labeled transition systems

A timed labeled transition system (TLTS) over Act is a tuple  $(S, s_0, Act, T_d, T_t)$ , where:

- S is a set of states;
- s<sub>0</sub> is the initial state;
- $T_d$  is a set of discrete transitions of the form (s, a, s') where  $s, s' \in S$  and  $a \in Act$ ;
- $T_t$  is a set of *timed transitions* of the form (s, t, s') where  $s, s' \in S$  and  $t \in R$ .

Timed transitions must be deterministic, that is,  $(s, t, s') \in T_t$  and  $(s, t, s'') \in T_t$  implies s' = s''.  $T_t$  must also satisfy the following conditions:

- $(s, t, s') \in T_t$  and  $(s', t', s'') \in T_t$  implies  $(s, t + t', s'') \in T_t$ ;
- $(s, t, s') \in T_t$  implies that for all t' < t, there is some  $(s, t', s'') \in T_t$ .

A given TLTS  $(S, s_0, Act, T_d, T_t)$  is said to be rational-delay if for each timed-transition  $(s, t, s') \in T_t$  the duration t is rational (i.e.,  $t \in \mathbb{Q}$ ).

We use standard notation concerning TLTS. For  $s, s', s_i \in S$ ,  $\mu, \mu_i \in \mathsf{Act}_\tau \cup \mathsf{R}$ ,  $a, a_i \in \mathsf{Act}_\tau \cup \mathsf{R}$  $\mathsf{Act} \cup \mathsf{R}$ ,  $\rho \in \mathsf{RT}(\mathsf{Act}_{\tau})$  and  $\sigma \in \mathsf{RT}(\mathsf{Act})$ , we have:

• General transitions:  

$$\begin{array}{cccc}
 & s & \stackrel{\mu}{\rightarrow} s' & \stackrel{Def}{=} (s, \mu, s') \in T_d \cup T_t; \\
 & -s & \stackrel{\mu}{\rightarrow} & \stackrel{Def}{=} \exists s' : s & \stackrel{\mu}{\rightarrow} s'; \\
 & -s & \stackrel{\mu}{\rightarrow} & \stackrel{Def}{=} \exists s' : s & \stackrel{\mu}{\rightarrow} s'; \\
 & -s & \stackrel{\mu_1 \cdots \mu_n}{\rightarrow} s' & \stackrel{Def}{=} \exists s_1, \dots, s_n : s = s_1 & \stackrel{\mu_1}{\rightarrow} s_2 & \stackrel{\mu_2}{\rightarrow} \cdots & \stackrel{\mu_n}{\rightarrow} s_n = s'; \\
 & -s & \stackrel{\rho}{\rightarrow} & \stackrel{Def}{=} \exists s' : s & \stackrel{\rho}{\rightarrow} s'; \\
 & -s & \stackrel{\rho}{\rightarrow} & \stackrel{Def}{=} & \exists s' : s & \stackrel{\rho}{\rightarrow} s'.
\end{array}$$

• Observable transitions:

Observable transitions:  

$$- s \stackrel{\Leftrightarrow}{\Rightarrow} s' \stackrel{Def}{=} s = s' \text{ or } s \stackrel{\tau \cdots \tau}{\longrightarrow} s';$$

$$- s \stackrel{a}{\Rightarrow} s' \stackrel{Def}{=} \exists s_1, s_2 : s \stackrel{\Leftrightarrow}{\Rightarrow} s_1 \stackrel{a}{\longrightarrow} s_2 \stackrel{\Leftrightarrow}{\Rightarrow} s';$$

$$- s \stackrel{a}{\Rightarrow} \stackrel{Def}{=} \exists s' : s \stackrel{a}{\Rightarrow} s';$$

$$- s \stackrel{a}{\Rightarrow} \stackrel{Def}{=} \exists s' : s \stackrel{a}{\Rightarrow} s';$$

$$- s \stackrel{a_1 \cdots a_n}{\Rightarrow} s' \stackrel{Def}{=} \exists s_1, \dots, s_n : s = s_1 \stackrel{a_1}{\Rightarrow} s_2 \stackrel{a_2}{\Rightarrow} \cdots \stackrel{a_n}{\Rightarrow} s_n = s';$$

$$- s \stackrel{a}{\Rightarrow} \stackrel{Def}{=} \exists s' : s \stackrel{\sigma}{\Rightarrow} s';$$

$$- s \stackrel{a}{\Rightarrow} \stackrel{Def}{=} \exists s' : s \stackrel{\sigma}{\Rightarrow} s'.$$

A sequence of the form  $s_0 \stackrel{\mu_1}{\to} s \stackrel{\mu_2}{\to} \cdots \stackrel{\mu_n}{\to} s'$  is called a *run* and a sequence of the form  $s_0 \stackrel{a_1}{\Longrightarrow} s \stackrel{a_2}{\Longrightarrow} \cdots \stackrel{a_n}{\Longrightarrow} s'$  an observable run.

#### 2.3 Timed automata

We use timed automata [1] with deadlines to model urgency [9, 45]. A timed automaton over Act is a tuple  $A = (Q, q_0, X, Act, E)$ , where:

- Q is a finite set of *locations*;
- $q_0 \in Q$  is the initial location;
- X is a finite set of *clocks*;
- E is a finite set of edges.

Each edge is a tuple  $(q, q', \psi, r, d, a)$ , where:



- $q, q' \in Q$  are the source and destination locations;
- $\psi$  is the *guard*, a conjunction of constraints of the form x # c, where  $x \in X$ , c is an integer constant and  $\# \in \{<, \leq, =, \geq, >\}$ ;
- $r \subseteq X$  is a set of clocks to *reset* to zero;
- $d \in \{\text{lazy}, \text{delayable}, \text{eager}\}\$ is the *deadline*;
- $a \in Act$  is the action.

A timed automaton A defines an infinite TLTS which is denoted  $L_A$ . Its states are pairs s=(q,v), where  $q\in Q$  and  $v:X\to \mathsf{R}$  is a clock *valuation*.  $\vec{0}$  is the valuation assigning 0 to every clock of A.  $S_A$  is the set of all states and  $s_0^A=(q_0,\vec{0})$  is the initial state. Discrete transitions are of the form  $(q,v)\stackrel{a}{\to} (q',v')$ , where  $a\in \mathsf{Act}$  and there is an edge  $(q,q',\psi,r,d,a)$ , such that v satisfies v and v' is obtained by resetting to zero all clocks in v and leaving the others unchanged. Timed transitions are of the form  $(q,v)\stackrel{t}{\to} (q,v+t)$ , where  $t\in \mathsf{R}, t>0$  and there is no edge  $(q,q'',\psi,r,d,a)$ , such that: (1) either v0 delayable and there exist v1 such that v3 such that v4 to v4 eager and v5. Notice that lazy edges do not impact the semantics, they are simply there to denote that an edge is neither delayable, nor eager. The latter two types do impact the semantics. Thus, lazy edges cannot block time progress, whereas delayable and eager edges can.

We will not allow delayable edges with guards of the form x < c and eager edges with guards of the form x > c. For the former, there is no *latest* time when the guard is still true. For the latter, there is no *earliest* time when the guard becomes true.

A state  $s \in S_A$  is *reachable* if there exists  $\rho \in \mathsf{RT}(\mathsf{Act})$  such that  $s_0^A \xrightarrow{\rho} s$ . The set of reachable states of A is denoted  $\mathsf{Reach}(A)$ .

# 2.4 Timed automata with inputs and outputs

A timed automaton with inputs and outputs (TAIO) is a timed automaton over the partitioned set of actions  $\mathsf{Act}_\tau = \mathsf{Act}_\mathsf{in} \cup \mathsf{Act}_\mathsf{out} \cup \{\tau\}$ . For clarity, we will explicitly include inputs and outputs in the definition of a TAIO A and write  $(Q, q_0, X, \mathsf{Act}_\mathsf{in}, \mathsf{Act}_\mathsf{out}, \mathsf{E})$  instead of  $(Q, q_0, X, \mathsf{Act}_\tau, \mathsf{E})$ .

A TAIO is called *observable* if none of its edges is labeled by  $\tau$ .

Given a set of inputs  $Act' \subseteq Act_{in}$ , a TAIO A is called *input-enabled* with respect to Act' if it can accept any input in Act' at any state:  $\forall s \in Reach(A)$ .  $\forall a \in Act' : s \xrightarrow{a}$ . It is simply said to be input-enabled when  $Act' = Act_{in}$ . A is called lazy-*input* with respect to Act' if the deadlines on all the transitions labeled with input actions in Act' are lazy. It is called lazy-input if it is lazy-input with respect to  $Act_{in}$ . Note that input-enabled does not imply lazy-input in general.

A is called deterministic if

$$\forall s, s', s'' \in \mathsf{Reach}(A) \,.\, \forall a \in \mathsf{Act}_\tau \,:\, s \overset{a}{\to} s' \wedge s \overset{a}{\to} s'' \Rightarrow s' = s''.$$

A is called non-blocking if

$$\forall s \in \mathsf{Reach}(A) \,.\, \forall t \in \mathsf{R} \,.\, \exists \rho \in \mathsf{RT}(\mathsf{Act}_\mathsf{out} \cup \{\tau\}) \,:\, \mathsf{time}(\rho) = t \,\land\, s \stackrel{\rho}{\to} \,. \tag{1}$$

This condition guarantees that A will not block time in any environment.

The set of timed traces of a TAIO A is defined to be

$$\mathsf{TTraces}(A) = \{ \rho \mid \rho \in \mathsf{RT}(\mathsf{Act}_\tau) \land s_0^A \overset{\rho}{\to} \}. \tag{2}$$



Fig. 2 Two interacting TAIO



The set of *observable timed traces* of A is defined to be

$$\mathsf{ObsTTraces}(A) = \{ \mathsf{P}_{\mathsf{Act}}(\rho) \mid \rho \in \mathsf{RT}(\mathsf{Act}_{\tau}) \land s_0^A \xrightarrow{\rho} \}. \tag{3}$$

The TLTS defined by a TAIO is called a *timed input-output LTS* (TIOLTS). From now on, unless otherwise stated, all the considered TAIO are defined with respect to the same sets  $Act_{in}$  and  $Act_{out}$  and unobservable action  $\tau$ . As for TAIO, a given TIOLTS L is denoted  $(S, s_0, Act_{in}, Act_{out}, T_d, T_t)$  instead of  $(S, s_0, Act_{\tau}, T_d, T_t)$ .

#### 2.5 Parallel composition of TAIO

Most of the time, it is easier to write models in a modular way. That is, to consider models which are the product of some interacting components. For that, we introduce the notion of parallel composition for the case of TAIO.

We are given two TAIO  $A_1 = (Q_1, q_0^1, X_1, \mathsf{Act}_{\mathsf{in}}^1 \cup \mathsf{Act}_{\mathsf{out}}^1 )$  is said to be *compatible* with respect to the pair of action sets  $(\mathsf{Act}_{\mathsf{1}\to\mathsf{2}}, \mathsf{Act}_{\mathsf{2}\to\mathsf{1}})$  if  $X_1 \cap X_2 = \emptyset$ , the sets  $\mathsf{Act}_{\mathsf{in}}^1$ ,  $\mathsf{Act}_{\mathsf{out}}^1$ ,  $\mathsf{Act}_{\mathsf{out}}^2$ ,  $\mathsf{Act}_{\mathsf{1}\to\mathsf{2}}^1$  and  $\mathsf{Act}_{\mathsf{2}\to\mathsf{1}}^1$  are pairwise disjoint. This is illustrated in Fig. 2. Incoming arrows denote input events and outgoing arrows output events. Solid lines denote observability and dotted lines non-observability. We also assume that each  $A_i$  is input-enabled with respect to  $\mathsf{Act}_{(3-i)\to i}$  in order to avoid having time blocked due to internal actions awaiting an input from the other automaton. Notice that this assumption only refers to the internal input actions and not to the external inputs of the product automaton.

The two TAIO synchronize both on time and on their shared common actions  $Act_{1\rightarrow 2} \cup Act_{2\rightarrow 1}$ . When connected to each other, the interaction between the two TAIO is assumed to be unobservable from outside. We further assume that  $(A_1, A_2)$  is compatible with respect to  $(Act_{1\rightarrow 2}, Act_{2\rightarrow 1})$ .

The parallel composition of  $A_1$  and  $A_2$  is denoted  $A_1||A_2$ . It is the TAIO  $(Q_1 \times Q_2, (q_0^1, q_0^2), X_1 \cup X_2, \mathsf{Act}_{\mathsf{in}}, \mathsf{Act}_{\mathsf{out}}, \mathsf{E})$  such that

$$\mathsf{Act}_{\mathsf{in}} = \bigcup_{i=1,2} \mathsf{Act}_{\mathsf{in}}^i, \qquad \mathsf{Act}_{\mathsf{out}} = \bigcup_{i=1,2} \mathsf{Act}_{\mathsf{out}}^i$$

and E is the smallest set such that:



• For  $(q_1, q_2) \in Q_1 \times Q_2$  and  $a \in \mathsf{Act}^1_\mathsf{in} \cup \mathsf{Act}^1_\mathsf{out} \cup \{\tau_1\}$ :

$$(q_1, q'_1, \psi_1, r_1, d_1, a) \in \mathsf{E}_1 \Rightarrow ((q_1, q_2), (q'_1, q_2), \psi_1, r_1, d_1, a) \in \mathsf{E};$$
 (4)

• For  $(q_1, q_2) \in Q_1 \times Q_2$  and  $a \in \mathsf{Act}^2_{\mathsf{in}} \cup \mathsf{Act}^2_{\mathsf{out}} \cup \{\tau_2\}$ :

$$(q_2, q'_2, \psi_2, r_2, d_2, a) \in \mathsf{E}_2; \Rightarrow ((q_1, q_2), (q_1, q'_2), \psi_2, r_2, d_2, a) \in \mathsf{E};$$
 (5)

For a ∈ Act<sub>1→2</sub>:

$$(q_1, q'_1, \psi_1, r_1, d_1, a) \in \mathsf{E}_1 \land (q_2, q'_2, \psi_2, r_2, \mathsf{lazy}, a) \in \mathsf{E}_2$$
  

$$\Rightarrow ((q_1, q_2), (q_1, q'_2), \psi_1 \land \psi_2, r_1 \cup r_2, d_1, \tau_a) \in \mathsf{E}; \tag{6}$$

• For  $a \in Act_{2\rightarrow 1}$ :

$$(q_1, q'_1, \psi_1, r_1, \mathsf{lazy}, a) \in \mathsf{E}_1 \land (q_2, q'_2, \psi_2, r_2, d_2, a) \in \mathsf{E}_2$$
  

$$\Rightarrow ((q_1, q_2), (q_1, q'_2), \psi_1 \land \psi_2, r_1 \cup r_2, d_2, \tau_a) \in \mathsf{E}. \tag{7}$$

### 2.6 Parallel composition of TIOLTS

Similarly, it is also useful to define parallel composition over TIOLTS. Given two TIOLTS  $L_1$  and  $L_2$ , the corresponding parallel product is denoted  $L_1||L_2$ . For i=1,2,  $L_i=(S_i,s_0^i,\mathsf{Act}_{\mathsf{in}}^i\cup\mathsf{Act}_{(3-i)\to i}^i,\mathsf{Act}_{\mathsf{out}}^i\cup\mathsf{Act}_{i\to(3-i)}^i,T_d^i,T_t^i)$ . The sets  $\mathsf{Act}_{\mathsf{in}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{in}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{\mathsf{out}}^1,\mathsf{Act}_{$ 

$$L_1||L_2 = (S, (s_0^1, s_0^2), \mathsf{Act}_\mathsf{in}, \mathsf{Act}_\mathsf{out}, T_d, T_t)$$

such that

$$\mathsf{Act}_{\mathsf{in}} = \bigcup_{i=1,2} \mathsf{Act}_{\mathsf{in}}^i, \qquad \mathsf{Act}_{\mathsf{out}} = \bigcup_{i=1,2} \mathsf{Act}_{\mathsf{out}}^i$$

and S,  $T_d$  and  $T_t$  are the smallest sets such that:

- $(s_0^1, s_0^2) \in S$ ;
- For  $(s_1, s_2) \in S$  and  $\delta \in \mathbb{R}$ :

$$s_1 \xrightarrow{\delta} s_1' \in T_t^1 \land s_2 \xrightarrow{\delta} s_2' \in T_t^2 \Rightarrow (s_1', s_2') \in S \land (s_1, s_2) \xrightarrow{\delta} (s_1', s_2') \in T_t; \tag{8}$$

• For  $(s_1, s_2) \in S$  and  $a \in \mathsf{Act}^1_\mathsf{in} \cup \mathsf{Act}^1_\mathsf{out} \cup \{\tau_1\}$ :

$$s_1 \xrightarrow{a} s_1' \in T_d^1 \Rightarrow (s_1', s_2) \in S \land (s_1, s_2) \xrightarrow{a} (s_1', s_2) \in T_d;$$
 (9)

• For  $(s_1, s_2) \in S$  and  $a \in \mathsf{Act}^2_{\mathsf{in}} \cup \mathsf{Act}^2_{\mathsf{out}} \cup \{\tau_2\}$ :

$$s_2 \xrightarrow{a} s_2' \in T_d^2 \Rightarrow (s_1, s_2') \in S \land (s_1, s_2) \xrightarrow{a} (s_1, s_2') \in T_d;$$
 (10)

• For  $(s_1, s_2) \in S$  and  $a \in Act_{1 \leftrightarrow 2}$ :

$$s_1 \stackrel{a}{\rightarrow} s_1' \in T_d^1 \land s_2 \stackrel{a}{\rightarrow} s_2' \in T_d^2 \Rightarrow (s_1', s_2') \in S \land (s_1, s_2) \stackrel{\tau_a}{\rightarrow} (s_1', s_2') \in T_d. \tag{11}$$



It is not difficult to see that from each possible run  $\lambda$  of  $L_1||L_2$  it is possible to extract two (unique) timed traces  $\sigma_1$  and  $\sigma_2$  of  $L_1$  and  $L_2$ , respectively. For example for

$$\lambda = (s_0^1, s_0^2) \stackrel{1.5}{\rightarrow} (s, t) \stackrel{\tau_a}{\rightarrow} (p, q) \stackrel{?b}{\rightarrow} (r, q) \stackrel{!c}{\rightarrow} (r, u)$$

we have  $\sigma_1 = 1.5$ ?a?b and  $\sigma_2 = 1.5$ !a!c, where  $a \in \mathsf{Act}_{2\rightarrow 1}^1$ ,  $b \in \mathsf{Act}_{\mathsf{in}}^1$  and  $c \in \mathsf{Act}_{\mathsf{out}}^2$ .

Conversely, the two traces  $\sigma_1$  and  $\sigma_2$ , in ObsTTraces( $L_1$ ) and ObsTTraces( $L_2$ ) respectively, are said to be *synchronizable* in  $L_1||L_2$  if there exists a run  $\lambda$  of  $L_1||L_2$  from which the two traces can be extracted. In general, the run from which  $\sigma_1$  and  $\sigma_2$  can be extracted may not be unique, due to different possible interleavings. For instance, the two traces  $\sigma_1$  and  $\sigma_2$  given above can be also extracted from the run

$$\lambda' = (s_0^1, s_0^2) \xrightarrow{1.5} (s, t) \xrightarrow{\tau_a} (p, q) \xrightarrow{!c} (p, u) \xrightarrow{?b} (r, u).$$

Let  $L_1'$  and  $L_2'$  be two new TIOLTS. For  $i=1,2,L_i'$  has the same sets of inputs and outputs as  $L_i$ . Moreover,  $L_1'$  and  $L_2'$  synchronize on the same set of actions  $\mathsf{Act}_{1\leftrightarrow 2}$  as for  $L_1$  and  $L_2$ . Let  $\sigma_1 \in \mathsf{ObsTTraces}(L_1) \cap \mathsf{ObsTTraces}(L_1')$ ,  $\sigma_2 \in \mathsf{ObsTTraces}(L_2) \cap \mathsf{ObsTTraces}(L_2')$ ,  $\lambda$  a run of  $L_1||L_2$  and  $\sigma \in \mathsf{ObsTTraces}(L_1||L_2)$  the observable timed trace corresponding to  $\lambda$ .

**Lemma 1** If  $\sigma_1$  and  $\sigma_2$  are the traces extracted from  $\lambda$ , then  $\sigma_1$  and  $\sigma_2$  are synchronizable in  $L'_1||L'_2$  and  $\sigma \in \mathsf{ObsTTraces}(L'_1||L'_2)$ .

Proof Here, we assume, with no loss of generality, that the four TIOLTSs have the same unobservable action  $\tau$ . Let  $\gamma = a_1 \cdots a_n$  be the projection of the run  $\lambda$  to  $\operatorname{Act}_{\operatorname{in}} \cup \operatorname{Act}_{\operatorname{out}} \cup \operatorname{Act}_{1 \leftrightarrow 2}$ . For i = 1, 2, since  $\sigma_i \in \operatorname{ObsTTraces}(L_i)$ , there exists  $\gamma_i \in \operatorname{TTraces}(L_i)$  such that  $\sigma_i$  is the projection of  $\gamma$  to  $\operatorname{Act}^{i,2}$ . Thus, there exist  $[i_1, \ldots, i_N], [j_1, \ldots, j_N], [k_1, \ldots, k_M]$  and  $[l_1, \ldots, l_M]$  such that  $\gamma_1 = \tau^{j_1} a_{i_1} \cdots \tau^{j_N} a_{i_N}^3$  and  $\gamma_2 = \tau^{l_1} a_{k_1} \cdots \tau^{l_M} a_{k_M}$ . Similarly, there exist  $\gamma_1' = \tau^{j_1'} a_{i_1} \cdots \tau^{j_N'} a_{i_N} \in \operatorname{TTraces}(L_1')$  and  $\gamma_2' = \tau^{l_1'} a_{k_1} \cdots \tau^{l_M'} a_{k_M} \in \operatorname{TTraces}(L_2')$ . Clearly,  $\sigma_1 = a_{i_1} \cdots a_{i_N}$  and  $\sigma_2 = a_{k_1} \cdots a_{k_M}$ . Since  $\sigma_1$  and  $\sigma_2$  are extracted from  $\lambda$ , it is possible to synchronize the traces  $\gamma_1$  and  $\gamma_2$  in  $\lambda_1 = \lambda_1 = \lambda_2 = \lambda_2 = \lambda_3 = \lambda_4 =$ 

Then in the same way, it is possible to synchronize  $\gamma_1'$  and  $\gamma_2'$  in  $L_1'||L_2'$  by considering the trace  $\beta' = \tau^{r_1'}a_1 \cdots \tau^{r_n'}a_n \in \mathsf{TTraces}(L_1'||L_2')$ , where for  $p = 1, \ldots, n, r_p'$  is defined similarly to  $r_p$ . Hence, we are done.

Let  $A_1 = (Q_1, q_0^1, X_1, \mathsf{Act}_\mathsf{in}^1 \cup \mathsf{Act}_{2 \to 1}, \mathsf{Act}_\mathsf{out}^1 \cup \mathsf{Act}_{1 \to 2}, \mathsf{E}_1)$  and  $A_2 = (Q_2, q_0^2, X_2, \mathsf{Act}_\mathsf{in}^2 \cup \mathsf{Act}_{1 \to 2}, \mathsf{Act}_\mathsf{out}^2 \cup \mathsf{Act}_{2 \to 1}, \mathsf{E}_2)$  be two TAIO. Then we have the following.

**Proposition 1** If  $(A_1, A_2)$  is compatible with respect to  $(Act_{1\rightarrow 2}, Act_{2\rightarrow 1})$  then

$$L_{A_1||A_2} = L_{A_1}||L_{A_2}.$$

*Proof* Clearly, the two TIOLTS are equal iff they have the same initial state and the same set of transitions.



 $<sup>^2\</sup>mathrm{Act}^i=\mathrm{Act}^i_{\mathrm{in}}\cup\mathrm{Act}^i_{\mathrm{out}}\cup\mathrm{Act}_{1\leftrightarrow 2}.$ 

 $<sup>^{3}\</sup>tau^{j_{1}}$  is the sequence made up of  $j_{1}$   $\tau$ 's.

- First, it is not difficult to see that  $((q_0^1, \vec{0}), (q_0^2, \vec{0}))$  is the initial state of both  $L_{A_1||A_2}$  and  $L_{A_1}||L_{A_2}$ .
- Let  $t = (s_1, s_2) \xrightarrow{a} (s'_1, s'_2)$  be an arbitrary transition. We abuse notation and write  $t \in L_{A_1||A_2}$  when t is a possible transition of  $L_{A_1||A_2}$ . We prove that

$$t \in L_{A_1||A_2} \iff t \in L_{A_1}||L_{A_2}.$$
 (12)

- 1. If  $a \in \mathbb{R}$ , t is possible in  $A_1 || A_2$  iff  $s_1 \xrightarrow{a} s_1'$  is possible in  $A_1$  and  $s_2 \xrightarrow{a} s_2'$  in  $A_2$ . That is because  $A_1 || A_2$  is defined in a way as to accept a time delay a iff t is accepted by both  $A_1$  and  $A_2$ . By definition of  $L_{A_1 || A_2}$ ,  $t \in L_{A_1 || A_2}$  iff t is possible in  $A_1 || A_2$ . By rule (8),  $t \in L_{A_1} || L_{A_2}$  iff  $s_1 \xrightarrow{a} s_1'$  is possible in  $A_1$  and  $s_2 \xrightarrow{a} s_2'$  in  $A_2$ . Thus, (12) holds.
- 2. If  $a \in \mathsf{Act}^1_\mathsf{in} \cup \mathsf{Act}^1_\mathsf{out} \cup \{\tau_1\}$ , t is possible in  $A_1 || A_2$  iff  $s_1 \overset{a}{\to} s_1'$  is possible in  $A_1$ . That is because the edges labeled with a, both in  $A_1 || A_2$  and  $A_1$ , have the same guard, deadline and set of clocks to reset (see rule (4)). By definition of  $L_{A_1 || A_2}$  and by rule (9), (12) holds.
- 3. If  $a \in \mathsf{Act}^2_\mathsf{in} \cup \mathsf{Act}^2_\mathsf{out} \cup \{\tau_2\}$ , t possible in  $A_1 || A_2 \text{ iff } s_2 \xrightarrow{a} s_2'$  possible in  $A_2$ . By the same reasoning as for  $a \in \mathsf{Act}^1_\mathsf{in} \cup \mathsf{Act}^1_\mathsf{out} \cup \{\tau_1\}$ , (12) holds.
- 4. If  $a = \tau_b$  such that  $b \in \mathsf{Act}_{1\leftrightarrow 2}$ , t is possible in  $A_1||A_2$  iff  $s_1 \stackrel{b}{\to} s_1'$  is possible in  $A_1$  and  $s_2 \stackrel{b}{\to} s_2'$  in  $A_2$ . That follows immediately from rules (6) and (7). By definition of  $L_{A_1||A_2}$  and by rule (11), (12) holds.

#### 3 Timed input-output conformance

We now describe our testing framework. We assume that the specification of the system to be tested is given as a non-blocking TAIO  $A_S$ . We assume that the implementation (i.e., the system to be tested) can be modeled as a non-blocking, input-enabled TAIO  $A_I$ . Notice that we do not assume that  $A_I$  is known, simply that it exists. Input-enabledness is required so that the implementation can accept inputs from the tester at any state (possibly ignoring them or moving to an error state, in case of illegal inputs).

### 3.1 Examples

Before we proceed to define the conformance relation, we give some examples that illustrate the meaning of our testing framework. In the examples, input actions are denoted a?, b?, etc., and output actions are denoted a!, b!, etc. Unless otherwise mentioned, deadlines of output edges are delayable and deadlines of input edges are lazy. In order not to overload the figures, we do not always draw input-enabled (implementation) automata. We assume that implementations ignore the missing inputs. This can be modeled by adding self-loop edges covering the missing inputs. Note that, for specifications, which are not assumed to be input-enabled, missing inputs have a different meaning: they correspond to "don't cares", as will be explained below.

Consider the specification  $Spec_1$  shown in Fig. 3.  $Spec_1$  could be expressed in English as follows: "after the first a received, the system must output b no earlier than 2 and no later than 8 time units". Implementations  $Impl_1$  and  $Impl_2$  conform to  $Spec_1$ .  $Impl_1$  produces b exactly 5 time units after reception of a.  $Impl_2$  produces b within 4 to 5 time units.  $Impl_3$  and





Fig. 3 Examples of specifications and implementations



Fig. 4 More examples of specifications and implementations

 $Impl_4$  do not conform to  $Spec_1$ .  $Impl_3$  may produce a b after 1 time unit, which is too early.  $Impl_4$  fails to produce a b at all.

Now consider specification  $\operatorname{Spec}_2$  shown in Fig. 4. This specification could be expressed as: "if the first input is a then the system must output b within 10 time units; if the first input is c then the system must either output d within 5 time units or, failing to do that, output e within 7 time units". The second branch of  $\operatorname{Spec}_2$  is a typical specification of a timeout. If the "normal" result d does not appear for some time, the system itself must recognize the error and output an error message not much later. None of the four implementations of Fig. 3 conform to  $\operatorname{Spec}_2$ , as they do not react to input c (they ignore it). On the other hand,  $\operatorname{Impl}_5$  and  $\operatorname{Impl}_6$  of Fig. 4 conform to  $\operatorname{Spec}_2$ . Notice that  $\operatorname{Impl}_6$  accepts input f which does not appear in  $\operatorname{Spec}_2$ . This is an example of a "don't care" input mentioned above. The specification states nothing about the case where this input is provided. Thus, it imposes no requirements on this case, and the implementation is "free" to behave as it wishes.

### 3.2 Timed input-output conformance relation: tioco

In this section, we define our conformance relation tioco and we state some of its properties. We first compare specifications with the same set of observable traces and we show that there are equivalent with respect to tioco. Next, we compare between tioco and the timed trace inclusion relation. Also, we show that only lazy-inputs are needed in specifications and how deterministic specifications can be made input-enabled without changing their conformance semantics. In the remaining part of the section we prove the transitivity, undecidability, compositionality of tioco and its stability with respect to decreasing the number of observable actions.



#### 3.2.1 Definition

In order to formally define the conformance relation, we define a number of operators. Given a TAIO A and  $\sigma \in \mathsf{RT}(\mathsf{Act})$ , A after  $\sigma$  is the set of all states of A that can be reached by some timed sequence  $\rho$  whose projection to observable actions is  $\sigma$ . Formally:

$$A \text{ after } \sigma = \{ s \in S_A \mid \exists \rho \in \mathsf{RT}(\mathsf{Act}_\tau) : s_0^A \xrightarrow{\rho} s \land \mathsf{P}_{\mathsf{Act}}(\rho) = \sigma \}. \tag{13}$$

Given state  $s \in S_A$ , elapse(s) is the set of all delays which can elapse from s without A making any observable action. Formally:

$$\mathsf{elapse}(s) = \{t > 0 \mid \exists \rho \in \mathsf{RT}(\{\tau\}) : \mathsf{time}(\rho) = t \land s \overset{\rho}{\to} \}. \tag{14}$$

Given state  $s \in S_A$ , out(s) is the set of all observable "events" (outputs or the passage of time) that can occur when the system is at state s. The definition naturally extends to a set of states S. Formally:

$$\operatorname{out}(s) = \{a \in \operatorname{Act}_{\operatorname{out}} \mid s \xrightarrow{a}\} \cup \operatorname{elapse}(s), \qquad \operatorname{out}(S) = \bigcup_{s \in S} \operatorname{out}(s). \tag{15}$$

The timed input-output conformance relation, denoted tioco, is defined as

$$A_I \operatorname{tioco} A_S \ iff \ \forall \sigma \in \mathsf{ObsTTraces}(A_S) : \operatorname{out}(A_I \operatorname{after} \sigma) \subseteq \operatorname{out}(A_S \operatorname{after} \sigma).$$
 (16)

The relation states that an implementation  $A_I$  conforms to a specification  $A_S$  iff for any observable behavior  $\sigma$  of  $A_S$ , the set of observable outputs of  $A_I$  after any behavior "matching"  $\sigma$  must be a subset of the set of possible observable outputs of  $A_S$ . Notice that observable outputs are not only observable output actions but also time delays.

As expected, in the examples above, we have  $\mathsf{Impl}_1 \mathsf{tioco} \mathsf{Spec}_1$  and  $\mathsf{Impl}_2 \mathsf{tioco} \mathsf{Spec}_1$ . On the other hand,  $\mathsf{Impl}_3 \mathsf{tioco} \mathsf{Spec}_1$  and  $\mathsf{Impl}_4 \mathsf{tioco} \mathsf{Spec}_1$  because  $\mathsf{out}(\mathsf{Impl}_3 \mathsf{after} \ a \ 1) = (0, 4] \cup \{b\}$  and  $\mathsf{out}(\mathsf{Impl}_4 \mathsf{after} \ a \ 1) = (0, \infty)$ , whereas  $\mathsf{out}(\mathsf{Spec}_1 \mathsf{after} \ a \ 1) = (0, 7]$ .

We proceed in giving a number of properties of tioco. The first states that specifications that have the same set of observable timed traces are *equivalent* with respect to tioco, in other words, they specify the same requirements.

**Lemma 2** Given two TAIO  $A_S$  and  $A'_S$ , if ObsTTraces $(A_S) = \text{ObsTTraces}(A'_S)$  then

$$\forall A_I: A_I ext{ tioco } A_S \iff A_I ext{ tioco } A_S'$$
 .

*Proof* Let  $\sigma \in \mathsf{ObsTTraces}(A_S) = \mathsf{ObsTTraces}(A_S')$ . We claim that  $\mathsf{out}(A_S \text{ after } \sigma) = \mathsf{out}(A_S' \text{ after } \sigma)$ . Indeed, for any  $a \in \mathsf{Act}_{\mathsf{out}} \cup \mathsf{R}$ ,  $a \in \mathsf{out}(A_S \text{ after } \sigma) \setminus \mathsf{out}(A_S' \text{ after } \sigma)$  implies  $\sigma a \in \mathsf{ObsTTraces}(A_S) \setminus \mathsf{ObsTTraces}(A_S')$  which contradicts the hypothesis. Thus, for any implementation  $A_I$ ,  $\mathsf{out}(A_I \text{ after } \sigma) \subseteq \mathsf{out}(A_S \text{ after } \sigma)$  iff  $\mathsf{out}(A_I \text{ after } \sigma) \subseteq \mathsf{out}(A_S' \text{ after } \sigma)$ , and the result follows by definition of tioco. □

The next lemma relates tioco to observable timed trace inclusion.

#### **Lemma 3** Consider two TAIO A and B.

- 1.  $\mathsf{ObsTTraces}(A) \subseteq \mathsf{ObsTTraces}(B) \ implies \ A \ \mathsf{tioco} \ B.$
- 2. If B is input-enabled then A tioco B implies  $ObsTTraces(A) \subseteq ObsTTraces(B)$ .



#### Proof

- 1. Let  $\sigma \in \mathsf{ObsTTraces}(B)$  and  $a \in \mathsf{out}(A \text{ after } \sigma)$ .  $a \in \mathsf{out}(A \text{ after } \sigma)$  implies  $\sigma a \in \mathsf{ObsTTraces}(A)$ . Since  $\mathsf{ObsTTraces}(A) \subseteq \mathsf{ObsTTraces}(B)$ ,  $\sigma a \in \mathsf{ObsTTraces}(B)$ . Thus,  $a \in \mathsf{out}(B \text{ after } \sigma)$ , and  $\mathsf{out}(A \text{ after } \sigma) \subseteq \mathsf{out}(B \text{ after } \sigma)$ . The result follows by definition of tioco.
- 2. Suppose there exists  $\sigma \in \mathsf{ObsTTraces}(A) \setminus \mathsf{ObsTTraces}(B)$ . Thus, there exist  $\sigma_1, \sigma_2 \in \mathsf{RT}(\mathsf{Act})$  and  $a \in \mathsf{Act} \cup \mathsf{R}$ , such that  $\sigma = \sigma_1 a \sigma_2$ ,  $\sigma_1 \in \mathsf{ObsTTraces}(B)$  and  $\sigma_1 a \notin \mathsf{ObsTTraces}(B)$ . If  $a \in \mathsf{Act}_{\mathsf{in}}$  then  $\sigma_1 a \notin \mathsf{ObsTTraces}(B)$  is a contradiction since  $\sigma_1 \in \mathsf{ObsTTraces}(B)$  and B is input-enabled. If  $a \in \mathsf{Act}_{\mathsf{out}} \cup \mathsf{R}$  then we have again a contradiction, since  $\sigma_1 \in \mathsf{ObsTTraces}(B)$ ,  $a \in \mathsf{out}(A \text{ after } \sigma_1)$  and A tioco B.

Figure 4 gives an example for which the second part of Lemma 3 does not hold when B is not input-enabled. That is,  $Impl_6$  tioco  $Spec_2$  though  $ObsTTraces(Impl_6) \not\subseteq ObsTTraces(Spec_2)$ .

### 3.2.2 Only lazy inputs are needed in specifications

In all our examples so far, input edges of specifications have been annotated with lazy deadlines (and not delayable or eager). This is not a coincidence. As we show in this section, considering only *lazy-input* TAIO is enough for describing all possible (non-blocking) specifications. A lazy-input TAIO is one where every edge labeled with  $a \in Act_{in}$  has deadline lazy. Given a TAIO A, let Lazy(A) be the TAIO obtained by setting the deadline of every edge of A labeled by an input to lazy.

**Lemma 4** For any non-blocking TAIO A, ObsTTraces(A) = ObsTTraces(Lazy(A)).

*Proof* It should be clear that ObsTTraces(A)  $\subseteq$  ObsTTraces(Lazy(A)), since Lazy(A) is at least as "permissive" as A (i.e., every transition in the TLTS defined by A is also a transition of the TLTS defined by Lazy(A)). It remains to prove that ObsTTraces(Lazy(A))  $\subseteq$  ObsTTraces(A). Suppose there exists  $\sigma \in$  ObsTTraces(Lazy(A)) \ ObsTTraces(A). Let  $s_0 \stackrel{\sigma_1}{\longrightarrow} s_1 \cdots \stackrel{\sigma_N}{\longrightarrow} s_N$  a possible run of Lazy(A) corresponding to the trace  $\sigma$ . Since  $\sigma \not\in$  ObsTTraces(A), there must exist some  $k \le N$  such that  $s_0 \stackrel{\sigma_1}{\longrightarrow} s_1 \cdots \stackrel{\sigma_{k-1}}{\longrightarrow} s_{k-1}$  is a possible path in A and  $s_{k-1} \stackrel{\sigma_k}{\longrightarrow}$  in A. Let q and v be the location and the clock valuation, respectively, such that  $s_{k-1} = (q, v)$ . Depending on the value of  $\sigma_k$ , two cases are possible:

- $\sigma_k \in \mathsf{Act}_\tau$ : By construction, location q has outgoing edges which are labeled with the same actions and have the same deadlines and clocks to reset, both in A and  $\mathsf{Lazy}(A)$ . Thus for the same valuation v, the discrete transition  $s_{k-1} = (q, v) \xrightarrow{\sigma_k} s_k$ , possible in  $\mathsf{Lazy}(A)$ , is also possible in A. Contradiction.
- $\sigma_k \in \mathbb{R}$ : The fact that  $s_{k-1} \not\stackrel{\sigma_k}{\to}$ , in A, means that there is some delayable or eager outgoing edge e from q which prevents the delay  $\sigma_k$  from elapsing. e cannot be labeled with  $\tau$  or an output action, since then it would block time in Lazy(A) as well. Thus, e is labeled with an input action. This implies that at state  $s_{k-1}$  time is blocked unless this input action is received, which contradicts the hypothesis that A is non-blocking.

From Lemma 2 and Lemma 4, we obtain the following.

**Proposition 2** For any non-blocking TAIO  $A_S$ ,

 $\forall A_I : A_I \text{ tioco } A_S \iff A_I \text{ tioco Lazy}(A_S).$ 



Fig. 5 How to transform a deterministic, fully-observable, but not input-enabled specification to an equivalent input-enabled specification



### 3.2.3 Making specifications input-enabled

A deterministic (and fully observable) specification can be made input-enabled without changing its conformance semantics by adding edges covering the missing inputs and leading to a "don't care" location where all inputs and outputs are accepted. More precisely, this transformation is done as follows. Given a TAIO  $A = (Q, q_0, X, \text{Act}, E)$ , we build the corresponding input-enabled TAIO  $\tilde{A} = (\tilde{Q}, q_0, X, \text{Act}, \tilde{E})$ . First,  $\tilde{Q} = Q \cup \{q_{dc}\}$  where  $q_{dc} \notin Q$  is the "don't care" location. Second,

$$\begin{split} \tilde{E} &= E \cup \{(q_{dc}, q_{dc}, \mathsf{true}, \emptyset, \mathsf{lazy}, a) \,|\, a \in \mathsf{Act}\} \\ & \cup \{(q, q_{dc}, \neg \psi, \emptyset, \mathsf{lazy}, a) \,|\, q \in Q \land a \in \mathsf{Act}_{\mathsf{in}}\} \end{split}$$

such that for each  $q \in Q$  and each  $a \in \operatorname{Act}_{\operatorname{in}}$ ,  $\psi = \psi_1 \vee \psi_2 \vee \cdots \vee \psi_k$  where  $\psi_1, \psi_2, \ldots, \psi_k$  are the guards of the outgoing edges of q labeled with a. An example showing how this transformation works is given in Fig. 5. We transform A to  $\tilde{A}$ . The TAIO A has only one input (a) and one output (b). The added edges are the dashed ones.

**Proposition 3** Let Spec be a deterministic and fully observable TAIO and let Spec be the input-enabled TAIO corresponding to Spec obtained by the transformation given above. For any input-enabled TAIO Impl, Impl tioco Spec iff Impl tioco Spec.

The proof of the above proposition is based on the following two lemmata.

 $\textbf{Lemma 5} \ \, \mathsf{ObsTTraces}(\mathsf{Spec}) \subseteq \mathsf{ObsTTraces}(\widetilde{\mathsf{Spec}}).$ 

*Proof* Because Spec is obtained by adding edges to Spec and all added edges have deadline lazy.  $\Box$ 

**Lemma 6** Let  $\sigma \in \mathsf{ObsTTraces}(\mathsf{Spec})$ . If  $\sigma \in \mathsf{ObsTTraces}(\mathsf{Spec})$  then  $\mathsf{out}(\mathsf{Spec} \mathsf{\ after} \sigma) = \mathsf{out}(\mathsf{Spec} \mathsf{\ after} \sigma)$ . Otherwise,  $\mathsf{out}(\mathsf{Spec} \mathsf{\ after} \sigma) \subseteq \mathsf{out}(\mathsf{Spec} \mathsf{\ after} \sigma) = \mathsf{R} \cup \mathsf{Act}_\mathsf{out}$ .

*Proof* If  $\sigma \in \mathsf{ObsTTraces}(\mathsf{Spec})$  then the  $q_{dc}$  location is not reached yet and  $\mathsf{Spec}$  still has the same behavior as  $\mathsf{Spec}$ . If  $\sigma \notin \mathsf{ObsTTraces}(\mathsf{Spec})$  then the sink location  $q_{dc}$  has been reached. Since  $\mathsf{Spec}$  is defined with respect to the same set of outputs  $\mathsf{Act}_\mathsf{out}$  as  $\mathsf{Spec}$ ,  $\mathsf{out}(\mathsf{Spec} \text{ after } \sigma) = \mathsf{R} \cup \mathsf{Act}_\mathsf{out}$ . Hence,  $\mathsf{out}(\mathsf{Spec} \text{ after } \sigma) = \mathsf{R} \cup \mathsf{Act}_\mathsf{out}$  and  $\mathsf{out}(\mathsf{Spec} \text{ after } \sigma) \subseteq \mathsf{out}(\mathsf{Spec} \text{ after } \sigma)$ .

Now, we give the proof of Proposition 3.





Fig. 6 An example showing that the transformation of Fig. 5 is incorrect for non-deterministic or partially-observable specifications

### Proof of Proposition 3

- ( $\Rightarrow$ ) We assume that Impl tioco Spec and we prove that Impl tioco Spec. Let  $\sigma \in \mathsf{ObsTTraces}(\mathsf{Spec})$ . If  $\sigma \in \mathsf{ObsTTraces}(\mathsf{Spec})$  then by Lemma 6 out(Spec after  $\sigma$ ) = out(Spec after  $\sigma$ ). Moreover since Impl tioco Spec we have out(Impl after  $\sigma$ )  $\subseteq$  out(Spec after  $\sigma$ ). So out(Impl after  $\sigma$ )  $\subseteq$  out(Spec after  $\sigma$ ) and we are done. If  $\sigma \notin \mathsf{ObsTTraces}(\mathsf{Spec})$ , by Lemma 6 we have out(Spec after  $\sigma$ ) = R  $\cup$  Act<sub>out</sub>. Thus, we clearly have out(Impl after  $\sigma$ )  $\subseteq$  out(Spec after  $\sigma$ ) and we are done once again.
- ( $\Leftarrow$ ) We assume that Impl tioco Spec and we prove that Impl tioco Spec. Let  $\sigma \in \mathsf{ObsTTraces}(\mathsf{Spec})$ . By Lemma 5, we have  $\sigma \in \mathsf{ObsTTraces}(\mathsf{Spec})$  By Lemma 6, out(Spec after  $\sigma$ ) = out(Spec after  $\sigma$ ). Moreover, we have out(Impl after  $\sigma$ )  $\subseteq$  out(Spec after  $\sigma$ ) since Impl tioco Spec and  $\sigma \in \mathsf{ObsTTraces}(\mathsf{Spec})$ . Thus, out(Impl after  $\sigma$ )  $\subseteq$  out(Spec after  $\sigma$ ) and we are done.

Combined with Lemma 3, Proposition 3 implies that for deterministic and fully observable specifications, tioco can be replaced by timed trace inclusion, modulo the above input-enabling transformation. Notice that the proposed transformation is not correct for the case of non-deterministic or partially observable specifications. A simple counter-example is given in Fig. 6. The specification Spec has one input a and two outputs b and c. The implementation Impl is input-enabled. We have Impl tioco Spec but Impl tioco Spec.

Also note that the determinization of TAIO is undecidable in general [50]. Hence, reducing tioco to timed trace inclusion is not always possible and a specific framework for checking conformance with respect to tioco needs to be established for the case of non-deterministic or partially-observable specifications.



 $<sup>^4</sup>$ We omit self-loops labeled with a in order not to overload the figure.

### 3.2.4 Transitivity

Next we show that tioco is a transitive relation, given the usual assumption that implementations are input-enabled. That is an interesting property of the relation tioco. For instance, it may be helpful in case the specification model is obtained after several refinements.

**Proposition 4** Let A, B and C be three TAIO such that A and B are input-enabled, If A tioco B and B tioco C then A tioco C.

*Proof* Let  $\sigma \in \mathsf{ObsTTraces}(C)$ . Two cases are possible:

- $\sigma \in \mathsf{ObsTTraces}(B)$ . From A tioco B and B tioco C we obtain  $\mathsf{out}(A \mathsf{\ after\ } \sigma) \subseteq \mathsf{out}(B \mathsf{\ after\ } \sigma)$  and  $\mathsf{out}(B \mathsf{\ after\ } \sigma) \subseteq \mathsf{out}(C \mathsf{\ after\ } \sigma)$ , thus,  $\mathsf{out}(A \mathsf{\ after\ } \sigma) \subseteq \mathsf{out}(C \mathsf{\ after\ } \sigma)$ .
- σ ∉ ObsTTraces(B). By part 2 of Lemma 3, input-enabledness of B and A tioco B, we get σ ∉ ObsTTraces(A). Thus, out(A after σ) = Ø ⊆ out(C after σ).

The result follows by definition of tioco.

#### 3.2.5 *Undecidability*

In this section we show the undecidability of tioco which is indeed a result of only a theoretical interest for instance to check directly (without testing) whether a (known) implementation conforms to its specification.

### **Proposition 5** *Checking tioco is undecidable.*

*Proof* We reduce the timed trace inclusion problem for timed automata which is known to be undecidable [1] to the problem of checking tioco. Let A and B be two TA over the set of actions Act. The timed trace inclusion problem consists in checking whether ObsTTraces(A)  $\subseteq$  ObsTTraces(B). Let Act<sub>out</sub> = Act, i.e., Act<sub>in</sub> =  $\emptyset$ . Then, both A and B are input-enabled. By part 2 of Lemma 3, ObsTTraces(A)  $\subseteq$  ObsTTraces(B) iff A tioco B.  $\square$ 

It is worth noting that the undecidability of tioco is not a problem for black-box testing: since the implementation  $A_I$  is unknown, we cannot check conformance directly, anyway.

### 3.2.6 Compositionality

We prove that tioco is compositional as well. That is, if we succeed to check conformance of modules with respect to their models, then the product of the several modules conforms to the product of the models. That makes the task easier since checking conformance at the module levels is likely to be easier and cheaper than checking conformance at the whole product level.

Let  $A_1$ ,  $A'_1$ ,  $A_2$  and  $A'_2$  be four TAIO such that, for i = 1, 2,  $A_i$  and  $A'_i$  have the same sets of inputs and outputs, as shown in Fig. 2. Suppose that all four automata are input-enabled with respect to their respective sets of inputs. Furthermore, suppose that  $A_1$  and  $A_2$  are compatible with respect to  $(Act_{1\rightarrow 2}, Act_{2\rightarrow 1})$ , and so are  $A'_1$  and  $A'_2$ . Then, we have the following compositionality result.

**Proposition 6** If  $A'_1$  tioco  $A_1$  and  $A'_2$  tioco  $A_2$  then  $A'_1||A'_2$  tioco  $A_1||A_2$ .



Fig. 7 A counter example showing that tioco is not compositional for the case of non-input-enabled TAIO



*Proof* Observe that both  $A_1||A_2$  and  $A_1'||A_2'$  have the same set of inputs  $\mathsf{Act}_{\mathsf{in}} = \mathsf{Act}_{\mathsf{in}}^1 \cup \mathsf{Act}_{\mathsf{in}}^2$  and set of outputs  $\mathsf{Act}_{\mathsf{out}} = \mathsf{Act}_{\mathsf{out}}^1 \cup \mathsf{Act}_{\mathsf{out}}^2$ .

- We first prove that  $A_1||A_2$  is input-enabled with respect to  $Act_{in}^1 \cup Act_{in}^2$ . A state s of  $A_1||A_2$  is a pair  $(s_1, s_2)$  where  $s_i$  is a state of  $A_i$  for i = 1, 2. By assumption, each  $A_i$  is input-enabled with respect to  $Act_{in}^i$ . Thus for each  $a \in Act_{in}^i$ ,  $s_i \stackrel{a}{\to}$ . By (4) and (5), for each  $a \in Act_{in}^1 \cup Act_{in}^2$ ,  $s \stackrel{a}{\to}$ .
- By the same reasoning,  $A_1'||A_2'|$  is input-enabled with respect to  $\mathsf{Act}_\mathsf{in}^1 \cup \mathsf{Act}_\mathsf{in}^2$ .
- Now, we show that  $A_1'||A_2'$  tioco  $A_1||A_2$ . By Lemma 3, it suffices to prove that  $\mathsf{ObsTTraces}(A_1'||A_2') \subseteq \mathsf{ObsTTraces}(A_1||A_2)$ . Let  $\mathsf{Act} = \mathsf{Act}_{\mathsf{in}} \cup \mathsf{Act}_{\mathsf{out}}$ ,  $\mathsf{Act}_{1 \leftrightarrow 2} = \mathsf{Act}_{1 \to 2} \cup \mathsf{Act}_{2 \to 1}$  and  $\sigma \in \mathsf{ObsTTraces}(A_1'||A_2')$ . Since  $\mathsf{Act}_{1 \leftrightarrow 2} \cup \{\tau\}$  are internal unobservable actions of  $A_1'||A_2'$ , there exists  $\gamma \in \mathsf{TTraces}(A_1'||A_2')$  such that  $\mathsf{P}_{\mathsf{R} \cup \mathsf{Act}}(\gamma) = \sigma$ . For i = 1, 2, let  $\mathsf{Act}_i = (\mathsf{Act}_{\mathsf{in}}^i \cup \mathsf{Act}_{\mathsf{out}}^i \cup \mathsf{Act}_{1 \leftrightarrow 2})$  (i.e., the observable actions of  $A_i$ ) and  $\sigma_i = \mathsf{P}_{\mathsf{R} \cup \mathsf{Act}_i}(\gamma)$ . Then  $\sigma_i \in \mathsf{ObsTTraces}(A_i')$ . By part 2 of Lemma 3, input-enabledness of  $A_i$  and  $A_i'$  and the assumption  $A_i'$  tioco  $A_i$ , we get  $\sigma_i \in \mathsf{ObsTTraces}(A_i)$ . By Lemma 1,  $\sigma_1$  and  $\sigma_2$  are synchronizable in  $A_1||A_2$  and  $\sigma \in \mathsf{ObsTTraces}(A_1||A_2)$ .

Note that the above result does not generally hold for the case of non input-enabled TAIO. A counter-example is given in Fig. 7. We consider four TAIO  $A_1$ ,  $A_2$ ,  $A_1'$  and  $A_2'$ . TAIO  $A_2$  and  $A_2'$  are the same. The action a (dashed arrows in the figure) is shared between  $A_1$  and  $A_2$ , as well as between  $A_1'$  and  $A_2'$ . That is,  $\mathsf{Act}_\mathsf{in}^1 = \{c\}$ ,  $\mathsf{Act}_\mathsf{out}^1 = \{d, e\}$ ,  $\mathsf{Act}_{2 \to 1} = \{a\}$  and  $\mathsf{Act}_\mathsf{in}^2 = \mathsf{Act}_\mathsf{out}^2 = \mathsf{Act}_\mathsf{1 \to 2} = \emptyset$ . The two TAIO  $A_1$  and  $A_1'$  are input-enabled with respect to  $\{a\}$ .  $A_1$  is not input-enabled with respect to  $\{c\}$ . The guards of the transitions of all the automata are equal to true with deadline lazy. We clearly have  $A_2'$  tioco  $A_2$  since  $A_2' = A_2$ . It is also not difficult to see that  $A_1'$  tioco  $A_1$ . The figure also shows the two product automata



 $A_1||A_2$  and  $A'_1||A'_2$ . After receiving input c,  $A'_1||A'_2$  may generate either output d or e while  $A_1||A_2$  may generate only d. Thus,  $A'_1||A'_2$  tieco  $A_1||A_2$ .

### 3.2.7 Decreasing the number of observable actions

In this section, we prove the stability of tioco with respect to the decreasing of the number of observable actions. That is under the input-enabledness assumption, if one succeeds to prove the conformance of the SUT to the considered specification with respect to some given set of observable actions then conformance still holds with respect to any smaller set of observable actions. For example, if due to any reason some observable action is no longer accessible (i.e., no longer observable), then that does not affect conformance.

Given a TAIO A and an observable action  $a \in Act$ , we denote by  $A_{[\tau/a]}$  the TAIO obtained from A by replacing action a, anywhere it appears, by  $\tau$ . We have the following result.

**Proposition 7** *Given two input-enabled TAIO A and A' and an observable action a*  $\in$  Act, *if A'* tioco *A then A'*<sub> $\lceil \tau/a \rceil$ </sub> tioco  $A_{\lceil \tau/a \rceil}$ .

**Proof** We first prove that  $A_{[\tau/a]}$  is input-enabled. Let  $\mathsf{Act}^a_\mathsf{in}$  be the set of inputs of  $A_{[\tau/a]}$  and  $A'_{[\tau/a]}$ .  $\mathsf{Act}^a_\mathsf{in} \subseteq \mathsf{Act}_\mathsf{in}$  since either  $\mathsf{Act}^a_\mathsf{in} = \mathsf{Act}_\mathsf{in}$  (if a is an output) or  $\mathsf{Act}^a_\mathsf{in} = \mathsf{Act}_\mathsf{in} \setminus \{a\}$  (if a is an input).  $A_{[\tau/a]}$  has exactly the same set of states as A. A is input-enabled, and the result follows. In the same manner, we prove that  $A'_{[\tau/a]}$  is input-enabled.

Now, by Lemma 3, it suffices to prove that  $\mathsf{ObsTTraces}(A'_{[\tau/a]}) \subseteq \mathsf{ObsTTraces}(A_{[\tau/a]})$ . Let  $\sigma \in \mathsf{ObsTTraces}(A'_{[\tau/a]})$ . There exists a trace  $\sigma' \in \mathsf{ObsTTraces}(A')$  such that  $\sigma = \mathsf{P}_{\mathsf{R} \cup \mathsf{Act} \setminus \{a\}}(\sigma')$ . Since A and A' are input-enabled and A' tioco A,  $\sigma' \in \mathsf{ObsTTraces}(A)$  (by Lemma 3). Since  $\sigma = \mathsf{P}_{\mathsf{R} \cup \mathsf{Act} \setminus \{a\}}(\sigma')$ ,  $\sigma \in \mathsf{ObsTTraces}(A_{[\tau/a]})$ .

The above result is not valid for non-input-enabled TAIO, in general. We use the counter-example of Fig. 7. We consider the two TAIO  $A_1$  and  $A'_1$ . As already mentioned,  $A'_1$  tioco  $A_1$ . It is easy to see that  $A_{1[\tau/a]} = A_1||A_2|$  and  $A'_{1[\tau/a]} = A'_1||A'_2|$ . So, clearly  $A'_{1[\tau/a]}$  tioco  $A_{1[\tau/a]}$ .

#### 3.3 Comparison of tioco with other conformance relations

Different conformance relations have been used in the literature in the context of timed testing. We review some of these and compare them to tioco.

[46] define conformance as timed bisimulation (TB), which in their case reduces to timed trace equivalence (TTE), since determinism is assumed. [42] define conformance using a must/may preorder (MMP). None of Impl<sub>1</sub>, Impl<sub>2</sub> conform to Spec<sub>1</sub> with respect to TB, TTE or MMP. We believe that this is too strict.<sup>5</sup>

[29, 33] define conformance as timed trace inclusion (TTI). As stated in Lemma 3, TTI is generally stricter than tioco: tioco allows an implementation to accept inputs not accepted by the specification, whereas TTI does not. For instance in Fig. 4, we have  $Impl_6$  tioco  $Spec_2$  though  $ObsTTraces(Impl_6) \not\subseteq ObsTTraces(Spec_2)$ . As also stated in Lemma 3, when the specification is input-enabled, tioco and TTI are equivalent.

<sup>&</sup>lt;sup>5</sup>It should be noted, however, that the issue does not arise in [46] because outputs are assumed to be urgent, thus, Spec<sub>1</sub> cannot be expressed.



Finally, as stated in Proposition 3, TTI may replace tioco in the case of deterministic and fully-observable specifications, modulo an input-enabling transformation. Note, however, that when this transformation is performed care must be taken to instruct the test generation algorithm not to explore the added "don't care" inputs, so that it does not generate useless tests. We opt for tioco, which avoids these complications in a simple way.

Next we compare tioco with two other conformance relations proposed in the literature.

### 3.3.1 Comparison with the relativized timed conformance relation

In [38], the *relativized timed conformation relation*, or rtioco, is defined. It is "relativized" in the sense that it compares the implementation  $\mathcal{I}$  and the specification  $\mathcal{S}$  with respect to some given environment  $\mathcal{E}$ . Both  $\mathcal{S}$ ,  $\mathcal{I}$  and  $\mathcal{E}$  are given as TIOLTS.  $\mathcal{S}$  and  $\mathcal{I}$  are assumed to be input-enabled with respect to  $\mathsf{Act}_{\mathsf{in}}$ ; and  $\mathcal{E}$  input-enabled with respect to  $\mathsf{Act}_{\mathsf{out}}$ .  $\mathcal{S}$ ,  $\mathcal{I}$  and  $\mathcal{E}$  are also non-blocking. For comparing  $\mathcal{S}$  and  $\mathcal{I}$ , the first step consists in making the parallel composition of each of them with  $\mathcal{E}$ . The used parallel composition is slightly different from the one we propose. To avoid confusion, we denote it  $||_r$ . What is different with  $||_r$  is that it does not hide the actions on which the two TIOLTS synchronize (i.e., in Condition (11) the action a remains observable after synchronization). Formally, rtioco is defined as follows:

$$\mathcal{I}$$
 rtioco $_{\mathcal{E}} \mathcal{S}$  iff  $\forall \sigma \in \mathsf{ObsTTraces}(\mathcal{E})$ :  $\mathsf{out}((\mathcal{I}||_r \mathcal{E}) \, \mathsf{after} \, \sigma) \subseteq \mathsf{out}((\mathcal{S}||_r \mathcal{E}) \, \mathsf{after} \, \sigma)$ ,

where the function  $\mathsf{ObsTTraces}(\cdot)$  is extended in a natural way to the case of TIOLTS. It follows that  $\mathsf{ObsTTraces}(\mathcal{S})|_{r}\mathcal{E}) = \mathsf{ObsTTraces}(\mathcal{S}) \cap \mathsf{ObsTTraces}(\mathcal{E})$  and similarly  $\mathsf{ObsTTraces}(\mathcal{I})|_{r}\mathcal{E}) = \mathsf{ObsTTraces}(\mathcal{I}) \cap \mathsf{ObsTTraces}(\mathcal{E})$ .

To be able to compare rtioco and tioco, we extend the conformance relation tioco in a natural way to the case of TIOLTS. Then we have the following result.

**Proposition 8** Let S and I be two input-enabled and non-blocking TLTS. Furthermore, let E be an environment of S given as an input-enabled and non-blocking TLTS. Then we have

$$\mathcal{I}$$
 rtioco $_{\mathcal{E}} \mathcal{S} \iff (\mathcal{I} \mid \mid_{r} \mathcal{E})$  tioco  $(\mathcal{S} \mid \mid_{r} \mathcal{E})$ .

Proof

- (⇒) Let  $\sigma \in \mathsf{ObsTTraces}(\mathcal{S}||_r \mathcal{E})$ . Since  $\mathsf{ObsTTraces}(\mathcal{S}||_r \mathcal{E}) = \mathsf{ObsTTraces}(\mathcal{S}) \cap \mathsf{ObsTTraces}(\mathcal{E})$ ,  $\sigma \in \mathsf{ObsTTraces}(\mathcal{E})$ .  $\mathcal{I}\mathsf{rtioco}_{\mathcal{E}}\mathcal{S}$  implies  $\mathsf{out}((\mathcal{I}||_r \mathcal{E}) \mathsf{after} \sigma) \subseteq \mathsf{out}((\mathcal{I}||_r \mathcal{E}) \mathsf{after} \sigma)$ .
- ( $\Leftarrow$ ) Let  $\sigma$  ∈ ObsTTraces( $\mathcal{E}$ ). Two cases are possible:
  - $\sigma \in \mathsf{ObsTTraces}(\mathcal{S})$ .  $\mathsf{ObsTTraces}(\mathcal{S}||_r \mathcal{E}) = \mathsf{ObsTTraces}(\mathcal{S}) \cap \mathsf{ObsTTraces}(\mathcal{E})$  implies  $\sigma \in \mathsf{ObsTTraces}(\mathcal{S}||_r \mathcal{E})$ .  $(\mathcal{I}||_r \mathcal{E})$  tioco  $(\mathcal{S}||_r \mathcal{E})$  implies  $\mathsf{out}((\mathcal{I}||_r \mathcal{E}) \mathsf{after} \sigma) \subseteq \mathsf{out}((\mathcal{I}||_r \mathcal{E}) \mathsf{after} \sigma)$ .
  - $\sigma \notin \mathsf{ObsTTraces}(\mathcal{S})$ . Thus there exist  $\sigma' \in \mathsf{RT}(\mathsf{Act})$  and  $b \in \mathsf{R} \cup \mathsf{Act}$  such that:  $\sigma' b$  is a prefix of  $\sigma$ ,  $\sigma' \in \mathsf{ObsTTraces}(\mathcal{S})$  and  $\sigma' b \notin \mathsf{ObsTTraces}(\mathcal{S})$ . Since  $\mathcal{S}$  is input-enabled we deduce that  $b \in \mathsf{R} \cup \mathsf{Act}_{\mathsf{out}}$ . Since  $(\mathcal{I} \mid \mid_r \mathcal{E})$  tioco  $(\mathcal{S} \mid \mid_r \mathcal{E})$ ,  $\sigma' \in \mathsf{ObsTTraces}(\mathcal{E}) \cap \mathsf{ObsTTraces}(\mathcal{S})$  and  $b \notin \mathsf{out}((\mathcal{S} \mid \mid_r \mathcal{E}) \text{ after } \sigma')$ , we deduce that  $b \notin \mathsf{out}((\mathcal{I} \mid \mid_r \mathcal{E}) \text{ after } \sigma')$  either. The latter means that  $\sigma' b \notin \mathsf{ObsTTraces}(\mathcal{I})$  which, in turn, means that  $\sigma \notin \mathsf{ObsTTraces}(\mathcal{I})$  either. So,  $\mathsf{out}((\mathcal{I} \mid \mid_r \mathcal{E}) \text{ after } \sigma) = \mathsf{out}((\mathcal{S} \mid \mid_r \mathcal{E}) \text{ after } \sigma) = \emptyset$  and we are done.



**Fig. 8** 
$$\mathcal{I}$$
 tioco  $\mathcal{S}$  but  $\mathcal{I} \not\sqsubseteq_{tioco}^{M} \mathcal{S}$ , for any  $M$ 



The above result shows that tioco can capture rtioco simply by modeling the assumptions on the environment and the requirements from the system-under-test separately, and then taking their composition (see also Sect. 3.4.1 below).

### 3.3.2 Comparison with the conformance relation $\sqsubseteq_{tioco}$

Another conformance relation, denoted  $\sqsubseteq_{tioco}$ , is introduced in [17]. The main goal of this work is to propose a testing framework which extends the notion of quiescence to the case of timed systems. The relation  $\sqsubseteq_{tioco}$  bears a lot of similarity with tioco too. It is defined with respect to TIOLTS. The considered TLTS are assumed to be non-blocking and inputenabled.<sup>6</sup> Given two TLTS  $\mathcal{S}$  the specification and  $\mathcal{I}$  the implementation, the first step for comparing  $\mathcal{S}$  and  $\mathcal{I}$  consists in identifying the *quiescent* states of both of them. A given state s of  $\mathcal{S}$  is said to be quiescent if  $\forall t \in \mathbb{R}$ : out(s after t) =  $\mathbb{R}$  (i.e., starting from s no discrete output can be generated if no input is received). For each detected quiescent state s, a self loop  $s \xrightarrow{\delta} s$  is added to the corresponding TLTS. Thus the action  $\delta$  models the fact that no output must be generated. The new obtained TLTS are denoted  $\Delta(\mathcal{S})$  and  $\Delta(\mathcal{I})$ , respectively. The relation  $\sqsubseteq_{tioco}$  is defined with respect to an arbitrary duration M. Given a duration M, we let ObsTTraces $_M(\mathcal{S}) = \mathsf{ObsTTraces}(\Delta(\mathcal{S})) \cap (\mathbb{R} \cdot \mathsf{Act} \cup \{M\delta\})^*$ . Given a state s and a set of states s, we let

$$\mathsf{out}_M(s) = \{tb \in \mathsf{R} \cdot \mathsf{Act}_\mathsf{in} \mid s \overset{tb}{\Rightarrow} \} \cup \{M\delta \mid s \overset{M\delta}{\Rightarrow} \}; \qquad \mathsf{out}_M(S) = \bigcup_{s \in S} \mathsf{out}_M(s).$$

Then, the conformance relation  $\sqsubseteq_{tioco}$  with respect to M, denoted  $\sqsubseteq_{tioco}^{M}$ , is defined as follows

$$\mathcal{I} \sqsubseteq_{tiaco}^{M} \mathcal{S} \text{ iff } \forall \sigma \in \mathsf{ObsTTraces}_{M}(\mathcal{S}) : \mathsf{out}_{M}(\Delta(\mathcal{I}) \text{ after } \sigma) \subseteq \mathsf{out}_{M}(\Delta(\mathcal{S}) \text{ after } \sigma).$$

 $\sqsubseteq_{tioco}$  and tioco are different. It is possible to find many examples where there is conformance with respect to  $\sqsubseteq_{tioco}$  but not with respect to tioco. A simple such example is given in Fig. 8. For simplicity, both  $\mathcal{S}$ ,  $\mathcal{I}$ ,  $\Delta(\mathcal{S})$  and  $\Delta(\mathcal{I})$  are given as TAIO and not TLTS. For this example, it is not difficult to see that  $\mathcal{I}$  tioco  $\mathcal{S}$ . However for any possible value of M we clearly have  $\mathcal{I} \not\sqsubseteq_{tioco}^{M} \mathcal{S}$ , since  $\Delta(\mathcal{I})$  produces  $\delta$  after receiving input a while  $\Delta(\mathcal{S})$  does not.

Now, we check the other direction. That is, we assume we are given S, T and a duration M such that  $T \sqsubseteq_{tioco}^{M} S$  and we want to know whether T tioco S holds. For that, we first introduce the following intermediary result.

<sup>&</sup>lt;sup>6</sup>In [17], the authors use the term "no forced inputs" instead of "non-blocking". Moreover, the notion of input-enabledness they introduce is slightly less strict than ours.



**Lemma 7** Let S be a non-blocking TLTS and S a set of states of S.

- 1. For  $b \in \mathsf{Act}_{\mathsf{out}} : b \in \mathsf{out}(S) \iff 0b \in \mathsf{out}_M(S)$ .
- 2. For  $t \in \mathbb{R}$ :  $t \in \text{out}(S) \iff M\delta \in \text{out}_M(S)$  or  $\exists t'b \in \text{out}_M(S) \cap (\mathbb{R} \cdot \text{Act}_{\text{out}}) : t \leq t'$ .

#### Proof

- This first point is obvious. It follows immediately from the definitions of "out" and "out<sub>M</sub>".
- (⇒) We assume that t ∈ out(S). Let s ∈ S such that ∃s': s → s'. If s' is quiescent then we clearly have Mδ ∈ out<sub>M</sub>(s). In case s' is not quiescent, since S is non-blocking then there must exist t"b ∈ R · Act<sub>out</sub> such that s' → Thus, we only need to consider t' = t + t" and we are done.
  - $(\Leftarrow)$  This direction is obvious.

Now, we give the following result.

**Proposition 9** Given two non-blocking and input-enabled TLTS S and I and a duration M. If  $I \subseteq_{ijoco}^{M} S$  then I tioco S.

*Proof* Let  $\sigma \in \mathsf{ObsTTraces}(\mathcal{S})$ . Since  $\mathsf{ObsTTraces}(\mathcal{S}) \subseteq \mathsf{ObsTTraces}_M(\mathcal{S})$  then  $\sigma \in \mathsf{ObsTTraces}_M(\mathcal{S})$  too. By definition of  $\Delta(\mathcal{S})$ , it is not difficult to see that  $\mathcal{S}$  after  $\sigma = \Delta(\mathcal{S})$  after  $\sigma$ . Similarly, we have  $\mathcal{I}$  after  $\sigma = \Delta(\mathcal{I})$  after  $\sigma$ , as well. Let  $b \in \mathsf{out}(\mathcal{I} \mathsf{after} \sigma)$ . Two cases are possible then. Either  $b \in \mathsf{Act}_\mathsf{out}$  or  $b \in \mathsf{R}$ .

- For  $b \in \mathsf{Act}_{\mathsf{out}}$ : By Lemma 7, we know that  $0b \in \mathsf{out}_M(\Delta(\mathcal{I}) \, \mathsf{after} \, \sigma)$ . Moreover since  $\mathcal{I} \sqsubseteq_{tioco}^M \mathcal{S}, \, 0b \in \mathsf{out}_M(\Delta(\mathcal{S}) \, \mathsf{after} \, \sigma)$ , too. Then once again by Lemma 7, we have  $b \in \mathsf{out}(\mathcal{S} \, \mathsf{after} \, \sigma)$  and we are done.
- For  $b \in \mathbb{R}$ : Since  $\mathcal{I}$  after  $\sigma = \Delta(\mathcal{I})$  after  $\sigma$ ,  $b \in \text{out}(\Delta(\mathcal{I})$  after  $\sigma)$ . By point 2 of Lemma 7,  $M\delta \in \text{out}_M(\Delta(\mathcal{I})$  after  $\sigma)$  or  $\exists b'c \in \text{out}_M(\Delta(\mathcal{I})$  after  $\sigma) \cap (\mathbb{R} \cdot \text{Act}_{\text{out}})$ :  $b \leq b'$ . Since  $\mathcal{I} \sqsubseteq_{tioco}^M \mathcal{S}$ ,  $\text{out}_M(\Delta(\mathcal{I})$  after  $\sigma) \subseteq \text{out}_M(\Delta(\mathcal{S})$  after  $\sigma)$ . Thus,  $M\delta \in \text{out}_M(\Delta(\mathcal{S})$  after  $\sigma)$  or  $\exists b'c \in \text{out}_M(\Delta(\mathcal{S})$  after  $\sigma) \cap (\mathbb{R} \cdot \text{Act}_{\text{out}})$ :  $b \leq b'$ . Then by point 2 of Lemma 7, we have  $b \in \text{out}(\mathcal{S} \text{ after } \sigma) = \text{out}(\Delta(\mathcal{S}) \text{ after } \sigma)$  and we are done.

In practice, it is clearly infeasible to check whether the implementation really produced a  $\delta$  action or not (i.e., whether we have waited enough time or not). To alleviate this problem, the authors of [17] make the extra-assumption that the implementation  $\mathcal{I}$  is M-quiescent.  $\mathcal{I}$  is said to be M-quiescent if for any state s of  $\mathcal{I}$  any state in (s after M) is quiescent. Intuitively this means that M is an upper bound on the "reactivity" of  $\mathcal{I}$ : if  $\mathcal{I}$  does not react within M, it is assumed that it will never react.

For an extensive discussion of various untimed conformance relations, see [48].

#### 3.4 Modeling issues

The main goal of this section is to illustrate some methodological aspects of our framework. We show how it is possible to alleviate modeling issues regarding environment assumptions and interface conditions between the tester and the SUT using the timed automaton model on which our framework is based.

#### 3.4.1 Modeling assumptions on the environment

Often, the SUT is supposed to operate correctly only in a particular environment, not in any environment. This brings up the issue of how to incorporate *assumptions* on the environ-





**Fig. 9** Specification including assumptions on the environment: generic scheme (*left*) and example of a task scheduler (*right*)

ment when building a model of specification. Figure 9 shows how this can be done. The specification can be modeled compositionally, in two parts: one part modeling the environment (assumptions) and another part the nominal behavior of the SUT in this environment (requirements). In this case, the interactions between the two components are not unobservable, but are exported as inputs and outputs of the global specification. A simple example of such a situation is shown in Fig. 9. The specification expresses schedulability of an aperiodic task in a typical real-time operating system: "assuming the minimal inter-arrival time of task *A* is 20 time units, the task must be executed within 10 time units". Notice that environment assumptions generally make the specification non-input-enabled. In the above example, the second arrive input cannot be accepted until at least 20 time units have elapsed since the first arrive. In order to keep the specification non-blocking, as it should be, the urgency of inputs must be set to lazy.

### 3.4.2 Modeling input/output variables

The TA model we have presented uses the notion of input/output *actions*, implying an event-based interface between the tester and the SUT. In practice, many systems communicate with the external world using input/output *variables*. We now show how to model such situations in our framework.

There are basically two possibilities to specify real-time requirements related to variables. One is to refer to variable *updates* and the other to refer to value *durations*. The first can be modeled in our framework using an action for each update. The second corresponds to the amount of time during which the variable keeps the same value. It can be modeled using a "begin" action for the point in time where a variable changes its value to the value that is of interest and an "end" action for the moment where the variable changes to a different value. For example, assume y is an input variable and z an output variable. Consider the requirement "z will be updated at most 10 time units after y is updated". Notice that y is updated by the environment (or the tester) while z is updated by the SUT. Thus, update, can be introduced as an input action and update, as an output action. The specification can be modeled as a TA similar to the one for Spec<sub>1</sub> of Fig. 3, with a replaced by update, and b replaced by update, (in this case the guard  $2 \le x \le 8$  must also be changed into  $x \le 10$ ).

This simplistic way of modeling supposes that updates are immediately perceived (by the SUT or by the tester) when they occur. This is obviously not always true. For instance, a sampling controller typically reads its inputs only periodically (but may write the outputs



**Fig. 10** Specification composed with interface-delay automata



as soon as they are ready). In this case, it could be that the specification only requires that the output be produced at most 10 time units after the input is sampled by the controller, not after it is updated by the environment. This situation can also be modeled in our framework by explicitly adding automata modeling the sampling (either at the SUT side, or at the tester side, or both). In fact, we will add such an automaton, called a *tick-automaton*, in order to generate digital-clock tests (see Sect. 4.2). A tick-automaton models in some sense sampling at the tester side. A similar automaton can be used to model sampling at the SUT side, with the difference that the tick event would in this case be an input event. More elaborate interfaces (e.g., event handlers with buffering, and so on) can also be modeled, as long as they can be expressed as (extended) timed automata.

### 3.4.3 Modeling interfacing delays

As a last example of modeling methodology, we show how to model interfacing delays between the tester and the SUT. That is the amount of time needed for messages to be transmitted between the SUT and the environment. This can again be done by composing the specification with "delay automata", as shown in Fig. 10. A simple input delay automaton is shown to the right of the figure. Input action a is the original action whereas  $a_t$  is the output command of the tester. This automaton models the assumption that the tester output may experience a delay of at most 2 time units until it is perceived by the SUT. Notice that this automaton does not allow a new input to be produced while the previous one is still in "transit". For this, a more complicated automaton is necessary, which buffers input events. The point is that, as mentioned above, such elaborate interfaces can all be modeled explicitly. Thus, the user has full control on how the assumptions made on the tester equipment affect the generated tests.

#### 4 Tests

A test (or *test case*) is an experiment performed on the implementation by an agent (the *tester*). There are different types of tests, depending on the capabilities of the tester to observe and react to events. Here, we consider two types of tests (the terminology is borrowed from [28]). *Analog-clock* tests can measure precisely the delay between two observed actions and can emit an input at any point in time. We always use terms "input" and "output" to mean input/output of the implementation. Thus, we write "the test emits an input" rather than "emits an output". We follow the same convention when drawing test automata. For example, the edge labeled *a*? in the TAIO of Fig. 11 corresponds to the tester emitting *a*, upon execution of the test. *Digital-clock* tests can only count how many "ticks" of a digital clock have occurred between two actions and emit an input immediately after observing an action or tick. For simplicity, we assume that the tester and the implementation are started precisely at the same time. In practice, this can be achieved by having the tester issuing the start command to the implementation.





Fig. 11 Analog-clock test represented as a TAIO or a function

It should be noted that we consider *adaptive* tests (following the terminology of [40]), where the action the tester takes depends on the observation history. Adaptive tests can be seen as *trees* representing the strategy of the tester in a game against the implementation. Due to restrictions in the specification model, which essentially remove non-determinism from the implementation strategy, some existing methods [29, 46] generate non-adaptive test *sequences*.

### 4.1 Analog-clock tests

Analog-clock tests can be represented as either total functions or TAIO.

# 4.1.1 Analog-clock tests as total functions

An analog-clock test for a specification  $A_S$  over  $Act_{\tau}$  is a total function

$$T: \mathsf{RT}(\mathsf{Act}) \to \mathsf{Act}_{\mathsf{in}} \cup \{\mathsf{Wait}, \mathsf{Pass}, \mathsf{Fail}\}.$$
 (17)

 $T(\rho)$  specifies the action the tester must take once it observes  $\rho$ . If  $T(\rho) = a \in \mathsf{Act}_{\mathsf{in}}$  then the tester emits input a. If  $T(\rho) = \mathsf{Wait}$  then the tester waits (lets time elapse). If  $T(\rho) \in \{\mathsf{Pass}, \mathsf{Fail}\}$  then the tester produces a verdict (and stops). To represent a valid test, T must satisfy a number of conditions:

$$\exists t \in \mathsf{R} : \forall \rho \in \mathsf{RT}(\mathsf{Act}) : \mathsf{time}(\rho) > t \Rightarrow T(\rho) \in \{\mathsf{Pass}, \mathsf{Fail}\},\tag{18}$$

$$\forall \rho \in \mathsf{RT}(\mathsf{Act}) : T(\rho) \in \{\mathsf{Pass}, \mathsf{Fail}\} \Rightarrow \forall \rho' \in \mathsf{RT}(\mathsf{Act}) : T(\rho \cdot \rho') = T(\rho).$$
 (19)

Condition (18) states that the test reaches a verdict in bounded time t (called the *completion time* of the test). Condition (19) is a "suffix-closure" property ensuring that the test does not recall a verdict. We also need to ensure that the test does not block time, for instance, by emitting an infinite number of inputs in a bounded amount of time. This can be done by specifying certain conditions on the TIOLTS defined by T. The states of this TIOLTS are sequences  $\rho \in \mathsf{RT}(\mathsf{Act})$ . The initial state is  $\epsilon$ . For every  $a \in \mathsf{Act}_{\mathsf{out}}$  there is a transition  $\rho \xrightarrow{a} \rho \cdot a$ . There is also a transition  $\rho \xrightarrow{t} \rho \cdot t$  for every  $t \in \mathsf{R}$ , provided  $\forall t' \leq t : T(\rho) = \mathsf{Wait}$ . If  $T(\rho) = b \in \mathsf{Act}_{\mathsf{in}}$  then there is a transition  $\rho \xrightarrow{b} \rho \cdot b$ . As a convention, all states  $\rho$  such that  $T(\rho) = \mathsf{Pass}$  are "collapsed" into a single sink state Pass, and similarly with Fail. We require that states of this TIOLTS are non-blocking as in Condition (1), unless Pass or Fail is reached.



### 4.1.2 Analog-clock tests as TA

Analog-clock tests can sometimes be represented as TAIO.<sup>7</sup> For example, the test defined in the right part of Fig. 11 can be equivalently represented by the TAIO shown in the left part. Function T is partially defined in the figure. The remaining cases are covered by the suffix-closure property of Pass/Fail—Condition (19). For instance, T(a?9b!) = Fail, because T(a?9) = Fail.

#### 4.1.3 Execution of an analog-clock test

The execution of the test T on the implementation  $A_I$  can be defined as the *parallel composition* of the TIOLTS defined by T and  $A_I$ , with the usual *synchronization* rules for transitions carrying the same label. We will denote the product TIOLTS by  $A_I \parallel T$ . The execution of the test reaches a pass/fail verdict after bounded time. However, since the implementation can be non-deterministic or non-observable, the verdict need not be the same in all experiments (i.e., runs of the product). To declare that the implementation passes the test, we require that *all* possible experiments lead to a pass verdict. This implies that in order to gain confidence in pass verdicts, the same test must be executed multiple times, unless the implementation is known to be deterministic.

Formally, we say that  $A_I$  passes the test, denoted  $A_I$  passes T, if state Fail is not reachable in the product  $A_I || T$ . We say that an implementation passes (resp. fails) a set of tests (or *test suite*) T if it passes all tests (resp. fails at least one test) in T.

#### 4.1.4 Correctness requirements

We say that an analog-clock test suite  $\mathcal{T}$  is sound with respect to  $A_S$  if

$$\forall A_I : A_I \text{ tioco } A_S \Rightarrow A_I \text{ passes } \mathcal{T}.$$

We say that  $\mathcal{T}$  is complete with respect to  $A_S$  if

$$\forall A_I : A_I \text{ passes } \mathcal{T} \Rightarrow A_I \text{ tioco } A_S.$$

Soundness is a minimal correctness requirement. It is rather weak, since many tests can be sound and useless (by always announcing Pass). Completeness, on the other hand, is usually impossible to achieve with a finite test suite (see Sect. 6). We are thus motivated to define another notion. We say that a test T is *strict with respect to*  $A_S$  if  $\forall A_I: A_I$  passes  $T \Rightarrow A_I \| T$  tioco  $A_S$ . What the above definition says is that a strict test must not announce Pass when the implementation has behaved in a non-conforming manner *during the execution of the test*. In the untimed setting, a similar notion of *lax* tests is proposed in [32]. The test shown in Fig. 11 is sound and strict with respect to Spec<sub>1</sub> of Fig. 3. Consider an arbitrary implementation  $A_I$  such that  $A_I$  passes T. Let T' be the TA obtained from the test by removing the node Fail and its incoming edges. Since  $A_I$  passes T, ObsTTraces( $A_I \| T$ )  $\subseteq$  ObsTTraces(T'). Moreover clearly, ObsTTraces(T')  $\subseteq$  ObsTTraces(T'). Thus, ObsTTraces(T')  $\subseteq$  ObsTTraces(T') by Lemma 3,  $T_I \| T$  tioco  $T_I \| T$ 

<sup>&</sup>lt;sup>7</sup>But not always: the test which moves to Pass once it observes a sequence of a's such that the time distance between two a's is 1 cannot be captured by a timed automaton with a bounded number of clocks. This is related to the fact that timed automata are not determinizable whereas a test is by definition deterministic.





Fig. 12 Extending the specification with a tester clock model and possible such models

### 4.2 Digital-clock tests

Consider a specification  $A_S$  over  $Act_{\tau}$  and let tick be a new output action, not in  $Act_{\tau}$ . A digital-clock test for  $A_S$  is a total function

$$D: (\mathsf{Act} \cup \{\mathsf{tick}\})^* \to \mathsf{Act}_{\mathsf{in}} \cup \{\mathsf{Wait}, \mathsf{Pass}, \mathsf{Fail}\}. \tag{20}$$

The digital-clock test can observe all input and output actions, plus the action tick which is assumed to be the output of the tester's digital clock. We assume that the tester's digital clock is modeled as a *tick-automaton*, which is a special TAIO with a single output action tick. We further assume that the clock is never reset, and that ticks have priority over other observable actions (i.e., if tick and a occur at the same time, tick will be always observed before a). With these assumptions, if action a is observed after the i-th and before the (i+1)-st tick, then the tester knows that a occurred at some time in the interval [n, n+1), for the case of a periodic digital-clock with one time unit period.

The digital-clock can be either periodic or not. Three possible tick-automata are shown in Fig. 12. The first models a perfectly periodic clock with period equal to 10 time units: in this case, the n-th tick occurs precisely at time 10n. The second automaton models a clock with "skew": in this case, the n-th tick may occur anywhere in the interval [9n, 11n]. The third automaton models a clock with "jitter": in this case, the n-th tick may occur anywhere in the interval [10n-1, 10n+1]. Notice that this automaton contains unobservable transitions (the ones with deadline eager).

The above examples show different models of digital clocks. How realistic the model of a digital clock is depends on the digital clock itself as well as the application. What we have aimed to show is that our framework allows the user to make this decision explicitly, instead of relying on implicit (and sometimes unrealistic) assumptions encoded in the framework.

We will assume that the tick-automata modeling digital clocks are *non-zero*, that is, that the clock does not stop ticking and that the clock "allows" time to progress. Formally, a tick-automaton Tick is zero, if there exists a time bound  $t_{max}$  and an infinite execution  $\sigma$  of Tick, such that for any positive integer n, time( $\sigma[n]$ ) <  $t_{max}$ , where  $\sigma[n]$  is defined to be the prefix of  $\sigma$  up to the n-th tick (if there are fewer than n ticks in  $\sigma$  then  $\sigma[n]$  is taken by definition to be the empty sequence). Otherwise Tick is said to be non-zero. From now on, we will assume that all tick-automata we consider are non-zero.

Validity conditions similar to those for analog-clock tests apply to digital-clock tests. A digital-clock test D defines a TIOLTS with states in  $(Act \cup \{tick\})^*$  and labels in  $Act \cup \{tick\}$ 



 $\{\text{tick}\} \cup \mathsf{R}.$  Given state  $\pi$ , if  $D(\pi) = \mathsf{Wait}$  then  $\pi$  has a self-loop transition labeled with t, for all  $t \in \mathsf{R}$ . The reason such transitions are missing from states such that  $D(\pi) = a \in \mathsf{Act}_\mathsf{in} \cup \{\mathsf{Pass}, \mathsf{Fail}\}$  is that we assume that the digital-clock test emits a immediately after the last event in  $\pi$  is observed.

# 4.2.1 Execution of a digital-clock test

The execution of a digital-clock test is defined by forming the parallel product of three TIOLTSs, namely, the ones of the test D, the implementation  $A_I$ , and the tick-automaton Tick. Tick implicitly synchronizes with  $A_I$  through time. Tick explicitly synchronizes with D on transitions labeled tick. The parallel product is built so that tick transitions have priority over other observable transitions. Thus, if s is a state of the product and  $s \stackrel{\text{tick}}{\rightarrow}$ , then s has no other outgoing transition. The definition of passes for digital-clock tests is as follows. Formally, we say that  $A_I$  passes the digital-clock test D with respect to digital clock Tick, denoted  $A_I$  passes (D, Tick), if state Fail is not reachable in the product  $A_I \| \text{Tick} \| D$ . In the same manner we have  $A_I$  fails (D, Tick) if Fail is reachable in  $A_I \| \text{Tick} \| D$ .

### 4.2.2 Correctness requirements

Given a set of digital-clock tests  $\mathcal D$  and a tick-automaton Tick,  $\mathcal D$  is said to be sound with respect to  $A_S$  and Tick if

$$\forall A_I : A_I \text{ tioco } A_S \Rightarrow A_I \text{ passes } \mathcal{D}.$$

We say that  $\mathcal{D}$  is complete with respect to  $A_S$  and Tick if

$$\forall A_I : A_I \text{ passes } \mathcal{D} \Rightarrow A_I \text{ tioco } A_S.$$

We say that a test D is strict with respect to  $A_S$  and Tick if

$$\forall A_I : A_I \text{ passes } D \Rightarrow A_I \| \text{Tick} \| D \text{ tioco } A_S \| \text{Tick.}$$

In this case for the relation conformance tioco between  $A_I \| \text{Tick} \| D$  and  $A_S \| \text{Tick}$ , the action tick must be considered as an output.

Digital-clock tests are not strict in general. This is expected, since the tester cannot distinguish between outputs being produced *exactly* at time 1 or, say, at time  $1+\epsilon$  before the next tick happens. If the output is b, in both cases the tester will observe tick b tick. Thus the faulty behavior gives the same digital-clock observation as the non-faulty one and the tester will announce Pass in both cases.

A weaker notion of strictness may be introduced for the case of digital-clock testing. It will be weaker in the sense that a digital-clock test cannot be as strict as an analog-clock one due to its limited observation capability. The formal definition of digital-clock strictness can be based on the use of an untimed conformance relation instead of tioco and the inclusion of the tick-automaton in the definition. Providing such a formal definition is beyond the scope of this paper.

### 5 Test Generation

We adapt the untimed test generation algorithm of [47]. Roughly speaking, the algorithm builds a test in the form of a tree. A node in the tree is a set of states S of the specification



**Fig. 13** Generic test-generation scheme



and represents the "knowledge" of the tester at the current test state. The algorithm extends the test by adding successors to a leaf node, as illustrated in Fig. 13. For all *illegal* outputs  $a_i$  (outputs which cannot occur from any state in S) the test leads to Fail. For each legal output  $b_i$ , the test proceeds to node  $S_i$ , which is the set of states the specification can be in after emitting  $b_i$  (and possibly performing unobservable actions). If there exists an input c which can be accepted by the specification at some state in S, then the test may decide to emit this input (dashed arrow from S to S'). At any node, the algorithm may decide to stop the test and label this node as Pass.

Two features of the above algorithm are worth noting. First, the algorithm is only partially specified. One may say the algorithm is "non-deterministic". Indeed, a number of decisions need to be made at each node: (1) whether to stop the test or continue, (2) whether to wait or emit an input if possible, (3) which input, in case there are many possible inputs. Some of these choices can be made according to user-defined parameters, such as the desired depth of the test. They can also be made randomly or systematically using some book-keeping, in order to generate a test suite, rather than a single test. We discuss this option in more detail in Sect. 6.

The second feature of the algorithm is that it implicitly *determinizes* the specification automaton. Indeed, building  $S_i$ ,  $S_j$  and so on corresponds to a classical *subset construction*. The latter can be performed either off-line, that is, before the test generation, or on-line, that is, during the test generation or even during the test execution. Test generation during test execution has been termed *on-the-fly* and is supported by the tool Torx [3].

#### 5.1 Generating analog-clock tests

Analog-clock tests cannot be directly represented as a finite tree, because there is an a-priori infinite set of possible observable delays at a given node. To remedy this, we use the idea of [49]. We represent an analog-clock test as an *algorithm*. The latter essentially performs subset construction on the specification automaton, during the execution of the test. Thus, our analog-clock testing method can be classified as on-the-fly or *on-line*, meaning that the test is generated at the same time it is executed.

More precisely, the tester will maintain a set of states S of the specification TAIO,  $A_S$ . S will be updated every time an action is observed or some time delay elapses. Since the time delay is not known a-priori, it must be an input to the update function. We define the following operators:

$$\mathsf{dsucc}(S, a) = \{ s' \mid \exists s \in S : s \xrightarrow{a} s' \}$$
 (21)

$$\operatorname{tsucc}(S, t) = \{ s' \mid \exists s \in S : \exists \rho \in \mathsf{RT}(\{\tau\}) : \operatorname{time}(\rho) = t \land s \xrightarrow{\rho} s' \} \tag{22}$$

where  $a \in Act$  and  $t \in R$ . dsucc(S, a) contains all states which can be reached by some state in S performing action a. tsucc(S, t) contains all states which can be reached by some state in S via a sequence  $\rho$  which contains no observable actions and takes exactly t time units. The two operators can be implemented using standard data structures for symbolic



representation of the state space and simple modifications of reachability algorithms for timed automata [49]. In fact the sets S are generally *dense* due to the continuous state-space of the clocks. The sets are represented *symbolically* using simple constraints on clocks. For instance, the constraint  $1 \le x \le 2 \land x = y$  represents the fact that clock x has some value within [1, 2] and clock y is equal to x. The constraints are implemented using a matrix data structure called DBM (*difference bound matrix*) [7, 24]. Computing successor nodes is also done symbolically, using a *bounded-time reachability analysis* for timed automata, as shown in [34, 49].

The test operates as follows. It starts at state  $S_0 = \operatorname{tsucc}(\{s_0^{A_S}\}, 0)$ . Given current state S, if output a is received t time units after entering S, then S is updated to  $\operatorname{dsucc}(\operatorname{tsucc}(S, t), a)$ . If no event is received until, say, 10 time units later, then the test can update its state to  $\operatorname{tsucc}(S, 10)$ . If ever the set S becomes empty, the test announces Fail. At any point, for an input b, if  $\operatorname{dsucc}(S, b) \neq \emptyset$ , the test may decide to emit b and update its state accordingly.

On-line analog-clock test generation is performed by Algorithm 1. The algorithm keeps running as long as no non-conformance is detected. At any time the tester can stop testing and declare Pass.

The algorithm uses the following notation. Given a nonempty set X, pick(X) chooses randomly an element in X. Given a set of states S, valid\_inputs(S) is defined as the set of valid inputs at S, that is:  $\{a \in Act_{in} | dsucc(tsucc(S, 0), a) \neq \emptyset\}$ .

Notice that for practical reasons, we assume that the SUT is a rational-delay TLTS and the clock x of Algorithm 1 ranges over rational values. Thus, it is possible to consider again the DBM structure for symbolic successor computation.

```
S \leftarrow \operatorname{tsucc}(\{s_0^{A_S}\}, 0);
   while(true)
 2
        x \leftarrow 0; /* x is a clock measuring elapsing time */
 3
        await(output b is received at x < T or x = T)
 4
        if (b received at x)
 5
           S \leftarrow \mathsf{dsucc}(\mathsf{tsucc}(S, x), b);
 6
 7
        else
           S \leftarrow \mathsf{tsucc}(S, T);
 8
        endif:
 9
        \mathbf{if}(S = \emptyset)
10
11
           announce Fail;
12
           exit:
13
        endif:
        if (valid_inputs(S) \neq \emptyset)
14
15
           i \leftarrow \mathsf{pick}(\{0,1\}); /* 0 to send an input and 1 to continue observation */
        endif:
16
        \mathbf{if}(i=0)
17
           a \leftarrow \mathsf{pick}(\mathsf{valid\_inputs}(S));
18
           S \leftarrow \mathsf{dsucc}(S, a);
19
        endif;
20
     endwhile:
```

**Algorithm 1**: On-the-fly analog-clock test generation



5.1.1 Soundness, strictness and completeness of analog-clock test generation

Next we prove that Algorithm 1 is sound.

**Proposition 10** If verdict Fail is observed while executing Algorithm 1, then  $A_I$  tioco  $A_S$ .

*Proof* Let  $\sigma = a_0 a_1 \cdots a_n \in \mathsf{RT}(Act)$  the trace corresponding to the interaction between the tester and  $A_I$  from the starting of the algorithm until the announcement of Fail. Let  $\sigma_{n-1} = a_0 a_1 \cdots a_{n-1}$ . According to the algorithm,  $a_n \in \mathsf{R} \cup \mathsf{Act}_\mathsf{out}$ . Thus,  $\mathsf{out}(A_I \mathsf{after}\,\sigma_{n-1}) \neq \emptyset$ . It contains at least  $a_n$ . Since Fail is declared,  $\mathsf{out}(A_S \mathsf{after}\,\sigma_{n-1}) = \emptyset$ . Hence,  $\mathsf{out}(A_I \mathsf{after}\,\sigma_{n-1}) \not\subseteq \mathsf{out}(A_S \mathsf{after}\,\sigma_{n-1})$  and  $A_I \mathsf{tieco}(A_S)$ .

We prove that Algorithm 1 is strict too.

**Proposition 11** Let  $A_I$  be a possible implementation and T a test generated by Algorithm 1:

$$A_I || T \text{ tieco } A_S \Rightarrow A_I \text{ Fail } T.$$

*Proof* Since Algorithm 1 works online, T is a simple trace  $\sigma = a_0 a_1 \cdots a_n \in \mathsf{RT}(Act)$ . Since,  $A_I || T$  there exists a prefix  $\sigma' = a_0 a_1 \cdots a_k$  of  $\sigma$  such that  $a_{k+1} \in \mathsf{out}(A_I || T$  after  $\sigma'$ ) and  $a_{k+1} \notin \mathsf{out}(A_S$  after  $\sigma'$ ). Thus,  $(A_S$  after  $a_0 a_1 \cdots a_{k+1}) = \emptyset$ . Then by Algorithm 1, the execution of  $a_0 a_1 \cdots a_{k+1}$  must lead to verdict Fail and we are done.  $\square$ 

Algorithm 1 is parameterized with the time elapse T. Thus, the tester waits at most T time units before announcing that the timeout occurs if this duration is not accepted by the specification.

Furthermore, Algorithm 1 is "complete" in the sense that, for any non-conforming implementation given as a rational TLTS  $A_I$ , there exists an execution of the algorithm that detects non-conformance of this implementation.

**Proposition 12** Let  $A_I$  be a rational-delay TLTS. If  $A_I$  tieco  $A_S$  then there exists an execution of Algorithm 1 that announces Fail.

**Proof** If  $A_I$  tieco  $A_S$  then there exists  $\sigma \in (Q \cup Act)^* \cap ObsTTraces(A_S)$  and  $a \in Q \cup Act_{out}$  such that  $a \in out(A_I \operatorname{after} \sigma)$  and  $a \notin out(A_S \operatorname{after} \sigma)$ . Since  $out(A_I \operatorname{after} \sigma) \neq \emptyset$ ,  $\sigma \in ObsTTraces(A_I)$  as well. By induction on the length of  $\sigma$ , it is easy to show that the tester and  $A_I$  may interact together to produce  $\sigma$ . We assume  $\sigma = a_0a_1 \cdots a_n$ . For  $i = 1, \ldots, n$ :

- If a<sub>i</sub> ∈ Q, the algorithm will force pick() to choose this duration. Since a<sub>i</sub> is accepted by both A<sub>S</sub> and A<sub>I</sub>, the tester continues running the algorithm and does not announce Fail.
- If  $a_i \in Act_{in}$ , since  $a_i$  is accepted by  $A_S$  the algorithm will detect that valid\_inputs $(S) \neq \emptyset$  and will force the tester to send immediately  $a_i$  to  $A_I$ .
- If  $a_i \in \mathsf{Act}_\mathsf{out}$ , the algorithm decides to wait until  $A_I$  generates an output. Since  $a_i$  is accepted by  $A_I$ , the implementation will output  $a_i$ . The tester receives it immediately and does not announce Fail since  $a_i$  is accepted by  $A_S$  as well.

After generating  $\sigma$ , the tester will wait for an output to be generated by the implementation. If  $a \in Q$ , the tester calculates  $S' = \mathsf{tsucc}(S, a)$ , where S is the current estimation of the tester. If  $a \in \mathsf{Act}_{\mathsf{out}}$ , it calculates  $S' = \mathsf{dsucc}(S, a)$ . In both cases  $S' = \emptyset$  since  $a \notin \mathsf{out}(A_S \mathsf{after}\,\sigma)$ . Thus, the tester announces immediately Fail and the non-conformance is detected.



# 5.2 Generating digital-clock tests

The conformance relation tioco is "ideal" in the sense that it captures non-conformance of a SUT at an infinite-precision time-measuring level. For instance in the case of one-time-unit periodic digital-clock, if the guard  $1 \le x \le 5$  of SUT  $Impl_3$  of Fig. 3 was replaced by  $1.9 \le x \le 5$  then  $Impl_3$  would still be non-conforming. In fact, the same would be true if the guard was replaced by  $2 - \epsilon \le x \le 5$ , for any  $\epsilon > 0$ . It is reasonable to define tioco in such an "ideal" way, since we do not want conformance to depend on implementation details such as tester equipment. On the other hand, the tester's time-observation capabilities are limited in practice: testers only dispose of a finite-precision digital clock (a counter) and cannot distinguish among observations which elude their clock precision. Our framework takes this limitation into account. First, we allow the user to explicitly model the assumptions on the tester's digital clock. Second, we generate tests with respect to this model.

Since its set of observable events is finite (Act  $\cup$  {tick}), a digital-clock test can be represented as a finite tree. In this case, we can decide whether to generate tests on-line or off-line. This is a matter of a space/time trade-off. The on-line method does not require space to store the generated tests. On the other hand, a test computed on-line has a longer reaction time than a test which has been computed off-line, because the former takes more time to compute the next state of the test. Independently of which option we choose, we proceed as follows.

We first form the product  $A_S^{\mathsf{Tick}} = A_S \| \mathsf{Tick}$ . The extended specification  $A_S^{\mathsf{Tick}}$  may also include other automata to model environment assumptions, interface delays, etc., as shown previously. This yields a new TAIO which has as inputs the inputs of  $A_S$  and as outputs the outputs of  $A_S$  plus the new output tick of Tick. Notice that  $A_S$  and Tick do not synchronize on any discrete transitions, they only synchronize in time (time elapses at the same rate for both). We define the set of *observable discrete traces* of  $A_S$  with respect to Tick to be:

$$\mathsf{ObsDTraces}(A_{\mathsf{S}}^{\mathsf{Tick}}) = \{\mathsf{DP}_{\mathsf{Act}\cup\{\mathsf{tick}\}}(\beta) \mid \beta \in \mathsf{ObsTTraces}(A_{\mathsf{S}}^{\mathsf{Tick}})\}. \tag{23}$$

For example, for the 10 time-unit periodic tick-automaton of Fig. 12, if the timed trace of the specification is  $\sigma = a \, 11 \, b \, 9 \, c \, 10 \in \mathsf{ObsTTraces}(A_S)$ , then the observable trace of the product  $A_S^{\mathsf{Tick}}$  will be  $\beta = a \, 10 \, \mathsf{tick} \, 10 \, \mathsf{tick} \, c \, 10 \, \mathsf{tick} \, \in \mathsf{ObsTTraces}(A_S^{\mathsf{Tick}})$ , and the observable discrete trace will be  $\lambda = a \, \mathsf{tick} \, b \, \mathsf{tick} \, c \, \mathsf{tick} \, \in \mathsf{ObsDTraces}(A_S^{\mathsf{Tick}})$ . Notice that, as mentioned in Sect. 4.2.1, the product  $A_S^{\mathsf{Tick}}$  is defined so that tick transitions have priority over other observable transitions. Thus, tick is observed before c in the above example.

The observable discrete trace  $\lambda$  is said to be a possible digitization of  $\sigma$  with respect to Tick. If the tick-automaton is not deterministic a given timed-trace  $\sigma \in \mathsf{RT}(\mathsf{Act})$  may have more than one digitization with respect to Tick. Let  $\mathsf{Act}_\mathsf{tick} = \mathsf{Act} \cup \{\mathsf{tick}\}$  and  $A_\mathsf{Act}$  denote the TAIO that can generate all real-time sequences in  $\mathsf{RT}(\mathsf{Act})$ . This can be modeled simply as a TAIO without any clocks, a single control state, and self-loop transitions labeled with each action in  $\mathsf{Act}$ . Recall that  $A_\mathsf{Act}^\mathsf{Tick} = A_\mathsf{Act} \| \mathsf{Tick}$ . The set of possible digitizations of  $\sigma$  with respect to Tick is defined as follows.

$$\mathsf{Digitizations}_{\mathsf{Tick}}(\sigma) = \{\mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\beta) \mid \beta \in \mathsf{ObsTTraces}(A_{\mathsf{Act}}^{\mathsf{Tick}}) \land \sigma = \mathsf{P}_{\mathsf{Act}}(\beta)\}. \tag{24}$$

We also define the following operator on  $A_S^{\text{Tick}}$ :

$$usucc(S) = \{s' \mid \exists s \in S : \exists \rho \in \mathsf{RT}(\{\tau\}) : s \xrightarrow{\rho} s'\}. \tag{25}$$



usucc(S) contains all states which can be reached by some state in S via a sequence  $\rho$  which contains no observable actions. Notice that, by construction of  $A_S^{\mathsf{Tick}}$ , the duration of  $\rho$  is bounded: since tick is observable and has to occur after a bounded duration.

Finally, we apply the generic test-generation scheme presented above. The root of the test tree is defined to be  $S_0 = \{s_0^{A_0^{\rm Fick}}\}$ . Successors of a node S are computed as follows. For each  $a \in \mathsf{Act}_{\mathsf{out}} \cup \{\mathsf{tick}\}$ , there is an edge  $S \overset{a}{\to} S'$  with  $S' = \mathsf{dsucc}(\mathsf{usucc}(S), a)$ , provided  $S' \neq \emptyset$ , otherwise there is an edge  $S \overset{a}{\to} \mathsf{Fail}$ . For this first possible choice, the node S is said to be an *output node*. If there exists  $b \in \mathsf{Act}_{\mathsf{in}}$  such that  $S'' = \mathsf{dsucc}(\mathsf{tsucc}(S, 0), b) \neq \emptyset$ , then the test generation algorithm may decide to emit S and S and S and S are computed. The reason is that the tester is assumed to emit an input S immediately upon entering S. Thus, S'' should only contain the immediate successors of S by S.

Off-line digital-clock test generation is performed by Algorithm 2. We use the same notation as in Algorithm 1. D denotes the digital-clock test the algorithm generates. It is worth noticing that Algorithm 2 may produce a test tree of infinite depth. To avoid this we can force the test generator to go to "case(i = 2)" when the depth of the test becomes too big. The choices "case(i = 0)" and "case(i = 1)" correspond to the possibilities of considering the current node S as an output or an input node, respectively.

```
1
      D \leftarrow the one-node tree with root S;
 2
 3
      while(true)
          foreach(leaf S of D distinct from Pass and Fail)
 4
             if (valid_inputs(S) \neq \emptyset)
 5
                i \leftarrow \mathsf{pick}(\{0, 1, 2\});
 6
             else i \leftarrow pick(\{1, 2\});
 7
             endif;
 8
             case(i = 0):
                b \leftarrow \mathsf{pick}(\mathsf{valid\_inputs}(S));
10
                S' \leftarrow \mathsf{dsucc}(\mathsf{tsucc}(S, 0), b);
11
                append edge S \xrightarrow{b} S' to D;
12
             case(i = 1):
13
14
                foreach(a \in Act_{out} \cup \{tick\})
                   S' \leftarrow \mathsf{dsucc}(\mathsf{usucc}(S), a);
15
                   if (S' \neq \emptyset)
16
                      append edge S \xrightarrow{a} S' to D;
17
                   else append edge S \stackrel{a}{\longrightarrow} Fail to D;
18
                   endif;
19
                endforeach;
20
             case(i = 2): replace S with Pass in D;
21
          endforeach;
22
      endwhile:
23
```

**Algorithm 2**: Off-line digital-clock test generation





**Fig. 14** A digital-clock test (*top*) and two alternative representations (*bottom*)

It is not difficult to see that Algorithm 2 can be transformed in a straightforward way to an on-line digital-clock test generation algorithm. In that case, there will be no longer any need for storing the considered test. The tester will observe the outputs generated by the SUT and the tick-actions generated by the digital clock. From time to time, the tester will decide to send inputs to the SUT. The choices of the tester are made non-deterministically. As soon as the tester reaches an empty set, it will announce Fail and stop testing.

#### 5.2.1 Soundness of digital-clock test generation

Now, we prove that Algorithm 2 generates only sound tests.

**Proposition 13** Let D be a test generated by Algorithm 2 with respect to  $A_S$  and Tick. For any TAIO  $A_I$ , if  $A_I$  fails (D, Tick) then  $A_I$  tioco  $A_S$ .

Proof Let  $\sigma = a_0 a_1 \cdots a_n \in (\mathsf{Act} \cup \{\mathsf{tick}\})^*$  the trace corresponding to the interaction between the tester and  $A_I$  from the starting of D until the announcement of Fail. Let  $\sigma_{n-1} = a_0 \cdots a_{n-1}$ . According to the algorithm  $a_n \in \mathsf{Act}_\mathsf{out} \cup \{\mathsf{tick}\}$ . Since no Fail is announced during the occurrence of  $\sigma_{n-1}$ , the set S of possible reachable states after executing  $\sigma_{n-1}$  is non-empty. However since the execution of  $a_n$  leads to Fail,  $S' = \mathsf{dsucc}(\mathsf{usucc}(S), a) = \emptyset$ . Moreover since the interaction between the tester and  $A_I$  is instantaneous, there exists  $\lambda \in \mathsf{ObsTTraces}(A_I)$  such that  $\sigma_{n-1}$  is a digitization of  $\lambda$  with respect to Tick. Two cases are possible:

- λ ∈ ObsTTraces(A<sub>S</sub>): After the execution of λ a time delay t will elapse before a<sub>n</sub> is observed.
  - If  $t \notin \text{out}(A_S \text{ after } \lambda)$ : Since  $t \in \text{out}(A_I \text{ after } \lambda)$ , we deduce that  $A_I \text{ tioco } A_S$ .
  - If  $t \in \text{out}(A_S \text{ after } \lambda)$ :  $a_n = \text{tick can not be true since: } (1)$  tick is the action with the highest priority and (2) if tick occurred in  $A_I || \text{Tick after } t$  elapses then it will do so in  $A_S || \text{Tick as well.}$  The latter will be a contradiction with  $S' = \emptyset$ . Thus,  $a_n \in \text{Act}_{\text{out}}$ . Then for the trace  $\lambda t$ , we have  $a_n \in \text{out}(A_I \text{ after } \lambda t)$ .  $S' = \emptyset$  implies that  $a_n \notin \text{out}(A_S \text{ after } \lambda t)$ . Hence,  $A_I \text{ tieco} A_S$ .



Fig. 15 Illustration of tick-robustness:  $A_S$  is Tick'-robust but not Tick-robust



•  $\lambda \notin \mathsf{ObsTTraces}(A_S)$ : Let  $\lambda' \in \mathsf{RT}(\mathsf{Act})$  and  $b \in \mathsf{Act} \cup \mathsf{R}$  such that  $\lambda'b$  is a prefix of  $\lambda$ ,  $\lambda' \in \mathsf{ObsTTraces}(A_S)$  and  $\lambda'b \notin \mathsf{ObsTTraces}(A_S)$ . If  $b \in \mathsf{Act}_{\mathsf{in}}$ , that will be a contradiction with the fact that Algorithm 2 chooses only valid input-actions (i.e., actions which are in valid\_inputs()). Thus,  $b \in \mathsf{Act}_{\mathsf{out}} \cup \mathsf{R}$  and we are done.

# 5.2.2 Tick-robustness and completeness of digital-clock test generation

Algorithm 2 is not complete in general. This is due to the imprecision of digital-clocks. For example, consider a periodic tick-automaton with period 2 time units (that is, ticks are generated at times  $0, 2, 4, \ldots$ ). Suppose the specification states that output a should be emitted no later than time 3. A tester that observes ticktick a must accept the sequence as conforming, since a may have been emitted anywhere in the interval [2, 4]. Thus, it might have been emitted before time 3, and in order for the tester to be sound, it must not announce Fail. Of course, this means that a non-conforming implementation that emits a at time 3.5 would remain undetected.

We can prove some type of completeness result, using additional assumptions. For this, we introduce the notion of *tick-robustness*. For a given tick-automaton Tick, a given TAIO  $A_S$  over Act is said to be robust with respect to Tick, or Tick-*robust*, if and only if it satisfies the following closure property: for any trace  $\sigma \in \mathsf{ObsTTraces}(A_S \| \mathsf{Tick})$  and any trace  $\sigma' \in \mathsf{ObsTTraces}(A_{\mathsf{Act}} \| \mathsf{Tick})$ , the following condition holds:

$$\mathsf{DP}_{\mathsf{Act} \cup \{\mathsf{tick}\}}(\sigma') = \mathsf{DP}_{\mathsf{Act} \cup \{\mathsf{tick}\}}(\sigma) \ \Rightarrow \ \sigma' \in \mathsf{ObsTTraces}(A_S \| \mathsf{Tick}).$$

The notion of tick-robustness is illustrated in Fig. 15. Assuming  $Act = \{b!\}$ , and setting:

$$\sigma = 2$$
 tick! 1  $b$ !

and

$$\sigma' = 2$$
 tick! b!

we have a counter-example to  $A_S$  being Tick-robust.

On the other hand, we can prove that  $A_S$  is Tick'-robust. For the given  $A_S$ , any  $\sigma \in \text{ObsTTraces}(A_S || \text{Tick'})$  is a prefix of:

3 tick! 
$$\delta_1 b! \delta_2$$
 tick! 3 tick! ...

where  $\delta_1 \in [0, 3), \delta_2 \in (0, 3]$  and  $\delta_1 + \delta_2 = 3$ . Therefore,  $\mathsf{DP}_{\mathsf{Act} \cup \{\mathsf{tick}\}}(\sigma)$  is a prefix of

tick! 
$$b!$$
 tick! tick! ...



Consider some  $\sigma' \in \mathsf{ObsTTraces}(A_{\{b!\}} || \mathsf{Tick}')$  such that  $\mathsf{DP}_{\mathsf{Act} \cup \{\mathsf{tick}\}}(\sigma') = \mathsf{DP}_{\mathsf{Act} \cup \{\mathsf{tick}\}}(\sigma)$ . Then,  $\sigma'$  must be a prefix of

3 tick! 
$$\delta'_1$$
  $b!$   $\delta'_2$  tick! 3 tick!  $\cdots$ 

where  $\delta_1' \in [0, 3)$ ,  $\delta_2' \in (0, 3]$  and  $\delta_1' + \delta_2' = 3$ . This implies that  $\sigma' \in \mathsf{ObsTTraces}(A_S || \mathsf{Tick'})$ . The following is a property of tick-robustness.

**Lemma 8** Let Tick and Tick' be two tick-automata such that ObsTTraces(Tick')  $\subseteq$  ObsTTraces(Tick). For any TAIO  $A_S$ , if  $A_S$  is Tick-robust then it is also Tick'-robust.

*Proof* Follows from the definition of tick-robustness and the fact that ObsTTraces(Tick') ⊆ ObsTTraces(Tick) implies ObsTTraces( $A_S \parallel \text{Tick'}$ ) ⊆ ObsTTraces( $A_S \parallel \text{Tick}$ ) and ObsTTraces( $A_{\text{Act}} \parallel \text{Tick'}$ ) ⊆ ObsTTraces( $A_{\text{Act}} \parallel \text{Tick}$ ).

We will next show that Algorithm 2 is complete for Tick-robust specifications. We first need the following technical results.

**Lemma 9** Consider a tick-automaton Tick and a TAIO  $A_S$  which is Tick-robust. For  $\sigma \in \mathsf{ObsTTraces}(A_S)$ ,  $\lambda \in \mathsf{Digitizations}_{\mathsf{Tick}}(\sigma)$  and  $a \in \mathsf{Act}_{\mathsf{out}}$ :

$$\sigma a \notin \mathsf{ObsTTraces}(A_S) \Rightarrow \lambda a \notin \mathsf{ObsDTraces}(A_S^\mathsf{Tick}).$$

Proof We prove the result by contradiction. Recall that Act<sub>tick</sub> = Act ∪ {tick}. Assume  $\lambda a \in \text{ObsDTraces}(A_S^{\mathsf{Tick}})$ . There exists  $\beta' \in \mathsf{RT}(\mathsf{Act}_{\mathsf{tick}})$  such that  $\mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\beta'a) = \lambda a$  and  $\beta'a \in \mathsf{ObsTTraces}(A_S^{\mathsf{Tick}})$ . Let  $\beta \in \mathsf{ObsTTraces}(A_S^{\mathsf{Tick}})$  such that  $\mathsf{P}_{\mathsf{Act}}(\beta) = \sigma$  and  $\mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\beta) = \lambda$ . Since  $\sigma a \not\in \mathsf{ObsTTraces}(A_S)$ , we have  $\beta a \not\in \mathsf{ObsTTraces}(A_S^{\mathsf{Tick}})$ . However,  $\beta a \in \mathsf{ObsTTraces}(A_{\mathsf{Act}}^{\mathsf{Tick}})$ . Thus, we deduce that  $\beta a \in \mathsf{ObsTTraces}(A_{\mathsf{Act}}^{\mathsf{Tick}}) \setminus \mathsf{ObsTTraces}(A_S^{\mathsf{Tick}})$ ,  $\beta'a \in \mathsf{ObsTTraces}(A_S^{\mathsf{Tick}})$  and  $\mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\beta a) = \mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\beta'a) = \lambda a$ . This contradicts the hypothesis that  $A_S$  is Tick-robust.

**Lemma 10** Consider a tick-automaton Tick and a TAIO  $A_S$  which is Tick-robust. For  $\sigma \in \mathsf{ObsTTraces}(A_S)$ ,  $\lambda \in \mathsf{Digitizations}_{\mathsf{Tick}}(\sigma)$  and  $t \in \mathsf{R} \setminus \{0\}$ :

$$\sigma t \notin \mathsf{ObsTTraces}(A_S) \Rightarrow \exists n \in \mathsf{N} \setminus \{0\} : \lambda \mathsf{tick}^n \notin \mathsf{ObsDTraces}(A_S^{\mathsf{Tick}}).$$

Proof Let  $\beta \in \mathsf{ObsTTraces}(A_S^{\mathsf{Tick}})$  such that  $\mathsf{P}_{\mathsf{Act}}(\beta) = \sigma$  and  $\mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\beta) = \lambda$ . Since Tick is non-zeno, there exist  $\beta' \in \mathsf{RT}(\mathsf{Act}_{\mathsf{tick}})$  and t' > t such that  $\beta\beta'$  tick  $\in \mathsf{ObsTTraces}(A_{\mathsf{Act}}^{\mathsf{Tick}})$  and  $\mathsf{P}_{\mathsf{Act}}(\beta\beta'\mathsf{tick}) = \sigma t'$ . Thus, we deduce that there exists  $n \geq 1$  such that  $\mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\beta\beta'\mathsf{tick}) = \lambda \mathsf{tick}^n$ . Assume  $\lambda \mathsf{tick}^n \in \mathsf{ObsDTraces}(A_S^{\mathsf{Tick}})$ . There exists  $\beta'' \in \mathsf{RT}(\mathsf{Act}_{\mathsf{tick}})$  such that  $\mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\beta'') = \lambda \mathsf{tick}^n$  and  $\beta'' \in \mathsf{ObsTTraces}(A_S^{\mathsf{Tick}})$ . Thus  $\beta\beta'\mathsf{tick} \in \mathsf{ObsTTraces}(A_{\mathsf{Act}}^{\mathsf{Tick}}) \setminus \mathsf{ObsTTraces}(A_{\mathsf{Act}}^{\mathsf{Tick}})$  and  $\mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\beta\beta'\mathsf{tick}) = \mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\beta'') = \lambda \mathsf{tick}^n$ . This contradicts the hypothesis that  $A_S$  is Tick-robust.

We are now ready to prove our completeness result.

**Proposition 14** Consider a tick-automaton Tick and a TAIO  $A_S$  (the specification). If  $A_S$  is Tick-robust, then for any implementation  $A_I$  such that  $A_I ext{tiecco} A_S$ , there exists a test D generated by Algorithm 2 with respect to  $A_S$  and Tick, such that  $A_I$  fails (D, Tick).



*Proof* Let  $\sigma \in \mathsf{ObsTTraces}(A_S)$  and  $a \in \mathsf{Act}_\mathsf{out} \cup \mathsf{R}$  such that  $a \in \mathsf{out}(A_I \mathsf{after}\,\sigma)$  and  $a \not\in \mathsf{out}(A_S \mathsf{after}\,\sigma)$ . Let  $\lambda = b_0 \cdots b_N \in \mathsf{Digitizations}_\mathsf{Tick}(\sigma)$  be a digitization of  $\sigma$  with respect to Tick. We apply Algorithm 2 to generate a test-tree D which contains the trace  $\lambda$ . For each  $b_k$ , we apply "case(i = 0)" of Algorithm 2 if  $b_k \in \mathsf{Act}_\mathsf{in}$  and "case(i = 1)" if  $b_k \in \mathsf{Act}_\mathsf{out} \cup \{\mathsf{tick}\}$ . Since  $\sigma \in \mathsf{ObsTTraces}(A_S)$  and  $\lambda$  is a digitization of  $\sigma$ ,  $\lambda \in \mathsf{ObsDTraces}(A_S^\mathsf{Tick})$  and no Fail is generated while following  $\lambda$ . We extend D by applying "case(i = 1)". Two cases are then possible:

- $a \in \mathsf{Act}_\mathsf{out}$ :  $\sigma a \notin \mathsf{ObsTTraces}(A_S)$  and the specification  $A_S$  is Tick-robust implies, by Lemma 9, that  $\lambda a \notin \mathsf{ObsDTraces}(A_S^\mathsf{Tick})$ . Thus, a is appended to  $\lambda$  and it leads to Fail.
- $a \in \mathbb{R}$ :  $\sigma a \notin \mathsf{ObsTTraces}(A_S)$  and  $A_S$  is Tick-robust implies, by Lemma 10, that there exists a positive integer n such that  $\lambda \operatorname{tick}^n \notin \mathsf{ObsDTraces}(A_S^\mathsf{Tick})$ . Thus, the sequence  $\operatorname{tick}^n$  is appended<sup>8</sup> to  $\lambda$  and it leads to Fail.

It remains to show that the non-conformance is detected by the test D generated as stated above, that is, that the Fail state of D is reachable in the product  $A_I \| \text{Tick} \| D$ . Since  $a \in \text{out}(A_I \text{after}\sigma)$ , we have  $\sigma a \in \text{ObsTTraces}(A_I)$ . Moreover, from the above, the behavior  $\sigma a$ , when interleaved with some behavior of Tick, yields the discrete projection  $\lambda a$ , in case  $a \in \text{Act}_{\text{out}}$ , or  $\lambda \text{ tick}^n$ , in case  $a \in \text{R}$ . In both cases, by observing the corresponding discrete sequence test D reaches state Fail.

#### 5.2.3 Tick-robustness and digitizability

Our notion of tick-robustness is inspired from the notion of *digitizability* introduced and studied in [28], and used in a testing context in [38]. In this section, we relate tick-robustness and digitizability. The results of this section are not directly aimed at testing. They are provided in order to better comprehend the notions of tick-robustness and digitizability. Tick-robustness, of course, *is* important for digital-clock testing, as Proposition 14 shows.

We briefly recall digitizability. For a thorough discussion, see [28]. First, note that a real-time sequence

$$\delta_1 a_1 \delta_2 a_2 \cdots$$

can be written in an equivalent form with absolute timestamps:

$$(a_1, t_1)(a_2, t_2) \cdots$$

where  $t_k = \sum_{i=1,...,k} \delta_i$ .

Then, let ART(Act) be the set of all real-time sequences with absolute timestamps over the set of actions Act. Let U be a set of such sequences, that is,  $U \subseteq \mathsf{ART}(\mathsf{Act})$ . U is said to be digitizable iff the following condition holds:

$$\forall \rho \in \mathsf{ART}(\mathsf{Act}) : \rho \in U \iff [\rho] \subseteq U$$

where  $[\rho]$  is defined as follows:

$$[\rho] = \{ [\rho]_{\epsilon} | 0 \le \epsilon < 1 \}$$

<sup>&</sup>lt;sup>9</sup>[28] use an infinite sequence framework, but we can adapt their definition to our finite-length sequences in a direct way.



<sup>&</sup>lt;sup>8</sup>The sequence tick<sup>n</sup> is obtained by the concatenation of n consecutive ticks. In this case, "case(i = 1)" is applied n times consecutively.

**Fig. 16** Tick-automata Tick<sub>1</sub> and Tick<sub>2</sub>



and if  $\rho = (a_1, t_1)(a_2, t_2) \cdots$  then

$$[\rho]_{\epsilon} = (a_1, [t_1]_{\epsilon})(a_2, [t_2]_{\epsilon}) \cdots$$

with  $[t_i]_{\epsilon} = \lfloor t_i \rfloor$  if  $t_i \leq \lfloor t_i \rfloor + \epsilon$ , otherwise  $[t_i]_{\epsilon} = \lceil t_i \rceil$ .

Intuitively,  $[\rho]_{\epsilon}$  denotes the sequence corresponding to what is observed if  $\rho$  happens but the observer only counts time with a digital clock ticking at times  $\epsilon + k$ , for  $k = 0, 1, 2, \ldots$ . Then  $[\rho]$  is the set of all observations, for any initial phase of the digital clock,  $0 \le \epsilon < 1$ . For example, if  $\rho = (a, 0.2)(b, 1.9)$  then  $[\rho]_0 = (a, 1)(b, 2)$  and  $[\rho]_{0.5} = (a, 0)(b, 2)$ .

Now, consider the two tick-automata Tick<sub>1</sub> and Tick<sub>2</sub> shown in Fig. 16. Tick<sub>1</sub> produces a tick at times 0, 1, 2, ..., while Tick<sub>2</sub> produces its first tick at some time  $t \in [0, 1)$  and then subsequent ticks at t + 1, t + 2, ... Observe that ObsTTraces(Tick<sub>1</sub>)  $\subset$  ObsTTraces(Tick<sub>2</sub>).

One may expect that digitizability is related to tick-robustness with respect to one of these tick-automata. The following lemmas examine such possible relations.

## **Lemma 11** *Digitizability does not imply* Tick<sub>1</sub>-robustness, neither Tick<sub>2</sub>-robustness.

*Proof* Consider the set U containing all prefixes of  $\rho = (a,0)(a,1)(a,2)\cdots U$  can be seen as the set of observable real-time sequences of a TAIO  $A_U$  over  $\{a\}$ , which repeatedly emits output a at times  $1,2,\ldots$ . It can be seen that U is digitizable. Indeed, for the above  $\rho$ , we have  $[\rho]_{\epsilon} = \rho$ , for any  $0 \le \epsilon < 1$ . Thus  $[\rho] = \{\rho\}$  and U is digitizable. On the other hand,  $A_U$  is not Tick<sub>1</sub>-robust (thus, by Lemma 8,  $A_U$  is not Tick<sub>2</sub>-robust either). To see this, it suffices to consider  $\sigma = a \ 1 \ a = (a,0)(a,1)$  and  $\sigma' = 0.1 \ a \ 1 \ a = (a,0.1)(a,1.1)$ . The discrete projections of both  $\sigma$  and  $\sigma'$  with respect to Tick<sub>1</sub> are the same: tick a tick a. But  $\sigma \in U$  and  $\sigma' \notin U$ .

#### **Lemma 12** Tick<sub>1</sub>-robustness does not imply digitizability.

*Proof* Consider the set W consisting of all prefixes of  $\rho^t = (a,t)$ , for all  $0 \le t < 1$ . W can be seen as the set of observable real-time sequences of a TAIO  $A_W$  over  $\{a\}$ , which emits a only once, at some time  $t \in [0,1)$ . First we show that  $A_W$  is Tick<sub>1</sub>-robust. Let  $\sigma \in \mathsf{ObsTTraces}(A_W \| \mathsf{Tick_1})$  and  $\sigma' \in \mathsf{ObsTTraces}(A_{\mathsf{Act}} \| \mathsf{Tick_1})$ , such that  $\mathsf{DP}_{\{a,\mathsf{tick}\}}(\sigma) = \mathsf{DP}_{\{a,\mathsf{tick}\}}(\sigma')$ . From the structure of W and  $\mathsf{Tick_1}$ , the first tick occurs at time 0, and a occurs after that, in the interval [0,1). From the hypothesis  $\mathsf{DP}_{\{a,\mathsf{tick}\}}(\sigma) = \mathsf{DP}_{\{a,\mathsf{tick}\}}(\sigma')$ , it



follows that  $\mathsf{DP}_{\{a,\mathsf{tick}\}}(\sigma') = \mathsf{tick}\,a$ . Thus, a occurs in the interval [0,1) in  $\sigma'$ , which implies  $\sigma' \in \mathsf{ObsTTraces}(A_W \| \mathsf{Tick}_1)$ . Thus,  $A_W$  is  $\mathsf{Tick}_1$ -robust. But W is not digitizable, since  $(a,1) \notin W$ , although  $(a,1) = [(a,0.7)]_0$ .

In what follows, we show that Tick<sub>2</sub>-robustness is a sufficient condition for digitizability. Notice, however, that Tick<sub>2</sub>-robustness is a very strict condition, which holds essentially only on untimed specifications (see following corollaries). In what follows we allow ourselves the convenience to "mix" freely real-time sequences with real-time sequences with absolute timestamps, since there is a bijection between the two representations.

It is also convenient, for the proofs that follow, to extend the notion of parallel composition to timed traces. Let  $\sigma \in \mathsf{ObsTTraces}(A_{\mathsf{Act}})$  and  $\gamma \in \mathsf{RT}(\{\mathsf{tick}\})$  such that  $\mathsf{time}(\sigma) = \mathsf{time}(\gamma)$ . The trace  $\sigma \| \gamma$  is obtained by making the parallel product of the two traces  $\sigma$  and  $\gamma$  giving priority to tick over actions in Act as for TIOLTS. The trace  $\sigma \| \gamma$  is called the *parallel composition* of  $\sigma$  and  $\gamma$ . We have  $\mathsf{time}(\sigma \| \gamma) = \mathsf{time}(\sigma) = \mathsf{time}(\gamma)$ .

**Lemma 13** Let  $A_S$  be a TAIO which is non-blocking and Tick<sub>2</sub>-robust,  $\sigma \in \mathsf{RT}(\mathsf{Act})$ ,  $\lambda \in \mathsf{Act}^*$  and  $t \in \mathsf{R}$ . If  $\sigma t \lambda \in \mathsf{ObsTTraces}(A_S)$  then:

$$\sigma t' \lambda \in \mathsf{ObsTTraces}(A_S)$$
 for all  $t' \in \mathsf{R} \cap (t - 0.5, t + 0.5]$ .

*Proof* Let  $t' \in \mathbb{R} \cap (t-0.5,t+0.5]$ . Let  $\Delta = \mathsf{time}(\sigma) + t + 0.5$  and let  $\gamma$  be the behavior of Tick<sub>2</sub> which produces a tick at  $\Delta$  and such that  $\mathsf{time}(\gamma) = \Delta$ . Since  $A_S$  is non-blocking, there exists  $\sigma' \in \mathsf{RT}(\mathsf{Act})$  such that  $\sigma_1 = \sigma \, t \, \lambda \, \sigma' \in \mathsf{ObsTTraces}(A_S)$  and  $\mathsf{time}(\sigma') = 0.5$ . Let  $\lambda' = \mathsf{DP}_{\mathsf{Act}}(\sigma')$  and  $\sigma_2 = \sigma \, t' \, \lambda \, \lambda' \, \delta$ . Thus,  $\mathsf{time}(\sigma_1) = \mathsf{time}(\sigma_2) = \Delta$ . Consider the two traces  $\sigma_1 \| \gamma$  and  $\sigma_2 \| \gamma$ . We need to prove that  $\mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma_1 \| \gamma) = \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma_2 \| \gamma)$ . Two cases are possible.

•  $t' \in \mathbb{R} \cap (t - 0.5, t]$ : Let  $\delta = 0.5 + t - t'$ . Let  $\gamma'$  be the prefix of  $\gamma$  such that time( $\gamma'$ ) = time( $\sigma$ ) + t'.<sup>11</sup> Thus  $\gamma = \gamma' \delta$  tick and

$$\begin{array}{lll} \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma_1 \| \gamma) & = & \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma t' \| \gamma') \, \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}((t-t') \lambda \sigma' \| \delta \mathsf{tick}) \\ & = & \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma t' \| \gamma') \, \lambda \mathsf{DP}_{\mathsf{Act}}(\sigma') \mathsf{tick} \\ & = & \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma t' \| \gamma') \, \lambda \lambda' \mathsf{tick}, \\ \\ \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma_2 \| \gamma) & = & \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma t' \| \gamma') \, \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\lambda \lambda' \delta \| \delta \mathsf{tick}) \\ & = & \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma t' \| \gamma') \, \lambda \lambda' \mathsf{tick}. \end{array}$$

This implies  $\mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\sigma_1 \| \gamma) = \mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\sigma_2 \| \gamma)$ .

•  $t' \in (t, t + 0.5]$ : This time let  $\gamma'$  be the prefix of  $\gamma$  such that  $time(\gamma') = time(\sigma) + t$ .  $\delta$  is the same as above. Then we have

$$\begin{array}{lll} \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma_1 \| \gamma) & = & \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma t \| \gamma') \, \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\lambda \sigma' \| 0.5 \mathsf{tick}) \\ & = & \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma t \| \gamma') \, \lambda \mathsf{DP}_{\mathsf{Act}}(\sigma') \mathsf{tick} \\ & = & \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma t \| \gamma') \, \lambda \lambda' \mathsf{tick}, \\ \\ \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma_2 \| \gamma) & = & \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma t \| \gamma') \, \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}((t' - t) \lambda \lambda' \delta \| 0.5 \mathsf{tick}) \\ & = & \mathsf{DP}_{\mathsf{Act}_{\mathsf{lick}}}(\sigma t \| \gamma') \, \lambda \lambda' \mathsf{tick}. \end{array}$$

<sup>&</sup>lt;sup>11</sup>The trace  $\gamma'$  is unique since by definition the trace  $\gamma$  of Tick<sub>2</sub> generates a tick at time  $\Delta$  and generates no other tick actions during the whole interval  $(\Delta - 1, \Delta) \cap R$ .



<sup>&</sup>lt;sup>10</sup>The priority of tick over other actions guarantees the trace  $\sigma \parallel \gamma$  to be unique.

Thus once again we have  $\mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\sigma_1 \| \gamma) = \mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\sigma_2 \| \gamma)$ .

 $\sigma_1 \| \gamma \in \mathsf{ObsTTraces}(A_S^{\mathsf{Tick}_2}), \ \sigma_2 \| \gamma \in \mathsf{ObsTTraces}(A_{\mathsf{Act}}^{\mathsf{Tick}_2}) \ \text{and} \ A_S \ \text{is Tick}_2\text{-robust imply}$   $\sigma_2 \| \gamma \in \mathsf{ObsTTraces}(A_S^{\mathsf{Tick}_2}). \ \mathsf{Hence} \ \sigma_2 \in \mathsf{ObsTTraces}(A_S). \ \sigma \ t' \lambda \ \text{is a prefix of} \ \sigma_2 \ \text{implies}$   $\sigma \ t' \lambda \in \mathsf{ObsTTraces}(A_S).$ 

**Corollary 1** Let  $A_S$  be a TAIO which is non-blocking and Tick<sub>2</sub>-robust,  $\sigma \in \mathsf{RT}(\mathsf{Act})$ ,  $\lambda \in \mathsf{Act}^*$  and  $t \in \mathsf{R}$ . If  $\sigma t \lambda \in \mathsf{ObsTTraces}(A_S)$  then  $\sigma t' \lambda \in \mathsf{ObsTTraces}(A_S)$  for all  $t' \in \mathsf{R}$ .

*Proof* We make the proof by contradiction. Let  $R_1 = \{t' \in R \mid \sigma t' \lambda \in ObsTTraces(A_S)\}$  and  $R_2 = \{t' \in R \mid \sigma t' \lambda \notin ObsTTraces(A_S)\}$ .  $R_1$  is nonempty since  $t \in R_1$ . We assume  $R_2$  is nonempty too. The fact that  $R_1$  and  $R_2$  are both nonempty and that  $R_1 \cup R_2 = R$  implies there exist  $t_1 \in R_1$  and  $t_2 \in R_2$  such that  $t_2 \in (t_1 - 0.5, t_1 + 0.5]$ . The latter contradicts the result given in Lemma 13.

**Corollary 2** Let  $A_S$  be a TAIO which is non-blocking and Tick<sub>2</sub>-robust and  $\sigma \in \mathsf{RT}(\mathsf{Act})$ 

$$\sigma \in \mathsf{ObsTTraces}(A_S)$$
 if and only if  $\mathsf{DP}_{\mathsf{Act}}(\sigma) \in \mathsf{ObsTTraces}(A_S)$ .

*Proof* We first assume  $\sigma = t_1 a_1 \cdots t_n a_n$  where  $t_i \in \mathbb{R}$  and  $a_i \in \operatorname{Act}$ . Let  $\sigma_1 = \lambda_{n+1} = \epsilon$ ,  $\sigma_{k+1} = t_1 a_1 \cdots t_k a_k$  and  $\lambda_k = a_k \cdots a_n$  for  $1 \le k \le n$ . By Corollary 1, we have:

$$\sigma_k t_k \lambda_k \in \mathsf{ObsTTraces}(A_S) \iff \sigma_k \lambda_k \in \mathsf{ObsTTraces}(A_S).$$

Since  $\sigma_k t_k \lambda_k = \sigma_{k+1} \lambda_{k+1}$  we deduce that for  $1 \le k \le n$ :

$$\sigma_{k+1}\lambda_{k+1} \in \mathsf{ObsTTraces}(A_S) \iff \sigma_k\lambda_k \in \mathsf{ObsTTraces}(A_S).$$

Thus:

$$\sigma_{n+1}\lambda_{n+1} \in \mathsf{ObsTTraces}(A_S) \iff \sigma_1\lambda_1 \in \mathsf{ObsTTraces}(A_S).$$

Finally since  $\sigma_1 = \lambda_{n+1} = \epsilon$ ,  $\sigma_{n+1} = \sigma$  and  $\lambda_1 = \mathsf{DP}_{\mathsf{Act}}(\sigma)$  we conclude that

$$\sigma \in \mathsf{ObsTTraces}(A_S) \iff \mathsf{DP}_{\mathsf{Act}}(\sigma) \in \mathsf{ObsTTraces}(A_S).$$

In the second case,  $\sigma = t_1 a_1 \cdots t_n a_n t_{n+1}$ . Then, by Corollary 1, we have

$$t_1a_1\cdots t_na_nt_{n+1}\in \mathsf{ObsTTraces}(A_S) \iff t_1a_1\cdots t_na_n\in \mathsf{ObsTTraces}(A_S).$$

Since as shown above we have

$$t_1 a_1 \cdots t_n a_n \in \mathsf{ObsTTraces}(A_S) \iff a_1 \cdots a_n \in \mathsf{ObsTTraces}(A_S)$$

we deduce that

$$t_1a_1\cdots t_na_nt_{n+1}\in \mathsf{ObsTTraces}(A_S)\iff a_1\cdots a_n\in \mathsf{ObsTTraces}(A_S).$$

Hence once again we conclude that

$$\sigma \in \mathsf{ObsTTraces}(A_S) \iff \mathsf{DP}_{\mathsf{Act}}(\sigma) \in \mathsf{ObsTTraces}(A_S).$$



We define the inverse operator of  $\mathsf{DP}_{\mathsf{Act}}(\cdot)$  denoted  $\mathsf{DP}_{\mathsf{Act}}^{-1}(\cdot)$ . For  $\lambda \in \mathsf{Act}^*$ :

$$\mathsf{DP}^{-1}_{\mathsf{Act}}(\lambda) = \{ \sigma \in \mathsf{RT}(\mathsf{Act}) \, | \, \mathsf{DP}_{\mathsf{Act}}(\sigma) = \lambda \}.$$

A given TAIO  $A_S$  is said to be DP-closed if and only if for any timed trace  $\sigma \in \mathsf{RT}(\mathsf{Act})$  if  $\sigma \in \mathsf{ObsTTraces}(A_S)$  then  $\mathsf{DP}^{-1}_{\mathsf{Act}}(\mathsf{DP}_{\mathsf{Act}}(\sigma)) \subseteq \mathsf{ObsTTraces}(A_S)$ . Notice that, by definition,  $\sigma \in \mathsf{DP}^{-1}_{\mathsf{Act}}(\mathsf{DP}_{\mathsf{Act}}(\sigma))$ , so the inverse implication always holds. Also note that  $[\sigma] \subseteq \mathsf{DP}^{-1}_{\mathsf{Act}}(\mathsf{DP}_{\mathsf{Act}}(\sigma))$ .

**Lemma 14** Let  $A_S$  be a non-blocking TAIO.  $A_S$  is Tick<sub>2</sub>-robust if and only if it is DP-closed.

#### Proof

- "If" direction: We assume  $A_S$  is DP-closed and we prove it is Tick<sub>2</sub>-robust. Let  $\beta \in \mathsf{ObsTTraces}(A_S^{\mathsf{Tick_2}})$  and  $\beta' \in \mathsf{ObsTTraces}(A_{\mathsf{Act}}^{\mathsf{Tick_2}})$  such that  $\mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\beta) = \mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\beta')$ . Thus there must exist  $\sigma \in \mathsf{ObsTTraces}(A_S)$ ,  $\sigma' \in \mathsf{ObsTTraces}(A_{\mathsf{Act}})$  and  $\gamma, \gamma' \in \mathsf{ObsTTraces}(\mathsf{Tick_2})$  such that  $\beta = \sigma \| \gamma$  and  $\beta' = \sigma' \| \gamma'$ .  $\mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\beta) = \mathsf{DP}_{\mathsf{Act}_{\mathsf{tick}}}(\beta')$  implies  $\mathsf{DP}_{\mathsf{Act}}(\sigma) = \mathsf{DP}_{\mathsf{Act}}(\sigma')$ . Since  $A_S$  is DP-closed and  $\sigma \in \mathsf{ObsTTraces}(A_S)$  we deduce  $\sigma' \in \mathsf{ObsTTraces}(A_S)$ . Moreover since we have  $\gamma' \in \mathsf{ObsTTraces}(\mathsf{Tick_2})$ , we conclude that  $\sigma' \| \gamma' \in \mathsf{ObsTTraces}(A_S^{\mathsf{Tick_2}})$ . Hence  $A_S$  is  $\mathsf{Tick_2}$ -robust.
- "Only if" direction: We assume  $A_S$  is  $\mathsf{Tick}_2$ -robust and we prove it is DP-closed. Let  $\sigma \in \mathsf{ObsTTraces}(A_S)$  and  $\sigma' \in \mathsf{DP}^{-1}_{\mathsf{Act}}(\mathsf{DP}_{\mathsf{Act}}(\sigma))$ . Thus there exists  $\lambda \in \mathsf{Act}^*$  such that  $\mathsf{DP}_{\mathsf{Act}}(\sigma) = \mathsf{DP}_{\mathsf{Act}}(\sigma') = \lambda$ . By Corollary 2 since  $\sigma \in \mathsf{ObsTTraces}(A_S)$ , we deduce that  $\lambda \in \mathsf{ObsTTraces}(A_S)$ . Once again by Corollary 2,  $\lambda \in \mathsf{ObsTTraces}(A_S)$  implies  $\sigma' \in \mathsf{ObsTTraces}(A_S)$ .

The lemma above allows to characterize the set of non-blocking and Tick<sub>2</sub>-robust TAIO.

**Corollary 3** Let  $A_S$  be a TAIO which is non-blocking.  $A_S$  is Tick<sub>2</sub>-robust if and only if there exists  $\psi \subseteq \mathsf{Act}^*$  such that  $\mathsf{ObsTTraces}(A_S) = \mathsf{DP}^{-1}_{\mathsf{Act}}(\psi)$ .

*Proof* It follows from Lemma 14, by taking  $\psi = \mathsf{DP}_{\mathsf{Act}}(\mathsf{ObsTTraces}(A_S))$ .

**Corollary 4** Let  $A_S$  be a non-blocking TAIO. If  $A_S$  is Tick<sub>2</sub>-robust then ObsTTraces( $A_S$ ) is digitizable.

*Proof*  $A_S$  is Tick<sub>2</sub>-robust, thus, by Lemma 14, it is DP-closed. We prove that for any  $\rho \in ART(Act)$ ,  $\rho \in ObsTTraces(A_S)$  if and only if  $[\rho] \subseteq ObsTTraces(A_S)$ .

- We first assume  $\rho \in \mathsf{ObsTTraces}(A_S)$ . Since  $A_S$  is DP-closed, we deduce that  $\mathsf{DP}^{-1}_{\mathsf{Act}}(\mathsf{DP}_{\mathsf{Act}}(\rho)) \subseteq \mathsf{ObsTTraces}(A_S)$ . Moreover since  $[\rho] \subseteq \mathsf{DP}^{-1}_{\mathsf{Act}}(\mathsf{DP}_{\mathsf{Act}}(\rho))$ , we conclude that  $[\rho] \subseteq \mathsf{ObsTTraces}(A_S)$ .
- Now we assume  $[\rho] \subseteq \mathsf{ObsTTraces}(A_S)$ . Let  $\rho' \in [\rho]$ . Clearly, we have  $\mathsf{DP}_{\mathsf{Act}}(\rho) = \mathsf{DP}_{\mathsf{Act}}(\rho')$ . Thus  $\rho \in \mathsf{DP}_{\mathsf{Act}}^{-1}(\mathsf{DP}_{\mathsf{Act}}(\rho'))$ . Moreover since  $A_S$  is  $\mathsf{DP}$ -closed and  $\rho' \in \mathsf{ObsTTraces}(A_S)$ , we deduce that  $\mathsf{DP}_{\mathsf{Act}}^{-1}(\mathsf{DP}_{\mathsf{Act}}(\rho')) \subseteq \mathsf{ObsTTraces}(A_S)$ . Hence,  $\rho \in \mathsf{ObsTTraces}(A_S)$ .

Thus,  $ObsTTraces(A_S)$  is digitizable.



#### 5.2.4 Reducing the size of digital-clock tests

Digital-clock tests can sometimes grow large because they contain a number of "chains" of ticks. On the other hand, standard test description languages such as TTCN [31] permit the use of variables and richer data structures. We would like to use such features to make the representation of digital-clock tests more "compact". For example, the test shown in the top of Fig. 14 can be equivalently represented as the automaton with counter i, shown in the bottom-left of the figure.

Reducing the size of test representations is a non-trivial problem in general, related to compression and algorithmic complexity theory (sometimes also called *Kolmogorov complexity*). In our framework, we only use a heuristic which attempts to eliminate tick chains as much as possible. To this purpose, we generalize the labels of the digital-clock test to labels of the form k tick, where k is a positive integer constant. A transition labeled with k tick is taken when the k-th tick is received, counting from the time the source node is entered. Naturally, tick is equivalent to 1 *tick*. Now, consider two nodes S and S' such that: (1)  $S \xrightarrow{\text{tick}} S'$ , (2) for all  $a \in \text{Act}$ , the successors of S and S' are identical, (3)  $S' \xrightarrow{k \text{tick}} S''$ . In this case, we remove node S' (and corresponding edges) and add the edge  $S \xrightarrow{(k+1) \text{tick}} S''$ . We repeat the process until no more nodes can be removed. The result of applying this heuristic to the test in the top of Fig. 14 is shown in the bottom-right of the figure.

### 5.3 Generating TA testers: the monitor case

The motivation for representing analog-clock tests as deterministic timed automata arises from the fact that on-line testing requires a time-efficient reachability algorithm, since the tester must be able to react to the SUT in real-time.

The problem of generating an analog-clock test which is a TAIO can be anything from trivial to undecidable, depending on its precise definition. If we require a test which is only sound, then the problem is trivial, because a test always announcing "Pass" is sound. On the other hand, if we require a test which is also complete, when such a test exists, <sup>12</sup> then we can show that the problem is undecidable, by reducing the timed automata determinization problem [50].

Thus, we take a pragmatic approach. We suppose that the tester has only one clock which is reset every time the tester observes an action, that is, at any edge of the tester TAIO. We then provide techniques to compute the locations and edges of the tester automaton and the guards and deadlines of the edges.

It should be noted that the above technique can be easily extended to generate testers with more than one clock, provided the *skeleton* of the tester is given. The skeleton is a deterministic finite automaton the transitions of which are labeled with resets of the clocks of the tester. This information is necessary since, for a given number of clocks (even for one clock) there exist many possible testers which differ in their logic of resetting clocks. A special case is an *event-clock* tester which has one clock for each observable action, reset when this action occurs, as in *event-clock automata* [2].

#### 5.3.1 "One-clock determinization" of TA

For pedagogical reasons, we first explain our technique for plain timed automata, which can be seen as TAIO with an empty set of input actions. For such an automaton A, the

<sup>&</sup>lt;sup>12</sup>It may not exist because the specification is non-deterministic whereas the test has to be deterministic.



technique amounts to determinizing A "as best as possible", given that we can only use one clock. Formally, the deterministic counterpart of A, denoted  $A_{mon}$ , will accept a superset of TTraces(A). Notice that A may contain unobservable actions and non-determinism. Viewing A as the specification,  $A_{mon}$  is a *monitor* for A.

 $A_{\text{mon}}$  is a TAIO which has as inputs the outputs of A.  $A_{\text{mon}}$  is observable, deterministic and input-enabled. All its locations are input locations.  $A_{\text{mon}}$  uses a single clock, y, which is reset to zero every time an action is observed.  $A_{\text{mon}}$  tries to estimate the state of A based on its current observation (including the value of its own clock y).  $A_{\text{mon}}$  has no urgency constraints: all its deadlines are lazy, thus,  $A_{\text{mon}}$  is non-blocking.  $A_{\text{mon}}$  needs no urgency because it acts as an "acceptor" rather than a "generator" of traces. On the other hand, the states of  $A_{\text{mon}}$  (including locations and values of the clock y) are divided into accepting and rejecting.

# 5.3.2 The equivalence relation " $\sim_S^a$ "

Let  $A = (Q, q_0, X, \mathsf{Act}, \mathsf{E})$  and suppose y is a new clock, not in X. Let  $S_A^y$  be the set of states of A extended with the clock y, that is,  $S_A^y = Q \times \mathsf{R}^{X \cup \{y\}}$ . For an action  $a \in \mathsf{Act}$ , let  $\mathsf{E}_a \subseteq \mathsf{E}$  be the set of edges of A which are labeled with a. For a given set of extended states  $S \subseteq S_A^y$  and a value  $u \in \mathsf{R}$  of clock y, we define the set of edges:

$$\mathsf{E}_{a}(S, u) = \{ e \in \mathsf{E}_{a} \mid \exists s \in S : y(s) = u \land s \models e \}.^{13}$$
 (26)

 $E_a(S, u)$  contains all edges labeled a which are satisfied by a state in S where y equals u. Finally, we define the following equivalence on values  $u_1, u_2 \in R$  of the clock y:

$$u_1 \sim_S^a u_2$$
 iff  $\mathsf{E}_a(S, u_1) = \mathsf{E}_a(S, u_2)$ . (27)

The intuition is as follows. Two values of y are equivalent if they give the same information on the enabledness of an edge labeled with a, assuming S holds. S captures the current "knowledge" of the monitor. In particular, it captures the relation between values of y and possible states where A can be in.

Let us illustrate the meaning of  $\sim_S^a$  with the example shown in Fig. 17. We assume that  $S = (q, -2 \le x - y \le 1)$  and that q has two outgoing edges  $e_1$  and  $e_2$  labeled a, with guards  $\phi_1 \equiv x \le 3$  and  $\phi_2 \equiv x \ge 2$ , respectively. Then,  $\sim_S^a$  induces three equivalence classes, namely, y < 1,  $1 \le y \le 5$  and y > 5. Indeed, given the assumption  $-2 \le x - y \le 1$ , y < 1 implies x < 2. Thus, when y < 1 we know that  $\phi_2$  does not hold, therefore,  $e_2$  is not enabled. Similarly, when y > 5 we know that  $e_1$  is not enabled. When  $1 \le y \le 5$ , both  $e_1$  and  $e_2$  may be enabled. It is important to note that *not all* states in S for which  $1 \le y \le 5$  satisfy  $\phi_1$ , and similarly for  $\phi_2$ . However, given our information on y, we cannot be sure. Thus, we need to include both  $e_1$  and  $e_2$  in the set of possible enabled edges, given the constraint  $1 \le y \le 5$ .

#### 5.3.3 Monitor construction

We now explain the construction of the monitor automaton  $A_{mon}$ . A location of  $A_{mon}$  is associated with a set of extended states of A,  $S \subseteq S_A^y$ . For each action a, for each equivalence class  $\psi$  in the (coarsest) partition induced by  $\sim_S^a$ ,  $A_{mon}$  has an edge  $e = (S, S', \psi, \{y\}, \text{lazy}, a)$ , where the destination location S' is computed as follows:

$$S' = \operatorname{succ}(S \cap \psi, a) \tag{28}$$

<sup>&</sup>lt;sup>13</sup>For s = (q, v) and  $e = (q', q'', \psi, r, d, a)$ ,  $s \models e$  is a shortcut for q = q' and  $v \models \psi$ .



**Fig. 17** Illustration of the  $\sim_S^a$  equivalence



where

$$\operatorname{succ}(S \cap \psi, a) = \operatorname{usucc}(\operatorname{dsucc}(S \cap \psi, a)) \tag{29}$$

and  $S \cap \psi$  denotes the set of all states  $s \in S$  such that  $y(s) \models \psi$ . Notice that S' can be empty, even when S is non-empty. This is because  $\psi$  may be unsatisfied in S. Also note that S' is the "best" possible estimate, in the sense that S' is the smallest set possible, given the knowledge the monitor has when a arrives. This knowledge is captured by  $S \cap \psi$ . Indeed, the monitor knows that A cannot be in a state outside S. It also knows that clock y satisfies  $\psi$ , which further restricts the possible states A can be in.

Let  $A^y$  be the automaton A extended with clock y and recall that  $s_0^{A^y}$  denotes the initial state of  $A^y$ . Then, the initial location of  $A_{\text{mon}}$  is defined to be  $S_0 = \{s \in S_A^y \mid \exists \rho \in \mathsf{RT}(\{\tau\}) : s_0^{A^y} \xrightarrow{\rho} s\} = \mathsf{usucc}(\{s_0^{A^y}\})$ .  $S_0$  captures the initial knowledge of the monitor. The latter knows that initially y and all clocks of A equal zero. However,  $S_0$  must also include all states that A can move to by performing unobservable sequences.

The above algorithm is essentially a *subset construction* for A, with the addition that clock y is used to infer knowledge about states that A can possibly be in. The construction relies on repeating two basic steps: (a) computing the partition induced by equivalences  $\sim_s^a$ , and (b) computing successor locations S' using reachability. We show how step (a) can be implemented below. As for step (b), standard symbolic reachability techniques, coupled with so-called *extrapolation abstractions* can be used to ensure that the number of possible locations of  $A_{mon}$  remains finite [4, 10, 23].

# 5.3.4 Computing the coarsest partition induced by " $\sim_S^a$ "

A simple algorithm for computing the coarsest partition induced by  $\sim_S^a$  is the following. Given a constraint  $\psi$  on clock y, let  $\mathsf{E}_a^{S,\psi} = \{e \in \mathsf{E}_a \mid S \cap (\psi \land \mathsf{guard}(e)) \neq \emptyset\}$ , where  $\mathsf{guard}(e)$  is the guard of edge e.  $\mathsf{E}_a^{S,\psi}$  contains all edges labeled a whose guards may be satisfied by a state in S where y lies in the interval  $\psi$ . In other words,  $\mathsf{E}_a^{S,\psi}$  is the union of  $\mathsf{E}_a(S,u)$  over all values u satisfying  $\psi$ .



**Fig. 18** A non-deterministic timed automaton



Now, let K be the greatest constant appearing in a constraint defining S or a guard of an edge in  $E_a$ . For each  $\psi$  in the set of intervals

$$\{[0,0],(0,1),[1,1],(1,2),\ldots,[K,K],(K,\infty)\},\$$

compute  $\mathsf{E}_a^{S,\psi}$ . For this, the condition  $S\cap (\psi \wedge \mathsf{guard}(e)) \neq \emptyset$  needs to be checked. This can be done symbolically, using standard techniques and data structures such as DBMs [24]. Once  $\mathsf{E}_a^{S,\psi}$  is computed for all intervals  $\psi$ , the coarsest partition is obtained by "merging" (i.e., taking the union of) intervals having the same set  $\mathsf{E}_a^{S,\psi}$ . For the example of Fig. 17,  $\mathsf{E}_a^{S,1\leq 1}=\{e_1\}$ ,  $\mathsf{E}_a^{S,1\leq 1}\leq \{e_1,e_2\}$  and  $\mathsf{E}_a^{S,y>5}=\{e_2\}$ . Notice that the correctness of the above algorithm relies on the fact that all values in an interval (i,i+1) are equivalent, and the same is true for the interval  $(K,\infty)$ . This is because constraints only have integer constants.

#### 5.3.5 Accepting and rejecting states

It remains to define the accepting and rejecting states of  $A_{\text{mon}}$ . Given  $S \subseteq S_A^y$ , let  $S_{/y}$  be the projection of S on clock y, that is,  $S_{/y} = \{u \in \mathsf{R} \mid \exists s \in S : y(s) = u\}$ . Then, all states  $(S, S_{/y})$  of  $A_{\text{mon}}$  are accepting, provided  $S \neq \emptyset$ . The rest of the states are rejecting.

The different steps for constructing the monitor automaton are given in Algorithm 3. It is worth noting that the latter bears similarity with the common reachability algorithm.

#### 5.3.6 Example of monitor construction

Let us give an example illustrating the construction of  $A_{mon}$ . Consider the non-deterministic timed automaton shown in Fig. 18. All its edges are lazy, except the one from location 2 to location 4, which is delayable. Its one-clock monitor automaton is shown in Fig. 19. Not all locations and edges of the monitor are shown, in order not to overload the figure. In particular, the empty location and all edges leading to it are not shown. For instance, there is an edge labeled a with guard y > 5 from the initial location to the empty location, since a is not accepted if it arrives after 5 time units from start. Apart from the empty location, the rejecting states of the monitor are at location  $S = (2, x = y \le 2)$  and for y > 2 (notice that  $S_{/y} = y \le 2$ ). This is because c must be received at most 2 time units after a, in order to be accepted. Note that there are no such rejecting states at location  $S' = (1, 1 \le x - y \le 2) \cup (2, x = y \le 2)$ . This is because the monitor does not know whether the original automaton is at location 1 or 2, and there is no urgency at location 1. Indeed,  $S'_{/y} = true$ .



```
S_0 \leftarrow \operatorname{usucc}(\{s_0^{A^y}\});
       list_1 \leftarrow \{S_0\};
 2
       list_2 \leftarrow \emptyset;
 3
       T \leftarrow the one node TA the initial location of which is S_0;
 4
       compute the rejecting states corresponding to S_0;
 5
 6
       while(list_1 \neq \emptyset)
          S \leftarrow \operatorname{pick}(list_1);
 7
          foreach(a \in Act_{out})
 8
             \mathcal{P} \leftarrow the coarsest partition induced by \sim_s^a;
             foreach(\psi \in \mathcal{P})
10
                 S' \leftarrow \operatorname{succ}(S \cap \psi, a);
11
                 if (S' \neq \emptyset)
12
                    append edge (S, S', \psi, \{y\}, |azy, a) to T;
13
                    compute the rejecting states corresponding to S';
14
                     if (S' \notin list_2) list_1 \leftarrow list_1 \cup \{S'\};
15
16
                 else append edge (S, Fail, \psi, {y}, lazy, a) to T;
17
                 endif:
18
             endforeach;
19
          endforeach:
20
          list_1 \leftarrow list_1 \setminus \{S\};
21
22
          list_2 \leftarrow list_2 \cup \{S\};
       endwhile:
```

Algorithm 3: One-clock determinization of TA

### 5.3.7 The use of extrapolation techniques

A question that arises is the termination of Algorithm 3. Using the operator usucc may lead to an infinite set of states (zones) [23]. Moreover, there are cases where the exact set of reachable states is not representable as finite unions of zones [10]. The second problem can be avoided only by restricting the class of timed automata considered to *diagonal-free* automata, that is, without guards of the form  $x - y \le c$  [10]. To alleviate the first problem, we use the so-called *extrapolation abstractions* [4, 10, 23]. These abstractions result in a finite state space, thus ensuring termination of reachability-based algorithms.

Extrapolation abstractions rely on the maximal integer constants used in guards of the timed automaton in question. In our case, this raises an issue when determining the constant that is to bound the space of the monitor clock y. Indeed, this clock does not "participate" in any guard a-priori (before the construction of the monitor) thus there is no reference constant to use. We can show that increasing the maximal constant for y amounts to increasing the observational power of the monitor. In fact, there are cases where there is no "optimal" monitor: the greater the maximal constant allowed for y is, the more precise  $A_{mon}$  will be, in the sense of how "close" the language of  $A_{mon}$  is to the language of A.

An example is shown in Fig. 20. The TAIO shown in the figure can produce a single output a at any time k, where  $k \in \{1, 2, ...\}$ . It can be seen that for any such k, a monitor able to compare y to constants up to k is "less accurate" than a monitor able to compare y to





Fig. 19 The one-clock deterministic monitor of the automaton of Fig. 18



constants up to k + 1. Indeed, the former cannot distinguish between a! happening precisely at time k or at time strictly greater than k, while the latter can.

Another observation to be made about Algorithm 3 is the following. 14 There are cases where it is possible to build more precise monitor automata by using partitions which are finer than those induced by the equivalence relations " $\sim_s^a$ ", used in Algorithm 3. We use the example given in Fig. 21 to illustrate this. It can be checked that by applying Algorithm 3 on the TA A, we obtain the monitor automaton  $A_{mon}$ . Note that though A is deterministic and has only one clock the two TA A and  $A_{mon}$  are distinct from each other. This is due the fact that clock x of TA A is not reset after each transition as the clock y is supposed to be. The initial location of  $A_{mon}$  is labeled with the set of states S = (0, x = y). For the output action a, we consider the relation equivalence  $\sim_S^a$ . The coarsest partition with respect to  $\sim_S^a$ is made up of the two intervals  $0 \le y < 1$  and  $1 \le y$ . The first interval is shown in the figure while the second is hidden since it leads to the Fail-location. The monitor automaton  $A'_{mon}$  is obtained by considering a finer partition made up of the intervals y = 0, 0 < y < 1 and  $1 \le y$ . That is the only change we bring to Algorithm 3. All the other steps remain unchanged. It is not difficult to check that  $ObsTTraces(A) \subseteq ObsTTraces(A_{mon})$  and  $ObsTTraces(A) \subseteq$ ObsTTraces( $A'_{mon}$ ). Thus, both  $A_{mon}$  and  $A'_{mon}$  are monitor automata for A. However,  $A'_{mon}$ is more precise than  $A_{mon}$  since  $ObsTTraces(A'_{mon}) \subset ObsTTraces(A_{mon})$ . This inclusion is strict since for all t, such that 2 < t < 3, the traces "0 a t b" are in ObsTTraces( $A_{mon}$ ) but not in ObsTTraces( $A'_{mon}$ ).

<sup>&</sup>lt;sup>14</sup>This issue has been pointed to us by Fabrice Chevalier and Patricia Bouyer.





Fig. 21 Computing a more precise monitor automaton: i.e.,  $A'_{mon}$  more precise than  $A_{mon}$ 

In general, a "forward" algorithm such as the one we propose above cannot determine the partition that is sufficiently fine for precision purposes, thus, it has to rely on the finest possible partition, namely, the region graph. This is the approach taken in [11]. Our method opts for monitors that have weaker observational power, however, are much more efficient to construct and store.

#### 5.4 Generating TA testers: the general case

We now consider the general case of TAIO with both input and output actions. In this case, the monitor becomes a tester, since it must supply inputs to the SUT. Formally, the tester is an analog-clock test TAIO, denoted  $A_{\text{test}}$ , as defined in Sect. 4.

### 5.4.1 Input and output locations

As for the case of digital-clock tests, an analog-clock test TAIO has two distinct types of locations, namely *input locations* and *output locations*. The outgoing edges from an input location are all labeled with output actions. When the tester is occupying such a location, it just waits for outputs coming from the implementation and reacts accordingly. For the second type of locations, each location must have exactly one outgoing edge labeled with an input action and all the other edges must be labeled with output actions. For each output location, the tester has an input action that it must send to the implementation at a precise timing. When the tester occupies some output location, it waits till the time for sending the corresponding input happens. If an output is received before that time the tester reacts accordingly. Otherwise, it will send the specific input action to the implementation at the precise chosen time and continues the execution of the test strategy accordingly.

#### 5.4.2 Generation algorithm

The algorithm for constructing  $A_{\text{test}}$  is a generalization of the algorithm for building  $A_{\text{mon}}$ . As with  $A_{\text{mon}}$ , each location of  $A_{\text{test}}$  is a set  $S \subseteq S_A^y$ . The choice of marking a location



**Fig. 22** A possible analog-clock test TAIO for of the automaton of Fig. 18 considered as a TAIO with input (*a*) and outputs (*b* and *c*)



as input or output is made by the algorithm non-deterministically. For locations marked as input, their outgoing edges are computed as shown in the previous section, using the equivalence  $\sim_s^a$ , where, in this case,  $a \in \mathsf{Act}_{\mathsf{out}}$ .

For output-locations, in order to mark a location S as output, A must have an edge e labeled with  $a \in \operatorname{Act}_{\operatorname{in}}$ , such that  $S \cap \operatorname{guard}(e) \neq \emptyset$ . If S is indeed marked as output, then one of the above edges and a rational value u are chosen, such that  $\exists s \in S : y(s) = u \land s \models \operatorname{guard}(e)$  (by the above condition, such a u exists). Then, an edge  $(S, S', y = u, \operatorname{eager}, a)$  is added to  $A_{\operatorname{test}}$ , where S' is computed as shown in the previous section. Notice that the deadline of the edge is eager: this is because we want the output to be emitted urgently, at a precise point in time. Also note that if we cannot find an integer value u satisfying the above condition, then we pick a rational value and multiply at the end of the construction all constants in the automaton with a sufficiently large constant to make them integer. For the interval  $0 \le y < u$ , the outgoing edges labeled with input actions are computed exactly as for the case of input-locations. The only difference is that we compute a partition of the interval [0, u) instead of the whole set of reals R.

The states of  $A_{\text{test}}$  are defined to be either accepting or rejecting, as with  $A_{\text{mon}}$ . Rejecting states correspond to the tester emitting a "Fail" verdict. On the other hand, there is no specific point in time where the tester emits a "Pass". Indeed, the execution of the test can go on as long as the tester remains in an accepting state. The user can stop the test when he/she is tired of waiting.

The different steps for constructing a test TAIO are given in Algorithm 4. In the algorithm, valid\_inp\_edges(S) denotes the set of edges { $e \mid S \cap \text{guard}(e) \neq \emptyset$ } labeled with input actions.

### 5.4.3 Example of test TAIO construction

An example  $A_{\text{test}}$  of an analog-clock test TAIO is given in Fig. 22. This test TAIO corresponds to the automaton of Fig. 18. For the purpose of this example, the latter is considered here as a TAIO with input a and outputs b and c. We write a!, b? and c? (instead of a?, b! and c!) since, with respect to the tester, a is an output and b and c are inputs. The initial location of  $A_{\text{test}}$  is an output-location and the two others are input-locations. If the tester receives any input action during the time interval  $0 \le y < 2$ , a Fail verdict is emitted and the test is stopped. Otherwise, if no input is received within this interval, the tester produces



```
S_0 \leftarrow \operatorname{usucc}(\{s_0^{A^y}\});
       list_1 \leftarrow \{S_0\}; list_2 \leftarrow \emptyset;
 2
       T \leftarrow the one-location TAIO with initial location S_0;
       while(list_1 \neq \emptyset)
 4
           S \leftarrow \operatorname{pick}(list_1);
 5
 6
           if (valid_inp_edges(S) \neq \emptyset)
              i \leftarrow \mathsf{pick}(\{0,1\});
 7
           else i \leftarrow 1;
 8
 9
           endif:
           \mathbf{if}(i=0)
10
              e \leftarrow \operatorname{pick}(\operatorname{valid inp edges}(S));
11
              u \leftarrow a rational value s.t. \exists s \in S : y(s) = u \land s \models \mathsf{guard}(e);
12
              b \leftarrow the label of e;
13
              S' \leftarrow \operatorname{succ}(S \cap (y = u), b);
14
              append edge (S, S', y = u, \{y\}, \text{ eager}, b) to T;
15
               if (S' \notin list_2)
16
                  list_1 \leftarrow list_1 \cup \{S'\};
17
              endif:
18
           else u \leftarrow \infty:
19
           endif:
20
           foreach(a \in Act_{out})
21
              \mathcal{P} \leftarrow the coarsest partition of [0, u) induced by \sim_s^a;
22
              foreach(\psi \in \mathcal{P})
23
                  S' \leftarrow \operatorname{succ}(S \cap \psi, a);
24
                  if (S' \neq \emptyset)
25
                     append edge (S, S', \psi, \{y\}, |azy, a) to T;
26
                      if (S' \notin list_2)
27
                         list_1 \leftarrow list_1 \cup \{S'\};
28
29
                     endif:
                  else append edge (S, Fail, \psi, {y}, lazy, a) to T;
30
31
                  endif;
              endforeach;
32
           endforeach;
33
           list_1 \leftarrow list_1 \setminus \{S\}; list_2 \leftarrow list_2 \cup \{S\};
34
       endwhile;
35
       compute the rejecting states of all the input-locations of T;
36
```

**Algorithm 4**: A test TAIO generation

action a exactly at time y=2, resets clock y and then waits for inputs. Then, only three possible behaviors are accepted by the tester: (1) time elapse, (2) receiving input b within interval  $0 \le y \le 1$ , (3) receiving input c exactly at time y=0. If one of these behaviors is observed, the test may be stopped at any time and a Pass verdict is emitted. If any other behavior is observed the test must be stopped and a Fail verdict must be emitted.



#### 5.4.4 Soundness and completeness

Next, we discuss the soundness and completeness of Algorithm 4. First, we prove that the algorithm is sound. Let *T* be a test TAIO generated by Algorithm 4.

**Proposition 15** If verdict Fail is observed while applying T on  $A_I$ , then  $A_I$  tioco  $A_S$ .

*Proof* Let  $\sigma = a_0 a_1 \cdots a_n \in \mathsf{RT}(\mathsf{Act})$  the trace corresponding to the interaction between the tester and  $A_I$  from the starting of T until the announcement of Fail. Let  $\sigma_{n-1} = a_0 \cdots a_{n-1}$ . According to the algorithm,  $a_n \in \mathsf{Act}_\mathsf{out} \cup \mathsf{R}$ . Two cases are possible:

- $\sigma_{n-1} \in \mathsf{ObsTTraces}(A_S)$ : With no-restriction, it is possible to assume that  $a_{n-2} \in \mathsf{Act}$  and  $a_{n-1} \in \mathsf{R}.^{15}$  Let v be the node of T reached after the execution of  $\sigma_{n-2} = a_0 a_1 \cdots a_{n-2}$  and S the set of states associated with v. Clearly,  $A_S$  after  $\sigma_{n-2} \subseteq S$ .
  - If  $a_n \in \mathbb{R}$ : Since Fail is announced, the duration  $a_{n-1} + a_n$  is not accepted within v and leads by the way to a rejecting state. That is  $a_{n-1} + a_n \notin \text{out}(A_S \text{ after } \sigma_{n-2})$ . Hence,  $A_I \text{ theor} A_S$ .
  - If  $a_n \in \mathsf{Act}_\mathsf{out}$ : Let  $\psi$  the element of the current partition  $\mathcal P$  induced by  $\sim_S^{a_n}$  such that  $y = a_{n-1} \in \psi$ . Since Fail is announced,  $\mathsf{succ}(s \cap \psi, a_n) = \emptyset$ . Thus,  $a_n \notin \mathsf{out}(A_S \mathsf{after} \sigma_{n-1})$  and by the way  $A_I \mathsf{tieco} A_S$ .
- $\sigma_{n-1} \notin \mathsf{ObsTTraces}(A_S)$ : Let  $\sigma' = a_0 a_1 \cdots a_k$  such that k < n-1,  $\sigma' \in \mathsf{ObsTTraces}(A_S)$  and  $\sigma' a_{k+1} \notin \mathsf{ObsTTraces}(A_S)$ . If  $a_{k+1} \in \mathsf{Act}_{\mathsf{in}}$ , that will be a contradiction with the fact that Algorithm 2 chooses only valid input-edges (i.e., edges which are in valid\_inp\_edges()). Thus,  $a_{k+1} \in \mathsf{Act}_{\mathsf{out}} \cup \mathsf{R}$  and we are done.

Algorithm 4 is not complete in general. The example given in Fig. 21 shows that depending on the kind of partitions we use there are mistakes that we can detect and others that we can not.

#### 6 Coverage

As already mentioned in Sect. 5.2, the digital-clock test generation algorithm takes as input the extended specification model  $A_S^{\text{tick}}$  and generates a test in the form of a tree. Nodes of the tree correspond to sets of states of  $A_S^{\text{tick}}$ . Nodes are marked as input or output. This algorithm is only partially specified. It must be completed by specifying a policy for marking nodes as input or output, for choosing which of the possible outputs to emit and for choosing when to stop the test. One way is to resolve these choices randomly. This may not be satisfactory when some completeness guarantees are required or when repetitions must be avoided as much as possible. Another possibility is to generate an *exhaustive* test suite up to a depth k specified by the user. This approach suffers from the *explosion* problem, since the number of tests is generally exponential in k.

To remedy the above problems, many approaches have been proposed for generating test suites with respect to a given *coverage criterion*. Different coverage criteria have been proposed for software, such as statement coverage, branch coverage, and so on [41]. In the TA case existing methods attempt to cover either finite abstractions of the state space (e.g., the region graph [46] or a time-abstracting quotient graph [42]) or structural elements of the

<sup>&</sup>lt;sup>15</sup>We can insert "0" between  $a_{n-1}$  and  $a_n$  if that is not the case.



```
S_0 \leftarrow \operatorname{usucc}(\{s_0^{A_S^{\mathsf{Tick}}}\});
        list_1 \leftarrow \{S_0\};
 2
 3
        list_2 \leftarrow \emptyset;
        OG \leftarrow the one-node graph with initial node S_0;
 4
        while(list_1 \neq \emptyset)
 5
 6
            S \leftarrow \operatorname{pick}(list_1);
 7
            foreach(a \in Act_{in} \cup Act_{out} \cup \{tick\})
                if (a \in Act_{in})
 8
                    S' \leftarrow \mathsf{dsucc}(\mathsf{tsucc}(S, 0), a);
 9
                else S' \leftarrow \mathsf{dsucc}(\mathsf{usucc}(S), a);
10
                endif:
11
                if (S' \neq \emptyset)
12
                    append edge S \stackrel{a}{\rightarrow} S' to OG;
13
                    if (S' \notin list_2)
14
                        list_1 \leftarrow list_1 \cup \{S'\};
15
                    endif:
16
                endif:
17
            endforeach;
18
            list_1 \leftarrow list_1 \setminus \{S\};
19
            list_2 \leftarrow list_2 \cup \{S\};
20
        endwhile:
21
```

**Algorithm 5**: Construction of the observable graph OG

specification such as edges or locations [29]. In [8], a method for generating test cases from coverage criteria is proposed. The coverage criteria are encoded as *observer automata*.

Here, we propose a new technique for covering states, locations or edges of the specification. As mentioned in the introduction, we cannot use the technique of [29] because it relies on the assumption that outputs in the specification are urgent and isolated.

Our technique relies on the concept of *observable graph*.

#### 6.1 The observable graph

The observable graph OG of the composed automaton  $A_S^{\text{Tick}}$  is generated as follows. The initial node of the graph is  $S_0 = \{s \mid \exists \rho \in \mathsf{RT}(\{\tau\}) : s_0^{A_S^{\text{Tick}}} \stackrel{\rho}{\to} s\}$ . For each generated node S and each  $a \in \mathsf{Act} \cup \{\mathsf{tick}\}$ , a successor node S' is generated and an edge  $S \stackrel{a}{\to} S'$  is added to the graph. Extrapolation abstractions can be used here as well, to ensure that the graph remains finite. The way for constructing the observable graph OG is given in Algorithm 5.

### 6.1.1 Coverage criteria

Every node of OG corresponds to a set of states S of  $A_S^{\text{Tick}}$ . We say that the node *covers* S. On the other hand, every static test-tree is essentially a sub-graph of OG. We say that such a test covers the union of all sets of states covered by its nodes. We say that a set of tests (or *test suite*) achieves *state coverage* if every reachable state of  $A_S$  is covered by some



test in the suite. Unreachable states of  $A_S$  can be ignored, since they play no role regarding conformance.

Similarly, a node S of OG covers a location q of  $A_S$  if S contains some state s=(q,v). A test suite achieves *location coverage* if every reachable location of  $A_S$  is covered by some test in the suite. When  $A_S$  is built compositionally, we can distinguish between *global* and *local* location coverage. In global location coverage, we require that all reachable global locations be covered. A global location is a vector  $(q_1, \ldots, q_n)$  where n is the number of components and  $q_i$  is the local location of component i. In local location coverage, we simply require that all reachable individual locations of components be covered. Clearly, a test suite achieving global location coverage also achieves local location coverage, but the converse is not generally true. Similarly, a test suite achieving state coverage also achieves both local and global location coverage, but the converse is not always true.

Every edge of OG can be associated to a set of edges of  $A_S$ . In particular, an edge  $S \stackrel{a}{\to} S'$  will be associated to all edges which are visited during the reachability algorithm which computes S' from S. Formally, if  $s \in S$ ,  $s' \in S'$  and  $s \stackrel{\rho \cdot a}{\longrightarrow} s'$  for an unobservable sequence  $\rho$ , all edges in the path from s to s' are covered by the edge  $S \stackrel{a}{\to} S'$ . We say that a test suite achieves *edge coverage* if every reachable edge of  $A_S$  (i.e., an edge enabled at a reachable state of  $A_S$ ) is covered by some test in the suite. A test suite achieving edge coverage also achieves local location coverage. However, it may not achieve global location (or state) coverage.

We also define *action coverage* as follows. If a given edge  $S \xrightarrow{a} S'$  is reachable then the corresponding observable action a is said to be reachable as well. Action coverage is achieved if all the reachable observable actions are covered by the considered test suite. Clearly, action coverage is weaker than edge coverage.

Note that these coverage criteria, the way they are defined, should be interpreted merely as a way to "guide" the test generation algorithm. We do not claim that a test suite achieving, say, global location coverage, indeed guarantees such coverage *during execution*. This cannot be guaranteed, simply because execution is partly controlled by the system under test. The latter decides which outputs to emit to the tester, therefore, it also implicitly decides which parts of the nodes of the test-tree will be "covered". One could, of course, define also a notion of "execution coverage", book-keeping the locations of the specification covered during execution of the tests. In this case, however, it cannot be guaranteed that all locations will be covered, because the implementation may simply not allow to reach some parts of the specification state-space, as already said.

### 6.2 Generation algorithm

We now give an algorithm to generate a test suite achieving coverage with respect to a given criterion. The first step is to build the observation graph of  $A_S^{\mathsf{Tick}}$ . Then, tests are extracted statically from OG, until coverage is achieved. We first consider location coverage. Tests are extracted as follows.

### 6.2.1 Generating a location-covering suite

While there are reachable locations not covered, the algorithm picks such a location, say q. Next, it picks a node v of OG associated with q (such a node exists since q is reachable) and finds a path in OG from the initial node to v. Then, it extends this path into a test-tree as explained in Sect. 6.2.4 below. This new test is added to the set of tests already generated and the algorithm repeats choosing a new uncovered location, until all locations are covered.



```
list \leftarrow the set of reachable locations:
 1
       \mathcal{T} \leftarrow \emptyset:
 2
       while(list \neq \emptyset)
 3
           q \leftarrow \operatorname{pick}(list);
 4
           v \leftarrow a node of OG associated with q;
 5
           \sigma \leftarrow a path in OG from the initial node to v;
 6
 7
           T \leftarrow the extension of \sigma into a test tree;
           list \leftarrow list \setminus the set of locations covered by T;
 8
 9
           \mathcal{T} \leftarrow \mathcal{T} \cup \{T\};
10
       endwhile;
```

**Algorithm 6**: Generation of a location-covering suite  $\mathcal{T}$ 

The different steps for generating a location-covering suite are given in Algorithm 6. Notice that the algorithm is essentially an AND/OR search in a finite graph, AND nodes being input nodes and OR nodes being output nodes.

### 6.2.2 Generating a state-covering suite

A state-covering suite can be extracted in a similar way. If some state s is not covered, we first find a node v of OG covering s. Then we extract a test including v as above. Notice that this test will cover not only s, but a set of states containing s. It will at least cover the region in which s belongs. This guarantees that the algorithm terminates with a finite test suite, even though the set of states is infinite.

#### 6.2.3 Generating an edge-covering suite

The algorithm is similar for edge coverage, with the difference that instead of finding a path reaching a target node of OG, the algorithm finds a path reaching a target edge (the so-far uncovered edge).

#### 6.2.4 Extending a path into a test-tree

This can be done by completing the path with the missing edges, labeled with tester inputs. Let  $v \stackrel{a}{\to} v'$  be an edge in the considered path such that  $a \in \mathsf{Act}_\mathsf{out} \cup \{\mathsf{tick}\}$ . For  $a_i \in \mathsf{Act}_\mathsf{out} \cup \{\mathsf{tick}\}$  \  $\{a\}$ , if  $v \stackrel{a_i}{\to} v_i$  is an edge of the observable graph then an edge  $v \stackrel{a_i}{\to} \mathsf{Pass}$  is added to the path. Otherwise, edge  $v \stackrel{b}{\to} \mathsf{Fail}$  is added to it. In general, it is a good idea to continue extending the test-tree in this way. This is because, using such a policy, a single test will cover as many locations as possible. An example of how to extend a path into a test-tree is given in Fig. 23. We are given the observable graph OG and a path  $\sigma$  of it. The figure shows the test-tree T into which the path  $\sigma$  is extended. In this example, the considered system has two inputs a, b and three outputs c, d, e. Since a is an input action then we can omit the other outgoing edges from the initial node of the path  $\sigma$  (c! and b?). That is why these edges do not appear in T. For the second location of  $\sigma$ , the outgoing edge is labeled with an output action. For this location, all output actions must appear in T. The actions tick, c and e lead to Pass since they appear in OG and e to Fail since it does not appear in OG (i.e., it is not an expected output according to the specification).



**Fig. 23** An example of how to extend a path  $\sigma$  of the observable graph OG into a test-tree T



### 6.2.5 Finiteness of the number of obtained tests and complexity

It is not difficult to see that for every reachable state of  $A_S$  there exists a node S of OG covering this state, and similarly for locations and edges. Thus, covering all nodes and edges in OG suffices to achieve coverage for each of the three criteria above. Since OG is finite, a finite number of tests suffices to achieve coverage, thus, the algorithm terminates. The worst-case complexity of the algorithm is polynomial in the size of OG. Indeed, finding a node (or edge) of OG associated with a location (or edge) of  $A_S$  is linear. Finding a path in OG and extending the path into a test-tree is also linear. These steps are performed at most as many times as there are nodes in OG.

### 6.2.6 A limitation of the generation algorithm

One drawback of the algorithm is that it does not always generate *minimal* test suites. A test suite is minimal in the sense that if any test is removed from the suite, then coverage is no longer achieved. Clearly, a non-minimal suite contains some redundant tests, and one would like to remove such tests. On the other hand, one would also like to have a *minimal-number* suite, that is, a minimal suite with as few tests as possible. Notice that minimal does not imply minimal-number: the first is a sort of "local optimum" while the second is a "global optimum". In general minimal or minimal-number suites are not unique. Moreover, adding a new test to the suite may result in making one or more previously generated tests redundant. Studying efficient methods of generating minimal or minimal-number test suites is beyond the scope of this paper.

#### 7 Tool and Case Studies

#### 7.1 TTG

We have built a prototype test-generation tool, called TTG, on top of the IF environment [12]. The IF modeling language allows to specify systems consisting of many processes communicating through message passing or shared variables and includes features such as hierarchy, priorities, dynamic creation and complex data types. The IF tool-suite includes a simulator, a model checker and a connection to the untimed test generator TGV [26]. TTG is implemented independently from TGV. TTG is written in C++ and uses the basic libraries of IF for parsing and symbolic reachability of timed automata with deadlines.

Only digital-clock tests are generated by TTG at this point. <sup>16</sup> As shown in Fig. 24, TTG takes as inputs the specification and tick-automaton, written in IF language, as well as a set of user options specifying the test-generation mode. There are four modes:

<sup>&</sup>lt;sup>16</sup>On-line testing support is provided by the tool Uppaal-Tron [39].



Dim

single?

Fig. 24 The TTG tool I/O actions file Specification (.if file) TTG test generator tick-automaton test cases (.if file) (.if files) user options Lamp Button Loff single? x = Doff off! = 0 eager single single! R-( double? off! touch? touch dim dim! x := 0single'  $m \le y \le M$ touch? double? eager delayable double! double bright double? dim. touch?

Fig. 25 A lighting device

• Interactive: the user guides the test generation algorithm, resolving the non deterministic points (whether to issue an output or wait for an input, which output if many are possible, when to stop generating the test, etc.).

bright!

• Random: the non-deterministic points are resolved randomly.

x < D

- Exhaustive: all possible tests are generated up to a user-defined depth.
- Coverage: a set of tests that achieves a user-defined coverage criterion is generated. The criteria implemented currently are: state, location, action or partial state (i.e., coverage of the variables appearing in IF model).

In fact, TTG does not generate the tests itself. Instead, it generates an executable program, the "test generator" depicted in Fig. 24. It is this program that generates the tests (one or more tests, depending on the chosen mode). The test generator has additional options: for instance, for exhaustive test generation the user specifies the desired test depth when running the test generator, not when running TTG. The tests are output in the IF language.

In the rest of this section, we present two small case studies treated with TTG.

### 7.2 A lighting switch

This case study is a modification of the one presented in [29]. The (modified) specification is shown in Fig. 25. It models a lighting device, consisting of two modules: the "Button" module which handles the user interface through a touch-sensitive pad and the "Lamp" module which lights the lamp to intensity levels "dim" or "bright", or turns the light off. The user interface logic is as follows: a "single" touch means "one level higher", whereas a "double" touch (two quick consecutive touches) means "one level lower". It is assumed that higher and lower are modulo three, thus, a single touch while the light is bright turns it off.

The device communicates with the external world through input touch and outputs off, dim, bright. Events single and double are used for internal communication between the



| Depth | Time | # of  | Coverage of other criteria |            |             |         |  |  |  |  |
|-------|------|-------|----------------------------|------------|-------------|---------|--|--|--|--|
|       | (s)  | tests | Config.                    | Local loc. | Global loc. | Actions |  |  |  |  |
| 1     | 0.03 | 2     | 3%                         | 30%        | 7%          | 25%     |  |  |  |  |
| 2     | 0.03 | 4     | 7%                         | 42%        | 19%         | 25%     |  |  |  |  |
| 3     | 0.03 | 8     | 12%                        | 50%        | 26%         | 25%     |  |  |  |  |
| 4     | 0.04 | 16    | 18%                        | 50%        | 33%         | 25%     |  |  |  |  |
| 5     | 0.08 | 28    | 22%                        | 58%        | 37%         | 50%     |  |  |  |  |
| 6     | 0.14 | 57    | 38%                        | 75%        | 52%         | 75%     |  |  |  |  |
| 7     | 0.22 | 101   | 50%                        | 92%        | 74%         | 75%     |  |  |  |  |
| 8     | 0.35 | 176   | 63%                        | 100%       | 93%         | 75%     |  |  |  |  |
| 9     | 0.62 | 306   | 77%                        | 100%       | 100%        | 75%     |  |  |  |  |
| 10    | 1.14 | 533   | 91%                        | 100%       | 100%        | 100%    |  |  |  |  |
| 11    | 1.86 | 928   | 98%                        | 100%       | 100%        | 100%    |  |  |  |  |
| 12    | 3.52 | 1611  |                            | 10         | 00%         |         |  |  |  |  |

**Table 1** Exhaustive test generation results for the lighting-device case study

two modules through *synchronous rendez-vous* and are unobservable to the external user. The Button module uses the timing parameter D which specifies the maximum delay between two consecutive touches if they are to be considered as a double touch. The Lamp module uses the timing parameters m and M which specify the minimum and maximum delay for the lamp to change intensity (e.g., to warm-up a halogen bulb). In order not to overload the figure, we omit most guards, resets and deadlines in the Lamp module. They are placed similarly to the ones shown in the figure (i.e., resets in inputs, guards and deadlines in outputs).

# 7.2.1 Automatic test generation with TTG

We have used TTG to generate digital-clock tests for the above specification, with parameter set D=1, m=1, M=2 and with respect to the perfectly one-time-unit periodic Ticker. The results of the exhaustive generation for various depth levels are shown in Table 1. Depth levels are ranging from 1 to 12. Column "depth" shows the depth of the generated tests (i.e., the length of the longest path from the root to a leaf). Column "time" shows the time in seconds taken by TTG to generate a test suite with respect to the corresponding coverage criterion. Column "# of tests" shows the number of tests in the suite. The remaining columns show the coverage percentage for the different considered criteria.

Notice that these are the sets of all possible tests up to the specified depth: no test selection is performed. It is also worth noticing that in order to perform the complete coverage of all the considered criteria, we need to consider the exhaustive test-suite of depth 12 which is made of 1611 test cases.

We have also used TTG to perform test selection for this case-study with respect to the several considered criteria. The obtained results are shown in Table 2. Column "size" shows the number of elements to be covered. TTG succeeds to achieve all the coverage criteria but the action coverage criterion. It succeeds only to generate a test suite made of 25 test cases with depth ranging form 5 to 12 and with a coverage rate of 75%.

One of the tests generated by TTG is shown in Fig. 26. The drawing has been produced automatically using the if2eps tool written by Marius Bozga, which is based on the dot/graphviz utility (http://www.graphviz.org).





Fig. 26 A test generated automatically by TTG



| Criterion   | Size | Time | # of  | Depth | Coverage of other criteria |            |             |         |  |  |
|-------------|------|------|-------|-------|----------------------------|------------|-------------|---------|--|--|
| used        |      | (s)  | tests |       | Config.                    | Local loc. | Global loc. | Actions |  |  |
| Config.     | 175  | 0.2  | 25    | 5–12  | 100%                       | 100%       | 100%        | 75%     |  |  |
| Local loc.  | 12   | 0.12 | 11    | 10-12 | 67%                        | 100%       | 89%         | 75%     |  |  |
| Global loc. | 27   | 0.18 | 22    | 5-12  | 91%                        | 100%       | 100%        | 75%     |  |  |
| Actions     | 4    | 0.2  | 25    | 5-12  | 100%                       | 100%       | 100%        | 75%     |  |  |

**Table 2** Test generation results for the lighting-device case study

#### 7.2.2 Comparison with manually generated tests

In this section we show that it is possible to reduce the number of tests generated by TTG for achieving coverage with respect to the several considered criteria. However the manually generated tests are likely to be of bigger size.

Consider, for instance, the two tests shown in Fig. 27. In order not to overload the figure, each node of the tests is labeled only with the set of corresponding global locations; states are omitted. Also, for output nodes we only draw the outgoing edges which do not lead to FAIL. For example, node (2,Off) of the leftmost test has three outgoing edges labeled off?, dim?, bright? and leading to FAIL. Also, to save space, we draw the tree as a DAG (directed acyclic graph).

It can be seen from the figure that these two tests cover local locations. It is not difficult to check that the two tests cover edges as well. In fact, we can see from the figure that the two tests "walk trough" all observable edges of the specification. So it only remains to check that the unobservable edges are covered too. This is true since they are all visited between one of the pairs of successive ticks the two tests have (this is why nodes of the tests between successive ticks are labeled with pairs of global locations and not single global locations as for the other nodes).

The two tests do not achieve global location (and, consequently, neither state) coverage. For example, location (1,O-B) is not covered. However, 18 out of 30 global locations are covered. For covering the rest, it is possible either to generate more tests or to extend one of the two tests above. For instance, we can append the rightmost test at the end of the leftmost one. Also, in order to cover location (1,O-B), say, we can consider node (0,O-B) of the leftmost test as an output node instead of an input node (issuing the only possible output, touch!) and keep the remaining part of the test unchanged. Doing this, we can obtain a single test of depth 41 which achieves global location coverage. Alternatively, a suite of 8 tests of lengths smaller than those of Fig. 27 suffices to achieve global location coverage. This suite can be generated by the algorithm of Sect. 6. Notice that the depth of the leftmost test of Fig. 27 is 19. Generating an exhaustive test suite up to this depth would be infeasible due to explosion.

#### 7.3 The bounded retransmission protocol

The Bounded Retransmission Protocol (BRP) [27] is a protocol for transmitting files over an unreliable (lossy) medium. The architecture of the protocol is shown in Fig. 28. The protocol is implemented by the Transmitter and the Receiver. The users of the protocol are the Sending and Receiving clients. The medium is modeled by the Forward and Backward channels. Upon receiving a file from the Sending client (action put), the Transmitter fragments the file into packets and sends each packet to the Receiver (action send), awaiting an







Fig. 27 Two digital-clock tests covering most global locations of the specification of Fig. 25





Fig. 28 The BRP specification and interfaces

acknowledgment for each packet sent (action ack). If a timeout occurs without receiving an acknowledgment, the Transmitter resends the packet, up to a maximum number of retrials. At the end, if the file is transmitted successfully the Transmitter does not output anything to the Sending client. Otherwise, the Transmitter responds either with "abort" (action T\_abort) if the packet that failed was a "middle" one, or with "don't know" (action dk) if the packet was the first or last one (in this case the file may or may not be received at the other end). In case of success, the Receiving client receives the file (action get). In case the Receiver does not hear from the Transmitter for some time, it outputs R\_abort to the Receiving client.

### 7.3.1 IF model of BRP

Here, we use the BRP model developed in [13]. The model has been initially developed in SDL, then automatically translated to IF.<sup>17</sup> The model is shown in Fig. 29. States in red (labeled "decision\_...") are *transient* states, meaning that time does not elapse and the automaton moves through these states without being interrupted by other concurrent automata. The Transmitter has two clocks, "t\_repeat" and "t\_abort", and the Receiver one clock, "r\_abort". <sup>18</sup> The keyword "when" precedes a clock guard and "provided" precedes a guard on discrete variables. Keyword "task" is for assignments. The model is parameterized by five parameters: p, the number of packets in a file; max\_retry, the maximum number of retries in sending a packet (after timeout); dt\_repeat, the timeout delay; dt\_abort, the time the Transmitter waits before outputting T\_abort; dr\_abort, the time the Receiver waits before outputting R\_abort. The values used in our case study are:

$$p = 2$$
,  $max_retry = 4$ ,  $dt_repeat = 2$ ,  $dt_abort = 15$ ,  $dr_abort = 13$ .

For testing, we view the four components enclosed in dashed square in Fig. 28 as the BRP specification. The Sending and Receiving clients play the role of the environment, but they are not explicitly modeled, i.e., no assumptions are made on the environment. The interface of the SUT with its environment is captured by actions put (input) and get, dk, T\_abort, R\_abort (outputs).

<sup>&</sup>lt;sup>18</sup>The clocks are reset to a negative value and count upwards. This is not an essential difference with the TA model presented earlier.



 $<sup>^{17}</sup>$ The model of BRP can be found in the IF web page: http://www-verimag.imag.fr/~async/IF/ under "examples".



Fig. 29 BRP Transmitter (up) and Receiver (down)

| Criterion | Size | Time | # of  | Depth | Coverage of other criteria |           |         |      |      |      |      |      |
|-----------|------|------|-------|-------|----------------------------|-----------|---------|------|------|------|------|------|
| used      |      | (s)  | tests |       | Config.                    | Locations | Actions | m    | b    | c    | i    | j    |
| Config.   | 5808 | 25   | 9     | 22-53 |                            |           |         | 100% |      |      |      |      |
| Locations | 4    | 3    | 1     | 13    | 25%                        | 100%      | 60%     | 100% | 100% | 100% | 100% | 100% |
| Actions   | 5    | 5    | 1     | 44    | 40%                        | 100%      | 100%    | 100% | 100% | 100% | 100% | 100% |
| m         | 3    | 2    | 1     | 2     | 2%                         | 75%       | 40%     | 100% | 100% | 100% | 25%  | 100% |
| b         | 2    | 2    | 1     | 2     | 2%                         | 75%       | 40%     | 100% | 100% | 100% | 25%  | 100% |
| c         | 2    | 2    | 1     | 2     | 2%                         | 75%       | 40%     | 100% | 100% | 100% | 25%  | 100% |
| i         | 4    | 3    | 1     | 10    | 23%                        | 75%       | 40%     | 100% | 100% | 100% | 100% | 100% |
| j         | 3    | 2    | 1     | 2     | 2%                         | 75%       | 40%     | 100% | 100% | 100% | 25%  | 100% |

Table 3 Test generation results for the BRP case study

### 7.3.2 Automatic test generation using TTG

Using TTG, we generate tests for the perfectly periodic tick-automaton with clock period equal to 1, with respect to various coverage criteria. The results are shown in Table 3. The criteria used are: state, locations, actions, and the values of the five discrete variables of the model, namely, m, b, c, i, j. For the case study, we will use the term *configuration*, instead of "state", for measuring coverage. A configuration corresponds to an entire "symbolic state" and includes a vector of locations and values of variables for each automaton, plus a DBM representing symbolically the set of clock states. Thus, a configuration is a set of TA states. We can count configurations, but we cannot count TA states.

Thus, there are 5808 reachable configurations in total, <sup>19</sup> there are 4 global locations (we do not count transient locations) and 6 actions (the 5 input/output actions plus tick). Variables b and c are booleans (they encode the *alternating bit* for the Transmitter and Receiver, respectively). Variable m takes three possible values (beginning, middle or end of file). Variable i takes four possible values, from 1 to max\_retry. Variable j takes three possible values, from 0 to p. Notice that the configuration criterion requires 9 tests whereas all other criteria can be covered with just one test.

For the configuration criterion, the depth varies between 21 and 52. The rest of the columns show the percentage of coverage of the other criteria by the test suite generated for the given criterion. For example, the test covering the four global locations also covers 1421 configurations, which amounts to approximately 25% of the total number of configurations.

Perhaps the most interesting finding from the above experiments is that a relatively small number of tests suffices to cover all reachable configurations of the specification (in fact, we cover the states of the product automaton  $A_S^{\rm Tick}$ ). It is worth comparing this number to the number of tests generated with the "exhaustive up to given depth" option. As shown in Table 4, the size of exhaustive test suite grows too large even for relatively small depths. The table also shows the percentage of the above criteria covered by the exhaustive test suite. It can be seen that even though the number of tests is large, only a small percentage of coverage is achieved: for instance, 21% configuration coverage for 222 tests at depth 7.

Sometimes not only the number of tests but also their size is important. By looking at our test generation algorithm, where a test is obtained by completing a path, we can say that the

<sup>&</sup>lt;sup>19</sup>The forward and backward channels are modeled by lossy FIFO buffers. These buffers remain bounded because reception of messages are eager.



| Depth | Time | # of  | Coverage of other criteria |           |         |      |      |      |      |      |  |
|-------|------|-------|----------------------------|-----------|---------|------|------|------|------|------|--|
|       | (s)  | tests | Config.                    | Locations | Actions | m    | b    | c    | i    | j    |  |
| 1     | 2    | 2     | 1%                         | 75%       | 20%     | 100% | 100% | 100% | 25%  | 100% |  |
| 2     | 2    | 3     | 2%                         | 75%       | 40%     | 100% | 100% | 100% | 25%  | 100% |  |
| 3     | 2    | 5     | 5%                         | 75%       | 40%     | 100% | 100% | 100% | 50%  | 100% |  |
| 4     | 2    | 8     | 7%                         | 75%       | 40%     | 100% | 100% | 100% | 50%  | 100% |  |
| 5     | 5    | 18    | 12%                        | 75%       | 40%     | 100% | 100% | 100% | 75%  | 100% |  |
| 6     | 13   | 42    | 14%                        | 75%       | 40%     | 100% | 100% | 100% | 75%  | 100% |  |
| 7     | 79   | 222   | 21%                        | 75%       | 40%     | 100% | 100% | 100% | 100% | 100% |  |

Table 4 Exhaustive test suites for the BRP case study

size of a test is essentially its depth. As one can see from Table 3 the largest test depth is 52. This can be explained as follows. In our implementation we use the following heuristic to choose which configuration to cover next: we pick a configuration which is "far" from the initial one, that is, at a large depth. The expectation is to cover as many configurations as possible with every new test. Thus, this heuristic tends to favor the generation of fewer but "longer" tests. Obviously, a different approach is to favor "shorter" (but perhaps more) tests. This can be done by changing the heuristic to pick configurations which are "close" to the initial one.

A test generated by TTG for the configuration coverage option is shown in Fig. 30.

### 8 Conclusions and perspectives

We have proposed a testing framework for real-time systems based on partially-observable, non-deterministic timed-automata and a formal conformance relation called tioco. We have provided algorithms to generate analog-clock or digital-clock tests in an on-line or off-line fashion. We have shown how the number of generated tests can be reduced using coverage criteria. Finally, we reported on a prototype test-generation tool and two case-studies.

We believe that this work opens a number of interesting perspectives. First, we have only touched upon the problem of test execution. Building an actual test harness is particularly challenging in a real-time context, where timing accuracies are critical. Digital-clock tests are crucial in this respect, since they allow to formally define the assumptions on the accuracy of the tester's clocks and take it into account during test generation. We have studied some of the theoretical aspects of digital-clock tests, in particular, tick-robustness and its links to digitizability, but more study is needed, for instance, relating tick-robustness to other robustness notions for timed automata, such as Puri's [44].

The topic of coverage also deserves to be studied in more depth in a real-time context. Our notions of coverage mainly extend well-known notions developed for software. One could imagine alternative notions that exploit some knowledge of our domain, in particular with respect to timing constraints and their topology. Also notice that we are applying coverage at the specification level whereas usually in software it is applied for the system-under-test (when the latter is "white-box"). Methods to generate minimal test suites (without redundant tests) should also be examined.

Combining coverage with on-line test execution is another issue that seems to be little explored. The problem is related to choosing online tester outputs and output times. Many heuristics can be applied to resolve such choices, but an additional problem is how to manage





Fig. 30 A test generated by TTG for the BRP case study (the one ensuring the coverage of parameter i)

these choices across the execution of the entire test suite, using some appropriate book-keeping techniques.

Another perspective is to study other testing problems in a real-time setting, except the conformance testing problem. Classic testing problems include state identification problems [40]. Some preliminary work has been done in this direction but many problems remain open [37].



Another direction is to use the techniques developed in this paper for testing in other contexts, for instance, controller synthesis.

**Acknowledgements** We would like to thank Fabrice Chevalier and Patricia Bouyer for their comments on monitor generation. We are grateful to Marius Bozga for his help with the implementation of TTG on top of IF. We also express our gratitude to Mohamed Dergueche for his contributions to the implementation of TTG.

#### References

- 1. Alur R, Dill D (1994) A theory of timed automata. Theor Comput Sci 126:183–235
- Alur R, Fix L, Henzinger T (1994) A determinizable class of timed automata. In: CAV'94. LNCS, vol 818. Springer, Berlin
- Belinfante A, Feenstra J, de Vries RG, Tretmans J, Goga N, Feijs L, Mauw S, Heerink L (1999) Formal test automation: a simple experiment. In: 12th international workshop on testing of communicating systems. Kluwer, Dordrecht
- Bengtsson J, Yi W (2003) On clock difference constraints and termination in reachability analysis of timed automata. In: ICFEM'03. LNCS, vol 2885. Springer, Berlin
- Bensalem S, Bozga M, Krichen M, Tripakis S (2005) Testing conformance of real-time applications by automatic generation of observers. In: 4th international workshop on runtime verification (RV'04). ENTCS, vol 113. Elsevier, Amsterdam, pp 23–43
- Berard B, Petit A, Diekert V, Gastin P (1998) Characterization of the expressive power of silent transitions in timed automata. Fund Inform 36(2–3):145–182
- Berthomieu B, Menasche M (1983) An enumerative approach for analyzing time Petri nets. IFIP Congr Ser 9:41–46
- 8. Blom J, Hessel A, Jonsson B, Pettersson P (2004) Specifying and generating test cases using observer automata. In: Proceedings of formal approaches to software testing, pp 125–139
- Bornot S, Sifakis J, Tripakis S (1998) Modeling urgency in timed systems. In: Compositionality. LNCS, vol 1536. Springer, Berlin
- Bouyer P (2004) Forward analysis of updatable timed automata. Formal Methods in System Design 24(3):281–320
- Bouyer P, Chevalier F, D'Souza D (2005) Fault diagnosis using timed automata. In: FoSSaCS'05. LNCS, vol 3441. Springer, Berlin, pp 219–233
- 12. Bozga M, Fernandez JC, Ghirvu L, Graf S, Krimm JP, Mounier L (2000) IF: a validation environment for timed asynchronous systems. In: Proc CAV'00. LNCS, vol 1855. Springer, Berlin
- Bozga M, Graf S, Kerbrat A, Mounier L, Ober I, Vincent D (2000) SDL for real-time: what is missing? In: Proceedings of SAM'00: 2nd workshop on SDL and MSC, Grenoble, France, pp 108–122. IMAG, June 2000
- Braberman V, Felder M, Marre M (1997) Testing timing behavior of real-time software. In: International software quality week
- Brat G, Giannakopoulou D, Goldberg A, Havelund K, Lowry M, Pasareanu C, Venet A, Visser W (2003) Experimental evaluation of V&V tools on martian rover software. In: SEI software model checking workshop
- Brinksma E, Tretmans J (2001) Testing transition systems: an annotated bibliography. In: MOVEP 2000. LNCS, vol 2067. Springer, Berlin
- Briones L, Brinksma E (2004) A test generation framework for quiescent real-time systems. In: FATES'04. LNCS, vol 3395. Springer, Berlin
- Cardell-Oliver R (2002) Conformance test experiments for distributed real-time systems. In: ISSTA'02. ACM, New York
- 19. Chow TS (1978) Testing software design modeled by finite-state machines. IEEE Trans Softw Eng 4(1)
- Clarke D, Jéron T, Rusu V, Zinovieva E (2002) STG: a symbolic test generation tool. In: TACAS'02. LNCS, vol 2280. Springer, Berlin
- Clarke D, Lee I (1997) Automatic generation of tests for timing constraints from requirements. In: 3rd workshop on object-oriented real-time dependable systems (WORDS'97)
- 22. Daws C, Olivero A, Tripakis S, Yovine S (1996) The tool Kronos. In: Hybrid systems III, verification and control. LNCS, vol 1066. Springer, Berlin, pp 208–219
- Daws C, Tripakis S (1998) Model checking of real-time reachability properties using abstractions. In: Tools and algorithms for the construction and analysis of systems '98, Lisbon, Portugal. LNCS, vol 1384. Springer, Berlin



- Dill D (1989) Timing assumptions and verification of finite-state concurrent systems. In: Sifakis J (ed)
   Automatic verification methods for finite state systems. LNCS, vol 407. Springer, Berlin, pp 197–212
- En-Nouaary A, Dssouli R, Khendek F, Elqortobi A (1998) Timed test cases generation based on state characterization technique. In: RTSS'98. IEEE, New York
- Fernandez JC, Jard C, Jéron T, Viho G (1996) Using on-the-fly verification techniques for the generation of test suites. In: CAV'96. LNCS, vol 1102. Springer, Berlin
- Groote JF, van de Pol J (1996) A bounded retransmission protocol for large data packets. In: Algebraic methodology and software technology, pp 536–550
- Henzinger T, Manna Z, Pnueli A (1992) What good are digital clocks? In: ICALP'92. LNCS, vol 623. Springer, Berlin
- Hessel A, Larsen K, Nielsen B, Pettersson P, Skou A (2003) Time-optimal real-time test case generation using UPPAAL. In: FATES'03
- 30. Higashino T, Nakata A, Taniguchi K, Cavalli A (1999) Generating test cases for a timed I/O automaton model. In: IFIP international workshop on testing of Communicating Systems. Kluwer, Dordrecht
- 31. ISO/IEC (1992) Open systems interconnection conformance testing methodology and framework—part 1: general concept; part 2: abstract test suite specification; part 3: the tree and tabular combined notation (TTCN). Technical Report 9646, International Organization for Standardization—Information Processing Systems—Open Systems Interconnection, Genève
- 32. Jard C, Jéron T, Morel P (2000) Verification of test suites. In: TestCom 2000
- Khoumsi A, Jéron T, Marchand H (2003) Test cases generation for nondeterministic real-time systems. In: FATES'03
- Krichen M, Tripakis S (2004) Black-box conformance testing for real-time systems. In: 11th international spin workshop on model checking of software (SPIN'04). LNCS, vol 2989. Springer, Berlin
- Krichen M, Tripakis S (2004) Real-time testing with timed automata testers and coverage criteria. In: Formal techniques, modelling and analysis of timed and fault tolerant systems (FORMATS-FTRTFT'04). LNCS, vol 3253. Springer, Berlin
- Krichen M, Tripakis S (2005) An expressive and implementable formal framework for testing real-time systems. In: The 17th IFIP international conference on testing of communicating systems (TestCom'05). LNCS, vol 3502. Springer, Berlin
- Krichen M, Tripakis S (2005) State identification problems for timed automata. In: The 17th IFIP international conference on testing of communicating systems (TestCom'05). LNCS, vol 3502. Springer, Berlin
- 38. Larsen K, Mikucionis M, Nielsen B (2004) Online testing of real-time systems using uppaal. In: FATES'04. LNCS, vol 3395. Springer, Berlin
- Larsen K, Mikucionis M, Nielsen B, Skou A (2005) Testing real-time embedded software using UPPAAL-TRON: an industrial case study. In: 5th ACM international conference on embedded software. ACM, New York, pp 299–306
- Lee D, Yannakakis M (1996) Principles and methods of testing finite state machines—a survey. Proc IEEE 84:1090–1126
- 41. Myers GJ (1979) The art of software testing. Wiley, New York
- Nielsen B, Skou A (2001) Automated test generation from timed automata. In: TACAS'01. LNCS, vol 2031. Springer, Berlin
- Peleska J (2002) Formal methods for test automation—hard real-time testing of controllers for the airbus aircraft family. In: IDPT'02
- 44. Puri A (2000) Dynamical properties of timed automata. Discrete Event Dyn Syst 10(1-2):87-113
- 45. Sifakis J, Yovine S (1996) Compositional specification of timed systems. In: 13th Annual symposium on theoretical aspects of computer science, STACS'96. LNCS, vol 1046. Springer, Berlin
- 46. Springintveld J, Vaandrager F, D'Argenio P (2001) Testing timed automata. Theor Comput Sci 254
- Tretmans J (1999) Testing concurrent systems: a formal approach. In: CONCUR'99. LNCS, vol 1664. Springer, Berlin
- 48. Tretmans J (2002) Testing techniques. Lecture notes. University of Twente, The Netherlands
- Tripakis S (2002) Fault diagnosis for timed automata. In: Formal techniques in real time and fault tolerant systems (FTRTFT'02). LNCS, vol 2469. Springer, Berlin
- Tripakis S (2004) Folk theorems on the determinization and minimization of timed automata. In: Formal modeling and analysis of timed systems (FORMATS'03). LNCS, vol 2791. Springer, Berlin

