As part of UD's and CCNY's ongoing effort to generate conformance tests for the Army network protocol MIL-STD 188-220, a significant obstacle has been addressed: when multiple timers are running simultaneously, a test sequence may become unrealizable if there are conflicting conditions based on a protocol's timers. This problem, termed the conflicting timers problem, is handled in the hitherto generated tests by manually expanding a protocol's extended FSM based on the set of conflicting timers, resulting in test sequences that are far from minimum-length. Similar inconsistencies, but based on arbitrary linear variables, are present in the extended FSMs modeling VHDL specifications. This paper presents an efficient solution to the conflicting timers problem that eliminates the redundancies of manual state expansion. CCNY's inconsistency removal algorithms are applied to a new model for testing protocols with multiple timers, in which complex timing dependencies are captured by simple linear expressions. This test generation technique is expected to significantly shorten the test sequences without compromising their fault coverage.
INTRODUCTION
The on-going collaboration between the City College of the City University of New York (CCNY) and the University of Delaware (UD) [7] focuses on the generation of test cases automatically from Estelle specifications. Tests are being generated for the US Department of Defense (DoD)/Joint protocol-military standard developed in the US Army, Navy and Marine Corps systems for mobile combat network radios [7]. Within this effort, several theoretical problems have been investigated, including generation of test sequences uninterrupted by active timers [21], and the improvement of test coverage by using the semicontrollable interfaces [8].
This paper studies the problem of test case generation for network protocols with timers, where a test sequence may become unrealizable due to conflicting conditions based on a protocol's timers. This problem is termed the conflicting timers problem.
The research has been motivated by the ongoing effort to generate tests for MIL-STD 188-220. The protocol's Datalink Layer defines several timers that can run concurrently and affect the protocol's behavior. For example, BUSY and ACK timers may be running independently in FRAME BUFFERED state. If either timer is running, a buffered frame cannot be transmitted. If ACK timer expires while BUSY timer is not running, a buffered frame is retransmitted. If, however, ACK timer expires while BUSY timer is running, no output is generated.
In the test cases delivered to the US Army Communications-Electronics Command (CECOM), such conflicts are handled by manually expanding EFSMs based on the set of conflicting timers. This procedure results in test sequences that are far from minimum-length [7]. Similar conflicts, but based on arbitrary linear variables, are present in EFSM models of VHDL specifications [19]. Uyar and Duale present algorithms for detecting [19] and removing [20, 5] such inconsistencies in VHDL specifications. Current research at UD and CCNY focuses on adapting these algorithms to eliminate inconsistencies caused by a protocol's conflicting timers, with a view to applying the methodology to conformance test generation for MIL-STD 188-220. This paper presents a new model for real-time protocols with multiple timers. The new model captures complex timing dependencies by using simple linear expressions. This modeling technique, combined with CCNY's inconsistency removal algorithms, is expected to significantly shorten test sequences without compromising their fault coverage.
The proposed solution is expected to have a broader application due to a recent proliferation of protocols with real-time requirements [12, 15]. The functional errors in such protocols are usually caused by the unsatisfiability of time constraints and (possibly conflicting) conditions involving timers; therefore, significant research is required to develop efficient algorithms for test generation for such protocols. The results presented in this paper are expected to contribute towards achieving this goal.
PROBLEM DEFINITION
Suppose that a protocol specification defines a set of timers K = {tm 1 , . . . , tm |K| }, such that a timer tm j may be started and stopped by arbitrary transitions defined in the specification. Each timer tm j can be associated with a boolean variable T j whose value is true if tm j is running, and false if tm j is not running. Let φ be a time formula obtained from variables T 1 , . . . , T k by using logical operands ∧, ∨, and ¬. Suppose that a specification contains transitions with time conditions of a form "if φ" for some time formula φ. It is clear that there may exist infeasible paths in an FSM modeling a protocol, if two or more edges in a path have inconsistent conditions. For example, for transitions e 1 : if (T j ) then {ϕ 1 } and e 2 : if (¬T j ) then {ϕ 2 }, a path (e 1 , e 2 ) is inconsistent unless the action of ϕ 1 in e 1 sets T j to false (which happens when timer tm j expires in transition e 1 ). The solution to the above problem is expected to allow generating low-cost tests free of such conflicts.
The conflicting timers problem is a special case of the feasibility problem of test sequences, which is an open research problem for the general case [9, 18]. However, there are two simplifying features of the conflicting timers problem: (1) time variables are linear, and (2) time-keeping variable values implicitly increase with time. By considering these features, we expect to find an efficient solution to this special case.
General approach
The goal of the presented technique is to achieve at least the following fault coverage: cover every state transition at least once. During the testing of a system with multiple timers, when a node v p is visited, an efficient test sequence should either (1) traverse as many self-loops as possible before a timeout or (2) leave v p immediately through a nontimeout transition. Once the maximum allowable number of self-loops are traversed, a test sequence may leave v p through any outgoing transition. Such an approach does not perform a full reachability analysis; however, it can be easily proven that considering only the above two cases is sufficient to include at least one feasible path for each transition (if such a feasible path is not prohibited by the original specification).
In general, the goal of an optimization is to generate a low-cost test sequence that follows the above guidelines, satisfies time conditions of all composite edges and is not disrupted by timeout events during traversal (i.e., contains only feasible transitions). In Section 3, a model will be introduced that allows the generation of test sequences satisfying the above criteria.
Related work
Conformance test generation is an active research area [1, 3, 9, 11, 14, 17, 18]. The related work on testing systems with timing dependencies focuses on testing the so-called Timed Automata (TA) [2, 16], which are a formalism primarily used in system verification. However, there is relatively little work reported in the literature on successful application of timed automata to conformance testing. (Other FDTs, such as ET-LOTOS [13], can also be used to describe timed systems.)
Springintveld et al. [16] present the first published theoretical framework for testing timed automata. En-Nouaary et al. [6] introduce a method based on the state characterization technique using a timed extension of the Wp-method [9]. Higashino et al. [10] define several kinds of test sequence executability for real-time systems and present an algorithm for verifying if a test sequence is executable. Cardell-Oliver and Glover [4] propose a method based on the model of Timed Transition Systems (TTSs) [2].
A major goal of these methods is to limit the number of tests, which otherwise may become prohibitively large; hence, each technique offers a means to reduce the test suite size. The reader may consult the relevant papers [4, 6, 10, 16] for more details.
The new model presented in this paper offers several advantages over the TA-based modeling:
• it is tailor-made for testing purposes only, so it does not require a full reachability analysis;
• it allows more intuitive modeling of an IUT and testing procedure (each input/output exchange is assigned a certain time to realize; there are no instantaneous transitions as in TA);
• it makes it possible to define a timer length as a constant or variable rather than a fixed value as in TA, with which many properties such as service delivery, proper timeout settings, etc. can be modeled and tested.
NOVEL MODEL FOR TESTING SYSTEMS WITH TIMERS
A protocol can be modeled as a deterministic, completely specified FSM (Mealy) represented by a directed graph G(V, E) and a set of timers K = {tm 1 , . . . , tm |K| }. As part of this model, we also introduce a set of constants and the set of variables V =
as defined below. For each timer tm j , we introduce the following parameters:
• T j ∈ {0, 1}: boolean variable indicating if the timer is running. T j = 1 if tm j is running; T j = 0 otherwise
• D j ∈ R + : the timeout value (i.e., timer length) for tm j
• f j ∈ R + ∪ {0} ∪ {−∞}: time-keeping variable denoting the current time of
(It is expired or stopped). f j is set to 0 when tm j is started; it is set to −∞ when tm j is stopped or has expired. Let us define EX(T 1 , . . . , T |K| ) as the set of all boolean expressions on T 1 , . . . , T |K| . Let a time formula φ be defined as an element of EX.
A transition e i ∈ E is associated with the following parameters:
• c i ∈ R + : the time needed to traverse e i
• time condition φ i : e i can trigger only if its associated time formula φ i is satisfied; if no time formula is associated with e i , its time condition is defined as 1 . For example, if e i 's time condition involves φ i = T 1 ∧ ¬T 3 , the transition can trigger only if tm 1 is running and tm 3 is not running, regardless of the state of other timers
• action list {ϕ i,1 , ϕ i,2 , . . .}: each action ϕ i,k is an ordered pair (x ∈ V, update(x) ∈ EX(V, R, {+, −, * , /})), where update(x) belongs to the set of all linear expressions involving V, the set of real numbers R, and arithmetic operands. Expression update(x) is used to update x's value, e.g., the two actions of {T 1 = 1;

In the next three sections, the time-related behavior of the IUT will be modeled by defining proper time constraints and actions for various types of transitions defined in the specification.
Types of transitions
In general, the model distinguishes four types of transitions: before any timer expires, e p,l (Type 3) will be traversed; otherwise, e j p,l (Type 4) will be traversed with tm j expiring before all self-loops of N s p,l can be tested.
Conditions
A number of timing constraints must be appended to the time conditions for all transitions, as defined below.
For each timeout transition e j i (v p , v q ) (Type 1), the following condition holds for each timer tm k with k ≠ j: 'exit' condition for timeouts in v p true AND timer tm j running AND (timer tm k not running OR tm j expires before tm k ), which is formalized as:
For each non-timeout non-self-loop e i (v p , v q ) (Type 2), the following condition holds for each timer tm k : 'exit' condition for v p true AND (timer tm k not running OR there is time left to tm k 's timeout). Formally, this condition is:
For each merged self-loop transition e p,l (Type 3), the following condition holds for each timer tm k : there are untested self-loops in N s p,l AND (timer tm k not running OR all untested self-loops of N s p,l can be tested before tm k expires). For each e p,l , all self-loops N s p,l can be tested by traversing e p,l . This condition can be formalized as:
For each merged self-loop transition e j p,l (Type 4), the following condition holds for each timer tm k with k ≠ j: there are untested self-loops in N s p,l AND (timer tm j running AND there is enough time left before tm j expires to test at least one but not all untested self-loops in N s p,l ) AND (timer tm k not running OR tm j expires before tm k ). In other words, only some of the self-loops of N s p,l can be tested by traversing e j p,l . Formally, this condition is:
Actions
A number of actions must be appended to the action lists for all transitions, as defined below.
For each timeout transition e j i (v p , v q ) (Type 1), for each k ≠ j:
• set variable T j to 0 indicating timer expiry: T j = 0
• increment tm k 's current time by the sum of e i 's traversal time and the amount of time left until tm j 's timeout:
is not a linear action, to utilize any test generation technique that allows only linear actions (as in [20] ), e j i should be split into e j i,1 and e j i,2 as follows:
The above concept is illustrated in Figure 1 . Timer tm j is started at time f j = 0. After f j reaches a value of f 0 j , the two feasible transitions are e 1 and e 2 . Consider the case where e 1 triggers and f j is advanced to a value of f 1 j = f 0 j + c 1 < D j . In this case, tm j 's timeout corresponds to traversing e j i,2 , which advances all timers by c i + D j − f 1 j . In the case where e 2 triggers, f j is advanced to a value of f 2 j = f 0 j + c 2 > D j , with tm j 's timeout modeled by e j i,1 . All timers will be advanced by e In addition, a non-self-loop e j i should set the 'exit' condition for its end state v q to 1 by the appended action of {L q = 1}.
For each non-timeout non-self-loop e i (v p , v q ) (Type 2):
• set the 'exit' condition for e i 's end state v q to true: L q = 1
• for each k, increment tm k 's current time by e i 's traversal time:
For each merged self-loop transition e p,l (Type 3):
• set the 'exit' condition for state v p to false: L p = 0
• for each k, increment tm k 's current time by the time needed to traverse all untested self-loops in N s p,l :
• set the number of untested self-loops in N s p,l to 0: t s p,l = 0

If no self-loops can be traversed (i.e., there are no untested self-loops of v p whose time condition is satisfied), L p should be set to 2 (from either 0 or 1), enabling timeouts and all outgoing transitions in v p . In this case, L p will be set to 2 by a so-called observer self-loop transition s p , with the following condition:
and an action {L p = 2}. Condition (1) is satisfied when all self-loops of v p whose time condition is satisfied are tested (if there are no self-loops defined for v p , the condition is trivially true).

For each merged self-loop transition e j p,l (Type 4):
• set the 'exit' condition for state v p to true: L p = 2
• for each k, increment tm k 's current time by the time needed to traverse all of the untested self-loops in N s p,l that can be tested before tm j expires:
• decrement the number of untested self-loops accordingly: 
Condition (1) results in 2^Mp parallel edges due to the presence of M p "OR" statements. Clearly, the technique does not scale well. To prevent the exponential growth of the number of parallel edges, s p will be replaced with the set of vertices and edges as depicted in Figure 2. The appended conditions and actions of the edges in Figure 2 are derived from (1) as follows:
Condition (1) 

MODEL REFINEMENT
To employ this idea, the following steps are taken. Let us first note that Z p,l , the number of self-loops of N p,l that can be traversed in any Type 4 transition, is upper bounded by the cardinality of N s p,l and the maximum number of self-loop traversals allowed by timers, as defined in (4). The maximum number of self-loop traversals at any time during the execution of a test sequence is therefore obtained by (4) .
Having computed the value of Z, we define additional variables D, c s , z, and r, and extend graph G(V, E) with two vertices u 1 and u 2 , as depicted in Figure 3 . Next, each e Finally, M p edges ofê p,l (u 2 , v p ) are added from u 2 to each v p with Type 4 edges, with the condition of r == p.l , which allows a test sequence that left v p throughê j p,l to return to the same v p , and decrement the proper t s p,l . The linear actions ofê p,l replace the nonlinear actions of e j p,l as follows:
• set 'exit' condition for v p to true: L p = 2
• for each k, increment tm k 's current time by the time needed to traverse all of the untested self-loops in N s p,l that can be tested before timeout:
• decrement the number of untested self-loops accordingly: t s p,l = t s p,l −z
Delaying start of timers
Every transition e i has the appended conditions and actions as defined in Section 3. In addition, if e i stops timer tm j , the actions of {T j = 0; f j = −∞} must be appended to e i 's action list. If e i starts timer tm j , the two actions of {T j = 1; f j = 0} must be appended to e i 's action list.
To have good test coverage, a test sequence should traverse all feasible transitions of an IUT. Some edges in the IUT graph are reachable only if a transition (or transitions) that starts a timer is delayed in the test sequence by a certain amount of time. Delaying such transitions allows us to explore various orderings of timers' expirations by causing certain timers to expire before others. Suppose that e i = (v p , v q ) starts timer tm j . Before e i is traversed, one of the timers, say tm a , is to expire first. Let d m i be the amount of time by which e i is delayed in this case. It is clear that if e i is to be traversed instead of tm a 's timeout, d m i must be less than D a − f a (Figure 4(b)). In the case where none of the timers are running before traversing e i (Figure 4(a)), d m i may be set to 0 because time passage does not affect system behavior if all timers are inactive.
Based on the above observations, each e i will be replaced by two sets of transitions. The first one, which handles the case with d m i set to 0 where all timers are inactive before traversing e i , contains transition e 0 i . In addition to e i 's appended conditions and actions as defined in Section 3, transition e 0 i has the following appended condition for each timer tm k : timer tm k not running. Formally, this condition is T k == 0 .
The second set, which handles the case where d m i is upper bounded by a running timer tm a with the shortest time to expire, contains transitions e a i , defined for each a : 1 ≤ a < |K|. In addition to e i 's appended conditions and actions as defined in Section 3, the transitions e a i have the following appended condition that holds for each timer tm k with k ≠ a: timer tm a running AND timer tm a is to expire before tm k . This condition can be formalized as follows:
Each e a i also has the following appended action: • for each k, increment tm k 's current time by the introduced delay: 
APPLICATION TO EXAMPLE FSM
The FSM in Figure 5 consists of three states v 0 (the initial state), v 1 , and v 2 , and eight transitions e 1 through e 8 . Transition e 3 takes 3sec and the remaining transitions each take 1sec to traverse. There are two timers defined for the FSM: tm 1 (started by e 2 ) with the length of D 1 = 5.5 and the timeout transition e 8 , and tm 2 (started by e 4 and stopped by e 2 ) with the length of D 2 = 3.7 and the timeout transition e 7 . Transition e 1 is associated with a time condition T 1 == 0 ∧ T 2 == 1 , transitions e 5 and e 6 are associated with a time condition T 1 == 1 ∧ T 2 == 1 , and, for simplicity, the remaining transitions have the time condition of 1 .
State v t is introduced as the system initialization state, where a test sequence originates and terminates. A test sequence would start in state v t with edge e on : 1 {T 1 = 0; T 2 = 0; f 1 = −∞; f 2 = −∞; t 0,1 = 1; t 1,1 = 1; t 2,1 = 2; L 0 = 1}, which initializes all timers and the variables of t p,l . A test sequence would terminate when, after arriving at v 0 , edge e off : T 1 == 0 ∧ T 2 == 0 {} is traversed, bringing the IUT back to state v t . The time condition of e off ensures that all timers are inactive when the test sequence is terminated. Note that, unlike the regular states v 0 through v |V | , v t is not split by the inconsistencies removal algorithm: the final inconsistency-free graph contains only one copy of v t .
One can give examples of invalid test sequences for the FSM of Figure 5 . A test sequence beginning with (e on , e 1 , e 2 , . . .) does not satisfy the time condition for e 1 : T 1 == 0 ∧ T 2 == 1 , since after traversing e on (initial power-up), neither timer is running. Similarly, any test sequence containing (. . . , e 4 , e 7 , e 5 , . . .) is invalid, because e 5 's time condition requires that both timers be running, which does not hold after tm 2 expires in e 7 .
Let us first consider transitions of Type 1 (e 7 , e 8 ). Transition e 7 has the following appended conditions and actions (the conditions and actions for e 8 are analogous):
For transitions of Type 2 (e 2 , e 4 ), the appended conditions and actions are as follows:
Vertex v 2 has two merged self-loops in N s 2,1 = {e 5 , e 6 }. Therefore, transitions of both Type 3 (e 2,1 ) and Type 4 (e 1 2,1 , e 2 2,1 ) are defined in v 2 . The value of Z is obtained from (4) as Z = Z 2,1 = min (1, max(3, 5) 
replacing e 2 2,1 are {r = 2.1; c s = 1; D = 3.7 − f 2 }. In this example, the above augmentation is unnecessary-the value of z = 1 implies that, in any Type 4 edge defined for v 2 , 5.5 − f 1 = 1 and 3.7 − f 2 = 1. Therefore, the appended conditions and actions are as follows:
Since only a single self-loop is defined in vertices v 0 and v 1 , both vertices will have merged self-loop transitions of Type 3 only. For v 0 and v 1 , merged self-loop transitions e 0,1 and e 1,1 are defined for the sets of N s 0,1 = {e 1 } and N s 1,1 = {e 3 }, respectively, with the appended conditions and actions derived as for e 2,1 .
Consider the test sequence shown in Table 1 for the FSM in Figure 5 . The table also shows the values of timer-related variables of the model, which change as the test sequence is being executed and the time is progressing.
Let us now trace the execution of the test sequence. After system initialization by transition e on , transition e 2 starts timer tm 1 . After arriving at state v 1 , there are 5.5sec left until tm 1 's timeout; so, transition e 1,1 can be tested, which takes 3sec. After leaving v 1 , tm 1 has 2.5sec left until timeout. In transition e 4 , timer tm 2 is started and the time-keeping variable for tm 1 reaches f 1 = 4. After the test sequence arrives at state v 2 , tm 1 and tm 2 have 1.5sec and 3.7sec left until timeout, respectively; tm 1 will therefore expire first. There is not enough time to traverse e 2,1 (i.e., to test both e 5 and e 6 ); therefore, e 1 2,1 is traversed (e 5 is tested). In fact, traversing e 1 2,1 is equivalent to traversing a sequence of edges (ê 1 2,1 , h 1 ,ê 2 ), which contain only linear actions. This step leaves 0.5sec and 2.7sec until timeouts for tm 1 and tm 2 , respectively. After tm 1 expires, the time-keeping variable for tm 2 is advanced to f 2 = 2.5, which gives enough time (1.2 sec) to traverse e 0,1 . Traversing e 0,1 is equivalent to testing e 1 with the time condition of T 1 == 0 ∧ T 2 == 1 . Since at this point tm 1 has expired and tm 2 is running, e 1 's time condition is satisfied and the transition is tested.

Table 1. Valid test sequence for the FSM of Figure 5.
Afterwards, e 2 and e 4 are traversed consecutively without spending time on already tested e 3 . The test sequence arrives again at state v 2 , with 4.5sec and 3.7sec left until timeouts for tm 1 and tm 2 , respectively. Now tm 2 is to expire first, leaving sufficient time to traverse e 2,1 (test e 6 ). Then, tm 2 expires and the time-keeping variable for tm 1 is advanced to f 1 = 5.7, exceeding tm 1 's length by 0.2. Therefore, e 8 is traversed immediately, since tm 1 expired while e 7 was being traversed. Now the IUT is back in its initial state v 0 with both timers inactive and all transitions tested, so the test sequence returns to the system initialization state v t through transition e off .
The test sequence shown in Table 1 satisfies all timing constraints imposed by the two timers tm 1 and tm 2 . In addition, the time conditions for all transitions in the FSM are satisfied at any time during the test sequence traversal. Section 6 presents an algorithmic technique to obtain low-cost test sequences satisfying the above criteria.
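The trace narrated above can be replayed mechanically. The following Python sketch is an added example, not code from the paper or from the CCNY tool: it replays an edge sequence against the variables T j , f j , D j and costs c i of the example FSM and stops at the first violated condition. The strict inequalities, the zero cost of e on and e off , and the rule that an already overshot timer adds no extra waiting time are assumptions of this example, read from the prose conditions.

```python
from fractions import Fraction as F

# Timer lengths D_j of the example FSM, in seconds (from the text).
D = {1: F("5.5"), 2: F("3.7")}

def edge(c, cond=None, loop=False, starts=(), stops=(), timeout=None):
    """One transition: cost c_i, time condition, timer actions."""
    return dict(c=F(c), cond=cond or {}, loop=loop,
                starts=starts, stops=stops, timeout=timeout)

# cond maps timer j to the required T_j; unlisted timers are "don't care".
EDGES = {
    "e_on":  edge(0),                              # cost 0 is an assumption
    "e_off": edge(0, cond={1: False, 2: False}),   # cost 0 is an assumption
    "e1": edge(1, cond={1: False, 2: True}, loop=True),
    "e2": edge(1, starts=(1,), stops=(2,)),
    "e3": edge(3, loop=True),
    "e4": edge(1, starts=(2,)),
    "e5": edge(1, cond={1: True, 2: True}, loop=True),
    "e6": edge(1, cond={1: True, 2: True}, loop=True),
    "e7": edge(1, timeout=2),                      # timeout of tm_2
    "e8": edge(1, timeout=1),                      # timeout of tm_1
}

# The edge sequence narrated in the text, from e_on to e_off.
TRACED = ["e_on", "e2", "e3", "e4", "e5", "e8", "e1",
          "e2", "e4", "e6", "e7", "e8", "e_off"]

def replay(seq):
    """Return (feasible, reason, trace); trace holds f_j after each edge."""
    f = {j: None for j in D}      # None models f_j = -inf, i.e. T_j == 0
    trace = []
    for name in seq:
        e = EDGES[name]
        running = {j for j in f if f[j] is not None}
        # Time condition phi_i on the boolean variables T_j.
        for j, want in e["cond"].items():
            if (j in running) != want:
                return False, f"{name}: needs T{j} == {int(want)}", trace
        j = e["timeout"]
        if j is not None:
            # Type 1: tm_j must run and must expire before any other timer.
            if j not in running:
                return False, f"{name}: tm{j} is not running", trace
            left = D[j] - f[j]
            if any(D[k] - f[k] <= left for k in running - {j}):
                return False, f"{name}: another timer expires before tm{j}", trace
            dt = e["c"] + max(left, F(0))   # wait for expiry, then traverse
        else:
            dt = e["c"]
            for k in sorted(running):
                # Self-loops must finish before tm_k expires; other edges
                # only need some time left (assumed strict inequalities).
                fits = f[k] + dt < D[k] if e["loop"] else f[k] < D[k]
                if not fits:
                    return False, f"{name}: tm{k} times out first", trace
        for k in running:
            f[k] += dt                       # advance every running timer
        if j is not None:
            f[j] = None                      # expiry: T_j = 0, f_j = -inf
        for k in e["stops"]:
            f[k] = None
        for k in e["starts"]:
            f[k] = F(0)
        trace.append((name, dict(f)))
    return True, "feasible", trace

if __name__ == "__main__":
    ok, reason, trace = replay(TRACED)
    print(ok, reason)
    for name, f in trace:
        print(name, {j: (None if v is None else float(v)) for j, v in f.items()})
```

Replaying the two invalid prefixes given earlier in this section, (e on , e 1 , e 2 ) and (e on , e 2 , e 4 , e 7 , e 5 ), returns the violated time condition instead of a trace.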
INCONSISTENCIES REMOVAL
The interdependence among the variables used in the actions and conditions of an EFSM, or an FSM with time variables, may cause various inconsistencies among the actions and conditions of the model. For example, in Figure 5 , the actions of e 7 set T 2 to 0. Since the time condition of e 5 requires that T 2 == 1 , e 7 's action causes inconsistency with e 5 's condition. Similarly, a test sequence that includes both e 1 and e 5 contains condition inconsistency-e 1 requires that T 1 == 0 and e 5 that T 1 == 1 . Both test sequences are therefore infeasible.
Feasible test sequences can be generated from the EFSM models if the inconsistencies are eliminated. The algorithms by Uyar and Duale [19, 20, 5] eliminate inconsistencies from an EFSM in two phases. First, action inconsistencies are detected and eliminated. Next, the algorithms proceed with the detection and elimination of condition inconsistencies by employing linear programming techniques.
In these algorithms, both edge actions and conditions are represented by sets of matrices to analyze their interdependence. In addition, the actions and conditions accumulated along the paths in the graph are represented by sets of Action Update Matrix (AUM) pairs and Accumulated Condition Matrix (ACM) triplets [5] , respectively. While traversing the EFSM graph in a modified breadth-first (MBF) and a depth-first (DF) manner, inconsistencies are eliminated by splitting the nodes and edges of the EFSM graph. During this split, unnecessary growth of the number of states and transitions is avoided. Only the edges with feasible conditions and the nodes that can be reached from the initial node are selected from the split nodes and edges to be included in the resulting FSM. (See paper [5] in these proceedings for a detailed presentation of the inconsistencies removal algorithms.)
In the methodology presented in this paper, the inconsistency removal algorithms are adapted for handling the conflicts caused by multiple timers, and are incorporated in the proposed technique as follows:
Step 1-Graph augmentation: Augment an original graph with vertex v t , edges of e on and e off , and a number of observer edges as described in Section 3 (see Figure 6 for an example). Mark and queue vertex v 0 as v 0.0 .
Step 2-Inconsistencies removal: Unqueue vertex v 0.k (copy of the initial state v 0 ). Apply VHDL inconsistencies removal algorithms in MBF and DF manners starting from v 0.k until v 0.k is reached again through a set of edges denoted by E 0.k (the set of incoming edges of v 0.k ).
Step 3-Initial state splitting: Split vertex v 0.k into a set of vertices V 0.k ∪ {v 0.k }; V 0.k 's cardinality is equal to the number of distinct AUMs associated with edges in E 0.k (note: v 0.k may belong to V 0.k ). The set of V 0.k is further divided into V inc 0.k , which contains vertices associated with AUMs corresponding to all timers inactive, and V act 0.k , containing the remaining vertices in V 0.k . The set of edges E 0.k is divided accordingly into E inc 0.k and E act 0.k . Edge e on , whose traversal is mandatory in the test sequence, is incoming only to vertex v 0 ; an edge e off is outgoing from each vertex in V inc 0.k . All copies of e off are optional to traverse-they will be included in the test sequence only when necessary.
Step 4-Redundant paths pruning: Remove from the graph edges in E inc 0.k using the following two-phase heuristic procedure. First, any edge e i ∈ E inc 0.k is deleted if ∃ e j ∈ E inc 0.k such that:
• AU M j includes AU M i . Since all timers are inactive in V inc 0.k , a sufficient condition for AU M j to include AU M i is as follows:
p,l . This means that AU M j allows testing more self-loops than AU M i .
• All edges in the paths from v 0.k to vertices in V inc 0.k associated with AU M i have their copies in the paths from v 0.k to vertices in V inc 0.k associated with AU M j . Second, any edge e i ∈ E inc 0.k is deleted if neither of the following conditions is true:
• A new edge can be traversed by keeping e i in the graph, i.e., the paths from v 0.k to vertices in V inc 0.k associated with AU M i should contain at least one edge that has not been traversed before v 0.k was unqueued.
• Some untested self-loops can be traversed by keeping e i in the graph, i.e., (
Step 5-Queueing and marking copies of the initial state: Queue all unmarked vertices in V act 0.k and unmarked vertices in V inc 0.k with at least one undeleted edge in E inc 0.k . Mark queued vertices. If the queue is empty, terminate the algorithm; otherwise, go back to Step 2.

Typically, a test sequence is divided into a number of subtours: subsequences of a full test sequence that start and stop in v 0 . Each subtour may or may not be preceded by a system power-down/power-up; therefore, when an IUT starts executing, not only should it be brought to state v 0 , in addition, all timers must be inactive. To ensure this behavior, each v 0 's copy corresponding to an AUM with all timers inactive (i.e., any vertex in V inc 0.k ) may be considered the start state of a subtour.

Let us now apply the above algorithm to the FSM of Figure 5 from Section 5. In the first step, the FSM is augmented with the auxiliary edges of e on and e off , and a number of observer edges as shown in Figure 6. The conditions and actions of the observer edges are defined based on (2) through (3) as follows:

An application of the algorithm described in this section to the graph of Figure 6 produces the final graph shown in Figure 7. A minimum-cost test sequence, given by (5)-(7), can be derived as a solution to the Rural Chinese Postman Problem [1] on this final graph. The test sequence of (5)-(7) consists of three subtours containing the edges defined in the original graph (Figure 5) and the auxiliary edges of e on and e off ; the observer edges are dropped. All edges defined in the graph of Figure 5 are included without the explicit delaying of timers tm 1 and tm 2 ; therefore, the technique presented in Section 4 need not be applied in this case. Note that the test sequence of Table 1, which was derived manually, corresponds to Subtour 1 of (5).
CONCLUSION
As a recent result of on-going collaboration between UD and CCNY, this paper presents the study of conformance test generation when multiple timers are running simultaneously. CCNY's inconsistency removal algorithms are applied to a new model for real-time protocols with multiple timers. As introduced in this paper, the new model captures complex timing dependencies by using simple linear expressions. This modeling technique, combined with the inconsistency removal algorithms, is expected to significantly shorten the test sequences without compromising their fault coverage. Currently, a software tool applying inconsistency removal algorithms to EFSM models is being implemented at CCNY. A successful completion of this software project will enable the application of the presented methodology to MIL-STD 188-220.

The methodology presented in this paper is expected to detect transfer and output faults, where an IUT moves into a wrong state (a state other than the one specified) or generates a wrong output (an output other than the one specified) to a given input. As future work, fault detection issues will be pursued further. In particular, a fault model taking into account specific faults caused by the violation of timing constraints and time conditions should be considered. Computing the fault coverage of the presented methodology also needs to be investigated.
