The PARAGON toolset provides an environment for the modular and hierarchical design of resource-bound, real-time systems. It offers well-integrated graphical and textual specification languages with formal semantics. Both languages are based on the Algebra of Communicating Shared Resources (ACSR), a process algebra with explicit notions of time, resources and priority. The integration of the three notions widens the applicability of the PARAGON formalisms to embedded systems, control systems, and faulttolerant systems where run-time resource requirements must be considered during the design phase. To facilitate the design of complex systems, PARAGON allows a designer to describe a system incrementally through refinement steps that preserve system properties. To increase dependentability of system models, PARAGON offers three types of analysis: automated verification of system requirements, interactive simulation, and testing. In this paper, we demonstrate the design methodology that PARAGON offers through examples.
I. INTRODUCTION
There has been significant progress in the development of formal methods for the design of real-time systems in an effort towards increasing reliability in these systems. Formal approaches to the specification and analysis of real-time systems take many forms, including state machines? logics, and process algebras. We focus here on the algebraic paradigm, which involves the description of processes using an algebraic language and the derivation of their correctness proofs through equivalence checking? testing, and state space exploration. The algebra we use is the Algebra of Communicating Shared Resources (ACSR) [5] .
ACSR is a timed process algebra that facilitates description of concurrent real-time systems with finite supplies of serially reusable resources. Most current real-time process algebras adequately capture delays due to process synchronization, e.g., timed extensions of the classic untimed process algebras CSP and CCS [l] , [ll] , [16] , [23] , [24] , [29] .
These process algebras, however, abstract out resource-specific details. In contrast, the computation model of ACSR is based on the view that a real-time system consists of a set of communicating processes that compete for shared resources. The use of shared resources is modeled by timed actions whose executions are subject to the availability of resources. Contention for resources is arbitrated according to the priorities of competing actions. To ensure the uniform progression of time, processes execute timed actions synchronously.
In addition to timed actions, ACSR supports instantaneous actions, called events, that do not consume any resource. Processes execute events asynchronously except when two processes synchronize through matching events. When multiple events are possible their relative importance can be prioritized.
The novelty of ACSR relative to existing real-time formalisms is its representation of resources and priority. Without an explicit notion of resources, the specification of resource-bound systems requires that some artificial means be used to model resource requirements, such as defining processes to represent resources. Models that lack explicit priorities require that a process be created for the sole purpose of arbitrating priorities and implementing preemption. Providing explicit notions of resources and priority within ACSR results in specifications that are closer analogues of the systems they model and that are easier to modify to reflect different resource allocations and scheduling disciplines.
The algebraic nature of the ACSR formalism makes it attractive in several ways. One is that the various operators allow it to support common software design methodologies such as modular and hierarchical description of a large-scale system. A second attraction is that both design (i.e. detailed) and requirements (i.e. abstract) specifications are described in the same language. Another attractive aspect is that the behavioral equivalence relation of ACSR is a congruence. This facilitates modular and hierarchical analysis of large-scale systems because it is possible to verify the whole system by reasoning about its parts. Yet another attractive aspect is that automated and semi-automated formal analysis techniques such as equivalence checking, testing, and simulation can be applied within the ACSR paradigm.
While the virtues of formal approaches to specification and analysis of software systems are well-known, it is equally well-known that 1) their textual, mathematical notation often produces obtuse descriptions, and this has impeded their application within industrial settings, and 2) their manual application to realistic problems is time consuming and error prone. As a result, many formalisms have adopted graphical notation [15] , [17] , [27] and are supported by automated tools [9] , [lo] , [12] , [all, [as] , [26] that perform tasks such as syntax checking, semantic equivalences (e.g., CWB [9] for CCS) or pre-orders checking (e.g., FDR [la] for CSP), model checking (e.g., MT [lo] for Modecharts and the TTM/RTTL verifier [25] ), and interactive execution.
To avoid the mathematicalnotation and facilitate the use of ACSR by practitioners that are not necessarily experts in process algebras, we have developed the Graphical Communicating Shared Resources (GCSR) [4] language. The graphical syntax of GCSR has been carefully defined so that it produces modular, hierarchical and thus scalable specifications. In addition, the semantics of GCSR and ACSR are tightly connected, which allows a designer to combine graphical and textual notations, for example to describe the high level structure of a system graphically and fill in the details textually. Furthermore, to facilitate the design within the ACSR paradigm, we have developed a toolset, called PARAGON, that assists in the graphical and textual description of real-time system models and that supports verification based on automated equivalence checking, syntactic transformations that preserve behavioral equivalence, testing and interact ive execution. The ACSR paradigm is based on the view that a real-time system consists of a set of communicating processes that execute on a finite set of serially reusable resources and synchronize with one another through communication channels. The use of shared resources is represented by time and resource consuming actions, and synchronization is supported by instantaneous events.
An action consists of a possibly empty set of pairs ( r , p ) where r is the resource name and p is its priority, with the restriction that each resource is represented in the set at most once. The action 8 represents the idling action since no resources are used. The execution of an action is assumed to take nonzero time units with respect to a global clock, and to consume a set of resources during that time. The execution of an action is subject to the availability of the resources that it uses. Contention for resources is arbitrated according to the priorities of competing actions; priorities are static, i.e., fixed and are drawn from the set of natural numbers. To ensure uniform progress of time, processes execute act ions synchronously.
An event in ACSR consists of a pair ( e , p ) where e is a label and p is its priority. The special event label T represents synchronization of two events with complementary event labels e and E. Unlike an action, the execution of an event is instantaneous and never consumes any resource. Processes execute events asynchronously except when two processes synchronize through matching event labels.
Let P range over the domain of terms, A range over the domain of actions, e range over the domain of event labels or T , b range over the domain of event labels, F range over the set of event labels, I range over the set of resource names, and let C range over the domain of process names. The syntax of ACSR is defined by the following grammar:
The semantics of an ACSR process is defined in terms of a labeled transition system together with a notion of prioritized transition represented by a preemption relation.
We informally describe the ACSR semantics next; for a detailed description, please refer to [19] .
NIL is a process that executes no action, i.e., it is initially deadlocked. There are two prefix operators that correspond to the two types of actions. The first, At : P , executes a timed, resource-consuming action A for t E N + time units (i.e. t is a positive integer) and proceeds to the process P . The second prefix operator, ( e , p The second is based on weak bisimulation, x,, which ensures that equivalent processes match each other's transitions that are labeled with actions and non-7 events but allows one process to make transitions on T that an equivalent process does not match.
B. GCSR
One motivation for the development of Graphical Communicating Shared Resources (GCSR) is that, like other textual formalisms, the syntax of ACSR produces obtuse specifications that are hard to understand even in the case of simple examples.
In addition, the development of GCSR ad- [27] .
The semantics of GCSR can be defined either directly as a labeled transition system or through a translation to ACSR. As shown in [4], the second way of defining the semantics of GCSR allows a designer to interchangeably use the graphical and textual notations; for example, to specify the highlevel view of a system graphically and fill the details of components textually. In addition, it allows a designer to use the notions of equivalence of ACSR to verify the correctness of a GCSR specification, as we will see shortly. Equivalence checking also distinguishes GCSR from other graphical languages for real-time systems. We next briefly describe the syntax of GCSR and its semantics through a correspondence to ACSR.
Syntax. Graphically, a GCSR process is represented by a finite set of nodes that are connected with directed edges. Figure 1 shows the graphical symbols for the five types of GCSR nodes. The Resource attribute of a time-consuming node is a set of (resource, priority) pairs, with the restriction that each resource is listed once; this enforces the notion of non-shared resource usage. The Name attribute of a reference node refers to and Close attributes of a compound node are sets of event names and resource names, respect ively.
The motivation for various node symbols in GCSR is a succinct and scalable representation of the different system activities and components. The instantaneous node requires that no delay is allowed before the next activity. In contrast , the time-consuming node describes a time and resource consuming activity. Note that the explicit specification of the required resources by a system activity makes it easy to modify any resource requirement to reflect different resource allocation and scheduling disciplines.
The nil node describes a halting process, i.e., end of system execution. The reference node allows the decomposition of a large specification into subspecifications which eases the visual structuring of such a specification. On the other hand, the compound node visually distinguishes a system action from a system component. It is essential in supporting scalable and modular specifications since it allows a designer to 1) group GCSR processes into a higher level entity, 2) connect several GCSR processes that are executed sequentially, and 3) reflect the fact that system components execute in parallel. In addition to the structural modularity, compound nodes also provide for semantic modularity by encapsulating dependencies through their Restrict and Close attributes. The Restrict attribute identifies a set of events that are visible only among the GCSR processes inside the node; the Close attribute identifies a set of resources that are reserved for the nested GCSR processes, even if their actions do not explicitly request them.
Normal edges
The circle node is any node. unlabeled edge (event-name, priority) event-labeled edge time-labeled edge w
Exception edges
The source node is any box node We call unlabeled, event-labeled, and timelabeled edges normal edges. The distinct symbols for a normal edge and an exception edge are motivated by the desire to support a structured, hierarchical specification in which edges do not cross node boundaries and to graphically distinguish two types of control flow: one that is externally controlled by an interacting process and one that is triggered internally through voluntary release of control by raising an exception. The first type of control flow is described by a normal edge and the second by an exception edge. Control moves to the destination node of an exception edge when the process of the source node executes an exception event that labels the ex-? ception edge. The transfer of control through an exception edge allows synchronization between a process inside a compound node with 4 an outside node and thus emulates a transition between nodes at different levels of nest-1 ing.
5
In [4] we define a set of simple syntactic rules for a well-formed GCSR process. These rules basically disallow 1) an edge to cross a node boundary, 2) an edge to connect nodes in parallel components inside a compound node, 3) a node to have multiple time-labeled outgoing edges, and 4) an instantaneous node to have a time-labeled outgoing edge.
GCSR-ACSR Correspondence. Figure where the translation function is denoted as T.
The translation starts from the initial node of a GCSR process and recursively traverses all reachable nodes.
Step 1 binds the translation of an initial node to the ACSR process variable name C and returns the ACSR process variable C ; this step is done for each initial GCSR node. In step 2, the nil node is translated to the NIL ACSR process. In step 3, an instantaneous node is translated to an ACSR Choice process; each ACSR subprocess in the Choice process corresponds either to the translation of the target node of an unlabeled edge out of the instantaneous node, or to an event-prefix ACSR process where the event is the label of an edge out of the instantaneous node and the next process in the event-prefix process is the translation of the target node of the edge. Note that in this translation the event syntax must be converted from GCSR to ACSR, i.e., ( u ! , p ) and (u?,p) are converted to ( E , p ) and ( u ? , p ) , respectively. In step 4, a time-consuming node is translated to an action-prefix ACSR process where the duration of the action is the label of the time-labeled edge out of the timeconsuming node. In step 5, the translation of the box node produces a Scope ACSR process P A; (PI, P2, P3) where the main process P is the translation of the box node without its outgoing edges.
Note that due to space limitations, Figure 3 abstracts out several details such as how loops are handled, and equivalence preserving optimizations applied when some edges are missing in a GCSR specification. The reverse translation, from ACSR to GCSR, is also possible.
C. Example: Aircraft Landing Gear
The landing gear system is a case study of the Swedish JAS 39 Gripen defense and fighter aircraft [as] . In [28] , the authors used an automaton-based language to model the system and prove that their model ensures one safety property: the door and landing gear do not collide while in motion. In this section, we illustrate how to model the aircraft landing gear system using the GCSR and ACSR formalisms. In subsequent sections, we will analyze our model for the above safety requirement and additional timeliness requirements. The physical system, i.e. plant consists of a door and a landing gear. The goal of the case study is to model a software controller that receives commands from a pilot to lower or raise the landing gear. To function autonomously, the plant is equipped with sensors that report the status of the plant to the controller, and actuators, for the controller to operate the plant. The software controller operates the door and landing gear within a set of timing and safety requirements. The timing assumptions about the system are summarized in Table I . The controller must report to the pilot the result of executing a command within a fixed deadline. One safety requirement in the original case study [28] is that the controller must ensure that the door and gear never collide while in motion. In addition, our design will check for and report failures in the door and gear. Our design. Our design models a Sample of both unshared and shared resources. The unshared resources door and gear represent physical components in the plant each of which is only manipulated by its corresponding software/hardware component. In addition, our design models the shared and critical resource space which describes the space in which both the gear and door move during their operation. This resource can be used by one component at a time. An attempt by the door and gear components to use it simultaneously indicates a collision between the door and gear, which is a safety violation.
Each sensor and actuator is represented by a communication event. Since our formalisms lack continuous data, sensory information only reflects the critical status of the plant, e.g. door completely open or completely closed. Intermediate sensory information is ignored. The synchronization events for the set of sensors and actuators in the system are summarized in Table 11 . Figure 4 shows the high-level structure of our design which contains three components: the processes Door and Gearwhich model the two components in the plant, and the process Controller which is the software controller. The three components execute concurrently and privately coordinate with one another through the synchronization events shown in Table 11 . In addition, the three components reserve the resources door, gear and space. and remain closed; instantaneously receive the event cd at priority level 1 after which it remains closed; instantaneously receive the event od at priority level 2 after which it starts behaving as described by the process Opening; or idles by consuming time and no resources. As shown in Figure 5 , within the System process the Door process synchronizes its behavior with the ControZZer process through the events dc, cd and od. Thus, when synchronization occurs, these events will become the special, internal event T. The prioritized semantics of ACSR and GCSR is such that when any synchronization is possible, the Door process favors it over idling. Also, when all synchronizations are possible, the Door process favors the event od over the other possible behaviors; this is reflected by the high priority of the event od. However, the selection between the events dc and cd is nondeterministic since they have equal priorities.
The process Opening describes the activity of opening the door: the process starts behaving like the process DoorBusyO for Tdoor time units. The process DoorBusyO can consume the resource door at priority level 1 together with the resource space at priority level 1 for one time unit. The process DoorBusy0 uses the resources in a non-preemptive way. In addition, the process DoorBusyO can receive the event (od,l) which instructs it to open the door. Since it is already opening the door, the process receives the event and goes on carrying out the door-opening activ- ity. The execution of the process DoorBusyO erence node marked with Controller. At this can be aborted in two ways within the pro-time, the controller starts idling as described cess Opening: One is through a timeout after by the Wait process. The idling can be interTdoor time units from its instantiation and rupted by the reception of the event em-dn after which the process Open is started; a sec-at priority level 3, at which time execution ond way is through receiving the event (2, 2) moves inside the top compound node. Inside from the controller, in which case the process this node, two processes execute in parallel: Closing is started to close the door. Synchro-one process, LowerGear, describes the connization with the controller has a higher pri-troller's instructions to open the door, lower ority than consuming time and the resource the gear, and then close the door again; the door as long as the timer Tdoor has not ex-second describes the fact that the controller pired.
The specification of the Gear process is similar to the process Door. When it is being lowered or raised, the Gear process simultaneously uses the gear and space resources in a non-preemptive mode. Figure 6 shows the GCSR specification of the Controller process. Execution starts at the refis always ready to receive the command to lower the gear-event (em_dn?,3) which is accepted without the controller initiating additional attempts to lower the gear. Execution of these two processes can be interrupted at any time by the reception of a command to raise the gear-event (cm_up?,3) . When this command is received, the controller in- Our design also includes similar error detection for the gear. The semantics of GCSR and ACSR ensures that if the controller (or any of the other parallel processes) deadlocks, so does the process System. We will use these deadlocks and special error-marking events to test for potential malfunctioning of the door and gear.
THE PARAGON TOOLSET
We have implemented a toolset, called PARAGON, to facilitate the use of the ACSR paradigm for real-time systems modeling and analysis. Figure 7 shows the overall structure of PARAGON. The user's view of the toolset is provided by the GCSR, XVERSA and VERSA user interfaces. The analysis of ACSR and GCSR specifications is carried out by the VERSA system that is accessed through these interfaces. The user interfaces are responsible for management of input/output streams. They allow processes to be entered as graphical GCSR process descriptions or as ACSR processes using a text-based notation. Graphical input of GCSR specifications is managed with drawing support functions, syntaxchecking functions, and automated translation of GCSR to ACSR. The text-based notation accepted by XVERSA enhances the ACSR process algebra with indexing, which can be used to emulate value-passing.
Within VERSA there are four major functional areas for analyzing processes: term rewriting, state space exploration, equivalence testing, and interactive execution.
The rewrite system facilitates the rewriting of ACSR process expressions according to sound algebraic laws that preserve prioritized strong equivalence, a bisimulation relation that respects priority. At the direction of the user, the rewrite system applies predefined algebraic laws to one or more processes, producing a new process that may be bound to a new, or pre-existing process variable. In this way, algebraic proofs of the equivalence of process expressions may be developed.
State space exploration, equivalence testing and interactive execution operate on a labeled transition system (LTS) representation of the system being analyzed. The LTS for one or more processes is produced by an algorithm that expands the process to produce a labeled transition system representing all possible executions. The LTS construction algorithm also prunes edges made unreachable by the semantics of the prioritized transition system, in most cases reducing the size of the resulting LTS.
State space exploration analysis can be used to determine key properties of a system's LTS. These include (1) Process equivalence can be tested using a number of different notions of equivalence including syntactic equivalence, a weaker syntactic equivalence which allows renaming of process variables and simple changes in structure, prioritized strong equivalence, and prioritized weak equivalence. In the order listed, these notions of equivalence increase in computational complexity and decrease in "strength" (i.e. equate more terms). 
IV. DESIGN SUPPORT

A . Specification
The various operators in ACSR, such as the parallel and scope operators, allow the specification and verification of a system in a modular and hierarchical fashion, which makes the development of a large scale real-time system more manageable. The precise, compositional semantics of the operators allows one to replace any component of a requirements specification by an equivalent component, and retain any correctness proved using the same equivalence. Thus, one can develop a design specification by a series of component-wise design refinements, starting with a requirements specification and gradually replacing its components with detailed components until a desired design specification is realized.
Another support of modular and hierarchical design within ACSR and GCSR is through a set of refinement operations that allow a designer to introduce implementation details gradually, e.g. add communication events, rename communication events, show the structure of a process for a timeconsuming action, and tighten an estimate resource requirements [3]. These notions of refinement are supported through a set of rewrite rules for ACSR and graphical transformations for GCSR, that syntactically manipulate an abstract specification to add details. In addition, refinement in ACSR and GCSR has a precise semantics that insures that each trace of the refined specification mimics a trace in the abstract specification in such a way that each timed occurrence of an abstract event is preserved in the refined trace.
Another feature of the ACSR paradigm that facilitates real-time system specification is the precise correspondence between ACSR and GCSR, which allows a designer to combine textual and graphical descriptions. For example, a designer can describe the high level structure of a system graphically and fill in the detailed description of components textually. This helps a designer to visualize the structure of the system and the dependencies between its component expressed as communication events.
To illustrate one of the notions of refinement in GCSR, let us revisit the landing gear example and refine our controller design shown in Figure 6 . We can refine this design by adding a report to the pilot after each command has been successfully carried out by the door and gear. For this, we rely on the modularity of refinement in GCSR and focus on refining the processes in charge of carrying out the commands, e.g., LowerGear and which are part of the Controller component of the System process. One new event is (gdn!, 4) and it is inserted between each occurrence of the event dc and the next Wait process. A similar event (gup!,4) is added to report the fact that the gear has been raised. The refined Controller process is shown in Figure 8 . 
B. Verification
The primary methods for verifying the correctness of GCSR and ACSR processes are (1) using bisimulation checking algorithms to verify the prioritized strong equivalence of a design model and a high-level correctness specification; and (2) using state space exploration to detect the presence of deadlocked states e Equivalence Testing. When a real-time system model is based on the structure of a proposed design, the model is likely to contain non-sequential operators such as parallel composition and temporal scope. Although these operators are critical for creating a model that accurately and succinctly describes the intended design, they make it difficult to determine the model's operational behavior by inspection. However, if the system's correct behavior (ignoring constraints on the design such as a need for redundancy or distributed control) has a succinct sequential specification that is correct by inspection, the correctness of the design model can be verified by proving the two descriptions are bisimilar.
For example, consider the model of System presented in Figure 4 of Section 11-C. The model contains nested processes with syn-chronization events, temporal scopes, and resource requirements to facilitate a concise description and accurately reflect the hardware implementation. The system also has a sequential correctness specification SystemSeq dAf SystemSeq -0 : SystemSeq + (cmd-dn, S).SystemSeq + (cm-up, S).SystemSeq which describes in simple terms a recursive behavior that essentially accepts commands and consumes time. The correctness of this formulation of the system requirements can be verified by inspection: the process SystemSeq never deadlocks, it is always ready to accept commands, and it never produces any failure marking event.
Deadlock Detection. An approach to verification that can be applied to nonterminating systems is to use resource contention aeadlocks to indicate that an unsafe state is reachable. Recall that the notion of resource defined in ACSR's semantic model does not allow two or more timed actions to execute simultaneously if they require the same resource. If a system model is constructed in such a way that a resource must be held while executing in a non-sharable critical region, then an attempt by two or more processes to execute simultaneously in that critical region will introduce a deadlock. For example, to ensure that our landing gear system design is safe, we need to check that there is never a collision between the door and the landing gear. First, we note that each component can separately execute forever; this is due to the recursive definition of the processes. Second, the concurrent behavior of the components consists of synchronized events (i.e. 7's) interleaved by timed usage of the door, gear and space resources, possibly at priority zero. Thus, by the operational semantics of parallel execution, if all the events are synchronized and there is no resource contention, then the components will execute forever; in other words, the system will not reach a deadlocked state. Furthermore, if we ignore the synchronization events and conceal the identities of the resources, the concurrent behavior of the components consists of infinite sequences of idling actions, i.e. 8, and reception of the command events cmd-dn and cmd-up which is described by the process SystemSeq. From this, we can conclude that our design is safe if the following bisimulation holds:
System\\{door, gear, space} M, SystemSeq where the operation 1 hides the resource names in the behavior of the process.
In our design, there are two sources of deadlocks which would make the above equivalence fail: contention on the space resource, which indicates collision between the door and gear, and miscommunication between the controller and physical devices. For the timing assumptions shown in Table I , we used our automated GCSR-to-ACSR translation and the VERSA toolset to prove that our design has no deadlocked states and it satisfies the above bisimulation; and thus our design is safe with respect to the collision criterion. This test is performed automatically by the VERSA system using its equivalence testing features. LTS's for System and SystemSeq are constructed, and a stateminimization algorithm[l8] is applied to determine whether the two LTS's are bisimilar. If they are, then the correctness of the complex System process can be verified by in-specting the SystemSeq process. If they are not equivalent, then there is some fault in TI = (cmd-dn,l).T; System that causes it to behave differently T: = (IdZeDn A 3 1 than SystemSeq. In this case, VERSA will produce a state where the two processes have distinguishing behaviors.
C. Testing (NIL, (failure, l) .NIL, (gdn, 1) . (success, 1) . N I L )
Both of the verification techniques described in Section IV-B rely on computing the LTS representation of the system model being analyzed. Therefore they are only applicable in situations where the LTS representation of the process can be computed in a reasonable amount of time and space. In cases where this is not possible, an alternative approach is to use testing techniques to explore specific system behaviors without computing the entire system state space.
Our testing technique uses parallel com- System is as shown in Figure 9 . If P is a correct implementation of the System specification for this input, then the state space of R = ( P )I T)\{cmdup,cmd-dn,gup,gdn} will contain the success event. If P accepts the cmd-dn input but produces incorrect output, or no output within 30 time units, then IE will emit failure and deadlock at time 31.
Efficient Translation for Testing. Our ability to construct the labeled transition sysposition to apply tests written in ACSR to tem corresponding to the result R of a test the system model. A test is the process depends on efficient translation of ACSR pro-R = ( P \/ T)\E, where P is the process be-cess terms into their state space representaing tested, T is the sequence of events and tion. Two approaches to this problem are actions making up the test, E is the set of common: (1) a bottom-up technique that event labels on which P and T interact, and computes the LTS for each of the sub-terms R is the result of applying T to P subject of a process, and then combines them to to the restriction of E . Tests are defined in create the LTS for the process; and (2) a such a way that the success or failure of P top-down technique that uses the algebra's tested by T can be determined by exploring semantic rules to interpret the process one the state space of R. If R contains the sen-event or action step at a time. Because tine1 event failure, P fails T . If R contains top-down translation is based on interpreting one or more occurences of the sentinel event the process to derive its behaviors, it follows success, P passes T . Exhaustive testing exercises all possible behaviors of a process by applying all possible inputs and checking the process outputs. If the process being tested accepts only finitely many inputs and has only executions of finite duration, then exhaustive testing of the input domain is sufficient to verify the correctness of the process. Process models generally have finite input domains (this can be verified by inspection of the process structure) but infinite executions are common in realistic system models. Where infinite executions exist, simplifying assumptions regarding the maximum length of a non-repeating execution, or the maximumlength of an execution that will be of interest have to be made.
Partition testing is based on a partitioning of inputs into classes, all elements of which exercise the same internal functions of the process. If the partitioning is correct, then exercising a single input from each class is sufficient to verify correctness of the process as a whole. The weakness of this method lies in the need to partition the functions of a process when the internal structure of the process is unknown. As reported in the literature[l4], partition testing has intuitive appeal, but its quantitative merits are limited.
A more complete test of cmd-up and cmd-dn inputs of the landing gear System process could be performed by exercising both the cmd-up and cmd-dn inputs and all of their possible interactions. Because S y s t e m is non-terminating, there are infinitely many inputs that exercise these scenarios. We concentrate our attention here on single inputs of each command, beginning from the start state. A test suite to exercise cmd-up and cmd-dn and a single interruption of one command by the other, beginning in the start state, is shown in Figure 10 .
Test T2 exercises the cmd-up input for the system's start state, and verifies that g u p is returned within the required interval. Test
Tz applys cmd-dn in the system's start state, and then nondeterministically applys cmd-up at every time instant up to and including the instant when g d n is returned. Then it is verified that gup is returned within the required interval. Thus, T3 verifies the ability of a cmd-dn command to be properly interrupted by cmd-up at any instant up to and including the moment when the gear is fully lowered. Test T4 performs a similar task, checking the ability of cmd-up to be properly interrupted by cmd-dn at any time.
We used VERSA to apply these tests to System and explored the state space of each of the resulting LTS's to determine that each contained success and was f a i l u r e free. Therefore, System executes the tests TI, 7'2, cmd-up, I) . (ldleUp A 3 1 ( N I L , (failure, 1) .NIL, (gup, l) . (success, 1 ) . N l L ) 0 : IdlelJp + ( g d n , l) .IdbeUp (cmd-dn, l) . (IdleDn A31 ( N I L , (failure, l ) . N J L , ( g d n , 1).T2 + (I-, O) .T2) (cmd-dn, l) . (IdleDn A31 ( N I L , (failure, l ) . N I L , ( g d n , 1).T4') 1).(1dleUp A31 ( N I L , (faiZure, l ) . N I L , ( g u p , 1 The presentation was based on the ACSR process algebra and the GCSR graphical process description language. Tools and techniques for constructing and analyzing system models using GCSR and ACSR were presented.
In our experience, no single verification technique will be effective in all cases. Exhaustive verification based on state space exploration is mainly applicable to small-scale systems, or mission-critical subsystems of a larger design. To analyze large systems, the user has to concentrate on specific aspects of the system's behavior. We think that our testing approach provides a formal basis for this. By combining the two techniques, the user can reach the desired level of confidence in correctness of a given design.
Our current research goals include the automatic derivation of tests that satisfy a timebased partition testing criteria. We intend to augment the existing toolset with: (1) a tool for creating a high-level timing specification diagram; and ( 2 ) tools that will use these timing specifications to automatically derive a complete partition test suite to check proper implementation of the timing constraints. We also want to explore how to use the generated tests to drive the graphical simulator of GCSR specifications, which is a part of the PARAGON toolset.
An important aspect of a specification paradigm is the right balance between textual and graphical specification. It seems that high-level specifications are better comprehended in the graphical form, while more detailed ones may be too tedious to enter graphically. Therefore, another area of interest lies in closer integration of graphical (GCSR) and textual (ACSR) specification paradigms.
