Abstract. Multiple timing faults, although detectable individually, can hide each other's faulty behavior, making the faulty system indistinguishable from a non-faulty one. A set of graph augmentations is introduced for single timing faults. The fault detection capability of the augmentations is analyzed in the presence of multiple timing faults, and it is shown that multiple occurrences of a class of timing faults can be detected.
Introduction
This paper analyzes the fault detection capability of the timed FSM model introduced in Ref. [7] in the presence of multiple timing faults. It is shown here that multiple timing faults, although detectable individually, can hide each other's faulty behavior, thereby making the faulty system indistinguishable from a non-faulty one. A set of graph augmentations is introduced for single timing faults. It is shown that the augmentations for single faults can also detect the presence of multiple faults occurring simultaneously.
Fault coverage has been studied mostly with respect to transfer/output faults for FSMs [1, 9, 11, 15]. Petrenko et al. [9] investigate the fundamental underlying concepts of fault coverage analysis, whose primary focus is protocol conformance testing. The detection of such faults, which is not part of the timing-fault analysis, depends on the adopted conformance relation, the underlying fault models, and the state verification method [4, 8, 10, 13]. If a timing fault results in a transfer/output fault, we assume that it is detected with high probability under the widely accepted assumption that the faults do not increase the number of states in an implementation under test (IUT).
The related work on testing systems with timing dependencies focuses on testing Timed Automata (TA) [2], with a theoretical framework in Ref. [12] achieving provably complete test coverage at the expense of a prohibitively large number of test cases. Dssouli et al. [5, 6] introduce a method based on the state characterization technique using a timed extension of the Wp-method [8]. The technique formulates fault models for timed systems by considering time-specific one-clock and multi-clock timing faults in addition to FSM-like transfer/output faults. The aim of complete test coverage is relaxed: by choosing a proper granularity, a "good" fault coverage is achieved with reasonably long test sequences. Dssouli et al. are the first to present a classification of timing faults [6], and they formally prove that their technique detects all single faults of a given type [5]. None of the above techniques is shown to have the ability to detect multiple simultaneous timing faults. A major contribution of this paper is a formal analysis of such a fault detection capability for the testing methodology introduced in Ref. [7]. Section 2 of this paper gives the basic definitions. The simplified version of the timed FSM model of [7] is given in Section 3. Single and multiple timing faults are discussed in Sections 4 and 5, respectively.
Definitions
A communicating protocol can be modeled as a Finite State Machine (FSM) represented by a directed graph $G(V, E)$. The vertex set $V$ and the edge set $E$ represent the states and the transitions triggered by events of a system, respectively. To capture time-related behavior, an FSM can be extended with a set of timers $\mathcal{T}$ that may be arbitrarily started or stopped.
A timed FSM is a tuple $M = (V, A, O, \mathcal{T}, E, v_0)$ where $V$ is a finite set of states, $v_0 \in V$ is the initial state, $A$ is a finite set of inputs, $O$ is a finite set of outputs, $\mathcal{T}$ is a finite set of timers, and $E \subseteq V \times (A \times \mathcal{T} \times O) \times V$ is a set of transitions $V \times A \times \mathcal{T} \longrightarrow O \times V$.
In the presence of timers, an FSM becomes an Extended Finite State Machine (EFSM). Timer-related variables appear in addition to the variables from the tuple above, in the form of conditions $t_j$ on the timer variables and of actions $\{t_j\}$ on variable values. A tuple $e_i = (v_p, v_q, a_i, o_i, t_j, \{t_j\})$ is a transition $e_i \in E$, where $v_p$ is the current state, $v_q$ is the next state, $a_i$ is the input defined in the current state $v_p$ or in the current transition $v_p \xrightarrow{e_i} v_q$, $o_i$ is the output of the current transition $v_p \xrightarrow{e_i} v_q$, $t_j$ is a vector of timer variables, the conditions $t_j$ are on the time-related variables, and the actions $\{t_j\}$ update the time-related variables.
A timer $T_j \in \mathcal{T}$ can be defined with a timer vector $t_j = (T_j, D_j, f_j, L_p)$ where $T_j \in \{0, 1\}$ is a timer running-status variable denoted by a boolean variable, $D_j$ is a time-characteristic variable that indicates the length of timer $T_j$, $f_j \in \mathbb{R}^\infty$ is a time-keeping variable that indicates the time elapsed since timer $T_j$ started, and $L_p \in \{0, 1\}$ is a flow-enforcing variable that forces the test sequence to traverse the augmented graph according to model-specific rules. Timer $T_j \in \mathcal{T}$ is expired iff $(T_j == 1) \wedge (f_j \geq D_j)$ and is running iff $(T_j == 1) \wedge (f_j < D_j)$.
$T_j == 1$ (depicted as $T_j$ henceforth) denotes that a timer is running and $T_j == 0$ (depicted as $\neg T_j$ henceforth) denotes that a timer is not running (i.e., stopped, expired or not started yet). $D_j$ is the length of $T_j$ and $f_j \in \mathbb{Z}^\infty$ is the time elapsed since its start. When $T_j$ has just started, $f_j := 0$, and $f_j := -\infty$ if $T_j$ is not running. Over an edge $e_i$ the value of $f_j$ is increased by the cost $c_i$ of $e_i$ as $f_j := f_j + c_i$. Once $f_j$ becomes $f_j \geq D_j$, $T_j$ is said to be expired or timed out. The difference $(D_j - f_j)$ represents the remaining time until $T_j$'s expiry. $L_p$ is a flow-enforcing variable where $L_p = 0$ implies that no transition can leave the current state $v_p$ and $L_p = 1$ means that all transitions are allowed to leave $v_p$.
For , a finite transition sequence is represented as $\rho = h_1, \cdots, h_k, h_{k+1}, \cdots, h_n$ in the graph $G$ associated with $M$. For any $k \in [1, n-1]$, $h_k$ is traversed before $h_{k+1}$.
Assume that there are $K$ running timers, and let $c_i$ be the amount of time required to completely traverse the current edge $e_i$. A timeout transition $e_i = (v_p, v_q, a_i, o_i, t_j, \{t_j\})$ is triggered by the expiry of $T_j$ and becomes feasible if $T_j$ is the running timer that expires, before every other running timer $T_k \neq T_j$, which can be described as follows:
A transition in which no timer $T_j$, $j \in [1, K]$, expires is defined as a non-timeout transition. A timer can be started in an action as follows:
A timer can be stopped as follows:
Modeling Timed FSM
To simplify test generation from timed FSM models (which are essentially EFSMs due to the timing variables, as described in Section 2), we introduce a graph augmentation for the conversion of $G$ to $G'$ as follows:
Step (i): All the self-loops in $G$ are represented as ordinary (i.e., state-to-state) edges in $G'$;
Step (ii): For every state $v_p$ in $G$, an additional state called $v'_p$ is introduced in $G'$, which becomes the ending state for all of the self-loops defined in $v_p$;
Step (iii): For the self-loops of $v_p$ in $G$, the return from $v'_p$ to $v_p$ is ensured by the introduction of an additional edge called the return edge $e^{ret}_p$ in $G'$.
In this model, the new states in $G'$ are introduced to convert the self-loop transitions into state-to-state transitions. The role of the observer state is to "consume" pending timeouts and to enable outgoing edges by setting $L_p$ to 1. Figure 1 shows, for state $v_p$, an example conversion of self-loops to state-to-state transitions and the introduction of observer states/edges by our model. The augmented graph $G'$ will contain two types of transitions, as defined below:
Type 2: A non-timeout transition $e_i$, which may start/stop a timer, may be a regular, non-timeout, state-to-state transition or may have been converted from a non-timeout self-loop transition.
Edge Conditions and Actions for New Model
The original edge conditions and the actions of G are modified by appending timer-related conditions and actions, as described below.
Edge conditions that need to be satisfied before an edge can be traversed are formulated using the three variable types described in Section 2: timer status variables ($T_j$: on or off), time-keeping variables ($D_j$: timer length, $f_j$: time elapsed) and flow-enforcing variables ($L_p$: edge traversal control). Below are the edge conditions used by our model:
A Type 1 (timeout) transition is feasible if all of the following conditions are true during the traversal:
• at least one of the running timers expires (for any two running timers, $T_j$ and $T_k$, either $T_j$ or $T_k$ expires, and thus enables the timeout edge):
• the timer that expired was the timer with the least remaining time (i.e., if some $T_k$ was also running, and if $T_j$'s remaining time was less, then it was $T_j$ that expired):
• the flow-enforcing variable is set as follows:
$L_p == 0$, if the edge was a timeout self-loop edge in $G$;
$L_p == 1$, if the edge was a timeout state-to-state edge in $G$.
These three components of a Type 1 edge condition can therefore be combined and formalized as:
• for a converted edge in $G'$ (i.e., a self-loop edge in $G$):
The above equations imply that before a timeout transition, $T_j$ should still be running, its remaining time should be the least among all other running timers, and the flow-enforcing variable is appropriately set for either a converted or an original edge in $G'$. Any nondeterminism due to multiple timeouts can be detected during test-sequence generation, e.g., if $T_j$ and $T_k$ are to expire simultaneously, then $(D_j - f_j = D_k - f_k)$ and their conditions cannot be satisfied.
Similarly, during the traversal, a Type 2 (non-timeout) transition becomes feasible if both of the following conditions are true:
• either there is no running timer started in a previous transition (there may be a timer started on the current transition): $\neg T_j$; or, if there is, it did not expire over a previous transition (the time variable $f_j$ of running timer $T_j$ is less than the timer's length $D_j$):
• the flow-enforcing variable is set as:
$L_p == 0$, if the edge was a non-timeout self-loop in $G$;
$L_p == 1$, if the edge was a non-timeout state-to-state edge in $G$.
Therefore, the time conditions for Type 2 edges can be formalized as follows:
The time condition for the wait edge $e_{p,wait}$ and the observer edge $e_{p,obs}$, from the original state $v_p$ to the observer state $v'_p$, is formulated as $L_p == 0$.
The return edges (i.e., $e^{ret}_p$ and $e^{ret}_{p,obs}$) added by the graph augmentation to $G'$ are no-cost edges whose time condition is true: $1$.
Action list can be executed by an edge whose traversal was determined by its time condition being satisfied. Such an edge may proceed and update all variables that changed during the current transition accordingly:
• If a timer expires, the timeout edge will reset the status variable $T_j$ to 0 and the time-keeping variable to $-\infty$: $T_j := 0;\ f_j := -\infty$.
• If a timer started on a previous transition is still running, the current edge $e_i$ will update its value with its cost $c_i$ (which may bring $f_j \geq D_j$, and thus time out $T_j$ and trigger a timeout transition):
• If a timer is started on the current transition, the current action list will initialize the timer status $T_j$ to 1 and the time-keeping variable $f_j$ to 0: $T_j := 1;\ f_j := 0$.
• The flow-enforcing variable $L_p$ is also set by every edge according to its type:
$L_p := 1$, set by the observer edge to allow traversal of state-to-state edges;
$L_p := 0$, set by either Type 1 or Type 2 edges.
Each edge type will perform a subset of the above listed actions, according to its specifics, as follows:
$(D_j - f_j)$ is the remaining time of timer $T_j$ until timeout
(i.e., there are no actions for this edge)
Since both edge types, namely Type 1 and Type 2, disable outgoing transitions by setting $L_p := 0$, the only edges whose actions will enable these transitions are the artificially created observer edges.
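As an added illustration of the timer semantics of Section 2 and the edge conditions and action lists of Section 3 (example code written for this page, not the paper's own model or tooling), the following Python snippet encodes a timer vector $(T_j, D_j, f_j)$, the Type 1 and Type 2 feasibility conditions including the least-remaining-time rule and the simultaneous-expiry check, the action lists, and the wait/observer edges that set $L_p$. The class and method names and the two-timer scenario in `demo()` are this example's own constructions.

```python
from dataclasses import dataclass
from math import inf


@dataclass
class Timer:
    """Timer vector t_j = (T_j, D_j, f_j): running status, length, elapsed time.
    f_j is -inf while the timer is not running (Section 2)."""
    D: float          # D_j, timer length
    T: int = 0        # T_j, 1 = started (running or expired), 0 = not running
    f: float = -inf   # f_j, time elapsed since the start

    def start(self):             # action {t_j}: T_j := 1; f_j := 0
        self.T, self.f = 1, 0.0

    def stop(self):              # action {t_j}: T_j := 0; f_j := -inf (also taken on expiry)
        self.T, self.f = 0, -inf

    def running(self):           # (T_j == 1) and (f_j < D_j)
        return self.T == 1 and self.f < self.D

    def expired(self):           # (T_j == 1) and (f_j >= D_j)
        return self.T == 1 and self.f >= self.D


class AugmentedState:
    """Current state v_p of G' with its timers and flow-enforcing variable L_p.
    Method names are this example's own; the conditions follow Section 3."""

    def __init__(self, timers):
        self.timers = timers
        self.L = 1     # L_p: 1 allows state-to-state edges, 0 only converted self-loops

    def _after(self, cost):
        """Elapsed times after an edge of cost c_i: f_j := f_j + c_i for every started timer."""
        return {k: (t.f + cost if t.T == 1 else t.f) for k, t in self.timers.items()}

    def type1_feasible(self, j, cost, converted):
        """Timeout edge of T_j: T_j expires over the edge, it has the least remaining
        time among the running timers, and L_p matches the edge's origin in G."""
        f = self._after(cost)
        tj = self.timers[j]
        if not (tj.T == 1 and f[j] >= tj.D):
            return False
        rem_j = tj.D - f[j]
        for k, tk in self.timers.items():
            if k == j or tk.T != 1:
                continue
            rem_k = tk.D - f[k]
            if rem_k == rem_j:   # (D_j - f_j) == (D_k - f_k): nondeterministic, see Section 3
                raise ValueError(f"timers {j} and {k} would expire simultaneously")
            if rem_k < rem_j:    # some other timer expires first
                return False
        return self.L == (0 if converted else 1)

    def type2_feasible(self, cost, converted):
        """Non-timeout edge: no previously started timer expires over it, and L_p matches."""
        f = self._after(cost)
        if any(t.T == 1 and f[k] >= t.D for k, t in self.timers.items()):
            return False
        return self.L == (0 if converted else 1)

    def traverse(self, cost, expires=None, starts=()):
        """Action list of a Type 1 or Type 2 edge: advance started timers by c_i, reset the
        expired timer (T_j := 0; f_j := -inf), start new timers and set L_p := 0."""
        for t in self.timers.values():
            if t.T == 1:
                t.f += cost
        if expires is not None:
            self.timers[expires].stop()
        for k in starts:
            self.timers[k].start()
        self.L = 0

    def observe(self):
        """Wait edge (condition L_p == 0, cost 1) into the observer state, return edge, then
        the observer edge, whose action sets L_p := 1 and enables state-to-state edges."""
        if self.L != 0:
            return False
        for t in self.timers.values():
            if t.T == 1:
                t.f += 1
        self.L = 1
        return True


def demo():
    """Constructed scenario: T_a (D_a = 3) and T_b (D_b = 5) are started by the same edge;
    after an observer visit, a unit-cost state-to-state edge and a second observer visit,
    only the T_a timeout edge is feasible. A pair of equal-length timers shows the
    nondeterminism check."""
    s = AugmentedState({"a": Timer(D=3), "b": Timer(D=5)})
    s.traverse(cost=0, starts=("a", "b"))   # h_k starts both timers, L_p := 0
    s.observe()                             # f_a = f_b = 1, L_p := 1
    s.traverse(cost=1)                      # Type 2 state-to-state edge: f_a = f_b = 2
    s.observe()                             # f_a = f_b = 3: T_a is now expired
    result = {
        "timeout_a": s.type1_feasible("a", cost=0, converted=False),
        "timeout_b": s.type1_feasible("b", cost=0, converted=False),
        "nontimeout": s.type2_feasible(cost=0, converted=False),
        "remaining_b": s.timers["b"].D - s.timers["b"].f,
    }
    twin = AugmentedState({"x": Timer(D=2), "y": Timer(D=2)})
    twin.traverse(cost=0, starts=("x", "y"))
    twin.observe()                          # f_x = f_y = 1
    try:
        twin.type1_feasible("x", cost=1, converted=False)
        result["nondeterministic"] = False
    except ValueError:
        result["nondeterministic"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Running the module prints the feasibility results of the constructed scenario; the Type 2 edge is refused once $T_a$ has expired over the wait edge, which is exactly why the model forces the timeout edge to be taken next.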
Modeling Timing Faults
In general, timing faults in an IUT can be classified into: (i) 1-clock interval faults, (ii) n-clock interval faults (introduced by Dssouli et al. [5, 6] ), and (iii) incorrect settings of timer lengths. The goal is to detect such faults during testing through special-purpose timers and graph augmentations that force a test sequence to take a different path for a faulty IUT than for the conformant one.
In our model, during the testing of transition , after input $a_i$ is applied, the expected output $o_i$ should be generated no later than $\theta$ time units, $\theta \in \mathbb{R}^+$. If no output is observed within $\theta$ time units (represented as $\neg o_i$) or output $o_i$ is observed after $\theta$ time units, a fault occurs. The $\theta$ time units are part of the test harness rather than of the IUT.
1-Clock Interval Faults
1-Clock Interval Faults are related to timing conflicts due to one clock/timer regardless of other concurrent clocks/timers. Unacceptable input timing (i.e., an input may be 'rushed' or 'delayed') results either in an unacceptable output value for a transition or unexpected output timing (i.e., an output may be 'rushed' or 'delayed'). 1-clock interval faults occur either when at least one input interval boundary is violated in the IUT or no interval boundary is modified but no output is observed.
Timing Requirement: can correctly trigger only if the applied input $a_i$ is within the required time interval $[\alpha, \beta]$ measured from the traversal of $h_k$, an edge prior to $e_i$ in a test sequence.
Based on this requirement, two faults, namely Timing Faults I and II, can be defined as follows:
Timing Fault I: Input $a_i$ is applied either too early ($\delta < \alpha$) or too late ($\delta > \beta$), but output $o_i$ may still be observed and state $v_q$ verified no later than $\theta$ time units from the instant input $a_i$ is applied.
Timing Fault II: Input $a_i$ is applied within the required time interval $[\alpha, \beta]$, but either the output is not observed (i.e., $\neg o_i$) or state $v_q$ cannot be verified in less than $\delta + \theta$ time units. The detection of Fault II is not included in the analysis presented in this paper, since it has been handled by the transfer fault detection models reported in the literature [9].
Graph Augmentation to Detect Timing Fault I: The modeling of the 1-clock timing requirement for an edge $e_i = (v_p, v_q, a_i, o_i, t_j, \{t_j\})$ is accomplished by using two special-purpose timers and creating the so-called observer states/edges. The special-purpose timers are called $T_\alpha$ and $T_\beta$, with lengths $D_\alpha = \alpha$ and $D_\beta = \beta$ time units, respectively, where $\alpha < \beta$. Note that timers $T_\alpha$ and $T_\beta$ are not part of the IUT, but are maintained by the test harness run by the tester.
The edge $e_i$ triggers only after input $a_i$ is applied within the time interval $[\alpha, \beta]$ (i.e., after timer $T_\alpha$ expires but before timer $T_\beta$ expires), and in its action it stops timer $T_\beta$. Therefore, in our augmentation, the modified timing conditions for $h_k$ (which starts timers $T_\alpha$ and $T_\beta$) and $e_i$ are as follows:
Two new observer states, namely $v'_{p,1}$ and $v'_{p,2}$, with their associated observer edges, $e_{p,1,obs}$ and $e_{p,2,obs}$, are appended to $v_{p,1}$ and $v_{p,2}$, respectively. The new wait edges $e_{p,1,wait}$ from $v_{p,1}$ to $v'_{p,1}$ (with cost $c_{p,1,wait} = 1$ time unit) and $e_{p,2,wait}$ from $v_{p,2}$ to $v'_{p,2}$ (with cost $c_{p,2,wait} = 1$ time unit), and their return edges, namely $e^{ret}_{p,1}$ and $e^{ret}_{p,2}$ (both with zero cost), are created:
]), respectively, the sequence is forced to move into state $S_{F-I}$. In other words, when input $a_i$ is applied, if the following timing conditions are true, the IUT will be assumed to be in state $S_{F-I}$, where the test will be declared as failed:
$T_\alpha := 0;\ f_\alpha := -\infty;$
Therefore, $e_i$ triggers only when $a_i$ is applied after $T_\alpha$'s expiry and before $T_\beta$'s expiry. If the input interval condition is not satisfied, $G'$ forces the traversal of either $e_{p,1,fault}$ or $e_{p,2,fault}$, making the tester declare the IUT to be in the fault state $S_{F-I}$ (Figure 2).
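The harness-side interval check that this augmentation performs can be simulated directly. The following Python function is an added example (not the paper's code): it runs the two harness timers $T_\alpha$ and $T_\beta$ from the traversal of $h_k$, loops over the unit-cost wait edges until the tester applies $a_i$ at instant $\delta$, and returns the edge the augmented graph forces next. It assumes an integer $\delta$ and, following the definition of Fault I, treats $\delta < \alpha$ as early and $\delta > \beta$ as late (so $\delta = \beta$ is accepted); the edge names and the transfer edge `e_p,1,2` between the two wait states are this example's labelling.

```python
def fault_i_verdict(delta, alpha, beta):
    """Simulate the Fault I augmentation for one edge e_i.

    T_alpha (D_alpha = alpha) and T_beta (D_beta = beta) are started by h_k, so
    f_alpha = f_beta = 0 here. Each iteration is one unit-cost wait edge; the tester
    applies a_i after `delta` time units (assumed integer, this example's convention).
    Returns (edge, trace): the edge forced by G' when a_i is applied, and the edges
    traversed before it.
    """
    f_alpha = f_beta = 0
    trace = []
    for _ in range(delta):
        # while T_alpha is running the sequence loops over e_{p,1,wait};
        # once T_alpha has expired it has moved to v_{p,2} and loops over e_{p,2,wait}
        trace.append("e_p,1,wait" if f_alpha < alpha else "e_p,2,wait")
        f_alpha += 1
        f_beta += 1
        if f_alpha == alpha:
            trace.append("e_p,1,2")      # T_alpha just expired: move from v_{p,1} to v_{p,2}
    if f_alpha < alpha:                  # T_alpha still running: a_i too early (delta < alpha)
        return "e_p,1,fault", trace
    if f_beta > beta:                    # T_beta expired before a_i: too late (delta > beta)
        return "e_p,2,fault", trace
    return "e_i", trace                  # a_i within [alpha, beta]: e_i fires and stops T_beta


def interval_example():
    """Constructed from the Figure 6 example: i_10 must be applied within [6, 15] seconds."""
    return {delta: fault_i_verdict(delta, 6, 15)[0] for delta in (5, 6, 10, 15, 16)}


if __name__ == "__main__":
    for delta, edge in interval_example().items():
        print(f"delta = {delta:2d} s -> {edge}")
```

Only the verdict edge matters for the test outcome; the trace is returned so that the wait-edge loop of the augmented graph can be inspected.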
n-Clock Interval Fault
Timing conflicts due to n-clock interval faults are concerned with $n$ clocks/timers running concurrently. In a faulty IUT, this fault may result in an altered traversal sequence which can go unnoticed during testing. An n-clock interval fault occurs when at least one edge is traversed out of the required testing sequence.
Timing Requirement: Edge $e_i = (v_p, v_q, a_i, o_i, t_j, \{t_j\})$ can only be traversed after a sequence of transitions $\rho = h_1, h_k, h_{k+1}, \cdots, h_n$, such that $h_k$ was executed before $h_{k+1}$ ($\forall k \in [2, n] \subset \mathbb{Z}^+$).
Timing Fault III: The required order of edges is not respected and the relation between them does not hold (i.e., for at least one edge, $\exists k \in [2, n]$ such that $h_{k+1}$ was executed before $h_k$). As a result, for a test sequence, a final state $v'_q \neq v_q$ is verified and a final output $o'_i \neq o_i$ is observed.
The graph augmentation for this case has been skipped due to space constraints, but an extensive study can be found in Refs. [3, 14] . 
Incorrect Timer Setting Faults
Timing conflicts which arise due to faulty timer length settings in an IUT are called incorrect timer setting faults, where the timer length is incorrectly set either too short or too long (i.e., the timer expires too early or too late).
Timing Requirement: In a test sequence, edge $h_k$ starts timer $T_j$ and is traversed before $e_i$. Timeout transition $e_i = (v_p, v_q, a_i, o_i, t_j, \{t_j\})$ triggers exactly in $D_j$ time units, where $D_j$ is the timer length.
Timing Fault IV: Timeout transition $e_i$ triggers in $D'_j$ time units, and output $o_i$ is observed and state $v_q$ is verified in shorter than the expected time (i.e., $D'_j < D_j$).
Timing Fault V: Timeout transition $e_i$ triggers in $D'_j$ time units, and output $o_i$ is observed and state $v_q$ is verified in longer than the expected time (i.e., $D'_j > D_j$).
Graph Augmentation to Detect Timing Fault IV: Let us consider timer $T_j$ with length $D_j$, defined by the specification to be started by the actions of edge $h_k$ and to expire at edge $e_i$ (reachable from $h_k$). To detect whether the length of $T_j$ is set to a $D'_j$ which is shorter than $D_j$, we introduce a special-purpose timer $T_s$ where $D_s$ is the correct timer length as defined by the specification. Timer $T_s$ will be started by edge $h_k$, which also starts $T_j$. Therefore, after the augmentation, the time-related conditions and actions for $h_k$ are modeled as:
An observer state $v'_p$ is appended to state $v_p$ via a new observer edge $e_{p,obs}$, wait edge $e_{p,wait}$ and return edge $e^{ret}_p$:
Finally, a new fault state $S_{F-IV}$ is created which is connected to $v_p$ via $e_{p,fault}$. The edge condition of $e_{p,fault}$ is modified such that if timer $T_j$ expires earlier than expected, the sequence is forced to move to state $S_{F-IV}$, where the tester declares the verdict of the test as failure:
The edge condition of $e_i$ is also modified such that it is traversed only when $f_s \geq D_s$ and $T_j$ expires, as shown in Figure 3:
$T_s := 0;\ f_s := -\infty;$
Graph Augmentation to Detect Timing Fault V: The graph augmentation for Fault V is similar to that of Fault IV (Figure 3), except that the edge conditions are formulated differently:
$L_p := 0$
Multiple Faults
It is possible that, for a given test sequence, a single timing fault, occurring simultaneously with a fault of different type, can exhibit a behavior indistinguishable from an IUT without any faults. We prove in this section that the graph augmentations introduced for single timing faults in Section 4 are capable of detecting such multiple faults. Due to space constraints, only the pairwise combinations of Timing Faults I, IV and V are presented in detail. The other combinations with Timing Fault III are available in [3, 14] .
Multiple Faults of I and V
It is possible that a single Fault I and a single Fault V can hide each other such that the observable behavior of a faulty system is not distinguishable from a non-faulty system.
Lemma 1: The graph augmentations for Fault I (Section 4.1) and Fault V (Section 4.3) can detect the simultaneous presence of a single Fault I and a single Fault V in an IUT, irrespective of the order in which they occur in an edge sequence.
Proof: It is possible to construct an edge sequence such that an input applied too early, violating a timing interval requirement of the specification (i.e., Fault I), followed by a timer expiring too late (i.e., Fault V) can generate an output as if the IUT were non-faulty. For the general case, consider a test sequence containing $\cdots, h_x, \cdots, e_i, \cdots, e_j, \cdots, e_k, \cdots$ (Figure 4) where:
• Edge $e_i$ has a timing interval requirement that input $a_i$ be applied within the interval $[\alpha, \beta]$ (i.e., $\delta \in [\alpha, \beta]$, where $\delta$ is the instant at which the input is applied, measured from edge $h_x$).
• Edge $e_j$ from state $v_j$ to state $v_{j+1}$ starts timer $T_z$ with length $D_z$. $e_j$: condition $\neg T_z$; action $T_z := 1;\ f_z := 0$.
• The $T_z$ timeout triggers edge $e_k$, which generates an observable output $o_k$ in $\delta + c_i + c_{(i+1 \to j+1)} + D_z + c_k$ time units from $h_x$, where $c_{(i+1 \to j+1)}$ is the total cost of all edges used in the sequence between states $v_{i+1}$ and $v_{j+1}$.
If input $a_i$ is applied too early (i.e., Fault I where $\delta < \alpha$) and, at the same time, $D_z$ is incorrectly implemented as too long (i.e., Fault V where
Similarly, a special-purpose timer $T_s$ at the test harness with length $D_s$ is introduced to define the correct timer length for $T_z$. Therefore, edge $e_j$ starts both $T_z$ and $T_s$:
For the Fault I augmentation, $v_i$ (the starting state of $e_i$) is replaced by two new states, $v_{i,1}$ and $v_{i,2}$, connected via $e_{i,1,2}$. $S_{F-I}$ and its incoming edges ($e_{i,1,fault}$ and $e_{i,2,fault}$) are created for states $v_{i,1}$ and $v_{i,2}$, respectively. Then, an observer state $v'_{i,1}$ with its associated edges $e_{i,1,wait}$, $e_{i,1,obs}$ and $e^{ret}_{i,1}$ to $v_{i,1}$ is introduced. Similarly, $v'_{i,2}$, $e_{i,2,wait}$, $e_{i,2,obs}$ and $e^{ret}_{i,2}$ are created for $T_\beta$ (Section 4.1).
Fig. 6. Timed FSM: $T_3$ is started by applying $i_{10}$ within time interval $[6, 15]$.
For Fault V, an observer state $v'_k$ with edges $e_{k,wait}$, $e_{k,obs}$ and $e^{ret}_k$ is attached to $v_k$, whose outgoing edge is the $T_z$ timeout edge $e_k$. Also, state $S_{F-V}$ and edge $e_{k,fault}$ are added to the graph:
After augmentation for both Faults I and V, a correct edge traversal sequence for a non-faulty IUT can be given as: $\cdots, h_x, \cdots, e_{i,1,wait}, e$
An example test sequence containing $\cdots, e_8, e_9, e_{10}, e_{11}, e_{12}, \cdots$ is given for the FSM of Figure 6. Suppose the FSM specification defines that, for $e_{10}$, the input $i_{10}$ should be applied within the time interval $[6, 15]$ seconds (measured from $e_8$) and that $e_{10}$ starts $T_3$ with length $D_3 = 4$ seconds. Edge $e_{12}$ is a timeout transition for $T_3$, and for edges $e_9$, $e_{10}$, $e_{11}$ and $e_{12}$ the costs are $c_9 = 4$, $c_{10} = 1$, $c_{11} = 4$ and $c_{12} = 2$ seconds, respectively. In a correct implementation, $i_{10}$ is
Proof: Let us first prove that timing faults can hide each other such that the observable behavior of an IUT with Faults IV and V and that of a non-faulty IUT are identical. Consider an edge sequence over which two timers, namely $T_x$ and $T_y$, are started and expire. For the general case, such a sequence can be defined as $\cdots, h_x, \cdots, e_i, \cdots, e_j, \cdots, e_k, \cdots$ (Figure 7) where:
• Edge $h_x$ from state $v_x$ to $v_{x+1}$ starts timer $T_x$ with length $D_x$. $h_x$: condition $1$; action $T_x := 1;\ f_x := 0$.
• Expiry of $T_x$ triggers edge $e_i$, for which no observable output is generated.
Applying the graph augmentation methods described in Section 4.3, the generalized case of Figure 7 can be modified to include the new wait and fault states with their associated edges. As shown in Figure 8, our graph augmentation introduces special-purpose timers $T_{sx}$ and $T_{sy}$ with lengths $D_{sx}$ and $D_{sy}$, respectively, to define the correct timer lengths for timers $T_x$ and $T_y$, where $D_{sx} \equiv D_x$ and $D_{sy} \equiv D_y$ time units. In the augmented graph, $h_x$ starts both $T_x$ and $T_{sx}$, and $e_j$ starts both $T_y$ and $T_{sy}$:
$h_x$: condition $\neg T_x \wedge \neg T_{sx}$; action $T_x := 1;\ f_x := 0;\ T_{sx} := 1;\ f_{sx} := 0$
$e_j$: condition $\neg T_y \wedge \neg T_{sy}$; action $T_y := 1;\ f_y := 0;\ T_{sy} := 1;\ f_{sy} := 0$
For the Fault IV augmentation, a wait state $v'_i$ with its associated edges $e_{i,wait}$, $e_{i,obs}$ and $e^{ret}_i$ is attached to $v_i$, whose outgoing edge is the timeout edge $e_i$. A new state $S_{F-IV}$ and its edge $e_{i,fault}$ are added to state $v_i$:
Similarly, for the Fault V augmentation, an observer state $v'_k$ with its associated edges $e_{k,wait}$, $e_{k,obs}$ and $e^{ret}_k$ is attached to $v_k$, whose outgoing edge is the timeout edge $e_k$. A new state $S_{F-V}$ and its associated edge $e_{k,fault}$ are added to state $v_k$:
After these augmentations, a test sequence for a non-faulty IUT is $h_x, \cdots, e_{i,wait}, e^{ret}_i, e_{i,obs}, e^{ret}_i, e_i, \cdots, e_j, \cdots, e_{k,wait}, e^{ret}_k, e_{k,obs}, e^{ret}_k, e_k$. For a faulty IUT where Fault IV is reached before Fault V, the test sequence will end up in state $S_{F-IV}$ (i.e., the edge $e_{i,fault}$ will be traversed instead of $e_i$), and hence will detect Fault IV.
Similarly, it can be shown that a test sequence can be constructed such that, if a single Fault V is traversed before a single Fault IV, the test sequence will be forced to state S F −V . Therefore, a single Fault IV and a single Fault V, irrespective of the order of their occurrence, can be detected by augmentations given in Section 4.3.
Let us illustrate the simultaneous occurrence of Faults IV and V with an example. In Figure 9, the FSM specification defines that edges $e_{21}$ and $e_{23}$ start timers $T_1$ (which expires in $e_{23}$ with $D_1 = 5$ seconds) and $T_2$ (which expires in $e_{25}$ with $D_2 = 4$ seconds), respectively. The costs of the edges $e_{22}$, $e_{23}$, $e_{24}$ and $e_{25}$ are given as $c_{22} = 5$, $c_{23} = 2$, $c_{24} = 4$ and $c_{25} = 3$ seconds, respectively.
The test sequence for a non-faulty IUT can be constructed as $e_{21}, e_{22}, e_{23}, e_{24}, e_{25}$ such that timer $T_1$ expires in 5 seconds and $T_2$ in 4 seconds. Therefore, using this test sequence, a non-faulty IUT will generate $o_{25}$ by $e_{25}$ 14 seconds after the traversal of $e_{21}$ (i.e., $D_1 + c_{23} + D_2 + c_{25} = 5 + 2 + 4 + 3$ seconds). Now suppose $T_1$ is incorrectly implemented as $D'_1 = 4$ seconds and $T_2$ as $D'_2 = 5$ seconds. This faulty IUT would also generate $o_{25}$ 14 seconds after $e_{21}$ is traversed (i.e., $D'_1 + c_{23} + D'_2 + c_{25} = 4 + 2 + 5 + 3$ seconds). This example illustrates that, without our augmentations, the simultaneous occurrence of single Faults IV and V may be indistinguishable from the non-faulty IUT for certain test cases. However, after the graph augmentations, the sequence will detect the single occurrences of Faults IV and V by forcing the faulty IUT into state $S_{F-IV}$.
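The masking effect of this example, and its removal by the harness timers of Section 4.3, can be checked with the following Python simulation (added example code, not the paper's own tooling). It replays the Figure 9 sequence with the timer lengths and edge costs given above, using the page's accounting $D_1 + c_{23} + D_2 + c_{25}$ in which the costs of $e_{22}$ and $e_{24}$ run inside the timer waits. The augmented run assumes, as Corollary 3 does, that each timeout edge carries both the Fault IV check (the edge requires $f_s \geq D_s$, otherwise $e_{fault}$ leads to $S_{F-IV}$) and the Fault V check ($T_s$ expiring while $T_j$ is still running leads to $S_{F-V}$); the function names and the table layout are this example's own.

```python
# Constructed from the Figure 9 example on the page: e21 starts T1 (D1 = 5 s, expires at e23),
# e23 starts T2 (D2 = 4 s, expires at e25); c23 = 2 s and c25 = 3 s. The costs c22 = 5 s and
# c24 = 4 s are consumed while T1 and T2 run, as in the page's arithmetic D1 + c23 + D2 + c25.
SPEC_LENGTH = {"T1": 5, "T2": 4}   # D_j from the specification, also D_s of the harness timers
SEQUENCE = [                       # (edge, timer started by the edge, timer whose timeout triggers it, cost)
    ("e21", "T1", None, 0),
    ("e23", "T2", "T1", 2),
    ("e25", None, "T2", 3),
]


def run(impl_length, augmented):
    """Traverse e21, e23, e25 against an IUT whose timers have the lengths impl_length (D'_j).

    Returns (verdict, t): ("pass", instant of o25 measured from e21) for an accepted run, or
    the fault state the augmentation forces and the instant at which the fault edge is taken.
    """
    t = 0                 # time elapsed since e21 was traversed
    started_at = {}       # instant each timer (and its harness twin T_s) was started
    for edge, starts, expires, cost in SEQUENCE:
        if expires is not None:
            fired = started_at[expires] + impl_length[expires]   # when the IUT's T_j times out
            if augmented:
                f_s = fired - started_at[expires]   # elapsed time of the harness timer T_s then
                D_s = SPEC_LENGTH[expires]
                if f_s < D_s:        # T_j expired while T_s still running: e_fault -> S_F-IV
                    return "S_F-IV", fired
                if f_s > D_s:        # T_s expired while T_j still running: e_fault -> S_F-V
                    return "S_F-V", started_at[expires] + D_s
            t = fired
        t += cost
        if starts is not None:
            started_at[starts] = t
    return "pass", t


def masking_example():
    """D'_1 = 4 < D_1 (Fault IV) together with D'_2 = 5 > D_2 (Fault V): the same o25 instant
    as the specification without augmentation, but S_F-IV is reached with it."""
    faulty = {"T1": 4, "T2": 5}
    return {
        "spec": run(SPEC_LENGTH, augmented=False),
        "faulty": run(faulty, augmented=False),
        "faulty_augmented": run(faulty, augmented=True),
        "late_T2_augmented": run({"T1": 5, "T2": 6}, augmented=True),
    }


if __name__ == "__main__":
    for label, (verdict, t) in masking_example().items():
        print(f"{label:20s} {verdict:7s} at {t} s after e21")
```

The two unaugmented runs both report $o_{25}$ at 14 s, reproducing the page's arithmetic; with the harness timers, the run with the short $T_1$ is diverted to $S_{F-IV}$ at 4 s, before $T_2$ is ever started, and a run whose only defect is a long $T_2$ is diverted to $S_{F-V}$ the instant $T_{s}$ expires.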
Corollary 3: The multiple occurrences of Faults IV and V, irrespective of their occurrence order, are detectable after the graph is augmented for single Faults IV and V as in Section 4.3.
A number of individually detectable timing faults can hide each other's faulty behavior, making the faulty system indistinguishable from a non-faulty one. A set of augmentations for the timed FSM model introduced in Ref. [7] is presented for single timing faults. The augmentations for the single faults are shown to be capable of detecting multiple occurrences of pairwise combinations of these timing faults. The fault detection capabilities of existing timed automata models and of the model studied in this paper will be compared as an extension of this work.
