8 Test Derivation from Timed Automata
Laura Brandán Briones¹ and Mathias Röhl²
¹ University of Twente, brandanl@cs.utwente.nl
² University of Rostock, mroehl@informatik.uni-rostock.de
8.1 Introduction
A real-time system is a discrete system whose state changes occur in real-numbered time [AH97]. For testing real-time systems, specification languages must be extended with constructs for expressing real-time constraints, the implementation relation must be generalized to take the temporal dimension into account, and the data structures and algorithms used to generate tests must be revised to operate on a potentially infinite set of states.
There are various formalisms that use fictitious clocks for expressing timing constraints. These simplify reasoning about time by recording the timing of events with finite precision only, and thereby approximate the precise timing of activities. The set of nonnegative integers could be used as a time domain, with the restriction that the sequence of integer times must be non-decreasing. Behavior on a discrete time scale could be modeled with ordinary finite automata by adding a distinguished tick event to the set of their actions.
In dense time domains, which could be sub-domains of Q≥0 or R≥0, events may occur at different time points that lie arbitrarily close together. Detecting arbitrarily small variations would require infinite test cases. However, if two events may occur at different times but their ordering makes no difference to an observer for testing purposes, these events may be considered to take place at the same point in time. Henzinger et al. showed that the digitization of clocks allows one to distinguish all systems which are distinguishable in the dense time domain, provided the system can be modeled as a timed transition system [HMP92].
We start with a general introduction to timed automata and associated concepts. The main part presents three different techniques for the generation of real-time black-box conformance tests from timed automata with a dense time domain. The first approach allows for testing (a subclass of) nondeterministic timed automata, the second one concentrates on the exhaustive testing of deterministic timed automata, while the last approach facilitates the testing of deterministic timed automata with silent transitions. An automatic light switch is used as a running example for specifications and test suite derivation.
M. Broy et al. (Eds.): Model-Based Testing of Reactive Systems, LNCS 3472, pp. 201-231, 2005. © Springer-Verlag Berlin Heidelberg 2005
8.2 Timed Automata
Timed automata extend finite state automata with a finite set of clocks over a dense time domain [AD94]. All clocks increase monotonically at a uniform rate, and measure the amount of time that has elapsed since they were started or
reset. The choice of the next state of a timed automaton depends, in addition to
the kind of an input symbol, on the occurrence time of the input symbol relative
to the occurrence of previously read symbols. Each transition of the system may
reset some of the clocks and have an associated enabling condition which is a
constraint on the values of the clocks. A transition can be taken only if the
current clock values satisfy its enabling condition. Timing constraints on clocks
may be expressed by the following syntax.
Definition 8.1. For a set C of clock variables, the set Φ(C) of clock constraints ϕ, where c ∈ C and k ∈ Q≥0, is defined inductively by
ϕ ::= c < k | c > k | c ≤ k | c ≥ k | ϕ1 ∧ ϕ2
Often, c = k ≝ c ≤ k ∧ c ≥ k and true ≝ 0 ≤ c are used as abbreviations.
Definition 8.2. A timed automaton A is a tuple 〈S ,S0, Σ,C , Inv ,E 〉, where
• S is a finite set of locations
• S0 ⊆ S is a set of initial locations
• Σ is a finite alphabet that denotes the set of actions
• C is a finite set of clocks
• Inv : S → Φ(C ) associates a clock invariant to each location
• E ⊆ S × Σ × Φ(C) × 2^C × S gives the set of transitions [Alu99].
A transition (s, a, ϕ, λ, s′) ∈ E represents a change of location from s ∈ S to s′ ∈ S on symbol a ∈ Σ. The clock constraint (guard) ϕ ∈ Φ(C) specifies when the
transition is enabled, and the set λ ⊆ C gives the set of clocks to be reset when
this transition is taken. Clock invariants constrain how long the automaton is
allowed to stay in a certain location.
Example. We adopt the automatic Light Switch from Springintveld et al. as an
example [SVD01]. The Light Switch can be specified by a timed automaton A ,
with
• S = {s0, s1}
• S0 = {s0}
• Σ = {on, off }
• C = {c}
• Inv(s0) = true, Inv(s1) = c ≤ 5
• E = {(s0, on, true, {c}, s1), (s1, on, c < 5, {c}, s1), (s1, off , c = 5, ∅, s0)}
Its behavior can be explained as follows. The state of the system in which the light is off is represented by s0, and the state s1 represents the situation where the light is on. The light can be turned on by pushing the on button. After five time units the switch turns itself off. Before that happens, the on button may be pushed again, which will leave the light on (cf. Figure 8.1).
[Figure 8.1: locations s0 and s1, the latter with invariant c ≤ 5; edges on, true, {c} from s0 to s1; on, c < 5, {c} from s1 to s1; off, c = 5, ∅ from s1 to s0]
Fig. 8.1. A timed automaton specification of an automatic Light Switch
Remark 8.3. Timed automata were introduced by Alur and Dill [AD94] as a gen-
eralization of finite-state machines over infinite words [Tho90]. We only consider
timed automata without acceptance conditions which are usually referred to as
timed safety automata [HNSY92]. An introduction to acceptance is given in
Section 19.2, whereas a discussion of acceptance conditions in the context of
timed automata can be found elsewhere [HKWT95].
The behavior of a timed automaton A depends on both its current location
and the actual values of all its clocks.
Definition 8.4. A clock valuation over a set of clocks C is a map ν that
assigns to each clock c ∈ C a value in R≥0. With V (C ) we denote the set of
clock valuations over C . For d ∈ R≥0, ν + d denotes the clock interpretation
which maps every clock c to the value ν(c) + d . For λ ⊆ C , ν[λ := 0] denotes
the clock interpretation for C which assigns 0 to each c ∈ λ, and agrees with ν
over the rest of the clocks.
A labeled transition system M with uncountably many states can be used to define the possible behavior of a timed automaton A. A state of M has to be a pair 〈s, ν〉 such that s is a location of A and ν is a clock valuation for C satisfying the invariant InvA(s). Transitions of M represent either an elapse of time or a transition of A.
Definition 8.5. The semantics of a timed automaton A is given by the LTS
M = 〈Q ,Q0,L,→〉, where
• Q = {〈s , ν〉 ∈ SA ×V (CA ) | ν |= InvA (s)}
• Q0 ⊆ Q with 〈s , ν〉 ∈ Q0 iff s ∈ S0A and ν(c) = 0 for all clocks c ∈ CA
• L = ΣA ∪ R≥0
• →⊆ Q × L×Q , which could be either
– (〈s , ν〉, d , 〈s , ν +d〉) iff d ∈ R≥0 and for all 0 ≤ d ′ ≤ d , ν +d ′ |= InvA (s)
– (〈s , ν〉, a, 〈s ′, ν[λ := 0]〉) iff (s , a, ϕ, λ, s ′) ∈ EA and ν |= ϕ
Due to dense-time clocks, the transition system M for a timed automaton A has infinitely many states and operates on infinitely many symbols. Analysis of safety requirements of real-time systems can be formulated as reachability problems for timed automata. Since the transition system M for a timed automaton A is infinite, reachability analysis constructs a quotient called the region automaton by partitioning the uncountable state space into finitely many regions [Alu99].
A timed automaton can be seen as accepting (or generating) timed words
and thereby defining a timed language. Two timed automata are said to be
equivalent if they accept the same timed language.
Definition 8.6. A timed word over an alphabet Σ is a finite sequence (a1, t1)
. . . (an , tn) of symbols ai ∈ Σ paired with nonnegative real numbers ti ∈ R≥0
that are nondecreasing (∀ i < n.ti < ti+1). A timed language over Σ is a set
of timed words over Σ.
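As an added example (not code from the chapter), the following Python program encodes Definitions 8.2, 8.4 and 8.5 for the Light Switch of Figure 8.1 and decides whether a timed word in the sense of Definition 8.6 has a run in the LTS M. The names `TimedAutomaton`, `accepts` and `light_switch`, and the representation of guards and invariants as Python predicates, are choices made here, not notation from the chapter. Because a timed automaton may be nondeterministic, the set of all states of M reachable by the prefix read so far is tracked, and each time-elapse step is checked against the location invariant as the first rule of Definition 8.5 requires.

```python
from fractions import Fraction
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# Clock valuation nu of Definition 8.4: clock name -> nonnegative rational.
Valuation = Dict[str, Fraction]
# Clock constraint phi in Phi(C) (Definition 8.1), given here as a predicate on valuations.
Guard = Callable[[Valuation], bool]
# Transition (s, a, phi, lambda, s') of E (Definition 8.2).
Edge = Tuple[str, str, Guard, FrozenSet[str], str]


def _freeze(nu: Valuation) -> tuple:
    """Hashable form of a valuation, so that states of M can be kept in a set."""
    return tuple(sorted(nu.items()))


class TimedAutomaton:
    """A timed automaton <S, S0, Sigma, C, Inv, E> as in Definition 8.2 (example encoding)."""

    def __init__(self, S, S0, Sigma, C, Inv: Dict[str, Guard], E: Iterable[Edge]):
        self.S, self.S0, self.Sigma, self.C = set(S), set(S0), set(Sigma), set(C)
        self.Inv, self.E = Inv, list(E)

    def initial_states(self) -> Set[Tuple[str, tuple]]:
        """Q0 of Definition 8.5: each initial location with every clock at 0."""
        zero = {c: Fraction(0) for c in self.C}
        return {(s, _freeze(zero)) for s in self.S0 if self.Inv[s](zero)}

    def delay(self, s: str, nu: Valuation, d: Fraction) -> Optional[Valuation]:
        """Time-elapse rule of Definition 8.5: <s, nu> -d-> <s, nu + d>, allowed only if
        Inv(s) holds for every 0 <= d' <= d.  Assumption: Inv(s) is a constraint of Phi(C),
        a conjunction of bounds on single clocks; the d' satisfying it along the ray nu + d'
        then form an interval, so checking d' = 0 and d' = d is exact."""
        nu_d = {c: v + d for c, v in nu.items()}
        return nu_d if self.Inv[s](nu) and self.Inv[s](nu_d) else None

    def fire(self, s: str, nu: Valuation, a: str):
        """Action rule of Definition 8.5: every <s, nu> -a-> <s', nu[lambda := 0]> enabled in <s, nu>."""
        for src, act, phi, lam, tgt in self.E:
            if src == s and act == a and phi(nu):
                nu2 = {c: (Fraction(0) if c in lam else v) for c, v in nu.items()}
                if self.Inv[tgt](nu2):          # states of M must satisfy their invariant
                    yield tgt, nu2


def accepts(ta: TimedAutomaton, word: List[Tuple[str, object]]) -> bool:
    """Decide whether the timed word (a1, t1) ... (an, tn) of Definition 8.6 has a run in M.
    The automaton may be nondeterministic, so all states reachable by the prefix read so far are kept."""
    current = ta.initial_states()
    now = Fraction(0)
    for a, t in word:
        t = Fraction(t)
        if t < now:
            raise ValueError("time stamps of a timed word must be nondecreasing")
        successors = set()
        for s, frozen in current:
            nu_d = ta.delay(s, dict(frozen), t - now)
            if nu_d is not None:
                successors.update((s2, _freeze(nu2)) for s2, nu2 in ta.fire(s, nu_d, a))
        current, now = successors, t
        if not current:
            return False
    return True


def light_switch() -> TimedAutomaton:
    """The automatic Light Switch of Figure 8.1."""
    true = lambda nu: True
    return TimedAutomaton(
        S={"s0", "s1"}, S0={"s0"}, Sigma={"on", "off"}, C={"c"},
        Inv={"s0": true, "s1": lambda nu: nu["c"] <= 5},
        E=[("s0", "on", true, frozenset({"c"}), "s1"),
           ("s1", "on", lambda nu: nu["c"] < 5, frozenset({"c"}), "s1"),
           ("s1", "off", lambda nu: nu["c"] == 5, frozenset(), "s0")])


if __name__ == "__main__":
    sw = light_switch()
    print(accepts(sw, [("on", 0), ("on", 3), ("off", 8)]))   # True: second push at c = 3, off at c = 5
    print(accepts(sw, [("on", 0), ("off", 4)]))              # False: off requires c = 5
    print(accepts(sw, [("on", 0), ("off", 6)]))              # False: Inv(s1) = c <= 5 is violated
```

Rational time stamps (via `Fraction`) keep the dense-time arithmetic exact, which matters for guards such as c = 5 that an implementation with floating-point clocks would easily miss.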
Remark 8.7. Alur and Dill showed that a Büchi automaton (called region automaton) can be constructed that accepts exactly the set of untimed words that are consistent with the timed words accepted by a timed automaton [AD94]. The construction of the region automaton is PSPACE-complete.
Remark 8.8. Alur and Dill showed the language inclusion problem to be undecid-
able for nondeterministic timed automata but solvable in PSPACE for determin-
istic timed automata. The problem of deciding the emptiness of the language of
a given timed automaton is PSPACE-complete for deterministic timed automata
[AD94].
Deterministic timed automata form an important subclass of timed automata
that are strictly less expressive than nondeterministic timed automata [AD94].
For timed automata to be deterministic multiple transitions starting at the same
location with the same label are only allowed if their clock constraints are mu-
tually exclusive. Thus, at most one of the transitions with the same action is
enabled at a given time.
Definition 8.9. A timed automaton 〈S ,S0, Σ,C , Inv ,E 〉 is called determin-
istic iff
• |S0| = 1, and
• for all s ∈ S , for all a ∈ Σ, for every pair of transitions of the form
〈s , a, ϕ1, λ1, s1〉 ∈ E and 〈s , a, ϕ2, λ2, s2〉 ∈ E , ϕ1 ∧ ϕ2 is unsatisfiable.
Definition 8.10. Timed automata with silent transitions are obtained by extending Definition 8.2 such that for a transition (s, a, ϕ, λ, s′) ∈ E the action a can be in Σ ∪ {τ}, where τ ∉ Σ. A transition (s, a, ϕ, λ, s′) is called a silent transition (often called ε-transition) when a = τ. If, in addition, λ = ∅ then we speak of a silent transition without reset.
Remark 8.11. Whereas silent transitions do not increase the expressiveness of untimed automata, they strictly increase the power of timed automata. Bérard et al. showed silent transitions with clock resets that lie on a directed cycle to be responsible for this increase in expressiveness [BPDG98].
8.3 Testing Event Recording Automata
Nielsen and Skou present a technique for the automatic generation of real-time
black-box conformance tests for non-deterministic systems [NS03]. They start
from a determinizable class of timed automata specifications called ERA, with a
dense time interpretation. The tests are generated using a coarse grained equiv-
alence class partition of the specification.
8.3.1 Model
Event Recording Automata (ERA) were proposed by Alur, Fix and Henzinger
[AFH94] as a determinizable subclass of timed automata and have language
inclusion as a decidable property (like all deterministic timed automata).
Like a timed automaton [AD94], an ERA has a set of clocks, which can be used in guards (clock constraints) and be reset when an action is taken. In an ERA, however, each action a is uniquely associated with a clock ca, called the event clock of a. Whenever an action a is executed the event clock ca is automatically reset. No further clock assignments are permitted. The event clock ca thus records the amount of time passed since the last occurrence of a. No silent τ-actions or location invariants are permitted. These restrictions ensure determinizability [AFH94].
Definition 8.12. An Event Recording Automaton (ERA) A is a tuple
〈S , s0, Σ,E 〉, where
• S is a non-empty (finite) set of locations
• s0 ∈ S is the initial location
• Σ is a finite set of actions
• E ⊆ S ×Σ × Φ(C ) × S is the set of transitions
where
– C = {ca | a ∈ Σ} is the set of real-valued clocks
– Φ(C) is the set of clock constraints (or guards); these guards are generated by the syntax ϕ ::= γ | ϕ ∧ ϕ, where γ is a constraint of the form c1 ∼ k or c1 − c2 ∼ k with ∼ ∈ {≤, <, =, >, ≥}, k a non-negative integer constant, and c1, c2 ∈ C.
All actions are urgent, meaning that synchronization between two automata takes place immediately when the parties have enabled a pair of complementary actions. The complementary actions are the actions by which the automata synchronize, in our case input and output actions, denoted by ? and ! respectively. The requirement of urgent actions is needed because with non-urgent observable actions the synchronization delay could be unbounded.
Example. Figure 8.2 shows an ERA which describes the behavior of the automatic Light Switch. The initial location is indicated by a double circle. Formally, the ERA is given by 〈S, s0, Σ, E〉, where
• S = {s0, s1}
• s0 is the initial location
• Σ = {on?, off!}
• E = {(s0, on?, true, s1), (s1, on?, con < 5, s1), (s1, off!, con = 5, s0)}
[Figure 8.2: locations s0 (initial, drawn with a double circle) and s1; edges on?, true from s0 to s1; on?, con < 5 from s1 to s1; off!, con = 5 from s1 to s0]
Fig. 8.2. ERA specification for an automatic Light Switch [SVD01]
The determinization procedure for ERAs is given by Alur, Fix and Henzinger
[AFH94], and is conceptually a simple extension of the method used for the
untimed case, only now the guards must be taken into account.
8.3.2 Symbolic Representation
Timed automata (a network of ERAs) with a dense time interpretation cannot be analyzed by finite state techniques, since the timed transition system associated with them has infinitely many states. Therefore, they must be analyzed symbolically [NS03]. Similar to the region automaton [Alu99], which partitions the state space into finitely many regions, zones are used here instead, in the following way.
The state of a network of timed automata is represented by a pair 〈s, ν〉, where s is the vector of the automata's current locations, and ν is the vector of their current clock values. A zone z is a conjunction of clock constraints of the form c1 ∼ k or c1 − c2 ∼ k with ∼ ∈ {≤, <, =, >, ≥} or, equivalently, the solution set of these constraints. A symbolic state [s, z] represents the (infinite) set of states {〈s, ν〉 | ν ∈ z}.
Example. The graphical view of the symbolic state [s1, z ] for the ERA of example
8.3.1, with z = con < 5 is shown in Figure 8.3.
Zones can be represented and manipulated efficiently by the difference bound matrix (DBM) data structure [Bel57]. The use of zones allows us to compute:
• The symbolic state that results after taking a transition from a given source symbolic state
• The reachable state space. Forward reachability analysis starts in the initial state (s0, 0) and computes the symbolic states that can be reached by executing an action from an existing one, or by letting time pass. When a new symbolic state is included in one previously visited, no further exploration of the new state needs to take place. Forward reachability analysis terminates when no new state can be reached
[Figure 8.3: the symbolic state [s1, z] with z = con < 5, drawn in the plane with con on the horizontal axis (0 to 5) and coff on the vertical axis; the shaded area is the solution set of z]
Fig. 8.3. A symbolic state and the solution set corresponding to the zone z
• Given a symbolic path to a symbolic state, a concrete timed trace leading
to it (or a subset thereof) can be computed by propagating its constraints
back along the symbolic path used to reach it, and by choosing specific time
points along this trace
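An added example, not code from the chapter or from RTCAT: a minimal difference bound matrix in Python with the zone operations that forward reachability needs (intersection with a guard, reset of a clock, letting time pass, emptiness and inclusion), run over the ERA of Figure 8.2 to compute its reachable symbolic states. The class and function names, the encoding of guards as lists of difference constraints, and the convention that the event clock of an action is named by prefixing `c` to the action name (`con`, `coff`) are assumptions of this example. Inclusion of a new symbolic state in a visited one is the termination test described in the list above.

```python
import math
from typing import List, Tuple

# A bound is (k, strict): x_i - x_j < k when strict, x_i - x_j <= k otherwise.
Bound = Tuple[float, bool]
INF: Bound = (math.inf, True)


def tighter(b1: Bound, b2: Bound) -> bool:
    """b1 is at least as tight as b2: smaller constant, or equal constant with strict before non-strict."""
    return b1[0] < b2[0] or (b1[0] == b2[0] and (b1[1] or not b2[1]))


def add(b1: Bound, b2: Bound) -> Bound:
    """Sum of two bounds along a path i -> k -> j."""
    if math.isinf(b1[0]) or math.isinf(b2[0]):
        return INF
    return (b1[0] + b2[0], b1[1] or b2[1])


class DBM:
    """Difference bound matrix over [x0, c1, ..., cn]: x0 is the reference clock fixed at 0, and
    m[i][j] bounds x_i - x_j.  A fresh DBM is the single valuation with every clock equal to 0."""

    def __init__(self, clocks: List[str]):
        self.clocks = ["0"] + list(clocks)
        self.idx = {c: i for i, c in enumerate(self.clocks)}
        n = len(self.clocks)
        self.m = [[(0.0, False)] * n for _ in range(n)]

    def copy(self) -> "DBM":
        d = DBM(self.clocks[1:])
        d.m = [row[:] for row in self.m]
        return d

    def canonical(self) -> "DBM":
        """Floyd-Warshall closure: each entry becomes the tightest bound implied by all the others."""
        n = len(self.m)
        for k in range(n):
            for i in range(n):
                for j in range(n):
                    via = add(self.m[i][k], self.m[k][j])
                    if tighter(via, self.m[i][j]):
                        self.m[i][j] = via
        return self

    def is_empty(self) -> bool:
        """A negative cycle, i.e. x_i - x_i < 0 on the diagonal after closure, means no solution."""
        return any(tighter(self.m[i][i], (0.0, True)) for i in range(len(self.m)))

    def constrain(self, ci: str, cj: str, bound: Bound) -> "DBM":
        """Intersect with x_ci - x_cj (<|<=) k; the name "0" stands for the reference clock."""
        i, j = self.idx[ci], self.idx[cj]
        if tighter(bound, self.m[i][j]):
            self.m[i][j] = bound
        return self.canonical()

    def up(self) -> "DBM":
        """Let an arbitrary amount of time pass: drop every upper bound x_i - x_0."""
        for i in range(1, len(self.m)):
            self.m[i][0] = INF
        return self

    def reset(self, c: str) -> "DBM":
        """x_c := 0, by copying the reference clock's row and column."""
        i = self.idx[c]
        for j in range(len(self.m)):
            self.m[i][j] = self.m[0][j]
            self.m[j][i] = self.m[j][0]
        return self

    def includes(self, other: "DBM") -> bool:
        """Zone inclusion other ⊆ self, valid when both matrices are in canonical form."""
        n = len(self.m)
        return all(tighter(other.m[i][j], self.m[i][j]) for i in range(n) for j in range(n))


# A guard is a list of difference constraints (ci, cj, bound): con < 5 is ("con", "0", (5.0, True)).
Guard = List[Tuple[str, str, Bound]]
EraEdge = Tuple[str, str, Guard, str]     # (s, a, guard, s') of Definition 8.12


def light_switch_era() -> Tuple[str, List[str], List[EraEdge]]:
    """The ERA of Figure 8.2 as (initial location, actions, transitions)."""
    con_eq_5 = [("con", "0", (5.0, False)), ("0", "con", (-5.0, False))]
    return "s0", ["on?", "off!"], [("s0", "on?", [], "s1"),
                                   ("s1", "on?", [("con", "0", (5.0, True))], "s1"),
                                   ("s1", "off!", con_eq_5, "s0")]


def event_clock(a: str) -> str:
    """Naming assumption of this example: the event clock of action a is 'c' + a (con, coff)."""
    return "c" + a.rstrip("?!")


def reachable_symbolic_states(era) -> List[Tuple[str, DBM]]:
    """Forward reachability over symbolic states [s, z] (Section 8.3.2): start from <s0, 0>, let
    time pass, and take action successors (zone ∧ guard, reset of the event clock, time passing)
    until every new symbolic state is included in one already visited."""
    s0, actions, edges = era
    initial = DBM([event_clock(a) for a in actions]).up()
    visited, todo = [(s0, initial)], [(s0, initial)]
    while todo:
        s, z = todo.pop()
        for src, a, guard, tgt in edges:
            if src != s:
                continue
            z2 = z.copy()
            for ci, cj, b in guard:
                z2.constrain(ci, cj, b)
            if z2.is_empty():                  # the transition is enabled nowhere in the zone
                continue
            z2.reset(event_clock(a)).up()
            if not any(t == tgt and zv.includes(z2) for t, zv in visited):
                visited.append((tgt, z2))
                todo.append((tgt, z2))
    return visited


if __name__ == "__main__":
    for s, z in reachable_symbolic_states(light_switch_era()):
        print(s, {(ci, cj): z.m[i][j] for i, ci in enumerate(z.clocks)
                  for j, cj in enumerate(z.clocks) if i != j})
```

For the Light Switch the exploration stops after three symbolic states: the initial one in s0, the state in s1 with con ≤ coff, and the state in s0 reached after off!, where con − coff = 5; the second pass over s1 produces a zone already included and is pruned.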
Remark 8.13. To ensure soundness of the produced tests, symbolic reachability
analysis is needed to select only states for testing that are reachable, and to
compute only timed traces that are actually part of the specification.
8.3.3 Testing
As opposed to exhaustive testing, a test selection criterion (or coverage criterion) is used in this case, i.e. a rule that describes which behavior or which requirements should be tested. Coverage is a metric of completeness with respect to a test selection criterion.
For real-time systems it is proposed to partition the clock valuations into
domains and ensure that each such domain is tested systematically.
Example. In our example of the automatic Light Switch, a partition domain for
con could be as shown in Figure 8.4.
[Figure 8.4: the con axis from 0 to 5, with coff on the vertical axis, split into the three domains dom1, dom2 and dom3]
Fig. 8.4. ERA Domains Graph
The selection criterion used here is based on partitioning the state space of the specification into coarse equivalence classes, and requires that the test suite for each class yields a set of required observations of the implementation when it is expected to be in a state of that class. As in Hennessy's work [HN83], the following abstract syntax is used:
(1) after σ must A,
(2) can σ,
(3) after σ must ∅
where σ ∈ Act* and A ⊂ Act. Informally, (1) is successful if at least one of the observations in A (called a must set) can be observed whenever the trace σ has been performed, (2) is successful if σ is a prefix of the observed system behavior, and (3) is successful if this is not the case (i.e. σ is not a prefix). Using this notation, each class is decorated with the simple deadlock observations of the forms after ε must A (a must property), after a must ∅ (a refusal property), and can a (a may property) that should be satisfied in that class (this idea was taken from the testing preorder).
A test case consists of a timed trace which leads to a desired state in a coarse equivalence class, followed by one of the simple deadlock observations.
Now we present the state partitioning definition, which is used to construct the equivalence class graph. This graph is a transformation of the original automaton that preserves all of its information; moreover, it is the equivalence class graph that is actually used in the test derivation process.
State partitioning works as follows. Let S′ be a location vector in the determinized automaton; note that S′ can be a set of locations of the original automaton. The control location S′ will have its clock valuations partitioned such that two clock valuations belong to the same equivalence class if and only if they enable precisely the same outgoing transitions from S′, i.e. the states are equivalent with respect to the enabled transitions.
An equivalence class is represented by a pair [S′, p], where S′ is a set of location vectors, and p is the inequation that describes the clock constraints that must hold for that class, i.e. [S′, p] is the set of states {〈S′, ν〉 | ν ∈ p}. Further, to obtain equivalence classes that are continuous convex polyhedra, and to enable the reuse of existing efficient symbolic techniques (as used in model checking), this constraint is rewritten in disjunctive normal form. Each disjunct is treated as an equivalence class.
Definition 8.14. State Partitioning Ψ(S′)
Let S′ be a set of location vectors and E(S′) the set of transitions from a location in S′. If E is a set of transitions, Γ(E) denotes the set of guards of the set E:
Γ(E) = {ϕ ∈ Φ(C) | s –ϕ,a→ s′ ∈ E}
Let P be a constraint over clock inequations γ composed using the logical connectives (∧, ∨, or ¬). DNF(P) denotes a function that rewrites constraint P to its equivalent disjunctive normal form, i.e. such that ⋁i ⋀j γij = P. Each conjunct in disjunctive form can be written as a guard ϕ ∈ Φ(C). The disjunctive normal form can be interpreted as a disjunction of guards such that ⋁i ϕi = ⋁i ⋀j γij. Let
Ψ(S′) = {PE′ | E′ ∈ 2^E(S′) ∧ PE′ = ⋀_{ϕ ∈ Γ(E′)} ϕ ∧ ⋀_{ϕ ∈ Γ(E(S′) − E′)} ¬ϕ}
Then the set of guards ϕi whose disjunction equals the disjunctive normal form is denoted GDNF, i.e.
GDNF(PE′) = {ϕi ∈ Φ(C) | ⋁i ϕi = DNF(PE′)}
and finally Ψdnf(S′) is:
Ψdnf(S′) = ⋃_{PE′ ∈ Ψ(S′)} GDNF(PE′).
To make this definition more understandable we show the next example. Using our example of the automatic Light Switch, we present the procedure for finding the equivalence classes for S′ = {s1}.
Example. Let S′ = {s1}, then the transitions from S′ are:
E(S′) = {(s1, on?, con < 5, s1), (s1, off!, con = 5, s0)}
the guards of E(S′) are:
Γ(E(S′)) = {con < 5, con = 5}
only for simplicity we present 2^Γ(E(S′)) instead of 2^E(S′):
2^Γ(E(S′)) = {∅, {con < 5, con = 5}, {con < 5}, {con = 5}}
and:
Ψ(S′) = {(con ≥ 5) ∧ (con ≠ 5), (con < 5) ∧ (con ≠ 5), (con ≥ 5) ∧ (con = 5), (con < 5) ∧ (con = 5)}
the disjunctive normal form of Ψ(S′) is:
Ψdnf(S′) = {con > 5, con < 5, con = 5, ∅}
Then we have [s1, con > 5], [s1, con < 5] and [s1, con = 5] as states for our equivalence class graph.
The state space of the ERA specification is a graph of equivalence classes. A node in this graph corresponds to an equivalence class. A transition between two nodes is labeled with an action, and represents the possibility of executing that action in a state in the source node, waiting some amount of time, and thereby entering a state in the target node. The graph is constructed by starting from an existing node [S′, p] (initially the equivalence class of the initial location), and then, for each enabled action a, computing the set of locations S′′ that can be entered by executing action a from the current equivalence class. Then the partitions p′ of location S′′ can be computed according to Definition 8.14. Every [S′′, p′] is then an a-successor of [S′, p]. Only equivalence classes whose constraints have solutions need to be represented. The equivalence class graph is defined inductively in Algorithm 11.
Each equivalence class [S′, p] is decorated with the action sets M, C, R from the testing preorder, as shown in Definition 8.15.
Algorithm 11 Equivalence Class Graph
input: determinized ERA specification Spec
output: an equivalence class graph
1  S′0 = {s0}
2  E = ∅                                          // E is the set of transitions
3  N = {[S′0, p] | p ∈ Ψdnf(S′0) ∧ p ≠ ∅}         // N is the set of nodes
4  N′ = N                                         // N′ is the set of new nodes
5  while N′ ≠ ∅ do
6    N′′′ = ∅
7    foreach [S′, p] ∈ N′
8      foreach a ∈ Σ :
9        S′′ = {s′ | ∃ s ∈ S′ : s –ϕ,a→ s′}
10       if S′′ ≠ ∅ then
11         N′′ = {[S′′, p′] | p′ ∈ Ψdnf(S′′) ∧ p′ ≠ ∅}
12         E = E ∪ {([S′, p], a, [S′′, p′]) | [S′′, p′] ∈ N′′ ∧ (p ∧ ϕ) ≠ ∅}
13         N′′′ = N′′′ ∪ N′′
14   N′ = N′′′ − (N′′′ ∩ N)
15   N = N ∪ N′
Definition 8.15. Decorated Equivalence Classes
Define Must([S′, p]) = {A | ∃ 〈S′, ν〉 : 〈S′, ν〉 ∈ [S′, p] : 〈S′, ν〉 |= after ε must A}
Sort([S′, p]) = {a | ∃ 〈S′, ν〉 : 〈S′, ν〉 ∈ [S′, p] : 〈S′, ν〉 –a→}
• M([S′, p]) = Must([S′, p])
• C([S′, p]) = Sort([S′, p])
• R([S′, p]) = Σ − Sort([S′, p])
where ε denotes the empty sequence.
If σ is a timed trace that leads to [S′, p] and A ∈ M([S′, p]), then after σ must A is a test to be passed for that class. Similarly, after σ · a must ∅ is a test to be passed if a ∈ R([S′, p]), and can σ · a if a ∈ C([S′, p]). The number of generated tests can be reduced by removing tests that are logically passed by another test, i.e. the must sets can be reduced to M([S′, p]) = min⊆ Must([S′, p]) (where min⊆(M) gives the set of minimal elements of M under subset inclusion), and the actions observed during the execution of a must test can be removed from the may tests, i.e. C([S′, p]) = Sort([S′, p]) − ⋃_{A ∈ M([S′, p])} A.
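The following Python code is an added illustration, not the chapter's or RTCAT's implementation, of the state partitioning of Definition 8.14, of Algorithm 11, and of the C and R sets of Definition 8.15 for a single-clock ERA such as the Light Switch. Guards are represented as unions of intervals of the clock con, so that negation and conjunction of guards (and therefore the disjunctive normal form) reduce to interval arithmetic; the function names and the restriction to one clock are choices made here. The must sets M are not computed, because they need the reachability information discussed in the text.

```python
from fractions import Fraction
from itertools import combinations
from math import inf
from typing import FrozenSet, List, Tuple

# A set of values of the single event clock con, as a sorted list of disjoint intervals
# (lo, lo_open, hi, hi_open), hi possibly inf.  Guards and classes are such sets.
Interval = Tuple[object, bool, object, bool]
ClockSet = List[Interval]
TRUE: ClockSet = [(Fraction(0), False, inf, True)]          # the guard 'true'


def guard(op: str, k) -> ClockSet:
    """Atomic constraint 'con op k' of Definition 8.12 as a clock set."""
    k = Fraction(k)
    return {"<": [(Fraction(0), False, k, True)], "<=": [(Fraction(0), False, k, False)],
            "=": [(k, False, k, False)], ">=": [(k, False, inf, True)],
            ">": [(k, True, inf, True)]}[op]


def _nonempty(iv: Interval) -> bool:
    lo, lo_open, hi, hi_open = iv
    return lo < hi or (lo == hi and not lo_open and not hi_open)


def meet(a: ClockSet, b: ClockSet) -> ClockSet:
    """Conjunction of two clock sets: pairwise intersection of their intervals."""
    out = []
    for lo1, lo1o, hi1, hi1o in a:
        for lo2, lo2o, hi2, hi2o in b:
            lo, lo_open = max((lo1, lo1o), (lo2, lo2o))           # an open lower bound is the larger
            hi, hi_closed = min((hi1, not hi1o), (hi2, not hi2o))  # an open upper bound is the smaller
            iv = (lo, lo_open, hi, not hi_closed)
            if _nonempty(iv):
                out.append(iv)
    return sorted(out)


def complement(a: ClockSet) -> ClockSet:
    """Negation of a clock set within the clock domain [0, inf)."""
    out, lo, lo_open = [], Fraction(0), False
    for ilo, ilo_open, ihi, ihi_open in sorted(a):
        gap = (lo, lo_open, ilo, not ilo_open)
        if _nonempty(gap):
            out.append(gap)
        lo, lo_open = ihi, not ihi_open
    if lo != inf:
        out.append((lo, lo_open, inf, True))
    return out


def partition(guards: List[ClockSet]) -> List[Interval]:
    """Psi_dnf(S') of Definition 8.14: for every subset E' of the outgoing transitions, conjoin
    the guards in E' with the negations of the others; every interval of the result is one
    disjunct of the DNF, i.e. one equivalence class.  Unsatisfiable classes simply vanish."""
    classes: List[Interval] = []
    for r in range(len(guards) + 1):
        for chosen in combinations(range(len(guards)), r):
            p = TRUE
            for i, g in enumerate(guards):
                p = meet(p, g if i in chosen else complement(g))
            for iv in p:
                if iv not in classes:
                    classes.append(iv)
    return classes


def show(p: Interval) -> str:
    """Render a class in the chapter's notation (tt, con < 5, con = 5, con > 5, ...)."""
    lo, lo_open, hi, hi_open = p
    if lo == 0 and hi == inf:
        return "tt"
    if lo == hi:
        return f"con = {lo}"
    if lo == 0:
        return f"con {'<' if hi_open else '<='} {hi}"
    if hi == inf:
        return f"con {'>' if lo_open else '>='} {lo}"
    return f"{lo} {'<' if lo_open else '<='} con {'<' if hi_open else '<='} {hi}"


EraEdge = Tuple[str, str, ClockSet, str]     # (s, a, guard, s')
Node = Tuple[FrozenSet[str], Interval]       # [S', p]


def equivalence_class_graph(s0: str, actions: List[str], edges: List[EraEdge]):
    """Algorithm 11 for a single-clock ERA, plus the C and R sets of Definition 8.15.
    Returns (nodes, labelled edges, C, R)."""
    def out(S): return [e for e in edges if e[0] in S]
    def classes(S): return partition([g for _, _, g, _ in out(S)])

    S0 = frozenset([s0])
    nodes: List[Node] = [(S0, p) for p in classes(S0)]
    new, graph_edges = list(nodes), []
    while new:                                        # N' != empty
        fresh: List[Node] = []
        for S, p in new:
            for a in actions:
                a_edges = [e for e in out(S) if e[1] == a]
                S2 = frozenset(t for _, _, _, t in a_edges)   # S''
                if not S2:
                    continue
                for p2 in classes(S2):
                    if any(meet([p], g) for _, _, g, _ in a_edges):   # p ∧ phi != empty
                        graph_edges.append(((S, p), a, (S2, p2)))
                    if (S2, p2) not in nodes and (S2, p2) not in fresh:
                        fresh.append((S2, p2))
        nodes, new = nodes + fresh, fresh
    C = {n: {a for _, a, g, _ in out(n[0]) if meet([n[1]], g)} for n in nodes}   # Sort([S', p])
    R = {n: set(actions) - C[n] for n in nodes}                                  # Sigma - Sort
    return nodes, graph_edges, C, R


def light_switch():
    """The ERA of Figure 8.2."""
    return "s0", ["on?", "off!"], [("s0", "on?", TRUE, "s1"),
                                   ("s1", "on?", guard("<", 5), "s1"),
                                   ("s1", "off!", guard("=", 5), "s0")]


if __name__ == "__main__":
    nodes, graph_edges, C, R = equivalence_class_graph(*light_switch())
    for S, p in nodes:                                # the four nodes of Figure 8.5
        print(set(S), show(p), "C =", C[(S, p)], "R =", R[(S, p)])
    for (S, p), a, (S2, p2) in graph_edges:           # six on? edges and one off! edge
        print(set(S), show(p), f"--{a}-->", set(S2), show(p2))
```

Running it reproduces the worked example above, Ψdnf({s1}) = {con > 5, con < 5, con = 5}, and the graph of Figure 8.5 with four nodes and seven edges; the class [s1, con > 5] refuses both on? and off!, which is exactly the kind of refusal property (after σ · a must ∅) the text derives from R.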
Example. The equivalence class graph for the automatic Light Switch is shown in Figure 8.5.
The equivalence class graph preserves all timed traces of the specification, and the deadlock information required for the Hennessy tests [HN83] of the specification is stored in each node by means of the M, C and R action sets. The non-determinism found in the original specification is therefore maintained, but is represented differently, in a way that is more convenient for test generation: a test is composed of a trace (and a deadlock observation possible in the specification thereafter) and its associated verdict. This information can simply be found by following a path in the equivalence class graph.
[Figure 8.5: nodes ({s0}, p0) with p0: tt, ({s1}, p1) with p1: con > 5, ({s1}, p2) with p2: con < 5, and ({s1}, p3) with p3: con = 5; six edges labeled on? and one edge labeled off!]
Fig. 8.5. ERA Equivalence Class Graph for the Light Switch
Even though the equivalence class graph has the necessary information for generating timed Hennessy tests, it also contains behavior and states not found in the specification, and using such behavior would result in irrelevant and unsound tests (in the same way as in model checking, where after using zones it is necessary to perform a reachability analysis). To ensure soundness, only traces and deadlock properties actually contained in the specification should be used in a generated test. Therefore, the specification is interpreted symbolically, and the tests are generated from a representation of only the reachable states and behavior.
Algorithm 12 represents the test generation procedure. Step 1 constructs the equivalence class graph. The result of step 2 is the symbolic reachability graph. Nodes in this graph consist of symbolic states [S′, z/p] where S′ is a set of location vectors, and z is a constraint characterizing a set of reachable clock valuations that also lie in p, i.e. z ⊆ p. A transition represents that the target state is reachable by executing an action from the source state and then waiting for some amount of time. The nodes in the reachability graph are decorated with the sets M, C and R. Step 4 initializes an empty set Tested that will hold the symbolic states for which tests have been generated so far. Steps 5 and further contain the test generation process.
This algorithm only generates tests for the first symbolic state that reaches a given partition, and uses the set Tested to ignore subsequent passes over the same partition. This ensures that all the may, must, and refusal properties are only generated once per partition, thus reducing the number of produced test cases.
This theory and algorithm have been implemented in a prototype tool called RTCAT. RTCAT inputs an ERA specification in AUTOGRAPH format, see [BRRdS96]. A specification may consist of several ERA operating in parallel and communicating via shared clocks and integer variables, but no silent actions (τ) are allowed. The application of this technique to a realistic specification shows “promising results: the test suite is quite small, is constructed quickly, and with a reasonable memory usage” [NS03].
Algorithm 12 Overall Test Case Generation
input: ERA specification Spec
output: a complete cover set of timed Hennessy properties
1  Compute Specp = Equivalence Class Graph(Spec)
2  Compute Specr = Reachability Graph(Specp)
3  Label every [S′, z/p] ∈ Specr with the sets M, C, R
4  Tested := ∅
5  foreach [S′, z/p] ∈ Specr                              // traverse Specr
6    if ¬∃ z′ : [S′, z′/p] ∈ Tested then
7      Tested := Tested ∪ {[S′, z/p]}                      // enumerate tests
8      Choose 〈s, ν〉 ∈ [S′, z/p]
9      Compute a concrete timed trace σ from 〈s0, 0〉 to 〈s, ν〉
10     Make test cases:
11       if A ∈ M([S′, p]) then after σ must A is a relevant test
12       if a ∈ C([S′, p]) then can σ · a is a relevant test
13       if a ∈ R([S′, p]) then after σ · a must ∅ is a relevant test
8.4 Testing Deterministic Timed Automaton
Springintveld, Vaandrager and D'Argenio [SVD01] showed that exhaustive testing of trace equivalence for deterministic timed automata with a dense time interpretation is theoretically possible, but quite infeasible in practice. A grid algorithm for bounded time-domain automata is presented, which captures the real-time behaviors using finitely many points.
8.4.1 Model
The timed I/O automaton model is used here, which is a finite (untimed) automaton together with a timing annotation. This model is equivalent to the original timed automaton [AD94] with some restrictions that make exhaustive test derivation feasible. A timed I/O automaton makes exhaustive test derivation feasible if it does not have silent τ-transitions, is deterministic, is input enabled and has isolated outputs, as we will show later.
A finite automaton A′ (see footnote 1) is a rooted labeled transition system with Q (the set of states) and E (the transition relation →) finite. We fix some useful notations and definitions. An execution fragment of the LTS A′ is a finite or infinite alternating sequence q0 a1 q1 a2 q2 … of states and actions of A′ (ai ∈ LA′ and qi ∈ QA′), beginning with a state, and if it is finite also ending with a state, such that for all i > 0, qi−1 –ai→ qi. An execution of A′ is an execution fragment that begins with the initial state q0 of A′. A state q of A′ is reachable if it is the last state of some finite execution of A′. σ is a distinguishing trace of q and q′ if it is either a trace of q but not of q′, or the other way around (for the definition of traces see Appendix: Labeled Transition Systems). If δ ∈ E and δ = (q, a, q′) we denote src(δ) = q, act(δ) = a and trg(δ) = q′.
¹ The reason why we use A′ instead of A here is only notational: A′ denotes a finite automaton and A denotes a timed automaton.
Definition 8.16. Let B be an LTS. A relation R ⊆ QB × QB is a bisimulation on B iff whenever R(q1, q2), then
• q1 –a→ q′1 implies that there is a q′2 ∈ QB such that q2 –a→ q′2 and R(q′1, q′2)
• q2 –a→ q′2 implies that there is a q′1 ∈ QB such that q1 –a→ q′1 and R(q′1, q′2)
States q, q′ of LTSs B and B′, respectively, are bisimilar if there exists a bisimulation R on the disjoint union of B and B′ (with arbitrary initial state) that relates q to q′. In such a case, we write q ↔ q′. LTSs B and B′ are bisimilar, notation B ↔ B′, if q0 ↔ q′0 for q0 the initial state of B and q′0 the initial state of B′.
It is well known that if B is deterministic, then for all states q, q′ of B, B : q ↔ q′ if and only if traces(q) = traces(q′). As a consequence, two deterministic LTSs B and B′ are bisimilar iff they have the same sets of traces.
Let C be a set of clocks with c ∈ C, then define dom(c) ≝ J ∪ {∞}, where J is a bounded interval over R with infimum and supremum in Z, and intv(c) ≝ dom(c) − {∞}. The terms over C (denoted T(C)) are expressions generated by the grammar e ::= c | k | e + k, with c ∈ C and k ∈ Z∞, i.e. Z ∪ {∞}. Let F(C) be the boolean combinations of inequalities of the form e ≤ e′ or e < e′ with e, e′ ∈ T(C). A (simultaneous) assignment over C is a function µ from C to T(C); the set of all these functions is denoted M(C). If ϕ is a constraint over C and µ an assignment, then ϕ[µ] denotes the constraint obtained from ϕ by replacing each variable c ∈ C by µ(c). Finally, a clock valuation over C is a map ν that assigns to each clock c ∈ C a value in its domain (this set of valuations is denoted V(C)). We say that ν satisfies ϕ, notation ν |= ϕ, if ϕ evaluates to true under valuation ν.
The next definition presents the timing annotation for a finite automaton, which consists of a set of clocks, an invariant for each state, a guard for each transition (which determines whether the transition may be taken or not), the assignments Ass for each transition, and the initial clock valuation ν0.
Definition 8.17. A timing annotation for a given finite automaton A ′ =
〈Q , q0,E 〉 is a tuple T = 〈C , Inv , Φ,Ass , ν0〉, where
• C is a finite set of clocks
• Inv : Q → F (C ) associates an invariant to each state
• Φ : E → F (C ) associates a guard to each transition
• Ass : E → M(C) associates an assignment to each transition s.t. for each δ ∈ E:
  Inv(src(δ)) ∧ Φ(δ) ⇒ ⋀_{c ∈ C} (Ass(δ)(c) ∈ dom(c)) ∧ Inv(trg(δ))[Ass(δ)]
• ν0 ∈ V(C) is the initial clock valuation. It should hold that ν0 |= Inv(q0) and, for all c, ν0(c) ∈ Z∞.
Next we present timed I/O automata which, as already said, are a finite automaton together with a timing annotation and some restrictions. These restrictions are fundamental for proving the later theorems on the discretization of the state space.
Definition 8.18. A timed I/O automaton (TIOA) is a triple A = 〈A′, T, P〉, where A′ is a finite automaton with LA′ ∩ R>0 = ∅ (so that action labels are not confused with time labels), T is a timing annotation for A′ and P = (I, O) is a partitioning of LA′ into input actions and output actions. The following properties must hold, for all δ, δ′ ∈ EA′ and q ∈ QA′:
• (Determinism) if src(δ) = src(δ′), act(δ) = act(δ′) and Φ(δ) ∧ Φ(δ′) is satisfiable then δ = δ′
• (Isolated outputs) if src(δ) = src(δ′), act(δ) ∈ O and Φ(δ) ∧ Φ(δ′) is satisfiable then δ = δ′
• (Input enabling) every input is always enabled within the interior of the invariant of each location and only within it
• (Progressiveness) for every state of its operational semantics (OS (A ), defined as follows) there exists an infinite execution fragment that starts in this state, contains no input actions, and in which the sum of the delays diverges.
To avoid confusion, and following the implicit convention used so far, for a TIOA A we use S for the set of locations and Σ for the set of actions, in contrast to the associated operational semantics OS (A ), where Q is the set of states and L is the set of actions.
Example. Figure 8.6 depicts the timed I/O automaton which represents the Light Switch.
The operational semantics of A (denoted as OS (A )) is defined as the LTS 〈Q , L, q0, →〉, with Q , L and q0 as in the previous Definition 8.5, and → being the smallest relation that satisfies the following two rules, for all (s , ν), (s ′, ν′) ∈ Q , a ∈ Σ, δ ∈ E and d ∈ R>0:
• $\dfrac{\delta : s \xrightarrow{a} s' \qquad \nu \models \Phi(\delta) \qquad \nu' = \nu \circ Ass(\delta)}{(s, \nu) \xrightarrow{a} (s', \nu')}$
• $\dfrac{\forall\, 0 \le d' \le d : \nu \oplus d' \models Inv(s)}{(s, \nu) \xrightarrow{d} (s, \nu \oplus d)}$
where the actions in R>0 are referred to as time delays and
$(\nu \oplus d)(c) \stackrel{\mathrm{def}}{=} \begin{cases} \nu(c) + d & \text{if } (\nu(c) + d) \in intv(c) \\ \infty & \text{otherwise} \end{cases}$
[Figure 8.6 is not reproduced here; its residue shows the locations s0 (invariant c = ∞) and s1 (invariant c ≤ 5) and the transitions on?, c = ∞, c := 0; off !, c = 5, c := ∞; and on?, c < 5, c := 0.]
Fig. 8.6. TIOA specification for a Light Switch [SVD01]
The following lemma, which is a direct corollary of the definitions, gives four
basic properties of the operational semantics of a timed I/O automaton.
Lemma 8.19. Let A be a TIOA, then
• OS (A ) is deterministic
• OS (A ) possesses Wang's time additivity property: $q \xrightarrow{d+d'} q'$ iff $\exists\, q'' : q \xrightarrow{d} q'' \wedge q'' \xrightarrow{d'} q'$
• Each state of OS (A ) has either
 – a single outgoing transition labeled with an output action, or
 – both outgoing delay transitions and outgoing input transitions (one for each input action), but no outgoing output transitions.
 States of the second type are called stable
• For each state q ∈ QOS (A ), there exists a unique finite sequence of output actions σ and a unique stable state q ′ such that $q \xrightarrow{\sigma} q'$.
8.4.2 Discretization
The construction of the finite subautomaton used for the discretization of the state space is based on the fundamental concept of a region due to Alur and Dill [AD94]. The key idea behind the definition of a region is that, even though the number of states of the LTS OS (A ) is infinite, not all of these states are distinguishable via constraints. If two states corresponding to the same location agree on the integral parts of all the clock values, and also on the order of the fractional parts of all the clocks, then these two states cannot be distinguished.
Definition 8.20. The equivalence relation ≅ over the set V (C ) of clock valuations is given by: ν ≅ ν′ if and only if ∀ c, c′ ∈ C :
• ν(c) = ∞ iff ν′(c) = ∞
• if ν(c) ≠ ∞ then ⌊ν(c)⌋ = ⌊ν′(c)⌋ and (fract(ν(c)) = 0 iff fract(ν′(c)) = 0)
• if ν(c) ≠ ∞ ≠ ν(c′) then fract(ν(c)) ≤ fract(ν(c′)) iff fract(ν′(c)) ≤ fract(ν′(c′))
where, for k ∈ R (in this case the value of a clock), ⌊k⌋ denotes the largest number in Z that is not greater than k , ⌈k⌉ denotes the smallest number in Z that is not smaller than k , and fract(k) is the fractional part of k (so fract(k) = k − ⌊k⌋).
A region is an equivalence class of valuations induced by ≅.
Example. Figure 8.7 shows the 11 regions of the con clock from the Light Switch.
[Figure 8.7 is not reproduced here; its residue shows the con axis with the points 0, 1, 2, 3, 4, 5, the open intervals between them and the final interval [5, → ∞, drawn against a coff axis.]
Fig. 8.7. Regions of the con clock from the Light Switch example
Lemma 8.21. For all clock constraints ϕ:
if ν ≅ ν′ then ν ⊨ ϕ iff ν′ ⊨ ϕ
The equivalence relation ≅ on the clock valuations of a TIOA can be extended to an equivalence relation on states, by defining
(s , ν) ≅ (s ′, ν′) ≝ (s = s ′ ∧ ν ≅ ν′)
A region of a TIOA is an equivalence class of states induced by ≅.
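As an added illustration of Definition 8.20 and Lemma 8.21 (this code is not from the chapter), the following Python checks ν ≅ ν′ for valuations over any number of clocks, including switched-off clocks with value ∞, and evaluates atomic constraints e ≤ e′ / e < e′ over the term grammar e := c | k | e + k of Section 8.4.1 to show on concrete data that equivalent valuations satisfy the same constraints. The clock names x, y, the dict encoding of valuations and the tuple encoding of terms are assumptions of the example.

```python
import math

INF = math.inf  # a switched-off clock has the value ∞


def fract(k):
    """fract(k) = k − ⌊k⌋ for a finite clock value k."""
    return k - math.floor(k)


def region_equiv(nu, nu2):
    """ν ≅ ν′ (Definition 8.20) for valuations encoded as dicts clock -> value in R≥0 ∪ {∞}."""
    clocks = list(nu)
    for c in clocks:
        if (nu[c] == INF) != (nu2[c] == INF):           # ν(c) = ∞ iff ν′(c) = ∞
            return False
        if nu[c] != INF and (math.floor(nu[c]) != math.floor(nu2[c])
                             or (fract(nu[c]) == 0) != (fract(nu2[c]) == 0)):
            return False                                # same integral part, both integral or both not
    for c in clocks:                                    # same ordering of the fractional parts
        for c2 in clocks:
            if nu[c] != INF and nu[c2] != INF and \
               (fract(nu[c]) <= fract(nu[c2])) != (fract(nu2[c]) <= fract(nu2[c2])):
                return False
    return True


# Terms of the grammar e := c | k | e + k, encoded as ("c", name), ("k", value) or ("c+k", name, k).
def term(nu, e):
    """Value of a term under valuation nu (∞ + k = ∞, as in Z∞)."""
    if e[0] == "k":
        return e[1]
    return nu[e[1]] if e[0] == "c" else nu[e[1]] + e[2]


def satisfies(nu, phi):
    """ν ⊨ ϕ for an atomic constraint phi = (e, "<=" or "<", e′); boolean combinations are left to the caller."""
    e, op, e2 = phi
    return term(nu, e) <= term(nu, e2) if op == "<=" else term(nu, e) < term(nu, e2)


def same_verdicts(nu, nu2, constraints):
    """Lemma 8.21 on concrete data: equivalent valuations satisfy exactly the same constraints."""
    return all(satisfies(nu, phi) == satisfies(nu2, phi) for phi in constraints)


# Constructed sample valuations over two clocks x and y (names are assumptions of the example).
NU_A = {"x": 0.3, "y": 1.7}
NU_B = {"x": 0.1, "y": 1.9}   # same integral parts and the same order of fractional parts as NU_A
NU_C = {"x": 0.7, "y": 1.3}   # fract(x) > fract(y): a different region
CONSTRAINTS = [(("c+k", "x", 1), "<", ("c", "y")),   # x + 1 < y, sensitive to the order of fractions
               (("c", "x"), "<=", ("k", 0)),          # x ≤ 0
               (("c", "y"), "<", ("k", 2))]           # y < 2
```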
Because testing is based on distinguishing sequences (cf. Chapter 4), it is necessary to have an automaton that can distinguish each sequence that is used. Correspondingly, the grid automaton will be presented after all its necessary ingredients have been introduced.
Let Gn be the set of integer multiples of 2−n , for some sufficiently large natural number n. If t is a real number, we use the notation2 ⌊t⌋n for the largest number in Gn that is not greater than t , and ⌈t⌉n for the smallest number in Gn that is not smaller than t . We write [t ]n for the fraction (⌊t⌋n + ⌈t⌉n)/2; note that [t ]n ∈ Gn+1. For a TIOA A and its associated OS (A ), write Qn for the set of states (s , ν) ∈ Q such that, for each clock c, ν(c) ∈ Gn ∪ {∞}.
2 not to be confused with the notation ⌊ ⌋, ⌈ ⌉ without subindex
The following lemma shows that, given any state q in Qn , for every transition of the semantics (→) labeled with a ∈ Σ or with d ∈ Gn , the target state q ′ of that transition is also in Qn .
Lemma 8.22. Let q ∈ Qn , then
• If $q \xrightarrow{a} q'$ with a ∈ Σ then q ′ ∈ Qn
• If $q \xrightarrow{d} q'$ with d ∈ Gn then q ′ ∈ Qn .
Moreover, for a distinguishing trace of length m for two states in Qn , a trace
can be derived in which all delay actions are in the grid set Gn+m .
Theorem 8.23. Let A ,B be TIOAs with associated semantics OS (A ), OS (B), let (r , r ′) ≅ (s , s ′) for states r ∈ QA , r ′ ∈ QB, s ∈ QnA and s ′ ∈ QnB, and let σ = a1a2 . . . am be a distinguishing trace for r and r ′. Then there exists a distinguishing trace τ = b1b2 . . . bm for s and s ′ such that, for all j ∈ [1, . . . ,m], if aj is an input or output action then bj = aj , and if aj is a delay action then bj ∈ Gn+j with ⌊aj⌋n+j ≤ bj ≤ ⌈aj⌉n+j .
This theorem allows us to transform each distinguishing trace into one in which all delay actions are in a grid set, and shows that there is a dependency between the length of the trace and the granularity of the grid: the longer the trace, the finer the grid. This is due to the fact that the distinguishing power of a distinguishing trace for two states r and r ′ depends entirely on the regions traversed when applying σ to r and r ′, respectively. Moreover, we can conclude that the grid size depends on the number of states, not just on the number of clocks.
In order to obtain a grid size that is fine enough to distinguish all pairs of
different states, the following theorem establishes an upper bound on the length
of minimal distinguishing traces.
Theorem 8.24. Suppose A and B are TIOAs with the same input actions, and r and s are states of OS (A ) and OS (B), respectively, that are not bisimilar (bisimilarity as in Definition 8.16). Then, there exists a distinguishing trace for r and s of length at most the number of regions of QA × QB.
Finally, we are in a position to define the grid automaton. For each TIOA A and natural number n, the grid automaton G (A ,n) is defined as the subautomaton of OS (A ) in which each clock value is in the set Gn ∪ {∞}, and the only delay action is 2−n . Note that since in the initial state of OS (A ) all clocks take values in Z∞, it is always included as a state of G (A ,n). Moreover, since G (A ,n) has a finite number of states and actions, G (A ,n) is a finite automaton.
Definition 8.25. Let A = 〈S , Σ, s0,E 〉 be a TIOA, its OS (A ) = 〈Q ,L, q0, →〉 and n ∈ N. The grid automaton G (A ,n) is the LTS A ′′ = 〈Q ′,L′, q ′0, →′〉 given by
• Q ′ = Qn
• L′ = Σ ∪ {2−n}
• q ′0 = q0
• for all q, q ′ ∈ Q ′ and a ∈ L′, $q \xrightarrow{a}{}' q'$ iff $q \xrightarrow{a} q'$.
The grid automaton is the restriction of OS (A ) to time steps of 2−n , therefore G (A ,n) is finite.
Example. In Figure 8.8 the grid automaton of our Light Switch example for n = 2 is presented. Here we denote the initial state as 〈〈 〉〉, to distinguish it from the double circle denoting the initial state of a TIOA.
[Figure 8.8 is not reproduced here; its residue shows the states 〈〈s0, c = ∞〉〉 and 〈s1, c = k〉 for k = 0, 1/2, 1, 3/2, . . . , 9/2, 5, delay transitions labelled 1/2, on? transitions and one off ! transition.]
Fig. 8.8. The grid automaton G (A , n) with A as the Light Switch automaton and n = 2
Corollary 8.26. Let A and B be TIOAs with the same input actions, and let n be at least the number of regions of SA × SB, then
A and B are bisimilar iff G (A ,n) and G (B,n) are bisimilar.
Using the grid automaton with the appropriate degree of granularity, the problem of deciding bisimulation equivalence of TIOAs is reduced to the problem of deciding bisimulation equivalence of their finite subautomata.
8.4.3 Testing
A test sequence for a TIOA A is a finite sequence of delays and input actions of A (we denote the set of these sequences as Exp). A test sequence σ can be applied to A starting from any state s of its OS (A ). The application of σ to A in s uniquely determines a finite, maximal execution fragment in OS (A ). How to perform a test sequence is shown in the following definition. The outcome of performing a test sequence on A is described in terms of an auxiliary labeled transition system T .
Definition 8.27. The test sequence is the LTS T = 〈(Exp × Q), Σ, (ε, s0), →〉 with (Exp × Q) as its set of states, where Exp is the test sequence to be executed, Σ is a set of actions, (ε, s0) is the (arbitrarily chosen) initial state, and a transition relation → that is inductively defined as the least relation satisfying the following four rules, for all q, q ′ ∈ Q , σ ∈ Exp, i ∈ I, o ∈ O and d , d ′ ∈ R>0:
• $\dfrac{q \xrightarrow{o!} q'}{(\sigma, q) \xrightarrow{o!} (\sigma, q')}$
• $\dfrac{q \xrightarrow{i?} q'}{(i?\sigma, q) \xrightarrow{i?} (\sigma, q')}$
• $\dfrac{q \xrightarrow{d} q'}{(d\sigma, q) \xrightarrow{d} (\sigma, q')}$
• $\dfrac{q \xrightarrow{d'} q' \qquad \sup\{t \in \mathbb{R}_{>0} \mid q \xrightarrow{t}\} = d' < d}{(d\sigma, q) \xrightarrow{d'} ((d - d')\sigma, q')}$
The first rule says that output actions are always performed autonomously,
i.e. independently of the input of the intended test sequence. Instead, input
actions are only performed if they are explicitly specified in the test sequence.
This is stated by the second rule. Similarly, the third rule says that a delay can
occur only when it is both specified by the test sequence and allowed by A .
In some cases, a delay specified in the test sequence cannot occur since it is
interrupted by an autonomous output action of A . In such a case, the part of
the delay up to the output action is executed, while the rest is postponed until
A stops doing output actions autonomously. This last case is expressed by the
fourth rule.
Theorem 8.28. Let A be a TIOA and T its test sequence LTS, then
• each state of T has at most one outgoing transition, and
• T does not have an infinite execution fragment.
Theorem 8.28 allows us to define exec(σ, q) as the execution fragment of
OS (A ) obtained by projecting the states in the unique maximal execution
fragment of T that starts in (σ, q) on their second component. We define
outcome(σ, q), the outcome of the sequence σ in state q, as the trace of the
execution fragment that is induced by performing the test sequence:
$outcome(\sigma, q) \stackrel{\mathrm{def}}{=} trace(exec(\sigma, q))$
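As an added example (not code from the chapter or from [SVD01]), the following Python encodes the Light Switch TIOA of Fig. 8.6 with its single clock c and intv(c) = [0, 5], builds the grid automaton G(A, n) of Definition 8.25 by exploring Qn with the single delay 2^−n, and applies a test sequence according to the four rules of Definition 8.27, returning outcome(σ, q) = trace(exec(σ, q)); the fourth rule shows up when a delay of 7 in s1 is cut short by the autonomous off! at c = 5. The symbolic encoding of guards, invariants and assignments and the dict/tuple data layout are assumptions of the example.

```python
import math
from collections import deque

INF = math.inf  # the value ∞ of a switched-off clock

# Constructed encoding of the Light Switch TIOA of Fig. 8.6, assuming one clock c with intv(c) = [0, 5].
# Symbolic constraints: ("inf",) is c = ∞, ("le", k) is c ≤ k, ("lt", k) is c < k, ("eq", k) is c = k;
# assignments: "reset" is c := 0, "off" is c := ∞.
LIGHT_SWITCH = {
    "inputs": {"on?"}, "outputs": {"off!"}, "intv": (0.0, 5.0),
    "inv": {"s0": ("inf",), "s1": ("le", 5.0)},
    "edges": [  # (src, action, guard, assignment, trg)
        ("s0", "on?", ("inf",), "reset", "s1"),
        ("s1", "off!", ("eq", 5.0), "off", "s0"),
        ("s1", "on?", ("lt", 5.0), "reset", "s1"),
    ],
    "init": ("s0", INF),  # ν0 ⊨ Inv(s0)
}

def holds(constraint, c):
    """ν ⊨ ϕ for a symbolic constraint; the value ∞ satisfies only c = ∞."""
    if constraint[0] == "inf":
        return c == INF
    if c == INF:
        return False
    k = constraint[1]
    return {"le": c <= k, "lt": c < k, "eq": c == k}[constraint[0]]

def plus(model, c, d):
    """(ν ⊕ d)(c): ν(c) + d while it stays inside intv(c), ∞ otherwise."""
    lo, hi = model["intv"]
    return INF if c == INF or not lo <= c + d <= hi else c + d

def max_delay(model, state):
    """sup{ t | ∀ t' ≤ t : ν ⊕ t' ⊨ Inv(s) }: the longest delay possible in a state."""
    loc, c = state
    inv = model["inv"][loc]
    if inv[0] == "inf":  # ∞ ⊕ t = ∞ for every t, and a finite clock never satisfies c = ∞
        return INF if c == INF else 0.0
    # c ≤ k is closed; a finite clock stays finite until the end of intv(c), then jumps to ∞
    return 0.0 if c == INF else max(min(inv[1], model["intv"][1]) - c, 0.0)

def successor(model, state, act):
    """Target of the unique enabled edge labelled act (determinism), or None."""
    loc, c = state
    for src, a, guard, asg, trg in model["edges"]:
        if src == loc and a == act and holds(guard, c):
            return (trg, 0.0 if asg == "reset" else INF)
    return None

def enabled_output(model, state):
    """The single enabled output of a state (isolated outputs) as (act, target), or None."""
    for o in sorted(model["outputs"]):
        if (t := successor(model, state, o)) is not None:
            return o, t
    return None

def grid_automaton(model, n):
    """G(A, n) of Definition 8.25: the part of OS(A) reachable with actions and the delay 2^-n only."""
    step, init = 2.0 ** -n, model["init"]
    states, edges, todo = {init}, [], deque([init])
    while todo:
        q = todo.popleft()
        out = enabled_output(model, q)
        if out is not None:  # a state with an enabled output has no other transition (Lemma 8.19)
            succ = [out]
        else:                # stable state: every enabled input plus the grid delay
            succ = [(i, t) for i in sorted(model["inputs"]) if (t := successor(model, q, i)) is not None]
            if step <= max_delay(model, q):
                succ.append((step, (q[0], plus(model, q[1], step))))
        for label, q2 in succ:
            edges.append((q, label, q2))
            if q2 not in states:
                states.add(q2)
                todo.append(q2)
    return states, edges

def outcome(model, seq, state):
    """outcome(σ, q) = trace(exec(σ, q)): run the test-sequence LTS T of Definition 8.27 to its end."""
    trace, rest = [], list(seq)
    while True:
        out = enabled_output(model, state)
        if out is not None:            # rule 1: outputs happen autonomously, whatever σ says
            trace.append(out[0]); state = out[1]; continue
        if not rest:                   # σ exhausted and nothing autonomous left: maximal fragment
            return trace
        head = rest[0]
        if head in model["inputs"]:    # rule 2: an input is performed only if σ specifies it
            if (nxt := successor(model, state, head)) is None:
                return trace
            trace.append(head); state, rest = nxt, rest[1:]
            continue
        allowed = max_delay(model, state)
        if head <= allowed:            # rule 3: the delay is both specified and allowed by A
            trace.append(head); state, rest = (state[0], plus(model, state[1], head)), rest[1:]
        elif allowed > 0:              # rule 4: delay interrupted by an autonomous output,
            trace.append(allowed)      # the rest of the delay is postponed
            state, rest = (state[0], plus(model, state[1], allowed)), [head - allowed] + rest[1:]
        else:
            return trace
```

With n = 1 the grid delay is 1/2, giving the 12 states 〈〈s0, c = ∞〉〉 and 〈s1, c = 0, 1/2, ..., 5〉; the test sequence on? · 7 yields the outcome on? 5 off! 2.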
Deriving and Applying a Test Suite It is assumed that the behavior of the
IUT (Implementation Under Test) is accurately modeled by a TIOA Impl. Then
the IUT conforms to the specification Spec if Impl is bisimilar to Spec.
The method of building test suites is similar to Chow’s classical algorithm
for Mealy machines [Cho78] (cf. Chapter 4). A test suite consists of a finite set
of test sequences which should be applied to the implementation. Each sequence
consists of the concatenation of two sequences. The initial part of a test sequence
is taken from a transition cover P for a grid subautomaton of Spec, i.e. a set of
test sequences that together exercise every transition of the subautomaton.
Definition 8.29. Let A be a TIOA, n ∈ N, A ′′ = G (A ,n). A transition cover for A ′′ is a finite collection P ⊆ Expn of test sequences, such that ε ∈ P and, for all transitions $q \xrightarrow{a}{}' q'$ of A ′′ with q reachable (within A ′′) and stable (Lemma 8.19), P contains test sequences σ and σ · a such that $q_0 \xrightarrow{\sigma}{}' q$.
The trailing part of a test sequence is taken from a set Z , which is a characterization set for a grid subautomaton of Impl, meaning that for every pair of non-bisimilar grid states, Z contains a sequence that distinguishes between them.
Definition 8.30. Let p be a state of A , q a state of B, and let σ be a test sequence for A and B. σ distinguishes p from q if outcomeA (σ, p) ≠ outcomeB(σ, q). If Z is a set of test sequences for A and B, we write p ≈Z q to mean that no test sequence in Z distinguishes p from q.
We rely on the ability to always bring the machine back to its initial state. In the timed case, it is not reasonable to consider the reset as an instantaneous operation: typically, some time will elapse between the moment when the machine is requested to go to its initial state and the moment at which the reset operation has been completed. But it is not difficult to prove that the maximal time that can elapse between the occurrence of a reset action and the time at which the initial state is reached is always less than the number of regions of A .
Then, the test suite is defined for a given TIOA as follows.
Definition 8.31. Let A be a TIOA and n ∈ N. Let P be a transition cover for
G (A ,n) and Z a characterization set for the TIOA model of the IUT. The test
suite for A generated from P and Z with grid size n is defined by
$\mathit{test\text{-}suite}(A, n, P, Z) \stackrel{\mathrm{def}}{=} P \cdot Z \cdot \{reset\ max\}$
i.e. the concatenation of the transition cover, the characterization set and the reset action with its reset time.
Definition 8.32. A state of a TIOA is quiescent if each execution fragment
starting in that state that contains an output action also contains an input
action.
Algorithm 13 is the testing algorithm that applies each test case from the test suite to an implementation (the proof of correctness is given in [SVD01]). This algorithm is restricted to TIOAs with a quiescent initial state, where the machine waits for stimulus from its environment before producing any output.
Algorithm 13 Test Generation
input: A TIOA Spec, the specification automaton, with reset action reset, reset time max, and a quiescent initial state.
An Implementation Under Test (IUT), a device that accepts inputs from ISpec and produces outputs in OSpec.
A natural number n.
A natural number m.
output: A verdict PASS or FAIL
1 Let X = ISpec ∪ {2−n}
2 Determine a (minimal) finite transition cover P for G (Spec, n)
3 For all test sequences σ ∈ test-suite(Spec, n,P ,X^{m−1}) do
4 Apply test sequence σ to the IUT
5 Return FAIL and halt if the outcome of the IUT differs from outcomeSpec(σ, s0Spec)
6 Return PASS and halt
This algorithm results in a huge number of sequences. Therefore, it cannot be
claimed to be itself of practical value. Rather, the major contribution here is the
TIOA model and the demonstration that an algorithm to derive a (complete)
test suite does exist. Moreover, there are ways to reduce the number of tests,
and make the time delays within the tests manageable [SVD01].
8.5 Testing Networks of UPPAAL Timed Automata
Cardell-Oliver [CO00] presents a test generation method for networks of deter-
ministic timed automata on a dense time base. Timed automata are extended
with persistent data variables and are allowed to have silent transitions. Test
generation is based on test views that partition events into visible (relevant) and
hidden events according to a certain test purpose. By only testing for visible
events the size of the resulting test suite can be reduced. The work presented
is a generalization of previous work by Cardell-Oliver and Glover [COG98] that
was applicable only for specifications with a discrete clock model.
8.5.1 Model
For model specification, UPPAAL timed automata [LPY97] are adopted. UPPAAL timed automata (UTA) extend Alur and Dill's model of timed automata with (integer) data variables. With UTA, networks of deterministic timed automata can be specified. This allows for closed world specifications of systems, i.e. the behavior of a system's environment can be specified explicitly. Synchronization between components takes place by complementary actions of automata, i.e. by the simultaneous occurrence of an output event a! and an input event a?, with a ∈ Σ. Each automaton Ai can use a set of integer variables Vari that is a subset of a set of global integer variables Var . Guards on transitions are extended to apply to both clocks and data variables.
Definition 8.33. An UPPAAL timed automaton A is a tuple 〈S , s0, Σ,C , Inv ,E 〉, where
• S is a finite set of locations
• s0 is the initial location
• Σ = I ∪ O ∪ {τ} is a finite set of actions, partitioned into input actions,
output actions, and the silent action
• C is a finite set of (real-valued) clocks
• Inv : S → Φ(C ) assigns clock invariants to locations
• E ⊆ S ×Σ × Φ(C ,VarAi )× 2R × S is the set of transitions.
Transitions (s , a, ϕ, r , s ′) ∈ E are denoted by $s \xrightarrow{a, \varphi, r} s'$, where a is the action to be performed, ϕ the guard of the transition, and r a set of assignments for clocks and data variables. Clock variables can be reset to an integer constant l ∈ Z ∪ {−1}. A reset to −1 switches off the corresponding clock variable. Data variables can be reset to integer expressions of the form v := k ∗ v + k ′, where v ∈ VarAi and k , k ′ ∈ Z. R is used to denote the set of all possible reset operations.
Remark 8.34. The definition of UTA mainly follows the one presented by Bengtsson et al. [BLL+95]. The definition given here omits urgent synchronization but includes silent transitions as well as location invariants.
For testing purposes, clock constraints in guards and invariants are required
to be closed (< and > are not allowed) and domains for clocks and data variables
are required to be finite.
[Figure 8.9 is not reproduced here; its residue shows Asw with the locations s0 and s1 (invariant c ≤ 5) and the transitions on?, c ≤ 5, {c := 0}; on?, true, {c := 0}; off !, c = 5, {c := −1}, and Aen with the single location s0 and the transitions on!, true, ∅ and off ?, true, ∅.]
Fig. 8.9. UTA specification of the Light Switch Asw and its environment Aen
Example. The Light Switch can be defined by a UTA Asw = 〈S , s0, Σ,C , Inv ,E 〉, where
• S = {s0, s1}
• Σ = {on, off }, with I = {on} and O = {off }
• C = {c}
• Inv(s0) = true, Inv(s1) = c ≤ 5
• E = {(s0, on?, true, {c := 0}, s1), (s1, on?, c ≤ 5, {c := 0}, s1), (s1, off !, c = 5, {c := −1}, s0)}.
Specification of the environment can be done analogously (cf. Figure 8.9).
The definition of the semantics of UPPAAL timed automata is based on
timed transition systems with an uncountable set of states.
Definition 8.35. A timed transition system (TTS) over a set of actions Σ and a time domain R≥0 is a tuple M = 〈Q ,L,−→, q0〉 of a set of states Q , an initial state q0 ∈ Q , a set of labels L ⊆ Σ ∪ R≥0, and a transition relation −→ ⊆ Q × L × Q that has to satisfy the following properties (∀ q, q ′, q ′′ ∈ Q ∧ ∀ d , d1, d2 ∈ R≥0):
• time determinism: if $q \xrightarrow{d} q' \wedge q \xrightarrow{d} q''$ then q ′ = q ′′
• time additivity: $q \xrightarrow{d_1 + d_2} q''$ iff $q \xrightarrow{d_1} q' \xrightarrow{d_2} q''$
• 0-delay: $q \xrightarrow{0} q'$ iff q = q ′.
Since specifications of real-time systems in UPPAAL are generally networks of automata, an LTS M has to be constructed for parallel compositions of UTA. The set P = {p1, . . . , pn} is used to contain the names of all components that are part of the specification, with pi being the name of the component specified by the automaton Ai . The set of channels usable for synchronization is given by $Ch = (\bigcup_i I_{A_i}) \cap (\bigcup_i O_{A_i})$.
States of M are pairs (s , ν), where s is a vector holding the current control
locations for each component (automaton) and ν maps each clock to a value in
the time domain as well as each data variable to an integer value.
Transition labels of M are either delays d ∈ R≥0 or event triples (pi , a, r) with pi being the name of the automaton executing an action a, which can be either a silent action or an output action (which implies the occurrence of a complementary input action of another automaton). An action a leads to the execution of a set of resets r that contains resets for clocks, variables, and locations. Location resets explicitly denote a change of location of a component, which results in an update of the corresponding element in s . The set of all possible reset statements is given by $R \subseteq 2^{\bigcup_i R_{A_i} \cup R_{s_i}}$, with RAi being the usual resets of Ai and Rsi being the set of resets for locations of Ai .
Definition 8.36. The semantics of a network of UTA A1, . . . ,An is given by the TTS M = 〈Q ,L,→, q0〉, where
• Q = {〈s , ν〉 | s[i ] ∈ SAi , ν ⊨ InvAi (CAi )}, ∀ 1 ≤ i ≤ n
• q0 = 〈s0, ν0〉 with s0[i ] = s0Ai and ν0[i ] = 0, ∀ 1 ≤ i ≤ n
• L = R≥0 ∪ (P ,Ch ∪ {τ},R)
• → ⊆ Q × L × Q , where a transition is one of
 – $\langle s, \nu\rangle \xrightarrow{d} \langle s, \nu \oplus d\rangle$ iff $\forall i : \nu \oplus d \models Inv_{A_i}(s[i])$
 – $\langle s, \nu\rangle \xrightarrow{p_i, \tau, r} \langle s[s'_{A_i}/s_{A_i}], r_i(\nu)\rangle$ iff $(s_i, \varphi, \tau, r_i, s'_i) \in E_{A_i}$ and $\nu \models \varphi$, with $r = r_i \cup \{s_{A_i} := s'_{A_i}\}$
 – $\langle s, \nu\rangle \xrightarrow{p_i, a, r} \langle s[s'_{A_i}/s_{A_i}, s'_{A_j}/s_{A_j}], (r_i \cup r_j)(\nu)\rangle$ iff $(s_i, \varphi_i, a!, r_i, s'_i) \in E_{A_i}$, $(s_j, \varphi_j, a?, r_j, s'_j) \in E_{A_j}$, $\nu \models \varphi_i$ and $\nu \models \varphi_j$, with $r = r_i \cup r_j \cup \{s_{A_i} := s'_{A_i}, s_{A_j} := s'_{A_j}\}$
For a variable assignment ν and a delay d , ν ⊕ d denotes the variable assignment after d . ⊕ models the time-insensitiveness of all data variables and that all enabled clocks progress at the same rate:
$\forall v \in Var : (\nu \oplus d)(v) = \nu(v)$, and
$\forall c \in \bigcup_i C_{A_i} : (\nu \oplus d)(c) = \begin{cases} \nu(c) + d & \text{if } \nu(c) \ge 0 \\ \nu(c) & \text{if } \nu(c) = -1 \end{cases}$
Silent transitions result in the change of location of one component. The corresponding transitions in M express this change by replacing the ith element of the location vector s by a new location s ′Ai and applying the resets r to ν. Synchronizations between two components involve two location transitions, one for the sender Ai and one for the receiver Aj . Consequently the ith and the j th element of s have to be replaced with s ′Ai and s ′Aj respectively, and the union of the transition resets ri ∪ rj has to be applied to ν.
Remark 8.37. The definition given here follows Bengtsson et al. [BLL+95] in
defining states as pairs of a location vector s and variable valuations ν.
An alternative to the use of a location vector would be to include, for every component pi , a special variable loci holding the current location of the corresponding process into the set Var . States could then be defined as S ⊆ (Var → Z) ∪ (C → R≥0) [CO00].
Example. The possible behavior of the Light Switch specified by Asw in the environment Aen is given by a TTS Ms = 〈Q ,L,−→, q0〉, where
• Q = {〈(sAsw , sAen ), c ↦ [0, 8]〉}, with sAsw ∈ SAsw and sAen ∈ SAen
• q0 = 〈(s0, s0), c = 0.0〉
• L = [0, 8] ∪ ({sw , en}, {on, off }, {{c := 0, sAsw := s1}, {c := −1, sAsw := s0}})
(Resets for locations of the environment are omitted since Aen has only one location.)
For testing we constrain the time domain to [0, 8]. Note that due to the dense time domain, Ms has infinitely many states and infinitely many transitions (cf. Figure 8.10).
[Figure 8.10 is not reproduced here; its residue shows the states 〈(s0, s0), c = 0.0〉 . . . 〈(s0, s0), c = 8.0〉, 〈(s0, s0), c = −1〉 and 〈(s1, s0), c = 0.0〉 . . . 〈(s1, s0), c = d〉 . . . 〈(s1, s0), c = 5.0〉, delay transitions d, d′, 5.0 and 8.0, synchronizations labelled en, on, {c := 0, sAsw := s1} and one transition sw, off, {c := −1, sAsw := s0}.]
Fig. 8.10. Timed transition system Ms for Asw‖Aen
8.5.2 Digitization
Timed transition systems are not directly amenable to testing. Besides their
infiniteness, TTS traces include some traces that cannot be observed, e.g. de-
lays that are not followed by visible events. Furthermore, observable TTS traces
do not contain sufficient information to distinguish between input and output
events.
A testable timed transition system (TTTS) is a TTS that is also a (deterministic) FSM. A TTTS Spec = 〈Q ,L,−→, q0〉 uses a subset Q ⊂ QM of the states of the original TTS. Labels of the TTTS are timed event 4-tuples (d , io, a, r) with discrete delay d ∈ N, io ∈ {inp, out}, and a and r as in M . It is derived from a TTS M by executing the following steps:
(1) Digitize clocks: Each timed trace with times in R≥0 is mapped onto a set of
traces with times in Z. For each reachable state q and for each delay d ∈ R≥0
within a lower and upper bound LB ≤ d ≤ UB after which an event a can
occur include for every i ∈ {LB ,LB +1, . . . ,UB} a transition from 〈s , ν〉 to
〈s , ν ⊕ i〉 into the TTTS.
(2) Distinguish between inputs and outputs of the SUT: The set of network com-
ponents can be partitioned into automata specifying the system under test S
and automata describing the environment E of the SUT, with S ∩ E = ∅.
Each transition (pi , a, r) of a TTS becomes in the TTTS (0, inp, a, r) if
Ai ∈ E , or (0, out , a, r) if Ai ∈ S respectively.
(3) Distinguish between visible and invisible actions: Visible events of a TTTS are defined by a test view V = (P ′ ⊆ P ,Var ′ ⊆ Var ,C ′ ⊆ C ,Ch′ ⊆ Ch). In the TTTS all a ∈ Ch\Ch′ are replaced by τ . The reset set is reduced to only contain resets for elements of s with p ∈ P ′, for variables v ∈ Var ′, and for clocks c ∈ C ′. All states with equal values for visible variables are considered to belong to the same visible equivalence class: $q =_V q' \stackrel{\mathrm{def}}{=} \forall p_i \in P'\ \forall v \in (Var' \cup C') : \nu(v) = \nu'(v) \wedge s[i] = s'[i]$, with q = (s , ν) and q ′ = (s ′, ν′).
(4) Normalize TTTS: Events that are not observable cannot be tested. Therefore, silent events are elided and the delays of these omitted events are added to their following visible events. Each transition sequence of the form $q_0 \xrightarrow{d_1, inp, \tau, \{\}} q_1 \xrightarrow{d_2, out, a, r} q_2$ is replaced by $q_0 \xrightarrow{d_1 + d_2, out, a, r} q_2$.
Subsequently, the TTTS has to be re-transformed into a deterministic transition system, since omitting events may have introduced non-determinism. Note that normalization is not allowed to remove cycles of silent actions. At least one of the actions on such a cycle has to be made visible, i.e. the test view V has to be changed, to get a proper TTTS.
(5) Minimize TTTS: remove all states that are redundant, i.e. all but one that
are in the same visible equivalence class and have the same set of traces.
There might be states that are in the same visible equivalence class but do
not have the same set of visible traces. Such states have to be kept.
[Figure 8.11 is not reproduced here; its residue shows the states 〈(s0, s0), c = 0〉 . . . 〈(s0, s0), c = 8〉, 〈(s0, s0), c = −1〉 and 〈(s1, s0), c = 0〉 . . . 〈(s1, s0), c = 5〉, delay events d, inp, τ, {} for d = 1, . . . , 8, events 0, inp, on, {c := 0, sAsw := s1} and one event 0, out, off, {c := −1, sAsw := s0}.]
Fig. 8.11. A TTTS gained from TTS Ms after digitization and label transformation
Example. After digitization the TTS Ms is reduced to a TTTS with 15 states
(cf. Figure 8.11).
Let us now assume a test view V = (P ′,Var ′,C ′,Ch′), where P ′ = {pen},
Var ′ = Var = ∅, C ′ = C = {c}, and Ch′ = Ch = {on, off }. Since P ′ ⊂ P
does not contain the name of the switch component psw , valuations and resets
of the locations of the Switch become invisible. By using this view, and applying
normalization the set of states can be reduced to contain only 3 states. We get
the TTTS Spec = (Q ,L,−→, q0) , where
[Figure 8.12 is not reproduced here; its residue shows the three states 〈(s0, s0), c = 0〉, 〈(s1, s0), c = 0〉 and 〈(s0, s0), c = −1〉 with the events 0, inp, on, {c := 0} . . . 8, inp, on, {c := 0}; 0, inp, on, {c := 0} . . . 5, inp, on, {c := 0}; 5, out, off, {c := −1}; and 0, inp, on, {c := 0}.]
Fig. 8.12. The TTTS Spec after the application of a test view, normalization, and minimization
• Q = {q0, q1, q2} = {〈(s0, s0), c = 0〉, 〈(s1, s0), c = 0〉, 〈(s0, s0), c = −1〉}
• −→ = {t1, . . . , t16} = $\{\, q_0 \xrightarrow{0, inp, on, \{c := 0\}} q_1, \ldots, q_0 \xrightarrow{8, inp, on, \{c := 0\}} q_1,\ q_1 \xrightarrow{0, inp, on, \{c := 0\}} q_1, \ldots, q_1 \xrightarrow{5, inp, on, \{c := 0\}} q_1,\ q_1 \xrightarrow{5, out, off, \{c := -1\}} q_2,\ q_2 \xrightarrow{0, inp, on, \{c := 0\}} q_1 \,\}$
(cf. Figure 8.12)
8.5.3 Testing
The conformance relation for testable timed transition systems is trace equivalence. Formally, $Conf(Spec) \stackrel{\mathrm{def}}{=} \{S \mid traces(Spec) = traces(S)\}$. A test suite for
a TTTS Spec consists of one test case for every transition in Spec. A test case
essentially consists of three parts. The first part reaches the source state of a
transition. Secondly, the transition is executed. The third part has to verify that
the execution of the transition has resulted in the target state specified by Spec,
i.e. it is a state verification sequence.
The usage of test views dramatically simplifies the search for these separating sequences. With classical FSM testing techniques (without data variables and test views) each state needs to be distinguished from any other in the automaton (cf. Chapter 4). Since the normalization of the TTTS ensures that Spec is minimal and only contains visible events, we know exactly in which state we are after the execution of a certain trace (except for states that are in the same visible equivalence class). Hence, the third part of a transition test only needs to distinguish the target state of the transition to be tested from other states in its visible equivalence class. There may not exist a unique separating sequence for each such state (cf. Chapter 3), since traces of one state may be included in traces of other states. To distinguish these states, the separating sequences are paired with oracles that state whether the final event of the trace shall be observed.
Please note that even if Impl is deterministic, from the tester's perspective it does not behave deterministically, because events produced by the implementation may occur at different points in time. Since the tester has no capability to control when output events of the SUT will eventually occur, any possible trace has to be considered for both reaching a state and distinguishing a state. One of all possible reach traces, or separating traces respectively, has to be chosen on the fly during execution of the test, depending on the actual occurrence of an output event. If there is a trace that does not depend on the choices of the SUT, we only need to consider this one for testing.
The conformance test algorithm (cf. Algorithm 14) takes a TTTS Spec, con-
structed using a View V , as input and produces a finite set of traces each ac-
companied with an oracle (yes/no) for observing its final event.
Algorithm 14 TTTS Conformance Test Algorithm
input: TTTS Spec = 〈Q ,L,−→, q0〉, Test View V
output: Test(Spec)
1 Test(Spec) = ∅
2 for every q ∈ Q do
3 // find all acyclic traces, i.e. that visit no state more than once, ending at q
4 reach(q) = {σ | $q_0 \xrightarrow{\sigma} q$ ∧ acyclic(σ)}
5 for every q ∈ Q that is a transition's destination state do
6 for each q ′ =V q do
7 // distinguish q from all states in the same visible equivalence class
8 if q = q ′ then σ = 〈〉
9 else // non trivial distinction of states
10 for every σ = l1 . . . ln with l1 . . . ln−1 ∈ traces(q) ∩ traces(q ′) do
11 if σ ∉ traces(q) ∩ traces(q ′) then // σ distinguishes between q and q ′
12 // pair σ with oracle whether the final event should be observed
13 if σ ∈ traces(q) then diff(q , q ′) += σ ∗ yes
14 else if σ ∈ traces(q ′) then diff(q , q ′) += σ ∗ no
15 // Compose a test for every transition
16 for every t = (q1, l , q2) ∈ −→ do
17 for each qi =V q2
18 Testfor(t) += σ1 · l · σi ∗ Ri , with σ1 ∈ reach(q1) and σi ∗ Ri ∈ diff (q2, qi)
19 Test(Spec) += Testfor(t)
Previous work did allow implementations to have extra states [COG98]. Now
it is claimed that "the assumption of a bounded, small number of extra states
is not appropriate for real-time systems" [CO00], because minor changes of a
timed automaton specification can result in a very large change in the size of its
TTTS.
Definition 8.38. Real-Time Faults for TTTS: Impl ∈ NonConf(Spec) if and
only if
• Impl has no more states than Spec and
• Impl has a single transition fault or Impl can be transformed to Spec by a
sequence of single transition faults.
It can be shown that for a TTTS specification Spec, the test suite Test(Spec)
generated by the TTTS test generation algorithm detects any Impl ∈ NonConf(Spec)
[CO00]. If the implementation satisfies the test hypotheses, then all tests for
Spec will be passed by the implementation if and only if the implementation is
trace equivalent to Spec.
Example. Spec = 〈QSpec, L, −→, q0〉, V = ({sen}, ∅, {c}, {on, off})
(1) Reach all states
• reach(q0) = {〈〉}
• reach(q1) = {〈0, inp, on, {c := 0}〉, . . . , 〈8, inp, on, {c := 0}〉}
• reach(q2) = {〈0, inp, on, {c := 0} · 5, out, off, {c := -1}〉, . . . , 〈3, inp, on, {c := 0} · 5, out, off, {c := -1}〉}
(2) Distinguish states in the same visible equivalence class: Since q0 is not the
destination state of any transition, we do not need to distinguish between
q0 and q1, although both are in the same visible equivalence class. q2 has no
other state in its visible equivalence class. Therefore, all distinguishing traces
are trivial, i.e. {〈〉}.
(3) Pair traces with oracles.
• diff(q1, q1) = {〈〉 ∗ yes}
• diff(q2, q2) = {〈〉 ∗ yes}
(4) Compose tests for every transition.
• testfor(t1) = 〈0, inp, on, {c := 0}〉 ∗ yes
• . . .
• testfor(t10) = 〈0, inp, on, {c := 0} · 1, inp, on, {c := 0}〉 ∗ yes
• . . .
• testfor(t15) = 〈0, inp, on, {c := 0} · 5, out, off, {c := -1}〉 ∗ yes
• testfor(t16) = 〈0, inp, on, {c := 0} · 5, out, off, {c := -1} · 0, inp, on, {c := 0}〉 ∗ yes
Since the tester has control over the event on, we can choose one trace out of all
possible reach() traces for each state, although the states may be reached by
different traces. If on were under control of the SUT, we would have to include all
possible reach() traces for the respective states. Furthermore, if we allowed off
events to occur between a lower and an upper time bound, we would have to include
all possible traces containing an off event in the respective reach sets.
Please note that tests with yes oracles may be included in longer tests,
e.g. testfor(t16) subsumes testfor(t1) and testfor(t15).
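As an added illustration (not the chapter's or Cardell-Oliver's code), the following Python model executes Algorithm 14 on a small constructed TTTS: reach enumerates acyclic traces, diff walks a pair of states over their common labels until one side accepts a label the other rejects and pairs each separating sequence with its yes/no oracle, and tests composes σ1 · l · σi ∗ Ri for every transition. It assumes labels are opaque strings (the delay and clock assignments of the chapter's tuples folded into the label), that the test view has already been applied and is given as a state-to-visible-class map, and, as in the worked example, that only destination states are candidates for confusion.

```python
from collections import deque

class TTTS:
    def __init__(self, q0, trans, view):  # view: state -> visible class (test view assumed applied)
        self.q0, self.view, self.succ = q0, view, {}
        for q1, l, q2 in trans:
            assert (q1, l) not in self.succ, "TTTS must be deterministic"
            self.succ[(q1, l)] = q2
        self.dest = set(self.succ.values())  # states a conforming SUT can actually be in

    def reach(self, target):
        """All acyclic traces from q0 to target (no state visited twice)."""
        found, stack = set(), [(self.q0, (self.q0,), ())]
        while stack:
            q, seen, trace = stack.pop()
            if q == target: found.add(trace)
            stack += [(q2, seen + (q2,), trace + (l,))
                      for (p, l), q2 in self.succ.items() if p == q and q2 not in seen]
        return found

    def diff(self, q, q2):
        """Separating sequences with oracle: "yes" if q accepts the final label, "no" if only q2 does."""
        if q == q2:
            return {((), "yes")}  # trivial distinction, as in the chapter's example
        out, todo, visited = set(), deque([(q, q2, ())]), {(q, q2)}
        while todo:  # follow the pair over common labels, visiting each pair of states once
            a, b, prefix = todo.popleft()
            for l in sorted({l for _, l in self.succ}):
                na, nb = self.succ.get((a, l)), self.succ.get((b, l))
                if (na is None) != (nb is None):       # exactly one side accepts l
                    out.add((prefix + (l,), "yes" if na else "no"))
                elif na and (na, nb) not in visited:   # both accept l: keep walking
                    visited.add((na, nb))
                    todo.append((na, nb, prefix + (l,)))
        return out

    def tests(self):
        """Algorithm 14: for t = (q1, l, q2): reach q1, do l, then separate q2 from its visible-class peers."""
        suite = set()
        for (q1, l), q2 in self.succ.items():
            for qi in self.dest:
                if self.view[qi] == self.view[q2]:
                    for s1 in self.reach(q1):
                        for si, oracle in self.diff(q2, qi):
                            suite.add((s1 + (l,) + si, oracle))
        return suite

# Constructed sample: a second "on" is remembered only in a hidden clock, so q1 and q3 share class "lit".
SPEC = TTTS("q0", [("q0", "on", "q1"), ("q1", "on", "q3"), ("q1", "off", "q2"),
                   ("q3", "off", "q2"), ("q2", "on", "q1")],
            {"q0": "idle", "q1": "lit", "q3": "lit", "q2": "dark"})
```

Calling SPEC.tests() yields nine tests; the one with oracle no, on·on·on, checks that a third on is refused after the hidden clock has recorded the second press.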
8.6 Summary
All three approaches use timed automata with a dense time model for testing
real-time systems. All need to partition the uncountable state space of the semantics
of (networks of) timed automata into a finite number of states considered
equivalent.
Nielsen and Skou use coarse-grained domains [NS03]. A fully automatic
method for the generation of real-time test sequences from a subclass of timed
automata called event-recording automata is proposed. The technique is based
on the symbolic analysis of timed automata inspired by the UPPAAL model-checker.
Test sequences are selected by covering a coarse equivalence class partitioning
of the state space. They argue that the approach provides a heuristic that
guarantees that a well-defined set of interesting scenarios in the specification has
been automatically, completely, and systematically explored.
Springintveld, Vaandrager and D'Argenio proved that exhaustive testing with
respect to bisimulation³ of deterministic timed automata with a dense time
interpretation is theoretically possible [SVD01]. Testing of timed systems is described
as a variant of the bounded time-domain automaton (TA). The TA describing
the specification is transformed into a region automaton, which in turn is
transformed into another finite state automaton, referred to as a Grid Automaton.
Test sequences are then generated from the Grid Automaton. The idea behind
the construction of the Grid Automaton is to represent each clock region with
a finite set of clock valuations, referred to as the representatives of the clock
region. However, although being exact, their grid method is impractical because
it generates "an astronomically large number of test sequences" [SVD01].
Cardell-Oliver presents a testing method for networks of deterministic timed
automata extended with integer data variables [CO00]. Checking of trace equivalence
is done only for parts of a system that are visibly observable. In addition to
the usual time-discretization, test views are used to discriminate between states
depending on a test purpose. Test views partition variables and events into
visible and hidden ones. Equivalence on visible clocks and variables induces an
equivalence relation on states. States that are evidently different, i.e. that are in
different visible equivalence classes, need not be distinguished from each other.
This significantly reduces the length of test suites.
approach   specs   time   det.   τ   network   impl. rel.        based on           exhaustive
[NS03]     ERA     R≥0    √      -   -         trace inclusion   testing preorder   -
[SVD01]    TIOA    R≥0    √      -   -         bisimulation      W method           √
[CO00]     UTA     R≥0    √      √   √         bisimulation      W method           -
Table 8.1. Comparison (det. = deterministic automata, τ = internal actions supported,
network = networks of automata supported, exhaustive = test suite is exhaustive)
In practice, the time resources used for test case generation and execution should
be as small as possible and test coverage as high as possible. This general need for
effectiveness becomes even more evident in real-time testing. Exhaustive testing
becomes infeasible for any system of considerable size. Some approaches for
testing real-time systems (cf. Chapter 13) gain practicability by dropping formal
rigour. However, safety-critical systems require justified confidence in
their behavior. Making timed-automata-based testing applicable to systems of
realistic size remains to be done.
³ In the case of determinism, bisimulation and trace equivalence coincide [vG01].
