Testing timed automata  by Springintveld, Jan et al.
Theoretical Computer Science 254 (2001) 225–257
www.elsevier.com/locate/tcs
Testing timed automata
Jan Springintveld a,1, Frits Vaandrager a, Pedro R. D'Argenio b,*
a Computing Science Institute, University of Nijmegen, P.O. Box 9010, 6500 GL Nijmegen,
The Netherlands
bDepartment of Computer Science, University of Twente, P.O. Box 217, 7500 AE Enschede,
The Netherlands
Received May 1998; revised February 1999
Communicated by M. Nivat
Abstract
We present a generalization of the classical theory of testing for Mealy machines to a setting
of dense real-time systems. A model of timed I/O automata is introduced, inspired by the timed
automaton model of Alur and Dill, together with a notion of test sequence for this model. Our
main contribution is a test suite derivation algorithm for black-box conformance testing of timed
I/O automata. Black-box testing amounts to checking whether an implementation conforms to a
specification of its external behavior, by means of a set of tests derived solely from the specification.
The main problem is to derive a finite set of tests from a possibly infinite, dense-time transition
system representing the specification. The solution is to reduce the dense-time transition system
to an appropriate finite discrete subautomaton, the grid automaton, which contains enough information to completely represent the specification from a test perspective. Although the method
results in a test suite of high exponential size and cannot be claimed to be of practical value, it
gives the first algorithm that yields a finite and complete set of tests for dense real-time systems.
c© 2001 Elsevier Science B.V. All rights reserved.
Keywords: (Black-box) conformance testing; Real-time systems; Timed automata; I/O automata; Bisimulation
1. Introduction
It is widely recognized that testing is an essential component of the life cycle of
computer systems [29]. One approach to testing is black-box testing. In order to derive
Research supported by the Netherlands Organization for Scientific Research (NWO) under contract SION
612-33-006 and by the HCM network EXPRESS.
∗ Corresponding author.
E-mail addresses: springtv@natlab.research.philips.com (J. Springintveld), fvaan@cs.kun.nl (F.
Vaandrager), dargenio@cs.utwente.nl (P. R. D’Argenio).
1 Current address: Philips Research Laboratories Eindhoven, Prof. Holstlaan 4, 5656 AA Eindhoven, The
Netherlands.
0304-3975/01/$ - see front matter c© 2001 Elsevier Science B.V. All rights reserved.
PII: S0304 -3975(99)00134 -6
test cases, black-box testing relies on the specification of the system that is being
tested, the so-called implementation under test. It makes it possible to define the notion of a
conformance relation linking the implementation under test to the specification, and the
notion of a verdict associated to the application of a test case. Since the implementation
under test is a real object, such as a hardware component or a protocol, it is as such
not amenable to formalization. However, we may have reasons to believe that the
system behaves according to some unknown formal model which belongs to a known
finite class of formal models. Under this assumption, which is usually referred to as
the test hypothesis [31], it is in some cases possible to generate a finite and complete
set of test cases (the test suite) and use it to demonstrate the absence of system
faults. The last two decades have witnessed a lot of research activity in the area of
(black-box) conformance testing. Especially for the class of finite state models, many
algorithms to derive test suites have been devised, which have been used successfully
for the validation of hardware circuits and communication protocols [23, 11, 10, 1, 22].
So far, however, little work has been done to incorporate timing aspects [12, 26, 7].
An important reason for this has no doubt been the lack of a suitable model for timed
systems.
Recently, Alur and Dill [2] have proposed the model of timed automata, which is
an extension of the finite automaton model with clock variables and simple constraints
over clocks and states. The timed automata model and its variants have been used quite
successfully for verification purposes and form the basis for several model-checking
tools [5, 24, 14, 19]. Although the algorithms involved are theoretically of high complexity, analysis of non-trivial timed systems turns out to be feasible, as is witnessed
by several case studies [6, 13, 15, 21].
This article is a first step towards a theory of testing for timed automata. We propose
a model of timed I/O automata, which borrows ideas from both Alur and Dill's model
and from the timed I/O automata of Lynch et al. [28]. Apart from supporting the
automatic generation of timed tests, our model allows a loose coupling of inputs and
outputs, unlike the usual Mealy-style finite state machines where inputs and outputs
occur simultaneously in a single transition. A similar (even more flexible) modeling
of inputs and outputs is presented in [33, 32, 17], but this approach does not deal with
time.
We provide a method to derive a complete test suite in the style of well-known
finite state machine based methods (see, e.g., [11, 10, 1]). The main problem involved
is that in general the state space of a timed automaton is (uncountably) infinite. To
obtain a finite test suite, a discretization of the state space is required. In addition,
such a discretization should be sufficiently refined to detect all possible errors. Therefore, we determine the smallest time difference that we need to consider between two
states that differ only in the value of the clock variables. To determine it, we use
region [2] and uniform mapping [9] techniques. It turns out that it suffices to consider only time steps that are (integer) multiples of the smallest time difference. This
time difference can be treated as a discrete, "untimed" transition. It is then straightforward to construct a finite subautomaton of the state space, which we call a grid
automaton. Therefore, suitable adaptations of well-known finite state test derivation
methods [11, 10, 1] can be applied to the grid automaton. In fact, based on the techniques presented in this article, [16] gives an explicit algorithm for an approximation of the grid automaton. Once the grid automaton is derived, a complete test suite
can be derived. To do so, we provide an algorithm which is a generalization of that
from [11].
To the best of our knowledge, this article proposes the first algorithm that (albeit
under some strong assumptions) yields a finite and complete test suite for (dense) real-time systems. Even though the method results in a test suite of high exponential size and
cannot be claimed to be of practical value, we believe that the concepts and techniques
developed in this article will allow for more practical algorithms. We have not yet been
able to provide lower bounds on the size of complete test suites for timed systems. We
do give an example that shows that for timed systems very small time steps have to be
considered, resulting in large test suites. In any case, we will sketch several possible
optimizations to substantiate the belief that our approach can be made more practical, at
least in more restrictive settings. Furthermore, we hope that our approach may also
support incomplete but practically useful methods for testing timed systems such as in
[12, 26].
The organization of this article is as follows. In Section 2, we present the model
of timed I/O automata. This model requires a new, timed notion of distinguishing
sequence, which is the subject of Section 3. In Section 4 we present the basic definitions and theorems for the discretization of state spaces. These are employed in
Section 5, where we present an algorithm for test generation and a proof of its correctness. Finally, in Section 6 we discuss several options to obtain more practical
algorithms. An appendix lists some notational conventions.
2. Timed I/O automata
In this section we present the model of timed I/O automata. Timed I/O automata
are a particular class of timed automata [2, 20] carefully customized to fulfill a set of
"testability" constraints similar to those present in the timed I/O automata of Lynch
et al. [28], such as a separation between input and output activity, and input enabling.
Our model is defined in several steps.
First, we recall some basic definitions in order to fix notation. Afterwards, we present
the bounded time domain automata model from [30], which is a variant of the model
of Alur and Dill [2] or, more precisely, of the version of this model proposed
by Henzinger et al. [20]. Roughly speaking, a bounded time domain automaton is a
finite (untimed) automaton together with a timing annotation. This timing annotation
extends the automaton with a finite set of clocks and functions that allow one to
express, for each transition, under what timing conditions the transition may be taken,
what the updated clock values will be, and under what timing conditions one may
idle in each state. Thereafter, timed I/O automata are defined as bounded time domain
automata together with a partitioning of the set of actions into input and output actions.
We impose certain restrictions on the model to ensure 'testability' of the model. The
definitions are illustrated in Example 9. Example 10 shows how timed I/O automata
can be viewed naturally as a generalization of the classical Mealy machines.
2.1. Preliminaries
Let R denote the set of reals, R≥0 the set of nonnegative reals, R>0 the set of
positive reals, and R∞ the set of reals together with the single element ∞. We extend the standard partial ordering ≤ and addition operator + over R to R∞ in the
usual way: for every t ∈ R∞, t ≤ ∞ and t + ∞ = ∞ + t = ∞. Let Z denote the set of
integers, Z∞ the set Z ∪ {∞}, and N the set of nonnegative integers. For t ∈ R, ⌊t⌋
denotes the largest number in Z that is not greater than t, and ⌈t⌉ denotes the smallest
number in Z that is not smaller than t. With fract(t) we denote the fractional part of
t (so fract(t) = t − ⌊t⌋).
Concatenation of a finite sequence with a finite or infinite sequence is denoted by
juxtaposition; ε denotes the empty sequence and the sequence containing a single element a is simply denoted a. If σ is a nonempty sequence then first(σ) returns the
first element of σ. Moreover, if σ is finite, then last(σ) returns the last element of
σ. If σ is a sequence and X is a set, then σ⌈X denotes the sequence obtained by
projecting σ on X. If V is a set of finite sequences, W a set of sequences, and σ a
finite sequence, then σW = {σσ′ | σ′ ∈ W} and VW = ⋃_{σ∈V} σW. For X a set of symbols,
we define X^0 = {ε} and, for i > 0, X^i = X^{i−1} ∪ X X^{i−1}. As usual, X* = ⋃_{i∈N} X^i.
2.2. Labeled transition systems
For technical reasons, our definition of a labeled transition system is slightly different
from the standard one in which a transition is a triple of a state, an action and a state.
According to our definition there can be multiple transitions with the same action label
between any given pair of states.
Definition 1. A labeled transition system (LTS) is a rooted, edge-labeled multigraph.
Formally, an LTS is a structure A = (Q, E, Σ, src, act, trg, q0), where Q is a set of
states, E a set of transitions, Σ a set of actions, functions src : E → Q, act : E → Σ
and trg : E → Q associate to each transition a source, action and target, respectively,
and q0 ∈ Q is the initial state. We write Q_A, E_A, etc., for the components of an LTS
A, but often omit subscripts when they are clear from the context. Also, we write
π : q a→ q′ if π is a transition with src(π) = q, act(π) = a and trg(π) = q′. With q a→ q′
we denote that π : q a→ q′ for some π.
Example 2. Fig. 1 shows a labeled transition system describing the behavior of an
automatic switch as used, e.g., for staircases in hotels. Circles represent states. Their
names are given inside. The initial state is indicated with a little incoming arrow.
Fig. 1. An LTS representing a switch.
Arrows represent transitions and their labels are given next to them. The switch can
be described formally as the LTS A = (Q, E, Σ, src, act, trg, q0) where
• Q = {q0, q1},
• E = {π0, π1, π2},
• Σ = {on, off},
• src(π0) = q0, src(π1) = src(π2) = q1,
• act(π0) = act(π2) = on, act(π1) = off,
• trg(π0) = trg(π2) = q1, trg(π1) = q0,
• q0 is the initial state.
Its behavior can be explained as follows. The state of the system in which the light is
off is represented by q0, and the state q1 represents the situation where the light is on.
People arrive at the stairway and turn on the switch. After a while the switch turns
itself off. Before that happens, people may push the on button, which will leave the
light on.
We will use the automatic switch as a running example. The intention is to show
how the different models we discuss in this section are built one on top of the other.
In order to define the timed I/O automata model, we will need the generality of
LTSs. However, to study its semantics, it will be enough to restrict to a subclass of
LTSs which we choose to call lean LTSs. An LTS A is lean if each transition is fully
determined by its source, action and target, i.e.,
src(π) = src(π′) ∧ act(π) = act(π′) ∧ trg(π) = trg(π′) ⇒ π = π′,
and deterministic if it satisfies the stronger property
src(π) = src(π′) ∧ act(π) = act(π′) ⇒ π = π′.
We say that A is a finite automaton if both Q and E are finite. An execution fragment of a lean 2 LTS A is a finite or infinite alternating sequence q0 a1 q1 a2 q2 ···
of states and actions of A, beginning with a state, and if it is finite also ending
with a state, such that for all i > 0, q_{i−1} a_i→ q_i. An execution of A is an execution
fragment that begins with the initial state of A. A state q of A is reachable if it
2 For non-lean LTSs this notion of execution fragments is less natural since it does not record all information about the dynamic behavior of such systems.
is the last state of some finite execution of A. For α = q0 a1 q1 a2 q2 ··· an execution
fragment of A, trace(α) is defined as the sequence a1 a2 ···. We write q σ→ q′ if A
has a finite execution fragment α with first(α) = q, last(α) = q′, and trace(α) = σ. We
say that σ is a trace of q, and write q σ→, if there exists a q′ such that q σ→ q′. Moreover, σ is a trace of A if it is a trace of the initial state of A. We write traces*(q)
for the set of traces of q. We say that σ is a distinguishing trace of q and q′ if either
it is a trace of q but not of q′, or the other way around.
The main equivalence relation between LTSs that we consider in this paper is bisimulation equivalence: according to our definition in Section 5 an Implementation Under
Test (IUT) conforms to a specification Spec iff certain associated LTSs are bisimilar.
However, as a consequence of the fact that these LTSs are deterministic, the reader
may equally well think of conformance in terms of trace equivalence, and view bisimulations as a convenient characterization of trace equivalence. In fact, our choice to
use bisimulation instead of trace equivalence is merely pragmatic.
Definition 3. Let A be an LTS. A relation R ⊆ Q_A × Q_A is a bisimulation on A iff
whenever R(q1, q2), then
• q1 a→ q′1 implies that there is a q′2 ∈ Q_A such that q2 a→ q′2 and R(q′1, q′2),
• q2 a→ q′2 implies that there is a q′1 ∈ Q_A such that q1 a→ q′1 and R(q′1, q′2).
States q, q′ of A are bisimilar, notation q ∼_A q′, if there exists a bisimulation R on
A with R(q, q′).
States q, q′ of LTSs A and A′, respectively, are bisimilar if there exists a bisimulation R on the disjoint union of A and A′ (with arbitrary initial state) that relates q
to q′. In such a case, we write A, A′ : q ∼ q′. LTSs A and A′ are bisimilar, notation
A ∼ A′, if A, A′ : q0_A ∼ q0_A′.
It is well known that if A is deterministic, then for all states q, q′ of A, A : q ∼ q′ iff
traces*(q) = traces*(q′). As a consequence, two deterministic LTSs A and A′ are
bisimilar iff they have the same sets of traces.
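As an added illustration (this is example code, not part of the article), the switch LTS of Example 2 is written below as Python data, together with a determinism check and a computation of the greatest bisimulation of Definition 3 on the disjoint union of two LTSs. The relation is obtained as a fixpoint: start from the full relation on the tagged state sets and discard every pair that fails one of the two transfer conditions until nothing changes. The two further LTSs (an unrolled switch, and a switch whose on button has no effect once the light is on) are constructed here for the example, and all function names are this example's own.

```python
# Added example (not code from the article): lean LTSs as sets of (src, act, trg)
# triples, a determinism check, and the greatest bisimulation (Definition 3)
# computed by fixpoint refinement on the disjoint union of two LTSs.
from itertools import product

# Constructed example: the switch of Example 2.
SWITCH = {
    "states": {"q0", "q1"},
    "init": "q0",
    "transitions": {("q0", "on", "q1"), ("q1", "off", "q0"), ("q1", "on", "q1")},
}

# Constructed: the same behaviour with the "light on" situation split over two
# states; bisimilar to SWITCH, although the state graphs differ.
SWITCH_UNROLLED = {
    "states": {"p0", "p1", "p2"},
    "init": "p0",
    "transitions": {("p0", "on", "p1"), ("p1", "on", "p2"), ("p2", "on", "p2"),
                    ("p1", "off", "p0"), ("p2", "off", "p0")},
}

# Constructed: a switch where pressing on while the light is on is impossible
# (no self-loop in the "on" state); not bisimilar to SWITCH.
SWITCH_NO_RETRIGGER = {
    "states": {"r0", "r1"},
    "init": "r0",
    "transitions": {("r0", "on", "r1"), ("r1", "off", "r0")},
}


def is_deterministic(lts):
    """At most one transition per (source, action) pair (Section 2.2)."""
    seen = set()
    for src, act, _ in lts["transitions"]:
        if (src, act) in seen:
            return False
        seen.add((src, act))
    return True


def successors(transitions, q, a):
    """All q' with q --a--> q'."""
    return {trg for src, act, trg in transitions if src == q and act == a}


def greatest_bisimulation(lts1, lts2):
    """Largest bisimulation on the disjoint union of lts1 and lts2.

    States are tagged (1, q) / (2, q) so that equal names do not collide.
    Starting from the full relation, pairs violating a transfer condition are
    removed until a fixpoint is reached; the result is the union of all bisimulations.
    """
    states = {(1, q) for q in lts1["states"]} | {(2, q) for q in lts2["states"]}
    trans = {((1, s), a, (1, t)) for s, a, t in lts1["transitions"]} | \
            {((2, s), a, (2, t)) for s, a, t in lts2["transitions"]}
    actions = {a for _, a, _ in trans}
    rel = set(product(states, states))
    changed = True
    while changed:
        changed = False
        for (q1, q2) in list(rel):
            for a in actions:
                s1, s2 = successors(trans, q1, a), successors(trans, q2, a)
                # every a-successor of q1 needs a related a-successor of q2, and vice versa
                fwd = all(any((t1, t2) in rel for t2 in s2) for t1 in s1)
                bwd = all(any((t1, t2) in rel for t1 in s1) for t2 in s2)
                if not (fwd and bwd):
                    rel.discard((q1, q2))
                    changed = True
                    break
    return rel


def bisimilar(lts1, lts2):
    """A ~ A' iff the two initial states are related by the greatest bisimulation."""
    return ((1, lts1["init"]), (2, lts2["init"])) in greatest_bisimulation(lts1, lts2)


def traces_up_to(lts, n):
    """Traces of the initial state of length <= n, to compare with bisimilarity
    (for deterministic LTSs the two notions coincide, as stated in Section 2.2)."""
    frontier = {(lts["init"], ())}
    result = set()
    for _ in range(n + 1):
        result |= {tr for _, tr in frontier}
        frontier = {(t, tr + (a,)) for q, tr in frontier
                    for s, a, t in lts["transitions"] if s == q}
    return result


if __name__ == "__main__":
    print(bisimilar(SWITCH, SWITCH_UNROLLED))       # True
    print(bisimilar(SWITCH, SWITCH_NO_RETRIGGER))   # False
```

Since all three LTSs are deterministic, the verdict of `bisimilar` agrees with comparing trace sets: `SWITCH` and `SWITCH_UNROLLED` have the same traces of every length, while `SWITCH_NO_RETRIGGER` lacks the trace on on, which is exactly the distinguishing trace the fixpoint finds when it discards the pair (q1, r1).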
2.3. Bounded time domain automata
In this subsection we recall the bounded time domain automata model from [30],
which is a variant of the timed automata model [2, 20]. A timed automaton is basically
an automaton extended with clocks. A clock is a variable that allows one to record the
passage of time. Like a chronometer, a clock can be set to a certain value and inspected
at any moment to see how much time has passed. By having several different clock
variables we can measure and compare the timing of different events. For this reason,
all clocks increase at the same rate. In the Alur–Dill model, clocks range over R≥0,
and the only assignments that are allowed are clock resets of the form x := 0. In the
BTDA model the domain dom(x) of a clock x is the union of a bounded interval and
the singleton {∞}. Intuitively, the value of x is only relevant when contained in the
interval: beyond the upper bound of the interval one only knows that the value of x
is "large". The BTDA model also allows for more general assignments of the form
x := n or x := y + n, for x and y clocks and n ∈ Z∞.
As shown in [30], the BTDA model is essentially equivalent to the Alur–Dill model
but often allows for more compact representations of timed systems. Also, it turns out
that the use of ∞ simplifies the technical development in the rest of this paper.
Below we first define the auxiliary concepts of clocks and constraints, before proceeding to the definition of BTDAs and their operational semantics.
2.3.1. Clocks and constraints
A clock is a variable x with a domain dom(x) of the form J ∪ {∞}, where J is
an interval over R with infimum and supremum in Z. Let C be a finite set of clocks.
We write intv(x) ≜ dom(x) − {∞}. A term over C is an expression generated by the
grammar e ::= x | n | e + n, where x is a clock in C and n ∈ Z∞. We denote the set of all
such terms by T(C). A constraint over C is a Boolean combination φ of inequalities
of the form e ≤ e′ or e < e′ with e, e′ ∈ T(C). We denote the set of all such formulas
by F(C). The Boolean constants T and F, denoting truth and falsehood, respectively,
as well as equations of the form x = n are definable by constraints. In fact, for each
term e and each interval J with integer bounds, the predicate e ∈ J can be expressed
as a constraint. A (simultaneous) assignment over C is a function μ from C to T(C).
We denote the set of all such assignments by M(C), and (for instance) write x := 5
for the assignment μ with μ(x) = 5. If φ is a constraint and μ an assignment, then
φ[μ] denotes the constraint obtained from φ by replacing each variable x by μ(x).
A clock valuation over C is a map v that assigns to each clock x ∈ C a value in its
domain. With V(C) we denote the set of clock valuations over C. In the obvious way,
a clock valuation v is lifted to a function v̄ that takes a term and returns a value.
We say that v satisfies φ, notation v ⊨ φ, if φ evaluates to true under valuation v. A
constraint φ is satisfiable if there is a valuation v such that v ⊨ φ; constraint φ holds
if for all valuations v, v ⊨ φ. If d ∈ R≥0 then v ⊕ d is the clock valuation defined by
(v ⊕ d)(x) ≜ v(x) + d if v(x) + d ∈ intv(x), and (v ⊕ d)(x) ≜ ∞ otherwise.
The hull of φ is the set of clock valuations v that satisfy, for all d ∈ R≥0, v ⊕ d ⊨ φ iff
d = 0. The interior of φ is the set of all valuations that satisfy φ but are not in its hull.
So if a clock valuation v is in the hull of φ, then any nonzero increment of the value
of the clocks under v will violate φ. For each constraint φ, let hull(φ) be a constraint
such that, for all v, v ⊨ hull(φ) iff v is in the hull of φ. Similarly, let interior(φ) be a
constraint such that, for all v, v ⊨ interior(φ) iff v is in the interior of φ. It is not hard
to see that such constraints always exist and can be effectively computed. For example,
hull(x ≤ 5) = (x = 5), hull(x < 5) = F, and interior(x ≤ 5) = (x < 5) = interior(x < 5).
2.3.2. BTDAs and their operational semantics
A bounded time domain automaton is a finite automaton together with some annotations to restrict real-time behavior. To start with, a set of clocks is associated
with the automaton. Each clock gets an initial value, and when time advances with an
amount d, the value of all clocks is incremented uniformly (according to ⊕)
with d. To each state we associate an invariant; we require that the automaton may
only reside in a state as long as the invariant remains true. In addition, a clock constraint is associated to each transition; we require that a transition may be taken only
if the current valuation of the clocks satisfies this constraint. When a transition occurs,
the clock values are updated according to a given assignment. We require that in the
new state the invariant holds and each clock again takes a value in its domain. All
this is formalized in the two following definitions.
Definition 4. A timing annotation for a given automaton A is a tuple T = (C, Inv, G, A, v0), where
• C is a finite set of clocks.
• Inv : Q → F(C) associates an invariant to each state.
• G : E → F(C) associates a guard to each transition.
• A : E → M(C) associates an assignment to each transition such that the constraint
Inv(src(π)) ∧ G(π) ⇒ ∧_{x∈C} (A(π)(x) ∈ dom(x)) ∧ Inv(trg(π))[A(π)] holds for each π ∈ E.
• v0 ∈ V(C) is the initial valuation. We require that v0 ⊨ Inv(q0) and, for all x, v0(x) ∈ Z∞.
A bounded time domain automaton (BTDA) is a pair B = (A, T), where A is a
finite automaton with Σ_A ∩ R≥0 = ∅, and T is a timing annotation for A. We write
Q_B, E_B, C_B, etc., for the components of A and T.
Example 5. In this example we extend the switch from Example 2 with an explicit
notion of time. We fix the period after which the light turns off automatically to 5 time
units. To express this formally, the LTS A of Example 2 is extended into a BTDA
B = (A, T), where T is the timing annotation T = (C, Inv, G, A, v0) with
• C = {x} with dom(x) = [0, 5] ∪ {∞},
• Inv(q0) = (x = ∞), Inv(q1) = (x ≤ 5),
• G(π0) = (x = ∞), G(π1) = (x = 5), G(π2) = (x < 5),
• A(π0) = (x := 0), A(π1) = (x := ∞), A(π2) = (x := 0),
• v0(x) = ∞.
The BTDA model of the switch is depicted in Fig. 2. In location q0 clock x is not
used; therefore x has been given the value ∞. The value of x becomes relevant as soon
as the action on occurs and the transition to location q1 is made. After this transition,
the action on is enabled in the interior of the invariant, i.e., while x < 5. As soon as 5 time units have
passed since the last on action, the hull of the invariant is reached and time cannot
advance any longer. At this point the switch automaton performs the now enabled
action off, to return to its initial state.
Fig. 2. A BTDA representing a switch.
Denition 6. The operational semantics OS(B) of a BTDA B is the lean LTS A
which, up to identity of transitions, is speci;ed by
QA = {(q; v)∈QB × V (CB) |v|= InvB(q)};
A =B ∪R¿0;
q0A = (q
0
B; v
0
B)
and →A is the smallest relation that satis;es the following two rules, for all (q; v); (q′;
v′)∈QA; a∈B; ∈EB and d∈R¿0,
 : q a→ q′; v |=GB(); v′= Qv ◦ AB()
(q; v) a→A(q′; v′)
q= q′; v′= v⊕ d; ∀06d′6d : v⊕ d′ |= InvB(q)
(q; v) d→A(q′; v′)
The actions in R¿0 are referred to as time delays. In order not to confuse the states of a
BTDA with those of its operational semantics, we will refer to the states of a BTDA B
as locations. We will use q; :: to range over locations, and r; s; :: to range over the states
of the operational semantics OS(B). We write SB for the set of states QA of OS(B).
2.4. Timed I/O automata
In this subsection, we define the model of timed I/O automata (TIOAs) as an extension of the BTDA model in which the actions are partitioned into input and output
actions. We impose some restrictions in order to ensure "testability" of the model.
Intuitively (a formal definition will be presented in Section 3), a test sequence for a
TIOA is a finite sequence of delays and input actions that can be applied to the TIOA.
In order to fully test a TIOA by test sequences the TIOA should be controllable in
the sense that it should be possible for an environment to drive a TIOA through all of
its transitions. An obvious prerequisite for controllability is that a TIOA is deterministic. However this is not enough. We also need to require that a TIOA has isolated
outputs: for each state, if an output is enabled then no other input or output transition
is enabled. In this way we exclude that a TIOA can autonomously choose between
performing different outputs, or between performing an output and accepting an input.
Since input actions are under control of the environment of a TIOA, a TIOA should
always accept inputs. Traditionally [25, 28], this leads to the requirement that every
input is enabled in every state. This however is in conflict with the condition of
isolated outputs. We therefore impose a slightly weaker input enabling condition: each
input is enabled in the interior of the invariant of each location. This means that
inputs are enabled as long as time can progress. Since inputs and outputs are mutually
exclusive, this in addition ensures that a TIOA cannot choose to avoid executing output
actions by letting time pass. Together, the conditions of determinism, isolated outputs
and input enabling ensure that a TIOA is controllable.
According to our definitions, there are BTDAs in which from some (or even all)
states no outgoing execution fragment α exists such that the sum of time delays in α
diverges, i.e., grows to infinity. It may for instance occur that a state has no outgoing
transition at all ('time deadlock'), or that there is an infinite sequence of consecutive
output actions without any time delays in between ('Zeno behavior'). Since (we believe) these behaviors cannot occur in the real world and we need to exclude them in
order to develop our testing approach, we demand as final requirement that a TIOA is
progressive: from each state there should be an outgoing execution fragment containing
no input actions in which the sum of the time delays diverges. Progressiveness implies
that in each state on the hull of an invariant an output action is enabled. Moreover, after
a finite number of consecutive output actions time will be allowed to advance and, consequently, input actions will be enabled again. As a result, a TIOA can never preempt
input actions indefinitely by performing output actions. So, although within our model
input actions are not enabled in every state, they are accepted at every time instant.
Denition 7. A timed I=O automaton (TIOA) is a pair M=(B;P), where B is a
BTDA and P=(I; O) is a partitioning of B in input actions and output actions. We
require that the following properties hold, for all ; ′ ∈E; q∈Q, and i∈ I :
(1) (Determinism) if src()= src(′); act()= act(′) and G() ∧ G(′) is satis;able
then = ′
(2) (Isolated outputs) if scr()= src(′); act()∈O and G()∧G(′) is satis;able then
= ′
(3) (Input enabling) interior(Inv(q))⇒ ∨∈from(q; i) G() holds, where from (q; i) ,
{∈E | src()= q ∧ act()= i}
(4) (Progressiveness) For every state of OS(B) there exists an in;nite execution
fragment that starts in this state, contains no input actions, and in which the sum
of the delays diverges
We write QM; M; CM; InvM; IM; etc., for the components of B and P. The
operational semantics OS(M) of M is just the operational semantics of the contained
BTDA B. Moreover, we write M M′ whenever OS(M)  OS(M′).
The following lemma, which is a direct corollary of the de;nitions, gives four basic
properties of the operational semantics of a timed I=O automaton.
Lemma 8. Let M be a TIOA. Then
(1) OS(M) is deterministic.
(2) OS(M) has Wang's [35] time additivity property: s (d+d′)→ s′ ⇔ ∃r : s d→ r ∧ r d′→ s′.
(3) Each state of OS(M) has either (a) a single outgoing transition labeled with
an output action; or (b) both outgoing delay transitions and outgoing input transitions (one for each input action), but no outgoing output transitions. States of
type (b) are called stable.
(4) For each state s ∈ S_M, there exists a unique finite sequence of output actions σ
and a unique stable state s′ such that s σ→ s′.
Example 9. It is not difficult to see that for the switch of Example 2 there is a natural
separation between input and output actions. Action on is purely controlled by the
environment; so we say that it is an input action. Instead, action off can only be
observed by the environment and it is controlled exclusively by the system, which
makes it an output action.
Formally, we can construct the TIOA M = (B, P) where B is the BTDA given in
Example 5 and the partitioning P = (I, O) consists of I = {on} and O = {off}. It is not
difficult to check that M is indeed a TIOA. In particular notice that hull(Inv(q1)) =
hull(x ≤ 5) = (x = 5) = G(π1), which isolates the output action off in location q1, and
interior(Inv(q1)) = interior(x ≤ 5) = (x < 5) = G(π2), which makes location q1 input
enabling. In fact, it is straightforward to check determinism, isolated outputs, and input
enabling. Less simple is to check that the TIOA is progressive. This is, however, not
difficult either, since it reduces to model checking a simple TCTL formula, which is decidable and can be carried out automatically [5, 24, 14, 19]. 3
The intention of the next example is to show that timed I/O automata form a natural
generalization of the classical Mealy machines [23], which are a well-established model
in black-box testing theory and often used in practice.
Example 10. Recall that a Mealy machine is a tuple F = (I, O, Q, δ, λ, q0), where
• I, O, Q are finite, nonempty sets of inputs, outputs, and states, respectively,
• δ : I × Q → Q is the transition function,
• λ : I × Q → O is the output function, and
• q0 is the initial state.
To a Mealy machine F we associate a timed I/O automaton M with locations Q ∪
(I × Q), inputs I, outputs O, and initial location q0. For each state q ∈ Q and input
action i ∈ I, we introduce a pair of transitions
q i→ (i, q) and (i, q) λ(i,q)→ δ(i, q).
3 The TCTL formula to be checked is ∀ (T⇒∃61T)
We equip M with a single clock x with domain {0, ∞}. In order to model that
Mealy machines accept inputs at any time, a constraint x = ∞ is associated to each
location q ∈ Q and to each input transition q i→ (i, q). To capture the intuition that in
a Mealy machine each input is immediately followed by an output, a constraint x = 0
is associated to each location (i, q) ∈ I × Q and to each output transition (i, q) o→ q′.
Finally, to make M into a proper TIOA, we assign ∞ as initial value to x, annotate
each input transition with an assignment x := 0, and each output transition with an
assignment x := ∞.
Besides the above translation from Mealy machines to TIOAs, many other possible
translations exist. The TIOA model allows one to express, for instance, that some
amount of time may elapse in between an input and the subsequent output. In this
case one has to specify what happens if another input arrives before the output is
produced. One possibility here is to jump to a newly added error state, but one may
also decide to ignore such an input.
3. Test sequences
We view timed I/O automata as machines to which one can apply tests. A test
sequence for a TIOA M is a finite sequence of delays and input actions of M. We
denote the set of all test sequences for M by Exp_M. A test sequence σ can be applied
to the machine M starting from any state s. The application of σ to M in s uniquely
determines a finite, maximal execution fragment in OS(M). The existence of such
an execution fragment is guaranteed by the properties that we demand of TIOAs. For
black-box testing, one is only interested in the observable behavior induced by the
execution, that is, actions and passage of time, but not states. For instance, if the test
sequence on 6, which may be read as "press input on and observe the system during
6 units of time", is applied to the initial state of the automaton from Example 9, it
determines a unique execution whose observable behavior is the trace on 5 off 1, that
is, "after pressing input on and waiting for 5 time units, the switch turns automatically
off; in the next unit of time nothing happens".
In the following we formally de;ne what it means to perform a test sequence, and
we prove that a test sequence induces a unique execution fragment. The outcome of
performing a test sequence onM is described in terms of an auxiliary labeled transition
system EM.
Denition 11. The test sequence LTS EM is the lean LTS with ExpM× SM as its set
of states, TM as its set of actions, (; s0M) as its (arbitrarily chosen) initial state, and
a transition relation → that is inductively de;ned as the least relation satisfying the
following four rules, for all s; s′ ∈ SM, ∈ExpM, i∈ IM, o ∈ OM and d; d′ ∈R¿0,
s o→ OS(M) s′
(; s) o→ (; s′)
(1)
J. Springintveld et al. / Theoretical Computer Science 254 (2001) 225–257 237
s i→ OS(M) s′
(i; s) i→ (; s′)
(2)
s d→ OS(M) s′
(d; s) d→ (; s′)
(3)
s d
′
→ OS(M) s′; sup{t ∈R¿0 | s t→ OS(M)}=d′¡d
(d; s) d
′→ ((d− d′); s′)
(4)
Rule (1) says that output actions are always performed autonomously, independently
of the input of the intended test sequence. Instead, input actions are only performed if
they are explicitly speci;ed in the test sequence. This is stated by rule (2). Similarly,
rule (3) says that a delay can occur only when it is both speci;ed by the test sequence
and allowed by M. In some cases, a delay speci;ed in the test sequence cannot occur
since it is interrupted by an autonomous output action of M. In such a case, the part
of the delay up to the output action is executed, while the rest is postponed until M
stops doing output actions autonomously. This last case is explained by rule (4).
The following theorem basically says that for each test sequence and each state there is a unique corresponding finite execution fragment in the test sequence automaton.
Theorem 12. Let $M$ be a TIOA. Then
(1) each state of $E_M$ has at most one outgoing transition; and
(2) $E_M$ does not have an infinite execution fragment.
Proof. Part (1) follows directly from the definition of $E_M$ together with Lemma 8.
Part (2) is proved by contradiction. Suppose that $\alpha_0$ is an infinite execution fragment of $E_M$. Because test sequences have finite length, transitions of types (2) and (3) reduce the length of the test sequence, and the two other types of transitions leave the length of the test sequence unchanged, $\alpha_0$ has an (infinite) suffix $\alpha_0'$ that contains no transitions of types (2) and (3). If we project all states in $\alpha_0'$ on their second component, we obtain an infinite execution fragment $\alpha$ of the LTS $\mathit{OS}(M)$ that contains no input actions and in which the sum of the delays converges. Let $s$ be the first state of $\alpha$. Since $M$ is progressive, $\mathit{OS}(M)$ has an infinite execution fragment $\alpha'$ that starts in $s$, contains no input actions, and in which the sum of the delays diverges. Let $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ and $\alpha' = s'_0 a'_1 s'_1 a'_2 s'_2 \cdots$. Then $s = s_0 = s'_0$. Inductively, we construct a monotonic function $f : \mathbb{N} \to \mathbb{N}$ that satisfies, for all $i \in \mathbb{N}$, the following two properties:
(1) $s_i = s'_{f(i)}$;
(2) $s'_{f(i)} \xrightarrow{a_{i+1}} s'_{f(i+1)}$.
For the induction base, define $f(0) = 0$. Since both $\alpha$ and $\alpha'$ start with $s$, we have $s_0 = s = s'_{f(0)}$. Now suppose that $f$ has been defined for all $j \le k$ and $s_k = s'_{f(k)}$. In order to define $f(k+1)$ we distinguish two cases.
(1) $a_{k+1}$ is an output action. In this case define $f(k+1) = f(k) + 1$. Using Lemma 8(3) we obtain $s_{k+1} = s'_{f(k+1)}$ and $s'_{f(k)} \xrightarrow{a_{k+1}} s'_{f(k+1)}$.
(2) $a_{k+1}$ is a delay. Then the transition $s_k \xrightarrow{a_{k+1}} s_{k+1}$ originates from a transition of type (4) in $E_M$. This implies that $a_{k+1}$ is the maximal delay that is enabled in $s_k$. Using the fact that $\alpha'$ diverges and Lemma 8, we can infer that there exists an index $m > f(k)$ such that all actions $a'_j$ for $f(k) < j \le m$ are delays with a sum equal to $a_{k+1}$, and $s_{k+1} = s'_m$. Now define $f(k+1) = m$. Clearly $s_{k+1} = s'_{f(k+1)}$ and $s'_{f(k)} \xrightarrow{a_{k+1}} s'_{f(k+1)}$.
From the construction together with Lemma 8 it follows that, for all $i$, the sum $D(i)$ of the delays in $s_0 a_1 s_1 a_2 s_2 \cdots s_i$ equals the sum $D'(i)$ of the delays in the fragment $s'_0 a'_1 s'_1 a'_2 s'_2 \cdots s'_{f(i)}$. Since $f$ is monotonic and the sum of the delays in $\alpha'$ diverges, $D'(i)$ increases without bound as $i \to \infty$. This contradicts the fact that the sum of the delays in the test sequence component of the first state of $\alpha_0'$ gives a finite upper bound for all the sums $D(i)$.
Theorem 12(1) allows us to define $\mathit{exec}_M(\sigma, s)$ as the execution fragment of $\mathit{OS}(M)$ obtained by projecting the states in the unique maximal execution fragment of $E_M$ that starts in $(\sigma, s)$ on their second component. Theorem 12(2) implies that it is a finite execution fragment. Write $s \overset{\sigma}{\Rightarrow} s'$ if $s'$ is the last state of $\mathit{exec}_M(\sigma, s)$ (note that $s'$ is stable). For instance, the application of the test sequence $\sigma = \mathit{on}\ 6$ to the switch of Example 9 from its initial state determines the following execution:
$$\mathit{exec}_M(\sigma, (q_0, x{=}\infty)) = (q_0, x{=}\infty)\ \mathit{on}\ (q_1, x{=}0)\ 5\ (q_1, x{=}5)\ \mathit{off}\ (q_0, x{=}\infty)\ 1\ (q_0, x{=}\infty).$$
Hence $(q_0, x{=}\infty) \overset{\sigma}{\Rightarrow} (q_0, x{=}\infty)$. As we said, for black-box testing one is only interested in observable behavior, not in states. We define $\mathit{outcome}_M(\sigma, s)$, the outcome of test sequence $\sigma$ in state $s$ of $M$, as the trace of the execution fragment that is induced by performing the test sequence:
$$\mathit{outcome}_M(\sigma, s) \triangleq \mathit{trace}(\mathit{exec}_M(\sigma, s)).$$
Thus, the outcome of the previous test sequence is $\mathit{outcome}_M(\sigma, (q_0, x{=}\infty)) = \mathit{on}\ 5\ \mathit{off}\ 1$.
We end this section with a small lemma stating that each trace $\beta$ that leads from a given state $s$ to a stable state $s'$ can be retrieved as the outcome of the test sequence obtained by projecting $\beta$ on input actions and delays.
Lemma 13. Suppose $s \xrightarrow{\beta} s'$, $s'$ is stable, and $\sigma' = \beta \restriction (I_M \cup \mathbb{R}^{>0})$. Then $\mathit{outcome}_M(\sigma', s) = \beta$ and $s \overset{\sigma'}{\Rightarrow} s'$.
Proof. Let $\alpha$ be the unique execution fragment of $\mathit{OS}(M)$ with $\mathit{first}(\alpha) = s$, $\mathit{last}(\alpha) = s'$, and $\mathit{trace}(\alpha) = \beta$. By induction on the number $n$ of transitions in $\alpha$ we prove $\mathit{exec}_M(\sigma', s) = \alpha$.
Suppose $n = 0$. Then $s = s' = \alpha$ and $\beta = \sigma' = \varepsilon$. Since $s$ is stable, state $(\varepsilon, s)$ of $E_M$ has no outgoing transitions. Thus $\mathit{exec}_M(\sigma', s) = s = \alpha$.
For the induction step, suppose that $n > 0$. Let $s \xrightarrow{a} s''$ be the first transition of $\alpha$, and let $\alpha'$ be the unique execution fragment satisfying $\alpha = s\, a\, \alpha'$. We distinguish two cases:
(1) $a$ is an output action. Then, by rule (1), $E_M$ contains a transition $(\sigma', s) \xrightarrow{a} (\sigma', s'')$. By the induction hypothesis $\mathit{exec}_M(\sigma', s'') = \alpha'$. Since $\mathit{exec}_M(\sigma', s) = s\, a\, \mathit{exec}_M(\sigma', s'')$, we infer $\mathit{exec}_M(\sigma', s) = \alpha$.
(2) $a$ is an input or delay action. Then $\sigma'$ is of the form $a\sigma''$. Hence, by application of rule (2) or rule (3), respectively, $E_M$ contains a transition $(\sigma', s) \xrightarrow{a} (\sigma'', s'')$. By the induction hypothesis $\mathit{exec}_M(\sigma'', s'') = \alpha'$. Since clearly $\mathit{exec}_M(\sigma', s) = s\, a\, \mathit{exec}_M(\sigma'', s'')$, we infer $\mathit{exec}_M(\sigma', s) = \alpha$.
Since $\mathit{outcome}_M(\sigma', s) = \mathit{trace}(\mathit{exec}_M(\sigma', s)) = \mathit{trace}(\alpha) = \beta$, the lemma follows immediately.
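As an added illustration, not part of the original paper, the following Python sketch encodes rules (1)–(4) of Definition 11 as a small interpreter and runs the test sequence $\mathit{on}\ 6$ of Example 9 through it. The switch automaton is a reconstruction: the page only shows the resulting execution, so the guard $x = 5$ on $\mathit{off}$, the invariant $x \le 5$ in $q_1$ and the domain $[0,5]$ of $x$ are assumptions chosen to reproduce that run; treating an input with no enabled transition as a stuck (maximal) state of $E_M$ is likewise an assumption, and all names are mine.

```python
import math

INF = math.inf  # a clock value outside its domain interval is written ∞ in the paper

# Reconstruction of the switch TIOA of Example 9 (assumed shape): locations q0 and
# q1, one clock x with domain [0,5] ∪ {∞}.  Only the execution
# (q0,x=∞) on (q1,x=0) 5 (q1,x=5) off (q0,x=∞) 1 (q0,x=∞) is given in the text, so
# the guards and the invariant x <= 5 in q1 are assumptions that reproduce it.
SWITCH = {
    "inputs": {"on"},
    "outputs": {"off"},
    "init": ("q0", INF),
    "domain": 5,                        # upper end of intv(x); beyond it x becomes ∞
    "invariant": {"q0": INF, "q1": 5},  # upper bound on x allowed in each location
    # (location, action) -> (guard on x, target location, value assigned to x)
    "edges": {
        ("q0", "on"):  (lambda x: True,   "q1", 0),
        ("q1", "off"): (lambda x: x == 5, "q0", INF),
    },
}


def enabled_output(m, s):
    """Return (o, s') for the output transition enabled in s, or None (s is stable)."""
    loc, x = s
    for (l, a), (guard, target, reset) in m["edges"].items():
        if l == loc and a in m["outputs"] and guard(x):
            return a, (target, reset)
    return None


def max_delay(m, s):
    """sup{ t | s -t-> }: the longest delay that keeps the location's invariant true."""
    loc, x = s
    bound = m["invariant"][loc]
    return INF if x == INF or bound == INF else bound - x


def delay(m, s, d):
    """s ⊕ d: advance the clock, sending it to ∞ when it leaves its domain."""
    loc, x = s
    nx = x + d
    return (loc, nx if nx <= m["domain"] else INF)


def exec_test(m, sigma, s):
    """Apply test sequence sigma (inputs and delays) to m in state s following
    rules (1)-(4) of Definition 11.  Returns (trace, last state): the trace is
    outcome_M(sigma, s) and the last state is the s' with s =sigma=> s'."""
    trace, pending = [], list(sigma)
    while True:
        fired = enabled_output(m, s)
        if fired:                                   # rule (1): outputs are autonomous
            a, s = fired
            trace.append(a)
            continue
        if not pending:                             # stable state, sequence exhausted
            return trace, s
        head = pending[0]
        if head in m["inputs"]:                     # rule (2): input must be enabled
            edge = m["edges"].get((s[0], head))
            if edge is None or not edge[0](s[1]):
                return trace, s                     # no transition: E_M is stuck (assumption)
            pending.pop(0)
            s = (edge[1], edge[2])
            trace.append(head)
        else:
            d = pending.pop(0)
            limit = max_delay(m, s)
            if limit == 0:
                raise RuntimeError("no output enabled and time cannot progress: not progressive")
            if d <= limit:                          # rule (3): the whole delay is allowed
                s = delay(m, s, d)
                trace.append(d)
            else:                                   # rule (4): an output interrupts the delay
                s = delay(m, s, limit)              # run up to the output ...
                trace.append(limit)
                pending.insert(0, d - limit)        # ... and postpone the remainder


def outcome(m, sigma, s=None):
    """outcome_M(sigma, s) = trace(exec_M(sigma, s)); defaults to the initial state."""
    return exec_test(m, sigma, m["init"] if s is None else s)[0]


if __name__ == "__main__":
    print(outcome(SWITCH, ["on", 6]))   # the trace 'on 5 off 1' from the text
```

Running `outcome(SWITCH, ["on", 6])` yields `["on", 5, "off", 1]`: the delay 6 is split by rule (4) into the 5 units allowed by the invariant, the autonomous `off`, and the postponed remainder 1. Feeding the projection `["on", 5, 1]` of that trace back in gives the same outcome, which is the content of Lemma 13.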
4. Discretization of the state space
Even though our tests are very simple, the set $\mathit{Exp}_M$ of test sequences for a given TIOA $M$ is uncountably large, due to the possible occurrence of real numbers within test sequences. Also the LTS $\mathit{OS}(M)$, which gives the operational behavior of $M$, is a highly infinite object. It is thus unclear how we should select a finite collection of tests if we want to establish that an IUT conforms to a specification $M$. Fortunately, however, the technical results of this section will enable us to restrict attention to a finite subautomaton of $\mathit{OS}(M)$ which contains enough information to characterize $\mathit{OS}(M)$ itself. We call it a grid automaton. In fact, for each pair $M, M'$ of TIOAs, we can effectively find two grid automata such that $M$ is bisimilar to $M'$ iff the grid automata are bisimilar. In this way, whenever we want to establish that some black box conforms to the original TIOA specification, we can restrict attention to their grid automata. Using the fact that, in the context of deterministic machines, bisimulation coincides with trace equivalence, checking bisimulation reduces to the application of an appropriate set of test sequences. The grid automata can be fully and effectively explored by a finite number of test sequences in $\mathit{Exp}_M$, using standard techniques for testing finite automata.
4.1. Regions
Our construction of a finite subautomaton uses the fundamental concept of a region, due to Alur and Dill [2]. The key idea behind the definition of a region is that, even though the number of states of an LTS $\mathit{OS}(M)$ is infinite, not all of these states are distinguishable via constraints. If two states corresponding to the same location agree on the integral parts of all the clock values, and also on the ordering of the fractional parts of all the clocks, then these two states cannot be distinguished by constraints.
Definition 14. The equivalence relation $\cong$ over the set $V(C)$ of valuations of a set $C$ of clocks is given by: $v \cong v'$ iff, for all $x, y \in C$,
(1) $v(x) = \infty$ iff $v'(x) = \infty$,
(2) if $v(x) \neq \infty$ then $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$ and ($\mathit{fract}(v(x)) = 0$ iff $\mathit{fract}(v'(x)) = 0$),
(3) if $v(x) \neq \infty \neq v(y)$ then $\mathit{fract}(v(x)) \le \mathit{fract}(v(y))$ iff $\mathit{fract}(v'(x)) \le \mathit{fract}(v'(y))$.
A region is an equivalence class of valuations induced by $\cong$.
Lemma 15. If $v \cong v'$ then $v \models \varphi \Leftrightarrow v' \models \varphi$.
The equivalence relation $\cong$ on the clock valuations of a TIOA $M$ is lifted to an equivalence relation $\cong$ on $S_M$ by defining
$$(q, v) \cong (q', v') \triangleq q = q' \wedge v \cong v'.$$
A region of $M$ is an equivalence class of states induced by $\cong$. Similarly, for TIOAs $M_1$ and $M_2$ with clocks $C_1$ and $C_2$, respectively, the equivalence relation $\cong$ on $V(C_1 \cup C_2)$ (w.l.o.g. we assume that $C_1$ and $C_2$ are disjoint) is lifted to an equivalence relation $\cong$ on $S_{M_1} \times S_{M_2}$ by defining
$$((q_1, v_1), (q_2, v_2)) \cong ((q'_1, v'_1), (q'_2, v'_2)) \triangleq q_1 = q'_1 \wedge q_2 = q'_2 \wedge v_1 \cup v_2 \cong v'_1 \cup v'_2.$$
A region of $M_1$ and $M_2$ is an equivalence class of pairs of states induced by $\cong$. Note that $(r_1, r_2) \cong (s_1, s_2)$ implies $r_1 \cong s_1 \wedge r_2 \cong s_2$, but that the converse implication does not hold in general: the relation on pairs also fixes the ordering of the fractional parts between clocks of $M_1$ and clocks of $M_2$.
Alur and Dill [2] show that for a set of clocks $C$ the number of regions of $V(C)$ is bounded by $|C|! \cdot 2^{|C|} \cdot \prod_{x \in C}(2c_x + 2)$, where for each clock $x$, $c_x$ denotes the length of the domain interval $\mathit{intv}(x)$. This means that the number of regions of a TIOA is also (in the worst case) exponential in the number of clocks. In practice the use of invariants may keep the number of regions small. The switch TIOA of Example 9 has 12 regions, and the TIOA associated to a Mealy machine in Example 10 has $|Q|(|I| + 1)$ regions.
4.2. Uniform mappings
The concept of a uniform mapping was introduced by Čerāns [9, 8]. Uniform mappings provide a convenient characterization of regions. They play a central role in Čerāns' proof that bisimulation equivalence is decidable for timed automata, and are also used heavily in this section.
Definition 16. A continuous mapping⁴ $\theta : \mathbb{R}^\infty \to \mathbb{R}^\infty$ is uniform if
(1) $\theta$ is strictly monotone (so $t > u$ implies $\theta(t) > \theta(u)$),
(2) $\theta(0) = 0$,
(3) $\theta(t + n) = \theta(t) + n$, for every real number $t$ and integer $n$.
A uniform mapping $\theta$ is extended in a homomorphic manner to any structure containing elements of $\mathbb{R}^\infty$. In particular, for any clock valuation $v$, $\theta(v)$ is equal to the function $v'$ given by $v'(x) \triangleq \theta(v(x))$, for all $x$.
Note that conditions (1)–(3) in Definition 16 together imply that $\theta(n) = n$ for all $n \in \mathbb{Z}^\infty$. Below we rephrase the basic results of Čerāns [9, 8] about uniform mappings in our setting. We first need to prove five technical lemmas to prepare for the main results of this subsection, which say that uniform mappings "preserve" the transition relation. The proofs of Lemmas 17, 19 and 20 follow easily from the definitions. The proofs of Lemmas 18 and 21 are somewhat more tricky, and therefore outlines have been included below.
Lemma 17. Suppose $v$ is a clock valuation over a set of clocks $C$ and $\theta$ is a uniform mapping. Then $\theta(v)$ is a clock valuation over $C$.
Lemma 18. $v \cong v'$ iff there exists a uniform mapping $\theta$ such that $v' = \theta(v)$.
Proof. "⇐" Routine checking. Use the observation that, for each uniform mapping $\theta$, the inverse mapping $\theta^{-1}$ is defined and also uniform.
"⇒" Let $C = \{x_1, \ldots, x_n\}$. We order the clocks according to the value of their fractional part in $v$, placing the clocks with value $\infty$ to the right: let $(i_1, \ldots, i_n)$ be a permutation of $(1, \ldots, n)$ such that, for all $1 \le j < k \le n$,
(1) $v(x_{i_j}) = \infty \Rightarrow v(x_{i_k}) = \infty$, and
(2) $v(x_{i_j}) \neq \infty \neq v(x_{i_k}) \Rightarrow \mathit{fract}(v(x_{i_j})) \le \mathit{fract}(v(x_{i_k}))$.
From $v \cong v'$ and the definition of region equivalence it follows that properties (1) and (2) also hold if we replace each occurrence of $v$ by $v'$. Using the properties of region equivalence, we infer that there exists a continuous, strictly monotone function $\theta' : [0,1) \to [0,1)$ with $\theta'(0) = 0$ and, for all $j$ with $v(x_{i_j}) \neq \infty$, $\theta'(\mathit{fract}(v(x_{i_j}))) = \mathit{fract}(v'(x_{i_j}))$. We extend $\theta'$ to a uniform mapping $\theta$ with the required property by defining $\theta(\infty) = \infty$ and, for $t \in \mathbb{R}$, $\theta(t) \triangleq \lfloor t \rfloor + \theta'(\mathit{fract}(t))$.
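As an added example (mine, not from the paper) of Definition 14 and of the "⇒" construction in the proof of Lemma 18: a clock valuation is a Python dict, $\infty$ is the float `inf`, exact `Fraction`s avoid rounding, `region_key` computes a canonical description of the region so that two valuations are equivalent iff their keys agree, and `uniform_map` builds $\theta'$ as the piecewise-linear bijection of $[0,1)$ through the points $(\mathit{fract}(v(x)), \mathit{fract}(v'(x)))$ and extends it to $\theta(t) = \lfloor t \rfloor + \theta'(\mathit{fract}(t))$, $\theta(\infty) = \infty$. Function names and the sample valuations are constructed for illustration.

```python
from fractions import Fraction
from math import floor, inf

INF = inf  # value of a clock that has left its domain


def fract(t):
    return t - floor(t)


def region_key(v):
    """Canonical description of the region of v (Definition 14): for every clock
    whether it is ∞, its integer part and whether its fractional part is 0, plus
    the weak ordering of the fractional parts of the finite clocks (ties grouped)."""
    clocks = sorted(v)
    parts = tuple((v[x] == INF,
                   None if v[x] == INF else floor(v[x]),
                   None if v[x] == INF else fract(v[x]) == 0) for x in clocks)
    finite = sorted((x for x in clocks if v[x] != INF), key=lambda x: fract(v[x]))
    groups = []
    for x in finite:
        if groups and fract(v[groups[-1][0]]) == fract(v[x]):
            groups[-1].append(x)                       # same fractional part
        else:
            groups.append([x])
    return parts, tuple(tuple(g) for g in groups)


def region_equivalent(v, w):
    """v ≅ w iff both valuations lie in the same region."""
    return region_key(v) == region_key(w)


def uniform_map(v, w):
    """The '⇒' direction of Lemma 18: given v ≅ w, return a uniform mapping θ with
    θ(v) = w.  θ' is piecewise linear on [0,1) through (fract(v(x)), fract(w(x)))
    for every finite clock x, with θ'(0) = 0 and θ'(1) = 1 as end points."""
    if not region_equivalent(v, w):
        raise ValueError("valuations are not region equivalent")
    points = {Fraction(0): Fraction(0), Fraction(1): Fraction(1)}
    for x in v:
        if v[x] != INF:
            points[Fraction(fract(v[x]))] = Fraction(fract(w[x]))
    knots = sorted(points.items())       # strictly increasing in both coordinates

    def theta(t):
        if t == INF:
            return INF
        f, n = Fraction(fract(t)), floor(t)
        for (a, fa), (b, fb) in zip(knots, knots[1:]):
            if a <= f < b:               # θ(t) = ⌊t⌋ + θ'(fract(t))
                return n + fa + (fb - fa) * (f - a) / (b - a)
        raise ValueError("fractional part outside [0,1)")

    return theta


def apply_map(theta, v):
    """θ(v): the homomorphic extension of Definition 16 to valuations."""
    return {x: theta(val) for x, val in v.items()}


if __name__ == "__main__":
    v = {"x": Fraction(1, 4), "y": Fraction(5, 2), "z": INF}   # constructed sample
    w = {"x": Fraction(1, 2), "y": Fraction(11, 4), "z": INF}
    th = uniform_map(v, w)
    print(region_equivalent(v, w), apply_map(th, v) == w)      # True True
```

The constructed `v` and `w` agree on integer parts, on which clocks are $\infty$, and on the order $\mathit{fract}(x) < \mathit{fract}(y)$, so they are equivalent and $\theta(v) = w$; flipping the order of the fractional parts in `w` (for instance $y = 9/4$) breaks the equivalence, and `region_key` then differs in the ordering component exactly as clause (3) of Definition 14 demands.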
Lemma 19. $\theta(v)(e) = \theta(\bar v(e))$ for every clock expression $e$, where $\bar v$ denotes the extension of $v$ to expressions.
Lemma 20. Whenever $\theta$ is a uniform mapping then for every $d \in \mathbb{R}^{>0}$ the mapping $\theta_d$, defined by $\theta_d(t) \triangleq \theta(t - d) - \theta(-d)$ for every $t \in \mathbb{R}^\infty$, is also uniform.
Lemma 21. $\theta_d(v \oplus d) = \theta(v) \oplus -\theta(-d)$.
⁴ Čerāns [9, 8] does not require uniform mappings to be continuous, as he should have, since his proof of Lemma 3.7 in [9] (which coincides with Lemma 11.7 in [8]) uses the property that a uniform mapping has an inverse that is also uniform.
Proof.
(1) Assume $x$ is a clock with $v(x) + d \in \mathit{intv}(x)$. Then
$$\theta_d(v \oplus d)(x) = \theta_d((v \oplus d)(x)) = \theta_d(v(x) + d) = \theta(v(x) + d - d) - \theta(-d) = \theta(v)(x) - \theta(-d).$$
(2) Assume $x$ is a clock with $v(x) + d \notin \mathit{intv}(x)$. In this case
$$\theta_d(v \oplus d)(x) = \theta_d((v \oplus d)(x)) = \theta_d(\infty) = \infty.$$
(3) We claim that $v(x) + d \in \mathit{intv}(x) \Leftrightarrow \theta(v)(x) - \theta(-d) \in \mathit{intv}(x)$. In fact, using the uniformity of $\theta$ and $\theta^{-1}$, we derive, for any integer $n$ and $\bowtie \in \{<, \le, >, \ge\}$,
$$v(x) + d \bowtie n \Leftrightarrow v(x) \bowtie n - d \Leftrightarrow \theta(v)(x) \bowtie n + \theta(-d) \Leftrightarrow \theta(v)(x) - \theta(-d) \bowtie n.$$
Since $\mathit{intv}(x)$ has integer bounds, the claim follows from the combination of the derived inequalities.
The lemma now follows from (1)–(3) and the definition of $\oplus$.
The next two lemmas, which are the main results about uniform mappings, assert that uniform mappings "preserve" transitions between states.
Lemma 22. If $s \xrightarrow{a} s'$ and $a$ is an input or output action of $M$ then $\theta(s) \xrightarrow{a} \theta(s')$.
Proof. Assume $s \xrightarrow{a} s'$ and $\theta$ is a uniform mapping. Let $s = (q, v)$, $s' = (q', v')$, $\theta(v) = w$ and $\theta(v') = w'$. We must prove that $(q, w) \xrightarrow{a} (q', w')$.
Because $s \xrightarrow{a} s'$, there exists a transition $\tau$ of $M$ such that $\tau : q \xrightarrow{a} q'$, $v \models G(\tau)$ and $v' = \bar v \circ A(\tau)$.
Since $w = \theta(v)$, Lemma 18 implies $v \cong w$. Hence, according to Lemma 15, $w \models G(\tau)$.
Assume that $x$ is a clock. Then we derive, using the assumptions, the definitions and Lemma 19,
$$w'(x) = \theta(v')(x) = \theta(v'(x)) = \theta(\bar v \circ A(\tau)(x)) = \theta(\bar v(A(\tau)(x))) = \theta(v)(A(\tau)(x)) = \bar w(A(\tau)(x)) = \bar w \circ A(\tau)(x).$$
This means that $w' = \bar w \circ A(\tau)$. Combining this fact with $\tau : q \xrightarrow{a} q'$ and $w \models G(\tau)$, we may now conclude that $(q, w) \xrightarrow{a} (q', w')$, as required.
Lemma 23. If $s \xrightarrow{d} s'$ then $\theta(s) \xrightarrow{-\theta(-d)} \theta_d(s')$.
Proof. Assume $s \xrightarrow{d} s'$. Let $s = (q, v)$, $s' = (q, v')$, $\theta(v) = w$ and $\theta_d(v') = w'$. We must prove that $(q, w) \xrightarrow{-\theta(-d)} (q, w')$.
Since $s \xrightarrow{d} s'$, we know that $v' = v \oplus d$ and, for all $0 \le d' \le d$: $v \oplus d' \models \mathit{Inv}(q)$. By Lemma 21,
$$w' = \theta_d(v \oplus d) = \theta(v) \oplus -\theta(-d) = w \oplus -\theta(-d).$$
Choose $0 \le d' \le -\theta(-d)$. Let $d'' = -\theta^{-1}(-d')$. We derive
$$0 \le d' \le -\theta(-d) \Leftrightarrow 0 \ge -d' \ge \theta(-d) \Leftrightarrow 0 \ge \theta^{-1}(-d') \ge -d \Leftrightarrow 0 \le d'' \le d.$$
This implies that $v \oplus d'' \models \mathit{Inv}(q)$. Since $\theta_{d''}$ is uniform (Lemma 20), uniform mappings preserve regions (Lemma 18), and regions preserve constraints (Lemma 15), $\theta_{d''}(v \oplus d'') \models \mathit{Inv}(q)$. By Lemma 21,
$$\theta_{d''}(v \oplus d'') = \theta(v) \oplus -\theta(-d'') = \theta(v) \oplus d'.$$
Hence $\theta(v) \oplus d' \models \mathit{Inv}(q)$. Since we have now proved that $w' = w \oplus -\theta(-d)$ and, for all $0 \le d' \le -\theta(-d)$, $\theta(v) \oplus d' \models \mathit{Inv}(q)$, it follows that $(q, w) \xrightarrow{-\theta(-d)} (q, w')$.
4.3. Grid automata
After the preparatory subsections on regions and uniform mappings, we can now state and prove the key theorems that will enable us to restrict to finite subautomata when testing infinite timed transition systems. These subautomata will only contain states in which each clock value is either $\infty$ or in the grid set $G_n$, i.e., the set of integer multiples of $2^{-n}$, for some sufficiently large natural number $n$.
For $t$ a real number, let $\lfloor t \rfloor_n$ denote the largest number in $G_n$ that is not greater than $t$, and let $\lceil t \rceil_n$ denote the smallest number in $G_n$ that is not smaller than $t$. Write $[t]_n$ for the fraction $(\lfloor t \rfloor_n + \lceil t \rceil_n)/2$ (note that $[t]_n \in G_{n+1}$). For $M$ a TIOA, write $S^n_M$ for the set of states $(q, v) \in S_M$ such that, for each clock $x$, $v(x) \in G_n \cup \{\infty\}$.
The two small technical lemmas below are easy to prove.
Lemma 24. Let $s \in S^n_M$.
(1) If $s \xrightarrow{a} s'$ with $a$ an input or output action of $M$ then $s' \in S^n_M$.
(2) If $s \xrightarrow{d} s'$ with $d \in G_n \cap \mathbb{R}^{>0}$ then $s' \in S^n_M$.
Lemma 25. Let $\theta$ be a uniform mapping, $u \in \mathbb{R}$ and $n \in \mathbb{N}$. Then there exists a uniform mapping $\theta'$ such that, for all $t \in \mathbb{R}$,
• if $\theta(t) \in G_n$ then $\theta'(t) = \theta(t)$;
• $\theta'(u) = [\theta(u)]_n$.
The next theorem is an important step towards the discretization of state spaces. It asserts that whenever we have a distinguishing trace of length $m$ for two states in $S^n_M$, we can "massage" this trace into a trace in which all delay actions are in the grid set $G_{n+m}$.
Theorem 26. Let $M, M'$ be TIOAs; let $(r, r') \cong (s, s')$ for states $r \in S_M$, $r' \in S_{M'}$, $s \in S^n_M$ and $s' \in S^n_{M'}$; and let $\beta = a_1 a_2 \cdots a_m$ be a distinguishing trace for $r$ and $r'$. Then there exists a distinguishing trace $\gamma = b_1 b_2 \cdots b_m$ for $s$ and $s'$ such that, for all $j \in [1, \ldots, m]$: if $a_j$ is an input or output action then $b_j = a_j$; and if $a_j$ is a delay action then $b_j \in G_{n+j}$ with $\lfloor a_j \rfloor \le b_j \le \lceil a_j \rceil$.
Proof. Without loss of generality we may assume that $r$ has the trace $\beta$, $r'$ does not, $a_m$ is an output action, and $r'$ has the trace $\beta' = a_1 a_2 \cdots a_{m-1}$. Let $r_0 a_1 r_1 a_2 r_2 \cdots r_{m-1} a_m r_m$ be the unique execution fragment of $M$ with $r = r_0$ and trace $\beta$, and let $r'_0 a_1 r'_1 a_2 r'_2 \cdots r'_{m-2} a_{m-1} r'_{m-1}$ be the unique execution fragment of $M'$ with $r' = r'_0$ and trace $\beta'$. Inductively we define states $s_0, \ldots, s_{m-1}$ and $s'_0, \ldots, s'_{m-1}$, actions $b_1, \ldots, b_{m-1}$, and uniform mappings $\theta_0, \ldots, \theta_{m-1}$ such that, for all $j \in [0, \ldots, m-1]$: if $j > 0$ then $b_j$ satisfies the conditions from the theorem; $\theta_j(r_j, r'_j) = (s_j, s'_j)$; $s_j \in S^{n+j}_M$; $s'_j \in S^{n+j}_{M'}$; and if $j < m-1$ then $s_j \xrightarrow{b_{j+1}} s_{j+1}$ and $s'_j \xrightarrow{b_{j+1}} s'_{j+1}$.
To start with, define $s_0 = s$ and $s'_0 = s'$. Since $(r, r') \cong (s, s')$ there exists, by Lemma 18, a uniform mapping $\theta_0$ with $\theta_0(r_0, r'_0) = (s_0, s'_0)$.
Now suppose that, for some $j \in [0, \ldots, m-2]$, $\theta_j(r_j, r'_j) = (s_j, s'_j)$, $s_j \in S^{n+j}_M$ and $s'_j \in S^{n+j}_{M'}$. We distinguish two cases:
• $a_{j+1}$ is an input or output action. Then define $s_{j+1} = \theta_j(r_{j+1})$, $s'_{j+1} = \theta_j(r'_{j+1})$, $b_{j+1} = a_{j+1}$, and $\theta_{j+1} = \theta_j$. Since $r_j \xrightarrow{a_{j+1}} r_{j+1}$ and $r'_j \xrightarrow{a_{j+1}} r'_{j+1}$, it follows by Lemma 22 that $s_j \xrightarrow{b_{j+1}} s_{j+1}$ and $s'_j \xrightarrow{b_{j+1}} s'_{j+1}$. By construction $\theta_{j+1}(r_{j+1}, r'_{j+1}) = (s_{j+1}, s'_{j+1})$. By Lemma 24(1) we may conclude that $s_{j+1} \in S^{n+j+1}_M$ and $s'_{j+1} \in S^{n+j+1}_{M'}$.
• $a_{j+1} = d$ is a delay action. By Lemma 25 there exists a uniform mapping $\theta$ such that $\theta(r_j, r'_j) = (s_j, s'_j)$ and $\theta(-d) = [\theta_j(-d)]_{n+j} \in G_{n+j+1}$. Define $\theta_{j+1} = \theta_d$. Then $\theta_{j+1}$ is a uniform mapping by Lemma 20. Let $s_{j+1} = \theta_{j+1}(r_{j+1})$, $s'_{j+1} = \theta_{j+1}(r'_{j+1})$, and $b_{j+1} = -\theta(-d)$. Then Lemma 23 yields $s_j \xrightarrow{b_{j+1}} s_{j+1}$ and $s'_j \xrightarrow{b_{j+1}} s'_{j+1}$. Straightforward calculations give $\lfloor a_{j+1} \rfloor \le b_{j+1} \le \lceil a_{j+1} \rceil$. Moreover, by Lemma 24(2), we obtain $s_{j+1} \in S^{n+j+1}_M$ and $s'_{j+1} \in S^{n+j+1}_{M'}$.
Lemma 18 yields $r_{m-1} \cong s_{m-1}$ and $r'_{m-1} \cong s'_{m-1}$. Let $b_m = a_m$. Using Lemma 15, we infer that $s_{m-1} \xrightarrow{b_m}$ and not $s'_{m-1} \xrightarrow{b_m}$. This implies that $\gamma = b_1 b_2 \cdots b_m$ is a distinguishing trace of $s$ and $s'$.
Theorem 26 allows us to "massage" each distinguishing trace into one in which all delay actions are in a grid set, but there is a dependence between the length of the trace and the granularity of the grid: the longer the trace, the finer the grid. This is due to the fact that the distinguishing power of a distinguishing trace $\beta$ for two states $r$ and $r'$ entirely depends on the regions traversed when applying $\beta$ to $r$ and $r'$, respectively.
Fig. 3. The TIOA $M_n$.
In certain cases even a tiny delay in $\beta$ may cause the traversal to a new region, as we will see in the next example.
Example 27. Consider the family of TIOAs defined as follows. For each $n \in \mathbb{N}$ we define the TIOA $M_n$ with input action $\mathit{in}$ and output action $\mathit{out}$. It has two clocks $x$ and $y$, both with domain $[0,1] \cup \{\infty\}$. The set of locations is $\{q_j \mid 0 \le j \le n\} \cup \{p\}$, where $q_n$ is the initial location and the initial valuation $v_0$ sets all clocks to 0. The transitions are annotated as follows:
• $q_j \xrightarrow{\mathit{in},\ (x > 0 \,\&\, y < 1),\ x := 0} q_{j-1}$ if $0 < j \le n$;
• $q_j \xrightarrow{\mathit{in},\ (x = 0 \,\&\, y < 1)} p$ if $0 < j \le n$;
• $q_0 \xrightarrow{\mathit{in},\ (y < 1)} p$;
• $p \xrightarrow{\mathit{in},\ \mathsf{T}} p$;
• $q_j \xrightarrow{\mathit{out},\ (y = 1)} p$ if $0 \le j \le n$.
Finally, the invariant is defined by $\mathit{Inv}(q_j) = (y \le 1)$ for all $j$, and $\mathit{Inv}(p) = \mathsf{T}$. Fig. 3 depicts automaton $M_n$.
Clearly, if $m < n$, the TIOA $M_m$ is simply the TIOA $M_n$ with its initial location changed into $q_m$ (up to removal of unreachable locations).
The TIOA $M_n$ has the property that if, within 1 time unit, at most $n$ inputs have occurred at different (non-zero) time points, an output action will be generated at time 1. If more inputs arrive in this interval, or the system is fed two inputs at the same point in time, no output is generated. This property can be seen from the following observations. Suppose that the system $M_n$ has just arrived at a location $q_j$, $0 < j \le n$. Then it is in the region $(q_j, x = 0 < y < 1)$, $0 < j < n$, or $(q_n, x = y = 0)$. In either case the input $\mathit{in}$ would take the system to location $p$ and hence prevent the occurrence of the output $\mathit{out}$. Otherwise, by waiting a little while, the system moves to the successor region $(q_j, 0 < x < y < 1)$ (respectively, $(q_n, 0 < x = y < 1)$). At this point, the input action would take the system to the next location $q_{j-1}$, more precisely to the region $(q_{j-1}, x = 0 < y < 1)$, and hence the output action would still be enabled. Notice that, while the system is at location $q_0$, performing "an extra" $\mathit{in}$ also disables the occurrence of $\mathit{out}$.
It is easy to check that $M_n$ and $M_m$ behave differently for $n \neq m$. Yet in order to observe this difference a grid size of at most $1/(2 + \min(n, m))$ is required. Note that this also means that the grid size depends on the number of states, not just on the number of clocks.
In order to obtain a grid size that is fine enough to distinguish all pairs of different states, we need to establish an upper bound on the length of minimal distinguishing traces. This is done in the following theorem.
Theorem 28. Suppose $M$ and $M'$ are TIOAs with the same input actions, and $r$ and $s$ are states of $M$ and $M'$, respectively, with $\mathit{OS}(M), \mathit{OS}(M') : r \not\simeq s$. Then there exists a distinguishing trace for $r$ and $s$ of length at most equal to the number of regions of $S_M \times S_{M'}$.
Proof. Since $r$ and $s$ are not bisimilar, there exists a trace that distinguishes between the two states. In fact, it is easy to see that there exists a distinguishing trace that ends with an output action. Among the distinguishing traces that end with an output action, let $\beta$ be a trace with minimal length. Assume that this length is greater than the number of regions of $S_M \times S_{M'}$. We derive a contradiction.
Assume, without loss of generality, that $\beta$ is a trace of $r$ but not of $s$. Let
$$\alpha = r_0 a_1 r_1 a_2 \cdots a_{n-1} r_{n-1} a_n r_n, \qquad \alpha' = s_0 a_1 s_1 a_2 \cdots a_{n-1} s_{n-1}$$
be the (uniquely determined) execution fragments of $M$ and $M'$, respectively, with $r = r_0$, $s = s_0$ and $\beta = a_1 \cdots a_n$. Since $n$ is greater than the number of regions of $S_M \times S_{M'}$, there exist indices $0 \le i < j < n$ such that $(r_i, s_i) \cong (r_j, s_j)$. By Lemma 18, there exists a uniform mapping $\theta$ such that $\theta(r_j, s_j) = (r_i, s_i)$. Repeated application of Lemmas 22 and 23 now allows us to construct a distinguishing trace for $r_i$ and $s_i$ of length $n - j$ that ends with an output action. But this means that there also exists a distinguishing trace for $r$ and $s$ of length $n + i - j$ that ends with an output action: $a_1 \cdots a_i$ followed by that trace. Since $i < j$, it is shorter than $\beta$. Contradiction.
The upper bound on the length of distinguishing traces of Theorem 28 is of course astronomic in general. In specific cases, one can often give a much more reasonable upper bound. For instance, any pair of distinct states of the switch TIOA of Example 9 can be distinguished by a trace of length one (just wait long enough). In Example 10, any pair of inequivalent states of the TIOA associated to a Mealy machine can be distinguished by a trace of length less than $2|Q|$. (The factor 2 arises from the fact that we have split each transition of the Mealy machine into an input and an output part.) For each $M_n$ in Example 27, any pair of different states can be distinguished by a trace of length at most $2n + 1$: $n$ input actions interleaved with $n + 1$ appropriate delays.
Fig. 4. The grid automaton $G(M_1, 1)$.
For each TIOA $M$ and natural number $n$, we define the grid automaton $G(M, n)$ as the subautomaton of $\mathit{OS}(M)$ in which each clock value is in the set $G_n \cup \{\infty\}$ and the only delay action is $2^{-n}$. Note that since in the initial state of $\mathit{OS}(M)$ all clocks take values in $\mathbb{Z}^\infty$, it is always included as a state of $G(M, n)$. Also observe that, since $G(M, n)$ is lean and has a finite number of states and actions, $G(M, n)$ is a finite automaton.
Definition 29. Let $M$ be a TIOA and let $n \in \mathbb{N}$. The grid automaton $G(M, n)$ is the lean LTS $A$ given by
• $Q_A = S^n_M$;
• the actions of $A$ are the input and output actions of $M$ together with the single delay $2^{-n}$;
• $q^0_A = s^0_M$;
• for all $s, s' \in Q_A$ and actions $a$ of $A$: $s \xrightarrow{a}_A s' \Leftrightarrow s \xrightarrow{a}_{\mathit{OS}(M)} s'$.
Example 30. The reader is invited to check that the picture of Fig. 4 is the grid automaton $G(M_1, 1)$, where $M_1$ is the TIOA from Example 27. To shorten notation, each state $(q, v)$ has been denoted by $(q, v(x), v(y))$.
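As an added example, not part of the paper, the following Python code encodes $M_n$ of Example 27 directly, explores the reachable part of $G(M_n, k)$ in the sense of Definition 29 (the paper's $G(M, n)$ contains all of $S^n_M$, reachable or not; the reachable part suffices for the traces from the initial state) and searches for a distinguishing trace between two grid automata by a paired breadth-first search. The search is exact because both automata are deterministic, so bisimulation coincides with trace equivalence, as noted at the start of this section. The encoding of locations (an integer $j$ for $q_j$, the string `'p'`), the function names, the closed-form check of the property stated for Example 27, and the preference for ending a distinguishing trace with an output (as in the proof of Theorem 28) are choices of mine.

```python
from collections import deque
from fractions import Fraction

INF = float("inf")   # a clock that has left its domain [0,1] (∞ in the text)


def clock_plus(value, d):
    """v ⊕ d for one clock with domain [0,1] ∪ {∞}: values leaving [0,1] become ∞."""
    new = value + d
    return new if new <= 1 else INF


def mn_step(n, state, action):
    """Deterministic transition relation of M_n (Example 27).  A state is
    (location, x, y) with location an int j for q_j or 'p'; action is 'in',
    'out' or a delay.  Returns the unique successor, or None if disabled."""
    loc, x, y = state
    if action == "in":
        if loc == "p":                       # p --in, T--> p
            return ("p", x, y)
        if y >= 1:                           # every input edge of q_j carries y < 1
            return None
        if loc == 0 or x == 0:               # q_0 --in--> p  and  q_j --in, x=0--> p
            return ("p", x, y)
        return (loc - 1, Fraction(0), y)     # q_j --in, x>0 & y<1, x:=0--> q_{j-1}
    if action == "out":                      # q_j --out, y=1--> p
        return ("p", x, y) if loc != "p" and y == 1 else None
    if loc != "p" and y + action > 1:        # a delay must keep Inv(q_j) = (y <= 1)
        return None
    return (loc, clock_plus(x, action), clock_plus(y, action))


def outputs_at_time_one(n, input_times):
    """Feed 'in' at the given time points of [0,1) and report whether M_n can
    emit 'out' at time 1 (the property stated for Example 27)."""
    s, now = (n, Fraction(0), Fraction(0)), Fraction(0)
    for t in sorted(Fraction(t) for t in input_times):
        if t > now:
            s = mn_step(n, s, t - now)
        s, now = mn_step(n, s, "in"), t
    s = mn_step(n, s, 1 - now)
    return mn_step(n, s, "out") is not None


def grid_automaton(n, k):
    """Reachable part of G(M_n, k) (Definition 29): clocks in G_k ∪ {∞}, actions
    in, out and the single delay 2^-k.  Returns (initial state, {s: {a: s'}})."""
    actions = ("in", "out", Fraction(1, 2 ** k))
    init = (n, Fraction(0), Fraction(0))
    trans, todo = {}, deque([init])
    while todo:
        s = todo.popleft()
        if s in trans:
            continue
        trans[s] = {}
        for a in actions:
            t = mn_step(n, s, a)
            if t is not None:
                trans[s][a] = t
                todo.append(t)
    return init, trans


def distinguishing_trace(g1, g2):
    """Deterministic LTSs: bisimilarity is trace equivalence, so a paired BFS finds
    a shortest trace enabled in one grid automaton but not the other (None if
    bisimilar).  Outputs are tried first so the trace ends in an output if it can."""
    (i1, t1), (i2, t2) = g1, g2
    seen, todo = {(i1, i2)}, deque([(i1, i2, ())])
    while todo:
        s1, s2, tr = todo.popleft()
        for a in sorted(set(t1[s1]) | set(t2[s2]),
                        key=lambda a: (a != "out", a != "in", str(a))):
            if (a in t1[s1]) != (a in t2[s2]):
                return tr + (a,)
            pair = (t1[s1][a], t2[s2][a])
            if pair not in seen:
                seen.add(pair)
                todo.append((pair[0], pair[1], tr + (a,)))
    return None


if __name__ == "__main__":
    print(len(grid_automaton(1, 1)[1]), "reachable grid states in G(M_1, 1)")
    print(distinguishing_trace(grid_automaton(1, 1), grid_automaton(2, 1)))  # None
    print(distinguishing_trace(grid_automaton(1, 2), grid_automaton(2, 2)))
```

With grid $1/2$ the automata $M_1$ and $M_2$ cannot be told apart: the only non-zero input time below 1 is $1/2$, so at most one input can be placed at a distinct positive time and both automata then emit $\mathit{out}$ at time 1. With grid $1/4$ the search returns a trace of length 7 (four delays of $1/4$, two inputs at distinct positive times, then $\mathit{out}$), which $M_2$ has and $M_1$ does not; this matches the bound $1/(2 + \min(n, m))$ stated above, since $1/2 > 1/3 \ge 1/4$.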
From the combination of Theorems 26 and 28, it now follows that two TIOAs are bisimilar if and only if their associated grid automata are bisimilar, provided the grid has been chosen sufficiently fine.
Corollary 31. Let $M$ and $M'$ be TIOAs with the same input actions, and let $n$ be greater than or equal to the number of regions of $S_M \times S_{M'}$. Then $M \simeq M' \Leftrightarrow G(M, n) \simeq G(M', n)$.
Proof. "⇒": Immediate, using Lemma 24, since $G(M, n)$ and $G(M', n)$ are proper subautomata of $M$ and $M'$, respectively.
"⇐": Suppose $M \not\simeq M'$. Then, by Theorem 28, there exists a trace $\beta$ of length at most $n$ that distinguishes $s^0_M$ and $s^0_{M'}$. Since $s^0_M \in S^0_M$ and $s^0_{M'} \in S^0_{M'}$, application of Theorem 26 gives that there exists a trace $\gamma$ that also distinguishes $s^0_M$ from $s^0_{M'}$ such that all delays in $\gamma$ are elements of $G_n$. Let $\gamma'$ be the trace obtained from $\gamma$ by replacing each occurrence of a delay action $m \times 2^{-n}$, for $m$ a positive natural number, by a sequence of $m$ delay actions $2^{-n}$. Using Wang's time additivity property (Lemma 8.2), we obtain that $\gamma'$ also distinguishes $s^0_M$ and $s^0_{M'}$. Assume, w.l.o.g., that $\gamma'$ is a trace of $s^0_M$ but not of $s^0_{M'}$. Since all the actions occurring in $\gamma'$ are also actions of $G(M, n)$, it follows that $\gamma'$ is a trace of $G(M, n)$ but not of $G(M', n)$. This contradicts $G(M, n) \simeq G(M', n)$.
We have now reduced the problem of deciding bisimulation equivalence of TIOAs to the problem of deciding bisimulation equivalence of two finite subautomata of the (highly infinite) operational semantics of these TIOAs. The main implication of this result for the conformance testing of TIOAs is that in the testing process we only need to explore finite subautomata, something that can be done effectively in finite time. Before we address this issue in Section 5, we prove, as the final result of this section, that if one applies a test sequence in which the only delay action is $2^{-n}$ to a TIOA $M$, the resulting execution is fully contained in the grid automaton $G(M, n)$. This result (which is not entirely trivial) makes it possible to fully explore the grid subautomaton of a TIOA during the testing process. We need two small technical lemmas.
Lemma 32. Suppose $v \models \mathit{hull}(\varphi)$. Then there exists at least one clock $x$ with $v(x) \in \mathbb{Z}$.
Proof. By contradiction, suppose that for all clocks $x$, $v(x) \notin \mathbb{Z}$. Let $d = \tfrac{1}{2}(1 - \max_x \mathit{fract}(v(x)))$ and $v' = v \oplus d$. It is easy to check that $v \cong v'$. Therefore, by Lemma 15, $v' \models \mathit{hull}(\varphi)$. But since $d > 0$ this contradicts the assumption that $v$ lies on the hull of $\varphi$.
Lemma 33. Let $M$ be a TIOA, $n \in \mathbb{N}$, and $s \in S^n_M$. Suppose that $s \not\xrightarrow{2^{-n}}$. Then, for some output action $o \in O_M$, $s \xrightarrow{o}$.
Proof. Assume that $s$ does not enable an output action. As a consequence, by Lemma 8.3, $s$ enables a delay action. However, because of Wang's additivity axiom (Lemma 8.2) and the assumption that $s$ does not enable the delay $2^{-n}$, all delay actions that are enabled in $s$ are less than $2^{-n}$. Using Lemmas 8.2 and 8.3 once more, we infer that there exist a delay $0 < d < 2^{-n}$, a state $s' = (q', v')$, and an output action $o$ such that $s \xrightarrow{d} s' \xrightarrow{o}$. Clearly, in $s'$ none of the clocks has a value in $G_n$. However, $s' \xrightarrow{o}$ implies that $v' \models \mathit{hull}(\mathit{Inv}(q'))$. By Lemma 32, this means that at least one clock has an integer value in $v'$, and every integer is in $G_n$. Contradiction.
For $M$ a TIOA and $n \in \mathbb{N}$, write $\mathit{Exp}^n_M$ for the set of test sequences of $M$ in which all delays are equal to $2^{-n}$.
Lemma 34. Let $\sigma \in \mathit{Exp}^n_M$ and $s \in S^n_M$. Then $\mathit{exec}_M(\sigma, s)$ is an execution fragment of $G(M, n)$.
Proof. By straightforward induction on the length of $\mathit{exec}_M(\sigma, s)$. Use Lemma 33 to prove that rule (4) in Definition 11 can never be applied.
5. Deriving and applying a test suite
Based on the results of Section 4, we introduce a test suite to test a timed implementation under test (IUT) for conformance with respect to a specification TIOA $\mathit{Spec}$. To prove that the test suite is indeed correct and complete relative to certain assumptions about the choice of parameters, we give in Fig. 5 a simple test algorithm that applies each test case from the test suite to an implementation. Theorem 41 states that the algorithm is indeed correct. Our notion of conformance is as follows. We assume that the behavior of the IUT is accurately modeled by a TIOA $\mathit{Impl}$. Then the IUT conforms to the specification $\mathit{Spec}$ if $\mathit{Impl}$ is bisimilar to $\mathit{Spec}$. Note that we do not consider, as is often done, isomorphism between implementation and specification as the conformance relation. This is because we do not assume timed automata or their grid automata to be minimal.
Our method of building test suites is similar to Chow's classical algorithm for finite state Mealy machines [11]. A test suite consists of a finite set of test sequences which should be applied to the implementation. Each sequence consists of the concatenation of two sequences. The initial part of a test sequence is taken from a transition cover $P$ for a grid subautomaton of $\mathit{Spec}$, i.e., a set of test sequences that together exercise every transition of the subautomaton.
Definition 35. Let $M$ be a TIOA, $n \in \mathbb{N}$, $A = G(M, n)$. A transition cover for $A$ is a finite collection $P \subseteq \mathit{Exp}^n_M$ of test sequences such that $\varepsilon \in P$ and, for all transitions $s \xrightarrow{a} s'$ of $A$ with $s$ reachable (within $A$) and stable, $P$ contains test sequences $\sigma$ and $\sigma a$ such that $s^0_M \overset{\sigma}{\Rightarrow} s$.
The trailing part of a test sequence is taken from a set $Z$, which is a characterization set for a grid subautomaton of $\mathit{Impl}$, meaning that for every pair of non-bisimilar grid states, $Z$ contains a sequence that distinguishes between them.
Definition 36. Let $s \in S_M$, $s' \in S_{M'}$, and let $\sigma$ be a test sequence for $M$ and $M'$. We say that $\sigma$ distinguishes $s$ from $s'$ if $\mathit{outcome}_M(\sigma, s) \neq \mathit{outcome}_{M'}(\sigma, s')$. If $Z$ is a set of test sequences for $M$ and $M'$, then we write $s \approx_Z s'$ if no test sequence in $Z$ distinguishes $s$ from $s'$.
Let $n \in \mathbb{N}$. Then $Z$ is a characterization set for $G(M, n)$ if, for all $s, s' \in S^n_M$, $s \approx_Z s'$ implies $s \simeq_{G(M,n)} s'$.
Fig. 5. Application of test suite to TIOAs.
Input
(1) A TIOA $\mathit{Spec}$, the specification automaton, with reset action $\mathit{reset}$, reset time $\mathit{max}$, and a quiescent initial state
(2) An Implementation Under Test (IUT), a device that accepts inputs from $I_{\mathit{Spec}}$ and produces outputs in $O_{\mathit{Spec}}$
(3) A natural number $n$
(4) A natural number $m$
Output
A verdict PASS or FAIL
Algorithm
Let $X = I_{\mathit{Spec}} \cup \{2^{-n}\}$
(1) Determine a (minimal) finite transition cover $P$ for $G(\mathit{Spec}, n)$
(2) For all test sequences $\sigma \in \mathit{test\_suite}(\mathit{Spec}, n, P, X^{m-1})$ do
  a. Apply test sequence $\sigma$ to the IUT
  b. Return FAIL and halt if the outcome of (a) differs from $\mathit{outcome}_{\mathit{Spec}}(\sigma, s^0_{\mathit{Spec}})$
(3) Return PASS and halt
To apply multiple test sequences to the IUT, we need, as in Chow’s algorithm, the ability to always bring the machine back to its initial state. In the untimed setting of Mealy machines, one usually assumes the presence of a reliable reset, a special input action that brings the machine to its initial state from any given state. A similar requirement is needed in our timed setting, but in this case, it is not reasonable to consider the reset as an instantaneous operation: typically, some time will elapse between the moment when we request the machine to go to its initial state, and the moment at which the reset operation has been completed.⁵ This motivates the following definition.
Denition 37. An input action a is a reset of a TIOA M if for each reachable, stable
state s, M has an execution fragment of the form sa, where  contains no input
actions and has s0M as its last state. We denote that action by reset. We say that M
has reset time max if the maximal time that can elapse between the occurrence of
reset and the return to the initial state is at most max.
⁵ Martin Wirsing came with the suggestive example of the control software on board of a BMW, in a state where the car races downhill with a speed of 200 km/h.
It is not difficult to prove that the maximal time that can elapse between the occurrence of a reset action and the time at which the initial state is reached is always less than the number of regions of M.
We find it convenient to further restrict attention to TIOAs with a quiescent initial state. In a quiescent state a machine waits for stimulus from its environment before producing any output. For instance, the switch of Example 9, in its initial state, always waits for the input action on and no output action can be (autonomously) generated. Similarly, the Mealy machine of Example 10 is also quiescent in its initial state since in location q0 only input actions are enabled. In contrast, the TIOAs Mn from Example 27 are not quiescent in their initial state since within 1 time unit the output action out is generated without any previous stimuli from the environment.
Denition 38. A state of a TIOA is quiescent if each outgoing execution fragment
from that state that contains an output action also contains an input action.
Now, we are in a position to formally define what a test suite for a given TIOA is.
Definition 39. Let M be a TIOA and n ∈ N. Let P be a transition cover for G(M; n) and Z a characterization set for the TIOA model of the IUT. The test suite for M generated from P and Z with grid size n is defined by
test suite(M; n; P; Z) = P Z {reset max}
where concatenation of sets of sequences is as defined in Section 2.1.
Fig. 5 presents an algorithm that applies a test suite generated by our test method to
an implementation. To prove its correctness, for appropriate values of its parameters,
we need one more auxiliary lemma.
Lemma 40. Let M be a TIOA, n ∈ N, and let m be greater than or equal to the number of states of G(M; n). Let Z = X^{m−1}, where X = IM ∪ {2^{−n}}. Then Z is a characterization set for G(M; n).
Proof. We prove that, for all states s, s′ ∈ SnM, s ≈Z s′ implies s G(M; n) s′. Assume that s G(M; n) s′. Since G(M; n) is deterministic, there exists a distinguishing trace  for s and s′ of length m − 1 or less [23]. W.l.o.g. assume that s → r, for some stable state r and sequence of output actions , and not s′ →. Then, by Lemma 13, s ≉Z s′.
Like Chow, we need to give correct estimates of the size of the state spaces involved
in order to obtain correctness of our method. Since, in general, the operational semantics
of a TIOA has uncountably many states and transitions, measuring the state space of
a TIOA gives no meaningful estimates. Instead, we provide estimates in terms of the
number of regions of the product TIOA and the size of a grid subautomaton of the
implementation.
The implications of the following theorem are twofold. It states that (a) the set test suite(M; n; P; X^{m−1}) is a complete test suite for appropriate m and n, and (b) the algorithm of Fig. 5, when it takes such a test suite as an input, is correct in the sense that it returns PASS if and only if the IUT conforms to the given TIOA specification.
Theorem 41. Let IUT and Spec be as in the algorithm of Fig. 5. Assume that the behavior of IUT is accurately modeled by a TIOA Impl with reset action reset, reset time max, a quiescent initial state, and the same input and output actions as Spec. Assume that n is greater than or equal to the number of regions of SImpl × SSpec, and m is greater than or equal to the number of states of G(Impl; n). Then the algorithm of Fig. 5, when provided with these inputs, returns PASS iff Spec  Impl.
Proof. The if part is straightforward. As to the only if part, suppose that the algorithm returns PASS. By Corollary 31 it suffices to prove G(Spec; n)  G(Impl; n). Let P and X be defined as in the description of the algorithm. Define Z = X^{m−1}. Since IUT is accurately modeled by Impl, which has reset action reset and a quiescent initial state, and because the algorithm returns PASS, it follows that, for all ∈P and ∈Z,
outcomeSpec(; s0Spec) = outcomeImpl(; s0Impl).
Let R be the relation between states given by
R = {(s; r) ∈ SnSpec × SnImpl | ∃∈P ∃01, 02, 1, 2:
∧ execSpec(; s0Spec) = 01 02
∧ execImpl(; s0Impl) = 1 2
∧ s = last(01)
∧ r = last(1)
∧ trace(01) = trace(1)
∧ trace(02) = trace(2) ∈ (OSpec)∗}.
Note that s R r implies s ≈Z r. Write A = G(Impl; n). We claim that the relation R′ = R ◦ A is a bisimulation between G(Spec; n) and G(Impl; n).
Since ∈P and ∈Z, we obtain outcomeSpec(; s0Spec) = outcomeImpl(; s0Impl). This implies that s0Spec R s0Impl. Hence, since A is reflexive, s0Spec R′ s0Impl.
For the proof of the transfer property, assume that s R′ r and s a→ s′. Then there exists a state u such that s R u A r. We distinguish between two cases:
(1) a is an output action. From the definition of R in combination with Lemma 8.3 it follows that u a→ u′, for some state u′ with s′ R u′. Since A is a bisimulation, there exists a state r′ such that r a→ r′ and u′ A r′. Then s′ R′ r′, as required.
(2) a is an input or delay action. Then it follows from the definition of R in combination with Lemma 8.3 that both s and u are stable states. By definition of R, there exists a test sequence ∈P such that s0Spec ⇒ s and s0Impl ⇒ u. This implies in particular that s is a reachable state, and therefore, since P is a transition cover, P contains test sequences  and  a such that s0Spec ⇒ s. Let u′′ = last(execImpl(; s0Impl)). Then s R u′′. Since s ≈Z u, s ≈Z u′′ and ≈Z is an equivalence relation, u ≈Z u′′. By Lemma 40, this implies u A u′′. Since also u A r and A is an equivalence relation, this implies u′′ A r. Let u′ be the unique state satisfying u′′ a→ u′. Using that outcomeSpec(a; s0Spec) = outcomeImpl(a; s0Impl), we infer s′ R u′. Now we use the fact that u′′ A r to infer that there exists a state r′ such that r a→ r′ and u′ A r′. Then s′ R′ r′, as required.
The other transfer property can be proved similarly.
6. Discussion
The algorithm presented in the previous section results in an astronomically large
number of test sequences. On top of that, the time delays that occur in these test
sequences are microscopically small. Clearly, our algorithm cannot be claimed to be
itself of practical value. Rather, the major contribution of our paper is the TIOA model
and the demonstration that an algorithm to derive a (complete!) test suite at least exists.
In this section we discuss ways to reduce the number of tests, and to make the time
delays within the tests manageable.
We have deliberately tried to impose as few restrictions on the model as possible and, as a consequence, our model is extremely fine-grained. It is for instance possible to model situations where occurrences of an input action at two distinct but arbitrarily close moments (see Example 27) lead to completely different behavior. Obviously, much of this subtlety can be sacrificed while retaining a sufficiently expressive model. Finding suitable special cases of our model is therefore an urgent issue. One possibility in this direction is to obtain more robust versions (in the sense of [18]) of our timed I/O automata. Basically, a TIOA is robust if, whenever it accepts a trace, it accepts a ‘neighboring’ trace as well, under some reasonable topology on the set of traces. We hope that a more robust model will yield significantly smaller test sets.
A more pragmatic approach proposed in [7] is to explicitly consider the environment. On many occasions states are obviously distinguished by simply checking the environment. For instance, we only have to observe whether the light is on to distinguish whether the switch is in location q0 or q1 (see Examples 2, 5 and 9). As a consequence no explicit test is necessary to distinguish evidently different states. In fact, Cardell and Glover [7] already proposed to combine our approach and theirs to test dense real-time systems.
An alternative line of attack is to optimize on the granularity of the grid. In our approach, the granularity of the grid is directly derived from an upper bound on the length of distinguishing traces: the shorter the distinguishing traces, the coarser the grid. So in order for our approach to become practical, it is vital to derive good upper bounds on the length of distinguishing traces. We hope that modifications of algorithms for deciding bisimulation equivalence (such as presented in [9, 8, 34]) can yield such bounds. These algorithms might also be helpful to improve on the construction of distinguishing sequences.
A remarkable property of our method is that, unlike most testing approaches for Mealy machines (with some exceptions, e.g., [27]), we do not assume minimality of the specification and implementation automata. Nevertheless, for reasons of efficiency it is of course desirable to work with minimal automata. Minimization of timed automata, however, is a non-trivial issue; in particular timed automata in the Alur–Dill model [2] (and BTDAs) cannot be minimized in general. To solve this problem, in [30] the minimizable timed automata (MTA) model is introduced as an extension of the BTDA model. This model does allow minimization: for every MTA there exists a minimal MTA with bisimilar operational semantics. We hope that by working with minimal timed automata the size of test sets can be further reduced by using, for instance, techniques for discrete time automata, like in [7].
Finally, we expect that our approach may also support incomplete but practically useful methods for testing timed systems such as in [12, 26]. In fact, it is always an option to use the grid automaton construction heuristically. Instead of taking the worst-case grid size right away, one might start off with a coarse grid to obtain a small, incomplete set of useful tests. If desired, the grid can be subsequently refined, thus approximating the required grid size. After all, the bound for the grid size that we require is indeed very small, and we hope that there is room for some improvement. In fact, we do not know of any counterexample that states that such a bound is tight. Example 27 only points out that for general TIOAs the grid size can never be based on the number of clocks alone but it also suggests that a still appropriate grid size might be far above the bound we obtained.
Notation
a action
d nonnegative real number
e term
i input action, index
j; k index
m; n integer or ∞
o output action
q; r; s state or location
t; u real number or ∞
v; w clock valuation
x; y; z clock
A mapping from transitions to assignments
C finite set of clocks
E set of transitions
F(C) the set of constraints over C
G mapping from transitions to constraints
I set of input actions
J interval
M (C) the set of assignments over C
O set of output actions
P transition cover
Q set of states or locations
R relation
S set of states
T (C) the set of terms over C
V (C) set of clock valuations over C
X set of actions
Z set of sequences of actions
A labeled transition system
B bounded time domain automaton
E test sequence LTS
G grid automaton
M timed I/O automaton
OS(B) the operational semantics of B
P input/output partition of action set
T timing annotation
F falsehood
Gn the set of integer multiples of 2^{−n}
N the set of natural numbers
R the set of real numbers
T truth
Z the set of integers
> region
0;  execution fragment
 transition
 the empty sequence
 assignment
8 uniform mapping
;  sequence
’ constraint
 set of actions
References
[1] A.V. Aho, A.T. Dahbura, D. Lee, M. Ü. Uyar, An optimization technique for protocol conformance test generation based on UIO sequences and Rural Chinese Postman Tours, IEEE Trans. Comm. 39(11) (1991) 1604–1615.
[2] R. Alur, D.L. Dill, A theory of timed automata, Theoret. Comput. Sci. 126 (1994) 183–235. Preliminary
versions of this paper appear in the Proc. 17th Internat. Colloq. on Automata, Languages, and
Programming (1990), and in the Proc. REX workshop “Real-Time: Theory in Practice” (1991).
[3] R. Alur, T.A. Henzinger (Eds.), Proc. 8th Internat. Conf. Computer Aided Verification, New Brunswick, NJ, USA, Lecture Notes in Computer Science, Vol. 1102, Springer, Berlin, July/August 1996.
[4] R. Alur, T.A. Henzinger, E.D. Sontag (Eds.), Hybrid Systems III, Lecture Notes in Computer Science,
Vol. 1066, Springer, Berlin, 1996.
[5] R. Alur, R.P. Kurshan, Timing analysis in COSPAN, in: Alur et al. (Eds.), Hybrid Systems III, Lecture
Notes in Computer Science, Vol. 1066, Springer, Berlin, 1996, pp. 220–231.
[6] J. Bengtsson, W.O.D. Griffioen, K.J. Kristoffersen, K.G. Larsen, F. Larsson, P. Pettersson, Wang Yi, Verification of an audio protocol with bus collision using UPPAAL, in: Alur, Henzinger (Eds.), Proc. 8th Internat. Conf. Computer Aided Verification, New Brunswick, NJ, USA, Lecture Notes in Computer Science, Vol. 1102, Springer, Berlin, July/August 1996, pp. 244–256.
[7] R. Cardell-Oliver, T. Glover, A practical and complete algorithm for testing real-time systems, in:
A.P. Ravn, H. Rischel (Eds.), Proc. 5th Internat. Symp. in Formal Techniques in Real-Time and Fault
Tolerant Systems, Lyngby, Denmark, Lecture Notes in Computer Science, Vol. 1486, Springer, Berlin,
1998, pp. 251–261.
[8] K. Čerāns, Algorithmic problems in analysis of real time system specifications, Dr.sc.comp. Thesis, University of Latvia, Rīga, 1992.
[9] K. Čerāns, Decidability of bisimulation equivalences for parallel timer processes, in: G.V. Bochmann, D.K. Probst (Eds.), Proc. 4th Internat. Workshop on Computer Aided Verification, Montreal, Canada, Lecture Notes in Computer Science, Vol. 663, Springer, Berlin, 1992, pp. 302–315.
[10] W.Y.L. Chan, S.T. Vuong, M.R. Ito, An improved protocol test generation procedure based on UIOs,
in Proc. ACM Symp. on Communication Architectures and Protocols, ACM, 1989, pp. 283–294.
[11] T.S. Chow, Testing software design modeled by finite-state machines, IEEE Trans. Software Eng. 4(3) (1978) 178–187.
[12] D. Clarke, I. Lee, Automatic generation of tests for timing constraints from requirements, in Proc. 3rd
Internat. Workshop on Object Oriented Real-Time Dependable Systems, Newport Beach, California,
February 1997.
[13] P.R. D’Argenio, J.-P. Katoen, T.C. Ruys, J. Tretmans, The bounded retransmission protocol must be
on time! in: E. Brinksma (Ed.), Proc. 3rd Workshop on Tools and Algorithms for the Construction
and Analysis of Systems, Enschede, The Netherlands, Lecture Notes in Computer Science, Vol. 1217,
Springer, Berlin, April 1997, pp. 416–431.
[14] C. Daws, A. Olivero, S. Tripakis, S. Yovine, The tool KRONOS, in: Alur et al. (Eds.), Hybrid Systems
III, Lecture Notes in Computer Science, Vol. 1066, Springer, Berlin, 1996, pp. 208–219.
[15] C. Daws, S. Yovine, Two examples of verification of multirate timed automata with KRONOS, in Proc. 16th IEEE Real-Time Systems Symp. (RTSS’95), Pisa, Italy, IEEE Computer Society Press, Silver Spring, MD, December 1995, pp. 66–75.
[16] A. En-Nouaary, R. Dssouli, F. Khendek, A. Elqortobi, Timed test cases generation based on state
characterization technique, in Proc. 19th IEEE Real-Time Systems Symposium (RTSS’98), Madrid,
Spain. IEEE Computer Society Press, Silver Spring, MD, December 1998, pp. 220–229.
[17] J.-C. Fernandez, C. Jard, Th. Jéron, C. Viho, Using on-the-fly verification techniques for the generation of test suites, in: Alur, Henzinger (Eds.), Proc. 8th Internat. Conf. Computer Aided Verification, New Brunswick, NJ, USA, Lecture Notes in Computer Science, Vol. 1102, Springer, Berlin, July/August 1996, pp. 348–359.
[18] V. Gupta, T.A. Henzinger, R. Jagadeesan, Robust timed automata, in: O. Maler (Ed.), Proc.
Internat. Workshop HART’97, Lecture Notes in Computer Science, Vol. 1201, Springer, Berlin, 1997,
pp. 331–345.
[19] T.A. Henzinger, P.-H. Ho, HyTech: the Cornell HYbrid TECHnology tool, in: U.H. Engberg, K.G. Larsen, A. Skou (Eds.), Proc. Workshop on Tools and Algorithms for the Construction and Analysis of Systems, Aarhus, Denmark, BRICS Notes Series, Vol. NS-95-2, Department of Computer Science, University of Aarhus, May 1995, pp. 29–43.
[20] T.A. Henzinger, X. Nicollin, J. Sifakis, S. Yovine, Symbolic model checking for real-time systems,
Inform. Comput. 111 (1994) 193–244.
[21] P.-H. Ho, H. Wong-Toi, Automated analysis of an audio control protocol, in: P. Wolper (Ed.), Proc. 7th Internat. Conf. on Computer Aided Verification, Liège, Belgium, Lecture Notes in Computer Science, Vol. 939, Springer, Berlin, June 1995, pp. 381–394.
[22] G.J. Holzmann, Design and Validation of Computer Protocols, Prentice-Hall International, Englewood Cliffs, NJ, 1991.
[23] Z. Kohavi, Switching and Finite Automata Theory, 2nd Edition, McGraw-Hill, New York, 1978.
[24] K.G. Larsen, P. Pettersson, Wang Yi, UPPAAL in a nutshell, Internat. J. Software Tools Technol. Transfer 1(1/2) (1997) 134–152.
[25] N.A. Lynch, M.R. Tuttle, Hierarchical correctness proofs for distributed algorithms, in Proc. 6th Annual ACM Symp. on Principles of Distributed Computing, August 1987, pp. 137–151. A full version is available as MIT Technical Report MIT/LCS/TR-387.
[26] D. Mandrioli, S. Morasca, A. Morzenti, Generating test cases for real-time systems from logic specifications, ACM Trans. Comput. Systems 13(4) (1995) 365–398.
[27] A. Petrenko, T. Higashino, T. Kaji, Handling redundant and additional states in protocol testing, in:
A. Cavalli, S. Budkowski (Eds.), Proc. 8th Internat. Workshop on Protocol Test Systems IWPTS ’95,
Paris, France, 1995, pp. 307–322.
[28] R. Segala, R. Gawlick, J.F. Søgaard-Andersen, N. Lynch, Liveness in timed and untimed systems, Inform. Comput. 141 (1998) 119–171.
[29] I. Sommerville, Software Engineering, 5th edition, Addison-Wesley, Reading, MA, 1996.
[30] J.G. Springintveld, F.W. Vaandrager, Minimizable timed automata, in: B. Jonsson, J. Parrow (Eds.),
Proc. 4th Internat. Symp. on Formal Techniques in Real Time and Fault Tolerant Systems (FTRTFT
’96), Uppsala, Sweden, Lecture Notes in Computer Science, Vol. 1135, Springer, Berlin, 1996,
pp. 130–147.
[31] J. Tretmans, A formal approach to conformance testing, Ph.D. Thesis, University of Twente, December
1992.
[32] J. Tretmans, Test generation with inputs, outputs, and quiescence, in: T. Margaria, B. Steffen (Eds.), Proc. 2nd Workshop on Tools and Algorithms for the Construction and Analysis of Systems, Passau, Germany, Lecture Notes in Computer Science, Vol. 1055, Springer, Berlin, April 1996, pp. 127–146.
[33] J. Tretmans, Test generation with inputs, outputs, and repetitive quiescence, Software — Concepts and
Tools 17 (1996) 103–120.
[34] C. Weise, D. Lenzkes, Efficient scaling-invariant checking of timed bisimulation, in: R. Reischuk, M. Morvan (Eds.), Proc. 14th Symp. on Theoretical Aspects of Computer Science STACS ’97, Lübeck, Germany, Lecture Notes in Computer Science, Vol. 1200, Springer, Berlin, February 1997, pp. 177–188.
[35] Wang Yi, Real-time behaviour of asynchronous agents, in: J.C.M. Baeten, J.W. Klop (Eds.),
Proc. CONCUR 90, Amsterdam, Lecture Notes in Computer Science, Vol. 458, Springer, Berlin,
1990, pp. 502–520.
