A method is presented for deriving test suites with guaranteed fault coverage for deterministic, possibly partial Timed Finite State Machines (TFSMs). TFSMs have integer boundaries for time guards and a time reset operation at every transition; for TFSM implementations, the upper bound on the number of states is assumed to be known, as well as the largest finite boundary and the smallest duration of time guards. We consider two fault models and present corresponding techniques for deriving complete test suites. In the first fault model, inputs can be applied at integer time instances, while in the second, time instances can be rational. The derivation method for integer time instances is extended to the case when the number of states of an implementation under test can be larger than the number of states of the given specification.
Introduction
Many conformance test derivation methods are based on a specification given in the form of a Finite State Machine (FSM), such as the W [3], [15], partial W (Wp) [6], HIS [12], [13], [16] and H [4] test derivation methods. For surveys see [2], [9]. In FSM-based testing, one usually assumes that the specification and an Implementation Under Test (IUT) can be modeled as FSMs. An IUT is faulty if its behavior differs from the behavior of the given specification. Two types of implementation faults are usually considered, namely output faults and transfer faults. Each test derivation method mentioned above provides the following fault coverage guarantee under the assumption that the upper bound on the number of states of an IUT is known: if an FSM IUT has at most m states and the given (reduced) specification FSM has n states, m ≥ n, then a test suite can be derived by the method such that the IUT passes this test suite if and only if it conforms to the specification, i.e. it contains neither output nor transfer faults. In many cases, one assumes that m = n.
Many systems, such as telecommunication systems, plant and traffic controllers and others, are described using models with time constraints, and thus a number of papers consider test derivation for timed automata and Timed Finite State Machines (TFSMs). Almost all proposed methods are based on deriving an untimed FSM from a given timed automaton (or timed FSM) and then applying FSM-based test derivation methods to the obtained FSM. For example, Springintveld et al. [14] proposed a rigorous strategy for deriving a complete test suite for a timed automaton. The authors show that, under the assumption that the specification and an IUT have deterministic behavior and the upper bound on the number of time regions of an IUT is known, a complete test suite can be derived using the well-known W-method [3]. The main idea behind the approach is to divide time into very small grids so as to ensure that each input is applied at some time instance of each time region of each IUT. The same grids are used for all states and inputs. The method proposed in [14] is not practical since it returns very long test suites; however, the method has theoretical significance as it demonstrates that test suites with guaranteed fault coverage can be derived for timed FSMs without explicit enumeration of all possible implementations. Many papers inherit the idea proposed in [14]; for example, the work in [5] extends the method to non-deterministic behaviors. Recently, Merayo et al. [8], [10] proposed a timed, possibly nondeterministic FSM model. Time constraints limit the time that may elapse before an output is produced after an input has been applied to the FSM. When an output is produced, the clock variable is reset to zero. The model also takes into account time-outs: if no input is applied at the current state for some time-out period, the (timed) FSM moves from the current state to another state using a time-out function. Another timed FSM model is used in [7].
However, [10] and [7] do not consider test derivation: the authors in [8], [10] establish a number of conformance relations and the authors in [7] propose methods for distinguishing timed non-deterministic FSMs. Test derivation for stochastic non-deterministic timed FSMs is considered in [8]. A method has been reported in [18] for generating timed test cases from the model of timed transition systems. For a more detailed review of the above papers and other relevant methods, the reader may refer to [5], [8], [14]. We note that many test derivation methods proposed for timed systems are based on simulation relations, and thus these methods are not considered in this paper.
In this paper, we consider the TFSM model from [7] and show how a complete test suite can be derived under various test assumptions. We use the same idea as in [14] about the known number of time regions; however, our TFSMs can be partial, and thus the time instances at which inputs are applied to an IUT also depend on the current state of the specification. In other words, different grids are used for different states and inputs. In particular, we consider deterministic, possibly partial timed FSMs (TFSMs) where time constraints limit the time elapsed at states, and we use one clock variable that is reset at every transition. We consider two fault models and propose corresponding test derivation methods with guaranteed fault coverage (i.e. methods that derive tests detecting every faulty IUT w.r.t. the assumed fault model). More precisely, in the first model we consider TFSMs with integer boundaries and implementations with a known upper bound on the number of states, a known largest finite boundary, and a given smallest duration of time guards. In this case, timed inputs are applied to an IUT at discrete (integer) time instances.
TESTING TIMED FINITE STATE MACHINES WITH GUARANTEED FAULT COVERAGE
In the second fault model, input time instances can be rational (i.e. continuous). For each considered fault model we propose a complete test derivation technique for the case when the number m of states of an IUT equals the number n of states of the specification TFSM. The technique with integer time instances is adapted to the case when m > n. Our methods are based on the HIS method [12], [13], [16], which is an adaptation of the W method for partial, possibly non-reduced FSMs. In particular, we extend the HIS method by defining appropriate fault models and test derivation algorithms for TFSMs. This paper is organized as follows.
Section 2 includes relevant definitions and notations, and Section 3 includes test derivation methods for the cases m = n and m > n for systems with discrete time inputs and a test derivation method for the case m = n for systems with continuous time inputs. Section 4 concludes the paper.
Preliminaries
In this section, we introduce the notion of a timed Finite State Machine (TFSM) [7] and some other notions and notations used in the paper. A timed, possibly non-deterministic and partial FSM (TFSM) is an FSM annotated with a clock, a time reset operation and time guards associated with transitions. The clock t is a real number that measures the time delay at a state, and the time reset operation resets the value of the clock t to zero after the execution of a transition. A time guard g_i describes the time domain in which a transition can be executed and is given as an interval from min to max, where the left bracket is one of {(, [}, the right bracket is one of {), ]}, and min and max are nonnegative integers such that min ≤ max. When min = max, we consider the interval [min, min] = {min}. An output delay describes the time domain in which an output has to be produced after an input is applied and is also given as an interval over integer bounds min and max, where min ≤ max. Here we assume that the time reset operation is specified at every transition of a given TFSM. The behavior of a TFSM S can be described as follows. [10] between TFSMs and thus, we do not consider output delays. In other words, in this paper, the transition relation is a 5-tuple,
is the empty set. The notion of  (s, i) is very close to the notion of time regions [1]; however, these regions are different for different states and inputs. The latter allows checking transitions with the same input at different states at different time instances.
Given a transition (s, i, o_1, s', min, max) of S, we refer to max − min as the duration of the time guard of the transition. Moreover, the largest finite boundary, denoted B_S or B, over all guards of all transitions is called the largest boundary of the TFSM.
The machine S is (time) deterministic if for each two transitions (s, i, o, s', min_1,
otherwise, the machine S is (time) non-deterministic.
The TFSM S is input enabled if the underlying FSM is complete, i.e., if for each
The TFSM S is complete if the underlying FSM is complete and, for each pair (s, i) ∈ S × I of TFSM S, the union of the time guards over all transitions (s, i, o, s', min, max) of S equals [0, ∞); otherwise, the machine is called partial. Given a complete TFSM, its behavior is defined at each state for each input that can be applied at any time instance in [0, ∞). In this paper, we consider only deterministic but possibly partial TFSMs.
Definition 3. Given a TFSM S = (S, I, O, _S, s_0), a pair (i, t), where i ∈ I and t is a nonnegative rational, is a timed input stating that input i is applied at time t.
Definition 4. Given a TFSM S, a sequence over the input (output) alphabet is called an input (output) sequence. A sequence (i_1, t_1) … (i_l, t_l) of timed inputs is a timed input sequence. A timed input sequence (i_1, t_1) … (i_l, t_l) is defined for TFSM S at state s if the TFSM has a sequence of transitions (s_j, i_j, o_j, s_{j+1}, g_j) such that s_1 = s and, for each j = 1, …, l, it holds that t_j ∈ g_j. The set of all defined timed input sequences at state s is denoted _S(s); for the initial state we write _S for short. The corresponding output sequence o_1 … o_l is denoted out_S(s, ·), with the timed input sequence as the second argument. As usual, we say that the pair (timed input sequence, output sequence) takes the machine S from state s to state s_{l+1}. A pair "timed input sequence / output sequence" is a timed I/O sequence or a timed trace of S at state s. For a deterministic TFSM, given a state s and a timed input sequence defined at s, the state reached by the sequence is uniquely determined; we also say that the sequence takes the TFSM to that state. Given a state s of a deterministic TFSM and a timed input (i, t) defined at s, the (i, t)-successor of state s is the state reached by applying (i, t) at state s.
By the above definition, given a defined timed input sequence (i_1, t_1) … (i_l, t_l), we assume that the sequence is applied to the TFSM in the following way. The input i_1 is applied at the time instance t_1; for each j, 1 < j ≤ l, the input i_j is applied at the time instance t_j, where time starts advancing from 0 after the output to the input i_{j-1} has been produced.
Consider the TFSM S shown in Fig. 1, with three states named 1 (the initial state), 2 and 3, defined over the input alphabet {i_1, i_2} and the output alphabet {o_1, o_2, o_3}. TFSM S is partial and deterministic. The collection of guards
The largest finite boundary B = 10.
The set of all timed traces of S at state s is denoted TTr_S(s), or TTr_S for short if s is the initial state of S. As usual, the TFSM S is initially connected if, for each state s, there exists a timed trace that takes the machine from the initial state to state s.
As usual, the behavior of two TFSMs can be compared using their intersection. The intersection of two TFSMs S and P is not defined at state sp for a timed input (i, t) when S and P at states s and p produce disjoint sets of outputs for this timed input.
Definition 5. Given TFSMs S and P, the intersection S ∩ P is the largest connected submachine of the TFSM (
Corollary. Given complete TFSMs S and P, if the intersection S ∩ P is completely specified, then the TFSMs S and P are not f-distinguishable.
A set V of defined timed input sequences of TFSM S is called a state cover set of S if, for each state s_i of S, there is a timed input sequence in V that takes S to state s_i.
Since the specification TFSM can be partial, the W-method and many of its derivatives cannot be used for deriving test suites with guaranteed fault coverage. The reason is that, as for untimed FSMs, a characterization set may not exist for a partial reduced TFSM. The HIS method can be applied when the specification FSM is partial and not reduced. In this paper, we adapt the HIS method for deriving a test suite with guaranteed fault coverage; correspondingly, we define and use a separating family [17] of state identifiers, also known as a family of harmonized state identifiers [11], [13]. Given the FM <S, f  , > where  is a finite set of TFSMs, a complete test suite can be derived by explicit enumeration of the TFSMs of the set  using Proposition 1. However, the set  can be huge, and for this reason we would like to develop a test derivation method without explicit enumeration of the machines in . As usual, we impose some restrictions on the specification TFSM and on the fault domain.
Deriving Complete Test Suites for Timed FSMs
The main problem when deriving a test suite with guaranteed fault coverage for the specification TFSM S is that the number of defined timed inputs at each state of S can be infinite. For this reason, it is not enough to bound the number of states of an IUT; the number of time regions must be bounded as well. Therefore, we bound the largest finite boundary B_P of the transition guards of an IUT. If we assume that each input can be applied only at integer time instances, then it is enough to check, at each state, the transitions under all timed inputs (i, t), i ∈ I, t ∈ {0, …, B_P + 1}. However, the number of such inputs can still be huge, and as usual we further reduce the number of timed inputs to check when a lower bound on the duration of the time guards of an IUT is known.
Separating Family
A separating family for a given reduced TFSM S can be derived in the same way As an example, consider the TFSM S shown in Fig. 1 and states 1 and 2 of S. The initial state of the intersection of S/1 and S/2 is undefined under the timed input (i_1, 2); thus, the sequence (i_1, 2) f-distinguishes states 1 and 2 of S, and we add (i_1, 2) to W_1 and W_2. In this example, the sequence (i_1, 2) also f-distinguishes states 1 and 3, so we add (i_1, 2) to W_1 and W_3. For states 2 and 3, we derive the intersection of S/1 and S/3 and find that the sequence (i_1 Here we note that two TFSMs can be f-compatible or f-distinguishable depending on whether a timed input can be applied only at integer time instances. For example, if an input can be applied only at integer time instances, then TFSMs cannot be distinguished by an input whose time instance lies in the intersection of (a, a + 2) and (a − 1, a + 1), since that intersection, (a, a + 1), contains no integer. In other words, in this case two deterministic TFSMs S and P are f-distinguishable iff there exist a state (s, p) and an input i such that the behavior of S at state s and the behavior of P at state p are both defined under (i, t), while the behavior of the intersection S ∩ P is not defined at state (s, p) for the timed input (i, t), where t is an integer.
Khaled El-Fakih1, Nina Yevtushenko2*, Hacene Fouchal3
In fact, in this case each defined timed input sequence ending with (i, t), t an integer, whose prefix takes the intersection S ∩ P to state (s, p) with all inputs applied at integer time instances, f-distinguishes TFSMs S and P. We further establish a statement (Proposition 2) that takes this distinguishability into account.
On Test Derivation for Integer Time Instances
Consider a fault model where the guard boundaries of the specification TFSM S and of each implementation TFSM P are integers, an implementation TFSM P has at most n states, where n is the number of states of the specification TFSM S, the upper bound B on the largest finite boundary of an implementation TFSM is known, and only timed inputs (i, t) where t is a nonnegative integer can be applied to an IUT.
In this case, each TFSM can be represented as an untimed FSM that, for each state s, has as defined inputs the finite set of timed inputs (i, t), where i is an input defined at s and t ∈ {0, …, B + 1} intersected with the union of all guards of the transitions under i at s. Then the classical HIS method and its derivatives can be applied to the obtained FSM for deriving a complete test suite w.r.t. the assumed fault model. However, this test suite will be huge. Similar to [14], it can be shown that it is not enough to apply inputs only at the finite boundaries of the time guards of the specification. Thus, a more rigorous analysis is needed to assess the limitations on the time guards of an IUT and to propose a related test suite derivation with guaranteed fault coverage. These issues are addressed in the following section.
When interested in TFSMs with up to m states, we use _m(B, w) to denote the finite set of deterministic complete TFSMs with at most m states that have the same input alphabet as the specification TFSM S, the upper bound B on the largest finite boundary and the minimal duration w of a time guard. When we want to emphasize that inputs can be applied only at integer time instances, we write _m^in(B, w) for this set of IUTs.
Test Derivation for TFSMs with Integer Time Instances when m = n
In this subsection, we define a fault model, denoted FM_1, and then present an algorithm that returns a complete test suite w.r.t. this model. Consider the fault model FM_1 = <S,
1) The minimal (integer) duration w of a finite time guard of an IUT is known.
2) An implementation TFSM P ∈ _n^in(B, w) is a deterministic complete TFSM that has at most n states, where n is the number of states of the specification TFSM S.
3) The upper (integer) bound B > 0 on the largest finite boundary of an implementation TFSM is known.
4) Only timed inputs (i, t) where t is a nonnegative integer can be applied to an IUT.
Proposition 2. If only timed inputs (i, t) where t is a nonnegative integer can be applied to TFSM S, then the guards of the TFSM S can be described in the form [a, b]
Step 2.
For every pair (s, i) ∈ S × I such that there exists a transition under i at state s:
test suite TS that is complete with respect to this fault model.
be an implementation TFSM that has the expected output response to each input sequence of the set TS_1. In this case, the TFSM has exactly n states and, moreover, we can establish a one-to-one correspondence h between the states of S and P:
Test Derivation for TFSMs with Integer Instances when m > n
As with other FSM-based test derivation methods with guaranteed fault coverage, the method presented in this paper can be adapted to the case when the number m of states of an IUT can be larger than the number n of states of the specification FSM, i.e. m > n. In this case, the fault domain of the fault model contains all TFSM implementations with up to m states, i.e. _m(B, w). In this paper we show how Algorithm 1 can be adapted for deriving a complete test suite for the fault model <S,
For every sequence in V_l that takes the specification TFSM to some state s and each timed input (i, t) that is defined at state s:
Include into V_{l+1} the sequence extended by (i, t), for every t ∈ T(s, i);
Endfor
Increment l by 1;
Endwhile
Step 4.
For every
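As an added example (not code from the paper), the following Python script ties together Definition 4 (applying a timed input sequence with the clock reset at every transition), the finite set of timed inputs t ∈ {0, …, B+1} intersected with the guards for integer time instances, the derivation of f-distinguishing sequences from the intersection of two states' submachines (the separating family section), and the state-cover extension loop V_l → V_{l+1} for the m > n case. The sample TFSM, its transitions and guards are constructed here and are not the paper's Fig. 1; the function names, the bracket encoding of guards and the choice of B (the sample's own largest boundary, whereas the fault model uses the assumed IUT bound) are my assumptions.

```python
from collections import deque

# Constructed sample TFSM for this example (not the paper's Fig. 1).
# Transition: (s, i, o, s', guard), guard = (lo, hi, lo_closed, hi_closed);
# hi=None means the guard is unbounded to the right, i.e. [lo, inf) or (lo, inf).
TRANSITIONS = [
    (1, "i1", "o1", 2, (0, 2, True, False)),      # [0, 2)
    (1, "i1", "o2", 3, (2, None, True, False)),   # [2, inf)
    (1, "i2", "o3", 1, (0, None, True, False)),   # [0, inf)
    (2, "i1", "o1", 2, (0, 4, True, True)),       # [0, 4]
    (2, "i1", "o3", 3, (4, None, False, False)),  # (4, inf); no i2 at 2: partial
    (3, "i1", "o1", 1, (0, 4, True, True)),       # [0, 4]
    (3, "i1", "o3", 1, (4, None, False, False)),  # (4, inf)
    (3, "i2", "o1", 2, (0, 3, True, True)),       # [0, 3]
]


def in_guard(t, guard):
    """True if the time instance t lies inside the guard interval."""
    lo, hi, lo_closed, hi_closed = guard
    if t < lo or (t == lo and not lo_closed):
        return False
    return hi is None or t < hi or (t == hi and hi_closed)


class TFSM:
    def __init__(self, transitions, initial):
        self.trans, self.initial = transitions, initial
        self.inputs = sorted({tr[1] for tr in transitions})
        # largest finite boundary B over all guards of all transitions
        self.B = max(b for tr in transitions for b in tr[4][:2] if b is not None)

    def step(self, s, i, t):
        """(i, t)-successor of s as (output, next state), or None if undefined."""
        hits = [(o, s2) for (q, x, o, s2, g) in self.trans
                if q == s and x == i and in_guard(t, g)]
        assert len(hits) <= 1, "machine is not time-deterministic"
        return hits[0] if hits else None

    def run(self, s, seq):
        """Apply a timed input sequence at s; the clock is reset after every transition,
        so each t counts from the previous output. Returns (outputs, final state) or (None, None)."""
        outs = []
        for (i, t) in seq:
            r = self.step(s, i, t)
            if r is None:
                return None, None
            o, s = r
            outs.append(o)
        return outs, s

    def integer_timed_inputs(self, s, B):
        """Finite set of timed inputs at s for integer instances: t in {0..B+1} within the guards."""
        return [(i, t) for i in self.inputs for t in range(B + 2)
                if self.step(s, i, t) is not None]


def distinguishing_sequence(M, s1, s2, B):
    """Shortest integer-timed sequence defined at both s1 and s2 whose outputs differ, i.e. the
    intersection of M/s1 and M/s2 is undefined at its end (BFS over state pairs); None if f-compatible."""
    parent = {(s1, s2): None}
    queue = deque([(s1, s2)])
    while queue:
        pair = queue.popleft()
        a, b = pair
        for (i, t) in M.integer_timed_inputs(a, B):
            ra, rb = M.step(a, i, t), M.step(b, i, t)
            if rb is None:
                continue  # not defined at both states: cannot f-distinguish
            if ra[0] != rb[0]:
                seq, node = [(i, t)], pair
                while parent[node] is not None:  # walk back to (s1, s2)
                    node, inp = parent[node]
                    seq.append(inp)
                return seq[::-1]
            nxt = (ra[1], rb[1])
            if nxt not in parent:
                parent[nxt] = (pair, (i, t))
                queue.append(nxt)
    return None


def state_cover(M, B):
    """State cover set V: one shortest defined timed sequence per state."""
    cover = {M.initial: []}
    queue = deque([M.initial])
    while queue:
        s = queue.popleft()
        for (i, t) in M.integer_timed_inputs(s, B):
            s2 = M.step(s, i, t)[1]
            if s2 not in cover:
                cover[s2] = cover[s] + [(i, t)]
                queue.append(s2)
    return list(cover.values())


def cover_layers(M, V, extra, B):
    """V_0 = V; V_{l+1} = each sequence of V_l extended by every timed input (i, t) defined
    at the state it reaches. `extra` rounds correspond to an IUT with up to n + extra states."""
    layers = [list(V)]
    for _ in range(extra):
        layers.append([alpha + [(i, t)] for alpha in layers[-1]
                       for (i, t) in M.integer_timed_inputs(M.run(M.initial, alpha)[1], B)])
    return layers


SPEC = TFSM(TRANSITIONS, initial=1)
```

With `B = SPEC.B` (4 for the sample), `distinguishing_sequence(SPEC, 2, 3, B)` returns `[("i1", 0), ("i1", 2)]`: states 2 and 3 agree on every integer-timed `i1`, and `i2` is undefined at state 2 so it cannot be used, but after `(i1, 0)` the pair reaches states (2, 1), which differ under `(i1, 2)`. Each extra round of `cover_layers` multiplies the number of sequences by the number of defined timed inputs per state, which is why the paper bounds B and the guard duration w before deriving tests.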
