A real-time system is a discrete system whose state changes occur in real-numbered time [AH97]. For testing real-time systems, specification languages must be extended with constructs for expressing real-time constraints, the implementation relation must be generalized to take the temporal dimension into account, and the data structures and algorithms used to generate tests must be revised to operate on a potentially infinite set of states.
and measure the amount of time that has elapsed since they were started or reset. The choice of the next state of a timed automaton depends, in addition to the kind of input symbol, on the occurrence time of the input symbol relative to the occurrence of previously read symbols. Each transition of the system may reset some of the clocks and has an associated enabling condition, which is a constraint on the values of the clocks. A transition can be taken only if the current clock values satisfy its enabling condition. Timing constraints on clocks are expressed by the following syntax.
Definition 8.1. For a set C of clock variables, the set Φ(C) of clock constraints ϕ, where c ∈ C and k ∈ Q≥0, is defined inductively by
Often, c = k

A transition (s, a, ϕ, λ, s′) ∈ E represents a change of location from s ∈ S to s′ ∈ S on symbol a ∈ Σ. The clock constraint (guard) ϕ ∈ Φ(C) specifies when the transition is enabled, and the set λ ⊆ C gives the clocks to be reset when the transition is taken. Clock invariants constrain how long the automaton is allowed to stay in a certain location.
Example. We adopt the automatic Light Switch of Springintveld et al. [SVD01] as an example. The Light Switch can be specified by a timed automaton A with
• E = {(s_0, on, true, {c}, s_1), (s_1, on, c < 5, {c}, s_1), (s_1, off, c = 5, ∅, s_0)}

Its behavior can be explained as follows. The state of the system in which the light is off is represented by s_0, and the state s_1 represents the situation where the light is on. The light can be turned on by pushing the on button. After five time units the switch turns itself off. Before that happens, the on button may be pushed again, which leaves the light on (cf. Figure 8.2).

Remark 8.3. Timed automata were introduced by Alur and Dill [AD94] as a generalization of finite-state machines over infinite words [Tho90]. We only consider timed automata without acceptance conditions, which are usually referred to as timed safety automata [HNSY92]. An introduction to acceptance is given in Section 19.2, whereas a discussion of acceptance conditions in the context of timed automata can be found elsewhere [HKWT95].
The behavior of a timed automaton A depends on both its current location and the actual values of all its clocks.
Definition 8.4. A clock valuation over a set of clocks C is a map ν that assigns to each clock c ∈ C a value in R≥0. With V(C) we denote the set of clock valuations over C. For d ∈ R≥0, ν + d denotes the clock interpretation that maps every clock c to the value ν(c) + d. For λ ⊆ C, ν[λ := 0] denotes the clock interpretation for C that assigns 0 to each c ∈ λ and agrees with ν on the rest of the clocks.
A labeled transition system M with uncountably many states can be used to define the possible behavior of a timed automaton A. A state of M is a pair ⟨s, ν⟩ such that s is a location of A and ν is a clock valuation for C satisfying the invariant Inv_A(s). Transitions of M represent either an elapse of time or a transition of A.

Definition 8.5. The semantics of a timed automaton A is given by the LTS M = ⟨Q, Q_0, L, →⟩, where (⟨s, ν⟩, a, ⟨s′, ν[λ := 0]⟩) ∈ → iff (s, a, ϕ, λ, s′) ∈ E_A and ν |= ϕ.

Due to dense-time clocks, the transition system M for a timed automaton A has infinitely many states and operates on infinitely many symbols. Analysis of safety requirements of real-time systems can be formulated as reachability problems for timed automata. Since the transition system M for a timed automaton A is infinite, reachability analysis constructs a quotient, called the region automaton, by partitioning the uncountable state space into finitely many regions [Alu99].
A timed automaton can be seen as accepting (or generating) timed words and thereby defining a timed language. Two timed automata are said to be equivalent if they accept the same timed language.

Definition 8.6. A timed word over an alphabet Σ is a finite sequence (a_1, t_1) ... (a_n, t_n) of symbols a_i ∈ Σ paired with nonnegative real numbers t_i ∈ R≥0 that are nondecreasing (∀ i < n. t_i < t_{i+1}). A timed language over Σ is a set of timed words over Σ.
Remark 8.7. Alur and Dill showed that a Büchi automaton (called the region automaton) can be constructed that accepts exactly the set of untimed words that are consistent with the timed words accepted by a timed automaton [AD94]. The construction of the region automaton is PSPACE-complete.
Remark 8.8. Alur and Dill showed the language inclusion problem to be undecidable for nondeterministic timed automata but solvable in PSPACE for deterministic timed automata. The problem of deciding the emptiness of the language of a given timed automaton is PSPACE-complete for deterministic timed automata [AD94].
Deterministic timed automata form an important subclass of timed automata that is strictly less expressive than nondeterministic timed automata [AD94]. For a timed automaton to be deterministic, multiple transitions starting at the same location with the same label are only allowed if their clock constraints are mutually exclusive. Thus, at most one of the transitions with the same action is enabled at any given time.
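The semantics of Definition 8.5, run over timed words as in Definition 8.6, for the Light Switch edges quoted above. This is an added example, not code from the page; the location invariant c ≤ 5 on s_1 (which forces the automatic switch-off), the Python encoding of guards as predicates, and the sampled determinism check are assumptions.

```python
"""Semantics of a timed automaton (Definition 8.5) run on timed words
(Definition 8.6), using the Light Switch edges quoted above.  Added
example, not code from the page; the invariant c <= 5 on s_1 (which forces
the automatic switch-off) and the Python encoding of guards are assumptions."""
from fractions import Fraction
from itertools import combinations

# Edges (s, a, phi, lambda, s'): guard phi is a predicate over a clock
# valuation {clock: value}; lambda is the set of clocks reset on the edge.
LIGHT_SWITCH = {
    "initial": "s0",
    "clocks": {"c"},
    "edges": [
        ("s0", "on", lambda v: True, {"c"}, "s1"),
        ("s1", "on", lambda v: v["c"] < 5, {"c"}, "s1"),
        ("s1", "off", lambda v: v["c"] == 5, set(), "s0"),
    ],
    # Assumed location invariants: the light may stay on for at most 5 units.
    "inv": {"s0": lambda v: True, "s1": lambda v: v["c"] <= 5},
}


def delay(ta, state, d):
    """Time-elapse step <s, nu> -d-> <s, nu + d>, allowed only if the
    invariant of s still holds after the delay (for convex invariants such
    as c <= 5 this means it holds along the whole delay)."""
    s, nu = state
    if d < 0:
        raise ValueError("negative delay")
    nu2 = {c: t + d for c, t in nu.items()}
    return (s, nu2) if ta["inv"][s](nu2) else None


def step(ta, state, action):
    """Action step <s, nu> -a-> <s', nu[lambda := 0]> for every edge
    (s, a, phi, lambda, s') with nu |= phi.  More than one successor would
    indicate a nondeterministic automaton."""
    s, nu = state
    succ = []
    for src, a, guard, resets, trg in ta["edges"]:
        if src == s and a == action and guard(nu):
            nu2 = {c: (Fraction(0) if c in resets else t) for c, t in nu.items()}
            if ta["inv"][trg](nu2):
                succ.append((trg, nu2))
    return succ


def run(ta, timed_word):
    """Run a timed word (a_1, t_1) ... (a_n, t_n): let time elapse up to each
    absolute time stamp t_i, then take a_i.  Returns the sequence of states
    visited, or None if the word is not accepted by the automaton."""
    state = (ta["initial"], {c: Fraction(0) for c in ta["clocks"]})
    now, visited = Fraction(0), [state]
    for a, t in timed_word:
        t = Fraction(t)
        if t < now:
            return None                    # time stamps must not decrease
        state = delay(ta, state, t - now)
        if state is None:
            return None                    # invariant violated while waiting
        succ = step(ta, state, a)
        if not succ:
            return None                    # no edge enabled at this time
        state, now = succ[0], t
        visited.append(state)
    return visited


def is_deterministic(ta, sample_valuations):
    """Determinism condition of the text, checked on sample valuations: two
    edges with the same source and label must never be enabled together,
    i.e. their guards must be mutually exclusive."""
    for e1, e2 in combinations(ta["edges"], 2):
        if e1[0] == e2[0] and e1[1] == e2[1]:
            if any(e1[2](v) and e2[2](v) for v in sample_valuations):
                return False
    return True


if __name__ == "__main__":
    # 'on' at 0, 'on' again at 3 (light stays on), automatic 'off' at 8.
    print(run(LIGHT_SWITCH, [("on", 0), ("on", 3), ("off", 8)]))
```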
Testing Event Recording Automata
Nielsen and Skou present a technique for the automatic generation of real-time black-box conformance tests for non-deterministic systems [NS03]. They start from a determinizable class of timed automata specifications called ERA, with a dense time interpretation. The tests are generated using a coarse-grained equivalence class partition of the specification.
Model
Event Recording Automata (ERA) were proposed by Alur, Fix and Henzinger [AFH94] as a determinizable subclass of timed automata; they have language inclusion as a decidable property (like all deterministic timed automata). Like a timed automaton [AD94], an ERA has a set of clocks, which can be used in guards (clock constraints) and reset when an action is taken. In an ERA, however, each action a is uniquely associated with a clock c_a, called the event clock of a. Whenever an action a is executed, the event clock c_a is automatically reset. No further clock assignments are permitted. The event clock c_a thus records the amount of time passed since the last occurrence of a. No silent τ-actions or location invariants are permitted. These restrictions ensure determinizability [AFH94].
Definition 8.12. An Event Recording Automaton
• S is a non-empty (finite) set of locations
where
– C = {c_a | a ∈ Σ} is the set of real-valued clocks
– Φ(C) is the set of clock constraints (or guards); these guards are generated by the syntax ϕ ::= γ | ϕ ∧ ϕ, where γ is a constraint of the form c_1 ∼ k or c_1 − c_2 ∼ k with ∼ ∈ {≤, <, =, >, ≥}, k a non-negative integer constant, and c_1, c_2 ∈ C.
All actions are urgent, meaning that synchronization between two automata takes place immediately when the parties have enabled a pair of complementary actions. The complementary actions are the actions by which the automata synchronize, in our case input and output actions, denoted by ? and ! respectively. The requirement of urgent actions is needed because with non-urgent observable actions the synchronization delay could be unbounded.
Example. Figure 8.2 shows an ERA that describes the behavior of the automatic Light Switch. The initial location is indicated by a double circle. Formally, the ERA is given by ⟨S, s_0, Σ, E⟩, where

The determinization procedure for ERAs is given by Alur, Fix and Henzinger [AFH94] and is conceptually a simple extension of the method used for the untimed case, only now the guards must be taken into account.
Symbolic Representation
Timed automata (a network of ERAs) with a dense time interpretation cannot be analyzed by finite-state techniques, since the associated timed transition system has infinitely many states. Therefore, they must be analyzed symbolically [NS03]. Similar to the region automaton [Alu99], which partitions the state space into finitely many regions, here zones are used instead, in the following way.
The state of a network of timed automata is represented by a pair ⟨s, ν⟩, where s is the vector of the automata's current locations and ν is the vector of their current clock values. A zone z is a conjunction of clock constraints of the form c_1 ∼ k or c_1 − c_2 ∼ k with ∼ ∈ {≤, <, =, >, ≥}, or equivalently the solution set of these constraints. A symbolic state [s, z]
• Given a symbolic path to a symbolic state, a concrete timed trace leading to it (or a subset thereof) can be computed by propagating its constraints back along the symbolic path used to reach it and by choosing specific time points along this trace.

Remark 8.13. To ensure soundness of the produced tests, symbolic reachability analysis is needed to select only states for testing that are reachable, and to compute only timed traces that are actually part of the specification.
Testing
As opposed to exhaustive testing, a test selection criterion (or coverage criterion) is used in this case, i.e. a rule that describes which behavior or which requirements should be tested. Coverage is a metric of completeness with respect to a test selection criterion. For real-time systems it is proposed to partition the clock valuations into domains and ensure that each such domain is tested systematically.
Example. In our example of the automatic Light Switch, a partition domain for c_on could be as shown in Figure 8.4. The selection criterion used here is based on partitioning the state space of the specification into coarse equivalence classes and requiring that the test suite for each class yields a set of required observations of the implementation when it is expected to be in a state of that class. As in Hennessy's work [HN83], the following abstract syntax is used:
(1) after σ must A, (2) can σ, (3) after σ must ∅, where σ ∈ Act* and A ⊂ Act. Informally, (1) is successful if at least one of the observations in A (called a must set) can be observed whenever the trace σ has been served, (2) is successful if σ is a prefix of the observed system's behavior, and (3) is successful if this is not the case (i.e. σ is not a prefix). Using this notation, each class is decorated with the simple deadlock observations of the forms after ε must A (a must property), after a must ∅ (a refusal property), and can a (a may property) that should be satisfied in that class (this idea was taken from the testing preorder).
A test case consists of a timed trace that leads to a desired state in a coarse equivalence class, followed by one of the simple deadlock observations. We now present the state partitioning definition, which is used to construct the equivalence class graph. This graph is a transformation of the initial automaton that preserves all of its information, and it is what is effectively used in the test derivation process.
The state partitioning works as follows. Let S be a location vector in the determinized automaton; note that S can be a set of locations of the original automaton. The clock valuations of this control location S are partitioned such that two clock valuations belong to the same equivalence class if and only if they enable precisely the same outgoing transitions from S, i.e. they are equivalent with respect to the enabled transitions.
An equivalence class is represented by a pair [S, p], where S is a set of location vectors and p is the inequation that describes the clock constraints that must hold for that class, i.e. [S, p] is the set of states {⟨S, ν⟩ | ν ∈ p}. Further, to obtain equivalence classes that are continuous convex polyhedra, and to enable the reuse of existing efficient symbolic techniques (as used in model checking), this constraint is rewritten in disjunctive normal form. Each disjunct is treated as an equivalence class.

Definition 8.14. State Partitioning Ψ(S). Let S be a set of location vectors and E(S) the set of transitions from a location in S. If E is a set of transitions, Γ(E) denotes the set of guards of the transitions in E.
Let P be a constraint over clock inequations γ composed using the logical connectives ∧, ∨ and ¬. DNF(P) denotes a function that rewrites the constraint P into its equivalent disjunctive normal form, i.e. such that ⋁_i ⋀_j γ_ij = P. Each conjunct of the disjunctive form can be written as a guard ϕ ∈ Φ(C). The disjunctive normal form can thus be interpreted as a disjunction of guards such that
Then the set of guards ϕ_i whose disjunction equals the disjunctive normal form is denoted GDNF, i.e.
and finally Ψ_dnf(S) is:
To make this definition more understandable we show the next example. Using the automatic Light Switch, we present the procedure for finding the equivalence classes for S = {s_1}.
Example. Let S = {s_1}; then the transitions from S are:
only for simplicity we will present 2
and:

The state space of the ERA specification is a graph of equivalence classes. A node in this graph corresponds to an equivalence class. A transition between two nodes is labeled with an action and represents the possibility of executing that action in a state of the source node, waiting some amount of time, and thereby entering a state of the target node. The graph is constructed by starting from an existing node [S, p] (initially the equivalence class of the initial location) and then, for each enabled action a, computing the set of locations S′ that can be entered by executing a from the current equivalence class. The partitions p′ of the location set S′ are then computed according to Definition 8.14, and every [S′, p′] is an a-successor of [S, p]. Only equivalence classes whose constraints have solutions need to be represented. The equivalence class graph is defined inductively in Algorithm 11.
Each equivalence class [S, p] is decorated with the action sets M, C, R from the testing preorder, as shown in Definition 8.15.
Algorithm 11 Equivalence Class Graph
input: determinized ERA specification Spec
output: an equivalence class graph
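State partitioning Ψ(S) (Definition 8.14) and the equivalence class graph construction described above, for an ERA with a single clock. This is an added example written for this section, not RTCAT's code, and it goes beyond the worked case S = {s_1}: it computes the classes of every location and builds the whole graph. It assumes the Light Switch ERA with only the event clock c_on, with the edge list derived from the timed automaton quoted earlier on the page, and guards that are conjunctions of atoms c_on ∼ k.

```python
"""State partitioning Psi(S) (Definition 8.14) and the equivalence class
graph (Algorithm 11) for an ERA with a single clock.  Added example written
for this section, not RTCAT code.  It uses the Light Switch with only the
event clock c_on; the edge list is an assumption based on the timed
automaton quoted earlier on the page (guards are conjunctions of c_on ~ k)."""
from fractions import Fraction

INF = None  # upper bound of the unbounded last interval

# Edges (source, action, guard, target); a guard is a tuple of (op, k)
# atoms on c_on, all conjoined.  'off' is urgent and fires at c_on = 5.
EDGES = (
    ("s0", "on", (), "s1"),
    ("s1", "on", (("<", 5),), "s1"),
    ("s1", "off", (("=", 5),), "s0"),
)
OPS = {"<": lambda x, k: x < k, "<=": lambda x, k: x <= k,
       "=": lambda x, k: x == k, ">": lambda x, k: x > k,
       ">=": lambda x, k: x >= k}


def holds(guard, x):
    return all(OPS[op](x, k) for op, k in guard)


def elementary_pieces(constants):
    """Cut R>=0 at every constant into points {k} and open intervals
    (k, next); every atom c_on ~ k has a constant truth value on a piece.
    A piece is (lo, lo_closed, hi, hi_closed); hi is INF when unbounded."""
    ks = sorted({Fraction(0)} | {Fraction(k) for k in constants})
    pieces = []
    for i, k in enumerate(ks):
        pieces.append((k, True, k, True))
        hi = ks[i + 1] if i + 1 < len(ks) else INF
        pieces.append((k, False, hi, False))
    return pieces


def witness(piece):
    """A clock value lying inside the piece."""
    lo, lo_closed, hi, _ = piece
    if lo_closed:
        return lo
    return lo + 1 if hi is INF else (lo + hi) / 2


def partition(S, edges=EDGES):
    """Psi(S): valuations of c_on are equivalent iff they enable the same
    subset of E(S).  Adjacent pieces with the same enabled set are joined so
    that each class is convex (one disjunct of the DNF).  Returns a list of
    (S, p, enabled_edges) with p an interval as in elementary_pieces."""
    E = [e for e in edges if e[0] in S]
    constants = [k for e in E for _, k in e[2]]
    classes = []
    for piece in elementary_pieces(constants):
        x = witness(piece)
        enabled = frozenset(i for i, e in enumerate(E) if holds(e[2], x))
        if classes and classes[-1][1] == enabled:          # extend the convex run
            prev = classes[-1][0]
            classes[-1] = ((prev[0], prev[1], piece[2], piece[3]), enabled)
        else:
            classes.append((piece, enabled))
    return [(frozenset(S), p, frozenset(E[i] for i in en)) for p, en in classes]


def class_graph(initial, edges=EDGES):
    """Algorithm 11 for one clock.  Starting from the classes of the initial
    location, for every action a enabled in a class [S, p] compute the
    location set S' entered by a; every class [S', p'] of Psi(S') is an
    a-successor, since after a the automaton may wait an arbitrary time.
    Reachability is NOT checked here (cf. the remark on unsound classes)."""
    nodes, arcs, todo = [], [], list(partition({initial}, edges))
    while todo:
        node = todo.pop()
        S, p, enabled = node
        if any(n[0] == S and n[1] == p for n in nodes):
            continue
        nodes.append(node)
        for a in sorted({e[1] for e in enabled}):
            S2 = {e[3] for e in enabled if e[1] == a}
            for succ in partition(S2, edges):
                arcs.append(((S, p), a, (succ[0], succ[1])))
                todo.append(succ)
    return nodes, arcs


if __name__ == "__main__":
    for S, p, en in class_graph("s0")[0]:
        print(sorted(S), p, sorted(e[1] for e in en))
```

For S = {s_1} the three classes are c_on < 5 (only on enabled), c_on = 5 (only off enabled) and c_on > 5 (nothing enabled); the last one appears in the graph although urgency of off makes it unreachable, which is exactly why the reachability analysis of Remark 8.13 is needed before generating tests.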
where ε denotes the empty sequence.
If σ is a timed trace that leads to [S, p] and A ∈ M([S, p]), then after σ must A is a test to be passed for that class. Similarly:
The number of generated tests can be reduced by removing tests that are logically passed by another test, i.e. the must sets can be reduced to
gives the set of minimal elements of M under subset inclusion), and the actions observed during the execution of a must test can be removed from the may tests, i.e.
Example. The equivalence class graph for the automatic Light Switch is shown in Figure 8.5.
The equivalence class graph preserves all timed traces of the specification, and the deadlock information required for the Hennessy tests [HN83] of the specification is stored in each node by the M, C and R action sets. The non-determinism found in the original specification is therefore maintained, but represented differently, in a way that is more convenient for test generation: a test is composed of a trace, a deadlock observation possible in the specification thereafter, and its associated verdict. This information can simply be found by following a path in the equivalence class graph.
Although the equivalence class graph has the information necessary to generate timed Hennessy tests, it also contains behavior and states not found in the specification, and using such behavior would result in irrelevant and unsound tests (just as in model checking, where after using zones a reachability analysis is necessary). To ensure soundness, only traces and deadlock properties actually contained in the specification should be used in a generated test. Therefore, the specification is interpreted symbolically, and the tests are generated from a representation of only the reachable states and behavior.
Algorithm 12 represents the test generation procedure.
Step 1 constructs the equivalence class graph. The result of step 2 is the symbolic reachability graph. Nodes in this graph are symbolic states [S, z/p], where S is a set of location vectors and z is a constraint characterizing a set of reachable clock valuations that also lie in p, i.e. z ⊆ p. A transition represents that the target state is reachable by executing an action from the source state and then waiting for some amount of time. The nodes of the reachability graph are decorated with the sets M, C and R.
Step 4 initializes an empty set Tested, which contains the symbolic states from which tests have been generated so far. Steps 5 and later contain the test generation process.
This algorithm only generates tests for the first symbolic state that reaches a given partition and uses the set Tested to ignore subsequent passes over the same partition. This ensures that all may, must and refusal properties are generated only once per partition, thus reducing the number of produced test cases.
This theory and algorithm have been implemented in a prototype tool called RTCAT. RTCAT inputs an ERA specification in AUTOGRAPH format, see [BRRdS96]. A specification may consist of several ERAs operating in parallel and communicating via shared clocks and integer variables, but no silent actions (τ) are allowed. The application of this technique to a realistic specification shows "promising results: the test suite is quite small, is constructed quickly, and with a reasonable memory usage" [NS03].

Algorithm 12 Overall Test Case Generation
input: ERA specification Spec
output: a complete cover set of timed Hennessy properties
Compute a concrete timed trace σ from ⟨s_0, 0⟩ to ⟨s, ν⟩
10 Make Test Cases:
Testing Deterministic Timed Automaton
Springintveld, Vaandrager and D'Argenio [SVD01] showed that exhaustive testing of trace equivalence for deterministic timed automata with a dense time interpretation is theoretically possible, but quite infeasible in practice. A grid algorithm for bounded time-domain automata is presented, which captures the real-time behaviors using finitely many points.
Model
The timed I/O automaton model is used here, which is a finite (untimed) automaton together with a timing annotation. This model is equivalent to the original timed automaton [AD94] with some restrictions that make exhaustive test derivation feasible. A timed I/O automaton makes exhaustive test derivation feasible if it does not have silent τ-transitions, is deterministic, is input enabled and has isolated outputs, as we will show later.
A finite automaton A is a rooted labeled transition system with Q (the set of states) and E (the transition relation →) finite. We fix some useful notation and definitions. An execution fragment of the LTS A is a finite or infinite alternating sequence q_0 a_1 q_1 a_2 q_2 ... of states and actions of A (a_i ∈ L_A and q_i ∈ Q_A), beginning with a state and, if it is finite, also ending with a state, such that for all i > 0, q_{i−1} −a_i→ q_i. An execution of A is an execution fragment that begins with the initial state q_0 of A. A state q of A is reachable if it is the last state of some finite execution of A. σ is a distinguishing trace of q and q′ if it is either a trace of q but not of q′, or the other way around (for the definition of traces see Appendix: Labeled Transition Systems). If δ ∈ E and δ = (q, a, q′), we denote src(δ) = q, act(δ) = a and trg(δ) = q′.
States q, q′ of LTSs B and B′, respectively, are bisimilar if there exists a bisimulation R on the disjoint union of B and B′ (with arbitrary initial state) that relates q to q′. LTSs B and B′ are bisimilar if their initial states q_0 and q′_0 are bisimilar.
It is well known that if B is deterministic, then for all states q, q′ of B, q and q′ are bisimilar if and only if traces(q) = traces(q′). As a consequence, two deterministic LTSs B and B′ are bisimilar iff they have the same sets of traces.
Let C be a set of clocks with c ∈ C; then define dom(c) =def J ∪ {∞}, where J is a bounded interval over R with infimum and supremum in Z, and intv(c)
The terms over C (denoted T(C)) are the expressions generated by the grammar e ::= c | k | e + k, with c ∈ C and k ∈ Z_∞, i.e. Z ∪ {∞}. Let F(C) be the boolean combinations of inequalities of the form e ≤ e′ or e < e′ with e, e′ ∈ T(C). A (simultaneous) assignment over C is a function µ from C to T(C); the set of all these functions is denoted M(C). If ϕ is a constraint over C and µ an assignment, then ϕ[µ] denotes the constraint obtained from ϕ by replacing each variable c ∈ C by µ(c). Finally, a clock valuation over C is a map ν that assigns to each clock c ∈ C a value in its domain (the set of valuations is denoted V(C)). We say that ν satisfies ϕ, notation ν |= ϕ, if ϕ evaluates to true under valuation ν.
The next definition presents the timing annotation for a finite automaton: a set of clocks, an invariant for each state, a guard for each transition (which determines whether the transition may be taken or not), the assignment Ass for each transition, and the initial clock valuation ν_0.
Definition 8.17. A timing annotation for a given finite automaton
• C is a finite set of clocks
• Inv : Q → F(C) associates an invariant to each state
• Φ : E → F(C) associates a guard to each transition
• Ass : E → M(C) associates an assignment to each transition such that for each δ ∈ E:
• ν_0 ∈ V(C) is the initial clock valuation. It should hold that ν_0 |= Inv(q_0) and, for all c,
Next we present timed I/O automata, which, as already said, are finite automata together with a timing annotation and some restrictions. These restrictions are fundamental to proving the later theorems on the discretization of the state space.
• every input is always enabled within the interior of the invariant of each location, and only within it
• (Progressiveness) for every state of its operational semantics (OS(A), defined below) there exists an infinite execution fragment that starts in this state, contains no input actions, and in which the sum of the delays diverges.
To avoid confusion, and following the earlier implicit convention, for a TIOA A we use S as the set of locations and Σ as the set of actions, in contrast to the associated operational semantics OS(A), where Q is the set of states and L is the set of actions.
Example. Figure 8.6 depicts the timed I/O automaton that represents the Light Switch.
The operational semantics of A (denoted OS(A)) is defined as the LTS with Q, L and q_0 as in Definition 8.5, and → being the smallest relation that satisfies the following two rules, for all
• ∀ 0 ≤ d′ ≤ d : ν ⊕ d′ |= Inv(s)
where the actions in R>0 are referred to as time delays and
The following lemma, which is a direct corollary of the definitions, gives four basic properties of the operational semantics of a timed I/O automaton. 
Discretization
The construction of the finite subautomaton used for the discretization of the state space is based on the fundamental concept of a region due to Alur and Dill [AD94]. The key idea behind the definition of a region is that, even though the number of states of the LTS OS(A) is infinite, not all of these states are distinguishable via constraints. If two states corresponding to the same location agree on the integral parts of all clock values, and also on the order of the fractional parts of all clocks, then these two states cannot be distinguished.
Definition 8.20. The equivalence relation ≅ over the set V(C) of clock valuations is given by: ν ≅ ν′ if and only if ∀ c, c′ ∈ C:
where, for k ∈ R (here the value of a clock), ⌊k⌋ denotes the largest number in Z that is not greater than k, ⌈k⌉ denotes the smallest number in Z that is not smaller than k, and fract(k) is the fractional part of
A region is an equivalence class of valuations induced by ≅.
Example. Figure 8.7 shows the 11 regions of the c_on clock from the Light Switch.
The equivalence relation ≅ on the clock valuations of a TIOA can be extended to an equivalence relation on states, by defining
A region of a TIOA is an equivalence class of states induced by ≅.
Because testing is based on distinguishing sequences (cf. Chapter 4), it is necessary to have an automaton that can distinguish each sequence that is used. Correspondingly, the grid automaton is presented after all its necessary ingredients.
Let G_n be the set of integer multiples of 2^−n, for some sufficiently large natural number n. If t is a real number, we write ⌊t⌋_n for the largest number in G_n that is not greater than t, and ⌈t⌉_n for the smallest number in G_n that is not smaller than t. We write [t]_n for the fraction (⌊t⌋_n + ⌈t⌉_n)/2; note that [t]_n ∈ G_{n+1}. For a TIOA A and its associated OS(A), write Q_n for the set of states (s, ν) ∈ Q such that, for each clock c, ν(c) ∈ G_n ∪ {∞}. The following lemma shows that for any state q in Q_n and all a ∈ Σ and d ∈ G_n labelling a transition of the semantics, the target state q′ of that transition is also in Q_n.
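Region equivalence as described for Definition 8.20, together with the grid sets G_n and the rounding operators ⌊t⌋_n, ⌈t⌉_n and [t]_n just introduced, as an added example (not code from [SVD01]). It assumes the bounded clock domain J = [0, 5] for the Light Switch clock, which is what yields the 11 regions of Figure 8.7, and expects exact rational clock values so that fractional parts compare exactly.

```python
"""Region equivalence (Definition 8.20) and the grid sets G_n with the
rounding operators of the paragraph above.  Added example, not code from
[SVD01]; it assumes the bounded clock domain J = [0, 5] for the Light
Switch clock, which yields the 11 regions of Figure 8.7, and expects exact
rational clock values (Fraction) so that fractional parts compare exactly."""
from fractions import Fraction
from math import floor, ceil

INF = float("inf")


def fract(x):
    return x - floor(x)


def region_signature(nu):
    """Canonical description of the region of a valuation nu (clock -> value):
    the integral part of each finite clock, which clocks are infinite, and
    the ordering (with ties) of the non-zero fractional parts.  Two
    valuations are region-equivalent iff their signatures agree."""
    finite = {c: Fraction(v) for c, v in nu.items() if v != INF}
    integral = tuple(sorted((c, floor(v)) for c, v in finite.items()))
    infinite = tuple(sorted(c for c, v in nu.items() if v == INF))
    groups = {}
    for c, v in finite.items():
        if fract(v) != 0:            # clocks on an integer are fixed by 'integral'
            groups.setdefault(fract(v), set()).add(c)
    order = tuple(frozenset(groups[f]) for f in sorted(groups))
    return integral, infinite, order


def same_region(nu1, nu2):
    return region_signature(nu1) == region_signature(nu2)


def regions_of_clock(lo, hi):
    """Regions of one clock on the bounded domain [lo, hi]: each integer
    point and each open unit interval between consecutive integers."""
    points = [(k, k) for k in range(lo, hi + 1)]
    opens = [(k, k + 1) for k in range(lo, hi)]
    return sorted(points + opens)


def grid_floor(t, n):
    """Largest element of G_n (multiples of 2^-n) not greater than t."""
    return Fraction(floor(Fraction(t) * 2 ** n), 2 ** n)


def grid_ceil(t, n):
    """Smallest element of G_n not smaller than t."""
    return Fraction(ceil(Fraction(t) * 2 ** n), 2 ** n)


def grid_mid(t, n):
    """[t]_n = (floor_n(t) + ceil_n(t)) / 2, which always lies in G_{n+1}."""
    return (grid_floor(t, n) + grid_ceil(t, n)) / 2


def in_grid(t,  n):
    return (Fraction(t) * 2 ** n).denominator == 1
```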
Lemma 8.22. Let q ∈ Q_n; then
Moreover, for a distinguishing trace of length m for two states in Q_n, a trace can be derived in which all delay actions are in the grid set G_{n+m}.
Theorem 8.23. Let A, B be TIOAs with associated semantics OS(A),
This theorem allows us to transform each distinguishing trace into one in which all delay actions are in a grid set, and shows that there is a dependency between the length of the trace and the granularity of the grid: the longer the trace, the finer the grid. This is due to the fact that the distinguishing power of a distinguishing trace for two states r and r′ depends entirely on the regions traversed when applying σ to r and r′, respectively. Moreover, we can conclude that the grid size depends on the number of states, not just on the number of clocks.
In order to obtain a grid size that is fine enough to distinguish all pairs of different states, the following theorem establishes an upper bound on the length of minimal distinguishing traces.
Theorem 8.24. Suppose A and B are TIOAs with the same input actions, and r and s are states of OS(A) and OS(B), respectively, that are not bisimilar (bisimilarity as in Definition 8.16). Then there exists a distinguishing trace for r and s of length at most the number of regions of Q
Finally, we are in a position to define the grid automaton. For each TIOA A and natural number n, the grid automaton G(A, n) is defined as the subautomaton of OS(A) in which each clock value is in the set G_n ∪ {∞} and the only delay action is 2^−n. Note that since in the initial state of OS(A) all clocks take values in Z_∞, it is always included as a state of G(A, n). Moreover, since G(A, n) has a finite number of states and actions, G(A, n) is a finite automaton.
Definition 8.25. Let
given by
The grid automaton is the restriction of OS(A) to time steps of 2^−n; therefore G(A, n) is finite.
Example. Figure 8.8 presents the grid automaton of the Light Switch for n = 2. Here we denote the initial state as << >>, to distinguish it from the double circle denoting the initial state of a TIOA.
Corollary 8.26. Let A and B be TIOAs with the same input actions, and let n be at least the number of regions of S_A × S_B; then
Using the grid automaton with the appropriate degree of granularity, the problem of deciding bisimulation equivalence of TIOAs is reduced to the problem of deciding bisimulation equivalence of their finite subautomata.
Testing
A test sequence for a TIOA A is a finite sequence of delays and input actions of A (we denote the set of these sequences by Exp). A test sequence σ can be applied to A starting from any state s of OS(A). The application of σ to A in s uniquely determines a finite, maximal execution fragment in OS(A).
How to perform a test sequence is shown in the following definition. The outcome of performing a test sequence on A is described in terms of an auxiliary labeled transition system T.

Definition 8.27. The test sequence LTS is T = ⟨(Exp × Q), Σ, →, ( , s_0)⟩, with Exp × Q as its set of states, where Exp is the test sequence to be executed, Σ is a set of actions, ( , s_0) is the (arbitrarily chosen) initial state, and → is a transition relation inductively defined as the least relation satisfying the following four rules, for all q,
The first rule says that output actions are always performed autonomously, i.e. independently of the input of the intended test sequence. Instead, input actions are only performed if they are explicitly specified in the test sequence. This is stated by the second rule. Similarly, the third rule says that a delay can occur only when it is both specified by the test sequence and allowed by A . In some cases, a delay specified in the test sequence cannot occur since it is interrupted by an autonomous output action of A . In such a case, the part of the delay up to the output action is executed, while the rest is postponed until A stops doing output actions autonomously. This last case is expressed by the fourth rule.
Theorem 8.28. Let A be a TIOA and T its test sequence LTS; then
• each state of T has at most one outgoing transition, and
• T does not have an infinite execution fragment.
Theorem 8.28 allows us to define exec(σ, q) as the execution fragment of OS(A) obtained by projecting the states of the unique maximal execution fragment of T that starts in (σ, q) onto their second component. We define outcome(σ, q), the outcome of the sequence σ in state q, as the trace of the execution fragment induced by performing the test sequence:
Deriving and Applying a Test Suite

It is assumed that the behavior of the IUT (Implementation Under Test) is accurately modeled by a TIOA Impl. Then the IUT conforms to the specification Spec if Impl is bisimilar to Spec.
The method of building test suites is similar to Chow's classical algorithm for Mealy machines [Cho78] (cf. Chapter 4). A test suite consists of a finite set of test sequences which should be applied to the implementation. Each sequence consists of the concatenation of two sequences. The initial part of a test sequence is taken from a transition cover P for a grid subautomaton of Spec, i.e. a set of test sequences that together exercise every transition of the subautomaton. The trailing part of a test sequence is taken from a set Z , which is a characterization set for a grid subautomaton of Impl, meaning that for every pair of non-bisimilar grid states, Z contains a sequence that distinguishes between them.
Definition 8.30. Let p be a state of A, q a state of B, and σ a test sequence for A and B. σ distinguishes p from q if outcome_A(σ, p) ≠ outcome_B(σ, q). If Z is a set of test sequences for A and B, we write p ≈_Z q to mean that no test sequence in Z distinguishes p from q.
The ability to always bring the machine back to its initial state (a reset) is used. In the timed case it is not reasonable to consider the reset an instantaneous operation: typically, some time elapses between the moment the machine is requested to go to its initial state and the moment at which the reset operation has been completed. However, it is not difficult to prove that the maximal time that can elapse between the occurrence of a reset action and the time at which the initial state is reached is always less than the number of regions of A.
Then, the test suite is defined for a given TIOA as follows.
Definition 8.31. Let A be a TIOA and n ∈ N. Let P be a transition cover for G(A, n) and Z a characterization set for the TIOA model of the IUT. The test suite for A generated from P and Z with grid size n is defined by
i.e. the concatenation of the transition cover, the characterization set and the reset time.
Definition 8.32. A state of a TIOA is quiescent if each execution fragment starting in that state that contains an output action also contains an input action.
Algorithm 13 is the testing algorithm that applies each test case from the test suite to an implementation (the proof of correctness is given in [SVD01]). This algorithm is restricted to TIOAs with a quiescent initial state, where the machine waits for stimulus from its environment before producing any output. The algorithm results in a huge number of sequences; therefore it cannot be claimed to be of practical value in itself. Rather, the major contribution here is the TIOA model and the demonstration that an algorithm to derive a (complete) test suite does exist. Moreover, there are ways to reduce the number of tests and to make the time delays within the tests manageable [SVD01].
Algorithm 13 Test Generation
Testing Networks of UPPAAL Timed Automata
Cardell-Oliver [CO00] presents a test generation method for networks of deterministic timed automata on a dense time base. Timed automata are extended with persistent data variables and are allowed to have silent transitions. Test generation is based on test views that partition events into visible (relevant) and hidden events according to a certain test purpose. By only testing for visible events the size of the resulting test suite can be reduced. The work presented is a generalization of previous work by Cardell-Oliver and Glover [COG98] that was applicable only for specifications with a discrete clock model.
Model
For model specification, UPPAAL timed automata [LPY97] are adopted. UPPAAL timed automata (UTA) extend Alur and Dill's model of timed automata with (integer) data variables. With UTA, networks of deterministic timed automata can be specified. This allows for closed-world specifications of systems, i.e. the behavior of a system's environment can be specified explicitly. Synchronization between components takes place by complementary actions of automata, i.e. by the simultaneous occurrence of an output event a! and an input event a?, with a ∈ Σ. Each automaton A_i can use a set of integer variables Var_i that is a subset of a set of global integer variables Var. Guards on transitions are extended to apply to both clocks and data variables.
Definition 8.33. A UPPAAL timed automaton A is a tuple (S, s_0, Σ, C, Inv, E), where
• S is a finite set of locations
• s_0 is the initial location
• Σ = I ∪ O ∪ {τ} is a finite set of actions, partitioned into input actions, output actions, and the silent action
• C is a finite set of (real-valued) clocks
Transitions (s, a, ϕ, r, s') ∈ E are denoted by s −(a, ϕ, r)→ s', where a is the action to be performed, ϕ the guard of the transition, and r a set of assignments for clocks and data variables. Clock variables can be reset to an integer constant l ∈ Z ∪ {−1}. A reset to −1 denotes turning off the corresponding clock variable. Data variables can be reset to integer expressions of the form v := k * v + k', where v ∈ Var_{A_i} and k, k' ∈ Z. R is used to denote the set of all possible reset operations.
Remark 8.34. The definition of UTA mainly follows the one presented by Bengtsson et al. [BLL + 95] . The definition given here omits urgent synchronization but includes silent transitions as well as location invariants.
For testing purposes, clock constraints in guards and invariants are required to be closed (< and > are not allowed), and the domains of clocks and data variables are required to be finite. The environment can be specified analogously (cf. Figure 8.9).
The definition of the semantics of UPPAAL timed automata is based on timed transition systems with an uncountable set of states. 
Since specifications of real-time systems in UPPAAL are generally networks of automata, an LTS M has to be constructed for parallel compositions of UTA. The set P = {p_1, . . . , p_n} contains the names of all components that are part of the specification, with p_i being the name of the component specified by the automaton A_i. The set of channels usable for synchronization is given by
States of M are pairs (s, ν), where s is a vector holding the current control locations for each component (automaton) and ν maps each clock to a value in the time domain as well as each data variable to an integer value.
Transition labels of M are either delays d ∈ R_{≥0} or event triples (p_i, a, r), with p_i being the name of the automaton executing an action a, which can be either a silent action or an output action (which implies the occurrence of a complementary input action of another automaton). An action a leads to the execution of a set of resets r that contains resets for clocks, variables, and locations. Location resets explicitly denote a change of location of a component, which results in an update of the corresponding element in s. The set of all possible reset statements is given by R ⊆ 2 i R A i ∪R
For a variable assignment ν and a delay d, ν ⊕ d denotes the variable assignment after d. ⊕ models the time-insensitivity of all data variables and that all enabled clocks progress at the same rate:
Silent transitions result in the change of location of one component. Corresponding transitions in M express this change by replacing the i-th element of the location vector s by a new location s'_{A_i} and applying the resets r to ν. Synchronizations between two components involve two location transitions, one for the sender A_i and one for the receiver A_j. Consequently, the i-th and the j-th element of s have to be replaced with s'_{A_i} and s'_{A_j} respectively, and the union of the transition resets r_i ∪ r_j has to be applied to ν. An alternative to the use of a location vector would be to include, for every component p_i, a special variable loc_i holding the current location of the corresponding process into the set Var. States could then be defined as
Example. The possible behavior of the Light Switch specified by A_sw in the environment A_en is given by a TTS M_s = (Q, L, −→, q_0), where
(Resets for locations of the environment are omitted since A_en has only one location.)
For testing we constrain the time domain to [0, 8]. Note that due to the dense time domain, M_s has infinitely many states and infinitely many transitions (cf. Figure 8.10).
Digitization
Timed transition systems are not directly amenable to testing. Besides their infiniteness, TTS traces include some traces that cannot be observed, e.g. delays that are not followed by visible events. Furthermore, observable TTS traces do not contain sufficient information to distinguish between input and output events.
A testable timed transition system is a TTS but also a (deterministic)
In the TTTS all a ∈ Ch \ Ch' are replaced by τ. The reset set is reduced to contain only resets for elements of s with p ∈ P', for variables v ∈ Var', and for clocks c ∈ C'. All states with equal values for visible variables are considered to belong to the same visible equivalence class (for q = (s, ν) and q' = (s', ν')). Subsequently, the TTTS has to be re-transformed into a deterministic transition system, since omitting events may have introduced non-determinism. Note that normalization is not allowed to remove cycles of silent actions. At least one of the actions on such a cycle has to be made visible, i.e. the test view V has to be changed, to get a proper TTTS.
Let us now assume a test view V = (P', Var', C', Ch'), where P' = {p_en}, Var' = Var = ∅, C' = C = {c}, and Ch' = Ch = {on, off}. Since P' ⊂ P does not contain the name of the switch component p_sw, valuations and resets of the locations of the Switch become invisible. By using this view and applying normalization, the set of states can be reduced to contain only 3 states. We get the TTTS Spec = (Q, L, −→, q_0), where
Testing
The conformance relation for testable timed transition systems is trace equivalence. Formally, Conf(Spec) =def {S | traces(Spec) = traces(S)}. A test suite for a TTTS Spec consists of one test case for every transition in Spec. A test case essentially consists of three parts. The first part reaches the source state of the transition. Secondly, the transition is executed. The third part has to verify that the execution of the transition has resulted in the target state specified by Spec, i.e. it is a state verification sequence.
The use of test views dramatically simplifies the search for these separating sequences. With classical FSM testing techniques (without data variables and test views) each state needs to be distinguished from every other state in the automaton (cf. Chapter 4). Since the normalization of the TTTS ensures that Spec is minimal and contains only visible events, we know exactly in which state we are after the execution of a certain trace (except for states that are in the same visible equivalence class). Hence, the third part of a transition test only needs to distinguish the target state of the transition under test from the other states in its visible equivalence class. A unique separating sequence need not exist for each such state (cf. Chapter 3), since the traces of one state may be included in the traces of another state. To distinguish these states, the separating sequences are paired with oracles that state whether the final event of the trace shall be observed.
Note that even if Impl is deterministic, from the tester's perspective it does not behave deterministically, because events produced by the implementation may occur at different points in time. Since the tester has no way to control when output events of the SUT will eventually occur, every possible trace has to be considered both for reaching a state and for distinguishing a state. One of all possible reach traces, or separating traces respectively, has to be chosen on the fly during execution of the test, depending on the actual occurrence of an output event. If there is a trace that does not depend on the choices of the SUT, we only need to consider this one for testing.
The conformance test algorithm (cf. Algorithm 14) takes a TTTS Spec, constructed using a view V, as input and produces a finite set of traces, each accompanied by an oracle (yes/no) for observing its final event.
Algorithm 14 TTTS Conformance Test Algorithm
Previous work allowed implementations to have extra states [COG98]. Now it is claimed that "the assumption of a bounded, small number of extra states is not appropriate for real-time systems" [CO00], because minor changes to a timed automaton specification can result in a very large change in the size of its TTTS.
Definition 8.38. Real-Time Faults for TTTS: Impl ∈ NonConf(Spec) if and only if
• Impl has no more states than Spec, and
• Impl has a single transition fault, or Impl can be transformed to Spec by a sequence of single transition faults.
It can be shown that for a TTTS specification Spec, the test suite Test(Spec) generated by the TTTS test generation algorithm detects any Impl ∈ NonConf(Spec) [CO00]. If the implementation satisfies the test hypotheses, then all tests for Spec will be passed by the implementation if and only if the implementation is trace equivalent to Spec.
(2) Distinguish states in the same visible equivalence class: Since q_0 is not a destination state of any transition, we do not need to distinguish between q_0 and q_1, although both are in the same visible equivalence class. q_2 has no other state in its visible equivalence class. Therefore, all distinguishing traces are trivial, i.e. { }.
(3) Pair traces with oracles.
• diff(q_1, q_1) = { * yes}
• diff(q_2, q_2) = { * yes}
(4) Compose tests for every transition.
• testfor(t_1) = (0, inp, on, {c := 0}) * yes
• . . .
• testfor(t_10) = (0, inp, on, {c := 0}) · (1, inp, on, {c := 0}) * yes
• . . .
• testfor(t_15) = (0, inp, on, {c := 0}) · (5, out, off, {c := -1}) * yes
• testfor(t_16) = (0, inp, on, {c := 0}) · (5, out, off, {c := -1}) · (0, inp, on, {c := 0}) * yes
Since the tester has control over the event on, we can choose one trace out of all possible reach() traces for each state, although the states may be reached by different traces. If on were under control of the SUT, we would have to include all possible reach() traces for the corresponding states. Furthermore, if we allowed off events to occur between a lower and an upper time bound, we would have to include all possible traces containing an off event into the corresponding reach sets. Note that transitions with yes oracles may be included in longer transitions, e.g. testfor(t_16) subsumes testfor(t_1) and testfor(t_15).
Summary
All three approaches use timed automata with a dense time model for testing real-time systems. All need to partition the uncountable state space of the semantics of (networks of) timed automata into a finite number of states considered equivalent.
Nielsen and Skou use coarse-grained domains [NS03]. A fully automatic method for the generation of real-time test sequences from a subclass of timed automata called event-recording automata is proposed. The technique is based on the symbolic analysis of timed automata inspired by the UPPAAL model checker. Test sequences are selected by covering a coarse equivalence class partitioning of the state space. They argue that the approach provides a heuristic that guarantees that a well-defined set of interesting scenarios in the specification has been automatically, completely, and systematically explored.
Springintveld, Vaandrager and D'Argenio proved that exhaustive testing with respect to bisimulation of deterministic timed automata with a dense time interpretation is theoretically possible [SVD01]. Testing of timed systems is described as a variant of the bounded time-domain automaton (TA). The TA describing the specification is transformed into a region automaton, which in turn is transformed into another finite state automaton, referred to as a Grid Automaton. Test sequences are then generated from the Grid Automaton. The idea behind the construction of the Grid Automaton is to represent each clock region by a finite set of clock valuations, referred to as the representatives of the clock region. However, although exact, their grid method is impractical because it generates "an astronomically large number of test sequences" [SVD01].
Cardell-Oliver presents a testing method for networks of deterministic timed automata extended with integer data variables [CO00]. Trace equivalence is checked only for the parts of a system that are visibly observable. In addition to the usual time discretization, test views are used to discriminate between states depending on a test purpose. Test views partition variables and events into visible and hidden ones. Equivalence on visible clocks and variables induces an equivalence relation on states. States that are evidently different, i.e. that are in different visible equivalence classes, need not be distinguished from each other. This significantly reduces the length of test suites.
In practice, the time resources used for test case generation and execution should be as small as possible and test coverage as high as possible. This general need for effectiveness becomes even more evident in real-time testing. Exhaustive testing becomes infeasible for any system of considerable size. Some approaches for testing real-time systems (cf. Chapter 13) gain practicability by dropping formal rigor. However, safety-critical systems require justified confidence in their behavior. Making timed-automata-based testing applicable to systems of realistic size remains to be done.
