We present a generalization of the classical theory of testing for Mealy machines to a setting of dense real-time systems. A model of timed I/O automata is introduced, inspired by the timed automaton model of Alur and Dill, together with a notion of test sequence for this model. Our main contribution is a test suite derivation algorithm for black-box conformance testing of timed I/O automata. It is based on reducing the original specification into an appropriate discrete model which contains enough information to completely represent the dense time model. The test suite is then obtained from the discrete model. Although the method results in a test suite of high exponential size and cannot be claimed to be of practical value, it gives the first algorithm that yields a finite and complete set of tests for dense real-time systems.
Introduction
It is widely recognized that testing is an essential component of the life cycle of computer systems [Som96]. Black-box testing is the approach to testing which relies on the specification of the system under test to derive test cases. It makes it possible to define the notion of a conformance relation linking the system to the specification, and the notion of a verdict associated to the application of a test case. In general, testing can only demonstrate the presence, not the absence, of system faults. However, if we have reason to believe that the system behaves according to some (unknown) formal model within a given (known) finite class of formal models, then it is in some cases possible to generate a finite and complete set of test cases (the test suite) and use it to demonstrate the absence of system faults under the assumption that our belief is correct. This assumption is usually referred to as the test hypothesis [Tre92]. The last two decades have witnessed a lot of research activity in the area of (black-box) conformance testing. Especially for the class of finite state models, many algorithms to derive test suites have been devised, which have been used successfully for the validation of hardware circuits and communication [Koh78, Cho78, CVI89, ADLU91, Hol91]. So far, however, little work has been done to incorporate timing aspects [CL97, MMM95, CG98]. An important reason for this has no doubt been the lack of a suitable model for timed systems.
Recently, Alur and Dill [AD94] have proposed the model of timed automata, which is an extension of the finite automaton model with clock variables and simple constraints over clocks and states. The timed automata model and its variants have been used quite successfully for verification purposes and form the basis for several model-checking tools [AK96, LPY97, DOTY96, HH95]. Although the algorithms involved are theoretically of high complexity, analysis of non-trivial timed systems turns out to be feasible, as is witnessed by several case studies [BGK+96, DKRT97, DY95, HWT95].
This article is a first step towards a theory of testing for timed automata. We propose a model of timed I/O automata, which borrows ideas from both Alur and Dill's model and from the timed I/O automata of Lynch et al. [SGSL98]. Apart from supporting the automatic generation of timed tests, our model allows a loose coupling of inputs and outputs, unlike the usual Mealy style finite state machines where inputs and outputs occur simultaneously in a single transition. A similar (even more flexible) modeling of inputs and outputs is presented in [Tre96b, Tre96a, FJJV96], but this approach does not deal with time.
We provide a method to derive a complete test suite in the style of well-known finite state machine based methods (see, e.g., [Cho78, CVI89, ADLU91]). The main problem involved is that in general the state space of a timed automaton is (uncountably) infinite. To obtain a finite test suite, a discretization of the state space is required which is still sufficiently refined to detect all possible errors.
To the best of our knowledge, this article proposes the first algorithm that (albeit under some strong assumptions) yields a finite and complete test suite for (dense) real-time systems. Even though the method results in a test suite of high exponential size and cannot be claimed to be of practical value, we believe that the concepts and techniques developed in this article will allow for more practical algorithms. We have not yet been able to provide lower bounds on the size of complete test suites for timed systems. We do give an example that shows that for timed systems very small time steps have to be considered, resulting in large test suites. In any case, we will sketch several possible optimizations to substantiate the belief that our approach can be turned into practice, at least in more restrictive settings. Furthermore, we hope that our approach may also support incomplete but practically useful methods for testing timed systems such as those in [CL97, MMM95].
The organization of this article is as follows. In Section 2, we present the model of timed I/O automata. This model requires a new, timed notion of distinguishing sequence, which is the subject of Section 3. In Section 4 we present the basic definitions and theorems for the discretization of state spaces. These are employed in Section 5, where we present an algorithm for test generation and a proof of its correctness. Finally, in Section 6 we discuss several options to obtain more practical algorithms. An appendix lists some notational conventions.
Timed I/O Automata
In this section we present the model of timed I/O automata, which borrows ideas from both Alur and Dill's model [AD94] and from the timed I/O automata of Lynch et al. [SGSL98]. Our model is defined in several steps.
After recalling some basic definitions, mainly to fix notation, we present the bounded time domain automata model from [SV96], which is a variant of the model of Alur and Dill [AD94]. Roughly speaking, a bounded time domain automaton is a finite (untimed) automaton together with a timing annotation. This timing annotation extends the automaton with a finite set of clocks and functions that allow one to express, for each transition, under what timing conditions the transition may be taken, what the updated clock values will be, and under what timing conditions one may idle in each state. Thereafter, timed I/O automata are defined as bounded time domain automata together with a partitioning of the set of actions into input and output actions. We impose certain restrictions on the model to ensure 'testability' of the model. The definitions are illustrated in Example 2.7. Example 2.8 shows how timed I/O automata can be viewed naturally as a generalization of the classical Mealy machines.
Preliminaries
Let R denote the set of reals, R ≥0 the set of nonnegative reals, R >0 the set of positive reals, and R ∞ the set of reals together with the single element ∞. We extend the standard partial ordering ≤ and addition operator + over R to R ∞ in the usual way: for every t ∈ R ∞ , t ≤ ∞ and t + ∞ = ∞ + t = ∞. Let Z denote the set of integers, Z ∞ the set Z ∪ {∞}, and N the set of nonnegative integers. For t ∈ R, ⌊t⌋ denotes the largest number in Z that is not greater than t, and ⌈t⌉ denotes the smallest number in Z that is not smaller than t. With fract(t) we denote the fractional part of t (so fract(t) = t − ⌊t⌋).
Concatenation of a finite sequence with a finite or infinite sequence is denoted by juxtaposition; ε denotes the empty sequence and the sequence containing a single element a is simply denoted a. If σ is a nonempty sequence then first(σ) returns the first element of σ. Moreover, if σ is finite, then last(σ) returns the last element of σ. If σ is a sequence and X is a set, then σ⌈X denotes the sequence obtained by projecting σ on X. If V is a set of finite sequences, W a set of sequences, and σ a finite sequence, then σW = {στ | τ ∈ W} and VW = ⋃_{σ∈V} σW. For X a set of symbols, we define X^0 = {ε} and, for i > 0,
Labeled Transition Systems
For technical reasons, our definition of a labeled transition system is slightly different from the standard one in which a transition is a triple of a state, an action and a state. According to our definition there can be multiple transitions with the same action label between any given pair of states.
Definition 2.1. A labeled transition system (LTS) is a rooted, edge-labeled multigraph. Formally, an LTS is a structure A = (Q, E, Σ, src, act, trg, q 0 ), where Q is a set of states, E a set of transitions, Σ a set of actions, functions src : E → Q, act : E → Σ and trg : E → Q associate to each transition a source, action and target, respectively, and q 0 ∈ Q is the initial state. We write Q A , E A , etc., for the components of an LTS A, but often omit subscripts when they are clear from the context. Also, we write δ : q a → q ′ if δ is a transition with src(δ) = q, act(δ) = a and trg(δ) = q ′ . With q a → q ′ we denote that δ : q a → q ′ for some δ.
An LTS A is lean if each transition is fully determined by its source, action and target, i.e.,
and deterministic if it satisfies the stronger property
We say that A is a finite automaton if both Q and E are finite. An execution fragment of a lean LTS A is a finite or infinite alternating sequence q_0 a_1 q_1 a_2 q_2 · · · of states and actions of A, beginning with a state, and if it is finite also ending with a state, such that for all i > 0, q_{i−1} --a_i--> q_i. An execution of A is an execution fragment that begins with the initial state of A. A state q of A is reachable if it is the last state of some finite execution of A. For γ = q_0 a_1 q_1 a_2 q_2 · · · an execution fragment of A, trace(γ) is defined as the sequence a_1 a_2 · · ·. We write q --σ--> q′ if A has a finite execution fragment γ with first(γ) = q, last(γ) = q′, and trace(γ) = σ. We say that σ is a trace of q, and write q --σ-->, if there exists a q′ such that q --σ--> q′. Moreover, σ is a trace of A if it is a trace of the initial state of A. We write traces*(q) for the set of traces of q. We say that σ is a distinguishing trace of q and q′ if either it is a trace of q but not of q′, or the other way around.
The main equivalence relation between LTS's that we consider in this paper is bisimulation equivalence: according to our definition in Section 5 an Implementation Under Test (IUT) conforms to a specification Spec iff certain associated LTS's are bisimilar. However, as a consequence of the fact that these LTS's are deterministic, the reader may equally well think of conformance in terms of trace equivalence, and view bisimulations as a convenient characterization of trace equivalence.
States q, q ′ of A are bisimilar, notation q ≃ A q ′ , if there exists a bisimulation R on A with R(q, q ′ ). States q, q ′ of LTS's A and A ′ , respectively, are bisimilar, notation A, A ′ : q ≃ q ′ , if there exists a bisimulation R on the disjoint union of A and A ′ (with arbitrary initial state) that relates q to q ′ . LTS's A and
It is well known that if A is deterministic, for all states q, q ′ of A, A : q ≃ q ′ iff traces * (q) = traces * (q ′ ). As a consequence, two deterministic LTS's A and A ′ are bisimilar iff they have the same sets of traces.
Bounded Time Domain Automata
In this subsection we recall the bounded time domain automata model from [SV96], which is a variant of the timed automata model of Alur and Dill [AD94]. In the Alur-Dill model clocks range over R_{≥0}, and the only assignments that are allowed are clock resets of the form x := 0. This is in contrast to the BTDA model, where the domain dom(x) of a clock x is the union of a bounded interval and the singleton {∞}. Intuitively, the value of x is only relevant when contained in the interval: beyond the upper bound of the interval one only knows that the value of x is "large". The BTDA model also allows for more general assignments of the form x := n or x := y + n, for x and y clocks and n ∈ Z_∞. As shown in [SV96], the BTDA model is essentially equivalent to the Alur-Dill model but often allows for more compact representations of timed systems. Also, it turns out that the use of ∞ simplifies the technical development in the rest of this paper.
Below we first define the auxiliary concepts of clocks and constraints, before proceeding to the definition of BTDA's and their operational semantics.
Clocks and Constraints
A clock is a variable x with a domain dom(x ) of the form J ∪{∞}, where J is an interval over R with infimum and supremum in Z. Let C be a finite set of clocks. We write intv (x )
A term over C is an expression generated by the grammar e ::= x | n | e + n, where x is a clock in C and n ∈ Z ∞ . We denote the set of all such terms by T (C). A constraint over C is a Boolean combination ϕ of inequalities of the form e ≤ e ′ or e < e ′ with e, e ′ ∈ T (C). We denote the set of all such formulas by F (C). The Boolean constants T and F, denoting truth and falsehood, respectively, as well as equations of the form x = n are definable by constraints. In fact, for each term e and each interval J with integer bounds, the predicate e ∈ J can be expressed as a constraint. A (simultaneous) assignment over C is a function µ from C to T (C). We denote the set of all such assignments by M (C), and (for instance) write x := 5 for the assignment µ with µ(x) = 5.
A clock valuation over C is a map v that assigns to each clock x ∈ C a value in its domain. With V (C) we denote the set of clock valuations over C. In the obvious way, a clock valuation v is lifted to a function v that takes a term and returns a value. We say that v satisfies ϕ, notation v |= ϕ, if ϕ evaluates to true under valuation v. A constraint ϕ is satisfiable if there is a valuation
The hull of ϕ is the set of clock valuations v that satisfy, for all
The interior of ϕ is the set of all valuations that satisfy ϕ but are not in its hull. So if a clock valuation v is in the hull of ϕ, then any non-zero increment of the value of clocks under v will violate ϕ. For each constraint ϕ, let hull (ϕ) be a constraint such that, for all v, v |= hull (ϕ) iff v is in the hull of ϕ. Similarly, let interior (ϕ) be a constraint such that, for all v, v |= interior (ϕ) iff v is in the interior of ϕ. It is not hard to see that such constraints always exist and can be effectively computed. For example, hull (x ≤ 5) = (x = 5), hull (x < 5) = F, and interior (x ≤ 5) = (x < 5) = interior (x < 5).
BTDA's and Their Operational Semantics
A bounded time domain automaton is a finite automaton together with some annotations to restrict real-time behavior. To start with, a set of clocks is associated with the automaton. Each clock gets an initial value, and when time advances with an amount d, the value of all clocks is incremented uniformly (according to ⊕) with d. To each state we associate an invariant; we require that the automaton may only reside in a state as long as the invariant remains true. In addition, a clock constraint is associated to each transition; we require that a transition may be taken only if the current valuation of the clocks satisfies this constraint. When a transition occurs, the clock values are updated according to a given assignment. We require that in the new state each clock again takes a value in its domain. All this is formalized in the two following definitions.
Definition 2.3.
A timing annotation for an automaton A is a tuple T = (C, Inv , G, A, v 0 ), where
• C is a finite set of clocks.
• Inv : Q → F (C ) associates an invariant to each state.
• G : E → F (C) associates a guard to each transition.
• A : E → M(C) associates an assignment to each transition. We require that, for each δ ∈ E, the constraint Inv(src(δ)) ∧ G(δ) ⇒ ⋀_{x∈C} (A(δ)(x) ∈ dom(x)) holds.
• v 0 ∈ V (C) is the initial valuation. We require that v 0 |= Inv (q 0 ) and, for all
A bounded time domain automaton (BTDA) is a pair B = (A, T ), where A is a finite automaton with Σ A ∩ R >0 = ∅, and T is a timing annotation for A. We write Q B , E B , C B , etc., for the components of A and T .
Definition 2.4. The operational semantics OS(B) of a BTDA B is the lean LTS A which, up to identity of transitions, is specified by
and → A is the smallest predicate that satisfies the following two rules, for all (q, v),
The actions in R >0 are referred to as time delays. In order not to confuse the states of a BTDA with those of its operational semantics, we will refer to the states of a BTDA B as locations. We will use q, .. to range over locations, and r, s, .. to range over the states of the operational semantics OS(B). We write S B for the set of states of OS(B), and s 
Timed I/O Automata
In this subsection, we define the model of timed I/O automata (TIOA's) as an extension of the BTDA model in which the actions are partitioned into input and output actions. We impose some restrictions in order to ensure "testability" of the model. Intuitively (a formal definition will be presented in Section 3), an experiment or test sequence for a TIOA is a finite sequence of delays and input actions that can be applied to the TIOA. In order to fully test a TIOA by test sequences the TIOA should be controllable in the sense that it should be possible for an environment to drive a TIOA through all of its transitions. An obvious prerequisite for controllability is that a TIOA is deterministic. However this is not enough. We also need to require that a TIOA has isolated outputs: for each state, if an output is enabled then no other input or output transition is enabled. In this way we exclude that a TIOA can autonomously choose between performing different outputs, or between performing an output and accepting an input.
Since input actions are under control of the environment of a TIOA, a TIOA should always accept inputs. Traditionally [LT87, SGSL98], this leads to the requirement that every input is enabled in every state. This, however, is in conflict with the condition of isolated outputs. We therefore impose a slightly weaker input enabling condition: each input is enabled only in the interior of the invariant of each location. This means that inputs are enabled as long as time can progress. Since inputs and outputs are mutually exclusive, this ensures that a TIOA cannot choose to pass over output actions by letting time pass. Together, the conditions of determinism, isolated outputs and input enabling ensure that a TIOA is controllable.
According to our definitions, there are BTDA's in which from some (or even all) states no outgoing execution fragment exists in which the sum of the time delays diverges. It may for instance occur that a state has no outgoing transition at all ("time deadlock"), or that there is an infinite sequence of consecutive output actions without any time delays in between ("Zeno behavior"). Since (we believe) these behaviors cannot occur in the real world and we need to exclude them in order to develop our testing approach, we demand as a final requirement that a TIOA is progressive: from each state there should be an outgoing execution fragment containing no input actions in which the sum of the time delays diverges. Progressiveness implies that in each state on the hull of an invariant an output action is enabled. Moreover, after a finite number of consecutive output actions time will be allowed to advance and, consequently, input actions will be enabled again. As a result, a TIOA can never preempt input actions indefinitely by performing output actions. So although within our model input actions are not enabled in every state, they are accepted at every time instant.
Definition 2.5.
A timed I/O automaton (TIOA) is a pair M = (B, P), where B is a BTDA and P = (I, O) is a partitioning of Σ B in input actions and output actions. We require that the following properties hold, for all δ, δ ′ ∈ E, q ∈ Q, and i ∈ I:
where from(q, i)
(Progressiveness) For every state of OS(B) there exists an infinite execution fragment that starts in this state, contains no input actions, and in which the sum of the delays diverges.
, for the components of B and P. The operational semantics OS(M) of M is just the operational semantics of the contained BTDA B. Moreover, we write M ≃ M ′ whenever OS(M) ≃ OS(M ′ ).
The following lemma, which is a direct corollary of the definitions, gives four basic properties of the operational semantics of a timed I/O automaton.
Lemma 2.6. Let M be a TIOA. Then
3. Each state of OS(M) has either (a) a single outgoing transition labeled with an output action, or (b) both outgoing delay transitions and outgoing input transitions (one for each input action), but no outgoing output transitions. States of type (b) are called stable.
4. For each state s ∈ S M , there exists a unique finite sequence of output actions σ and a unique stable state
Example 2.7. Consider the automaton represented in Figure 1. It denotes a switch that can be turned on at any time and switches off automatically 5 time units after the last time it has been turned on.
The switch can be described formally as a TIOA M = (B, P), where B = (A, T ) is a BTDA, in the following way. First, the finite automaton A = (Q, E, Σ, src, act, trg, q 0 ) is given by
Secondly, the timing annotation T = (C, Inv , G, A, v 0 ) is given by
Thirdly, the partitioning P = (I, O) consists of I = {on} and O = {off }. It is not difficult to check that M is indeed a TIOA. In location l 0 clock x is not used; therefore x has been given the value ∞. The value of x becomes relevant as soon as the input action on occurs and the transition to location l 1 is made. After this transition, the input action on is enabled in the interior of Inv(l 1 ). Recall that hull (x ≤ 5) = (x = 5) and interior (x ≤ 5) = (x < 5). As soon as 5 time units have passed after the last on action, the hull of the invariant is reached, time cannot advance any longer, and the switch automaton performs its output action off to return to its initial state.
Example 2.8.
Timed I/O automata form a natural generalization of the classical Mealy machines [Koh78]. Recall that a Mealy machine is a tuple F = (I, O, Q, δ, λ, q_0), where I, O, Q are finite, nonempty sets of inputs, outputs, and states, respectively,
• λ : I × Q → O is the output function, and
• q 0 is the initial state.
To a Mealy machine F we associate a timed I/O automaton M with locations Q ∪ (I × Q), inputs I, outputs O, and initial location q 0 . For each state q ∈ Q and input action i ∈ I, we introduce a pair of transitions
We equip M with a single clock x with domain {0, ∞}. In order to model that Mealy machines accept inputs at any time, a constraint x = ∞ is associated to each location q ∈ Q and to each input transition q i → (i, q). To capture the intuition that in a Mealy machine each input is immediately followed by an output, a constraint x = 0 is associated to each location (i, q) ∈ I × Q and to each output transition (i, q) o → q ′ . Finally, to make M into a proper TIOA, we assign ∞ as initial value to x, annotate each input transition with an assignment x := 0, and each output transition with an assignment x := ∞.
Besides the above translation from Mealy machines to TIOA's, many other possible translations exist. The TIOA model allows one to express, for instance, that some amount of time may elapse in between an input and the subsequent output. In this case one has to specify what happens if another input arrives before the output is produced. One possibility here is to jump to a newly added error state, but one may also decide to ignore such an input.
Experiments
We view timed I/O automata as machines on which one can do experiments. An experiment or test sequence for a TIOA M is a finite sequence of delays and input actions of M. We denote the set of all experiments for M by Exp_M. An experiment σ can be applied to the machine M starting from any state s. The application of σ to M in s uniquely determines a finite, maximal execution fragment in OS(M). The existence of such an execution fragment is guaranteed by the properties that we demand of TIOA's. For black box testing, one is only interested in the observable behavior induced by the execution, that is, actions and passage of time, but not states. For instance, if the experiment on 6, which may be read as "press input on and observe the system during 6 units of time", is applied to the initial state of Example 2.7, it determines a unique execution whose observable behavior is the trace on 5 off 1, that is, "after pressing input on and waiting for 5 time units, the switch turns off automatically; in the next unit of time nothing happens".
In the following we formally define what it means to perform an experiment, and we prove that an experiment induces a unique execution fragment. The outcome of performing an experiment on M is described in terms of an auxiliary labeled transition system E M .
Definition 3.1. The experiment LTS E_M is the lean LTS with Exp_M × S_M as its set of states, Σ_M as its set of actions, (ε, s^0_M) as its (arbitrarily chosen) initial state, and a transition relation → that is inductively defined as the least relation satisfying the following four rules, for all s, s
The following theorem basically says that for each experiment and each state there is a unique corresponding finite execution fragment in the experiment automaton.
Proof. Part (1) follows directly from the definition of E_M together with Lemma 2.6. Part (2) is proved by contradiction. Suppose that β is an infinite execution fragment of E_M. Because experiments have finite length, transitions of type (2) and type (3) reduce the length of the experiment, and the two other types of transitions leave the length of the experiment unchanged, β has an (infinite) suffix β′ that contains no transitions of type (2) or type (3). If we project all states in β′ on their second component, then we obtain an infinite execution fragment γ of the LTS OS(M) that contains no input actions, and in which the sum of the delays converges. Let s be the first state of γ. Since M is progressive, OS(M) has an infinite execution fragment γ′ that starts in s, that contains no input actions, and in which the sum of the delays diverges. Let
Inductively, we construct a monotonic function f : N → N that satisfies, for all i ∈ N, the following two properties:
For the induction base, we define f (0) = 0. Since both γ and γ ′ start with s, we have s 0 = s = s ′ f (0) . Now suppose that f has been defined for all j ≤ k and s k = s ′ f (k) . In order to define f (k + 1) we distinguish between two cases.
2. a_{k+1} is a delay. Then the transition s_k --a_{k+1}--> s_{k+1} originates from a transition of type (4) in E_M. This implies that a_{k+1} is the maximal delay transition that is enabled in s_k. Using the fact that γ′ diverges and Lemma 2.6, we can infer that there exists an index m > f(k) such that all actions a
As we said, for black box testing, one is only interested in observable behavior, not in states. We define outcome M (σ, s), the outcome of experiment σ in state s of M, as the trace of the execution fragment that is induced by performing the experiment:
In this way, the outcome of the previous experiment is outcome M (σ, (l 0 , x= ∞)) = on 5 off 1.
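As an added illustration (not code from the paper), the following Python models the switch of Example 2.7 and applies experiments to it following the four rule types referred to in the proof of Theorem 3.2: an enabled output is taken first, then the input or delay at the head of the experiment, with a delay that exceeds the distance to the hull of the invariant split there. The interval encoding of invariants, the guard and assignment representation, and taking x = ∞ as the invariant of l_0 are assumptions of this example.

```python
from fractions import Fraction
from math import inf
from typing import Callable, Dict, List, Tuple, Union

INF = inf                                    # the element ∞ of R∞
Valuation = Dict[str, Union[Fraction, float]]
Action = Union[str, Fraction]                # input/output name or a positive delay

# An edge is (source, action, guard, assignment, target). Guards are predicates on
# valuations; assignments map clocks to constants, which covers x := n and x := ∞.
Edge = Tuple[str, str, Callable[[Valuation], bool], Dict[str, Union[Fraction, float]], str]


class TIOA:
    """A timed I/O automaton (Definition 2.5). Invariants are given per location as
    closed intervals [lo, hi] per clock; (INF, INF) encodes x = ∞ and an unconstrained
    clock is simply absent. This interval form is an assumption of this example."""

    def __init__(self, inputs, outputs, inv, edges: List[Edge], init):
        self.inputs, self.outputs = set(inputs), set(outputs)
        self.inv = inv            # location -> {clock: (lo, hi)}
        self.edges = edges
        self.init = init          # (location, valuation)

    def max_delay(self, loc, v):
        """Largest d with v ⊕ d |= Inv(loc): the distance to the hull of the invariant."""
        bound = INF
        for x, (lo, hi) in self.inv[loc].items():
            if not (lo <= v[x] <= hi):
                raise RuntimeError(f"invariant of {loc} violated for {x}={v[x]}")
            if v[x] != INF:
                bound = min(bound, hi - v[x])
        return bound

    def enabled(self, loc, v, act):
        return [e for e in self.edges if e[0] == loc and e[1] == act and e[2](v)]

    def fire(self, edge, v):
        """Take a transition: apply its assignment and move to its target location."""
        new_v = dict(v)
        new_v.update(edge[3])
        return edge[4], new_v

    def outcome(self, experiment, state=None):
        """Apply an experiment (Definition 3.1) and return the observable trace."""
        loc, v = state if state is not None else self.init
        exp = [a if isinstance(a, str) else Fraction(a) for a in experiment]
        trace: List[Action] = []
        while True:
            # Rule (1): an enabled output is taken before anything else (isolated outputs).
            outs = [e for e in self.edges if e[0] == loc and e[1] in self.outputs and e[2](v)]
            if len(outs) > 1:
                raise RuntimeError("isolated-outputs condition violated")
            if outs:
                loc, v = self.fire(outs[0], v)
                trace.append(outs[0][1])
                continue
            if not exp:
                return trace                         # stable state, experiment exhausted
            head = exp[0]
            if isinstance(head, str):                # Rule (2): input action at the head
                ins = self.enabled(loc, v, head)
                if not ins:
                    raise RuntimeError("input-enabling condition violated")
                loc, v = self.fire(ins[0], v)
                trace.append(head)
                exp.pop(0)
            else:                                    # Rules (3)/(4): delay at the head
                m = self.max_delay(loc, v)
                if m == 0:
                    raise RuntimeError("time deadlock: automaton is not progressive")
                d = min(head, m)                     # (3) whole delay, (4) up to the hull
                v = {x: t + d for x, t in v.items()}
                trace.append(d)
                if head <= m:
                    exp.pop(0)
                else:
                    exp[0] = head - m                # remainder stays in the experiment


# The switch of Example 2.7: 'on' resets x, 'off' fires on the hull x = 5 of Inv(l1).
_T = lambda v: True
SWITCH = TIOA(
    inputs={"on"}, outputs={"off"},
    inv={"l0": {"x": (INF, INF)}, "l1": {"x": (0, 5)}},
    edges=[
        ("l0", "on", _T, {"x": Fraction(0)}, "l1"),
        ("l1", "on", lambda v: v["x"] < 5, {"x": Fraction(0)}, "l1"),   # interior of x <= 5
        ("l1", "off", lambda v: v["x"] == 5, {"x": INF}, "l0"),         # hull of x <= 5
    ],
    init=("l0", {"x": INF}),
)

if __name__ == "__main__":
    print(SWITCH.outcome(["on", 6]))          # ['on', 5, 'off', 1]
    print(SWITCH.outcome(["on", 5, "on"]))    # ['on', 5, 'off', 'on']: off preempts on
```

The third run shows the point of the input-enabling condition: at x = 5 time cannot advance, so the output off is produced before the pending input is accepted.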
We end this section with a small lemma stating that each trace σ that leads from a given state s to a stable state s ′ can be retrieved as the outcome of the experiment obtained by projecting σ on input actions and delays.
Proof. Let γ be the unique execution fragment of OS(M) with first(γ) = s, last(γ) = s′, and trace(γ) = σ. By induction on the number n of transitions in γ we prove exec_M(σ′, s) = γ. Suppose n = 0. Then s = s′ = γ and σ = σ′ = ε. Since s is stable, state (ε, s) of E_M has no outgoing transitions. Thus exec_M(σ′, s) = s = γ. For the induction step, suppose that n > 0. Let s --a--> s′′ be the first transition of γ, and let γ′ be the unique execution fragment satisfying γ = s a γ′. We distinguish between two cases:
1. a is an output action. Then, by rule (1),
2. a is an input or delay action. Then σ ′ is of the form a σ ′′ . Hence, by application of rule (2) or rule (3), respectively, E M contains a transition (σ ′ , s)
Now the result follows since outcome_M(σ′, s) = trace(exec_M(σ′, s)) = trace(γ) = σ.
Discretization of the State Space
Even though our experiments are very simple, the set Exp M of experiments for a given TIOA M is uncountably large, due to the possible occurrence of real numbers within experiments. Also the LTS OS(M), which gives the operational behavior of M, is a highly infinite object. It is thus unclear how we should select a finite collection of tests if we want to establish that an IUT conforms to a specification M. Fortunately however, the technical results of this section will enable us to restrict attention to a finite subautomaton of OS(M) which contains enough information to characterize OS(M) itself. We call it a grid automaton. In fact, for each pair M, M ′ of TIOA's, we can effectively find two grid automata such that M is bisimilar to M ′ iff the grid automata are bisimilar. In this way, whenever we want to establish that some black box conforms to the original TIOA specification, we can restrict attention to their grid automata. Using the fact that, in the context of deterministic machines, bisimulation coincides with trace equivalence, checking bisimulation reduces to the application of an appropriate set of experiments. The grid automata can be fully and effectively explored by a finite number of experiments in Exp M , using standard techniques for testing finite automata.
Regions
Our construction of a finite subautomaton uses the fundamental concept of a region, due to Alur & Dill [AD94]. The key idea behind the definition of a region is that, even though the number of states of an LTS OS(M) is infinite, not all of these states are distinguishable via constraints. If two states corresponding to the same location agree on the integral parts of all the clock values, and also on the ordering of the fractional parts of all the clocks, then these two states cannot be distinguished by constraints.
Definition 4.1. The equivalence relation ∼ = over the set V (C) of valuations of a set C of clocks is given by: v ∼ = v ′ iff, for all x, y ∈ C,
A region is an equivalence class of valuations induced by ∼ =.
The equivalence relation ∼ = on the clock valuations of a TIOA M is lifted to an equivalence relation ∼ = on S M by defining
A region of M is an equivalence class of states induced by ∼ =. Similarly, for M 1 and M 2 TIOA's with clocks C 1 and C 2 , respectively, the equivalence relation ∼ = on V (C 1 ∪ C 2 ) (w.l.o.g. we assume that C 1 and C 2 are disjoint) is lifted to an equivalence relation ∼ = on S M1 × S M2 by defining
A region of M 1 and M 2 is an equivalence class of pairs of states induced by ∼ =. Note that (r 1 , r 2 ) ∼ = (s 1 , s 2 ) implies r 1 ∼ = s 1 ∧ r 2 ∼ = s 2 , but that the converse implication does not hold in general.
Alur & Dill [AD94] show that for a set of clocks C the number of regions of V(C) is bounded by |C|! · 2^{|C|} · ∏_{x∈C} (2c_x + 2), where for each clock x, c_x denotes the length of the domain interval intv(x). This means that also the number of regions of a TIOA is (in the worst case) exponential in the number of clocks. In practice the use of invariants may keep the number of regions small. The switch TIOA of Example 2.7 has 12 regions, and the TIOA associated to a Mealy machine in Example 2.8 has |Q| · (|I| + 1) regions.
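An added example (not from the paper) that computes the region of a valuation from the description given above, agreement on integral parts and on the ordering of fractional parts, with clocks at ∞ treated as their own class, and counts the regions of a TIOA by sampling valuations on a grid of step 1/(|C|+1), which is fine enough to realise every ordering of fractional parts. The interval form of invariants and the invariant x = ∞ for l_0 of the switch are assumptions; with them the code reproduces the 12 regions of the switch and the |Q| · (|I| + 1) count for the Mealy translation of Example 2.8.

```python
import itertools
from fractions import Fraction
from math import floor, inf

INF = inf   # the element ∞ of R∞


def region_key(v):
    """Canonical representative of the ∼= class of valuation v: per clock either ∞ or
    (integral part, fractional part is zero), plus the ordering of the fractional parts
    of the finite clocks, grouped where they coincide."""
    per_clock, finite = {}, []
    for x, t in v.items():
        if t == INF:
            per_clock[x] = "inf"
        else:
            fr = t - floor(t)
            per_clock[x] = (floor(t), fr == 0)
            finite.append((fr, x))
    finite.sort()
    ordering, last = [], None
    for fr, x in finite:
        if ordering and fr == last:
            ordering[-1].append(x)          # same fractional part: same group
        else:
            ordering.append([x])
            last = fr
    return (tuple(sorted(per_clock.items())), tuple(tuple(g) for g in ordering))


def equivalent(v, w):
    """v ∼= w iff the two valuations lie in the same region."""
    return region_key(v) == region_key(w)


def regions_of(domains, inv):
    """Enumerate the regions (location, region of valuation) of a TIOA whose clock
    domains are intv(x) ∪ {∞} and whose invariants are closed intervals per clock.
    Every region contains a valuation whose fractional parts are multiples of
    1/(|C|+1), so sampling that grid visits each region at least once."""
    clocks = sorted(domains)
    step = Fraction(1, len(clocks) + 1)
    grids = []
    for x in clocks:
        lo, hi = domains[x]
        finite_values = [lo + k * step for k in range(int((hi - lo) / step) + 1)]
        grids.append(finite_values + [INF])
    seen = set()
    for loc, constraint in inv.items():
        for combo in itertools.product(*grids):
            v = dict(zip(clocks, combo))
            if all(lo <= v[x] <= hi for x, (lo, hi) in constraint.items()):
                seen.add((loc, region_key(v)))
    return seen


# Constructed inputs: the switch of Example 2.7 (x ranges over [0,5] ∪ {∞}) and the
# TIOA obtained from a two-state, two-input Mealy machine as in Example 2.8, where the
# single clock has domain {0, ∞} and invariants x = ∞ on Q and x = 0 on I × Q.
SWITCH_DOMAINS = {"x": (0, 5)}
SWITCH_INV = {"l0": {"x": (INF, INF)}, "l1": {"x": (0, 5)}}

MEALY_DOMAINS = {"x": (0, 0)}
MEALY_INV = {q: {"x": (INF, INF)} for q in ("qa", "qb")}
MEALY_INV.update({(i, q): {"x": (0, 0)} for i in ("i0", "i1") for q in ("qa", "qb")})

if __name__ == "__main__":
    print(len(regions_of(SWITCH_DOMAINS, SWITCH_INV)))   # 12
    print(len(regions_of(MEALY_DOMAINS, MEALY_INV)))     # 6 = |Q| * (|I| + 1)
```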
Uniform mappings
The concept of a uniform mapping was introduced by Cerāns [Cer92b, Cer92a]. Uniform mappings provide a convenient characterization of regions. They play a central role in Cerāns' proof that bisimulation equivalence is decidable for timed automata, and are also used heavily in this section.
Definition 4.3. A continuous mapping
1. ρ is strongly monotone (so t > u implies ρ(t) > ρ(u)), 2. ρ(0) = 0, 3. ρ(t + n) = ρ(t) + n, for every real number t and integer n.
A uniform mapping ρ is extended in a homomorphic manner to any structure containing elements of R_∞. In particular, for any clock valuation v, ρ(v) is the valuation that maps each clock x to ρ(v(x)).
Note that conditions 1, 2 and 3 in Definition 4.3 together imply that ρ(n) = n for all n ∈ Z_∞. Below we rephrase the basic results of Cerāns [Cer92b, Cer92a] about uniform mappings in our setting. We first need five technical lemmas to prepare for the main results of this subsection, which say that uniform mappings "preserve" the transition relation. The proofs of Lemmas 4.4, 4.6 and 4.7 follow easily from the definitions. The proofs of Lemmas 4.5 and 4.8 are somewhat more tricky, and therefore outlines are included below.
Proof (of Lemma 4.5). "⇐" Routine checking. Use the observation that, for each uniform mapping ρ, the inverse mapping ρ^{−1} is defined and is also uniform. "⇒" Let C = {x_1, …, x_n}. We order the clocks according to the value of their fractional part in v, placing the clocks with value ∞ to the right: let (i_1, …, i_n) be a permutation of (1, …, n) such that, for all 1 ≤ j < k ≤ n,
′ and the definition of region equivalence it follows that properties (1) and (2) also hold if we replace each occurrence of v by v ′ . Using the properties of region equivalence, we infer that there exists a continuous, strongly monotone function ρ ′ : [0, 1) → [0, 1) with ρ ′ (0) = 0 and, for all j with v(
. We extend ρ ′ to a uniform mapping ρ with the required property by defining ρ(∞) = ∞ and, for t ∈ R, ρ(t)
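The region signature of Definition 4.1 and the uniform-mapping construction just outlined can be made concrete. The following Python is an added example written for this page, not code from the paper. It assumes that the clauses of Definition 4.1 (missing above) are the usual Alur-Dill conditions, takes every clock over a domain [0, c] ∪ {∞}, and represents clock values as exact fractions; `region_key`, `count_regions`, `region_bound`, `uniform_mapping` and `apply_mapping` are names chosen here.

```python
from fractions import Fraction as F
from itertools import product
from math import factorial, floor, inf


def frac(t):
    """Fractional part of a finite clock value (exact, since values are Fractions)."""
    return t - floor(t)


def region_key(v):
    """Canonical signature of the region of valuation v (dict clock -> Fraction or inf).

    Assumption: Definition 4.1 has the usual Alur-Dill clauses, so two valuations are
    equivalent iff every clock has the same integral part (or is inf in both), the same
    clocks have fractional part 0, and the non-zero fractional parts are ordered the
    same way, ties included.
    """
    finite = {x: t for x, t in v.items() if t != inf}
    ints = tuple(sorted((x, floor(t)) for x, t in finite.items()))
    infs = tuple(sorted(x for x, t in v.items() if t == inf))
    zeros = tuple(sorted(x for x, t in finite.items() if frac(t) == 0))
    groups = {}                                   # fractional part -> clocks having it
    for x, t in finite.items():
        if frac(t) != 0:
            groups.setdefault(frac(t), []).append(x)
    order = tuple(tuple(sorted(groups[f])) for f in sorted(groups))
    return ints, infs, zeros, order


def region_equivalent(v, w):
    return region_key(v) == region_key(w)


def region_bound(num_clocks, c):
    """Alur-Dill bound |C|! * 2^|C| * prod(2 c_x + 2) with c_x = c for every clock."""
    return factorial(num_clocks) * 2 ** num_clocks * (2 * c + 2) ** num_clocks


def count_regions(num_clocks, c, n):
    """Number of regions hit by valuations with every clock in (G_n ∩ [0, c]) ∪ {∞}."""
    values = [F(k, 2 ** n) for k in range(c * 2 ** n + 1)] + [inf]
    clocks = [f"x{i}" for i in range(num_clocks)]
    keys = {region_key(dict(zip(clocks, vals))) for vals in product(values, repeat=num_clocks)}
    return len(keys)


def uniform_mapping(v, w):
    """Uniform mapping rho with rho(v) = w, built as in the "=>" half of the proof of
    Lemma 4.5: sort the clocks by fractional part, send each fractional part of v to the
    matching one of w by linear interpolation on [0, 1), then extend to all of R by
    rho(t) = floor(t) + rho'(frac(t)) and rho(inf) = inf.  Requires v ~= w."""
    if not region_equivalent(v, w):
        raise ValueError("v and w lie in different regions")
    knots = sorted({(frac(t), frac(w[x])) for x, t in v.items() if t != inf and frac(t) != 0})
    knots = [(F(0), F(0))] + knots + [(F(1), F(1))]   # strictly increasing in both coordinates

    def rho_frac(u):                                 # piecewise-linear bijection of [0, 1)
        for (a, b), (c, d) in zip(knots, knots[1:]):
            if a <= u < c:
                return b + (d - b) * (u - a) / (c - a)
        raise ValueError(u)

    def rho(t):
        if t == inf:
            return inf
        return floor(t) + rho_frac(frac(t))

    return rho


def apply_mapping(rho, v):
    """rho lifted to a valuation: the clock-wise application described in Section 4."""
    return {x: rho(t) for x, t in v.items()}
```

Because the knots are strictly increasing in both coordinates, the mapping returned by `uniform_mapping` is continuous, strictly monotone, satisfies ρ(t + n) = ρ(t) + n, and its inverse is obtained by swapping the coordinates of the knots; that inverse is exactly what the "⇐" direction of Lemma 4.5 relies on. `count_regions(2, 1, 3)` enumerates the 18 regions of two clocks over [0, 1] ∪ {∞}, comfortably below the bound 128 from `region_bound(2, 1)`.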
Lemma 4.6. ρ(v)(e) = ρ(v(e)).
Lemma 4.7. Whenever ρ is a uniform mapping then for every d ∈ R ≥0 the mapping ρ d , defined
∞ , is also uniform.
² Cerāns [Cer92b, Cer92a] does not require uniform mappings to be continuous, as he should have, since his proof of Lemma 3.7 in [Cer92b] (which coincides with Lemma 11.7 in [Cer92a]) uses the property that a uniform mapping has an inverse that is also uniform.
Proof (of Lemma 4.8).
1. Assume x is a clock with
2. Assume x is a clock with v(x) + d ∈ intv (x ). In this case
. Using the uniformity of ρ and ρ^{−1}, we derive, for any integer n and ⊲ ∈ {<, ≤, >, ≥},
Since intv (x ) has integer bounds, the claim follows from the combination of the derived inequalities.
The lemma now follows from (1), (2), (3) and the definition of ⊕.
The next two lemmas, which are the main results about uniform mappings, assert that uniform mappings "preserve" transitions between states.
Proof. Assume that x is a clock. Then we derive, using the assumptions, definitions and Lemma 4.6,
This means that w ′ = w • A(δ). Combining this fact with δ : q a → q ′ and w |= G(δ), we may now conclude that (q, w)
We must prove that (q, w)
. By Lemma 4.8, (Lemma 4.7) , uniform mappings preserve regions (Lemma 4.5), and regions preserve constraints (Lemma 4.2),
Inv (q), it follows that (q, w)
Grid Automata
After the preparatory subsections on regions and uniform mappings, we can now state and prove the key theorems that allow us to restrict to finite subautomata when testing infinite timed transition systems. These subautomata will only contain states in which each clock value is either ∞ or in the grid set G_n, i.e., the set of integer multiples of 2^{−n}, for some sufficiently large natural number n.
For t a real number, let ⌊t⌋_n denote the largest number in G_n that is not greater than t, and let ⌈t⌉_n denote the smallest number in G_n that is not smaller than t. Write [t]_n for (⌊t⌋_n + ⌈t⌉_n)/2 (note that [t]_n ∈ G_{n+1}). For M a TIOA, write S^n_M for the set of states (q, v) ∈ S_M such that, for each clock x, v(x) ∈ G_n ∪ {∞}. The two small technical lemmas below are easy to prove.
Lemma 4.12. Let ρ be a uniform mapping, u ∈ R and n ∈ N. Then there exists a uniform mapping ρ′ such that, for all t ∈ R,
The next theorem is an important step towards the discretization of state spaces. It asserts that whenever we have a distinguishing trace of length m for two states in S^n_M, we can "massage" this trace into a trace in which all delay actions are in the grid set G_{n+m}.
and s′ ∈ S^n_{M′}, and let σ = a_1 a_2 ··· a_m be a distinguishing trace for r and r′. Then there exists a distinguishing trace τ = b_1 b_2 ··· b_m for s and s′ such that, for all j ∈ [1, …, m], if a_j is an input or output action then b_j = a_j, and if a_j is a delay action then b_j ∈ G_{n+j} with ⌊a_j⌋ ≤ b_j ≤ ⌈a_j⌉.
Proof.
Without loss of generality we may assume that r has the trace σ, r′ does not, a_m is an output action, and r′ has the trace σ′ = a_1 a_2 ··· a_{m−1}. Let r_0 a_1 r_1 a_2 r_2 ··· r_{m−1} a_m r_m be the unique execution fragment of M with r = r_0 and trace σ, and let r
To start with, define s_0 = s and s
there exists, by Lemma 4.5, a uniform mapping ρ 0 with ρ 0 (r 0 , r
We distinguish between two cases:
• a j+1 is an input or output action. Then define 
• a_{j+1} = d is a delay action. By Lemma 4.12 there exists a uniform mapping ρ such that ρ(r_j, r
Theorem 4.13 allows us to "massage" each distinguishing trace into one in which all delay actions lie in a grid set, but there is a dependence between the length of the trace and the granularity of the grid: the longer the trace, the finer the grid. This is because the distinguishing power of a trace σ for two states r and r′ depends entirely on the regions traversed when σ is applied to r and r′, respectively. In certain cases even a tiny delay in σ may move the system into a new region, as the next example shows.
Example 4.14. Consider the family of TIOA's defined as follows. For each n ∈ N we define the TIOA M_n with input action in and output action out. It has two clocks x and y, both with domain [0, 1] ∪ {∞}. The set of locations is {q_j | 0 ≤ j ≤ n} ∪ {p}, where q_n is the initial location and the initial valuation v_0 sets all clocks to 0. The transitions are annotated as follows:
Finally, the invariant is defined by Inv(q_j) = (y ≤ 1) for all j, and Inv(p) = T. Figure 2 depicts the automaton M_n. Clearly, if m < n, the TIOA M_m is simply the TIOA M_n with its initial location changed to q_m (up to removal of unreachable locations).
The TIOA M_n has the property that if within 1 time unit at most n inputs have occurred, all at different non-zero time points, an output action is generated at time 1. If more inputs arrive in this interval, or the system is fed two inputs at the same point in time, no output is generated. This property follows from the following observations. Suppose that the system M_n has just arrived at a location q_j, 0 < j ≤ n. Then it is in the region (q_j, x = 0 < y < 1) if 0 < j < n, or in (q_n, x = y = 0) if j = n. In either region, the input in takes the system to location p and hence prevents the occurrence of the output out. Otherwise, by waiting a little while, the system moves to the successor region (q_j, 0 < x < y < 1) (respectively, (q_n, 0 < x = y < 1)). From there, the input action takes the system to the next location q_{j−1}, more precisely to the region (q_{j−1}, x = 0 < y < 1), and the output action remains enabled. Notice that, while the system is at location q_0, performing an "extra" in also disables the occurrence of out.
It is easy to check that M n and M m behave differently for n and m different. Yet in order to observe this difference a grid size of at most
In order to obtain a grid size that is fine enough to distinguish all pairs of different states, we need to establish an upper bound on the length of minimal distinguishing traces. This is done in the following theorem.
Proof (of Theorem 4.15). Since r and s are not bisimilar, there exists a trace that distinguishes the two states. In fact, it is easy to see that there exists a distinguishing trace that ends with an output action. Among the distinguishing traces that end with an output action, let σ be one of minimal length. Assume that this length is greater than the number of regions of S_M × S_{M′}. We derive a contradiction.
Assume, without loss of generality, that σ is a trace of r but not of s. Let
β = r_0 a_1 r_1 a_2 ··· a_{n−1} r_{n−1} a_n r_n and γ = s_0 a_1 s_1 a_2 ··· a_{n−1} s_{n−1}
be the (uniquely determined) execution fragments of M and M′, respectively, with r = r_0, s = s_0 and σ = a_1 ··· a_n. Since n is greater than the number of regions of S_M × S_{M′}, there exist indices 0 ≤ i < j < n such that (r_i, s_i) ≅ (r_j, s_j). By Lemma 4.5, there exists a uniform mapping ρ such that ρ(r_j, s_j) = (r_i, s_i). Repeated application of Lemmas 4.9 and 4.10 now allows us to construct a distinguishing trace for r_i and s_i of length n − j that ends with an output action. But this means that there also exists a distinguishing trace for r and s of length n + i − j that ends with an output action. Contradiction.
The upper bound on the length of distinguishing traces of Theorem 4.15 is of course astronomic in general. In specific cases one can often give a much more reasonable bound. For instance, any pair of distinct states of the switch TIOA of Example 2.7 can be distinguished by a trace of length one (just wait long enough). In Example 2.8, any pair of inequivalent states of the TIOA associated to a Mealy machine can be distinguished by a trace of length less than 2·|Q|. (The factor 2 arises because each transition of the Mealy machine has been split into an input part and an output part.) For each M_n in Example 4.14, any pair of different states can be distinguished by a trace of length at most 2n+1: n input actions interleaved with n+1 appropriate delays.
For each TIOA M and natural number n, we define the grid automaton G(M, n) as the subautomaton of OS(M) in which each clock value is in the set G_n ∪ {∞} and the only delay action is 2^{−n}. Note that since in the initial state of OS(M) all clocks take values in Z_∞, it is always a state of G(M, n). Also observe that, since G(M, n) is lean and has a finite number of states and actions, G(M, n) is a finite automaton.
Definition 4.16. Let M be a TIOA and let n ∈ N. The grid automaton G(M, n) is the lean LTS A given by
Example 4.17. The reader is invited to check that the picture of Figure 3 is the grid automaton G(M_1, 1), where M_1 is the TIOA from Example 4.14. To shorten notation, each state (q, v) has been denoted by (q, v(x), v(y)).
Corollary 4.18. Let M and M′ be TIOA's with the same input actions, and let n be greater than or equal to the number of regions of S_M × S_{M′}. Then M ≃ M′ iff G(M, n) ≃ G(M′, n).
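The grid automaton G(M_1, 1) of Example 4.17 can be computed rather than drawn. The Python below is an added example, not code from the paper. Since the transition table of Example 4.14 is missing from the text above, the guards of M_n are reconstructed from the prose description of its behaviour and are to be read as assumptions (in particular, `out` is assumed to lead to the sink location p); `tick`, `successors`, `grid_automaton`, `on_grid` and `has_trace` are names chosen here. `grid_automaton` explores only the states reachable from the initial state with the single delay 2^{−n}, which is the subautomaton a test sequence with that delay can visit.

```python
from collections import deque
from fractions import Fraction as F
from math import inf

DOMAIN_MAX = 1  # both clocks of M_n range over [0, 1] ∪ {∞}


def tick(t, d):
    """Let a clock advance by d; a value leaving the domain interval becomes ∞ (the ⊕ of Section 4)."""
    if t == inf:
        return inf
    return t + d if t + d <= DOMAIN_MAX else inf


def invariant(loc, v):
    """Inv(q_j) = (y ≤ 1) and Inv(p) = T, as in Example 4.14."""
    return True if loc == "p" else v[1] <= 1


def successors(loc, v, step):
    """Transitions of M_n enabled in state (loc, v) when the only delay is `step`.

    Assumption (the transition table is not in the text): `in` at a non-zero x moves
    from q_j to q_{j-1} and resets x; `in` at x = 0, or any `in` in q_0, moves to the
    sink p; `out` is enabled at y = 1 and is assumed to move to p as well.
    """
    x, y = v
    result = []
    nv = (tick(x, step), tick(y, step))
    if invariant(loc, nv):
        result.append((str(step), (loc, nv)))
    if loc != "p":
        j = int(loc[1:])
        if j > 0 and x > 0:
            result.append(("in", (f"q{j - 1}", (F(0), y))))
        else:
            result.append(("in", ("p", v)))
        if y == 1:
            result.append(("out", ("p", v)))
    return result


def grid_automaton(n_inputs, n):
    """Reachable part of G(M_{n_inputs}, n): clock values in G_n ∪ {∞}, delay 2^-n only."""
    step = F(1, 2 ** n)
    init = (f"q{n_inputs}", (F(0), F(0)))
    states, trans, queue = {init}, [], deque([init])
    while queue:
        s = queue.popleft()
        for a, t in successors(s[0], s[1], step):
            trans.append((s, a, t))
            if t not in states:
                states.add(t)
                queue.append(t)
    return init, states, trans


def on_grid(state, n):
    """Every clock of the state is ∞ or an integer multiple of 2^-n."""
    return all(t == inf or (t * 2 ** n).denominator == 1 for t in state[1])


def has_trace(init, trans, seq):
    """Does the (deterministic) grid automaton have the given trace from init?"""
    nxt = {(s, a): t for s, a, t in trans}
    s = init
    for a in seq:
        if (s, a) not in nxt:
            return False
        s = nxt[(s, a)]
    return True
```

For M_1 with grid 1 the exploration yields 15 states and 21 transitions, six of them in the q-locations and the rest in the sink p, where the clocks run past their domain to ∞ and the automaton settles into a self-loop. The trace 1/2 · in · 1/2 · out exists in G(M_1, 1) but not in G(M_0, 1): the input at time 1/2 is "at a different non-zero time point", so M_1 still produces out at time 1, whereas for M_0 it is the extra input that kills the output.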
We have now reduced the problem of deciding bisimulation equivalence of TIOA's to the problem of deciding bisimulation equivalence of two finite subautomata of the (uncountably infinite) operational semantics of these TIOA's. The main implication of this result for conformance testing of TIOA's is that in the testing process we only need to explore finite subautomata, which can be done effectively in finite time. Before we address this issue in Section 5, we prove as the final result of this section that if one applies a test sequence in which the only delay action is 2^{−n} to a TIOA M, the resulting execution is fully contained in the grid automaton G(M, n). This result (which is not entirely trivial) makes it possible to fully explore the grid subautomaton of a TIOA during the testing process. We need two small technical lemmas.
Proof (of Lemma 4.20).
Assume that s does not enable an output action. Then, by Lemma 2.6.3, s enables a delay action. However, as a consequence of Wang's additivity axiom (Lemma 2.6.2), all delay actions that are enabled in s are less than 2^{−n}. Using Lemmas 2.6.2 and 2.6.3 once more, we infer that there exists a delay 0 < d < 2^{−n}, a state s′ = (q′, v′), and an output action o such that
→. Clearly, in s′ none of the clocks has a value in G_n. However, s
. By Lemma 4.19, this means that at least one clock has an integer value in v ′ . Contradiction.
For M a TIOA and n ∈ N, write Exp^n_M for the set of test sequences of M in which all delays are equal to 2^{−n}.
Proof. By straightforward induction on the length of exec_M(σ, s). Use Lemma 4.20 to prove that rule (4) in Definition 3.1 can never be applied.
Deriving and Applying a Test Suite
Based on the results of Section 4, we introduce a test suite for testing a timed implementation under test (IUT) for conformance with respect to a specification TIOA Spec. To prove that the test suite is indeed correct and complete relative to certain assumptions about the choice of parameters, we give in Figure 4 a simple test algorithm that applies each test case from the test suite to an implementation. Theorem 5.7 states that the algorithm is indeed correct. Our notion of conformance is as follows. We assume that the behavior of the IUT is accurately modeled by a TIOA Impl. Then the IUT conforms to the specification Spec if Impl is bisimilar to Spec. Note that we do not take, as is often done, isomorphism between implementation and specification as the conformance relation, because we do not assume timed automata or their grid automata to be minimal.
Our method of building test suites is similar to Chow's classical algorithm for finite state Mealy machines [Cho78] . A test suite consists of a finite set of test sequences which should be applied to the implementation. Each sequence consists of the concatenation of two sequences. The initial part of a test sequence is taken from a transition cover P for a grid subautomaton of Spec, i.e., a set of test sequences that together exercise every transition of the subautomaton.
Definition 5.1. Let M be a TIOA, n ∈ N, A = G(M, n). A transition cover for A is a finite collection P ⊆ Exp^n_M of test sequences such that ε ∈ P and, for all transitions s −a→ s′ of A with s reachable (within A) and stable, P contains test sequences σ and σa such that s
The trailing part of a test sequence is taken from a set Z, which is a characterization set for a grid subautomaton of Impl , meaning that for every pair of non-bisimilar grid states, Z contains a sequence that distinguishes between them.
is also quiescent in its initial state, since in location q_0 only input actions are enabled. In contrast, the TIOA's M_n from Example 4.14 are not quiescent in their initial state, since within 1 time unit the output action out is generated without any previous stimulus from the environment.
Definition 5.4. A state of a TIOA is quiescent if each outgoing execution fragment from that state that contains an output action also contains an input action.
Now, we are in a position to formally define what a test suite for a given TIOA is.
Definition 5.5. Let M be a TIOA and n ∈ N. Let P be a transition cover for G(M, n) and Z a characterization set for the TIOA model of the IUT. The test suite for M generated from P and Z with grid size n is defined by test.suite(M, n, P, Z) = P · Z,
where concatenation of sets of sequences is as defined in Section 2.1.
Figure 4 presents an algorithm that applies a test suite generated by our test method to an implementation. To prove its correctness, for appropriate values of its parameters, we need one more auxiliary lemma.
Lemma 5.6. Let M be a TIOA, n ∈ N, and let m be greater than or equal to the number of states of G(M, n). Let Z = X^{m−1}, where X = I_M ∪ {2^{−n}}. Then Z is a characterization set for G(M, n).
Proof. We prove that, for all states s, s
Like Chow, we need to give correct estimates of the size of the state spaces involved in order to obtain correctness of our method. Since, in general, the operational semantics of a TIOA has uncountably many states and transitions, measuring the state space of a TIOA gives no meaningful estimate. Instead, we give estimates in terms of the number of regions of the product TIOA and the size of a grid subautomaton of the implementation.
The implications of the following theorem are twofold. It states that (a) the set test.suite(M, n, P, X^{m−1}) is a complete test suite for appropriate m and n, and (b) the algorithm of Figure 4, when it takes such a test suite as input, is correct in the sense that it returns PASS if and only if the IUT conforms to the given TIOA specification.
Theorem 5.7. Let IUT and Spec be as in the algorithm of Figure 4. Assume that the behavior of IUT is accurately modeled by a TIOA Impl with reset action reset, reset time max, a quiescent initial state, and the same input and output actions as Spec. Assume that n is greater than or equal to the number of regions of S_Impl × S_Spec, and that m is greater than or equal to the number of states of G(Impl, n).
Then the algorithm of Figure 4 , when provided with these inputs, returns PASS iff Spec ≃ Impl .
Proof. The "if" part is straightforward. As to the "only if" part, suppose that the algorithm returns PASS. By Corollary 4.18 it suffices to prove G(Spec, n) ≃ G(Impl, n). Let P and X be defined as in the description of the algorithm. Define Z = X^{m−1}. Since IUT is accurately modeled by Impl, which has reset action reset and a quiescent initial state, and because the algorithm returns PASS, it follows that, for all σ ∈ P and τ ∈ Z, outcome_Spec(στ, s^0_Spec) = outcome_Impl(στ, s^0_Impl). Let R be the relation between states given by
Note that s R r implies s ≈_Z r. Write A = G(Impl, n). We claim that the relation R′ = R • ≃_A is a bisimulation between G(Spec, n) and G(Impl, n).
Since ε ∈ P and ε ∈ Z, we obtain outcome_Spec(ε, s
The other transfer property can be proved similarly.
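Definition 5.1, Lemma 5.6 and the loop of Figure 4 (not reproduced above) fit together as follows. The Python below is an added example, not the paper's code. It works on finite grid automata given as dictionaries, takes the outcome of a test to be the recorded sequence of applied actions and observed outputs, with outputs firing as soon as they are enabled and a refused action ending the test (an assumption, since Definition 3.1 is not in the text), and restarts from the initial state before every test in place of the reset action. The three automata `SPEC`, `IMPL_BAD` and `IMPL_SNEAKY` are constructed samples; the last one shows why the estimate m matters: with m = 3 its fault lies beyond every test in P · X^{m−1}, with m = 7 (its actual number of states) the suite finds it.

```python
from collections import deque
from itertools import product

# Action alphabets of the sample grid automata: one input, the single grid delay
# (standing for 2^-n) and one output.
INPUTS = ("in",)
DELAY = "d"
OUTPUTS = ("out",)
X = INPUTS + (DELAY,)


def stable(lts, s):
    """A state is stable when it enables no output (Definition 5.1 covers only such states)."""
    return not any(a in OUTPUTS for a in lts[s])


def run(lts, init, seq, max_outputs=1000):
    """Apply a sequence of inputs/delays from `init` (i.e. after a reset).

    Assumed outcome semantics: an enabled output fires before the next test action
    is applied; every fired output and applied action is recorded; a test action that
    is not enabled is recorded as a refusal and ends the test.
    Returns (final state, outcome)."""
    s, outcome = init, []

    def fire_outputs():
        nonlocal s
        for _ in range(max_outputs):
            outs = [a for a in lts[s] if a in OUTPUTS]
            if not outs:
                return
            outcome.append(outs[0])
            s = lts[s][outs[0]]

    fire_outputs()
    for a in seq:
        if a not in lts[s]:
            outcome.append(("refused", a))
            break
        s = lts[s][a]
        outcome.append(a)
        fire_outputs()
    return s, tuple(outcome)


def transition_cover(lts, init):
    """P of Definition 5.1: ε plus, for every reachable stable state s with shortest
    access sequence σ and every input/delay a enabled in s, both σ and σa."""
    start, _ = run(lts, init, ())
    access, queue = {start: ()}, deque([start])
    while queue:
        s = queue.popleft()
        for a in X:
            if a in lts[s]:
                t, _ = run(lts, s, (a,))          # t is stable: pending outputs have fired
                if t not in access:
                    access[t] = access[s] + (a,)
                    queue.append(t)
    cover = {()}
    for s, sigma in access.items():
        cover.add(sigma)
        cover.update(sigma + (a,) for a in X if a in lts[s])
    return cover


def characterization_set(m):
    """Z = X^{m-1}: all input/delay sequences of length at most m-1 (Lemma 5.6)."""
    return {seq for k in range(m) for seq in product(X, repeat=k)}


def build_test_suite(spec, spec_init, m):
    """test.suite(M, n, P, X^{m-1}) = P · Z as a set of action sequences."""
    return {sigma + tau for sigma in transition_cover(spec, spec_init)
            for tau in characterization_set(m)}


def apply_suite(spec, spec_init, impl, impl_init, m):
    """The loop of Figure 4: run every test on both sides, resetting before each, and
    report the first test whose outcomes differ."""
    for test in sorted(build_test_suite(spec, spec_init, m)):
        if run(spec, spec_init, test)[1] != run(impl, impl_init, test)[1]:
            return "FAIL", test
    return "PASS", None


def quiescent(lts, init):
    """Definition 5.4 on a finite automaton: no output reachable from init by delays alone."""
    seen, queue = {init}, deque([init])
    while queue:
        s = queue.popleft()
        if not stable(lts, s):
            return False
        t = lts[s].get(DELAY)
        if t is not None and t not in seen:
            seen.add(t)
            queue.append(t)
    return True


# Constructed samples.  s2 is the only unstable state of SPEC: an output is pending.
SPEC = {
    "s0": {"in": "s1", DELAY: "s0"},
    "s1": {"in": "s1", DELAY: "s2"},
    "s2": {"out": "s0"},
}
# Fault: after the output the implementation is in s1 instead of s0.
IMPL_BAD = {**SPEC, "s2": {"out": "s1"}}
# Fault hidden behind extra states: only after five consecutive inputs does the
# output stop being produced (t4 absorbs delays without ever reaching s2).
IMPL_SNEAKY = {
    "s0": {"in": "s1", DELAY: "s0"},
    "s1": {"in": "t1", DELAY: "s2"},
    "t1": {"in": "t2", DELAY: "s2"},
    "t2": {"in": "t3", DELAY: "s2"},
    "t3": {"in": "t4", DELAY: "s2"},
    "t4": {"in": "t4", DELAY: "t4"},
    "s2": {"out": "s0"},
}
```

With m = 3 the suite has at most four actions per test, so `IMPL_SNEAKY`, which needs five inputs before it misbehaves, passes; raising m to its real state count 7 makes X^{m−1} long enough and the suite reports the failing test. This is the role of the hypothesis "m ≥ number of states of G(Impl, n)" in Theorem 5.7.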
Discussion
The algorithm presented in the previous section results in an astronomically large number of test sequences. On top of that, the time delays that occur in these test sequences are microscopically small. Clearly, our algorithm cannot be claimed to be itself of practical value. Rather, the major contribution of our paper is the TIOA model and the demonstration that an algorithm to derive a (complete!) test suite at least exists. In this section we discuss ways to reduce the number of tests, and to make the time delays within the tests manageable.
We have deliberately tried to impose as few restrictions on the model as possible and, as a consequence, our model is extremely fine-grained. It is for instance possible to model situations where occurrences of an input action at two distinct but arbitrarily close moments (see Example 4.14) lead to completely different behavior. Obviously, much of this subtlety can be sacrificed while retaining a sufficiently expressive model. Finding suitable special cases of our model is therefore an urgent issue. The first two authors are currently preparing a paper on Bounded Response Automata, a special case of TIOA's which appears to be sufficiently expressive for most applications but can nevertheless be fully tested by considering grid subautomata with time steps of size 1. Another possibility in this direction is to obtain more robust versions (in the sense of [GHJ97] ) of our timed I/O automata. Basically, a TIOA is robust if, whenever it accepts a trace, it accepts a "neighboring" trace as well, under some reasonable topology on the set of traces. We hope that a more robust model will yield significantly smaller test sets.
An alternative line of attack is to optimize on the granularity of the grid. In our approach, the granularity of the grid is directly derived from an upper bound on the length of distinguishing traces: the shorter the distinguishing traces, the coarser the grid. So in order for our approach to become practical, it is vital to derive good upper bounds on the length of distinguishing traces. We hope that modifications of algorithms for deciding bisimulation equivalence (such as presented in [Cer92b, Cer92a, WL97] ) can yield such bounds. These algorithms might also be helpful to improve on the construction of distinguishing sequences.
A remarkable property of our method is that, unlike most testing approaches for Mealy machines (with some exceptions, e.g., [PHK95] ), we do not assume minimality of the specification and implementation automata. Nevertheless, for reasons of efficiency it is of course desirable to work with minimal automata. Minimization of timed automata, however, is a non-trivial issue; in particular timed automata in the Alur-Dill model [AD94] (and BTDA's) cannot be minimized in general. To solve this problem, in [SV96] the minimizable timed automata (MTA) model is introduced as an extension of the BTDA model. This model does allow minimization: for every MTA there exists a minimal MTA with bisimilar operational semantics. We hope that by working with minimal timed automata the size of test sets can be further reduced by using, for instance, techniques for discrete time automata, like in [CG98] .
Finally, we expect that our approach may also support incomplete but practically useful methods for testing timed systems, such as those in [CL97, MMM95]. In fact, the grid automaton construction can always be used heuristically. Instead of taking the worst-case grid size right away, one might start with a coarse grid to obtain a small, incomplete set of useful tests; if desired, the grid can then be refined step by step, approaching the required grid size. After all, the grid size we require is extremely fine, and we hope there is room for improvement: we know of no example showing that our bound is tight. Example 4.14 only shows that for general TIOA's the grid size cannot be based on the number of clocks alone; it also suggests that a grid much coarser than our bound may still be adequate.
