

Theoretical Computer Science 254 (2001) 225-257

Theoretical Computer Science

www.elsevier.com/locate/tcs

# Testing timed automata $\stackrel{\text{\tiny{themax}}}{\to}$

Jan Springintveld<sup>a,1</sup>, Frits Vaandrager<sup>a</sup>, Pedro R. D'Argenio<sup>b,\*</sup>

<sup>a</sup> Computing Science Institute, University of Nijmegen, P.O. Box 9010, 6500 GL Nijmegen, The Netherlands

<sup>b</sup> Department of Computer Science, University of Twente, P.O. Box 217, 7500 AE Enschede, The Netherlands

> Received May 1998; revised February 1999 Communicated by M. Nivat

## Abstract

We present a generalization of the classical theory of testing for Mealy machines to a setting of dense real-time systems. A model of *timed* I/O *automata* is introduced, inspired by the timed automaton model of Alur and Dill, together with a notion of test sequence for this model. Our main contributions is a test suite derivation algorithm for black-box conformance testing of timed I/O automata. Black-box testing amounts to checking whether an implementation conforms to a specification of its external behavior, by means of a set of tests derived solely from specification. The main problem is to derive a *finite* set of tests from a possibly infinite, dense time transition system representing the specification. The solution is to reduce the dense time transition system to an appropriate finite discrete subautomaton, the *grid automaton*, which contains enough information to completely represent the specification from a test perspective. Although the method results in a test suite of high exponential size and cannot be claimed to be of practical value, it gives the first algorithm that yields a finite and complete set of tests for dense real-time systems. (© 2001 Elsevier Science B.V. All rights reserved.

*Keywords:* (Black-box) conformance testing; Real-time systems; Timed automata; I/O automata; Bisimulation

# 1. Introduction

It is widely recognized that testing is an essential component of the life cycle of computer systems [29]. One approach to testing is *black-box testing*. In order to derive

0304-3975/01/\$-see front matter © 2001 Elsevier Science B.V. All rights reserved. PII: S0304-3975(99)00134-6

 $<sup>^{\</sup>ddagger}$  Research supported by the Netherlands Organization for Scientific Research (NWO) under contract SION 612-33-006 and by the HCM network EXPRESS.

<sup>\*</sup> Corresponding author.

*E-mail addresses*: springtv@natlab.research.philips.com (J. Springintveld), fvaan@cs.kun.nl (F. Vaandrager), dargenio@cs.utwente.nl (P. R. D'Argenio).

<sup>&</sup>lt;sup>1</sup>Current address: Philips Research Laboratories Eindhoven, Prof. Holstlaan 4, 5656 AA Eindhoven, The Netherlands.

226

test cases, black-box testing relies on the specification of the system that is being tested, the so called *implementation under test*. It permits to define the notion of a *conformance* relation linking the implementation under test to the specification, and the notion of a verdict associated to the application of a test case. Since the implementation under test is a real object, such as a hardware component or a protocol, it is as such not amenable to formalization. However, we may have reasons to believe that the system behaves according to some unkown formal model which belongs to a known finite class of formal models. Under this assumption, which is usually referred to as the test hypothesis [31], it is in some cases possible to generate a finite and complete set of test cases (the *test suite*) and use it to demonstrate the absence of system faults. The last two decades have witnessed a lot of research activity in the area of (black-box) conformance testing. Especially for the class of finite state models, many algorithms to derive test suites have been devised, which have been used successfully for the validation of hardware circuits and communication protocols [23, 11, 10, 1, 22]. So far, however, little work has been done to incorporate timing aspects [12, 26, 7]. An important reason for this has no doubt been the lack of a suitable model for timed systems.

Recently, Alur and Dill [2] have proposed the model of *timed automata*, which is an extension of the finite automaton model with clock variables and simple constraints over clocks and states. The timed automata model and its variants have been used quite successfully for verification purposes and form the basis for several model-checking tools [5, 24, 14, 19]. Although the algorithms involved are theoretically of high complexity, analysis of non-trivial timed systems turns out to be feasible, as is witnessed by several case studies [6, 13, 15, 21].

This article is a first step towards a theory of testing for timed automata. We propose a model of *timed* I/O *automata*, which borrows ideas from both Alur and Dill's model and from the timed I/O automata of Lynch et al. [28]. Apart from supporting the automatic generation of timed tests, our model allows a loose coupling of inputs and outputs, unlike the usual Mealy style finite state machines where inputs and outputs occur simultaneously in a single transition. A similar (even more flexible) modeling of input and outputs is presented in [33, 32, 17], but this approach does not deal with time.

We provide a method to derive a complete test suite in the style of well-known finite state machine based methods (see, e.g., [11, 10, 1]). The main problem involved is that in general the state space of a timed automaton is (uncountably) infinite. To obtain a finite test suite, a discretization of the state space is required. In addition, such a discretization should be sufficiently refined to detect all possible errors. Therefore, we determine the smallest time difference that we need to consider between two states that differ only in the value of the clock variables. To determine it, we use region [2] and uniform mapping [9] techniques. It turns out that it suffices to consider only time steps that are (integer) multiples of the smallest time difference. This time difference can be treated as a discrete, "untimed" transition. It is then straightforward to construct a finite subautomaton of the state space, which we call a *grid* 

*automaton.* Therefore, suitable adaptations of well-known finite state test derivation methods [11, 10, 1] can be applied to the grid automaton. In fact, based on the techniques presented in this article, [16] gives an explicit algorithm for an approximation of the grid automaton. Once the grid automaton is derived, a complete test suite can be derived. To do so, we provide an algorithm which is a generalization of that from [11].

To the best of our knowledge, this article proposes the first algorithm that (albeit under some strong assumptions) yields a finite and complete test suite for (dense) realtime systems. Even though the method results in a test suite of high exponential size and cannot be claimed to be of practical value, we believe that the concepts and techniques developed in this article will allow for more practical algorithms. We have not yet been able to provide lower bounds to the size of complete test suites for timed systems. We do give an example that shows that for timed systems very small time steps have to be considered, resulting in large test suites. In any case, we will sketch several possible optimizations to substantiate the belief that our approach can be more practical, at least in more restrictive settings. Furthermore, we hope that our approach may also support incomplete but practically useful methods for testing timed systems such as in [12, 26].

The organization of this article is as follows. In Section 2, we present the model of timed I/O automata. This model requires a new, timed notion of distinguishing sequence, which is the subject of Section 3. In Section 4 we present the basic definitions and theorems for the discretization of state spaces. These are employed in Section 5, where we present an algorithm for test generation and a proof of its correctness. Finally, in Section 6 we discuss several options to obtain more practical algorithms. An appendix lists some notational conventions.

# 2. Timed I/O automata

In this section we present the model of timed I/O automata. Timed I/O automata are a particular class of timed automata [2, 20] carefully customized to fulfill a set of "testability" constraints similar to those present in the timed I/O automata of Lynch et al. [28], such as a separation between input and output activity, and input enabling. Our model is defined in several steps.

First, we recall some basic definitions in order to fix notation. Afterwards, we present the bounded time domain automata model from [30], which is a varaint of the model of Alur and Dill [2] or, more precisely, from the version of this model proposed by Henzinger et al. [20]. Roughly speaking, a *bounded time domain automaton* is a finite (untimed) automaton together with a timing annotation. This timing annotation extends the automaton with a finite set of clocks and functions that allow one to express, for each transition, under what timing conditions the transition may be taken, what the updated clock values will be, and under what timing conditions one may idle in each state. Thereafter, *timed* I/O *automata* are defined as bounded time domain

automata together with a partitioning of the set of actions into input and output actions. We impose certain restrictions on the model to ensure 'testability' of the model. The definitions are illustrated in Example 9. Example 10 shows how timed I/O automata can be viewed naturally as a generalization of the classical Mealy machines.

## 2.1. Preliminaries

Let  $\mathbb{R}$  denote the set of reals,  $\mathbb{R}^{\geq 0}$  the set of nonnegative reals,  $\mathbb{R}^{>0}$  the set of positive reals, and  $\mathbb{R}^{\infty}$  the set of reals together with the single element  $\infty$ . We extend the standard partial ordering  $\leq$  and addition operator + over  $\mathbb{R}$  to  $\mathbb{R}^{\infty}$  in the usual way: for every  $t \in \mathbb{R}^{\infty}$ ,  $t \leq \infty$  and  $t + \infty = \infty + t = \infty$ . Let  $\mathbb{Z}$  denote the set of integers,  $\mathbb{Z}^{\infty}$  the set  $\mathbb{Z} \cup \{\infty\}$ , and  $\mathbb{N}$  the set of nonnegative integers. For  $t \in \mathbb{R}$ ,  $\lfloor t \rfloor$  denotes the largest number in  $\mathbb{Z}$  that is not greater than t, and  $\lceil t \rceil$  denotes the smallest number in  $\mathbb{Z}$  that is not smaller than t. With fract(t) we denote the fractional part of t (so  $fract(t) = t - \lfloor t \rfloor$ ).

Concatenation of a finite sequence with a finite or infinite sequence is denoted by juxtaposition;  $\varepsilon$  denotes the empty sequence and the sequence containing a single element *a* is simply denoted *a*. If  $\sigma$  is a nonempty sequence then  $first(\sigma)$  returns the first element of  $\sigma$ . Moreover, if  $\sigma$  is finite, then  $last(\sigma)$  returns the last element of  $\sigma$ . If  $\sigma$  is a sequence and *X* is a set, then  $\sigma | X$  denotes the sequence obtained by projecting  $\sigma$  on *X*. If *V* is a set of finite sequences, *W* a set of sequences, and  $\sigma$  a finite sequence, then  $\sigma W = \{\sigma\tau | \tau \in W\}$  and  $VW = \bigcup_{\sigma \in V} \sigma W$ . For *X* a set of symbols, we define  $X^0 = \{\varepsilon\}$  and, for i > 0,  $X^i = X^{i-1} \cup XX^{i-1}$ . As usual,  $X^* = \bigcup_{i \in \mathbb{N}} X^i$ .

## 2.2. Labeled transition systems

For technical reasons, our definition of a labeled transition system is slightly different from the standard one in which a transition is a triple of a state, an action and a state. According to our definition there can be multiple transitions with the same action label between any given pair of states.

**Definition 1.** A *labeled transition system* (LTS) is a rooted, edge-labeled multigraph. Formally, an LTS is a structure  $\mathscr{A} = (Q, E, \Sigma, \operatorname{src}, \operatorname{act}, \operatorname{trg}, q^0)$ , where Q is a set of states, E a set of *transitions*,  $\Sigma$  a set of *actions*, functions  $\operatorname{src} : E \to Q$ ,  $\operatorname{act} : E \to \Sigma$  and  $\operatorname{trg} : E \to Q$  associate to each transition a *source, action* and *target*, respectively, and  $q^0 \in Q$  is the *initial state*. We write  $Q_{\mathscr{A}}, E_{\mathscr{A}}$ , etc., for the components of an LTS  $\mathscr{A}$ , but often omit subscripts when they are clear from the context. Also, we write  $\delta : q \xrightarrow{a} q'$  if  $\delta$  is a transition with  $\operatorname{src}(\delta) = q$ ,  $\operatorname{act}(\delta) = a$  and  $\operatorname{trg}(\delta) = q'$ . With  $q \xrightarrow{a} q'$  we denote that  $\delta : q \xrightarrow{a} q'$  for some  $\delta$ .

**Example 2.** Fig. 1 shows a labeled transition system describing the behavior of an automatic switch as used, e.g., for staircases in hotels. Circles represent states. Their names are given inside. The initial state is indicated with a little incoming arrow.



Fig. 1. An LTS representing a switch.

Arrows represent transitions and their labels are given next to them. The switch can be described formally as the LTS  $\mathscr{A} = (Q, E, \Sigma, \text{src}, \text{act}, \text{trg}, q_0)$  where

- $Q = \{q_0, q_1\},$
- $E = \{\delta_0, \delta_1, \delta_2\},\$
- $\Sigma = \{on, off\},\$
- $\operatorname{src}(\delta_0) = q_0, \operatorname{src}(\delta_1) = \operatorname{src}(\delta_2) = q_1,$
- $\operatorname{act}(\delta_0) = \operatorname{act}(\delta_2) = on, \operatorname{act}(\delta_1) = off,$
- $\operatorname{trg}(\delta_0) = \operatorname{trg}(\delta_2) = q_1, \operatorname{trg}(\delta_1) = q_0,$
- $q_0$  is the initial state.

Its behavior can be explained as follows. The state of the system in which the light is off is represented by  $q_0$ , and the state  $q_1$  represents the situation where the light on. People arrive at the stairway and turn *on* the switch. After a while the switch turns itself *off*. Before that happens, people may push the *on* button, which will leave the light on.

We will use the automatic switch as a running exmple. The intention is to show how the different models we discuss in this section are built one on top of the other.

In order to define the timed I/O automata model, we will need the generality of LTSs. However, to study its semantics, it will be enough to restrict to a subclass of LTSs which we choose to call lean LTSs. An LTS  $\mathscr{A}$  is *lean* if each transition is fully determined by its source, action and target, i.e.,

$$\operatorname{src}(\delta) = \operatorname{src}(\delta') \wedge \operatorname{act}(\delta) = \operatorname{act}(\delta') \wedge \operatorname{trg}(\delta) = \operatorname{trg}(\delta') \Rightarrow \delta = \delta',$$

and *deterministic* if it satisfies the stronger property

$$\operatorname{src}(\delta) = \operatorname{src}(\delta') \wedge \operatorname{act}(\delta) = \operatorname{act}(\delta') \Rightarrow \delta = \delta',$$

We say that  $\mathscr{A}$  is a *finite automaton* if both Q and E are finite. An *execution fragment* of a lean<sup>2</sup> LTS  $\mathscr{A}$  is a finite or infinite alternating sequence  $q_0a_1q_1a_2q_2\cdots$ of states and actions of  $\mathscr{A}$ , beginning with a state, and if it is finite also ending with a state, such that for all i > 0,  $q_{i-1} \xrightarrow{a_i} q_i$ . An *execution* of  $\mathscr{A}$  is an execution fragment that begins with the initial state of  $\mathscr{A}$ . A state q of  $\mathscr{A}$  is *reachable* if it

<sup>&</sup>lt;sup>2</sup> For non lean LTSs this notion of execution fragments is less natural since it does not record all information about the dynamic behavior of such systems.

is the last state of some finite execution of  $\mathscr{A}$ . For  $\gamma = q_0 a_1 q_1 a_2 q_2 \cdots$  an execution fragment of  $\mathscr{A}$ ,  $trace(\gamma)$  is defined as the sequence of  $a_1 a_2 \cdots$ . We write  $q \xrightarrow{\sigma} q'$  if  $\mathscr{A}$ has a finite execution fragment  $\gamma$  with  $first(\gamma) = q$ ,  $last(\gamma) = q'$ , and  $trace(\gamma) = \sigma$ . We say that  $\sigma$  is a *trace* of q, and write  $q \xrightarrow{\sigma}$ , if there exists a q' such that  $q \xrightarrow{\sigma} q'$ . Moreover,  $\sigma$  is a *trace* of  $\mathscr{A}$  if it is a trace of the initial state of  $\mathscr{A}$ . We write  $traces^*(q)$ for the set of traces of q. We say that  $\sigma$  is a *distinguishing trace* of q and q' if either it is a trace of q but not of q', or the other way around.

The main equivalence relation between LTSs that we consider in this paper is bisimulation equivalence: according to our definition in Section 5 an Implementation Under Test (IUT) conforms to a specification *Spec* iff certain associated LTSs are bisimilar. However, as a consequence of the fact that these LTSs are deterministic, the reader may equally well think of conformance in terms of trace equivalence, and view bisimulations as a convenient characterization of trace equivalence. In fact, our choice to use bisimulation instead of trace equivalence is merely pragmatic.

**Definition 3.** Let  $\mathscr{A}$  be an LTS. A relation  $R \subseteq Q_{\mathscr{A}} \times Q_{\mathscr{A}}$  is a *bisimulation on*  $\mathscr{A}$  iff whenever  $R(q_1, q_2)$ , then

- $q_1 \xrightarrow{a} q'_1$  implies that there is a  $q'_2 \in Q_{\mathscr{A}}$  such that  $q_2 \xrightarrow{a} q'_2$  and  $R(q'_1, q'_2)$ ,
- $q_2 \xrightarrow{a} q'_2$  implies that there is a  $q'_1 \in Q_{\mathscr{A}}$  such that  $q_1 \xrightarrow{a} q'_1$  and  $R(q'_1, q'_2)$ .

States q,q' of  $\mathscr{A}$  are *bisimilar*, notation  $q \simeq_{\mathscr{A}} q'$ , if there exists a bisimulation R on  $\mathscr{A}$  with R(q,q').

States q, q' of LTSs  $\mathscr{A}$  and  $\mathscr{A}'$ , respectively, are *bisimilar* if there exists a bisimulation R on the disjoint union of  $\mathscr{A}$  and  $\mathscr{A}'$  (with arbitrary initial state) that relates q to q'. In such a case, we write  $\mathscr{A}, \mathscr{A}' : q \simeq q'$ . LTSs  $\mathscr{A}$  and  $\mathscr{A}'$  are *bisimilar*, notation  $\mathscr{A} \simeq \mathscr{A}'$ , if  $\mathscr{A}, \mathscr{A}' : q_{\mathscr{A}}^0 \simeq q_{\mathscr{A}'}^0$ .

It is well known that if  $\mathscr{A}$  is deterministic, for all states q, q' of  $\mathscr{A}, \mathscr{A}: q \simeq q'$  iff  $traces^*(q) = traces^*(q')$ . As a consequence, two deterministic LTSs  $\mathscr{A}$  and  $\mathscr{A}'$  are bisimilar iff they have the same sets of traces.

#### 2.3. Bounded time domain automata

In this subsection we recall the bounded time domain automata model from [30], which is a variant of the time automata model [2, 20]. A timed automaton is basically an automaton extended with *clocks*. A clock is a variable that allows to record the passage of time. Like a chronometer, a clock can be set to a certain value and inspected at any moment to see how much time has passed. By having several different clock variables we can measure and compare the timing of different events. For this reason, all clocks increase at the same rate. In the Alur–Dill model, clocks range over  $\mathbb{R}^{\geq 0}$ , and the only assignments that are allowed are *clocks resets* of the form x := 0. In the BTDA model the domain *dom*(x) of a clock x is the union of a bounded interval and the singleton  $\{\infty\}$ . Intuitively, the value of x is only relevant when contained in the interval: beyond the upper bound of the interval one only knows that the value of x

is "large". The BTDA model also allows for more general assignments of the form x := n or x := y + n, for x and y clocks and  $n \in \mathbb{Z}^{\infty}$ .

As shown in [30], the BTDA model is essentially equivalent to the Alur–Dill model but often allows for more compact representations of timed systems. Also, it turns out that the use of  $\infty$  simplifies the technical development in the rest of this paper.

Below we first define the auxiliary concepts of clocks and constraints, before proceeding to the definition of BTDAs and their operational semantics.

## 2.3.1. Clocks and constraints

A *clock* is a variable x with a domain dom(x) of the form  $J \cup \{\infty\}$ , where J is an interval over  $\mathbb{R}$  with infimum and supremum in  $\mathbb{Z}$ . Let C be a finite set of clocks. We write  $intv(x) \triangleq dom(x) - \{\infty\}$ . A *term over* C is an expression generated by the grammar  $e ::= x \mid n \mid e+n$ , where x is a clock in C and  $n \in \mathbb{Z}^{\infty}$ . We denote the set of all such terms by T(C). A *constraint over* C is a Boolean combination  $\varphi$  of inequalities of the form  $e \leq e'$  or e < e' with  $e, e' \in T(C)$ . We denote the set of all such formulas by F(C). The Boolean constants T and F, denoting truth and falsehood, respectively, as well as equations of the form x = n are definable by constraints. In fact, for each term e and each interval J with integer bounds, the predicate  $e \in J$  can be expressed as a constraint. A (*simultaneous*) assignment over C is a function  $\mu$  from C to T(C). We denote the set of all such assignments by M(C), and (for instance) write x := 5for the assignment  $\mu$  with  $\mu(x) = 5$ . If  $\varphi$  is a constraint and  $\mu$  an assignment, then  $\varphi[\mu]$  denotes the constraint obtained from  $\varphi$  by replacing each variable x by  $\mu(x)$ .

A clock valuation over C is a map v that assigns to each clock  $x \in C$  a value in its domain. With V(C) we denote the set of clock valuations over C. In the obvious way, a clock valuations over v is lifted to a function  $\bar{v}$  that takes a term and returns a value. We say that v satisfies  $\varphi$ , notation  $v \models \varphi$ , if  $\varphi$  evaluates to true under valuation v. A constraint  $\varphi$  is satisfiable if there is a valuation v such that  $v \models \varphi$ ; constraint  $\varphi$  holds if for all valuations  $v, v \models \varphi$ . If  $d \in \mathbb{R}^{\geq 0}$  then  $v \oplus d$  is the clock valuation defined by

$$(v \oplus d)(x) \triangleq \begin{cases} v(x) + d & \text{if } v(x) + d \in intv(x), \\ \infty & \text{otherwise.} \end{cases}$$

The *hull* of  $\varphi$  is the set of clock valuations v that satisfy, for all  $d \in \mathbb{R}^{\geq 0}$ ,  $v \oplus d \models \varphi$  iff d = 0. The *interior* of  $\varphi$  is the set of all valuations that satisfy  $\varphi$  but are not in its hull. So if a clock valuation v is in the hull of  $\varphi$ , then any nonzero increment of the value of clocks under v will violate  $\varphi$ . For each constraint  $\varphi$ , let *hull*( $\varphi$ ) be a constraint such that, for all  $v, v \models hull(\varphi)$  iff v is in the hull of  $\varphi$ . Similarly, let *interior*( $\varphi$ ) be a constraint to see that such constraints always exist and can be effectively computed. For example,  $hull(x \leq 5) = (x = 5), hull(x < 5) = F$ , and *interior*( $x \leq 5) = (x < 5) = interior(x < 5)$ .

#### 2.3.2. BTDAs and their operational semantics

A bounded time domain automaton is a finite automaton together with some annotations to restrict real-time behavior. To start with, a set of clocks is associated with the automaton. Each clock gets an initial value, and when time advances with an amount d, the value of all clocks is incremented uniformly (according to  $\oplus$ ) with d. To each state we associate an invariant; we require that the automaton may only reside in a state as long as the invariant remains true. In addition, a clock constraint is associated to each transition; we require that a transition may be taken only if the current valuation of the clocks satisfies this constraint. When a transition occurs, the clock values are updated according to a given assignment. We require that in the new state the invariant holds and each clock again takes a value in its domain. All this is formalized in the two following definitions.

**Definition 4.** A *timing annotation* for a given automaton  $\mathscr{A}$  is a tuple  $\mathscr{T} = (C, Inv, G, A, v^0)$ , where

- C is a finite set of clocks.
- $Inv: Q \rightarrow F(C)$  associates an *invariant* to each state.
- $G: E \rightarrow F(C)$  associates a guard to each transition.
- $A : E \to M(C)$  associates an assignment to each transition s.t. the constraint Inv $(\operatorname{src}(\delta)) \land G(\delta) \Rightarrow \bigwedge_{x \in C} (A(\delta)(x) \in dom(x)) \land Inv(\operatorname{trg}(\delta))[A(\delta)]$  holds for each  $\delta \in E$ .
- $v^0 \in V(C)$  is the *initial valuation*. We require that  $v^0 \models Inv(q^0)$  and, for all  $x, v^0(x) \in \mathbb{Z}^{\infty}$ .

A bounded time domain automaton (BTDA) is a pair  $\mathscr{B} = (\mathscr{A}, \mathscr{T})$ , where  $\mathscr{A}$  is a finite automaton with  $\Sigma_{\mathscr{A}} \cap \mathbb{R}^{>0} = \emptyset$ , and  $\mathscr{T}$  is a timing annotation for  $\mathscr{A}$ . We write  $Q_{\mathscr{B}}, E_{\mathscr{B}}, C_{\mathscr{B}}$ , etc., for the components of  $\mathscr{A}$  and  $\mathscr{T}$ .

**Example 5.** In this example we extend the switch from Example 2 with an explicit notion of time. We fix the period after which the light turns off automatically to 5 time units. To express this formally, the LTS  $\mathscr{A}$  of Example 2 is extended into a BTDA  $\mathscr{B} = (\mathscr{A}, \mathscr{T})$ , where  $\mathscr{T}$  is the timing annotation  $\mathscr{T} = (C, Inv, G, A, v^0)$  with

- $C = \{x\}$  with  $dom(x) = [0, 5] \cup \{\infty\},\$
- $Inv(q_0) = (x = \infty), Inv(q_1) = (x \le 5),$
- $G(\delta_0) = (x = \infty), G(\delta_1) = (x = 5), G(\delta_2) = (x < 5),$
- $A(\delta_0) = (x := 0), A(\delta_1) = (x := \infty), A(\delta_2) = (x := 0),$
- $v^0(x) = \infty$ .

The BTDA model of the switch is depicted in Fig. 2. In location  $q_0$  clock x is not used; therefore x has been given the value  $\infty$ . The value of x becomes relevant as soon as the action on occurs and the transition to location  $q_1$  is made. After this transition, the action on is enabled in the interior while (x < 5). As soon as 5 time units have passed after the last on action, the hull of the invariant is reached and time cannot advance any longer. At this point the switch automaton performs the now enabled action off, to return to its initial state.



Fig. 2. A BTDA representing a switch.

**Definition 6.** The *operational semantics*  $\mathcal{OS}(\mathcal{B})$  of a BTDA  $\mathcal{B}$  is the lean LTS  $\mathcal{A}$  which, up to identity of transitions, is specified by

$$\begin{aligned} & \mathcal{Q}_{\mathscr{A}} = \{(q, v) \in \mathcal{Q}_{\mathscr{B}} \times V(C_{\mathscr{B}}) \, | v \models Inv_{\mathscr{B}}(q) \}, \\ & \mathcal{\Sigma}_{\mathscr{A}} = \mathcal{\Sigma}_{\mathscr{B}} \cup \mathbb{R}^{>0}, \\ & q_{\mathscr{A}}^{0} = (q_{\mathscr{B}}^{0}, v_{\mathscr{B}}^{0}) \end{aligned}$$

and  $\rightarrow_{\mathscr{A}}$  is the smallest relation that satisfies the following two rules, for all  $(q, v), (q', v') \in Q_{\mathscr{A}}, \ a \in \Sigma_{\mathscr{B}}, \ \delta \in E_{\mathscr{B}}$  and  $d \in \mathbb{R}^{>0}$ ,

$$\frac{\delta : q \xrightarrow{a} q', v \models G_{\mathscr{R}}(\delta), v' = \overline{v} \circ A_{\mathscr{R}}(\delta)}{(q, v) \xrightarrow{a}_{\mathscr{A}}(q', v')}$$
$$\frac{q = q', v' = v \oplus d, \forall 0 \leqslant d' \leqslant d : v \oplus d' \models Inv_{\mathscr{R}}(q)}{(q, v) \xrightarrow{d}_{\mathscr{A}}(q', v')}$$

The actions in  $\mathbb{R}^{>0}$  are referred to as *time delays*. In order not to confuse the states of a BTDA with those of its operational semantics, we will refer to the states of a BTDA  $\mathscr{B}$  as *locations*. We will use q, .. to range over locations, and r, s, .. to range over the states of the operational semantics  $\mathscr{OS}(\mathscr{B})$ . We write  $S_{\mathscr{B}}$  for the set of states  $Q_{\mathscr{A}}$  of  $\mathscr{OS}(\mathscr{B})$ .

# 2.4. Timed I/O automata

In this subsection, we define the model of timed I/O automata (TIOAs) as an extension of the BTDA model in which the actions are partitioned into input and output actions. We impose some restrictions in order to ensure "testability" of the model. Intuitively (a formal definition will be presented in Section 3), a *test sequence* for a TIOA is a finite sequence of delays and input actions that can be applied to the TIOA. In order to fully test a TIOA by test sequences the TIOA should be *controllable* in the sense that it should be possible for an environment to drive a TIOA through all of its transitions. An obvious prerequisite for controllability is that a TIOA is *deterministic*. However this is not enough. We also need to require that a TIOA has *isolated outputs:* for each state, if an output is enabled then no other input or output transition is enabled. In this way we exclude that a TIOA can autonomously choose between performing different outputs, or between performing an output and accepting an input. 234

Since input actions are under control of the environment of a TIOA, a TIOA should always accept inputs. Traditionally [25, 28], this leads to the requirement that every input is enabled in every state. This however is in conflict with the condition of isolated outputs. We therefore impose a slightly weaker *input enabling* condition: each input is enabled only in the interior of the invariant of each location. This means that inputs are enabled as long as time can progress. Since inputs and outputs are mutually exclusive, this in addition ensures that a TIOA cannot choose to avoid executing output actions by letting time pass. Together, the conditions of determinism, isolated outputs and input enabling ensure that a TIOA is controllable.

According to our definitions, there are BTDAs in which from some (or even all) states no outgoing execution fragment  $\gamma$  exists such that the sum of time delays in  $\gamma$  diverges, i.e., grows to infinity. It may for instance occur that a state has no outgoing transition at all ('time deadlock'), or that there is an infinite sequence of consecutive output actions without any time delays in between ('Zeno behavior'). Since (we believe) these behaviors cannot occur in the real world and we need to exclude them in order to develop our testing approach, we demand as final requirement that a TIOA is *progressive*: from each state there should be an outgoing execution fragment containing no input actions in which the sum of the time delays diverges. Progressiveness implies that in each state on the hull of an invariant an output action is enabled. Moreover, after a finite number of consecutive output actions time will be allowed to advance and, consequently, input actions will be enabled again. As a result, a TIOA can never preempt input actions in definitely by performing output actions. So, although within our model input actions are not enabled in every *state*, they are accepted at every *time instance*.

**Definition 7.** A *timed I/O automaton (TIOA)* is a pair  $\mathcal{M} = (\mathcal{B}, \mathcal{P})$ , where  $\mathcal{B}$  is a BTDA and  $\mathcal{P} = (I, O)$  is a partitioning of  $\Sigma_{\mathcal{B}}$  in *input actions* and *output actions*. We require that the following properties hold, for all  $\delta, \delta' \in E, q \in Q$ , and  $i \in I$ :

- (1) (Determinism) if  $\operatorname{src}(\delta) = \operatorname{src}(\delta')$ ,  $\operatorname{act}(\delta) = \operatorname{act}(\delta')$  and  $G(\delta) \wedge G(\delta')$  is satisfiable then  $\delta = \delta'$
- (2) (Isolated outputs) if  $scr(\delta) = src(\delta')$ ,  $act(\delta) \in O$  and  $G(\delta) \wedge G(\delta')$  is satisfiable then  $\delta = \delta'$
- (3) (Input enabling) *interior*(Inv(q))  $\Rightarrow \bigvee_{\delta \in from(q,i)} G(\delta)$  holds, where from  $(q,i) \triangleq \{\delta \in E \mid src(\delta) = q \land act(\delta) = i\}$
- (4) (Progressiveness) For every state of OS(B) there exists an infinite execution fragment that starts in this state, contains no input actions, and in which the sum of the delays diverges

We write  $Q_{\mathcal{M}}$ ,  $\Sigma_{\mathcal{M}}$ ,  $C_{\mathcal{M}}$ ,  $Inv_{\mathcal{M}}$ ,  $I_{\mathcal{M}}$ , etc., for the components of  $\mathcal{B}$  and  $\mathcal{P}$ . The *operational semantics*  $\mathcal{OS}(\mathcal{M})$  of  $\mathcal{M}$  is just the operational semantics of the contained BTDA  $\mathcal{B}$ . Moreover, we write  $\mathcal{M} \simeq \mathcal{M}'$  whenever  $\mathcal{OS}(\mathcal{M}) \simeq \mathcal{OS}(\mathcal{M}')$ .

The following lemma, which is a direct corollary of the definitions, gives four basic properties of the operational semantics of a timed I/O automaton.

Lemma 8. Let *M* be a TIOA. Then

- (1)  $OS(\mathcal{M})$  is deterministic.
- (2)  $\mathcal{OS}(\mathcal{M})$  has Wang's [35] time additivity property:  $s \stackrel{d+d'}{\to} s' \Leftrightarrow \exists r : s \stackrel{d}{\to} r \wedge r \stackrel{d'}{\to} s'$ .
- (3) Each state of OS(M) has either (a) a single outgoing transition labeled with an output action, or (b) both outgoing delay transitions and outgoing input transitions (one for each input action), but no outgoing output transitions. States of type (b) are called stable.
- (4) For each state  $s \in S_{\mathcal{M}}$ , there exists a unique finite sequence of output actions  $\sigma$  and a unique stable state s' such that  $s \xrightarrow{\sigma} s'$ .

**Example 9.** It is not difficult to see that for the switch of Example 2 there is a natural separation between input and output actions. Action *on* is purely controlled by the environment; so we say that it is an input action. Instead, action *off* can only be observed by the environment and it is controlled exclusively by the system, which makes it an output action.

Formally, we can construct the TIOA  $\mathcal{M} = (\mathcal{B}, \mathcal{P})$  where  $\mathcal{B}$  is the BTDA given in Example 5 and the partitioning  $\mathcal{P} = (I, O)$  consists of  $I = \{on\}$  and  $O = \{off\}$ . It is not difficult to check that  $\mathcal{M}$  is indeed a TIOA. In particular notice that  $hull(Inv(q_1)) = hull(x \le 5) = (x = 5) = G(\delta_1)$ , which isolates the output action off in location  $q_1$ , and interior $(Inv(q_1)) = interior(x \le 5) = (x < 5) = G(\delta_2)$ . which makes location  $q_1$  input enabling. In fact, it is straightforward to check determinism, isolated outputs, and input enabled. Less simple is to check that the TIOA is progressive. This is, however, not difficult either since it reduces to model check a simple TCTL formula which is decidable and can be carried on automatically [5, 24, 14, 19].<sup>3</sup>

The intention of the next example is to show that timed I/O automata form a natural generalization of the classical Mealy machines [23], which are a well established model in black-box testing theory and often used in practice.

**Example 10.** Recall that a Mealy machine is a tuple  $\mathscr{F} = (I, O, Q, \delta, \lambda, q^0)$ , where I, O, Q are finite, nonempty sets of inputs, outputs, and states, respectively,

•  $\delta: I \times Q \rightarrow Q$  is the transition function,

•  $\lambda: I \times Q \rightarrow O$  is the output function, and

•  $q^0$  is the initial state.

To a Mealy machine  $\mathscr{F}$  we associate a timed I/O automaton  $\mathscr{M}$  with locations  $Q \cup (I \times Q)$ , inputs *I*, outputs *O*, and initial location  $q^0$ . For each state  $q \in Q$  and input action  $i \in I$ , we introduce a pair of transitions

$$q \stackrel{i}{\rightarrow} (i,q) \quad \text{and} \quad (i,q) \stackrel{\lambda(i,q)}{\rightarrow} \delta(i,q).$$

<sup>&</sup>lt;sup>3</sup> The TCTL formula to be checked is  $\forall \Box (\tau \Rightarrow \exists \diamondsuit_{\leq 1} \tau)$ 

We equip  $\mathscr{M}$  with a single clock x with domain  $\{0, \infty\}$ . In order to model that Mealy machines accept inputs at any time, a constraint  $x = \infty$  is associated to each location  $q \in Q$  and to each input transition  $q \stackrel{i}{\to} (i,q)$ . To capture the intuition that in a Mealy machine each input is immediately followed by an output, a constraint x = 0is associated to each location  $(i,q) \in I \times Q$  and to each output transition  $(i,q) \stackrel{o}{\to} q'$ . Finally, to make  $\mathscr{M}$  into a proper TIOA, we assign  $\infty$  as initial value to x, annotate each input transition with an assignment x := 0, and each output transition with an assignment  $x := \infty$ .

Besides the above translation from Mealy machines to TIOAs, many other possible translations exist. The TIOA model allows one to express, for instance, that some amount of time may elapse in between an input and the subsequent output. In this case one has to specify what happens if another input arrives before the output is produced. One possibility here is to jump to a newly added error state, but one may also decide to ignore such an input.

## 3. Test sequences

We view timed I/O automata as machines to which one can apply tests. A *test* sequence for a TIOA  $\mathcal{M}$  is a finite sequence of delays and input actions of  $\mathcal{M}$ . We denote the set of all test sequences for  $\mathcal{M}$  by  $Exp_{\mathcal{M}}$ . A test sequence  $\sigma$  can be applied to the machine  $\mathcal{M}$  starting from any state s. The application of  $\sigma$  to  $\mathcal{M}$  in s uniquely determines a finite, maximal execution fragment in  $\mathcal{OS}(\mathcal{M})$ . The existence of such an execution fragment is guaranteed by the properties that we demand of TIOAs. For black box testing, one is only interested in the observable behavior induced by the execution, that is, actions and passage of time, but not states. For instance, if the test sequence on 6 — which may be read as "press input on and observe the system during 6 units of time" — is applied to the initial state of the automaton from Example 9, it determines a unique execution whose observable behavior is the trace on 5 off 1, that is, "after pressing input on and waiting for 5 time units, the switch turns automatically off; in the next unit of time nothing happens".

In the following we formally define what it means to perform a test sequence, and we prove that a test sequence induces a unique execution fragment. The outcome of performing a test sequence on  $\mathcal{M}$  is described in terms of an auxiliary labeled transition system  $\mathscr{E}_{\mathcal{M}}$ .

**Definition 11.** The *test sequence LTS*  $\mathscr{E}_{\mathscr{M}}$  is the lean LTS with  $Exp_{\mathscr{M}} \times S_{\mathscr{M}}$  as its set of states,  $\Sigma_{\mathscr{M}}$  as its set of actions,  $(\varepsilon, s^0_{\mathscr{M}})$  as its (arbitrarily chosen) initial state, and a transition relation  $\rightarrow$  that is inductively defined as the least relation satisfying the following four rules, for all  $s, s' \in S_{\mathscr{M}}$ ,  $\sigma \in Exp_{\mathscr{M}}$ ,  $i \in I_{\mathscr{M}}$ ,  $o \in O_{\mathscr{M}}$  and  $d, d' \in \mathbb{R}^{>0}$ ,

$$\frac{s \xrightarrow{o} \mathcal{OS}(\mathcal{M}) s'}{(\sigma, s) \xrightarrow{o} (\sigma, s')}$$
(1)

J. Springintveld et al. | Theoretical Computer Science 254 (2001) 225–257

$$\frac{s \xrightarrow{i} \mathcal{OS}(\mathcal{M}) s'}{(i\sigma, s) \xrightarrow{i} (\sigma, s')}$$
(2)

$$\frac{s \stackrel{d}{\to} _{\mathcal{O}\mathcal{S}(\mathcal{M})} s'}{(3)}$$

$$(d\sigma, s) \xrightarrow{d} (\sigma, s') \tag{(7)}$$

$$\frac{s \stackrel{d'}{\to} \mathscr{OS}(\mathscr{M}) s', \sup\{t \in \mathbb{R}^{>0} \mid s \stackrel{t}{\to} \mathscr{OS}(\mathscr{M})\} = d' < d}{(d\sigma, s) \stackrel{d'}{\to} ((d - d')\sigma, s')}$$
(4)

Rule (1) says that output actions are always performed autonomously, independently of the input of the intended test sequence. Instead, input actions are only performed if they are explicitly specified in the test sequence. This is stated by rule (2). Similarly, rule (3) says that a delay can occur only when it is both specified by the test sequence and allowed by  $\mathcal{M}$ . In some cases, a delay specified in the test sequence cannot occur since it is interrupted by an autonomous output action of  $\mathcal{M}$ . In such a case, the part of the delay up to the output action is executed, while the rest is postponed until  $\mathcal{M}$  stops doing output actions autonomously. This last case is explained by rule (4).

The following theorem basically says that for each test sequence and each state there is a unique corresponding finite execution fragment in the test sequence automaton.

#### **Theorem 12.** Let *M* be a TIOA. Then

- (1) each state of  $\mathscr{E}_{\mathcal{M}}$  has at most one outgoing transition, and
- (2)  $\mathscr{E}_{\mathcal{M}}$  does not have an infinite execution fragment.

**Proof.** Part (1) follows directly from the definition of  $\mathscr{E}_{\mathscr{M}}$  together with Lemma 8.

Part (2) is proved by contradiction. Suppose that  $\beta$  is an infinite execution fragment of  $\mathscr{E}_{\mathscr{M}}$ . Because test sequences have a finite length, transitions of types (2) and (3) reduce the length of the test sequence, and the two other types of transitions leave the length of test sequences unchanged,  $\beta$  has an (infinite) suffix  $\beta'$  that contains no transitions of types (2) and (3). If we project all states in  $\beta'$  on their second component, then we obtain an infinite execution fragment  $\gamma$  of the LTS  $\mathscr{OS}(\mathscr{M})$  that contains no input actions, and in which the sum of the delays converges. Let s be the first state of  $\gamma$ . Since  $\mathscr{M}$  is progressive,  $\mathscr{OS}(\mathscr{M})$  has an infinite execution fragment  $\gamma'$  that starts in s, that contains no input actions, and in which the sum of the delays diverges. Let  $\gamma = s_0 a_1 s_1 a_2 s_2 \cdots$  and let  $\gamma' = s'_0 a'_1 s'_1 a'_2 s'_2 \cdots$ . Then  $s = s_0 = s'_0$ . Inductively, we construct a monotonic function  $f : \mathbb{N} \to \mathbb{N}$  that satisfies, for all  $i \in \mathbb{N}$ , the following two properties:

(1) 
$$s_i = s'_{f(i)}$$
  
(2)  $s'_{f(i)} \xrightarrow{a_{i+1}} s'_{f(i+1)}$ 

)

237

238

For the induction base, we define f(0) = 0. Since both  $\gamma$  and  $\gamma'$  start with s, we have  $s_0 = s = s'_{f(0)}$ . Now suppose that f has been defined for all  $j \leq k$  and  $s_k = s'_{f(k)}$ . In order to define f(k+1) we distinguish between two cases.

- (1)  $a_{k+1}$  is an output action. In this case define f(k+1) = f(k)+1. Using Lemma 8(3) we obtain  $s_{k+1} = s'_{f(k+1)}$  and  $s'_{f(k)} \stackrel{a_{k+1}}{\rightarrow} s'_{f(k+1)}$ .
- (2) a<sub>k+1</sub> is a delay. Then the transition s<sub>k</sub> a<sub>k+1</sub> originates from a transition of type (4) in &<sub>M</sub>. This implies that a<sub>k+1</sub> is the maximal delay transition that is enabled in s<sub>k</sub>. Using the fact that γ' diverges and Lemma 8, we can infer that there exists an index m > f(k) such that all actions a'<sub>j</sub> for f(k) < j ≤ m are delays, with a sum equal to a<sub>k+1</sub>, and s<sub>k+1</sub> = s'<sub>m</sub>. Now define f(k+1) = m. Clearly s<sub>k+1</sub> = s'<sub>f(k+1)</sub> and s'<sub>f(k)</sub> a<sub>k+1</sub>/s'<sub>f(k+1)</sub>.

From the construction together with Lemma 8 it follows that, for all *i*, the sum D(i) of the delays in  $s_0a_1s_1a_2s_2\cdots s_i$  is equal to the sum D'(i) of the delays in the fragment  $s'_0a'_1s'_1a'_2s'_2\cdots s'_{f(i)}$ . Since *f* is monotonic and the sum of the delays in  $\gamma'$  diverges, the value of D'(i) increases without bound if  $i \to \infty$ . This contradicts the fact that the sum of the delays in the test sequence part of *s* gives a finite upper bound for all the sums D(i).  $\Box$ 

Theorem 12(1) allows us to define  $exec_{\mathscr{M}}(\sigma, s)$  as the execution fragment of  $\mathscr{OS}(\mathscr{M})$  obtained by projecting the states in the unique maximal execution fragment of  $\mathscr{E}_{\mathscr{M}}$  that starts in  $(\sigma, s)$  on their second component. Theorem 12(2) implies that it is a finite execution fragment. Write  $s \stackrel{\sigma}{\Rightarrow} s'$  if s' is the last state of  $exec_{\mathscr{M}}(\sigma, s)$  (note that s' is stable). For instance, the application of the test sequence  $\sigma = on \ 6$  to the switch of Example 9 from its initial state determines the following execution:

$$exec_{\mathscr{M}}(\sigma, (q_0, x = \infty)) = (q_0, x = \infty) \text{ on } (q_1, x = 0) \text{ 5 } (q_1, x = 5) \text{ off } (q_0, x = \infty) \text{ 1 } (q_0, x = \infty).$$

Hence,  $(q_0, x = \infty) \stackrel{\sigma}{\Rightarrow} (q_0, x = \infty)$ . As we said, for black-box testing, one is only interested in observable behavior, not in states. We define  $outcome_{\mathscr{M}}(\sigma, s)$ , the *outcome* of test sequence  $\sigma$  in state s of  $\mathscr{M}$ , as the trace of the execution fragment that is induced by performing the test sequence:

 $outcome_{\mathcal{M}}(\sigma,s) \triangleq trace(exec_{\mathcal{M}}(\sigma,s)).$ 

Thus, the outcome of the previous test sequence is  $outcome_{\mathcal{M}}(\sigma, (q_0, x = \infty)) = on 5$  off 1.

We end this section with a small lemma stating that each trace  $\sigma$  that leads from a given state s to a stable state s' can be retrieved as the outcome of the test sequence obtained by projecting  $\sigma$  on input actions and delays.

**Lemma 13.** Suppose  $s \xrightarrow{\sigma} s'$ , s' is stable, and  $\sigma' = \sigma \lceil (I_{\mathcal{M}} \cup \mathbb{R}^{>0}) \rangle$ . Then  $outcome_{\mathcal{M}}(\sigma', s) = \sigma$  and  $s \xrightarrow{\sigma'} s'$ .

**Proof.** Let  $\gamma$  be the unique execution fragment of  $\mathcal{OS}(\mathcal{M})$  with  $first(\gamma) = s$ ,  $last(\gamma) = s'$ , and  $trace(\gamma) = \sigma$ . By induction on the number *n* of transitions in  $\gamma$  we prove  $exec_{\mathcal{M}}(\sigma', s) = \gamma$ .

Suppose n = 0. Then  $s = s' = \gamma$  and  $\sigma = \sigma' = \varepsilon$ . Since s is stable, state  $(\varepsilon, s)$  of  $\mathscr{E}_{\mathscr{M}}$  has no outgoing transitions. Thus  $exec_{\mathscr{M}}(\sigma', s) = s = \gamma$ .

For the induction step, suppose that n > 0. Let  $s \xrightarrow{a} s''$  be the first transition of  $\gamma$ , and let  $\gamma'$  be the unique execution fragment satisfying  $\gamma = s a \gamma'$ . We distinguish between two cases:

- (1) *a* is an output action. Then, by rule (1),  $\mathscr{E}_{\mathscr{M}}$  contains a transition  $(\sigma', s) \stackrel{a}{\to} (\sigma', s'')$ . By induction hypothesis  $exec_{\mathscr{M}}(\sigma', s'') = \gamma'$ . Since  $exec_{\mathscr{M}}(\sigma', s) = s \, a \, exec_{\mathscr{M}}(\sigma', s'')$ , we infer  $exec_{\mathscr{M}}(\sigma', s) = \gamma$ .
- (2) a is an input or delay action. Then σ' is of the form a σ''. Hence, by application of rule (2) or rule (3), respectively, E<sub>M</sub> contains a transition (σ',s) → (σ'',s''). By induction hypothesis exec<sub>M</sub>(σ'',s'') = γ'. Since clearly exec<sub>M</sub>(σ',s) = s a exec<sub>M</sub>(σ'', s''), we infer exec<sub>M</sub>(σ',s) = γ.

Since  $outcome_{\mathcal{M}}(\sigma',s) = trace(exec_{\mathcal{M}}(\sigma',s)) = trace(\gamma) = \sigma$ , the lemma follows immediately.  $\Box$ 

# 4. Discretization of the state space

Even though our tests are very simple, the set  $Exp_{\mathscr{M}}$  of test sequences for a given TIOA  $\mathcal{M}$  is uncountable large, due to the possible occurrence of real numbers within test sequences. Also the LTS  $\mathcal{OS}(\mathcal{M})$ , which gives the operational behavior of  $\mathcal{M}$ , is a highly infinite object. It is thus unclear how we should select a finite collection of tests if we want to establish that an IUT conforms to a specification  $\mathcal{M}$ . Fortunately however, the technical results of this section will enable us to restrict attention to a finite subautomaton of  $\mathcal{OS}(\mathcal{M})$  which contains enough information to characterize  $\mathcal{OS}(\mathcal{M})$  itself. We call it a grid automaton. In fact, for each pair  $\mathcal{M}, \mathcal{M}'$  of TIOAs, we can effectively find two grid automata such that  $\mathcal{M}$  is bisimilar to  $\mathcal{M}'$  iff the grid automata are bisimilar. In this way, whenever we want to establish that some black box conforms to the original TIOA specification, we can restrict attention to their grid automata. Using the fact that, in the context of deterministic machines, bisimulation coincides with trace equivalence, checking bisimulation reduces to the application of an appropriate set of test sequences. The grid automata can be fully and effectively explored by a finite number of test sequences in  $Exp_{\mathcal{M}}$ , using standard techniques for testing finite automata.

## 4.1. Regions

Our construction of a finite subautomaton uses the fundamental concept of a *region*, due to Alur and Dill [2]. The key idea behind the definition of a region is that, even though the number of states of an LTS  $\mathcal{OS}(\mathcal{M})$  is infinite, not all of these states

are distinguishable via constraints. If two states corresponding to the same location agree on the integral parts of all the clock values, and also on the ordering of the fractional parts of all the clocks, then these two states cannot be distinguished by constraints.

**Definition 14.** The equivalence relation  $\cong$  over the set V(C) of valuations of a set C of clocks is given by:  $v \cong v'$  iff, for all  $x, y \in C$ ,

(1)  $v(x) = \infty$  iff  $v'(x) = \infty$ ,

(2) if v(x) ≠∞ then ⌊v(x)⌋ = ⌊v'(x)⌋ and (fract(v(x)) = 0 iff fract(v'(x)) = 0),
(3) if v(x) ≠∞ ≠ v(y) then fract(v(x)) ≤ fract(v(y)) iff fract(v'(x)) ≤ fract(v'(y)). A region is an equivalence class of valuations induced by ≅.

**Lemma 15.** If  $v \cong v'$  then  $v \models \varphi \Leftrightarrow v' \models \varphi$ .

The equivalence relation  $\cong$  on the clock valuations of a TIOA  $\mathcal{M}$  is lifted to an equivalence relation  $\cong$  on  $S_{\mathcal{M}}$  by defining

$$(q,v) \cong (q',v') \triangleq q = q' \land v \cong v'$$

A region of  $\mathcal{M}$  is an equivalence class of states induced by  $\cong$ . Similarly, for  $\mathcal{M}_1$  and  $\mathcal{M}_2$  TIOAs with clocks  $C_1$  and  $C_2$ , respectively, the equivalence relation  $\cong$  on  $V(C_1 \cup C_2)$  (w.l.o.g. we assume that  $C_1$  and  $C_2$  are disjoint) is lifted to an equivalence relation  $\cong$  on  $S_{\mathcal{M}_1} \times S_{\mathcal{M}_2}$  by defining

$$((q_1, v_1), (q_2, v_2)) \cong ((q'_1, v'_1), (q'_2, v'_2))$$
  
$$\triangleq q_1 = q'_1 \land q_2 = q'_2 \land v_1 \cup v_2 \cong v'_1 \cup v'_2.$$

A region of  $\mathcal{M}_1$  and  $\mathcal{M}_2$  is an equivalence class of pairs of states induced by  $\cong$ . Note that  $(r_1, r_2) \cong (s_1, s_2)$  implies  $r_1 \cong s_1 \wedge r_2 \cong s_2$ , but that the converse implication does not hold in general.

Alur and Dill [2] show that for a set of clocks *C* the number of regions of V(C) is bounded by  $|C|!2^{|C|} \prod_{x \in C} (2c_x + 2)$ , where for each clock *x*,  $c_x$  denotes the length of the domain interval *intv*(*x*). This means that also the number of regions of a TIOA is (in the worst case) exponential in the number of clocks. In practice the use of invariants may keep the number of regions small. The switch TIOA of Example 9 has 12 regions, and the TIOA associated to a Mealy machine in Example 10 has |Q|(|I| + 1) regions.

## 4.2. Uniform mappings

The concept of a *uniform mapping* was introduced by Čerāns [9, 8]. Uniform mappings provide a convenient characterization of regions. They play a central role in Čerāns' proof that bisimulation equivalence is decidable for timed automata, and are also used heavily in this section.

**Definition 16.** A continuous mapping  ${}^4 \rho : \mathbb{R}^{\infty} \to \mathbb{R}^{\infty}$  is *uniform* if

- (1)  $\rho$  is strictly monotone (so t > u implies  $\rho(t) > \rho(u)$ ),
- (2)  $\rho(0) = 0$ ,

(3)  $\rho(t+n) = \rho(t) + n$ , for every real number t and integer n.

A uniform mapping  $\rho$  is extended in a homomorphic manner to any structure containing elements of  $\mathbb{R}^{\infty}$ . In particular, for any clock valuation v,  $\rho(v)$  is equal to the function v' given by  $v'(x) \triangleq \rho(v(x))$ , for all x.

Note that conditions (1)-(3) in Definition 16 together imply that  $\rho(n) = n$ , for all  $n \in \mathbb{Z}^{\infty}$ . Below we rephrase the basic results of Čerāns [9, 8] about uniform mappings in our setting. We first need to prove five technical lemmas to prepare for the main results of this subsection, which say that uniform mappings "preserve" the transition relation. The proofs of Lemmas 17, 19 and 20 easily follow from the definitions. The proofs of Lemmas 18 and 21 are somewhat more tricky and therefore outlines have been included below.

**Lemma 17.** Suppose v is a clock valuation over a set of clocks C and  $\rho$  is a uniform mapping. Then  $\rho(v)$  is a clock valuation over C.

**Lemma 18.**  $v \cong v'$  iff there exists a uniform mapping  $\rho$ , such that  $v' = \rho(v)$ .

**Proof.** " $\Leftarrow$ " Routine checking. Use the observation that, for each uniform mapping  $\rho$ , the inverse mapping  $\rho^{-1}$  is defined and also uniform.

"⇒" Let  $C = \{x_1, ..., x_n\}$ . We order the clocks according to the value of their fractional part in *v*, placing the clocks with value ∞ to the right: let  $(i_1, ..., i_n)$  be a permutation of (1, ..., n) such that, for all  $1 \le j < k \le n$ ,

(1)  $v(x_{i_j}) = \infty \Rightarrow v(x_{i_k}) = \infty$ , and

(2)  $v(x_{i_i}) \neq \infty \neq v(x_{i_k}) \Rightarrow fract(v(x_{i_i})) \leq fract(v(x_{i_k})).$ 

From  $v \cong v'$  and the definition of region equivalence it follows that Properties (1) and (2) also hold if we replace each occurrence of v by v'. Using the properties of region equivalence, we infer that there exists a continuous, strongly monotone function  $\rho': [0,1) \rightarrow [0,1)$  with  $\rho'(0) = 0$  and, for all j with  $v(x_{i_j}) \neq \infty$ ,  $\rho'(fract(v(x_{i_j}))) = fract(v'(x_{i_j}))$ . We extend  $\rho'$  to a uniform mapping  $\rho$  with the required property by defining  $\rho(\infty) = \infty$  and, for  $t \in \mathbb{R}$ ,  $\rho(t) \triangleq \lfloor t \rfloor + \rho'(fract(t))$ .  $\Box$ 

Lemma 19.  $\overline{\rho(v)}(e) = \rho(\overline{v}(e)).$ 

**Lemma 20.** Whenever  $\rho$  is a uniform mapping then for every  $d \in \mathbb{R}^{\geq 0}$  the mapping  $\rho_d$ , defined by  $\rho_d(t) \triangleq \rho(t-d) - \rho(-d)$  for every  $t \in \mathbb{R}^{\infty}$ , is also uniform.

Lemma 21.  $\rho_d(v \oplus d) = \rho(v) \oplus -\rho(-d)$ .

<sup>&</sup>lt;sup>4</sup> Čerāns [9, 8] does not require uniform mappings to be continuous as he should have since his proof of Lemma 3.7 in [9] (which coincides with Lemma 11.7 in [8]) uses the property that a uniform mapping has an inverse that is also uniform.

#### Proof.

242

(1) Assume x is a clock with  $v(x) + d \in intv(x)$ . Then

$$\rho_d(v \oplus d)(x) = \rho_d((v \oplus d)(x)) = \rho_d(v(x) + d)$$
  
=  $\rho(v(x) + d - d) - \rho(-d) = \rho(v)(x) - \rho(-d)$ 

(2) Assume x is a clock with  $v(x) + d \notin intv(x)$ . In this case

$$\rho_d(v \oplus d)(x) = \rho_d((v \oplus d)(x)) = \rho_d(\infty) = \infty.$$

(3) We claim that  $v(x) + d \in intv(x) \Leftrightarrow \rho(v)(x) - \rho(-d) \in intv(x)$ . In fact, using the uniformity of  $\rho$  and  $\rho^{-1}$ , we derive, for any integer n and  $\Box \in \{<, \leq, >, \geq\}$ ,

$$v(x) + d \Box n \Leftrightarrow v(x) \Box n - d \Leftrightarrow \rho(v)(x) \Box n + \rho(-d)$$
$$\Leftrightarrow \rho(v)(x) - \rho(-d) \Box n.$$

Since intv(x) has integer bounds, the claim follows from the combination of the derived inequalities.

The lemma now follows from (1)–(3) and the definition of  $\oplus$ .  $\Box$ 

The next two lemmas, which are the main results about uniform mappings, assert that uniform mappings "preserve" transitions between states.

**Lemma 22.** If  $s \xrightarrow{a} s'$  and  $a \in \Sigma_{\mathcal{M}}$  then  $\rho(s) \xrightarrow{a} \rho(s')$ .

**Proof.** Assume  $s \xrightarrow{a} s'$  and  $\rho$  is a uniform mapping. Let s = (q, v), s' = (q', v'),  $\rho(v) = w$  and  $\rho(v') = w'$ . We must prove that  $(q, w) \xrightarrow{a} (q', w')$ .

Because  $s \xrightarrow{a} s'$ , there exists a transition  $\delta$  such that  $\delta : q \xrightarrow{a} q'$ ,  $v \models G(\delta)$  and  $v' = \overline{v} \circ A(\delta)$ .

Since  $w = \rho(v)$ , Lemma 18 implies  $v \cong w$ . Hence, according to Lemma 15,  $w \models G(\delta)$ .

Assume that x is a clock. Then we derive, using the assumptions, definitions and Lemma 19,

$$w'(x) = \rho(v')(x) = \rho(v'(x))$$
  
=  $\rho(\bar{v} \circ A(\delta)(x)) = \rho(\bar{v}(A(\delta)(x))) = \overline{\rho(v)}(A(\delta)(x))$   
=  $\bar{w}(A(\delta)(x)) = \bar{w} \circ A(\delta)(x).$ 

This means that  $w' = \bar{w} \circ A(\delta)$ . Combining this fact with  $\delta : q \xrightarrow{a} q'$  and  $w \models G(\delta)$ , we may now conclude that  $(q, w) \xrightarrow{a} (q', w')$ , as required.  $\Box$ 

**Lemma 23.** If  $s \stackrel{d}{\rightarrow} s'$  then  $\rho(s) \stackrel{-\rho(-d)}{\longrightarrow} \rho_d(s')$ .

**Proof.** Assume  $s \stackrel{d}{\to} s'$ . Let s = (q, v), s' = (q, v'),  $\rho(v) = w$  and  $\rho_d(v') = w'$ . We must prove that  $(q, w) \stackrel{-\rho(-d)}{\longrightarrow} (q, w')$ .

Since  $s \xrightarrow{d} s'$ , we know that  $v' = v \oplus d$  and, for all  $0 \leq d' \leq d : v \oplus d' \models Inv(q)$ . By Lemma 21,

$$w' = 
ho_d(v \oplus d) = 
ho(v) \oplus - 
ho(-d) = w \oplus - 
ho(-d).$$

Choose  $0 \leq d' \leq -\rho(-d)$ . Let  $d'' = -\rho^{-1}(-d')$ . We derive

$$0 \leq d' \leq -\rho(-d) \Leftrightarrow 0 \geq -d' \geq \rho(-d) \Leftrightarrow 0 \geq \rho^{-1}(-d)' \geq -d$$
$$\Leftrightarrow 0 \leq d'' \leq d.$$

This implies that  $v \oplus d'' \models Inv(q)$ . Since  $\rho_{d''}$  is uniform (Lemma 20), uniform mappings preserve regions (Lemma 18), and regions preserve constraints (Lemma 15),  $\rho_{d''}(v \oplus d'') \models Inv(q)$ . By Lemma 21,

$$\rho_{d''}(v \oplus d'') = \rho(v) \oplus -\rho(-d'') = \rho(v) \oplus d'.$$

Hence  $\rho(v) \oplus d' \models Inv(q)$ . Since we have now proved that  $w' = w \oplus -\rho(-d)$  and, for all  $0 \leq d' \leq -\rho(-d)$ ,  $\rho(v) \oplus d' \models Inv(q)$ , it follows that  $(q,w) \xrightarrow{-\rho(-d)} (q,w')$ .  $\Box$ 

#### 4.3. Grid automata

After the preparatory subsections on regions and uniform mappings, we can now state and prove the key theorems that will enable us to restrict to finite subautomata when testing infinite timed transition systems. These subautomata will only contain states in which each clock value is either  $\infty$  or in the *grid set*  $\mathbb{G}^n$ , i.e., the set of integer multiples of  $2^{-n}$ , for some sufficiently large natural number *n*.

For t a real number, let  $\lfloor t \rfloor_n$  denote the largest number in  $\mathbb{G}^n$  that is not greater than t, and let  $\lceil t \rceil_n$  denote the smallest number in  $\mathbb{G}^n$  that is not smaller than t. Write  $\lfloor t \rceil_n$  for the fraction  $(\lfloor t \rfloor_n + \lceil t \rceil_n)/2$  (note that  $\lfloor t \rceil_n \in \mathbb{G}^{n+1}$ ). For  $\mathscr{M}$  a TIOA, write  $S^n_{\mathscr{M}}$ for the set of states  $(q, v) \in S_{\mathscr{M}}$  such that, for each clock  $x, v(x) \in \mathbb{G}^n \cup \{\infty\}$ .

The two small technical lemmas below are easy to prove.

**Lemma 24.** Let  $s \in S^n_{\mathcal{M}}$ . (1) If  $s \stackrel{a}{\to} s'$  with  $a \in \Sigma_{\mathcal{M}}$  then  $s' \in S^n_{\mathcal{M}}$ . (2) If  $s \stackrel{d}{\to} s'$  with  $d \in \mathbb{G}^n \cap \mathbb{R}^{>0}$  then  $s' \in S^n_{\mathcal{M}}$ .

**Lemma 25.** Let  $\rho$  be a uniform mapping,  $u \in \mathbb{R}$  and  $n \in \mathbb{N}$ . Then there exists a uniform mapping  $\rho'$  such that, for all  $t \in \mathbb{R}$ ,

• if 
$$\rho(t) \in \mathbb{G}^n$$
 then  $\rho'(t) = \rho(t)$ ,

• 
$$\rho'(u) = [\rho(u)]_n$$
.

The next theorem is an important step towards the discretization of state spaces. It asserts that whenever we have a distinguishing trace of length *m* for two states in  $S^n_{\mathcal{M}}$ , we can 'massage' this trace into a trace in which all delay actions are in the grid set  $\mathbb{G}^{n+m}$ .

**Theorem 26.** Let  $\mathcal{M}, \mathcal{M}'$  be TIOAs, let  $(r, r') \cong (s, s')$  for states  $r \in S_{\mathcal{M}}, r' \in S_{\mathcal{M}'}, s \in S_{\mathcal{M}}^n$  and  $s' \in S_{\mathcal{M}'}^n$ , and let  $\sigma = a_1 a_2 \cdots a_m$  be a distinguishing trace for r and r'. Then there exists a distinguishing trace  $\tau = b_1 b_2 \cdots b_m$  for s and s' such that, for all  $j \in [1, \ldots, m]$ , if  $a_j$  is an input or output action then  $b_j = a_j$ , and if  $a_j$  is a delay action then  $b_j \in \mathbb{G}^{n+j}$  with  $\lfloor a_j \rfloor \leq b_j \leq \lceil a_j \rceil$ .

**Proof.** Without loss of generality we may assume that *r* has the trace  $\sigma$ , r' does not,  $a_m$  is an ouput action, and r' has the trace  $\sigma' = a_1 a_2 \cdots a_{m-1}$ . Let  $r_0 a_1 r_1 a_2 r_2 \cdots r_{m-1} a_m r_m$  be the unique execution fragment of  $\mathscr{M}$  with  $r = r_0$  and trace  $\sigma$ , and let  $r'_0 a_1 r'_1 a_2 r'_2 \cdots r'_{m-2} a_{m-1} r'_{m-1}$  be the unique execution fragment of  $\mathscr{M}'$  with  $r' = r'_0$  and trace  $\sigma'$ . Inductively we define states  $s_0, \ldots, s_{m-1}$  and  $s'_0 \ldots, s'_{m-1}$ , actions  $b_1, \ldots, b_{m-1}$ , and uniform mappings  $\rho^0, \ldots, \rho^{m-1}$  such that, for all  $j \in [0, \ldots, m-1]$ , if j > 0 then  $b_j$  satisfies the conditions from the theorem,  $\rho^j(r_j, r'_j) = (s_j, s'_j)$ ,  $s_j \in S^{n+j}_{\mathscr{M}}$ ,  $s'_j \in S^{n+j}_{\mathscr{M}'}$ , and if j < m-1 then  $s_j \stackrel{b_{j+1}}{\longrightarrow} s_{j+1}$  and  $s'_i \stackrel{b_{j+1}}{\longrightarrow} s'_{i+1}$ .

To start with, define  $s_0 = s$  and  $s'_0 = s'$ . Since  $(r, r') \cong (s, s')$  there exists, by Lemma 18, a uniform mapping  $\rho^0$  with  $\rho^0(r_0, r'_0) = (s_0, s'_0)$ .

Now suppose that, for some  $j \in [0, ..., m-2]$ ,  $\rho^j(r_j, r'_j) = (s_j, s'_j)$ ,  $s_j \in S_{\mathcal{M}}^{n+j}$  and  $s'_j \in S_{\mathcal{M}'}^{n+j}$ . We distinguish between two cases:

- $a_{j+1}$  is an input or output action. Then define  $s_{j+1} = \rho^j(r_{j+1})$ ,  $s'_{j+1} = \rho^j(r'_{j+1})$ ,  $b_{j+1} = a_{j+1}$ , and  $\rho^{j+1} = \rho^j$ . Since  $r_j \xrightarrow{a_{j+1}} r_{j+1}$  and  $r'_j \xrightarrow{a_{j+1}} r'_{j+1}$ , it follows by Lemma 22 that  $s_j \xrightarrow{b_{j+1}} s_{j+1}$  and  $s'_j \xrightarrow{b_{j+1}} s'_{j+1}$ . By construction  $\rho^{j+1}(r_{j+1}, r'_{j+1}) = (s_{j+1}, s'_{j+1})$ . By Lemma 24.1 we may conclude that  $s_{j+1} \in S_{\mathcal{M}}^{n+j+1}$  and  $s'_{j+1} \in S_{\mathcal{M}'}^{n+j+1}$ .
- $a_{j+1} = d$  is a delay action. By Lemma 25 there exists a uniform mapping  $\rho$  such that  $\rho(r_j, r'_j) = (s_j, s'_j)$  and  $\rho(-d) = [\rho^j(-d)]_{n+j} \in \mathbb{G}^{n+j+1}$ . Define  $\rho^{j+1} = \rho_d$ . Then  $\rho^{j+1}$  is a uniform mapping by Lemma 20. Let  $s_{j+1} = \rho^{j+1}(r_{j+1})$ ,  $s'_{j+1} = \rho^{j+1}(r'_{j+1})$ , and  $b_{j+1} = -\rho(-d)$ . Then Lemma 23 yields  $s_j \stackrel{b_{j+1}}{\to} s_{j+1}$  and  $s'_j \stackrel{b_{j+1}}{\to} s'_{j+1}$ . Straightforward calculations give  $\lfloor a_{j+1} \rfloor \leq b_{j+1} \leq \lceil a_{j+1} \rceil$ . Moreover, by Lemma 24.2, we obtain  $s_{j+1} \in S_{\mathcal{M}}^{n+j+1}$  and  $s'_{j+1} \in S_{\mathcal{M}'}^{n+j+1}$ .

Lemma 18 yields  $r_{m-1} \cong s_{m-1}$  and  $r'_{m-1} \cong s'_{m-1}$ . Let  $b_m = a_m$ . Using Lemma 15, we infer that  $s_{m-1} \xrightarrow{b_m}$  and not  $s'_{m-1} \xrightarrow{b_m}$ . This implies that  $\tau = b_1 b_2 \cdots b_m$  is a distinguishing trace of s and s'.  $\Box$ 

Theorem 26 allows us to 'massage' each distinguishing trace into one in which all delay actions are in a grid set, but there is a dependence between the length of the trace and the granularity of the grid: the longer the trace the finer the grid. This is due to the fact that the distinguishing power of a distinguishing trace for two states r and r' entirely depends on the regions traversed when applying  $\sigma$  to r and r', respectively.



Fig. 3. The TIOA  $\mathcal{M}_n$ .

In certain cases even a tiny delay in  $\sigma$  may cause the traversal to a new region as we will see in the next example.

**Example 27.** Consider the family of TIOAs defined as follows. For each  $n \in \mathbb{N}$  we define the TIOA  $\mathcal{M}_n$  with input action *in* and output action *out*. It has two clocks *x* and *y*, both with domain  $[0,1] \cup \{\infty\}$ . The set of locations is  $\{q_j | 0 \leq j \leq n\} \cup \{p\}$  where  $q_n$  is the initial location and the initial valuation  $v_0$  sets all clocks to 0. The transitions are annotated as follows:

$$q_{j} \xrightarrow{in,(x>0\&y<1),x:=0} q_{j-1} \quad \text{if } 0 < j \le n \qquad q_{0} \xrightarrow{in,(y<1)} p$$
$$q_{j} \xrightarrow{in,(x=0\&y<1)} p \qquad \text{if } 0 < j \le n \qquad p \xrightarrow{in,\tau} p$$
$$q_{j} \xrightarrow{out,(y=1)} p \qquad \text{if } 0 \le j \le n$$

Finally, the invariant is defined by  $Inv(q_j) = (y \le 1)$  for all j, and Inv(p) = T. Fig. 3 depicts automaton  $\mathcal{M}_n$ .

Clearly, if m < n, the TIOA  $\mathcal{M}_m$  is simply the TIOA  $\mathcal{M}_n$  whose initial location is changed into  $q_m$  (up to removal of unreachable locations).

The TIOA  $\mathcal{M}_n$  has the property that if within 1 time unit at most *n* inputs have occurred at different (non-zero) time points, an output action will be generated at time 1. If more inputs arrive in this interval, or the system is fed two inputs at the same point in time, no ouput is generated. In fact, this property can be seen from the following observations. Suppose that the system  $\mathcal{M}_n$  has just arrived to a location  $q_j$ ,  $0 < j \le n$ . Then it is in the region  $(q_j, x = 0 < y < 1)$ , 0 < j < n, or  $(q_n, x = y = 0)$ . In any case, the input *in* would take the system to location *p* and hence it prevents the occurrence of the ouput *out*. Otherwise, by waiting a little while, the system moves to the successor region  $(q_j, 0 < x < y < 1)$  (respectively,  $(q_n, 0 < x = y < 1)$ ). At this point, the input action would take the system to the next location  $q_{j-1}$ , more precisely to the region  $(q_{j-1}, x = 0 < y < 1)$ , and hence the ouput action would still be enabled. Notice that, while the system is at location  $q_0$ , performing 'an extra' *in* also disables the occurrence of *out*.

It is easy to check that  $\mathcal{M}_n$  and  $\mathcal{M}_m$  behave differently for *n* and *m* different. Yet in order to observe this difference a grid size of at most  $1/(2 + \min(n, m))$  is required. Note that this also means that the grid size depends on the number of states, not just on the number of clocks.

In order to obtain a grid size that is fine enough to distinguish all pairs of different states, we need to establish an upper bound on the length of minimal distinguishing traces. This is done in the following theorem.

**Theorem 28.** Suppose  $\mathcal{M}$  and  $\mathcal{M}'$  are TIOAs with the same input actions, and r and s are states of  $\mathcal{M}$  and  $\mathcal{M}'$ , respectively, with  $\mathcal{OS}(\mathcal{M}), \mathcal{OS}(\mathcal{M}'): r \not\simeq s$ . Then there exists a distinguishing trace for r and s of length at most equal to the number of regions of  $S_{\mathcal{M}} \times S_{\mathcal{M}'}$ .

**Proof.** Since r and s are not bisimilar there exists a trace that distinguishes between the two states. In fact, it is easy to see that there exists a distinguishing trace that ends with an output action. Among the distinguishing traces that end with an output action, let  $\sigma$  be a trace with minimal length. Assume that this length is greater than the number of regions of  $S_{\mathcal{M}} \times S_{\mathcal{M}'}$ . We derive a contradiction.

Assume, without loss of generality, that  $\sigma$  is a trace of r but not of s. Let

$$\beta = r_0 a_1 r_1 a_2 \cdots a_{n-1} r_{n-1} a_n r_n$$
  
$$\gamma = s_0 a_1 s_1 a_2 \cdots a_{n-1} s_{n-1}$$

be the (uniquely determined) execution fragments of  $\mathcal{M}$  and  $\mathcal{M}'$ , respectively, with  $r = r_0$ ,  $s = s_0$  and  $\sigma = a_1 \cdots a_n$ . Since *n* is greater than the number of regions of  $S_{\mathcal{M}} \times S_{\mathcal{M}'}$ , there exists indices  $0 \le i < j < n$  such that  $(r_i, s_i) \cong (r_j, s_j)$ . By Lemma 18, there exists a uniform mapping  $\rho$  such that  $\rho(r_j, s_j) = (r_i, s_i)$ . Repeated application of Lemmas 22 and 23 now allows us to construct a distinguishing trace for  $r_i$  and  $s_i$  of length n - j that ends with an output action. But this means that there also exists a distinguishing trace for r and s of length n + i - j that ends with an output action.  $\Box$ 

The upper bound on the length of distinguishing traces of Theorem 28 is of course astronomic in general. In specific cases, one can often give a much more reasonable upper bound. For instance, any pair of distinct states of the switch TIOA of Example 9 can be distinguished by a trace of length one (just wait long enough). In Example 10, any pair of inequivalent states of the TIOA associated to a Mealy machine can be distinguished by a trace with a length less than 2|Q|. (The factor 2 arises from the fact that we have split each transition in the Mealy machine into an input and an output part.) For each  $\mathcal{M}_n$  in Example 27, any pair of different states can be



Fig. 4. The grid automaton  $\mathscr{G}(\mathscr{M}_1, 1)$ .

distinguished by a trace of length at most 2n + 1: *n* input actions interleaved with n + 1 appropriate delays.

For each TIOA  $\mathscr{M}$  and natural number n, we define the grid automaton  $\mathscr{G}(\mathscr{M}, n)$  as the subautomaton of  $\mathscr{OS}(\mathscr{M})$  in which each clock value is in the set  $\mathbb{G}^n \cup \{\infty\}$ , and the only delay action is  $2^{-n}$ . Note that since in the initial state of  $\mathscr{OS}(\mathscr{M})$  all clocks take values in  $\mathbb{Z}^{\infty}$ , it is always included as a state of  $\mathscr{G}(\mathscr{M}, n)$ . Also observe that, since  $\mathscr{G}(\mathscr{M}, n)$  is lean and has a finite number of states and actions,  $\mathscr{G}(\mathscr{M}, n)$  is a finite automaton.

**Definition 29.** Let  $\mathcal{M}$  be a TIOA and let  $n \in \mathbb{N}$ . The grid automaton  $\mathcal{G}(\mathcal{M}, n)$  is the lean LTS  $\mathcal{A}$  given by

•  $Q_{\mathscr{A}} = S_{\mathscr{M}}^{n}$ , •  $\Sigma_{\mathscr{A}} = \Sigma_{\mathscr{M}} \cup \{2^{-n}\}$ , •  $q_{\mathscr{A}}^{0} = s_{\mathscr{M}}^{0}$ , • for all  $s, s' \in Q_{\mathscr{A}}$  and  $a \in \Sigma_{\mathscr{A}}, s \xrightarrow{a}_{\mathscr{A}} s' \Leftrightarrow s \xrightarrow{a}_{\mathscr{OS}(\mathscr{M})} s'$ .

**Example 30.** The reader is invited to check that the picture of Fig. 4 is the grid automaton  $\mathscr{G}(\mathscr{M}_1, 1)$  where  $\mathscr{M}_1$  is the TIOA from Example 27. To shorten notation, each state (q, v) has been denoted by (q, v(x), v(y)).

From the combination of Theorems 26 and 28, it now follows that two TIOAs are bisimilar if and only if their associated grid automata are bisimilar, provided the grid has been chosen sufficiently fine.

**Corollary 31.** Let  $\mathcal{M}$  and  $\mathcal{M}'$  be TIOAs with the same input actions, and let n be greater than or equal to the number of regions of  $S_{\mathcal{M}} \times S_{\mathcal{M}'}$ . Then  $\mathcal{M} \simeq \mathcal{M}' \Leftrightarrow \mathcal{G}(\mathcal{M}, n) \simeq \mathcal{G}(\mathcal{M}', n)$ .

**Proof.** " $\Rightarrow$ ": Immediate, using Lemma 24, since  $\mathscr{G}(\mathscr{M}, n)$  and  $\mathscr{G}(\mathscr{M}', n)$  are proper subautomata of  $\mathscr{M}$  and  $\mathscr{M}'$ , respectively.

" $\Leftarrow$ ": Suppose  $\mathcal{M} \not\simeq \mathcal{M}'$ . Then, by Theorem 28, there exists a trace  $\sigma$  of length at most *n* that distinguishes  $s^0_{\mathcal{M}}$  and  $s^0_{\mathcal{M}'}$ . Since  $s^0_{\mathcal{M}} \in S^0_{\mathcal{M}}$  and  $s^0_{\mathcal{M}'} \in S^0_{\mathcal{M}'}$ , application of Theorem 26 gives that there exists a trace  $\tau$  that also distinguishes  $s^0_{\mathcal{M}}$  from  $s^0_{\mathcal{M}'}$ such that all delays in  $\tau$  are elements of  $\mathbb{G}^n$ . Let  $\tau'$  be the trace obtained from  $\tau$ by replacing each occurrence of a delay action  $m \times 2^{-n}$ , for *m* a positive natural number, by a sequence of *m* delay actions  $2^{-n}$ . Using Wang's time additivity property (Lemma 8.2), we obtain that  $\tau'$  also distinguishes  $s^0_{\mathcal{M}}$  and  $s^0_{\mathcal{M}'}$ . Assume, w.l.o.g., that  $\tau'$ is a trace of  $s^0_{\mathcal{M}}$  but not of  $s^0_{\mathcal{M}'}$ . Since all the actions occurring in  $\tau'$  are also actions of  $\mathscr{G}(\mathcal{M}, n)$ , it follows that  $\tau'$  is a trace of  $\mathscr{G}(\mathcal{M}, n)$ , but not of  $\mathscr{G}(\mathcal{M}', n)$ . This contradicts  $\mathscr{G}(\mathcal{M}, n) \simeq \mathscr{G}(\mathcal{M}', n)$ .  $\Box$ 

We have now reduced the problem of deciding bisimulation equivalence of TIOAs to the problem of deciding bisimulation equivalence of two finite subautomata of the (highly infinite) operational semantics of these TIOAs. The main implication of this result for the conformance testing of TIOAs is that in the testing process we only need to explore finite subautomata, something that can be done effectively in finite time. Before we will address this issue in Section 5, we will prove as the final result of this section that if one applies a test sequence in which the only delay action is  $2^{-n}$  to a TIOA  $\mathcal{M}$ , the resulting execution is fully contained in the grid automaton  $\mathscr{G}(\mathcal{M}, n)$ . This result (which is not entirely trivial) makes it possible to fully explore the grid subautomaton of a TIOA during the testing process. We need two small technical lemmas.

## **Lemma 32.** Suppose $v \models hull(\varphi)$ . Then there exists at least one clock x with $v(x) \in \mathbb{Z}$ .

**Proof.** By contradiction, suppose that for all clocks  $x, v(x) \notin \mathbb{Z}$ . Let  $d = \frac{1}{2}(1 - \max_x fract(v(x)))$  and  $v' = v \oplus d$ . It is easy to check that  $v \cong v'$ . Therefore, by Lemma 15,  $v' \models hull(\varphi)$ . But since d > 0 this contradicts the assumption that v lies on the hull of  $\varphi$ .  $\Box$ 

**Lemma 33.** Let  $\mathscr{M}$  be a TIOA,  $n \in \mathbb{N}$ , and  $s \in S^n_{\mathscr{M}}$ . Suppose that  $s \stackrel{2^{-n}}{\not\to}$ . Then, for some output action  $o \in O_{\mathscr{M}}$ ,  $s \stackrel{o}{\to}$ .

**Proof.** Assume that s does not enable an output action. As a consequence, by Lemma 8.3, s enables a delay action. However, because of Wang's additivity axiom (Lemma 8.2), all delay action that are enabled in s are less than  $2^{-n}$ . Using Lemmas 8.2 and 8.3 once more, we infer that there exists a delay  $0 < d < 2^{-n}$ , a state s' = (q', v'), and an output action o such that  $s \stackrel{d}{\to} s' \stackrel{o}{\to}$ . Clearly, in s' none of the clocks has a value in  $\mathbb{G}^n$ . However,  $s' \stackrel{o}{\to}$  implies that  $v' \models hull(Inv(q'))$ . By Lemma 32, this means that at least one clock has an integer value in v'. Contradiction.

For  $\mathcal{M}$  a TIOA and  $n \in \mathbb{N}$ , write  $Exp_{\mathcal{M}}^n$  for the set of test sequences of  $\mathcal{M}$  in which all the delays are equal to  $2^{-n}$ .

**Lemma 34.** Let  $\sigma \in Exp^n_{\mathcal{M}}$  and  $s \in S^n_{\mathcal{M}}$ . Then  $exec_{\mathcal{M}}(\sigma, s)$  is an execution fragment of  $\mathscr{G}(\mathcal{M}, n)$ .

**Proof.** By straightforward induction on the length of  $exec_{\mathscr{M}}(\sigma, s)$ . Use Lemma 33 to prove that rule (4) in Definition 11 can never be applied.  $\Box$ 

#### 5. Deriving and applying a test suite

Based on the results of Section 4, we introduce a test suite to test a timed implementation under test (IUT) for conformance with respect to a specification TIOA *Spec*. To prove that the test suite is indeed correct and complete relative to certain assumptions about the choice of parameters, we give in Fig. 5 a simple test algorithm that applies each test case from the test suite to an implementation. Theorem 41 states that the algorithm is indeed correct. Our notion of conformance is as follows. We assume that the behavior of the IUT is accurately modeled by a TIOA *Impl*. Then the IUT conforms to the specification *Spec* if *Impl* is bisimilar to *Spec*. Note that we do not consider — as is often done — isomorphism between implementation and specification as conformance relation. This is due to the fact that we do not assume timed automata or their grid machines to be minimal.

Our method of building test suites is similar to Chow's classical algorithm for finite state Mealy machines [11]. A test suite consists of a finite set of test sequences which should be applied to the implementation. Each sequence consists of the concatenation of two sequences. The initial part of a test sequence is taken from a *transition cover* P for a grid subautomaton of *Spec*, i.e., a set of test sequences that together exercise every transition of the subautomaton.

**Definition 35.** Let  $\mathscr{M}$  be a TIOA,  $n \in \mathbb{N}$ ,  $\mathscr{A} = \mathscr{G}(\mathscr{M}, n)$ . A *transition cover* for  $\mathscr{A}$  is a finite collection  $P \subseteq Exp_{\mathscr{M}}^n$  of test sequences, such that  $\varepsilon \in P$  and, for all transitions  $s \xrightarrow{a} s'$  of  $\mathscr{A}$  with s reachable (within  $\mathscr{A}$ ) and stable, P contains test sequences  $\sigma$  and  $\sigma a$  such that  $s_{\mathscr{M}}^0 \xrightarrow{\sigma} s$ .

The trailing part of a test sequence is taken from a set Z, which is a *characterization* set for a grid subautomaton of *Impl*, meaning that for every pair of non-bisimilar grid states, Z contains a sequence that distinguishes between them.

**Definition 36.** Let  $s \in S_{\mathcal{M}}$ ,  $s' \in S_{\mathcal{M}'}$ , and let  $\sigma$  be a test sequence for  $\mathcal{M}$  and  $\mathcal{M}'$ . We say that  $\sigma$  distinguishes s from s' if  $outcome_{\mathcal{M}}(\sigma, s) \neq outcome_{\mathcal{M}'}(\sigma, s')$ . If Z is a set of test sequences for  $\mathcal{M}$  and  $\mathcal{M}'$ , then we write  $s \approx_Z s'$  if no test sequence in Z distinguishes s from s'.

#### Input

- (1) A TIOA *Spec*, the *specification automaton*, with reset action reset, reset time max, and a quiescent initial state
- (2) An *Implementation Under Test (IUT)*, a device that accepts inputs from  $I_{Spec}$  and produces outputs in  $O_{Spec}$
- (3) A natural number n
- (4) A natural number m

# Output

A verdict PASS or FAIL

## Algorithm

Let  $X = I_{Spec} \cup \{2^{-n}\}$ 

- (1) Determine a (minimal) finite transition cover P for  $\mathscr{G}(Spec, n)$
- (2) For all test sequences  $\sigma \in test\_suite(M, n, P, X^{m-1})$  do
  - a. Apply test sequence  $\sigma$  to the IUT
  - b. Return *FAIL* and halt if outcome of (a) differs from  $outcome_{Spec}(\sigma, s_{Spec}^0)$
- (3) Return PASS and halt

Fig. 5. Application of test suite to TIOAs.

Let  $n \in \mathbb{N}$ . Then Z is a *characterization set for*  $\mathscr{G}(\mathcal{M}, n)$  if, for all  $s, s' \in S^n_{\mathcal{M}}$ ,  $s \approx_Z s'$  implies  $s \simeq_{\mathscr{G}(\mathcal{M}, n)} s'$ .

To apply multiple test sequences to the IUT, we need, as in Chow's algorithm, the ability to always bring the machine back to its initial state. In the untimed setting of Mealy machines, one usually assumes the presence of a *reliable reset*, a special input action that brings the machine to its initial state from any given state. A similar requirement is needed in our timed setting, but in this case, it is not reasonable to consider the reset as an instantaneous operation: typically, some time will elapse between the moment when we request the machine to go to its initial state, and the moment at which the reset operation has been completed.<sup>5</sup> This motivates the following definition.

**Definition 37.** An input action *a* is a *reset* of a TIOA  $\mathcal{M}$  if for each reachable, stable state *s*,  $\mathcal{M}$  has an execution fragment of the form  $sa\gamma$ , where  $\gamma$  contains no input actions and has  $s^0_{\mathcal{M}}$  as its last state. We denote that action by reset. We say that  $\mathcal{M}$  has *reset time* max if the maximal time that can elapse between the occurrence of reset and the return to the initial state is at most max.

 $<sup>^{5}</sup>$  Martin Wirsing came with the suggestive example of the control software on board of a BMW, in a state where the car races downhill with a speed of 200 km/h.

It is not difficult to prove that the maximal time that can elapse between the occurrence of a reset action and the time at which the initial state is reached is always less than the number of regions of  $\mathcal{M}$ .

We find it convenient to further restrict attention to TIOAs with a *quiescent* initial state. In a quiescent state a machine waits for stimulus from its environment before producing any output. For instance, the switch of Example 9, in its initial state, always waits for the input action *on* and no output action can be (autonomously) generated. Similarly, the Mealy machine of Example 10 is also quiescent in its initial state since in location  $q_0$  only input actions are enabled. In contrast, the TIOAs  $\mathcal{M}_n$  from Example 27 are not quiescent in their initial state since within 1 time unit the output action *out* is generated without any previous stimuli from the environment.

**Definition 38.** A state of a TIOA is *quiescent* if each outgoing execution fragment from that state that contains an output action also contains an input action.

Now, we are in a position to formally define what a test suite for a given TIOA is.

**Definition 39.** Let  $\mathcal{M}$  be a TIOA and  $n \in \mathbb{N}$ . Let P be a transition cover for  $\mathcal{G}(\mathcal{M}, n)$  and Z a characterization set for the TIOA model of the IUT. The *test suite for*  $\mathcal{M}$  generated from P and Z with grid size n is defined by

 $test\_suite(\mathcal{M}, n, P, Z) \triangleq PZ\{reset max\}$ 

where concatenation of sets of sequences is as defined in Section 2.1.

Fig. 5 presents an algorithm that applies a test suite generated by our test method to an implementation. To prove its correctness, for appropriate values of its parameters, we need one more auxiliary lemma.

**Lemma 40.** Let  $\mathcal{M}$  be a TIOA,  $n \in \mathbb{N}$ , and let m be greater than or equal to the number of states of  $\mathcal{G}(\mathcal{M}, n)$ . Let  $Z = X^{m-1}$ , where  $X = I_{\mathcal{M}} \cup \{2^{-n}\}$ . Then Z is a characterization set for  $\mathcal{G}(\mathcal{M}, n)$ .

**Proof.** We prove that, for all states  $s, s' \in S^n_{\mathcal{M}}$ ,  $s \approx_Z s'$  implies  $s \simeq_{\mathscr{G}(\mathcal{M},n)} s'$ . Assume that  $s \not\simeq_{\mathscr{G}(\mathcal{M},n)} s'$ . Since  $\mathscr{G}(\mathcal{M},n)$  is deterministic, there exists a distinguishing trace  $\sigma$  for s and s' of length m-1 or less [23]. W.l.o.g. assume that  $s \xrightarrow{\sigma\tau} r$ , for some stable state r and sequence of output actions  $\tau$ , and not  $s' \xrightarrow{\sigma\tau}$ . then, by Lemma 13,  $s \not\approx_Z s'$ .  $\Box$ 

Like Chow, we need to give correct estimates of the size of the state spaces involved in order to obtain correctness of our method. Since, in general, the operational semantics of a TIOA has uncountably many states and transitions, measuring the state space of a TIOA gives no meaningful estimates. Instead, we provide estimates in terms of the number of regions of the product TIOA and the size of a grid subautomaton of the implementation. The implications of the following theorem are twofold. It states that (a) the set  $test\_suite(\mathcal{M}, n, P, X^{m-1})$  is a complete test suite for appropriate *m* and *n*, and (b) the algorithm of Fig. 5, when it takes such a test suite as an input, is correct in the sense that it returns *PASS* if and only if the IUT conforms to the given TIOA specification.

**Theorem 41.** Let IUT and Spec be as in the algorithm of Fig. 5. Assume that the behavior of IUT is accurately modeled by a TIOA Impl with reset action reset, reset time max, a quiescent initial state, and the same input and output actions as Spec. Assume that n is greater than or equal to the number of regions of  $S_{Impl} \times S_{Spec}$ , and m is greater than or equal to the number of states of  $\mathscr{G}(Impl, n)$ .

Then the algorithm of Fig. 5, when provided with these inputs, returns PASS iff Spec  $\simeq$  Impl.

**Proof.** The *if* part is straightforward. As to the *only if* part, suppose that the algorithm returns *PASS*. By Corollary 31 it suffices to prove  $\mathscr{G}(Spec, n) \simeq \mathscr{G}(Impl, n)$ . Let *P* and *X* be defined as in the description of the algorithm. Define  $Z = x^{m-1}$ . Since IUT is accurately modeled by *Impl*, which has reset action reset and a quiescent initial state, and because the algorithm returns *PASS*, it follows that, for all  $\sigma \in P$  and  $\tau \in Z$ ,

$$outcome_{Spec}(\sigma\tau, s_{Spec}^{0}) = outcome_{Impl}(\sigma\tau, s_{Impl}^{0}).$$

Let R be the relation between states given by

$$R = \{(s,r) \in S_{Spec}^{n} \times S_{Impl}^{n} \mid \exists \sigma \in P \ \exists \beta_{1}, \beta_{2}, \gamma_{1}, \gamma_{2}:$$

$$\land exec_{Spec}(\sigma, s_{Spec}^{0}) = \beta_{1}\beta_{2}$$

$$\land exec_{Impl}(\sigma, s_{Impl}^{0}) = \gamma_{1}\gamma_{2}$$

$$\land s = last(\beta_{1})$$

$$\land r = last(\gamma_{1})$$

$$\land trace(\beta_{1}) = trace(\gamma_{1})$$

$$\land trace(\beta_{2}) = trace(\gamma_{2}) \in (O_{Spec})^{*}\}.$$

Note that s R r implies  $s \approx_Z r$ . Write  $\mathscr{A} = \mathscr{G}(Impl, n)$ . We claim that the relation  $R' = R \circ \simeq_{\mathscr{A}}$  is a bisimulation between  $\mathscr{G}(Spec, n)$  and  $\mathscr{G}(Impl, n)$ .

Since  $\varepsilon \in P$  and  $\varepsilon \in Z$ , we obtain  $outcome_{Spec}(\varepsilon, s^0_{Spec}) = outcome_{Impl}(\varepsilon, s^0_{Impl})$ . This implies that  $s^0_{Spec} R s^0_{Impl}$ . Hence, since  $\simeq_{\mathscr{A}}$  is reflexive,  $s^0_{Spec} R' s^0_{Impl}$ .

For the proof of the transfer property, assume that s R' r and  $s \xrightarrow{a} s'$ . Then there exists a state u such that  $s R u \simeq_A r$ . We distinguish between two cases:

(1) *a* is an output action. From the definition of *R* in combination with Lemma 8.3 it follows that  $u \xrightarrow{a} u'$ , for some state u' with s' R u'. Since  $\simeq_{\mathscr{A}}$  is a bisimulation, there exists a state r' such that  $r \xrightarrow{a} r'$  and  $u' \simeq_A r'$ . Then s' R' r', as required.

(2) a is an input or delay action. Then it follows from the definition of R in combination with Lemma 8.3 that both s and u are stable states. By definition of R, there exists a test sequence σ ∈ P such that s<sup>0</sup><sub>Spec</sub> <sup>σ</sup>→ s and s<sup>0</sup><sub>Impl</sub> <sup>σ</sup>→ u. This implies in particular that s is a reachable state, and therefore, since P is a transition cover, P contains test sequences τ and τ a such that s<sup>0</sup><sub>Spec</sub> <sup>τ</sup>→ s. Let u'' = last(exec<sub>Impl</sub>(τ, s<sup>0</sup><sub>Impl</sub>)). Then s R u''. Since s ≈<sub>Z</sub> u, s ≈<sub>Z</sub> u'' and ≈<sub>Z</sub> is an equivalence relation, u ≈<sub>Z</sub> u''. By Lemma 40, this implies u ≃<sub>A</sub> u''. Since also u ≃<sub>A</sub> r and ≃<sub>A</sub> is an equivalence relation, this implies u'' ≃<sub>A</sub> r. Let u' be the unique state satisfying u'' <sup>a</sup>→ u'. Using that outcome<sub>Spec</sub>(τa, s<sup>0</sup><sub>Spec</sub>) = outcome<sub>Impl</sub>(τa, s<sup>0</sup><sub>Impl</sub>), we infer s' R u'. Now we use the fact that u'' ≃<sub>A</sub> r to infer that there exists a state r' such that r <sup>a</sup>→ r' and u' ≃<sub>A</sub> r'. Then s' R'r', as required.

The other transfer property can be proved similarly.  $\Box$ 

## 6. Discussion

The algorithm presented in the previous section results in an astronomically large number of test sequences. On top of that, the time delays that occur in these test sequences are microscopically small. Clearly, our algorithm cannot be claimed to be itself of practical value. Rather, the major contribution of our paper is the TIOA model and the demonstration that an algorithm to derive a (complete!) test suite at least exists. In this section we discuss ways to reduce the number of tests, and to make the time delays within the tests manageable.

We have deliberately tried to impose as few restrictions on the model as possible and, as a consequence, our model is extremely fine-grained. It is for instance possible to model situations where occurrences of an input action at two distinct but arbitrarily close moments (see Example 27) lead to completely different behavior. Obviously, much of this subtlety can be sacrificed while retaining a sufficiently expressive model. Finding suitable special cases of our model is therefore an urgent issue. One possibility in this direction is to obtain more *robust* versions (in the sense of [18]) of our timed I/O automata. Basically, a TIOA is robust if, whenever it accepts a trace, it accepts a 'neighboring' trace as well, under some reasonable topology on the set of traces. We hope that a more robust model will yield significantly smaller test sets. A more pragmatic approach proposed in [7] is to explicitly consider the environment. In many occasions states are obviously distinguished by simply checking the environment. For instance, we only have to observe if the light is on to distinguish if the switch is in location  $q_0$  or  $q_1$  (see Examples 2, 5 and 9). As a consequence no explicit test is necessary to distinguish evidently different states. In fact, Cardell and Glover [7] already proposed to combine our approach and theirs to test dense real-time systems.

An alternative line of attack is to optimize on the granularity of the grid. In our approach, the granularity of the grid is directly derived from an upper bound on the

length of distinguishing traces: the shorter the distinguishing traces, the coarser the grid. So in order for our approach to become practical, it is vital to derive good upper bounds on the length of distinguishing traces. We hope that modifications of algorithms for deciding bisimulation equivalence (such as presented in [9, 8, 34]) can yield such bounds. These algorithms might also be helpful to improve on the construction of distinguishing sequences.

A remarkable property of our method is that, unlike most testing approaches for Mealy machines (with some exceptions, e.g., [27]), we do not assume minimality of the specification and implementation automata. Nevertheless, for reasons of efficiency it is of course desirable to work with minimal automata. Minimization of timed automata, however, is a non-trivial issue; in particular timed automata in the Alur–Dill model [2] (and BTDAs) cannot be minimized in general. To solve this problem, in [30] the *minimizable timed automata* (MTA) model is introduced as an extension of the BTDA model. This model does allow minimization: for every MTA there exists a minimal MTA with bisimilar operational semantics. We hope that by working with minimal timed automata the size of test sets can be further reduced by using, for instance, techniques for discrete time automata, like in [7].

Finally, we expect that our approach may also support incomplete but practically useful methods for testing timed systems such as in [12, 26]. In fact, it is always an option to use the grid automaton construction heuristically. Instead of taking the worst-case grid size right away, one might start off with a coarse grid to obtain a small, incomplete set of useful tests. If desired, the grid can be subsequently refined, thus approximating the required grid size. After all, the bound for the grid size that we require is indeed very small, and we hope that there is room for some improvement. In fact, we do not know of any counterexample that states that such a bound is tight. Example 27 only points out that for general TIOAs the grid size can never be based on the number of clocks alone but it also suggests that a still appropriate grid size might be far above the bound we obtained.

# Notation

| a                              | action                  |
|--------------------------------|-------------------------|
| d                              | nonnegative real number |
| е                              | term                    |
| i                              | input action, index     |
| <i>j</i> , <i>k</i>            | index                   |
| m, n                           | integer or $\infty$     |
| 0                              | output action           |
| q, r, s                        | state or location       |
| <i>t</i> , <i>u</i>            | real number or $\infty$ |
| v, w                           | clock valuation         |
| <i>x</i> , <i>y</i> , <i>z</i> | clock                   |
|                                |                         |

| 4              | manning from transitions to againments                       |
|----------------|--------------------------------------------------------------|
| A<br>C         | mapping from transitions to assignments finite set of clocks |
| E<br>E         | set of transitions                                           |
|                |                                                              |
| F(C)           | the set of constraints over <i>C</i>                         |
| G              | mapping from transitions to constraints                      |
| I              | set of input actions interval                                |
| J $M(C)$       |                                                              |
| M(C)           | the set of assignments over $C$                              |
| 0<br>D         | set of output actions                                        |
| P<br>O         | transition cover                                             |
| Q<br>R         | set of states or locations                                   |
| R<br>S         | relation                                                     |
|                | set of states                                                |
| T(C)           | the set of terms over C                                      |
| V(C)           | set of clock valuations over C                               |
| X              | set of actions                                               |
| Z<br>A         | set of sequences of actions                                  |
|                | labeled transition system<br>bounded time domain automaton   |
| R<br>E         |                                                              |
| 6<br>G         | test sequence LTS                                            |
| 9<br>M         | grid automaton<br>timed I/O automaton                        |
| м<br>0S(B)     |                                                              |
| 9<br>P         | input/output partition of action set                         |
| 5<br>T         | timing annotation                                            |
| F              | falsehood                                                    |
| $\mathbb{G}^n$ | the set of integer multiples of $2^{-n}$                     |
| N              | the set of natural numbers                                   |
| R              | the set of real numbers                                      |
| т              | truth                                                        |
| $\mathbb{Z}$   | the set of integers                                          |
| α              | region                                                       |
| β,γ            | execution fragment                                           |
| δ              | transition                                                   |
| 3              | the empty sequence                                           |
| $\mu$          | assignment                                                   |
| ho             | uniform mapping                                              |
| $\sigma, \tau$ | sequence                                                     |
| $\varphi$      | constraint                                                   |
| $\Sigma$       | set of actions                                               |

#### References

- A.V. Aho, A.T. Dahbura, D. Lee, M.Ü. Uyar, An optimization technique for protocol conformance test generation based on UIO sequences and Rural Chinese Postman Tours, IEEE Trans. Comm. 39(11) (1991) 1604–1615.
- [2] R. Alur, D.L. Dill, A theory of timed automata, Theoret. Comput. Sci. 126 (1994) 183–235. Preliminary versions of this paper appear in the Proc. 17th Internat. Colloq. on Automata, Languages, and Programming (1990), and in the Proc. REX workshop "Real-Time: Theory in Practice" (1991).
- [3] R. Alur, T.A. Henzinger (Eds.), Proc. 8th Internat. Conf. Computer Aided Verification, New Brunswick, NJ, USA, Lecture Notes in Computer Science, Vol. 1102, Springer, Berlin, July/August 1996.
- [4] R. Alur, T.A. Henzinger, E.D. Sontag (Eds.), Hybrid Systems III, Lecture Notes in Computer Science, Vol. 1066, Springer, Berlin, 1996.
- [5] R. Alur, R.P. Kurshan, Timing analysis in COSPAN, in: Alur et al. (Eds.), Hybrid Systems III, Lecture Notes in Computer Science, Vol. 1066, Springer, Berlin, 1996, pp. 220–231.
- [6] J. Bengtsson, W.O.D. Griffioen, K.J. Kristoffersen, K.G. Larsen, F. Larsson, P. Pettersson, Wang Yi, Verification of an audio protocol with bus collision using UPPAAL, in: Alur, Henzinger (Eds.), Proc. 8th Internat. Conf. Computer Aided Verification, New Brunswick, NJ, USA, Lecture Notes in Computer Science, Vol. 1102, Springer, Berlin, July/August 1996, pp. 244–256.
- [7] R. Cardell-Oliver, T. Glover, A practical and complete algorithm for testing real-time systems, in: A.P. Ravn, H. Rischel (Eds.), Proc. 5th Internat. Symp. in Formal Techniques in Real-Time and Fault Tolerant Systems, Lyngby, Denmark, Lecture Notes in Computer Science, Vol. 1486, Springer, Berlin, 1998, pp. 251–261.
- [8] K. Čerāns, Algorithmic problems in analysis of real time system specifications, Dr.sc.comp. Thesis, University of Latvia, Rīga, 1992.
- [9] K. Čerāns, Decidability of bisimulation equivalences for parallel timer processes, in: G.V. Bochmann, D.K. Probst (Eds.), Proc. 4th Internat. Workshop on Computer Aided Verification, Montreal, Canada, Lecture Notes in Computer Science, Vol. 663, Springer, Berlin, 1992, pp. 302–315.
- [10] W.Y.L. Chan, S.T. Vuong, M.R. Ito, An improved protocol test generation procedure based on UIOs, in Proc. ACM Symp. on Communication Architectures and Protocols, ACM, 1989, pp. 283–294.
- [11] T.S. Chow, Testing software design modeled by finite-state machines, IEEE Trans. Software Eng. 4(3) (1978) 178–187.
- [12] D. Clarke, I. Lee, Automatic generation of tests for timing constraints from requirements, in Proc. 3rd Internat. Workshop on Object Oriented Real-Time Dependable Systems, Newport Beach, California, February 1997.
- [13] P.R. D'Argenio, J.-P. Katoen, T.C. Ruys, J. Tretmans, The bounded retransmission protocol must be on time! in: E. Brinksma (Ed.), Proc. 3rd Workshop on Tools and Algorithms for the Construction and Analysis of Systems, Enschede, The Netherlands, Lecture Notes in Computer Science, Vol. 1217, Springer, Berlin, April 1997, pp. 416–431.
- [14] C. Daws, A. Olivero, S. Tripakis, S. Yovine, The tool KRONOS, in: Alur et al. (Eds.), Hybrid Systems III, Lecture Notes in Computer Science, Vol. 1066, Springer, Berlin, 1996, pp. 208–219.
- [15] C. Daws, S. Yovine, Two examples of verification of multirate timed automata with KRONOS, in Proc. 16th IEEE Real-Time Systems Symp. (RTSS'95), Pisa, Italy, IEEE Computer Society Press, Silver Spring, MD, December 1995, pp. 66–75.
- [16] A. En-Nouaary, R. Dssouli, F. Khendek, A. Elqortobi, Timed test cases generation based on state characterization technique, in Proc. 19th IEEE Real-Time Systems Symposium (RTSS'98), Madrid, Spain. IEEE Computer Society Press, Silver Spring, MD, December 1998, pp. 220–229.
- [17] J.-C. Fernandez, C. Jard, Th. Jéron, C. Viho, Using on-the-fly verification techniques for the generation of test suites, in: Alur, Henzinger (Eds.), Proc. 8th Internat. Conf. Computer Aided Verification, New Brunswick, NJ, USA, Lecture Notes in Computer Science, Vol. 1102, Springer, Berlin, July/August 1996, pp. 348–359.
- [18] V. Gupta, T.A. Henzinger, R. Jagadeesan, Robust timed automata, in: O. Maler (Ed.), Proc. Internat. Workshop HART'97, Lecture Notes in Computer Science, Vol. 1201, Springer, Berlin, 1997, pp. 331–345.
- [19] T.A. Henzinger, P.-H. Ho, HyTech: the Cornell HYbrid TECHnology tool, in: U.H. Engberg, K.G. Larsen, A. Skou (Eds.), Proc. Workshop on Tools and Algorithms for the Construction and Analysis

256

of Systems, Aarhus, Denmark, BRICS Notes Series, Vol. NS-95-2, Department of Computer Science, University of Aarhus, May 1995, pp. 29-43.

- [20] T.A. Henzinger, X. Nicollin, J. Sifakis, S. Yovine, Symbolic model checking for real-time systems, Inform. Comput. 111 (1994) 193–244.
- [21] P.-H. Ho, H. Wong-Toi, Automated analysis of an audio control protocol, in: P. Wolper (Ed.), Proc. 7th Internat. Conf. on Computer Aided Verification, Liège, Belgium, Lecture Notes in Computer Science, Vol. 939, Springer, Berlin, June 1995, pp. 381–394.
- [22] G.J. Holzmann, Design and Validation of Computer Protocols, Prentice-Hall International, Englewood Cliffs, NJ, 1991.
- [23] Z. Kohavi, Switching and Finite Automata Theory, 2nd Edition, McGraw-Hill, New York, 1978.
- [24] K.G. Larsen, P. Pettersson, Wang Yi, UPPAAL in a nutshell, Internat. J. Software Tools Technol. Transfer 1(1/2) (1997) 134–152.
- [25] N.A. Lynch, M.R. Tuttle, Hierarchical correctness proofs for distributed algorithms, in Proc. 6th Annual ACM Symp. on Principles of Distributed Computing, August 1987, pp. 137–151. A full version is available as MIT Technical Report MIT/LCS/TR-387.
- [26] D. Mandrioli, S. Morasca, A. Morzenti, Generating test cases for real-time systems from logic specifications, ACM Trans. Comput. Systems 13(4) (1995) 365–398.
- [27] A. Petrenko, T. Higashino, T. Kaji, Handling redundant and additional states in protocol testing, in: A. Cavalli, S. Budkowski (Eds.), Proc. 8th Internat. Workshop on Protocol Test Systems IWPTS '95, Paris, France, 1995, pp. 307–322.
- [28] R. Segala, R. Gawlick, J.F. Søgaard-Andersen, N. Lynch, Liveness in timed and untimed systems, Inform. Comput. 141 (1998) 119–171.
- [29] I. Sommerville, Software Engineering, 5th edition, Addison-Wesley, Reading, MA, 1996.
- [30] J.G. Springintveld, F.W. Vaandrager, Minimizable timed automata, in: B. Jonsson, J. Parrow (Eds.), Proc. 4th Internat. Symp. on Formal Techniques in Real Time and Fault Tolerant Systems (FTRTFT '96), Uppsala, Sweden, Lecture Notes in Computer Science, Vol. 1135, Springer, Berlin, 1996, pp. 130–147.
- [31] J. Tretmans, A formal approach to conformance testing, Ph.D. Thesis, University of Twente, December 1992.
- [32] J. Tretmans, Test generation with inputs, outputs, and quiescence, in: T. Margaria, B. Steffen (Eds.), Proc. 2nd. Workshop on Tools and Algorithms for the Construction and Analysis of Systems, Passau, Germany, Lecture Notes in Computer Science, Vol. 1055, Springer, Berlin, April 1996, pp. 127–146.
- [33] J. Tretmans, Test generation with inputs, outputs, and repetitive quiescence, Software Concepts and Tools 17 (1996) 103–120.
- [34] C. Weise, D. Lenzkes, Efficient scaling-invariant checking of timed bisimulation, in: R. Reischuk, M. Morvan (Eds.), Proc. 14th Symp. on Theoretical Aspects of Computer Science STACS '97, Lübeck, Germany, Lecture Notes in Computer Science, Vol. 1200, Springer, Berlin, February 1997, pp. 177–188.
- [35] Wang Yi, Real-time behaviour of asynchronous agents, in: J.C.M. Baeten, J.W. Klop (Eds.), Proc. CONCUR 90, Amsterdam, Lecture Notes in Computer Science, Vol. 458, Springer, Berlin, 1990, pp. 502–520.