Testing Embedded Real-Time Systems'

Abdeslam En-Nouaary
Depart. d'IRO, UniversitC de MontrCal,
C.P. 6 128, succ. Centre-ville, MontrCal,
H3C 3J7, Quebec, Canada
Email: ennouaar@iro.umontreal.ca

Ferhat Khendek
Electrical and Computer Engineering,
Concordia University, 1455 Maisonneuve Blvd. W.,
Montreal, H3G 1M8, Quebec, Canada
Email: khendek@ece.concordia.ca

Rachida Dssouli
Depart. d'IRO, UniversitC de MontrCal,
C.P. 6128, succ. Centre-ville, MontrCal,
H3C 3J7, Quebec, Canada
Email: dssouli@iro.umontreal.ca

Abstract
Keywords: Conformance Testing, Testing in Context,
Real-Time Systems, Embedded Systems, Timed Input Output
Automata, Communicating Timed Input Ouput Automata.

A n embedded real-time system consists of a number of

components (processes) that run concurrently and communicate with each other under predefined timing constraints.
The correctness of such systems is important, since they are
used in an increasing number of safety critical systems. To
improve the quality of these systems, two techniques can be
used, namely verification of the specification and testing of
the implementation. In this paper, we consider the testing of
embedded real-time components. In our model, the system
is modeled as a set of Communicating Timed Input Output
Automata (CTIOA). One CTIOA specifies the component to
be tested and the remaining CTIOAs represent the context.
The relationship between the component to be tested and
the other ones should be taken into account for test cases
generation. We discuss how testing in context differs from
testing in isolation. We review the fault model in the
context of CTIOA and we propose an approach for test
cases generation from an embedded CTIOA. This approach
consists of three steps. First, we avoid the composition of
all machines by selecting, based on a specific criterion,
only some parts of the CTIOA's context that affect (or
are affected by) the specification. Then, we determine the
partial product of the specification and the selected parts
of the context. Finally, we apply Timed Wp-Method [7] on
the resulting timed input output automata. The quality of
the resulting partial product is strongly dependent on the
criterion used to select the parts of the context to consider
in test cases generation.

1. Introduction
Real-time software systems are time dependent. Examples of such systems include safety critical systems, patient
monitoring systems, and multimedia applications. In the
last two decades, real-time systems were intensively studied
in order to improve the correctness of their specifications
and implementations. Two techniques are usually used to
cope with the correctness of a software system, namely
verification and testing.
Verification techniques deal
with a system specification to prove that it satisfies some
predefined properties like liveness, safety, etc. On the other
hand, testing techniques deal with a system implementation
to assess its conformance to its reference specification
according to predefined conformance relations (see for
instance [lo, 16,3,23,7]).
Several formal models and techniques have been developed and used for real-time systems [l,7, 24, 5,4, 17, 181.
They differ in their expressiveness and their complexities.
Recently, the testing of real-time systems has been investigated by several researchers using "isolated" timed models
[7, 8, 6, 23, 5, 151. For Communicating Timed Input
Output Automata, other methods have to be investigated.
To the best of our knowledge, works have been done to test
communicating (extended) finite state machines [19,2], but

'This work is supported by NSERC Grants #OG20629188 for Dssouli

and #OGP0194234 for Khendek.

417
1530-1427/00$10.000 2000 IEEE

not for communicating timed models.

inputs and outputs.

In this paper, we are interested in testing components

in contexts. We refer to this type of testing as testing
in context or embedded testing (see [ll, 19, 14, 21 for
untimed models). A typical architecture of the system
we consider is shown in Figure 1. This architecture is
composed of two entities: The CTIOA component to be
tested denoted by IUT (Implementation Under Test), and
the rest of the system which forms the test context. Testing
in context differs from testing in isolation at least in the
following points. The IUT is not tested based only on
the specification. First, we must take into account the
possible effects of the context. Indeed, the context of
the implementation may tolerate some faults and some
non-conform implementations in isolation become conform
to the specification in context. Secondly, the context is
not required to be tested. In fact, the components of the
context are generally assumed to be tested in isolation
before. Thirdly, the executability of each transition in the
specification is not guaranteed. A transition may not be
fed because no component of the context can produce the
action of the transition within the allowable time space.
Finally, since the implementation communicates with its
context via intemal actions and with the environment via
extemal actions, its complete input/output behavior is not
directly controllable and observable.

In this paper, we present a framework for generating

timed test cases for an embedded real-time component.
The whole system is modeled as a set of CTIOAs. One
CTIOA specifies the component to be tested and the
remaining CTIOAs represent the context. Contrary to
other communicating timed models [21, 12, 201, CTIOA
model uses a general form of time constraints for the
transitions and an asynchronous communication model
between its components via bounded reliable channels. To
generate timed test cases, our approach consists of three
steps. First, we avoid the composition of all machines by
selecting, based on a specific criterion, only some parts
of the CTIOA's context that affect (or are affected by) the
specification. Then, we determine the partial product of the
specification and the selected parts of the context. Finally,
we generate test cases for the resulting timed input output
automata by applying Timed Wp-Method [7]. We notice
that the quality of the partial product is strongly dependent
on the criterion used to select the parts of the context to
consider in test cases generation.

IUT
A

I1

E1

--

The remainder of this paper is organized as follows. In

Section 2, we present the CTIOA model. In Section 3, we
review our fault model in the context of CTIOA. In Section 4, we develop our approach to generate timed test cases
from CTIOA for testing an embedded component. In Section 5, we conclude and discuss future work.

2. Communicating Timed Input Output Automata Model

EO

IO

Test Context

An embedded real-time system consists of a certain

number of processes that run concurrently and communicate with each other under certain timing constraints via
reliable bounded channels. To describe formally such systems, we use the Communicating Timed Input Output Automata (CTIOA) model.

* EO

Figure 1. An Embedded System

Definition 2.1 Communicating Timed Input Output Automata

A
Communicating
Timed
Input
Output Automata CT is fomally defined as a tuple CT =
( I c t 7 o c t ,L c t e t c c t , T c t Fct ) where:

One trivial method to test a CTIOA component consists

of composing all the machines into one and test this
machine. This solution is not efficient since it may lead to
a state explosion in the case of large systems. One solution
therefore is to develop an approach to test the CTIOA
machine in the context formed by the remaining machines.
The IUT and test context communicate with each other
through hidden interfaces via intemal inputs and outputs.
The test context and (possibly) the IUT communicate with
the environment using observable interfaces via extemal

Ict is a finite set of input actions; each input begins

with "?",
0,t is afinite set of output actions; each output begins
with "!",

LCtis afinite set of locations,

1$ E LCtis the initial location,
418

Cct is afinite set of clocks all initialized to zero in &,

Tct is afinite set of transitions, and

outputs are EI = { e l , e 2 } and Eo = 0 respectively. However, the set of intemal inputs and outputs is I = { i l ,i2}.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F,t is a FIFO channel.

!
i
2
m
1

A transition in Tct consists of a tuple (l,, {?,! } a ,R, G, l,),

I _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ )

The Context

A real-time system is a collection of communicating

timed input output automata (CT1,CT2, ..., CT,) , where
each CTi, 1 5 i 5 n, represents the behavior of a system
process. We use the following assumptions about the communication between the different processes of the system.

A CTIOA can not communicate with itself (Le, V i =

1, 2, n ICT, n OCT, = 0>,
Each intemal action has only one sender and one receiver,

For each intemal input ?a (intemal output ! a ) in a

CTIOA CT,, there exists a corresponding intemal output !a (intemal input ?a) in another CTIOA CT, (i #
j),

I
I

?il,z<=2

I
I

The Spec

Figure 2. An Example of CTlOAs

The whole behavior of a real-time system is described

by a global TIOA representing the global locations and
the global transitions of the system. A global location
of a real-time system (CT1,CT2, ...,CT,) is a tuple
( 1 1 , 1 2 ,...,1,,3'1, F2, ...,F,), where l i , 1 5 i 5 n, is a
location in CTi, 1 5 i 5 n, and Fi, 1 5 i 5 n, is the FIFO
associated with CTi, 1 5 i 5 n.
A global transition of
a real-time system
(CT1,CT2, ..., CT,) is a transition between two global
locations caused by a transition in a component of the
system. The global TIOA, T,, of a real-time system
is obtained by computing the product of all communicating timed input output automata ( C T ) l ~ i (i.e,
~,
Tg = CT1 x CT2 x ... x CT,).

We distinguish extemal inputs EIfrom intemal inputs

I I , and extemal outputs Eo from intemal outputs I o .
We have EI n EO = 0 and I I n IO = 0.

As in [24, 71, we assume in this paper that the time domain for each clock 2 E Cct has the form [0, M,] U {co},
where M , is the maximum natural number the clock
z is compared to in a constraint. We also note that
VE > O,Mx + E = 00.

?el,x:=O,x<=l

{?,!}a,R,G

+ l,, where
denoted in the rest of this paper by 1,
1, and 1, are respectively the source and target locations,
{?,!}U is an input or an output action, R is the set of
clocks to be reset within the transition, and G is the guard
condition (time constraint) of the transition. The guard
condition is the conjunction of the boolean formulas of the
form x o p m , wherex E C , op E {<, <,=,>, >}, andm
is a natural number. We define the time space of a transition
as the set of clock valuations satisfying the time constraint
of the transition.

'

This complete product is costly to construct because it

is exponential to the number of locations and transitions of
CTIOAs. Moreover, we usually need to construct only a
partial product of the system implying a small set of transitions T S = { t l ,t2, ...,t,}.

Communications are performed asynchronously via

bounded reliable channels. In the example given in
this paper, we assume that the length of all channels is
1, and

Product Of cTIoAs
Definition 2.2
Let (CT1,CT2, ..., CT,) be a collection of CTIOAs describing a real-time system. The Partial Product of CT,,
i = 1 , 2 , ...,n, denoted PP(CT,)l<,<,over the set of transitions T S = { t l ,t2, ...,t,} is definedas CT, x T S . Notice
that PP(CT,) (CT1 x CT2 x ... x CT,).

All the system processes begin their executions (start

at their initial locations) at thexime time.

Figure 2 shows three CTIOAs. They interact with the

environment via extemal actions and with each other via
intemal actions. The sets of extemal inputs and extemal

419

can produce an intemal output only within a time subspace

of the internal input of the specification. So, any restriction of the time constraint of the corresponding input to this
time subspace is not a fault. Let us consider the transition
?il z<2
c1 4 eo of the specification in Figure 2. Here are some
restrictions of the time constraint of this transition:

The semantics of a real-time system is given by the region graph [ 13 of its global TIOA, Tg. It shows all the possible executions of the system. A state of a region graph is
defined as a couple (1, w), where Z is a location in Tg and w
is a clock valuation that assigns a real value to each clock
in Tg.The initial state of the system is ( l o , 00) such that 10
is the initial location of Tgand 00(z) = 0 for each clock z.
There are two types of transitions in a region graph:
0

Delay transitions: Starting from a state s = (1, w),

when time progresses with d units (d is a real number),
the system enters a new state s = (1, w d ) , where
w + d is a mapping (clock valuation) that associates to
each clock 2 the real value w(z) d.

?21,2<1

+ eo. This is an effective fault because

the states (cl, 1 < z 5 2) are reachable. The
sequence 1/4.?e1.1/4.?e2.1/4.1/4.1/4.1/4
is a trace
that brings the system from the state (ao,C O , z = z =
0) to the state (ao,q,,z = 5/4&z = 6/4).
c1

c1
-+ CO. This restriction of time constraint is not an effective fault because the transition
,z<2
?il,l>z&z<2
c1
+ CO is equivalent to c1 ?it+
CO in context. There is no trace that can bring the system from
the initial state to a state where z 5 1.
?il,l>z&z<2

Explicit transitions: Starting from a state ( l , w ) , the

system makes many delay transitions, and when it
reaches a state s = (Z,w) where v = v + d for
some time increment d, it may execute a transition
{?,!hJ&
I provided U
G. Consequently, the
system enters a new state s = (Z, [ R := Olv), where
[R := O]w is a mapping (clock valuation) that assigns
0 to a clock z if it belongs to R and ~ ( zotherwise.
)

Similarly, even if an implementation enlarges a time constraint of an intemal input, the extra time space of the input cannot be reached if the context always produces the
intemal output in a time subspace of the initial time con?a1

,z<2

straint. As an example, consider the transition c1 --f CO

of the specification in Figure 2. The enlargement of time
?a1 , 2 > 2 & ~ < 4
constraint by c 1
-+
CO is an effective fault because the extra time space (2 < z < 3) is reachable
from the intial state of the system. If we now change the
?a1 , z < 2
transition c1 --+CO of the specification in Figure 2 by

3. Timed Fault Model for CTIOA

The fault model describes, at some level of abstraction,
the effects of failures in a system implementation. It is
strongly dependent on the formal model used as a basis
for the system specification. In this section, we review
the TIOA fault model [S, 91 in the context of CTIOA.
We specially illustrate the effects of the context on a fault
in a particular component, and the propagation of faults
between the components of the system.

?a1 2<4

4 C O , the fault c 1

?a1 z<4

CO is not effective because

the state ( c 1 , z = 4) is not reachable in context. There
is no trace that can bring the system from its initial state
(ao,co,z = z = 0) to a state (a,,cl,z = w,z = 4). So,
?ai z < 4
?Zl,2<4
the transition c1
CO is equivalent to c 1 -+ CO in
context.

c1

The timed fault model consists of two types of faults:

timing faults and output/transfer fault. A timing fault is a
fault that affects the time constraint of a transition. In the
case of TIOA like model, a timing fault can be either a reset of a clock, a non reset of a clock, a restriction and the
enlargement of time constraint of a transition. However, an
output/transfer fault is a fault that affects the output or the
target state of a transition. In the case of CTIOA, we focus
on the restriction and enlargement of time constraints for
transitions on internal inputs and outputs. The other types
of faults are the same as those presented in [S, 91, since they
are observable by the environment or they are not affected
by the context.

3.2. Internal Outputs Timing Faults

As the case of inputs, the restriction and enlargement of
time constraints of outputs are not always considered as
faults. Indeed, an implementation that narrows the time
constraint of an output is not considered faulty when the
context does not accept the output in the missed time space.
Similarly, we do not talk about a fault if an implementation enlarges a time constraint of an output and the context
does not accept the output in the extra time space. As an
example, we consider again the Figure 2 but we replace
?a1 2<2

!i1,~:=0,~>1&~<3

the transitions c1 if CO and a1

-+
a0
!~1,~>2&2<4
>1&~<3
by ~1
-+ - CO and ai ?il,z:=O1z+
a0 respectively. If the implementation changes the time constraint

3.1. Internal Inputs Timing Faults

The restriction and the enlargement of time constraints
are not always considered as faults because of the context. For the restriction of a time constraint, the context

!i1,2>2&2<4

!ii,z>2&~<3

of the transition c1
-+
CO by c 1
-+
CO
but the context can not accept the intemal input ? i l when

420

3 5 z 5 4, the implementation will be declared con-

procedure is repeated recursively for each marked transition

of the context. When selecting a path in the context, we try
to end the path with an extemal output action in order to
observe the possible faults regarding the internal input or
output. If such extemal output action does not exist, some
faults may remain undetected.

form to its specification in context. Also, if the implementatation enlarges the time constraint of the transition
!al,z>2&z<4

,2>2&~<5

--+ - CO to be c1
--+ CO but the context
can not accept the internal input ?il when 4 < z 5 5, the
implementation will be declared conform to its specification
in context.
c1

The choice of the paths is very important since it affects

the quality of testing. In fact, for each marked transition
t,, there may exist an infinity of paths that may induce
the execution of t,. This is mainly due to the infinity of
preambules that end at the source location of the transition
t, corresponding to t,. Choosing one preambule or another
depends strongly on the objective of test. To deal with
this issue, we next define some criteria based on the
executability of a path and its ability to detect faults.

4. Our Approach for Testing an Embedded

CTIOA
A straightforward method for testing an embedded
CTIOA consists of composing all the machines into one and
test the resulting machine. This solution ensures that all the
functionalities of the system are tested, and so guarantees a
complete fault coverage. However, the construction of the
complete product of the system leads to a state explosion
problem. Moreover, the context needs not to be entirely
tested. To cope with this complexity, we make a tradeoff
between the fault coverage and the cost related to the composition of all components of the system. We aim to achieve
a good fault coverage by constructing only a subset of the
systems complete product. Our methodology consists of
three steps:
0

Given a transition t, in the specification and its corresponding transition t , in the context, we choose only
the preambules that allows t , to be executed. The other
preambules will lead to a deadlock in the source location
oft,. This condition is called the Executability Criterion.
In addition to this criterion, we define two other simple
criteria based on the ability to detect faults. The Shorted
Preambule Criterion consists of choosing the shortest
preambule, among the executable ones, to reach the
source location of t,. However, the Most Representative
Preambule consists of choosing the preambule, among the
executable ones, that allows to test a large time space of
t,. The executable preambules are obtained by propagating
the time constraint of each transition to its target location
[22], and verifying the satisfaction of the time constraint
of any outgoing transition from this location. The process
is repeated until the transition t , will be reached. In this
paper, we use the shortest preambule criterion to select the
paths of the context that influence (or are influenced by) a
transition t , in the specification.

the selection of the context transitions that affect (or

are affected by) the execution of the CTIOA component to be tested (the specification),
the construction of the partial product of the system,
and
the application of Timed Wp-method [7] on the resulting partial product.

4.1. Selection of Contexts Implied Transitions

This step consists of searching the transitions of the
specification and context to consider when testing an
implementation in context. The approach is recursive and
is based on the marking technique.

Following this approach, we use only the relevant

transitions of the context to generate timed test cases.
We avoid therefore the state explosion problem due to
the complete product of the context and the specification.
Notice that testing two CTIOAs (one for the specification
and the other for the context) is equivalent to testing the
complete product of the two machines, because all the
context transitions will be marked. Therefore, the proposed
approach is suitable only if the number of CTIOAs in the
system is greater than 2.

We want to test an implementation against its specification in context, therefore all the transitions of the
specification must first be marked. For each marked transition t, of the specificationwe look for the set of paths in the
context that may induce the execution of the transition t,.
Each path is a set of consecutive transitions and consists of
three parts: the transition t , corresponding to the transition
t,, the preamble that starts at the initial location and ends
at the source location oft,, and a post-amble that starts at
the target location of t, and ends at some location I,. All
the transitions of the selected paths will be marked. The

The complete algorithm to select the needed transitions

for test cases generation can be described as follows.

42 1

7,!}a,R,G j

The Transitions Selection Algorithm

begin
MarkedTransitions = All the transitions of the specification.
HandledTransitions = 0.
While MarlcedTransitions\HandledTransitions # 0

do begin
Choose a transition t , from MarkedTransitions\
HandledTransitions.
Add t , to HandledTransitions.
Let t , be the corresponding transition oft, in the context.
Let Source and Target be the source and the target
locations of the transition t , respectively.
Find a preambule in the context that ends at Source and
satisfies the selection criterion.
Find a postambule of the transition t , that contains at
least one extemal output.
Mark the transition t , and the transitions of preambule
and postambule and add them to MarlcedTransitions

EndWhile
EndAlgorithm
The algorithm takes as inputs a set of CTIOAs representing an embedded real-time system and a transition selection criterion to be satisfied by the selected transitions.
One CTIOA specifies the component to be tested and the
remaining CTIOAs represent its context. As outputs, the algorithm gives a set of transitions to be used for test cases
generation. In the worst case, the set of marked transitions
is formed of all transitions of the system. But it is, in most
cases, very small.

If there is a marked transition 1; {. + 1, then

If a is an internal input and F! = a.Fi
then F! = FL
else if a is an internal output and the channel Fj is
not full then F! = F/.a

EndIF

Create a new location 1 = (l:, 11, ..., li,...,l r , F:, F:,

..., F:, ..., F,'") and add it to LocationsSet if it does
not exist.
Add the corresponding transition ( l i , 15, ..., la, ...,lp,
F:, F:,
F:, F:,

{?,!}a,R,G

...,F l , ...,F?) + ( l i , 15, ..., l g , ...,l r ,

...,F:, ...,F,'") to TransitionsSet.

EndWhile
EndAlgorithm
The size of the resulting partial product depends mainly
on the number of transitions selected during the previous
step (see section 4.1). In the worst case, the partial product
is equal to the complete product. But in practical cases,
only a small portion of the latter is constructed. On the
other hand, the quality of the partial product can be measured by the fault coverage of the test cases generated from
it. This fault coverage is basically related to the criterion
used for the selection of transitions to be considered in the
construction of partial product. The stronger the criterion
is, the better is the quality of the partial product.
The partial product of the Figure 2 is shown in Figure 3.
/

*>l&<=2

4.2. Construction of a Partial Product

After applying the previous step, we obtain a set of transitions that affect (or are affected by) the execution of the
component to be tested. These transitions are used to compute the partial product of the system following the Definition 2.2 in Section 2. The resulting partial product is generally much smaller than the complete product. The algorithm
to generate the partial product of a system with respect to a
set of transitions { t l , t 2 , ..., t n }is as follows.

Figure 3. The Partial Product of our Example

4.3. Generation of Timed Test Cases

The Partial Product Algorithm
begin

The resulting partial product of the previous subsection

is a Timed Input Output Automata (TIOA). This TIOA is
used by Timed Wp-method to generate timed test cases.
This is done in three steps.

Let ( C T ) I-~ ~the< set

~ ,of CTIOAs.
LocationsSet = ( l y , I:, ...,l z , E , E , ...,E ) (the initial
Location of the system).
TransitionsSet = 0.
HandledLocations = 0.
While LocationsSet\HandledLocations # 0

First, we sample [ 131 the region graph of the TIOA with

a certain granularity in order to construct a subautomata
easily testable called Grid Automata. The granularity of
sampling depends only on the number of clocks, n, in
TIOA. It is equal to 1 / 2 or l / ( n 2 ) depending on either

do begin
Choose a Location 1 = (l:, 15, ..., E a , ..., 17, F:, F:, ...,
F:, ...,F r ) from LocationsSet\HandledLocations.

422

2 2 respectively. This granularity is sufficient to

reach all the clock regions in the region graph. Each clock
region will be represented at least by one representative
able to detect faults in the implementation. In our example
of Figure 3, the granularity of sampling is 1/4 since the
number of clocks is 2. The resulting grid automaton has
the property that each state has an outgoing delay transition
labeled with the granularity of sampling. Secondly, we
translate the grid automata into a nondeterministic FSM
in order to use the existing FSM based test generation
methods. The nondeterminism is mainly due to the time
occurrence of outputs actions because they are controllable
by the implementation and not by the tester. Finally, we
apply the Timed Wp-method [7] on the resulting FSM.
The Timed Wp-method is an adaptation of the generalized
Wp-method [16, 101 which takes into account the semantics
of time. We refer the reader to [7] for more details.

transitions selection criterion and the fault coverage. We

are also planning to tackle the synchronization problem for
the distributed execution of the test cases. Indeed every
generated test case will be decomposed and implemented
in different components composing the context of the
component under test and the real-time synchronization of
these components is a real issue.

n = 1or n

References
R. Alur and D. Dill. A Theory of Timed Automata. Theoretical Comput. Sci., 126:183-235, 1994.
C. Bourhlir, R. Dssouli, E. Aboulhamid, and N. Rico. A
Guided Incremental Test Case Generation for Conformance
Testing for CEFSM Specified Protocols. In Cluwer Academic Publishers, editor, Proceedings of the I I th Inter-

national Workshop of communicating Systems IWTCS'Y8

(Tomsk. Russia), September 1998.

The fault coverage of our method depends on the quality

of the partial product we have constructed. Obviously,
the generated test cases do not cover all the fault model
discussed in Section 3 but they detect all the potential
faults related to the partial product. The uncovered faults
are mainly due to the criterion used for the selection of
the transitions to consider in the construction of the partial
product .

E. Brinksma, G. Scollo, and C. Steenbergen. LOTOS

Specification, Their Implementations and Their Tests. In
B. Sarikaya and G. Bochmann, editors, Pi-otocol Specification, Testing, and Verification, VI, Montreal, Quebec,
Canada, June 10-13, 1986, pages 349-360. North-Holland,
1986.
K. cer2ns. Decidability of Bisimulation Equivalences for
Parallel Timer Processes. In G. v. Bochmann and D. Probst,
editors, Proceedings of the 4th International Workshop on
Computer Aided Verification, Montreal, Canada, volume
663 of Lecture Notes in Computer Science, pages 302-315.
Springer-Verlag, 1992.
D. Clarke and I. Lee. Automatic Generation of Tests for
Timing Constraints from Requirements. In Proceedings of

5. Conclusion
In this paper, we presented a method to test an embedded real-time component in a system modeled as a set of
communicating timed input output automata (CTIOA);
one CTIOA specifies the component to be tested and the
other ones represent its context. We introduced the CTIOA
model, and showed how to entirely or partially compose a
set of CTIOAs. Then, we reviewed the timed fault model
in the context of CTIOA. Finally, we proposed an approach
for testing an embedded CTIOA. This is based on the
computation of a partial product of the specification and its
context. For that, we select, based on certain criterion, only
some paths in the context that affect (or are affected by)
the transitions of the specification. The timed test cases are
generated from the resulting partial product using Timed
Wp-method [7].

the Third International Workshop on Object-Oriented RealTime Dependable Systems, Newport Beach, Califomia, Feb.
1997.
A. En-Nouaary, R. Dssouli, and A. Elqortobi. GCnCration de
Tests TemporisCs. In Proceedings of the 6th Colloque Francophone de I'inge'nieriedes Pi-otocoles,HERMES, ISBN 2 86601-639-4, 1997.
[7] A. En-Nouaary, R. Dssouli, F. Khendek, and A. Elqortobi.
Timed Test Cases Generation Based on State Characterisation Technique. In 19th IEEE Real-Time Systems Symposium (RTSS'Y8),Madrid, Spain, December, 2-4 1998.
[8] A. En-Nouaary, F. Khendek, and R. Dssouli. Fault Coverage
in Testing Real-Time Systems. In 6th International Confer-

ence on Real-Time Systems Computing Svstems and Applications (RTCSA'YY),Hong Kong, December, 13-15 1999.

Our method generates executable timed test cases with

good fault coverage. This fault coverage can be improved
by choosing a strong criterion for the selection of the
transitions to consider in the construction of the partial
product. The right balance between the fault coverage
and the test suite length has to be investigated. As future
work, we intend to deeply address the relation between the

[9] A. En-Nouaary, F. Khendek, and R. Dssouli. Fault Coverage

in Testing Real-time Systems. technical report TR-1162,
DCpartement IRO, UniversitC de MontrCal, September 1999.
[lo] S. Fujiwara, G. Bochmann, F. Khendek, M. Amalou, and
A. Ghedamsi. Test Selection Based on Finite-State Models. IEEE Transactions Software Engineering, SE-17, NO.
6591-603. 1991.

423

[ 111 ISO. Conformance Testing Methodology and Framework.

[12]

[13]

[ 141

[ 151

[16]

[ 171
[ 181

[19]

[20]

International Standard IS-9646 9646, International Organization for Standardization - Information Technology Open Systems Interconnection, Genkve, 1991.
I. Kang. CTSM A Formalism for Real-Time System Analysis
based on State-Space Exploration. PhD Thesis, University
of Pennsylvania, 1995.
K. Larsen and W. Yi. Time abstracted bisimulation: Implicit specifications and decidability. In Proceedings Mathematical Foundations of Programming Semantics (MFPS 9),
volume 802 of Lecture Notes in Computer Science, New Orleans, USA, Apr. 1993. Springer-Verlag.
L. P.Lima and A. Cavalli. A Pragmatic Approach to Generating Test Sequences for Embedded Systems. In Proceedings of the International Workshop on Testing Communica
ring Systems (IWTCS97), Cheju Islands, Korea, 1997.
F. Liu. Test Generation based on an FSM Model with Timers
and Counters. Master thesis, DCpartement dInformatique et
de Recherche Operationnelle, Universite de Montreal, 1993.
G. Luo, G. V. Bochmann, and A. Petrenko. Test Selection Based on Communicating Nondeterministic FiniteState Machines Using a Generalized Wp-Method. IEEE
TransactionsSoftware Engineering, SE-20, NO. 2: 149-162,
1994.
N. Lynch and H. Attiya. Using Mappings to Prove Timing
Properties. Distributed Computing, 6(2): 121-139, 1992.
P. Merlin and D. Farber. Recoverability of communication
protocols. IEEE transactions on Communication Protocols,
24(9), 1976.
A. Petrenko, N. Yevtushenko, G. V. Bochmann, and
R. Dssouli. Testing in Context: Framework and Test Derivation. A Special Issue on Protocol Engineering of Computer
Communication, 1997.
0. Rafiq and L. Cacciari. Protocoles, Contraintes Temporelles et Validation. In Acres du Colloque Francophone

[21]

[22]

[23]

[24]

pour Ilngtnierie des Protocoles CFIP95, France, pages

257-272, 1995.
A. C. Shaw. Communicating Real-Time State Machines.
IEEE Transactions on Software Engineering, 125305-816,
1992.
S. T. SomC. Un Cadre dlngenierie des Exigences par
Sctnarios &Interaction. Phd thesis, UniversitC de Montreal,
Oct. 1997.
J. Springintveld, F. Vaadranger, and P. Dargenio. Testing
Timed Automata. Technical Report CTIT97-17, University
of Twente, Amesterdam, 1997.
J. Springintveld and E Vaandrager. Minimizable Timed Automata. In B. Jonsson and J. Parrow, editors, Proceedings
of the 4th International School and Symposium on Formal
Techniques in Real Time and Fault Tolerant Systems, Uppsala, Sweden, volume 1135 of Lecture Notes in Computer
Science. Springer-Verlag, 1996.

424