1

Soundness test cases generation for durationsystems

Lotfi MAJDOUB and Riadh ROBBANA

LIP2 Laboratory

Tunisia Polytechnic School

lotfi.majdoub@ensi.rnu.tn and riadh.robbana@fst.rnu.tn

Abstract–In this paper, we are interested in testing dura-tion systems. Duration systems are an extension of real-timesystems for which delays that separate events depend on theaccumulated times spent by the computation at some particularlocations of the system.

We present an automatic testing method for durationsystems that uses the approximation method. This methodextends a model using an over approximation, the approximatemodel, containing the digitization timed words of all the realcomputations of the duration system. Second, we present ourconformance relation applied on the approximate mdel, wedemonstrate that test cases generated from the approximatemodel are soundness test cases. At the end, we propose analgorithm that generate a set of test case presented in a treeby considering a discrete time and how we execute those testcases on the implementation by considering a continuous time.

Index Terms–duration systems, test, approximation, con-formance relation.

I. Introduction

Duration systems are an extension of real-time systemsfor which in addition to constraints on delays separatingcertain events that must be satisfied, constraints onaccumulated times spent by computation must also besatisfied.Timed automata constitute a powerful formalism widely

adopted for modeling real-time systems [2]. DurationVariables Timed Graphs with Inputs Outputs (DVTG-IOs) are an extension of timed automata [4], which areused as a formalism to describe duration systems. DVTG-IOs are supplied with a finite set of continuous realvariables that can be stopped in some locations andresumed in other locations. These variables are calledduration variables.Testing is an important validation activity, particularly

for real-time systems, which aims to check whether animplementation, referred to as an Implementation UnderTest (IUT), conforms to its specification. Testing processis difficult, expensive and time-consuming. A promisingapproach to improve testing consists in automaticallygenerating test cases from formal models of specification.Using tools to automatically generate test cases mayreduce the cost of the testing process.For testing real-time systems, most works borrow sev-

eral techniques from the real-time verification field dueto similarities that exist between model-based testing and

system verification (e.g., symbolic techniques, region graphand its variations, model checking techniques, etc.). Thosetechniques are used particularly to reduce the infinitestate space to a finite (or at least countable) state space.Then they adapt the existing untimed test case generationalgorithm. We cite as example [7][10][11][16].It is well known that the verification of real-time systems

is possible due to the decidability of reachability problemfor real-time systems [1]. However, it has been shown thatthe reachability problem is undecidable for timed graphsextended with one duration variable [6] and, consequently,it is not possible to use classical verification techniques togenerate test cases for DVTG-IO.We give in this paper a method for testing duration

systems. We describe the specification as well as theimplementation under test with DVTG-IO. In order toreduce the infinite state space to a finite state space,we use the approximation method that extends a givenDVTG-IO specification to anohter called the approximatemodel that contains the initial test cases as well as theirdiscretisations. An algorithm of generating soundness setof test cases is given. We present this set of test cases by atree which respects a conformance relation inspired fromthe well known ioco conformance relation [21].This paper is organized as follows: In the next section,

we present the duration variables timed graphs with inputsoutputs used to model specification. Section 3 shows theapproximation method. Section 4 defines the conformancerelation. Our testing method, is introduced in section 5.Concluding remarks are presented in section 6.

II. Duration Variables Timed Graphs with InputsOutputs

A DVTG-IO is described by a finite set of locations anda transition relation between these locations. In addition,the system has a finite set of duration variables that areconstant slope continuous variables, each of them changingcontinuously with a rate in {0,1} at each location of thesystem. Transitions between locations are conditioned byarithmetical constraints on the values of the durationvariables. When a transition is taken, a subset of durationvariables should be reset and an action should be executed.This action can be either an input action, an output actionor an unobservable action (known also as quiescent [21]).

2

A. Formal definition

We consider X a finite set of duration variables. A guardon X is a boolean combination of constraints of the formx ≺ c where x ∈ X,c ∈ N,≺∈ {<, ≤, >, ≥}. Let Γ(X) bethe set of guards on X. A DVTG-IO describing durationsystems is a tuple M = (Q,q0, E,X,Act, γ, α, δ, ∂) whereQ is a finite set of locations, q0 is the initial location, E ⊆Q×Q is a finite set of transitions between locations, Act =ActIn∪ActOut∪{τ} is a finite set of input actions (denotedby ?a), output actions (denoted by !a) and unobservableaction τ , γ : E −→ Γ(X) associates to each transition aguard which should be satisfied by the duration variableswhenever the transition is taken, α : E −→ 2X gives foreach transition the set of duration variables that should bereset when the transition is taken, δ : E −→ Act gives foreach transition the action that should be executed whenthe transition is taken, ∂ : Q × X −→ {0,1} associateswith each location q and each duration variable x the rateat which x changes continuously in q.

B. Example

We give a simple example in figure 1 that illustratesDuration Variables timed Graphs with Inputs Outputs.In this figure, DVTG-IO is supplied with a set of inputactions {a, c}, output actions {b, d} and three continuousreal variables t, x, z. Input actions are denoted ?a, ?c, andoutput actions are denoted !b, !d. Duration variables t

and x are clocks used to make constraints on the timeexecution, z is a duration variable, it is stopped (

.

z= 0) inlocations q1, q3 and it is used to make constraint on theaccumulated time spent by the system.

q 0

q 1q 2

q 3q 4

10 ≤≤ t 1=t 1=x 12 =∧= zt

0=•z 0=

•z0:=x ? a ! b ? c ! d

Fig. 1. example of DVTG-IO

C. State graph

The semantic of DVTG-IO is defined in terms of a state

graph over states of the form s = (q, ν) where q ∈ Q and

ν : X −→ R+ is a valuation function that assigns a real

value to each duration variable. Let StM be the set of

states of M. We notice that StM is an infinite set due

to the value of duration variables taken on R+. A state

(q, ν) is called integer state if ν : X −→ N. We denote by

N(StM ) the set of integer states of M.

Given a valuation ν and a guard g, we denote by ν |= g

the fact that valuation of g under the valuation ν is true.

We define two families of relation between states

: discrete transition (q, ν)a� (q′, ν ′) where (q, q′) ∈

E, δ(q, q′) = a, ν |= γ(q, q′) is true and ν′(x) = ν(x)∀x ∈ X\α(q, q′) , ν′(x) = 0 ∀x ∈ α(q, q′), that

corresponds to moves between locations using transition

in E, timed transition (q, ν)t

� (q, ν′) such that t ∈

R and ν′(x) = ν(x)+∂(q, x) ∗ t ∀x ∈ X, that corresponds

to transitions due to time progress at some location q.

The state graph associated with M is (StM ,�) where� denotes the union of all discrete and timed transitions.

D. Computation sequences and timed words

A Computation sequence of a DVTG-IO is defined as a

finite sequence of configurations. A configuration is a pair

(s, τ ) where s is a state and τ is a time value. Let CM be

the set of configurations of M . Intuitively, a computation

sequence is a finite path in the state graph of an extension

of M by an observation clock that records the global

elapsed time since the beginning of the computation.

Formally, if we extend each transition relation from states

to configurations, then a computation sequence of M is

σ = (s0,0)� (s1, τ 1)� ...� (sn, τn), where si = (qi, νi)and τ i−1 ≤ τ i for i = 1..n. Let CS(M) be the set of

computations sequences of M.

A timed word is a finite sequence of timed actions. A

timed action is a pair aτ where a ∈ Act and τ ∈ R+,

meaning that action a takes place when the observation

clock is equal to τ. A timed action aτ is called integer

timed action if τ ∈ N. A timed word is a sequence ω =a1τ 1a2τ 2...anτn where ai is an action and τ i is a value

of the observation clock. We notice that τ i ≤ τ i+1. Let

L(M) be the set of timed words of M.

A sequence ω = a1τ 1a2τ 2...anτn is considered a timed

word of L(M) if and only if there exists a computation se-

quence σ = (s0, τ 0) � (s1, τ 1) � ...� (sn, τn) ∈ CS(M)such that ai = δ(qi−1, qi) for i = 1, .., n and si = (qi, νi).For simplicity, we may write (s0, τ0)

ω� (sn, τn). We

suppose that empty timed word belongs to L(M).Let ω = a1τ 1a2τ 2...anτn be a timed word and a ∈

Act, τ ∈ R+ such that τn ≤ τ then we denote by

ω.aτ the timed word obtained by adding aτ to ω and we

have ω.aτ = a1τ 1a2τ 2...anτnaτ .

III. Approximation

The approximation method is presented in detail in[19]. We present in this section a discretisation technique(called digitization) associating to each real computationof the specification model a discrete computation. We showvia an example that those discrete computations maynot belong to the specification model. So, we give theapproximate model, obtained by approximation methodfrom the specification model, that contains all discretecomputations.

3

A. Digitization

We present the notion of digitization [8], which issuitable for the systems in which we are interested.Let us introduce some definition and notations. Let τ ∈

R+ . For every ε ∈ [0, 1[ called digitization quantum, we

define the integer [τ ]ε =if τ ≤ (�τ�+ ε) then �τ� else �τ� .

Before giving the definition of the digitization of com-

putation sequence, let us introduce how we calculate at

each step the valuation of variables.

Given a computation sequence σ = (q0, ν0, τ 0) �(q1, ν1, τ 1)� ...� (qn, νn, τn)

The value of x ∈ X at position k in σ is : νk(x) =k−1∑

i=jk+1

∂(qi, x).(τ i+1 − τ i)where jk denotes the greatest index j such that j ≤ k,

and the transition�j is of the forma� with x ∈ α(qj, qj+1)

i.e. , x is reset by (qj , qj+1) . We take jk = −1 if such anindex does not exist.According to [8], given a digitization quantum ε ∈

[0, 1[, the digitization of σ is the integer computationsequence [σ]ε = (q0, νε0, [τ 0]ε) � (q1, νε

1, [τ 1]ε) � ... �

(qn, νε

n, [τn]ε)

where the valuation of x at position k in [σ]ε is

: νεk(x) =

k−1∑

i=jk+1

∂(qi, x).([τ i+1]ε − [τ i]ε)

The definition of the digitization can be extended tothe timed words. The digitization of a timed word ω =a1τ1a2τ2...anτn is [ω]ε = a1 [τ 1]ε a2 [τ 2]ε...an [τn]εTherefore, it is not difficult to see that: [ω.at]ε =

[ω]ε.a[t]εMoreover, it is easier to relate digitizations of a compu-

tation sequence and its timed word. If σ is a computationsequence and ω is its corresponding timed word then forε ∈ [0,1[, [ω]ε is the corresponding timed word of [σ]ε.We denote by Digit(L(M)) the set of all the digitiza-

tions of all the real timed word of M. We notice thatDigit(L(M)) is finite.The digitization is a technique used to reduce the infinite

set of states to a finite set of states. A question that onemay ask is whether Digit(L(M)) ⊆ L(M) or not.ExampleIn the following example, we will see that we can have a

DVTG-IO with only one integrator for which there existsa real timed word such that all their digitizations are nottimed words of the system.Let ω be the real timed word of the DVTG given in the

figure 1 ω =?a 0.5 !b 1 ?c 1.5 !d 2There are two digitizations of ω :[ω]ε =?a 0 !b 1 ?c 1 !d 2 with 0.5 < ε < 1[ω]ε =?a 1 !b 1 ?c 2 !d 2 with 0 ≤ ε ≤ 0.5It is easier to verify on the DVTG-IO given in figure

1 that ω is a computation sequence, however their twodigitizations [ω]ε for 0.5 < ε < 1 and 0.5 < ε < 1 are nottimed words of the considered DVTG-IO.

B. Approximate model

As we have seen in the previous example, some timedwords of a given DVTG-IO do not have any digitizations in

M. The idea given in [19] consists of over approximatingthe model M by an approximate model M ′ such thatDigit(L(M)) ⊆ L(M ′). In other words, the system M ′

contains all the digitizations of all the computations ofthe initial system M .Definition 1The function β : X × E −→ N calculates for each

variable x ∈ X and each transition e = (q, q′) themaximum of restarts of x from the last reset of x untilthe location q in each way.β(x, e) = Maximum{#restarts(x) from the last reset

of x until the location q in each way}.A restart of a variable x is the change of its rate from 0

to 1. After a reset of a variable x, if the rate of a variable xin the current location is 1, then the access to this locationis considered as a restart of x. For example, if in the firstlocation x has a rate equal to 1 then the access to theinitial state is considered as restart. That is why, for theclocks, the function β is equal to 1 for each transition.Proposition 1 [19]For every computation σ ofM , every quantum ε ∈ [0,1[,

every variable x ∈ X, every transition e ∈ E and everyk ∈ N, we have

• β(x, e) = 0 =⇒ νkε(x)− νk(x) = 0

• β(x, e) > 0 =⇒−β(x, e) < νkε(x)− νk(x) < β(x, e)

Definition 2

The approximate modelM ′ = App(M) is obtained from

M by transforming each guard of a transition e of the form

u ≺ y ≺ w by the guard:

• if u − β(y, e) ≥ −1 then u − β(y, e) + 1 ≤ y ≤ w +β(y, e)− 1

• otherwise 0 ≤ y ≤ w + β(y, e)− 1

where u,w ∈ N, x ∈ X, and ≺∈ {<,≤}

C. Example

If we apply the approximation method on the DVTG-IO

of figure 1, we obtain the approximate model of figure 2,

that consists of replacing the guard t = 2∧z = 1 associatedto the transition (q3, q4) by the guard t = 2 ∧ 0 ≤ z ≤ 2,because we have β(z, (q3, q4)) = 2.It is easier to verify that the digitizations of the previous

example belong to the approximate model.

q 0q 1 q 2 q 3 q 4

10 ≤≤ t 1=t 1=x 202 ≤≤∧= zt

0.

=z 0.

=z0:=x a ? b ! c ? d !

Fig. 2. The approximate model

4

Proposition 2 [19]Let σ be a computation sequence of M. Then for each

ε ∈ [0,1[ ; [σ]ε is a computation of M ′= App(M)�

Proposition 3

Let ω = a1τ 1a2τ 2...anτn be a timed word

if ω ∈ L(M) then [ω]ε ∈ L(M ′) for each ε ∈ [0, 1[Proof

First, let us apply the definition of a timed word.

ω = a1τ 1a2τ 2...anτn ∈ L(M) if and only if there exists

a computation sequence σ = (s0, τ 0) � (s1, τ 1) � ... �

(sn, τn) ∈ CS(M) such that ai = δ(qi−1, qi) for i = 1, .., n,where si = (qi, νi).

Let [σ]ε be the digitization of σ for ε ∈ [0,1[, [σ]ε =(q0, [ν0]ε, [τ 0]ε)� (q1, [ν1]ε, [τ1]ε)� ...� (q

n, [ν

n]ε, [τ

n]ε)

From proposition 2, [σ]ε ∈ CS(M ′).Its corresponding timed word is a1[τ1]εa2[τ2]ε...an[τn]ε

because we have ai = δ(qi−1, qi) for i = 1, .., n.so we have [ω]ε ∈ L(M ′) �

IV. The conformance relation

We will introduce in this section the duration input-output conformance relation dioco which is an extension ofthe timed input-output conformance relation tioco definedin [11] [3] and which is in turn inspired from the untimedconformance relation ioco of [21].In order to formally define the conformance relation, we

define a number of operators.For (s, τ) ∈ CM , ω ∈ L(M), (s, τ ) after ω is the set of

all configurations of M that can be reached from (s, τ )after the execution of the timed word ω.

(s, τ ) after ω = {(s′, τ ′) ∈ CSP | (s, τ )ω� (s′, τ ′)}

and for C ⊆ CM ; C after ω = ∪(s,τ)∈C(s, τ) after ω

We define M after ω = (s0, τ 0) after ω, where (s0, τ 0)is the initial configuration.Furthermore, for (s, τ ) ∈ CM , Out((s, τ )) (resp.

In((s, τ))) is the set of all timed output actions (resp.timed input actions) that can occur when the system isat configuration (s, τ ).Out((s, τ )) = {oτ ′, o ∈ ActOut, τ

′∈

R+ | (s, τ )

t

� (s′, τ ′)o� (s′′, τ ′), for t > 0}

In((s, τ )) = {iτ ′ ∈, i ∈ ActIn, τ′ ∈ R

+ | (s, τ )t

�

(s′, τ ′)i� (s′′, τ ′), for t > 0}

For C ⊆ CM , Out(C) = ∪(s,τ )∈COut((s, τ )) and

In(C) = ∪(s,τ )∈CIn((s, τ )).Let M be a DVTG-IO representing the synchronous

product of the specification and the test purpose of a

duration system and Imp a DVTG-IO representing the

IUT. The duration input-output conformance relation

denoted dioco is defined as:

Imp dioco M ⇐⇒def ∀ω ∈ L(SP ) :Out(Imp after ω) ⊆ Out(M after ω)

We define now the conformance relation for the approx-

imate model of the synchronous product.

First, let us define the digitization of the operator Out,

given a digitization quantum ε ∈ [0, 1[, and for C ⊆ CM is

a set of configurations [Out(C)]ε = {oτ ′, o ∈ ActOut, τ′ ∈

N | ∃τ ∈ R+, oτ ∈ Out(C) and [τ ]ε = τ ′}.Proposition 4

∀ω ∈ L(M)if Out(Imp after ω) ⊆ Out(M after ω) then for

ε ∈ [0,1[[Out(Imp after ω)]ε ⊆ [Out(M after ω)]εProof

Let oτ ′ ∈ [Out(Imp after ω)]ε

We remember the definition of the digitization of the op-

erator Out, ∃τ ∈ R+, oτ ∈ Out(Imp after ω) and [oτ ]ε =oτ ′

From the hypothesis of this proposition we have that

oτ ∈ Out(M after ω)The definition of the digitization of the o

perator Out ensures that, [oτ ]ε ∈ [Out(M after ω)]εSo oτ ′

∈ [Out(M after ω)]εThen we conclude that [Out(Imp after ω)]

ε⊆

[Out(M after ω)]ε �We deduce from this result that

Imp dioco M =⇒def ∀ω ∈ L(M) ∀ε ∈ [0,1[[Out(Imp after ω)]ε ⊆ [Out(M after ω)]ε

Test cases can be generated with respect to theconformance relation. A test case respecting the aboveconformance relation is called sound, meaning that if animplementation conforms to its specification, it will passall tests (timed words) belonging to the set of tests. Inother words, if the implementation fails at least one test(timed word) then the implementation does not conformto its specification.It is well known that soundness property is achievable

for practical testing. It is shown in [21] that it is the-oretically possible to produce a complete test case (i.e.soundness and exhaustiveness test cases) but in practiceit is not possible to execute an infinite number of tests ina limited period of time.

V. Testing method

Here, we introduce our testing method for durationsystems that is based on the approximation method. Wesuggest to reduce the infinite state graph associated tothe approximate model to a countable state graph whichcontains all digitizations of the initial model.

A. Test generation with the approximate model

First, let us introduce the notion of an observationwhich is a sequence of controllable (inputs) and ob-servable (outputs) actions that are either executed orproduced by the IUT followed with its occurrence time.Formally, we describe an observation by a timed wordω = a1τ 1a2τ 2...anτn where ai ∈ Act and τ i ∈ R

+.

Our result is based on a reduction of the infinite state

graph associated with M′= App(M) to the countable

state graph (N(StM ′),1

� ∪a

�), where the space of states

is the set of integer states. Transitions between states

5

are either discrete transition (q, ν)a

� (q′,ν′) labeled with

action in Act, or timed transition (q, ν)1

� (q, ν′) labeled

with a constant delay of time equal to 1. Notice that ν

and ν′∈ [X → N]. Clearly, the digitizations of all timed

words Digit(L(M)) are included in (N(StM ′),1

� ∪a

�).

B. The test tree

We use the countable state graph (N(StM ′),1

� ∪a

�)to generate a finite set of soundness test cases. This set

of soundness test cases are represented by a tree that we

call test tree .

The test tree is composed by nodes that are sets

of integer configurations and transitions between those

nodes. A node in the test tree is a finite set of integer

configurations (s, τ ) such that s ∈ N(StM ′) , τ ∈ N

and represents the possible current integer configurations

of the IUT. The root is the initial configuration of

(N(StM ′),1

� ∪a

�) that is (s0, τ 0). We remember that we

consider a nondeterministic duration system and that the

current system configuration are not known precisely. The

transition between one node and its successor is labelled

with a timed action aτ such that a ∈ Act and τ ∈ N. A

path from the root to one leaf of the tree represents a

digitization of a timed word.

Example

An example of test tree is given in figure 3. That is

the test tree constructed from the approximate model of

figure 2. Each path of the test tree from the root to a

leaf corresponds to an integer computation sequence of

the approximate model.

{ ( q 0 , 0 , 0 , 0 , 0 ) }

{( q 1 , 0 , 0 , 0 , 0 ) } { ( q 1 , 1 , 0 , 1 , 1 )}

{ ( q 2 , 1 , 0 , 1 , 1 )}{( q 2 , 1 , 1 , 0 , 1 ) }

{ ( q 3 , 2 , 1 , 2 , 2 )}{( q 3 , 1 , 1 , 0 , 1 )}

{( q 4 , 2 , 2 , 0 , 2 ) } { ( q 4 , 2 , 1 , 2 , 2 ) }

a 0 a 1

b 1b 1

c 1 c 2

d 2 d 2

Fig. 3. The test tree

C. Algorithm of generating test tree

In order to construct the test tree, we adapt the untimedtest generation algorithm of [21].

1 Algorithm : generating test tree

2 Input : N(GS′) = (N(StS′),1

� ∪a

�)3 Output : Test Tree T

4 T = {(s0,0)} the one-node tree5 while True

6 for each leaf C of T distinct from pass

7 Out(C)8 In(C)9 if Out(C) ∪ In(C) = ∅ then10 C = pass

11 else12 do randomly {1; 2}13 case 1 :14 for each aτ ∈ Out(C) ∪ In(C)15 C′ = C after aτ

16 append edge Caτ

� C ′ to T

17 case 2 :18 C = pass

19 End while

Algorithm : generating test tree

The generating test tree algorithm operates as follows

: initially the test tree contains one node that is the

initial configuration of M ′ : (s0,0). For every leaf C of

the tree, the algorithm calculates the set of integer timed

actions (In(C) and Out(C)). For each timed action aτ

the algorithm claculates C ′ = C after aτ and appends

the edge Caτ

� C′ to the tree. The algorithm can stop a

path of the tree by appending the node pass in the leaf.

We show now how we can execute a test case obtained

from the test tree by considering a discrete time on the

implementation under test where the time is continuous.

Proposition 5

Let ω ∈ L(M) be a timed word and [ω]ε ∈ L(M ′) its

digitization for ε ∈ [0,1[if ∃ a ∈ Act and ∃τ ′ ∈ N such that [ω]ε.aτ

′∈ L(M ′)

then ∀τ ∈]τ ′ − 1 + ε, τ ′ + ε ] we have ω.aτ ∈ L(M)Proof

Let ω = a1τ1a2τ 2...anτn be a timed word and [ω]ε =a1[τ 1]εa2[τ 2]ε...an[τn]ε its digitization for ε ∈ [0,1[We suppose that there exists a ∈ Act and τ ′

∈ N

such that [ω]ε.aτ′= a1[τ 1]εa2[τ 2]ε...an[τn]εaτ ′ is a timed

word of L(M ′) from the definition of timed word there

exists a computation sequence σ′ = (q0, ν0ε , [τ 0]ε) �(q1, ν1ε , [τ 1]ε) � ... � (qn, νnε , [τn]ε) � (q, ν′

, τ′) of M ′

such that ai = δ(qi−1, qi) for i = 1, .., n and a = δ(qn, q)Proposition 1 ensures that σ′ is the digitization of one

computation sequence σ of M ( [σ]ε = σ′) with σ =(q0, ν0, τ 0)� (q1, ν1, τ 1)� ...� (qn, νn, τn)� (q, ν, τ) if

we have

∀x ∈ X, −β(x, (qn, q)) < ν′(x)− ν(x) < β(x, (qn, q)).We remember that from digitization valuation defini-

tion, we have ∀x ∈ X, ν′(x) = νnε(x)+∂(q, x)∗ (τ ′− [τ

n]ε)

and ν(x) = νn(x) + ∂(q, x) ∗ (τ − τn) which implies :

=⇒−β(x, (qn, q)) < νnε(x)+∂(q, x)(τ ′−[τn]ε)−νn(x)−

∂(q, x) ∗ (τ − τn) < β(x, (qn, q))

6

=⇒−β(x, (qn, q)) < νnε(x)−νn(x)+(τ ′

−τ )− ([τn]ε)−τn) < β(x, (qn, q))

=⇒ −β(x, (qn, q)) − (νnε(x) − νn(x)) + ([τn]ε − τn) <

τ ′− τ < β(x, (qn, q)) − (νn

ε(x)− νn(x)) + ([τn]ε − τn)

We remember that we have −β(x, (qn−1, qn)) < νnε(x)−

νn(x) < β(x, (qn−1, qn)) and −1 + ε < [τn]ε − τn ≤ ε

So we obtain −β(x, (qn, q))− β(x, (qn−1, qn))− 1 + ε <

τ ′− τ < β(x, (qn, q)) + β(x, (qn−1, qn)) + ε

In other terms, we have τ ∈]τ ′− 1 + ε− β(x, (qn, q)) −

β(x, (qn−1, qn)), τ ′ + ε+ β(x, (qn, q)) + β(x, (qn−1, qn))].From the digitization quantum definition, we have τ ∈

]τ ′− 1+ ε, τ ′ + ε] which is included in the above interval.We conclude that ω.aτ ∈ L(M) ∀τ ∈]τ ′−1+ε, τ ′+ε] �The test generation from the approximate specification

model can give to the tester the action and the integertime value of its execution on the IUT in discrete time.The above proposition shows that if the tester executesthe action (input or output) within a real-time interval,defined by the proposition, then the conformance of theobservation recorded on the IUT is preserved accordingto the approximate model.Proposition 6Let ω = a1τ 1a2τ 2...anτn be a timed word that corre-

sponds to a path from the root to a leaf in TM .

then ∃ ω′ ∈ L(M) such that [ω′]ε = ω

Proof

We proceed by a recursif proof on the size of ω.

Let ωi = a1τ1a2τ2...aiτ i with i ≤ n be the timed word

obtained in the level i of the test tree, we have ωn = ω

For i = 0, ω0 = ∅ the proposition is true because (ω′

0=

∅) ω′

0∈ L(M) and we have [ω′

0]ε = ω0

For i < n we suppose that the proposition is true for i

and we try to demonstrate for i +1

∃ ω′

i∈ L(M) such that [ω′

i]ε = ωi

Given aτ ∈ Out(M ′ after ωi) ∪ In(M ′ after ωi)We have ωi.aτ ∈ L(M ′)From the proposition 5, ∀τ ′ ∈] τ − 1 + ε, τ + ε ] we

have ω′

i.aτ ′ ∈ L(M)

So [ω′

i.aτ ′]ε = ωi.aτ �

Let remenber that a path in the test tree is a dis-

crete timed word obtained from the coutable state graph

(N(StM ′),1

� ∪a

�) associated to the approximate model

M ′= app(M). Proposition 6 demonstrates that a path in

the test tree is the digistization of a timed word belonging

to the initial model M . By considering this result and

the result obtained in the proposition 5, we can use the

test tree to generate a discrete test case, then we can

apply every action given in the test case in a point of

time belonging to an interval defined by the proposition

5. For generating an input timed action that should be

executed on the IUT, the tester chooses one integer timed

action aτ from the set In(M ′ after ω) by considering

(N(StM ′),1

� ∪a

�). By proposition 5, the action a can be

applied within the real-time interval ]τ − 1 + ε, τ + ε].

VI. Conclusion

We have introduced a method for testing duration

systems. First, we used the DVTG-IO as a formalism to

model specification. Second, we presented the approxima-

tion method. This method extends a given DVTG-IO to

another called approximate model that contains the initial

test cases as well as their digitizations. Then, we presented

our conformance relation applied on the approximate

mdel, we demonstrated that test cases generated from

the approximate model are soundness test cases. At the

end, we proposed an algorithm that generate a set of test

case presented in a tree by considering a discrete time and

how we executed those test cases on the implementation

by considering a continous time.

In the future work we plan to see how we can extend our

approach to test duration systems with quiescence actions

and how we can use this approach to test hybrid systems.

References

[1] R. Alur, C. Courcoubetis, and D. Dill, Model-Checking for Real-Time Systems, 5th Symp. on logic in Computer Science, 1990.

[2] R. Alur and D. Dill, A Theory of Timed Automata, TheoreticalComputer Science, 126 : 183-235, 1994

[3] S.Bensalem, M.Krichen, L.Majdoub, R.Robbana, S.Tripakis,Test Generation for duration System, VECoS’2007, Algiers,Algeria, 5-6 May 2007.

[4] A. Bouajjani, R. Echahed, R. Robbana, Verifying InvarianceProperties of Timed Systems with Duration Variables, FormalTechniques in Real-Time and Fault Tolerant Systems, 1994

[5] F. Cassez, K.G Larsen, The Impressive Power of Stopwatches,In Proc. Conference on Concurrency Theory (CONCUR’00),Penssylvania, USA, 2000

[6] K.Cerans, Decidability of Bisimulation Equivalence for Par-allel timer Processes, In Proc. Computer Aided Verification(CAV’92), Springer-Verlag, 1992, LNCS 663

[7] A. En-Nouaary, R. Dssouli, F. Khender, and A. Elqortobi,Timed Test cases generation based on state characterisationtechnique, In RTSS’98. IEEE, 1998

[8] T. Henzinger, Z. Manna, and A. Pnuelli, What good are digitalclocks?, In ICALP’92, LNCS 623, 1992

[9] A. Hessel, K.G. Larsen, B. Nielsen, P. Pettersson and A.Skou, Time-optimal Real-Time Test Case Generation usingUPPAAL, In Proceeding of third International Workshop onFormal Approaches to Testing of Software, FATES’03, 2003

[10] A. Hessel, P. Pettersson, A Test Case Generation Algorithmfor Real-Time Systems, In Proceeding of 4th internationalConference on Quality software QSIC’04 pages 268-273, 2004

[11] M. Krichen, S. Tripakis, Black-Box Conformance Testing forReal-Time Systems, SPIN’04 Workshop on Model CheckingSoftware, 2004

[12] D. Lee, M. Yannakakis, Principles and Methods of Testing FiniteState Machines, Proc. of the IEEE, 84 : 1099-1123, August 1996

[13] L. Majdoub and R. Robbana , Test Purpose of DurationSystems, 4th MSVVEIS, pages 67-75, Cyprus, May 2006.

[14] L.Majdoub and R.Robbana, Testing Duration Systems usingan Approximation Method, Depcos-RELCOMEX 2007, pages119-126, Szklarska Poreba, Poland, June 2007.

[15] L. Majdoub and R. Robbana, Testing Duration systems, JournalEuropéen des Systèmes Automatisés : le numéro spécial JESAles méthodes formelles temps-réel, 2008.

[16] M. Mikucionis, K G. Larsen, B. Nielsen, Online On-the-flyTesting of Real-time systems, Basic Research in ComputerScience, BRICS Report Series RS-03-49, December 2003

[17] P. Morel, Une algorithmique efficace pour la génération automa-tique de tests de conformité, these of Rennes University, 2000

[18] R. Robbana, Spécification et Vérification des Systèmes Hy-brides, Thesis, Joseph Fourier University Grenoble, 1995

[19] R. Robbana, Verification of Duration Systems using an Approxi-mation Approach, Journal of Computer Science and Technology,Vol 18, No2, pp. 153-162, March 2003

[20] J. Springintveld, F. Vaandrager, and P.D’Argenio, TestingTimed Automata, Theoretical Computer Science, 254, 2001

[21] J. Tretmans, Testing Concurrent Systems : A Formal Approach,CONCUR’99 , 10th Int, conference on Concurrency Theory,pages 46-65, 1999