Timed Wp-Method: Testing Real-Time Systems Abdeslam En-Nouaary, Rachida Dssouli, and Ferhat Khendek Abstract—Real-time systems interact with their environment using time constrained input/output signals. Examples of real-time systems include patient monitoring systems, air traffic control systems, and telecommunication systems. For such systems, a functional misbehavior or a deviation from the specified time constraints may have catastrophic consequences [27]. Therefore, ensuring the correctness of real-time systems becomes necessary. Two different techniques are usually used to cope with the correctness of a software system prior to its deployment, namely, verification and testing. In this paper, we address the issue of testing real-time software systems specified as a Timed Input Output Automaton (TIOA). TIOA is a variant of timed automaton [1], [2], [22], [29]. We introduce the syntax and semantics of TIOA. We present the potential faults that can be encountered in a timed system implementation. We study these different faults based on TIOA model and look at their effects on the execution of the system using the region graph. We present a method for generating timed test cases. This method is based on a state characterization technique and consists of the following three steps: First, we sample the region graph using a suitable granularity, in order to construct a subautomaton easily testable, called Grid Automaton. Then, we transform the Grid Automaton into a Nondeterministic Timed Finite State Machine (NTFSM). Finally, we adapt the Generalized Wp-method [23] to generate timed test cases from NTFSM. We assess the fault coverage of our test cases generation method and prove its ability to detect all the possible faults. Throughout the paper, we use examples to illustrate the various concepts and techniques used in our approach. Index Terms—Testing, specification, implementation, timed automaton, real-time systems, fault coverage. æ 1 INTRODUCTION N OWADAYS, software is used to control safety critical systems such as patient monitoring, air traffic control, plant control, and telecommunication equipments. More- over, we witness the rapid development and deployment of new time dependent applications such as multimedia applications. Contrary to nontimed systems, the functions of real-time systems are time constrained and dependent. Indeed, the behavior of a real-time system does not depend only on the values of input and output signals, but also on their time of occurrence. Ensuring the correctness of such systems before the deployment, i.e., ensuring that it functions correctly within the specified time constaints, is a difficult and complex task. Formal methods are often used as means to cope with complexity. Many formal models have been proposed for real-time systems [2], [26]. They are mainly real-time enrichments of well-known models, such as Finite State Machines, Petri Nets, etc. It has been reported in [27] that misbehaviors of time dependent systems are often due to nonrespect of time constraints. Verification and testing are two different techniques that are usually used to cope with the correctness of a system. Verification deals with the specification of the system under consideration and aims to ensure that the designed specification satisfies predefined functional and timing requirements (see [2] for instance). The correctness of the system specification does not guarantee the correctness of its implementation (the end product). Testing is an important activity, which aims to ensure the quality of the implementation. Testing procedure consists of generating test suites and applying them to the implementation which is referred to as an Implementation Under Test (IUT). There exist mainly three testing strategies: white-box testing, black-box testing, and gray-box testing. In white-box testing, the structure of the implementation is known and the test suite is generated from the implemented structures. In black-box testing, however, the structure of the implementation is not known; we use the specification of the required functionality at defined interfaces for test generation, execution, and evaluation. Finally, in gray-box testing, we assume that the modular structure of the implementation is known but not the details of the programs within each component. In this paper, we focus on gray-box testing and we refer to it as testing. An important aspect in the testing of an implementation of a system is the fault model. It refers to all the potential basic faults that can exist in an implementation. The test cases we generate, with a test cases generation technique, are intended to detect these faults. Actually, some techniques may be able to detect all the potential faults, while other techniques may fail in detecting some faults. The power of a test cases generation technique to detect faults in an implementation is referred to as fault coverage [36], [39], [38], [6], [8]. Test cases generation methods can be compared based on their respective fault coverage. We can say that a method A is more powerful than a method B, if A has a better fault coverage than B. In other words, a method A is more powerful than a method B, if A detects more faults than B. However, for a more accurate comparison between test cases generation techniques, other parameters such as the length of test suites should be taken into account. IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 28, NO. 11, NOVEMBER 2002 1023 . The authors are with the Department of Electrical and Computer Engineering, Concordia University, 1455 de Maisonneuve W., Montreal, Quebec H3G 1M8, Canada. E-mail: {ennouaar, dssouli, khendek}@ece.concordia.ca. Manuscript received 31 Jan. 2000; revised 15 June 2001; accepted 21 Dec. 2001. Recommended for acceptance by A.A. Andrews. For information on obtaining reprints of this article, please send e-mail to: tse@computer.org, and reference IEEECS Log Number 111424. 0098-5589/02/$17.00 ß 2002 IEEE