FSM abstraction based method for deriving test suites with guaranteed fault coverage against nondeterministic Finite State Machines with timed guards and timeouts

. Finite State Machine (FSM) based approaches are widely used for deriving tests with guaranteed fault coverage for discrete event systems and as the behavior of many nowadays information and control systems depends on time, classical FSMs are extended by clock variables. Moreover, optionality in the real system’s specifications motivates the studying test derivation against models with the nondeterministic behavior. In this paper, we adapt classical FSM based test derivation methods for nondeterministic FSMs with timed guards and timeouts (TFSMs). We show that unlike classical FSM conformance relation, the check cannot be reduced to checking the correspondence between TFSMs transitions and this violates the main principle of FSM based test derivation methods. Respectively, a proposed approach and the appropriate fault model are based on the FSM abstraction of the given TFSM specification that is used to adequately describe the behavior of a TFSM. The fault domain contains TFSMs with the known upper boundary on the number of FSM abstraction states and allows to avoid explicit enumeration of implementations under test. We study properties of the FSM abstraction for a nondeterministic TFSM and justify that the use of an FSM abstraction allows to adapt classical FSM based test derivation methods when deriving tests with guaranteed fault coverage for TFSMs. A method is proposed for deriving a complete test suite for a complete possibly nondeterministic TFSM when an implementation under test is a deterministic complete TFSM.


Introduction
Finite State Machines (FSMs) are widely used for analysis and synthesis of discrete event systems [1]. In particular, FSM based approaches can be effectively used when deriving test sequences for determining whether a given implementation considered as a «black box» conforms to its specification. A number of methods exist for deriving complete test suites with respect to various fault models [see, for example, 2-5] without the explicit enumeration of possible FSMs under test. Well-known W-method [2] and many its derivatives have been developed including those for FSMs with the nondeterministic behavior [4,6]. In many papers, researchers consider the case when the specification is a nondeterministic FSM, while an implementation FSM is deterministic and conforms to the specification if the implementation behavior is contained in that of the specification [6,7]. In other words, the specification nondeterminism occurs according to the optionality of the informal requirements' description and the behavior of a conforming implementation must not violate the specification. Nowadays time aspects become very important when describing the behavior of digital and hybrid control systems, and, respectively, similar to automata [8] classical FSMs were extended with clock variables [5,[9][10][11][12][13][14]. When the behavior of a system under test is described by a Timed Finite State Machine (TFSM), classical FSM-based methods have to be modified and extensions of the W-based methods are considered in the context of systems with timed constraints [9], [14]. In [11], Merayo et al. consider timed possibly nondeterministic FSMs where time elapsed when an output has to be produced after an input has been applied to an FSM under test is limited. The model also takes into account input timeouts at states. However, the authors do not consider test derivation; yet establish a number of conformance relations. El-Fakih et al. [10] consider the test derivation and assessment for FSMs with timed guards; such an FSM has a single clock that is reset at every transition. In the paper by Zhigulin et al. [13], a method is proposed for deriving complete test suites for FSMs with timeouts. The authors consider a traditional fault domain assuming that the number of states of an implementation TFSM (Implementation Under Test) does not exceed that of the state reduced specification TFSM as well as the maximal finite timeout of the IUT does not exceed that of the specification. However, as we further show, two reduced TFSMs with timeouts can be equivalent but not isomorphic and this fact violates the main idea of W-based methods of checking the isomorphism or homomorphism between the specification and implementation under test. In [12], the authors show that the behavior of a deterministic TFSM can be adequately described by its FSM abstraction and this is a hint that a fault model can be derived based on such abstraction for which well elaborated FSM based methods for deriving tests with guaranteed fault coverage can be applied. Such a fault model is considered in [15] for deriving a complete test suite against deterministic TFSMs.
In this paper, we consider FSMs with timed guards, timeouts and output delays (TFSM) which generalize the TFSM model that has only timed guards or only input timeouts [12]. Moreover, in our case, a TFSM can be nondeterministic. Timed guards describe the system behavior depending on a time instance when an input is applied. If no input is applied until an (input) timeout expires then the system can spontaneously move to another state. An output delay describes a time for processing a given transition. We propose a method for deriving a test suite with guaranteed fault coverage against a complete possibly nondeterministic specification FSM with timed guards, input timeouts and output delays with respect to the reduction relation assuming that an implementation TFSM under test is complete and deterministic. The fault model and a procedure for deriving a complete test suite are based on the FSM abstraction of a given TFSM specification since according to [12], the behavior of a TFSM can be adequately described by its corresponding (untimed) FSM abstraction. The structure of the paper is as follows. Section 2 contains the preliminaries for classical and timed FSMs. It also contains the explanation how the behavior of a TFSM can be described using an appropriate FSM abstraction. In Section 3, a brief sketch of related work on test derivation methods for nondeterministic FSMs with respect to the reduction relation is presented while Section 4 contains such a review on test derivation against Timed FSMs. In Section 5, a method is proposed for deriving a complete test suite against a nondeterministic FSM with timed guards and timeouts by determining an appropriate fault model based on their FSM abstractions; the section also contains an example for a test derivation procedure. Section 6 concludes the paper.

Preliminaries
This section contains basic definitions of classical Finite State Machines as well as of Timed Finite State Machines as their extension. We also show how the behavior of a TFSM can be adequately described by the corresponding FSM and establish some useful properties of such FSM abstractions.

Timed Finite State Machines
A Timed FSM (TFSM) is extended with a clock variable, timed guards, timeouts and output delays [12,13]. The timed guards at a state have less time upper bounds than the timeout at the state and describe the behavior at a given state for inputs which arrive at different time instances. The clock variable accumulates time and is reset to zero when applying an input, producing an output and moving between states by timeout transitions. Correspondingly, an initialized TFSM is a 6-tuple S = (I, S, O, hS, ΔS, s0) where S is a finite non-empty set of states with the designated initial state s0, I and O are input and output alphabets, hS  S  I  O  S    Z is the transition relation and ΔS is the timeout function. The set  is a set of input timed guards and Z is the set of output delays which are non-negative integers. The timeout function is the function ΔS: where N is the set of positive integers: for each state this function specifies the maximum time for waiting for an input. If no input is applied until an (input) timeout expires then the system can spontaneously move to another state. By definition, for each state of TFSM exactly one timeout is specified. An input timed guard g  describes the time domain of clock variable when a transition can be executed and is given in the form of interval <min, max> , ]} and T is the input timeout at the current state. We also denote the largest finite boundary of timed guards and timeouts as BS. The transition (s, i, o, s, g, d)  S  I  O  S   Z means that TFSM S being at state s accepts an input i applied at time t  g measured from the initial moment or from the moment when TFSM S has moved to the current state; the clock then is set to zero and S produces output o exactly after d time units and moves to state s. Given state s of TFSM S such that ΔS(s) = (s', T), if no input is applied before the timeout T expires, the TFSM S moves to state s'. If ΔS(s) = (s', ) then s' = s, and this means that the TFSM can stay at state s indefinitely long waiting for an input.
Given TFSM S, S is a complete TFSM if the union of all input timed guards at any state s under every input i equals [0; T) when ΔS(s) = (s', T). In this paper, we consider only complete TFSMs and the question about the interpretation of undefined transitions in partial machines and their augmentation is out of the scope of this paper [17]. TFSM S is a deterministic TFSM if for each two transitions (s, i, o1, s1, g1, d1), (s, i, o2, s2, g2, d2) hS, s1  s2, d1  d2 or o1  o2, it holds that g1  g2 = , otherwise, TFSM S is nondeterministic. In this paper, we assume that the system specification is a complete observable, possibly nondeterministic TFSM while the behavior of an implementation under test (IUT) is described by a complete deterministic TFSM. In other words, the specification describes a set of possible permissible behaviors of an IUT and a conforming implementation must be one of them.
Example. Consider a TFSM S in Figure 1 with two states, one input and three outputs, where a is the initial state and ΔS(a) = (b, 2), i.e., the timeout at state a is 2. For state b, ΔS(b) = (b, ), and this loop is not shown in the figure. If input i is applied to the TFSM at state a at time instance 1 measured from the initial moment then S moves to state b producing output o2 after one time unit. However, if no input is applied to the TFSM until time value reaches 2 then S moves to state b using a timeout transition. At state b, TFSM S can wait for an input infinitely long.

Fig. 1. Timed Finite State Machine S
A timed input is a pair (i, t) where i  I and t is a real; a timed input (i, t) means that input i is applied to the TFSM at time instance t measured from the initial moment or from the moment when TFSM S has produced the last output. A timed output is a pair (o, d) where o  O and d is the output delay measured from the moment when an input has been applied. In order to determine the output response of the TFSM at state s to a timed input (i, t), state s', which is reached by the TFSM by timeout transitions at time instance t, is calculated first [13]. State s' is a state where TFSM moves from state s via timeout transitions such that the maximum sum  of all timeouts starting from state s is less than t. At the second step, a transition (or several transitions for nondeterministic TFSM) (s', i, o, s'', g, d) such that t -  g is considered. According to this transition, the machine produces the timed output (o, d) to a timed input (i, t) applied at state s and moves to the next state s''.
A sequence of timed inputs  = (i1, t1) … (in, tn) is a timed input sequence, a sequence of timed outputs  = (o1, d1) … (on, dn) is a timed output sequence. Given the initialized TFSM at state s1 with the value of the clock variable equal to 0 at the initial moment and a timed input sequence (i1, t1) … (in, tn), an input i1 is applied when the value of the clock variable reaches t1' = t1 -1 where 1 that is the maximum sum of timeouts for the sequence of timeout transitions starting from state s1 is less than t1, but becomes equal or bigger when adding the timeout at the current state s1'; after applying the input at state s1' the clock variable is set to 0 and the machine produces an output o1 and moves to a prescribed state s2 when clock value is equal to d1. After producing the output o1 the clock is reset and the machine is waiting for another input i2 that is applied when the clock variable value equals t2' = t2 -2, etc. A sequence / = (i1, t1)/(o1, d1) … (in, tn)/(on, dn) of consecutive pairs of timed inputs and timed outputs starting at the state s is a timed I/O sequence or a timed trace of TFSM S at state s. Note that time of the first timed input in the sequence is counted from startup of the system at state s while time of all next inputs is counted from the time instance when a previous output has been produced. Similar to FSMs,  is an applied timed input sequence while  is the 180 corresponding output response of the TFSM to sequence  of applied inputs. Given a state of a complete nondeterministic TFSM, there can exist several output responses to a timed input sequence. Similar to FSMs, the set of all timed traces at the initial state specifies the behavior of an initialized TFSM.
Example. Consider TFSM S in fig. 1. If a timed input sequence (i. 2.5).(i, 0) is applied to S at state a then TFSM first moves to state b by the timeout transition when the clock variable value reaches 2. The clock is reset and output (o1, 2) or (o3, 2) is produced, the system moves back to state a and the clock is reset. When the next input (i, 0) is immediately applied, the TFSM moves either to state a with timed output (o3, 0) or to state b with timed output (o1, 1). Given states s and p of complete TFSMs S and P, state p is a reduction of s (written, p ≤ s) if the set of timed I/O sequences of TFSM P at state p is contained in the set of timed I/O sequences of TFSM S at state s. TFSM P is a reduction of TFSM S if the reduction relation holds between the initial states of the machines. For deterministic TFSMs S and P, the reductions relation is reduced to the equivalence relation.

FSM abstraction
The behavior of a TFSM can be adequately described using a classical FSM that is called the FSM abstraction of the TFSM and is derived similar to [12]; however, in [12], output delays are not considered. I is the same as for the timed input (i, t) and (o, d) is the response of the TFSM to timed input (i, t). Thus, the output sequence of the FSM abstraction FSM can be transformed into corresponding timed output sequence  by removing all outputs I. The following statement can be established. Thus, the conclusion about the reduction relation between two TFSMs can be drawn based on their FSM abstractions and there exist methods for checking the reduction relation between two FSM states or between two FSMs.

Fault models and test suites
FSM based testing can be preset and adaptive. We first consider the preset testing where test cases which are (timed) input sequences, are derived from the given TFSM specification to determine whether a given IUT, which is assumed to have the FSM behavior, conforms to the given specification.
In this paper, an implementation FSM P conforms to the specification if FSM P is a reduction of the specification FSM. In other words, an implementation FSM P conforms to the specification FSM if for each input sequence the output response of the FSM P is contained in the set of output responses of the specification FSM to this input sequence. In this case, the fault model FMm FSM = <S, ≤, m> is considered where S is the specification that is a complete observable possibly nondeterministic FSM, ≤ is the reduction relation, m is the fault domain which contains each deterministic complete FSM with at most m states over the same input alphabet as the specification. Here we notice that differently from the paper [18] where only deterministic FSMs are considered, the specification can be nondeterministic and the conformance relation is not the equivalence but the reduction relation. A test suite is complete with respect to the FMm FSM = <S, ≤, m> if for each FSM P ∈ m that is not a reduction of S, the test suite has a sequence for which an output response of P is not in the set of output responses of S to this sequence. A complete test suite with respect to FMm FSM can be derived using an appropriate modification of FSM based methods for nondeterministic FSMs [6] which are based on deterministically-transfer (d-transfer) and separating sequences. A state s is deterministically reachable (d-reachable) from the initial state of the FSM S if there exists an input sequence α such that for any output response β to α, the machine S moves from the initial state to state s when α is applied. In this case, α is a dtransfer sequence for state s. States s1 and s2 of an FSM S are separable if there exists an input sequence α such that the sets of output responses of the FSM at states s1 and s2 to α do not intersect; in this case, sequence α is called a separating sequence for states s1 and s2. If a sequence separates each pair of different states of the FSM S then this sequence is a separating sequence for FSM S.
Once again we remind that differently from [18], not each input sequence is a d-transfer of the nondeterministic specification and separable states and separating sequences for the nondeterministic specification are defined in a different way.
If FSM S has a separating sequence  and each state is d-reachable from the initial state, the procedure for deriving a complete test suite w.r.t. the fault model FMn FSM = <S, ≤, n> where n is the number of states of S, has the following steps: 1. A d-cover set of the FSM S is derived. This set contains a d-transfer sequence for each state of the FSM S. 2. Each sequence of the d-cover set is appended with the separating sequence  of the FSM S and every input that also is appended with the separating sequence . If an adaptive test suite is derived, an adaptive distinguishing sequence can be used instead of a separating sequence while d-transfer sequences can be replaced by adaptive transfer sequences (if they exist) [19]. Adaptive distinguishing (separating) and d-transfer sequences can be shorter then preset, and moreover, they exist more often. An input sequence α is adaptive if the next input depends on the outputs of the FSM. Such an input sequence can be represented by an FSM called a test case [19]. At each state of a test case, either there are transitions for one input with all outputs or there are no transitions and in the latter case, a state is called terminal. Given a test case (TC) D for FSM S, an adaptive sequence specified by is applied in the following way. If input i1 is defined at the initial state d0 of D then first the input i1 is applied to FSM S and TC D moves to the i1o-successor d1 of state d0 if o is the output the response of S to the input i1. The next input to apply is the input defined at state d1, etc. The procedure terminates when a terminal state is reached. A test case represents an adaptive separating sequence for states s1 and s2 of the FSM S if each input-output sequence from the initial to the terminal state of the test case can happen at most at one of states s1 or s2. In the former case, the state s1 is identified, while in the latter case it will be state s2. States s1 and s2 of the FSM S are adaptively separable if there is a test case that represents an adaptive separating sequence for states s1 and s2. In this case, the corresponding trace from the initial state to a terminal state of an adaptive separating test case allows to determine what was a state of the FSM S before the experiment. If an adaptive sequence separates each pair of different states of the FSM S, then such a sequence is an adaptive separating sequence for the FSM S. A test case can also represent an adaptive sequence from the initial state of the FSM S to the state s if each input-output sequence of the test case from the initial to a terminal state is ended at state s [19,20]. In this case, state s is adaptively reachable from the initial state. The derivation of a complete adaptive test suite is almost the same as the preset: the only difference is that adaptive distinguishing sequences are used instead of separating sequences and adaptive transfer sequences are used instead of d-transfer sequences. If FSM S has no (adaptive) separating sequence or S has states which are not d-reachable from the initial state then a complete test suite cannot be derived using the above procedure. In this case, the so-called state counting reduction (SCR) method should be applied [6]. Below, we describe the main steps of the general SCR-method when deriving a complete preset test suite with respect to the fault model FMm FSM = <S, ≤, m>. Step 3 when terminating an input sequence of the set Nk, k = 1, …, p. Here we notice that in general case, complete test suites derived by SCR method are much longer than for the case when the specification FSM has a separating sequence and the derivation method is much more complex. To minimize our efforts for deriving a complete test suite with respect to the fault model FMm FSM = <S, ≤, m>, the adaptive testing can be used instead of the preset [19]. It is known that a test suite can be usually shorter if the specification FSM has a sequence, which separates every two states [6]. In this case, set Wj contains only one separating sequences  and R = {S}. However, such a separating sequence does not always exist and thus, we are obliged to use a set of separating sequences for test derivation. Adaptive distinguishing (separating) sequences exist more often than the preset and are usually shorter, thus, adaptive distinguishing sequences can be preferable for test derivation. Anyway, using adaptive distinguishing sequences can increase the size of subsets of pairwise distinguishable states from R, and thus, shorten sets Wj and the sets Nk, and correspondingly, minimize a complete test suite. In the next section, we consider an existing approach for adaptation classical FSM based test derivation methods for Timed FSM.

Related work on TFSM based testing
The problem of deriving a complete test suite against a nondeterministic FSM with timed guards with respect to the reduction relation has been considered in [20]. The proposed approach is based on the FSM abstraction of TFSM but that abstraction is a bit different from that considered in the «Preliminaries» section. In that case, one-to-one mapping between sets of states of TFSM and corresponding FSM abstraction has been established. The latter allows to inherit the above described steps for deriving a complete test with respect to the fault domain which contains each deterministic complete TFSMs with timed guards with at most m states over the same input alphabet as the specification TFSM S and the largest boundary BS for input timed guards. However, in general case, this approach cannot be applied for FSMs with time guards and timeouts since the one-to-one mapping between transitions of two state reduced equivalent TFSMs with timeouts not always can be established. In [15], it is shown that initialized reduced deterministic TFSM specification and TFSM implementation with timeouts can be equivalent yet not isomorphic; moreover, they can have Tvardovskii A., Yevtushenko N. FSM abstraction based method for deriving test suites with guaranteed fault coverage against nondeterministic Finite State Machines with timed guards and timeouts. Trudy ISP RAN/Proc. ISP RAS, vol. 31, issue 4, 2019, pp. 175-188 184 different number of states. The latter violates the main assumption of W-based methods about checking the correspondence between FSM transitions. As an example, consider TFSMs in fig. 3. Each state in R and Q is reachable from the initial state and each two different states of each machine are not equivalent, i.e., both TFSMs are connected and state reduced. By direct inspection, one can assure that equivalent machines in Figure 3 have different number of states and thus, are not isomorphic.  fig. 4. Thus, in order to derive a complete test suite for deterministic TFSMs we considered the fault domain containing every TFSM P over the same input alphabet as S such that the reduced form of the FSM abstraction of P has at most m > 1 states [15]. A similar approach can be applied for the test derivation against nondeterministic FSMs with timeouts and timed guards; in the next section, corresponding fault model and test derivation method are proposed.

Test derivation method for nondeterministic FSM with timed guards and timeouts
In order to derive a test suite with guaranteed fault coverage against the nondeterministic specification TFSM, we propose a fault model based on the FSM abstraction of the TFSM and algorithm of applying the SCR-method to such abstraction. Given a nondeterministic TFSM S with n states ( fig. 1), two deterministic equivalent TFSM implementations R and Q ( fig. 3) which are reductions of S can have different number of states. However, the reduced forms of their FSM abstractions are isomorphic and are reductions of FSM abstraction AS. Another example in Figure 5 demonstrates that for nondeterministic TFSM Y there can exist a deterministic TFSM Y with the same number of states and the boundary BS, such that the reduced form [16] of FSM abstraction AY has more states than that of AY. Given the TFSM specification S, we consider the fault model FMm TFSM = <S, ≤, m>, where S is the complete observable, possibly nondeterministic TFSM specification, ≤ is the reduction relation, m is the fault domain that contains each deterministic complete TFSM P over the same input alphabet as the specification such that the reduced form of its FSM abstraction AP has at most m > 1 states. As it is demonstrated below it can well happen that some timed FSMs with less states than the specification TFSM are not included into the fault domain and vice versa, a number of timed FSMs which have more states than the specification TFSM are included into the fault domain. Example. Consider TFSM specification S ( fig. 1) with two states. Fault domain m of the fault model FMm TFSM = <S, ≤, m> contains TFSM R ( fig. 3) with three states since the FSM abstraction AR has not more states than the FSM abstraction AS. At the same time, in Figure 5 the TFSM specification Y and its non-conforming implementation Y are shown such that both TFSMs have three states and the finite timed guards' boundary equal two. However, the fault domain m does not contain Y since the reduced form of its FSM abstraction has more states than AY. Thus, it can happen that nonconforming implementations with the same number of states as the specification TFSM can pass a complete test suite with respect to <S, ≤, m>. Note that the FSM abstraction of TFSM S can have non-separable states, i.e., the FSM abstraction can have a pair of states for which a separating sequence does not exist when the specification TFSM S has a separating sequence, i.e., all states of the TFSM S are pairwise separable. For example, TFSM S in Figure 1 has a separating sequence (i, 1) while the corresponding FSM abstraction AS has a pair of non-separable states (b, 0) and (b, (0, )), for which the sets of input/output sequences coincide. In order to derive a complete test suite for such FSM, the SCR method can be used. As mentioned above, similar to a deterministic FSM abstraction [15], a nondeterministic FSM abstraction can be minimized using the method from [16]. As an example, for FSM abstraction AS ( fig. 2) of TFSM S (Figure 1), equivalent states (b, 0) and (b, (0, )) can be merged into one state. However, unlike deterministic machines, such optimization does not always allow to merge pairs of non-separable states of the FSM abstraction of the specification and thus, the SCR method is still used for test derivation. Algorithm for deriving a complete test suite with respect to the fault model FMm TFSM = <S, ≤, m> where m is the number of states of the reduced form of the FSM abstraction of S Input: The complete observable possibly nondeterministic specification TFSM S Output: A complete test suite TS with respect to the fault model FMm TFSM = <S, ≤, m>, where m contains every TFSM P over the same input alphabet as S such that the reduced form of the FSM abstraction of P has at most m > 1 states Step 1. Derive the reduced form of the FSM abstraction AS of TFSM S.
Step 2. Derive a test suite TSA with respect to the fault model FMm FSM = <AS, ≤, m> using the SCRmethod described above, where m is number of states of the FSM abstraction AS.
Step 3. According to Proposition 1, transform sequences of the test suite TSA into corresponding timed sequences over the TFSM S and obtain the test suite TS. Proposition 4. The test suite TS returned by the above Algorithm is complete with respect to the fault model FMm TFSM = <S, ≤, m>.
Proof. Let a test suite TS be returned by the above algorithm and TFSM P which is not a reduction of specification TFSM S is in the set m. By definition of the fault domain m, the reduced form of the FSM abstraction AP has at most m states. Since P is not a reduction of S, the FSM AP is not a reduction of AS (Proposition 3). Thus, a test suite TSA derived at Step 2 contains an input sequence FSM, which separates FSMs AP and AS. By Proposition 2, for sequence FSM of the FSM AP there exists the corresponding timed input sequence  of the TFSM P that will demonstrate that P is not a reduction of the TFSM S. The latter guarantees that each non-conforming implementation P of the set m is detected by the test suite TS. The fault domain in the above algorithm can be extended and for TFSM S with the reduced form of its FSM abstraction AS which has n states, a complete test suite can be derived by SCR-method with respect to m when m > n. However, in this case length of a complete test suite significantly increases [21]. In the worst case, the length of a test suite derived by SCR-method exponentially depends on the number of states of FSM and this also holds for FSM with timed aspects. As experimental results show, in practice, length of adaptive distinguishing sequences is usually polynomial with respect to the number of FSM states when such a sequence exists [20,7]. Respectively, similar results can be derived for a TFSM when proposed algorithm is used and the boundary on timed guards is not too big. Note that length of the test suite also significantly depends on timed aspects of the specification TFSM such as the upper bounds of timed guards and value of timeouts [20,21]. We note again that the FSM abstraction of TFSM S can have non-separable states while all states of the TFSM are pairwise separable. However, we underline that the FSM abstraction inherits the dreachability of states from the specification TFSM and the following proposition holds. Example. Consider TFSM S in Figure 1 and its FSM abstraction AS in Figure 2. We derive a complete test suite with respect to the fault model FM6 TFSM = <S, ≤, 6>. For state (b, 0) of AS there exists a d-transfer sequence I.i and respectively, state b of TFSM S has a timed d-transfer sequence (i, 0,5). Other states of FSM abstraction are d-reachable from states (a, 0) and (b, 0) by a sequence of I inputs. Thus, all states of AS are d-reachable from the initial state and for the FSM abstraction AS, Sd = {(a, 0), (a, (0, 1)), (a, 1), (a, (1, 2)), (b, 0), (b, (0, ))}. Given FSM AS, we can also determine two maximal subsets of pairwise separable states R1 = {(a, 0), (a, (0, 1)), (a, 1), (a, (1, 2)), (b, 0)}, R2 = {(a, 0), (a, (0, 1)), (a, 1), (a, (1, 2)), (b, (0, ))} and corresponding distinguishing sets W1 = W2 = { i, I.i, I.I.i}. Note that R1 = R1d and R2 = R2d since all states of AS are d-reachable. Consider state (b, 0) and the set N(b, 0) of input sequences derived at Step 3 of the SCR-method when a test suite is derived with respect to the fault model <S, ≤, 6>. Input/Output sequences with the input projection of the set N(b, 0) should traverse states of some Rj at least 2 = 6  5 + 1 times while this does not hold for any proper prefix of the input sequence, and respectively, i.i is in the set N(b, 0) which traverses states (a, 0) and (b, 0) of R1. Other sequences at state (b, 0) are i.I (traverses (a, 0), (a, (0, 1))), I.i (traverses (b, (0, )), (a, 0)), I.I (traverses (b, (0, )), (b, (0, ))) and thus, N(b, 0) = {i.i, i.I, I.i, I.I, i, I}. A fragment of the tree that is obtained when deriving a test suite, is shown in fig. 6. One of test sequences of TSA is I.i.i.i.I.I.i and a corresponding timed input sequence of test TS is (i, 0,5).(i, 0).(i, 0).(i, 1) =  where (i, 0,5) is a d-transfer sequence and (i, 1) is a separating sequence from W1. Each sequence of the test suite is applied to TFSM implementation at the initial state. First input i of  is applied when clock value is equal to 0,5; after applying the input the clock is set to 0 and the machine produces corresponding output when clock value is equal to 1 when an implementation is conforming. After producing the output o2 the clock is reset and the machine is waiting for the next input i from timed input (i, 0) that is immediately applied after resetting the clock. After applying this input the clock is reset again and the machine produces an output o1 or o3 when the clock value is equal to 2. After producing any of outputs by the TFSM the clock is reset and the machine is waiting for a next input, etc.

Conclusion
In this paper, we have proposed an approach for deriving complete test suites with respect to the reduction relation against nondeterministic Finite State Machines with timed guards and timeouts. Both, a proposed approach and a corresponding fault model are based on the FSM abstraction of machines with timed guards and timeouts and this allows inheriting the known FSM based SCRmethod when deriving test suites with guaranteed fault coverage for nondeterministic TFSMs.