Abstract. Applying a test or checking sequence through multiple remote testers in a distributed test architecture introduces the possibility of controllability and observability problems. These problems often require external coordination message exchanges among the testers. In this paper we consider constructing a test or checking sequence from the specification of the system under test such that it is free from these problems and does not require external coordination messages. We give an algorithm that checks whether it is possible to construct, from a given specification, subsequences that eliminate the need for external coordination message exchanges, and that produces such subsequences whenever it is possible.
Introduction
In a distributed test architecture, a tester is placed at each port of the system under test (SUT) N to apply an input sequence constructed from the specification M of N. When N is a state based system whose externally observable behaviour is specified as a finite state machine (FSM) M, the input sequence applied to N is called a test sequence [13, 14] or a checking sequence [6, 8, 10]. The application of a test/checking sequence in the distributed test architecture introduces the possibility of controllability and observability problems. These problems occur if a tester cannot determine when to apply a particular input to N (controllability), or whether a particular output from N has been generated in response to a specific input (observability) [12].
It is necessary to construct a test or checking sequence that causes no controllability or observability problems during its application in a distributed test architecture (see, for example, [1, 5, 7, 9, 11, 15, 16, 17]). For some specifications there exists such an input sequence in which the coordination among testers is achieved indirectly, via their interactions with N [14, 12]. For other specifications, however, there may be no input sequence in which the testers can coordinate solely via their interactions with N [1, 15]. In this case the testers must communicate directly, exchanging external coordination messages over a dedicated channel during the application of the input sequence [2].
It is argued that both controllability and observability problems may be overcome through the use of external coordination messages among remote testers [2] . However, there is often a cost associated with the use of such messages which is composed of the cost of setting up the infrastructure required to allow the exchange of such messages and the cost of delays introduced by exchanging these messages. It is thus desirable to construct a test or checking sequence from the specification of the system under test such that it will not cause controllability and observability problems and will not require the use of external coordination message exchanges.
In [4] we have given a necessary and sufficient condition for each transition involved in a potentially undetectable output shift fault to be independently verifiable at port p. By verified at port p, we mean that we are able to conclude that the output of this transition at port p is correct from the correct output sequence of a certain transition path. By independently, we mean that this conclusion on the output at port p of each transition does not rely on the correctness of any other transition. Independence helps fault diagnosis: if the system under test contains only undetectable output shift faults, we are able to identify them. In [3] we have given a necessary and sufficient condition for each transition that is involved in a potentially undetectable output shift fault and has a non-empty output at port p to be independently verifiable at port p. Based on this we can conclude that each transition involved in a potentially undetectable output shift fault can be verified at port p. This is a weaker condition than that of [4], but we are no longer able to diagnose the undetectable output shift faults: if the system under test contains only undetectable output shift faults, we can only identify the incorrect non-empty outputs at port p. In this paper we do not consider the fault diagnosis problem, and we show that in this setting there are more specifications than those satisfying the conditions of [4] or [3] for which we can construct, for each transition involved in a potentially undetectable output shift fault, a subsequence from whose correct output sequence we can conclude that the output of that transition at port p is correct. We present an algorithm that identifies whether a given specification falls into this category and, when it does, constructs the subsequences.
The rest of the paper is organized as follows. Section 2 introduces the preliminary terminology. Section 3 gives a formal definition of the problem and identifies the condition that the specification of the system under test is checked against. Section 4 presents an algorithm for constructing subsequences that eliminate the need for using external coordination messages, proves the correctness of the algorithm, and gives its computational complexity. Section 5 discusses the related work. Section 6 gives the concluding remarks.
Preliminaries
An n-port Finite State Machine M (simply called an FSM M) is defined as M = (S, I, O, δ, λ, s_0) where S is a finite set of states of M; s_0 ∈ S is the initial state of M; I = ⋃_{i=1}^{n} I_i, where I_i is the input alphabet of port i; O = ∏_{i=1}^{n} (O_i ∪ {−}), where O_i is the output alphabet of port i and − means null output; δ is the transition function that maps S × I to S; and λ is the output function that maps S × I to O.
We use ∗ to denote any possible output, including −, at a port and + to denote a non-empty output. We also use ∗ to denote any possible input or any possible vector of outputs. In the following, t|p denotes the output at port p of transition t.
When ρ is non-empty, we use first(ρ) and last(ρ) to denote the first and last transitions of path ρ respectively and pre(ρ) to denote the path obtained from ρ by removing its last transition.
We will use 2-port FSMs for the examples. In a 2-port FSM, ports U and L stand for the upper interface and the lower interface of the FSM. An output vector y = ⟨o_1, o_2⟩ on the label of a transition of a 2-port FSM is a pair of outputs with o_1 ∈ O_U ∪ {−} and o_2 ∈ O_L ∪ {−}.
Given an FSM M and an input/output sequence x_1/y_1 x_2/y_2 ... x_k/y_k of M, a controllability (also called synchronization) problem occurs when, in the labels x_i/y_i and x_{i+1}/y_{i+1} of two consecutive transitions, there exists p ∈ [1, n]
We assume that for every pair of transitions (t, t') there is a synchronizable path that starts with t and ends with t'. If this condition does not hold, the FSM is called intrinsically non-synchronizable [1].
A same-port-output-cycle in an FSM is a path (
A transition t is involved in a potentially undetectable output shift fault at p if and only if there exist a transition t' and a transition path ρ such that at least one of the following holds.
1. t ρ t' is a synchronizable path, no transition in ρ t' contains input at p, the outputs at p of all transitions contained in ρ are empty, and exactly one of t|p and t'|p is empty. In this case an undetectable output shift fault can occur between t and t' in t ρ t'. If t|p = − we call it a backward output shift fault and if t'|p = − we call it a forward output shift fault.
2. t' ρ t is a synchronizable path, no transition in ρ t contains input at p, the outputs at p of all transitions contained in ρ are empty, and exactly one of t|p and t'|p is empty. In this case an undetectable output shift fault can occur between t' and t in t' ρ t. If t|p = − we call it a forward output shift fault and if t'|p = − we call it a backward output shift fault.
When ρ is empty, we also say that t is involved in a potentially undetectable 1-shift output fault.
The observability problem occurs when we have potentially undetectable output shift faults in the specification of the FSM.
We will use T_p to denote the set of transitions that are involved in potentially undetectable output shift faults at p, and T'_p ⊆ T_p to denote the set of those transitions in T_p whose output at p is non-empty.
A relation R between elements of a set A and elements of a set B is a subset of A × B. If (a, b) is an element of relation R then a is related to b under R and we also write aRb. The set of elements related to a ∈ A under R is denoted R(a) and thus R(a) = {b ∈ B|(a, b) ∈ R}.
Given a set A, a relation R between A and A is a partial order if it satisfies the following conditions.
- For all a ∈ A, aRa (reflexivity).
- For all a, b ∈ A, if aRb and bRa then a = b (antisymmetry).
- For all a, b, c ∈ A, if aRb and bRc then aRc (transitivity).
Verifiability of Outputs
To verify the output of transition t at port p, we search for a path ρ containing t such that
- ρ is synchronizable;
- we are able to determine the output sequence of ρ at p from applying the input portion of ρ from the starting state of ρ;
- from the correct output sequence of ρ at p we can determine that the output of t at p is correct.
We require that first(ρ) and last(ρ) have input at p in order to identify a certain output sequence: no matter how ρ is concatenated with other subsequences, we can always determine the output sequence produced at p in response to the first |pre(ρ)| inputs of ρ since this output sequence is immediately preceded and followed by input at p.
To determine the correct output of (t, p) from the correct output sequence of ρ at p, we require that
- if the output of (t, p) is non-empty, then all the outputs at p in pre(ρ) are either also non-empty or already known to be correct;
- if the output of (t, p) is empty, then all the outputs at p in pre(ρ) are either also empty or already known to be correct.
Example 1.
In the specification given in Figure 1, there is a potentially undetectable output shift fault in t_1 t_3 at port U, because the input of t_3 is not at U while there is a potential shift of the output o from t_3 to t_1. We are interested in constructing paths to verify that the outputs of t_1 and of t_3 at this port are correct. ρ_1 = t_1 t_2 is such a synchronizable path for t_1: it has input at U in t_1 (first(ρ_1)) and input at U in t_2 (last(ρ_1)), and from the output at U observed between these two inputs when ρ_1 is applied as a subsequence we can verify that the output of t_1 at U is correct.
If we know that the output of t_1 at U is correct, then ρ_2 = t_1 t_3 t_1 is a suitable synchronizable path for t_3: it has input at U in t_1 (both first(ρ_2) and last(ρ_2)), and from the output at U observed between these two inputs when ρ_2 is applied as a subsequence we can verify that the output of t_3 at U is correct, since we already know that the output of t_1 at U is correct.
Formally, we introduce the following concept. 
Definition 1. Let t be a transition, and v a set of transitions in
Note that given t and ρ we will typically consider a minimal set v that satisfies the above conditions.
Example 2. In Example 1,
- t_1 t_2 is an absolute verifying path upon ∅ for (t_1, U);
- t_1 t_3 t_1 is an absolute verifying path upon {t_1} for (t_3, U).
Directly from this definition, we have:
Proposition 1. If ρ is an absolute verifying path upon v for (t, p) and v is a minimal such set, then ρ is an absolute verifying path upon v for (t', p) for any t' in pre(ρ) with t'|p = − ⇔ t|p = −.
Proposition 2, used below, states that if ρ is an absolute verifying path upon v for (t, p), the outputs at p of the transitions in v are known to be correct, and the correct output sequence is observed at p in response to the first |pre(ρ)| inputs of ρ, then the output of t at p is correct. Suppose t|p ≠ − (the case t|p = − is symmetric) and that m inputs from pre(ρ) lead to non-empty output at p in M. If we observe the correct output sequence in response to the first |pre(ρ)| inputs of ρ, then we must observe m outputs at p in response to these inputs. Since t|p ≠ − and ρ is an absolute verifying path upon v for (t, p), we know by definition that every t' in pre(ρ) with t'|p = − is in v, so the output of t' at p is correct (and so is −) in the SUT. Hence the corresponding |pre(ρ)| − m inputs in pre(ρ) lead to empty output at p. Thus we can map the observed outputs at p, in response to the input portion of pre(ρ), to the inputs that caused them, and so if the correct output sequence is observed then the output of t at p must be correct.
To verify the output of (t, p), we try to find a path ρ that is an absolute verifying path upon v for (t, p) for some set v such that the output at p for every transition in v is verified. So in general, we search for an acyclic digraph of transitions such that each transition in this digraph has an absolute verifying path upon a set of transitions that appear as its successors in the digraph. Such an acyclic graph can be represented as a partial order in the following way. 
Definition 2. Suppose that U is a set of transitions of M, R is a relation between U and U, and P is a function from U to paths of M. U is verifiable at p under R and P if
(a) for all t ∈ U, P(t) is an absolute verifying path upon R(t) for (t, p);
(b) R ∪ {(t, t) | t ∈ U} is a partial order.
Where such R and P exist we also say that U is verifiable at p.
Suppose that U is verifiable at p under R and P and that we observe the correct output sequence at p in response to the first |pre(P(t))| inputs of P(t) for each t ∈ U. Then, by Proposition 2 applied in the order given by R, the output of t at p is correct for each t ∈ U. So our goal is to find a set U that is verifiable at p such that T_p ⊆ U.
Example 3. In Example 1, for port U, we have T_U = {t_1, t_3}. T_U is verifiable at U because
- t_1 t_2 is an absolute verifying path upon ∅ for (t_1, U);
- t_1 t_3 t_1 is an absolute verifying path upon {t_1} for (t_3, U).
Taking R = {(t_3, t_1)}, P(t_1) = t_1 t_2 and P(t_3) = t_1 t_3 t_1, the relation R ∪ {(t_1, t_1), (t_3, t_3)} is a partial order, so U = {t_1, t_3} is verifiable at U under R and P.
Proposition 3. If ρ is an absolute verifying path upon v for (t, p) and v is a minimal such set then v ⊆ T_p.
Proof. Let ρ = t_1 ... t_k (for k ≥ 2) where t = t_i for some i ∈ [1, k − 1]. Suppose t_i|p ≠ − (the case t_i|p = − is analogous). Consider an arbitrary transition t' ∈ v: it is sufficient to prove that t' ∈ T_p.
By the minimality of v, t' is contained in pre(ρ) and so t' = t_j for some j ∈ [1, k − 1]. Since ρ is an absolute verifying path upon v for (t_i, p) and v is minimal, t_i ∉ v and so j ≠ i. Suppose i < j (the case i > j is analogous).
Since t_j ∈ v, by the minimality of v we have t_j|p = −. Now as i < j, t_i|p ≠ − and t_j|p = −, there exists some maximal l with i ≤ l < j such that t_l|p ≠ −. Let ρ' = t_l ... t_j. By Definition 1, no transition in ρ' after t_l has input at p, and by the choice of l every transition strictly between t_l and t_j has empty output at p. So ρ' is a window of the second kind in the definition of T_p, between t' = t_l and t = t_j, and therefore t_j ∈ T_p. This result allows us to consider only transitions in T_p for U.
Proposition 4. Suppose M is an FSM that is not intrinsically non-synchronizable, p is a port of M and U is a set of transitions verifiable at port p. If T'_p ⊆ U or T_p − T'_p ⊆ U, then T_p is verifiable at p.
Proof. Suppose U is verifiable under R and P and that R is a minimal such relation (i.e. U is not verifiable using a relation that contains fewer pairs).
First, consider the case that T'_p ⊆ U. According to Theorem 2 in [3], there exists an absolute verifying path upon T'_p for (t, p) for every t ∈ T_p − T'_p. Since T'_p ⊆ U, there exists ρ_{p,t}, an absolute verifying path upon T'_p for (t, p), for each t ∈ T_p − U. Now define the relation R' and the function P' as follows.
1. R' = R ∪ {(t, t') | t ∈ T_p − U ∧ t' ∈ T'_p}
2. P' = P ∪ {(t, ρ_{p,t}) | t ∈ T_p − U}
It is easy to check that T_p is verifiable at p under R' and P' as required. Now consider the case that T_p − T'_p ⊆ U. Similar to Theorem 2 in [3], we can prove that there exists an absolute verifying path upon T_p − T'_p for (t, p) for every t ∈ T'_p. The proof is then similar to that for the case where T'_p ⊆ U.
Algorithm
Figure 2 gives such an algorithm. Here, U is a set of transitions that is verifiable at p. It is initially set to empty. We search for transitions to be added to U and try to make U ⊇ T_p. According to Proposition 3, only transitions in T_p need to be considered for addition to U, so in fact we seek a set U such that U = T_p.
If we succeed, we have an absolute verifying path ρ_{p,t} kept in P(t) for each t ∈ U, and the algorithm outputs "success" together with P (lines 28-31 of Figure 2); otherwise it outputs "no such set of sequences exists." Of course, if we do not need the absolute verifying paths but just want to check whether T_p is verifiable at p, the algorithm can easily be modified to stop as soon as that is decided.
Fig. 2. Algorithm 1: generating a set of paths.
If T_p is empty, then we do not need to do anything (lines 7-10). If T_p ≠ ∅, then we start by checking whether there exists a transition t ∈ T_p that has an absolute verifying path upon ∅ for (t, p). We use checkset to denote the current set of transitions for which we still need to find absolute verifying paths; initially checkset = T_p. If checkset becomes ∅ we terminate the loop: the algorithm has found a sufficient set of paths. At the end of an iteration, checkset' denotes the value of checkset before that iteration of the while loop, and thus if there is no progress (checkset = checkset' at this point) the algorithm terminates with failure.
Whenever we find an absolute verifying path ρ_{p,t} upon U for (t, p), we can add to U not only t but every t' ∈ T_p contained in pre(ρ_{p,t}) with t'|p = − ⇔ t|p = −. This is based on Proposition 1. At the same time, we update checkset.
To find an absolute verifying path ρ upon U for (t, p), we construct G[t, U], obtained from the digraph G of M by removing all edges except those corresponding to a transition t' that Definition 1 allows in pre(ρ), namely one of the following cases: t' = t; t'|p = − ⇔ t|p = −; or t' ∈ U.
We then search for a synchronizable path in G[t, U] that contains t, starts with a transition whose input is at p, and ends with a transition whose input is at p. Standard graph search suffices (e.g. compute all vertices reachable from the end vertex of the edge representing t, and all vertices from which the start vertex of that edge can be reached). Note that cycles in G[t, U] need not be considered: if there exists an absolute verifying path with a cycle then there is also one without.
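The following Python is an added illustration, not the paper's code or its Figure 2: it models the notions of Section 2 (synchronizable paths, the set T_p, absolute verifying paths upon a set v) and the search loop of Algorithm 1 on a constructed 2-port FSM patterned on Example 1 (it is not Figure 1 itself). Two conditions that this copy of the text elides are filled in as assumptions: consecutive transitions t, u are taken to be synchronizable when the input port of u is the input port of t or receives a non-null output of t, and an undetectable output shift between t and t' at p is taken to require exactly one of t|p, t'|p to be null. The names Transition, shift_pairs, absolute_verifying_path and algorithm1 are the example's own.

```python
# Added example, not the paper's code: the notions of Section 2 and the search
# loop of Algorithm 1. Assumptions where this copy of the text is cut off:
# (1) u may directly follow t synchronizably iff u's input port is t's input port
# or receives a non-null output of t; (2) an undetectable output shift between
# t and t' at p needs exactly one of t|p, t'|p to be null.
from collections import deque

NULL = "-"  # null output at a port

class Transition:
    """src --inp at port / out--> dst; out maps each port to a symbol or NULL."""
    def __init__(self, name, src, dst, port, inp, out):
        self.name, self.src, self.dst, self.port, self.inp = name, src, dst, port, inp
        self.out = dict(out)
    def at(self, p):
        return self.out.get(p, NULL)

def empty_at(t, p):
    return t.at(p) == NULL

def synchronizable(t, u):
    """Assumption (1): no controllability problem when u directly follows t."""
    return u.port == t.port or not empty_at(t, u.port)

def shift_pairs(fsm, p):
    """(t, t') with t rho t' synchronizable, no input at p in rho t', null output
    at p throughout rho and (assumption 2) exactly one of t|p, t'|p null."""
    pairs = set()
    for t in fsm:
        seen, stack = {t}, [t]
        while stack:
            x = stack.pop()
            for y in fsm:
                if y in seen or y.src != x.dst or y.port == p or not synchronizable(x, y):
                    continue
                seen.add(y)
                if empty_at(y, p) != empty_at(t, p):
                    pairs.add((t, y))
                if empty_at(y, p):  # y may still lie inside rho
                    stack.append(y)
    return pairs

def shift_transitions(fsm, p):
    """T_p: every transition that occurs in some shift window at p."""
    return {t for pair in shift_pairs(fsm, p) for t in pair}

def _bfs(start, step, goal):
    """BFS from start; returns [goal, ..., first step away from start] or None."""
    parent, queue = {y: None for y in step(start)}, deque(step(start))
    while queue:
        x = queue.popleft()
        if goal(x):
            chain = [x]
            while parent[chain[-1]] is not None:
                chain.append(parent[chain[-1]])
            return chain
        for y in step(x):
            if y not in parent:
                parent[y] = x
                queue.append(y)
    return None

def absolute_verifying_path(fsm, t, p, v):
    """Definition 1: synchronizable path with t in pre(rho), first and last input
    at p, every transition of pre(rho) of t's kind at p (null/non-null) or in v."""
    def allowed(x):
        return x is t or empty_at(x, p) == empty_at(t, p) or x in v
    def back(x):  # predecessors usable inside pre(rho)
        return [y for y in fsm if y.dst == x.src and allowed(y) and synchronizable(y, x)]
    def forward(x):  # successors; last(rho) needs only input at p
        return [z for z in fsm if z.src == x.dst and synchronizable(x, z)
                and (z.port == p or allowed(z))]
    prefix = [] if t.port == p else _bfs(t, back, lambda x: x.port == p)
    suffix = _bfs(t, forward, lambda x: x.port == p)
    if prefix is None or suffix is None:
        return None
    return prefix + [t] + suffix[::-1]

def algorithm1(fsm, p):
    """Algorithm 1: grow the verified set U until U = T_p, else report failure.
    Returns {transition name: names along its verifying path} or None."""
    U, P, checkset = set(), {}, set(shift_transitions(fsm, p))
    while checkset:
        for t in sorted(checkset, key=lambda x: x.name):
            rho = absolute_verifying_path(fsm, t, p, U)
            if rho is not None:
                break
        else:
            return None  # no progress: "no such set of sequences exists."
        for x in rho[:-1]:  # Proposition 1: same-kind transitions in pre(rho) are verified too
            if x in checkset and empty_at(x, p) == empty_at(t, p):
                U.add(x)
                P[x.name] = [y.name for y in rho]
                checkset.discard(x)
    return P

def example_fsm():
    """Constructed 2-port FSM patterned on the paper's Example 1 (ports U, L):
    t1 has input at U and null output at U; t3 has input at L and output o at U."""
    return [Transition("t1", "s1", "s2", "U", "a", {"U": NULL, "L": "x"}),
            Transition("t2", "s2", "s1", "U", "b", {"U": NULL, "L": "y"}),
            Transition("t3", "s2", "s1", "L", "c", {"U": "o", "L": NULL})]
```

On example_fsm() the algorithm first finds t_1 t_2 for (t_1, U) upon ∅ and then, with t_1 in U, t_1 t_3 t_1 for (t_3, U), matching Example 2. Dropping t_2 from the list leaves t_3 as the only synchronizable successor of t_1; since t_3 differs from t_1 in kind at U and neither is yet verified, no path exists for either and algorithm1 returns None, which is the failure branch of Figure 2.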
The following two results show that Algorithm 1 is correct.
Theorem 1. Suppose that Algorithm 1 outputs "success" and P. Then there exists a relation R such that T p is verifiable at p under R and P.
Proof. Define a relation R in the following way. Given a transition t ∈ T_p, consider the iteration in which t is added to U and let U_t denote the value of U at the beginning of this iteration. Since t could be added to U in this iteration, there is an absolute verifying path upon U_t for (t, p), namely the path P(t) recorded by the algorithm. Let R be the relation such that R(t) = U_t for all t ∈ T_p. Because every element of U_t was added in an earlier iteration than t, R ∪ {(t, t) | t ∈ T_p} is a partial order, and so T_p is verifiable at p under R and P as required.
Theorem 2. Suppose that Algorithm 1 does not output "success". Then T p is not verifiable at p.
Proof. By contradiction: suppose that there exist R and P such that T_p is verifiable at p under R and P, and that Algorithm 1 terminates with a set U such that T_p ⊄ U. Define a function depth from T_p to the integers as follows: depth(t) = 1 if R(t) \ {t} = ∅, and otherwise depth(t) = 1 + max_{t' ∈ R(t) \ {t}} depth(t'). This is well defined since R ∪ {(t, t) | t ∈ T_p} is a partial order. Let t be an element of T_p \ U that minimises depth(t). Every element of R(t) \ {t} has smaller depth and so is in U, and thus P(t) is an absolute verifying path upon U for (t, p). This contradicts the algorithm terminating with a set U such that T_p ⊄ U, as required.
Now we turn to the complexity of the algorithm. Let m = |T_p| be the number of transitions involved in potentially undetectable output shift faults at p. In each iteration of the while loop (lines 14-26), we construct an absolute verifying path upon U for one of the transitions in checkset, and we remove at least one transition from checkset. As initially |checkset| = m, the while loop is executed at most m times.
Within each iteration of the while loop (lines 14-26), we need to check whether we can find an absolute verifying path ρ_{p,t} upon U for (t, p) for some t ∈ checkset. This can be done by trying to construct ρ_{p,t} for each t ∈ checkset until one is found, that is, at most |checkset| ≤ m attempts per iteration.
Each attempt to construct an absolute verifying path upon U for a given transition t takes O(wv) time, where w is the number of states of M and v is the number of transitions of M.
For the for-loop in lines 17-20, we can keep a set α of all transitions t' contained in pre(ρ_{p,t}) such that t' ∉ U and t'|p = − ⇔ t|p = − during the construction of ρ_{p,t}. This does not affect the O(wv) estimate. After ρ_{p,t} has been found, we move all transitions in α from checkset to U. Each such move saves one iteration of the while loop, so the time for the for-loop in lines 17-20 can be ignored.
In summary, the time complexity of Algorithm 1 is O(m 2 wv).
Relationship with Previous Work
In [4], to make sure that each transition involved in a potentially undetectable output shift fault can be independently verified at port p, we require ρ_1 @ t @ ρ_2 to be an absolute verifying path upon ∅ for (t, p) for every transition t involved in a potentially undetectable output shift fault. That result is presented in terms of 1-sh
ift output faults, but it holds also for general output shift faults.
Clearly, when the above condition holds, there exists an absolute verifying path upon ∅ for (t, p) for every t ∈ T_p, and thus T_p is verifiable. In other words, the condition of [4] guarantees that for each t ∈ T_p there exists an absolute verifying path upon ∅ for (t, p), and this is sufficient for T_p to be verifiable.
In [3], we have given a weaker condition than the one in [4]. Theorem 3 there characterises exactly when the following two properties hold:
(i) (t_0, p) has an absolute leading path for every t_0 ∈ T'_p;
(ii) (t_0, p) has an absolute trailing path for every t_0 ∈ T'_p.
Theorem 3 thus guarantees the existence of an absolute leading path and an absolute trailing path for (t, p) only for those transitions t that are involved in a potentially undetectable output shift fault and have non-empty output at p, that is, for t ∈ T'_p. For each such t, (t, p) therefore has an absolute verifying path upon ∅.
It is then proved there that for the other transitions t' involved in a potentially undetectable output shift fault, those with empty output at p, there is an absolute verifying path upon T'_p for (t', p):
Theorem 4. Given any FSM M that is not intrinsically non-synchronizable and port p, every t ∈ T_p − T'_p has an absolute verifying path upon T'_p for (t, p).
By these two theorems, the condition in Theorem 3 is sufficient for T_p to be verifiable.
On the other hand, the conditions in [4, 3] are not necessary for T p to be verifiable.
Example 4. In Example 3 we have shown that T_U is verifiable at U for the FSM of Example 1. However, the conditions in [4, 3] do not hold, because for (t_3, U), t_3 does not have input at U and there is no transition ending at s_2 with non-empty output at U.
The following is another example where T_U is verifiable at U while the conditions in [4, 3] do not hold.
Example 5. In Figure 3, there are undetectable output shift faults at port U in t_1 t_2 and in t_2 t_5, so T_U = {t_1, t_2, t_5} and T'_U = {t_1, t_5}.
The conditions in [4, 3] do not hold because for (t_1, U) there is no transition starting from s_2 that has either input at U or non-empty output at U. However, T_U is verifiable at U.
Conclusion
This paper has presented a sound procedure for checking whether it is possible to construct a test/checking sequence that causes no controllability or observability problems and requires no external coordination message exchanges among remote testers during its application in a distributed test architecture. This is realized by constructing, for each transition t involved in a potentially undetectable output shift fault, a path that allows the output of t at a given port p to be checked. The effectiveness of this path in checking the output of t at p must not be affected by controllability or observability problems: the correctness of the output of t at p is derived from the correct output sequence observed when the input portion of the path is applied during the test. It remains an interesting problem to produce an efficient test or checking sequence from an FSM that is guaranteed to determine the correctness of the SUT for the considered fault model.
