Introduction
In distributed testing, a distributed test architecture is used where a tester is placed at each port of the system under test (SUT) N and an input sequence is applied. When N is a state-based system specified as a finite state machine (FSM) M, an input sequence to be applied to N can be constructed from M; the input sequence is then called a test sequence or a checking sequence. The application of a test/checking sequence [5] in the distributed test architecture introduces the possibility of controllability and observability problems. These problems occur if a tester cannot determine either when to apply a particular input to N, or whether a particular output from N has been generated in response to a specific input, respectively [6].
For some specifications there does not exist an input sequence in which the testers can coordinate solely via their interactions with N [2, 8]. In this case it is necessary for the testers to exchange external coordination messages over a dedicated channel during the application of the input sequence. Similarly, such coordination messages can be used to overcome observability problems [2, 7]. However, sometimes we want to avoid the use of coordination messages since they require us to set up an additional communications network and this makes testing more expensive. In addition, coordination messages introduce delays and these delays can cause problems if we have timing issues in our testing. Let us suppose, for example, that in testing we wish to follow the input of $x_1$ at port $p_1$ with the input of $x_2$ at port $p_2$ ($p_1 \neq p_2$) and in order to achieve this we send a coordination message from the tester at $p_1$ to the tester at $p_2$ after $x_1$ has been input. If we require that the time between $x_1$ and $x_2$ being sent is at most $t$ and the process of sending coordination messages takes time $t' > t$ then this approach is not appropriate. The timing issues can be particularly problematic if the SUT responds rapidly to inputs, relative to the network used for coordination messages. See [4] for a discussion of some of the timing issues that arise in using coordination messages.
This paper investigates conditions that must be satisfied by an FSM for the existence of input sequences that can be applied in a distributed test architecture without encountering controllability and observability problems and without using external coordination messages. Such conditions have two potential values. First, they can be used to determine whether we require coordination messages and thus a network that connects the testers. Second, if we wish to avoid the use of coordination messages in testing then these conditions can be seen as testability conditions that can inform the design process.
Results given in this paper differ from those in [3] in the following ways. First, the conditions are strictly weaker than those in [3] since we are less restrictive in the ways we achieve our goals. Second, [3] only considered observability problems; we consider both controllability and observability problems. In addition, [3] only considered a particular type of observability problem and we generalize this. Finally, we investigate the situation in which we need only add input sequences to complement a given test/checking sequence ρ and prove that the conditions for this problem are equivalent to those for the original problem.
Preliminaries
An n-port Finite State Machine M (simply called an FSM M) is defined as $M = (S, I, O, \delta, \lambda, s_0)$ where $S$ is a finite set of states; $s_0 \in S$ is the initial state; $I = \bigcup_{i=1}^{n} I_i$, where $I_i$ is the input alphabet of port $i$, and
where O i is the output alphabet of port i, and − means null output; δ : S × I → S is the transition function; and λ :
We use * to denote any possible output, including −, at a port. We also use * to denote any possible input or any possible vector of outputs. In the following, p ∈ [1, n] is a port, x ∈ I is a general input, and x p ∈ I p is an input at p. We use y | p to denote the output at p in y. 
Given an FSM M and a sequence $tt'$ of consecutive transitions, $t = (s_1, s_2, x/y)$ and $t' = (s_2, s_3, x'/y')$, a controllability problem occurs if the port p at which $x'$ is input is not involved in t: $x' \in X_p$ and $y|_p = -$. If this problem occurs then the tester at p does not know when to send $x'$ and so $tt'$ cannot be applied in testing. Consecutive transitions $t$ and $t'$ form a synchronizable pair of transitions if $t'$ can follow $t$ without causing a controllability problem. A path in which every pair of transitions is synchronizable is called a synchronizable path. An input/output sequence is synchronizable if it is the label of a synchronizable path. We assume that for every pair of transitions $(t, t')$ there is a synchronizable path that starts with $t$ and ends with $t'$. If this condition does not hold, then the FSM is called intrinsically non-synchronizable and we cannot expect to be able to overcome the controllability problem [1].
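The controllability check defined above can be run mechanically over a specification. The following is an added example, not code from the paper: the 2-port FSM, the transition names and the helper functions are all constructed for illustration, and a port counts as involved in a transition when it receives the input or a non-null output.

```python
from collections import deque, namedtuple

# Transition (src, dst, x/y): input x is applied at in_port; out maps port -> output ("-" is null).
Transition = namedtuple("Transition", "name src dst in_port x out")

def ports_involved(t):
    """Ports whose tester takes part in t: the input port plus every port with non-null output."""
    return {t.in_port} | {p for p, o in t.out.items() if o != "-"}

def synchronizable_pair(t, t_next):
    """True if t_next can follow t: the tester that sends its input was involved in t."""
    return t.dst == t_next.src and t_next.in_port in ports_involved(t)

def controllability_problems(path):
    """Indexes i at which path[i], path[i+1] is not a synchronizable pair."""
    return [i for i in range(len(path) - 1)
            if not synchronizable_pair(path[i], path[i + 1])]

def synchronizable_path(transitions, first, last):
    """Breadth-first search for a synchronizable path that starts with first and ends with last.
    Returns None if there is none, i.e. the pair witnesses intrinsic non-synchronizability."""
    queue, seen = deque([[first]]), {first.name}
    while queue:
        path = queue.popleft()
        if path[-1].name == last.name:
            return path
        for nxt in transitions:
            if nxt.name not in seen and synchronizable_pair(path[-1], nxt):
                seen.add(nxt.name)
                queue.append(path + [nxt])
    return None

# Constructed 2-port FSM (sample data, not taken from the paper).
t1 = Transition("t1", "s0", "s1", 1, "a", {1: "o1", 2: "-"})  # only port 1 involved
t2 = Transition("t2", "s1", "s2", 2, "b", {1: "-", 2: "o2"})  # input at port 2
t3 = Transition("t3", "s1", "s1", 1, "c", {1: "-", 2: "o3"})  # hands control to port 2
t4 = Transition("t4", "s2", "s0", 2, "d", {1: "o4", 2: "-"})
M = [t1, t2, t3, t4]

if __name__ == "__main__":
    print(controllability_problems([t1, t2, t4]))              # t1 then t2 is the problem pair
    print([t.name for t in synchronizable_path(M, t1, t2)])    # detour through t3
```

Here t1 followed directly by t2 is a controllability problem because the tester at port 2 sees nothing of t1, while inserting t3, which outputs at port 2, gives a synchronizable path from t1 to t2 without any coordination message.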
, and there exists a port p with
If such a cycle exists then there is no bound on the number of outputs the tester at port p can see without providing an input, a situation not too dissimilar to a livelock. We assume that any FSM considered is not intrinsically non-synchronizable and has no same-port-output-cycles.
Suppose that we are given an FSM M and a synchronizable path t 1 
Here the output o shifts from being produced in response to x i to being produced in response to x j and the shift is between t i and t j .
. . x l−1 , and N produces output o at p in response to x i after x 1 . . . x i−1 . Here the output o shifts from being produced in response to x j to being produced in response to x i and the shift is between t j and t i . [3] only considers observability problems in which the two transitions involved in the shift are adjacent and thus j = i + 1; these are called 1-shift output faults.
Definitions of leading and trailing paths
To verify the output of a transition t at port p a test/checking sequence must contain t within a context that leads to its output at p being identified. If we have a verifying path ρ 1 tρ 2 for (t, p) then we can embed this within any test/checking sequence and we know that if no failure is observed when the test/checking sequence is applied to the SUT then the SUT must have produced the expected output at p in response to the input x that was intended to trigger t. This allows us to check the output of t at p but relies on us knowing that the corresponding transition of N is executed when expected. This is the case if either it is known that every transition of N has the required final state or if the final state of each transition is verified in another part of the test/checking sequence. This paper concerns the issue of overcoming observability problems and so we assume that the final state of each transition is either known to be correct or is verified through some other means. In this paper, we consider the existence of absolute verifying paths for (t, p) where t has non-empty output. No matter how ρ = ρ 1 tρ 2 is concatenated with other sequences, we can determine the output sequence at p in response to the first |ρ| − 1 inputs of ρ as this is immediately preceded and followed by input at p. Further, since we expect |ρ| − 1 outputs at p within this output sequence, and there are |ρ| − 1 corresponding inputs, the output of t at p must have been correct if the correct sequence of observations was seen at p. Thus, absolute verifying paths are verifying paths. Note that the conditions ensure that ρ 1 and ρ 2 cannot be shortened without violating the required properties.
Definition 1 Given transition
t = (s 1 , s 2 , x/y),
Definition 2 Given transition
$t = (s_1, s_2, x/y)$ where $y|_p \neq -$, $\rho_1$ is an absolute leading path for $(t, p)$ if either $\rho_1 = \varepsilon$ and $x \in I_p$ or $\rho_1 \neq \varepsilon$ and: $\rho_1 t$ is a synchronizable path; all transitions in $\rho_1$ have non
The goals
Recall that $T_p$ denotes the set of transitions involved in potentially undetectable output shift faults at port p in M. If transition t has output y then $t|_p$ denotes $y|_p$. Let $T'_p = T_p \cap \{t \mid t|_p \neq -\}$ denote the set of transitions involved in potentially undetectable output shift faults at p whose outputs at p are non-empty. The first goal is to determine if (t, p) is verifiable for every p ∈ [1, n] and t ∈ T p . If this is the case then we can produce a verifying path for each (t, p) and include these in a test or checking sequence to check the output of every transition of the SUT at every port without suffering from controllability or observability problems.
Let $T_{\rho,p}$ denote the set of transitions involved in potentially undetectable 1-shift output faults at p in ρ: $t \in T_{\rho,p}$ if there exists a transition $t'$ such that $tt'$ or $t't$ is a synchronizable path in which there is a potentially undetectable output shift fault at p. $T'_{\rho,p} = T_{\rho,p} \cap \{t \mid t|_p \neq -\}$ denotes the set of transitions that are involved in potentially undetectable 1-shift output faults at p in ρ and have non-empty output at p. The second goal is: given a test/checking sequence ρ, determine if (t, p) is verifiable for every p and t such that t is the first or last transition in ρ or t ∈ T ρ,p . This appears to weaken the requirements since we are simply verifying that there are no potentially undetectable 1-shift output faults within a given ρ or at the first/last transition.
Below, we present a necessary and sufficient condition for (t, p) to have an absolute verifying path for every p and t ∈ T p and show that this achieves the first goal. Then, we prove that the condition is the same for the second goal.
Theorem 1 Let M be a given FSM which is not intrinsically non-synchronizable and has no same-port-output-cycles. Let p be any port of M.
( 
Proof
We prove part (i); part (ii) follows in a similar way. (⇐) Consider some t 0 ∈ T p ; we prove that there is an absolute leading path σ 0 . If the input of t 0 is at p, σ 0 = ε. Suppose that the input of t 0 is not at p. We use proof by contradiction: suppose t 0 has no absolute leading path and let σ denote a longest path such that σt 0 is synchronizable, every transition in σ has non-empty output at p and no transition in σ has input at p. Since M has no same-port-output-cycles and has a finite number of states there must exist such a (finite) σ. Let t 2 = (r 3 , r 4 , x 2 /y 2 ) be the first transition of σ and thus x 2 ∈ I p .
Suppose t 2 ∈ T p . Since x 2 ∈ I p , according to the condition, there exists a transition t 3 = (r 5 , r 3 , x 3 /y 3 ), such that t 3 t 2 is synchronizable and y 3 | p = −. Suppose instead that t 2 ∈ T p . Since M is not intrinsically non-synchronizable, there exists a transition t 3 = (r 5 , r 3 , x 3 /y 3 ) such that t 3 t 2 is synchronizable.
As t 2 ∈ T p , we know that y 3 | p = −. In each case, since t 0 has no absolute leading path, x 3 ∈ I p and so by considering t 3 σ we contradict the maximality of σ as required.
(⇒) Consider a transition t = (r 1 , r 2 , x/y) ∈ T p where x ∈ I p , y | p = −. Let σ denote an absolute leading path for t. Since x ∈ I p , σ = ε. By definition, the last transition of σ must have non-empty output at p and must be synchronizable with t and so the result follows. □
We now consider the problem of checking the output of transition t at p where t| p = −. We prove that if we can verify the output of every transition t at p such that t| p = − then we can verify the output of every transition at p.
Definition 3 Let R be a set of transitions in M.
The synchronizable path ρ is an absolute verifying path for (t, p) upon R if we know that the output of t at p must be correct whenever the following hold:
(1) The output at p of every transition in R is correct in the SUT N; and (2) There exists a synchronizable path ρ ρρ in M that starts at s 0 such that the tester at p sees the expected sequence of observations when the input portion of ρ ρρ is applied to N.
This allows us to use weaker hypotheses than in [3]: the result in [3] included conditions that deal with transitions in $T_p \setminus T'_p$. In addition, [3] does not consider the controllability problem and considered only 1-shift output faults.
The second goal concerns the problem of verifying the outputs of those transitions that could be involved in a potentially undetectable 1-shift output fault in a test/checking sequence ρ plus the first and last transitions. We therefore assume that ρ contains every transition of M and prove that the conditions given above cannot be weakened. Observe that this problem was not considered in [3]. Again, we first consider pairs (t, p) such that t| p = −. We prove the first part (the proof of the second part is similar). If the input of t 2 is at p, then is a leading path of (t 2 , p). If the input of t 2 is not at p, since the outputs of t 1 and t 2 at p are non-empty, ρ is an absolute leading path of (t 1 , p) implies ρt 1 is an absolute leading path of (t 2 , p). Thus, there exist sequences to find all potentially undetectable 1-shift output faults in a test/checking sequence ρ, that contains every transition of M, if and only if we can overcome all possible observability problems in M.
Lemma 1 Given an FSM

Conclusions
This paper investigated conditions that must be satisfied by a specification in order for us to be able to produce a test/checking sequence that is free from controllability and observability problems. This problem is represented in the following way. For each transition t and port p we wish to produce a path ρ 1 tρ 2 that checks the output of t at p. The effectiveness of ρ 1 tρ 2 , at checking the output of t at p, must not be affected by controllability and observability problems. This paper gives conditions for the existence of such a path for each transition t and port p for a class of FSMs. This class of FSMs is strictly larger than that considered in [3] and the conditions produced are strictly weaker than those given in [3] . Interestingly, we also proved that these conditions are not weakened if we only wish to find potentially undetectable 1-shift output faults in a given test/checking sequence.
