Abstract. Controllability and observability problems may manifest themselves during the application of a test or checking sequence in a test architecture where there are multiple remote testers. These problems often require the use of external coordination message exchanges among testers during testing. It is desired to construct a test or checking sequence from the specification of the system under test such that it will be free from these problems without requiring the use of external coordination messages. This paper investigates conditions that allow us to construct such a test or checking sequence. For specifications satisfying these conditions, procedures for constructing subsequences that eliminate the need for using external coordination messages are given.
Introduction
Testing an implementation of a system is often carried out by constructing an input sequence from the specification of the system, applying the input sequence in a test architecture, and analyzing the resulting output sequence to determine whether the implementation conforms to the specification on this input sequence. In distributed testing, a distributed test architecture is used where a tester is placed at each port of the system under test (SUT) N and an input sequence constructed from the specification M modeling the externally observable behaviour of N is applied. Such an input sequence is called a test sequence [11, 12] or checking sequence [4, 6] and is constructed from M to determine whether N is a correct or faulty implementation of M .
During the application of a test or checking sequence to N in a distributed test architecture, the existence of multiple testers gives rise to coordination problems among remote testers known as controllability and observability problems. A controllability problem occurs when a tester cannot determine when to apply a particular input to the SUT; an observability problem occurs when a tester cannot determine whether a particular output from the SUT was generated in response to a specific input. Without loss of generality, let us consider a distributed architecture with two testers, the lower tester (L) and the upper tester (U). In this architecture, U and L are two remote testers that are required to coordinate the application of a test or checking sequence. The controllability (synchronization) problem manifests itself when L (or U) is expected to send an input to N after N responds to an input from U (or L) with an output to U (or L), but L (or U) is unable to determine whether N sent that output. It is therefore important to construct a synchronizable test or checking sequence, i.e., one that causes no controllability problems during its application in the distributed test architecture. For some specifications, an input sequence can be constructed such that no two consecutive inputs cause a controllability problem, and hence the coordination among testers is achieved indirectly through their interactions with N [12]. For other specifications, there may not exist an input sequence in which the testers can coordinate solely via their interactions with N [1]. In this case it is necessary for the testers to communicate directly by exchanging external coordination messages among themselves over a dedicated channel during the application of the input sequence [2].
During the application of even a synchronizable input sequence in a distributed test architecture, the observability problem manifests itself when L (or U) is expected to receive an output from N in response to either the previous input or the current input and, because L (or U) is not the one sending the current input, L (or U) is unable to determine when to start and stop waiting. Such observability problems hamper the detectability of output shift faults in N, i.e., faults in which an output associated with the current input is produced by N in response to either the previous input or the next input. To ensure the detectability of potential output shift faults in N, the test or checking sequence needs to be augmented either by additional input subsequences selected from the specification M [10] or by external coordination message exchanges between testers [2], so that during the application of the input sequence the testers can determine whether the output observed is received in response to the correct input as specified in M. Again, for some specifications, an input sequence can be constructed without using external coordination messages among testers such that no potential output shift fault remains undetected, and hence the coordination among testers is achieved indirectly through their interactions with N. For other specifications, there may not exist an input sequence in which observability problems can be resolved without direct external coordination message exchanges among testers.
Both controllability problems and observability problems may be overcome through the use of external coordination messages. However, there is often a cost associated with the use of such messages. This cost includes the expense of implementing the infrastructure required to allow the messages to be sent, and may also include the delay introduced by the sending of each message. It is thus desirable to construct a test or checking sequence from the specification of the system under test such that it will be free of controllability and observability problems without requiring the use of external coordination message exchanges. Previous authors have investigated the problem of producing a test or checking sequence that either has no controllability problems or has no controllability and observability problems, and that either uses no external coordination message exchanges or uses a minimum number of them (see, for example, [1, 3, 5, 7, 8, 9, 13, 14, 15, 16]). This paper investigates conditions that allow us to construct a test or checking sequence without encountering controllability and observability problems and without using external coordination messages among testers. The rest of the paper is organized as follows: Section 2 introduces the terminology. Section 3 gives a formal definition of the problem and identifies the conditions that the specification of the system under test is checked against. Section 4 presents new procedures for constructing subsequences that eliminate the need for external coordination messages: for a transition t and port p we produce a subsequence that does not allow a fault in the output of t at p to be masked by an output shift fault. Section 5 gives the concluding remarks.
Preliminaries

FSM and its Graphical Representation
where O_i is the output alphabet of port i, and − denotes the null output;
- δ is the transition function, which maps S × I to S, i.e., δ : S × I → S;
- λ is the output function, which maps S × I to O, i.e., λ : S × I → O.
Note that each y ∈ O is a vector of outputs, i.e.,
We will use * to denote any possible output, including −, at a port. We also use * to denote any possible input or any possible vector of outputs of a transition. In the following, p ∈ [1, n] is a port, x ∈ I is a general input, and x p ∈ I p is an input at specific port p. We use y[p, c] to denote the output vector y of a transition whose output at port p is c. Alternatively, we use y | p to denote the output at port p in y.
A transition of an FSM M is a triple t = (s 1 , s 2 , x/y), where s 1 , s 2 ∈ S, x ∈ I, and y ∈ O such that δ(s 1 , x) = s 2 , λ(s 1 , x) = y. s 1 and s 2 are called the starting state and the ending state of t respectively. The input/output pair x/y is called the label of the transition. A transition (s 1 , s 2 , x/y) will also be denoted as s 1
A path ρ = t 1 t 2 . . . t k (k ≥ 0) is a finite sequence of transitions such that for k ≥ 2, the ending state of t i is the starting state of t i+1 for all i ∈ [1, k − 1]. When the ending state of the last transition of path ρ 1 is the starting state of the first transition of path ρ 2 , we use ρ 1 @ρ 2 to denote the concatenation of paths ρ 1 and ρ 2 . The label of a path (s 1 , s 2 ,
is the sequence of input/output pairs x_1/y_1 x_2/y_2 . . . x_k/y_k, which is called an input/output sequence. We will consider FSMs that are free from same-port-output-cycles and isolated-port-cycles. A same-port-output-cycle in an FSM is a path (s 1 , s 2 ,
, and there exists a port p with y i | p = − and
We will use 2-port FSMs to show some examples. In a 2-port FSM, we denote the ports by U and L, standing for the upper interface and the lower interface of the FSM. We use u, u_1, u_2, . . . to denote inputs at port U, and l, l_1, l_2, . . . to denote inputs at port L. The output vector y = ⟨o_1, o_2⟩ on the label of a transition of the 2-port FSM is a pair consisting of an output o_1 ∈ O_1 at port U and an output
Controllability (Synchronization) Problem
Given an FSM M and an input/output sequence x_1/y_1 x_2/y_2 . . . x_k/y_k of M, where x_i ∈ I and y_i ∈ O, i ∈ [1, k], a controllability (synchronization) problem occurs when, in the labels x_i/y_i and x_{i+1}/y_{i+1} of any two consecutive transitions,
Two consecutive transitions t i and t i+1 whose labels are x i /y i and x i+1 /y i+1 , form a synchronizable pair of transitions if t i+1 can follow t i without causing a synchronization problem. Any (sub)sequence of transitions in which every pair of transitions is synchronizable is called a synchronizable transition (sub)sequence. An input/output sequence is said to be synchronizable if it is the label of a synchronizable transition sequence.
Observability Problem
Suppose we are given an FSM M and an input/output sequence x 1 /y 1 x 2 /y 2 . . . x k /y k of M , where x i ∈ I and y i ∈ O, i ∈ [1, k]. A 1-shift output fault in an implementation N of M exists when, in the labels x i /y i and x i+1 /y i+1 of any two consecutive transitions, one of the following holds:
output o at p in response to x i after x 1 . . . x i−1 , and N produces output − at p in response to x i+1 after x 1 . . . x i .
An instance of the observability problem manifests itself as a potentially undetectable 1-shift output fault if there is a 1-shift output fault related to o ∈ O_p in any two consecutive transitions whose labels are x_i/y_i and x_{i+1}/y_{i+1}, such that x_{i+1} ∉ I_p, i.e., the tester at port p is not the one applying x_{i+1} and so cannot tell which of the two inputs o was produced in response to. In this case, we say that the tester at port p is involved in the shift, and it would not be able to detect it.
Problem Definition and Conditions
Problem Definition
Suppose that a specification of the system under test is given as an n-port FSM. Each potential undetectable 1-shift output fault in the given FSM is related to a pair of transitions t 1 and t 2 adjacent at a state of the FSM. Clearly, one can identify all potential undetectable 1-shift output faults in the given FSM using the definition in Section 2.
Therefore, one has to determine, for each pair of transitions t 1 and t 2 related to a potential undetectable shift of an output at a specific port p, whether there exists a missing/extra output at port p of transition t, for each transition t in t 1 t 2 . In order to do this without using external coordination messages among testers, one has to determine whether there is a subsequence of transitions in the given FSM that will detect a missing/extra output at port p of transition t and then construct such a subsequence. Clearly, we also need to check whether every incoming transition of each state of the FSM forms a synchronizable pair of transitions with at least one of the outgoing transitions of that state and every outgoing transition of each state of the FSM forms a synchronizable pair of transitions with at least one of the incoming transitions of that state. If this condition does not hold, then the FSM is called intrinsically non-synchronizable. In this paper, we consider FSMs that are not intrinsically non-synchronizable.
Hence, the problem we consider is the following: for each transition t in each pair of transitions t_1 and t_2 of the FSM related to a potential undetectable shift of an output at a specific port p, we wish to produce a single subsequence ρ_1@t@ρ_2 that checks whether the output produced by t at p represents a missing/extra output at port p. In addition, the subsequence ρ_1@t@ρ_2 must have the following properties: it must be synchronizable and it must not contain an undetectable output shift fault involving t at port p. This places conditions on ρ_1 (called the leading path) and ρ_2 (called the trailing path). We give conditions under which such ρ_1 and ρ_2 exist. We also give algorithms that, when these conditions hold, generate ρ_1 and ρ_2 for given t and p. Where such subsequences exist for both t_1 and t_2 we say that they resolve the potential undetectable shift of the output at port p in t_1 t_2. In the rest of the paper, we will not qualify a subsequence or sequence as "synchronizable", as only synchronizable sequences and subsequences will be considered.
Conditions
Suppose that two transitions in the given FSM may be sequenced in a manner that gives a potential undetectable shift of an output at port p. The following gives conditions under which these two transitions may be checked separately for a missing/extra output at p, without using external coordination messages, in a manner that does not allow them to be involved in an undetectable shift of an output at p. Further, it will transpire that under these conditions, this may be achieved for every pair t 1 t 2 of transitions from the FSM. In Section 5 we will discuss how these conditions may be weakened when we are considering a given test or checking sequence derived from the given FSM.
Given an FSM with no same-port-output-cycles or isolated-port-cycles, we can resolve all of its potential undetectable 1-shift output faults without using external coordination messages if, for every state s and every port p, the following hold:
a. if there exists a potential undetectable forward shift of an output at port p between a transition to s and a transition from s, then there exists at least one transition to s with a null output at port p, and at least one transition from s with either an input or a non-empty output at port p;
b. if there exists a potential undetectable backward shift of an output at port p between a transition to s and a transition from s, then there exists at least one transition to s with a non-empty output at port p, and at least one transition from s with either an input or a null output at port p.
Below we show that the condition for the case of a potential undetectable forward shift (i.e. part a.) is necessary. The necessity of the condition for the case of a potential undetectable backward shift is analogous. In Section 4 we will show how, under these conditions, the potential undetectable output shift faults may be resolved without the use of external coordination messages, and thus that these conditions are sufficient.
- Suppose that the condition does not hold, and ∀s′ such that s′ -x′/y′-> s we have y′|_p ≠ −.
In this situation, the output at port p on any transition leading to s may be shifted to transition t 2 , and these potential shifts are undetectable. So we have no way to check that transition t 2 has null output at port p in the implementation, because no matter how we get to state s, there is always a possibility of an undetectable forward output shift at port p to t 2 .
- Suppose that the condition does not hold, and ∀s′ such that s -x′/y′-> s′ we have x′ ∉ I_p and y′|_p = −. In this situation, the output d on transition t_1 may be shifted to any transition starting from s, and these potential shifts are undetectable. So we have no way to check that transition t_1 has output d at port p in the implementation, because no matter how we continue from state s, there is always a possibility of an undetectable forward shift of output d from t_1.
Figure 1 illustrates an example of a 2-port FSM where the condition is satisfied. In this figure, we have a potential undetectable forward output shift fault in (a) and a potential undetectable backward output shift fault in (b), as the dashed arrows show. For such potential faults, we have a transition from s_2 to s and a transition from s to r_2, so the condition holds. In fact, in (a), the transition from s to r_2 will be used to check whether there is a missing output d in the transition s_1 -*/⟨d,*⟩-> s as a result of a forward output shift. The transition from s_2 to s will be used to check whether there is an extra output in the transition s -l_1/⟨−,*⟩-> r_1 as a result of a forward output shift. The transitions from s_2 to s and from s to r_2 in (b) will be used analogously.
Note that for a pair of transitions like that of Figure 1(a), s_1 -*/⟨d,*⟩-> s followed by s -x/⟨−,*⟩-> r_1 with x ∉ I_p, having checked that the first transition does not have a missing output d at port p cannot guarantee that the second transition does not have an extra output at port p; this case is illustrated in Figure 2.
When the above condition holds, given a transition t, we show below how to check whether there is a missing output or an extra output at a specific port on this transition in the implementation. To do so, we construct a leading path ρ_1 that leads to the starting state of t and a trailing path ρ_2 that starts from the ending state of t, so that by applying the subsequence ρ_1@t@ρ_2 to the implementation we can detect a missing/extra output at that port in transition t.
Note that we consider FSMs with no same-port-output-cycles and no isolated-port-cycles. In this setting, our procedures for constructing the leading paths and trailing paths always terminate with subsequences that are adequate.
In Section 5 we will discuss the case where a test or checking sequence ρ has been given and we wish to produce subsequences to check for any 1-shift output faults that are undetectable in ρ.
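To make the definitions of Sections 2 and 3 concrete, the following Python module is an added example (not code from the paper). It encodes a small constructed 2-port FSM and implements: the synchronizable-pair check (using the standard definition, which the extracted text above does not reproduce: x_{i+1} can follow x_i without a controllability problem iff both inputs are at the same port or y_i has a non-null output at the port of x_{i+1}); the test for an intrinsically non-synchronizable FSM; the enumeration of potentially undetectable 1-shift output faults (synchronizable pairs adjacent at a state with x_{i+1} ∉ I_p); and the per-state conditions a. and b. The sample FSM, the transition names and the port indices are assumptions of this example.

```python
from collections import namedtuple

NULL = "-"          # the null output, written "−" in the paper
U, L = 0, 1         # port indices of the 2-port FSM (upper/lower interface)
PORTS = (U, L)

# name, start state, end state, port of the input, input, output vector (y[U], y[L])
Transition = namedtuple("Transition", "name src dst port x y")

# Constructed 2-port FSM used as sample input (not a figure from the paper).
FSM = (
    Transition("t1", "s0", "s1", U, "u1", ("a", NULL)),
    Transition("t2", "s1", "s2", U, "u2", (NULL, "b")),
    Transition("t3", "s2", "s0", L, "l1", ("d", NULL)),
    Transition("t4", "s2", "s1", U, "u3", (NULL, "e")),
    Transition("t5", "s1", "s2", U, "u4", ("c", "h")),
    Transition("t6", "s0", "s0", L, "l2", (NULL, "g")),
)


def synchronizable(t1, t2):
    """t2 can follow t1 without a controllability problem (assumed standard
    definition): the tester applying x2 either applied x1 itself or received
    a non-null output of t1 at its own port."""
    return t2.port == t1.port or t1.y[t2.port] != NULL


def incoming(fsm, s):
    return [t for t in fsm if t.dst == s]


def outgoing(fsm, s):
    return [t for t in fsm if t.src == s]


def states(fsm):
    return sorted({t.src for t in fsm} | {t.dst for t in fsm})


def intrinsically_non_synchronizable(fsm):
    """True if some state has an incoming transition with no synchronizable
    successor, or an outgoing transition with no synchronizable predecessor."""
    for s in states(fsm):
        ins, outs = incoming(fsm, s), outgoing(fsm, s)
        if any(not any(synchronizable(a, b) for b in outs) for a in ins):
            return True
        if any(not any(synchronizable(a, b) for a in ins) for b in outs):
            return True
    return False


def undetectable_shifts(fsm):
    """Potentially undetectable 1-shift output faults: a synchronizable pair
    t1 t2 adjacent at a state, a port p with x2 not in I_p, and an output o
    at p on exactly one of the two (forward: on t1, backward: on t2)."""
    found = []
    for s in states(fsm):
        for t1 in incoming(fsm, s):
            for t2 in outgoing(fsm, s):
                if not synchronizable(t1, t2):
                    continue
                for p in PORTS:
                    if t2.port == p:        # tester at p applies x2: shift detectable
                        continue
                    o1, o2 = t1.y[p], t2.y[p]
                    if o1 != NULL and o2 == NULL:
                        found.append((t1.name, t2.name, p, o1, "forward"))
                    elif o1 == NULL and o2 != NULL:
                        found.append((t1.name, t2.name, p, o2, "backward"))
    return found


def condition_holds(fsm, s, p, kind):
    """Part a. (forward) / part b. (backward) of the condition at state s, port p."""
    ins, outs = incoming(fsm, s), outgoing(fsm, s)
    if kind == "forward":
        return (any(t.y[p] == NULL for t in ins)
                and any(t.port == p or t.y[p] != NULL for t in outs))
    return (any(t.y[p] != NULL for t in ins)
            and any(t.port == p or t.y[p] == NULL for t in outs))


def unresolvable_shifts(fsm):
    """Shifts at a state/port where the condition fails, i.e. shifts that
    cannot be resolved without external coordination messages."""
    result = []
    for t1, t2, p, o, kind in undetectable_shifts(fsm):
        s = next(t.dst for t in fsm if t.name == t1)
        if not condition_holds(fsm, s, p, kind):
            result.append((t1, t2, p, o, kind))
    return result


if __name__ == "__main__":
    print("intrinsically non-synchronizable:", intrinsically_non_synchronizable(FSM))
    for shift in undetectable_shifts(FSM):
        print("potentially undetectable shift:", shift)
    for shift in unresolvable_shifts(FSM):
        print("condition fails for:", shift)
```

On the sample FSM the two backward shifts at s1 (output b of t2 and output h of t5 at port L, both preceded by t1 with a null output at L) fail part b.: every transition leaving s1 has its input at U and a non-null output at L, so nothing can follow t1 that would rule out a backward shift onto it. The forward shift of d at U in t3 t6 and the backward shift of d at U in t2 t3 satisfy the condition.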
Generating subsequences
Checking the potential missing data output
Given a transition t = s_1 -*/y[p,d]-> s_2 with d ≠ −, in order to check that there is no missing output d at port p in this transition in the implementation, we construct a leading path to s_1 such that: (i) it starts with a transition that has an input at port p; (ii) except for the first one, no other transition along the path has an input at port p; (iii) on no transition of the path is there a possibility of an extra output d at port p.
The leading path should start with a transition which can be used to help identify the potential missing output d in transition t. Obviously, such a transition should contain input or output at port p. Note that the leading path may be preceded in testing by other transitions that are capable of producing extra output at p. Thus it is not sufficient to define a leading path starting with a transition that has non-empty output at port p: We require that the leading path start with an input at port p. Furthermore, to minimize the length of the leading path, we require that the input at port p at the beginning is the only input at port p in the leading path. We require that along the leading path there is no possibility of an extra output d at port p, because the occurrence of such an extra output d will prevent us from detecting the missing output d at port p in transition t.
The following procedure constructs the leading path ρ 1 .
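The paper's own procedure for ρ_1 is not reproduced on this page. As an added illustration (not the authors' algorithm), the following breadth-first search builds a shortest synchronizable leading path satisfying (i)-(iii). Condition (iii) is read here as: no transition on the path, the one immediately before t included, can acquire an extra d at p through a potentially undetectable 1-shift from an adjacent transition of the FSM, t itself included (a predecessor outputting d at p when the tester at p does not apply the path transition's input, or a successor outputting d at p when the tester at p does not apply that successor's input). The sample FSM, the names and this reading of (iii) are assumptions of the example.

```python
from collections import deque, namedtuple

NULL = "-"
U, L = 0, 1
Transition = namedtuple("Transition", "name src dst port x y")

# Constructed sample FSM (not a figure from the paper).
FSM = (
    Transition("t1", "s0", "s1", U, "u1", (NULL, "a")),
    Transition("t2", "s1", "s2", L, "l1", (NULL, "b")),
    Transition("t3", "s2", "s3", L, "l2", ("c", NULL)),
    Transition("t4", "s3", "s0", U, "u2", ("d", NULL)),
    Transition("t5", "s2", "s1", L, "l3", ("d", NULL)),
    Transition("t6", "s4", "s2", L, "l4", ("f", NULL)),
    Transition("t7", "s0", "s4", U, "u3", (NULL, "g")),
)


def synchronizable(t1, t2):
    # t2 may follow t1: same input port, or t1 outputs something at t2's port
    return t2.port == t1.port or t1.y[t2.port] != NULL


def extra_output_possible(fsm, tr, p, d):
    """Can tr (null at p in M) acquire an extra d at p through a potentially
    undetectable 1-shift?  Forward: a predecessor outputs d at p and the tester
    at p does not apply tr's input.  Backward: a successor outputs d at p and
    the tester at p does not apply that successor's input."""
    if tr.y[p] != NULL:
        return False
    fwd = tr.port != p and any(
        u.dst == tr.src and u.y[p] == d and synchronizable(u, tr) for u in fsm)
    bwd = any(
        v.src == tr.dst and v.y[p] == d and v.port != p and synchronizable(tr, v)
        for v in fsm)
    return fwd or bwd


def leading_path(fsm, t, p):
    """Shortest synchronizable path rho_1 into t.src that (i) starts with an
    input at p, (ii) has no other input at p, and (iii) has no transition on
    which an extra output d = t.y[p] at p is possible.  None if none exists."""
    d = t.y[p]
    if d == NULL:
        raise ValueError("t has no output at port p to check")
    queue = deque([(t, [])])   # (transition the path must lead into, path so far)
    seen = set()               # transitions already used as interior steps
    while queue:
        nxt, path = queue.popleft()
        for u in fsm:
            if u.dst != nxt.src or not synchronizable(u, nxt):
                continue
            if extra_output_possible(fsm, u, p, d):
                continue                      # violates (iii)
            if u.port == p:
                return [u] + path             # (i): the initial input at p
            if u.name not in seen:            # (ii): interior steps avoid p
                seen.add(u.name)
                queue.append((u, [u] + path))
    return None


def leading_path_names(fsm, tname, p):
    t = next(x for x in fsm if x.name == tname)
    path = leading_path(fsm, t, p)
    return None if path is None else [u.name for u in path]


if __name__ == "__main__":
    for tname, p in (("t4", U), ("t3", U), ("t2", L), ("t1", L)):
        print(tname, "at port", "UL"[p], "->", leading_path_names(FSM, tname, p))
```

For t4 (output d at U) the direct predecessor chain through t2 is rejected because t5, which also leaves s1 and outputs d at U with an input at L, could shift its d forward onto t2; the search therefore continues to the longer path t7 t6 t3, whose first transition is the input u3 at U. For t1 (output a at L) no leading path exists: the only transition into s0 is t4, which has a null output at L and an input at U, so t1's own a could be shifted backward onto it undetectably.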
Conclusions
Where a test architecture has remote testers it is necessary to consider controllability and observability issues. These problems often require the use of external coordination message exchanges among testers during testing. However, there is often a cost associated with the use of such messages: the cost of implementing the infrastructure required to allow the messages to be sent, and possibly also a cost (or delay) due to the sending of each message. It is thus desirable to construct a test or checking sequence from the specification of the system under test such that it will be free of controllability and observability problems without requiring the use of external coordination message exchanges. This paper investigates conditions that must be satisfied by the specification of the system under test for us to be able to produce a test for each transition such that the test is free from controllability and observability problems. This problem is represented in the following way.
For each potential undetectable 1-shift output fault in the FSM, we have a pair of transitions t_1 t_2. For each transition t in t_1 t_2, we wish to produce a single subsequence ρ_1@t@ρ_2 that checks the output produced by transition t at port p. It is necessary to precede t by some appropriate sequence, as the starting state of t must be reached in order to execute t, and the sequence used to reach this state must not be able to lead to a potentially undetectable shift of the same output involving t. It is necessary to follow t with some appropriate sequence, since we must ensure that the sequence following t does not allow a potentially undetectable shift of the same output involving t. The effectiveness of the subsequence ρ_1@t@ρ_2 at checking the output of t at p must not be affected by controllability and observability problems. This paper gives necessary and sufficient conditions for there to be such a subsequence for each t in a pair of transitions t_1 t_2 representing a potential undetectable output shift fault related to an output at port p. Further, given a transition t and port p, we have given algorithms that (if these conditions hold) produce a subsequence that checks the output of t at p without suffering from controllability and observability problems.
In practice, weaker conditions than those given in this paper will often suffice since:
1. it may not be necessary to consider all pairs of transitions; and
2. it may be possible to use more than one subsequence to check a transition t.
We will now briefly discuss these factors. First, we may be concerned with potential observability problems in a given test or checking sequence ρ. Since some transition pairs representing potentially undetectable output shift faults may not be in ρ and since the paths leading to and trailing from those t 1 t 2 pairs in ρ representing potential undetectable output shift faults are already determined in ρ, weaker conditions may suffice.
Suppose that ρ contains the subsequence t 1 t 2 for transitions t 1 and t 2 and that these can participate in a potentially undetectable 1-shift output fault at port p. Sometimes we can eliminate this potentially undetectable 1-shift output fault by using a subsequence that checks the output of t 1 at p or a subsequence that checks the output of t 2 at p but not both. We now explain why this is the case. Suppose that we test the output of t 1 at p and find this to be correct; the case where we have checked the output of t 2 at p is similar. If we know that the subsequence t 1 t 2 produces the (overall) correct output at p then we also know that t 2 produces the expected output at p. Naturally, further conditions must be placed on ρ in order for it to determine the overall output of t 1 t 2 at p in the SUT.
This paper has investigated conditions under which it is possible to resolve potentially undetectable output shift faults. However, a number of questions remain. As already noted, weaker conditions sometimes suffice -the challenge is to produce general necessary and sufficient conditions. Suppose we produce a subsequence for each transition/port combination and generate a single sequence ρ that contains each of these subsequences. Then ρ is guaranteed to determine correctness under the fault model in which only output faults are possible. However, this need not be an efficient sequence for this fault model. There is also the problem of producing an efficient test or checking sequence, from an FSM, that is guaranteed to determine correctness for more general fault models.
