Reduced length checking sequences by Hierons, RM & Ural, H
 1 
Reduced Length Checking Sequences 
Robert M. Hierons1 and Hasan Ural2 
1 Department of Information Systems and Computing, Brunel University, Middlesex, UB8 3PH, United Kingdom 
2 School of Information Technology and Engineering, University of Ottawa, Ottawa, Ontario, K1N 6N5, Canada 
Abstract -- Here the method proposed in [13] for constructing minimal-length checking sequences 
based on distinguishing sequences is improved. The improvement is based on optimizations of the state 
recognition sequences and their use in constructing test segments. It is shown that the proposed 
improvement further reduces the length of checking sequences produced from minimal, completely 
specified, and deterministic finite state machines. 
Index Terms -- Finite State Machine, Checking Sequence, Test Minimization, Distinguishing Sequence. 
1 INTRODUCTION  
Finite state machines (FSMs) have been used to model many types of systems including control 
circuits [11], pattern matching systems, machine learning systems, and communication protocols 
[1, 4]. FSM based modelling techniques are also often employed in defining the control structure 
of a system specified using languages such as SDL [2], Estelle [3], and State Charts [7]. 
Principles of testing an implementation I of a system modelled as an FSM M can be found in 
sequential circuit and switching system testing literature [5], where determining, under certain 
assumptions, whether I is a correct implementation of M is referred to as a fault detection 
experiment. This experiment consists of applying an input sequence (derived from M) to I, 
observing the actual output sequence produced by I in response to the application of the input 
sequence, and comparing the actual output sequence with the expected output sequence. The 
applied input sequence and the expected output sequence form a checking sequence.  
Given an FSM M, that models the required behaviour of an implementation I, it is common 
to assume that I behaves like some unknown FSM (i.e., a "black box") with the same input and 
output sets as M, and that the faults in I do not increase the number of states in I but may alter the 
output and destinations of transitions in I.  A further common assumption is that M is minimal, 
completely specified, and represented by a strongly connected digraph [8]. 
During the construction of a checking sequence from M, the following steps must be carried 
out in order to verify the correct implementation of each state transition of M by I, (say, from 
state sj to state sk under input x), 
a) before the application of x, I must be transferred to the state recognized as state sj, 
b) the output produced by I in response to the application of x must be as specified in M, 
c) the state reached by I after the application of x must be recognized as sk. 
Steps b) and c) are collectively called a test segment for the transition. 
 2 
Clearly, a crucial part of testing the correct implementation of each transition is recognizing 
the starting and terminating states of the transition. The recognition of a state of an FSM M can 
be achieved by a distinguishing sequence which is an input sequence for which the output 
sequence produced by M in response to this input sequence  is different for each state of M [5]. It 
is known that a distinguishing  sequence may not exist for every minimal FSM [5], and 
determining the existence of a distinguishing sequence of an FSM is PSPACE-complete [9]. 
Nevertheless, based on distinguishing sequences, a variety of methods for the construction of 
checking sequences have been proposed in the literature [5, 6, 8, 12, 13, 14]. An excellent survey 
on testing FSMs is given by Lee and Yannakakis [10]. However, the particular problem of 
constructing minimal length checking sequences remains open [6, 13].  
This paper considers the problem of generating a minimal length checking sequence in the 
presence of a distinguishing sequence and improves the work of Ural et al. [13] by modifying it 
in two ways, each contributing to a reduction in the length of the checking sequence produced. 
These two modifications are related to extending the definition and the use of α-sequences which 
are state recognition sequences such that each α-sequence recognizes a subset of states of a given 
FSM. Firstly, the notion of α-sequences [13] is extended to α′-sequences. The essential 
difference between α-sequences and α′-sequences is that an α-sequence αk must end in a section 
from within its own body while an α′-sequence α′k can end in a section from within the body of 
some other α′-sequence α′k′. It is shown in this paper that α′-sequences have two main 
advantages: α′-sequences may be shorter than α-sequences and the use of α′-sequences increases 
the set of checking sequences over which optimization occurs.  
A second improvement is the use of α′-sequences in forming test segments for some 
transitions. Ural et al. form a test segment for each transition of the given FSM by appending 
explicitly a distinguishing sequence at the end of the transition to verify the state reached by the 
transition. Since an α′-sequence starts with a distinguishing sequence, its use in a checking 
sequence for state recognition eliminates the need for the explicit use of distinguishing sequences 
for state recognition and hence further reduces the length of the resulting checking sequence. 
The rest of the paper is structured as follows. Section 2 provides an overview of related 
material. Section 3 then describes the new approach, contrasting it with that in [13], applies both 
approaches to an example, and compares these approaches. Section 4 gives the conclusions.  
2 PRELIMINARIES 
A finite state machine  (FSM) is a quintuple M = (S, X, Y, δ, λ), where S is a finite set of states, X 
is a finite set of inputs, Y is a finite set of outputs, δ is a state transition function that maps S×X to 
S, and λ is an output function that maps S×X to Y. Functions δ and λ can be extended to take 
 3 
input sequences in the normal way [13]. s1 ∈ S is considered as the initial state of M. States     si, 
sj ∈ S, i ≠ j, are equivalent  if, for every input sequence I ∈ X*, λ(si, I) = λ(sj, I). M is minimal if 
there is no pair of states si, sj ∈ S, i ≠ j, that are equivalent. 
M can be represented by a digraph G = (V, E) where vertex set V = {v1, v2, ..., vn} represents 
the set S of states of M, |S| = n, and an edge e = (vj, vk; x/y) ∈ E represents a transition from state 
sj to state sk with input x ∈ X and output y ∈ Y. Here vj and vk are the head and tail of e, denoted 
head(e) and tail(e), respectively and input/output (i/o pair) x/y is the label of e, denoted label(e). 
A path P = (n1, n2; x1/y1)(n2, n3; x2/y2) ... (nr-1, nr; xr-1/yr-1),  r > 1, of G is a finite sequence of (not 
necessarily distinct) adjacent edges in E, where each node ni represents a vertex from V; n1 and nr 
are the head and tail of P, denoted head(P) and tail(P), respectively; and (x1/y1)(x2/y2) ... (xr-1/yr-1) 
is the label of P, denoted label(P). For convenience, P will be represented by (n1, nr; I/O) where 
label(P) = I/O is the IO-sequence (x1/y1)(x2/y2) ... (xr-1/yr-1), input sequence I = (x1x2 ... xr-1) is the 
input portion of I/O, and output sequence O = (y1y2 ... yr-1) is the output portion of I/O. G is 
strongly connected if for all vi,vj ∈ V, there is a path from vi to vj. The cost (or length) of an edge 
is the number of i/o pairs in the label of the edge. The cost (or length) of path P is the sum of the 
costs of edges in P. The concatenation of two sequences (or paths) P and Q is denoted by PQ.  
Digraph G′ = (V′, E′) is a subgraph of G = (V, E) if V′ ⊆ V and E′ ⊆ E. Digraph G = (V, E) is 
symmetric if every vertex v ∈ V has the same number of edges from E entering it as leaving it. A 
rural postman path (RPP) from vi to vj over E′ ⊆ E in G = (V, E) is a path from vi to vj that 
includes all edges of E′. A rural Chinese postman path (RCPP) from vi to vj over E′ ⊆ E in G = 
(V, E) is a minimum-cost RPP. A tour is a path that starts and terminates at the same vertex. An 
Euler tour of G = (V, E) is a tour that contains every edge in E exactly once. 
Consider a minimal FSM M = (S, X, Y, δ, λ) represented by strongly connected digraph G = 
(V, E). A transfer sequence T of M from state si to state sj is the label of a path from si to sj. A 
distinguishing sequence of M is an input sequence D for which the output sequence produced by 
M in response to D identifies the state of M: for all si, sj ∈ S, i ≠ j, λ(si, D) ≠ λ(sj, D). Let Φ(M) be 
the set of FSMs that have at most n states and the same input and output sets as M and suppose 
M* ∈ Φ(M). M and M* are equivalent if and only if for every state in M there is a corresponding 
equivalent state in M*, and vice versa. A checking sequence of M is an IO-sequence I/O starting 
at a specific state of M that distinguishes M from any M* ∈ Φ(M) that is not equivalent to M.  
Let D  denote a distinguishing sequence of M and let an IO-sequence Q of M be the label of a 
path P = (n1, nr; Q) = (n1, n2; L1)(n2, n3; L2) ... (nr-1, nr; Lr-1) of G (cf. Fig. 1a). Hence, Q = L1 L2 ... 
Lr-1 where r > 1, Lj = xj/yj, 1 ≤ j ≤ r-1. It is shown in [13] that if every edge of G is verified in the 
IO-sequence Q, then Q is a checking sequence of M that starts at v1.  
 4 
In the following, we recall  the definitions of recognition of a node ni of P in Q as some state of 
M and verification of an edge e = (a, b; x/y) of G in Q given in [13].  
Definition 1 A node ni of P is d-recognized in Q as some state a of M if ni is the head of a 
subpath of P whose label is an IO-sequence D/λ(a, D).  
Definition 2 Suppose  that (nq, ni; T) and (nj, nk; T) are subpaths of P and D/λ(a, D) is a prefix of 
T, and thus nodes nq and nj are d-recognized in Q as state a of M. Suppose also that node nk is d-
recognized in Q  as some state a′ of M. Then, node ni is t-recognized in Q as state a′ of M.  
Definition 3 Suppose that (nq, ni; T) and (nj, nk; T) are subpaths of P such that nodes nq and nj are 
either d-recognized or t-recognized in Q as some state a of M, and node nk is either d-recognized 
or t-recognized in Q as some state a′ of M. Then, node ni is t-recognized in Q as state a′ of M.  
If node ni of P is d-recognized or t-recognized in Q as some state a of M, then it is said to be 
recognized as state a. A node of P is said to be recognized  if  it is recognized as some state a. 
Definition 4 An edge e = (a, b; x/y) of G is verified in Q if there is a subpath (ni, ni+1; xi/yi) of P 
such that ni and ni+1 are recognized in Q as states a and b of M, and xi/yi =x/y.  
Thus, for edge e to be verified in Q, it is sufficient for P to contain a subpath (ni, nj; (xD)/λ(a, 
xD)) with head((ni, nj; (xD)/λ(a, xD))) recognized in Q as a.  
Definition 5 The subpath (ni, nj; (xD)/λ(a, xD)) of P used to verify e is called the test segment for 
e.  
Figure 1 depicts the notions captured by the definitions above. 
3 CHECKING SEQUENCE CONSTRUCTION 
The problem studied in this paper is defined as follows: Given a strongly connected digraph G = 
(V, E) representing a minimal FSM M with distinguishing sequence D, find a minimum-length 
path P of G such that every edge of G is verified in label(P) = Q. By definition, for an edge e = 
(a, b; x/y) of G to be verified in label(P) = Q it is sufficient for the following conditions to be 
satisfied: 1) P contains a test segment (ni, nj; (xD)/λ(a, xD)) for e; and 2) head((ni, nj; (xD)/λ(a, 
xD))) is recognized in Q as state a of M. If condition 1) and 2) hold for every edge of G, then 
every transition of M is verified in Q. Thus, Q is a checking sequence of M that starts at v1 
(Theorem 1, [13]). 
3.1 An Existing Solution 
The proposed solution to this problem is an enhancement of the solution given in [13] where first 
a digraph G′ = (V′, E′) is obtained by augmenting the given digraph G = (V, E), representing an 
 5 
n1
1         1     1L   = x  / y 
. . .n2 n3
r-1         r-1     r-1
L     = x    / y   
nr-1 nr
2         2     2









nq . . .ni nj nk
t-recognized  











nq . . .ni nj nk
t-recognized  
as  a'  
d- or t-recognized  
as  a
T
d- or t-recognized  
as  a

















Fig.1 Path P = (n1, nr; Q), (b) d-recognition, (c) t-recognition, (d) t-recognition, (e) edge 
verification, (f) test segment for edge e = (a, b; x/y) 
FSM M, with a set of edges (Eα) that recognize each state, and a set of edges (EC) that verifies 
each transition. A checking sequence is then derived from G′ = (V′, E′) as the label of a path P 
constructed by combining elements of these two sets of edges in a judicious manner [13]. The 
enhancements to the solution in [13] will be given after the steps of the solution in [13] are 
outlined as follows. 
 6 
Edges in Eα are constructed such that the label of each edge (an α-sequence) recognizes a 
subset of the states of M and that each state of M is recognized at least once by the labels of the 
edges in Eα. The construction of Eα is facilitated by forming a set of paths P1, ..., Pq of G where 
each path Pk induces an edge of Eα whose label is label(Pk) = α-sequence αk, 1 ≤ k ≤ q. That is, 
a) the set of vertices Vk ⊆ V covered by Pk, 1 ≤ k ≤ q, is { ,, 21
kk vv …, kmkv };  
b) the union of the Vk is V; and  




w TDvD ),(/λ  where for 1 ≤ j ≤ km , )/( kjkjkj OIT =  is a transfer sequence from 
),( Dvkjδ  to kjv 1+ , kwkm vv k =+1 , and 
k
wv  is any member of Vk.  
So, when Pk, a path whose label is αk, 1 ≤ k ≤ q, is contained in the solution P of G then  
a) kjv , 1 ≤ j ≤ km , is d-recognized in αk;  
b) ),( kj
k
j DIvδ , 1 ≤ j ≤ km , is d-recognized in αk; and  
c) tail(Pk) is recognized in αk.  
The labels α1, ..., αq of paths P1, ..., Pq form an α−set. From the elements of the α−set, a set of 
transfer sequences, called T-set, is formed as a set of labels of subpaths R1, ..., Rp of paths P1, ..., 








j TDvD ),(/λ ): 1 ≤ k ≤ q and 1 ≤ j ≤ mk}. Thus, head(Ri) is recognized in some αk because D is 
applied to head(Ri) and tail(Ri) is recognized in some αk because tail(Ri) is ),( kj
k
j DIvδ to which D 
is applied. The set of paths P1, ..., Pq and the set of subpaths R1, ..., Rp are included in G′ as edges 
in Eα 
 
⊂ E′ and in ET 
 
⊂ E′, respectively,  in order to facilitate the recognition of vertices in the 
label Q of the solution P. Moreover, a test segment for each edge of G is included in G′ as edges 
in EC
  
⊂ E′ in order to verify every transition of M in label(P) = Q. Furthermore, two more sets of 
edges are included in G′ as edges in Eε 
 
⊂ E′ and in E′′ 
 
⊂ E′ to increase the connectivity of the 
vertices in G′.  
Formally, G′ = (V′, E′) is obtained from G = (V, E) as follows:  
V′ = V ∪ U′ where U′ = {v′i: for every vi ∈ V} and E′ = E ∪ Eα 
 
∪ ET  ∪ EC ∪ Eε ∪ E′′,  
Eα={(head(Pk), (tail(Pk))′;  αk): 1 ≤ k ≤  q}: for every αk, (tail(Pk))′ is recognized in αk;  
ET ={(head(Ri), (tail(Ri))′; Ti): 1 ≤ I ≤ p}: for every Ri, (tail(Ri))′  is recognized in some αk; 
EC={(v′i, (δ(vi, xD kjI ))′; (xD kjI )/λ(vi, xD kjI )): (vi, vj; x/y) ∈ Ε}: (δ(vi, xD kjI ))′ is recognized; 
Eε={(v′i, vi;  ε): vi ∈ V}; 
E′′ is a subset of {(v′i, v′j; x/y): (vi, vj; x/y) ∈ E} such that G′′ = (U′, E′′) has no tour and G′ is 
strongly connected. 
Once G′ is formed, an RPP P′ of G′ is found that contains all edges in Eα
 
∪ EC. Since G′ is 
obtained from G, P′ represents a path P of G. It is proven in [13] that, for each edge of G, P 
 7 
satisfies conditions 1) and 2) above, and thus Q = label(P) is a checking sequence of M that starts 
at v1. In [13] an RPP P is found through two steps. First, the minimal symmetric augmentation 
G′′ of (V′, Eα
 
∪ EC), that may be produced by adding edges from E′, is found. If G′′, with its 
isolated vertices removed, is connected, G′′ has an Euler tour and this forms P. Otherwise, a 
heuristic is applied to make G′′ connected and an Euler tour is formed. If G′′ is connected, P is an 
RCPP over Eα
 
∪ EC [13]. 
3.2 The Proposed Enhancement 
Our enhancements to the solution in [13] are based on modifying the definition of G′.  
Modification 1 
The first modification is on the formation of the elements of the α−set. We observed that if the 
final section of an α-sequence is not required, unlike in [13], to end in a section within its own 
body, then the lengths of some α-sequences can be reduced which may reduce the overall length 
of a checking sequence. We call an α-sequence that does not necessarily end in a section within 
its own body an α′-sequence. The following is an outline of a procedure that constructs the α′-
sequence label(Pk), 1 ≤  k ≤  q, called α′k as opposed to αk in [13], which can be used to form the 
Pk of G: Choose subsets Vk ⊆  V (1 ≤ k ≤ q) of V whose union is V and order the elements in each 
Vk, giving Vk = { kk vv 21 , ,…,
k
mk
v }, 1 ≤ k ≤ q. Given a Vk, obtain α′k as: α′k = kk TDvD 11 ),(/ λ  
kk TDvD 22 ),(/λ … kmkm kk TDvD ),(/λ  
'TD'vD kw
k
w ),(/λ  where )/( kjkjkj OIT =  is a (possibly empty) 
transfer sequence from ),( Dvkjδ  to kjv 1+  for 1 ≤ j ≤ km , 'vv kwkmk =+1 , and 
'v kw  is contained in any 
Vk', 1 ≤ k′ ≤ q and 1 ≤ w ≤ 'mk .This definition differs from that, for αk, in [13] in one important 
way: unlike αk, the final section of an α′k need not be contained in this α′k but could be contained 
in any α′k'. Thus, every αk is an α′k but the converse is not true.  
Using the definition of α′k, the set of labels α′1, ..., α′q of paths P1, ..., Pq, called an α′−set, 
can be formed. From the definition of α′k, it follows that, given an α′k,  
a) kjv , 1 ≤ j ≤ mk, is d-recognized in α′k,  
b) δ( kjv , D kjI ), 1 ≤ j ≤ mk, is d-recognized in α′k, and  
c) tail(Pk) is recognized in some α′k', 1 ≤ k′ ≤q.  
Example 1 
Consider the α−set and α′-set for FSM M0, in Fig. 2, where D = aba and empty transfer 
sequences are used in forming every αk and α′k. The α-set for M0 is {α1, α2} where α1, the label 
of P1 = (s5, s4; α1), is D/λ(s5, D) D/λ(s2, D) D/λ(s4, D) D/λ(s1, D) D/λ(s2, D) and α2, the label of 
P2 = (s3, s2; α2), is D/λ(s3, D) D/λ(s1, D) D/λ(s2, D) D/λ(s4, D) D/λ(s1, D). The α′-set for M0 is 
 8 
Fig. 2: FSM M0 represented by G = (V, E) 
{α′1 , α′2} where α′1 , the label of P′1 = (s5, s4; α′1), is D/λ(s5, D) D/λ(s2, D) D/λ(s4, D) D/λ(s1, D) 
D/λ(s2, D) and α′2, the label of P′2 = (s3, s2; α′2), is D/λ(s3, D) D/λ(s1, D). It is observed that the 
final section of α′2 (the application of D at s1) is contained in α′1 but not α′2. Thus α′2 is not an 
α-sequence and the α′-set contains 7 instances of D while the α-set contains 10 instances of D. 
As we shall show later, the difference between α′k and αk may have a significant impact on the 
length of a checking sequence.                !  
Modification 2 
The second modification is in the formation of the elements of the subset EC of E′ and stems 
from the following two observations. Since label(Pk), 1 ≤ k ≤ q, starts with the application of D, 
the head of Pk is recognized and since label(Ri) = Ti, 1 ≤ i ≤ p, starts with the application of D, the 
head of Ri is recognized. Thus, an α′k or Ti can be used to verify the end state of a transition in 
forming a test segment for that transition. These properties of αk or Ti were not utilized in [13] 
and their use will also contribute to the reduction in the length of the checking sequence.  
These two modifications give rise to the following changes in the definition of G′ = (V′, E′): 
(1) replace all occurrences of αk by α′k 
(2) replace EC in [13]  by EC = {(v′i, vj; x/y): (vi, vj; x/y) ∈ Ε} 
(3) eliminate E and Eε 
(1) ensures that α′k is used rather than αk; (2) stands for the test segments for all edges of G since 
each edge in EC terminates at a vertex in V and is to be followed by an edge leaving a vertex in V 
whose label is either an α′k or Ti; and (3) eliminates a precautionary measure in the previous 
definition of G′ = (V′, E′) in [13] to provide connectivity that is now guaranteed without these 
edge sets. Since these changes do not alter the semantics of the definition of G′ = (V′, E′), a path 
P′ of G′ that contains all edges in Eα
 
∪ EC is an RPP of G′ over Eα
 
∪ EC. It is proven in [13] that 
this path is in fact a path P of G and for each edge of G, P of G satisfies the conditions 1) and 2). 
 s2 s3
         a/x     b/y        b/x
      b/y        a/x  s5    a/y
         a/y       b/x
 s1 s4
       b/y       a/x
 9 
Thus, it follows that the label Q of P is a checking sequence of M that starts at v1.  
Example 2 
Consider now the problem of generating a checking sequence for FSM M0 in Fig. 2 using the 
algorithm from [13], the α-set {α1, α2} given earlier, and the test segments in Table 1.  
Table 1 Edges of EC 
(xD)/λ(vi, xD) = Lijk (v'i, v'k; Lijk) 
(aD)/(xxyy) = L124 (v'1, v'4; L124)
(bD)/(yxyx) = L112 (v'1, v'2; L112)
(aD)/(xyyx) = L252 (v'2, v'2; L252)
(bD)/(yxyx) = L212 (v'2, v'2; L212)
(aD)/(yxxy) = L341 (v'3, v'1; L341)
(bD)/(xyyx) = L352 (v'3, v'2; L352)
(aD)/(xxxy) = L441 (v'4, v'4; L441)
(bD)/(xyyx) = L452 (v'4, v'2; L452)
(aD)/(yxyx) = L512 (v'5, v'2; L512)
(bD)/(yyxy) = L531 (v'5, v'1; L531)
In Table 1 a label of the form Lijr represents a test segment, that ends at sr, for a transition from si 
to sj. This leads to the digraph shown in Fig. 3, in which the edges from E and Eε (which are used 
for connectivity) are not shown and dashed lines are used for the edges that are not in Eα
 
∪ EC.  
 
Fig. 3: G′ = (V′, E′) with α-sequences 
Here Eα is {(v5, v′4; α1), (v3, v′2; α2)} and ET is {(v1, v′2; T1), (v2, v′4; T2), (v3, v′1; T3), (v4, v′1; T4), 
(v5, v′2; T5)}. The minimal symmetric augmentation, of the edge set Eα
 
∪ EC of G′, is now 
produced: this is the smallest symmetric digraph G′′ that can be formed from Eα
 
∪ EC by adding 
edges from G′. Digraph G′′ is shown in Fig. 4. Since G′′, with its isolated vertices removed, is 
α2
 L352
   L212 v′2 v′3 v2 v3
   L252       L452
    b/y      T2              T3
      L112 L512          L341  T5
v′5               v5
     L531         b/x     α1          
L124
v′1 v′4    T1 v1 v4 
L441
        T4
 10 
connected an Euler tour P of G′′ exists and the label of P forms a checking sequence [13].  
Fig. 4: G′′ = (V′′, E′′) with α-sequences  
This leads to the checking sequence, of length 92, represented by the following: 
L112, L212, L252, T2, L441, L124, b/x, L531, a/x, a/x, α1, b/x, L512, a/x, b/y, α2, T2, L452, T2, b/x, b/y, 
L352, T2, b/x, b/y, L341 
Consider now the use of the α′-set {α′1, α′2} and the modification proposed in this paper. 
The digraph G′ is shown in Fig. 5, in which all the edges except the edges in Eα
 
∪ EC are 
represented by dashed-lines. Here the set Eα is {(v5, v′4; α′1), (v3, v′2; α′2)} and ET is as above.  




  L212 v'2 v'3 v2 v3
  L252      L452              2*b/y
       L512         4*T2    2*a/x                b/y
     L112         L341
v'5          a/x v5
     α1
     L531        4*b/x
       L124
 v'1 v'4 v1 
       L441




 v'2 v'3 v2 v3
                 a/x          b/y
      a/x         T3
                       b/y         b/x
  T1 v'5               v5
        a/y   T2
 a/x     1α′              b/x      a/y
  v'1 b/y v'4 v1 v4
             a/x         T4
b/y
 11 
Note that, as mentioned earlier, each edge from V represents an α′k or Ti and thus a sequence 
that recognizes its initial node. It follows that the inclusion, in a tour, of an edge e from EC leads 
to the inclusion of a test segment for e. Thus a tour that includes every edge in EC must include a 
test segment for every transition. The minimal symmetric augmentation of the edge set Eα
 
∪ EC, 
formed by adding edges from G′, is G′′ which is shown in Fig. 6. G′′ is connected and thus has an 
Euler tour which leads to the following checking sequence, of length 61, and thus to a reduction 
of one third in the checking sequence length: 
b/y, D/λ(s1,D), b/y, D/λ(s1,D), a/x, α'1, a/x, D/λ(s4,D), a/x, D/λ(s2,D), b/x, D/λ(s5,D), a/x, b/y, α'2, 
a/x, a/y, D/λ(s1,D), a/x, b/y, b/x, D/λ(s5,D), a/x, b/y, a/y, D/λ(s4,D)             ! 
Fig. 6: G′′ = (V′′, E′′) with α′-sequences 
3.3 Comparison Between Two Approaches  
First we note that the method proposed in this paper and that given in [13] involve solving the 
RCPP for digraphs of the same order. They thus have the same algorithmic complexity. Then, we 
compare the relative lengths of the sequences that are constructed by the two methods. For this, 
we will first consider an infinite class of FSMs and focus on our claim that: α′-sets yield shorter 
sequences than α-sets. It will transpire that the elements of this class have α′-sets that are 
significantly smaller than the corresponding α-sets. This shows that the proposed improvements 
are significant for a range of FSMs. After this analytical comparison, we will give the results of 




 v'2 v'3 v2 v3
                 a/x          b/y
     4*a/x 
                      2* b/y         b/x
  3*T1 v'5               v5
        a/y   T2
 a/x     1α′              b/x      a/y
  v'1 b/y v'4 v1 v4
             a/x         2*T4
b/y
 12 
The α-set and α′-set produced for an FSM M are defined by the digraph GT=(V, ET) in which 
ET = {head(Ri), tail(Ri); Ti}: each α-sequence and α′-sequence is formed from a path in GT. 
Given GT, derived from an FSM with n states, there is always an α′-set formed from no more 
than 2n edges of GT. We will now consider a class of such digraphs, with n=2m, for which any 
α–set is significantly larger than this. Given m, consider TmG  = (Vm, 
T
mE ) where Vm={v1, …, v2m}; 
for all i, 1 ≤ i ≤ m, there is an edge in TmE  from vi to vi+1 mod m; and for all i, m < i ≤ 2m, there is an 
edge in TmE  from vi to an element of {v1, …, vm}. This is illustrated in Fig. 7. It is straightforward 
to show that each TmG  may arise from a real FSM. 
  vm+1 
  vm+2 
       v1   v2         vm 
 
  v2m 
Fig. 7: The digraph TmG  
Consider a minimal α-set that may be produced from TmG . Each vj∈{vm+1, …, v2m} leads to 
the inclusion of the α-sequence: an initial edge to some vi, the cycle back to vi, and one further 
edge. Thus the α-set contains m sequences, each comprising of m + 2 edges from TmG , and so 
O(m2) = O(n2) edges from TmG . As noted above, there are α′-sets formed from O(n) edges of 
T
mG . 
Here such an α′-set may be formed in the following way. Create one α′-sequence 1α′  in the form 
of an edge from vm+1 to some vi, then the cycle followed by one further edge. For each vertex 
vj∈{vm+2, …, v2m} there is a further α′-sequence generated from the path of length 2 from vj, 
since the second edge is contained in 1α′ . Thus, if each edge from 
T
mG  has cost at most c (c ≥ |D|) 
then an α-set generated from TmG  must have size of O(cn
2) while there is an α′-set with size 
O(cn). Further, the costs of the test segments is of O(c|X|n) and thus this difference, in the sizes 
of the α-set and α′-set, is significant and grows more significant as the number of states 
increases. This class of examples also shows that in general α-sets have size O(cn2) while α′-sets 
have size O(cn). Moreover, since every α-set is an α′-set, any checking sequence allowed by the 
method of [13] is allowed by the method proposed in this paper, that is reduction in the lengths 
of checking sequences achieved by the method of [13] occurs over a larger set of checking 
sequences when our modifications are applied.  
In order to further investigate the differences in sizes of α′-sets and α-sets, 10 digraphs 
representing GT were randomly generated for each FSM in the set of: FSMs with 10 states; FSMs 
 13 
with 20 states; FSMs with 30 states; and FSMs with 50 states. In each case the number of edges 
used from GT was recorded. The results, which are summarized in Table 2, suggest that α′-sets 
are significantly smaller than α-sets and that this difference increases as the number of states 
increases. This observation is consistent with the analytical comparison given above. 
Table 2  Mean sizes of randomly generated sets 
n Mean size of α-set Mean size of α′-set Saving 
10 20.7 14.4 30% 
20 54.8 28.4 48% 
30 98.3 41.7 58% 
50 214.5 69.4 68% 
4 CONCLUSIONS 
This paper has introduced a method, for generating checking sequences, that enhances that given 
in [13] in two ways. Firstly, the notion of α-sequences has been generalized to α′-sequences. 
Essentially, an α-sequence αk must end in a section from within its own body while an α′-
sequence α′k can end in a section from within the body of some other α′-sequence α′k'. Thus, 
while every α-sequence is an α′-sequence, the converse is not the case. The use of α′-sequences, 
as opposed to α-sequences, allows two main advantages: α′-sequences may be shorter than α-
sequences; and using α′-sequences increases the set of checking sequences over which 
optimization occurs. 
The second improvement upon [13] is based upon the observation that an α′-sequence may 
be used to check the final state of a transition. This property is utilized, in the generation of 
checking sequences, to allow overlap between the α′-sequences and the test segments. This 
further contributes to a reduction in the length of the checking sequence. 
The method given in this paper might be further enhanced in two ways. Firstly, the 
connecting transitions might be chosen from the set of transitions of the given FSM M during 
optimization, rather than being drawn from a cycle-free subset (E′′) found prior to optimization. 
This may be achieved by including a copy of each transition and relying upon properties of the 
optimization algorithm, that starts with the production of a minimal symmetric augmentation, 
that guarantee that the set chosen is cycle free. Secondly, prefixes of the distinguishing sequence 
may be used to recognize states.  
ACKNOWLEDGEMENTS 
This work is supported in part by the Natural Sciences and Engineering Research Council of 
Canada under grant OGP0000976. The authors wish to thank the anonymous referees for their 
comments and suggestions. 
 14 
REFERENCES 
[1] A.V.  Aho, A.T. Dahbura, D. Lee, and M.U. Uyar, “An optimization technique for protocol 
conformance test sequence generation based on UIO sequences and rural Chinese postman 
tours”, IEEE Trans. on Communications, vol. 39, pp.1604-1615, 1991. 
[2] F. Belina and D. Hogrefe, "The CCITT-Specification and Description Language SDL", 
Computer Networks and ISDN Systems , vol. 16, pp. 311-341, 1989.  
[3] S. Budkowski and P. Dembinski, “An introduction to ESTELLE: A specification language 
for distributed systems”, Computer Networks and ISDN Systems, vol. 14, pp. 3-23, 1987. 
[4] A.T. Dahbura, K.K. Sabnani, and M.U. Uyar, “Formal methods for generating protocol 
conformance test sequences”, Proceedings of the IEEE, vol. 78, pp. 1317-1325, 1990. 
[5] A. Gill, Intro. to the Theory of Finite-State Machines, New York: McGraw-Hill, 1962. 
[6] G. Gonenc, “A method for the design of fault detection experiments”, IEEE Trans. on 
Computers, vol. 19, pp. 551-558, 1970. 
[7] D. Harel, “Statecharts: A visual formalism for complex systems", Science of Computer 
Programming, vol. 8, pp.231-274, 1987. 
[8] F.C. Hennie,  "Fault detecting experiments for sequential circuits", Proc. Fifth Ann. Symp. 
Switching Circuit Theory and Logical Design, pp. 95-110, Princeton, N.J., 1964. 
[9] D. Lee and M. Yannakakis, "Testing finite state machines: state identification and 
verification", IEEE Trans. on Computers, vol. 43, pp. 306-320, 1994. 
[10] D. Lee and M. Yannakakis, "Principles and methods of testing FSMs: a survey", 
Proceedings of the IEEE, vol. 84, pp. 1089-1123, 1996. 
[11] I. Pomeranz and S. M. Reddy, "Test generation for multiple state-table faults in finite-state 
machines", IEEE Trans. on Computers, vol. 46, pp. 783-794, 1997. 
[12] D.P. Sidhu and T.K. Leung, “Formal methods for protocol testing: a detailed study”, IEEE 
Trans. on Software Engineering, vol. 15, pp. 413-426, 1989. 
[13] H. Ural, X. Wu, and F. Zhang, "On minimizing the lengths of checking sequences", IEEE 
Trans. on Computers, vol. 46, pp. 93-99, 1997. 
[14] M. Yannakakis and D. Lee,  "Testing finite state machines: fault detection", Journal of 
Computer and System Sciences, vol. 50, pp. 209-227, 1995. 
