There has been much interest in testing from finite state machines (FSMs) as a result of their suitability for modelling or specifying state-based systems. Where there are multiple ports/interfaces a multi-port FSM is used and in testing a tester is placed at each port. If the testers cannot communicate with one another directly and there is no global clock then we are testing in the distributed test architecture. It is known that the use of the distributed test architecture can affect the power of testing and recent work has characterised this in terms of local s-equivalence: in the distributed test architecture we can distinguish two FSMs, such as an implementation and a specification, if and only if they are not locally s-equivalent. However, there may be many FSMs that are locally s-equivalent to a given FSM and the nature of these FSMs has not been explored. This paper examines the set of FSMs that are locally s-equivalent to a given FSM M . It shows that there is a unique smallest FSM χ min (M ) and a unique largest FSM χ max (M ) that are locally s-equivalent to M . Here smallest and largest refer to the set of traces defined by an FSM and thus to its semantics. We also show that for a given FSM M the set of FSMs that are locally s-equivalent to M defines a bounded lattice. Finally, we define an FSM that, amongst all FSMs locally s-equivalent to M , has fewest states. We thus give three alternative canonical FSMs that are locally s-equivalent to an FSM M : one that defines the smallest set of traces, one that defines the largest set of traces, and one with fewest states. All three provide valuable information and the first two can be produced in time that is polynomial in terms of the number of states of M . We prove that the problem of finding an s-equivalent FSM with fewest states is NP-hard in general but can be solved in polynomial time for the special case where there are two ports.
SUT Tester at p
Tester at q 
Introduction
Finite state machines (FSMs), and their extensions, are widely used to specify or model state-based systems. In addition, FSM based test techniques have been applied to systems specified in languages such as SDL [17, 31] and Statecharts [3, 15] and are used in Model Based Testing (see, for example, [1, 2, 11, 12] ). There has thus been much interest in testing from FSMs (see [16, 25] for surveys).
A system with physically distributed ports or interfaces is said to be a multiport system. When testing such a system it is usual to place a tester at each port and each tester sees only the interactions that occur at its port. If these testers cannot directly communicate with one another and there is no global clock then we are testing in the distributed test architecture and this can introduce controllability and observability problems (see, for example, [4] [5] [6] [7] [8] [9] 13, 18, 26, 27, 29, 30] ). Controllability problems occur when a tester at a port p is expected to apply an input but because it was not involved in the previous operation it does not know when to apply this input. For example, if a test involves input x 1 at port p, this should lead to output at p only and input x 2 should then be applied at a port q = p then there is a controllability problem since the tester at port q does not know when to apply x 2 as it did not participate in the previous operation. This is illustrated in Figure 1 in which each vertical line represents a timeline, time progressing as we move down a line.
Observability problems occur if a tester at a port q is expecting an output in response to an input, possibly sent by another tester, but does not know when to start and stop waiting for this output. Let us suppose, for example, that input x 1 at port p should lead to output y p at p and y q at q = p, this is to be followed by input x 2 at p and this should lead to output y ′ p at p only. Then the tester at port q expects to observe y q only and the tester at p expects to observe x 1 y p x 2 y ′ p and this is still the case if the response to x 1 is y p and the response to x 2 is y ′ p at p and y q at q. These two scenarios are illustrated in Figure 2 . Here, two faults can mask one another in this test sequence but these faults may be observed in use if different sequences are used.
Consider, for example, the FSM M 0 shown in Figure 3 , originally given in [19] , in which x U and x L are inputs at U and L respectively and y U and y L are outputs at U and L respectively. Here, for example, there is a controllability problem if we apply input x L x U in state s 0 since the first input is at L and leads to output at L only but the second input is at U. Similarly, there can be an observability problem if we apply x L x L in state s 1 since the first input should lead to output (y U , y L ) and the second should lead to output y L at L only: this cannot be distinguished from the case where the first output is y L at L and the second output is (y U , y L ).
Sometimes it is possible to connect the testers using an external communications network and overcome controllability and observability problems through the exchange of coordination messages by the testers (see, for example, [5, 29] ). However, the introduction of such a network can increase the cost of testing and it may not be possible to overcome controllability and observability problems in this manner if there are timing constraints (see [24] for a discussion of timing issues). If the testers cannot exchange coordination messages and there is no global clock then we are testing in the distributed test architecture [21] .
The power of testing in the distributed test architecture has been characterised in terms of local s-equivalence and local s-distinguishability: it is possible for testing to distinguish a specification FSM M and an implementation FSM N in the distributed test architecture without introducing controllability problems if and only if M and N are locally s-distinguishable [19] .
Previous work left open the question of whether, for a given FSM M, there is a sensible notion of a 'best' or 'canonical' FSM that is locally s-equivalent to M. This paper discusses three such possibilities. The first two are a smallest locally s-equivalent FSM and a largest locally s-equivalent FSM, where smallest and largest correspond to the set of traces defined by the FSM while the third is an FSM with fewest states. The smallest locally s-equivalent FSM defines the set of traces of the specification that must be implemented in order for the system under test (SUT) not to be distinguishable from the specification in the distributed test architecture when using input sequences that do not introduce controllability problems. If the use of the SUT corresponds to these conditions then the smallest locally s-equivalent FSM χ min (M) defines exactly the traces that must be implemented. The largest locally s-equivalent FSM χ max (M) defines the set of traces that the SUT can have while not being distinguishable from the specification when testing in the distributed test architecture without introducing controllability problems. By examining this largest locally s-equivalent FSM we can explore the potential consequences of testing in the distributed test architecture. There is a natural partial ordering on FSMs defined by their languages and it transpires that under this partial order the FSMs χ min (M) and χ max (M) give minimal and maximal elements of the bounded lattice defined by the set of FSMs that are locally s-equivalent to M. If in use the SUT will only ever receive input sequences that have no controllability problems and observations are made locally then it is sufficient to have an SUT that is locally s-equivalent to M. This paper thus also investigates the problem of finding a design with fewest states that is locally s-equivalent to M. The problems of finding χ min (M) and χ max (M) can be solved in time that is polynomial in the number of states of M. In addition, while we prove that the problem of finding an s-equivalent FSM with fewest states is NP-hard, this problem can be solved in polynomial time for the case often considered in the literature, in which there are only two ports This paper is structured as follows. First background material is described and extended in Section 2. In Sections 3 and 4 we show how the FSMs χ min (M) and χ max (M) can be constructed. In Section 5 we prove that the set of FSMs that are locally s-equivalent to M defines a bounded lattice. In Section 6 we show how from an FSM M we can produce a locally s-equivalent FSM with fewest states if there are only two ports and prove that the general problem is NP-hard. Finally, in Section 7, conclusions are drawn.
Preliminaries

Basic notation
In this paper sequences are represented by listing their elements. For example, 01 denotes the sequence that contains two values, 0 followed by 1. Where a variable represents a sequence its name will have a bar above it, an example beingx, and ǫ denotes the empty sequence. Given a set X, P(X) denotes the powerset of X: the set of subsets of X. Given a set A of sequences, P re(A) denotes the set of prefixes of sequences from A.
Multi-port finite state machines
A multi-port FSM has m > 1 interfaces/ports at which it interacts with its environment. We label the ports with the integers 1 to m and so the ports are represented by P = {1, . . . , m}. In this paper all examples have two ports called U and L and in an abuse of notation we use U and L in place of port names 1 and 2. Note, however, that the results are proved for the general case. The use of the names U and L for the ports is traditional since the original motivation for work in this area was protocol conformance testing, in which a protocol is tested through the use of an upper tester and a lower tester [21] .
A multi-port FSM M with m ports is defined by a tuple (S, s 0 , X, Y, T ) in which:
• S is the finite set of states of M; • s 0 ∈ S is the initial state of M; • X = X 1 ∪ . . . ∪ X m is the finite input alphabet of M, where for 1 ≤ i ≤ m, X i is the input alphabet at port i and for all 1 ≤ i < j ≤ m we have that
is the output alphabet of M, where for 1 ≤ i ≤ m, Y i is the output alphabet at port i, − denotes no output, and for all 1 ≤ i < j ≤ m we have that Y i ∩ Y j = ∅; and • T is a set of transitions of the form (s i , s j , x/y) for s i , s j ∈ S, x ∈ X, and y ∈ Y .
Multi-port FSMs are similar to transducers and were initially introduced for communications protocols. They have the property that a transition is triggered by a single input but may lead to multiple outputs. This may seem to preclude the specification of a system that has operations that receive inputs at different ports but such systems can be modelled by including transitions that produce no output. Some recent work [14] has looked at the testing of distributed systems in which an operation can be triggered by multiple events at different ports and such models may well be more suitable for some systems. However, in this paper we focus on the type of model traditionally considered, the multi-port FSM, and we simply call these FSMs.
An FSM can be represented by a directed graph whose edges are labelled with the corresponding input/output pair. For example, the FSM M 0 in Figure 3 has the transition (s 3 , s 2 , x U /(y U , −)).
While we assume that the X i are disjoint and so are the Y i , this is not a restriction since if the same values can be received or sent at different ports then we can simply label these.
Throughout this paper M = (S, s 0 , X, Y, T ) denotes an FSM with m ports and n states. A transition t = (s i , s j , x/y) ∈ T should be interpreted in the following way: if M receives input x when in state s i then it can output y and move to state s j . The state s i is said to be the starting state of t, the state s j is the ending state of t, x/y is the label of t and x is the input portion of x/y.
An FSM M is deterministic if for every state s ∈ S and input x ∈ X there is at most one transition in T that has starting state s and whose label has input portion x. Further, M is completely specified if for every state s ∈ S and input x ∈ X there is at least one transition in T that has starting state s and whose label has input portion x. It is straightforward to see that M 0 is deterministic and completely specified.
A sequenceρ of consecutive transitions (s 1 , s 2 , 
) is a path of M 0 with starting state s 0 , ending state s 2 and label
Given FSM M and state s of M, we let L M (s) denote the regular language formed from the labels of the paths of M that have starting state s and we
In testing when there is only one port it is common to use input sequences that distinguish states of the FSM from which tests are being generated. Given input sequencex let L M (s,x) denote the set of traces from L M (s) that have input portionx. An input sequencex globally distinguishes state s 1 and s 2 
with the same input and output alphabets and in which S ∩ Q = ∅ we define
The key point is that
. This allows us to transfer results regarding comparing states to problems in which we compare FSMs.
Given an input/output sequencez and a port i it is possible to define the projection π i (z) ofz at i (see, for example, [19] ).
Given an input/output pair x/y, ports(x/y) will denote the set of ports involved in x/y and so ports(x/y) = {i ∈ P |π i (x/y) = ǫ}. Given a transition t = (s i , s j , x/y), ports(t) = ports(x/y) and port(x) denotes the port i such that x ∈ X i .
Controllability and observability problems
In the distributed test architecture, formalised by ISO [21] , there are multiple ports/interfaces, a tester at each port, the testers cannot directly communicate with one another, and there is no global clock. Each tester is given a test script and is required to apply this test script. A controllability problem occurs if a tester is to apply an input and does not know when to apply this input since it was not involved in the previous transition. Let us suppose, for example, that input of x U at U should lead to output y U at U only and this is to be followed by input of x L at L. Then the tester at L does not know whether the input x U has been supplied and so does not know when to apply input x L . If there are no controllability problems in a path then it and its label are said to be synchronisable (Definition 2).
There are no controllability problems in a path of the FSM with label x 1 /y 1 , . . . , x k /y k if this global trace has the property that for all 1 < i ≤ k the tester to apply input x i knows when to send x i . The tester can only know when to send input x i if it knows that x i−1 has already been sent and it can only know this if either it sent x i−1 or if it should receive an output produced by the SUT in response to x i−1 . If for all 1 < i ≤ k the tester to apply x i knows when to send
Definition 2 Let us suppose thatρ is a path in an FSM with starting state s and labelz = x 1 /y 1 , . . . , x k /y k that has input portionx. Thenρ andz are synchronisable if for all 1 < i ≤ k we have that port(x i ) ∈ ports(x i−1 /y i−1 ). In addition, we say thatx is synchronisable from s.
If a path with label x 1 /y 1 , . . . , x k /y k and starting state s 0 is not synchronisable and we attempt to apply input sequence x 1 , . . . , x k then we cannot know whether the SUT actually received the inputs in this order. This is a result of controllability problems and since we wish to avoid such controllability problems it is normal to aim to test with input sequences that correspond to synchronisable paths.
Note that by definition, all sequences and paths of length 0 and 1 are synchronisable. In the distributed test architecture each tester observes only the behaviour at its port and not the entire global behaviour. The tester thus compares the behaviour observed at its port with the expected behaviour and detects a failure if these are different. Observability problems occur when there is a difference in the global behaviour and yet no tester detects a failure: fault masking has occurred. Let us suppose, for example, that input x U is to be applied at port U, this should lead to output y U at U only, and we then apply input x U at U that in turn should lead to output y U at U and y L at L. Then no tester observes a failure if the first input leads to output y U and y L and the second leads to output y U only: the tester at U observes the expected trace x U y U x U y U and the tester at L observes the expected trace x L . Two faulty transitions have masked one another in this test sequence but may lead to failures observed in use if the transitions are included in different sequences.
When we are testing in the distributed test architecture, we can only apply an input sequence without introducing controllability problems if the corresponding trace in M is synchronisable. Since we only consider input sequences that do not cause controllability problems in M, we can relax the usual restriction that an FSM considered is deterministic and completely specified and this will prove to be useful. Essentially, we can allow an FSM to be incompletely specified or nondeterministic in response to input sequences that we will not apply in testing since they cause controllability problems. This will give us scope to allow an FSM that we are comparing with M to be incompletely specified or nondeterministic as long as it is completely specified and deterministic for every input sequence that we might use in testing. Throughout this paper we assume that M is a deterministic and completely specified FSM. We let Φ denote the set of s M -deterministic FSMs with the same set of ports as M and the same input and output alphabets. Clearly, in discussing FSMs that are s-equivalent to M it is sufficient to only consider FSMs from Φ.
Definition 3 Given FSMs
Locally s-distinguishing states and FSMs
This paper considers testing in the distributed test architecture. We wish to avoid controllability problems and thus, as usual, we assume that in testing we will only apply an input sequence if it is the input portion of the label of a synchronisable path of M. We also assume that observations are made locally. This scenario leads to the notion of locally s-distinguishing states introduced for deterministic FSMs [19] . The basic idea is that an input sequencex locally s-distinguishes two states s 1 and s 2 if it leads to no controllability problems when applied in states s 1 and s 2 and there is a port i such that the tester at i makes different observations whenx is applied in states s 1 and s 2 .
In this paper we allow a restricted form of nondeterminism: an FSM can be nondeterministic as long as it is s M -deterministic. We now extend the notion of locally s-distinguishing two states to such FSMs, restricting testing to applying an input sequence for which there is only one corresponding path. This will allow us to compare an FSM M with FSMs that are s M -deterministic. Consider again the FSM M 0 given in Figure 3 . It is straightforward to see that no two states of M 0 are globally equivalent. However, we can observe that the only paths from states s 0 and s 3 that are synchronisable are paths whose label has an input portion of the form of either a sequence of zero or more instances of x L or a sequence of zero or more instances of x U . Further, for all such input sequences the traces from s 0 and s 3 are identical and so s 0 and s 3 are locally s-equivalent.
We can extend the definition from [19] to say what it means to locally sdistinguish two deterministic FSMs: it is sufficient to locally s-distinguish their initial states. However, for the purposes of this paper M is deterministic and we allow FSMs other than M to be nondeterministic as long as they are s Mdeterministic. 
Definition 5 Input sequencex locally s-distinguishes the FSM M and the
This follows from the fact that the uniqueness ofρ andρ 1 is guaranteed by M being deterministic and M 1 being s M -deterministic. 2
A smallest locally s-equivalent FSM
This section describes how we can produce an s M -deterministic FSM χ min (M) that is locally s-equivalent to the completely specified deterministic FSM M and is minimal in the sense that for all
The motivation is that in order for an implementation N to be locally s-equivalent to M it must implement all of the traces in L(χ min (M)). Thus, these are the traces that must be included if we are building an implementation that should be indistinguishable from M when the use corresponds to the application of synchronisable input sequences and observations are made locally.
Previous work has shown how we can produce a rooted digraph G ′ in which there is a correspondence between the synchronisable paths in M and the paths from the root of G ′ [18] . However, this previous work only considers the case where there are two ports and in addition G ′ contains edges with no corresponding input or output and so cannot be directly converted into an FSM. In this section we use a related construction to generate an s Mdeterministic FSM χ min (M) in which every path in χ min (M) corresponds to a synchronisable path in M and every synchronisable path in M corresponds to a path in χ min (M). We then prove that χ min (M) is the FSM we are looking for.
For each state s i ∈ S and port k ∈ P we define Depart k (s i ) = {(s i , s j , x/y) ∈ T |x ∈ X k } which is the set of transitions of M whose starting state is s i and whose input is at port k [18] . Similarly, for state s i and set P ⊆ P of ports we define Arrive P (s i ) = {(s j , s i , x/y) ∈ T |ports(x/y) = P}. Arrive P (s i ) is the set of transitions of M whose ending state is s i and that involve the set P of ports and so can only be followed by input at a port j if j ∈ P; otherwise there will be controllability problems [18] . Thus, in a synchronisable path a transition from Arrive P (s i ) can only be followed by a transition t if t is in Depart j (s i ) for some j ∈ P.
We can now define χ min (M) = (S ′ , s ′ 0 , X, Y, T ′ ). For each state s i ∈ S and P ⊆ P there can be a vertex s P i that represents the situation in which the next input must be at a port in P. We define S ′ in the following way.
(1) For all 1 ≤ i ≤ n and P ⊆ P we include s
We include s P 0 in S ′ since we need to represent the situation in which we are in the initial state and have yet to apply any input; here we can apply input at any port. We can now define T ′ in the following way: for each transition t = (s i , s j , x/y) and s Table 1 The Depart p and Arrive p sets for M 0 Naturally, any unreachable states can be removed from χ min (M) but this will not affect the results since they do not contribute to L(χ min (M)).
The construction guarantees that for each transition t ∈ T that occurs in a synchronisable path in M there is at least one corresponding transition in T ′ . Naturally, transitions that are not in synchronisable paths need not be included. Consider, for example, the FSM M 0 shown in Figure 3 . The sets produced in the process of constructing χ min (M 0 ) are shown in Table 1 
Proof
Proof will proceed by induction on the length ofρ. Clearly the result holds for the base cases of paths of length 0 and 1.
Inductive case: let us suppose thatρ =ρ 1 t for non-empty pathρ 1 and transition t. Sinceρ is a synchronisable path in M that starts at s 0 ,ρ 1 must also be a synchronisable path in M that starts at s 0 . Then, by the inductive hypothesis, there is a unique synchronisable pathρ
Consider now the final transition t 
. Let p denote the port such that the input from t is in X p and so p ∈ ports(t ′ 0 ) sinceρ is synchronisable. By the definition of χ min (M), the final vertex ofρ ′ 1 is s P i for some P such that p ∈ P. Thus, by the definition of χ min (M), it is possible to followρ Consider the final transition t 0 ofρ 1 and let s i be the ending state ofρ 1 . Let p denote the port such that the input from t ′ is in X p and so by the definition of χ min (M) we have that p ∈ ports(t 0 ). Since t ′ has input at port p and it is possible to followρ 1 by input at p without causing a controllability problem, we have that there exists a transition t of M such thatρ 1 
This result follows from Propositions 2 and 3 and the definition of χ min (M). 2
The following three results are similar to results proved in [19] . In contrast to [19] they allow some nondeterminism in the FSMs considered but the results contain hypotheses that essentially insist that the behaviour along the relevant paths is deterministic. 
For s i , i ∈ {1, 2}, letρ i denote the unique path with starting state s i that has a label with input portionx ′ . For i ∈ {1, 2} letρ ′ i denote the path formed by deleting the last element ofρ i . By the minimality ofx, label(ρ
and so for all i ∈ P we must have that π i (label(ρ
, there must be a port i such that the output of the last transitions ofρ 
We can combine these to get the following result. 
We will consider the initial states of N and M in the FSM M ⊕ N formed by taking the disjoint union of M and N.
First assume that N and M are locally s-distinguishable and thatx locally sdistinguishes them. By definition,x is synchronisable from the initial states of N and M. Since M is deterministic and N is s M -deterministic, by Proposition 5 we have thatx globally distinguishes N and M as required. Now assume that there exists an input sequencex such thatx is synchronisable from the initial states of N and M andx globally distinguishes N and M.
Then by Proposition 6 we have that N and M are locally s-distinguishable as required. 2
We can now prove the main result of this section.
Theorem 1 For a deterministic and completely specified FSM
M, if N ∈ Φ then N is locally s-equivalent to M if and only if L(χ min (M)) ⊆ L(N).
Proof
First assume that N is locally s-equivalent to M and letx/ȳ be an element of L(χ min (M)). Thus, there is a pathρ ′ of χ min (M) that has starting state s P 0 and labelx/ȳ. By Proposition 3 we know that there is a synchronisable pathρ of M that has starting state s 0 and labelx/ȳ. Thus, since N is s Mdeterministic, N and M are locally s-equivalent andρ is a synchronisable path of M, by Propositions 6 and 7 there must be a path from the initial state of N that has labelx/ȳ and thusx/ȳ ∈ L(N). Since this holds for an arbitrary element of L(χ min (M)) we must have L(χ min (M)) ⊆ L(N) as required. Now assume that L(χ min (M)) ⊆ L(N); we require to prove that N is locally s-equivalent to M. Proof by contradiction: assume that N is not locally sequivalent to M. By Proposition 8 there are synchronisable paths from the initial states of M and N whose labels have input portionx for an input sequencex that globally distinguishes M and N. Then, since M is deterministic and N is s M -deterministic, there is exactly one output sequenceȳ such thatx/ȳ ∈ L(M) and there is exactly one output sequenceȳ ′ such that x/ȳ ′ ∈ L(N) and we must have thatȳ =ȳ ′ . By Proposition 2 we have that x/ȳ ∈ L(χ min (M)) and sox/ȳ ∈ L(N). This provides a contradiction as required.
2
The FSM χ min (M) thus defines those traces from M that must be implemented in order for an s M -deterministic FSM to be locally s-equivalent to M. As a result, the other traces from M can be seen as optional and further traces can be added as long as they do not stop the implementation being s M -deterministic. In the next section we show how we can complete χ min (M) in a maximal manner.
The FSM χ min (M) can be constructed in time that is polynomial in the number of states of M.
Proposition 9 Given a completely specified deterministic FSM M with transition set T and input alphabet X we have that χ min (M) has at most |T | + 1 states and at most |X|(|T | + 1) transitions.
Proof
We only include the state s P i if Arrive P (s i ) is non-empty and this requires there to be a transition t with ending state s i such that ports(t) = P. As a result, in the worst case we obtain one state in χ min (M) for every transition of M in addition to s P 0 and so χ min (M) has at most |T | + 1 states. In addition, since χ min (M) is deterministic it has at most |X| transitions leaving each state and so no more than |X|(|T | + 1) transitions. 2
A largest locally s-equivalent FSM
The use of the distributed test architecture reduces the ability of testing to distinguish between FSMs. A natural question is: For a given FSM specification M, what traces that are not in L(M) might be contained in an implementation despite the implementation being locally s-equivalent to M? This section shows how we can answer this question by producing an s M -deterministic FSM χ max (M) that is locally s-equivalent to M and that has the property that for an FSM N ∈ Φ we have that N is locally s-equivalent to M if and only if L(N) ⊆ L(χ max (M)). This result has the following practical ramifications:
(1) Let us suppose that the use of the SUT N reflects the constraints placed on testing by the distributed test architecture: in use only synchronisable input sequences will be applied and observations can only be made locally at individual ports. Then N is acceptable if and only if N is a reduction of χ max (M) and N does not have to be a reduction of M. Even if we can overcome controllability and observability problems through the use of coordination messages when testing the SUT N, we should not test to check that N is a reduction of M since N may be indistinguishable from M in use but still not be a reduction of M: we may get a false negative. Instead we should test to check that N is a reduction of χ max (M). (2) The traces in L(χ max (M)) \ L(M) are the traces that are not in the specification and that can occur in machines indistinguishable from M if we are testing in the distributed test architecture. Thus, we can explore properties of L(χ max (M)) in order to investigate the potential impact of the limitations placed on testing by the distributed test architecture and this might be used to help decide whether it is worth introducing an external network through which coordination messages can be sent.
We will produce χ max (M) by completing χ min (M). We will want to be able to include multiple possible outputs in response to an input and so will introduce the symbol * whose use as an output represents all outputs from Y . Thus a transition of the form (s, s ′ , x/ * ) in χ max (M) will represent the situation where if x is received when χ max (M) is in state s then χ max (M) can move to state s ′ and produce any output from Y . The following is the algorithm for generating χ max (M). and input x ∈ X such that M 1 has no transition from s with input x, add the transition (s, s c , x/ * ). (6) Return χ max (M).
Proposition 10 Given deterministic and completely specified FSM
M, χ max (M) is s M -deterministic.
Proof
By Proposition 2, for every synchronisable pathρ in M from s 1 , there is a unique synchronisable pathρ ′ in χ min (M) from s P 0 such that label(ρ) = label(ρ ′ ) and corresponding paths must exist in χ max (M). Further, by Proposition 4 we know that χ min (M) is s M -deterministic. The result now follows from observing that ifρ is a synchronisable path in χ min (M) from s P 0 that can be followed by input at p ∈ P without causing a controllability problem and x ∈ X p then there is a transition in χ min (M) from tail(ρ) that has input x and thus the addition of transitions in Step 5 does not introduce nondeterminism in such situations.
Proposition 11 Given deterministic and completely specified FSM M we have that M is locally s-equivalent to
. By Proposition 10, χ max (M) is s Mdeterministic and so the result follows from Theorem 1. 2
Proposition 12 Given deterministic and completely specified FSM M and FSM
N ∈ Φ, if L(N) ⊆ L(χ max (M)) then N is locally s-equivalent to M.
Proof
Proof by contradiction: let us suppose that N is not locally s-equivalent to M. Then there exist input sequences that locally s-distinguish N and M and letx denote a minimal such input sequence. Letx/ȳ andx/ȳ ′ denote the labels of the synchronisable paths from the initial states of M and N respectively. Since M is deterministic and N is s M -deterministic the sequencesx/ȳ andx/ȳ ′ are uniquely defined and soȳ =ȳ
) but this gives a contradiction since, by Proposition 10 we know that χ max (M) is s M -deterministic. 2
Proposition 13 Given deterministic and completely specified FSM M and
Assume that N is locally s-equivalent to M and letx/ȳ be some element of L(N) and so it is sufficient to prove thatx/ȳ ∈ L(χ max (M)). We will use proof by induction on the length ofx/ȳ. The result clearly holds for the base case of sequences of length 0 or 1.
Inductive case: letx/ȳ =x 1 x/ȳ 1 y where x ∈ X and y ∈ Y . By the inductive hypothesisx 1 /ȳ 1 ∈ L(χ max (M)). Ifx 1 /ȳ 1 is not the label of a synchronisable path of M from s 0 then by the definition of χ max (M) we know that for all y ′ ∈ Y we have thatx 1 x/ȳ 1 y ′ ∈ L(χ max (M)) and so the result follows. Similarly, if x 1 x/ȳ 1 y is not synchronisable then χ max (M) can produce all possible output in response to x afterx 1 /ȳ 1 and so the result follows. Finally, consider the case wherex 1 /ȳ 1 is the label of a synchronisable path of M from s 0 andx 1 x/ȳ 1 y is synchronisable. Since N is locally s-equivalent to M we have that, by Definition 5,x 1 x/ȳ 1 y is the label of a synchronisable path of M from s 0 . By Proposition 2 we have thatx 1 
Theorem 2 Given deterministic and completely specified FSM M, for every
The result follows from Propositions 12 and 13. 2
It is clear that the complexity of producing χ max (M) is dominated by the step that devises χ min (M).
Proposition 14 Given a completely specified deterministic FSM M with transition set T and input alphabet X we have that χ max (M) has at most |T | + 2 states and at most (|T | + 2)|X| transitions.
Proof
This follows from χ max (M) having at most one more state than χ min (M) and the fact that for each state s it has |X| transitions that leave s. 2
The set of locally s-equivalent FSMs
We have seen that there exist minimal and maximal elements of the set of FSMs that are locally s-equivalent to M. This section proves that the set of s M -deterministic FSMs that are locally s-equivalent to M defines a bounded lattice. This will be achieved by, for two FSMs M 1 and M 2 , defining an
with the same input and output alphabets we define
The following are important properties of Int(M 1 , M 2 ) and U(M 1 , M 2 ) and follow directly from the definitions.
are s Mdeterministic and locally s-equivalent to M then the following hold: 
We let Φ M denote the set of s M -deterministic FSMs that are locally s-equivalent to M: these are the FSMs we consider in this section. There is a natural partial order on the languages defined by FSMs in Φ M . This is not a partial order on the set of FSMs in Φ M since two such FSMs may define the same languages. However, it becomes a partial order once we quotient out FSM equivalence.
Definition 7 If two FSMs
We letΦ M denote the set of equivalence classes of Φ M under ∼ and given an FSM M 1 ∈ Φ M we let M 1 denote the set of FSMs from Φ M that are globally equivalent to M 1 and thus
For set A and partial order ≤ on A, (A, ≤) is a lattice if for each pair a 1 , a 2 ∈ A we have that: there exists an element a + , called the join of a 1 and a 2 , that is the least upper bound of a 1 and a 2 ; and there exists an element a − , called the meet of a 1 and a 2 , that is the greatest lower bound of a 1 and a 2 . A lattice (A, ≤) is a bounded lattice if it contains a greatest element and a least element. We know from Propositions 16 and 17, that (Φ M , ⊑) is a lattice. In addition, from Theorems 1 and 2, we know that (Φ M , ⊑) contains minimal and maximal elements ||χ min (M)|| and ||χ max (M)|| respectively. Theorem 3 Given deterministic completely specified FSM M, (Φ M , ⊑) is a bounded lattice.
A locally s-equivalent FSM with fewest states
So far we have shown that there are unique minimal and maximal members of the set of FSMs that are locally s-equivalent to M. However, the notions of minimal and maximal were defined in terms of the language specified by an FSM, not by the size of its representation. If we intend to produce an implementation of M and the restrictions imposed by the distributed test architecture are also imposed in use (only synchronisable sequences are used and behaviour is observed locally) then we may want to implement a smallest deterministic complete design that is locally s-equivalent to M. In this section we therefore investigate the problem of producing a completely-specified deterministic FSM M ′ that has fewest states amongst all completely-specified deterministic FSMs that are locally s-equivalent to M.
The first observation that can be made is that we are looking for a completelyspecified deterministic FSM that contains the behaviour of χ min (M) and has fewest states amongst all completely-specified deterministic FSMs whose behaviour contains χ min (M). This problem can be seen as that of minimising the partially specified FSM χ min (M). The general problem of minimising a partially specified FSM is known to be NP-hard [28] . However, in this section we show that χ min (M) can be minimised in polynomial time in the special case often considered in the literature in which there are two ports. We then consider the general case.
FSMs with two ports
In this section we only consider FSMs that have two ports U and L. Two states s 1 and s 2 of an FSM M 1 are globally equivalent if they define the same language:
. However, it is sometimes possible to merge two states that are not globally equivalent when minimising an incompletely specified FSM: we just require that the two states produce the same output for every input sequencex such that the response tox is defined from both states. More formally, states s 1 and s 2 of an FSM M 1 are compatible if for every input sequencex such that there is a pathρ i from s i whose label has input portionx, i ∈ {1, 2}, we have that the labels ofρ 1 andρ 2 are identical.
The process of minimising χ min (M) will proceed via two phases: merging states that are globally equivalent and then merging states that are compatible. The approach described in this section is based on the following observations regarding χ min (M). We start by removing unreachable states, then merge globally equivalent states, and finally merge compatible states. The algorithm for generating the FSM χ s (M) is given in Figure 5 .
It is known that for an FSM with n states it is possible to decide whether two states are globally equivalent in O(n log n) time [20] . It has also been proved that the problem of deciding whether two states of an n state FSM are locally and M ′ must have at least k states that are locally s-equivalent to these states.
For port α ∈ P let k α denote the number of pairwise globally distinguishable states of the form s α i in χ min (M) that are not locally s-equivalent to any state of the form s U,L j at α. Then clearly, for α ∈ P , M ′ must have at least k α states in addition to the k states that are locally s-equivalent to states of the form s
But this is the number of states of χ s (M) and so the result follows. 2
General multi-port FSMs
We now consider the general case in which there are m > 2 ports. This problem is similar to minimising a partially specified FSM, a problem that is known to be NP-hard in general. Pfleeger [28] proves that this is NP-hard by reducing an NP-hard graph colouring problem to it. A graph G is defined by a pair (V, E) in which V is a set of vertices and E is a set of unordered pairs of vertices, each element of E being an edge. An edge between vertices v and v ′ is represented by the unordered pair (v, v ′ ), which is equal to (v ′ , v). Let G = (V, E) be a graph with vertices
. Then the following graph colouring problem is NP-hard [23] : given G and c, does such a colouring function f exist?
We now adapt the proof of Pfleeger. We define an FSM M(G, c) that is similar to a finite automaton used by Pfleeger. However, we require M(G, c) to be completely-specified, so we introduce the opportunity for there to be many locally s-equivalent FSMs by including transitions that are not in any synchronisable path. 
) The set T of transitions is defined by:
• For all
Note that every transition with ending state S F has output (1, . . . , 1) and every transition with ending state S N has output (0, . . . , 0). It should be clear that the transitions in M(G, c) that are not contained in any synchronisable paths are those from a state v j with input a i such that i = j and (v i , v j ) ∈ E since the edge from S 0 to v j has input a j at j and has output at port i if and only if (v i , v j ) ∈ E. Let T 1 denote the set of transitions of M(G, c) that are contained in synchronisable paths and so a transition from v i with input a k is in T 1 if and only if either i = k or (v i , v k ) ∈ E. Then the FSM χ min (M(G, c) ) is equivalent to the FSM formed by removing from M(G, c) all transitions not in T 1 .
Proposition 18
Given M(G, c) = (S, s 0 , X, Y, T ), in which T 1 is the set of transitions contained in synchronisable paths that start at s 0 , the FSM χ min (M(G, c) ) is globally equivalent to (S, s 0 , X, Y, T 1 ).
Proof
First observe that a path of M(G, C) is synchronised if and only if it only contains transitions from T 1 . The result thus follows from Proposition 2 and 3.
Pfleeger considers two approaches to minimising an incompletely specified FSM: completing the FSM or state splitting. Here we only investigate the process of completing χ min (M) in order to produce a completely-specified and deterministic FSM with fewest states that is locally s-equivalent to M and we prove that this problem is NP-hard. The proof that using state splitting is NP-hard is similar. 
We define a set T 
) is deterministic and completelyspecified. We now prove that T 1 ⊆ T ′ 1 and so M ′ (G, c) can be produced from M(G, c) by deleting the transitions that are in no synchronisable path and then adding transitions. First consider a transition (v i , S N , a k /(0, . . . , 0)) ∈ T 1 . We must have that E contains an edge between v i and v k and so by definition,
and there is an edge in E between v k and v ′ i then we would contradict f being a colouring since this would imply that
There is a transition with starting state v i , input a k and ending state S N if and only if (v 
then we must have that for all a k , there is a transition with starting state v i , We define a function f by: f (v i ) = p if v i ∈ C p and so it is sufficient to prove that f colours G. Let us suppose that E contains an edge between v i and v j . We can note that:
(1) M(G, c) contains the edge (S 0 , v i , a i /ȳ(i)) and this can be followed in a synchronisable path by the edge (v i , S F , a i /(1, . . . , 1)) (2) M(G, c) contains the edge (S 0 , v j , a j /ȳ(j)) that has output at port i and thus this can be followed in a synchronisable path by the edge (v j , S N , a i /(0, . . . , 0)).
Thus v i and v j lie in different C l and so the result follows. 2
Theorem 6
The following problem is NP-complete. Given a completely specified and deterministic FSM M and k > 0 is it possible to complete χ min (M) to produce a completely specified and deterministic FSM M ′ that is locally s-equivalent to M and that has at most k states?
Proof
This follows from Proposition 18, Lemmas 1 and 2 and the fact that the graph colouring problem is NP-hard.
This shows that the problem of producing a smallest FSM M ′ that is locally equivalent to M, by completing χ min (M), is NP-hard. However, it is worth noting that this is an instance of the problem of minimising an incompletely specified FSM for which heuristics have been developed (see, for example [10, 22] ).
Conclusions
A system under test (SUT) with multiple interfaces/ports can be tested in the distributed test architecture in which a tester is placed at each interface/port, these testers cannot directly communicate with one another and there is no global clock. It is known that the use of the distributed test architecture introduces limits in testing and recent work has characterised the effectiveness of testing a finite state machine (FSM) in the distributed test architecture in terms of local s-equivalence: it is possible to distinguish two FSMs in the distributed test architecture if and only if they are not locally s-equivalent [19] . Previous work has studied deterministic and completely-specified FSMs but for an FSM M we have considered s M -deterministic FSMs, which are completely-specified and deterministic for each input sequencex that causes no controllability problems in M. This paper has explored the set of s Mdeterministic FSMs that are locally s-equivalent to a given deterministic and completely specified FSM M.
We have shown that it is possible to construct an FSM χ min (M) that, amongst the FSMs that are locally s-equivalent to M, defines the smallest set of traces. Let us suppose that for an FSM M ′ we use L(M ′ ) to denote the set of traces defined by M ′ . Then an s M -deterministic FSM is locally s-equivalent to M if and only if L(χ min (M)) ⊆ L(M ′ ). Thus, χ min (M) defines the set of traces that must be included in an implementation in order for it to be locally s-equivalent to M. As a result, if we are building an implementation of M and this is to be placed in a context in which its use will correspond to the restrictions imposed by the distributed test architecture then χ min (M) defines the set of behaviours that we have to implement.
As well as defining an FSM with a minimal language, we have defined an FSM χ max (M) that, amongst the FSMs that are locally s-equivalent to M, has the largest language. An s M -deterministic FSM M ′ is locally s-equivalent to M if and only if L(M ′ ) ⊆ χ max (M). The FSM χ max (M) thus defines the set of behaviours that can be contained in an SUT without it being possible to distinguish between the SUT and M in testing in the distributed test architecture. Thus χ max (M) can be used to explore the consequences of the limitations introduced by using the distributed test architecture and thus potentially to inform the decision as to whether it is worth incurring the additional expense of introducing an external network through which the testers can communicate in order to overcome these problems (see, for example, [5, 29] for a description of such an external network).
Given an FSM M with multiple ports there is a set of locally s-equivalent FSMs. If we use set inclusion on the languages defined by the FSMs then we get a natural partial order between these FSMs. In this paper we proved that this defines a bounded lattice, with minimal element L(χ min (M)) and maximal element L(χ max (M)).
The definitions of χ min (M) and χ max (M) refer to the semantics of the FSMs and not the size of their representation. Let us suppose that we are developing a system and its use will correspond to the restrictions imposed by the distributed test architecture: only input sequences corresponding to synchronisable paths are applied and observations are made locally. Then we may want a smallest design that is locally s-equivalent to M: a deterministic and completely specified FSM M that has fewest states. The problem of producing such an FSM corresponds to minimising the incompletely specified FSM χ min (M) and we have proved that in general this problem is NP-hard. However, we have also proved that the problem can be solved in polynomial time for the special case, often considered in the literature, in which there are two ports.
This paper has considered three alternative notions of a canonical FSM that is locally s-equivalent to M. The FSMs χ min (M) and χ max (M) can be constructed in time that is polynomial in terms of the number of states of M and a locally s-equivalent FSM with fewest states can be constructed in polynomial time if M has two ports. Recent work [14] has looked at the testing of distributed systems in which an operation can be triggered by the SUT receiving multiple events at different ports and it would be interesting to extend the work described in this paper to such a situation.
