Abstract Given a finite state machine M, a checking sequence is an input sequence that is guaranteed to lead to a failure if the implementation under test is faulty and has no more states than M. There has been much interest in the automated generation of a short checking sequence from a finite state machine. However, such sequences can contain reset transitions whose use can adversely affect both the cost of applying the checking sequence and the effectiveness of the checking sequence. Thus, we sometimes want a checking sequence with a minimum number of reset transitions rather than a shortest checking sequence. This paper describes a new algorithm for generating a checking sequence, based on a distinguishing sequence, that minimises the number of reset transitions used.
Introduction
The importance and cost of testing has led to much interest in automated test generation. Automation is facilitated by the presence of a model or a formal spec-ification that describes the required behaviour of the implementation under test (IUT). State-based systems are often specified or modelled using finite state machines (FSMs) or languages such as Statecharts (Harel and Politi 1998) and SDL (ITU-T 1999) that are based on extended finite state machines (EFSMs). When testing from an EFSM it is common to produce a corresponding FSM by either abstracting out the internal data or expanding this out, possibly after putting limits on this data. FSM based test generation techniques can then be applied. If an abstraction is used then it is possible to choose paths that are feasible in the abstraction and infeasible in the original EFSM, but this problem has been solved for certain classes of EFSM (Duale and Uyar 2004) . Since state-based systems can be represented using FSMs there has been much interest in the problem of automatically generating a test sequence from an FSM (Chow 1978; Hennie 1964; Hierons and Ural 2002, 2006; Ural et al. 1997) .
FSM based test sequence generation has received attention in several domains. It is normal to specify communications protocols and embedded systems using statebased languages and here FSM based techniques are applicable (Broekman and Notenboom 2003; Lee and Yannakakis 1996) . The use of FSM based techniques has also been proposed in the testing of object-oriented systems (Binder 1999) , web services (Haydar et al. 2004 ) and model-based testing (Barnett et al. 2003; Farchi et al. 2002) . It transpires that FSM based test generation techniques assist testing from a specification in a formal language such as Z, VDM or B (Dick and Faivre 1993) .
It is normal to use a criterion that states what it means for a test sequence to be adequate. One criterion is that the test sequence is a checking sequence: it is guaranteed to determine correctness as long as the IUT has no more states than the specification FSM. The notion of a checking sequence was introduced by Moore (1956) and Hennie showed how a checking sequence can be produced when the FSM has a known distinguishing sequence 1 (Hennie 1964 ). Hennie represented checking sequence generation in terms of testing the transitions of an FSM but also showed that there are other types of checking sequence. Since Hennie's paper, research in this area has focussed on the problem of producing a short checking sequence for an FSM that has a known distinguishing sequence (see, for example, Gonenc 1970; Hierons and Ural 2002, 2006; Ural et al. 1997) . The resultant checking sequence generation algorithms are based on a sufficient condition for an input sequence to be a checking sequence, the sufficient condition requiring that each transition is tested, and aim to produce a shortest input sequence that satisfies this condition.
This paper considers the testing of a resetable IUT: one that has a reset operation that is known to (correctly) return the IUT to its initial state. The transitions triggered by this reset operation are known as reset transitions. The reset of a system can require the reconfiguration of the system and can involve human actions and so each use of a reset transition significantly increases the cost of testing (Friske and Schlingloff 2007; Fujiwara et al. 1991; Hierons 2004; Yao et al. 1993) . If a fault in a system is associated with there being extra states then we may require long checking sequences in order to detect this fault (Broekman and Notenboom 2003; Friske and Schlingloff 2007; Fujiwara et al. 1991) . However, reset transitions split a checking sequence into separate subsequences and so reduce the chance of finding such faults: they reduce the effectiveness of a checking sequence. Since a reset transition can significantly increase the cost of applying a checking sequence and reduce the effectiveness of a checking sequence, for some applications we wish to produce a checking sequence with a minimum number of reset transitions. This paper adapts a class of algorithms for producing a checking sequence (Hierons and Ural 2002, 2006; Ural et al. 1997 ) so that we get a checking sequence that, amongst those that can be produced by this class of algorithms, has the fewest reset transitions. Such a checking sequence is said to be optimal. In contrast to other algorithms for generating a checking sequence, the proposed algorithm does not require the FSM to be strongly connected. The use of adaptive checking sequences may well provide additional benefits, and in particular the use of adaptive distinguishing sequences (Lee and Yannakakis 1996) . However, this is left as a topic for future work. There has also been recent work that shows how short checking sequences can be produced using weaker sufficient conditions for an input sequence to be a checking sequence (da Silva Simão and Petrenko 2008) . However, this work produces many separate subsequences separated by resets and so is not appropriate when we wish to minimise the number of resets.
The checking sequence generation algorithms described in (Hierons and Ural 2002, 2006; Ural et al. 1997 ) operate in the following manner. First, they produce two sets of walks from the digraph G(M) that represents the FSM M: a set E α of walks that check that the distinguishing sequenceD used works correctly in the IUT and a set E t of walks that useD to test the transitions. For each walk in E t ∪ E α an edge is added to G(M) and this produces a digraph TestG (M) . A minimum cost walk of TestG(M) that includes each edge in E t ∪ E α is produced and a checking sequence generated from this. This walk is devised using two steps. In the first step, a minimum number of copies of edges from TestG(M) are added to E t ∪ E α in order to make the resultant digraph Aug(M) symmetric: for each vertex v of Aug (M) there are the same number of edges that enter v as leave v. If Aug(M) is connected then the checking sequence is produced from this. Otherwise walks are added to connect the components of Aug(M) and a checking sequence is generated. This approach chooses the set of edges and walks, added to E t ∪ E α , in a manner that guarantees that additions are acyclic as this is required in order to satisfy the sufficient condition from (Ural et al. 1997) for an input sequence to be a checking sequence.
The algorithm given in this paper adapts this approach in several ways. First, the edges in G(M) that represent resets are given a cost that is sufficiently high to ensure that a minimum cost walk that contains every edge in E t ∪ E α also minimises the number of resets. Again, a walk is produced through two steps. First, a digraph TestG(M) is defined and a minimum cost set of copies of edges from TestG(M) is added to E t ∪ E α in order to produce a symmetric digraph Aug(M). If Aug(M) is connected then we produce a checking sequence and it is guaranteed that this minimises the number of resets. If Aug(M) is not connected then we need to add walks to connect it but we wish to do so in a way that adds as few resets as possible. In this paper we prove that the sufficient condition from (Ural et al. 1997) , for an input sequence to be a checking sequence, can be weakened and that we can always add a set of walks with no resets that connect Aug(M) and does not invalidate the new sufficient condition. As a result, the step that connects the components of Aug(M) adds no resets and so the resultant checking sequence minimises the number of resets. Interestingly, while the checking sequence generation algorithms in (Hierons and Ural 2002, 2006; Ural et al. 1997 ) require an NP-hard optimisation problem to be solved if we want to be guaranteed to return a shortest checking sequence, the algorithm given in this paper minimises the number of resets and has low order polynomial time complexity.
The rest of the paper is organised as follows. Section 2 describes finite state machines and digraphs. Section 3 gives a sufficient condition, for a test sequence to be a checking sequence, that forms the basis of checking sequence generations. Section 4 gives the algorithm for generating a checking sequence and Sect. 5 reports the results of experiments. Finally, Sect. 6 draws conclusions.
Preliminaries

Notation
Throughout this paper denotes the empty sequence. We will put a bar above the name of a variable (e.g.x) if this variable represents a sequence. Given a sequencē ρ = z 1 , . . . , z k , for all 1 ≤ i ≤ k we have that z 1 , . . . , z i is a prefix ofρ and z i , . . . , z k is a suffix ofρ.
Directed graphs
Given a set L of labels, a directed graph (digraph) G is defined by a pair (V , E) where V is a set of vertices and E ⊆ V × V × L is a set of directed edges between the vertices. Given edge e = (v, v , l) , v is the starting vertex of e, v is the ending vertex of e, and l is the label of e. G is symmetric if for every vertex v of V the number of edges whose starting vertex is v is equal to the number of edges whose ending vertex is v.
The test generation algorithm proposed in this paper will require us to use digraphs in which there can be more than one copy of an edge. In such situations we use a multiset of edges rather than a set of edges. Multisets differ from sets in one important way: each element of a multiset occurs a specified number of times in that multiset. Thus, if E is a multiset of elements of set E then we can represent E as a set of pairs of the form (e, k) where e ∈ E and k is the number of times that e occurs in E .
A walk in G is a sequence e 1 , . . . , e m of successive pairs of adjacent edges from G. Given digraph G = (V , E) and a set E ⊆ E of edges, the rural Chinese postman problem (RCPP) is to find a shortest tour of G that contains every edge from E . While the RCPP is NP-hard (Lenstra and Khan 1976) , a polynomial time heuristic is often applied when test sequence generation is represented in terms of the RCPP. In this heuristic (Aho et al. 1988) , we first find a minimum cost symmetric augmentation of E : a minimum cost symmetric multiset of elements of E that contains E . This is a multiset since it may be necessary to include multiple copies of some edges. If the resultant digraph is strongly connected then an Euler Tour of this digraph is a solution to the RCPP; if the digraph isn't strongly connected then we add edges to connect its components and the resultant tour may be suboptimal.
Given
where V is the set of vertices from V that are either starting vertices or ending vertices of edges from E :
there is no edge in G from a vertex in V to a vertex not in V , and every edge e in E that is between vertices from V is also in E :
Finite state machines and resets
A (completely specified and deterministic) FSM M is defined by a tuple (S, X, Y, δ, λ, s 1 ) in which S is the finite set of states; s 1 ∈ S is the initial state; X is the finite input alphabet; Y is the finite output alphabet; δ is the state transfer function of type S × X → S; and λ is the output function of type S × X → Y . FSMs are sometimes called Mealy machines or finite state transducers. If we input x ∈ X when M is in state s ∈ S then we get output y = λ (s, x) and M moves to state s = δ (s, x) . This defines a transition (s, s , x/y) that has starting state s and ending state s . The functions δ and λ can be extended to take input sequences in the usual way. Throughout this paper we assume that a completely specified and deterministic FSM M = (S, X, Y, δ, λ, s 1 ) with n states describes the required behaviour of the IUT. Consider the FSM M 0 in Fig. 1 . Here, for example, δ(s 2 , a) = s 4 , λ(s 2 , a) = 0 and so M 0 contains the transition (s 2 , s 4 , a/0). If we consider the application of sequence ab from state s 2 we find that δ(s 2 , ab) = s 2 and λ(s 2 , ab) = 00.
The FSM M can be represented by a digraph G(M) = (V , E) in which each state s i is represented by a corresponding vertex v i , |V | = n, and
As a result we can use graph theory terminology and notation when discussing FSMs. (Hopcroft 1971) . 2 If the FSM being considered is not minimal then we require an initial preprocessing phase that minimises it.
The IUT has a reliable reset feature if there is a process that is known to correctly take it from any state to its initial state. In this paper the use of such a process is represented by the input of r; r takes the IUT from any state to its initial state and produces no output. The transitions triggered by r are reset transitions and thus for every state s of M we add the reset transition (s, s 1 , r/−) where − represents null output. In order to simplify the exposition we assume that r is not contained within the input alphabet X since there is no need to test the reset transitions; the reset transitions are implicit. As a result the digraph G(M) that represents M does not include edges that represent the reset transitions and so we define the set E R = {(v i , v 1 , r/−)|1 ≤ i ≤ n} of additional edges that represent these transitions. If we apply a reset then we lose all information about the state before this and thus reset transitions cannot assist in distinguishing states. We thus assume that the distinguishing sequenceD used does not contain r. IfD contains r then we can produce a shorter distinguishing sequence by deleting this instance of r fromD and all inputs that are after r. This is because the response of M to the reset r and the inputs after r does not depend on the state in which we appliedD and so provides no information about this state.
In testing it is normal to assume that the IUT behaves like an unknown FSM M I from a given fault domain. One standard fault domain is the set Φ M of FSMs with the same input and output alphabets as M and no more states than M. An input sequencē x is a checking sequence if it distinguishes between M and every FSM from Φ M that is not equivalent to M. In this paper we assume that the IUT behaves like an unknown FSM M I ∈ Φ M . An alternative that has been considered in the literature is to assume that the IUT has at most k more states than M for some value k that is chosen by the tester (see, for example, Chow 1978; Luo et al. 1994; Vasilevskii 1973) . However, the size of the resultant test grows exponentially as k increases. In addition, such methods produce (exponentially) many test sequences and separate these using resets. As a result they are not suitable when trying to produce a test sequence that contains very few resets.
LetP denote a walk e 1 , . . . , e m in G(M) with starting vertex v 1 andQ = label(P ). In order to reason about the state of the IUT reached by a prefix ofQ, we will define a digraph Linear(Q).
The vertices of Linear(Q) are called nodes.
Given an input/output sequenceQ = x 1 /y 1 , . . . , x m /y m and a subsequenceQ = x i /y i , . . . , x j /y j ofQ, 1 ≤ i < j ≤ m, we say that n i is the initial node ofQ and n j +1 is the final node ofQ .
Defining checking sequences
Let us suppose thatD is a distinguishing sequence for FSM M with n states, we apply an input sequence to the IUT M I , and for every state s i of M the resulting and so has at most n states,D must also be a distinguishing sequence for M I . Further, D defines a bijection between the states of M and M I . This motivates the following definitions, based on those in (Ural et al. 1997) , of what it means to recognise a node in the labelQ of a walkP and to verify a transition inQ.
Definition 2 Let us suppose thatP is a walk of G(M) with starting vertex v 1 and labelQ.
label of a walk of Linear(Q) with starting node n i . This is illustrated in Fig. 2 part 1).
of a walk of Linear(Q) that ends at node n i . This is illustrated in Fig. 2 
part 2). 3. Let us suppose that (n q , n i ,T ) and (n j , n k ,T ) are walks of Linear(Q) and D/λ(s,D) is a prefix ofT (and thus n q and n j are d-recognised inQ as state s).
Suppose also that node n k is d-recognised as state s of M. Then n i is t-recognised inQ as s . This is illustrated in Fig. 2 part 3 ). 4. Let us suppose that (n q , n i ,T ) and (n j , n k ,T ) are walks of Linear(Q) such that n q and n j are either d-recognised or t-recognised inQ as state s and n k is either d-recognised or t-recognised inQ as state s . Then n i is t-recognised inQ as s . This is illustrated in Fig. 2 
part 4). 5. If node n i of Linear(Q) is either d-recognised or t-recognised inQ as state s then
n i is recognised inQ as state s.
The difference between this and the definition in (Ural et al. 1997 ) is the inclusion of the rule that the node following a reset is recognised as s 1 . This rule has been added in order to reflect the reset being a reliable reset. Note that the distinguishing sequenceD is an implicit parameter of this definition. These terms can be used to define a sufficient condition for an input sequence to be a checking sequence. The following result is based on Theorem 1 from (Ural et al. 1997) .
Theorem 1 LetP be a walk of G(M) that starts at v 1 ,Q = label(P ), and let us suppose that the initial node of Linear(Q) is d-recognised as state s 1 inQ. If every transition of M is verified inQ then the input portion ofQ is a checking sequence of M.
There is only one small difference between this result and Theorem 1 from (Ural et al. 1997) . This is that (Ural et al. 1997) gives a different definition of a checking sequence in that a checking sequence is required to distinguish between M and any element of Φ M that is not isomorphic to M. As a result, a checking sequence under the definition of (Ural et al. 1997) need not detect the IUT starting in the wrong state. Since we require that the IUT and M have equivalent initial states we add the condition that the initial node of Linear(Q) is d-recognised as state s 1 .
In checking sequence generation we recognise the ending vertex of an edge of G(M) that represents transition τ through the use of a distinguishing sequenceD; the corresponding subsequence included in a walkP is called a test subsequence for τ .
Generating a checking sequence
This section gives an algorithm for generating a checking sequence from M on the basis of a distinguishing sequenceD. It starts by defining α -sequences (Hierons and Ural 2006) . We then adapt the algorithm of (Hierons and Ural 2006) in order to minimise the number of reset transitions in the resultant checking sequence.
Defining α -sequences
In previous work (Hierons and Ural 2006) 
The proposed approach will be parameterised by theT i and in practice we will produce the α -sequences once theT i have been defined. First we define α -sequences and we then outline how they can be generated once theT i have been defined, explaining the algorithm of (Hierons and Ural 2006) .
Before defining α -sequences we define a set of transfer sequences. The α -sequences can be defined in the following way.
Definition 4 Given a transfer set T = {T 1 , . . . ,T n } a set A of input/output sequences that are labels of walks of G(M) is an α -set if it satisfies the following conditions. 
For each elementᾱ
Each element of an α -set is called an α -sequence.
Definition 4 ensures that the α -sequences have the following properties when included in an input/output sequence that is the input portion of the labelQ of a walk P in G(M) that starts at v 1 and contains each α -sequence.
1. As a result of the first requirement in the definition: The input portion of an α -sequence starts withD and so an α -sequence can be used to check the ending state of a transition. 2. As a result of the second requirement in the definition: If the α -sequences are labels of walks in M I thenD must be a distinguishing sequence in M I since M I has at most n states and n distinct responses toD are observed in the α -sequences. To construct an α -set A we can first produce a set P = {ρ 1 , . . . ,ρ q } of paths and cycles of GD such that every edge of GD is included exactly once in an element of P . For eachρ k ∈ P , we then produce the input/output sequence seq(
, where v i is the ending vertex ofρ k . This gives the α -set A = {seq(ρ k )|ρ k ∈ P }. The problem of generating an α -set can thus be reduced to that of producing such a set P of paths and cycles given GD (and thus from theT i ). A low order polynomial algorithm has been devised for producing such an α -set that minimises its overall contribution to the checking sequence length (Hierons and Ural 2006) 3 . We do not repeat this algorithm here. 
, and δ(s 4 , aa) = s 2 . The digraph GD produced for M 0 , using empty transfer sequences, is given in Fig. 3 . We could choose any one of several sets of paths and cycles for P including the set that contains a path of length 1 from v 1 to v 4 and a cycle of length 3 from v 2 to v 2 . This leads to the following α -set:
1. sequenceᾱ 1 =DD/0011 from state s 1 ; and 2. sequenceᾱ 2 =DDDD/01101101 from state s 2 .
We can see that this is an α -set since in each case the final application ofD is contained in the body of one of the α -sequences:ᾱ 1 ends inD from s 4 and this is in the body ofᾱ 2 ;ᾱ 2 ends inD from s 2 and this is in the body ofᾱ 2 . There are alternative choices such as one sequenceDDDDD, which labels a walk of G(M) with starting vertex v 1 .
A sufficient condition
We now give a sufficient condition, from (Hierons and Ural 2006) , for a test sequence to be a checking sequence. This defines a set of checking sequences, for an FSM M and α -set A and in Sect. 4.4 we consider the problem of finding a checking sequence from this set with a minimum number of reset transitions. Note that later, in Theorem 4, we prove a more general result and so we do not include a proof of Theorem 2 here. Throughout the paper, when we generate a tour Υ with a required set of edges E we use E con to denote the set of edges that are in Υ but not in E .
Theorem 2 Let
Given M, distinguishing sequenceD and α -set A, the set E T is not uniquely defined. Thus, checking sequence generation can be seen in terms of choosing some E T and generating a checking sequence from this. However, the two parts of this process can be combined into one optimisation algorithm that chooses the optimal E T and a corresponding optimal checking sequence (Hierons and Ural 2006) .
The α -sequences are defined in terms of a set of transfer sequencesT 1 , . . . ,T n . The algorithm given in this paper can thus be seen as being parameterised by this set of transfer sequences. Section 5 reports the results of experiments that explore a heuristic: using empty transfer sequences in the α -sequences. The intuition behind this heuristic is that using emptyT i allows greater freedom of choice regarding the transitions that follow the verification of a transition and this might assist in limiting the number of resets used. Note that this heuristic was used in the case where we simply wish to produce a shortest checking sequence and do not consider the number of resets included (Hierons and Ural 2006) .
An optimisation algorithm
This section gives an algorithm that represents checking sequence generation as an optimisation problem. The first step is to represent the problem as an instance of the RCPP for a new digraph TestG(M) that is produced such that a minimum cost tour, that contains the required edges, defines an optimal checking sequence. We then produce a minimum cost symmetric augmentation of the set of required edges. If the resultant digraph Aug(M) is strongly connected then it has an Euler tour and we form the checking sequence from this Euler Tour. If Aug(M) is not strongly connected then we need to add walks from G(M) in order to connect its components. In Sect. 4.5 we show how such walks, that contain no reset transitions, can be generated. We now describe the optimisation algorithm used.
Recall that M without reset transitions is represented by G(M) = (V , E) and the edge set E R represents the reset transitions. We want to produce a walkP of digraph (V , E ∪ E R ) that satisfies the conditions of Theorem 2. We can consider the problem as being one of connecting a set of subsequences where each subsequence is either an α -sequence or is a (non-reset) transition τ = (s i , s j , x/y) followed by either a walk with labelD/λ(s j ,D)T j or an α -sequence. Further, we require that the set of additional connecting transitions defines an acyclic digraph.
In a similar way to (Hierons 2004) we define an upper bound on the length of the checking sequence; this will be used to punish reset transitions in the checking sequence generation algorithm. By Theorem 2, at worst the checking sequence is a set of test subsequences and α -sequences connected to form one sequence. The sum of the lengths of the subsequences connected to form a checking sequence is bounded above by the sum of the lengths of the subsequences formed by following each transition τ (with ending state s i ) by a walk with labelD/λ(s i ,D)T i and the sum of the lengths of the α -sequences. Let T m = max{|T i |, 1 ≤ i ≤ n}. Since M has |X||S| transitions, this gives an upper bound of |X||S|(1 + |D| + T m ) + k i=1 |ᾱ i | on the overall length of the subsequences to be connected. In forming a tour from these |X||S| + |A| subsequences, there are connecting walks between any two subsequences and each of these has length at most |S| − 1. Thus, the overall checking sequence length is bounded above by U = |X||S|(1 + |D| + T m ) + k i=1 |ᾱ i | + (|X||S| + |A|)(|S| − 1). In the example M 0 , we have T m = 0, |X| = 2, |S| = 4, |D| = 2, |A| = 2, and k i=1 |ᾱ i | = 12 and so we use U = 2 × 4 × (1 + 2 + 0) + 12 + (2 × 4 + 2) × 3 = 66. Given walkP of G(M) we can associate a cost withP . We give each edge in E cost 1 and each edge in E R cost U . Since U is an upper bound on the overall checking sequence length, a minimum cost tour is also a tour with a minimum number of reset transitions (Proposition 3 below). We include a cost for each edge in E since ideally we would like to produce a shortest checking sequence amongst those that minimise the number of resets. We now give an algorithm for producing a minimum cost tour. This algorithm represents the problem in terms of the RCPP in a digraph TestG(M). Algorithm 1 shows how TestG(M) = (V , E ) can be produced, where The following is the key property of TestG(M) that corresponds to the requirements of Theorem 2. Proof We choose a set P T in the following way:
Proposition 1 Let us suppose that Υ is a tour of TestG(M) that includes every edge from E t ∪ E α . Then label(Υ ) is the label of a tour of G(M) with subwalks from a set
1. For every edge e ∈ E α representing an α -sequence choose a subwalkw of Υ of length two that has e as its second edge and include in P T a walk of G(M) with label label(w). This is possible since we require that Υ contains every edge from E α . 
Algorithm 1 Generating TestG(M)
Comment: The edges from E represent the transitions of M and allow us to connect the transition tests. 
Comment: These edges represent reset transitions.
2. For each transition τ = (s i , s j , x/y) of M such that a walk representing τ followed by an α -sequenceᾱ k ∈ A with prefixD/λ(s j ,D)T j orD/λ(s j ,D)T j has not been chosen, include in P T a walk of G(M) with a label that is the label of a subwalk of Υ of length two whose first edge is (v i , v j , x/y). We can always choose some such walk since Υ is required to include every edge from E t . Fig. 4 The digraph
We now consider the three properties in the proposition. The first property follows from the fact that a transition τ = (s i , s j , x/y) is represented by an edge in E t from v i to v j and in a tour this must be followed by an edge that either represents an α -sequenceᾱ k ∈ A with prefixD/λ(s j ,D)T j or D/λ(s j ,D)T j since these are the only edges of TestG(M) that can have starting vertex v j .
The second property is a consequence of the requirement that P T contains every α -sequence.
For the third property observe that the label of a walk in P T is the label of a walk of TestG(M) with length two whose first edge has ending vertex v j for some 1 ≤ j ≤ n. In addition, the first edge of such a walk cannot represent a reset transition and can only represent an edge from E if the second edge represents an α -sequence.
Each edge from E ∪ E t is given cost 1, as each of these edges represents a single transition that is not a reset transition. Each edge from E R is given cost U . An edge from E is given cost 0, while edges from ED and E α are given a cost that represents the length of the corresponding input/output sequence. 4 We introduce some notation before proving that minimum cost tours minimise the number of resets.
Definition 5 Let Υ (E t , E α ) denote the set of tours of TestG(M) that include every edge from E t ∪ E α exactly once.
We have the following property, which tells us that we lose nothing by considering only tours in Υ (E t , E α ).
Proposition 2 Every tour Υ of TestG(M) that includes every edge from E t ∪ E α at least once has the same label as a tour of TestG(M) that includes every edge from E t ∪ E α exactly once.
Proof To see this let us first suppose that an edge e ∈ E t is repeated in a tour Υ of Υ (E t , E α ). Then we can take a subwalk of Υ with length two that contains e and does not include an edge from E α only included once in Υ . We can then replace this subwalk by a sequence of edges from E. We can repeat this process until the tour contains exactly one instance of each edge from E t . Finally, if an edge from E α with labelD/λ(s i ,D)T i is repeated then we can replace all but one of the copies of this edge by the edge from ED with starting vertex v i followed by a walk in (V , E) with labelT .
Proposition 3 Let us suppose that Υ is a minimum cost element of Υ (E t , E α ). Then Υ is an element of Υ (E t , E α ) with fewest reset transitions.
Proof Let Υ (E t , E α ) denote the set of tours of TestG(M) in Υ (E t , E α ) with the property that every cycle in a tour from Υ (E t , E α ) contains at least one edge from E t ∪ E α . Given a tour Υ 1 from Υ (E t , E α ) \ Υ (E t , E α ), we can delete at least one cycle from Υ 1 to produce a shorter tour Υ 2 from Υ (E t , E α ) such that Υ 2 contains no more reset transitions than Υ 1 . It is thus sufficient to only consider tours in
Υ (E t , E α ).
Since Υ is a minimum cost element of Υ
(E t , E α ) we have that Υ is in Υ (E t , E α ). Further, it is a minimum cost member of Υ (E t , E α ). The result now follows from the cost of each edge representing a reset transition having cost U for a value U that is an upper bound on the length of the tours in Υ (E t , E α ).
Checking sequence generation can be seen as the problem of finding a minimum cost element of Υ (E t , E α ): this is an instance of the RCPP. Naturally, we must ensure that the set E con of connecting transitions defines an acyclic digraph. We apply the following procedure, used in (Aho et al. 1988) , for solving the RCPP. 5 First we find a minimum cost symmetric augmentation Aug(M) = (V , E Aug ) of the set E t ∪ E α in TestG(M) by adding copies of some edges from the set E ∪ ED ∪ E ∪ E R . This can be found in polynomial time (Aho et al. 1988) . If Aug(M) is connected then it has an Euler Tour Υ and this provides a solution to the RCPP. If Aug(M) is not strongly connected then it defines a set of components. In Sect. 4.5 we show how walks can be added in order to connect these components without adding reset transitions. If Aug(M) is strongly connected then we produce a checking sequence in the following way. We choose an edge e in Υ that starts at the vertex v i reached from v 1 by a walk with labelD/λ(s 1 ,D)T 1 . We start Υ with e to give walkP and return the input portion ofD/λ(s 1 ,D)T 1 label(P ) as the checking sequence. This is summarised in Algorithm 2.
Proposition 4 Let us suppose that Aug(M) = (V , E Aug ) is the minimum cost symmetric augmentation of the set E t ∪ E α in TestG(M) and let E con denote the set of edges in E Aug
\ (E t ∪ ED ∪ E α ∪ E R ∪ E ).
Algorithm 2 Checking sequence generation algorithm if Aug(M) is connected
Calculate U = |X||S|(1 + |D| + T m ) + k i=1 |ᾱ i | + (|X||S| + |A|)(|S| − 1), where A = {ᾱ 1 , . . . ,ᾱ k } is the α -set used, T m is an upper bound on the lengths of the transfer sequences used, X is the input alphabet of M and S is the state set of M.
Define the digraph TestG(M) and find a minimum cost symmetric augmentation Aug(M) of E t ∪ E α in TestG(M).
Find an Euler Tour Υ of Aug(M).
Let e denote an edge from Υ that has starting vertex v i reached from v 1 by a walk with labelD/λ(s 1 ,D)T 1 . LetP denote the walk produced by starting Υ with e.
Return the input portion ofQ =D/λ(s 1 ,D)T 1 label(P ).
Theorem 3 Let us suppose that when Algorithm 2 is applied the digraph Aug(M) is strongly connected. Then the resultant input portion ofQ =D/λ(s 1 ,D)T 1 label(P ) is a checking sequence that has a minimal number of reset transitions amongst those that satisfy the conditions of Theorem 2.
Proof From Theorem 2, Proposition 1 and Proposition 4 we know thatQ is a checking sequence. From Proposition 3 we know that it minimises the number of reset transitions.
Consider the FSM M 0 . Here, solving the RCPP for the digraph TestG(M) and the set of required edges leads to a strongly connected digraph that has the following Euler Tour.
We can thus obtain the following checking sequence by starting the tour at v 4 after the application ofD since δ(s 1 ,D) = s 4 . If we choose the first instance of v 4 above we get a checking sequence that contains three resets that is defined by:
This leads to the following checking sequence aaaaabaaaaaaaabaaaaaraaaaa arbaaraaaabaa. In this case the tour contains the vertex v 1 . Where this is the case, we have an alternative way of creating a checking sequence: we can start the tour at v 1 and add an instance ofD to the end of the resultant sequence. In this case the final reset (and additionalD) can be eliminated giving a checking sequence with two resets.
aaaa(=ᾱ 1 )bDaDbaaaaaaaa(=ᾱ 2 )bDaDraDaDrbD.
There are two reasons why we can reduce the number of resets by one in this example. First, an α -sequence starts at state s 1 and so we can start the checking sequence with this α -sequence. Second, no transition ends at state s 1 and so in the tour the α -sequence is not used in order to check the final state of a transition and it is preceded by a reset transition that can be eliminated. We require two resets since we cannot return to state s 1 once we have left it and the method requires us to have three edges that start at s 1 : one for each transition with starting state s 1 and one for the α -sequence α 1 . This concludes our analysis of the case in which Aug(M) is strongly connected.
Connecting components
This subsection considers the case where Aug(M) is not strongly connected. We show how walks from TestG(M) can be added to Aug(M) in order to produce a strongly connected digraph Aug (M) such that the walks added contain no reset transitions and a checking sequence can be produced from Aug (M). We could adapt the results in (Hierons 2004) to show that we can add walks to Aug(M) to make it connected without using reset transitions. However, such walks might introduce cycles into the set E con of connecting edges and this is not allowed under Theorem 2.
The following weakening, of the condition for a test sequence to be a checking sequence, helps us to overcome this issue. This allows us to add walks, without including them in the set E con of connecting edges, if each walkP added satisfies the following condition: the label ofP ends in a subsequence of the formD/λ(s i ,D)T i for some s i ∈ S. The reason we can add such a walk is that its final node is t-recognised as the corresponding state of M. Proof From Theorem 1, it is sufficient to prove that each transition of M is verified inQ. Since E con is acyclic it is possible to place a partial ordering ∝ on V such that v i ∝ v j if and only if there is a path in (V , E con ) from v i to v j . This partial ordering can be extended to the nodes of Linear(Q), which are ordered according to their corresponding vertices.
Theorem 4 Let
A proof by contradiction will be produced: assume that the input portion ofQ does not represent a checking sequence. Then, by Theorem 1, some of the nodes of Linear(Q) are not recognised. By definition, any node that is not recognised must follow an edge from E con .
Amongst the nodes that are not recognised, take some n i that corresponds to a vertex v j that is minimal according to ∝. Here node n i corresponds to vertex v j of G(M) if the prefix ofQ of length i is a walk of M with ending state s j . There may be more than one such minimal node, but any one will suffice.
It is now sufficient to look at the node n i−1 that precedes n i (i cannot be 1, as the initial node is d-recognised as s 1 byD/λ(s 1 ,D)T 1 ). The edge from n i−1 to n i must represent some edge e ∈ E con , as its final node is not recognised, and thus n i−1 ∝ n i . By the minimality of n i , n i−1 is recognised.
The edge e represents a transition τ of M. Linear(Q) contains a subsequence, from node n j say, that represents a test subsequence for τ . As n j ∝ n i , by the minimality of n i the node n j must be recognised inQ. Thus, in e , the transition τ exists within a context in which it is followed byD/λ(s,D) for some state s (possibly as part of an α -sequence) and its initial node is recognised. Thus, by the definition of a node being recognised, as n i−1 is recognised n i is also recognised. This provides a contradiction as required.
We now prove a number of results regarding Aug(M) that form the basis of the algorithm for adding walks to connect the components of Aug(M).
Proposition 5 If Aug(M) is not strongly connected then it can be partitioned into a set of components.
Proof This follows from the fact that Aug(M) is symmetric and any weakly connected symmetric subgraph is strongly connected.
Thus the edge set E Aug of Aug(M) can be partitioned into maximal sets C 1 , . . . , C m such that each Aug(M) [C i ] is strongly connected. We assume that such a partition exists and that v 1 is a vertex of the component Aug(M) [C 1 ]. We use the notion of the closure of a set of edges defined in (Hierons 2004) .
Definition 6 Let us suppose that C ⊆ E Aug and Aug
If C i is the edge set of a component G i of Aug(M) then cl(C i ) contains an edge with starting vertex v 1 . 
Theorem 5 Let us suppose that Aug(M) is the minimum cost symmetric augmentation of set E t ∪ E α in TestG(M) and Aug(M) has components represented by edge
Consider the corresponding edge e = (v l , v j , x/y) from E t and some edge e in E Aug that has starting vertex v j . Since TestG(M) is symmetric there must be some such e and e must represent either an α-sequence or a sequence whose input portion starts withD. Recall that e represents a sequence of edges from E and thus contains no reset transitions and so since no edge of E \ cl(C i ) has a starting vertex from TestG(M) [cl(C i )], the ending vertex of e must be in
Further, e and e must be in the same component of Aug(M) since the ending vertex of e is the starting vertex of e . Thus since e ∈ E \ cl(C i ), TestG(M) [cl(C i and some edge e in E Aug that has starting vertex v j . Since e represents a sequence that contains no reset transitions, TestG(M) [cl(C i )] is strongly connected, and e ∈ cl(C i ), the ending vertex of e cannot be in TestG(M) [cl(C i )] . Since e and e are in the same component of TestG(M) they are in some C j such that cl(C j ) = cl(C i ). Since cl(C i ) and cl(C j ) both have edges connected to the starting vertex of e , cl(C i ) = cl (C j ). This provides a contradiction as required.
In (Hierons 2004 ) a similar result is used to show that for each component
we can add a cycle of edges from E that connects Aug(M) [C i ] to v 1 such that the cycle contains no reset transitions (recall that the reset transitions are not represented by edges from E). However, in producing a checking sequence as opposed to a test sequence we require more: we need to ensure that the walks we add lead to a tour that satisfies the conditions of Theorem 4 and thus lead to a checking sequence.
We will introduce an iterative algorithm, Algorithm 3, that adds edges to Aug(M) in order to create a strongly connected symmetric digraph Aug (M). This is based on the following consequence of Theorem 5.
Proposition 6 Let us suppose that Aug (M) has been formed from Aug(M) by adding zero or more cycles formed by edges of E and Aug (M) is not strongly connected. If C is the edge set of the component of Aug (M) that contains v 1 then there is another edge set C a of a component of Aug (M) such that there is an edge e in E from a vertex from Aug (M)[C a ] to a vertex of Aug (M)[C].
Proof Given C i = C, the closure of C i contains an edge with starting vertex v 1 and is strongly connected. Thus, there must be a walk in TestG (M) , that contains no reset transitions, from a vertex in Aug (M) [C i ] to v 1 . In addition, Aug (M) [C i ] must contain vertices from V and since Aug (M) [C i ] is strongly connected we can choose a walk that starts at a vertex from V . Now observe that this walk starts at a vertex v i in V , ends in a vertex v 1 in V , and contains no resets and so there must also be a walk in TestG(M) from v i to v 1 that contains only edges from E. Since all vertices of Aug (M) are either starting or ending vertices of edges of the C j , this path must include an edge e from a vertex in Aug (M) [C a ] to a vertex in Aug (M) [C] for some C a = C and so the result follows.
We can therefore choose such an edge e = (v i , v j , x/y) from a component C a of Aug(M) to the component C 1 . Aug(M) also contains a walk that represents the testing of the transition corresponding to e by following edge (v i , v j , x/y) by an edge from v j to some v k whose labelT is either aD/λ(s iD )T i or an α -sequence with prefixD/λ(
We can therefore define an edge e from v j to v k with labelT that corresponds to a walk in TestG(M). Since Aug(M) [C a ] is strongly connected there is a pathP 1 in Aug(M) [C a ] from the ending vertex v k of e to the starting vertex v i of e. If we add e, e , and an edge e 1 representingP 1 to Aug(M) then we have connected C and C a and the new digraph is symmetric since the edges added form a cycle. This is illustrated in Fig. 5 . The edge e can be included in a tour without having to add it to the set E con of connecting edges in the conditions of Theorem 4, since it ends in a subsequence of the formD/λ(s iD )T i . We do not have to add any of the edges inP 1 to E con since these are already in Aug(M). Below, in Proposition 7 we prove that the addition of e to E con cannot introduce cycles.
Algorithm 3 Connecting the components
Input
Comment: By Proposition 6, there must be some such e and C a .
Find the edge e = (v j , v k ,T ) of Aug(M)
that represents a sequence that can be used to check the final state of the transition corresponding to e. Since Aug(M) is strongly connected there must be some such e . In addition,T is eitherD/λ(s jD )T j or an α -sequence.
Let e = (v j , v k ,T ).
Produce a walkP 1 from the ending vertex v k of e to the starting vertex v i of e using edges from C a only and representP 1 by an edge e 1 .
Comment: This is possible since Aug(M)[C a ] is strongly connected. Further, we know that C a does not contain edges from
Let C = C ∪ C a ∪ {e, e , e 1 }, C = C \ {C a }, and E = E ∪ {e}. end while Output C and E .
At each step of Algorithm 3 some edges e, e and e 1 are added to connect some C a to C. Edge e represents a path that, according to Theorem 4, can be added without including it in E con . Edge e 1 represents a sequence of edges already included in C a and thus it can be added without being added to E con . Thus e is the only edge that we have to add to E con in an iteration. The edges added in an iteration connect the components Aug(M) [C] and Aug(M)[C a ], do not include edges from E R , and preserve the property of the digraph being symmetric.
Proposition 7 If Algorithm 3 is applied to digraph Aug(M) that is not strongly connected then the edge set E returned has the property that (V , E ) is acyclic.
Proof Each iteration of the algorithm involves adding an edge e to E such that e goes from a vertex of some Aug(M) [C a ] to a vertex of the current Aug(M) [C] . Let E I denote the set E before the algorithm is applied, let E F denote the set E after the algorithm is applied, and let E F \ E I = {e 1 , . . . , e m } where the ith iteration of the algorithm adds the edge e i to E , 1 ≤ i ≤ m.
Proof by contradiction: let us suppose that (V , E F ) contains at least one cycle. First observe that, by Proposition 4, (V , E I ) is acyclic. Let j be the integer such that (V , E I ∪ {e 1 , . . . e j −1 }) is acyclic and (V , E I ∪ {e 1 , . . . e j }) contains cycles and letP be a minimum length cycle in (V , E I ∪ {e 1 , . . . e j }). Let us suppose that the j th iteration involved adding an edge to connect C a to C. Since Aug(M) [C a ] and Aug(M) [C] are strongly connected components that have no vertices in common and E I ∪ {e 1 , . . . e j } contains no edge from Aug(M) [C] to Aug(M)[C a ],P cannot contain e j and thus must be a cycle in (V , E I ∪ {e 1 , . . . e j −1 }). This contradicts the minimality of j as required.
Proposition 8 Let us suppose that Algorithm 3 returns the sets C and E . Then Aug (M) = (V , C ∪ E ) is symmetric and strongly connected.
Proof We know that Aug (M) is strongly connected since in each iteration the edges added connect an element of C to C. In addition, Aug (M) is symmetric since in each iteration we add a set of edges that forms a cycle.
The overall checking sequence generation algorithm
We can now state the complete checking sequence algorithm, Algorithm 4. The proof of the following is equivalent to that of Proposition 3.
Proposition 9 Let us suppose that Υ is a minimum cost tour of Aug (M) that contains every element of E t ∪ E α . Then amongst all tours of Aug (M) that contain every element of E t ∪ E α , Υ minimises the number of reset transitions.
Theorem 6 The input portion ofQ produced by Algorithm 4 is a checking sequence that, amongst the checking sequences satisfying the conditions of Theorem 4, minimises the number of reset transitions used.
Proof We know that the input portion ofQ is a checking sequence from Theorem 4, Proposition 7, and Proposition 8. The optimality ofQ follows from Proposition 9 and the fact that the walks added to form Aug (M) from Aug(M) contain no reset transitions.
We can now consider the time complexity of Algorithm 4.
Proposition 10 For an FSM with n states and p inputs, Algorithm 4 can be completed in time of O(pn 2 log n).
Proof The most computationally intensive parts of Algorithm 4 are the steps that produce Aug(M) and that apply Algorithm 3. The first of these involves finding a min cost/max flow and for a digraph with v vertices and e edges this can be found in O(ev log v) (see, for example, Aho et al. 1988 ). Thus, this step takes time of O(pn 2 log n). Algorithm 3 has O(n) iterations. Each iteration of Algorithm 3 involves finding two paths in a digraph with n vertices and pn edges; if a breadth-first search is used then each iteration takes time of O(pn). Thus Algorithm 3 takes time of O(pn 2 ) and the result follows.
Observe that it is possible for the walk produced by Algorithm 4 to end with a reset followed by connecting edges from E con . If this is the case then the final reset can be eliminated from the checking sequence.
We now make some final observations regarding the proposed method. This assumed that the resets are implemented correctly and so are not included in the input alphabet X. If the resets are not known to be reliable then it is necessary to test these by following each byD/λ(s 1 ,D)T 1 . This can be achieved by making the following changes to the algorithm: replace X by X ∪ {r}, add the set E r = {(v i , v 1 , r/−)|1 ≤ i ≤ n} to the digraph TestG(M) and include E r in the set of required edges. The proposed algorithm uses distinguishing sequences, as is usual in checking sequence generation. Instead, it is possible to use adaptive distinguishing sequences and these provide a number of benefits. However, this is a topic of future work.
Experimental results
The proposed algorithm is parameterised by the α -sequences and thus by theT i , 1 ≤ i ≤ n. As explained in Sect. 4, we propose the heuristic of using empty transfer sequences. This is because the use of empty transfer sequences provides the optimisation algorithm with greater flexibility in choosing a walk that follows the test of a transition. In this section we report on the results of experiments, with randomly generated FSMs, that investigated the following questions:
1. How good are the results if we produce the α -sequences using empty transfer sequences? This question concerns the effectiveness of the proposed heuristic of using emptyT i . 2. What impact does the choice of transfer sequences have on the number of resets in the resultant checking sequence (what is the variability)? Here we are interested in the effect of the choice of transfer sequences since we want to know how robust our method is to a suboptimal choice of theT i . 3. How do the results compare with those produced using a method that does not attempt to minimise the number of resets and instead aims to minimise the checking sequence length? We consider this since we want to know whether the process of attempting to minimise the number of resets does actually reduce the number of resets.
The FSMs were randomly generated by inputting the number of states (n), the number of inputs (p) and the number of outputs (q) and for each state s and input x, randomly choosing the end state s and output y. For each FSM M produced in this way we only kept M if it had a distinguishing sequence, was minimal and initially connected, and was not strongly connected. In order to allow a fair comparison between the proposed method and that described in (Hierons and Ural 2006) one small change was made to each of the two methods.
1. The method in (Hierons and Ural 2006 ) finds a walk that goes through the required set of edges, rather than a tour. The use of a walk can lead to shorter checking sequences, since there is no need to return to the initial state. We adapted the proposed method so that it produces a walk rather than a tour in order to avoid biasing the measurements of checking sequence length against it. 6 2. The method in (Hierons and Ural 2006) makes not attempt to avoid the use of resets in theT i . Instead, in the experiments when randomT i are generated for (Hierons and Ural 2006) we avoid the inclusion of resets in order to avoid biasing the experiments against the method of (Hierons and Ural 2006) .
While this paper is concerned with minimising the number of resets used, we wanted to investigate the impact of this minimisation on the length of the resulting checking sequences. Thus for each checking sequence produced we recorded its length as well as the number of resets it contained. This also allowed us to compare the length of the checking sequence produced by the proposed method with one that aims to minimise the checking sequence length, not the number of resets (Hierons and Ural 2006) . For each FSM used in the experiments we did the following:
1. We produced a checking sequence using α -sequences with empty transfer sequences and recorded the checking sequence length and the number of reset transitions included in the checking sequence. 2. We randomly generated transfer sequences that did not contain reset transitions and produced α -sequences using this. Given state s i the transfer sequenceT i was randomly chosen in the following way: randomly select state s j that can be reached from s i without using reset transitions and letT i be a minimum length path from s i to s j that contains no reset transitions. We produced a checking sequence, using these α -sequences, and determined its length and the number of reset transitions it contained. For each FSM this process was repeated 100 times with independently randomly selected transfer sequences.
A total of 20 FSMs were randomly generated. In Table 1 , the first three columns show the FSM number, the number of states of the FSM, and the size of the input and output alphabets 7 respectively. This is followed by two with MR denoting the proposed method, modified to use walks rather than tours, and M06 denoting the modified (Hierons and Ural 2006) . The two columns give the number of resets produced using emptyT i . A final column gives the number of resets produced with M06 divided by the number of resets produced with MR. The number of resets are also shown in the graph in Fig. 6 .
We observe from Table 1 and Fig. 6 that MR's number of resets for emptyT i is always less than that produced using M06 and emptyT i . Table 2 reports the results of experiments with the same FSMs but using randomly generatedT i . The first column gives the FSM number and this is followed by columns giving number of resets. Again, MR denotes the proposed method, modified to use walks rather than tours, and M06 denotes the modified (Hierons and Ural 2006) . There are four pairs of columns that report the number of resets in the checking sequences produced in 100 experiments with randomly generatedT i : columns 2 and 3 give the minimum number of resets, columns 4 and 5 give the mean, while columns 7 and 8 give the maximum. Column 6 gives the ratio between the mean number of resets using M06 and the mean number of resets using MR. The last two columns give the number of checking sequences that ended in a reset in the 100 experiments for each method: such resets can be removed. The mean number of resets are shown in Fig. 7 . The first observation to make relates to the heuristic of using emptyT i for the proposed method. Here, in every case the proposed method did not find a checking sequence with fewer resets than that produced using emptyT i . From Table 1 we see that MR's number of resets for emptyT i is always less then that produced using M06 and emptyT i . In addition, as shown in Fig. 7 , MR's mean number of resets for randomT i is consistently lower than that of M06. It is interesting to note that when we applied the method of (Hierons and Ural 2006 ) 100 times and used the checking sequence with fewest resets we obtained a checking sequence with the same number of resets as that produced using the proposed method with emptyT i . In addition, the proposed method always included the same number of resets when randomT i were used while there is much more variability in the method of (Hierons and Ural 2006) when considering the number of resets. For example, with FSM 16 the minimum number of resets in a checking sequence found by the method of (Hierons and Ural 2006) was 10 but with emptyT i it produced a checking sequence with 39 resets and the experiments produced a checking sequence with 66 resets. These experiments suggest that, as would be expected, the proposed method is better at producing checking sequences with few resets than the method of (Hierons and Ural 2006) . While the aim of the proposed algorithm is to minimise the number of resets used, we often also want a short checking sequence. Table 3 reports on the lengths of the checking sequences produced in the experiments with emptyT i . From Table 3 , we observe that MR's length of checking sequence for emptyT i is very similar to that of M06 and in half of the cases it is identical. The largest difference in checking sequence length is 10 and this is for checking sequences of length greater than 700. Despite these similarities in length, we have seen that there are considerable differences in the number of resets in these sequences. Table 4 gives the results for checking sequences with randomly generatedT i . Again, the results for MR and MR06 are similar when considering minimum length, mean length and maximum length. In fact, the largest difference is for the minimum length checking sequences for FSM 10 and this is just over 10%. If instead we consider the mean figures, the largest difference is less than 3%. The results in Tables 3 and 4 also show that as well as minimising the number of resets, the choice of emptȳ T i leads to the shortest checking sequences produced for each FSM. In the experiments the proposed method produced checking sequences of similar length to those of (Hierons and Ural 2006) suggesting that the process of minimising the number of resets has relatively little impact on the overall checking sequence length.
The proposed algorithm can be applied with strongly connected FSMs and so we ran experiments with six such FSMs. Tables 5 and 6 shows the number of resets in Fig. 9 The number of resets with randomT i the checking sequences returned, MR always returning checking sequences with no resets. These are illustrated in Figs. 8 and 9 respectively. In contrast, in all cases M06 included resets for some choice ofT i and in half of the cases it included resets when using emptyT i . The lengths of the checking sequences are given in Tables 7 and 8 , which again shows that MR produced checking sequences of a similar length to those returned by M06. 
Conclusions and observations
A checking sequence for a finite state machine (FSM) M is an input sequence that is guaranteed to lead to a failure if the implementation under test (IUT) is faulty and has no more states than M. It is desirable to use a short checking sequence and there has thus been much interest in automatically generating such a checking sequence. However, in some situations the use of resets increases the cost of testing and reduces the expected effectiveness of the checking sequence and in such cases we may want to minimise the number of reset transitions used. This paper investigated the problem of producing a checking sequence that has a minimum number of resets. It considered a class of checking sequences that is defined by recent checking sequence generation algorithms. The proposed algorithm returns a checking sequence that, amongst those in this class, has a minimum number of resets. For an FSM with n states and p inputs, the algorithm has time complexity of O(pn 2 log n). In contrast to other checking sequence generation algorithms, the approach given in this paper does not require the FSM to be strongly connected.
The proposed checking sequence generation algorithm is parameterised by a set of transfer sequences. This paper reported on experiments used to investigate the effectiveness of one heuristic: using empty transfer sequences. A total of 20 randomly generated FSMs were used in the experiments: for each a checking sequence was produced using emptyT i and checking sequences were produced using 100 randomly generatedT i . In all of the experiments the checking sequence with emptyT i was both the shortest checking sequence and the checking sequence with fewest resets.
Experiments were used to compare the proposed method with a recent checking sequence generation method that aims to minimise the checking sequence length (Hi-erons and Ural 2006). As expected, it was found that the proposed method was never outperformed by the algorithm of (Hierons and Ural 2006) , when considering the number of resets in the checking sequence returned. In addition, the heuristic of using emptyT i appeared to be less effective with the method of (Hierons and Ural 2006) . The lengths of the checking sequences returned by the proposed method were similar to the lengths of the checking sequences returned by (Hierons and Ural 2006) . Similar results were obtained when the two methods were applied to completely specified FSMs. It should be remembered that the method of (Hierons and Ural 2006) requires us to solve an NP-hard optimisation problem while the proposed method requires low order polynomial time.
The checking sequence generated by the proposed algorithm is the input portion ofD/λ(s 1 ,D)T 1 followed by the input portion of the label of a tour Υ started at the vertex reached from v 1 by a walk with labelD/λ(s 1 ,D)T 1 . If there is a walkP 1 from state s i to s 1 that contains no reset transitions, and Υ contains reset transitions, then we can eliminate one reset transition from the checking sequence. If it is possible to eliminate a reset transition when using non-empty transfer sequences, then it is also possible to eliminate a reset transition when using empty transfer sequences. Thus the observation, that it is sometimes possible to eliminate one reset transition, does not invalidate the experiments reported in Sect. 5, that investigated the effectiveness of using empty transfer sequences.
