Checking sequences for distributed test architectures by Hierons, RM & Ural, H
R. M. Hierons · H. Ural
Checking Sequences for Distributed Test Architectures
Abstract Controllability and observability problems may manifest themselves during the application of a checking sequence in a test architecture where there are multiple remote testers. These problems often require the use of external coordination message exchanges among testers during testing. However, the use of coordination messages requires the existence of an external network that can increase the cost of testing and can be difficult to implement. In addition, the use of coordination messages introduces delays and this can cause problems where there are timing constraints. Thus, sometimes it is desired to construct a checking sequence from the specification of the system under test that will be free from controllability and observability problems without requiring the use of external coordination message exchanges. This paper gives conditions under which it is possible to produce such a checking sequence, using multiple distinguishing sequences, and an algorithm that achieves this.
Keywords Testing · Checking sequence · distributed test architecture · coordination problems · observability problems
R. M. Hierons
School of Information Systems, Computing and Mathematics, Brunel University, Uxbridge, Middlesex, UB8 3PH, UK
E-mail: rob.hierons@brunel.ac.uk
H. Ural
School of Information Technology and Engineering, University of Ottawa, Ottawa, Ontario, K1N 6N5, Canada
E-mail: ural@site.uottawa.ca
1 Introduction
The importance and high cost of software testing has led to much interest in automated test generation. Among the various testing activities in software development, the one that has benefited most from automated test generation is model based testing [1,13,16], where a model of the software under test is used for generating tests. A particular area of application of model based testing is system level testing of reactive systems where the required externally observable behavior of the system under test (SUT) is modeled by a syntactically finite representation of all possible valid sequences of interactions of the system components
with their external environment. Within the context of
testing state-based systems, the externally observable
behavior of the SUT is typically expressed in terms of
a Finite State Machine (FSM) M .
Then the system testing of the SUT is carried out
by applying a test sequence, that has been generated
from M , at its interfaces with its environment. In some
cases it is possible to produce a checking sequence: a test
sequence that is guaranteed to determine whether the
SUT behaves as specified in the FSM M representing
its desired behavior [14,15,19,23,44]. A test or checking
sequence is applied within a given test architecture and
the resulting output sequence is checked against the FSM
M .
A multi-port FSM can be used to express the ex-
pected externally observable behavior of potential im-
plementations of a distributed system which can have
multiple interfaces, called ports. In a multi-port FSM,
each transition is labelled with an input from a port and
an output vector consisting of a (possibly empty) output
to each port. In system testing of a distributed system
N , a distributed test architecture can be used where a
tester is placed at each port of the SUT N , the testers
cannot communicate with one another and there is no
global clock.
During the application of a checking sequence to N
in a distributed test architecture, the use of multiple
testers introduces the possibility of coordination prob-
lems amongst remote testers (see, for example, [2,4,5,8,
11,12,17,24,36,37,41–43,45,47]). These potential prob-
lems are known as controllability and observability prob-
lems. These problems occur if a tester cannot determine
either when to apply a particular input to N , or whether
a particular output from N was generated in response to
a specific input, respectively. The controllability (syn-
chronization) problem occurs when the tester at a port
p is expected to send an input to N after N responds to
an input from the tester at some q ≠ p, without sending an output to p. For example, consider a distributed
test architecture in which there are remote testers at two
ports U and L. If the input of x at port U is expected to
lead to output y at U only and this is to be followed by
input x′ at L then the tester at L does not know when
to send x′ since it did not observe either x or y. The ob-
servability problem occurs when the tester at some port
p is expected to receive an output from N in response to
a given input and is unable to determine when to start
and stop waiting. Observability problems hamper the de-
tectability of output-shifting faults in N i.e., an output
associated with the current input is generated by N in
response to either some earlier input or some later input.
Let us suppose, for example, that in testing the input of x at U is expected to lead to the output of $y_U$ at U and $y_L$ at L, this is to be followed by input $x'$ at U, and this should result in the output of $y'_U$ at U. Then the expected sequences of observations are seen by each tester if instead the input of x leads to output of $y_U$ at U only and then the input of $x'$ leads to output $y'_U$ at U and $y_L$ at L: in both cases the tester at U sees $x\,y_U\,x'\,y'_U$ and the tester at L sees $y_L$.
The use of the distributed test architecture can lead
to controllability and observability problems and so can
make test generation complex and reduce test effective-
ness. However, if the interfaces are physically distributed
then the alternative is to connect the testers through an
external network. The deployment of such a network can
make testing more expensive and the delays introduced
by the exchange of external coordination messages be-
tween testers can make testing take longer. In addition,
the exchange of such messages between testers can lead
to delays that mean that some tests with timing con-
straints cannot be implemented. For example, let us suppose that we wish to follow input x at port $p_i$ by input $x'$ at port $p_j \neq p_i$ and this is to be achieved by an external coordination message being sent from the tester at $p_i$ to the tester at $p_j$ after the input of x. If the external coordination messages take time t to arrive and the input of $x'$ must occur within time $t'$ of x with $t' < t$ then this
approach will not work. The timing issues can be partic-
ularly problematic if the SUT responds rapidly relative
to the network used for external coordination messages.
See [31] for a discussion of some timing issues that arise
when using external coordination messages. Naturally, if
we have access to the source code of the SUT, and poten-
tially can change this, there are other ways of overcoming
these problems.
This paper considers the problem of testing from an
FSM in the distributed test architecture where the focus
is system level testing. This problem has largely been
studied in the context of protocol conformance testing.
However, it is potentially relevant whenever testing a
deterministic state-based system that has physically dis-
tributed interfaces. If the system is implemented through
a set of state-based subsystems that interact, then there
is the potential to combine the FSM models of these sub-
systems to form a single FSM for system level testing.
However, if the focus of testing is unit level or integration
testing then Communicating FSM (CFSM) based models
can be employed to facilitate automated test generation
where interactions among the subsystems are taken into
consideration [9]. Naturally, distributed systems are often nondeterministic and it would thus be interesting to extend the work to the problem of testing from a nondeterministic FSM in this architecture. However, there is the potential to apply approaches for testing from a deterministic FSM, such as the one given in this paper, to such systems by using deterministic testing: test methods that make a nondeterministic distributed system behave in a deterministic manner during testing by forcing a given sequence of interleavings to occur (see, for example, [18,26,34,35]).
This paper makes the following contributions. It gives
a method for constructing checking sequences from multi-
port FSMs that can be applied in a distributed test archi-
tecture without encountering controllability and observability problems and without using external coordination
messages among testers. First we show how a checking
sequence can be produced where there are controllabil-
ity problems but not observability problems. This is the
case, for example, when a global clock can be used to
timestamp the inputs and outputs and it is guaranteed
that all of the outputs produced in response to an in-
put are observed before the next input. We then show
how this can be extended to a checking sequence in the
case where there can be observability problems. Natu-
rally, since such checking sequences do not always exist,
the algorithms work under certain stated assumptions.
This is the first paper that shows how such checking sequences can be produced without using a reliable reset operation¹. In this paper we rely on the existence of distinguishing sequences² for state verification rather than alternatives such as unique input/output sequences or a characterization set. This choice was made because even for single-port FSMs there is no known method for generating a polynomial size checking sequence using these alternative approaches for state verification. Note that some recent work has investigated the problem of checking the output of transitions while avoiding controllability and observability problems but this previous work assumes that each transition of the SUT has the correct final state [5–7].
¹ A reliable reset is a function that is guaranteed to take the implementation back to its initial state irrespective of its current state. The SUT need not have a reliable reset and even when it does the inclusion of resets can reduce test effectiveness and may require human involvement and thus greatly increase the cost of test execution [3,20,46].
² Given an FSM M with n states, an input sequence is a distinguishing sequence for M if it leads to n different output sequences from the n different states of M. Distinguishing sequences are formally defined in Section 2.
The rest of the paper is organized as follows: Section
2 introduces the terminology used in this paper. Sec-
tion 3 defines a property, of a set D of distinguishing
sequences, that must hold in order for us to be able to
use D to check the final state of each transition of the
multi-port FSM M . Section 4 then gives an algorithm
for generating a checking sequence that has no control-
lability problems. Section 5 introduces additional con-
ditions and shows how, under these conditions, we can
produce a checking sequence even if there can be observ-
ability problems. Finally Section 6 gives the concluding
remarks.
2 Preliminaries
2.1 Multi-port FSMs
A (deterministic) multi-port FSM M has m > 1 ports at
which it interacts with its environment. The m ports of
M are identified by integers in the set [1,m] = {1, . . . ,m}.
A multi-port FSM with m ports is defined by a tuple $(S, X, Y, \delta, \lambda, s_1)$ in which:
– S is the finite set of states of M;
– $s_1 \in S$ is the initial state of M;
– $X = \bigcup_{i=1}^{m} X_i$ is the finite input alphabet of M, where $X_i$ is the input alphabet of port i and $X_i \cap X_j = \emptyset$ for all $i, j \in [1,m]$, $i \neq j$;
– $Y = \prod_{i=1}^{m} (Y_i \cup \{-\})$ is the finite output alphabet of M, where $Y_i$ is the output alphabet of port i, $Y_i \cap Y_j = \emptyset$ for all $i, j \in [1,m]$, $i \neq j$, and $-$ means null output;
– $\delta$ is the transition function of type $S \times X \to S$; and
– $\lambda$ is the output function of type $S \times X \to Y$.
This paper deals with multi-port FSMs and so a multi-
port FSM is called an FSM; an FSM with only one
port is called a single-port FSM. M denotes a multi-
port FSM that models the expected behaviour of the
SUT $N = (U, X, Y, \delta_N, \lambda_N, u_1)$. A variable name has a bar over it (for example, $\bar{x}$) if this variable represents a sequence and $\varepsilon$ denotes the empty sequence. A sequence can be represented by listing its elements. For example abc represents the sequence with three elements: a then b and then c.
Note that each $y \in Y$ is a vector of outputs, i.e., $y = \langle o_1, o_2, \ldots, o_m \rangle$ where $o_i \in Y_i \cup \{-\}$ for $i \in [1,m]$. In the following, $p \in [1,m]$ is a port, $x \in X$ is a general input, and the label $y[p, o]$ is used to denote an output vector y of a transition where the output at port p is o. We use $y|_p$ to denote the output at port p in y. It is possible to extend $\delta$ and $\lambda$ to input sequences in the following way: $\delta(s, \varepsilon) = s$, $\delta(s, x\bar{x}) = \delta(\delta(s, x), \bar{x})$, $\lambda(s, \varepsilon) = \varepsilon$, and $\lambda(s, x\bar{x}) = \lambda(s, x)\,\lambda(\delta(s, x), \bar{x})$. A transition $\tau$ of an FSM M is a triple $(s_j, s_k, x/y)$, where $s_j, s_k \in S$, $x \in X$, and $y \in Y$ such that $\delta(s_j, x) = s_k$, $\lambda(s_j, x) = y$, and $s_j$ and $s_k$ are the starting state and the ending state of $\tau$, respectively. The input/output pair x/y is the label of $\tau$.
A path $\bar{\rho} = \tau_1 \tau_2 \ldots \tau_k$ ($k \geq 0$) is a finite sequence of transitions such that if $k \geq 2$ then the ending state of $\tau_i$ is the starting state of $\tau_{i+1}$ for all $i \in [1, k-1]$. Path $\bar{\rho}$ is said to start at the starting state of $\tau_1$. When the ending state of the last transition of path $\bar{\rho}_1$ is the starting state of the first transition of path $\bar{\rho}_2$, we use $\bar{\rho}_1\bar{\rho}_2$ to denote the concatenation of paths $\bar{\rho}_1$ and $\bar{\rho}_2$. The label of a path $\bar{\rho} = (s_1, s_2, x_1/y_1)(s_2, s_3, x_2/y_2) \ldots (s_k, s_{k+1}, x_k/y_k)$ ($k \geq 1$) is the sequence of input/output pairs $x_1/y_1\, x_2/y_2 \ldots x_k/y_k$, which is called an input/output sequence. At times we will want to reason about the state of the SUT after a prefix of an input/output sequence and in order to assist with this we will consider an input/output sequence $x_1/y_1\, x_2/y_2 \ldots x_k/y_k$ to be a sequence of edges $(n_1, n_2, x_1/y_1) \ldots (n_k, n_{k+1}, x_k/y_k)$ in which $n_1, \ldots, n_{k+1}$ are called nodes. The input portion and output portion of an input/output sequence $x_1/y_1\, x_2/y_2 \ldots x_k/y_k$ are the input sequence $x_1 x_2 \ldots x_k$ and output sequence $y_1 y_2 \ldots y_k$, respectively. The input sequence $x_1 \ldots x_k$ (or input/output sequence $x_1/y_1\, x_2/y_2 \ldots x_k/y_k$) is said to label $\bar{\rho}$. Note that we call a sequence of input/output pairs $x_1/y_1\, x_2/y_2 \ldots x_k/y_k$, or $\bar{x}/\bar{y}$ ($\bar{x} = x_1 \ldots x_k$ and $\bar{y} = y_1 \ldots y_k$), or any combination of these an input/output sequence.
An FSM M is said to be globally minimal³ if none of its states are globally equivalent⁴ (i.e., for all $s_i, s_j \in S$, $s_i \neq s_j$, there exists an input sequence $\bar{x} \in X^*$ such that $\lambda(s_i, \bar{x}) \neq \lambda(s_j, \bar{x})$). Any FSM can be converted into an equivalent globally minimal FSM: this process is equivalent to the minimization of a single-port FSM and for an n state FSM with p inputs this can be achieved in time $O(pn \log n)$ [25]. Throughout this paper we thus assume that any FSM considered is globally minimal.
In order to reason about test effectiveness it is normal to use a fault model: a set $\Phi_M$ of FSMs such that we believe that the SUT behaves like an unknown element of $\Phi_M$ [29]. The purpose of the fault model is to capture the types of faults that it is believed can occur and to therefore make it possible to reason about test effectiveness. We use a standard fault model $\Phi_M$ from protocol conformance testing, which is the set of FSMs that have the same input and output alphabets as M and no more states than M. Input sequence $\bar{x}$ is a checking sequence if $\bar{x}$ distinguishes M from every element of $\Phi_M$ that is not equivalent to M. In this paper we are concerned with the problem of generating a checking sequence and thus obtaining a sequence that provides full fault coverage with respect to the fault model. We will see that the notions of equivalence of SUT $N \in \Phi_M$ and M and of distinguishing N from M depend upon the test architecture used and whether there can be observability problems.
³ Normally such an FSM is said to be minimal. In this paper the phrase globally minimal is used in order to distinguish this from the notion of local minimality described in Section 2.4.
⁴ The term globally equivalent is used, rather than equivalent, in order to distinguish this from the term locally equivalent described in Section 2.4.
There are several benefits to producing a checking
sequence rather than a test sequence that, for example,
includes subsequences that aim to check each transition
of M . First, we know that if the SUT passes a checking
sequence then either it is correct or our initial assump-
tion was incorrect: the SUT is not equivalent to a mem-
ber of the fault model. This gives information regarding
the types of faults that can be missed and provides some
guarantees. Second, there is experimental evidence that
checking sequences are more effective in distinguishing
between an FSM M and faulty FSMs [10]. Naturally,
there is scope for using a larger fault model, such as the
set of FSMs with the same input and output alphabets
as M and at most δ extra states for some predetermined
δ as it was shown in [33] but the use of such fault mod-
els in the problem studied in this paper is a topic for
future work. It would also be interesting to extend this
test method to the case where the externally observable
behavior of the system is modelled as a nondeterministic
FSM.
2.2 The distributed test architecture
An FSM M defines the set of expected global behaviours of any potential implementation. Each expected global behaviour is expressed as the label of a sequence of transitions from M. An expected global behaviour is called a global input/output sequence.
Fig. 1 Two test architectures: a) local, in which a single global tester is attached to the SUT; b) distributed, in which an upper tester and a lower tester are attached to the SUT
Testing SUT N ∈ ΦM whose expected externally ob-
servable behaviour is defined by FSM M can be carried
out as a fault detection experiment [14,19] in a specific
test architecture. Two standardized architectures [28] are
shown in Figure 1 for a two-port SUT. The two ports, U
and L, represent the upper interface and lower interface
of the SUT respectively. The local architecture in Figure
1a) has a global tester that controls and observes both
interfaces of the SUT. Figure 1b) shows the distributed
test architecture where the lower interface and the up-
per interface of the SUT are controlled and observed by
separate testers. Each tester applies its own local view
constructed from a global input/output sequence for the
SUT. In the local view, a tester can’t observe the inputs
or outputs of the other testers.
In Figure 1b) there is no global tester. Instead, U and
L are two remote testers that are required to coordinate
the application of a global input/output sequence. How-
ever, they cannot directly communicate with one another
and there may be no global clock. This requirement can
lead to controllability and observability problems that
are defined below.
2.3 Controllability (synchronization) and observability
problems
Let us suppose that in testing input x at port U is ex-
pected to lead to output yU at U only and this is to
be followed by the input of x′ at L. Then we have a
controllability problem since the tester at L does not ob-
serve either the input or output from the previous tran-
sition and so does not know when to send input x′ to the
SUT. In general, given an FSM M and input/output sequence $x_1/y_1\, x_2/y_2 \ldots x_k/y_k$ of M, a controllability (synchronization) problem occurs when, in the labels $x_i/y_i$ and $x_{i+1}/y_{i+1}$ of two consecutive transitions, there exists a port $p \in [1,m]$ such that $x_{i+1} \in X_p$, $x_i \notin X_p$, and $y_i|_p = -$. If there is such a synchronization problem then we cannot apply $x_{i+1}$ after $x_i$ when testing in the distributed test architecture since the tester at port p cannot know when to apply $x_{i+1}$. Two consecutive transitions $\tau_i$ and $\tau_{i+1}$ whose labels are $x_i/y_i$ and $x_{i+1}/y_{i+1}$ form a synchronizable pair of transitions if $\tau_{i+1}$ can follow $\tau_i$ without causing a synchronization problem. Any (sub)sequence of transitions in which every pair of consecutive transitions is synchronizable is called a synchronizable transition (sub)sequence. An input/output sequence is synchronizable if it is the label of a synchronizable transition sequence. An FSM may have properties that make it inherently untestable within the distributed test architecture without using external coordination messages. For example, there may be no synchronizable input/output sequence that is the label of a path that includes a particular transition $\tau$, in which case we cannot test transition $\tau$ without introducing a controllability problem. We thus make the following assumption regarding M.
Assumption 1 For every pair $\tau, \tau'$ of transitions of M there is some synchronizable transition sequence $\bar{\rho} = \tau_1 \ldots \tau_k$ of M in which $\tau_1 = \tau$ and $\tau_k = \tau'$.
Given transitions τ and τ ′ there are low order poly-
nomial algorithms for producing such a minimal length
transition sequence based on a directed graph in which
paths correspond to synchronizable transition sequences
(see, for example, [17]).
In the distributed test architecture each tester sees
only the behaviour at a single port. Suppose that a se-
quence of interactions has occurred. Then the tester at
each port sees only a portion of this: the parts that in-
volved that port. We call this the actual local behaviour.
The tester compares this with the expected local behaviour.
If $\bar{z}$ is an input/output sequence then we use $\pi_p(\bar{z})$ to denote the corresponding sequence of inputs and outputs at port p. The projection function $\pi_p$ can be defined by the following, in which $\bar{z}$ is an input/output sequence, x is an input and $o \neq -$:
$\pi_p(\varepsilon) = \varepsilon$
$\pi_p((x/y[p,-])\bar{z}) = \pi_p(\bar{z})$ if $x \notin X_p$
$\pi_p((x/y[p,-])\bar{z}) = x\,\pi_p(\bar{z})$ if $x \in X_p$
$\pi_p((x/y[p,o])\bar{z}) = o\,\pi_p(\bar{z})$ if $x \notin X_p$
$\pi_p((x/y[p,o])\bar{z}) = x\,o\,\pi_p(\bar{z})$ if $x \in X_p$
Given a sequence $\tau_1 \ldots \tau_k$ of transitions, $\tau_i = (s_i, s_{i+1}, x_i/y_i)$, and port p, $\pi_p(\tau_1 \ldots \tau_k)$ denotes the sequence $\pi_p(x_1/y_1 \ldots x_k/y_k)$.
Suppose the distributed test architecture is being used in testing SUT $N \in \Phi_M$ against an FSM M where m = 2 and the ports of M are denoted U and L. Suppose also that $x x'$ is to be input when M is in state s, $x, x' \in X_U$, x is expected to trigger output $(y_U, y_L)$ and $x'$ is expected to trigger output $(y'_U, -)$. Then $x\,y_U\,x'\,y'_U$ should occur at U and $y_L$ should be observed at L. This is also the case if $(y_U, -)$ is produced in response to x and $(y'_U, y_L)$ is produced in response to $x'$. Since each tester only sees the interactions at its port, neither tester can observe these output faults⁵ in this subsequence: the two output faults mask one another. This situation is represented in Figure 2, in which the differences in the two sequences of interactions cannot be observed by either tester. Naturally, we want to use tests in which output faults cannot mask one another in this way. Note that if $x'$ had been from $X_L$, this combination of faults would have been detected by the tester at L since $x'\,y_L$ would have occurred rather than $y_L\,x'$.
⁵ An output fault is a fault in which a transition produces the wrong output.
Fig. 2 Two behaviours that look equivalent to each tester: the expected behaviour of the FSM (left) and the faulty behaviour of the SUT (right), each drawn as the messages x, $x'$, $y_U$, $y'_U$ and $y_L$ exchanged with Tester 1 and Tester 2
The faults described above mask one another because the correct value $y_L$ is observed at L, but due to the wrong transition, and the tester at port L does not know when to stop waiting for $y_L$. This corresponds to the notion of an undetectable forward output-shifting fault.
Definition 1 Let $\tau\bar{\rho}\tau'$ denote a synchronizable path with $\tau = (s_i, s_j, x/y)$ and $\tau' = (s_j, s_k, x'/y')$. Suppose also that for some $q \in [1,m]$ we have that $y|_q = o \neq -$, $y'|_q = -$, and no transition in $\bar{\rho}$ has output at q. Suppose there are faults in which the output at $p \in [1,m]$ is correct for $\tau$ and $\tau'$ (for all $p \neq q$) and at q the output in response to x is $-$ and the output at q in response to $x'$ is o. This combination of faults is called a forward output-shifting fault [47]. It is an undetectable forward output-shifting fault if $x' \notin X_q$ and no transition from $\bar{\rho}$ has input at q; otherwise it is a detectable forward output-shifting fault.
A similar situation occurs if output at L is expected
in response to x′ but not x and instead it was produced
in response to x.
Definition 2 Let $\tau\bar{\rho}\tau'$ denote a synchronizable path with $\tau = (s_i, s_j, x/y)$ and $\tau' = (s_j, s_k, x'/y')$ and for some $q \in [1,m]$ we have that $y|_q = -$, $y'|_q = o \neq -$, and no transition in $\bar{\rho}$ has output at q. Suppose there are faults in which the output at $p \in [1,m]$ is correct for $\tau$ and $\tau'$ (for all $p \neq q$) and at q the output in response to x is o and the output at q in response to $x'$ is $-$. This combination of faults is called a backward output-shifting fault [47]. It is an undetectable backward output-shifting fault if $x' \notin X_q$ and no transition from $\bar{\rho}$ has input at q; otherwise it is a detectable backward output-shifting fault.
Definition 3 A fault is an output-shifting fault [36] if it
is either a forward output-shifting fault or a backward
output-shifting fault. An output-shifting fault is a de-
tectable output-shifting fault if it is either a detectable
forward output-shifting fault or a detectable backward
output-shifting fault; otherwise it is an undetectable output-
shifting fault.
Where output is shifted between two adjacent tran-
sitions, such output-shifting faults have been called 1-
output-shifting faults [2]. In this paper we consider the
general case and not just 1-output-shifting faults.
The observability problem manifests itself in a check-
ing sequence as an undetectable output-shifting fault.
The following, which is proved in [22], relates the notion of an output-shifting fault being detectable to the definition of the projection $\pi_p$.
Proposition 1 Given transitions $\tau$ and $\tau'$ of M such that $\tau\tau'$ is synchronizable, an output-shifting fault in $\tau\tau'$, which leads to the (faulty) transition sequence $\tau_1\tau'_1$ in SUT $N \in \Phi_M$, is a detectable output-shifting fault if and only if there is some port $p \in [1,m]$ such that $\pi_p(\tau\tau') \neq \pi_p(\tau_1\tau'_1)$.
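The projection $\pi_p$, the synchronizable-pair check of Section 2.3 and the criterion of Proposition 1 can all be exercised on the two-transition scenario of Figure 2. The following Python is an added example and not code from the paper: it encodes an input/output sequence as a list of (input, port of input, output vector) triples, keeps the paper's symbol names (x, x', yU, yL, y'U, U, L), and the function names `io`, `project`, `is_synchronizable`, `detectable`, `figure2` and `intro_example` are ours.

```python
"""Local views, controllability and masked output-shifting faults (Section 2.3).

Added example, not code from the paper.  It implements the projection pi_p and the
synchronizable-pair check on hand-built input/output sequences for the two-port
case (ports U and L) and reproduces the masking scenario of Figure 2.  The symbol
names are the paper's; the encoding of sequences is ours."""
from typing import Dict, List, Tuple

PORTS = ("U", "L")
NULL = "-"                                  # the null output "-"
IOPair = Tuple[str, str, Dict[str, str]]    # (input, port of input, output vector)


def io(x: str, port: str, **outs: str) -> IOPair:
    """x/y where y carries outs[p] at each port p given and '-' elsewhere."""
    return (x, port, {p: outs.get(p, NULL) for p in PORTS})


def project(seq: List[IOPair], p: str) -> List[str]:
    """pi_p(seq): inputs applied at p and non-null outputs at p, in order."""
    view: List[str] = []
    for x, port, y in seq:
        if port == p:
            view.append(x)
        if y[p] != NULL:
            view.append(y[p])
    return view


def is_synchronizable(seq: List[IOPair]) -> bool:
    """No controllability problem: each input at port p must follow a transition
    that involved p (its input was at p, or it produced non-null output at p)."""
    for (_, port_i, y_i), (_, port_next, _) in zip(seq, seq[1:]):
        if port_next != port_i and y_i[port_next] == NULL:
            return False
    return True


def detectable(expected: List[IOPair], actual: List[IOPair]) -> bool:
    """Proposition 1: an output-shifting fault in a synchronizable pair is
    detectable iff the local view at some port differs between the two sequences."""
    return any(project(expected, p) != project(actual, p) for p in PORTS)


def figure2(xprime_port: str) -> Tuple[List[IOPair], List[IOPair]]:
    """Expected and faulty sequences of Figure 2, with x' applied at xprime_port.
    Expected: x/(yU, yL) then x'/(y'U, -).  Faulty: yL is shifted forward onto x'."""
    expected = [io("x", "U", U="yU", L="yL"), io("x'", xprime_port, U="y'U")]
    shifted = [io("x", "U", U="yU"), io("x'", xprime_port, U="y'U", L="yL")]
    return expected, shifted


def intro_example() -> bool:
    """x at U with output only at U, followed by x' at L: the tester at L
    cannot know when to apply x' (the controllability problem of Section 1)."""
    return is_synchronizable([io("x", "U", U="y"), io("x'", "L")])


if __name__ == "__main__":
    for port in PORTS:
        exp, act = figure2(port)
        print(f"x' at {port}: L sees {project(exp, 'L')} (expected) vs "
              f"{project(act, 'L')} (SUT); detectable={detectable(exp, act)}")
    print("intro example synchronizable:", intro_example())
```

With x' at U both testers see identical local sequences (U: x yU x' y'U, L: yL), so the forward shift of yL is undetectable; moving x' to L makes the tester at L see x' yL instead of yL x', which Proposition 1 reports as detectable.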
2.4 Globally distinguishing and locally distinguishing
states
This subsection, which is based on [22], defines what it
means for an input sequence to distinguish two states in
the distributed test architecture.
If there is a global tester, input sequence $\bar{x}$ distinguishes two states if the input of $\bar{x}$ leads to different output sequences when applied in these states. More formally, $\bar{x}$ globally distinguishes states $s_i$ and $s_j$ of M if and only if $\lambda(s_i, \bar{x}) \neq \lambda(s_j, \bar{x})$. This corresponds to the classical notion of distinguishing states of a single-port FSM. States $s_i$ and $s_j$ of M are globally equivalent if no input sequence globally distinguishes them and two FSMs are globally equivalent if their initial states are globally equivalent. Input sequence $\bar{x}$ is a distinguishing sequence for M if for every pair $(s_i, s_j)$ of distinct states of M, $\bar{x}$ globally distinguishes $s_i$ and $s_j$.
In the distributed test architecture, if the testers can access a global clock then they could record the times at which inputs were applied and outputs observed. This would allow the reconstruction of the global input/output sequence if communication is synchronous or all outputs in response to an input are observed before the next input is sent (there is a slow environment). If the input/output sequence can be reconstructed then there are no observability problems and so global distinguishability applies.
Fig. 3 The 2-port FSM $M_0$, with states $s_1$, $s_2$, $s_3$ and transitions labelled $x_1/(a_1, b)$, $x_1/(a_1, -)$, $x_1/(a_1, -)$, $x_2/(a_2, b)$, $x_2/(a_2, b)$ and $x_2/(a_2, -)$
Consider the FSM $M_0$ given in Figure 3 in which $x_1, x_2 \in X_U$, $a_1, a_2 \in Y_U$, and $b \in Y_L$. The input sequence $x_1 x_2$ is a distinguishing sequence since it leads to three different output sequences: $(a_1, b)(a_2, -)$ from $s_1$, $(a_1, -)(a_2, b)$ from $s_2$, and $(a_1, -)(a_2, -)$ from $s_3$.
In $M_0$, $x_1 x_2$ globally distinguishes states $s_1$ and $s_2$. However, neither tester observes a difference since for each state the expected local behaviour at L is b and the expected local behaviour at U is $x_1 a_1 x_2 a_2$. In the distributed test architecture, if there is no global clock then $x_1 x_2$ does not distinguish between $s_1$ and $s_2$ since it is necessary to observe some different sequence of input and output values at one of the ports: there is an observability problem. Given state s and input sequence $\bar{x}$, we use $\gamma(s, \bar{x})$ to denote the input/output sequence resulting from applying $\bar{x}$ when M is in state s. This can be recursively defined in the following manner: $\gamma(s, \varepsilon) = \varepsilon$; $\gamma(s, x\bar{x}) = (x/\lambda(s, x))\,\gamma(\delta(s, x), \bar{x})$. The function $\gamma_N$, for the SUT N, can similarly be defined. If input sequence $\bar{x}$ is applied when M is in state $s_i$ the sequence $\pi_p(\gamma(s_i, \bar{x}))$ is observed at port p.
Definition 4 Input sequence $\bar{x}$ locally distinguishes states $s_i$ and $s_j$ of M at port $p \in [1,m]$ if $\bar{x}$ labels a synchronizable path from both $s_i$ and $s_j$ and $\pi_p(\gamma(s_i, \bar{x})) \neq \pi_p(\gamma(s_j, \bar{x}))$. Input sequence $\bar{x}$ locally distinguishes states $s_i$ and $s_j$ of M if there exists a port $p \in [1,m]$ such that $\bar{x}$ locally distinguishes $s_i$ and $s_j$ at p.
The following is proved in [22].
Proposition 2 An input sequence may globally distinguish two states $s_i$ and $s_j$ but not locally distinguish them. Further, if $\bar{x} \in X^*$ locally distinguishes states $s_i$ and $s_j$ then $\bar{x}$ globally distinguishes $s_i$ and $s_j$.
Where there can be observability problems and external coordination messages are not used, in order to distinguish between states it is necessary to locally distinguish them. States $s_i$ and $s_j$ of M are locally equivalent if no input sequence locally distinguishes $s_i$ and $s_j$. M is locally minimal if for every pair $(s_i, s_j)$ of states of M, if $s_i \neq s_j$ then $s_i$ and $s_j$ are locally distinguishable. It is possible to extend the notion of a distinguishing sequence to the distributed test architecture where there can be observability problems and external coordination messages are not used. Input sequence $\bar{x}$ is a locally distinguishing sequence for M if for all $s_i, s_j \in S$, $s_i \neq s_j$, $\bar{x}$ locally distinguishes $s_i$ and $s_j$.
The problem of deciding whether an FSM has a distinguishing sequence is PSPACE-complete [32]. For a single-port FSM every path is synchronizable and $\pi_1$ observes every input and output, so a locally distinguishing sequence of a single-port FSM is exactly a distinguishing sequence; thus the problem of deciding whether an FSM has a locally distinguishing sequence is PSPACE-hard.
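The gap between global and local distinguishability described above for $M_0$ (and the definition of $\gamma$ and of local distinguishing in this subsection) can be checked mechanically. The following Python is an added example and not code from the paper. Its input and output labels are those of Figure 3 and its outputs reproduce the three responses to $x_1 x_2$ quoted in the text, but the next-state function is an assumption: the arrows of Figure 3 are not recoverable from the text, so a globally minimal state structure consistent with the quoted outputs was chosen. The bounded breadth-first search for a shortest (locally) distinguishing sequence, and the names `gamma`, `lam`, `synchronizable`, `local_view`, `globally_distinguishes`, `locally_distinguishes`, `is_distinguishing_sequence` and `shortest_distinguishing_sequence`, are ours.

```python
"""Global versus local distinguishing sequences for the two-port FSM M0 (Section 2.4).

Added example, not code from the paper.  Labels follow Figure 3 (x1, x2 at U;
a1, a2 at U; b at L).  The NEXT STATES below are an ASSUMPTION chosen so that
x1 x2 yields the three output sequences quoted in the text."""
from collections import deque
from itertools import combinations
from typing import Optional, Tuple

PORTS = ("U", "L")
NULL = "-"
STATES = ("s1", "s2", "s3")
INPUTS = ("x1", "x2")
PORT_OF = {"x1": "U", "x2": "U"}           # X_U = {x1, x2}; X_L is empty
# (delta, lambda): (state, input) -> (next state, output vector indexed like PORTS)
M0 = {
    ("s1", "x1"): ("s3", ("a1", "b")),     # next state assumed
    ("s2", "x1"): ("s1", ("a1", NULL)),    # next state assumed
    ("s3", "x1"): ("s3", ("a1", NULL)),    # next state assumed
    ("s1", "x2"): ("s2", ("a2", "b")),     # next state assumed
    ("s2", "x2"): ("s1", ("a2", "b")),     # next state assumed
    ("s3", "x2"): ("s1", ("a2", NULL)),    # next state assumed
}
Seq = Tuple[str, ...]


def gamma(s: str, xs: Seq):
    """gamma(s, xbar): the input/output sequence produced from state s."""
    pairs = []
    for x in xs:
        s, y = M0[(s, x)]
        pairs.append((x, y))
    return pairs


def lam(s: str, xs: Seq):
    """lambda(s, xbar): the global output sequence."""
    return tuple(y for _, y in gamma(s, xs))


def synchronizable(s: str, xs: Seq) -> bool:
    """The path from s labelled by xs has no controllability problem."""
    seq = gamma(s, xs)
    for (xi, yi), (xj, _) in zip(seq, seq[1:]):
        p = PORT_OF[xj]
        if PORT_OF[xi] != p and yi[PORTS.index(p)] == NULL:
            return False
    return True


def local_view(s: str, xs: Seq, p: str) -> Seq:
    """pi_p(gamma(s, xbar)): what the tester at port p observes."""
    i = PORTS.index(p)
    view = []
    for x, y in gamma(s, xs):
        if PORT_OF[x] == p:
            view.append(x)
        if y[i] != NULL:
            view.append(y[i])
    return tuple(view)


def globally_distinguishes(xs: Seq, si: str, sj: str) -> bool:
    return lam(si, xs) != lam(sj, xs)


def locally_distinguishes(xs: Seq, si: str, sj: str) -> bool:
    """Definition 4: synchronizable from both states and some port sees a difference."""
    if not (synchronizable(si, xs) and synchronizable(sj, xs)):
        return False
    return any(local_view(si, xs, p) != local_view(sj, xs, p) for p in PORTS)


def is_distinguishing_sequence(xs: Seq, local: bool = False) -> bool:
    """Distinguishing sequence (local=False) or locally distinguishing sequence."""
    test = locally_distinguishes if local else globally_distinguishes
    return all(test(xs, si, sj) for si, sj in combinations(STATES, 2))


def shortest_distinguishing_sequence(max_len: int, local: bool = False) -> Optional[Seq]:
    """Breadth-first search over input sequences of length <= max_len; bounded
    because the decision problem is PSPACE-hard, so no length bound is assumed."""
    queue = deque([()])
    while queue:
        xs = queue.popleft()
        if xs and is_distinguishing_sequence(xs, local):
            return xs
        if len(xs) < max_len:
            queue.extend(xs + (x,) for x in INPUTS)
    return None


if __name__ == "__main__":
    ds = ("x1", "x2")
    for s in STATES:
        print(s, lam(s, ds), "U sees", local_view(s, ds, "U"), "L sees", local_view(s, ds, "L"))
    print("shortest locally distinguishing sequence:", shortest_distinguishing_sequence(4, local=True))
```

Under this machine $x_1 x_2$ is a distinguishing sequence, and $x_1$ alone already locally distinguishes $s_1$ from $s_2$ at L (b against nothing); appending $x_2$ adds a b to the view from $s_2$, after which the tester at L sees a single b from either state, which is the observability problem in the text. The search shows that a locally distinguishing sequence for all three states still exists here, but it is longer than the shortest globally distinguishing one.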
2.5 The proposed approach
Most checking sequence generation algorithms are based
on a distinguishing sequence D¯. Typically, they produce
a set of subsequences and connect these subsequences in
order to produce a checking sequence. Some of the subse-
quences check that D¯ is a distinguishing sequence in the
SUT and so D¯ defines a bijection (one-to-one correspon-
dence) between the states of the model and the states of
the SUT. The bijection for a distinguishing sequence D¯
is defined by: state s of M corresponds to state u of N if
and only if the response of N to D¯ when in state u is the
same as the response of M to D¯ when in state s. Other
subsequences use D¯ to check the transitions of the SUT.
In order to check a transition (s, s′, x/y) we need to move
to a state of the SUT that corresponds to s, apply input
x, check that the SUT generates the output y and then
apply D¯ to check that the SUT is in the correct state
after the transition.
12
This paper adapts this approach to the case where we
are testing in the distributed test architecture. Again, the
test generation algorithm produces a set of subsequences
that can be connected to form a checking sequence. Since
a transition t must be followed by input at a port that is
involved in t, we may require a set {D¯1, . . . , D¯r} of dis-
tinguishing sequences rather than a single distinguish-
ing sequence. Section 3 gives a sufficient condition under
which D¯1, . . . , D¯r can be used to check the final state
of every transition. It is thus not sufficient to check that
each D¯i is a distinguishing sequence in the SUT and thus
defines a bijection between the states of the SUT and the
states of the model: it is essential that the distinguishing
sequences define the same bijection. In Section 4, Algo-
rithm 1 shows how we can generate subsequences that
check that a single distinguishing sequence D¯1 is also a
distinguishing sequence in the SUT. Algorithm 2 shows how additional subsequences can be produced that use D̄1 to check that D̄1, . . . , D̄r are distinguishing sequences of the SUT that define the same bijection as D̄1. Algorithm 3 then shows how we can devise subsequences that check a transition using D̄1, . . . , D̄r and finally Algorithm 4 simply involves forming a single checking sequence from the subsequences returned by Algorithms 1, 2, and 3.
3 Using multiple distinguishing sequences
An input sequence D¯ is a (globally) distinguishing se-
quence for M if it produces n different output sequences
from the n different states of M . If these n different
output sequences are seen in response to D¯ in the SUT
N ∈ ΦM then since N has at most n states we know that
D¯ is also a distinguishing sequence for N . Where this is
the case, D¯ recognizes each state of N as a state of M .
Since we are testing in the distributed test architecture
we also require that for each state s of M the path from
s with label D¯/λ(s, D¯) is synchronizable. The following
adapts the definitions provided in [44] of what it means
to recognize a node in a path ρ¯ and to verify a transition
of M in the label (input/output sequence) Q¯ of ρ¯. The
base case is that the distinguishing sequence recognizes
its starting state. The recursive cases essentially say that
if an input sequence x¯ is repeated in Q and in the two
cases we know that the current state of the SUT must be
the same before x¯ is applied then the state of the SUT
must be the same after these two occurrences of x¯.
In order to prove that an input/output sequence z¯ de-
fines a checking sequence we will reason about the states
of the SUT reached by prefixes of z¯ and thus how the
nodes visited by z¯ correspond to states of M . This rea-
soning will be based on the use of distinguishing sequence
D¯ and the assumption that this defines a bijection be-
tween the states of the SUT and M : later we will see how
we can produce subsequences with the property that if
an SUT passes a test that contains these subsequences
then D¯ must define a bijection between the states of the
SUT and M .
Definition 5 1. A node ni of ρ¯ is d-recognized in Q¯
by D¯ as state s of M if D¯/λ(s, D¯) is the label of a
subpath of Q¯ that starts at ni. This says that, since
we assume that D¯ defines a bijection between the
states of M and those of the SUT, if a node ni is
followed by a subpath labelled by D¯/λ(s, D¯) then ni
must correspond to state s.
2. Suppose that (nq, ni, T̄) and (nj, nk, T̄) are subpaths of ρ̄ and D̄/λ(s, D̄) is a prefix of T̄ (and thus nq and nj are d-recognized in Q̄ by D̄ as state s). Suppose also that node nk is d-recognized by D̄ as state s′ of M. Then ni is t-recognized in Q̄ by D̄ as s′. This says that if we know that two nodes nq and nj correspond to the same state, T̄ labels a path from nj to nk and we know that nk corresponds to state s′, then if there is a path with label T̄ from nq to ni, since the SUT is deterministic, ni must correspond to state s′.
3. Suppose that (nq, ni, T̄) and (nj, nk, T̄) are subpaths of ρ̄ such that nq and nj are either d-recognized or t-recognized in Q̄ by D̄ as state s and nk is either d-recognized or t-recognized in Q̄ by D̄ as state s′. Then ni is t-recognized in Q̄ by D̄ as s′. This extends the previous case to allow the nodes nq, nj, and nk to be t-recognized rather than being d-recognized.
4. If node ni of ρ¯ is either d-recognized or t-recognized
in Q¯ by D¯ as state s then ni is recognized in Q¯ by D¯ as
state s. Where D¯ is clear we say that ni is recognized
in Q¯ as state s.
5. Transition τ = (sa, sb, x/y) of M is verified in Q¯ by
D¯ if there is a subpath (ni, ni+1, xi/yi) of ρ¯ such that
ni is recognized in Q¯ by D¯ as sa, ni+1 is recognized
in Q¯ by D¯ as sb, xi = x and yi = y.
Given a transition τ of M , we use P (τ) to denote the
set of ports that are involved in τ : the port that receives
the input of τ and each port that receives non-empty
output from τ . Transition τ can be followed by an input
at port p, without causing a synchronization problem,
if and only if p ∈ P (τ). Given an input sequence D¯,
inport(D¯) denotes the port whose tester sends the first
input from D¯.
A distinguishing sequence D¯ can only be used in or-
der to verify the ending state of a transition τ , with-
out causing a controllability problem, if it starts with
an input at a port from P (τ). Thus, it may be neces-
sary to use more than one distinguishing sequence, the
different distinguishing sequences starting with input at
different ports. Consider, for example, the 2-port FSM
M1 given in Figure 4 that has input alphabet defined by
XL = {a, c} and XU = {b} and output alphabet defined
by YL = {2, 3} and YU = {0, 1}. Then D̄1 = ba and D̄2 = ab are locally distinguishing sequences for M1, as can be seen from Table 1.
Suppose we wish to use a set D = {D¯1, . . . , D¯r} of
distinguishing sequences to check the ending states of the
transitions of M . If Υ denotes the transitions of M then
D must satisfy the following.
Fig. 4 The 2-port FSM M1 (figure not reproduced; states s1, s2, s3, s4 and transitions t1 = a/(1,2), t2 = b/(0,3), t3 = c/(-,2), t4 = a/(1,3), t5 = b/(0,2), t6 = a/(0,2), t7 = b/(1,3), t8 = c/(0,2), t9 = a/(1,3), t10 = b/(0,2))
State   At U for ba   At L for ba   At U for ab   At L for ab
s1      b00           3a2           1b0           a23
s2      b01           2a2           1b0           a33
s3      b11           3a2           0b0           a22
s4      b00           2a2           1b0           a32
Table 1 The responses to ab and ba
Definition 6 The set D is complete for M if for every
transition τ ∈ Υ there exists some D¯ ∈ D such that
inport(D¯) ∈ P (τ).
Given a set K and a set A of subsets of K (A ⊆
P(K)), a set K ′ ⊆ K is a hitting set for A if every
set in A contains at least one element of K ′. Let in(D)
denote {inport(D¯)|D¯ ∈ D}. Further, let in(Υ ) denote
{P (τ)|τ ∈ Υ}. Then the set D is complete for M if and
only if for every A ∈ in(Υ ) there exists some p ∈ in(D)
such that p ∈ A.
Proposition 3 The set D is complete for M if and only
if in(D) is a hitting set for in(Υ ).
Suppose Z is a minimum size hitting set for in(Υ ).
Then, any set D of distinguishing sequences to be used
must have size at least |Z|. Thus it is desirable to use a
set D of distinguishing sequences with the property that
in(D) is a minimum size hitting set for in(Υ ). Note that
while the problem of finding a minimum size hitting set is
NP-complete [30], normally the number of ports will not
be large; in such cases it is practical to solve this prob-
lem. Throughout this paper we use D = {D¯1, . . . , D¯r} to
denote a complete set of distinguishing sequences to be
used in checking sequence generation.
4 Overcoming controllability problems
This section shows how, under certain conditions, a syn-
chronizable checking sequence can be produced without
the addition of external coordination message exchanges.
Under some situations there is no observability problem
in which case such a checking sequence is sufficient. An
example of such a situation is when there is a global
clock and a slow environment. This section is structured
in the following way. First, we show how we can generate
subsequences that verify that the given distinguishing se-
quences for M are also distinguishing sequences for the
SUT N = (U,X, Y, δN , λN , u1) ∈ ΦM . We then show
how these subsequences can be used in the construction
of a checking sequence by including each transition τ in
a context in which we know that its starting state is rec-
ognized and τ is followed by a distinguishing sequence.
4.1 Verifying the distinguishing sequences
It might appear that, in order to verify that the elements
of D = {D¯1, . . . , D¯r} can be used to identify the states
of the SUT N ∈ ΦM , it is sufficient to use an input
sequence that should lead to the n different responses
from N to each distinguishing sequence in D. This would
demonstrate that each distinguishing sequence is also a
distinguishing sequence in the SUT and so each defines
a bijection between the states of M and the states of the
SUT.
While such an input sequence is capable of showing
that each element of D is a distinguishing sequence for
SUT N ∈ ΦM , it need not be able to demonstrate that
the elements of D recognize states of N in a consistent
manner; the bijection between states of M and N defined
by different distinguishing sequences may differ. For example, there could exist states u and u′ of N, states s and s′ of M, and D̄i, D̄j ∈ D such that:
1. N produces λ(s, D̄i) and λ(s′, D̄j) in response to D̄i and D̄j respectively from state u; and
2. N produces λ(s′, D̄i) and λ(s, D̄j) in response to D̄i and D̄j respectively from state u′.
Fig. 5 FSMs M′ and M′′ (figure not reproduced; M′ has states s1 and s2 labelled a/0, b/0 and a/1, b/1 respectively, with c/1, d/1 on the arcs between them; M′′ has states s3 and s4 labelled a/0, b/1, d/1 and a/1, b/0, d/1 respectively, with c/1 on the arcs between them)
Consider, for example, the single-port FSMs M ′ and
M ′′ shown in Figure 5 and let us suppose that we are
testing an SUT that is equivalent to M ′′ against M ′.
Here it is clear that a and b are distinguishing sequences
of both M ′ and M ′′. Let us suppose that we test the
SUT with input sequence acadbcb. The SUT passes this
test because we observe that the output produced by
M ′′ in response to this input sequence is the expected
output sequence 0111011. Since the SUT passes this test
we must have that a and b are distinguishing sequences
for the SUT. However, under the distinguishing sequence
a we find that s3 corresponds to s1 and s4 corresponds
to s2 while under the distinguishing sequence b, s4 cor-
responds to s1 and s3 corresponds to s2. The two dis-
tinguishing sequences thus define different bijections be-
tween the states of M ′ and M ′′ even though each is a
distinguishing sequence for both FSMs.
In constructing a checking sequence on the basis of
multiple distinguishing sequences we use the distinguish-
ing sequences to verify the state transition structure of
N and thus require that they recognize the states of N
in a consistent manner.
Definition 7 Set D = {D¯1, . . . , D¯r} is a consistent set
of distinguishing sequences for N ∈ ΦM if:
1. Each input sequence in D is a distinguishing sequence
for N ; and
2. All r elements of D recognize the states of N in a
consistent manner: i.e. if u is a state of N then there
exists a state s of M such that for all i ∈ [1, r],
λN (u, D¯i) = λ(s, D¯i).
Definition 8 State u of N ∈ ΦM is recognized as s by
D if D is a consistent set of distinguishing sequences for
N and u is recognized as state s of M by some D¯i ∈ D.
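The following is an added Python example, not code from the paper, that encodes the two single-port FSMs M′ and M′′ of Figure 5 and runs the consistency check of Definition 7 on them. The transition tables are reconstructed from the figure labels and from the worked test in the text (input acadbcb producing 0111011); in particular the targets of the d-transitions of M′ (s1 to s2 and s2 to s1) are an assumption. The function names (response, bijection, is_consistent_set) are the example's own.

```python
from itertools import combinations

# Single-port FSMs M' and M'' of Figure 5, reconstructed from the figure labels
# and the worked test in the text (acadbcb -> 0111011).  The d-transition targets
# of M' are an assumption read off the figure.  Entry: (state, input) -> (next, output)
M_PRIME = {
    ("s1", "a"): ("s1", "0"), ("s1", "b"): ("s1", "0"),
    ("s1", "c"): ("s2", "1"), ("s1", "d"): ("s2", "1"),
    ("s2", "a"): ("s2", "1"), ("s2", "b"): ("s2", "1"),
    ("s2", "c"): ("s1", "1"), ("s2", "d"): ("s1", "1"),
}
M_DPRIME = {
    ("s3", "a"): ("s3", "0"), ("s3", "b"): ("s3", "1"), ("s3", "d"): ("s3", "1"),
    ("s3", "c"): ("s4", "1"),
    ("s4", "a"): ("s4", "1"), ("s4", "b"): ("s4", "0"), ("s4", "d"): ("s4", "1"),
    ("s4", "c"): ("s3", "1"),
}


def states(fsm):
    """The state set, read off the transition table."""
    return sorted({s for s, _ in fsm})


def response(fsm, state, inputs):
    """lambda(state, inputs): the output sequence produced from `state`."""
    out = []
    for x in inputs:
        state, y = fsm[(state, x)]
        out.append(y)
    return "".join(out)


def is_distinguishing(fsm, inputs):
    """`inputs` is a distinguishing sequence if every state answers it differently."""
    answers = [response(fsm, s, inputs) for s in states(fsm)]
    return len(set(answers)) == len(answers)


def bijection(model, sut, d):
    """The correspondence d induces: SUT state u maps to the model state s with
    lambda_N(u, d) == lambda_M(s, d).  None if d is not distinguishing for both
    machines or some SUT response is not a model response."""
    if not (is_distinguishing(model, d) and is_distinguishing(sut, d)):
        return None
    by_answer = {response(model, s, d): s for s in states(model)}
    mapping = {}
    for u in states(sut):
        s = by_answer.get(response(sut, u, d))
        if s is None:
            return None
        mapping[u] = s
    return mapping


def is_consistent_set(model, sut, dset):
    """Definition 7: each sequence in dset is distinguishing for the SUT and all of
    them induce the same correspondence between SUT states and model states."""
    maps = [bijection(model, sut, d) for d in dset]
    return all(m is not None for m in maps) and all(m == maps[0] for m in maps)


if __name__ == "__main__":
    print(response(M_PRIME, "s1", "acadbcb"), response(M_DPRIME, "s3", "acadbcb"))
    print(bijection(M_PRIME, M_DPRIME, "a"), bijection(M_PRIME, M_DPRIME, "b"))
    print(is_consistent_set(M_PRIME, M_DPRIME, ["a", "b"]))
```

Running it shows that both machines answer acadbcb with 0111011, that a and b are each distinguishing for both, and that the two correspondences differ (s3 to s1 and s4 to s2 under a, s3 to s2 and s4 to s1 under b), so {a, b} is not a consistent set for an SUT equivalent to M′′; the same check of M′ against itself returns True.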
Given the set D we want to find an input sequence
x¯ with the property that if the SUT N ∈ ΦM produces
the same output sequence as M in response to x¯ then we
can conclude that D is a consistent set of distinguishing
sequences for N . If this can be done then we can use the
elements of D in the knowledge that if N produces the
same output sequence as M in response to x¯ then the
distinguishing sequences in D recognize the states of N
in a consistent manner.
Definition 9 Input sequence x¯ is said to verify D if
D is a consistent set of distinguishing sequences for ev-
ery FSM N ∈ ΦM for which we have that λN (u1, x¯) =
λ(s1, x¯).
The key point in this definition is that since we as-
sume that the SUT N is contained in ΦM , if x¯ verifies
D and we observe the input/output sequence x¯/λ(s1, x¯)
from the initial state of N then we know that D must
be a consistent set of distinguishing sequences for N .
Thus, if we start a test with x¯ then there are two pos-
sibilities: either we observe a failure or we observe the
input/output sequence x¯/λ(s1, x¯) and so can conclude
that D is a consistent set of distinguishing sequences for
N and so its elements can be used to check the ending
states of transitions of N .
Algorithm 1 produces a subsequence that, when in-
cluded in a path ρ¯ from s1, ensures that the input se-
quence x¯ that labels ρ¯ verifies {D¯1} for some D¯1 ∈ D.
Further subsequences, to verify the remaining elements
of D, are then produced in Algorithm 2 using a recursive
approach.
Let s̄i denote the state δ(si, D̄1) of M reached from si by the input of D̄1. In order to verify {D̄1} we produce a subsequence using the following algorithm.
Algorithm 1 1. For each state si (1 ≤ i < n) define a transfer sequence $\bar{T}^1_i$ that labels a path of M from s̄i to si+1 such that $\bar{D}_1/\lambda(s_i,\bar{D}_1)\,\bar{T}^1_i$ is the label of a synchronizable path from si to si+1 that may be followed by input at port inport(D̄1) without causing a synchronization problem.
2. Return the subsequence from s1 that has label $\bar{D}_1/\lambda(s_1,\bar{D}_1)\,\bar{T}^1_1\;\bar{D}_1/\lambda(s_2,\bar{D}_1)\,\bar{T}^1_2\;\ldots\;\bar{D}_1/\lambda(s_n,\bar{D}_1)$.
The subsequence returned by this process is denoted
α¯1. For example, the sequence α¯1 that is obtained by
applying Algorithm 1 to 2-port FSM M1 is formed by
the concatenation of the following subsequences: t2t6t9;
t5t1t2; t7t1t2t6; and t10t6.
Recall that Assumption 1 states that for any pair τ, τ ′
of transitions there is a synchronizable path that starts
with τ and ends in τ ′.
Proposition 4 Given an FSM M and a distinguish-
ing sequence D¯1 for M , the subsequence α¯1 can be con-
structed using D¯1.
Proposition 5 The length of the sequence α¯1 produced
by Algorithm 1 is of O(n(n + |D¯1|)).
Proposition 6 If the label of α¯1 is the label of a path
in N ∈ ΦM from some state u of N then D¯1 is a distin-
guishing sequence for N .
Proof
This follows since N has at most n states and in ᾱ1 it produces n different responses to D̄1. □
Having produced a subsequence that verifies {D¯1},
we get the following definition of what it means to verify
that an element of D is a distinguishing sequence for N
and that it recognizes states of N in the same way as
D¯1. Essentially this says that we require that if the SUT
passes a test starting with input sequence x¯ then every
D¯i ∈ D defines the same bijection between the states of
the SUT and the states of M .
Definition 10 Sequence D¯i ∈ D, 1 < i ≤ r, is verified
relative to D¯1 by input sequence x¯ if the following hold:
1. The response of M to x¯ contains n different output
sequences produced in response to D¯i; and
2. Whenever an SUT N produces the expected output
sequence in response to x¯, for every u ∈ U of N such
that D¯1/λ(s, D¯1) labels a path from u (some state s
of M) we have that D¯i/λ(s, D¯i) labels a path from
u.
Proposition 7 If all the D¯i ∈ D are verified relative to
D¯1 by input sequence x¯ then x¯ verifies D.
Proof
This simply follows from the fact that if D̄i is verified relative to D̄1 then D̄1 and D̄i must define the same bijection between states of M and states of N. □
We now explain how subsequences can be generated
to verify the elements of D \ {D¯1} relative to D¯1. We
define this process in a recursive manner: we assume that
we have produced subsequences that verify D¯1, . . . , D¯i−1
relative to D¯1 and show how, on the basis of this, D¯i can
be verified relative to D¯1.
The algorithm for producing subsequences that ver-
ify some D¯i relative to D¯1 operates in the following way.
For each state sk we wish to apply D¯i after a path ρ¯
from M whose ending state is sk and whose starting
and ending states have been recognized using a distin-
guishing sequence already verified. We ensure that the
starting state of ρ¯ is recognized by beginning it with a
distinguishing sequence already verified. We ensure that
the ending state of ρ¯ has been recognized by including
ρ¯ followed by D¯j/λ(sk, D¯j) for some D¯j with j < i that
has already been verified. We add a further subsequence
in the form of ρ¯ followed by D¯i/λ(sk, D¯i). Since D¯j has
already been verified relative to D¯1, we know that D¯i is
being applied in the state recognized as sk by D¯1. Note
that this procedure requires that we can follow ρ¯ with
either D¯i or D¯j and this places constraints on the ports
involved in the final transition of ρ¯.
We could apply this procedure for every state sk of
M . However, this is not necessary. Instead, it is sufficient
to apply this procedure for n − 1 states and also apply
D¯i in the remaining state: by observing an nth different
response to D¯i we show that D¯i is a distinguishing se-
quence for N and also, by a process of elimination, show
that it recognizes the states of N in a manner that is
consistent with D¯1.
Algorithm 2 1. For i = 2 to r do
2. Choose some subset Si ⊆ S with size at least n − 1 such that for every state sk ∈ Si there is some transition $\tau^i_{s_k}$ with ending state sk and 1 ≤ j < i such that $\mathrm{inport}(\bar{D}_i), \mathrm{inport}(\bar{D}_j) \in P(\tau^i_{s_k})$. Here $\tau^i_{s_k}$ is any transition that has ending state sk and can be followed both by the distinguishing sequence D̄i and a distinguishing sequence D̄j already considered.
3. For all sk ∈ Si, choose a state s and produce two synchronizable paths from s with labels $\bar{D}_a/\lambda(s,\bar{D}_a)\,\bar{T}^i_k\,\bar{D}_j/\lambda(s_k,\bar{D}_j)$ and $\bar{D}_a/\lambda(s,\bar{D}_a)\,\bar{T}^i_k\,\bar{D}_i/\lambda(s_k,\bar{D}_i)$ such that
(a) $\bar{T}^i_k$ ends in $\tau^i_{s_k}$; and
(b) 1 ≤ a, j < i.
Here $\bar{T}^i_k$ is any input/output sequence that can follow $\bar{D}_a/\lambda(s,\bar{D}_a)$, for some D̄a already considered, and ends in $\tau^i_{s_k}$.
Let us assume that these sequences label paths of the SUT N and that the sequences produced in earlier iterations and Algorithm 1 are also paths of N. The key point is that since D̄a has already been considered, we know that $\bar{D}_a/\lambda(s,\bar{D}_a)\,\bar{T}^i_k\,\bar{D}_j/\lambda(s_k,\bar{D}_j)$ and $\bar{D}_a/\lambda(s,\bar{D}_a)\,\bar{T}^i_k\,\bar{D}_i/\lambda(s_k,\bar{D}_i)$ must be applied in the same state of N if these are labels of paths in N. In addition, the first of these sequences verifies the node that follows $\bar{D}_a/\lambda(s,\bar{D}_a)\,\bar{T}^i_k$ and thus for the second we know that D̄i is being applied in a state of N that is recognized as sk by D̄1.
4. If |Si| < n then let {s} = S \ Si and generate a path with label D̄i/λ(s, D̄i) starting at s.
5. end for
Applying Algorithm 2 with S2 = {s2, s3, s4} to the 2-port FSM M1 yields t2t6t9t4t2 and t2t6t9t5t1 for s2, t5t1t2t6t10 and t5t1t2t7t1 for s3, t7t1t2t6t9t5 and t7t1t2t6t10t6 for s4, and t1t2 for s1.
We now show that the sequences produced by Algorithms 1 and 2 verify D and then give a sufficient condition for us to be able to apply these algorithms.⁶
Proposition 8 Suppose that for input sequence x¯ we
have that x¯/λ(s1, x¯) contains the subsequence α¯1 pro-
duced by Algorithm 1 and also the set of subsequences
produced by Algorithm 2. Then x¯ verifies D.
6 The proof of Proposition 8 is in the Appendix.
Proposition 9 Let d = max{|D¯1|, . . . , |D¯r|}. Then Al-
gorithm 2 returns O(nr) sequences whose total length is
of O(nrd).
The following gives a condition under which Algo-
rithms 1 and 2 can be applied.
Assumption 2 There is some known ordering D̄1, . . . , D̄r of the elements of D such that for all 1 < i ≤ r there is a subset Si ⊆ S of size at least n − 1 where for all s ∈ Si there exists 1 ≤ j < i and a transition $\tau^i_s$ of M with ending state s such that $\mathrm{inport}(\bar{D}_i), \mathrm{inport}(\bar{D}_j) \in P(\tau^i_s)$.
Proposition 10 If Assumption 2 holds with a given or-
dering D¯1, . . . , D¯r then Algorithms 1 and 2 produce sub-
sequences that verify the elements of D.
It is now possible to simplify this condition for the
case where there are two ports U and L.
Proposition 11 Suppose M has ports U and L. Algorithms 1 and 2 produce subsequences that verify the elements of D if there exists some subset S′ ⊆ S of size at least n − 1 such that for all s ∈ S′ there exists a transition τ of M that ends at s such that U, L ∈ P(τ).
4.2 Producing a checking sequence with no
coordination problems
We have seen how a set of subsequences that verify the
sequences in D can be produced. The next problem is to
produce subsequences that verify the transitions of SUT
N ∈ ΦM . These subsequences can be combined, with
those produced to verify D, to form a checking sequence.
Let τ = (s, s′, x/y) be a transition of M . Then τ is
verified by any synchronizable subsequence from a state
u of N recognized as state s that has input portion xD¯i
for some D¯i ∈ D. Since D is complete it is always pos-
sible to follow τ by some element of D. Thus, the only
remaining issue is how we can apply xD¯i in a state that
is recognized as s. The following shows how this can be
achieved.
Algorithm 3 1. Input a transition τ = (s, s′, x/y) of M.
2. Produce two synchronizable transition sequences labelled by
(a) the input/output sequence $\bar{D}_a/\lambda(s_i,\bar{D}_a)\,\bar{T}_\tau\,\bar{D}_c/\lambda(s,\bar{D}_c)$ from state si; and
(b) the input/output sequence $\bar{D}_a/\lambda(s_i,\bar{D}_a)\,\bar{T}_\tau\,x/y\,\bar{D}_b/\lambda(s',\bar{D}_b)$ from state si,
where $\bar{D}_a/\lambda(s_i,\bar{D}_a)\,\bar{T}_\tau$ labels a synchronizable path of M from si to s and D̄a, D̄b, D̄c ∈ D. The first of these sequences checks that $\bar{D}_a/\lambda(s_i,\bar{D}_a)\,\bar{T}_\tau$ reaches the correct state of the SUT while the second checks that the input of x in this state leads to the expected state of the SUT.
3. Return these two synchronizable transition sequences.
Applying Algorithm 3 to all of the transitions of 2-
port FSM M1 yields the sequences in Table 2.
Transition τ = (s, s′, x/y)   For D̄a/λ(si, D̄a) T̄ x/y D̄b/λ(s′, D̄b)   For D̄a/λ(si, D̄a) T̄ D̄c/λ(s, D̄c)
t1                            t9t5t1t1t2                               t9t5t1t2
t2                            t9t5t2t6t10                              t9t5t1t2
t3                            t9t5t3t9t5                               t9t5t1t2
t4                            t2t6t9t4t1t2                             t2t6t9t5t1
t5                            t2t6t9t5t1t2                             t2t6t9t5t1
t6                            t6t10t6t9t5                              t6t10t6t10
t7                            t5t1t2t7t1t2                             t5t1t2t7t1
t8                            t6t10t8t7t1                              t6t10t6t10
t9                            t10t6t9t4t2                              t10t6t9t5
t10                           t10t6t10t7t1                             t10t6t9t5
Table 2 Sequences that test the transitions
Proposition 12 Suppose that x¯ is the input portion of
the label of a synchronizable path ρ¯ in M that verifies D
and contains the subsequences produced by Algorithm 3
when given τ = (s, s′, x/y) as input. If the label of ρ¯ is
the label of a path in N then N includes a transition from
the state recognized as s by D¯1 to the state recognized as
s′ by D¯1 that has input/output pair x/y.
Proof
This follows from Proposition 8 and the definition of what it means for x̄ to verify D. □
Proposition 13 Let d = max{|D¯1|, . . . , |D¯r|}. Then the
application of Algorithm 3 to all of the transitions of
M returns O(n|X|) sequences whose total length is of
O(n|X|d).
Thus, the checking sequence generation algorithm pro-
ceeds in the following way.
Algorithm 4 1. Set R = ∅.
2. Generate a path ρ¯0 on the basis of Algorithm 1 and
add this to R.
3. Apply Algorithm 2 and add the resultant paths to R.
4. For every transition τ of M , apply Algorithm 3 with
τ and add the resultant paths to R.
5. Remove from R every path that is a proper subpath
of some other path in R.
6. Choose an (arbitrary) order for the elements of R to
get paths ρ¯1, . . . , ρ¯|R| such that if some element of R
starts at state s1 then ρ¯1 starts at s1.
7. Produce a synchronizable path $\bar\rho = \bar\rho'_1\bar\rho_1 \ldots \bar\rho'_{|R|}\bar\rho_{|R|}$ of M, where $\bar\rho'_1, \ldots, \bar\rho'_{|R|}$ are possibly empty paths of M. If $\bar\rho'_1$ is non-empty then it must be chosen so that it starts with a subpath with label D̄i/λ(s1, D̄i) for some D̄i ∈ D.
8. Return the path ρ¯.
The application of Algorithm 4 to 2-port FSM M1
with the results accumulated earlier yields:
– Step 2: t2t6t9t5t1t2t7t1t2t6t10t6
– Step 3: t2t6t9t4t2, t2t6t9t5t1, t5t1t2t6t10, t5t1t2t7t1,
t7t1t2t6t9t5, t7t1t2t6t10t6, and t1t2. Here we under-
line a sequence if it is eliminated in Step 5.
– Step 4 : Include the sequences from Table 2.
– Step 5 : Remove from R the paths that are proper
subpaths of other paths in R. We remove the paths
that are underlined in Table 3 in addition to those
indicated above (Step 3).
Transition τ   For D̄a/λ(si, D̄a) T̄ x/y D̄b/λ(s′, D̄b)   For D̄a/λ(si, D̄a) T̄ D̄c/λ(s, D̄c)
t1             t9t5t1t1t2                               t9t5t1t2
t2             t9t5t2t6t10                              t9t5t1t2
t3             t9t5t3t9t5                               t9t5t1t2
t4             t2t6t9t4t1t2                             t2t6t9t5t1
t5             t2t6t9t5t1t2                             t2t6t9t5t1
t6             t6t10t6t9t5                              t6t10t6t10
t7             t5t1t2t7t1t2                             t5t1t2t7t1
t8             t6t10t8t7t1                              t6t10t6t10
t9             t10t6t9t4t2                              t10t6t9t5
t10            t10t6t10t7t1                             t10t6t9t5
Table 3 The additional sequences
Steps 6, 7, and 8 : The sequences identified are then
combined to give a path ρ¯ given below where the ρ¯′i,
that are added to connect the subsequences, are shown
in bold. For readability, the path ρ¯ is in several parts; the
entire path is formed by concatenating the subsequences
in the given order.
t2t6t9t5t1t2t7t1t2t6t10t6; t9t5t3t9t5; t2t6t9t4t2; t7t1t2t6t9t5;
t2t6t9t4t1t2 t6; t10t6t9t4t2; t6t10t6t9t5 t3; t9t5t1t1t2; t6t10t6t10;
t6t10t8t7t1 t3; t9t5t2t6t10 t6t9; t5t1t2t6t10; t6; t10t6t10t7t1.
The following shows that if there are no observability
problems then the input portion of the label of the path
ρ¯ returned by Algorithm 4 is a checking sequence.
Theorem 1 Let us suppose that x¯/y¯ is the label of the
path ρ¯ returned by Algorithm 4. If x¯/y¯ is the label of a
path from the initial state of SUT N ∈ ΦM then N is
globally equivalent to M .
Proof
This follows from Proposition 12. □
We can now state the complexity of the test generation process.⁷
Theorem 2 Let us suppose that x̄/ȳ is the label of the path ρ̄ returned by Algorithm 4. Let d = max{|D̄1|, . . . , |D̄r|}. Then ρ̄ has length of O(n(n + d)(|X| + r)).
Observe that if we fix the number of ports, and thus
fix an upper bound on r, this gives the same complexity
as algorithms for producing a checking sequence from a
single-port FSM using a distinguishing sequence (see, for
example, [19,15,44,23]).
5 Overcoming observability problems
We have seen how, under certain conditions, it is possi-
ble to produce a checking sequence that has no control-
lability problems. This section describes an approach to
augmenting this checking sequence for the case where
there can be observability problems. First note that,
since there can be observability problems, in order to
distinguish states it is necessary to locally distinguish
them and so we assume that the set D contains locally
distinguishing sequences. Since the problem of checking
the output of the transitions without encountering ob-
servability problems has already been considered [5–7]
we concentrate on the problem of ensuring that the in-
put sequence checks the state transition structure of the
SUT.
7 The proof of Theorem 2 is contained in the Appendix.
Suppose that an input sequence D¯ locally distinguishes
states s and s′ at port p and that, if D¯ is input when M
is in state s then the sequence z¯ is observed at p and if
D¯ is input when M is in state s′ then the sequence oz¯ is
observed at p for some o ∈ Yp. Suppose further that, in
testing, we follow a transition τ = (si, s, x/y) with input
D¯ and that y|p = o. Then, if the input of x in state si
instead leads to output y′ that differs from y only at p,
where it produces −, and moves to s′ then the expected
sequence oz¯ is seen at p. Thus D¯ has failed to detect
the state transfer fault: this has been masked by an out-
put fault. Naturally, similar problems can occur due to
incorrect output after the application of D¯.
If we consider the label z̄ of a synchronizable path ρ̄ of M and the projection πp(z̄) observed at port p, this can be represented as $\pi_p(\bar z) = \bar o_1 x_1 \bar o_2 \ldots \bar o_k x_k \bar o_{k+1}$ for some $\bar o_1, \ldots, \bar o_{k+1} \in Y_p^*$ and $x_1, \ldots, x_k \in X_p$. Each transition in the path ρ̄ has (possibly null) output at p that falls into one of the ōi and so for each transition in ρ̄ there is a corresponding ōi. The output sequences ō1, . . . , ōk+1 are separated by the inputs x1, . . . , xk at p and so there cannot be undetectable output-shifting faults at p between two transitions whose corresponding subsequences ōi and ōj are different (i ≠ j). Naturally, there might be undetectable output-shifting faults between two transitions with the same corresponding subsequence ōi. This observation inspires the following definition.
Definition 11 Locally distinguishing sequence $\bar D = x_1 \ldots x_k$ is resilient if for every pair $s, s' \in S$ with $s \neq s'$ there exist a port p and $1 \le i < j \le k$ with $\bar D = \bar x'_1\, x_i\, \bar x'_2\, x_j\, \bar x'_3$, $x_i, x_j \in X_p$ and $\pi_p(\gamma(\delta(s, \bar x'_1), x_i \bar x'_2)) \neq \pi_p(\gamma(\delta(s', \bar x'_1), x_i \bar x'_2))$.
This says that for any pair of states, there must be a port p such that the response to D̄ differs at p between two inputs at p and thus this difference cannot be masked by previous or following input at p.⁸
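The following is an added Python example, not code from the paper, that models the 2-port FSM M1 of Figure 4 and makes the definitions of Sections 3 and 5 executable: the per-port projections of Table 1, the locally distinguishing check, P(τ) and inport, completeness (Definition 6) as a hitting set (Proposition 3), and resilience (Definition 11). The sources and targets of M1's transitions are reconstructed from Table 1 and the example sequences of Section 4, since the figure is not legible here, so treat that table as an assumption; the helper names and the encoding of ports are the example's own.

```python
from itertools import combinations

# 2-port FSM M1 of Figure 4 (ports U and L, X_U = {b}, X_L = {a, c}).  Transition
# sources and targets are reconstructed from Table 1 and the Section 4 sequences
# (assumption: the figure is not legible here).
# Entry: (state, input) -> (next_state, {port: output}); an absent port means "-".
INPORT = {"a": "L", "b": "U", "c": "L"}          # inport(x): the port that supplies x
PORTS = ("U", "L")
M1 = {
    ("s1", "a"): ("s1", {"U": "1", "L": "2"}),   # t1  = a/(1,2)
    ("s1", "b"): ("s3", {"U": "0", "L": "3"}),   # t2  = b/(0,3)
    ("s1", "c"): ("s4", {"L": "2"}),             # t3  = c/(-,2)
    ("s2", "a"): ("s1", {"U": "1", "L": "3"}),   # t4  = a/(1,3)
    ("s2", "b"): ("s1", {"U": "0", "L": "2"}),   # t5  = b/(0,2)
    ("s3", "a"): ("s4", {"U": "0", "L": "2"}),   # t6  = a/(0,2)
    ("s3", "b"): ("s1", {"U": "1", "L": "3"}),   # t7  = b/(1,3)
    ("s3", "c"): ("s3", {"U": "0", "L": "2"}),   # t8  = c/(0,2)
    ("s4", "a"): ("s2", {"U": "1", "L": "3"}),   # t9  = a/(1,3)
    ("s4", "b"): ("s3", {"U": "0", "L": "2"}),   # t10 = b/(0,2)
}
STATES = ("s1", "s2", "s3", "s4")


def run(fsm, state, inputs):
    """Follow `inputs` from `state`; return the final state and the list of (x, outputs)."""
    trace = []
    for x in inputs:
        state, outs = fsm[(state, x)]
        trace.append((x, outs))
    return state, trace


def local_response(fsm, state, inputs, port, with_inputs=True):
    """pi_port of the path label: the events the tester at `port` observes."""
    _, trace = run(fsm, state, inputs)
    seen = []
    for x, outs in trace:
        if with_inputs and INPORT[x] == port:
            seen.append(x)
        if port in outs:
            seen.append(outs[port])
    return "".join(seen)


def is_locally_distinguishing(fsm, inputs):
    """Every pair of states is told apart by some tester from its own observations."""
    return all(
        any(local_response(fsm, s, inputs, p) != local_response(fsm, t, inputs, p)
            for p in PORTS)
        for s, t in combinations(STATES, 2))


def ports_involved(fsm, state, x):
    """P(tau): the input port of tau plus every port that receives non-empty output."""
    _, outs = fsm[(state, x)]
    return {INPORT[x]} | set(outs)


def is_complete(fsm, dset):
    """Definition 6: every transition can be followed by some D in dset, i.e. inport(D)
    lies in P(tau), so no controllability problem arises."""
    inports = {INPORT[d[0]] for d in dset}
    return all(inports & ports_involved(fsm, s, x) for (s, x) in fsm)


def min_hitting_set(fsm):
    """Smallest set of ports meeting every P(tau) (Proposition 3); brute force, which
    is practical because the number of ports is small."""
    families = [ports_involved(fsm, s, x) for (s, x) in fsm]
    for size in range(1, len(PORTS) + 1):
        for cand in combinations(PORTS, size):
            if all(set(cand) & fam for fam in families):
                return set(cand)
    return set(PORTS)


def is_resilient(fsm, inputs):
    """Definition 11: for every pair of states there are a port p and inputs x_i, x_j
    at p (i < j) such that the outputs at p produced between x_i and x_j differ."""
    def bracketed_outputs(state, p, i, j):
        prefix_state, _ = run(fsm, state, inputs[:i])
        return local_response(fsm, prefix_state, inputs[i:j], p, with_inputs=False)
    for s, t in combinations(STATES, 2):
        if not any(bracketed_outputs(s, p, i, j) != bracketed_outputs(t, p, i, j)
                   for p in PORTS
                   for i, j in combinations(range(len(inputs)), 2)
                   if INPORT[inputs[i]] == p == INPORT[inputs[j]]):
            return False
    return True


if __name__ == "__main__":
    for s in STATES:   # reproduces the rows of Table 1
        print(s, [local_response(M1, s, d, p) for d in ("ba", "ab") for p in PORTS])
    print(is_complete(M1, ["ba"]), is_complete(M1, ["ba", "ab"]), min_hitting_set(M1))
    print(is_resilient(M1, "ba"), is_resilient(M1, "ab"), is_resilient(M1, "abab"))
```

The printed per-port responses reproduce Table 1. The completeness check reports that {ba} alone is not complete, because t3 = c/(-,2) involves only port L while inport(ba) = U, whereas {ba, ab} is complete; the resilience check rejects ba and ab (each has only one input per port, so no output is bracketed by two inputs at the same port) and accepts abab, in line with the discussion of Assumption 3 below.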
An important property of a resilient distinguishing
sequence D¯ is that for an input sequence that should
trigger the n responses to D¯ allowed by M we have that
if an SUT N ∈ ΦM passes this test we must have that
not only is D¯ a distinguishing sequence for N but it must
be a resilient distinguishing sequence for N .
Proposition 14 Suppose that ρ¯ is a path of M starting
at s1 that has input portion x¯, D¯ is a resilient locally
distinguishing sequence for M and ρ¯ contains subpaths
corresponding to the application of D¯ in each of the n
states of M . If x¯ does not locally distinguish M and N ∈
ΦM then D¯ is a resilient locally distinguishing sequence
for N .
Proposition 15 Let us suppose that D is a complete set
of resilient locally distinguishing sequences and x¯ is an
input sequence returned by Algorithm 4. If pip(γ(s1, x¯)) =
pip(γN (u1, x¯)) for all p ∈ [1,m] then D is a consistent set
of resilient locally distinguishing sequences for N .
8 The proof of Proposition 14 is in the Appendix.
State   At U for abab   At L for abab   At U for baba   At L for baba
s1      1b00b0          a23a22          b00b00          3a22a2
s2      1b00b0          a33a22          b01b00          2a23a2
s3      0b00b0          a22a22          b11b00          3a23a2
s4      1b01b0          a32a23          b00b00          2a22a2
Table 4 The responses to abab and baba
Proof
First note that by Proposition 14, if N ∈ ΦM and M are not locally distinguished by x̄ then each element of D is a resilient locally distinguishing sequence for N. The result thus follows in a similar manner to Proposition 8. □
Assumption 3 The elements of D are resilient locally
distinguishing sequences.
It is clear that a locally distinguishing sequence need
not be resilient. The set D given earlier for the 2-port
FSM M1 does not satisfy Assumption 3. However, as we
can see in Table 4, the sequences abab and baba do satisfy
Assumption 3.
Suppose that Algorithm 4 is applied using a set D
of resilient locally distinguishing sequences and returns
path ρ¯ whose label has input portion x¯. We define a
property of the SUT N ∈ ΦM and prove that this must
hold if x¯ does not locally distinguish N and M .
Definition 12 SUT N ∈ ΦM has the same transition
structure as M if there is a bijection f from the states
of N to the states of M such that:
1. f(u1) = s1.
2. If u is a state of N and there is a transition from u
to u′ in N with input x then M has a transition from
f(u) to f(u′) with input x.
The input sequence produced by Algorithm 4 checks the transition structure of N.⁹
Theorem 3 Suppose that Algorithm 4 is applied using
a set D of resilient locally distinguishing sequences and
returns path ρ¯ whose label has input portion x¯. If x¯ does
not locally distinguish SUT N ∈ ΦM from M then N has
the same transition structure as M .
It is now sufficient to add sequences that check the
output produced by each transition τ at each port p. The
following definition captures this requirement.
Definition 13 An input sequence x¯ checks the outputs
of M if N ∈ ΦM is globally equivalent to M whenever
the following hold
1. N has the same transition structure as M ; and
2. pip(γ(s1, x¯)) = pip(γN (u1, x¯)) for all p ∈ [1,m].
The following shows that even if there are observabil-
ity and controllability problems then we can augment the
sequences produced in Algorithm 4 with sequences that
check the output of M to form a checking sequence.
Theorem 4 If x¯ is an input sequence that checks the
output of M and starts with the label of a path of M pro-
duced by Algorithm 4 using resilient locally distinguish-
ing sequences then x¯ is a checking sequence that has no
controllability or observability problems.
9 The proof of Theorem 3 is contained in the Appendix
Proof
This result follows from Theorem 3 and Definition 13. □
6 Conclusions and Discussion
In the distributed test architecture a tester is placed at
each port of the SUT N . If the individual testers can-
not communicate with each other then the presence of
multiple testers introduces additional controllability and
observability problems. It is then important that any
checking sequence that we intend to use is free from such
problems.
This paper is the first to show how a single checking
sequence can be produced for a multi-port FSM without
the use of either a reliable reset operation or external
coordination messages. Since, in general, such a check-
ing sequence need not exist we introduce conditions to
be placed on the specification M under which our al-
gorithm returns checking sequences. If the distributed
test architecture is to be used then these could be seen
as testability conditions that might be designed into a
system.
This paper focused on the generation of checking
sequences since such sequences are guaranteed to pro-
vide full fault coverage under the assumption that the
SUT contains no extra states. Algorithms for generating
a checking sequence for a single-port FSM use distin-
guishing sequences, unique input/output sequences, or a
characterization set to verify states of the SUT. In this
paper we used distinguishing sequences since even for
single-port FSMs there is no checking sequence genera-
tion algorithm that uses the alternative approaches and
returns a checking sequence of length that is polynomial
in terms of the number of states.
First, we investigated the situation in which there are
no observability problems. This is the case, for example,
when there is a global clock and the SUT responds to
inputs sufficiently quickly so that the next input is not
applied until after all of the outputs from the previous
inputs have been observed. In such a case observability
problems can be overcome by the testers timestamping
the events they see and so there are no additional observ-
ability problems. We showed how multiple distinguishing
sequences can be used in forming a checking sequence
that does not suffer from controllability problems.
If there are observability problems then these can
lead to fault masking and thus to incorrect output not
being observed. We showed how the checking sequence
can be extended to create a checking sequence that does
not suffer from either controllability or observability prob-
lems.
This paper has shown how checking sequences can
be produced for multi-port FSMs. There remain four
main avenues for future work. There is the question as to
whether the conditions given in this paper, under which
checking sequences are produced, can be weakened. Another question is how to optimize the resultant checking sequence such that significantly shorter checking sequences can be constructed. This may be achieved by
solving an optimization problem posed considering the
following. First, the selection of the transition sequences
used to verify the distinguishing sequences. The second
issue is the selection of the subsets and the choice of
distinguishing sequences used in forming paths to verify
the distinguishing sequences. Similar choices are needed
in the generation of transition sequences to verify the
transitions and additional choices are required when con-
sidering potential observability problems. There is also
the issue of how we can produce a minimal length se-
quence that contains the necessary subsequences. There
is the issue of generating resilient locally distinguishing sequences, for which a breadth-first search could possibly be used. There may also be scope in adding input to the
end of a locally distinguishing sequence in order to make
it resilient. Finally, distributed systems are often non-
deterministic and it would thus be interesting to extend
the approach to such systems, potentially by either using
methods such as deterministic testing (see, for example,
[18,26,34,35]) in order to ensure that the SUT is deter-
ministic in testing or by using methods from the area
of testing from nondeterministic FSMs (see, for example
[21,27,38–40]).
Acknowledgements We would like to thank Dr Jessica Chen for many useful discussions around this topic. This work was
supported in part by Leverhulme Trust grant number F/00275/D,
Natural Sciences and Engineering Research Council (NSERC)
of Canada grant number OGP00000976, Testing State Based
Systems, and Engineering and Physical Sciences Research
Council grant number GR/R43150, Formal Methods and Test-
ing (FORTEST).
References
1. M. Barnett, W. Grieskamp, L. Nachmanson, W. Schulte, N. Tillmann, and M. Veanes. Towards a tool environment for model-based testing with AsmL. In Formal Approaches to Testing, volume 2931 of Lecture Notes in Computer Science, pages 252–266, Montreal, Canada, 2003. Springer-Verlag.
2. S. Boyd and H. Ural. The synchronization problem in protocol testing and its complexity. Information Processing Letters, 40(3):131–136, 1991.
3. B. Broekman and E. Notenboom. Testing Embedded Software. Addison-Wesley, London, 2003.
4. L. Cacciari and O. Rafiq. Controllability and observability in distributed testing. Information and Software Technology, 41(11–12):767–780, 1999.
5. J. Chen, R. M. Hierons, and H. Ural. Conditions for resolving observability problems in distributed testing. In 24th IFIP International Conference on Formal Techniques for Networked and Distributed Systems (FORTE 2004), volume 3235 of Lecture Notes in Computer Science, pages 229–242. Springer-Verlag, 2004.
6. J. Chen, R. M. Hierons, and H. Ural. Resolving observability problems in distributed test architectures. In 25th IFIP International Conference on Formal Techniques for Networked and Distributed Systems (FORTE 2005), volume 3731 of Lecture Notes in Computer Science, pages 219–232. Springer-Verlag, 2005.
7. J. Chen, R. M. Hierons, and H. Ural. Overcoming observability problems in distributed test architectures. Information Processing Letters, 98(5):177–182, 2006.
8. W. Chen and H. Ural. Synchronizable checking sequences based on multiple UIO sequences. IEEE/ACM Transactions on Networking, 3:152–157, 1995.
9. K. Derderian, R. M. Hierons, M. Harman, and Q. Guo. Input sequence generation for testing of communicating finite state machines (CFSMs). In Genetic and Evolutionary Computation (GECCO 2004), volume 3103 of Lecture Notes in Computer Science, pages 1429–1430, Seattle, WA, USA, 2004. Springer.
10. R. Dorofeeva, N. Yevtushenko, K. El-Fakih, and A. R. Cavalli. Experimental evaluation of FSM-based testing methods. In Third IEEE International Conference on Software Engineering and Formal Methods (SEFM 2005), pages 23–32. IEEE Computer Society, 2005.
11. R. Dssouli and G. von Bochmann. Error detection with multiple observers. In Protocol Specification, Testing and Verification V, pages 483–494. Elsevier Science (North Holland), 1985.
12. R. Dssouli and G. von Bochmann. Conformance testing with multiple observers. In Protocol Specification, Testing and Verification VI, pages 217–229. Elsevier Science (North Holland), 1986.
13. E. Farchi, A. Hartman, and S. Pinter. Using a model-based test generator to test for standard conformance. IBM Systems Journal, 41(1):89–110, 2002.
14. A. Gill. Introduction to the Theory of Finite State Machines. McGraw-Hill, New York, 1962.
15. G. Gonenc. A method for the design of fault detection experiments. IEEE Transactions on Computers, 19:551–558, 1970.
16. W. Grieskamp, Y. Gurevich, W. Schulte, and M. Veanes. Generating finite state machines from abstract state machines. In Proceedings of the ACM SIGSOFT Symposium on Software Testing and Analysis, pages 112–122, 2002.
17. S. Guyot and H. Ural. Synchronizable checking sequences based on UIO sequences. In Protocol Test Systems, VIII, pages 385–397, Evry, France, September 1995. Chapman and Hall.
18. C. Harvey and P. A. Strooper. Testing Java monitors through deterministic execution. In 13th Australian Software Engineering Conference (ASWEC 2001), pages 61–67. IEEE Computer Society, 2001.
19. F. C. Hennie. Fault-detecting experiments for sequential circuits. In Proceedings of Fifth Annual Symposium on Switching Circuit Theory and Logical Design, pages 95–110, Princeton, New Jersey, November 1964.
20. R. M. Hierons. Minimizing the number of resets when testing from a finite state machine. Information Processing Letters, 90(6):287–292, 2004.
21. R. M. Hierons. Testing from a non-deterministic finite state machine using adaptive state counting. IEEE Transactions on Computers, 53(10):1330–1342, 2004.
22. R. M. Hierons and H. Ural. Redefining testing (from a finite state machine) in the distributed test architecture. Submitted.
23. R. M. Hierons and H. Ural. Reduced length checking sequences. IEEE Transactions on Computers, 51(9):1111–1117, 2002.
24. R. M. Hierons and H. Ural. UIO sequence based checking sequences for distributed test architectures. Information and Software Technology, 45(12):793–803, 2003.
25. J. E. Hopcroft. An n log n algorithm for minimizing the states in a finite automaton. In Z. Kohavi, editor, The Theory of Machines and Computation, pages 189–196. Academic Press, 1971.
26. G.-H. Hwang, K.-C. Tai, and T.-L. Huang. Reachability testing: an approach to testing concurrent software. In First Asia-Pacific Software Engineering Conference, pages 246–255, 1994.
27. I. Hwang, T. Kim, S. Hong, and J. Lee. Test selection for a nondeterministic FSM. Computer Communications, 24(12):1213–1223, 2001.
28. Joint Technical Committee ISO/IEC JTC 1. International Standard ISO/IEC 9646-1. Information Technology – Open Systems Interconnection – Conformance testing methodology and framework – Part 1: General concepts. ISO/IEC, 1994.
29. ITU-T. Recommendation Z.500 Framework on formal methods in conformance testing. International Telecommunications Union, Geneva, Switzerland, 1997.
30. R. M. Karp. Reducibility among combinatorial problems. In R. E. Miller and J. W. Thatcher, editors, Complexity of Computer Computations, pages 85–103. Plenum Press, New York–London, 1972.
31. A. Khoumsi. A temporal approach for testing distributed systems. IEEE Transactions on Software Engineering, 28(11):1085–1103, 2002.
32. D. Lee and M. Yannakakis. Testing finite-state machines: State identification and verification. IEEE Transactions on Computers, 43(3):306–320, 1994.
33. D. Lee and M. Yannakakis. Principles and methods of testing finite-state machines – a survey. Proceedings of the IEEE, 84(8):1089–1123, 1996.
34. Y. Lei and R. H. Carver. A new algorithm for reachability testing of concurrent programs. In 16th International Symposium on Software Reliability Engineering (ISSRE 2005), pages 346–355. IEEE Computer Society, 8–11 November 2005.
35. Y. Lei and R. H. Carver. Reachability testing of concurrent programs. IEEE Transactions on Software Engineering, 32(6):382–403, 2006.
36. G. Luo, R. Dssouli, and G. v. Bochmann. Generating synchronizable test sequences based on finite state machine with distributed ports. In The 6th IFIP Workshop on Protocol Test Systems, pages 139–153. Elsevier (North-Holland), 1993.
37. G. Luo, R. Dssouli, G. v. Bochmann, P. Venkataram, and A. Ghedamsi. Test generation with respect to distributed interfaces. Computer Standards and Interfaces, 16:119–132, 1994.
38. G. Luo, A. Petrenko, and G. v. Bochmann. Selecting test sequences for partially-specified nondeterministic finite state machines. In The 7th IFIP Workshop on Protocol Test Systems, pages 95–110, Tokyo, Japan, November 8–10 1994. Chapman and Hall.
39. G. L. Luo, G. v. Bochmann, and A. Petrenko. Test selection based on communicating nondeterministic finite-state machines using a generalized Wp-method. IEEE Transactions on Software Engineering, 20(2):149–161, 1994.
40. A. Petrenko, N. Yevtushenko, A. Lebedev, and A. Das. Nondeterministic state machines in protocol conformance testing. In Proceedings of Protocol Test Systems, VI (C-19), pages 363–378, Pau, France, 28–30 September 1994. Elsevier Science (North-Holland).
41. O. Rafiq and L. Cacciari. Coordination algorithm for distributed testing. The Journal of Supercomputing, 24(2):203–211, 2003.
42. B. Sarikaya and G. v. Bochmann. Synchronization and specification issues in protocol testing. IEEE Transactions on Communications, 32:389–395, April 1984.
43. K.-C. Tai and Y.-C. Young. Synchronizable test sequences of finite state machines. Computer Networks and ISDN Systems, 30(12):1111–1134, 1998.
44. H. Ural, X. Wu, and F. Zhang. On minimizing the lengths of checking sequences. IEEE Transactions on Computers, 46(1):93–99, 1997.
45. W.-J. Wu, W.-H. Chen, and C. Y. Tang. Synchronizable test sequence for multi-party protocol conformance testing. Computer Communications, 21(13):1177–1183, 1998.
46. M. Yao, A. Petrenko, and G. v. Bochmann. Conformance testing of protocol machines without reset. In Protocol Specification, Testing and Verification, XIII (C-16), pages 241–256. Elsevier (North-Holland), 1993.
47. Y. C. Young and K. C. Tai. Observational inaccuracy in conformance testing with multiple testers. In IEEE 1st Workshop on Application-Specific Software Engineering and Technology, pages 80–85, 1998.
Appendix
Proof of Proposition 8
By Proposition 7 it is sufficient to prove that for all $i \in [1, r]$, $\bar{x}$ verifies $\bar{D}_i$ relative to $\bar{D}_1$. Proof by induction on i: the base case with i = 1 follows immediately. Inductive hypothesis: for i < h (h ≤ r), $\bar{x}$ verifies $\bar{D}_i$ relative to $\bar{D}_1$. It is now sufficient to prove that $\bar{x}$ verifies $\bar{D}_h$ relative to $\bar{D}_1$.
First observe that the subsequences include the input/output sequence $\bar{D}_h/\lambda(s, \bar{D}_h)$ for each state s of M and thus, if contained in the label of a path of N, verify that $\bar{D}_h$ is a distinguishing sequence for N. Now consider some state u of N that is recognized as state $s_k$ of M by $\bar{D}_1$. There are two cases to consider.
1. $s_k \in S_h$. Then we have two paths with labels $\bar{D}_a/\lambda(s, \bar{D}_a)\,\bar{T}^h_k\,\bar{D}_j/\lambda(s_k, \bar{D}_j)$ and $\bar{D}_a/\lambda(s, \bar{D}_a)\,\bar{T}^h_k\,\bar{D}_h/\lambda(s_k, \bar{D}_h)$ for some $s \in S$ and $\bar{D}_a$ and $\bar{D}_j$ with $1 \le a, j < h$. By the inductive hypothesis, if these input/output subsequences label paths of N then their input portions are applied in a state u of N recognized as s by $\bar{D}_1$ and the path from u whose label is the input/output sequence $\bar{D}_a/\lambda(s, \bar{D}_a)\,\bar{T}^h_k$ takes N to a state $u_k$ recognized as $s_k$ by $\bar{D}_j$ and thus by $\bar{D}_1$. Thus, $\bar{D}_h/\lambda(s_k, \bar{D}_h)$ labels a path from $u_k$ as required.
2. $s_k \notin S_h$. First note that every other state u of N is recognized as some unique state s of M by both $\bar{D}_h$ and $\bar{D}_1$. The result follows from observing that there is one remaining output sequence $\lambda(s_k, \bar{D}_h)$ produced by N in response to $\bar{D}_h$; by a process of elimination this can only occur at a state $u_k$ recognized as $s_k$ by $\bar{D}_1$. □
Proof of Theorem 2
By Proposition 9, Algorithm 2 returns O(nr) sequences with total length O(nrd). By Proposition 13, Algorithm 3 returns O(n|X|) paths whose total length is O(n|X|d). Thus $\bar{\rho}$ is produced by connecting O(nr + n|X|) paths whose total length is O(nrd + n|X|d). Each path added to connect the paths in R has length O(n) and thus the total length of the paths added to connect those in R is O(n(nr + n|X|)). Thus $\bar{\rho}$ has length O(n(nr + n|X|) + nrd + n|X|d) = O((n + d)(nr + n|X|)). □
Proof of Proposition 14
Let $\bar{x}_1, \ldots, \bar{x}_n$ denote prefixes of $\bar{x}$ such that in $\bar{\rho}$ each is followed by the input of $\bar{D}$ and $\delta(s_1, \bar{x}_\alpha) = s_\alpha$ (1 ≤ α ≤ n). Let $u_\alpha$ denote the state $\delta_N(u_1, \bar{x}_\alpha)$ of N (1 ≤ α ≤ n). Consider arbitrary states $u_\alpha$ and $u_\beta$ with 1 ≤ α < β ≤ n.
Since $\bar{D} = x_1 \ldots x_k$ is a resilient locally distinguishing sequence for M there exists port p and 1 ≤ i < j ≤ k, $\bar{D} = \bar{x}'_1\, x_i\, \bar{x}'_2\, x_j\, \bar{x}'_3$ with $x_i, x_j \in X_p$ and $\pi_p(\gamma(\delta(s_\alpha, \bar{x}'_1), x_i \bar{x}'_2)) \neq \pi_p(\gamma(\delta(s_\beta, \bar{x}'_1), x_i \bar{x}'_2))$. Since M and N are not locally distinguished by $\bar{x}$, the response of N to $\bar{D}$ in states $u_\alpha$ and $u_\beta$ must include the substrings $\pi_p(\gamma(\delta(s_\alpha, \bar{x}'_1), x_i \bar{x}'_2))$ and $\pi_p(\gamma(\delta(s_\beta, \bar{x}'_1), x_i \bar{x}'_2))$ respectively after the prefix $\bar{x}'_1$ of $\bar{D}$. Further, these subsequences start with and are followed by input at p. Thus, $u_\alpha$ and $u_\beta$ are locally distinguished by $\bar{D}$ as required. By the definition of a locally distinguishing sequence being resilient, since this holds for every pair of distinct states of N, $\bar{D}$ is a resilient locally distinguishing sequence for N. □
Proof of Theorem 3
By Proposition 15, D is a consistent set of resilient locally distinguishing sequences for N. Define a function f from U to S by: given $u \in U$ of N, f(u) = s if and only if u is reached by some prefix $\bar{x}_u$ of $\bar{x}$ such that $\delta(s_1, \bar{x}_u) = s$ and $\bar{x}_u$ is followed by an element of D in $\bar{x}$. Since N has no more states than M and D is a consistent set of resilient locally distinguishing sequences for both M and N, f is a bijection. Proof by contradiction: suppose that $\bar{x}$ does not locally distinguish N from M and N does not have the same transition structure as M.
Since $\bar{x}$ does not locally distinguish N from M and $\bar{x}$ starts with some $\bar{D}_i \in D$, $f(u_1) = s_1$. Thus, since N does not have the same transition structure as M, there is a state u of N and a transition from u to u′ in N with input x such that M does not have a transition from f(u) to f(u′) with input x. Let s = f(u), s′ = f(u′), and s′′ = δ(s, x) (s′ ≠ s′′).
Applying $\bar{x}$ to M produces a synchronizable transition sequence that includes subsequences defined by:
1. The input/output sequence $\bar{D}_a/\lambda(s_i, \bar{D}_a)\,\bar{T}\, x/y\, \bar{D}_b/\lambda(s'', \bar{D}_b)$ from state $s_i$; and
2. The input/output sequence $\bar{D}_a/\lambda(s_i, \bar{D}_a)\,\bar{T}\, \bar{D}_c/\lambda(s, \bar{D}_c)$ from state $s_i$
for some output y and state $s_i$ of M such that $\bar{D}_a/\lambda(s_i, \bar{D}_a)\,\bar{T}$ labels a path from $s_i$ to s. Since the distinguishing sequences in D are resilient and $\bar{x}$ does not locally distinguish M and N, in N the sequence $\bar{D}_a/\lambda(s_i, \bar{D}_a)\,\bar{T}$ labels a path from the state $u_i$ of N with $f(u_i) = s_i$ to u. Further, since $\bar{D}_a/\lambda(s_i, \bar{D}_a)\,\bar{T}\, x/y\, \bar{D}_b/\lambda(s'', \bar{D}_b)$ labels a path in N, $\bar{D}_a/\lambda(s_i, \bar{D}_a)\,\bar{T}\, x/y$ goes from $u_i$ to the state u′′ of N with f(u′′) = s′′. Thus, if N receives input x when in state u it moves to state u′′. Since N is deterministic, u′ = u′′ and so s′ = s′′. This provides a contradiction as required. □