This study addresses the construction of a preset checking sequence that will not pose controllability (synchronization) and observability (undetectable output shift) problems when applied in distributed test architectures that utilize remote testers. The controllability problem manifests itself when a tester is required to send the current input and, because it neither sent the previous input nor received the previous output, it cannot determine when to send the input. The observability problem manifests itself when a tester is expecting an output in response to either the previous input or the current input and, because it is not the one to send the current input, it cannot determine when to start and stop waiting for the output. Based on UIO sequences, a checking sequence construction method is proposed to yield a sequence that is free from controllability and observability problems.
INTRODUCTION
Determining, under certain assumptions, whether a given "black box" implementation N of a Finite State Machine (FSM) M is functioning correctly is referred to as a fault detection (checking) experiment. Foundations of fault detection experiments can be found in the sequential circuit testing literature [GI 62, HE 64]. This experiment is based on an input sequence called a checking sequence constructed from a given deterministic and minimal FSM M with a designated initial state that determines whether a given FSM N is a correct implementation of M. The construction of a checking sequence must deal with the "black box" nature of a given implementation N of M which allows only limited controllability and observability of N. The limited controllability refers to not being able to directly transfer N to a designated state and the limited observability refers to not being able to directly recognize the current state of N. In order to overcome the restrictions imposed by the limited controllability and observability, some special input sequences must be utilized in the construction of a checking sequence such that the output sequences produced by N in response to these input sequences provide sufficient information to deduce that every state transition of M is implemented correctly by N.
In order to verify the state transition from state a to b under input x, 1) before the application of x, N must be transferred to the state recognized as a, 2) the output produced by N in response to the application of x must be as specified in M, and 3) the state reached by N after the application of x must be recognized as b. Hence, a crucial part of testing the correct implementation of each transition is recognizing the starting and terminating states of the transition. The recognition of a state of an FSM M can be achieved by a distinguishing sequence [ In this architecture, U and L are two remote testers that are required to coordinate the application of a preset checking sequence through their interactions with N. However, this requirement may lead to controllability and observability problems, in addition to those that stem from the black box nature of N. The controllability (synchronization) problem manifests itself when L (or U) is expected to send an input to N after N responds to an input from U (or L) with an output to U (or L), but L (or U) is unable to determine whether N sent that output. It is therefore important to construct a synchronizable checking sequence that causes no controllability problem during its application in the distributed test architecture.
During the application of even a synchronizable checking sequence in a distributed test architecture, the observability problem manifests itself when L (or U) is expected to receive an output from N in response to either the previous input or the current input and, because L (or U) is not the one to send the current input, L (or U) is unable to determine when to start and stop waiting. Such observability problems hamper the detectability of output shift faults in N, i.e., an output associated with the current input is generated by N in response to either the previous input or the next input. To ensure the detectability of output shift faults in N, the checking sequence needs to be augmented by additional input subsequences.
Based on the work presented in [GU 95], this paper proposes a method for constructing a checking sequence that does not pose controllability and observability problems during its application in a distributed test architecture. Earlier work on the controllability problem [SB 84, BU 91, UW 93, CU 95, TY 98] and on the observability problem [LB 94, YT 98, CR 99] considers the construction of a test sequence rather than a checking sequence. It is well known that the complete fault coverage of a checking sequence cannot be directly achieved by a test sequence where transition verification is not necessarily based on state verification.
The rest of the paper is organized as follows: Related terminology is reviewed in Section 2. In Section 3, the proposed method is presented and a proof for the resulting sequence to be a checking sequence is given. An illustrative example of the application of the proposed method is provided in Section 4. In Section 5, some minimization techniques are proposed and concluding remarks are given. A path P = (n 1 , n 2 ; x 1 /y 1 )(n 2 , n 3 ; x 2 /y 2 ) ..
PRELIMINARIES

FSM and its Graphical Representation
is a finite sequence of adjacent (not necessarily distinct) edges in G, where n 1 and n k , are called the head and the tail of P, denoted head(P) and tail(P), respectively, and (x 1 /y 1 )(x 2 /y 2 ) ... (x k-1 /y k-1 ), is called the label of P, denoted label(P). For convenience, a path P = (n 1 , n 2 ; x 1 /y 1 )(n 2 , n 3 ; x 2 /y 2 ) ... (n k-1 , n k ; x k-1 /y k-1 ) will be represented by (n 1 , n k ; I/O) where label(P) = I/O is the input-output (or in short, IO-) sequence (x 1 /y 1 )(x 2 /y 2 ) .. 
Controllability (Synchronization) Problem
Let each transition t of an FSM M have one of the following labels, 
Observability Problem
An observability problem exists when a tester θ (= U or L) is expecting an output in response to either the previous input or the current input and because it is not the one to send the current input, it cannot determine when to start and stop waiting for the output. In general, if there is an output shift fault related to an output o θ in any two consecutive transitions whose labels are x j /y j and x j+1 /y j+1 , this fault will not be detected by tester θ that satisfies the following condition
is not sent by tester θ. In this case, we say that the tester θ is involved in the shift.
THE PROPOSED METHOD
Let M = (S, X, Y, δ, λ) hereafter stand for a minimal FSM which is represented by a strongly
where there is a non-empty subset of outgoing edges of vertex v j specified as eligible successors of e (tail(e)=v j ), for each edge e ∈ E. Let |S| be n and s 1 ∈ S be the initial state of M. The construction of a synchronizable checking sequence of M is based on the construction of a digraph G' = (V', E') such that there is a one-to-one mapping from the edges in G to the edges in G', and that every pair of edges (corresponding to a pair of adjacent edges in G) covered by some path in G' is a synchronizable pair of transitions in M. Thus, finding a synchronizable checking sequence on G will be reduced to finding a checking sequence on G'. After the checking sequence is formed, it is examined for potentially undetectable output shift faults. Each potentially undetectable output shift fault is eliminated in the checking sequence without creating any synchronization problem by adding some subsequences to the checking sequence. The resulting checking sequence can then be applied in a distributed test architecture without creating controllability or observability problems.
Construction of the Digraph G'
Note that the edges in [v] .
1, 2 or 3 vertices are created in G', depending on the labels of edges arriving and departing v, so that if an edge arrives at a vertex in V', it can take as its eligible successor any of the edges departing at this vertex. The procedure of constructing the digraph
, one of the following is performed: a) In the case that vertex
It follows from the construction of G' = (V', E') that
- for each edge e ∈ E of G there is exactly one corresponding edge e' ∈ E c of G'
- for each edge e' ∈ E c of G' there is exactly one corresponding edge e ∈ E of G.
Given an edge e ∈ E of G, let f(e) denote the corresponding edge e' ∈ E c of G'. Then f can be extended to be applied to sequences of edges. Given 
Construction of Synchronizable Checking Sequences
Checking sequences that will be formulated in this paper will utilize synchronizable UIO A general approach for the construction of synchronizable checking sequences based on UIO sequences is first to construct a state cover which is an input sequence used to verify that an implementation N of a given FSM M has all the states of M. This is followed by a transition cover which is an input sequence used to verify that N implements all transitions of M. In order to verify each state s of M in N, not only is the input portion of UIO(s) applied to s, but the input portions of the UIOs of every other state are also applied to s so that the uniqueness of UIOs in N can also be established. If N passes the state cover, then the verification of each transition t = (s i , s j ; x/y) of M in N is attempted by bringing N to s i , applying the input x, verifying that the observed output is y, and verifying that N reaches s j by applying the input portion of UIO(s j ).
The proposed method for the construction of a synchronizable checking sequence from M is based on the following observations regarding an FSM from which we may generate a synchronizable checking sequence using SUIOs: Before the proposed method is presented the following assumptions are made: 1) The implementation N of M implements the reset feature of M correctly. A reset transition has label r/(-, -) and the reset input r can be sent by any of the testers and can be followed by any input from any tester without causing any synchronization problem. N is deterministic, minimal, composed of at most n states, and complete. The first assumption dramatically reduces the length of the state cover. Without this assumption, the resulting synchronizable checking sequence of the FSM will be restrictively long as it will have to rely on locating sequences [HE 64] which in general have exponential length. In addition, the application of a reset breaks the connection in most real protocols, and thus can be utilized to form test cases from the resulting synchronizable checking sequence. The last four assumptions are necessary for any method that will attempt to construct a synchronizable checking sequence of a given FSM using UIOs. The second assumption assures that every transition of the FSM is part of a synchronizable transition sequence starting at the initial state. The third assumption assures that for each transition of the FSM, there is an SUIO synchronizable with the transition so that one can construct the state and transition covers. The fourth assumption requires that there should be at least one state that is reached by transitions whose inputs are related to U (or L). The fifth assumption requires that any SUIO should be a synchronizable sequence for all states of the FSM. The last two assumptions assure that the uniqueness of the SUIOs in an implementation of the given FSM can be verified. It follows from the assumptions that,
Thus, there will be v L and v U ∈ V' for each v ∈ V and one can modify the procedure given in Section 3.1 by deleting the conditions for creating v L and v U in (1) and for creating v U,L in (3)c.
The proposed method utilizes G'=(V', E') constructed from G=(V, E) and proceeds as follows:
Step 1: Let I v U and I v L denote the input portions of SUIO U (v) and SUIO L (v), respectively. 
Step 2: Assume that when a reset input r is applied, the next vertex is v 1 U,L .
Denote by T i U and T i L the shortest transfer sequence on
, that contains: a) a state cover which is the concatenation of
b) a transition cover which consists of a test segment rT head(e) xI tail(e)
for each edge e' in E c corresponding to the edge e in G=(V, E) where T head(e) is the same transfer sequence on G'=(V', E') from v 1 U,L to head(e) as the one used in a). Clearly, given an appropriate choice of transfer sequences, the state cover contains a test segment for each edge that is the last edge traversed by a transfer sequence before a state is verified. Therefore, a test segment for each such edge in E c need not be included in the transition cover. 
Since r is correctly implemented in N and N is deterministic, if T is some transfer sequence, N will always be in the same state after the application of rT. Thus, since R 1 is an IO- Let G' = (V', E') be a digraph constructed from a given digraph G = (V, E) representing an FSM M. Let transition cover C 2 of G' be the input portion of an IO-sequence R 2 which is the label of a path P 2 starting at vertex v 1 U,L of G' and let state cover C 1 be the input portion of an IO-sequence R 1 which is the label of a path P 1 starting and ending at vertex v 1 U,L of G'. Then the input portion of R = R 1 R 2 is a synchronizable checking sequence of M.
Proof:
First, R is a synchronizable IO-sequence of M since, by construction, C 1 C 2 is an input sequence on G'. Second, by Theorem 1, if R is also an IO-sequence for an implementation N in Φ(M) then N has n states and the SUIO sequences for each state of M are also unique in N. Thus there is a one-to-one correspondence f from the states of M to the states of N defined by the SUIOs.
In order to complete the proof, the following must be shown: suppose R is an IO-sequence for an implementation N in Φ(M 
Elimination of Potential Undetectable Output Shift Faults
The cover C, defined in the previous section, is a checking sequence in so far as it distinguishes M from any faulty FSM N in Φ(M) that does not conform to M. However, under this definition M is distinguished from a faulty FSM N in Φ(M) by observing the responses of N to the checking sequence during testing. Since in the distributed test architecture the responses of N are observed by local testers, with no global clock, there may be an observability problem and output shift faults may go undetected, although the checking sequence is synchronizable. This section considers the problem of adapting the cover C to avoid the observability problem and gives a sufficient condition under which output shift faults cannot occur in the cover C. This condition is based around the notion of the SUIOs used being resilient to output shift faults. This is followed by the description of a method that augments the cover C to eliminate undetectable output shift faults.
Before considering output shift faults, a number of terms will be defined. (s', I)) ).
The Effects of Resilient SUIOs in Detecting Output Shift Faults
For an FSM M, let Xθ ⊂ X represent inputs that can be received from tester θ, Yθ represent outputs (including -) that can be sent to θ, and Y ⊆ YU×YL. Let also πθ denote the projection function defined over an output sequence O or input-output sequence I/O such that πθ(O) returns the sequence of outputs where each output y ∈ Yθ \ {-} and πθ(I/O) returns the sequence of inputs and outputs where each input x ∈ Xθ and each output y ∈ Yθ \ {-}. Then, an input sequence I locally distinguishes states s and s' of M if there is some tester θ such that πθ(I/λ(s, I)) ≠ πθ(I/λ(s', I)). Further, an input sequence I, upon which the behaviour of M is defined, locally distinguishes an FSM N in Φ(M) from M if I locally distinguishes the initial states of N and M. Also, in the following, an SUIO sequence I/λ(s, I) for a state s of M is taken as an IO-sequence with the property that for every state s' in S \ {s} there is a tester θ such that πθ(I/λ(s, I)) ≠ πθ(I/λ(s', I)).
This subsection considers the case where the effectiveness of the SUIOs used in the cover C cannot be affected by output shift faults either within the SUIOs or between SUIOs and transitions immediately preceding the SUIOs. Such SUIOs will be said to be resilient to output shift faults. It will transpire that if the SUIOs used are resilient to output shift faults then the cover C has no observability problem. The following defines what it means for an SUIO to be resilient to output shift faults. An SUIO I/O for state s is said to be resilient to output shift faults if for every state s' ∈ S \ {s} there is a tester θ such that:
The first condition states that I locally distinguishes states s and s'. The second condition ensures that if I is input when M is in state s' the different behaviour is observed by θ even if extra output is produced at θ prior to the input I. It thus ensures that a backward output shift fault cannot occur between the SUIO and the transitions immediately preceding the SUIO. The third condition ensures that if I is input when M is in state s' the different behaviour is observed by θ even if some expected output fails to be produced at θ prior to the input I. It thus ensures that a forward output shift fault cannot occur between the SUIO and the transitions immediately preceding the SUIO. The following provides a sufficient condition for SUIO I/O of state s to be resilient to output shift faults.
Proposition 5:
SUIO I/O for state s is resilient to output shift faults if for each s' ≠ s there is a tester θ such that: I=I 1 xI 2 for some input x ∈ Xθ such that πθ(λ(δ(s, I 1 ), xI 2 )) ≠ πθ(λ(δ(s', I 1 ), xI 2 )).
Informally this means that the behaviours produced by the input of I in states s and s' differ at θ after the input x ∈ Xθ. This is a sufficient condition because differences at θ after the input x at θ cannot be involved in output shift faults with transitions before the input of x.
Suppose the SUIOs used in forming a cover C are resilient to output shift faults. Based on this, it is possible to make the following observations about C and any FSM N∈Φ(M) that is not locally distinguished from M by C. a) N has n states and the SUIOs (locally) identify the states of N. b) A transfer sequence for state s of M, used in forming C, reaches the corresponding state of N. From these observations it is possible to conclude that the test segment, in the transition cover, for transition t of M executes the corresponding transition of N and then checks its final state. Further, since the SUIOs are resilient to output shift faults, any fault in this transition would locally distinguish N from M. The result below follows from these observations.
Theorem 3:
If the cover C, the synchronizable checking sequence of an FSM M, has been produced using SUIOs that are resilient to output shift faults then C is free from the observability problems.
Elimination of Undetectable Output Shift Faults in the Cover
This subsection will consider the problem of augmenting the cover C, in order to eliminate undetectable output shift faults, when some SUIOs used are not resilient to output shift faults. Suppose input sequence x 1 , …, x q is being used and the tester wishes to detect output shift faults within this. It has been noted [YT 98] that this can be achieved by executing every prefix of x 1 , …, x q . Since this may lead to a massive increase in the size of the checking sequence we will analyse the structure of C in order to limit the number of prefixes that need to be added.
Suppose the cover C does not locally distinguish an N∈Φ(M) from M. Consider the state cover. Since the role of this is to verify the transfer sequences and the uniqueness of SUIOs it is only important to determine whether output may be shifted between the input/output pairs induced by the last inputs of transfer sequences and SUIOs. Let τ(T) represent the input-output sequence induced by a transfer sequence T. Thus, τ(T) = T/λ(s 1 , T). We may observe that τ(T) of any transfer sequence T that is followed by an SUIO L cannot have an output shift fault, between τ(T) and SUIO L , at port L since SUIO L starts with input at L. Thus, in C there can be no output shift faults, involving L, between τ(T) of a transfer sequence T and any of the SUIO L s. From this it follows that τ(T) must lead to the expected output at L and thus τ(T) cannot participate in an output shift fault involving L. A similar argument shows that τ(T) of any transfer sequence T that is followed by an SUIO U cannot have an output shift fault, between τ(T) and SUIO U , at U. Thus, Consider now the transition cover and the sequence from this that tests transition t=(s i , s j ; x/y). Here t is tested by an input sequence in the form of a transfer sequence T followed by the input of x and then the input portion of an SUIO U (SUIO L ) I/O to check the state reached after x. Given any transfer sequence T, the correct behaviour being observed by each tester, when applying the (possibly augmented) state cover guarantees that there can be no output shift fault between τ(T) and the following transitions. It is now sufficient to determine whether there may be an output shift fault between x/λ(s i , x) and I/λ(s j , I). Here we may note that if x is followed by I then an output shift fault between x/λ(s i , x) and I/λ(s j , I) can at most involve one output value being shifted at L(U). 
Further, since the result of executing the SUIOs from each state has been verified during the application of the state cover, an output shift fault may only occur if an incorrect output in t compensates for SUIO U (SUIO L ) I/O being executed from some state other than s j . Thus an output shift fault may occur between x/λ(s i , x) and I/λ(s j , I) only if there is some state s' ∈ S\{s j } such that one of the following holds. (s', I) ). This might allow a backward output shift fault to go undetected, a fault leading to t not producing z at L being masked by the final state of t being s'. It is important to note that, due to their role in the cover C, it is not necessary to consider the possibility of output shift faults within the transfer sequences. This is because a transfer sequence T is only used to reach a state of N and not to (directly) check the input/output behaviour of any transition triggered by T. Having eliminated the possibility of output shift faults between the transfer sequences and the SUIOs in the state cover then, assuming each tester sees the expected behaviour when N is tested with C, each transfer sequence must reach the appropriate state of N (given the mapping between states of M and N defined by the SUIOs). Based on this, the transition cover then tests the individual transitions.
AN EXAMPLE
Consider the FSM M, represented by the digraph depicted in Figure 2, where input a is applied by upper tester U and input b is applied by lower tester L. Output 0 is sent to U and outputs 1 and 2 are sent to L. Edge types and eligible successors are: 
SUIO sequences for each state are:
Figure 2. Edges in F are dashed.
Hence, the input portions of the SUIO sequences are:
The construction of a cover C of G' proceeds as follows:
1) State Cover: Hence the transition cover is raaaarabbrbbbbrbbabrbb.
The state cover and the transition cover will result in the cover C of G as raarbraaarabrbbaarbbbraaaarabbrbbbbrbbabrbb. C is a synchronizable checking sequence of length 43.
It is straightforward to demonstrate that the SUIOs used in C satisfy the sufficient conditions, given in Proposition 5, for SUIOs to be resilient to output shift faults. Consider, for example, the input of b at L. This forms the input of the SUIO L s for each state. The expected output is: 2 at L for s 1 ; 1 at L for s 2 ; and 0 at U (and thus null at L) for s 3 . For each pair of states there is a difference in the output at L after the input of b at L. By Theorem 3, since the SUIOs are resilient to output shift faults, the checking sequence is free from observability problems.
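The sufficient condition of Proposition 5 can be checked mechanically. The following is an added example, not code from the paper. The FSM is constructed for illustration because Figure 2 is not reproduced here: only the outputs for input b (2 at L for s1, 1 at L for s2, 0 at U for s3) follow the text, while every next state and every transition on input a is an assumption. The check covers Proposition 5 only and does not test synchronizability.

```python
NULL = "-"
PORTS = ("U", "L")
STATES = ("s1", "s2", "s3")
PORT_OF_INPUT = {"a": "U", "b": "L"}  # a is sent by tester U, b by tester L

# Constructed FSM: (state, input) -> (next state, (output at U, output at L)).
# Only the outputs on b are taken from the text; the rest is assumed.
FSM = {
    ("s1", "a"): ("s2", ("0", NULL)),
    ("s1", "b"): ("s2", (NULL, "2")),
    ("s2", "a"): ("s3", ("0", "1")),
    ("s2", "b"): ("s3", (NULL, "1")),
    ("s3", "a"): ("s1", ("0", "2")),
    ("s3", "b"): ("s1", ("0", NULL)),
}


def run(state, inputs):
    """Apply inputs from state; return (final state, list of output pairs)."""
    outputs = []
    for x in inputs:
        state, y = FSM[(state, x)]
        outputs.append(y)
    return state, outputs


def project_out(outputs, port):
    """pi_theta(O): the non-null outputs observed at one port."""
    k = PORTS.index(port)
    return tuple(y[k] for y in outputs if y[k] != NULL)


def project_io(inputs, outputs, port):
    """pi_theta(I/O): inputs sent and non-null outputs seen at one port, in order."""
    k = PORTS.index(port)
    seq = []
    for x, y in zip(inputs, outputs):
        if PORT_OF_INPUT[x] == port:
            seq.append(x)
        if y[k] != NULL:
            seq.append(y[k])
    return tuple(seq)


def locally_distinguishes(inputs, s, other):
    """True if some tester sees different local behaviour from s and from other."""
    out_s, out_o = run(s, inputs)[1], run(other, inputs)[1]
    return any(
        project_io(inputs, out_s, p) != project_io(inputs, out_o, p) for p in PORTS
    )


def satisfies_prop5(inputs, s):
    """For every s' != s, look for a split I = I1 x I2 with x sent by tester
    theta such that the outputs at theta from x onwards differ."""
    for other in STATES:
        if other == s:
            continue
        found = False
        for k, x in enumerate(inputs):
            port = PORT_OF_INPUT[x]
            mid_s, _ = run(s, inputs[:k])
            mid_o, _ = run(other, inputs[:k])
            tail_s = project_out(run(mid_s, inputs[k:])[1], port)
            tail_o = project_out(run(mid_o, inputs[k:])[1], port)
            if tail_s != tail_o:
                found = True
                break
        if not found:
            return False
    return True


if __name__ == "__main__":
    for seq in ("b", "a"):
        print(seq, {s: satisfies_prop5(seq, s) for s in STATES})
```

In this constructed machine the input a locally distinguishes s2 from s3 through the output at L, yet it fails the condition because a is sent at U, where both states produce 0. Proposition 5 is only a sufficient condition, so a failure means resilience is not established by it, not that it is disproved.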
CONCLUSIONS
A method for constructing a checking sequence of a given FSM M using UIOs has been proposed. The resulting checking sequence does not pose controllability and observability problems during its application in a distributed test architecture. The length of the checking sequence constructed by this method may be easily reduced by eliminating redundancies and by making a wise choice of the transition sequences, and of the SUIO sequences to apply. The reduction in length can be achieved by three complementary approaches: The first approach is to eliminate rI, I∈X*, in the state or transition cover if there is an rI', I'∈X* in the state or transition cover such that I is a prefix of I'. By following this approach, the cover C in our example is reduced to rbbaaraaaarabbrbbbbrbbab with a length of 24 inputs by eliminating raa, rb, raaa, rab, and rbbb from the state cover and rbb from the transition cover.
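The first reduction approach can be reproduced on the cover C of the example. The following is an added example, not code from the paper; the function names are hypothetical. It applies only the prefix rule to the reset-delimited segments and does not check whether a removal affects the detection of output shift faults.

```python
RESET = "r"

# Cover C of the example, as given in the text (length 43).
COVER_C = "raarbraaarabrbbaarbbbraaaarabbrbbbbrbbabrbb"


def split_segments(cover):
    """Return the input strings I of the segments rI that make up the cover."""
    if not cover.startswith(RESET):
        raise ValueError("the cover must start with a reset input")
    return cover.split(RESET)[1:]


def reduce_cover(cover):
    """Drop every segment rI for which another segment rI' has I as a prefix.

    Of several identical segments only the first is kept. Returns the reduced
    cover and the list of dropped input strings, both in original order.
    """
    segments = split_segments(cover)
    kept, dropped = [], []
    for i, seg in enumerate(segments):
        redundant = any(
            other.startswith(seg) and (len(other) > len(seg) or j < i)
            for j, other in enumerate(segments)
            if j != i
        )
        (dropped if redundant else kept).append(seg)
    reduced = "".join(RESET + seg for seg in kept)
    return reduced, dropped


if __name__ == "__main__":
    reduced, dropped = reduce_cover(COVER_C)
    print(len(COVER_C), "->", len(reduced), reduced)
    print("dropped:", [RESET + seg for seg in dropped])
```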
In the proposed method, the same transfer sequences are used in both state and transition verification parts. By choosing different transfer sequences, the second approach of length reduction could increase the possibility of overlapping the test segments or of using shorter transfer sequences to a given state prior to verifying its outgoing edges. For instance, in the cover C in our example, the test segment (e' 4 ) = rbbbb. One could use transfer sequence T 3 L =b to form the test segment(e' 4 ) = rbbb which would reduce the length of C by 1.
In the case that both SUIO U and SUIO L exist for a state s, the proposed method requires that I v U,L should be the shorter of {I v U, I v L}. The third approach of length reduction is to choose the one that contributes to the greater reduction in the length of C. For instance, in the cover C in our example, for e' 4 , there would be two possible test segments: rbbbb and rbbbaa and for e' 5 there also would be two possible test segments: rbbab or rbbaaa. Choosing test segment(e' 5 ) = rbbaaa implies that rbbaa can be deleted from C. Combining these three approaches yields C = raaaarabbrbbbrbbaaa which is of length 19.
Naturally, when considering possible optimizations, it is important to guarantee that any changes made keep the cover a checking sequence that is free from observability problems. For example, when eliminating a prefix rI of rI' it is important to verify that this change cannot allow an output shift fault to go undetected. The introduction of safe optimizations will form part of future research.
