Checking sequence construction using adaptive and preset distinguishing sequences by Hierons, RM et al.
Checking Sequence Construction Using Adaptive
and Preset Distinguishing Sequences
Robert M. Hierons∗, Guy-Vincent Jourdan†, Hasan Ural† and Husnu Yenigun‡
∗School of Inf. Systems, Comp. and Mathematics
Brunel University, Uxbridge, Middlesex, UK
rob.hierons@brunel.ac.uk
†School of Information Tech. and Engineering
University of Ottawa, 800 King Edward Avenue
Ottawa, Ontario, CANADA K1N 6N5
{gvj,ural}@site.uottawa.ca
‡Faculty of Engineering and Natural Sciences
Sabanci University, Istanbul 34956, TURKEY
yenigun@sabanciuniv.edu
Abstract—Methods for testing from Finite State Machine-based
specifications often require the existence of a preset distinguishing
sequence for constructing checking sequences. It has
been shown that an adaptive distinguishing sequence is sufficient
for these methods. This result is significant because adaptive
distinguishing sequences are strictly more common and up to
exponentially shorter than preset ones. However, there has been
no study on the actual effect of using adaptive distinguishing
sequences on the length of checking sequences. This paper describes
experiments that show that checking sequences constructed using
adaptive distinguishing sequences are almost consistently shorter
than those based on preset distinguishing sequences. This is
investigated for three different checking sequence generation
methods and the results obtained from an extensive experimental
study are given.
I. INTRODUCTION
The Finite State Machine (FSM) model and its extensions
such as Specification and Description Language (SDL) or
State-Charts are often used to specify state-based systems.
As a result, testing from an FSM has been utilized in a
number of application domains such as sequential circuits,
telecommunications systems, communications protocols, embedded
systems, object-oriented systems, web services, pattern
matching and machine learning. When testing from an FSM
M, a fault model Φ(M) for M is used to represent the types
of faults that can occur in a potential implementation of M. A
particular implementation to be tested is then assumed to be
functionally equivalent to an unknown FSM N in Φ(M). In
order to determine whether N is a correct implementation of
M, a test sequence (a sequence of input/expected output pairs
constructed from M) is applied to N [18]. This test sequence
is a checking sequence if it has the following property: if
N ∈ Φ(M) then N passes the test sequence if and only if N is
equivalent to M [10], [12].
Several methods have been reported in the literature for
constructing a checking sequence from an FSM M. These
methods use a distinguishing sequence [10], [17], a set of
characterizing sequences [5], [8], or a set of unique input/output
(UIO) sequences [19], [7]. The methods that use a set of
characterizing sequences or UIO sequences either require that
there is a reset that is known to have been implemented
correctly by N or produce a checking sequence whose length
is at least exponential in terms of the number of states of M
and the lengths of the sequences used. The methods that use
a distinguishing sequence¹ D of M yield checking sequences
whose lengths are polynomial in the number of states and the
length of the distinguishing sequence that is used [22], [13],
[4], [21], [14]. They recognize a state of N as a state of M
by applying D at that state of N and verify a transition of M
from state $s_i$ to state $s_j$ under input x in N by
1) transferring N to the state recognized as state $s_i$ of M;
2) checking that the output produced by N in response to
x is as specified in M (to detect an output fault); and
3) recognizing the state reached by N after the application
of x as state $s_j$ of M (to detect a transfer fault).
Step 1 is realized indirectly by making sure that each state s
is reached by the application of a DI, for some input sequence
I, in a given state s′ and this is followed by another D in the
checking sequence. Step 3 is realized by applying D at the
state reached by N after the application of x.
These methods make use of the graphical representation of
the FSM and first form three sets of paths: set A of state
recognition paths used to recognize each state of the FSM
(e.g., α-sequences, α′-sequences or α-elements in different
methods); set B of transition verification paths used to verify
each transition of the FSM (e.g., test segments); set C of
transfer paths used to concatenate paths in A and B. They
place various constraints on the selection of C. Earlier methods
use some predefined strategies to reduce the length of transfer
paths [12], [11]. These strategies do not guarantee that transfer
paths found yield minimized checking sequences. An optimization
model has been proposed to solve this problem [22]
and it is adopted by successive checking sequence generation
methods [13], [4], [14].
¹ An input sequence for which the response of each state of M is distinct.
2009 Seventh IEEE International Conference on Software Engineering and Formal Methods
978-0-7695-3870-9/09 $26.00 © 2009 IEEE
DOI 10.1109/SEFM.2009.12
All of these methods utilized a preset distinguishing sequence
(henceforth called a PDS), that is, a sequence of inputs
which is the same for every state of the given FSM. There exists
another type of distinguishing sequence called an adaptive
distinguishing sequence (henceforth called an ADS) that is a
rooted decision tree where each root to leaf path represents an
input sequence that is specific to the state represented by the
leaf. It was first conjectured in [16] that ADSs can be used
for checking sequence construction. Later, Boute proved in [2],
[3] that ADSs (which are called distinguishing sets in [2], [3])
can really be used to construct checking sequences. There are
also some recent methods making use of ADSs [6].
Lee and Yannakakis have reported a polynomial time algorithm
to check the existence and to construct an ADS for
an FSM, whereas checking the existence and constructing a
PDS is PSPACE–complete [17]. It is also known that there
are FSMs with ADSs for which no PDS exist. These results
already make it advantageous to use ADSs rather than PDSs.
Furthermore, the least upper bound of the length of PDSs is
known to be exponential whereas there is a lower bound of the
length of ADSs that is quadratic in the number of states [20],
[17]. For a given FSM it is known that the shortest ADS is no
longer than the shortest PDS, if both exist. This suggests that
using ADSs will lead to shorter checking sequences. However,
no practical study on this has been conducted.
In this paper, first we show how three different checking
sequence generation methods that were originally described
to use PDSs can be modified to use ADSs instead.
A preliminary version of this work appeared in [15] where
there were only some informal explanations on how the
checking sequence construction methods can be modified in
order to use ADSs. In this paper, we provide formal details of
the changes needed and explicitly give the modified algorithms
for each method. In addition in this paper, these algorithms
are proved to generate checking sequences. Finally, in order
to be able to understand the practical improvements provided
by using ADSs in these methods, this paper also includes an
extensive experimental study for all the methods considered.
The rest of the paper is organized as follows: Section 2
reviews the terminology used throughout the paper. Section
3 formalizes the use of ADSs for constructing a checking
sequence, and presents the advantages of their use over PDSs.
Section 4 reviews several checking sequence construction
methods and shows that they can be adapted to use ADSs.
Section 5 presents the results of experiments conducted to
compare the lengths of the checking sequences constructed
using ADSs with those constructed using PDSs. Section 6
gives our concluding remarks.
II. PRELIMINARIES
A deterministic finite state machine (FSM) is defined as
$(S, X, Y, \delta, \lambda)$, where S is a finite set of states with $n = |S|$,
$s_1 \in S$ is the initial state, X is a finite set of inputs with $p = |X|$,
Y is a finite set of outputs with $q = |Y|$, $\delta$ is a state transition
function that maps $S \times X$ to S and $\lambda$ is an output function that
maps $S \times X$ to Y. These two functions are extended to input
sequences $I \in X^*$ in the usual manner.
An FSM is minimal if, for every pair of states $s_i, s_j \in S$,
$s_i \neq s_j$, there is an input sequence $I \in X^*$ such that
$\lambda(s_i, I) \neq \lambda(s_j, I)$. An FSM is completely specified, if for each input
$x \in X$ and state $s_i \in S$, $\delta(s_i, x)$ is defined. An FSM M can be
represented by a directed graph (digraph) $G = (V, E)$ where the
set V of vertices represents the set S of states of M and the set
E of directed edges represents the transitions of M. An edge
$e = (v_i, v_j; x/y) \in E$ represents a transition $t = (s_i, s_j; x/y)$ from
state $s_i$ to state $s_j$ with input $x \in X$ and output $y \in Y$, where
$v_i$ and $v_j$ are the starting and terminating vertices of e (states
of t), and input/output pair x/y is the label of e.
Path $P = (n_1, n_2; x_1/y_1)(n_2, n_3; x_2/y_2) \ldots (n_{r-1}, n_r; x_{r-1}/y_{r-1})$,
$r > 1$, of $G = (V, E)$ is a finite
sequence of adjacent (not necessarily distinct) edges in E,
where each node $n_i$, $1 \le i \le r$, represents a vertex of V; $n_1$
and $n_r$ are starting and terminating nodes of P, and the
input/output sequence $(x_1/y_1)(x_2/y_2) \ldots (x_{r-1}/y_{r-1})$ is the
label of P. P is often represented by $(n_1, n_r; I/O)$, where
I/O is the label of P, $I = x_1 x_2 \ldots x_{r-1}$ is the input portion
of I/O, and $O = y_1 y_2 \ldots y_{r-1}$ is the output portion of I/O.
I/O is said to label a path from $n_1$ to $n_r$ if there is a path
$(n_1, n_r; I/O)$. Also, the label I/O of path $(n_1, n_r; I/O)$ is a
transfer sequence T (from $n_1$ to $n_r$). The length of input
sequence I (or input/output sequence I/O) is its number of
inputs, denoted by |I| (or |I/O|). The length (or cost) of an
edge or path is the length of its label.
$G = (V, E)$ is strongly connected, if for all $v_i, v_j \in V$, there
exists a path from $v_i$ to $v_j$. In $G = (V, E)$, $indegree_E(v_i)$ and
$outdegree_E(v_i)$ represent the number of edges in E terminating
and starting at $v_i \in V$, respectively. An Euler path of $G = (V, E)$
is a path that contains every edge in E exactly once. A rural
postman path from vertex $v_i$ to vertex $v_j$ over $E' \subseteq E$ is a
path that starts at $v_i$, ends at $v_j$, and includes all edges of $E'$.
A rural Chinese postman path from $v_i$ to $v_j$ over $E' \subseteq E$ is
a rural postman path of minimum-cost. A tour is a path that
starts and terminates at the same vertex. Sequence $i_1 i_2 \ldots i_k$ is
a subsequence of $x_1 x_2 \ldots x_m$ if there exists $\Delta$, $0 \le \Delta \le m - k$,
such that for all j, $1 \le j \le k$, $i_j = x_{j+\Delta}$.
Let $M = (S, X, Y, \delta, \lambda)$ henceforth denote a completely
specified, minimal and deterministic FSM represented by
strongly connected digraph $G = (V, E)$. Let the fault model
for M, $\Phi(M)$, be the set of FSMs with at most n states and
the same input and output sets as M. Let N be an FSM of
$\Phi(M)$. N is isomorphic to M if there is a one-to-one and onto
function f on the state sets of M and N such that for any
transition $(s_i, s_j; x/y)$ of M, $(f(s_i), f(s_j); x/y)$ is a transition
of N. A checking sequence of M is an input/output sequence
starting at the initial state $s_1$ of M that distinguishes M from
any N of $\Phi(M)$ that is not isomorphic to M (i.e., the output
sequence produced by any such N of $\Phi(M)$ is different from
the output sequence produced by M). This means that in
response to the input portion of the checking sequence, any
faulty implementation N from $\Phi(M)$ will produce an output
sequence different from the output portion of the checking
sequence, indicating the presence of faults.
Under this definition of a checking sequence we do not care
about the initial state of N; isomorphism does not require that
the initial states of M and N correspond. Since we apply the
checking sequence in the state of N that corresponds to the
initial state of M we can precede it by a process that takes M to
its initial state irrespective of its current state. Such a process
can be produced by starting with a homing sequence [18],
whose output identifies the current state, and then moving to
the initial state. If we also wish to find initialization faults,
where N starts in a different state to M, we should start the
checking sequence with a distinguishing sequence and some
methods do this (see, for example, [14]).
Recall that the recognition of each distinct state in N as a
distinct state of M and verification of whether each transition
of M is correctly implemented in N are based on distinguishing
sequences for the methods considered in this paper. A preset
distinguishing sequence (PDS) D of M is an input sequence
such that the output sequence produced by M in response to
D is different for each state of M (i.e., $\forall s_i, s_j \in S$,
$s_i \neq s_j \Rightarrow \lambda(s_i, D) \neq \lambda(s_j, D)$). A distinguishing sequence D of a given
M is then used as follows:
Consider a path P of G representing M and the nodes within
it. Let Q = label(P).
1) A node $n_i$ of P is recognized in Q as state s of M if
a) $n_i$ is the starting node of a subpath of P whose
label is $DI/\lambda(s, DI)$ for some I which is the input
portion of a transfer sequence T or
b) $(n_q, n_i; I/\lambda(s', I))$ and $(n_j, n_k; I/\lambda(s', I))$ are subpaths
of P, $n_q$ and $n_j$ are recognized in Q as state
$s'$ of M, and $n_k$ is recognized in Q as state s of M.
2) A transition $t = (s_j, s_k; x/y)$ is verified in Q if there is a
subpath $(n_i, n_{i+1}; x_i/y_i)$ of P such that $n_i$ is recognized
in Q as $s_j$, $n_{i+1}$ is recognized in Q as $s_k$, and $x_i/y_i = x/y$.
A subpath of P used to recognize a state is a state
recognition path for that state. A subpath of P used to
verify transition t is a transition verification path for t. Paths
used to concatenate recognition/verification paths are called
transfer paths and their labels are called transfer sequences.
For the methods considered in this paper, if path P starts
from s1 and verifies all transitions of M, then this path’s
label is a checking sequence of M. Several checking sequence
generation algorithms are based on the following result [22]:
Theorem 2.1: Let G be a digraph representing M and Q be
the label of a path P of G starting at v1. If every edge of G
is verified in Q then Q is a checking sequence of M.
III. CHECKING SEQUENCES BASED ON ADAPTIVE
DISTINGUISHING SEQUENCES
In this section, we define ADSs and recap their advantages
over PDSs. We then give an intuitive idea of why ADSs
can often be used instead of PDSs and present a sufficient
condition for a sequence to be a checking sequence of M.
A. Advantages of Adaptive Distinguishing Sequences
While a PDS is a single input sequence that can be used
to distinguish each state of M, an adaptive distinguishing sequence
is a rooted tree where each root to leaf path represents
an input sequence specific to the state represented by the leaf.
Definition 3.1 ([17]): An adaptive distinguishing sequence
(ADS) is a rooted tree θ with exactly n leaves; the internal
nodes are labeled with input symbols, the edges are labeled
with output symbols, and the leaves are labeled with states of
the FSM such that:
1) edges emanating from a common node have distinct
output symbols, and
2) for every leaf of θ, if x, y are the input and output strings
respectively formed by the node and edge labels on the
path from the root to the leaf, and if the leaf is labeled
by state $s_i$ of the FSM then $y = \lambda(s_i, x)$.
The length of the sequence is the depth of the tree.
In the following, $D_i$ denotes the ADS of state $s_i$ of M. ADSs
and PDSs can be used for state identification but ADSs offer
several advantages:
• ADSs are strictly more general than PDSs: A PDS is an
ADS where every path from the root of the tree to a leaf
has the same input portion. However, the converse is not
true. As a result the set of FSMs having ADSs strictly
contains the set of FSMs having PDSs. So if a method
based on PDSs can be adapted to use ADSs instead, then
this method can be applied to a strictly larger set of FSMs.
• It is easier to find ADSs than PDSs. Current algorithms
for determining whether an FSM has a PDS require exponential
time [10]. Moreover, this is probably unavoidable
since it is PSPACE-complete to decide whether an FSM
has a PDS [17]. However, it can be decided whether an
FSM has an ADS in $O(pn \log(n))$ and, if such a sequence
exists, one can be constructed in $O(pn^2)$ [17]. Thus any
method based on PDSs is at least PSPACE-complete,
while a method based on ADSs can take polynomial time.
• ADSs can be up to exponentially shorter than PDSs. If an
FSM has an ADS, it has one of length $O(n^2)$ [20] and the
$O(pn^2)$ algorithm of [17] will produce one of length at
most $n(n-1)/2$. There are FSMs for which the shortest
PDS is of exponential length [17].
Thus, if a method to generate checking sequence based on
PDSs can be modified to use ADSs instead, then
1) this method will be more generally usable (that is, will
be usable on a strictly larger set of FSMs),
2) we can decide in polynomial time whether an FSM can
be used with this method (instead of exponential time
in the worst case when using PDSs),
3) finding the distinguishing sequence will require polynomial
time in the worst case, as opposed to exponential
time in the worst case for PDSs, and
4) the resulting checking sequence might be up to exponentially
shorter.
In the following, we show that many methods can be
adapted to use ADSs instead, with the benefits outlined above.
B. From Preset to Adaptive Distinguishing Sequences
PDSs seem easier to handle than ADSs because the input sequence
is the same regardless of the current state. A checking
sequence is “preset” in that it does not have any branching, so
it seems to require PDSs. However, the input sequence being
the same regardless of the current state is only important if
there are several possibilities for the current state and this
usually is not the case for checking sequences. Indeed, they
typically anticipate that the implementation must be in a given
state and check that the implementation reacts appropriately.
When this is the case, it is possible to replace the PDS with
the input of the ADS corresponding to the anticipated current
state and reach the same conclusion.
Thus, in general, if a method for constructing a checking
sequence is based on a PDS and uses this sequence only for
state verification purposes, then this method can be adapted
to use ADSs. In fact, most of the published methods are of
this nature. It should also be noted that the checking sequence
itself is still a preset sequence even if it uses ADSs.
C. A Sufficient Condition
Theorem 1 from [22] shows that it is sufficient to verify
all the transitions of an FSM to obtain a checking sequence.
This result is the basis for several of the checking sequence
generation methods published. The theorem is based on PDSs.
In this section, we will extend it to the case of ADSs. This will
allow us to extend checking sequence generation algorithms
based on this result to the case of ADSs. Section IV will
explain how this can be done.
We first extend the definitions of state recognition and
transition verification to the case of ADSs. Consider a path
P of G representing M and the nodes within it and let θ be
an ADS of M. Let Q = label(P).
Definition 3.2: A node $n_i$ of P is θ-recognized in Q as state
$s_m$ of M if
1) $n_i$ is the starting node of a subpath of P whose label is
$D_m I/\lambda(s_m, D_m I)$; or
2) $(n_q, n_i; I/\lambda(s', I))$ and $(n_j, n_k; I/\lambda(s', I))$ are subpaths of
P, $n_q$ and $n_j$ are θ-recognized in Q as state $s'$ of M, and
node $n_k$ is θ-recognized in Q as state $s_m$ of M.
In the first case, we say that depth($n_i$) = 0.
In the second case, we say that depth($n_i$) =
1 + max{depth($n_q$), depth($n_j$), depth($n_k$)}.
Definition 3.3: A transition $t = (s_j, s_k; x/y)$ is θ-verified in
Q if there is a subpath $(n_i, n_{i+1}; x_i/y_i)$ of P such that $n_i$ is
θ-recognized in Q as $s_j$, $n_{i+1}$ is θ-recognized in Q as $s_k$, and
$x_i/y_i = x/y$.
The following propositions and theorem are adapted
from [22] to prove that it is sufficient to verify all transitions
in generating a checking sequence.
Proposition 3.1: Let G be a digraph representing M, Q be
the label of a path P of G starting at $v_1$, and θ be an ADS of
M. If every edge of G is θ-verified in Q then for every vertex
$v_j$ of G we have that $D_j/\lambda(s_j, D_j)$ is a subsequence of Q.
Proof: Let $P = (n_1, n_r; Q)$. Given state $s_j$ of M, let $n_p$
denote a node of P with minimum depth that is θ-recognized
in Q as $s_j$. Note that there must be at least one such node
since G is strongly connected (hence there is at least one
transition leaving $s_j$) and every edge of G is θ-verified in Q. If
depth($n_p$) > 0 then there exist subpaths $(n_q, n_p; I/\lambda(s', I))$ and
$(n_i, n_k; I/\lambda(s', I))$ of P such that $n_q$ and $n_i$ are θ-recognized
in Q as state $s'$ of M, $n_k$ is θ-recognized in Q as $s_j$
and depth($n_p$) > depth($n_k$), contradicting the minimality of
depth($n_p$). Thus, depth($n_p$) = 0 and so in P the node $n_p$ is
followed by a subpath with label $D_j/\lambda(s_j, D_j)$ as required.
Proposition 3.2: Let G be a digraph representing M, Q
be the label of a path P of G starting at $v_1$, and θ be
an ADS of M. Let $x_1 \ldots x_{r-1}$ be the input portion of Q.
Suppose that every edge of G is θ-verified in Q. Also let
$M^* = (S^*, X, Y, \delta^*, \lambda^*)$ be a member of $\Phi(M)$ and $P^*$ be
a path of the digraph representing $M^*$ such that $P^*$ has
label Q and starts at $v_1^*$, which represents the initial state
$s_1^*$ of $M^*$. If node $n_i$ is θ-recognized in Q as state $s_j$ of
M then
$\lambda^*(\delta^*(v_1^*, x_1 \ldots x_{i-1}), D_j) = \lambda(\delta(v_1, x_1 \ldots x_{i-1}), D_j) = \lambda(s_j, D_j)$.
Proof: The proof will proceed by induction on depth($n_i$)
where the base case is depth($n_i$) = 0. Here, $n_i$ is followed
by a subpath with label $\lambda(s_j, D_j)$ and so the result follows.
Inductive hypothesis: the result holds for every node of depth
less than l, l > 0, and let depth($n_i$) = l. Since depth($n_i$) > 0
there exist subpaths $(n_q, n_i; I/\lambda(s_m, I))$ and $(n_p, n_k; I/\lambda(s_m, I))$
of P such that $n_q$ and $n_p$ are θ-recognized in Q as $s_m$, $n_k$
is θ-recognized in Q as $s_j$ and depth($n_i$) is greater than
depth($n_k$), depth($n_p$), and depth($n_q$).
By Proposition 3.1 we know that $M^*$ has n states and
θ is an ADS of $M^*$. By using the induction hypothesis
$\lambda^*(\delta^*(v_1^*, x_1 \ldots x_{q-1}), D_m) = \lambda(\delta(v_1, x_1 \ldots x_{q-1}), D_m) = \lambda(s_m, D_m)$.
Again by using the induction hypothesis we have that
$\lambda^*(\delta^*(v_1^*, x_1 \ldots x_{p-1}), D_m) = \lambda(\delta(v_1, x_1 \ldots x_{p-1}), D_m) = \lambda(s_m, D_m)$.
Therefore $\delta^*(v_1^*, x_1 \ldots x_{q-1}) = \delta^*(v_1^*, x_1 \ldots x_{p-1})$
and $\delta(v_1, x_1 \ldots x_{q-1}) = \delta(v_1, x_1 \ldots x_{p-1})$. Thus,
$\delta^*(v_1^*, x_1 \ldots x_{i-1}) = \delta^*(v_1^*, x_1 \ldots x_{k-1})$ and
$\delta(v_1, x_1 \ldots x_{i-1}) = \delta(v_1, x_1 \ldots x_{k-1})$. The result follows since by the
inductive hypothesis,
$\lambda^*(\delta^*(v_1^*, x_1 \ldots x_{i-1}), D_j) = \lambda(\delta(v_1, x_1 \ldots x_{i-1}), D_j) = \lambda(s_j, D_j)$.
Theorem 3.3: Let G be a digraph representing M, Q be the
label of a path P of G starting at $v_1$, and θ be an ADS of M.
If every edge of G is θ-verified in Q then Q is a checking
sequence of M.
Proof: Let $M^* = (S^*, X, Y, \delta^*, \lambda^*)$ be a member of $\Phi(M)$
and $P^*$ be a path of the digraph representing $M^*$ such that
$P^*$ has label Q and starts at $v_1^*$, which represents the initial
state $s_1^*$ of $M^*$. Let $x_1 \ldots x_r$ denote the input portion of Q.
By Proposition 3.1 we know that $M^*$ has n states $s_1^*, \ldots, s_n^*$
such that for all $1 \le i \le n$ we have that $\lambda^*(s_i^*, D_i) = \lambda(s_i, D_i)$.
It is sufficient to prove that under these conditions we
have that for every transition $(s_i, s_j; x/y)$ of M we have
that $(s_i^*, s_j^*; x/y)$ is a transition of $M^*$; from this we can
deduce that M and $M^*$ are isomorphic. Given transition
$(s_i, s_j; x/y)$ of M there is a corresponding edge $(n_p, n_{p+1}; x/y)$
of P such that $n_p$ is θ-recognized in Q as $s_i$ and $n_{p+1}$
is θ-recognized in Q as $s_j$. By Proposition 3.2 we know that
$\lambda^*(\delta^*(v_1^*, x_1 \ldots x_{p-1}), D_i) = \lambda(\delta(v_1, x_1 \ldots x_{p-1}), D_i) = \lambda(s_i, D_i)$
and
$\lambda^*(\delta^*(v_1^*, x_1 \ldots x_p), D_j) = \lambda(\delta(v_1, x_1 \ldots x_p), D_j) = \lambda(s_j, D_j)$
and so $(s_i^*, s_j^*; x/y)$ is
a transition of $M^*$ as required.
IV. USING ADAPTIVE DISTINGUISHING SEQUENCES IN
CHECKING SEQUENCE CONSTRUCTION
In this section we describe three methods for producing a
checking sequence on the basis of a distinguishing sequence
and update them to use an ADS. These methods are chosen
for the following purposes. The first method considered in
Section IV-A is the first method in the literature. The method
considered in Section IV-B originally formalized the sufficient
condition given in Section III-C and is taken as a base by
a series of other methods. Finally, the method considered in
Section IV-C is the most advanced method in this series of
studies mentioned above.
A. The Method of Hennie
In the method proposed by Hennie [12], henceforth called
HEN64, the states are recognized in a specific order that
is based on a permutation $s_1, \ldots, s_n$ of the states of M.
Given this order, for each $s_i$ we define a (possibly empty)
transfer sequence $T_i$ such that $D/\lambda(s_i, D)\,T_i$ labels a path with
starting state $s_i$ and terminating state $s_{i+1}$ for $1 \le i \le n$. Since
$s_1, \ldots, s_n$ is a permutation we have that $s_{n+1}$ denotes $s_1$ and $s_0$
denotes $s_n$. A single state recognition sequence
$D/\lambda(s_1, D)\,T_1\,D/\lambda(s_2, D)\,T_2 \ldots D/\lambda(s_n, D)\,T_n\,D/\lambda(s_1, D)$
with starting state $s_1$ is formed. This state recognition sequence is
capable of checking that the distinguishing sequence D is also a distinguishing
sequence of N, and so that the mapping between states of M
and N defined by D is a bijection.
The checking sequence is generated by extending
the state recognition sequence
$D/\lambda(s_1, D)\,T_1\,D/\lambda(s_2, D)\,T_2 \ldots D/\lambda(s_n, D)\,T_n\,D/\lambda(s_1, D)$
with subsequences that verify the
transitions. Assuming that the current sequence is the label of
a path with terminating state $s_i$, and there remain transitions to
be verified, we choose a transition $(s_j, s_k; x/y)$ not yet verified.
We extend the current sequence with a transfer sequence T
to $s_j$ and then apply $xD$. The transfer sequence T must lead
to x being applied in a state recognized as $s_j$ and so T is
a transfer sequence that ends with $D/\lambda(s_{j-1}, D)\,T_{j-1}$. This
process iterates until transition verification sequences for all
transitions are included. Transition verification sequences for
the transitions are added in the order in which the transitions
appear in the transition table.
When an ADS is used, the path used to θ-recognize
the states is formed in the same manner. We define a
permutation of the states $s_1, \ldots, s_n$ with $s_1$ as the initial
state. For each $s_i$, $1 \le i \le n$, we define transfer sequence
$T_i$ such that $D_i/\lambda(s_i, D_i)\,T_i$ labels a path with starting state
$s_i$ and terminating state $s_{i+1}$. We obtain state recognition sequence
$D_1/\lambda(s_1, D_1)\,T_1\,D_2/\lambda(s_2, D_2)\,T_2 \ldots D_n/\lambda(s_n, D_n)\,T_n\,D_1/\lambda(s_1, D_1)$
with starting state $s_1$. To check transition
$(s_j, s_k; x/y)$ we extend the current sequence with a transfer
sequence T to $s_j$ and apply $xD_k$. As before, T must lead to x
being applied in a state θ-recognized as $s_j$ and so T ends
with $D_{j-1}/\lambda(s_{j-1}, D_{j-1})\,T_{j-1}$. This iterates until transition
verification sequences for all transitions are included.
This is summarized in Algorithm 1.
Algorithm 1 checking sequence generation algorithm [12]
1: Input M and ADS θ of M.
2: Define a permutation $s_1, \ldots, s_n$ of the states of M.
3: for all $1 \le i \le n$ do
4:   define a transfer sequence $T_i$ such that $D_i/\lambda(s_i, D_i)\,T_i$ labels a path with starting state $s_i$ and terminating state $s_{i+1}$, where $s_{n+1}$ denotes $s_1$
5: end for
6: Let $CS = D_1/\lambda(s_1, D_1)\,T_1\,D_2/\lambda(s_2, D_2)\,T_2 \ldots D_n/\lambda(s_n, D_n)\,T_n\,D_1/\lambda(s_1, D_1)$
7: Let Tr denote the transitions of M listed in the order in which they appear in the transition table.
8: while $Tr \neq \varepsilon$ do
9:   Let $CS_I$ be the input portion of CS
10:   Let $s_i = \delta(s_1, CS_I)$
11:   Let $(s_j, s_k; x/y) = head(Tr)$
12:   Choose some transfer sequence T that ends with $D_{j-1}/\lambda(s_{j-1}, D_{j-1})\,T_{j-1}$ and that is the label of a path with starting state $s_i$.
13:   Let $CS = CS\,T\,x/y\,D_k/\lambda(s_k, D_k)$.
14:   Let Tr = tail(Tr)
15: end while
16: Output CS.
Proposition 4.1: The I/O sequence CS returned by Algorithm 1
is a checking sequence of M.
Proof:
Let G be a digraph representing M and the label of a path
P of G starting at $v_1$ be CS. Let $(s_j, s_k; x/y)$ denote a transition
of M. It is clear that P contains a node $n_j$ that is θ-recognized
in CS as state $s_j$ and is followed by an edge with label x/y
whose terminating node is θ-recognized in CS as $s_k$. Thus,
every edge of G is verified in CS. Further, the starting node
of P is θ-recognized in CS as state $s_1$ by $D_1$. The result thus
follows from Theorem 3.3.
The worst case time complexity of this algorithm is the
same as that of HEN64, which is of $O(pn^3)$.
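An added example, not code from the paper: Algorithm 1 in Python on a constructed 3-state FSM, run once with per-state ADS inputs and once with a PDS, followed by an exhaustive check of Proposition 4.1 over every 3-state machine with the same inputs and outputs. The machine `M`, the sequences `ADS` and `PDS`, the shortest-path choice of transfer sequences and all function names are assumptions made for this illustration.

```python
"""Algorithm 1 (HEN64 with per-state D_i) on a constructed FSM; added example."""
from collections import deque
from itertools import product
from os.path import commonprefix

X, Y = "ab", "01"
# Constructed FSM M; states 0..2 stand for s1..s3: (state, input) -> (next, output)
M = {(0, "a"): (1, "0"), (0, "b"): (0, "0"),
     (1, "a"): (2, "1"), (1, "b"): (2, "0"),
     (2, "a"): (0, "1"), (2, "b"): (1, "1")}
N_STATES = 3
ADS = ["a", "aa", "aa"]   # D_i: root-to-leaf inputs of a hand-built ADS of M
PDS = ["aa", "aa", "aa"]  # a shortest PDS of M, written as the ADS with every D_i = D


def run(fsm, state, inputs):
    """Return (final state, output string) for inputs applied at state."""
    out = []
    for x in inputs:
        state, y = fsm[(state, x)]
        out.append(y)
    return state, "".join(out)


def is_distinguishing(fsm, n, D):
    """Definition 3.1: two states must answer differently on the inputs they share."""
    for i in range(n):
        for j in range(i + 1, n):
            shared = len(commonprefix([D[i], D[j]]))  # inputs both paths share
            if run(fsm, i, D[i][:shared])[1] == run(fsm, j, D[j][:shared])[1]:
                return False
    return True


def transfer(fsm, src, dst):
    """Shortest input sequence taking src to dst (breadth-first search)."""
    seen, queue = {src}, deque([(src, "")])
    while queue:
        state, path = queue.popleft()
        if state == dst:
            return path
        for x in X:
            nxt = fsm[(state, x)][0]
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + x))
    raise ValueError("FSM is not strongly connected")


def hen64(fsm, n, D):
    """Input portion of the checking sequence built by Algorithm 1."""
    # Lines 3-5: T_i leads from the state reached by D_i at s_i to s_{i+1}.
    T = [transfer(fsm, run(fsm, i, D[i])[0], (i + 1) % n) for i in range(n)]
    # Line 6: state recognition sequence D_1 T_1 ... D_n T_n D_1.
    cs = "".join(D[i] + T[i] for i in range(n)) + D[0]
    for j, x in sorted(fsm):                     # line 7: transition-table order
        cur = run(fsm, 0, cs)[0]                 # lines 9-10: current state
        prev, k = (j - 1) % n, fsm[(j, x)][0]
        # Line 12: T ends with D_{j-1} T_{j-1}; line 13: then x and D_k.
        cs += transfer(fsm, cur, prev) + D[prev] + T[prev] + x + D[k]
    return cs


def equivalent(m1, m2):
    """True if m1 and m2, both started in state 0, agree on every input sequence."""
    seen, todo = {(0, 0)}, [(0, 0)]
    while todo:
        a, b = todo.pop()
        for x in X:
            (a2, ya), (b2, yb) = m1[(a, x)], m2[(b, x)]
            if ya != yb:
                return False
            if (a2, b2) not in seen:
                seen.add((a2, b2))
                todo.append((a2, b2))
    return True


def escaped_faults(inputs):
    """Count 3-state machines that answer `inputs` like M but are not equivalent to M."""
    expected = run(M, 0, inputs)[1]
    keys = sorted(M)
    cells = [(s, y) for s in range(N_STATES) for y in Y]
    escaped = 0
    for combo in product(cells, repeat=len(keys)):   # 6**6 candidate machines
        cand = dict(zip(keys, combo))
        if run(cand, 0, inputs)[1] == expected and not equivalent(M, cand):
            escaped += 1
    return escaped


if __name__ == "__main__":
    for name, D in (("ADS", ADS), ("PDS", PDS)):
        cs = hen64(M, N_STATES, D)
        print(name, len(cs), cs, "escaped:", escaped_faults(cs))
    print("transition tour escaped:", escaped_faults("baabba"))
```

On this machine the ADS-based sequence is shorter than the PDS-based one and neither lets a faulty machine pass, whereas the input sequence `baabba`, which exercises every transition once without any state recognition, does.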
B. The method of Ural, Wang and Zhang
The method proposed by Ural et al. [22], henceforth called
UWZ97, forms state recognition paths as concatenations of
$D/\lambda(s_i, D)$ followed by a transfer sequence $T_i$ at each state
$s_i$ until the application of the last $D/\lambda(s_i, D)\,T_i$ is a repeat
of an earlier $D/\lambda(s_i, D)\,T_i$ in the path. The sequences used are
defined in the following way. The first step is to choose subsets
$V_k \subseteq V$ ($1 \le k \le q$) of V whose union is V. The elements within
each $V_k$ are ordered giving $V_k = \{v_1^k, \ldots, v_{n_k}^k\}$, where the state
represented by $v_i^k$ is denoted $s_{m(i,k)}$. For each $v_i^k$, they obtain
a sequence $D/\lambda(s_{m(i,k)}, D)\,T_i^k$, which is the result of applying
D in state $s_{m(i,k)}$ followed by a transfer sequence $T_i^k$ whose
terminating state corresponds to $v_{i+1}^k$ ($v_{n_k+1}^k$ can be any $v_w^k$,
$1 \le w \le n_k$). For each $V_k$, they form a path $P_k$ with starting
state $s_{m(1,k)}$ and label
$\alpha_k = D/\lambda(s_{m(1,k)}, D)\,T_1^k\,D/\lambda(s_{m(2,k)}, D)\,T_2^k \ldots D/\lambda(s_{m(n_k,k)}, D)\,T_{n_k}^k\,D/\lambda(s_{m(w,k)}, D)\,T_w^k$,
$1 \le w \le n_k$. The
set $A = \{\alpha_1, \ldots, \alpha_q\}$ is called an α-set and each sequence $\alpha_i \in A$
is called an α-sequence from A. If A is clear, its members
are called α-sequences. The transfer sequence, that follows
the execution of D from state $s_i$, is denoted $T_i$.
Transition verification paths are formed by applying D
after the transition’s input. UWZ97 finds a shortest sequence
containing all α-sequences and transition verification paths,
possibly connected by transfer paths. A preset acyclic subset
of transitions is chosen and the transfer paths are only allowed
to contain transitions from this subset in addition to subpaths
of the form $(s_i, s_j; D/\lambda(s_i, D)\,T_i)$. It is proved that any I/O
sequence constructed in this way defines a checking sequence.
We now describe this method in detail, showing how it can
be applied using ADSs.
When ADSs are used, the state recognition paths are
formed by using the ADS of the corresponding states. The
α-sequences are defined in the following way. First we
choose $V_k \subseteq V$ ($1 \le k \le q$) whose union is V and order
the elements in each $V_k$, giving $V_k = \{v_1^k, \ldots, v_{n_k}^k\}$, the state
represented by $v_i^k$ being called $s_{m(i,k)}$. For each $v_i^k$, we obtain
$D_{m(i,k)}/\lambda(s_{m(i,k)}, D_{m(i,k)})\,T_i^k$; the result of applying $D_{m(i,k)}$
in state $s_{m(i,k)}$ followed by a transfer sequence $T_i^k$ whose
terminating state corresponds to $v_{i+1}^k$, where $v_{n_k+1}^k$ can be
any $v_w^k$, $1 \le w \le n_k$. For each $V_k$, we form a path $P_k$ from
$v_1^k$ with label
$\alpha_k = D_{m(1,k)}/\lambda(s_{m(1,k)}, D_{m(1,k)})\,T_1^k\,D_{m(2,k)}/\lambda(s_{m(2,k)}, D_{m(2,k)})\,T_2^k \ldots D_{m(n_k,k)}/\lambda(s_{m(n_k,k)}, D_{m(n_k,k)})\,T_{n_k}^k\,D_{m(w,k)}/\lambda(s_{m(w,k)}, D_{m(w,k)})\,T_w^k$,
$1 \le w \le n_k$. The set
$A = \{\alpha_1, \ldots, \alpha_q\}$ is an α-set and each $\alpha_i \in A$ is an
α-sequence from A. If A is clear, its members are simply
called α-sequences. The transfer sequence, that follows the
execution of $D_i$ from state $s_i$, is denoted $T_i$ and its input
portion is denoted $I_i$. The transition verification path of
$(s_j, s_k; x/y)$ will have label $x/y\,D_k/\lambda(s_k, D_k)\,T_k$ and starting
state $s_j$. Again, a single sequence is constructed from the
α-sequences and transition verification sequences using a
preset acyclic subset of transitions and subpaths of the form
$(s_i, s_j; D_i/\lambda(s_i, D_i)\,T_i)$ as follows.
An auxiliary digraph $G' = (V', E')$ is formed using $G = (V, E)$
in which $V' = V \cup U'$ where $U' = \{v'_i \mid v_i \in V\}$ and
$E' = E \cup E_\alpha \cup E_T \cup E_c \cup E_\varepsilon \cup E''$ defined by the following.
1) $E_\alpha = \{(v_i, v'_j, \alpha_k) \mid 1 \le k \le q \wedge v_i$ is the starting node of
$P_k \wedge v_j$ is the terminating node of $P_k\}$ is a set of edges
representing the α-sequences.
2) $E_T = \{(v_i, v'_j, D_i/\lambda(s_i,D_i)T_i) \mid \delta(s_i, D_iI_i) = s_j\}$ is a set
of edges each representing the ADS followed by the
corresponding transfer sequence.
3) $E_c = \{(v'_i, v'_j, xD_l/\lambda(s_i, xD_l)T_l) \mid \delta(s_i,x) = s_l \wedge \delta(s_i, xD_lI_l) = s_j\}$
is a set of edges representing
transition verification paths.
4) $E_\varepsilon = \{(v'_i, v_i, \varepsilon) \mid 1 \le i \le n\}$ is a set of edges that, for each
state $s_i$, connects $v'_i$ to $v_i$ without introducing any input
or output.
5) $E'' \subset \{(v'_i, v'_j, x/y) \mid \delta(s_i,x) = s_j \wedge \lambda(s_i,x) = y\}$ is a set of
edges that are copies of edges of $E$ with the property
that $(U', E'')$ is acyclic, $E''$ is a spanning tree for $U'$,
and $G'$ is strongly connected.
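The edge sets E_T and E_c defined above, built for a small machine, as an added example that is not code from the paper. The 3-state FSM, the ADS decision tree, the transfer inputs I_i and the faulty copy used in the final check are all constructed for illustration; vertices v_i and v'_i are written s1 and s1'.

```python
"""Build the E_T and E_c edge sets of G' for a small FSM with an ADS."""

# Constructed specification M: (state, input) -> (next state, output).
SPEC = {
    ("s1", "a"): ("s2", "0"), ("s1", "b"): ("s3", "1"),
    ("s2", "a"): ("s3", "1"), ("s2", "b"): ("s1", "0"),
    ("s3", "a"): ("s1", "0"), ("s3", "b"): ("s2", "1"),
}
STATES = ["s1", "s2", "s3"]
INPUTS = ["a", "b"]

# Constructed ADS theta as a decision tree: an inner node is
# (input, {output: subtree}); a leaf names the identified initial state.
ADS = ("a", {"1": "s2", "0": ("a", {"1": "s1", "0": "s3"})})

# Assumed input portions I_i of the transfer sequences T_i (may be empty).
TRANSFER = {"s1": "", "s2": "", "s3": "b"}

def run(fsm, state, inputs):
    """Apply a preset input string; return (end state, list of x/y pairs)."""
    io = []
    for x in inputs:
        state, y = fsm[(state, x)]
        io.append(f"{x}/{y}")
    return state, io

def apply_ads(fsm, state):
    """Walk the ADS from `state`; return (end state, x/y pairs, leaf reached)."""
    node, io = ADS, []
    while isinstance(node, tuple):
        x, branches = node
        state, y = fsm[(state, x)]
        io.append(f"{x}/{y}")
        if y not in branches:
            raise ValueError(f"output {y!r} not covered by the ADS")
        node = branches[y]          # the next input depends on the output seen
    return state, io, node

def recognise(fsm, state):
    """Label D_i/lambda(s_i, D_i) T_i from s_i and the state it ends in."""
    mid, io, leaf = apply_ads(fsm, state)
    if leaf != state:
        raise ValueError(f"ADS identifies {state} as {leaf}")
    end, tail = run(fsm, mid, TRANSFER[state])
    return end, io + tail

def build_ET(fsm):
    """E_T: one edge (v_i, v'_j, D_i/lambda T_i) per state s_i."""
    edges = []
    for s in STATES:
        end, label = recognise(fsm, s)
        edges.append((s, end + "'", " ".join(label)))
    return edges

def build_Ec(fsm):
    """E_c: one transition verification edge (v'_i, v'_j, label) per transition."""
    edges = []
    for s in STATES:
        for x in INPUTS:
            s_l, y = fsm[(s, x)]                  # the transition under test
            end, label = recognise(fsm, s_l)      # D_l then T_l from its end state
            edges.append((s + "'", end + "'", " ".join([f"{x}/{y}"] + label)))
    return edges

def replay(fsm, state, label):
    """Replay a label's inputs on `fsm`; True if every output matches."""
    for pair in label.split():
        x, expected = pair.split("/")
        state, y = fsm[(state, x)]
        if y != expected:
            return False
    return True

if __name__ == "__main__":
    for edge in build_ET(SPEC) + build_Ec(SPEC):
        print(edge)
    # Constructed faulty implementation: (s2, b) transfers to s2, not s1.
    mutant = dict(SPEC)
    mutant[("s2", "b")] = ("s2", "0")
    label = build_Ec(SPEC)[3][2]
    print(label, "passes on mutant:", replay(mutant, "s2", label))
```

State s2 is identified after a single input while s1 and s3 need two, which is the adaptive shortening the paper measures.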
The set E ′′ can be generated in the manner described in
[22] and so we do not give the details of this process here.
The key point is that if we use a path P in G′ that includes
every edge in Eα then every edge of P that ends at a vertex in
U ′ and is not in E ′′ has a terminating node that is θ -recognized
in the label of P as the corresponding state. In addition, for
each transition of M there is a transition verification path in
Ec with a starting vertex in U ′. Checking sequence generation
involves finding a Rural Chinese Postman path of G′ that starts
at v1 and contains every edge in Eα ∪Ec; it is sufficient to
prove that by requiring (U ′,E ′′) to be acyclic we ensure that
every edge of G is verified. The above checking sequence
generation process is summarized in Algorithm 2.
Algorithm 2 checking sequence generation algorithm [22]
1: Input M, ADS θ of M and α-set A with transfer sequences
T1, . . . ,Tn.
2: Generate the digraph G′.
3: Obtain G∗ = (V ∗,E∗) from G′ by adding a new vertex
σ and new edges (vi,σ ;ε), i = 1, . . . , |V ′|, and (σ ,v1;γ).
Then, V ∗ = V ′ ∪ {σ} and E∗ = E ′ ∪ {(vi,σ ;ε), i =
1, . . . , |V ′|}∪{(σ ,v1;γ)}.
4: Let the cost of every new edge be zero except the cost of
edge (σ ,v1;γ) which is very large.
5: Let E+ ⊂ E∗ be {(σ ,v1;γ)} ∪ Eα ∪ Ec and find a
minimum-cost tour Γ in G∗ containing every edge of E+.
6: Delete vertex σ from Γ to obtain a minimum-cost path
(Rural Chinese Postman Path) P of G∗ that starts at v1
and contains every edge in Eα ∪Ec.
7: Return the I/O sequence Q = label(P).
We now prove that Algorithm 2 returns a checking sequence
by adapting the proof from [22].
Theorem 4.2: The I/O sequence Q= label(P) produced by
Algorithm 2 is a checking sequence of M.
Proof: We will use proof by contradiction, assuming that
Q is not a checking sequence. Let R denote the starting nodes
of edges from Ec that are in P: by Theorem 3.3 it is sufficient
to prove that each node from R is θ -recognized in Q.
Since (U ′,E ′′) is acyclic and E ′′ forms a spanning tree for
U ′, the edges in E ′′ define a partial order ∝ on V by vi ∝ v j if
and only if there is a path in (U ′,E ′′) from v′i to v′j and we can
order the nodes in R according to their corresponding vertices.
Thus, amongst the nodes in R that are not θ -recognized in Q
we can choose a node ni that is minimal according to ∝.
We can now consider the node ni−1; ni cannot be n1 since P
starts at v1 and not a vertex in U ′. Observe that the terminating
node of an edge from Eα ∪ET ∪Ec is θ -recognized in Q and
so the edge from ni−1 to ni must represent an edge from E ′′
that corresponds to a transition t = (sk,sl ;x/y) of M. By the
minimality of ni we know that ni−1 is θ -recognized in Q as
sk. In addition, P contains an edge (nr,n j,xDl/λ (sk,xDl)Tl)
representing a transition verification path for t. But nr ∝ ni and
so by the minimality of ni we must have that nr is θ -recognized
in Q. By the definition of a node being θ -recognized, as ni−1 is
θ -recognized in Q and there is a transition verification path for
t we must have that ni is θ -recognized in Q and this provides
a contradiction as required.
Given M and an ADS θ of M the worst case time complexity
of this algorithm is the same as that of UWZ97, which is
$O(pn^2 \log n)$ if algorithms described in [1] for finding a Rural
Chinese Postman Tour are used.
C. The method of Hierons and Ural
The method of Hierons and Ural [14], henceforth called
HIU06, is an enhanced version of UWZ97. There are three
main differences between HIU06 and UWZ97. The first is
that, while forming state recognition paths, HIU06 permits the
application of the last D in the concatenation to be a replication
of an application of D at this state but not necessarily in the
same concatenated path. Thus, a state recognition path can ter-
minate once the last D in the concatenation is a replication of
an application of D at the same state in another path, yielding
shorter state recognition paths. The elements formed in this
manner are called α ′-sequences [14]. The second difference
is that the optimization algorithm used allows optimization
to occur over a larger set of checking sequences. The third
difference is that, although a transition verification path is
formed by applying a D after the transition’s input, a state
recognition path is allowed to overlap a transition verification
path, as long as the overlap is on the entire length of D. The
method decides whether this overlapping should be used or
not while forming the checking sequence. We now update the
HIU06 method to the use of an ADS θ .
The α′-sequences are defined in the following way. The
first step is to partition $V$ into $V_1, \ldots, V_q$ and to order the
elements within each $V_k$ giving $V_k = \{v^k_1, \ldots, v^k_{n_k}\}$, where
$s_{m(i,k)}$ denotes the state represented by $v^k_i$. For each $v^k_i$,
produce a sequence $D_{m(i,k)}/\lambda(s_{m(i,k)},D_{m(i,k)})T^k_i$; the result
of applying $D_{m(i,k)}$ in state $s_{m(i,k)}$ followed by a transfer
sequence $T^k_i$ whose terminating state corresponds to $v^k_{i+1}$
($v^k_{n_k+1}$ can be any $v^j_w$, $1 \le j \le q$, $1 \le w \le n_j$). For each
$V_k$, form a path $P_k$ from $s_{m(1,k)}$ with label $\alpha_k$ where
$\alpha_k = D_{m(1,k)}/\lambda(s_{m(1,k)},D_{m(1,k)})T^k_1\,D_{m(2,k)}/\lambda(s_{m(2,k)},D_{m(2,k)})T^k_2 \ldots D_{m(n_k,k)}/\lambda(s_{m(n_k,k)},D_{m(n_k,k)})T^k_{n_k}\,D_{m(w,j)}/\lambda(s_{m(w,j)},D_{m(w,j)})T^j_w$
($1 \le j \le q$, $1 \le w \le n_j$). The set $\{\alpha_1, \ldots, \alpha_q\}$ is
called an α′-set. Given $A$, each sequence $\alpha_i \in A$ is called an
α′-sequence from $A$. If $A$ is clear, its members are simply
called α′-sequences. The transfer sequence, that follows $D_i$
from state $s_i$, is denoted $T_i$.
The α′-sequences play the following roles in checking
sequence generation. First they verify that the ADS θ used
is also an ADS of the SUT. For each state si they also
θ-recognize the terminating state (say sj) of the path from si
with label Di/λ(si,Di)Ti. Finally, an α′-sequence αk from A
that has starting state si begins with Di and thus its starting
node is θ-recognized. Thus, an α′-sequence can be used to
check the terminating state of a transition.
Each α ′-sequence is represented by an edge in a set called
Eα : for every αi ∈A with starting state s j and terminating state
sk, Eα contains an edge from v j to vk with label αi.
The problem of producing an α ′-set using an ADS is almost
identical to that of producing an α ′-set with a PDS, a problem
addressed in detail in [14]. We therefore assume that an α ′-set
A = {α1, . . . ,αq} has been found for the ADS θ .
The following gives a sufficient condition for an I/O
sequence to be a checking sequence of a given M and is a
result from [14] changed in order to allow an ADS to be used.
Theorem 4.3: Let G be a digraph representing M, A denote
an α ′-set and Gϒ = (V,E ∪Eϒ) for some Eϒ that satisfies the
following properties:
1) For each transition τ , with terminating state s j, Eϒ
contains one edge representing τ followed by a path
whose label is either D j/λ (s j,D j)Tj or is from A.
2) For every α ′-sequence αk ∈A, Eϒ contains one edge that
represents a path with label αk or a transition τ followed
by a path with label αk.
3) Every edge from Eϒ represents a path whose label is
an α ′-sequence or a transition τ , with terminating state
s j, followed by a path whose label is either a sequence
from A or D j/λ (s j,D j)Tj.
Let us suppose that Γ is a tour of Gϒ that contains every
edge from Eϒ. Let e ∈ Eϒ represent the transition verification
path for a transition τ whose terminating state is s1. Let
Γ′ denote Γ with e replaced by the corresponding sequence
e1, . . . ,ek of edges from G (so e1 represents τ) and let P denote
the path formed by starting Γ′ with edge e2. Let G[EC] denote
the digraph induced by the set of edges in P that are not in
Eϒ and let us suppose that G[EC] is acyclic. If Q = label(P)
then QD1/λ (s1,D1) is a checking sequence of M.
Proof:
A proof by contradiction will be produced: assume that
QD1/λ (s1,D1) does not represent a checking sequence. Then,
by Theorem 3.3, some of the nodes of P are not θ -recognized
in QD1/λ (s1,D1). As every node following an edge from
Eϒ is θ -recognized in QD1/λ (s1,D1), any node that is not
recognized must follow an edge from EC.
It is possible to place a partial order ∝ on the vertices of Gϒ
such that vi ∝ v j if and only if there is a path in G[EC] from vi
to v j. This partial order can be extended to the nodes, which
are ordered according to their corresponding vertices. Amongst
the nodes that are not θ -recognized in QD1/λ (s1,D1), take
some ni that represents a vertex that is minimal according
to ∝. There may be more than one such node, but any one
will suffice. Clearly, i cannot be 1 as n1 is θ -recognized in
QD1/λ (s1,D1) as s1 by D1.
It is sufficient to look at the node ni−1 that precedes ni. The
edge from ni−1 to ni must represent some transition t that is
represented by an edge in EC, as its terminating node is not
θ -recognized in QD1/λ (s1,D1), and thus ni−1 ∝ ni. By the
minimality of ni, ni−1 is θ -recognized in QD1/λ (s1,D1).
The path P contains an edge e, from node n j to n j+1 say,
that tests t. As n j ∝ ni, by the minimality of ni the node n j must
be θ -recognized in QD1/λ (s1,D1). Thus, in e, the transition
t exists within a context in which it is followed by some path
with label Dl/λ (sl,Dl)Tl (possibly as part of an α ′-sequence)
and its starting node is θ -recognized in QD1/λ (s1,D1). Thus,
by the definition of a node being θ-recognized, as ni−1 is
θ-recognized in QD1/λ(s1,D1) we have that ni is θ-recognized
in QD1/λ(s1,D1). This provides a contradiction as required.
We now investigate the problem of producing a minimal
length tour satisfying these conditions. We produce a network
W from G = (V,E) and derive the minimum cost/maximum
flow (min cost/max flow) F of W . W has vertex set {s,t}∪
{s′1, . . . ,s′n}∪{t ′1, . . . ,t ′n} with source s and sink t. A node of
the form s′i represents being in state si after a transition being
tested and before an α ′-sequence or Di/λ (si,Di)Ti and the
t ′i represent nodes before the start of a transition verification
path. The edges are defined by the following.
1) For each $i$, there is an edge from $s$ to $s'_i$ with capacity
$\mathit{indegree}_E(v_i)$ and cost 0 since each edge of $G$ with
terminating vertex $v_i$ represents a transition that needs
to be followed by a path whose label is an α′-sequence
or $D_i/\lambda(s_i,D_i)T_i$.
2) For each $i$, there is an edge from $t'_i$ to $t$ with capacity
$\mathit{outdegree}_E(v_i)$ and cost 0 as $\mathit{outdegree}_E(v_i)$ edges
leaving $v_i$ represent transitions to be tested.
3) For each $\alpha_k \in A$ from $v_i$ to $v_j$ there is an edge from $s'_i$
to $t'_j$ with capacity 1 and cost $|\alpha_k|$ that represents the
execution of $\alpha_k$ for verifying a transition.
4) For states $s_i$ and $s_j$ that are the starting and terminating
states of a path with label $D_i/\lambda(s_i,D_i)T_i$ there is
an edge from $s'_i$ to $t'_j$ with capacity
$\mathit{indegree}_E(v_i) - \mathit{outdegree}_{E_{\alpha'}}(v_i)$ and cost $|D_i/\lambda(s_i,D_i)T_i|$. This edge
represents the use of the sequence $D_i/\lambda(s_i,D_i)T_i$ to
θ-recognize the terminating state of a transition in a
transition verification path. The capacity is the number
of transitions that will be followed by a path with label
$D_i/\lambda(s_i,D_i)T_i$ but not an α′-sequence in the tour.
5) For each transition from $s_i$ to $s_j$ there is an edge from
$t'_i$ to $t'_j$ with infinite capacity and cost 1 representing an
edge used to connect elements of $E_\Upsilon$.
The execution of (si,s j,x/y) as part of a transition verifi-
cation path is represented by flow from t ′i to t and flow from
s to s′j while the execution of D j/λ (s j,D j)Tj for verifying a
transition is represented by flow from s′j to some t ′k.
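The network W above and its min cost/max flow, as an added example that is not the authors' code. The transition list, the per-state D_i/λ(s_i,D_i)T_i data and the single α′-sequence are constructed, and the successive-shortest-path solver is one standard choice rather than an algorithm the paper prescribes.

```python
"""Network W of the adapted HIU06 method and its min cost/max flow."""
from collections import deque

INF = float("inf")

# Constructed inputs for a 3-state, 2-input machine (states numbered 1..3).
TRANSITIONS = [(1, 2), (1, 3), (2, 3), (2, 1), (3, 1), (3, 2)]  # edges of G
# D_i/lambda(s_i, D_i)T_i per state s_i: (terminating state, length).
RECOGNISE = {1: (3, 2), 2: (3, 1), 3: (2, 2)}
# alpha'-set A as (starting state, terminating state, length |alpha_k|).
ALPHAS = [(1, 2, 7)]

class Network:
    def __init__(self):
        self.adj = {}      # node -> indices of outgoing residual edges
        self.edges = []    # [head, residual capacity, cost]; edge i^1 is the reverse

    def add(self, u, v, cap, cost):
        """Add edge u->v plus its zero-capacity reverse; return the edge index."""
        idx = len(self.edges)
        for a, b, c, w in ((u, v, cap, cost), (v, u, 0, -cost)):
            self.adj.setdefault(a, []).append(len(self.edges))
            self.edges.append([b, c, w])
        return idx

    def min_cost_max_flow(self, s, t):
        flow = cost = 0
        while True:
            # Queue-based Bellman-Ford shortest path in the residual graph.
            dist = {n: INF for n in self.adj}
            dist[s], via, queue = 0, {}, deque([s])
            while queue:
                u = queue.popleft()
                for i in self.adj[u]:
                    v, cap, w = self.edges[i]
                    if cap > 0 and dist[u] + w < dist[v]:
                        dist[v], via[v] = dist[u] + w, i
                        queue.append(v)
            if dist[t] == INF:
                return flow, cost
            push, v = INF, t            # bottleneck capacity along the path
            while v != s:
                push = min(push, self.edges[via[v]][1])
                v = self.edges[via[v] ^ 1][0]
            v = t
            while v != s:               # augment along the path
                i = via[v]
                self.edges[i][1] -= push
                self.edges[i ^ 1][1] += push
                v = self.edges[i ^ 1][0]
            flow += push
            cost += push * dist[t]

def build_w():
    """Return W and the indices of its t'_i -> t'_j connecting edges."""
    indeg = {i: 0 for i in RECOGNISE}
    outdeg = dict(indeg)
    for i, j in TRANSITIONS:
        outdeg[i] += 1
        indeg[j] += 1
    alpha_out = {i: sum(1 for a in ALPHAS if a[0] == i) for i in RECOGNISE}
    w = Network()
    for i, (j, length) in RECOGNISE.items():
        w.add("s", f"s'{i}", indeg[i], 0)                            # edge type 1
        w.add(f"t'{i}", "t", outdeg[i], 0)                           # edge type 2
        w.add(f"s'{i}", f"t'{j}", indeg[i] - alpha_out[i], length)   # edge type 4
    for i, j, length in ALPHAS:
        w.add(f"s'{i}", f"t'{j}", 1, length)                         # edge type 3
    connecting = {(i, j): w.add(f"t'{i}", f"t'{j}", INF, 1)          # edge type 5
                  for i, j in TRANSITIONS}
    return w, connecting

def solve():
    """Return (max flow, cost(F), flow on each used connecting edge)."""
    w, connecting = build_w()
    flow, cost = w.min_cost_max_flow("s", "t")
    used = {arc: w.edges[i ^ 1][1] for arc, i in connecting.items()
            if w.edges[i ^ 1][1] > 0}
    return flow, cost, used

if __name__ == "__main__":
    print(solve())
```

The connecting edges that carry flow here are (2, 1) and (3, 1), which form an acyclic subgraph of G as Lemma 4.4 requires.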
The min cost/max flow F is found and this can be produced
in low order polynomial time (see, for example, [1]). As in
[14], we produce a digraph G′ = (V ′,E ′) on the basis of F .
G′ has vertex set V ′ = {a1, . . . ,an}∪{b1, . . .bn} and edge set
E ′ that is defined by the following.
1) For each transition τ from si to s j in M there is an edge
from bi to a j representing the execution of τ as part of
a transition verification path.
2) Given an edge from s′i to t ′j in W with flow f in F
there are f corresponding edges from ai to b j, each
representing the use of some αk or Di/λ (si,Di)Ti.
3) Given an edge from t ′i to t ′j in W with flow f in F , there
are f corresponding edges from bi to b j, representing
the execution of transitions used to connect transition
verification paths.
As flow is conserved at vertices the digraph G′ is symmetric
and so if G′ is connected then it has an Euler Tour Γ [9]
and from this we can produce a checking sequence of length
cost(F) + n × p + |D|, where cost(F) denotes the cost of the
flow F. If G′ is not connected then a set of tours can be
produced; these tours can be connected by adding
further transitions in an identical way to that described in [14].
We now choose an edge e in Γ that represents a transition
verification path for a transition with terminating state s1 and
in Γ we replace e by the corresponding sequence e1, . . . ,ek of
edges from G to give a tour Γ′. We start Γ′ with e2 to form a
path P with label Q. The I/O sequence QD1/λ (s1,D1) forms
a checking sequence of M. Algorithm 3 summarizes this.
Algorithm 3 checking sequence generation algorithm [14]
1: Input M, ADS θ of M and α ′-set A with transfer sequences
T1, . . . ,Tn.
2: Produce network W and a min cost/max flow F for W .
3: Generate the digraph G′.
4: if G′ is strongly connected then
5: produce an Euler Tour Γ of G′; otherwise produce a set of tours and connect these tours to form a single tour Γ.
6: end if
7: Choose an edge e in Γ that represents a transition verifi-
cation path for a transition with terminating state s1.
8: Replace e in Γ by the sequence e1, . . . ,ek of edges of G
that correspond to e to form Γ′.
9: Let P denote the path produced by starting Γ′ with e2.
10: Let Q = label(P).
11: Return the I/O sequence QD1/λ (s1,D1).
The proof of the following is identical to the proof of the
corresponding result in [14].
Lemma 4.4: The set of edges between the t ′i , with non-zero
flow in F , defines an acyclic subgraph of G.
We now prove that Algorithm 3 produces a checking
sequence.
Theorem 4.5: The I/O sequence produced by Algorithm 3
is a checking sequence of M.
Proof: By Lemma 4.4 the set of edges between the t ′i , that
have non-zero flow in F , define an acyclic digraph. Further,
each edge from Eϒ is included in the resultant sequence. The
result thus follows from Theorem 4.3.
The time complexity is identical to that of the algorithm
given in [14], which is $O(pn^2 \log n)$.
V. EXPERIMENTAL STUDY
In this section we describe the experiments carried out to
compare the performance of the checking sequence generation
methods when PDSs and ADSs are used. Below an
“improvement” will mean an improvement that is obtained
when an ADS is used instead of a PDS. Therefore, a negative
improvement will mean that the method performs better when
a PDS is used.
For the experiments, deterministic, minimal, completely
specified FSMs with PDSs and that are represented by strongly
connected digraphs were used. These FSMs were randomly
generated as follows. To generate such a random FSM with
n states, p inputs and q outputs, first a random digraph with
n nodes, each with outdegree p, was created by randomly
assigning the terminating vertex of an edge to be any one of
the n vertices. We required strongly connected digraphs so
the set of strongly connected components was found. If there
were more than one such component, then a set of edges was
picked from each component (which we call free edges) such
that the removal of these edges did not stop this component
being strongly connected. The terminating vertices of the free
edges were reassigned randomly to vertices in other strongly
connected components. This redirection of the free edges was
performed iteratively until a strongly connected graph was
formed. Once a strongly connected graph was formed, p input
labels were randomly assigned to the p outgoing edges of each
node. The output labels were randomly assigned to the edges
in the graph where q = p. This was followed by a minimality
check and then a check for the existence of a PDS. If the FSM
passed both of these tests, then it was included in the
set of FSMs to be used for the experimental study.
Note that using ADSs for checking sequence generation is
obviously superior to using PDSs when FSMs without a PDS
but with an ADS are considered. In order to understand how
the performance of the checking sequence generation methods
is improved when both a PDS and an ADS exist, FSMs with a
PDS were used (which also implies the existence of an ADS
for these FSMs). No special type of PDS or ADS was searched
for and the distinguishing sequences that were found first were used.
There were 10 groups of FSMs where each FSM in the
same group has the same number of states n, where n ∈
{10,20, . . . ,100}. There were 800 FSMs in each group, hence
there were 8000 FSMs in total.
One performance measure for the checking sequence gen-
eration methods is the time it takes to generate checking
sequences. The generation of PDS and ADS can be consid-
ered as part of the checking sequence generation methods.
However, it is not the aim of this work to compare the
time performances of PDS and ADS generation methods.
Therefore in our measurements we consider only the time for
the methods to form checking sequences by using a given
PDS or ADS.
Time requirements of the methods should not be affected
noticeably by the type of the distinguishing sequence used.
The experiments support this expectation. The percentage
execution time differences between PDS and ADS cases are
very small, and quickly approach 0 as the size of the
FSMs increases. Figure 1 presents the results in terms of the
average percentage decrease in the time it takes to construct
checking sequences if ADSs are used instead of PDSs. As can
be seen from the figure, using ADSs can occasionally increase
the time requirement (negative values in the figure).
Fig. 1. Improvement in time for generating checking sequences (x-axis: # of states; y-axis: Average Improvement in Time; series: HEN64, UWZ97, HIU06).
Fig. 2. Improvement in the length of checking sequences (x-axis: # of states; y-axis: Average Improvement in Length; series: HEN64, UWZ97, HIU06).
Another and possibly more important performance measure
is the improvement on the length of the checking sequences.
In other words, how much shorter will checking sequences
get when ADSs are used instead of PDSs? The results of the
experiments in this aspect are shown in Figure 2 and Figure 3.
As the size of the FSMs increases, an improvement of at
least 10% is obtained. Depending on the method, the average
improvement can be as high as 20-25%. When individual
FSMs are considered, it is possible that for some FSMs the
checking sequences generated by using ADSs are longer than
the ones generated by using the PDSs. This happens in around
20% of the cases when we consider the FSM set with 10
states only, but quickly decreases as we consider larger and
larger FSMs and is seen only in (less than) 1% of the cases for
the FSMs with 100 states. However, on the average there is a
consistent improvement.
We also explored the minimum and maximum improve-
ments in checking sequences for each method and how these
varied with the number of states. As the size of the FSMs
increases, the minimum improvement on the length of the
checking sequences also increases. For the methods HEN64
and HIU06, when we consider FSMs with 90 and 100 states,
we see that minimum improvement is not negative. In other
words among the 800 FSMs in these two groups there is not
one single FSM for which using ADS causes the generation
of a longer checking sequence than using PDS. The maximum
improvement is more or less steady around 25%, 30% and 60%
for the methods UWZ97, HIU06 and HEN64 respectively.
Fig. 3. Length of checking sequences (x-axis: # of states; y-axis: Average Checking Sequence Length; series: HEN64(PDS), HEN64(ADS), UWZ97(PDS), UWZ97(ADS), HIU06(PDS), HIU06(ADS)).
Note that although it is possible to get an exponential
reduction in length by using ADS instead of PDS, this will be
realized when an FSM with exponentially long PDS is used,
which did not appear to happen in any one of our randomly
generated test FSMs. Also note that we do not compare the
performance of the methods considered here to the methods
originally defined by using ADS (e.g. [3], [6]) as the main
focus of this paper is to see the performance in those methods
originally defined by using PDS when switched to ADS.
VI. CONCLUSION
A checking sequence generated from an FSM is guaranteed
to lead to failures in a faulty implementation of this FSM un-
der some commonly advocated assumptions. Many checking
sequence generation methods are based on the use of a PDS
that distinguishes the states of an FSM, despite the negative
computational complexity results regarding the existence and
length of PDSs.
This paper has investigated the use of ADSs for the con-
struction of checking sequences. One of the benefits of using
an ADS, rather than a PDS, is that there are FSMs for which
there exists an ADS but no PDS and the converse is not the
case. Further, in contrast to PDSs, there are polynomial time
algorithms that decide whether an FSM has an ADS and, if it
does, generate such an ADS.
We have shown that when a checking sequence is being
produced, ADSs can be used in place of PDSs. In addition,
recent checking sequence generation algorithms are based on
a sufficient condition by Ural et al. [22] and we have proved
that the corresponding result holds for ADSs. We have also
shown how several checking sequence generation algorithms
can be altered to use ADSs. Experimental results showed that
the checking sequences constructed by using ADSs are almost
consistently shorter than those based on PDSs.
ACKNOWLEDGMENT
This work was supported in part by grants from the Natural
Sciences and Engineering Research Council of Canada, the
Ontario Centers of Excellence, the Marie Curie project
MRTN-CT-2003-505121/TAROT, and Sabancı University.
REFERENCES
[1] A. V. Aho, A. T. Dahbura, D. Lee, and M. U. Uyar, “An optimization
technique for protocol conformance test generation based on UIO
sequences and Rural Chinese Postman Tours,” in Protocol Specification,
Testing, and Verification VIII. Atlantic City: Elsevier (North-Holland),
1988, pp. 75–86.
[2] R. Boute, “Adaptive design methods for checking experiments,” Digital
Systems Laboratory, Stanford University, Tech. Rep. 30, July 1972.
[3] ——, “Distinguishing sets for optimal state identification in checking
experiments,” Computers, IEEE Transactions on, vol. C-23, no. 8, pp.
874–877, August 1974.
[4] J. Chen, R. M. Hierons, H. Ural, and H. Yenigün, “Eliminating redundant
tests in a checking sequence,” in TestCom, ser. Lecture Notes in Computer
Science, F. Khendek and R. Dssouli, Eds., vol. 3502. Springer,
2005, pp. 146–158.
[5] T. S. Chow, “Testing software design modeled by finite-state machines,”
IEEE Trans. Softw. Eng., vol. 4, no. 3, pp. 178–187, 1978.
[6] A. da Silva Simão and A. Petrenko, “Generating checking sequences
for partial reduced finite state machines,” in TestCom/FATES, 2008, pp.
153–168.
[7] A. Dahbura, K. Sabnani, and M. Uyar, “Formal methods for generating
protocol conformance test sequences,” Proceedings of the IEEE, vol. 78,
no. 8, pp. 1317–1326, 1990.
[8] S. Fujiwara, G. von Bochmann, F. Khendek, M. Amalou, and
A. Ghedamsi, “Test selection based on finite state models,” IEEE Trans.
Softw. Eng., vol. 17, no. 6, pp. 591–603, 1991.
[9] A. Gibbons, Algorithmic Graph Theory. Cambridge University Press,
1985.
[10] A. Gill, Introduction to the Theory of Finite-State Machines. New-York:
McGraw-Hill, 1962.
[11] G. Gonenc, “A method for the design of fault detection experiments,”
IEEE Trans. Comput., vol. 19, no. 6, pp. 551–558, 1970.
[12] F. C. Hennie, “Fault-detecting experiments for sequential circuits,” in
Proceedings of Fifth Annual Symposium on Switching Circuit Theory
and Logical Design, Princeton, New Jersey, November 1964, pp. 95–110.
[13] R. M. Hierons and H. Ural, “Reduced length checking sequences,” IEEE
Trans. Comput., vol. 51, no. 9, pp. 1111–1117, 2002.
[14] ——, “Optimizing the length of checking sequences,” IEEE Trans.
Comput., vol. 55, no. 5, pp. 618–629, 2006.
[15] R. M. Hierons, G.-V. Jourdan, H. Ural, and H. Yenigun, “Using adaptive
distinguishing sequences in checking sequence constructions,” in SAC
’08: Proceedings of the 2008 ACM Symposium on Applied computing.
New York, NY, USA: ACM, 2008, pp. 682–687.
[16] I. Kohavi and Z. Kohavi, “Variable-length distinguishing sequences
and their application to the design of fault-detection experiments,”
Computers, IEEE Transactions on, vol. C-17, no. 8, pp. 792–795, Aug.
1968.
[17] D. Lee and M. Yannakakis, “Testing finite-state machines: State
identification and verification,” IEEE Trans. Comput., vol. 43, no. 3, pp.
306–320, 1994.
[18] ——, “Principles and methods of testing finite state machines - A
survey,” in Proceedings of the IEEE, vol. 84, 1996, pp. 1090–1126.
[Online]. Available: citeseer.ist.psu.edu/lee96principles.html
[19] K. S. Sabnani and A. Dahbura, “A protocol test generation procedure,”
Comput. Netw. ISDN Syst., vol. 15, no. 4, pp. 285–297, 1988.
[20] M. N. Sokolovskii, “Diagnostic experiments with automata,”
Kibernetika, no. 6, pp. 44–49, 1971.
[21] K. T. Tekle, H. Ural, M. C. Yalcin, and H. Yenigün, “Generalizing
redundancy elimination in checking sequences,” in ISCIS, ser. Lecture
Notes in Computer Science, P. Yolum, T. Güngör, F. Gürgen, and
C. Özturan, Eds., vol. 3733. Springer, 2005, pp. 915–926.
[22] H. Ural, X. Wu, and F. Zhang, “On minimizing the lengths of checking
sequences,” IEEE Trans. Comput., vol. 46, no. 1, pp. 93–99, 1997.
