Abstract
Controllability and observability problems may manifest themselves during the application of a checking sequence in a test architecture where there are multiple remote testers. These problems often require the use of external coordination message exchanges among testers during testing. However, the use of coordination messages requires the existence of an external network that can increase the cost of testing and can be difficult to implement. In addition, the use of coordination messages introduces delays and this can cause problems where there are timing constraints. Thus, sometimes it is desired to construct a checking sequence from the specification of the system under test that will be free from controllability and observability problems without requiring the use of external coordination message exchanges. This paper gives conditions under which it is possible to produce such a checking sequence, using multiple distinguishing sequences, and an algorithm that achieves this.
most from automated test generation is model based testing [1, 13, 16] where a model of the software under test is used for generating tests. A particular area of application of model based testing is system level testing of reactive systems where the required externally observable behaviour of the system under test (SUT) is modelled by a syntactically finite representation of all possible valid sequences of interactions of the system components with their external environment. Within the context of testing state-based systems, the externally observable behaviour of the SUT is typically expressed in terms of a Finite State Machine (FSM) M.
Then the system testing of the SUT is carried out by applying a test sequence, that has been generated from M, at its interfaces with its environment. In some cases it is possible to produce a checking sequence: a test sequence that is guaranteed to determine whether the SUT behaves as specified in the FSM M representing its desired behaviour [14, 15, 19, 23, 44]. A test or checking sequence is applied within a given test architecture and the resulting output sequence is checked against the FSM M.
A multi-port FSM can be used to express the expected externally observable behaviour of potential implementations of a distributed system which can have multiple interfaces, called ports. In a multi-port FSM, each transition is labelled with an input from a port and an output vector consisting of a (possibly empty) output to each port. In system testing of a distributed system N, a distributed test architecture can be used where a tester is placed at each port of the SUT N, the testers cannot communicate with one another and there is no global clock.
During the application of a checking sequence to N in a distributed test architecture, the use of multiple testers introduces the possibility of coordination problems amongst remote testers (see, for example, [2, 4, 5, 8, 11, 12, 17, 24, 36, 37, 41, 42, 43, 45, 47]). These potential problems are known as controllability and observability problems. These problems occur if a tester cannot determine either when to apply a particular input to N, or whether a particular output from N was generated in response to a specific input, respectively. The controllability (synchronization) problem occurs when the tester at a port p is expected to send an input to N after N responds to an input from the tester at some q ≠ p, without sending an output to p. For example, consider a distributed test architecture in which there are remote testers at two ports U and L. If the input of x at port U is expected to lead to output y at U only and this is to be followed by input x at L then the tester at L does not know when to send x since it did not observe either x or y. The observability problem occurs when the tester at some port p is expected to receive an output from N in response to a given input and is unable to determine when to start and stop waiting. Observability problems hamper the detectability of output-shifting faults in N, i.e. an output associated with the current input is generated by N in response to either some earlier input or some later input. Let us suppose, for example, that in testing the input of x at U is expected to lead to the output of y_U at U and y_L at L, this is to be followed by input x at U, and this should result in the output of y_U at U. Then, the expected sequences of observations are seen by each tester if instead the input of x leads to output of y_U at U and then the input of x leads to output y_U at U and y_L at L: the tester at U sees x y_U x y_U and the tester at L sees y_L.
The use of the distributed test architecture can lead to controllability and observability problems and so can make test generation complex and reduce test effectiveness. However, if the interfaces are physically distributed then the alternative is to connect the testers through an external network. The deployment of such a network can make testing more expensive and the delays introduced by the exchange of external coordination messages between testers can make testing take longer. In addition, the exchange of such messages between testers can lead to delays that mean that some tests with timing constraints cannot be implemented. For example, let us suppose that we wish to follow input x at port p_i by input x at port p_j ≠ p_i and this is to be achieved by an external coordination message being sent from the tester at p_i to the tester at p_j after the input of x. If the external coordination messages take time t to arrive and the input of x must occur within time t of x with t < t then this approach will not work. The timing issues can be particularly problematic if the SUT responds rapidly relative to the network used for external coordination messages. See [31] for a discussion of some timing issues that arise when using external coordination messages. Naturally, if we have access to the source code of the SUT, and potentially can change this, there are other ways of overcoming these problems.
This paper considers the problem of testing from an FSM in the distributed test architecture where the focus is system level testing. This problem has largely been studied in the context of protocol conformance testing. However, it is potentially relevant whenever testing a deterministic state-based system that has physically distributed interfaces. If the system is implemented through a set of state-based subsystems that interact, then there is the potential to combine the FSM models of these subsystems to form a single FSM for system level testing. However, if the focus of testing is unit level or integration testing then Communicating FSM (CFSM) based models can be employed to facilitate automated test generation where interactions among the subsystems are taken into consideration [9]. Naturally, distributed systems are often nondeterministic and it would thus be interesting to extend the work to the problem of testing from a nondeterministic FSM in this architecture. However, there is the potential to adapt approaches, such as the one given in this paper, to testing from a deterministic FSM by using deterministic testing: test methods that make a nondeterministic distributed system behave in a deterministic manner during testing by forcing a given sequence of interleavings to occur (see, for example, [18, 26, 34, 35]).
This paper makes the following contributions. It gives a method for constructing checking sequences from multiport FSMs that can be applied in a distributed test architecture without encountering controllability and observability problems and without using external coordination messages among testers. First we show how a checking sequence can be produced where there are controllability problems but not observability problems. This is the case, for example, when a global clock can be used to timestamp the inputs and outputs and it is guaranteed that all of the outputs produced in response to an input are observed before the next input. We then show how this can be extended to a checking sequence in the case where there can be observability problems. Naturally, since such checking sequences do not always exist, the algorithms work under certain stated assumptions. This is the first paper that shows how such checking sequences can be produced without using a reliable reset operation.¹ In this paper we rely on the existence of distinguishing sequences² for state verification rather than alternatives such as unique input/output sequences or a characterization set. This choice was made because even for single-port FSMs there is no known method for generating a polynomial size checking sequence using these alternative approaches for state verification. Note that some recent work has investigated the problem of checking the output of transitions while avoiding controllability and observability problems but this previous work assumes that each transition of the SUT has the correct final state [5, 6, 7].
¹ A reliable reset is a function that is guaranteed to take the implementation back to its initial state irrespective of its current state. The SUT need not have a reliable reset and even when it does the inclusion of resets can reduce test effectiveness and may require human involvement and thus greatly increase the cost of test execution [3, 20, 46].
² Given an FSM M, an input sequence is a distinguishing sequence for M if it leads to n different output sequences from the n different states of M. Distinguishing sequences are formally defined in Sect. 2.
The rest of the paper is organized as follows: Sect. 2 introduces the terminology used in this paper. Section 3 defines a property, of a set D of distinguishing sequences, that must hold in order for us to be able to use D to check the final state of each transition of the multi-port FSM M. Section 4 then gives an algorithm for generating a checking sequence that has no controllability problems. Section 5 introduces additional conditions and shows how, under these conditions, we can produce a checking sequence even if there can be observability problems. Finally, Sect. 6 gives the concluding remarks.
Preliminaries

Multi-port FSMs
A (deterministic) multi-port FSM M has m > 1 ports at which it interacts with its environment. -S is the finite set of states of M; 
is the sequence of input/output pairs x_1/y_1 x_2/y_2 ... x_k/y_k, which is called an input/output sequence. At times we will want to reason about the state of the SUT after a prefix of an input/output sequence and in order to assist with this we will consider an input/output sequence ,x) ). Any FSM can be converted into an equivalent globally minimal FSM: this process is equivalent to the minimization of a single-port FSM and for an n state FSM with p inputs this can be achieved in time of O(pn log n) [25]. Throughout this paper we thus assume that any FSM considered is globally minimal.
In order to reason about test effectiveness it is normal to use a fault model: a set Φ_M of FSMs such that we believe that the SUT behaves like an unknown element of Φ_M [29]. The purpose of the fault model is to capture the types of faults that it is believed can occur and to therefore make it possible to reason about test effectiveness. We use a standard fault model Φ_M from protocol conformance testing, which is the set of FSMs that have the same input and output alphabets as M and no more states than M. Input sequence x̄ is a checking sequence if x̄ distinguishes M from every element of Φ_M that is not equivalent to M. In this paper we are concerned with the problem of generating a checking sequence and thus obtaining a sequence that provides full fault coverage with respect to the fault model. We will see that the notions of equivalence of SUT N ∈ Φ_M and M and distinguishing N from M depend upon the test architecture used and whether there can be observability problems.
There are several benefits to producing a checking sequence rather than a test sequence that, for example, includes subsequences that aim to check each transition of M. First, we know that if the SUT passes a checking sequence then either it is correct or our initial assumption was incorrect: the SUT is not equivalent to a member of the fault model. This gives information regarding the types of faults that can be missed and provides some guarantees. Second, there is experimental evidence that checking sequences are more effective in distinguishing between an FSM M and faulty FSMs [10]. Naturally, there is scope for using a larger fault model, such as the set of FSMs with the same input and output alphabets as M and at most δ extra states for some predetermined δ as it was shown in [33] but the use of such fault models in the problem studied in this paper is a topic for future work. It would also be interesting to extend this test method to the case where the externally observable behaviour of the system is modelled as a nondeterministic FSM.
The distributed test architecture
An FSM M defines the set of expected global behaviours of any potential implementation. Each expected global behaviour is expressed as the label of a sequence of transitions from M. An expected global behaviour is called a global input/output sequence.
Testing SUT N ∈ Φ_M whose expected externally observable behaviour is defined by FSM M can be carried out as a fault detection experiment [14, 19] in a specific test architecture. Two standardized architectures [28] are shown in Fig. 1 for a two-port SUT. The two ports, U and L, represent the upper interface and lower interface of the SUT respectively. The local architecture in Fig. 1a has a global tester that controls and observes both interfaces of the SUT. Figure 1b shows the distributed test architecture where the lower interface and the upper interface of the SUT are controlled and observed by separate testers. Each tester applies its own local view constructed from a global input/output sequence for the SUT. In the local view, a tester cannot observe the inputs or outputs of the other testers.
In Fig. 1b there is no global tester. Instead, U and L are two remote testers that are required to coordinate the application of a global input/output sequence. However, they cannot directly communicate with one another and there may be no global clock. This requirement can lead to controllability and observability problems that are defined below.
Controllability (synchronization) and observability problems
Let us suppose that in testing input x at port U is expected to lead to output y_U at U only and this is to be followed by the input of x at L. Then we have a controllability problem since the tester at L does not observe either the input or output from the previous transition and so does not know when to send input x to the SUT. In general, given an FSM M and input/output sequence An input/output sequence is synchronizable if it is the label of a synchronizable transition sequence. An FSM may have properties that make it inherently untestable within the distributed test architecture without using external coordination messages. For example, there may be no synchronizable input/output sequence that is the label of a path that includes a particular transition τ, in which case we cannot test transition τ without introducing a controllability problem. We thus make the following assumption regarding M.
Assumption 1 For every pair τ, τ of transitions of M there is some synchronizable transition sequence ρ̄
Given transitions τ and τ there are low order polynomial algorithms for producing such a minimal length transition sequence based on a directed graph in which paths correspond to synchronizable transition sequences (see, for example, [17]).
In the distributed test architecture each tester sees only the behaviour at a single port. Suppose that a sequence of interactions has occurred. Then the tester at each port sees only a portion of this: the parts that involved that port. We call this the actual local behaviour. The tester compares this with the expected local behaviour. If z̄ is an input/output sequence then we use π_p(z̄) to denote the corresponding sequence of inputs and outputs at port p. The projection function π_p can be defined by the following in which z̄ is an input/output sequence and x is an input.
Suppose the distributed test architecture is being used in testing SUT N ∈ Φ_M against an FSM M where m = 2 and the ports of M are denoted U and L. Suppose also that x x is to be input when M is in state s, x, x ∈ X_U, x is expected to trigger output (y_U, y_L) and x is expected to trigger output (y_U, −). Then x y_U x y_U should occur at U and y_L should be observed at L. This is the case if (y_U, −) is produced in response to x and (y_U, y_L) is produced in response to x. Since each tester only sees the interactions at its port, neither tester can observe these output faults⁵ in this subsequence: the two output faults mask one another. This situation is represented in Fig. 2 in which the differences in the two sequences of interactions cannot be observed by either tester. Naturally, we want to use tests in which output faults cannot mask one another in this way. Note that if x had been from X_L, this combination of faults would have been detected by the tester at L since x y_L would have occurred rather than y_L x.
The faults described above mask one another because the correct value y_L is observed at L, but due to the wrong transition, and the tester at port L does not know when to stop waiting for y_L. This corresponds to the notion of an undetectable forward output-shifting fault.
Definition 1 Let τ ρ̄ τ denote a synchronizable path with
Suppose also that
⁵ An output fault is a fault in which a transition produces the wrong output.
A similar situation occurs if output at L is expected in response to x but not x and instead it was produced in response to x.
Definition 2 Let τ ρ̄ τ denote a synchronizable path with τ = (s_i, s_j, x/y) and τ = (s_j, s_k, x/y) and for some q ∈ [1, m] we have that y|_q = −, y|_q = o ≠ −, and no transition in ρ̄ has output at q. Suppose there are faults in which the output at p ∈ [1, m] is correct for τ and τ (for all p ≠ q) and at q the output in response to x is o and the output at q in response to x is −. This combination of faults is called a backward output-shifting fault [47]. It is an undetectable backward output-shifting fault if x ∈ X_q and no transition from ρ̄ has input at q; otherwise it is a detectable backward output-shifting fault.
Definition 3 A fault is an output-shifting fault [36] if it is either a forward output-shifting fault or a backward output-shifting fault. An output-shifting fault is a detectable output-shifting fault if it is either a detectable forward output-shifting fault or a detectable backward output-shifting fault; otherwise it is an undetectable output-shifting fault.
Where output is shifted between two adjacent transitions, such output-shifting faults have been called 1-output-shifting faults [2] . In this paper we consider the general case and not just 1-output-shifting faults.
The observability problem manifests itself in a checking sequence as an undetectable output-shifting fault. The following, which is proved in [22], relates the notion of an output-shifting fault being detectable to the definition of the projection π_p.
Fig. 3 The 2-port FSM M_0
Proposition 1 Given transitions τ and τ of M such that τ τ is synchronizable, an output-shifting fault in τ τ, which leads to the (faulty) transition sequence τ_1 τ_1 in SUT N ∈ Φ_M, is a detectable output-shifting fault if and only if there is some port p ∈ [1, m] such that π_p(τ τ) ≠ π_p(τ_1 τ_1).
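The two-port masking example and the controllability example above can be replayed mechanically. The following Python sketch is an added illustration, not code from the paper: it assumes the usual reading of the projection (a tester sees its own inputs and the outputs sent to its port, with an input preceding the outputs it triggers), and the symbols `x2`, `yU2` and the step encoding are constructed stand-ins for the second input and its output.

```python
"""Added example: local views (projections) and output-shifting faults."""
from typing import Dict, List, Optional, Tuple

# One step of a global input/output sequence:
#   (port of the input, input symbol, {port: output symbol})
# A port absent from the dict received the empty output "-".
Step = Tuple[str, str, Dict[str, str]]

PORTS = ["U", "L"]


def project(seq: List[Step], port: str) -> List[str]:
    """Local view at `port` (assumed definition of the projection pi_p)."""
    view: List[str] = []
    for in_port, symbol, outputs in seq:
        if in_port == port:
            view.append(symbol)          # the tester sent this input itself
        if port in outputs:
            view.append(outputs[port])   # output delivered to this port
    return view


def shift_output(seq: List[Step], src: int, dst: int, port: str) -> List[Step]:
    """Faulty behaviour: the output at `port` moves from step src to step dst."""
    shifted = [(p, x, dict(out)) for p, x, out in seq]
    if port not in shifted[src][2] or port in shifted[dst][2]:
        raise ValueError("not an output-shifting fault for this sequence")
    shifted[dst][2][port] = shifted[src][2].pop(port)
    return shifted


def detecting_ports(expected: List[Step], observed: List[Step]) -> List[str]:
    """Ports whose tester sees a difference; empty means the fault is masked."""
    return [p for p in PORTS if project(expected, p) != project(observed, p)]


def first_controllability_problem(seq: List[Step]) -> Optional[int]:
    """Index of the first input whose tester took no part in the previous step."""
    for i in range(1, len(seq)):
        prev_port, _, prev_out = seq[i - 1]
        involved = {prev_port} | set(prev_out)
        if seq[i][0] not in involved:
            return i
    return None


# Constructed sample sequences (symbols are illustrative).
# Both inputs at U: x/(yU, yL) followed by x2/(yU2, -).
EXPECTED_UU: List[Step] = [("U", "x", {"U": "yU", "L": "yL"}),
                           ("U", "x2", {"U": "yU2"})]
# Same outputs, but the second input is applied at L.
EXPECTED_UL: List[Step] = [("U", "x", {"U": "yU", "L": "yL"}),
                           ("L", "x2", {"U": "yU2"})]
# Input at U answered at U only, then an input at L: L cannot know when to send.
UNSYNCHRONIZABLE: List[Step] = [("U", "x", {"U": "y"}),
                                ("L", "x2", {})]

if __name__ == "__main__":
    for name, seq in [("UU", EXPECTED_UU), ("UL", EXPECTED_UL)]:
        faulty = shift_output(seq, 0, 1, "L")   # yL shifts forward by one step
        print(name, "fault seen at ports:", detecting_ports(seq, faulty))
    print("controllability problem at step:",
          first_controllability_problem(UNSYNCHRONIZABLE))
```

With both inputs at U the shifted output leaves every local view unchanged, so no tester detects the fault; with the second input at L the tester at L sees the input before the output and the fault is detected there.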
Globally distinguishing and locally distinguishing states
This subsection, which is based on [22] In the distributed test architecture, if the testers can access a global clock then they could record the times at which inputs were applied and outputs observed. This would allow the reconstruction of the global input/output sequence if communication is synchronous or all outputs in response to an input are observed before the next input is sent (there is a slow environment). If the input/output sequence can be reconstructed then there are no observability problems and so global distinguishability applies.
Consider the FSM M_0 given in Fig. 3 in which x_1, x_2 ∈ X_U, a_1, a_2 ∈ Y_U, and b ∈ Y_L. The input sequence x_1 x_2 is a distinguishing sequence since it leads to three different output sequences:
In M_0, x_1 x_2 globally distinguishes states s_1 and s_2. However, neither tester observes a difference since for each state the expected local behaviour at L is b and the expected local behaviour at U is x_1 a_1 x_2 a_2. In the distributed test architecture, if there is no global clock then x_1 x_2 does not distinguish between s_1 and s_2 since it is necessary to observe some different sequence of input and output values at one of the ports: there is an observability problem. Given state s and input sequence x̄, we use γ(s, x̄) to denote the input/output sequence resulting from applying x̄ when M is in state s. This can be recursively defined in the following manner: , x),x) . The function γ_N, for the SUT N, can similarly be defined. If input sequence x̄ is applied when M is in state s_i the sequence π_p(γ(s_i, x̄)) is observed at port p.
Definition 4
The following is proved in [22]. It is possible to extend the notion of a distinguishing sequence to the distributed test architecture where there can be observability problems and external coordination messages are not used. Input sequence x̄ is a locally distinguishing sequence for M if for all s_i, s_j ∈ S, s_i ≠ s_j, x̄ locally distinguishes s_i and s_j.
The problem of deciding whether an FSM has a distinguishing sequence is PSPACE-complete [32] . Thus, the problem of deciding whether an FSM has a locally distinguishing sequence is PSPACE-hard.
The proposed approach
Most checking sequence generation algorithms are based on a distinguishing sequence D̄. Typically, they produce a set of subsequences and connect these subsequences in order to produce a checking sequence. Some of the subsequences check that D̄ is a distinguishing sequence in the SUT and so D̄ defines a bijection (one-to-one correspondence) between the states of the model and the states of the SUT. The bijection for a distinguishing sequence D̄ is defined by: state s of M corresponds to state u of N if and only if the response of N to D̄ when in state u is the same as the response of M to D̄ when in state s. Other subsequences use D̄ to check the transitions of the SUT. In order to check a transition (s, s , x/y) we need to move to a state of the SUT that corresponds to s, apply input x, check that the SUT generates the output y and then apply D̄ to check that the SUT is in the correct state after the transition.
This paper adapts this approach to the case where we are testing in the distributed test architecture. Again, the test generation algorithm produces a set of subsequences that can be connected to form a checking sequence. Since a transition t must be followed by input at a port that is involved in t, we may require a set {D̄_1, ..., D̄_r} of distinguishing sequences rather than a single distinguishing sequence. Section 3 gives a sufficient condition under which D̄_1, ..., D̄_r can be used to check the final state of every transition. It is thus not sufficient to check that each D̄_i is a distinguishing sequence in the SUT and thus defines a bijection between the states of the SUT and the states of the model: it is essential that the distinguishing sequences define the same bijection. In Sect. 4, Algorithm 1 shows how we can generate subsequences that check that a single distinguishing sequence D̄_1 is also a distinguishing sequence in the SUT. Algorithm 2 shows how additional subsequences can be produced that use D̄_1 to check that D̄_1, ..., D̄_r are distinguishing sequences of the SUT that define the same bijection as D̄_1. Algorithm 3 then shows how we can devise subsequences that check a transition using D̄_1, ..., D̄_r and finally Algorithm 4 simply involves forming a single checking sequence from the subsequences returned by Algorithms 1, 2, and 3.
Using multiple distinguishing sequences
An input sequence D̄ is a (globally) distinguishing sequence for M if it produces n different output sequences from the n different states of M. If these n different output sequences are seen in response to D̄ in the SUT N ∈ Φ_M then since N has at most n states we know that D̄ is also a distinguishing sequence for N. Where this is the case, D̄ recognizes each state of N as a state of M. Since we are testing in the distributed test architecture we also require that for each state s of M the path from s with label D̄/λ(s, D̄) is synchronizable. The following adapts the definitions provided in [44] of what it means to recognize a node in a path ρ̄ and to verify a transition of M in the label (input/output sequence) Q̄ of ρ̄. The base case is that the distinguishing sequence recognizes its starting state. The recursive cases essentially say that if an input sequence x̄ is repeated in Q̄ and in the two cases we know that the current state of the SUT must be the same before x̄ is applied then the state of the SUT must be the same after these two occurrences of x̄.
In order to prove that an input/output sequence z̄ defines a checking sequence we will reason about the states of the SUT reached by prefixes of z̄ and thus how the nodes visited by z̄ correspond to states of M. This reasoning will be based on the use of distinguishing sequence D̄ and the assumption that this defines a bijection between the states of the SUT and M: later we will see how we can produce subsequences with the property that if an SUT passes a test that contains these subsequences then D̄ must define a bijection between the states of the SUT and M.
Definition 5
1. A node n_i of ρ̄ is d-recognized in Q̄ by D̄ as state s of M if D̄/λ(s, D̄) is the label of a subpath of Q̄ that starts at n_i. This says that, since we assume that D̄ defines a bijection between the states of M and those of the SUT, if a node n_i is followed by a subpath labelled by D̄/λ(s, D̄) then n_i must correspond to state s.
2. Suppose that (n_q, n_i, T̄) and (n_j, n_k, T̄) are subpaths of ρ̄ and D̄/λ(s, D̄) is a prefix of T̄ (and thus n_q and n_j are d-recognized in Q̄ by D̄ as state s). Suppose also that node n_k is d-recognized by D̄ as state s of M. Then n_i is t-recognized in Q̄ by D̄ as s. This says that if we know that two nodes n_q and n_j correspond to the same state, T̄ labels a path from n_j to n_k and we know that n_k corresponds to state s then if there is a path with label T̄ from n_q to n_i then, since the SUT is deterministic, n_i must correspond to state s.
3. Suppose that (n_q, n_i, T̄) and (n_j, n_k, T̄) are subpaths of ρ̄ such that n_q and n_j are either d-recognized or t-recognized in Q̄ by D̄ as state s and n_k is either d-recognized or t-recognized in Q̄ by D̄ as state s. Then n_i is t-recognized in Q̄ by D̄ as s. This extends the previous case to allow the nodes n_q, n_j, and n_k to be t-recognized rather than being d-recognized.
4. If node n_i of ρ̄ is either d-recognized or t-recognized in Q̄ by D̄ as state s then n_i is recognized in Q̄ by D̄ as state s. Where D̄ is clear we say that n_i is recognized in Q̄ as state s.
if there is a subpath (n_i, n_{i+1}, x_i/y_i) of ρ̄ such that n_i is recognized in Q̄ by D̄ as s_a, n_{i+1} is recognized in Q̄ by D̄ as s_b, x_i = x and y_i = y.
Given a transition τ of M, we use P(τ) to denote the set of ports that are involved in τ: the port that receives the input of τ and each port that receives nonempty output from τ. Transition τ can be followed by an input at port p, without causing a synchronization problem, if and only if p ∈ P(τ). Given an input sequence D̄, inport(D̄) denotes the port whose tester sends the first input from D̄.
A distinguishing sequence D̄ can only be used in order to verify the ending state of a transition τ, without causing a controllability problem, if it starts with an input at a port from P(τ). Thus, it may be necessary to use more than one distinguishing sequence, the different distinguishing sequences starting with input at different ports. Consider, for example, the 2-port FSM M_1 given in Fig. 4 that has input alphabet defined by X_L = {a, c} and X_U = {b} and output alphabet defined by Y_L = {2, 3} and Y_U = {0, 1}. Then D̄_1 = ba and D̄_2 = ab are locally distinguishing sequences for M_1, as can be seen from Table 1. Suppose we wish to use a set D = {D̄_1, ..., D̄_r} of distinguishing sequences to check the ending states of the transitions of M. If Υ denotes the transitions of M then D must satisfy the following.
Definition 6 The set D is complete for M if for every transition τ ∈ Υ there exists some D̄ ∈ D such that inport(D̄) ∈ P(τ).
Given a set K and a set A of subsets of K (A ⊆ P(K)), a set K ⊆ K is a hitting set for A if every set in A contains at least one element of K. Let in(D) denote {inport(D̄) | D̄ ∈ D}. Further, let in(Υ) denote {P(τ) | τ ∈ Υ}. Then the set D is complete for M if and only if for every A ∈ in(Υ) there exists some p ∈ in(D) such that p ∈ A.
Proposition 3 The set D is complete for M if and only if in(D) is a hitting set for in(Υ).
Suppose Z is a minimum size hitting set for in(Υ). Then, any set D of distinguishing sequences to be used must have size at least |Z|. Thus it is desirable to use a set D of distinguishing sequences with the property that in(D) is a minimum size hitting set for in(Υ). Note that while the problem of finding a minimum size hitting set is NP-complete [30], normally the number of ports will not be large; in such cases it is practical to solve this problem. Throughout this paper we use D = {D̄_1, ..., D̄_r} to denote a complete set of distinguishing sequences to be used in checking sequence generation.
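The completeness condition of Definition 6 and the hitting-set formulation of Proposition 3 can be checked directly from the transition list. The Python sketch below is an added illustration rather than the paper's algorithm: it uses the alphabets and the sequences ba and ab given for M_1, but the three transitions are constructed for the example (the transition structure of Fig. 4 is not reproduced here), and the minimum hitting set is found by exhaustive search over port subsets, which is practical when the number of ports is small.

```python
"""Added example: P(tau), completeness of D and a minimum hitting set."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Alphabets of M_1 as given in the text: X_L = {a, c}, X_U = {b}.
INPUT_PORT: Dict[str, str] = {"a": "L", "c": "L", "b": "U"}

# A transition: (start state, end state, input symbol, {port: nonempty output}).
Transition = Tuple[str, str, str, Dict[str, str]]

# Constructed transitions (NOT those of Fig. 4); outputs respect
# Y_L = {2, 3} and Y_U = {0, 1}.
TRANSITIONS: List[Transition] = [
    ("s1", "s2", "a", {"L": "2"}),             # involves L only
    ("s2", "s3", "b", {"U": "0"}),             # involves U only
    ("s3", "s1", "c", {"U": "1", "L": "3"}),   # involves L and U
]

# The two distinguishing sequences named in the text.
D_SEQS: Dict[str, str] = {"D1": "ba", "D2": "ab"}


def ports_involved(t: Transition) -> FrozenSet[str]:
    """P(tau): the input port plus every port that receives nonempty output."""
    _, _, symbol, outputs = t
    return frozenset({INPUT_PORT[symbol]} | set(outputs))


def inport(seq: str) -> str:
    """Port whose tester sends the first input of the sequence."""
    return INPUT_PORT[seq[0]]


def is_complete(seqs: Dict[str, str], transitions: List[Transition]) -> bool:
    """Definition 6: every transition can be followed by some sequence in D."""
    in_d = {inport(s) for s in seqs.values()}
    return all(in_d & ports_involved(t) for t in transitions)


def usable_sequences(t: Transition, seqs: Dict[str, str]) -> List[str]:
    """Sequences that may follow t without a controllability problem."""
    return sorted(n for n, s in seqs.items() if inport(s) in ports_involved(t))


def minimum_hitting_set(transitions: List[Transition]) -> Optional[Set[str]]:
    """Smallest set of ports meeting every P(tau), by exhaustive search."""
    family = {ports_involved(t) for t in transitions}   # in(Upsilon)
    ports = sorted(set().union(*family)) if family else []
    for size in range(1, len(ports) + 1):
        for candidate in combinations(ports, size):
            if all(set(candidate) & a for a in family):
                return set(candidate)
    return None


if __name__ == "__main__":
    print("D = {D1, D2} complete:", is_complete(D_SEQS, TRANSITIONS))
    print("D = {D1} complete:", is_complete({"D1": "ba"}, TRANSITIONS))
    for t in TRANSITIONS:
        print(t[0], "->", t[1], "may be followed by", usable_sequences(t, D_SEQS))
    print("minimum hitting set:", minimum_hitting_set(TRANSITIONS))
```

For the constructed transitions the sequence ba alone is not complete, because the first transition involves only port L; both ports are needed, so any complete set must contain at least two distinguishing sequences.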
Overcoming controllability problems
This section shows how, under certain conditions, a synchronizable checking sequence can be produced without the addition of external coordination message exchanges. Under some situations there is no observability problem in which case such a checking sequence is sufficient. An example of such a situation is when there is a global clock and a slow environment. This section is structured in the following way. First, we show how we can generate subsequences that verify that the given distinguishing sequences for M are also distinguishing sequences for the SUT
We then show how these subsequences can be used in the construction of a checking sequence by including each transition τ in a context in which we know that its starting state is recognized and τ is followed by a distinguishing sequence.
Verifying the distinguishing sequences
It might appear that, in order to verify that the elements of D = {D̄_1, ..., D̄_r} can be used to identify the states of the SUT N ∈ Φ_M, it is sufficient to use an input sequence that should lead to the n different responses from N to each distinguishing sequence in D. This would demonstrate that each distinguishing sequence is also a distinguishing sequence in the SUT and so each defines a bijection between the states of M and the states of the SUT.
While such an input sequence is capable of showing that each element of D is a distinguishing sequence for SUT N ∈ Φ_M, it need not be able to demonstrate that the elements of D recognize states of N in a consistent manner; the bijection between states of M and N defined by different distinguishing sequences may differ. Consider, for example, the single-port FSMs M and M′ shown in Fig. 5 and let us suppose that we are testing an SUT that is equivalent to M′ against M. Here it is clear that a and b are distinguishing sequences of both M and M′. Let us suppose that we test the SUT with input sequence acadbcb. The SUT passes this test because we observe that the output produced by M in response to this input sequence is the expected output sequence 0111011. Since the SUT passes this test we must have that a and b are distinguishing sequences for the SUT. However, under the distinguishing sequence a we find that s_3 corresponds to s_1 and s_4 corresponds to s_2 while under the distinguishing sequence b, s_4 corresponds to s_1 and s_3 corresponds to s_2. The two distinguishing sequences thus define different bijections between the states of M and M′ even though each is a distinguishing sequence for both FSMs.
In constructing a checking sequence on the basis of multiple distinguishing sequences we use the distinguishing sequences to verify the state transition structure of N and thus require that they recognize the states of N in a consistent manner. Given the set D we want to find an input sequence x̄ with the property that if the SUT N ∈ Φ_M produces the same output sequence as M in response to x̄ then we can conclude that D is a consistent set of distinguishing sequences for N. If this can be done then we can use the elements of D in the knowledge that if N produces the same output sequence as M in response to x̄ then the distinguishing sequences in D recognize the states of N in a consistent manner.
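To make the consistency requirement concrete, the following added example (not code from the paper) computes the state bijection that each distinguishing sequence induces and compares them. The two machines are constructed for illustration; they are not the FSMs of Fig. 5, but they reproduce the behaviour described for them. The helper names `run`, `response_map`, `bijection` and `consistent` are assumptions of this sketch.

```python
# Constructed single-port Mealy machines: state -> input -> (next_state, output).
# M plays the specification, N the implementation (the role of M' in the text).
M = {
    "s1": {"a": ("s1", "0"), "b": ("s1", "0"), "c": ("s2", "1"), "d": ("s1", "1")},
    "s2": {"a": ("s2", "1"), "b": ("s2", "1"), "c": ("s2", "1"), "d": ("s1", "1")},
}
N = {
    "s3": {"a": ("s3", "0"), "b": ("s3", "1"), "c": ("s4", "1"), "d": ("s3", "1")},
    "s4": {"a": ("s4", "1"), "b": ("s4", "0"), "c": ("s3", "1"), "d": ("s4", "1")},
}


def run(fsm, state, inputs):
    """Apply an input sequence; return (output string, final state)."""
    out = []
    for x in inputs:
        state, y = fsm[state][x]
        out.append(y)
    return "".join(out), state


def response_map(fsm, seq):
    """Map each response to seq onto the state that produces it.

    Returns None when two states give the same response, i.e. when seq
    is not a distinguishing sequence for fsm.
    """
    by_response = {}
    for s in fsm:
        resp, _ = run(fsm, s, seq)
        if resp in by_response:
            return None
        by_response[resp] = s
    return by_response


def bijection(spec, sut, seq):
    """State correspondence spec -> sut induced by seq, or None if there is none."""
    m, n = response_map(spec, seq), response_map(sut, seq)
    if m is None or n is None or set(m) != set(n):
        return None
    return {m[r]: n[r] for r in m}


def consistent(spec, sut, seqs):
    """True when every sequence in seqs induces the same bijection."""
    maps = [bijection(spec, sut, d) for d in seqs]
    return None not in maps and all(b == maps[0] for b in maps)
```

With these machines the test acadbcb passes from the initial states s1 and s3, yet `consistent(M, N, ["a", "b"])` is false because a and b pair the states differently.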
Definition 9 Input sequence x̄ is said to verify D if D is a consistent set of distinguishing sequences for every
The key point in this definition is that since we assume that the SUT N is contained in Φ_M, if x̄ verifies D and we observe the input/output sequence x̄/λ(s_1, x̄) from the initial state of N then we know that D must be a consistent set of distinguishing sequences for N. Thus, if we start a test with x̄ then there are two possibilities: either we observe a failure or we observe the input/output sequence x̄/λ(s_1, x̄) and so can conclude that D is a consistent set of distinguishing sequences for N and so its elements can be used to check the ending states of transitions of N.
Algorithm 1 produces a subsequence that, when included in a path ρ̄ from s_1, ensures that the input sequence x̄ that labels ρ̄ verifies {D̄_1} for some D̄_1 ∈ D. Further subsequences, to verify the remaining elements of D, are then produced in Algorithm 2 using a recursive approach.
Let s_i denote the state δ(s_i, D̄_1) of M reached from s_i by the input of D̄_1. In order to verify {D̄_1} we produce a subsequence using the following algorithm.
Algorithm 1
1. For each state s_i (1 ≤ i < n) define a transfer sequence T̄^1_i that labels a path of M from s_i to s_{i+1} such that D̄_1/λ(s_i, D̄_1) T̄^1_i is the label of a synchronizable path from s_i to s_{i+1} that may be followed by input at port inport(D̄_1) without causing a synchronization problem.
2. Return the subsequence from s_1 that has label D̄
The subsequence returned by this process is denoted ᾱ_1. For example, the sequence ᾱ_1 that is obtained by applying Algorithm 1 to 2-port FSM M_1 is formed by the concatenation of the following subsequences: t_2 t_6 t_9; t_5 t_1 t_2; t_7 t_1 t_2 t_6; and t_10 t_6.
Recall that Assumption 1 states that for any pair τ, τ′ of transitions there is a synchronizable path that starts with τ and ends in τ′.
Proposition 4
Given an FSM M and a distinguishing sequence D̄_1 for M, the subsequence ᾱ_1 can be constructed using D̄_1.
Proposition 5
The length of the sequence ᾱ_1 produced by Algorithm 1 is of O(n(n + |D̄_1|)).
Proof This follows since N has at most n states and in ᾱ_1 it produces n different responses to D̄_1.
Having produced a subsequence that verifies {D̄_1}, we get the following definition of what it means to verify that an element of D is a distinguishing sequence for N and that it recognizes states of N in the same way as D̄_1. Essentially this says that we require that if the SUT passes a test starting with input sequence x̄ then every D̄_i ∈ D defines the same bijection between the states of the SUT and the states of M.
Proof This simply follows from the fact that if D̄_i is verified relative to D̄_1 then D̄_1 and D̄_i must define the same bijection between states of M and states of N.
Definition 10 Sequence D̄
We now explain how subsequences can be generated to verify the elements of D\{D̄_1} relative to D̄_1. We define this process in a recursive manner: we assume that we have produced subsequences that verify D̄_1, ..., D̄_{i−1} relative to D̄_1 and show how, on the basis of this, D̄_i can be verified relative to D̄_1.
The algorithm for producing subsequences that verify some D̄_i relative to D̄_1 operates in the following way. For each state s_k we wish to apply D̄_i after a path ρ̄ from M whose ending state is s_k and whose starting and ending states have been recognized using a distinguishing sequence already verified. We ensure that the starting state of ρ̄ is recognized by beginning it with a distinguishing sequence already verified. We ensure that the ending state of ρ̄ has been recognized by including ρ̄ followed by D̄_j/λ(s_k, D̄_j) for some D̄_j with j < i that has already been verified. We add a further subsequence in the form of ρ̄ followed by D̄_i/λ(s_k, D̄_i). Since D̄_j has already been verified relative to D̄_1, we know that D̄_i is being applied in the state recognized as s_k by D̄_1. Note that this procedure requires that we can follow ρ̄ with either D̄_i or D̄_j and this places constraints on the ports involved in the final transition of ρ̄.
We could apply this procedure for every state s_k of M. However, this is not necessary. Instead, it is sufficient to apply this procedure for n − 1 states and also apply D̄_i in the remaining state: by observing an nth different response to D̄_i we show that D̄_i is a distinguishing sequence for N and also, by a process of elimination, show that it recognizes the states of N in a manner that is consistent with D̄_1.
Algorithm 2
1. For i = 2 to r do
2. /λ(s, D̄_a) T̄^i_k D̄_j/λ(s_k, D̄_j) and D̄_a/λ(s, D̄_a) T̄^i_k D̄_i/λ(s_k, D̄_i) such that (a) T̄^i_k ends in τ^i_{s_k}; and (b) 1 ≤ a, j < i
D̄_a/λ(s, D̄_a) T̄^i_k D̄_j/λ(s_k, D̄_j) and D̄_a/λ(s, D̄_a) T̄^i_k D̄_i/λ(s_k, D̄_i) must
end for
Using Algorithm 2 with S_2 = {s_2, s_3, s_4} to 2-port FSM M_1 yields t_2 t_6 t_9 t_4 t_2 and t_2 t_6 t_9 t_5 t_1 for s_2, t_5 t_1 t_2 t_6 t_10 and t_5 t_1 t_2 t_7 t_1 for s_3, t_7 t_1 t_2 t_6 t_9 t_5 and t_7 t_1 t_2 t_6 t_10 t_6 for s_4, t_1 t_2 for s_1.
We now show that the sequences produced by Algorithms 1 and 2 verify D and then give a sufficient condition for us to be able to apply these algorithms.
Proposition 8
Suppose that for input sequence x̄ we have that x̄/λ(s_1, x̄) contains the subsequence ᾱ_1 produced by Algorithm 1 and also the set of subsequences produced by Algorithm 2. Then x̄ verifies D.
returns O(nr) sequences whose total length is of O(nrd).
The following gives a condition under which Algorithms 1 and 2 can be applied.
Assumption 2
There is some known ordering D̄_1, ..., D̄_r of the elements of D such that for all 1 < i ≤ r there is a subset S_i ⊆ S of size at least n − 1 where for all s ∈ S_i there exists 1 ≤ j < i and a transition τ^i_s of M with ending state
Observe that if we fix the number of ports, and thus fix an upper bound on r, this gives the same complexity as algorithms for producing a checking sequence from a single-port FSM using a distinguishing sequence (see, for example, [15, 19, 23, 44]).
Overcoming observability problems
We have seen how, under certain conditions, it is possible to produce a checking sequence that has no controllability problems. This section describes an approach to augmenting this checking sequence for the case where there can be observability problems. First note that, since there can be observability problems, in order to distinguish states it is necessary to locally distinguish them and so we assume that the set D contains locally distinguishing sequences. Since the problem of checking the output of the transitions without encountering observability problems has already been considered [5-7] we concentrate on the problem of ensuring that the input sequence checks the state transition structure of the SUT.
7 The proof of Theorem 2 is contained in the Appendix.
Suppose that an input sequence D̄ locally distinguishes states s and s′ at port p and that, if D̄ is input when M is in state s then the sequence z̄ is observed at p and if D̄ is input when M is in state s′ then the sequence o z̄ is observed at p for some o ∈ Y_p. Suppose further that, in testing, we follow a transition τ = (s_i, s, x/y) with input D̄ and that y|_p = o. Then, if the input of x in state s_i instead leads to output y′ that differs from y only at p, where it produces −, and moves to s′ then the expected sequence o z̄ is seen at p. Thus D̄ has failed to detect the state transfer fault: this has been masked by an output fault. Naturally, similar problems can occur due to incorrect output after the application of D̄.
If we consider the label z̄ of a synchronizable path ρ̄ of M and the projection π_p(z̄) observed at port p, this can be represented as
Each transition in the path ρ̄ has (possibly null) output at p that falls into one of the ō_i and so for each transition in ρ̄ there is a corresponding ō_i. The output sequences ō_1, ..., ō_{k+1} are separated by the inputs x_1, ..., x_k at p and so there cannot be undetectable output-shifting faults at p between two transitions whose corresponding subsequences ō_i and ō_j are different (i ≠ j). Naturally, there might be undetectable output-shifting faults between two transitions with the same corresponding subsequence ō_i. This observation inspires the following definition.
Definition 11
Locally distinguishing sequence D̄ = x_1 ... x_k is resilient if for every pair s, s′ ∈ S, with s ≠ s′, there exists a port p and 1
This says that for any pair of states, there must be a port p such that the response to D̄_i differs at p between two inputs at p and thus this difference cannot be masked by previous or following input at p. An important property of a resilient distinguishing sequence D̄ is that for an input sequence that should trigger the n responses to D̄ allowed by M we have that if an SUT N ∈ Φ_M passes this test we must have that not only is D̄ a distinguishing sequence for N but it must be a resilient distinguishing sequence for N.
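The masking scenario and the effect of delimiting the response with inputs at p can be replayed on a small 2-port machine. This is an added example, not taken from the paper: the machine, the state names s0, s, t, u, the inputs x, d1, d2, e, and the helpers `local_trace` and `locally_distinguished` are all constructed for illustration, with p taken to be port 2.

```python
# Constructed 2-port example. PORT gives the port at which each input is applied.
PORT = {"x": 1, "d1": 1, "d2": 1, "e": 2}


def machine(x_target, x_out):
    """state -> input -> (next_state, {port: output}); a missing port means null output."""
    return {
        "s0": {"x": (x_target, x_out)},
        "s": {"d1": ("u", {}), "e": ("s", {})},
        "t": {"d1": ("u", {2: "o"}), "e": ("t", {})},
        "u": {"d2": ("u", {2: "z"}), "e": ("u", {})},
    }


SPEC = machine("s", {2: "o"})  # tau = (s0, s, x/y) with output o at port 2
FAULTY = machine("t", {})      # x gives null output at port 2 and moves to t


def local_trace(fsm, state, inputs, port):
    """Events seen by the tester at one port: ?input sent there, !output received there."""
    trace = []
    for x in inputs:
        if PORT[x] == port:
            trace.append("?" + x)
        state, outs = fsm[state][x]
        if port in outs:
            trace.append("!" + outs[port])
    return trace


def locally_distinguished(spec, sut, inputs, start="s0"):
    """True if the tester at some port sees a different local trace."""
    return any(
        local_trace(spec, start, inputs, p) != local_trace(sut, start, inputs, p)
        for p in (1, 2)
    )


# d1 d2 locally distinguishes s from t at port 2 (z versus o z) but has no input
# at port 2, so the shifted output o is absorbed. e d1 e brackets the differing
# response between two inputs at port 2, so the shift becomes visible.
MASKED = locally_distinguished(SPEC, FAULTY, ["x", "d1", "d2"])
EXPOSED = locally_distinguished(SPEC, FAULTY, ["x", "e", "d1", "e"])
```

Here `MASKED` is false: both machines show `!o !z` at port 2 after x d1 d2, so the transfer fault goes unseen. `EXPOSED` is true because the output o falls on different sides of the first input e.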
Assumption 3
The elements of D are resilient locally distinguishing sequences.
It is clear that a locally distinguishing sequence need not be resilient. The set D given earlier for the 2-port FSM M_1 does not satisfy Assumption 3. However, as we can see in Table 4, the sequences abab and baba do satisfy Assumption 3.
Suppose that Algorithm 4 is applied using a set D of resilient locally distinguishing sequences and returns path ρ̄ whose label has input portion x̄. We define a property of the SUT N ∈ Φ_M and prove that this must hold if x̄ does not locally distinguish N and M. The input sequence produced by Algorithm 4 checks the transition structure of N.
9 The proof of Theorem 3 is contained in the Appendix.
Theorem 3 Suppose that Algorithm 4 is applied using a set D of resilient locally distinguishing sequences and returns path ρ̄ whose label has input portion x̄. If x̄ does not locally distinguish SUT N ∈ Φ_M from M then N has the same transition structure as M.
It is now sufficient to add sequences that check the output produced by each transition τ at each port p. The following definition captures this requirement.
Definition 13
An input sequence x̄ checks the outputs of M if N ∈ Φ_M is globally equivalent to M whenever the following hold
1. N has the same transition structure as M; and
2. π_p(γ(s_1, x̄)
The following shows that even if there are observability and controllability problems then we can augment the sequences produced in Algorithm 4 with sequences that check the output of M to form a checking sequence.
Theorem 4 If x̄ is an input sequence that checks the output of M and starts with the label of a path of M produced by Algorithm 4 using resilient locally distinguishing sequences then x̄ is a checking sequence that has no controllability or observability problems.
Proof This result follows from Theorem 3 and Definition 13.
Conclusions and discussion
In the distributed test architecture a tester is placed at each port of the SUT N . If the individual testers cannot communicate with each other then the presence of multiple testers introduces additional controllability and observability problems. It is then important that any checking sequence that we intend to use is free from such problems. This paper is the first to show how a single checking sequence can be produced for a multi-port FSM without the use of either a reliable reset operation or external coordination messages. Since, in general, such a checking sequence need not exist we introduce conditions to be placed on the specification M under which our algorithm returns checking sequences. If the distributed test architecture is to be used then these could be seen as testability conditions that might be designed into a system. This paper focused on the generation of checking sequences since such sequences are guaranteed to provide full fault coverage under the assumption that the SUT contains no extra states. Algorithms for generating a checking sequence for a single-port FSM use distinguishing sequences, unique input/output sequences, or a characterization set to verify states of the SUT. In this paper we used distinguishing sequences since even for single-port FSMs there is no checking sequence generation algorithm that uses the alternative approaches and returns a checking sequence of length that is polynomial in terms of the number of states.
First, we investigated the situation in which there are no observability problems. This is the case, for example, when there is a global clock and the SUT responds to inputs sufficiently quickly so that the next input is not applied until after all of the outputs from the previous inputs have been observed. In such a case observability problems can be overcome by the testers timestamping the events they see and so there are no additional observability problems. We showed how multiple distinguishing sequences can be used in forming a checking sequence that does not suffer from controllability problems.
If there are observability problems then these can lead to fault masking and thus to incorrect output not being observed. We showed how the checking sequence can be extended to create a checking sequence that does not suffer from either controllability or observability problems.
This paper has shown how checking sequences can be produced for multi-port FSMs. There remain four main avenues for future work. There is the question as to whether the conditions given in this paper, under which checking sequences are produced, can be weakened. Another question is how to optimize the resultant checking sequence such that significantly shorter checking sequences can be constructed. This may be achieved by solving an optimization problem posed considering the following. First, the selection of the transition sequences used to verify the distinguishing sequences. The second issue is the selection of the subsets and the choice of distinguishing sequences used in forming paths to verify the distinguishing sequences. Similar choices are needed in the generation of transition sequences to verify the transitions and additional choices are required when considering potential observability problems. There is also the issue of how we can produce a minimal length sequence that contains the necessary subsequences. There is the issue of generating resilient locally distinguishing sequences, for which possibly a breadth-first search can be used. There may also be scope in adding input to the end of a locally distinguishing sequence in order to make it resilient. Finally, distributed systems are often nondeterministic and it would thus be interesting to extend the approach to such systems, potentially by either using methods such as deterministic testing (see, for example, [18, 26, 34, 35]) in order to ensure that the SUT is deterministic in testing or by using methods from the area of testing from nondeterministic FSMs (see, for example, [21, 27, 38-40]).
Since D̄ = x_1 ... x_k is a resilient locally distinguishing sequence for M there exists port p and 1 ≤ i < j ≤ k, D̄ = x̄_1 x_i x̄_2 x_j x̄_3 with x_i, x_j ∈ X_p and π_p(γ(δ(s_α, x̄_1), x_i x̄_2)) ≠ π_p(γ(δ(s_β, x̄_1), x_i x̄_2)).
Since M and N are not locally distinguished by x̄, the response of N to D̄ in states u_α and u_β must include the substrings π_p(γ(δ(s_α, x̄_1), x_i x̄_2)) and π_p(γ(δ(s_β, x̄_1), x_i x̄_2)) respectively after the prefix x̄_1 of D̄. Further, these subsequences start with and are followed by input at p. Thus, u_α and u_β are locally distinguished by D̄ as required. By the definition of a locally distinguishing sequence being resilient, since this holds for every pair of distinct states of N, D̄ is a resilient locally distinguishing sequence for N.
Proof of Theorem 3
