ULRIKE BRANDT
Technische Universität Darmstadt, e-mail: brandt@informatik.tu-darmstadt.de
and
HERMANN K.-G. WALTER
Technische Universität Darmstadt, e-mail: walter@informatik.tu-darmstadt.de
ABSTRACT
McCluskey et al. introduced a very general fault model for finite automata. In this paper we will show that all testable output faults can be tested by a single input word in this model. Furthermore, in the case of irreducible automata we will show that this is true for all output faults. Our main tool to prove the results is a careful analysis of the structure of automata especially considering subautomata and edge-(state)traverses of the transition graph induced by input words.
Keywords: finite automata, faults, testability, subautomata, irreducible automata, traverses
0. Introduction
In [1], [4] and following papers McCluskey et al. developed a very general fault model for finite automata. A fault of an automaton $A$ is any different automaton with the same inputs, outputs and states. They considered various classes of faults and gave algorithms for calculating test sets, i.e. sets of input words so that the resulting outputs indicate whether a fault is present or not. Testing a fault can be done assuming that the automaton always starts with the same state (testability) or in (possibly) different states (strong testability). The latter one is closely related to the structure of the given automaton. This is also true for output faults – faults which affect only the output-unit. An output fault has the same transitions as the given automaton. We can show that for a given automaton the class of all its strongly testable output faults can be tested by a single word. Fault diagnosis is connected to experiments on automata first studied by Moore [3]. Though faults are not mentioned, one can find a few remarks in [2] touching on this connection. Moreover, McCluskey et al. put some emphasis on reset mechanisms, though they are not part of the automaton and operate fault-free. In connection with traverses of edges respectively states we will make heavy use of resets. But we do not assume that they are an additional fault-free part of the automaton under consideration.
1. Basic Notations and Definitions
An alphabet $X$ is a finite set of letters. The set of words (over $X$) is the free monoid $X^*$ over $X$ with the empty word $\Box$ as identity. If $w = x_1 \ldots x_n$ ($x_i \in X$ for $1 \le i \le n$) the length of $w$ is $|w| = n$. For $L_1, L_2 \subseteq X^*$ the complex product is defined by $L_1 L_2 = \{w_1 w_2 \mid w_1 \in L_1 \text{ and } w_2 \in L_2\}$. We use the usual convention for singletons in identifying $w$ with $\{w\}$, if no confusion is possible. $X^*$ can be partially ordered by the prefix relation defined by
$$w \le v \ (\mathrm{pref}) \iff v \in wX^*.$$
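Definition 1.1 A (Mealy-)automaton is a quadruple $A = (I, S, O, \delta, \lambda)$ where
• $I$ and $O$ are alphabets (inputs respectively outputs)
• $S$ is a finite set (states)
• $\delta: I \times S \to S$ and $\lambda: I \times S \to O$ are the transition and output functions respectively.
We extend $\delta$ and $\lambda$ to words by the formulas below, where $w, v \in I^*$, $s \in S$:
$$\delta(\Box, s) = s, \quad \delta(wv, s) = \delta(v, \delta(w, s)) \quad \text{(transition formula)}$$
and
$$\lambda(\Box, s) = \Box, \quad \lambda(wv, s) = \lambda(w, s)\,\lambda(v, \delta(w, s)) \quad \text{(response formula)}.$$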
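For letters these extensions are the given $\delta$ and $\lambda$. Fixing $s \in S$ as a starting state we define the (realized) function $\lambda^s(w) = \lambda(w, s)$ for $w \in I^*$. Note that $|\lambda^s(w)| = |w|$ always holds. An automaton $A$ is minimal if and only if
$$\forall s, s' \in S: \lambda^s = \lambda^{s'} \Rightarrow s = s'.$$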
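For two automata $A$ and $A'$ with $I = I'$ and $O = O'$ a mapping $\varphi: S \to S'$ is a homomorphism if and only if
$$\forall x \in I, s \in S: \delta'(x, \varphi(s)) = \varphi(\delta(x, s)) \text{ and } \lambda'(x, \varphi(s)) = \lambda(x, s).$$
If a homomorphism $\varphi$ is given, it is easy to prove that $\lambda^s = \lambda'^{\varphi(s)}$ for all $s \in S$. A bijective $\varphi$ is an isomorphism and we write $A \cong A'$ or $A \cong_\varphi A'$. Note that $\varphi^{-1}$ is also an isomorphism.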
Another model for a device with finite memory is the Moore-automaton; it is a Mealy-automaton where the output function is given by
$$\lambda(x, s) = \mu(\delta(x, s)) \quad (x \in I, s \in S)$$
with a function $\mu: S \to O$ (marking). Our constructions will considerably simplify, if we use Moore-automata. This will be discussed at the proper places.
In the following we will fix $I$ and $O$ and denote the collection of all automata with state set $S$ by $\mathrm{Autom}(S)$. A fault for $A \in \mathrm{Autom}(S)$ is any $A_f \in \mathrm{Autom}(S)$ with $A_f \ne A$. By symmetry $A$ is then a fault of $A_f$. We use the subscript “f” to denote the fault automaton.
We shall discuss two forms of testability. In the weaker one the test is started with the same initial state for both automata. In the stronger form they may start in different states.
Definition 1.2 Let $A, A_f \in \mathrm{Autom}(S)$ and $s \in S$.
• $A_f$ is $s$-testable (for $A$) if $\lambda^s \ne \lambda_f^s$.
• $A_f$ is strongly $s$-testable (for $A$) if $\lambda^s \ne \lambda_f^{s'}$ for all $s' \in S$.
We extend this definition to subsets $S' \subseteq S$ by calling $A_f$ (strongly) $S'$-testable (for $A$) if $A_f$ is (strongly) $s$-testable for every $s \in S'$. $A_f$ is (strongly) testable for $A$ if it is (strongly) $S$-testable for $A$.
Note that in the case $\#(O) = 1$ no $A_f$ is testable on nonempty $S'$. We assume for the following $\#(O) > 1$. Strong testability respects isomorphisms in the sense that $A_f$ is not strongly testable on any nonempty subset of $S$ if $A_f \cong A$. This is not true for testability. Fig. 1.1 shows such a pair of isomorphic automata which are both testable for each other. In this situation testability depends on the isomorphism.
Figure 1.1 Isomorphisms and faults
Observation 1.3 Let $A, A_f \in \mathrm{Autom}(S)$ with $A \cong A_f$ and $A$ minimal. $A_f$ is testable for $A$ if and only if there exists an isomorphism $\varphi$ with $A_f \cong_\varphi A$ and $\varphi(s) \ne s$ for all $s \in S$, i.e. $\varphi$ must be free of fixpoints.
Proof. If $s \in S$ exists with $\varphi(s) = s$ then $\lambda^s = \lambda_f^s$ and $A_f$ is not $s$-testable. Conversely, suppose there exists $s \in S$ with $\lambda_f^s = \lambda^s$. We know $\lambda^{\varphi(s)} = \lambda_f^s$, hence $\lambda^s = \lambda^{\varphi(s)}$. Since $A$ is minimal $s = \varphi(s)$ and we find a fixpoint – a contradiction. $\Box$
The second extension of our definitions deals with fault classes. For a given $A \in \mathrm{Autom}(S)$ a fault class $F$ (for $A$) is a subset of $\mathrm{Autom}(S)$ with $A \notin F$. Such fault classes are mainly derived from a common schema of automata – both for Mealy- and Moore-type presented in fig. 1.2. Typical faults can affect the logical units Transition and Output, the Memory and the connections between these components.
Figure 1.2 Basic structure of automata, Mealy: dotted line, Moore: hollow line
We get for example $F_{\mathrm{out}}(A) = \{A_f \in \mathrm{Autom}(S) \mid \delta = \delta_f \text{ and } \lambda \ne \lambda_f\}$ as the class of output faults. For a Moore-automaton $A$ we can single out $F_{\mathrm{mout}} = \{A_f \in F_{\mathrm{out}} \mid A_f \text{ is a Moore-automaton}\}$. Note that an output fault $A_f$ of a Moore-automaton does not need to be a Moore-automaton.
For $S' \subseteq S$ such a fault class $F$ is (strongly) $S'$-testable (for $A$) if every $A_f \in F$ is (strongly) $S'$-testable. If $F$ is (strongly) $S$-testable then $F$ is (strongly) testable for $A$.
We turn our interest to fault-testing. Consider $A \in \mathrm{Autom}(S)$, $S' \subseteq S$ and a fault class $F$ of $A$. A set $T \subseteq I^*$ is an $S'$-test for $A$ and $F$ if and only if
$$\forall A_f \in F,\ s \in S',\ \lambda^s \ne \lambda_f^s \ \ \exists w \in T: \lambda^s(w) \ne \lambda_f^s(w).$$
Since $\mathrm{Autom}(S)$, $I$ and $O$ are all finite sets a finite $S'$-test $T$ always exists for a given $A$ and $F$. Note that $F$ need not be $S'$-testable. $T$ is a strong $S'$-test for $A$ and $F$ if and only if
$$\forall A_f \in F,\ s \in S,\ s' \in S' \ \exists w \in T: \lambda^{s'}(w) \ne \lambda_f^{s}(w).$$
In this case, a strong (finite) $S'$-test exists if and only if $F$ is strongly $S'$-testable for $A$. A strong $S'$-test is always an $S'$-test. As before, $T$ is a (strong) test (for $A$ and $F$) if and only if $T$ is a (strong) $S$-test. In connection with tests the following fact is fundamental.
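Observation 1.4 If $A, A_f \in \mathrm{Autom}(S)$ and $s, s' \in S$ then for all $v, w \in I^*$
$$\lambda^s(vw) = \lambda_f^{s'}(vw) \iff \left(\lambda^s(v) = \lambda_f^{s'}(v) \text{ and } \lambda^{\delta(v,s)}(w) = \lambda_f^{\delta_f(v,s')}(w)\right).$$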
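Proof. By the response formula we know
$$\lambda(vw, s) = \lambda^s(v)\,\lambda^{\delta(v,s)}(w) \text{ and } \lambda_f^{s'}(vw) = \lambda_f^{s'}(v)\,\lambda_f^{\delta_f(v,s')}(w).$$
If $\lambda^s(vw) = \lambda_f^{s'}(vw)$ then $\lambda^s(v) = \lambda_f^{s'}(v)$, since $|\lambda^s(v)| = |\lambda_f^{s'}(v)|$. But then by cancellation $\lambda^{\delta(v,s)}(w) = \lambda_f^{\delta_f(v,s')}(w)$. $\Box$
For example, we directly obtain from this fact that $(T \setminus w) \cup ww'$ is a (strong) $S'$-test for any (strong) $S'$-test $T$, $w' \in I^*$ and $w \in T$.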
Example 1.5 (reset automata) Consider an alphabet $X$ and $B = \{0, 1\}$. The (letter-)reset automaton $\mathrm{Res}_X = (X, X, B, \delta, \lambda)$ is given by
$$\delta(x, y) = x \text{ and } \lambda(x, y) = \boldsymbol{\delta}_{x,y} \quad (\boldsymbol{\delta}\text{: Kronecker symbol}) \quad (x, y \in X).$$
The fault class is given in the following way. Consider a mapping $\sigma: X \to X$. Then define $\mathrm{Res}_{\sigma,X} = (X, X, B, \delta_\sigma, \lambda)$ with $\delta_\sigma(x, y) = \sigma(x)$ ($x, y \in X$) leaving $\lambda$ unchanged. The fault class under consideration is the collection of all these automata where $\sigma$ is not the identity on $X$. This fault class includes quite typical faults considering fig. 1.2. For example some of the register cells may be stuck at a certain value. Note that cuts in the connections may also cause such faults.
Now for a given fault $A_f = \mathrm{Res}_{\sigma,X}$ we use input words of the form $w = xx$ ($x \in X$). We get for all $y \in X$: $\lambda(xx, y) = \boldsymbol{\delta}_{x,y}\,1$ and $\lambda_f(xx, y) = \boldsymbol{\delta}_{x,y}\,\boldsymbol{\delta}_{x,\sigma(x)}$. Since $\sigma$ is not the identity on $X$ an $x \in X$ exists with $\sigma(x) \ne x$. But now $xx$ tests this fault. This shows that $\{xx \mid x \in X\}$ is a test for $\mathrm{Res}_X$ and this fault class. Moreover, it is a strong test. In the next section we shall prove that this fact is true in a more general setting, where the automaton $\mathrm{Res}_X$ serves as an example.
Our second example deals with a more refined look at faults.
Example 1.6 (switching circuits) We consider realizations of automata by switching circuits. If we follow the standard schema for automata, the transition and output unit are usually realized by switching circuits without feedbacks. To do this we need a binary encoding of all three sets – inputs, outputs and states. Then transition and output become boolean functions which can be realized by switching circuits without feedbacks. We make free use of a basic system of gates containing the boolean functions $x \cdot y$ (AND), $x + y$ (OR), $x \oplus y$ (EXOR) and their complementations $x \mathbin{\overline{\cdot}} y$ (NAND), $x \mathbin{\overline{+}} y$ (NOR) and $x \mathbin{\overline{\oplus}} y$ (NEXOR). Now consider a four letter alphabet $X = \{a, b, c, d\}$ and $\mathrm{Res}_X$. Encoding of the letters is given by
a   b   c   d
00  01  10  11
If we use the encodings $x_1x_2$ for the letter $x$ and $s_1s_2$ for the state $s$ we see the output $z = (x_1 \oplus s_1) \mathbin{\overline{+}} (x_2 \oplus s_2)$. The reader should bear in mind that EXOR tests for inequality of bits. The corresponding switching circuit is shown in fig. 1.3 together with three faults – a cut, a contact and their combination.
Figure 1.3 Fault testing
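We assume that the hardware implementation of this circuit results for the cut in a stuck-at-0-fault and for the contact in an additional OR-gate. The resulting output functions in the presence of these faults are
$$z_{\mathrm{Cut}} = x_2 \mathbin{\overline{\oplus}} s_2, \quad z_{\mathrm{Contact}} = (x_1 \oplus (x_2 + s_1)) \mathbin{\overline{+}} (s_2 \oplus (x_2 + s_1)), \quad z_{\mathrm{Comb}} = (x_2 + s_1) \mathbin{\overline{\oplus}} s_2.$$
Decoding yields for example
$$\lambda_{\mathrm{Cut}}(x, s) = (\boldsymbol{\delta}_{x,a} + \boldsymbol{\delta}_{x,c}) \cdot (\boldsymbol{\delta}_{a,s} + \boldsymbol{\delta}_{c,s}) + (\boldsymbol{\delta}_{x,b} + \boldsymbol{\delta}_{x,d}) \cdot (\boldsymbol{\delta}_{b,s} + \boldsymbol{\delta}_{d,s}).$$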
The following table summarizes the values for all possible inputs.
Output pattern $z\ z_{\mathrm{Cut}}\ z_{\mathrm{Contact}}\ z_{\mathrm{Comb}}$ (rows: state $s$, columns: input $x$)
      a     b     c     d
a   1111  0000  0101  0000
b   0000  1101  0000  0111
c   0100  0000  1100  0000
d   0001  0101  0011  1111
Inspection of this table yields possible tests for these faults together with the corresponding tests for the faulty automaton, as shown in the next table.
Fault tests
Cut         Contact     Comb
00 10 ca    01 01 bb    00 11 da
01 11 db    10 10 cc    01 11 db
10 00 ac    10 11 dc    10 00 ac
11 01 bd    11 01 bd    10 10 cc
                        10 11 dc
                        11 01 bd
The test 1101 is the only test for all three faults. It corresponds to the input $bd$, i.e. first the input $b$ sends $\mathrm{Res}_X$ to the state $b$ and then use the input $d$ for fault detection.
2. Subautomata and Testability
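In dealing with testability it is quite reasonable to study for an automaton $A \in \mathrm{Autom}(S)$ and a fault $A_f$ the set $\mathrm{nontest}(A, A_f) = \{s \in S \mid \exists s' \in S: \lambda^s = \lambda_f^{s'}\}$.
Observation 2.1 For any two automata $A, A_f \in \mathrm{Autom}(S)$:
$$\forall x \in I: s \in \mathrm{nontest}(A, A_f) \Rightarrow \delta(x, s) \in \mathrm{nontest}(A, A_f).$$
Proof. Let $s, s' \in S$ with $\lambda^s = \lambda_f^{s'}$. Applying fact 1.6 for $x \in I$ and $w \in I^*$ we find $\lambda^{\delta(x,s)} = \lambda_f^{\delta_f(x,s')}$, i.e. $\delta(x, s) \in \mathrm{nontest}(A, A_f)$. $\Box$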
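Definition 2.2 Let $S' \subseteq S$, $A \in \mathrm{Autom}(S)$ and $A' \in \mathrm{Autom}(S')$. $A'$ is a subautomaton of $A$ ($A' \in \mathrm{sub}(A)$) if and only if $\delta'(x, s) = \delta(x, s)$ and $\lambda'(x, s) = \lambda(x, s)$ for all $x \in I$ and $s \in S'$.
If $A' \in \mathrm{sub}(A)$ then for any $x \in I$ and $s \in S'$: $\delta(x, s) \in S'$. Conversely, if $S' \subseteq S$ satisfies this condition then a subautomaton with state set $S'$ is defined by the restriction of $\delta$ and $\lambda$ to $I \times S'$. Therefore we do not distinguish subautomata and subsets of $S$ satisfying this condition. In this way we get $\emptyset, S \in \mathrm{sub}(A)$. By obs. 2.1 $\mathrm{nontest}(A, A_f) \in \mathrm{sub}(A)$ for all $A, A_f \in \mathrm{Autom}(S)$. There are some canonical subautomata of $A \in \mathrm{Autom}(S)$. To any $s \in S$ we can consider
$$\mathrm{reach}(s, A) = \{\delta(w, s) \mid w \in I^*\}.$$
By the transition formula for any $x \in I$ and $s' = \delta(w, s)$: $\delta(x, s') = \delta(x, \delta(w, s)) = \delta(wx, s)$. This proves $\mathrm{reach}(s, A) \in \mathrm{sub}(A)$. reach is a consistent monotonic operation, that means $s \in \mathrm{reach}(s, A)$ and $\mathrm{reach}(\delta(w, s), A) \subseteq \mathrm{reach}(s, A)$ for all $s \in S$ and $w \in I^*$. We want to apply obs. 2.1 to automata which have no nontrivial subautomata.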
Definition 2.3 $A \in \mathrm{Autom}(S)$ is irreducible if and only if $\mathrm{reach}(s, A) = A$ for all $s \in S$.
Equivalently, an automaton $A \in \mathrm{Autom}(S)$ is irreducible if and only if a function $\mathrm{reset}: S \times S \to I^*$ exists with: $\delta(\mathrm{reset}(s, s'), s) = s'$ for all $s, s' \in S$.
If $S$ is a singleton or empty then $A$ is always irreducible. The automata $\mathrm{Res}_X$ are irreducible with the function $\mathrm{reset}(y, y') = y'$ ($y, y' \in X$).
Another way to define irreducibility is given by the following
Observation 2.4 $A \in \mathrm{Autom}(S)$ is irreducible if and only if for all $S' \in \mathrm{sub}(A)$: $S' \ne \emptyset \Rightarrow S' = S$.
Lemma 2.5 If $A \in \mathrm{Autom}(S)$ is minimal and irreducible then $A_f \in \mathrm{Autom}(S)$ is strongly testable for $A$ if and only if $A \not\cong A_f$.
Proof. Suppose $A \not\cong A_f$ and $A_f$ is not strongly testable for $A$. But then $\mathrm{nontest}(A, A_f) \ne \emptyset$ and therefore by Observation 2.4: $\mathrm{nontest}(A, A_f) = S$. By symmetry $\mathrm{nontest}(A_f, A) \ne \emptyset$, too. Define $\psi: \mathrm{nontest}(A_f, A) \to S$ by $\psi(s') = s$ with $\lambda_f^{s'} = \lambda^s$. Since $A$ is minimal $\psi$ is well-defined. Since $S = \mathrm{nontest}(A, A_f)$, $\psi$ is surjective, and therefore $\psi$ is a bijection. By this $\mathrm{nontest}(A_f, A) = S$. Moreover, $\psi$ is obviously a homomorphism. In total $\psi$ is an isomorphism and we get a contradiction. The reverse direction is trivial. $\Box$
For an automaton $A$ the irreducible subautomata play an important role. We introduce
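$$\mathrm{bottom}(A) = \{s \in S \mid \forall s' \in \mathrm{reach}(A, s): s \in \mathrm{reach}(A, s')\}.$$
If $S$ is not empty, $\mathrm{bottom}(A)$ is also not empty. This can be seen easily by looking at the set system $\{\mathrm{reach}(A, s) \mid s \in S\}$. This system is partially ordered by inclusion. Since $S$ is finite we find $\mathrm{bottom}(A)$ as the union of the minimal elements. Clearly, $\mathrm{bottom}(A) \in \mathrm{sub}(A)$. If $A' \in \mathrm{sub}(A)$ with state set $S'$, then for all $s \in S'$ $\mathrm{reach}(A, s) = \mathrm{reach}(A', s)$, hence $\mathrm{bottom}(A') \in \mathrm{sub}(\mathrm{bottom}(A))$. Moreover, for any $s \in \mathrm{bottom}(A)$ $\mathrm{reach}(A, s)$ is by definition irreducible. Conversely, if $A' \in \mathrm{sub}(A)$ is irreducible then $A' \in \mathrm{sub}(\mathrm{bottom}(A))$.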
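Observation 2.6 If $A \in \mathrm{Autom}(S)$ then there exists a function $\mathrm{down}: S \to I^*$ with
$$\forall s \in S: \delta(\mathrm{down}(s), s) \in \mathrm{bottom}(A).$$
Proof. We use induction on $\#(S)$. If $\#(S) = 1$, $A = \mathrm{bottom}(A)$ and the empty word will do. Let $\#(S) > 1$. If $\mathrm{bottom}(A) = A$ we can use again the empty word. Suppose $\mathrm{bottom}(A) \ne A$. Fix $s \notin \mathrm{bottom}(A)$. Then $s' \in \mathrm{reach}(A, s)$ exists with $s \notin \mathrm{reach}(A, s')$. Consider the set $S' = \{s' \in S \mid s' \in \mathrm{reach}(A, s) \text{ and } s \notin \mathrm{reach}(A, s')\}$; then $\#(S') < \#(S)$, $S'$ is not empty and $S'$ defines a subautomaton $A'$ of $A$. By induction hypothesis we find for any $s' \in S'$ $\mathrm{down}_{A'}(s')$ with $\delta(\mathrm{down}_{A'}(s'), s') \in \mathrm{bottom}(A') \in \mathrm{sub}(\mathrm{bottom}(A))$. Moreover, for such an $s'$ there exists a word $w \in I^*$ with $\delta(w, s) = s'$ and we can define $\mathrm{down}_A(s) = w\,\mathrm{down}_{A'}(s')$. Using the transition formula we get
$$\delta(w\,\mathrm{down}_{A'}(s'), s) = \delta(\mathrm{down}_{A'}(s'), \delta(w, s)) = \delta(\mathrm{down}_{A'}(s'), s') \in \mathrm{bottom}(A). \quad \Box$$
If $d: S \to I^*$ satisfies for $s \in S$ $\delta(d(s), s) \in \mathrm{bottom}(A)$, then for any $w \in I^*$ $\delta(d(s)w, s) \in \mathrm{bottom}(A)$. Hence, there are infinitely many choices for $\mathrm{down}_A$.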
Lemma 2.7 Let $A, A_f \in \mathrm{Autom}(S)$, then $A_f$ is strongly testable for $A$ if and only if $A_f$ is strongly $\mathrm{bottom}(A)$-testable for $A$.
Proof. Consider $s, s' \in S$.
If $A_f$ is strongly $\mathrm{bottom}(A)$-testable for $A$ there exists $w' \in I^*$ with
$$\lambda^{\delta(\mathrm{down}_A(s), s)}(w') \ne \lambda_f^{\delta_f(\mathrm{down}_A(s), s')}(w').$$
But then by fact 1.6 $\lambda^s(\mathrm{down}_A(s)w') \ne \lambda_f^{s'}(\mathrm{down}_A(s)w')$. $\Box$
We can strengthen obs 2.6 in such a way that the words $\mathrm{down}_A(s)$ can be combined to a single word sending all states to $\mathrm{bottom}(A)$.
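Theorem 2.8 To any $A \in \mathrm{Autom}(S)$ there exists $\mathrm{down}(A) \in I^*$ such that
$$\forall s \in S: \delta(\mathrm{down}(A), s) \in \mathrm{bottom}(A).$$
Proof. We use a $\mathrm{down}(s)$ as in obs. 2.6. Numbering the states of $S$ from $1, \ldots, m$ we use the following programming piece to construct $\mathrm{down}(A)$:
down(A):
    w := □
    for i := 1; i ≤ m; i = i+1 do
        w := w down(δ(w, s_i))
    end for
    return w
If $1 \le i \le m$ we can decompose $\mathrm{down}(A) = u\,\mathrm{down}(\delta(u, s_i))\,v$ with suitable $u, v \in I^*$. But then $\delta(\mathrm{down}(A), s_i) = \delta(v, \delta(\mathrm{down}(\delta(u, s_i)), \delta(u, s_i)))$. We know
$$\delta(\mathrm{down}(\delta(u, s_i)), \delta(u, s_i)) \in \mathrm{bottom}(A)$$
and $\delta(v, s) \in \mathrm{bottom}(A)$ for all $s \in \mathrm{bottom}(A)$. By this $\delta(\mathrm{down}(A), s_i) \in \mathrm{bottom}(A)$. $\Box$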
Example 2.9 Construction of $\mathrm{down}(A)$. For $k > 0$ consider the Moore-automata $A_k$ with $I = \{a, b\}$, $O = B$, $S_k = [0\,..\,2k+1]$ and $\delta_k$, $\mu_k$ defined by
$$\delta_k(a, 0) = \delta_k(b, 0) = \delta_k(b, 1) = \delta_k(a, 2) = 0,$$
$$\delta_k(a, 2i+1) = 2(i+1)+1 \ (0 \le i < k), \quad \delta_k(a, 2i) = 2(i-1) \ (1 < i \le k), \quad \delta_k(a, 2k+1) = 2k,$$
$$\delta_k(b, 2i+1) = 2(i-1)+1 \ (0 < i \le k), \quad \delta_k(b, 2i) = 2(i+1) \ (1 \le i < k), \quad \delta_k(b, 2k) = 2k+1,$$
$$\mu_k(j) = j \bmod 2 \ (j \in S_k).$$
Clearly, $\mathrm{bottom}(A_k)$ has only one state, namely 0. A possible $\mathrm{down}_A$ is given by
$$\mathrm{down}_A(0) = \Box, \quad \mathrm{down}_A(2i+1) = b^{i+1} \ (0 \le i \le k), \quad \mathrm{down}_A(2i) = a^{i+1} \ (1 \le i \le k).$$
Consider the construction in the proof of th. 2.7 starting with state 0. The outcome depends on the choices made during this construction. Choosing the odd numbers first in ascending order and then the even ones in descending order yields $\mathrm{down}(A) = b^{2k+1}$. Proceeding the other way round - first even, then odd ones - yields $\mathrm{down}(A) = a^{2k+1}$.
We get the following with respect to tests. If $T \subseteq I^*$ is a strong $\mathrm{bottom}(A)$-test for $A$ and $A_f$ then $\mathrm{down}(A)T$ is a strong test for $A$ and $A_f$. So the size of the test remains unchanged.
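The construction of Theorem 2.8 can be replayed on the automata $A_k$ of Example 2.9. The following Python sketch is an added example, not code from the paper; the function names, the dictionary encoding of $\delta_k$ and the use of Python strings for words over $\{a, b\}$ are assumptions made here.

```python
def make_Ak(k):
    """Transition table delta[(letter, state)] of A_k from Example 2.9 (k > 0)."""
    d = {("a", 0): 0, ("b", 0): 0, ("b", 1): 0, ("a", 2): 0}
    for i in range(k):                      # a climbs the odd states
        d[("a", 2 * i + 1)] = 2 * (i + 1) + 1
    for i in range(2, k + 1):               # a descends the even states
        d[("a", 2 * i)] = 2 * (i - 1)
    d[("a", 2 * k + 1)] = 2 * k
    for i in range(1, k + 1):               # b descends the odd states
        d[("b", 2 * i + 1)] = 2 * (i - 1) + 1
    for i in range(1, k):                   # b climbs the even states
        d[("b", 2 * i)] = 2 * (i + 1)
    d[("b", 2 * k)] = 2 * k + 1
    return d

def run(delta, w, s):
    """delta extended to words by the transition formula."""
    for x in w:
        s = delta[(x, s)]
    return s

def reach(delta, inputs, s):
    """reach(A, s): all states delta(w, s) for w in I*."""
    seen, todo = {s}, [s]
    while todo:
        t = todo.pop()
        for x in inputs:
            n = delta[(x, t)]
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen

def bottom(delta, inputs, states):
    """bottom(A): states s that stay reachable from every state they reach."""
    r = {s: reach(delta, inputs, s) for s in states}
    return {s for s in states if all(s in r[t] for t in r[s])}

def paper_down(s):
    """The per-state choice down_A(s) given in Example 2.9."""
    if s == 0:
        return ""
    i = s // 2
    return "b" * (i + 1) if s % 2 else "a" * (i + 1)

def down_word(delta, order, down):
    """Theorem 2.8: extend w by down(delta(w, s_i)) for each state in turn."""
    w = ""
    for s in order:
        w += down(run(delta, w, s))
    return w

def demo(k):
    """State 0 first, then odd states ascending, then even states descending."""
    delta = make_Ak(k)
    states = range(2 * k + 2)
    odd_up = list(range(1, 2 * k + 2, 2))
    even_down = list(range(2 * k, 0, -2))
    w = down_word(delta, [0] + odd_up + even_down, paper_down)
    landed = {run(delta, w, s) for s in states}
    return w, landed, bottom(delta, "ab", states)

if __name__ == "__main__":
    print(demo(2))
```

With this state order the loop reproduces the word $b^{2k+1}$ stated in the example, and every state is sent to the single bottom state 0.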
We mentioned above that $\mathrm{bottom}(A)$ is the union of the irreducible subautomata of $A$. With respect to fault testing we refine this observation by introducing the direct sum of automata.
Let $A_1, A_2 \in \mathrm{sub}(A)$ with state sets $S_1, S_2$. If $S_1 \cap S_2 = \emptyset$ and $S_1 \cup S_2 = S$, $A$ is the direct sum of $A_1$ and $A_2$ ($A = A_1 \oplus A_2$). The direct sum is associative and commutative and we extend it to finitely many $A_i$ ($1 \le i \le k$) obtaining $A = A_1 \oplus \cdots \oplus A_k$ in the usual way.
Lemma 2.10 For any $A \in \mathrm{Autom}(S)$ $\mathrm{bottom}(A) = A_1 \oplus \cdots \oplus A_k$ where all $A_i$ are irreducible. Moreover, this decomposition is unique up to permutations of the components.
Proof. We know that any irreducible $A' \in \mathrm{sub}(A)$ is of the form $A' = \mathrm{reach}(A, s)$ for some $s \in S$. Let $s' \in S$. If there exists $s'' \in \mathrm{reach}(A, s) \cap \mathrm{reach}(A, s')$, then $s \in \mathrm{reach}(A, s'') \subseteq \mathrm{reach}(A, s')$, and therefore by irreducibility $\mathrm{reach}(A, s) = \mathrm{reach}(A, s')$.
But then consider a system $s_1, \ldots, s_k$ of states with
• $\mathrm{reach}(A, s_i)$ irreducible, $\mathrm{reach}(A, s_i) \cap \mathrm{reach}(A, s_j) = \emptyset$ ($1 \le i \ne j \le k$) and
• $\forall s \in S$, $\mathrm{reach}(A, s)$ irreducible $\exists\, 1 \le i \le k: s \in \mathrm{reach}(A, s_i)$.
Now the $\mathrm{reach}(A, s_i)$ constitute the desired decomposition with $A_i = \mathrm{reach}(A, s_i)$. $\Box$
3. Edge- and state-traverses
Traversing the transitions is an important tool to study testability and design tests. Such traverses are quite familiar in graph-theory. In our case an additional feature is present. The traverse must be triggered by inputs.
Therefore we define the following two functions $\mathrm{evisit}_A: I^* \times S \to 2^{I \times S}$ and $\mathrm{svisit}_A: I^* \to 2^S$ by
$$\mathrm{evisit}_A(w, s) = \{(x, s') \in I \times S \mid \exists u \in I^*: ux \le w \ (\mathrm{pref}) \text{ and } \delta(u, s) = s'\}$$
and
$$\mathrm{svisit}_A(w, s) = \{s' \in S \mid \exists u \in I^*: u \ne \Box,\ u \le w \ (\mathrm{pref}) \text{ and } \delta(u, s) = s'\} \quad (w \in I^*, s \in S).$$
Definition 3.1 Let $A \in \mathrm{Autom}(S)$, $s \in S$ and $w \in I^*$. $w$ is an edge-traverse for $s$, if $\mathrm{evisit}_A(w, s) = I \times S$, and a state-traverse for $s$, if $\mathrm{svisit}_A(w, s) = S$.
We call $w \in I^*$ an edge-(state-)traverse of $A$ if $w$ is an edge-(state-)traverse for all $s \in S$.
Clearly, an edge-traverse for $s$ is always a state-traverse for $s$. If a state-traverse exists, $A$ must be irreducible.
Example 3.2 We study again the automata $A_k$ from ex. 2.8. We calculate
$$\delta_k(b^i, 2i+1) = \delta_k(b^{k+i}, 2(k-i+1)) = 1 \quad (0 \le i \le k).$$
Then $aba^{2k+1}$ is a state-traverse for 1, $b^i a^{2k+1}$ is a state-traverse for $2i+1$ ($i > 0$) and $b^{k+i} a^{2k+1}$ a state-traverse for $2(k-i+1)$ ($1 \le i \le k$). For 0 no state-traverse exists. Suppose $s \in S_k$ exists such that an edge-traverse $w$ for $s$ can be found. But then both $(b, 1)$ and $(a, 2)$ are elements of $\mathrm{evisit}_{A_k}(w, s)$. Since $\delta_k(a, 0) = \delta_k(b, 0) = 0$ this is impossible. Hence, for no state $s \in S_k$ an edge-traverse can be found. Look for example at state 1. Then $\mathrm{evisit}_{A_k}(a^{2k} b^{2k+1} ab, 1) = \{a, b\} \times S_k \setminus (a, 2)$.
Lemma 3.3 Let $A \in \mathrm{Autom}(S)$, $s \in S$ and $w \in I^*$. Then $w$ is an edge-traverse for $s$ if and only if $\lambda^s(w) \ne \lambda_f^s(w)$ for all $A_f \in F_{\mathrm{out}}(A)$.
Proof. Consider $A_f \in F_{\mathrm{out}}(A)$. Then there exists $(x, s') \in I \times S$ with $\lambda(x, s') \ne \lambda_f(x, s')$. Since $w$ is an edge-traverse for $s$, $w = uxv$ with $\delta(u, s) = s'$. By fact 1.6 we get $\lambda^s(ux) \ne \lambda_f^s(ux)$ and then $\lambda^s(w) = \lambda^s(uxv) \ne \lambda_f^s(uxv) = \lambda_f^s(w)$. Hence $w$ is an $s$-test.
Conversely, assume $w$ is not an edge-traverse for $s$. Then $(x, s') \in I \times S$ exists with $(x, s') \notin \mathrm{evisit}_A(w, s)$. Consider the fault $A_f \in F_{\mathrm{out}}(A)$ given by $\lambda_f(x, s'') = \lambda(x, s'')$ if $s'' \ne s'$ and $\lambda_f(x, s') \ne \lambda(x, s')$ ($x \in I$, $s'' \in S$) ($\#(O) > 1$!). Then $\lambda^s(w) = \lambda_f^s(w)$ - a contradiction. Hence $w$ must be an edge-traverse for $s$. $\Box$
We get a lower bound for the length of those $w \in I^*$ which are edge-traverses for $s$ on $A$, because we have to meet every pair $(x, s')$. If $n = \#(X)$ and $\#(S) = m$ then $|w| \ge nm$.
With little changes the same result is true for Moore-automata $A$ and $F_{\mathrm{mout}}(A)$ and state-traverses.
Lemma 3.4 Let $A \in \mathrm{Autom}(S)$ be a Moore-automaton, and $w \in I^*$. Then $w$ is a state-traverse for $s$ if and only if $\lambda^s(w) \ne \lambda_f^s(w)$ for all $A_f \in F_{\mathrm{mout}}(A)$.
Proof. Consider $A_f \in F_{\mathrm{mout}}(A)$. Then there exists $s' \in S$ with $\mu(s') \ne \mu_f(s')$. Since $w$ is a state-traverse for $s$, $w = uxv$ with $\delta(ux, s) = s'$. Note $\lambda(ux, s) = \lambda(u, s)\mu(s') \ne \lambda_f(u, s)\mu_f(s') = \lambda_f(ux, s)$. Again by fact 1.6 $\lambda^s(w) \ne \lambda_f^s(w)$.
Conversely, assume $w$ is not a state-traverse for $s$. Then $s' \in S$ exists with $s' \notin \mathrm{svisit}_A(w, s)$. Consider the fault $A_f \in F_{\mathrm{mout}}(A)$ given by $\mu_f(s'') = \mu(s'')$ if $s'' \ne s'$ and $\mu_f(s') \ne \mu(s')$ ($x \in I$, $s'' \in S$). Then $\lambda^s(w) = \lambda_f^s(w)$ - a contradiction. Hence $w$ must be a state-traverse for $s$. $\Box$
For a state-traverse $w$ we clearly have the lower bound $|w| \ge m$. Note at this point that turning a Mealy-automaton into an equivalent Moore-automaton changes the character of the fault. An output fault becomes a transition fault.
Applying the transition formula we get straightforwardly that for an edge-(state-)traverse $w$ of $s$ and for any $v \in I^*$ $wv$ is an edge-(state-)traverse for $s$, too. Moreover, if $w$ is an edge-(state-)traverse for $A$ then for any $u, v \in I^*$ $uwv$ is also an edge-(state-)traverse of $A$.
The existence of such traverses for irreducible automata is asserted by the following two results where the proofs additionally exhibit algorithms to find these traverses. We start with the easier task of determining state-traverses.
Lemma 3.5 For any irreducible $A \in \mathrm{Autom}(S)$ a state-traverse for $A$ exists.
Proof. We use a function reset with $\mathrm{reset}(s, s) \ne \Box$ for $s \in S$ associated to (the irreducible) $A$ and number the set of states $S = \{s_1, \ldots, s_m\}$. Consider the word $\mathrm{start} = \mathrm{reset}(s_1, s_2) \ldots \mathrm{reset}(s_{m-1}, s_m)$. If $s \in S$ and $u \in I^*$ then the word $u\,\mathrm{reset}(\delta(u, s), s_1)\,\mathrm{start}$ is always a state-traverse for $s$. We obtain a state-traverse of $A$ by the following programming piece which uses the function $\mathrm{strav}(w) = \{s \in S \mid w \text{ is a state-traverse for } s\}$ ($w \in I^*$)
strav(A):
    w := □
    trav := ∅
    while trav ⊂ S do
        choose(s ∈ S \ trav)
        w := w reset(δ(w, s), s_1) start
        trav := trav(w)
    end while
    return w
$\Box$
We get the following worst-case estimate for $|\mathrm{strav}(A)|$. Clearly, we can choose $\mathrm{reset}(s, s')$ such that $|\mathrm{reset}(s, s')| \le m - 1$. Then $|\mathrm{start}| \le (m-1)^2$. Suppose we can eliminate only one state in each turn of the loop then there are $m$ such turns. In total $|\mathrm{strav}(A)| \le m(m-1)^2$. It is not surprising that this upper bound is independent of the numbers of inputs.
We refine this construction to get an edge-traverse visiting all outgoing edges of a state $s$ if we meet $s$ during a state-traverse.
Theorem 3.6 For any irreducible $A \in \mathrm{Autom}(S)$ there exists an edge-traverse.
Proof. Consider again a function $\mathrm{reset}(s, s')$ for $A$. Again let $S = \{s_1, \ldots, s_m\}$, furthermore let $I = \{x_1, \ldots, x_n\}$. Define a function $\mathrm{edge}: S \to I^*$ by
$$\mathrm{edge}(s) = x_1\,\mathrm{reset}(\delta(x_1, s), s) \ldots \mathrm{reset}(\delta(x_{n-1}, s), s)\,x_n.$$
$\mathrm{edge}(s)$ traverses all outgoing edges of $s$ if we perform $\delta(\mathrm{edge}(s), s)$, i.e. for all $x \in I$ there exists $u \in I^*$ with $ux \le \mathrm{edge}(s)$ (pref). This time consider the word $\mathrm{start} = \mathrm{edge}(s_1)\,\mathrm{reset}(s_1, s_2)\,\mathrm{edge}(s_2) \ldots \mathrm{reset}(s_{m-1}, s_{m-2})\,\mathrm{edge}(s_m)$.
We use the function $\mathrm{etrav}(w) = \{s \in S \mid w \text{ is an edge-traverse for } s\}$ for the following programming piece:
etrav(A):
    w := □
    etrav = ∅
    while etrav ⊂ S do
        choose(s ∈ S \ etrav)
        w := w reset(δ(w, s), s_1) start
        etrav := etrav(w)
    end while
    return w
$\Box$
A worst case estimate can be derived as follows. As before $|\mathrm{reset}(s, s')| \le m - 1$. Then $|\mathrm{edge}(s)| \le (n-1)(m-1) + 1$, and then
$$|\mathrm{start}| \le m((n-1)(m-1) + 1) + (m-1)m = nm(m-1) + m.$$
In the worst case only one state is eliminated at each turn of the loop. At each turn $|\mathrm{reset}(\delta(w, s), s_1)\,\mathrm{start}|$ is added to $|w|$. Since there are $m$ such turns we obtain $|\mathrm{strav}(A)| \le m^2(n(m-1) + 1)$.
Example 3.7 (edge- and state-traverses) Consider for $n > 0$ $X = \{x_1, \ldots, x_n\}$ and $\mathrm{Res}_X$. We use the function $\mathrm{reset}(y, x) = x$ ($x, y \in X$). Then the construction given for state-traverses yields $\mathrm{start} = x_2 \ldots x_n$ and starting with state $x_1$ after the first run of the loop $w = x_1 \ldots x_n$. Now $\mathrm{trav}(w) = S$. Hence, no further loop follows and we obtain $\mathrm{strav}(\mathrm{Res}_X) = x_1 \ldots x_n$. Turning to edge-traverses the construction of th.3.6 gives for $s \in S$ $\mathrm{edge}(s) = x_1 s x_2 \ldots s x_n$. There are $n$ runs of the loop. We obtain $\mathrm{etrav}(\mathrm{Res}_X) = x_1\,\mathrm{edge}(x_1)\,x_2\,\mathrm{edge}(x_2) \ldots x_n\,\mathrm{edge}(x_n)$.
Note that $|\mathrm{etrav}(\mathrm{Res}_X)| = 2n^2$.
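Lemma 3.3 and the edge-traverse construction of Theorem 3.6 can be checked mechanically on a small automaton. The following Python sketch is an added example, not code from the paper: it builds an edge-traverse for every start state using a variant of the loop above that tracks the current state and takes shortest reset words found by breadth-first search (instead of the fixed word start), then enumerates all of $F_{\mathrm{out}}$ for a constructed $\mathrm{Res}_X$ with $X = \{a, b, c\}$. All function names and the dictionary encoding are assumptions made here.

```python
from collections import deque
from itertools import product

def run(delta, w, s):
    """delta extended to words (transition formula)."""
    for x in w:
        s = delta[(x, s)]
    return s

def response(delta, lam, w, s):
    """lambda^s(w), built letter by letter (response formula)."""
    out = []
    for x in w:
        out.append(lam[(x, s)])
        s = delta[(x, s)]
    return tuple(out)

def evisit(delta, w, s):
    """evisit_A(w, s): the edges (x, s') used while reading w from s."""
    seen = set()
    for x in w:
        seen.add((x, s))
        s = delta[(x, s)]
    return seen

def reset(delta, inputs, s, t):
    """A shortest word leading from s to t; one exists if A is irreducible."""
    queue, seen = deque([(s, ())]), {s}
    while queue:
        q, u = queue.popleft()
        if q == t:
            return u
        for x in inputs:
            n = delta[(x, q)]
            if n not in seen:
                seen.add(n)
                queue.append((n, u + (x,)))
    raise ValueError("automaton is not irreducible")

def edge_traverse(delta, inputs, states):
    """A word that is an edge-traverse for every start state."""
    all_edges = set(product(inputs, states))
    w = ()
    while True:
        missing = [s for s in states if evisit(delta, w, s) != all_edges]
        if not missing:
            return w
        cur = run(delta, w, missing[0])
        for t in states:            # go to each state t ...
            for x in inputs:        # ... and take each outgoing edge (x, t)
                w += reset(delta, inputs, cur, t) + (x,)
                cur = delta[(x, t)]

def missed(delta, lam, outputs, states, w):
    """Number of (output fault, start state) pairs that w fails to expose."""
    edges = sorted(lam)
    count = 0
    for values in product(outputs, repeat=len(edges)):
        lam_f = dict(zip(edges, values))
        if lam_f == lam:            # not a fault: F_out needs lambda_f != lambda
            continue
        for s in states:
            if response(delta, lam, w, s) == response(delta, lam_f, w, s):
                count += 1
    return count

# Constructed sample: the reset automaton Res_X of Example 1.5, X = {a, b, c}
X = ("a", "b", "c")
DELTA = {(x, y): x for x in X for y in X}           # delta(x, y) = x
LAM = {(x, y): int(x == y) for x in X for y in X}   # Kronecker output
W = edge_traverse(DELTA, X, X)

if __name__ == "__main__":
    print("".join(W), len(W), missed(DELTA, LAM, (0, 1), X, W))
```

The single word W separates $\mathrm{Res}_X$ from each of its 511 output faults from every start state, while a word that is not an edge-traverse, such as $aa$, leaves faults undetected.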
4. Output faults
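We are now in the position to deal with testing output faults. In other words we design tests for $A \in \mathrm{Autom}(S)$ and $F_{\mathrm{out}}(A)$, respectively $F_{\mathrm{mout}}(A)$ in case $A$ is a Moore-automaton.
Theorem 4.1 If $A \in \mathrm{Autom}(S)$ is irreducible then $F_{\mathrm{out}}(A)$ is strongly testable for $A$ and any edge-traverse is a test for $F_{\mathrm{out}}(A)$ and $A$. If $A$ is a Moore-automaton, then any state-traverse is a test for $F_{\mathrm{mout}}(A)$ and $A$.
Proof. By th.3.6 an edge-traverse $w$ for $A$ exists. By le.3.2 $F_{\mathrm{out}}(A)$ is testable and $w$ is a test for $F_{\mathrm{out}}(A)$. $\Box$
Next we consider direct sums of irreducible automata.
Lemma 4.2 If $A \in \mathrm{Autom}(S)$ with $A = \mathrm{bottom}(A)$ then a $w \in I^*$ exists such that $w$ is a test for $A$ and $F_{\mathrm{out}}(A)$.
Proof. We know $A = A_1 \oplus \cdots \oplus A_k$ where $A_i \in \mathrm{Autom}(S_i)$ is irreducible for $1 \le i \le k$. Choose an edge-traverse $w_i$ for any $A_i$. Let $w = w_1 \ldots w_k$. Then $w$ is an edge-traverse for $A$ and all $A_i$. If $A_f \in F_{\mathrm{out}}(A)$ then $\mathrm{bottom}(A_f) = A_f$. Since $\delta = \delta_f$ we get the corresponding decomposition $A_f = A_{f1} \oplus \cdots \oplus A_{fk}$ where $A_i = A_{fi}$ or $A_{fi} \in F_{\mathrm{out}}(A_i)$ ($1 \le i \le k$). Consider $s \in S$ with $\lambda^s \ne \lambda_f^s$ then for some $1 \le i \le k$: $s \in S_i$. In this case $A_{fi} \in F_{\mathrm{out}}(A_i)$ and $w$ is a test for $A_i$. But then $\lambda^s(w) = \lambda_i^s(w) \ne \lambda_{fi}^s(w) = \lambda_f^s(w)$. $\Box$
Theorem 4.3 If $A \in \mathrm{Autom}(S)$ and $A_f \in F_{\mathrm{out}}(A)$, then $A_f$ is testable if and only if $A_f$ is $\mathrm{bottom}(A)$-testable. Moreover, a $w \in I^*$ exists, such that $w$ is a test for all testable $A_f \in F_{\mathrm{out}}(A)$.
Proof. If $A_f$ is testable, we know a fortiori that $A_f$ is $\mathrm{bottom}(A)$-testable.
Conversely, suppose $A_f$ is $\mathrm{bottom}(A)$-testable. Since $\delta = \delta_f$, $\mathrm{bottom}(A_f)$ is a testable fault for $\mathrm{bottom}(A)$. By le. 4.2 there exists a $w_o \in I^*$ (independent of $A_f$) such that $w_o$ is a test for $\mathrm{bottom}(A)$ and $\mathrm{bottom}(A_f)$. But $w_o$ is also a test for $\mathrm{bottom}(A)$ and $A_f$. Let $w = \mathrm{down}(A)w_o$. Using $\delta = \delta_f$, fact 1.6 and the same argument as in the proof of le.3.2 we can show that $A_f$ is testable and $w$ is a test for $A$ and $A_f$. $\Box$
Example 4.4 (testing output faults) Consider the automata $A_k$ from ex. 2.6 where $I = \{a, b\}$.
Let $A_f \in F_{\mathrm{mout}}(A)$ with $\mu_f(0) = 1$. Then $A_f$ is $\mathrm{bottom}(A_k)$-testable and any $w \in I^* \setminus \Box$ is a $\mathrm{bottom}(A_k)$-test. By th.4.3 $A_f$ is testable and in connection with ex. 3.1 $a^{2k+1}w$ is a test for $A_f$, but $a^{2k+1}$ alone is a test for $A_f$. If $\mu(0) = 0$, $A_f$ is not testable. If $w \in I^*$ is a test, then $w = xw'$ for $x \in I$ and $w' \in I^*$. If $x = a$, then the fault given by $\mu_f(2) = 1$ cannot be tested, and if $x = b$ the fault given by $\mu(1) = 0$ is not testable. Hence, any test for $A_f$ needs at least two testwords. For $A_k$ and $s \in S_k \setminus 0$ we find $\mathrm{evisit}_{A_k}(a^{2k} b^{2k} ab, 1) = (I \times S_k) \setminus (a, 2)$.
But then $\mathrm{evisit}_{A_k}(b^i a^{2k} b^{2k} ab, 2i+1) = \mathrm{evisit}_{A_k}(b^{k+i} a^{2k} b^{2k} ab, 2(k-i+1)) = (I \times S_k) \setminus (a, 2)$ ($0 \le i \le k$). Now, $T_0 = \{b^i a^{2k} b^{2k} ab \mid 0 \le i \le k\} \cup \{b^{k+i} a^{2k} b^{2k} ab \mid 0 \le i \le k\}$ is a test for every $A_f \in F_{\mathrm{out}}(A_k)$ with $\lambda_f(a, 2) = 0$. For $A_f \in F_{\mathrm{out}}(A_k)$ with $\lambda_f(a, 2) = 1$ $a^{2k+1}$ is a test. In total $T = T_0 \cup a^{2k+1}$ is a test for $A_k$ and $F_{\mathrm{out}}(A_k)$.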
References
[1] R. BOUTE and E.J. MCCLUSKEY, “Fault Equivalence in Sequential Machines”, Technical Report No. 5, Computer Systems Laboratory, Stanford University (June 1971)
[2] W. BRAUER, “Automatentheorie”, B.G. Teubner, 1984
[3] E. F. MOORE, Gedanken-Experiments on sequential machines, in: C.E. SHANNON, J. MCCARTHY, Automata Studies, Ann. Math. Studies 34, Princeton University Press, Princeton 1956
[4] J.F. POAGE and E.J. MCCLUSKEY, “Derivation of Optimum Test Sequences for Sequential Machines”, Proc. 5th Ann. Sympos. on Switching Theory and Logical Design, pp. 121-132 (1964).