We propose an algorithm that localizes faults in a state transition system represented by a set of guarded commands with respect to safety properties and desired system scenarios represented by a specification that the system should branching simulate a lower-bound Kripke structure KLB and should be branching simulated by an upper-bound Kripke structure KUB. Our algorithm is a branch-and-bound algorithm with two phases. In the first phase, certain sets of suspicious variable occurrences in some guarded commands are iteratively chosen, and those guarded commands with occurrences of suspicious variables are suspended and then all combinations of suspicious variable occurrences in those guarded commands are added to the system. This phase is looped until the modified system simulates KLB. In the second phase, those guarded commands which are added to the system are iteratively removed until the modified system satisfies the specification or all possible systems are tested. If no system which satisfies the specification is found, the two phases will iterate again and again until the system satisfies the specification. Once a modified system satisfies the specification, the set of suspicious variable occurrences in the guarded commands is returned to the user as the faults. Moreover, several factors that affect the performance of our algorithm and the quality of found solutions are discussed.