

Computer Communications 23 (2000) 1196-1213

<u>computer</u> communications

www.elsevier.com/locate/comcom

# A success story of formal description techniques: Estelle specification and test generation for MIL-STD 188-220<sup>☆</sup>

M.A. Fecko<sup>a,\*</sup>, M.Ü. Uyar<sup>b</sup>, P.D. Amer<sup>a</sup>, A.S. Sethi<sup>a</sup>, T. Dzik<sup>c</sup>, R. Menell<sup>c</sup>, M. McMahon<sup>d</sup>

<sup>a</sup>Computer and Information Sciences Department, University of Delaware, Newark, DE, USA <sup>b</sup>Electrical Engineering Department, The City College of the City University of New York, New York, NY, USA <sup>c</sup>US Army CECOM, Fort Monmouth, NJ, USA

<sup>d</sup>ARINC, Inc., Shrewsbury, NJ, USA

### Abstract

This paper presents a success story of specifying a complex real-life protocol (MIL-STD 188-220) in Estelle and generating test sequences from the formal specification. 188-220 is being developed in the US Army, Navy and Marine Corps systems for mobile combat network radios. A key factor in this success story has been the collaboration among the researchers of the University of Delaware and the City College of the City University of New York, the developers of the US Army Communications–Electronics Command (CECOM), and the protocol designers in the Joint Combat Net Radio Working Group. Based on the research results, 188-220 test sequences are realizable without timer interruptions while providing a 200% increase in test coverage. The test cases are being installed at a CECOM test facility. © 2000 Elsevier Science B.V. All rights reserved.

Keywords: Conformance testing; Test case generation; Protocol specification; Testing; Estelle; MIL-STD 188-220

### 1. Introduction

Formal methods in conformance testing are becoming widely used in the testing of real-life protocols [6,16,17,24,35,36,76]. OSI conformance testing has been applied to the Internet protocols such as Hypertext Transfer Protocol [24], Simple Mail Transfer Protocol [6], and TCP/ IP [36]. Another area of successful application of conformance testing are ATM/B-ISDN protocols, e.g. the testing of ATM Adaptation Layer protocol [76], ATM switching systems [16,35], and B-ISDN signalling [17].

There have also been several reports on successful application of Estelle to real-life systems [8,14,34,49,58,69]. Estelle was used to automatically implement TP4/IP protocol [69], to uncover ISO Remote Operations Service Element [29] protocol errors [34], and to specify, detect, and resolve feature interactions in Intelligent Networks [8]. Most recently, simulation studies [49] of the Estelle specification of Service Specific Connection-Oriented Protocol [33] revealed some specification errors and flow control inefficiencies of the protocol definition. Catrina et al. [14] showed that it is possible to use an Estelle specification to automate implementation of a sophisticated transport protocol (XTP 4.0 [75]). These [58] compared performance of the XTP 4.0 implementations automatically generated from the Estelle specification with hand-coded implementations. Both studies point out numerous advantages (and potential problems) of using Formal Description Techniques (FDTs) for XTP code generation.

This paper presents a success story of specifying a complex real-life protocol in Estelle, and automatically generating conformance tests from the formal specification. The US Department of Defense (DoD)/Joint protocol, called Military Standard (MIL-STD) 188-220, is being developed in the US Army, Navy and Marine Corps systems for mobile combat network radios [19]. With the understanding of the power of formal description techniques, a key factor in this success story has been the collaboration among the four groups: the researchers of the University of Delaware (UD) and the City College of the City University of New York (CCNY), the developers of the US Army Communications–Electronics Command (CECOM) in New Jersey, and the protocol designers in the Joint Combat

<sup>&</sup>lt;sup>\*</sup> This work was supported by the US Army Research Office (DAAH04-94-G-0093), and prepared through collaborative participation in the Advanced Telecommunications/Information Distribution Research Program (ATIRP) Consortium sponsored by the U.S. Army Research Laboratory under the Federated Laboratory Program, Cooperative Agreement DAAL01-96-2-0002.

<sup>\*</sup> Corresponding author. Tel.: + 1-302-831-8013; fax: + 1-302-831-8458.

E-mail address: fecko@mail.eecis.udel.edu (M.A. Fecko).



Fig. 1. History of MIL-STD 188-220 development.

Net Radio (CNR) Working Group (WG). As a result of this success story, the synergistic framework to develop  $C^4I$  (Command, Control, Communications, Computers, and Intelligence) systems with the help of formal methods serves as a model for future DoD standards development [19].

Since this paper is a case study promoting a successful application of Estelle to a real-life protocol, it includes a cross-section of activities over the past few years. Section 2 provides the background on the collaboration among the MIL-STD 188-220 sponsors, research and development teams, and standards organizations. Sections 3 and 4 briefly overview the formal description technique Estelle and 188-220, respectively. Section 5 presents a part of the Estelle specification of 188-220, and gives examples of errors and ambiguities found thanks to formally specifying the protocol. A general approach adopted at UD and CCNY to test generation from an Estelle formal specification is described in Section 6. This section also summarizes recent research results obtained in minimum-length test generation based on Estelle specifications. Section 7 contains information on practical results in test generation and delivery. Finally, Section 8 presents the authors' view on the improvements to the protocol development process due to using formal methods.

### 2. History of MIL-STD 188-220 development

In 1994, UD's Protocol Engineering Laboratory began its involvement with the US Army in using Estelle [11,28,57,60] to formally specify a military standard MIL-STD 188-220 [18]. An initial small contract with the Army Research Laboratory supported both simulation and specification of the 1993 version of 188-220 [13,45]. The formal specification research effort received the attention of the CECOM Software Engineering Center, which leads the effort to evolve 188-220 to meet the Army's requirements for battlefield digitization, through the Joint CNR WG, itself responsible for the evolving 188-220 standard.

From 1995 to 1998, at least fifty changes to the English specification of 188-220 resulted from UD's efforts using Estelle to formally specify the standard [2,18] (see Fig. 1). While the English text takes precedence in case of disagreement with the formal specification, *the Estelle specification* 

of 188-220 is an official part of the military standard. To the best of our knowledge, 188-220<sup>1</sup> represents one of the first major national or international standards officially including an Estelle specification. There are other examples of international standards that include Estelle specifications such as OSI session protocols [30,48], OSI Distributed Transaction Processing [31], and OSI File Transfer, Access and Management protocol [27].

CECOM is developing a Conformance Tester that automatically evaluates a 188-220 implementation identifying where it differs from the standard. The test generation research was initiated as part of the US Army's Advanced Telecommunication and Information Distribution Research Program (ATIRP) in January 1996, when UD's Protocol Engineering Lab began research collaboration with CCNY. Efforts were focused on automatically generating test cases from the Estelle specifications. Generating tests from formal specifications such as pure finite state machines (FSMs) has been extensively studied in the literature. But the inherent complexity of 188-220 is far beyond specifying with pure FSMs, hence the need to use a more powerful specification language such as Estelle, ISO 9074. Unfortunately, generating tests from Estelle specifications presents difficult theoretical and practical problems. UD and CCNY faculty and students continue to investigate these problems with the practical motivation of applying the results towards 188-220 test case generation.

As mentioned above, automatic generation of tests from Estelle specifications presented various theoretical problems:

- During testing, if active timers are not taken into account, they can disrupt the test sequences, failing correct implementations (or worse, passing incorrect ones). Therefore, timers have to be incorporated as constraints into the extended FSM (EFSM) model of an Estelle specification.
- 2. Test sequence generation is limited by the controllability of an Implementation Under Test (IUT) [7]. Testers may not have direct access to all interface(s) in which the IUT accepts inputs (typically, the interfaces with upper layers, or with timers). In this case, some inputs cannot be directly applied; the interactions involving such interfaces may render some portions of the protocol untestable, and may introduce non-determinism and/or race conditions during testing.
- 3. Infeasible test sequences may be generated unless conflicting conditions based on protocol's timers that may be running simultaneously are resolved (the so-called *conflicting timers problem*).

The timing and controllability issues were present in the EFSM model of the Estelle specification of MIL-STD 188-220 [3,20]. Based on the results of the investigating problems (1) and (2) by the UD and CCNY joint group

<sup>&</sup>lt;sup>1</sup> In the rest of the paper, 188-220 refers to the version "B" of the standard, completed in January 1998.





• Architecture: Hierarchy and Interconnections of EFSMs

- modules

interaction points
 channels



Fig. 2. Estelle: ISO international standard 9074.

[20,23,66], UD has been providing CECOM with automatically generated test sets since 1997. The sizes of the resulting FSMs derived from the Estelle specification range from 48 to 303 states, and from 119 to 925 transitions. The corresponding test sequences range from 145 to 2803 test steps. These tests are free of interruptions due to unexpected timeouts while their coverage of the number of testable transitions increased from approximately 200 to over 700 by utilizing multiple interfaces without controllability conflicts. Current research focuses on the conflicting timers problem.

### 3. Estelle

In 1989, Estelle was published as one of two ISO International Standard Formal Description Techniques (FDT) for the specification of computer communication protocols [11,28]. As shown in Fig. 2, Estelle specifies a protocol's behavior as a set of communicating extended finite state machines. To avoid ambiguity among different readers of a specification, the Estelle language itself has a formal, mathematical, implementation-independent semantics.

Estelle is an expressive, well-defined, well-structured language that is capable of specifying distributed, concurrent information processing systems in a complete, consistent, concise, and unambiguous manner. An Estelle specification aims at discovering and resolving ambiguities



Fig. 3. MIL-STD 188-220 protocol architecture. Parts of the protocol where FDTs were used during the development are circled.

in the original English document that would cause interpretation problems for implementors.

An Estelle specification consists of two parts: architecture and its behavior. The architecture specifies a collection of systems of nested modules. Each module's behavior is described by an extended FSM. These EFSMs interact via the sending of interactions over a set of channels. The interactions are conceptually stored in infinite FIFO queues enabling transitions in the receiving module which are fired when all enabling conditions are satisfied. A complex set of rules define either a parallel or synchronous firing of transitions within each EFSM. Overall, the many features of Estelle allow a user to formally specify a wide variety of network protocol behaviors. Further information about Estelle can be found in Refs. [57,60].

One major benefit of an Estelle specification as a model of a communication protocol is that it can be used as input to a conformance test generation tool. Since Estelle makes it possible to create a complete and unambiguous protocol model, the test cases generated from it can potentially achieve higher fault coverage than hand-generated ones, and are reproducible with far less effort as 188-220 evolves in the future. These advantages are the primary motivations for using Estelle to specify 188-220.

### 4. MIL-STD 188-220

The Protocol Engineering Lab researchers at UD used Estelle to specify parts of the 188-220 protocol suite. This suite was developed to meet the requirements for horizontal integration, seamless Internet communications and increased mobility using combat network radios [19]. This protocol, a critical piece of the new Joint Technical Architecture, is now mandated for CNR communications. It is being implemented in US Army, Navy and Marine Corps systems, and has been demonstrated initially during the Army's Advanced Warfighting Experiment in 1997. 188-220 is now receiving allied/international attention, while portions of its protocol architecture have been promulgated in the Internet Engineering Task Force. Expected outcomes from its use are: seamless connectivity of  $C^4I$  systems (discussed briefly in Section 8), horizontally integrated information networks, and joint interoperable  $C^4I$  systems for the warfighter.

188-220, originally developed in 1993, evolved to 188-220A with substantial new functionality, including support for new radio technology and integration with Internet protocols (commercial IP, TCP, and UDP at the network and transport layers). Version 188-220B, whose architecture is depicted in Fig. 3, describes the protocols needed to exchange messages using CNR as the transmission media. These protocols include the physical, data link and part of the network layer of the OSI model. The protocols apply to the interface between host systems and radio systems. Hosts usually include communications processors



Fig. 4. Network layer interface and architecture.

or modems that implement these lower layer protocols. The unshaded portions of Fig. 3 indicate those protocols and extensions that were developed specifically for use with CNR.

MIL-STD 188-220 Datalink layer specifies several service types, each intended to handle different types of traffic with different quality of service (QoS) demands. A 188-220 station can actually process several different types of traffic simultaneously (and almost orthogonally). MIL-STD 188-220 Network Layer consists of Internet (IP) Layer, Subnetwork Dependent Convergence Function (SNDCF), and Intranet Layer. The Intranet Layer has been dedicated to routing intranet packets between a source and possibly multiple destinations within the same radio network. The Intranet Layer also accommodates the rapid exchange of topology and connectivity information—each node on the radio network needs to determine which nodes are on the network and how many hops away they are currently located.

### 5. 188-220 Estelle specification

To help a reader realize the magnitude of formally specifying a protocol of 188-220 size and complexity, let us give some numbers. The Datalink (Network) layer specification consists of 69 (19) documents describing architecture, interfaces, EFSM, and state table of each module. The Datalink layer specification is accompanied by three (for Datalink classes A, B, and C) Estelle source code files with approximately 1600, 8700, and 2400 lines of code, respectively. The Estelle source code for the Network layer has 7150 lines of code, defining 34 states and 370 transitions in seven EFSMs.

Due to its large size, it is not possible to include the actual Estelle specifications in this paper. For a more detailed description of the semantics of Estelle specification components (communication channels, interactions, etc.), the reader may consult our paper on Datalink Layer specification [2], or may visit the Web site at http://www.cis.ude-l.edu/~amer/CECOM. In the next section, we present an overview of the Network Layer architecture with a focus on the Topology Update and Source Directed Relay functions of the Intranet sublayer.

### 5.1. Intranet layer architecture

Fig. 4 shows the interface and general architecture of the Network layer. The architecture represents the protocol stack at a single station, as well as an interface with operator "module" which can interact with several different layers in the stack. The operator module abstracts the link layer's interactions with both a human operator and a system management process.<sup>2</sup>

Fig. 5 shows the internal structure of the Intranet Layer. The two main Intranet Layer functionalities, Source Directed Relay (SDR) and Topology Update (TU) exchange, were encapsulated in separate component modules of the Intranet Layer module. This simplifies the design of the

<sup>&</sup>lt;sup>2</sup> Note that the numbers in Figs. 4 and 5 refer to interactions, and are consistent throughout the figures (e.g. number 12 refers to *OP-min-update-per* in all three figures).



Fig. 5. Intranet layer architecture.

FSMs that model the entire layer, and also allows for generating test cases for each functionality separately.

The SDR module receives *IL\_Unitdata\_Req* messages through *SNDCFSAP* interaction point. It starts/stops a varying number of *END\_END\_ACK* timers, one for each IP packet that has been sent but not yet acknowledged. The TU module interacts with the SDR module by notifying it of any topology changes that take place dynamically. The TU module communicates with two timers: *Topology\_Update Timer* and *Topology\_Update\_Request Timer*. The former is started after a topology update message is sent by the station. According to 188-220A, a station is not allowed to send another topology update message until the timer expires. The latter performs the same role for topology update request messages.

Both SDR and TU modules can send and receive messages from the datalink layer through their *lower\_mux* interaction points—the messages from the two modules are multiplexed by the parent Intranet Layer module. A peer operator or management component is connected directly to the Topology Update module and can set parameters that are relevant in topology update mechanism. Part of the diagram inside the dash-lined rectangular contains modules that handle XNP procedures: joining and leaving the net with either centralized or distributed control, and parameter update requests.

### 5.2. Problems and ambiguities found in 188-220 through formal specification

Primary goals in developing an Estelle formal specification are:

- discover and document problems and ambiguities that are commonly seen in a standard written in natural language;
- 2. verify the protocol;
- 3. simulate the protocol;
- 4. automate code implementation;
- 5. automate test generation process.

MIL-STD 188-220 project focuses on goals (1), (3), and (5), with simulation studies done by the US Army as reported in Ref. [19]. Although the formal verification of 188-220 is not part of the project, some of the errors found during the formal specification can also be classified as part of goal (2). Achieving goal (4) is an open issue; manufacturers, who were already developing implementations before the Estelle specification was created, now have an option to use the Estelle specifications for automated code generation.

In the process of developing the Estelle specifications of the Data Link layer and, most recently, the Intranet Layer, more than fifty problems in the original English specification have been documented. Here we present a representative cross-section of examples of ambiguities found and corrected, demonstrating the difficulty of defining protocol operations in a natural language.

Examples range from ambiguities such as:

- "...a station shall wait for some period of time *bounded by the probability* of the remote ack time expiration."
- the Intranet Layer allows a station to enter *Quiet mode* whereas the Data Link layer refers to a station being in *response mode off.* It was unclear how these two terms differ, if at all;

to more serious examples of correctness/completeness such as:

- Intranet routing was originally defined based on spanning trees of the Intranet topology. However the draft standard's examples did not comply with the mathematical definition of a spanning tree.
- The phrase "may report to the higher layer protocol, and may initiate appropriate error recovery action" was added in several locations when the datalink layer identified an error condition such as a lack of acknowledgment after the maximum allowed number of retransmissions.

A few more selected examples are presented in Appendix A to illustrate the nature of errors found in the protocol. All



Fig. 6. Test generation from extended FSMs.

these problems were reported back to the CNR Working Group and subsequently removed from the standard.

### 6. Test case generation

Test scripts (test cases) specify a logical sequence of test steps that are performed by a Conformance Tester to individually test a given protocol entity. The test scripts are input to the Conformance Tester which in turn stimulates an IUT, and assesses the IUT's responses to determine if the IUT correctly implements the protocols. Since it is impossible to exhaustively test an implementation in practice, a good set of test scripts should at least check those events that affect state/transition, boundary conditions, and stress points. The test scripts themselves should be structured as independent modular components to facilitate modifying and adding to the scripts in response to 188-220's continuing evolution.

A number of techniques have been proposed to generate test sequences from Estelle specifications [42,43,61,62,74]. However, full Estelle specifications of large systems may prove to be too complex for direct test case generation. As shown in Fig. 6, there are several ways of generating test sequences from Estelle specifications. One approach would be to *expand* Estelle's EFSMs thereby converting them to pure FSMs. This would be useful since methods exist for generating tests directly from pure FSMs (e.g. [1]). Unfortunately, converting even simple EFSMs can result in the state explosion problem, that is, the converted FSM may have so many states and/or transitions that either it takes too long to generate tests, or the number of tests generated is too large for practical use.

As an alternative, UD and CCNY joint group uses an intermediate approach, where an Estelle EFSM is partially expanded (hence resulting in some more states and transitions), but not expanded completely to a pure FSM. The EFSM is expanded partially just enough to generate a set of tests that is feasible and practical in size. Determining which

features to expand in the general case is the difficult aspect of this research.

*Test Case Generation Research*: Conformance test generation techniques reported in the literature [1,7,39,46,55,62], using a deterministic finite-state machine (FSM) model of a protocol specification, focus on the optimization of the test sequence length. However, an IUT may have timing constraints imposed by active timers. If these constraints are not considered during test sequence generation, the sequence may not be realizable in a test laboratory. As a result, valid implementations may incorrectly fail the conformance tests (or, nonconformant IUTs may incorrectly pass the tests).

Another problem in test sequence generation is due to the limited controllability of an IUT. Typically, the inputs defined for the interfaces with upper layers or with timers cannot be directly applied by the tester. In this case, the testability of an IUT may severely be reduced; in addition, non-determinism and/or race conditions may occur during testing.

In Sections 6.1 and 6.2, the research results to eliminate the timing constraints and controllability problems which appear in the EFSM model of the 188-220 are outlined. The current research is focusing on the so-called *conflicting timers problem*, where infeasible test sequences may be generated unless conflicting conditions based on timers are resolved, as described in Section 6.3.

#### 6.1. Timing constraint problem

During testing, traversing each state transition of an IUT requires a certain amount of time. A test sequence that traverses too many *self-loops* (a *self-loop* is a state transition that starts and ends at the same state) in a given state will not be realizable in a test laboratory if the time to traverse the self-loops exceeds a timer limit as defined by another transition originating in this state. In this case, a timeout will inadvertently trigger forcing the IUT into a different state, and thereby disrupting the test sequence before all of the self-loops are traversed. If this unrealizable test sequence is not avoided during test generation, most IUTs will fail the test even when they meet the specification. Clearly, this is not the goal of testing. Therefore, a properly generated test sequence must take timer constraints into account.

The presented methodology [66,67] optimizes the test sequence length and cost, under the constraint that an IUT can remain only a limited amount of time in some states during testing, before a timer's expiration forces a state change. The solution first augments an original graph representation of the protocol FSM model. Then it formulates a Rural Chinese Postman Problem solution [44] to generate a minimum-length tour. In the final test sequence generated, the number of consecutive self-loops never exceeds any state's specified limit. In most cases, this test sequence will be longer than one without the constraint since limiting the number of self-loop traversals likely requires additional



Fig. 7. Conversion of  $v_i$  in G (part (a)) to  $v'_i$  in G' (part (b)) and to  $v^{*(1)}_i, v^{*(2)}_i$  in  $G^*$  (part (c)).

visits to a state which otherwise would have been unnecessary.

The methodology uses UIO sequences for state verification. However, the results presented also are applicable to test generation that uses distinguishing or characterizing sequences. Earlier results of this study, limited to verification sequences that are self-loops, are presented in Ref. [66]. The later paper [67] generalizes these earlier results to both self-loop and non-self-loop verification sequences.

### 6.1.1. Practical motivation

Examples of protocols that contain many self-loop transitions in their FSM models include ISDN Q.931 for supplementary voice services, MIL-STD 188-220 [18] for Combat Net Radio communication, and LAPD [68], the data link protocol for the ISDN's D channel. For example, in ISDN Q.931 protocol (Basic voice services, for the user side), each state has an average of nine inopportune transitions, which requires the traversal of 18 self-loop transitions during testing. A Q.931 implementation has several active timers that are running in certain states, e.g. timer T304 running in state Overlap sending, and timer T310 in state Outgoing call proceeding. An EFSM modeling the TU functionality of the Intranet Layer has three active states in which one or two timers are running [66].

It is not always possible to delay the timeout at a tester's convenience. In real protocols, there may be timers whose timeouts are difficult to set by the tester, e.g. acknowledgment timers' timeout values often are computed by the implementation. Moreover, a tester may want to test an IUT's behavior for different settings of the IUT's internal timers, to be able to test the IUT's correctness for various configurations of the timers.

In addition to the original self-loops of a specification model, additional self-loops are typically created when generated test sequences use state verification techniques such as unique input/output (UIO) sequences [54], distinguishing sequences [5,38], or characterizing sequences [5,38].

### 6.1.2. Optimizing tests under timing constraints

Let  $E_{self}$  and  $E_{vnsl}$  be the sets of self-loop and non-self-loop edges to be tested, respectively. Let  $d_{self}(v_i)$ , the number of self-loops of vertex  $v_i$ , be defined as the number of edges in

 $E_{self}$  incident on  $v_i$ . Let  $d_{min \ self}(v_i)$  be the minimum number of times any tour covering all edges of  $E_{vnsl} \cup E_{self}$  must include vertex  $v_i \in V$ .

Let  $d_{state\_ver}(v_i)$  be the number of self-loop transitions used to verify whether an IUT is in state  $v_i$ . Suppose that during testing, a given vertex  $v_i \in V$  can tolerate at most  $max\_self(v_i)$  self-loops executed at one visit to vertex  $v_i$ . Attempting to remain in state  $v_i$  to execute 1 +  $max\_self(v_i)$  self-loops would result in disruption of a test sequence. Testing a self-loop transition involves traversing the self-loop transition followed by applying the state verification self-loop sequence, which contains  $d_{state ver}(v_i)$ transitions.

Due to space limitations, we are unable to include the detailed derivation of  $d_{min self}(v_i)$ . In Ref. [66], we prove that the minimum number of times vertex  $v_i$  must be visited in a test sequence is as follows:

$$d_{\min\_self}(v_i) = \begin{cases} d_{in}(v_i) & \text{if } d_{self}(v_i) \le (d_{in}(v_i) \ast \Delta_1(v_i)) \\ \Gamma(v_i) & \text{if } d_{self}(v_i) > (d_{in}(v_i) \ast \Delta_1(v_i)) \end{cases}$$
(1)

where  $d_{out}(v_i)$  and  $d_{in}(v_i)$  are, respectively, the out-degree and the in-degree of vertex  $v_i$  in  $E_{vnsl}$ , and where

$$\Gamma(v_i) = d_{in}(v_i) + \left\lceil \frac{d_{self}(v_i) - (d_{in}(v_i) * \Delta_1(v_i))}{\Delta_2(v_i)} \right\rceil$$
(2)

$$\Delta_1(v_i) = \left\lfloor \frac{max\_self(v_i) - d_{state\_ver}(v_i)}{1 + d_{state\_ver}(v_i)} \right\rfloor$$
(3)

$$\Delta_2(v_i) = \left\lfloor \frac{max\_self(v_i)}{1 + d_{state\_ver}(v_i)} \right\rfloor$$
(4)

G'(V', E') (G' is obtained from G by removing self-loop edges) is converted to  $G^*(V^*, E^*)$  by splitting each vertex  $v'_i \in V'$  satisfying

$$d_{min\_self}(v_i) > max(d_{in}(v_i), d_{out}(v_i))$$
(5)

into the two vertices  $v_i^{*(1)}, v_i^{*(2)} \in V^*$  (Fig. 7). Then,  $v_i^{*(1)}$  is connected to  $v_i^{*(2)}$  with a set of edges with cardinality of  $d_{min\_self}(v_i) : E_1^* \stackrel{def}{=} \bigcup_{v_i' \in V'} g((v_i^{*(1)}, v_i^{*(2)}),$  $d_{min \ self}(v_i)$ ). Each edge in  $E_1^*$  is assigned infinite capacity  $\beta$ 



Fig. 8. Minimum-cost test sequence without self-loop repetition constraint.

and a zero cost  $\psi$ . These fake edges will force additional visits to  $v_i$  in a minimum-cost tour of *G*.

We then use network flow techniques (similar to Aho et al. [1]) to maximize the flow on graph  $G^*$  with minimum cost. This flow defines a minimum-cost tour of G under timing constraints.

*Example*: Consider the FSM (represented by the graph G(V, E)) with self-loop transitions shown in Fig. 8. Suppose that vertices  $v_0$ ,  $v_2$ , and  $v_3$  of the FSM can tolerate at most three, and  $v_1$  at most two self-loop transitions during each visit. Let transitions *e*10 and *e*11 correspond to timeouts. After either *e*10 or *e*11 is triggered, the FSM is brought into state  $v_3$ .

UIO sequences and the values of  $max\_self$ ,  $d_{state\_ver}$  and  $d_{min\ self}$  for vertices  $v_0$ ,  $v_1$ ,  $v_2$ , and  $v_3$  are as follows:

| Vertex | UIO        | max_self | $d_{state\_ver}$ | $d_{min\_self}$ |
|--------|------------|----------|------------------|-----------------|
| $v_0$  | <i>e</i> 0 | 3        | 1                | 2               |
| $v_1$  | e2         | 2        | 1                | 3               |
| $v_2$  | e6,e7      | 3        | 2                | 4               |
| $v_3$  | <i>e</i> 9 | 3        | 1                | 2               |

The Chinese postman method [63] when applied to the graph without any self-loop repetition constraint results in the test sequence

containing 34 edges. Edges used for the purpose of state verification appear in bold.

As can be seen from the underlined part of the above test sequence, after e1 is traversed, the IUT should stay in state  $v_1$  for a time that allows at least three self-loop traversals. However, this part of the test sequence is not realizable in a test laboratory because the timeout edge e10 will be trig-



e0 e0 e1 e2 e10 e9 e9 e9 e12 e0 e1 e2 e2 e4 e6 e7 e11 e9 e12 e1 e3 e2 e4 e6 e6 e7 e5 e0 e1 e4 e7 e6 e7 e5 e1 e4 e8 e6 e7 e5

Fig. 9. Minimum-cost test sequence with self-loop repetition constraint.

gered after the second consecutive self-loop traversal (i.e.  $max\_self(v_1) = 2$ ). The IUT will prematurely move into  $v_3$  and the test sequence will be disrupted.

To address the problem of test sequence disruption due to timeouts, the graph of Fig. 8 is converted to the graph shown in Fig. 9. Since in this example all UIO sequences are self-loops, the simplified conversion presented in Ref. [66] is sufficient. The vertices for which a premature timeout may disrupt a test sequence, which are  $v_1$  and  $v_2$ , are split and then connected by  $d_{min\_self}(v_1) = 3$  and  $d_{min\_self}(v_2) = 4$  edges, respectively.

Considering the constrained self-loop problem, the test sequence for the graph of Fig. 9 is obtained as

containing 40 edges.

Although longer than that of Fig. 8, the test sequence in Fig. 9 is minimum-length with the introduced self-loop constraint. During each visit to vertices  $v_0$ ,  $v_1$ ,  $v_2$  and  $v_3$ , the number of consecutive self-loop edges traversed is less than or equal to the maximum allowed number of self-loop traversals. Therefore, this test sequence is realizable in the test laboratory.

### 6.2. Controllability problem

Consider a testing framework where the interface  $I_1$  between the IUT and the (*N*)-layer in the System Under Test (SUT) [7] is not externally accessible (Fig. 10). In other words, the inputs from (N + 1)-layer cannot be directly applied to the IUT, nor can the outputs generated by the IUT be observed at (N + 1)-layer. Such an interface  $I_1$  is called *semicontrollable* if  $FSM_1$  can be utilized to supply inputs to the IUT. On the other hand, the tester can apply inputs to the IUT directly by using



Fig. 10. Testing (*N*)-layer IUT with an (N + 1)-layer semicontrollable interface.

a lower tester, which exchanges *N*-PDUs with the IUT by using the (N - 1)-Service Provider. The interface  $I_0$  between the lower tester and the IUT is therefore *directly controllable*.

The methodology presented in Ref. [23] addresses the problem of generating optimal realizable test sequences in an environment with multiple semicontrollable interfaces. The methodology fully utilizes semicontrollable interfaces in an IUT while avoiding the race conditions. An algorithm is introduced in Ref. [23] to modify the directed graph representation of the IUT such that its semicontrollable portions become directly controllable, where possible. In the most general case, obtaining such a graph conversion may end up with exponentially large number of nodes. However, it is shown [23] that special considerations such as the small number of interfaces interacting with an IUT and diagnostics considerations make the problem size feasible for most practical cases.

### 6.2.1. Practical motivation

As motivation for solving the controllability problem, a real protocol is considered where an SUT's (N + 1)-layer must be utilized indirectly to test certain transitions within the (N)-layer IUT.

188-220 focuses on three layers: Physical, Datalink, and Network. The Network layer contains an Intranet sublayer.

An SUT contains the (N)-layer IUT implemented in the Datalink layer, and the Intranet sublayer, which is part of the (N + 1)-layer, as shown in Fig. 11.

In the CECOM's environment used for testing 188-220 implementations, the upper layers cannot be directly controlled. Therefore, the IUT's transitions that are triggered by the inputs coming from the Network layer are not directly testable. An example SUT transition that causes a controllability problem is the transition that causes a controllability problem is the transition the Class A-Type 1 Service Datalink module [18,20], shown in Fig. 11. The *input/event* field for this transition requires a *DL\_Unitdata\_Req* from the (N + 1)-layer. Unfortunately, the interface between the IUT and the (N + 1)-layer is not directly accessible for generating this input. Initially, it appears that transition t1 is untestable.

To trigger this transition, which requires the (N + 1)layer to pass a *DL-Unitdata.Req* down to the (N)-layer, feedback from the (N + 1)-layer must be used. To force a *DL-Unitdata.Req* from the (N + 1)-layer, the tester sends a *PL-Unitdata.Ind* to the IUT (similar to the message *a* in Fig. 10) that contains an intranet layer message telling the (N + 1)-layer to relay the frame to a different network node. The IUT outputs this message to the (N + 1)-layer (see message *b* in Fig. 10), and the (N + 1)-layer FSM responds by outputting the desired *DL-Unitdata.Req* (message *c* in Fig. 10). Finally, the datalink layer generates the desired output *PL-Unitdata.Req* (corresponding to message *d* in Fig. 10) which can be observed by the lower tester.

In fact, 70% of the transitions the Class A-Type 1 Datalink Service module are based on not directly controllable inputs. Without indirect testing, test coverage would be seriously limited—only approximately 200 transitions out of 750 would be testable. However, by applying the technique outlined in this paper, over 700 of defined transitions (>95%) can be tested. The application of the presented technique to 188-220 is described in detail in Ref. [21].

Similar controllability problems can also be pointed out in testing the IEEE 802.2 LLC Connection Component [23,32].



Fig. 11. MIL-STD 188-220: example of the controllability problem.



Fig. 12. Classes of edges in G' (dashed-lined outputs are optional).

Table 1

### 6.2.2. Optimizing tests with multiple semicontrollable interfaces

To optimize tests with multiple semicontrollable interfaces, modeling SUT as a single FSM was proposed [22,23]. A semicontrollable interface  $I_i$  is implemented as a separate FIFO buffer. During testing, a buffer may be empty or store an arbitrary sequence of inputs to the IUT generated indirectly through  $I_i$ . For each  $I_i$ , we define variable  $\omega_i$  that has a distinct value for each permutation of inputs that the *i*th buffer can hold. The proposed model consists of graph G (which represents the IUT's FSM) and the variables  $\omega_1, \omega_2, ..., \omega_F$ .

An FSM modeling the SUT can be obtained by expanding G and  $\omega_1, \omega_2, ..., \omega_F$  into G'(V', E'). An algorithm for converting G(V, E) to G'(V', E') proceeds as follows (a detailed description of the algorithm along with its pseudo-code is available in Refs. [22,23]):

### **Step 0—Definitions:**

Let  $B_i$  denote a sequence of inputs buffered at the *i*th semicontrollable interface. Each state  $v' \in V'$  has two components: the original state  $v \in V$ , and the current configuration of *F* buffers, i.e.  $v' = (v, \hat{B}_1, ..., \hat{B}_F)$ . The algorithm constructs all possible buffer configurations with up to  $b_i$  inputs buffered at  $I_i$ .

### Step 1—Initialize:

r', root of G', as  $(r, \emptyset, ..., \emptyset)$  (root of G and configuration of empty buffers); E' as empty set; V' as  $\{r'\}$ ; Q, queue of vertices, as V'.

### Step 2—Repeat until Q is empty:

(1) extract  $v' = (v_{start}, \hat{B}_1, ... \hat{B}_F)$  as first element from Q, where  $(\hat{B}_1, ... \hat{B}_F)$  is current configuration

(2) given the current vertex  $v' = (v_{start}, \hat{B}_1, ..., \hat{B}_F)$ , perform the following steps for each original outgoing edge  $e = (v_{start}, v_{end}) \in E$ :

• create new configuration  $(B_1, \dots B_F)$  based on the class

of e (Fig. 12):

Class 1: *e* is triggered by an input from and generates output(s) to an LT;

Class 2: *e* is triggered by an input from an LT and generates an output  $o_{q,l}$  (buffered in  $B_q$  to create a new configuration) at  $I_q$ ;

Class 3: *e* is triggered by  $a_{p,k}$  (extracted from  $B_p$  to create a new configuration) from  $I_p$  and generates output(s) to an LT;

Class 4: *e* is triggered by an input  $a_{p,k}$  from  $I_p$  and generates an output  $o_{q,l}$  at  $I_q$ . Apply rules for Class 3 and Class 2 to create a new configuration.

- create new vertex  $v'_{new} = (v_{end}, B_1, \dots B_F) \in V'$ , and new edge  $e'_{new} = (v', v'_{new}) \in E'$
- include new edges in E' iff inputs in  $(\hat{B}_1, ..., \hat{B}_F)$  cannot trigger other edges outgoing from  $v_{start}$
- append to Q end vertices  $v'_{new} \in V'$  of new edges included in E'.

### Step 3—Retain only strongly connected states:

remove from V' all vertices from which r' cannot be reached, and remove from E' all edges incident to such vertices.

Based on the practical considerations discussed in Ref. [23], the algorithm can be refined to meet the following

Inputs and outputs for the edges of Fig. 13. A?x denotes receiving input x from A. B!y denotes sending output y to B

| Edge       | Input           | Output            | Edge       | Input           | Output      |
|------------|-----------------|-------------------|------------|-----------------|-------------|
| e1         | $LT ?x_1$       | $FSM_1!o_{1,1}$   | <i>e</i> 6 | $LT ?x_6$       | $LT!y_6$    |
| e2         | $LT ?x_2$       | $FSM_{2}!o_{2,1}$ | e7         | $LT ?x_7$       | $LT!y_7$    |
| е3         | $FSM_1?a_{1,1}$ | $LT!y_3$          | e8         | $FSM_1?a_{1,2}$ | $LT!y_8$    |
| <i>e</i> 4 | $FSM_2?a_{2,1}$ | $FSM_1!o_{1,2}$   | e9         | $LT ?x_9$       | $LT!y_9$    |
| e5         | $LT ? x_5$      | $FSM_{2}!o_{2,2}$ | e10        | $LT ?x_{10}$    | $LT!y_{10}$ |



Fig. 13. IUT interacting with two semicontrollable interfaces.

objective: "generate a test sequence that, at any point in time, avoids storing more than one input in only one of the buffers (where possible)." Satisfying this objective yields a linear running time in the number of semicontrollable interfaces and the number of edges in G. If this objective cannot be satisfied, the running time grows and nondeterminism may not be avoided during testing.

Example: Consider the IUT of Fig. 13 which is interacting with semicontrollable  $FSM_1$  and  $FSM_2$  through the semicontrollable interfaces  $I_1$  and  $I_2$ , respectively. The IUT's FSM (represented by graph G) is described in Table 1. Transition e1, triggered by input  $x_1$  from the lower tester, generates output  $o_{1,1}$  to  $FSM_1$ . In response,  $FSM_1$  sends input  $a_{1,1}$  which triggers transition e3. (In general,  $a_{i,i}$  is the expected response to  $o_{i, j}$ .) Transition e2, which is triggered by a lower tester's input  $x_2$ , outputs  $o_{2,1}$  to  $FSM_2$ , which responds with input  $a_{2,1}$  triggering e4. Then e4 outputs  $o_{1,2}$ to  $FSM_1$ , which responds with  $a_{1,2}$  triggering e8. On the other hand, transitions e5, e6, e7, e9, and e10 can be triggered directly by the lower tester. e6, e7, e9, and e10 do not generate outputs to the semicontrollable interfaces. e5 generates output  $o_{2,2}$  to  $FSM_2$ , which does not send any input to the IUT.

After conversion (Fig. 14), each state of G is replaced with at most four related states in G' corresponding to the buffer configurations at a semicontrollable interface. Each edge e is annotated as e.x, where x = 0, 1, 2, 3, depending on the input buffered in the e.x's start state, as shown in Fig. 14. The solid edges in Fig. 14 are the mandatory edges that are incident to nodes that corre-

Table 2 Minimum-length test sequence for the IUT of Fig. 13



Fig. 14. Graph transformation applied to the graph of Fig. 13. Mandatory and optional edges appear in solid and dashed lines, respectively.

spond to the case where both buffers are empty; the dashedline edges are the ones that can be traversed only when either buffer contains an input. Due to the practical diagnostic considerations [23], we prefer testing edges when no inputs are buffered in semicontrollable interfaces. The Aho et al. [1] optimization technique gives the minimumlength test sequence for G' shown in Table 2. Steps with  $(\rightarrow)$  indicate that an edge is tested in this step. Note that, for simplicity, the UIO sequences [54] are not included in this sequence.

### 6.3. Conflicting timers problem

Suppose that a protocol specification defines a number of timers,  $c_1, ..., c_k$ , such that a timer  $c_i$  may be started and stopped in transitions defined in states  $v_i$  and  $u_i$ , respectively. Each timer  $c_i$  can be associated with a boolean variable  $T_i$  whose value is *TRUE* if  $c_i$  is running, and *FALSE* if  $c_i$  is not running. Let  $\phi$  be a formula obtained from variables  $T_1, ..., T_k$  by using logical connectives  $\land$ ,  $\lor$ , and  $\neg$ . Suppose that a specification contains transitions with conditions of a form "if  $\phi$ " for some formula  $\phi$ . It is clear that there may exist infeasible paths in the FSM modeling a protocol, if two or more edges in a path have inconsistent

| Step            | Edge | Input           | Output            | Step             | Edge         | Input           | Output            |
|-----------------|------|-----------------|-------------------|------------------|--------------|-----------------|-------------------|
| $\rightarrow 1$ | e1.0 | $LT ?x_1$       | $FSM_1!o_{1,1}$   | 8                | e7.2         | $LT?x_7$        | $LT!y_7$          |
| 2               | e5.1 | $LT ?x_5$       | $FSM_{2}!o_{2,2}$ | $\rightarrow 9$  | e8.2         | $FSM_1?a_{1,2}$ | $LT!y_8$          |
| $\rightarrow 3$ | e3.1 | $FSM_1?a_{1,1}$ | $LT!y_3$          | 10               | e7.0         | $LT?x_7$        | $LT!y_7$          |
| $\rightarrow 4$ | e6.0 | $LT ?x_6$       | $LT!y_6$          | $\rightarrow 11$ | e5.0         | $LT?x_5$        | $FSM_{2}!o_{2,2}$ |
| $\rightarrow 5$ | e7.0 | $LT ?x_7$       | $LT!y_7$          | $\rightarrow 12$ | e9.0         | $LT?x_9$        | $LT!y_9$          |
| $\rightarrow 6$ | e2.0 | $LT ?x_2$       | $FSM_{2}!o_{2,1}$ | 13               | e10.0        | $LT?x_{10}$     | $LT!y_{10}$       |
| $\rightarrow 7$ | e4.3 | $FSM_2?a_{2,1}$ | $FSM_1!o_{1,2}$   | 14               | <i>e</i> 6.0 | $LT?x_6$        | $LT!y_6$          |

Table 3 188-220 Datalink tests: a single step corresponds to one input/output exchange

| Test set              | # of states | # of transitions | # of test steps |
|-----------------------|-------------|------------------|-----------------|
| Class A Type 1 servio | re          |                  |                 |
| General behavior      | 298         | 799              | 1732            |
| Precedence            | 303         | 401              | 1316            |
| Multidestination      | 112         | 119              | 145             |
| Class C Type 1 servio | ce          |                  |                 |
| General behavior      | 298         | 799              | 1732            |
| Precedence            | 193         | 357              | 1314            |
| Multidestination      | 112         | 119              | 145             |
| Class C Type 4 servio | ce          |                  |                 |
| General behavior      | 235         | 925              | 2803            |
| Outstanding frames    | 48          | 172              | 264             |
| Multidestination      | 112         | 119              | 145             |

conditions. For example, for transitions e1: *if*  $(T_i)$  *then* { } and e2: *if*  $(\neg T_i)$  *then* { }, a path e1, e2 is inconsistent unless e1 sets  $T_i$  to *FALSE* (which happens when timer  $c_i$  expires in transition e1). The problem of generating tests free of such conflicts is called the *conflicting timers problem*.

Note that the conflicting timers problem is a special case of the general feasibility problem of test sequences. There are two distinctive features of the conflicting timers problem: (1) time variables are linear, and (2) time variable values implicitly increase as time elapses. By considering these two features, we expect to solve this case more efficiently than we could solve the general feasibility problem; hence, it is beneficial to formulate this problem separately.

188-220 Datalink Layer defines several timers that can run concurrently and affect behavior of the protocol. For example, *BUSY* and *ACK* timers may be running independently in a *FRAME\_BUFFERED* state. If either timer is running, a buffered frame cannot be transmitted. If *ACK* timer expires while *BUSY* timer is *not* running, a buffered frame is retransmitted. If, however, *ACK* timer expires while *BUSY* timer is running, no output is generated.

In the test cases delivered to CECOM, such conflicts are handled by manually expanding EFSMs based on the number of conflicting timers. An efficient solution to the conflicting timers problem that eliminates the redundancies of manual state expansion is expected to significantly shorten the test sequences while providing the same fault coverage.

Similar inconsistencies, but based on arbitrary linear variables, are present in EFSMs modeling VHDL specifications [64]. Uyar and Duale presented algorithms for detecting [64] and removing [65] inconsistencies in VHDL specifications. Current research in UD and CCNY is focused on adapting these algorithms for detecting and removing inconsistencies caused by a protocol's conflicting timers.

#### 7. Results: generation and delivery of test scripts

Using the initial results, UD and CCNY collaboratively generated tests for the SAP components of 188-220's Data Link Layer Class A. Class A stations implement Type 1 (Unacknowledged and Coupled Acknowledged Datalink Connectionless) Service, with the original EFSM consisting of 1 state and 15 transitions. Based on the Class A SAP functionalities, the original EFSM was divided into three EFSMs modeling: (1) general behavior of the SAP component interacting with two destinations; (2) datalink precedence; and (3) an IUT's behavior when interacting with up to 16 destinations. Since the total number of states/transitions that would be obtained after full expansion to a pure FSM was infeasibly large, each of the three EFSMs was expanded to a form closer to a pure FSM, but still containing some extensions.

To avoid state explosion problem, each expanded EFSM focused on certain protocol functionalities while restricting others. For example, in 188-220, a sender can interact with up to 16 destinations, each of which may be free or busy. In general behavior tests, destinations are allowed transit between free or busy mode, but the sender is restricted to communicate with at most two of them. In multidestination tests, the sender communicates with up to 16 destinations, which are forced to remain in free mode at all times.

Each expanded EFSM was then used in automated test generation. Table 3 shows the sizes of the expanded EFSMs and the tests that were generated from them. For example, the precedence tests set for Class A-Type 1 Service was based on an expanded EFSM of 303 states and 401 transitions. The minimum-length test sequence generated for this machine consists of 1316 input/output pairs covering every transition in the expanded EFSM at least once.

In 1997, these Class A tests were delivered to CECOM for use in its 188-220 testing facility. Fig. 15 shows a sample of the delivered test scripts. The figure depicts the test group #92 from Datalink Class A-Type 1 service tests. Each test group is a subsequence of a full test sequence that starts and ends in the initial state. In the first step, the technique of utilizing semicontrollable interfaces presented in Section 6.2 is used. The lower tester sends a packet with three destination addresses: IUT\_addr, des\_addr\_1, and des\_addr\_2. The setting Relay = Yes in the INTRANET clause tells the first addressee, i.e. the IUT, to relay the packet to the two remaining addressees. As a result, the IUT sends a packet with its address as a source, and des addr 1 and des\_addr\_2 as destinations, as if it were originated by the IUT's Intranet Layer. In the second and third steps, the IUT's packet sent in the first step is acknowledged by des\_addr\_2 and des\_addr\_1, respectively. Each test step is further annotated with the test description, the number of the corresponding Estelle transition(s), and

 $\parallel$ 

Test Group #92 TESTGROUP=92; LAYER=Datalink; // Test 1 STIMULUS=send; // PL-Unitdata.Ind TIME=long; // DL1 INTRANET={ Type=IP: LowDelay=Yes; HighThroughput=No; HighReliability=No; Precedence=1; // PRIORITY OrgAddr=des\_addr\_17; DestRelay={ Addr=IUT addr; Distance=1: Des=No: Relay=Yes: Ack=No; DestRelay={ Addr=des\_addr\_1; Distance=2: Des=Yes: Relay=No; Ack=No; DestRelay={ Addr=des\_addr\_2; Distance=2: Des=Yes; Relay=No; Ack=No; }; DATALINK={ CtrlField= SendSeq=1; RecSeq=1; ControlSpare=1; DLPrec=1; // PRIORITY IDNum=1: PDU=ui\_0; Command=Yes; SrcAddr=des addr 17; DestAddr=IUT\_addr; }: RESULTS=receive; // PL-Unitdata.Req TIME=normal; // DL1 DATALINK={ CtrlField={ SendSeq=1; RecSeq=1; ControlSpare=1 DLPrec=1; // PRIORITY IDNum=1; PDU=ui\_1; Command=Yes; SrcAddr=IUT\_addr; }. DestAddr=des\_addr\_1;des\_addr\_2;

TESTDESCRIPTION={ Intranet layer passes down a multidestination packet which is queued by datalink layer. Packet requires a coupled ack. There are no outstanding frames. No outstanding frame. Queued frame transmitted to multiple destinations. Frame requires a coupled ack. Ack timer started. // ESTELLE TYPE1SAP\_3,4,TYPE1SAP\_18 // SECTION(S) 5.3.16 5.3.6.1.1 C4.3.5.3.4.2.2.2.1 5.3.6.1.1 // Test 2 STIMULUS=send; // PL-Unitdata.Ind TIME=normal; // DL1 DATALINK={ CtrlField={ SendSeq=1; RecSeq=1; ControlSpare=1; DLPrec=2; // ROUTINE IDNum=1: PDU=urr 0; Command=No; SrcAddr=des\_addr\_2; DestAddr=IUT\_addr; RESULTS=noop; // none TESTDESCRIPTION={ Second destination acks a multidestination packet. First has not acked yet. // ESTELLE TYPE1SAP 12 // SECTION(S) 5.3.7.1.5.5\_5.3.6.1.6\_C4.3 // Test 3 STIMULUS=send; // PL-Unitdata.Ind TIME=normal; // DL1 DATALINK={ CtrlField={ SendSeq=1; RecSeq=1; ControlSpare=1; DLPrec=2; // ROUTINE IDNum=1; PDU=urr\_0; Command=No; SrcAddr=des\_addr\_1; DestAddr=IUT\_addr; RESULTS=noop; // none TESTDESCRIPTION={ First destination acks a packet. Ack timer is stopped. No frame queued for transmission. // ESTELLE TYPE1SAP\_12 // SECTION(S) 5.3.7.1.5.5 5.3.6.1.6 C4.3

Fig. 15. A sample of test scripts delivered to CECOM.

the appropriate section(s) from the 188-220 official document.

Since the summer of 1997, the work on test generation expanded to include Class C. Class C also allows Type 1 Service as in Class A, but it additionally defines Type 4

(Decoupled Acknowledged Connectionless) Service. As in the case of Class A, three EFSMs were used to generate three sets of tests for each Class C service. The sizes of the EFSMs and the corresponding minimum-length tests are shown in Table 3. For example, the general behavior



Fig. 16. Estelle as part of synergistic efforts to develop  $C^4I$  systems.

tests set for Class C Type 4 Service was based on an EFSM of 235 states and 925 transitions. The minimum-length test sequence generated for this machine consists of 2803 input/ output pairs. These tests were delivered to CECOM in 1998.

At the time this paper was written, the implementations from three major manufacturers were being tested at CECOM. The tests generated by the UD and CCNY team have uncovered several implementation errors, including lack of mandatory capabilities in Datalink layer, and problems with multi-hop Intranet Relaying.

### 8. Conclusions: improvements to protocol development process

### 8.1. Integration of Estelle into system development

Traditional sequential process of system development is known to be inefficient since it allows unnecessary duplication and does not facilitate tracking of rapidly changing technology. With 188-220 as a critical component, a synergistic framework for  $C^4I$  (Command, Control, Communications, Computers, and Intelligence) systems development has been established [19] (Fig. 16). It combined several parallel activities: developing protocol standards and specifications, formally specifying protocols in Estelle, building conformance tester hardware and software, "field testing", modeling and simulation, as well as resolving and documenting the solutions to standards-related technical issues by the Joint CNR Working Group. (WG participants include representatives from DoD services/agencies, industry, and academia.)

Using formal methods as part of this process helped create a high quality protocol standard, which is robust, efficient, and relatively error-free. Also, due to the structured nature of Estelle, the specification process progressed at an accelerated pace compared to the English specifications (188-220 was completed on time, setting a rare example in protocol standards arena).

Since it is relatively easier to extract modeling information from a formal specification, the researchers at UD and CCNY were able to solve a number of theoretical problems, which resulted in the development of new testing methodologies. By applying these new results, the conformance tests for 188-220 were generated while the protocol was still evolving. Performing initial conformance tests on prototypes uncovered several interoperability errors very early in the development process.

Following this success of the 188-220 development, the synergistic efforts to develop  $C^4I$  systems with the help of formal methods serves as a model for DoD standards process and development for the future [19].

## 8.2. Advantages of formal methods in eliminating protocol errors

The difficulties of describing protocol operations with clarity, precision, and consistency by using a natural language are illustrated by the examples in Section 5.2. In addition to the vagueness introduced by a natural language description, ambiguities and contradictions are difficult to detect when related protocol functionalities are defined in different document sections separated by pages of unrelated text. Such problems are eliminated in a formal Estelle specification. All actions in a particular context are defined in one place within the Estelle specification. The specifications make the conditions for state transitions explicit through Estelle constructs. Indeed, the very process of creating these constructs enables formal specifiers to detect some of these types of ambiguities which are difficult to see in normal reading.

### 8.3. Observations on applicability of formal methods

As concluding remarks for this paper, we report the following observations based on our experience during the formal specification and test generation for 188-200.

To develop an Estelle formal specification of a protocol, we must not only define its architecture and interface components (e.g. as in Figs. 4 and 5 for 188-220), but we must also carefully specify the behavior of each module of these components. This definition, achieved through the creation of EFSMs, is the most difficult and time-consuming step of creating a formal specification. A syntax-directed editor improves the readability for testers who are not FDT-trained; it also is useful in writing non-trivial specifications. Moreover, the modeling and specification languages, such as SDL [25,26] and UML [50], enjoy widespread industrial popularity, partially due to their standard graphical representation. Therefore, it will be a natural extension for Estelle to include a graphical editor (such an editor has recently been created [56]). Once all states and transitions of a protocol (including inputs and outputs) are finalized, the writing of the Estelle code itself is fast and straightforward.

Since 188-220 is a multilayer, multifunction protocol of a considerable size and complexity, manual generation of conformance test sequences would be both inefficient and ineffective. As seen from Table 3, the tests already delivered

to CECOM contain approximately 10,000 test steps. It is clear that manually generating test sets of this size from the protocol textual description is not a trivial task.

A number of conformance test generation techniques have been proposed [1,7,9,46,53,55,59,62], each of which is expected to give better results for a certain class of protocol specifications depending on the nature and size of the protocol. The experience obtained in generating tests for 188-220 suggests that to successfully test today's complex protocols by using formal methods, an ideal test generation tool should support multiple test generation techniques [41]. They can range from Postman tours [1] or fault-oriented tests [70,72] for mid-size protocols (i.e. the number of states in the order of thousands), to guided random walk approaches [39,73] for large protocols (i.e. the number of states larger than tens of thousands).

State explosion problem has been a major issue for generating FSM models out of EFSM representations of protocols [15,52,71,72]. One common procedure for converting EFSMs into FSMs simultaneously performs reachability analysis and online minimization [15,40]; this conversion is based on combining *equivalent states* [54] by using the notion of *bisimulation equivalence* [47]. Another approach proposes the elimination of inconsistencies in EFSM models [64,65]. Efficient algorithms such as these should be implemented in any test generation tool using FSM models. If the final FSM model is not confined to a manageable size, the test sequences generated from it will be infeasibly long regardless of the test generation method.

Finally, a test house may require its own proprietary format for the executable tests. Although TTCN is accepted as input by many test tools, a proprietary test format may be preferable for a given protocol, if this format is more readable by the domain experts, or is simpler to parse by software tools. The output of a test generation tool should easily be custom-tailored for a particular format, possibly by using simple application generators.

### Acknowledgements

We would like to thank Brian Kind of ARINC, Inc., Annapolis, MD, for his valuable suggestions and comments. We are also grateful to the anonymous reviewers for providing many insightful comments that have improved the quality of this paper.

### Appendix A

A.1. Examples of errors found in 188-220

• The standard indicates in Section<sup>3</sup> 5.3.8.1.2.e that *k* is a link parameter defined to be the "maximum number of

outstanding I PDU's." But in Section 5.3.7.2.5.1, we see that the "...RR command is sent to a destination station when the k value at the originating station reaches half of the k value for that connection." In Section 5.3.7.2.5.1, the first reference to k indicates that k is a variable which is being used as a counter, while the second reference to k has k being a static parameter for that connection. In this case, the standard was changed such that the variable counting the number of outstanding I PDUs was not referred to as k.

- Section 5.3.7.2.5.4.2 states that "When an I PDU has been received and not more than one frame is missing, the station may retain the information field of the out-of-sequence I PDUs and send a SREJ PDU for the missing I PDU." This sentence implies at most one missing I PDU when sending an SREJ PDU. The next sentence, however, states "A station may transmit one or more SREJ PDUs, each containing a different N(R) with P-bit set to 0." This sentence implies that there can be more than one missing I PDU (otherwise why send multiple SREJ PDUs with different N(R)?). At the 13 March meeting, the WG changed this section to indicate that an SREJ PDU may be sent when *at least one*, rather than "no more than one," I PDU is detected as missing.
- In Section 5.3.6.1.9, the standard indicates that "the URNR response PDU shall be used to reply to a UI command PDU with the P-bit set to 1, if the UI command cannot be processed due to a busy condition." Since the UI cannot be processed, this indicates the URNR does not acknowledge the UI. However, Section 5.3.5.2.3.2 states that "the F-bit set to 1 shall be used to acknowledge the receipt of a command PDU with the P-bit set to 1." And Section 5.3.7.1.5.4 indicates that "a URNR response PDU, with F-bit set to 1, may be sent by the remote station to advise the originator of the associated UI command PDU that it is experiencing a busy condition and is unable to accept UI PDUs." The combination of the last two excerpts implies that URNR response PDUs do acknowledge the corresponding UI PDU. A correction of this contradiction was approved at the 13 March 96 WG meeting. Section 5.3.5.2.3.2 was changed to read "the F-bit set to 1 shall be used to respond to the receipt of a command PDU with P-bit set to 1." No acknowledgment is implied.

### References

- A.V. Aho, A.T. Dahbura, D. Lee, M.U. Uyar, An optimization technique for protocol conformance test generation based on UIO sequences and rural Chinese postman tours, IEEE Trans. Commun. 39 (11) (1991) 1604–1615.
- [2] P.D. Amer, G. Burch, A.S. Sethi, D. Zhu, T. Dzik, R. Menell, M. McMahon, Estelle specification of MIL-STD 188-220A DLL, in: Proc. IEEE Milit. Commun. Conf. (MILCOM), October 1996.
- [3] P.D. Amer, M.A. Fecko, A.S. Sethi, M.U. Uyar, T.J. Dzik, R. Menell, M. McMahon, Using Estelle to evolve MIL-STD 188-220, in: S. Budkowski, S. Fisher, R. Gotzhein (Eds.), Proc. Int. Workshop

<sup>&</sup>lt;sup>3</sup> Section numbers refer to the MIL-STD 188-220 official document.

FDT Estelle, Evry, France, Institut National des Telecommunications (INT), Evry, France, 1998, pp. 55–58.

- [5] A. Bhattacharyya, Checking Experiments in Sequential Machines, Wiley, New York, 1989.
- [6] J. Bi, J. Wu, Application of a TTCN-based conformance test environment to the Internet email protocol, in: M. Kim, S. Kang, K. Hong (Eds.), Proc. IFIP Int. Workshop Test. of Commun. Syst. (IWTCS), Cheju Island, Korea, Kluwer, Boston, MA, 1997, pp. 324–330.
- [7] B.S. Bosik, M.U. Uyar, FSM-based formal methods in protocol conformance testing: from theory to implementation, Comput. Networks ISDN System 22 (1) (1991) 7–34.
- [8] J. Bredereke, R. Gotzhein, Specification, detection, and resolution of IN feature interactions with Estelle, Proc. IFIP Formal Desc. Tech. (FORTE)Chapman & Hall, London, 1995, pp. 376–378.
- [9] E. Brinksma, A theory for the derivation of tests, Proc. IFIP Protocol Specif., Test., & Verif. (PSTV), North-Holland, Amsterdam, 1988.
- [11] S. Budkowski, P. Dembinski, An introduction to Estelle: a specification language for distributed systems, Comput. Networks ISDN System 14 (1) (1991) 3–24.
- [13] R. Burch, P. Amer, S. Chamberlain, Performance evaluation of MIL-STD 188-220A: interoperability standard for digital message transfer device subsystems, in: Proc. IEEE Milit. Commun. Conf. (MILCOM), San Diego, CA, November 1995.
- [14] O. Catrina, E. Lallet, S. Budkowski, Automated implementation of the Xpress Transport Protocol (XTP) from an Estelle specification, Electronic J. Networks Distrib. Process 7 (1998) 3–19.
- [15] K.T. Cheng, A.S. Krishnakumar, Automatic generation of functional vectors using the extended finite state machine model, ACM Trans. Design Automation Electron. Systems 1 (1) (1996) 57–79.
- [16] S.-K. Cheong, K.-H. Lee, T.-W. Jeong, The analysis of integrating test results for ATM switching systems, in: B. Baumgarten, H.-J. Burkhardt, A. Giessler (Eds.), Proc. IFIP Int. Workshop Test. of Commun. Syst. (IWTCS), Darmstadt, Germany, Kluwer, Boston, MA, 1996, pp. 83–89.
- [17] J.Y. Choi, B.K. Hong, Generation of conformance test suites for B-ISDN signalling relevent to multi-party testing architecture, in: B. Baumgarten, H.-J. Burkhardt, A. Giessler (Eds.), Proc. IFIP Int. Workshop Test. of Commun. Syst. (IWTCS), Darmstadt, Germany, Kluwer, Boston, MA, 1996, pp. 316–330.
- [18] DoD, Military Standard—Interoperability Standard for Digital Message Device Subsystems (MIL-STD 188-220B), January 1998.
- [19] T. Dzik, M. McMahon, MIL-STD 188-220A evolution: a model for technical architecture standards development, in: Proc. IEEE Milit. Commun. Conf. (MILCOM), Monterey, CA, November 1997.
- [20] M.A. Fecko, P.D. Amer, A.S. Sethi, M.U. Uyar, T. Dzik, R. Menell, M. McMahon, Formal design and testing of MIL-STD 188-220A based on Estelle, in: Proc. IEEE Milit. Commun. Conf. (MILCOM), Monterey, CA, November 1997.
- [21] M.A. Fecko, M.U. Uyar, P.D. Amer, A.S. Sethi, Using semicontrollable interfaces in testing Army communications protocols: Application to MIL-STD 188-220B, in: Proc. IEEE Milit. Commun. Conf. (MILCOM), Atlantic City, NJ, October 1999.
- [22] M.A. Fecko, M.U. Uyar, A.S. Sethi, P.D. Amer, Conformance testing in systems with semicontrollable interfaces, Technical Report TR-98-18, CIS Department, University of Delaware, Newark, DE, 1998, submitted for publication.
- [23] M.A. Fecko, M.U. Uyar, A.S. Sethi, P.D. Amer, Issues in conformance testing: multiple semicontrollable interfaces, in: S. Budkowski, A. Cavalli, E. najm (Eds.), Proc. IFIP Joint Int. Conf. FORTE/PSTV, Paris, France, Kluwer, Boston, MA, 1998, pp. 111–126.
- [24] R. Gecse, Conformance testing methodology of Internet protocols: Internet application-layer protocol testing—HTTP, in: A. Petrenko, N. Yevtushenko (Eds.), Proc. IFIP Int. Workshop Test. of Commun. Syst. (IWTCS), Tomsk, Russia, Kluwer, Boston, MA, 1998, pp. 35–48.
- [25] D. Hogrefe, Validation of SDL systems, Comput. Networks ISDN System 28 (12) (1996) 1659–1667.

- [26] International Telecomm. Union, Geneva, Switzerland, ITU Recommendation Z100: Specification and Description Language (SDL), 1989.
- [27] ISO, Information Processing Systems—OSI, Geneva, Switzerland, ISO/IEC International Standard 8571-1: File Transfer, Access and Management—Part 1: General introduction, 1988.
- [28] ISO, Information Processing Systems—OSI, ISO International Standard 9074: Estelle—a Formal Description Technique Based on an Extended State Transition Model, 1989.
- [29] ISO, Information Technology—OSI, Geneva, Switzerland, ISO/IEC International Standard 13712-3: Remote Operations: OSI realizations—Remote Operations Service Element (ROSE) protocol specification, 1995.
- [30] ISO, Information Technology—OSI, Geneva, Switzerland, ISO/IEC International Standard 8327-1: Connection-oriented Session Protocol—protocol specification, 1996.
- [31] ISO, Information Technology—OSI, Geneva, Switzerland, ISO/IEC International Standard 10026-3: Distributed Transaction Processing—Part 3: Protocol specification, 1998.
- [32] ISO/IEC, International Standard ISO/IEC 8802-2, ANSI/IEEE Std. 802.2, 2nd edition 1994.
- [33] ITU, Recommendation Q.2110: Service Specific Connection-Oriented Protocol (SSCOP).
- [34] A. Jirachiefpattana, R. Lai, Uncovering ISO ROSE protocol errors using Estelle, Comput. Stand. Interf. 17 (5/6) (1995) 559–583.
- [35] S. Kang, Y. Seo, D. Kang, M. Hong, J. Yang, I. Koh, J. Shin, S. Yoo, M. Kim, Development and application of ATM protocol conformance test system, in: Proc. IFIP International Workshop Test. of Communicat. Syst. (IWTCS), Budapest, Hungary, September 1999.
- [36] T. Kato, T. Ogishi, A. Idoue, K. Suzuki, Intelligent protocol analyzer with TCP behavior emulation for interoperability testing of TCP/IP protocols, in: Proc. IFIP Joint International Conf. FORTE/PSTV, pp. 449–464, Osaka, Japan, November 1997.
- [38] Z. Kohavi, Switching and Finite Automata Theory, McGraw-Hill, New York, 1978.
- [39] D. Lee, K.K. Sabnani, D.M. Kristol, S. Paul, Conformance testing of protocols specified as communicating FSMs—a guided random walk approach, IEEE Trans. Commun. 44 (5) (1996) 632–640.
- [40] D. Lee, M. Yannakakis, Online minimization of transition systems, in: Proc. 24th Annual ACM, Victoria, Canada, 1992.
- [41] D. Lee, M. Yannakakis, Principles and methods of testing finite state machines—a survey, Proc. IEEE 84 (8) (1996) 1090–1123.
- [42] D.Y. Lee, J.Y. Lee, Test generation for the specification written in Estelle, in: Proc. IFIP Protocol Specif., Test. Verif. (PSTV), Stockholm, Sweden, June 1991.
- [43] D.Y. Lee, J.Y. Lee, A well-defined Estelle specification for the automatic test generation, IEEE Trans. Comput. 40 (4) (1991) 0.
- [44] J.K. Lenstra, A.H.G. Rinnooy, K. an, On general routing problems, Networks 6 (1976) 273–280.
- [45] H. Li, P. Amer, S. Chamberlain, Estelle specification of MIL-STD 188-220A: interoperability standard for digital message transfer device subsystems, in: Proc. IEEE Milit. Commun. Conf. (MILCOM), San Diego, CA, November 1995.
- [46] R.E. Miller, S. Paul, On the generation of minimal-length conformance tests for communication protocols, IEEE/ACM Trans. Networking 2 (1) (1993) 116–129.
- [47] R. Milner, Communication and Concurrency, Prentice-Hall, Englewood Cliffs, NJ, 1989.
- [48] P. Mondain-Monval, ISO Session Service specification in Estelle, Technical Report SEDOS Rep. 70, ESPRIT Project, November 1986.
- [49] C. Negulescu, E. Borcoci, SSCOP protocol throughput evaluation simulation based on Estelle specification, in: S. Budkowski, S. Fischer, R. Gotzein (Eds.), Proc. Int. Workshop FDT Estelle, Evry, France, Institut National des Telecommunications (INT), France, 1998, pp. 75–98.
- [50] Object Management Group, Framingham, MA. OMG Standard: Unified Modeling Language (UML) 1.1, 1997.

- [52] D.H. Pitt, D. Freestone, The derivation of conformance tests from LOTOS specifications, IEEE Trans. Software Engng 16 (12) (1990) 1337–1343.
- [53] J. Romijn, J. Springintveld, Exploiting symmetry in protocol testing, in: S. Budkowski, A. Cavalli, E. Najm (Eds.), Proc. IFIP Joint Int. Conf. FORTE/PSTV, Paris, France, Kluwer, Boston, MA, 1998, pp. 337–351.
- [54] K.K. Sabnani, A.T. Dahbura, A protocol test generation procedure, Comput. Networks ISDN Systems 15 (1988) 285–297.
- [55] B. Sarikaya, G. von Bochmann, E. Cerny, A test design methodology for protocol testing, IEEE Trans. Software Engng 13 (5) (1987) 518– 531.
- [56] J. Templemore-Finlayson, J.I. Raffy, P. Kritzinger, S. Budkowski, A graphical representation and prototype editor for the formal description technique Estelle, in: S. Budkowski, A. Cavalli, E. Najm (Eds.), Proc. IFIP Joint Int. Conf. FORTE/PSTV, Paris, France, Kluwer, Boston, MA, 1998, pp. 37–55.
- [57] R. Tenney, A tutorial introduction to Estelle. Technical Report 88-1, University of Massachusetts, Boston, June 1988.
- [58] J. Thees, Protocol implementation with Estelle—from prototypes to efficient implementations, in: S. Budkowski, S. Fischer, R. Gotzhein (Eds.), Proc. Int. Workshop FDT Estelle, Evry, France, Institut National des Telecommunications (INT), France, 1998, pp. 187–193.
- [59] J. Tretmans, Conformance testing with labelled transitions systems: Implementation relations and test generation, Comput. Networks ISDN Systems 29 (1) (1996) 49–79.
- [60] K. Turner, Formal Description Techniques, North-Holland, Amsterdam, 1989.
- [61] H. Ural, B. Yang, A test sequence selection method for protocols specified in Estelle, Technical Report TR-88-18, University of Ottawa, June 1988.
- [62] H. Ural, B. Yang, A test sequence selection method for protocol testing, IEEE Trans. Commun. 39 (4) (1991) 514–523.
- [63] M.U. Uyar, A.T. Dahbura, Optimal test sequence generation for protocols: the Chinese postman algorithm applied to Q.931, in: Proc. IEEE GLOBECOM, December 1986, pp. 68–72.
- [64] M.U. Uyar, A.Y. Duale, Modeling VHDL specifications as consistent EFSMs, in: Proc. IEEE Milit. Commun. Conf. (MILCOM), Monterey, CA, November 1997.
- [65] M.U. Uyar, A.Y. Duale, Removal of inconsistencies in VHDL specifications, in: Proc. US Army Research Lab./ATIRP Conf., College Park, MD, February 1998.
- [66] M.U. Uyar, M.A. Fecko, A.S. Sethi, P.D. Amer, Minimum-cost solutions for testing protocols with timers, in: Proc. IEEE International Performance, Comput., & Commun. Conf. (IPCCC), pp. 346–354, Phoenix, AZ, February 1998.
- [67] M.U. Uyar, M.A. Fecko, A.S. Sethi, P.D. Amer, Testing protocols modeled as FSMs with timing parameters, Comput. Networks 31 (18) (1999) 1967–1988.
- [68] M.U. Uyar, M.H. Sherif, Protocol modeling for conformance testing: case study for the ISDN LAPD protocol, AT&T Technical J. 69 (1) (1990) 17–31.
- [69] E. Vázquez, P. Sandoval, M. Sedano, J. Vinyes, Automatic implementation of TP4/IP with an Estelle workstation—development methodology and performance evaluation, Proc. IFIP Protocol Specif., Test., & Verif. (PSTV)North-Holland, Amsterdam, 1992, pp. 125–139.
- [70] G. von Bochmann, A. Das, R. Dssouli, M. Dubuc, A. Ghedamsi, G. Luo, Fault Models in Testing, Proc. IFIP International Workshop Protocol Test Systems (IWPTS), Amsterdam, North-Holland, 1992, pp. 17–30.
- [71] C.J. Wang, M.T. Liu, Axiomatic test sequence generation for extended finite state machines, in: Proc. 12th Conf. on Distrib. Comput. Syst., 1992, pp. 252–259.
- [72] C.J. Wang, M.T. Liu, Generating test cases for EFSM with given fault models, in: Proc. IEEE INFOCOM, 1993, pp. 774–781.
- [73] C. West, Protocol Validation by Random State Exploration, Proc.

IFIP Protocol Specif., Test., & Verif. (PSTV), North-Holland, Amsterdam, 1986.

- [74] J. Wytrębowicz, P. Roliński, Analysis tools for Estelle specifications, in: S. Budkowski, S. Fischer, R. Gotzhein (Eds.), Proc. Int. Workshop FDT Estelle, Evry, France, Institut National des Telecommunications (INT), France, 1998, pp. 141–155.
- [75] XTP Forum, Santa Barbara, CA, Xpress Transport Protocol Specification, Rev. 4.0, 1995.
- [76] S. Yoo, L. Collica, M. Kim, Conformance testing of ATM Adaptation Layer protocol, in: B. Baumgarten, H.-J. Burkhardt, A. Giessler (Eds.), Proc. IFIP Int. Workshop Test. of Commun. Syst. (IWTCS), Darmstadt, Germany, Kluwer, Boston, MA, 1996, pp. 237–252.



Mariusz A. Fecko received an M.S.Eng. in electronics in 1993 and an M.S.Eng. in computer science in 1994, both from the Stanislaw Staszic University, Cracow, Poland. He earned an M.S. in 1996 and a Ph.D. in 1999 in computer and information sciences from the University of Delaware, USA. Dr Fecko's interests focus on design, formal specification, and conformance testing of communications protocols as well as IP network technologies and protocols. He

worked as a Research Assistant at the Applied Science and Eng. Labs, Wilmington, Delaware, from 1995 to 1996, and at the Protocol Engineering Laboratory of the University of Delaware, from 1996 to 1999. He designed a formal Estelle specification of the Network Layer of MIL-STD 188-220, the US Army protocol for combat network radios. He jointly developed methodologies and software for conformance test generation, which have been used in US Army CECOM's 188-220 conformance tester. Currently, Dr Fecko holds a post-doctoral position with the Computer and Information Sciences Dept. of the University of Delaware.



Dr M. Umit Uyar has a B.S. degree from Istanbul Teknik Universitesi, and M.S. and Ph.D. degrees from Cornell University, Ithaca, New York, all in electrical engineering. Dr Uyar is currently an Associate Professor with the Electrical Engineering Department of the City College of the City University of New York. He was a Distinguished Member of Technical Staff at AT&T Bell Labs until 1993. Dr Uyar's research interests include the formal methods to specify and test commu-

nication protocols and computer systems. Currently, the methodologies and tools that he jointly developed are being applied to test the Estelle specifications of the protocols used in the US Army CECOM and to the VHDL specifications used in the ARL Federated Laboratories of the US Army, Advanced Telecommunications and Information Distribution. In Bell Labs, he received a Vice Presidential Quality Award in 1987 for the software tools that he jointly developed, a Best Paper Award in AT&T Electronic Testing Conference for his co-authored paper in VLSI testing in 1988, and three AT&T Bell Labs Vice Presidential Research Appreciation Awards (1987-1991). He was granted the title of "Docent" by The National University Council of Turkey in 1992. He holds two US patents in the areas of synchronization and testing. He co-chaired the 12th Int. Symp. on Protocol Specification, Testing and Verification in 1992, and 6th Int. Conf. on Formal Description Techniques in 1993. Dr Uyar is a senior member of the IEEE.



Paul D. Amer received the BS degree summa cum laude in Mathematics from SUNY at Albany in 1974, and the MS and PhD degrees in Computer and Information Science in 1976 and 1979, respectively, from The Ohio State University. Since 1979, he has been at the University of Delaware where currently he is professor of computer science. From 1978 to 1987, he was concurrently employed part-time as a Research Computer Scientist for the National Bureau of Standards in Washington,

DC. In 1985, he spent a sabbatical year in Paris at the Ecole Nationale Superieure des Telecommunications, and the Agence de l'Informatique contributing to the development of the formal description technique Estelle as part of the ESPRIT Project SEDOS. In 1992, he spent his second sabbatical year in Toulouse at the Laboratoire d'Automatique et d'Analyse des Systemes (LAAS du CNRS) investigating a partial order transport protocol to support multimedia applications (see RFC1693). In 1996, he spent one year as a University Research Fellow within the Center for Advanced Studies at the University of Delaware. Currently, Professor Amer is back in Toulouse for one year half-time at LAAS and half-time at the Ecole Nationale Superieure d'Ingenieurs de Constructions Aeronautiques (ENSICA). He is investigating data compression in multimedia, transport layer services and protocols, and the formal specification, verification, and testing of protocols using Estelle.



Adarshpal S. Sethi is an Associate Professor in the Department of Computer & Information Sciences at the University of Delaware, Newark, Delaware, USA. He has an MS in Electrical Engineering and a PhD in Computer Science, both from the Indian Institute of Technology, Kanpur, India. He has served on the faculty at IIT Kanpur, was a visiting faculty at Washington State University, Pullman, WA, and Visiting Scientist at IBM Research Laboratories, Zurich, Switzerland,

and at the US Army Research Laboratory, Aberdeen, MD. He is a Senior Technical Editor for the Journal of Network and Systems Management, an Associate Editor for the Electronic Commerce Research Journal, and a co-Guest Editor for the ACM/Baltzer journal MONET. He was co-Chair of the Program Committee for ISINM '95, and was General and Program Chair for DSOM '98; he has also been on the program committees of numerous conferences. His research interests include architectures and protocols for network management, quality-of-service and resource management, and management of wireless networks.



Mr Dzik recieved a BSEE, Penn State (1976), MSEE, Rutgers (1981), and PhDEE studies at Lehigh (1988). In 1976, he began working for the US Army Communications–Electronics Command's R&D Center at Ft Monmouth, NJ, where he performed software engineering for Command, Control, Communications & Computer systems. In 1983, he was research coordinator/principal investigator directing the Wide-Area Communications R&D program. Principal systems engineer on the

Mobile Subscriber Equipment system from 1987 until fielding. From 1989–1998, he managed the Army Interoperability Network for system-of-systems interoperability and integration. He chaired the Joint Combat Network Radio Working Group developing the MIL-STD-188-220 protocol for Battlefield Digitization. Currently, he is the CECOM Y2K Project Manager, ensuring Y2K readiness of all CECOM systems, worldwide. Mr Dzik has authored numerous publications, is a senior member of the Institute for Electrical & Electronics Engineers (IEEE), the Armed Forces Communications–Electronics Association (AFCEA), the Association of the US Army (AUSA), the American Society for Quality (ASQ) and the American Management Association (AMA), and is a certified member of the Army Acquisition Corps.



Mr Menell received a BS (1977), MSCS (1985), and MSSE (1995) from Monmouth University. In 1981 he began working for the US Army Communication–Electronics Command's Electronics Technology and Device Laboratory at Fort Monmouth, NJ, where as a computer engineer, he developed programs for computer aided design systems. In 1984, he worked for US Army CECOM Software Engineering Center in the development of software engineering technology for

insertion into Command, Control, Communications and Computer systems. For the past five years, Mr Menell has served as the lead engineer for the development of the 188-220 Protocol Test Tool. Mr Menell has authored numerous publications and is a certified member of the Army Acquisition Corps.