This paper describes the formalization and validation of the Radio Link Protocol (RLP1) and the effect of the validation on its standardization. RLP1, which was recently standardized by the Telecommunications Industry Association (TIA) working group, TR45.3.2 (TDMA Cellular Systems Data Services Working Group), appears to be the first protocol that was standardized using a formal language, namely SDL, and validated before publication. The validation strategy used for RLP1 is discussed, along with some observations on the requirements of industrial strength validation tools to aid the standardization process. This paper also discusses the use of SDL as a language for specifying standards, noting some of its advantages, disadvantages, and shortcomings. It then argues that a suite of accepted formal notations is necessary to formalize the many different parts of a protocol standard. Keywords: protocol validation, specification, formal methods, SDL, Promela/SPIN, radio link protocol, stan...

This paper presents a series of TLA specification/implementations that lead to an implementation of the retransmission policy of RLP1, the Radio Link Protocol proposed for TDMAbased digital cellular radio. Both safety and liveness properties are proved for SWPInitial, a very abstract, but formal, specification of a sliding window protocol. The rest of the work consists of a series of refinements which finally result in a model of RLP1. Each refinement step is formally proved. In all cases the most difficult part of the proof is for liveness. We prove, formally and rigorously, and parametrised by the window size N, that the model of RLP1 obtained from the last refinement step is an implementation of the initial specification SWPInitial, and thus inherits safety and liveness properties proved for all the higher-level specifications. The specifications are written in TLA, a formal language based on TLA, and proofs are given in Lamport's hierarchical proof-style. Most proof steps are checked mechanically in Eves.