We introduce a comparative case study on the application of formal methods and techniques to the Tree Identify Protocol of the IEEE standard 1394 serial multimedia bus. The Tree Identify Protocol makes an ideal subject for this purpose because it is small yet complex, and may be modelled in a variety of ways. We provide an informal explanation of the protocol, describe how the case study was conducted, and give an overview of the results.
Background
Networks of multimedia devices and equipment are increasingly common in homes and offices. Sophisticated systems have been developed for connecting the components of such networks, such as the Universal Serial Bus (USB) and the IEEE 1394 High Performance Serial Bus ('FireWire', 'Lynx', 'i.Link'). A key feature of these interconnection systems is that they allow dynamic reconfiguration of the network without requiring devices on the network to be switched off, a feature known as 'Plug-and-Play', 'hot-plugging', etc. To support such versatility, these systems have a complex architecture and behaviour, involving multiple layers of structure and multiple phases of activity, each of which may incorporate a variety of protocols and algorithms.
A full understanding of such a system is difficult to achieve. Many factors need to be taken into account, from the abstract, high-level structure, to low-level details such as timing characteristics. Complex behaviours must be analysed, both within each phase of the system's functioning and at the inter-phase boundaries, where subtle, unexpected behaviours may emerge. Yet there are high requirements for reliability, accuracy and performance placed upon such systems, and widespread commercial interest in their correctness, so it is essential that they are well understood.
Formal methods can be of great value in helping to understand such a system. By appropriate choice of formal method, and of an appropriate formal model within the possibilities afforded by that method, it is possible to study the system at different levels of abstraction, or to zoom in on particular aspects of its behaviour. The papers in this special issue of Formal Aspects of Computing give an idea of the wide range of choices for modelling and analysis that are provided by formal methods at the present state of the art. The majority of the works presented deal with the formalisation of the same problem, namely the protocol used in the Tree Identify Phase in the physical layer of the IEEE 1394 serial multimedia bus. This collection therefore constitutes a comparative case study in the use of formal methods, and adds to the growing body of work of this kind (e.g., [ABL96, BoG00, BMS96, FrH01, LeL95]) which serve an important purpose in broadening awareness of the scope and possibilities of formal methods.
The Workshop
The papers in this collection were submitted following a workshop held in Berlin in March 2001, as a satellite of the Formal Methods Europe conference. The IEEE 1394 bus was chosen as the subject of this study for several reasons. Firstly, it is an international standard; therefore there is a clear and widely available statement of its definition [IEE95] . Secondly, there have already been several efforts at applying formal methods to aspects of IEEE 1394 ([BLd00, BLT00, DAr99, DGR00, GrV98, Rom01, Svd98, ShV01, SiS01, StV99] ; also see surveys in [MaS00, Rom01, Sto03] ). These provide a departure point for new modelling attempts. Finally, there is a wide and varied range of technical issues to be considered in formalising IEEE 1394, so that it poses a challenge to the capabilities of formal methods.
The main focus of the workshop was the protocol prescribed for the Tree Identify Phase of IEEE 1394. For convenience, we shall refer to this protocol as the 'Tree Identify Protocol', though this name is not used in the standard. Before the workshop, would-be contributers were provided with excerpts from IEEE 1394 comprising the description of the Tree Identify Protocol. After the workshop, participants were encouraged to evaluate their contribution by comparison with those of other participants, and by reflecting upon the answers to a number of questions, given in Section 3.
IEEE 1394

Overview
The 1394 bus is designed to connect together a number of distributed components (multimedia systems and devices). To provide maximum usability, the bus must be scalable and cope easily with changing network configurations. Each node has a number of ports which may be connected to other nodes. To render the complexity of the system more accessible, the behaviour of the bus is described in layers in the style of OSI, with physical, link and transaction layers, and a vertical management layer, as illustrated in Fig. 1 . In this collection of papers we are concerned with behaviour of the physical layer (referred to in the standard [IEE95] 1 as PHY). The behaviour of each layer is in turn split into different phases, each associated with a different task. Figure 2 shows that the PHY layer comprises the four phases Bus Reset, Tree Identify, Self Identify and Normal Operation.
The Tree Identify Phase spans a tree in the network, and the node that is the root has the special task of being the cycle master (which we will not explain further). The idea behind the Tree Identify Phase is that since the network configuration is not fixed it makes no sense to expect a particular component to always be present and be the root. Therefore, any of the components may be the root, 2 and a new root is elected every time the network configuration changes. The Tree Identify Phase elects the new root.
The description of the whole bus was published as an IEEE standard in 1995 [IEE95] , and amended in the Supplement of 2000 [IEE00] . These documents use a combination of informal English text, state transition diagrams and C code to describe the behaviour of the bus. We present the protocol informally, but in detail, below. The authors of the other papers in this collection worked directly from the standard IEEE 1394 documentation, including the C code which describes the activity in each state more formally and concretely. Figures 4-23 Tree-ID state machine and Tables 4-45 Tree-ID actions and conditions are reprinted in the Appendix with permission from IEEE Std 1394-1995 'IEEE Standard for a High Performance Serial Bus' Copyright c 1996, by IEEE. The IEEE disclaims any responsibility or liability resulting from the placement and use in the described manner.
For analysis purposes, the liveness and safety properties required of the protocol are as follows:
1 In the following 'the standard' should be taken to mean [IEE95] . The changes described in the Supplement [IEE00] do not affect the basic description of the protocol (although some important time parameters are changed). 2 Actually, not all nodes may have the capabilities to be cycle master. If a node turns out to be root and not capable of being cycle master, other 1394 functionality tries to find a more suitable candidate, sets the FORCE ROOT flag at that node, clears the FORCE ROOT flags at all other nodes and forces a new bus reset. The implications for the Tree Identify Protocol of setting this flag are discussed in Section 2.2.3. 
Tree Identify Phase
On entering the Tree Identify Phase all nodes in the network have equal status. They have only information about themselves; in particular, they know which of their ports are connected to other nodes. This is illustrated in Fig. 3 ; there are connections, shown by solid lines, but no tree structure. Note that each link connects exactly two ports. Note also that nodes may actually enter the Tree Identify Phase at different times, caused mainly by the difference in times at which they signalled the preceding bus reset. We shall not go into the details here; see the contribution of Romijn, which deals specifically with this timing problem [Rom03] . All nodes behave in essentially the same way, modulo differences between manufacturers (which should still comply with the IEEE standard). This ensures that the election protocol is unbiased in the normal case. Special cases, including the use of a parameter (FORCE ROOT) to bias the choice, are described in Section 2. As we shall see, the authors have used a variety of approaches to modelling communication, necessarily abstracting from the actual physical implementation. We discuss the implications of these choices in Section 4.
The Tree Identify Phase
The basic operation of the Tree Identify Phase is shown in Fig. 4 , which is based on [IEE95] (Figs 4-23) reprinted here as Fig. 7 . In the simplest situation, a node will move through the three states T0: Tree-ID Start, T1: Child Handshake and T2: Parent Handshake, and pass on to the Self Identify Phase. Broadly, the decision to move from one state to the next is based on the number of neighbour nodes requesting to be a child, c, the total number of neighbours, n, and interactions with those neighbours.
The node enters T0: Tree-ID Start from the Bus Reset Phase. If n − c > 1 in T0 the node waits in T0 for RX PARENT NOTIFY, 'be my parent' requests, from its neighbours (potential children). As each request arrives, it is noted that that neighbour is now a child, and c is updated. When n − c 6 1 the node transitions to state T1: Child Handshake. Upon entering state T1: Child Handshake, the node starts transmitting TX CHILD NOTIFY, 'you are my child' acknowledgements, to all children. In the case that n − c = 1 (in state T1) then the node has one neighbour which did not transmit a 'be my parent' request. It asks to be a child of that neighbour by transmitting its own TX PARENT NOTIFY, 'be my parent' request, on that port.
Then, in state T1 the node waits for a handshake with each of its children. The handshake corresponds to receiving an RX CHILD HANDSHAKE, 'I know you are my parent' acknowledgement. This signal is produced by the combination of TX CHILD NOTIFY from the parent and IDLE from the child. Upon reception, the node transitions to state T2: Parent Handshake. The IDLE signal from the child means it has transitioned to state S0: Self-ID Start, which is not described here. So the children of a node must finish the whole Tree Identify Phase before the node itself can move beyond state T1.
In state T2: Parent Handshake the node waits only for a handshake with its parent. The handshake corresponds to receiving an RX PARENT HANDSHAKE, 'I am your parent' acknowledgement. This signal is produced by the combination of TX PARENT NOTIFY from the child and TX CHILD NOTIFY from the parent. Upon reception, the node transitions to state S0: Self ID start, and starts transmitting the IDLE signal to all its neighbours. It takes no further part in the election; it knows its children and its parent. One node will make this transition instantly, because it has n − c = 0, has no parent with whom to perform a handshake and is therefore the root node.
In the case where n − c = 1 in T0 (i.e. leaf nodes), n − c 6 1 is true immediately and the nodes transition from T0 without waiting for parent requests. The spanning tree over the network is therefore built from the leaves inwards.
Example
To illustrate the tree identify process, given the network in Fig. 3 and assuming D is transmitting IDLE initially, the following sequence of signals might be observed on the link between node D and E.
From To Signal
Meaning
and E have established parent-child relation
The signals and growing tree structure of the entire network are depicted in Fig. 5 . Here, labels inside nodes indicate the state of that node in the tree identify process. Dotted arrows are labelled with the signal that is sent in the direction of the arrow. The absence of an arrow indicates the IDLE signal. Solid arrows indicate that a parent-child relationship has been established, with the arrow pointing in the direction of the parent. Problems occur if the expected confirmation is not received in state T2; this leads to root contention. Root contention is rather complex, and is dealt with in the next section. 
Special Cases
Root Contention
Since signals experience a delay and may cross, requests are not atomic and root contention may arise (two nodes simultaneously transmit TX PARENT NOTIFY, 'be my parent' requests, to each other yielding RX ROOT CONTENTION). This can only occur on one connection in the network, between the last two nodes that transition from state T0 to T1, and the node that wins the contention will be the root of the tree.
Since only one node can be the root, the contention must be resolved; this is achieved through randomisation and timing. The standard specifies that each node chooses a random Boolean and waits for a long or short time, depending on the value of that Boolean. If, after the wait period is over, there is an RX PARENT NOTIFY signal from the other node ('be my parent') then this node becomes the root. If there is no such message then this node retransmits its own TX PARENT NOTIFY, 'be my parent' message, and root contention may result again. In state T3: Root Contention a random Boolean is drawn, and a timer is set to expire after a short time (ROOT CONTEND FAST, if the Boolean is 0), or a long time (ROOT CONTEND SLOW, if the Boolean is 1). The node then waits for the timeout. When this occurs, if the node receives IDLE on the link in contention it transitions to state T2, starts transmitting TX PARENT NOTIFY to the neighbour once again, and waits for a parent handshake, or root contention. If the node receives RX PARENT NOTIFY, it transitions to state T1, where it transmits the TX CHILD NOTIFY, 'you are my child' acknowledgement, and waits for a child handshake. When a node ends up in state T1 from T3, it is the winner of the contention and the root of the tree.
For example, given the network status in Fig. 3 At this point D will be in state T2. B is either still waiting in state T3, or has sent a parent request and is also in T2, but network delay means that D did not see the request before sending its own request again. In the first case the spanning tree shown in Fig. 5 (f) results, while in the second case contention results again. The protocol here is similar to one presented in Distributed Algorithms [Lyn96] , where a different method of contention resolution is used (the node with the highest identifier becomes the root). This approach will not work for IEEE 1394 because the nodes do not have usable identifiers during the Tree Identification Phase.
3
Such identifiers are not assigned until the Self Identify Phase. The protocols were developed independently.
Loop Detection
The protocol of the Tree Identify Phase automatically detects loop configurations. If there is a loop in the network, as in Fig. 6 , then for each node on the loop the transition from T0 to T1 does not get enabled because they will be waiting for two neighbours to communicate, so n − c > 1. Instead, a timeout generates an error message. The states resulting when the Tree Identify process gets stuck can be seen in Fig. 6 .
With reference to the state transition diagram of Fig. 4 , this works as follows. Upon entering state T0, a timer is started. When this timer reaches the value CONFIG TIMEOUT, a loop is detected, and an error message for other 1394 layers is generated. The FORCE ROOT flag Lastly, the Tree Identify Protocol can be biased by use of the FORCE ROOT parameter. This is a local Boolean parameter to the physical layer of each node, which can be set and cleared locally by the node itself, or remotely by any other node in the network. If the FORCE ROOT parameter is set this builds in extra delay to state T0, potentially stopping the node from taking the T0:T1 transition when n − c 6 1 is true, and waiting for a timeout, at which point n − c = 0 should hold. The intention is that if exactly one node in the network has FORCE ROOT set, that node becomes the root of the tree in the Tree Identify Phase. The 1394 management layer ensures that this is the case. However, because of the dynamic plug-and-play functionality, a network may (temporarily) have more than one node with FORCE ROOT set, in which case any node on a path between two biased nodes may become root in the Tree Identify Phase.
With reference to the state transition diagram of Fig. 4 , this works as follows. Upon entering state T0, a timer is started (the same timer as used for loop detection). The transition to state T1 is enabled if either n − c = 0, or if n − c = 1 and FORCE ROOT is not set, or if n − c = 1 and FORCE ROOT is set and the timer has reached the value FORCE ROOT TIMEOUT.
Timing Constraints of the Tree Identify Phase
The standard [IEE95] (Tables 4-32 ) and the amendment [IEE00] (Tables 8-14) define certain timing constants used in root contention. These are presented in Table 3 .
The standard also lays down certain physical limitations, which in turn affect timing values. Cable length is defined to have a maximum value of 4.5 m. Signal velocity is defined to be less than 5.05 ns/m. These two determine the maximum delay in transmitting a message from one node to its neighbour of 22.725 ns.
1394-1995 versus 1394a-2000
The amendment [IEE00] to the IEEE 1394 standard [IEE95] contains some adjustments to the 1394 functionality. Any device being sold as IEEE 1394 compliant may now be compliant with either [IEE95] or as amended by [IEE00] , and hence with all the adjustments of that amendment. For the Tree Identify Phase the adjustments in the amendment concern only the timing constraints. This means that a 1394 network may consist of nodes, some of which have the 1394 timing constraints, with the others having 1394a [IEE00] timing constraints.
In all contributions to this special issue, networks are assumed to have uniform timing, i.e. either 1394 or 1394a time constants, but not both. We defer a more detailed explanation of the use of the timing constraints in these contributions to Section 4.
Points to Address
Taking our lead from the helpful questions posted by Abrial et al. in the Steam Boiler case study [ABL96] , we asked authors to evaluate their contribution by considering the following questions:
• Which parts of the system are specified, at which level, and in which way (informally, rigorously, formally)? Do you consider your chosen approach to be particularly expressive or particularly awkward for this sort of problem? • Which parts of the system are analysed, and in what way (manual, informal, partially or fully automated)?
• Have assumptions about the architecture or the behaviour of the system been made explicit and are they documented?
• Is the solution easy to change? Following a change, can analyses be reused, or are all proofs invalidated?
• How long did it take: -How much time has been spent on producing the solution? Give the number of person months, if possible, for the various parts of the solution. -How much preparation is needed to become sufficiently expert in the used specification framework in order to be able to produce a solution to such a problem in that framework? Indicate the number of weeks of training which is believed necessary for an average engineer to learn the methods. The answers to these questions are given by the authors in their respective papers. Below, we attempt to answer the last question in more depth, i.e. how do the solutions compare to each other?
Results
The papers submitted after the workshop were refereed by at least one other workshop participant, and at least one external reviewer supplied by the Formal Aspects of Computing editorial team. This modified corefereeing approach allowed the reviewing process to benefit both from the domain expertise of the workshop participants, and the independence of the external reviewers.
Eight contributions were accepted for publication. Seven of these are formalisations of the Tree Identify Protocol. Section 4.1 contains a brief overview of these. The eighth paper, by Stoelinga [Sto03] , is a survey of formalisations of the strategy for resolving root contention that is used in the Tree Identify Protocol, and is regarded as an interesting companion to the other papers in this collection.
The Formalisations of the Tree Identify Protocol
For each contribution, we give the following information: the formalism that is used; the techniques and tools used to support that formalism; the aspects of the Tree Identify Protocol that are formalised; the properties that were verified. The discussion in this selection is very brief; the reader is encouraged to consult the papers directly for full explanations.
• Abrial et al. [ACM03] use the B Method formalism, which is applied using an event driven approach. The technique used is proof-based development, which is supported by the tool Atelier B. The Tree Identify Protocol is modelled as a series of refinements, starting from an abstract description of the underlying graph. The models do not cover real-time behaviour, performance or probabilistic issues, and the treatment of root contention is left at an abstract level. The correctness of the protocol is demonstrated by proving basic graph properties as well as proof obligations arising from refinement.
• Verdejo et al. [VPM03] use the formalism of rewriting logic. The techniques used are formal specification, execution of the specification, formal model-checking analysis and formal proof. The proof was carried out manually, while the other techniques were supported by the tool Maude. The model consists of three descriptions, at different levels of abstraction, and covers both synchronous and asynchronous communication, and timing aspects of the protocol. The properties that were verified include safety, liveness and total correctness. • Calder and Miller [CaM03] use the modelling language Promela and the model-checking tool SPIN. A Perl script is used to automatically generate all network configurations within certain bounds, and modelchecking is used to verify a number of safety and liveness properties, expressed in Linear Temporal Logic Which part of the protocol? Tree spanning
(LTL), for each of these configurations. There is a discussion of how these results can be extrapolated to any size of network with a particular shape.
• Schuppan and Biere [ScB03] also apply a model-checking approach, this time using various implementations of the tool SMV. The protocol is modelled using state machines and the properties to be verified are stated using LTL and computation tree logic (CTL). Various models are checked, including some representing a specific network configuration, and some which leave the network topology unspecified. Timing constraints are modelled using counters, and the FORCE ROOT flag is also represented. Bounded model-checking is used to verify a number of safety and liveness properties for the given configuration.
• Fidge and Shankland [FiS03] use the probabilistic Guarded Command Language to model the root contention aspect of the Tree Identify Protocol in a highly abstract fashion. Formal proof (conducted manually) is used to derive probabilistic and timing results about the root contention protocol. Note that time is not part of the model, but that timing results are derived from those on probability.
• Kwiatkowska et al. [KNS03] also deal with probability, using the formalism of probabilistic timed automata and the technique of probabilistic model checking. Like the previous paper, they focus on the behaviour of the root contention protocol. The aim of their analysis is to calculate the probability of successful contention resolution within a particular deadline. Their analyses are carried out with the help of the tools PRISM and HYTECH, and their paper includes a comparison of the performance of these tools.
• Romijn [Rom03] uses the formalism of timed automata and the technique of model-checking, as supported by the tool UPPAAL. Her model concerns both the Bus Reset and the Tree Identify Phase of IEEE 1394 and is focused on a specific, problematic network configuration. She demonstrates the presence of a bug in the Tree Identify Protocol: in certain situations, the protocol will falsely conclude that there is a loop present in the network, and will generate an error message accordingly.
Comparison of the Contributions
To aid the reader in comparing the above approaches, we summarise in Table 4 how (and if) particular issues are dealt with by each contributor. An '•' entry means that a feature is explicitly addressed or used in the paper. A blank means not relevant or not addressed. Some entries have an '•'; these are explained below.
Which Part of the Protocol?
Most of the contributions to this special issue choose to address the tree spanning algorithm as described in the Tree Identify Phase. Some [KNS03, FiS03] focus more tightly on analysis of the sub-protocol of root contention resolution, using probability and/or time in the modelling. Other authors [VPM03, ScB03] model root contention explicitly but do not particularly analyse this aspect, while others [ACM03, CaM03] simply model contention resolution by non-determinism or a single coin toss (this is represented in the table by a '•' since contention resolution is modelled rather abstractly).
The model can be made more realistic by incorporating details such as probabilistic choice or timing; the point then is to carry out an analysis using that extra detail, as is done for probabilities in [FiS03] and [KNS03] . The contributions dealing with timing do so in different ways.
In the table, [FiS03] has a '•' for time, since time is not included in their model, but the final analysis makes some comments about time. In [ScB03, VPM03] , counters over the domain of the natural numbers are used. In [ScB03] , one counter per node is incremented from zero to the timeout value in one-tick steps, where one tick is exactly the delay of a message. The model is synchronous, in that each node in the network must perform exactly one transition (possibly without effect) per time tick. The timeout values used in [ScB03] are not related to the values of the standard. In [VPM03] , there is one counter for each message being transmitted, and per node one counter for the FORCE ROOT flag (if set) and one for loop detection. All counters are decremented from the timeout value to zero in delay steps which are as large as possible, but minimally 1 ns. The delays steps are performed only when no other step is possible. The timeout values for the FORCE ROOT flag and for loop detection are within the 1394 value ranges. The timeout values for communication delay are constrained only in the analysis, and not by the 1394 physical limits. In [KNS03] and [Rom03] , clocks over the domain of the real numbers are used, corresponding directly to the timers in the 1394 state machines. Both contributions assume one rate for all clocks. In [KNS03] , the timeout values are from 1394a. The communication delay varies: in some experiments this is the value as constrained by the 1394 physical limits (rounded up somewhat), and in some it is the larger, maximal value for which root contention was earlier shown to be correct (see also the survey contribution [Sto03] ). In [Rom03] , the timeout values are from 1394a. The communication delays are not modelled, but it is argued that these are not significant for the error that is shown.
The overall behaviour of the protocol is affected by the FORCE ROOT parameter. This is ignored by many authors. Although FORCE ROOT affects timing in the protocol overall, and is intended to influence the choice of root, it does not, for example, affect the time to resolve root contention, and it should not affect the fact that a root is chosen. However, see [Rom03] for a particular situation in which it has an effect on loop detection.
Loop detection as implemented in the standard is explicitly modelled by some [VPM03, ScB03, Rom03] and plays an important part in the analysis. [CaM03] uses a more abstract means of modelling loop detection: in the analysis a stronger condition is checked by detecting infinite paths (in which the node does not make the desired transition, T0 to T1 in this case). This approach is represented in the table by a '•'. Others, such as [ACM03] and [FiS03] , describe the system at a more abstract level, and assume the network is acyclic.
Method of Analysis
Although modelling the system can on its own be very useful, the advantage of using a formal method is that the modelling language is supported by analysis and reasoning techniques, and often tools to automate reasoning. A variety of analysis techniques were used. While [FiS03] made a manual proof, all other authors used tools to support their reasoning. In some cases, manual proof supported the abstractions made in the model checking (as in [KNS03] ), or extended the results given by the model-checking (as in [CaM03] ). [ACM03] are unique in using a refinement approach to the problem. This is supported through formal computer-assisted proof.
Most approaches use some form of model-checking. An important question for those using model-checking relates to the range of models checked; is a single, fixed topology checked, or is the analysis somehow more abstract? The analysis done by [Rom03] is focused on a specific, problematic network configuration, and the question of generalising the results is not tackled. By contrast, although the basic method of model-checking used by [VPM03, ScB03, CaM03] uses a fixed topology, they all also generalise their results in some way. [CaM03] , for example, uses Perl scripts to automatically generate configurations up to a fixed size and run the model checker automatically. In addition, manual proof is used to generalise the result to all networks of a particular form (of any size). [VPM03] uses model-checking as a prototype stage, building confidence in the description before a full (manual) formal analysis is carried out. Similarly, [ScB03] go on to further model-checking using a symbolic model checker to check networks of unspecified topology. They also use a C preprocessor to help them set up particular topologies for checking. [KNS03] also use a symbolic model checker, since using probabilities adds to the complexity of the model-checking problem.
Other Modelling Issues
Finally, we note that several authors make modelling decisions which diverge to some degree from the IEEE description of the protocol. For example, [VPM03] model messages as discrete, and assume that the network is secure -no messages are lost or corrupted. This is a useful abstraction used by many authors, and makes the protocol simpler; however, in some models, the effect of assuming no loss is that there is no 'child acknowledgement' phase, and the parent node spends less (or even zero) time in T1. In contrast, [ScB03, Rom03] model line states, rather than discrete messages.
Another simplification is the decision of [CaM03] to model contention resolution in one step. In a model checker it is important to reduce state space as much as possible. In this case, adding more attempts to resolve contention would not have affected the validity of the properties checked, but would have seriously affected the performance of the model checker. Moreover, if an artificial limit is to be imposed on a value, then it makes sense to choose as small a value as possible.
A different modification of the root contention procedure can be seen in [VPM03] , where contention resolution is modelled in an eager way. That is, rather than waiting the specified time and then checking for a message, the node constantly monitors for a message while waiting. [VPM03] allows the wait to be aborted early, meaning that a contention round may take less than the time specified in the standard. This does not affect the final result, i.e. the same node will become root; however, the time taken to resolve contention is likely to be lower than in the standard.
In fact, the crux of successful formal modelling is choosing a sensible abstraction. The aim is to remove detail which unnecessarily complicates the model or reasoning about that model, but without throwing away crucial information. Some of the models presented are relatively high level: they view the network as a whole, and simply model the changes from one network state to another. [FiS03] , for example, does not make the topology of the network explicit, therefore modelling all state changes over all possible network topologies. The approach taken by [ACM03] is similarly general, though in their final refinement the global view of the network is augmented with local views from the point of view of each node.
One of the benefits of a comparative case study like this one is that it helps to draw out the differences and similarities in approach of various formal methods (and their proponents).
Conclusions
In an ideal world we would like to see more widespread use of formal methods in developing standards such as the IEEE 1394; however, the people who develop such standards often have no training in formal methods and are perhaps not yet appreciative of the benefits of using them. As part of a drive to promote the use of formal methods, comparative studies such as this have an important role to play. For formal methods practitioners this study is offered as a benchmark, allowing them to apply their particular language, method and tools to a well-understood but tricky problem. For industrialists, we hope that this issue of Formal Aspects of Computing will be educational, allowing them to use their understanding of the basic problem to gain understanding of the formal approaches being applied.
The contributions contained herein span a range of different techniques and styles of abstraction. Many techniques used previously in the literature have been event-based models; while there are some more of those here, there are also state-based models and property-based models. More than anything, the papers which follow demonstrate that there is no ideal formalisation which meets all needs (even for this relatively small example). Each approach described here has something new to offer, some aspect in which it is particularly useful. For example, the benefits of refinement are shown in the contribution of [ACM03] , allowing the model to be developed highly abstractly at first. The model of [FiS03] is also rather abstract, but this allows concentration on the probabilistic aspects of the protocol while ignoring other concerns. In contrast, the analyses of [KNS03, Rom03] are much more detailed, bringing out particular timing and probabilistic details. The model-checking approaches of [CaM03, ScB03, VPM03] allow the model to be executed in some sense, which may be a more appealing technique for industrialists more used to programming.
Formal approaches are most effective when applied in tandem with the system development process, so that bugs can be detected early. In this case, the IEEE 1394 and 1394a standards were developed without the benefits of formal methods; therefore all formal analysis is post hoc, with the disadvantage that there is no possibility to change the standard when errors are discovered. Since the standards have been fixed for some time, and explored by others fairly extensively, we did not expect any bugs to turn up. We were therefore surprised that a significant yet rare error situation was detected by [Rom03] . Other authors have identified areas where the standard is ambiguous, or where there is a seeming inconsistency between different areas of the standard. We are grateful to one of the anonymous referees for alerting us to an ambiguity of this kind. We hope that the experience of work on formalising and analysing the Tree Identify Protocol will be useful in future efforts to incorporate the use of formal methods in the development of such standards. 
A. Excerpts from the IEEE Standard
The main description of the tree identify protocol is in Section 4.4.2.2 of the IEEE standard [IEE95] . The major transitions of the protocol are described using state machine diagrams, and the actions of the states themselves are described by C code and informal text. Other information about the protocol, such as the physical realisation of messages as voltages, and timing information, can be found elsewhere in Section 4 (Cable PHY Specification). There is an informative example of operation of the protocol in Annex E of the standard [IEE95] .
For reference purposes we reproduce here (as Note that there appears to be a right brace missing from tree ID start actions and child handshake actions. These omissions are consistent with the standard, but their position can be inferred from the indentation of the code.
