Deploy LOTOS to Europe — ISO 8807 Process Algebra (INRIA Sophia-Antipolis 🇫🇷 1985), the Formal Specification Language That Standardised OSI Protocols on EU Infrastructure in 2026
In the 1980s and 1990s, the telecommunications industry faced a coordination problem of remarkable scale. Dozens of manufacturers across Europe, North America, and Japan were building telephone exchanges, network switches, and protocol stacks that all needed to interoperate. The CHILL language (CCITT/ITU, Geneva, 1980) gave them a common implementation language. But implementation is downstream of specification: before you can implement a protocol, you must specify it precisely enough that two independent implementations interoperate correctly. For that problem — the formal specification of distributed communication protocols — the answer that emerged from European computer science research was LOTOS.
LOTOS stands for Language of Temporal Ordering Specifications. It is a formal specification language based on process algebra — a branch of mathematics that describes concurrent systems as collections of processes that communicate by exchanging events. LOTOS was developed in the mid-1980s, principally at INRIA Sophia-Antipolis 🇫🇷 and the University of Twente 🇳🇱, standardised by ISO as ISO 8807 in 1989, and used throughout the 1990s and 2000s to formally specify OSI (Open Systems Interconnection) communication protocols used by every major European telecommunications company.
The Coordination Problem: Specifying the OSI Stack
The OSI reference model — the seven-layer architecture for network communication published by ISO in 1984 — was itself a product of European-driven international standardisation. But a reference model is only a framework; the actual protocols that implement each layer need detailed specifications precise enough to allow multiple independent implementations to interoperate. Imprecise natural-language specifications create ambiguity. Two implementers reading the same specification may make different choices about edge cases, producing implementations that fail to interoperate in practice. The ISO Open Systems Interconnection effort recognised this problem early and sought a formal specification language as part of the standardisation process.
Several candidates were considered. SDL (Specification and Description Language, ITU-T Z.100, 1976/1988) was already in use for behavioural specifications in the telecom industry and remained important — particularly at Ericsson and Nokia for CHILL-based system specification. But SDL was graphical and state-machine-based, which made it less suitable for compositional reasoning about protocol interactions. What was needed was a language grounded in the mathematics of concurrent process interaction — one where specifications could be analysed and composed by formal reasoning.
The answer drew on process algebra theory that had been developing in European universities since the late 1970s. Robin Milner at the University of Edinburgh (later Cambridge; Turing Award 1991) had published his Calculus of Communicating Systems (CCS) in 1980 — a mathematical theory of processes that communicate synchronously by matching events. Tony Hoare 🇬🇧 at Oxford University had published CSP (Communicating Sequential Processes) in 1978. Both provided rigorous mathematical foundations for reasoning about concurrency.
LOTOS drew primarily on CCS for its process algebra core, supplementing it with mechanisms for data specification. The result was a language that could express both the behaviour of a protocol (how its processes synchronise on events) and the data values those events carry.
Key Architects: INRIA Sophia-Antipolis and University of Twente
The development of LOTOS was a genuinely collaborative European research project, coordinated through the ISO/TC 97/SC 21 (Open Systems Interconnection) standardisation process.
Francis Boudol 🇫🇷 at INRIA Sophia-Antipolis (Institut National de Recherche en Informatique et en Automatique, Sophia-Antipolis Science Park near Nice, French Riviera) was a central contributor to the theoretical foundations of LOTOS. Boudol was one of the leading European researchers in process algebra and concurrency theory in the 1980s, working on the semantics of CCS and related formalisms. INRIA Sophia-Antipolis, founded in 1983 in the Sophia Antipolis technology park that France had established in 1969 as its own Silicon Valley, became a hub for the kind of programming language theory and formal methods research that LOTOS required.
Ed Brinksma 🇳🇱 at the University of Twente (Enschede, Overijssel, Netherlands) was the principal editor of the ISO LOTOS standard and the most prominent figure in the standardisation process. Brinksma's work on LOTOS covered both its theoretical foundations — particularly its denotational semantics — and its practical application to protocol specification. His 1988 doctoral thesis at Twente provided the formal semantic foundations that the ISO standard was built on. The University of Twente, founded in 1961 in the industrial east of the Netherlands, had strong traditions in computer science and formal methods that made it a natural home for this work.
Tommaso Bolognesi 🇮🇹 at the IEI-CNR (Istituto di Elaborazione dell'Informazione, Consiglio Nazionale delle Ricerche — the National Research Council of Italy, Pisa) was another major contributor. Bolognesi's work with Brinksma produced what became the standard introductory tutorial to LOTOS, published in Computer Networks and ISDN Systems in 1987 and widely cited. CNR Pisa, in the same city as the University of Pisa and the Scuola Normale Superiore, was part of a rich Italian research ecosystem.
Luigi Logrippo 🇮🇹🇨🇦 contributed from the University of Ottawa and later the Université du Québec en Outaouais, representing the transatlantic dimension of LOTOS development. He worked extensively on conformance testing from LOTOS specifications — how to verify that an implementation correctly realises its formal specification.
The ISO working group that produced the standard included representatives from major European industrial organisations: Alcatel 🇫🇷 (Paris), Philips 🇳🇱 (Eindhoven), Siemens 🇩🇪 (Munich), Bull 🇫🇷 (Paris), and British Telecom 🇬🇧 (London). These companies had direct operational interest in the outcome: they were building the systems that LOTOS would specify.
Language Design: Basic LOTOS and Full LOTOS
LOTOS as standardised by ISO 8807 in 1989 came in two variants.
Basic LOTOS contained only the process algebra part — no data types. In Basic LOTOS, processes synchronise on events (called gates in LOTOS terminology), with events carrying no data values. A protocol is specified as a collection of processes that synchronise on shared gates, enabling events to occur only when all participating processes are ready. This pure synchronisation model was sufficient for specifying the control flow of protocols, though not their data handling.
Full LOTOS added an Abstract Data Type (ADT) sublanguage based on algebraic specifications — specifically, the ACT ONE formalism developed by Hartmut Ehrig 🇩🇪 and colleagues at the Technical University of Berlin. ADTs allow data values to be specified algebraically: a type is defined by a set of operations and equations that those operations must satisfy, rather than by a concrete implementation. A queue type, for example, is specified by equations stating how enqueue and dequeue operations relate, without committing to any particular storage representation.
The combination of CCS-based process algebra (for behaviour) and ACT ONE ADTs (for data) gave Full LOTOS the expressive power to specify complete protocols, including both control flow and data values.
LOTOS operators. The process algebra of LOTOS is built from a small set of operators that compose processes:
```lotos
(* Action prefix: accept an event on gate g, then behave like P *)
g; P

(* Choice: either event on g1 followed by P, or event on g2 followed by Q *)
g1; P [] g2; Q

(* Parallel composition synchronising on shared gate g *)
P |[g]| Q

(* Parallel composition with no synchronisation (interleaving) *)
P ||| Q

(* Process that does nothing (deadlock) *)
stop

(* Process that terminates successfully *)
exit

(* Sequential composition: P then Q *)
P >> Q

(* Hiding: make gate g internal (unobservable) *)
hide g in P
```
A simple protocol specification — a handshake where a sender sends a message and waits for acknowledgement:
```lotos
process Sender [send, ack] : noexit :=
    send; ack; Sender [send, ack]
endproc

process Receiver [send, ack] : noexit :=
    send; ack; Receiver [send, ack]
endproc

process Protocol [send, ack] : noexit :=
    Sender [send, ack] |[send, ack]| Receiver [send, ack]
endproc
```
In this specification, `send` is a gate that both Sender and Receiver must synchronise on — the `send` event can only occur when both are ready. Similarly for `ack`. The `|[send, ack]|` operator enforces this synchronisation.
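To make the synchronisation rule concrete, the following added example (not from the original page and not CADP code) expands `P |[G]| Q` into its reachable labelled transition system and reports deadlocked states. The state names and the `BAD_RECEIVER` process are assumptions constructed for illustration.

```python
from collections import deque

# Each process is a small labelled transition system: state -> [(gate, next_state)].
# Constructed from the page's Sender/Receiver definitions: send; ack; recurse.
SENDER = {"S0": [("send", "S1")], "S1": [("ack", "S0")]}
RECEIVER = {"R0": [("send", "R1")], "R1": [("ack", "R0")]}
# Hypothetical faulty receiver (not on the page): it insists on acknowledging first.
BAD_RECEIVER = {"R0": [("ack", "R1")], "R1": [("send", "R0")]}


def moves(p, q, sync, state):
    """Transitions of P |[sync]| Q from the product state (sp, sq)."""
    sp, sq = state
    out = []
    for gate, np_ in p.get(sp, []):
        if gate in sync:
            # Synchronised gate: fires only if Q offers the same gate right now.
            out += [(gate, (np_, nq)) for g2, nq in q.get(sq, []) if g2 == gate]
        else:
            out.append((gate, (np_, sq)))  # P moves alone (interleaving)
    # Q moves alone only on gates outside the synchronisation set.
    out += [(g, (sp, nq)) for g, nq in q.get(sq, []) if g not in sync]
    return out


def explore(p, q, sync, start):
    """Breadth-first build of the reachable LTS; returns (lts, deadlocked states)."""
    lts, deadlocks, todo = {}, [], deque([start])
    while todo:
        s = todo.popleft()
        if s in lts:
            continue
        lts[s] = moves(p, q, sync, s)
        if not lts[s]:
            deadlocks.append(s)  # no transition enabled: behaves like stop
        todo.extend(t for _, t in lts[s])
    return lts, deadlocks


def traces(lts, start, depth):
    """All gate sequences of length <= depth observable from start."""
    result, frontier = {()}, {((), start)}
    for _ in range(depth):
        frontier = {(tr + (g,), t) for tr, s in frontier for g, t in lts[s]}
        result |= {tr for tr, _ in frontier}
    return result


if __name__ == "__main__":
    gates = {"send", "ack"}
    for name, rx in (("Receiver", RECEIVER), ("BAD_RECEIVER", BAD_RECEIVER)):
        lts, dead = explore(SENDER, rx, gates, ("S0", "R0"))
        print(name, "states:", len(lts), "deadlocks:", dead)
```

Passing an empty synchronisation set gives the interleaving operator `|||`, which for the same two processes yields four product states instead of two.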
OSI Protocol Specifications in LOTOS
LOTOS was used to formally specify several protocols in the ISO OSI family:
ISO 8571 FTAM (File Transfer, Access and Management) — the OSI file transfer protocol — was specified in LOTOS as part of the ISO standardisation process.
ISDN Q.931 — the ISDN (Integrated Services Digital Network) call control protocol, which governed how calls were set up and released in the ISDN networks that Deutsche Telekom 🇩🇪 (EWSD), France Télécom 🇫🇷, and British Telecom 🇬🇧 deployed across Europe in the late 1980s and 1990s — received LOTOS formal specifications as part of the verification effort by European researchers.
X.400 Message Handling Systems — the OSI electronic mail protocol used in corporate and government networks in Europe before SMTP/internet email became dominant — was specified in LOTOS by researchers working with Alcatel and other European mail system implementers.
OSI Session Layer (ISO 8327) and Presentation Layer (ISO 8823) specifications were also developed using LOTOS, as these layers formed the middle tiers of the OSI stack that European corporate networking relied on.
The formal LOTOS specifications served two purposes. First, they acted as precise references that implementers at Alcatel, Philips, Siemens, and other companies could use to verify their implementations. Second, they were input to formal conformance testing: testing methodologies that, given a LOTOS specification, automatically derive test cases that check whether an implementation correctly implements the specification.
CADP: The Modern LOTOS Toolchain
The most significant tool in the LOTOS ecosystem is CADP (Construction and Analysis of Distributed Processes), developed and maintained by the VASY team (Vérification d'Algorithmes, Systèmes et protocoles) at INRIA Grenoble – Rhône-Alpes 🇫🇷 by Hubert Garavel and his colleagues since the early 1990s.
CADP is a comprehensive toolbox for the design, simulation, verification, and testing of distributed systems described in process-algebraic languages including LOTOS and its successors. CADP implements:
- CAESAR and CAESAR.ADT compilers: Translate LOTOS (Basic LOTOS and Full LOTOS) specifications into C code and into labelled transition systems (LTS).
- BCG tools: Manage labelled transition system (LTS) representations in the Binary Coded Graphs (BCG) format.
- Bisimulation and equivalence checkers: Verify that two LOTOS specifications describe the same observable behaviour, under various equivalence notions (strong bisimulation, weak bisimulation, trace equivalence).
- Model checkers (EVALUATOR): Verify temporal logic properties of LOTOS specifications — checking that safety properties (bad things never happen) and liveness properties (good things eventually happen) hold.
- Compositional verification: Verify properties of large systems by composing proofs about smaller components, making verification tractable for industrial-scale specifications.
CADP generates C from LOTOS specifications via CAESAR. This means a LOTOS formal specification can be compiled through: LOTOS → CAESAR → C → GCC → binary. The resulting binary implements the behaviour described in the formal specification, with a correctness guarantee grounded in the formal semantics of LOTOS. For safety-critical systems, this compilation chain provides stronger guarantees than informal implementation.
The CADP toolbox is available from INRIA under a research licence and has been used by industrial partners including STMicroelectronics 🇫🇷🇮🇹 (Grenoble + Crolles + Agrate Brianza, EU Chips Act beneficiary), Airbus 🇫🇷🇩🇪🇪🇸 (Toulouse), and EDF 🇫🇷 (nuclear) for protocol verification and system design.
E-LOTOS: The Extended Standard
A limitation of the original LOTOS standard was that it lacked explicit support for time — real-time constraints such as timeouts, durations, and deadlines. For telecom applications, timing is critical: a call that does not receive a dial tone within a few hundred milliseconds, a data session that times out after thirty seconds of inactivity. The original LOTOS could model the ordering of events but not the time between them.
E-LOTOS (Extended LOTOS), standardised as ISO/IEC 15437:2001, addressed this. E-LOTOS added:
- A real-time extension with clocks and timing constraints
- Improved data type mechanisms, removing dependencies on the ACT ONE formalism and providing a cleaner algebraic data type sublanguage
- Better support for parameterised processes
- Mechanisms for expressing priority
E-LOTOS was accompanied by the mCRL2 process algebra developed at Eindhoven University of Technology 🇳🇱 (TU/e, Technische Universiteit Eindhoven), which evolved the LOTOS tradition further. mCRL2, developed by Jan Friso Groote 🇳🇱 and colleagues at TU/e's Department of Mathematics and Computer Science, is the state-of-the-art successor to LOTOS for process-algebraic specification and verification. mCRL2 tools are maintained at TU/e and used in verification of industrial systems.
The Telecom Cluster: CHILL Implements What LOTOS Specified
The relationship between LOTOS and CHILL is direct and complementary. CHILL (CCITT/ITU, Geneva, 1980) was the implementation language for European telecom exchange software. LOTOS was the specification language for the protocols those exchanges implemented.
When Ericsson 🇸🇪 implemented the SS7 signalling stack in CHILL for the AXE exchange, the SS7 protocols had been formally specified in SDL and LOTOS. When Siemens 🇩🇪 implemented ISDN Q.931 in CHILL for the EWSD exchange, the Q.931 protocol behaviour had been formally specified in LOTOS by researchers at Siemens Research and the University of Twente. When Alcatel 🇫🇷 implemented X.400 mail handling, Alcatel researchers working with LOTOS had produced formal specifications that guided the implementation.
The formal specification layer (LOTOS) and the implementation layer (CHILL) together constituted the European approach to building reliable, interoperable telecommunications infrastructure: specify formally, implement strongly-typed. The result was telephone exchange software that ran for decades without downtime — the "five nines" (99.999%) reliability that the PSTN achieved.
SDL (ITU-T Z.100) sits alongside LOTOS in this ecosystem. SDL used a graphical state-machine notation (SDL diagrams) plus MSC (Message Sequence Charts, ITU-T Z.120) for interaction scenarios. Ericsson, Nokia, and other exchange vendors used SDL for their system-level specifications, with LOTOS used more by academic researchers for formal verification. The two languages were complementary: SDL for operational system design, LOTOS for mathematical verification.
GDPR and EU AI Act: Formal Verification as Compliance Evidence
The formal methods tradition represented by LOTOS — and its successors mCRL2, CADP, and the model-checking tools used by Airbus and EDF — is directly relevant to modern European compliance frameworks.
EU AI Act (Regulation EU 2024/1689) — which entered into force in August 2024 — requires high-risk AI systems to meet accuracy, robustness, and cybersecurity requirements (Article 15), to provide appropriate technical documentation (Article 11), and to undergo conformity assessment (Article 43). For safety-critical AI in aviation, medical devices, and critical infrastructure, formal verification methods analogous to LOTOS-based verification provide the mathematical guarantees that compliance assessment requires.
GDPR Article 25 (Data Protection by Design and by Default) requires that controllers implement technical measures that ensure data protection principles are met by default. Process-algebraic specifications like LOTOS can formally verify that a system's information flow satisfies non-interference properties — that personal data flowing through one process cannot leak to an observable output in another. This is a stronger guarantee than testing: a formal proof over all possible inputs and all possible execution paths.
NIS2 Directive (EU) 2022/2555 requires operators of essential services in the electronic communications sector to implement appropriate security measures. For critical protocol implementations — ISDN, SS7, VoIP signalling — formal verification via CADP/mCRL2 that protocol implementations correctly conform to their specifications provides documentary evidence of the security analysis that NIS2 requires.
Deploying LOTOS-Derived Systems to Europe with sota.io
A LOTOS specification, compiled through CADP's CAESAR compiler, produces C code that implements the specified protocol behaviour. This C code — or a service built around it — can be containerised and deployed to European infrastructure.
```bash
# Compile LOTOS specification to C via CADP CAESAR
caesar my_protocol.lotos

# Build the generated C code
gcc -o protocol_impl protocol_impl.c

# Containerise for deployment
cat > Dockerfile << 'EOF'
FROM debian:bookworm-slim
COPY protocol_impl /usr/local/bin/
CMD ["/usr/local/bin/protocol_impl"]
EOF
docker build -t my-lotos-service .
```
Whether you are deploying a LOTOS-derived protocol implementation, a formal verification service that checks protocol conformance, or a modern distributed system whose design draws on process-algebraic principles, you need EU infrastructure that satisfies the regulatory requirements of your European customers.
sota.io is the EU-native platform-as-a-service built for exactly this. Your services run on German infrastructure, in data centres that comply with ISO 27001 and the data sovereignty requirements of the EU General Data Protection Regulation. Managed PostgreSQL is included — no configuration, no cross-border data transfers, no Schrems II risk.
```bash
# Deploy your LOTOS-derived service to EU infrastructure
curl -fsSL https://cli.sota.io/install.sh | sh
sota login
sota deploy --region eu-central-1
```
The INRIA Sophia-Antipolis researchers who built LOTOS, and the University of Twente researchers who standardised it, were working to create a mathematically precise common language for European network infrastructure — a language that transcended any single vendor's proprietary notation and could be reasoned about formally. sota.io is built on the same principle: EU-native infrastructure that any developer can deploy to, with the compliance and sovereignty guarantees that European law demands.
See also:
- Deploy E-LOTOS to Europe — Ed Brinksma 🇳🇱 (University of Twente), ISO/IEC 15437:2001 — LOTOS's direct ISO successor with unified value-passing and integrated data types.
- Deploy CHILL to Europe — the CCITT/ITU implementation language for the telecom systems that LOTOS formally specified.
- Deploy Esterel to Europe — the synchronous reactive language from the same INRIA Sophia-Antipolis tradition.
- Deploy Lustre to Europe — the synchronous dataflow language from IMAG Grenoble/VERIMAG used for Airbus fly-by-wire.
- Deploy SIGNAL to Europe — Pierre Le Guernic 🇫🇷 (IRISA Rennes), the polychronous synchronous language with multi-rate clock algebra.
- Deploy mCRL2 to Europe — Jan Friso Groote 🇳🇱 (TU/e Eindhoven), the direct LOTOS successor and modern process algebra toolset.