Deploy B-Method to Europe β Jean-Raymond Abrial π«π· (1989), the Formal Method Behind Paris Metro Line 14, on EU Infrastructure in 2026
On 15 October 1998, the first passengers boarded Paris Metro Line 14 β the METEOR line β at BibliothΓ¨que FranΓ§ois Mitterrand station. Line 14 was the first fully automated metro line in the world: no drivers, no manual intervention, 86,000 lines of formally verified software. Every function of the train control system had been mathematically specified and proven correct before a single train ran. The method used to achieve this was B-Method.
B-Method β also known as the B formal method or simply B β is a formal software development method created by Jean-Raymond Abrial π«π·, a French computer scientist who spent his career at research institutions across France and Europe. B is built around the concept of abstract machines: mathematical objects that encapsulate state (invariants, variables) and operations (pre/post-conditions), composable through refinement and inclusion. A system is developed by writing an abstract machine, refining it through increasingly concrete layers, and finally generating executable code β with a proof obligation discharged at every step. When all proofs pass, the implementation is guaranteed to preserve the specification's invariants by construction.
Jean-Raymond Abrial and the Origins of B
Jean-Raymond Abrial π«π· began developing the ideas behind B in the 1970s and 1980s, drawing on the Z notation (which he had also contributed to at Oxford University) and on the concept of refinement calculus developed by Edsger Dijkstra and Tony Hoare. Abrial formalised B-Method in a 1989 technical report and fully presented it in his 1996 book The B-Book: Assigning Programs to Meanings (Cambridge University Press) β the canonical reference for B practitioners.
Abrial's trajectory illustrates B's fundamentally European academic ecosystem:
- Oxford University π¬π§ β contributed to Z notation (alongside Ib Holm SΓΈrensen and others)
- Grenoble (France) π«π· β developed B core methodology
- ETH Zurich π¨π β developed Event-B, the concurrent/distributed extension
- University of Newcastle π¬π§ β collaborated on Rodin platform development
Z Notation (Oxford π¬π§, 1970s) β set-theory specification language
Jean-Raymond Abrial π«π· β contributor to Z + creator of B
β
B-Method (Abrial, 1989 report, 1996 book)
Abstract Machine Notation (AMN)
State machines with invariants + proof obligations
β
Industrial Tools
B-Toolkit (Formal Systems Europe π¬π§, Bristol)
Atelier B (ClearSy π«π·, Aix-en-Provence, 1994βpresent)
β
Paris Metro Line 14 / METEOR (1998)
RATP π«π· + Alstom π«π· + GEC Alsthom
86,000 lines formally verified Β· 111,000 proof obligations
β
Event-B (Abrial at ETH Zurich π¨π + Newcastle π¬π§, 2000s)
Rodin Platform (Eclipse, EU FP6 project, 2004β2007)
Concurrent + distributed systems
β
ProB (Michael Leuschel π©πͺ, University of DΓΌsseldorf, 2003βpresent)
Model checker + constraint solver for B/Event-B
Abstract Machine Notation
B's formal language is the Abstract Machine Notation (AMN). An abstract machine in B is a self-contained component with:
- SETS β carrier sets (types at the abstract level)
- CONSTANTS and PROPERTIES β axioms and constraints
- VARIABLES β the state
- INVARIANT β predicates that must hold in every reachable state
- INITIALISATION β establishes the invariant from the start
- OPERATIONS β state transformations with preconditions and postconditions
MACHINE BankAccount
SETS
ACCOUNT_ID
VARIABLES
balance
INVARIANT
balance β ACCOUNT_ID β β -- each account has a non-negative integer balance
INITIALISATION
balance := β
OPERATIONS
Deposit(acc, amount) β
PRE acc β dom(balance) β§ amount β β β§ amount > 0
THEN balance(acc) := balance(acc) + amount
END;
Withdraw(acc, amount) β
PRE acc β dom(balance) β§ amount β β β§ balance(acc) β₯ amount
THEN balance(acc) := balance(acc) - amount
END
END
From this abstract machine, the developer writes a refinement β a more concrete implementation β and B generates proof obligations: mathematical statements that, when proven, guarantee the refinement correctly implements the abstraction. Obligations include:
- Invariant Preservation: every operation leaves the invariant true
- Refinement Correctness: every concrete operation correctly simulates the abstract one
- Feasibility: every operation has at least one valid result when its precondition holds
Proof obligations are either discharged automatically (by Atelier B's internal provers or ProB's constraint solver) or manually by the engineer using a proof assistant. In METEOR's case, 94% of 111,000 proof obligations were discharged automatically β the remainder required human-guided proof.
Paris Metro Line 14: 86,000 Lines, Zero Runtime Errors
The METEOR project (MΓ©tro Est-Ouest Rapide β the name came first, the acronym second) was contracted to Alstom π«π· and GEC Alsthom in the early 1990s. The client, RATP (RΓ©gie Autonome des Transports Parisiens), required a fully driverless metro with Safety Integrity Level 4 (SIL 4) certification β the highest level under IEC 61508, applicable when a single failure can cause catastrophic consequences.
The onboard train control software β the Automatic Train Operation (ATO) and Automatic Train Protection (ATP) systems β was developed in B-Method using Atelier B, the industrial tool from ClearSy π«π· (then called Digilog). The numbers from the project remain striking:
| Metric | Value |
|---|---|
| Lines of B specification | ~86,000 |
| Proof obligations generated | ~111,000 |
| Automatically discharged | ~94% |
| Manually proved | ~6% |
| Generated Ada code | ~87,000 lines |
| Runtime errors in production | 0 |
The B specifications were refined into concrete implementations and then translated automatically to Ada code by Atelier B's code generator β a validated translation that preserves all proved properties. No hand-written Ada was used for safety-critical components. The formal proof guarantee propagated directly from specification to executable binary.
Line 14 has been operating continuously since 1998, carrying more than 200,000 passengers per day by 2024. It has never experienced a safety-critical software failure attributable to the formally verified components.
Brussels Metro and European Expansion
Following METEOR's success, B-Method was adopted for other European rail projects:
Brussels Metro Line 1 π§πͺ β STIB/MIVB extended its existing metro with B-verified software for automatic train operation on portions of the network. The Brussels deployment used similar Alstom/Atelier B toolchain.
SNCF TGV-related signalling π«π· β French rail safety systems increasingly incorporate B-verified components as EN 50128 SIL 3/4 certification requirements align naturally with B's proof obligations.
Siemens Mobility π©πͺ β uses formal methods including B for railway signalling systems deployed across Europe under EN 50128.
The pattern is consistent: B-Method is the preferred formal method in European railway safety, where EN 50128 SIL 4 requirements effectively mandate formal verification for the most critical components.
Atelier B and ClearSy
ClearSy π«π· (Aix-en-Provence, Provence-Alpes-CΓ΄te d'Azur) is the primary industrial custodian of B-Method. Founded in 1998 as a spin-off from the METEOR project, ClearSy develops and maintains Atelier B β the industrial-grade B toolset used in all major B deployments.
Atelier B provides:
- Type checker for AMN specifications
- Proof obligation generator (PO generator)
- Automated provers: Force-0 (syntactic), Force-1, Force-2, Force-3 (increasingly powerful)
- B0 code generator: translates refined B0 specifications to C, Ada, or C++
- Project manager: tracks proof status across large specification sets
Atelier B is available under a licence that allows academic use and offers a commercial industrial edition. ClearSy also provides consulting and training across Europe.
Event-B and the Rodin Platform
In the 2000s, Jean-Raymond Abrial developed Event-B β an evolution of B designed for modelling concurrent and distributed systems. Where classical B focuses on sequential program development, Event-B uses events (guarded state transitions) as the primary modelling primitive, making it suitable for:
- Distributed protocols (consensus, fault-tolerant replication)
- Hardware/software co-design
- Security policies and access control
- Critical infrastructure control systems
The Rodin Platform β developed through the EU FP6 project (2004β2007) with partners including ETH Zurich π¨π, University of Southampton π¬π§, University of Newcastle π¬π§, Systerel π«π·, and Siemens CT π©πͺ β provides Eclipse-based tooling for Event-B. Rodin is open source and actively maintained.
ProB (University of DΓΌsseldorf π©πͺ, Michael Leuschel, 2003βpresent) provides model checking and constraint-based validation for both classical B and Event-B. ProB can:
- Animate B/Event-B specifications interactively
- Find counterexamples to invariants automatically
- Solve constraint satisfaction problems over B's mathematical types
- Integrate with Atelier B and Rodin as plugins
EU Regulatory Alignment
B-Method's proof-obligation model maps directly onto European regulatory requirements for safety-critical and AI systems:
EN 50128 (Railway Software): SIL 3 and SIL 4 explicitly recommend formal methods including "model-oriented specification languages" with proof obligations. B-Method with Atelier B is a widely accepted evidence of compliance.
IEC 61508 (Functional Safety): SIL 3/4 requires formal verification. B proof obligations constitute direct evidence of invariant preservation.
EU AI Act (2024) Art. 9: High-risk AI systems require risk management systems with evidence of correct behaviour. Formally verified B specifications provide machine-checked evidence that the system meets its specification β directly applicable to autonomous transport (Article 6, Annex II).
GDPR Art. 25 (Data Protection by Design): B invariants can encode data minimisation and access control policies as formally proved properties, not policy documents.
EU Cyber Resilience Act (2024): Exploitability requires reachable unsafe states. B proof obligations eliminate entire classes of reachable unsafe states by construction β before the system ships.
NIS2 Directive: Critical infrastructure operators (transport, energy) must demonstrate systematic risk management. Formally proved software components reduce residual risk to provably bounded levels.
Deploying B-Method Tooling on EU Infrastructure
Running Atelier B, Rodin, and ProB on EU-sovereign infrastructure serves several concrete purposes:
Compliance-as-infrastructure: SIL 3/4 certification evidence (proof obligation logs, prover outputs) must be retained and accessible. EU-resident storage satisfies data residency requirements for regulated industries without cross-border transfer agreements.
Air-gapped analysis environments: Defence and nuclear B deployments require isolated networks. EU data centres offer private network configurations that US hyperscalers complicate with shared control planes.
CI/CD integration for formal verification: ProB and Atelier B can be containerised and run in CI pipelines β each commit triggers a proof obligation re-check, catching invariant violations before code review.
Deploy Atelier B CLI in Docker on sota.io
FROM debian:bookworm-slim
# Install Java (Atelier B GUI requires Java; CLI can run headless)
RUN apt-get update && apt-get install -y \
openjdk-17-jre-headless \
curl \
&& rm -rf /var/lib/apt/lists/*
# Install Atelier B (academic/community version)
# ClearSy provides academic licences at https://www.atelierb.eu
WORKDIR /opt/atelierb
COPY AtelierB-community-linux-x86_64.tar.gz .
RUN tar xzf AtelierB-community-linux-x86_64.tar.gz && rm *.tar.gz
ENV PATH="/opt/atelierb/bin:$PATH"
WORKDIR /workspace
# docker-compose.yml β B proof server
services:
atelier-b:
build: .
volumes:
- ./specs:/workspace/specs
- ./proofs:/workspace/proofs
command: ["bpmo", "--check-all", "/workspace/specs"]
environment:
- ATELIERB_LICENSE_SERVER=your-license-server
prob:
image: ghcr.io/hhu-stups/prob2-ui:latest
volumes:
- ./specs:/workspace/specs
ports:
- "3000:3000"
Deploy ProB Model Checker
ProB is open source (Eclipse Public License) and installable via pip or direct download:
# ProB CLI (probcli) β model check a B specification
docker run --rm -v $(pwd)/specs:/specs \
ghcr.io/hhu-stups/probcli:latest \
/specs/bank_account.mch -model-check -df
# Expected output: No counterexample found (invariant preserved in all reachable states)
sota.io Deployment
# sota.toml
[app]
name = "b-method-proof-server"
region = "eu-central" # Frankfurt β GDPR-compliant, EN 50128 documentation retention
[build]
dockerfile = "Dockerfile"
[service]
port = 8080
memory = "2GB" # ProB model checking is memory-intensive for large specifications
[volume]
name = "proof-archive"
mount = "/workspace/proofs"
size = "50GB" # Long-term retention of proof obligations for certification audits
sota deploy
# β Deploying b-method-proof-server to eu-central (Frankfurt)
# β Build: 2m 14s
# β Live: https://b-method-proof-server.sota.app
# β GDPR-compliant Β· PostgreSQL managed Β· EN 50128 documentation retained in EU
See Also
- Deploy VDM-SL to Europe β β IBM Vienna Scientific Center π¦πΉ (1970s), ISO/IEC 13817-1 formal specification, Overture Tool
- Deploy SPARK Ada to Europe β β AdaCore Paris π«π· (1988), GNATprove formal verification, Airbus A350/EUROCONTROL
- Deploy Lustre to Europe β β IMAG Grenoble π«π· (1984), SCADE KCG, Airbus fly-by-wire formally verified
- Deploy Esterel to Europe β β INRIA Sophia-Antipolis π«π· (1983), GΓ©rard Berry, synchronous reactive programming
- Deploy Alloy to Europe β β Daniel Jackson πΊπΈ (MIT, 2002), SAT-based relational model checking; Alloy is to B-Method what a sketch is to a blueprint β Alloy for lightweight structural exploration, B-Method for rigorous constructive refinement to implementation
sota.io is an EU-native PaaS running on German infrastructure. Deploy B-Method tooling, Atelier B proof servers, Rodin/Event-B environments, and ProB model checkers to Frankfurt in minutes β with managed PostgreSQL for proof obligation databases, GDPR-compliant storage for certification evidence, and zero DevOps overhead. From RATP's Line 14 to your next safety-critical project: formally verified software deserves formally compliant infrastructure.