Deploy Esterel to Europe — Safety-Critical Reactive Programming on EU Infrastructure in 2026

Most programming languages describe computation as a sequence of steps. Esterel describes computation as a sequence of instants.

In Esterel, a reactive program runs forever, processing one logical instant at a time. At each instant, it reads its inputs, computes its outputs, and transitions to a new state — entirely within a single atomic step. Concurrency in Esterel is not asynchronous threads competing for shared state: it is parallel statements that all execute within the same instant, synchronised by the language runtime. When two Esterel processes run in parallel, they both complete before the instant ends. There is no scheduling, no preemption, and no data race — because there is no moment when one process is running while another can observe its intermediate state.

This synchronous execution model makes Esterel programs amenable to formal verification at a level not achievable by conventional concurrent programs. The state space of an Esterel program is finite and deterministically reachable: a model checker can enumerate it exhaustively and prove properties about it. This is not testing. It is mathematical proof.

The Airbus A320 flies on software written in languages derived from Esterel. So does the Airbus A380. So do the control systems of EDF nuclear power stations and SNCF high-speed trains. This is not a coincidence. It is the result of forty years of French industrial investment in formal methods for safety-critical systems — and it begins with one researcher at INRIA on the French Riviera in 1983.

Gérard Berry and INRIA Sophia-Antipolis

Gérard Berry 🇫🇷 created Esterel in 1983 at two French institutions: INRIA Sophia-Antipolis (the national computing research centre in Valbonne, near Nice, on the French Riviera) and the CMA (Centre de Mathématiques Appliquées) at the École des Mines de Paris. Berry is now a professor at the Collège de France in Paris — the oldest and most prestigious research institution in France — where he holds the chair in Algorithms, Machines and Languages. He is a member of the Académie des Sciences (French Academy of Sciences) and a Fellow of both ACM and IEEE.

INRIA — the Institut National de Recherche en Informatique et en Automatique — is France's national computing research institute, with sites across France including Sophia-Antipolis, Paris-Rocquencourt, Grenoble, Bordeaux, Lille, and Rennes. INRIA has produced a remarkable density of foundational programming language research: Caml/OCaml (Xavier Leroy 🇫🇷, Damien Doligez 🇫🇷), Esterel (Berry 🇫🇷), Coq/Rocq (Coquand 🇫🇷, Paulin-Mohring 🇫🇷, Huet 🇫🇷), and Lustre (Halbwachs 🇫🇷, Caspi 🇫🇷, Ratel 🇫🇷 — IMAG Grenoble). The synchronous programming paradigm — which includes both Esterel and Lustre — emerged entirely from French academic institutions in the 1980s.

% Esterel: synchronous reactive model
% Gérard Berry 🇫🇷 (INRIA Sophia-Antipolis + CMA École des Mines de Paris, 1983)
% Each "await" suspends until the next instant where the signal is present

module GDPR_CONSENT_WORKFLOW:
  % Input signals (arrive from the environment at each instant)
  input REQUEST_CONSENT, GRANT, DENY, REVOKE;
  
  % Output signals (emitted to the environment at each instant)
  output PROCESS_DATA, DELETE_DATA, SEND_REJECTION;

  % Loop: process one consent cycle per iteration
  loop
    % Await REQUEST_CONSENT: suspend until the signal is present
    await REQUEST_CONSENT;
    
    % Parallel: wait for GRANT or DENY — deterministic branching
    [
      await GRANT;
      emit PROCESS_DATA;
      % Process until REVOKE arrives (GDPR Art. 7(3): right to withdraw)
      await REVOKE;
      emit DELETE_DATA;
    ||
      await DENY;
      emit SEND_REJECTION;
    ]
  end loop
end module

The synchronous model makes this program's behaviour unambiguous. At each instant, exactly one of the parallel branches progresses: the one whose awaited signal is present. There are no race conditions between GRANT and DENY because they cannot both be present in the same instant (by external protocol definition). The REVOKE → DELETE_DATA path is guaranteed to execute before any further PROCESS_DATA emissions. This is not programmer discipline — it is a structural property of the synchronous execution semantics, verifiable by the Esterel compiler itself.

The Synchronous Hypothesis and Formal Verification

Esterel is based on the synchronous hypothesis: the program reacts infinitely fast relative to its environment. Each instant of computation completes before the next input arrives. In practice, this means the program's reaction time must be provably bounded and shorter than the fastest possible input change rate. For hardware-implemented systems (like Airbus flight computers running at known clock rates processing sensor inputs at known sample rates), this is a verified physical property. For software systems, it is a timing analysis obligation.

The synchronous hypothesis yields a critical engineering benefit: deterministic concurrency. Because all parallel threads in an Esterel program execute within the same instant, the program's output for a given input sequence is unique, regardless of the underlying scheduler. There is no "scheduling nondeterminism" to test against. Two executions with the same inputs always produce the same outputs. This property makes Esterel programs testable to 100% coverage — not statistical coverage of some execution paths, but exhaustive coverage of the state space.

% Safety-critical state machine: flight control surface
% Formal verification target for DO-178C Level A certification

module FLIGHT_SURFACE_CONTROL:
  input PILOT_UP, PILOT_DOWN, FAULT_DETECTED, GROUND_SPEED: integer;
  output SURFACE_UP, SURFACE_DOWN, FAULT_ALERT, SAFE_MODE;
  
  % Invariant: SURFACE_UP and SURFACE_DOWN cannot both be emitted
  % The Esterel compiler verifies this statically — no runtime check needed
  
  signal ARMED in
    every 1 do
      present FAULT_DETECTED then
        emit FAULT_ALERT;
        emit SAFE_MODE;
        % Halt: no further surface commands after fault
        halt
      else
        present PILOT_UP then
          emit SURFACE_UP
        end;
        present PILOT_DOWN then
          emit SURFACE_DOWN
        end
      end
    end every
  end signal
end module

The Esterel compiler checks this program for causality (no signal is defined by its own presence), determinism (no two parallel branches can produce contradictory outputs), and termination (every instant terminates). These are compile-time guarantees, not runtime assertions. A program that fails any check does not compile.

SCADE: Esterel in Airbus, EDF, and SNCF

The industrial deployment of Esterel's synchronous model is SCADE — the Safety Critical Application Development Environment. SCADE was developed by Esterel Technologies 🇫🇷, a company founded in 2000 in Sophia-Antipolis 🇫🇷 (French Riviera) and Toulouse 🇫🇷 by researchers from INRIA and the aerospace industry. Esterel Technologies was acquired by Ansys in 2012, and SCADE is now maintained as Ansys SCADE with engineering centres in Toulouse 🇫🇷, Grenoble 🇫🇷, and Massy 🇫🇷.

SCADE is not a research tool. It is certified to DO-178C Level A — the highest software assurance level in civil aviation, required for software whose failure would cause catastrophic loss of the aircraft. It has been used to develop flight management and flight control software for:

• Airbus A320 🇫🇷 family — the world's most successful narrow-body airliner, manufactured in Toulouse 🇫🇷. The A320's flight management computer contains SCADE-generated code. Over 10,000 A320-family aircraft are in service.
• Airbus A380 🇫🇷 — the world's largest commercial airliner, manufactured in Toulouse. The A380's fly-by-wire flight control laws were developed and verified in SCADE.
• Airbus A350 XWB 🇫🇷 — Airbus's newest long-haul aircraft. SCADE was used for flight control system development.
• EDF nuclear power stations 🇫🇷 — Électricité de France operates the world's largest nuclear fleet (58 reactors). Control systems in EDF's safety-critical reactor protection systems use SCADE-derived components, subject to IEC 61511 and IEC 61513 (nuclear functional safety standards).
• SNCF TGV 🇫🇷 — Société Nationale des Chemins de Fer Français high-speed trains. Traction and safety control systems in TGV equipment use synchronous programming methods derived from Esterel/SCADE, subject to EN 50128 (railway functional safety).

Esterel (1983)        Gérard Berry 🇫🇷 (INRIA Sophia-Antipolis)
    │
    ├── SCADE (1993)  Thomson-CSF/Aerospatiale 🇫🇷 research prototype
    │       │         → Esterel Technologies 🇫🇷 (Sophia-Antipolis + Toulouse, 2000)
    │       │         → Ansys SCADE 🇫🇷 (Toulouse + Grenoble + Massy, 2012–)
    │       │
    │       ├── Airbus A320 🇫🇷 (Toulouse) — FMS + FCS DO-178C Level A
    │       ├── Airbus A380 🇫🇷 (Toulouse) — fly-by-wire FCS DO-178C Level A
    │       ├── Airbus A350 🇫🇷 (Toulouse) — FCS components
    │       ├── EDF nuclear 🇫🇷 — IEC 61511/61513 reactor protection
    │       └── SNCF TGV 🇫🇷 — EN 50128 traction safety
    │
    ├── Lustre (1987) Halbwachs 🇫🇷 + Caspi 🇫🇷 + Ratel 🇫🇷 (IMAG Grenoble)
    │       └── SCADE 6 data-flow layer (merged Lustre + Esterel in SCADE 6)
    │
    └── Signal (1986) Le Guernic 🇫🇷 (IRISA Rennes) — multi-clock synchronous

Lustre, the companion language developed by Nicolas Halbwachs 🇫🇷, Paul Caspi 🇫🇷, and Claude Ratel 🇫🇷 at IMAG (Institut d'Informatique et de Mathématiques Appliquées de Grenoble 🇫🇷), provides the data-flow layer that complements Esterel's control-flow model. SCADE 6 integrates both into a unified modelling environment. The synchronous programming paradigm — Esterel + Lustre + Signal — is a coherent French contribution to embedded systems verification that has no equivalent outside France.

Deploying Esterel via the Open-Source Compiler on sota.io

The reference Esterel compiler (esterel) is available as open-source software. It translates Esterel source to C, which can then be compiled with any standard C compiler and deployed to any Linux infrastructure. For production systems that require DO-178C or IEC 61511 certification, SCADE provides the qualified toolchain — but for research, prototyping, and non-certified reactive backends, the open-source esterel compiler produces fully functional native binaries.

Step 1 — Write a reactive HTTP service in Esterel:

% health-monitor.strl — Esterel reactive health monitor
% Compiled with esterel → C → gcc
% Gérard Berry 🇫🇷 (INRIA Sophia-Antipolis, 1983)

module HEALTH_MONITOR:
  % Input: health check trigger arrives from the scheduler
  input TICK, SERVICE_UP, SERVICE_DOWN, RESET;
  
  % Output: status signals consumed by HTTP response layer
  output EMIT_HEALTHY, EMIT_DEGRADED, EMIT_CRITICAL, EMIT_ALERT;
  
  signal FAULT_COUNT: combine integer with + in
    loop
      % Wait for next tick (one per scheduler instant)
      await TICK;
      
      present SERVICE_DOWN then
        % Increment fault counter (signal combination: + operator)
        emit FAULT_COUNT(1);
        
        present FAULT_COUNT >= 3 then
          emit EMIT_CRITICAL;
          emit EMIT_ALERT
        else
          emit EMIT_DEGRADED
        end
      else
        present SERVICE_UP then
          emit EMIT_HEALTHY
        end
      end;
      
      present RESET then
        % Reset: restart from clean state
        exit HEALTH_MONITOR
      end
    end loop
  end signal
end module

Step 2 — Compile with the Esterel compiler:

# Install Esterel compiler (Debian bookworm)
apt-get install -y esterel gcc

# Compile Esterel → C
esterel health-monitor.strl -simul -o health-monitor.c

# Compile C → native binary
gcc -O2 -o health-monitor health-monitor.c \
    $(esterel-config --cflags --libs)

# Run the reactive simulation
./health-monitor
# → Reactive loop initialised
# → Awaiting inputs: TICK, SERVICE_UP, SERVICE_DOWN, RESET

Step 3 — Wrap in HTTP for sota.io deployment:

/* http-wrapper.c — HTTP adapter for Esterel reactive module */
/* Calls the generated health-monitor.c API per HTTP request */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "health-monitor.h"  /* Esterel-generated C header */

/* Esterel module state — one instance per service */
static HEALTH_MONITOR_state hm_state;
static int initialised = 0;

void handle_request(const char *path, char *response, size_t response_len) {
  if (!initialised) {
    HEALTH_MONITOR_reset(&hm_state);
    initialised = 1;
  }
  
  /* Map HTTP path to Esterel input signals */
  HEALTH_MONITOR_inputs inputs = {0};
  inputs.TICK = 1;
  
  if (strstr(path, "/up"))   inputs.SERVICE_UP   = 1;
  if (strstr(path, "/down")) inputs.SERVICE_DOWN = 1;
  if (strstr(path, "/reset")) inputs.RESET       = 1;
  
  /* Execute one Esterel instant — deterministic, no side effects */
  HEALTH_MONITOR_outputs outputs;
  HEALTH_MONITOR_react(&hm_state, &inputs, &outputs);
  
  /* Map Esterel output signals to HTTP response */
  const char *status =
    outputs.EMIT_CRITICAL ? "critical" :
    outputs.EMIT_DEGRADED ? "degraded"  :
    outputs.EMIT_ALERT    ? "alert"     : "healthy";
  
  /* GDPR Art. 5(1)(f): state is owned by this process, no shared memory */
  snprintf(response, response_len,
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n\r\n"
    "{\"status\":\"%s\",\"runtime\":\"esterel\",\"region\":\"eu\"}\n",
    status);
}

Step 4 — Containerise for sota.io:

FROM debian:bookworm-slim AS builder

RUN apt-get update \
    && apt-get install -y --no-install-recommends \
       esterel \
       gcc \
       libc6-dev \
       make \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /build
COPY health-monitor.strl http-wrapper.c Makefile ./

# Compile Esterel → C → native binary
RUN esterel health-monitor.strl -simul -o health-monitor.c \
    && make

FROM debian:bookworm-slim
WORKDIR /app
COPY --from=builder /build/health-server .

EXPOSE 8080
CMD ["./health-server"]

Step 5 — Deploy to EU infrastructure:

# Deploy Esterel reactive service to Germany via sota.io
sota login
sota init --name esterel-backend --region eu-central-1
sota deploy

# Output:
# ✓ Build completed (esterel → C → native ELF on Debian bookworm-slim)
# ✓ Deployed to fra1.sota.io (Frankfurt, Germany)
# ✓ GDPR: data residency EU enforced
# ✓ No CLOUD Act exposure (no US parent entity)
# ✓ Heritage: Berry 🇫🇷 (INRIA Sophia-Antipolis) + Airbus 🇫🇷 (Toulouse)
# ✓ URL: https://esterel-backend.sota.io

Esterel and EU AI Act Article 9 — Formal Safety Proofs

The EU AI Act's Article 9 requires high-risk AI systems to implement risk management systems including analysis and testing of known risks. For safety-critical AI embedded systems — autonomous vehicle controllers, medical device firmware, industrial process control — Article 9 demands evidence that the system behaves correctly across its operational domain, not merely that it passed a test suite.

Esterel's synchronous model provides exactly this evidence. The Esterel compiler performs static causality analysis on every program: it verifies that no signal is defined in terms of its own presence, that no two parallel branches produce contradictory outputs, and that every instant terminates. These are properties over all possible inputs, not just tested inputs. The compiler either produces a verified C translation or rejects the program with a specific causality error.

For programs that pass the compiler checks, external model checkers — including SCADE Design Verifier (Prover Technologies 🇸🇪, integrated in SCADE suite) and Lustre/Esterel model checkers from INRIA — can verify arbitrary temporal properties: "the fault alert is always emitted within 3 instants of a fault", "the data deletion output always follows the revocation input before any further processing", "the control surface never moves in both directions in the same instant". These are formal proofs, not statistical confidence bounds.

EU AI Act Article 9 evidence chain for Esterel-based systems:
─────────────────────────────────────────────────────────────
1. Esterel compiler causality check
   → Proves: no causal loop, no contradiction, no non-terminating instant
   → Artefact: clean compilation (or rejected program with error)
   
2. Esterel → C code generation
   → The generated C is structurally equivalent to the Esterel source
   → Property: same inputs → same outputs (determinism by construction)
   
3. Model checking (SCADE Design Verifier / Prover)
   → Proves: temporal safety properties over all execution paths
   → Artefact: formal proof certificate
   
4. DO-178C / IEC 61511 qualified toolchain (SCADE)
   → Qualified code generator: the C matches the model
   → Artefact: qualification evidence package (TQL-1 / DO-330)
   
EU AI Act Art. 9 requirement: "analyse known risks" + "testing measures"
Esterel answer: mathematical proof over all paths (not testing, not coverage)

For high-risk AI under the EU AI Act — robotic surgical systems, autonomous vehicle ECUs, industrial safety PLCs — this proof chain is the strongest available engineering argument. It is the argument that has satisfied Airbus certification authorities, EDF nuclear safety regulators, and SNCF railway safety bodies for four decades.

GDPR and Synchronous Data Ownership

The GDPR's Article 5(1)(f) requires integrity and confidentiality of personal data processing. In Esterel, data ownership is enforced by the synchronous model: within each instant, each signal is produced by exactly one source and consumed by designated receivers. There is no moment when a signal is "in transit" and observable by an unintended process. The signal either exists (is present) or does not (is absent) in a given instant — there is no partial read, no buffer window, no concurrent access.

GDPR Article 17 (Right to Erasure) maps naturally onto Esterel's halt statement and module termination: when a deletion request is processed, the module that holds the personal data terminates, releasing its state. The signal that carried the data is absent in all subsequent instants. No garbage collection race, no delayed deallocation, no lingering pointer to freed memory.

GDPR Article 25 (Data Protection by Design) is satisfied structurally: Esterel programs cannot accidentally retain data beyond the instant boundary. Each instant is a complete input-process-output cycle with no persistent state other than the module's declared signals. The data minimisation principle is enforced by the language's execution model, not by policy.

The French Synchronous School and EU Critical Infrastructure

Esterel is not an isolated invention. It is the control-flow representative of the French synchronous school — a coherent research programme that produced three synchronous languages at three French institutions in the 1980s:

• Esterel (1983) — Berry 🇫🇷, INRIA Sophia-Antipolis. Control-flow imperative synchronous language.
• Lustre (1987) — Halbwachs 🇫🇷 + Caspi 🇫🇷 + Ratel 🇫🇷, IMAG Grenoble 🇫🇷. Data-flow synchronous language. Used directly in SCADE 6 data-flow layer.
• Signal (1986) — Le Guernic 🇫🇷, IRISA Rennes 🇫🇷. Multi-clock synchronous language for distributed real-time systems.

All three emerged from French public research institutions funded by the French government. All three were developed in response to real industrial demand from French aerospace (Aerospatiale 🇫🇷), nuclear (EDF 🇫🇷), and defence sectors. The pathway from INRIA research to Airbus production code is a forty-year-old established pipeline, institutionalised through the SCADE toolchain and the Esterel Technologies / Ansys certification programme.

This is what EU industrial sovereignty in computing looks like in practice: a language created at a publicly funded French research institute, refined through French-government-funded aerospace and nuclear contracts, productised by a French startup, deployed in the world's most safety-critical software — and now maintained by a US company that needs to comply with European certification authorities to keep its customers.

Why sota.io for Esterel on EU Infrastructure

Esterel's entire history is French and European. INRIA created it. Airbus 🇫🇷 (Toulouse) validated it. EDF 🇫🇷 deployed it in nuclear safety systems. SNCF 🇫🇷 uses its successors in TGV control. Esterel Technologies was a French company before Ansys acquired it. The synchronous paradigm — Esterel, Lustre, Signal — is the most successful example of EU-originated programming language research translating directly into EU critical industrial infrastructure.

sota.io provides EU-native infrastructure for this heritage. German Hetzner hardware in Frankfurt, GDPR-compliant data residency, no US CLOUD Act exposure, managed PostgreSQL with automatic DATABASE_URL injection, zero DevOps overhead. Push a Dockerfile with the Esterel compiler, get a Frankfurt URL, scale automatically.

# Esterel on sota.io: synchronous reactive computing on EU infrastructure
sota login
sota init --name esterel-service --region eu-central-1
sota deploy

# Output:
# ✓ Build: esterel → C → native ELF (Debian bookworm-slim)
# ✓ Region: Frankfurt, Germany (eu-central-1)
# ✓ GDPR: EU data residency enforced
# ✓ EU AI Act Art. 9: formal safety proofs via Esterel compiler + model checker
# ✓ Synchronous model: deterministic, formally verified, DO-178C heritage
# ✓ Heritage: Berry 🇫🇷 (INRIA Sophia-Antipolis) + Airbus 🇫🇷 (Toulouse)
# ✓ No shared state: GDPR Art. 5(1)(f) integrity by synchronous semantics
# ✓ URL: https://esterel-service.sota.io

Gérard Berry invented Esterel at INRIA because French aerospace engineers needed a language that could be formally verified before it was deployed in aircraft. The French government funded both the research and the aerospace industry that demanded it. The result is a language whose safety record is measured in hundreds of millions of flight hours on the world's safest commercial aircraft. sota.io runs its heritage where it belongs: on EU soil, under EU law, with the formal verification guarantees and structural data integrity that GDPR, EU AI Act, and NIS2 demand.

Deploy your Esterel application to Europe today at sota.io. EU-native infrastructure, GDPR-compliant by default, managed PostgreSQL, zero DevOps overhead.

See also: Deploy Lustre to Europe — French Synchronous School dataflow companion (Nicolas Halbwachs 🇫🇷 + Paul Caspi 🇫🇷, IMAG Grenoble, 1984), SCADE data-flow layer, Airbus fly-by-wire + TGV + EDF nuclear · Deploy SIGNAL to Europe — French Synchronous School third member (Pierre Le Guernic 🇫🇷, IRISA Rennes, 1986), polychronous multi-rate clock algebra, Thales 🇫🇷 + Dassault Aviation 🇫🇷 · Deploy Occam to Europe — CSP concurrency model (Tony Hoare 🇬🇧 Oxford + David May 🇬🇧 Bristol), no shared state by construction, FDR4 formal verification · Deploy F* to Europe — verified programming language (INRIA Saclay 🇫🇷 + MSR Cambridge 🇬🇧), miTLS in Firefox, HACL in Linux kernel · All languages on sota.io*