Deploy Event-B to Europe: Jean-Raymond Abrial 🇫🇷 (ETH Zurich, 2000s), the Refinement-Based Formal Method Behind European Rail Safety, on EU Infrastructure in 2026
When Paris Metro Line 14 opened in 1998 as the world's first fully automated driverless metro line, the software controlling its train movements was not tested; it was proved. The proof was produced using the B-Method, developed by Jean-Raymond Abrial 🇫🇷. Two decades later, Abrial refined that method into Event-B, a cleaner, more expressive formal language designed for concurrent and distributed systems, now embedded in the open-source Rodin Platform and used from Swiss railway interlocking to Belgian air traffic management. If your system must be provably correct rather than merely probably correct, Event-B is where Europe's formal methods tradition converges.
What Event-B Is, and Why It Matters in 2026
Event-B is a state-based formal method for modelling and verifying discrete systems. A system is described as a set of machines (state variables, invariants, and events that transition state) and contexts (constants, axioms, and theorems). The key discipline is refinement: you start with an abstract model, prove it correct, then systematically add implementation detail through a series of verified refinement steps, each step provably preserving the properties of the one before it.
The result is software that is correct by construction. Runtime exceptions, race conditions, and invariant violations are not tested away; they are proved impossible. For systems certified to EN 50128 SIL4 (railway), DO-178C Level A (avionics), or IEC 62443 (industrial control), this is not optional: it is the certification requirement.
Jean-Raymond Abrial 🇫🇷 is French. He developed the original B-Method in the 1980s–90s and codified Event-B during his period at ETH Zurich in the 2000s, supported by the EU-funded RODIN project (Rigorous Open Development Environment for Complex Systems, FP6 IST 511599). The Rodin Platform, the Eclipse-based IDE for Event-B, was built by a consortium including Systerel 🇫🇷, Heinrich-Heine-Universität Düsseldorf 🇩🇪, and the University of Southampton 🇬🇧. Event-B is a deeply European technology.
From B-Method to Event-B: The Refinement Lineage
```text
Z Notation (Oxford 🇬🇧, 1970s): set-theory specification language
Jean-Raymond Abrial 🇫🇷: contributor to Z + creator of B
        ↓
B-Method (Abrial, 1989 report, 1996 The B-Book)
Abstract Machine Notation (AMN): state + invariants + proof obligations
        ↓
Paris Metro Line 14 / METEOR (1998)
86,000 lines formally verified · 111,000 proof obligations · 0 runtime errors
        ↓
Event-B (Abrial at ETH Zurich 🇨🇭 + Newcastle 🇬🇧, 2000s)
Events replace operations → concurrent/distributed systems
Contexts decouple static from dynamic parts
Refinement calculus preserved and extended
        ↓
Rodin Platform (Eclipse, EU FP6 project, 2004–2007)
ETH Zurich + Southampton + Newcastle + Systerel 🇫🇷 + Siemens CT 🇩🇪
        ↓
ProB (Michael Leuschel 🇩🇪, University of Düsseldorf, 2003–present)
Model checker + constraint solver for B/Event-B, open source
```
Where classical B focuses on sequential program development (operations transform state), Event-B uses events (guarded state transitions that may fire non-deterministically) as its primary primitive. This makes Event-B natural for modelling concurrent protocols, distributed algorithms, and reactive systems where multiple events may be enabled simultaneously.
An Event-B Machine: Structure and Proof Obligations
An Event-B development consists of machines (dynamic parts) and contexts (static parts, shared across machines). A simple machine, which sees a context TrackContext (not shown) declaring the carrier set TRACK, the constants start_position, departure_zones, arrival_zones and safe_zones (all drawn from TRACK), and the function reachable ∈ TRACK → ℙ(TRACK):
```
MACHINE TrainControl
SEES TrackContext
VARIABLES position, moving
INVARIANT
  position ∈ TRACK ∧
  moving ∈ BOOL ∧
  (moving = TRUE ⇒ position ∈ safe_zones)
INITIALISATION
  position := start_position ∥
  moving := FALSE
EVENTS
  Depart ≙
    when moving = FALSE ∧ position ∈ departure_zones
    then moving := TRUE
    end
  Arrive ≙
    when moving = TRUE ∧ position ∈ arrival_zones
    then moving := FALSE
    end
  Move ≙
    any next_pos
    where moving = TRUE ∧ next_pos ∈ reachable(position) ∧ next_pos ∈ safe_zones
    then position := next_pos
    end
END
```
From this machine, Rodin generates proof obligations:
- Invariant Preservation (INV): each event, when its guard holds, leaves the invariant true
- Feasibility (FIS): whenever an event's guard holds, its action can actually produce an after-state (a non-deterministic action has at least one witness)
- Refinement Correctness (in refinements): concrete events correctly simulate abstract ones
These obligations are discharged by Rodin's built-in provers, by ProB's constraint solver, or by user-guided interactive proof. The invariant moving = TRUE ⇒ position ∈ safe_zones must be proved preserved by every event that modifies position or moving; the proof is the safety argument, not a comment in the code. For Depart, that obligation is provable only if TrackContext carries the axiom departure_zones ⊆ safe_zones; without it Rodin leaves the Depart INV obligation undischarged and ProB reports a state in which a train is moving outside a safe zone.
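The two findings just described, an event that breaks the invariant and a reachable state where nothing is enabled, are exactly what a model checker such as ProB reports on a finite instance of the machine. The following Python script is an added example, not Rodin or ProB code: it explores the TrainControl machine above over a constructed TrackContext (a four-block chain of track, assumed values) and returns the invariant violations, attributed to the event that caused them, and the deadlocks it finds.

```python
"""Explicit-state check of the TrainControl machine.

Added example, not Rodin or ProB code. It plays the role of ProB's model
checker on a constructed, finite instance of TrackContext and reports the two
things a practitioner looks for: an event whose after-state breaks the
invariant (an undischarged INV proof obligation) and a reachable state in which
no event is enabled (a deadlock).
"""
from collections import deque


def make_context(safe_zones):
    """Constructed TrackContext instance (assumed values; the page's context is
    not shown). The track is a chain T0 -> T1 -> T2 -> T3; trains depart from
    T0 and arrive at T3. `safe_zones` is the parameter under test."""
    return {
        "TRACK": {"T0", "T1", "T2", "T3"},
        "departure_zones": {"T0"},
        "arrival_zones": {"T3"},
        "safe_zones": set(safe_zones),
        "reachable": {"T0": {"T1"}, "T1": {"T2"}, "T2": {"T3"}, "T3": set()},
        "start_position": "T0",
    }


def invariant(state, ctx):
    """INVARIANT of the machine; a state is the pair (position, moving)."""
    position, moving = state
    return (position in ctx["TRACK"]
            and moving in (True, False)
            # moving = TRUE => position in safe_zones
            and (not moving or position in ctx["safe_zones"]))


def enabled_successors(state, ctx):
    """Yield (event_name, after_state) for every event whose guard holds in
    `state`. Move is non-deterministic (any next_pos), so it may yield several
    successors, one per witness of its where-clause."""
    position, moving = state
    if not moving and position in ctx["departure_zones"]:
        yield "Depart", (position, True)
    if moving and position in ctx["arrival_zones"]:
        yield "Arrive", (position, False)
    if moving:
        for next_pos in sorted(ctx["reachable"][position]):
            if next_pos in ctx["safe_zones"]:
                yield "Move", (next_pos, True)


def model_check(ctx):
    """Breadth-first exploration from INITIALISATION.

    Returns (reachable_states, violations, deadlocks). A violation is the
    triple (event, before_state, after_state): the invariant held before the
    event fired and not after, i.e. that event's INV obligation fails."""
    init = (ctx["start_position"], False)
    seen = {init}
    queue = deque([init])
    violations, deadlocks = [], []
    while queue:
        state = queue.popleft()
        successors = list(enabled_successors(state, ctx))
        if not successors:
            deadlocks.append(state)
        for event, after in successors:
            if invariant(state, ctx) and not invariant(after, ctx):
                violations.append((event, state, after))
            if after not in seen:
                seen.add(after)
                queue.append(after)
    return seen, violations, deadlocks


if __name__ == "__main__":
    # Case 1: departure_zones is a subset of safe_zones, so every INV
    # obligation holds. The only finding is a deadlock at the terminus
    # (T3, not moving): no event is enabled there, which ProB would flag.
    states, bad, dead = model_check(make_context({"T0", "T1", "T2", "T3"}))
    print(f"{len(states)} reachable states, {len(bad)} violations, deadlocks: {dead}")

    # Case 2: T0 is a departure zone but not a safe zone. Depart sets
    # moving := TRUE while position = T0, falsifying the invariant. This is
    # the counterexample behind an undischarged Depart INV obligation.
    _, bad, _ = model_check(make_context({"T1", "T2", "T3"}))
    for event, before, after in bad:
        print(f"INV violated by {event}: {before} -> {after}")
```

The checker only covers the finite instance it is given, which is the same limitation ProB has and the reason the page pairs model checking (fast counterexamples) with Rodin's provers (obligations discharged for every instance of the context). The deadlock at the terminus is not an error in the machine as written; it is the kind of finding that prompts a practitioner to decide whether a further event (a return journey, say) belongs in the model.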
The EU Formal Methods Industrial Cluster
Event-B anchors a cluster of European safety-critical engineering companies:
| Company | Country | Role |
|---|---|---|
| CLEARSY | France 🇫🇷 (Aix-en-Provence) | Atelier B, industrial B/Event-B toolchain. SNCF, RATP, Siemens Mobility, Alstom, Thales. |
| Systerel | France 🇫🇷 | Rodin co-developer, Event-B proofs for nuclear and aerospace. |
| Siemens Mobility | Germany 🇩🇪 / Austria 🇦🇹 | EN 50128 SIL4 railway interlocking, formal methods in CENELEC certification pipeline. |
| Alstom | France 🇫🇷 / Belgium 🇧🇪 | CBTC systems across European metro networks, B-Method in signalling software. |
| EUROCONTROL | Belgium 🇧🇪 (Brussels) | European air traffic management, formal specification in safety-critical ATC software. |
Every time a Paris, Brussels, or Copenhagen metro train moves without a driver, Event-B or its predecessor B-Method is part of the safety argument. This is documented in certification filings and academic literature spanning 25+ years of industrial track record.
Event-B in the Formal Methods Landscape
The sota.io blog documents Europe's formal methods tradition across multiple posts:
| Method | Origin | Style | EU Use Cases |
|---|---|---|---|
| VDM-SL | IBM Vienna 🇦🇹, 1970s | Model-based spec | Pacemakers, financial systems |
| SPARK Ada | Southampton 🇬🇧, 1988 | Verified subset language | Airbus A350, EUROCONTROL SESAR |
| B-Method | Abrial 🇫🇷, 1989 | Abstract Machine Notation | Railway, metro (Paris Line 14) |
| Event-B | Abrial 🇫🇷, ETH Zurich 🇨🇭, 2000s | Refinement-based events | Railway, distributed, nuclear |
| Isabelle/HOL | Cambridge 🇬🇧/TU Munich 🇩🇪 | Proof assistant | seL4, mathematical proofs |
| F* | INRIA Paris 🇫🇷 + MSR | Verified programming | Cryptographic protocols |
Event-B occupies the concurrent/distributed safety-critical niche. The refinement calculus inherited from B-Method makes it uniquely suited to systems where you must evolve specifications incrementally while maintaining a provable chain of verified properties.
Deploy Event-B / Rodin Tooling on EU Infrastructure
The primary Event-B development environment is the Rodin Platform, a Java-based Eclipse IDE. Supporting tools include:
- ProB: model checker for Event-B machines (Heinrich-Heine-Universität Düsseldorf 🇩🇪)
- Atelier B: CLEARSY's industrial B/Event-B toolchain (Aix-en-Provence 🇫🇷)
- Rodin API: programmatic access for CI/CD integration
- iUML-B: UML state machine → Event-B translation (Southampton 🇬🇧)
Rodin runs as a Java application. Containerising it for cloud deployment, so that automated proof checking runs as part of a CI pipeline, follows the standard Docker + Java pattern:
```dockerfile
FROM eclipse-temurin:21-jre-alpine
# Rodin Platform headless install (copied from a release downloaded into the build context)
WORKDIR /opt/rodin
COPY rodin-platform/ .
# ProB model checker CLI. Pin the release and verify its checksum before extracting:
# a bare `curl | tar` accepts whatever the download server returns, which is the
# supply-chain weak point of a proof-checking pipeline. The checksum below is a
# placeholder; take the value from the ProB release you pin (the build fails until it matches).
ARG PROB_SHA256="<sha256 of the pinned ProBCli-linux.tar.gz>"
RUN apk add --no-cache bash curl && \
    curl --fail -L -o /tmp/probcli.tar.gz https://prob.hhu.de/download/ProBCli-linux.tar.gz && \
    echo "${PROB_SHA256}  /tmp/probcli.tar.gz" | sha256sum -c - && \
    tar xzf /tmp/probcli.tar.gz && rm /tmp/probcli.tar.gz
ENV PATH="/opt/rodin:${PATH}"
EXPOSE 8080
CMD ["./rodin", "-application", "de.prob2.kernel.cli", "--headless"]
```
Deploy to EU infrastructure with the sota.io CLI:
```bash
# Install sota CLI
npm install -g sota
# Deploy Rodin CI service to Frankfurt region (EU-West)
sota deploy --region eu-west --name event-b-ci
# Attach managed PostgreSQL for proof audit logs
sota db attach event-b-ci --plan starter
```
Your Event-B proof-checking service runs on EU servers, under EU jurisdiction, with GDPR-compliant data handling from day one.
sota.io Configuration
```toml
# sota.toml
[app]
name = "event-b-proof-server"
region = "eu-central" # Frankfurt: GDPR-compliant, EN 50128 documentation retention
[build]
dockerfile = "Dockerfile"
[service]
port = 8080
memory = "2GB" # ProB model checking is memory-intensive for large specifications
[volume]
name = "proof-archive"
mount = "/workspace/proofs"
size = "50GB" # Long-term retention of proof obligations for certification audits
```
```bash
sota deploy
# → Deploying event-b-proof-server to eu-central (Frankfurt)
# → Build: 2m 18s
# → Live: https://event-b-proof-server.sota.app
# → GDPR-compliant · PostgreSQL managed · EN 50128 documentation retained in EU
```
GDPR, NIS2, and the EU AI Act: Formal Methods in the Compliance Era
The EU regulatory environment is accelerating the relevance of formal methods in 2026:
EU AI Act (Regulation 2024/1689), Article 9: High-risk AI systems (Article 6, Annex III) must demonstrate technical robustness. Formal verification with Event-B provides machine-checkable evidence of property satisfaction, directly relevant for healthcare AI, critical infrastructure AI, and transportation AI deployed in the EU. Event-B invariants can encode the safety properties required by Art. 9 risk management systems.
NIS2 Directive: Operators of Essential Services (energy, transport, banking, health) must implement appropriate technical measures. Formally verified control software rules out whole defect classes by proof (invariant violations, transitions out of unexpected states), where penetration testing can only sample for them.
EU Cyber Resilience Act (CRA, 2024): Products with digital elements must meet security requirements. Event-B proof obligations provide evidence of absence of specific vulnerability classes (buffer overruns, invalid state transitions) that is stronger than any dynamic testing regime. That evidence covers the model and each refinement step; the shipped executable inherits it only if the final refinement is implemented faithfully, by qualified code generation or a verified translation, so the implementation step belongs in the same audit trail as the proofs.
Data Sovereignty: CLEARSY, Systerel, and the primary European Event-B tooling vendors are French companies. When you host Event-B CI/CD pipelines, proof artifacts, and audit logs on US cloud providers, those assets are potentially subject to the US CLOUD Act (18 U.S.C. § 2713), regardless of physical server location. sota.io operates entirely within EU jurisdiction: no US parent company, no CLOUD Act exposure.
| Provider | Jurisdiction | GDPR Art. 44 | CLOUD Act Risk |
|---|---|---|---|
| sota.io | Germany / EU | Compliant | None |
| Vercel | USA (Delaware) | SCCs only | Yes |
| Railway | USA (Delaware) | SCCs only | Yes |
| AWS Frankfurt | USA (Delaware parent) | SCCs only | Yes |
Who Is Deploying Event-B Tooling to the Cloud?
Primary use cases for cloud-hosted Event-B infrastructure in 2026:
CI/CD Proof Checking: Automated Rodin proof verification on every commit. A developer modifies an Event-B machine; the CI pipeline runs ProB to check for counterexamples and Rodin's provers to discharge proof obligations before merge.
Collaborative Formal Specification: Teams in Paris, Munich, and Brussels working on shared Event-B models. A central EU-hosted Rodin server with version control integration.
Audit Trail and Compliance Artefacts: EN 50128 and DO-178C require documentation of verification activities. Cloud-hosted proof artifact storage with immutable audit logs for certification filings.
Education: Universities including ETH Zurich 🇨🇭, TU Munich 🇩🇪, Université Paris-Saclay 🇫🇷, and KU Leuven 🇧🇪 teach Event-B. Cloud instances for student access without local installation.
Why sota.io for Formal Methods Tooling
EU-native from day one. Server in Frankfurt. Incorporated in Germany. No data ever leaves EU jurisdiction.
Managed PostgreSQL. Proof audit logs, model version history, and certification artifact storage, all in a managed, GDPR-compliant database with automated backups.
No DevOps overhead. The formal methods engineers on your team are not DevOps engineers. sota.io handles infrastructure so the proof engineers can focus on proofs.
Flat-rate pricing. Safety-critical software projects run on tight budgets and fixed contracts. No surprise egress charges. No usage-based billing that spikes during intensive proof runs.
Start with a free tier deployment; no credit card required. Your first Event-B CI service can be live in under five minutes.
See Also
- Deploy B-Method to Europe: Jean-Raymond Abrial 🇫🇷 (1989), Paris Metro Line 14 METEOR 1998, Atelier B (ClearSy 🇫🇷), ProB (Düsseldorf 🇩🇪)
- Deploy VDM-SL to Europe: IBM Vienna Scientific Center 🇦🇹 (1970s), ISO/IEC 13817-1 formal specification, Overture Tool
- Deploy SPARK Ada to Europe: AdaCore Paris 🇫🇷 (1988), GNATprove formal verification, Airbus A350/EUROCONTROL
- Deploy Isabelle to Europe: Lawrence Paulson 🇬🇧 (Cambridge, 1988), seL4 formally verified OS kernel
- Deploy TLA+ to Europe: Leslie Lamport 🇺🇸 (DEC SRC, 1994), temporal logic for distributed systems; TLA+ and Event-B are both used in EU railway and distributed system verification, TLA+ for protocol properties and Event-B for refinement-based safety proofs
Jean-Raymond Abrial 🇫🇷 (born 1938) developed the B-Method in the 1980s–90s and Event-B during his period at ETH Zurich in the early 2000s. The RODIN project (EU FP6, 2004–2007) built the open-source Rodin Platform. Abrial's book "Modeling in Event-B" (Cambridge University Press, 2010) remains the definitive reference. The industrial record of B-Method and Event-B in European railway safety (Paris Line 14, Brussels Metro, Swiss Federal Railways, Copenhagen Metro) is unmatched by any other formal method in production deployment.
sota.io is an EU-native PaaS running on German infrastructure. Deploy Event-B Rodin environments, ProB model checkers, and proof CI pipelines to Frankfurt in minutes, with managed PostgreSQL for proof obligation databases, GDPR-compliant storage for certification evidence, and zero DevOps overhead.