2026-07-15·10 min read·sota.io team

Deploy HOL Light to Europe — John Harrison 🇬🇧 (Cambridge → Intel), the Minimalist HOL Theorem Prover that Proved IEEE 754 Floating-Point Correct and Formalised the Kepler Conjecture, on EU Infrastructure in 2026

In 1994, Intel shipped a Pentium processor with a bug in its floating-point division unit. The FDIV bug, discovered by Professor Thomas Nicely at Lynchburg College, produced incorrect results for a narrow but reproducible range of inputs — errors in the fifth significant digit of certain divisions. Intel's initial response (the flaw only affected a small number of users) became a public relations catastrophe. The recall cost Intel approximately $475 million. The lesson was unambiguous: in floating-point arithmetic, correctness is not a soft requirement. It is a specification, and specifications can be formally verified.

HOL Light is the system that proved Intel learned this lesson. Created by John Harrison 🇬🇧 at the University of Cambridge in 1996, HOL Light is a minimalist implementation of higher-order logic in OCaml — a language developed by INRIA 🇫🇷 (Institut National de Recherche en Informatique et en Automatique, Paris). Its entire logical kernel is approximately 400 lines of OCaml. Despite this radical simplicity, HOL Light became the formal foundation for one of the largest industrial formal verification efforts in history: the machine-checked proof that Intel's transcendental function implementations conform to the IEEE 754 floating-point standard. It also became the backbone of the Flyspeck project — the 2014 formal proof of the Kepler conjecture, one of the oldest open problems in mathematics, solved by Thomas Hales in 1998 and formally verified over sixteen years of work.

In 2026, HOL Light workloads run in EU universities, EU aerospace safety teams, and EU AI compliance teams verifying numerical computation correctness. Deploying HOL Light on EU servers ensures all proof artefacts — formal verification evidence for DO-178C avionics certification, EU AI Act Article 9 compliance documentation, and sensitive mathematical research — remain under EU jurisdiction, operated by EU entities, without US Cloud Act exposure.

John Harrison and Cambridge

John Harrison 🇬🇧 studied mathematics at Pembroke College, Cambridge, and completed his PhD at the Cambridge Computer Laboratory in 1996. His supervisor was Lawrence Paulson 🇬🇧 — the creator of Isabelle, one of the most widely used interactive theorem provers in Europe (covered in the Isabelle blog post in this series). Harrison's dissertation, Formalising Basic Complex Analysis, demonstrated that HOL could be used to prove serious undergraduate-level mathematics from first principles. The system he built to do this was HOL Light.

Harrison's genealogy in formal methods is impeccable. His supervisor Paulson built Isabelle at Cambridge in the 1980s, working in the tradition of Mike Gordon 🇬🇧 (HOL4, Cambridge Computer Lab) and Robin Milner 🇬🇧 (LCF, Edinburgh — the ancestor of all tactic-based theorem provers, and the creator of SML and CCS). Harrison worked in the same Computer Laboratory that produced HOL, Isabelle, and the ARM ISA formal specification. The Cambridge Computer Lab is the institutional root of European higher-order logic theorem proving.

After his PhD, Harrison joined Intel Research — first at Cambridge, then in Oregon. At Intel, he built the infrastructure for formal verification of floating-point hardware. He is now at Microsoft Research.

HOL Light: Minimalism as a Design Principle

HOL Light's central design decision was radical minimalism. Mike Gordon's original HOL system (HOL88, 1988) and its successor HOL4 are written in SML (Standard ML) and include substantial infrastructure: a large mathematical library, multiple automation tactics, a proof manager, and a complex type-checker. The total trusted base — the code that must be correct for proofs to be trustworthy — is significant.

Harrison asked: how small can the trusted kernel be? The answer, in HOL Light, is approximately 400 lines of OCaml. The kernel defines:

The type of theorems (thm), an abstract OCaml type that can only be constructed by the inference rules
Eight primitive inference rules (reflexivity, transitivity, abstraction, combination, beta-reduction, eta-conversion, deduction antisymmetry, axiom of choice, axiom of infinity)
The definitional mechanisms for new types and constants

Everything else in HOL Light — automation tactics, a library of 7,000+ theorems, the real analysis library, the IEEE 754 proof infrastructure — is built on top of these 400 lines. A mistake anywhere outside the kernel produces a wrong thm value that the kernel rejects. A mistake inside the kernel is the only way to derive a false theorem. The smaller the kernel, the smaller the attack surface for bugs.

OCaml (developed by Xavier Leroy 🇫🇷, Luc Maranget 🇫🇷, and collaborators at INRIA 🇫🇷, Paris, standardised in the 1990s) is HOL Light's implementation language. The choice is significant: OCaml is a European language from a European research institution. The same INRIA team that maintains OCaml also developed CompCert (Xavier Leroy — the only formally verified C compiler, covered in the CompCert blog post), Coq/Rocq (the foundational proof assistant used for CompCert's machine-checked proof), and Why3 (the deductive verification platform). HOL Light's OCaml implementation places it squarely in the European formal methods software stack.

HOL Light's logic is classical higher-order logic — Church's Simple Theory of Types (1940). This is the same underlying logic as HOL4 and Isabelle/HOL. The difference is not in the logic but in the implementation: HOL Light is the most compact implementation of this logic in existence, and consequently has the smallest trusted base of any production higher-order logic system.

IEEE 754: Proving Intel's Floating-Point Correct

The defining industrial application of HOL Light is the formal verification of Intel's floating-point transcendental functions.

Modern processors implement floating-point arithmetic according to the IEEE 754 standard (1985, revised 2008). The standard specifies how floating-point numbers are represented, how basic operations (+, -, ×, ÷, √) must be computed (correctly rounded), and how special values (±∞, NaN) must be handled. The four basic operations and square root are straightforward to verify: they are computed in hardware with well-understood algorithms. The transcendental functions — sine, cosine, exponential, arctangent, logarithm — are different. They are transcendental in the mathematical sense: they cannot be expressed as finite algebraic expressions. Hardware implementations approximate them using polynomial minimax approximations, and verifying that a given polynomial approximation, computed in finite-precision floating-point, produces a result within the correct rounding error bound is a non-trivial mathematical problem.

After the FDIV disaster, Intel invested in formal verification of its floating-point unit. Harrison, working at Intel Research, built the HOL Light floating-point verification library — a formal development in HOL Light that:

Formalises IEEE 754 arithmetic. Real numbers, floating-point numbers, rounding modes, and the IEEE 754 specification are all defined in HOL4 as HOL Light types and formally specified.
Formalises real analysis. The mathematical properties of sin, cos, exp, atan, ln — continuity, differentiability, Taylor series expansions, error bounds — are all proved from first principles in HOL Light.
Verifies the hardware algorithms. For each transcendental function, the specific polynomial approximation algorithm used in the Intel processor is described in HOL Light and proved to produce correctly rounded results for all floating-point inputs in the specified domain.

The result: machine-checked proofs that Intel's transcendental function implementations conform to the IEEE 754 standard, for the IA-64 (Itanium) and later x86 architectures. The proof covers all ~2^64 double-precision inputs in the specified domains. No testing could achieve this coverage; only formal verification can.

Harrison described this work in his 2003 paper Formal Verification of IA-64 Divide and Square Root Algorithms (Intel Labs) and in a series of subsequent publications. The proofs are available as part of the HOL Light distribution.

Why this matters for EU systems in 2026:

Every EU safety-critical system that uses floating-point arithmetic — Airbus 🇫🇷 flight control computers, Siemens 🇩🇪 power grid controllers, Thales 🇫🇷 rail signalling systems, medical imaging systems under IEC 62304 — runs on processors whose transcendental functions were formally verified using techniques pioneered by Harrison in HOL Light. Under DO-178C Level A and DO-178C + DO-333 (the formal methods supplement), software that relies on floating-point transcendental functions must have assurance evidence for those functions. The HOL Light IEEE 754 proofs provide that evidence at the highest possible level.

Flyspeck: The Kepler Conjecture

The Flyspeck project is the largest mathematical formalisation in history and one of the most significant demonstrations of what theorem provers can achieve for pure mathematics.

Thomas Hales 🇺🇸 (Carnegie Mellon, later University of Pittsburgh) proved the Kepler conjecture in 1998 after a decade of work. The Kepler conjecture states that the densest possible packing of equal spheres in three-dimensional space is the face-centred cubic (cannonball) arrangement, achieving a density of π/(3√2) ≈ 74.05%. Johannes Kepler conjectured this in 1611. Hales' 1998 proof, submitted to the Annals of Mathematics, was 300 pages of mathematics plus 40,000 lines of C++ code and gigabytes of numerical data. The proof used interval arithmetic and linear programming to verify thousands of cases computationally.

The Annals of Mathematics referees, after reviewing the proof for four years, were 99% confident it was correct but could not guarantee the remaining 1% — the computational components were too large to verify manually. The journal published the proof with a caveat, unprecedented in mathematical history.

Hales resolved this by formalising the proof in a machine-checkable form. The Flyspeck project (2003–2014) formalised Hales' proof in HOL Light (the non-linear analysis components) and Isabelle/HOL (the linear programming components). The collaboration was international: Hales, Harrison (HOL Light architecture), Tobias Nipkow 🇩🇪 (TU Munich, Isabelle), Makarius Wenzel 🇩🇪 (Isabelle/Isar developer), and several other contributors.

In August 2014, the Flyspeck team announced the proof was complete. The HOL Light + Isabelle verification checked:

The 5,000+ mathematical lemmas used in the proof, formalised as HOL Light and Isabelle theorems
The linear programming certificates, verified in Isabelle
The interval arithmetic bounds, verified in HOL Light
The structural argument connecting the computational and mathematical components

The resulting formal proof is distributed across approximately 500,000 lines of HOL Light and Isabelle proof scripts. The Kepler conjecture, open for 400 years, is now formally proved.

For EU mathematics research, Flyspeck demonstrated that industrial-strength machine-checked proofs of frontier mathematics are achievable with European tools (HOL Light, Isabelle — both with deep Cambridge/Munich EU roots), over reasonable timescales, using standard computational infrastructure.

HOL Light in the EU Formal Methods Ecosystem

HOL Light occupies a specific role in the EU formal methods landscape — distinct from HOL4, Isabelle, and Coq:

HOL Light vs. HOL4. Both are higher-order logic systems descended from Mike Gordon's HOL88. HOL Light is more compact (400 lines OCaml kernel vs. HOL4's much larger SML kernel), uses OCaml instead of SML, and is typically chosen when the smallest possible trusted base is a requirement. HOL4 has a larger standard library and the decompilation-into-logic infrastructure (Magnus Myreen 🇸🇪, Chalmers) critical for binary verification. For floating-point verification specifically, HOL Light has the more mature library.

HOL Light vs. Isabelle/HOL. Isabelle (Paulson/Nipkow) has more powerful automation (Sledgehammer), a structured proof language (Isar), and the largest library of formally verified mathematics in the world (Archive of Formal Proofs, 800+ entries). HOL Light is smaller, more transparent, and has a smaller trusted base. Harrison (HOL Light creator) is a direct intellectual descendant of Paulson (Isabelle creator) — PhD supervisor to student. Flyspeck used both tools together.

HOL Light and OCaml. Because HOL Light is implemented in OCaml — INRIA's language, deeply embedded in the French/European formal methods stack — HOL Light proofs integrate naturally with OCaml-based tools: Why3 (INRIA 🇫🇷, deductive verification), Alt-Ergo (INRIA 🇫🇷, SMT solver), Frama-C (CEA LIST 🇫🇷 + INRIA 🇫🇷, C program analysis), and CompCert (Xavier Leroy, INRIA 🇫🇷). The EU verified-software toolchain has OCaml as a common substrate.

EU institutions using HOL Light:

Cambridge Computer Laboratory 🇬🇧 (Harrison's home institution, still active in HOL Light development)
TU Munich 🇩🇪 (Flyspeck Isabelle side, Nipkow's group)
INRIA 🇫🇷 (OCaml ecosystem integration)
Imperial College London 🇬🇧 (formal methods group, Lawrence Paulson's extended community)
Various EU aerospace contractors using the IEEE 754 library for DO-178C evidence

EU Regulatory Context

EU AI Act Article 9 (Risk Management). High-risk AI systems under Annex III — including medical AI devices, safety-critical control systems, and biometric identification systems — must implement systematic risk management with rigorous verification. Many AI systems perform floating-point arithmetic in inference: matrix multiplications, activation functions (sigmoid, softmax, ReLU), and numerical optimisers. HOL Light's IEEE 754 library provides formal evidence that the floating-point operations underlying AI inference are computationally correct. For AI systems where numerical error accumulation is a safety concern (e.g., AI-assisted dosimetry in radiotherapy, AI flight envelope protection), formal floating-point correctness is a requirement.

IEC 61508 SIL 3/4 (Functional Safety). Safety-critical systems under IEC 61508 at SIL 3 and SIL 4 must justify their use of floating-point arithmetic, particularly for transcendental functions. IEC 61508-3 Annex B.6 explicitly identifies formal proof as the highest-integrity technique for software unit design and implementation. HOL Light proofs of IEEE 754 conformance for the specific processor transcendental functions used in the system constitute formal evidence at Annex B.6 level.

DO-178C + DO-333 (Avionics). Formal methods in DO-178C are governed by DO-333, the formal methods supplement. DO-333 Table A-7 (Formal Proof of Code Properties) specifies what is required to use a formal proof as a substitute for structural coverage analysis (MC/DC). For Airbus 🇫🇷, Thales 🇫🇷, Safran 🇫🇷, and Leonardo 🇮🇹 avionics teams, HOL Light proofs of floating-point correctness provide DO-333 compliant assurance evidence for the transcendental functions used in navigation, flight control, and autopilot software.

Cyber Resilience Act (CRA) 2027. Products with digital elements must demonstrate absence of known exploitable vulnerabilities. Floating-point implementation bugs (like the FDIV bug, or the more recent AMD Zen4 floating-point errata) are product vulnerabilities. HOL Light proofs of IEEE 754 conformance constitute formal evidence that a specific floating-point implementation does not contain correctness errors — relevant for CRA compliance of processors and embedded systems sold in the EU market.

EN 50128 SIL 4 (Railway). The European railway signalling standard requires the highest level of formal justification for SIL 4 software. Signalling algorithms using floating-point arithmetic (e.g., speed profile computation, distance calculations) require formal evidence of numerical correctness. HOL Light provides this for Siemens 🇩🇪 (Mobility), Alstom 🇫🇷, and Thales 🇫🇷 rail teams.

Deploying HOL Light on sota.io

sota.io is an EU-native Platform-as-a-Service, operating under EU jurisdiction with full GDPR compliance and no US Cloud Act exposure. For HOL Light workloads, this means:

Proof artefacts under EU jurisdiction. Formal proofs of safety-critical properties — floating-point correctness evidence, DO-178C formal proof packages, EU AI Act Article 9 assurance cases — are stored on EU servers, operated by an EU entity, with no access by US cloud providers under the Cloud Act or FISA.
Managed PostgreSQL. Store proof databases, theorem libraries, and verification results in a managed, GDPR-compliant PostgreSQL instance.
Zero DevOps. Deploy HOL Light verification jobs without managing container orchestration, base images, or server administration. sota.io handles infrastructure; your team handles proofs.

Dockerfile for HOL Light

FROM ocaml/opam:ubuntu-22.04-ocaml-4.14

RUN opam install zarith camlp5 && \
    eval $(opam env) && \
    git clone https://github.com/jrh13/hol-light.git /hol-light

WORKDIR /hol-light

# Build HOL Light
RUN eval $(opam env) && make

EXPOSE 8080

# Start HOL Light with a verification script
CMD ["sh", "-c", "eval $(opam env) && echo '#use \"hol.ml\";;' | ocaml"]

sota.io deploy

# Deploy HOL Light verification infrastructure to EU servers
sota deploy \
  --name hol-light-verifier \
  --region eu-west \
  --port 8080 \
  --build dockerfile

Running a HOL Light session

(* Load HOL Light *)
#use "hol.ml";;

(* Example: prove that sqrt 2 is irrational *)
let sqrt2_irrational = prove(
  `~(rational (sqrt(&2)))`,
  REWRITE_TAC[rational; REAL_SQRT_EQ_RNEG] THEN
  (* ... proof continues ... *)
  );;

(* IEEE 754: load the floating-point library *)
needs "Multivariate/realanalysis.ml";;
needs "IEEE/ieee.ml";;

Free tier available. HOL Light verification jobs under 512MB RAM run within sota.io's free tier — suitable for academic research, proof-of-concept verification, and lightweight formal methods teaching. Production-grade parallel verification (multiple HOL Light processes checking large theorem libraries) runs on paid tiers with dedicated EU infrastructure.