Deploy KeYmaera X to Europe — André Platzer 🇩🇪 (TU Munich) + Philipp Rümmer 🇩🇪 (Uppsala 🇸🇪), the Hybrid Systems Theorem Prover Behind ETCS Railway and Autonomous Vehicle Verification, on EU Infrastructure in 2026

In 2009, before a single EU high-speed train had been formally verified, a team at Carnegie Mellon University published a machine-checked proof of the European Train Control System (ETCS) Level 3 safety protocol. The tool was KeYmaera, the predecessor of KeYmaera X. The proof showed that no two trains following the ETCS movement authority protocol could ever occupy the same track segment simultaneously — a safety property that, if violated, causes fatal collisions. The logic used was Differential Dynamic Logic (dL), invented by André Platzer — a German computer scientist whose most celebrated work on cyber-physical systems formally verification now continues from TU Munich 🇩🇪.

KeYmaera X — the successor to KeYmaera — has since verified Adaptive Cruise Control (ACC) systems, the ACAS X airborne collision avoidance system used on commercial aircraft, ground collision avoidance for fighter jets, and lane-change maneuvers for autonomous vehicles. Every formally verified safety property in these systems rests on Platzer's differential dynamic logic: a first-order modal logic where the programs being reasoned about include ordinary differential equations describing continuous physical evolution, interleaved with discrete control decisions. This is the logic of hybrid systems — the class of systems that include every meaningful safety-critical cyber-physical device.

André Platzer and the European Roots of KeYmaera X

André Platzer 🇩🇪 is German — born and educated in Germany (Universität Karlsruhe, now KIT 🇩🇪, where he received his PhD in 2008 under Ernst-Rüdiger Olderog). After eleven years at Carnegie Mellon University building the world-leading CPS (Cyber-Physical Systems) verification group, Platzer returned to Germany in 2021 as an Alexander von Humboldt Professor at TU Munich 🇩🇪 — the most prestigious and most generously funded research professorship in Germany (€5 million endowment). In 2020, he received the Leibniz Prize — the highest science award in Germany, granted by the German Research Foundation (DFG), with €2.5 million in research funding. KeYmaera X is now a German-anchored project.

Philipp Rümmer 🇩🇪 is a German computer scientist who completed his PhD at Chalmers University 🇸🇪 and is now Professor of Formal Methods at Uppsala University 🇸🇪 (Sweden). Rümmer is a co-author of the original KeYmaera X paper (CAV 2015) and the creator of Princess — a complete theorem prover for integer arithmetic that serves as one of KeYmaera X's backend reasoners. His work bridges SMT solving and full first-order logic, providing the arithmetic completeness that KeYmaera X needs to discharge proof obligations over real-valued hybrid system state.

Stefan Mitsch 🇦🇹 is Austrian — a key developer of KeYmaera X from the CMU CPS group, now at ETH Zurich 🇨🇭. Mitsch extended KeYmaera X with advanced features for robustness analysis (what happens when sensor readings contain noise?), sandbox verification (safe envelopes for neural network controllers), and model predictive safety certification. His runtime monitoring work with ModelPlex enables KeYmaera X-proved safety properties to be enforced at runtime in deployed systems.

Jan-David Quesel 🇩🇪 is German, was a PhD student at the University of Oldenburg 🇩🇪, and worked extensively on KeYmaera's decision procedures and its first implementation. His work connected dL's proof calculus to quantifier elimination procedures for real closed fields — the mathematical foundation for KeYmaera X's completeness result.

The institutional anchors: TU Munich (Platzer, EU's top technical university), Uppsala University (Rümmer, one of Scandinavia's oldest universities, founded 1477), ETH Zurich (Mitsch). No US corporate dependency. No US Cloud Act exposure.

Differential Dynamic Logic: Reasoning About Physical World Evolution

Hybrid Programs — The Syntax of Cyber-Physical Systems

KeYmaera X reasons about hybrid programs — a programming language that combines discrete computation with continuous physical dynamics:

α, β ::=
  x := e          // discrete assignment
  x := *          // nondeterministic assignment (any value)
  ?φ              // test: proceed only if φ holds
  x' = f(x) & φ  // continuous evolution: ODE x' = f(x) while domain φ holds
  α; β            // sequential composition
  α ∪ β           // nondeterministic choice
  α*              // nondeterministic repetition (loop)

A hybrid program interleaves these constructs. An adaptive cruise control system, for example, cycles between:

1. Sensing: reading current velocity and gap from sensors (discrete)
2. Decision: choosing acceleration based on control law (discrete, nondeterministic choice of safe value)
3. Actuation: applying acceleration while physics evolves (v' = a, x' = v, t' = 1 & t ≤ ε) until the next sensing cycle

This models both the controller's discrete decisions and the vehicle's continuous physical evolution under Newton's second law.

Differential Dynamic Logic (dL) — The Proof Language

Differential Dynamic Logic (dL) is a first-order modal logic where modal operators [α] and ⟨α⟩ quantify over hybrid program executions:

• [α]φ: after all executions of hybrid program α from the current state, φ holds. This is the safety modality — it says α is safe with respect to property φ.
• ⟨α⟩φ: there exists an execution of hybrid program α from the current state in which φ holds. This is the liveness modality.

A typical KeYmaera X safety theorem for an adaptive cruise control system:

v ≥ 0 ∧ A > 0 ∧ B > 0 ∧ x_f > x_r + v²/(2·B)
  →
[{
  ?x_f > x_r + v²/(2·B) + (A/B + 1)·(A/2·t² + v·t);  // safety check
  a := *; ?-B ≤ a ∧ a ≤ A;                             // nondeterministic acceleration choice
  {x_r' = v, v' = a & v ≥ 0}                           // continuous evolution
}*]
(x_r < x_f)   // collision freedom: rear vehicle never reaches front vehicle

This formula states: if the initial gap is sufficient, then for any (nondeterministic) control choice satisfying the safety constraint, after any amount of time under the physical ODE x_r' = v, v' = a, the rear vehicle never reaches the front vehicle. This holds regardless of which legal acceleration the controller chooses — the proof covers all behaviors simultaneously.

The Proof Calculus: Differential Invariants

The key challenge in hybrid systems verification is reasoning about ODEs without solving them. Closed-form solutions exist only for a small class of ODEs; most physically meaningful dynamics (nonlinear friction, aerodynamics, biochemistry) have no closed-form solution.

KeYmaera X addresses this through differential invariants — invariant properties that hold throughout ODE evolution, proved without solving the ODE:

Differential Invariant Rule: If p(x) ≥ 0 initially, and the Lie derivative ṗ(x) = ∇p(x) · f(x) ≥ 0 along the ODE x' = f(x), then p(x) ≥ 0 holds throughout ODE evolution.

The Lie derivative ṗ replaces the time derivative of p along trajectories: ṗ(x) = Σᵢ (∂p/∂xᵢ) · fᵢ(x). Computing this requires only symbolic differentiation — no integration, no solving.

Example: For the ODE v' = a with constant a = -B (braking), prove v ≥ 0:

p(v) = v
ṗ(v) = v' = a = -B

This is ≥ 0 only when B ≤ 0 — so v ≥ 0 is NOT a differential invariant under braking. The actual invariant for safe stopping distance requires reasoning about the full state (x, v) together — which KeYmaera X's proof calculus handles through differential ghost variables and barrier certificates.

Differential Ghosts: Introduce an auxiliary ODE variable y with dynamics chosen to create an invariant. For v' = -b·v (exponential decay), introduce ghost y' = b/2 · y with y(0) = 1 — then v·y² = v(0) is conserved (differential invariant), letting KeYmaera X prove v ≥ 0 throughout.

Uniform Substitution — Completeness Relative to Real Arithmetic

Platzer proved (LICS 2012, JAR 2017) that KeYmaera X's proof calculus is sound and complete relative to real arithmetic: every dL formula that is true can be proved using the calculus, given an oracle for real arithmetic (Tarski's theorem: the first-order theory of real closed fields is decidable — and Mathematica implements this via cylindrical algebraic decomposition).

The key innovation enabling this completeness result is uniform substitution: a single meta-rule that allows instantiation of axiom schemas, replacing the hundreds of schematic inference rules in older proof calculi. KeYmaera X's entire logical core consists of ~30 axioms and 7 proof rules, yet is expressive enough to verify all computable hybrid system properties.

This means KeYmaera X proofs are:

1. Machine-checkable: every proof step is a uniform substitution or one of 7 structural rules — no trusted tactic infrastructure
2. Modular: proved lemmas can be soundly reused via uniform substitution instantiation
3. Foundationally minimal: the trusted computing base is the ~30 axioms, not hundreds of tactic implementations

Landmark Verifications

European Train Control System (ETCS) Level 3

The European Train Control System (ETCS) is the EU railway signalling standard mandated across all high-speed lines in the EU (EN 50128, EN 50129). Its movement authority protocol determines when trains may enter track segments: a train holds a movement authority for a segment; the radio block centre (RBC) grants authorities only when the segment is free.

Platzer and Clarke (HSCC 2009) formally verified the ETCS Level 3 movement authority protocol in KeYmaera:

v ≥ 0 ∧ m0 > d ∧ d ≥ 0 ∧ v² ≤ 2·b·(m0 - d) →
[ETCS_protocol*] (d > 0 ∨ v = 0)

Where d is distance to the movement authority boundary, m0 is the granted authority end, b is braking deceleration, and v is velocity. The formula states: if the initial state is safe (velocity consistent with stopping before the authority boundary), then after any execution of the ETCS protocol (train movement + movement authority grants/revocations), either the train is not at the boundary (d > 0) or it has stopped (v = 0). No collision.

This is the first machine-checked proof of a EU-wide railway safety protocol. The European Railway Traffic Management System (ERTMS) — deployed on 30,000+ km of EU rail network — is built on ETCS. Deutsche Bahn 🇩🇪, SNCF 🇫🇷, RFI 🇮🇹, Network Rail 🇬🇧, Infrabel 🇧🇪, ProRail 🇳🇱: all operate trains whose safety protocol has been formally verified by a tool that is now EU-anchored at TU Munich.

ACAS X — Airborne Collision Avoidance

ACAS X (Airborne Collision Avoidance System X) is the FAA/Eurocontrol standard for aircraft collision avoidance, replacing the older TCAS II. It uses a Markov Decision Process to compute optimal advisories. For safety certification, the continuous dynamics of aircraft encounter geometry must be formally verified.

Jeannin, Ghorbal, Kouskoulas, Platzer et al. (FM 2015) verified the safety of an idealized ACAS X collision avoidance maneuver in KeYmaera X:

The verified property: if two aircraft following ACAS X advisories begin a vertical separation maneuver, they will never violate the minimum separation standard (500 feet vertical separation) — regardless of initial conditions, air speeds, or pilot response delays within specified bounds.

This is a DO-178C Level A safety argument: the highest criticality level for aviation software, corresponding to software whose failure would cause a catastrophic accident. KeYmaera X's machine-checked proof provides mathematical evidence at the standard required for certification of safety-critical avionics.

Airbus 🇫🇷 and Thales 🇫🇷 supply avionics components for European commercial aircraft. Formal verification of collision avoidance systems using European tooling — KeYmaera X, now at TU Munich — provides DO-178C evidence that remains under EU sovereignty.

Adaptive Cruise Control and Autonomous Lane Changes

Platzer and Clarke (CAV 2007) verified a full Adaptive Cruise Control (ACC) system — bidirectional: both the leading and following vehicle can brake, accelerate, or cruise, with sensor delay modeled as nondeterminism. The machine-checked proof covers all possible execution paths (all possible driving scenarios within the physical model).

Mitsch, Ghorbal, and Platzer (IJRR 2013) extended this to autonomous lane changes — formally verifying that a lane change maneuver that satisfies the proved conditions cannot cause a collision, even when surrounding vehicles behave nondeterministically within physical bounds.

These verifications directly apply to EU autonomous vehicle frameworks:

• ISO 26262 ASIL D (automotive functional safety): KeYmaera X proofs provide formal evidence for hazard analysis and risk assessment of autonomous driving functions
• UNECE WP.29 / ALKS Regulation (EU) 2021/646: Automated Lane Keeping Systems on EU roads require formal safety arguments for the automation logic
• EU AI Act Art. 9: High-risk AI systems (autonomous vehicles classified as high-risk under Annex III) must implement risk management systems; KeYmaera X formal verification constitutes machine-checked risk evidence

Regulatory Compliance and EU Standards

EU AI Act Art. 9 — Risk Management for High-Risk AI: Autonomous vehicle systems are classified as high-risk AI systems under EU AI Act Annex III (safety components in road transport). Art. 9 requires "a risk management system throughout the lifecycle." KeYmaera X formal verification of the vehicle's control logic — proving that the continuous dynamics + control decisions satisfy collision-freedom for all possible road conditions within the physical model — provides machine-checked evidence for Art. 9 risk management documentation.

ISO 26262 ASIL D — Automotive Functional Safety: Autonomous driving functions targeting ASIL D (Automotive Safety Integrity Level D, highest criticality: probability of failure < 10⁻⁸/hour) require formal verification methods. KeYmaera X dL proofs cover continuous-time dynamics — the gap that purely discrete formal methods (model checking, SMT) cannot address for ASIL D of hybrid systems.

EN 50128 SIL4 — Railway Application Software: The European railway software standard EN 50128 requires formal specification and verification for Safety Integrity Level 4 (highest: probability of failure < 10⁻⁹/hour). KeYmaera X's ETCS verification directly supports EN 50128 SIL4 arguments for ERTMS-compliant signalling systems deployed across EU member states.

DO-178C Level A — Aviation Software: The international aviation software certification standard (DO-178C, equivalent to EUROCAE ED-12C) requires complete coverage of requirements by formal verification for Level A (catastrophic failure consequence). KeYmaera X provides the formal evidence layer for continuous-time safety properties — the layer that manual reviews and testing cannot provide.

EU CRA 2027 (Cyber Resilience Act): Connected autonomous vehicles (V2X communication, OTA updates) fall under CRA as products with digital elements. CRA Art. 13 requires vulnerability-free design. For autonomous driving software that includes ML components (neural network controllers sandboxed with KeYmaera X verified safety envelopes via ModelPlex), CRA compliance requires demonstrable safety bounds on the controller's behavior — provable with KeYmaera X.

GDPR Art. 25 (Data Protection by Design): Autonomous vehicle systems processing location data must implement privacy by design. When KeYmaera X is used to verify the controller logic of connected vehicles (processing location, speed, sensor data), the verification infrastructure itself processes formal models of vehicle behavior. Running verification infrastructure on EU-sovereign servers under German law keeps formal models of EU infrastructure behavior under EU jurisdiction.

Why EU Infrastructure for KeYmaera X Verification

KeYmaera X verification of a hybrid system processes:

• Formal system model: the mathematical description of the system's physical dynamics and control logic
• Safety properties: the dL formulas expressing what must never happen
• Proof scripts: the tactical proof programs that guide the proof search
• Counterexamples: when verification fails, KeYmaera X generates concrete failure scenarios (initial conditions that lead to property violation)

For EU automotive, railway, and aviation organisations, these models describe safety-critical EU infrastructure:

GDPR Art. 46 and Schrems II: Formal models of autonomous vehicle control systems (which may contain proprietary control algorithms under trade secret law) transferred to US cloud providers are accessible under the US Cloud Act. Verification on EU-sovereign infrastructure eliminates Cloud Act exposure.

NIS2 Art. 21 — Supply Chain Security: Automotive OEM and Tier-1 suppliers under NIS2 (Bosch 🇩🇪, Continental 🇩🇪, ZF 🇩🇪, Valeo 🇫🇷, Faurecia 🇫🇷, Mobileye 🇮🇱) using formal verification tools as part of their ISO 26262 toolchain must manage the security of the verification infrastructure itself. EU-sovereign verification infrastructure eliminates extraterritorial access risk.

EU Defence and Railway: ETCS/ERTMS formal models describe EU railway safety infrastructure — systems under the NIS2 Critical Infrastructure directive. Verification infrastructure for these models must remain under EU sovereignty.

sota.io provides EU-sovereign PaaS — German infrastructure, GDPR-compliant by default, managed PostgreSQL for storing proof artefacts and verification results, and automated deployments.

# Deploy KeYmaera X on sota.io
sota deploy --name keymaera-verifier --region eu-central

# Dockerfile for KeYmaera X (Scala + JVM + optional Mathematica backend)
FROM eclipse-temurin:17-jdk

# Install KeYmaera X
RUN apt-get update && apt-get install -y wget && \
    wget https://github.com/LS-Lab/KeYmaera-release/releases/latest/download/keymaerax.jar \
    -O /usr/local/lib/keymaerax.jar

# Install Z3 as arithmetic backend (free, incomplete — use Mathematica for full completeness)
RUN apt-get install -y z3

WORKDIR /workspace
COPY models/ .

# Verify a hybrid system model
CMD ["java", "-jar", "/usr/local/lib/keymaerax.jar", \
     "-tool", "z3", \
     "-prove", "etcs_safety.kyx", \
     "-out", "etcs_proof.kyp"]

/* KeYmaera X model: Adaptive Cruise Control safety */
ProgramVariables
  Real x_r, x_f;   /* rear/front vehicle positions */
  Real v;           /* rear vehicle velocity */
  Real a;           /* acceleration */
  Real b;           /* braking deceleration */
  Real t;           /* time */
End.

Problem
  v >= 0 & b > 0 & x_f > x_r + v^2/(2*b) ->
  [{
    ?x_f > x_r + v^2/(2*b);            /* safety check */
    a := *; ?(-b <= a & a <= 0);       /* choose safe deceleration */
    t := 0;
    {x_r' = v, v' = a, t' = 1 & v >= 0 & t <= 1}  /* ODE evolution */
  }*]
  (x_r < x_f)
End.

# Run KeYmaera X web server for interactive proof development
java -jar keymaerax.jar -ui
# Opens browser at localhost:8090 for interactive proof
# Tactic language: master("acc_safe") or step-by-step dI(), loop()

KeYmaera X verification on German infrastructure. ISO 26262 ASIL D, EN 50128 SIL4, DO-178C Level A, EU AI Act Art. 9, CRA 2027. sota.io free tier — no credit card.

See Also

• Deploy KeY to Europe → — Java program verifier, TU Darmstadt 🇩🇪 + KIT 🇩🇪 + Chalmers 🇸🇪, JML specification, GDPR Art. 25 privacy by design
• Deploy UPPAAL to Europe → — timed automata model checker, Aalborg 🇩🇰 + Uppsala 🇸🇪, real-time safety, EN 50128 SIL3
• Deploy Storm to Europe → — probabilistic model checker, RWTH Aachen 🇩🇪 + University of Twente 🇳🇱, MDP verification, EU AI Act Art. 9
• Deploy Tamarin Prover to Europe → — cryptographic protocol verifier, ETH Zurich 🇨🇭 + CISPA 🇩🇪, TLS 1.3 + 5G AKA formally proved
• Deploy CBMC to Europe → — C/C++ bounded model checker, Daniel Kroening 🇩🇪, AWS s2n-tls, ISO 26262 ASIL D