2026-04-02·9 min read·sota.io team

Deploy mCRL2 to Europe — Jan Friso Groote 🇳🇱 (TU/e Eindhoven 2001), the Process Algebra Toolset That Succeeded LOTOS on EU Infrastructure in 2026

When the ISO 8807 LOTOS standard was published in 1989, it gave European telecommunications engineers a rigorous language for specifying the behaviour of concurrent distributed systems — the protocols that would underpin ISDN, X.400 mail, and the OSI protocol stack. But formal specification is only valuable if accompanied by effective tools. The CADP toolbox (Hubert Garavel 🇫🇷, INRIA Grenoble) became the primary industrial-strength tool for LOTOS, but the academic community continued to seek a cleaner, more expressive successor that would address LOTOS's limitations in data specification and bring modern tool support for model checking.

The result was mCRL2 — the micro Common Representation Language 2, developed at Technische Universiteit Eindhoven (TU/e) 🇳🇱 in Eindhoven, the Netherlands, under Jan Friso Groote 🇳🇱 and his colleagues. Released in 2001, mCRL2 is today the primary open-source process algebra toolset for formal verification of concurrent and distributed systems in Europe and worldwide. It is the direct intellectual descendant of LOTOS, refined through twenty years of experience with the limitations of both LOTOS and its intermediate predecessor µCRL.

TU/e Eindhoven and the Dutch Formal Methods Tradition

The Netherlands has a disproportionate concentration of formal methods research relative to its size. This concentration is not accidental: it traces to the presence of CWI — the Centrum Wiskunde & Informatica (Centre for Mathematics and Computer Science) in Amsterdam, and to a cluster of strong Dutch universities with research strengths in concurrency theory and programming languages.

CWI Amsterdam 🇳🇱 is arguably the most productive single institution in the history of European computer science. CWI produced or incubated: ALGOL 60 (Adriaan van Wijngaarden 🇳🇱, GAMM/ACM joint effort); ABC (Lambert Meertens 🇳🇱 + Leo Geurts 🇳🇱, Python's direct ancestor); Sather contributions via Clemens Szyperski 🇩🇪; ACP (Algebra of Communicating Processes, Jan Bergstra 🇳🇱 + Jan Willem Klop 🇳🇱, 1984 — the algebraic foundation for mCRL2); µCRL (Jan Friso Groote 🇳🇱 + Alban Ponse 🇳🇱, 1994 — mCRL2's immediate predecessor). The lineage is explicit: ACP → µCRL → mCRL2.

Jan Friso Groote 🇳🇱 began his formal methods career at CWI Amsterdam, where he developed µCRL in the early 1990s. He moved to TU/e Eindhoven, where he became a professor and created mCRL2 in collaboration with Jos Baeten 🇳🇱 (also TU/e, a leading ACP researcher), Jan Peleska 🇩🇪, and a team of Dutch and international researchers. The mCRL2 toolset was initially developed as part of the CAESAR project (in coordination with the CADP group at INRIA Grenoble) and has been maintained and extended at TU/e continuously since 2001.

TU/e Eindhoven is also notable as the home institution of Edsger Dijkstra 🇳🇱 (Turing Award 1972), who held a chair there from 1962 to 1984, and of E.J. Brouwer's mathematical intuitionism tradition — a philosophical stance that influenced the constructive approach to formal verification. The university is embedded in Eindhoven's high-tech industrial cluster, anchored by ASML 🇳🇱 (the world's only supplier of extreme ultraviolet lithography machines, essential for semiconductor manufacturing) and the heritage of Philips 🇳🇱 (NatLab, Philips Research Laboratories, where the first transistor radios and CDs were developed, and where formal methods for VLSI design were pioneered).

From ACP to µCRL to mCRL2: A Twenty-Year Refinement

To understand mCRL2, it is necessary to trace the lineage from ACP.

ACP — Algebra of Communicating Processes (Jan Bergstra 🇳🇱 + Jan Willem Klop 🇳🇱, CWI Amsterdam, 1984): ACP provided an algebraic framework for reasoning about communicating processes. Processes are modelled as terms in an algebra with operators for sequential composition (·), choice (+), parallel composition (‖), communication synchronisation, and abstraction (hiding internal actions). ACP's key contribution over CCS (Robin Milner, Edinburgh) and CSP (Tony Hoare, Oxford) was its emphasis on the equational theory of processes — proving process equivalence by algebraic rewriting rather than by bisimulation checking alone.

µCRL — micro Common Representation Language (Jan Friso Groote 🇳🇱 + Alban Ponse 🇳🇱, CWI Amsterdam, 1994): µCRL extended ACP with a data specification mechanism based on Abstract Data Types (similar to the ADT component of Full LOTOS), allowing processes to be parameterised over data values and data structures. This was the missing piece that made LOTOS difficult to use in practice: LOTOS's Full profile had a powerful but awkward ADT mechanism (ACT ONE), and many practitioners used Basic LOTOS (without data) and added data handling informally. µCRL integrated data and process specification cleanly.

mCRL2 (Jan Friso Groote 🇳🇱 et al., TU/e Eindhoven, 2001): mCRL2 built on µCRL with a significantly redesigned data language (based on typed lambda calculus rather than first-order term rewriting), improved tool support, and a complete redesign of the toolset architecture. The core mCRL2 specification language includes:

Process algebra: Sequential composition, choice, parallel composition, communication, abstraction — derived from ACP
Data language: Rich type system with lists, sets, bags, functions, and user-defined sorts — based on typed lambda calculus
Modal µ-calculus: The property specification language for model checking — verifying LTL, CTL, and more expressive temporal logic properties
LPS (Linear Process Specification): An intermediate normalised form to which all mCRL2 specifications can be reduced, enabling efficient state space exploration

% Simple producer-consumer in mCRL2
sort Item = struct item1 | item2 | item3;

act produce, consume, transfer: Item;

proc Producer(i: Item) = produce(i) . Producer(i);

proc Consumer = sum i: Item . consume(i) . Consumer;

proc Buffer(q: List(Item)) =
  (q != []) -> transfer(head(q)) . Buffer(tail(q))
  + sum i: Item . produce(i) . Buffer(q ++ [i]);

init hide({transfer},
       allow({produce, consume, transfer},
         comm({produce|produce -> transfer, transfer|consume -> transfer},
           Producer(item1) || Buffer([]) || Consumer)));

The mCRL2 Toolset

The mCRL2 toolset is a comprehensive open-source suite of command-line tools and GUI applications, available under a Boost licence from the mCRL2 project at TU/e. The key tools include:

mcrl22lps — Translates an mCRL2 specification to a Linear Process Specification (LPS), the normal form used for analysis. The LPS linearises the parallel composition and communication structure of the specification.

lps2lts — Generates the Labelled Transition System (LTS) — the state space — of an LPS. Supports multiple exploration strategies (breadth-first, depth-first) and state space reductions.

ltsconvert — Converts between LTS formats and applies bisimulation reductions (strong bisimulation, branching bisimulation, weak bisimulation). Branching bisimulation is the standard equivalence notion for hiding internal actions.

lts2pbes — Translates a model checking problem (an LTS + a µ-calculus formula) to a Parameterised Boolean Equation System (PBES), the key intermediate representation for efficient model checking.

pbes2bool / pbessolvesymbolic — Solves the PBES to determine whether the property holds. Supports symbolic methods (using BDDs) for large state spaces.

ltsgraph / ltsview — GUI tools for interactive visualisation of LTSs — essential for understanding small to medium state spaces and for teaching.

mcrl2-gui — Integrated IDE for writing, simulating, and verifying mCRL2 specifications.

# Install mCRL2 toolset (Debian/Ubuntu)
sudo apt-get install mcrl2

# Or build from source (TU/e repository)
git clone https://github.com/mCRL2org/mCRL2.git
cmake -DCMAKE_BUILD_TYPE=Release ..
make -j4

# Linearise a specification
mcrl22lps producer_consumer.mcrl2 producer_consumer.lps

# Generate state space
lps2lts producer_consumer.lps producer_consumer.lts

# Model check a deadlock-freedom property
lts2pbes -f no_deadlock.mcf producer_consumer.lts producer_consumer.pbes
pbes2bool producer_consumer.pbes

Process Algebra in the Dutch Industrial Ecosystem

The formal methods tradition of CWI and TU/e has had direct industrial impact through two routes: direct collaboration with Dutch companies and through the broader adoption of mCRL2 in European industry.

Philips 🇳🇱 (now split into Philips Healthcare, Signify, and NXP Semiconductors) has a long history of collaboration with CWI and TU/e on formal methods. Philips Research Laboratories (NatLab) in Eindhoven collaborated on the verification of communication protocols — particularly the protocols underlying audio/video equipment (the Philips CD-I protocol, SCART, and later HDMI and DisplayPort specifications). NXP Semiconductors 🇳🇱, the Philips semiconductor spin-off that produces automotive microcontrollers, NFC chips, and secure elements, uses formal verification for hardware design correctness.

ASML 🇳🇱 (Veldhoven, near Eindhoven), the manufacturer of lithography machines that are essential to semiconductor manufacturing — every chip at 7nm and below requires ASML's extreme ultraviolet machines — uses formal methods for verifying the software that controls its machines. An ASML lithography machine contains millions of lines of software controlling precision mechanics, optics, and real-time scanning at nanometre tolerances; correctness failures would be catastrophic. TU/e's proximity and the formal methods ecosystem built around ACP/mCRL2 have made it a natural partner.

Ericsson 🇸🇪 (with research at EAB Stockholm and Göteborg) has used process algebra — including both CCS-based approaches and ACP/mCRL2 approaches — for protocol verification in telecommunications equipment.

European space agencies: ESA 🇪🇺 (European Space Agency, Noordwijk 🇳🇱, with mission control at ESOC Darmstadt 🇩🇪) uses formal verification for on-board software in spacecraft. The proximity of ESA's ESTEC research centre in Noordwijk to TU/e and CWI creates a natural channel for mCRL2 adoption.

mCRL2 and the OSI/LOTOS Heritage

mCRL2 sits at the end of a lineage that runs directly through LOTOS: CCS (Milner 🏴󠁧󠁢󠁳󠁣󠁴󠁷󠁦󠁿 Edinburgh, 1980) → ACP (Bergstra + Klop 🇳🇱, CWI, 1984) → LOTOS (Boudol 🇫🇷 + Brinksma 🇳🇱, INRIA/Twente, 1985/1989) → µCRL (Groote + Ponse 🇳🇱, CWI, 1994) → mCRL2 (Groote et al. 🇳🇱, TU/e, 2001).

The relationship to LOTOS is explicit. Ed Brinksma 🇳🇱 — who edited the ISO 8807 LOTOS standard at the University of Twente — is in the same Dutch formal methods community as Jan Friso Groote. The University of Twente (Enschede) and TU/e (Eindhoven) are both in the Netherlands, and their formal methods groups have overlapping research agendas. Groote's µCRL was explicitly designed as an improvement on Full LOTOS's data specification mechanism.

In practice, mCRL2 today fills the role that LOTOS filled in the 1980s and 1990s: it is the tool for formally specifying and verifying the behaviour of concurrent distributed protocols, used in both academic research and industrial verification. Protocols and systems that would once have been specified in LOTOS are now specified in mCRL2.

The CADP toolbox (INRIA Grenoble) continues to support LOTOS and has added support for more expressive languages, including a degree of interoperability with mCRL2. The two toolsets represent the two major traditions in European process algebra — the French INRIA tradition (LOTOS → CADP) and the Dutch CWI/TU/e tradition (ACP → µCRL → mCRL2).

µ-Calculus Model Checking and LTL Verification

The primary application of mCRL2 is model checking — the automated verification that a finite-state model of a concurrent system satisfies a specified correctness property. Model checking was developed independently by Edmund Clarke 🇺🇸 + Allen Emerson 🇺🇸 (Carnegie Mellon/Texas) and Joseph Sifakis 🇬🇷🇫🇷 (VERIMAG, Grenoble — Turing Award 2007 shared with Clarke and Emerson). The French and Dutch formal methods traditions fed directly into the tools that make model checking industrially applicable.

mCRL2 supports property specification in the modal µ-calculus — a very expressive logic that subsumes both LTL (Linear Temporal Logic) and CTL (Computation Tree Logic):

% No deadlock: for all reachable states, some action is possible
nu X. (<true>true && [true]X)

% Eventually the system produces an item (liveness)
mu X. (<produce(item1)>true || <true>X)

% A dangerous state is never reached (safety)
[true*.dangerous_action]false

The mCRL2 property specification language (MCF — Modal mu-calculus Formula) allows specifying:

Safety properties: Nothing bad ever happens (e.g., no deadlock, no data corruption)
Liveness properties: Something good eventually happens (e.g., every request is eventually answered)
Fairness properties: Components are not indefinitely starved
Bisimulation equivalence: Two specifications describe the same observable behaviour

For industrial systems, the workflow is: specify the protocol in mCRL2 → verify safety properties (deadlock freedom, mutual exclusion) → verify liveness properties (service termination, fairness) → reduce the verified specification to a bisimulation normal form → implement in the target language.

The formal verification capabilities of mCRL2 have increasing relevance under EU regulatory frameworks.

NIS2 Directive (EU) 2022/2555 (Network and Information Security Directive), Article 21, requires operators of essential services to implement measures to manage cybersecurity risks. For critical infrastructure protocols — communication protocols in energy grid management, financial clearing systems, healthcare data exchange — formal verification that protocol implementations correctly implement their specifications and do not admit deadlock, race conditions, or unexpected information flows provides technical evidence for the security documentation that NIS2 requires.

EU AI Act (Regulation EU 2024/1689), Article 9 (Risk Management System) and Article 15 (Accuracy, Robustness, Cybersecurity): High-risk AI systems deployed in safety-critical contexts — medical devices, autonomous vehicles, critical infrastructure — must demonstrate robustness. For AI components that interact with concurrent distributed systems (multi-agent systems, distributed inference, federated learning), mCRL2 specifications of the communication protocols can formally verify absence of communication deadlocks and race conditions that would compromise AI system safety.

GDPR Article 5(1)(f) (Integrity and Confidentiality) and Article 25 (Data Protection by Design): For systems that process personal data across multiple concurrent processing components, mCRL2 specifications can formally verify non-interference properties — that personal data from one processing context cannot be inadvertently exposed to another context through protocol-level information leakage. The process algebraic notion of information hiding (τ-abstraction) directly models the GDPR principle of purpose limitation.

Deploying mCRL2-Verified Systems to Europe with sota.io

mCRL2 generates executable models and can interface with system implementations through several paths. A verified mCRL2 specification can be compiled to C++ (via lps2torx and integration with test generation tools), used to generate test suites for conformance testing of protocol implementations, or serve as the formal specification that guides a reference implementation.

# Install mCRL2 on Debian-based systems
sudo apt-get install -y mcrl2

# Specify a concurrent system
cat > protocol.mcrl2 << 'EOF'
act send, receive, ack: Nat;

proc Sender(n: Nat) = send(n) . ack(n) . Sender(n + 1);
proc Receiver = sum n: Nat . receive(n) . ack(n) . Receiver;

init allow({send, receive, ack},
       comm({send|receive -> send},
         Sender(0) || Receiver));
EOF

# Verify no deadlock
mcrl22lps protocol.mcrl2 protocol.lps
lps2lts protocol.lps protocol.lts
echo "[true*]<true>true" > liveness.mcf
lts2pbes -f liveness.mcf protocol.lts liveness.pbes
pbes2bool liveness.pbes

# Build verified implementation as container
cat > Dockerfile << 'EOF'
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y mcrl2
COPY protocol.mcrl2 /app/
WORKDIR /app
CMD ["mcrl22lps", "protocol.mcrl2", "protocol.lps"]
EOF

docker build -t my-mcrl2-service .

Whether you are deploying a mCRL2-verified protocol implementation, a formal verification service that checks system conformance, or a distributed system whose design was validated using process algebraic methods, you need EU infrastructure that satisfies the regulatory requirements of your European customers.

sota.io is the EU-native platform-as-a-service built precisely for this. Your services run on German infrastructure, in data centres that comply with ISO 27001 and the data sovereignty requirements of the EU General Data Protection Regulation. Managed PostgreSQL is included — no configuration, no cross-border data transfers, no Schrems II risk.

# Deploy your mCRL2-verified service to EU infrastructure
curl -fsSL https://cli.sota.io/install.sh | sh
sota login
sota deploy --region eu-central-1

Jan Friso Groote and the TU/e Eindhoven team built mCRL2 to make process algebraic verification practical for industrial concurrent systems — the protocols and distributed systems that underpin European infrastructure. sota.io is built on the same principle: EU-native infrastructure where formal correctness guarantees, regulatory compliance, and developer ergonomics are not trade-offs but design requirements met simultaneously.