Deploy NuSMV to Europe – Alessandro Cimatti 🇮🇹 (FBK Trento 2002), the EU-Native Symbolic Model Checker Behind Industrial Safety Verification, on EU Infrastructure in 2026
When Siemens engineers verify the safety properties of a programmable logic controller – that it will never enter a forbidden state, that a protective relay will always trip within specification, that a control loop invariant holds under all possible input sequences – they reach for NuSMV. Not a testing framework, not a simulation tool: a symbolic model checker that can exhaustively explore all reachable states of a finite-state system and prove, with mathematical certainty, that a temporal logic property holds, or produce a concrete counterexample when it does not.
NuSMV (New Symbolic Model Verifier) was built in 2002 by Alessandro Cimatti 🇮🇹 and colleagues at FBK Trento – Fondazione Bruno Kessler, the Italian public research foundation funded by the Trentino regional government in northern Italy. NuSMV is a clean re-implementation and extension of CMU SMV, the original symbolic model checker created in 1993 by Edmund M. Clarke 🇺🇸 at Carnegie Mellon University, who shared the 2007 ACM Turing Award with Allen Emerson and Joseph Sifakis for founding the field of model checking. Clarke's BDD-based SMV proved hardware correctness properties that no testing regime could match; NuSMV brought that capability to a carefully engineered, open-source platform with industrial-grade reliability – and kept the primary development centre in the EU.
In 2014, the same FBK Trento group released nuXmv – extending NuSMV to infinite-state systems, adding the IC3/PDR algorithm (Aaron Bradley's 2011 property-directed reachability method), and integrating MathSAT5, the SMT solver also developed at FBK Trento. The result is that the entire verification stack – model checker, SAT backend, SMT backend – traces to a single EU institution in Trento, Italy.
In 2026, with EU AI Act Article 9 requiring systematic verification of high-risk AI systems and NIS2 demanding formal protocol verification for critical infrastructure, NuSMV and nuXmv offer something none of their US-origin competitors can: a model checker whose entire provenance – source code, development team, institutional home – is within the European Union. Running NuSMV on EU infrastructure is not just an operational preference. It is a supply-chain decision that keeps both the verification toolchain and the safety artefacts under EU jurisdiction.
What NuSMV Is – Symbolic Model Checking
NuSMV implements symbolic model checking: instead of enumerating states one by one (as SPIN's explicit-state approach does), NuSMV represents sets of states as Boolean formulae and manipulates them using Binary Decision Diagrams (BDDs) – a canonical, compact representation of Boolean functions introduced by Randal Bryant at CMU in 1986. A BDD can represent millions of system states in kilobytes of memory; symbolic model checking exploits this to verify properties of systems with state spaces too large for explicit enumeration.
The input language – SMV (Symbolic Model Verifier language) – describes reactive systems as networks of finite-state machines:
-- NuSMV: two-process mutual exclusion (a Peterson-style flag-and-turn protocol)
-- Proves: AG !(proc0.state = critical & proc1.state = critical)
-- "It is globally always the case that process 0 and process 1 are never simultaneously critical"
-- Each process raises its flag while it is interested and defers to the other unless it holds
-- the turn; the turn passes to the other process whenever a process leaves its critical section.
-- (A flag that is only set one step after entering "trying" lets both processes enter together
-- under NuSMV's synchronous semantics, so the flag is a DEFINE on the state instead.)
MODULE process(id, other, turn)
VAR
  state : {idle, trying, critical};
DEFINE
  flag := state != idle;   -- interest is visible in the same step the process starts trying
ASSIGN
  init(state) := idle;
  next(state) :=
    case
      state = idle : {idle, trying};                          -- may request entry at any time
      state = trying & (!other.flag | turn = id) : critical;  -- enter if uncontended or it is our turn
      state = trying : trying;                                -- otherwise keep waiting
      state = critical : idle;                                -- leave after one step
      TRUE : state;
    esac;
MODULE main
VAR
  turn  : 0..1;
  proc0 : process(0, proc1, turn);
  proc1 : process(1, proc0, turn);
ASSIGN
  init(turn) := 0;
  next(turn) :=
    case
      proc0.state = critical : 1;   -- hand the turn to the other process on exit
      proc1.state = critical : 0;
      TRUE : turn;
    esac;
SPEC
  AG !(proc0.state = critical & proc1.state = critical)
LTLSPEC
  G (proc0.state = trying -> F proc0.state = critical)
The SPEC line is a CTL (Computation Tree Logic) formula: AG P means "for All paths, Globally P" – the classic safety property. NuSMV either confirms the property holds for all reachable states, or returns a counterexample trace – a concrete sequence of state assignments that witnesses the violation. The LTLSPEC line is an LTL (Linear Temporal Logic) formula: G (p -> F q) means "it is always the case that whenever trying, eventually critical" – a liveness property (freedom from starvation).
NuSMV supports three complementary verification approaches:
BDD-based symbolic model checking – the original CMU SMV algorithm. The transition relation and property are both encoded as BDDs; the model checker computes fixed points (reachable state sets, pre-image computations) symbolically. Effective for hardware circuits and protocol state machines with tens to hundreds of state bits; performance degrades on arithmetic-heavy or large-integer systems.
Bounded Model Checking (BMC) – introduced in NuSMV 2.x. Unrolls the transition relation k steps and encodes the property as a SAT problem. If the property can be violated within k steps, a SAT solver (originally zChaff, now MathSAT5 in nuXmv) finds the counterexample. BMC is faster than BDD methods for finding bugs and enables verification of properties that BDDs cannot represent compactly. The k bound must be chosen; BMC cannot prove correctness unconditionally.
IC3/PDR (in nuXmv) – Aaron Bradley's 2011 algorithm, the state of the art for safety verification. IC3 maintains a series of over-approximations of the reachable state sets and incrementally refines them using SAT queries, without BDD explosion and without a fixed unrolling bound. IC3/PDR has largely superseded pure BDD methods for industrial safety verification on large systems – nuXmv's MathSAT5 integration makes this the production choice for EU industrial users in 2026.
Edmund M. Clarke and the Origins of Model Checking
The intellectual foundation of NuSMV is Edmund M. Clarke's invention of model checking at Carnegie Mellon University in 1981. Clarke, together with E. Allen Emerson (University of Texas Austin) and independently Joseph Sifakis 🇬🇷🇫🇷 (VERIMAG/INRIA Grenoble 🇫🇷), formulated the central idea: that temporal logic properties of finite-state systems could be checked automatically – without human-guided proofs – by systematic state-space traversal.
The 2007 ACM Turing Award citation states: "Clarke, Emerson and Sifakis introduced model checking as a formal verification technique – a method for automatically verifying correctness properties of hardware and software designs. This automatic verification technique has helped thousands of organizations find and fix hardware and software errors in critical systems."
Clarke's group at CMU developed SMV (Symbolic Model Verifier) in 1993 using Kenneth McMillan's BDD-based symbolic representation. SMV proved the IEEE Futurebus+ cache coherence protocol correct – one of the first industrial applications of model checking to a real engineering standard, discovering two previously unknown bugs in the draft specification. This result established model checking as a practical engineering tool, not merely an academic technique.
The NuSMV project at ITC-IRST (now FBK Trento) was initiated in the late 1990s to address limitations of the original CMU SMV: the codebase had become difficult to extend, lacked modular design, and did not support SAT-based BMC. Alessandro Cimatti, Marco Roveri, and colleagues re-implemented SMV from scratch in C, incorporating BMC from the outset. The collaboration between FBK Trento and CMU brought Clarke's theoretical depth to a European engineering team with industrial reliability requirements.
Alessandro Cimatti 🇮🇹 has led the formal methods unit at FBK Trento since the late 1990s. His research covers model checking algorithms, SAT/SMT-based verification, and hybrid systems – the intersection of discrete state machines with continuous dynamics. His group created not only NuSMV and nuXmv but also MathSAT, the SMT solver used by nuXmv for arithmetic reasoning over integers, reals, bit-vectors, and arrays. The combination of NuSMV + MathSAT is a vertically integrated EU verification stack: both tools designed and maintained by the same group, in the same building, in Trento, Italy.
nuXmv – The Modern Evolution
nuXmv (2014) extends NuSMV with:
Infinite-state verification: NuSMV's BDD engine is restricted to finite-state systems (bounded integer domains, explicit enum types). nuXmv adds SMT-based model checking for systems with unbounded integers, real-valued variables, and arrays – enabling verification of embedded controllers with arithmetic, memory management, or data structure properties.
IC3/PDR for finite- and infinite-state: The state-of-the-art safety algorithm. In benchmarks, IC3/PDR consistently outperforms BDD methods on industrial hardware and protocol verification tasks – finding proofs and counterexamples faster and with lower memory consumption. nuXmv's implementation integrates directly with MathSAT5 for both the SAT and SMT layers.
MathSAT5 integration: MathSAT5 is a competitive SMT solver supporting linear arithmetic over integers and reals (LIA, LRA), non-linear arithmetic (NIA, NRA), bit-vectors, arrays, and combinations thereof. It is used in nuXmv for both BMC formula encoding and IC3 relative induction queries. MathSAT5 participates annually in the SMT-COMP competition and consistently ranks among the top SMT solvers. Developed at FBK Trento – same institution, same group.
Simulink integration: nuXmv supports direct import of Simulink models (via translation toolchains), enabling verification of Matlab/Simulink control system designs that are ubiquitous in automotive (AUTOSAR, ISO 26262) and aerospace (DO-178C) development workflows. This connects nuXmv directly to the EU industrial design tool chain.
-- nuXmv: infinite-state example with (unbounded) integer arithmetic
-- Verifies: the counter never exceeds MAX (it saturates at MAX instead of wrapping, so it cannot overflow)
-- (An unconditional counter + 1 would reach MAX and falsify the property; the increment is guarded.)
MODULE main
VAR
  counter : integer;          -- unbounded integer: not representable with a finite BDD encoding
DEFINE
  MAX := 2147483647;
  overflow := counter > MAX;  -- TRUE only if the bound were ever exceeded
ASSIGN
  init(counter) := 0;
  next(counter) :=
    case
      counter < MAX : counter + 1;   -- count up ...
      TRUE : counter;                -- ... and saturate at MAX
    esac;
INVARSPEC
  counter <= MAX
INVARSPEC
  !overflow
-- nuXmv IC3 (go_msat; check_invar_ic3 -i) proves both invariants immediately: counter <= MAX is
-- inductive, so no unrolling towards 2^31 steps is needed.
The INVARSPEC assertion is a safety invariant: nuXmv's IC3 engine proves it holds for all reachable states using MathSAT5 arithmetic queries, without BDD encoding of unbounded integers.
FBK Trento – 100% EU Provenance
Fondazione Bruno Kessler (FBK) in Trento, Italy, is the institutional home of NuSMV and nuXmv. It is named after Bruno Kessler (1924–1991), the Italian politician and president of the Trentino Autonomous Province who founded the research centre as ITC-IRST (Istituto Trentino di Cultura – Istituto per la Ricerca Scientifica e Tecnologica) in 1976. The foundation became FBK in 2007, retaining its mission as a public research institution funded by the Trentino regional government and the Italian Ministry of Education.
FBK's formal methods unit – the Embedded Systems Unit and the Formal Methods and Tools group – has produced a remarkable concentration of foundational tools:
- NuSMV (1998–2002): BDD + SAT symbolic model checker, LGPL open-source
- nuXmv (2014): IC3/PDR + infinite-state extension, free academic licence
- MathSAT (2002–present): competitive SMT solver, free for non-commercial use
- HRELTL: hybrid reactive linear temporal logic for cyber-physical systems
- xSAP (Safety Analysis Platform): fault tree analysis + model checking for IEC 61508
The FBK formal methods group has collaborated with the EU's premier industrial safety organisations: Siemens AG 🇩🇪 (Munich), STMicroelectronics 🇮🇹 (Agrate Brianza), Bosch 🇩🇪 (Stuttgart), Leonardo SpA 🇮🇹 (Rome, aerospace and defence), and Alstom 🇫🇷 (railway signalling). EU research funding: FP6 PROSYD (Property-Based System Design), FP7 CRYSTAL (Critical Systems Engineering Acceleration), Horizon 2020 EMPHYSIS (embedded systems for hybrid and autonomous vehicles).
The EU provenance is unambiguous: NuSMV and nuXmv were designed, implemented, maintained, and funded within the European Union. No US export control, no Cloud Act, no ITAR concern for the toolchain itself.
Industrial Applications in EU Critical Infrastructure
NuSMV and nuXmv have been deployed across EU industrial sectors where formal verification is not optional โ it is mandated by safety standards:
Siemens AG 🇩🇪 – The Munich-based automation and power technology group uses symbolic model checking for verification of programmable logic controllers (PLCs) and railway interlocking logic. NuSMV's CTL model checking verifies safety conditions for industrial control systems developed under IEC 61508 (functional safety for electrical/electronic/programmable electronic safety-related systems). Siemens Mobility uses formal methods for EN 50128 SIL 4 railway signalling.
STMicroelectronics 🇮🇹 – The Franco-Italian semiconductor company (Geneva + Crolles, FR + Agrate Brianza, IT) applies NuSMV-based verification to microcontroller designs, particularly for automotive (ISO 26262) and industrial (IEC 61508) safety-qualified chips. STMicro is the maker of ARM Cortex-M microcontrollers used in virtually every EU automotive ECU.
Bosch 🇩🇪 – The Stuttgart-based automotive supplier uses model checking for verification of safety-critical embedded software under ISO 26262 ASIL D (the highest automotive safety integrity level). AUTOSAR safety mechanisms are modelled and verified using NuSMV-compatible workflows.
Alstom 🇫🇷 – The French railway signalling company (manufacturer of TGV, Eurotram, Metropolis Metro) applies formal methods to EN 50128 SIL 4 interlocking software. NuSMV has been used to verify state machine models of train protection logic.
Leonardo SpA 🇮🇹 – Italy's aerospace and defence group applies nuXmv-based verification to avionics software under DO-178C/DO-333 (formal methods credit for airborne software). The integration with the FBK Trento group enables direct research-to-industry technology transfer.
European Space Agency (ESA) 🇪🇺 – ESA ESTEC (Noordwijk 🇳🇱) has explored NuSMV-based verification of spacecraft onboard software, particularly for satellite FDIR (Fault Detection, Isolation and Recovery) logic.
EU AI Act Art. 9 and NIS2 – Model Checking as Compliance Evidence
The EU AI Act, fully enforced from August 2026, establishes verification requirements for high-risk AI systems that formal model checking is uniquely positioned to satisfy:
Article 9 (Risk Management System) requires that high-risk AI systems undergo verification of safety properties. For discrete decision logic – finite-state controllers, decision trees, rule-based AI systems, protocol stacks in AI agents – NuSMV's exhaustive CTL/LTL verification provides the highest assurance level: proof for all reachable states, not merely tested ones. The NuSMV property specification itself constitutes the "technical documentation" that conformity assessment bodies require.
Annex III high-risk systems include autonomous vehicles, medical device software, critical infrastructure control, and employment/credit decision systems. For any system where the decision logic can be modelled as a finite-state machine or extended finite automaton, NuSMV's CTL model checking produces evidence directly comparable to the IEC 61508 SIL 3/4 verification regime that EU industrial safety standards mandate.
NIS2 Directive (Network and Information Security) requires operators of essential services to verify the security properties of their control systems. SCADA, PLC, and industrial automation software – the target domain of NuSMV's industrial users – must demonstrate systematic security verification. NuSMV's INVARSPEC and LTLSPEC properties can encode security invariants (no unauthorized access to critical state, no replay attack success) that NIS2 conformity requires.
GDPR Art. 25 (Data Protection by Design): nuXmv's infinite-state verification enables formal proof of data handling invariants – that personal data is never retained beyond its stated lifecycle, that access control state machines correctly enforce purpose limitation. The arithmetic extension handles real data flow logic that pure finite-state BDD methods cannot express.
The EU provenance of NuSMV/nuXmv strengthens the compliance case: an EU AI Act conformity assessment under ENISA guidelines will look more favourably on a verification toolchain from an EU public research institution than on equivalent tools from US industry, where Cloud Act data disclosure obligations create structural ambiguity about tool artefact sovereignty.
Deploying NuSMV and nuXmv on sota.io
sota.io is a European PaaS – infrastructure in EU data centres, GDPR-compliant by design, managed PostgreSQL, zero DevOps overhead, and a free tier. For NuSMV and nuXmv workloads, EU infrastructure keeps both the models being verified and the verification artefacts (proof logs, counterexample traces, specification files) within EU jurisdiction – a supply-chain requirement for EU critical infrastructure operators and AI Act-regulated organisations.
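The NIS2 and GDPR paragraphs above say that access-control, replay and retention invariants can be written as INVARSPEC and LTLSPEC properties. The model below shows what that looks like in SMV. It is an added illustration, not code from the page, the NuSMV project or any of the companies named on the page: the session and access state machines, the single-nonce challenge, the retention bound TTL and every property are constructed for the example. It runs under NuSMV's BDD engine (the retention counter is kept finite so that no nuXmv arithmetic is needed).

```smv
-- Added example (not from the page or the NuSMV project): a session/authorisation monitor
-- with three NIS2/GDPR-style properties. Every state machine and value here is constructed.
MODULE main
VAR
  session    : {logged_out, authenticating, logged_in};
  nonce_used : boolean;                      -- the current challenge nonce has been consumed
  presented  : {valid, replayed};            -- what the requester presents each step; deliberately
                                             -- left unassigned so NuSMV explores every sequence
  access     : {idle, requested, critical};  -- access to the protected (critical) state
  data_held  : boolean;                      -- personal data is currently stored
  data_age   : 0..3;                         -- steps since the data was stored (range must cover TTL)
DEFINE
  TTL := 3;                                  -- constructed retention limit, in steps
ASSIGN
  init(session)    := logged_out;
  init(nonce_used) := FALSE;
  init(access)     := idle;
  init(data_held)  := FALSE;
  init(data_age)   := 0;

  next(session) :=
    case
      session = logged_out : {logged_out, authenticating};
      session = authenticating & presented = valid & !nonce_used : logged_in;
      session = authenticating : {authenticating, logged_out};   -- rejected: retry or give up
      session = logged_in : {logged_in, logged_out};             -- session continues or ends
    esac;

  next(nonce_used) :=
    case
      session = logged_out     : FALSE;   -- a fresh challenge nonce is issued while logged out
      session = authenticating : TRUE;    -- any presentation consumes the current nonce
      TRUE : nonce_used;
    esac;

  next(access) :=
    case
      next(session) != logged_in : idle;   -- access is revoked in the same step the session ends
      access = idle : {idle, requested};
      access = requested : critical;       -- the requester is authenticated, so grant
      access = critical : {critical, idle};
    esac;

  next(data_held) :=
    case
      access = critical : TRUE;                   -- a protected operation stores personal data
      data_held & data_age + 1 >= TTL : FALSE;    -- purged before the lifetime is exceeded
      TRUE : data_held;
    esac;

  next(data_age) :=
    case
      access = critical : 0;                      -- (re)stored now
      data_held & data_age < TTL : data_age + 1;  -- ageing while held
      TRUE : 0;
    esac;

-- NIS2: no unauthorised access to the critical state
INVARSPEC access = critical -> session = logged_in
-- NIS2: a nonce that has already been consumed never authenticates, however it is presented
LTLSPEC G ((session = authenticating & nonce_used) -> X session != logged_in)
-- GDPR Art. 25: personal data is never retained once its lifetime has elapsed
INVARSPEC data_held -> data_age < TTL
```

Run it with NuSMV model.smv; all three properties are reported true. The value of the model checker shows when a guard is dropped: remove the first branch of next(access) (the revocation on session end) and NuSMV reports the first INVARSPEC false with a trace in which the session ends while access is still critical, which is exactly the kind of gap a review of hand-written authorisation logic tends to miss.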
NuSMV CI verification pipeline:
# Install NuSMV from a distribution package where one is available (Debian/Ubuntu)
apt-get install -y nusmv
# Or download the official binary from nusmv.fbk.eu
wget https://nusmv.fbk.eu/distrib/NuSMV-2.6.0-linux64.tar.gz
tar xzf NuSMV-2.6.0-linux64.tar.gz
# Run NuSMV on a model (batch mode: every SPEC/LTLSPEC/INVARSPEC in the file is checked)
NuSMV model.smv
# Interactive mode driven by a command script (CI pipeline)
NuSMV -int -source verify.cmd model.smv
# Dockerfile: NuSMV verification in CI
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y nusmv
WORKDIR /workspace
COPY models/ ./models/
COPY specs/ ./specs/
# NuSMV exits 0 whether a property holds or not, so the build must inspect the verdict lines:
# require at least one "is true" and fail on any "is false" (a parse error yields neither and fails too)
RUN for m in models/*.smv; do NuSMV "$m"; done > verification.log 2>&1 \
 && grep -q " is true" verification.log && ! grep -q " is false" verification.log
CMD ["cat", "verification.log"]
nuXmv with IC3/PDR for infinite-state:
# Download nuXmv (free for non-commercial use)
# https://nuxmv.fbk.eu/
wget https://nuxmv.fbk.eu/downloads/nuXmv-2.0.0-linux64.tar.gz
tar xzf nuXmv-2.0.0-linux64.tar.gz
# IC3 verification (fastest for safety properties); -i selects the infinite-state IC3 variant,
# which models with integer or real variables need (see the check_invar_ic3 entry in the nuXmv manual)
nuXmv -int << 'EOF'
read_model -i controller.smv
go_msat
check_invar_ic3 -i
show_traces -v
quit
EOF
# Dockerfile: nuXmv with IC3 for industrial controller verification
FROM ubuntu:22.04
COPY nuXmv-2.0.0-linux64/ /opt/nuxmv/
ENV PATH="/opt/nuxmv/bin:$PATH"
WORKDIR /workspace
COPY . .
# Run IC3 on all safety specs, keep the log, and fail the build if any invariant is false
# (nuXmv exits 0 either way, so the verdict is taken from the log, not the exit status)
RUN nuXmv -int -source ic3_batch.cmd safety_model.smv 2>&1 | tee ic3_result.log \
 && ! grep -q " is false" ic3_result.log
CMD ["cat", "ic3_result.log"]
# ic3_batch.cmd – nuXmv IC3 batch script
# (command scripts have no $1-style arguments; read_model without -i reads the model
#  file named on the nuXmv command line)
read_model
go_msat
check_invar_ic3 -i
show_traces -v
quit
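The Dockerfiles above keep a log, but a build step only stops when a command exits non-zero, and NuSMV and nuXmv exit 0 whether a property holds or not. The POSIX shell wrapper below, added here as an example and not taken from the page or the NuSMV project, recovers the verdict from the checker's "-- specification ... is true/false" and "-- invariant ... is true/false" lines and turns it into an exit status a CI job can act on; it also treats a log with no verdict at all (parse error, crash) as a failure. The two sample logs are constructed, and run_nusmv_ci assumes a NuSMV binary on PATH.

```shell
#!/bin/sh
# Added CI helper (not from the page or the NuSMV project). NuSMV and nuXmv report each
# property as "-- specification <expr>  is true|false" or "-- invariant <expr>  is true|false"
# and exit 0 either way, so the verdict has to be recovered from the log.

# verdict_from_log LOG: prints "<true_count> <false_count>"; succeeds only if at least one
# property was checked and none was false (an empty or truncated log therefore fails too).
verdict_from_log() {
  true_n=$(grep -c -E '^-- (specification|invariant) .* is true' "$1" || true)
  false_n=$(grep -c -E '^-- (specification|invariant) .* is false' "$1" || true)
  printf '%s %s\n' "$true_n" "$false_n"
  [ "$false_n" -eq 0 ] && [ "$true_n" -gt 0 ]
}

# run_nusmv_ci MODEL LOG: run NuSMV in batch mode on MODEL (assumes NuSMV on PATH), keep the
# full output in LOG, and return non-zero if any property failed so the CI job stops.
run_nusmv_ci() {
  NuSMV "$1" > "$2" 2>&1 || true        # NuSMV's own exit status carries no verdict
  if ! verdict_from_log "$2" > /dev/null; then
    echo "verification FAILED for $1 (see $2)" >&2
    grep -E '^-- (specification|invariant)' "$2" >&2
    return 1
  fi
  echo "verification passed for $1"
}

# Constructed sample logs in NuSMV's output format (not real runs).
PASS_LOG=$(mktemp)
cat > "$PASS_LOG" <<'EOF'
-- specification AG !(proc0.state = critical & proc1.state = critical)  is true
-- specification  G (proc0.state = trying ->  F proc0.state = critical)  is true
EOF

FAIL_LOG=$(mktemp)
cat > "$FAIL_LOG" <<'EOF'
-- invariant counter <= MAX  is true
-- invariant !overflow  is false
-- as demonstrated by the following execution sequence
Trace Type: Counterexample
EOF

EMPTY_LOG=$(mktemp)   # what a parse error leaves behind: no verdict lines at all

# Usage in a pipeline: run_nusmv_ci models/controller.smv verification.log || exit 1
```

The counts are printed so the job log shows how many properties were actually checked; a green build that verified zero properties is the failure mode this guards against.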
sota.io free tier (512 MB RAM, 0.5 vCPU) is sufficient for NuSMV BDD verification of small to medium models (≤ 50 state bits, ≤ 10^6 BDD nodes). nuXmv IC3 is more memory-efficient than BDD methods and runs within the free tier for most protocol verification tasks. Large industrial controllers (AUTOSAR system models, full PLC ladder logic) benefit from the Standard tier (€9/month, 2 GB RAM).
See Also
- Deploy SMV to Europe → Original symbolic model verifier (Edmund Clarke CMU 🇺🇸, 1993, ACM Turing Award 2007)
- Deploy UPPAAL to Europe → Timed automata model checker (Uppsala + Aalborg, 1995)
- Deploy Promela/SPIN to Europe → Explicit-state LTL model checker (Bell Labs, 1980)
- Deploy Alloy to Europe → SAT-based relational model finder (MIT CSAIL, 2002)
- Deploy TLA+ to Europe → Temporal logic specification (Leslie Lamport, 1994)
- Deploy Dafny to Europe → Verification-aware programming language (Microsoft Research, 2009)
- Deploy CADP to Europe → Process algebra verification toolbox (INRIA Grenoble 🇫🇷, 1989)
- Deploy Frama-C to Europe → EU-native C code formal verifier (CEA LIST 🇫🇷 + INRIA 🇫🇷, 2008)
- All 143 languages on sota.io →