Deploy UPPAAL to Europe — Uppsala University & Aalborg University (1995), the Timed Automata Verifier Behind EU Automotive and Aerospace Safety, on EU Infrastructure in 2026

When Volvo engineers needed to formally verify the timing behaviour of an automotive turn indicator system against ISO 26262 safety requirements, they did not reach for a general-purpose theorem prover. They reached for UPPAAL — the timed automata model checker jointly developed by Uppsala University 🇸🇪 and Aalborg University 🇩🇰, first released in 1995, and today the most widely used formal verification tool for real-time and cyber-physical systems across European industry. The choice was not incidental. UPPAAL was built for exactly this class of problem: systems where correctness depends not just on logical behaviour but on when events happen. An automotive seat belt pretensioner that fires 2 milliseconds too late. A railway signalling system whose safe zone clearance window is measured in seconds. A medical infusion pump whose dosing interval must be verified against hard timing constraints. UPPAAL models these systems as networks of timed automata — finite state machines extended with real-valued clocks — and verifies properties expressed in a subset of computation tree logic (CTL) against those models. It finds violations. It produces counterexample traces. And it does so for systems whose timing behaviour matters in ways that untimed formalisms like TLA+ or Alloy cannot directly express.

In 2026, as EU AI Act Article 9 requires systematic verification for high-risk AI systems that include autonomous vehicles, medical devices, and industrial automation, UPPAAL's role in the European safety-critical engineering landscape has only grown. The UPPAAL tool suite is EU-funded research made into industrial practice — and running it on EU infrastructure is not merely convenient, it is the appropriate choice for organisations operating under GDPR, the NIS2 Directive, and the Cyber Resilience Act.

What UPPAAL Is — Timed Automata Model Checking

UPPAAL operates on a formalism called timed automata: finite automata augmented with a finite set of real-valued clocks. Clocks advance uniformly with time. Guards on transitions check whether a clock has reached a threshold before the transition can fire. Invariants on states enforce upper bounds on how long the system can remain in that state. This simple extension to finite automata gives timed automata enormous expressive power for real-time systems: you can directly express deadlines, minimum separations, periodic behaviours, and timing dependencies between concurrent components.

A network of timed automata models a concurrent system: each component — a sensor, a controller, a communication channel — is described as its own automaton, and the network runs them in parallel with synchronisation on shared actions. UPPAAL then verifies properties of this network using symbolic model checking: rather than explicitly enumerating all reachable states (which would be infinite due to continuous clock values), UPPAAL represents sets of states symbolically using difference bound matrices (DBMs), a data structure that efficiently encodes clock constraints. This makes UPPAAL tractable on systems that explicit-state model checkers like SPIN cannot handle when timing matters.

The UPPAAL verification query language is based on a subset of CTL (Computation Tree Logic):

• A[] p — property p holds in all reachable states (invariant)
• E<> p — there exists a reachable state satisfying p (reachability)
• A<> p — all paths eventually reach a state satisfying p (liveness)
• E[] p — there exists a path along which p always holds (possibility)
• p --> q — whenever p holds, q eventually holds (leads-to)

These five query types cover the vast majority of safety and liveness properties engineers care about in real-time systems.

The EU Origins: Uppsala and Aalborg

UPPAAL's creation story is inseparable from European computer science in the 1990s. The tool emerged from a collaboration between two research groups working independently on timed automata theory:

Uppsala University 🇸🇪, specifically the DARTS group (Design and Analysis of Real-Time Systems) led by Wang Yi, had been developing theory and algorithms for timed automata verification since the early 1990s. Yi's work — including the semantics paper "CCS + Time = an Interleaving Model for Real Time Systems" (1991) — laid the algorithmic foundations for what would become UPPAAL's verification engine.

Aalborg University 🇩🇰, specifically the group around Kim Guldstrand Larsen, had been working in parallel on tools for timed systems, including work on the TASS tool. Larsen had co-authored the original timed automata decidability results and was a central figure in developing practical model-checking algorithms for the formalism.

The two groups merged their efforts in 1995, combining UPpsala and AALborg to produce UPPAAL. The tool has been in continuous development since — the 2026 release continues an unbroken lineage from the original 1995 release. Crucially, the development has always been EU-supported: UPPAAL received funding from the European Union Seventh Framework Programme (FP7) under grant agreements 318490 (SENSATION), 601148 (CASSTING), and EU ARTEMIS grant agreement 269335 (MBAT). It is EU research infrastructure in the fullest sense.

The scale of European UPPAAL adoption is visible in publication data: Denmark leads with 30 publications per year, Italy contributes 21, France 19, Germany 12, Belgium 10, Sweden 13. The United States contributes 11. UPPAAL is, by any measure, a European tool used primarily by European engineers.

Industrial Applications: From Volvo to Aerospace

UPPAAL's industrial footprint in Europe is wide:

Automotive (ISO 26262): ISO 26262, the EU-harmonised functional safety standard for automotive electrical and electronic systems, recommends formal methods for achieving required safety integrity levels. UPPAAL SMC (Statistical Model Checker) and UPPAAL MC (Model Checker) have been applied to automotive turn indicator systems, brake-by-wire timing verification, AUTOSAR component interaction analysis, and autonomous driving scenario verification. The statistical model checking extension (UPPAAL SMC, available since 2012) allows probabilistic verification of timing properties — particularly relevant for ADAS systems where absolute verification is infeasible but statistical confidence bounds are accepted by safety assessors.

Aerospace and Defence: UPPAAL has been applied to scheduling verification for spacecraft on-board computers, communication protocol analysis for avionics data buses (ARINC 429, AFDX), and timing verification of military embedded systems. The EU ARTEMIS project MBAT (Combined Model-Based Analysis and Testing) explicitly used UPPAAL as a verification engine within a broader model-based development framework.

Medical Devices (IEC 62304): Infusion pump timing, insulin delivery protocols, and robotic surgery timing constraints have been modelled and verified in UPPAAL. The combination of timed automata expressiveness and the tool's GUI-based graphical editor makes UPPAAL accessible to domain engineers who are not formal methods specialists.

Rail (EN 50128): UPPAAL has been applied to interlocking logic timing verification for European Rail Traffic Management System (ERTMS) components, and to collision avoidance protocol analysis in high-speed rail systems.

The UPPAAL Tool Suite: More Than a Model Checker

UPPAAL in 2026 is not a single tool but a suite of verification environments:

UPPAAL (core): The original symbolic model checker for networks of timed automata. Verification of safety, liveness, and reachability properties using DBM-based symbolic state space exploration. GUI editor for drawing timed automata graphically.

UPPAAL SMC (Statistical Model Checking): Extends UPPAAL with statistical model checking — sampling executions and estimating probabilities and expected values using hypothesis testing and Monte Carlo simulation. Required for probabilistic real-time systems where exact verification is computationally infeasible.

UPPAAL Stratego: Adds strategy synthesis for timed games — finding optimal controllers that guarantee system properties against adversarial environments. Relevant for autonomous systems, energy management, and resource scheduling.

UPPAAL Tiga (Timed Games): Verification and synthesis for two-player timed games, finding winning strategies for safety and reachability objectives against uncontrollable components.

UPPAAL Yggdrasil: Model-based testing environment generating test cases from UPPAAL timed automata models — bridging formal verification and conformance testing.

UPPAAL CORA (Cost-Optimal Reachability Analysis): Minimum-cost reachability in priced timed automata — finding the cheapest way to reach a target state under time and resource constraints.

All variants share a common modelling language and can be deployed as services within a CI/CD pipeline, with UPPAAL accepting models in XML format (.xml) and accepting verification queries via command-line invocation.

Deploying UPPAAL on sota.io

UPPAAL requires a Java runtime and the UPPAAL binary distribution. For CI/CD integration, the command-line verifyta tool is the central entry point: it accepts a model file and a query file and returns verification results that can be parsed in automated pipelines.

FROM eclipse-temurin:21-jdk-jammy

# Install UPPAAL verifyta (command-line verification engine)
WORKDIR /opt/uppaal
RUN apt-get update && apt-get install -y wget unzip && \
    wget -q https://uppaal.org/downloads/latest/uppaal-linux64.zip && \
    unzip -q uppaal-linux64.zip && \
    mv uppaal-*/bin/verifyta /usr/local/bin/verifyta && \
    chmod +x /usr/local/bin/verifyta && \
    rm -rf uppaal-linux64.zip uppaal-*/

# Application layer: verification service
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev

COPY . .

EXPOSE 3000
CMD ["node", "server.js"]

A minimal Node.js verification service wrapping verifyta:

// server.js — UPPAAL verification as a service
import { execFile } from "node:child_process";
import { writeFile, unlink } from "node:fs/promises";
import { tmpdir } from "node:os";
import { join } from "node:path";
import express from "express";

const app = express();
app.use(express.json({ limit: "1mb" }));

app.post("/verify", async (req, res) => {
  const { model, query } = req.body;
  if (!model || !query) {
    return res.status(400).json({ error: "model and query required" });
  }

  const modelPath = join(tmpdir(), `model-${Date.now()}.xml`);
  const queryPath = join(tmpdir(), `query-${Date.now()}.q`);

  try {
    await writeFile(modelPath, model);
    await writeFile(queryPath, query);

    const result = await new Promise((resolve, reject) => {
      execFile(
        "verifyta",
        ["-q", modelPath, queryPath],
        { timeout: 30_000 },
        (err, stdout, stderr) => {
          if (err && err.code !== 1) return reject(err);
          resolve({ stdout, stderr });
        }
      );
    });

    res.json({
      satisfied: result.stdout.includes("-- Property is satisfied"),
      output: result.stdout,
    });
  } finally {
    await Promise.allSettled([unlink(modelPath), unlink(queryPath)]);
  }
});

app.listen(3000, () => console.log("UPPAAL service running on :3000"));

Deploy to sota.io:

# Install sota CLI
npm install -g sota-cli

# Login and deploy
sota login
sota deploy --name uppaal-verifier --port 3000

# Set EU region (Frankfurt)
sota scale --region eu-central-1

Your UPPAAL verification service is now running on EU infrastructure, accessible via a sota.io subdomain, with managed HTTPS and zero DevOps overhead.

UPPAAL vs Other Formal Methods Tools

UPPAAL is the first choice when timing matters — when the question is not just whether a system does the right thing but whether it does the right thing within a deadline. For automotive, aerospace, medical devices, and industrial automation under EU safety standards, this is almost always the relevant question.

EU AI Act Art. 9 and Real-Time AI Systems

EU AI Act Article 9 requires that providers of high-risk AI systems establish "a risk management system" involving "testing of the AI system to identify the most appropriate risk management measures." For high-risk AI systems that include real-time components — autonomous vehicles (Annex III, point 4), medical devices (Annex III, point 5b), critical infrastructure (Annex III, point 2) — timing correctness is a core safety property.

UPPAAL provides exactly the kind of evidence Article 9 compliance requires: formal models with machine-checkable proofs that timing constraints are satisfied, counterexample traces that document discovered violations, and audit-ready verification reports generated by verifyta. This is not documentation of intent — it is machine-generated evidence of verified correctness. EU notified bodies conducting conformity assessment under the AI Act increasingly expect this kind of formal evidence for high-risk categories.

Why EU Infrastructure Matters for UPPAAL Users

UPPAAL verification services process safety-critical system models — intellectual property that represents years of engineering effort and contains proprietary system specifications. Under the US CLOUD Act, US-based cloud providers can be compelled to disclose customer data to US authorities regardless of where the data is physically stored. European automotive, aerospace, and defence organisations operating under ITAR (International Traffic in Arms Regulations) export control restrictions cannot use US-hosted infrastructure for certain system models.

sota.io runs on Hetzner infrastructure in Frankfurt, Germany — servers physically located in the EU, operated under German law, subject to GDPR data processing requirements, and outside US jurisdiction. For EU companies verifying safety-critical system specifications:

For ITAR-adjacent aerospace work and EU AI Act compliance documentation, sota.io's data residency guarantee is not a nice-to-have — it is a requirement.

Getting Started

# Clone the UPPAAL service template
git clone https://github.com/sota-io/examples uppaal-service
cd uppaal-service/uppaal

# Deploy
npm install -g sota-cli
sota login
sota deploy --name my-uppaal-verifier --port 3000

Free tier includes sufficient compute for development-scale UPPAAL verification queries. For production CI/CD pipelines running hundreds of verification queries per build, the Pro tier provides dedicated compute and guaranteed response times.

The full UPPAAL tool suite documentation is available at uppaal.org. The UPPAAL model editor (GUI) runs locally; the verification backend (verifyta) is what sota.io hosts as a service for automated pipelines.

Related: Deploy TLA+ to Europe — Deploy Alloy to Europe — Deploy Promela/SPIN to Europe — Deploy Event-B to Europe — Deploy mCRL2 to Europe