Formal Verification of Spacecraft Control Programs Using a Metalanguage for State Transformers

TL;DR

This paper introduces a formal verification method for spacecraft control programs using a metalanguage embedded in Haskell, enabling efficient correctness proofs and reducing verification effort for space electronics.

Contribution

It presents a novel metalanguage for describing program semantics as state transformers, integrated with a strongly-typed host language for formal verification and code generation.

Findings

Successfully verified a control program for the REDFIN space processing core.

Demonstrated reduction in verification effort through type-level proofs.

Applied the approach to an industrial case study with promising results.

Abstract

Verification of functional correctness of control programs is an essential task for the development of space electronics; it is difficult and time-consuming and typically outweighs design and programming tasks in terms of development hours. We present a verification approach designed to help spacecraft engineers reduce the effort required for formal verification of low-level control programs executed on custom hardware. The approach uses a metalanguage to describe the semantics of a program as a state transformer, which can be compiled to multiple targets for testing, formal verification, and code generation. The metalanguage itself is embedded in a strongly-typed host language (Haskell), providing a way to prove program properties at the type level, which can shorten the feedback loop and further increase the productivity of engineers. The verification approach is demonstrated on an industrial case study. We present REDFIN, a processing core used in space missions, and its formal semantics expressed using the proposed metalanguage, followed by a detailed example of verification of a simple control program.