Demonstrating SPARK with a Mars Rover (Part 1): Cyber-Physical Systems

Cyber‑physical systems (CPS) blend computation with physical processes, forming the backbone of autonomous vehicles, robotics and aerospace. AdaCore’s recent demonstration with a Mars‑rover prototype showcases how SPARK, Ada’s formal verification language, can bring mathematical certainty to such complex embedded software. By constructing a hardware abstraction layer (HAL) that isolates sensor and actuator calls, developers gain a single point of substitution for simulators, simplifying testing and certification. The effort illustrates that high‑integrity CPS can be built with provable guarantees rather than relying solely on extensive testing.

The HAL adds a façade that unifies rover components and introduces ghost getters for turn, power and sonar distance. Ghost functions exist only in contracts, so SPARK can reason about state without runtime code. Post‑conditions on setters tie the ghost values to hardware actions, enabling proofs such as “setting left motor power to zero leaves right motor unchanged.” With the HAL complete, the rover stack passed SPARK Silver—no run‑time exceptions—and a gold‑level safety property was verified to block forward motion when an obstacle is within the safety threshold.

Formal verification of CPS like the Mars rover signals a shift toward mathematically assured safety in industries where failure is costly. SPARK’s ability to prove both low‑level exception freedom and high‑level functional requirements reduces reliance on costly hardware redundancy and extensive field testing. As aerospace, automotive and industrial automation adopt similar methodologies, development cycles can shorten while certification confidence rises. AdaCore’s demonstration also lowers the barrier for engineers by providing reusable HAL patterns and ghost‑getter techniques, paving the way for broader use of formal methods in next‑generation autonomous systems.