Our author asks: "but how can you actually prove that your design is error-free?"
The answer is it is difficult but possible. It requires the use of technologies people are generally not familiarized with, such as proof assistants -- prominent examples are Coq, Isabelle/HOL, and ACL2.
There exist, at this point, actual formally verified software artifacts of quite substantial complexity -- the seL4 microkernel, the CompCert C compiler, the Quark browser, and a number of others.
Sadly, very few people outside of academia are familiar with the existence of formal verification tools for software, and the documentation for such systems is (to say the least) non-transparent. The best tool at the moment, Coq, practically requires that its users learn quite a bit about Martin-Löf type theory in order to work effectively in it.
That said, such tools are clearly the way to deal with such things going forward.
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." --Brian Kernighan
Now, add a complex physical system interacting with the code under test and things become even worse... My first reaction is that you can "asymptotically" check the code of a system such as the one you describe, but the coverage will never be perfect -- no matter if you do it by hand or using an automated tool.
It requires the use of technologies people are generally not familiarized with, such as proof assistants -- prominent examples are Coq, Isabelle/HOL, and ACL2.
FWIW I did a google search and came up with this book which looks like one place to start. As you say all the references look highly theoretical. Do you know of any practical courses on the subject (perhaps even at EE Live!).
I'd recommend Coq at this point, rather than Isabelle.
The path to understanding how to use the tool for purposes like this is not, unfortunately, easy. Good examples of projects that have been formally verified using Coq would include CompCert (publications: http://compcert.inria.fr/publi.html ) and Quark ( http://goto.ucsd.edu/quark/ ) -- looking at them may give you some hint of what is possible and how difficult it might be.
Benjamin Pierce's "Software Foundations" ( http://www.cis.upenn.edu/~bcpierce/sf/ ) is probably a good place to get some background while simultaneously learning a bit of Coq. The book Certified Programming with Dependent Types ( http://adam.chlipala.net/cpdt/ ) intends to teach one specifically how to use Coq to write verified programs, but I caution it is not easy going. There is also a book on Coq itself called CoqArt ( http://www.labri.fr/perso/casteran/CoqArt/index.html ) that is not bad.
If this all makes it sound like this is Not An Easy Thing To Learn, that's because it isn't. The state of the art has advanced dramatically in 20 years, from the point where contemplating proving something as big as a compiler correct was impossible to the point where it is feasible for very dedicated PhD students to work on such a thing. However, productizing the work of the innovators in this field is something that has not yet happened. Documentation is sketchy, tools are difficult to use, and the level of complexity remains very high.
That said, it is in fact now feasible for smart people to do this stuff, and the result of formally verified programs is true assurance of correctness.
Languages like Haskell are very cool things, but they're not per se ways of producing formally verified code. To do that, you need to produce a statement of what your program is supposed to do in formal logic and then demonstrate that your program actually does it with something like a proof assistant -- not something Haskell or Spark ADA are designed for. That said, Haskell was used to produce the executable model against which the C code used in the seL4 project was validated.
"But it still doesn't prove the widget will do what you actually wanted it to do - only that the two models do the same thing under a (hopefully) more exhaustive set of conditions" -- well, sort of.
It is true that you have to be able to explain in logic what you want the system to do, and the need for such specifications has often been held out as a reason that formal methods can never work. However, I think that's just sour grapes from the days when formal methods were *really* impractical twenty years ago. Not that long ago we *couldn't* actually prove significant systems correct, and so we convinced ourselves that even if we could we would never be able to figure out what properties we wanted proven correct anyway -- just like the fox and the grapes. In practice, I think people often overestimate how troublesome it is to produce a logical statement of the desired behavior vs. implementation.
Consider as a trivial example a sorting routine. The output is supposed to be a permutation of the input in which no element is larger than the next (or smaller than the next depending on sort direction). This is very compact to express in logic -- but there are dozens and dozens of algorithms that will do it, and expressing most of them is substantially more complicated than the correctness condition.
That said, doing things like producing the formal semantics for C to permit the statement of the correctness condition for CompCert was certainly a huge effort, and I don't want to claim that it is not a significant effort in many cases to produce a good statement in formal logic. What I'm trying to claim is that this problem is not, in fact, insurmountable.
Indeed, producing statements about correctness constraints in a safety critical system is often quite straightforward. In particular, the control problem described by the original article has safety conditions that are likely quite compactly described.