This work addresses the prevalence of erroneous conclusions in scientific experimental design due to overlooked confounding variables and the absence of formal verification methods meeting the rigorous standards of programming language communities. It presents the first probability-free semantic characterization of the d-separation criterion in causal inference, establishing its equivalence to non-interference semantics from security theory. By integrating graph theory, formal semantics, and program analysis, the authors mechanize this result in the theorem prover Rocq, thereby formally verifying the semantic correctness of d-separation. This foundational contribution enables automated, falsifiable, and formally verifiable modeling of real-world systems, offering a principled basis for assessing the quality of experimental designs.

The design of scientific experiments deserves its own variation of formal verification to catch cases where scientists made important mistakes, such as forgetting to take confounding variables into account. One of the most fundamental underpinnings of science is causality, or what it means for interventions in the world to cause other outcomes, as formalized by computer scientists like Judea Pearl. However, these ideas had not previously been made rigorous to the standards of the programming-languages community, where one expects a (syntactic) program analysis to be proved sound with respect to a natural semantics. In the domain of causality, as the relevant "program analysis," we focus on $d$-separation, a classic condition on graphs that can be used to decide when the design of an experiment controls for sufficiently many confounding variables, even though the reason that this condition works is often unintuitive. Our central result (mechanized in Rocq) is that $d$-separation exactly coincides with a novel semantic definition inspired by noninterference from the theory of security. This characterization provides a structural semantic foundation for $d$-separation and helps explain why the graph-theoretic condition is correct, independently of probabilistic assumptions. For each given automated test on the quality of an experiment design, our theorem justifies an associated method for falsifying the world-modeling hypothesis behind the experiment.