Spark is a formally defined programming language and a set of verification tools specifically designed to support the development of high integrity software. Using Spark, developers can formally verify properties of their code such as

1. • information flow,

2. • freedom from runtime errors,

3. • functional correctness,

4. • security policies, and

5. • safety policies.

Spark meets the requirements of all high integrity software safety standards, including DO-178B/C (and the Formal Methods supplement DO-333), CENELEC 50128, IEC 61508, and DEFSTAN 00-56. Spark can be used to support software assurance at the highest levels specified in the Common Criteria Information Technology Security Evaluation standard.

It has been twenty years since the first proof of a nontrivial system was written in Spark (Chapman and Schanda, 2014). The 27,000 lines of Spark code for SHOLIS, a system that assists with the safe operation of helicopters at sea, generated nearly 9,000 verification conditions (VCs). Of these VCs, 75.5% were proven automatically by the Spark tools. The remaining VCs were proven by hand using an interactive proof assistance tool. Fast-forward to 2011 when the NATS iFACTS enroute air traffic control system went online in the United Kingdom. The 529,000 lines of Spark code were proven to be “crash proof.” The Spark tools had improved to the point where 98.76% of the 152,927 VCs were proven automatically. Most of the remaining proofs were accomplished by the addition of user-defined rules, leaving only 200 proofs to be done “by review.”

Although Spark and other proof tools have significant successes, their use is still limited. Many software engineers presume that the intellectual challenges of proof are too high to consider using these technologies on their projects. Therefore, an important goal in the design of the latest version of Spark, called Spark 2014, was to provide a less demanding approach for working with proof tools. The first step toward this goal was the arrival of Ada 2012 with its new syntax for contracts. We no longer need to write Spark assertions as special comments in the Ada code. The subset of Ada that is legal as Spark language has grown to encompass a larger subset of Ada, giving developers a much richer set of constructs from which to develop their code.