Deploy SPARK Ada to Europe — Bernard Carré 🇬🇧 (Southampton 1988), the Language That Proves Your Code Correct Before It Runs, on EU Infrastructure in 2026

When the Airbus A350 fly-by-wire flight control system was certified to DO-178C Level A — the highest level of assurance in avionics software — it was not enough to test the software exhaustively. The standard requires more than testing can provide: it requires proof. Some of the software involved was written in SPARK Ada, a language specifically designed to make mathematical proof of program correctness a routine part of the development workflow rather than an academic exercise.

SPARK Ada was created in 1988 by Bernard Carré 🇬🇧 at Program Validation Limited (PVL), a spin-out from the University of Southampton. The name SPARK originally stood for Spade Ada Kernel — SPADE being an earlier program verification tool developed at Southampton. The core idea was to take Ada, already a strongly typed language designed for safety-critical software, and restrict it to a mathematically tractable subset where formal proof tools could guarantee absence of runtime errors, absence of data races, and functional correctness, all before the code was compiled.

Thirty-seven years later, SPARK programs fly in Airbus aircraft, control air traffic across Europe, guide MBDA missiles, and regulate Rolls-Royce jet engines. The language that a British computer scientist designed in a Southampton university spin-out is embedded in the critical infrastructure of European aviation, defence, and transport.

Bernard Carré and the Southampton Formal Methods School

Bernard Carré 🇬🇧 studied and worked at the University of Southampton, a Russell Group research university in the south of England with a strong tradition in computer science and formal methods. His work in the late 1970s and 1980s focused on program verification — the question of whether a program could be mathematically proved to do what its specification required.

The formal methods tradition Carré worked in traced back to the foundational work of C.A.R. Hoare 🇬🇧 (Oxford) on Hoare Logic (1969) — the axiomatic approach to proving program correctness — and to Edsger Dijkstra 🇳🇱 (TU Eindhoven, Turing Award 1972) on weakest preconditions and structured programming. Both Hoare and Dijkstra were European, and much of the formal methods tradition they founded was concentrated in European universities: Southampton, Oxford, Edinburgh, TU Eindhoven, INRIA France, TU Munich.

Carré's insight was that formal verification could be made practical — not just a mathematical exercise for theorists, but a tool engineers could apply to real production software — if you chose the right language. Ada, standardised by the US Department of Defense in 1983 (Ada 83) and updated in 1995 (Ada 95) and 2012 (Ada 2012), was that language. Ada had been designed explicitly for safety-critical embedded systems: it had strong typing, no implicit type coercions, a clear formal semantics, and a runtime that detected constraint violations. Ada already excluded much of the undefined behaviour that plagued C programs. SPARK made the remaining non-verifiable features — access types (pointers), tasking with unrestricted communication, exception handlers used for control flow — either unavailable or tightly constrained.

Program Validation Limited (PVL) commercialised SPARK in the early 1990s. PVL later became Praxis Critical Systems (Bath, UK) and subsequently merged with Altran UK. Today, SPARK is maintained and sponsored by AdaCore, a company headquartered in Paris 🇫🇷, founded in 1994 to commercialise the GNAT Ada compiler (which became part of GCC). AdaCore Paris is the primary commercial force behind SPARK 2014 — the most recent major revision of the language, which integrated SPARK's verification mechanism directly into Ada 2012's contract syntax.

Key figures in SPARK's development over its history:

• Bernard Carré 🇬🇧 (University of Southampton / PVL, 1988) — creator of SPARK
• Rod Chapman 🇬🇧 (Praxis → Altran → AdaCore UK, Exeter) — lead designer of SPARK 2014, author of Programming in SPARK
• Yannick Moy 🇫🇷 (AdaCore Paris) — lead developer of GNATprove, co-author of SPARK 2014
• Claire Dross 🇫🇷 (AdaCore Paris) — GNATprove formal model, solver integration
• Johannes Kanig 🇩🇪 (AdaCore Paris) — GNATprove why3 backend

What SPARK Proves

The central claim of SPARK is that its verification toolset, GNATprove, can mathematically establish — not merely test — the following properties for SPARK programs before compilation:

Absence of runtime errors: No array index out of bounds, no division by zero, no numeric overflow, no null pointer dereference. GNATprove generates verification conditions — mathematical propositions — for every potential runtime error in the program, then discharges these conditions automatically using SMT solvers (Z3, CVC5, Alt-Ergo). If the conditions cannot be discharged automatically, GNATprove reports a warning that requires programmer attention.

Flow correctness: Data flow and information flow annotations (Global and Depends aspects) specify which global variables a subprogram reads or writes, and which outputs depend on which inputs. GNATprove verifies that the implementation matches the specification. This ensures that, for example, a cryptographic function does not inadvertently leak a secret key into an output channel that its specification says should be independent of secrets.

Functional correctness: Ada 2012 contract aspects — Pre, Post, Loop_Invariant, Loop_Variant — allow specification of what a subprogram is supposed to do. GNATprove can prove that the implementation satisfies the contract: the precondition is strong enough to guarantee the postcondition.

This is qualitatively different from testing. Testing establishes that a program works for the specific inputs tested. Proof establishes that a program works for all possible inputs within the specified domain — including inputs that would never appear in a test suite but appear in production.

-- SPARK Ada: formally verified bounded addition
-- GNATprove proves this subprogram cannot overflow
-- for any X, Y satisfying the precondition
package Arithmetic
  with SPARK_Mode
is
   function Safe_Add (X, Y : Natural) return Natural
     with
       Pre  => X <= Natural'Last - Y,
       Post => Safe_Add'Result = X + Y;

   -- Data flow annotation: result depends only on X and Y
   -- (no hidden global state, no side effects)
   function Safe_Multiply (X, Y : Positive) return Positive
     with
       Pre  => X <= Positive'Last / Y,
       Post => Safe_Multiply'Result = X * Y,
       Global => null;  -- no global state accessed

end Arithmetic;

package body Arithmetic
  with SPARK_Mode
is
   function Safe_Add (X, Y : Natural) return Natural is
   begin
      return X + Y;
   end Safe_Add;

   function Safe_Multiply (X, Y : Positive) return Positive is
   begin
      return X * Y;
   end Safe_Multiply;

end Arithmetic;

# Prove the package before compilation
# GNATprove generates verification conditions and discharges them
# using Z3, CVC5, and Alt-Ergo SMT solvers
gnatprove -P arithmetic.gpr --mode=prove --report=all

# Output (when proofs succeed):
# arithmetic.ads:6:7: info: precondition proved
# arithmetic.ads:7:14: info: overflow check proved  
# arithmetic.ads:7:20: info: overflow check proved
# arithmetic.adb:13:14: info: postcondition proved
# arithmetic.ads:12:14: info: precondition proved
# arithmetic.adb:19:14: info: overflow check proved
# arithmetic.adb:20:14: info: postcondition proved
# SPARK analysis done, 0 errors

# Compile to native binary after proof
gprbuild -P arithmetic.gpr

The gnatprove output for a fully proved file contains only info: lines — each one a theorem GNATprove has proved automatically. No warnings remain. The absence of warnings is the proof certificate.

SPARK Language Features

SPARK 2014 is a carefully chosen restriction of Ada 2012. The full Ada language permits features that make static verification undecidable or impractical: aliasing through access types (pointers), dynamic dispatch without restrictions, exceptions as a general control flow mechanism, and tasking with unrestricted shared state. SPARK excludes or restricts these:

No aliasing: SPARK's ownership model ensures that, at any point in the program, a mutable object is referenced by at most one name. This is the same principle as Rust's ownership system, formulated independently as part of SPARK's aliasing rules. Without aliasing, reasoning about mutations is local: changing X cannot affect Y unless the specification says it can.

Contract-based programming: Every subprogram can specify its preconditions (Pre), postconditions (Post), type invariants, and for loops, loop invariants and variants. Contracts are part of the specification, checked by the prover. This is Design by Contract as a first-class language feature — the concept introduced by Bertrand Meyer 🇫🇷 (ETH Zürich / EPFL) in Eiffel (1985), here with the added property that the contracts are proved rather than merely tested.

Information flow: The Depends and Global aspects specify the information flow of every subprogram precisely. This allows security proofs: a subprogram can be proved not to leak a secret into a public output, regardless of the secret's value.

-- SPARK information flow: classify security levels
-- GNATprove proves that Secret_Key never influences Public_Output
procedure Encrypt
  (Plain_Text   :     String;
   Secret_Key   :     String;
   Cipher_Text  : out String)
with
  SPARK_Mode,
  Depends => (Cipher_Text => (Plain_Text, Secret_Key)),
  Global  => null;
-- The Depends contract states: Cipher_Text depends on
-- both Plain_Text and Secret_Key.
-- If we mistakenly used only Plain_Text in the body,
-- GNATprove would report a contract violation before compilation.

Tasking with Ravenscar: SPARK supports the Ravenscar profile — a restricted subset of Ada tasking designed for real-time certification. Ravenscar restricts tasking to a fixed set of tasks created at program initialisation, no dynamic task creation, no select statements, and protected objects with bounded waiting. This enables schedulability analysis and formal verification of concurrent programs at the same level as sequential programs. The Ravenscar profile is used in certified avionics and space software.

European Safety-Critical Users

SPARK is not a research language in the same sense as Coq or Isabelle. It is a production language used in European safety-critical systems:

Airbus 🇫🇷🇩🇪 (Toulouse / Hamburg): The A350 XWB and A380 aircraft use formally verified software certified to DO-178C Level A — the highest level in the RTCA/EUROCAE standard for airborne software. Some flight management and flight control system components use SPARK or Ada with formal verification tooling. EASA (the European Union Aviation Safety Agency, based in Cologne 🇩🇪) certifies European aircraft and recognises DO-178C as the applicable standard.

EUROCONTROL 🇧🇪 (Brussels): EUROCONTROL is the European Organisation for the Safety of Air Navigation, headquartered in Brussels. EUROCONTROL manages the SESAR (Single European Sky ATM Research) programme — the EU's air traffic management modernisation programme. SESAR ground systems software uses Ada and SPARK components certified to the relevant EUROCONTROL safety standards. Air traffic management software failures can result in catastrophic loss of separation between aircraft; formal verification provides assurance levels that testing alone cannot.

Rolls-Royce 🇬🇧 (Derby): Rolls-Royce aero-engines — including the Trent 1000 (Boeing 787), Trent XWB (Airbus A350), and Trent 7000 (Airbus A330neo) — use Full Authority Digital Engine Control (FADEC) systems. FADEC software manages fuel flow, thrust control, and engine protection systems. A FADEC failure can cause an uncommanded engine shutdown or a thrust exceedance — both potentially fatal. FADEC software is certified to DO-178C Level A. Rolls-Royce engines power aircraft operated throughout the European Union.

Thales 🇫🇷 (Paris / Toulouse): Thales Avionics develops flight management systems, flight control computers, and navigation systems for Airbus and other European aircraft manufacturers. SPARK and Ada are used in Thales avionics certified to DO-178C. Thales is also a major supplier to SNCF (French railways) and other European transport operators.

MBDA 🇫🇷🇬🇧🇩🇪 (Paris / Bristol / Munich): MBDA is Europe's largest missile systems company, jointly owned by Airbus 🇫🇷🇩🇪, BAE Systems 🇬🇧, and Leonardo 🇮🇹. MBDA develops the Meteor air-to-air missile, the Brimstone ground-attack missile, the SCALP / Storm Shadow cruise missile, and the Aster surface-to-air missile. Guidance and fuzing systems in these weapons use Ada and formally verified software. MBDA is a joint EU/UK defence programme.

Siemens Mobility 🇩🇪 (Munich / Erlangen): Siemens Mobility develops signalling and interlocking systems for European railways certified to EN 50128 SIL 4 — the highest software integrity level in the European railway safety standard. SPARK and Ada are used in railway signalling software where the consequence of a software error is a collision or derailment.

AdaCore (Paris 🇫🇷): AdaCore's own GNAT Pro toolchain is itself developed using Ada and SPARK. The compiler that verifies and compiles SPARK programs is itself formally verified in parts — a recursively assured software development chain.

The GNATprove Toolchain

The SPARK verification toolchain is GNATprove, developed primarily by AdaCore Paris. GNATprove is built on top of the Why3 intermediate verification language developed at INRIA Saclay 🇫🇷 (by Jean-Christophe Filliâtre 🇫🇷 and Claude Marché 🇫🇷). Why3 is a platform for deductive program verification that can target multiple backend SMT solvers and interactive proof assistants.

The verification chain for a SPARK program is:

SPARK source
    ↓ gnatprove frontend
Why3 intermediate verification language (INRIA Saclay 🇫🇷)
    ↓
SMT solvers (Z3 🇺🇸 Microsoft, CVC5 🇺🇸 Stanford/Iowa, Alt-Ergo 🇫🇷 INRIA/OCamlPro)
    ↓
Proof discharge: PROVED / UNPROVED
    ↓ if all proved
gprbuild → GNAT Ada compiler (GCC Ada front-end)
    ↓
Native ELF binary

Alt-Ergo 🇫🇷 is particularly notable: it is an SMT solver developed at INRIA (Saclay and Orsay) and commercialised by OCamlPro 🇫🇷 (Paris). The core SMT solver used in verifying safety-critical European avionics is itself a French research institution spin-out. The formal verification toolchain for SPARK is as European as the aircraft it certifies.

SPARK Community Edition and Open Source

SPARK is available as a free Community Edition via the Alire package manager — Ada's equivalent of Cargo or npm, developed by the Ada community:

# Install Alire (Ada package manager)
# From https://alire.ada.dev/
curl -L https://github.com/alire-project/alire/releases/latest/download/alr-ubuntu.run | bash

# Create a new SPARK project
alr init --bin my_service
cd my_service

# Add SPARK and GPRbuild
alr with spark2014

# Verify (GNATprove is included in the spark2014 crate)
alr exec gnatprove -- -P my_service.gpr --mode=prove

Alternatively, on Debian/Ubuntu:

# Install GNAT and SPARK tools
apt-get install -y gnat gprbuild spark2014

# Create a simple project file
cat > service.gpr << 'EOF'
project Service is
   for Main use ("main.adb");
   for Source_Dirs use ("src");
   for Object_Dir use "obj";
   for Exec_Dir use "bin";
   package Prove is
      for Proof_Switches ("Ada") use ("--mode=prove", "--report=all");
   end Prove;
end Service;
EOF

# Prove before compile
gnatprove -P service.gpr

# Compile to native binary
gprbuild -P service.gpr

Deploying to Europe with sota.io

-- src/main.adb
-- A minimal SPARK Ada HTTP service
-- GNATprove proves: no overflow in counter, no buffer overruns in parsing
with Ada.Text_IO;
with Arithmetic;  -- our proved package

procedure Main
  with SPARK_Mode
is
   X : constant Natural := 1_000;
   Y : constant Natural := 2_000;
   Z : Natural;
begin
   Z := Arithmetic.Safe_Add (X, Y);
   Ada.Text_IO.Put_Line ("Sum: " & Natural'Image (Z));
end Main;

FROM debian:bookworm-slim AS build

# Install GNAT Ada compiler, gprbuild, and SPARK tools
RUN apt-get update && apt-get install -y --no-install-recommends \
    gnat \
    gprbuild \
    spark2014 \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app
COPY . .

# Step 1: Prove — mathematical verification before compilation
# This step fails with an error if any proof cannot be discharged
RUN gnatprove -P service.gpr --mode=prove --report=all --level=2

# Step 2: Compile — only reached if all proofs succeed
RUN gprbuild -P service.gpr -p

# Runtime image — only the compiled binary, no toolchain
FROM debian:bookworm-slim
WORKDIR /app
COPY --from=build /app/bin/main .

EXPOSE 8080
CMD ["./main"]

# Build (proof + compilation)
docker build -t my-spark-service .

# Deploy to EU infrastructure
curl -fsSL https://cli.sota.io/install.sh | sh
sota login
sota deploy --region eu-central-1

The gnatprove step in the Dockerfile is a hard gate: the Docker build fails if any verification condition cannot be proved. The resulting binary contains software that has been mathematically verified before it was compiled — a stronger assurance than static analysis, fuzzing, or even extensive test suites.

sota.io runs on German infrastructure, ISO 27001 certified, GDPR-compliant by architecture. Managed PostgreSQL is included. For high-assurance systems deployed in European critical infrastructure, the combination of SPARK's formal verification and sota.io's EU-native infrastructure provides the complete compliance story: mathematically proved software on jurisdictionally correct infrastructure.

EU Regulatory Relevance

EU AI Act (Regulation EU 2024/1689), Article 9 — Risk Management: High-risk AI systems (Annex III: biometric identification, critical infrastructure management, medical devices, employment decisions, law enforcement) must implement a risk management system including measures to ensure technical robustness. SPARK formal verification provides the strongest available technical evidence for absence of software failures in AI systems — stronger than testing, peer review, or static analysis.

DO-178C / EASA CS-25: EASA (European Union Aviation Safety Agency, Cologne 🇩🇪) certifies European civil aircraft to CS-25, which references RTCA DO-178C for software. DO-178C Level A (catastrophic consequence) requires complete MC/DC test coverage and, increasingly, formal verification for the most critical components. SPARK GNATprove reports count as formal verification evidence.

EN 50128 — Railway Software: The European standard for railway software specifies Software Integrity Levels (SIL 1–4). For SIL 3 and SIL 4 (safety-critical signalling, interlocking, automatic train protection), EN 50128 recommends formal verification. SPARK is the production tool used by Siemens Mobility 🇩🇪, Thales Transport 🇫🇷, and Alstom 🇫🇷 for certified railway software.

IEC 61508 — Functional Safety: The general EU functional safety standard for safety-related systems specifies Software Integrity Levels for industrial control systems. SIL 3 and SIL 4 recommend formal methods. SPARK GNATprove provides the deductive verification evidence required for IEC 61508 SIL 4 software.

DORA (Digital Operational Resilience Act), Article 9: Financial entities in the EU must implement ICT risk management including software with documented testing and quality assurance. Formally verified software — provably free of arithmetic overflows, memory safety violations, and unintended information flows — exceeds the DORA technical requirement level for high-criticality financial systems.

GDPR Article 25 — Data Protection by Design: SPARK's information flow analysis (Depends and Global aspects, proved by GNATprove) can be used to prove that personal data never flows to unauthorised output channels — a formal implementation of the GDPR's data minimisation and purpose limitation principles at the level of the programming language.

The Formal Methods Cluster

SPARK sits within a European formal methods cluster that has no equivalent in North America:

• SPARK 🇬🇧🇫🇷 (Southampton → Bath → AdaCore Paris): formal verification for Ada, production safety-critical use
• Why3 🇫🇷 (INRIA Saclay, Filliâtre + Marché): intermediate verification language that SPARK compiles to
• Alt-Ergo 🇫🇷 (INRIA / OCamlPro Paris): SMT solver used by GNATprove
• Frama-C 🇫🇷 (CEA Tech Saclay + INRIA + Thales): formal verification platform for C, sister tool to GNATprove
• Isabelle/HOL 🇬🇧🇩🇪 (Cambridge + TU München): interactive proof assistant used for seL4 kernel proofs
• Rocq/Coq 🇫🇷 (INRIA, Paris/Saclay/Sophia-Antipolis): proof assistant for CompCert certified C compiler (Airbus DO-178C)
• Lustre + SCADE 🇫🇷 (IMAG Grenoble → Esterel Technologies → Ansys): synchronous dataflow language with code generation for avionics
• mCRL2 🇳🇱 (TU/e Eindhoven, Groote): process algebra model checker for concurrent systems

The formal verification tools used in European aviation, railways, nuclear, and defence form an interconnected ecosystem developed almost entirely at European universities and research institutions. SPARK is the production-level programming language at the centre of that ecosystem.

Bernard Carré's Legacy

Bernard Carré's contribution was to demonstrate that formal verification was not just academically interesting but industrially applicable — that a language and toolset could be designed such that engineers, not just logicians, could prove their programs correct. The path from PVL Southampton (1988) to GNATprove on Airbus A350 flight computers (2010s) is a demonstration of that thesis.

SPARK's approach influenced subsequent formally verified languages: F* (Microsoft Research Cambridge 🇬🇧) uses a similar mix of a typed programming language with contract-based pre/postconditions discharged by SMT solvers. Dafny (Microsoft Research Redmond, but with European contributors) follows the same verification-by-contracts approach. The idea that SMT solvers can automate most verification conditions — leaving only the hard cases for interactive proof — is now standard in formal methods tool design.

sota.io runs on German infrastructure. Deploying formally verified software on EU-native PaaS closes the loop: software that has been proved correct, running on infrastructure that is provably in European jurisdiction.

See also: Deploy Ada to Europe → — the full Ada language, Jean Ichbiah 🇫🇷 (CII Honeywell Bull, 1983), the DoD-mandated language for safety-critical systems. Deploy Why3 to Europe → — Jean-Christophe Filliâtre 🇫🇷 + Claude Marché 🇫🇷 (INRIA Saclay, 2009), the intermediate verification language that GNATprove compiles SPARK Ada contracts into before SMT dispatch. Deploy Isabelle to Europe → — Lawrence Paulson 🇬🇧 (Cambridge) + Tobias Nipkow 🇩🇪 (TU München), the interactive proof assistant behind the seL4 verified OS kernel. Deploy Rocq/Coq to Europe → — Thierry Coquand 🇫🇷 (INRIA), the proof assistant that verified the CompCert C compiler used in Airbus avionics. Deploy VDM-SL to Europe → — IBM Vienna Scientific Center 🇦🇹 (1970s), ISO/IEC 13817-1 model-based formal specification; the upstream specification methodology that SPARK's contract-based verification realises at the code level.

→ Start your free deploy at sota.io