Traditionally, e.g. when using DO-178B, we have relied on structured and formalized testing to assure safety, but the limitations of testing are well known. On the other hand, it is not feasible to use proof techniques for an entire application. That's partly a limitation of our proving capabilities, but partly fundamental. For instance we can't easily prove that the specification itself is correct or that the hardware operates as expected. So we will always be stuck with some testing. This paper discusses how testing and proof are used in practice, and considers the issue of how to combine tests and proofs in a single application.