Computer systems are increasingly employed in circumstances where their failure (or even their correct operation, if they are built to flawed requirements) can have serious consequences. There is a surprising diversity of opinion concerning the properties that such critical systems should possess, and the best methods to develop them. The dependability approach grew out of the tradition of ultra-reliable and fault-tolerant systems, while the safety approach grew out of the tradition of hazard analysis and system safety engineering. Yet another tradition is found in the security community, and there are further specialized approaches in the tradition of real-time systems. This article examines the critical properties considered in each approach, and the techniques that have been developed to specify them and to ensure their satisfaction. Since systems are now being constructed that must satisfy several of these critical system properties simultaneously, there is particular interest in the extent to which techniques from one tradition support or conflict with those of another, and in whether certain critical system properties are fundamentally compatible or incompatible with each other. As a step toward improved understanding of these issues, a taxonomy is suggested, based on Perrow's analysis (Perrow, C. Normal Accidents: Living with High Risk Technologies. Basic Books, New York, 1984), that treats the complexity of component interactions and the tightness of coupling as the primary factors.