When building dependable systems by integrating untrusted software components that were not originally designed to interact with each other, it is inevitable the occurrence of architectural mismatches related to assumptions in the failure behaviours. These mismatches if not prevented during system design have to be tolerated during runtime. This paper presents an architectural abstraction based on exception handling for structuring fault-tolerant software systems. This abstraction comprises several components and connectors that transform an existing untrusted software element into an idealised fault-tolerant architectural element. The proposed rigorous approach relies on a formal representation for analysing exception propagation, and verifying important dependability properties. Beyond this, the formal models are also used for generating unit and integration test cases that would be used for validating the final software product. The feasibility of the proposed approach was evaluated on an embedded critical case study. © Springer-Verlag Berlin Heidelberg 2007.4746 LNCS 7594Abrial, J.-R., (1996) The B-book: Assigning programs to meanings, , Cambridge University Press, New YorkAmnell, T., Behrmann, G., Bengtsson, J., D'Argenio, P.R., David, A., Fehnker, A., Hune, T., Yi, W., Uppaal - Now, Next, and Future (2001) LNCS, 2067, pp. 100-125. , Cassez, F, Jard, C, Rozoy, B, Ryan, M, eds, MOVEP 2000, Springer, HeidelbergAnderson, T., Lee, P.A., (1981) Fault Tolerance: Principles and Practice, , Prentice-Hall, Englewood CliffsBass, L., Clements, P.C., Kazman, R., (2003) Software Architecture in Practice, , 2nd edn. Addison-Wesley, ReadingBertolino, A., Marchetti, E., Muccini, H.: Introducing a reasonably complete and coherent approach for model-based testing. Electr. Notes Theor. Comput. Sci. 116, 85-97 (2005)Binder, R.V., (1999) Testing object-oriented systems: Models, patterns, and tools, , Addison-Wesley Longman Publishing Co, Inc, Redwood City, CA, USABrito, P.H.S., de Lemos, R., Martins, E., Rubira, C.M.F., Verification and validation of a fault-tolerant architectural abstraction (2007) DSN Workshop on Architecting Dependable Systems (WADS, , Edinburgh, Scotland, UK Accepted for publicationBrookes, S.D., Hoare, C.A.R., Roscoe, A.W., A theory of communicating sequential processes (1984) J. ACM, 31 (3), pp. 560-599Castor Filho, F., Cacho, N., Figueiredo, E., Ferreira, R., Garcia, A., Rubira, C.M.F., Exceptions and aspects: The devil is in the details (2006) Proceedings of the 14th ACM SIGSOFT FSE, pp. 152-162. , NovemberCastor Filho, F., da Silva Brito, P.H., Rubira, C.M.F., Specification of exception flow in software architectures (2006) Journal of Systems and Software, , OctoberCastor Filho, F., de Castro Guerra, P.A., Rubira, C.M.F.: An architectural-level exception-handling system for component-based applications. In: de Lemos, R., Weber, T.S., Camargo Jr., J.B. (eds.) LADC 2003. LNCS, 2847, pp. 321-340. Springer, Heidelberg (2003)Clements, P., (2003) Documenting Software Architectures: Views and Beyond, , Addison-Wesley, ReadingCristian, F., Exception handling (1989) Dependability of Resilient Computers, pp. 68-97. , Blackwellda Silva Brito, P.H., de Lemos, R., Filho, F.C., Rubira, C.M.F., Architecturecentric fault tolerance with exception handling (2007), Technical Report IC-07-04. State University of Campinas FebruaryBrito, P.H.S., Rocha, C.R., Castor Filho, F., Martins, E., Rubira, C.M.F.: A method for modeling and testing exceptions in component-based software development. In: Maziero, C.A., Silva, J.G., Andrade, A.M.S., Assis Silva, F.M.d. (eds.) LADC 2005. LNCS, 3747, pp. 61-79. Springer, Heidelberg (2005)de Castro Guerra, P.A., Rubira, C., de Lemos, R., A fault-tolerant software architecture for component-based systems (2003) LNCS, 2677, pp. 129-149. , de Lemos, R, Gacek, C, Romanovsky, A, eds, Architecting Dependable Systems, Springer, Heidelbergde Lemos, R., de Castro Guerra, P.A., Rubira, C.M.F., A fault-tolerant architectural approach for dependable system (2006) IEEE Software, 23 (2), pp. 80-87McMillan, K.L., The SMV system (1992), Technical Report CMU-CS-92-131, Carnegie Mellon UniversityGray, J., Reuter, A., (1993) Transaction Processing: Concepts and Techniques, , Morgan Kaufmann, San FranciscoIssarny, V., Banatre, J.P., Architecture-based exception handling (2001) Proceedings of the 34th Annual Hawaii International Conference on System SciencesJackson, D., Alloy: A lightweight object modelling notation (2002) Software Engineering and Methodology, 11 (2), pp. 256-290Jackson, D., Schechter, I., Shlyahter, H., Alcoa: The alloy constraint analyzer (2000) ICSE '00: Proceedings of the 22nd international conference on Software engineering, pp. 730-733. , ACM Press, New YorkLee, P.A., Anderson, T., Fault Tolerance: Principles and Practice (1990) Dependable computing and fault-tolerant systems, , 2nd edn, Springer, Berlin, New YorkLeuschel, M., Butler, M.J.: Prob: A model checker for b. In: Araki, K., Gnesi, S., Mandrioli, D. (eds.) FME 2003. LNCS, 2805, pp. 855-874. Springer, Heidelberg (2003)Parnas, D.L., Würges, H., Response to undesired events in software systems (1976) Proceedings of the 2nd International Conference on Software Engineering, pp. 437-446. , San Francisco, USA, pp, OctoberRandell, B., System structure for software fault tolerance (1975) IEEE Transactions on Software Engineering, 1 (2), pp. 221-232Reimer, D., Srinivasan, H., Analyzing exception usage in large java applications (2003) LNCS, 2743. , Cardelli, L, ed, ECOOP 2003, Springer, HeidelbergSchneider, S., Treharne, H., Communicating b machines (2002) LNCS, 2272, pp. 416-435. , Bert, D, Bowen, J.P, Henson, M.C, Robinson, K, eds, B 2002 and ZB 2002, Springer, HeidelbergSloman, M., Kramer, J., (1987) Distributed systems and computer networks, , Prentice Hall International (UK) Ltd, Hertfordshire, UKTaylor, R.N., Medvidovic, N., Anderson, K., Whitehead, J.E.J., Robbins, J., A component- and message- based architectural style for GUI software (1995) Proceedings of the 17th International Conference on Software Engineering, pp. 295-304. , AprilWeimer, W., Necula, G., Finding and preventing run-time error handling mistakes (2004) Proceedings of OOPSLA, pp. 419-433. , Vancouver, Canada, pp, October