The proposed research addresses the problem of designing computer systems and networks that must simultaneously and dependably satisfy a set of critical system requirements, e.g., involving protection of human lives and other valuable resources. It seeks to establish a generalized notion of trust and trustworthiness for the entire set of visible system properties (namely requirements such as human safety, reliability, and security) and other internal properties, to pursue design structures that explicitly reflect the generalized trustworthiness, to formulate specific properties at the various design layers, and to derive dependencies among these properties, including the behavior of the constituent computer systems, the environment, and relevant people in the loop. Thus, the proposed work will attempt to extend recent work in formal modeling and formal analysis of security and fault tolerance, encompassing intuitive, semiformal, and formal representations of the relevant properties, as appropriate.