An exercise in systematically deriving fault-tolerance specifications