Providing assurance that a software system satisfies its critical properties is difficult, particularly when the system must satisfy many classes of properties, such as safety, fault-tolerance, timing, and security. This paper describes the application of an incremental development and verification approach [13, 14], based on composition and refinement, to an airlock system. Initially, a model of the basic functional behavior of the system is developed and proved to satisfy a set of safety properties. This basic model is then extended with timing behavior. This timed model is a full refinement of the basic model, and related safety properties are shown to still hold for the timed model. In the third and last step, the timed model is extended with fault handling behavior. This “fault-tolerant” model, a partial refinement of the other two models, is shown to satisfy both weakened versions of the safety properties and additional fault-tolerance properties.