Formal Validation of Fault-tolerance Mechanisms