Hierarchical Approach to Computer System Integrity

NCJ Number: 79396
Journal: IBM Systems Journal, Volume 14, Issue 2 (1975), Pages 188-202
Author(s): J J Donovan; S E Madnick
Date Published: 1975
Length: 15 pages
Annotation
The software security and reliability attainable through the use of the Virtual Machine Facility/370 (VM/370), a three-level structure which can easily be extended to more levels, are discussed, as compared to the security and reliability possible in the conventional two-level multiprogramming system.
Abstract
An operating system's reliability is its ability to supply service despite all abnormal software (and most abnormal hardware) conditions, whether accidental or malicious. Operating system integrity exists when the system functions correctly under all circumstances. Since no major software system has withstood determined penetration efforts, the most that can currently be achieved is to build as much security and reliability into the software as possible and to minimize the impact of a malfunction. In pursuit of these goals, numerous computer scientists have observed that the design of an operating system can be simplified, and its integrity improved, by a careful decomposition that separates the most critical functions from the successively less critical functions, and systemwide functions from user-related functions. The VM/370 system accomplishes this by enabling a single System/370 to appear functionally as if it were multiple independent System/370s. Thus, a virtual machine monitor (VMM) can make one computer system function as if it were multiple physically isolated systems. In the conventional two-level operating system approach, a single logical error in the operating system software can invalidate the entire security mechanism. Furthermore, there is no more protection between the programs of differing application subsystems, or between those programs and the operating system, than there is between the programs of a single application subsystem. A virtual machine facility such as VM/370 can convert a two-level conventional operating system into a three-level hierarchically structured operating system, thereby providing redundant security mechanisms. Illustrations and 30 references are provided.