Clock synchronization in an N-modular redundant system

High integrity computer systems such as those found in aircraft and spacecraft often rely on fault tolerance to maintain functionality in the presence of one or more faults. A common strategy consists in comparing the output of functionally identical computers, allowing the output of healthy computers to mask out the output of faulty computers. This approach is generally known as N-Modular redundancy and requires that the redundant computers maintain a high degree of synchronization, as comparing the output of well functioning but out sync computers would defeat the fault detection strategy. The challenge is to devise a robust method for keeping healthy computers synchronized in the presence of potentially malfunctioning computers. The novice might suggest synchronizing the redundant computers to a common hardware clock, but this leads to a single point of failure should this hardware clock become faulty. The solution is not to rely on one hardware clock, but to synchronize the clocks in the redundant computers, thereby defining a distributed global common clock. This paper describes the clock synchronization strategy and implementation used in the Redundancy Management System (RMS) developed at Honeywell Aerospace Electronic Systems.