A fault-tolerant clock by Daley, W. P. & McKenna, J. F., Jr.
[Figure: Clock Element]
August 1973	 B73-10218 
NASA TECH BRIEF 
Lyndon B. Johnson Space Center 
NASA Tech Briefs announce new technology derived from the U.S. space program. They are issued to encourage 
commercial application. Tech Briefs are available on a subscription basis from the National Technical Information 
Service, Springfield, Virginia 22151. Requests for individual copies or questions relating to the Tech Brief program may 
be directed to the Technology Utilization Office, NASA, Code KT, Washington, D.C. 20546. 
A Fault-Tolerant Clock 
The problem: 
In many applications, computers must be fault-tolerant. 
They must continue to operate correctly even 
though one or more of the components have failed. 
Such computers must have, among other things, a 
fault-tolerant clock to insure that all operations occur in the 
proper sequence. 
The solution: 
An electronic clock has been designed to be insensitive 
to the occurrence of faults. It is a substantial 
advance over any known electronic clock. 
How it's done: 
Let $A_1$, $A_2$, and $A_3$ be three independent determinations 
of the same quantity; then the value of a simple 
majority voter function 
$A = (A_1 A_2 + A_1 A_3 + A_2 A_3)$ 
will not change if only one $A_i$, say $A_3$, fails as long as 
$A_1 = A_2$. But, without accurate timing it is possible for $A_3$ to 
fail and for $A_1$ and $A_2$ to be out of step so that 
$A_1 \neq A_2$. In this case $A = A_3$, and the failure is propagated; 
since the clock is itself the timing mechanism, the 
majority voter function will not insure fault tolerance. 
Instead, quorum functions are used. The quorum 
function $Q_i^n$ is defined to be logical "1" if at least $i$ of 
the variables $A_1, A_2, \ldots, A_n$ are "1", and logical "0" 
otherwise. For example: 
$Q_1^4 = A_1 + A_2 + A_3 + A_4$ = "1" when at least one $A_i$ = "1" 
$Q_2^4 = A_1 A_2 + A_1 A_3 + A_1 A_4 + A_2 A_3 + A_2 A_4 + A_3 A_4$ = "1" 
when at least two $A_i$'s = "1" 
$Q_3^4 = A_1 A_2 A_3 + A_1 A_2 A_4 + A_1 A_3 A_4 + A_2 A_3 A_4$ = "1" 
when at least three $A_i$'s = "1" 
$Q_4^4 = A_1 A_2 A_3 A_4$ = "1" when all four $A_i$'s = "1". 
A change in the value of $Q$ is represented by $Q^+$ for 
a "0" to "1" change and by $Q^-$ for a "1" to "0" 
change. 
This document was prepared under the sponsorship of the National 
Aeronautics and Space Administration. Neither the United States 
Government nor any person acting on behalf of the United States 
Government assumes any liability resulting from the use of the 
information contained in this document, or warrants that such use 
will be free from privately owned rights. 
https://ntrs.nasa.gov/search.jsp?R=19730000218 2020-03-17T07:12:09+00:00Z
A general fault-tolerant clock can be understood from 
the design of a single-fault-tolerant clock with $i = 1, 2, 3$, or 
4 (see figure). The first element generates $Q_2^4$ and $Q_3^4$. 
Each $A_i$ is the output of one of four R-S flip-flops. The 
events 
$Q_2^{4+}$, $Q_2^{4-}$, $Q_3^{4+}$, or $Q_3^{4-}$ 
may occur. The signals from these events will drive the 
differentiators which set and reset each flip-flop 
corresponding to an $A_i$ in the following manner: 
$Q_2^{4+}$ will set the $A_i$ to logical "1". 
$Q_2^{4-}$ will be delayed by $\Delta T$ and then set the $A_i$ to "1". 
$Q_3^{4-}$ will reset the $A_i$ to the logical "0". 
$Q_3^{4+}$ will be delayed by $\Delta T$ and then reset the $A_i$ to "0". 
The normal mode of operation is as follows: 
When two of the four $A_i$'s become "1", the event $Q_2^{4+}$ occurs. 
The event $Q_2^{4+}$ sets the remaining $A_i$'s to "1". 
The setting of the third and fourth $A_i$ to "1" causes $Q_3^{4+}$ to occur. 
The signal from $Q_3^{4+}$ is delayed $\Delta T$ and then resets $A_i$ to "0". 
When any two $A_i$'s become "0", $Q_3^{4-}$ occurs and resets the 
remaining two $A_i$'s to "0". 
The resetting of the third $A_i$ to "0" causes $Q_2^{4-}$ to occur. 
The signal from $Q_2^{4-}$ is delayed $\Delta T$ and sets the $A_i$ to "1". 
When two of the four $A_i$'s become "1", the event $Q_2^{4+}$ occurs. 
With a single fault one $A_i$ is replaced with an 
indeterminate quantity. The behavior of the four-variable 
quorum function may, in this case, be described 
in terms of three-variable functions of the nonfailed 
elements. 
For instance, the event $Q_2^{4+}$ will occur at $Q_1^{3+}$ (if the 
indeterminate $A_i$ happens to be "1") or at $Q_2^{3+}$ (if the 
indeterminate $A_i$ happens to be "0"). In this way, four- 
and three-group functions are related as below: 
$Q_2^{4+}$ will occur between $Q_1^{3+}$ and $Q_2^{3+}$; 
$Q_3^{4+}$ will occur between $Q_2^{3+}$ and $Q_3^{3+}$; 
$Q_3^{4-}$ will occur between $Q_3^{3-}$ and $Q_2^{3-}$; and 
$Q_2^{4-}$ will occur between $Q_2^{3-}$ and $Q_1^{3-}$. 
A cycle of events occurs as in the unfailed case. Since, 
however, only three of the $A_i$'s are known, the cycle is 
defined in terms of the three-group functions. 
The sequence of events is unchanged in the failed 
mode because the interval in which $Q_2^4$ is indeterminate 
does not overlap the interval in which $Q_3^4$ is indeterminate. 
Because the sequence is unchanged, the frequency 
is unchanged. 
A general fault-tolerant clock, which will tolerate $r$ 
faults, can be made by using functions $Q_x^n$ and $Q_y^n$ where 
$x$ and $y$ are chosen as follows: 
$n \geq 3r + 1$, $x \geq r + 1$, and $y \geq 2r + 1$. 
The modes of operation are essentially the same as in 
the single-fault-tolerant clock. A system element can 
generate a valid clock signal by a simple majority vote 
among any $2r + 1$ of the $3r + 1$ $A_i$'s. 
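The following Python example is added here and is not part of the Tech Brief. It checks three of the brief's claims exhaustively, generalized from the single-fault case to r faults with n = 3r + 1, x = r + 1 and y = 2r + 1: the simple voter passes a fault through when the two good inputs are out of step, the two quorum functions stay bracketed by quorum functions of the good elements alone, and a majority vote over any 2r + 1 outputs is valid. The function names are illustrative, and a fault is assumed to mean an output that may take either logic value.

```python
from itertools import combinations, product

def quorum(i, bits):
    """Quorum function: 1 if at least i of the inputs are 1, otherwise 0."""
    return int(sum(bits) >= i)

def majority3(a1, a2, a3):
    """Simple majority voter A = A1A2 + A1A3 + A2A3."""
    return (a1 & a2) | (a1 & a3) | (a2 & a3)

def voter_propagates_fault():
    """True if A equals A3 whenever A1 and A2 are out of step (A1 != A2)."""
    return all(majority3(a1, 1 - a1, a3) == a3
               for a1, a3 in product((0, 1), repeat=2))

def states(r):
    """Yield (all n bits, good bits) for every fault placement and fault value."""
    n = 3 * r + 1
    for faulty in combinations(range(n), r):
        good_idx = [k for k in range(n) if k not in faulty]
        for good in product((0, 1), repeat=len(good_idx)):
            for bad in product((0, 1), repeat=r):  # faulty outputs are arbitrary
                bits = [0] * n
                for k, v in zip(good_idx, good):
                    bits[k] = v
                for k, v in zip(faulty, bad):
                    bits[k] = v
                yield bits, good

def bounds_hold(r):
    """Bracket both quorum functions by functions of the 2r+1 good elements.

    With x = r+1 and y = 2r+1 the check is
      Q_x(good) <= Q_x(all) <= Q_1(good)
      Q_y(good) <= Q_y(all) <= Q_x(good)
    so the two uncertainty windows share only the endpoint Q_x(good).
    """
    x, y = r + 1, 2 * r + 1
    return all(quorum(x, good) <= quorum(x, bits) <= quorum(1, good) and
               quorum(y, good) <= quorum(y, bits) <= quorum(x, good)
               for bits, good in states(r))

def vote_is_valid(r):
    """Majority of any 2r+1 outputs equals the good value when good elements agree."""
    n, m = 3 * r + 1, 2 * r + 1
    return all(quorum(r + 1, [bits[k] for k in subset]) == good[0]
               for bits, good in states(r) if len(set(good)) == 1
               for subset in combinations(range(n), m))

if __name__ == "__main__":
    print(voter_propagates_fault(), [bounds_hold(r) for r in (1, 2)], vote_is_valid(1))
```

For r = 1 the bounds are exactly the four-variable and three-variable relations of the single-fault-tolerant clock.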
Note: 
Requests for further information may be directed to: 
Technology Utilization Officer 
Lyndon B. Johnson Space Center 
Code JM7 
Houston, Texas 77058 
Reference: TSP73-10218 
Patent status: 
This invention is owned by NASA, and a patent 
application has been filed. Inquiries concerning 
nonexclusive or exclusive license for its commercial 
development should be directed to: 
Patent Counsel 
Lyndon B. Johnson Space Center 
Code AM 
Houston, Texas 77058 
Source: W. P. Daley and J. F. McKenna, Jr., of 
Massachusetts Institute of Technology 
under contract to
Johnson Space Center
(MSC-12531)
B73-10218	 Category 09
