A survey of provably correct fault-tolerant clock synchronization techniques by Butler, Ricky W.
NASA Technical Memorandum 100553

A SURVEY OF PROVABLY CORRECT FAULT-TOLERANT CLOCK SYNCHRONIZATION TECHNIQUES

(NASA-TM-100553) N88-20894, 28 p, CSCL 09B, Unclas, G3/62

Ricky W. Butler
February 1988

National Aeronautics and Space Administration
Langley Research Center
Hampton, Virginia 23665-5225

https://ntrs.nasa.gov/search.jsp?R=19880011510 2020-03-20T06:29:21+00:00Z
INTRODUCTION 
The reliability of a fault-tolerant computer system depends critically upon adequate synchronization between its redundant processors. It is important that the synchronization algorithm maintain proper synchronization of the good clocks even in the presence of other faulty clocks. Many times ad-hoc techniques are used to develop the synchronization system of a fault-tolerant system. Unfortunately, synchronization systems can appear to be sound under a careful Failure Modes and Effects Analysis (FMEA), yet be susceptible to subtle failures. For example, the "intuitively correct" 3-clock, mid-value select synchronization algorithm is not fault-tolerant. A single faulty clock can cause the other two good clocks to become desynchronized. The clock synchronization problem is far more subtle than it appears on the surface. Ad hoc algorithms are often assumed to be correct without rigorous analysis. Furthermore, despite the fact that the synchronization algorithm is the foundation of many fault-tolerant systems, the probability of system failure due to a synchronization failure traditionally has not been included in the reliability analysis of such systems (ref. 1).

Recently, many provably correct fault-tolerant clock synchronization algorithms have appeared in the literature. Provided with each algorithm is a mathematical theorem which provides a bound on the clock skew as a function of measurable system parameters such as the maximum drift rate between good clocks or the maximum error in reading another non-failed processor's clock. It is no more difficult to build a system using one of these provably correct algorithms than it is to build one using an algorithm based on intuition. It is not necessary for fault-tolerant system designers to invent new algorithms and perform elaborate mathematical proofs, since such work is readily available. System designers can concentrate on methods to efficiently implement these existing algorithms. Some important implementation issues are discussed in Appendix A.

It is the goal of this paper to present (in a consistent notation) the fault-tolerant clock synchronization algorithms which have appeared in the literature. The associated performance theorems will be presented along with a discussion of the assumptions of the techniques.
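The failure of 3-clock mid-value select mentioned above, as an added simulation that is not part of the memorandum. Two good clocks A and B each adopt the median of the three values they see; a faulty clock X shows a different value to each of them (a "two-faced" failure), so each good clock's own value is always the median, no correction is ever applied, and drift separates A and B without bound. The drift amounts and the values X reports are constructed for illustration; the same loop with a non-faulty X shows the clocks staying together.

```python
"""Added example (not from the memorandum): why 3-clock mid-value select is not
fault-tolerant. Two good clocks A and B take the median of the three values they
see; a faulty clock X shows a different value to each of them (a "two-faced"
failure). Drift amounts and the reported values are constructed for illustration."""


def mid_value_select(own, other, faulty_view):
    """Return the value a clock adopts: the median of the three values it sees."""
    return sorted([own, other, faulty_view])[1]


def run_rounds(a, b, drift_a, drift_b, faulty_view_of, rounds):
    """Simulate `rounds` resynchronization periods.

    a, b            current values of the two good clocks (same units, e.g. microseconds)
    drift_a/drift_b amount each good clock gains per period relative to real time
    faulty_view_of  function (clock_name, a, b) -> value clock X shows to that clock
    Returns the list of skews |a - b| measured at the end of each period.
    """
    skews = []
    for _ in range(rounds):
        # Each good clock resynchronizes using the three values it sees.
        new_a = mid_value_select(a, b, faulty_view_of("A", a, b))
        new_b = mid_value_select(b, a, faulty_view_of("B", a, b))
        # Then the clocks drift until the next period.
        a, b = new_a + drift_a, new_b + drift_b
        skews.append(abs(a - b))
    return skews


def two_faced(name, a, b):
    """Malicious X (assumes a < b, which holds throughout the demo): appears far
    below A to A and far above B to B, so each good clock's own value is the
    median and no correction is ever applied."""
    return a - 1000.0 if name == "A" else b + 1000.0


def honest(name, a, b):
    """Non-faulty X sitting between A and B."""
    return (a + b) / 2.0


def skew_growth(rounds=10):
    """Skew after `rounds` periods with a malicious X versus an honest X.
    Starting skew is 10 units; A loses and B gains 1 unit per period, so the
    unconstrained drift separates them by 2 units per period."""
    malicious = run_rounds(0.0, 10.0, -1.0, +1.0, two_faced, rounds)
    benign = run_rounds(0.0, 10.0, -1.0, +1.0, honest, rounds)
    return malicious[-1], benign[-1]


if __name__ == "__main__":
    bad, good = skew_growth()
    print(f"skew after 10 periods: malicious X = {bad}, honest X = {good}")
```

With the honest third clock the skew settles at the per-period drift (2 units) and stays there; with the two-faced clock it grows by 2 units every period, which is exactly the unbounded separation the text warns about.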
SYMBOLS

b       mean time for a processor to read another processor's clock
Cp(t)   clock p's value at real time t
eqp     clock read error -- the error in the clock value obtained by processor p when reading clock q
m       number of faulty clocks in the system
n       total number of clocks in the system
rp(T)   the real time when clock p's value is T
R       time between resynchronizations (i.e. synchronization period)
S       time required to execute/perform synchronization algorithm
T(i)    the ith synchronization period
δ       maximum skew between any two clocks in the system
δ0      initial skew between clocks in the system
Δqp     the apparent clock skew between processors q and p as perceived by processor p
        Correction to clock p during the ith resynchronization period
ε       the maximum clock read error (eqp)
ρ       maximum drift rate of all the clocks in the system
PRELIMINARY CONCEPTS 
Definition of a clock 
It is convenient to define a clock as a function from real time t to clock time T: C(t) = T. Real time will be distinguished from clock time by the use of small letters for real time and capital letters for clock time. The concept of a clock function is illustrated in figure 1. Since a properly functioning clock is a monotonic increasing function, its inverse function is well-defined. Some of the clock synchronization theorems are formulated using the clock function and others using the inverse function: $r(T) = C^{-1}(T) = t$. A clock function will be designated by a capital C and the inverse function by a lowercase r.¹

¹ Although C(t) and r(T) are different functions, they represent the same clock from two different perspectives. Sometimes it is necessary to switch from one view to the other. This does not change the clock itself.

Figure 1. The clock function (clock time T plotted against real time t; the line C(t) = t is a perfect clock).
Subscripts will be used to distinguish different clocks, for example,

  Cp(t) -- clock p's value at real time t
  Cq(t) -- clock q's value at real time t
  rp(T) -- the real time when clock p's value is T
We will let n represent the total number of clocks in the system and m the 
number of faulty clocks. 
Drift Rates of Nonfaulty Clocks 
A fault tolerant system typically consists of several processors each with its own local clock. Unfortunately, even when a processor is non-faulty its clock does not maintain perfect time. Therefore, it is necessary to define the concept of clock drift rate.
DEFINITION 1. A clock r(T) has an instantaneous drift rate $D(T) = |r'(T) - 1|$ at clock time T.

DEFINITION 2a. A clock is nonfaulty if r(T) is a monotonic, differentiable function of T and there exists a ρ such that:

  $D(T) = |r'(T) - 1| < \rho/2.$

Thus, the drift rate of a nonfaulty clock is bounded by ρ/2. A typical value of ρ is 1 μsec/sec, i.e. 10⁻⁶. An alternate formula for ρ in terms of r(T) is easily derived:

  $-\rho/2 < r'(T) - 1 < \rho/2$

  $\int_{T_1}^{T_2} (1 - \rho/2)\,dT < \int_{T_1}^{T_2} r'(T)\,dT < \int_{T_1}^{T_2} (1 + \rho/2)\,dT$    (4)

Letting t2 = r(T2) and t1 = r(T1), we can write C(t2) = T2 and C(t1) = T1. The above formula can then be rewritten as

It is possible to start with this formula as the definition of clock drift. If this is done, the requirement of differentiability of the clock function can be removed.
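The integration in (4) carried through, as an added derivation that is not part of the memorandum's text (it uses only the memorandum's own symbols and assumes t2 > t1):

$$\left(1 - \tfrac{\rho}{2}\right)(T_2 - T_1) \;<\; r(T_2) - r(T_1) \;<\; \left(1 + \tfrac{\rho}{2}\right)(T_2 - T_1)$$

and, substituting $t_2 = r(T_2)$, $t_1 = r(T_1)$, $T_2 = C(t_2)$, $T_1 = C(t_1)$:

$$\left(1 - \tfrac{\rho}{2}\right)\bigl(C(t_2) - C(t_1)\bigr) \;<\; t_2 - t_1 \;<\; \left(1 + \tfrac{\rho}{2}\right)\bigl(C(t_2) - C(t_1)\bigr),$$

equivalently $\bigl|\,(t_2 - t_1) - \bigl(C(t_2) - C(t_1)\bigr)\bigr| < \tfrac{\rho}{2}\,\bigl(C(t_2) - C(t_1)\bigr)$. This form involves only clock readings and real-time differences, no derivative, which is why differentiability can be dropped when it is taken as the definition.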
Some synchronization algorithms are defined using the following alternative definitions of a good clock:

DEFINITION 2b. A clock C is a nonfaulty clock if there exists a ρ2 such that for all t1, t2:

DEFINITION 2c. A clock C is a nonfaulty clock if there exists a ρ3 such that for all t1, t2:

The near equivalence of these definitions can be seen by examining the Taylor series expansion of (1+ρ)⁻¹:

  $(1+\rho)^{-1} = 1 - \rho + \rho^2 - \rho^3 + \rho^4 - \cdots$    (10)

Thus for small ρ:

  $(1+\rho)^{-1} \approx 1 - \rho$    (11)

  $(1-\rho)^{-1} \approx 1 + \rho$    (12)

For the typical value of ρ = 10⁻⁶, the difference between (1−ρ) and (1+ρ)⁻¹ is on the order of 10⁻¹². Thus ρ2 ≈ ρ3 ≈ ρ/2.
Synchronization

DEFINITION 3. Two clocks rp and rq are synchronized to within δ of each other at clock time T if

Since the clocks drift apart, it is necessary to periodically resynchronize the clocks of the system. There are two basic classes of synchronization algorithms: continuous-update and discrete-update. In the continuous-update class, the frequency of the clock oscillator is continuously updated by analog circuitry. This method is used in phase-lock methods. In the discrete-update algorithms, the clock value and/or frequency is changed at discrete intervals. The time of resynchronization is typically determined by each processor from its own local clock. The period of time between resynchronizations is usually constant, say R. Using T(i) as the clock time at the beginning of the ith period, T(i) = T(0) + iR. For each period there is a different clock definition:

where the added term is the ith clock correction. Thus, the time base of the system is formally represented by a sequence of mathematical functions each applicable to a different interval of real time. This is illustrated in figure 2. Each function differs from its predecessor by a constant. The time S required to execute the synchronization algorithm must be less than R.

Figure 2. Sequence of clock functions (clock time T against real time).
Clock Read Error

In clock synchronization algorithms, it is necessary that a processor determine its clock skew with respect to every other clock in the system. This is logically equivalent to reading another processor's clock. Since the process of reading another processor's clock is subject to error, a processor can only obtain an approximate view of its skew with respect to other processors. The notation Δqp will be used to represent processor p's approximate view of its skew with respect to processor q. The following definition formalizes this concept:

DEFINITION 4. When processor p reads processor q's clock, processor p obtains an approximate skew Δqp. Processor p's error eqp in reading processor q's clock is:

DEFINITION 5. If processors p and q are nonfaulty then processor p obtains an approximate skew Δqp such that

Thus, ε is a bound on the clock read error and will be referred to as the maximum clock read error.

Usually the approximate skew Δqp is determined by reading another processor's clock. First, processor p reads q's clock at real time t1 and obtains Cq(t1). If processor p subsequently reads its own clock at real time t2 obtaining Cp(t2), then the approximate skew between the two processors' clocks can be calculated as follows:

where b is an implementation parameter.² The value of b is the mean time for processor p to read processor q's clock. In any real system, there will be some variation in the time to read another processor's clock. The error in Δqp is attributable to the variation in the time it takes to read the other processor's clock. All clock synchronization algorithms discussed in this paper depend on the assumption of a bounded read error. Since the cause of the read error is the variation in the communication times between the processors, ε can also be shown to be a bound on the communication variation, i.e., the communication time is greater than b−ε and less than b+ε. This relationship is derived in the next section.

² There may be many components of b -- time to read clock p, time to read clock q, time to transmit clock q to processor p, time for processor p to recognize receipt of clock q, etc.
Read error and communication delay. The relationship between clock read error and the communication-time variation is easily derived from the last two definitions. By substituting equation (17) in (15), we have

  $e_{qp}(T) = r_p^{(i)}\bigl(T + C_p(t_2) - [C_q(t_1) + b]\bigr) - r_q^{(i)}(T)$

By definition 5 we have,

Since the above formula is true for all T it is certainly true for T = T1. Thus we have

Since T1 = Cq(t1), we have

Using the highly accurate approximation in lemma 1 of appendix B, which is valid for small b,

This yields

  $|\,t_2 - t_1 - b\,| < \varepsilon$    (24)

Thus, the communication delay t2 − t1 is bounded by b ± ε (i.e. the average delay ± max. clock read error).
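The clock read described above, as an added example that is not from the memorandum. It assumes the read formula Δqp = Cp(t2) − [Cq(t1) + b] (p's clock minus q's clock), which is the form that appears inside the substituted expression leading to eq. (24), and it ignores drift, as (24) does. The clock values, the mean read time b and the jitter ε are constructed; the last function drives many reads with delays spread over [b−ε, b+ε] and confirms that the read error never exceeds ε.

```python
"""Added example (not from the memorandum): computing the approximate skew Δqp
from two clock readings and checking the read-error bound of definition 5.
Assumes Δqp = Cp(t2) - [Cq(t1) + b], p's clock minus q's clock, with drift
ignored. All sample values are constructed (units: microseconds)."""

import random


def approx_skew(cp_t2, cq_t1, b):
    """Δqp: processor p's estimate of (p's clock − q's clock).

    cp_t2  value of p's own clock, read at real time t2 after q's value arrived
    cq_t1  value of q's clock as sampled by q at real time t1
    b      mean time for p to read q's clock (implementation parameter)
    q's clock would read about cq_t1 + b when p reads its own, so the
    difference of the two is p's estimate of the skew."""
    return cp_t2 - (cq_t1 + b)


def simulate_read(true_skew, delay, b, cq_t1=1000.0):
    """One read of q's clock by p with an actual communication delay `delay`.
    Returns (estimate Δqp, read error eqp). With no drift the error is exactly
    delay - b, i.e. the variation of the delay about its mean."""
    cp_t1 = cq_t1 + true_skew      # p's clock at the instant q's value is sampled
    cp_t2 = cp_t1 + delay          # p reads its own clock when the value arrives
    estimate = approx_skew(cp_t2, cq_t1, b)
    return estimate, estimate - true_skew


def worst_read_error(true_skew, b, epsilon, trials=1000, seed=1):
    """Largest |eqp| over `trials` reads whose delays are drawn uniformly from
    [b - epsilon, b + epsilon]; by eq. (24) this never exceeds epsilon."""
    rng = random.Random(seed)
    worst = 0.0
    for _ in range(trials):
        delay = rng.uniform(b - epsilon, b + epsilon)
        _, err = simulate_read(true_skew, delay, b)
        worst = max(worst, abs(err))
    return worst


if __name__ == "__main__":
    # Constructed: true skew 40, mean read time 250, jitter 5.
    print("exact delay:", simulate_read(40.0, 250.0, 250.0))
    print("delay 3 over mean:", simulate_read(40.0, 253.0, 250.0))
    print("worst |eqp| over 1000 reads:", worst_read_error(40.0, 250.0, 5.0))
```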
Initial Synchronization

Many fault-tolerant clock synchronization algorithms are dependent on a close initial synchronization. Some authors argue that since the system initialization process is not critical (if it fails, you just start over), the initialization procedure does not have to be fault tolerant. Others either provide an alternate algorithm for initialization or explicitly provide for it in the main algorithm. If a fault-tolerant initialization procedure is not provided it is necessary to at least develop a technique to detect when the level of initial synchronization is not adequate.
LAMPORT, MELLIAR-SMITH INTERACTIVE CONVERGENCE ALGORITHM 
The Lamport and Melliar-Smith algorithm (LMS) is based on a modified average. (See ref. 2.) This algorithm is in the class of discrete-update algorithms. When a processor's clock reaches the next resynchronization time, the processor first estimates its skew relative to every other processor in the system. All skews which are greater than a fixed value Ω are ignored. The mean of the remaining clock skews is used as the correction factor.

ALGORITHM: for all processors p

where

  if r ≠ p and |Δrp| < Ω then a_rp = Δrp
Lamport and Melliar-Smith proved the following theorem which characterizes the worst-case performance of this algorithm in terms of low-level system parameters. (See ref. 2.)

THEOREM: If

  $3m < n$

  $\delta \ge \max\left\{ \frac{n}{n-3m}\left[2\varepsilon + \rho\left(R + \frac{2(n-m)}{n}S\right)\right],\ \delta_0 + \rho R \right\}$

  $\delta \ll \min\{R,\ \varepsilon/\rho\}$

Then the ALGORITHM satisfies the following:

S1. If up to time T(i+1) processors p and q are nonfaulty, then for all T in the interval [T(i), T(i+1)]:

S2. If process p is nonfaulty up to time T(i+1), then

Statement (S1) of the theorem states that the maximum skew between any two nonfaulty clocks will be less than δ. The lower bound on δ is given in the theorem as a function of parameters n, m, ε, ρ, Ω, R, and S. Statement (S2) guarantees that the maximum correction will be less than Ω. The theorem is true for any value of δ which satisfies the above constraints. The constraint δ ≥ δ0 + ρR reveals that the algorithm cannot guarantee that synchronization will ever be any tighter than the initial degree of synchronization + the maximum amount of separation that can occur between two non-faulty clocks during an interval of length R.³ The second constraint is

  $\delta \ge \frac{n}{n-3m}\left[2\varepsilon + \rho\left(R + \frac{2(n-m)}{n}S\right)\right]$

³ The theorem is proved using a "worst case" analysis. Since the worst-case analysis includes the effect of malicious failure which is rare, the algorithm typically performs much better than the worst case result suggests. A stochastic analysis which determines an expected level of synchronization has not yet been performed. However, for life-critical applications, it is essential that all system functions must perform correctly in the presence of the worst-case behavior of the synchronization algorithm. This often results in a performance loss, but is unavoidable.

It is noteworthy that this bound on the clock skew is not only a function of clock read error ε but also a function of the number of active and faulty processors n and m respectively. Thus, the worst-case performance of the algorithm will vary when processors fail and when the system reconfigures. This can significantly complicate the reliability analysis of the system. (See ref. 1.) This algorithm implicitly assumes that every processor can directly communicate with every other processor in the system.
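One resynchronization round of the LMS algorithm, as an added example that is not from the memorandum or from reference 2. Each processor p collects a skew Δrp for every other processor r, discards any with |Δrp| ≥ Ω, and averages the survivors over n (its own entry counting as 0), exactly as the text describes. Two conventions are this example's own assumptions: Δrp is taken as (p's clock − r's clock), so p subtracts the average, and the threshold Ω is set equal to the skew bound δ. The clock values and the values the faulty clock shows to each reader are constructed; the demo uses n = 4, m = 1 with a faulty clock that stays just inside Ω for two readers and far outside for the third, and checks that the post-round skew is within the 3mδ/n share that the n/(n−3m) factor of the theorem accounts for when ε = ρ = 0.

```python
"""Added example (not from the memorandum): one round of the LMS interactive
convergence correction. Conventions assumed here: Δrp = (p's clock − r's clock),
so p subtracts the average; Ω is set equal to the skew bound δ. All clock values
are constructed."""


def ica_correction(p, skews, omega, n):
    """Correction for processor p.

    skews  dict r -> Δrp as obtained by p (a faulty r may report anything)
    omega  threshold Ω: skews at or beyond it are treated as 0
    n      total number of clocks (the divisor, p itself included)
    """
    kept = [d for r, d in skews.items() if r != p and abs(d) < omega]
    return sum(kept) / n


def ica_round(good_clocks, faulty_views, n, omega):
    """Apply one correction to every good clock.

    good_clocks   dict p -> current value of good clock p
    faulty_views  dict f -> dict p -> value faulty clock f shows to processor p
    Returns the dict of new good-clock values.
    """
    new = {}
    for p, cp in good_clocks.items():
        skews = {r: cp - cr for r, cr in good_clocks.items() if r != p}
        for f, views in faulty_views.items():
            skews[f] = cp - views[p]          # what p believes its skew to f is
        new[p] = cp - ica_correction(p, skews, omega, n)
    return new


def max_skew(clocks):
    return max(clocks.values()) - min(clocks.values())


def demo(omega=50.0):
    """n = 4, m = 1: three good clocks spanning 40 units and one two-faced faulty
    clock. It appears 49 ahead to clock 0 and 49 behind to clock 1 (both inside
    Ω, pulling them apart) and 1000 behind to clock 2 (outside Ω, ignored).
    Returns (skew before, skew after, new values)."""
    good = {0: 0.0, 1: 20.0, 2: 40.0}
    faulty = {3: {0: 49.0, 1: -29.0, 2: -960.0}}
    after = ica_round(good, faulty, n=4, omega=omega)
    return max_skew(good), max_skew(after), after


if __name__ == "__main__":
    before, after, values = demo()
    print(f"skew before {before}, after {after}, clocks {values}")
```

The faulty clock can still influence each good clock by up to Ω/n, which is why the theorem's bound carries the factor n/(n−3m): with n = 4 and m = 1 that factor is 4, and the round above reduces a 40-unit skew only to 19.5, not to zero.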
LUNDELIUS AND LYNCH ALGORITHM

The Lundelius and Lynch algorithm (LL) runs periodically on each of the processors in the system (ref. 3) and thus is a discrete-update algorithm. When each processor's clock reaches T(i), it broadcasts a message. The algorithm is based on the assumption that each processor can directly communicate with every other processor. The processor collects clock messages from the other processors until T(i) + (1+ρ)(δ+b+ε). These messages are used to create an ordered set of skews with respect to the other processors:

  D1 < D2 < D3 < ...

(Note. For each j there exists a q such that Dj = Δqp and for each q there exists a j such that Dj = Δqp.)

ALGORITHM: For each processor p and a specific level of fault tolerance f, the following is performed:

where

THEOREM: If

  $3m \le 3f < n$

  $R \ge 2(1+\rho)(\delta+\varepsilon) + (1+\rho)\max\{\delta,\ b+\varepsilon\} + \rho b$

  $R \le \frac{\delta}{4\rho} - \frac{\varepsilon}{\rho} - \rho(\delta+b+\varepsilon) - 2\delta - b - 2\varepsilon$

  $\delta \ge 4\varepsilon + 4\rho(3\delta+b+3\varepsilon) + 8\rho^2(\delta+b+\varepsilon)$

Then the ALGORITHM satisfies the following:

S1. If up to time T(i+1) processes p and q are nonfaulty, then for all T in the interval [T(i), T(i+1)]:

S2. If process p is nonfaulty up to time T(i+1), then

The theorem reveals that the algorithm will maintain synchronization to within δ as long as the specified constraints are met. The first constraint 3m ≤ 3f < n shows that the algorithm can only tolerate a certain number of failures. The last 3 formulas can be used to determine the level of synchronization obtainable by the algorithm. For a particular system, the parameters ρ, ε, and b are fixed. Therefore, these formulas define the relationship between δ and R for a particular system. The first of these three formulas constrains the synchronization period. Ignoring terms containing ρ (since it is usually very small) this formula becomes:

Since b, δ, ε are typically on the order of microseconds and R is on the order of 10⁻¹, this constraint is usually insignificant. The last two equations impose a lower bound on δ. By simple algebraic manipulation these equations can be written as:

  $\delta \ge \frac{4\rho R + 4\varepsilon(1+2\rho+\rho^2) + 4\rho(1+\rho)b}{1 - 8\rho - 4\rho^2}$    (27)

  $\delta \ge \frac{4\varepsilon + 4\rho(b+3\varepsilon) + 8\rho^2(b+\varepsilon)}{1 - 12\rho - 8\rho^2}$    (28)

Once again, since ρ is a dimensionless quantity which is very small, these equations can be rewritten as:

  $\delta \ge 4\rho R + 4\varepsilon + 4\rho b$

  $\delta \ge 4\varepsilon + 4\rho(b+\varepsilon)$

The above two constraints are satisfied whenever:

This formula can be used as the maximum clock skew which will occur in a system which uses this algorithm. The theorem was proved using definition 2c for drift rates and assuming direct communication between the processors of the system.
HALPERN, SIMONS, STRONG, DOLEV ALGORITHM

The Halpern, Simons, Strong, Dolev (HSSD) algorithm is a discrete-update algorithm, but differs from the LMS and LL algorithms in that it does not rely on some form of averaging. (See ref. 4.) Periodically each processor seeks to be the synchronizer of the system. The non-faulty processors each know what time the next synchronization interval will occur. They all seek to become the synchronizer at approximately the same time. When all of the processors are not faulty, only one of the processors becomes the synchronizer. If the synchronizer fails, the algorithm is designed such that the remaining good processors effectively take over and synchronize despite the erroneous behavior of the synchronizer.

The algorithm relies on the use of unforgeable digital signatures. It is necessary that each processor be able to encode a message using a unique encoding function such that no other processor can generate or alter the message without invalidating it. Standard techniques exist for implementing digital signatures. (See ref. 5.) Furthermore, every processor can determine who encoded the message. Thus, a processor can determine if a message is authentic or forged. The bound on the clock drift rate is defined using definition 2c. The clock read error is not directly specified. The theorem which characterizes the algorithm was proved under the assumption that the communication delay is bounded by 0 and an upper bound (i.e. ≤ ε). This is less restrictive than is implied by definition 2. Thus, the theorem should still be true if the clock read error were defined in terms of definition 2.
Each processor p executes the following two concurrent tasks:

  Task TM:
    IF Cp(t) = ET THEN
      SIGN AND SEND "The time is ET";
      Cp(t) := ET;
      ET := ET + R;
    ENDIF;

  Task MSG:
    IF an authentic message M is received saying "The time is T" THEN
      S := the number of distinct signatures on M;
      IF T = ET and ET − S*D < Cp(t) THEN
        SIGN AND SEND M;
        Cp(t) := ET; ET := ET + R;
      ENDIF
    ENDIF
These tasks execute as concurrent processes on a processor. If an authentic message is received on a processor before its clock reaches the next synchronization time ET, then task MSG is executed. If no authentic message has been received and a processor's clock reaches ET then task TM is executed. Note that after TM sends a message, ET is incremented. Thus, after TM is complete all the other synchronization messages for this period are ignored. Likewise, after task MSG signs a message, ET is incremented so that TM cannot send a message until the next synchronization period. A key aspect of this algorithm is the ET − S*D < Cp(t) test of task MSG. The "window" of acceptance is a function of the number of signatures of the message. If there is one signature, then the message must arrive in the interval [ET−D, ET], in order for the message to be signed and forwarded. If there are 3 signatures, then the message must arrive in the interval [ET−3*D, ET]. It is assumed that these tasks are non-preemptable.
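The two tasks and the acceptance window above as a small processor model, added here as an example that is not from the memorandum or from reference 4. Signatures are represented only as a set of signer names (the algorithm assumes they are unforgeable; no cryptography is implemented), and the clock, ET, R and D values are constructed. The model shows a one-signature message accepted inside [ET−D, ET] and rejected outside it, a three-signature message accepted inside [ET−3D, ET], and a further message for the same period ignored once ET has advanced.

```python
"""Added example (not from the memorandum): the HSSD tasks TM and MSG as a
processor model with the acceptance window ET - S*D < Cp(t). Signatures are a
set of signer names; no cryptography is implemented. Values are constructed."""


class Processor:
    def __init__(self, name, clock, et, period_r, window_d):
        self.name = name
        self.clock = clock        # Cp(t): local clock value
        self.et = et              # ET: next expected synchronization time
        self.r = period_r         # R: resynchronization period
        self.d = window_d         # D: window width allowed per signature
        self.sent = []            # (T, signers) messages this processor signed and sent

    def task_tm(self):
        """Task TM: the local clock reached ET without an accepted message."""
        if self.clock == self.et:
            msg = (self.et, frozenset([self.name]))   # SIGN AND SEND "The time is ET"
            self.sent.append(msg)
            self.clock = self.et
            self.et += self.r                          # later messages for this period are ignored
            return msg
        return None

    def task_msg(self, t_msg, signers):
        """Task MSG: an authentic message "The time is T" carrying S distinct
        signatures. Returns True if it was accepted, signed and forwarded."""
        s = len(set(signers))                          # S := number of distinct signatures
        if t_msg == self.et and self.et - s * self.d < self.clock:
            msg = (t_msg, frozenset(signers) | {self.name})   # SIGN AND SEND M
            self.sent.append(msg)
            self.clock = self.et
            self.et += self.r                          # TM cannot fire again this period
            return True
        return False


def window_cases():
    """Receptions against processors with ET = 1000, D = 10, R = 100.
    Returns (1 sig at Cp=995, 1 sig at Cp=975, 3 sigs at Cp=975,
             4 sigs after ET advanced, p.ET, q.ET)."""
    p = Processor("p", clock=995.0, et=1000.0, period_r=100.0, window_d=10.0)
    first = p.task_msg(1000.0, {"a"})                 # 990 < 995: inside [ET-D, ET]
    q = Processor("q", clock=975.0, et=1000.0, period_r=100.0, window_d=10.0)
    second = q.task_msg(1000.0, {"a"})                # 990 < 975 fails: outside the window
    third = q.task_msg(1000.0, {"a", "b", "c"})       # 970 < 975: inside [ET-3D, ET]
    late = q.task_msg(1000.0, {"a", "b", "c", "d"})   # T no longer equals ET (now 1100)
    return first, second, third, late, p.et, q.et


if __name__ == "__main__":
    print(window_cases())
    r = Processor("r", clock=1000.0, et=1000.0, period_r=100.0, window_d=10.0)
    print(r.task_tm(), r.et)
```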
THEOREM: If

  $\delta = (1+\rho)S + \rho(2+\rho)R$

  $D \ge \delta$

  $R \ge S(1+\rho) + mD$

Then

S1:

S2:

This algorithm does not require direct communication between all of the processors of the system. In fact as long as a good processor is in contact with another good processor they remain synchronized. The key parameters in this algorithm are S and R. The parameter S represents the maximum time required to execute the synchronization algorithm. In the proof of the theorem, this is shown to be the maximum delay in sending a message from a good processor to another good processor in the network. This is obviously a function of the structure of the network. The theorem states that as long as the good processors can communicate, they will remain synchronized to within δ. But since δ is a function of S and S is a function of network connectivity, the level of synchronization obtainable may degrade as connections are lost in the network. The parameter R is the period of resynchronization. As expected, increasing the frequency of resynchronization increases the degree of synchronization obtained.

Halpern, Simons, Strong and Dolev also presented a more powerful form of their algorithm which can synchronize an unsynchronized clock. This extended algorithm is capable of bringing a repaired processor back into synchronization with the rest of the processors. This algorithm extends the basic algorithm with a Byzantine broadcast among the active processors in order to agree when to allow a processor to join them. The details of this algorithm will not be presented here, but can be found in reference 4.
KESSELS' ALGORITHM

In this section one of the two algorithms developed by J. L. W. Kessels is presented. (See ref. 6.) The other algorithm is basically the same as the one discussed in this section, except that it utilizes an analog circuit which was not characterized formally. No proof of correctness was given for this algorithm. Kessels' synchronization method is a hardware solution and falls in the class of continuous-update algorithms. It depends fundamentally on the assumption that the transmission delays between the separate clocks are negligible. If there is a significant variation in these delays, the algorithm will not work. Thus, this algorithm assumes that ε = 0. A clock is defined in terms of a signal that periodically transitions between two states. The states of this clock are numbered sequentially. The value of the clock is the number of the last transition. Two clocks are defined to be synchronized if their values are equal for at least some part of their state interval. If the minimum frequency of the clocks is u, the maximum clock skew is 1/(2u). Kessels first presents his algorithm in terms of a circuit block diagram. He later demonstrates that it is equivalent to a concurrent program whose correctness can be formally analyzed. In this section only the concurrent algorithm will be presented. For details on an appropriate hardware solution and details about the correctness proof the reader is referred to reference 6.

The notation Nj: P(j) will be used as an abbreviation for the number of values of j for which P(j) is true. For example

  Nj: Cj(t) > Ci(t)

is an abbreviation for the number of clocks which are greater than clock i.

The concurrent algorithm is described using Dijkstra's concept of guarded commands. (See ref. 7.) Each command separated by | is a guarded command. The guarded command consists of a guard (i.e. a Boolean expression) followed by a → and a statement. All of the guarded commands within the do - od loop, which are separated by |, execute concurrently. As long as one of the Boolean expressions is true the loop is continued. If more than one guard is currently true then one of them is selected nondeterministically (i.e. which one is selected is determined randomly.) The Kessels algorithm consists of n concurrent processes. The algorithm for the ith process (on processor i) is:

  do
  | [Nj: Ci(t) < Cj(t)] > f or ki = K − 1 → ki := 0; Ci(t) := Ci(t) + 1
  od

Since it is impossible that all of the guards become false simultaneously, the loop never terminates. The correctness of the above algorithm depends on the ability of a good clock to read all of the other clocks with negligible error. Exactly what constitutes a negligible read error is never defined. Furthermore, there is no mathematical proof which relates the impact of read error on the synchronization. The parameter K determines the rate at which the clock counter is incremented. The clock rate is K times the time required to execute the loop. Kessels shows how a circuit can be designed to ensure that all the good processors compare their values with the other clocks when none of the clocks are in transition. He refers to this as the "interlude" phase.
ALGORITHMS BASED ON PHASE-LOCKING 
Given two non-faulty voltage-controlled oscillators, phase-locked loop circuitry can be used to keep them synchronized. For more details on such circuitry the reader is referred to ref. 8. In this section fault-tolerant algorithms which use this phase locking technique will be discussed. Each of these algorithms depends on the assumption that the phase-locking circuitry maintains adequate synchronization between two non-faulty oscillators. The basic problem is how to select a "standard" signal for each clock in the system in a manner that guarantees that all non-faulty clocks will remain synchronized despite the arbitrary behavior of the faulty clocks.

T. Basil Smith designed a fault-tolerant four-clock, phase-locking synchronization algorithm for the Fault-Tolerant Multi-Processor (FTMP). (See refs. 8 and 9.) Each clock in the system observes the outputs of the other three clocks continuously and determines its phase difference with respect to each of them. These phase differences are ordered: T1 ≥ T2 ≥ T3. Each clock selects the second signal as the reference signal to which it can phase-lock.

Phase-lock algorithms are continuous-update algorithms. The degree of synchronization obtained is dependent on the effectiveness of the phase-lock circuitry. This circuitry is intrinsically analog and belongs to the class of continuous-update algorithms. The developers of these clock synchronization algorithms have not included a mathematical analysis of the phase-lock circuitry used in their algorithm. This is a distinct disadvantage of the phase-lock algorithms -- the maximum clock skew has not been characterized in terms of the specific parameters of the phase-lock circuitry.
KRISHNA, SHIN, BUTLER ALGORITHM

The algorithm presented by Krishna, Shin, and Butler (see ref. 10) is a generalization of Smith's algorithm for more than four clocks. Surprisingly, the median signal does not work for higher levels of redundancy. With a median select algorithm, it is possible for malicious failures to partition the set of clocks into two or more separate "cliques" which are internally synchronized but not synchronized with other cliques. To see this, suppose we have a system of 7 clocks. Such a system should be able to mask the failure of two clocks. Suppose that the 5 good clocks are named a, b, c, d, e and the bad clocks are named x and y. If the transmission delays between clocks are negligible, then the order of arrival of all the signals from the good clocks should be the same on all the processors. If the bad processors fail maliciously, their order may be seen differently by different processors. Consider the following ordering of signals seen by each of the processors in the system.

  order seen by a:  x y a b c d e
  order seen by b:  x y a b c d e
  order seen by c:  a b c d e x y
  order seen by d:  a b c d e x y
  order seen by e:  a b c d e x y

The order of the signals from the good processors a, b, c, d and e is seen consistently by all the processors. The faulty processors x and y are seen differently by the processors of the system. Letting b → c represent the relation that b synchronizes to c, if each processor selects the median signal (i.e. the third signal, not including itself) then the following synchronizations will occur from the above scenario:

  a ↔ b    e → c ↔ d

Thus {a,b} and {c,d,e} form non-synchronizing cliques.

The following algorithm has been shown to prevent the creation of non-synchronized cliques.

THEOREM: If n ≥ 3m+1 and the signal selected on processor p, f_p(n,m), is defined as follows

  $f_p(n,m) = \begin{cases} 2m & \text{if } A_p < n-m \\ m+1 & \text{if } A_p \ge n-m \end{cases}$

where A_p is the order of processor p in the temporal sequence of arriving clock signals, then all the non-faulty clocks of the system will synchronize.

For the situation above n = 7, m = 2; thus

  f_a = 4 and a → b
  f_b = 4 and b → c
  f_c = 4 and c → e
  f_d = 4 and d → e
  f_e = 3 and e → c

The following synchronizing relationship results with no cliques:

This algorithm depends on the use of phase-lock circuitry which was not characterized formally. No theorem was presented which relates maximum clock skew to parameters of the phase-lock circuitry.
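The 7-clock scenario above run under both selection rules, median select and f_p(n, m), as an added example that is not from the memorandum or from reference 10. The arrival orders are the ones listed in the text; one convention is this example's own assumption: the selected index is counted over the other clocks' signals, with the clock's own signal left out (so the partner chosen for a given clock may differ from the listing above, while f_p itself is computed from A_p exactly as the theorem states). The clique check follows each good clock's chain of "synchronizes to" links until it closes a cycle; two distinct cycles means two cliques, one cycle means every good clock ends up locked to the same group.

```python
"""Added example (not from the memorandum): median select versus the
Krishna-Shin-Butler selection f_p(n, m) on the 7-clock scenario, with a check
for non-synchronizing cliques. The selected index is counted over the other
clocks' signals, excluding the clock's own (an assumption of this example)."""

GOOD = ["a", "b", "c", "d", "e"]

# Arrival order as seen by each good clock (from the text); x and y are faulty.
VIEWS = {
    "a": list("xyabcde"),
    "b": list("xyabcde"),
    "c": list("abcdexy"),
    "d": list("abcdexy"),
    "e": list("abcdexy"),
}


def ksb_index(position, n, m):
    """f_p(n, m): which arriving signal clock p locks to, given its own
    position A_p (1-based) in the temporal sequence."""
    return 2 * m if position < n - m else m + 1


def select(views, chooser):
    """Return {clock: clock it synchronizes to}. `chooser(others, a_p)` gives a
    1-based index into the other clocks' signals in arrival order."""
    targets = {}
    for p, order in views.items():
        a_p = order.index(p) + 1                   # A_p: p's own position
        others = [q for q in order if q != p]      # own signal left out
        targets[p] = others[chooser(others, a_p) - 1]
    return targets


def median_chooser(others, a_p):
    return 3                                       # the third of the other signals


def ksb_chooser(n, m):
    return lambda others, a_p: ksb_index(a_p, n, m)


def cliques(targets, good):
    """Distinct cycles of 'synchronizes to' links among the good clocks. Each
    good clock follows its chain until it revisits a clock; the cycle it closes
    is the group it ends up locked to. Chains that run into a faulty clock are
    not counted."""
    found = set()
    for p in good:
        seen = []
        q = p
        while q not in seen and q in good:
            seen.append(q)
            q = targets[q]
        if q in good:
            found.add(frozenset(seen[seen.index(q):]))
    return found


def compare(n=7, m=2):
    """Selection maps and clique sets under median select and under f_p(n, m)."""
    median = select(VIEWS, median_chooser)
    ksb = select(VIEWS, ksb_chooser(n, m))
    return median, ksb, cliques(median, GOOD), cliques(ksb, GOOD)


if __name__ == "__main__":
    median, ksb, median_groups, ksb_groups = compare()
    print("median:", median, "->", [sorted(g) for g in median_groups])
    print("KSB   :", ksb, "->", [sorted(g) for g in ksb_groups])
```

Median select yields the two cycles {a, b} and {c, d} (with e following c into the second), the partition the text describes; the f_p rule sends a, b and e to c and c, d to e, so every good clock's chain ends in the single cycle {c, e}.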
CONCLUDING REMARKS 
The synchronization of the clocks of a multi-processor system is a critical function in a fault-tolerant system. Regardless of the level of redundancy in the system, if the clocks become deskewed, total system failure is almost always certain. It is imperative that provably correct algorithms be used in the design of a fault-tolerant computer system. Many such algorithms have appeared in the engineering literature. Unfortunately, these algorithms and their associated performance theorems are difficult to decipher and compare, since they are presented in different notations. This paper presents in the same notation six different algorithms which have appeared in the literature. It is hoped that future critical system developments will take advantage of these algorithms whose performance properties have been analyzed mathematically. The provably correct algorithms are no more difficult to implement than ad-hoc techniques. It is suggested that future system designers either exploit the available algorithms and concentrate on efficient and correct implementation or mathematically prove the algorithms which they develop for their systems.
APPENDIX A 
IMPLEMENTATION OF SYNCHRONIZATION ALGORITHMS 
There are three basic problems to be solved when implementing a clock 
synchronization algorithm: 
(1) scheduling the synchronization algorithm on the local processors 
(2) reading all the other processor's clocks in the system 
( 3 )  computing a correction based upon the algorithm and updating the local 
clock 
In the next two sections these steps will be discussed. 
Step 1 - Scheduling the Synchronization Task
The clock synchronization algorithms discussed in this paper depend upon periodic execution. Most real-time systems are based on a cyclic scheduler, so the clock synchronization algorithms fit naturally into such a system. These systems are driven by a clock-interrupt. The interrupt is set to fire periodically. When the interrupt fires, the processor immediately transfers control to the scheduler which then transfers control to a task. This can usually be accomplished with only a minimum overhead. The scheduling requirements of the clock synchronization task can usually be met with a high degree of accuracy.
Step 2 - Reading Clocks
There are two basic approaches to implementing the clock read function in a system of multiple processors: (1) a distributed read, and (2) a coordinated broadcast.
METHOD 1 - distributed read. - If the system is designed such that a processor can read the clock of another processor (say by direct memory access), then the read error becomes a function of the worst case memory contention time. The clock could be a multi-ported memory-mapped I/O device. Conceptually, this represents the simplest method of implementing the distributed clock read function. It is essential that the global read be implemented so that a processor can only read a portion of another processor's memory. In this way, another processor cannot interfere with the activities of the local processor by contending for its memory. The degree of synchronization obtainable will depend on the magnitude and variation in the times required to read another processor's clock. Direct bi-directional point-to-point access will provide the most accurate clock-reading capability.
METHOD 2 - coordinated broadcast. - If a system of processors has a broadcast capability, a global clock read capability can be implemented using this facility. This was done for the SIFT computer. (See ref. 1.) It should be noted that when this is done, the clock read function depends on the synchronization algorithm.(4) The beginning of the synchronization task is divided into a sequence of "windows", one window per processor. During its transmit window, a processor repeatedly reads its clock and broadcasts its value. All other processors wait until either the clock value arrives or the window ends. Since the accuracy of processor p's perception of clock q depends on how quickly processor p recognizes receipt of clock q's value, processor p executes a tight "wait-for loop" until clock q's value arrives. When the clock value is received, processor p reads its clock. The skew is calculated as the difference between the two clocks minus the approximate communication delay. When all windows are completed, the correction is calculated, and the clock is corrected. Within its broadcast window, a processor q reads its clock at real time t1 and transmits the value Cq(t1) to processor p. Upon receiving the message at t2, processor p immediately reads its clock to obtain Cp(t2). This is illustrated in figure 3.
(4) Thus, there is a mutual dependency -- the synchronization algorithm depends on the clock read function and the clock read function depends on the synchronization. If this technique is used, then the correctness proof of the synchronization system must deal with the clock read method and synchronization algorithm simultaneously. The proofs cannot be decoupled.
Figure 3. - Reading another processor's clock: at real time t1 processor q reads Cq(t1) and sends it; at real time t2 processor p receives it and reads Cp(t2).
If the exact communication delay Bqp (i.e. Cq(t2) - Cq(t1)) were known, then the exact skew ρqp at real time t2 could be calculated by the following formula:
Since the communication delay is variable, Bqp is a random variable and is never exactly known by the synchronization algorithm. Thus, the designer of the synchronization system chooses a value b approximately equal to E(Bqp) which is used to compute an apparent skew Aqp by the following formula:
These apparent skews are used to calculate the clock correction value according to the synchronization algorithm. The apparent skew Aqp differs from the actual skew ρqp by an error eqp = Aqp - ρqp = Bqp - b. There are two components to this error:
eqp = (Bqp - E(Bqp)) + μ
where μ = E(Bqp) - b. The first component, Bqp - E(Bqp), is the variation due to the random nature of the communication. The second component, μ, is a bias due to the error in choosing b. Also, it follows from the above formula that
The performance of the theoretical algorithms is typically specified by theorems which are expressed in terms of ε, a theoretical upper bound on eqp. Unfortunately, eqp is defined in terms of real time rather than observable clock time. The formula which relates the theoretical eqp to observable clock values is shown to be a highly accurate approximation in appendix B.
The major source of read error in the broadcast method is the busy-wait in the CW. If the looping time of the software which waits for the arrival of a broadcast clock value is w milliseconds, the maximum read error is at least w milliseconds. If special circuitry is designed to recognize the arrival of a clock value and immediately latch the current value of its own clock, this can decrease the read error considerably. The concept of sending a specific processor a message is essentially identical to the broadcast method. However, message facilities are often implemented with hardware interrupts. It is very dangerous to allow a processor to interrupt another processor in a fault-tolerant computer. Message systems for a critical system are best implemented by periodically having the receiving processors examine their mail-boxes.
Step 3 - Correcting Local Clocks
Once the values Aqp have been determined by a processor p, the fault-tolerant clock synchronization algorithms require the determination of a correction factor Δ. These calculations are usually very simple, e.g. a mean or median. Next, the processor must correct its local clock. Note that it is not enough to merely maintain a "correction value" in local memory. It is necessary that the internal state of the clock which fires the clock-interrupt be changed, since this interrupt triggers the periodic execution of the synchronization task. In software-implemented algorithms, a special instruction must be provided by the processor to enable program-level modification of the clock.
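As an added illustration of Steps 2 and 3 (example code written for this survey, not code from the memorandum or from SIFT), the following Python simulates one coordinated-broadcast read with a busy-wait loop of period w, computes the apparent skew Aqp using the assumed delay b, splits the read error eqp = Bqp - b into its variation and bias components, and applies a median correction. Processors p and q, their clock offsets, the delays and the window spacing are constructed values; drift is ignored over the short read interval.

```python
import statistics

# Constructed example: all times are integers in microseconds.  A clock C is
# modelled as real time plus a constant offset, so Cp(t) - Cq(t) is fixed.

def broadcast_read(cq_offset, cp_offset, t1, delay, b, loop_w):
    """q reads Cq(t1) and broadcasts it; the message arrives at real time
    t2 = t1 + delay, but p only notices it on its next pass through the
    busy-wait loop, which polls every loop_w.  Returns (Aqp, rho_qp, eqp)."""
    cq_t1 = t1 + cq_offset                 # value carried in the message
    t2 = t1 + delay                        # real arrival time
    t_seen = t2 + (-t2 % loop_w)           # next poll at or after t2 (read error >= 0, < w)
    cp_seen = t_seen + cp_offset           # p reads its own clock on noticing
    a_qp = cp_seen - cq_t1 - b             # apparent skew, using the assumed delay b
    rho_qp = cp_offset - cq_offset         # actual skew Cp(t) - Cq(t)
    return a_qp, rho_qp, a_qp - rho_qp     # eqp = Aqp - rho_qp = Bqp - b

def error_components(observed_delays, b):
    """Split eqp = Bqp - b into variation (Bqp - E[Bqp]) and bias mu = E[Bqp] - b,
    estimating E[Bqp] by the sample mean of the observed delays Bqp."""
    mean_delay = statistics.fmean(observed_delays)
    return mean_delay - b, [d - mean_delay for d in observed_delays]

def sync_round(cp_offset, other_offsets, t1, delay, b, loop_w):
    """Step 3: collect Aqp from every other processor (one window each), take
    the median together with Aqp = 0 for p itself, and return
    (correction, corrected offset).  Adjusting the offset stands in for
    rewriting the state of the clock that fires the interrupt."""
    skews = [0]                            # p's apparent skew to itself
    for i, cq_offset in enumerate(other_offsets):
        window_start = t1 + i * 10 * loop_w    # one transmit window per processor
        a_qp, _, _ = broadcast_read(cq_offset, cp_offset, window_start,
                                    delay, b, loop_w)
        skews.append(a_qp)
    correction = statistics.median(skews)
    return correction, cp_offset - correction

if __name__ == "__main__":
    # q is 5000 us ahead of real time, p 2000 us; true delay 700 us, b = 500 us,
    # busy-wait period w = 200 us: the read lands 100 us late, so eqp = 800 - 500.
    print(broadcast_read(5000, 2000, 100000, 700, 500, 200))
    # Four other clocks, one of them (50000 us) wildly off: the median ignores it.
    print(sync_round(2000, [5000, 1000, 50000, 2500], 100000, 700, 500, 200))
```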
APPENDIX B
USEFUL APPROXIMATIONS INVOLVING CLOCK FUNCTIONS
Lemma 1. If clock r is non-faulty and Δ is small, then r(T1+Δ) ≈ r(T1) + Δ.
Proof: From the definition of ρ we have the bound below. Letting Δ = T2 - T1: since ρ is typically on the order of 10^-6 and Δ is usually much less than and r is typically on the order of we have
rel. error = |r(T1+Δ) - r(T1) - Δ| / r(T1) ≤ (ρ/2)Δ / r(T1) ≤ 10^-6
Thus, r(T1+Δ) ≈ r(T1) + Δ.
Lemma 2. If clock C is non-faulty and Δ is small, then C(y+Δ) ≈ C(y) + Δ.
Proof: Let x = r(T+Δ) and y = r(T). Then C(x) = T + Δ and C(y) = T since C is the inverse function of r. It directly follows that C(x) = C(y) + Δ. By Lemma 1, we have x ≈ y + Δ. Hence, C(x) ≈ C(y+Δ). Substituting C(y) + Δ for C(x), we have C(y+Δ) ≈ C(y) + Δ.
Proof: By definition eqp = rp(T+Aqp) - rq(T). Letting x = rp(T+Aqp) and t = rq(T) implies Cp(x) = T + Aqp and Cq(t) = T. Thus, Cp(x) = Cq(t) + Aqp. Since by the definition eqp = x - t, we have Cp(eqp+t) = Cq(t) + Aqp. From Lemma 2 we conclude that eqp + Cp(t) ≈ Cq(t) + Aqp.
REFERENCES
1. Butler, Ricky W.; Palumbo, Daniel L.; and Johnson, Sally C.: Application of a Clock Synchronization Validation Methodology to the SIFT Computer System, IEEE Fifteenth International Symposium on Fault-Tolerant Computing (FTCS-15), June 19-21, 1985.
2. Lamport, Leslie; and Melliar-Smith, P. M.: Synchronizing Clocks in the Presence of Faults, Journal of the ACM, Vol. 32, No. 1, January 1985.
3. Lundelius, Jennifer; and Lynch, Nancy: A New Fault-Tolerant Algorithm for Clock Synchronization, ACM Conference on Principles of Distributed Computing, 1984.
4. Halpern, Joseph Y.; Simons, Barbara; Strong, Ray; and Dolev, Danny: Fault-Tolerant Clock Synchronization, ACM Conference on Principles of Distributed Computing, 1984.
5. Rivest, R. L.; Shamir, A.; and Adleman, L.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Communications of the ACM, Vol. 21, No. 2, 1978, pp. 120-126.
6. Kessels, J. L. W.: Two Designs of a Fault-Tolerant Clocking System, IEEE Transactions on Computers, Vol. C-33, No. 10, October 1984.
7. Dijkstra, Edsger W.: A Discipline of Programming, Prentice-Hall, Inc., 1976.
8. Smith, T. B.: Fault-Tolerant Clocking System, IEEE Eleventh International Symposium on Fault-Tolerant Computing (FTCS-11), 1981, pp. 262-264.
9. Hopkins, A. L., et al.: FTMP -- A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft, Proceedings of the IEEE, Vol. 66, pp. 1221-1239, Oct. 1978.
10. Krishna, C. M.; Shin, Kang G.; and Butler, Ricky W.: Ensuring Fault Tolerance of Phase-Locked Clocks, IEEE Transactions on Computers, Vol. C-34, No. 8, August 1985.
Report Documentation Page
Report No.: NASA TM-100553
Author: Ricky W. Butler
Performing Organization: NASA Langley Research Center, Hampton, VA 23665-5225
Sponsoring Agency: National Aeronautics and Space Administration, Washington, DC 20546-0001
Report Date: February 1988
Work Unit No.: 505-66-21-01
Type of Report: Technical Memorandum
Key Words (Suggested by Author): Clock synchronization; Fault tolerant; Formal verification; Design proof
Distribution Statement: Unclassified - Unlimited, Star Category 62
Security Classif. (of this report and of this page): Unclassified
No. of pages: 27
Price: A03
NASA FORM 1626 OCT 86
