# 32DL Clock Synchronisation Standard v1.0

**Document status:** Draft for review
**Date:** 2 June 2026
**Author:** Jon Stiles · I/C1408 · BGA Chief Engineer & Inspector
**Reviewed by:** DeepSeek (Architect), Grok (Hostile Reviewer), Mistral (Arbitrator)

---

## Preamble

This document defines the clock synchronisation standard for agents participating in 32DL autonomous coordination. It covers hardware requirements, pre-mission preparation, operational procedures, wire format encoding, and failure handling.

32DL uses temporal operators — `timeout(expr, ms)` and `duration(expr, ms)` — that require a shared, reliable timebase to be meaningful. This standard defines how that timebase is established and maintained.

---

## 1. The Core Principle

**The clock is prepared. Not acquired.**

Each agent carries its own independent internal clock. That clock is synchronised to atomic time before the mission begins. Once the mission starts, the internal clock runs solo. An agent does not depend on any ongoing external signal during a mission.

Two agents coordinating via 32DL agree on time not because they are communicating about it mid-mission, but because both clocks were independently set to the same atomic standard before departure.

This is analogous to a ship's chronometer. Before GPS, a navigator set the chronometer against a known time signal at port and trusted it for the entire voyage. The chronometer was prepared — not continuously acquired. The accuracy of the navigation depended on the accuracy of the preparation, not on any ongoing signal at sea.

For 32DL: the pre-mission synchronisation is the chronometer winding. The OCXO is the chronometer. The pre-launch checklist is the navigator confirming the chronometer is set before departure.

### Standing Readiness

The clock system runs continuously on permanently powered platforms. It draws minimal power. It does not need to be started before a mission — it is always running, always disciplined, always ready.

A commercial aircraft at the gate is on ground power. Its clock has been running for hours. A fleet vehicle in the depot is plugged in. Its clock has been running since the last shift. When the call comes or the pushback begins, the pre-mission check is a five-second confirmation that five lights are green.

The 35-minute discipline procedure is a **first power-on and post-maintenance procedure only**. It is not part of normal operations. The system is always ready because it never stops.

---

## 2. Hardware Requirements

### 2.1 Time Receivers (Dual Redundancy)

Each agent requires four independent time receivers:

| Receiver | Type | Primary reference | Notes |
|---|---|---|---|
| GPS 1 | GNSS receiver with PPS output | GPS/Galileo atomic time | Independent antenna, Power Supply A |
| GPS 2 | GNSS receiver with PPS output | GPS/Galileo atomic time | Independent antenna, Power Supply B |
| MSF 1 | Longwave receiver, 60 kHz | NPL caesium clock, Anthorn | Ferrite antenna, Power Supply A |
| MSF 2 | Longwave receiver, 60 kHz | NPL caesium clock, Anthorn | Ferrite antenna, Power Supply B |

For European deployment, DCF77 (77.5 kHz, PTB Braunschweig) may substitute for or supplement MSF. For North American deployment, WWVB (60 kHz, NIST Colorado) applies.

GPS and MSF are physically independent dissemination paths — L-band satellite versus longwave groundwave — with root time sources at different national laboratories. A failure mode that takes down both simultaneously is significantly harder to achieve than one that takes down either alone.

**Both GPS and both MSF receivers run simultaneously at all times.** There is no primary/backup switching. All four are hot. If any single receiver fails, the remaining three carry on without interruption.

### 2.2 Internal Clock (OCXO)

Each agent requires an oven-controlled crystal oscillator (OCXO) as its internal timekeeping element.

**Minimum specification:**

| Parameter | Requirement | Notes |
|---|---|---|
| Frequency stability | ≤ 5 × 10⁻¹¹ per day | After discipline |
| Temperature stability | ≤ ±5 × 10⁻¹¹ over operating range | Enclosure-assisted |
| G-sensitivity | ≤ ±1 × 10⁻¹⁰ per G | Commercial traffic only |
| Operating temperature | −20°C to +70°C | Enclosure maintains OCXO within ±2°C |
| Warm-up time | 15 minutes to within spec | Allow 35 minutes for full discipline |

**Recommended components:**

- Vectron OX-208 — primary recommendation for aircraft and drone use
- Connor-Winfield PX-744 — lower cost, adequate for 1-hour missions
- Morion MV89 — premium choice for extended missions beyond 4 hours

### 2.3 Thermal Enclosure

The OCXO must be housed in a thermally stabilised enclosure maintaining the crystal within ±2°C of its operating temperature across the full ambient range of the platform. The enclosure may use a heater element, thermostat, and/or fan as appropriate to the installation. This is a standard avionics packaging requirement and is not an open engineering problem.

### 2.4 Power Supplies (Dual Redundancy)

Two independent power supplies are required:

- **Power Supply A** — primary. Powers GPS 1, MSF 1, OCXO
- **Power Supply B** — secondary, hot standby. Powers GPS 2, MSF 2

Both power supplies are active simultaneously. If Power Supply A fails, Power Supply B immediately carries the full load with no interruption. If both power supplies fail, the system goes offline.

A small buffer capacitor or UPS on the OCXO power rail is recommended to bridge any transient during power supply switchover.
### 2.5 Status Indicators

Five status indicators, visible to the operator or pilot:

| Indicator | Solid green | Flashing amber | Solid red |
|---|---|---|---|
| GPS 1 | Locked | Degraded signal | Failed |
| GPS 2 | Locked | Degraded signal | Failed |
| MSF 1 | Locked | Degraded signal | Failed |
| MSF 2 | Locked | Degraded signal | Failed |
| OCXO | Disciplined within 24h | Discipline age > 24h | Hardware fault |

---

## 3. Pre-Mission Synchronisation Procedure

### 3.1 Timing

**Permanently powered platforms** — commercial aircraft, fleet vehicles, fixed installations — run the clock system continuously. The OCXO is always disciplined. Pre-mission preparation is a five-second check that all five indicators are green. No delay required.

**First power-on or post-maintenance only:** Allow a minimum of 35 minutes from cold power-on to completion of discipline before authorising coordination. This is not a routine pre-mission procedure — it applies only when the system has been completely powered down.

### 3.2 Discipline Procedure

| Phase | Duration | Action |
|---|---|---|
| Warm-up | 10 minutes | Power OCXO, allow oven to stabilise crystal at operating temperature |
| Coarse discipline | 5 minutes | Compare OCXO to GPS/MSF 1PPS signal. Adjust frequency control voltage until phase error < 100 ns |
| Fine discipline | 15 minutes | PID controller with 100-second time constant. Minimise phase error to < 10 ns RMS |
| Validation | 5 minutes | Measure frequency error without adjusting. Must be < ±1 × 10⁻¹¹ for 5 consecutive minutes |
| **Total** | **35 minutes** | |

At completion, the OCXO phase error is < 10 ns RMS from GPS/MSF atomic reference.
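The phase-exit and validation rules of the table above, written as a state monitor. This is an added example, not the standard's own code: it assumes one OCXO-versus-1PPS phase-error sample per second and leaves the PID control loop that actually steers the oscillator to the hardware, deciding only when each phase's exit criterion has been met.

```python
import math
from enum import Enum

# Thresholds from the Section 3.2 discipline table.
WARM_UP_S = 600           # 10-minute oven warm-up before phase samples are acted on
COARSE_EXIT_NS = 100.0    # coarse discipline ends once |phase error| < 100 ns
FINE_EXIT_RMS_NS = 10.0   # fine discipline ends once a full minute is < 10 ns RMS
VALID_FREQ_LIMIT = 1e-11  # validation: |fractional frequency error| < 1e-11 ...
VALID_MINUTES = 5         # ... for 5 consecutive minutes, measured without adjusting

class Phase(Enum):
    WARM_UP = "warm-up"
    COARSE = "coarse discipline"
    FINE = "fine discipline"
    VALIDATION = "validation"
    DISCIPLINED = "disciplined"

class DisciplineMonitor:
    """Walks the Section 3.2 phases from one OCXO-vs-1PPS phase error sample
    (nanoseconds) per second. The control loop that steers the OCXO is separate
    (assumed to run in hardware); this class only tracks the exit criteria."""

    def __init__(self):
        self.phase = Phase.WARM_UP
        self.t = 0               # seconds since power-on
        self.minute = []         # phase-error samples of the current minute
        self.good_minutes = 0    # consecutive in-spec validation minutes

    def step(self, phase_error_ns: float) -> Phase:
        self.t += 1
        self.minute.append(phase_error_ns)
        if self.phase is Phase.WARM_UP and self.t >= WARM_UP_S:
            self.phase = Phase.COARSE
        elif self.phase is Phase.COARSE and abs(phase_error_ns) < COARSE_EXIT_NS:
            self.phase = Phase.FINE
        if len(self.minute) == 60:
            self._end_of_minute()
        return self.phase

    def _end_of_minute(self):
        samples, self.minute = self.minute, []
        rms = math.sqrt(sum(s * s for s in samples) / len(samples))
        # Fractional frequency error over the minute: phase change / elapsed time.
        freq_err = (samples[-1] - samples[0]) * 1e-9 / 60.0
        if self.phase is Phase.FINE and rms < FINE_EXIT_RMS_NS:
            self.phase = Phase.VALIDATION
            self.good_minutes = 0
        elif self.phase is Phase.VALIDATION:
            # One out-of-spec minute restarts the five-minute count.
            self.good_minutes = self.good_minutes + 1 if abs(freq_err) < VALID_FREQ_LIMIT else 0
            if self.good_minutes >= VALID_MINUTES:
                self.phase = Phase.DISCIPLINED
```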
### 3.3 Pre-Launch Checklist

Before 32DL coordination is authorised, the operator confirms:

```
GPS 1:           SOLID GREEN ✓
GPS 2:           SOLID GREEN ✓
MSF 1:           SOLID GREEN ✓
MSF 2:           SOLID GREEN ✓
OCXO:            DISCIPLINED ✓
Power Supply A:  ONLINE ✓
Power Supply B:  ONLINE ✓

32DL COORDINATION: AUTHORISED
```

**An agent that has not completed this checklist must not participate in safety-critical 32DL coordination.**

If any indicator is not solid green, the fault must be resolved before departure. Do not launch with amber or red showing.

On permanently powered platforms this checklist takes seconds — the clock has been running continuously and the OCXO is already disciplined. The check confirms it, nothing more.

---

## 4. In-Mission Clock Operation

### 4.1 Solo Operation

Once the pre-launch checklist is complete, the OCXO is the sole timing authority. External signals are no longer required.

### 4.2 Opportunistic Verification

If GPS or MSF signals are available during taxi, early climb, or at any point during the mission, the system automatically cross-checks the OCXO against the external reference. If the OCXO is within tolerance, no action is taken. If the OCXO has drifted outside tolerance, the system flags this to the operator and re-disciplines if conditions permit.

Opportunistic verification is a confirmation, not a dependency. The mission does not require it.

### 4.3 Drift Budget

The following drift figures apply to a Vectron OX-208 or equivalent in a correctly maintained thermal enclosure under commercial traffic conditions (max 0.5G continuous, occasional 2G):

| Duration | Single agent drift | Relative drift (two agents) | % of 500ms timeout |
|---|---|---|---|
| 1 hour | 270–360 ns | 540–720 ns | 0.00014% |
| 4 hours | 1.1–1.4 µs | 2.2–2.9 µs | 0.00058% |
| 8 hours | 2.2–2.9 µs | 4.3–5.8 µs | 0.00115% |

**Minimum safe timeout value for 32DL expressions: 6 milliseconds.** Below 6ms, relative drift could theoretically become relevant at the 8-hour point.
Above 6ms, the drift is negligible — the relative timing error between two agents after a full 8-hour shift is 86,000 times smaller than a 500ms coordination window.

For practical 32DL coordination, typical timeout values of 500ms to 5 seconds are unaffected by clock drift for the full operating life of a mission.

---

## 5. Failure Handling

### 5.1 Failure Matrix

| Scenario | System response | Indicator | Operator action |
|---|---|---|---|
| GPS 1 fails | GPS 2 carries load | GPS 1 red, others green | None — monitor |
| GPS 2 fails | GPS 1 carries load | GPS 2 red, others green | None — monitor |
| Both GPS fail | MSF takes over instantly (warm) | GPS amber/red, MSF green | Monitor — amber condition |
| MSF 1 fails | MSF 2 carries load | MSF 1 red, others green | None — monitor |
| MSF 2 fails | MSF 1 carries load | MSF 2 red, others green | None — monitor |
| Both GPS + both MSF fail | OCXO holdover | All amber/red | Land/RTB at next opportunity |
| Power Supply A fails | Power Supply B takes full load | No interruption | Note for maintenance |
| Power Supply B fails | Power Supply A continues | No interruption | Note for maintenance |
| Both power supplies fail | System offline | All red | Abort mission |
| OCXO hardware fault | No internal reference | OCXO red | Abort mission |

### 5.2 In-Flight Amber

If any indicator goes amber in flight, the agent remains within 32DL coordination tolerances for the remainder of the mission (see drift budget, Section 4.3). The mission may continue. The amber condition should be logged and investigated after landing.

If all GPS and MSF receivers show amber or red simultaneously, the system is in OCXO holdover. The clock remains valid within the drift budget. Land or return to base at the next safe opportunity.

### 5.3 In-Flight Red

If a single receiver shows red, the remaining receivers carry the load with no impact on coordination.

If both power supplies show red simultaneously, the system is offline.
Abort coordination immediately.

---

## 6. Wire Format: ClockInfo Extension (32DL v2.1)

The 32DL v2.0 wire format is extended with an optional 2-byte ClockInfo field appended to the frame header. v2.0 parsers that do not recognise the field ignore it. No breaking change.

### Byte 0: Clock Source and Quality

```
Bit 7:    Pre-launch certificate valid (1 = checklist completed and verified)
Bit 6:    Primary source (0 = GPS, 1 = MSF/DCF77)
Bit 5-4:  Source quality
          00 = Dual lock (both receivers of primary source locked)
          01 = Single lock (one receiver locked)
          10 = OCXO holdover
          11 = Peer negotiation (last resort)
Bit 3-2:  OCXO discipline age
          00 = < 1 hour since discipline
          01 = 1–6 hours
          10 = 6–24 hours
          11 = > 24 hours or never disciplined
Bit 1-0:  Reserved (set to 00 for v2.0 compatibility)
```

### Byte 1: Extended Health Status

```
Bit 7:    OCXO health (1 = within spec, 0 = fault or unverified)
Bit 6-4:  Fault indicator
          000 = All green
          001 = GPS 1 degraded
          010 = GPS 2 degraded
          011 = MSF 1 degraded
          100 = MSF 2 degraded
          101 = OCXO discipline age > 24h
          110 = One power supply failed
          111 = Multiple failures
Bit 3:    Peer negotiation active
Bit 2:    Fleet certificate check passed
Bit 1-0:  Reserved
```

### Receiver Behaviour

On receiving a frame, compare the sender's ClockInfo with the receiver's own clock quality and act as follows:

- **Same or higher quality:** Accept timestamps without modification
- **Lower quality (MSF vs GPS):** Accept frame, mark timestamps as degraded tier internally, do not use for critical duration calculations
- **Holdover:** Accept frame, treat all temporal constraints as approximate, flag to operator
- **Peer negotiation:** Reject for safety-critical coordination unless expression carries explicit `peer-ok` qualifier

### Fleet Monitoring

A fleet monitoring system reads the ClockInfo field from each agent's heartbeat. A simultaneous transition from GPS to MSF across multiple agents is a detectable jamming signature even while individual agents remain synchronised.
The monitoring system logs source transitions and alerts the operator to any agent showing holdover or peer negotiation status.

---

## 7. Pre-Launch Synchronisation Certificate

Each agent that has completed the pre-launch checklist generates a 12-byte certificate:

```
Bytes 0–3:   Agent ID (32-bit, e.g. serial number)
Bytes 4–5:   Discipline completion timestamp (seconds, 16-bit, rolls over every 18 hours)
Byte 6:      Discipline quality flags
             Bit 7: GPS 1 locked at discipline
             Bit 6: GPS 2 locked at discipline
             Bit 5: MSF 1 locked at discipline
             Bit 4: MSF 2 locked at discipline
             Bit 3: GPS and MSF in agreement (< 50 ns deviation)
             Bit 2: Discipline duration ≥ 30 minutes
             Bit 1: Validation passed
             Bit 0: Both power supplies online during discipline
Byte 7:      Discipline accuracy (units of 0.1 ns RMS, 0–255)
Bytes 8–11:  HMAC-SHA256 truncated to 32 bits, keyed with fleet pre-shared key
```

The certificate provides accountability — it records what happened and when. It does not provide cryptographic proof of hardware state. For safety-critical deployment requiring stronger guarantees, a PKI-based identity authority should be used (see 32DL Identity Authority, open item).

---

## 8. Operational Guide for Pilots and Operators

### What hardware do I need?

Two GPS receivers, two MSF/DCF77 receivers, dual power supplies, one thermally stabilised OCXO, and a five-LED status panel. All four receivers run simultaneously, all the time.

### What do I check before flight?

All five LEDs solid green. GPS 1, GPS 2, MSF 1, MSF 2, OCXO. Both power supplies online. If anything is not solid green, do not fly until it is resolved.

On a permanently powered platform — commercial aircraft, fleet vehicle — this takes five seconds. The clock has been running since the aircraft was last on ground power or the vehicle was last in the depot. It is already disciplined. You are confirming it, not starting it.

### What do the LEDs mean?

**Solid green** — locked and healthy. No action needed.

**Flashing amber** — degraded signal or elevated discipline age. Before flight: resolve before departure. In flight: mission continues, log for maintenance.

**Solid red** — receiver failed. Before flight: abort until repaired. In flight: backup carries load if single failure; if OCXO shows red, abort mission.

**Amber-red (OCXO holdover)** — all external references lost, running on internal clock alone. In flight: clock remains valid within drift budget. Land at next safe opportunity.

### What if amber appears in flight?

A single amber does not affect 32DL coordination. The drift budget shows the clock remains valid for the full mission duration. Log it, investigate after landing.

If all four receivers go amber or red simultaneously — GPS jammed and MSF unavailable — the OCXO carries the mission. The relative timing error between two agents is under 6 microseconds even after 8 hours. A 500ms coordination window is unaffected. Land when practical.

### Emergency vehicles

The vehicle is connected to depot power during standby. The synchronisation system runs continuously — drawing minimal power, always disciplined, always green. Before a shift begins, a single glance confirms all five LEDs are green. When a call comes, depart immediately. The clock has been prepared. No GPS lock is needed on a blue-light run.

The 35-minute discipline procedure applies only to first power-on after installation or post-maintenance. In normal operations it is never needed.

---

## 9. Open Items

The following related standards are under development:

- **32DL Identity Authority** — PKI-based agent identity and certificate model
- **32DL Denotational Semantics** — formal mathematical model for safety property proofs
- **32DL Fleet Coordination Protocol** — multi-agent pre-mission readiness verification

---

## Appendix: Drift Calculation

**OCXO:** Vectron OX-208, ±3 × 10⁻¹⁰/day ageing, ±5 × 10⁻¹¹ temperature stability, ±1 × 10⁻¹⁰/G

**Drift contributions at 8 hours under commercial conditions:**

| Source | Contribution |
|---|---|
| Ageing (3 × 10⁻¹⁰/day) | ~2,880 ns |
| Temperature (±5 × 10⁻¹¹, ±2°C enclosure) | ~1,440 ns |
| Vibration (0.5G continuous) | ~1,440 ns |
| Initial discipline error (< 10 ns RMS) | ~30 ns |
| **Total worst-case single agent** | **~2,880–5,790 ns** |
| **Relative drift between two agents** | **~5.76 µs** |

Minimum safe 32DL timeout value: **6 ms**

Safety margin at 500 ms timeout: **86,000×**
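An encoder/decoder for the two ClockInfo bytes of Section 6, with the receiver rules and the fleet-monitor check for simultaneous GPS-to-MSF transitions. This is an added example, not the standard's reference implementation; the numeric tier ranks and the two-agent alert threshold are assumptions, and the reserved bits are written as 00 and ignored on decode as Byte 0 requires.

```python
from dataclasses import dataclass
from enum import IntEnum

class Quality(IntEnum):
    """Byte 0 bits 5-4: source quality."""
    DUAL_LOCK = 0
    SINGLE_LOCK = 1
    HOLDOVER = 2
    PEER = 3

@dataclass(frozen=True)
class ClockInfo:
    cert_valid: bool     # byte 0 bit 7: pre-launch certificate valid
    source_msf: bool     # byte 0 bit 6: 0 = GPS, 1 = MSF/DCF77
    quality: Quality     # byte 0 bits 5-4
    age: int             # byte 0 bits 3-2: 0 = <1h, 1 = 1-6h, 2 = 6-24h, 3 = >24h or never
    ocxo_ok: bool        # byte 1 bit 7: OCXO within spec
    fault: int           # byte 1 bits 6-4: fault indicator code (0 = all green)
    peer_active: bool    # byte 1 bit 3: peer negotiation active
    fleet_cert_ok: bool  # byte 1 bit 2: fleet certificate check passed

    def encode(self) -> bytes:
        # Reserved bits 1-0 of both bytes stay 00 for v2.0 compatibility.
        b0 = (self.cert_valid << 7) | (self.source_msf << 6) | (self.quality << 4) | ((self.age & 3) << 2)
        b1 = (self.ocxo_ok << 7) | ((self.fault & 7) << 4) | (self.peer_active << 3) | (self.fleet_cert_ok << 2)
        return bytes([b0, b1])

    @classmethod
    def decode(cls, raw: bytes) -> "ClockInfo":
        if len(raw) != 2:
            raise ValueError("ClockInfo field is exactly 2 bytes")
        b0, b1 = raw
        return cls(bool(b0 & 0x80), bool(b0 & 0x40), Quality((b0 >> 4) & 3), (b0 >> 2) & 3,
                   bool(b1 & 0x80), (b1 >> 4) & 7, bool(b1 & 0x08), bool(b1 & 0x04))

def tier(info: ClockInfo) -> int:
    """Rank for the receiver rules: GPS lock > MSF lock > holdover > peer negotiation.
    The numeric ranks are an assumption; the standard only fixes the ordering."""
    if info.quality is Quality.PEER:
        return 0
    if info.quality is Quality.HOLDOVER:
        return 1
    return (2 if info.source_msf else 4) + (1 if info.quality is Quality.DUAL_LOCK else 0)

def receiver_action(mine: ClockInfo, theirs: ClockInfo, peer_ok: bool = False) -> str:
    """Section 6 receiver behaviour for a frame carrying the sender's ClockInfo."""
    if theirs.quality is Quality.PEER:
        return "accept-approximate" if peer_ok else "reject"
    if theirs.quality is Quality.HOLDOVER:
        return "approximate"      # accept, but flag to operator
    return "accept" if tier(theirs) >= tier(mine) else "degraded"

def jamming_signature(previous: dict, current: dict, min_agents: int = 2) -> list:
    """Fleet-monitor check: agents whose primary source flipped GPS -> MSF between two
    heartbeat rounds. min_agents is an assumed alert threshold; the standard gives none."""
    flipped = sorted(a for a in current if a in previous
                     and not previous[a].source_msf and current[a].source_msf)
    return flipped if len(flipped) >= min_agents else []
```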
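Building and verifying the Section 7 certificate, as an added example rather than the standard's reference code. The fleet key, the agent values and the REQUIRED_FLAGS acceptance policy are constructed assumptions; the verifier checks the truncated tag in constant time and, as the section says, the result records what the agent reported, not a proof of hardware state.

```python
import hashlib
import hmac
import struct

FLEET_PSK = b"constructed-example-fleet-key"   # constructed sample; real keys are provisioned per fleet

# Byte 6 discipline quality flags, Section 7 bit assignments (bit 7 first).
GPS1_LOCKED, GPS2_LOCKED, MSF1_LOCKED, MSF2_LOCKED = 0x80, 0x40, 0x20, 0x10
GPS_MSF_AGREE, DURATION_OK, VALIDATION_OK, BOTH_PSU = 0x08, 0x04, 0x02, 0x01

# Assumed fleet policy for "Fleet certificate check passed": the standard defines
# the flags but not which ones a fleet must require.
REQUIRED_FLAGS = GPS_MSF_AGREE | DURATION_OK | VALIDATION_OK

def _tag(body: bytes, key: bytes) -> bytes:
    """Bytes 8-11: HMAC-SHA256 over bytes 0-7, truncated to 32 bits."""
    return hmac.new(key, body, hashlib.sha256).digest()[:4]

def build_certificate(agent_id: int, completed_s: int, flags: int, accuracy_ns: float,
                      key: bytes = FLEET_PSK) -> bytes:
    units = int(round(accuracy_ns * 10))           # byte 7: 0.1 ns RMS units, 0-255
    if not 0 <= units <= 255:
        raise ValueError("discipline accuracy outside the 0-25.5 ns encodable range")
    # Bytes 4-5 carry seconds modulo 2**16, so the timestamp rolls over every ~18.2 hours.
    body = struct.pack(">IHBB", agent_id & 0xFFFFFFFF, completed_s & 0xFFFF, flags & 0xFF, units)
    return body + _tag(body, key)

def verify_certificate(cert: bytes, key: bytes = FLEET_PSK):
    """Return the decoded fields, with 'passed' per REQUIRED_FLAGS, or None if the
    certificate is malformed or its tag does not match under this fleet key."""
    if len(cert) != 12:
        return None
    body, tag = cert[:8], cert[8:]
    if not hmac.compare_digest(tag, _tag(body, key)):   # constant-time comparison
        return None
    agent_id, completed_s, flags, units = struct.unpack(">IHBB", body)
    receivers = (("GPS 1", GPS1_LOCKED), ("GPS 2", GPS2_LOCKED),
                 ("MSF 1", MSF1_LOCKED), ("MSF 2", MSF2_LOCKED))
    return {
        "agent_id": agent_id,
        "completed_s": completed_s,
        "flags": flags,
        "accuracy_ns": units / 10,
        "locked": [name for name, bit in receivers if flags & bit],
        "passed": (flags & REQUIRED_FLAGS) == REQUIRED_FLAGS,
    }
```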