A fail-silent node is a self-checking node that either functions correctly or stops functioning after an internal failure is detected. Such a node can be constructed from a number of conventional processors. In a software-implemented fail-silent node, the non-faulty processors of the node need to execute message order and comparison protocols to 'keep in step' and check each other respectively. In this paper the design and implementation of efficient protocols for a two processor fail-silent node are described in detail. The performance figures obtained indicate that in a wide class of applications requiring a high degree of fault-tolerance, software-implemented failsilent nodes constructed simply by utilising standard 'off-the-shelf' components are an attractive alternative to their hardware-implemented counterparts that do require special-purpose hardware components, such as fault-tolerant clocks, comparator and bus interface circuits. replica state divergence. Synchronisation at the level of processor micro-instructions is logically the most straightforward way to achieve replica synchronism. In this approach, processors are driven by a common clock source which guarantees that they execute the same steps at each clock pulse (of course, the logic of the individual processors must be deterministic). Outputs are evaluated (compared/voted) by apossibly replicated-hardware component at appropriate times (e.g., at each bus access). Asynchronous events must be distributed to the processors of a node through special circuits which ensure that all the correct processors will perceive such an event at the same point of their instruction stream [12,23]. Since every correct processor of a node executes the same instruction stream, all the programs that run on the non-redundant version can be made to run, without any changes, on the node. This is the major advantage gained by synchronising at the level of microinstructions. Such implementations of two processor fail-silent nodes have been in use widely; Stratus [27] and Sequoia [2] are two well-known examples. In these systems, a common (reliable) clock source is used for driving a pair of processors which execute in lock-step. Access to the bus is controlled by a (reliable) comparator circuit which only enables access to the bus if the signals generated by the two processors are the same. Another example of a fail-controlled node is presented in [6]; this design employs tight synchronisation of redundant processors and in addition, uses coding techniques for detecting/correcting memory bit corruptions.There are however a few problems with the micro-instruction level approach to synchronisation. First, as indicated before, individual processors must be built in such a way that they will have a deterministic behaviour at each clock pulse, so that they will produce identical outputs ("don't care" transitions, for instance, where a bit can be either one or zero, are not allowed in the design of the processors). Second, the introduction of special circuits such as reliable co...