In systems in which the individual communication stations perform important functions and in which the communication taking place between the communication stations must be carried out in an uninterrupted manner, use is normally made of redundantly arranged communication channels such that even if one channel fails a data transmission can take place on the corresponding other channel between communication stations. The communication stations themselves can be e.g. field devices or control units in an automation system. In this context, the communication connection between the central control unit and the field devices is normally referred to as a field bus. Field bus components, i.e. the communication stations, are e.g. field bus controllers, field bus devices, switches, routers, cables and WLAN sections in this case. Apart from an automation system, e.g. in the context of a monitoring system, e.g. a building monitoring system or a flight traffic monitoring system, other components are also conceivable as communication stations instead of the control unit and the field devices. For example, security-oriented cameras can likewise transfer their data via secure communication channels as communication stations for the monitoring of public spaces.
In such an automation system or monitoring system, the reliability-relevant components or the communication stations are usually arranged in a redundant manner, i.e. at least duplicated, such that if a corresponding component or communication station fails, the redundant partner can intervene on behalf of the failed communication station. By virtue of the redundant arrangement of the reliability-relevant components and by virtue of the two-channel arrangement of the communication connection, it is always possible to provide a reserve communication path via which the relevant security-oriented components can reliably communicate. This means that the communication can continue without interruption via a reserve path in the event of any faults that may occur in the context of the automation system or monitoring system.
Existing solutions offer a plurality of possibilities for maintaining communication in the event of a fault. In a system such as Profibus DP, for example, system redundancy can be realized in such a way that there are two physical connections between the relevant components. As long as both communication channels are intact in this context, one of the two connections is the preferred channel or primary channel, and the other connection functions as a reserve channel or backup channel. Data is transferred between the communication stations via both data channels in this type of arrangement, but only the data of the preferred channel is valid for analysis by the components that are attached. However, data telegrams are also carried on the reserve channel in order to test the connection continuously. If a field bus controller detects a communication fault in the preferred channel to a field bus device in the system, for example, the field bus controller sends a special switchover telegram on the reserve connection, which switchover telegram tells the field bus device to switch over to the corresponding reserve channel and hence to utilize this as the preferred channel subsequently. However, it is disadvantageous in this context that the switchover telegrams which are transferred when the fault is detected are transmitted asynchronously relative to the cyclical payload data, and additional measures are therefore required, e.g. the introduction of a wait time or a delay time, in order to prevent a so-called switchover impact. In this context, a switchover impact is understood to signify that, as a result of the switchover, data from an application cycle prior to the most recently received application cycle is accepted by the data recipient. Although such an erroneous receipt would be recognized as an error, a security response would nonetheless be initiated if a security protocol were concurrently in use, e.g. disconnection of the equipment, which should be prevented by a so-called smooth switchover. In particular, such a solution is not suitable for redundant connections having significantly differing propagation times, where the redundantly arranged components are widely dispersed in the framework of the network topology or are situated at different locations of the network such that the data telegrams require significantly differing propagation times in order to be sent from a corresponding sender to the redundant components, since the switchover telegram possibly reaches the redundant partners at a time which differs significantly between the redundant partners. A corresponding delay time must therefore be introduced in order to ensure a correct switchover between the preferred channel and the reserve channel.
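The switchover impact described above can be reproduced with a small timing model. This is an added example, not part of the original text: the cycle time, the delays, and the names `simulate` and `stale_cycles` are constructed assumptions, and the switchover telegram is modelled with its own latency because it is asynchronous to the cyclic payload.

```python
CYCLE_MS = 10  # constructed value: one payload telegram per application cycle


def simulate(pref_delay, resv_delay, sw_delay, fault_cycle, wait_ms, cycles=12):
    """Return the application-cycle numbers the device accepts, in order.

    Cycle n is sent at n * CYCLE_MS on both channels. The preferred channel
    loses every telegram from fault_cycle on. The switchover telegram is sent
    at fault_cycle * CYCLE_MS and arrives sw_delay later (modelling
    assumption); the device then waits wait_ms before it starts evaluating
    the reserve channel.
    """
    switch_at = fault_cycle * CYCLE_MS + sw_delay + wait_ms
    events = []
    for n in range(cycles):
        if n < fault_cycle:
            events.append((n * CYCLE_MS + pref_delay, "preferred", n))
        events.append((n * CYCLE_MS + resv_delay, "reserve", n))

    accepted = []
    for t, channel, n in sorted(events):
        # Only the data of the currently preferred channel is valid.
        active = "reserve" if t >= switch_at else "preferred"
        if channel == active:
            accepted.append(n)
    return accepted


def stale_cycles(accepted):
    """Cycles accepted although the same or a newer cycle was already accepted."""
    newest, stale = -1, []
    for n in accepted:
        if n <= newest:
            stale.append(n)
        newest = max(newest, n)
    return stale


if __name__ == "__main__":
    # Reserve path is 33 ms slower than the preferred path; fault in cycle 6.
    for wait in (0, 30):
        seq = simulate(pref_delay=2, resv_delay=35, sw_delay=4,
                       fault_cycle=6, wait_ms=wait)
        print(f"wait={wait:2d} ms accepted={seq} stale={stale_cycles(seq)}")
```

Without a wait time the device accepts cycles 3 to 5 a second time from the slower reserve channel after having already accepted cycle 5; the wait time needed to avoid this grows with the difference in propagation times.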
In the case of a further system, the Profibus DP with Flying Redundancy, there can be one or two physical connections for communication. The field bus can be supported by one or two field bus controllers in this type of arrangement. The field bus devices can have one or two interfaces to the field bus. However, it is a fundamental property that there is logically only one field bus, irrespective of how many cables are used to carry the communication. In principle, all components are connected together. As described above, there is also a preferred channel and a reserve channel here, with the same principles except that said channels share a logical field bus. In the case of Flying Redundancy, the field bus station addresses are automatically exchanged at the field bus device in the case of each switchover. In this context, the preferred channel is always a connection between a field bus controller and a fixed address at the field bus device, irrespective of which of the two interfaces currently has the address. The reserve channel exists between the field bus controller and a field bus interface having the address of the preferred channel, which address is increased by a fixed offset. In this type of arrangement, the disadvantage is again that switchover telegrams are required for switching over between the preferred channel and the reserve channel, wherein said switchover telegrams are transmitted asynchronously relative to the cyclical payload data.
When using Ethernet, there are likewise two physical connections and communication takes place via both of these. All telegrams are numbered in this context. The telegrams having the most recent number are accepted. This method has the disadvantage of being very costly and requires a close coupling between the two redundantly arranged recipients since the telegram numbers must be compared continuously in order to decide which is the most recent data telegram and hence which data telegram is to be used. Such an architecture or this method can only be used if the corresponding communication stations, e.g. the field bus controllers, are very close to each other (<1 m) and have a dedicated communication connection. However, such a method is unsuitable e.g. in the case of systems which are widely distributed in physical terms, where the redundant components, e.g. the control units in an automation system, are widely separated and therefore the distance between the redundant field bus controllers can be greater than 1000 m. Moreover, in such a case the field bus controllers would not be able to feature a dedicated individual communication connection via which the number comparison can take place.
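The number comparison described above, and why it couples the two recipients, can be shown as follows. This is an added example, not part of the original text: the 16-bit counter width, the class and function names, and the arrival sequence are constructed assumptions.

```python
SEQ_BITS = 16  # assumed counter width; the text does not state one
SEQ_MOD = 1 << SEQ_BITS


def is_newer(seq, last):
    """Serial-number comparison that still works when the counter wraps."""
    return last is None or 0 < (seq - last) % SEQ_MOD < SEQ_MOD // 2


class Newest:
    """Most recent accepted telegram number. Sharing one instance between the
    two recipients is the coupling: it is consulted for every telegram."""

    def __init__(self):
        self.last = None


class Recipient:
    def __init__(self, newest):
        self.newest = newest

    def receive(self, seq, payload):
        if is_newer(seq, self.newest.last):
            self.newest.last = seq
            return payload
        return None  # older or duplicate number: discard


def run(arrivals, coupled):
    """Feed (recipient, number, payload) tuples in arrival order and return
    the telegram numbers handed on to the application."""
    shared = Newest()
    recipients = {"A": Recipient(shared),
                  "B": Recipient(shared if coupled else Newest())}
    accepted = []
    for who, seq, payload in arrivals:
        if recipients[who].receive(seq, payload) is not None:
            accepted.append(seq)
    return accepted


# Constructed arrivals: connection B lags behind connection A, the counter
# wraps from 65535 to 0, and connection A loses telegram number 1.
ARRIVALS = [("A", 65534, "p0"), ("A", 65535, "p1"), ("A", 0, "p2"),
            ("B", 65534, "p0"), ("B", 65535, "p1"), ("B", 0, "p2"),
            ("B", 1, "p3"), ("A", 2, "p4"), ("B", 2, "p4")]

if __name__ == "__main__":
    print("coupled:  ", run(ARRIVALS, coupled=True))
    print("uncoupled:", run(ARRIVALS, coupled=False))
```

With the shared state every telegram is accepted exactly once and the loss on connection A is covered by connection B; without it the lagging recipient hands on telegrams that were already accepted, which is why the comparison needs the dedicated connection between the recipients.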