In many industrial applications automation systems are used for controlling technical processes. A failure of these automation systems inevitably leads to a fault in the technical execution and thereby for example to a failure of production of goods or energy.
To prevent an interruption of the production process the use of so-called high-availability automation devices based on Programmable Logic Controllers within the framework of the automation system is known, with the automation devices being duplicated in such cases and means being available for switchover between the automation devices in the event of an error.
These types of automation solution require a major financial investment since the known systems are highly specialized and technically very complex and thus also very expensive.
Errors which can occur during the control of a technical process with regard to the automation systems on the one hand relate to the control software running on the automation devices, but on the other hand also relate to the hardware components used.
As regards the last-mentioned errors, problems do not usually arise as a result of a total failure of an automation device, but as a result of static and/or sporadic faults of individual hardware components of the automation devices.
In such cases output signals then occur as a result relating to the faulty automation device, which although present and thus theoretically also able to be switched to the technical process, are however affected by errors.
These types of error can be of a transitory nature, for example if a hardware component of an automation device merely has a random error for a short time, caused by a temporary overheating of the component for example.
It is also conceivable however that one or more hardware components are permanently producing corrupted output signals right from the onset of a fault.
If two automation devices are now employed in parallel in a redundant automation system, which feature different output signals from each other in the form of a corresponding process image, in practice this device can only be identified as faulty for certain on total failure of an automation device. Otherwise, if there are discrepancies between the process images of the automation devices of a redundant automation system, it is not possible to simply decide which of the relevant process images involved is to be viewed as incorrect.