Such known transmission systems are used in safety-critical cases in process engineering plants, or stationary or mobile work devices, for example work vehicles such as cranes or the like.
It is important that the data be transmitted reliably from the first network to the at least one second network. Such safety-critical data transmission is especially important when the data is transmitted via a wireless transmission path. For this purpose, there has already been one improvement such that not only one transmission path, but at least two, and preferably exactly two, transmission paths are used for this safety application. An additional improvement of this redundant data transmission has taken place in that this is used wirelessly, which is to say via radio or light, using the Parallel Redundancy Protocol (PRP) that is a layer-2 redundancy method that is independent of higher layers and is above all suitable for real-time Ethernet mechanisms.
From safety aspects, such a transmission system already operates satisfactorily since redundancy of the two transmission paths is provided. For example, when a disturbance or failure of one wireless transmission path occurs, the at least one second transmission path can be used to ensure the transmission of data from the first to the second network.
However, it cannot be precluded, despite this redundancy, that data transmission between the two networks is impermissibly disturbed under safety-critical aspects.
While the redundancy is considerably increased and safety-critical aspects were taken into account in such transmission systems having at least two transmission paths, there is still a risk that such a transmission system does not operate absolutely free from faults. Due to the redundancy mechanism that is implemented by the wireless data transmission using PRP via two transmission paths that are independent of one another, there is a risk, due to the error compensation using PRP, that a seemingly fault-free transmission system is present, while in fact this is not the case since the redundancy mechanism is able to detect and compensate for internal system faults. For example, it is not possible for the operator of the transmission system to identify individual data packets that were lost on the transmission path. Due to the redundancy mechanism, the impression may thus be created that the transmission system is operating without fault; this, however, is not the case since the transmission system can independently compensate for errors. For example, in the event that one of the at least two transmission paths is permanently disturbed or has completely failed, data transmission can still take place via the other available transmission path, resulting in a transmission system that operates in a seemingly fault-free manner. However, a risk then exists that the only transmission path still available can no longer ensure reliable data transmission in the event of a disturbance or a failure, and consequently safety-critical situations may arise that in fact should absolutely be avoided due to the redundancy. In such a case, the redundancy mechanism would be permanently active, and the data would only be transmitted via the only transmission path still available, while the at least additional transmission path is no longer available, which, however, is not, or not readily, apparent to a user of the transmission system. From this follows that no redundancy reserve is available any more, since the actual redundancy mechanism, which is to say the separate transmission of data from the one network to the other, is permanently disturbed.
Such a case is illustrated in FIG. 2. From this, it is apparent that data is transmitted permanently and without fault via the one transmission path, while the same data being transmitted via the further transmission path is lost 100%, for example because this transmission path has completely failed. The data that was transmitted 100% fault-free via the one transmission path then arrives at the second network fault-free, so that data transmission can be maintained, and the fault-free operation of the transmission system is ensured. However, if a disturbance of the transmission path occurs that was used to previously transmit 100% of the data, the redundancy mechanism is impaired, or in the worst-case scenario even completely suspended, and the disadvantage of critical situations may occur.