Communications networks are finding ever broader application for measuring and performing open-loop and closed-loop control of complex technical systems. For example, increasingly networks are being used in motor vehicles in order to form vehicle control systems. In corresponding complex and safety-relevant technical systems stringent requirements are made of the availability of the control elements which are provided as network devices. When individual components fail, such as, for example, sensors or control devices, this must not lead to failure of the entire system. Particularly safety-relevant systems are drive-by-wire systems, for example, steer-by-wire systems in which the steering wheel position is converted electromotively into wheel positions by means of network coupling of the sensor devices, control devices and actuator devices.
In the past, redundant designs of particularly critical components were used so that in the event of a failure the respective backup or redundant components can take over the respective function. When there are a plurality of redundant components it is necessary to ensure that only one of the two or more control devices has the respective control priority. Furthermore, contradictory control instructions for the same control functionalities must not arise. It is therefore necessary for all the control components to have the same information or data in the network.
In this respect, errors in the form of inconsistent data, which may be corrupted, for example, in the case of data transmission via the network which is being used, have to be detected. A standard network environment which is widely distributed is based on the Ethernet protocol. The use of Ethernet infrastructures has the advantage that standardized network devices and methods can be used. However, in the past, proprietary data_buses were also used to link control components to one another with internal redundancy, that is to say with double functionality.
Furthermore, it is possible that nodes in the network being used are faulty. Fault types are known for example in which a network device transmits at a high frequency into the network data which does not contain any data which can be used by the other control devices. The term “Babbling Idiot” is used. The network infrastructure can be overloaded by high data rates in such a way that genuine control data or sensor data can no longer be exchanged between the still functioning network devices. It is desirable to treat, in particular, such faulty behavior in safety-relevant networks and to process suitably the data which is present in order to ensure reliable operation of the unaffected devices in the network.
In the past, methods were proposed in which the data exchange between predefined communication partners was bandwidth-limited. Defective network nodes can, however, also generate data packets with inadequate address data, and within the scope of a dedicated bandwidth limitation, this cannot be handled satisfactorily in every network topology, in particular, not in a ring-shaped network topology.
Furthermore, methods are known that are based on synchronized communication of the network nodes with one another. In this context, certain timeslots are defined for the data exchange between predefined communication partners. Such timeslot methods require complex synchronization and special hardware devices.
Document EP 1 548 992 A1 discloses a method which is directed to preventing “Babbling Idiot” faults in a CAN bus system of an aircraft. The problem of a network device transmitting data at a high frequency into the network is prevented in that a bus guardian disconnects the faulty network device from the network as soon as the fault is detected.
Document WO 2005/053223 A2 also discloses avoiding a “Babbling Idiot” fault in a CAN bus system with master and slave stations. According to this disclosure, the problem is solved in that a master station isolates a faulty slave station from the network.
Document US 2009/122812 A1 discloses a method for safely powering up a “time-triggered” ring network. The central guardian of the network ensures that every station which exhibits a “Babbling Idiot” behavior becomes invisible from the network. The guardian determines the behavior of each station in the network. If the data transmission rate of a station exceeds a transmission bandwidth which is predefined for the latter, the guardian detects the station as faulty.