In automation technology, so-called redundancy controllers are used for applications that are designed for high availability, such as tunnel surveillance. One control device, usually referred to as a controller, controls the process, while the other control device runs in standby mode so that it can take over process control when certain events occur. The program sequence is synchronized between the control devices via a synchronization connection, so that after a switching event the process can continue to be controlled in the same way. Besides this synchronization of the application program, further information is exchanged between the control devices to ensure consistent operation. Each control device must be informed about the status and operation of the other control device in order to synchronize its own sequence.
In general, an appropriate redundancy control system comprises two control devices which are synchronized with each other, and lower level input/output stations which are connected to both control devices via an appropriate communication network.
For example, a redundant control system including control computers and a peripheral unit is known from DE 100 30 329 C1, in which the control computers output heartbeats that change cyclically and, in the absence of a heartbeat change, the peripheral unit switches to the respective other control computer.
Furthermore, DE 10 2006 047 026 B4 describes a control and data transmission system having at least two control devices and at least one slave device, which are interconnected via a communication network, wherein the slave device has a plurality of addressable output interfaces for receiving output and status data, and each control device comprises a device for generating and transmitting status and output data to a separate output interface of the slave device, and wherein the slave device comprises an evaluation device which, in response to the status signals received from the control devices, controls the forwarding of received output data for further use.
If a failure occurs in a redundantly configured control system, i.e. a failure in both redundant control devices, the lower level process can no longer be served because there will not be any controller left that could process the input and output data. The same applies to a failure in the communication network.
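The heartbeat supervision summarized above for DE 100 30 329 C1, including the double-failure case from the last paragraph, can be sketched as follows. This is an added illustration, not code from either cited patent; the names `periph_t`, `periph_init` and `periph_cycle`, the 8-bit heartbeat counter and the limit of three unchanged cycles are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_CONTROLLERS 2
#define MISSED_LIMIT 3       /* assumed: unchanged cycles before a controller counts as failed */
#define NO_CONTROLLER (-1)   /* both heartbeats frozen: the process can no longer be served */

typedef struct {
    uint8_t last_hb[NUM_CONTROLLERS];  /* last heartbeat value seen per controller */
    unsigned stale[NUM_CONTROLLERS];   /* consecutive cycles without a heartbeat change */
    int active;                        /* controller whose outputs are currently used */
} periph_t;

static void periph_init(periph_t *p, uint8_t hb0, uint8_t hb1)
{
    p->last_hb[0] = hb0; p->last_hb[1] = hb1;
    p->stale[0] = p->stale[1] = 0;
    p->active = 0;
}

/* Run once per I/O cycle with the heartbeats currently received.
 * Returns the index of the controller to follow, or NO_CONTROLLER. */
static int periph_cycle(periph_t *p, const uint8_t hb[NUM_CONTROLLERS])
{
    for (int i = 0; i < NUM_CONTROLLERS; i++) {
        if (hb[i] != p->last_hb[i]) {            /* heartbeat changed: controller is alive */
            p->last_hb[i] = hb[i];
            p->stale[i] = 0;
        } else if (p->stale[i] < MISSED_LIMIT) {
            p->stale[i]++;                       /* saturating count of unchanged cycles */
        }
    }
    if (p->active != NO_CONTROLLER && p->stale[p->active] < MISSED_LIMIT)
        return p->active;                        /* no switching event */
    for (int i = 0; i < NUM_CONTROLLERS; i++)    /* switch to a controller that still beats */
        if (p->stale[i] < MISSED_LIMIT) { p->active = i; return i; }
    p->active = NO_CONTROLLER;
    return NO_CONTROLLER;
}

int main(void)
{
    periph_t p; uint8_t hb[NUM_CONTROLLERS] = {0, 0};
    periph_init(&p, 0, 0);
    for (int c = 0; c < 12; c++) {               /* constructed scenario */
        if (c < 2) hb[0]++;                      /* controller 0 freezes after 2 cycles */
        if (c < 7) hb[1]++;                      /* controller 1 freezes after 7 cycles */
        printf("cycle %d -> active %d\n", c, periph_cycle(&p, hb));
    }
    return 0;
}
```
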