In many systems in which high availability and system stability is required, for example in automation systems in manufacturing engineering (for example in the pharmaceutical industry, the chemical industry, the motor industry or the utility industry) or in automated tunnel lighting systems, the automation technology is designed to be redundant. If a part of the automation technology fails, a part having the same function, two of said part being provided, can take over the faulty function, whereby the proper functioning of the system is ensured.
Such a system is generally constructed as follows (see FIG. 1):
A redundant, communication network with high availability is connected to a central control unit, which network in turn constitutes the connection to the input and output units (sensors/actuators) of the system. Typically, everything from the controller to the communication plane is designed to be redundant, whereas the sensor/actuator plane is often designed to not be redundant. The redundancy in terms of the control is achieved by a first control unit taking over the control of the system as a master controller, while a second control unit waits for a failure of the master controller as a slave controller. For this purpose, constant alignment takes place between the two control units via a communication connection. The controller (master/slave) then communicates with the sensor/actuator plane via a communication path. The sensors provide the data to either the master or the two controllers. The actuators are operated by the master controller and provided with data. In the master controller fails, the slave controller takes over the communication with the sensors and actuators, the sensor/actuator plane not noticing this at all. The actuators do not influence the origin of the control data.
DE 10 2005 027 666 B3 and WO 91/08535 A1 disclose system control methods using master and slave controllers that communicate with one another.
DE 199 29 645 A1, DE 10 2007 061 754 A1 and DE 196 44 126 A1 disclose systems for actuating an escape route illumination means.
In this context, establishing communication between the master controller and the slave controller so as to achieve redundancy on the control plane is in some cases associated with particularly high complexity and costs.