Communication networks are being used to an ever greater extent for measuring, controlling and regulating complex technical systems. By way of example, networks are increasingly used in motor vehicles in order to form vehicle control systems. Corresponding complex and safety-relevant technical systems make great demands on the availability of the control elements provided as network devices. When single components fail, such as sensors or control devices, this must not result in the failure of the overall system. Particular relevance to safety applies to drive by wire systems, e.g. steer by wire systems, in which the steering wheel position is converted into wheel positions by electric motor using a network coupling comprising sensor, control and actuator devices.
In the past, redundant designs of particularly critical components have been used, so that in the event of an error the respective backup or redundant component can undertake the respective task. When there are a plurality of redundant components, it is necessary to ensure that only one of the two or more control devices has the respective control sovereignty. Furthermore, contradictory control demands must not arise for the same control functionalities. It is therefore desirable for all the control components to have the same information or data in the network.
In this respect, errors in the form of inconsistent data, which may be corrupt in the event of data transmission via the network that is used, for example, need to be recognized A standard network environment that is in widespread use is based on the Ethernet protocol. The use of Ethernet infrastructures has the advantage that standardized network devices and methods can be used. In the past, however, proprietary data buses were also used in order to link control components having internal redundancy, that is to say duplicate functionality, to one another.
Furthermore, it is possible for nodes used in the network to be erroneous. By way of example, error types that involve a network device using a high frequency to send data to the network that contains no data that the other control devices can use are known. The term “babbling idiot” is also used. The network infrastructure can then be burdened by high data rates such that it is no longer possible for genuine control or sensor data to be interchanged between the network devices that are still functioning. It is desirable to deal with particularly such erroneous behavior in safety-relevant networks and to process the available data in a suitable manner in order to ensure reliable operation of the unaffected devices in the network.
In the past, methods have been proposed in which the data interchange between prescribed communication partners has been subject to bandwidth limiting. However, faulty network nodes can also produce data packets with incorrect address data, this being unable to be handled satisfactorily for dedicated bandwidth limiting in every network topology, particularly in a ring-shaped network topology.
Furthermore, methods are known that are based on synchronized communication among the network nodes. In this case, particular time slots are defined for the data interchange between prescribed communication partners. Such time slot methods require sophisticated synchronization and special hardware devices.