1. Patent Search
  2. Details

Process Data Exchange with Guaranteed Minimum Transmission Intervals

20230236558 · 2023-07-27

    Inventors

    Cpc classification

    International classification

    Abstract

    A control device includes first and second control modules. The first control module is configured to generate process data at t.sub.1, send the process data to the second control module via a communication channel, receive a response to the process data, and process the process data at t.sub.4. The second control module is configured to receive the process data from the first control module, process the process data at t.sub.2, generate the response at t.sub.3, and send the response to the first control module. The times t.sub.1, t.sub.2, t.sub.3, and t.sub.4 are in chronological order. In various implementations, the first and second control modules jointly guarantee a minimum duration Δ1 between t.sub.1 and t.sub.2. In various implementations, the second control module guarantees a minimum duration Δ2 between t.sub.2 and t.sub.3. In various implementations, the first and second control modules jointly guarantee a minimum duration Δ3 between t.sub.3 and t.sub.4.

    Claims

    1. A control device for controlling an automated system, the control device comprising: a first control module; a second control module; and a communication channel via which the first control module and the second control module are configured to exchange process data of the automated system, wherein: the first control module is configured to generate process data at a first time t.sub.1, send the process data to the second control module via the communication channel, receive a response to the process data from the second control module, and process the process data at a fourth time t.sub.4; the second control module is configured to receive the process data from the first control module, process the process data at a second time t.sub.2, generate the response at a third time t.sub.3, and send the response to the first control module; and the times t.sub.1, t.sub.2, t.sub.3, and t.sub.4 are in chronological order, and wherein at least one of: (i) the first control module and the second control module are jointly configured to guarantee a first minimum duration Δ1 between the first time t.sub.1 and the second time t.sub.2; (ii) the second control module is configured to guarantee a second minimum duration Δ2 between the second time t.sub.2 and the third time t.sub.3; and (iii) the first control module and the second control module are jointly configured to guarantee a third minimum duration Δ3 between the third time t.sub.3 and the fourth time t.sub.4.

    2. The control device of claim 1 wherein the first control module and the second control module guarantee at least one of the first minimum duration Δ1 and the third minimum duration Δ3 by transmitting the process data redundantly and ensuring specific time characteristics.

    3. The control device of claim 2 wherein: the first control module transmits the process data redundantly by shifting a first instance of the process data into a transmit buffer of the communication channel at a first point of time t.sub.a and by shifting a second instance of the process data into the transmit buffer of the communication channel at a second point of time t.sub.b; and the first control module ensures the specific time characteristics by starting a first time monitoring, which determines a first time interval between the points of time t.sub.a and t.sub.b, and by shifting the second instance of the process data into the transmit buffer only in case the determined first time interval exceeds a defined minimum value.

    4. The control device of claim 2 wherein: the second control module transmits the response to the process data redundantly by shifting a first instance of the response into a transmit buffer of the communication channel at a third point of time t.sub.a and by shifting a second instance of the response into the transmit buffer of the communication channel at a fourth point of time t.sub.b; and the second control module ensures the specific time characteristics by starting a second time monitoring, which determines a second time interval between the points of time t.sub.a and t.sub.b, and by shifting the second instance of the response into the transmit buffer only in case the determined second time interval exceeds a defined minimum value.

    5. The control device of claim 2 wherein the second control module ensures the specific time characteristics by starting a third time monitoring, which determines a time interval between reception of a first instance of the process data and reception of a second instance of the process data, only in case the second control module receives a first instance of the process data.

    6. The control device of claim 2 wherein the first control module ensures the time characteristics by starting a fourth time monitor, which determines a time interval between reception of a first instance of the response and reception of a second instance of the response, only in case the first control module receives a first instance of the response.

    7. The control device of claim 3 wherein: the first instance of the process data and the second instance of the process data are redundant data telegrams of the process data; and the first control module provides the first instance of the process data and the second instance of the process data with consecutive instance numbers.

    8. The control device of claim 4 wherein: the first instance of the response and the second instance of the response are redundant data telegrams of the response; and the second control module provides the first instance of the response and the second instance of the response with consecutive instance numbers.

    9. The control device of claim 1 wherein: the second control module starts a fifth time monitoring at the second time t.sub.2 for determining a time interval to the third time t.sub.3; and the second control module generates the response at the third time t.sub.3 only after the second minimum duration Δ2 has elapsed.

    10. The control device of claim 1 wherein the first control module sends and receives the process data cyclically, monitors a number of cycles between the first time t.sub.1 and the fourth time t.sub.4 as a round-trip time and triggers a safety-related action in case the round-trip time exceeds a defined value.

    11. The control device of claim 1 wherein: the first control module processes the process data according to a first local cycle; the second control module processes the process data according to a second local cycle; the first local cycle and the second local cycle have the same period; and the first minimum duration Δ1, the second minimum duration Δ2 and the third minimum duration Δ3 are each shorter than the period.

    12. The control device of claim 11 wherein the first control module sends a first instance and at least a second instance of the process data to the second control module within the first local cycle.

    13. The control device of claim 11 wherein the second control module sends a first instance and at least a second instance of the response of the process data to the first control module within the second local cycle.

    14. The control device of claim 1 wherein the first control module and the second control module each have a fail-safe implemented processing unit that enables at least one of a fail-safe execution of a user program and a fail-safe input/output of the process data.

    15. The control device of claim 14 wherein each fail-safe implemented processing unit is configured to ensure a fail-safe communication via the communication channel independent of a design of the communication channel.

    16. The control device of claim 14 wherein each fail-safe implemented processing unit is configured to provide fail-safe time monitoring on the respective first control module and the second control module.

    17. A control device for controlling an automated system, the control device comprising: a first control module; a second control module; and a communication channel via which the first control module and the second control module are configured to exchange process data of the automated system, wherein: the first control module is configured to generate process data at a first time t.sub.1, send the process data to the second control module via the communication channel, receive a response to the process data from the second control module, and process the process data at a fourth time t.sub.4; the second control module is configured to receive the process data from the first control module, process the process data at a second time t.sub.2, generate the response at a third time t.sub.3, and send the response to the first control module; the times t.sub.1, t.sub.2, t.sub.3, and t.sub.4 are in chronological order; the first control module processes the process data according to a first local cycle; and the first control module sends a first instance of the process data and at least a second instance of the process data to the second control module within the first local cycle.

    18. The control device of claim 17 wherein: the second control module processes the response of the process data according to a second local cycle; and the second control module sends a first instance of the response of the process data and at least a second instance of the response of the process data to the first control module within the second local cycle.

    19. A method for controlling an automated system including a communication channel connecting a first control module and a second control module for exchanging process data of the automated system, the method comprising: generating process data at a first time t.sub.1; sending the process data from the first control module to the second control module via the communication channel; at the first control module, receiving a response to the process data from the second control module; at the first control module, processing the process data at a fourth time t.sub.4; at the second control module, receiving the process data from the first control module; at the second control module, processing the received process data at a second time t.sub.2; at the second control module, generating the response at a third time t.sub.3 and sending it to the first control module, wherein the times t.sub.1, t.sub.2, t.sub.3, and t.sub.4 are in chronological order, and wherein the method further comprises at least one of: (i) jointly guaranteeing, using the first control module and the second control module, a first minimum duration Δ1 between the first time t.sub.1 and the second time t.sub.2; (ii) guaranteeing, using the second control module, a second minimum duration Δ2 between the second time t.sub.2 and the third time t.sub.3; (iii) jointly guaranteeing, using the first control module and the second control module, a third minimum duration Δ3 between the third time t.sub.3 and the fourth time t.sub.4.

    20. A method for controlling an automated system including a communication channel connecting a first control module and a second control module for exchanging process data of the automated system, the method comprising: generating, at the first control module, process data at a first time t.sub.1; sending the process data from the first control module to the second control module via the communication channel; receiving, at the first control module, a response to the process data from the second control module and processing the process data at a fourth time t.sub.4; receiving, at the second control module, the process data from the first control module; processing, at the second control module, the received process data at a second time t.sub.2; generating, at the second control module, the response at a third time t.sub.3, wherein the times t.sub.1, t.sub.2, t.sub.3, and t.sub.4 are in chronological order; sending the response from the second control module to the first control module; processing, at the first control module, the process data according to a first local cycle; and sending a first instance and a second instance of the process data from the first control module to the second control module within the first local cycle.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0046] Embodiments of the invention are shown in the drawings and are explained in more detail in the following description.

    [0047] FIG. 1 is a schematic representation of an embodiment of a control device having a first control module and a second control module.

    [0048] FIG. 2 is a schematic representation of a communication between two control modules according to a first aspect.

    [0049] FIG. 3 is a schematic representation of a communication between two control modules according to a second aspect.

    [0050] FIG. 4 is a schematic representation of data processing within a control module according to a third aspect

    [0051] FIG. 5 is a sequence diagram of a redundant transmission of process data of a first instance and a second instance.

    [0052] FIG. 6 is a sequence diagram of the redundant transmission according to FIG. 5 in case the process data of the first instance is lost

    [0053] FIG. 7 is a sequence diagram of the redundant transmission according to FIG. 5 in case the process data of the second instance is lost.

    DETAILED DESCRIPTION

    [0054] FIG. 1 shows a schematic representation of a control device according to an embodiment of the present invention. The control device in its entirety is designated here by reference numeral 10.

    [0055] The control device 10 is a modular control device comprising three individual modules in the embodiment shown here. A first control module 12 is a central processing unit of the control device 10 (head module). A second control module 14 and a third control module 16 are input/output modules via which the control device 10 is connected to a technical system.

    [0056] The modules 12-16 are individual assemblies that are arranged together in a housing 18 or a housing frame. Typically, the modules are individual units that are plugged together to form the control device 10. Thereby, the control device 10 can be individually assembled and adapted to a respective control and regulation task. The expandability is indicated here by another module slot 20 as a placeholder for additional modules. Thus, the control device 10 is not limited to the number of modules shown here but may be expanded by additional modules.

    [0057] Usually, a control device 10 of this type is housed in a control cabinet (not shown here) and the input/output modules 14, 16 are connected directly or indirectly (for example, via a field bus) to the periphery 22 of the technical system. The periphery may include input devices, such as light barriers 24 or emergency stop buttons 26, and output devices that function as actuators. Actuators can be, for example, motors 28 or contactors 30. It is understood that the invention is not limited to specific peripheral elements shown here.

    [0058] In the present embodiment, the second control module 14 and the third control module 16 have connections to input devices and output devices, respectively. In other words, here both control modules 14, 16 have respective inputs and outputs 32 through which the modules are connected to the periphery 22. It is understood that in other embodiments a control module may have only inputs or only outputs. The inputs and outputs 32 of the modules can be arranged in a separate module part (connection module part 34).

    [0059] Processing of the input and output signals applied to the inputs and outputs 32 is performed in a logic module part 36 of the control modules. In various embodiments, the logic module part 36 includes a fail-safe processing unit 38 comprising, for example, two separate processing units 40a and 40b. The processing units 40a, 40b may be microcontrollers, ASICs, or FPGAs, and can be of diverse types. In addition, the logic module part 36 has an interface 42 to a communication bus 44. Like the processing units 40a, 40b, the interface 42 may be redundant. In principle, the control modules 12-16 have a fail-safe design in the sense of SIL2 or higher according to EN 61508 and/or PL d or higher according to ISO 13849-1.

    [0060] The communication bus 44 enables the control modules of the control device 10 to establish a communication channel with each other. In particular, the control modules 14, 16, which function as input/output modules, may communicate with the head module via the communication bus 44. The communication bus 44 may be formed by bus module parts 46 that belong to the individual control modules 12-16. The bus module parts 46 arranged in a row may form a so-called modular backplane. Alternatively, the communication bus 44 may also be formed by a fixed rear panel of the housing 18 of the control device 10.

    [0061] The first control module 12, which functions as the head module in the present embodiment, has a similar logic module part 36 as the input/output modules. The fail-safe implemented processing unit 38 of the head module is configured to process a user program. The user program may be stored, for example, in a memory 48 of the logic module part 36. The user program can be processed according to the input-process-output (IPO) principle. In a first step, the fail-safe implemented processing unit 38 generates a process image of the inputs (PII) and then sequentially executes instructions of the user program based on the PII. Finally, the fail-safe implemented processing unit 38 of the head module writes a process image of the outputs (PIO), based on which the outputs are controlled.

    [0062] The inputs are read in via the input modules and the outputs are set via the output modules. For the input/output modules, the fail-safe implemented processing unit 38 is configured to provide input and output in a fail-safe manner. The communication between the modules is realized by the communication bus 44. Thus, in the present embodiment, the first control module 12 is not directly provided with inputs and outputs 32 to the periphery and can therefore do without its own connection module part 34. However, the first control module 12 may have an additional interface 50 that can be used to establish a connection to other control devices or diagnostic equipment.

    [0063] Using FIG. 2 as an example, the communication between two control modules is explained below. FIG. 2 shows in a schematic representation an example of the transmission of a process image of the inputs between a head module (first control module 12) and an input/output module (second control module 14) via the communication bus 44. Specifically, FIG. 2 represents a worst-case analysis of a fail-safe transmission of a PII (FS-PII).

    [0064] In the diagram according to FIG. 2, the time t is plotted in the longitudinal direction. The first control module 12 (top) and the second control module 14 (bottom) operate with fixed local cycles 52 having defined cycle times. The cycle time is the time for processing a cycle including all communication tasks. “Local” in this context means that the cycles of the first control module 12 and the second control module 14 do not necessarily have to be synchronized. Specifically, the cycles do not have to be synchronized in a functionally safe manner. In other words, the cycles may be regularly synchronized, but this need not necessarily be done in a fail-safe manner in order to perform the method according to the present disclosure. Generally, it is assumed that there is a certain time offset 54 between the local cycles 52 of the individual control modules 12, 14.

    [0065] The control module 12 creates a process data frame and prepares it for transmission, as indicated here by reference numeral 56. The process data frame is then moved to an output buffer of the communication channel provided by the communication bus 44 and is thus transferred to an area of responsibility of the communication bus 44 (time t.sub.1). Subsequently, transmission via the communication bus 44 to the second control module 14 occurs. The reception of the data is indicated here by reference numeral 58. Time t.sub.2 marks the start of the processing of the process data by the second control module 14, i.e., the reading of the process data from the received frame and its evaluation. The first control module 12 and the second control module 14 are jointly configured to ensure a minimum duration Δ1 between the two times t.sub.1 and t.sub.2. This can be achieved, for example, by preparing and sending the process data from the control module 12 not just once within the local cycle, but twice. Such processing will be further explained in detail with reference to FIG. 5-7.

    [0066] The second control module 14 generates a response to the received process data and places the response in an output buffer of the communication channel provided by the communication bus 44 at a time t.sub.3. Creating the response includes reading the inputs of the second control module 14 and writing the appropriate states to the frame for dispatch. After being received by the first control module 12, the response is processed by the control module 12 at time t.sub.4. The first control module 12 and the second control module 14 also guarantee a minimum duration Δ3 between the two times t.sub.3 and t.sub.4 for the response. This can be achieved in the same way as for sending the process data, namely in that the response is prepared and sent by the second control module 14 several times (at least twice) within the local cycle of the second control module.

    [0067] For a worst-case analysis, event 60 of FIG. 2 (shown here by the arrow) is analyzed in the following. The event 60 may be, for example, the actuation of an emergency stop button, which changes the state of an input of the second control module 14. For the present analysis, the event 60 is timed in such a way that processing (indicated here by reference numeral 62) of the event can just no longer be taken into account for the response at time t.sub.3 and thus takes place completely in the subsequent cycle (reference numeral 62′). This assumption is permissible, since it is required that a signal must be present at the inputs for at least two local cycle times. Thus, in the present case, the event 60 is not considered until the subsequent cycle, and the corresponding state of the input is stored and sent in the response to the process data 58′. This response is then also transmitted to the first control module 12 and processed by it at time t′.sub.4.

    [0068] In the worst-case analysis of the FS-PII transmission time, the time duration from the occurrence of the event 60 to the (guaranteed) processing by the first control module 12 is considered. Taking redundant transmission into account, the latter time is here time t′.sub.4. Without additional ensured time characteristics of transmission or processing, the entire round-trip 64 from time t.sub.1 to time t′.sub.4 is to be used for the worst-case analysis.

    [0069] For a more favorable worst-case analysis, the control modules 12, 14, as described previously, are configured to guarantee certain minimum intervals (minimum durations) between individual operations either jointly or individually. In the present case, the first control module 12 and the second control module 14 are configured to ensure jointly a minimum duration Δ1 between time t.sub.1 and time t.sub.2, and a minimum duration Δ3 between time t.sub.3 and time t.sub.4 (or t′.sub.3 and t′.sub.4). Furthermore, the second control module 14 can ensure a minimum duration Δ2 between the time t.sub.2 and the time t.sub.3 by itself.

    [0070] By setting the minimum intervals as described above, additional time characteristics of transmission and processing are known and guaranteed so that they can be considered in the worst-case analysis. In the present case, this means that a period 65 (time t.sub.1 to time t.sub.3) can be disregarded in the analysis, since this period is needed at least until the response is generated and is therefore fixed. One way to guarantee these minimum intervals by transmitting the process data multiple times is explained in more detail with reference to FIG. 5-7.

    [0071] Before this, however, an example of the transmission of a process image of the outputs PIO (FS-PIO) between the head module (first control module 12) and the input/output module (second control module 14) is described with reference to FIG. 3. As in FIG. 2, the diagram in FIG. 3 also shows the time t plotted in the longitudinal direction. Analogous to FIG. 2, the control module 12 creates a process data frame and prepares it for transmission, as indicated here by reference numeral 66. The process data frame is then moved to an output buffer of the communication channel provided by the communication bus 44 and is thus transferred to an area of responsibility of the communication bus 44 (time t.sub.1).

    [0072] After reception 68 of the process data by the second control module 14, the second control module 14 starts processing the process data at the second time t.sub.2. The output generated at the outputs is indicated by reference numeral 70. Following the output 70, the desired state 72, such as a stop of the machine, is assumed by the machine. At the third time t.sub.3, the second control module 14 generates a corresponding response and prepares it for transmission 74. After reception 76 of the response by the first control module 12, the response is evaluated at the fourth time t.sub.4.

    [0073] For the worst-case analysis of the FS-PIO transmission duration, the duration from the sending of the process data to the reception of the corresponding response is relevant, provided that no other time characteristics can be ensured. In other words, the entire round-trip 78 is initially relevant for the analysis here.

    [0074] For a more favorable worst-case analysis, minimum intervals between individual operations should also be guaranteed here. The second minimum duration Δ2 between the second time t.sub.2 and the third time t.sub.3 corresponds to the second minimum duration Δ2 previously indicated with reference to FIG. 2. Furthermore, a third minimum duration Δ3 can be guaranteed by the interaction of the first control module 12 and the second control module 14. The third minimum duration Δ3 relates to a time span between the third time t.sub.3 and the fourth time t.sub.4.

    [0075] As before, by guaranteeing these minimum intervals, a more favorable worst-case analysis can be achieved with respect to the transmission of the process image of the outputs. Due to these ensured time characteristics, a time span 79 starting from the second time t.sub.2 to the fourth time t.sub.4 can be disregarded in the analysis.

    [0076] Having shown above the beneficial effects of the minimum intervals for worst-case analysis for the transmission duration of PII and PIO, it will be shown in the following how the control modules can be configured to ensure the minimum intervals.

    [0077] As shown above, three minimum intervals Δ1, Δ2, and Δ3 are relevant. The minimum duration Δ2 can be ensured by a single control module. The minimum duration Δ1 and the minimum duration Δ3, on the other hand, can only be ensured by the interaction of two modules. The latter can make use of redundant (multiple) transmission of process data to guarantee the minimum intervals. In the following, with reference to FIG. 4, it will be discussed how the minimum duration Δ2 can be guaranteed by a single control module.

    [0078] FIG. 4 is a detail of FIG. 2 or 3 showing only the second control module 14. The same reference signs denote the same parts as in FIG. 2 and FIG. 3.

    [0079] The detail shows two local cycles 52 of the second control module 14. As described above, after receiving process data from another control module, the second control module 14 processes the data starting at time t.sub.2. At the same time, the control module 14 starts a timer for time monitoring. By means of the time monitoring, a time period is defined within which the control module 14 prevents a transmission of the process data (i.e., the response to the received process data). Only after the specified time period has elapsed, the control module 14 will be able to generate and send a response back to the other control module. The period during which the second control module 14 is prevented from sending the response corresponds to the second minimum duration Δ2.

    [0080] Time monitoring can be achieved with a timer having a fixed duration. Such a timer can be easily implemented by the fail-safe implemented processing unit 38 provided in the control module. In this regard, the redundant design of the fail-safe implemented processing unit 38 also allows the timer to be set up in a fail-safe manner. For example, each processing unit of the second control module may execute a timer, respectively, to ensure the minimum duration. Timers are usually already integrated in common microcontrollers or can be easily emulated in software. Thus, no additional hardware is required for the implementation of time monitoring, so that it can also be retrofitted to existing control modules by a software update.

    [0081] With reference to FIGS. 5 to 7, it will be described in the following how two control modules can interact to ensure minimum intervals between individual operations/events. One possibility is to send the process data multiple times within the cycle time, so that a first instance and at least a second instance of the process data are always transmitted in a single cycle.

    [0082] In order to make these instances recognizable, distinguishable and sortable, the control modules can be configured to provide the redundant instances, i.e., the redundant packets of a particular process data object (PDO), with consecutive instance numbers. The instance numbers serve to make the redundant instances distinguishable and can consequently be an addition to an already existing sequence numbering of the process data. It is understood that other measures may be taken to achieve this distinctiveness.

    [0083] With the help of the distinguishability of the individual instances and by taking advantage of redundant transmission, a minimum duration can be guaranteed between the creation of the process data on one control module and its processing on another control module, as will be explained in more detail below.

    [0084] FIG. 5 shows a sequence diagram of the transmission of redundant process data from a first control module 12 to a second control module 14. The control module 12 includes a fail-safe process image generator 82 and a transmit buffer 84. The control module 14 includes a receive buffer 86 and a fail-safe process image consumer 88. The process image generator 82 generates a process image for transmission, while the process image consumer 88 evaluates a received process image. The process image generator 82 and the process image consumer 88 are fail-safe devices. On the other hand, the transmit buffer 84 and the receive buffer 86 may be non-fail-safe devices (also referred to as standard devices) of a communication bus.

    [0085] It is understood that the control module 12 may include a receive buffer and a process image consumer, analogous to the control module 14. Similarly, the control module 14 may include a transmit buffer and a process image generator. In this way, a two-way communication between the two modules can be realized. However, for the sake of simplicity, these components have been omitted here.

    [0086] FIG. 5 shows the redundant transmission of a first instance and a second instance of process data. More specifically, FIG. 5 shows the transmission of a first-instance process data object (FS-PDO instance 1) followed by a transmission of a second-instance process data object (FS-PDO instance 2). The first process data object and the second process data object have the same control-relevant content, but are distinguished by the instance numbering described above.

    [0087] In the following, it will be explained how a minimum time interval can be maintained in such a transmission (cf. FIGS. 2 and 3: minimum duration Δ1 and minimum duration Δ3). FIG. 5 shows the case in which all process data objects arrive at the receiver (second control module 14) and none of the redundant process data objects is lost.

    [0088] In a step S100, the fail-safe process image generator 82 creates a first-instance process data object and stores the object in the transmit buffer at a time t.sub.a in the step S102. Subsequently, the process data object is in the send buffer 84 (S103) and can be sent via the communication bus 44. From this point on, the fail-safe process image generator 82 can no longer influence when and how the process data object is sent over the communication bus 44. Accordingly, after storing the process data object of the first instance (FS-PDO instance 1) in the transmit buffer 84, the first control module 12 starts a time monitoring to ensure a minimum interval for the creation of the second process data object (FS-PDO instance 2). Time monitoring can be implemented by a timer set to a defined period of time (timer runtime). In addition, the first control module 12 is configured not to create another process data object or to move such an object into the transmit buffer if the defined time period has not yet expired. Thus, the second-instance process data object is placed in the transmit buffer 84 only after the timer has expired, i.e., when no time underrun has been detected. The second-instance process data object can also be created only after the timer has expired (S106).

    [0089] The second-instance process data object is thus placed in the transmit buffer 84 while maintaining a minimum interval in step S108 and is then ready for transmission (S109). The first control module 12 thus guarantees that a minimum interval Δa is maintained between the creation of the first-instance process data object and the creation of the second-instance process data object.

    [0090] If none of the process data objects are lost during transmission, the second control module 14 first receives the first-instance process data object stored in the receive buffer 86, which is read by the process image consumer 88 in step S110. Subsequently, the process data object is evaluated in step S112.

    [0091] The second control module 14 then starts time monitoring to ensure the minimum interval for processing and evaluation of a second-instance process data object (S114). The time monitoring can be configured analogous to the time monitoring of the first control module, whereby during the timer runtime not the sending of a process data object is prevented, but its processing and evaluation. This can be achieved by the second control module 14 being configured to read out a second-instance process data object located in the receive buffer 86, but to execute processing and evaluation of this object only if no time underrun has been detected and thus a minimum interval Δb can be ensured. In other words, an evaluation of the process data object of the second instance is performed conditionally in step S116, depending on whether the timer has been terminated (S115).

    [0092] By having the two control modules 12, 14 each guarantee the minimum intervals Δa and Δb, it is possible for the process image generator 82 in the first control module 12 and the process image consumer 88 in the second control module 14 to jointly ensure that there is a minimum time interval between the creation (S100) and processing (S116) of the process data. This minimum time interval corresponds to the minimum durations Δ1 and Δ3 as described with reference to FIGS. 2 and 3. Taking advantage of redundant transmission, the required minimum duration (minimum durations Δ1 and Δ3) can thus be easily ensured by ensuring defined time spans between operations within the individual control modules.

    [0093] As will be shown in the following, these minimum durations can also be guaranteed even if one of the two process data objects should be lost. FIG. 6 depicts a case in which the first-instance process data object is lost during transmission. FIG. 7 subsequently shows the case in which the second-instance process data object does not reach its destination.

    [0094] In FIGS. 6 and 7, the operations in the first control module 12 are the same as in the first control module 12 according to FIG. 5, and the first control module 12 transmits the redundant process data in accordance with the previously mentioned steps S100 to S108. Accordingly, a renewed description of these steps is omitted.

    [0095] However, in contrast to FIG. 5, the transmission of the first-instance process data object (FS-PDO instance 1) is lost in the case according to FIG. 6. Thus, the first-instance process data object does not reach the receive buffer 86 of the second control module 14, or the process image consumer 88 cannot read the first-instance process data object from the receive buffer 86. In this case, the first-instance process data object is not processed and evaluated by the process image consumer 88. Likewise, no time monitoring is started. Meanwhile, the second control module 14 receives the second-instance process data object. The second-instance process data object is read out by the process image consumer 88 in step S118 and processed directly in step S120. Since the process image consumer 88 recognizes that it is processing a second-instance process data object, no time monitoring is started.

    [0096] According to this processing, even in the case when the first-instance process data object is lost, the minimum time interval between the creation and processing can be guaranteed.

    [0097] The same results for the case if the second-instance process data object is lost. This case is depicted in FIG. 7. Again, the steps performed by the first control module 12 are initially identical to those of the first control module 12 of FIG. 5.

    [0098] The second control module 14 thus receives the first-instance process data object and executes steps S110 to S114 as already described with reference to FIG. 5. Accordingly, the process image consumer 88 starts time monitoring (S114) after evaluating the process data object of the first instance (S112), but then does not receive another process data object (S122) after the specified time period has elapsed. Thus, the process image consumer 88 re-evaluates the process data object of the first instance after the time monitoring has expired in order to complete the process data evaluation (S124). Since the renewed evaluation of the process data object of the first instance is also delayed by the minimum time interval Δb, the minimum interval between the creation of the process data (S100) and the final evaluation (S124) of the process data is again ensured.

    [0099] It is understood that the above-mentioned possibility for establishing minimum intervals between transmissions are only to be understood as examples and that other variants are conceivable for this purpose. Thus, the subject matter of the present disclosure is not limited by the present description. Rather, the subject matter of the invention is defined exclusively by the following claims.

    [0100] The phrase at least one of A, B, and C should be construed to mean a logical (A OR B OR C), using a non-exclusive logical OR, and should not be construed to mean “at least one of A, at least one of B, and at least one of C.”