Fault-tolerant, serviceable automation system

1 . A fault-tolerant, maintainable automation system comprising: at least two central computers, and a process periphery that is preferably remote, wherein the at least two central computers are configured to communicate with the process periphery and/or control it, wherein the at least two central computers are fail-silent FCUs and represent autonomous exchange units, wherein one of the at least two central computers is configured to assume the role of an active central computer and at least one other central computer of the at least two central computers is configured to assume the role of a passive central computer, wherein the active central computer is configured to carry out communications with the process periphery and/or the control of the process periphery, wherein the active central computer and the process periphery are configured to exchange timed status messages via communication channels, preferably via wireless and in particular local wireless communication channels, and at least the active central computer is configured to save the current status of the process periphery, wherein the active central computer is configured to transmit a sign-of-life message to the passive central computer, preferably periodically, wherein the passive central computer is configured to acknowledge the receipt of a sign-of-life message from the active central computer in a periodic sign-of-life message and to monitor it through a time-out, and wherein the passive central computer is configured to assume the role of the active central computer if the sign-of-life messages fail to appear after the time-out, and wherein the faulty, previously active central computer is configured to autonomously attempt to restart and, following a successful restart, is configured to monitor the communications traffic within a cluster, the cluster containing the central computer, in order to ascertain the current status of the cluster, and wherein the computer assumes the role of the passive central computer and informs the now-active central computer by means of preferably periodic sign-of-life messages that it is performing the role of the passive central computer, and wherein, if the restart is unsuccessful, the faulty central computer is configured to indicate a permanent error, e.g. by means of a display means, such as in the form of an indicator light. 2 . A fault-tolerant, maintainable automation system comprising: at least two central computers; a process periphery that is preferably remote; and one or more gateway computers, in particular a multitude of gateway computers, wherein the at least two central computers are fail-silent FCUs and represent autonomous exchange units, and wherein the multitude of gateway computers are fail-silent FCUs and represent autonomous exchange units, wherein the central computers and the gateway computers are configured to exchange timed status messages via communications channels, preferably via wireless and in particular local wireless communications channels, and wherein each gateway computer is configured to establish the link to the process periphery associated with the gateway computer and to save the current status of the process periphery associated with the gateway computer, wherein one of the at least two central computers is configured to assume the role of an active central computer and at least one other central computer of the at least two central computers is configured to assume the role of a passive central computer, wherein the active central computer is configured to exert control over the gateway computers, wherein the active central computer is configured to transmit a sign-of-life message to the passive central computer, preferably periodically, wherein the passive central computer is configured to acknowledge the receipt of a sign-of-life message from the active central computer in a periodic sign-of-life message and to monitor it through a time-out, and wherein the passive central computer is configured to assume the role of the active central computer if the sign-of-life messages fail to appear after the time-out, wherein the faulty, previously active central computer autonomously is configured to attempt to restart and, following a successful restart, to monitor the communications traffic within a cluster, namely the cluster containing the central computer and the gateway computers, in order to ascertain the current status of the cluster, and wherein the computer is configured to assume the role of the passive central computer and to inform the now-active central computer by means of preferably periodic sign-of-life messages that it is performing the role of the passive central computer, and wherein, if the restart is unsuccessful, the faulty central computer is configured to indicate a permanent error, e.g. by means of a display means, such as in the form of an indicator light. 3 . The automation system of claim 1 , wherein a central computer is configured to monitor the communications traffic within the cluster after power-up in order to determine a cluster identifier, wherein an initialization state associated with the cluster identifier is subsequently downloaded from a cloud or a memory medium, and wherein the communications traffic within the cluster is monitored after the successful start-up of the preferably new central computer in order to ascertain the current status of the cluster and wherein the new central computer is configured to assume the role of the passive central computer from then on and to inform the active central computer by means of preferably periodic sign-of-life messages that it is performing the role of the passive central computer. 4 . The automation system of claim 2 , wherein the at least two central computers and/or the one or more gateway computers have access to a global time. 5 . The automation system of claim 2 , wherein the central computer that assumes the role of the active central computer after the time-out is configured to assume control over the process periphery and the one or more gateway computers. 6 . The automation system of claim 1 , wherein the sign-of-life messages sent by the central computer contain a unique identifier for the central computer transmitting them. 7 . The automation system of claim 1 , wherein when two of the at least two central computers power up simultaneously, the central computer with the smaller identification number is configured to assume the role of the active central computer. 8 . The automation system of claim 2 , wherein a data field containing a unique identifier of the cluster identity is included in a payload of the internal cluster messages from one of the one or more gateway computers to the central computer. 9 . The automation system of claim 1 , wherein at least one of the at least two central computers is configured to exchange the messages with its environment in the cluster, i.e. at least with the at least one further central computer and/or at least with the gateway computers, via a Bluetooth communications system. 10 . The automation system of claim 1 , wherein at least one of the at least two central computers is configured to exchange the messages with its environment in the cluster, i.e. at least with the at least one further central computer and/or at least with the gateway computers, via a WiFi communications system. 11 . The automation system of claim 1 , wherein at least one of the at least two central computers is configured to exchange the messages with its environment in the cluster, i.e. at least with the at least one further central computer and/or at least with the gateway computers, via a ZigBee communications system.