The invention relates to a fault-tolerant, maintainable automation system comprising two central computers, a process periphery and gateway computers, wherein the central computers and the gateway computers are fail-silent FCUs and represent autonomous exchange units, and the central computers and gateway computers exchange timed status messages via communications channels, and wherein each gateway computer establishes the link to the process periphery associated with the gateway computer and saves the current status of the process periphery associated with the gateway computer, and wherein a central computer assumes the role of an active central computer and another central computer assumes the role of a passive central computer, and wherein the active central computer exerts control over the gateway computers, and wherein the active central computer transmits a sign-of-life message to the passive central computer, preferably periodically, and wherein the passive central computer acknowledges the receipt of a sign-of-life message from the active central computer in a periodic sign-of-life message and monitors it through a time-out, and wherein the passive central computer assumes the role of the active central computer if the sign-of-life messages fail to appear after the time-out, and wherein the faulty, previously active central computer autonomously attempts to restart and, following a successful restart, monitors the communications traffic within a cluster, the cluster containing the central computer, in order to ascertain the current status of the cluster, and wherein the computer assumes the role of the passive central computer and informs the now-active central computer by means of preferably periodic sign-of-life messages that it is performing the role of the passive central computer, and wherein, if the restart is unsuccessful, the faulty central computer indicates the permanent error by means of a display means.