MANUFACTURING agility has emerged as an important

796 IEEE TRANSACTIONS ON ROBOTICS AND AUTOMATION, VOL. 14, NO. 5, OCTOBER 1998 A Correct and Scalable Deadlock Avoidance Policy for Flexible Manufacturing Systems Mark A. Lawley, Spyros A. Reveliotis, and Placid M. Ferreira Abstract Configuration flexibility and deadlock-free operation are two essential properties of control systems for highly automated flexible manufacturing systems. Configuration flexibility, the ability to quickly modify manufacturing system components and their logical relationships, requires automatic generation of control executables from high level system specifications. These control executables must guarantee deadlock-free operation. The resource order policy is a configurable controller that provides the deadlock-free guarantee for buffer space allocation. It uses a total ordering of system machines and routing information to generate a set of configuration specific linear constraints. These constraints encode the system state along with a buffer capacity function and define a deadlock-free region of operation. Constraint generation and execution are of polynomial complexity. Index Terms Deadlock avoidance, discrete event systems, flexible manufacturing. I. INTRODUCTION MANUFACTURING agility has emerged as an important strategic goal for manufacturing enterprises. In a highly automated environment, rapid redeployment of technological resources requires flexible system control software. Unfortunately, control software issues spawn the most difficult problems associated with building highly automated flexible manufacturing systems (FMS s) [1]. Traditionally, system designers developed FMS control software for specific system configurations, hard coding the control logic for specific part types, routes, and machines into the FMS controller. Adding new part types or machines to the configuration required development of new control software. Manufacturing agility, however, precludes these time consuming and error prone bouts of manual software modification and development. Indeed, agility concepts compel researchers to seek methods for developing flexible controllers that automatically reflect changes in system configuration. Automatic control software development is, therefore, an important area of manufacturing systems research. Good surveys of this research area are found in [2] and [3]. A common theme is that the control function can be formally modeled, typically with Petri nets, while control Manuscript received September 22, 1997; revised July 4, 1998. This paper was recommended for publication by Associate Editor R. Uzsoy upon evaluation of the reviewers comments. M. A. Lawley is with the School of Industrial Engineering, Purdue University, West Lafayette, IN 47907-1287 USA. S. A. Reveliotis is with the School of Industrial and Systems Engineering, Georgia Institute of Technology, Atlanta, GA 30332-0205 USA. P. M. Ferreira is with the Department of Mechanical and Industrial Engineering, University of Illinois at Urbana-Champaign, Urbana, IL 61801 USA. Publisher Item Identifier S 1042-296X(98)07729-5. executables can be automatically generated from these models [4], [5]. Controller configuration is the process of updating a system specification template from which control models and code are generated. Current research in this area includes [6] [9]. Control code must direct system operation so that the processing requirements of parts passing through the system are met in a timely fashion. This requires some strategy for handling deadlock, an insidious halting condition prevalent in many types of discrete event systems [10]. When an FMS enters deadlock, the whole system can cease to operate, making deadlock-free operation a primary concern in designing configurable FMS controllers. FMS deadlock typically results from imprudent allocation of system resources such as buffer space, tooling, and material handling equipment [11]. Because each resource type exhibits unique deadlocking characteristics, FMS controllers must integrate a variety of strategies for handling these different deadlock scenarios. For example, a controller that allocates buffer capacity to parts and guidepath segments to AGV s will likely require different allocation control methods for each since parts follow predetermined routes and eventually terminate, whereas AGV s plan new paths and persist in the system. This work focuses on control policies for allocating buffer capacity in a deadlock-free manner. An FMS deadlocks with respect to buffer capacity when there exists a set of parts in the system with each part in the set awaiting buffer capacity occupied by another part in the set. The objective of a deadlock avoidance policy (DAP) is to constrain allocation so that this situation never occurs. To accomplish this, DAP s define regions of operation within which systems must work. They do not direct operation within these regions, this task being left to performance oriented order release, dispatching, and scheduling techniques. DAP s must demonstrate four important properties: 1) correctness; 2) scalability; 3) operational flexibility; 4) configurability. Correct DAP s provide the deadlock-free guarantee, that is, they constrain buffer allocation so that all parts eventually complete their routes under normal system operation. Scalable DAP s are computationally tractable and can be executed in real time. Because optimal deadlock avoidance (restraining buffer allocation only when necessary) is computationally intensive, scalable DAP s typically sacrifice optimality for real time execution. DAP operational flexibility measures how much system operating space a scalable DAP sacrifices 1042 296X/98$10.00 1998 IEEE

LAWLEY et al.: CORRECT AND SCALABLE DEADLOCK AVOIDANCE POLICY 797 (how much stricture it imposes) to achieve scalability. Higher operational flexibility provides greater leeway for performance oriented control policies. Regarding DAP configurability, we make the following observations: the composition and frequency of deadlocked part sets depends on the interaction of part routes. In environments where new part types are continually being produced, system deadlock characteristics will vary widely over time depending on part mix. This fact has two implications. First, handling deadlock tends to be a control rather than a design problem. For instance, two ways to handle deadlock in the design phase would be either: 1) adding significant processing redundancy so that part routes can be highly restricted; 2) adding extra buffer capacity to reduce competition among parts. Both approaches only reduce the probability of deadlock, neither guarantees deadlock-free operation. We discount the first alternative based on expense, and note that the second does not support the concept of agile manufacturing. Increased system buffer capacity invariably leads to higher levels of work in process and poorer system response. We therefore approach deadlock as a system control problem. The second implication of the time-variance of system deadlock properties is that DAP s requiring configuration specific deadlock analysis are not applicable in an agile manufacturing environment. A DAP developed by analyzing the interactions among a given set of part types applies for those part types only. When new part types are added, the DAP no longer works, and new deadlock analysis is required. The allocation constraints of configurable DAP s are quickly generated and updated without configuration specific deadlock analysis. Analysis must occur in the DAP design stage where properties are established, not in DAP application. Our work treats deadlock as a real time operational problem and emphasizes correctness, scalability, and configurability over optimal allocation. Once we develop a DAP that satisfies these properties, we investigate and develop methods for improving its operational flexibility. In [12], we provide a detailed review of manufacturing research dealing with buffer capacity allocation and deadlock handling strategies that includes [13], [11], [14] [24]. The following section presents an FMS buffer allocation model that sets the stage for discussing DAP properties. Section III then presents a DAP called the Resource Order Policy (RO), establishes its properties, and applies it to a realistic example. Section IV develops methods for improving RO s operational flexibility and provides empirical verification of corresponding enhancements in system flexibility. The paper then concludes by discussing current and future research directions. II. BUFFER ALLOCATION MODEL AND DEADLOCK AVOIDANCE POLICIES Buffer capacity allocation is a fundamental control function in automated manufacturing. The FMS controller regulates part flow through the system by granting and rejecting capacity requests made by parts. We define a unit of buffer capacity to be any physical location where a part can sit or be held. This includes locations for part staging as well as machine processing (these are identical in terms of deadlock). Furthermore, we assume that: 1) a part visits the sequence of machines specified in its route; 2) a part requires a single unit of buffer capacity at each machine in its route; 3) a part occupies one and only one unit of buffer capacity at a time; 4) a unit of buffer capacity can accommodate only one part at a time; 5) preemption is not allowed (the controller allocates unoccupied buffer capacity only). To visit a machine, a part first requests a single unit of that machine s capacity. It then waits at its current location until the system controller grants the request. The part then releases its currently held capacity and proceeds to the next machine. Because this scenario contains the four necessary conditions for deadlock [10], the system controller must allocate prudently, otherwise the system will stall. The allocation state captures the distribution of parts in their various stages of processing across the system. It implicitly provides information regarding future requirements since routes are known. The system changes its allocation state in one of three ways: 1) a new part is loaded into the system; 2) some part already in the system is advanced one step in its route; 3) a finished part leaves the system. The allocation state space is the set of all such states augmented with state transition information. Such a space is conveniently represented by a directed graph, where vertices represent states and directed edges represent state transition. (Fig. 1 presents a small system and a portion of its allocation state space). Directed edge is present if and only if the single step advancement of one part in state results in state A state is safe if and only if there exists a path in the state space leading to the empty state. If no such path exists, then there is some set of parts in the system that cannot be completed under normal system operation, and the state is deemed unsafe (deadlock is unavoidable). Note that unsafe states are either deadlock or deadlock-free. In Fig. 1, is a deadlock-free unsafe state, that is, does not exhibit deadlock, but once it is reached, deadlock cannot be avoided. Optimal deadlock avoidance (the policy that allows all safe states and rejects all unsafe states) is hard (NP-complete) due to states like [25]. Because of these states, we must sacrifice optimality for scalability. Finally, we note the existence of states such as and in Fig. 1 that are not reachable under normal FMS operation. We are now prepared to discuss DAP properties. A. DAP Correctness A DAP is an algorithm that partitions or cuts the FMS state space into admissible and inadmissible regions. The admissible region, the set of all states that the DAP permits the system to

798 IEEE TRANSACTIONS ON ROBOTICS AND AUTOMATION, VOL. 14, NO. 5, OCTOBER 1998 Fig. 1. Example system with portion of state space. visit, must satisfy certain properties if the DAP is to guarantee deadlock-free operation. Let be the set of states admitted by a DAP under normal FMS operation (we assume contains only reachable states). Further, let be the subspace induced by that is, where Finally, for every let is reachable from in. Then, a DAP is correct if and only if (1) and (2) In essence, this says that a DAP is correct (guarantees deadlockfree allocation) if and only if for every reachable allocation state that it admits, there exists a sequence of admissible allocation states leading to the empty state. In Fig. 1, a DAP cutting the subspace at admits the region and is correct though highly restrictive. A DAP that does single step look ahead

LAWLEY et al.: CORRECT AND SCALABLE DEADLOCK AVOIDANCE POLICY 799 for deadlock would cut the subspace at The resulting admissible region does not satisfy (2), and, therefore, the policy is not correct. Reference [20] provides a formal framework for proving DAP correctness. B. DAP Scalability Real time control policies must use computationally tractable algorithms. Formally, an algorithm is characterized as tractable if its time and space requirements are bounded by polynomial functions of problem encoding size [26], since, in theory, computational requirements do not become unmanageable as input sizes grow. (As a matter of practicality, these bounding polynomials need to be of relatively low order with execution times measured in seconds.) We say that a DAP is scalable if the time and space required for constraint execution is bounded by polynomial function of FMS configuration size, where configuration size is measured by the number of machines, the number of part types, and CRL the cumulative route length. C. DAP Configurability As discussed in the introduction, configuration flexibility is an increasingly important characteristic for automated manufacturing systems. A DAP is configurable if the operating constraints that it imposes can be quickly generated for new FMS configurations. This implies that DAP correctness and scalability must be independent of FMS configuration. As with scalability, we say that a DAP is configurable if the time and space required for constraint generation is bounded by a polynomial function of FMS configuration size: and CRL. D. DAP Operational Flexibility As previously noted, a DAP is optimal if it admits every safe state and rejects every unsafe state. The optimal DAP is not generally tractable since state safety is NP-complete for FMS buffer allocation. This, together with the DAP scalability requirement, implies DAP sub-optimality, that is, scalable DAP s generally reject some safe states. If too many such states are rejected, however, the DAP will be too restrictive to use. One measure of DAP operational flexibility is the proportion of the safe state space that it admits, that is, This measure essentially compares the DAP to the optimal policy. Because closed form solutions for these quantities are unknown, we develop an empirical approach for estimating this ratio (see [27] for statistical details). To get a point estimate of we collect a sample of safe states and let be the number of admissible states in the sample. is a hypergeometric random variable, that is, the probability distribution of is (see Table I) where the total number of items in the population is the number of admissible items in the population is and the number of items sampled from the population is It is a standard result that the ratio is an unbiased estimator of To get an interval estimate of we invoke the binomial approximation to the hypergeometric (we approximate with where This holds when (we argue that because the size of the state space is typically huge, and samples are relatively small). If is large enough then by the Central Limit Theorem the statistic follows the standard normal distribution (where and From this, we compute the following 100% confidence interval on (where is the probability of a type I error). By selecting (where is a specified error), we can be at least 100% confident that the interval covers At this point, we need a method of generating samples of safe states for the given FMS configuration. Random state generation is not feasible since the general problem of deciding whether a state is safe or unsafe is NP-complete. Define the co-space of the state space digraph to be where Note that reverses the sense of all arcs in and states that are reachable from the empty state in are safe in (see [28] for proof). To generate a safe sample from we traverse the edges of starting at and randomly save a sample of the states encountered. This is accomplished by reversing the routes of the given FMS configuration and running it backward. Although this approach does not guarantee unbiased sampling, no other tractable method is known. It is currently unclear whether this sampling method affects the validity of the confidence intervals developed earlier. After state collection is completed, the states are sorted and redundant states removed. Estimates can then be computed. We have now established sufficient background to present the Resource Order Policy, a correct, scalable, and configurable DAP that provides good operational flexibility for most FMS configurations tested. III. THE RESOURCE ORDER POLICY A. Introduction The resource order policy (RO) is a DAP based on the intuition that parts traveling through the same machines but in opposing directions must at some point be able to pass. The policy arose from an analysis of the deadlock characteristics of counter-flow systems [12]. In this policy, the machines are ordered, and each part is categorized according to how it flows with respect to that order. Allocation is constrained so that there never simultaneously exists a machine low in the order filled with parts moving up the order and a machine high in the order filled with parts moving down the order. RO is expressible as a set of linear inequalities that defines a deadlock-free convex region of FMS operation. Because the categorization of parts as moving up or down the order depends on the ordering used, as many as independent constraint sets can be generated (and thus RO forms a family of DAP s). Mathematical programming is used to develop methods for selecting good orders (those yielding less restrictive constraint sets) from among the possibilities available.

800 IEEE TRANSACTIONS ON ROBOTICS AND AUTOMATION, VOL. 14, NO. 5, OCTOBER 1998 TABLE I NOTATION B. Policy Statement RO uses a total ordering, of FMS machines to categorize each part as right, left, or undirected. Let be the remaining route of part stage If the sequence is monotone increasing, then is right. If is monotone decreasing, then is a left. Otherwise, is undirected. If then is terminal and is ignored. Note that the remaining moves of a right (left) part are always to machines of increasing (decreasing) order, whereas an undirected part requires at least one more move up the order and at least one more move down the order. RO can now be expressed as the following set of linear constraints: where is the set of right and undirected part stages produced by is the set of left and undirected part stages produced by and is any

LAWLEY et al.: CORRECT AND SCALABLE DEADLOCK AVOIDANCE POLICY 801 bijective mapping. This policy precludes states exhibiting a machine high in the order filled with left/undirected parts and a machine low in the order filled with right/undirected parts. We now demonstrate the logic of this policy by applying it to a relevant technology in semi-conductor manufacturing, cluster tools. C. Example Cluster tools are an emerging technology in the semiconductor industry. These systems provide an enclosed clean room environment for processing silicon wafers. Cluster tools typically consist of a set of processing chambers within which wafer operations are performed. Some type of material handling device, such as a pick and place robot, transfers individual wafers between chambers. Each wafer type requires a predetermined sequence of operations and may revisit some chambers several times. These systems therefore share the deadlock characteristics found in highly automated systems with limited buffer space. For a more complete discussion of cluster tools, see [29]. This reference also provides several cluster tool examples to demonstrate their deadlocking potential. We will use Case III, Section VII-B of [29] to demonstrate the setup and execution of RO constraints. The process plans of two wafer types to be produced in a cluster tool with four processing chambers A, B, C, D one orientation chamber OR and one cool down chamber CD are shown at the bottom of this page. Operations are assigned to chambers as follows: Note that each chamber has one assigned operation, and that, with this chamber assignment, wafer routes are computed to be: OR, C, B, A, CD and OR, D, C, OR, D, C, CD We will assume that each chamber can accommodate only one wafer at a time. To construct RO constraints, we use the chamber ordering Note that we could have used any one of the 6! 720 different chamber orders available (later in the paper, we will discuss methods for selecting orders). We now categorize each wafer stage as right, left, or undirected (OR), (C), (B), (A), (CD) : left (C), (B), (A), (CD) : left (B), (A), (CD) : left (A), (CD) : left (OR), (D), (C), (OR), (D), (C), (CD) : undirected (D), (C), (OR), (D), C), (CD) : undirected (C), (OR), (D), (C), (CD) : undirected (OR), (D), (C), (CD) : left (D), (C), (CD) : left (C), (CD) : left. We next generate the sets RU and LU for each chamber. Recall that RU is the set of right and undirected wafer stages produced by chamber and LU is the set of left and undirected wafer stages produced by chamber as shown at the bottom of this page. RO constraints are now generated as In the first twelve constraints, RU and, thus, these constraints do not enforce any new limitations on the system. Constraints (13) (15) do effectively preclude certain states. Among these are the deadlock states of Fig. 2. We will now establish that these constraints guarantee deadlock-free operation. D. Policy Correctness In this section, we formally establish the correctness of the RO DAP. In this proof, we let and Theorem 1: RO is correct. Wafer Type Process Plan

802 IEEE TRANSACTIONS ON ROBOTICS AND AUTOMATION, VOL. 14, NO. 5, OCTOBER 1998 Fig. 2. Cluster tool with deadlock states. Proof: In this proof, we must show that for every state admitted by the policy, there exists a sequence of admissible states leading to the empty state. We start by assuming that the policy is not correct, that the FMS has been emptied of all parts that can be completed, and that no new part is allowed to enter the system. Under these assumptions, there exists an admissible state, with no admissible successor state in which a part already in the system moves forward. Note that implies that the constraints such that are satisfied. If any part moves forward in its route, then the constraints are violated, and we have the following condition: such that and must have a machine, say such that either or since, after the movement of one part, there will be two machines, one filled with right/undirected and one filled with left/undirected. Since the movement of one part cannot cause both, one must already exist. Without loss of generality, assume to be machine of highest order for which 1. Let and note that this implies In the current state, no machine of is filled with left/undirected (since the policy is not violated) or right/undirected (since is machine of highest order for which this is true). Furthermore, if is filled with undirected, no machine of is filled with right/undirected (again since the policy is not violated). Finally, every part of needs next to enter either or We first suppose that has at least one right part. Clearly, this part needs next to enter and such a move would not violate policy constraints since it would not cause a machine in to become filled with left/undirected. Therefore, the part must be blocked from entering Suppose this part next requires Clearly, is full and must hold at least one right part. This right part needs 1 The case where 6 P 2LU jpkm j = C i is symetrically covered by the duality of the right and left concepts. next to enter and, as before, such a move would not violate policy constraints. Therefore, the part must be blocked from entering We have now established that a blocked right part in implies a blocked right part in where This is clearly a contradiction since is a finite set. Next, suppose that is filled with undirected parts. No machine of can be filled with left/undirected (since the policy is not violated) or right/undirected (by assumption), that is, any filled machine in must have at least one right part and at least one left part. No machine of can be filled with undirected or right/undirected (since the policy is not violated), that is, any filled machine of must have at least one left part. Furthermore, if there exists a left (right) part in it must be blocked, else it could move forward without violating policy constraints. Note that if such a part exists, we get the contradiction given above. Therefore, all parts in the system must be undirected, and is the only machine filled. Clearly, we can advance any part at without policy violation. Thus, the assumption that RO is not correct is invalid. This theorem guarantees that RO is correct, that is, for every state admitted by RO constraints, there exists a sequence of admissible states leading to the empty state. Thus, the constraint set developed in the cluster tool example will not allow the system to deadlock. E. Policy Configurability and Scalability To show policy configurability and scalability, we must prove that constraint setup and execution are polynomially bounded in FMS configuration size. Theorem 2: RO is configurable and scalable. Proof: The steps involved in setting up the policy are as follows: 1) order the machines; 2) categorize the part stages produced by each machine into right and left sets; 3) generate a constraint for each pair of machines. Equation (1) takes steps. For (2), we must examine no more than (CRL- ) part stages (the last stage of each part type is terminal and need not be examined). For each part type, start with the next to last part stage. It will always be either right or left but never both. Then, traverse the part type route backward one stage at a time, noting whether the machine order increases or decreases at each step. As long as the observed machine ordering remains monotonically increasing (decreasing), stages are categorized as left (right). When the observed machine ordering undergoes a switch, all remaining part stages in the route are categorized as undirected. An upper bound on (2) is, therefore, (CRL) steps. For (3), we must generate one linear constraint for each pair of machines. The number of terms in the constraint for machine pair where is which has an upper bound of CRL. Therefore, (3) will require no more than CRL steps. An upper bound for policy setup is therefore (CRL Constraint execution is also (CRL

LAWLEY et al.: CORRECT AND SCALABLE DEADLOCK AVOIDANCE POLICY 803 These bounds are intended to establish the polynomiality of constraint setup and execution in terms of system parameters. Tighter bounds may be possible. F. Operational Flexibility and the Optimal Order Problem To implement RO, it is necessary to order the machines. Although any total order will do, some orders generate more restrictive constraints than others. In the cluster tool example, if we order the chambers as follows: then we get this constraint set as shown at the bottom of this page. Although these constraints guarantee deadlock-free operation, they appear much more restrictive than those previously developed. To investigate this, we collected a sample of 490 safe states from this system using the previously discussed sampling procedure. We then computed the proportion of the sample admitted by each constraint set. To help relate operational flexibility to performance, we simulated system operation under these two DAP s and saved performance results. This information is presented below. Note the positive correlation between operational flexibility and system performance measures, as shown at the bottom of the page. One difference in the two orders is the number of undirected part stages that each generates. The first order generates three, whereas the second generates eight. Recall that any part that switches direction with respect to the order in the remainder of its route is undirected. Such a part restricts both the number of right/undirected parts of machines lower in the order and the number of left/undirected parts of machines higher in the order, that is, the undirected part appears in both the right hand and left hand constraints of its machine. Undirected parts are, in a sense, double counted. It seems intuitive that orders minimizing the number of undirected part stages would generate less restrictive and therefore more flexible DAP s. This is a surrogate objective for the true, yet far more computationally difficult, objective of finding the order that maximizes the size of the admissible region. We note that even the surrogate problem of minimizing undirected part stages is NP-complete by restriction, that is, a restricted version of the problem in which each part route is acyclic with three machines is equivalent to BETWEENESS, an NPcomplete problem documented by [26] (for details, see [30]). Fortunately, computing good orderings needs to be done only when the system is re-configured, not in real time. We therefore address this problem by developing a linear integer programming (IP) model (see Fig. 3). For reasonably sized systems the proposed IP model can be solved to optimality, while for larger systems and/or stricter time constraints, improved but suboptimal solutions can be obtained by terminating the branch and bound search early. We now present this model using the previous example. (For the remainder of this discussion, optimal order refers to a machine ordering that minimizes the number of undirected stages.) Consider the cluster tool example with chambers A, B, C, D, OR, CD For notational convenience, we refer to chamber A as B as C as D as OR as and CD as Wafer types and routes are thus and We need to order the chambers so that the number of undirected part stages in these two routes is minimized. Let be an integer variable that represents the order of and consider the data structure of Fig. 4. This is a 2 CRL matrix where the row headings Sample Proportion Average Average Chamber Order Admitted Production Rate Machine Utilization wafers/hr wafers/hr

804 IEEE TRANSACTIONS ON ROBOTICS AND AUTOMATION, VOL. 14, NO. 5, OCTOBER 1998 one to one Next, we discuss constraints on the Note that since the last stage of each part type is ignored (since the part at this point is leaving the system), 0. Also, observe that the next to last stage of each part type is either right or left but never undirected, since a sequence of two natural numbers cannot have a switch. Therefore, we have Finally, note that for For example, in Fig. 5 we have Intuitively, if a part stage is categorized as right, all preceding part stages in the route must also be categorized as right (similarly for left). In general, these constraints are expressed as for (1) (2) Fig. 3. General integer programming formulation for the optimal order problem. indicate right and left, the column headings represent the order assigned to the machines in each route, and the binary variables, indicate whether the part stage is right, left, or undirected. Observe that the subscript denotes right/left, denotes part type, and denotes stage. For example, consider Fig. 5 where that is, 3, etc. We see that is undirected, i.e., 1, since the sequence 52 316 has a switch. Furthermore, we see that is right only, i.e., and 0, since the inclusive remainder of s route is increasing with respect to i.e., the sequence 16 has no switch. Using this structure, it is possible to develop the following constraints. We start with constraints that guarantee a one to one mapping from the set to A well known expression from analysis is that for any natural number 1 2 2 (in the cluster tool example, the variables must sum to 21). We introduce a binary indicator variable, where 1if zero otherwise. Assuming is some large number the following constraints are satisfied if and only if the mapping from to is Finally, note that 1if and 1 if In words, is 1 if the column heading of the next column is greater than the column heading of (the part stage represented by must next move up the order), and is 1 if the column heading of the next column is less than the column heading of (the part stage represented by must next move down the order). For example, in Fig. 5 we see that since 1. Similarly, since 4. We encode these in linear constraints as and ( 1), respectively. To express these constraints in general, we let be 1 if is the ( 1)st machine in route 1if is the th machine in route and 0 otherwise (note that indicates machine, indicates the route, and indicates stage). All required constraints are then generated by for Finally, we must select an appropriate objective. Because of the structure of these constraints, minimizing the summation of the binary variables is equivalent to minimizing the number (3)

LAWLEY et al.: CORRECT AND SCALABLE DEADLOCK AVOIDANCE POLICY 805 Fig. 4. Stage direction matrix. Fig. 5. Right left categorization for order CD 6 A 1 B 3 C 2 D 4 OR 5 : of undirected part stages (similarly, maximizing the summation of the binary variables is equivalent to maximizing the number of undirected part stages). We therefore have Fig. 6 provides the constraints generated by the cluster tool example. We solved the program of Fig. 6 using branch and bound and obtained the order The reader can easily verify that this order generates three undirected part stages. We are able to characterize the number of variables and constraints generated for a system with machines and part types each with route length as follows: Number of Variables Number of Constraints In the program of Fig. 6, there are 36 2 12 60 variables and 1 3 2 1.5 (36 6) 2 (12 2) 4 3 6 5 114 constraints. These derivations rely on simple counting. We make the following observations regarding the solvability of this IP. First, we applied and easily solved the IP for eight experimental systems presented in the next section. The largest of these systems consisted of nine machines producing nine different part types with a cumulative route length of forty-five stages. For larger systems, where the required computation might be intractable, the proposed formulation can still provide efficient but suboptimal orderings by using the incumbent solution(s) obtained by a branch and bound search over a constrained time budget. In fact, more than one of the currently obtained best solutions can be used in a disjunctive RO implementation, which admits a buffer allocation state if the policy implementation based on any of the considered resource orderings admits the state. For additional discussion on DAP disjunction and the computation of complementary orderings for such schemes, see [31]. IV. EXPERIMENTS IN OPERATIONAL FLEXIBILITY A. Introduction This section presents the results of simulation experiments in which we investigate the effects of optimal orders and system parameters on operational flexibility, average machine utilization, and normalized system production rate. In this experiment, we randomly generate a set of FMS configurations (where a configuration consists of a set of machines and their capacities along with a set of part types and their routes) and then collect a sample of safe states from each using the co-space simulation method discussed earlier. We then use this sample to estimate the operational flexibility of RO using optimal and worst case orders (worst case orders maximize the number of undirected part stages). Our objective in doing this is to evaluate the effectiveness of the surrogate objective used in the IP formulation, that is, to determine the extent to which the number of undirected part stages affects the operational flexibility of the RO policy. Worst case and optimal orderings provide the maximum difference in the number of undirected part stages. We also simulate two large production runs for each system, the first with system operation constrained by RO under the worst case order, and the second with system operation constrained by RO under the optimal order. Finally, we compute and analyze system performance measures from these runs. Our intention in this

806 IEEE TRANSACTIONS ON ROBOTICS AND AUTOMATION, VOL. 14, NO. 5, OCTOBER 1998 Fig. 6. Example optimal order formulation. last set of experiments is to establish that operational flexibility can lead to improved performance, but to make effective use of this potential, sophisticated scheduling policies are needed. To neutralize effects caused by the scheduling policy, we apply an opportunistic scheduling scheme based on a push, first-come-first-serve approach to part loading and dispatching. Developing good scheduling policies for these environments is a complex problem that is part of our current research and is beyond the scope of this paper. B. Random System Generation We randomly generated FMS configurations to be tested by systematically varying the following parameters, taking one

LAWLEY et al.: CORRECT AND SCALABLE DEADLOCK AVOIDANCE POLICY 807 Fig. 7. Example configuration sheet. configuration at each of the levels for a total of eight systems, shown at the bottom of this page. For example, to produce a random configuration with both the number of machines and machine capacities at high levels, we selected the number of machines from a normal distribution with mean of 8 and variance of 1 and machine capacities from a normal distribution with mean of 6 and variance of 1. Shop type affected the structure of the routes in the system. Flow shops tended to have routes with parts flowing in a single direction, whereas the routes of job shops exhibited no apparent structure. To generate routes for a job shop type of configuration, we chose the first machine in each route uniformly from the set of machines in the system, that is, each machine had equal probability of being selected. We selected the remainder of the route uniformly with the restriction that no machine could follow itself in any route. For flow shops, we chose the first machine in each route uniformly and selected remaining machines from a binomial distribution that placed most of the weight of the distribution on machine numbers just larger than the last selected machine. In other words, for small there was high probability that followed and for large small there was high probability that followed Thus, routes tended to be increasing in machine number with occasional cycles back to machines with low numbers (see the route in the example of Fig. 7). C. Experimental Results Fig. 7 presents the data sheet for the system with low number of machines, high machine capacities, and routes that tend to have flow shop structure. We collected a sample of 417 950 safe states from this system and used them to check the operational flexibility of the worst case and optimal orders. These orders were determined by solving the formulation of Fig. 3 for this configuration. We then simulated two production runs for this system, the first with the system operating under RO constraints generated from the worst case order, and the second with the system operating under RO constraints generated from the optimal order. Each production run consisted Fig. 8. Fig. 9. Effects of experimental factors on proportion admitted. Two factor interaction between shop type and DAP. of approximately 1000 of each part type. We then computed the normalized production rates and machine utilizations from each of these runs. Note that the normalized production rate was computed by taking the ratio of the observed system production rate to the ideal system rate, the ideal rate being computed as: where is the set of all part stages operated on by machine and is the average processing time of part stage This equation essentially computes an upper bound on the output rate of the bottleneck machine, and thus represents an upper bound on system production rate. In the system of Fig. 7, optimal ordering provides a good increase in operational flexibility that leads to enhanced production rate and machine utilization. Fig. 8 summarizes the effects of DAP, shop type, capacity, and number of machines on the proportion of sample admitted. DAP and capacity are statistically significant with values of 0.09 and 0.8%, respectively. The average proportion increases from about 45% for systems under worst case RO to 83% under optimal RO. The figure further indicates that, on average, RO tends to be less constraining for higher capacity systems with routes structured after the flow shop. The negative correlation between number of machines and RO flexibility is natural since the size of RO s constraint set is quadratic in number of machines. Furthermore, in larger systems, part routes are unlikely to consist of all machines. Parameters High Level Low Level Number of Machines Normal Normal Machine Capacity Normal Normal Shop Type Job Shop Flow Shop

808 IEEE TRANSACTIONS ON ROBOTICS AND AUTOMATION, VOL. 14, NO. 5, OCTOBER 1998 Fig. 10. Fig. 11. Effects of experimental factors on normalized production rate. Effects of experimental factors on average machine utilization. Although some cases exhibit considerable improvement (systems 1, 4, and 5), others show no improvement or even slight degradation (system 7). These results emphasize that exploiting increased operational flexibility for improved system performance requires more sophisticated scheduling and dispatching than the simple first come first serve policy that we implemented. Developing such effective scheduling schemes is a nontrivial task that is the logical extension and challenge to this work. Some preliminary results along these lines can be found in [21], [32]. V. CONCLUSION In conclusion, the objective of our research is to develop rapidly configurable control policies that guarantee deadlockfree FMS operation. In this paper, we presented the Resource Order Policy, a correct, configurable, and scalable DAP. We used the FMS state space to develop the concepts of DAP correctness, configurability, scalability, and operational flexibility. We demonstrated RO setup and proved policy correctness. We also showed policy setup and execution to be polynomial in FMS configuration size. Finally, we discussed how to tune the policy for a particular FMS configuration using linear integer programming model that identifies optimal orders, and we presented experimental evidence supporting this approach. Future research will address routing flexibility under DAP supervision, the development of new DAP s, and the relationships and interactions between DAP s and FMS scheduling and dispatching policies. REFERENCES Fig. 12. Normalized production rates for optimal and worst case RO policies. Since RO constraints do not recognize this, they tend to be more conservative for larger systems. There is also a significant two-factor interaction between DAP and shop type value of 4.7%). Fig. 9 indicates that shop type is significant only for worst case RO. Route structure has little effect on RO flexibility when the optimal order is used. We perceive this effect as an additional indication that the surrogate criterion selected for the optimal order problem is a valid one. Figs. 10 and 11 show that capacity level had the most dramatic effect on normalized production rate and machine utilization values of 0.03%). We believe there are two reasons for this. First, in our simulation, each unit of capacity has its own server, that is, a workstation with two units of capacity is equivalent to two identical machines each with a single unit of capacity. Second, as capacity increases, RO constraints become less restrictive, since higher capacity levels increase the right hand side of RO constraints, and this might lead to improved performance. Finally, Fig. 12 compares the normalized production rates obtained under optimal and worst case order implementations of the RO DAP for the eight considered configurations. [1] D. Upton, A flexible structure for computer-controlled manufacturing systems, Manuf. Rev., vol. 5, pp. 58 74, Mar. 1992. [2] J. Charr, D. Teichroew, and R. Volz, Developing manufacturing control software: A survey and critique, Int. J. Flexible Manufact. Syst., vol. 5, pp. 53 88, June 1993. [3] K. D Souza and S. Khator, A survey of Petri net applications in modeling controls for automated manufacturing systems, Comput. Ind., vol. 24, pp. 5 16, 1994. [4] R. Cossins and P. Ferreira, Celeritas: A colored Petri net approach to simulation and control of flexible manufacturing systems, Int. J. Prod. Res., vol. 30, pp. 1925 1956, Aug. 1992. [5] M. Zhou, Petri Nets in Flexible Automation. Boston, MA: Kluwer, 1995. [6] C. Ausfelder, E. Castelain, and J. Gentina, A method for hierarchical modeling of the command of flexible manufacturing systems, IEEE Trans. Syst., Man, Cybern., vol. 24, pp. 564 573, Apr. 1994. [7] H. Cho and R. Wysk, Intelligent workstation controller for computerintegrated manufacturing: problems and models, J. Manufact. Syst., vol. 14, pp. 252 263, 1995. [8] S. Joshi, E. Mettala, and R. Wysk, CIMGEN A computer aided software engineering tool for development of fms control software, IIE Trans., vol. 24, pp. 84 97, July 1992. [9] J. Villarroel and P. Muro-Medrano, Using Petri net models at the coordination level for manufacturing system control, Robot. Computer- Integrated Manufact., vol. 11, pp. 41 50, 1994. [10] A. Silberschatz and G. Peterson, Operating Systems Concepts. Reading, MA: Addison-Wesley, 1991. [11] H. Cho, T. Kumaran, and R. Wysk, Graph-theoretic deadlock detection and resolution for flexible manufacturing systems, IEEE Trans. Robot. Automat., vol. 11, pp. 413 421, June 1995. [12] M. Lawley, S. Reveliotis, and P. Ferreira, Design guidelines for developing deadlock handling strategies in flexible manufacturing systems, Int. J. Flexible Manufact. Syst., vol. 9, pp. 5 30, 1997. [13] Z. Banaszak and B. Krogh, Deadlock avoidance in flexible manufacturing systems with concurrently competing process flows, IEEE Trans. Robot. Automat., vol. 6, pp. 724 734, Dec. 1990.

LAWLEY et al.: CORRECT AND SCALABLE DEADLOCK AVOIDANCE POLICY 809 [14] F. Hsieh and S. Chang, Dispatching driven deadlock avoidance controller synthesis for flexible manufacturing systems, IEEE Trans. Robot. Automat., vol. 10, pp. 196 209, Apr. 1994. [15] T. Kumaran, W. Chang, H. Cho, and R. Wysk, A structured approach to deadlock detection, avoidance, and resolution in flexible manufacturing systems, Int. J. Prod. Res., vol. 32, pp. 2361 2379, Oct. 1994. [16] M. Lawley and P. Ferreira, An automaton based framework for analysis and control of flexible manufacturing systems, in Proc. Mid-America Conf. Intell. Syst., Kansas City, KS, Oct. 1994, pp. 144 151. [17] M. Lawley, S. Reveliotis, and P. Ferreira, Configurable and scalable real time control policies for deadlock avoidance in flexible manufacturing systems, in Proc. 6th Int. FAIM Conf., Atlanta, GA, May 1996, pp. 758 767. [18], Structural control of flexible manufacturing systems and the neighborhood policy: Parts 1 & 2, IIE Trans., vol. 29, no. 10, pp. 877 899, Oct. 1997. [19] Y. Leung and G. Sheen, Resolving deadlocks in flexible manufacturing cells, J. Manufact. Syst., vol. 12, pp. 291 304, 1993. [20] S. Reveliotis and P. Ferreira, Deadlock avoidance policies for automated manufacturing cells, IEEE Trans. Robot. Automat., vol. 12, pp. 845 857, Nov. 1996. [21], Performance evaluation of structurally controlled fms: exact and approximate methods, in Proc. 6th Int. FAIM Conf., Atlanta, GA, May 1996, pp. 829 838. [22] N. Viswanadham, Y. Narahari, and T. Johnson, Deadlock prevention and deadlock avoidance in flexible manufacturing systems using Petri nets, IEEE Trans. Robot. Automat., vol. 6, pp. 712 723, Dec. 1990. [23] R. Wysk, N. Yang, and S. Joshi, Detection of deadlocks in flexible manufacturing cells, IEEE Trans. Robot. Automat., vol. 7, pp. 853 859, Dec. 1991. [24], Resolution of deadlocks in flexible manufacturing systems: avoidance and recovery approaches, J. Manufact. Syst., vol. 13, pp. 128 138, 1994. [25] S. Reveliotis, M. Lawley, and P. Ferreira Polynomial complexity deadlock avoidance policies for sequential resource allocation systems, IEEE Trans. Automat. Contr., vol. 42, Oct. 1997. [26] M. Garey and D. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness. New York: W. H. Freeman, 1979. [27] R. Walpole and R. Myers, Probability and Statistics for Engineers and Scientists. New York: Macmillan, 1995. [28] M. Lawley and P. Ferreira, Efficiency analysis of deadlock avoidance policies in flexible manufacturing systems, Tech. Rep. UILU-ENG-96-4009, Univ. Illinois at Urbana-Champaign, Urbana, IL, 1996. [29] D. Bodner, Real-time control approaches to deadlock management in automated manufacturing systems, Ph.D. dissertation, Georgia Inst. of Technol., Atlanta, GA, 1996. [30] M. Lawley, Structural analysis and control of flexible manufacturing systems, Ph.D. dissertation, Univ. Illinois at Urbana-Champaign, Urbana, IL, 1995. [31] S. Reveliotis, Structural control of flexible manufacturing systems with a performance perspective, Ph.D. dissertation, Univ. Illinois at Urbana-Champaign, Urbana, IL, 1996. [32] M. Lawley and J. Mittenthal, Order release and deadlock avoidance interactions in counter-flow system optimization, Research Memorandum 98-09, School of Industrial Engineering, Purdue Univ., West Lafayette, IN, 1998. Mark A. Lawley received the B.S. degree in industrial engineering from Tennessee Technological University, Cookeville, the M.S. degree in manufacturing systems engineering from Auburn University, Auburn, AL, and the Ph.D degree in mechanical engineering from the University of Illinois at Urbana-Champaign. He is Assistant Professor of Industrial Engineering at Purdue University. He has held industrial positions with Westinghouse Electric Corporation and Emerson Electric Company. His research interests are in manufacturing systems modeling, analysis, and control. He is a registered professional engineer in the State of Alabama. Spyros A. Reveliotis received the Ph.D degree in industrial engineering from the University of Illinois at Urbana-Champaign, the M.S. degree in computer systems engineering/engineering software design from Northeastern University, Boston, MA, and the B.S. degree in electrical engineering from National Technical University of Athens (NTUA), Greece. He is Assistant Professor of Industrial Engineering at the Georgia Institute of Technology, Atlanta. Before coming to the United States, he held the position of Scientific Associate in the Department of Electrical Engineering, NTUA. His research interests include real time control of automated manufacturing systems and discrete event modeling and control methodologies. Placid M. Ferreira received the Ph.D. degree from Purdue University, West Lafayette, IN, in 1987. He is Associate Professor of Mechanical and Industrial Engineering at the University of Illinois at Urbana-Champaign. His research interests are in flexible automation.