A Distributed Protocol for Motion Coordination in Free-Range Vehicular Systems


Elzbieta Roszkowska, Institute of Computer Engineering, Control and Robotics, Wroclaw University of Technology, Poland (e-mail: elzbieta.roszkowska@pwr.wroc.pl)
Spyros A. Reveliotis, School of Industrial & Systems Engineering, Georgia Institute of Technology, USA (e-mail: spyros@isye.gatech.edu)

Abstract: This paper extends the RAS-based approach to conflict resolution in multi-vehicle systems presented in Reveliotis and Roszkowska (2008). As in that earlier work, the employed model assumes the tessellation of the motion space into cells, which constitute the set of resources shared by the system agents. The key difference in the proposed abstraction is the admission of up to two agents in a single cell at a time, instead of only one, as was assumed earlier. This changes dramatically the complexity of the state-safety problem, from computationally hard to easy, and allows the effective deployment of a maximally permissive control scheme for the coordination of the agents' motion, as well as the implementation of this scheme in the form of a distributed protocol.

Keywords: Mobile Agents, Motion Coordination, Distributed Control, Deadlock Avoidance.

1. INTRODUCTION

The establishment of collision-free and live vehicle motion is a prominent problem for many traffic systems. In the prevailing approaches to this problem, each vehicle is abstracted to a mobile agent, and their dynamics are described with models whose state evolves in continuous time. The research into the control of such multi-agent systems is based on centralized or decentralized schemes, including, in the latter case, the study of communication problems among the agents. Further investigations concern the sensing capabilities, communication protocols, and the (feedback-based) motion control laws that will enable each agent to complete its mission trip while avoiding potential collisions with the remaining agents and any other obstacles present. Some indicative examples of this line of research can be found in Pallottino et al. (2007); Bicchi and Pallottino (2000); Tomlin et al. (1998); Lygeros et al. (1998); Inalhan et al. (2002); La Valle and Hutchinson (1998); Dimarogonas et al. (2006), while a higher-level but more comprehensive description of the pursued methods can be found in Kuchar and Yang (2000). Yet, a closer examination of the results presented in these references reveals that, by focusing on the continuous-time dynamics of the vehicle motion, they tend to suffer from a very high computational complexity, and therefore their scalability to environments requiring the coordination of a large number of vehicles can become a challenging issue. Furthermore, as remarked in Pallottino et al. (2007), while many of the above works guarantee motion safety, very few of them have actually considered the issue of motion liveness, i.e., the ability of each agent to successfully reach its destination in finite time.

In this paper we approach the vehicle coordination problem using the resource-allocation paradigm introduced in our earlier works (cf. Reveliotis and Roszkowska (2008, 2010)). As previously, the employed model assumes the tessellation of the motion space into cells, which constitute the set of resources shared by the system agents. The key difference in the proposed abstraction is the admission of up to two agents in a single cell at a time, instead of one, as was assumed earlier. This changes dramatically the complexity of the underlying decision-making process, from computationally hard to easy, and allows us to propose a maximally permissive scheme for the coordination of the agents' motion, as well as to implement the resulting control policy in the form of a distributed protocol.

The rest of this paper is structured as follows: In Section 2, we recall the FREE-RANGE-RAS abstraction of the considered vehicle system that was initially presented in Reveliotis and Roszkowska (2008), and introduce certain constraints on the assumed model, which reduce this RAS to the simpler class of Linear Single-Unit Resource Allocation Systems, or L-SU-RAS. Then, in Section 3, we discuss the problem of liveness enforcement in L-SU-RAS and present a maximally permissive policy that is applicable to the adopted abstraction of the vehicle system. The implementation of these results in the form of a distributed protocol is considered in Section 4, and Section 5 provides conclusions and directions for further work.

Copyright by the International Federation of Automatic Control (IFAC)

Fig. 1. The mapping W(·) and the partitioning of the motion plane induced by it.

2. THE FREE-RANGE-RAS ABSTRACTION OF THE VEHICLE SYSTEM

We consider a set of autonomous mobile agents that move in a finite planar area A of R^2. Each agent is represented by a disk of radius ρ, and its center follows a pre-specified path that is given in the parametric form x_c = x_c(t), y_c = y_c(t), t in [0, T]. It is assumed that the agents stay off the system before they start their travel, and that they are retired from the system upon reaching their destination. However, during their concurrent motion in the system, the agents share the available space, and in order to avoid collisions, they may need to modify their velocity profiles. Such coordination can be achieved through a hybrid control based on the tessellation of the motion plane into a number of areas, called cells (cf. Reveliotis and Roszkowska (2008, 2010)). More specifically, the motion area is abstracted as a grid of horizontal and vertical lines spaced at a distance d no smaller than ρ and centered at the origin of the coordinate system (x, y). The resulting cells will be denoted by W = {w[i, j] : i in {−I, ..., −1, 0, 1, ..., I}, j in {−J, ..., −1, 0, 1, ..., J}}, where I and J are taken large enough to encompass the entire (finite) area A that supports the agent motion. Then, given a point (x, y) of A and a cell w[i, j], we define

(x, y) lies in w[i, j] iff x lies between (i − 1)d and id and y lies between (j − 1)d and jd   (1)

We shall say that an agent (with its disk) centered at (x_c, y_c) occupies cell w[i, j] if and only if (iff) there exists a point (x, y) of w[i, j] within Euclidean distance ρ of (x_c, y_c).

Clearly, this definition induces a mapping W from the motion area A to the powerset 2^W of W, which maps any point (x, y) of A to the cell subset W(x, y) consisting of the cells occupied by an agent centered at (x, y). A graphical illustration of this mapping W is given in Figure 1. The adopted tessellation is defined by the grid of the solid horizontal and vertical lines, and the mobile agents are depicted by the grey disks in it. It is not hard to notice that an agent can occupy one cell (as in the case of A1), two neighboring cells (as in the case of A2), three neighboring cells (as in the case of A3), or four neighboring cells (as in the case of A4). The figure also shows that the number of cells occupied by a mobile agent is effectively determined by the relative positioning of its center point (x_c, y_c) with respect to another partitioning of the motion plane, which is induced by the original tessellation scheme and the agent geometry. In Figure 1, this induced partitioning is defined by the depicted dashed lines.

In the proposed abstraction, the cells defined by the above presented tessellation constitute fictitious resources used by the agents for executing their motion process. It follows that the paths designated to the different agents are naturally segmented into a number of stages, with each stage corresponding to a maximal path segment with constant cell (i.e., resource) occupation. The resulting stage sequences define the corresponding resource allocation processes (or profiles) that must be observed by each agent. In particular, in the proposed regime, an agent must secure the cells associated with a certain stage before it can proceed to the execution of the path segment corresponding to that stage. Also, in certain cases, an agent can enter a new stage of its path by simply releasing some of the cells held in its previous stage.

Fig. 2. Example path of a mobile agent, and the corresponding resource allocation profile that is defined by the path partitioning into maximal segments with the same cell occupation.

Figure 2 exemplifies the notion of the resource allocation profile by applying it to the path followed by a mobile agent. The assumed tessellation scheme induces the partitioning of the path into eight segments that respectively require the following subsets of resources: 1) {w[0, 0]}, 2) {w[0, 0], w[0, 1], w[1, 0]}, 3) {w[0, 0], w[0, 1], w[1, 0], w[1, 1]}, 4) {w[0, 1], w[1, 0], w[1, 1]}, 5) {w[1, 0], w[1, 1]}, 6) {w[1, 1]}, 7) {w[1, 1], w[2, 1]}, 8) {w[2, 1]}.

The discretization of the agents' motion processes leads to a hierarchical control model based on the resource allocation concept. In the simplest case, in order to avoid collisions among agents, it is required that at any point in time a cell can be occupied by (i.e., the corresponding resource can be allocated to) only one agent. Then, within the range of a cell, an agent controls its motion independently of the other agents, while cell crossing requires the permission of a supervisor, whose decisions depend on the system state, and which may temporarily prevent an agent from proceeding on its path. The size d of the grid, which defines the length of the cell edges, cannot be less than the diameter of the agent's disk (or the maximum diameter, in the case of heterogeneous agents).

In this work we consider a particular structure of the agent system that constrains the previous model in two ways. We will assume that: i) the size d of the grid is at least two diameters of the agents' disks, and ii) the agents' paths do not traverse the regions that require the agents to possess more than two resources. That is, the paths should avoid the squares whose corners are the points (id − ρ, jd + ρ), (id + ρ, jd + ρ), (id − ρ, jd − ρ) and (id + ρ, jd − ρ), where i in {−I, ..., −1, 0, 1, ..., I}, j in {−J, ..., −1, 0, 1, ..., J}. A path that satisfies this second requirement is depicted in Figure 3. The path consists of seven stages, which require the respective cell subsets: {w[0, 0]}, {w[0, 0], w[0, 1]}, {w[0, 1]}, {w[0, 1], w[1, 1]}, {w[1, 1]}, {w[1, 1], w[2, 1]}, and {w[2, 1]}.

Fig. 3. Example path of a mobile agent that avoids the regions that correspond to the allocation of more than two resources.

It is not hard to notice that under condition (ii), the resource allocation requests always concern one cell at a time, and the possession of two resources by an agent is temporary. Once the new resource is granted, the agent moves to a new cell and returns the one previously occupied to the pool of free cells. Thus, in the considered system, the resource allocation profile of a process is uniquely determined by the sequence of cells to be traversed by the mobile agent. In the case of the example path depicted in Figure 3, this specification has the following form: w[0, 0], w[0, 1], w[1, 1], w[2, 1]. Moreover, condition (i) ensures that a cell can accommodate two agents at a time, and provides for coordination schemes that allow each of the agents to reach any neighbor cell without any conflicts.

From a more holistic viewpoint, what we propose here is a three-level hierarchical control scheme. At the lowest level, each of the agents controls its motion along a designated path with an arbitrary path-following algorithm and independently of the other agents. As it is assumed that a cell can accommodate up to two agents at a time, the role of the second control level is the coordination of the agents' motion within a cell. The proposed hierarchical-control concept allows the application of any arbitrary protocol ensuring the avoidance of conflicts / collisions among the agents, based on either a discrete-event or a continuous-time model. A simple example of such a policy can be the imposition of a roundabout traffic pattern within a cell. Finally, the highest control level is responsible for cell crossing by the agents, and calculates its decisions based on a formal resource allocation system (RAS) model and in a way that seeks to ensure the safety and the liveness of the vehicle motion. Next, we focus on a particular RAS sub-class that is known as the Linear Single-Unit RAS (L-SU-RAS) (cf. Reveliotis (2005)), and adapt certain results obtained for those systems in Roszkowska and Jentink (1993); Reveliotis et al. (1997) to the purposes of this work.
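The cell-occupation mapping W and the segmentation of a path into stages described in this section, as an added example (not code from the paper): it computes W(x, y) from the disk radius ρ and the grid size d, partitions a sampled path into maximal segments of constant cell occupation, checks condition (ii) by rejecting any stage that needs more than two cells, and extracts the cell sequence that, under condition (ii), determines the profile. Reading the cells of eq. (1) as closed squares and the agent as a closed disk, the two sample paths, and the values d = 4 and ρ = 1 are our assumptions.

```python
"""Cell occupation W(x, y) and resource-allocation profile of a path (Section 2).

Added example; not code from the paper. Assumptions (not stated this way on the
page): cell w[i, j] is the closed square (i-1)d <= x <= i*d, (j-1)d <= y <= j*d,
and an agent is the closed disk of radius rho, so it occupies w[i, j] iff the
distance from its centre to that square is at most rho.
"""
import math
from typing import Callable


def occupied_cells(xc: float, yc: float, rho: float, d: float) -> frozenset:
    """W(xc, yc): the set of cells (i, j) occupied by a disk of radius rho at (xc, yc)."""
    if rho <= 0 or d <= 0:
        raise ValueError("rho and d must be positive")
    # Only cells meeting the square [xc-rho, xc+rho] x [yc-rho, yc+rho] can qualify;
    # scan one cell beyond it on each side and let the distance test decide.
    i_lo, i_hi = math.floor((xc - rho) / d), math.ceil((xc + rho) / d) + 1
    j_lo, j_hi = math.floor((yc - rho) / d), math.ceil((yc + rho) / d) + 1
    cells = set()
    for i in range(i_lo, i_hi + 1):
        for j in range(j_lo, j_hi + 1):
            # Distance from the centre to the closed square w[i, j] (0 if inside).
            dx = max((i - 1) * d - xc, 0.0, xc - i * d)
            dy = max((j - 1) * d - yc, 0.0, yc - j * d)
            if math.hypot(dx, dy) <= rho + 1e-12:
                cells.add((i, j))
    return frozenset(cells)


def allocation_profile(path: Callable[[float], tuple], T: float, rho: float, d: float,
                       samples: int = 2000) -> list:
    """Partition the path (x_c(t), y_c(t)), t in [0, T], into maximal segments with
    constant cell occupation; returns the sequence of cell sets (the stages).
    The path is sampled uniformly, so `samples` must be fine enough that no
    stage shorter than T/samples is skipped."""
    stages = []
    for k in range(samples + 1):
        cells = occupied_cells(*path(T * k / samples), rho, d)
        if not stages or cells != stages[-1]:
            stages.append(cells)
    return stages


def satisfies_two_resource_condition(stages) -> bool:
    """Condition (ii) of Section 2: no stage needs more than two cells, i.e. the
    path avoids the rho-squares around the grid points."""
    return all(len(c) <= 2 for c in stages)


def cell_sequence(stages) -> list:
    """Under condition (ii) the profile is fixed by the sequence of cells traversed:
    one-cell stages alternate with two-cell (crossing) stages, so listing the
    single cells in order recovers it."""
    seq = []
    for c in stages:
        if len(c) == 1:
            (cell,) = c
            if not seq or seq[-1] != cell:
                seq.append(cell)
    return seq


# Constructed sample geometry: d = 4, rho = 1 (d is at least two disk diameters,
# condition (i)); an L-shaped path that only ever crosses one grid line at a time,
# and a diagonal path that runs straight through the grid point (4, 4).
D, RHO = 4.0, 1.0

def l_shaped_path(t: float) -> tuple:
    return (2.0 + t, 2.0) if t <= 8 else (10.0, 2.0 + (t - 8))

def diagonal_path(t: float) -> tuple:
    return (2.0 + t, 2.0 + t)

if __name__ == "__main__":
    for name, p, T in (("L-shaped", l_shaped_path, 16.0), ("diagonal", diagonal_path, 4.0)):
        prof = allocation_profile(p, T, RHO, D)
        print(name, [sorted(c) for c in prof], satisfies_two_resource_condition(prof),
              cell_sequence(prof))
```

The L-shaped path yields nine stages that alternate between one and two cells, so it satisfies condition (ii) and its cell sequence is (1,1), (2,1), (3,1), (3,2), (3,3); the diagonal path passes through a grid point, where the disk occupies four cells at once, and is rejected.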
3. THE LINEAR SINGLE-UNIT RESOURCE ALLOCATION SYSTEM

A Linear Single-Unit Resource Allocation System (L-SU-RAS) is formally defined by a 4-tuple Φ = <R, C, P, D>, where: (i) R is the set of the system resource types; (ii) C is the system capacity function, mapping R to the set Z+ of strictly positive integers and characterizing the number of identical units from each resource type available in the system; (iii) P = {Π_1, ..., Π_n} denotes the set of the system process types, where each process Π_i, i = 1, ..., n, consists of l_i consecutive processing stages Ξ_i1, Ξ_i2, ..., Ξ_{i,l_i}; and (iv) D is the resource allocation function, mapping the stage set Ξ = {Ξ_ij : i = 1, ..., n; j = 1, ..., l_i} to R and associating every processing stage Ξ_ij with the resource required for its execution.

At any point in time, the system contains a certain number of (possibly zero) instances of each process type that execute one of the corresponding processing stages. A process instance executing a non-terminal stage Ξ_ij, i = 1, ..., n; j = 1, ..., l_i − 1, must first be allocated a resource unit of the resource type D(Ξ_{i,j+1}) in order to advance to its next stage Ξ_{i,j+1}, and only then will it release the currently held resource unit of D(Ξ_ij). The considered resource allocation protocol further requires that no resource type R in R is over-allocated with respect to its capacity C(R) at any point in time. The resulting dynamics of L-SU-RAS can be represented by a Deterministic Finite State Automaton (DFSA) (cf. Hopcroft and Ullman (1979)).

Definition 1. The DFSA G(Φ) = (S, E, f, s_0, S_M) abstracting the feasible dynamics of an L-SU-RAS Φ = <R, C, P, D> is defined as follows:

(1) The state set S consists of all non-negative integer vectors s = [s_11, s_12, ..., s_{1,l_1}, s_21, s_22, ..., s_{n,l_n}], with one component per stage in Ξ, such that for each k in {1, ..., m} the sum of the components s_ij over all stages Ξ_ij with D(Ξ_ij) = R_k is at most C(R_k), i.e., the number of process instances executing the stages that require resource R_k does not exceed its capacity. Each component s_ij of s gives the number of instances of process type Π_i that execute stage Ξ_ij in state s.

(2) The event set E = {e_ij : i = 1, ..., n; j = 0, ..., l_i}, where for each i = 1, ..., n, event e_i0 represents the loading of a new instance of process type Π_i, event e_{i,l_i} represents the unloading of a finished instance of process type Π_i, and event e_ij, j = 1, ..., l_i − 1, represents the advancement of a process instance from stage Ξ_ij to stage Ξ_{i,j+1}.

(3) The state transition function f maps a state s and an event e_qr to the state s' = f(s, e_qr) whose components s'_ij are given by:

s'_ij = s_ij − 1 if i = q and j = r,
s'_ij = s_ij + 1 if i = q and j = r + 1,
s'_ij = s_ij otherwise.

Furthermore, f(s, e_qr) is a partial function, defined only if the resulting state s' belongs to S.

(4) The initial state s_0 = 0, which corresponds to the situation when the system is empty of any process instances.

(5) The set of marked states S_M is the singleton {s_0}, and it expresses the requirement for complete process runs.

In the sequel, we will use the expression "state s' is (resp., is not) reachable from state s" to describe the fact that there exists (resp., there does not exist) a feasible sequence of events that drives the automaton from state s to state s'. Moreover, in all situations where it is not ambiguous, we will interchangeably refer to a process instance of type Π_i as process Π_i. Then the notions of state safety and the corresponding decision problems for the above introduced system can be formally stated as follows:

Definition 2. Consider an L-SU-RAS specified by the 4-tuple Φ = <R, C, P, D>, and a state s in S of the corresponding DFSA G(Φ).

(1) A process instance executing stage Ξ_ij is dead in state s_d in S iff the function f(s, e_ij) is not defined for any state s reachable from s_d, i.e., the process can never advance to its next stage.

(2) State s is characterized as safe iff the marked state s_0 is reachable from state s (see footnote 1).

(3) The L-SU-RAS dead process problem is the decision problem that, upon input Φ and s, addresses the question of whether or not there exists a dead process in state s.

(4) The L-SU-RAS state safety problem is the decision problem that, upon input Φ and s, addresses the question of whether or not state s is safe.

Footnote 1. The reader should notice that this definition of state safety essentially pertains to the liveness of the resource allocation function; "state safety" as a term has been employed extensively in the relevant RAS literature, and therefore we decided to maintain it in spite of the fact that, in the context of the coordination of vehicle systems, safety typically implies collision avoidance. In the following, we hope that the particular meaning of the term "safety" will be rendered clear from the context of its usage.

It is clear that a process instance will never become dead if it runs alone in the system. Its progress can only be disabled by the presence of other processes, of the same or different types, and the direct reason for that is a deadlock. In L-SU-RAS, a deadlock is a situation where a subset R' of the resources is allocated to its capacity to a subset of processes, and each process from this subset requires a resource from R' for progressing to its next stage. Since no process can release the resource it holds until it receives the one it requests, all these processes become dead. Thus, the phenomena of the dead process and the deadlock are closely related and always accompany each other. Moreover, it can be noticed that if at least one process is dead at some state s_d then s_d is not safe. The opposite implication is not, however, generally true; there exist states in L-SU-RAS where no process is dead (or, equivalently, no deadlock occurs), yet these states are unsafe. To observe the above, consider a simple example.

Example 1. Consider an L-SU-RAS with two process types, both consisting of three stages that successively require the following resources: R_1, R_2, R_3 (process Π_1) and R_3, R_2, R_1 (process Π_2). Assuming that the resources have unit capacity, we observe that in state s = [1 0 0 1 0 0] neither of the two processes present in the system is dead, as the instances of both Π_1 and Π_2 can advance to their next stages. However, state s is not safe, as the only feasible events in s are e_11 and e_21, which, respectively, drive the system to states s' = f(s, e_11) = [0 1 0 1 0 0] and s'' = f(s, e_21) = [1 0 0 0 1 0], where the processes entangle in a deadlock and become dead. More specifically, in state s', process Π_1 cannot release resource R_2 before it obtains R_3, and process Π_2 cannot return R_3 until it acquires R_2. Hence neither event e_12 nor event e_21 can occur first, and both processes become dead. A similar situation takes place in state s'', where process Π_1 cannot release resource R_1 before it obtains R_2, and process Π_2 cannot return R_2 until it acquires R_1. As neither event e_11 nor event e_22 can occur first, they both become dead.

As has been demonstrated in the literature, the problem of distinguishing between deadlock states and deadlock-free states can be solved with a polynomial algorithm; cf., for instance, the algorithm given in Reveliotis et al. (1997). In this paper, instead of checking the presence of deadlocks, we will be interested in testing whether or not a particular process is dead. The proposed approach is based on Roszkowska and Jentink (1993) and requires depicting state s in the form of a bipartite directed graph F(s) = (V, H) such that:

(1) The set of vertices V is the union of Ξ(s), the set of all stages Ξ_ij in Ξ such that there exists a process instance executing stage Ξ_ij in state s, and the extended set of resources, consisting of R together with a dummy resource of infinite capacity.

(2) The set of edges H is the union of two sets: the set of edges directed from resources to stages, consisting of all pairs h = (R, Ξ_ij) such that R = D(Ξ_ij) is the resource requirement of stage Ξ_ij; and the set of edges directed from stages to resources, consisting of all pairs h = (Ξ_ij, R) such that either Ξ_ij is the last stage of process Π_i and R is the dummy resource, or Ξ_ij is not a last stage and R = D(Ξ_{i,j+1}).
Using the graph representation F(s) of system states, we can establish the following property.

Property 1. Consider an L-SU-RAS specified by the 4-tuple Φ = <R, C, P, D>, a state s in S of the corresponding DFSA G(Φ), and its representation in the form of the graph F(s) = (V, H). Then, it is true that:

(1) A process instance executing stage Ξ_ij in Ξ(s) is not dead iff in graph F(s) there exists a path p = Ξ^1, R^1, Ξ^2, ..., Ξ^p, R^p from stage Ξ^1 = Ξ_ij to a resource R^p of the extended resource set that has a free unit.

(2) Whether or not a path as specified in (1) exists can be established in time bounded by a linear function of the size of the L-SU-RAS.

Proof. To prove claim (1), assume first that the above specified path p exists. Then there exists a feasible sequence of events σ = e^p, e^{p−1}, ..., e^1 such that event e^k, k = 1, ..., p, causes a transition of the process instance executing stage Ξ^k to its next stage. Since Ξ^1 = Ξ_ij, the considered process instance is not dead. To prove the reverse implication, assume that the required path p does not exist, i.e., each resource that lies on any path starting from Ξ_ij is fully allocated. The latter implies that the dummy resource is not an element of any such path p. Hence, no process instance executing any stage that lies on any such path starting from Ξ_ij can ever leave the system or advance to its next stage. Consequently, there exists no state s' reachable from s that enables event e_ij, and so any process instance executing stage Ξ_ij is dead. To prove claim (2), notice that whether or not the required path exists can be established by any graph-search algorithm. The execution time of these algorithms is bounded by a linear function of the size of the underlying graph (cf. Cormen et al. (2001)), where the latter is measured by the number of vertices. But the number of vertices of the considered graph F(s) is at most twice the number of stages in Ξ(s) (since, in a well-defined RAS, every resource must be used by at least one stage). On the other hand, in order to specify the parameters of any L-SU-RAS, it is sufficient to identify the resource required at each particular stage of each particular process, and to give the capacity of the resources. Since the number of these data entities does not exceed twice the number of stages in Ξ, we can consider the latter as the size of the L-SU-RAS. Then, since Ξ(s) is a subset of Ξ, claim (2) is true.
Property 1 allows us to establish the complexity of the L-SU-RAS dead process problem. Theorem 1. The L-SU-RAS dead process problem can be solved in time bounded by a square function of the RAS size. Proof. It is clear that if there are multiple process instances executing the same stage Ξ ij then one of them is dead iff all the others are dead too. Thus, to solve the L-SU-RAS dead process problem it is sufficient to check at most Ξ(s) < Ξ times whether or not a process instant is dead. Assuming, as above, that the size of L- SU-RAS is given by 2 Ξ, the theorem holds from part (2) of Property 1. The complexity of testing the existence of dead processes in the system can further be reduced if we address this problem for only those states that are directly reachable from states with no dead processes. Property 2. Consider an L-SU-RAS and a state s S such that (s.t.) no process is dead in s, and there exists a process Π executing stage Ξ ij s.t. function s = f(s, e ij ) is defined. Then, the following implication holds: if process Π is not dead in state s then none of the other processes is dead either. Proof. If Ξ ij is the last stage of the distinguished process, say process Π, then, clearly, the property holds. Otherwise, in both states, s and s, process Π holds and requests some resources, which is represented in graphs F (s) and F (s ) by the respective paths R, Ξ ij, R and R, Ξ i,j+1, R, where R = D(Ξ ij ), R = D(Ξ i,j+1 ), and R = D(Ξ i,j+3 ). Since no process is dead in state s then graph F (s) enjoys the free-resource condition given by Property 1, that is, for each vertex Ξ kl Ξ(s), there exists a path from Ξ kl to some vertex R R {R }, corresponding to resource R that has at least one free unit. Since the only resource that looses a free unit of its capacity upon the transition from s to s is R, then for all paths that end with R R, the free-resource condition still holds in F (s ). 
For those paths where R = R there exist two possible cases: i) path p reaches vertex R via R, Ξ ij, R, and ii) path p omits the sub-path R, Ξ ij, R on its way to R. In case (i), in graph F (s ), path p ends up with resource R that contains a free unit, the one released by process Π on its advancement to stage Ξ i,j+1. In case (ii), in graph F (s ), path p can be extended to any successor of stage Ξ i,j+1. Since process Π is not dead in s there exists a successor R of Ξ i,j+1 with a free unit, which is also a successor of all the paths covered by case (ii). Consequently, for each stage in graph F (s ), there exists a path to a vertex corresponding to a not fully allocated resource, hence none of the processes is dead in state s. Property 2 gives a very efficient way to detect transitions that would render a process dead, but it does not provide a correct i.e., liveness-enforcing supervisory policy for L- SU-RAS. As can be seen in Example 1, to ensure that each process can run to completion, it is not sufficient to make only deadlock states inaccessible, but it is necessary to forbid the state transitions that lead to unsafe states, i.e., those states where a process can no more avoid a deadlock. In other words, at the core of maximally permissive RAS liveness-enforcing supervisory control is the distinction between safe and unsafe states, since a state s should be admitted if and only if it is safe. But the effective implementation of such a policy is typically impeded by the following result. Theorem 2. The L-SU-RAS state safety problem is NPcomplete in the strong sense. The problem obtained by the restriction of the L-SU-RAS state safety problem to the case where every resource type has exactly one unit is also NP-complete in the strong sense. Proof. See Reveliotis and Roszkowska (2010). The results presented so far in this section let us make an interesting observation. 
Whereas, in general, recognition of unsafe states is a computationally difficult problem, there exists a subset of such states, namely the states with a dead process (or deadlock states), whose unsafe character can be established in an efficient way with an algorithm based on Property 1. Thus, although the super-polynomial complexity of the L-SU-RAS state safety problem makes it impossible to develop an efficient maximally permissive policy for the entire L-SU-RAS class, one could consider such a policy for a sub-class of this RAS in which the set of unsafe states coincides with the set of states that contain a dead process (or, equivalently, with the set of deadlock states). Fortunately, such a sub-class exists, and it happens to cover the RAS abstracted in Section 2 for the representation of the vehicular systems considered in this work. More specifically, this sub-class is characterized by the following result.

Property 3. In an L-SU-RAS where the capacity of each resource $R$ is $C(R) \ge 2$, a state $s \in S$ is unsafe iff there exists a dead process in $s$.

Proof. See Reveliotis et al. (1997).²

Property 3 establishes that in L-SU-RAS where every resource has a capacity of at least two units, the detection of unsafe states can be replaced with testing for the existence of dead processes. Properties 1 and 2 indicate how to develop a relevant, computationally efficient algorithm. Next we explore the implications of these results for the maximally permissive control of the RAS abstracted in Section 2.

4. A DISTRIBUTED PROTOCOL FOR MOTION COORDINATION IN THE CONSIDERED VEHICLE SYSTEMS

As discussed in Section 2, we assume a 3-level hierarchical control scheme for the considered vehicular system, where at the lowest level each of the agents controls its motion along a designated path independently from the other agents, the second control level ensures conflict-free motion of two agents within a cell, and the highest level is responsible for cell crossing by the agents in a way that ensures the live operation of the entire system. To construct the agent resource (cell) sharing model, we will define a sub-class of L-SU-RAS distinguished by the following attributes:

(1) There is only one instance of each process type $P_i$, $i = 1, \ldots, n$, and this instance abstracts the motion of a particular agent $A_i$.

(2) The resource allocation function $D$ must observe the resource proximity relation defined by the adopted tessellation. That is, if the resource required at stage $\Xi_{ij}$ is $D(\Xi_{ij}) = w[k, l]$, then the resource required for the next stage is $D(\Xi_{i,j+1}) \in \{w[k-1, l], w[k+1, l], w[k, l-1], w[k, l+1]\}$.

(3) The capacity of each resource $R \in \mathcal{R}$ is $C(R) = 2$.
The sub-class of L-SU-RAS that possesses the aforementioned features will be characterized as FREE-RANGE-2-RAS. Elements of this class are specified by $\Phi = \langle \mathcal{R}, C, P, D \rangle$, such that $C$ is constant and equal to 2, and $P$ is considered to be the set of processes rather than process types. Then, the dynamics of the system are described by the automaton $G(\Phi)$ of Definition 1, but with an additional constraint on the state set. To satisfy requirement (1), we demand that for each $i = 1, \ldots, n$, $\sum_{j=1}^{l_n} s_{ij} \le 1$. The behavioral logic encoded by this automaton ensures that no more than two agents will ever occupy a cell at the same time. Together with the second-level control, this prevents the agents from colliding with one another. To ensure that each agent will eventually reach its destination, it is necessary, as discussed in the previous section, to disable all the state transitions leading to unsafe states. Since in FREE-RANGE-2-RAS the capacity of each resource is greater than 1, i.e., it satisfies the assumption of Property 3, the avoidance of unsafe states reduces to: (i) calculating the new state $s' = f(s, e)$, (ii) checking, based on Properties 1–2, the existence of the required path in graph $F(s')$, and (iii) in the case of a negative answer, forbidding the state transition from state $s$ to $s'$.

Next we present a distributed protocol for implementing the transition admissibility test described in the previous paragraph. However, due to the imposed space limitations, we shall only outline the main aspects of this protocol, postponing a more detailed description to a sequel publication.

² While the aforestated result is most prominent in Reveliotis et al. (1997), it can also be traced in other works that either state the result explicitly or imply it through their developments. In particular, this result can also be traced in Roszkowska and Jentink (1993), Fanti et al. (1998) and Xing et al. (1996).
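To make steps (i)–(iii) concrete, here is an added Python example; it is not part of the paper and not the authors' code. It assumes a square tessellation with the 4-neighbour proximity relation of attribute (2), identifies agents by string ids, and constructs a small four-cell corridor scenario (two agents per direction) as sample input. The class builds the graph $F(s')$ as the proof of Property 2 describes it (held cell -> stage vertex -> requested cell), tests the moving agent's stage vertex for the free-resource condition of Property 1 by breadth-first search, and applies the capacity constraint of $G(\Phi)$ first. The driver lets the agents decide one at a time in a fixed round-robin order, standing in for the token-based critical section used by the protocol outlined in this section; it also checks the precondition of Property 2 (no dead process in the initial state), which then holds inductively for every admitted state. In the constructed scenario the fourth agent's first move would produce a state in which the two middle cells are full and every occupant requests the other full cell, so the test rejects it, and the agents subsequently pass through one another.

```python
from collections import deque

CAPACITY = 2  # C(R) = 2 for every cell in FREE-RANGE-2-RAS


def adjacent(a, b):
    """Assumed proximity relation of the tessellation: 4-neighbourhood of w[k, l]."""
    return abs(a[0] - b[0]) + abs(a[1] - b[1]) == 1


class FreeRange2RAS:
    """Cells (k, l) are the resources; each agent is one process whose stages are its path cells."""

    def __init__(self, paths):
        # paths: agent id -> list of cells; consecutive cells must be neighbours (attribute (2))
        for aid, path in paths.items():
            for a, b in zip(path, path[1:]):
                if not adjacent(a, b):
                    raise ValueError(f"agent {aid}: {a} -> {b} violates the proximity relation")
        self.paths = paths
        self.stage = {aid: 0 for aid in paths}  # state s: stage index of every agent

    def occupancy(self, stage):
        """Number of agents in each cell for the given state."""
        occ = {}
        for aid, j in stage.items():
            cell = self.paths[aid][j]
            occ[cell] = occ.get(cell, 0) + 1
        return occ

    def build_graph(self, stage):
        """F(s): a process holding R and requesting R' contributes the path R -> stage -> R'."""
        adj = {}
        for aid, j in stage.items():
            path, v = self.paths[aid], f"stage:{aid}"
            adj.setdefault(path[j], []).append(v)           # held cell -> stage vertex
            if j + 1 < len(path):
                adj.setdefault(v, []).append(path[j + 1])   # stage vertex -> requested cell
        return adj

    def is_dead(self, stage, aid):
        """Property 1: dead iff no path from the stage vertex reaches a cell with a free unit."""
        if stage[aid] + 1 == len(self.paths[aid]):
            return False  # last stage: the agent requests nothing
        occ, adj = self.occupancy(stage), self.build_graph(stage)
        start = f"stage:{aid}"
        seen, queue = {start}, deque([start])
        while queue:
            v = queue.popleft()
            if isinstance(v, tuple) and occ.get(v, 0) < CAPACITY:
                return False  # a not fully allocated cell is reachable
            for w in adj.get(v, []):
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        return True

    def any_dead(self, stage=None):
        stage = self.stage if stage is None else stage
        return any(self.is_dead(stage, aid) for aid in stage)

    def admissible(self, aid):
        """Steps (i)-(iii) for the advancement of one agent; returns a verdict string."""
        j, path = self.stage[aid], self.paths[aid]
        if j + 1 == len(path):
            return "finished"
        if self.occupancy(self.stage).get(path[j + 1], 0) >= CAPACITY:
            return "full"  # capacity constraint of G(Phi): the agent waits, no safety test needed
        new_stage = dict(self.stage, **{aid: j + 1})  # (i) s' = f(s, e)
        # (ii) by Property 2 (s has no dead process) only the moving agent must be tested
        return "unsafe" if self.is_dead(new_stage, aid) else "ok"

    def advance(self, aid):
        verdict = self.admissible(aid)
        if verdict == "ok":
            self.stage[aid] += 1  # (iii) the transition is admitted
        return verdict

    def all_finished(self):
        return all(j + 1 == len(self.paths[a]) for a, j in self.stage.items())


def run_token_ring(ras, order, max_rounds=100):
    """Agents decide one at a time in token order (critical section); returns (rounds, decisions)."""
    if ras.any_dead():
        raise ValueError("initial state already contains a dead process")
    decisions = []
    for rnd in range(1, max_rounds + 1):
        if ras.all_finished():
            return rnd - 1, decisions
        for aid in order:
            decisions.append((rnd, aid, ras.advance(aid)))
    return max_rounds, decisions


def corridor_scenario():
    """Constructed sample input: cells W X Y Z in a row, P1/P2 go left to right, Q1/Q2 the other way."""
    W, X, Y, Z = (0, 0), (0, 1), (0, 2), (0, 3)
    return FreeRange2RAS({"P1": [W, X, Y, Z], "P2": [W, X, Y, Z],
                          "Q1": [Z, Y, X, W], "Q2": [Z, Y, X, W]})
```

Calling `run_token_ring(corridor_scenario(), ["P1", "P2", "Q1", "Q2"])` returns the decision log; the only `unsafe` verdict is Q2's attempt in the first round, P2 is held back once by the capacity constraint (`full`) in the second round, and all four agents reach their last stage after four rounds. Setting `stage` to index 1 for all four agents directly reproduces the rejected state, and `any_dead()` then reports the deadlock.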
The proposed scheme assumes that each agent is aware of the tessellation of the motion area and able to sense the proximity of the cell boundaries. The agents also have knowledge of their designated paths and of the resource allocation profiles that they induce. Then, it is possible to consider two scenarios, depending on the possible communication range of the agents. In smaller systems, a message about the state change of one of the agents is broadcast to all the others, so that each agent maintains up-to-date information about the current state of the whole system. In larger systems, an agent is only aware of the occupancy status of its neighboring cells, and if this knowledge is not sufficient to support a control decision, it issues a request for more information to other agents in its neighborhood, which can further pass it to other agents, and these still to other agents, until the required information is received and returned to the first caller. We emphasize here that this information-request scheme is consistent with the nature of the algorithm that calculates the control decisions. To decide whether or not an advancement to the next stage is plausible, an agent first needs to check the occupancy status of the corresponding neighbor cell. Then, in order to find out whether or not the state $s'$ resulting from such a plausible advancement is safe, the agent needs to search for a path in graph $F(s')$ leading from the vertex representing the agent in the new state $s'$ to a vertex representing a cell occupied by fewer than two agents. The reader can notice that, due to the proximity relation between the resources possessed and requested by the agents, the topology of graph $F(s')$ reflects the layout of the cells, and a path in $F(s')$ has a corresponding path in the motion area.
Hence, the decision-making agent can perform the search for a path in $F(s')$ while building the graph, based on information about the other agents' states acquired by propagating a request for such information from less to more distant agents. The interrogation of the agents stops if the required path is found, or if all the paths starting from the decision-making agent have been generated and none of them satisfies the required condition.

In order to avoid conflicting decisions among the agents acquiring new cells, which may lead to inadmissible state transitions, we assume that individual agents perform the decision-making process described in the previous paragraph while being in a critical section, i.e., disjointly in time. This additional requirement can be enforced through the introduction of a decision-making token that must be acquired by an agent before it enters its critical section; the allocation of this token to the different agents can be coordinated either by a token ring protocol (cf. Coulouris et al. (1996)), which might also reflect the neighborhood relation among the agents, or by some other competing process, e.g., the contention scheme used by the well-known ALOHA protocol (cf. Abramson (1970)).

The general motion control protocol for an agent sharing the common area is thus as follows. When moving within a cell, the agent proceeds along its designated path or along the path established by the cell-sharing protocol, depending, respectively, on whether it is alone in the cell or is traversing the cell concurrently with another agent. Before advancing to a new cell, say from cell $w$ to $w'$, the agent needs to check the admissibility of the resulting new state, which may require establishing communication with other agents. If $w'$ is empty or currently occupied by two other agents, then the decision-making agent, respectively, leaves cell $w$ or remains there until the passage to $w'$ becomes plausible, i.e., until it no longer violates the capacity constraint of $w'$. Otherwise, the agent checks the safety of the new state that would result from its transition to cell $w'$ and, depending on the result, it remains in cell $w$ or passes to $w'$. If the agent is temporarily suspended, it repeats the admissibility check in the subsequent time slots assigned to it by the token-passing protocol, and resumes its motion when advancement to the next stage becomes possible.

5. CONCLUSIONS

In this paper, we provided a new, formally correct scheme for the coordination of mobile agents sharing a common motion area. The dynamics of the agents were represented by the FREE-RANGE-2-RAS class of resource allocation systems, in which the safety problem has a polynomial solution.
This allowed us to develop an efficient, maximally permissive, graph-based algorithm for testing the safety of potential state transitions, and to propose the implementation of the RAS-based control in the form of a distributed protocol. As a result, the decisions about resource acquisition are made by individual agents, under an additional token-passing protocol that prevents the occurrence of simultaneous conflicting decisions among the agents. Our future endeavors will focus on a more detailed, technical specification of the protocol outlined in this manuscript, the investigation of new token-passing protocols that will ensure non-conflicting decisions among the various agents while enabling higher levels of concurrency for their advancement through their consecutive stages, and the eventual implementation of the results on a simulated and/or a physical platform.

REFERENCES

Abramson, N. (1970). The ALOHA system – another alternative for computer communications. In Proc. AFIPS Fall Joint Computer Conf., 295–298.
Bicchi, A. and Pallottino, L. (2000). On optimal cooperative conflict resolution of air traffic management systems. IEEE Trans. on Intelligent Transportation Systems, 1, 221–232.
Cormen, T.H., Leiserson, C.E., and Rivest, R.L. (2001). Introduction to Algorithms, 2nd ed. MIT Press, Boston, MA.
Coulouris, G., Dollimore, J., and Kindberg, T. (1996). Distributed Systems, Concepts and Design. Addison Wesley Longman Ltd., London, UK.
Dimarogonas, D.V., Loizou, S.G., Kyriakopoulos, K.J., and Zavlanos, M.M. (2006). A feedback stabilization and collision avoidance scheme for multiple independent non-point agents. Automatica, 42, 229–243.
Fanti, M.P., Maione, B., and Turchiano, B. (1998). Event control for deadlock avoidance in production systems with multiple capacity resources. Studies in Informatics and Control, 7, 343–364.
Hopcroft, J.E. and Ullman, J.D. (1979). Introduction to Automata Theory, Languages and Computation. Addison-Wesley, Reading, MA.
Inalhan, G., Stipanovic, D.M., and Tomlin, C.J. (2002). Decentralized optimization, with application to multiple aircraft coordination. In Proc. of CDC'02, 1147–1155. IEEE.
Kuchar, J.K. and Yang, L.C. (2000). A review of conflict detection and resolution modeling methods. IEEE Trans. on Intelligent Transportation Systems, 1, 179–189.
La Valle, S.M. and Hutchinson, S.A. (1998). Optimal motion planning for multiple robots having independent goals. IEEE Trans. on Robotics & Automation, 14, 912–925.
Lygeros, J., Godbole, D.N., and Sastry, S. (1998). Verified hybrid controllers for automated vehicles. IEEE Trans. on Automatic Control, 43, 522–539.
Pallottino, L., Scordio, V.G., Bicchi, A., and Frazzoli, E. (2007). Decentralized cooperative policy for conflict resolution in multivehicle systems. IEEE Trans. on Robotics, 23, 1170–1183.
Reveliotis, S.A. (2005). Real-time Management of Resource Allocation Systems: A Discrete Event Systems Approach. Springer, NY, NY.
Reveliotis, S.A., Lawley, M.A., and Ferreira, P.M. (1997). Polynomial complexity deadlock avoidance policies for sequential resource allocation systems. IEEE Trans. on Automatic Control, 42, 1344–1357.
Reveliotis, S.A. and Roszkowska, E. (2008). Conflict resolution in multi-vehicle systems: A resource allocation paradigm. In Proceedings of IEEE CASE 2008, 115–121. IEEE.
Reveliotis, S. and Roszkowska, E. (2010). On the complexity of maximally permissive deadlock avoidance in multi-vehicle traffic systems. IEEE Trans. on Automatic Control, 55(7), 1646–1651.
Roszkowska, E. and Jentink, J. (1993). Minimal restrictive deadlock avoidance in FMSs. In Proc. European Control Conf. ECC'93, volume 2, 530–534.
Tomlin, C., Pappas, G.J., and Sastry, S. (1998). Conflict resolution for air traffic management: a study in multiagent hybrid systems. IEEE Trans. on Automatic Control, 43, 509–521.
Xing, K.Y., Hu, B.S., and Chen, H.X. (1996). Deadlock avoidance policy for Petri net modeling of flexible manufacturing systems with shared resources. IEEE Trans. on Automatic Control, 41, 289–295.