DESIGN OF RIVER SYSTEM DEADLOCK AVOIDANCE SUPERVISOR BY USING PETRI NET

Advanced function of the computer-based river traffic management system should automatically predict and prevent possible conflict and deadlock states between vessels by using adequate control policy (supervisor). This paper proposes a formal method for calculating maximally permissive deadlock prevention supervisor. To model the river system, the authors use a class of Petri net suitable for describing multiple re-entrant flowlines with disjoint sets of resources, jobs and control places, and matrix-based formal method to analyze the system. By using matrix algebra, the structural characteristics of the Petri net (circular waits, P-invariants, critical siphons and subsystem, key resource) have been analyzed and the steps for supervisor design proposed. The first and the second level deadlocks can be avoided by maintaining the number of tokens in the critical subsystems and ensuring that the key resource would not be the last available resource in the system. The derived supervisor has been verified by a computer simulation using MATLAB environment.


INTRODUCTION
River traffic system is a natural vessel passage which is used to connect two lakes, seas or oceans. Such a river system, for example, enables the connection of two water surfaces that have different levels of water. The vessels passing through the river system in opposite directions use various resources (canals, locks, basins). Some of these resources are non-shared (resources that can be occupied by the vessels moving in only one direction), and others are shared resources (resources that can be occupied by the vessels moving in different directions). The number of vessels in the resources is limited by a rule. Some of the problems that need to be solved are:
a) How to control traffic in a way that vessels moving in opposite directions make as few stops as possible during the passage through the river traffic system (maximally permissive control policy)?
b) How to resolve possible conflicts in case when more vessels try to acquire shared resource at the same time?
c) How to avoid possible deadlocks in the dense traffic?
The vessels moving through the river traffic systems can generally be described as a set of discrete states and events (discrete event dynamic systems - DEDS). These events and states are normally observed by the river traffic management system (RTMS) which receives data from vessels' automatic identification systems (AIS), using wireless data communication. Some of these states, such as conflicts and deadlocks, are undesirable (even dangerous). To avoid these forbidden states, the RTMS software should have the so-called "supervisor". The supervisor monitors vessels' movements and forbids only such moving that can lead to forbidden states or, in other words, restricts the set of all reachable discrete states in the system to the set of allowable states (without forbidden states). The supervisor can simply advise the man responsible for traffic regulation, or can be connected to the computer-based traffic lights system which is driven by the RTMS software. In both cases, the supervisor must apply the appropriate control policy. In this paper the Petri net theory, a well-known tool for analysing DEDS, has been used to calculate the desired control policy and design an appropriate supervisor.
Many authors have also tried to solve the deadlock problem by Petri nets. Barkaoui [1] developed the method of deadlock prevention by control places. Also Ezpeleta et al. [2] developed an algorithm for deadlock prevention for the ordinary and conservative $S^3PR$ class of Petri nets. The work by Ezpeleta et al. [2] is usually considered to be the first that used structural analysis to design monitor-based liveness-enforcing Petri net supervisor for the flexible manufacturing systems (FMS). Lautenbach [3] investigated the algorithm for finding the minimal siphons inside the net as well as the algorithm for deadlock prevention by control places for ordinary Petri nets which do not contain source places. Further, Lewis [4] developed an efficient algorithm for deadlock prevention in the specific class of Petri nets that describes FMS. A deadlock prevention which uses iterative siphon control method is described in Kezić [5], Iordache [6] and Huang [7]. Similar, but older approaches, can be found in Barkaoui et al. [8,9] and Tricas et al. [10]. The latest iterative deadlock prevention policy, T-policy for short, is reported by Tricas et al. [11].
The goal is to find maximally permissive deadlock prevention supervisor which stops vessels only in case of immediate dangerous situations in dense traffic, and this paper describes the necessary steps to achieve this. Modelling the river traffic system is the first task. The class of multiple re-entrant flowlines Petri net (MRF1PN), subclass of flowline system Petri net (FPN), is used in this paper. FPN is a class of Petri net which is basically designed for analysing finite buffer multi-class re-entrant flowline systems (MRF) - a large class of flexible manufacturing systems (FMS) [12]. MRF1PN contains some specific properties, which will be discussed in section II.
Next, we find simple and cyclic circular waits between the resources in the MRF1PN. The set of places called critical siphons, which are important in deadlock prevention, and finally critical subsystems in the net are found. To avoid a deadlock, it is necessary to control markings in every critical subsystem. This can be achieved by adding additional control places or a supervisor which blocks firing of particular transitions and restricts the number of tokens in critical systems by adding and removing tokens in control places. But still the deadlock can exist if the system is irregular and contains the so-called key resource. The final step is to find key resources. The supervisor must ensure that the key resource is not the last available resource in the net.
The paper is organized as follows: section II reviews the basics of P/T Petri net properties and also describes notations which are used throughout the paper. In this section special attention is dedicated to class MRF1PN, subclass of FPN Petri net. Section III describes the matrix approach of supervisor design. Finally, Section IV shows a case study of a river system traffic control. The moving of vessels and adequate control policy of the supervisor is verified using P-timed Petri nets and computer simulation.

PETRI NETS AND DEADLOCK AVOIDANCE
Place-transition P/T Petri net is a 6-tuple: [13] , , , , , , -an input incidence matrix, : , , -an output incidence matrix, -is a weight function, where M is a matrix of the same type as I O h 6 @, with items declared with , , , , , , , w t p w t p M 0 1 2 3 p t . A transition t that meets the enabled condition is free to fire. When a transition t fires, all of its input places lose a number of tokens, and all of its output places gain a number of tokens. In a P/T Petri net with m places and n transitions, the incidence matrix W is a $n \times m$ matrix defined by: The I (input matrix) and O (output matrix) are of size $n \times m$, and provide a complete description of the structure of a Petri net. If there are no self-loops, the structure may be described by W only. The incidence matrix allows an algebraic description of the evolution of the marking of a Petri net. The marking of Petri net changes from marking $m_k$ to marking Positive elements in P mx1 ^h correspond to a set of places whose weighted token count remains a constant for all possible markings.
Siphon S is a set of places such that every transition that has an output arc to one of these places also has an input arc from one of these places. For siphon S it is true that $^\bullet S \subseteq S^\bullet$. Trap T is a set of places such that every transition that has an input arc from one of these places also has an output arc to one of these places. For trap T it is true that $T^\bullet \subseteq {}^\bullet T$. Once the trap becomes marked, it will always be marked for all the future reachable markings. Once the siphon becomes empty, it will always remain empty. More about siphons and traps can be found in Murata [14].
The flowline system Petri net (FPN) is a subclass of P/T Petri net, which is especially designed for analysing MRF type of flexible manufacturing systems (FMS) [13]. Let P be a set of distinct types of parts produced (or customers served) by FMS. Each part type $k \in P$ is characterized by predetermined sequence of jobs , , , ,, with at least one resource for each job ($L_k$ is the number of jobs for a particular part type). Let R denote the set of system resources, with each $r \in R$ a pool of multiple copies of a given resource. In the FPN places P are divided as $P = R \cup J \cup J_{in} \cup J_{out}$ with R, $J_{in}$, $J_{out}$ as the set of places respectively representing the availability of resources, units waiting for arrival and finished units, and J as the set of places representing the ongoing jobs. The set of transitions T can be partitioned as ! , define the job set $J(r)$ as the set of jobs using r , and re-
The systems described in this paper belong to the class of MRF1PN. MRF1PN is a subclass of MRF systems described by FPN which satisfy: (i) p P 6 !, p p This means that (i) there are no self loops, (ii) each unit-path has a well defined beginning and an end, (iii) every job requires one and only one resource with no two consequent jobs using the same resource, (iv) and (v), there are no choice jobs and no assembly jobs, (vi) there are shared resources. In MRF1 system (MRF1PN), for any $r \in R$, J r r J r J ::+
For any two $r_i, r_j \in R$, $r_i$ is said to wait $r_j$, denoted $r_i \to r_j$, if the availability of $r_j$ is an immediate requirement for the release of $r_i$, i.e., r r i j
To avoid such first level deadlocks we must connect control places to the transitions before and after any critical subsystems $J_0(C)$ which make sure that the token sum in the critical subsystem $J_0(C)$ is limited to The above system is the so-called regular system, for which it is true that avoiding CB is a necessary and sufficient condition for avoiding system deadlock. The above is not true for irregular systems. The irregular system contains key resource. It must be noted that when a system contains key resource, the system may run in the so-called cyclic circular wait relation CCW and also in the so-called second level deadlock several steps before any CB actually occurs. To avoid the second level deadlock we must find the key resource and apply control policy to make sure that the key resource does not remain the last available resource [13].
Figure 1 shows MRF1PN with one input and one output place J in 1 and J out 1 . There is a set of job places , , , J J J J J = " ,, a set of resource places , , R r r r one simple circular wait (SCW) , , C r r r = " , and one critical system , , J J J J To avoid deadlock, control places $c_1$ and $c_2$ maintain the number of tokens in the critical system to maximum 2 (less than initial marking in SCW).
To find the desired deadlock avoidance control policy, matrix-based description of MRF1PN is required. The structural properties of PN can be read from a system matrix. There are two sets of system matrices: $F_u$, $F_y$, $F_v$, $F_r$ and $S_u$, $S_v$, $S_r$, $S_y$. Matrices F capture conditions that must be fulfilled before firing of transitions, while matrices S are responsible for actions after firing of transitions. The number of rows of $F_u$, $F_v$, $F_r$, $F_y$ defines the number of transitions, while the number of columns defines the number of input places, jobs, resources and output places respectively. The number of columns of $S_u$, $S_v$, $S_r$, $S_y$ defines the number of transitions, while the number of rows defines the number of input places, jobs, resources and output places respectively.

MATRIX APPROACH OF SUPERVISOR DESIGN
Matrix approach of deadlock supervisor design begins with modelling of traffic system by using MRF1PN. Then, the structural properties of MRF1PN must be explored to find conflict and deadlock free control policy. To achieve this, system matrices $F_u$, $F_y$, $F_v$, $F_r$ and $S_u$, $S_v$, $S_r$, $S_y$ can be derived from MRF1PN. The procedure for finding all structural properties of MRF1PN and for deadlock free control policy can be divided in several steps:
Step 1 - Find all resource loops $L(r)$ via computing their covering binary P-invariants;
Step 2 - Find wait relation matrix $G_W$, all SCW and CCW;
Step 3 - Find critical siphons matrix $S_{C_i}$ and critical subsystem matrix $J_0(C)$;
Step 4 - Ensure that the token count in each critical subsystem
The DEDS modelled by MRF1PN can be regular or irregular. For regular system the only condition for deadlock free policy is to control the token count in the critical subsystem (see Section II), and the first 4 steps are sufficient. If the system is irregular, then the second level deadlock can arise, and we must find key resources and proceed with Steps 5 and 6:
Step 5 - Find key resource if the system is irregular;
Step 6 - Ensure that the key resource does not remain the last available resource.
Here are brief explanations of Steps 1-6:
Step 1 - Determination of the resource loops $L(r)$ via computing their covering binary P-invariants. The binary basis for P-invariants is given by the columns of matrix P: where: $I_{r \times r}$ - identity matrix with r resources in the system. Matrices F v t and F r t are formed by deleting rows that correspond to the terminal transitions. Matrices S v t and S r t are formed by deleting columns that correspond to the terminal transitions. Terminal transitions are transitions which have arcs to $J_{out}$.
Step 2 -Find all simple resource circuits and all the CWs which the former constitute.To achieve this, the wait relation matrix between all resources in MRF1PN must be determined.All the wait relations are captured by the wait relation matrix: ) Where the matrix operation 7 is defined in and/or algebra, i.e. standard addition and multiplication of matrices elements are replaced by the logical "and" and "or", respectively.
Having obtained matrix $G_w$, there are standard efficient techniques of polynomial complexity, such as string algebra [15], for identifying matrices C and } . Each entry f , r i j ^h in the resource-requirements matrix $F_r$ is associated with an arc connecting a place, representing resource availability, with the corresponding transition; each entry s , r i j ^h in the resource-release matrix $S_r$ expresses the connections between transitions and places that hold tokens when resources are idle. Correspondingly, each entry f , v i j ^h and s , v i j ^h in job-sequencing matrix $F_v$ and job-start matrix $S_v$ represent arcs connecting transitions and places associated with operations executed by resources. The input matrix $F_u$ portrays output arcs from input places, while output matrix $S_y$ depicts input arcs to output places. Since we assume that input places are source places (places with no input transitions) and output places are sink places (places with no output transitions), matrices $F_y$ and $S_u$ are null matrices, $F_y = S_u = [0]$. As a result, input and output incidence matrices I and O can be obtained from the system matrices: Matrices $F_u$, $F_y$, $F_v$, $F_r$ and $S_u$, $S_v$, $S_r$, $S_y$ are binary matrices. ^h it is possible to determine all $C_i$, and from scw scw ccw } # + ^h it is possible to detect which SCWs are involved in particular CCW. Columns of matrix C which contain non-shared resources denote vectors $c_j$, and columns of matrix C which contain shared resources denote vectors $c_{sj}$.
Step 3 - Find critical siphons matrix $S_{C_i}$ and critical subsystem matrix $J_0(C)$ using these equations: Where matrix operation / denotes element-by-element matrix logical "and" operation.
Columns of matrix $S_{C_i}$ are critical siphons, and column of matrix $J_0(C)$ is a critical subsystem.
Step 4 - Ensure that the token count in each critical subsystem $J_0(C_i)$ is limited above by $m_0(C_i) - 1$. This can be achieved by adding control places (supervisor) to MRF1PN. By adding or taking away tokens in control places, one can control the number of tokens in critical subsystems.
Step 5 - Before a particular control policy is applied, one has to check if MRF1PN is irregular. Key resources can be identified by analyzing interconnections of CWs and their siphons. To confirm the existence of key resources, we must determine the presence of CCW loops. These structures specify a particular sharing among circular waits, and are requisite for the existence of key resources.
The matrix test to find CCW among all CWs in the system is to find $C_{CW}$: where: -^h -matrix which determines the set of transitions which decrease token counts in every critical siphon,

^h
- matrix which determines the set of transitions which increase token counts in CCWs. Matrix $R_{CCW}$ provides for each CW the corresponding vector of key resources shared with other CWs in one or more CCW. If this matrix is zero, there are no key resources in the system [3].
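
The siphon definition from Section II and the control place of Step 4, shown on a regular system with a single circular wait (so Steps 5 and 6 are not needed). This is an added example, not code from the paper, whose own simulation used MATLAB. The two-canal net, all place and transition names, the capacities and the vessel count are assumptions; the critical siphon {K1, K2, A2, B2} and critical subsystem {A1, B1} were derived by hand for this constructed net.

```python
from collections import deque

# Constructed net (assumption): canals K1, K2 are shared resources; direction A
# uses K1 then K2 (jobs A1, A2), direction B uses K2 then K1 (jobs B1, B2).
PLACES = ["JinA", "JinB", "A1", "A2", "B1", "B2", "K1", "K2", "JoutA", "JoutB", "c"]
IDX = {p: i for i, p in enumerate(PLACES)}
CAPACITY = {"K1": 1, "K2": 2}   # constructed capacities, m0(C) = 3 for C = {K1, K2}
VESSELS = 2                     # vessels waiting in each direction

def build_net(supervised):
    """Return input and output matrices I, O (one row per transition)."""
    arcs = {
        "tA1": (["JinA", "K1"], ["A1"]),       # A enters K1
        "tA2": (["A1", "K2"], ["A2", "K1"]),   # A moves K1 -> K2, releases K1
        "tA3": (["A2"], ["JoutA", "K2"]),      # A leaves, releases K2
        "tB1": (["JinB", "K2"], ["B1"]),       # B enters K2
        "tB2": (["B1", "K1"], ["B2", "K2"]),   # B moves K2 -> K1, releases K2
        "tB3": (["B2"], ["JoutB", "K1"]),      # B leaves, releases K1
    }
    if supervised:
        # Control place c sits before and after the critical subsystem {A1, B1}.
        for t in ("tA1", "tB1"):
            arcs[t][0].append("c")
        for t in ("tA2", "tB2"):
            arcs[t][1].append("c")
    I = [[0] * len(PLACES) for _ in arcs]
    O = [[0] * len(PLACES) for _ in arcs]
    for row, (ins, outs) in enumerate(arcs.values()):
        for p in ins:
            I[row][IDX[p]] = 1
        for p in outs:
            O[row][IDX[p]] = 1
    return I, O

def initial_marking(supervised):
    m = [0] * len(PLACES)
    m[IDX["JinA"]] = m[IDX["JinB"]] = VESSELS
    for r, cap in CAPACITY.items():
        m[IDX[r]] = cap
    if supervised:
        m[IDX["c"]] = sum(CAPACITY.values()) - 1   # token bound m0(C) - 1
    return tuple(m)

def is_siphon(places, I, O):
    """Every transition with an output arc into the set has an input arc from it."""
    s = [IDX[p] for p in places]
    return all(any(i[p] for p in s) for i, o in zip(I, O) if any(o[p] for p in s))

def successors(m, I, O):
    """Markings reached by firing each enabled transition: m' = m - I[t] + O[t]."""
    for i, o in zip(I, O):
        if all(a >= b for a, b in zip(m, i)):
            yield tuple(a - b + c for a, b, c in zip(m, i, o))

def explore(supervised):
    """Breadth-first reachability; returns (reachable markings, deadlocked markings)."""
    I, O = build_net(supervised)
    m0 = initial_marking(supervised)
    seen, dead, queue = {m0}, [], deque([m0])
    while queue:
        m = queue.popleft()
        nxt = list(successors(m, I, O))
        finished = m[IDX["JoutA"]] == VESSELS and m[IDX["JoutB"]] == VESSELS
        if not nxt and not finished:
            dead.append(m)
        for n in nxt:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return seen, dead
```

Calling `explore(False)` and `explore(True)` compares the uncontrolled net with the supervised one; in every deadlocked marking of the uncontrolled net the siphon places K1, K2, A2 and B2 hold no tokens.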

CASE STUDY -RIVER TRAFFIC SYSTEM
This chapter deals with a supervisor design for the river traffic system (Figure 2). The presented case study is relatively simple. The intention of this example is to clarify the theory in the previous section. However, the above theory is applicable to more complex systems.
Suppose that a river traffic system consists of three canals K1, K2, K3 and four basins All canals and basins represent resources of the river system. The vessels at the left end of the river system wait for the passage to the right in Direction A, and vessels on the right side wait for the passage to the left in Direction B.
The vessels can move through the canals using their own propulsion plant. The vessel in direction A must pass " " " " , and the vessel in direction B must pass " " " " . The vessels in both directions share the canals. The basins are designed only for one direction and for waiting for the availability of the next canal. If a particular resource is occupied at a moment of time, and if there are vessels waiting to use it, then these vessels wait for the availability of the occupied resource at the exit of the resource where they are at the moment of time. When the resource becomes available, it is occupied by the awaiting vessels. The moving of the vessels in the marine canal traffic system in Figure 2 is limited due to the capacity of resources. The canal capacities are , ,
The traffic in the river system can be fully controlled using RTMS which controls traffic lights at the entrance into resource in directions A and B. RTMS detects vessels passing from one resource to another and the number of vessels at a particular resource. The traffic light signalization system should not let vessels enter a resource in order to avoid forbidden states. The supervisor, which is implemented in RTMS software, is required to be maximally permissible, i.e. not hinder the passage of vessels.
To design a supervisor, the first step is to make an MRF1PN model of the river system. Figure 3 shows Petri net model of the river system in Figure 2 with control places. Figure 3 shows the model of empty river traffic system (without vessels in canals and basins), with 10 vessels waiting for direction A, 10 vessels waiting for direction B. The capacities of canals and basins are the same as in Figure 2.
The tokens in input places $\{p_1, p_2\}$ will represent the vessels waiting for entering in the system. The tokens in output places $\{p_{26}, p_{27}\}$ will represent the vessels leaving the system. The set of all places that represent jobs in the system is , , p p f " , (the number of tokens in a job place will represent the number of vessels in particular resource), and the number of tokens in resource places , , p p are in conflict (both transitions are enabled at the same time). A conflict-free supervisor enables only one direction (direction A or direction B) with equal probability.
The second problem is how to design a deadlock-free supervisor. To achieve this we must apply the matrix approach described in Section II. Here are the results:
Step 1: P-invariants can be calculated applying (6). There are 7 P-invariants in the net: , P p p = " ,.
Step 2: Applying (7) and string algebra [12] we can find 2 SCWs , , , C p p p p , , , , , , , J p p p p p p p p
Step 5: To check the regularity of the system, matrix $C_{CW}$ must be calculated by applying (10). From $C_{CW}$ it is possible to see that the system is irregular and that SCWs $C_1$, $C_2$ and $C_3$. From $R_{CCW}$ applying (11) it is possible to see that the key resource in the system is $p_{18}$ (canal K2).
Step 6: To ensure the absence of the second level deadlock the supervisor has to take care of the availability of key resource $p_{18}$ in such a way that canal K2 does not remain the last available resource in the system.
The deadlock prevention supervisor which applies the control policy derived in Steps 4 and 6 is verified using computer simulation of vessels moving through the river system. We are simulating the process of moving 10 vessels in direction A, and 10 vessels in direction B at the same time. Let us assume that every vessel must remain in the resource K1_A = 1 h, B1A_A = 0.5 h, K2_A = 2 h, B2A_A = 0.5 h, K3_A = 1 h, K3_B = 1 h, B2B_B = 0.5 h, K2_B = 2 h, B1B_B = 0.5 h, K1_B = 1 h. In case of conflict, we do not give priority to any direction. The simulation starts from the initial state of Petri net displayed in Figure 3. The upper 10 diagrams in Figure 4 show the number of vessels in job places p p and conflicts in the system. Control places are "traffic lights" which disable firing of transitions (logical "1" means green light - token in the control place, logical "0" means red light - no tokens in control place).
Figure 5 shows markings of input places in direction A and B (PI-A, PI-B) and output places in direction A and B (PO-A, PO-B). From Figure 5 it is possible to see that the last vessel leaves the canal system 43 hours after the process of vessels moving through the canal system has begun. The applied control policy ensures maximally permissive behaviour of the supervisor with no conflicts and no deadlocks in the system.

CONCLUSION
The paper shows a straightforward matrix-based method for calculating the maximally permissible conflict and deadlock prevention control policy, which can be easily implemented by people or by traffic lights in the river traffic system. To achieve this, the first step is to make a suitable Petri net model of river traffic system using MRF1 type of flowline Petri net. Then, the structural properties of the net like P-invariants, circular waits, critical siphons and critical subsystems are investigated. To avoid conflicts, the first and second level deadlocks, the authors propose adding of control places (supervisor). To avoid conflicts and the first level deadlock, the control places disable firing of particular transitions and limit the number of vessels in critical subsystems. But still the second level deadlock can exist if the system is irregular and if it contains the so-called key resource. To avoid the second level deadlock, the supervisor must take care that the key resource is not the last available resource in the net. The calculated controller is verified using a P-timed Petri net, and computer simulation of dense traffic by using MATLAB environment. The proposed matrix-based method of supervisor design is not time-consuming, and it is suitable for complex traffic systems. Future research will be focused on deadlock avoidance problem of complex systems with more key resources.

D. Kezić, A. Gudelj: Design of River System Deadlock Avoidance Supervisor by Using Petri Net

From C r scw ccw # + which determines the set of transitions which increase token counts in every critical siphon, v 0C -critical subsystems job set matrix of type CW J # ^h. The critical subsystem job set matrix denotes job places which belong to CWs. When $C_{CW} = [0]$ the system is regular, otherwise element $C_{CW}(i,j) = 1$ indicates that $C_i$ and $C_j$ form a CCW. Obviously $C_{CW}$ is symmetric matrix. To identify the key resource we must apply the following straightforward matrix formula: determines the set of transitions which decrease token counts in CCWs

4 :
The initial marking of C 1 , C 2 and C 3 are m the first level deadlock we must limit the number of vessels in critical subsystems m J 5

Figure 4 -Number of vessels in job places and tokens in control places

Figure 5 - Number of vessels in input and output places

To prevent deadlock in MRF1PN we must first avoid CB conditions, which are closely related to the critical siphon. A critical siphon S is a minimal siphon that does not contain any resource loops. The next step is to find sets of job places, the so-called critical subsystems J C 0 -^h .