A Control of Collision and Deadlock Avoidance for Automated Guided Vehicles with a Fault-Tolerance Capability

Based on a novel discrete-event zone-control model, in our previous papers [1, 2], we presented a time-efficient traffic control for automated guided vehicle (AGV) systems to exclude inter-vehicle collisions and system deadlocks, together with a case study on container terminals. The traffic control allows each vehicle in an AGV system to freely choose its routes for any finite sequence of zone-to-zone transportation tasks and the routes can be constructed in an online fashion. In this paper, we extended our previous results with two practical goals: (1) to increase the utilization of the workspace area by reducing the minimally allowed area of each zone; (2) to avoid vehicle collisions and deadlocks with the occurrence of vehicle breakdowns. To achieve the first goal, we include one extra vehicle event that allows each vehicle to probe further ahead while it is moving on the guide-path. This leads to an extension of our previous discrete-event model and traffic control rules, which are presented in the first part of the paper. The second part of the paper concerns the second goal, for which an emergency traffic control scheme is designed as supplementary to the normal traffic control rules. As in our previous papers, the improved model and traffic control are applied to a simulation of quayside container transshipment at container terminals; our simulation results are compared with those from two interesting works in the literature.


Introduction
Automated guided vehicles (AGVs) are used as a transportation means in many industrial fields. Taking advantage of their flexibility in routing and scaling, AGV systems were traditionally employed in automated manufacturing systems (AMSs) as material handling systems (MHSs) to transport pieces or parts among various workstations.
Recently, AGV systems have extended their popularity to other applications, such as material transportation in warehouses and container transshipment at container terminals. See, e.g., [3,4] for comprehensive surveys of the research on the design of AGV systems.
As there are normally multiple vehicles in AGV systems, traffic control is necessary to resolve motion conflicts among the vehicles. In particular, vehicle collisions and deadlocks should be prevented to avoid substantial production interruptions. Furthermore, for an AGV system with a large number of vehicles in some applications, effective and efficient traffic control is also important to achieve desirable system performance (see, e.g., [5] for a list of performance measures).
Traditionally and still currently, AGVs move along a predefined guide-path (wired, magnetic, etc.) system connecting key locations in the workspace, which eases the motion control and guidance of the vehicles, yet sets limitations on the flexibility and scalability of the system. The literature and industrial practice have witnessed a growing interest in developing free-ranging AGV systems, in which the vehicles can choose any possible path to move between two locations. This type of system is expected by some researchers to provide shorter transportation distances (via free routing), better utilization of the workspace and more flexible deadlock and congestion avoidance mechanisms. However, performance comparisons between free-ranging AGV systems and those with a fixed guide-path are very rarely seen [6]; besides, it seems that convincing conclusions have not yet been drawn on which type would perform better with dense vehicles (i.e., a large number of vehicles in a limited area). In this paper, we choose to focus on a study of AGV systems with a fixed guide-path.
Several types of flow topologies/configurations have been proposed and investigated for the guide-path of the AGV systems. Each of them has its pros and cons and should be chosen based on specific applications. All the flow configurations contain a collections of lanes, or sequences or path segments (either unidirectional or bidirectional), connecting machines, work stations, pick-up and delivery points or other fixed infrastructures. In what is called conventional configuration, lanes can intersect each other like in a normal guide-path. In single loop configuration, AGVs travel in a fixed (usually unidirectional) loop. The advantage is that the traffic is easy to control; however, each vehicle has to travel the complete loop to visit the same point again and a vehicle breakdown can block the entire system. The tandem configuration consists of non-overlapping single loops and uses transfer stations to move materials from one loop to another. As with the single loop layout, it also requires little or even no traffic control (if only one vehicle serves one loop); hence, some researchers concluded that tandem layout performs better in large systems (see, e.g., [7]). However, any single loop is a bottleneck to the whole system; besides, extra space and equipment are required for the transfer stations. Lastly, similar to a tandem configuration, a segmented flow configuration contains one or more zones, each of which is divided into non-overlapping segments served by a single vehicle. Some papers also showed good performance (see, e.g., [8]) by using this type of guide-path, but it shares the same drawbacks as with the tandem configuration. The reader is referred to [3,4] for more details on the classification and design of the guide-path. This paper discusses the traffic control of AGV systems with conventional guidepath (as aforementioned, the traffic control of the other types of guide-path configurations is heavily reduced or even fully removed).
The most popular traffic control strategy for AGV systems is called zone-control (see [9]), in which lanes in the guidepath are composed of a number of zones. By this strategy, inter-vehicle collision avoidance becomes straightforward by only allowing one vehicle to visit one zone at a time. A key traffic control issue is then to keep the vehicles away from deadlocks that may be caused by the vehicles' competition for the occupation of the zones.
Historically, the study on deadlock problems started in the development of operating systems [10,11] and database systems [12] in computer science. In general, three strategies have been employed to address deadlocks: deadlock prevention, deadlock avoidance and deadlock detection and resolution [12]. The goal of deadlock prevention is to design rules such that any deadlock is precluded before all processes set off. In a deadlock avoidance strategy, online control is adopted such that a resource is allocated to a process only if a deadlock will not be introduced. Lastly, a deadlock detection and resolution strategy allows deadlock to happen. When a deadlock is detected, certain online rules are used to resolve the deadlock and recover the system. During the past two decades, deadlock problems have been attracting intensive research effort for the flexible manufacturing systems (FMSs), in which AGV systems play an important part. In particular, [13][14][15][16][17][18] are among many other works that investigate deadlock avoidance using Petri net formalism. The proposed methods either exclude the occurrence of deadlocks by preventing some necessary conditions, or detect and resolve deadlocks when they actually take place [19]. [20] and [21] proposed deadlock avoidance policies based on the graphic characterization of deadlocks and so-called restricted deadlocks. In [22], a variation of the Banker's algorithm was developed, which prevents deadlocks by allowing only "ordered" vehicle mission trips. The conservativeness of this algorithm is somewhat reduced in [23] and [24] at the cost of higher complexity. There are some other methods existing in the literature. [25] provides a generalized algebraic deadlock avoidance policy that ensures the absence of deadlocks by restricting the operation of the system in a subspace satisfying a set of linear inequalities. Using a graph theoretic approach, [26] presented a deadlock avoidance algorithm that consists of a quasi two-step resource allocation policy and a cyclic deadlock detection procedure. [27] offers a logic-algebraic approach for deadlock prevention by solving a constraint satisfaction problem. In addition, many works have been dedicated to guaranteeing deadlock avoidance by using smart routing algorithms (sometimes called conflict-free routing) [28][29][30][31]24]. Note also that recent years have witnessed an increasing research interest in traffic control problems for the AGV systems at automated container terminals, as the volume of goods transported via sea ports has soared in booming international trade. [32] presented several procedures to detect and recover from deadlocks caused by the interaction between the AGV system and other container handling equipment systems. [33] renders a path reservation method to prevent in advance the deadlocks and collisions of AGVs. [34] suggested a traffic control approach based on the concept of "semaphore" borrowed from computer science. In addition, inspired by [35], the work of [36] and later [1] (with core models and algorithms reformed in [2]) showed deadlock detection and avoidance schemes involving some online cyclic deadlock checking procedures for a unidirectional guide-path system.
As pointed out by [3] and [36], dealing with deadlock avoidance for relatively large AGV systems (a large number of AGVs and/or zones) is quite challenging. In fact, this makes most of the existing algorithms either too conservative with acceptable complexities, or too computationally expensive under the pursuit of least restriction. Very recently, there have been some research activities aiming at maximally permissive deadlock avoidance algorithms with complexity concerns by using the resource allocation system theory [37] and Petri net formalism [38]. However, it seems that there is still quite some distance from the current status of the development to the practical applications of these optimal algorithms for large-scale AGV systems (with tens or even hundreds of vehicles). To the authors' best knowledge, the deadlock avoidance algorithms proposed in [35,36,1,2] have the smallest computational complexities, which only quadratically increase with the number of vehicles. Note that the small complexities of these algorithms partially come from their limited applicability to guide-path systems with only unidirectional lanes. However, for large-scale AGV systems, the potential room for performance improvement using bidirectional guide-path systems shrinks with increasing vehicle interferences ( [39,29]) and comes with a sharp rise of complexity of traffic management. Furthermore, one also notes that the traffic control with bidirectional guide-path in general depends on the scheduling and routing of the vehicles, whereas the traffic control algorithm proposed in our previous work [2] has been proven able to avoid deadlocks with no restrictions to routing of the vehicles, as long as each vehicle visits a finite sequence of zones from its initial location to a depot (where it can stay without blocking other vehicles). This free-routing proper-ty is definitely a big advantage in achieving high system performance. Note also that among the algorithms proposed in [35,36,2], only the one in [2] is provably correct in guaranteeing the absence of deadlocks with the help of a formal event-based modelling. (The problems with the algorithms in [35] have been pointed out in [21]; in [36] the authors did not obtain a complete solution for what they call "multi-cycle deadlocks".) Failures can degrade the performance of or even paralyse an industrial system. Fault-tolerance is, therefore, one of the key properties that make an industrial system practically useful. In the literature of deadlock avoidance, several studies have been made on fault-tolerant deadlock avoidance for some types of automated manufacturing systems modelled by Petri nets [40,41]. In addition, some faulttolerant routing algorithms have been developed for computer networks and for communication subsystems on integrated circuits [42,43]. For deadlock avoidance for AGV systems, however, there is hardly any existing work that has the management of vehicle faults as a focus. In principle, for the AGV systems with free-ranging vehicles, vehicle breakdowns may be handled by letting the other (healthy) vehicles view the faulty vehicles as obstacles that can be steered clear of with their (i.e., the healthy vehicles') built-in obstacle avoidance algorithms. However, detailed discussion and formal proofs for collision and deadlock avoidance in this direction are rarely seen in the literature. For the AGV systems with guide-paths, vehicle breakdowns can be catastrophic for certain types of configuration of guide-path. For example, in the single loop configuration, where AGVs travel in a fixed (usually unidirectional) loop, a vehicle breakdown can block the whole system; in the tandem configuration, which consists of non-overlapping single loops, each single loop is a bottleneck to the entire system; the same problem can happen to the segmented flow configuration with each of the non-overlapping segments served by a single vehicle. For other types of guide-path, the AGV system might still be able to function after some vehicle breakdowns; however, a partial or complete re-dispatching, re-scheduling and/or re-rerouting may be necessary to ensure acceptable system performance. With most existing deadlock avoidance approaches, the adjustment has to be responsible for the deadlock avoidance of the AGV system as well.
In this paper, we follow the line of development in [1,2] to design traffic control algorithms for AGV systems that guarantee the avoidance of collision and deadlocks with full freedom of routing. We have two specific goals in mind: (1) increase the utilization of the workspace area by reducing the minimally allowed area of each zone; and (2) design an emergency traffic control scheme to avoid vehicle collisions and deadlocks with the presence of vehicle breakdowns. Both these goals are motivated by practical concerns from general applications. The key to the realization of the first goal is adding one extra event to the eventbased model previously presented in [2]. The triggering of this event allows a vehicle to probe the availability of one more zone ahead on its path than before. For applications with a large number of zones, this can lead to substantial saving of space. The second goal is clearly designed to improve the robustness of traffic control to emergency situations, which is rarely addressed in literature, at least in a formal manner. Note that the achievement of the first goal also gives some leeway to that of the second, for which we enlarge the first zone of each lane so that it contains some extra space that can be split out, if needed, into a buffer zone when a vehicle breakdown occurs.
The paper is organized as follows: the extended discreteevent zone-control model is introduced in Section 2. The traffic control rules that ensure the avoidance of collision and deadlocks in a fault-free situation are presented in Section 3. A performance study of an AGV system incorporating the proposed traffic control is mentioned in Section 4. The emergency traffic control rules that guarantee the avoidance of collision and deadlocks with vehicle breakdowns are presented in Section 5. Concluding remarks are given in Section 6. All the technical proofs are included in the appendix of the paper.

Zone-control Modelling
In this section, we present the zone-control model that defines the structure of the guide-path 1 and the eventdriven vehicle behaviour. In particular, at the end of Section 2.2, we will show how our first goal of increasing the utilization of the workspace area is achieved by this extension to our previous work [2].

Building blocks of the zone-based guide-path
The guide-path contains lanes, crossings and depots. Lanes are composed of zones and each depot is a (special) zone. For any assigned transportation task, a vehicle does nothing but move from one zone to another. Some of the content in this section can be found in [2], but is still presented here for completeness.

Lane and zone
A lane is a finite sequence of zones. Vehicles moving in a lane must visit the zones according to their order in the sequence. In the general discussion that follows, we assume that there are M , M ∈ ℕ (ℕ denotes the set of natural numbers), lanes in the network and the lane i has m i , m i ∈ ℕ, zones. In addition, we use c k i to denote the k th zone of the lane i. In particular, we call the first zone and the last zone of a lane the starting zone (SZ) and ending zone (EZ) of the lane, respectively. In practice, a zone should be large enough to accommodate at least one vehicle.
A depot is a zone that can accommodate any number of vehicles. We emphasize that a depot is not a zone of any lane; or, in other words, any zone on each lane is a nondepot zone. Each depot is affiliated with at least one entrylane and one exit-lane. Physically, an entry-lane (resp. exitlane) of a depot is a lane that allows a vehicle to move inwards (or outwards) from the depot.
We use C to denote the set of all zones in the guide-path.

Crossing
A crossing is physically a junction that joins multiple lanes. Specifically, crossing i is affiliated with a set of in-lanes, denoted by ℐ i and a set of out-lanes, denoted by O i . Each

Assumptions on the guide-path
Upon the layout of the guide-path, we impose the following guide-path layout assumptions:

Neighbouring zone
It is important to know, when a vehicle is in a zone, which zones the vehicle can move into next. For this purpose we define the concept neighbouring zone, which intuitively follows the definitions of lanes and depots. The set of neighbouring zones of each depot consists of the SZs of all its exit-lanes. The neighbouring zone of a non-EZ zone c k i , zone of the EZ of any entry-lane of a depot is the depot. The neighbouring zones of the EZ of an in-lane of a crossing are the SZs of its neighbouring lanes 2 . We use Υ c to denote the set of neighbouring zones of zone c. In addition, for any

Vehicle state and event
The state of a vehicle indicates its current location and intention of movement with respect to the guide-path. Each vehicle can have three types of states, as follows: 1. in c 1 with the next zone c 2 , denoted by (c 1 ,c 1 ,c 2 ); 2. moving from c 1 to c 2 , denoted by (c 1 ,c 2 ,c 2 ); 3. moving from c 1 to c 3 via c 2 , denoted by (c 1 ,c 2 ,c 3 ); where c 1 can be any zone in C, c 2 is one of the neighbouring zones of c 1 (i.e., c 2 ∈ Υ c 1 ) and c 3 is a neighbouring zone of c 2 but different from c 1 . In all three cases, c 1 and c 2 are called, respectively, the current zone and the next zone of the vehicle. From an implementation point of view, the body of a vehicle is supposed to be entirely inside its current zone in case (1) and may span across its current zone and the next zone in cases (2) and (3).
To ease the presentation, we define three sets that collect all possible vehicle states in each of the above three types: In addition, we let S be the union of S 1 , S 2 and S 3 . Note that, by Lemma 2 (see Section A.1), c 1 , c 2 and c 3 are distinct in the definitions of S 1 , S 2 and S 3 and thus the three sets are disjoint. For any s ∈ S, we will sometimes use s 1 ,s 2 ,s 3 to denote its first, second and third elements respectively.
Each vehicle has an initial state representing its beginning location and intention of movement. When the system is running, the state of each vehicle will change only at the occurrence of events. In other words, an event is responsible for a state transition that maps a vehicle state to another. There are three events that vehicles trigger for their normal operations: "leave", "arrive" and "go ahead" 3 . To simplify the presentation, we use LEA, ARR and GOA to denote the three events respectively. At any point in time, each vehicle can trigger at most one event; the following rules prescribe how the three events change the state (denoted by s) of a vehicle: Note that the ARR and GOA in (b) are the events that involve new zones in the state transitions and thus directly relate to the implementation of the routes of the vehicles.
The state transitions by the three events are illustrated in Figure 2. In a less formal and much simpler way, we sometimes say that: • in (a), the vehicle leaves c 1 by the LEA; • in (b), the vehicle goes ahead to pass c 2 by the GOA; • in (b) and (c), the vehicle arrives at c 2 by the ARRs. Here we give a simple example of how each vehicle is supposed to utilize these events to change its state while moving on the guide-path. Consider a vehicle that has the state (c 1 ,c 1 ,c 2 ) (i.e., it is in the zone c 1 ) and wants to be in This can be achieved by first leaving c 1 , then going ahead to pass c 2 , arrive at c 2 and finally arrive at c 3 (i.e., by the event sequence LEA→GOA→ARR→ARR 4 ).
We should emphasize that, although an event is feasible for a particular vehicle state, it does not mean that the event is always allowed to occur for the state. The traffic rules that will be presented in the following section are used to permit or inhibit events such that vehicle collisions are avoided and system deadlock can never happen. An interesting point to mention here is that an ARR is always allowed to occur by the traffic rules. Thus, the freedom in selecting the zone c 3 with the ARR in case (b) allows a vehicle to alter its route even if it has been predefined, or establish it online in an incremental fashion: a vehicle only needs to pick c 3 , the succeeding zone on its route, before it arrives at c 2 . The selection of the zone c 3 with the GOA event in (b) is also free; the only difference is that a GOA event can be prohibited by the traffic rules. Later on, we will see that there are no restrictions imposed on a route assignment before each transportation trip either. This free-routing property is a distinct advantage of the proposed traffic control.
From another perspective, considering the zones as resources that vehicles need to take up for their transportation trips, the above events, together with the traffic control, can also be seen to dictate the resource allocation for the overall system (in section 2.3, we will see that this is directly related to the states of zones). Specifically, in (a) the vehicle is allocated c 2 by the LEA, yet has not released c 1 ; by the GOA in (b) the vehicle is allocated c 3 , yet has released neither c 1 nor c 2 ; the ARRs in both (b) and (c) release the zone c 1 . Because of the last point, it is required that the vehicle has already physically moved completely out of c 1 and is inside c 2 when the ARRs are triggered. In addition, for high system performance it is good to have the ARRs triggered (so that c 1 is released) immediately after the vehicle fully enters c 2 . From case (c), we see that this implies that the vehicle is not physically occupying the zone c 3 when its state is (c 1 ,c 2 ,c 3 ), as the zone c 2 is large enough to accommodate the entire body of the vehicle.
One may notice that, compared with the discrete-event model presented in our previous work [2] (or in [1] in a different form) the driving idea behind all the modifications is the addition of the event GOA, which extends the behaviour of the vehicles. In fact, previously only two types of vehicle states were defined, i.e., the states in S 1 and S 2 and the event-driven state transitions shown in the dashed box in Figure 2.
Let us now explain the improvement brought about by the present and generalized model by using a walk-through of a typical scenario in which a vehicle tries to pass a zone. Consider a vehicle trying to pass a zone c 2 with its current state (c 1 ,c 2 ,c 2 ) and suppose it knows the next zone (after passing c 2 ) on its route is c 3 ∈ Υ c 2 . What will happen with the previous model is the following: the vehicle will have to trigger an ARR to arrive at c 2 first (c 1 will then be released).
As stated above, this requires the body of the vehicle to be fully inside c 2 . The vehicle will then try to trigger an LEA to leave c 2 (so that its state can be changed to (c 2 ,c 3 ,c 3 )). If the LEA is permitted (by the traffic control), the vehicle will keep its speed and move on, passing c 2 ; otherwise, it has to break and make a full stop with its body still completely inside c 2 . Clearly, we need the length of zone c 2 to be at least L vehicle + L break in case the LEA is denied, where L vehicle is the length of the vehicle and L break is the distance for the vehicle to make a full stop from its maximum speed. Now, for the same scenario, let us follow the vehicle's behaviour in the framework of the present model. First, the vehicle will try to trigger a GOA, which changes its state to (c 1 ,c 2 ,c 3 ).
Importantly, note that the vehicle can do this even before physically entering the zone c 2 . If the GOA is permitted (the zone c 3 is then allocated to the vehicle), it will move on, passing c 2 ; otherwise, it will need to break and fully stop inside c 2 . It is easily seen that in this case the length of c 2 will need only to be larger than max{L vehicle ,L break }. For a guidepath with a large number of zones, this improvement can be substantial if the breaking distance L break is not negligible with respect to L vehicle (e.g., with the container-carrying vehicles at container terminals). With a closer look, one may notice that the saving of required space as the vehicle passes c 2 is essentially due to the early can-pass probing via the trial of the GOA.

Zone states
Before closing this section, we introduce some properties of the zones that are directly related to the states of vehicles.
Each zone can have two states: "occupied" and "available". In particular, a depot is always available. A non-depot zone is occupied if it is allocated to a vehicle; it should not be allocated to another one before being released. Put more formally, a non-depot zone is said to be occupied by a vehicle, with state s, when (1) it is the current zone of the vehicle if s ∈ S 1 ; or (2) it appears in the expression of s if s ∈ S 2 ∪ S 3 . A non-depot zone is said to be occupied if it is occupied by at least one vehicle. A non-depot zone is available if it is not occupied. It is obvious that the states of zones change only at the occurrence of vehicle events. It is part of the responsibility of the traffic control to ensure that a zone is occupied by at most one vehicle, so that vehicle collisions are avoided.
To ease our presentation, we sometimes use colours to represent different statuses (not states) of the zones. Specifically, c. Any non-depot zone c is grey ⇔ c is occupied by only one vehicle with the state either (c,c * ,c * ) ∈ S 2 , (c,c * ,c ** ) ∈ S 3 or (c * ,c,c ** ) ∈ S 3 ; where, in (b) and (c), c * and c ** can be any zones that make sense.
One can see that a zone is black if it is occupied by a vehicle that is either in the zone or will be able to be in the zone after triggering one or two ARRs (recall that ARRs are always allowed). A zone is grey if it is occupied by a vehicle that will be able to release the zone after triggering a couple of ARRs.
It is easy to show that, if each non-depot zone is occupied by at most one vehicle, then any zone must be either white (when available), black or grey (when occupied).
Finally, we say that a vehicle starts occupying a zone by an event if the zone was not occupied by the vehicle before the state transition, caused by the event, but is occupied by the vehicle afterwards. It can be shown that such an event can be either an LEA or a GOA but not an ARR (see Lemma 4 in Section A.1).

Traffic Control
In this section, we will propose a traffic control system that guarantees the absence of (inter-vehicle) collisions and deadlocks. One may notice that the traffic control here is slightly more complex than that previously proposed in [1,2], mainly due to the added event GOA and vehicle states in the set S 3 . Basically, the traffic control permits a vehicle to trigger an ARR whenever it wishes to do so, but requires it to check with some specified traffic rules when it intends to trigger either an LEA or a GOA.
Since there are different traffic rules for different situations, we now introduce a classification of the LEA and GOA events. An LEA (or GOA) is called an off-crossing LEA (or off-crossing GOA) if it causes a vehicle to leave (GOA: go ahead to pass) an off-crossing zone; is called an at-crossing LEA (or at-crossing GOA) at a crossing if it causes a vehicle to leave (GOA: go ahead to pass) an at-crossing zone of the crossing. An event is called a crossing-passing event at a crossing if it is either an at-crossing LEA or an at-crossing GOA at the crossing. An LEA or GOA is called a depotpassing event at a depot if it causes a vehicle to either leave or go ahead to pass the depot. Clearly, a depot-passing event cannot be a crossing-passing event.

Inter-vehicle collision avoidance
The requirement for collision avoidance can be roughly stated as the following: first, any non-depot zone cannot be occupied by two or more vehicles at the same time. Second, it must be excluded that two vehicles are passing a crossing in a conflicting way or will be doing so due to the lack of further restrictions. More specifically, let s and s ′ be the states of two vehicles at the same time instant; the latter point is achieved for the crossing k if the following cases are prevented: (X3) s,s ′ ∈ S 3 with one of the possibilities: Case (X1) in fact reflects the motivation for defining the notation of conflicting crossing-passing zone pairs X k (see Section 2). The reason for the inclusion of (X2) and (X3) is that a vehicle with the state (s 1 ,s 2 ,s 3 ) ∈ S 3 is always allowed to trigger an ARR and change its state to (s 2 ,s 3 ,s 3 ) ∈ S 2 . In all three cases above, we say that the state s conflicts with the state s ′ at crossing k . In summary, the AGV system is said to be free of collisions if both the following two conditions are satisfied: (C1) Each non-depot zone is occupied by at most one vehicle.
(C2) The state of each vehicle does not conflict with that of any other at any crossing.
First, we need to prevent two vehicles leaving or going ahead to pass the same depot and start occupying the SZ of the same exit-lane of the depot simultaneously. For this purpose, the following Rule 1 is imposed: Rule 1: For each depot, at most one vehicle is allowed to trigger a depot-passing event at the depot at any time.
Similarly, we also need to avoid two vehicles triggering atcrossing LEAs or GOAs at the same crossing to start occupying the SZ of the same out-lane of the crossing simultaneously. This gives ground to the following Rule 2: Rule 2: For each crossing, at most one vehicle is allowed to trigger a crossing-passing event at the crossing at any time.
Rule 1 (or Rule 2) can be realized by requiring each vehicle to hold exclusively a local depot token (Rule 2: local crossing token) whenever triggering a depot-passing (Rule 2: crossing-passing) event at each depot (Rule 2: crossing). An example of such token assignment algorithms can be found in [1].
In addition, Rule 3 and Rule 4 below are used to make sure that a vehicle cannot start occupying a zone if the zone is occupied by another vehicle and/or doing so will give rise to two vehicles having conflicting states at a crossing. if (1) c 2 is available and (2) there is no other vehicle having its state with s ′ at crossing i; if s = (c 1 ,c 2 ,c 2 ) ∈ S 2 , where c 2 is an at-crossing zone of crossing i, then an (at-crossing) GOA is allowed to be triggered and to change the state to (2) there is no other vehicle with its state conflicting with s ′ at crossing i.
It can be proved that traffic rules guarantee that an AGV system is free of collisions if the two conditions (C1) and (C2) are satisfied initially. We refer the interested reader to Section A.2.1 for a formal proof of the collision avoidance.

Deadlock avoidance
Abstracting from many applications, we may consider that each vehicle in an AGV system does nothing but visit a series of zones to transport things from assigned pick-up points to delivery points. In the framework of our eventdriven model, to realize this a vehicle must trigger a sequence of events. We say that a vehicle is operational if it has the intention to trigger a new event in finite time; it is supposed that if a vehicle is not operational (and not faulty) it must be in a depot. Without loss of generality, we also assume that each vehicle is initially operational and terminates its operation after visiting a finite sequence of zones. It follows that each vehicle can terminate its operation after triggering finite events. In fact, if a vehicle triggers infinite events, one easily sees from Figure 2 that there must be infinite LEAs and/or infinite GOAs, which, by Lemma 4 (see Section A.1), implies that the vehicle would occupy an infinite sequence of zones.
We Note that there is a special type of deadlock scenario, i.e., cyclic deadlocks: a group of operational vehicles v i 1 ,v i 2 , ⋯ ,v i m , m ≥ 2, are respectively in m distinct zones c 1 ,c 2 , ⋯ ,c m , where c j+1 is the next zone of v i j for j = 1,2, ⋯ ,m − 1 and c 1 is the next zone of v i m . In this case, by Rules 3 and 4, none of the vehicles is allowed to trigger the only feasible event LEA. In fact, this deadlock corresponds to a black cycle in the operation graph, which is defined below.
The operation graph is a time-dependent directed graph with the vertex set C and the arc set ℰ, where C, as defined before, is the set of all zones and ℰ is the collection of every such zone pair (c 1 ,c 2 ) that satisfies either of the following two conditions: 1. c 1 is an off-crossing zone and c 2 ∈ Υ c 1 ; 2. c 1 is an at-crossing zone and c 1 and c 2 are respectively the current and next zones of an operational vehicle.
A cycle in the operation graph is a sequence of vertices It can be shown that an AGV system is free of collisions and deadlocks if initially the conditions (C1) and (C2) hold and the operation graph has no black cycle; and the occurrence of the LEAs and GOAs are governed by Rules 1, 2', 3 and 4', where the Rules 2' and 4' are shown as below:

Rule 2':
There is at most one vehicle that can trigger a crossing-passing event (at all crossings) at any time.

Rule 4':
Rule 4 together with the additional requirements that the LEA cannot lead to a black cycle in the operation graph containing c 2 and the GOA cannot lead to a black cycle containing c 3 .
Compared with Rule 2, which only imposes a local restriction on crossing-passing events, the aim of imposing the more stringent Rule 2' is two-fold. Firstly, it prevents the scenario in which simultaneous occurrences of crossingpassing events at different crossings cause a black cycle but does not otherwise. Secondly, it significantly reduces the complexity of the black cycle checking, demanded in Rule 4', for triggering a crossing-passing event, since otherwise the vehicle must be aware of all the other vehicles, possibly physically far away, that may also trigger crossing-passing events at the same time.
Rule 2' can be realized by using a global crossing token. It is required that each vehicle request the token from a central control station when it intends to trigger a crossing-passing event. After the vehicle obtains the token, it checks with Rule 4' while holding the token exclusively and releases the token after the checking (no matter whether the event is allowed to be triggered or not). Of course, we need to ensure that every vehicle that intends to trigger a crossingpassing event will be issued the token. The token assignment algorithm presented in [1], which is based on an index list of the "starving" vehicles waiting for the token, can be used for this purpose. The checking of potential black cycles can be implemented using an algorithm similar to Algorithm 1 in [1] and has the time complexity only quadratically dependent on the number of vehicles in the system.
A formal justification of the deadlock avoidance is given in Section A.2.2.

Performance of AGV Systems Using the Traffic Control
So far, we have concluded that each of the vehicles in an AGV system can finish visiting any finite sequence of zones and park in a depot where it terminates its operation without colliding with any other vehicle, as long as certain mild conditions are satisfied when the system starts and the traffic rules are followed. The overall transportation performance of the system, however, will also depend on many other factors, such as layout of guide-path, number of AGVs, scheduling of transportation tasks, routing algorithms and, last but not least, contingency (fault) handling, all of which in general can influence the traffic of the AGV system. Compared with most of the existing traffic control schemes in the literature, the proposed traffic control rules cause the latter factors to have the least impact on the collision and deadlock avoidance. To be specific, the layout design and task scheduling are completely decoupled from deadlock and collision avoidance; the limitation on the number of AGVs is only imposed by the conditions (C1) and (C2), in that too many vehicles would inevitably force a zone to accommodate more than one vehicle or the appearance of a cyclic deadlock. In addition, we have seen that the freedom rendered by the traffic control for routing is huge: a route can be fixed to a vehicle before it starts operation, partially altered after the vehicle sets off, or even built online in an incremental fashion. The minimum requirement is that a vehicle must fix all three zones in the state to which it needs to reach to trigger an immediate event.
In the rest of this section, the performance of an AGV system incorporating the traffic control presented in the previous section is evaluated in a simulation case study for automated container terminals; the result is compared with those described in two existing papers in the literature.

Simulation setup
We focus on the quayside container transshipment, where the quay cranes (QCs) and yard stackers (YSs) 6 are, respectively, in charge of the container pick-up and dropoff handling in the quay area (QA) and yard area (YA); and a team of AGVs are used to shuttle between these two areas to serve the cranes with containers (see Figure 3 for an illustration of the container transshipment operation). More specifically, in discharging a vessel, a handful of QCs take the containers off the vessel and put them in associated container buffers. These containers will be later on picked up by the AGVs and transported across the transportation area (TA) to the container buffers of scheduled YSs. The containers will then be put in container stacks by the YSs. Conversely, when loading a vessel, the containers are collected from certain stacks by the YSs and transported to designated QCs by the AGVs. To test the performance of our designed AGV system, we carry out a simulation comparison with some existing designs of AGV systems for automated container terminals. In particular, we compare our results with those in [44] and [45]. The main reason for choosing these two works is that they provide complete and detailed information of the simulation settings, including workspace dimensions, cycle times of cranes and vehicle specifications. In both the papers, the performance of two types of vehicles, i.e., vehicles with and without the capacity to lift containers by themselves, are simulated and compared. It was found that the vehicles that can lift containers by themselves (named automated lift vehicles (ALVs) in the two papers) in general achieve higher container transport efficiency. This is mainly because the container cranes do not need to hold a container while waiting for a vehicle to pick it up. In this comparison study, we only simulate the transportation with ALVs (also called AGVs hereafter). In addition, since our goal here is a fair comparison of system performance, we do not include vehicle faults in the simulations.

Guide path and routing algorithm
The AGVs are of the size 10m × 4m. For the guide-path over the TA, we apply the layout design with four roads and big crossings presented in Section 5.3 in our previous paper [1] (illustrated therein by Figure 8). It was shown therein that this layout renders the best performance among its peers. The layout designs for the QA and YA follow the same idea given also in [1], i.e., using a zone (in a lane) as a container buffer under each QC or YS and connecting the guide-path over TA with these QC and YS buffers by a couple of lanes and crossings. The specific layouts over QA and YA that we use for the two comparisons are based on the respective simulation settings (e.g., numbers of QC and YS buffers, distance between adjacent QCs or YSs, etc.) in [44] and [45].
The routing algorithm for the AGVs used in the simulation is the one presented in Section 4.2 in [1]. The algorithm takes into account both travelling distance and some online traffic information for decision making. Briefly speaking, by the routing algorithm the route of each vehicle extends online from one waypoint to another, where a waypoint can be either an at-crossing zone or a depot: before arriving at a waypoint, the vehicle needs to determine the next waypoint along with the lane leading to it.

The first comparison result
In the paper [44], four QCs are used in discharging one vessel and the containers are stored in 16 container stacks. The AGVs move along a loop guide-path to serve the QCs and YSs so that the traffic control reduces to the minimum and there are no routing issues. (See Figure 2 in [44] for an illustration of this layout.) Moreover, multiple lanes are laid in the QA, on which four container buffers are placed under each QC, such that more than one vehicle can pick up containers under one QC without conflicting with each other. The numerical details of this setting are summarized in Figure 4. The task dispatching rules in [44] can be roughly put as follows: empty vehicles are dispatched to QCs according to the nearest-vehicle-first principle and the YS with the fewest number of serving vehicles has the priority to get a new serving vehicle, i.e., a vehicle carrying a container that is to be put in a stack.
For a fair comparison, the same number of buffers and cycle time distributions of QCs and YSs are used in our simulations. However, we set the maximum deceleration of each vehicle to be 2.5m/s 2 rather than 0.5m/s 2 , which is used in [44]. According to the remarks at the end of Section 2.2, our zone-control model allows the length of each zone to be lower bounded by the maximum of the length of a vehicle and the distance for a vehicle to make a full stop from its maximum speed. Thus, by letting the deceleration be 2.5m/ s 2 , we can put the length of non-SZs and SZs on any lane at 14m and 28m respectively (see Chapter 7.5 in [46] for details). In this way, the guide-path over the TA can be designed the same as that shown in Figure 8 in [1]. We believe that the difference in the maximum deceleration of a vehicle does not do our approach much favour in a comparison of the discharging time of a vessel. This judgement is based on the following reason: in [44], because of the loop layout of the guide-path, a vehicle basically needs to make a full stop only at a handling crane. Hence, the time that a vehicle takes to make a full stop from its  [44] maximum speed only occupies a very small part of its total travel time.
In Figure 5, we depict the simulation results obtained by the two methods regarding the discharging time of a vessel with 2,000 containers (note that in [44] simulation results are not given for fewer than 16 vehicles). The two points below can be concluded from the simulation results: • The minimum number of vehicles to minimize the discharging time, i.e., to maximize the QCs' capacity, is about 17 by our design, while it is about 23 in [44].
• By our approach, the discharging time with small vehicle fleets is substantially shorter than that achieved in [44].
In addition, the use of the Manhattan-like guide-path in our approach makes the distance that a vehicle needs to travel for a QC-YS or YS-QC container transportation task much smaller than that in [44], where a vehicle has to travel the whole loop for each transportation. Nevertheless, as mentioned before, the loop-following strategy in [44] greatly simplifies the traffic control and routing for the AGVs, thus is easier to be implemented.

The second comparison result
In [47,45], a more flexible guide-path, composed of intersecting straight lanes, is used so that the travelling distance from a QC to YS, or vice versa, is drastically decreased from that in the loop layout mentioned in Section 4.3.1. However, the traffic control becomes much more complicated. The authors proposed a conflict-free routing algorithm to guarantee the absence of collisions and deadlocks. More specifically, after selecting a route for each vehicle, the route is divided into a series of occupation areas and the entry and exit time of each area is precisely scheduled to avoid conflicting with those vehicles whose movement has already been scheduled. See Figure 3 in [45] for a schematic illustration of this scheduling approach.
The dispatching strategy employed by Bae et al. is based on an inventory-based dispatching method (see [48]). This strategy basically says that each time a vehicle needs to be assigned to a QC or YS, the QC or YS with the smallest number of assigned vehicles is selected.
In [45], simulations of discharging and loading of one vessel with 3,600 containers are performed with various types of QCs. The numerical specifications of the simulation setting are given in Figure 6. Only the results with the tandem-lift QC will be used here for the comparison. For a fair comparison, the same number of buffers and cycle time distributions of QCs and YSs are used in our simulations. Moreover, we use the same dispatching algorithm as in [45]. Figure 7 shows the average number of discharged containers per QC per hour obtained by simulating the two methods. Note that the total number of vehicles used in each simulation is equal to four (i.e., the number of the QCs) times the corresponding number on the X axis. The following conclusions can be made from the simulation results: • The minimum number of vehicles required to saturate the productivity of the QCs is the same for both methods.
• Our approach makes the QCs reach the maximum possible throughput (62 containers / hour), while the one in [45] does not.
• Our approach gives slightly better performance with small fleets of vehicles.
Note that in [45] no fixed guide-path is used so that the AGVs are more flexible in choosing their routes and less space may be required to accommodate the AGV system. However, the conflict-free routing algorithm used in [45] is not robust to the changes of schedules or faults of the AGVs and QCs/YSs. This is because the conflict resolution of the AGVs is achieved by precisely pre-planning the time Simulation results with our approach and the one in [44] windows over which a vehicle visits certain areas in the workspace. If there are changes to the loading/discharging schedule or disturbances/malfunctions with some vehicles or container handling cranes, then it is possible that the routes of many AGVs may have to be rescheduled, which is very time-consuming, not only for performance guarantee but for conflict (collision and deadlock) avoidance as well. In contrast, our traffic control (for collision and deadlock avoidance) is completely decoupled from the routing, which is based on real-time traffic information and is thus quite robust to schedule changes and other sorts of disturbances.

Fault-tolerant Traffic Control Scheme with Vehicle Breakdowns
The rest of the paper is devoted to a presentation of an emergency traffic control scheme that ensures the absence of collisions and deadlocks with the occurrence of a vehicle breakdown. By a vehicle breakdown, we mean that a vehicle cannot move after the failure happens (the vehicle will be called faulty vehicle hereafter). It is, however, assumed that the breakdown can be communicated by the faulty vehicle to a central control station as well as all the other vehicles (called healthy vehicles hereafter) after it takes place.
To handle the faulty vehicle there are normally several options: (1) remove it from the guide-path; (2) get it repaired on site; or (3) leave it as is (due to some physical constraints). We will discuss in Section 5.1 how collisions and deadlocks can be avoided if the decision is made to remove the faulty vehicle. If we choose to repair the faulty vehicle on site or leave it as is, the system performance may be significantly affected by the faulty vehicle, due to one or more of the following possibilities: • There are some vehicles on the same lane and behind (thus blocked by) the faulty vehicle.
• There are some vehicles that have been assigned a route that involves the lane where the faulty vehicle stands.
• The faulty vehicle stands right at the exit of a depot and the vehicles in the depot cannot get out.
• The faulty vehicle stands in the crossing and conflicts with other vehicles that want to pass the crossing.
Therefore, it would be wise or even necessary to adjust the behaviour of the other (healthy) vehicles to mitigate the Simulation results with our approach and the one in [45] impact of the contingency. One such solution will be given in Section 5.2.
Unlike in normal traffic control, where the vehicles actively trigger events to follow their routes, they may be commanded to trigger specific events in an emergency traffic control scheme. The states of some zones may also be reset by the control station instead of varying based on the occurrence of vehicle events (as described in Section 2.3).
To make the presentation smooth, we put some supporting arguments, labelled by superscripts A, B, C..., in Section B (in the appendix) of the paper.

Fault-tolerant traffic control scheme with vehicle removal
There can be many solutions for this case; we only show a simple one here: temporarily halt the system, remove the faulty vehicle, then resume the system. To be specific, do the following: Step 1: Let each healthy vehicle only trigger a minimal number of ARRs to be in some zone and stop moving (no matter what its state is when it is commanded to do so).
Step 2: Remove the faulty vehicle and reset the states of the zones occupied by it to be available.
Step 3: Resume the system.

For
Step 1, it is easy to see from Figure 2 that any vehicle needs to trigger at most two ARRs to be in some zone, which is in fact the last zone currently occupied by the vehicle. In Step 3, by resuming the system, we suppose that each healthy vehicle has already been assigned a partial or complete remaining route, thus has a next zone to move to.
The proof for collision and deadlock avoidance using this procedure is given in Section C.1 in the appendix. The main idea is to show that the triggering of ARRs cannot lead to collisions and black cycles, nor do the removal of the faulty vehicle and the reset of the zone state. To be able to handle all the possible breakdown situations, we equip the SZ of each lane with a buffer space, such that the size of the SZ is twice that of the rest zones on the same lane. The idea behind this is that, if needed, the SZ of a lane can be split into two zones to prevent deadlocks in the system.

Fault-tolerant traffic control scheme without vehicle removal
In the rest of this section, we will address all three types of breakdown:

Fault-tolerant scheme for on-lane breakdowns
Suppose that a vehicle breaks down when it is in the zone about the breakdown. Apparently, V blocked does not contain the broken vehicle. In addition, define V change_nz to include each vehicle that is not broken and is in an at-crossing zone of the crossing k and has the SZ of lane i as the next zone when it acknowledges the breakdown D . Roughly speaking, V blocked indeed contains those vehicles that are behind and thus obstructed by the broken vehicle on lane i; the vehicles in V change_nz are those that planned to go onto lane i but have to make detours because of the vehicle failure. Figure 8 depicts an example scenario of an on-lane breakdown. (2) reroute the vehicles in V change_nz so that they head to the out-lanes of crossing k other than lane i (Step 4 below). The scheme can be described in detail as follows: Step 1: The central control station temporarily suspends the assignment of the global crossing token so that no vehicles can be granted the token and trigger crossing-passing events. (Note that Rule 1 and Rule 3 in the normal traffic control on the non-crossing-passing events still apply to all vehicles.) Step 2: All the vehicles in V blocked are only allowed to trigger ARRs and will be in zones in Ω. (On the other hand, one can show that, after Step 2 and before the emergency traffic control scheme finishes, any vehicle occupying a zone c ∈ Ω must be a vehicle in V blocked and in the zone c.) E Step 3: Split lane i at the broken vehicle and reverse the direction of the part of it behind the broken vehicle; then connect the two new lanes to the rest of the guide-path. Step 4: Change the next zone of the vehicles in V change_nz to be the SZ of an out-lane of crossing k. If this introduces black cycles in the operation graph, then remove the black cycles by splitting the SZ into two new zones (this will be explained in detail below).
Step 5: Resume the token assignment procedure. The system shall run as normal again.
We now describe the black cycle elimination procedure in Step 4. Let lane j be the lane of which the SZ is selected to be the new next zone of the vehicles in V change_nz (see Figure  10). First, note that if a black cycle appears by this procedure, then the cycle must contain the zone c 1 j ; thus c 1 j is black. This means that there is a vehicle v m G that takes one of v m to be moving from one to the other. This implies that one of the two new zones will be black, but the other will be grey. As a result, the black cycles (containing c 1 j ) are removed. More specifically, we carry out the following steps:

1.
Let v m only trigger ARRs so that it will be in c 1 j after triggering either 0, 1, or 2 events (depending on which of the above three possible states the vehicle has).

2.
Split the zone c 1 j into two new zones c 1,a j and c 1,b j ; redefine the lane j to be the zone sequence 3. Set the state of the vehicle v m to be (c 1,a j ,c 1,b j ,c 1,b j ).
Note that, as the zone c 1 j has been replaced with the two new zones c 1,a j and c 1,b j , the route of the vehicle v m should be changed accordingly.
Steps 3 and 4 are illustrated in Figures 9 and 10, where Figure 9 corresponds to a case in which the procedure in Step 4 does not introduce a black cycle; while Figure 10 shows a situation in which a black cycle is introduced and the buffer zone is used. It may have been noted that, by the end of the emergency traffic control steps for both Case 1 and Case 2, the routes of the vehicles in V blocked and V change_nz are in general not complete, as each of them is in a zone and simply has a next zone. The routes of the other healthy vehicles may need to be adjusted as well, since they could include lane i, which does not exist any more. We claim that, as achieved in the fault-free case (see Section 3), one is assured full freedom in the route re-assignment/adjustment and the system will be free of collisions and deadlocks under the normal traffic control after it resumes. The proof is shown in Section C.2.

Fault-tolerant scheme for at-depot breakdowns
The tolerance scheme for the breakdown case (F3), i.e., when the state of the broken vehicle is s = (c 1 ,c 2 ,c 2 ) ∈ S 2 with c 1 ∈ D (c 2 ∈ C \ D), is simple. Note that c 2 must be the SZ of a lane i, which is an exit-lane of the depot c 1 . We only need to reroute the vehicles in the depot that have the zone c 2 as their next zone (denoted by the set V blocked ) and disconnect lane i from the depot (so that no vehicle will try to enter it). More specifically, we perfom the following: 1. Change the next zone of each vehicle in V blocked to be the SZ of an exit-lane of the depot other than lane i (such a lane does exist due to the assumption (A5)).

Fault tolerance scheme for at-crossing breakdowns
To deal with at-crossing breakdowns, we further strengthen the guide-path layout assumption with (A6) Each lane cannot be both an in-lane and out-lane of the same crossing.
(A7) The out-lanes of each crossing or the exit-lanes of each depot cannot all be the in-lanes of one crossing.
Suppose that a vehicle breaks down when its state is (c 1 ,c 2 ,c 2 ) ∈ S 2 , where c 1 is the EZ of an in-lane, say lane i 1 , of crossing k and c 2 is the SZ of an out-lane, say lane i 2 , of the same crossing. Define the set L blocked to include lane i 1 and every other in-lane of crossing k from the EZ, of which there is no way to pass the crossing without conflicting with the broken vehicle, i.e., any lane j such that (c m j j ,c) ∈ X k (c 1 ,c 2 ) for any (c m j j ,c) ∈ ℛ k . Now we define V blocked to be the set of vehicles that occupy any non-EZs of lane i 1 and any zones on the other lanes in L blocked at the moment they are informed of the vehicle failure (all these definitions are illustrated in Figure 11). Using the same idea as in Section 5.2.1, the vehicles in V blocked can get out of the lanes in L blocked (in order to avoid being stuck by the broken vehicle) by reversing their moving directions, which is enabled by changing the directions of the corresponding lanes (see Step 3 below). In addition, define V change_nz to include those vehicles, each of which is (1) not an element of V blocked and (2) is in a zone and has the SZ of a lane in L blocked ∪ {i 2 } as the next zone when it acknowledges the breakdown. It is easy to see that the vehicles in V change_nz need to be rerouted (see Step 4 below) due to the direction changes of the lanes in L blocked and the non-entry situation of lane i 2 (caused by the occupation of the zone c 2 by the broken vehicle). Finally, from a guide-path layout point of view, we need to remove the potential future conflicts with the broken vehicle by removing the lane i 2 from the out-lanes of crossing k and reset the neighbouring lane relationship at the cross (see Step 5 below).
The fault-tolerant scheme can be described as the following: Step 1: The central control station temporarily suspends the assignment of the global crossing token and all the depot tokens.
Step 2: All the vehicles in V blocked are only allowed to trigger ARRs and will be in zones on the lanes in Step 4: Modify the next zone of each vehicle in V change_nz K such that it will not try to enter any lane in L blocked ∪ {i 2 }. We have the following two possibilities: a. Let the vehicle be in an at-crossing zone c 3 of a crossing k ′ ′ . Then, if k ′ ′ ≠ k L , the vehicle resets its next zone to be the SZ of an out-lane of the crossing k ′ ′ , which is not in Step 6: Resume the token assignment procedure. As for the on-lane vehicle breakdown case, by the end of the emergency traffic control steps for both the at-depot and at-crossing breakdowns, the routes of the vehicles in V blocked and V change_nz are in general not complete; the routes of the other healthy vehicles may need to be adjusted as well. Again, full freedom in the route re-assignment/ adjustment is guaranteed and the system will be free of collisions and deadlocks under the normal traffic control after it resumes. The proofs are similar to those for the onlane breakdown cases and are thus omitted.

Concluding Remarks
In this paper, we have extended the discrete-event zonecontrol model and traffic control for AGV systems presented in our previous work [1,2], such that the requirement on the zone size is relaxed. This improves substantially the utilization of the workspace, especially for systems with a large number of zones. We have proved that the traffic control guarantees the avoidance of collision and deadlocks. Moreover, the traffic control inherits the appealing properties of its predecessor in [1,2]: it is time-efficient and imposes no constraints for the route assignment on the vehicles. A simulation-based case study of overall system performance is presented, in which an AGV system is applied to quayside container transportation at an automated container terminal; our results are compared with those published in two existing papers.
Using the extended zone-control model, we have also proposed some emergency traffic control schemes that reconfigure the guide-path and regulate the vehicles' behaviour when a vehicle breakdown occurs. Various cases are addressed depending on whether to remove the faulty vehicle and the state of the faulty vehicle. The AGV system is guaranteed free of collisions and deadlocks within the duration of the emergency control and after the normal traffic control takes over. The freedom of routing for the healthy vehicles that is ensured in the fault-free case is retained.

A.1. Proofs of some preliminary lemmas
We consider an AGV system with N vehicles denoted by v 1 ,v 2 , ⋯ ,v N .
For convenience of the presentation, throughout this section, we use the following notations 7 : For the second part of the lemma, we first note that, if a vehicle starts occupying a zone, it must be a consequence of the occurrence of a vehicle event. Furthermore, we show that this event cannot be an ARR. By contradiction, assume that the event was an ARR; we then know that, before the event, the state of the vehicle must have the form as either s = (c 1 ,c 2 ,c 2 ) ∈ S 2 or s = (c 1 ,c 2 ,c 3 ) ∈ S 3 . If s = (c 1 ,c 2 ,c 2 ) ∈ S 2 , then the zones c 1 and c 2 were both occupied by the vehicle before the ARR, but the event would change the state of the vehicle to (c 2 ,c 2 ,c 3 ) ∈ S 1 , where c 3 ∈ Υ c 2 , which means that c 2 was the only zone occupied by the vehicle after the event (i.e., no new zone is occupied by this event). The proof is very similar for the case s = (c 1 ,c 2 ,c 3 ) ∈ S 3 hence omitted. Thus, we know that a vehicle can start occupying a zone only by either an LEA or GOA. Lastly, from the proof of the first part of the lemma we see that if the vehicle starts occupying c 2 , then it must leave or go ahead to pass a zone in c 1 ∈ Υ c 2 .□

A.2.1. Proof of the collision avoidance
First, we present a technical lemma.

Proof of collision avoidance:
We show, by contradiction, that the conditions (C1) and (C2) are both satisfied all the time. Firstly, if (C1) does not hold all the time, then there must be some event(s) occurring at a time instant t, such that each non-depot zone is occupied by at most one vehicle before t and either of the following situations appears at t: (1) at least two vehicles start occupying the same zone c, which was available before the event(s); (2) at least one vehicle starts occupying a zone c, which was occupied by one vehicle before the event(s). By Lemma 4, in both cases, the vehicles must leave or go ahead to pass the zones in Υ c . Further, note that, in case (1), the zone c ∈ C \ (D ∪ ℬ). This is because any depot is always available and, by Lemma 5, at most one vehicle can start occupying any zone in ℬ at any time. Thus, from the second claim of Lemma 3, we know that, in case (1), each of the vehicles leaves or goes ahead to pass the same non-depot zone by an LEA or GOA event, which means that the vehicles occupy the same non-depot zone before the events (a contradiction). Case (2) also cannot be true as Rule 3 and Rule 4 require that a vehicle can start occupying a zone only if the zone is available.
Next, we show that (C2) always holds, i.e., there cannot be two vehicles having conflicting states at any crossing. If this was not the case, then there exists some moment t and two vehicles v i and v j having, respectively, state s and s ′ at t, such that one of the three conflicting cases (X1)-(X3) happens at a crossing k; and there was no conflicting state at any crossing before that (for it is assumed that there is no initial collision). Here we only show that the case in which s,s ′ ∈ S 3 and (s 2 ,s 3 ) ∈ X k (s ′ that c 1 is coloured from black to grey by the off-crossing LEA. Therefore, c 2 cannot be in any black cycle.□

Lemma 9
There is no black cycle in the operation graph at any time.
Proof. First, note that it is assumed that there is no initial black cycles. Thus, by Lemma 8 and Rule 2', if there was a black cycle, it must have resulted from a crossing-passing event. By contradiction, suppose that there was a crossingpassing event that does introduce black cycles in the operation graph; and let this happen at time instant t for the first time. By Rule 2', there is only one crossing-passing event that takes place at t. Assume that the event is either an at-crossing LEA, which changes the state of a vehicle from (c 1 ,c 1 ,c 2 ) ∈ S 1 to (c 1 ,c 2 ,c 2 ) ∈ S 2 , or an at-crossing GOA, which changes the state of a vehicle from (c 1 ,c 2 ,c 2 ) ∈ S 2 to (c 1 ,c 2 ,c 3 ) ∈ S 3 . Note that c 2 (or c 3 ) is the only zone that is coloured black by the LEA (or GOA). In addition, by Lemma 7, the LEA or GOA does not add any arcs in the operation graph. As a result, any black cycle appearing due to the LEA (or GOA) must contain c 2 (or c 3 ) (otherwise, no black cycle can be caused by the crossing-passing event). This, however, violates Rule 4'.□

Proof of deadlock avoidance:
Now, by contradiction, suppose that the AGV system has a deadlock at a time when all the operational vehicles are blocked (i.e., all feasible events for each vehicle are not allowed to be triggered). Let G o denote the corresponding operation graph. First, note that the event ARR is always allowed to occur; thus, by the definitions of the vehicle events, it can be easily seen that each blocked operational vehicle must be in a zone and intends to trigger an LEA, which is not permitted by the traffic control.
We know that at least one of the operational vehicles is in a black zone, as otherwise all vehicles would be in depots (note that the non-operational vehicles are all in depots as assumed) and by Rule 3 at least one operational vehicle is not blocked. Now, taking any operational vehicle that is in a black zone c, if its next zone c * is occupied, then there must be exactly one another operational vehicle in the zone, which is black. In addition, due to the property (P3) of the operation graph, (c,c * ) is an arc in G o . Since there is no black cycle in G o , it follows that there must be an operational vehicle v i , with the state s = (c 1 ,c 1 ,c 2 ), whose next zone c 2 is available and hence white. Apparently, c 1 (the current zone of v i ) must be an at-crossing zone and belongs to A k for a k, as otherwise an LEA is allowed to occur for s by Rule 3.
In addition, we see from Rule 4' that the only reason v i is blocked is that triggering an LEA would introduce a black cycle containing c 2 in the operation graph. Note that the LEA, if that happens, would colour c 2 ∈ ℬ k black, yet not add any arcs in the graph (Lemma 7). Thus, there must be a cycle Γ in G o that contains c 2 , in which all the other zones are black. By the the property (P4) of the operation graph and noting that any depot is always white, we further see that such a cycle must be unique. In addition, it is clear that c 1 cannot be in Γ, for it would be coloured grey by the occurrence of the LEA, which would make Γ a black cycle. Hence, by the property (P2) of the operation graph and Lemma 3, there exists an operational vehicle v j (v j ≠ v i ), which is in a c 3 ∈ A k (c 3 ≠ c 1 ) contained in Γ, and is with c 2 as its next zone (i.e., v j is in the state (c 3 ,c 3 ,c 2 )). This gives rise to a contradiction, for then v j can be allowed to trigger an LEA by Rule 4', which would colour c 2 black and c 3 grey; thus v j is not blocked. In fact, this LEA would not introduce a black cycle; because if it did, then, as it does not add arcs in the operation graph, there would be a cycle other than Γ in G o , containing c 2 but not c 3 , with all the zones except c 2 black.

B. Supporting Arguments (Proofs) for Some Statements in Section 5.2
A -From an implementation point of view, this is fine, as the vehicle is not physically occupying the zone c 3 when its state is (c 1 ,c 2 ,c 3 ) (see also Section 2.2). C -This is a strengthened version of the guide-path layout assumption (A3) in Section 2.1.

B -Clearly
D -V change_nz ∩ V blocked = ∅ , because each vehicle in V change_nz is in the EZ of a lane but any vehicle in V blocked cannot be.
E -Let s be the state of a vehicle in V blocked . The conclusion is obvious if s ∈ S 1 , as the vehicle is already in a zone in Ω. For the case s = (c 1 ,c 2 ,c 2 ) ∈ S 2 , if c 2 ∈ Ω, then the vehicle will be in c 2 by triggering just one ARR; if c 1 ∈ Ω, it follows that we also have c 2 ∈ Ω, as otherwise c 2 = c j i and thus the zone c j i would be occupied by both the vehicle and the broken vehicle when the breakdown happens (which contradicts with the collision avoidance result in the previous section). Similar reasoning applies to the case where s ∈ S 3 . Now we show that, after Step 2 and before the emergency traffic control scheme finishes, any vehicle occupying a zone c ∈ Ω must be a vehicle in V blocked and in the zone c. In fact, if it was not the case then there must be a vehicle v ∉ V blocked that is not occupying any zone in Ω when the breakdown occurs, but starts occupying a zone in Ω during the emergency traffic control. However, by Lemma 4, this would require the triggering of a crossing-passing LEA or GOA (at