A fault-tolerant communication mechanism for cooperative robots

Operations in unpredictable environments require coordinating teams of robots. This coordination implies peer-to-peer communication between the team's robots as well as resource allocation. We address the problem of autonomous robots that alternate between the execution of individual tasks and peer-to-peer communication. Each robot keeps in its permanent memory a set of locations where it can meet some of the other robots. The proposed protocol is composed of two layered modules (sub-algorithms): a self-stabilizing scheduling module and the construction of a minimum-hop path forest. The first self-stabilizing algorithm manages the visits to these locations, ensuring that, after the stabilization phase, every visit to a location leads to a communication. We model the untimed behaviour of a robot by a Petri net and the timed behaviour by an (infinite) discrete-time Markov chain; theoretical results in these areas are then combined to establish the correctness proof of the algorithm. The second self-stabilizing algorithm computes the minimum-hop path between a specific robot's locations and the locations of all the other robots of the system in order to implement routing.


Introduction
As robots become more and more autonomous and sophisticated, they are increasingly used for complex tasks. For some tasks, a team of robots is needed to achieve some goal in areas that are too dangerous or undesirable for humans. Such tasks could include maintaining nuclear reactors, as well as participating in search and rescue missions. For instance, it would be much better to deploy several robots for the maintenance of nuclear reactors, where one robot identifies the faulty component and another follows to replace it with a new one.
For many other tasks, not only are multiple robots necessary, but explicit coordination amongst them is imperative. There has been increasing research interest in coordination and cooperation as a step towards achieving systems of multiple mobile robots engaged in collective behaviour (Cao et al. 1997, Luzeaux 2000, Defago and Konagaya 2002). Furthermore, by working simultaneously, each robot of the team can achieve its own task. One such application domain is the exploration of the surface of Mars. In fact, Sojourner, a US rover, landed on Mars in 1997, and two more NASA rovers are planned to land on Mars in 2004, each having much more autonomy and capability than Sojourner. Their mission is to perform different individual tasks, such as picking up rocks, and to jointly achieve common objectives, such as communicating their readings of the atmospheric pressure and temperature.
An important reason for using several small rovers instead of a single large rover during a Mars mission is to increase efficiency. Indeed, several small rovers can provide a greater scientific return than a single large rover by exploring a greater surface area. Another important reason is cost reduction; smaller rovers are less costly to build and to land on Mars. Finally, such an organization is fault-tolerant, since the failure of a single rover will not incapacitate the whole mission. In such an environment, there are two kinds of protocols to design: a synchronization protocol between neighbouring robots in order to establish (temporary) point-to-point communications, and a routing protocol in order to exchange packets between two robots (and, in particular, distant robots). Although there has been significant work related to cooperating robots (Park and Corson 1997, Hu et al. 1998, Prencipe 2001), very few approaches have incorporated fault-tolerance mechanisms. Our research focuses on the introduction of self-stabilization as an efficient property that makes the system tolerant to faults and takes into account the limited resources of the robots in terms of processor, memory and energy. Roughly speaking, a self-stabilizing protocol is designed to recover by itself from an unsafe state caused by a fault to a safe state. The study of self-stabilization started with the fundamental paper of Dijkstra (1974). Following this paper, a great amount of work has been done in this area (Schneider 1993, Dolev 2000). However, in the presence of mobility and dynamic changes, existing communication protocols, meant for self-stabilizing networks, are no longer appropriate.
In this work, we first describe, in section 2, a scheduling protocol, and then we use Petri net theory to give a new proof of its correctness. Next, in section 3, we present a transformation of the above protocol into a uniform self-stabilizing scheduling protocol that manages visits to locations, ensuring that, after the stabilization phase, every visit to a location leads to a communication. We model the executions of the resulting protocol by a discrete-time Markov chain. Based on this stochastic semantics, we prove the correctness of our protocol in section 4. In section 5, we present how to compute the minimum-hop path between a specific robot's location and any location of another robot of the system in order to implement routing. Finally, in section 6, we give its correctness proof.

Scheduling protocol
In this section, we present the non-self-stabilizing scheduling protocol of Bracka et al. (2003) for a robotic network. Let us first describe the system model and give some assumptions.

The system model
(1) The system consists of a finite set of m robots denoted by {r_1, ..., r_m} and an ordered set of N meeting points, henceforth locations. In this section, robots are anonymous in the sense that they do not know their identifiers (the subscript i of r_i is used for convenience of explanation), they cannot be distinguished by their appearance, and they all use the same algorithm for determining the next position. Each location has its own distinct identity that does not change during the protocol execution. We will denote this set by {l_1, ..., l_N} in increasing order. A pair of robots is associated with each location, where a temporary communication can be established if both of the robots are present.
(2) Each robot r_i has hardwired an array of the locations where it can go. This array, of length n_i, is sorted in increasing order of the identifiers, and each entry stores the identifier of the jth location of the robot r_i, given by the function f(i, j) for 1 ≤ i ≤ m and 0 ≤ j ≤ n_i − 1.
(3) Between any pair of robots r_i and r_{i′}, there is a sequence of robots r_i = r_{i_0}, r_{i_1}, ..., r_{i_K} = r_{i′} such that, for all 0 ≤ k < K, r_{i_k} and r_{i_{k+1}} share a location. This hypothesis ensures that there is a (potential) global connectivity between robots.
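As an illustration, the connectivity hypothesis (3) can be checked mechanically. The sketch below (in Python; the function name and data layout are ours, not part of the protocol) builds the "shares a location" relation between robots and breadth-first searches it:

```python
from collections import deque

def is_globally_connected(location_arrays):
    """Check hypothesis (3): the 'shares a location' relation connects
    all robots.  `location_arrays` maps a robot index i to the sorted
    location array of r_i (a hypothetical encoding of the model)."""
    robots = list(location_arrays)
    if not robots:
        return True
    # Two robots are neighbours iff their location sets intersect.
    neighbours = {i: [j for j in robots if j != i
                      and set(location_arrays[i]) & set(location_arrays[j])]
                  for i in robots}
    # Breadth-first search from an arbitrary robot.
    seen, queue = {robots[0]}, deque([robots[0]])
    while queue:
        i = queue.popleft()
        for j in neighbours[i]:
            if j not in seen:
                seen.add(j)
                queue.append(j)
    return len(seen) == len(robots)

# Hypothetical 3-robot system: r0-r1 share location 1, r1-r2 share location 2.
print(is_globally_connected({0: [1], 1: [1, 2], 2: [2]}))   # True
print(is_globally_connected({0: [1], 1: [1], 2: [3]}))      # False
```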
The aim of the protocol is to schedule the visits of the locations for each robot in such a way that every location is visited infinitely often. The obvious requirement is that a robot cannot leave a location without establishing a communication with the other robot, henceforth called its peer, associated with this location. In the scheduling algorithm of Bracka et al. (2003), each robot visits its locations infinitely often, following the order of its array starting from the first one. Bracka et al. (2003) developed a specific, yet rather lengthy, proof that no (partial or global) deadlock can occur. With the help of Petri net theory, we gave a shorter and simpler proof of the algorithm (El Haddad and Haddad 2003). We recall this proof since it will be the basis of the self-stabilizing version of the above protocol, presented in the following section. A basic knowledge of Petri net syntax and semantics is assumed; otherwise, a good introduction to this topic can be found in Reisig (1985).

The correctness proof of the protocol
Petri nets are generic enough to model a wide variety of systems, although, due to their asynchronous nature, they are most commonly used for distributed systems. Their use in distributed systems by no means excludes applications to the field of robotics: the robots themselves form part of the distributed system, and the activity of each one of them can be readily modelled by a local Petri net. Figure 1 shows the local Petri net model associated with an individual robot r_i. We denote it as follows. (1) P_i = {p_(i,0), ..., p_(i,j), ..., p_(i,n_i−1)} is the set of places, one per location. When p_(i,j) is marked, r_i is going to its jth location, or waiting there for its peer. (2) T_i = {t_f(i,0), ..., t_f(i,j), ..., t_f(i,n_i−1)} is the set of transitions. When t_f(i,j) is fired, the communication has happened at the jth location and the robot goes to its next location.
(3) Pre_i is the precondition matrix, Pre_i : P_i × T_i → {0, 1}, defined according to the behaviour described above: place p_(i,j) is the only input place of transition t_f(i,j) and the only output place of t_f(i,(j−1) mod n_i). For instance, consider a system formed by a team of six autonomous robots and six locations. Table 1 presents the array of locations for each robot. A graphical version of the corresponding global Petri net model of the above system is given in figure 2.
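The construction of the global net can be sketched in code. The following Python fragment is ours (data structures and names are hypothetical; f(i, j) is read off the sorted location arrays): it builds the places, the input/output relation of the shared transitions, and the initial marking, together with the usual firing rule of Petri nets.

```python
def build_event_graph(location_arrays):
    """Build the global event graph of the protocol (a sketch).

    location_arrays[i] is the sorted location array of robot r_i, so
    f(i, j) = location_arrays[i][j].  Transition t_l is shared by the
    two robots meeting at location l.  Place p(i, j) is an input of
    t_{f(i,j)} and an output of t_{f(i,(j-1) mod n_i)}; each p(i, 0)
    is initially marked."""
    inputs, outputs, marking = {}, {}, {}
    for i, locs in location_arrays.items():
        n = len(locs)
        for j, l in enumerate(locs):
            p = (i, j)
            inputs.setdefault(l, []).append(p)           # p is input of t_l
            prev = locs[(j - 1) % n]
            outputs.setdefault(prev, []).append(p)       # p is output of t_prev
            marking[p] = 1 if j == 0 else 0
    return inputs, outputs, marking

def fireable(t, inputs, marking):
    """A transition is fireable when all its input places are marked."""
    return all(marking[p] > 0 for p in inputs[t])

def fire(t, inputs, outputs, marking):
    """Fire t: consume a token per input place, produce one per output."""
    for p in inputs[t]:
        marking[p] -= 1
    for p in outputs[t]:
        marking[p] += 1

# Hypothetical 3-robot system: r1: [1, 2], r2: [1, 3], r3: [2, 3].
inputs, outputs, marking = build_event_graph({1: [1, 2], 2: [1, 3], 3: [2, 3]})
print(fireable(1, inputs, marking))   # True: both robots head to location 1 first
```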
By construction, the global net N belongs to a particular subclass of Petri nets called event graphs, defined by the restriction that each place has exactly one input transition and one output transition. In such nets, most of the behavioural properties, including liveness and deadlock avoidance, are structurally characterized. A net is said to be live when, whatever the state reached by the net, all the transitions remain fireable in the future. The following lemma from the theory of event graphs will be sufficient for our purposes. We recall the proof since the associated constructions will be used in the proof of self-stabilization.
Lemma 1: Let N be an event graph such that every cycle has an initially marked place, then N is live.
Proof: An important observation is that, given a cycle C of the event graph N, the only transitions that produce or consume tokens in the places of the cycle are the transitions of the cycle. Thus, the number of tokens in every cycle remains constant. Suppose that every cycle is initially marked. By the previous observation, every cycle remains marked in every reachable marking M. For such a marking M, we define a binary relation helps_M between transitions such that t helps_M t′ if and only if there is a place p with M(p) = 0 which is an output place of t and an input place of t′. Let precedes_M be the transitive closure of helps_M. We claim that precedes_M is a partial order; otherwise, there exist two transitions t and t′ for which t precedes_M t′ and t′ precedes_M t. According to the definition of precedes_M, this implies that there is a path from t to t′ and a path from t′ to t in which every place is unmarked. As usual, one can extract from the concatenation of these two paths an unmarked cycle, contradicting the assumption.
Since every partial order on a finite set can be extended to at least one total order, let t_1 ... t_n be the ordered set of transitions induced by precedes_M. We claim that t_1 ... t_n is a firing sequence starting from the marking M, and we prove it by induction. Indeed, t_1 is fireable since all its input places are marked in M. Let us suppose that the firing of the sequence t_1 ... t_i, starting from M, leads to a new marking M′. Then all the input places of the transition t_{i+1} are marked in M′, since either they were already marked in M, or a token has been produced in them by the firing of some t_j with j ≤ i and not consumed afterwards, because a transition does not share its input places. Therefore, the firing sequence can be extended by t_{i+1}. So the net N is live. □
The correctness of the protocol is expressed in the following proposition.
Proposition 1: Let N be a net modelling the protocol for some system, then N is live.
Proof: Consider a cycle C of the event graph N and let t_k be the transition with the smallest identifier occurring in this cycle, p_(i,j) the input place of t_k, and t_{k′} the input transition of p_(i,j) in the cycle. By construction of N, k = f(i, j) and k′ = f(i, (j − 1) mod n_i). The choice of t_k implies that k < k′. Since f is increasing with regard to its second argument, the only possible value for j is 0. As p_(i,0) is initially marked, we have proved that every cycle has an initially marked place. By Lemma 1, N is live. □
This result can be straightforwardly generalized to the case of n-ary rendezvous between robots. However, the networks we study are useful due to their flexibility, and introducing n-ary rendezvous with n > 2 decreases such flexibility. So, for the sake of simplicity, we will restrict ourselves to the initial case of binary synchronization.
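The construction in the proof of Lemma 1 doubles as a deadlock test: topologically sorting the transitions by helps_M either yields a firing sequence or exhibits an unmarked cycle. A Python sketch (toy net and data layout are ours):

```python
def firing_order(inputs, outputs, marking):
    """Sketch of Lemma 1's construction: order the transitions by the
    helps_M relation (t helps t' when some unmarked place is an output
    of t and an input of t').  A successful topological sort means every
    cycle is marked and the order is a valid firing sequence; a failure
    exhibits an unmarked cycle, i.e. a deadlock."""
    transitions = list(inputs)
    succ = {t: set() for t in transitions}
    indeg = {t: 0 for t in transitions}
    for t in transitions:
        for p in outputs.get(t, []):
            if marking[p] == 0:
                for t2 in transitions:
                    if p in inputs[t2] and t2 not in succ[t]:
                        succ[t].add(t2)
                        indeg[t2] += 1
    ready = [t for t in transitions if indeg[t] == 0]
    order = []
    while ready:
        t = ready.pop()
        order.append(t)
        for t2 in sorted(succ[t]):
            indeg[t2] -= 1
            if indeg[t2] == 0:
                ready.append(t2)
    return order if len(order) == len(transitions) else None  # None: deadlock

# Toy event graph for three robots r1: [1, 2], r2: [1, 3], r3: [2, 3];
# t_l is the transition of location l, p(i, j) the j-th place of robot i,
# and each p(i, 0) is initially marked.
inputs = {1: [(1, 0), (2, 0)], 2: [(1, 1), (3, 0)], 3: [(2, 1), (3, 1)]}
outputs = {1: [(1, 1), (2, 1)], 2: [(1, 0), (3, 1)], 3: [(2, 0), (3, 0)]}
marking = {(i, j): 1 if j == 0 else 0 for i in (1, 2, 3) for j in (0, 1)}
print(firing_order(inputs, outputs, marking))   # [1, 2, 3]
```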

A self-stabilizing scheduling protocol
A possible enhancement to the previous protocol would be to add fault-tolerant properties. In this section, we present a randomized self-stabilizing scheduling protocol based on the previous one. In order to design such an algorithm, we add the following assumptions.
(1) The robots cannot observe the absolute time of their actions, but they have access to timers. A timer is a real-valued variable whose value continuously decreases in time. More precisely, each robot r_i has a timer, denoted timeout_i, taking any value in the range 0 to N + 1, that wakes it up on expiration. Note that these timers run exactly, in the sense that during δ time units (tu) they decrease by exactly δ. We shall discuss this assumption in the concluding remarks.
(2) The trip between two locations takes at most 1 tu. This hypothesis can always be fulfilled by an appropriate choice of the time unit.
(3) Each robot r_i maintains a hardwired array of its locations, sorted by increasing order of the locations' identities and denoted MP_i[0..n_i − 1].
(4) The robots are equipped with sensors for detecting their positions. More precisely, each robot r_i has a sensor giving its current position, denoted position_i and holding any value in the set {0, ..., n_i − 1} ∪ {nowhere}, indicating either the index, in MP_i, of the location where r_i is waiting, or that r_i is between two locations.

Description of the protocol
The behaviour of a robot is event-driven: the occurrence of an event triggers the execution of code that also depends on the robot's current state. In our case, there are two events: the timer expiration and the detection of another robot. We call the latter event a peer detection, with the obvious meaning that the two robots are both present at some location. We do not consider the arrival at a location to be an event; instead, when a robot reaches a location, it just stops. As a robot refills its timer to 1 tu before going to a new location, the timer will expire after the end of the trip, and then the robot will execute the actions corresponding to the arrival. The crucial point here is that, with this mechanism, the duration of a trip between two locations becomes exactly 1 tu. The variable status_i, which takes as a value either moving or waiting, has a special role in the behaviour of the robot w.r.t. event handling. When this variable is set to moving, the robot can neither detect another robot nor be detected by another robot. For the proposed protocol, this means that even if a robot arrives at a destination where its peer is already waiting, the communication between them will happen only after the timer of the arriving robot expires.
As shown in the program depicted in figure 3, a robot has four actions: SYNC, WAIT, RECOVER and MISS. SYNC and WAIT correspond to the actions of the original algorithm. In order to recognize that a timer expiration corresponds to an arrival, we use the variable status_i. It is set to moving when the robot goes to a new location, and set to waiting when the timer of a robot arriving at a location expires. However, WAIT is different from the corresponding action of the previous algorithm, as the robot sets its timer to N + 1 (recall that N is the number of locations). When the timer of a robot arriving at a location expires while a peer is already waiting, it will first execute its WAIT action, and, as its status becomes waiting, both robots will then execute their SYNC action.
When recovering from a crash, the timer of a robot triggers an action. The action RECOVER is executed by a robot at most once in our protocol (depending on the initial state), and necessarily as the first action of the robot. It happens if the robot is between two locations after the crash. Then the robot goes to its first location.
The key action for the stabilization is MISS. It happens either initially, or when the robot is waiting for a peer at a location and its timer has expired. Then the robot makes a (uniform) random choice between two behaviours:
- it waits again for 1 tu;
- it goes to its first location.
When it is called, the random function Uniform-Choice sets its single parameter to a value in {0, 1}.
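The four actions can be summarized as event handlers. The following Python sketch is ours (the paper's figure 3 contains the authoritative pseudo-code); it only mirrors the behaviour described above, with hypothetical names:

```python
import random

N = 6            # number of locations in the system (example value)
NOWHERE = None   # sensor value when the robot is between two locations

class Robot:
    """Sketch of the self-stabilizing scheduling actions.

    Events: timer expiration and peer detection.  While `status` is
    'moving', the robot neither detects nor is detected by a peer."""
    def __init__(self, mp, position, status, timeout):
        self.MP = mp                 # hardwired sorted location array
        self.position = position     # index in MP, or NOWHERE
        self.status = status         # 'moving' or 'waiting'
        self.timeout = timeout

    def go_to(self, j):
        self.status = 'moving'
        self.timeout = 1             # trip takes at most 1 tu; timer fires on arrival
        self.position = j            # destination index (the sensor reads NOWHERE en route)

    def on_timer_expired(self):
        if self.position is NOWHERE:            # RECOVER: crashed between locations
            self.go_to(0)
        elif self.status == 'moving':           # WAIT: the expiration marks an arrival
            self.status = 'waiting'
            self.timeout = N + 1
        elif random.choice((0, 1)) == 0:        # MISS, first alternative
            self.timeout = 1                    # wait one more tu
        else:                                   # MISS, second alternative
            self.go_to(0)                       # restart from the first location

    def on_peer_detected(self):                 # SYNC: communicate, then move on
        assert self.status == 'waiting'
        self.go_to((self.position + 1) % len(self.MP))
```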
The execution of this algorithm can be seen as an infinite timed sequence {t_n, A_n}_{n∈ℕ}, where {t_n} is a strictly increasing sequence of times going to infinity and each A_n is the non-empty set of actions triggered at time t_n (at most two actions per robot, in the case where it executes WAIT and immediately afterwards SYNC). With this formalization, we can state what a stabilizing execution is.
Definition 1: An execution {t_n, A_n}_{n∈ℕ} of the protocol is stabilizing if the number of occurrences of RECOVER and MISS is finite.
In other words, after a finite time, the protocol behaves like the original algorithm. Let us remember that RECOVER can occur at most once per robot. The next section is devoted to proving the following proposition.
Proposition 2: Given any initial state, the probability that an execution will stabilize is 1 and the mean time until the stabilization is finite.

Proof of stabilization
Without loss of generality, we consider that the initial state is a state obtained after each robot has executed at least one action. Thus we do not have to take the RECOVER action into account in the sequel, since it can only occur as the first action of a robot.

Probabilistic semantics of the protocol
We assume that the code execution is instantaneous: indeed, the time that it takes for a robot to execute an internal computation is negligibly small with regard to the time it takes for the robot to move to a new location. Thus, in our protocol, the single source of indeterminism is the random choice of the MISS action since all trips take exactly 1 tu. Consequently, the probabilistic semantics of our protocol is a Markov chain whose description is given below.
The state of this Markov chain is composed of one state per robot. The state of a robot r_i is defined by the vector ⟨s_i, l_i, to_i, δ_i⟩, where: (1) s_i is the robot's status, taking a value in the set {waiting, moving} depending on whether the robot is waiting at a location or moving to one; (2) l_i is the location where the robot is waiting or moving to; (3) to_i is given by the formula to_i = ⌈timeout_i − 1⌉, where ⌈x⌉ denotes the least integer greater than or equal to x; to_i takes its value in {0, ..., N}; (4) δ_i, given by the formula δ_i = timeout_i − to_i, takes its value in (0, 1]. We will call it the residual value.
The last two attributes deserve some attention. As we consider states after the execution of the actions, the variables timeout_i are never null: this explains the ranges of these attributes. Moreover, these attributes are simply a decomposition of timeout_i; the interest of this decomposition will become clear in the next paragraph. So, a state e will be defined by e = ∏_{i=1}^m ⟨s_i, l_i, to_i, δ_i⟩. Let us note that the set of states is infinite, and even uncountable, since the δ_i's take their values in an interval of ℝ. However, we show that we can lump this chain into a finite Markov chain with the help of an equivalence relation that fulfils the conditions of strong lumpability (Kemeny and Snell 1960). Definition 2: Two states e = ∏_{i=1}^m ⟨s_i, l_i, to_i, δ_i⟩ and e′ = ∏_{i=1}^m ⟨s′_i, l′_i, to′_i, δ′_i⟩ are equivalent iff, for all i, s_i = s′_i, l_i = l′_i, to_i = to′_i, and the residuals have the same relative positions (i.e. δ_i ≤ δ_j iff δ′_i ≤ δ′_j). An equivalence class (denoted by c) of this relation is characterized by c = ∏_{i=1}^m ⟨s_i, l_i, to_i⟩ × position, where position represents the relative positions of the δ_i's. It is easy to show that there are at most m! · 2^{m−1} distinct positions. Thus, the number of equivalence classes is finite. The next proposition establishes the condition of strong lumpability.
Proposition 3: Let c and c′ be two equivalence classes and let e_1 and e_2 be two states of the class c. Then ∑_{e′ ∈ c′} P[e_1, e′] = ∑_{e′ ∈ c′} P[e_2, e′], where P denotes the transition matrix of the Markov chain.
Proof: The proof is omitted; see El Haddad and Haddad (2003). □
A Markov chain can be viewed as a graph in which there is an edge between one state s and another s′ iff there is a non-null probability of going from the former to the latter (i.e. P[s, s′] ≠ 0). The edge is labelled by this probability. The following lemma (only valid for finite chains) will make the proof of correctness easier.
Lemma 1 (Feller 1968): Let S_0 be a subset of states of a finite Markov chain. Let us suppose that, for any state s, there is a path from s to some s_0 ∈ S_0. Then, whatever the initial state, the probability of reaching (some state of) S_0 is 1 and the mean time to reach it is finite.
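The timer decomposition and the lumping relation can be made concrete. In the sketch below (Python; all names are ours), the class key keeps each robot's ⟨status, location, to⟩ exactly and retains only the relative order of the residuals, including ties:

```python
import math

def decompose(timeout):
    """Split a non-null timer value into to = ceil(timeout - 1), in
    {0, ..., N}, and the residual delta = timeout - to, in (0, 1]."""
    to = math.ceil(timeout - 1)
    return to, timeout - to

def lumping_class(robot_states):
    """Equivalence-class key for the strong lumpability relation (a
    sketch).  `robot_states` is a list of (status, location, timeout)
    triples, one per robot."""
    discrete = tuple((s, l, decompose(t)[0]) for s, l, t in robot_states)
    residuals = [decompose(t)[1] for _, _, t in robot_states]
    # Relative positions: the ranking of the residuals plus their ties.
    ranking = tuple(sorted(range(len(residuals)), key=lambda i: residuals[i]))
    ties = tuple(residuals[i] == residuals[j]
                 for i in range(len(residuals))
                 for j in range(i + 1, len(residuals)))
    return discrete, ranking, ties

# Two states that differ only in residual values, but agree on their
# relative order, fall into the same class:
a = [('waiting', 2, 3.25), ('moving', 4, 0.5)]
b = [('waiting', 2, 3.75), ('moving', 4, 0.9)]
print(lumping_class(a) == lumping_class(b))   # True
```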

Stable states
In this subsection, we exhibit a condition on states ensuring that, in an execution starting from a state fulfilling it, the MISS action will never occur. We need some preliminary definitions based on the Petri net modelling of the original protocol. In a state modelled by a deadlock-free marking, if we execute the original protocol, then no deadlock will ever happen. However, due to the values of the timers, it may happen that, for a state e with M(e) deadlock-free, a MISS action occurs (for instance, on timer expiration of a waiting robot while its peer is still moving). Thus we must add timed constraints to the state e in order to forbid such behaviour.
If M is deadlock-free, then the relation helps_M introduced in Lemma 1 defines a directed acyclic graph (DAG) between transitions. We define level_M(t) as the length of the longest path of this DAG ending in t, where the length of a path is the number of vertices on it. In figure 5, we present the level of transitions for the initial marking of the net of figure 2. We are now ready to define our condition on states.
Definition 5: Let e = ∏_{i=1}^m ⟨s_i, l_i, to_i, δ_i⟩ be a state of the system. Then e is stable if M(e) is deadlock-free and, for all i, s_i = waiting ⇒ to_i ≥ level_{M(e)}(t_{l_i}).
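The level function used in this condition is the longest-path length in the helps_M DAG, which a simple recursion computes. A Python sketch over a toy event graph (the data layout is ours):

```python
from functools import lru_cache

def levels(inputs, outputs, marking):
    """Compute level_M(t): the number of vertices on the longest path
    of the helps_M DAG ending in t (so a transition with all input
    places marked has level 1).  Assumes M is deadlock-free, i.e. the
    relation is acyclic."""
    transitions = list(inputs)
    # t2 precedes t iff some unmarked input place of t is an output of t2.
    preds = {t: [t2 for t2 in transitions
                 if any(p in outputs.get(t2, []) and marking[p] == 0
                        for p in inputs[t])]
             for t in transitions}

    @lru_cache(maxsize=None)
    def level(t):
        return 1 + max((level(t2) for t2 in preds[t]), default=0)

    return {t: level(t) for t in transitions}

# Toy event graph for three robots r1: [1, 2], r2: [1, 3], r3: [2, 3],
# with each first place p(i, 0) marked.
inputs = {1: [(1, 0), (2, 0)], 2: [(1, 1), (3, 0)], 3: [(2, 1), (3, 1)]}
outputs = {1: [(1, 1), (2, 1)], 2: [(1, 0), (3, 1)], 3: [(2, 0), (3, 0)]}
marking = {(i, j): 1 if j == 0 else 0 for i in (1, 2, 3) for j in (0, 1)}
print(levels(inputs, outputs, marking))   # {1: 1, 2: 2, 3: 3}
```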
The next lemma shows that the definition of stable states is appropriate.
Lemma 2: In an execution starting from a stable state, the action MISS will never happen.
Proof: We proceed by induction on the states of the system at discrete times 0, 1, 2, .... We denote by e_n the state of the system at time n; e_0 is the initial stable state. Be aware that these states do not correspond to the successive states of the Markov chain, but this does not matter since we will not use any probabilistic argument here. Our induction hypothesis is that until time n no MISS action has happened and e_n is stable. For n = 0, it is just the hypothesis of the lemma. Let us examine what happens between times n and n + 1.
Let us look at a robot waiting at a location at time n. Since its timer is greater than 1 (by the stability hypothesis and the fact that δ_i > 0), it will not expire until n + 1. Let us now look at a robot moving to a location at time n. It will arrive during the interval [n, n + 1] and will refill its timer to N + 1. In both cases, either a SYNC will happen and the robot will be moving at time n + 1, or it will still be waiting. Thus we have proved that no MISS action happens during this interval.
It remains to be shown that e_{n+1} is a stable state. Since no MISS action happens during the interval, the execution (without taking into account the timer values) corresponds to an execution of the non-self-stabilizing protocol. Thus M(e_{n+1}) is a marking reached by a firing sequence from M(e_n), and so all the cycles are marked in this new marking.
Let t be a transition of level 1 for M(e_n). Both of its input places are marked, meaning that the two associated robots are either waiting at the corresponding location or moving to it. Thus the synchronization will happen before time n + 1.
Let t be a transition of level greater than 1 for M(e_n). Then t has one of its input places unmarked, which means that one of the robots associated with the corresponding location is neither waiting at this location nor moving to it. Thus a synchronization at this location is impossible during the interval, and t will not be fired during it. Suppose now that a robot r_i is waiting at a location at time n + 1. If this robot arrived during the interval, it set its timer to N + 1, and thus at time n + 1, to_i is still equal to N, which is an upper bound for the level.
Finally, suppose that this robot has been waiting during the whole interval. Then its timer (and so to_i) has decreased by one at time n + 1. The level of the corresponding transition was greater than 1 at time n and the transition has not been fired; since all the transitions of level 1 have been fired, its level at time n + 1 has also decreased by 1 (the paths to this transition in the new DAG are exactly the paths to it in the old DAG truncated of their origin). Thus the timed constraints are still verified and e_{n+1} is a stable state. □

From an initial state to a stable state
In this section, we show that, given any initial state, there is a path from this state to a stable state in the Markov chain. Thus Proposition 2 will follow almost directly from Lemmas 1 and 2. The single non-trivial observation to make is that, given two equivalent states s and s′ (see Definition 2), s is stable iff s′ is stable, since stability does not involve the residual values. Thus the path found below gives a path in the finite aggregated Markov chain whose final state is a set of stable states.
Lemma 3: Given any initial state, there is a path in the Markov chain from this state to a stable state.
Proof: As we look for a path in the Markov chain, each time the MISS action happens we can choose its random outcome. So, when in the following we choose the first alternative (staying at the location) during a part of the execution, we will say that we simulate the original algorithm.
If the initial state is stable, then we are done. So we suppose that the initial state e is not stable. We examine the two following cases.
Case 1: M(e) is deadlock-free.
Here the timed constraints of stability are not verified by e. By simulating the original algorithm, we claim that a stable state will be reached. First, all the successive markings associated with the states are deadlock-free, since they are reachable from M(e) in the net N. Second, we decompose time into intervals of 1 tu. During each interval, all the locations corresponding to the transitions of level 1 will be the support of SYNC actions. A robot that executes such a SYNC action will have its timed constraint fulfilled, since it is moving. Moreover, using exactly the same proof as that of Lemma 2, it can be shown that, once a timed constraint is fulfilled, it remains fulfilled. Thus, after each robot has executed at least one SYNC action, we have reached a stable state.
Case 2: M(e) is not deadlock-free. Since there is a chain of synchronization locations between any pair of robots, applying the original algorithm would lead us to a global deadlock. Thus we simulate the original algorithm until every robot is blocked alone at a location and has executed its MISS action at least once. At this point, all timers have values at most 1. Now we choose for every robot the second alternative of the MISS action. All these actions happen in less than 1 tu, so after the last MISS action has been executed, every robot is still moving to its first location. In this state, denoted by e′, M(e′) is the initial marking of the net modelling the original protocol. Thus M(e′) is deadlock-free, and we complete the current path with the path of the first case. □

A routing table maintenance algorithm
In this section, the robots are no longer anonymous, since they exchange messages using identities to refer to the destination. A natural method for routing in multi-robot networks is to consider each mobile robot as a router and to run a routing protocol between them. The objective of most routing protocols is to find a path to the destination which is optimal with respect to a given metric. In this section, we present a minimum-hop, self-stabilizing algorithm for maintaining routing tables, which is an extension of Dolev et al. (1989). While minimum-hop routing is still the goal, the routing decision made when forwarding a message depends on the destination of the message (and the contents of the routing tables) as well as the current position of the forwarding robot.
Since the management of each destination robot is independent, we fix an arbitrary robot r 0 called the destination robot.
The algorithm is based on a communication-oriented graph whose vertices are the locations of the robots, with two vertices per location (i.e. one per peer). There is an edge between u and v iff:
- there exist two robots r, r′ with a common location l such that u = (r, l) and v = (r′, l); or
- there exist a robot r_i and 0 ≤ j ≤ n_i − 1 such that u = (r_i, f(i, j)) and v = (r_i, f(i, (j + 1) mod n_i)).
Let us suppose that, upon stabilization, the algorithm computes a forest of n_0 trees, each one rooted at a location of r_0, spanning the graph with minimum-hop paths towards r_0. Let us consider a robot r, currently at a location l that it shares with a robot r′, which needs to send a message to r_0. If the father of (r, l) is the next location of r, then the robot keeps the message until it reaches that location; else the father is (r′, l) and the robot forwards the message to r′. With such a data structure, it is straightforward to show that the message will reach r_0.
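The graph construction can be sketched as follows (Python; names and data layout are ours, and we assume every location is shared by exactly two robots, as in the system model):

```python
def build_routing_graph(location_arrays):
    """Sketch of the communication-oriented graph: vertices are pairs
    (robot, location) -- two per location, one per peer; edges join the
    two peers of a location and the consecutive locations of each
    robot's tour."""
    edges = set()
    # Peer edges: the two robots sharing a location.
    owners = {}
    for i, locs in location_arrays.items():
        for l in locs:
            owners.setdefault(l, []).append(i)
    for l, pair in owners.items():
        if len(pair) == 2:
            r, r2 = pair
            edges.add(frozenset({(r, l), (r2, l)}))
    # Tour edges: (r_i, f(i, j)) -- (r_i, f(i, (j + 1) mod n_i)).
    for i, locs in location_arrays.items():
        n = len(locs)
        if n > 1:
            for j in range(n):
                edges.add(frozenset({(i, locs[j]), (i, locs[(j + 1) % n])}))
    return edges

# Hypothetical system: r1: [1, 2], r2: [1, 3], r3: [2, 3]
# -> 3 peer edges + 3 tour edges.
print(len(build_routing_graph({1: [1, 2], 2: [1, 3], 3: [2, 3]})))   # 6
```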
The self-stabilizing algorithm we propose is depicted in figure 6. Each robot r_i maintains the following variables:
- distance_i[0..n_i − 1]: an array of integers, where distance_i[j] is r_i's estimate of the distance between its location MP_i[j] and the destination r_0. A distance variable can store an integer value between 0 and 2N − 1, where N is the number of locations in the whole system;
- exit_i[0..n_i − 1]: an array of booleans. If exit_i[j] is true, then the father of the vertex (r_i, MP_i[j]) is the vertex (r_k, MP_i[j]), with r_k the peer of r_i for the location MP_i[j]. If exit_i[j] is false, then the father of the vertex (r_i, MP_i[j]) is the vertex (r_i, MP_i[(j + 1) mod n_i]).
The example given in table 2 specifies the part of the routing table of r_1 w.r.t. the destination r_6, in the system illustrated by figure 2. For instance, if r_1, standing at location 5, wants to send a message to r_6, it will wait until it is at location 1 and will forward it to r_3.
The distance table of r_0 is periodically set to 0; thus, starting from any state, this table is correct after one iteration of this loop. An entry in the table of any other robot corresponding to a location l is updated when synchronizing at this location by:
- an exchange of the current estimates of the distance between this location and r_0 held by the two robots;
- taking as the new estimate the minimum of the peer's distance incremented by one and the distance of the robot's next location incremented by one. The corresponding entry of the exit table is set to true iff the minimum is obtained from the distance of the peer.
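The update performed at a synchronization can be sketched as follows (Python; parameter names are ours, we omit the saturation at 2N − 1 for brevity, and the tie-breaking towards the peer is our assumption):

```python
def sync_update(j, dist_i, exit_i, peer_dist, next_dist, is_destination):
    """One routing-table update at a synchronization (a sketch).

    j         -- index of the location in the robot's array MP_i;
    peer_dist -- the peer's current estimate for this location;
    next_dist -- the robot's estimate for its next location;
    is_destination -- True for the destination robot r_0, whose
                      entries are periodically reset to 0."""
    if is_destination:
        dist_i[j] = 0
        exit_i[j] = False
        return
    via_peer = peer_dist + 1          # route through the peer's vertex
    via_next = next_dist + 1          # route through the robot's next location
    dist_i[j] = min(via_peer, via_next)
    # The father is the peer's vertex iff the minimum comes from the peer
    # (ties broken towards the peer -- our assumption).
    exit_i[j] = via_peer <= via_next

# Hypothetical robot with two locations: its peer at location 0 is one
# hop from r_0, while its own next location is three hops away.
dist, ext = [5, 3], [False, False]
sync_update(0, dist, ext, peer_dist=1, next_dist=dist[1], is_destination=False)
print(dist[0], ext[0])   # 2 True
```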

Proof of correctness
Since this algorithm is layered on top of the previous one, we suppose that, in the initial state, the scheduling algorithm has stabilized. Let us introduce some concepts associated with an execution. An execution sequence is decomposed into successive rounds. Each round starts at the end of the previous one and finishes when all the robots have performed at least one visit per location. By convention, the first round starts when r_0 has set its distance table to zero.
A floating distance in some configuration c is a value in a distance variable that is smaller than the real distance. The smallest floating distance (denoted sfd) in some configuration c is the smallest value among the floating distances; if there is no floating value in some configuration, then sfd = ∞. The lemma below shows that, in every execution, a safe configuration is reached.
Lemma 4: For every k ≥ 0 and for every configuration that follows the first k rounds, it holds that:
Assertion 1: if there exists a floating distance, then the value of sfd is at least k;
Assertion 2: the nodes with distance values less than or equal to k form a forest of minimum-hop trees.
Proof: Let sfd_k denote the smallest floating distance at the end of the kth round and sfd_0 the initial smallest floating distance. We prove the lemma by induction over k.
For k ¼ 1, the distances stored in the variables are non-negative; thus, the value of the smallest floating distance is at least 0 in the first configuration. This proves Assertion 1. To prove Assertion 2, note that, before the first round, the destination robot r 0 sets all its distance variables to 0. Once these distances are computed, they will never be changed. Therefore, each location of r 0 is the root of a tree reduced to a single node and Assertion 2 also holds.
Assume correctness for k ≥ 0 and let us prove it for k + 1. Let m ≥ k be the smallest floating distance in the configuration that follows the first k rounds. During round k + 1, each robot that recomputes its distance variables either assigns the correct value or chooses m as the smallest value and assigns m + 1 to its distance variable. Therefore, the smallest floating distance value is m + 1. This proves Assertion 1.
Since the smallest floating distance is m ≥ k, each robot that receives the distance k of a peer computes the minimum of k + 1 and the distance of its next location incremented by one. The new value is either k + 1 or the distance of its next location incremented by one; in the former case, the robot's distance value equals its real distance, while in the latter case it equals a floating distance greater than or equal to k. Note that, once the value in the variable of the robot is equal to its distance from the root, the robot joins one of the trees of the forest by choosing either its peer or its next location as its father in the tree. □
The next corollary is implied by Lemma 4.
Corollary 1: The routing algorithm presented above stabilizes after 2N rounds.

Concluding remarks
We have designed a uniform self-stabilizing scheduling protocol for a network of robots. The interest of this work is twofold. On the one hand, self-stabilization is an important and desirable feature of protocols for these environments. On the other hand, the use of formal models for proofs of stabilizing algorithms is not so frequent. Here, with the help of Petri net theory, we have simplified the proof of the non-stabilizing version of the algorithm. A part of the proof of stabilization is also based on this model.
The assumption that timers run exactly is only important during the stabilization step. Once the algorithm reaches a stable state, we can show that the protocol still works if the timers are prone to small deviations. Moreover, in practice, if the stabilization step is not too long, then the deviations of the timers will not disturb it.
The next stage of our research is to prove that no deterministic self-stabilizing algorithm exists for the scheduling task, and to explore how new robots should be integrated into the team.