1. Introduction
Formally guaranteeing correctness [
1] is crucial for synthesizing effective controllers for complex time-critical ground vehicle missions in applications such as disaster, agriculture, and planetary robotics. Moreover, manageable mission specifications for mobile robots must be concise, human readable, and checkable [
2], which requires coping with the incompleteness, ambiguity, and inconsistency of informal human descriptions [
3]. Linear temporal logic (LTL) offers a modal formalism that allows describing system properties over linear time using propositional and temporal logical operators [
4] with a close relation to natural language, and thus to human reasoning [
5]. Furthermore, a system whose properties are expressed by LTL formulas can be formally verified by LTL model checking [
3].
Previous works have exploited these qualities of LTL for synthesizing controllers for robotic missions. For instance, [
6] developed a framework for controlling linear systems using LTL specifications, extending the LTL controller synthesis from the discrete to continuous domain. In another study, ref. [
7] proposed an LTL formula for specifying user-defined high-level behaviors for robots that can react to dynamic environment information. Additionally, ref. [
8] extended LTL to simulate collaborative multi-robot environments, emphasizing localization and coordination among robots. Other works have addressed uncertain environments by synthesizing reactive controllers that update obstacle information from sensors during navigation. Thus, ref. [
9] developed reactive controllers to manage unpredictable conditions to improve adaptability. Moreover, ref. [
10] focused on dynamic updates for synthesized controllers, enhancing system robustness in uncertain environments. In general, these control approaches benefit from LTL specifications, which ensure that the desired task is accomplished if it is feasible.
These properties of LTL have been leveraged in other works to incorporate constraints for deliberative path planning. Thus, ref. [
11] studied motion coordination for data gathered through communication and buffer constraints where the high level mission specification for the multi-robot team is performed in LTL. In this sense, ref. [
12] analyzed inter-task dependencies, which are crucial for the efficiency of multi-robot systems in coordinated tasks. Recent works have addressed different aspects of environment complexity. In [
13], two-dimensional (2D) cells were categorized into five levels of terrain cost for a path planning method for a planetary rover, considering factors such as remaining charge, obstacles, illumination, and communication conditions. Moreover, the T* algorithm [
14] is an LTL path planner that uses A* opportunistically to generate an optimal trajectory satisfying a temporal logic formula in a 2D environment. In [
15], LTL is used to specify mission requirements for sampling-based path planning using a multi-layered framework that can be suitable for complex environments. In [
16], a high-level task planner for bipedal robots used LTL to perform reactive game synthesis between the robot and a dynamic environment with stairs leading to a higher platform. Nevertheless, these works primarily used 2D representations of the environment, so uneven terrain constraints were not explicitly considered. To the best of our knowledge, no previous work has addressed LTL path planning for high-level robot missions on digital elevation models (DEMs).
In general, a single generalized LTL formula for synthesizing a robot controller can integrate both the desired robot behavior and the assumptions about the environment [
7,
8,
10]. However, the implementation of this powerful LTL expressiveness with software tools such as a Simple Promela Interpreter (SPIN) [
17] or the Temporal Logic Planning (TuLiP) toolbox [
18] can suffer from the state-space explosion problem [
17]. The work in [
19] addressed scalability for task allocation with multiple heterogeneous robots from a global LTL specification, but individual path planning is performed at a lower level. Furthermore, ref. [
20] reduced the computation time of the path planning by modeling robot mobility as an abstract weighted transition system.
In this article, we propose a SPIN-based LTL path planning approach for uncrewed ground vehicle (UGV) missions on uneven terrain by defining a system model that includes motion constraints and performing model checking of the mission specification’s LTL property. Since UGV motion constraints for the DEM are incorporated into the system model, they can be omitted from LTL model checking for path planning according to the mission specification. Moreover, we define two SPIN-efficient general LTL formulas for representative UGV missions to reach goals in a specified order or an unspecified order, respectively. The proposed planner is implemented using the open-source model checker SPIN with customized search optimization parameters. Validation experiments conducted on synthetic and real-world DEMs demonstrate the feasibility of the LTL path planning framework for complex mission specifications, achieving a significant reduction in computation cost compared to a SPIN-based baseline approach that considers a global LTL property including both motion constraints and mission specification.
The main contributions of this work are as follows:
The definition of a system model as a transition system that includes UGV asymmetric slope traversability and maneuverability on uneven terrains represented as DEMs.
A SPIN-based LTL path planner for UGV missions with customized parameterization for effective search optimization. This LTL planner uses the system model and an LTL property that defines only the UGV mission specification based on DEM goals.
Two general LTL formulas for specifying two types of UGV missions to reach a DEM partition set, either in a specified order or an unspecified order. These formulas use the until operator, which enables efficient SPIN state-space exploration.
The remainder of the article is organized as follows.
Section 2 reviews LTL concepts for path planning, fulfilling mission specifications.
Section 3 proposes the design of the LTL-based path planner for UGV missions on uneven DEMSs.
Section 4 describes the experimental methodology.
Section 5 discusses the experimental results. Finally,
Section 6 offers conclusions and ideas for future work.
3. DEM-Based LTL Path Planning for High-Level UGV Missions
This section presents the core methodology of our framework, detailing the design of the LTL-based path planner for UGV missions on uneven terrains. First, we introduce the definition of the system model according to motion constraints. Next, the SPIN-efficient general LTL formulas designed for high-level UGV missions are proposed. Then, we describe the workflow of LTL model checking using the SPIN tool, emphasizing the optimization techniques employed to cope with state-space explosion. Finally, the section concludes with the interpretation of the LTL model checking results for path planning for UGV mission on DEMs.
3.1. System Model According to Motion Constraints
In this paper, we address path planning for UGV missions on uneven terrains that can be modeled as a DEM, which can be represented by a matrix
with the altitude in a map projection system (regular grid with distance
between points, i.e., DEM cell resolution). We propose a path planner for high-level UGV mission specifications based on DEM and LTL model checking, where UGV motion between DEM cells is constrained by asymmetric slope traversability conditions [
26], which depends on both the robot and the terrain [
27,
28]. Traversability is defined as matrix
, where each element
is a Boolean
ℓ-vector representing motion feasibility from
to its
ℓ-neighbors according to slope
, computed as
Elements of
are denoted by
,
, where
is the outward heading toward neighboring cells
, i.e., a multiple of
or
for
or
, respectively:
and
and
are the minimum and maximum UGV slope constraints, respectively. We adopted null heading for the eastern direction and counterclockwise angle increments.
The system representing the UGV motion on a DEM is modeled as
, a nondeterministic transition system whose states at discrete time
k are given by
, where
represents cell coordinates and
is the inward heading. As for transitions, we adopted reducing the number of valid transitions by defining motion constraints in order to cope with the state-space explosion and to reduce the computational cost. In particular, as shown in
Figure 1, transitions in
are defined by a conjunction of four Boolean constraints: (a) slope traversability
T; (b) DEM
limits; (c) the set
of allowed on-cell turns
, which is
for
(i.e., removing red values from
Figure 1), and can be either
(i.e., removing blue values from
Figure 1) or
for
, depending on UGV kinematics constraints; and (d) a specific constraint for diagonal transitions requiring that the adjacent four neighboring cells are traversable (e.g., the transition to
also depends on traversabilities to
and
).
3.2. LTL Formulas for High-Level UGV Mission Specifications
In this paper, we introduce two SPIN-efficient general LTL formulas for representative high-level UGV missions. With this purpose, we define a set
of non-overlapping state partitions. Each partition
consists of a set of states to which an atomic proposition
is associated:
Only mission-relevant DEM cells need to be considered in the partitions. The mission specification for a partition is fulfilled if the UGV can reach any state within the partition with the corresponding inward heading.
Regarding the optimization criterion, SPIN imposes minimization of the number of counterexample states. Thus, the objective of the path planner for high-level UGV mission is to obtain a path with the minimum number of
transitions that reaches all goal partitions of a specified set
. Furthermore, mission specifications can include (1) a partition of forbidden states,
associated to atomic proposition
,
and/or (2) the requirement to return to the initial cell coordinates
after the mission is completed using an atomic proposition
,
where
is the specified set of allowed inward headings for returning.
When verifying complex systems with SPIN, it is crucial to choose LTL formulas that enable efficient state-space exploration [
25]. LTL formulas that use the temporal operator
(
until) explicitly enforce a strict event order and avoid certain conditions, which reduces the state space, making it easier for SPIN to find counterexamples. Conversely, LTL formulas with global restrictions and nested eventualities (e.g.,
) can slow down the state-space exploration process. Therefore, we propose two general LTL formulas using
for reaching goal partitions
:
- (1)
In a given order (i.e.,
then
, and so on),
where
- (2)
Moreover, the following three simplifying conditions could be considered in actual missions:
There is a single goal partition, i.e., ;
There is no forbidden partition (), i.e., ;
The UGV must not return to the initial cell, i.e., ;
Using different combinations of these simplifying conditions in Equations (
10) and (
11) results in the well-known simple LTL formulas presented in
Table 1. This result corroborates the generality of the proposed formulas, which can be applied for more complex missions.
3.3. LTL Model Checking Workflow with SPIN
In this work, we adopted the SPIN workflow with breadth-first search (BFS) [
17] for synthesizing an LTL path planner for high-level UGV missions (see
Figure 2). Unlike the default depth-first search, which is more suitable for model checking than for planning, BFS can find a counterexample with the shortest trace at a lower computational cost.
This workflow begins with using Promela to model and the LTL property to be verified. This Promela source file is used by SPIN to generate an LTL verification program in ANSI C. Then, our compile time options for specific search optimization techniques are partial order reduction, the BFS algorithm, (-DBFS) and lossless collapse compression (-DCOLLAPSE). Then, an iterative LTL verification process is performed until either no new nodes are added to the unweighted search graph (i.e., no counterexample is found) or a trail file is generated with the shortest counterexample (i.e., does not satisfy the LTL property).
3.4. LTL Model Checking for Synthesizing a Path Planner for UGV Missions
Since
was designed considering motion constraints, these can be omitted from LTL model checking for path planning that fulfills the high-level UGV mission. The LTL property used to verify in the LTL model checking workflow (see
Figure 2) is a negated LTL mission specification
, i.e., the negation of (
10) or (
11) (or other simplified or derived formula from these). For LTL path planning, “no counterexample” means that the UGV mission cannot be satisfied; otherwise, the trail file returns the shortest counterexample, which needs to be mapped from the product automaton states to the system model states to obtain a DEM path.
4. Experimental Methodology
This section describes the hardware and software used in the experiments, defines a baseline path planner for comparison, and presents mission specifications for a synthetic DEM and a larger-scale real-world DEM.
4.1. Hardware and Software
The DEM-based LTL path planner was executed on a i7-13700F processor made by Intel Corp. (Santa Clara, CA, USA) with 16 B of RAM, running Microsoft© Windows 11 Pro. The required software was installed in a container on Docker Desktop v.4.32.0 including Ubuntu 22.04.4 LTS and MATLAB R2023b by Mathworks (Natick, MA, USA) to run the main planner script and generate graphical representations. SPIN v6.5.2 was used as the model checker, gcc 11.4.0 as the C compiler, and Promela to (1) describe the system models with embedded C-code as part of the model specification and (2) formulate DEM-based high-level UGV missions as LTL properties.
4.2. Comparison with a Baseline Path Planner
In this article, we propose an approach for SPIN-based LTL path planning on DEMs by defining a system model that incorporates the set of UGV motion constraints, allowing these constraints to be omitted from LTL model checking. This contrasts with previous works in LTL path planning [
7,
8,
10], where a single generalized LTL formula integrates both the desired robot behavior and the environment assumptions.
To the best of our knowledge, no previous works have addressed LTL path planning on DEMs. Therefore, for comparison purposes, we define a baseline SPIN-based LTL path planner with a generalized LTL formula integrating mission specification and motion constraints on DEMs, and a system model that only considers cell neighborhoods for transitions.
In this baseline planner, the generalized LTL formula is
which means that the mission specification
must be satisfied, and all motion constraints must
always be fulfilled. In particular, the truth assignments to the four motion constraints described in
Section 3.1 are defined as atomic propositions
, and
, respectively, from the current
and previous
model states, as follows:
4.3. Mission Specifications in a Synthetic DEM
We defined a synthetic DEM with obstacles, mounds, and slopes (see
Figure 3,
Figure 4,
Figure 5 and
Figure 6), with
and
1
. The DEM has a forbidden partition
indicated by cells marked with an “X”, and four mission-oriented partitions,
to
, represented by cells labeled with corresponding numbers.
Partition (and also ) exemplifies cells from different regions sharing the same role in the mission (e.g., charging stations or communication relays that could be distributed throughout the environment). Moreover, partitions and need to be given inward headings (indicated by triangle cell labels).
As for the UGV, the initial state
is depicted as a red spot with an arrow for the heading. We adopted UGV slope constraints
for downhill and
for uphill, which are representative of asymmetric behaviour of actual UGVs [
26].
Four distinctive high-level UGV missions were analyzed:
- (1)
Example of general LTL formula
, Equation (
10), see
Figure 3.
The UGV must eventually reach to in the given order, avoiding , to finally return to with any inward heading (i.e., ):
To enhance clarity, extra parentheses have been added to the LTL formula, even though the LTL grammar in
Section 2.1 specifies that the
operator is left-associative, as is typical in SPIN’s interpretation.
- (2)
Example of general LTL formula
, Equation (
11), see
Figure 4.
The UGV must eventually reach to with no specific order, avoiding , to finally return to with any inward heading:
- (3)
Example of a combination of Equations (
10) and (
11), see
Figure 5.
The UGV must eventually reach , then , and then and with no specific order, avoiding , to finally return to with any inward heading:
- (4)
The UGV must eventually reach , avoiding , to finally return to with any inward heading:
4.4. Mission Specification in a Real DEM
Additionally, to evaluate planning performance in a larger-scale real-world DEM, we used an
with
2
obtained from an aerial ortophoto (see
Figure 7). This DEM captures 135,488 m
2 of an experimental area for realistic disaster response exercises [
29], featuring dirt roads, rubble mounds, diverse vegetation, crushed vehicles, and partially buried pipelines [
30].
In this case, the high-level UGV mission specification corresponds to a casualty evacuation starting from 366,991, 4,064,448, depicted as a red spot with an arrow for the heading. The forbidden partition, marked by black cells, represents areas occupied by victims and tents. The goal partitions, marked by yellow cells, are designated areas close enough for the UGV to access and assist the victims while maintaining a safe distance. As for the UGV slope constraints, we consider appropriate values for safe casualty evacuation, i.e., for downhill and for uphill.
The mission is specified by the following LTL formula:
i.e.,
the UGV must eventually reach two geolocated victims to evacuate them to a medical tent and finally return to the robotic tent.
5. Experimental Results
This section discusses the resulting paths, compares experimental results of the proposed method with respect to the baseline LTL path planned described in
Section 4.2, and analyzes performance.
5.1. Path Planning Analysis
Figure 3,
Figure 4,
Figure 5,
Figure 6 and
Figure 7 illustrate the resulting paths (red lines) for the UGV example missions, Equations (
14)–(
18), respectively. The arrows are color-coded to show the UGV’s motion toward each goal partition in the mission sequence. The same color is used in the macron mark above the corresponding partition number in the goal cell. Different colors in the arrows indicate the UGV motion toward the next goal partition to be reached.
For the synthetic DEM,
Figure 3,
Figure 4,
Figure 5 and
Figure 6 show results for the different on-cell turn constraints
. In the first three missions, only
and
produce result paths. The limited manoueverability of
, which does not allow
turns, prevents paths from being found without encountering obstacles or reaching the DEM boundary limits. This limitation is evident in the wide loop around the elevated area on top of
Figure 6b for
, which is the only mission that achieves a path with this motion constraint.
In
Figure 3, both paths satisfy the goal partition order specified by
. However, different turn constraints cause partition
to be reached at different states. The shortest path length (84 vs. 109 states) is achieved with the least restrictive maneuverability (i.e.,
Figure 3b).
Figure 4 corresponds to
, which does not impose a specific order. As a result, the goal partition sequence is different:
and
for
(see
Figure 4a), and
and
for
(see
Figure 4b) by reducing the path length (93 vs. 70).
Figure 5 corresponds to
, where the order for the last two partitions was not specified. In this case, both turn constraints yield the same goal partition sequence, even if the least restrictive manoeuverability (see
Figure 5b) produces a shorter path (80 vs. 105).
Figure 6 corresponds to
, a simpler mission that only needs to reach
before returning to the initial position (in any heading). This figure illustrates the difference between the path length in terms of states (seen as the number of traversed cells), which is the LTL optimization criterion imposed by SPIN, and the actual path length (since diagonal cell motions are longer). Thus, paths in
Figure 6a–c have 55, 48, and 44 states that correspond to 54
,
, and
, respectively.
As for the real DEM,
Figure 7 illustrates the path for the multi-victim evacuation mission
specified by Equation (
18). In particular, the figure shows the path for
.
Figure 7a reveals that the resulting path is close to the dirt roads in the environment, which correspond mostly with low terrain gradients (as seen in
Figure 7b).
5.2. Comparison with the Baseline Path Planner
Table 2 offers a comparison of the proposed method against the baseline LTL path planner (see
Section 4.2) for mission specifications in synthetic (
to
) and real-world (
) DEMs. The table presents the total computation time
and partial times for the LTL workflow processes (see
Figure 2):
for the generation of the LTL verifier in C,
for the compilation,
for the breadth-first search for the counterexample, and
for the mapping of the shortest path. Additionally, the table shows the number of explored states and the required memory during the counterexample search phase, as well as the length (i.e., the number of
states) of the resulting shortest path. Furthermore, the path for each LTL mission specification has been computed for three different sets
of allowed on-cell turns (see
Section 3.1).
Both LTL path planners leverage SPIN’s specific search optimization techniques, which reduce the number of explored states and the required memory. Consequently, the memory requirements and the number of explored states are the same for both methods. The state-space explosion problem (i.e., reaching the memory limit of 16,384 MB in our hardware platform) occurs for both cases with in the real-world DEM, so no resulting paths are provided. This can be explained by the real-world DEM having a significantly larger number of cells and a higher ratio of children per node due to the smoother terrain compared to the synthetic DEM.
To achieve a solution with the available hardware, we selected the lossy “bitstate hashing” (
-DBITSTATE) compression method in the compile options.
Table 2 shows the results using both
-DCOLLAPSE and
-DBITSTATE. With the lossy method, the computational time for
with
was reduced by 70.4%, the state-space explosion problem was mitigated (reducing the required memory by 88.2%), and the resulting suboptimal path length was equal to the shortest path length obtained with lossless compression.
All in all,
Table 2 shows an average reduction of 52.4% in
with our proposal compared to the baseline planner. The most remarkable decrease occurs in
, where the lower complexity of the LTL property reduces the generation time of the C-file verifier (37.2%) and, consequently, the compilation time
(72%).
5.3. Performance Analysis
The results for different DEM sizes in
Table 2 (i.e.,
for
to
in the synthetic DEM, and
for
in the real-world DEM) indicate that DEM size mainly affects
but is not relevant for other processes of the SPIN workflow. The real-world environment is larger and has a smoother relief, which causes a higher number of states and valid transitions in the system model
. This can explain the higher memory (about 16
B, for the real-world mission vs. 160
B for synthetic DEMs) needed to save the nodes expanded (about
vs.
, respectively) by the BFS algorithm.
The set also influences the counterexample search time. Thus, the less restrictive set implies a higher ratio of children per node in each BFS iteration, which increases and but could reduce the resulting path length. For , a larger number of traversable neighboring cells are required to move through the environment, which, in some cases (e.g., , and ), prevents finding a path that satisfies the mission.
The complexity of the system model and/or the LTL formula describing the high-level mission specification, i.e., the number of states of the automaton product , affects and . Thus, for LTL formulas with lower complexity, i.e., and , these times are shorter. is irrelevant, with values between 100 and 500 , increasing slightly for longer path lengths.
6. Conclusions
In this paper, we proposed a SPIN-based linear temporal logic (LTL) path planner for uncrewed ground vehicle (UGV) missions on uneven terrain. Our approach leverages existing search optimization techniques available in the open-source Simple Promela Interpreter (SPIN) model checker. First, the system model incorporates UGV motion constraints for a digital elevation model (DEM), including factors such as asymmetric slope limitations and maneuverability constraints like on-cell turns. These constraints are integrated into the system model, allowing them to be omitted from the LTL model checking process and focusing solely on verifying mission specifications. To enhance the efficiency of state-space exploration, we defined two general SPIN-efficient LTL formulas for specifying UGV missions. These formulas allow for reaching a set of goal DEM partitions in either a specified or unspecified order. The proposed planner was implemented using SPIN with customized search optimization parameters.
For experimental analysis, the planner was validated on both synthetic and real-world DEMs. Specifically, we tested four representative high-level missions on a synthetic DEM and applied the framework to plan a multi-victim evacuation mission in a real large-scale DEM of 135,488 m2. The experimental results show that our approach significantly reduces the total planning time, particularly in the generation and compilation of the LTL verifier’s source code, compared to a baseline planner. While both approaches apply SPIN’s search optimization techniques, resulting in no significant differences in path search time, our method demonstrates clear advantages in the preparatory stages of the planning process. Regarding the observed limitations, the proposed method encounters scalability challenges in large-scale DEMs. This is a common issue for graph-search approaches.
In future work, it will be valuable to explore enhancements to search algorithms in directed weighted transition systems that model UGV motion over DEMs with a broader set of motion constraints. These constraints could encompass non-uniform velocities and any-angle motion primitives. Furthermore, focusing on optimizing travel time rather than just the number of cells traversed may offer a more effective criterion for path planning in time-critical missions within challenging environments. Furthermore, future work will address the integration of the planner into the control architecture of a UGV with appropriate path tracking and motion control methods for rough terrain.