SPIN-Based Linear Temporal Logic Path Planning for Ground Vehicle Missions with Motion Constraints on Digital Elevation Models

Linear temporal logic (LTL) formalism can ensure the correctness of mobile robot planning through concise, readable, and verifiable mission specifications. For uneven terrain, planning must consider motion constraints related to asymmetric slope traversability and maneuverability. However, even though model checker tools like the open-source Simple Promela Interpreter (SPIN) include search optimization techniques to address the state explosion problem, defining a global LTL property that encompasses both mission specifications and motion constraints on digital elevation models (DEMs) can lead to complex models and high computation times. In this article, we propose a system model that incorporates a set of uncrewed ground vehicle (UGV) motion constraints, allowing these constraints to be omitted from LTL model checking. This model is used in the LTL synthesizer for path planning, where an LTL property describes only the mission specification. Furthermore, we present a specific parameterization for path planning synthesis using SPIN. We also offer two SPIN-efficient general LTL formulas for representative UGV missions to reach a DEM partition set, with a specified or unspecified order, respectively. Validation experiments performed on synthetic and real-world DEMs demonstrate the feasibility of the framework for complex mission specifications on DEMs, achieving a significant reduction in computation cost compared to a baseline approach that includes a global LTL property, even when applying appropriate search optimization techniques on both path planners.


Introduction
Formally guaranteeing correctness [1] is crucial for synthesizing effective controllers for complex time-critical ground vehicle missions in applications such as disaster, agriculture, and planetary robotics. Moreover, manageable mission specifications for mobile robots must be concise, human readable, and checkable [2], which requires coping with the incompleteness, ambiguity, and inconsistency of informal human descriptions [3]. Linear temporal logic (LTL) offers a modal formalism that allows describing system properties over linear time using propositional and temporal logical operators [4] with a close relation to natural language, and thus to human reasoning [5]. Furthermore, a system whose properties are expressed by LTL formulas can be formally verified by LTL model checking [3].
Previous works have exploited these qualities of LTL for synthesizing controllers for robotic missions. For instance, [6] developed a framework for controlling linear systems using LTL specifications, extending the LTL controller synthesis from the discrete to continuous domain. In another study, ref. [7] proposed an LTL formula for specifying user-defined high-level behaviors for robots that can react to dynamic environment information. Additionally, ref. [8] extended LTL to simulate collaborative multi-robot environments, emphasizing localization and coordination among robots. Other works have addressed uncertain environments by synthesizing reactive controllers that update obstacle information from sensors during navigation. Thus, ref. [9] developed reactive controllers to manage unpredictable conditions to improve adaptability. Moreover, ref. [10] focused on dynamic updates for synthesized controllers, enhancing system robustness in uncertain environments. In general, these control approaches benefit from LTL specifications, which ensure that the desired task is accomplished if it is feasible.
These properties of LTL have been leveraged in other works to incorporate constraints for deliberative path planning. Thus, ref. [11] studied motion coordination for data gathered through communication and buffer constraints where the high level mission specification for the multi-robot team is performed in LTL. In this sense, ref. [12] analyzed inter-task dependencies, which are crucial for the efficiency of multi-robot systems in coordinated tasks. Recent works have addressed different aspects of environment complexity. In [13], two-dimensional (2D) cells were categorized into five levels of terrain cost for a path planning method for a planetary rover, considering factors such as remaining charge, obstacles, illumination, and communication conditions. Moreover, the T* algorithm [14] is an LTL path planner that uses A* opportunistically to generate an optimal trajectory satisfying a temporal logic formula in a 2D environment. In [15], LTL is used to specify mission requirements for sampling-based path planning using a multi-layered framework that can be suitable for complex environments. In [16], a high-level task planner for bipedal robots used LTL to perform reactive game synthesis between the robot and a dynamic environment with stairs leading to a higher platform. Nevertheless, these works primarily used 2D representations of the environment, so uneven terrain constraints were not explicitly considered. To the best of our knowledge, no previous work has addressed LTL path planning for high-level robot missions on digital elevation models (DEMs).
In general, a single generalized LTL formula for synthesizing a robot controller can integrate both the desired robot behavior and the assumptions about the environment [7,8,10]. However, the implementation of this powerful LTL expressiveness with software tools such as the Simple Promela Interpreter (SPIN) [17] or the Temporal Logic Planning (TuLiP) toolbox [18] can suffer from the state-space explosion problem [17]. The work in [19] addressed scalability for task allocation with multiple heterogeneous robots from a global LTL specification, but individual path planning is performed at a lower level. Furthermore, ref. [20] reduced the computation time of the path planning by modeling robot mobility as an abstract weighted transition system.
In this article, we propose a SPIN-based LTL path planning approach for uncrewed ground vehicle (UGV) missions on uneven terrain by defining a system model that includes motion constraints and performing model checking of the mission specification's LTL property. Since UGV motion constraints for the DEM are incorporated into the system model, they can be omitted from LTL model checking for path planning according to the mission specification. Moreover, we define two SPIN-efficient general LTL formulas for representative UGV missions to reach goals in a specified order or an unspecified order, respectively. The proposed planner is implemented using the open-source model checker SPIN with customized search optimization parameters. Validation experiments conducted on synthetic and real-world DEMs demonstrate the feasibility of the LTL path planning framework for complex mission specifications, achieving a significant reduction in computation cost compared to a SPIN-based baseline approach that considers a global LTL property including both motion constraints and mission specification.
The main contributions of this work are as follows:
• The definition of a system model as a transition system that includes UGV asymmetric slope traversability and maneuverability on uneven terrains represented as DEMs.
• A SPIN-based LTL path planner for UGV missions with customized parameterization for effective search optimization. This LTL planner uses the system model and an LTL property that defines only the UGV mission specification based on DEM goals.
• Two general LTL formulas for specifying two types of UGV missions to reach a DEM partition set, either in a specified order or an unspecified order. These formulas use the until operator, which enables efficient SPIN state-space exploration.
The remainder of the article is organized as follows. Section 2 reviews LTL concepts for path planning, fulfilling mission specifications. Section 3 proposes the design of the LTL-based path planner for UGV missions on uneven DEMs. Section 4 describes the experimental methodology. Section 5 discusses the experimental results. Finally, Section 6 offers conclusions and ideas for future work.

Review of LTL Concepts
This section reviews fundamental concepts of LTL, model checking, and LTL path planning for high-level UGV missions.

Linear Temporal Logic
Linear temporal logic (LTL) is a logical formalism that expresses the behavior of a reactive system over linear time, i.e., the relative order of events. The basic elements of LTL are a set of atomic propositions Π, and Boolean and temporal operators. An atomic proposition π ∈ Π is a statement or assertion that must be true or false.
A well-formed LTL formula ϕ is a finite sequence of symbols satisfying the following grammar: where ¬ and ∨ are Boolean operators for negation and disjunction, respectively, and ⃝ and U are the temporal operators next and until, respectively. This grammar allows defining other LTL derived operators such as the following: where ∧ denotes conjunction, and ♢ and □ are the temporal operators eventually and always, respectively. Unitary operators have the highest precedence, and U takes precedence over other binary operators and is left-associative, e.g., The semantics of ϕ are defined over infinite traces. A trace σ is a sequence σ = σ 1 σ 2 . . . of truth assignments to Π, where σ i ⊂ Π. A suffix trace is defined as σ(i) = σ i σ i+1 . . .; thus, σ = σ(1). For a given trace σ, the notation σ |= ϕ denotes that σ satisfies ϕ. The satisfaction relationship |= between σ(i) and ϕ is defined as follows: (3)

LTL Model Checking
Formal model checking systematically checks whether a formal specification property ϕ is satisfied for a system model A S defined as a transition system without terminal states. In LTL model checking, the states of this system are defined from Π, and ϕ as a deterministic finite automaton A ¬ ϕ with accepting states that recognizes the language L(A ¬ ϕ ) formed by the set of non-admissible traces. Since LTL semantics are defined over traces, model checking is reduced to a reachability problem in the product automaton A S ⊗ A ¬ ϕ . Then, i.e., the correctness of A S is verified with respect to ϕ if and only if there is no intersection between the finite traces of A S and L(A ¬ ϕ ).
Model checker tools, such as the Uppsala-Aalborg (Uppaal) suite [21], the New Symbolic Model Verifier (NuSMV) [22], TuLiP [18], or SPIN [23], automatically determine whether the model truly satisfies a given property. When the property is not fulfilled, they provide a counterexample trace, i.e., an A S execution path that reaches an undesired state.
Even if model checking has a sound mathematical foundation based on graph theory, data structures, and logic, model checkers suffer from the state-space explosion problem when the number of states needed to accurately model realistic systems or complex properties exceeds available computer memory [17].
SPIN offers features to cope with the state-space explosion and, starting from version 6.5.0, allows the conversion of LTL formulas of arbitrary length. In particular, SPIN includes search optimization techniques [17,24] to reduce the following: (i) the number of explored states; (ii) the memory required. To reduce the number of explored states, SPIN introduces partial order reduction and statement merging (atomic and deterministic step sequences). For memory reduction, SPIN includes the following state vector compression methods:
• Lossless (collapse compression and minimized finite state recognizer), which preserve exhaustive verification capability at the cost of increased runtime requirements.
• Lossy (bitstate hashing and hash-compact methods) to further reduce memory requirements. However, this approach does not guarantee exhaustive verification, which may result in a suboptimal solution.
SPIN supports Promela (acronym for Process Meta Language), a high-level language for modeling system and LTL properties. Promela is a C-like meta-language with very limited expressiveness in order for verification to be efficient, and supports embedded C-code as part of the model specification.

LTL Path Planning for High-Level UGV Missions
Path planning for high-level UGV missions determines a motion sequence that a UGV must follow to fulfill a given mission specification. This specification can be formulated as an LTL property ϕ, describing the order or frequency (eventually or infinitely often) in which truth assignments to atomic propositions in Π must occur for a correct mission execution.
LTL path planning for high-level UGV missions is a decision-making process through a nondeterministic A S using a model checker for ¬ ϕ [25]. The nondeterministic transitions of A S correspond to UGV motions limited by the neighborhood (typically, four neighbors) regardless of the mission. The model checker searches for a counterexample trace σ |= ϕ that, by not satisfying ¬ ϕ, fulfills the given LTL property ϕ. Thus, the transitions that produce σ define the UGV motion sequence that satisfies the specified mission.

DEM-Based LTL Path Planning for High-Level UGV Missions
This section presents the core methodology of our framework, detailing the design of the LTL-based path planner for UGV missions on uneven terrains. First, we introduce the definition of the system model according to motion constraints. Next, the SPIN-efficient general LTL formulas designed for high-level UGV missions are proposed. Then, we describe the workflow of LTL model checking using the SPIN tool, emphasizing the optimization techniques employed to cope with state-space explosion. Finally, the section concludes with the interpretation of the LTL model checking results for path planning for UGV missions on DEMs.

System Model According to Motion Constraints
In this paper, we address path planning for UGV missions on uneven terrains that can be modeled as a DEM, which can be represented by a matrix Z ∈ M n×m (R) with the altitude in a map projection system (regular grid with distance δ between points, i.e., DEM cell resolution). We propose a path planner for high-level UGV mission specifications based on DEM and LTL model checking, where UGV motion between DEM cells is constrained by asymmetric slope traversability conditions [26], which depend on both the robot and the terrain [27,28]. Traversability is defined as matrix T ∈ M n×m ({0, 1} ℓ ), where each element t(i, j) is a Boolean ℓ-vector representing motion feasibility from (i, j) to its ℓ-neighbors according to slope α, computed as Elements of t(i, j) are denoted by t(i, j, θ o ), ∀o ∈ {1, 2, . . ., ℓ}, where θ o is the outward heading toward neighboring cells (i o , j o ), i.e., a multiple of π/2 or π/4 rad for ℓ = 4 or ℓ = 8, respectively: and α min and α max are the minimum and maximum UGV slope constraints, respectively. We adopted null heading for the eastern direction and counterclockwise angle increments.
The system representing the UGV motion on a DEM is modeled as A S , a nondeterministic transition system whose states at discrete time k are given by ⟨i, j, θ⟩ k , where (i, j) represents cell coordinates and θ is the inward heading. As for transitions, we reduce the number of valid transitions by defining motion constraints in order to cope with the state-space explosion and to reduce the computational cost. In particular, as shown in Figure 1, transitions in A S are defined by a conjunction of four Boolean constraints: (a) slope traversability T; (b) DEM n × m limits; (c) the set Θ of allowed on-cell turns (θ o − θ), which is Θ = {0, ±π/2} for ℓ = 4 (i.e., removing red values from Figure 1), and can be either Θ = {0, ±π/4} (i.e., removing blue values from Figure 1) or Θ = {0, ±π/4, ±π/2} for ℓ = 8, depending on UGV kinematics constraints; and (d) a specific constraint for diagonal transitions requiring that the adjacent four neighboring cells are traversable (e.g., the transition to θ k+1 = π/4 also depends on traversabilities to θ k+1 = 0 and θ k+1 = π/2).
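The four transition constraints (a)-(d) can be sketched in a few lines of Python; this is an added example, not the authors' Promela model. The slope equation is not reproduced on this page, so the code assumes α = atan(Δz / horizontal distance), and the row-index direction, the names `traversability`, `successors`, `STEP` and the 3×3 DEM are all constructed for illustration.

```python
import math

# Headings are integer multiples of pi/4: 0 = east, counterclockwise (the
# page's convention). Assumption: row index i grows southward, so north is i-1.
STEP = {0: (0, 1), 1: (-1, 1), 2: (-1, 0), 3: (-1, -1),
        4: (0, -1), 5: (1, -1), 6: (1, 0), 7: (1, 1)}


def traversability(Z, delta, a_min, a_max):
    """Return T with T[i][j][o] True when leaving (i, j) toward heading o is feasible.

    Covers constraint (a), the asymmetric slope window, and (b), the DEM limits.
    Assumed slope: alpha = atan(dz / horizontal distance); not taken from the page.
    """
    n, m = len(Z), len(Z[0])
    T = [[[False] * 8 for _ in range(m)] for _ in range(n)]
    for i in range(n):
        for j in range(m):
            for o, (di, dj) in STEP.items():
                io, jo = i + di, j + dj
                if not (0 <= io < n and 0 <= jo < m):
                    continue                          # (b) outside the DEM
                dist = delta * math.hypot(di, dj)     # diagonal steps are longer
                alpha = math.atan2(Z[io][jo] - Z[i][j], dist)
                T[i][j][o] = a_min <= alpha <= a_max  # (a) slope window
    return T


def successors(state, T, turns):
    """Valid A_S transitions from <i, j, theta>; `turns` is Theta in units of pi/4."""
    i, j, theta = state
    out = []
    for turn in turns:                                # (c) allowed on-cell turns
        o = (theta + turn) % 8
        if not T[i][j][o]:
            continue
        if o % 2 == 1 and not (T[i][j][(o - 1) % 8] and T[i][j][(o + 1) % 8]):
            continue                                  # (d) diagonal needs both adjacent moves
        di, dj = STEP[o]
        out.append((i + di, j + dj, o))               # new inward heading is o
    return out


# Constructed 3x3 DEM (metres): a 0.2 m bump in the centre cell, delta = 1 m.
Z_DEMO = [[0.0, 0.0, 0.0],
          [0.0, 0.2, 0.0],
          [0.0, 0.0, 0.0]]
A_MIN, A_MAX = -math.pi / 18, math.pi / 12            # slope limits used for the synthetic DEM
T_DEMO = traversability(Z_DEMO, 1.0, A_MIN, A_MAX)
TURNS_4 = (0, 2, -2)                                  # Theta = {0, +-pi/2}
TURNS_8_NARROW = (0, 1, -1)                           # Theta = {0, +-pi/4}
TURNS_8_WIDE = (0, 1, -1, 2, -2)                      # Theta = {0, +-pi/4, +-pi/2}

if __name__ == "__main__":
    # Climbing onto the bump is allowed, driving off it eastward is not.
    print(successors((1, 0, 0), T_DEMO, TURNS_4))
    print(successors((1, 1, 0), T_DEMO, TURNS_8_NARROW))
```

On the bump cell the diagonal slopes are within limits, yet the diagonal moves are still rejected because the adjacent straight moves are too steep downhill, which is exactly the effect of constraint (d).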

LTL Formulas for High-Level UGV Mission Specifications
In this paper, we introduce two SPIN-efficient general LTL formulas for representative high-level UGV missions. With this purpose, we define a set X of non-overlapping state partitions. Each partition X p = {⟨i p1 , j p1 , θ p1 ⟩, ⟨i p2 , j p2 , θ p2 ⟩, . . .} ∈ X consists of a set of states to which an atomic proposition π p is associated: Only mission-relevant DEM cells need to be considered in the partitions. The mission specification for a partition is fulfilled if the UGV can reach any state within the partition with the corresponding inward heading.
Regarding the optimization criterion, SPIN imposes minimization of the number of counterexample states. Thus, the objective of the path planner for high-level UGV mission is to obtain a path with the minimum number of A S transitions that reaches all goal partitions of a specified set G = {G 1 , G 2 , . . ., G |G| } ⊆ X . Furthermore, mission specifications can include (1) a partition of forbidden states, F ∈ X : F ∉ G associated to atomic proposition π f , and/or (2) the requirement to return to the initial cell coordinates (i 0 , j 0 ) after the mission is completed using an atomic proposition π r , where Θ r is the specified set of allowed inward headings for returning. When verifying complex systems with SPIN, it is crucial to choose LTL formulas that enable efficient state-space exploration [25]. LTL formulas that use the temporal operator U (until) explicitly enforce a strict event order and avoid certain conditions, which reduces the state space, making it easier for SPIN to find counterexamples. Conversely, LTL formulas with global restrictions and nested eventualities (e.g., can slow down the state-space exploration process. Therefore, we propose two general LTL formulas using U for reaching goal partitions G:
1. In a given order (i.e., G 1 then G 2 , and so on), where
2. In an unspecified order,
Moreover, the following three simplifying conditions could be considered in actual missions:

• There is a single goal partition, i.e., |G| = 1;
• There is no forbidden partition (F = ∅), i.e., π f = ⊥;
• The UGV must not return to the initial cell, i.e., π r = ⊤.
Using different combinations of these simplifying conditions in Equations (10) and (11) results in the well-known simple LTL formulas presented in Table 1. This result corroborates the generality of the proposed formulas, which can be applied for more complex missions.
|G| > 1 and in a given order no no |G| > 1 and no specific order no no

LTL Model Checking Workflow with SPIN
In this work, we adopted the SPIN workflow with breadth-first search (BFS) [17] for synthesizing an LTL path planner for high-level UGV missions (see Figure 2). Unlike the default depth-first search, which is more suitable for model checking than for planning, BFS can find a counterexample with the shortest trace at a lower computational cost.
This workflow begins with using Promela to model A S and the LTL property to be verified. This Promela source file is used by SPIN to generate an LTL verification program in ANSI C. Then, our compile time options for specific search optimization techniques are partial order reduction, the BFS algorithm (-DBFS), and lossless collapse compression (-DCOLLAPSE). Then, an iterative LTL verification process is performed until either no new nodes are added to the unweighted search graph (i.e., no counterexample is found) or a trail file is generated with the shortest counterexample (i.e., A S does not satisfy the LTL property).

LTL Model Checking for Synthesizing a Path Planner for UGV Missions
Since A S was designed considering motion constraints, these can be omitted from LTL model checking for path planning that fulfills the high-level UGV mission. The LTL property used to verify in the LTL model checking workflow (see Figure 2) is a negated LTL mission specification ¬ ϕ, i.e., the negation of (10) or (11) (or other simplified or derived formula from these). For LTL path planning, "no counterexample" means that the UGV mission cannot be satisfied; otherwise, the trail file returns the shortest counterexample, which needs to be mapped from the product automaton states to the system model states to obtain a DEM path.
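The planning-as-counterexample idea can be reproduced outside SPIN with a plain breadth-first search over pairs (system state, mission progress); this is an added Python stand-in, not the authors' Promela model or SPIN's algorithm as implemented. It assumes that, in an ordered mission, crossing a later goal early is allowed but does not count; `plan`, `cells`, `grid_successors` and the 3×4 four-neighbor grid are constructed for illustration.

```python
from collections import deque


def plan(start, successors, goals, forbidden=frozenset(), ordered=True,
         must_return=True):
    """Shortest state sequence fulfilling the mission, or None if it is infeasible.

    goals: list of partitions (sets of <i, j, theta> states); forbidden: set of states.
    None plays the role of SPIN reporting "no counterexample".
    """
    def progress(done, s):
        # Mission-automaton step: mark the goal partition reached on entering s.
        for p, part in enumerate(goals):
            if s in part and p not in done and (not ordered or p == len(done)):
                return done | {p}
        return done

    def accepted(done, s):
        if len(done) < len(goals):
            return False
        return (not must_return) or s[:2] == start[:2]   # any inward heading

    root = (start, progress(frozenset(), start))
    parent = {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        s, done = node
        if accepted(done, s):
            path = []
            while node is not None:       # map product states back to system states
                path.append(node[0])
                node = parent[node]
            return path[::-1]
        for nxt in successors(s):
            if nxt in forbidden:
                continue
            child = (nxt, progress(done, nxt))
            if child not in parent:
                parent[child] = node
                queue.append(child)
    return None


# Constructed 3x4 grid, headings in units of pi/2 (0 = east, counterclockwise),
# on-cell turns {0, +-pi/2}; a stand-in for A_S without slope constraints.
N_ROWS, N_COLS = 3, 4
MOVE = {0: (0, 1), 1: (-1, 0), 2: (0, -1), 3: (1, 0)}


def grid_successors(state):
    i, j, theta = state
    out = []
    for turn in (0, 1, -1):
        o = (theta + turn) % 4
        ni, nj = i + MOVE[o][0], j + MOVE[o][1]
        if 0 <= ni < N_ROWS and 0 <= nj < N_COLS:
            out.append((ni, nj, o))
    return out


def cells(*ij):
    """Partition made of the given cells with every inward heading."""
    return frozenset((i, j, th) for i, j in ij for th in range(4))


if __name__ == "__main__":
    far, near = cells((2, 3)), cells((2, 1))
    print(plan((2, 0, 0), grid_successors, [far, near], must_return=False))
    print(plan((2, 0, 0), grid_successors, [far, near], ordered=False,
               must_return=False))
```

Because the search is breadth-first over an unweighted graph, the first accepted node gives the path with the fewest states, the same criterion the page attributes to SPIN.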

Experimental Methodology
This section describes the hardware and software used in the experiments, defines a baseline path planner for comparison, and presents mission specifications for a synthetic DEM and a larger-scale real-world DEM.

Hardware and Software
The DEM-based LTL path planner was executed on a 2.10 GHz i7-13700F processor made by Intel Corp. (Santa Clara, CA, USA) with 16 GB of RAM, running Microsoft© Windows 11 Pro. The required software was installed in a container on Docker Desktop v.4.32.0 including Ubuntu 22.04.4 LTS and MATLAB R2023b by Mathworks (Natick, MA, USA) to run the main planner script and generate graphical representations. SPIN v6.5.2 was used as the model checker, gcc 11.4.0 as the C compiler, and Promela to (1) describe the system models with embedded C-code as part of the model specification and (2) formulate DEM-based high-level UGV missions as LTL properties.

Comparison with a Baseline Path Planner
In this article, we propose an approach for SPIN-based LTL path planning on DEMs by defining a system model that incorporates the set of UGV motion constraints, allowing these constraints to be omitted from LTL model checking. This contrasts with previous works in LTL path planning [7,8,10], where a single generalized LTL formula integrates both the desired robot behavior and the environment assumptions.
To the best of our knowledge, no previous works have addressed LTL path planning on DEMs. Therefore, for comparison purposes, we define a baseline SPIN-based LTL path planner with a generalized LTL formula integrating mission specification and motion constraints on DEMs, and a system model that only considers cell neighborhoods for transitions.
In this baseline planner, the generalized LTL formula is which means that the mission specification ϕ must be satisfied, and all motion constraints must always be fulfilled. In particular, the truth assignments to the four motion constraints described in Section 3.1 are defined as atomic propositions π a , π b , π c , and π d , respectively, from the current ⟨i, j, θ⟩ k and previous ⟨i, j, θ⟩ k−1 model states, as follows:

Mission Specifications in a Synthetic DEM
We defined a synthetic DEM with obstacles, mounds, and slopes (see Figures 3-6), with n × m = 17 × 17 and δ = 1 m. The DEM has a forbidden partition F indicated by cells marked with an "X", and four mission-oriented partitions, X 1 to X 4 , represented by cells labeled with corresponding numbers.
Partition X 1 (and also X 3 ) exemplifies cells from different regions sharing the same role in the mission (e.g., charging stations or communication relays that could be distributed throughout the environment). Moreover, partitions X 3 and X 4 need to be given inward headings (indicated by triangle cell labels).
As for the UGV, the initial state ⟨i, j, θ⟩ 0 = ⟨15, 4, 3π/2⟩ is depicted as a red spot with an arrow for the heading. We adopted UGV slope constraints α min = −π/18 rad (−10°) for downhill and α max = π/12 rad (15°) for uphill, which are representative of asymmetric behaviour of actual UGVs [26].
Four distinctive high-level UGV missions were analyzed:
1. The UGV must eventually reach X 1 to X 4 in the given order, avoiding F , to finally return to (i 0 , j 0 ) with any inward heading (i.e., Θ r = {θ , 0 ≤ θ ≤ 2π}): To enhance clarity, extra parentheses have been added to the LTL formula, even though the LTL grammar in Section 2.1 specifies that the U operator is left-associative, as is typical in SPIN's interpretation.
2. The UGV must eventually reach X 1 to X 4 with no specific order, avoiding F , to finally return to (i 0 , j 0 ) with any inward heading:
3. Example of a combination of Equations (10) and (11), see Figure 5. The UGV must eventually reach X 1 , then X 2 , and then X 3 and X 4 with no specific order, avoiding F , to finally return to (i 0 , j 0 ) with any inward heading:
4. Example of a simplified LTL formula (Table 1), see Figure 6. The UGV must eventually reach X 4 , avoiding F , to finally return to (i 0 , j 0 ) with any inward heading:

Mission Specification in a Real DEM
Additionally, to evaluate planning performance in a larger-scale real-world DEM, we used an n × m = 292 × 232 DEM with δ = 2 m obtained from an aerial orthophoto (see Figure 7). This DEM captures 135,488 m² of an experimental area for realistic disaster response exercises [29], featuring dirt roads, rubble mounds, diverse vegetation, crushed vehicles, and partially buried pipelines [30]. In this case, the high-level UGV mission specification corresponds to a casualty evacuation starting from ⟨i, j, θ⟩ 0 = ⟨366,991, 4,064,448, π/2⟩ depicted as a red spot with an arrow for the heading. The forbidden partition, marked by black cells, represents areas occupied by victims and tents. The goal partitions, marked by yellow cells, are designated areas close enough for the UGV to access and assist the victims while maintaining a safe distance. As for the UGV slope constraints, we consider appropriate values for safe casualty evacuation, i.e., α min = −π/18 rad (−10°) for downhill and α max = π/30 rad (6°) for uphill.
The mission is specified by the following LTL formula: i.e., the UGV must eventually reach two geolocated victims to evacuate them to a medical tent and finally return to the robotic tent.

Experimental Results
This section discusses the resulting paths, compares experimental results of the proposed method with respect to the baseline LTL path planner described in Section 4.2, and analyzes performance.

Path Planning Analysis
Figures 3-7 illustrate the resulting paths (red lines) for the UGV example missions, Equations (14)-(18), respectively. The arrows are color-coded to show the UGV's motion toward each goal partition in the mission sequence. The same color is used in the macron mark above the corresponding partition number in the goal cell. Different colors in the arrows indicate the UGV motion toward the next goal partition to be reached.
For the synthetic DEM, Figures 3-6 show results for the different on-cell turn constraints Θ. In the first three missions, only Θ = {0, ±π/2} and Θ = {0, ±π/4, ±π/2} produce result paths. The limited maneuverability of Θ = {0, ±π/4}, which does not allow π/2 turns, prevents paths from being found without encountering obstacles or reaching the DEM boundary limits. This limitation is evident in the wide loop around the elevated area on top of Figure 6b for ϕ 4 , which is the only mission that achieves a path with this motion constraint.
In Figure 3, both paths satisfy the goal partition order specified by ϕ 1 . However, different turn constraints cause partition X 3 to be reached at different states. The shortest path length (84 vs. 109 states) is achieved with the least restrictive maneuverability (i.e., Figure 3b). Figure 4 corresponds to ϕ 2 , which does not impose a specific order. As a result, the goal partition sequence is different: X 2 , X 4 , X 3 , and X 1 for Θ = {0, ±π/2} (see Figure 4a), and X 1 , X 3 , X 4 , and X 2 for Θ = {0, ±π/4, ±π/2} (see Figure 4b), reducing the path length (93 vs. 70). Figure 5 corresponds to ϕ 3 , where the order for the last two partitions was not specified. In this case, both turn constraints yield the same goal partition sequence, even if the least restrictive maneuverability (see Figure 5b) produces a shorter path (80 vs. 105). Figure 6 corresponds to ϕ 4 , a simpler mission that only needs to reach X 4 before returning to the initial position (in any heading). This figure illustrates the difference between the path length in terms of states (seen as the number of traversed cells), which is the LTL optimization criterion imposed by SPIN, and the actual path length (since diagonal cell motions are longer). Thus, paths in Figure 6a-c have 55, 48, and 44 states that correspond to 54 m, 54.9 m, and 47.6 m, respectively.
As for the real DEM, Figure 7 illustrates the path for the multi-victim evacuation mission ϕ 5 specified by Equation (18). In particular, the figure shows the path for Θ = {0, ±π/2}. Figure 7a reveals that the resulting path is close to the dirt roads in the environment, which correspond mostly with low terrain gradients (as seen in Figure 7b).

Comparison with the Baseline Path Planner
Table 2 offers a comparison of the proposed method against the baseline LTL path planner (see Section 4.2) for mission specifications in synthetic (ϕ 1 to ϕ 4 ) and real-world (ϕ 5 ) DEMs. The table presents the total computation time t total and partial times for the LTL workflow processes (see Figure 2): t SPIN for the generation of the LTL verifier in C, t comp for the compilation, t search for the breadth-first search for the counterexample, and t map for the mapping of the shortest path. Additionally, the table shows the number of explored states and the required memory during the counterexample search phase, as well as the length (i.e., the number of A S states) of the resulting shortest path. Furthermore, the path for each LTL mission specification has been computed for three different sets Θ of allowed on-cell turns (see Section 3.1).
Both LTL path planners leverage SPIN's specific search optimization techniques, which reduce the number of explored states and the required memory. Consequently, the memory requirements and the number of explored states are the same for both methods. The state-space explosion problem (i.e., reaching the memory limit of 16,384 MB in our hardware platform) occurs for both cases with ℓ = 8 in the real-world DEM, so no resulting paths are provided. This can be explained by the real-world DEM having a significantly larger number of cells and a higher ratio of children per node due to the smoother terrain compared to the synthetic DEM.
To achieve a solution with the available hardware, we selected the lossy "bitstate hashing" (-DBITSTATE) compression method in the compile options. Table 2 shows the results using both -DCOLLAPSE and -DBITSTATE. With the lossy method, the computational time for ϕ 5 with Θ = {0, ±π/2} was reduced by 70.4%, the state-space explosion problem was mitigated (reducing the required memory by 88.2%), and the resulting suboptimal path length was equal to the shortest path length obtained with lossless compression. All in all, Table 2 shows an average reduction of 52.4% in t total with our proposal compared to the baseline planner. The most remarkable decrease occurs in t SPIN , where the lower complexity of the LTL property reduces the generation time of the C-file verifier (37.2%) and, consequently, the compilation time t comp (72%).

Performance Analysis
The results for different DEM sizes in Table 2 (i.e., 17 × 17 for ϕ 1 to ϕ 4 in the synthetic DEM, and 292 × 232 for ϕ 5 in the real-world DEM) indicate that DEM size mainly affects t search but is not relevant for other processes of the SPIN workflow. The real-world environment is larger and has a smoother relief, which causes a higher number of states and valid transitions in the system model A S . This can explain the higher memory (about 16 GB, for the real-world mission vs. 160 MB for synthetic DEMs) needed to save the nodes expanded (about 3.9 × 10 6 vs. 0.26 × 10 6 , respectively) by the BFS algorithm.
The set Θ also influences the counterexample search time. Thus, the less restrictive set Θ = {0, ±π/4, ±π/2} implies a higher ratio of children per node in each BFS iteration, which increases t search and t total but could reduce the resulting path length. For Θ = {0, ±π/4}, a larger number of traversable neighboring cells are required to move through the environment, which, in some cases (e.g., ϕ 1 , ϕ 2 and ϕ 3 ), prevents finding a path that satisfies the mission.
The complexity of the system model and/or the LTL formula describing the high-level mission specification, i.e., the number of states of the automaton product A S ⊗ A ¬ ϕ , affects t SPIN and t comp . Thus, for LTL formulas with lower complexity, i.e., ϕ 4 and ϕ 5 , these times are shorter. t map is negligible, with values between 100 and 500 ms, increasing slightly for longer path lengths.

Conclusions
In this paper, we proposed a SPIN-based linear temporal logic (LTL) path planner for uncrewed ground vehicle (UGV) missions on uneven terrain. Our approach leverages existing search optimization techniques available in the open-source Simple Promela Interpreter (SPIN) model checker. First, the system model incorporates UGV motion constraints for a digital elevation model (DEM), including factors such as asymmetric slope limitations and maneuverability constraints like on-cell turns. These constraints are integrated into the system model, allowing them to be omitted from the LTL model checking process and focusing solely on verifying mission specifications. To enhance the efficiency of state-space exploration, we defined two general SPIN-efficient LTL formulas for specifying UGV missions. These formulas allow for reaching a set of goal DEM partitions in either a specified or unspecified order. The proposed planner was implemented using SPIN with customized search optimization parameters.
For experimental analysis, the planner was validated on both synthetic and real-world DEMs. Specifically, we tested four representative high-level missions on a synthetic DEM and applied the framework to plan a multi-victim evacuation mission in a real large-scale DEM of 135,488 m². The experimental results show that our approach significantly reduces the total planning time, particularly in the generation and compilation of the LTL verifier's source code, compared to a baseline planner. While both approaches apply SPIN's search optimization techniques, resulting in no significant differences in path search time, our method demonstrates clear advantages in the preparatory stages of the planning process. Regarding the observed limitations, the proposed method encounters scalability challenges in large-scale DEMs. This is a common issue for graph-search approaches.
In future work, it will be valuable to explore enhancements to search algorithms in directed weighted transition systems that model UGV motion over DEMs with a broader set of motion constraints. These constraints could encompass non-uniform velocities and any-angle motion primitives. Furthermore, focusing on optimizing travel time rather than just the number of cells traversed may offer a more effective criterion for path planning in time-critical missions within challenging environments. Furthermore, future work will address the integration of the planner into the control architecture of a UGV with appropriate path tracking and motion control methods for rough terrain.

Table 2. Comparison of the proposed method against the baseline LTL path planner in synthetic and real-world DEMs: computation times, explored states, required memory, and path length.