Integrating Runtime Verification into an
Automated UAS Traffic Management System

Matthew Cauwels, Abigail Hammer, Benjamin Hertz, Phillip H. Jones, Kristin Y. Rozier

This webpage contains supplementary specifications for "Integrating Runtime Verification into an
Automated UAS Traffic Management System" by M. Cauwels, A. Hammer, B. Hertz, P. H. Jones, and K. Y. Rozier

OR_UTM_20

Specification Description

The latitude (conLat) of any conflict will be bounded between LatLB and LatUB

Signals Required

conLat

Boolean Conversion of Signals to Atomic Inputs

conLat_leq_LatUB = 1;
for(i = 0; i < NumUAS; i++)
{
    // if UAS i's conLat is greater than the upper bounded
    // and the value is not "nan"
    if((conLat[i] > LatUB) && (conLat[i] == conLat[i])
    { 
        conLat_leq_LatUB = 0;
    }
}                       
conLat_geq_LatLB = 1;
for(i = 0; i < NumUAS; i++)
{
    // if UAS i's conLat is less than the lower bounded
    // and the value is not "nan"
    if((conLat[i] < LatLB) && (conLat[i] == conLat[i])
    { 
        conLat_geq_LatLB = 0;
    }
}

MLTL Specification

Original: conLat_leq_LatUB ∧ conLat_geq_LatLB

Updated: ☐[0,3] (conLat_leq_LatUB ∧ conLat_geq_LatLB)

Fault Explanation

Any conflict should be within the UTM's airspace

Additional Notes

Figures

Figure 1: All of the latitude (conLat) inputs from each GCS the UTM reads from the conflict datatable.
Figure 2: The output of R2U2's monitoring of specification OR_UTM_20, confirming that no conflict exceeds its operating range.
Since Fig. 1 had no conLat inputs that exceeded LatUB or LatLB, we manually injected a fault into a single conflict (orange).
Figure 4: The output of R2U2's monitoring of specification OR_UTM_20, showing that R2U2 catches when the injected fault occurs. However, notice that there is bouncing in the initial Boolean specificaiton, which can lead to undesireable false-positive alerts.
Figure 5: The output of R2U2's monitoring of the updated specification OR_UTM_20, showing that R2U2 catches when the injected fault occurs and the "☐[0,3]" temporal operator acts as a sliding filter, debouncing R2U2's output.