Integrating Runtime Verification into an
Automated UAS Traffic Management System

Matthew Cauwels, Abigail Hammer, Benjamin Hertz, Phillip H. Jones, Kristin Y. Rozier

This webpage contains supplementary specifications for "Integrating Runtime Verification into an
Automated UAS Traffic Management System"
by M. Cauwels, A. Hammer, B. Hertz, P. H. Jones, and K. Y. Rozier

OR_UTM_9

Specification Description

The longitude reference waypoint (wpLon) that any UAS is flying towards will be bounded between LonLB and LonUB.

Signals Required

wpLon

Boolean Conversion of Signals to Atomic Inputs

wpLon_leq_LonUB = 1;
for(i = 0; i < NumUAS; i++)
{
    // if UAS i's wpLon is greater than the upper bound
    // and the value is not "nan" (nan never compares equal to itself)
    if((wpLon[i] > LonUB) && (wpLon[i] == wpLon[i]))
    {
        wpLon_leq_LonUB = 0;
    }
}
wpLon_geq_LonLB = 1;
for(i = 0; i < NumUAS; i++)
{
    // if UAS i's wpLon is less than the lower bound
    // and the value is not "nan" (nan never compares equal to itself)
    if((wpLon[i] < LonLB) && (wpLon[i] == wpLon[i]))
    {
        wpLon_geq_LonLB = 0;
    }
}

MLTL Specification

Original: wpLon_leq_LonUB ∧ wpLon_geq_LonLB

Updated: ☐[0,3] (wpLon_leq_LonUB ∧ wpLon_geq_LonLB)
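The following is an added worked example, not code from the paper or from R2U2. It reproduces the Boolean conversion above (including the nan check) over a small constructed wpLon trace, evaluates both the original and the updated specification, and counts how many separate alerts each one raises. The bounds, the trace, the single-UAS fault injection and the finite-trace MLTL semantics used for ☐[lb,ub] are all assumptions made for the illustration; R2U2 itself evaluates the formula asynchronously and incrementally rather than over a stored trace.

```python
# Added example: atomics + MLTL "globally" over a constructed trace.
# LON_LB / LON_UB and the trace are constructed values, not the page's data.
NAN = float("nan")
LON_LB = -93.70
LON_UB = -93.60

# One row per timestep, one column per UAS (NumUAS = 3). UAS index 2 has no
# waypoint yet (nan) for the first two steps; UAS index 1 gets a bouncing fault
# injected at steps 4, 6 and 8, where its wpLon is pushed past LonUB.
TRACE = [
    [-93.65, -93.66, NAN],
    [-93.65, -93.66, NAN],
    [-93.65, -93.66, -93.64],
    [-93.65, -93.66, -93.64],
    [-93.65, -93.58, -93.64],   # injected fault: -93.58 > LonUB
    [-93.65, -93.66, -93.64],
    [-93.65, -93.58, -93.64],   # injected fault
    [-93.65, -93.66, -93.64],
    [-93.65, -93.58, -93.64],   # injected fault
    [-93.65, -93.66, -93.64],
    [-93.65, -93.66, -93.64],
    [-93.65, -93.66, -93.64],
]


def atomics(wp_lon, lon_lb=LON_LB, lon_ub=LON_UB):
    """Boolean conversion of one timestep: returns (wpLon_leq_LonUB,
    wpLon_geq_LonLB). A nan waypoint is skipped, mirroring the page's
    x == x test, so an aircraft with no waypoint cannot trip the check."""
    leq_ub, geq_lb = 1, 1
    for x in wp_lon:
        if x != x:              # nan never compares equal to itself
            continue
        if x > lon_ub:
            leq_ub = 0
        if x < lon_lb:
            geq_lb = 0
    return leq_ub, geq_lb


def globally(phi, lb, ub):
    """Evaluate ☐[lb,ub] phi at every index of a finite 0/1 trace.
    Assumed finite-trace semantics: the formula holds at i if the whole
    window [i+lb, i+ub] lies past the end of the trace, or if phi holds at
    every in-trace index of that window."""
    n = len(phi)
    out = []
    for i in range(n):
        lo, hi = i + lb, min(i + ub, n - 1)
        if lo > n - 1:
            out.append(1)
        else:
            out.append(int(all(phi[j] for j in range(lo, hi + 1))))
    return out


def monitor(trace=TRACE, lb=0, ub=3):
    """Return (original, updated) verdict lists for OR_UTM_9."""
    original = []
    for row in trace:
        leq_ub, geq_lb = atomics(row)
        original.append(leq_ub & geq_lb)          # original spec
    updated = globally(original, lb, ub)           # ☐[0,3] (...)
    return original, updated


def alert_intervals(verdicts):
    """Collapse runs of 0 verdicts into (start, end) pairs; each pair is one
    alert an operator would see."""
    intervals, start = [], None
    for i, v in enumerate(verdicts):
        if v == 0 and start is None:
            start = i
        elif v == 1 and start is not None:
            intervals.append((start, i - 1))
            start = None
    if start is not None:
        intervals.append((start, len(verdicts) - 1))
    return intervals


if __name__ == "__main__":
    orig, upd = monitor()
    print("original :", orig, alert_intervals(orig))
    print("updated  :", upd, alert_intervals(upd))
```

On this trace the original specification flips 1/0/1/0 across steps 4 to 8 and reports three separate violations, whereas ☐[0,3] turns the same input into one contiguous violation starting three steps before the first bad sample: the temporal operator trades a short detection latency for a stable verdict, which is the debouncing effect described under Figures below.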

Fault Explanation

Any reference waypoint the UTM reads from the telemetry datatable should lie within the UTM's operating airspace.

Additional Notes

Figures

Figure 1: All of the reference longitude waypoint (wpLon) inputs from each GCS the UTM reads from the telemetry datatable.
Figure 2: The output of R2U2's monitoring of specification OR_UTM_9, confirming that no UAS exceeds its operating range.
Figure 3: Since Fig. 1 had no wpLon inputs that fell outside the range [LonLB, LonUB], we manually injected a fault into a single UAS (purple).
Figure 4: The output of R2U2's monitoring of specification OR_UTM_9, showing that R2U2 catches when the injected fault occurs. However, notice that there is bouncing in the initial Boolean specification, which can lead to undesirable false-positive alerts.
Figure 5: The output of R2U2's monitoring of the updated specification OR_UTM_9, showing that R2U2 catches when the injected fault occurs and the "☐[0,3]" temporal operator acts as a sliding filter, debouncing R2U2's output.