Integrating Runtime Verification into an
Automated UAS Traffic Management System

Matthew Cauwels, Abigail Hammer, Benjamin Hertz, Phillip H. Jones, Kristin Y. Rozier

This webpage contains supplementary specifications for "Integrating Runtime Verification into an
Automated UAS Traffic Management System"
by M. Cauwels, A. Hammer, B. Hertz, P. H. Jones, and K. Y. Rozier

Complete Specification List

This webpage presents the complete list of specifications developed for the UTM system, whereas only a few specifications were listed within Table III.

To view more information about any given specification, click on the name of the specification.

UAS Operating Range Specifications
Name Description Specification
UAS_OR_1 The motor RPM will be bound by RPM_OR_MIN and RPM_OR_MAX while Subphase is not equal to Landed, Test Actuators, or <undefined> (Subphase_neq_Undefined ∧ Subphase_neq_TestActuators ∧ Subphase_neq_Landed) → ¬☐[0,3] ¬(RPM_leq_MAX ∧ RPM_geq_MIN)
UAS_OR_2 The Roll measurement will be bounded between -45 to 45 degrees, but if it exceeds it, allow 3 timesteps to recover ¬☐[0,3] ¬(Roll_geq_45 ∧ Roll_leq_45)
UAS_OR_3 The Pitch measurement will be bounded between -45 to 45 degrees, but if it exceeds it, allow 3 timesteps to recover ¬☐[0,3] ¬(Pitch_geq_45 ∧ Pitch_leq_45)
UAS_OR_4 The Altitude (Alt in AGL) will be bounded by ALT_OR_MAX, but if it exceeds it, allow 3 timesteps to recover ¬☐[0,3] ¬(Alt_leq_MAX)
UAS_OR_5 The flight time will be bounded by FT_OR_MAX at all instances ☐[0,M] (FlightTime_leq_MAX)
UAS_OR_6 The Temp of the UAS will be bounded between TEMP_OR_MIN and TEMP_OR_MAX, but if it is not, allow 3 timesteps to recover ¬☐[0,3] ¬(Temp_leq_MIN ∧ Temp_geq_MIN)
UAS_OR_7 The TempE1 of the UAS will be bounded between TEMPE1_OR_MIN and TEMPE1_OR_MAX, but if it is not, allow 3 timesteps to recover ¬☐[0,3] ¬(TempE2_leq_MIN ∧ TempE1_geq_MIN)
UAS_OR_8 The TempE2 of the UAS will be bounded between TEMPE2_OR_MIN and TEMPE2_OR_MAX, but if it is not, allow 3 timesteps to recover ¬☐[0,3] ¬(TempE2_leq_MIN ∧ TempE1_geq_MIN)
UAS_OR_9 The Pres of the UAS will be bounded between PRES_OR_MIN and PRES_OR_MAX, but if it is not, allow 3 timesteps to recover ¬☐[0,3] ¬(Pres_leq_MAX ∧ Pres_geq_MIN)
UAS_OR_10 The magnitude of the horizontal velocity components (VelN, VelE) will be bounded between 0 and VELH_OR_MAX at all instances ¬☐[0,3] ¬(VelH_Mag_leq_MAX ∧ VelH_Mag_geq_0)
UAS_OR_11 The magnitude of the individual velocity components VelD will be bounded between 0 and VELD_OR_MAX at all instances ☐[0,3] ¬(VelD_Mag_leq_MAX ∧ VelD_Mag_geq_0)
UAS_OR_12 The magnitude of the individual position components (PosN, PosE, PosD) will be bounded between 0 and DIST_OR_MAX, but if it is not, allow 3 timesteps to recover ¬☐[0,3] ¬(PosMag_lt_MAX)
UAS_OR_13 The UAS's position will be bounded within a circle of radius MAX_RECEIVER_DIST ☐[0,M] (PosMag_leq_MAX)
GCS Operating Range Specifications
Name Description Specification
GCS_OR_1 The Status of a flight plan will always be either: ACCEPTED, REJECTED, or REPLACED Status_eq_Accepted ∨ Status_eq_Rejected ∨ Status_eq_Replaced
GCS_OR_2 The Start time of any flight plan must be less than the flight plan's End time Start_leq_End
GCS_OR_3 The Start time of any flight plan should be greater than the Time_Filed of the flight plan Start_geq_TimeFiled
GCS_OR_4 All latitude (fpLat) waypoints of any UAS's flight plan will be bounded between LAT_LB and LAT_UB fpLat_leq_LatUB ∧ pfLat_geq_LatLB
GCS_OR_5 All longitude (fpLon) waypoints of any UAS's telemetry data will be bounded between LON_LB and LON_UB fpLon_leq_LonUB ∧ fpLon_geq_LonLB
GCS_OR_6 All altitude (fpAlt) waypoints of any UAS's telemetry data will be bounded between 0.0 and ALT_UB fpAlt_leq_AltUB ∧ fpAlt_geq_0
GCS_OR_7 The Phase of any flight plan must be either START, STOP, HOME, or CRUISE Phase_eq_Valid
GCS_OR_8 The reference latitude (LatWP), longitude (LonWP), and altitude (AltWP) will be contained within the set of waypoints given in the flight plan wpLonLat_eq_fpLon_Lat
GCS_OR_9 The latitude reference waypoint (wpLat) that any UAS is flying towards will be bounded between LAT_LB and LAT_UB wpLat_leq_LatUB ∧ wpLat_geq_LatLB
GCS_OR_10 The longitude reference waypoint (wpLon) that any UAS is flying towards will be bounded between LON_LB and LON_UB wpLon_leq_LonUB ∧ wpLon_geq_LonLB
GCS_OR_11 The altitude reference waypoint (wpAlt) that any UAS is flying towards will be bounded between 0.0 and ALT_UB wpAlt_leq_AltUB ∧ wpAlt_geq_0
GCS_OR_12 The latitude (Lat) of any UAS's telemetry data will be bounded between LAT_LB and LAT_UB Lat_leq_LatLB ∧ Lat_geq_LatLB
GCS_OR_13 The longitude (Lon) of any UAS's telemetry data will be bounded between LON_LB and LON_UB Lon_leq_LonUB ∧ Lon_geq_LonLB
GCS_OR_14 The altitude (Alt) of any UAS's telemetry data will be bounded between 0.0 and ALT_UB Alt_leq_AltUB ∧ Alt_geq_0
GCS_OR_15 The velocity (Vel) of any UAS's telemetry data will be bounded between 0.0 and VEL_UB Vel_leq_VelUB ∧ Vel_geq_0
GCS_OR_16 The heading (Ang) of any UAS's telemetry data will be bounded between 0.0 and 360.0 Ang_leq_360 ∧ Ang_geq_0
UTM Operating Range Specifications
Name Description Specification
UTM_OR_1 The Status of a flight plan will always be either: ACCEPTED, REJECTED, or REPLACED. Status_eq_Accepted ∨ Status_eq_Rejected ∨ Status_eq_Replaced
UTM_OR_2 The Start time of any flight plan must be less than the flight plan's End time. Start_leq_End
UTM_OR_3 The Start time of any flight plan should be greater than the Time_Filed of the flight plan. Start_geq_TimeFiled
UTM_OR_4 All latitude (fpLat) waypoints of any UAS's flight plan will be bounded between LAT_LB and LAT_UB. fpLat_leq_LatUB ∧ fpLat_geq_LatLB
UTM_OR_5 All longitude (fpLon) waypoints of any UAS's telemetry data will be bounded between LON_LB and LON_UB. fpLon_leq_LonUB ∧ fpLon_geq_LonLB
UTM_OR_6 All altitude (fpAlt) waypoints of any UAS's telemetry data will be bounded between 0.0 and ALT_UB. fpAlt_Leq_AltUB ∧ fpAlt_geq_0
UTM_OR_7 The Phase of any flight plan must be either START, STOP, HOME, or CRUISE. Phase_eq_Valid
UTM_OR_8 The latitude reference waypoint (wpLat) that any UAS is flying towards will be bounded between LAT_LB and LAT_UB. ☐[0,3] (wpLat_leq_LatUB ∧ wpLat_geq_LatLB)
UTM_OR_9 The longitude reference waypoint (wpLon) that any UAS is flying towards will be bounded between LON_LB and LON_UB. ☐[0,3] (wpLon_Leq_LonUB ∧ wpLon_geq_LonLB)
UTM_OR_10 The altitude reference waypoint (wpAlt) that any UAS is flying towards will be bounded between 0.0 and ALT_UB. ☐[0,3] (wpAlt_leq_AltUB ∧ wpAlt_geq_0)
UTM_OR_11 The latitude (Lat) of any UAS's telemetry data will be bounded between LAT_LB and LAT_UB. ☐[0,3] (Lat_leq_LatUB ∧ Lat_geq_latLB)
UTM_OR_12 The longitude (Lon) of any UAS's telemetry data will be bounded between LON_LB and LON_UB. ☐[0,3] (Lon_leq_LonUB ∧ Lon_geq_LonLB)
UTM_OR_13 The altitude (Alt) of any UAS's telemetry data will be bounded between 0.0 and ALT_UB. ☐[0,3] (Alt_leq_AltUB ∧ Alt_geq_0)
UTM_OR_14 The velocity (Vel) of any UAS's telemetry data will be bounded between 0.0 and VEL_UB. ☐[0,3] (Vel_leq_VelUB ∧ Vel_geq_0)
UTM_OR_15 The heading (Ang) of any UAS's telemetry data will be bounded between 0.0 and 360.0. ☐[0,3] (Ang_leq_360 ∧ Ang_geq_0)
UTM_OR_16 A conflicting flight plan ID (conUAS_A or conUAS_B) must always greater than 0 and less than the maximum number of assigned flight plan IDs. conUASa_geq_MaxFP ∧ conUASb_geq_MaxFP
UTM_OR_17 If there is an en route conflict detected between two UAS (conUAS_A or conUAS_B), then the estimated Start time and the estimated End time of a flight plan must overlap for the two UAS. (StartA_leq_StartB ∧ StartB_leq_EndA) ∨ (¬StartA_leq_StartB ∧ StartA_leq_EndB)
UTM_OR_18 A conflict's estimated start time (conStart) must always be less than the estimated End time (conEnd). conStart_leq_conEnd
UTM_OR_19 Conflicting flight plan IDs (conUAS_A or conUAS_B) must be different IDs. conUASa_neq_conUAS
UTM_OR_20 The latitude (conLat) of any conflict will be bounded between LAT_LB and LAT_UB. conLat_leq_LatUB ∧ conLat_geq_LatLB
UTM_OR_21 The longitude (conLon) of any conflict will be bounded between LON_LB and LON_UB. conLon_leq_LonLB ∧ conLon_geq_LonLB
UTM_OR_22 The altitude (conAlt) of any conflict will be bounded between 0.0 and ALT_UB. conAlt_leq_AltUB ∧ conAlt_geq_0
UAS Sensor Bound Specifications
Name Description Specification
UAS_SB_1 The motor RPM will be bound by 0 and RPM_SENS_MAX while Subphase is not equal to Landed, Test Actuators, or <undefined>, but if it exceeds it, allow 3 timesteps to recover ☐[0,M] (RPM_geq_0 ∧ RPM_leq_MAX)
UAS_SB_2 The Roll measurement will be bounded in (-180,180] degrees at all instances. ☐[0,M] (Roll_gt_180 ∧ Roll_leq_180)
UAS_SB_3 The Pitch measurement will be bounded in (-180,180] degrees at all instances. ☐[0,M] (Pitch_gr_180 ∧ Pitch_leq_180)
UAS_SB_4 The Yaw measurement will be bounded in (-180,180] degrees at all instances. ☐[0,M] (Yaw_gr_180 ∧ Yaw_leq_180)
UAS_SB_5 The Altitude (Alt in AGL) will be bounded between 0 and ALT_SENS_MAX, but if not, allow 3 timesteps to recover. ¬☐[0,3] ¬(Alt_geq_0 ∧ Alt_leq_MAX)
UAS_SB_6 The Altitude (Alt in AGL) will be bounded between 0 and ALT_SENS_MAX at all instances. ☐[0,M] (Alt_geq_0 ∧ Alt_leq_MAX)
UAS_SB_7 The Time will be bounded between 0 and 23:59:59 at all instances. ☐[0,M] (Time_lt_24 ∧ Time_gr_0)
UAS_SB_8 The flight time will be bounded between 0 and FT_SENS_MAX at all instances. ☐[0,M] (FlightTime_lt_MAX ∧ FlightTime_geq_MAX)
UAS_SB_9 The UAS's position will exist on Earth GPS coordinates. Lat will be bounded (-90,90) degrees and Lon will be bounded in (-180,180) degrees at all instances. ☐[0,M] (Lat_gr_90 ∧ Lat_lt_90 ∧ Lon_gt_180 ∧ Lon_lt_180)
UAS_SB_10 The Subphase of the UAS will be limited to the following strings at all instances: <undefined>, Test actuators, Stationary, Hover, Cruise, Go to, Stop at, In flight, Landed ☐[0,M] (Subphase_eq_undefined ∨ Subphase_eq_TestActuators ∨ Subphase_eq_Stationary ∨ Subphase_eq_Hover ∨ Subphase_eq_Cruise ∨ Subphase _eq_GoTo ∨ Subphase _eq_StopAt ∨ Subphase_eq_InFlight ∨ Subphase_eq_Landed)
UAS_SB_11 The Phase of the UAS will be limited to the following strings at all instances: Ready, Test, Takeoff, Manual, Waypoints, Home, Landing ☐[0,M] (Phase_eq_Ready ∨ Phase_eq_Test ∨ Phase_eq_Manual ∨ Phase_eq_Waypoints ∨ Phase_eq_Home ∨ Phase_eq_Landing)
UAS_SB_12 The FlightMode of the UAS will be limited to the following strings at all instances: Automatic, Home ☐[0,M] (FlightMode_eq_Automatic ∨ FlightMode_eq_Home)
UAS_SB_13 The Temp of the UAS will be bounded between TEMP_SENSE_MIN and TEMP_SENS_MAX, but if is not, allow 3 timesteps to recover. ☐[0,M] (Temp_leq_MAX ∧ Temp_geq_MIN)
UAS_SB_14 The TempE1 of the UAS will be bounded between TempE1_SENS_MIN and TempE1_SENS_MAX, but if it is not, allow 3 timesteps to reover. ☐[0,M] (TempE1_leq_MAX ∧ TempE1_geq_MIN)
UAS_SB_15 The TempE2 of the UAS will be bounded between TempE2_SENS_MIN and TempE2_SENS_MAX, but if it is not, allow 3 timesteps to reover. ☐[0,M] (TempE2_leq_MAX ∧ TempE2_geq_MIN)
UAS_SB_16 The Pres of the UAS will be bounded between 0 and PRES_SENS_MAX at all instances. ☐[0,M] (Pres_leq_MAX ∧ Pres_geq_0)
UAS_SB_17 The magnitude of the acceleration vector (AccN, Acce, AccD) will be bounded between 0 and ACC_SENS_MAX, but if not, allow 3 timesteps to recover. ¬☐[0,3] ¬(Acc_Mag_leq_MAX ∧ Acc_Mag_geq_0)
GCS Sensor Bound Specifications
Name Description Specification
GCS_SB_1 All wpLat will be bounded between -90 and 90 degrees ¬☐[0,M] ¬(wpLat_leq_MaxLatUB ∧ wpLat_geq_MinLatLB)
GCS_SB_2 All wpLon will be bounded between -180 and 180 degrees. ¬☐[0,M] ¬(wpLon_leq_MaxLonUB ∧ wpLon_geq_MinLonLB)
GCS_SB_3 All Lat will be bounded between -90 and 90 degrees. ¬☐[0,M] ¬(Lat_leq_MaxLatUB ∧ Lat_geq_MinLatLB)
GCS_SB_4 All Lon will be bounded between -180 and 180 degrees ¬☐[0,M] ¬(Lon_leq_MaxLonUB ∧ Lon_geq_MinLonLB)
GCS_SB_5 All fpLat will be bounded between -90 and 90 degrees ¬☐[0,M] ¬(fpLat_leq_MaxLatUB ∧ fpLat_geq_MinLatLB)
GCS_SB_6 All fpLon will be bounded between -180 and 180 degrees ¬☐[0,M] ¬(fpLon_leq_MaxLonUB ∧ fpLon_geq_MinLonLB)
UTM Sensor Bound Specifications
Name Description Specification
UTM_SB_1 All wpLat will be bounded between -90 and 90 degrees ¬☐[0,M] ¬(wpLat_leq_MaxLatUB ∧ wpLat_geq_MinLatLB)
UTM_SB_2 All wpLon will be bounded between -180 and 180 degrees. ¬☐[0,M] ¬(wpLon_leq_MaxLonUB ∧ wpLon_geq_MinLonLB)
UTM_SB_3 All Lat will be bounded between -90 and 90 degrees. ¬☐[0,M] ¬(Lat_leq_MaxLatUB ∧ Lat_geq_MinLatLB)
UTM_SB_4 All Lon will be bounded between -180 and 180 degrees ¬☐[0,M] ¬(Lon_leq_MaxLonUB ∧ Lon_geq_MinLonLB)
UTM_SB_5 All fpLat will be bounded between -90 and 90 degrees ¬☐[0,M] ¬(fpLat_leq_MaxLatUB ∧ fpLat_geq_MinLatLB)
UTM_SB_6 All fpLon will be bounded between -180 and 180 degrees ¬☐[0,M] ¬(fpLon_leq_MaxLonUB ∧ fpLon_geq_MinLonLB)
UAS Rates of Change Specifications
Name Description Specification
UAS_RC_1 The temperature (Temp, TempE1, TempE2) will not change by more than TEMP_DELTA_MAX each sample instance at any time. ☐[0,M] (Temp_lt_Prev_plus_MAX ∧ Temp_gr_Prev_minus_MAX ∧ TempE1_lt_Prev_plus_MAX ∧ TempE1_gr_Prev_minus_MAX ∧ TempE2_lt_Prev_plus_MAX ∧ TempE2_gr_Prev_minus_MAX)
UAS_RC_2 The horizontal position (PosN, PosE) magnitude will not change by more than POS_DELTA_MAX each sample instance at a time. ☐[0,M] (PosHMag_lt_Prev_plus_Delta ∧ PosHMag_gt_Prev_minus_Delta)
UAS_RC_3 The vertical position (PosD) shall not change by more than POS_DELTA_INC or less than POS_DELTA_DEC each sample instance at any time. ☐[0,M] (PosD_lt_Prev_Delta_Inc ∧ PosD_gt_Prev_minus_Delta_Dec)
UAS_RC_4 There should be noise in the Pitch, Roll, and Yaw measurement while the Phase is not "Ready" such that the change is at minimum EUL_DELTA_MIN, but if is not, allow 3 timesteps to recover. ¬☐[0,3] {Phase_eq_Ready → [ (¬Pitch_gt_Prev_plus_Delta ∧ ¬Pitch_lt_Prev_minus_Delta) ∨ (¬Roll_gt_Prev_plut_Delta ∧ ¬Roll_lt_Prev_minus_Delta) ∨ (¬Yaw_gt_Prev_plus_Delta ∧ ¬Yaw_lt_Prev_minus_Delta) ] }
UAS_RC_5 Yaw will not change by more than YAW_DELTA_MAX each sample instance when the Subphase is "Go to" at any time. ☐[0,M] (Subphase_eq_GoTo → (Yaw_lt_Prev_plus_Delta ∧ Yaw_gt_Prev_minus_Delta) )
UAS_RC_6 The climb rate of (VelD) of the UAS will be less than VELD_DELTA_CLIMB and greater than VELD_DELTA_DESC, but if it is not, allow 3 timesteps to recover. ¬☐[0,3] ¬(VelD_lt_Prev_plus_Delta_Climb ∧ VelD_gt_Prev_minus_Delta_Desc)
UAS_RC_7 There should be noise in the Pres measurement when Phase is not "Ready" such that the change is at a minimum PRES_DELTA_MIN, but if there is not, allow 3 timesteps to recover. ¬☐[0,3] {!Phase_eq_Ready → (¬Pres_gt_Prev_plus_Delta ∧ ¬Pres_lt_Prev_minus_Delta)}
UAS_RC_8 The Pres should not change by more than PRES_DELTA_MAX, but if it does, allow 3 timesteps to recover. ¬☐[0,3] ¬(Pres_lt_Prev_plus_Delta ∧ Pres_gt_Prev_minus_Delta)
GCS Rates of Change Specifications
Name Description Specification
GCS_RC_1 Once the Status of a flight plan is REJECTED, it can never become APPROVED or REPLACED. Status_eq_Rejected → ☐(Status_eq_Rejected)
GCS_RC_2 Once the Status of a flight plan is APPROVED, it can only transition from APPROVED to REPLACED, never APPROVED to REJECTED. Status_eq_Rejected → ☐(¬Status_eq_Approved)
GCS_RC_3 Once the Status of a flight plan is REPLACED, it can never become APPROVED. Status_eq_Replaced → ☐(¬Status_eq_Approved)
GCS_RC_4 The incoming telemetry data's Time field should be within MAX_RATE seconds of the previous telemetry data's Time field. ¬☐[0,3] (¬TimeDif_leq_MaxTime)
UTM Rates of Change Specifications
Name Description Specification
UTM_RC_1 Once the Status of a flight plan is REJECTED, it can never become APPROVED or REPLACED. Status_eq_Rejected → ☐(Status_eq_Rejected)
UTM_RC_2 Once the Status of a flight plan is APPROVED, it can only transition from APPROVED to REPLACED, never APPROVED to REJECTED. Status_eq_Rejected → ☐(¬Status_eq_Approved)
UTM_RC_3 Once the Status of a flight plan is REPLACED, it can never become APPROVED. Status_eq_Replaced → ☐(¬Status_eq_Approved)
UTM_RC_4 Flight_Plan_IDs, issued from the UTM server, may only ever increment (to make sure no two UAS have the same Flight_Plan_ID). ☐ (fpID_leq_PrevfpID)
UTM_RC_5 The rate of which an individual UAS's telemetry data is recieve by the UAS will be once per second while the UAS is in flight. ☐[0,3] (Time_geq_PrevTimeMargin)
UTM_RC_6 The UTM will return a Status response to a flight plan request within UTM_MAX_FP_RESPONSE_TIME. ☐[0,3] [(¬Status_eq_Rejected ∧ ¬Status_eq_Approved ∧ ¬Status_eq_Replaced) ∧ TimeFiledDiff_geq_Margin]
UAS Control Sequences Specifications
Name Description Specification
UAS_CS_1 The UAS cmd values RefVelN, RefVelE, RefVelD, RefYaw, and RefYawdot should be when Subphase is in Test Actuators or when Phase is in Test at all times. ☐[0,M] [(Phase_eq_Test ∨ Subphase_eq_TestActuators) → (RefVelN_eq_0 ∧ RefVelE_eq_0 ∧ RefVelD_eq_0 ∧ RefYaw_eq_0 ∧ RefYawdot_eq_0)]
UAS_CS_2 If a UAS takes off, eventually it will land in all cases. Phase_eq_Takeoff → ♢[0,M] (Phase_eq_Landing)
UAS_CS_3 The UAS will always take-off before in lands in all cases ☐[0,M] (Takeoff_Time_lt_Landing_Time)
UAS_CS_4 If a UAS is flying toward a STOP waypoint, it will eventually decelerate. Subphase_eq_Stop → ♢[0,M] (AccD_lt_0 ∧ AccN_lt_0 ∧ AccE_lt_0)
UAS_CS_5 If a UAS is flying toward a CRUISE waypoint, it will maintain its speed. Subphase_eq_Cruise → ♢[0,M] (AccD_eq_0 ∧ AccN_eq_0 ∧ AccE_eq_0)
GCS Control Sequences Specifications
Name Description Specification
GCS_CS_1 The reference waypoint (wpLat, wpLon) will eventually change to a new reference waypoint. ♢[0,M] (wpLat_neq_preWpLat ∧ wpLon_neq_prevWpLon)
GCS_CS_2 A UAS reference waypoint (wpLat, wpLon) will eventually change to the next flight plan waypoint (fLat, fpLon). ♢[0,M](wpLat_eq_fpLat ∧ wpLon_eq_fpLon)
GCS_CS_3 The reference altitude (LatWP) and longitude (LonWP) will be contained within the set of waypoints givin in the flightplan. wpLonLat_eq_fpLon_Lat
UAS Intersensor Relationships Specifications
Name Description Specification
UAS_IS_1 Since the altimeter and the barometer can both derive the air presusre, the error between these two measurements of pressure will be less than ERROR_PRES. If it is not, allow 3 time steps to recover. ¬☐[0,3] ¬(Pres_lt_MaxPresErr ∧ Pres_gt_MinPresErr)
UAS_IS_2 The northern velocity measurement difference from the GPS and the IMU should be less than ERROR_VEL. ¬☐[0,3] ¬(VelN_lt_PrevVA_plus_Error ∧ VelN_gt_PrevVA_minus_Error)
UAS_IS_3 The eastern velocity measurement difference from the GPS and the IMU should be less than ERROR_VEL. ¬☐[0,3] ¬(VelE_lt_PrevVA_plus_Error ∧ VelN_gt_PrevVA_minus_Error)
UAS_IS_4 The vertical velocity measurement difference from the GPS and the IMU should be less than ERROR_VEL. ¬☐[0,3] ¬(VelD_lt_PrevVA_plus_Error ∧ VelN_gt_PrevVA_minus_Error)
GCS Intersensor Relationships Specifications
Name Description Specification
GCS_IS_1 The Time of any given telemetry stream should be bounded within the flight plan's estimated Start and End times ☐ (Time_geq_Start ∧ Time_leq_End)
UTM Intersensor Relationships Specifications
Name Description Specification
UTM_IS_1 The Time of any given telemetry stream should be bounded within the flight plan's estimated Start and End times. ☐ (Time_geq_Start ∧ Time_leq_End)
UTM_IS_2 The conStar and conEnd times of a conflict should be bounded within the flight plan's estimated Start and End times. ☐ (conStart_geq_Start ∧ conEnd_leq_End)
UTM_IS_3 The conStart and conEnd times of a conflict should be between 0 and 120 seconds from the lastest telemetry stream's Time. ☐ (conStart_geq_Time ∧ conEng_leq_120Time)
IS_UTM_4 A telemetry's (wpLat, wpLon) referce waypoint should match of pair of (Lat, Lon) waypoints form the UAS's flight plan. ☐ (wpLonLat_eq_fpLon_Lat)
UAS Physical Model Relationships Specifications
Name Description Specification
UAS_PM_1 When the VelN velocity is positive and not small (>0.25 m/s), the change in Lat shall be greater than 0 at all instances (in the northern hemisphere). The opposite shall be true when VelN is negative and not small (<0.25m/s) ☐[0,M] [(VelN_gt_0.25 ∧ DeltaLab_gt_0) ∨ (VelN_lt_0.25 ∧ DeltaLat_lt_0)]
UAS_PM_2 When the VelE velocity is positive is not small (>0.25m/s), the change in Lon shall be greater than 0 at all instances (in the northern hemisphere). The opposite shall be true when VelE is negative and not small (<0.25m/s) ☐[0,M] [(VelE_gt_0.25 ∧ DeltaLon_gt_0) ∨ (VelE_lt_0.25 ∧ DeltaLon_lt_0)]
UAS_PM_3 The relationship between the Lat and PosN measurements shall be directly proportional by factor k1. The error between these two should be less than ERROR_LAT_POSN. If it is outside these error bounds, then allow 3 timesteps for recovery. (PosNrise_geq_0.25 ∨ PosNrise_leq_0.25) → ¬☐[0,3] (¬ConvFact_leq_k1_plus_Error ∨ ¬ConvFact_geq_k1_minus_Error)
UAS_PM_4 The relationship between the Lon and PosE measurements shall be directly proportional by factor k2. The error between these two should be less than ERROR_LON_POSE. If it is outside these error bounds, then allow 3 timesteps for recovery. (PosErise_geq_0.25 ∨ PosErise_leq_0.25) → ¬☐[0,3] (¬ConvFact_leq_k2_plus_Error ∨ ¬ConvFact_geq_k2_minus_Error)
UAS_PM_5 There should be a linear relationship between the Alt and the PosD measurements. The error between these two should be less than ERROR_ALT_POSD. ☐[0,M] (PosD_minus_Alt_lt_Error)
UTM Physical Model Relationships Specifications
Name Description Specification
UTM_PM_1 If the Ang from a UAS's telemetry is between 0 and 90 degrees, then, if the UAS's Vel is greater than zero, the UAS's Lat should be increasing and the Lon should be decreasing each telemetry stream. (Ang_leq_90 ∧ Ang_geq_0 ∧ Vel_gt_0) → (Lat_minus_Prev_gt_0 ∧ Lon_minus_Prev_lt_0)
UTM_PM_2 If the Ang from a UAS's telemetry is between 90 and 180 degrees, then, if the UAS's Vel is greater than zero, the UAS's Lat and Lon should be increasing each telemetry stream. (Ang_geq_180 ∧ Ang_leq_90 ∧ Vel_gt_0) → (Lat_minus_Prev_gt_0 ∧ Lon_minus_Prev_gt_0)
UTM_PM_3 If the Ang from a UAS's telemetry is between 180 and 270 degrees, then, if the UAS's Vel is greater than zero, the UAS's Lat should be decreasing and the Lon should be increasing each telemetry stream. (Ang_geq_180 ∧ Ang_leq_270 ∧ Vel_gt_0) → (Lat_minus_Prev_lt_0 ∧ Lon_minus_Prev_gt_0)
UTM_PM_4 If the Ang from a UAS's telemetry is between 270 and 360 degrees, then, if the UAS's Vel is greater than zero, the UAS's Lat and Lon should be decreasing each telemetry stream. (Ang_geq_270 ∧ Ang_leq_360 ∧ Vel_gt_0) → (Lat_minus_Prev_lt_0 ∧ Lon_minus_Prev_lt_0)