Formal Methods for the Certification of Autonomous Unmanned Aircraft Systems

Matt Webster 1,4, Michael Fisher 2, Neil Cameron 1, and Mike Jump 1,3

1 Virtual Engineering Centre, Daresbury Laboratory, Warrington, UK
2 Department of Computer Science, University of Liverpool, UK
3 School of Engineering, University of Liverpool, UK
4 Corresponding author. Email: matt@liv.ac.uk, Tel/Fax: +44 (0) 1925 864850

Abstract. In this paper we assess the feasibility of using formal methods, and model checking in particular, for the certification of Unmanned Aircraft Systems (UAS) within civil airspace. We begin by modelling a basic UAS control system in PROMELA, and verify it against a selected subset of the CAA’s Rules of the Air using the SPIN model checker. Next we build a more advanced UAS control system using the autonomous agent language Gwendolen, and verify it against the small subset of the Rules of the Air using the agent model checker AJPF. We introduce more advanced autonomy into the UAS agent and show that this too can be verified. Finally we compare and contrast the various approaches, discuss the paths towards full certification, and present directions for future research.

Keywords: Model Checking, Formal Methods, Unmanned Aircraft System, Autonomous Systems, Certification

1 Introduction

An Unmanned Aircraft System (UAS, plural UAS) is a group of elements necessary to enable the autonomous flight of at least one Unmanned Air Vehicle (UAV) [8]. For example, a particular UAS may comprise a UAV, a communication link to a ground-based pilot station and launch-and-recovery systems for the UAV. UAS are now routinely used in military applications, their key advantages coming from their ability to be used in the so-called “dull, dangerous and dirty” missions, e.g., long duration/persistence flights and flights into hostile or hazardous areas (such as clouds of radioactive material) [20].
There is a growing acceptance, however, that the coming decades will see the integration of UAS into civil airspace for a variety of similar applications: security surveillance, motorway patrols, law enforcement support, etc. [21,15]. However, in order for this integration to take place in a meaningful way, UAS must be capable of routinely flying through “non-segregated” airspace. Today, for most useful civil applications, UAS can fly in UK civil airspace but in what is known as segregated airspace, that is, airspace which is for the exclusive use of the specific user. For routine UAS operations, this will not be an acceptable solution if the demand for UAS usage increases as is envisaged. The UK projects ASTRAEA and ASTRAEA II and the FAA’s Unmanned Aircraft Program Office (UAPO) are tasked with meeting this regulatory challenge, but a summary of the issues is considered pertinent. Guidance on the UK policy for operating UAS is