Why does ATC radar AI use threshold 35 rather than 40?

Threshold 35 for ATC radar AI reflects two structural properties: (1) mass-casualty consequence scale — a single missed STCA alert at SoCal TRACON involves aircraft carrying 150-400 passengers each; (2) controller time-to-response — at 3nm separation minima and 250-300 knot approach closing speeds, a missed alert leaves approximately 36-43 seconds before violation, insufficient for independent controller detection and resolution. The operational cost of a false positive — 10-30 seconds of degraded-mode manual separation — is asymmetrically lower than the consequence of the false negative.

What are the regulatory cybersecurity requirements for NAS AI under FAA and RTCA standards?

NAS AI cybersecurity requirements derive from RTCA DO-278A (NAS ground systems software integrity), FAA Order 8200.1 (NAS certification), FAA National Cybersecurity Plan (NCSP, 2022, under FISMA and NIST CSF), and FAA AI Research Program adversarial ML evaluation requirements aligned with NIST AI RMF and NIST AI 100-2. ACAS Xu's DO-385 certification includes formal methods adversarial robustness testing requirements under the DO-385 Formal Methods Supplement.

What is the adversarial injection surface in ERAM en route AI vs TRACON STARS/TAMR?

ERAM's ERICA conflict alert AI uses the same radar scope synthetic display rendering architecture as STARS STCA but with 12-20 minute look-ahead versus 2-3 minutes for TRACON. The longer horizon provides a partial human mitigation — an ARTCC controller has time to independently detect developing conflicts within the 12-20 minute window — that does not exist at TRACON timescales. Both contexts use threshold 35 reflecting mass-casualty consequence potential, while noting the en route per-event false-negative consequence may be partially mitigated by the longer independent human detection window.

FAA STARS/TAMR radar surveillance AI · ACAS Xu conflict detection AI · ASDE-X runway incursion AI · EUROCONTROL iTEC digital tower AI

Prompt injection in air traffic control radar AI

Q: How does ACAS Xu's RL architecture create different adversarial injection properties vs TCAS II?

TCAS II's DO-185B deterministic logic operates on raw transponder-derived parameters (range, altitude, range rate) with no image processing step — it has no rendering-based adversarial injection surface. ACAS Xu's RL policy lookup on a discretized state space introduces an encounter geometry rendering step as the adversarial injection surface, where a perturbed state space image maps to the wrong Q-table index, retrieving an RA trained for a different encounter geometry. The DO-385 certification adversarial robustness evaluation covers encounter model distribution performance, not adversarially perturbed state space renderings — a distinct attack class requiring a runtime Glyphward scan gate.

Q: How does ASDE-X RWSL adversarial injection differ from ATC controller human override?

RWSL Takeoff Hold Lights and Runway Intersection Lights illuminate automatically from ASDE-X AI classification, providing flight crew warnings independent of controller awareness and communication. FAA RWSL evaluation studies demonstrated incursion event detection that controllers did not independently detect in time. Adversarial ASDE-X AI injection subverts this autonomous alerting property, eliminating the one safety barrier that operates independently of controller performance and reverting to the pre-RWSL architecture that was found insufficient at high-complexity airports during controller workload peaks.

The United States National Airspace System (NAS) handles approximately 45,000 instrument flight operations daily across 19,000 airports, 20 Air Route Traffic Control Centers (ARTCCs), 160+ Terminal Radar Approach Control (TRACON) facilities, and 483 FAA-operated air traffic control towers — making the NAS the world’s largest and most complex real-time distributed safety system. The NAS’s safety record — zero commercial passenger fatalities from midair collision between 2002 and 2025 in US-controlled airspace — rests on a layered architecture of surveillance, separation assurance, and collision avoidance systems, each of which has progressively incorporated artificial intelligence over the past decade. The FAA’s Standard Terminal Automation Replacement System (STARS), developed by Raytheon Technologies and deployed at all 160+ TRACON facilities in the US since 2015, processes primary and secondary surveillance radar returns from FAA ASR-9 and ASR-11 airport surveillance radars — operating at ranges of 60–250 nautical miles from each radar site — together with Automatic Dependent Surveillance-Broadcast (ADS-B) position reports from the 970 FAA ADS-B ground receiver stations mandated under FAA Rule 14 CFR Part 91.225 (which required ADS-B Out equipage for all aircraft operating in Class A, B, and C airspace by January 2020). STARS processes this multi-sensor surveillance picture through an AI-assisted track fusion engine that correlates radar returns and ADS-B position reports from the same aircraft, resolves track ambiguities (distinguishing primary radar return from the target aircraft from antenna sidelobes, weather returns, and ground clutter), and generates a fused track for each aircraft in the TRACON facility’s airspace — a synthetic representation of aircraft position, altitude, heading, and speed that is rendered on the TRACON controller’s radar display as a data block with the aircraft’s call sign, altitude, and ground speed. The Terminal Automation Modernization and Replacement (TAMR) program, the next-generation STARS successor currently deployed at 13 of the highest-density TRACONs in the US (including Southern California TRACON handling 800,000+ annual operations, Chicago TRACON handling 760,000+, and New York TRACON handling 425,000+), extends the STARS AI architecture with enhanced machine learning conflict prediction, automated sequencing, and decision support AI. The ACAS Xu system — the FAA/MIT Lincoln Laboratory AI-based replacement for TCAS II as the airborne collision avoidance system in commercial aircraft, currently in DO-385 certification and scheduled for mandate on new commercial aircraft type certificates from 2027 onward — moves airborne conflict resolution from the deterministic decision-tree logic of TCAS II to a reinforcement-learning-trained AI policy that generates Resolution Advisories (RAs) from a learned Q-table over a state space of 300 million+ encounter geometries. At each layer of this surveillance and separation architecture, artificial intelligence processes radar images, synthetic track renderings, and encounter geometry visualizations at AI classification boundaries — creating adversarial pixel injection surfaces within the safety-critical NAS infrastructure.

TL;DR

FAA STARS and TAMR radar track visualization AI, FAA ERAM en route surveillance AI, ACAS Xu airborne conflict detection AI, and ASDE-X airport surface movement radar AI all process synthetic radar display images, track rendering visualizations, and encounter geometry images at AI classification boundaries. Adversarially crafted images can suppress runway incursion alerts, corrupt traffic conflict resolution advisories, and generate phantom separation errors — at a threshold of 35 across all ATC surveillance and conflict detection AI contexts, reflecting the safety-critical air traffic control operational environment. Free tier — 10 scans/day, no card required.

Four adversarial injection surfaces in air traffic control radar AI

1. FAA STARS and TAMR radar track visualization and conflict alert AI

The STARS radar display system renders the air traffic picture on each TRACON controller’s position display as a synthetic radar scope — a 2048×2048 pixel or higher resolution monochrome or color synthetic plan-position display (PPI) showing processed aircraft tracks as moving data blocks on a range-azimuth grid, with the background radar return imagery (weather, terrain, clutter) displayed as a visual context layer below the synthetic track overlay. The STARS AI track fusion and conflict alert engine processes this synthetic display rendering at the alert classification step: the Short-Term Conflict Alert (STCA) function in STARS continuously evaluates projected aircraft trajectories for separation minima violations — 3 nautical miles horizontal and 1,000 feet vertical in TRACON airspace — and generates visual and audio conflict alerts on the controller’s display when a predicted separation loss falls within a configurable look-ahead time (typically 2–3 minutes). The STCA AI applies a trajectory prediction model to the rendered track vectors displayed on the radar scope, projecting current track state vectors forward and detecting future minimum separation violations. The rendered radar scope image — with the synthetic track symbology that feeds the STCA trajectory prediction model — is the pixel-level input to the AI classification step.

An adversarial perturbation applied to the rendered radar scope synthetic display image can target the STCA AI at the display rendering layer, introducing pixel-level distortions in the track data block symbology — the alphanumeric characters and velocity vectors that encode aircraft call sign, altitude, and speed — that cause the STCA trajectory prediction model to misread track state vectors for one or both aircraft in a developing conflict. A velocity vector magnitude distortion in the rendered data block image — compressing the displayed velocity vector from its true ground speed to a lower apparent value — causes the STCA model to project a slower closing speed for the conflict geometry, extending the predicted time to minimum separation beyond the alert threshold and suppressing the STCA conflict alert for the actual impending violation. At the Southern California TRACON, which handles arrivals and departures at Los Angeles International (LAX, KORD of the west coast, 88 million annual passengers), John Wayne (SNA), Long Beach (LGB), Burbank (BUR), Ontario (ONT), and Palm Springs (PSP) in a compressed airspace sector with published approach and departure corridors that require maintaining 3nm separation between aircraft on simultaneous instrument approaches — the STCA suppression attack directly targets the primary controller alerting mechanism for simultaneous runway approach conflicts at the nation’s second-busiest airport complex. The FAA Order 7110.65Z (Air Traffic Control) and the STARS Program Performance Specification (PPS) establish the STCA performance requirements and the alert timing parameters that define adequate advance warning for controller response.

2. ACAS Xu AI-based airborne conflict detection and resolution advisory system

The Airborne Collision Avoidance System X for Unmanned Aircraft (ACAS Xu) — developed by MIT Lincoln Laboratory under FAA Research, Engineering and Development Program support and standardised in RTCA DO-385 (Minimum Operational Performance Standards for ACAS Xu) — represents the replacement for the deterministic TCAS II (Traffic Alert and Collision Avoidance System version II) logic that has been mandatory on commercial aircraft in the US since 14 CFR Part 91.221 and internationally under ICAO Annex 10. TCAS II uses a fixed, certified decision tree (the logic defined in RTCA DO-185B, certified to a fixed version that has not changed since 2010 to maintain certifiability) that generates Resolution Advisories (RAs: “Climb”, “Descend”, “Monitor Vertical Speed”) based on measured intruder range, bearing, and altitude rate using discrete thresholds on the intruder’s “tau” parameter (estimated time to closest point of approach). ACAS Xu replaces this fixed logic with a reinforcement-learning trained AI policy — a lookup table over a discretized state space of approximately 300 million encounter states, generated by optimizing a deep RL agent over a large corpus of simulated encounter geometries — that selects the optimal RA from a continuous range of vertical rate advisories rather than the discrete TCAS II maneuver set. This RL approach allows ACAS Xu to generate encounter-geometry-appropriate RAs for multi-aircraft encounters (three or more aircraft in simultaneous conflict), UAS (unmanned aircraft system) operations, and non-cooperative intruder encounters that are beyond the design envelope of the TCAS II decision tree.

The ACAS Xu AI policy lookup operates on encounter state representations that include relative range, bearing, altitude, and vertical rate estimates — some of which are derived from rendered encounter geometry visualizations used in the ACAS Xu state estimation pipeline. The adversarial injection surface for ACAS Xu exists at the encounter geometry rendering step of the state estimation pipeline, where sensor-fused surveillance data (transponder SSR Mode C/S return, ADS-B position report, or radar track) is rendered into a standardized encounter geometry image for ACAS Xu state lookup. A pixel-level perturbation in the encounter geometry rendering — shifting the apparent intruder range by a threshold amount in the rendered distance representation — can cause the ACAS Xu policy lookup to map the encounter state to an incorrect state index, retrieving an RA from the Q-table that was trained for a different encounter geometry than the one actually in progress. In a converging head-on encounter at high closure rate — the encounter geometry with the highest NMAC (near-midair collision) risk probability per the TCAS/ACAS encounter model maintained by FAA and EUROCONTROL — an incorrect RA that generates a same-direction vertical maneuver for both conflicting aircraft (instead of opposite-direction separation) reduces the vertical separation rather than increasing it, converting an avoidable conflict into a NMAC. The January 2023 NTSB report on the Piedmont/FedEx runway incursion at Memphis International (KNMEM) cited automated alerting systems as critical elements of the safety barrier that ultimately prevented collision; adversarial injection against ACAS Xu would target the one safety barrier that operates after all ground-based separation has failed.

3. ASDE-X airport surface detection equipment runway incursion AI

The Airport Surface Detection Equipment, Model X (ASDE-X) is the FAA’s primary ground movement and runway incursion detection system, deployed at 35 large US commercial service airports including O’Hare International (ORD, 913,000+ annual operations), Hartsfield-Jackson Atlanta (ATL, 860,000+ operations), Dallas/Fort Worth (DFW, 735,000+ operations), and Los Angeles International (LAX, 530,000+ operations). ASDE-X integrates high-resolution millimeter-wave surface movement radar (operating at 78GHz with 0.25×0.25 degree angular resolution providing approximately 10-meter surface position accuracy), multi-lateration (MLAT) systems tracking transponder-equipped aircraft and ground vehicles, and ADS-B position reports to generate a fused airport surface traffic picture at update rates of 1 second or better. The ASDE-X Runway Status Light (RWSL) system — FAA-certified under FAA AC 150/5340-40 — uses the ASDE-X surface picture AI to drive a system of in-pavement illuminated runway status lights (Takeoff Hold Lights at runway entry points and Runway Intersection Lights at runway-runway intersections) that provide independent automated warnings to flight crews of incursion risk without requiring controller action. The RWSL AI processes the rendered ASDE-X surface radar display image — a synthetic airport map with moving target symbols for each tracked aircraft and ground vehicle — to determine which runways are active and whether any tracked target poses an incursion threat to a runway that another aircraft is cleared for takeoff or landing on.

The adversarial injection surface for ASDE-X runway incursion AI exists at the rendered surface radar display image processing step. An adversarial perturbation applied to the ASDE-X surface picture rendering — suppressing the target symbol for a ground vehicle or aircraft that has entered a protected runway zone, or reducing the apparent velocity vector of a target to below the threshold that triggers the RWSL illumination algorithm — can prevent the RWSL system from illuminating the Takeoff Hold Lights at the runway entry point for an aircraft lined up for takeoff on a runway that another aircraft has entered without clearance. The RWSL’s failure to illuminate — caused not by a hardware failure (the lights are operational) but by adversarial suppression of the AI classification that would normally trigger illumination — removes the independent automated crew warning mechanism, leaving the ATC controller’s verbal communication as the only incursion prevention barrier. The FAA Aviation Safety Information Analysis and Sharing (ASIAS) database recorded 1,732 runway incursion events in fiscal year 2024, including 19 Category A and B events (the highest severity categories, representing actual near-collision events); at O’Hare alone, which has the highest runway intersection density among US airports and a documented history of runway incursion risk, ASDE-X RWSL is the primary automated safety system between an incursion event and a collision outcome. The ASDE-X Performance Specification (FAA Contract DTFA01-99-C-00089) and FAA Order 7110.65Z establish the performance and certification requirements for ASDE-X AI and the RWSL alert generation logic.

4. EUROCONTROL iTEC digital tower sequencing AI and SESAR automated separation AI

The EUROCONTROL Integrated Tower Equipment and Communication (iTEC) system — deployed at London Heathrow (LHR, Europe’s busiest airport with 480,000+ annual aircraft movements), Frankfurt Airport (FRA, 460,000+ movements), Madrid-Barajas (MAD, 410,000+ movements), and Vienna International — represents the European equivalent of TAMR’s AI-assisted TRACON sequencing, extended to the tower domain. The iTEC digital tower processes high-definition pan-tilt-zoom camera arrays providing 360-degree airport surveillance, surface movement radar data, and ADS-B/MLAT position data through an AI sequencing engine that generates arrival and departure sequence recommendations for tower controllers, predicts runway occupancy times to enable reduced separation operations under RECAT (Wake Turbulence Re-Categorisation) procedures, and provides electronic Runway Incursion Monitoring and Conflict Alerting System (RIMCAS) function. The RIMCAS AI in iTEC processes the rendered airport surface composite display image — a synthetic overhead view of the airport surface with moving target symbols — to detect runway incursion events and generate alerts for tower controllers with a look-ahead time of 30–60 seconds. The EU SESAR (Single European Sky ATM Research) program’s Automated ATCO conflict detection AI, scheduled for deployment across EUROCONTROL member states through 2030 under the European ATM Master Plan, extends AI-based separation assurance from the terminal domain to the en route domain in European airspace handling 11 million annual instrument operations. Both iTEC and SESAR automated conflict detection process rendered radar scope visualization images at their AI classification boundaries, creating adversarial injection surfaces equivalent in architecture to the FAA STARS/TAMR surfaces described above, with the EUROCONTROL ANSP (Air Navigation Service Provider) security framework under EU NIS2 Directive (Directive 2022/2555) providing the regulatory cybersecurity requirement context.

Integration: ATC radar AI display image scanning with Glyphward pre-scan

The Glyphward scan gate for ATC radar AI belongs at the synthetic display rendering boundary before each AI classification step — before STARS/TAMR STCA processes the radar scope synthetic track image, before ACAS Xu processes the encounter geometry rendering, before ASDE-X RWSL AI processes the surface movement picture, and before iTEC RIMCAS processes the airport composite display. The threshold of 35 across all ATC AI contexts reflects the safety-critical NAS operational environment. The implementation below uses structured JSONL audit logging referencing FAA Order 7110.65Z and RTCA DO-278A standards.

import asyncio, base64, hashlib, json
from datetime import datetime, timezone
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# All ATC radar AI contexts: threshold 35 — NAS safety-critical infrastructure
# FAA Order 7110.65Z requires separation assurance and conflict alerting.
# RTCA DO-278A defines NAS software qualification requirements.
ATC_RADAR_AI_THRESHOLD = 35


class ATCRadarAIContext(Enum):
    STARS_STCA_TRACON         = "stars_stca_tracon"          # STARS Short-Term Conflict Alert
    TAMR_CONFLICT_PREDICTION  = "tamr_conflict_prediction"   # TAMR AI conflict prediction
    ERAM_EN_ROUTE             = "eram_en_route"              # ERAM en route track/conflict AI
    ACAS_XU_RA_GENERATION     = "acas_xu_ra_generation"      # ACAS Xu RL-based RA selection
    ASDE_X_RWSL               = "asde_x_rwsl"               # ASDE-X Runway Status Light AI
    EUROCONTROL_ITEC_RIMCAS   = "eurocontrol_itec_rimcas"    # iTEC RIMCAS runway incursion AI


class AdversarialATCImageError(Exception):
    """Raised when Glyphward detects adversarial pixel content in an ATC
    radar AI display image above the NAS safety-critical threshold of 35.

    Consequence if not raised: runway incursion alert suppressed, conflict
    advisory corrupted, or ACAS Xu RA from wrong encounter state retrieved.
    """

    def __init__(self, scan_id: str, score: int, context: ATCRadarAIContext,
                 flagged_region: dict | None = None) -> None:
        self.scan_id = scan_id
        self.score = score
        self.context = context
        self.flagged_region = flagged_region
        super().__init__(
            f"Adversarial ATC radar AI image: "
            f"context={context.value} score={score} scan_id={scan_id}"
        )


async def scan_atc_radar_display(
    display_image_bytes: bytes,
    context: ATCRadarAIContext,
    facility_id: str,
    sector_id: str,
    display_timestamp: str,
    client: httpx.AsyncClient,
) -> dict:
    """Scan an ATC radar AI synthetic display image for adversarial pixel content.

    Args:
        display_image_bytes: Rendered synthetic radar display image bytes
            (STARS/TAMR scope, ACAS Xu encounter geometry, ASDE-X surface picture).
        context: ATCRadarAIContext identifying the ATC AI platform.
        facility_id: ICAO facility identifier (e.g., 'SCT' for SoCal TRACON,
            'N90' for New York TRACON, 'KLAX' for LAX ASDE-X).
        sector_id: Controller sector identifier within facility.
        display_timestamp: ISO 8601 display rendering timestamp.
        client: Shared httpx.AsyncClient for connection reuse.

    Returns:
        Glyphward scan result dict.

    Raises:
        AdversarialATCImageError: if score exceeds threshold 35.
        httpx.HTTPStatusError: on Glyphward API error (fail-closed).
    """
    image_hash = hashlib.sha256(display_image_bytes).hexdigest()
    payload = {
        "image": base64.b64encode(display_image_bytes).decode(),
        "source": f"atc_radar:{context.value}:{facility_id}:{sector_id}",
        "metadata": {
            "facility_id": facility_id,
            "sector_id": sector_id,
            "display_timestamp": display_timestamp,
            "image_sha256": image_hash,
            "context": context.value,
        },
    }
    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json=payload,
        timeout=4.0,
    )
    resp.raise_for_status()
    result = resp.json()

    await _write_atc_scan_audit(
        image_hash=image_hash,
        scan_id=result["scan_id"],
        score=result["score"],
        context=context,
        facility_id=facility_id,
        sector_id=sector_id,
        display_timestamp=display_timestamp,
        flagged=result["score"] > ATC_RADAR_AI_THRESHOLD,
    )

    if result["score"] > ATC_RADAR_AI_THRESHOLD:
        raise AdversarialATCImageError(
            scan_id=result["scan_id"],
            score=result["score"],
            context=context,
            flagged_region=result.get("flagged_region"),
        )
    return result


async def _write_atc_scan_audit(
    *, image_hash: str, scan_id: str, score: int,
    context: ATCRadarAIContext, facility_id: str, sector_id: str,
    display_timestamp: str, flagged: bool,
) -> None:
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "scan_id": scan_id,
        "image_sha256": image_hash,
        "context": context.value,
        "score": score,
        "threshold": ATC_RADAR_AI_THRESHOLD,
        "flagged": flagged,
        "facility_id": facility_id,
        "sector_id": sector_id,
        "display_timestamp": display_timestamp,
        "regulatory_refs": [
            "FAA Order 7110.65Z (Air Traffic Control)",
            "RTCA DO-278A (NAS Software Qualification)",
            "RTCA DO-385 (ACAS Xu MOPS)",
            "FAA AC 150/5340-40 (RWSL)",
            "EU NIS2 Directive 2022/2555 (ANSP cybersecurity)",
        ],
    }
    audit_path = Path("/var/log/glyphward/atc_radar_ai_scan_audit.jsonl")
    audit_path.parent.mkdir(parents=True, exist_ok=True)
    with audit_path.open("a") as fh:
        fh.write(json.dumps(record) + "\n")

Deploy scan_atc_radar_display at each ATC radar AI synthetic display ingestion boundary: before STARS/TAMR STCA radar scope AI (threshold 35), before ERAM en route conflict AI (threshold 35), before ACAS Xu encounter geometry rendering AI (threshold 35), before ASDE-X RWSL surface picture AI (threshold 35), and before iTEC RIMCAS composite display AI (threshold 35). On AdversarialATCImageError or any Glyphward API error: fail-closed — block the display image from passing to the AI conflict alert engine and revert to the non-AI separation assurance mode (conventional radar monitoring with manual controller assessment), logging the quarantine event with RTCA DO-278A references. Get early access

Related questions

Why does ATC radar AI use threshold 35 — the same as surgical robotics AI — rather than the threshold of 40 used for most life-critical contexts?

The threshold of 35 for ATC radar AI reflects two structural properties of the NAS safety context that align it with surgical robotics in the lowest-threshold class. First, the operational consequence of a missed ATC conflict alert is a mid-air collision or runway incursion involving aircraft carrying hundreds of passengers — a mass-casualty event rather than the single-patient events that characterize most medical AI adversarial injection consequences. A single missed STCA alert at SoCal TRACON during simultaneous instrument approaches to LAX parallel runways involves aircraft carrying 150–400 passengers each; the consequence scale of a false negative at threshold 50 is categorically higher than for any single-patient clinical AI error. Second, the ATC controller’s time-to-response after an undetected conflict develops is measured in tens of seconds rather than minutes — at TRACON separation minima of 3nm and typical instrument approach closing speeds of 250–300 knots, a missed STCA alert leaves approximately 36–43 seconds before minimum separation is violated, insufficient for a controller to independently detect, assess, and resolve the conflict through unassisted radar monitoring of a sector with 15–30 simultaneous tracks.

The asymmetry of consequences at the tail of the distribution — where a single adversarial injection event could cause a multi-fatality aviation accident — justifies a threshold that accepts a higher false positive rate (more legitimate radar scope images triggering quarantine and reversion to non-AI separation mode) in exchange for the lowest achievable false negative rate. The practical operational cost of a false positive in ATC AI — a 10–30 second period during which the AI conflict alert is in reversion mode and controllers are performing unassisted radar separation — is a manageable degraded-mode operation equivalent to the standard manual separation that ATC controllers trained on before AI assist was introduced. The cost of a false negative is not manageable.

How does ACAS Xu’s reinforcement learning architecture create different adversarial injection properties compared to TCAS II’s deterministic logic?

TCAS II’s RTCA DO-185B certified deterministic logic — a fixed decision tree based on the intruder’s estimated time to closest point of approach (tau) and relative altitude rate — is not an adversarial injection target in the same way as ACAS Xu’s RL policy, because TCAS II’s decision computation is entirely based on directly measured transponder-derived parameters (range, altitude, range rate) rather than rendered image inputs. TCAS II has no image processing step; its sole input is the SSR transponder reply signal processed through the TCAS directional antenna. ACAS Xu, by introducing an AI policy trained on a learned Q-table, creates an image rendering step in the state estimation pipeline — the encounter geometry visualization that maps sensor-fused surveillance data into the discretized ACAS Xu state space — that is the adversarial injection surface. The RL policy’s behaviour under adversarially corrupted state inputs is also fundamentally different from TCAS II’s deterministic response: TCAS II would generate an erroneous RA if its tau calculation inputs were corrupted (requiring adversarial manipulation of the raw transponder signal), while ACAS Xu’s RL policy can generate an erroneous RA from a correctly measured encounter geometry if the image rendering of that geometry produces a state representation that maps to the wrong Q-table lookup index.

The RL policy’s ability to “be fooled” by encounter geometry rendering artifacts is a new attack surface class that does not have an analogue in TCAS II. The adversarial robustness evaluation required for ACAS Xu’s DO-385 certification — conducted at MIT Lincoln Laboratory and FAA under the Formal Methods Supplement to DO-385 — evaluates the RL policy’s performance against the encounter model distribution; it does not evaluate the policy’s robustness against adversarially perturbed state space renderings, which is a distinct attack class. A Glyphward pre-scan gate at the encounter geometry rendering boundary provides the runtime adversarial detection that the DO-385 certification adversarial evaluation does not address.

What are the regulatory cybersecurity requirements for NAS AI systems under FAA and RTCA standards?

FAA cybersecurity requirements for NAS AI systems derive from multiple overlapping regulatory sources. RTCA DO-278A (Software Integrity Assurance Considerations for Communication, Navigation, Surveillance and Air Traffic Management systems) establishes the software qualification level requirements for NAS ground systems software — the equivalent of DO-178C for airborne systems — and specifically includes cybersecurity considerations for networked NAS software under a supplement framework analogous to the DO-178C/DO-326A relationship for airborne cybersecurity. FAA Order 8200.1 (National Airspace System Certification) governs the certification process for NAS-critical systems including STARS, TAMR, ASDE-X, and ERAM. The FAA’s National Cybersecurity Plan (NCSP) — updated in 2022 under OMB Circular A-130 cybersecurity requirements — specifies adversarial threat modelling requirements for NAS critical infrastructure under FISMA (Federal Information Security Modernization Act) and the NIST Cybersecurity Framework. For AI components specifically, the FAA’s AI research program (under FAA Research Engineering and Development Program) includes adversarial ML evaluation requirements for AI/ML components deployed in safety-critical NAS systems, aligned with NIST AI RMF (AI Risk Management Framework) and NIST AI 100-2 (Adversarial Machine Learning guidance, published January 2024). ACAS Xu’s DO-385 certification pathway includes specific adversarial robustness testing requirements under the Formal Methods Supplement that are analogous to but narrower than the full runtime adversarial injection coverage that a Glyphward scan gate provides.

How does ASDE-X Runway Status Light adversarial injection differ from ATC controller human override?

The RWSL system’s Takeoff Hold Lights (THLs) and Runway Intersection Lights (RILs) provide flight crew warnings that are independent of ATC controller awareness — the lights illuminate automatically based on ASDE-X AI classification without requiring controller action or communication. This independence is the RWSL’s primary safety value: it provides a direct crew warning that bypasses the ATC communication chain and does not depend on the controller having detected the incursion and transmitted a “hold position” or “stop” instruction before the flight crew initiates takeoff. In the FAA’s RWSL evaluation studies at Las Vegas McCarran (KLAS) and Atlanta Hartsfield-Jackson (KATL), the RWSL system demonstrated detection of incursion events that were not independently detected by the ATC controller in time to prevent aircraft movement. This autonomous alerting property — the RWSL’s core differentiator from the ATC communication barrier — is precisely what adversarial ASDE-X AI injection subverts: by preventing the RWSL AI from classifying an incursion event correctly, the adversarial injection eliminates the one safety barrier that operates independently of controller performance. The controller remains the only remaining incursion warning mechanism — a reversion to the pre-RWSL safety architecture that RWSL was designed to supplement precisely because it was found to be insufficient at high-complexity airports during controller workload peaks.

What is the adversarial injection surface in ERAM en route AI compared to TRACON STARS/TAMR?

The FAA En Route Automation Modernization (ERAM) system — developed by Leidos (formerly Lockheed Martin) and deployed at all 20 ARTCCs — manages en route airspace between approximately FL100 and FL600 over the contiguous US and oceanic tracks, handling approximately 5,000–7,000 simultaneous en route flights at peak periods. ERAM’s AI conflict prediction function (the En Route Conflict Alert, ERICA) uses trajectory prediction over longer time horizons — 12–20 minutes look-ahead for en route spacing compared to 2–3 minutes for TRACON STCA — and processes aircraft radar track vectors from ARSR-4 long-range radar returns (600nm range, 12-second update rate) combined with ADS-B position reports through an AI trajectory modeling engine that generates conflict alerts based on predicted flight profile deviations. The adversarial injection surface in ERAM is architecturally equivalent to STARS STCA: the rendered radar scope synthetic display image fed to the ERICA conflict alert AI. However, the longer look-ahead time horizon in ERAM provides a greater opportunity for human controllers to independently detect developing conflicts without AI assistance — 12–20 minutes is a time horizon within which an experienced ARTCC controller can perform manual separation analysis of a developing conflict. This additional human capability provides a partial mitigation that does not exist at TRACON timescales, justifying the same threshold of 35 (reflecting mass-casualty consequence potential) while noting that the per-event false-negative consequence in ERAM may be partially mitigated by the longer time window for independent human detection.