The state of the art in formal methods applied to air traffic management systems involves specifying software behavior in detail, using formalisms such as Statecharts. Although such methods are precise, they do not help much in understanding the systems intuitively; nor do they enable analysis of high-level global requirements, such as “Under condition A, the planes will not crash.”

To aid people in understanding such systems, and to enable such analysis, we advocate defining high-level mathematical models for the system, including not only the control software, but also the airplanes, sensors, and pilots—that is, high-level hybrid system models.

In a current demonstration project at MIT and Berkeley, we have defined abstract models for the key system components of the new TCAS II (version 7) system. These are based formally on the Hybrid I/O Automaton (HIOA) model [1]. We are using these models to formulate and prove theorems about the behavior of the system under particular assumptions. Our results are intended only as illustrations—the models provide a foundation for study of a wide range of properties of the system’s behavior. We hope that this project will help to produce improved validation methods for air-traffic management systems.