0002 - Classification Engine: Flight Trust Levels

Andi Lamprecht ·2026-05-11· 11 min read· Draft

CONFIDENTIAL | DroneUp | April 2026

This document supersedes the classification rules in PRD 0001 Section G. PRD 0001 remains the authoritative source for all other MVP scope; this document provides the detailed classification model.

1. Purpose

Define the classification categories, resolution rules, and UI representation for aircraft trust levels in the live airspace view (Common Operating Picture).

The classification engine takes three independent data inputs – pilot identity, aircraft (UA) identity, and flight intent – and produces a single, deterministic trust level for each aircraft. The output is a color-coded indicator suitable for real-time display and downstream system consumption.

Scope

Exact classification rules and the data inputs that feed each level
A config-ready axis dictionary that maps directly to software implementation
UI representation: colors, overlay states, badges
Edge cases: partial data, degraded signals, conflicting inputs
How classification changes in real time as conditions evolve
Demo narrative arc for stakeholder presentations

Out of Scope

Scoring, probabilities, or analytical models – all outputs are rule-based and explainable
Real FAA DiSCVR integration (simulated for demo)
Cryptographic implementation details (see crypto identity spike)
Non-conformance detection internals (reuses existing collision service logic per Ihor)

2. Identity Axes

The classification engine evaluates three independent axes. Each axis has an ordered set of states from lowest to highest trust. These definitions are designed to be used directly as a configuration file.

2.1 Pilot Identity

Ordinal	State	Key	Description
0	Unknown	`unknown`	No pilot information available.
1	Declared	`declared`	Pilot identity claimed via Remote ID broadcast or FAA DiSCVR lookup. Not independently verified.
2	Verified	`verified`	Pilot authenticated through a strong identity provider (e.g., login.gov). Identity independently confirmed.

2.2 UA (Drone) Identity

Ordinal	State	Key	Description
0	Unknown	`unknown`	No aircraft information available. Raw telemetry only.
1	Declared (Remote ID)	`declared_rid`	Aircraft broadcasts standard Remote ID. Identity claimed but not independently verified.
2	Software Verified	`software`	Software-anchored identity via certificate. Revocable, but no hardware binding.
3	Hardware Verified	`hardware`	Hardware PKI on the aircraft. Strong non-repudiation – identity is bound to physical hardware.

2.3 Flight Intent

Ordinal	State	Key	Description
0	Absent	`absent`	No operational intent or flight authorization exists for this aircraft.
1	Operational Intent	`oi_only`	An operational intent has been submitted but no flight authorization has been granted.
2	Authorized	`authorized`	Flight authorization granted by all required jurisdictions.

Future Consideration: oi_planned

A potential intermediate state between absent and oi_only: the pilot has filed a flight intent but has not adhered to the planned timing (e.g., took off before authorization window). This edge case is deferred from the initial model but can be inserted at ordinal 1 by shifting oi_only to ordinal 2 and authorized to ordinal 3 without changing the resolution algorithm.

2.4 Configuration Reference

The axis definitions above map directly to this YAML structure, intended as the source of truth for the classification engine implementation:

# classification-config.yaml
# Three independent identity axes with ordered states.
# Ordinals define the trust progression within each axis.

axes:
  pilot:
    unknown:       0
    declared:      1
    verified:      2

  ua:
    unknown:       0
    declared_rid:  1
    software:      2
    hardware:      3

  flight:
    absent:        0
    oi_only:       1
    authorized:    2

3. Trust Levels

Five trust levels, ordered from lowest to highest confidence. Each level defines the minimum axis requirements that must ALL be satisfied for an aircraft to qualify.

3.1 Level Definitions

Color: Red

The aircraft is detected via raw telemetry (e.g., counter-UAS sensor) but nothing is known about it. No pilot identity, no drone identity, no flight intent.

Minimum Requirements:

Axis	Minimum State
Pilot	`unknown` (0)
UA	`unknown` (0)
Flight	`absent` (0)

This is the baseline – every aircraft starts here until data elevates it.

Color: Orange

Identities have been claimed but not independently verified. Typically triggered by Remote ID broadcast and a corresponding DiSCVR pilot lookup.

Minimum Requirements:

Axis	Minimum State
Pilot	`declared` (1)
UA	`declared_rid` (1)
Flight	`absent` (0)

Note: An aircraft with strong identity credentials (verified pilot, software/hardware UA) but no flight authorization also resolves here. We know who they are – they just do not have permission.

Color: Yellow

At minimum, an operational intent exists and matches the aircraft. Identities are at least declared (not verified through the platform). The system can correlate the flight with a known plan.

Minimum Requirements:

Axis	Minimum State
Pilot	`declared` (1)
UA	`declared_rid` (1)
Flight	`oi_only` (1)

Note: This level also captures cases where identities exceed the minimum but flight intent has not reached full authorization (e.g., verified pilot + hardware UA + operational intent only).

Color: Green

The flight is authorized through the system. The pilot is verified via a strong identity provider. The drone has a software-anchored identity certificate.

Minimum Requirements:

Axis	Minimum State
Pilot	`verified` (2)
UA	`software` (2)
Flight	`authorized` (2)

This is the standard “fully trusted” state for flights processed through the platform.

Color: Purple

Highest trust level. Same as L4 but with hardware PKI on the drone, providing strong non-repudiation. The drone’s identity is bound to physical hardware and cannot be spoofed via software alone.

Minimum Requirements:

Axis	Minimum State
Pilot	`verified` (2)
UA	`hardware` (3)
Flight	`authorized` (2)

This represents the target end-state for the platform.

3.2 Level Thresholds (Configuration Reference)

# Extends classification-config.yaml
# Each level defines minimum ordinal requirements per axis.
# Resolution: iterate L5 -> L1; first level where ALL axes meet
# or exceed the minimum is the assigned trust level.

levels:
  - id: L1_unidentified
    name: Unidentified
    color: red
    min_pilot: 0        # unknown
    min_ua: 0            # unknown
    min_flight: 0        # absent

  - id: L2_declared
    name: Declared
    color: orange
    min_pilot: 1         # declared
    min_ua: 1            # declared_rid
    min_flight: 0        # absent

  - id: L3_correlated
    name: Correlated
    color: yellow
    min_pilot: 1         # declared
    min_ua: 1            # declared_rid
    min_flight: 1        # oi_only

  - id: L4_authorized
    name: Authorized
    color: green
    min_pilot: 2         # verified
    min_ua: 2            # software
    min_flight: 2        # authorized

  - id: L5_verified
    name: Verified
    color: purple
    min_pilot: 2         # verified
    min_ua: 3            # hardware
    min_flight: 2        # authorized

3.3 Resolution Algorithm

The trust level for an aircraft is determined by a single rule:

Iterate from L5 down to L1. The first level where the aircraft’s pilot, UA, and flight intent values ALL meet or exceed the level’s minimum requirements is the assigned trust level.

This algorithm is:

Deterministic – same inputs always produce the same output, no randomness or weighting
Self-consistent – monotonically increasing thresholds prevent contradictions
Complete – every possible axis combination resolves to exactly one level (L1 is the catch-all)
Extensible – new axis states or levels can be added by inserting ordinals and threshold rows

3.4 Combination Verification

Key combinations verified against the resolution algorithm:

Pilot	UA	Flight	Resolves To	Rationale
unknown	unknown	absent	L1 Red	Canonical L1. Raw telemetry, nothing known.
unknown	declared_rid	absent	L1 Red	RID detected but pilot unresolved. Pilot fails L2 threshold.
declared	unknown	absent	L1 Red	Pilot declared but drone unknown. UA fails L2 threshold.
declared	declared_rid	absent	L2 Orange	Canonical L2. Both identities declared via RID/DiSCVR.
declared	declared_rid	oi_only	L3 Yellow	Canonical L3. Operational intent matched.
declared	declared_rid	authorized	L3 Yellow	Authorized but pilot only declared – fails L4 pilot threshold.
verified	software	absent	L2 Orange	Strong IDs but no authorization. Known but not cleared.
verified	hardware	oi_only	L3 Yellow	Max identity but only OI – fails L4 flight threshold.
verified	software	authorized	L4 Green	Canonical L4. Full authorization, software identity.
verified	hardware	authorized	L5 Purple	Canonical L5. Hardware PKI, strong non-repudiation.
declared	hardware	authorized	L3 Yellow	Hardware cert + authorized but pilot only declared. Fails L4.
verified	declared_rid	authorized	L3 Yellow	Verified pilot, authorized, but drone only RID. Fails L4 UA threshold.

4. Non-Conformance Overlay

Non-conformance is an independent, transient state – not a trust level. It represents an aircraft that has deviated from its filed intent or authorized parameters. Because deviations can be momentary (e.g., briefly clipping the edge of an authorized area due to wind), non-conformance is modeled as a recoverable overlay rather than a change to the trust level.

Design decision: Non-conformance was considered as an ordinal state within the flight intent axis (e.g., non_conformant at ordinal 1). This was rejected because non-conformance is transient and recoverable – the trust level must remain stable while conformance status fluctuates. Yo-yoing the trust level on every brief deviation would make the COP unusable.

4.1 Applicability

Level	Non-Conformance Applicable	Reason
L1 Unidentified	No	No intent or authorization on record to deviate from.
L2 Declared	No	No intent or authorization on record to deviate from.
L3 Correlated	Yes	Operational intent exists; deviation is detectable.
L4 Authorized	Yes	Flight authorization defines bounds; deviation is detectable.
L5 Verified	Yes	Same as L4 with stronger identity assurance.

4.2 Trigger Conditions

Aircraft position outside the authorized geographic area
Aircraft altitude outside the authorized altitude band
Aircraft operating outside the authorized time window
Flight authorization rescinded by a jurisdiction

4.3 State Transitions and Grace Period

Non-conformance follows a three-state lifecycle:

Conformant ──[deviation detected]──> Non-Conformant ──[back in bounds]──> Grace Period ──[grace expires]──> Conformant
                                          │                                     │
                                          │                              [deviation again]
                                          │                                     │
                                          <─────────────────────────────────────┘

Transition	Trigger	Behavior
Conformant to Non-Conformant	Deviation detected (position, altitude, or time)	Immediate. Red overlay activates.
Non-Conformant to Grace Period	Aircraft returns within authorized parameters	Timer starts. Red overlay remains but animation may soften (implementation detail).
Grace Period to Conformant	Grace timer expires without further deviation	Overlay removed. Trust level unchanged throughout.
Grace Period to Non-Conformant	New deviation detected before grace expires	Timer resets. Full red overlay resumes.

The grace period prevents visual flickering when an aircraft is near the boundary of its authorized area. The trust level never changes during any of these transitions – it remains at whatever the threshold algorithm assigned.

4.4 Visual Treatment

The underlying trust level color remains visible (operators need to know who is non-conformant – a green aircraft out of bounds is a very different situation than a red one)
A pulsing/flashing animation is applied to the aircraft indicator
A red border or ring surrounds the color dot
The aircraft detail panel displays the conformance state explicitly
During the grace period, the overlay persists but may use a reduced animation (e.g., solid red border without pulsing) to indicate “recently non-conformant, recovering”

4.5 Configuration Reference

# Non-conformance is independent of trust level.
# Only applicable when flight intent >= oi_only.
non_conformance:
  applicable_min_flight: 1          # oi_only or higher
  grace_period_seconds: 10          # configurable; time before clearing overlay
  visual_active: pulsing_red_border
  visual_grace: solid_red_border    # reduced animation during grace period
  detail_label: "Non-Conformant"

5. Edge Cases and Future Considerations

5.1 Partial Data / In-Transit States

Scenario	Handling
RID detected, pilot lookup in progress	Remains L1 (Red) until pilot identity resolves. The L1-to-L2 transition is the key demo moment.
Authorization granted, drone not yet airborne	Trust level is pre-computed but not displayed until telemetry appears on the COP.
Multiple conflicting RID signals for same position	Treat as L1 until correlation engine disambiguates. Flag for operator review.

5.2 Signal Degradation

Scenario	Handling
RID signal lost mid-flight	Trust level degrades: remove `declared_rid` from UA, re-evaluate. If this drops below current level thresholds, level decreases.
Telemetry gap (no position updates)	Aircraft shown at last known position with a “stale” indicator. Trust level unchanged but staleness flagged.
Authorization expires during flight	Flight intent reverts from `authorized` to `absent`. Trust level re-evaluated. Non-conformance may apply if aircraft continues operating.

5.3 Future Extensions

oi_planned state: A filed intent where timing has not been adhered to. Can be inserted at flight ordinal 1 without restructuring.
External match correlation: A future axis or state that captures matches from external systems (LAANC/DroneZone) not processed through the platform.
Multi-source identity: Cases where identity is confirmed by multiple independent sources, potentially warranting a confidence modifier.

6. UI Representation

6.1 Color Reference

Level	Name	Badge	Hex (Suggested)	Meaning
L1	Unidentified	Unidentified	`#E53E3E`	No information available. Highest concern.
L2	Declared	Declared	`#ED8936`	Identities claimed, not verified.
L3	Correlated	Correlated	`#ECC94B`	Flight intent matched. Identities still declared.
L4	Authorized	Authorized	`#48BB78`	Fully authorized. Verified pilot, software identity.
L5	Verified	Verified	`#9F7AEA`	Highest trust. Hardware PKI, strong non-repudiation.
–	Non-Conformant	Non-Conformant	`#E53E3E`	Overlay on L3/L4/L5. Deviation from intent or authorization.

6.2 Map Indicator

Each aircraft on the COP map is rendered as a colored dot or icon:

Dot color corresponds to trust level
Non-conformant aircraft: pulsing animation with red border ring
On hover or click: trust level name, conformance state, and the three axis values are shown in the aircraft detail panel

7. Demo Presentation and Comparison

For the demo script, presentation narrative, talk-track guidance, and current-state-vs-ATOMx comparison, see PRD 0003 - Demo Script: Partner.

8. Relationship to PRD 0001

This document provides the detailed classification model for the MVP demonstration system defined in PRD 0001.

What this document supersedes:

PRD 0001 Section G (Classification Engine) – replaced by the threshold-based model in Section 3 above
PRD 0001 color coding reference – replaced by Section 6 above

What remains in PRD 0001:

All other system components (Operator Submission, Authorization Management, Field Awareness View, Simulation Engine, External Awareness)
Demo flow (high-level) – see PRD 0003 for the detailed presentation script
Non-functional requirements and success criteria

Key Changes from PRD 0001

Aspect	PRD 0001	This Document
Number of levels	4 (Unknown, Limited Info, Known, Verified)	5 (Unidentified, Declared, Correlated, Authorized, Verified)
Colors	Gray, Yellow, Blue, Green	Red, Orange, Yellow, Green, Purple
Classification basis	Authorization + external match + identity type	Three independent axes with threshold-based resolution
Model type	Implicit rules	Explicit config-ready YAML with resolution algorithm
Extensibility	Ad hoc	Ordinal-based; new states and levels can be inserted

Last updated on May 11, 2026

0001 - MVP Demonstration: Flight Authorization + Verifiable Identity 0004 - Jurisdiction Service