Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

Testing and verification of neural-network-based safety-critical control software: A systematic literature review

Testing and verification of neural-network-based safety-critical control software: A systematic... Context: Neural Network (NN) algorithms have been successfully adopted in a number of Safety-Critical Cyber- Physical Systems (SCCPSs). Testing and Verification (T&V) of NN-based control software in safety-critical domains are gaining interest and attention from both software engineering and safety engineering researchers and practition- ers. Objective: With the increase in studies on the T&V of NN-based control software in safety-critical domains, it is important to systematically review the state-of-the-art T&V methodologies, to classify approaches and tools that are invented, and to identify challenges and gaps for future studies. Method: By searching the six most relevant digital libraries, we retrieved 950 papers on the T&V of NN-based Safety-Critical Control Software (SCCS). Then we filtered the papers based on the predefined inclusion and exclusion criteria and applied snowballing to identify new relevant papers. Results: To reach our result, we selected 83 primary papers published between 2011 and 2018, applied the thematic analysis approach for analyzing the data extracted from the selected papers, presented the classification of approaches, and identified challenges. Conclusion: The approaches were categorized into five high-order themes, namely, assuring robustness of NNs, improving the failure resilience of NNs, measuring and ensuring test completeness, assuring safety properties of NN- based control software, and improving the interpretability of NNs. From the industry perspective, improving the interpretability of NNs is a crucial need in safety-critical applications. We also investigated nine safety integrity prop- erties within four major safety lifecycle phases to investigate the achievement level of T&V goals in IEC 61508-3. Results show that correctness, completeness, freedom from intrinsic faults, and fault tolerance have drawn most atten- tion from the research community. However, little e ort has been invested in achieving repeatability, and no reviewed study focused on precisely defined testing configuration or defense against common cause failure. Keywords: Software testing and verification, Neural network, Safety-critical control software, Systematic literature review 1. Introduction Cyber-Physical Systems (CPSs) are systems involving networks of embedded systems and strong human-machine interactions [1]. Safety-critical CPSs (SCCPSs) are a type of CPSs that highlights the severe non-functional constraints (e.g., safety and dependability). The failure of SCCPSs could result in loss of life or significant damage (e.g., property and environmental damage). Typical applications of SCCPSs are in nuclear systems, aircraft flight control systems, automotive systems, smart grids, and healthcare systems. In the last few years, advances in Neural Networks (NNs) have boosted the development and deployment of SCCPSs. The NN is considered the most viable approach to meet the complexity requirements of Safety-Critical Corresponding author Email addresses: jin.zhang@ntnu.no (Jin Zhang), jingyue.li@ntnu.no (Jingyue Li) Accepted 6 March 2020 by Information and Software Technology arXiv:1910.06715v2 [cs.LG] 20 Mar 2020 Control Softwares (SCCSs) [2, 3]. In this study, we refer to NN-based SCCS as SCCS that heavily use NNs (e.g., to implement controller). For example, in the transportation industry, deep-learning-based NNs have been widely used to developing self-driving cars [4] and collision avoidance systems [5]. It is also worth noting that several safety incidents caused by autonomous vehicles have been presented in media, e.g., Uber car’s fatal incident [6], Tesla’s fatal Autopilot crash [7], and Google’s self-driving car crash [8]. In addition to the safety incidents caused by failures of the autonomous system, security breaches of autonomous vehicles can potentially lead to safety issues, e.g., a demo showed that autonomous vehicles can be remotely controlled and hijacked [9]. How can we ensure that an SCCS containing NN technology will behave correctly and consistently when system failures or malicious attacks occur? Increasing interest in the migration of Industrial Control Systems (ICSs) towards SCCPSs has encouraged research in the area of safety analysis of SCCPSs. Kriaa et al. [10] surveyed existing approaches for an integrated safety and security analysis of ICSs. The approaches cover both the design stage and the operational stage of the system lifecycle. Some approaches (such as [11, 12]) are aimed at combining safety and security techniques into a single methodology. Others (such as [13, 14]) are trying to align safety and security techniques. These approaches are either generic, which consider both safety and security at a very high level, or model-based, which build upon the formal or semi-formal representation of the system’s functions. There are many studies that focus on the T&V of NNs in the past decade. Several review articles [15, 16, 17, 18] on this topic have been published. Studies [15, 19] have reviewed methods focusing on verification and validation of NNs for aerospace systems. Studies [17, 18] are limited in automotive applications. None of these review articles have applied the Systematic Literature Review (SLR) [20] approach. Recently there has been more concern about Artificial Intelligence (AI) safety. The state-of-the-art advancements in the T&V of NN-based SCCS are increasingly important; hence, there is a need to have a thorough understanding of present studies to incentivize further discussion. This study aimed to summarize the current research on T&V methods for NN-based control software in SCCPSs. We have systematically identified and reviewed 83 papers focusing on the T&V of NN-based SCCSs and synthesized the data extracted from those papers to answer three research questions. RQ1 What are the profiles of the studies focusing on testing and verifying NN-based SCCSs? RQ2 What approaches and associated tools have been proposed to test and verify NN-based SCCSs? RQ3 What are the limitations of current studies with respect to testing and verifying NN-based SCCSs? To our best knowledge, our study is the first SLR on testing and verifying NN-based control software in SCCPSs. The results of these research questions can help researchers identify the research gaps in this area, and help industrial practitioners choose proper verification and certification methods. The main contributions of this work are: We made a classification of T&V approaches in both academia and industry for NN-based SCCSs. We identified and proposed challenges for advancing state-of-the-art T&V for NN-based SCCSs. The remainder of this paper is organized as follows: In section 2, we define terminologies related to NN-based SCCPSs and summarize related work from academia and industry. Section 3 describes the SLR process and the review protocol. The results of the research questions are reported in Section 4. Section 5 discusses the industry practice of T&V of NN-based SCCSs, and the threats to validity of our study. Section 6 concludes the study. 2. Background In this section, we first introduce terminology related to CPSs and modern NNs and show how NN algorithms have been used in SCCPSs. Then, we present the current state of practice of T&V of SCCSs. 2.1. Cyber-physical systems As defined in [1], “cyber-physical systems (CPSs) are physical and engineered systems whose operations are monitored, coordinated, controlled and integrated by a computing and communication core.” Several other systems, such as Internet of Things (IoTs) and ICSs have very similar features compared to CPSs, since they are all systems 2 used to monitor and control the physical world with embedded sensor and actuator networks. In general, CPSs are perceived as the new generation of embedded control systems, which can involve IoTs and ICSs [21, 22]. In this SLR, we adopted the CPS conceptual model in [23] as a high-level abstraction of CPSs to describe the di erent perspectives of CPSs and the potential interactions of devices and systems in a system of systems (SoS) as shown in Fig. 1. From the perspective of unit level, a CPS at least includes one or several controllers, many actuators, and sensors. A CPS can also be a system consisting of one or more cyber-physical devices. From the SoS perspective, a CPS is composed of multiple systems that include multiple devices. In general, a CPS must contain the decision flow (from controller to actuators), information flow (from sensors to controller), and action flow (actuators impacting the physical state of the physical world). System of Systems level System level Unit level (cyber-physical device) Human Controller Decision Information Actuator(s) Sensor(s) Action Physical state Figure 1: CPS conceptual model In the context of SCCPS, safety and performance are dependent on the system (to be more specific, the controller of the system) making the right decision according to the measurement of the sensors, and operating the actuators to take the right action at the right time. Thus, verification of the process of decision-making is vital for a SCCPS. 2.2. Modern neural networks The concept of neural network was first proposed in 1943 by Warren McCullough and Walter Pitts [24], and Frank Rosenblatt in 1957 designed the first trainable neural network called the Perceptron”[25]. A perceptron is a simple binary classification algorithm with only one layer and output decision of 0 or 1. By the 1980s, neural nets with more than one layer were proposed to solve more complex problems, i.e., multilayer perceptron (MLP). In this SLR, we regard multilayer NNs that emerged after the 1980s as modern NNs. Artificial Neural Network (ANN) is the general name of computing systems designed to mimic how the human brain processes information [26]. An ANN is composed of a collection of interconnected computation nodes (namely artificial neurons), which are organized in layers. Depending on the directions of the signal flow, an ANN can have feed-forward or feedback architectures. Fig. 2 shows a simplified feed-forward ANN architecture with multiple hidden layers. Each artificial neuron has weighted inputs, an activation function, and one output. The weights of the interconnections are adjusted based on the learning rules. There are three main models of learning rules, which are unsupervised learning, supervised learning, and reinforcement learning. The choice of learning rules corresponds to the particular learning task. The common activation functions contain sigmoid, hyperbolic tangent, radial bases function (RBF), and piece-wise linear transfer function, such as Rectified Linear Unit (ReLU) [27]. In a word, an 3 ANN can be defined by three factors: the interconnection structure between di erent layers, activation function type, and procedure for updating the weights. Input Hidden Output layer layer(s) layer …….. …….. …….. Figure 2: A simplified feed-forward ANN architecture Multi-Layer Perceptron (MLP [28]) represents a class of feed-forward ANN. An MLP consists of an input layer, one or several hidden layers, and an output layer. Each neuron of MLP in one layer is fully connected with every node in the following layer. An MLP employs a back-propagation technique (which belongs to supervised learning) for training. Convolutional Neural Network (CNN [29]) is a special type of multi-layer NN with one or more convolutional layers. A convolutional layer includes “several feature maps with di erent weight vectors. A sequential implementa- tion of a feature map would scan the input image with a single unit that has a local receptive field, and store the states of this unit at corresponding locations in the feature map. This operation is equivalent to a convolution, followed by an additive bias and squashing function, hence the name convolutional network”[29]. CNNs are superior for pro- cessing two-dimensional data (particular camera images) because of the convolution operations, which are capable of detecting features in images. CNNs are now widely applied to develop partially-autonomous and fully-autonomous vehicles. Deep Neural Networks (DNNs [30]) represent an ANN with multiple hidden layers between the input and output layers. DNNs (e.g., a MLP with more than three layers or a CNN) di er from shallow NNs (e.g., a three-layer MLP) in the number of layers, the activation functions that can be employed, and the arrangement of the hidden layer. Compared to shallow NNs, DNNs can be trained more in-depth to find patterns with high performance even for complex nonlinear relationships. An NN could be trained oine or online. An NN trained oine means it only learns during development. After training, the weights of the NN will be fixed and the NN will act deterministically. Therefore static verification meth- ods could be possible. In contrast, online training will allow the NN to keep learning and evolving during operation, which requires run-time verification methods. In some applications, such as the Intelligent Flight Control System developed by NASA [15], both oine and online training strategies are employed to meet the system requirements. NNs are fundamentally di erent with algorithmic programs, but a formal development methodology can still be derived for an NN system. Development process of an NN system can include six phases [31]: 1. Formulation of requirements and goals; 2. Selection of training and test data sets; 3. Selection of the NN architecture; 4. Training of the network; 5. Testing of the network; and 6. Acceptance and use by the customer. 4 Like [31], Falcini et al. introduced a similar development lifecycle for DNNs in automotive software [32] and proposed a W-model integrated data development with standard software development to highlight the importance of data-driven in DNN development. Falcini et al. [32] also summarized that the DNN’s functional behavior depends on both its architecture and its learning outcome through training. 2.3. The trends of using NN algorithm in SCCPSs From 1940s automated range finders (developed by Norbert Wiener for anti-aircraft guns) [33] to today’s self- driving cars, AI, especially NN algorithms, is widely applied in both civilian (e.g., autonomous cars) and military domains (e.g., military drones). Boosted by the advances of AI, state-of-the-art CPSs can plan and execute more and more complex operations with less human interaction. Here we present the applications of NNs in the following four representative SCCPSs. 2.3.1. Autonomous cars For automobile, the Society of Automotive Engineers (SAE) proposed six levels of autonomous driving [34]. A level 0 vehicle has no autonomous capabilities, and the human driver is responsible for all aspects of the driving task. For level 5 vehicle, the driving tasks are only managed by the autonomous driving system. When developing autonomous vehicles targeting a high level of autonomy, one industry trend is to use DNNs to implement vehicle control algorithms. The deep-learning-based approach enables vehicles to learn meaningful road features from raw input data automatically and then output driving actions. The so-called end-to-end learning approach can be applied to resolve complex real-world driving tasks. When using deep-learning-based approaches, the first step is to use a large number of training data sets (images or other sensor data) to train a DNN. Then a simulator is used to evaluate the performance of the trained network. After that, the DNN-based autonomous vehicle will be able to “execute recognition, prediction, and planning” driving tasks in diverse conditions [10]. Nowadays, CNNs are the most widely adopted deep-learning model for fully autonomous vehicles [5, 6, 7, 8]. NVIDIA introduced an AI supercomputer for autonomy [35]. The development flow using NVIDIA DRIVE PX includes four stages: 1) data acquisition to train the DNN, 2) deployment of the output of a DNN in a car, 3) autonomous application development, and 4) testing in-vehicle or with simulation. One essential characteristic of deep-learning-based autonomy is that the decision-making part of the vehicle is almost a black box. This means that in most cases, we as human drivers must trust the decisions made by the deep- learning algorithms without knowing exactly why and how the decisions are made. 2.3.2. Industrial control systems Industrial Control System (ICS) is the general term for control systems, also called Supervisory Control and Data Acquisition (SCADA) systems. ICSs make decisions based on the specific control law (such as lookup table and non-linear mathematical model) formulated by human designers. In contrast to the classical design procedure of control law, reinforcement-learning-based approaches learn the control law simply from the interaction between the controller and the process, and then incrementally improving control behavior. Such approaches and NNs have been used in process control two decades ago [36]. Concerning the recent progress in AI and the success of DNNs in making complex decisions, there are high expectations for the application of DNNs in ICSs. For instance, DNNs and reinforcement learning can be combined to develop continuous control [37]. Spielberg et al. extended the work in [37] to design control policy for process control [38]. Even though the proposed approach in [38] is only tested on linear systems, it shows a practical solution for applying DNNs in non-linear ICSs. 2.3.3. Smart grid systems The smart grid is designed as the next generation of electric power system, dependent on information communi- cations technology (ICT). There is tremendous initiative of research activities in automated smart grid applications, such as FLISR (which is a smart grid multi-agent automation architecture based on decentralized intelligent decision- making nodes) [39]. NNs have been considered for solving many pattern recognition and optimization problems, such as fault diagnosis [40], and control and estimation of flux, speed [2], and economical electricity distribution to consumers. MLP is one of the most commonly used topology in power electronics and motor drives [2]. 5 2.3.4. Healthcare Medical devices is another emerging area where research and industry practitioners are seeking to integrate AI technologies to improve accuracy and automation. ANNs and other machine learning approaches have been proposed to improve the control algorithms for diabetes treatment in recent decades [41, 42]. In 2017, an AI-powered device for automated and continuous delivery of basal insulin (named MiniMed 670G system [43]) was approved by the U.S. Food and Drug Administration. In the same year, it was reported that GE Healthcare had integrated the NVIDIA AI platform into their computerized tomography scanner to improve speed and accuracy for the detection of liver and kidney lesions [44]. Using deep learning solutions, such as CNNs, in the medical computing field has proven to be e ective since CNNs have excellent performance in object recognition and localization in medical images [45]. 2.4. Testing and verification of safety-critical control software IEC 61508 and ISO 26262 are two standards highly relevant to the T&V of SCCS. IEC 61508 is an international standard concerning Functional safety of electrical/electronic/programmable electronic safety-related systems. It de- fines four safety integrity levels (SILs) for safety-critical systems [46]. The higher the SIL level a SCCPS requires, the more time and e ort for verification are needed. In IEC 61508, formal methods are highly recommended tech- niques for verifying high SIL systems. Because formal methods can be used to construct the specification and provide a mathematical proof that the system matches some formal requirements, this is quite a strong commitment for the correctness of a system. ISO 26262, titled Road vehicles functional safety, is an international standard for the functional safety of electrical and/or electronic systems in production automobiles [47]. Besides using classical safety analysis methods such as Fault Tree Analysis (FTA) and Failure Mode and E ects Analysis (FMEA), ISO 26262 explicitly states that the production of a safety case is mandated to assure system safety. It defines a safety case as an argument that the safety requirements for an item are complete and satisfied by evidence compiled from work products of the safety activities during development [47]. The development of suitable approaches, which can verify the system behavior and misbehavior of a SCCPS is always challenging. Not to mention that the architecture of NNs (especially DNNs) makes it even harder to decipher how the algorithmic decisions were made. The current version of IEC 61508 is not applicable for the verification of NN-based SCCSs because AI technologies are not recommended there. The latest version of ISO 26262 and its extension, ISO/PAS 21448, which is also known as safety of the intended functionality (SOTIF) [48], will likely provide a way to handle the development of autonomous vehicles. However, SOTIF will only provide guidelines associated with SAE Level 0–2 autonomous vehicles [49], which are not ready for the verification of NN-based autonomous vehicles. In practice, in order to reduce test and validation costs, high-fidelity simulation is a commonly used approach in the automotive domain. The purpose of using a simulator is to predict the behavior of an autonomous car in a mimicked environment. NVIDIA and Apollo distributed their high-fidelity simulation platforms for testing autonomous vehicles. CARLA [50] and Udacity’s Self-Driving Car Simulator [51] are two popular open-source simulators for autonomous driving research and testing. 3. Research method We conducted our SLR by following the SLR guidelines in [20] as well as consulting other relevant guidelines in [52] and [53, 54]. Our review protocol consisted of four parts: 1) search strategy, 2) inclusion and exclusion criteria, 3) selection process, and 4) data extraction and synthesis. 3.1. Search strategy Based on guidelines provided in [20], we use the Population, Intervention, Outcome, Context (PIOC) criteria to formulate search terms. In this SLR, The population should be an application area (e.g., general CPS) or specific CPS (e.g., self-driving car). The intervention is methodology, tools and technology that address system/component testing or verification. 6  The outcome is the improved safety or functional safety of CPSs. The context is the NN-based SCCPSs in which the T&V take place. Fig. 3 shows the search terms formulated based on the PIOC criteria. We first used these search terms to run a series of trial searches and verify the relevance of the resulting papers. We then revised the search string to form the final search terms. The final search terms were composed of synonyms and related terms. Population: “Cyber-physical system*” or “Cyber physical TITLE-ABS-KEY(("Cyber-physical system*" or "Cyber-physical system*" or CPS* or "Smart grid" or "Smart car" or "Automotive system*” or CPS* or “Smart grid” or “Smart car” or “Automotive cyber-physical system*" or "Self-driving car*" or "Autonomous cyber-physical system*” or “Self-driving car*” or “Autonomous vehicle*" or "Autonomous driving system*" or "Automotive vehicle*” or “Autonomous driving system*” or “Automotive electronic control system*" or "Automotive embedded system*" or electronic control system*” or “Automotive embedded system*” "Unmanned Aerial Vehicles" or "aircraft collision avoidance Intervention: “Risk assessment” or “verification” or “test” or system*")AND(“Risk assessment” or “verification” or “test” or ”testing” or “analysis” or “Certification” or “assurance” ” t e s t i n g ” o r “ a n a l y s i s ” o r “ C e r t i f i c a t i o n ” o r Outcome: “Safety” or “Functional safety” “assurance”) AND ( “ S a f e t y ” o r “ F u n c t i o n a l safety”)AND(“Autonomous decision” or “Autonomous agent*” or Context: “Deep learning” or “Deep neural networks” or “Deep learning” or “Deep neural networks”) “Autonomous decision” or “Autonomous agent” Figure 3: Search terms We executed automated searches in six digital libraries, namely, Scopus, IEEE Xplore, Compendex EI, ACM Digital library, SpringerLink, and Web of Science (ISI). 3.2. Inclusion and exclusion criteria Table 1 presents our inclusion and exclusion criteria. We set three inclusion criteria to restrict the application domain, context, and outcome type. We excluded papers that were not peer-reviewed, such as keynotes, books, and dissertations, and papers not written in English. It should be clarified that, unlike most other SLR studies, we did not directly exclude short papers (less than six pages), work-in-progress papers, and pre-print papers. The reason is that this research area is far from mature, so many initial thoughts or in-progress papers are still valuable to review. Table 1: Inclusion and Exclusion criteria Inclusion criteria I1 The paper must have a context in SCCPSs, either in general or in a specific application domain I2 The paper must be aimed at testing/verification approaches for NN-based SCCSs I3 The paper must be aimed at modern neural networks Exclusion criteria E1 Papers not peer-reviewed E2 Not written in English E3 Full-text is not available E4 Not relevant to modern neural networks 3.3. Selection process We used the inclusion and exclusion criteria to filter the papers in the following steps. We covered papers from January 2011 to November 2018. Fig. 4 shows the whole search and filtering process. Stage 1: Ran the search string on the six digital libraries and retrieved 1046 papers. After removing those dupli- cated papers, we had 950 papers. Stage 2: Excluded studies by reading title and keywords. If it was not excluded simply by reading titles and keywords, the paper was kept for further investigation. At the end of this stage, we selected 254 papers. Stage 3: Further filtered the papers by reading abstracts and found 105 potential papers with high relevance to the research goal of our SLR. 7 Stage 1 Data Sources: Scopus, IEEE Xplore, Compendex Results=950 EI, ACM Digital library, SpringerLink, and Web of Science(ISI) Stage 2 Results=254 Apply inclusion and exclusion criteria by reading title and keywords Stage 3 Results=105 Apply inclusion and exclusion criteria by reading abstract Stage 4 Results=27 Apply inclusion and exclusion criteria by reading introduction and conclusion Stage 5 Results=83 Snowballing: Read full paper got in 4th stage and scan the reference Figure 4: Search process Stage 4: Read the introduction and conclusion to decide on selection. We recorded the reasons for exclusion for each excluded paper. We excluded the papers that were irrelevant, or whose full texts were not available. Furthermore, we critically examined the quality of primary studies to exclude those that lacked sucient information. We ended up with 27 papers. Stage 5: Read full text of the selected studies from the fourth stage, applied snowballing by scanning the reference of the selected papers. The snowballing process can be implemented in two directions: backwards (which means scanning the references of a selected paper and find any other relevant papers published before the selected paper), and forwards (which means checking if any other relevant paper was published after the selected paper and cited the selected paper). In our SLR, we adapted mainly backward snowballing to include additional papers. To limit the scope of the snowballing, we covered only references published between 2011 and 2018. From snowballing, we found 56 new relevant papers. Finally, we selected 83 papers as primary studies for detailed analysis. We listed all of the selected studies in Appendix A. The first author conducted the selection process with face-to-face discussions with the second author. The second author performed a cross-check of each step and read all the final selected papers to confirm the selection of the papers. 8 3.4. Data extraction and synthesis Data Extraction: We extracted two kinds of information from the selected papers. To answer RQ1, we extracted information for statistical analysis, e.g., publication year and research type. To answer RQ2 and RQ3, we collected information to identify key features (such as research goal, technique and tools, major contribution and limitation) of T&V approaches. Synthesis: We used descriptive statistics to analyze the data for answering RQ1. To answer RQ2 and RQ3, we analyzed the data using the qualitative analysis method by following the five steps of thematic analysis [55]: 1) extracting data, 2) coding data, 3) translating codes into themes, 4) creating a model of higher-order themes, and 5) assessing the trustworthiness of the synthesis. 4. Result 4.1. RQ1. What are the profiles of the studies focusing on testing and verifying NN-based SCCSs? Studies distributions: Fig. 5 shows the distribution of selected papers based on publication year and the types of work. There has been 68 papers (81.9%) published since 2016, indicating that researchers are paying more attention to the T&V of NN-based SCCSs. Conference was the most popular publication type with 48 papers (57.8%), followed by pre-print (25 papers, 30.1%), workshop (6 papers, 7.2%), and journal (4 papers, 4.8%). 2011 2012 2013 2014 2015 2016 2017 2018 Pre-print 0 0 2 0 3 0 13 7 Wo rk sh op 0 0 0 1 1 0 3 1 Journal 0 1 0 0 1 0 1 1 Conference 1 0 0 2 3 12 20 10 Conference Journal Wo rk sh op Pre-print Figure 5: Publication year and types of selected papers We also investigated the geographic distribution of the reviewed studies. It allowed us to identify which countries are leading the research in this domain. We considered a study to be conducted in one country if the aliation of at least one author is in that country. Moreover, the involvement of industry would be an indicator of industry’s interest in this domain. We classified the reviewed papers as industry if at least one author came from industry or the study used real-world industrial systems to test/verify the proposed approach. A paper would be categorized as academia if all authors came from academia. It shows that researchers based in the USA have been involved in the most primary studies for testing or verification of NN-based SCCSs with 56 publications, followed by the researchers based in Germany and the UK with 10 and 9 publications, respectively. It is worth noting that 47 of 83 (56.6%) publications have involvement from industry. Research types: We classified the selected papers based on the criteria proposed by Kai et al. [52] (See Table 2). According to Table 2, the research type of the paper is governed by rules (i.e., R1-R6). Each rule is a combination of Number of studies several conditions. The six research types (i.e., evaluation research, solution proposal, validation research, philosoph- ical papers, opinion papers, and experience papers) correspond to R1-R6, respectively. For example, both evaluation research (corresponding to R1) and validation research (corresponding to R4) must present empirical evaluation. The di erence between evaluation and validation research is that validation is not used in practice (e.g., experimental or simulation-based approaches), whereas evaluation studies should be conducted in a real-world context. Solution pro- posal means that it has to propose a new solution that may or may not be used in practice. We found that evaluation and validation research are the majority of the selected papers, corresponding to 31.3% (26 papers) and 61.4% (51 papers) of the selected papers, respectively. The low percentage of the solution proposal (6 papers) was not surprising because a majority of the reviewed papers presented and demonstrated their T&V approaches through academic and industrial case studies, simulation, and controlled experiments. The other three types of research papers (i.e., philo- sophical papers, opinion papers, and experience papers) do not exist in selected studies because we only included papers that aimed at testing/verification approaches (refer to inclusion criteria I2). Table 2: Research type classification (T = True, F = False, l = irrelevant or not applicable, R1R6 refer to rules). R1 R2 R3 R4 R5 R6 Conditions Used in practice T l T F F F Novel solution l T F l F F Empirical evaluation T F F T F F Conceptual framework l l l l T F Opinion about something F F F F F T Authors’ experience l l T l F F Decisions Evaluation research 3 l l l l l Solution proposal l 3 l l l l Validation research l l l 3 l l Philosophical papers l l l l 3 l Opinion papers l l l l l 3 Experience papers l l 3 l l l Note: Reprinted from [52],Copyright 2015 by the Elsevier. Application domains: We analyzed the application domain of selected studies to provide useful information for researchers and practitioners who are interested in the domain-specific aspects of the approaches. The results are shown in Table 3. We found that considerable e ort is now being put into using NN algorithms to accomplish control logic for general purpose (59 papers, 71.1%), automotive CPSs, such as autonomous vehicles (13 papers, 15.7), and autonomous aerial systems, such as airborne collision avoidance systems for unmanned aircrafts (5 papers, 6%). Table 3: Distribution of application domains of the selected studies Application domain No. of studies General SCCPSs 59 Automotive CPSs 13 Autonomous aerial systems 5 Robot system 5 Health care 1 4.2. RQ2. What approaches and associated tools have been proposed to test and verify NN-based SCCSs? As 4 of the 83 papers focused mainly on high-level ideas and concepts without presenting detailed approaches or tools, we did not include them to answer RQ2. For the remaining 79 out of 83 (95.2%) papers, we applied the thematic 10 analysis approach [55] and identified five high-order themes and some sub-themes. Some papers contain more than one themes. In order to balance the accuracy and the simplicity of categorization, we decided to assign each study only one category based on its major contribution. Table 4 presents the themes, sub-themes, and the corresponding papers. Fig. 6 compares the interests di erence of academia and industry for the five identified themes. Table 4: A classification of approaches to test and verify NN-based SCCSs Themes Sub-themes Papers # Understanding the characteristics and impacts of adver- [56],[57],[58],[59],[60], [61], [62] 17 sarial examples Assuring robustness of NNs Detect adversarial examples [63],[64], [65], [66], [67], [68] Mitigate impact of adversarial examples [69], [70] Improving robustness of NNs through using adversarial [71], [72] examples Improving failure resilience of NNs [73],[74],[75],[76],[77],[78],[79],[80],[81],[82],[83] 11 Measuring and ensuring test com- [84],[85],[86],[87],[88],[89],[90] 7 pleteness Assuring safety properties of NN- [91],[92],[93],[94],[95],[96],[97],[98],[99], 13 based CPSs [100],[101],[102],[103] [104],[105],[106],[107],[108],[109],[110],[111], Understand how a specific decision is made [112],[113],[114],[115],[116],[117],[118], [119], Improving interpretability [120],[121],[122] of NNs Facilitate understanding of the internal logic of NNs [123],[124],[125],[126],[127],[128] 31 Visualizing internal layers of NNs to help identify errors [129],[130],[131],[132],[133],[134] in NNs Assuring robustness of NN Improving failure resilience of NN Me asuring and ens uring t est completeness Assuring safety properties of NN-based SCCPS Improving interpretability of NN 0 5 10 15 20 25 30 35 ACADEMIA INDUSTRY Figure 6: Comparing the interests di erence of academia and industry 4.2.1. CA1: Assuring robustness of NNs One high-order theme of the studies is to assure the robustness of NNs. Robustness of an NN is its ability to cope with erroneous inputs. The erroneous inputs can be an adversarial example (i.e., an input that adds small perturbation intentionally to mislead classification of an NN), or benign but wrong input data. Methods under this theme can be further classified into four sub-themes. Studies focusing on understanding the characteristics and impacts of adversarial examples. Some studies tried to identify the characteristics and impacts of adversarial examples. The study [57] found the characteristics, such as the linear nature, of adversarial examples. The study [59] measured the impact of adversarial examples by counting 11 their frequencies and severities. Nguyen et al. [56] found that a CNN trained on ImageNet [135] is vulnerable to adversarial examples generated through Evolutionary Algorithms (EAs) or gradient ascent. A few other studies, such as [58, 60, 61, 62], tried to understand the characteristics of robust NNs. Cisse et al. [60] introduced a particular form of DNN, namely Parseval Networks, that is intrinsically robust to adversarial noise. Gu et al. [62] concluded that some training strategies, for example, training using adversarial examples or imposing contractive penalty layer by layer, are robust to certain structures of adversarial examples (e.g., inputs corrupted by Gaussian additive noises or blurring). Higher-confidence adversarial examples (i.e., adversarial instances that are extremely easy to classify into the wrong category) were used to evaluate the robustness of the state-of-the-art NN in [61] and the robot-vision system in [58]. Studies focusing on methods to detect adversarial examples. Detecting adversarial examples that are already inserted into training or testing data set are the primary targets of [63, 65, 66, 67, 68]. Wicker et al. [63] and [67] formulated the adversarial examples detection as a two-player stochastic game and used the Monte Carlo Tree Search to identify adversarial examples. Reuben [65] applied density estimates, and Bayesian uncertainty estimates to detect adversarial samples. Xu et al. [66] proposed a feature squeezing framework to detect adversarial examples, which are generated by seven state-of-the-art methods. According to [66], an advantage of feature squeezing is that it did not change the underlying model. Therefore, it can easily be integrated with other defenses methods. Metzen et al. [68] embedded DNNs with a subnetwork (called “detector”) to detect adversarial perturbations. The Deepsafe presented in [64] used clustering technology to find candidate-safe regions first and then verified whether the candidates were safe using counter-examples as a proof. Studies focusing on methods to mitigate impact of adversarial examples. Papemot et al. [69] adopted defen- sive distillation as a defense strategy to train DNN-based classifiers against adversarial examples. However, several powerful attacks have been proposed to defeat defensive distillation and have demonstrated that defensive distilla- tion does not actually eliminate adversarial examples [61]. Papemot et al. [70] revisited defensive distillation and proposed a more e ective way to defend against three recently discovered attack strategies, i.e., the Fast Gradient Method (FGM) [57], the Jacobian Saliency Map Approach (JSMA) [136], and the AdaDelta optimization strategy (AdaDelta) [61]. Studies focusing on increasing robustness of NNs through using adversarial examples. In studies [71] and [72], the authors proposed methods to leverage adversarial training (e.g., generating a large amount of adversarial examples and then training the NN not to be fooled by these adversarial examples) to increase the robustness of NNs. 4.2.2. CA2: Improving failure resilience of NNs Studies under this theme focused on improving the resilience of NNs, so that the NN-based CPSs are more tolerant of possible hardware and software failures. Studies [75, 77, 78] investigated error detection and mitigation mechanisms, while studies [76, 80] focused on understanding error propagation in DNN accelerators. Vialatte et al.[75] demonstrated that faulty computations can be addressed by increasing the size of NNs. Santos et al. [77] proposed an algorithm-based fault tolerance (ABFT) strategy to detect and correct radiation-induced errors. In [78], a binary classification algorithm based on temporal and stereo inconsistencies was applied to identify errors caused by single frame object detectors. Li et al. [76] developed a general-purpose GPU (GPGPU) fault injection tool [137] to investigate error propagation patterns in twelve GPGPU applications. Later, Li et al. revealed that the error resilience of DNN accelerators depends on “the data types, values, data reuse, and the types of layers in the design [80]”. Based on this finding, they devised guidelines for designing resilient DNN systems and proposed two DNN protection techniques, namely Symptom-based Error Detectors (SED) and Selective Latch Hardening (SLH) to mitigate soft errors that are typically caused by high-energy particles in hardware systems [138]. Mhamdi et al. explored error propagation mechanism in an NN [79], and they theoretically and empirically proved that the key parameters that can be used to estimate the robustness of an NN are: “Lipschitz coecient of the activation function, distribution of large synaptic weights, and depth of the network”. The study [81] characterized the faults propagation through an open-source autonomous vehicle control software (i.e., openpilot) to assess the failure resilience of the system. The Systems-Theoretic Process Analysis (STPA) [139] hazard analysis technique was used to guide fault injection. Existing work in [81] showed that STPA is suited for an in-depth identification of unsafe scenarios, and thus, the fault injection space was reduced. 12 Based on the diversified redundancy strategies, the study [82] developed diverse networks in the context of dif- ferent training data sets, di erent network parameters, and di erent classification mechanisms to strengthen the fault tolerance of the DNN architecture. Studies [73, 74] tried to improve computation eciency without compromising error resilience. Studies [73, 74] also predicted the error resilience of DNN accelerators to make reconfigurable NN accelerators. The study [73] demonstrated a more accurate neuron resilience assignment than the state-of-the-art techniques and provided the possibility of moving parts of the neuron computations to unreliable hardware at the given quality constraint. Zhang et al. [74] proposed a framework to increase eciency of computation by approximating the computation of certain less critical neurons. Daftry et al. [83] provided an interesting idea about “how to enable a robot to know when it does not know?” The idea of [83] is to utilize the resulting features of the controller, which are learned from a CNN to predict the failure of the controller, and then let the system self-evaluate and decide whether to execute or discard an action. 4.2.3. CA3: Measuring and ensuring test completeness The approaches and tools under this theme aim to ensure good coverage when testing NNs. The testing approaches include black-box testing (i.e., focusing on whether the tests cover all possible usage scenarios), white-box testing (i.e., focusing on whether the tests cover every neuron in the NN), and metamorphic testing, which focuses on both test case generation and result verification [140]. O’Kelly et al.[84] proposed methods to ensure good usage coverage through first making a formal Scenario De- scription Language (SDL) to create driving scenarios, and then translating the scenarios to a specification-guided automatic test generation tool named S-TALIRO to generate and run the tests. Raj et al. [87] proved the possibil- ity of speeding up the generation of new and interesting counterexamples by introducing fuzzing patterns obtained from an unrelated DNN on a di erent image database, although the proposed method provides no guarantee of test completeness. DeepXplore [85] first introduced neuron coverage as a testing metric for DNNs, and then used multiple di erent DNNs with similar functionality to identify erroneous corner cases. Compared to [85], DeepTest [86] and DLFuzz [90] aimed at maximizing the neuron coverage without requiring multiple DNNs. The study [86] employed meta- morphic relations to identify erroneous behaviors. The study [90] proposed a di erential fuzzing testing framework to generate adversarial inputs. However, methods proposed in [85, 86, 90] cannot guarantee the generation of test cases that can precisely reflect real-world cases (e.g., driving scenes in various weather conditions when taking a DNN-based autonomous driving system). DeepRoad [89] employed Generative Adversarial Network (GAN) based techniques and metamorphic testing to synthesize diverse real driving scenes, and to test inconsistent behaviors in DNN-based autonomous driving systems. In contrast to earlier works, DeepGauge [88] argued that the testing criteria for traditional software are no longer applicable for DNNs. Ma et al. [88] proposed neuron-level and layer-level coverage criteria for testing DNNs and for measuring the testing quality. 4.2.4. CA4: Assuring safety property of NN-based SCCPSs Formal verification can provide a mathematical proof that a system satisfies some desired safety properties (e.g., the system should always stay within some allowed region, namely a safe region). Formal verification usually presents NNs as models and then apply a model checker, such as Boolean satisfiability (SAT) solvers (e.g., Cha [141], SATO [142], GRASP [143]) to verify the safety property. Pulina et al. [93] developed NeVer (Neural networks Verifier), which solves Boolean combinations of linear arithmetic constraints, to verify safe regions of MLPs. Through adopting an abstraction-refinement mechanism, NeVer can verify real-world MLPs automatically. As an extended experiment analysis of results of [93], [91] compared the performance (e.g., competition-style and scalability) of state-of-the-art Satisfiability Modulo Theories (SMT) solvers [144], and demonstrated that scalability and fine-grained abstractions remain challenges for realistic size networks. The studies [92] and [98] verified the “feed-forward NNs with piece- wise linear activation functions” by encoding verification problems into solving a linear approximation exploring network behavior in a SMT solver. The next generation of collision avoidance systems for unmanned aircrafts (ACAS Xu) adopted DNNs to compress large score table [5]. Julian et al. [96] explored the performance of ACAS Xu by measuring a set of safety and performance metrics. A simulation in study [96] shows that the system based on DNNs performed as correctly as the original large score table but with better performance. Reluplex [98] had successfully been used to verify the safety 13 property of a DNN for the prototype of ACAS Xu. Although the outcomes of Reluplex [98] are limited to verifying the correctness of NNs with specific type of activation functions (i.e., ReLUs and max-pooling layers), the study sheds a light on which types of NN architectures are easier to verify, and thus paves the way for verifying real-world DNN-based controllers. The method proposed in studies [100] and [101] verified that Binarized Neural Networks (BNNs) are ecient and scalable to moderate-sized BNNs. Study [100] represented BNNs as boolean formulas, and then verified the robustness of BNNs against adversarial perturbations. In study [101], BNNs and their input-output specifications were transferred into equivalence hardware circuits. The equivalence hardware circuits consist of a BNN structure module and a BNN property module. The authors of [101] then applied a SAT solver to verify the properties (e.g., simultaneously classify an image as a priority road sign and as a stop sign with high confidence) of the BNN in order to identify the risk behavior of the BNN. When verifying a SCCS, one of the fundamental concerns is to make sure that the SCCS will never violate a safety property. An example of a safety property is that the system should never reach an unsafe region. The main ideas of studies under this sub-theme are to calculate the output reachable set of MLPs, such as in studies [95] and [97], or DNNs in study [94], to verify if unsafe regions will be reached. Xiang et al. [97] proposed a layer-by-layer approach to compute the output reachable set assisted by polyhedron computation tools. The safety verification of a ReLU MLP is turned into checking if a non-empty intersection exists between the output reachable set and the unsafe regions. In a later work of Xiang et al. [95], they introduced maximum sensitivity to perform a simulation-based reachable set estimation with few restrictions on the activation functions. By combining local search and linear programming problems, Dutta et al. [94] developed an output bound searching approach for DNNs with ReLU activation functions, which is implemented in a tool called SHERLOCK to check whether the unsafe region is reached. Study [99] focused on the safety verification of image classification decisions. In [99], Huang et al. employed discretization to enable a finite exhaustive search for adversarial misclassifications. If no misclassifications are found in all layers after the exhaustive search, the NN is regarded as safe. The idea of [102] was to formulate the formal verification of temporal logic properties of a CPS with Machine Learning (ML) components as the falsification problem (finding a counterexample that does not satisfy system spec- ification). The study [102] adopted an ML analyzer to abstract the feature space of ML components (which ap- proximately represents the ML classifiers). The identified misclassifying features are then used to drive the process of falsification. The introduction of the ML analyzer narrowed down the searching space for counterexamples and established a connection between the ML component and the rest of the system. Another direction to make sure the system will not violate safety properties is to use run-time monitoring. The study [103] envisioned an approach named WISEML, which combines reinforcement learning and run-time monitor- ing technique, to detect invariants violations. The purpose of this work was to create a safety envelope around the NN-based SCCPSs. 4.2.5. CA5: Improving interpretability of NNs NNs have proved to be e ective ways to generalize the relationship between inputs and outputs. As the models of NNs are learned from training data sets without human intervention, the relationship between the inputs and outputs of NNs is like a black box. Due to the black-box nature of NNs, it is dicult for people to understand and explain how an NN works. Studies under this theme focus on facilitating the understanding on how NNs generate outputs from inputs. Studies in this theme can be classified into the following three sub-themes, which can be overlapped. However, this can be a way to capture the di erent motivations for the interpretability of NNs. Studies focusing on understanding how a specific decision is made. This line of work mainly focuses on providing explanations for individual predictions (also defined as local interpretability). One study is called Local Interpretable Model-agnostic Explanations (LIME) [130]. LIME can approximate the original NN model locally to provide an explanation for a specific prediction of interest. The problem of LIME is that it assumes the local linearity of the classification boundary, which is not true for most complex NNs. The creators of LIME later extended their work by introducing high-precision rules (i.e., if-then rules), which they called anchors [105]. The study [131] developed an explanation system named LEMNA for security applications and Recurrent Neural Networks (RNNs). LEMNA can locally approximate a non-linear classification boundary and handle feature dependency problems and therefore is able to provide a high fidelity explanation. 14 In the case of an image classifier, it is also common to use gradient measurements to estimate the importance value of each pixel for the final classification. DeepLIFT [116], Integrated Gradients [106], and more recently, SmoothGrad [121] fall into this category. The study [122] proposed a unified framework, SHapley Additive exPlanations (SHAP), by integrating six existing methods (LIME [123], DeepLIFT [116], Layer-Wise Relevance Propagation, Shapley regression values, Shapley sampling values, and Quantitative Input Influence) to measure feature importance. Several approaches attempted to decompose the classification decision (output) into the contributions of individual components of an input based on specific local decomposition rules (i.e., Pixel-Wise decomposition [107, 117], and deep Taylor decomposition [109]). Szegedy et al. [104] investigated the semantic meaning of individual units and the stability of DNNs while small perturbations were added to the input. They pointed out that the individual neurons did not contain the semantic infor- mation, while the entire space of activations does. They also experimentally proved that the same small perturbation of input can cause di erent DNN models (e.g., trained with di erent hyperparameters) to generate wrong predictions. There are several methods for improving local explanations for NN models compared to the above-mentioned approaches. The study [114] argued that explanation approaches for NN models should provide sound theoretical support. Ross et al. [119] presented their idea as “Right for the right reasons,” which means that the output of NN models should be right with the right explanation. In Ross et al. [119], incorrect explanations for particular inputs can be identified, and NN models can be guided to learn alternate explanations. Both [114, 118] made e orts on real-time explanations since their approaches can generate accurate explanations quickly enough. Studies focusing on facilitating understanding of the internal logic of NNs. Studies in this sub-theme are also known as global interpretability. To help interpret how NN models work, model distillation is used in [123], [124], [125], and [127]. The initial intention of distillation was to reduce the computational cost. For example, Hinton et al. [125] distilled a collection of DNN models into a single model to facilitate deployment. The knowledge distilled from NN models has later been applied for interpretability. Some studies compressed information (e.g., decision rules) from deep learning models into transparent models such as decision trees [123, 132] and gradient boosting trees [124] to mimic the performance of models. Others tended to explain the inner mechanisms of NN models through analyzing the feature space. Study [127] distilled the relationship between input features and model predictions (outputs of the model) as a feature shape to evaluate the feature contribution to the model. Another attempt to produce global interpretability is to reveal the features learned by each neuron. For example, in [128], the authors leveraged deep generator networks to synthesized the input (i.e., image) that highly activates a neuron. Dong et al. [111] adopted an attentive encoder-decoder network to learn interpretable features, and then proposed an algorithm called prediction di erence maximization to interpret the features learned by each neuron. One interesting work [120] used an additional NN module that is fit for relational reasoning to reason the relations between the input and response of the NN models. There is also another promising line of work (e.g., [110], [115]) that combined local and global interpretability to explain NN models. Studies focusing on visualizing internal layers of NNs to help identify errors in NNs. In study[129], activities, such as the operation of the classifier and the function of intermesdiate feature layers within the CNN model, were visualized by using a multi-layered deconvolutional network (named DeconvNet). These visualizations are useful to interpret model problems. Unlike [129], which visually depicted neurons in a convolutional layer, the study [108] visualized neurons in a fully connected layer. Zhou et al. [113] proposed Class Activation Mapping (CAM) for CNNs to visualize the discriminative object parts on any given image. Fong and Vedaldi [112] highlighted the most respon- sible part of an image for a decision by perturbing meaningful images. DarkSight [126] combined the ideas of model distillation and visualization to visualize the prediction of an NN model. Thiagarajan et al. [133] built a TreeView rep- resentation via feature-space partitioning to interpret the prediction of an NN. Mahendran et al. [134] reconstructed semantic information (images) in each layer of CNNs by using information from the image representation. 4.3. RQ3. What are the limitations of current research with respect to testing and verifying NN-based SCCSs? Analyzing failure modes and how the system reacts to failures are crucial parts of the safety analysis, especially in safety-critical domains. When testing and verifying the safety of NN-based SCCPSs, we need to rethink how to perform failure mode and e ect analysis, how to analyze inter-dependencies between sub-systems of SCCPSs, and how to analyze the resilience of the system. We need to ensure that even if some of the system’s hardware or software do not behave as expected, the system can sense the risk, avoid the risk before the incident, and mitigate the risk 15 e ectively when an incident happens. Looking into T&V activities through software development, the ideal situation is that we would find appropriate T&V methods to verify whether the design and implementation are consistent with the requirements, construct complete test criteria and test oracle, and generate test data and test any objects (such as code modules, data structures) that are necessary for the correct development of software [145]. Unfortunately, the fact is that complete T&V is hard to guarantee. In order to investigate the gap between industry needs for T&V of NN-based SCCPS and state-of-the-art T&V methods, we performed a mapping of identified approaches to the relevant standard. 4.3.1. Mapping of reviewed approaches to the software safety lifecycles in IEC 61508 An increased interest in the application of NNs within safety-critical domains has encouraged research in the area of T&V of NN-based SCCSs. Research institutions and industry T&V practitioners are working on di erent aspects of this problem. However, we have not found strong connections between those potentially useful methods for T&V of NNs and relevant safety standards (such as IEC 61508 [46] and ISO 26262 [47]). We hereby adopt IEC 61508 [46] as a reference standard to execute the mapping analysis since ISO 26262 [47] is the adaptation of IEC 61508 [46]. We found that the major T&V activities listed in the software safety lifecycles of IEC 61508-3 (including evaluation of software architecture design, software module testing and integration, programmable electronics integration, and software verification) are still valid when conducting T&V for NN-based SCCSs. But for most of them, new techniques/measures for supporting the T&V of NN-based software are demanded. Therefore, we decided to employ safety integrity properties (which are explained in IEC 61508-3 Annex C and Annex F of IEC 61508-7) as indicators to justify to what extent these desirable properties have been achieved by the state-of-the-art methods for T&V of NN-based SCCSs. The detailed mapping information can be found in Table 5. Table 5: A mapping of reviewed approaches to IEC 61508 safety lifecycle Relevant primary Phase Property Remaining challenges studies Software Completeness None N/A architecture Correctness [96] CA4 Training process of NN-based algo- design rithm is time-consuming. [57, 59, 60, 62, 66], Freedom from in- CA1 ¶ Limited to specific model [68] - [72] trinsic faults classes, or tasks (e.g., image classi- fier), or small size NNs [59]; · Not immune to adversarial adaptation [66]; ¸ Lack of understanding on how system can be free from di erent kinds of attacks other than adversarial examples. Understand- [104] - [134] CA5 ¶ Limited to specific model ability classes, or tasks (e.g., image clas- sifier), or small size NN models [123]; · Not able to provide real-time explanations; ¸ Lack of evaluation method for the explanation of NNs. Verifiable and [84] CA3 ¶ Lack of integrated computer- testable design aided toolchains to support the ver- ification activities; · Limited to specific models, tasks or NN size. [92] CA4 ¶ Limited to specific NN archi- tectures (i.e., piece-wise linear ac- tivation functions), need better un- derstanding of NN architectures; · Trade-o between ecient verifica- tion and linear approximation of the NN behavior is not studied su- ciently. Category Table 5 – continued from the previous page Relevant primary Phase Property Remaining challenges studies Fault [74, 75, 79, 82, CA2 ¶ Decouple the fault tolerance from tolerance 83] the classification performance [75]; · Lack of studies on unexpected environmental failures. Defense against None N/A common cause failure Software module testing and Completeness [61, 72] CA1 Lack of comprehensive criteria to integration evaluate testing adequacy. [85] - [90] CA3 Low fidelity of testing cases com- pared with real-world cases [86]. [56, 58, 61, 63, 64] Correctness CA1 ¶ Vulnerable to the variation of ad- [65, 67] versarial examples; · Limited to specific NN model classes or tasks. [78] CA2 Insucient validation of input raw data. Repeatability [84, 85, 86] CA3 Testing cases generated by auto- mated tools may be biased. Precisely defined None N/A testing configura- tion Programm- able electronics integration Completeness None N/A (hardware and software) Correctness [73, 76, 77, 80] CA2 Insucient testing of hardware ac- celerator. Repeatability None N/A Precisely defined None N/A testing configura- tion Software Completeness [95, 97] CA4 ¶ Limited to specific NN models; verification · Lack of scalability. Correctness [81] CA2 ¶ Automatic generation of com- plete testing scenarios sets. [91, 93, 94, 98, 99] CA4 ¶ Scalability and computational [100] - [102] performance need to improve; · SMT encoding for large-scale NN model; ¸ Lack of model-agnostic verification methods; ¹ Automatic generation of feature space abstrac- tions [102]. Repeatability None N/A Precisely defined None N/A testing configura- tion In Table 5, we mapped existing T&V methods for NN-based SCCSs (column 3 and column 4) into relevant properties (column 2) of four major T&V phases (column 1) in the software safety lifecycles of IEC 61508-3. For column 5 in Table 5, we summarized the remaining challenges in testing and verifying NN-based SCCSs based on reviewed papers. The overviews of these remaining challenges can potentially inspire researchers to look for a focus in the future. Category 4.3.2. Limitations and suggestions for testing and verifying NN-based SCCSs In Table 5, we show the limitations and gaps of state-of-the-art T&V approaches for NN-based SCCSs. In this section, we will take two T&V phases (evaluation of software architecture design and software module testing and integration) as examples to provide detailed analysis of identified limitations and corresponding suggestions on the basis of required safety integrity properties. For the other two T&V phases (programmable electronics integration and software verification), only summaries of limitations and suggestions will be presented to avoid duplication. Evaluation of software architecture design. The top three properties that have been addressed are: simplicity and understandability (31 papers), freedom from intrinsic design faults (10 papers), and fault tolerance (5 papers). Cor- rectness with respect to software safety requirements specification (1 paper) and verifiable and testable design have drawn little attention (2 papers) for reviewed studies. There are two properties, i.e., completeness with respect to soft- ware safety requirements specification and Defense against common cause failure from external events, which have not been addressed in reviewed papers. Completeness with respect to software safety requirements specification No study contributes to the achieve- ment of completeness, which requires the architecture design to be able to address all the safety needs and constraints. The achievement of completeness depends on the achievement of other properties, such as fully understanding the behavior of NN models. The design and deployment of NN-based SCCSs are in its infancy stage. When NN-based SCCS design becomes more practical, more studies may address this topic. Correctness with respect to software safety requirements specification To achieve correctness, software ar- chitecture design needs to respond to the specified software safety requirements appropriately. Study [96] reported their successful design of a DNN-based compression algorithm for aircraft collision avoidance systems. Even though they demonstrated that the DNN-based algorithm preserves the required safety performance, the training process is still time-consuming. Freedom from intrinsic design faults Intrinsic design faults can be interpreted as failures derived from the design itself. State-of-the-art NNs have proved to be vulnerable to adversarial perturbations due to some intriguing properties of NNs [57]. Most of the studies in this category were aimed at understanding, detecting, and mitigating adversarial examples. Study [99] reported that their approach could generalize well on several state-of-the-art NNs to find adversarial examples successfully. However, the verification process of founded features is time-consuming, especially for larger images. In this sense, the scalability and computational performance of adversarial robustness are expected to be addressed in the future. In addition, adversarial robustness does not imply that the NN model is truly free from intrinsic design faults. How to assure freedom from interferences (e.g., signal-noise ratio degradation) other than adversarial perturbations is a research gap that needs to be filled. Understandability This property can be interpreted as the predictability of system behavior, even in erroneous and failure situations. In this category, studies focusing on providing explanations for individual prediction (e.g., [104]) and on visualizing internal layers of NN (e.g., [129, 130, 131]) are not meaningful for safety assurance. Stud- ies focusing on facilitating understanding of the internal logic of NNs (such as presenting NNs as decision trees [123]) could be a solution to improve the understandability of NN-based architecture design. However, this line of work is rare, and most methods are only applied to small-scale DNNs with image input, or specific NN models. Besides, assuming the explanation of NN is available, confirming the correctness of the explanation is still a challenge. Inter- pretability of NNs is undoubtedly a crucial need in safety-critical applications. Methods in this line should capable of explaining di erent types of sensor data (e.g., image, text, and point data) and both local and global decisions. Verifiable and testable design The evaluation metrics of verifiable and testable design may be derived from modularity, simplicity, provability, and so on. We observed that existing verifiable and testable designs are limited to specific NN architectures (e.g., [92]) or specific tasks (e.g., [84]). There is no standard procedure for determining which type of NNs will be easier to verify. Ehlers [92] argued that NNs that adopt piece-wise linear activation 18 functions are easier to verify, but their method still need to face the conflict between ecient verification and accuracy of linear approximation for the NN behavior. Fault tolerance Fault tolerance implies that the architecture design can assure the safe behavior of the software whenever internal or external errors occur. To achieve fault tolerance, features like failure detection and failure impact mitigation of both internal and external errors should be included in the design. Existing methods showed that unexpected environmental failures are hard to detect and mitigate. Besides, many of the proposed approaches in this category have not yet been evaluated in the real-world. Some studies formulated approximated computational models to represent real-world systems (e.g., [74]). The study [83] did not use any test oracle when executing system flight tests. Some studies used simulation models to verify the performance of the original NN (e.g., [75]). They are not able to prove the fidelity of the model compared with the real-world system. Defense against common cause failure from external events Software common cause failure is a type of concurrent failure of two or more modules in the software, which is caused by software design defects and triggered by external events such as time, unexpected input data, or hardware abnormalities [146]. Many safety critical systems adopt redundant architectures (meaning two or more independent subsystems have identical functions to back-up each other) to prevent a single point of failure. However, redundant architectures are vulnerable considering common cause failure. In the context of NN-based SCCSs, it is common to employ multiple NNs with similar architectures in order to improve the accuracy of prediction. If a common cause failure occurs in this kind of software design, the prediction might be totally wrong, and thus the control software might make the wrong decision. DeepXplore, reported in [85], used more than two di erent DNNs with the same functionality to automatically generate a test case. If all the DNNs in DeepXplore are a ected by common cause failure, such as if a sensor failure causes all the DNNs to make the same misclassification, then it will not be able to generate the corresponding test case. No method is found in reviewed papers that can identify common cause failure modes and defend against such failures. In order to e ectively defend against common cause failure, designers need to inspect the completeness and correctness of the safety requirements specification, trace the implementation of the safety requirements specification, and make a thorough T&V plan to reveal the common cause failure modes in the early stage. Software module testing and integration. The top two properties that have been addressed are: completeness of testing and integration with respect to the design specifications (9 papers) and correctness of testing and integration with respect to the design specifications (8 papers). Repeatability has drawn little attention (3 papers) from the reviewed studies. There is one property, precisely defined testing configuration, which has not been addressed in the reviewed papers. This property aims to evaluate the precision of T&V procedures, which is not in the scope of our selected papers. Therefore, we will not give more explanation on this property. Completeness of testing and integration with respect to the design specifications We observed some e orts that tried to find a systematic way to generate testing cases (e.g., [86, 89]) to measure testing quality (e.g., [88]) or to connect di erent T&V stages in the development of SCCSs (e.g., [147]). As analyzed in Section 4.2, we can infer that an NN-based control software is instinctually di erent in design workflow and software development compared to the design of traditional control software. We suggest that the testing criteria should thoroughly align with the software design. To be more specific, the instinctive features of NN-based softwares (e.g., NN model’s architectural details and the working mechanism of NNs) should be carefully considered when setting the testing criteria. That is testing criteria should be defined comprehensively and explicitly under the consideration of not only test case coverage but also the robustness of NN-based system performance (for instance, test how an NN will respond when input data change slightly) and the features of training data sets, such as the data density issue mentioned in [148]. Correctness of testing and integration with respect to the design specifications Several studies (e.g., [56, 63, 64]) reported that their methods are vulnerable to the variation of adversarial examples. Another common limitation is that most methods are model-specific, meaning that they can only apply to a single type or class of NN model. To achieve correctness of testing and integration, the module testing task should be completed, which means the testing 19 should cover both NN models and external input. However, few studies focused on the validation of input data. One study [78] identified that sucient validation of input raw data remains a challenge. Repeatability The complexity and un-interpretable feature of NNs make manual testing almost infeasible. In order to be able to generate consistent results from testing repeatedly, some studies were dedicated to achieving automatic test execution or even automatic test generation. We found three papers (i.e., [84, 85, 86]) addressing automatic test generation. However, generating test cases automatically is still a challenge. For instance, studies [85, 86] claimed that the test cases generated by an automated testing tool may not cover all real-world cases. Programmable electronics integration. The major limitation of this line of work is insucient testing for hardware accelerators. NN-based SCCPSs requires typically high-performance computing systems, such as Graphics Process- ing Units (GPUs). Some industry participants have provided specialized hardware accelerators to accelerate NN-based computations. For example, Google deployed a DNN accelerator (called Tensor Processing Unit) in its data centers for DNN applications [149]. NVIDIA introduced an automotive supercomputing platform named DRIVE PX 2 [35], which now has been used by over 370 companies and research institutions in the automotive industry [150]. However, little research e ort has been put into the T&V of the reliability of using hardware accelerators for NN applications. We found seven studies (i.e. [73, 74, 75, 77, 76, 78, 80]) addressing the evaluation of the error resilience of hard- ware accelerators. However, the testing is limited to specific type errors (e.g., radiation-induced soft errors, which are presented in [73, 77, 80]). The mitigation method proposed in [77] (called ABFT: Algorithm-Based Fault Tolerance) can only protect portions of the accelerator (e.g., sgemm kernels, which is one kind of matrix multiplication kernels). The study [78] identified errors made by single frame object detectors, but the result showed that the method is not capable of detecting all mistakes. The studies [73, 80] investigated the propagation characteristic of soft errors in the DNN system, but they used a DNN simulator instead of a real DNN accelerator for fault injection. Software verification. In general, there is a lack of a comprehensive and standardized framework for verifying the safety of NN-based SCCSs. Formal verification procedures are highly demanding. The common limitation of formal verification approaches is the scalability issues. Most proposed methods are limited to a specific NN structure and size (e.g., [92, 93, 98, 100, 101]). The study [93] reported that their approaches can only verify small-scale systems (i.e., the layer of NN is 3 and the maximum amount of input neurons is 64). One approach reported in [100] can verify medium size NNs. The verification of large-scale NNs is still a challenge. Another limitation is that proposed approaches are not robust to NN variations. For example, verification methods in studies [92, 98] are only adapted to specific network types and sizes. 5. Discussion In this section, we first discuss industry practices for T&V of NN-based SCCPSs. Then, we compare this SLR with related works. At the end of this section, we present the threats to the validity of our study. 5.1. Industry practice Our findings on the research questions (RQ1 to RQ3) mainly reflected the academic e orts addressing T&V of NN-based SCCPSs. NN-based applications have drawn a lot of attention from industry practitioners. Taking the automotive industry as an example, several car makers (e.g., GM, BMW, and Tesla) and some high technology companies (e.g., Waymo and Baidu) are leading the revolution in autonomous driving safety. 5.1.1. Safety of the intended functionality At the beginning of this year, ISO/PAS 21448:2019 [48] was published. It listed recommended methods for deriving verification and validation activities (See ISO/PAS 21448:2019 Table 4). In Table 6, we highlighted six of the recommended methods, which shared similar verification interests with existing academic e orts. 20 Table 6: Shared verification interests of ISO/PAS 21448 and academic e orts ISO/PAS 21448 Academic e orts Analysis of triggering events CA1: Assuring robustness of NNs Analysis of sensors design and their known potential limitations CA2: Improving failure resilience of NNs Analysis of environmental conditions and operational use cases CA3: Measuring and ensuring test completeness Analysis of boundary values CA4: Assuring safety property of NN-based SCCPSs Analysis of algorithms and their decision paths CA5: Improving interpretability of NNs Analysis of system architecture CA1-CA5 5.1.2. Safety reports In 2018, three companies (Waymo, General Motor, and Baidu Apollo) published their annual safety reports. As a pioneer in the development of self-driving cars, Waymo proposed the “Safety by Design” [151] approach, which entails the processes and techniques they used to face safety challenges of a level 4 autonomous car on the road. For the cybersecurity consideration, Waymo adopted Google’s security framework [152] as the foundation. Af- ter that, General Motor (GM) released their safety report [153] for Cruise AV (also level 4). GM’s safety process combined conventional system validation (such as vehicle performance tests, fault injection testing, intrusive test- ing, and simulation-based software validation) with SOTIF validation through iterative design. Baidu adopted the Responsibility-Sensitive Safety model [154] proposed by Mobileye [155] (an Intel company) to design the safety process for the Apollo Pilot for a passenger car (level 3). In addition, we noticed that Tesla started releasing quarterly safety data since October 2018 [156]. It seemed that Tesla has a completely di erent approach to self-driving cars than other companies. According to TESLA NEWS [157], AutoPilot will rely for its self-driving function on cameras, not on LIDAR; the AutoPilot software is trained online (which means that the NN keeps learning and evolving during operation). The Autopilots safety features are continuously evolved and enhanced through understanding real-world driving data from every Tesla. Referring to these safety reports of existing autonomous cars, we should be aware that when testing DNN-based control software (the core part of autonomous vehicles), black-box system level testing (by observing inputs and its corresponding outputs, e.g., closed course testing and real-world driving) is still the leading method. More systematic T&V criteria and approaches are needed for more complete and reliable testing results. 5.2. Comparison with related work 5.2.1. Verification and validation of NNs Taylor et al. [15] conducted a survey on the Verification and Validation (V&V) of NNs used in safety-critical domains in 2003. Study [15] is the closest work we found, although they did not adopt an SLR approach. Our study covered new studies from 2011-2018. The authors of [15] also made a classification of methods for the V&V of NNs. They grouped the methods into five traditional V&V technique categories, namely, automated testing and testing data generation methods, run-time monitoring, formal methods, cross validation, and visualization. In contrast to [15], our study adopted a thematic analysis approach [55] and identified five themes based on the research goals of the selected studies. We thought it was better to classify the proposed T&V methods of NNs based on their aims rather than on the traditional technique categories since many traditional V&V techniques are no longer e ective for verifying NNs in many cases. New methods and tools should be explored and developed without being limited by the traditional V&V categories. Another di erence is our study specialized more in the T&V of modern NNs, such as MLP and DNN, whereas the study [15] provided more in-depth analysis of V&V methodologies for NNs used in flight control system, such as Pre-Trained Neural Network (PTNN) and Online Learning Neural Network (OLNN). Our study and [15] have some common findings. For example, one category, named Visualization in [15], falls into our category CA5 Improving interpretability of NNs. 5.2.2. Surveys of security, safety, and productivity for Deep Learning (DL) systems development Hains et al. [16] surveyed existing work on “attacks against DL systems; testing, training, and monitoring DL systems for safety; and the verification of DL systems.” Our study and [16] shared a similar motivation. The critical di erence between our SLR and [16] are threefold: 1) We conducted our literature review on 83 selected papers based 21 on specific SLR guidelines, while they used an ad hoc literature review (ALR) approach and reviewed only 21 primary papers. 2) They only focused on DL systems, whereas our scope covered modern NN-based software systems, which embodies DL-based software systems. 3) They inferred that formal methods and automation verification are the two promising research directions based on the reviewed works. In contrast, we focused more on safety issues, and found more categories to be addressed for safety purposes. 5.2.3. Surveys of certification of AI technologies in automotive Falcini et al. [17, 18] reviewed the existing standards in the automotive industry and pointed out the related applicability issues of automotive software development standards to deep learning. Although our SLR takes the automotive industry as an example, we are concerned with SCCPSs in general. This concern is reflected in the distribution of the selected papers (only 13 of the 83 selected papers are oriented to automotive CPSs). 5.2.4. SLR of Explainable Artificial Intelligence (XAI) There are two very recent SLRs, [158] and [159], on the interpretation of artificial intelligence. Both [158] and [159] employed similar commonly accepted guidelines to conduct their SLRs. The fundamental di erence between our study and [159, 158] is the scope. [158] reviewed 381 papers on existing XAI approaches from interdisciplinary perspectives. As reported in [159], the scope of their SLR is visualization and visual analytics for deep learning. The study [159] focused on studies that adopted visual analytics to explain NN decisions. Our study has a more comprehensive coverage of T&V approaches that were employed to not only interpret NN behaviors but also to assure the robustness of NNs, to improve the failure resilience of NNs, to ensure test completeness, and to assure the safety property of NN-based SCCPSs. In a summary, our SLR tried to provide an overview of key aspects related to T&V activities for NN-based SCCSs. 5.3. Threats to validity In this section, we discuss some threats to the validity of our study. 5.3.1. Search strategy The most possible threat in this step is missing or excluding relevant papers. To mitigate this threat, we used six of the most relevant digital libraries to retrieve papers. Additionally, we employed two strategies to mitigate potential limitations in the search terms: 1) adopted an PIOC criteria to ensure the coverage of search terms; and 2) improved search terms iteratively. Further, we conducted an extensive snowballing process on references of the selected papers to identify related papers. The search keywords were cross-checked and agreed on by both authors. 5.3.2. Study selection Researchers’ subjective judgment could be a threat to the study selection. We strictly followed the pre-defined review protocol to mitigate this threat. For example, we started recording the inclusion and exclusion reasons from the 3rd stage. We validated the inclusion and exclusion criteria with two authors on the basis of the pilot search. Furthermore, the second author performed a cross-check of all selected papers. Any paper that raised doubts about its inclusion or exclusion decision was discussed between the first and second authors. For example, the “smart grid” is included in the search term, but no relevant papers were found after the 3rd stage. Then, we conducted a snowballing search to identify papers that presented how to use NNs in smart grids. We found out that AI is mainly used to solve the economically relevant problems [160] of the smart grid system (e.g., prediction of energy usage and ecient use of resources). AI is not involved in the safety-critical applications (e.g., decision making on optimal provision of power) of smart grids. Therefore, there were no relevant papers addressing safety analysis or testing/verification (refer to Inclusion criteria I2). 5.3.3. Data extraction The first author was responsible for designing the data extraction form and conducting the data extraction from selected papers. In order to avoid the first author’s bias in data extraction, the two authors continuously discussed the data extraction issues. The extracted data were verified by the second author. 22 5.3.4. Data synthesis Data analysis outcomes could vary with di erent researchers. To reduce the subjective impact on data synthesis, besides strictly following the thematic synthesis steps [55], the data synthesis was first agreed on by both authors. We disseminated our preliminary findings to two internal research groups at our university (i.e., the autonomous vehicle lab and autonomous ships lab) and presented at a Ph.D. seminar on IoT, Machine Learning, Security, and Privacy for comments and feedback. In summary, the audiences agreed with our research design and results, and they thought that the mapping of reviewed approaches to the IEC61508 is a valuable attempt. Several researchers working in formal verification and safety verification thought that safety cases would be a promising direction to address the challenges of T&V of NN-based SCCSs. One suggestion is adding information about self-driving car simulators. Based on these comments and feedback, we revised our paper accordingly. 6. Conclusion and future work In this paper, we have presented the results of a Systematic Literature Review (SLR) of existing approaches and practices on T&V methods for neural-network-based safety critical control software (NN-based SCCS). The motivation of this study was to provide an overview of the state-of-the-art T&V of safety-critical NN-based SCCSs and to shed some light on potential research directions. Based on pre-defined inclusion and exclusion criteria, we selected 83 papers that were published between 2011 and 2018. A systematic analysis and synthesis of the data extracted from the papers and comprehensive reviews of industry practices (e.g., technical reports, standards, and white papers) related to our RQs were performed. Results of the study show that: 1. The research on T&V of NN-based SCCSs is gaining interest and attention from both software engineering and safety engineering researchers/practitioners according to the impressive upward trend in the number of papers on T&V of NN-based SCCSs (See Fig. 5). Most of the reviewed papers (68/83, 81.9%) have been published in the last three years. 2. The approaches and tools reported for the T&V of NN-based control software have been applied to a wide variety of safety-critical domains, among which automotive CPSs has received the most attention. 3. The approaches can be classified into five high-order themes, namely, assuring robustness of NNs, improving failure resilience of NNs, measuring and ensuring test completeness, assuring safety properties of NN-based SCCPSs, and improving interpretability of NNs. 4. The activities listed in the software safety lifecycles of IEC 61508-3 are still valid when conducting safety verification for NN-based control software. However, most of the activities need new techniques/measures to deal with the new characteristics of NNs. 5. Four safety integrity properties within the four major safety lifecycle phases, namely, correctness, completeness, freedom from intrinsic faults, and fault tolerance, have drawn the most attention from the research community. Little e ort has been put on achieving repeatability. No reviewed study focused on precisely defined testing configuration and defense against common cause failure, which are extremely crucial for assuring the safety of a production-ready NN-based SCCS [161]. 6. It is common to combine standard testing techniques with formal verification when testing and verifying large- scale, complex safety-critical software [15, 145]. As explained in section 4.3, we found that an increasing concern of the reviewed works is the integration of di erent T&V techniques in a systematic manner to gain assurance for the whole lifecycle of the NN-based control software. This SLR is just a starting point in our studies to test and verify NN-based SCCPSs. In the future, we will focus on improving the interpretability of NNs. To be more specific, we plan to develop a method for explaining why an NN model is more (or less) robust than other models. It can guide software designers to design an NN model with an appropriate robustness level, which will greatly support safety by design. Acknowledgments The authors would like to thank Weifeng Liu for commenting on and improving this paper. This work is supported by the Safety, autonomy, remote control and operations of industrial transport systems (SAREPTA) project, which is 23 financed by the Norwegian Research Council with Grant No. 267860. This work is also supported by the Management of safety and security risks for cyber-physical systems project, which is financed by the Norwegian University of Science and Technology and the Technical University of Denmark. References [1] R. Rajkumar, I. Lee, L. Sha, J. Stankovic, Cyber-physical systems: the next computing revolution, in: Design Automation Conference (DAC), 2010 47th ACM/IEEE, IEEE, pp. 731–736. [2] B. K. Bose, Neural network applications in power electronics and motor drivesan introduction and perspective, IEEE Transactions on Industrial Electronics 54 (2007) 14–33. [3] P. Ongsulee, Artificial intelligence, machine learning and deep learning, in: ICT and Knowledge Engineering (ICT&KE), 2017 15th International Conference on, pp. 1–6. [4] M. Bojarski, D. Del Testa, D. Dworakowski, B. Firner, B. Flepp, P. Goyal, L. D. Jackel, M. Monfort, U. Muller, J. Zhang, et al., End to end learning for self-driving cars, arXiv preprint arXiv:1604.07316 (2016). [5] K. D. Julian, J. Lopez, J. S. Brush, M. P. Owen, M. J. Kochenderfer, Policy compression for aircraft collision avoidance systems, in: Digital Avionics Systems Conference (DASC), 2016 IEEE/AIAA 35th, IEEE, pp. 1–10. [6] S. Levin, J. C. Wong, Self-driving uber kills arizona woman in first fatal crash involving pedestrian, https://www.theguardian.com/ technology/2018/mar/19/uber-self-driving-car-kills-woman-arizona-tempe, 2018. Accessed: 2018-07-27. [7] D. Yadron, D. Tynan, Tesla driver dies in first fatal crash while using autopilot mode, https://www.theguardian.com/technology/ 2016/jun/30/tesla-autopilot-death-self-driving-car-elon-musk, 2016. Accessed: 2018-07-27. [8] D. Lee, Google self-driving car hits a bus, https://www.bbc.com/news/technology-35692845, 2016. Accessed:18-12-2018. [9] Valasek, Chris, Miller, Charlie, Who’s behind the wheel? exposing the vulnerabilities and risks of high tech vehicles, https://trid.trb. org/view/1370158, 2015. Accessed: 2018-07-27. [10] S. Kriaa, L. Pietre-Cambacedes, M. Bouissou, Y. Halgand, A survey of approaches combining safety and security for industrial control systems, Reliability Engineering & System Safety 139 (2015) 156–178. [11] T. Aven, A unified framework for risk and vulnerability analysis covering both safety and security, Reliability Engineering & System Safety 92 (2007) 745 – 754. [12] G. Stoneburner, Toward a unified security-safety model, Computer 39 (2006) 96–97. [13] T. Novak, A. Treytl, Functional safety and system security in automation systems - a life cycle model, in: 2008 IEEE International Conference on Emerging Technologies and Factory Automation, pp. 311–318. [14] P. Bieber, J.-P. Blanquart, G. Descargues, M. Dulucq, Y. Fourastier, E. Hazane, M. Julien, L. Leonardon, ´ G. Sarouille, Security and safety assurance for aerospace embedded systems, in: Proceedings of the 6th International Conference on Embedded Real Time Software and Systems, Toulouse, France, pp. 1–10. [15] B. J. Taylor, M. A. Darrah, C. D. Moats, Verification and validation of neural networks: a sampling of research in progress, in: Intelligent Computing: Theory and Applications, volume 5103, International Society for Optics and Photonics, pp. 8–17. [16] G. Hains, A. Jakobsson, Y. Khmelevsky, Towards formal methods and software engineering for deep learning: Security, safety and produc- tivity for dl systems development, in: Systems Conference (SysCon), 2018 Annual IEEE International, IEEE, pp. 1–5. [17] F. Falcini, G. Lami, Challenges in certification of autonomous driving systems, in: 2017 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), pp. 286–293. [18] F. Falcini, G. Lami, Deep learning in automotive: Challenges and opportunities, in: A. Mas, A. Mesquida, R. V. O’Connor, T. Rout, A. Dorling (Eds.), Software Process Improvement and Capability Determination, Springer International Publishing, 2017, pp. 279–288. [19] P. Van Wesel, A. E. Goodloe, Challenges in the Verification of Reinforcement Learning Algorithms, Technical Report, 2017. https: //ntrs.nasa.gov/search.jsp?R=20170007190. [20] B. Kitchenham, S. Charters, Guidelines for performing systematic literature reviews in software engineering, 2007. [21] E. Lee, The past, present and future of cyber-physical systems: A focus on models, Sensors 15 (2015) 4837–4869. [22] A. Humayed, J. Lin, F. Li, B. Luo, Cyber-physical systems security - a survey, IEEE Internet of Things Journal 4 (2017) 1802–1831. [23] E. R. Gri or, C. Greer, D. A. Wollman, M. J. Burns, Framework for Cyber-Physical Systems: Volume 1, Overview, Technical Report, 2017. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-201.pdf. [24] W. S. McCulloch, W. Pitts, A logical calculus of the ideas immanent in nervous activity, The bulletin of mathematical biophysics 5 (1943) 115–133. [25] F. Rosenblatt, The perceptron: a probabilistic model for information storage and organization in the brain., Psychological review 65 (1958) [26] G. Katz, C. Barrett, D. L. Dill, K. Julian, M. J. Kochenderfer, Reluplex: An ecient smt solver for verifying deep neural networks, in: International Conference on Computer Aided Verification, Springer, pp. 97–117. [27] R. Kruse, C. Borgelt, F. Klawonn, C. Moewes, M. Steinbrecher, P. Held, Multi-layer perceptrons, in: Computational Intelligence, Springer, 2013, pp. 47–81. [28] Y. LeCun, Y. Bengio, G. Hinton, Deep learning, nature 521 (2015) 436. [29] Y. LeCun, L. Bottou, Y. Bengio, P. Ha ner, et al., Gradient-based learning applied to document recognition, Proceedings of the IEEE 86 (1998) 2278–2324. [30] M. van Gerven, S. Bohte, Artificial neural networks as models of neural information processing, Frontiers Media SA, 2018. [31] D. M. Rodvold, A software development process model for artificial neural networks in critical applications, in: IJCNN’99. International Joint Conference on Neural Networks. Proceedings (Cat. No.99CH36339), volume 5, pp. 3317–3322. [32] F. Falcini, G. Lami, A. M. Costanza, Deep learning in automotive software, IEEE Software 34 (2017) 56–63. [33] J. L. Heilbron, The Oxford companion to the history of modern science, Oxford University Press, 2003. 24 [34] SAE, J3016:Taxonomy and Definitions for Terms Related to On-Road Motor Vehicle Automated Driving Systems, Standard, 2014. [35] NVIDIA, Nvidia drive:scalable ai platform for autonomous driving, https://www.nvidia.com/en-us/self-driving-cars/drive- platform/, 2018. Accessed:18-12-2018. [36] J. C. Hoskins, D. M. Himmelblau, Process control via artificial neural networks and reinforcement learning, Computers & Chemical Engineering 16 (1992) 241–251. [37] T. P. Lillicrap, J. J. Hunt, A. Pritzel, N. Heess, T. Erez, Y. Tassa, D. Silver, D. Wierstra, Continuous control with deep reinforcement learning, arXiv preprint arXiv:1509.02971 (2015). [38] S. P. K. Spielberg, R. B. Gopaluni, P. D. Loewen, Deep reinforcement learning approaches for process control, in: 2017 6th International Symposium on Advanced Control of Industrial Processes (AdCONIP), pp. 201–206. [39] G. Zhabelova, V. Vyatkin, Multiagent smart grid automation architecture based on iec 61850/61499 intelligent logical nodes, IEEE Transactions on Industrial Electronics 59 (2012) 2351–2362. [40] B. K. Bose, Artificial intelligence techniques in smart grid and renewable energy systemssome example applications, Proceedings of the IEEE 105 (2017) 2262–2273. [41] G. Robertson, E. D. Lehmann, W. Sandham, D. Hamilton, Blood glucose prediction using artificial neural networks trained with the aida diabetes simulator: a proof-of-concept pilot study, Journal of Electrical and Computer Engineering 2011 (2011) 1–11. [42] M. K. Bothe, L. Dickens, K. Reichel, A. Tellmann, B. Ellger, M. Westphal, A. A. Faisal, The use of reinforcement learning algorithms to meet the challenges of an artificial pancreas, Expert review of medical devices 10 (2013) 661–673. [43] Medtronic, Medtronic initiates u.s. launch of world’s first hybrid closed loop system for type 1 diabetes, http://newsroom.medtronic. com/phoenix.zhtml?c=251324&p=irol-newsArticle&ID=2279529, 2017. Accessed: 2018-08-25. [44] K. Sennaar, Ai in medical devices three emerging industry applications, https://www.techemergence.com/ai-medical-devices- three-emerging-industry-applications/, 2018. Accessed: 2018-08-16. [45] H. Greenspan, B. Van Ginneken, R. M. Summers, Guest editorial deep learning in medical imaging: Overview and future promise of an exciting new technique, IEEE Transactions on Medical Imaging 35 (2016) 1153–1159. [46] IEC61508:2005, Functional safety of electrical/electronic/programmable electronic safety-related systems, Standard, International Elec- trotechnical Commission, 2005. [47] ISO 26262:2011, Road vehicles – Functional safety, Standard, International Organization for Standardization, 2011. [48] G. Griessnig, A. Schnellbach, Development of the 2nd edition of the iso26262, in: J. Stolfa, S. Stolfa, R. V. O’Connor, R. Messnarz (Eds.), Systems, Software and Services Process Improvement, Springer International Publishing, 2017, pp. 535–546. [49] Hansen, Standardization E orts on Autonomous Driving Safety Barely Under Way, Technical Report, 2017. [50] A. Dosovitskiy, G. Ros, F. Codevilla, A. Lopez, V. Koltun, Carla: An open urban driving simulator, arXiv preprint arXiv:1711.03938 (2017). [51] Udacity, An open source self-driving car, https://github.com/udacity/self-driving-car, 2016. Accessed:2018-12-19. [52] K. Petersen, S. Vakkalanka, L. Kuzniarz, Guidelines for conducting systematic mapping studies in software engineering: An update, Information and Software Technology 64 (2015) 1–18. [53] M. Shahin, M. A. Babar, L. Zhu, Continuous integration, delivery and deployment: a systematic review on approaches, tools, challenges and practices, IEEE Access 5 (2017) 3909–3943. [54] P. H. Nguyen, S. Ali, T. Yue, Model-based security engineering for cyber-physical systems: A systematic mapping study, Information and Software Technology 83 (2017) 116–135. [55] D. S. Cruzes, T. Dyba, Recommended steps for thematic synthesis in software engineering, in: 2011 International Symposium on Empirical Software Engineering and Measurement, pp. 275–284. [56] A. Nguyen, J. Yosinski, J. Clune, Deep neural networks are easily fooled: High confidence predictions for unrecognizable images, pp. 427–436. [57] I. J. Goodfellow, J. Shlens, C. Szegedy, Explaining and harnessing adversarial examples, arXiv preprint arXiv:1412.6572 (2014). [58] M. Melis, A. Demontis, B. Biggio, G. Brown, G. Fumera, F. Roli, Is deep learning safe for robot vision? adversarial examples against the icub humanoid, in: 2017 IEEE International Conference on Computer Vision Workshops (ICCVW), pp. 751–759. [59] O. Bastani, Y. Ioannou, L. Lampropoulos, D. Vytiniotis, A. Nori, A. Criminisi, Measuring neural net robustness with constraints, pp. 2613–2621. [60] M. Cisse, P. Bojanowski, E. Grave, Y. Dauphin, N. Usunier, Parseval networks: Improving robustness to adversarial examples, arXiv preprint arXiv:1704.08847 (2017). [61] N. Carlini, D. Wagner, Towards evaluating the robustness of neural networks, in: 2017 IEEE Symposium on Security and Privacy (SP), pp. 39–57. [62] S. Gu, L. Rigazio, Towards deep neural network architectures robust to adversarial examples, arXiv preprint arXiv:1412.5068 (2014). [63] M. Wu, M. Wicker, W. Ruan, X. Huang, M. Kwiatkowska, A game-based approximate verification of deep neural networks with provable guarantees, arXiv preprint arXiv:1807.03571 (2018). [64] D. Gopinath, G. Katz, C. S. Pasareanu, C. Barrett, Deepsafe: A data-driven approach for checking adversarial robustness in neural networks, arXiv preprint arXiv:1710.00486 (2017). [65] F. Reuben, R. R. Curtin, S. Saurabh, A. B. Gardner, Detecting adversarial samples from artifacts, arXiv preprint arXiv:1703.00410 (2017). [66] W. Xu, D. Evans, Y. Qi, Feature squeezing: Detecting adversarial examples in deep neural networks, arXiv preprint arXiv:1704.01155 (2017). [67] M. Wicker, X. Huang, M. Kwiatkowska, Feature-guided black-box safety testing of deep neural networks, volume 10805 LNCS, Springer Verlag, 2018, pp. 408–426. [68] J. H. Metzen, T. Genewein, V. Fischer, B. Bischo , On detecting adversarial perturbations, arXiv preprint arXiv:1702.04267 (2017). [69] N. Papernot, P. McDaniel, X. Wu, S. Jha, A. Swami, Distillation as a defense to adversarial perturbations against deep neural networks, arXiv preprint arXiv:1511.04508 (2015). [70] N. Papernot, P. McDaniel, Extending defensive distillation, arXiv preprint arXiv:1705.05264 (2017). 25 [71] S. Zheng, Y. Song, T. Leung, I. Goodfellow, Improving the robustness of deep neural networks via stability training, pp. 4480–4488. [72] U. Shaham, Y. Yamada, S. Negahban, Understanding adversarial training: Increasing local stability of neural nets through robust optimiza- tion, arXiv preprint arXiv:1511.05432 (2015). [73] C. Schorn, A. Guntoro, G. Ascheid, Accurate neuron resilience prediction for a flexible reliability management in neural network accelera- tors, in: 2018 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 979–984. [74] Q. Zhang, T. Wang, Y. Tian, F. Yuan, Q. Xu, Approxann: an approximate computing framework for artificial neural network, EDA Consortium, 2015, pp. 701–706. [75] J.-C. Vialatte, F. Leduc-Primeau, A study of deep learning robustness against computation failures, arXiv preprint arXiv:1704.05396 (2017). [76] G. Li, K. Pattabiraman, C.-Y. Cher, P. Bose, Understanding error propagation in gpgpu applications, IEEE, 2016, pp. 240–251. [77] F. F. d. Santos, L. Draghetti, L. Weigel, L. Carro, P. Navaux, P. Rech, Evaluation and mitigation of soft-errors in neural network-based object detection in three gpu architectures, in: 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), pp. 169–176. [78] S. R. Manikandasriram, C. Anderson, R. Vasudevan, M. Johnson-Roberson, Failing to learn: autonomously identifying perception failures for self-driving cars [arxiv], arXiv arXiv:1707.00051 (2017) 8 pp. [79] E. M. E. Mhamdi, R. Guerraoui, S. Rouault, On the robustness of a neural network, in: 2017 IEEE 36th Symposium on Reliable Distributed Systems (SRDS), pp. 84–93. [80] G. Li, S. K. S. Hari, M. Sullivan, T. Tsai, K. Pattabiraman, J. Emer, S. W. Keckler, Understanding error propagation in deep learning neural network (dnn) accelerators and applications, in: Proceedings of the International Conference for High Performance Computing, Networking, Storage and Analysis, ACM, p. 8. [81] A. H. M. Rubaiyat, Y. Qin, H. Alemzadeh, Experimental resilience assessment of an open-source driving agent, CoRR abs/1807.06172 (2018). [82] K. Rhazali, B. Lussier, W. Schn, S. Geronimi, Fault tolerant deep neural networks for detection of unrecognizable situations, IFAC- PapersOnLine 51 (2018) 31–37. [83] S. Daftry, S. Zeng, J. A. Bagnell, M. Hebert, Introspective perception: Learning to predict failures in vision systems, in: 2016 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS), pp. 1743–1750. [84] M. O’Kelly, H. Abbas, R. Mangharam, Computer-aided design for safe autonomous vehicles, in: Resilience Week (RWS) 2017, 2017 Resilience Week (RWS), IEEE, 2017, pp. 90–6. [85] K. Pei, Y. Cao, J. Yang, S. Jana, Deepxplore: Automated whitebox testing of deep learning systems, Association for Computing Machinery, Inc, 2017, pp. 1–18. [86] Y. Tian, K. Pei, S. Jana, B. Ray, Deeptest: Automated testing of deep-neural-network-driven autonomous cars, in: Proceedings of the 40th International Conference on Software Engineering, ICSE ’18, ACM, New York, NY, USA, 2018, pp. 303–314. [87] S. Raj, S. K. Jha, A. Ramanathan, L. L. Pullum, Work-in-progress: testing autonomous cyber-physical systems using fuzzing features from convolutional neural networks, in: 2017 International Conference on Embedded Software (EMSOFT), pp. 1–2. [88] L. Ma, F. Juefei-Xu, F. Zhang, J. Sun, M. Xue, B. Li, C. Chen, T. Su, L. Li, Y. Liu, J. Zhao, Y. Wang, Deepgauge: Multi-granularity testing criteria for deep learning systems, in: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, ACM, 2018, pp. 120–131. [89] M. Zhang, Y. Zhang, L. Zhang, C. Liu, S. Khurshid, Deeproad: Gan-based metamorphic testing and input validation framework for autonomous driving systems, in: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, ACM, pp. 132–142. [90] J. Guo, Y. Jiang, Y. Zhao, Q. Chen, J. Sun, Dlfuzz: di erential fuzzing testing of deep learning systems, in: Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ACM, pp. 739–743. [91] L. Pulina, A. Tacchella, Challenging smt solvers to verify neural networks, AI Communications 25 (2012) 117–135. [92] R. Ehlers, Formal verification of piece-wise linear feed-forward neural networks, Springer, 2017, pp. 269–286. [93] L. Pulina, A. Tacchella, N e v er: a tool for artificial neural networks verification, Annals of Mathematics and Artificial Intelligence 62 (2011) 403–425. [94] S. Dutta, S. Jha, S. Sanakaranarayanan, A. Tiwari, Output range analysis for deep neural networks, arXiv preprint arXiv:1709.09130 (2017). [95] W. Xiang, H. D. Tran, T. T. Johnson, Output reachable set estimation and verification for multilayer neural networks, IEEE Transactions on Neural Networks and Learning Systems (2018) 1–7. [96] K. D. Julian, J. Lopez, J. S. Brush, M. P. Owen, M. J. Kochenderfer, Policy compression for aircraft collision avoidance systems, IEEE, 2016, pp. 1–10. [97] W. Xiang, H.-D. Tran, T. T. Johnson, Reachable set computation and safety verification for neural networks with relu activations, arXiv preprint arXiv:1712.08163 (2017). [98] G. Katz, C. Barrett, D. L. Dill, K. Julian, M. J. Kochenderfer, Reluplex: An ecient smt solver for verifying deep neural networks, in: Computer Aided Verification. CAV 2017, Springer, 2017, pp. 97–117. [99] X. Huang, M. Kwiatkowska, S. Wang, M. Wu, Safety verification of deep neural networks, in: International Conference on Computer Aided Verification, Springer, pp. 3–29. [100] N. Narodytska, S. P. Kasiviswanathan, L. Ryzhyk, M. Sagiv, T. Walsh, Verifying properties of binarized deep neural networks, arXiv preprint arXiv:1709.06662 (2017). [101] C.-H. Cheng, G. Nhrenberg, H. Ruess, Verification of binarized neural networks, arXiv preprint arXiv:1710.03107 (2018). [102] T. Dreossi, A. Donz, S. A. Seshia, Compositional falsification of cyber-physical systems with machine learning components, NASA Formal Methods, Springer International Publishing, 2017, pp. 357–372. [103] P. Mallozzi, P. Pelliccione, C. Menghi, Keeping intelligence under control, in: Proceedings of the 1st International Workshop on Software Engineering for Cognitive Services, ACM, 2018, pp. 37–40. [104] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, R. Fergus, Intriguing properties of neural networks, arXiv preprint 26 arXiv:1312.6199 (2013). [105] M. T. Ribeiro, S. Singh, C. Guestrin, Anchors: High-precision model-agnostic explanations, in: Proceedings of the 32rd AAAI Conference on Artificial Intelligence. [106] M. Sundararajan, A. Taly, Q. Yan, Axiomatic attribution for deep networks, in: Proceedings of the 34th International Conference on Machine Learning-Volume 70, pp. 3319–3328. [107] S. Bach, A. Binder, K.-R. Mller, W. Samek, Controlling explanatory heatmap resolution and semantics via decomposition depth, in: 2016 IEEE International Conference on Image Processing (ICIP), pp. 2271–2275. [108] K. Simonyan, A. Vedaldi, A. Zisserman, Deep inside convolutional networks: Visualising image classification models and saliency maps, arXiv preprint arXiv:1312.6034 (2013). [109] G. Montavon, S. Lapuschkin, A. Binder, W. Samek, K.-R. Mller, Explaining nonlinear classification decisions with deep taylor decomposi- tion, Pattern Recognition 65 (2017) 211–222. [110] D. Linsley, D. Scheibler, S. Eberhardt, T. Serre, Global-and-local attention networks for visual recognition, arXiv preprint arXiv:1805.08819 (2018). [111] Y. Dong, H. Su, J. Zhu, B. Zhang, Improving interpretability of deep neural networks with semantic information, in: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 4306–4314. [112] R. C. Fong, A. Vedaldi, Interpretable explanations of black boxes by meaningful perturbation, in: Proceedings of the IEEE International Conference on Computer Vision, pp. 3429–3437. [113] B. Zhou, A. Khosla, A. Lapedriza, A. Oliva, A. Torralba, Learning deep features for discriminative localization, in: Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 2921–2929. [114] M. A. K.-R. M. Dumitru, E. B. K. S. D. Pieter, J. Kindermans, K. T. Schtt, Learning how to explain neural networks: Patternnet and patternattribution, in: Proceedings of the International Conference on Learning Representations (2018). [115] R. Guidotti, A. Monreale, S. Ruggieri, D. Pedreschi, F. Turini, F. Giannotti, Local rule-based explanations of black box decision systems, arXiv preprint arXiv:1805.10820 (2018). [116] A. Shrikumar, P. Greenside, A. Kundaje, Learning important features through propagating activation di erences, in: Proceedings of the 34th International Conference on Machine Learning-Volume 70, JMLR. org, pp. 3145–3153. [117] S. Bach, A. Binder, G. Montavon, F. Klauschen, K.-R. Mller, W. Samek, On pixel-wise explanations for non-linear classifier decisions by layer-wise relevance propagation, PLOS ONE 10 (2015) 1–46. [118] P. Dabkowski, Y. Gal, Real time image saliency for black box classifiers, in: Advances in Neural Information Processing Systems, pp. 6967–6976. [119] A. S. Ross, M. C. Hughes, F. Doshi-Velez, Right for the right reasons: Training di erentiable models by constraining their explanations, arXiv preprint arXiv:1703.03717 (2017). [120] A. Santoro, D. Raposo, D. G. Barrett, M. Malinowski, R. Pascanu, P. Battaglia, T. Lillicrap, A simple neural network module for relational reasoning, in: Advances in neural information processing systems, pp. 4967–4976. [121] D. Smilkov, N. Thorat, B. Kim, F. Vigas, M. Wattenberg, Smoothgrad: removing noise by adding noise, arXiv preprint arXiv:1706.03825 (2017). [122] S. M. Lundberg, S.-I. Lee, A unified approach to interpreting model predictions, in: Advances in Neural Information Processing Systems, pp. 4765–4774. [123] N. Frosst, G. Hinton, Distilling a neural network into a soft decision tree, arXiv preprint arXiv:1711.09784 (2017). [124] Z. Che, S. Purushotham, R. Khemani, Y. Liu, Distilling knowledge from deep networks with applications to healthcare domain, arXiv preprint arXiv:1512.03542 (2015). [125] G. Hinton, O. Vinyals, J. Dean, Distilling the knowledge in a neural network, arXiv preprint arXiv:1503.02531 (2015). [126] K. Xu, D. H. Park, C. Yi, C. Sutton, Interpreting deep classifier by visual distillation of dark knowledge, arXiv preprint arXiv:1803.04042 (2018). [127] S. Tan, R. Caruana, G. Hooker, P. Koch, A. Gordo, Learning global additive explanations for neural nets using model distillation, arXiv preprint arXiv:1801.08640 (2018). [128] A. Nguyen, A. Dosovitskiy, J. Yosinski, T. Brox, J. Clune, Synthesizing the preferred inputs for neurons in neural networks via deep generator networks, in: Advances in Neural Information Processing Systems, pp. 3387–3395. [129] M. D. Zeiler, R. Fergus, Visualizing and understanding convolutional networks, Springer, 2014, pp. 818–833. [130] M. T. Ribeiro, S. Singh, C. Guestrin, Why should i trust you?: Explaining the predictions of any classifier, ACM, 2016, pp. 1135–1144. [131] W. Guo, D. Mu, J. Xu, P. Su, G. Wang, X. Xing, Lemna: Explaining deep learning based security applications, in: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, ACM, pp. 364–379. [132] O. Bastani, C. Kim, H. Bastani, Interpretability via model extraction, arXiv preprint arXiv:1706.09773 (2017). [133] J. J. Thiagarajan, B. Kailkhura, P. Sattigeri, K. N. Ramamurthy, Treeview: Peeking into deep neural networks via feature-space partitioning, arXiv preprint arXiv:1611.07429 (2016). [134] A. Mahendran, A. Vedaldi, Understanding deep image representations by inverting them, in: Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 5188–5196. [135] J. Deng, W. Dong, R. Socher, L. Li, and, Imagenet: A large-scale hierarchical image database, in: 2009 IEEE Conference on Computer Vision and Pattern Recognition, pp. 248–255. [136] N. Papernot, P. McDaniel, S. Jha, M. Fredrikson, Z. B. Celik, A. Swami, The limitations of deep learning in adversarial settings, IEEE, 2016, pp. 372–387. [137] Q. Lu, M. Farahani, J. Wei, A. Thomas, K. Pattabiraman, Llfi: An intermediate code-level fault injection tool for hardware faults, in: 2015 IEEE International Conference on Software Quality, Reliability and Security, IEEE, pp. 11–16. [138] S. Borkar, Designing reliable systems from unreliable components: the challenges of transistor variability and degradation, IEEE Micro 25 (2005) 10–16. [139] N. Leveson, Engineering a safer world: Systems thinking applied to safety, MIT press, 2011. 27 [140] T. Y. Chen, F.-C. Kuo, H. Liu, P.-L. Poon, D. Towey, T. H. Tse, Z. Q. Zhou, Metamorphic testing: A review of challenges and opportunities, ACM Comput. Surv. 51 (2018) 4:1–4:27. [141] M. W. Moskewicz, C. F. Madigan, Y. Zhao, L. Zhang, S. Malik, Cha : Engineering an ecient sat solver, ACM, 2001, pp. 530–535. [142] H. Zhang, Sato: An ecient prepositional prover, in: International Conference on Automated Deduction, Springer, pp. 272–275. [143] J. P. Marques-Silva, K. A. Sakallah, Grasp: A search algorithm for propositional satisfiability, IEEE Transactions on Computers 48 (1999) 506–521. [144] C. Barrett, C. Tinelli, Satisfiability modulo theories, Springer, pp. 305–343. [145] W. R. Adrion, M. A. Branstad, J. C. Cherniavsky, Validation, verification, and testing of computer software, ACM Computing Surveys (CSUR) 14 (1982) 159–192. [146] Protecting Against Common Cause Failures in Digital I&C Systems of Nuclear Power Plants, number NP-T-1.5 in Nuclear Energy Series, International Atomic Energy Agency, Vienna, 2009. [147] H. J. Vishnukumar, B. Butting, C. Muller, E. Sax, Machine learning and deep neural network - artificial intelligence core for lab and real- world test and validation for adas and autonomous vehicles: Ai for ecient and quality test and validation, in: 2017 Intelligent Systems Conference, pp. 714–21. [148] R. Ashmore, M. Hill, boxing clever: Practical techniques for gaining insights into training data and monitoring distribution shift, in: International Conference on Computer Safety, Reliability, and Security, Springer, 2018, pp. 393–405. [149] N. Jouppi, Google supercharges machine learning tasks with tpu custom chip, https://cloud.google.com/blog/products/gcp/ google-supercharges-machine-learning-tasks-with-custom-chip, 2017. Accessed: 2018-08-25. [150] NVIDIA, Partner innovation:accelerating automotive breakthroughs, https://www.nvidia.com/en-us/self-driving-cars/ partners/, 2018. Accessed:2018-12-19. [151] WAYMO, Waymo Safety Report : On the Road to Fully Self-Driving, Technical Report, 2017. https://www.bbc.com/news/ technology-35692845. [152] GoogleCloud, Google Infrastructure Security Design Overview, Technical Report, 2017. https://cloud.google.com/security/ infrastructure/design/. [153] GM, Self-driving safety report, Technical Report, 2018. https://www.gm.com/our-stories/self-driving-cars.html. [154] S. Shalev-Shwartz, S. Shammah, A. Shashua, On a Formal Model of Safe and Scalable Self-driving Cars, arXiv e-prints (2017) arXiv:1708.06374. [155] Mobileye, Mobileye:sensing the future, https://www.mobileye.com/, 2018. Accessed:2018-12-19. [156] Tesla, Tesla vehicle safety report, https://www.tesla.com/VehicleSafetyReport, 2018. Accessed: 2019-11-01. [157] Tesla, Your tesla is learning to drive by itself, https://evannex.com/blogs/news, 2019. Accessed: 2019-11-01. [158] A. Adadi, M. Berrada, Peeking inside the black-box: A survey on explainable artificial intelligence (xai), IEEE Access 6 (2018) 52138– [159] F. M. Hohman, M. Kahng, R. Pienta, D. H. Chau, Visual analytics in deep learning: An interrogative survey for the next frontiers, IEEE Transactions on Visualization and Computer Graphics (2018) 1–1. [160] S. Khan, D. Paul, P. Momtahan, M. Aloqaily, Artificial intelligence framework for smart city microgrids: State of the art, challenges, and opportunities, Institute of Electrical and Electronics Engineers Inc., 2018, pp. 283–288. [161] A. Arpteg, B. Brinne, L. Crnkovic-Friis, J. Bosch, Software engineering challenges of deep learning, in: 2018 44th Euromicro Conference on Software Engineering and Advanced Applications (SEAA), pp. 50–59. [162] K. Scheibler, L. Winterer, R. Wimmer, B. Becker, Towards verification of artificial neural networks, pp. 30–40. [163] G. Katz, C. Barrett, D. L. Dill, K. Julian, M. J. Kochenderfer, Towards proving the adversarial robustness of deep neural networks, arXiv preprint arXiv:1709.02802 (2017). [164] L. Kuper, G. Katz, J. Gottschlich, K. Julian, C. Barrett, M. Kochenderfer, Toward scalable verification for safety-critical deep networks, arXiv preprint arXiv:1801.05950 (2018). 28 Appendix A. Selected studies (sorted based on publication year) S ID Author(s) Year Title Publication Venue [93] Pulina, L. and A. Tacchella 2011 NeVer: a tool for artificial neural networks verifica- Annals of Mathematics and Artifi- tion cial Intelligence [91] Pulina, L. and A. Tacchella 2012 Challenging SMT solvers to verify neural networks AI Communications [108] Simonyan, K., A. Vedaldi 2013 Deep inside convolutional networks: Visualising im- arXiv preprint and A. Zisserman age classification models and saliency maps [104] Szegedy, C., W. Zaremba, 2013 Intriguing properties of neural networks arXiv preprint I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow and R. Fergus [57] Goodfellow, I. J., J. Shlens 2014 Explaining and Harnessing Adversarial Examples International Conference on Learn- and C. Szegedy ing Representations (ICLR) [62] Gu, S. and L. Rigazio 2014 Towards deep neural network architectures robust to International Conference on Learn- adversarial examples ing Representations (ICLR) [129] Zeiler, M. D. and R. Fer- 2014 Visualizing and understanding convolutional net- European conference on computer gus works vision [74] Zhang, Q., T. Wang, Y. 2015 ApproxANN: an approximate computing framework Design, Automation & Test in Eu- Tian, F. Yuan and Q. Xu for artificial neural network rope Conference & Exhibition [124] Che, Z., S. Purushotham, 2015 Distilling knowledge from deep networks with appli- arXiv preprint R. Khemani and Y. Liu cations to healthcare domain [125] Hinton, G., O. Vinyals and 2015 Distilling the knowledge in a neural network arXiv preprint J. Dean [56] Nguyen, A., J. Yosinski 2015 Deep neural networks are easily fooled: High confi- IEEE Conference on Computer and J. Clune dence predictions for unrecognizable images Vision and Pattern Recognition (CVPR) [117] Bach, S., A. Binder, G. 2015 On pixel-wise explanations for non-linear classifier PloS one Montavon, F. Klauschen, decisions by layer-wise relevance propagation K.-R. Mller and W. Samek [162] Scheibler, K., L. Winterer, 2015 Towards Verification of Artificial Neural Networks Workshop on Methods and De- R. Wimmer and B. Becker scription Languages for Modeling and Verification of Circuits and Systems (MBMV) [72] Shaham, U., Y. Yamada 2015 Understanding adversarial training: Increasing local arXiv preprint and S. Negahban stability of neural nets through robust optimization [134] Mahendran, A. and A. 2015 Understanding deep image representations by invert- IEEE conference on computer vi- Vedaldi ing them sion and pattern recognition [107] Bach, S., A. Binder, K.-R. 2016 Controlling explanatory heatmap resolution and se- IEEE International Conference on Mller and W. Samek mantics via decomposition depth Image Processing (ICIP) [69] Papernot, N., P. McDaniel, 2016 Distillation as a defense to adversarial perturbations IEEE Symposium on Security & X. Wu, S. Jha and A. against deep neural networks Privacy Swami [71] Zheng, S., Y. Song, T. Le- 2016 Improving the robustness of deep neural networks via IEEE conference on computer vi- ung and I. Goodfellow stability training sion and pattern recognition [83] Daftry, S., S. Zeng, J. A. 2016 Introspective perception: Learning to predict failures IEEE/RSJ International Conference Bagnell and M. Hebert in vision systems on Intelligent Robots and Systems (IROS) [113] Zhou, B., A. Khosla, A. 2016 Learning deep features for discriminative localization IEEE conference on computer vi- Lapedriza, A. Oliva and A. sion and pattern recognition Torralba [59] Bastani, O., Y. Ioannou, L. 2016 Measuring neural net robustness with constraints Advances in neural information Lampropoulos, D. Vytini- processing systems otis, A. Nori and A. Crim- inisi [116] Shrikumar, A., P. Green- 2016 Not just a black box: Interpretable deep learning by arXiv Preprint side, A. Shcherbina and A. propagating activation di erences Kundaje [96] Julian, K. D., J. Lopez, J. 2016 Policy compression for aircraft collision avoidance IEEE/AIAA international confer- S. Brush, M. P. Owen and systems ence on Digital Avionics Systems M. J. Kochenderfer Conference (DASC) [128] Nguyen, A., A. Dosovit- 2016 Synthesizing the preferred inputs for neurons in neu- Advances in Neural Information skiy, J. Yosinski, T. Brox ral networks via deep generator networks Processing Systems and J. Clune 29 S ID Author(s) Year Title Publication Venue [133] Thiagarajan, J. J., B. 2016 TreeView: Peeking into deep neural networks via arXiv preprint Kailkhura, P. Sattigeri and feature-space partitioning K. N. Ramamurthy [76] Li, G., K. Pattabiraman, 2016 Understanding error propagation in GPGPU applica- International Conference on High C.-Y. Cher and P. Bose tions Performance Computing, Network- ing, Storage and Analysis [130] Ribeiro, M. T., S. Singh 2016 Why should i trust you?: Explaining the predictions ACM SIGKDD International Con- and C. Guestrin of any classifier ference on Knowledge Discovery and Data Mining [106] Sundararajan, M., A. Taly 2017 Axiomatic attribution for deep networks International Conference on Ma- and Q. Yan chine Learning [84] O’Kelly, M., H. Abbas and 2017 Computer-aided design for safe autonomous vehicles Resilience Week (RWS) R. Mangharam [102] Tommaso DreossiAlexan- 2017 Compositional Falsification of Cyber-Physical Sys- NASA Formal Methods dre DonzSanjit A. Seshia tems with Machine Learning Components [86] Tian, Y., K. Pei, S. Jana 2017 DeepTest: Automated testing of deep-neural- arXiv preprint and B. Ray network-driven autonomous cars [65] Reuben, F., R. R. Curtin, 2017 Detecting Adversarial Samples from Artifacts arXiv preprint S. Saurabh and A. B. Gardner [123] Frosst, N. and G. Hinton 2017 Distilling a Neural Network Into a Soft Decision Tree arXiv preprint [85] Pei, K., Y. Cao, J. Yang 2017 DeepXplore: Automated Whitebox Testing of Deep ACM Symposium on Operating and S. Jana Learning Systems Systems Principles (SOSP) [64] Gopinath, D., G. Katz, C. 2017 Deepsafe: A data-driven approach for checking ad- arXiv preprint S. Pasareanu and C. Bar- versarial robustness in neural networks rett [109] Montavon, G., S. La- 2017 Explaining nonlinear classification decisions with Pattern Recognition puschkin, A. Binder, W. deep Taylor decomposition Samek and K.-R. Mller [77] Santos, F. F. d., L. 2017 Evaluation and Mitigation of Soft-Errors in Neural IEEE/IFIP International Confer- Draghetti, L. Weigel, L. Network-Based Object Detection in Three GPU Ar- ence on Dependable Systems and Carro, P. Navaux and P. chitectures Networks Workshops (DSN-W) Rech [70] Papernot, N. and P. Mc- 2017 Extending defensive distillation arXiv preprint Daniel [92] Ehlers, R. 2017 Formal verification of piece-wise linear feed-forward International Symposium on Auto- neural networks mated Technology for Verification and Analysis [78] Manikandasriram, S. R., 2017 Failing to learn: autonomously identifying perception arXiv preprint C. Anderson, R. Vasude- failures for self-driving cars van and M. Johnson- Roberson [66] Xu, W., D. Evans and Y. Qi 2017 Feature squeezing: Detecting adversarial examples in Network and Distributed Systems deep neural networks Security Symposium (NDSS) [111] Dong, Y., H. Su, J. Zhu 2017 Improving interpretability of deep neural networks IEEE Conference on Computer Vi- and B. Zhang with semantic information sion and Pattern Recognition [132] Bastani, O., C. Kim and H. 2017 Interpretability via model extraction arXiv preprint Bastani [112] Fong, R. C. and A. Vedaldi 2017 Interpretable explanations of black boxes by mean- IEEE International Conference on ingful perturbation Computer Vision [58] Melis, M., A. Demontis, 2017 Is Deep Learning Safe for Robot Vision? Adversarial IEEE International Conference on B. Biggio, G. Brown, G. Examples Against the iCub Humanoid Computer Vision Workshops (IC- Fumera and F. Roli CVW) [147] Vishnukumar, H. J., B. 2017 Machine learning and deep neural network - artificial Intelligent Systems Conference (In- Butting, C. Muller and E. intelligence core for lab and real-world test and val- telliSys) Sax idation for ADAS and autonomous vehicles: AI for ecient and quality test and validation [79] Mhamdi, E. M. E., R. 2017 On the Robustness of a Neural Network IEEE Symposium on Reliable Dis- Guerraoui and S. Rouault tributed Systems (SRDS) [68] Metzen, J. H., T. Ge- 2017 On detecting adversarial perturbations International Conference on Learn- newein, V. Fischer and B. ing Representations (ICLR) Bischo 30 S ID Author(s) Year Title Publication Venue [94] Dutta, S., S. Jha, S. 2017 Output range analysis for deep neural networks arXiv preprint Sanakaranarayanan and A. Tiwari [60] Cisse, M., P. Bojanowski, 2017 Parseval networks: Improving robustness to adversar- arXiv preprint E. Grave, Y. Dauphin and ial examples N. Usunier [97] Xiang, W., H.-D. Tran and 2017 Reachable set computation and safety verification for arXiv preprint T. T. Johnson neural networks with ReLU activations [98] Katz, G., C. Barrett, D. L. 2017 Reluplex: An ecient SMT solver for verifying deep International Conference on Com- Dill, K. Julian and M. J. neural networks puter Aided Verification (CAV) Kochenderfer [118] Dabkowski, P. and Y. Gal 2017 Real time image saliency for black box classifiers Advances in Neural Information Processing Systems (NIPS) [119] Ross, A. S., M. C. Hughes 2017 Right for the right reasons: Training di erentiable arXiv preprint and F. Doshi-Velez models by constraining their explanations [75] Vialatte, J.-C. and F. 2017 A Study of Deep Learning Robustness Against Com- arXiv preprint Leduc-Primeau putation Failures [120] Santoro, A., D. Raposo, 2017 A simple neural network module for relational rea- Advances in Neural Information D. G. Barrett, M. Ma- soning Processing Systems (NIPS) linowski, R. Pascanu, P. Battaglia and T. Lillicrap [99] Huang, X. W., M. 2017 Safety Verification of Deep Neural Networks International Conference on Com- Kwiatkowska, S. Wang puter Aided Verification and M. Wu [121] Smilkov, Daniel and Tho- 2017 Smoothgrad: removing noise by adding noise arXiv preprint rat, Nikhil and Kim, Been and Vigas, Fernanda and Wattenberg, Martin [61] Carlini, N. and D. Wagner 2017 Towards Evaluating the Robustness of Neural Net- IEEE Symposium on Security and works Privacy (SP) [163] Katz, G., C. Barrett, D. L. 2017 Towards proving the adversarial robustness of deep arXiv Preprint Dill, K. Julian and M. J. neural networks Kochenderfer [80] Li, G., S. K. S. Hari, M. 2017 Understanding error propagation in deep learning International Conference for High Sullivan, T. Tsai, K. Pat- neural network (DNN) accelerators and applications Performance Computing, Network- tabiraman, J. Emer and S. ing, Storage and Analysis W. Keckler [122] Lundberg, S. M. and S.-I. 2017 A unified approach to interpreting model predictions Advances in Neural Information Lee Processing Systems (NIPS) [100] Narodytska, N., S. P. Ka- 2017 Verifying properties of binarized deep neural net- arXiv preprint siviswanathan, L. Ryzhyk, works M. Sagiv and T. Walsh [87] Raj, S., S. K. Jha, A. Ra- 2017 Work-in-progress: testing autonomous cyber- International Conference on Em- manathan and L. L. Pul- physical systems using fuzzing features from bedded Software (EMSOFT) lum convolutional neural networks [73] Schorn, C., A. Guntoro 2018 Accurate neuron resilience prediction for a flexible re- Design, Automation & Test in and G. Ascheid liability management in neural network accelerators Europe Conference & Exhibition (DATE) [105] Ribeiro, M. T., S. Singh 2018 Anchors: High-precision model-agnostic explana- AAAI Conference on Artificial In- and C. Guestrin tions telligence [88] Ma, L., F. Juefei-Xu, F. 2018 DeepGauge: multi-granularity testing criteria for ACM/IEEE International Confer- Zhang, J. Sun, M. Xue, B. deep learning systems ence on Automated Software Engi- Li, C. Chen, T. Su, L. Li neering and Y. Liu [89] Zhang, M., Y. Zhang, L. 2018 DeepRoad: GAN-based metamorphic testing and in- ACM/IEEE International Confer- Zhang, C. Liu and S. put validation framework for autonomous driving sys- ence on Automated Software Engi- Khurshid tems. neering [90] Guo, J., Y. Jiang, Y. Zhao, 2018 DLFuzz: di erential fuzzing testing of deep learning ACM Joint Meeting on European Q. Chen and J. Sun systems Software Engineering Conference and Symposium on the Foundations of Software Engineering [81] Rubaiyat, A. H. M., 2018 Experimental Resilience Assessment of An Open- arXiv preprint Q. Yongming and H. Source Driving Agent Alemzadeh 31 S ID Author(s) Year Title Publication Venue [82] Rhazali, K., B. Lussier, W. 2018 Fault Tolerant Deep Neural Networks for Detection IFAC-PapersOnLine Schn and S. Geronimi of Unrecognizable Situations [67] Wicker, M., X. Huang and 2018 Feature-guided black-box safety testing of deep neu- International Conference on Tools M. Kwiatkowska ral networks and Algorithms for the Construc- tion and Analysis of Systems (TACAS) [110] Linsley, D., D. Scheibler, 2018 Global-and-local attention networks for visual recog- arXiv preprint S. Eberhardt and T. Serre nition [63] Wu, M., M. Wicker, W. 2018 A Game-Based Approximate Verification of Deep arXiv preprint Ruan, X. Huang and M. Neural Networks with Provable Guarantees Kwiatkowska [126] Xu, K., D. H. Park, C. Yi 2018 Interpreting Deep Classifier by Visual Distillation of arXiv preprint and C. Sutton Dark Knowledge [103] Mallozzi, P., P. Pelliccione 2018 Keeping intelligence under control. International Workshop on Soft- and C. Menghi ware Engineering for Cognitive Services [115] Guidotti, R., A. Monreale, 2018 Local rule-based explanations of black box decision arXiv preprint S. Ruggieri, D. Pedreschi, systems F. Turini and F. Giannotti [131] Guo, W., D. Mu, J. Xu, P. 2018 LEMNA: Explaining Deep Learning based Security ACM SIGSAC Conference on Su, G. Wang and X. Xing Applications Computer and Communications Security [127] Tan, S., R. Caruana, G. 2018 Learning Global Additive Explanations for Neural arXiv preprint Hooker, P. Koch and A. Nets Using Model Distillation Gordo [114] Dumitru, M. A. K.-R. M., 2018 Learning how to explain neural networks: Patternnet International Conference on Learn- E. B. K. S. D. Pieter, and patternattribution ing Representations (ICLR) J. Kindermans and K. T. Schtt [95] Xiang, W., H. D. Tran and 2018 Output Reachable Set Estimation and Verification for IEEE Transactions on Neural Net- T. T. Johnson Multilayer Neural Networks works and Learning Systems [164] Kuper, L., G. Katz, J. 2018 Toward scalable verification for safety-critical deep arXiv preprint Gottschlich, K. Julian, C. networks Barrett and M. Kochender- fer [101] Cheng, C.-H., G. Nhren- 2018 Verification of binarized neural networks arXiv preprint berg and H. Ruess http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Electrical Engineering and Systems Science arXiv (Cornell University)

Testing and verification of neural-network-based safety-critical control software: A systematic literature review

Electrical Engineering and Systems Science , Volume 2019 (1910) – Oct 5, 2019

Loading next page...
 
/lp/arxiv-cornell-university/testing-and-verification-of-neural-network-based-safety-critical-qsQ7Oaxzw7
ISSN
0950-5849
eISSN
ARCH-3348
DOI
10.1016/j.infsof.2020.106296
Publisher site
See Article on Publisher Site

Abstract

Context: Neural Network (NN) algorithms have been successfully adopted in a number of Safety-Critical Cyber- Physical Systems (SCCPSs). Testing and Verification (T&V) of NN-based control software in safety-critical domains are gaining interest and attention from both software engineering and safety engineering researchers and practition- ers. Objective: With the increase in studies on the T&V of NN-based control software in safety-critical domains, it is important to systematically review the state-of-the-art T&V methodologies, to classify approaches and tools that are invented, and to identify challenges and gaps for future studies. Method: By searching the six most relevant digital libraries, we retrieved 950 papers on the T&V of NN-based Safety-Critical Control Software (SCCS). Then we filtered the papers based on the predefined inclusion and exclusion criteria and applied snowballing to identify new relevant papers. Results: To reach our result, we selected 83 primary papers published between 2011 and 2018, applied the thematic analysis approach for analyzing the data extracted from the selected papers, presented the classification of approaches, and identified challenges. Conclusion: The approaches were categorized into five high-order themes, namely, assuring robustness of NNs, improving the failure resilience of NNs, measuring and ensuring test completeness, assuring safety properties of NN- based control software, and improving the interpretability of NNs. From the industry perspective, improving the interpretability of NNs is a crucial need in safety-critical applications. We also investigated nine safety integrity prop- erties within four major safety lifecycle phases to investigate the achievement level of T&V goals in IEC 61508-3. Results show that correctness, completeness, freedom from intrinsic faults, and fault tolerance have drawn most atten- tion from the research community. However, little e ort has been invested in achieving repeatability, and no reviewed study focused on precisely defined testing configuration or defense against common cause failure. Keywords: Software testing and verification, Neural network, Safety-critical control software, Systematic literature review 1. Introduction Cyber-Physical Systems (CPSs) are systems involving networks of embedded systems and strong human-machine interactions [1]. Safety-critical CPSs (SCCPSs) are a type of CPSs that highlights the severe non-functional constraints (e.g., safety and dependability). The failure of SCCPSs could result in loss of life or significant damage (e.g., property and environmental damage). Typical applications of SCCPSs are in nuclear systems, aircraft flight control systems, automotive systems, smart grids, and healthcare systems. In the last few years, advances in Neural Networks (NNs) have boosted the development and deployment of SCCPSs. The NN is considered the most viable approach to meet the complexity requirements of Safety-Critical Corresponding author Email addresses: jin.zhang@ntnu.no (Jin Zhang), jingyue.li@ntnu.no (Jingyue Li) Accepted 6 March 2020 by Information and Software Technology arXiv:1910.06715v2 [cs.LG] 20 Mar 2020 Control Softwares (SCCSs) [2, 3]. In this study, we refer to NN-based SCCS as SCCS that heavily use NNs (e.g., to implement controller). For example, in the transportation industry, deep-learning-based NNs have been widely used to developing self-driving cars [4] and collision avoidance systems [5]. It is also worth noting that several safety incidents caused by autonomous vehicles have been presented in media, e.g., Uber car’s fatal incident [6], Tesla’s fatal Autopilot crash [7], and Google’s self-driving car crash [8]. In addition to the safety incidents caused by failures of the autonomous system, security breaches of autonomous vehicles can potentially lead to safety issues, e.g., a demo showed that autonomous vehicles can be remotely controlled and hijacked [9]. How can we ensure that an SCCS containing NN technology will behave correctly and consistently when system failures or malicious attacks occur? Increasing interest in the migration of Industrial Control Systems (ICSs) towards SCCPSs has encouraged research in the area of safety analysis of SCCPSs. Kriaa et al. [10] surveyed existing approaches for an integrated safety and security analysis of ICSs. The approaches cover both the design stage and the operational stage of the system lifecycle. Some approaches (such as [11, 12]) are aimed at combining safety and security techniques into a single methodology. Others (such as [13, 14]) are trying to align safety and security techniques. These approaches are either generic, which consider both safety and security at a very high level, or model-based, which build upon the formal or semi-formal representation of the system’s functions. There are many studies that focus on the T&V of NNs in the past decade. Several review articles [15, 16, 17, 18] on this topic have been published. Studies [15, 19] have reviewed methods focusing on verification and validation of NNs for aerospace systems. Studies [17, 18] are limited in automotive applications. None of these review articles have applied the Systematic Literature Review (SLR) [20] approach. Recently there has been more concern about Artificial Intelligence (AI) safety. The state-of-the-art advancements in the T&V of NN-based SCCS are increasingly important; hence, there is a need to have a thorough understanding of present studies to incentivize further discussion. This study aimed to summarize the current research on T&V methods for NN-based control software in SCCPSs. We have systematically identified and reviewed 83 papers focusing on the T&V of NN-based SCCSs and synthesized the data extracted from those papers to answer three research questions. RQ1 What are the profiles of the studies focusing on testing and verifying NN-based SCCSs? RQ2 What approaches and associated tools have been proposed to test and verify NN-based SCCSs? RQ3 What are the limitations of current studies with respect to testing and verifying NN-based SCCSs? To our best knowledge, our study is the first SLR on testing and verifying NN-based control software in SCCPSs. The results of these research questions can help researchers identify the research gaps in this area, and help industrial practitioners choose proper verification and certification methods. The main contributions of this work are: We made a classification of T&V approaches in both academia and industry for NN-based SCCSs. We identified and proposed challenges for advancing state-of-the-art T&V for NN-based SCCSs. The remainder of this paper is organized as follows: In section 2, we define terminologies related to NN-based SCCPSs and summarize related work from academia and industry. Section 3 describes the SLR process and the review protocol. The results of the research questions are reported in Section 4. Section 5 discusses the industry practice of T&V of NN-based SCCSs, and the threats to validity of our study. Section 6 concludes the study. 2. Background In this section, we first introduce terminology related to CPSs and modern NNs and show how NN algorithms have been used in SCCPSs. Then, we present the current state of practice of T&V of SCCSs. 2.1. Cyber-physical systems As defined in [1], “cyber-physical systems (CPSs) are physical and engineered systems whose operations are monitored, coordinated, controlled and integrated by a computing and communication core.” Several other systems, such as Internet of Things (IoTs) and ICSs have very similar features compared to CPSs, since they are all systems 2 used to monitor and control the physical world with embedded sensor and actuator networks. In general, CPSs are perceived as the new generation of embedded control systems, which can involve IoTs and ICSs [21, 22]. In this SLR, we adopted the CPS conceptual model in [23] as a high-level abstraction of CPSs to describe the di erent perspectives of CPSs and the potential interactions of devices and systems in a system of systems (SoS) as shown in Fig. 1. From the perspective of unit level, a CPS at least includes one or several controllers, many actuators, and sensors. A CPS can also be a system consisting of one or more cyber-physical devices. From the SoS perspective, a CPS is composed of multiple systems that include multiple devices. In general, a CPS must contain the decision flow (from controller to actuators), information flow (from sensors to controller), and action flow (actuators impacting the physical state of the physical world). System of Systems level System level Unit level (cyber-physical device) Human Controller Decision Information Actuator(s) Sensor(s) Action Physical state Figure 1: CPS conceptual model In the context of SCCPS, safety and performance are dependent on the system (to be more specific, the controller of the system) making the right decision according to the measurement of the sensors, and operating the actuators to take the right action at the right time. Thus, verification of the process of decision-making is vital for a SCCPS. 2.2. Modern neural networks The concept of neural network was first proposed in 1943 by Warren McCullough and Walter Pitts [24], and Frank Rosenblatt in 1957 designed the first trainable neural network called the Perceptron”[25]. A perceptron is a simple binary classification algorithm with only one layer and output decision of 0 or 1. By the 1980s, neural nets with more than one layer were proposed to solve more complex problems, i.e., multilayer perceptron (MLP). In this SLR, we regard multilayer NNs that emerged after the 1980s as modern NNs. Artificial Neural Network (ANN) is the general name of computing systems designed to mimic how the human brain processes information [26]. An ANN is composed of a collection of interconnected computation nodes (namely artificial neurons), which are organized in layers. Depending on the directions of the signal flow, an ANN can have feed-forward or feedback architectures. Fig. 2 shows a simplified feed-forward ANN architecture with multiple hidden layers. Each artificial neuron has weighted inputs, an activation function, and one output. The weights of the interconnections are adjusted based on the learning rules. There are three main models of learning rules, which are unsupervised learning, supervised learning, and reinforcement learning. The choice of learning rules corresponds to the particular learning task. The common activation functions contain sigmoid, hyperbolic tangent, radial bases function (RBF), and piece-wise linear transfer function, such as Rectified Linear Unit (ReLU) [27]. In a word, an 3 ANN can be defined by three factors: the interconnection structure between di erent layers, activation function type, and procedure for updating the weights. Input Hidden Output layer layer(s) layer …….. …….. …….. Figure 2: A simplified feed-forward ANN architecture Multi-Layer Perceptron (MLP [28]) represents a class of feed-forward ANN. An MLP consists of an input layer, one or several hidden layers, and an output layer. Each neuron of MLP in one layer is fully connected with every node in the following layer. An MLP employs a back-propagation technique (which belongs to supervised learning) for training. Convolutional Neural Network (CNN [29]) is a special type of multi-layer NN with one or more convolutional layers. A convolutional layer includes “several feature maps with di erent weight vectors. A sequential implementa- tion of a feature map would scan the input image with a single unit that has a local receptive field, and store the states of this unit at corresponding locations in the feature map. This operation is equivalent to a convolution, followed by an additive bias and squashing function, hence the name convolutional network”[29]. CNNs are superior for pro- cessing two-dimensional data (particular camera images) because of the convolution operations, which are capable of detecting features in images. CNNs are now widely applied to develop partially-autonomous and fully-autonomous vehicles. Deep Neural Networks (DNNs [30]) represent an ANN with multiple hidden layers between the input and output layers. DNNs (e.g., a MLP with more than three layers or a CNN) di er from shallow NNs (e.g., a three-layer MLP) in the number of layers, the activation functions that can be employed, and the arrangement of the hidden layer. Compared to shallow NNs, DNNs can be trained more in-depth to find patterns with high performance even for complex nonlinear relationships. An NN could be trained oine or online. An NN trained oine means it only learns during development. After training, the weights of the NN will be fixed and the NN will act deterministically. Therefore static verification meth- ods could be possible. In contrast, online training will allow the NN to keep learning and evolving during operation, which requires run-time verification methods. In some applications, such as the Intelligent Flight Control System developed by NASA [15], both oine and online training strategies are employed to meet the system requirements. NNs are fundamentally di erent with algorithmic programs, but a formal development methodology can still be derived for an NN system. Development process of an NN system can include six phases [31]: 1. Formulation of requirements and goals; 2. Selection of training and test data sets; 3. Selection of the NN architecture; 4. Training of the network; 5. Testing of the network; and 6. Acceptance and use by the customer. 4 Like [31], Falcini et al. introduced a similar development lifecycle for DNNs in automotive software [32] and proposed a W-model integrated data development with standard software development to highlight the importance of data-driven in DNN development. Falcini et al. [32] also summarized that the DNN’s functional behavior depends on both its architecture and its learning outcome through training. 2.3. The trends of using NN algorithm in SCCPSs From 1940s automated range finders (developed by Norbert Wiener for anti-aircraft guns) [33] to today’s self- driving cars, AI, especially NN algorithms, is widely applied in both civilian (e.g., autonomous cars) and military domains (e.g., military drones). Boosted by the advances of AI, state-of-the-art CPSs can plan and execute more and more complex operations with less human interaction. Here we present the applications of NNs in the following four representative SCCPSs. 2.3.1. Autonomous cars For automobile, the Society of Automotive Engineers (SAE) proposed six levels of autonomous driving [34]. A level 0 vehicle has no autonomous capabilities, and the human driver is responsible for all aspects of the driving task. For level 5 vehicle, the driving tasks are only managed by the autonomous driving system. When developing autonomous vehicles targeting a high level of autonomy, one industry trend is to use DNNs to implement vehicle control algorithms. The deep-learning-based approach enables vehicles to learn meaningful road features from raw input data automatically and then output driving actions. The so-called end-to-end learning approach can be applied to resolve complex real-world driving tasks. When using deep-learning-based approaches, the first step is to use a large number of training data sets (images or other sensor data) to train a DNN. Then a simulator is used to evaluate the performance of the trained network. After that, the DNN-based autonomous vehicle will be able to “execute recognition, prediction, and planning” driving tasks in diverse conditions [10]. Nowadays, CNNs are the most widely adopted deep-learning model for fully autonomous vehicles [5, 6, 7, 8]. NVIDIA introduced an AI supercomputer for autonomy [35]. The development flow using NVIDIA DRIVE PX includes four stages: 1) data acquisition to train the DNN, 2) deployment of the output of a DNN in a car, 3) autonomous application development, and 4) testing in-vehicle or with simulation. One essential characteristic of deep-learning-based autonomy is that the decision-making part of the vehicle is almost a black box. This means that in most cases, we as human drivers must trust the decisions made by the deep- learning algorithms without knowing exactly why and how the decisions are made. 2.3.2. Industrial control systems Industrial Control System (ICS) is the general term for control systems, also called Supervisory Control and Data Acquisition (SCADA) systems. ICSs make decisions based on the specific control law (such as lookup table and non-linear mathematical model) formulated by human designers. In contrast to the classical design procedure of control law, reinforcement-learning-based approaches learn the control law simply from the interaction between the controller and the process, and then incrementally improving control behavior. Such approaches and NNs have been used in process control two decades ago [36]. Concerning the recent progress in AI and the success of DNNs in making complex decisions, there are high expectations for the application of DNNs in ICSs. For instance, DNNs and reinforcement learning can be combined to develop continuous control [37]. Spielberg et al. extended the work in [37] to design control policy for process control [38]. Even though the proposed approach in [38] is only tested on linear systems, it shows a practical solution for applying DNNs in non-linear ICSs. 2.3.3. Smart grid systems The smart grid is designed as the next generation of electric power system, dependent on information communi- cations technology (ICT). There is tremendous initiative of research activities in automated smart grid applications, such as FLISR (which is a smart grid multi-agent automation architecture based on decentralized intelligent decision- making nodes) [39]. NNs have been considered for solving many pattern recognition and optimization problems, such as fault diagnosis [40], and control and estimation of flux, speed [2], and economical electricity distribution to consumers. MLP is one of the most commonly used topology in power electronics and motor drives [2]. 5 2.3.4. Healthcare Medical devices is another emerging area where research and industry practitioners are seeking to integrate AI technologies to improve accuracy and automation. ANNs and other machine learning approaches have been proposed to improve the control algorithms for diabetes treatment in recent decades [41, 42]. In 2017, an AI-powered device for automated and continuous delivery of basal insulin (named MiniMed 670G system [43]) was approved by the U.S. Food and Drug Administration. In the same year, it was reported that GE Healthcare had integrated the NVIDIA AI platform into their computerized tomography scanner to improve speed and accuracy for the detection of liver and kidney lesions [44]. Using deep learning solutions, such as CNNs, in the medical computing field has proven to be e ective since CNNs have excellent performance in object recognition and localization in medical images [45]. 2.4. Testing and verification of safety-critical control software IEC 61508 and ISO 26262 are two standards highly relevant to the T&V of SCCS. IEC 61508 is an international standard concerning Functional safety of electrical/electronic/programmable electronic safety-related systems. It de- fines four safety integrity levels (SILs) for safety-critical systems [46]. The higher the SIL level a SCCPS requires, the more time and e ort for verification are needed. In IEC 61508, formal methods are highly recommended tech- niques for verifying high SIL systems. Because formal methods can be used to construct the specification and provide a mathematical proof that the system matches some formal requirements, this is quite a strong commitment for the correctness of a system. ISO 26262, titled Road vehicles functional safety, is an international standard for the functional safety of electrical and/or electronic systems in production automobiles [47]. Besides using classical safety analysis methods such as Fault Tree Analysis (FTA) and Failure Mode and E ects Analysis (FMEA), ISO 26262 explicitly states that the production of a safety case is mandated to assure system safety. It defines a safety case as an argument that the safety requirements for an item are complete and satisfied by evidence compiled from work products of the safety activities during development [47]. The development of suitable approaches, which can verify the system behavior and misbehavior of a SCCPS is always challenging. Not to mention that the architecture of NNs (especially DNNs) makes it even harder to decipher how the algorithmic decisions were made. The current version of IEC 61508 is not applicable for the verification of NN-based SCCSs because AI technologies are not recommended there. The latest version of ISO 26262 and its extension, ISO/PAS 21448, which is also known as safety of the intended functionality (SOTIF) [48], will likely provide a way to handle the development of autonomous vehicles. However, SOTIF will only provide guidelines associated with SAE Level 0–2 autonomous vehicles [49], which are not ready for the verification of NN-based autonomous vehicles. In practice, in order to reduce test and validation costs, high-fidelity simulation is a commonly used approach in the automotive domain. The purpose of using a simulator is to predict the behavior of an autonomous car in a mimicked environment. NVIDIA and Apollo distributed their high-fidelity simulation platforms for testing autonomous vehicles. CARLA [50] and Udacity’s Self-Driving Car Simulator [51] are two popular open-source simulators for autonomous driving research and testing. 3. Research method We conducted our SLR by following the SLR guidelines in [20] as well as consulting other relevant guidelines in [52] and [53, 54]. Our review protocol consisted of four parts: 1) search strategy, 2) inclusion and exclusion criteria, 3) selection process, and 4) data extraction and synthesis. 3.1. Search strategy Based on guidelines provided in [20], we use the Population, Intervention, Outcome, Context (PIOC) criteria to formulate search terms. In this SLR, The population should be an application area (e.g., general CPS) or specific CPS (e.g., self-driving car). The intervention is methodology, tools and technology that address system/component testing or verification. 6  The outcome is the improved safety or functional safety of CPSs. The context is the NN-based SCCPSs in which the T&V take place. Fig. 3 shows the search terms formulated based on the PIOC criteria. We first used these search terms to run a series of trial searches and verify the relevance of the resulting papers. We then revised the search string to form the final search terms. The final search terms were composed of synonyms and related terms. Population: “Cyber-physical system*” or “Cyber physical TITLE-ABS-KEY(("Cyber-physical system*" or "Cyber-physical system*" or CPS* or "Smart grid" or "Smart car" or "Automotive system*” or CPS* or “Smart grid” or “Smart car” or “Automotive cyber-physical system*" or "Self-driving car*" or "Autonomous cyber-physical system*” or “Self-driving car*” or “Autonomous vehicle*" or "Autonomous driving system*" or "Automotive vehicle*” or “Autonomous driving system*” or “Automotive electronic control system*" or "Automotive embedded system*" or electronic control system*” or “Automotive embedded system*” "Unmanned Aerial Vehicles" or "aircraft collision avoidance Intervention: “Risk assessment” or “verification” or “test” or system*")AND(“Risk assessment” or “verification” or “test” or ”testing” or “analysis” or “Certification” or “assurance” ” t e s t i n g ” o r “ a n a l y s i s ” o r “ C e r t i f i c a t i o n ” o r Outcome: “Safety” or “Functional safety” “assurance”) AND ( “ S a f e t y ” o r “ F u n c t i o n a l safety”)AND(“Autonomous decision” or “Autonomous agent*” or Context: “Deep learning” or “Deep neural networks” or “Deep learning” or “Deep neural networks”) “Autonomous decision” or “Autonomous agent” Figure 3: Search terms We executed automated searches in six digital libraries, namely, Scopus, IEEE Xplore, Compendex EI, ACM Digital library, SpringerLink, and Web of Science (ISI). 3.2. Inclusion and exclusion criteria Table 1 presents our inclusion and exclusion criteria. We set three inclusion criteria to restrict the application domain, context, and outcome type. We excluded papers that were not peer-reviewed, such as keynotes, books, and dissertations, and papers not written in English. It should be clarified that, unlike most other SLR studies, we did not directly exclude short papers (less than six pages), work-in-progress papers, and pre-print papers. The reason is that this research area is far from mature, so many initial thoughts or in-progress papers are still valuable to review. Table 1: Inclusion and Exclusion criteria Inclusion criteria I1 The paper must have a context in SCCPSs, either in general or in a specific application domain I2 The paper must be aimed at testing/verification approaches for NN-based SCCSs I3 The paper must be aimed at modern neural networks Exclusion criteria E1 Papers not peer-reviewed E2 Not written in English E3 Full-text is not available E4 Not relevant to modern neural networks 3.3. Selection process We used the inclusion and exclusion criteria to filter the papers in the following steps. We covered papers from January 2011 to November 2018. Fig. 4 shows the whole search and filtering process. Stage 1: Ran the search string on the six digital libraries and retrieved 1046 papers. After removing those dupli- cated papers, we had 950 papers. Stage 2: Excluded studies by reading title and keywords. If it was not excluded simply by reading titles and keywords, the paper was kept for further investigation. At the end of this stage, we selected 254 papers. Stage 3: Further filtered the papers by reading abstracts and found 105 potential papers with high relevance to the research goal of our SLR. 7 Stage 1 Data Sources: Scopus, IEEE Xplore, Compendex Results=950 EI, ACM Digital library, SpringerLink, and Web of Science(ISI) Stage 2 Results=254 Apply inclusion and exclusion criteria by reading title and keywords Stage 3 Results=105 Apply inclusion and exclusion criteria by reading abstract Stage 4 Results=27 Apply inclusion and exclusion criteria by reading introduction and conclusion Stage 5 Results=83 Snowballing: Read full paper got in 4th stage and scan the reference Figure 4: Search process Stage 4: Read the introduction and conclusion to decide on selection. We recorded the reasons for exclusion for each excluded paper. We excluded the papers that were irrelevant, or whose full texts were not available. Furthermore, we critically examined the quality of primary studies to exclude those that lacked sucient information. We ended up with 27 papers. Stage 5: Read full text of the selected studies from the fourth stage, applied snowballing by scanning the reference of the selected papers. The snowballing process can be implemented in two directions: backwards (which means scanning the references of a selected paper and find any other relevant papers published before the selected paper), and forwards (which means checking if any other relevant paper was published after the selected paper and cited the selected paper). In our SLR, we adapted mainly backward snowballing to include additional papers. To limit the scope of the snowballing, we covered only references published between 2011 and 2018. From snowballing, we found 56 new relevant papers. Finally, we selected 83 papers as primary studies for detailed analysis. We listed all of the selected studies in Appendix A. The first author conducted the selection process with face-to-face discussions with the second author. The second author performed a cross-check of each step and read all the final selected papers to confirm the selection of the papers. 8 3.4. Data extraction and synthesis Data Extraction: We extracted two kinds of information from the selected papers. To answer RQ1, we extracted information for statistical analysis, e.g., publication year and research type. To answer RQ2 and RQ3, we collected information to identify key features (such as research goal, technique and tools, major contribution and limitation) of T&V approaches. Synthesis: We used descriptive statistics to analyze the data for answering RQ1. To answer RQ2 and RQ3, we analyzed the data using the qualitative analysis method by following the five steps of thematic analysis [55]: 1) extracting data, 2) coding data, 3) translating codes into themes, 4) creating a model of higher-order themes, and 5) assessing the trustworthiness of the synthesis. 4. Result 4.1. RQ1. What are the profiles of the studies focusing on testing and verifying NN-based SCCSs? Studies distributions: Fig. 5 shows the distribution of selected papers based on publication year and the types of work. There has been 68 papers (81.9%) published since 2016, indicating that researchers are paying more attention to the T&V of NN-based SCCSs. Conference was the most popular publication type with 48 papers (57.8%), followed by pre-print (25 papers, 30.1%), workshop (6 papers, 7.2%), and journal (4 papers, 4.8%). 2011 2012 2013 2014 2015 2016 2017 2018 Pre-print 0 0 2 0 3 0 13 7 Wo rk sh op 0 0 0 1 1 0 3 1 Journal 0 1 0 0 1 0 1 1 Conference 1 0 0 2 3 12 20 10 Conference Journal Wo rk sh op Pre-print Figure 5: Publication year and types of selected papers We also investigated the geographic distribution of the reviewed studies. It allowed us to identify which countries are leading the research in this domain. We considered a study to be conducted in one country if the aliation of at least one author is in that country. Moreover, the involvement of industry would be an indicator of industry’s interest in this domain. We classified the reviewed papers as industry if at least one author came from industry or the study used real-world industrial systems to test/verify the proposed approach. A paper would be categorized as academia if all authors came from academia. It shows that researchers based in the USA have been involved in the most primary studies for testing or verification of NN-based SCCSs with 56 publications, followed by the researchers based in Germany and the UK with 10 and 9 publications, respectively. It is worth noting that 47 of 83 (56.6%) publications have involvement from industry. Research types: We classified the selected papers based on the criteria proposed by Kai et al. [52] (See Table 2). According to Table 2, the research type of the paper is governed by rules (i.e., R1-R6). Each rule is a combination of Number of studies several conditions. The six research types (i.e., evaluation research, solution proposal, validation research, philosoph- ical papers, opinion papers, and experience papers) correspond to R1-R6, respectively. For example, both evaluation research (corresponding to R1) and validation research (corresponding to R4) must present empirical evaluation. The di erence between evaluation and validation research is that validation is not used in practice (e.g., experimental or simulation-based approaches), whereas evaluation studies should be conducted in a real-world context. Solution pro- posal means that it has to propose a new solution that may or may not be used in practice. We found that evaluation and validation research are the majority of the selected papers, corresponding to 31.3% (26 papers) and 61.4% (51 papers) of the selected papers, respectively. The low percentage of the solution proposal (6 papers) was not surprising because a majority of the reviewed papers presented and demonstrated their T&V approaches through academic and industrial case studies, simulation, and controlled experiments. The other three types of research papers (i.e., philo- sophical papers, opinion papers, and experience papers) do not exist in selected studies because we only included papers that aimed at testing/verification approaches (refer to inclusion criteria I2). Table 2: Research type classification (T = True, F = False, l = irrelevant or not applicable, R1R6 refer to rules). R1 R2 R3 R4 R5 R6 Conditions Used in practice T l T F F F Novel solution l T F l F F Empirical evaluation T F F T F F Conceptual framework l l l l T F Opinion about something F F F F F T Authors’ experience l l T l F F Decisions Evaluation research 3 l l l l l Solution proposal l 3 l l l l Validation research l l l 3 l l Philosophical papers l l l l 3 l Opinion papers l l l l l 3 Experience papers l l 3 l l l Note: Reprinted from [52],Copyright 2015 by the Elsevier. Application domains: We analyzed the application domain of selected studies to provide useful information for researchers and practitioners who are interested in the domain-specific aspects of the approaches. The results are shown in Table 3. We found that considerable e ort is now being put into using NN algorithms to accomplish control logic for general purpose (59 papers, 71.1%), automotive CPSs, such as autonomous vehicles (13 papers, 15.7), and autonomous aerial systems, such as airborne collision avoidance systems for unmanned aircrafts (5 papers, 6%). Table 3: Distribution of application domains of the selected studies Application domain No. of studies General SCCPSs 59 Automotive CPSs 13 Autonomous aerial systems 5 Robot system 5 Health care 1 4.2. RQ2. What approaches and associated tools have been proposed to test and verify NN-based SCCSs? As 4 of the 83 papers focused mainly on high-level ideas and concepts without presenting detailed approaches or tools, we did not include them to answer RQ2. For the remaining 79 out of 83 (95.2%) papers, we applied the thematic 10 analysis approach [55] and identified five high-order themes and some sub-themes. Some papers contain more than one themes. In order to balance the accuracy and the simplicity of categorization, we decided to assign each study only one category based on its major contribution. Table 4 presents the themes, sub-themes, and the corresponding papers. Fig. 6 compares the interests di erence of academia and industry for the five identified themes. Table 4: A classification of approaches to test and verify NN-based SCCSs Themes Sub-themes Papers # Understanding the characteristics and impacts of adver- [56],[57],[58],[59],[60], [61], [62] 17 sarial examples Assuring robustness of NNs Detect adversarial examples [63],[64], [65], [66], [67], [68] Mitigate impact of adversarial examples [69], [70] Improving robustness of NNs through using adversarial [71], [72] examples Improving failure resilience of NNs [73],[74],[75],[76],[77],[78],[79],[80],[81],[82],[83] 11 Measuring and ensuring test com- [84],[85],[86],[87],[88],[89],[90] 7 pleteness Assuring safety properties of NN- [91],[92],[93],[94],[95],[96],[97],[98],[99], 13 based CPSs [100],[101],[102],[103] [104],[105],[106],[107],[108],[109],[110],[111], Understand how a specific decision is made [112],[113],[114],[115],[116],[117],[118], [119], Improving interpretability [120],[121],[122] of NNs Facilitate understanding of the internal logic of NNs [123],[124],[125],[126],[127],[128] 31 Visualizing internal layers of NNs to help identify errors [129],[130],[131],[132],[133],[134] in NNs Assuring robustness of NN Improving failure resilience of NN Me asuring and ens uring t est completeness Assuring safety properties of NN-based SCCPS Improving interpretability of NN 0 5 10 15 20 25 30 35 ACADEMIA INDUSTRY Figure 6: Comparing the interests di erence of academia and industry 4.2.1. CA1: Assuring robustness of NNs One high-order theme of the studies is to assure the robustness of NNs. Robustness of an NN is its ability to cope with erroneous inputs. The erroneous inputs can be an adversarial example (i.e., an input that adds small perturbation intentionally to mislead classification of an NN), or benign but wrong input data. Methods under this theme can be further classified into four sub-themes. Studies focusing on understanding the characteristics and impacts of adversarial examples. Some studies tried to identify the characteristics and impacts of adversarial examples. The study [57] found the characteristics, such as the linear nature, of adversarial examples. The study [59] measured the impact of adversarial examples by counting 11 their frequencies and severities. Nguyen et al. [56] found that a CNN trained on ImageNet [135] is vulnerable to adversarial examples generated through Evolutionary Algorithms (EAs) or gradient ascent. A few other studies, such as [58, 60, 61, 62], tried to understand the characteristics of robust NNs. Cisse et al. [60] introduced a particular form of DNN, namely Parseval Networks, that is intrinsically robust to adversarial noise. Gu et al. [62] concluded that some training strategies, for example, training using adversarial examples or imposing contractive penalty layer by layer, are robust to certain structures of adversarial examples (e.g., inputs corrupted by Gaussian additive noises or blurring). Higher-confidence adversarial examples (i.e., adversarial instances that are extremely easy to classify into the wrong category) were used to evaluate the robustness of the state-of-the-art NN in [61] and the robot-vision system in [58]. Studies focusing on methods to detect adversarial examples. Detecting adversarial examples that are already inserted into training or testing data set are the primary targets of [63, 65, 66, 67, 68]. Wicker et al. [63] and [67] formulated the adversarial examples detection as a two-player stochastic game and used the Monte Carlo Tree Search to identify adversarial examples. Reuben [65] applied density estimates, and Bayesian uncertainty estimates to detect adversarial samples. Xu et al. [66] proposed a feature squeezing framework to detect adversarial examples, which are generated by seven state-of-the-art methods. According to [66], an advantage of feature squeezing is that it did not change the underlying model. Therefore, it can easily be integrated with other defenses methods. Metzen et al. [68] embedded DNNs with a subnetwork (called “detector”) to detect adversarial perturbations. The Deepsafe presented in [64] used clustering technology to find candidate-safe regions first and then verified whether the candidates were safe using counter-examples as a proof. Studies focusing on methods to mitigate impact of adversarial examples. Papemot et al. [69] adopted defen- sive distillation as a defense strategy to train DNN-based classifiers against adversarial examples. However, several powerful attacks have been proposed to defeat defensive distillation and have demonstrated that defensive distilla- tion does not actually eliminate adversarial examples [61]. Papemot et al. [70] revisited defensive distillation and proposed a more e ective way to defend against three recently discovered attack strategies, i.e., the Fast Gradient Method (FGM) [57], the Jacobian Saliency Map Approach (JSMA) [136], and the AdaDelta optimization strategy (AdaDelta) [61]. Studies focusing on increasing robustness of NNs through using adversarial examples. In studies [71] and [72], the authors proposed methods to leverage adversarial training (e.g., generating a large amount of adversarial examples and then training the NN not to be fooled by these adversarial examples) to increase the robustness of NNs. 4.2.2. CA2: Improving failure resilience of NNs Studies under this theme focused on improving the resilience of NNs, so that the NN-based CPSs are more tolerant of possible hardware and software failures. Studies [75, 77, 78] investigated error detection and mitigation mechanisms, while studies [76, 80] focused on understanding error propagation in DNN accelerators. Vialatte et al.[75] demonstrated that faulty computations can be addressed by increasing the size of NNs. Santos et al. [77] proposed an algorithm-based fault tolerance (ABFT) strategy to detect and correct radiation-induced errors. In [78], a binary classification algorithm based on temporal and stereo inconsistencies was applied to identify errors caused by single frame object detectors. Li et al. [76] developed a general-purpose GPU (GPGPU) fault injection tool [137] to investigate error propagation patterns in twelve GPGPU applications. Later, Li et al. revealed that the error resilience of DNN accelerators depends on “the data types, values, data reuse, and the types of layers in the design [80]”. Based on this finding, they devised guidelines for designing resilient DNN systems and proposed two DNN protection techniques, namely Symptom-based Error Detectors (SED) and Selective Latch Hardening (SLH) to mitigate soft errors that are typically caused by high-energy particles in hardware systems [138]. Mhamdi et al. explored error propagation mechanism in an NN [79], and they theoretically and empirically proved that the key parameters that can be used to estimate the robustness of an NN are: “Lipschitz coecient of the activation function, distribution of large synaptic weights, and depth of the network”. The study [81] characterized the faults propagation through an open-source autonomous vehicle control software (i.e., openpilot) to assess the failure resilience of the system. The Systems-Theoretic Process Analysis (STPA) [139] hazard analysis technique was used to guide fault injection. Existing work in [81] showed that STPA is suited for an in-depth identification of unsafe scenarios, and thus, the fault injection space was reduced. 12 Based on the diversified redundancy strategies, the study [82] developed diverse networks in the context of dif- ferent training data sets, di erent network parameters, and di erent classification mechanisms to strengthen the fault tolerance of the DNN architecture. Studies [73, 74] tried to improve computation eciency without compromising error resilience. Studies [73, 74] also predicted the error resilience of DNN accelerators to make reconfigurable NN accelerators. The study [73] demonstrated a more accurate neuron resilience assignment than the state-of-the-art techniques and provided the possibility of moving parts of the neuron computations to unreliable hardware at the given quality constraint. Zhang et al. [74] proposed a framework to increase eciency of computation by approximating the computation of certain less critical neurons. Daftry et al. [83] provided an interesting idea about “how to enable a robot to know when it does not know?” The idea of [83] is to utilize the resulting features of the controller, which are learned from a CNN to predict the failure of the controller, and then let the system self-evaluate and decide whether to execute or discard an action. 4.2.3. CA3: Measuring and ensuring test completeness The approaches and tools under this theme aim to ensure good coverage when testing NNs. The testing approaches include black-box testing (i.e., focusing on whether the tests cover all possible usage scenarios), white-box testing (i.e., focusing on whether the tests cover every neuron in the NN), and metamorphic testing, which focuses on both test case generation and result verification [140]. O’Kelly et al.[84] proposed methods to ensure good usage coverage through first making a formal Scenario De- scription Language (SDL) to create driving scenarios, and then translating the scenarios to a specification-guided automatic test generation tool named S-TALIRO to generate and run the tests. Raj et al. [87] proved the possibil- ity of speeding up the generation of new and interesting counterexamples by introducing fuzzing patterns obtained from an unrelated DNN on a di erent image database, although the proposed method provides no guarantee of test completeness. DeepXplore [85] first introduced neuron coverage as a testing metric for DNNs, and then used multiple di erent DNNs with similar functionality to identify erroneous corner cases. Compared to [85], DeepTest [86] and DLFuzz [90] aimed at maximizing the neuron coverage without requiring multiple DNNs. The study [86] employed meta- morphic relations to identify erroneous behaviors. The study [90] proposed a di erential fuzzing testing framework to generate adversarial inputs. However, methods proposed in [85, 86, 90] cannot guarantee the generation of test cases that can precisely reflect real-world cases (e.g., driving scenes in various weather conditions when taking a DNN-based autonomous driving system). DeepRoad [89] employed Generative Adversarial Network (GAN) based techniques and metamorphic testing to synthesize diverse real driving scenes, and to test inconsistent behaviors in DNN-based autonomous driving systems. In contrast to earlier works, DeepGauge [88] argued that the testing criteria for traditional software are no longer applicable for DNNs. Ma et al. [88] proposed neuron-level and layer-level coverage criteria for testing DNNs and for measuring the testing quality. 4.2.4. CA4: Assuring safety property of NN-based SCCPSs Formal verification can provide a mathematical proof that a system satisfies some desired safety properties (e.g., the system should always stay within some allowed region, namely a safe region). Formal verification usually presents NNs as models and then apply a model checker, such as Boolean satisfiability (SAT) solvers (e.g., Cha [141], SATO [142], GRASP [143]) to verify the safety property. Pulina et al. [93] developed NeVer (Neural networks Verifier), which solves Boolean combinations of linear arithmetic constraints, to verify safe regions of MLPs. Through adopting an abstraction-refinement mechanism, NeVer can verify real-world MLPs automatically. As an extended experiment analysis of results of [93], [91] compared the performance (e.g., competition-style and scalability) of state-of-the-art Satisfiability Modulo Theories (SMT) solvers [144], and demonstrated that scalability and fine-grained abstractions remain challenges for realistic size networks. The studies [92] and [98] verified the “feed-forward NNs with piece- wise linear activation functions” by encoding verification problems into solving a linear approximation exploring network behavior in a SMT solver. The next generation of collision avoidance systems for unmanned aircrafts (ACAS Xu) adopted DNNs to compress large score table [5]. Julian et al. [96] explored the performance of ACAS Xu by measuring a set of safety and performance metrics. A simulation in study [96] shows that the system based on DNNs performed as correctly as the original large score table but with better performance. Reluplex [98] had successfully been used to verify the safety 13 property of a DNN for the prototype of ACAS Xu. Although the outcomes of Reluplex [98] are limited to verifying the correctness of NNs with specific type of activation functions (i.e., ReLUs and max-pooling layers), the study sheds a light on which types of NN architectures are easier to verify, and thus paves the way for verifying real-world DNN-based controllers. The method proposed in studies [100] and [101] verified that Binarized Neural Networks (BNNs) are ecient and scalable to moderate-sized BNNs. Study [100] represented BNNs as boolean formulas, and then verified the robustness of BNNs against adversarial perturbations. In study [101], BNNs and their input-output specifications were transferred into equivalence hardware circuits. The equivalence hardware circuits consist of a BNN structure module and a BNN property module. The authors of [101] then applied a SAT solver to verify the properties (e.g., simultaneously classify an image as a priority road sign and as a stop sign with high confidence) of the BNN in order to identify the risk behavior of the BNN. When verifying a SCCS, one of the fundamental concerns is to make sure that the SCCS will never violate a safety property. An example of a safety property is that the system should never reach an unsafe region. The main ideas of studies under this sub-theme are to calculate the output reachable set of MLPs, such as in studies [95] and [97], or DNNs in study [94], to verify if unsafe regions will be reached. Xiang et al. [97] proposed a layer-by-layer approach to compute the output reachable set assisted by polyhedron computation tools. The safety verification of a ReLU MLP is turned into checking if a non-empty intersection exists between the output reachable set and the unsafe regions. In a later work of Xiang et al. [95], they introduced maximum sensitivity to perform a simulation-based reachable set estimation with few restrictions on the activation functions. By combining local search and linear programming problems, Dutta et al. [94] developed an output bound searching approach for DNNs with ReLU activation functions, which is implemented in a tool called SHERLOCK to check whether the unsafe region is reached. Study [99] focused on the safety verification of image classification decisions. In [99], Huang et al. employed discretization to enable a finite exhaustive search for adversarial misclassifications. If no misclassifications are found in all layers after the exhaustive search, the NN is regarded as safe. The idea of [102] was to formulate the formal verification of temporal logic properties of a CPS with Machine Learning (ML) components as the falsification problem (finding a counterexample that does not satisfy system spec- ification). The study [102] adopted an ML analyzer to abstract the feature space of ML components (which ap- proximately represents the ML classifiers). The identified misclassifying features are then used to drive the process of falsification. The introduction of the ML analyzer narrowed down the searching space for counterexamples and established a connection between the ML component and the rest of the system. Another direction to make sure the system will not violate safety properties is to use run-time monitoring. The study [103] envisioned an approach named WISEML, which combines reinforcement learning and run-time monitor- ing technique, to detect invariants violations. The purpose of this work was to create a safety envelope around the NN-based SCCPSs. 4.2.5. CA5: Improving interpretability of NNs NNs have proved to be e ective ways to generalize the relationship between inputs and outputs. As the models of NNs are learned from training data sets without human intervention, the relationship between the inputs and outputs of NNs is like a black box. Due to the black-box nature of NNs, it is dicult for people to understand and explain how an NN works. Studies under this theme focus on facilitating the understanding on how NNs generate outputs from inputs. Studies in this theme can be classified into the following three sub-themes, which can be overlapped. However, this can be a way to capture the di erent motivations for the interpretability of NNs. Studies focusing on understanding how a specific decision is made. This line of work mainly focuses on providing explanations for individual predictions (also defined as local interpretability). One study is called Local Interpretable Model-agnostic Explanations (LIME) [130]. LIME can approximate the original NN model locally to provide an explanation for a specific prediction of interest. The problem of LIME is that it assumes the local linearity of the classification boundary, which is not true for most complex NNs. The creators of LIME later extended their work by introducing high-precision rules (i.e., if-then rules), which they called anchors [105]. The study [131] developed an explanation system named LEMNA for security applications and Recurrent Neural Networks (RNNs). LEMNA can locally approximate a non-linear classification boundary and handle feature dependency problems and therefore is able to provide a high fidelity explanation. 14 In the case of an image classifier, it is also common to use gradient measurements to estimate the importance value of each pixel for the final classification. DeepLIFT [116], Integrated Gradients [106], and more recently, SmoothGrad [121] fall into this category. The study [122] proposed a unified framework, SHapley Additive exPlanations (SHAP), by integrating six existing methods (LIME [123], DeepLIFT [116], Layer-Wise Relevance Propagation, Shapley regression values, Shapley sampling values, and Quantitative Input Influence) to measure feature importance. Several approaches attempted to decompose the classification decision (output) into the contributions of individual components of an input based on specific local decomposition rules (i.e., Pixel-Wise decomposition [107, 117], and deep Taylor decomposition [109]). Szegedy et al. [104] investigated the semantic meaning of individual units and the stability of DNNs while small perturbations were added to the input. They pointed out that the individual neurons did not contain the semantic infor- mation, while the entire space of activations does. They also experimentally proved that the same small perturbation of input can cause di erent DNN models (e.g., trained with di erent hyperparameters) to generate wrong predictions. There are several methods for improving local explanations for NN models compared to the above-mentioned approaches. The study [114] argued that explanation approaches for NN models should provide sound theoretical support. Ross et al. [119] presented their idea as “Right for the right reasons,” which means that the output of NN models should be right with the right explanation. In Ross et al. [119], incorrect explanations for particular inputs can be identified, and NN models can be guided to learn alternate explanations. Both [114, 118] made e orts on real-time explanations since their approaches can generate accurate explanations quickly enough. Studies focusing on facilitating understanding of the internal logic of NNs. Studies in this sub-theme are also known as global interpretability. To help interpret how NN models work, model distillation is used in [123], [124], [125], and [127]. The initial intention of distillation was to reduce the computational cost. For example, Hinton et al. [125] distilled a collection of DNN models into a single model to facilitate deployment. The knowledge distilled from NN models has later been applied for interpretability. Some studies compressed information (e.g., decision rules) from deep learning models into transparent models such as decision trees [123, 132] and gradient boosting trees [124] to mimic the performance of models. Others tended to explain the inner mechanisms of NN models through analyzing the feature space. Study [127] distilled the relationship between input features and model predictions (outputs of the model) as a feature shape to evaluate the feature contribution to the model. Another attempt to produce global interpretability is to reveal the features learned by each neuron. For example, in [128], the authors leveraged deep generator networks to synthesized the input (i.e., image) that highly activates a neuron. Dong et al. [111] adopted an attentive encoder-decoder network to learn interpretable features, and then proposed an algorithm called prediction di erence maximization to interpret the features learned by each neuron. One interesting work [120] used an additional NN module that is fit for relational reasoning to reason the relations between the input and response of the NN models. There is also another promising line of work (e.g., [110], [115]) that combined local and global interpretability to explain NN models. Studies focusing on visualizing internal layers of NNs to help identify errors in NNs. In study[129], activities, such as the operation of the classifier and the function of intermesdiate feature layers within the CNN model, were visualized by using a multi-layered deconvolutional network (named DeconvNet). These visualizations are useful to interpret model problems. Unlike [129], which visually depicted neurons in a convolutional layer, the study [108] visualized neurons in a fully connected layer. Zhou et al. [113] proposed Class Activation Mapping (CAM) for CNNs to visualize the discriminative object parts on any given image. Fong and Vedaldi [112] highlighted the most respon- sible part of an image for a decision by perturbing meaningful images. DarkSight [126] combined the ideas of model distillation and visualization to visualize the prediction of an NN model. Thiagarajan et al. [133] built a TreeView rep- resentation via feature-space partitioning to interpret the prediction of an NN. Mahendran et al. [134] reconstructed semantic information (images) in each layer of CNNs by using information from the image representation. 4.3. RQ3. What are the limitations of current research with respect to testing and verifying NN-based SCCSs? Analyzing failure modes and how the system reacts to failures are crucial parts of the safety analysis, especially in safety-critical domains. When testing and verifying the safety of NN-based SCCPSs, we need to rethink how to perform failure mode and e ect analysis, how to analyze inter-dependencies between sub-systems of SCCPSs, and how to analyze the resilience of the system. We need to ensure that even if some of the system’s hardware or software do not behave as expected, the system can sense the risk, avoid the risk before the incident, and mitigate the risk 15 e ectively when an incident happens. Looking into T&V activities through software development, the ideal situation is that we would find appropriate T&V methods to verify whether the design and implementation are consistent with the requirements, construct complete test criteria and test oracle, and generate test data and test any objects (such as code modules, data structures) that are necessary for the correct development of software [145]. Unfortunately, the fact is that complete T&V is hard to guarantee. In order to investigate the gap between industry needs for T&V of NN-based SCCPS and state-of-the-art T&V methods, we performed a mapping of identified approaches to the relevant standard. 4.3.1. Mapping of reviewed approaches to the software safety lifecycles in IEC 61508 An increased interest in the application of NNs within safety-critical domains has encouraged research in the area of T&V of NN-based SCCSs. Research institutions and industry T&V practitioners are working on di erent aspects of this problem. However, we have not found strong connections between those potentially useful methods for T&V of NNs and relevant safety standards (such as IEC 61508 [46] and ISO 26262 [47]). We hereby adopt IEC 61508 [46] as a reference standard to execute the mapping analysis since ISO 26262 [47] is the adaptation of IEC 61508 [46]. We found that the major T&V activities listed in the software safety lifecycles of IEC 61508-3 (including evaluation of software architecture design, software module testing and integration, programmable electronics integration, and software verification) are still valid when conducting T&V for NN-based SCCSs. But for most of them, new techniques/measures for supporting the T&V of NN-based software are demanded. Therefore, we decided to employ safety integrity properties (which are explained in IEC 61508-3 Annex C and Annex F of IEC 61508-7) as indicators to justify to what extent these desirable properties have been achieved by the state-of-the-art methods for T&V of NN-based SCCSs. The detailed mapping information can be found in Table 5. Table 5: A mapping of reviewed approaches to IEC 61508 safety lifecycle Relevant primary Phase Property Remaining challenges studies Software Completeness None N/A architecture Correctness [96] CA4 Training process of NN-based algo- design rithm is time-consuming. [57, 59, 60, 62, 66], Freedom from in- CA1 ¶ Limited to specific model [68] - [72] trinsic faults classes, or tasks (e.g., image classi- fier), or small size NNs [59]; · Not immune to adversarial adaptation [66]; ¸ Lack of understanding on how system can be free from di erent kinds of attacks other than adversarial examples. Understand- [104] - [134] CA5 ¶ Limited to specific model ability classes, or tasks (e.g., image clas- sifier), or small size NN models [123]; · Not able to provide real-time explanations; ¸ Lack of evaluation method for the explanation of NNs. Verifiable and [84] CA3 ¶ Lack of integrated computer- testable design aided toolchains to support the ver- ification activities; · Limited to specific models, tasks or NN size. [92] CA4 ¶ Limited to specific NN archi- tectures (i.e., piece-wise linear ac- tivation functions), need better un- derstanding of NN architectures; · Trade-o between ecient verifica- tion and linear approximation of the NN behavior is not studied su- ciently. Category Table 5 – continued from the previous page Relevant primary Phase Property Remaining challenges studies Fault [74, 75, 79, 82, CA2 ¶ Decouple the fault tolerance from tolerance 83] the classification performance [75]; · Lack of studies on unexpected environmental failures. Defense against None N/A common cause failure Software module testing and Completeness [61, 72] CA1 Lack of comprehensive criteria to integration evaluate testing adequacy. [85] - [90] CA3 Low fidelity of testing cases com- pared with real-world cases [86]. [56, 58, 61, 63, 64] Correctness CA1 ¶ Vulnerable to the variation of ad- [65, 67] versarial examples; · Limited to specific NN model classes or tasks. [78] CA2 Insucient validation of input raw data. Repeatability [84, 85, 86] CA3 Testing cases generated by auto- mated tools may be biased. Precisely defined None N/A testing configura- tion Programm- able electronics integration Completeness None N/A (hardware and software) Correctness [73, 76, 77, 80] CA2 Insucient testing of hardware ac- celerator. Repeatability None N/A Precisely defined None N/A testing configura- tion Software Completeness [95, 97] CA4 ¶ Limited to specific NN models; verification · Lack of scalability. Correctness [81] CA2 ¶ Automatic generation of com- plete testing scenarios sets. [91, 93, 94, 98, 99] CA4 ¶ Scalability and computational [100] - [102] performance need to improve; · SMT encoding for large-scale NN model; ¸ Lack of model-agnostic verification methods; ¹ Automatic generation of feature space abstrac- tions [102]. Repeatability None N/A Precisely defined None N/A testing configura- tion In Table 5, we mapped existing T&V methods for NN-based SCCSs (column 3 and column 4) into relevant properties (column 2) of four major T&V phases (column 1) in the software safety lifecycles of IEC 61508-3. For column 5 in Table 5, we summarized the remaining challenges in testing and verifying NN-based SCCSs based on reviewed papers. The overviews of these remaining challenges can potentially inspire researchers to look for a focus in the future. Category 4.3.2. Limitations and suggestions for testing and verifying NN-based SCCSs In Table 5, we show the limitations and gaps of state-of-the-art T&V approaches for NN-based SCCSs. In this section, we will take two T&V phases (evaluation of software architecture design and software module testing and integration) as examples to provide detailed analysis of identified limitations and corresponding suggestions on the basis of required safety integrity properties. For the other two T&V phases (programmable electronics integration and software verification), only summaries of limitations and suggestions will be presented to avoid duplication. Evaluation of software architecture design. The top three properties that have been addressed are: simplicity and understandability (31 papers), freedom from intrinsic design faults (10 papers), and fault tolerance (5 papers). Cor- rectness with respect to software safety requirements specification (1 paper) and verifiable and testable design have drawn little attention (2 papers) for reviewed studies. There are two properties, i.e., completeness with respect to soft- ware safety requirements specification and Defense against common cause failure from external events, which have not been addressed in reviewed papers. Completeness with respect to software safety requirements specification No study contributes to the achieve- ment of completeness, which requires the architecture design to be able to address all the safety needs and constraints. The achievement of completeness depends on the achievement of other properties, such as fully understanding the behavior of NN models. The design and deployment of NN-based SCCSs are in its infancy stage. When NN-based SCCS design becomes more practical, more studies may address this topic. Correctness with respect to software safety requirements specification To achieve correctness, software ar- chitecture design needs to respond to the specified software safety requirements appropriately. Study [96] reported their successful design of a DNN-based compression algorithm for aircraft collision avoidance systems. Even though they demonstrated that the DNN-based algorithm preserves the required safety performance, the training process is still time-consuming. Freedom from intrinsic design faults Intrinsic design faults can be interpreted as failures derived from the design itself. State-of-the-art NNs have proved to be vulnerable to adversarial perturbations due to some intriguing properties of NNs [57]. Most of the studies in this category were aimed at understanding, detecting, and mitigating adversarial examples. Study [99] reported that their approach could generalize well on several state-of-the-art NNs to find adversarial examples successfully. However, the verification process of founded features is time-consuming, especially for larger images. In this sense, the scalability and computational performance of adversarial robustness are expected to be addressed in the future. In addition, adversarial robustness does not imply that the NN model is truly free from intrinsic design faults. How to assure freedom from interferences (e.g., signal-noise ratio degradation) other than adversarial perturbations is a research gap that needs to be filled. Understandability This property can be interpreted as the predictability of system behavior, even in erroneous and failure situations. In this category, studies focusing on providing explanations for individual prediction (e.g., [104]) and on visualizing internal layers of NN (e.g., [129, 130, 131]) are not meaningful for safety assurance. Stud- ies focusing on facilitating understanding of the internal logic of NNs (such as presenting NNs as decision trees [123]) could be a solution to improve the understandability of NN-based architecture design. However, this line of work is rare, and most methods are only applied to small-scale DNNs with image input, or specific NN models. Besides, assuming the explanation of NN is available, confirming the correctness of the explanation is still a challenge. Inter- pretability of NNs is undoubtedly a crucial need in safety-critical applications. Methods in this line should capable of explaining di erent types of sensor data (e.g., image, text, and point data) and both local and global decisions. Verifiable and testable design The evaluation metrics of verifiable and testable design may be derived from modularity, simplicity, provability, and so on. We observed that existing verifiable and testable designs are limited to specific NN architectures (e.g., [92]) or specific tasks (e.g., [84]). There is no standard procedure for determining which type of NNs will be easier to verify. Ehlers [92] argued that NNs that adopt piece-wise linear activation 18 functions are easier to verify, but their method still need to face the conflict between ecient verification and accuracy of linear approximation for the NN behavior. Fault tolerance Fault tolerance implies that the architecture design can assure the safe behavior of the software whenever internal or external errors occur. To achieve fault tolerance, features like failure detection and failure impact mitigation of both internal and external errors should be included in the design. Existing methods showed that unexpected environmental failures are hard to detect and mitigate. Besides, many of the proposed approaches in this category have not yet been evaluated in the real-world. Some studies formulated approximated computational models to represent real-world systems (e.g., [74]). The study [83] did not use any test oracle when executing system flight tests. Some studies used simulation models to verify the performance of the original NN (e.g., [75]). They are not able to prove the fidelity of the model compared with the real-world system. Defense against common cause failure from external events Software common cause failure is a type of concurrent failure of two or more modules in the software, which is caused by software design defects and triggered by external events such as time, unexpected input data, or hardware abnormalities [146]. Many safety critical systems adopt redundant architectures (meaning two or more independent subsystems have identical functions to back-up each other) to prevent a single point of failure. However, redundant architectures are vulnerable considering common cause failure. In the context of NN-based SCCSs, it is common to employ multiple NNs with similar architectures in order to improve the accuracy of prediction. If a common cause failure occurs in this kind of software design, the prediction might be totally wrong, and thus the control software might make the wrong decision. DeepXplore, reported in [85], used more than two di erent DNNs with the same functionality to automatically generate a test case. If all the DNNs in DeepXplore are a ected by common cause failure, such as if a sensor failure causes all the DNNs to make the same misclassification, then it will not be able to generate the corresponding test case. No method is found in reviewed papers that can identify common cause failure modes and defend against such failures. In order to e ectively defend against common cause failure, designers need to inspect the completeness and correctness of the safety requirements specification, trace the implementation of the safety requirements specification, and make a thorough T&V plan to reveal the common cause failure modes in the early stage. Software module testing and integration. The top two properties that have been addressed are: completeness of testing and integration with respect to the design specifications (9 papers) and correctness of testing and integration with respect to the design specifications (8 papers). Repeatability has drawn little attention (3 papers) from the reviewed studies. There is one property, precisely defined testing configuration, which has not been addressed in the reviewed papers. This property aims to evaluate the precision of T&V procedures, which is not in the scope of our selected papers. Therefore, we will not give more explanation on this property. Completeness of testing and integration with respect to the design specifications We observed some e orts that tried to find a systematic way to generate testing cases (e.g., [86, 89]) to measure testing quality (e.g., [88]) or to connect di erent T&V stages in the development of SCCSs (e.g., [147]). As analyzed in Section 4.2, we can infer that an NN-based control software is instinctually di erent in design workflow and software development compared to the design of traditional control software. We suggest that the testing criteria should thoroughly align with the software design. To be more specific, the instinctive features of NN-based softwares (e.g., NN model’s architectural details and the working mechanism of NNs) should be carefully considered when setting the testing criteria. That is testing criteria should be defined comprehensively and explicitly under the consideration of not only test case coverage but also the robustness of NN-based system performance (for instance, test how an NN will respond when input data change slightly) and the features of training data sets, such as the data density issue mentioned in [148]. Correctness of testing and integration with respect to the design specifications Several studies (e.g., [56, 63, 64]) reported that their methods are vulnerable to the variation of adversarial examples. Another common limitation is that most methods are model-specific, meaning that they can only apply to a single type or class of NN model. To achieve correctness of testing and integration, the module testing task should be completed, which means the testing 19 should cover both NN models and external input. However, few studies focused on the validation of input data. One study [78] identified that sucient validation of input raw data remains a challenge. Repeatability The complexity and un-interpretable feature of NNs make manual testing almost infeasible. In order to be able to generate consistent results from testing repeatedly, some studies were dedicated to achieving automatic test execution or even automatic test generation. We found three papers (i.e., [84, 85, 86]) addressing automatic test generation. However, generating test cases automatically is still a challenge. For instance, studies [85, 86] claimed that the test cases generated by an automated testing tool may not cover all real-world cases. Programmable electronics integration. The major limitation of this line of work is insucient testing for hardware accelerators. NN-based SCCPSs requires typically high-performance computing systems, such as Graphics Process- ing Units (GPUs). Some industry participants have provided specialized hardware accelerators to accelerate NN-based computations. For example, Google deployed a DNN accelerator (called Tensor Processing Unit) in its data centers for DNN applications [149]. NVIDIA introduced an automotive supercomputing platform named DRIVE PX 2 [35], which now has been used by over 370 companies and research institutions in the automotive industry [150]. However, little research e ort has been put into the T&V of the reliability of using hardware accelerators for NN applications. We found seven studies (i.e. [73, 74, 75, 77, 76, 78, 80]) addressing the evaluation of the error resilience of hard- ware accelerators. However, the testing is limited to specific type errors (e.g., radiation-induced soft errors, which are presented in [73, 77, 80]). The mitigation method proposed in [77] (called ABFT: Algorithm-Based Fault Tolerance) can only protect portions of the accelerator (e.g., sgemm kernels, which is one kind of matrix multiplication kernels). The study [78] identified errors made by single frame object detectors, but the result showed that the method is not capable of detecting all mistakes. The studies [73, 80] investigated the propagation characteristic of soft errors in the DNN system, but they used a DNN simulator instead of a real DNN accelerator for fault injection. Software verification. In general, there is a lack of a comprehensive and standardized framework for verifying the safety of NN-based SCCSs. Formal verification procedures are highly demanding. The common limitation of formal verification approaches is the scalability issues. Most proposed methods are limited to a specific NN structure and size (e.g., [92, 93, 98, 100, 101]). The study [93] reported that their approaches can only verify small-scale systems (i.e., the layer of NN is 3 and the maximum amount of input neurons is 64). One approach reported in [100] can verify medium size NNs. The verification of large-scale NNs is still a challenge. Another limitation is that proposed approaches are not robust to NN variations. For example, verification methods in studies [92, 98] are only adapted to specific network types and sizes. 5. Discussion In this section, we first discuss industry practices for T&V of NN-based SCCPSs. Then, we compare this SLR with related works. At the end of this section, we present the threats to the validity of our study. 5.1. Industry practice Our findings on the research questions (RQ1 to RQ3) mainly reflected the academic e orts addressing T&V of NN-based SCCPSs. NN-based applications have drawn a lot of attention from industry practitioners. Taking the automotive industry as an example, several car makers (e.g., GM, BMW, and Tesla) and some high technology companies (e.g., Waymo and Baidu) are leading the revolution in autonomous driving safety. 5.1.1. Safety of the intended functionality At the beginning of this year, ISO/PAS 21448:2019 [48] was published. It listed recommended methods for deriving verification and validation activities (See ISO/PAS 21448:2019 Table 4). In Table 6, we highlighted six of the recommended methods, which shared similar verification interests with existing academic e orts. 20 Table 6: Shared verification interests of ISO/PAS 21448 and academic e orts ISO/PAS 21448 Academic e orts Analysis of triggering events CA1: Assuring robustness of NNs Analysis of sensors design and their known potential limitations CA2: Improving failure resilience of NNs Analysis of environmental conditions and operational use cases CA3: Measuring and ensuring test completeness Analysis of boundary values CA4: Assuring safety property of NN-based SCCPSs Analysis of algorithms and their decision paths CA5: Improving interpretability of NNs Analysis of system architecture CA1-CA5 5.1.2. Safety reports In 2018, three companies (Waymo, General Motor, and Baidu Apollo) published their annual safety reports. As a pioneer in the development of self-driving cars, Waymo proposed the “Safety by Design” [151] approach, which entails the processes and techniques they used to face safety challenges of a level 4 autonomous car on the road. For the cybersecurity consideration, Waymo adopted Google’s security framework [152] as the foundation. Af- ter that, General Motor (GM) released their safety report [153] for Cruise AV (also level 4). GM’s safety process combined conventional system validation (such as vehicle performance tests, fault injection testing, intrusive test- ing, and simulation-based software validation) with SOTIF validation through iterative design. Baidu adopted the Responsibility-Sensitive Safety model [154] proposed by Mobileye [155] (an Intel company) to design the safety process for the Apollo Pilot for a passenger car (level 3). In addition, we noticed that Tesla started releasing quarterly safety data since October 2018 [156]. It seemed that Tesla has a completely di erent approach to self-driving cars than other companies. According to TESLA NEWS [157], AutoPilot will rely for its self-driving function on cameras, not on LIDAR; the AutoPilot software is trained online (which means that the NN keeps learning and evolving during operation). The Autopilots safety features are continuously evolved and enhanced through understanding real-world driving data from every Tesla. Referring to these safety reports of existing autonomous cars, we should be aware that when testing DNN-based control software (the core part of autonomous vehicles), black-box system level testing (by observing inputs and its corresponding outputs, e.g., closed course testing and real-world driving) is still the leading method. More systematic T&V criteria and approaches are needed for more complete and reliable testing results. 5.2. Comparison with related work 5.2.1. Verification and validation of NNs Taylor et al. [15] conducted a survey on the Verification and Validation (V&V) of NNs used in safety-critical domains in 2003. Study [15] is the closest work we found, although they did not adopt an SLR approach. Our study covered new studies from 2011-2018. The authors of [15] also made a classification of methods for the V&V of NNs. They grouped the methods into five traditional V&V technique categories, namely, automated testing and testing data generation methods, run-time monitoring, formal methods, cross validation, and visualization. In contrast to [15], our study adopted a thematic analysis approach [55] and identified five themes based on the research goals of the selected studies. We thought it was better to classify the proposed T&V methods of NNs based on their aims rather than on the traditional technique categories since many traditional V&V techniques are no longer e ective for verifying NNs in many cases. New methods and tools should be explored and developed without being limited by the traditional V&V categories. Another di erence is our study specialized more in the T&V of modern NNs, such as MLP and DNN, whereas the study [15] provided more in-depth analysis of V&V methodologies for NNs used in flight control system, such as Pre-Trained Neural Network (PTNN) and Online Learning Neural Network (OLNN). Our study and [15] have some common findings. For example, one category, named Visualization in [15], falls into our category CA5 Improving interpretability of NNs. 5.2.2. Surveys of security, safety, and productivity for Deep Learning (DL) systems development Hains et al. [16] surveyed existing work on “attacks against DL systems; testing, training, and monitoring DL systems for safety; and the verification of DL systems.” Our study and [16] shared a similar motivation. The critical di erence between our SLR and [16] are threefold: 1) We conducted our literature review on 83 selected papers based 21 on specific SLR guidelines, while they used an ad hoc literature review (ALR) approach and reviewed only 21 primary papers. 2) They only focused on DL systems, whereas our scope covered modern NN-based software systems, which embodies DL-based software systems. 3) They inferred that formal methods and automation verification are the two promising research directions based on the reviewed works. In contrast, we focused more on safety issues, and found more categories to be addressed for safety purposes. 5.2.3. Surveys of certification of AI technologies in automotive Falcini et al. [17, 18] reviewed the existing standards in the automotive industry and pointed out the related applicability issues of automotive software development standards to deep learning. Although our SLR takes the automotive industry as an example, we are concerned with SCCPSs in general. This concern is reflected in the distribution of the selected papers (only 13 of the 83 selected papers are oriented to automotive CPSs). 5.2.4. SLR of Explainable Artificial Intelligence (XAI) There are two very recent SLRs, [158] and [159], on the interpretation of artificial intelligence. Both [158] and [159] employed similar commonly accepted guidelines to conduct their SLRs. The fundamental di erence between our study and [159, 158] is the scope. [158] reviewed 381 papers on existing XAI approaches from interdisciplinary perspectives. As reported in [159], the scope of their SLR is visualization and visual analytics for deep learning. The study [159] focused on studies that adopted visual analytics to explain NN decisions. Our study has a more comprehensive coverage of T&V approaches that were employed to not only interpret NN behaviors but also to assure the robustness of NNs, to improve the failure resilience of NNs, to ensure test completeness, and to assure the safety property of NN-based SCCPSs. In a summary, our SLR tried to provide an overview of key aspects related to T&V activities for NN-based SCCSs. 5.3. Threats to validity In this section, we discuss some threats to the validity of our study. 5.3.1. Search strategy The most possible threat in this step is missing or excluding relevant papers. To mitigate this threat, we used six of the most relevant digital libraries to retrieve papers. Additionally, we employed two strategies to mitigate potential limitations in the search terms: 1) adopted an PIOC criteria to ensure the coverage of search terms; and 2) improved search terms iteratively. Further, we conducted an extensive snowballing process on references of the selected papers to identify related papers. The search keywords were cross-checked and agreed on by both authors. 5.3.2. Study selection Researchers’ subjective judgment could be a threat to the study selection. We strictly followed the pre-defined review protocol to mitigate this threat. For example, we started recording the inclusion and exclusion reasons from the 3rd stage. We validated the inclusion and exclusion criteria with two authors on the basis of the pilot search. Furthermore, the second author performed a cross-check of all selected papers. Any paper that raised doubts about its inclusion or exclusion decision was discussed between the first and second authors. For example, the “smart grid” is included in the search term, but no relevant papers were found after the 3rd stage. Then, we conducted a snowballing search to identify papers that presented how to use NNs in smart grids. We found out that AI is mainly used to solve the economically relevant problems [160] of the smart grid system (e.g., prediction of energy usage and ecient use of resources). AI is not involved in the safety-critical applications (e.g., decision making on optimal provision of power) of smart grids. Therefore, there were no relevant papers addressing safety analysis or testing/verification (refer to Inclusion criteria I2). 5.3.3. Data extraction The first author was responsible for designing the data extraction form and conducting the data extraction from selected papers. In order to avoid the first author’s bias in data extraction, the two authors continuously discussed the data extraction issues. The extracted data were verified by the second author. 22 5.3.4. Data synthesis Data analysis outcomes could vary with di erent researchers. To reduce the subjective impact on data synthesis, besides strictly following the thematic synthesis steps [55], the data synthesis was first agreed on by both authors. We disseminated our preliminary findings to two internal research groups at our university (i.e., the autonomous vehicle lab and autonomous ships lab) and presented at a Ph.D. seminar on IoT, Machine Learning, Security, and Privacy for comments and feedback. In summary, the audiences agreed with our research design and results, and they thought that the mapping of reviewed approaches to the IEC61508 is a valuable attempt. Several researchers working in formal verification and safety verification thought that safety cases would be a promising direction to address the challenges of T&V of NN-based SCCSs. One suggestion is adding information about self-driving car simulators. Based on these comments and feedback, we revised our paper accordingly. 6. Conclusion and future work In this paper, we have presented the results of a Systematic Literature Review (SLR) of existing approaches and practices on T&V methods for neural-network-based safety critical control software (NN-based SCCS). The motivation of this study was to provide an overview of the state-of-the-art T&V of safety-critical NN-based SCCSs and to shed some light on potential research directions. Based on pre-defined inclusion and exclusion criteria, we selected 83 papers that were published between 2011 and 2018. A systematic analysis and synthesis of the data extracted from the papers and comprehensive reviews of industry practices (e.g., technical reports, standards, and white papers) related to our RQs were performed. Results of the study show that: 1. The research on T&V of NN-based SCCSs is gaining interest and attention from both software engineering and safety engineering researchers/practitioners according to the impressive upward trend in the number of papers on T&V of NN-based SCCSs (See Fig. 5). Most of the reviewed papers (68/83, 81.9%) have been published in the last three years. 2. The approaches and tools reported for the T&V of NN-based control software have been applied to a wide variety of safety-critical domains, among which automotive CPSs has received the most attention. 3. The approaches can be classified into five high-order themes, namely, assuring robustness of NNs, improving failure resilience of NNs, measuring and ensuring test completeness, assuring safety properties of NN-based SCCPSs, and improving interpretability of NNs. 4. The activities listed in the software safety lifecycles of IEC 61508-3 are still valid when conducting safety verification for NN-based control software. However, most of the activities need new techniques/measures to deal with the new characteristics of NNs. 5. Four safety integrity properties within the four major safety lifecycle phases, namely, correctness, completeness, freedom from intrinsic faults, and fault tolerance, have drawn the most attention from the research community. Little e ort has been put on achieving repeatability. No reviewed study focused on precisely defined testing configuration and defense against common cause failure, which are extremely crucial for assuring the safety of a production-ready NN-based SCCS [161]. 6. It is common to combine standard testing techniques with formal verification when testing and verifying large- scale, complex safety-critical software [15, 145]. As explained in section 4.3, we found that an increasing concern of the reviewed works is the integration of di erent T&V techniques in a systematic manner to gain assurance for the whole lifecycle of the NN-based control software. This SLR is just a starting point in our studies to test and verify NN-based SCCPSs. In the future, we will focus on improving the interpretability of NNs. To be more specific, we plan to develop a method for explaining why an NN model is more (or less) robust than other models. It can guide software designers to design an NN model with an appropriate robustness level, which will greatly support safety by design. Acknowledgments The authors would like to thank Weifeng Liu for commenting on and improving this paper. This work is supported by the Safety, autonomy, remote control and operations of industrial transport systems (SAREPTA) project, which is 23 financed by the Norwegian Research Council with Grant No. 267860. This work is also supported by the Management of safety and security risks for cyber-physical systems project, which is financed by the Norwegian University of Science and Technology and the Technical University of Denmark. References [1] R. Rajkumar, I. Lee, L. Sha, J. Stankovic, Cyber-physical systems: the next computing revolution, in: Design Automation Conference (DAC), 2010 47th ACM/IEEE, IEEE, pp. 731–736. [2] B. K. Bose, Neural network applications in power electronics and motor drivesan introduction and perspective, IEEE Transactions on Industrial Electronics 54 (2007) 14–33. [3] P. Ongsulee, Artificial intelligence, machine learning and deep learning, in: ICT and Knowledge Engineering (ICT&KE), 2017 15th International Conference on, pp. 1–6. [4] M. Bojarski, D. Del Testa, D. Dworakowski, B. Firner, B. Flepp, P. Goyal, L. D. Jackel, M. Monfort, U. Muller, J. Zhang, et al., End to end learning for self-driving cars, arXiv preprint arXiv:1604.07316 (2016). [5] K. D. Julian, J. Lopez, J. S. Brush, M. P. Owen, M. J. Kochenderfer, Policy compression for aircraft collision avoidance systems, in: Digital Avionics Systems Conference (DASC), 2016 IEEE/AIAA 35th, IEEE, pp. 1–10. [6] S. Levin, J. C. Wong, Self-driving uber kills arizona woman in first fatal crash involving pedestrian, https://www.theguardian.com/ technology/2018/mar/19/uber-self-driving-car-kills-woman-arizona-tempe, 2018. Accessed: 2018-07-27. [7] D. Yadron, D. Tynan, Tesla driver dies in first fatal crash while using autopilot mode, https://www.theguardian.com/technology/ 2016/jun/30/tesla-autopilot-death-self-driving-car-elon-musk, 2016. Accessed: 2018-07-27. [8] D. Lee, Google self-driving car hits a bus, https://www.bbc.com/news/technology-35692845, 2016. Accessed:18-12-2018. [9] Valasek, Chris, Miller, Charlie, Who’s behind the wheel? exposing the vulnerabilities and risks of high tech vehicles, https://trid.trb. org/view/1370158, 2015. Accessed: 2018-07-27. [10] S. Kriaa, L. Pietre-Cambacedes, M. Bouissou, Y. Halgand, A survey of approaches combining safety and security for industrial control systems, Reliability Engineering & System Safety 139 (2015) 156–178. [11] T. Aven, A unified framework for risk and vulnerability analysis covering both safety and security, Reliability Engineering & System Safety 92 (2007) 745 – 754. [12] G. Stoneburner, Toward a unified security-safety model, Computer 39 (2006) 96–97. [13] T. Novak, A. Treytl, Functional safety and system security in automation systems - a life cycle model, in: 2008 IEEE International Conference on Emerging Technologies and Factory Automation, pp. 311–318. [14] P. Bieber, J.-P. Blanquart, G. Descargues, M. Dulucq, Y. Fourastier, E. Hazane, M. Julien, L. Leonardon, ´ G. Sarouille, Security and safety assurance for aerospace embedded systems, in: Proceedings of the 6th International Conference on Embedded Real Time Software and Systems, Toulouse, France, pp. 1–10. [15] B. J. Taylor, M. A. Darrah, C. D. Moats, Verification and validation of neural networks: a sampling of research in progress, in: Intelligent Computing: Theory and Applications, volume 5103, International Society for Optics and Photonics, pp. 8–17. [16] G. Hains, A. Jakobsson, Y. Khmelevsky, Towards formal methods and software engineering for deep learning: Security, safety and produc- tivity for dl systems development, in: Systems Conference (SysCon), 2018 Annual IEEE International, IEEE, pp. 1–5. [17] F. Falcini, G. Lami, Challenges in certification of autonomous driving systems, in: 2017 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), pp. 286–293. [18] F. Falcini, G. Lami, Deep learning in automotive: Challenges and opportunities, in: A. Mas, A. Mesquida, R. V. O’Connor, T. Rout, A. Dorling (Eds.), Software Process Improvement and Capability Determination, Springer International Publishing, 2017, pp. 279–288. [19] P. Van Wesel, A. E. Goodloe, Challenges in the Verification of Reinforcement Learning Algorithms, Technical Report, 2017. https: //ntrs.nasa.gov/search.jsp?R=20170007190. [20] B. Kitchenham, S. Charters, Guidelines for performing systematic literature reviews in software engineering, 2007. [21] E. Lee, The past, present and future of cyber-physical systems: A focus on models, Sensors 15 (2015) 4837–4869. [22] A. Humayed, J. Lin, F. Li, B. Luo, Cyber-physical systems security - a survey, IEEE Internet of Things Journal 4 (2017) 1802–1831. [23] E. R. Gri or, C. Greer, D. A. Wollman, M. J. Burns, Framework for Cyber-Physical Systems: Volume 1, Overview, Technical Report, 2017. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-201.pdf. [24] W. S. McCulloch, W. Pitts, A logical calculus of the ideas immanent in nervous activity, The bulletin of mathematical biophysics 5 (1943) 115–133. [25] F. Rosenblatt, The perceptron: a probabilistic model for information storage and organization in the brain., Psychological review 65 (1958) [26] G. Katz, C. Barrett, D. L. Dill, K. Julian, M. J. Kochenderfer, Reluplex: An ecient smt solver for verifying deep neural networks, in: International Conference on Computer Aided Verification, Springer, pp. 97–117. [27] R. Kruse, C. Borgelt, F. Klawonn, C. Moewes, M. Steinbrecher, P. Held, Multi-layer perceptrons, in: Computational Intelligence, Springer, 2013, pp. 47–81. [28] Y. LeCun, Y. Bengio, G. Hinton, Deep learning, nature 521 (2015) 436. [29] Y. LeCun, L. Bottou, Y. Bengio, P. Ha ner, et al., Gradient-based learning applied to document recognition, Proceedings of the IEEE 86 (1998) 2278–2324. [30] M. van Gerven, S. Bohte, Artificial neural networks as models of neural information processing, Frontiers Media SA, 2018. [31] D. M. Rodvold, A software development process model for artificial neural networks in critical applications, in: IJCNN’99. International Joint Conference on Neural Networks. Proceedings (Cat. No.99CH36339), volume 5, pp. 3317–3322. [32] F. Falcini, G. Lami, A. M. Costanza, Deep learning in automotive software, IEEE Software 34 (2017) 56–63. [33] J. L. Heilbron, The Oxford companion to the history of modern science, Oxford University Press, 2003. 24 [34] SAE, J3016:Taxonomy and Definitions for Terms Related to On-Road Motor Vehicle Automated Driving Systems, Standard, 2014. [35] NVIDIA, Nvidia drive:scalable ai platform for autonomous driving, https://www.nvidia.com/en-us/self-driving-cars/drive- platform/, 2018. Accessed:18-12-2018. [36] J. C. Hoskins, D. M. Himmelblau, Process control via artificial neural networks and reinforcement learning, Computers & Chemical Engineering 16 (1992) 241–251. [37] T. P. Lillicrap, J. J. Hunt, A. Pritzel, N. Heess, T. Erez, Y. Tassa, D. Silver, D. Wierstra, Continuous control with deep reinforcement learning, arXiv preprint arXiv:1509.02971 (2015). [38] S. P. K. Spielberg, R. B. Gopaluni, P. D. Loewen, Deep reinforcement learning approaches for process control, in: 2017 6th International Symposium on Advanced Control of Industrial Processes (AdCONIP), pp. 201–206. [39] G. Zhabelova, V. Vyatkin, Multiagent smart grid automation architecture based on iec 61850/61499 intelligent logical nodes, IEEE Transactions on Industrial Electronics 59 (2012) 2351–2362. [40] B. K. Bose, Artificial intelligence techniques in smart grid and renewable energy systemssome example applications, Proceedings of the IEEE 105 (2017) 2262–2273. [41] G. Robertson, E. D. Lehmann, W. Sandham, D. Hamilton, Blood glucose prediction using artificial neural networks trained with the aida diabetes simulator: a proof-of-concept pilot study, Journal of Electrical and Computer Engineering 2011 (2011) 1–11. [42] M. K. Bothe, L. Dickens, K. Reichel, A. Tellmann, B. Ellger, M. Westphal, A. A. Faisal, The use of reinforcement learning algorithms to meet the challenges of an artificial pancreas, Expert review of medical devices 10 (2013) 661–673. [43] Medtronic, Medtronic initiates u.s. launch of world’s first hybrid closed loop system for type 1 diabetes, http://newsroom.medtronic. com/phoenix.zhtml?c=251324&p=irol-newsArticle&ID=2279529, 2017. Accessed: 2018-08-25. [44] K. Sennaar, Ai in medical devices three emerging industry applications, https://www.techemergence.com/ai-medical-devices- three-emerging-industry-applications/, 2018. Accessed: 2018-08-16. [45] H. Greenspan, B. Van Ginneken, R. M. Summers, Guest editorial deep learning in medical imaging: Overview and future promise of an exciting new technique, IEEE Transactions on Medical Imaging 35 (2016) 1153–1159. [46] IEC61508:2005, Functional safety of electrical/electronic/programmable electronic safety-related systems, Standard, International Elec- trotechnical Commission, 2005. [47] ISO 26262:2011, Road vehicles – Functional safety, Standard, International Organization for Standardization, 2011. [48] G. Griessnig, A. Schnellbach, Development of the 2nd edition of the iso26262, in: J. Stolfa, S. Stolfa, R. V. O’Connor, R. Messnarz (Eds.), Systems, Software and Services Process Improvement, Springer International Publishing, 2017, pp. 535–546. [49] Hansen, Standardization E orts on Autonomous Driving Safety Barely Under Way, Technical Report, 2017. [50] A. Dosovitskiy, G. Ros, F. Codevilla, A. Lopez, V. Koltun, Carla: An open urban driving simulator, arXiv preprint arXiv:1711.03938 (2017). [51] Udacity, An open source self-driving car, https://github.com/udacity/self-driving-car, 2016. Accessed:2018-12-19. [52] K. Petersen, S. Vakkalanka, L. Kuzniarz, Guidelines for conducting systematic mapping studies in software engineering: An update, Information and Software Technology 64 (2015) 1–18. [53] M. Shahin, M. A. Babar, L. Zhu, Continuous integration, delivery and deployment: a systematic review on approaches, tools, challenges and practices, IEEE Access 5 (2017) 3909–3943. [54] P. H. Nguyen, S. Ali, T. Yue, Model-based security engineering for cyber-physical systems: A systematic mapping study, Information and Software Technology 83 (2017) 116–135. [55] D. S. Cruzes, T. Dyba, Recommended steps for thematic synthesis in software engineering, in: 2011 International Symposium on Empirical Software Engineering and Measurement, pp. 275–284. [56] A. Nguyen, J. Yosinski, J. Clune, Deep neural networks are easily fooled: High confidence predictions for unrecognizable images, pp. 427–436. [57] I. J. Goodfellow, J. Shlens, C. Szegedy, Explaining and harnessing adversarial examples, arXiv preprint arXiv:1412.6572 (2014). [58] M. Melis, A. Demontis, B. Biggio, G. Brown, G. Fumera, F. Roli, Is deep learning safe for robot vision? adversarial examples against the icub humanoid, in: 2017 IEEE International Conference on Computer Vision Workshops (ICCVW), pp. 751–759. [59] O. Bastani, Y. Ioannou, L. Lampropoulos, D. Vytiniotis, A. Nori, A. Criminisi, Measuring neural net robustness with constraints, pp. 2613–2621. [60] M. Cisse, P. Bojanowski, E. Grave, Y. Dauphin, N. Usunier, Parseval networks: Improving robustness to adversarial examples, arXiv preprint arXiv:1704.08847 (2017). [61] N. Carlini, D. Wagner, Towards evaluating the robustness of neural networks, in: 2017 IEEE Symposium on Security and Privacy (SP), pp. 39–57. [62] S. Gu, L. Rigazio, Towards deep neural network architectures robust to adversarial examples, arXiv preprint arXiv:1412.5068 (2014). [63] M. Wu, M. Wicker, W. Ruan, X. Huang, M. Kwiatkowska, A game-based approximate verification of deep neural networks with provable guarantees, arXiv preprint arXiv:1807.03571 (2018). [64] D. Gopinath, G. Katz, C. S. Pasareanu, C. Barrett, Deepsafe: A data-driven approach for checking adversarial robustness in neural networks, arXiv preprint arXiv:1710.00486 (2017). [65] F. Reuben, R. R. Curtin, S. Saurabh, A. B. Gardner, Detecting adversarial samples from artifacts, arXiv preprint arXiv:1703.00410 (2017). [66] W. Xu, D. Evans, Y. Qi, Feature squeezing: Detecting adversarial examples in deep neural networks, arXiv preprint arXiv:1704.01155 (2017). [67] M. Wicker, X. Huang, M. Kwiatkowska, Feature-guided black-box safety testing of deep neural networks, volume 10805 LNCS, Springer Verlag, 2018, pp. 408–426. [68] J. H. Metzen, T. Genewein, V. Fischer, B. Bischo , On detecting adversarial perturbations, arXiv preprint arXiv:1702.04267 (2017). [69] N. Papernot, P. McDaniel, X. Wu, S. Jha, A. Swami, Distillation as a defense to adversarial perturbations against deep neural networks, arXiv preprint arXiv:1511.04508 (2015). [70] N. Papernot, P. McDaniel, Extending defensive distillation, arXiv preprint arXiv:1705.05264 (2017). 25 [71] S. Zheng, Y. Song, T. Leung, I. Goodfellow, Improving the robustness of deep neural networks via stability training, pp. 4480–4488. [72] U. Shaham, Y. Yamada, S. Negahban, Understanding adversarial training: Increasing local stability of neural nets through robust optimiza- tion, arXiv preprint arXiv:1511.05432 (2015). [73] C. Schorn, A. Guntoro, G. Ascheid, Accurate neuron resilience prediction for a flexible reliability management in neural network accelera- tors, in: 2018 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 979–984. [74] Q. Zhang, T. Wang, Y. Tian, F. Yuan, Q. Xu, Approxann: an approximate computing framework for artificial neural network, EDA Consortium, 2015, pp. 701–706. [75] J.-C. Vialatte, F. Leduc-Primeau, A study of deep learning robustness against computation failures, arXiv preprint arXiv:1704.05396 (2017). [76] G. Li, K. Pattabiraman, C.-Y. Cher, P. Bose, Understanding error propagation in gpgpu applications, IEEE, 2016, pp. 240–251. [77] F. F. d. Santos, L. Draghetti, L. Weigel, L. Carro, P. Navaux, P. Rech, Evaluation and mitigation of soft-errors in neural network-based object detection in three gpu architectures, in: 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), pp. 169–176. [78] S. R. Manikandasriram, C. Anderson, R. Vasudevan, M. Johnson-Roberson, Failing to learn: autonomously identifying perception failures for self-driving cars [arxiv], arXiv arXiv:1707.00051 (2017) 8 pp. [79] E. M. E. Mhamdi, R. Guerraoui, S. Rouault, On the robustness of a neural network, in: 2017 IEEE 36th Symposium on Reliable Distributed Systems (SRDS), pp. 84–93. [80] G. Li, S. K. S. Hari, M. Sullivan, T. Tsai, K. Pattabiraman, J. Emer, S. W. Keckler, Understanding error propagation in deep learning neural network (dnn) accelerators and applications, in: Proceedings of the International Conference for High Performance Computing, Networking, Storage and Analysis, ACM, p. 8. [81] A. H. M. Rubaiyat, Y. Qin, H. Alemzadeh, Experimental resilience assessment of an open-source driving agent, CoRR abs/1807.06172 (2018). [82] K. Rhazali, B. Lussier, W. Schn, S. Geronimi, Fault tolerant deep neural networks for detection of unrecognizable situations, IFAC- PapersOnLine 51 (2018) 31–37. [83] S. Daftry, S. Zeng, J. A. Bagnell, M. Hebert, Introspective perception: Learning to predict failures in vision systems, in: 2016 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS), pp. 1743–1750. [84] M. O’Kelly, H. Abbas, R. Mangharam, Computer-aided design for safe autonomous vehicles, in: Resilience Week (RWS) 2017, 2017 Resilience Week (RWS), IEEE, 2017, pp. 90–6. [85] K. Pei, Y. Cao, J. Yang, S. Jana, Deepxplore: Automated whitebox testing of deep learning systems, Association for Computing Machinery, Inc, 2017, pp. 1–18. [86] Y. Tian, K. Pei, S. Jana, B. Ray, Deeptest: Automated testing of deep-neural-network-driven autonomous cars, in: Proceedings of the 40th International Conference on Software Engineering, ICSE ’18, ACM, New York, NY, USA, 2018, pp. 303–314. [87] S. Raj, S. K. Jha, A. Ramanathan, L. L. Pullum, Work-in-progress: testing autonomous cyber-physical systems using fuzzing features from convolutional neural networks, in: 2017 International Conference on Embedded Software (EMSOFT), pp. 1–2. [88] L. Ma, F. Juefei-Xu, F. Zhang, J. Sun, M. Xue, B. Li, C. Chen, T. Su, L. Li, Y. Liu, J. Zhao, Y. Wang, Deepgauge: Multi-granularity testing criteria for deep learning systems, in: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, ACM, 2018, pp. 120–131. [89] M. Zhang, Y. Zhang, L. Zhang, C. Liu, S. Khurshid, Deeproad: Gan-based metamorphic testing and input validation framework for autonomous driving systems, in: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, ACM, pp. 132–142. [90] J. Guo, Y. Jiang, Y. Zhao, Q. Chen, J. Sun, Dlfuzz: di erential fuzzing testing of deep learning systems, in: Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ACM, pp. 739–743. [91] L. Pulina, A. Tacchella, Challenging smt solvers to verify neural networks, AI Communications 25 (2012) 117–135. [92] R. Ehlers, Formal verification of piece-wise linear feed-forward neural networks, Springer, 2017, pp. 269–286. [93] L. Pulina, A. Tacchella, N e v er: a tool for artificial neural networks verification, Annals of Mathematics and Artificial Intelligence 62 (2011) 403–425. [94] S. Dutta, S. Jha, S. Sanakaranarayanan, A. Tiwari, Output range analysis for deep neural networks, arXiv preprint arXiv:1709.09130 (2017). [95] W. Xiang, H. D. Tran, T. T. Johnson, Output reachable set estimation and verification for multilayer neural networks, IEEE Transactions on Neural Networks and Learning Systems (2018) 1–7. [96] K. D. Julian, J. Lopez, J. S. Brush, M. P. Owen, M. J. Kochenderfer, Policy compression for aircraft collision avoidance systems, IEEE, 2016, pp. 1–10. [97] W. Xiang, H.-D. Tran, T. T. Johnson, Reachable set computation and safety verification for neural networks with relu activations, arXiv preprint arXiv:1712.08163 (2017). [98] G. Katz, C. Barrett, D. L. Dill, K. Julian, M. J. Kochenderfer, Reluplex: An ecient smt solver for verifying deep neural networks, in: Computer Aided Verification. CAV 2017, Springer, 2017, pp. 97–117. [99] X. Huang, M. Kwiatkowska, S. Wang, M. Wu, Safety verification of deep neural networks, in: International Conference on Computer Aided Verification, Springer, pp. 3–29. [100] N. Narodytska, S. P. Kasiviswanathan, L. Ryzhyk, M. Sagiv, T. Walsh, Verifying properties of binarized deep neural networks, arXiv preprint arXiv:1709.06662 (2017). [101] C.-H. Cheng, G. Nhrenberg, H. Ruess, Verification of binarized neural networks, arXiv preprint arXiv:1710.03107 (2018). [102] T. Dreossi, A. Donz, S. A. Seshia, Compositional falsification of cyber-physical systems with machine learning components, NASA Formal Methods, Springer International Publishing, 2017, pp. 357–372. [103] P. Mallozzi, P. Pelliccione, C. Menghi, Keeping intelligence under control, in: Proceedings of the 1st International Workshop on Software Engineering for Cognitive Services, ACM, 2018, pp. 37–40. [104] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, R. Fergus, Intriguing properties of neural networks, arXiv preprint 26 arXiv:1312.6199 (2013). [105] M. T. Ribeiro, S. Singh, C. Guestrin, Anchors: High-precision model-agnostic explanations, in: Proceedings of the 32rd AAAI Conference on Artificial Intelligence. [106] M. Sundararajan, A. Taly, Q. Yan, Axiomatic attribution for deep networks, in: Proceedings of the 34th International Conference on Machine Learning-Volume 70, pp. 3319–3328. [107] S. Bach, A. Binder, K.-R. Mller, W. Samek, Controlling explanatory heatmap resolution and semantics via decomposition depth, in: 2016 IEEE International Conference on Image Processing (ICIP), pp. 2271–2275. [108] K. Simonyan, A. Vedaldi, A. Zisserman, Deep inside convolutional networks: Visualising image classification models and saliency maps, arXiv preprint arXiv:1312.6034 (2013). [109] G. Montavon, S. Lapuschkin, A. Binder, W. Samek, K.-R. Mller, Explaining nonlinear classification decisions with deep taylor decomposi- tion, Pattern Recognition 65 (2017) 211–222. [110] D. Linsley, D. Scheibler, S. Eberhardt, T. Serre, Global-and-local attention networks for visual recognition, arXiv preprint arXiv:1805.08819 (2018). [111] Y. Dong, H. Su, J. Zhu, B. Zhang, Improving interpretability of deep neural networks with semantic information, in: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 4306–4314. [112] R. C. Fong, A. Vedaldi, Interpretable explanations of black boxes by meaningful perturbation, in: Proceedings of the IEEE International Conference on Computer Vision, pp. 3429–3437. [113] B. Zhou, A. Khosla, A. Lapedriza, A. Oliva, A. Torralba, Learning deep features for discriminative localization, in: Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 2921–2929. [114] M. A. K.-R. M. Dumitru, E. B. K. S. D. Pieter, J. Kindermans, K. T. Schtt, Learning how to explain neural networks: Patternnet and patternattribution, in: Proceedings of the International Conference on Learning Representations (2018). [115] R. Guidotti, A. Monreale, S. Ruggieri, D. Pedreschi, F. Turini, F. Giannotti, Local rule-based explanations of black box decision systems, arXiv preprint arXiv:1805.10820 (2018). [116] A. Shrikumar, P. Greenside, A. Kundaje, Learning important features through propagating activation di erences, in: Proceedings of the 34th International Conference on Machine Learning-Volume 70, JMLR. org, pp. 3145–3153. [117] S. Bach, A. Binder, G. Montavon, F. Klauschen, K.-R. Mller, W. Samek, On pixel-wise explanations for non-linear classifier decisions by layer-wise relevance propagation, PLOS ONE 10 (2015) 1–46. [118] P. Dabkowski, Y. Gal, Real time image saliency for black box classifiers, in: Advances in Neural Information Processing Systems, pp. 6967–6976. [119] A. S. Ross, M. C. Hughes, F. Doshi-Velez, Right for the right reasons: Training di erentiable models by constraining their explanations, arXiv preprint arXiv:1703.03717 (2017). [120] A. Santoro, D. Raposo, D. G. Barrett, M. Malinowski, R. Pascanu, P. Battaglia, T. Lillicrap, A simple neural network module for relational reasoning, in: Advances in neural information processing systems, pp. 4967–4976. [121] D. Smilkov, N. Thorat, B. Kim, F. Vigas, M. Wattenberg, Smoothgrad: removing noise by adding noise, arXiv preprint arXiv:1706.03825 (2017). [122] S. M. Lundberg, S.-I. Lee, A unified approach to interpreting model predictions, in: Advances in Neural Information Processing Systems, pp. 4765–4774. [123] N. Frosst, G. Hinton, Distilling a neural network into a soft decision tree, arXiv preprint arXiv:1711.09784 (2017). [124] Z. Che, S. Purushotham, R. Khemani, Y. Liu, Distilling knowledge from deep networks with applications to healthcare domain, arXiv preprint arXiv:1512.03542 (2015). [125] G. Hinton, O. Vinyals, J. Dean, Distilling the knowledge in a neural network, arXiv preprint arXiv:1503.02531 (2015). [126] K. Xu, D. H. Park, C. Yi, C. Sutton, Interpreting deep classifier by visual distillation of dark knowledge, arXiv preprint arXiv:1803.04042 (2018). [127] S. Tan, R. Caruana, G. Hooker, P. Koch, A. Gordo, Learning global additive explanations for neural nets using model distillation, arXiv preprint arXiv:1801.08640 (2018). [128] A. Nguyen, A. Dosovitskiy, J. Yosinski, T. Brox, J. Clune, Synthesizing the preferred inputs for neurons in neural networks via deep generator networks, in: Advances in Neural Information Processing Systems, pp. 3387–3395. [129] M. D. Zeiler, R. Fergus, Visualizing and understanding convolutional networks, Springer, 2014, pp. 818–833. [130] M. T. Ribeiro, S. Singh, C. Guestrin, Why should i trust you?: Explaining the predictions of any classifier, ACM, 2016, pp. 1135–1144. [131] W. Guo, D. Mu, J. Xu, P. Su, G. Wang, X. Xing, Lemna: Explaining deep learning based security applications, in: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, ACM, pp. 364–379. [132] O. Bastani, C. Kim, H. Bastani, Interpretability via model extraction, arXiv preprint arXiv:1706.09773 (2017). [133] J. J. Thiagarajan, B. Kailkhura, P. Sattigeri, K. N. Ramamurthy, Treeview: Peeking into deep neural networks via feature-space partitioning, arXiv preprint arXiv:1611.07429 (2016). [134] A. Mahendran, A. Vedaldi, Understanding deep image representations by inverting them, in: Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 5188–5196. [135] J. Deng, W. Dong, R. Socher, L. Li, and, Imagenet: A large-scale hierarchical image database, in: 2009 IEEE Conference on Computer Vision and Pattern Recognition, pp. 248–255. [136] N. Papernot, P. McDaniel, S. Jha, M. Fredrikson, Z. B. Celik, A. Swami, The limitations of deep learning in adversarial settings, IEEE, 2016, pp. 372–387. [137] Q. Lu, M. Farahani, J. Wei, A. Thomas, K. Pattabiraman, Llfi: An intermediate code-level fault injection tool for hardware faults, in: 2015 IEEE International Conference on Software Quality, Reliability and Security, IEEE, pp. 11–16. [138] S. Borkar, Designing reliable systems from unreliable components: the challenges of transistor variability and degradation, IEEE Micro 25 (2005) 10–16. [139] N. Leveson, Engineering a safer world: Systems thinking applied to safety, MIT press, 2011. 27 [140] T. Y. Chen, F.-C. Kuo, H. Liu, P.-L. Poon, D. Towey, T. H. Tse, Z. Q. Zhou, Metamorphic testing: A review of challenges and opportunities, ACM Comput. Surv. 51 (2018) 4:1–4:27. [141] M. W. Moskewicz, C. F. Madigan, Y. Zhao, L. Zhang, S. Malik, Cha : Engineering an ecient sat solver, ACM, 2001, pp. 530–535. [142] H. Zhang, Sato: An ecient prepositional prover, in: International Conference on Automated Deduction, Springer, pp. 272–275. [143] J. P. Marques-Silva, K. A. Sakallah, Grasp: A search algorithm for propositional satisfiability, IEEE Transactions on Computers 48 (1999) 506–521. [144] C. Barrett, C. Tinelli, Satisfiability modulo theories, Springer, pp. 305–343. [145] W. R. Adrion, M. A. Branstad, J. C. Cherniavsky, Validation, verification, and testing of computer software, ACM Computing Surveys (CSUR) 14 (1982) 159–192. [146] Protecting Against Common Cause Failures in Digital I&C Systems of Nuclear Power Plants, number NP-T-1.5 in Nuclear Energy Series, International Atomic Energy Agency, Vienna, 2009. [147] H. J. Vishnukumar, B. Butting, C. Muller, E. Sax, Machine learning and deep neural network - artificial intelligence core for lab and real- world test and validation for adas and autonomous vehicles: Ai for ecient and quality test and validation, in: 2017 Intelligent Systems Conference, pp. 714–21. [148] R. Ashmore, M. Hill, boxing clever: Practical techniques for gaining insights into training data and monitoring distribution shift, in: International Conference on Computer Safety, Reliability, and Security, Springer, 2018, pp. 393–405. [149] N. Jouppi, Google supercharges machine learning tasks with tpu custom chip, https://cloud.google.com/blog/products/gcp/ google-supercharges-machine-learning-tasks-with-custom-chip, 2017. Accessed: 2018-08-25. [150] NVIDIA, Partner innovation:accelerating automotive breakthroughs, https://www.nvidia.com/en-us/self-driving-cars/ partners/, 2018. Accessed:2018-12-19. [151] WAYMO, Waymo Safety Report : On the Road to Fully Self-Driving, Technical Report, 2017. https://www.bbc.com/news/ technology-35692845. [152] GoogleCloud, Google Infrastructure Security Design Overview, Technical Report, 2017. https://cloud.google.com/security/ infrastructure/design/. [153] GM, Self-driving safety report, Technical Report, 2018. https://www.gm.com/our-stories/self-driving-cars.html. [154] S. Shalev-Shwartz, S. Shammah, A. Shashua, On a Formal Model of Safe and Scalable Self-driving Cars, arXiv e-prints (2017) arXiv:1708.06374. [155] Mobileye, Mobileye:sensing the future, https://www.mobileye.com/, 2018. Accessed:2018-12-19. [156] Tesla, Tesla vehicle safety report, https://www.tesla.com/VehicleSafetyReport, 2018. Accessed: 2019-11-01. [157] Tesla, Your tesla is learning to drive by itself, https://evannex.com/blogs/news, 2019. Accessed: 2019-11-01. [158] A. Adadi, M. Berrada, Peeking inside the black-box: A survey on explainable artificial intelligence (xai), IEEE Access 6 (2018) 52138– [159] F. M. Hohman, M. Kahng, R. Pienta, D. H. Chau, Visual analytics in deep learning: An interrogative survey for the next frontiers, IEEE Transactions on Visualization and Computer Graphics (2018) 1–1. [160] S. Khan, D. Paul, P. Momtahan, M. Aloqaily, Artificial intelligence framework for smart city microgrids: State of the art, challenges, and opportunities, Institute of Electrical and Electronics Engineers Inc., 2018, pp. 283–288. [161] A. Arpteg, B. Brinne, L. Crnkovic-Friis, J. Bosch, Software engineering challenges of deep learning, in: 2018 44th Euromicro Conference on Software Engineering and Advanced Applications (SEAA), pp. 50–59. [162] K. Scheibler, L. Winterer, R. Wimmer, B. Becker, Towards verification of artificial neural networks, pp. 30–40. [163] G. Katz, C. Barrett, D. L. Dill, K. Julian, M. J. Kochenderfer, Towards proving the adversarial robustness of deep neural networks, arXiv preprint arXiv:1709.02802 (2017). [164] L. Kuper, G. Katz, J. Gottschlich, K. Julian, C. Barrett, M. Kochenderfer, Toward scalable verification for safety-critical deep networks, arXiv preprint arXiv:1801.05950 (2018). 28 Appendix A. Selected studies (sorted based on publication year) S ID Author(s) Year Title Publication Venue [93] Pulina, L. and A. Tacchella 2011 NeVer: a tool for artificial neural networks verifica- Annals of Mathematics and Artifi- tion cial Intelligence [91] Pulina, L. and A. Tacchella 2012 Challenging SMT solvers to verify neural networks AI Communications [108] Simonyan, K., A. Vedaldi 2013 Deep inside convolutional networks: Visualising im- arXiv preprint and A. Zisserman age classification models and saliency maps [104] Szegedy, C., W. Zaremba, 2013 Intriguing properties of neural networks arXiv preprint I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow and R. Fergus [57] Goodfellow, I. J., J. Shlens 2014 Explaining and Harnessing Adversarial Examples International Conference on Learn- and C. Szegedy ing Representations (ICLR) [62] Gu, S. and L. Rigazio 2014 Towards deep neural network architectures robust to International Conference on Learn- adversarial examples ing Representations (ICLR) [129] Zeiler, M. D. and R. Fer- 2014 Visualizing and understanding convolutional net- European conference on computer gus works vision [74] Zhang, Q., T. Wang, Y. 2015 ApproxANN: an approximate computing framework Design, Automation & Test in Eu- Tian, F. Yuan and Q. Xu for artificial neural network rope Conference & Exhibition [124] Che, Z., S. Purushotham, 2015 Distilling knowledge from deep networks with appli- arXiv preprint R. Khemani and Y. Liu cations to healthcare domain [125] Hinton, G., O. Vinyals and 2015 Distilling the knowledge in a neural network arXiv preprint J. Dean [56] Nguyen, A., J. Yosinski 2015 Deep neural networks are easily fooled: High confi- IEEE Conference on Computer and J. Clune dence predictions for unrecognizable images Vision and Pattern Recognition (CVPR) [117] Bach, S., A. Binder, G. 2015 On pixel-wise explanations for non-linear classifier PloS one Montavon, F. Klauschen, decisions by layer-wise relevance propagation K.-R. Mller and W. Samek [162] Scheibler, K., L. Winterer, 2015 Towards Verification of Artificial Neural Networks Workshop on Methods and De- R. Wimmer and B. Becker scription Languages for Modeling and Verification of Circuits and Systems (MBMV) [72] Shaham, U., Y. Yamada 2015 Understanding adversarial training: Increasing local arXiv preprint and S. Negahban stability of neural nets through robust optimization [134] Mahendran, A. and A. 2015 Understanding deep image representations by invert- IEEE conference on computer vi- Vedaldi ing them sion and pattern recognition [107] Bach, S., A. Binder, K.-R. 2016 Controlling explanatory heatmap resolution and se- IEEE International Conference on Mller and W. Samek mantics via decomposition depth Image Processing (ICIP) [69] Papernot, N., P. McDaniel, 2016 Distillation as a defense to adversarial perturbations IEEE Symposium on Security & X. Wu, S. Jha and A. against deep neural networks Privacy Swami [71] Zheng, S., Y. Song, T. Le- 2016 Improving the robustness of deep neural networks via IEEE conference on computer vi- ung and I. Goodfellow stability training sion and pattern recognition [83] Daftry, S., S. Zeng, J. A. 2016 Introspective perception: Learning to predict failures IEEE/RSJ International Conference Bagnell and M. Hebert in vision systems on Intelligent Robots and Systems (IROS) [113] Zhou, B., A. Khosla, A. 2016 Learning deep features for discriminative localization IEEE conference on computer vi- Lapedriza, A. Oliva and A. sion and pattern recognition Torralba [59] Bastani, O., Y. Ioannou, L. 2016 Measuring neural net robustness with constraints Advances in neural information Lampropoulos, D. Vytini- processing systems otis, A. Nori and A. Crim- inisi [116] Shrikumar, A., P. Green- 2016 Not just a black box: Interpretable deep learning by arXiv Preprint side, A. Shcherbina and A. propagating activation di erences Kundaje [96] Julian, K. D., J. Lopez, J. 2016 Policy compression for aircraft collision avoidance IEEE/AIAA international confer- S. Brush, M. P. Owen and systems ence on Digital Avionics Systems M. J. Kochenderfer Conference (DASC) [128] Nguyen, A., A. Dosovit- 2016 Synthesizing the preferred inputs for neurons in neu- Advances in Neural Information skiy, J. Yosinski, T. Brox ral networks via deep generator networks Processing Systems and J. Clune 29 S ID Author(s) Year Title Publication Venue [133] Thiagarajan, J. J., B. 2016 TreeView: Peeking into deep neural networks via arXiv preprint Kailkhura, P. Sattigeri and feature-space partitioning K. N. Ramamurthy [76] Li, G., K. Pattabiraman, 2016 Understanding error propagation in GPGPU applica- International Conference on High C.-Y. Cher and P. Bose tions Performance Computing, Network- ing, Storage and Analysis [130] Ribeiro, M. T., S. Singh 2016 Why should i trust you?: Explaining the predictions ACM SIGKDD International Con- and C. Guestrin of any classifier ference on Knowledge Discovery and Data Mining [106] Sundararajan, M., A. Taly 2017 Axiomatic attribution for deep networks International Conference on Ma- and Q. Yan chine Learning [84] O’Kelly, M., H. Abbas and 2017 Computer-aided design for safe autonomous vehicles Resilience Week (RWS) R. Mangharam [102] Tommaso DreossiAlexan- 2017 Compositional Falsification of Cyber-Physical Sys- NASA Formal Methods dre DonzSanjit A. Seshia tems with Machine Learning Components [86] Tian, Y., K. Pei, S. Jana 2017 DeepTest: Automated testing of deep-neural- arXiv preprint and B. Ray network-driven autonomous cars [65] Reuben, F., R. R. Curtin, 2017 Detecting Adversarial Samples from Artifacts arXiv preprint S. Saurabh and A. B. Gardner [123] Frosst, N. and G. Hinton 2017 Distilling a Neural Network Into a Soft Decision Tree arXiv preprint [85] Pei, K., Y. Cao, J. Yang 2017 DeepXplore: Automated Whitebox Testing of Deep ACM Symposium on Operating and S. Jana Learning Systems Systems Principles (SOSP) [64] Gopinath, D., G. Katz, C. 2017 Deepsafe: A data-driven approach for checking ad- arXiv preprint S. Pasareanu and C. Bar- versarial robustness in neural networks rett [109] Montavon, G., S. La- 2017 Explaining nonlinear classification decisions with Pattern Recognition puschkin, A. Binder, W. deep Taylor decomposition Samek and K.-R. Mller [77] Santos, F. F. d., L. 2017 Evaluation and Mitigation of Soft-Errors in Neural IEEE/IFIP International Confer- Draghetti, L. Weigel, L. Network-Based Object Detection in Three GPU Ar- ence on Dependable Systems and Carro, P. Navaux and P. chitectures Networks Workshops (DSN-W) Rech [70] Papernot, N. and P. Mc- 2017 Extending defensive distillation arXiv preprint Daniel [92] Ehlers, R. 2017 Formal verification of piece-wise linear feed-forward International Symposium on Auto- neural networks mated Technology for Verification and Analysis [78] Manikandasriram, S. R., 2017 Failing to learn: autonomously identifying perception arXiv preprint C. Anderson, R. Vasude- failures for self-driving cars van and M. Johnson- Roberson [66] Xu, W., D. Evans and Y. Qi 2017 Feature squeezing: Detecting adversarial examples in Network and Distributed Systems deep neural networks Security Symposium (NDSS) [111] Dong, Y., H. Su, J. Zhu 2017 Improving interpretability of deep neural networks IEEE Conference on Computer Vi- and B. Zhang with semantic information sion and Pattern Recognition [132] Bastani, O., C. Kim and H. 2017 Interpretability via model extraction arXiv preprint Bastani [112] Fong, R. C. and A. Vedaldi 2017 Interpretable explanations of black boxes by mean- IEEE International Conference on ingful perturbation Computer Vision [58] Melis, M., A. Demontis, 2017 Is Deep Learning Safe for Robot Vision? Adversarial IEEE International Conference on B. Biggio, G. Brown, G. Examples Against the iCub Humanoid Computer Vision Workshops (IC- Fumera and F. Roli CVW) [147] Vishnukumar, H. J., B. 2017 Machine learning and deep neural network - artificial Intelligent Systems Conference (In- Butting, C. Muller and E. intelligence core for lab and real-world test and val- telliSys) Sax idation for ADAS and autonomous vehicles: AI for ecient and quality test and validation [79] Mhamdi, E. M. E., R. 2017 On the Robustness of a Neural Network IEEE Symposium on Reliable Dis- Guerraoui and S. Rouault tributed Systems (SRDS) [68] Metzen, J. H., T. Ge- 2017 On detecting adversarial perturbations International Conference on Learn- newein, V. Fischer and B. ing Representations (ICLR) Bischo 30 S ID Author(s) Year Title Publication Venue [94] Dutta, S., S. Jha, S. 2017 Output range analysis for deep neural networks arXiv preprint Sanakaranarayanan and A. Tiwari [60] Cisse, M., P. Bojanowski, 2017 Parseval networks: Improving robustness to adversar- arXiv preprint E. Grave, Y. Dauphin and ial examples N. Usunier [97] Xiang, W., H.-D. Tran and 2017 Reachable set computation and safety verification for arXiv preprint T. T. Johnson neural networks with ReLU activations [98] Katz, G., C. Barrett, D. L. 2017 Reluplex: An ecient SMT solver for verifying deep International Conference on Com- Dill, K. Julian and M. J. neural networks puter Aided Verification (CAV) Kochenderfer [118] Dabkowski, P. and Y. Gal 2017 Real time image saliency for black box classifiers Advances in Neural Information Processing Systems (NIPS) [119] Ross, A. S., M. C. Hughes 2017 Right for the right reasons: Training di erentiable arXiv preprint and F. Doshi-Velez models by constraining their explanations [75] Vialatte, J.-C. and F. 2017 A Study of Deep Learning Robustness Against Com- arXiv preprint Leduc-Primeau putation Failures [120] Santoro, A., D. Raposo, 2017 A simple neural network module for relational rea- Advances in Neural Information D. G. Barrett, M. Ma- soning Processing Systems (NIPS) linowski, R. Pascanu, P. Battaglia and T. Lillicrap [99] Huang, X. W., M. 2017 Safety Verification of Deep Neural Networks International Conference on Com- Kwiatkowska, S. Wang puter Aided Verification and M. Wu [121] Smilkov, Daniel and Tho- 2017 Smoothgrad: removing noise by adding noise arXiv preprint rat, Nikhil and Kim, Been and Vigas, Fernanda and Wattenberg, Martin [61] Carlini, N. and D. Wagner 2017 Towards Evaluating the Robustness of Neural Net- IEEE Symposium on Security and works Privacy (SP) [163] Katz, G., C. Barrett, D. L. 2017 Towards proving the adversarial robustness of deep arXiv Preprint Dill, K. Julian and M. J. neural networks Kochenderfer [80] Li, G., S. K. S. Hari, M. 2017 Understanding error propagation in deep learning International Conference for High Sullivan, T. Tsai, K. Pat- neural network (DNN) accelerators and applications Performance Computing, Network- tabiraman, J. Emer and S. ing, Storage and Analysis W. Keckler [122] Lundberg, S. M. and S.-I. 2017 A unified approach to interpreting model predictions Advances in Neural Information Lee Processing Systems (NIPS) [100] Narodytska, N., S. P. Ka- 2017 Verifying properties of binarized deep neural net- arXiv preprint siviswanathan, L. Ryzhyk, works M. Sagiv and T. Walsh [87] Raj, S., S. K. Jha, A. Ra- 2017 Work-in-progress: testing autonomous cyber- International Conference on Em- manathan and L. L. Pul- physical systems using fuzzing features from bedded Software (EMSOFT) lum convolutional neural networks [73] Schorn, C., A. Guntoro 2018 Accurate neuron resilience prediction for a flexible re- Design, Automation & Test in and G. Ascheid liability management in neural network accelerators Europe Conference & Exhibition (DATE) [105] Ribeiro, M. T., S. Singh 2018 Anchors: High-precision model-agnostic explana- AAAI Conference on Artificial In- and C. Guestrin tions telligence [88] Ma, L., F. Juefei-Xu, F. 2018 DeepGauge: multi-granularity testing criteria for ACM/IEEE International Confer- Zhang, J. Sun, M. Xue, B. deep learning systems ence on Automated Software Engi- Li, C. Chen, T. Su, L. Li neering and Y. Liu [89] Zhang, M., Y. Zhang, L. 2018 DeepRoad: GAN-based metamorphic testing and in- ACM/IEEE International Confer- Zhang, C. Liu and S. put validation framework for autonomous driving sys- ence on Automated Software Engi- Khurshid tems. neering [90] Guo, J., Y. Jiang, Y. Zhao, 2018 DLFuzz: di erential fuzzing testing of deep learning ACM Joint Meeting on European Q. Chen and J. Sun systems Software Engineering Conference and Symposium on the Foundations of Software Engineering [81] Rubaiyat, A. H. M., 2018 Experimental Resilience Assessment of An Open- arXiv preprint Q. Yongming and H. Source Driving Agent Alemzadeh 31 S ID Author(s) Year Title Publication Venue [82] Rhazali, K., B. Lussier, W. 2018 Fault Tolerant Deep Neural Networks for Detection IFAC-PapersOnLine Schn and S. Geronimi of Unrecognizable Situations [67] Wicker, M., X. Huang and 2018 Feature-guided black-box safety testing of deep neu- International Conference on Tools M. Kwiatkowska ral networks and Algorithms for the Construc- tion and Analysis of Systems (TACAS) [110] Linsley, D., D. Scheibler, 2018 Global-and-local attention networks for visual recog- arXiv preprint S. Eberhardt and T. Serre nition [63] Wu, M., M. Wicker, W. 2018 A Game-Based Approximate Verification of Deep arXiv preprint Ruan, X. Huang and M. Neural Networks with Provable Guarantees Kwiatkowska [126] Xu, K., D. H. Park, C. Yi 2018 Interpreting Deep Classifier by Visual Distillation of arXiv preprint and C. Sutton Dark Knowledge [103] Mallozzi, P., P. Pelliccione 2018 Keeping intelligence under control. International Workshop on Soft- and C. Menghi ware Engineering for Cognitive Services [115] Guidotti, R., A. Monreale, 2018 Local rule-based explanations of black box decision arXiv preprint S. Ruggieri, D. Pedreschi, systems F. Turini and F. Giannotti [131] Guo, W., D. Mu, J. Xu, P. 2018 LEMNA: Explaining Deep Learning based Security ACM SIGSAC Conference on Su, G. Wang and X. Xing Applications Computer and Communications Security [127] Tan, S., R. Caruana, G. 2018 Learning Global Additive Explanations for Neural arXiv preprint Hooker, P. Koch and A. Nets Using Model Distillation Gordo [114] Dumitru, M. A. K.-R. M., 2018 Learning how to explain neural networks: Patternnet International Conference on Learn- E. B. K. S. D. Pieter, and patternattribution ing Representations (ICLR) J. Kindermans and K. T. Schtt [95] Xiang, W., H. D. Tran and 2018 Output Reachable Set Estimation and Verification for IEEE Transactions on Neural Net- T. T. Johnson Multilayer Neural Networks works and Learning Systems [164] Kuper, L., G. Katz, J. 2018 Toward scalable verification for safety-critical deep arXiv preprint Gottschlich, K. Julian, C. networks Barrett and M. Kochender- fer [101] Cheng, C.-H., G. Nhren- 2018 Verification of binarized neural networks arXiv preprint berg and H. Ruess

Journal

Electrical Engineering and Systems SciencearXiv (Cornell University)

Published: Oct 5, 2019

References