Cyber-Physical Systems (CPSs), such as those found within autonomous vehicles, are increasingly adopting Artificial Neural Network (ANN)-based controllers. To ensure the safety of these controllers, there has been a spate of recent activity to formally verify the ANN-based designs. There are two challenges with these approaches: (1) the verification of such systems is difficult and time consuming; (2) the verified controllers are not able to adapt to frequent requirement changes, which are typical in situations like autonomous driving. This raises the question: how can trained and verified controllers, which have gone through expensive training and verification processes, be re-used to deal with requirement changes? This paper addresses this challenge for the first time by proposing a new framework that is capable of dealing with requirement changes at runtime through a mechanism we term runtime interchange. Our approach functions via a continual exchange and selection process over multiple pre-verified controllers. It represents a key step on the way to component-oriented engineering for intelligent designs, as it preserves the behaviours of the original controllers while introducing additional functionality. To demonstrate the efficacy of our approach we utilise an existing autonomous driving case study as well as a set of smaller benchmarks. These show that the introduced overheads are extremely minimal and that the approach is very scalable.