1 Introduction
The Airborne Collision Avoidance System (ACAS) is crucial for aircraft safety [10]. The system aims to avoid collisions with intruding aircraft by automatically controlling the aircraft or advising a human operator to take action. ACAS typically takes low-dimensional sensory inputs, including the distance, direction, and speed of the intruder and ownship aircraft, and provides a control policy, which is a valuation of a set of candidate actions such as "weak left" or "strong right". Recent work has formulated aircraft dynamics under uncertainties, such as advisory response delay, as a partially observable Markov decision process for which dynamic programming can be used to compute values for different actions
[11]. The value function computed via dynamic programming is often stored in a lookup table with millions of entries [12] that requires gigabytes of storage. While this table could, in principle, be used to implement ACAS, the high storage demand makes it too costly to embed in practical flight control systems. This situation has motivated the development of table compression techniques, including block compression with reduced floating-point precision [13] and decision trees
[6]. Recently, neural networks have emerged as an efficient alternative for compressing the lookup tables in ACAS Xu (ACAS X for unmanned aircraft) by approximating the value function with small neural networks. Specifically, Julian et al. [6] compresses the two-gigabyte lookup table into 45 neural networks with 2.4 MB of storage, where each network handles a partition of the input space.
Katz et al. [9] proposes a set of safety properties for the ACAS Xu networks, such as that a "strong right" advisory should be given when a nearby intruder is approaching from the left. These safety properties have served as a valuable benchmark to motivate and evaluate multiple verification algorithms [9, 19, 15, 17, 1]. Such verifiers typically need to perform exact or conservative analysis of the internal neural network computation [14, 18]. Unfortunately, neural network verification is an NP-complete problem [9], so verifiers need exponential running time in the worst case and can be very slow in practice. In particular, Bak et al. [1] recently presented the first verifier able to analyze the properties in the ACAS Xu benchmarks within a time limit of 10 minutes for each case, but their verifier still needs 1.7 hours to analyze one of the properties.
In summary, previous techniques perform the following steps to obtain and verify their neural network controllers for ACAS:

Compute a lookup table containing the scores of different actions given sensory states via dynamic programming.

Train neural networks to approximate the lookup table.

In deployed systems, use the neural networks to provide control advisories.

At run time, the networks give interpolated scores for states not present in the original lookup table.

Adopt neural network verifiers that analyze the internal computation of the networks to check whether the networks meet certain safety specifications.

We propose instead to verify neural networks with low-dimensional inputs, such as the ACAS Xu networks, via input quantization and state enumeration. Specifically, we prepend a quantization layer to the network so that all internal computation is performed on the discretized input space. Our proposed technique performs the following steps to obtain and verify a quantized neural network:

We take a pre-trained network and prepend an input quantization layer to it. The input quantization should be compatible with the original lookup table, i.e., it should preserve the grid points of the lookup table.

In deployed systems, sensory inputs are first quantized by the input quantization layer. The original network then computes the scores for the quantized input.

At run time, the quantization process is equivalent to nearest-neighbor interpolation.

To verify the network for any specification, we enumerate all quantized states within the constraint of the specification and check if the network outputs meet the specification.
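The steps above can be sketched in a few lines of Python. This is a minimal illustration, not the actual system: the network `net`, the per-dimension grids, and the predicates below are all hypothetical placeholders.

```python
# Sketch of verification via input quantization and state enumeration.
from itertools import product

def quantize(x, grids):
    """Map each coordinate to its nearest value in that dimension's grid
    (equivalent to nearest-neighbor interpolation)."""
    return tuple(min(g, key=lambda v: abs(v - xi)) for xi, g in zip(x, grids))

def quantized_net(net, x, grids):
    """The deployed network: input quantization followed by the original net."""
    return net(quantize(x, grids))

def verify(net, grids, pre, post):
    """Check post(net(x)) for every quantized state x satisfying pre.
    Exact because the quantized input space is finite."""
    for x in product(*grids):          # enumerate all quantized states
        if pre(x) and not post(net(x)):
            return x                   # counterexample found
    return None                        # property holds

# Toy usage: a 2-D "network" and a property that holds on the whole grid.
grids = [[0.0, 1.0, 2.0], [0.0, 0.5]]
net = lambda x: x[0] + x[1]
assert quantize((1.3, 0.2), grids) == (1.0, 0.0)
assert quantized_net(net, (1.3, 0.2), grids) == 1.0
assert verify(net, grids, pre=lambda x: True, post=lambda y: y <= 2.5) is None
```

The cost of `verify` is bounded by one network evaluation per grid point, independent of the specification being checked.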

Our method provides the following desirable features:

Our method provides acceptable runtime accuracy for ACAS Xu. Our input quantization is equivalent to nearest-neighbor interpolation and gives results identical to the original continuous network on the table grid points. Julian et al. [6] has shown that nearest-neighbor interpolation on the lookup table for runtime sensory inputs provides effective collision avoidance advisories in simulation.

Our method enables efficient verification. Verifying the input-quantized networks for any safety specification takes nearly constant time, bounded by the cost of evaluating the network on all the grid points in the quantized space. Multiple specifications can be verified simultaneously by evaluating the network on the grid once and checking the input and output conditions for each property. Our method provides a verification speedup of tens of thousands of times over the ReluVal [19] verifier.

Many existing verifiers do not accurately model floating-point arithmetic due to efficiency considerations, thus giving potentially incorrect verification results [5]. For example, Wang et al. [19] reports that Reluplex [9] occasionally produces false adversarial examples due to floating-point error. By contrast, our verification result is exact (i.e., complete and sound) and does not suffer from floating-point error, because we combine input quantization with complete enumeration of the effective input space. Moreover, input quantization allows verifying directly on the target implementation, or on an accurate simulation of it, and therefore provides trustworthy safety guarantees for a given neural network inference implementation.

Our technique allows easily verifying more complicated network architectures, such as continuous-depth models [2]. Our verification only needs an efficient inference implementation for the network. By contrast, extending other neural network verifiers to new network architectures requires significant effort.
We recommend input quantization for neural networks with low-dimensional inputs as long as the quantization provides sufficient accuracy for the target application and the quantized space is small enough to allow efficient enumeration. This technique enables efficient, exact, and robust verification and provides reliable performance on the deployed platform.
2 Method
We now formally describe our input-quantization method. This paper uses bold symbols for vectors and regular symbols for scalars. Superscripts denote derived mathematical objects or exponentiation, depending on the context.
Let $f: \mathbb{R}^d \to \mathbb{R}^m$ denote the computation of a neural network on a $d$-dimensional input space, with $d$ being a small number. We propose to use a quantized version of the network for both training and inference, defined as

$\overline{f}(x) = f(q(x))$  (1)

where $q: \mathbb{R}^d \to \overline{X}$ is the quantization function, with $\overline{X} \subset \mathbb{R}^d$ being a finite-sized set. For a specification $\forall x: P(x) \implies Q(f(x))$, where $P$ and $Q$ are predicates, we verify $\overline{f}$ regarding this specification by checking:

$\forall \overline{x} \in \overline{X}_P: Q(\overline{f}(\overline{x}))$  (2)

where $\overline{X}_P = \{\, q(x) \mid P(x) \,\}$. Since $\overline{X}_P \subseteq \overline{X}$, the complexity of verifying the specification is bounded by $O(|\overline{X}|)$ evaluations of the network.
We quantize each dimension of the input independently, via $q(x) = (q_1(x_1), \ldots, q_d(x_d))$. Note that if some of the dimensions are highly correlated in an application, we can quantize them together to avoid a complete Cartesian product and thus reduce the size of the quantized space.
In many cases, the input space is uniformly quantized. Previous work has utilized uniform input quantization for neural network verification [20, 4] and uniform computation quantization for efficient neural network inference [3]. Given a quantization step $s$ and a bias value $b$, we define a uniform quantization function as:

$q_i(x) = s \cdot \lfloor (x - b) / s \rceil + b$  (3)

where $\lfloor \cdot \rceil$ denotes rounding to the nearest integer.
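Equation (3) can be illustrated with a short Python sketch; the `step` and `bias` arguments stand in for the quantization step and bias value described above.

```python
def uniform_quantize(x, step, bias):
    """Uniform quantization per equation (3): snap x to the nearest point
    on the grid {bias + k*step}. Note that Python's round() breaks exact
    ties toward even integers (banker's rounding)."""
    return step * round((x - bias) / step) + bias

# 7.2 is closer to 5.0 than to 10.0 on the grid {0, 5, 10, ...}.
assert uniform_quantize(7.2, step=5.0, bias=0.0) == 5.0
assert uniform_quantize(-0.3, step=0.25, bias=0.0) == -0.25
```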
In other cases, the set of quantized values is essentially determined according to prior knowledge about the target application and may thus be non-uniform. Let $V_i$ denote the range of $q_i$. We use nearest-neighbor matching for non-uniform quantization:

$q_i(x) = \operatorname{argmin}_{v \in V_i} |x - v|$  (4)
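For non-uniform values, the nearest neighbor of equation (4) can be found with a binary search over the sorted value set. This is a generic sketch; the value list below is made up for illustration.

```python
import bisect

def nearest_neighbor(x, values):
    """Return the element of the sorted list `values` closest to x (eq. (4))."""
    i = bisect.bisect_left(values, x)
    if i == 0:
        return values[0]
    if i == len(values):
        return values[-1]
    lo, hi = values[i - 1], values[i]
    # Prefer the lower value on exact ties.
    return lo if x - lo <= hi - x else hi

values = [0.0, 5.0, 25.0, 100.0]  # hypothetical non-uniform grid
assert nearest_neighbor(12.0, values) == 5.0
assert nearest_neighbor(70.0, values) == 100.0
```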
The ACAS Xu networks are trained on a lookup table defined on a finite set of grid points $X_T$. We choose the quantization scheme so that it preserves the grid points, formally $q(x) = x$ for all $x \in X_T$. In this way, the training processes of $f$ and $\overline{f}$ are identical. In fact, we directly prepend $q$ as an input quantization layer to a pre-trained network to obtain $\overline{f}$. Note that we can use a quantization denser than the grid points in $X_T$, so that prediction accuracy might improve by using the neural network as an interpolator.
3 Experiments
We evaluate our method by checking the safety properties of the ACAS Xu networks [9]. Note that the accuracy of input-quantized networks in deployed systems is acceptable, since the quantization is equivalent to nearest-neighbor interpolation, which has been shown to provide effective collision avoidance advisories in simulation [6].
Experiments in this section focus on evaluating the runtime overhead of input quantization and the actual speed of verification by enumerating quantized states. We train two networks of different sizes to evaluate the scalability of the proposed method.
3.1 Experimental Setup
The horizontal CAS problem takes seven inputs as described in Table 1, and generates one of the five possible advisories: COC (clear of conflict), WL (weak left), WR (weak right), SL (strong left), and SR (strong right).
| Symbol | Description | Values in the lookup table |
| $\rho$ (m) | Distance from ownship to intruder | 32 values between 0 and 56000 ^{1} |
| $\theta$ (rad) | Angle to intruder ^{2} | 41 evenly spaced values between $-\pi$ and $\pi$ |
| $\psi$ (rad) | Heading angle of intruder ^{2} | 41 evenly spaced values between $-\pi$ and $\pi$ |
| $v_{own}$ (m/s) | Speed of ownship | |
| $v_{int}$ (m/s) | Speed of intruder | |
| $\tau$ (sec) | Time until loss of vertical separation | |
| $a_{prev}$ | Previous advisory | {COC, WL, WR, SL, SR} |

^{1} Distance values are non-uniformly distributed. They are given in the source code of Julian and Kochenderfer [7]: https://github.com/sisl/HorizontalCAS/blob/cd72ffc073240bcd4f0eb9164f441d3ad3fdc074/GenerateTable/mdp/constants.jl#L19

^{2} Angle is measured relative to the ownship heading direction.
Table 1: Description of horizontal CAS inputs. The last column describes the values used to generate the lookup table, which are taken from the open-source implementation of HorizontalCAS [7] and Appendix VI of Katz et al. [9].

Julian et al. [8] proposes to train a collection of neural networks, where each network works with one pair of specific $(\tau, a_{prev})$ values, takes the remaining five values as network inputs, and approximates the corresponding scores in the lookup table. Although ACAS only needs to suggest the action with the maximal score, the network is still trained to approximate the original scores in the table, instead of directly giving the best action, because the numerical scores are used in a Kalman filter to improve system robustness in the face of state measurement uncertainty [8]. In order to maintain the action recommendation of the original table while reducing the score approximation error, Julian et al. [8] adopts an asymmetric loss function that imposes a higher penalty when the network and the lookup table give different action advisories.
Katz et al. [9] proposes a few ACAS Xu safety properties as a sanity check for the networks trained by Julian et al. [8]. These properties have also served as a useful benchmark for many neural network verifiers. Although the pre-trained networks of Julian et al. [8] are publicly accessible, the authors told us that they could not provide the training data or the source code for regulatory reasons. They suggested that we use their open-source HorizontalCAS system [7] to generate the lookup tables and train our own networks. However, HorizontalCAS networks differ from the original ACAS Xu networks in that they have only three inputs, obtained by fixing $v_{own}$ and $v_{int}$. We modified the source code of HorizontalCAS to match the input description in Table 1 so that we can directly use the ReluVal [19] verifier.
We evaluate our method by analyzing one of the properties proposed in Katz et al. [9], which usually takes the longest time to verify among all the properties for many verifiers [9, 19, 16]. Other properties share a similar form but have different input constraints and output requirements. Note that this property is the most compatible with the open-source HorizontalCAS, because the input constraints of the other properties are beyond the ranges in Table 1. For example, one property constrains an input to values beyond the table ranges, but the quantization scheme of that input for the original ACAS Xu networks is not publicly available.
The specification of the property is:

Description: Even if the previous advisory was "weak right", the presence of a nearby intruder will cause the network to output a "strong left" advisory instead.

Tested on: the network trained with $a_{prev} = \text{WR}$ and the corresponding $\tau$ value.

Input constraints: ranges on $\rho$, $\theta$, $\psi$, $v_{own}$, and $v_{int}$ as given in Katz et al. [9].
We conduct the experiments on a workstation equipped with two GPUs (an NVIDIA Titan RTX and an NVIDIA GeForce RTX 2070 SUPER), 128 GiB of RAM, and an AMD Ryzen Threadripper 2970WX processor. We train two neural networks for the property (i.e., with the corresponding $\tau$ and $a_{prev}$ values) with PyTorch.
Our small network has five hidden layers with 50 neurons in each layer, and our large network has seven hidden layers with 100 neurons in each layer. We use the ReLU activation.
We implement the nearest-neighbor quantization for $\rho$ by directly indexing a lookup table. The greatest common divisor of the differences between adjacent quantized values is 5. Therefore, we precompute a lookup table $L$ such that $L[\lfloor x / 5 \rceil]$ is the nearest neighbor of $x$ in the set of quantized values. We use the torch.index_select operator provided by PyTorch to take elements from the lookup table in a batched manner. The other network inputs use uniform quantization as described in Table 1. We implement uniform quantization according to equation (3).
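The lookup-table trick can be sketched in plain Python; the batched PyTorch version replaces the final indexing with torch.index_select. The distance values below are made up for illustration, chosen so that the differences between adjacent values share the common divisor 5.

```python
# Hypothetical quantized distance values (gaps: 5, 15, 15; GCD of gaps is 5).
values = [0, 5, 20, 35]

# Precompute table[k] = nearest neighbor of 5*k among `values`.
table = [min(values, key=lambda v: abs(v - 5 * k))
         for k in range(values[-1] // 5 + 1)]

def quantize_rho(x):
    """Nearest-neighbor quantization via one rounding step and one lookup."""
    k = min(max(round(x / 5), 0), len(table) - 1)  # clamp to the table range
    return table[k]

assert quantize_rho(11.0) == 5
assert quantize_rho(13.0) == 20
assert quantize_rho(999.0) == 35  # out-of-range inputs clamp to the last value
```

Rounding to a multiple of 5 first is what makes a small precomputed table sufficient: the table only needs one entry per multiple of the common divisor, not one per representable input.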
3.2 Experimental Results
| Metric | Small network | Large network |
| Policy accuracy | 96.87% | 98.54% |
| Score error | 0.052 | 0.026 |
| Score error | | |
Let $s_i$ (resp. $\hat{s}_i$) denote the scores given by the network (resp. the original lookup table) for the five candidate actions on the $i$-th lookup table entry. We consider three accuracy measurements, assuming a uniform distribution of the table index $i$:

Policy accuracy is the probability that the network recommends the same action as the original lookup table. Formally, it is $\Pr_i[\operatorname{argmax}(s_i) = \operatorname{argmax}(\hat{s}_i)]$.

The two score error metrics measure the error of the approximated scores via norms of the difference $s_i - \hat{s}_i$.
Table 2 presents the accuracies achieved by our networks, which shows that our training achieves comparable results as the HorizontalCAS system [7].
To verify the networks, we prepend an input quantization layer that implements the quantization scheme given in Table 1. To verify any specification, or a set of specifications, we evaluate the network on all the 860,672 points in the quantized space and check whether each input/output pair meets the specification(s). Evaluating the network on the grid points takes 0.384 seconds for the small network and 0.866 seconds for the large one. We evaluate the network on multiple inputs in a batched manner to benefit from the optimized numerical computing routines included in PyTorch. Adding the quantization layer incurs about 2% runtime overhead. We do not do any performance engineering and use the off-the-shelf implementation provided by PyTorch; our verification speed can be further improved by using multiple CPU cores or the GPU.
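Checking several specifications in a single pass over the grid can be sketched as follows. The toy net, grids, and predicate pairs are hypothetical stand-ins for the real networks and safety properties.

```python
# Sketch: one pass over the quantized grid checks several specifications.
from itertools import product

def check_specs(net, grids, specs):
    """Evaluate the net once per grid point and test every (pre, post) pair."""
    holds = [True] * len(specs)
    for x in product(*grids):
        y = net(x)                      # single evaluation reused for all specs
        for i, (pre, post) in enumerate(specs):
            if pre(x) and not post(y):
                holds[i] = False
    return holds

grids = [[0.0, 1.0], [0.0, 1.0]]
net = lambda x: x[0] - x[1]
specs = [(lambda x: True, lambda y: y >= -1.0),        # holds on the grid
         (lambda x: x[0] == 0.0, lambda y: y > 0.0)]   # fails at (0.0, 0.0)
assert check_specs(net, grids, specs) == [True, False]
```

The real implementation evaluates all grid points as one batched tensor operation instead of a Python loop, but the verification logic is the same.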
We also compare our method with ReluVal [19] on verifying the property. The input constraint of the property covers only 60 states in the quantized space. Therefore, we only need to check whether the network gives the "strong left" advisory for all 60 states to verify the property. As shown in Table 3, input quantization significantly reduces the verification time compared to the ReluVal solver.
4 Conclusion
This paper advocates input quantization for the verification of neural networks with low-dimensional inputs. Our experiments on verifying ACAS Xu networks show that this technique is significantly faster and more scalable than verifiers that analyze the internal computations of the neural networks. Moreover, our method does not suffer from any floating-point discrepancy between the verifier and the network inference implementation. In general, our method applies to deterministic floating-point programs that take low-dimensional inputs, as long as the target application tolerates input quantization and enumerating all the quantized values takes acceptable time.
References
 [1] (2020) Improved geometric path enumeration for verifying ReLU neural networks. In International Conference on Computer Aided Verification, pp. 66–96.
 [2] (2018) Neural ordinary differential equations. In Advances in Neural Information Processing Systems, S. Bengio, H. Wallach, H. Larochelle, K. Grauman, N. Cesa-Bianchi, and R. Garnett (Eds.), Vol. 31.
 [3] (2021) A survey of quantization methods for efficient neural network inference. arXiv preprint arXiv:2103.13630.
 [4] (2020) Efficient exact verification of binarized neural networks. In Advances in Neural Information Processing Systems, H. Larochelle, M. Ranzato, R. Hadsell, M. F. Balcan, and H. Lin (Eds.), Vol. 33, pp. 1782–1795.
 [5] (2020) Exploiting verified neural networks via floating point numerical error. arXiv preprint arXiv:2003.03021.
 [6] (2019) Deep neural network compression for aircraft collision avoidance systems. Journal of Guidance, Control, and Dynamics 42 (3), pp. 598–608.
 [7] (2019) Guaranteeing safety for neural network-based aircraft collision avoidance systems. In 2019 IEEE/AIAA 38th Digital Avionics Systems Conference (DASC), pp. 1–10.
 [8] (2016) Policy compression for aircraft collision avoidance systems. In 2016 IEEE/AIAA 35th Digital Avionics Systems Conference (DASC), pp. 1–10.
 [9] (2017) Reluplex: an efficient SMT solver for verifying deep neural networks. In International Conference on Computer Aided Verification, pp. 97–117.
 [10] (2011) Robust airborne collision avoidance through dynamic programming. Massachusetts Institute of Technology, Lincoln Laboratory, Project Report ATC-371.
 [11] (2015) Optimized airborne collision avoidance. In Decision Making Under Uncertainty: Theory and Application, pp. 249–276.
 [12] (2010) A decision-theoretic approach to developing robust collision avoidance logic. In 13th International IEEE Conference on Intelligent Transportation Systems, pp. 1837–1842.
 [13] (2013) Compression of optimal value functions for Markov decision processes. In 2013 Data Compression Conference, pp. 501–501.
 [14] (2019) Algorithms for verifying deep neural networks. arXiv preprint arXiv:1903.06758.
 [15] (2019) Boosting robustness certification of neural networks. In ICLR (Poster).
 [16] (2019) Boosting robustness certification of neural networks. In International Conference on Learning Representations.
 [17] (2020) NNV: the neural network verification tool for deep neural networks and learning-enabled cyber-physical systems. In Computer Aided Verification, S. K. Lahiri and C. Wang (Eds.), Cham, pp. 3–17.
 [18] (2021) A review of formal methods applied to machine learning. arXiv preprint arXiv:2104.02466.
 [19] (2018) Formal security analysis of neural networks using symbolic intervals. In 27th USENIX Security Symposium (USENIX Security 18), pp. 1599–1614.
 [20] (2020) Robustness guarantees for deep neural networks on videos. In IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 308–317.