Sample-Free Safety Assessment of Neural Network Controllers via Taylor Methods
In recent years, artificial neural networks have been increasingly studied as feedback controllers for guidance problems. While effective in complex scenarios, they lack the verification guarantees found in classical guidance policies. Their black-box nature creates significant concerns regarding trustworthiness, limiting their adoption in safety-critical spaceflight applications. This work addresses this gap by developing a method to assess the safety of a trained neural network feedback controller via automatic domain splitting and polynomial bounding. The methodology involves embedding the trained neural network into the system’s dynamical equations, rendering the closed-loop system autonomous. The system flow is then approximated by high-order Taylor polynomials, which are subsequently manipulated to construct polynomial maps that project state uncertainties onto an event manifold. Automatic domain splitting ensures the polynomials are accurate over their relevant subdomains, whilst also allowing an extensive state-space to be analysed efficiently. Utilising polynomial bounding techniques, the resulting event values may be rigorously constrained and analysed within individual subdomains, thereby establishing bounds on the range of possible closed-loop outcomes from using such neural network controllers and supporting safety assessment and informed operational decision-making in real-world missions.
Research Summary
The paper introduces a rigorous, sample‑free methodology for assessing the safety of neural‑network (NN) feedback controllers used in spacecraft guidance. Traditional verification relies on Monte‑Carlo simulations, which are computationally expensive in high‑dimensional state spaces and can miss edge cases or adversarial inputs. To overcome these limitations, the authors embed a trained NN controller directly into the spacecraft’s equations of motion, thereby forming an autonomous closed‑loop dynamical system.
Using Differential Algebra (DA), the closed‑loop flow is expanded into high‑order Taylor polynomials with respect to the initial state. The DA framework treats the initial condition as a symbolic variable (δx) and propagates it through a DA‑compatible 7/8 Dormand‑Prince Runge‑Kutta integrator, yielding a polynomial transfer map φ that captures all derivatives of the flow up to the chosen order. This map provides a compact analytical representation of how any perturbation in the initial state influences the trajectory.
Safety analysis, however, is usually concerned with specific events (e.g., closest approach distance, time of surface crossing, rendezvous tolerance) rather than the state at a fixed final time. The authors therefore construct an “event map”. An event is defined by a scalar function E(x) whose zero crossing marks the event. During numerical integration, the first crossing is detected at a discrete time step, producing an approximate event time t_e and state x_e. To refine these values, a Picard iteration is performed within the DA framework, generating high‑order Taylor expansions of x_e(t) and E(t). By inverting the polynomial E(t) = 0, an accurate event time t* is obtained, and the corresponding state is evaluated using the refined expansion. This process yields a polynomial that maps initial‑state deviations directly onto the event manifold.
Because a single high‑order polynomial may become inaccurate over a large uncertainty region, the method incorporates Automatic Domain Splitting (ADS). ADS monitors the truncation error of the Taylor expansion; when the error exceeds a prescribed tolerance, the domain is recursively subdivided into smaller subdomains. Each subdomain thus contains a polynomial whose error is guaranteed to stay within bounds. Interval arithmetic is then applied to each subdomain’s event polynomial, providing rigorous upper and lower bounds on the event quantity (e.g., minimum distance, arrival time). By aggregating the results across all subdomains, the method delivers a global safety envelope for the NN controller without any random sampling.
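The three steps above (a Taylor flow map computed in polynomial arithmetic, recursive splitting when the truncation error proxy exceeds a tolerance, and interval bounding of each subdomain's polynomial) as an added one-dimensional toy, not the paper's code. It assumes a constructed polynomial controller u(x) = -x + 0.5*x^2 in place of a trained network, estimates the truncation error from the highest-order coefficient only (a simplification of the paper's estimator), and bounds the state at a fixed final time rather than an event-map quantity.

```python
import numpy as np

ORDER = 4          # truncation order of the Taylor expansion in the DA variable
TOL = 1e-3         # ADS tolerance on the estimated truncation error
T_END, H = 1.0, 0.05   # propagation horizon and RK4 step (constructed values)

def pmul(a, b):
    """Product of two truncated univariate polynomials (coefficient arrays in dx)."""
    out = np.zeros(ORDER + 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j <= ORDER:
                out[i + j] += ai * bj
    return out

def closed_loop(x):
    """Autonomous closed loop x' = u(x); the constructed controller u(x) = -x + 0.5*x^2
    stands in for a trained NN (a tanh network would be expanded the same way in DA)."""
    return -x + 0.5 * pmul(x, x)

def flow(x0):
    """RK4 in polynomial arithmetic: the state stays a polynomial in dx (Taylor flow map)."""
    x = np.array(x0, dtype=float)
    for _ in range(int(round(T_END / H))):
        k1 = closed_loop(x)
        k2 = closed_loop(x + 0.5 * H * k1)
        k3 = closed_loop(x + 0.5 * H * k2)
        k4 = closed_loop(x + H * k3)
        x = x + (H / 6.0) * (k1 + 2 * k2 + 2 * k3 + k4)
    return x

def peval(p, s):
    return float(sum(c * s ** i for i, c in enumerate(p)))  # value at scaled deviation s

def ads(center, halfwidth, min_width=1e-3):
    """Automatic Domain Splitting on x0 = center + halfwidth*s, s in [-1, 1]. Returns
    leaves (center, halfwidth, poly, lo, hi) with rigorous polynomial bounds padded by TOL."""
    x0 = np.zeros(ORDER + 1)
    x0[0], x0[1] = center, halfwidth
    p = flow(x0)
    if abs(p[ORDER]) > TOL and halfwidth > min_width:   # truncation-error proxy too large
        h = halfwidth / 2
        return ads(center - h, h, min_width) + ads(center + h, h, min_width)
    slack = float(np.sum(np.abs(p[1:])))   # |s| <= 1, so each term lies in +-|c_i|
    return [(center, halfwidth, p, p[0] - slack - TOL, p[0] + slack + TOL)]

if __name__ == "__main__":
    for c, w, _, lo, hi in ads(0.0, 1.0):   # initial uncertainty x0 in [-1, 1]
        print(f"x0 in [{c - w:+.3f}, {c + w:+.3f}] -> x(T) in [{lo:+.4f}, {hi:+.4f}]")
```

Each printed line is one subdomain's certified envelope for x(T); the paper applies the same pattern to the event polynomial of a full spacecraft model.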
The approach is demonstrated on two realistic scenarios. The first is a planar Clohessy‑Wiltshire rendezvous problem, where an NN predicts thrust directions to bring a deputy spacecraft to a prescribed relative distance. The event of interest is the time at which the distance tolerance is first satisfied. ADS partitions the initial‑state uncertainty into thousands of subdomains, and the resulting bounds certify that the NN always achieves rendezvous within the allowed time and distance limits. The second scenario is an interplanetary Earth‑to‑Mars transfer. Here the event includes the minimum fly‑by distance to Mars and the total propellant consumption. Despite the long propagation horizon, the high‑order Taylor flow and ADS still produce tight, provable bounds, showing that the NN controller respects mission safety constraints as well as, or better than, a classical optimal control solution.
In summary, the paper delivers a mathematically sound, computationally efficient framework that combines Differential Algebra, high‑order Taylor expansions, Automatic Domain Splitting, and interval bounding to certify the safety of neural‑network‑based guidance laws. By eliminating reliance on Monte‑Carlo sampling and providing explicit error guarantees, the method paves the way for the trustworthy deployment of learning‑based controllers in safety‑critical aerospace applications.