Verifying Nonlinear Neural Feedback Systems using Polyhedral Enclosures
As dynamical systems equipped with neural network controllers (neural feedback systems) become increasingly prevalent, it is critical to develop methods to ensure their safe operation. Verifying safety requires extending control theoretic analysis methods to these systems. Although existing techniques can efficiently handle linear neural feedback systems, relatively few scalable methods address the nonlinear case. We propose a novel algorithm for forward reachability analysis of nonlinear neural feedback systems. The approach leverages the structure of the nonlinear transition functions of the systems to compute tight polyhedral enclosures (i.e., abstractions). These enclosures, combined with the neural controller, are then encoded as a mixed-integer linear program (MILP). Optimizing this MILP yields a sound over-approximation of the forward-reachable set. We evaluate our algorithm on representative benchmarks and demonstrate an order of magnitude improvement over the current state of the art.
💡 Research Summary
The paper addresses the challenging problem of formally verifying safety for neural feedback systems (NFS) whose dynamics are governed by nonlinear transition functions. While existing verification tools handle linear dynamics efficiently, they either become computationally prohibitive or overly conservative when faced with nonlinearities. To bridge this gap, the authors introduce a novel forward reachability algorithm called OVERTPoly that leverages “polyhedral enclosures” – tight linear over‑approximations of multivariate nonlinear functions – and encodes the entire closed‑loop system as a mixed‑integer linear program (MILP).
The core technical contribution is the definition of a “bounding set” ⟨n, P, L, U⟩, where P is a full‑dimensional set of points in ℝⁿ, and L, U assign lower and upper scalar bounds to each point. By constructing a Delaunay triangulation of P and taking the convex hull of lifted points (p, L(p)) and (p, U(p)), the authors obtain a (n + 1)‑dimensional polyhedron that encloses the graph of the target function. They prove that this enclosure is sound: any point (x, f(x)) lies inside the polyhedron for all x in the domain.
For univariate functions, the method partitions the domain at points where the second derivative vanishes, applies the OVERT algorithm on each convex sub‑interval to obtain piecewise‑linear bounds, and stitches them together. For multivariate functions, they introduce linear composition (addition/subtraction) and nonlinear composition (multiplication/division) operators on bounding sets. Linear composition preserves enclosure trivially, while nonlinear composition uses interval arithmetic on each grid cell, followed by a min‑max aggregation over neighboring cells to maintain soundness. The authors also note that for bilinear terms (n = 2) McCormick envelopes can be employed to tighten the bounds further.
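The multivariate construction described above, as an added worked example (not code from the paper or from OVERTPoly): a two-dimensional bounding set ⟨n = 2, P, L, U⟩ for the bilinear term f(x, y) = x·y. Per grid cell, interval arithmetic gives a sound [lo, hi] for f over the cell; each grid vertex then takes the minimum lo and maximum hi over the cells adjacent to it, which is the min‑max aggregation that keeps the piecewise‑linear enclosure sound across cell boundaries. The grid, the fixed diagonal triangulation used in place of a Delaunay triangulation, and the helper names are all assumptions made here. The example generalizes to any function for which a per‑cell interval evaluator is available, which is why `bounding_set` takes that evaluator as a parameter.

```python
"""Added example (not the paper's code): a 2-D bounding set <n=2, P, L, U> for
f(x, y) = x*y built from per-cell interval arithmetic plus min/max aggregation
at grid vertices, with a sampled soundness check of the piecewise-linear
enclosure. Grid, triangulation and helper names are assumptions."""
import itertools
import random


def product_cell_interval(x0, x1, y0, y1):
    """Interval of x*y over the box [x0, x1] x [y0, y1].

    x*y is bilinear, so its extremes over a box are attained at the corners."""
    corners = [x0 * y0, x0 * y1, x1 * y0, x1 * y1]
    return min(corners), max(corners)


def bounding_set(xs, ys, cell_interval):
    """Build L, U (dicts keyed by vertex index (i, j)) over the grid xs x ys.

    cell_interval(x0, x1, y0, y1) must return a sound [lo, hi] of f over the cell."""
    nx, ny = len(xs), len(ys)
    cells = {}
    for ci, cj in itertools.product(range(nx - 1), range(ny - 1)):
        cells[(ci, cj)] = cell_interval(xs[ci], xs[ci + 1], ys[cj], ys[cj + 1])
    L, U = {}, {}
    for i, j in itertools.product(range(nx), range(ny)):
        # min/max aggregation over the (up to four) cells touching vertex (i, j):
        # every triangle through this vertex lies in one of these cells, so the
        # interpolated L stays <= f and the interpolated U stays >= f there.
        adjacent = [cells[(ci, cj)] for ci in (i - 1, i) for cj in (j - 1, j)
                    if (ci, cj) in cells]
        L[(i, j)] = min(lo for lo, _ in adjacent)
        U[(i, j)] = max(hi for _, hi in adjacent)
    return L, U


def _locate(grid, v):
    """Index i of the cell [grid[i], grid[i+1]] containing v (v must lie in the grid)."""
    return max(k for k in range(len(grid) - 1) if grid[k] <= v)


def pwl_value(xs, ys, V, x, y):
    """Piecewise-linear interpolation of vertex values V at (x, y).

    Each cell is split along the diagonal (i, j) -> (i+1, j+1) into two triangles
    (a fixed stand-in for a Delaunay triangulation of a regular grid)."""
    i, j = _locate(xs, x), _locate(ys, y)
    s = (x - xs[i]) / (xs[i + 1] - xs[i])
    t = (y - ys[j]) / (ys[j + 1] - ys[j])
    v00, v10, v01, v11 = V[(i, j)], V[(i + 1, j)], V[(i, j + 1)], V[(i + 1, j + 1)]
    if s >= t:  # lower-right triangle: (i,j), (i+1,j), (i+1,j+1); barycentric weights
        return (1 - s) * v00 + (s - t) * v10 + t * v11
    # upper-left triangle: (i,j), (i,j+1), (i+1,j+1)
    return (1 - t) * v00 + (t - s) * v01 + s * v11


def pwl_bounds(xs, ys, L, U, x, y):
    """(lower, upper) enclosure values at (x, y)."""
    return pwl_value(xs, ys, L, x, y), pwl_value(xs, ys, U, x, y)


def check_sound(xs, ys, L, U, f, samples=2000, seed=0):
    """True if L_pwl(x, y) <= f(x, y) <= U_pwl(x, y) at every sampled point."""
    rng = random.Random(seed)
    for _ in range(samples):
        x = rng.uniform(xs[0], xs[-1])
        y = rng.uniform(ys[0], ys[-1])
        lo, hi = pwl_bounds(xs, ys, L, U, x, y)
        if not (lo <= f(x, y) <= hi):
            return False
    return True


if __name__ == "__main__":
    # constructed grid over the box [-2, 2] x [-1, 3]
    XS = [-2.0, -1.0, 0.0, 1.0, 2.0]
    YS = [-1.0, 0.0, 1.0, 2.0, 3.0]
    L, U = bounding_set(XS, YS, product_cell_interval)
    print("sound on samples:", check_sound(XS, YS, L, U, lambda a, b: a * b))
    print("bounds at (0.5, 1.5):", pwl_bounds(XS, YS, L, U, 0.5, 1.5), "f =", 0.75)
```

The interpolated lower bound on a triangle is a convex combination of L at the triangle's three vertices, each of which is at most the interval minimum of the cell containing that triangle, so the check in `check_sound` can never fail; the lower convex envelope of the lifted points (p, L(p)) used by the paper lies at or below this interpolant and is therefore sound as well. The gap between L and U at a vertex shows directly how grid resolution trades precision for cost: halving the cell size roughly halves the width of each per‑cell interval.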
The OVERTPoly algorithm proceeds as follows:
- Recursively traverse the syntax tree of each transition function fᵢ, constructing bounding sets for constants, univariate elementary functions, and compositions using the rules above.
- Assemble the bounding sets for all fᵢ into a polyhedral representation of the one‑step reachable set.
- Encode the ReLU‑based multilayer perceptron controller as MILP constraints (each ReLU becomes a pair of linear constraints plus a binary activation variable).
- Combine the dynamics constraints, controller constraints, and safety specifications (goal set G, avoid set A) into a single MILP.
- Solve the MILP; the optimal solution yields an over‑approximation τ̂_D(I) of the true reachable set τ_D(I). If τ̂_D(I) ⊆ G and τ̂_D(I) ∩ A = ∅, the system is declared safe.
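The controller encoding in the third step, as an added example that is not code from the paper: the usual big‑M MILP encoding of y = ReLU(x) with one binary activation variable a, given pre‑activation bounds l ≤ x ≤ u with l < 0 < u. The four inequalities y ≥ x, y ≥ 0, y ≤ x − l(1 − a), y ≤ u·a are an assumption about the encoding (the summary does not spell them out). Rather than calling a solver, the code enumerates a ∈ {0, 1} and computes the feasible interval for y, showing that the constraints admit exactly y = max(0, x); it also computes the LP relaxation's upper bound, which is what makes tight bounds l, u (and hence tight enclosures of the dynamics) matter for solver effort.

```python
"""Added example (not the paper's code): big-M MILP encoding of y = ReLU(x)
with binary a and pre-activation bounds l <= x <= u, checked by enumeration.
The constraint set and helper names are assumptions made for this example."""


def relu_constraints(l, u):
    """The four linear constraints, as strings for inspection."""
    return [
        "y >= x",
        "y >= 0",
        f"y <= x - ({l})*(1 - a)",  # inactive branch (a = 0) forces y <= 0
        f"y <= ({u})*a",            # active branch (a = 1) allows y up to u
    ]


def feasible_y(x, l, u, a):
    """Feasible interval for y at fixed x and fixed a, or None if infeasible."""
    lo = max(x, 0.0)                      # y >= x and y >= 0
    hi = min(x - l * (1 - a), u * a)      # the two big-M upper bounds
    return (lo, hi) if lo <= hi + 1e-12 else None


def relu_outputs(x, l, u):
    """Set of y values the encoding permits at x, over both branches of a."""
    assert l <= x <= u, "x must lie within its pre-activation bounds"
    outs = set()
    for a in (0, 1):
        iv = feasible_y(x, l, u, a)
        if iv is not None:
            lo, hi = iv
            # with valid bounds the feasible interval collapses to a single point
            assert abs(hi - lo) < 1e-9
            outs.add(round(lo, 9))
    return outs


def encoding_is_exact(l, u, points):
    """True if, at every sample x, the only permitted y is max(0, x)."""
    return all(relu_outputs(x, l, u) == {round(max(0.0, x), 9)} for x in points)


def lp_relaxation_upper(x, l, u):
    """Largest y allowed when a is relaxed to the interval [0, 1].

    The two upper constraints meet where x - l*(1 - a) = u*a, i.e. at
    a = (x - l)/(u - l); the value there is the familiar triangle relaxation."""
    return u * (x - l) / (u - l)


if __name__ == "__main__":
    l, u = -2.0, 3.0  # constructed pre-activation bounds
    for c in relu_constraints(l, u):
        print(c)
    for x in (-1.0, 0.0, 1.5):
        print(f"x={x:5.2f}  MILP y={relu_outputs(x, l, u)}  "
              f"LP-relaxation y<={lp_relaxation_upper(x, l, u):.3f}")
    print("exact:", encoding_is_exact(l, u, [-2.0, -0.7, 0.0, 0.3, 3.0]))
```

Branching on a closes the relaxation gap, but the gap's size, u(x − l)/(u − l) versus max(0, x), is governed entirely by how loose l and u are; looser reachable‑set enclosures propagated into the controller's pre‑activations therefore translate directly into weaker relaxations and more branching, which is one concrete reason the paper's tighter polyhedral enclosures pay off in the MILP step.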
Experimental evaluation uses five benchmark NFS problems drawn from drone racing trajectory tracking, autonomous lane keeping, robotic arm control, and other safety‑critical domains. Compared against the state‑of‑the‑art combinatorial verifier OVERT and the abstraction‑propagation tool CORA, OVERTPoly achieves an average speedup of roughly eight times while producing reachable sets that are 15–30 % tighter in volume. Notably, in scenarios with narrow avoid regions where OVERT and CORA either time out or return overly conservative sets that intersect the unsafe region, OVERTPoly successfully verifies safety thanks to its tighter polyhedral bounds.
The authors acknowledge limitations: the quality of the enclosure depends on the chosen grid resolution, leading to a trade‑off between precision and computational cost; the current formulation assumes ReLU‑MLPs, so extending to other activation functions or convolutional networks will require additional work. Future directions include adaptive grid refinement, support for broader neural architectures, and integration with controller synthesis pipelines.
In summary, the paper presents a mathematically rigorous, scalable approach for verifying nonlinear neural feedback systems by marrying tight polyhedral abstractions with MILP‑based verification, demonstrating significant practical advantages over existing methods.