Models of actual causality leverage domain knowledge to generate convincing diagnoses of events that caused an outcome. It is promising to apply these models to diagnose and repair run-time property violations in cyber-physical systems (CPS) with learning-enabled components (LEC). However, given the high diversity and complexity of LECs, it is challenging to encode domain knowledge (e.g., the CPS dynamics) in a scalable actual causality model that could generate useful repair suggestions. In this paper, we focus causal diagnosis on the input/output behaviors of LECs. Specifically, we aim to identify which subset of I/O behaviors of the LEC is an actual cause for a property violation. An important by-product is a counterfactual version of the LEC that repairs the run-time property by fixing the identified problematic behaviors. Based on this insight, we design a two-step diagnostic pipeline: (1) construct a Halpern-Pearl causality model that reflects the dependency of property outcome on the component's I/O behaviors, and (2) perform a search for an actual cause and corresponding repair on the model. We prove that our pipeline has the following guarantee: if an actual cause is found, the system is guaranteed to be repaired; otherwise, we have high probabilistic confidence that the LEC under analysis did not cause the property violation. We demonstrate that our approach successfully repairs learned controllers on a standard OpenAI Gym benchmark.