In the context of an AI system consisting of a machine learning model for classification, we present a framework denoted SafetyCage for systematically detecting and explaining misclassifications. We show how the framework can be used under deployment of the AI systems when true labels are unknown. Specifically, a misclassification detector measures the reliability in one particular model prediction and flags the prediction as either trustworthy or not. Unfortunately, most existing misclassification detectors are not easily interpretable for the purpose of ifnding the root cause of a misclassification. Hence, if the prediction is deemed untrustworthy, our approach provides additional so-called local misclassification explorations to further assess the trustworthiness of the prediction. The purpose of the framework is to be able to systematically explore the root cause of a particular misclassification, and hence incentivizing procedures to enhance the AI system even further. We showcase our framework with three ML models of diferent model architectures trained on images, tabular data and text respectively, and present three generic suggestions of local misclassification explorations, and how they can be adapted for each use case.
The integration and use of AI systems has been influential in modern society. The widespread availability
of so-called large language models (LLMs) is a good example of this. Another example is within the
health sector where for instance radiologists can get assistance from an AI model to detect bone fractures
based on X-ray images of patients [
Following the definition above, an AI system is not limited to providing predictions, but may also
provide recommendations for decisions or even make decisions on behalf of a human. We emphasize
the diference between the raw predictions, and the final recommendations and decisions that will in
some way make use of the raw predictions in a decision-making process. Under the EU AI Act [
The remainder of the paper is structured as follows. In Section 2 we include related work, and present challenges of using misclassification detectors in AI systems, and how we address them in this work. In Section 3, we present our SafetyCage framework for misclassification detection and exploration. Section 4 demonstrates the application of the framework in three diferent use cases involving ML models for images, tabular data and text. In Section 5 we discuss the results and limitations of the framework. Finally, Section 6 concludes the paper and presents directions for future work.
Given a pre-trained (already trained) ML model. With an input sample x, the ML model will output a prediction ˆ, ˆ : x ↦→ , satisfying ˆ = ˆ (x). The ML model is trained by fitting the parameters such as to mimic the true target function * : x ↦→ satisfying = * (x). This branch of machine learning is called supervised learning where the ML model is trained based on true labels 1, . . . , for every input x1, . . . , x with training size , denoted the training data = {(x, )}=1 . In classification problems the labels are distinct and disjoint categories or classes. We assume only one class can be present for each input sample. In this study, we will deal with ML models where the output is a vector where each element, representing class , is a value that predicts the probability that class is present, and where the final prediction is equal to the class with the largest probability. We will further only explore ML models where the softmax activation function is applied to the output layer which ensures that all elements sum to one, following the law of total probability.
The goal of a misclassification detector (MD) is in general to detect whenever the ML model prediction is wrong for a given input x and prediction ˆ for which ˆ ̸= . We define the MD to be a function (x, ˆ) ↦→ B which given x and ˆ outputs a boolean value where the output 1 means that the MD predicts the ML model prediction to be wrong, while the output 0 means the MD model prediction is correct. Ultimately, the MD is a binary classifier. When the output is 1 we say that the MD model flags the prediction as being wrong. Note that this problem is only relevant during so-called deployment of the ML model, which means whenever the ML model makes a prediction, but when we still don’t know what the true label is. The MD is itself a prediction model, which can flag wrongly, and hence we will throughout the paper refer to an MD model.
At the time of writing, there exist several misclassification detection models that have been published.
What can be considered the baseline methods are the maximum softmax probability (MSP) method [
This raw output from the misclassification detectors is in itself informative, and can ultimately be used
to declare a prediction as trustworthy or not. In practice, this will require a threshold with respect to
the quantitative reliability measure, which defines the border between correct and wrong predictions.
However, in [
What the MD models mentioned above also have in common is that while their mutual goal is to capture incorrect predictions, they do not provide any explanations as to why the prediction is incorrect. This lack of interpretability is problematic, and limits the trustworthiness of the MD model itself.
Our contribution in this work is the following: 1. We propose to use the Matthews correlation coeficient (MCC) as a suitable evaluation metric for threshold-based MD models 2. We propose a way to estimate the threshold which decides when to declare a prediction as trustworthy or not 3. We introduce the concept of local misclassification explorations with the aim of exploring predictions flagged by an MD model in order to monitor an AI system and to validate the flagging by the MD model
In this section our proposition points 1., 2. and 3. described in Section 2.1 will be described in detail in Section 3.1, 3.2 and 3.3-3.4 respectively.
As noted earlier, misclassification detectors (MDs) can themselves produce inaccurate outputs, so their
trustworthiness must also be quantified. The underlying ML model in an operative AI system must
be suficiently accurate. Therefore, it is essential that the MD correctly identifies the small portion of
incorrect predictions, while minimizing false alarms on correct ones. This imbalance between correct
and incorrect predictions must be accounted for when evaluating MD performance. Moreover, the MD
model performance should be evaluated based on all aspects covered by the performance metrics recall,
precision, specificity (1-Type I error) and negative predictive value. We therefore recommend the use
of the Matthews Correlation Coeficient (MCC), which is specifically designed to provide a reliable
performance measure for binary classifiers under class imbalance [
To avoid optimism bias due to potential model overfitting, the threshold should be estimated on data
independent of the data used to train the ML model [
where ∩ = ∅. When is applied on the ML We denote this as = {(x, )}=1 model, we can aqcuire the training data for the MD model which we denote * = {(x, )}=1 with = 1(ˆ = ). Summarized, the construction of a misclassification detector can be visualized in Figure 1.
ML model architecture
Trained
ML model
Train ML model
Train
MD model MD model architecture
Trained misclassification detector
Once an MD model is trained we can use it during deployment of the ML model to flag potential misclassifications, see Figure 2 where we see the MD model takes as input the input sample, x, the ML model prediction, ˆ as well as information about the ML model architecture if needed.
Trained ML model
Trained MD model
Flag
Local misclassification exploration
The performance of an ML model can be evaluated based on historical data where we know the incidents where the predictions were correct or wrong. This can be achieved by computing accuracy metrics such as classification accuracy or the F1 score, and the performance can be visualized for instance with a confusion matrix. These metrics can also be calculated across diferent subsets of the data that share similar characteristics, helping to identify specific conditions under which the model performs better or worse. These results can give an overall impression of when the ML model fails, but to a limited degree the reason why.
Recent work has emphasized the value of creating local explanations — that is, explanations for
individual predictions. This includes identifying which input variables the ML model found most
important for a given prediction [
Input: Input sample x, trained ML model , misclassification detector Output: Trust decision on prediction ˆ ˆ ← (x) ; lfag ← (x, ˆ) ; if flag = 1 then
Generate local misclassification explorations; end Make trust decision based on flag and local misclassification explorations; // Obtain ML model prediction // Detect if prediction may be incorrect Algorithm 1: Framework for use of misclassification detector together with local misclassification explorations during deployment of an AI system.
Note that the term SafetyCage has been previously used as a particular type of misclassification
detection model first introduced in [
As the previous section suggests, we are interested in generating local misclassification explorations for a sample x whenever (x, ˆ) = 1.
In this section, we present three generic open-ended misclassification exploration methods. We approach this as a hypothesis-generating study rather than a hypothesis-testing one. • Exploration 1: Historically explore similar samples with same misclassified prediction • Exploration 2: Evaluate whether the sample is an outlier, and in what way • Exploration 3: Perturb the input sample, without changing the true label, and explore the efect it has on the corresponding prediction
Exploration 1. requires the definition of what are similar samples. This will depend from use case to use case. In Section 4.1 we will show a particular example of this. The purpose of Exploration 2. is to explore whether the sample deviates significantly from other previous observations in the training dataset, hence being an outlier. This is based on the fact that ML models typically perform poorly in these circumstances. The presence of an outlier may be due to measurement errors in the sample, but it might as well also be due to the limited representativeness of the training data. In Section 4.2 we show a practial example. Exploration 3. explores how the ML model behaves if we modify the original input sample without loosing its essence. If the corresponding prediction changes, we automatically loose trust in the original prediction. The challenge is to know how we should perturb the input sample without changing its true label. In Section 4.3 we show one example for how to deal with this.
We demonstrate the approach of generating Exploration 1. of a flagged sample to the MNIST
dataset [
We trained a simple feed-forward neural network designed to solve the MNIST classification problem. As illustrated by Figure 3, the model consists of an input layer, two hidden layers with sigmoid activation functions, and an output layer of size 10 with a softmax activation function. This model achieves an overall accuracy of 97% on unseen test data of size 1000.
We trained a SPARDACUS detector on the data using the Dense 2 layer as a source of information. The training procedure lead to an associated MCC = 0.48 on testing data. Specifically, the trained SafetyCage flagged 2.61% of the 1000 test samples as not trustworthy.
(a) (b) (c) (d) (e) (f)
Figure 4a shows a sample, wrongly predicted to be the digit 5, from the testing set correctly flagged
by the SPARDACUS detector. We show an example of applying Exploration 1, namely by looking at
previous samples with same prediction, however misclassified, and similar to the input sample (4a). The
notion of similarity must be explicitly defined, which is not straightforward to do between raw images.
However, with a neural network, one approach is to instead base the similarity between samples on
the corresponding representations (activation values) at a particular layer. Specifically, given a new
input sample x flagged by SafetyCage , we can search for previous samples, having the same class
prediction and known to be misclassified, that are closest to x with respect to a distance metric in a
particular layer. Here, we use the penultimate layer of the neural network model (Dense 2 layer), and
deploy the KNN distance metric introduced by [
We now discuss another possible approach to explaining misclassified samples. Consider a tabular
dataset of 918 rows linking 11 patient features (age, sex, resting blood pressure, ...) to a 0/1 variable
stating whether the patient had a cardio-vascular incident. An eficient method to model the binary
classification problem ˆ = () with ˆ ∈ {0, 1} is to use a decision tree based algorithm such as
light gradient boosting machines (LGBM). We relied on the open source implementation of LGBM:
LightGBM [
In this use case, the DOCTOR missclassification detector is used to flag test set samples. The method lfagged 30 samples (13%) as potentially wrongly classified, achieving an overall accuracy of 87% at correctly flagging samples and MCC = 0.45 on the testing set.
Figure 5 (Left) shows test set samples as flagged by the detector and ECOD [
To conclude Exploration 2, we can present the age distribution (Figure 5 (Right)) to the ML model end-user and propose that the extreme value of the age can explain why the ML model misclassified the sample.
We apply a pre-trained Roberta transformer model [
This looks like one of these Australian movies done by “talented” students and funded by the government. It is chock full of smart shots of colors and shapes and verbal excursions into Freudian psychology to be appreciated by art students and teachers alike, but in general it is perceived a stupid mockery of good cinema, good storytelling and generally good taste...
This movie is thought to be a stupid mockery of good cinema because it is full of smart shots of colors and shapes and verbal excursions into Freudian psychology to be appreciated by art students and teachers alike.
We showcase how Exploration 3 can be utilized in this case for the movie review in Table 1. We employ the PEGASUS transformer model fine-tuned for paraphrasing [19, 20], which rephrases a given input while preserving its original meaning. We generate ten paraphrases of the original review, and compute the sentiment prediction of the Roberta transformer model. See right column of Table 1 to see one such paraphrase generated. We recompute the sentiment predictions by the Roberta model for each paraphrase. It turns out that the prediction flips from positive to negative sentiment for seven out of ten paraphrases. Provided that the paraphrases are of particular quality, this shows the lack of robustness for the sentiment prediction model for this particular input sample, and hence reduces the trustworthiness of the prediction.
We have presented a system, denoted SafetyCage , for detecting and exploring misclassifications in an AI system for the purpose of general human oversight and finding the root cause of a misclassification. We showed three generic examples. Note the important distinction between exploration and explanation. A next step would be to construct hypotheses of root causes, and further to evaluate them. With this in mind, we regard the quality of a local misclassification exploration as the degree to which one can generate formal hypothesis testing to infer the root cause. Misclassifications where the root cause have been found is valuable information for the future use of an AI system. How to actually materialize this to further improve the AI system is yet another natural step.
The SafetyCage framework may be a compliance enabler for high-risk AI systems with respect to the EU AI Act, for instance with respect to Article 14 and 15 which among other things require that high-risk AI systems are resilient to errors, and that natural persons can eficiently oversee the system during use. The quantification of the prediction uncertainty and the flagging procedure can make the AI system more resilient to the prediction errors, and the local misclassification explorations can contribute to human oversight. As SafetyCage assesses the likelihood of an ML model to produce a prediction error, the framework can be integrated into a risk management system. This is especially relevant given that Article 9 of the EU AI Act requires a risk management system for high-risk AI systems. A potential integration of SafetyCage in a high-risk AI system also creates new obligations regarding the technical documentation (Article 11). This should for instance include detailed information about the flagging procedure of SafetyCage , and its performance quantified with metrics (such as the MCC).
The examples provided in Section 4 serve as illustrative cases intended to showcase the practical potential of the framework, and should not be interpreted as the default behaviour of flagged samples by a misclassification detector. The successfulness of the framework highly depends on the performance of the ML model, the MD model as well as the local explorations. The purpose of this work is to introduce the framework, and how to couple diferent components together in a bigger picture.
From the use cases in Section 4, we see the MCC on the test data ranges from 0.38 to 0.48 across diferent MD models. While this means the MD models are informative, there is still room for improvement by catching more misclassifications and reducing false flags, which efectively would increase the MCC towards 1.
A premise for the motivation of local misclassification explorations is the limited interpretability of existing misclassification detectors. One alternative way forward is to construct interpretable misclassification detectors where it is also possible to see the reason why there is a misclassification such as by using linear models or decision trees. However, increased interpretability often comes at the cost of reduced accuracy of the misclassification detector.
In this work, we proposed the framework SafetyCage for how to actively use misclassification detectors in AI systems. SafetyCage acts as a guardrail mechanism during decision-making, aiming to reduce the risk of poor decisions due to incorrect predictions from AI classification models. We recommend the use of local misclassification explorations, which can help uncover the underlying causes of erroneous predictions. These insights can support the development of hypothesis-driven tests and guide AI model retraining or modification to improve the overall quality and reliability of the decision-making.
We have identified several directions for future research and development to enhance the SafetyCage framework: • Improving the misclassification detectors: Even though the MDs covered in this work are informative, there is still room for improvement. How to construct MD models that can achieve higher MCC values will be important future research. • Improving local explorations: Enhancing the quality and interpretability of local explorations is a key challenge. In particular, identifying root causes of misclassifications and briding the gap between exploratory insights and actionable explanations is essential. • Interpretable misclassification detectors: By using an interpretable model architecture, one can not only predict the presence of a misclassification, but also be able to interpret the reason why.
This work has received funding from the THEMIS 5.0 project under the European Union’s Horizon Europe research and innovation programme (grant agreement No 101121042). THEMIS 5.0 aims to develop an AI-driven, human-centered trustworthiness optimization ecosystem that enables users to assess, influence, and enhance the fairness, transparency, and accountability of AI systems.
During the preparation of this work, the authors used ChatGPT for grammar and spelling check, paraphrasing and rewording. After using this tool, the authors reviewed and edited the content as needed and take full responsibility for the publication’s content. [18] A. L. Maas, R. E. Daly, P. T. Pham, D. Huang, A. Y. Ng, C. Potts, Learning word vectors for sentiment analysis, in: Proceedings of the 49th Annual Meeting of the Association for Computational Linguistics: Human Language Technologies, Association for Computational Linguistics, Portland, Oregon, USA, 2011, pp. 142–150. URL: http://www.aclweb.org/anthology/P11-1015. [19] J. Zhang, Y. Zhao, M. Saleh, P. J. Liu, Pegasus: Pre-training with extracted gap-sentences for abstractive summarization, 2019. arXiv:1912.08777. [20] Tuner007, tuner007/pegasus_paraphrase, https://huggingface.co/tuner007/pegasus_paraphrase, 2021. Fine-tuned PEGASUS model for paraphrasing, hosted on Hugging Face.