1 Introduction

The real world phenomena will result in human assertions that are imprecise and uncertain; for instance, measuring quantities in the real world can lead to imprecise, fuzzy, or even vague assertions. One cannot simply cope with these types of fuzziness, vagueness, and uncertainties using classical logics; therefore, new types of theories and logics are invented to tackle the issues arising from uncertainties and imprecisions. Among these newly invented theories and logics, probabilistic theory and fuzzy logic together can cope with most of those issues. However, in order to understand what types of uncertainties can be dealt with probability theory and what aspects of uncertainties are best handled with fuzzy logic, it is best for one to know about the background of probability theory and fuzzy logic and their application domains.

Probability theory is defined to deal with uncertainties arising from random events while fuzzy logic is the theory to deal with the data demonstrating uncertainties other than randomness, like fuzziness and sometimes vagueness in expression. The late professor Lotfi Zadeh discussed some fundamental shortcomings in classical probability theory and took several issues with the inclusion of fuzzy logics by this theory. Finally, he specifically stated that the two concepts are complementary; yet, a perception-based probability theory is more general and more complex than probability theory, conceptually, mathematically, and computationally [29]. Consequently, throughout this paper we neither intend to elaborate on fuzzy models nor plan to advocate fuzzy logic; instead, we assume the importance of having fuzzy systems in parallel with probabilistic systems is already justified.

Model based design and formal verification are getting an ever-increasing attention in system development. It is common for a system design, should it be formally verified, to be represented by an appropriate mathematical model, while its behavior is expressed by a descriptive specification framework; thereupon, one is able to devise an algorithm to systematically analyze if the model and subsequently the system’s behavior guarantees certain properties. Since various stochastic phenomena are involved in reliability of a system, verifying if a system design absolutely guarantees certain properties is a rigid notion. Subsequently, focusing on absolute guaranties while verifying system’s behavior is not empirical.

System’s behavior can be considered uncertain if its reliability is susceptible to external stimuli that cannot be controlled or prevented. In order to have an empirical verification approach for systems with uncertain behavior, the mathematical model of the system must be adapted to grasp certain degrees of uncertainty. Meanwhile, the specification framework shall also possess correct understanding of uncertainty at the same level. Consequently, verification approaches are invented to verify certain aspects of systems that show stochastic, random, and uncertain behaviors.

Systems that are subject to or dealing with random phenomena are comprising both nondeterministic and probabilistic state transitions simultaneously. Markovian models typically represent these systems. A discrete-time finite state transition system whose transition to next state is distributed probabilistically is a discrete-time Markov Chain. A more sophisticated Markovian model in which nondeterministic and probabilistic transitions coexist is called a Markov Decision Process. In in any state of Markov decision process there exist a nondeterministic choice between probability distributions for the successors.

Probabilistic Computation Tree Logic (PCTL) is an extension of CTL such that it formulates conditions on a state of a Markov chain and Markov decision process [2, 4, 10]. In PCTL, a quantitative counterpart replaced path quantifiers \(\exists \) and \(\forall \) that is denoted as \(\mathbb {P}_J(\varphi )\), where J indicates a probabilistic bound on the number of paths satisfying property \(\varphi \) and yet the interpretation of a PCTL formula remains Boolean; that is, a state either satisfies or violates a PCTL formula. PCTL model checking for Markov chains is a natural extension of CTL model checking. A state s is considered in satisfaction set for a state formula only if the probability of s satisfying certain path property is in the probabilistic bound J. Unfortunately Markov chains and Markov decision processes are not powerful enough to model sophisticated dynamics of systems.

A more sophisticated, and comprehensive class of systems are hybrid systems that consist both discrete and continuous components. In order to model hybrid systems, Henzinger introduced Hybrid Automata [11]. Hybrid automata grasp the nature of systems that combine discrete and continuous dynamics by combining continuously evolving variables and finite state control graphs. The discrete components in hybrid automata are usually digital components that regulate and interact with analog components. Analog sampling and timing are important in hybrid systems and subsequently in hybrid automata for state transitions can occur discretely and instantaneously in the control graph or continuously as time passes by.

Although hybrid automata is very powerful in modeling hybrid systems, its verification problem is generally undecidable even for simple safety properties [12]. Therefore, studies on hybrid systems focus on classes of hybrid automata where the safety verification problem is decidable. Timed Automata are a subclass of hybrid automata whose reachability is decidable. Timed automata consist continuous variables called clocks that continuously evolve with constant slope 1. Clocks are frequently compared to constants and sometimes reset to 0. An extension of timed automata incorporates probabilistic theory to model systems that deal with random phenomena [18].

Probabilistic timed automata is also augmented with additional continuous variables in the form of costs or rewards; the resulting automata is often referred to as priced probabilistic timed automata. In this class of automata, all state and transitions are labeled with state and action rewards, respectively. PCTL is augmented with operators to reason about rewards by comprising a reward operator whose interpretation is Boolean; that is, whenever the expected value of a reward function on a reward/cost variable belongs to certain continuous bound it evaluates to 1 and otherwise to 0. A verification approach is also devised for this class of timed automata and proved to be useful in practice [18]; yet, it is only suitable in formal verification of probabilistic systems.

While modeling, specifying, and verifying probabilistic systems is well studied, verification problem for another subclass of hybrid/dynamic systems that incorporates fuzzy logic is overlooked. Hybrid automata can also model fuzzy logic controllers, as they are a class of hybrid systems. Fuzzy logic control systems can be cast in terms that human operators can understand and better relate to; thus, user’s experience can be used in design phase of the controller [23]. Consequently, fuzzy logic control systems are very popular because they mechanized most of tasks that humans can successfully perform. Meanwhile, numerous fuzzy logic models are developed to represent the underlying logic in fuzzy control systems; yet, few efforts are made to bridge the gap between system modeling and behavior specification, and from thereon to verification.

Seemingly, a scenario quite similar to the narrative of probabilistic system verification is also applicable in formal verification of fuzzy logic systems. It begins with formal verification of discrete-time fuzzy logic models of corresponding systems; then, higher-level abstractions and augmented models shall be built on top of discrete-time fuzzy logic models to address more sophisticated classes of systems. Finally yet importantly, formal verification of fuzzy logic systems shall encompass continuous time through models like fuzzy logic extended timed automata. Meanwhile, the specification framework shall also go through the same development cycle so that it corresponds to the modeling approach.

To this date, there are few efforts to define a suitable fuzzy temporal logic; among which, some used formal statement as the specification framework [9, 17] while others used linguistic statements [3, 27]. Some variety of fuzzy extended temporal logics considered the concept of time to be discrete [5, 21] while others presents events in continuous time [3, 17, 27]. In most cases, fuzzy extended temporal logics accompany a trace checking method instead of a formal verification approach. Fuzzy Branching Temporal Logic (FBTL) by Moon et al. [17] is by far the most notable effort towards a specification framework for fuzzy logic systems. Unfortunately, no one could devised an applicable model checking method for FBTL yet. If such an approach should happen to contrive then it will be based on a simpler fuzzy extended temporal logic defined in discrete time [26]. Therefore, in this paper, we are providing more comprehensive semantics in formal verification of discrete-time fuzzy systems.

Fuzzy Markov Chain is one of the notable discrete-time fuzzy logic models that has a finite convergence to a stationary solution [1]. It is also more robust with respect to small perturbations of the transition matrix compared to probabilistic Markov chains. Although fuzzy Markov chain is a good candidate to model discrete-time fuzzy logic systems, we simply believe this is a matter of preference. This paper neither aims nor intends to compare discrete-time fuzzy logic models but since semantics of our specification language is defined based on this structure [26] and we simply do not intend to reinvent the wheel, FzKripke structure is our choice of model for discrete-time fuzzy systems. FzKripke structure is capable of modeling fuzzy logic controllers, and fuzzy logic circuitry. It was even used for modeling fuzzy flip-flops, and a medical diagnosis and treatment example [22, 26].

Sotudeh also defined a higher-level abstraction of FzKripke structure that is more compact, and easier to manually manipulate called Fuzzy Program Graph (FzPG) [26]. Although FzPG is more efficient in modeling phase, its verification requires a direct translation to an equal FzKripke structure resulting in an exponential blow-up. Due to quantization of truth degrees, state-space explosion in a fuzzy extended model checking is more plausible compared to the classical model checking. Main contribution of this paper is a symbolic checking method for Fuzzy CTL (FzCTL) formulae over FzPG that avoids translation to an equal FzKripke structure. This saves an exponential blow-up, which is most effective in efficient model checking of complex fuzzy logic systems.

The rest of this paper is as follows: in Sects. 2 and  3, we study quantized FzKripke structure and FzCTL, respectively. Quantized FzPG and symbolic checking of FzCTL over FzPG are studied in Sects. 4 and 5, respectively. We analyze computational and memory complexity of proposed symbolic method; yet, an alternative symbolic checking method for FzCTL over FzPG is studied in Appendix A that is of lower memory complexity. Section 6 provides a case study on applicability of the proposed method in design and verification of fuzzy flip-flops. Finally, in Sect. 7 we conclude and plan our future research.

2 Quantized Fuzzy Kripke model

Fuzzy Kripke Model (FzKripke) Structure [26] is basically \(\upchi \)Kripke Model [6] whose quasi-boolean algebra is defined on infinite lattice of interval [0, 1]. Similarly the Quantized FzKripke (Q-FzKripke) can be defined over quantized [0, 1]. This model is quite similar to Fuzzy Graph previously introduced in [28]. There are multiple definitions of Fuzzy extended Kripke structure in the literature [22, 26], all of which are equal to some extent, but few of which are accompanied with a well-defined fuzzy extended temporal logic so that they can be used in modeling fuzzy control project and fuzzy logic circuitry.

Definition 1

Throughout this paper, \([0,1]_\varDelta \) denotes the quantization of interval [0, 1] and is defined as follows:

$$\begin{aligned} \quad [0,1]_\varDelta = \left\{ k\varDelta : k\in \{0,\dots ,\frac{1}{\varDelta }\}\right\} ,~\text {where}~ \varDelta \in \frac{1}{\mathbb {N}}\;. \end{aligned}$$

Definition 2

(Quantized Fuzzy Kripke) This is a tuple \(M = (S,X,\hbox {R},\hbox {L},\hbox {I})\) where \(S = \lbrace s_1,\ldots ,s_n \rbrace \) is a set of states, \(X = \langle x_1 ,\ldots ,x_m \rangle \) is a set of attributes, each of which are assigned with a truth degree in \([0,1]_\varDelta \). Function \({\text {Val}}_\varDelta (X)\) expresses different possible values for all attributes as a whole as follows:

$$\begin{aligned} {\text {Val}}_\varDelta (X) = \big \lbrace \langle v_1,\dots ,v_m \rangle \vert ~v_i \in [0,1]_\varDelta \big \rbrace \end{aligned}$$

Similarly, for attribute evaluation, a dot operator provides access to the value of each attribute as follows:

$$\begin{aligned} \mu \in {\text {Val}}_\varDelta (X),~\mu = \langle v_1,\dots ,v_m \rangle \Rightarrow v_i = \mu \cdot x_i \end{aligned}$$

Relation “\(\hbox {R}\)” defines the possibility of transition from one state to another, function “\(\hbox {L}\)” assigns a label to each state as the state’s specific valuation, and function “\(\hbox {I}\)” assigns the entrance possibility for each state in the initial step.

$$\begin{aligned} \hbox {R}&: S \rightarrow {\text {Val}}_\varDelta (X) \\ \hbox {L}&: S \times S \rightarrow [0,1]_\varDelta \\ \hbox {I}&: S \rightarrow [0,1]_\varDelta \end{aligned}$$

Definition 3

Given \(M = (S,X,\hbox {R},\hbox {L},\hbox {I})\), finite and infinite execution paths starting from state \(s_i\) are defined as follows:

$$\begin{aligned}&\pi \in \hbox {Path}_\mathrm{fin}(s_i) \Leftrightarrow \pi \in s_i \xrightarrow {r_i} s_{i+1} \xrightarrow {r_{i+1}} \dots \xrightarrow {r_{i+u-1}} s_{i+u}&\\&\pi \in \hbox {Path}_\mathrm{inf}(s_i) \Leftrightarrow \pi \in s_i \xrightarrow {r_i} s_{i+1} \xrightarrow {r_{i+1}} s_{i+2} \xrightarrow {r_{i+2}} \dots&\\&\forall i, \alpha \in \mathbb {N} \cdot r_{i+\alpha } \in [0,1]_\varDelta \end{aligned}$$

Definition 4

Single-Source Quantized Fuzzy Kripke is a Q-FzKripke such that \(\hbox {I}(s_0)=1\) and \(\forall s \in S\setminus \{s_0\} \cdot \hbox {I}(s)=0\).

An arbitrary Q-FzKripke can be casted to a single-source one using the method presented for FzKripke in [26]. In order to model check proposition \(\varphi \) on a multi-source Q-FzKripke M, it is enough to check the proposition \({\text {AX}}(\varphi )\) on the equivalent single-source Q-FzKripke \(M'\).

The reason behind casting a multi-source FzKripke structure to a single-source one is that bisimulation equivalence among FzKripke structures is defined on single-source FzKripke structures [26]. As a reminder it is proved that any CTL\(^*\) formula evaluates to the same value on bisimilar Kripke structures [2]. Sotudeh and Movaghar also showed that given two bisimilar FzKripke structures an FzCTL\(^*\) formula is evaluated to a similar truth degree on both of them [26]. Later, we are going to use this property of bisimilar FzKripke structures in devising our symbolic model checking approach.

3 Fuzzy Computational Tree Logic

Throughout this section, we assume the reader has knowledgeable about temporal logics, specifically the Computational Tree Logic (CTL). For a thorough introduction on CTL, we suggest to see relevant chapters in [2].

A reactive system is described adequately only if its ongoing behavior in any time step is addressed. An infinite sequence of actions leaving from current, and leading to next states represents a behavior of the system. Temporal logic is a well-established concept capable of describing behaviors of reactive systems [24]. Given analogue inputs as continuous variables whose range is [0, 1], a fuzzy control system is a reactive system that controls complex and continuously varying systems. Consequently, if one aims to describe and study behaviors of fuzzy control systems a fuzzy extended temporal logic can ease the process.

Since in a fuzzy system we are uncertain about the direction of execution path in each time step, Linear Temporal Logic (LTL) is an immediate inadequacy for describing them. In order to describe the behavior of such systems, Sotudeh and Movaghar introduced FzCTL\(^*\) in [26] such that it preserves branching time and uncertainty simultaneously. In this section, we define Fuzzy Computation Tree Logic (FzCTL) by restricting FzCTL\(^*\).

A temporal logic is only as powerful as the logic it is built on top of which. The more powerful the underlying logic is the more powerful the temporal logic will be in expressing model’s behavior. A recent study by Haiyu Pan et al. [22] defined a more restricted Fuzzy Computation Tree Logic that only encompasses fuzzy-{negation, conjunction, disjunction, and implication} operators. Meanwhile, almost all fuzzy logic operators in FzCTL\(^*\) are also included in FzCTL making it more descriptive and easier to use. Following subsection refreshes and redefines some fuzzy logic operators previously seen in [26].

3.1 Fuzzy logic operators

Fuzzy logic operators have a high variety of implementations; see [25, 28]. In the present study, we use their simplest implementations whose properties are similar to that of quasi-boolean algebra related to \(\upchi \)CTL. Fuzzy logic operations are:

$$\begin{aligned} true&= 1\\ false&= 0\\ \lnot a&= 1-a\\ a \sqcap b&= \min (a,b)\\ a \sqcup b&= \max (a,b)\\ a \rightarrow b&= \lnot a \sqcup b = \max (1-a,b) \end{aligned}$$

Additionally, using the saturation operator [15], shown in (1), we define discrete-saturation operator, please see (2).

(1)
(2)

3.2 Syntax

FzCTL formulae are categorized into two types: state formulae (as \(\varphi \)), and path formulae (as \(\varPhi \)). FzCTL state formulae are formed according to the following grammar:

where \(r \in [0,1]_\varDelta \), \(\varepsilon \in (0,1]_\varDelta \), \(a \in \mathbb {Q}^+\), and \(x \in X\), that is a set of state attributes. Path formulae express temporal properties of paths; they are formed according to the following grammar:

$$\begin{aligned} \varPhi ::= \hbox {X}\varphi ~\vert ~ \varphi \hbox {U}\varphi \end{aligned}$$

Although operators like bounded-add, discrete-saturation, and scalar-multiplication are not seen in \(\upchi \)CTL, they are determined by this logic. The full set of temporal operators can be defined using “Next” \(\hbox {X}\) and “Until” \(\hbox {U}\) as follows:

We borrowed the definitions for quasi-comparison\(\{ \prec \succ \preceq \succeq \approx \not \approx \}\) operators from [26]. Definitions for other comparison operators are also possible through the definition of \(\ge \) in conjunction with logical operators. Moreover, other auxiliary operators defined in [26] such as bounded-subtract and “if” are defined by FzCTL.

3.3 Semantic

Satisfaction relation can present truth degree of a formula. In the following notations, M represents an FzKripke model while s represents a certain state in M, and \(\pi \) is an infinite path defined on M.

Semantic of state formulae is defined as follows:

where “\({\text {op}}\)” can be a binary logical operator, a comparison operator, a quasi-comparison operator, or the bounded-add/subtract; the result of comparison operators is either “0” or “1”.

Semantic of path formulae can be defined as follows:

Given model M, satisfiability of proposition \(\varphi \) is defined as

Regarding the semantic of FzCTL formulae, the following equations are in place:

where \(\mu Z.f(x)\) and \(\nu Z.f(x)\) are greatest and smallest fixed points of f, respectively.

Example 1

The following properties hold for \(K_1\) as shown in Fig. 1:

$$\begin{aligned}&{\mathbb {P}}(K_1 \models {\hbox {EF}}(x)) = 0.5 \\&{\mathbb {P}}(K_1 \models {\hbox {EF}}(\lnot x)) = 0.9 \\&{\mathbb {P}}(K_1 \models {\hbox {EG}}(x < 0.5)) = 0.7 \end{aligned}$$
Fig. 1
figure 1

Q-FzKripke \(K_1\) with \(\varDelta = 0.1\) in which \(X = {x}\) and function \(\hbox {I}\) returns 1 for \(s_0\) and 0 for other states. Edges of \(K_1\) are demonstrating the relation \(\hbox {R}\) while relation \(\hbox {L}\) is represented by decimals depicted in each state

Full size image

Given an approximation error \(\varepsilon \) such that 1 is divisible by that, and an approximation function \(\tau _\varepsilon (x)\), it is shown that applying \(\tau _\varepsilon (x)\) on FzKripke M does not propagate the error while model checking an approximable FzCTL\(^*\) proposition on it [26]. Similarly, the quantization we defined on interval [0, 1] can be regarded as an immediate approximation of FzCTL and FzKripke with approximation error \(\frac{1}{\varDelta }\); which obviously does not propagate the error because FzCTL is a restricted version of FzCTL\(^*\) that preserves its approximability, and also due to our choice of fuzzy logic operators.

4 Quantized Fuzzy Program Graph

Fuzzy Program Graph (FzPG) provides higher-level abstraction of fuzzy systems and it that can be translated to an equivalent FzKripke model [26]. FzPG eases manual modelling process by providing a more scrutable semantics. We define Quantized Fuzzy Program Graph (Q-FzPG) quite similar to FzPG. In this section, we investigate Q-FzPG and its properties.

Definition 5

(Quantized Fuzzy Program Graph) This is a tuple \(G = (S, s_0, X, {\text {Init}}, {\text {Act}})\) where S is a set of states, \(s_0\in S\) is the initial state, and “\({\text {Init}}\)” is a function that defines degree of entrance to initial state. “\({\text {Act}}\)” is a relation defining state transitions; each state transition has two parts: (1) a function that defines transition degree, and (2) a function that maps truth degrees from attribute-set of the source state to that of destination. The formal definitions for “\({\text {Init}}\)” and “\({\text {Act}}\)” are:

$$\begin{aligned}&{\text {Init}}\in {\mathcal {F}}_{\varDelta ,X} \\&{\text {Act}}\in S\times S \nrightarrow {\mathcal {F}}_{\varDelta ,X} \times {\mathcal {G}}_{\varDelta ,X} \end{aligned}$$

where \({\mathcal {F}}_{\varDelta ,X} \in {\mathcal {P}}\big (\hbox {Val}_\varDelta (\hbox {X})\rightarrow [0,1]_\varDelta \big )\) and \({\mathcal {G}}_{\varDelta ,X} = {\mathcal {F}}_{\varDelta ,X}^{|X |}\).

All functions belonging to \({\mathcal {F}}_{\varDelta ,X}\) have the constraint of being compatible with the following grammar’s syntax:

where \(r\in [0,1]_\varDelta \), \(\varepsilon \in (0,1]_\varDelta \), \(a \in \mathbb {Q}^+\), and \(x \in X\). The rest of logical operators, comparison operators, quasi-comparison, and bounded-subtract are derivable from the above defined operators.

Although “\({\text {Act}}\)” is a partial function, it is possible to convert it to a total function as it was proposed for FzPG in [26]. To this end, it is enough to add missing state transitions for all nodes that are not connected directly, such that:

  1. 1.

    The transition possibility of the new edge is zero.

  2. 2.

    This edge assigns the possibility of the destination attributes by a list of zero values.

We can also make a new source by adding a dummy node \(\imath \) such that “\({\text {Init}}\)” continuously returns “1” for \(\iota \), meanwhile the previous “\({\text {Init}}\)” function must be merged with “\({\text {Act}}\)”.

Example 2

If \(X=(x,y)\), and \(\varDelta = 0.1\), then (fg) is an edge of Q-FzPG where:

4.1 Semantic

In order to express the semantic of FzPG an equivalent FzKripke is inevitably required [26]; similarly there is a \(K_G\) as an equivalent Q-FzKripke to an arbitrary Q-FzPG like G such that:

  1. 1.

    \(S^\prime = S \times {\text {Val}}_\varDelta (X)\)

  2. 2.

    \(\forall \eta \in {\text {Val}}_\varDelta (X)\)

    1. (a)

      if \(s \ne s_0\), then \(\forall s \in S \cdot \hbox {I}(s, \eta ) = 0\)

    2. (b)

      if \(s = s_0\), then \(\forall s \in S \cdot \hbox {I}(s, \eta ) = {\text {Init}}(\eta )\)

  3. 3.

    \(\forall \eta \in {\text {Val}}_\varDelta (X), \forall s \in S \cdot \hbox {L}(s, \eta ) = \eta \)

  4. 4.

    \(\forall \eta , \eta ^\prime \in {\text {Val}}_\varDelta (X), \forall s, s^\prime \in S\)

    1. (a)

      if \({\text {Act}}(s,s^\prime )\) is not defined, then \(\hbox {R}((s,\eta ),(s^\prime ,\eta ^\prime ))= 0\)

    2. (b)

      if \(({\text {A}},{\text {B}})={\text {Act}}(s,s^\prime )\), and \(\eta ^\prime ={\text {B}}(\eta )\) then \(\hbox {R}((s,\eta ),(s^\prime ,\eta ^\prime ))={\text {A}}(\eta )\)

Fig. 2
figure 2

An example of Q-FzPG alongside its equivalent Q-FzKripke model with \(\varDelta = 0.1\)

Full size image

When the equivalent Q-FzKripke accepts a proposition with a certain truth degree, we say that initial Q-FzPG also accepts the proposition with the same degree. Although there is an equivalent Q-FzPG denoted by \(G_K\) with the same number of states \(|S|\) to an arbitrary Q-FzKripke like K, it is against the purpose of Fuzzy Program Graph, which is to model the system in a highly compressed format, because for each state of \(G_K\) there is an equivalent state in K. To exemplify, an FzPG and an equivalent FzKripke are depicted in Fig. 2.

From this point onwards, for all Q-FzPGs we assume the “\({\text {Init}}\)” function returns “1” for initial state and “0” for all other states unless otherwise stated. In fact, we define a novel “\({\text {Init}}_\imath \)” function that returns “1” for a dummy source like \(\imath \); thereupon, by merging “\({\text {Init}}\)” and “\({\text {Act}}\)”, we obtain a Single-Source Q-FzPG that is referred to instead of the original Q-FzPG.

5 Symbolic checking of FzCTL on FzPG

Heretofore several symbolic methods are proposed to investigate satisfiability of propositions of multi-valued temporal logics, some of which use ordered binary decision diagram (OBDD), others use vectors of similar diagrams to store multi-valued Kripke models and investigate the satisfiability of propositions on that model [6, 7].

In order to check the temporal properties of a particular FzPG, initially, we translate it to an equivalent FzKripke; then, we check temporal properties on that FzKripke. This yields to an exponential blow-up in the state-space; thus, it is more appropriate to check the specification directly over the FzPG. To this purpose, we devised a symbolic checking method using OBDDs and vectors of OBDD.

Let \(\varDelta = 2^{-d}\), then since all numbers involved in model construction and model checking are multiples of \(\varDelta \), a data type with \(d+1\) bits is sufficient to store truth degrees, where the first bit of data type is the least significant bit and the \(d^{th}\) bit is the most significant one. In order to store a truth degree like \(\varepsilon \) in \(d+1\) bits, it is enough to store \(\varepsilon \times 2^d\) instead. For further readability, from this point forward we assume \(d^\prime = d+1\).

Example 3

Let \(\varDelta =4\) then we have:

$$\begin{aligned} 1.00\equiv 1.00\times 2^4&=(10000)_2\\ 0.50\equiv 0.50\times 2^4&=(01000)_2\\ 0.\overline{33}\equiv 0.\overline{33}\times 2^4&=(00101)_2\\ 0.25\equiv 0.25\times 2^4&=(00100)_2\\ 0.19\equiv 0.19\times 2^4&=(00011)_2\\ 0.00\equiv 0.00\times 2^4&=(00000)_2 \end{aligned}$$

We also encode attributes in a symbolic form; suppose W is a vector of bit vectors representing the set of all attributes X as follows:

$$\begin{aligned} W = \langle W_{1}, \dots , W_k \rangle , \quad k = |X |\end{aligned}$$

where \(W_i\) is a bit vector with length \(d^\prime \) representing encoded attribute \(x_i\), hence \(W_{ij}\) is a bit in vector \(W_i\).

$$\begin{aligned} W_i = \langle W_{i0}, \dots , W_{id} \rangle , \quad i \in 1~\cdots ~k \end{aligned}$$

Let U be union of variables used to encode model states S; this union has a total number of \(\lceil \log _2{|S |} \rceil \) members. From this point forward, we repeatedly use copies of U and W denoted by \(U^\prime \) and \(W^\prime \) respectively.

5.1 Auxiliary OBDD operators

This subsection is devoted to describe the functionality of important vector operations, besides basic operations defined on OBDDs that are necessary to define the proposed method.

Definition 6

Let \({v}_{}\) be a vector in terms of variables W and U, the OBDD of vector \({v}_{}\) is of maximum size \(2^h\) and maximum height h as follows:

$$\begin{aligned} h&= |W |+ |U |= n+kd^\prime \end{aligned}$$
(3)

where \(n = |U |\), \(k = |X |\) and \(d^\prime \) is the length of W.

Theorem 1

([16]) Logical combination of two OBDDs of size m and n is of time \(O(mn)\).

5.1.1 \(\textsc {vConst}\) and \(\textsc {vVal}\)

Converting integers and constants to vectors and viceversa is essential. Given an integer like “c” its vector representation is returned by function \(\textsc {vConst}\). On the other side, function \(\textsc {vVal}\) returns integer representation of a vector like “v”. We define constants “\(\textsc {True}\)” and “\(\textsc {False}\)” using \(\textsc {vConst}\) as follows:

Similarly, in order to convert a truth degree like \(r \in [0,1]_\varDelta \), we have:

5.1.2 \(\textsc {vIf}\)

When called like \(\textsc {vIf}(x, {v}_{1}, {v}_{2})\), this returns an OBDD vector whose \(i^\text {th}\) element equates to diagram \({\text {if}}(x, {v}_{1}[i], {v}_{2}[i])\). Parameter x is an OBDD, \({v}_{1}\) and \({v}_{2}\) are two vectors with \(d^\prime \) diagrams. \(\textsc {vIf}\) calculates the result iteratively in time \(O(d^\prime )\).

5.1.3 Comparison

Comparison operators return an OBDD by comparing two OBDD vectors. These are defined recursively (e.g. Algorithm 1). Operators “\(=,\ne ,>,\ge ,<,\le \)” and function prototypes “\(\textsc {vEql}, \textsc {vNeq}, \textsc {vGrt}, \textsc {vGeq}, \textsc {vLst}, \textsc {vLeq}\)”, are used interchangeably (e.g. \(\textsc {vLeq}({v}_{1},{v}_{2}) \equiv {v}_{1} \le {v}_{2}\)). Comparing two OBDD vectors of length \(d^\prime \) is convertible to an iterative logical combination of two OBDDs and the result is an OBDD of height h. The iteration is of order \(d^\prime \) thus the computational complexity of a comparison operator is \(O(d^\prime 2^{2h})\)

figure a

5.1.4 \(\textsc {vAdd}\) and \(\textsc {vSub}\)

Operators \(\textsc {vAdd}\) and \(\textsc {vSub}\) perform element-wise addition and subtraction of two vectors with similar length, the result is obviously a vector of same length. \(\textsc {vAdd}\) and \(\textsc {vSub}\) are also convertible to an iteration of order \(d^\prime \) of logical combination of OBDDs; therefore, they also run in time \(O(d^\prime 2^{2h})\). Similarly, bounded-add and bounded-subtract are permissible by comparison operations and \(\textsc {vIf}\); this indicates that they are of the same order as \(O(d^\prime 2^{2h})\).

5.1.5 Logical connectives

Logical operations over OBDD vectors are obtainable via previously defined operators. All logical operators run in time \(O(d^\prime 2^{2h})\).

(4)
(5)
(6)

Conjunction \(\wedge \) and disjunction \(\vee \) operators, and function prototypes \(\textsc {And}\) and \(\textsc {Or}\) are interchangeably used from this point onward.

5.1.6 \(\textsc {vMul}\) and \(\textsc {vDiv}\)

Operators \(\textsc {vMul}\) (\(\textsc {vDiv}\)) multiplies (divides) elements of a vector \({v}_{1}\) by a constant factor like c. The result is obviously a vector of the same length.

5.1.7 \(\textsc {Add}\) and \(\textsc {Mul}\)

We define add or multiply operations over two vectors as follows:

where \(h=\frac{\varepsilon }{\varDelta }\), \(a=\frac{p}{q}\) and \(p,q\in \mathbb {N}\).

5.2 Compiling FzCTL property to OBDD vector

For each sub-formula of FzCTL like \(\varphi \), an OBDD vector is calculated recursively called \(\tau (\varphi )\) using above defined auxiliary OBDD functions. Following are recursive procedures to calculate \(\tau \) for numbers, attributes and operators of a formula.

where \(h=\frac{\varepsilon }{\varDelta }\), \(a=\frac{p}{q}\) and \(p,q\in \mathbb {N}\). We can simply define the truth degree of proposition \(\varphi \), over a model like \(K_G\) as follows:

where \(\theta (s, \eta )\) denotes \({\mathbb {P}}(M,(s, \eta ) \models \varphi )\) and \(\tau (\varphi )\) is implicitly represented by vector \(\theta \). Conjunction operator \(\sqcap \) is obtainable using following property:

Property 1

For conjunction and disjunction of all member of set \(\mathrm {I}\subset \mathbb {R}\) we have:

$$\begin{aligned} \sqcap _{i \in \mathrm {I}} a_i = D \Leftrightarrow \exists i \in \mathrm {I}\cdot a_i = D \wedge \forall i \in \mathrm {I} \cdot a_i \ge D \Leftrightarrow \exists i \in \mathrm {I}\cdot a_i \le D \wedge \forall i \in \mathrm {I} \cdot a_i \ge D \\ \bigsqcup _{i \in \mathrm {I}} a_i = D \Leftrightarrow \exists i \in \mathrm {I}\cdot a_i = D \wedge \forall i \in \mathrm {I} \cdot a_i \le D \Leftrightarrow \exists i \in \mathrm {I}\cdot a_i \ge D \wedge \forall i \in \mathrm {I} \cdot a_i \le D\\ \end{aligned}$$

From this point onward, we refer to D as a vector of variables like \(D = \langle z_d, \dots , z_0\rangle \). Following algorithm is the required procedure to convert OBDD vector \(\tau (\varphi )\), which is represented by \(\theta (U,W)\), into a decimal number to determine the truth degree of proposition \(\varphi \) over an FzPG. Depending on the algorithms certain preprocesses may be involved prior to evaluate truth degree of \(\tau (\varphi )\), some of which are referred later in this paper.

figure b

In line 2, we restrict members of vector \(\alpha \) to node \(s_0\) in time \(O(d^\prime 2^h)\), then we restrict members of \(\theta \) to nodes in \(\alpha \) (that is \(s_0\)) in line 4 to create vector \(\lambda \) in time \(O(d^\prime 2^h)\). In lines 6 and 7, the comparison operators are of time complexity of \(O(d^\prime 2^{2(h+d^\prime )})\) and results are of memory complexity of \(O(2^{h+d^\prime })\). In those lines, the universal and existential quantifiers are restriction operators each of which is of time complexity of \(O(2^{h+d^\prime })\). These quantifiers eliminate participant variables in diagrams and reduce the height of corresponding diagrams gradually by one. Conjunction over \(\beta _1\) and \(\beta _2\) forms \(\beta \) in time \(O(2^{2d^\prime })\).

According to properties of \(\sqcap \), \(\beta \) is a composition of minterms of variables \(z_0\) to \(z_d\). In line 10, expression D[i] represents \(z_i\), so when \(z_i\) participates in \(\beta \), expression \(\rho [i]\) evaluates to 1 otherwise to 0, the complexity of calculating vector \(\rho \) is \(O(2^{d^\prime })\). Finally, dividing \(\textsc {vVal}(\rho )\) by \(2^d\) results in the truth degree of \(\varphi \). This algorithm is of time complexity of \(O(d^\prime 2^{2(h+d^\prime )})\).

5.3 Temporal operators

An implication operator represents the transition edge between nodes s and t. A disjunction over all transition implications forms relation \(\hbox {R}\). In order to add a transition edge to relation \(\hbox {R}\), we initially calculate and store vectors of \({\text {Act}}(s, t)\), then using implication operator we calculate the transition edge that eventually aggregates to \(\hbox {R}\) with a disjunction; please see Algorithm 3.

figure c

In line 2, it is assumed the \({\text {Act}}(s, t)\) is a total function. Otherwise, we repeatedly call \(\textsc {AddRelation}\) on each and every one of transition edges between each pair. Since \(W^\prime \) and B are both vectors of k rows and each row is consist of \(d^\prime \) elements, OBDDs for these variables is of height \(kd^\prime \). Accordingly, \(\textsc {vEql}(W^\prime _i, B_i)\) is of complexity of \(O(d^\prime 2^{2kd^\prime })\) and therefore \(\textsc {vEql}(W^\prime , B)\) is of time complexity of \(O(kd^\prime 2^{2kd^\prime })\). Line 3, calculates \(\alpha \) in time \(O(2^{2h+1})\) and line 4 runs in time \(O(d^\prime 2^{2h+1})\); subsequently, calculating relation \(\hbox {R}\) is of the following complexity:

$$\begin{aligned}&O\big (r(2^{2h+1} + d^\prime 2^{2h+1} + kd^\prime 2^{2kd^\prime })\big ) = O\Big (r\big (2^{2h+1}(1+d^\prime ) + kd^\prime 2^{2kd^\prime } \big ) \Big ) \\&\quad = O\Big (r\big (d^\prime 2^{2h+1} + kd^\prime 2^{2kd^\prime } \big ) \Big ) = O\Big (rd^\prime 2^{2kd^\prime }\big (2^{2n+1} + k \big ) \Big ). \end{aligned}$$

5.3.1 EX operator

According to semantic of \({\text {EX}}\) operator in FzCTL over \(K_G\) model, we have:

$$\begin{aligned}&{\mathbb {P}}(M,(s,\eta ) \models {\text {EX}}\varphi )= \bigsqcup _{(s^\prime , \eta ^\prime )\in S^\prime } {\mathbb {P}}(M,(s^\prime ,\eta ^\prime )\models \varphi ) \sqcap \hbox {R}((s,\eta ),(s^\prime ,\eta ^\prime )). \end{aligned}$$
(7)

where \(\hbox {R}\) can be obtained according to its definition in \(K_G\). Now we can rewrite (7) by substituting \(\tau (\varphi )\) with \(\theta \) and \(\tau ({\text {EX}}\varphi )\) with \(\rho \) as follows:

$$\begin{aligned} \rho (s,\eta )= \bigsqcup _{(s^\prime , \eta ^\prime )\in S^\prime } \theta (s^\prime ,\eta ^\prime ) \sqcap \hbox {R}((s,\eta ),(s^\prime ,\eta ^\prime )). \end{aligned}$$

The simplest method to calculate \(\rho (s,\eta )\) is to find the maximum value for conjunction of \(\theta \) and vector \(\hbox {R}\) [7]. Algorithm 4 illustrates a procedure to calculate \(\rho \). In this algorithm, \(\psi \) represents the equality of vector D and vector \(\rho \) (i.e., a vector of diagrams in terms of U and W) as follows:

where \(\oplus \) represents eXclusive-OR. In line 8 of algorithm 4, the expression \(\exists D \cdot (D[i] \wedge \psi )\) forms \(\rho [i]\), as for \(D^\prime = \langle z_d,\dots ,z_{i+1},z_{i-1},\dots ,z_0\rangle \) we have:

$$\begin{aligned} \exists D \cdot (z_i \wedge \psi )&= \exists D^\prime \cdot \exists z_i \cdot (z_i \wedge \psi ) = \exists D^\prime \cdot \exists z_i \cdot \big ( z_i \wedge \rho _i \wedge (\bigwedge _{i\ne j} z_j \oplus \rho _j) \big )\\&= \exists D^\prime \cdot \big ( \rho _i \wedge (\bigwedge _{i\ne j} z_j \oplus \rho _j) \big ) = \rho _i \wedge \exists D^\prime \cdot \big (\bigwedge _{i\ne j} z_j \oplus \rho _j \big )\\&= \rho _i \wedge 1 = \rho _i \end{aligned}$$
figure d

Bits in \(\theta \) are of height h and bits of \(\hbox {R}\) are of height 2h. Line 2 forms \(\theta ^\prime \) from \(\theta \) in time \(O(d^\prime 2^h)\). In line 3, \(\lambda \) is formed by applying \(\textsc {And}\) on two vectors of \(d^\prime \) bits which according to (4) is convertible to \(\textsc {vGeq}\) that takes \(O(d^\prime )\) times of conjunctive and disjunctive operations on corresponding bits. Composition of individual bits of \(\theta ^\prime \) and \(\hbox {R}\) is of order \(O(2^{3h})\) and the resulted bit is of height 2h. Conjunctive and disjunctive operations on diagrams of height 2h is of order \(O(2^{4h})\), which leads us to the computational complexity of \(O(d^\prime 2^{4h})\) and a result of height 2h for \(\textsc {vGeq}\). The \(\textsc {vIf}\) is of the same computational complexity therefore total complexity of line 3 is \(O(d^\prime 2^{4h})\).

In order to form \(\psi _1\) and \(\psi _2\), comparing vectors of size \(d^\prime \) bits with diagrams of height \(d^\prime \) and h is required as shown in lines 4 and 5. These comparison operations result in diagrams of maximum height \(d^\prime + h\) in time complexity of \(O(d^\prime 2^{2(h+d^\prime )})\); through a similar reasoning that we used while computing \(\lambda \) in line 3. Universal and existential quantifiers in lines 4 and 5eliminate participant variables in diagrams and reduce the height of corresponding diagrams gradually by one, consequently all predicates in these lines (i.e., \(\lambda \ge D\) and \(\lambda \le D\)) are quantified in time complexity of \(O(2^{2h+d^\prime })\), because we have:

$$\begin{aligned} O\big (2^{2h+d^\prime }+2^{2h+d^\prime -1}+\dots +2^{h+d^\prime }\big ) = O\big (2^{2h+d^\prime }\big ). \end{aligned}$$

Time complexity for universal and existential quantification is negligible in comparison with the time complexity of comparison operators therefore lines 4 and 5are of time complexity \(O(d^\prime 2^{2(h+d^\prime )})\). Since \(\psi _1\) and \(\psi _2\) are of maximum height of \(h + d^\prime \) the their conjunction in line 6 is of time \(O(2^{2(h+d^\prime )})\). Subsequently, \(\psi \) is obtainable in total time \(O(d^\prime 2^{2(h+d^\prime )})\). In line 8, \(D[i]\wedge \psi \) is of time \(O(2^{h+d^\prime })\); moreover, computational complexity of existential quantification, \(\exists D\), is as follows:

$$\begin{aligned} O\big (2^{h+d^\prime } + 2^{h+d^\prime -1} + \dots + 2^{h+1} \big ) = O\big (2^{h+d^\prime } \big ). \end{aligned}$$

Having computed \(\psi \), then \(\rho \) is obtainable in time \(O(d^\prime 2^{2(h+d^\prime )})\); therefore, the total complexity for \(\textsc {Ex}\) operator is as follows:

$$\begin{aligned} O\big (d^\prime 2^{4h} + d^\prime 2^{2(h+d^\prime )} + 2^{h+d^\prime } \big ) = O\big (d^\prime 2^{4h} \big ). \end{aligned}$$

5.3.2 EU operator

The semantic of \(\hbox {E}(\varphi \hbox {U}\psi )\) indicates it only equates to “1” only if \(\psi \) eventually occurs. We formally define “strong until” using the fixed-point concept as shown in Algorithm 5.

figure e

Computing \(\textsc {Eu}\) requires \(\textsc {Ex}\) and a variety of auxiliary operations to be called repetitively. For each iteration computational complexity of auxiliary operators are negligible comparing to that of \(\textsc {Ex}\) operator. \(\textsc {Eu}\) operator give rise to a sequence of vectors as follows:

$$\begin{aligned} Z_1, Z_2, \dots , Z_g \end{aligned}$$

where \(Z_i\) is equivalent to a function that maps members of \(S^\prime \) to \([0,1]_\varDelta \). This equivalency can be demonstrated as follows:

$$\begin{aligned} Z_i&= \Big \lbrace \big ((s_1,\eta _1),v^{(i)}_1\big ), \dots , \big ((s_e,\eta _e),v^{(i)}_e \big ) \Big \rbrace \quad \forall j \in \{1 \dots e\} \cdot v^{(i)}_j \in [0,1]_\varDelta \end{aligned}$$

where \(e=|S^\prime |\). In each iteration of \(\textsc {Eu}\) some values of \(v^{(i)}_j\) are increased till convergence happens in the \(g^{th}\) iteration. This property can be formalized as:

$$\begin{aligned} \forall i \in 1 \dots (g-1) \cdot \left( \forall j \in 1 \dots e \cdot v^{(i+1)}_j \ge v^{(i)}_j \wedge \exists j \in 1 \dots e \cdot v^{(i+1)}_j \ge v^{(i)}_j + \varDelta \right) \end{aligned}$$
(8)

According to (8) it is obvious \(g \le \frac{e}{\varDelta }\), because in each iteration there exists at least one \(v_j\) whose value is incremented by a minimum of \(\varDelta \). In order to store all members of \(S^\prime \) we use all variables U and W, consequently \(e=O(2^h)\) and \(g = O(2^{h+d^\prime })\). In practice the convergence happens quickly and this is the worst-case convergence time. Given the computational complexity of \(\textsc {Ex}\) operator, the computational complexity of \(\textsc {Eu}\) is of \(O(d^\prime 2^{5h+d^\prime })\).

5.3.3 AU operator

The definition of \(\textsc {Au}\) operator is quite similar to \(\textsc {Eu}\) and similar reasoning applies to its time complexity analysis; please see Algorithm 6.

figure f

5.3.4 AX operator

The definition of \(\textsc {Ax}\) is directly obtained from the definition of \(\textsc {Ex}\) operator as shown in Algorithm 7, therefore the time complexity of this operator is similar to that of \(\textsc {Ex}\) operator.

figure g

5.4 Computational complexity analysis

Forming relation \(\hbox {R}\) is the preprocessing step of checking proposition \(\varphi \) over a model, then operators of temporal logic are computed recursively. Finally, we evaluate the truth degree of \(\varphi \) in a post-processing step. The most costly and time-consuming stage in verification of proposition \(\varphi \) are \(\textsc {Eu}\) and \(\textsc {Au}\) operators. Let \(|\varphi |\) be the length of proposition \(\varphi \), then for overall time complexity we have:

$$\begin{aligned}&O(rd^\prime 2^{2kd^\prime }(k+2^{2n}) + |\varphi |\times (d^\prime 2^{5h+d^\prime }) + (d^\prime 2^{2(h+d^\prime )}))\\&\quad =O( d^\prime 2^{2h} (r(1 + k2^{-2n}) + |\varphi |\times 2^{3h+d^\prime } + 2^{2d^\prime } ) ) \end{aligned}$$

since k is naturally a small number and \(r=O(|S |^2) = O(2^{2n})\) then computational complexity of checking \(\varphi \) over a model is of computational complexity of \(O(|\varphi |\times d^\prime 2^{5h+d^\prime })\).

Please note that we are counting computational steps with different scaling parameters. Unlike the general convention of considering computational complexity by the size of state-space, we considered the computational complexity by the length of encoding. The reason for this unorthodox convention is simply that our applications of interest required a speed-accuracy trade-off. In other words, we simply calculated the willingness to respond slowly with fewer errors compared to quick response with relatively more errors.

Whilst this manuscript was under review authors were informed that a similar study is done for model checking of a fuzzy logic extended CTL over a fuzzy logic extended Kripke Structure [22]. They claimed the computational complexity of checking fuzzy logic extended CTL formulae \(\varphi \) over a fuzzy logic extended Kripke structure is as follows:

$$\begin{aligned} O(\vert \varphi \vert \times (\vert S' \vert ^2 + \vert S' \vert \times \log \vert S'\vert )), \end{aligned}$$

where \(S'\) is the state-space of the Kripke structure. Please note, the state-space of an FzKripke structure can be larger than that of an equal FzPG by an exponential factor; that is, \(O(\vert S' \vert )\) = \(O(\vert S \times {\text {Val}}_\varDelta (X) \vert )\), where S is the state-space of the FzPG. The computational complexity of our model checking approach with respect to state-space of equal FzKripke is \(S'\) is of \(O(\vert S' \vert ^5)\), which is by no means tight.

Nevertheless, in order to model check a given FzPG, we need to construct the complete state-space of an equal FzKripke including its whole transition edges so that we are able to model check the equal FzKripke structure using the approach in [22]. This is computationally expensive and eventually leads to an state-space explosion; yet, since our approach directly model checks the FzCTL formula on the FzPG, state space explosion is effectively avoided; Sects. 6.1 and Appendix A.2 provide intuitive assessments of our method by reporting practical execution time and memory consumption.

The memory complexity of model checking an FzKripke structure in both approaches is of \(O(\vert S' \vert ^ 2)\). Although simple operations like comparison are of computational complexity of \(O(d)\) while using OBDD, we believe OBDD provides a more compact and more efficient representation of our state-space. Further research is necessary to provide an insightful comparison of these two approaches in terms of expressiveness, applicability, and scalability.

6 Fuzzy flip-flops

The concept of fuzzy flip-flops was first proposed by Hirota et al. and then studied in [8, 13, 14, 19, 20]. They presented the idea of designing fuzzy logic hardware systems using fuzzy flip-flops. Fuzzy flip-flops are made of fuzzy logic gates through having some extensions to binary flip-flops. Almost none of fuzzy flip-flops are suitable for realizing neurons in a multilayer perceptron because instability is the issue with almost all of them; this means the output of the circuit may fluctuate under certain conditions. In this section, we first investigate the correctness of a previously proposed multi-valued D flip-flop using our proposed formal method, and then we introduce a formal model of fuzzy J-K flip-flop and investigate the correctness of its behavior.

Fig. 3
figure 3

Block diagram of multi-valued D flip-flop that is proposed in [8]. AND gates represent \(\min \) function; similarly OR gates represent \(\max \) function. We have labeled the output of each and every gate with \(y_1\) to \(y_7\), N, and Q for further readability

Full size image

6.1 Fuzzy D Flip-Flop

Ben Choi and Kankana Shulka proposed a multi-valued D flip-flop in [8]. Although they investigated the validity of their proposed circuit via computer simulations, under certain conditions gate delays lead to dynamic hazards. In this section, we show under which condition an unpredictable sequence of outputs are generated periodically for Choi’s circuitry. Another multi-valued D flip-flop is verified with a quite similar method, which led to discovery of static hazards in the circuitry [26].

Fig. 4
figure 4

FzPG G which represents the multi-valued D flip-flop depicted in Fig. 3

Full size image

Figure 3 illustrates the block diagram of Choi’s D flip-flop. For the sake of simplicity, we assume propagation delay for all gates are the same and the value is equal to \(T = 2^{-p}\) where p is a positive integer. We also assume input D is stable and the CLK is a pulse in the following form:

figure h

where \(\alpha \) and \(\beta \) are integers. Great values of \(\alpha \) and \(\beta \) do not cause any problems except slowing down the circuit. On the other hand, if \(\alpha \) and \(\beta \) would be smaller than a limit there are no chance for the circuit to stabilize its output therefore it acts incorrectly. We can prove by model checking that this design requires the values of \(\alpha \) and \(\beta \) to be at least 7. Let us assume \(N=\frac{1}{T}\) be the maximum possible value for \(\alpha \) and \(\beta \) (obviously this is an assumption to simplify the modeling problem, greater values would not affect the circuit but slowing it down).

We have also labeled all the outputs for each logical gate in this block diagram, please see Fig. 3. Fresh primed labels are used to denote the outputs of logical gates after T time units; now it is easy to compute the output of each gate considering its inputs. From this point onward we denote CLK as C for further readability.

$$\begin{aligned} y_1^\prime&=\lnot C\\ y_2^\prime&=y_1 \sqcap Q\\ y_3^\prime&=D \sqcap C\\ y_4^\prime&=y_2 \sqcup y_3\\ y_5^\prime&=y_4 \sqcup Q\\ y_6^\prime&=y_4 \sqcup N\\ y_7^\prime&=y_5 \sqcap y_6\\ Q^\prime&=y_4 \sqcap y_7\\ N^\prime&=\lnot Q \end{aligned}$$

Now we consider an FzPG with two states \(s_0\) and \(s_1\). Being in state \(s_0\) means CLK is 0 and being in \(S_1\) conveys the opposite, please see Fig. 4. The attribute set X is as follows:

$$\begin{aligned} X= \langle \varGamma ,u,D,C,y_1,y_2,y_3,y_4,y_5,y_6,y_7,Q,N \rangle \end{aligned}$$

Attribute \(\varGamma \) represents the passage of time in states of FzPG with steps of T, therefore on the verge of entering a new state the value for this attribute is 0; whilst on a state, as soon as \(\varGamma \) changes the output of all gates will change accordingly. Attribute u represents the raising edge of the clock pulse; it is set to 1 while the clock is pulse raised. Once u is set it will preserve its value. Participating functions in graph G are defined as:

6.1.1 Properties of multi-valued D flip-flop

In order to verify Choi’s design of multi-valued D flip-flop, we defined its properties using FzCTL and then investigated their correctness using model checking.

Property 2

6T after the very first raising edge of clock pulse, we will have \(Q=D\) for the rest of time. This property is expressible in FzCTL as follows:

$$\begin{aligned} {\text {AG}}\big (u=1 \rightarrow {\text {AX}}^6 \big ({\text {AG}}(Q=D)\big )\big ) \end{aligned}$$

where D is input, \({\text {AX}}^n\) denotes applying \({\text {AX}}\) operator n consecutive times. This proposition evaluates to 0.

Property 3

6T after the very first raising edge of clock pulse, the possible values for Q are D, \({\overline{D}}\), and 0. This property is expressible in FzCTL as follows:

$$\begin{aligned} {\text {AG}}\big (u=1 \rightarrow {\text {AX}}^6 \big ({\text {AG}}(Q=D \sqcup Q=0\sqcup Q={\overline{D}})\big )\big ) \end{aligned}$$

Finally, this proposition evaluates to 1.

Table 1 depicts a trace that nullifies the first property. There is an issue caused by the propagation delay of NOT gate while falling edge occurs. According to Table 1, a dynamic hazard with a period of 3T emerged at time \(t+5T\). As can be observed if \(D<{\overline{D}}\) then on the verge of clock’s falling edge the next value for Q is among D, 0, or \({\overline{D}}\) otherwise if \(D>{\overline{D}}\) then Q is either D or 0. A short while after clock’s rising edge (i.e. less than 6T) the state of circuit will be reverted to column t. As long as clock pulse is high, the state is preserved.

Table 1 Unstable condition of fuzzy D flip-flop
Full size table

6.1.2 Experimental results

We ran the experiments on a laptop with 4GBytes of RAM with Intel\(^\circledR \) CoreTM2 Due (2.6 G.Hz.) CPU that runs Windows XP Professional (32bits). We used BuDDy library [16] to implement proposed algorithms because this library provides a near comprehensive set of tools and functions to work with OBDDs and their vectors. In this library nodes of all diagrams are stored and retrieved by a hashing method. The total size allocated for each node is 20 bytes and the upper bound for number of nodes is initialized by function “bdd_init” which we set it to 100,000,000; that is, a total memory of 2GBytes. Due to memory space constraints, as soon as 70% of the allocated memory is consumed, we reorder diagrams to reduce number of nodes as well as consumed memory.

We used different parameter values for \(\alpha \) and \(\beta \) ranging from \(2^3\) to \(2^5\); please see Table 2. For all cases the first property evaluates to 0 while the second property evaluates to 1. In case of parameter values less than 7 for \(\alpha \) or \(\beta \) both properties evaluate to 0. Changing T to any value ranging from \(2^{-6}\) to \(2^{-3}\) did not affect the results yet it affected memory consumption and execution time of the proposed model checker. Meanwhile, Table 3 presents the practical orders on computational power and memory space needed for our proposed method. As can be seen by reported computational and memory complexity are not tight.

Table 2 Given \(h=5\) and considering different values of \(\alpha \) and \(\beta \), we recorded number of calls to \(\textsc {Ex}\) operator (\(\#\textsc {Ex}\)), execution time in milliseconds, and memory consumption in terms of BDD nodes
Full size table
Table 3 Given \(\alpha T = \beta T = \frac{1}{2}\) we recorded the state-space size, number of calls to \(\textsc {Ex}\) operator (\(\#\textsc {Ex}\)), execution time in milliseconds, and memory consumption in terms of BDD nodes for different values of h
Full size table

6.2 Fuzzy J-K flip-flop

In this subsection we are destined neither to provide an on-chip fuzzy system nor their applications but a formal model realizing a fuzzy flip-flops.

6.2.1 Fuzzy NAND gate

Fuzzy operations are simple to realize physically, except for more complex gates like eXclusive-OR. Variations of fuzzy NAND gates are implemented in [19], however they are ignored in this study because of their complexity. The NAND gate depicted in Fig. 5 is a fuzzy logic gate simply defined by \(\min -\max \) norms as follows:

$$\begin{aligned} {\text {NAND}}_1(x,y) = 1 - \min (x,y) = \lnot (x \sqcap y) \end{aligned}$$

This gate can also be defined using the Łukasiewicz t-norm as follows:

Fig. 5
figure 5

J-K flip-flop block diagram

Full size image

6.2.2 Properties of fuzzy J-K flip-flop

Obviously, inputs and outputs of fuzzy \({\text {NAND}}\) gate are decimals from [0, 1]. Suppose numbers smaller or equal to 0.25 as low and numbers larger or equal to 0.75 as high and the numbers in-between these two bounds as invalid values. According to Fig. 5 the following properties holds for each fuzzy J-K flip-flop.

Property 4

If J is high and K is low at the clock edge, then Q output is forced high and stays high while \({\overline{Q}}\) is forced low and stays low for sure. Note that at the beginning initial values of Q and \({\overline{Q}}\) are random and even may be invalid values like 0.5.

The following is FzCTL proposition of the above property:

$$\begin{aligned} P_1 =&J \ge 0.75 \sqcap K \le 0.25 \\&\rightarrow {\text {AF}}\big ({\text {AG}}(Q \ge 0.75 \sqcap {\overline{Q}} \le 0.25) \big ) \end{aligned}$$

Following is the FzPG for Fuzzy J-K flip-flop as depicted in Fig. 6,

$$\begin{aligned}&G = \big \lbrace \lbrace s_0 \rbrace , s_0, \lbrace J,K,Q,{\overline{Q}} \rbrace , {\text {Init}},{\text {Act}}\big \rbrace \\&{\text {Init}}(s_0) = [1] \\&{\text {Act}}(s_0,s_0)= ([1],J,K,Q_{next},{\overline{Q}}_{new}),\\&\qquad Q_{next}= {\text {NAND}}({\overline{Q}}, {\text {NAND}}({\overline{Q}},J)), \\&\qquad {\overline{Q}}_{next}= {\text {NAND}}(Q, {\text {NAND}}(Q,K)) \end{aligned}$$

If we rewrite \({\text {NAND}}\) functions (as shown below), we can use them to construct the corresponding FzPG. Discrete saturation operator is used to quantize input values in order to have a finite number of states in the equivalent FzKripke.

Using \({\text {NAND}}_1\) while constructing FzPG G there is a condition in which flip-flop works improperly (and that is when the initial state values for the Q and \({\overline{Q}}\) are invalid) thus the property is incorrect and proposition \(P_1\) evaluates to 0; see Table 4 for traces and configuration of model. By substitution of \({\text {NAND}}_1\) with \({\text {NAND}}_2\), proposition \(P_1\) (for all \(\varepsilon \ge 0.25\)) evaluates to 1, and the property always holds.

Fig. 6
figure 6

FzPG of the J-K flip-flop shown in Fig. 5

Full size image

If another criterion is imposed to proposition \(P_1\), then the property holds for both \({\text {NAND}}_1\) and \({\text {NAND}}_2\). The following proposition corrects improper behavior of the flip-flop.

$$\begin{aligned} P^\prime _1&= J \ge 0.75 \sqcap K \le 0.25 \\&\sqcap (Q \ge 0.75 \sqcup Q \le 0.25) \sqcap ({\overline{Q}} \ge 0.75 \sqcup {\overline{Q}} \le 0.25) \\&\rightarrow {\text {AF}}\big ({\text {AG}}(Q \ge 0.75 \sqcap {\overline{Q}} \le 0.25) \big ) \end{aligned}$$
Table 4 Unstable condition of Fuzzy J-K flip-flop using \({\text {NAND}}_1\)
Full size table

7 Conclusion and future work

We defined Quantized FzKripke as a variant of multi-valued Kripke structure on interval \([0,1]_\varDelta \). We also defined FzCTL as the modal temporal logic to express temporal properties of FzKripke. A series of operators like quasi-comparison, bounded-add, bounded-subtract, and scalar-multiplication on discrete interval are defined in FzCTL that are rarely seen in other logics introduced prior to this. This gives FzCTL the ability to specify sophisticated behaviors of fuzzy systems easily.

Having defined a powerful fuzzy temporal logic, we paired it with FzPG as the modeling structure. This is a more convenient structure to model fuzzy systems due to its compactness and readability. Moreover, we introduced Quantized FzPG such that it is convertible to Quantized FzKripke. In order to model check an FzCTL formula \(\varphi \) over an FzPG a translation to an equivalent FzKripke with an exponential blow-up was inevitable leading to state-space explosion. By the means of OBDD vectors, we devised a symbolic method that can perform direct checking of \(\varphi \) on a Quantized FzPG avoiding the aforementioned exponential blow-up.

In order to demonstrate the applicability of our method, we formally investigated the correctness of a multi-valued D Flip-Flop as a case study, and showed a flaw in the circuitry that is not seen in design phase with computer simulations. This flaw yields to a dynamic hazard making the whole flip-flop unstable under certain initial conditions. Afterwards, by investigating a potential design for Fuzzy J-K Flip-Flops, we demonstrated how the proposed method can be useful in design phase of such intuitive circuits for analyzing their complex behaviors.

Considering the expressibility of FzCTL, compactness and readability of FzPG, our method is affordable in terms of memory and computational complexity. We believe further investigation is needed to compare our proposed method with a relevant method introduced in [22] in terms of expressiveness, scalability, and applicability for real-world scenarios. We believe it is not the case that these methods are not equivalent but making this comparison is initially difficult because the modeling structure in [22], i.e., FzKripke structure, is by an exponential factor larger than FzPG and the model checking method in [22] follows a different theoretical base.

Furthermore, an improved implementation for \(\textsc {Ex}\) operator is proposed in Appendix A, which is of lower memory and computational complexity. Not only we analysed the worst case complexity of all algorithms in this paper but we also implemented our method and made an intuitive assessment. Appendix A.2 reads about practical performance analysis of the proposed method through an intuitive assessment.

We had covered all preliminaries about abstraction and approximation in fuzzy temporal logic and models in a discrete setup [26]; and now we covered a symbolic model checker that deals with state-space explosion in the same setup. The ultimate goal of this series of research is to apply formal verification in field of fuzzy control systems. To this purpose, it is required to define some extensions to our modeling, specification, and verification approach. For future research our intention is to perceive concrete time in form of fuzzy sets and also to include natural language propositions in an augmented fuzzy extended temporal logic.