Model Checking Fuzzy Computation Tree Logic Based on Fuzzy Decision Processes with Cost

In order to solve the problems in fuzzy computation tree logic model checking with cost operator, we propose a fuzzy decision process computation tree logic model checking method with cost. Firstly, we introduce a fuzzy decision process model with cost, which can not only describe the uncertain choice and transition possibility of systems, but also quantitatively describe the cost of the systems. Secondly, under the model of the fuzzy decision process with cost, we give the syntax and semantics of the fuzzy computation tree logic with cost operators. Thirdly, we study the problem of computation tree logic model checking for fuzzy decision process with cost, and give its matrix calculation method and algorithm. We use the example of medical expert systems to illustrate the method and model checking algorithm.


Introduction
Model checking is an important formal verification method. Because of its automatic, model checking has been widely used in the analysis and verification of computer hardware and software systems, communication protocols, security protocols and so on. Model checking is mainly composed of three parts: the first is to model the system under consideration, the second is to use formal language to describe the properties, and the third is to use a model checking algorithm to systematically check whether or not the given model satisfies these properties [1].
Classical model checking [2,3] was formulated for verifying the qualitative properties of systems. However, the Boolean result is not enough for the models with quantitative information, such as a 90 percent probability of the system crashing during operation. At present, more and more complex computer systems have the characteristics of randomness, uncertainty and inconsistency. In order to deal with the verification of complex systems, many quantitative model checking methods have been proposed by academia.
Probabilistic model checking [4][5][6][7][8] mainly deals with the problem of model checking for systems with uncertainties generated by stochastic processes. Its goal is to determine the accuracy of probabilistic systems for quantitative probability specifications. Sometimes models may contain inconsistencies as they connect conflict points or contain components designed by different designers independently. In order to verify complex systems with inconsistencies and uncertainties, multi-valued model checking [9][10][11][12] is proposed. Fuzzy model checking [13][14][15][16][17][18][19][20] pays more attention to the true value of the properties, which is another kind of uncertainty, caused by unclear concept extension [21][22][23]. Both possibility model checking [13,14], and generalized possibility model checking [15,16,24] are based on possibility measure, a combination of possibility measure theory in fuzzy set with model checking. Possibilistic Kripke structure is used to model the system, and possibilistic temporal logic is used to describe properties. Li Yongming et al. [14] use the operators in possibilitic computation tree logic to replace the existence and arbitrary quantifiers of classical computation tree logic to calculate the possibility that the model satisfies the properties. In the process of calculating the possibility measure, the possibility of the path cylinder set after reaching the state also participates in the calculation, but these calculations can be ignored in most systems. Pan Haiyu et al. [19] use fuzzy Kripke structure to model the systems, fuzzy computation tree logic(FCTL) to describe properties and study fuzzy model checking.
Fuzzy Kripke structure is characterized by a state-to-state transition without a cost. However, in daily life, the transition may be different and have some cost [25]. For example, consider the disease diagnosis system studied in [14,19,26]. Suppose there are multi-steps treatments A and B for a disease, and different treatment needs different costs for each step during the process. The models in the literature [14,19,26] can only describe the situation that experts have been using treatment A or B during the treatment but cannot describe the situation where experts use A as the first and third steps and use B as the other steps. In addition, the cost of treatments is also unable to represent and verify. For the above reasons, we have done this paper. First, we define a fuzzy decision process model with a cost function, which can not only describe the nondeterministic choices but also describe the quantitative properties. Second, we introduce the definition of scheduler into the uncertain selection of actions so that the fuzzy decision process with cost function can be transformed into a fuzzy Kripke structure with a cost function. Then, we present the syntax and semantics of fuzzy computation tree logic with the cost operator. Finally, we calculate the quantitative possibility and cost of the problem according to the model checking algorithm. The main contributions of this paper are as follows. • A fuzzy decision process model with cost function is defined, which can describe the cost and other quantitative properties of a fuzzy system. The action property in the model is used to describe the uncertain action selection of the model, and the cost property is used to describe the cost of the system. • The FCTL is extended to FCTL with cost operator. The fuzzy computation tree logic with cost operator inherits the existence and arbitrary quantifiers of classical temporal logic and adds operators about cost. • The fuzzy computation tree logic model checking quantitative calculation formula and algorithm are given. At the same time, the complexity of the algorithm is analyzed.
The paper is organized as follows: in Section 2, the basic theoretical knowledge of fuzzy mathematics and fuzzy Kripke structure are given. In Section 3, we define a fuzzy decision process model with a cost function. In Section 4, we define fuzzy computation tree logic with a cost operator. In Section 5, we give the fuzzy computation tree logic model checking quantitative calculation formula and algorithm. Section 6 is an example. Section 7 summarizes this paper.

Preliminaries
A fuzzy set is a mathematical concept proposed by Zadeh in 1965. Fuzziness, in general, refers to any indistinct phenomena, where there is no clear boundary between "stability" and "instability", "healthy" and "unhealthy". The transition from one state to another is a continuous process when quantitative changes accumulate and eventually result in a qualitative change, which is due to the uncertainty caused by the breaking of the law of excluded middle. To model and verify fuzzy systems, we provide some necessary knowledge, which includes the fuzzy set, fuzzy set operation, fuzzy matrix operation, closure and others. Definition 1 ([27]). Let X be a universal set. A fuzzy set A of X is a function which associates each element in X a value in the interval [0, 1], i.e., A : X −→ [0, 1]. For x ∈ X, A(x) is the membership of x in the fuzzy set A.
We use F (X) to represent all fuzzy sets in X,, i.e., F (X) = {A | A : X −→ [0, 1]}. Definition 2 ([27]). Let A, B ∈ F (X), we use A ∪ B, A ∩ B, A c to represent the union, intersection and complement of A and B. The definition is as follows.
Furthermore, we have De Morgan's laws.
Fuzzy matrix is a kind of special matrix, in which the value of each element is in the interval [0, 1]. It has some interesting operations and natures as follows.

Definition 3 ([28]
). Let R and S be two fuzzy matrixes with m rows and n columns, i.e., R = (r ij ) m×n , S = (s ij ) m×n . The standard operations on fuzzy matrixes R, S are defined in the following manner: R = S, if and only if r ij = s ij for all i, j. R ⊆ S, if and only if r ij ≤ s ij for all i, j.

Definition 4 ([28]
). Let R be a fuzzy matrix with m rows and n columns, S be a fuzzy matrix with n rows and l columns, i.e., R = (r ij ) m×n , S = (s ij ) n×l . The composition operation of R and S is (r ik ∧ s kj ), (i = 1, 2, . . . , m, j = 1, 2, . . . , l). For fuzzy matrixes R, S, T the composition operation has some laws.
Let X be a universal set. For the fuzzy matrix R = (R(s, t)) s,t∈X , we use R + to denote its transitive closure. When X is finite, and X has | X | elements, then R + = R ∪ R 2 ∪ . . . ∪ R |X| [29], where R k+1 = R k • R for any positive integer number k. The Transition systems or Kripke structures are the key models for model checking. Corresponding to fuzzy model checking, we expend the notion of fuzzy Kripke structures, defined as follows. The transition of FKS is certain for a pair of states, i.e., P(s, t) is unique. However, on many occasions, we can transmit from one state to another by many methods. In other words, P(s, t) is not certain. We carry out the fuzzy decision processes with a cost which are uncertain in the transition and have a function of cost. For the conditions of daily life, we use the natural number set N as the range of the cost function as an example.

Fuzzy Decision Processes with Cost
Fuzzy systems are often used to describe the medical expert systems. Due to the different judgment standards of each expert on the patient's condition and treatment effect, it establishes the model better. At the same time, there are many new problems caused by a variety of treatment options for the same disease. For instance, how to choose the best treatment option in a variety of options? How to evaluate the cost of various treatment options? FKS cannot model the interleaving behavior and the cost of concurrent processes in an adequate manner. For this purpose, we extend FKS to an uncertain system model with cost. The specific definition is as follows. C : S × Act −→ N is a cost function. For each s ∈ S and α ∈ Act, C(s, α) is the cost of that the action α is selected in state s.
If S, Act and AP are finite, we say the M f is finite. We say that action α is enabled in state s if there exists a state t ∈ S such that P(s, α, t) > 0. Act(s) denotes the set of actions which can be enabled in state s.     FDPCs are more complex than FKSs because of the interleaving of the transitions. For example, for a states sequence s 0 s 1 s 2 , there is only one possibility in an FKS, but it may be multiple possibilities in a FDPC, such as s 0 αs 1 βs 2 or s 0 γs 1 βs 2 or the others. We introduce a scheduler to convert FDPC into FKS with cost. In this way, the relevant methods in FKS can be used. We often care about the maximum (or minimum) possibility. We select the maximum (or minimum) possibility of transition from state s to t by action in Adv(s) as an example to introduce our thought of scheduler. If there are two or more actions in Adv(s) such that we can select the action by the algebraic product P(s, α i , t) · C(s, α i ). Through the operation of a scheduler, an FDPC can be switched to an FKS with cost.

Remark 1.
It is easy to prove that the select operations do not change the maximum or minimum possibility of the Adv, because we can use the actions which are selected by us to replace the actions in the maximum or minimum possibility path.    The actions are eliminated in the conversion period, so we design an action index matrix to store those actions. The transition matrix in the corresponding FKS and the index matrix for recording actions under a specific scheduler are given below.
Let M f = (S, Act, P, I, AP, L, C) be a finite FDPC and π = s 0 α 0 s 1 α 1 s 2 . . . ∈ Paths(s) be a path of M f . P α is a | S | × | S | fuzzy matrix of transition possibility under the action α. For each s, t ∈ S, The left of the equation is the direct transition which transmit from s to t in FKS which is transmitted by α with cost, but the right is the direct transition which transmit from s to t by act α in FDPC. P Adv−max is a | S | × | S | fuzzy matrix which denotes the matrix of maximum transition possibility of Adv. For each s, t ∈ S, T Adv−max is a | S | × | S | action index matrix which records the actions creating the maximum transition possibility. For each s, t ∈ S, T Adv−min is a | S | × | S | action index matrix which records the actions creating the minimum transition possibility. For each s, t ∈ S, We often pay attention to the maximum and minimum possibility of FDPC, but they are the special Adv where Adv(s) ≡ Act(s) for all s ∈ S. We use the special symbol α max , α min to denote the index of this Adv. P α max is a | S | × | S | fuzzy matrix which denotes the matrix of maximum transition possibility of FDPC. For each s, t ∈ S, T α max is a | S | × | S | action index matrix which records the actions creating the maximum transition possibility. For each s, t ∈ S, P α min is a | S | × | S | fuzzy matrix which denotes the matrix of minimum transition possibility of FDPC. For each s, t ∈ S, T α min is a | S | × | S | action index matrix which records the actions creating the minimum transition possibility. For each s, t ∈ S, C α is a | S | ×1 matrix declaring the cost activating action α from state s, for each s ∈ S, The action β transition possibility matrix and the cost matrix activating action β is The action γ transition possibility matrix and the cost matrix activating action γ is The maximum transition possibility matrix, maximum transition possibility action index matrix, minimum transition possibility matrix and minimum transition possibility action index matrix is Under the maximum transition possibility matrix and minimum transition possibility matrix, the FDPC of Figure 4 turns into the FKSs with cost in Figures 8 and 9. Since the cost is generated in the process of each activation action, in order to solve the cost-related problems in model checking, we determine the cost through a deterministic selection strategy for the action, and then calculate the expected cost. Because model checking pays more attention to the possibility of transition, this paper takes the maximum possibility of one-step transition as the selected strategy. First, we select the action by the above matrix. Then, we select the successor state by the maximum possibility. Under the scheduler Adv, we use each step to choose the maximum possibility to transmit from the current state as an example, and the step k instantaneous expected cost is defined as to denote the cumulative cost of the first k steps. The cumulative expected cost of the first k steps is defined as The previous descriptions are all about the expected cost without limiting the states in the path. However, in the actual process, some restrictions may be added to the states in the path.
) denotes the first steps k cumulative expected cost under the scheduler Adv which reaches F in step k, defined as below, is the cumulative expected cost from s to the state in F, defined as below, . Where n is the max step of all paths that can reach F under the restrictive condition 'No or one ring'. Why do we have the restrictive condition 'No or one ring'? Because it has no contribution for transition possibility changing. Without the amount of rings, all states of the path which can reach F are less than or equal | S/F | +1, thus we can get that the max skep n ≤| S/F |.

FCTL with Cost Operator
We present the FCTL with cost operators in this section, i.e., expand FCTL for our FDPC with cost operator. We expand FCTL [19] with the cost operator. The syntax and semantics are as below.
Definition 9 (FCTL syntax). The FCTL state formula is defined inductively as follows, where ϕ is a path formula, a ∈ AP. Furthermore, the FCTL path formula is, where Φ, Φ 1 and Φ 2 are state formulas.
For the given scheduler Adv and π ∈ Paths Adv (s), the semantic of path formula ϕ is defined as below.

Model Checking Fuzzy Computation Tree Logic Based on Fuzzy Decision Processes with Cost
The FCTL model checking problem on FDPC is defined as the following. Given a FDPC M f , a state s of M f , a FCTL state formula Φ and a step k, then calculate the true value of state s satisfying the state formula or the expect cost. We often consider the maximum and minimum possibilitic truth values. We give the computing method of There are some useful matrixes and operations given.
Let M f = (S, Act, P, I, AP, L, C) be a finite FDPC, D Φ be a | S | × | S | fuzzy diagonal matrix for state formula Φ. For each s, t ∈ S, We use P α|max| to realize the transition of only choosing the maximum truth value transition using action α. P α|max| is a | S | × | S | fuzzy matrix and defined as that for each s, t ∈ S, Otherwise where f is a function mapping P × C to [0,1]. f is decided by the need in usual. In this paper, we set f (P(s, α, t), cost(s, α)) = P(s, α, t) if there is only one maximum transition from s to t. When it is multiple, we select the first maximum transition by elements in the matrix.
Through those matrixes, we can reduce the state transition matrix in FKS to a sparse matrix containing only one-step maximum possibility.
E is a | S | ×1 fuzzy matrix with all elements equal to 1. We use it to turn the matrix into a vector.
We also use an auxiliary matrix identified as D F , for the restricted set F. D F is defined below. Using our matrixes, we can re-represent the cost in Definition 8. The first k steps cumulative expected cost where P α|F|max| is the operation that to P α first count P α|F and second count P α|max| for P α|F . P α|F|max| is the operation that to P α first count P α|F and second count P α|max| for P α|F . || ∃ Φ || max (s) is the maximum truth value of that there exists a path that starts from state s and satisfies Φ.
The proof is placed in Appendix A. || ∃ Φ || min (s) is the minimum truth value of that there exists a path that starts from state s and satisfies Φ.
The proof is placed in Appendix A. || ∀ Φ || max (s) is the maximum truth value of that all of the paths which start from state s satisfy Φ.
The proof is placed in Appendix A. || ∀ Φ || min (s) is the minimum truth value of that all of the paths which start from state s satisfy Φ.
The proof is placed in Appendix A.
|| ∃Φ 1 Φ 2 || max (s) is the maximum truth value of that there exists a path that starts from state s satisfies Φ 1 Φ 2 .

|| ∃Φ
The proof is placed in Appendix A. || ∃Φ 1 Φ 2 || min (s) is the minimum truth value of that there exists a path that starts from state s satisfies Φ 1 Φ 2 .

|| ∃Φ
The proof is placed in Appendix A. || ∀Φ 1 Φ 2 || max (s) is the maximum truth value of that all of the paths which start from state s satisfy Φ 1 Φ 2 .

|| ∀Φ
The proof is placed in Appendix A. || ∀Φ 1 Φ 2 || min (s) is minimum the truth values of that all of the paths that start from state s satisfy Φ 1 Φ 2 .

|| ∀Φ
The proof is placed in Appendix A. || E(= k) || max (s) is the skep k instantaneous expected cost of the path that starts from state s under the maximum scheduler.
where t m = argmax t m ∈S (P m α max |max| (s, t m )). The proof is placed in Appendix A. || E(= k) || min (s) is the skep k instantaneous expected cost of the path that starts from state s under the minimum scheduler.
where t m = argmax t m ∈S (P m α min |max| (s, t m )). The proof is placed in Appendix A. || E(≤ k) || max (s) is the first k steps cumulative expected cost of the path that starts from state s under the maximum scheduler.
where t m = argmax t m ∈S (P m α max |max| (s, t m )). || E(≤ k) || min (s) is the first k steps cumulative expected cost of the path that starts from state s under the minimum scheduler.
where t m = argmax t m ∈S (P m α min |max| (s, t m )). || E(Φ) || max (s) is the cumulative expected cost of the path that starts from state s and can reach a state in F under the maximum scheduler.
|| E(Φ) || min (s) is the cumulative expected cost of the path that starts from state s and can reach a state in F under the minimum scheduler. (14), we provide three algorithms to solve the problem of FCTL model checking with cost. Algorithm 1 is used to catch some values of some parameters which would be used to calculate the cost operators. Algorithm 2 is used to calculate the truth values of the formal FCTL state formulas. Algorithm 3 is used to calculate the cost operators.

Algorithm 1 Catch the action
Require: a state s, the first k − 1 step transition matrix P α , the step k transition matrix P β , action index matrix T α . Ensure: the state t k−1 after k − 1 steps transition, the state t k after k steps transition, the action of step k T α (t k−1 , t k ). 1: for t ∈ S do 2: if P k−1 α (s, t) > 0 then 3: end if 8: end for 9: return t k−1 , t k , T α (t k−1 , t k ) Algorithm 1 is proposed to get the action α and states s k−1 and s k in transition s k−1 α −→ s k which are used in the computing of cost operators. By the definition of P α|max| , we can use the P k−1 α (s, t) > 0 to be the determined condition of which is the successor state. return (1) s∈S 3: end if 4: if Φ = a ∈ AP then 5: return (|| a || (s)) s∈S 6: end if 7: if Φ = ¬Φ then 8: 13: if Φ = ∃ Φ then 14: return P Adv • P Φ 15: end if 16: if Φ = ∀ Φ then 17: Algorithm 2 is proposed to calculate the quantitative possibility of state formula by matrix operations based on (1)- (8).
Algorithm 3 is proposed to calculate the cost operators by matrix operations based on (9)- (14). Now let us analyze the time complexities of our algorithm. We would see the three algorithms as one algorithm and analyze it.
Under the scheduler Adv, we can recursively calculate the truth value of || Φ || (s) in step | Φ |, which is the number of the sub-formula of which is recursively defined as below.
The time complexity of calculating the formula Φ = a | Φ 1 ∧ Φ 2 | ¬Φ is only contacted with the size of FDPC M f and Φ, and is O(| S |). The time of calculating the formula Φ = E(= k) | E(≤ k) is only contacted with the size of FDPC M f and Φ and k, and is O(| S | ×k). The time of calculating the formula Φ = ∃ϕ | ∀ϕ is mainly contacted with the time of calculating the transitive closure of P Adv , e.g., P * Adv . We use the method of literature [30], and the time complexities is O(| S | 2 ×log | S |). The time of calculating the formula Φ = E(Φ) is contacted with the time of catch and the time of matrix multiplication, and is O(| S | 4 ). Above all, we give the time complexities of our algorithm.

Algorithm 3 Calculating the cost operators of FCTL
Require: a FDPC M f , step k, a FCTL state formula Φ. Ensure: the value of E.

22:
if sum(i) ≥ sum(0) then 23: sum(0) ⇐ sum(i) 24: end if 25: end for 26: return sum(0) 27: end if Theorem 1. Let M f = (S, Act, P, I, AP, L, C) be a finite FDPC, Φ be a FCTL formula and k be a natural number. Then, the time complexities of calculating the truth values or expected is a polynomials of | S |, | Φ | is the number of the sub-formula of | Φ |, and k is the given natural number.

Illustrative Examples
A medical expert system is an intelligent computer system that collects, sorts and analyzes a large number of cases by computer, concentrates on the diagnosis results of medical experts, and diagnoses and treats patients. Because of the different judgment standards of each expert for the degree of the patient's conditions and the effect of the treatment plan, using a fuzzy system can reflect the operation process of the system closer to the real world. Figures 10-13 is a simple medical expert system, in which there are three experts. Each expert gives different treatment plans, which are represented by α, β, γ. The model has four states of the patients, respectively, represented by s 0 , s 1 , s 2 , s 3 . The variables in the state indicate the patient's health states, which can be divided into B(bad), G(general), N(normal) and E(enough). Different experts have a different understanding of these four health conditions. Therefore, we give fuzzy values to the four to show the health of patients. When treatment scheme α i is used in state s i , cost C(s i , α i ) will be generated, indicating the treatment cost of the scheme. When using a single treatment scheme, the state transition of patients is shown in Figures 10-12. When three experts consult, a complex system is synthesized, as shown in Figure 13. The connecting line with the arrow in the figure indicates transition. The transition possibility is given by the number on the connecting line, and the cost is indicated by the underlined number in the figure. For example, s 0 α,0. 8,160 −−−−→ s 1 indicates that the patient is in state s 0 , using treatment scheme α, then the possibility of transition to state s 1 is 0.8, and the treatment cost is 160.    (1) || ∃ N || max (s 2 ) = 0.8, || ∃ N || min (s 2 ) = 0.3. || ∃ N || max (s 2 ) = 0.8 is the maximum truth value of that there exists one plan where the patient starts from state s 2 and becomes normal after one treatment. || ∃ N || min (s 2 ) = 0.3 is the minimum truth value of that there exists one plan where the patient starts from state s 2 and becomes normal after one treatment.
(2) || ∀ G || max (s 2 ) = 0.4, || ∀ G || min (s 2 ) = 0.1. || ∀ G || max (s 2 ) = 0.4 is the maximum truth value of all of the plans to satisfy that the patient starts from state s 2 and becomes general after one treatment. || ∀ G || inx (s 2 ) = 0.1 is the minimum truth value of all of the plans to satisfy that the patient starts from state s 2 and becomes general after one treatment.
(3) || ∃G E || max (s 1 ) = 0.5, || ∃G E || min (s 1 ) = 0.4. || ∃G E || max (s 1 ) = 0.5 is the maximum truth value that there exists one plan that the patient starts from state s 1 , keeps general in treatments and becomes enough finally. || ∃G E || min (s 1 ) = 0.4 is the minimum truth value that there exists one plan that the patient starts from state s 1 , keeps general in treatments and becomes enough finally.
(4) || ∀G N || max (s 1 ) = 0.4, || ∀G N || min (s 1 ) = 0.1. || ∀G N || max (s 1 ) = 0.4 is the maximum truth value that all of the plans to satisfy that the patient starts from state s 1 , keeps general in treatments and becomes enough finally. || ∀G N || min (s 1 ) = 0.1 is the minimum truth value that all of the plans to satisfy that the patient starts from state s 1 , keeps general in treatments and becomes enough finally.

Conclusions
This paper provides a polynomial model checking algorithm for the verification of some quantitative properties in fuzzy systems in which in any state a nondeterministic choice and cost between fuzzy sets exist. First, we define a fuzzy decision process model with a cost function. This model can describe the cost consumption and other attributes of a fuzzy system. By introducing the definition of the scheduler, we transmit FDPC into a fuzzy Kripke structure. Next, we give the syntax and semantics of fuzzy computation tree logic with a cost operator to describe the properties. Then, using fuzzy matrix and matrix operations, the quantitative calculation of the computation tree logic model checking on the fuzzy decision process model with the cost is introduced, and the corresponding polynomial time algorithm is proposed.
There are several problems that are worth further study. First, it is interesting to consider the linear temporal logic model checking in FDPC. Second, we would like to extend this method used in this paper to multi-objectives model checking. Finally, we will give some case studies on the methods proposed in this paper.

Conflicts of Interest:
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.