Refinement Checking for Multirate Hybrid ZIA
A hybrid system is a dynamical system with both discrete and continuous components. To study the modeling and verification of hybrid systems, this paper first introduces a specification approach, named MZIA, that combines interface automata, initialized multirate hybrid automata and the Z language. It then proposes a refinement relation on MZIAs, gives an algorithm for checking the refinement relation between MZIAs with finite domains, and demonstrates the correctness of the algorithm.
💡 Research Summary
The paper addresses the challenge of formally specifying and verifying hybrid systems that combine discrete control logic with continuous physical dynamics, especially when components operate at multiple rates. To bridge gaps in existing formalisms, the authors introduce a new specification model called MZIA (Multirate Hybrid Z Interface Automaton). MZIA integrates three well‑established techniques: (1) Interface Automata (IA) for modeling input/output interactions between components, (2) Initialized Multirate Hybrid Automata (MHHA) for capturing continuous variables, differential equations, and transitions that occur at different time scales, and (3) the Z notation for describing data structures, invariants, and operation schemas in a mathematically rigorous way.
An MZIA consists of a finite set of states, each annotated with a Z schema that defines the discrete data variables and their invariants, together with a vector of continuous variables. Transitions are labeled with IA actions (inputs or outputs) and are guarded by both Z predicates and continuous guard intervals; they also specify the evolution of continuous variables (e.g., differential equations or discrete resets) and may involve multirate timing constraints. The model therefore captures the full spectrum of hybrid behavior while preserving a clear interface contract.
The core contribution of the work is a formal refinement relation between two MZIAs, denoted A ⊑ B, meaning that A (the implementation) refines B (the specification). The refinement definition extends the classic simulation‑based notion used for IA by adding two crucial constraints: (i) action compatibility – every input or output that A can perform must be allowed by B, and (ii) continuous dynamics inclusion – the reachable set of continuous trajectories of A from any state must be a subset of the trajectories permitted by B from the corresponding abstract state. To make this precise, the authors define a relation R ⊆ SA × SB linking concrete and abstract states, and they require that for each pair (sA, sB) ∈ R, (a) the Z schemas of sA satisfy the invariants of sB, (b) for every transition of A labeled with action α, there exists a matching transition of B with the same α, whose guard interval contains the guard of A, and whose post‑state satisfies the Z post‑conditions of B.
To decide whether such a relation exists, the paper presents an algorithm that works under the assumption of a finite domain for the discrete variables and a bounded discretization of the continuous space. The algorithm proceeds as follows:
- Discretization – Continuous variable domains are partitioned into a finite set of intervals (or integer approximations), turning the infinite state space into a finite abstraction.
- Graph Construction – Both MZIAs are unfolded into labeled transition graphs where nodes are pairs (state, interval) and edges correspond to guarded actions.
- Relation Initialization – The algorithm starts with the pair of initial states and checks that the Z initial schemas are compatible.
- Iterative Matching – Using a breadth‑first or depth‑first search, it explores reachable node pairs. For each candidate pair, it verifies: (i) action label equality, (ii) inclusion of the concrete guard interval within the abstract guard interval, and (iii) that the Z predicates of the concrete transition imply those of the abstract transition. The implication checks are delegated to an off‑the‑shelf SMT solver capable of handling Z‑style predicates.
- Fixpoint Detection – If all explored pairs satisfy the conditions, the algorithm concludes that a refinement relation exists; otherwise, it reports failure.
The authors prove soundness (any relation found by the algorithm is a true refinement) and completeness (if a refinement exists, the algorithm will eventually discover it) with respect to the finite abstraction. Complexity analysis shows that the procedure is polynomial in the number of abstracted states and transitions, making it feasible for moderately sized models.
A case study involving a temperature‑control system illustrates the approach. The specification MZIA models a thermostat with a coarse temperature interval and a simple on/off control law, while the implementation MZIA refines it with finer temperature granularity, multirate sampling (fast sensor updates, slower actuator commands), and additional safety invariants expressed in Z. The algorithm successfully verifies that the implementation refines the specification, demonstrating the practical applicability of the method.
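To make the five-step procedure above and the thermostat case study concrete, here is an added Python example; it is not code from the paper, and the location names, the discrete variables `cmd` and `alarm`, the guard intervals and the models themselves are constructed for illustration. It assumes a whole-degree integer grid for the discretization step, replaces the paper's SMT solver with brute-force enumeration over the finite discrete domain, and takes the first matching abstract transition without backtracking.

```python
"""Added example: finite-domain refinement check for simplified MZIAs.
Not the paper's code; location/variable names and the thermostat models
are constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, Dict, List, Tuple

Valuation = Dict[str, int]
Pred = Callable[[Valuation], bool]


@dataclass(frozen=True)
class Transition:
    src: str
    action: str                  # IA action: "name?" input, "name!" output
    guard: Tuple[int, int]       # continuous guard interval [lo, hi], whole degrees
    pred: Pred                   # Z-style predicate over the discrete variables
    dst: str


@dataclass
class MZIA:
    init: str
    domain: Dict[str, List[int]]     # finite domain of each discrete (Z) variable
    invariant: Dict[str, Pred]       # Z state-schema invariant of each location
    transitions: List[Transition] = field(default_factory=list)

    def outgoing(self, state: str) -> List[Transition]:
        return [t for t in self.transitions if t.src == state]


def valuations(domain: Dict[str, List[int]]):
    """Enumerate every assignment of the finite discrete domain."""
    names = list(domain)
    for values in product(*(domain[n] for n in names)):
        yield dict(zip(names, values))


def implies(p: Pred, q: Pred, domain) -> bool:
    """Decide p => q by enumeration (stand-in for the paper's SMT solver)."""
    return all(q(v) for v in valuations(domain) if p(v))


def cells(guard: Tuple[int, int]) -> frozenset:
    """Step 1, discretization: abstract [lo, hi] to the grid cells it covers."""
    lo, hi = guard
    return frozenset(range(lo, hi + 1))


def check_refinement(impl: MZIA, spec: MZIA):
    """Steps 3-5: breadth-first search over reachable (concrete, abstract)
    state pairs, growing the relation R.  Returns (True, R) or (False, why)."""
    assert impl.domain == spec.domain, "both models share one Z data space here"
    start = (impl.init, spec.init)
    relation = {start}
    work = deque([start])
    while work:
        sa, sb = work.popleft()
        # (a) the concrete invariant must imply the abstract invariant
        if not implies(impl.invariant[sa], spec.invariant[sb], impl.domain):
            return False, f"invariant of {sa} is not within invariant of {sb}"
        for ta in impl.outgoing(sa):
            # (b) a spec transition with the same action, a wider guard and a
            #     weaker Z predicate; the first match is taken, no backtracking
            match = next((tb for tb in spec.outgoing(sb)
                          if tb.action == ta.action
                          and cells(ta.guard) <= cells(tb.guard)
                          and implies(ta.pred, tb.pred, impl.domain)), None)
            if match is None:
                return False, f"no abstract match for {ta.action} at ({sa}, {sb})"
            pair = (ta.dst, match.dst)
            if pair not in relation:          # step 5: stop once no new pairs appear
                relation.add(pair)
                work.append(pair)
    return True, relation


def thermostat_models():
    """Constructed specification/implementation pair in the spirit of the case study."""
    domain = {"cmd": [0, 1], "alarm": [0, 1]}   # actuator command, safety flag
    true = lambda v: True
    spec = MZIA("off", domain,
                {"off": lambda v: v["cmd"] == 0, "on": lambda v: v["cmd"] == 1},
                [Transition("off", "temp?", (-10, 40), true, "off"),  # sensor sample
                 Transition("on", "temp?", (-10, 40), true, "on"),
                 Transition("off", "heat!", (10, 18), true, "on"),    # coarse band
                 Transition("on", "cool!", (22, 35), true, "off")])
    safe = lambda v: v["alarm"] == 0
    impl = MZIA("off", domain,
                {"off": lambda v: v["cmd"] == 0 and safe(v),   # extra safety invariant
                 "on": lambda v: v["cmd"] == 1 and safe(v)},
                [Transition("off", "temp?", (0, 30), true, "off"),   # fast sensor loop
                 Transition("on", "temp?", (0, 30), true, "on"),
                 Transition("off", "heat!", (15, 17), safe, "on"),   # finer band
                 Transition("on", "cool!", (23, 25), safe, "off")])
    # A faulty variant whose heating guard escapes the specification's band
    bad = MZIA("off", domain, impl.invariant,
               impl.transitions[:2] + [Transition("off", "heat!", (8, 17), safe, "on"),
                                       impl.transitions[3]])
    return spec, impl, bad


if __name__ == "__main__":
    spec, impl, bad = thermostat_models()
    print(check_refinement(impl, spec))   # (True, {('off', 'off'), ('on', 'on')})
    print(check_refinement(bad, spec))    # (False, 'no abstract match for heat! ...')
```

Running the block reports a relation covering both location pairs for the conforming implementation, and a concrete witness (the `heat!` transition at the initial pair) for the faulty one. Taking the first matching abstract transition keeps the search polynomial, as the paper's analysis describes, but it only yields the paper's completeness result when at most one abstract transition can match; a checker that must decide among several candidates has to branch over the alternatives.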
In summary, the paper contributes a unified formalism (MZIA) that captures interface contracts, multirate hybrid dynamics, and rich data invariants, together with a rigorously defined refinement notion and a decidable verification algorithm for finite‑domain instances. This work advances the state of the art in formal methods for cyber‑physical systems by enabling compositional reasoning about both discrete and continuous aspects, and by providing a tool‑supported pathway from high‑level specifications to concrete implementations.