HYBRID ZIA AND ITS APPROXIMATED REFINEMENT

RELATION

∗

Zining Cao

1,2,3

and Hui Wang

National Key Laboratory of Science and Technology on Avionics System Integration, Shanghai 200233, China

Department of Computer Science and Technology, Nanjing University of Aero. & Astro., Nanjing 210016, China

Provincial Key Laboratory for Computer Information Processing Technology, Soochow University, Suzhou 215006, China

Keywords:

Interface automata, Z notation, Hybrid automata, Approximated reﬁnement relation.

Abstract:

In this paper, we propose a speciﬁcation model combining interface automata, hybrid automata and Z lan-

guage, named HZIA. This model can be used to describe temporal properties, hybrid properties, and data

properties of hybrid software/hardware components. We also study the approximated reﬁnement relation on

HZIAs.

1 INTRODUCTION

Modern software systems are comprised of numerous

components, and are made larger through the use of

software frameworks. Hybrid software/hardware sys-

tems exhibit various behavioural aspects such as dis-

crete and continuous transition, communication be-

tween components, and state transformation inside

components. Formal speciﬁcation techniques for such

systems have to be able to describe all these aspects.

Unfortunately, a single speciﬁcation technique that

is well suited for all these aspects is yet not avail-

able. Instead one needs various specialised tech-

niques that are very good at describing individual as-

pects of system behaviour. This observation has led

to research into the combination and semantic integra-

tion of speciﬁcation techniques. In this paper we com-

bine three well researched speciﬁcation techniques:

Interface automata, hybrid automata and Z.

Interface automaton is a light-weight automata-

based languages for component speciﬁcation, which

was proposed in (Luca de Alfaro, 2001). An inter-

face automaton (IA), introduced by de Alfaro and

Henzinger, is an automata-based model suitable for

∗

This work was supported by the Aviation Science

Fund of China under Grant No. 20085552023, the Na-

tional Natural Science Foundation of China under Grants

No. 60873025, the Natural Science Foundation of Jiangsu

Province of China under Grant No. BK2008389, and the

Foundation of Provincial Key Laboratory for Computer In-

formation Processing Technology of Soochow University

under Grant No. KJS0920.

specifying component-based systems. IA is part of a

class of models called interface models, which are in-

tended to specify concisely how systems can be used

and to adhere to certain well-formedness criteria that

make them appropriate for modelling component-

based systems.

Hybrid automaton (Henzinger, 1996) is a formal

model for a mixed discrete-continuous system. A

paradigmatic example of a mixed discrete-continuous

system is a digital controller of an analog plant. The

discrete state of the controller is modelled by the ver-

tices of a graph (control modes), and the discrete dy-

namics of the controller is modelled by the edges of

the graph (control switches). The continuous state of

the plant is modelled by points in R

, and the contin-

uous dynamics of the plant is modelled by ﬂow con-

ditions such as differential equations. The behavior

of the plant depends on the state of the controller:

each control mode determines a ﬂow condition, and

each control switch may cause a discrete change in the

state of the plant, as determined by a jump condition.

Dually, the behavior of the controller depends on the

state of the plant: each control mode continuously ob-

serves an invariant condition of the plant state, and by

violating the invariant condition, a continuous change

in the plant state will cause a control switch.

Z (Bowen, 2003; Spivey, 1998; Woodcock and

Davies, 1996) is a typed formal speciﬁcation nota-

tion based on ﬁrst order predicate logic and set the-

ory. The formal basis for Z is ﬁrst order predicate

logic extended with type set theory. Using mathemat-

260

Cao Z. and Wang H..

HYBRID ZIA AND ITS APPROXIMATED REFINEMENT RELATION.

DOI: 10.5220/0003504002600265

In Proceedings of the 6th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE-2011), pages 260-265

ISBN: 978-989-8425-57-7

 2011 SCITEPRESS (Science and Technology Publications, Lda.)

ics for speciﬁcation is all very well for small exam-

ples, but for more realistically sized problems, things

start to get out of hand. To deal with this, Z in-

cludes the schema notation to aid the structuring and

modularization of speciﬁcations. A boxed notation

called schemas is used for structuring Z speciﬁca-

tions. This has been found to be necessary to han-

dle the information in a speciﬁcation of any size. In

particular, Z schemas and the schema calculus enable

a structured way of presenting large state spaces and

their transformation. But Z itself is cumbersome for

specifying parallel systems. Its use will produce a

much longer speciﬁcation than if some other speci-

ﬁcation languages are used. Hence it is more con-

venient to use a language like CSP (Hoare, 1985) in

such cases. Work has been undertaken to attempt to

combine some of the features of CSP with Z (Fischer,

1996; Fischer, 1997; Fischer, 1998).

In this paper, we present a new speciﬁcation lan-

guage which combines interface automata, hybrid au-

tomata and Z language. Interface automata are a kind

of intuitive models for interface property of software

components. Hybrid automata are a model of mixed

discrete-continuous systems. Z can describe the data

property of states and transitions of a system. To

specify mixed discrete-continuous software/hardware

components, we give the deﬁnition of HZIA. Roughly

speaking, a HZIA is in a style of hybrid interface au-

tomata but its states and operations are described by Z

language. Furthermore, we deﬁne the approximated

reﬁnement relation between HZIAs and prove some

propositions of such reﬁnement relation. This paper

is organized as follows: Section 2 gives a brief re-

view of interface automata, hybrid automata and Z

language. In Section 3, we propose a speciﬁcation

language-HZIA. Furthermore, the approximated re-

ﬁnement relation for HZIA are presented and studied.

The paper is concluded in Section 4.

2 OVERVIEW OF INTERFACE

AUTOMATA, HYBRID

AUTOMATA AND Z LANGUAGE

In this section, we give a brief overview of interface

automata, hybrid automata and Z language.

2.1 Interface Automata

An interface automaton (IA) (Luca de Alfaro,

2001), introduced by de Alfaro and Henzinger, is

an automata-based model suitable for specifying

component-based systems. IA is part of a class of

models called interface models, which are intended

to specify concisely how systems can be used and

to adhere to certain well-formedness criteria that

make them appropriate for modelling component-

based systems. The two main characteristics of in-

terface models are that they assume a helpful envi-

ronment and support top-down design.

Deﬁnition 1. An interface automaton (IA) P = hV

, A

, T

i consists of the following ele-

ments:

(1) V

is a set of states,

(2) V

⊆ V

is a set of initial states. If V

0 then

P is called empty.

(3) A

, A

and A

are disjoint sets of input, out-

put, and internal actions, respectively. We denote by

= A

∪ A

the set of all actions.

(4) T

is the set of transitions between states such

that T

⊆ V

× A

× V

The interface automaton P is closed if it has only

internal actions, that is, A

= A

0; otherwise we

say that P is open.

The composition of two IAs consists of all possi-

ble interleaved transitions of the two IAs, except for

those actions that are shared. Two IAs are composable

if they do not take any of the same inputs, do not pro-

duce any of the same outputs and the internal actions

of the two components do not overlap. An internal

action is created through the composition of IA when

an output action of one component is internally con-

sumed by an input action of another component. This

synchronization reduces the two actions to an internal

action on a single transition.

IA Q reﬁnes IA P if Q provides the services of P;

it can have more inputs but no more output actions.

As such, a reﬁnement of an IA does not constrain the

environment more than the original IA does.

2.2 Hybrid Automata

A hybrid system is a dynamical system with both dis-

crete and continuous components. Hybrid automata

(Henzinger, 1996) are a model of hybrid systems.

Deﬁnition 2. A hybrid automaton H consists of the

following components.

(1) Variables. A ﬁnite set X = {x

,...,x

} of real-

numbered variables. The number n is called the di-

mension of H. We write X

for the set {x

,...,x

} of

primed variables (which represent values at the con-

clusion of change).

(2) Q is a ﬁnite set of states.

(3) q

∈ Q is the initial state.

(4) φ

init

∈ Φ(X) is the initial condition.

HYBRID ZIA AND ITS APPROXIMATED REFINEMENT RELATION

261

(5) T ⊆ Q×Φ(x

,...,x

|X|

,...,x

|X|

)×Q is a ﬁnite

set of transitions. Variables x

,...,x

|X|

represent the

new values taken by the variables x

,...,x

|X|

after the

ﬁring of the transition.

(6) Act : Q → Φ(x

,...,x

|X|

,t, x

,...,x

|X|

) is the ac-

tivity function assigning to each state q a formula

Act(q). The variable t represents time elapsing.

For the sake of space, more details of Hybrid

automata can be refereed to the article (Henzinger,

1996).

2.3 Z Language

Z was introduced in the early 80’s in Oxford by Abrial

as a set-theoretic and predicate language for the spec-

iﬁcation of data structure, state spaces and state trans-

formations. The ﬁrst systematic description of Z is

(Spivey, 1998). Since then the language has been

used in many case studies and industrial projects (e.g.

(Bowen, 2003; Woodcock and Davies, 1996)).

Z includes the schema notation to aid the struc-

turing and modularization of speciﬁcations. A boxed

notation called schemas is used for structuring Z spec-

iﬁcations.

Schemas are primarily used to specify state spaces

and operations for the mathematical modelling of sys-

tems. For example, here is a schema called StateS-

pace:

StateSpace

: S

; ...; x

: S

Inv(x

,...,x

)

This schema speciﬁes a state space in which x

. . . , x

are the state variables and S

, . . . , S

are expressions from which their types may be sys-

tematically derived. Z types are sets - x

, . . . ,

should not occur free in S

, . . . , S

, or if they

do, they refer instead to other occurrences of these

variables already in scope (e.g., globally deﬁned vari-

ables). Inv(x

,...,x

) is the state invariant, relating the

variables in some way for all possible allowed states

of the system during its lifetime.

Z makes use of identiﬁer decorations to encode in-

tended interpretations. A state variable with no deco-

ration represents the current (before) state and a state

variable ending with a prime (

) represents the next

(after) state. A variable ending with a question mark

(?) represents an input and a variable ending with an

exclamation mark (!) represents an output.

The vertical form of schema

; ...; D

; ...; P

is equivalent to the horizontal form of schema

S b=[D

; ...; D

| P

; ...; P

]

In the following, we sometimes use the horizontal

form.

In Z (Bowen, 2003; Spivey, 1998; Woodcock and

Davies, 1996), there are many schema operators. For

example, we write S ∧ T to denote the conjunction of

these two schemas: a new schema formed by merging

the declaration parts of S and T and conjoining their

predicate parts. S ⇒ T (S ⇔ T) is similar to S ∧ T

except connecting their predicate parts by ⇒ (⇔).

The hiding operation S\(x

,...,x

) removes from the

schema S the components x

,...,x

explicitly listed,

which must exist. Formally, S\(x

,...,x

) is equiva-

lent to (∃x

: t

; ...; x

: t

• S), where x

,...,x

have

types t

,...,t

in S. The notation ∃x : a • S states that

there is some object x in a for which S is true. The

notation ∀ x : a • S states that for each object x in a, S

is true.

For the sake of space, more details of Z can be

refereed to some books on Z (Bowen, 2003; Spivey,

1998; Woodcock and Davies, 1996).

3 HYBRID INTERFACE

AUTOMATA WITH Z

NOTATION

In many cases, systems have both discrete and con-

tinuous property. To specify hybrid systems, we now

propose hybrid interface automata with Z notation,

named HZIA.

3.1 Model

In (Cao, 2010), we propose a model which combines

interface automata and Z notation, named ZIA. In this

paper, the ZIA (Cao, 2010) is extended to hybrid ver-

sion of ZIA, which can be used to specify hybrid be-

havioural and the data structure aspects of a system.

Deﬁnition 3. A hybrid interface automaton with Z

notation (HZIA) P = hS

, S

, A

, X

, V

, C

, F

, T

i consists of the following

elements:

(1) S

is a set of states;

(2) S

⊆ S

is a set of initial states. If S

0 then

P is called empty;

ENASE 2011 - 6th International Conference on Evaluation of Novel Software Approaches to Software Engineering

262

(3) A

, A

and A

are disjoint sets of input, output,

and internal actions, respectively. We denote by A

∪ A

the set of all actions;

(4) X

= {x

,...,x

} is a ﬁnite set of real-

numbered variables; The number n is called the di-

mension of P. We write X

for the set {x

,...,x

} of

primed variables (which represent values at the con-

clusion of change).

(5) V

, V

and V

are disjoint sets of input, out-

put, and internal variables, respectively. We denote by

= V

∪ V

the set of all variables. We have

that X

⊆ V

which are all continuous valued vari-

ables and V

− X

are all discrete valued variables;

(6) C

is a variable representing time, whose value

is a real number, C

/∈ V

;

(7) F

is a map, which maps any state in S

to a

state schema Φ(V

∪ {C

}) in Z language;

(8) F

is a map, which maps any input action in

to an input operation schema Φ(V

) in Z language,

and maps any output action in A

to an output op-

eration schema Φ(V

) in Z language, and maps any

internal action in A

to an internal operation schema

Φ(V

) in Z language;

(9) T

is the set of transitions between

states such that T

⊆ S

× A

× S

. If

(s,a,t) ∈ T

then |= ((F

(s) ∧ F

(a))\(x

,...,x

) ↔

(t)[y

,...,y

]), where {x

,...,x

} is the set

of the variables in F

(s), {y

,...,y

} is the set of the

variables in F

(t), the set of variables in F

(a) is the

subset of {x

,...,x

} ∪ {y

,...,y

4 APPROXIMATED

REFINEMENT RELATION ON

HZIAS

The reﬁnement relation aims at formalizing the re-

lation between abstract and concrete versions of the

same component, for example, between an interface

speciﬁcation and its implementation.

Since HZIA have some real-numbered variables

which may be measured with small errors. We should

consider the measuring errors of real-numbered vari-

ables in the deﬁnition of approximated reﬁnement re-

lation on HZIAs. Roughly, a HZIA P approximately

reﬁnes a HZIA Q if all the input or output actions of

P can be simulated by Q except that some small mea-

suring errors of real numbered variables. The precise

deﬁnition must take into account the fact that the in-

ternal actions of P and Q are independent. For this,

we need some preliminary notions. The closure of a

state s consists of the set of states that can be reached

from s by taking only internal actions.

We now give the following deﬁnition which de-

scribes the set of states after performing a sequence

of internal actions from a given state.

Deﬁnition 4. Given a HZIA P and a state s ∈ S

, the

set ε−closure

(s) is the smallest set U ⊆ S

such that

(1) s ∈ U and (2) if t ∈ U, a ∈ A

, and (t, a, t

∗

) ∈ T

then t

∗

∈ U.

The environment of a HZIA P cannot see the inter-

nal actions of P. Consequently if P is at a state s then

the environment cannot distinguish between s and any

state in ε − closure

(s).

The following deﬁnition describes the set of states

after performing several internal actions and an exter-

nal action from a given state.

Deﬁnition 5. Consider a HZIA P and a state s ∈ S

For an action a, we let

ExtDest

(s,a) = {s

∗

| ∃(t,a,t

∗

) ∈ T

.t ∈ ε −

closure

(s) and s

∗

∈ ε − closure

∗

)}.

In the following, we use V

(A) to denote the set

of input variables in Z schema A, V

(A) to denote

the set of output variables in Z schema A, V

(A) to

denote the set of internal variables in Z schema A, and

CV(A) to denote the set of real-numbered variables in

Z schema A.

In order to deﬁne the approximated reﬁnement re-

lation between Z schemas, we need the following no-

tation.

Deﬁnition 6. Given a positive real-numbered as-

signment δ on {x

,...,x

} which represents the mea-

suring errors of real-numbered variables {x

,...,x

an assignment ρ on {v

,...,v

}, where {x

,...,x

} are

set of all real-numbered variables in {v

,...,v

}. We

use the notation ρ ⊕ δ to denote the set of assign-

ment {σ | σ(v) = ρ(v) if v /∈ {x

,...,x

}, and σ(x) =

ρ(x)+a, if x ∈ {x

,...,x

}, where −δ(x) ≤ a ≤ δ(x)}.

Deﬁnition 7. Consider two Z schemas A and B with

(A) = V

(B), V

(A) = V

(B), V

(A) = V

(B) =

0 and CV(A) = CV(B). δ is a positive real-numbered

assignment on CV(A). We use the notation A ≥

B if

one of the following cases holds:

(1) if V

(A) 6=

0 and V

(A) 6=

0 then given an as-

signment ρ on V

(A), for any assignment σ on V

(A),

(ρ ∪ σ) |= B implies (ρ ∪ σ) ⊕ δ |= A, and given an

assignment σ on V

(A), for any assignment ρ on

(A), (ρ ∪ σ) |= A implies (ρ ∪ σ) ⊕ δ |= B, where

(ρ ∪ σ) ⊕ δ |= A means that there is an assignment

λ ∈ (ρ ∪ σ) ⊕ δ, such that λ |= A, and ρ ∪ σ is an as-

signment which is the union of ρ and σ;

(2) if V

(A) 6=

0 and V

(A) =

0 then for any as-

signment ρ on V

(A), ρ |= A implies ρ ⊕ δ |= B;

HYBRID ZIA AND ITS APPROXIMATED REFINEMENT RELATION

263

(3) if V

(A) =

0 and V

(A) 6=

0 then for any as-

signment ρ on V

(A), ρ |= B implies ρ ⊕ δ |= A;

(4) V

(A) =

0 and V

(A) =

Intuitively, A ≥

B means that schemas A and B

have the same input variables and the same output

variables, and except of small measuring errors δ of

real numbered variables, schema B has bigger do-

mains of input variables but smaller ranges of output

variables than schema A. For example, A b=[x? : N;

y! : R | x is an even number, y! = π × x?] ≥

δ=[y!:=0.1]

Bb=[x? : N; y! : R | y! = 2π ×bx?/2c ± 0.02], where N

is the set of natural numbers, R is the set of reals, and

bx?/2c is the largest natural number that is not larger

than x?/2.

Now we give the approximated reﬁnement rela-

tion between Z schemas, which describe the approx-

imated reﬁnement relation between data structures

properties of states.

Deﬁnition 8. Consider two Z schemas A and B, we

use the notation A D

B if

(1) V

(A) ⊆ V

(B), V

(A) ⊆ V

(B), and CV(A)∩

(A) ∪ V

(A)) = CV(B)∩ (V

(A) ∪ V

(A));

(2) A\(x

,...,x

) ≥

B\(y

,...,y

), where

,...,x

} = V(A) − V

(A) − V

(A), {y

,...,y

} =

V(B) − V

(A) − V

(A), and δ is a positive real-

numbered assignment on CV(A) ∩ (V

(A) ∪ V

(A).

For example, Ab=[x? : N; y! : R | x is an even

number,y! = π × x?] D

δ=[y!:=0.1]

Bb=[x? : N; u? : R;

y! : R; v! : R; z : N | y! = 2π × bx?/2c ± 0.02;

v! = z ∗ u?].

In the following, we give a approximated reﬁne-

ment relation between HZIAs. For HZIAs, a state

has not only behaviour properties but also data prop-

erties. Therefore this approximated reﬁnement rela-

tion involves both the reﬁnement relation between be-

haviour properties and the approximated reﬁnement

relation between data properties.

Deﬁnition 9. Given a HZIA P and a conﬁguration

(s,D

) ∈ S

× R, where R is the set of real numbers,

the set ε − transition

((s,D

),d) = {(s

∗

+ d) |

t ∈ ε − closure

(s), for every 0 ≤ e ≤ d, the in-

variant F

(t) holds for C

= D

+ e, and s

∗

∈ ε −

closure

(t)}.

Intuitively, ε − transition

((s,T

),d) is the set of

conﬁgurations after performing some internal actions

with d time delay.

Deﬁnition 10. Given a HZIA P and a conﬁgura-

tion (s,D

) ∈ S

× R, where R is the set of real

numbers, the set ε − delay

((s,D

),d) = {(s

) |

) ∈ ε − transition

((s,D

),d

),..., (s

) ∈

ε − transition

((s

i−1

),d

), where d = d

+ ... +

The set ε − delay

((s,D

),d) is the set of conﬁg-

urations after performing several internal actions with

time delay d.

Deﬁnition 11. Consider a HZIA P and a conﬁgu-

ration (s,D

) ∈ S

× R, where R is the set of real

numbers. For an action a, we let

ExtDest

((s,D

),a,d) = {(s

∗

) | (t,D

) ∈ ε −

delay

((s,D

),d

), D

= D

+ d

. ∃(t, a, t

∗

) ∈ T

∗

) ∈ ε − delay

((t

∗

),d

), and d = d

+ d

∗

= D

+ d

The set ExtDest

((s,D

),a,d) is the set of conﬁg-

urations after performing several internal actions and

an external action with time delay d.

The approximated reﬁnement relation between

HZIAs is similar to that of original ZIAs (Cao, 2010)

except that a transition with time delay d should be

matched by another transition with time delay d and

small measuring errors δ of real numbered variables

should be considered.

Deﬁnition 12. Consider two HZIAs P and Q. Sup-

pose CV

∩(V

∪V

) = CV

∩(V

∪V

), where CV

(CV

) denotes the set of real-numbered variables in

HZIA P (Q). δ is a positive real-numbered assign-

ment on CV

∩ (V

∪ V

). A binary relation R

⊆

× R) × (S

× R) is an approximated simulation

from Q to P, if for all conﬁgurations (s,D

) ∈ S

×R,

there exists (t,D

) ∈ S

× R such that (s,D

) R

(t, D

) the following conditions hold:

(1) F

(s) D

(t);

(2) For any (s

∗

) ∈ ε−delay

((s,D

),d), there

is a conﬁguration (t

∗

) ∈ ε − delay

((t, D

),d),

such that F

∗

) D

∗

), and (s

∗

) R

∗

);

(3) For any input action a, if (s

∗

) ∈

ExtDest

((s,D

),a,d), there is a conﬁguration

∗

) ∈ ExtDest

((t, D

),a,d), such that F

(a)D

(a), F

∗

) D

∗

), and (s

∗

) R

∗

);

(4) For any output action a, if (s

∗

) ∈

ExtDest

((s,D

),a,d), there is a conﬁguration

∗

) ∈ ExtDest

((t, D

),a,d), such that F

(a)D

(a), F

∗

) D

∗

), and (s

∗

) R

∗

We write (s,D

) 

(t, D

) if there is an approxi-

mated simulation R

such that (s,D

) R

(t, D

Deﬁnition 13. The HZIA Q approximately reﬁnes

the HZIA P written P 

Q if

There is an approximated simulation 

from Q

to P, a conﬁguration (s, 0) ∈ S

and a conﬁguration

(t, 0) ∈ S

such that (s,0) 

(t, 0).

We have the following proposition about approxi-

mated reﬁnement relation 

ENASE 2011 - 6th International Conference on Evaluation of Novel Software Approaches to Software Engineering

264

Proposition 1. (1) P 

P, where δ(x) = 0 for any

(2) If P 

Q and δ(x) ≤ η(x) for any x, then P 

(3) If P 

Q and Q 

R, then P 

(δ+η)↓

dom(δ)

R, where (δ + η) ↓

dom(δ)

is a positive real-numbered

assignment such that the domain of (δ + η) ↓

dom(δ)

is the same as that of δ and ((δ + η) ↓

dom(δ)

)(x) =

δ(x) + η(x) for any x in the domain of δ.

In the following, we present a simpliﬁed approx-

imated reﬁnement relation 

where the appearance

of time delay d in Clauses (3) and (4) in the deﬁnition

of 

is replaced by 0. Then we show the equivalence

between 

and 

Deﬁnition 14. Consider two HZIAs P and Q. Sup-

pose CV

∩ (V

∪ V

) = CV

∩ (V

∪ V

), where

(CV

) denotes the set of real-numbered vari-

ables in HZIA P (Q). δ is a positive real-numbered

assignment on CV

∩ (V

∪ V

). A binary relation

⊆ (S

× R) × (S

× R) is a simpliﬁed approxi-

mated simulation from Q to P, if for all conﬁgurations

(s,D

) ∈ S

× R, there exists (t,D

) ∈ S

× R such

that (s,D

) R

(t, D

) the following conditions hold:

(1) F

(s) D

(t);

(2) For any (s

∗

) ∈ ε−delay

((s,D

),d), there

is a conﬁguration (t

∗

) ∈ ε − delay

((t, D

),d),

such that F

∗

) D

∗

), and (s

∗

) R

∗

);

(3) For any input action a, if (s

∗

) ∈

ExtDest

((s,D

),a,0), there is a conﬁgura-

tion (t

∗

) ∈ ExtDest

((t, D

),a,0), such that

(a) D

(a), F

∗

) D

∗

), and (s

∗

) R

∗

);

(4) For any output action a, if (s

∗

) ∈

ExtDest

((s,D

),a,0), there is a conﬁgura-

tion (t

∗

) ∈ ExtDest

((t, D

),a,0), such that

(a) D

(a), F

∗

) D

∗

), and (s

∗

) R

∗

We write (s,D

) 

(t, D

) if there is a simpli-

ﬁed approximated simulation R

such that (s, D

) R

(t, D

Deﬁnition 15. The HZIA Q simply approximately

reﬁnes the HZIA P written P 

Q if

There is a simpliﬁed approximated simulation 

from Q to P, a conﬁguration (s,0) ∈ S

and a conﬁg-

uration (t, 0) ∈ S

such that (s,0) 

(t, 0).

We have the following proposition about the re-

lation between approximated reﬁnement relations 

and 

Proposition 2. (1) (s,D

) 

(t, D

) iff (s,D

) 

(t, D

) for any HZIA P and Q, any state s in P and t

in Q, and any real number D

and D

;

(2) P 

Q iff P 

Q for any HZIA P and Q.

5 CONCLUSIONS

This paper proposed a speciﬁcation approach of hy-

brid software/hardware components which is suitable

to specify the hybrid behaviour and data structures

properties of a system. There are several other works

for such topic (Fischer, 1996; Fischer, 1997; Fischer,

1998). But the speciﬁcation languages in these works

are based on process calculi which are abstract and

difﬁcult to be applied by programmers. Interface au-

tomata are a kind of models for programmers to spec-

ify the behaviour properties of a system. However

it can not specify the hybrid property and data struc-

tures property of a system. In this paper, we deﬁne

a combination of interface automata, hybrid automata

and Z called HZIA, which can be applied to specify

the behaviour and data structures properties of a hy-

brid system. Moreover, it is intuitive, and it is easy

to be understood and to be applied by programmers.

We also deﬁne the approximated reﬁnement relation

for HZIA. The properties of the approximated reﬁne-

ment relation for HZIA are also studied. HZIA is well

suited for speciﬁcation and development of hybrid

software/hardware components. It provides powerful

techniques to model control aspects, hybrid property

and data structures in a common framework.

REFERENCES

Bowen, J. (2003). Formal Speciﬁcation and Documentation

using Z: A Case Study Approach. Thomson Publish-

ing.

Cao, Z. (2010). Reﬁnement checking for interface automata

with z notation. Proceeding of Software Engineering

and Knowledge Engineering, pages 399–404.

Fischer, C. (1996). Combining CSP and Z. Technical report,

TRCF-97-1, University of Oldenburg.

Fischer, C. (1997). Csp-oz: A combination of object-z and

csp. Proceedings of FMODDS’97, pages 423–438.

Fischer, C. (1998). How to combine z with a process alge-

bra. Proceedings of ZUM’98, pages 5–23.

Henzinger, T. A. (1996). The theory of hybrid automata.

Proceedings of LICS 96, pages 278–292.

Hoare, C. A. R. (1985). Communicating Sequential Pro-

cesses. Prentice-Hall.

Luca de Alfaro, T. A. H. (2001). Interface automata. Pro-

ceedings of FSE2001, pages 109–120.

Spivey, J. M. (1998). The Z Notation: A Reference Manual.

Sencond Edition. Prentice Hall International.

Woodcock, J. and Davies, J. (1996). Using Z - Speciﬁcation,

Reﬁnement, and Proof. Prentice-Hall.

HYBRID ZIA AND ITS APPROXIMATED REFINEMENT RELATION

265