Software verification for programmable logic controllers

ion Abstraction is a fundamental concept used in all formal verification methods. Abstracting means replacing a concrete object with an abstract one which is more universal, and therefore, often has a simpler structure than before. A well-chosen abstraction simplifies as much as possible, without losing too much information about the concrete object. Abstractions can be used in different ways during the specification and verification process:ion is a fundamental concept used in all formal verification methods. Abstracting means replacing a concrete object with an abstract one which is more universal, and therefore, often has a simpler structure than before. A well-chosen abstraction simplifies as much as possible, without losing too much information about the concrete object. Abstractions can be used in different ways during the specification and verification process: • Building the system model: Every translation from a real-life system or an informal system description into a formal model is an abstraction. • Optimizing the system model: Depending on the property that is to be checked, different abstractions of the system model can be useful, e.g., by abstracting from data, time, or continuous variables to obtain simpler models. • Reducing the complexity of model checking: Model-checkers often use abstractions to minimize time and space usage, e.g., by introducing symbolic states. When abstracting a system model, often a so-called safe abstraction is chosen: Whenever a property holds for the abstract system, it also holds for the concrete system. The converse, however, does not always hold, due to the over-approximation which occurs in the abstraction process. A positive model checking result on a safe abstraction therefore means that the concrete system also fulfills the property, whereas a negative result can either mean that the concrete system is not correct or that the abstraction is too coarse. Thus, when getting a negative result, the counterexample provided by the model-checker is examined to see if the error will also occur in the concrete system. If it doesn’t, a finer abstraction has to be chosen.