ESBMC-PLC: Formal Verification of IEC 61131-3 Ladder Diagram Programs Using SMT-Based Model Checking

2026-06-13 · Source: Computation and Language · Field: Technology & Digital — Software Development & Engineering, Robotics & Autonomous Systems, Artificial Intelligence & Machine Learning · Depth: Expert, quick

Summary

ESBMC-PLC is the first open-source formal verifier designed to natively support IEC 61131-3 ladder diagram (LD) programs, addressing a critical gap where SMT-based model checkers previously could not process LD's graphical notation. Implemented as a new ESBMC frontend, it translates LD rungs into GOTO IR and models the PLC scan cycle as a while(true) loop with nondeterministic inputs. The tool verifies safety properties using SMT-based bounded model checking or k-induction, employing a five-property YAML language (mutual_exclusion, invariant, absence, response, reachability) instead of temporal logic. ESBMC-PLC closes two of four research gaps identified in a 2020-2026 survey of 22 studies. Evaluation on 13 benchmarks from 6 domains, including deployed CONTROLLINO PLCs and MathWorks Simulink PLC Coder, demonstrated correct classification across 61 properties, identifying 8 actionable bugs and achieving 7 unbounded k-induction proofs, all within 60ms on Apple Silicon. It stands out as the only open-source tool combining native LD, k-induction, and SMT bit-vector semantics.

Key takeaway

For automation engineers developing or maintaining safety-critical IEC 61131-3 ladder diagram programs, ESBMC-PLC provides a robust, open-source formal verification solution. You should integrate this tool into your pre-deployment validation pipeline to automatically detect bugs and ensure property adherence. Its native LD support and efficient SMT-based checking can significantly enhance the reliability of your industrial control systems, offering actionable counterexamples and unbounded proofs for critical safety properties.

Key insights

ESBMC-PLC enables formal verification of IEC 61131-3 ladder diagram programs using SMT-based model checking.

Principles

• Graphical PLC languages can be formally verified.
• Simplified YAML properties suffice for safety checks.
• SMT bit-vector semantics enhance PLC verification.

Method

ESBMC-PLC translates LD rungs to GOTO IR, models the PLC scan cycle as a while(true) loop with nondeterministic inputs, and checks safety properties via SMT-based bounded model checking or k-induction using a five-property YAML language.

In practice

• Verify safety-critical industrial PLC programs.
• Detect bugs in deployed ladder diagram logic.
• Achieve unbounded proofs for PLC properties.

Topics

• Formal Verification
• Ladder Diagram
• IEC 61131-3
• SMT Model Checking
• Programmable Logic Controllers
• Industrial Control Systems

Best for: Research Scientist, AI Scientist, Robotics Engineer, Automation Engineer

Related on AIssential

• Automating Geometry-Intensive Compliance Checking in BIM: Graph-Based Semantic Reasoning Framework — SGR-BIM uses a graph-driven framework to automate geometry-intensive BIM compliance checks, improving accuracy and interpretability.
• PhaseNet++: Phase-Aware Frequency-Domain Anomaly Detection for Industrial Control Systems via Phase Coherence Graphs — Phase information, often discarded, offers a complementary and powerful modality for ICS anomaly detection.
• I Built an AI That Modernizes Legacy COBOL — And Then Made It Prove Its Own Work — Separating correctness (compiler theory) from intent (LLM semantics) is key to reliable legacy code modernization.
• STMutants: A Mutation Testing Dataset for Structured Text Programs in Industrial Automation — STMutants provides the first public mutation testing benchmark for IEC 61131-3 Structured Text, enabling reproducible research and LLM evaluation for PLC software.
• pcbGPT: Automatic PCB Schematic Synthesis from Natural Language Requirements — pcbGPT automates PCB schematic synthesis from natural language using a multi-faceted, grounded approach.
• FoVer: First-Order Logic Verification for Natural Language Reasoning — FoVer enhances LLM logical reasoning reliability via automated first-order logic verification using Z3.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Computation and Language.