PLC Program Translation for Verification Purposes by Darvas, Dániel et al.
151PLC Program Translation for Verification Purposes 2017 61 2
PLC Program Translation for 
Verification Purposes
Dániel Darvas1,2*, István Majzik1, Enrique Blanco Viñuela2
Received 15 July 2016; accepted after revision 27 November 2016
Abstract
Programmable logic controllers are typically programmed 
in one of the five languages defined in the IEC 61131 stand-
ard. While the ability to choose the appropriate language for 
each program unit may be an advantage for the developers, 
it poses a serious challenge to verification methods. In this 
paper we analyse and compare these languages to show that 
the ST programming language can efficiently and conveniently 
represent all PLC languages for formal verification purposes. 
Furthermore, we provide a translation method from IL to ST 
programming languages (for the Siemens implementation), 
together with a sketch of proof for its correctness. This allows 
the usage of the ST-based PLCverif model checking method for 
safety PLC programs.
Keywords
PLC, programming languages, formal verification, semantics
1 Introduction and Background
Programmable Logic Controllers (PLCs) are widely used 
for various control tasks in the industry. As they often perform 
critical tasks – sometimes PLCs are even used in safety-critical 
settings up to SIL3 – the verification of these hardware-soft-
ware systems is a must. Besides the common testing and simu-
lation methods, formal verification techniques, such as model 
checking are used increasingly often.
The corresponding IEC 61131 standard defines five PLC-
specific programming languages: Instruction List (IL), Struc-
tured Text (ST), Ladder Diagram (LD), Function Block Dia-
gram (FBD) and Sequential Function Chart (SFC) [15]. It is 
out of the scope of this article to discuss the features of these 
languages in detail, but a simple example in Fig. 1 illustrates 
these languages. The first four example program excerpts are 
execution equivalent, i.e. for all possible starting (input and 
retained) variable valuations, the results of these programs are 
the same variable valuations. The SFC example is different 
from the others, as this is a special-purpose language for struc-
turing complex applications.
This variety of languages responds to the fact that PLCs are 
used in different settings and programmed by people with vari-
ous backgrounds. This is an advantage for the developers, but 
an important challenge for the verification. The languages can 
be freely mixed, e.g. a function written in IL can call an ST 
function. To provide a generally applicable formal verification 
solution, all these languages should be supported.
1.1 Motivation
Our practical motivation lies in the PLCverif formal veri-
fication tool and its verification workflow [12, 7]. The PLC-
verif tool provides a way for PLC program developers to apply 
model checking to their implementation. This allows to check 
the satisfaction of various state reachability, safety and liveness 
requirements. The inputs of the model checking workflow are 
the source code and the requirements formalised using require-
ment patterns. At the moment, programs (or program units) 
written in the Siemens variant of ST are supported natively. 
These inputs are selected to be convenient for the users who are 
1 Department of Measurement and Information Systems, Faculty of Electrical 
Engineering and Informatics, Budapest University of Technology and 
Economics (BUTE), H-1117 Budapest, Magyar tudósok körútja 2., Hungary
2 European Organization for Nuclear Research (CERN), CH-1211 Geneva 23, 
Geneva, Switzerland
* Corresponding author, e-mail: darvas@mit.bme.hu
61(2), pp. 151-165, 2017
https://doi.org/10.3311/PPee.9743
Creative Commons Attribution b
research article
P Periodica Polytechnica
Electrical Engineering 
and Computer Science
152 Period. Polytech. Elec. Eng. Comp. Sci. D. Darvas, I. Majzik, E. Blanco Viñuela
not familiar with formal verification methods. PLCverif auto-
matically generates temporal logic expressions from the pat-
tern-based requirements, parses the input code, builds a simple, 
automata-based intermediate verification model, calls the cho-
sen external model checker tool (e.g. nuXmv), and presents the 
results in a simple, self-contained format to the user. The tool 
is in use at the European Organization for Nuclear Research 
(CERN) to check critical control programs [13]. While most of 
the PLC programs are written in ST at CERN, in special cases 
(e.g. safety instrumented systems) restrictions forbid the use of 
ST. To make PLCverif generally applicable, all five PLC pro-
gramming languages should be supported.
From the development point of view, providing a complete 
parser and a verification model builder is a great effort. Further-
more, the grammars of the PLC languages are notably different, 
making it difficult to use the same technology stack. For exam-
ple, in case of PLCverif the currently used Xtext-based1 parser 
is not suitable for the IL language, where the same tokens can be 
treated as keywords or names depending on the context. On the 
other hand, the different languages have many common parts, 
e.g. function and function block declarations, variable declara-
tions. If these should be developed for each language indepen-
dently, the maintenance of the tool may become difficult.
Instead, in this paper we investigate the possibility of a dif-
ferent approach: is it possible to use the ST language as a pivot 
to represent all five standard PLC languages? If the translation 
preserves the properties of the model to be checked, adding this 
extra translation step (i.e. transformation to ST, then parse and 
build the verification model) makes no theoretical difference, 
the pivot language might be considered as a concrete syntax 
of the underlying intermediate verification model (IM). How-
ever, as it will be discussed later, the required development and 
maintenance effort could be significantly lower.
To answer this question, the relations between the PLC lan-
guages have to be investigated. As it might not be possible or 
practical to translate each language directly to ST, the relation-
ship between all languages should be discussed.
This paper is a modified and extended version of the 
local conference paper [9], and it is structured as follows. 
Sections 2–5 are taken from the conference paper [9] with 
minor modifications. Section 2 defines our comparison method. 
Section 3 discusses the relations between the different IEC 
61131 PLC programming languages. Next, Section 4 discusses 
a concrete implementation of these languages, namely the one 
provided by Siemens. Section 4.1 is an additional subsection 
compared to [9] that overviews the organisation of Siemens 
PLC programs. Section 5 analyses the results of the paper and 
shows that the Siemens implementation of the ST language can 
serve as a pivot language for the rest of the languages.
The new contributions are in Sections 6–9. Section 6 
describes and formalises the IL to ST translation (using the Sie-
mens implementation of these languages), as proposed in Sec-
tion 5. Section 7 provides a method for the correctness proof 
of this translation. Section 8 discusses the application of the 
contributions of this paper for verification purposes. The reader 
finds an overview of the related work in Section 9. The paper is 
concluded in Section 10.
2 Comparison Method
The expressive power of different programming languages 
is often discussed in computer science. However, the typical 
answer to these questions for a pair of commonly used lan-
guages is that both languages are Turing complete, therefore 
their expressive power is equivalent.
For our purposes this is not a useful comparison. When we 
are looking for pivot language, it is not enough to know that a 
certain program can be represented in another language, i.e. for 
each program in source language 𝖲 there exists an execution 
equivalent program in language 𝖳. It should be known as well, 
how can this translation be performed. Therefore we are inter-
ested in a stronger, element-wise emulation relation that deter-
mines whether each “element”2 of a language 𝖲 can be mapped 
to language 𝖳. If this relation holds, then inductively all programs 
of language 𝖲 can be translated into language 𝖳, in other words 
language 𝖳 can emulate language 𝖲. This is close to defining a 
small-step operational semantics for language 𝖲 in language 𝖳.
ST
IF NOT(x = TRUE OR
   y = FALSE) THEN
    r1 := TRUE;
END_IF;
r2 := (a >= b);
x
y
NOT S
r1
r2
>=
IN1
IN2
a
b
LD FBD
r1
S
>=1
x
y
r2
=
>=
IN1
IN2
a
b
S1
T1 T2
S4
S2
S4
T4T3
T5
S1
S3
SFC
A(    
O     x
ON    y
)     
NOT   
S     r1
L     a   
L     b
>=I        
=     r2
IL (Siemens)
Fig. 1 PLC language examples
1 https://eclipse.org/Xtext/
2 As the PLC languages are significantly different, “element” is understood 
on a high level (i.e. an element can be an ST statement, but also an LD wire 
junction).
153PLC Program Translation for Verification Purposes 2017 61 2
In the following we investigate for each pair of PLC languages 
if such elementwise mapping relation exists. Note that this rela-
tion is transitive, reflexive and asymmetric. We start the investi-
gation with the IEC 61131 version of the languages, as they have 
a detailed, yet semi-formal description in [15]. Later, we check 
the differences between the standard and the Siemens variants.
3 Standard Languages
In this section, we discuss the element-wise representation 
relation for each pair of standard PLC languages. The findings 
are summarised in Table 1. Here “–” denotes that the element-
wise representation is not possible.
Table 1 Element-wise mapping between standard languages
to 
from
ST IL FBD LD SFC
ST + + − − −
IL − + − − −
FBD − + + + −
LD − + + + −
SFC + + + + +
SFC is based on a specification method called Grafcet [14], 
which itself has roots in safety Petri nets. The goal of SFC is to 
structure the programs, it is not intended to be a generic PLC lan-
guage. Only certain types of program units can be represented 
by SFCs, while the other four languages target all of the pro-
gram unit types, therefore no other language can be universally 
represented in SFC. Since it is based on Petri nets, translating 
the structure of an SFC program to any other language could be 
problematic, because Petri nets allow non-determinism, while 
the PLC languages are deterministic. However, determinism is 
explicitly required by the standard [15, Sec. 2.6.5]. The parts 
of SFC besides the structure are the actions, which can can be 
typically regarded as simple program snippets and these specific 
parts can be mapped to any other PLC language, assuming that 
the ambiguities of the standard are first resolved [1].
FBD and LD are two similar graphical languages. FBD is 
composed by signal flow lines and boxes representing built-in 
and user-defined program units. LD builds on concepts close 
to electric diagrams, such as power rails, contacts and coils. 
Despite the differences, IEC 61131 defines LD and FBD in 
a similar way, with many common elements. The differences 
[15, Sec. 4.2–4.3] are minor and mainly syntactic. All LD-
specific elements (e.g. coils, power rails) can be translated to 
equivalent FBD elements and vice versa. The wires and flow 
lines represent data flows, the coils and contacts have corre-
sponding instructions in IL (see below). The built-in and user-
defined blocks of FBD and LD can be called from IL as well. 
Therefore each FBD and LD program can be element- wise 
mapped to IL, in some cases requiring to explicitly introduce 
new variables that are only implicitly present (as wires) in the 
FBD and LD programs.
Contrarily, LD and FBD programs cannot be element-wise 
mapped to ST. The FBD, LD and IL languages support labels and 
jumps, but ST enforces structured programming, thus jumps are 
missing from the language [15, Sec. B.3]. Although it is known 
that Turing complete programs can be made jump-free by replac-
ing jumps with loops and conditional statements [6], this con-
struction does not fit to our approach of element-wise mapping.
IL is an assembly-like, low-level language. It has instructions 
such as LD (load value to accumulator) or ST (store the accumu-
lator value to the given variable). As the rest of the languages do 
not provide direct access to the accumulator, the element-wise 
(instruction by instruction) translation to any other PLC lan-
guage is not possible. Furthermore, the lack of jump instruction 
in ST would make the IL to ST translation difficult too.
ST is a high-level, structured textual language. Besides 
providing program structuring elements, such as conditional 
statements (IF, CASE) and loops, it also makes the indi-
rect variable access possible. For example, the expression 
“array_var[var1]” is permitted in ST, but not in FBD or 
LD [15, Sec. 2.4.1.2], therefore the ST to FBD or LD transla-
tion is not possible. On the other hand, these expressions are 
permitted in IL. More precisely, the ST syntax for defining 
expression is permitted in IL in certain cases [11]. Based on the 
syntax and semantics definitions of ST and IL, each ST state-
ment can be represented by a list of IL instructions: the corre-
sponding arithmetic operations exist in IL as well, the variable 
assignments can be performed through LD and ST, the selec-
tion and iteration statements can be represented by labels and 
jumps, etc.
Based on the discussion above and Table 1, ST does not 
seem to be a pivot language candidate. However, before the 
final conclusion, the implementation of the languages should 
also be checked for two reasons: (1) the different manufactur-
ers may have differences in their implementation compared to 
the standard, and (2) the IEC 61131 standard is ambiguous [1, 
10, 16] and the vendors might resolve the ambiguities differ-
ently. The following section compares a concrete implementa-
tion of the five PLC programming languages.
4 Implementation of the Languages
The IEC 61131 standard does not discuss the implementa-
tion details of the languages. Several decisions are left to the 
vendors, marked as “implementation-dependent” features or 
parameters in the standard (e.g. range of certain data types, 
output values on detected internal errors). Consequently, PLC 
providers support different variants of the languages. The 
implementation-dependent details are also important for the 
behaviour of the programs, thus it is necessary to check these 
details. Siemens is the PLC provider most used at CERN 
and one of the most used globally, therefore we focus on the 
154 Period. Polytech. Elec. Eng. Comp. Sci. D. Darvas, I. Majzik, E. Blanco Viñuela
Siemens variants of the languages in this section. All five lan-
guages are supported in Siemens PLCs with some differences 
[28]. Compared to the standard, the differences are significant 
in some cases, also some languages have ancestors from times 
before IEC 61131, thus Siemens uses different names for their 
languages: instead of ST, IL, FBD, LD, SFC the Siemens lan-
guages are called SCL, STL (AWL), FBD, LAD, SFC/GRAPH, 
respectively. To avoid the confusion of the readers, we will use 
the standard language names for the Siemens variants too, with 
an added apostrophe (e.g. we will use ST’ instead of SCL to refer 
to the Siemens implementation of the standard ST language).
4.1 Organisation of Siemens PLC Programs
To make the following discussions more understandable, a 
brief overview of the Siemens PLC program structure is pre-
sented. This follows the IEC 61131 with some notable differ-
ences. PLCs have a mainly cyclic behaviour. In each so-called 
scan cycle (or PLC cycle) the physical inputs are read, the user-
defined program is executed, then the resulting output values 
are assigned to the physical outputs.
The code to be executed in each cycle is described by an 
organization block. This is a special program block, similar to a 
function, that serves as an interface between the operating sys-
tem and the user code. Similarly, the interrupt handler methods 
are organization blocks too. There are two other program block 
types: functions and function blocks. Function blocks are state-
ful functions: they can be instantiated and certain variables pre-
serve their values between two calls. There are only few restric-
tions on the implementation of the program blocks: the SFC’ 
language can only be used for function blocks. The other four 
languages can be used for all three types of program blocks. 
The program blocks can call each other (except organization 
blocks which can only be called by the operating system), no 
matter in which language they are written.
An additional block type exists: the data block. A data 
block is a structured memory storage. Instance data blocks are 
used to store the non-volatile variables of the function block 
instances, while the shared data blocks are used for general-
purpose global storage of structured data.
It is worth to be noted that the Siemens PLC programming 
languages are not case sensitive.
4.2 Relations Between the Siemens PLC Languages
The following part of the section overviews the differences 
between the standard and Siemens implementations of the PLC 
programming languages, compared to Table 1. The differences 
between the standard and Siemens versions of FBD and LD are 
subtle and mainly syntactic3 [28]. Notable differences in syntax 
and semantics between the standard and the implementation 
can be observed in the Siemens variants of ST and IL. The rela-
tions between the Siemens languages are shown in Table 2 and 
discussed in the following.
Table 2 Element-wise mapping between Siemens languages
to 
from
ST’ IL’ FBD’ LD’ SFC’
ST’ + + − − −
IL’ − + − − −
FBD’ + + +
LD’ + + +
SFC’ + + + + +
As the FBD’ and LD’ languages match nearly perfectly the 
standard versions, the relations between them are valid for the 
Siemens variants too. The SFC’ language is an extension of the 
standard SFC. A notable difference is the introduction of new 
actions in SFC’. As SFC’ has a rich and configurable semantics 
that is only described informally, without details, we omit the 
deep analysis of this language and we assume that each action 
can be translated into any of the languages, therefore the com-
plete SFC’ program can be translated to other languages. ST’ and 
IL’ are extended compared to the standard equivalents. Therefore 
if a language can be mapped to ST or IL, it can also be mapped to 
the corresponding implementation (ST’ or IL’). Similarly, if ST 
or IL cannot be mapped to a given standard language, IL’ or ST’ 
cannot be mapped to the same language either. Consequently, the 
shaded cells of Table 2 are inherited from Table 1.
Due to the limitations of the Siemens development envi-
ronment, the FBD’ and LD’ programs can only be exported if 
they are translated to IL’ first. According to [22], the translation 
from LD’ and FBD’ to IL’ is always possible. We omit the dis-
cussion of transforming LD’ and FBD’ directly to ST’ or SFC’, 
as they would be practically infeasible.
The Siemens variant of ST is significantly extended com-
pared to the standard. It includes labels and jump functions, 
which invalidates the reasoning of Section 3 why IL, LD and 
FBD cannot be represented in ST. Despite the extensions, it is 
not possible in ST’ to directly access the registers, e.g. modi-
fying the contents of the accumulators. For example, the IL’ 
instruction “L var1”, transferring the contents of Accumula-
tor 1 to Accumulator 2 and then loading the content of variable 
var1 to Accumulator 1 cannot be directly represented in ST’. 
One can argue that a function containing only the instruction 
“L var1” is meaningless, as its effect will be made invisible 
when the function returns. However, this example is enough 
to demonstrate that the element-wise mapping is not possible.
The Siemens IL’ variant is significantly different from the 
standard IL, and it dates back well before the first version of 
the IEC 1131 standard (the predecessor of IEC 61131), as this 
3 For instance, LD’ fully implements the standard. The only difference 
between FBD and FBD’ is that the latter does not support the unconditional 
jumps, but it is easy to represent them as conditional jumps [28].
155PLC Program Translation for Verification Purposes 2017 61 2
programming language was used already for the S5 series of 
PLCs in the 1980s. The following short example illustrates the 
syntactic differences. The IL program in Listing 1 and the IL’ 
program in Listing 2 give the same output values to the same 
input values, but they use a significantly different syntax and 
underlying semantics. The behaviour of both code snippets is 
equivalent to “r:=(a >= b)” in ST. The background of this 
difference is that the standard defines only one “register”, the 
result variable. The Siemens implementation is closer to the 
assembly-like languages, using several status bits, registers, 
accumulators, etc.4 As the ST’ and IL’ language definitions are 
non-formal, it is difficult to argue about the ST’ to IL’ transfor-
mation. However, the Siemens development tool provides this 
transformation capability, therefore we treat this as possible.
1
2
3
LD a    (∗ RES:=a ∗)
GE b    (∗ RES:=(RES>=b) ∗)
ST r    (∗ r : =RES ∗)
Listing 1 Example IL code
1
2
3
4
L a    (∗ ACC2:=ACC1; ACC1:=a ∗)
L b    (∗ ACC2:=ACC1; ACC1:=b ∗)
>=I    (∗ RLO:=(ACC2>=ACC1) ∗)
= r    (∗ r:=RLO ∗)
Listing 2 Example IL’ code
5 Finding a Pivot Language
Looking at Table 2 might lead to the same conclusion for the 
Siemens implementations of the languages as Table 1. How-
ever, due to the extensions in the implementations, the gap 
between IL’ and ST’ is much smaller than between their stand-
ard equivalents. The only main difference between them is the 
possibility to access the registers directly. Therefore ST’ can 
be a pivot language, if it is extended with the emulation of reg-
ister access by using dedicated local variables for verification 
purposes. We will refer to this format of the programs as STr’. 
As the values of the registers are saved on the stack on each 
function call, their values are local to each program unit, they 
can be represented as local temporary variables. Thus the map-
ping from IL’ to STr’ can be done instruction by instruction, 
by explicitly representing the effects of each instruction on the 
basis of their semantics. For example, the above-mentioned 
“L var1” will be represented as “ACC2 := ACC1; 
ACC1 := var1;”, where ACC1 and ACC2 are the local vari-
ables representing Accumulator 1 and 2. This idea is similar to 
the SystemC representation used in [29].
Although the FBD’ and LD’ programs cannot be directly 
translated to STr’ in practice, it is feasible through IL’. The 
SFC’ programs can directly be mapped to ST’, thus to STr’ 
also. The advantage of this method is that one parser and one 
intermediate verification model generator fit all the languages. 
Only a simpler, text-to-text mapping to STr’ has to be devel-
oped for each language that is responsible for translating the 
language-specific parts, element by element.
One could argue that IL’ might be a good pivot language 
without defining any extension or representation convention 
for the verification. However, STr’ is a higher-level language, 
with a more compact representation (especially the expression 
description is more compact). The underlying intermediate 
verification model supports also complex expressions (simi-
larly to the formalism of many model checkers, e.g. nuXmv, 
UPPAAL), therefore translating a compact ST’ expression to a 
lengthy IL’ form is inefficient. Also, in our setting typically ST’ 
codes are verified, therefore using STr’ (and not IL’) as pivot 
can provide support for the other languages without any impact 
on the verification of ST’ programs.
Fig. 2 summarises the proposed generic representations of 
PLC languages for PLCverif. The FBD’ and LD’ graphical lan-
guages can be translated into IL’ by the Siemens development 
environment (1). An instruction-by-instruction transformation 
from IL’ to STr’, that makes the effects of the IL’ instructions 
explicit, is implemented for the most common instructions 
(currently we are focusing on the instructions that are typically 
used in safety-critical programs, e.g. Boolean logic operations, 
arithmetic operations) (2). This transformation is discussed in 
detail in Sections 6–7. The SFC’ to ST’ translation can be im- 
plemented using the same principles as the ones used in [12] to 
represent SFC’ directly using the PLCverif intermediate model 
(3). Finally, ST’ is a subset of STr’, thus it does not need any 
further transformation step (4). The STr’ code is the input for 
the verification model generation.
FBD’
LD’
SFC’
IL’
ST’
STr’
(1)
(1)
(2)
(3) (4)
Fig. 2 Unified representation of Siemens PLC languages
The PLC interrupts were not targeted in this paper. Certain 
PLCs may use them, interrupting the execution of the main pro-
gram. A certain IL’ instruction may be atomic, but the correspond-
ing STr’ representation, comprising several statements will not be 
atomic. This might cause concurrency problems and discrepan-
cies between the two representations of the code. However, if this 
is critical, a locking mechanism can be added to the translation. 
Although the IEC 61131 standard does not define any locking 
mechanism, it is defined for the Siemens ST’ language via the 
available system function blocks. To fully support the concurrent 
behaviour, further work will be necessary.
4 From this point we use the term “register” in a generic way, referring to the 
various low-level data structures: status bits, accumulators, nesting stack, etc.
156 Period. Polytech. Elec. Eng. Comp. Sci. D. Darvas, I. Majzik, E. Blanco Viñuela
6 Mapping IL’ to ST’
We recall that due to our motivation it is not enough to prove 
the existence of ST’ code with an equivalent behaviour for any 
IL’ program. We also need a precise description of the trans-
lation to be performed. This section describes the translation 
from IL’ to STr’ in detail.
The IL’ to STr’ translation is crucial in practice, even though 
IL’ is not used for the development of complex programs at 
CERN. However, the safety-critical programs of fail-safe PLCs 
can only be written in LD’ or FBD’ language according to the 
Siemens guidelines. The programs written in those graphi-
cal languages cannot be exported directly, they are converted 
to IL’ first using the Siemens development tool. Therefore the 
safety-critical programs are accessible only in IL’ language. In 
those cases the usage of error-prone features (e.g. floating-point 
data types, arrays, structures, pointers; see [27, Sec. 5.1.3] for 
complete definition) are prohibited, that is why we focus on the 
instructions in the following categories of [23]: bit logic instruc-
tions, simple load and transfer instructions, integer math instruc-
tions and comparison instructions (for integers). Contrarily, the 
instructions in the following groups of [23] are not discussed 
in this paper: counter instructions, shift and rotate instructions, 
floating-point math instructions, program control instructions.
As mentioned previously, IL’ is a low-level, assembly-like 
language. It provides access directly to registers, the arithme-
tic operations are performed on values stored in accumulators, 
the conditional behaviour is represented by jumps. However, it 
provides some higher-level features, such as function calls: the 
user does not have to deal with e.g. putting the parameters of 
a function call to the stack. Therefore while IL’ is commonly 
considered as an assembly-like language, it resembles more to 
the bytecodes of managed languages (e.g. Common Intermedi-
ate Language of .NET or the Java bytecode).
Another main difference between IL’ and the typical low-
level instruction sets is the special support for logical opera-
tions. PLCs often deal with Boolean logic, therefore dedicated 
registers (status bits, stacks) and instructions are available to 
facilitate these operations.
In this section we overview the memory model of the PLCs 
(Section 6.1). Then we discuss the IL’ semantics in Section 6.2 
and the representation of the IL’ instructions in STr’ (Sec-
tion 6.3). A method for the correctness proof of this translation 
is given after, in Section 7.
6.1 Memory Model of Siemens PLCs
In this subsection we overview the key features of the mem-
ory model that affect the IL’ to STr’ translation.
General-Purpose Memory. The Siemens PLCs have a glob-
ally accessible general-purpose memory. The so-called bit 
memory is a non-structured memory which needs no allocation. 
Data blocks are statically allocated, structured memory blocks. 
In non-safety settings all these memory parts support direct, 
indirect or symbolic addressing. To simplify the discussion, we 
will mainly consider symbolic addressing in the following (i.e. 
accessing variables via their names instead of their relative or 
absolute addresses).
Input/Output Memory. The physical inputs and outputs of the 
PLC are mapped to special ranges of the memory. The speciality 
of this memory region is that the input values are only sampled 
at the beginning of the PLC cycles, and the values stored in the 
output memory will only be assigned to the physical outputs at 
the end of the PLC cycles. In other aspects these memory ranges 
behave similarly to the general-purpose memory.
Besides the general-purpose memory, PLC programs use 
various status bits, accumulators and special-purpose stacks. 
As discussed before, they are referred simply as registers. The 
following overview of registers is based on [25].
Status Word. Most of the IL’ instructions read and write the 
status word (STW). The status word consists of status bits, as 
follows [25, p. 13].
• FC  (not first computation, bit 0) indicates if there was 
already any Boolean operation. If it is false, the value of 
RLO (see below) should not be taken into account. In the 
following, we will refer to this register as nFC.
• RLO (result of logic operation, bit 1) stores the result of 
the previous logic operations.
• STA (status, bit 2) stores the Boolean status of the previ-
ous operation. It has no effect on the execution of the pro-
gram, used only for diagnostic purposes [2, Sec. 15.1].
• OR (or, bit 3) stores auxiliary data for the “and before 
or” operation.
• OV (overflow, bit 5) indicates an overflow occurred in an 
arithmetic operation.
• Without discussing here their intuitive meaning, the rest 
of the status bits are the following: OS (stored overflow, 
bit 4); CC0, CC1 (condition codes, bit 6–7); BR (binary 
result, bit 8).
Accumulators. To allow binary arithmetic operations, Sie-
mens PLCs use two accumulators, ACCU1 and ACCU2. The 
size of the accumulators is 32 bits, but their lower and upper 
16 bits can be addressed directly (ACCUx-L and ACCUx-H, 
respectively), just as the individual bytes [25, p. 11]. Certain 
PLCs have two additional accumulators which might alter the 
arithmetic operations [2, p. 198].
Nesting Stacks. In order to facilitate the complex Boolean 
operations, a so-called nesting stack is defined. Each entry of this 
stack can store a partial result of a logic operation, and the code 
of the operation to be performed after the stack entry is popped. 
This makes easy to represent complex Boolean operations with 
157PLC Program Translation for Verification Purposes 2017 61 2
parentheses in IL’. For example, the r ← (a ∨ b) ∧ (c ∨ d) ∧ e 
operation (in ST’: r := (a OR b) AND (c OR d) AND e;) 
can be represented as follows:
1
2
3
4
5
6
7
8
9
10
A( 
O a
O b
)
A(
O c
O d
)
A e
= r
// pushing nesting stack entry
// OR operation
// OR operation
// pop nesting stack entry and perform AND operation
// pushing nesting stack entry
// OR operation
// OR operation
// pop nesting stack entry and perform AND operation
// AND operation
// store result in variable r
The A( instruction in line 5 stores the current RLO value 
(a ∨ b) and the operation to be performed (AND) on the nesting 
stack. As the nFC is set to false by A(, a new logic computa-
tion is started. Therefore the value of RLO will be c ∨ d after 
the execution of line 7. When the ) instruction is executed, 
the topmost nesting stack entry is popped and the stored AND 
operation will be performed on the stored RLO value (which 
is a ∨ b) and the current RLO value (which is c ∨ d). This will 
result in a new value for RLO: (a ∨ b) ∧ (c ∨ d).
Each nesting stack entry contains six bits: three saved sta-
tus bits and three bits to encode a Boolean operation (so-called 
function code). We will denote the three status bits of a nesting 
stack entry by nsRLO, nsOR, nsBR, and the function code 
bits as nsFC2, nsFC1, nsFC0. To refer to the different entries 
of the nesting stack, we will use the [ ] indexing operator. For 
example, nsRLO[1] refers to the RLO bit of the first (topmost) 
entry of the nesting stack. The nesting stack may contain up 
to 7 entries [23, Sec. 2.2], indexed by us from 1 (most recent 
entry) to 7 (least recent entry).
Additional Registers and Stacks. For completeness, we 
briefly mention some additional registers of Siemens PLCs 
which will not be discussed in detail in the following.
• AR1 and AR2 are two address registers, providing a base 
address for indirect addressing.
• The interrupt stack stores the contents of accumulators 
and address registers when the execution is interrupted by 
a higher-priority organization block [26, Sec. 27.2.3.4].
• The local stack (L stack) and the block stack (B stack) 
store the local data of function or function block calls and 
the return addresses [26, Sec. 27.2.3].
• The MCR (master control relay) bit alters the behaviour 
of certain instructions which are modifying the values 
stored in the memory. Its value can be stored in a special 
stack and it is possible to have special “MCR zones” [2, 
p. 232]. As the incorrect usage of MCR zones can lead to 
errors [2, p. 232], we treat only a simplified case without 
MCR zones, handling MCR only as a bit register.
6.2 Syntax and Semantics of IL’ Instructions
The syntax of the IL’ language is rather simple. The body 
of an IL’ program consists of statements. Each statement has a 
label (optional), an instruction and a parameter (depending on 
the instruction). For some instructions no parameter is needed, 
for others a symbolic name, a memory address, a label, a func-
tion or a constant is required. Without going into formal details, 
an intuitive syntax definition can be the following:
<IL_program> ::= <IL_statement>+;
<IL_statement> ::= [<label> ’:’] <IL_instruction>
[<parameter>] ’\n’;
<IL_instruction> ::= ’A’ | ’O’ | ’X’ | ’SET’ | ’CLR’
| ’=’ | ...;
The instructions and their parameters are defined in [24]. 
That document typically gives the following information for 
each instruction:
• The accepted parameter types,
• The informal description of the semantics of the instruction,
• The effect of the instruction on the status word: which 
bits are written by the instruction (if a certain bit is al-
ways set to 0 or 1 by the instruction, this fact is stated, 
but if the bit value is conditional, the exact formula is 
not defined),
• An example.
Some further information is available about the IL’ instruc-
tions in [23, 25]. The latter documentation defines for each 
instruction on which status bits do they depend.
However, the authors are not aware of any official documen-
tation that describes the precise semantics of each IL’ instruc-
tion. Obviously, this knowledge is necessary for the formal 
verification of IL’ programs. Therefore we have to propose a 
method to discover the precise semantics.
Method to Determine the Precise Semantics. In order to dis-
cover the precise semantics, we execute the instructions in all 
possible combinations, i.e. checking the results of each instruc-
tion in each possible situation. Of course, testing the behaviour 
of each instruction with each possible memory content is not 
feasible. However, each instruction depends only on certain reg-
isters and certain parts of the memory. These dependencies are 
defined in the description or status word influence part of [23, 
25]. It is also defined (or can be assumed based on the descrip-
tion), which registers and memory locations might be altered 
by the execution of a certain instruction5. Reproducing all pos-
sible combinations of the registers and parameters that affect a 
5 It is precisely defined which status bits can be modified by the instruction, 
but the same information is not given for other registers or memory locations. 
However, we assume that an instruction with a variable parameter does not 
access or modify any other variables if not described explicitly.
158 Period. Polytech. Elec. Eng. Comp. Sci. D. Darvas, I. Majzik, E. Blanco Viñuela
specific instruction and checking the new values of the altered 
affected registers and memory locations seem to be feasible.
On certain PLCs it is possible to set up the status word to a 
given value using the “T STW” statement. It is also possible 
to determine the current values of the status bits and registers 
on a breakpoint using a real PLC or the official Siemens PLC 
simulator software6. Therefore we can generate test programs 
which execute a given instruction for each interesting valua-
tion. In summary, we determine the precise semantics by check-
ing for each state (for each variable and register valuations) 
which new state can be reached by executing a given statement. 
This is performed using systematically produced test programs 
which set up each fundamentally different state one-by-one, 
then execute the IL’ instruction under analysis.
Example. We use the A( instruction as an example to present 
the method. According to the documentation, “A( (AND nest-
ing open) saves the RLO and OR bits and a function code into 
the nesting stack. A maximum of seven nesting stack entries are 
possible.” [24]. According to [25], the A( instruction depends 
on the BR, OR, RLO and nFC status bits and it sets the STA 
bit to true, and the OR and nFC bits to false. The instruction 
does not depend on any other status bit and it does not modify 
any other status bit. However, it may depend or affect other 
data. Based on the informal description, the A( modifies the 
contents of the nesting stack.
In order to determine the semantics of the A(, all possible 
combinations of BR, OR, RLO and nFC status bits should be 
reproduced by a test program, then the resulting values of STA, 
OR and nFC registers and the nesting stack should be checked. 
We have generated an IL’ test code for the A( instruction. The 
IL’ code snippet corresponding to a check for a single valuation 
can be seen in Listing 3. This specific code snippet can help us 
to determine the behaviour of the instruction when the BR bit 
is false, and the OR, RLO and nFC bits are true.
By generating and performing similar checks for all 16 
combinations, the data in Table 3 can be obtained. Row 8 of 
the table was determined by executing the test program in 
Listing 3. According to the documentation, the STA, OR and 
nFC bits are set to constant values unconditionally. However, 
we have already observed mistakes and contradictions in the 
official documentations, thus it is worth to check the values 
of STA, OR and nFC too. In the current case the status bit 
values observed after the execution matched the defined values, 
therefore they are omitted from the table. Based on Table 3 
and the documentation the effects of the A( instruction can be 
summarised:
• It sets the OR and nFC status bits to 0,
• It sets the STA status bit to 1,
• It creates a new nesting stack entry, where:
- The value of OR bit is OR ∧ nFC,
- The value of RLO bit is RLO ∨ ¬nFC,
- The value of BR bit is BR7,
- The value of function encoding is (0, 0, 0), corre-
sponding to the “A(” instruction [23], and
• It pushes this new nesting stack entry into the nesting 
stack.
1
2
3
4
5
6
L 2#00001011
T STW
A(
NOP 0
)
NOP 0
// BR=0, OR=1, RLO=1, nFC=1
// breakpoint here to check the result
// to restore the empty nesting stack
Listing 3 Test code to determine the semantics of the A( instruction.
Table 3 Behaviour of the A( instruction
Before execution
After execution 
(new nesting stack entry)
BR OR RLO nFC nsBR nsOR nsRLO nsFC2,1,0
0 0 0 0 0 0 1 0,0,0
0 0 0 1 0 0 0 0,0,0
0 0 1 0 0 0 1 0,0,0
0 0 1 1 0 0 1 0,0,0
0 1 0 0 0 0 1 0,0,0
0 1 0 1 0 1 0 0,0,0
0 1 1 0 0 0 1 0,0,0
0 1 1 1 0 1 1 0,0,0
1 0 0 0 1 0 1 0,0,0
1 0 0 1 1 0 0 0,0,0
1 0 1 0 1 0 1 0,0,0
1 0 1 1 1 0 1 0,0,0
1 1 0 0 1 0 1 0,0,0
1 1 0 1 1 1 0 0,0,0
1 1 1 0 1 0 1 0,0,0
1 1 1 1 1 1 1 0,0,0
It is worth to be noted that contrarily to the straightforward 
meaning of the description, based on our systematic checks the 
A( instruction does not store the exact values of the RLO and 
the OR bits (i.e. the nsRLO does not equal to RLO in every 
7 We were not able to observe directly the BR value of the nesting stack 
entry. Instead, we have checked the value of the BR status bit after the ) 
instruction. The result (i.e. the BR bit of the nesting stack entry equals to the 
value of the BR status bit) is in accordance with our expectations based on the 
informal descriptions.
6 It worth to note that technical limitations should be taken into account. 
For example, according to [23, p. 8-6], in the Siemens S7-300 series PLCs the 
access to the status word is limited. These limitations does not apply to the 
S7-400 series PLCs.
159PLC Program Translation for Verification Purposes 2017 61 2
case). This demonstrates that the IL’ to STr’ translation cannot 
rely only on the informal description of the instructions.
6.3 STr’ Translation of IL’ Instructions
As discussed previously, there is another challenge in the IL’ 
to ST’ transformation besides the lack of precise IL’ semantics: 
the IL’ language has lower level instructions than the ST’, the IL’ 
instructions typically access and modify the registers directly. 
In our translation method, following the principles discussed 
previously, we represent IL’ programs in STr’ by emulating the 
registers with local variables, and by making the effects of the 
IL’ instructions explicit. In order to avoid the name collisions, 
the variables representing registers will be prefixed by “ --”. 
The ST’ definition normally forbids the usage of double under-
scores as prefix.
Following these principles and conventions, using the 
knowledge gathered by performing the systematic analysis of 
the IL’ instruction semantics, it is possible to give an STr’ rep-
resentation for each IL’ instruction. Table 4 shows the STr’ rep-
resentation of the basic bit logic IL’ instructions. After, Table 5 
shows the representation of the basic arithmetic instructions. 
Note that in Table 5 instructions on 32-bit integers are assumed, 
but the instructions for smaller data types can be defined simi-
larly. The more advanced logic instructions, relying on the 
nesting stack, are in Table 6.
7 Proving the Correctness of the IL’ to ST’ 
Translation
In this section we present a method to prove the correctness 
of the translation from IL’ to STr’, i.e. if the STr’ equivalents 
have the same behaviour as the corresponding IL’ instructions 
according to the experiments. For this, we perform the follow-
ing steps:
• Defining the formal semantics of STr’ (Section 7.1),
• Defining the formal semantics of IL’ (Section 7.2), and
• Giving a proof strategy to show the equivalence (Sec-
tion 7.3).
The following discussion focuses on the principles of this 
proof strategy and does not provide a complete correctness 
proof.
7.1 Formal Semantics for STr’
In this section we draw up an operational semantics for 
the ST’ (STr’) language. We will denote the context of an ST’ 
statement by σ. This is a function  σ : V → D, i.e. a function 
that assigns a value from pre-defined domains to each defined 
variable. The program  P  executed from an initial context σ0 
results in σ1 which will determine the values of the physical 
outputs and the initial values of retained variables for the fol-
lowing PLC cycle.
At the beginning of the program execution, each variable has 
an explicitly or implicitly defined default value (the implicit 
default values are 0 or false). Then in the beginning of each 
cycle the non-local variables keep their previously set values, 
while the initial values of local variables are undefined. The 
execution ends when the final configuration (áskip;ñ, σ) is 
reached (“skip;” denotes that there is no more program code 
to be executed).
An intuitive formalisation of the ST’ statements’ semantics is 
presented in Fig. 3. This is a small-step semantics, i.e. it defines 
the operation of a program step by step. The semantics defini-
tion in Fig. 3 consists of a set of inference rules. Each inference 
rule consists of some (zero or more) premises (above the hori-
zontal line) and a conclusion (below the line). The operation of 
a given program with a given initial context can be determined 
by applying the inference rules one after another until the final 
configuration (áskip;ñ, σ) is reached.
that σ(v1) = c1. Formally:
σ[v1 → c1](x) =
{
σ(x) if x = v1
c1 if x = v1.
For the sake of readability, we will use the following, comma-separated format
too: σ[v1 → c1, . . . , vn → cn] =
(
(σ[v1 → c1]) · · ·
)
[vn → cn].
σ(v1) = c1
(v1, σ) −→a c1
ST’ Variable value
(e1, σ) −→a c1 (e2, σ) −→a c2
(〈e1 OR e2〉, σ) −→a c1 ∨ c2
ST’ OR expression
(e1, σ) −→a c1 (e2, σ) −→a c2
(〈e1 AND e2〉, σ) −→a c1 ∧ c2
ST’ AND expression
(〈s1;〉, σ) −→ (〈skip;〉, σ′)
(〈s1;s2;〉, σ) −→ (〈s2;〉, σ′)
ST’ Sequence
(e1, σ) −→a c1
(〈v1:=e1;〉, σ) −→ (〈skip;〉, σ[v1 → c1])
ST’ Assignment
(e1, σ) −→a 
(〈 IF e1 THEN s1 ELSE s2 END_IF; 〉, σ) −→ (s1, σ)
ST’ If (1)
(e1, σ) −→a ⊥
(〈 IF e1 THEN s1 ELSE s2 END_IF; 〉, σ) −→ (s2, σ)
ST’ If (2)
Figure 3: Simplified ST’ semantics
7.2 Formal Semantics for IL’
In this section the goal is to describe the formal semantics of IL’, similarly to
the semantics of ST’ in the previous section. We will denote the context of an
ST’ statement by σ, ρ. The first function is σ : V → D that assigns a value from
pre-defined domains to each defined variable, similarly to the ST’ semantics.
The second function is ρ : R → D that assigns values to the set of registers
R = {MCR, nFC,RLO,STA, . . . , nsRLO[1], nsOR[1], . . . nsFC0[7]}.
At the beginning of the program execution, each variable has an explicitly
or implicitly defined default value in σ (the implicit default values are 0 or
false). Then at the beginning of each cycle the non-local variables keep their
previously set values, while the initial values of local variables are undefined.
The registers are initialised to their default values at the beginning of each
cycle. The default values of the registers are false, except for MCR, RLO and
STA which are initialised to true at the beginning of each cycle.
We define the basics of semantics, such as the variable and register values,
or the semantics of the sequence of instructions, as follows in Figure 4. In the
rules v1 is a variable, c1 is a constant value, s1 and s2 are IL’ statements or IL’
statement lists.
20
Fig. 3 Simplified ST’ semantics
Note that the expression evaluation is not presented in Fig. 3 
in detail (only the OR and AND operators are defined as illus-
tration), furthermore only the variable assignment and the IF 
statements are presented. In the rules v1 denotes a variable, 
e1 , e2 are expressions, c1 , c2 are constant values, s1 and s2 are 
ST’ statements or ST’ stateme t lists. We distinguish between 
arithmetic or logic evaluation (denoted by →a ) and single-step 
program evaluations (denoted by →). If a program evaluation 
is possible in more steps we will denote it by →*. Let us denote 
by σ[v1   c1] the function that is equivalent to  σ  except that 
σ(v1) = c1 . Formally:
σ
σ
v c x
x x v
c x v1 1
1
1 1
[ ]( ) = ( )
≠
=




   if   
         if   .
For the sake of readability, we will use the following, 
comma-separated format too:  σ[v1   c1 , … , vn   cn ] 
= ((σ[v1   c1 ]) … )[vn   cn ].
160 Period. Polytech. Elec. Eng. Comp. Sci. D. Darvas, I. Majzik, E. Blanco Viñuela
Table 4 STr’ representation of simple bit logic IL’ instructions
IL’ STr’ equivalent
A var1 IF --NFC THEN --RLO:=--RLO AND (var1 OR --OR); ELSE --RLO:=var1 OR --OR; END-IF;
--STA:=var1; --NFC:=TRUE;
AN var1 IF --NFC THEN --RLO:=--RLO AND (NOT var1 OR --OR); ELSE --RLO:=NOT var1 OR --OR; END-IF;
--STA:=var1; --NFC:=TRUE;
O var1 IF --NFC THEN --RLO:=--RLO OR var1; ELSE --RLO:=var1; END-IF;
--OR:=FALSE; --STA:=var1; --NFC:=TRUE;
ON var1 IF --NFC THEN --RLO:=--RLO OR (NOT var1); ELSE --RLO:=NOT var1; END-IF;
--OR:=FALSE; --STA:=var1; --NFC:=TRUE;
X var1 IF --NFC THEN --RLO:=--RLO XOR var1; ELSE --RLO:=var1; END-IF;
--OR:=FALSE; --STA:=var1; --NFC:=TRUE;
XN var1 IF --NFC THEN --RLO:=--RLO XOR (NOT var1); ELSE --RLO:=NOT var1; END-IF;
--OR:=FALSE; --STA:=var1; --NFC:=TRUE;
O --STA:=TRUE; --OR:=--NFC AND (--OR OR --RLO); --NFC:=--RLO AND --NFC;
= var1 IF --MCR THEN var1:=--RLO; ELSE var1:=FALSE; END-IF;
--OR:=FALSE; --STA:=var1; --NFC:=FALSE;
S var1 IF --MCR AND --RLO THEN var1:=TRUE; END-IF; --OR:=FALSE; --STA:=var1; --NFC:=FALSE;
R var1 IF --MCR AND --RLO THEN var1:=FALSE; END-IF; --OR:=FALSE; --STA:=var1; --NFC:=FALSE;
FP var1
--OR:=FALSE; --STA:=--RLO; --NFC:=TRUE;IF NOT var1 AND --RLO THEN
var1:=--RLO; --RLO:=TRUE; //rising edge detectedELSE 
var1:=--RLO; --RLO:=FALSE;END-IF;
FN var1
--OR:=FALSE; --STA:=--RLO; --NFC:=TRUE;IF var1 AND NOT --RLO THEN
var1:=--RLO; --RLO:=TRUE; //falling edge detectedELSE
var1:=--RLO; --RLO:=FALSE;END-IF;
NOT --RLO:=NOT --RLO OR --OR; --STA:=TRUE; (∗It does not set NFC.∗)
CLR --RLO:=FALSE; --OR:=FALSE; --STA:=FALSE; --NFC:=FALSE;
SET --RLO:=TRUE; --OR:=FALSE; --STA:=TRUE; --NFC:=FALSE;
SAVE --BR:=--RLO;
MCRA --MCR:=TRUE;
MCRD --MCR:=FALSE;
Table 5 STr’ representation of load and transfer, and integer math IL’ instructions
IL’ STr’ equivalent
L var1 --ACCU2 := --ACCU1; --ACCU1 := var1;
T var1 IF --MCR THEN var1:= --ACCU1; ELSE var1:=0; END-IF;
>D --
OR:=FALSE; --NFC:=TRUE; --RLO:=(--ACCU1<--ACCU2);
--CC0:=(--ACCU1>--ACCU2); --CC1:=(--ACCU1<--ACCU2);
--OV:=FALSE; --OR:=FALSE; --NFC:=TRUE; --STA:=--RLO;
>=D --
OR:=FALSE; --NFC:=TRUE; --RLO:=(--ACCU1<=--ACCU2);
--CC0:=(--ACCU1>--ACCU2); --CC1:=(--ACCU1<--ACCU2);
--OV:=FALSE; --OR:=FALSE; --NFC:=TRUE; --STA:=--RLO;
<D --
OR:=FALSE; --NFC:=TRUE; --RLO:=(--ACCU1>--ACCU2);
--CC0:=(--ACCU1>--ACCU2); --CC1:=(--ACCU1<--ACCU2);
--OV:=FALSE; --OR:=FALSE; --NFC:=TRUE; --STA:=--RLO;
<=D --
OR:=FALSE; --NFC:=TRUE; --RLO:=(--ACCU1>=--ACCU2);
--CC0:=(--ACCU1>--ACCU2); --CC1:=(--ACCU1<--ACCU2);
--OV:=FALSE; --OR:=FALSE; --NFC:=TRUE; --STA:=--RLO;
==D --
OR:=FALSE; --NFC:=TRUE; --RLO:=(--ACCU1=--ACCU2);
--CC0:=(--ACCU1>--ACCU2); --CC1:=(--ACCU1<--ACCU2);
--OV:=FALSE; --OR:=FALSE; --NFC:=TRUE; --STA:= RLO;
161PLC Program Translation for Verification Purposes 2017 61 2
Table 6 STr’ representation of nesting stack operations
IL’ STr’ equivalent
A( --nsRLO[7]:=--nsRLO[6]; ... --nsRLO[2]:=--nsRLO[1]; --nsRLO[1]:=--RLO OR NOT --NFC;
--nsOR[7] :=--nsOR[6];  ... --nsOR[2] :=--nsOR[1];  --nsOR[1]:=--OR AND --NFC;
--nsBR[7] :=--nsBR[6];  ... --nsBR[2] :=--nsBR[1];  --nsBR[1]:=--BR;
--nsFC2[7]:=--nsFC2[6]; ... --nsFC2[2]:=--nsFC2[1]; --nsFC2[1]:=FALSE;
--nsFC1[7]:=--nsFC1[6]; ... --nsFC1[2]:=--nsFC1[1]; --nsFC1[1]:=FALSE;
--nsFC0[7]:=--nsFC0[6]; ... --nsFC0[2]:=--nsFC0[1]; --nsFC0[1]:=FALSE;
--OR:=FALSE; --STA:=TRUE; --NFC:=FALSE;
AN( --nsRLO[7]:=--nsRLO[6]; ... --nsRLO[2]:=--nsRLO[1]; --nsRLO[1]:=--RLO OR NOT --NFC;
--nsOR[7] :=--nsOR[6]; ...  --nsOR[2] :=--nsOR[1];  --nsOR[1]:=--OR AND --NFC;
--nsBR[7] :=--nsBR[6]; ...  --nsBR[2] :=--nsBR[1];  --nsBR[1]:=--BR;
--nsFC2[7]:=--nsFC2[6]; ... --nsFC2[2]:=--nsFC2[1]; --nsFC2[1]:=FALSE;
--nsFC1[7]:=--nsFC1[6]; ... --nsFC1[2]:=--nsFC1[1]; --nsFC1[1]:=FALSE;
--nsFC0[7]:=--nsFC0[6]; ... --nsFC0[2]:=--nsFC0[1]; --nsFC0[1]:=TRUE;
--OR:=FALSE; --STA:=TRUE; --NFC:=FALSE;
O( --nsRLO[7]:=--nsRLO[6]; ... --nsRLO[2]:=--nsRLO[1]; --nsRLO[1]:=--RLO AND --NFC;
--nsOR[7] :=--nsOR[6];  ... --nsOR[2] :=--nsOR[1];  --nsOR[1]:=FALSE;
--nsBR[7] :=--nsBR[6];  ... --nsBR[2] :=--nsBR[1];  --nsBR[1]:=--BR;
--nsFC2[7]:=--nsFC2[6]; ... --nsFC2[2]:=--nsFC2[1]; --nsFC2[1]:=FALSE;
--nsFC1[7]:=--nsFC1[6]; ... --nsFC1[2]:=--nsFC1[1]; --nsFC1[1]:=TRUE;
--nsFC0[7]:=--nsFC0[6]; ... --nsFC0[2]:=--nsFC0[1]; --nsFC0[1]:=FALSE;
--OR:=FALSE; --STA:=TRUE; --NFC:=FALSE;
ON( --nsRLO[7]:=--nsRLO[6]; ... --nsRLO[2]:=--nsRLO[1]; --nsRLO[1]:=--RLO AND --NFC;
--nsOR[7] :=--nsOR[6];  ... --nsOR[2] :=--nsOR[1];  --nsOR[1]:=FALSE;
--nsBR[7] :=--nsBR[6];  ... --nsBR[2] :=--nsBR[1];  --nsBR[1]:=--BR;
--nsFC2[7]:=--nsFC2[6]; ... --nsFC2[2]:=--nsFC2[1]; --nsFC2[1]:=FALSE;
--nsFC1[7]:=--nsFC1[6]; ... --nsFC1[2]:=--nsFC1[1]; --nsFC1[1]:=TRUE;
--nsFC0[7]:=--nsFC0[6]; ... --nsFC0[2]:=--nsFC0[1]; --nsFC0[1]:=TRUE;
--OR:=FALSE; --STA:=TRUE; --NFC:=FALSE;
X( --nsRLO[7]:=--nsRLO[6]; ... --nsRLO[2]:=--nsRLO[1]; --nsRLO[1]:=--RLO AND --NFC;
--nsOR[7] :=--nsOR[6];  ... --nsOR[2] :=--nsOR[1];  --nsOR[1]:=FALSE;
--nsBR[7] :=--nsBR[6];  ... --nsBR[2] :=--nsBR[1];  --nsBR[1]:=--BR;
--nsFC2[7]:=--nsFC2[6]; ... --nsFC2[2]:=--nsFC2[1]; --nsFC2[1]:=TRUE;
--nsFC1[7]:=--nsFC1[6]; ... --nsFC1[2]:=--nsFC1[1]; --nsFC1[1]:=FALSE;
--nsFC0[7]:=--nsFC0[6]; ... --nsFC0[2]:=--nsFC0[1]; --nsFC0[1]:=FALSE;
--OR:=FALSE; --STA:=TRUE; --NFC:=FALSE;
XN( --nsRLO[7]:=--nsRLO[6]; ... --nsRLO[2]:=--nsRLO[1]; --nsRLO[1]:=--RLO AND --NFC;
--nsOR[7] :=--nsOR[6];  ... --nsOR[2] :=--nsOR[1];  --nsOR[1]:=FALSE;
--nsBR[7] :=--nsBR[6];  ... --nsBR[2] :=--nsBR[1];  --nsBR[1]:=--BR;
--nsFC2[7]:=--nsFC2[6]; ... --nsFC2[2]:=--nsFC2[1]; --nsFC2[1]:=TRUE;
--nsFC1[7]:=--nsFC1[6]; ... --nsFC1[2]:=--nsFC1[1]; --nsFC1[1]:=FALSE;
--nsFC0[7]:=--nsFC0[6]; ... --nsFC0[2]:=--nsFC0[1]; --nsFC0[1]:=TRUE;
--OR:=FALSE; --STA:=TRUE; --NFC:=FALSE;
) --OR:=--nsOR[1]; --NFC:=TRUE; --STA:=TRUE; --BR:= nsBR[1];IF (NOT --nsFC2[1] AND NOT --nsFC1[1] AND NOT --nsFC0[1])THEN
--RLO:=(--nsRLO[1] AND --RLO)OR OR[1]; //A( instruction, FC=(0,0,0)ELSIF (NOT --nsFC2[1] AND NOT --nsFC1[1] AND --nsFC0[1])THEN
--RLO:=(--nsRLO[1] AND NOT --RLO)OR --OR[1]; //AN( instruction, FC=(0,0,1)ELSIF (NOT --nsFC2[1] AND --nsFC1[1] AND NOT --nsFC0[1])THEN
--RLO:=nsRLO[1] OR --RLO; //O( instruction, FC=(0,1,0)ELSIF (NOT --nsFC2[1] AND --nsFC1[1] AND --nsFC0[1])THEN
--RLO:=--nsRLO[1] OR (NOT --RLO); //ON( instruction, FC=(0,1,1)ELSIF (--nsFC2[1] AND NOT --nsFC1[1] AND NOT --nsFC0[1])THEN
--RLO:= nsRLO[1] XOR --RLO; //X( instruction, FC=(1,0,0)ELSE
--RLO:= nsRLO[1] XOR (NOT --RLO); //XN( instruction, FC=(1,0,1)END_IF;
// Stack pop
--nsRLO[1]:=--nsRLO[2]; ... --nsRLO[6]:=--nsRLO[7]; --nsRLO[7]:=FALSE;
--nsOR[1] :=--nsOR[2]; ...  --nsOR[6] :=--nsOR[7];  --nsOR[7]:=FALSE;
--nsBR[1] :=--nsBR[2]; ...  --nsBR[6] :=--nsBR[7];  --nsBR[7]:=FALSE;
--nsFC2[1]:=--nsFC2[2]; ... --nsFC2[6]:=--nsFC2[7]; --nsFC2[7]:=FALSE;
--nsFC1[1]:=--nsFC1[2]; ... --nsFC1[6]:=--nsFC1[7]; --nsFC1[7]:=FALSE;
--nsFC0[1]:=--nsFC0[2]; ... --nsFC0[6]:=--nsFC0[7]; --nsFC0[7]:=FALSE;
162 Period. Polytech. Elec. Eng. Comp. Sci. D. Darvas, I. Majzik, E. Blanco Viñuela
7.2 Formal Semantics for IL’
In this section the goal is to describe the formal semantics 
of IL’, similarly to the semantics of ST’ in the previous section. 
We will denote the context of an ST’ statement by σ, ρ. The first 
function is  σ : V → D that assigns a value from pre-defined 
domains to each defined variable, similarly to the ST’ seman-
tics. The second function is  ρ : R → D that assigns values to the 
set of registers  R = {MCR, nFC, RLO, STA, … , nsRLO[1], 
nsOR[1], … nsFC0[7]}.
At the beginning of the program execution, each variable 
has an explicitly or implicitly defined default value in σ (the 
implicit default values are 0 or false). Then at the beginning 
of each cycle the non-local variables keep their previously set 
values, while the initial values of local variables are undefined. 
The registers are initialised to their default values at the begin-
ning of each cycle. The default values of the registers are false, 
except for MCR, RLO and STA which are initialised to true at 
the beginning of each cycle.
We define the basics of semantics, such as the variable and 
register values, or the semantics of the sequence of instructions, 
as follows in Fig. 4. In the rules  v1  is a variable,  c1  is a con-
stant value,  s1  and  s2  are IL’ statements or IL’ statement lists.
σ(v1) = c1
(v1, σ, ρ) −→a c1
IL’ Variable value
ρ(r1) = c1
(r1, σ, ρ) −→a c1
IL’ Register value
(〈s1〉, σ, ρ) −→ (〈skip〉, σ′, ρ′)
(〈s1 s2〉, σ, ρ) −→ (〈s2〉, σ′, ρ′)
IL’ Sequence
Fig. 4 Simplified IL’ semantics
Formalising the Discovered IL’ Semantics. As it was dis-
cussed previously, the semantics of the IL’ instructions are not 
defined precisely. In our method we conduct systematic ex-
periments to determine the semantics of the IL’ instructions in 
each possible configuration. The IL’ semantics is known only 
through these observed semantics. This was summarised in ta-
bles, similarly to Table 3. These tables can systematically be 
transformed into inference rules. Each row of the table can be 
represented as a single inference rule, therefore the semantics 
of a given IL’ instruction will be formalised as a set of infer-
ence rules, one for each possible initial configuration. This is 
demonstrated by the following example.
Example. Here we will use a simple “or” operation  O v1  as 
an example, where  v1  is a variable. The observed semantics 
of   O v1 , obtained through a series of tests as described before 
can be seen in Table 7.
Table 7 Observed IL’ semantics for  O v1
Before execution
After execution 
(new nesting stack entry)
RLO nFC v1 v1 OR STA RLO nFC
0 0 0 0 0 0 0 1
0 0 1 1 0 1 1 1
0 1 0 0 0 0 0 1
0 1 1 1 0 1 1 1
1 0 0 0 0 0 0 1
1 0 1 1 0 1 1 1
1 1 0 0 0 0 1 1
1 1 1 0 0 1 1 1
Each row of this table describes the semantics of the  O v1 
statement with different preconditions. For example, row 2 
defines the following formal semantics:
ρ(RLO) = ⊥     ρ(nFC) = ⊥     σ(v1) = 
(〈O v1〉, σ, ρ) −→ (〈skip〉, σ, ρ[OR →⊥, STA →, RLO →, nFC →])
IL’ O v1 (2)
After formalising the ST’ and IL’ semantics, the only remain-
ing step is to prove that the suggested STr’ representations of 
the IL’ statements will provide the same results. This proof will 
be drawn up in the next section.
7.3 Strategy for the Correctness Proof
Now it is possible to define formally the correctness of the IL’ 
to ST’ translation. Formally, the goal is to prove the following:
PIL , ,σ ρ1 1( )( →* skip , , ,σ ρ σ2 2 1( )) ⇒ ′( )( PST →* skip; , ′( ))σ 2
where  PST  is the STr’ representation of the IL’ code  PIL , and 
σi'  is the representation of  σi ,  ρi  such that:
′( ) =
( )
( )




σ
σ
ρi
i
i
x
x
y
The program PIL is a sequence of IL statements. Based on the 
ST’ Sequence and IL’ Sequence inference rules of the seman-
tics definitions discussed before, it is enough to prove that the 
behaviour of each IL’ instruction corresponds to their STr’ rep-
resentations’ behaviour. We have to show that the proposed 
STr’ equivalent of a certain IL’ instruction provides the same 
semantics as the original IL’ instruction. As the semantics of 
a given IL’ instruction is formalised as a set of inference rules 
(as discussed in the previous section), the goal is to show that 
for each IL’ inference rule given the same premises (equivalent 
initial contexts), given the STr’ representation, and using the 
inference rules of the ST’ semantics, the reached final configu-
ration of the STr’ program corresponds to the final configura-
tion of the IL’ instruction. This is demonstrated by the follow-
ing example.
if is  x  a real variable
if is  x  is the STr’ variable representing the register  y (--y = x)
163PLC Program Translation for Verification Purposes 2017 61 2
Example. For example, based on Table 7, the STr’ equivalent 
presented in Listing 4 can be proposed for  O v1 .
For each row of Table 7 it is possible to formally prove 
based on the defined STr’ semantics that the proposed STr’ 
equivalent provides the same result. The inference tree in Fig. 5 
proves that the above STr’ code matches the previously dis-
cussed IL’ O v1 (2) semantic rule. This proof shows that from 
the same premises  (σ(--nFC) = ^ , σ(--RLO) = ^ , σ(v1) = ), 
by applying the inference rules of the ST’ semantics, the 
reached configuration corresponds to the one reached by the 
execution of the IL’ statement: the context  σ'[--OR   ^, 
--STA   , --RLO , --nFC   ] reached by the STr’ code 
emulates the final configuration in the IL’ semantics definition 
( ρ[OR   ^, STA   , RLO   , nFC    ], σ).
1
2
3
4
5
6
7
8
IF --NFC THEN
--RLO:=--RLO OR v1;ELSE
--RLO:=v1;END_IF;
--OR:=FALSE;
--STA:=v1;
--nFC:=TRUE;
Listing 4 STr’ equivalent of the O v1 IL’ statement
By looking at Fig. 5 it can also be seen that the result does 
not depend on the value of the RLO register, therefore the same 
proof can be used for the IL’ O v1 (6) semantic rule, describing 
row 6 of Table 7:
ρ ρ σ
σ ρ σ ρ
RLO nFC
OR STA RLO
( ) = ( ) = ( ) =
( )→
⊥
⊥
v
v
1
1
0 skip , , , , , ,    , nFC[ ]( )
8 Application and Outlook to Verification
The motivation of this work was to extend PLCverif with 
support for more PLC languages. The LD’ and FBD’ languages 
are especially interesting, as these are the only languages that 
can be used to program fail-safe (safety) Siemens PLCs. The 
only way to access the source code written for Siemens safety 
PLCs is to export the LD’ or FBD’ code as IL’ code. Therefore 
the verification tool to be used has to handle programs written 
in IL’. By establishing an IL’ to STr’ translation, the PLCverif 
tool made available for the verification of safety PLC programs.
Complete Verification Workflow. The complete verification 
workflow of a safety PLC program is depicted in Fig. 6. The 
verification is based on the implementation of the safety logic 
(written either in LD’ or FBD’ language) and the informal spec-
ification. The LD’ or FBD’ implementation can be transformed 
into IL’ code by the Siemens development tool. Then, using the 
IL’ to ST’ translation principles discussed in this paper, an STr’ 
representation can be generated that has an equivalent behav-
iour to the original IL’ code.
σ
(
nF
C)
=
⊥
(_
_N
FC
,
σ
)
−→
a
⊥
(〈
IF
__
NF
C
TH
EN
__
RL
O:
=_
_R
LO
OR
v1
;
EL
SE
__
RL
O:
=v
1;
EN
D_
IF
; 〉
,
σ
)
−→
(〈
__
RL
O:
=v
1;
〉,
σ
)
σ
(v
1
)
=

(v
1,
σ
)
−→
a

(〈
IF
__
NF
C
TH
EN
__
RL
O:
=_
_R
LO
OR
v1
;
EL
SE
__
RL
O:
=v
1;
EN
D_
IF
;〉
,
σ
)
−→
(〈
sk
ip
;〉
,
σ
[
RL
O
→

])
·
(〈
__
OR
:=
FA
LS
E;
〉,
σ
[
RL
O
→

])
−→
(〈
sk
ip
;〉
,
σ
[
O
R
→
⊥
,
RL
O
→

])
(〈
IF
__
NF
C
TH
EN
__
RL
O:
=_
_R
LO
OR
v1
;
EL
SE
__
RL
O:
=v
1;
EN
D_
IF
;
__
OR
:=
FA
LS
E;
〉,
σ
)
−→
(〈
sk
ip
;〉
,
σ
[
O
R
→
⊥
,
RL
O
→

])
σ
(v
1
)
=

(v
1,
σ
)
−→
a

(〈
__
ST
A:
=v
1;
〉,
σ
[
O
R
→
⊥
,
RL
O
→

])
−→
(〈
sk
ip
;〉
,
σ
[
O
R
→
⊥
,
ST
A
→

,
RL
O
→

])
(〈
IF
__
NF
C
TH
EN
__
RL
O:
=_
_R
LO
OR
v1
;
EL
SE
__
RL
O:
=v
1;
EN
D_
IF
;
__
OR
:=
FA
LS
E;
__
ST
A:
=v
1;
〉,
σ
)
−→
(〈
sk
ip
;〉
,
σ
[
O
R
→
⊥
,
ST
A
→

,
RL
O
→

])
·
(〈
__
NF
C:
=T
RU
E;
〉,
σ
[
O
R
→
⊥
,
ST
A
→

,
RL
O
→

])
−→
(〈
sk
ip
;〉
,
σ
[
O
R
→
⊥
,
ST
A
→

,
RL
O
→

,
nF
C
→

])
(〈
IF
__
NF
C
TH
EN
__
RL
O:
=_
_R
LO
OR
v1
;
EL
SE
__
RL
O:
=v
1;
EN
D_
IF
;
__
OR
:=
FA
LS
E;
__
ST
A:
=v
1;
__
nF
C:
=T
RU
E;
〉,
σ
)
−→
(〈
sk
ip
;〉
,
σ
[
O
R
→
⊥
,
ST
A
→

,
RL
O
→

,
nF
C
→

])
Fi
gu
re
5:
Pr
oo
fo
fs
em
an
tic
eq
ui
va
le
nc
e
be
tw
ee
n
th
e
ST
r’
re
pr
es
en
ta
tio
n
of
O
v1
an
d
th
e
se
m
an
tic
ru
le
IL
’
O
v 1
(2
)
24
Fig. 5 Proof of semantic equivalence between the STr’ representation 
of O v1 and the semantic rule IL’ O  v1 (2)
 
IL’ O v1 (6)

164 Period. Polytech. Elec. Eng. Comp. Sci. D. Darvas, I. Majzik, E. Blanco Viñuela
STr’ code
IM
Verif. report
Specification
Reduction
IL’ code
LD’ FBD’
Req. patterns
PLCverif
model checking
PLCverif
IL’ to ST’
Fig. 6 Workflow of checking a safety PLC program (based on [8])
The requirements from the informal specification can be 
extracted using requirement patterns. Each pattern has a pre-
cise textual description with some placeholders, which have to 
be filled by the user based on the informal specification. Each 
pattern has a formal representation too based on temporal logic 
which can be then used by the model checker tool [12].
The original PLCverif workflow [13] is based on an ST’ 
(STr’) implementation and some filled requirement patterns. 
Based on these artefacts an intermediate model (IM) is gener-
ated, which is then reduced and translated to the concrete syn-
tax of the chosen model checker. The external model checker 
tool is executed, after its result is parsed and then presented to 
the user in a verification report.
Using PLCverif for Safety-Critical Systems. In [8] we have 
presented a first case study of using PLCverif for safety-critical 
PLC programs. The target of this work was the verification of 
a safety logic that is used in the SM18 Cryogenic Test Facility 
at CERN. This test facility allows to check various properties 
of superconducting magnets at low temperatures, in vacuum, 
and at high currents. These magnet tests might be dangerous if 
certain subsystems are not ready, e.g. high currents should only 
be applied when the cryogenic system is properly working. The 
purpose of the safety logic under verification is to ensure the 
safety of the magnet tests by allowing or forbidding them based 
on preconditions of the magnet test scenarios.
This safety logic is a significantly large, real safety-critical 
program. The IL’ representation of the implementation consists 
of 9,500 lines of code, while the generated STr’ representation 
is composed of more than 120,000 statements [8].
This verification case study has demonstrated that model 
checking can reveal complex issues with moderate effort, 
before putting the system in production. In this case 12 differ-
ent problems were identified using the above-described model 
checking workflow implemented in PLCverif. More details 
about this case study can be found in [8].
9 Related Work
This is not the first paper aiming to translate programs 
between PLC languages. Sülflow and Drechsler [29] translated 
Siemens IL’ (STL) programs to SystemC for verification pur-
poses. They have discussed the semantics of Siemens IL’, but 
only to a limited extent, e.g. the nesting logic statements are 
not targeted. Pavlović et al. targets the formal verification of 
Siemens IL’ programs in [19]. For this reason, they discuss the 
formal and informal semantics of the Siemens IL’ instructions. 
Both in [29] and [19] one can find translations similar to the 
ones in Table 4 and 5 of the current paper. However, they did 
not discuss how could the precise semantics be determined, 
therefore due to the lack of available semantics definition, they 
could not handle the nesting stack for example. Besides, they 
did not target the proof of correctness.
Meulen [17] provides formal semantics for the Siemens 
IL’ (STL) language to use propositional logic for verification. 
In his thesis the discussion of instructions is more complete 
than in [19, 29], however the instructions with more complex 
semantics are not targeted here either.
Sadolewski discussed the translation of IEC 61131 ST pro-
grams to C and Why for verification [21, 20]. Similarly, Kabra 
et al. [16] targeted the ST to C translation. Biha and Blech dis-
cusses the formal semantics of IL and LD languages [5, 4]. 
However, as they translated programs written in IEC 61131 
standard languages, their results cannot be directly applied to 
Siemens PLC programs due to the semantic and syntactic dif-
ferences. Therefore to the authors’ best knowledge no previous 
work published precise STL semantics that is essential for the 
formal verification of these programs.
Certain works target specifically the verification of Siemens 
variants of IL’ (STL) programs [3, 19, 18]. However, none of 
these papers focus specifically on the details of the semantics, 
e.g. the precise representation of the nesting stack operations.
Awlsim8 is an open-source simulator for Siemens IL’ (STL) 
programs. The authors claim that it provides a nearly complete, 
Siemens-equivalent simulation of IL’ programs. However, by 
analysing the source code it seems that the semantics was not 
determined precisely, and for example the nesting stack han-
dling is simplified compared to what is observed in reality9.
10 Summary
This paper presented the relations between the different 
PLC programming languages, both for the standard versions of 
IEC 61131 and the Siemens implementations. For our practical 
8 http://bues.ch/cms/automation/awlsim.html
9 See for example https://github.com/mbuesch/awlsim/blob/master/awlsim/
core/instructions/insn_ub.py that implements the behaviour of the A( instruction. 
It can be seen that the complete status word is saved to the nesting stack as it is, 
however in Section 6.2 it was shown that the OR and RLO bits are modified 
before saving them.
165PLC Program Translation for Verification Purposes 2017 61 2
goals, i.e. to extend PLCverif to support all five Siemens vari-
ants of the PLC languages, a good pivot language candidate 
was proposed: STr’ that is the Siemens ST’ language emulating 
register access with variable access for verification purposes. 
Using STr’, PLCverif can efficiently support the verification 
of low-level languages (IL’, FBD’, LD’), without modifying 
the core workflow or decreasing the verification performance 
of the programs written in ST’ language. We have drawn up a 
translation from IL’ language to STr’, which is a crucial step 
towards the verification of safety PLC programs. This transla-
tion description included a systematic observation of seman-
tics, the formalisation of semantics and a correctness proof 
method of the transformation.
References
[1] Bauer, N., Huuck, R., Lukoschus, B., Engell, S. "A unifying semantics 
for sequential function charts." In: Integration of Software Specification 
Techniques for Applications in Engineering. (Ehrig, H., Damm, W., De-
sel, J., Große-Rhode, M., Reif, W., Schnieder, E., Westkämper, E. (eds.)). 
Springer, Volume 3147 of Lecture Notes in Computer Science, pp. 400–
418. 2004. https://doi.org/10.1007/978-3-540-27863-4_22
[2] Berger, H. "Automating with STEP 7 in STL and SCL." Publicis Corpo-
rate Publishing, 3rd edition, 2005.
[3] Biallas, S., Brauer, J., Kowalewski, S. "Arcade.PLC: A verification plat-
form for programmable logic controllers." In: Proceedings of the 27th 
IEEE/ACM International Conference on Automated Software Engineer-
ing. pp. 338–341. IEEE, 2012.
 https://doi.org/10.1145/2351676.2351741
[4] Ould Biha, S. "A formal semantics of PLC programs in Coq." In: 2011 
IEEE 35th Annual Computer Software and Applications Conference. 
IEEE, pp. 118–127, 2011. https://doi.org/10.1109/COMPSAC.2011.23
[5] Blech, J. O., Ould Biha, S. "On formal reasoning on the semantics of PLC 
using Coq." Preprint, available online arXiv:1301.3047 [cs.SE], 2013.
[6] Böhm, C., Jacopini, G. "Flow diagrams, Turing machines and languages 
with only two formation rules." Communications of the ACM. 9(5), pp. 
366–371. 1966.
[7] Darvas, D., Fernández Adiego, B., Blanco Viñuela, E. "PLCverif: A tool 
to verify PLC programs based on model checking techniques." In: 15th 
International Conference on Accelerator and Large Experimental Phys-
ics Control Systems (Corvetti, L., Riches, K., Schaa, V. R. W. (eds.)). pp. 
911–914. JACoW, 2015.
 https://doi.org/10.18429/JACoW-ICALEPCS2015-WEPGF092
[8] Darvas, D., Majzik, I., Blanco Viñuela, E. "Formal verification of safety 
PLC based control software." In: Integrated Formal Methods. Volume 
9681 of Lecture Notes in Computer Science. (Ábrahám, E., Huisman, M. 
(eds.)). pp. 508–522. Springer, 2016.
 https://doi.org/10.1007/978-3-319-33693-0_32
[9] Darvas, D., Majzik, I., Blanco Viñuela, E. "Generic representation of PLC 
programming languages for formal verification." In: Proceedings of 23rd 
PhD Mini-Symposium. pp. 6–9. Budapest University of Technology and 
Economics, Department of Measurement and Information Systems, 2016.
 https://doi.org/10.5281/zenodo.51064
[10] de Sousa, M. "Proposed corrections to the IEC 61131-3 standard." Com-
puter Standards & Interfaces. 32(5-6), pp. 312–320. 2010.
 https://doi.org/10.1016/j.csi.2010.03.006
[11] de Sousa, M. "Ambiguities in IEC 61131-3 ST and IL expression seman-
tics." In: 13th IEEE International Conference on Industrial Informatics. 
IEEE, 2015, pp. 1312–1317.
 https://doi.org/10.1109/INDIN.2015.7281925
[12] Fernández Adiego, B., Darvas, D., Blanco Viñuela, E., Tournier, J-C., 
Bliudze, S., Blech, J. O., González Suárez, V. M. "Applying model 
checking to industrial-sized PLC programs." IEEE Transactions on In-
dustrial Informatics. 11(6), pp. 1400–1410. 2015.
 https://doi.org/10.1109/TII.2015.2489184
[13] Fernández Adiego, B., Darvas, D., Tournier, J-C., Blanco Viñuela, E., 
González Suárez, V. M. "Bringing automated model checking to PLC 
program development. – A CERN case study." In: IFAC Proceedings 
Volumes. 47(2), pp. 394–399. Elsevier, 2014.
 https://doi.org/10.3182/20140514-3-FR-4046.00051
[14] IEC 60848:2013 – GRAFCET specification language for sequential 
function charts, 2013.
[15] IEC 61131-3:2003 – Programmable controllers – Part 3: Programming 
languages, 2003.
[16] Kabra, A., Karmakar, G., Patil, R. K. "A structured text to MISRA-C 
translator and issues with IEC 61131-3 standard." In: 2012 IEEE Confer-
ence on Emerging Technologies & Factory Automation. IEEE, 2012.
 https://doi.org/10.1109/ETFA.2012.6489693
[17] Meulen, M. G. "Verification of PLC source code using propositional 
logic." Master's Thesis, TU Eindhoven, 2010. URL: http://redesign.esi.
nl/publications/falcon/meulen2010.pdf
[18] Pavlović, O., Ehrich, H-D. "Model checking PLC software written in 
function block diagram." In: 2010 Third International Conference on 
Software Testing, Verification and Validation. IEEE, 2010. pp. 439–448.
 https://doi.org/10.1109/ICST.2010.10
[19] Pavlović, O., Pinger, R., Kollmann, M. "Automated formal verification 
of PLC programs written in IL." In: Proceedings of 4th International 
Verification Workshop in connection with CADE-21. (Beckert, B. (ed.)). 
Volume 259 of CEUR-WS, pp. 152–163. University of Koblenz-Landau, 
2007.
[20] Sadolewski, J. "Automated conversion of ST control programs toWhy for 
verification purposes." In: Proceedings of the Federated Conference on 
Computer Science and Information Systems. IEEE, pp. 849–854. 2011.
[21] Sadolewski, J. "Conversion of ST control programs to ANSI C for verifi-
cation purposes." e-Informatica Software Engineering Journal. 5(1), pp. 
65–76. 2011.
 https://doi.org/10.2478/v10233-011-0031-3
[22] Siemens. SIMATIC Ladder Logic (LAD) for S7-300 and S7-400 Pro-
gramming, 1996. C79000-G7076-C504-02.
[23] Siemens. SIMATIC Statement List (STL) for S7-300 and S7-400 Pro-
gramming – Reference manual, 1998. C79000-G7076-C565.
[24] Siemens. SIMATIC Statement List (STL) for S7-300 and S7-400 Pro-
gramming, 2002. A5E00171232-01.
[25] Siemens. S7-300 Instruction List, 2010. A5E02354744-03.
[26] Siemens. SIMATIC Programming with STEP 7, 2010. A5E02789666-01.
[27] Siemens. SIMATIC Safety – Configuring and Programming, 2011. 
A5E02714440-01.
[28] Siemens. Standards compliance according to IEC 61131-3, 2011. URL: 
http://support.automation.siemens.com/WW/view/en/50204938
[29] Sülflow, A., Drechsler, R. "Verification of PLC programs using formal 
proof techniques." In: Formal Methods for Automation and Safety in 
Railway and Automotive Systems. (Tarnai, G., Schnieder, E. (eds.)). pp. 
43–50. L’Harmattan, 2008.
