A Tool for the Certification of PLCs based on a Coq Semantics for Sequential Function Charts

In this report we describe a tool framework for certifying properties of PLCs: CERTPLC. CERTPLC can handle PLC descriptions provided in the Sequential Function Chart (SFC) language of the IEC 61131-3 standard. It provides routines to certify properties of systems by delivering an independently checkable formal system description and proof (called certificate) for the desired properties. We focus on properties that can be described as inductive invariants. System descriptions and certificates are generated and handled using the COQ proof assistant. Our tool framework is used to provide supporting evidence for the safety of embedded systems in the industrial automation domain to third-party authorities. In this document we describe the tool framework: usage scenarios, the archi-tecture, semantics of PLCs and their realization in COQ, proof generation and the construction of certificates.

💡 Research Summary

The paper presents CERTPLC, a tool framework designed to certify safety properties of programmable logic controllers (PLCs) whose behavior is described using the Sequential Function Chart (SFC) language defined in the IEC 61131‑3 standard. The core idea is to translate an SFC model into a formal representation in the Coq proof assistant, automatically generate auxiliary lemmas and proof scripts, and then allow users to specify additional safety properties as Coq propositions. By leveraging Coq’s small trusted kernel, the framework produces a “certificate” consisting of (i) a formal system description, (ii) a formal property statement, and (iii) a machine‑checked proof that the property holds for the system.

The authors first formalize the syntax of SFC as a tuple (S, S₀, T, A, F, V, ValV), where S is the set of steps, S₀ the initial steps, T the set of transitions, A the set of action blocks, F the mapping from steps to action blocks, V the set of variables, and ValV the domain of variable values. A transition is a triple (S_in, g, S_out) with a guard g : memory → Prop. Execution states are triples (m, a, s) representing memory, pending action blocks, and active steps. The operational semantics is expressed as an inductive transition relation in Coq, with two rules: (1) execution of a pending action block updates memory and removes the block from the pending set, and (2) a transition fires when its guard evaluates to true, all required steps are active, and all action blocks of steps to be deactivated have already been executed. This formalization captures parallelism, synchronization, and optional timing extensions via special time variables.

CERTPLC’s architecture consists of two main generators. The “representation generator” parses an SFC model (produced, for example, by the EasyLab graphical tool) and emits a collection of Coq files that define the step set, transition relation, action block semantics, and variable types. The generated Coq code is human‑readable, enabling expert auditors to manually verify that it faithfully reflects the original graphical model. The “proof generator” automatically derives a library of basic lemmas about the reachable state space, such as “every reachable step belongs to S” and “all pending actions are drawn from A”. These lemmas are proved once and reused as building blocks for user‑defined properties.

To certify a property, a developer writes the property in Coq syntax (e.g., an invariant on a variable range) and selects or writes a tactic that invokes the automatically generated lemmas. Coq then attempts to discharge the proof automatically; if necessary, the developer can provide minor guidance. The resulting proof script, together with the system description and the property statement, forms a certificate. The certificate can be independently checked by any Coq installation, providing a high‑assurance artifact for third‑party certification authorities.

The trusted computing base (TCB) of the approach comprises only the Coq kernel and the automatic representation generator. Proof scripts themselves are not part of the TCB; therefore, an incorrect or incomplete proof merely leads to a verification failure, never to an unsound acceptance of a false property. Consequently, the framework is sound but not necessarily complete.

The paper also discusses integration with other IEC 61131‑3 languages. Function Block Diagrams (FBDs) are modeled as functional blocks with data‑flow connections; cycles require explicit delay elements and are handled via iterative evaluation bounded by a time slice. While the current implementation provides a manual interface for adding FBD semantics, future work aims at fully automated translation of IL, LD, and FBD into Coq.

A typical usage scenario follows a realistic PLC development workflow: requirements → early formal specification → SFC control‑flow modeling → annotation of action blocks → property definition → CERTPLC‑driven automatic certificate generation → optional refinement or manual adaptation → distribution of the certificate to customers or certification bodies. Because the certificate contains only the abstract Coq model and proofs, proprietary implementation details can remain confidential while still providing formal evidence of safety.

In summary, the contributions of the paper are: (1) a precise, human‑readable formal semantics for SFC encoded in Coq, (2) an automated pipeline that converts graphical PLC models into Coq definitions and generates supporting lemmas, (3) a practical certification workflow that integrates with existing industrial tools and offers high assurance through Coq’s trusted kernel. The authors argue that this approach mitigates the trust issues inherent in traditional model‑checking tools, whose complex algorithms and implementations are difficult to certify. Ongoing and future work includes scaling the framework to larger industrial case studies and extending automated support to the full IEC 61131‑3 language suite.