Detects WHILE or FOR loops where the loop variable is never modified, causing the PLC to hang indefinitely. This can halt all control logic and create dangerous conditions.

Detects when an emergency stop input is declared but never checked in the control logic. E-stops must always be able to halt equipment regardless of program state.

Detects safety-critical outputs (valves, brakes) that default to TRUE (open/disengaged). Safety devices should fail to the safe state (closed/engaged) on power loss.

Detects outputs that are set TRUE but never set FALSE. This can cause actuators to remain energized indefinitely, leading to equipment damage or safety hazards.

Detects TON/TOF timers that are enabled but never reset. This can cause timing logic to malfunction on subsequent cycles.

Detects circular wait conditions where two or more operations wait for each other, causing the system to hang.

Detects state machines without timeout handling or error states. If an expected event never occurs, the machine stays stuck indefinitely.

Detects outputs that initialize to unsafe states on PLC startup or after a power cycle. All safety-critical outputs should default to safe state.

Detects division operations without checking if the divisor could be zero, which causes runtime faults on most PLCs.

Detects array access using variables without bounds checking. Out-of-range access can corrupt memory or crash the PLC.

Detects integer variables that are incremented without overflow protection. INT values wrap at 32767, causing counters to reset unexpectedly.

Detects local variables that are read before being assigned a value. Uninitialized variables may contain arbitrary data, leading to unpredictable behavior in safety-critical systems.

Detects CASE statements without an ELSE default branch. Unhandled selector values may leave outputs in undefined states. Severity bumps to Critical when the selector is a state machine variable.

Detects HMI or external inputs used directly without range validation. Malicious or erroneous values could cause unsafe operation.

Detects setpoints assigned from external sources without range validation. Out-of-range values could damage equipment or product.

Detects FOR loops with variable end bounds that are not validated, and WHILE loops with unbounded conditions. Unchecked loop bounds from external inputs could cause millions of iterations, exceeding scan time.

Detects magic numbers used for safety-critical comparisons. Hardcoded values are hard to maintain and audit.

Detects setpoints that can change instantly without ramp limiting. Rapid changes can cause equipment damage, thermal shock, or process upsets.

Detects watchdog timers that are declared but never refreshed/kicked. If the watchdog expires, the PLC may reset unexpectedly, causing process disruption.

Detects PID controllers without integrator anti-windup protection. The integral term can accumulate unbounded, causing large overshoots when the process recovers.

Detects batch or sequence operations without a maximum duration timeout. A hung process step could run indefinitely.

Detects sensor inputs that are used without range checking or fault detection. Bad sensor readings can cause incorrect control actions.

Detects alarms that are disabled or suppressed without an automatic timeout to re-enable them. Suppressed alarms can mask real problems.

Detects programs that read inputs from other programs without proper interlock variables to coordinate execution.

Detects when maintenance or service modes can disable safety functions without proper authorization, timeout, or logging.

Detects outputs that can be forced/overridden without timeout protection or audit logging. Forced outputs can bypass all safety logic.

Detects when the same variable is modified in multiple independent IF blocks, which can cause unpredictable behavior depending on scan timing.

Detects critical safety functions that rely on a single sensor or input without redundancy. A sensor failure could cause unsafe operation.

Detects commands received from network/HMI that are used directly without validation or authorization checks. Malicious commands could compromise safety.

Detects remote connections that are assumed alive without heartbeat or timeout verification. A lost connection could leave the system in an unsafe state.

Detects direct and indirect recursive function calls. PLCs have fixed stack sizes — recursion will cause stack overflow and controller crash. Checks both direct self-calls and call graph cycles.

Detects passwords, API keys, or authentication tokens embedded directly in PLC code. Attackers can extract these from compiled programs or project files.

Detects protected values (calibration, limits, passwords) being modified without checking user access level. Operators could modify supervisor-only settings.

Detects critical operations (E-stop, setpoint changes, mode changes) that are not logged to an audit trail. Required for regulatory compliance and incident investigation.

Detects code that can never execute due to always-true/false conditions or missing state transitions. May indicate logic errors.

Detects VAR_OUTPUT variables that are declared but never assigned a value. The output will have an undefined state.

Detects when multiple programs write to the same output variable. This causes unpredictable behavior as one program overrides another.

Detects programs that depend on each other's outputs, creating a circular reference that makes execution order matter unpredictably.