UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL

UL 1998 Software in Programmable Components

UL Standard for Safety for Software in Programmable Components, UL 1998
Third Edition, Dated December 18, 2013

Summary of Topics

This new edition of ANSI/UL 1998 includes the following:
Clarification of Requirements for Negative Condition Branch Failure Mode
Revision of the Requirements to Address the Effects of Power Supply Voltage Variations

The requirements are substantially in accordance with Proposal(s) on this subject dated January 20, 2012 and February 15, 2013.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical photocopying, recording, or otherwise without prior permission of UL.

UL provides this Standard "as is" without warranty of any kind, either expressed or implied, including but not limited to, the implied warranties of merchantability or fitness for any purpose. In no event will UL be liable for any special, incidental, consequential, indirect or similar damages, including loss of profits, lost savings, loss of data, or any other damages arising out of the use of or the inability to use this Standard, even if UL or an authorized UL representative has been advised of the possibility of such damage. In no event shall UL's liability for any damage ever exceed the price paid for this Standard, regardless of the form of the claim.

Users of the electronic versions of UL's Standards for Safety agree to defend, indemnify, and hold UL harmless from and against any loss, expense, liability, damage, claim, or judgment (including reasonable attorney's fees) resulting from any error or deviation introduced while purchaser is storing an electronic Standard on the purchaser's computer system.

The requirements in this Standard are now in effect, except for those paragraphs, sections, tables, figures, and/or other elements of the Standard having future effective dates as indicated in the note following the affected item. The prior text for requirements that have been revised and that have a future effective date are located after the Standard, and are preceded by a SUPERSEDED REQUIREMENTS notice.

DECEMBER 18, 2013 UL 1998 tr1

UL 1998
Standard for Software in Programmable Components

First Edition January, 1994
Second Edition May, 1998
Third Edition December 18, 2013

This ANSI/UL Standard for Safety consists of the Third Edition. The most recent designation of ANSI/UL 1998 as an American National Standard (ANSI) occurred on December 16, 2013. ANSI approval for a standard does not include the Cover Page, Transmittal Pages, Title Page, or effective date information.

Comments or proposals for revisions on any part of the Standard may be submitted to UL at any time. Proposals should be submitted via a Proposal Request in UL's On-Line Collaborative Standards Development System (CSDS) at http:/.

UL's Standards for Safety are copyrighted by UL. Neither a printed nor electronic copy of a Standard should be altered in any way. All of UL's Standards and all copyrights, ownerships, and rights regarding those Standards shall remain the sole and exclusive property of UL.

COPYRIGHT 2013 UNDERWRITERS LABORATORIES INC.
ANSI/UL 1998-2013

CONTENTS

PREFACE 4
1 Scope 5
2 Definitions of Terms Used 6
3 Risk Analysis 10
4 Process Definition 11
5 Qualification of Design, Implementation, and Verification Tools 11
6 Software Design 12
7 Critical and Supervisory Sections of Software 12
8 Measures To Address Microelectronic Hardware Failure Modes 13
9 Product Interface 14
10 User Interfaces 14
11 Software Analysis and Testing 15
11.1 Software analysis 15
11.2 Software testing 15
11.3 Failure mode and stress testing 16
12 Documentation 17
12.1 User documentation 17
12.2 Software plan 17
12.3 Risk analysis approach and results 17
12.4 Configuration management plan 17
12.5 Programmable system architecture 18
12.6 Programmable component and software requirements specification 18
12.7 Software design documentation 18
12.8 Analysis and test documentation 19
13 Off-the-Shelf (OTS) Software 19
14 Software Changes and Document Control 20
15 Identification 20

APPENDIX A EXAMPLES OF MEASURES TO ADDRESS MICROELECTRONIC HARDWARE FAILURE MODES
A1 Scope A1
A2 Examples of Acceptable Measures for Microelectronic Hardware Failure Modes A1
A3 Software Classes A8
A4 Description of Fault Models A9
A5 Description of System Structures A9
A6 Example of the Application of Table A2.1 A10
A7 Descriptions of Acceptable Measures for Providing the Required Fault/Error Coverage Specified in Table A2.1 A11
A7.1 Descriptions of fault/error control techniques A11
A7.2 Description of memory tests A13
A7.3 Word protection A14
PREFACE

The requirements in UL 1998 address non-networked embedded software residing in programmable components which are application-specific. Embedded software is software that resides in a programmable component and that performs some of the requirements of the programmable component. Non-networked embedded software is embedded software that executes on a single microprocessor/microcontroller or on redundant microprocessors/microcontrollers residing in the same physical enclosure. Application-specific means that the software is limited to a designated application which permits effective evaluation of the hazards and risks associated with the software. Programmable components are any microelectronic hardware that can be programmed in the design center, the factory, or in the field.

The requirements in UL 1998 are applicable when used in conjunction with an application-specific standard that contains requirements for safety-related functions implemented using software. UL 1998 does not apply to software in programmable components used in general purpose applications when the risks for the end-application cannot be identified. Safety-related functions are control, protection, and monitoring functions which are intended to reduce the risk of fire, electric shock, or injury to persons.

When UL 1998 is applied to a specific product, it is intended that the requirements address product safety risks associated with the specific purpose (as components only) use of software in the programmable component. A product is an instrument, apparatus, implement, or machine intended for personal, household, industrial, laboratory, office, or transportation use.

The requirements in UL 1998 are not intended to be used as the sole basis for reviewing programmable components. UL 1998 is intended to be used in conjunction with other safety standards that address the programmable component hardware. Requirements in UL 1998 may be amended or superseded by requirements in a product safety standard, a directive, regulation, or a purchasing specification.

Due to the diversity of software functions and the application-specific nature of testing programmable components, UL 1998 indicates neither testing protocols nor tools. Instead, UL 1998 contains requirements that define test objectives and criteria for the general case. This permits the user to choose from many testing protocols and tools as long as the test objectives and criteria are met. Users of UL 1998 are encouraged to specify and make available to the public the test protocols and tools used when applying the requirements of UL 1998.

The UL 1998 Standard covers handling of changes to the software in the programmable component after release. The recognition of maintenance processes for the handling and qualification of software and programmable component modifications that occur after release will be considered. This consideration will include consideration of all requirements stipulated by Authorities Having Jurisdiction. The use of field performance data to demonstrate compliance with the software analysis and test, off-the-shelf software, and tool validation requirements of UL 1998 will be considered for a period determined for each product type.
1 Scope

1.1 These requirements apply to non-networked embedded microprocessor software whose failure is capable of resulting in a risk of fire, electric shock, or injury to persons.

1.2 This is a reference standard in which the requirements are to be applied when specifically referenced by other standards or product safety requirements.

1.3 These requirements address the risks unique to product hardware controlled by software in programmable components.

1.4 These requirements are intended to supplement applicable product or component standards and requirements, and are not intended to serve as the sole basis for investigating the risk of fire, electric shock, or injury to persons.

1.5 These requirements are intended to address risks that occur in the software or in the process used to develop and maintain the software, such as the following:
a) Requirements conversion faults that cause differences between the specification for the programmable component and the software design;
b) Design faults such as incorrect software algorithms or interfaces;
c) Coding faults, including syntax, incorrect signs, endless loops, and other coding faults;
d) Timing faults that cause program execution to occur prematurely or late;
e) Microelectronic memory faults, such as memory failure, not enough memory, or memory overlap;
f) Induced faults caused by microelectronic hardware failure;
g) Latent, user, input/output, range, and other faults that are only detectable when a given state occurs; and
h) Failure of the programmable component to perform any function at all.

1.6 Product standard requirements may amend or supersede the requirements in this standard, as appropriate.

2 Definitions of Terms Used

2.1 For the purpose of this standard, the following definitions apply.

2.2 APPLICATION-SPECIFIC INTEGRATED CIRCUIT (ASIC) An electronic device comprised of many transistors and other semiconductor components which integrate standard cells and arrays from a library into one piece of silicon intended for a particular use.

2.3 BUILT-IN TEST A design method that allows a product to test itself by adding logic for test signal generation and analysis of test results.

2.4 CENTRAL PROCESSING UNIT (CPU) The unit of a computing and controlling system that includes the circuits controlling the interpretation of instructions and their execution.

2.5 CRITICAL SECTION A segment of the software that is intended to perform the functions that address or control risks.

2.6 DATA A representation of facts, concepts, or instructions in a manner suitable for storage, communication, interpretation, or processing.

2.7 DESIGN The process of defining the software architecture, components, modules, interfaces, test approach, and data for a software system to satisfy specified requirements.

2.8 ELECTRONICALLY ERASABLE PROGRAMMABLE READ ONLY MEMORY (EEPROM) A reprogrammable read-only memory in which cells may be erased electrically and in which each cell is capable of being reprogrammed electrically.

2.9 EMBEDDED SOFTWARE Software that is physically part of a product and whose primary purpose is to maintain some property or relationship between other components of the product in order to achieve the overall system objective.

2.10 ERASABLE PROGRAMMABLE READ ONLY MEMORY (EPROM) A type of programmable memory device which can only be read and not altered under normal use. The memory is capable of being erased by ultraviolet light and reprogrammed.

2.11 ERROR A discrepancy between a computed, observed, or measured value or condition and the true, specified, or theoretically correct value or condition.

2.12 FAIL-OPERATIONAL PROCEDURE A procedure executed in the event that a failure has occurred which continues product operation but provides degraded performance or reduced functional capabilities.

2.13 FAIL-SAFE PROCEDURE A procedure executed to maintain the Risks Addressed (RA) state of a product while transitioning into a non-operational mode.

2.14 FAILURE The inability of a product or component to perform its specified function.

2.15 FAILURE MODE The physical or functional manifestation of a failure.

2.16 FAILURE MODE TEST A suite of tests that have been specifically developed based upon the failure modes that exist in a programmable component or product.

2.17 FAULT A deficiency in a product or component which is capable of, under some operational conditions, contributing to a failure.

2.18 FAULT-TOLERANT The capability of software to provide continued correct execution in the presence of a defined set of microelectronic hardware and software faults.

2.19 FLASH MEMORY A type of non-volatile memory which is capable of being erased electrically and reprogrammed, but only in blocks, as opposed to one byte increments.

2.20 HAZARD A potential source of physical injury to persons.

2.21 INSTRUCTION A statement that specifies an operation to be performed and that is capable of identifying data involved in the operation.

2.22 INTEGRITY The degree to which a system or component prevents unauthorized access to, or modification of, computer programs or data.

2.23 MICROCONTROLLER A microcomputer chip capable of executing instructions.

2.24 MICROELECTRONICS Monolithic, hybrid, or module circuits, where the internal connections are not accessible, which satisfy one or more of the following criteria:
a) More than 1000 gates are used in digital mode;
b) More than 24 fu
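The following C sketch is an added worked example; it is not text from UL 1998 and not a certified implementation. It shows how the defined terms relate inside one control cycle: a critical section (2.5) whose first act is a built-in test (2.3) of its safety-related data, the error (2.11) that test reveals, the fail-operational procedure (2.12) taken while the hazard is still controllable, the fail-safe procedure (2.13) that latches the non-operational mode, and a supervisory section of the kind the contents list under Section 7 that catches the cases in 1.5 d) and h) where the critical section runs late or not at all. The heater scenario, the storage of the limit as a plain and a bitwise-complemented copy, every threshold and every identifier are assumptions made for illustration, and the sample readings are constructed.

```c
/* Added example, not part of UL 1998. Scenario, identifiers, thresholds and
 * the complemented-copy technique are assumptions for illustration only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    CYCLE_NORMAL,            /* critical section ran with full capability    */
    CYCLE_FAIL_OPERATIONAL,  /* 2.12: still operating, reduced capability    */
    CYCLE_FAIL_SAFE          /* 2.13: driven into the non-operational state  */
} cycle_result_t;

/* Safety-related data kept twice, plain and bitwise complemented, so that a
 * memory fault (1.5 e) in either copy is detected before the value is used. */
typedef struct {
    uint16_t limit_c;         /* over-temperature limit, degrees C */
    uint16_t limit_c_inv;     /* ~limit_c, stored separately       */
} protected_limit_t;

typedef struct {
    protected_limit_t limit;
    int      last_good_c;     /* last plausible sensor reading             */
    uint8_t  sensor_faults;   /* consecutive implausible readings          */
    bool     heater_on;       /* actuator output                           */
    bool     non_operational; /* latched by the fail-safe procedure        */
    uint32_t cycle_count;     /* advanced by every completed cycle         */
    uint32_t supervised_count;/* cycle_count seen at the last supervision  */
} controller_t;

enum { MAX_SENSOR_FAULTS = 3, DEGRADED_LIMIT_C = 40,
       SENSOR_MIN_C = -40, SENSOR_MAX_C = 300 };   /* assumed values */

void controller_init(controller_t *c, uint16_t limit_c)
{
    memset(c, 0, sizeof *c);
    c->limit.limit_c     = limit_c;
    c->limit.limit_c_inv = (uint16_t)~limit_c;
}

/* Built-in test (2.3): the two copies must still be complements. A mismatch
 * is an error (2.11) that reveals a fault in the safety-related data. */
bool limit_is_intact(const protected_limit_t *l)
{
    return l->limit_c == (uint16_t)~l->limit_c_inv;
}

/* Fail-safe procedure (2.13): remove the hazard source and latch the
 * non-operational mode so the product stays in its Risks Addressed state. */
static cycle_result_t fail_safe(controller_t *c)
{
    c->heater_on = false;
    c->non_operational = true;
    return CYCLE_FAIL_SAFE;
}

/* Critical section (2.5): one control cycle over one sensor sample. */
cycle_result_t control_cycle(controller_t *c, int sensor_c)
{
    cycle_result_t r;

    if (c->non_operational) {
        r = fail_safe(c);                        /* stay off once latched   */
    } else if (!limit_is_intact(&c->limit)) {
        r = fail_safe(c);                        /* 1.5 e: corrupted limit  */
    } else if (sensor_c < SENSOR_MIN_C || sensor_c > SENSOR_MAX_C) {
        /* 1.5 g: range fault on the input. Tolerate a few, then give up. */
        if (++c->sensor_faults >= MAX_SENSOR_FAULTS) {
            r = fail_safe(c);
        } else {
            /* Fail-operational procedure (2.12): act on the last good reading
             * against a reduced limit rather than trust the bad sample. */
            c->heater_on = c->last_good_c < DEGRADED_LIMIT_C;
            r = CYCLE_FAIL_OPERATIONAL;
        }
    } else {
        c->sensor_faults = 0;
        c->last_good_c = sensor_c;
        c->heater_on = sensor_c < (int)c->limit.limit_c;
        r = CYCLE_NORMAL;
    }
    c->cycle_count++;                            /* proof the section ran   */
    return r;
}

/* Supervisory section, e.g. run from a timer interrupt: detects the critical
 * section not executing at all (1.5 h) or not in time (1.5 d) and forces the
 * fail-safe procedure. Returns true if a cycle completed since the last check. */
bool supervisor_check(controller_t *c)
{
    bool ran = c->cycle_count != c->supervised_count;
    c->supervised_count = c->cycle_count;
    if (!ran)
        fail_safe(c);
    return ran;
}

int main(void)
{
    static const int samples[] = { 25, 95, 30, 999, 999, 999, 25 }; /* constructed */
    controller_t c;
    controller_init(&c, 90);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        cycle_result_t r = control_cycle(&c, samples[i]);
        printf("sample %4d -> result %d heater %d non_operational %d\n",
               samples[i], (int)r, (int)c.heater_on, (int)c.non_operational);
    }
    return 0;
}
```

Two design points are worth noting. The integrity check on the limit runs before the limit is ever compared with the sensor, so a corrupted safety value can only ever produce the fail-safe outcome, never an unsafe comparison. And the fail-operational branch deliberately uses data the software already validated (the last good reading) rather than the suspect input; a real product would back the software supervisor with a hardware watchdog and the measures of Appendix A, which this skeleton only stands in for.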