Introduction
As connected vehicles and IoT devices proliferate, the ability to update software remotely has become essential for fixing bugs, adding features, and patching security vulnerabilities. However, remote software updates introduce unique safety and security risks. UL 5500 addresses these challenges by establishing comprehensive requirements for safe remote software update processes.
Figure 1: UL 5500 Remote Software Update Framework
What is UL 5500?
UL 5500: Standard for Remote Software Updates is a safety standard developed by Underwriters Laboratories that covers remote software updates while taking into account manufacturers' recommended processes. Published in September 2018, this standard is limited to software elements having an influence on safety.
Key Scope and Purpose
UL 5500 addresses:
- Remote connection establishment between host and device
- Authentication mechanisms for secure updates
- Software integrity verification during transmission and installation
- Hardware compatibility necessary for safe remote software updates
- Rollback and recovery procedures in case of update failures
- Safety-critical software update validation
The standard is particularly relevant for:
- Automotive systems (ECUs, infotainment, ADAS)
- Industrial IoT devices
- Medical devices with remote connectivity
- Consumer electronics with safety implications
- Powertrain control units and battery management systems
Why UL 5500 Matters for Automotive Engineers
In my work implementing over-the-air (OTA) update systems at Rivian, UL 5500 provides critical guidance for ensuring firmware updates don't compromise vehicle safety.
Real-World Risks Without Proper Standards
Update failures can lead to:
- Bricked ECUs: Incomplete updates rendering control units inoperable
- Version mismatches: Incompatible software combinations across networked ECUs
- Security vulnerabilities: Unencrypted or unauthenticated update channels
- Safety degradation: Updates that inadvertently disable safety features
- Communication failures: Lost connectivity during critical safety operations
Integration with ISO Standards
UL 5500 complements existing automotive safety and cybersecurity standards:
| Standard | Focus Area | Relationship to UL 5500 |
|---|---|---|
| ISO 26262 | Functional Safety | Ensures updated software maintains ASIL requirements |
| ISO 21434 | Cybersecurity | Addresses authentication, encryption, and threat mitigation |
| UNECE R155 | Cybersecurity Type Approval | Requires robust software update management systems |
| UNECE R156 | Software Update Management | Mandates processes for safe OTA updates |
UL 5500 provides implementation-level requirements that support compliance with these higher-level standards.
Core Requirements of UL 5500
1. Secure Connection Establishment
The standard requires:
- Mutual authentication between update server and device
- Encrypted communication channels (TLS 1.2 or higher)
- Certificate-based verification of update source legitimacy
- Session integrity throughout the update process
Example implementation:
// Secure connection establishment for OTA
typedef struct {
uint8_t server_certificate;
uint8_t device_certificate;
uint8_t session_key;
bool is_authenticated;
} OTA_SecureConnection;
bool establish_secure_connection(OTA_SecureConnection *conn) {
// Verify server certificate
if (!verify_certificate(conn->server_certificate, trusted_ca)) {
log_error("Server certificate verification failed");
return false;
}
// Perform mutual TLS handshake
if (!perform_tls_handshake(conn)) {
log_error("TLS handshake failed");
return false;
}
// Generate and exchange session keys
if (!establish_session_key(conn)) {
log_error("Session key establishment failed");
return false;
}
conn->is_authenticated = true;
return true;
}