How We Performed Equivalence Testing for Seamless MCU Firmware Migration

This client engagement focused on testing the modernization of the microcontroller systems without disrupting live systems.

The key objectives were:

• Migrate firmware from SH2A to RH850 with no behavioural deviation.
• Preserve deterministic real-time response metrics.
• Leverage RH850’s multi-core architecture and ≥200 MHz clock speed.
• Expand memory from less than 1 MB Flash / 64 KB RAM to 16 MB Flash / 2 MB RAM.
• Achieve ISO 26262 ASIL-D compliance.
• Reduce power consumption through dynamic voltage scaling.
• Establish a reusable migration framework for future microcontroller programs.

We executed the migration testing using a validation-first engineering strategy, eliminating transition risk through proof of equivalence before enablement. 

Firmware Migration & Compiler Transition 

The full firmware stack was migrated from the HEW toolchain to the GHS compiler while preserving application logic.  

Key actions included: 

• Redesigning memory layouts to utilize RH850’s extended RAM and Flash
• Tuning optimization flags
• Validating interrupt routines and scheduling logic
• Verifying instruction-level compatibility and timing behaviour

Hardware Enablement & Peripheral Integration

To activate RH850 platform capabilities:

• Hardware Abstraction Layers were updated.
• Peripheral drivers were updated for Ethernet, CAN, ADC/DAC
• Clock trees were optimised, and pin functions were realigned.
• Low-level register mapping was revalidated to ensure deterministic access.

Automated Equivalence Testing Framework

We leveraged a comprehensive testing framework that validated behavioural equivalence by executing identical inputs on both platforms and verifying: 

• Functional correctness
• Runtime performance consistency
• Regression avoidance
• Boundary and edge-case reliability 

This ensures identical behaviour at every operational level prior to production approval.

Functional Safety Integration

To meet ISO 26262 ASIL-D requirements, we implemented and validated:

• Watchdog supervision
• Fault-tolerant execution paths
• Safety monitoring and fallback handling

All these safety functions were tested with planned fault simulations and recovered to the ideal state under safer and predictable conditions.

Key Highlights

Zero-Deviation Migration

Maintained exact behavioural equivalence across engine, braking, and safety ECUs throughout the SH2A to RH850 transition. 

High-Performance Enablement

Enabled ≥200 MHz multi-core processing for improved real-time performance and deterministic execution.

ISO 26262 ASIL-D Compliance

Achieved the highest automotive safety classification through fault-tolerant architecture and safety monitoring mechanisms.

Advanced Peripheral Integration

Enabled Ethernet, CAN, and ADC/DAC to support next-generation vehicle functions.

Memory & Power Optimisation

Expanded to 16 MB Flash and 2 MB RAM while reducing power usage through dynamic voltage scaling.

Reusable Migration Framework

Created a standardized process for future Microcontroller transitions.

 

Platform Evolution: Before vs After Equivalence Testing

Feature	Before Migration (SH2A)	After Migration (RH850)
Microcontroller	SH2A (16/32-bit RISC)	RH850 (32/64-bit multi-core)
Clock Speed	~100 MHz	≥200 MHz
Memory	<1 MB Flash, 64 KB RAM	16 MB Flash, 2 MB RAM
Compiler	HEW	GHS
Compiler Optimisation	Platform-specific	Platform-specific
Peripherals	UART, timers, PWM	Ethernet, CAN, ADC/DAC
Real-Time Capability	Limited	High-precision multitasking
Safety	Basic watchdog	ISO 26262 ASIL-D, cryptography
Power Management	Minimal	Dynamic voltage scaling
Scalability	Constrained	Future-ready architecture

• Zero functional deviation from SH2A behaviour
• Improved real-time performance with multi-core processing.
• Verified ASIL-D safety compliance.
• Lower power usage through dynamic scaling
• Future-ready ECU architecture
• Migration method reused across ECU portfolio.