The cost multiplier of finding and fixing software defects late in the development cycle is well documented across industries, but in automotive embedded systems the stakes are amplified by safety certification requirements. A defect discovered during system integration or vehicle validation can trigger re-verification cascading across multiple ASIL decomposition paths, multiplying the remediation cost by 10x to 100x compared to catching the same issue during unit testing. Shift-left testing strategies address this by moving verification activities as early as possible in the development lifecycle.
Automated unit testing with tools like TESSY enables teams to achieve comprehensive code coverage, including MC/DC coverage required for ASIL-D, at the function level, before code is integrated into the broader system. By running these tests automatically in CI/CD pipelines triggered by every code commit, teams create a continuous verification loop that catches regressions within minutes rather than weeks.
Virtual prototyping and virtual ECU testing with Arm Virtual Hardware extends the shift-left approach beyond unit testing into integration and system-level validation. Teams can begin testing embedded software against realistic hardware models before physical prototypes are available, compressing the overall development timeline and reducing dependence on scarce hardware resources during the critical early development phases.
Static analysis as the first shift-left layer
Before a single unit test runs, static analysis can catch a substantial class of defects at the desk-check stage. Pre-compilation MISRA C/C++ enforcement via tools like Perforce Helix QAC or Klocwork inspects every translation unit for undefined behaviour, type punning, integer-promotion bugs, and the long list of constructs the MISRA consortium classifies as unsafe in safety-related code. MISRA C:2012 (with Amendment 4) and MISRA C++:2023 are the de-facto coding standards across Tier 1 automotive suppliers, and ISO 26262-6:2018 §5.4.6 explicitly requires the use of language subsets and coding guidelines for ASIL B and above. Catching a null-pointer dereference or a signed-overflow path here costs minutes, catching it at HIL costs days.
Coverage requirements per ASIL
ISO 26262-6:2018 Part 6 Table 12 (structural coverage at the software unit level) sets out the recommendation gradient that drives shift-left tooling choices: statement coverage is highly recommended for ASIL A and B, branch coverage becomes highly recommended for ASIL C, and Modified Condition/Decision Coverage (MC/DC) is highly recommended for ASIL D. Table 10 separately calls for structured test methods, equivalence classes, boundary values, and error guessing, at the unit level. Hitting MC/DC by hand is impractical on production-sized ECU code, which is why automated unit-test generators like Razorcat TESSY are the workhorse here: TESSY instruments the code, generates the test vectors needed to exercise each independent condition, and reports coverage in the ISO 26262 format auditors expect.
CI/CD integration patterns
The pattern most Tier 1 teams converge on layers verification by feedback latency. On every commit, a Jenkins or GitLab runner executes Helix QAC / Klocwork static analysis and rejects MISRA violations before review. On every pull request, TESSY unit tests and coverage reports run against the changed modules, gated against the ASIL coverage threshold above. Nightly pipelines extend into integration tests on Arm Virtual Hardware, virtual Cortex-M models running the same binary that will ship to the ECU, and finally into hardware-in-loop benches once a release candidate is cut. The discipline is not the toolchain itself but the gate placement: each shift-left layer must block merge, not merely report.
Also appears in:
Building for Automotive & Mobility?
Talk to our application engineers for personalized tool recommendations.
You might also like
View all →