Simulation and model checking are commonly used to compare the behaviour of a computer-based system with its requirements specification. However, when upgrading an operational legacy system the challenge is usually to compare the behaviour of a proposed new system against an old, trusted one. Doing this for time-sensitive control systems is awkward because the system's behaviour depends on that of its physical environment. Consequently, the old and new systems can be compared meaningfully only when they are simulated under exactly the same conditions. In this paper we show how this can be done by simulating the old and new systems simultaneously, with both system models linked to the same environment model. The resulting simulation traces and model-checking counterexamples allow the behaviours of a legacy real-time system and its proposed replacement to be compared directly and easily.
Colin J. Fidge
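The lockstep arrangement the abstract describes, as an added illustration that is not code from the paper: one environment model, two controller models fed the identical sensor reading every tick, and a trace comparison that stops at the first tick on which the two systems' commands differ. Everything concrete here is my assumption rather than the paper's: discrete time, a constructed tank model with a fixed demand profile, a bang-bang legacy controller, a replacement that differs only in its sampling period, and the choice that the trusted legacy system's output actuates the shared environment while the replacement runs in shadow mode.

```python
"""Lockstep co-simulation of a legacy controller and its proposed replacement
against one shared environment model.  Added example, not code from the paper.

Assumptions (mine, not the paper's): discrete time; both systems read the same
sensor value each tick; the environment is actuated by the trusted legacy
system's command while the replacement runs in shadow mode; the first tick on
which the two commands differ is reported as the counterexample.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Step:
    tick: int
    sensor: float   # level both controllers were given this tick
    old: bool       # legacy pump command
    new: bool       # replacement pump command


# Constructed environment: a tank drained by a cycled demand profile and
# refilled by a pump.  Hypothetical numbers chosen for a short trace.
DEMAND_PROFILE = [2.0, 3.0, 2.5]
PUMP_RATE = 4.0


class Tank:
    def __init__(self, level: float = 50.0) -> None:
        self.level = level

    def step(self, tick: int, pump_on: bool) -> float:
        demand = DEMAND_PROFILE[tick % len(DEMAND_PROFILE)]
        self.level += (PUMP_RATE if pump_on else 0.0) - demand
        self.level = max(0.0, min(100.0, self.level))
        return self.level


class LegacyController:
    """Trusted bang-bang controller sampled every tick: pump on below 40,
    off above 60, otherwise hold the previous command."""
    def __init__(self) -> None:
        self.pump = False

    def step(self, level: float) -> bool:
        if level < 40.0:
            self.pump = True
        elif level > 60.0:
            self.pump = False
        return self.pump


class NewController:
    """Proposed replacement: same thresholds, but it only re-evaluates on
    every other call and holds its command in between.  This timing
    difference is what the co-simulation should expose."""
    def __init__(self) -> None:
        self.pump = False
        self.calls = 0

    def step(self, level: float) -> bool:
        self.calls += 1
        if self.calls % 2 == 1:
            if level < 40.0:
                self.pump = True
            elif level > 60.0:
                self.pump = False
        return self.pump


def cosimulate(old_factory: Callable[[], object],
               new_factory: Callable[[], object],
               ticks: int) -> List[Step]:
    """Run both controllers in lockstep.  Each tick both receive the same
    sensor reading; only the legacy command actuates the shared environment,
    so the replacement is judged under exactly the conditions the trusted
    system produced."""
    env, old, new = Tank(), old_factory(), new_factory()
    trace: List[Step] = []
    for t in range(ticks):
        sensor = env.level
        old_cmd = old.step(sensor)
        new_cmd = new.step(sensor)
        trace.append(Step(t, sensor, old_cmd, new_cmd))
        env.step(t, old_cmd)
    return trace


def first_divergence(trace: List[Step]) -> Optional[Step]:
    """First tick whose commands differ (the counterexample prefix ends
    here); None means the replacement matched throughout the window."""
    for s in trace:
        if s.old != s.new:
            return s
    return None


if __name__ == "__main__":
    trace = cosimulate(LegacyController, NewController, 20)
    d = first_divergence(trace)
    for s in trace[: (d.tick + 1) if d else len(trace)]:
        print(f"t={s.tick:2d} level={s.sensor:5.1f} old={s.old!s:5} new={s.new!s:5}")
    print("first divergence:", d)
```

Because the environment is fed only by the legacy command, both models see a genuinely common history: the replacement's divergence at tick 5 (level 37.5, legacy switches the pump on, replacement holds it off for one more tick) is attributable to the replacement alone, not to the two systems having driven the environment apart. Running the legacy model against a second copy of itself is the sanity check that the harness reports no divergence when none exists.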