Soft-RT PLC runtime heart¶
This page captures the requirements for using taktora-executor as the runtime
heart of a soft-real-time PLC. It follows from the gap analysis between
typical PLC architecture (Beckhoff TwinCAT, Siemens TIA, B&R Automation
Studio, Rockwell Logix) and the abstractions taktora-executor provides today.
The decomposition is two-tier:
Top-level feature — PLC runtime heart on iceoryx2 (FEAT_0010) — the umbrella capability.
Sub-features — capability themes, each one
:satisfies:the top-level feature.Requirements — concrete shall-clauses that
:satisfies:a sub-feature.
Sub-features are grouped into foundation capabilities (already provided by taktora-executor v0.1) and gap capabilities (must be added before the runtime credibly serves as a soft-RT PLC heart). Foundation reqs reference the existing API surface; gap reqs describe TBD work.
Top-level feature¶
A Rust runtime that schedules, sequences, and observes the cyclic execution of PLC-style logic (read inputs → run logic → write outputs) under soft-real-time constraints, with iceoryx2 as the inter-process data plane. The runtime targets non-safety industrial automation, robotics control loops, and machine-monitoring scenarios. Hard-real-time bounds, safety certification, IEC 61131-3 frontends, hot-standby, and specific fieldbus protocol stacks are explicitly out of scope; the runtime integrates with such concerns but does not implement them. |
Foundation capabilities¶
The following sub-features are already provided by taktora-executor v0.1. Their requirements describe the contracts the runtime exposes today; the work for them is closing the review/approval lifecycle, not authoring new implementation.
Cyclic scan execution¶
Periodic execution of a scheduled item at a configured scan period — the PLC equivalent of a scan cycle. |
The runtime shall allow each cyclic item to declare a scan period as a
|
Under nominal load (no item exceeding its scan period), the runtime shall invoke each cyclic item exactly once per declared period. |
The runtime shall emit pre-execute and post-execute timestamps for
every scan-cycle invocation through the |
Event-driven I/O dispatch¶
Inter-process inputs and outputs flow through iceoryx2 channels so producers wake consumers without polling. |
The runtime shall trigger an item’s |
The runtime shall expose |
Pub/sub data transfer between processes shall be zero-copy across shared memory via iceoryx2; receivers shall obtain a borrowed view of the producer’s payload, not a deserialised copy. |
The runtime shall surface dropped event-service notifications to the
sender as a non-error counter ( |
Deterministic logic sequencing¶
Items compose into chains and DAGs with explicit ordering and abort semantics — the structural equivalent of a PLC cause-effect network. |
The runtime shall execute the items of a chain in declared order on a single dispatch slot per chain invocation. |
The runtime shall execute the vertices of a DAG concurrently when their in-edges are all satisfied, and shall block downstream vertices until all of their upstream vertices have completed. |
An item returning |
The runtime shall provide a |
Cycle-time watchdog¶
Visibility into deadline-missed events at the dispatch layer. |
The runtime shall provide a |
The runtime shall report each item’s actual execute duration through
|
Real-time scheduling¶
Worker threads can be pinned and prioritized for predictable latency on PREEMPT_RT-capable Linux systems. |
The runtime shall, behind the |
The runtime shall, behind the |
Cooperative shutdown¶
The runtime exits cleanly on signal or programmatic stop without leaking worker threads or shared-memory artefacts. |
The runtime shall return cleanly from |
The runtime shall expose a clonable |
Gap capabilities¶
The following sub-features are not yet provided by taktora-executor v0.1.
Each is a prerequisite for credibly calling the runtime a soft-real-time
PLC heart. Their requirements are authored at status: open and
represent work to be planned and executed.
Bounded-time dispatch¶
The dispatch hot path shall not allocate, take unbounded locks, or block on poll loops, so steady-state cycle latency is bounded by factors the runtime declares (not by the system allocator or kernel futex implementation). |
The runtime’s dispatch path shall perform zero heap allocations during
steady-state execution after |
The runtime’s worker pool shall be sized at |
The graph DAG scheduler shall not rely on a polling condvar
|
The runtime shall capture per-iteration item errors in a pre-allocated
bounded slot rather than constructing an |
Cycle-overrun fault primitive¶
Deadline violations transition the runtime — at task or executor scope —
to a configured fault state, rather than only being reported as
timestamps via |
When a task’s |
When any single dispatch iteration exceeds a configured executor-wide deadline, the runtime shall transition the executor to a configured fault state. |
When a task or the executor is in a fault state, the runtime shall not run the normal item logic and shall instead dispatch an optional user-supplied fault-handler item once per triggering cycle. |
Fault transitions shall be visible to the configured |
Mode / state-machine framework¶
A first-class lifecycle for the runtime — distinct from item lifecycle — that captures the operational modes typical of PLC programs. |
The runtime shall support an explicit mode lifecycle of at least
|
Mode transitions shall be triggered both programmatically (caller-driven) and as a consequence of configured events (executor-wide deadline overrun, item error, signal-driven stop). |
Each registered task shall declare which modes it is enabled in; the runtime shall not dispatch a task while it is disabled by the current mode. |
Mode transitions shall be visible to the configured |
Retentive state¶
State that survives process restarts — the equivalent of NVRAM-backed retentive memory in classical PLCs. |
The runtime shall provide a retentive memory abstraction whose declared contents persist unchanged across cooperative process restarts. |
Retentive memory regions shall be backed by a memory-mapped file with a checksum verified at load. |
A retentive-memory checkpoint shall be atomic with respect to process crash — a concurrent crash shall yield either the pre-checkpoint or post-checkpoint contents, never a partial state. |
At startup, the runtime shall report whether retentive state was loaded cleanly, recovered from an incomplete checkpoint (and which version was selected), or initialised from defaults because no prior state existed. |
Scan-cycle observability¶
First-class statistics on cycle-time behaviour — percentiles, jitter, overrun counts — exposed without requiring users to build their own. |
The runtime shall report p50, p95, and p99 execute-duration percentiles
per registered task, computed over a sliding window whose size is
configurable at Percentile estimation shall use a fixed-bucket log-linear histogram covering the value range 100 ns … 10 s with at least three buckets per decade (yielding ≤ 1% relative error at bucket centroids). The bucket layout shall be fixed at compile time so the per-sample update path is allocation-free; see Allocation-free telemetry u... (REQ_0104) and Fixed-bucket histogram for ... (ADR_0060). |
The runtime shall report the maximum observed jitter — defined as the absolute difference between actual and declared scan period — per cyclic task, computed over the same sliding window as Per-task latency percentiles (REQ_0100). Lifetime maxima are out of scope; the reported value ages out with the window. |
The runtime shall expose a monotonic counter per task that increments on each scan-cycle execution that exceeds the declared scan period. |
Cycle-cycle statistics shall be available via two distinct paths:
Both paths shall be allocation-free on the runtime side (see Allocation-free telemetry u... (REQ_0104)); allocations on the consumer side are out of scope. |
The runtime’s per-sample telemetry update path — the code that runs inside the dispatch loop’s timing hooks to update the histogram, max-jitter, and overrun counter — shall perform zero heap allocations and shall complete in bounded time. The update path’s worst-case runtime shall be dominated by the
histogram bucket-index computation (a |
PREEMPT_RT validation¶
The runtime’s worst-case latency on PREEMPT_RT Linux is characterised under realistic load — a continuous regression gate, not a one-off measurement. |
The repository shall ship a versioned document
( |
The repository shall include a benchmark harness, packaged as a
cargo binary under Each NDJSON record shall conform to the schema
The harness shall offer at least three selectable load profiles:
|
The repository shall ship a documented procedure
( A continuous CI gate on jitter is explicitly not required by this REQ. See Harness as xtask, not CI gate (ADR_0061) for the rationale (no persistent self-hosted RT runner; cloud GH runners cannot guarantee PREEMPT_RT). |
The benchmark harness (Cyclictest-style benchmark ... (REQ_0111)) shall obtain its per-cycle
observations exclusively via the |
Fieldbus integration interface¶
The shape by which fieldbus protocol stacks (EtherCAT, Modbus, Profinet, CIP) plug into the runtime — without committing to any specific protocol implementation in the core. |
The runtime shall expose an adapter trait by which a fieldbus driver
produces |
Fieldbus driver implementations shall live in separate crates and shall not require modifications to the executor core. |
The executor core shall not embed any specific fieldbus protocol implementation; protocol selection is a deployment concern carried in adapter crates. |
Cross-cutting traceability¶
Every requirement on this page :satisfies: exactly one parent feature;
every sub-feature :satisfies: PLC runtime heart on iceoryx2 (FEAT_0010). The needtables on
Requirements and Architecture will populate as spec
artefacts are authored.
ID |
Title |
Status |
Satisfies |
|---|---|---|---|
PLC runtime heart on iceoryx2 |
open |
||
Cyclic scan execution |
open |
||
Event-driven I/O dispatch |
open |
||
Deterministic logic sequencing |
open |
||
Cycle-time watchdog |
open |
||
Real-time worker scheduling |
open |
||
Cooperative shutdown |
open |
||
Bounded-time dispatch |
open |
||
Cycle-overrun fault primitive |
open |
||
Mode / state-machine framework |
open |
||
Retentive state |
open |
||
Scan-cycle observability |
open |
||
PREEMPT_RT validation harness |
open |
||
Fieldbus integration interface |
open |
||
Connector framework |
open |
||
Envelope transport |
open |
||
Codec abstraction |
open |
||
Connector trait and routing |
open |
||
Connection lifecycle |
open |
||
Process boundary deployments |
open |
||
MQTT reference connector |
open |
||
Host wiring and builder |
open |
||
Bounded global allocator |
open |
||
EtherCAT reference connector |
open |
||
Zenoh reference connector |
open |
||
Zenoh pub/sub |
open |
||
Zenoh queries |
open |
||
Zenoh session topology and health |
open |
||
CAN (SocketCAN) reference connector |
open |
||
CAN frame transport (classical + FD) |
open |
||
Multi-interface gateway and per-channel filtering |
open |
||
Bus health, error frames, and reconnect |
open |
||
Device-driver codegen toolchain |
open |
||
ESI parser |
open |
||
IR and codegen backend trait |
open |
||
ethercrab codegen backend |
open |
||
Runtime trait surface |
open |
||
Build helper (build.rs glue) |
open |
||
CLI inspection (cargo subcommand) |
open |
||
EEPROM diff verification |
open |
||
CANopen device-driver codegen toolchain |
open |
||
Shared OD core |
open |
||
EDS parser |
open |
||
Codegen IR and backend trait |
open |
||
taktora-connector-can codegen backend |
open |
||
Runtime trait surface |
open |
||
Build helper (build.rs glue) |
open |
||
CLI inspection (cargo subcommand) |
open |
||
EDS ↔ SDO-dump verification |
open |
ID |
Title |
Status |
Satisfies |
|---|---|---|---|
Configurable scan period |
open |
||
One execution per scan period |
open |
||
Scan-cycle execution observability |
open |
||
Subscriber-triggered ingestion |
open |
||
Publisher-driven emission |
open |
||
Zero-copy IPC transport |
open |
||
Notification-drop visibility |
open |
||
Sequential chain execution |
open |
||
Parallel DAG execution |
open |
||
Abort propagation |
open |
||
Conditional inclusion |
open |
||
Subscriber deadline detection |
open |
||
Per-execute timing visibility |
open |
||
Core-affinity assignment |
open |
||
SCHED_FIFO priority on Linux |
open |
||
Signal-driven shutdown |
open |
||
Programmatic shutdown wakeup |
open |
||
No heap allocation in dispatch |
implemented |
||
Statically-sized task pool |
open |
||
Pre-allocated error slot |
open |
||
Wait-free completion signalling |
open |
||
Per-task overrun fault transition |
open |
||
Executor-wide overrun fault transition |
open |
||
Fault-handler item dispatch |
open |
||
Fault state observability |
open |
||
Mode lifecycle |
open |
||
Mode transition triggers |
open |
||
Per-mode task gating |
open |
||
Mode change observability |
open |
||
Process-restart persistence |
open |
||
Memory-mapped backing |
open |
||
Crash-atomic checkpoints |
open |
||
Recovery status reporting |
open |
||
Per-task latency percentiles |
draft |
||
Per-task maximum jitter |
draft |
||
Per-task overrun counter |
draft |
||
Statistics query API |
draft |
||
Allocation-free telemetry update |
draft |
||
Documented worst-case jitter |
draft |
||
Cyclictest-style benchmark harness |
draft |
||
Documented reproducer procedure |
draft |
||
Harness consumes runtime telemetry |
draft |
||
Adapter-driven I/O |
open |
||
Out-of-tree driver crates |
open |
||
Protocol-neutral runtime |
open |
||
ConnectorEnvelope is a POD type |
open |
||
Per-channel max payload size |
open |
||
Sequence number monotonically increasing |
open |
||
Timestamp recorded at send |
open |
||
Correlation id is a passive carrier |
open |
||
Zero-copy publish via iceoryx2 loan |
open |
||
One iceoryx2 service per channel direction |
open |
||
PayloadCodec trait |
open |
||
Codec is a generic parameter on connectors |
open |
||
JsonCodec is the default codec |
open |
||
Codec encode error variant |
open |
||
Codec decode error variant |
open |
||
Connector trait |
open |
||
ChannelDescriptor carries typed routing |
open |
||
Routing is a marker trait with bounds |
open |
||
create_writer / create_reader return concrete handles |
open |
||
Connector ships its own routing struct |
open |
||
ConnectorHealth state machine |
open |
||
subscribe_health returns a Channel of HealthEvent |
open |
||
ReconnectPolicy trait |
open |
||
ExponentialBackoff default policy |
open |
||
HealthEvent emitted on every transition |
open |
||
Stack-internal-reconnect connectors emit health uniformly |
open |
||
Same envelope contract for both deployments |
open |
||
In-process gateway is a tokio task |
open |
||
Separate-process gateway is a self-contained binary |
open |
||
Clean exit on SIGINT / SIGTERM on both sides |
open |
||
No app↔gateway control-plane envelopes |
open |
||
MqttConnector implements Connector |
open |
||
MqttRouting carries topic, qos, retained |
open |
||
QoS 0 and 1 supported |
open |
||
Retained-message publish supported |
open |
||
Wildcard subscriptions supported |
open |
||
Username/password authentication |
open |
||
TLS is optional via cargo feature |
open |
||
MQTT 3.1.1 baseline |
open |
||
Tokio sidecar inside the gateway crate |
open |
||
Bridge channels are bounded |
open |
||
Outbound bridge saturation surfaces as BackPressure |
open |
||
Inbound bridge saturation surfaces as DroppedInbound HealthEvent |
open |
||
ConnectorHost builder API |
open |
||
ConnectorGateway builder API |
open |
||
Host registers connector items with the executor |
open |
||
Optional Observer adapter for tracing |
open |
||
NO request/response matching by the framework |
rejected |
||
NO app↔gateway control plane |
rejected |
||
NO persistent outbox or durable buffering |
rejected |
||
NO schema/contract enforcement across the boundary |
rejected |
||
NO protocol-portable Channel<T> |
rejected |
||
NO multi-broker / multi-tenant gateway |
rejected |
||
NO supervision / panic recovery |
rejected |
||
Pre-allocated fixed-block arena |
open |
||
Fail-closed on cap overrun |
open |
||
Lock-after-init panic mode |
open |
||
Allocation accounting API |
open |
||
Thread-safe allocation |
open |
||
EthercatConnector implements Connector |
open |
||
EthercatRouting carries SubDevice and PDO addressing |
open |
||
Single MainDevice per gateway instance |
open |
||
Bus reaches OP before serving traffic |
open |
||
Static PDO mapping per SubDevice |
open |
||
PDO mapping applied during PRE-OP to SAFE-OP transition |
open |
||
Cycle time configurable with millisecond resolution |
open |
||
Missed cycle ticks are skipped not queued |
open |
||
Distributed Clocks bring-up is opt-in |
open |
||
Working-counter-based health policy |
open |
||
Working-counter mismatch degrades health |
open |
||
Tokio sidecar contained inside the connector crate |
open |
||
Bridge channels are bounded |
open |
||
Outbound bridge saturation surfaces as BackPressure |
open |
||
Inbound bridge saturation surfaces as DroppedInbound HealthEvent |
open |
||
Linux raw socket required on gateway host |
open |
||
Outbound payload written to PDI bit slice per routing |
open |
||
Inbound payload read from PDI bit slice per routing |
open |
||
Per-channel routing registry on the gateway |
open |
||
ZenohConnector implements Connector |
open |
||
ZenohRouting carries key_expr and pub/sub QoS fields |
open |
||
JsonCodec is the default codec for Zenoh |
open |
||
Tokio sidecar contained inside the Zenoh connector crate |
implemented |
||
Zenoh bridge channels are bounded |
open |
||
Outbound bridge saturation surfaces as BackPressure |
open |
||
Inbound bridge saturation surfaces as DroppedInbound |
open |
||
Zenoh zero-copy publish via iceoryx2 loan |
open |
||
Zenoh gateway is byte-only on the inbound publish path |
open |
||
ZenohConnector exposes create_querier and create_queryable |
open |
||
ZenohQuerier maps QueryId to envelope correlation_id |
open |
||
ZenohQueryable correlates replies via correlation_id |
open |
||
Multi-reply per query supported |
open |
||
Reply stream end-of-stream framed in payload |
open |
||
Query timeout sourced from options, overridable per-querier |
open |
||
terminate(id) finalizes the upstream zenoh::Query |
open |
||
Codec applied to Q on send and to R on reply |
open |
||
Reply-side inbound saturation emits DroppedInbound |
open |
||
Zenoh session mode is a config knob |
open |
||
NO ReconnectPolicy on Zenoh session loss |
rejected |
||
HealthEvent emitted on every Zenoh session transition |
implemented |
||
Connect and listen locators surfaced to zenoh::Config |
open |
||
zenoh-integration cargo feature gates the real zenoh dep |
implemented |
||
MockZenohSession ships unfeature-gated |
implemented |
||
Linux, macOS, and Windows are supported host operating systems |
implemented |
||
Pure parse function with no I/O |
open |
||
no_std + alloc compatible |
open |
||
quick-xml + serde backend |
open |
||
Parser does not depend on ethercrab or codegen |
open |
||
IR carries identity, PDO maps, mailbox, DC, and OD |
open |
||
Vendor-specific extensions captured as opaque blobs |
open |
||
Parse errors carry line and column |
open |
||
CodegenBackend trait shape |
open |
||
Naming policy is owned by codegen, not the backend |
open |
||
Revision collision handled deterministically |
open |
||
Common PDO entry types deduplicated |
open |
||
Emission target is proc_macro2 TokenStream |
open |
||
Backend crate is the sole ethercrab dependency |
open |
||
One device struct per ESI device entry |
open |
||
SubDeviceIdentity const emitted per device |
open |
||
PDO assignment alternatives emitted as sum type |
open |
||
One PDO struct per assignment alternative |
open |
||
Generated module root exposes a registry |
open |
||
Generated code compiles under no_std + alloc |
open |
||
EsiDevice trait shape |
open |
||
EsiConfigurable trait shape for preop bring-up |
open |
||
Traits live in ethercat-esi-rt, not taktora-connector |
open |
||
Object dictionary emission is a default-off cargo feature |
open |
||
Process image access via bitvec BitSlice |
open |
||
Builder API shape |
open |
||
Output written to OUT_DIR |
open |
||
Cargo rerun-if directives emitted per ESI input |
open |
||
Generated output passes through prettyplease |
open |
||
cargo esi expand emits one device's generated code |
open |
||
cargo esi list enumerates devices in a glob |
open |
||
CLI shares the parser and codegen crates |
open |
||
Verifier ingests ESI XML plus SII binary |
open |
||
Diagnostic output names the differing field |
open |
||
Verifier reuses the parser |
open |
||
Verifier exits non-zero on mismatch |
open |
||
NO CAN / CANopen / EDS support in this round |
rejected |
||
NO proc-macro front-end |
rejected |
||
NO unification of EtherCAT and CANopen runtime traits |
rejected |
||
NO runtime XML parsing |
rejected |
||
NO modification of taktora-connector-ethercat runtime |
rejected |
||
NO automatic vendor library scraping |
rejected |
||
CanConnector implements Connector |
open |
||
CanRouting carries iface, can_id, mask, kind, fd_flags |
open |
||
Linux is the supported host OS for real I/O |
open |
||
socketcan-integration cargo feature gates the real socketcan dep |
open |
||
MockCanInterface ships unfeature-gated |
open |
||
Tokio sidecar contained inside the CAN connector crate |
open |
||
CAN bridge channels are bounded |
open |
||
Outbound bridge saturation surfaces as BackPressure |
open |
||
Inbound bridge saturation surfaces as DroppedInbound |
open |
||
Classical CAN frames supported |
open |
||
CAN-FD frames supported |
open |
||
Channel payload sizing keyed on frame kind |
open |
||
Outbound payload serialised to socketcan frame |
open |
||
Inbound gateway is byte-only on the publish path |
open |
||
CAN ID extended flag preserved end-to-end |
open |
||
Multiple interfaces per gateway |
open |
||
Routing identifies the interface |
open |
||
Per-interface filter is the union of channel masks |
open |
||
Filter recomputed on channel add/remove |
open |
||
Inbound demux to all matching readers |
open |
||
Per-iface routing registry has stable iteration order |
open |
||
ConnectorHealth aggregates per-iface state via worst-of |
open |
||
Error frames consumed internally |
open |
||
error-passive transitions to Degraded |
open |
||
bus-off transitions to Down and triggers reconnect |
open |
||
ReconnectPolicy reused; ExponentialBackoff default |
open |
||
HealthEvent emitted on every transition |
open |
||
Error frames not exposed to plugin |
open |
||
NO DBC parsing or typed signal extraction in taktora-connector-can |
rejected |
||
NO ISO-TP or J1939 support in taktora-connector-can |
rejected |
||
NO CAN-XL support |
rejected |
||
NO plugin-visible error-frame channel |
rejected |
||
NO can-restart-ms management from the gateway |
rejected |
||
No transport-specific types in fieldbus-od-core |
open |
||
no_std + alloc, no mandatory serde |
open |
||
OD type surface |
open |
||
ethercat-esi re-exports lifted types |
open |
||
canopen-eds uses fieldbus-od-core types |
open |
||
Pure parse function with no I/O |
open |
||
no_std + alloc, no upstream coupling |
open |
||
serde-derive INI backend |
open |
||
Parse errors carry line and column |
open |
||
Unknown sections captured as RawSection |
open |
||
Liberal parsing — warn and continue on quirks |
open |
||
IR carries identity, OD, PDO comm + maps |
open |
||
CodegenBackend trait shape |
open |
||
Naming policy is owned by codegen, not the backend |
open |
||
Revision collision handled deterministically |
open |
||
Common PDO entry types deduplicated |
open |
||
Emission target is proc_macro2 TokenStream |
open |
||
One EDS file equals one device |
open |
||
Backend crate is the sole canopen-eds-rt dependency |
open |
||
One device struct per EDS file |
open |
||
Identity const emitted per device |
open |
||
PDO declarations emitted as sum types |
open |
||
Dummy entries skipped in PDO payload structs |
open |
||
Generated module root exposes a registry |
open |
||
Bring-up SDO writes emitted from EDS |
open |
||
Object dictionary emission is a default-off cargo feature |
open |
||
Generated code compiles under no_std + alloc |
open |
||
CanOpenDevice trait shape |
open |
||
CanOpenConfigurable trait shape for bring-up |
open |
||
Traits live in canopen-eds-rt, not taktora-connector-can |
open |
||
Frame payloads use heapless::Vec<u8, 8> |
open |
||
Frame-per-PDO dispatch shape |
open |
||
CanOpenError variant surface |
open |
||
RPDO rejected outside Operational state |
open |
||
Builder API shape |
open |
||
Output written to OUT_DIR |
open |
||
Cargo rerun-if directives emitted per EDS input |
open |
||
Generated output passes through prettyplease |
open |
||
Parser warnings surface as cargo warnings |
open |
||
cargo eds expand emits one device's generated code |
open |
||
cargo eds list enumerates devices in a glob |
open |
||
CLI shares the parser and codegen crates |
open |
||
Verifier ingests EDS plus JSON SDO-dump |
open |
||
Diagnostic output names the differing field |
open |
||
Verifier reuses the parser |
open |
||
Verifier exits non-zero on mismatch |
open |
||
SDO-dump JSON schema versioned |
open |
||
NO DCF support this round |
rejected |
||
NO CAN-FD payload support in PdoOut |
rejected |
||
NO proc-macro front-end |
rejected |
||
NO unification of EtherCAT and CANopen runtime traits |
rejected |
||
NO runtime EDS parsing |
rejected |
||
NO modification of taktora-connector-can runtime |
rejected |
||
NO automatic vendor library scraping |
rejected |
||
NO live-bus verifier this round |
rejected |
Safety refinements¶
The PLC runtime (taktora-executor) carries four TSRs from the SEooC
safety concept (see Technical Safety Concept — TSRs):
Integrity-level declaration... (TSR_0003) (integrity-level declaration and process isolation for executable items) — draft;
ExecutableItemtrait and registration API need an integrity-level field. See Process boundary as spatial... (ADR_0050).Missed-deadline detection w... (TSR_0004) (missed-deadline detection within one cycle) — implemented by the executor’s existing deadline monitor.
Cross-process hosting mode (TSR_0009) (cross-process hosting mode) — draft; the executor must support a mode that hosts only SC items and cross-references QM items via iceoryx2.
Heartbeat for Element B mon... (TSR_0010) (heartbeat for Element B monitor) — draft; no liveness heartbeat surface exists today.