Assumptions of Use

The SEooC contract with the integrator. Each AoU is a claim taktora makes about the integrator's environment or process. The integrator MUST validate every AoU before claiming any ASIL for a taktora-hosted item.

- The integrator supplies a diverse, independent Element B monitor of equivalent ASIL B(D) capability that observes taktora's outputs and forces the safe state on detected omission or value failure.
- Element A (taktora) and Element B (the monitor) run on independent CPU cores or independent SoCs, with independent power and clock domains where feasible.
- The integrator implements the receiver side of taktora's heartbeat protocol and the safe-state forcing path with reaction time at most
- The host OS provides MMU-enforced address-space isolation between processes and a deterministic scheduling discipline (real-time class or deadline-based scheduling).
- The integrator pins the SC process to dedicated CPU core(s) and configures it under SCHED_FIFO or SCHED_DEADLINE; QM processes are excluded from those cores.
- The integrator validates that the assumed hazards (Loss of cyclic safety-criti... (AHZ_0001), Erroneous safety-critical c... (AHZ_0002)) and assumed safety goals (Prevent unintended terminat... (ASG_0001), Prevent silent corruption o... (ASG_0002)) match the result of their own HARA. The FTTI of 100 ms is confirmed or replaced.
- The integrator's application logic enters a defined safe state on receipt of
- The integrator's own
- The integrator confirms that the host OS kernel, libc, iceoryx2 runtime, and Rust toolchain are qualified to at least ASIL B(D). taktora does not qualify these; they sit below taktora in the stack.
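The core-pinning and scheduler-class AoU is one the SC process can check about itself before it goes cyclic. The following is an added example, not taktora's own code: a start-up self-check that reads the calling process's scheduling policy and affinity through the glibc wrappers and compares them against the set of cores the integrator reserved for SC work. The policy numbers and the cpu_set_t layout are Linux/glibc values; the dedicated core list `[2, 3]` is a hypothetical deployment setting.

```rust
// Added example, not taktora code: a start-up self-check that the SC process is
// under SCHED_FIFO or SCHED_DEADLINE and confined to its dedicated cores.
// Policy numbers and the cpu_set_t layout are Linux/glibc values; the dedicated
// core list passed to verify_sc_placement is a hypothetical integrator setting.

pub const SCHED_OTHER: i32 = 0;
pub const SCHED_FIFO: i32 = 1;
pub const SCHED_RR: i32 = 2;
pub const SCHED_DEADLINE: i32 = 6;

/// Affinity mask in cpu_set_t layout: 1024 CPUs as sixteen 64-bit words.
pub type CpuMask = [u64; 16];

pub fn mask_from_cores(cores: &[usize]) -> CpuMask {
    let mut m: CpuMask = [0; 16];
    for &c in cores {
        assert!(c < 1024, "core index beyond cpu_set_t");
        m[c / 64] |= 1u64 << (c % 64);
    }
    m
}

pub fn cores_of(mask: &CpuMask) -> Vec<usize> {
    (0..1024).filter(|&c| mask[c / 64] & (1u64 << (c % 64)) != 0).collect()
}

/// Pure check: every way the observed (policy, affinity) pair violates the AoU
/// "SC process under SCHED_FIFO/SCHED_DEADLINE, pinned to dedicated cores".
pub fn placement_violations(policy: i32, affinity: &CpuMask, dedicated: &[usize]) -> Vec<String> {
    let mut v = Vec::new();
    match policy {
        SCHED_FIFO | SCHED_DEADLINE => {}
        SCHED_RR => v.push("policy is SCHED_RR; the AoU requires SCHED_FIFO or SCHED_DEADLINE".to_string()),
        SCHED_OTHER => v.push("policy is SCHED_OTHER (CFS), not a deterministic real-time class".to_string()),
        p => v.push(format!("unexpected scheduling policy {}", p)),
    }
    let actual = cores_of(affinity);
    if actual.is_empty() {
        v.push("affinity mask is empty".to_string());
    }
    // Any core outside the dedicated set is a core that QM processes may also use.
    let stray: Vec<usize> = actual.into_iter().filter(|c| !dedicated.contains(c)).collect();
    if !stray.is_empty() {
        v.push(format!("process may run on non-dedicated cores {:?}", stray));
    }
    v
}

#[cfg(target_os = "linux")]
mod live {
    use super::CpuMask;
    extern "C" {
        fn sched_getscheduler(pid: i32) -> i32;
        fn sched_getaffinity(pid: i32, cpusetsize: usize, mask: *mut CpuMask) -> i32;
    }
    /// Policy and affinity of the calling process, via the glibc wrappers.
    pub fn current() -> Result<(i32, CpuMask), String> {
        let mut mask: CpuMask = [0; 16];
        // SAFETY: pid 0 means "this process"; `mask` is a valid 128-byte buffer.
        let (policy, rc) = unsafe {
            (sched_getscheduler(0), sched_getaffinity(0, std::mem::size_of::<CpuMask>(), &mut mask))
        };
        if policy < 0 || rc != 0 {
            return Err(format!("scheduler query failed: {}", std::io::Error::last_os_error()));
        }
        Ok((policy, mask))
    }
}

/// Self-check to run before the cyclic loop starts; refuse to go cyclic on Err.
#[cfg(target_os = "linux")]
pub fn verify_sc_placement(dedicated: &[usize]) -> Result<(), Vec<String>> {
    let (policy, mask) = live::current().map_err(|e| vec![e])?;
    let v = placement_violations(policy, &mask, dedicated);
    if v.is_empty() { Ok(()) } else { Err(v) }
}

#[cfg(target_os = "linux")]
fn main() {
    // Hypothetical deployment: cores 2 and 3 are reserved for SC work.
    match verify_sc_placement(&[2, 3]) {
        Ok(()) => println!("SC placement OK"),
        Err(v) => v.iter().for_each(|s| println!("AoU violation: {}", s)),
    }
}

#[cfg(not(target_os = "linux"))]
fn main() {
    println!("live check needs Linux; the pure check is placement_violations()");
}
```

Run unprivileged, this reports SCHED_OTHER and a wide affinity mask, which is the point: the process should refuse to enter its cyclic loop until `chrt`/`taskset` (or the service manager's equivalent) have placed it as the AoU requires. The check cannot see whether QM processes are also allowed on those cores; that half of the AoU has to be enforced from the outside (cpusets or the service manager), not from inside the SC process.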
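The heartbeat-receiver and safe-state AoUs describe what Element B has to do with taktora's heartbeat: detect omission, detect value failure, and force the safe state inside the FTTI. The following is an added example, not taktora's heartbeat protocol or code: a small Element B receiver whose detection deadline is whatever the FTTI leaves after the integrator's measured reaction time. The frame layout (alive counter, status word, CRC-8 with polynomial 0x07) and every timing figure are assumptions; the page's own reaction-time bound is not reproduced.

```rust
// Added example, not taktora code: an Element B heartbeat receiver that detects
// omission (silence past a detection deadline) and value failure (sequence
// counter or CRC mismatch) and latches a safe state. The frame layout, the
// CRC-8 (poly 0x07) and all timing figures are assumptions.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Heartbeat {
    pub seq: u32,    // alive counter, +1 per period, wraps
    pub status: u16, // application status word, opaque to the monitor
    pub crc: u8,     // CRC-8 over seq and status (little-endian)
}

/// CRC-8, polynomial 0x07, init 0x00. Any agreed frame check would do.
pub fn crc8(data: &[u8]) -> u8 {
    let mut crc = 0u8;
    for &b in data {
        crc ^= b;
        for _ in 0..8 {
            crc = if crc & 0x80 != 0 { (crc << 1) ^ 0x07 } else { crc << 1 };
        }
    }
    crc
}

impl Heartbeat {
    pub fn new(seq: u32, status: u16) -> Self {
        let mut buf = [0u8; 6];
        buf[..4].copy_from_slice(&seq.to_le_bytes());
        buf[4..].copy_from_slice(&status.to_le_bytes());
        Heartbeat { seq, status, crc: crc8(&buf) }
    }
    fn crc_ok(&self) -> bool {
        Heartbeat::new(self.seq, self.status).crc == self.crc
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Verdict {
    Healthy,
    Omission { silent_us: u64 },
    ValueFailure(&'static str),
    /// Safe state already latched; only a deliberate reset clears it.
    Latched,
}

pub struct Monitor {
    detection_deadline_us: u64,
    expected_seq: Option<u32>,
    last_rx_us: u64,
    safe_state: bool,
}

impl Monitor {
    /// `reaction_us` is the measured worst-case time from a verdict to the
    /// outputs being safe; what remains of the FTTI is the detection budget.
    pub fn new(period_us: u64, ftti_us: u64, reaction_us: u64, start_us: u64) -> Result<Self, String> {
        let deadline = ftti_us
            .checked_sub(reaction_us)
            .ok_or_else(|| "reaction time exceeds FTTI: no detection budget left".to_string())?;
        if deadline < 2 * period_us {
            return Err(format!("detection deadline {} us is under two periods; jitter would trip it", deadline));
        }
        Ok(Monitor { detection_deadline_us: deadline, expected_seq: None, last_rx_us: start_us, safe_state: false })
    }

    fn trip(&mut self, v: Verdict) -> Verdict {
        self.safe_state = true; // latch; the forcing path acts on this flag
        v
    }

    pub fn on_heartbeat(&mut self, now_us: u64, hb: Heartbeat) -> Verdict {
        if self.safe_state { return Verdict::Latched; }
        // A frame arriving after the deadline does not excuse the omission.
        let silent = now_us.saturating_sub(self.last_rx_us);
        if silent > self.detection_deadline_us {
            return self.trip(Verdict::Omission { silent_us: silent });
        }
        if !hb.crc_ok() {
            return self.trip(Verdict::ValueFailure("crc mismatch"));
        }
        if let Some(exp) = self.expected_seq {
            if hb.seq != exp {
                return self.trip(Verdict::ValueFailure("sequence counter not incremented by one"));
            }
        }
        self.expected_seq = Some(hb.seq.wrapping_add(1));
        self.last_rx_us = now_us;
        Verdict::Healthy
    }

    /// Driven by Element B's own timer, so silence is detected even if no
    /// frame ever arrives again.
    pub fn on_tick(&mut self, now_us: u64) -> Verdict {
        if self.safe_state { return Verdict::Latched; }
        let silent = now_us.saturating_sub(self.last_rx_us);
        if silent > self.detection_deadline_us {
            self.trip(Verdict::Omission { silent_us: silent })
        } else {
            Verdict::Healthy
        }
    }

    pub fn in_safe_state(&self) -> bool { self.safe_state }
}

fn main() {
    // Constructed timeline: 10 ms period, 100 ms FTTI, 20 ms reaction, then silence.
    let mut m = Monitor::new(10_000, 100_000, 20_000, 0).unwrap();
    for i in 0..3u32 {
        let t = ((i + 1) * 10_000) as u64;
        println!("t={} {:?}", t, m.on_heartbeat(t, Heartbeat::new(i, 1)));
    }
    println!("t=60000 {:?}", m.on_tick(60_000));
    println!("t=100500 {:?} safe_state={}", m.on_tick(100_500), m.in_safe_state());
}
```

Two design points carry the AoU: the omission check runs from Element B's own timer, not from the arrival of frames, because a dead Element A never sends the frame that would trigger a receive-side check; and the safe state is latched, so a late or resumed heartbeat cannot silently un-trip it. The `2 * period` floor in `new` is the check an integrator wants when they confirm or replace the 100 ms FTTI: if the measured reaction time eats so much of the budget that fewer than two periods remain, the monitor would trip on ordinary jitter.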
Logging (taktora-log / taktora-log-dlt)

These AoUs cover the workspace logging surface (see Logging — DLT base library with swappable backends and Logging — architecture (arc42)). Logging is QM (per Logging is QM (CON_0027)); every safety-relevant property of the log stream depends on the integrator's deployment, so taktora carries the responsibility as AoUs rather than as TSRs.

- The integrator provides a COVESA
- If the integrator swaps the pure-Rust DLT backend for any backend that crosses an FFI boundary, including
- Integrator code on safety-relevant hot paths (ASIL-rated loops, the executor's deadline-critical sections, the
- The integrator ensures DLT App IDs are unique across all processes on the same ECU. The 4-character DLT App ID namespace is flat; colliding IDs make DLT Viewer / dlt-tui filtering ambiguous. taktora reserves the
- The integrator chooses the bounded ring capacity (per Bounded in-memory ring buff... (REQ_0814)), the runtime production log level (per Production default level is... (REQ_0811)), and any non-default reconnect-backoff parameters, based on the ECU's memory and bandwidth budget. taktora ships safe defaults but does not size them for any specific ECU. The default ring capacity should be re-evaluated for high-volume integrations (e.g. ADAS perception pipelines), where overflow during a sustained daemon outage would otherwise drop forensically important records.
- If post-mortem recovery of FATAL events is required after a reboot, the integrator configures the
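The ring-capacity AoU is easiest to reason about by replaying an outage offline. The following is an added example, not taktora-log's ring or its sizing policy: a bounded drop-oldest ring that counts every discarded record (and separately every discarded FATAL record), a sizing helper, and a constructed outage replay. The drop-oldest policy, the headroom percentage and the rates used in `main` are assumptions.

```rust
// Added example, not taktora-log code: a bounded drop-oldest ring instrumented to
// count records lost during a daemon outage, plus a sizing helper. The overflow
// policy, headroom and all rates are assumptions; records are constructed.
use std::collections::VecDeque;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Level { Info, Warn, Error, Fatal }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Record { pub seq: u64, pub level: Level, pub msg: String }

/// When full, the oldest record is discarded so the newest survive; every
/// discard is counted so that a loss is never silent.
pub struct BoundedRing { buf: VecDeque<Record>, cap: usize, dropped: u64, dropped_fatal: u64 }

impl BoundedRing {
    pub fn new(cap: usize) -> Self {
        assert!(cap > 0, "ring capacity must be positive");
        BoundedRing { buf: VecDeque::with_capacity(cap), cap, dropped: 0, dropped_fatal: 0 }
    }

    pub fn push(&mut self, r: Record) {
        if self.buf.len() == self.cap {
            if let Some(old) = self.buf.pop_front() {
                self.dropped += 1;
                if old.level == Level::Fatal { self.dropped_fatal += 1; }
            }
        }
        self.buf.push_back(r);
    }

    /// Called when the daemon connection comes back: hands over what survived.
    pub fn drain(&mut self) -> Vec<Record> { self.buf.drain(..).collect() }
    pub fn dropped(&self) -> u64 { self.dropped }
    pub fn dropped_fatal(&self) -> u64 { self.dropped_fatal }
}

/// Capacity that survives `outage_s` seconds at `peak_rate_per_s` records/s
/// with `headroom_pct` percent of margin on top.
pub fn required_capacity(peak_rate_per_s: u64, outage_s: u64, headroom_pct: u64) -> usize {
    let base = peak_rate_per_s * outage_s;
    (base + base * headroom_pct / 100) as usize
}

/// Replays an outage offline: the daemon is unreachable for `outage_s`, the
/// application keeps logging at `rate_per_s`, and one FATAL record lands in
/// the middle. Returns (records delivered at reconnect, dropped, FATAL dropped).
pub fn simulate_outage(cap: usize, rate_per_s: u64, outage_s: u64) -> (usize, u64, u64) {
    let mut ring = BoundedRing::new(cap);
    let total = rate_per_s * outage_s;
    for seq in 0..total {
        let level = if seq == total / 2 { Level::Fatal } else { Level::Info };
        ring.push(Record { seq, level, msg: format!("constructed record {}", seq) });
    }
    let delivered = ring.drain();
    (delivered.len(), ring.dropped(), ring.dropped_fatal())
}

fn main() {
    // Constructed figures: 500 records/s peak, daemon down for 5 s.
    let (rate, outage) = (500, 5);
    println!("default-sized ring (1000): {:?}", simulate_outage(1000, rate, outage));
    let cap = required_capacity(rate, outage, 20);
    println!("sized ring ({}): {:?}", cap, simulate_outage(cap, rate, outage));
}
```

The replay makes the AoU's warning concrete: with a ring sized for a quiet ECU, a FATAL record written mid-outage is exactly the kind of record that a drop-oldest policy discards before the daemon returns, which is why the page pairs this AoU with the separate post-mortem recovery requirement for FATAL events.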
- Every fieldbus output slave has its sync-manager (process-data) watchdog enabled, with a timeout bounded at or below FTTI/2 (≤ 50 ms given the assumed 100 ms FTTI). This is load-bearing for the runtime's fail-fast failure model (Framework-invariant violati... (REQ_0123), Abort on framework-invarian... (ADR_0065)): on a framework-invariant abort the master stops emitting process-data frames and runs no destructors, so the slave watchdog is the sole mechanism that drives outputs to their configured safe state. If the watchdog is disabled, the outputs hold their last commanded value indefinitely; if its timeout exceeds FTTI/2, the safe-state transition misses budget.

Enforcement status (2026-06-07). The bound is now validated and programmed rather than merely assumed: the per-SM enable bit is decoded from the ESI (ESI model exposes per-SM wa... (REQ_0843)) and statically rejected at network-config time when disabled on an output slave (Validate the SM-watchdog bo... (REQ_0845), with an explicit per-device attestation required for inline-described devices that have no ESI); the timeout is resolved (default FTTI/2, override validated against the quantized effective value, Resolve and emit each outpu... (REQ_0844)) and programmed into the device watchdog registers (
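The enforcement paragraph above describes three checks at network-config time: reject an output slave whose ESI says the SM watchdog is disabled (or that has no ESI and no attestation), resolve the timeout (default FTTI/2, or an override), and validate the override against the quantized value the device will actually run. The following is an added example, not taktora's resolver: it carries those three checks through on a constructed device list. The register model (a 16-bit divider counted in 40 ns units plus two, and a 16-bit timeout counter, so that divider 2498 gives a 100 µs tick) is the common EtherCAT ESC layout and is an assumption here, as are the two-cycle lower bound and the device records in `main`.

```rust
// Added example, not taktora code: resolve and validate an output slave's
// process-data (SM) watchdog against FTTI/2. The divider/counter register model
// (40 ns units, 25 MHz base) is an assumption, as is the two-cycle floor.

pub const FTTI_US: u64 = 100_000; // the page's assumed FTTI

#[derive(Debug, Clone, Copy)]
pub struct OutputSlave<'a> {
    pub name: &'a str,
    pub has_outputs: bool,
    /// Some(enable bit) decoded from the ESI; None for an inline-described device without ESI.
    pub esi_sm_watchdog_enabled: Option<bool>,
    /// Explicit per-device attestation, consulted only when there is no ESI.
    pub attested_watchdog_enabled: bool,
    /// Integrator override of the timeout, in microseconds.
    pub override_us: Option<u64>,
}

#[derive(Debug, PartialEq, Eq)]
pub struct WatchdogPlan { pub divider: u16, pub counter: u16, pub effective_us: u64 }

/// Watchdog tick in nanoseconds for a divider register value (25 MHz base, assumed).
pub fn tick_ns(divider: u16) -> u64 { (divider as u64 + 2) * 40 }

/// Ok(None): input-only device, nothing to program. Err: network config rejected.
pub fn resolve(dev: &OutputSlave, divider: u16, cycle_us: u64, ftti_us: u64) -> Result<Option<WatchdogPlan>, String> {
    if !dev.has_outputs { return Ok(None); }
    let enabled = match dev.esi_sm_watchdog_enabled {
        Some(e) => e,
        None if dev.attested_watchdog_enabled => true,
        None => return Err(format!("{}: no ESI and no per-device watchdog attestation", dev.name)),
    };
    if !enabled {
        return Err(format!("{}: SM watchdog disabled on an output slave; outputs would hold their last value after an abort", dev.name));
    }
    let bound_us = ftti_us / 2;
    let tick = tick_ns(divider);
    let counter = match dev.override_us {
        // Default: the largest representable timeout that does not exceed FTTI/2.
        None => bound_us * 1000 / tick,
        // Override: what the device will actually run (nearest representable);
        // that effective value, not the requested one, is what gets validated.
        Some(req) => (req * 1000 + tick / 2) / tick,
    };
    if counter == 0 || counter > u16::MAX as u64 {
        return Err(format!("{}: timeout not representable with a {} ns tick", dev.name, tick));
    }
    let effective_us = counter * tick / 1000;
    if effective_us > bound_us {
        return Err(format!("{}: effective timeout {} us exceeds FTTI/2 = {} us after quantization", dev.name, effective_us, bound_us));
    }
    if effective_us < 2 * cycle_us {
        return Err(format!("{}: effective timeout {} us is under two cycles; normal jitter would trip it", dev.name, effective_us));
    }
    Ok(Some(WatchdogPlan { divider, counter: counter as u16, effective_us }))
}

fn main() {
    // Constructed device list; names and settings are hypothetical.
    let devices = [
        OutputSlave { name: "drive-1", has_outputs: true, esi_sm_watchdog_enabled: Some(true), attested_watchdog_enabled: false, override_us: None },
        OutputSlave { name: "drive-2", has_outputs: true, esi_sm_watchdog_enabled: Some(true), attested_watchdog_enabled: false, override_us: Some(49_990) },
        OutputSlave { name: "valve-3", has_outputs: true, esi_sm_watchdog_enabled: Some(false), attested_watchdog_enabled: false, override_us: None },
        OutputSlave { name: "inline-4", has_outputs: true, esi_sm_watchdog_enabled: None, attested_watchdog_enabled: false, override_us: None },
        OutputSlave { name: "encoder-5", has_outputs: false, esi_sm_watchdog_enabled: Some(false), attested_watchdog_enabled: false, override_us: None },
    ];
    // A 120 us tick (divider 2998) shows why the quantized value is what counts.
    for d in &devices {
        println!("{}: {:?}", d.name, resolve(d, 2998, 1000, FTTI_US));
    }
}
```

The `drive-2` case is the one the page's wording is about: 49 990 µs is under the 50 ms bound on paper, but with a 120 µs tick the nearest representable value is 417 ticks, 50 040 µs, so the device would actually run above FTTI/2 and the override must be rejected. The default path rounds down instead, so it always lands inside the bound.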