Assumptions of Use

The SEooC contract with the integrator. Each AoU is a claim taktora makes about the integrator’s environment or process. The integrator MUST validate every AoU before claiming any ASIL for a taktora-hosted item.

Assumption of Use: Diverse Element B monitor at ASIL B(D) AOU_0001
status: open

The integrator supplies a diverse, independent Element B monitor of equivalent ASIL B(D) capability that observes taktora’s outputs and forces safe state on detected omission or value failure.

Validates:

Decomposition (ASIL Decomposition)

Assumption of Use: Independence between Element A and Element B AOU_0002
status: open

Element A (taktora) and Element B (monitor) run on independent CPU cores or independent SoCs, with independent power and clock domains where feasible.

Validates:

Independence per ISO 26262-9 §5.4.4

Assumption of Use: Heartbeat receiver and safe-state path AOU_0003
status: open

The integrator implements the receiver side of taktora’s heartbeat protocol and the safe-state forcing path, with a reaction time of at most FTTI minus taktora’s emission period (at most 50 ms given FTTI = 100 ms and a heartbeat period ≤ FTTI/2).

Validates:

Heartbeat for Element B mon... (TSR_0010)
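A receiver-side monitor that sizes its omission deadline to this budget, added here as an example (not taktora’s own code; FTTI = 100 ms is taken from this page, while the HeartbeatMonitor type, the Verdict enum and the safe_state_latency parameter are assumptions):

```rust
// Added example for AOU_0003: receiver-side heartbeat monitor sized to the
// reaction budget FTTI - period. Constructed types, not taktora's own API.
use std::time::Duration;

/// FTTI assumed by the page: 100 ms.
pub const FTTI: Duration = Duration::from_millis(100);
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict {
    Healthy,
    ForceSafeState, // omission or value failure: drive the safe-state path now
}
pub struct HeartbeatMonitor {
    omission_after: Duration, // declare omission once this long since last heartbeat
    last_seq: Option<u32>,
    last_seen: Duration, // monotonic timestamp of the last accepted heartbeat
    latched: bool,       // safe state is sticky until the application resets it
}
impl HeartbeatMonitor {
    /// `safe_state_latency`: worst-case time from ForceSafeState to outputs safe,
    /// including this monitor's tick granularity. Worst case: last valid emission at
    /// t0, omission declared at t0 + period + tolerance, outputs safe by t0 + FTTI.
    pub fn new(period: Duration, safe_state_latency: Duration, now: Duration)
        -> Result<Self, &'static str> {
        if period > FTTI / 2 { return Err("heartbeat period exceeds FTTI/2"); }
        let tolerance = (FTTI - period)
            .checked_sub(safe_state_latency)
            .ok_or("safe-state path latency exceeds FTTI - period")?;
        Ok(Self { omission_after: period + tolerance, last_seq: None, last_seen: now, latched: false })
    }

    /// Per received heartbeat; a non-increasing sequence number is a value failure.
    pub fn on_heartbeat(&mut self, seq: u32, now: Duration) -> Verdict {
        if self.latched || matches!(self.last_seq, Some(prev) if seq <= prev) {
            self.latched = true;
            return Verdict::ForceSafeState;
        }
        self.last_seq = Some(seq);
        self.last_seen = now;
        Verdict::Healthy
    }

    /// Periodic check by Element B, run at least once per emission period.
    pub fn on_tick(&mut self, now: Duration) -> Verdict {
        if self.latched || now.saturating_sub(self.last_seen) > self.omission_after {
            self.latched = true;
            return Verdict::ForceSafeState;
        }
        Verdict::Healthy
    }
}
```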

Assumption of Use: Host OS provides MMU isolation and deterministic scheduling AOU_0004
status: open

The host OS provides MMU-enforced address-space isolation between processes and a deterministic scheduling discipline (real-time class or deadline-based scheduling).

Validates:

Integrity-level declaration... (TSR_0003), Cross-process hosting mode (TSR_0009)

Assumption of Use: Real-time scheduling and CPU pinning for SC process AOU_0005
status: open

The integrator pins the SC process to dedicated CPU core(s) and configures it under SCHED_FIFO or SCHED_DEADLINE; QM processes are excluded from those cores.

Validates:

Temporal FFI

Assumption of Use: Integrator confirms HARA inputs and FTTI AOU_0006
status: open

The integrator validates that the assumed hazards (Loss of cyclic safety-criti... (AHZ_0001), Erroneous safety-critical c... (AHZ_0002)) and assumed safety goals (Prevent unintended terminat... (ASG_0001), Prevent silent corruption o... (ASG_0002)) match the result of their own HARA. The FTTI of 100 ms is confirmed or replaced.

Validates:

Whole concept

Assumption of Use: Integrator owns safe-state semantics AOU_0007
status: open

The integrator’s application logic enters a defined safe state on receipt of HealthEvent::Faulted or on absence of expected channel data within deadline. Taktora raises faults; it does not define what safe state means for any particular application.

Validates:

Internal fault detection an... (AFSR_0004)

Assumption of Use: Integrator unsafe-Rust discipline AOU_0008
status: open

The integrator’s own ExecutableItem implementations use unsafe Rust only in ways that do not violate spatial isolation invariants — no aliasing of channel handles, no escape of writable references across integrity-level boundaries, no shared mutable state outside iceoryx2 channels.

Validates:

Spatial FFI

Assumption of Use: Lower-stack qualification at ASIL B(D) AOU_0009
status: open

The integrator confirms that the host OS kernel, libc, iceoryx2 runtime, and Rust toolchain are qualified to at least ASIL B(D). Taktora does not qualify these — they sit below taktora in the stack.

Validates:

Whole stack

Logging (taktora-log / taktora-log-dlt)

These AoUs cover the workspace logging surface (see Logging — DLT base library with swappable backends and Logging — architecture (arc42)). Logging is QM (per Logging is QM (CON_0027)); every safety-relevant property of the log stream depends on the integrator’s deployment, so taktora records that responsibility as AoUs on the integrator rather than as TSRs.

Assumption of Use: Integrator provides a DLT daemon AOU_0010
status: open

The integrator provides a COVESA dlt-daemon (or compatible) listening on the Unix-domain socket or TCP endpoint configured at taktora-log-dlt init. taktora-log-dlt does not start, supervise, restart, or reconfigure the daemon.

Validates:

UDS (default) and TCP trans... (REQ_0807)

Assumption of Use: Integrator owns FFI freedom-from-interference AOU_0011
status: open

If the integrator swaps the pure-Rust DLT backend for any backend that crosses an FFI boundary — including libdlt adapters (dlt_log, dlt-rs, tracing-dlt) or vendor logger SDKs — the integrator owns the freedom-from-interference argument (separate process, memory partitioning, supervised lifecycle). taktora’s spec only covers the pure-Rust DLT backend at taktora-log-dlt DLT-backend... (BB_0091).

Validates:

No build-time dependency on... (CON_0025), Backend-swap surface (FEAT_0073)

Assumption of Use: Safety-relevant hot paths do not log AOU_0012
status: open

Integrator code on safety-relevant hot paths (ASIL-rated loops, the executor’s deadline-critical sections, the HealthEvent::Faulted emit path) shall not log inside the tightest loops. taktora-log is best-effort, lossy under overload (per Drop-oldest overflow policy... (REQ_0815)), and not certified. Logging from a safety path is acceptable only when the path can absorb a dropped record without changing its safety behaviour.

Validates:

Logging is QM (CON_0027), Low-overhead, non-blocking ... (QG_0020)

Assumption of Use: DLT App ID uniqueness on the ECU AOU_0013
status: open

The integrator ensures DLT App IDs are unique across all processes on the same ECU. The 4-character DLT App ID namespace is flat; colliding IDs make DLT Viewer / dlt-tui filtering ambiguous. taktora reserves the TK* prefix for its own crates (per 4-character DLT App ID and ... (REQ_0808)); integrators shall pick non-TK* IDs for their own applications.

Validates:

4-character DLT App ID and ... (REQ_0808)

Assumption of Use: Integrator sizes ring capacity and runtime log level AOU_0014
status: open

The integrator chooses the bounded ring capacity (per Bounded in-memory ring buff... (REQ_0814)), the runtime production log level (per Production default level is... (REQ_0811)), and any non-default reconnect-backoff parameters, based on the ECU’s memory and bandwidth budget. taktora ships safe defaults but does not size them for any specific ECU. The default ring capacity should be re-evaluated for high-volume integrations (e.g. ADAS perception pipelines) where overflow under sustained daemon outage would otherwise drop forensically important records.

Validates:

Bounded in-memory ring buff... (REQ_0814), Drop-oldest overflow policy... (REQ_0815)

Assumption of Use: Reboot persistence is daemon-side AOU_0015
status: open

If post-mortem recovery of FATAL events is required after a reboot, the integrator configures the dlt-daemon offline-trace storage (dlt.conf OfflineTraceDirectory / size limits) — that is the AUTOSAR-spec’d persistence path. taktora-log-dlt’s in-memory ring (per Bounded in-memory ring buff... (REQ_0814)) covers daemon-down windows only and is lost on process restart.

Validates:

Bounded in-memory ring buff... (REQ_0814)

Assumption of Use: Output-slave watchdog enabled and bounded AOU_0016
status: open

Every fieldbus output slave has its sync-manager (process-data) watchdog enabled, with a timeout bounded at or below FTTI/2 (≤ 50 ms given the assumed 100 ms FTTI). This is load-bearing for the runtime’s fail-fast failure model (Framework-invariant violati... (REQ_0123), Abort on framework-invarian... (ADR_0065)): on a framework-invariant abort the master stops emitting process-data frames and runs no destructors, so the slave watchdog is the sole mechanism that drives outputs to their configured safe state. If the watchdog is disabled the outputs hold their last commanded value indefinitely; if its timeout exceeds FTTI/2 the safe-state transition misses budget.

Enforcement status (2026-06-07). The bound is now validated and programmed rather than merely assumed: the per-SM enable bit is decoded from the ESI (ESI model exposes per-SM wa... (REQ_0843)) and statically rejected at network-config time when disabled on an output slave (Validate the SM-watchdog bo... (REQ_0845), with an explicit per-device attestation required for inline-described devices that have no ESI); the timeout is resolved (default FTTI/2, override validated against the quantized effective value, Resolve and emit each outpu... (REQ_0844)) and programmed into the device watchdog registers (0x0400/0x0420) during every bring-up and recovery, read-back-verified, hard-failing on mismatch (Master programs the SubDevi... (REQ_0846)). The residual assumption carried by this AOU shrinks to: the device honours its SM watchdog per ETG1000.4, and its configured safe-state output values are themselves correct.

Validates:

Internal fault detection an... (AFSR_0004), Framework-invariant violati... (REQ_0123)
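The resolve-and-validate step described in the enforcement status above, worked as an added example (not taktora’s code; the 0x0400/0x0420 register semantics are my reading of the ESC datasheet, and WatchdogEvidence, ConfigError, resolve_output_watchdog and verify_readback are assumed names):

```rust
// Added example for AOU_0016: resolve one output slave's SM watchdog timeout against
// the FTTI/2 bound with register quantization, then verify read-back. Register meaning
// is my reading of the ESC datasheet (ETG.1000.4), not the page: 0x0400 Watchdog Divider,
// tick = (divider + 2) * 40 ns; 0x0420 Watchdog Time PD, timeout = time_pd * tick.
const FTTI_US: u64 = 100_000; // FTTI assumed by the page
const ESC_CLOCK_NS: u64 = 40; // 25 MHz ESC clock (datasheet assumption)
#[derive(Debug, PartialEq, Eq)]
pub struct SmWatchdogSetting {
    pub divider: u16, // value programmed at 0x0400
    pub time_pd: u16, // value programmed at 0x0420
}
impl SmWatchdogSetting {
    /// Effective timeout in microseconds as the device will actually apply it.
    pub fn effective_us(&self) -> u64 { (self.divider as u64 + 2) * ESC_CLOCK_NS * self.time_pd as u64 / 1000 }
}

/// Source of the per-SM enable bit: decoded ESI, or an inline-described device
/// with no ESI, which needs an explicit per-device attestation instead.
#[derive(Debug, Clone, Copy)]
pub enum WatchdogEvidence { Esi { enabled: bool }, NoEsi { attested: bool } }
#[derive(Debug, PartialEq, Eq)]
pub enum ConfigError {
    WatchdogDisabled, NotAttested, Unrepresentable,
    ExceedsBound { effective_us: u64, bound_us: u64 },
}
/// Reject a disabled watchdog at network-config time, resolve the timeout (default
/// FTTI/2 or an integrator override) and validate the quantized effective value.
pub fn resolve_output_watchdog(evidence: WatchdogEvidence, override_us: Option<u64>, divider: u16)
    -> Result<SmWatchdogSetting, ConfigError> {
    match evidence {
        WatchdogEvidence::Esi { enabled: false } => return Err(ConfigError::WatchdogDisabled),
        WatchdogEvidence::NoEsi { attested: false } => return Err(ConfigError::NotAttested),
        _ => {}
    }
    let bound_us = FTTI_US / 2;
    let tick_ns = (divider as u64 + 2) * ESC_CLOCK_NS;
    // Round down: quantization may only shorten the timeout, never lengthen it past the request.
    let time_pd = override_us.unwrap_or(bound_us) * 1000 / tick_ns;
    if time_pd == 0 || time_pd > u16::MAX as u64 { return Err(ConfigError::Unrepresentable); }
    let setting = SmWatchdogSetting { divider, time_pd: time_pd as u16 };
    let effective_us = setting.effective_us();
    if effective_us > bound_us { return Err(ConfigError::ExceedsBound { effective_us, bound_us }); }
    Ok(setting)
}

/// Read-back check after programming on every bring-up and recovery; a mismatch is a hard failure.
pub fn verify_readback(expected: &SmWatchdogSetting, read_divider: u16, read_time_pd: u16) -> bool {
    expected.divider == read_divider && expected.time_pd == read_time_pd
}
```

With the default divider 2498 the tick is 100 µs, so the FTTI/2 default resolves to time_pd = 500; a coarse divider such as 0xFFFF shows the round-down at work.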