Assumptions of Use

This page is the SEooC contract with the integrator. Each AoU is a claim taktora makes about the integrator’s environment or process. The integrator MUST validate every AoU before claiming any ASIL for a taktora-hosted item.

Assumption of Use: Diverse Element B monitor at ASIL B(D) AOU_0001
status: open

The integrator supplies a diverse, independent Element B monitor of equivalent ASIL B(D) capability that observes taktora’s outputs and forces safe state on detected omission or value failure.

Validates:

Decomposition (ASIL Decomposition)

Assumption of Use: Independence between Element A and Element B AOU_0002
status: open

Element A (taktora) and Element B (monitor) run on independent CPU cores or independent SoCs, with independent power and clock domains where feasible.

Validates:

Independence per ISO 26262-9 §5.4.4

Assumption of Use: Heartbeat receiver and safe-state path AOU_0003
status: open

The integrator implements the receiver side of taktora’s heartbeat protocol and the safe-state forcing path, with a reaction time of at most FTTI minus taktora’s heartbeat emission period (at most 50 ms given FTTI = 100 ms and a heartbeat period ≤ FTTI/2).

Validates:

Heartbeat for Element B mon... (TSR_0010)
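A pure-logic sketch of the Element B receiver this AoU asks the integrator to provide, added here as an example and not taktora’s own code. FTTI = 100 ms and period ≤ FTTI/2 follow the page; the `Heartbeat` struct, the sequence-counter check and the jitter allowance are assumptions.

```rust
// Added example, not taktora project code: a pure-logic model of the Element B
// heartbeat receiver that AOU_0003 asks the integrator to supply. It detects
// omission (silence longer than one period plus jitter) and value failure
// (sequence counter not advancing by one) and latches the safe-state demand.
use std::time::Duration;

/// Constructed heartbeat message; taktora's real heartbeat format is not shown on the page.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Heartbeat { pub seq: u32 }
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Verdict { Nominal, ForceSafeState(&'static str) }

/// Checks the page's timing rule (period <= FTTI/2) and returns the reaction
/// budget left to the receiver and safe-state path: FTTI minus the period.
pub fn reaction_budget(ftti: Duration, period: Duration) -> Result<Duration, String> {
    if period.is_zero() || period > ftti / 2 {
        return Err(format!("period {:?} exceeds FTTI/2 = {:?}", period, ftti / 2));
    }
    Ok(ftti - period)
}

pub struct Monitor {
    deadline: Duration,  // one heartbeat period plus accepted jitter (assumed allowance)
    last_seen: Duration, // receiver-clock time of the last good heartbeat
    last_seq: Option<u32>,
    latched: Option<&'static str>,
}

impl Monitor {
    pub fn new(period: Duration, jitter: Duration, start: Duration) -> Self {
        Monitor { deadline: period + jitter, last_seen: start, last_seq: None, latched: None }
    }

    /// Called on every receiver tick with the current time and any heartbeat read.
    pub fn observe(&mut self, now: Duration, hb: Option<Heartbeat>) -> Verdict {
        if let Some(reason) = self.latched { return Verdict::ForceSafeState(reason); }
        let fault = match hb {
            // Value failure: the counter must advance by exactly one.
            Some(h) if self.last_seq.map_or(false, |p| h.seq != p.wrapping_add(1)) => {
                Some("heartbeat sequence error")
            }
            Some(h) => { self.last_seq = Some(h.seq); self.last_seen = now; None }
            // Omission: no heartbeat within one period plus jitter.
            None if now.saturating_sub(self.last_seen) > self.deadline => Some("heartbeat omission"),
            None => None,
        };
        self.latched = fault; // the safe-state demand stays latched until an explicit reset
        fault.map_or(Verdict::Nominal, Verdict::ForceSafeState)
    }
}
```

The receiver tick itself must run at a rate that keeps detection plus safe-state forcing inside the `reaction_budget` value, which is what the 50 ms figure above bounds.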

Assumption of Use: Host OS provides MMU isolation and deterministic scheduling AOU_0004
status: open

The host OS provides MMU-enforced address-space isolation between processes and a deterministic scheduling discipline (real-time class or deadline-based scheduling).

Validates:

Integrity-level declaration... (TSR_0003), Cross-process hosting mode (TSR_0009)

Assumption of Use: Real-time scheduling and CPU pinning for SC process AOU_0005
status: open

The integrator pins the SC process to dedicated CPU core(s) and configures it under SCHED_FIFO or SCHED_DEADLINE; QM processes are excluded from those cores.

Validates:

Temporal FFI

Assumption of Use: Integrator confirms HARA inputs and FTTI AOU_0006
status: open

The integrator validates that the assumed hazards (Loss of cyclic safety-criti... (AHZ_0001), Erroneous safety-critical c... (AHZ_0002)) and assumed safety goals (Prevent unintended terminat... (ASG_0001), Prevent silent corruption o... (ASG_0002)) match the result of their own HARA. The FTTI of 100 ms is confirmed or replaced.

Validates:

Whole concept

Assumption of Use: Integrator owns safe-state semantics AOU_0007
status: open

The integrator’s application logic enters a defined safe state on receipt of HealthEvent::Faulted or on absence of expected channel data within deadline. Taktora raises faults; it does not define what safe state means for any particular application.

Validates:

Internal fault detection an... (AFSR_0004)

Assumption of Use: Integrator unsafe-Rust discipline AOU_0008
status: open

The integrator’s own ExecutableItem implementations use unsafe Rust only in ways that do not violate spatial isolation invariants — no aliasing of channel handles, no escape of writable references across integrity-level boundaries, no shared mutable state outside iceoryx2 channels.

Validates:

Spatial FFI

Assumption of Use: Lower-stack qualification at ASIL B(D) AOU_0009
status: open

The integrator confirms that the host OS kernel, libc, iceoryx2 runtime, and Rust toolchain are qualified to at least ASIL B(D). Taktora does not qualify these — they sit below taktora in the stack.

Validates:

Whole stack