Safety

ISO 26262 Safety Element out of Context (SEooC) safety concept for taktora. Sketch-level coverage: assumed item, illustrative HARA, two assumed safety goals, five assumed functional safety requirements (AFSRs), ten technical safety requirements (TSRs) allocated to taktora’s existing crates, the Freedom From Interference argument spanning spatial / temporal / information-exchange categories, and the nine-item Assumption-of-Use (AoU) contract with the integrator.

ASIL capability: ASIL D, claimed via ISO 26262-9 §5 decomposition ASIL D = ASIL B(D) + ASIL B(D). Taktora is Element A at ASIL B(D); the integrator supplies a diverse independent monitor as Element B at ASIL B(D). The independence argument is claimed but not closed by taktora — closure is an AoU on the integrator.

How to read this section:

  1. Start with Assumed Item — what taktora-hosted item we assume.

  2. Read Assumed HARA — Hazards and Safety Goals — assumed hazards and the safety goals they drive.

  3. Read ASIL Decomposition — how we get to ASIL D.

  4. Read Functional Safety Concept — Assumed FSRs for the assumed functional safety requirements, then Technical Safety Concept — TSRs for the refinement onto taktora’s crates.

  5. Read Freedom From Interference Argument for the Freedom From Interference argument.

  6. Read Assumptions of Use for what the integrator MUST validate.

Architecture decisions supporting this concept (ADR_0050, ADR_0051) live in Safety architecture decisions under the architecture tree.

Safety artefacts at a glance

Assumed hazards (filter: types(assumed-hazard))

| ID       | Title                                  | Status  | ASIL |
|----------|----------------------------------------|---------|------|
| AHZ_0001 | Loss of cyclic safety-critical command | assumed | D    |
| AHZ_0002 | Erroneous safety-critical command      | assumed | D    |

Assumed safety goals (filter: types(assumed-safety-goal))

| ID       | Title                                                                    | Status  | ASIL |
|----------|--------------------------------------------------------------------------|---------|------|
| ASG_0001 | Prevent unintended termination of the safety-critical cyclic computation | assumed | D    |
| ASG_0002 | Prevent silent corruption of safety-critical input/output data           | assumed | D    |

Assumed functional safety requirements (filter: types(assumed-fsr))

| ID        | Title                                                  | Status  | ASIL | Refines            |
|-----------|--------------------------------------------------------|---------|------|--------------------|
| AFSR_0001 | Spatial Freedom From Interference between integrity levels | assumed | B(D) | ASG_0001; ASG_0002 |
| AFSR_0002 | Directional channel topology                           | assumed | B(D) | ASG_0002           |
| AFSR_0003 | Per-integrity-level allocation isolation               | assumed | B(D) | ASG_0001           |
| AFSR_0004 | Internal fault detection and propagation               | assumed | B(D) | ASG_0001; ASG_0002 |
| AFSR_0005 | Startup integrity verification                         | assumed | B(D) | ASG_0001; ASG_0002 |

Technical safety requirements (filter: types(tsr))

| ID       | Title                                                          | Status      | ASIL | Refines              |
|----------|----------------------------------------------------------------|-------------|------|----------------------|
| TSR_0001 | Bounded allocator hard caps                                    | implemented | B(D) | AFSR_0003            |
| TSR_0002 | Per-integrity-level allocation quotas                          | draft       | B(D) | AFSR_0003            |
| TSR_0003 | Integrity-level declaration and process isolation              | draft       | B(D) | AFSR_0001            |
| TSR_0004 | Missed-deadline detection within one cycle                     | implemented | B(D) | AFSR_0004            |
| TSR_0005 | Compile-time channel directionality                            | implemented | B(D) | AFSR_0002            |
| TSR_0006 | Bounded health-event latency                                   | implemented | B(D) | AFSR_0004            |
| TSR_0007 | Single-publisher iceoryx2 topology for safety-critical channels | implemented | B(D) | AFSR_0002            |
| TSR_0008 | Envelope sequence + CRC integrity                              | draft       | B(D) | AFSR_0002; AFSR_0004 |
| TSR_0009 | Cross-process hosting mode                                     | draft       | B(D) | AFSR_0001; AFSR_0002 |
| TSR_0010 | Heartbeat for Element B monitor                                | draft       | B(D) | AFSR_0004            |
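The goal-to-TSR tables above form a traceability chain that a safety assessor will walk by hand; the following is an added example (not taktora's own tooling) that performs the same walk over the rows transcribed from this page, flagging dangling references, safety goals or AFSRs with no refinement below them, AFSRs whose refinements are all still draft, and any element whose ASIL departs from the decomposed B(D) claim. The ID, status, ASIL and Refines values are the page's; the check functions and their names are mine.

```python
# Traceability check over the needs tables on this page (added example,
# not taktora's own tooling). Rows are transcribed from the tables above;
# the check logic and function names are assumptions of this example.

ASIL_ELEMENT_A = "B(D)"  # ASIL claimed for taktora after decomposition

# id -> (status, asil, refines)
ASG = {"ASG_0001": ("assumed", "D", set()),
       "ASG_0002": ("assumed", "D", set())}
AFSR = {
    "AFSR_0001": ("assumed", "B(D)", {"ASG_0001", "ASG_0002"}),
    "AFSR_0002": ("assumed", "B(D)", {"ASG_0002"}),
    "AFSR_0003": ("assumed", "B(D)", {"ASG_0001"}),
    "AFSR_0004": ("assumed", "B(D)", {"ASG_0001", "ASG_0002"}),
    "AFSR_0005": ("assumed", "B(D)", {"ASG_0001", "ASG_0002"}),
}
TSR = {
    "TSR_0001": ("implemented", "B(D)", {"AFSR_0003"}),
    "TSR_0002": ("draft", "B(D)", {"AFSR_0003"}),
    "TSR_0003": ("draft", "B(D)", {"AFSR_0001"}),
    "TSR_0004": ("implemented", "B(D)", {"AFSR_0004"}),
    "TSR_0005": ("implemented", "B(D)", {"AFSR_0002"}),
    "TSR_0006": ("implemented", "B(D)", {"AFSR_0004"}),
    "TSR_0007": ("implemented", "B(D)", {"AFSR_0002"}),
    "TSR_0008": ("draft", "B(D)", {"AFSR_0002", "AFSR_0004"}),
    "TSR_0009": ("draft", "B(D)", {"AFSR_0001", "AFSR_0002"}),
    "TSR_0010": ("draft", "B(D)", {"AFSR_0004"}),
}

def dangling_refs(lower, upper):
    """IDs in `lower` whose Refines column names something not in `upper`."""
    return {nid for nid, (_, _, refs) in lower.items() if refs - set(upper)}

def unrefined(upper, lower):
    """IDs in `upper` that nothing in `lower` refines (a coverage hole)."""
    covered = set().union(*(refs for _, _, refs in lower.values()))
    return set(upper) - covered

def without_implemented_tsr(afsr=AFSR, tsr=TSR):
    """AFSRs whose refining TSRs are all still draft, or absent entirely."""
    done = set().union(*(r for s, _, r in tsr.values() if s == "implemented"))
    return set(afsr) - done

def asil_mismatches(*tables):
    """Elements whose ASIL differs from the decomposed Element A claim."""
    return {nid for t in tables for nid, (_, asil, _) in t.items()
            if asil != ASIL_ELEMENT_A}

if __name__ == "__main__":
    print("dangling:", dangling_refs(TSR, AFSR) | dangling_refs(AFSR, ASG))
    print("AFSRs with no TSR:", unrefined(AFSR, TSR))
    print("AFSRs with no implemented TSR:", without_implemented_tsr())
    print("ASIL mismatches:", asil_mismatches(AFSR, TSR))
```

Run against the rows as they stand, the check reports that AFSR_0005 has no TSR refining it at all and that AFSR_0001 is refined only by draft TSRs; these are the open items an assessor would ask about before accepting the B(D) claim for Element A.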

Assumptions of Use (filter: types(aou))

| ID       | Title                                                       | Status |
|----------|-------------------------------------------------------------|--------|
| AOU_0001 | Diverse Element B monitor at ASIL B(D)                      | open   |
| AOU_0002 | Independence between Element A and Element B                | open   |
| AOU_0003 | Heartbeat receiver and safe-state path                      | open   |
| AOU_0004 | Host OS provides MMU isolation and deterministic scheduling | open   |
| AOU_0005 | Real-time scheduling and CPU pinning for SC process         | open   |
| AOU_0006 | Integrator confirms HARA inputs and FTTI                    | open   |
| AOU_0007 | Integrator owns safe-state semantics                        | open   |
| AOU_0008 | Integrator unsafe-Rust discipline                           | open   |
| AOU_0009 | Lower-stack qualification at ASIL B(D)                      | open   |