System-Level Test Cases

Black-box, requirements-based, blind to code; oracles REVIEW REQUIRED.

comms safety supervision command actuation localization motion_control perception power_management cyclic_scheduler

644 system-level, requirements-based black-box test cases (EP / BVA / Decision / State / Interface / Scenario), generated blind to the source code. Every oracle is marked REVIEW REQUIRED (Design-Entscheidung B): the customer reviews and executes.

comms 52 tests

ID	Method	Covers	Title	Stimuli	Expected (oracle)
`TC-COM-001`	BVA	REQ-COM-001	System time minimum boundary	tick_ms_=0	Module shall accept tick_ms_ = 0 without error; link_status_.time_since_last_valid_frame shall compute correctly using this timestamp
`TC-COM-002`	BVA	REQ-COM-001	System time maximum boundary	tick_ms_=max_value	REVIEW REQUIRED
`TC-COM-003`	BVA	REQ-COM-001	System time monotonic advancement nominal	tick_ms_=2000	Module shall accept monotonically increasing tick_ms_; time_since_last_valid_frame and latency calculations shall reflect positive time deltas
`TC-COM-004`	BVA	REQ-COM-001	System time non-monotonic violation (negative test)	tick_ms_=3000	REVIEW REQUIRED
`TC-COM-005`	BVA	REQ-COM-002	Packet loss percentage at minimum boundary	tick_ms_=1000	link_status_.packet_loss_percentage shall be 0.0
`TC-COM-006`	BVA	REQ-COM-002	Packet loss percentage at maximum boundary	tick_ms_=1000	link_status_.packet_loss_percentage shall be 100.0
`TC-COM-007`	BVA	REQ-COM-002	Packet loss percentage mid-range nominal	tick_ms_=1000	link_status_.packet_loss_percentage shall be in range [0.0, 100.0], reflecting observed loss rate
`TC-COM-008`	BVA	REQ-COM-003	Latency clamping at upper bound	tick_ms_=10000	REVIEW REQUIRED
`TC-COM-009`	BVA	REQ-COM-003	Time since last valid frame clamping at upper bound	tick_ms_=100000	REVIEW REQUIRED
`TC-COM-010`	BVA	REQ-COM-003	Latency below clamping threshold nominal	tick_ms_=1100	REVIEW REQUIRED
`TC-COM-011`	EP	REQ-COM-004	Timestamp unit consistency in milliseconds	tick_ms_=600; link_degraded_timeout_ms_=500	Time difference (600 - 0 = 600 ms) shall exceed link_degraded_timeout_ms_ (500 ms), triggering degraded state transition per REQ-COM-006
`TC-COM-012`	BVA	REQ-COM-004	Zero time difference computation	tick_ms_=1000	link_status_.latency shall be 0 ms; time_since_last_valid_frame shall be 0 ms if frame just received
`TC-COM-013`	BVA	REQ-COM-004	Negative time difference handling (non-monotonic edge case)	tick_ms_=1000	REVIEW REQUIRED
`TC-COM-014`	Decision	REQ-COM-005	Authentication failure sets command_authentic_ false	tick_ms_=1000	command_authentic_ shall be false
`TC-COM-015`	Decision	REQ-COM-005	Replay detection sets replay_detected_ true	tick_ms_=1000	replay_detected_ shall be true
`TC-COM-016`	Decision	REQ-COM-005	Decoding failure sets remote_command_.valid false	tick_ms_=1000	remote_command_.valid shall be false
`TC-COM-017`	Decision	REQ-COM-005	Link lost timeout triggers lost state	tick_ms_=2001; link_lost_timeout_ms_=2000	link_status_.state shall be link_state_t::lost
`TC-COM-018`	BVA	REQ-COM-005	Link lost timeout boundary exact match	tick_ms_=2000; link_lost_timeout_ms_=2000	link_status_.state shall remain in previous state (not yet lost) or transition to lost if condition is >= rather than >
`TC-COM-019`	BVA	REQ-COM-005	Link lost timeout boundary one below threshold	tick_ms_=1999; link_lost_timeout_ms_=2000	link_status_.state shall remain in degraded or ok state (not yet lost)
`TC-COM-020`	Decision	REQ-COM-006	Degraded state transition due to age timeout	tick_ms_=1001; link_degraded_timeout_ms_=1000	link_status_.state shall transition from ok to degraded
`TC-COM-021`	Decision	REQ-COM-006	Degraded state transition due to latency threshold	tick_ms_=2000; link_max_latency_ms_=500	link_status_.state shall transition from ok to degraded
`TC-COM-022`	Decision	REQ-COM-006	Degraded state transition due to packet loss threshold	tick_ms_=1000; link_max_packet_loss_pct_=10.0	link_status_.state shall transition from ok to degraded when link_status_.packet_loss_percentage > 10.0
`TC-COM-023`	Decision	REQ-COM-006	Lost state transition due to lost timeout	tick_ms_=3001; link_lost_timeout_ms_=3000	link_status_.state shall transition from degraded to lost
`TC-COM-024`	BVA	REQ-COM-006	Degraded timeout boundary exact match	tick_ms_=1000; link_degraded_timeout_ms_=1000	link_status_.state shall remain ok or transition to degraded if condition is >= rather than >
`TC-COM-025`	BVA	REQ-COM-006	Latency threshold boundary exact match	tick_ms_=1000; link_max_latency_ms_=200	link_status_.state shall remain ok or transition to degraded if condition is >= rather than >
`TC-COM-026`	BVA	REQ-COM-006	Packet loss threshold boundary exact match	tick_ms_=1000; link_max_packet_loss_pct_=15.0	link_status_.state shall remain ok or transition to degraded if condition is >= rather than >
`TC-COM-027`	Decision	REQ-COM-006	Multiple degradation conditions simultaneous	tick_ms_=2000; link_max_latency_ms_=100; link_max_packet_loss_pct_=5.0	link_status_.state shall transition from ok to degraded (OR logic across conditions)
`TC-COM-028`	BVA	REQ-COM-007	Sliding window size at maximum boundary	tick_ms_=1000	REVIEW REQUIRED
`TC-COM-029`	BVA	REQ-COM-007	Tracked gaps at maximum boundary	tick_ms_=1000	REVIEW REQUIRED
`TC-COM-030`	Decision	REQ-COM-007	Window overflow handling (negative test)	tick_ms_=1000	REVIEW REQUIRED
`TC-COM-031`	State	REQ-COM-008	Initial link state at first execution	tick_ms_=0	REVIEW REQUIRED
`TC-COM-032`	State	REQ-COM-008	Lost to degraded state transition	tick_ms_=1000	link_status_.state shall transition from lost to degraded (or directly to ok if conditions allow jump)
`TC-COM-033`	State	REQ-COM-008	Degraded to ok state transition	tick_ms_=1000; link_max_latency_ms_=500; link_max_packet_loss_pct_=10.0; link_degraded_timeout_ms_=1000	link_status_.state shall transition from degraded to ok
`TC-COM-034`	State	REQ-COM-008	Ok to degraded state transition	tick_ms_=2000; link_degraded_timeout_ms_=1000	link_status_.state shall transition from ok to degraded per REQ-COM-006 conditions
`TC-COM-035`	State	REQ-COM-008	Degraded to lost state transition	tick_ms_=5000; link_lost_timeout_ms_=3000	link_status_.state shall transition from degraded to lost per REQ-COM-006 conditions
`TC-COM-036`	State	REQ-COM-008	Lost to ok direct jump transition	tick_ms_=1000	link_status_.state shall transition from lost directly to ok (skipping degraded) if conditions allow per requirement
`TC-COM-037`	State	REQ-COM-008	Ok to lost direct jump transition	tick_ms_=4000; link_degraded_timeout_ms_=1000; link_lost_timeout_ms_=3000	link_status_.state shall transition from ok directly to lost if lost_timeout is exceeded (even if degraded_timeout also exceeded)
`TC-COM-038`	State	REQ-COM-008	State persistence without transition condition	tick_ms_=1500; link_lost_timeout_ms_=3000	link_status_.state shall remain degraded (no spurious transition)
`TC-COM-039`	Interface	REQ-COM-009	Execution order within cycle	tick_ms_=1000	REVIEW REQUIRED
`TC-COM-040`	Interface	REQ-COM-009	Authentication signals available to link_monitor in same cycle	tick_ms_=1000	command_authentic_ and replay_detected_ shall reflect authentication result of current cycle's link_frame_ before link_monitor reads them (same-cycle consistency)
`TC-COM-041`	Interface	REQ-COM-009	Link receiver alive counter incremented once per cycle	tick_ms_=1000	alive_counters_[module_id::link_receiver] shall increment by exactly 1 per cycle
`TC-COM-042`	Interface	REQ-COM-009	Link monitor alive counter incremented once per cycle	tick_ms_=2000	alive_counters_[module_id::link_monitor] shall increment by exactly 1 per cycle
`TC-COM-043`	Interface	REQ-COM-009	Alive counters do not double-increment in single cycle	tick_ms_=1000	Both alive_counters_[module_id::link_receiver] and alive_counters_[module_id::link_monitor] shall each increment by exactly 1 (not 0, not 2+)
`TC-COM-044`	Scenario	REQ-COM-005, REQ-COM-006	End-to-end link loss scenario	tick_ms_=3500; link_degraded_timeout_ms_=1000; link_lost_timeout_ms_=3000	link_status_.state shall be lost, command_authentic_ shall be false, remote_command_.valid shall be false
`TC-COM-045`	Scenario	REQ-COM-005, REQ-COM-006	Link recovery from lost to ok scenario	tick_ms_=5000	link_status_.state shall transition to ok (or degraded then ok), command_authentic_ shall be true, remote_command_.valid shall be true
`TC-COM-046`	BVA	REQ-COM-006	Calibration parameter minimum boundary - degraded timeout	tick_ms_=1; link_degraded_timeout_ms_=0	link_status_.state shall transition to degraded immediately (any age > 0 exceeds threshold 0)
`TC-COM-047`	BVA	REQ-COM-006	Calibration parameter minimum boundary - lost timeout	tick_ms_=1; link_lost_timeout_ms_=0	link_status_.state shall transition to lost immediately (any age > 0 exceeds threshold 0)
`TC-COM-048`	BVA	REQ-COM-006	Calibration parameter minimum boundary - latency threshold	tick_ms_=1000; link_max_latency_ms_=0	link_status_.state shall transition to degraded (any latency > 0 exceeds threshold 0)
`TC-COM-049`	BVA	REQ-COM-006	Calibration parameter minimum boundary - packet loss threshold	tick_ms_=1000; link_max_packet_loss_pct_=0.0	link_status_.state shall transition to degraded (any loss > 0% exceeds threshold 0%)
`TC-COM-050`	BVA	REQ-COM-006	Calibration parameter high value - degraded timeout	tick_ms_=86400000; link_degraded_timeout_ms_=86400000	link_status_.state shall remain ok until time_since_last_valid_frame exceeds 86400000 ms (24 hours)
`TC-COM-051`	Decision	REQ-COM-002, REQ-COM-006	Packet loss exactly at 100% triggers degraded	tick_ms_=1000; link_max_packet_loss_pct_=99.0	link_status_.packet_loss_percentage shall be 100.0 (per REQ-COM-002) and link_status_.state shall be degraded (100.0 > 99.0)
`TC-COM-052`	Scenario	REQ-COM-004, REQ-COM-006	Timeout threshold comparison with consistent time units	tick_ms_=6501; link_degraded_timeout_ms_=1500	Time since last valid frame (6501 - 5000 = 1501 ms) shall exceed threshold (1500 ms) triggering degraded transition

safety 81 tests

ID	Method	Covers	Title	Stimuli	Expected (oracle)
`TC-SAF-001`	BVA	REQ-SAF-001	Pose validity with confidence at minimum threshold	bus.pose_.validity=True; bus.pose_.confidence=pose_min_confidence_; bus.pose_.speed=10.0	Pose is treated as valid; no pose-invalid fault raised; bus.any_fault_active_ does not reflect pose invalidity
`TC-SAF-002`	BVA	REQ-SAF-001	Pose validity with confidence just below minimum threshold	bus.pose_.validity=True; bus.pose_.confidence=pose_min_confidence_ - 0.01; bus.pose_.speed=10.0	Pose is treated as invalid; module behavior reflects invalid pose (e.g., fault or safe fallback)
`TC-SAF-003`	BVA	REQ-SAF-001	Pose validity flag false	bus.pose_.validity=False; bus.pose_.confidence=0.95; bus.pose_.speed=10.0	Pose is treated as invalid regardless of high confidence; module reflects invalid pose state
`TC-SAF-004`	BVA	REQ-SAF-001	Speed at minimum valid range boundary	bus.pose_.validity=True; bus.pose_.confidence=0.95; bus.pose_.speed=min_speed_mps	REVIEW REQUIRED
`TC-SAF-005`	BVA	REQ-SAF-001	Speed just below minimum valid range	bus.pose_.validity=True; bus.pose_.confidence=0.95; bus.pose_.speed=min_speed_mps - 0.01	REVIEW REQUIRED
`TC-SAF-006`	BVA	REQ-SAF-001	Speed at maximum valid range boundary	bus.pose_.validity=True; bus.pose_.confidence=0.95; bus.pose_.speed=max_speed_mps	REVIEW REQUIRED
`TC-SAF-007`	BVA	REQ-SAF-001	Speed just above maximum valid range	bus.pose_.validity=True; bus.pose_.confidence=0.95; bus.pose_.speed=max_speed_mps + 0.01	REVIEW REQUIRED
`TC-SAF-008`	BVA	REQ-SAF-002	Geofence distance to boundary is zero (on boundary)	bus.pose_.x=geofence_max_x_m_; bus.pose_.y=50.0; bus.pose_.validity=True; bus.pose_.confidence=0.95	bus.geofence_.distance_to_boundary_m >= 0.0 (non-negative, likely 0.0)
`TC-SAF-009`	BVA	REQ-SAF-002	Safe stop target deceleration minimum boundary	bus.geofence_.breach=True; bus.pose_.speed=5.0	REVIEW REQUIRED
`TC-SAF-010`	BVA	REQ-SAF-002	Safe stop target deceleration maximum boundary	bus.geofence_.breach=True; bus.pose_.speed=30.0	REVIEW REQUIRED
`TC-SAF-011`	EP	REQ-SAF-002	Health state is OK under nominal conditions	bus.any_fault_active_=False; bus.critical_fault_active_=False; bus.watchdog_ok_=True; bus.link_status_=link_state_t::ok	bus.health_ == health_state_t::ok
`TC-SAF-012`	EP	REQ-SAF-002	Health state is degraded under non-critical fault	bus.any_fault_active_=True; bus.critical_fault_active_=False; bus.watchdog_ok_=True	bus.health_ == health_state_t::degraded
`TC-SAF-013`	EP	REQ-SAF-002	Health state is critical under critical fault	bus.critical_fault_active_=True; bus.watchdog_ok_=True	bus.health_ == health_state_t::critical
`TC-SAF-014`	BVA	REQ-SAF-002	Fault list at maximum capacity (64 entries)	bus.faults_.size()=63; trigger_new_fault=True	bus.faults_.size() == 64; no overflow beyond 64 entries
`TC-SAF-015`	BVA	REQ-SAF-002	Fault list overflow attempt (65th fault)	bus.faults_.size()=64; trigger_new_fault=True	bus.faults_.size() remains 64; new fault is dropped (ignore_new policy)
`TC-SAF-016`	BVA	REQ-SAF-003	Geofence distance clamping at minimum	bus.pose_.x=geofence_max_x_m_ + 1000; bus.pose_.y=50.0; bus.pose_.validity=True; bus.pose_.confidence=0.95	REVIEW REQUIRED
`TC-SAF-017`	BVA	REQ-SAF-003	Safe stop deceleration clamping at minimum	bus.geofence_.breach=True; bus.pose_.speed=0.5	REVIEW REQUIRED
`TC-SAF-018`	BVA	REQ-SAF-003	Safe stop deceleration clamping at maximum	bus.geofence_.breach=True; bus.pose_.speed=50.0	REVIEW REQUIRED
`TC-SAF-019`	BVA	REQ-SAF-003	E-stop deceleration clamped to calibrated emergency deceleration	bus.collision_.imminent=True; emergency_decel_mps2_=8.0	bus.estop_.target_decel_mps2 == 8.0 (clamped to cal_.emergency_decel_mps2_)
`TC-SAF-020`	Interface	REQ-SAF-004	Geofence distance is unsigned magnitude	bus.pose_.x=geofence_max_x_m_ + 10; bus.pose_.y=50.0; bus.pose_.validity=True; bus.pose_.confidence=0.95	bus.geofence_.distance_to_boundary_m >= 0.0 (unsigned magnitude in meters)
`TC-SAF-021`	Interface	REQ-SAF-004	Deceleration values are positive magnitudes	bus.geofence_.breach=True; bus.pose_.speed=10.0; safe_stop_decel_mps2_=3.0	bus.safe_stop_.target_decel_mps2 > 0.0 (positive magnitude in m/s²)
`TC-SAF-022`	Interface	REQ-SAF-004	Speed computed in meters per second	bus.pose_.speed=15.0; bus.pose_.validity=True; bus.pose_.confidence=0.95	Module interprets bus.pose_.speed as 15.0 m/s; all speed comparisons use m/s units
`TC-SAF-023`	Decision	REQ-SAF-005	Invalid pose when validity flag is false	bus.pose_.validity=False; bus.pose_.confidence=0.95; bus.pose_.speed=10.0	Pose treated as invalid; module does not use pose data for safety-critical decisions
`TC-SAF-024`	Decision	REQ-SAF-005	Invalid pose when confidence below minimum threshold	bus.pose_.validity=True; bus.pose_.confidence=pose_min_confidence_ - 0.05; bus.pose_.speed=10.0	Pose treated as invalid due to low confidence
`TC-SAF-025`	Decision	REQ-SAF-005	E-stop activation on link lost	bus.link_status_=link_state_t::lost	bus.estop_.active == true; bus.estop_.source indicates link_loss trigger
`TC-SAF-026`	Decision	REQ-SAF-005	E-stop activation on imminent collision	bus.collision_.imminent=True	bus.estop_.active == true; bus.estop_.source indicates obstacle/collision trigger
`TC-SAF-027`	Decision	REQ-SAF-005	Critical health state on critical fault active	bus.critical_fault_active_=True; bus.watchdog_ok_=True	bus.health_ == health_state_t::critical
`TC-SAF-028`	Decision	REQ-SAF-005	Critical health state on watchdog failure	bus.watchdog_ok_=False; bus.critical_fault_active_=False	bus.health_ == health_state_t::critical
`TC-SAF-029`	Decision	REQ-SAF-005	Safe stop activation on geofence breach	bus.geofence_.breach=True; bus.pose_.speed=10.0	bus.safe_stop_.active == true; bus.safe_stop_.target_decel_mps2 set to safe_stop_decel_mps2_ calibration
`TC-SAF-030`	Decision	REQ-SAF-006	Fault confirmation after 3 consecutive cycles	cycle_1_fault_present=True; cycle_2_fault_present=True; cycle_3_fault_present=True	Fault is confirmed after cycle 3; fault entry shows confirmation_status == confirmed (or equivalent)
`TC-SAF-031`	Decision	REQ-SAF-006	Fault not confirmed if intermittent (2 of 3 cycles)	cycle_1_fault_present=True; cycle_2_fault_present=False; cycle_3_fault_present=True	Fault is not confirmed after cycle 3; confirmation counter resets on missing detection
`TC-SAF-032`	State	REQ-SAF-006	E-stop latching: remains active while trigger persists	cycle_1_bus.link_status_=link_state_t::lost; cycle_2_bus.link_status_=link_state_t::lost; bus.pose_.speed=5.0	bus.estop_.active remains true across cycles while link_status_ is lost
`TC-SAF-033`	State	REQ-SAF-006	E-stop deactivation after triggers clear and standstill reached	bus.link_status_=link_state_t::ok; bus.collision_.imminent=False; bus.geofence_.breach=False; bus.remote_command_.estop_request=False; bus.pose_.speed=standstill_speed_mps_ - 0.01; standstill_duration=standstill_duration_cycles	REVIEW REQUIRED
`TC-SAF-034`	Interface	REQ-SAF-006	Alive counter increments every cycle	bus.tick_ms_=1000	bus.alive_counters_[module_id::geofence], bus.alive_counters_[module_id::safe_stop], bus.alive_counters_[module_id::estop] each increment by 1 per cycle
`TC-SAF-035`	Interface	REQ-SAF-006	E-stop activation timestamp captured from tick_ms	bus.collision_.imminent=True; bus.tick_ms_=123456789	bus.estop_.activated_tick_ms == 123456789 (timestamp captured at activation)
`TC-SAF-036`	BVA	REQ-SAF-007	Fault list at capacity minus one (63 entries)	bus.faults_.size()=62; trigger_new_fault=True	REVIEW REQUIRED
`TC-SAF-037`	BVA	REQ-SAF-007	Fault list overflow policy: new fault dropped when full	bus.faults_.size()=max_faults_limit; trigger_new_fault=True	REVIEW REQUIRED
`TC-SAF-038`	BVA	REQ-SAF-007	Fault occurrence count at maximum	fault_entry.occurrence_count=max_occurrence_count - 1; trigger_same_fault_again=True	REVIEW REQUIRED
`TC-SAF-039`	BVA	REQ-SAF-007	Fault occurrence count overflow behavior	fault_entry.occurrence_count=max_occurrence_count; trigger_same_fault_again=True	REVIEW REQUIRED
`TC-SAF-040`	BVA	REQ-SAF-007	Alive counter wraparound at UINT32_MAX	bus.alive_counters_[module_id::geofence]=4294967295	After one cycle, bus.alive_counters_[module_id::geofence] wraps to 0 (unsigned wraparound per C++ standard)
`TC-SAF-041`	State	REQ-SAF-008	E-stop initial state is INACTIVE		bus.estop_.active == false; bus.estop_.source == estop_source_t::none
`TC-SAF-042`	State	REQ-SAF-008	E-stop transition INACTIVE to ACTIVE_LATCHED on collision	bus.estop_.active=False; bus.collision_.imminent=True	bus.estop_.active == true; bus.estop_.source indicates obstacle/collision; bus.estop_.activated_tick_ms recorded
`TC-SAF-043`	State	REQ-SAF-008	E-stop remains ACTIVE_LATCHED while any trigger persists	bus.estop_.active=True; bus.collision_.imminent=True; bus.pose_.speed=5.0	bus.estop_.active remains true; source reflects highest-priority active trigger
`TC-SAF-044`	State	REQ-SAF-008	E-stop source priority: local_button highest priority	inject_local_estop=True; bus.collision_.imminent=True; bus.link_status_=link_state_t::lost	bus.estop_.source indicates local_button (highest priority per priority order)
`TC-SAF-045`	State	REQ-SAF-008	E-stop source priority: obstacle over link_loss	inject_local_estop=False; bus.collision_.imminent=True; bus.link_status_=link_state_t::lost	bus.estop_.source indicates obstacle (higher priority than link_loss per priority order)
`TC-SAF-046`	State	REQ-SAF-008	E-stop source priority: link_loss over geofence	inject_local_estop=False; bus.collision_.imminent=False; bus.link_status_=link_state_t::lost; bus.geofence_.breach=True	bus.estop_.source indicates link_loss (higher priority than geofence per priority order)
`TC-SAF-047`	State	REQ-SAF-008	E-stop source priority: geofence over remote_command	inject_local_estop=False; bus.collision_.imminent=False; bus.link_status_=link_state_t::ok; bus.geofence_.breach=True; bus.remote_command_.estop_request=True	bus.estop_.source indicates geofence (higher priority than remote_command per priority order)
`TC-SAF-048`	State	REQ-SAF-008	E-stop transition ACTIVE_LATCHED to INACTIVE when all triggers clear and standstill reached	bus.estop_.active=True; bus.collision_.imminent=False; bus.link_status_=link_state_t::ok; bus.geofence_.breach=False; bus.remote_command_.estop_request=False; inject_local_estop=False; bus.pose_.speed=standstill_speed_mps_ - 0.01	bus.estop_.active == false after standstill condition holds for required duration; bus.estop_.source reset to none
`TC-SAF-049`	State	REQ-SAF-008	E-stop does not deactivate if speed above standstill threshold	bus.estop_.active=True; bus.collision_.imminent=False; bus.link_status_=link_state_t::ok; bus.geofence_.breach=False; bus.remote_command_.estop_request=False; inject_local_estop=False; bus.pose_.speed=standstill_speed_mps_ + 0.5	bus.estop_.active remains true (standstill condition not met)
`TC-SAF-050`	State	REQ-SAF-008	E-stop entry action: timestamp recorded at activation	bus.estop_.active=False; bus.collision_.imminent=True; bus.tick_ms_=987654321	bus.estop_.activated_tick_ms == 987654321 (captured at transition to ACTIVE_LATCHED)
`TC-SAF-051`	Scenario	REQ-SAF-009	Fault memory reads faults from all modules before processing	module_a_fault=True; module_b_fault=True	REVIEW REQUIRED
`TC-SAF-052`	Scenario	REQ-SAF-009	tick_ms updated before run() called each cycle	bus.tick_ms_=1000	Module observes updated tick_ms_ value within run(); timestamps use current tick_ms_
`TC-SAF-053`	Scenario	REQ-SAF-009	inject_local_estop called before run() each cycle	inject_local_estop=True	REVIEW REQUIRED
`TC-SAF-054`	Interface	REQ-SAF-009	All input bus fields read atomically within single run()	bus.pose_.speed=10.0; bus.collision_.imminent=False	Module observes consistent snapshot of all input fields; no torn reads across field boundaries
`TC-SAF-055`	Interface	REQ-SAF-009	All output bus fields written atomically before run() returns		Downstream consumers observe consistent state across all output fields; no partial updates visible
`TC-SAF-056`	BVA	REQ-SAF-002	Fault list size exactly at limit (64 entries)	bus.faults_.size()=64	bus.faults_.size() == 64; no overflow, system stable
`TC-SAF-057`	Scenario	REQ-SAF-005	Combined fault scenario: link lost AND collision AND geofence breach	bus.link_status_=link_state_t::lost; bus.collision_.imminent=True; bus.geofence_.breach=True	bus.estop_.active == true (E-stop from link/collision); bus.safe_stop_.active == true (from geofence); bus.health_ == health_state_t::critical (multiple critical faults)
`TC-SAF-058`	Scenario	REQ-SAF-005	Watchdog failure during active E-stop	bus.estop_.active=True; bus.watchdog_ok_=False	bus.health_ == health_state_t::critical; E-stop remains active; system does not attempt recovery
`TC-SAF-059`	Scenario	REQ-SAF-001, REQ-SAF-005	Geofence breach with invalid pose (low confidence)	bus.pose_.x=geofence_max_x_m_ + 5; bus.pose_.y=50.0; bus.pose_.validity=True; bus.pose_.confidence=pose_min_confidence_ - 0.1; bus.geofence_.breach=True	Pose treated as invalid; geofence breach detection may be suspended or fault raised for invalid pose; safe stop behavior depends on pose validity policy
`TC-SAF-060`	Scenario	REQ-SAF-006, REQ-SAF-008	E-stop deactivation boundary: speed exactly at standstill threshold	bus.estop_.active=True; bus.collision_.imminent=False; bus.link_status_=link_state_t::ok; bus.geofence_.breach=False; bus.remote_command_.estop_request=False; inject_local_estop=False; bus.pose_.speed=standstill_speed_mps_	E-stop deactivation condition evaluates speed <= standstill_speed_mps_ (inclusive boundary); after required duration, bus.estop_.active == false
`TC-SAF-061`	EP	REQ-SAF-003	Emergency deceleration applied on E-stop activation	bus.collision_.imminent=True; emergency_decel_mps2_=8.0	E-stop deceleration target set to 8.0 m/s² (cal_.emergency_decel_mps2_)
`TC-SAF-062`	EP	REQ-SAF-003	Safe stop deceleration applied on geofence breach	bus.geofence_.breach=True; bus.pose_.speed=15.0; safe_stop_decel_mps2_=3.0	bus.safe_stop_.target_decel_mps2 set to 3.0 m/s² (cal_.safe_stop_decel_mps2_)
`TC-SAF-063`	Interface	REQ-SAF-002	Geofence distance to boundary is zero when exactly on boundary	bus.pose_.x=geofence_max_x_m_; bus.pose_.y=geofence_min_y_m_ + 10; bus.pose_.validity=True; bus.pose_.confidence=0.95	bus.geofence_.distance_to_boundary_m == 0.0 (non-negative, zero on boundary)
`TC-SAF-064`	Interface	REQ-SAF-002	Geofence inside flag true when well inside boundary	bus.pose_.x=geofence_min_x_m_ + 50; bus.pose_.y=geofence_min_y_m_ + 50; bus.pose_.validity=True; bus.pose_.confidence=0.95	bus.geofence_.inside == true; bus.geofence_.breach == false; bus.geofence_.distance_to_boundary_m > 0
`TC-SAF-065`	Interface	REQ-SAF-002	Geofence breach flag true when outside boundary	bus.pose_.x=geofence_max_x_m_ + 10; bus.pose_.y=geofence_min_y_m_ + 50; bus.pose_.validity=True; bus.pose_.confidence=0.95	bus.geofence_.inside == false; bus.geofence_.breach == true; bus.geofence_.distance_to_boundary_m >= 0
`TC-SAF-066`	Decision	REQ-SAF-005	Safe stop not activated when inside geofence	bus.pose_.x=geofence_min_x_m_ + 50; bus.pose_.y=geofence_min_y_m_ + 50; bus.geofence_.breach=False; bus.pose_.validity=True; bus.pose_.confidence=0.95	bus.safe_stop_.active == false (no geofence breach trigger)
`TC-SAF-067`	State	REQ-SAF-008	E-stop does not deactivate while collision trigger persists	bus.estop_.active=True; bus.collision_.imminent=True; bus.link_status_=link_state_t::ok; bus.pose_.speed=0.0	bus.estop_.active remains true (collision trigger still active despite standstill)
`TC-SAF-068`	Decision	REQ-SAF-006	Fault debouncing: fault clears before confirmation (1 cycle present, then absent)	cycle_1_fault_present=True; cycle_2_fault_present=False	Fault not confirmed; confirmation counter resets; fault not added to bus.faults_ persistent list
`TC-SAF-069`	Interface	REQ-SAF-007	Alive counter for geofence monitor increments monotonically		bus.alive_counters_[module_id::geofence] increments by 1 each cycle (monotonically increasing until wraparound)
`TC-SAF-070`	Interface	REQ-SAF-007	Alive counter for safe stop controller increments monotonically		bus.alive_counters_[module_id::safe_stop] increments by 1 each cycle (monotonically increasing until wraparound)
`TC-SAF-071`	Interface	REQ-SAF-007	Alive counter for estop handler increments monotonically		bus.alive_counters_[module_id::estop] increments by 1 each cycle (monotonically increasing until wraparound)
`TC-SAF-072`	Scenario	REQ-SAF-002, REQ-SAF-005	Health state transitions from OK to DEGRADED on non-critical fault	bus.any_fault_active_=True; bus.critical_fault_active_=False; bus.watchdog_ok_=True	bus.health_ transitions from health_state_t::ok to health_state_t::degraded
`TC-SAF-073`	Scenario	REQ-SAF-002, REQ-SAF-005	Health state transitions from DEGRADED to CRITICAL on critical fault	bus.any_fault_active_=True; bus.critical_fault_active_=True; bus.watchdog_ok_=True	bus.health_ transitions from health_state_t::degraded to health_state_t::critical
`TC-SAF-074`	Scenario	REQ-SAF-002, REQ-SAF-005	Health state remains CRITICAL while watchdog failure persists	bus.watchdog_ok_=False; bus.critical_fault_active_=False	bus.health_ remains health_state_t::critical across multiple cycles while watchdog_ok_ is false
`TC-SAF-075`	State	REQ-SAF-008	E-stop source updates to highest priority when multiple triggers active	bus.estop_.active=True; bus.geofence_.breach=True; bus.collision_.imminent=True	bus.estop_.source updates from geofence to obstacle (higher priority trigger)
`TC-SAF-076`	Interface	REQ-SAF-001, REQ-SAF-004	Speed value negative treated as invalid	bus.pose_.validity=True; bus.pose_.confidence=0.95; bus.pose_.speed=-5.0	REVIEW REQUIRED
`TC-SAF-077`	Interface	REQ-SAF-004	Geofence coordinates interpreted as signed meters (negative X)	geofence_min_x_m_=-100.0; geofence_max_x_m_=100.0; bus.pose_.x=-50.0; bus.pose_.y=0.0; bus.pose_.validity=True; bus.pose_.confidence=0.95	bus.geofence_.inside == true (vehicle inside geofence with negative X coordinate); distance computed correctly
`TC-SAF-078`	Interface	REQ-SAF-004	Geofence coordinates interpreted as signed meters (negative Y)	geofence_min_y_m_=-100.0; geofence_max_y_m_=100.0; bus.pose_.x=0.0; bus.pose_.y=-50.0; bus.pose_.validity=True; bus.pose_.confidence=0.95	bus.geofence_.inside == true (vehicle inside geofence with negative Y coordinate); distance computed correctly
`TC-SAF-079`	Decision	REQ-SAF-006	Fault confirmation counter increments each cycle fault is present	cycle_1_fault_present=True; cycle_2_fault_present=True	Fault confirmation counter increments from 1 to 2; fault not yet confirmed (requires 3 cycles)
`TC-SAF-080`	Decision	REQ-SAF-006	Fault confirmation counter resets when fault disappears	cycle_1_fault_present=True; cycle_2_fault_present=True; cycle_3_fault_present=False	Fault confirmation counter resets to 0; fault not confirmed; if fault reappears, counter restarts from 1
`TC-SAF-081`	Decision	REQ-SAF-007	Fault occurrence count increments on repeated fault detection	fault_already_confirmed=True; trigger_same_fault_again=True	Fault entry occurrence_count increments by 1; fault remains in bus.faults_ list

supervision 53 tests

ID	Method	Covers	Title	Stimuli	Expected (oracle)
`TC-SUP-001`	BVA	REQ-SUP-001	Verify acceptance of link_status_.state_ at nominal boundary	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module accepts link_status_.state_ = nominal and produces valid vehicle_mode_ output from the enumeration {init, idle, remote, autonomous, safe_stop, emergency, fault}
`TC-SUP-002`	EP	REQ-SUP-001	Verify acceptance of link_status_.state_ = lost	link_status_.state_=lost; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module accepts link_status_.state_ = lost and produces valid vehicle_mode_ output
`TC-SUP-003`	EP	REQ-SUP-001	Verify acceptance of link_status_.state_ = degraded	link_status_.state_=degraded; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module accepts link_status_.state_ = degraded and produces valid vehicle_mode_ output
`TC-SUP-004`	EP	REQ-SUP-001	Verify acceptance of health_ = critical	link_status_.state_=nominal; health_=critical; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module accepts health_ = critical and produces valid vehicle_mode_ output
`TC-SUP-005`	EP	REQ-SUP-001	Verify acceptance of health_ = degraded	link_status_.state_=nominal; health_=degraded; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module accepts health_ = degraded and produces valid vehicle_mode_ output
`TC-SUP-006`	EP	REQ-SUP-001	Verify acceptance of estop_.source_ = local_button	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module accepts estop_.source_ = local_button and produces valid vehicle_mode_ output
`TC-SUP-007`	EP	REQ-SUP-001	Verify acceptance of estop_.source_ = obstacle	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=obstacle; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module accepts estop_.source_ = obstacle and produces valid vehicle_mode_ output
`TC-SUP-008`	EP	REQ-SUP-001	Verify acceptance of estop_.source_ = remote	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=remote; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module accepts estop_.source_ = remote and produces valid vehicle_mode_ output
`TC-SUP-009`	BVA	REQ-SUP-001	Verify acceptance of pose_.speed_mps_ at lower boundary 0.0	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module accepts pose_.speed_mps_ = 0.0 (minimum valid speed) and produces valid outputs
`TC-SUP-010`	BVA	REQ-SUP-001	Verify acceptance of pose_.speed_mps_ at upper boundary	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=PENDING_speed_max_mps; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-011`	BVA	REQ-SUP-001	Verify handling of geofence_.distance_to_boundary_m_ at lower boundary	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=PENDING_geofence_distance_min_m; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-012`	BVA	REQ-SUP-001	Verify handling of geofence_.distance_to_boundary_m_ at upper boundary	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=PENDING_geofence_distance_max_m; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-013`	EP	REQ-SUP-002	Verify vehicle_mode_ emits value from valid enumeration set	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	vehicle_mode_ output is one of {init, idle, remote, autonomous, safe_stop, emergency, fault}
`TC-SUP-014`	EP	REQ-SUP-002	Verify previous_mode_ emits value from valid enumeration set	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	previous_mode_ output is one of {init, idle, remote, autonomous, safe_stop, emergency, fault}
`TC-SUP-015`	EP	REQ-SUP-002	Verify degradation_level_ emits value from valid enumeration set	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	degradation_level_ output is one of {full, reduced_speed, geofence_hold, safe_stop_only}
`TC-SUP-016`	BVA	REQ-SUP-002	Verify remote_takeover_requested_ emits true	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	remote_takeover_requested_ output is true (boolean value from {true, false})
`TC-SUP-017`	BVA	REQ-SUP-002	Verify remote_takeover_requested_ emits false	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	remote_takeover_requested_ output is false (boolean value from {true, false})
`TC-SUP-018`	BVA	REQ-SUP-002	Verify watchdog_ok_ emits true	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	watchdog_ok_ output is true (boolean value from {true, false}) when all alive_counters_ increment normally
`TC-SUP-019`	BVA	REQ-SUP-002	Verify watchdog_ok_ emits false	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	watchdog_ok_ output is false (boolean value from {true, false}) when any alive_counters_ element exhibits non-monotonic behavior per REQ-SUP-005
`TC-SUP-020`	BVA	REQ-SUP-003	Verify init_cycles_ saturation at maximum value	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-021`	BVA	REQ-SUP-003	Verify alive_counters_ wraparound detection using modulo-2^32 arithmetic	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module correctly detects alive_counters_ increment when counter wraps from 4294967295 to 0 using modulo-2^32 (4294967296) arithmetic, watchdog_ok_ remains true
`TC-SUP-022`	BVA	REQ-SUP-004	Verify geofence_.distance_to_boundary_m_ positive value interpretation (outside boundary)	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=50.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False; geofence_margin_m_=10.0	Module interprets geofence_.distance_to_boundary_m_ = 50.0 meters as distance outside boundary per REQ-SUP-004, degradation_level_ not set to geofence_hold (since distance 50.0 > margin 10.0)
`TC-SUP-023`	BVA	REQ-SUP-004	Verify geofence_.distance_to_boundary_m_ negative value interpretation (breach depth)	link_status_.state_=nominal; health_=nominal; geofence_.breach_=True; geofence_.distance_to_boundary_m_=-15.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False; geofence_margin_m_=10.0	Module interprets geofence_.distance_to_boundary_m_ = -15.0 meters as breach depth of 15.0 meters per REQ-SUP-004, degradation_level_ set to geofence_hold or more restrictive
`TC-SUP-024`	EP	REQ-SUP-004	Verify pose_.speed_mps_ non-negative interpretation (forward speed magnitude)	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=5.5; plausible_command_.plausible_=True; plausible_command_.speed_mps_=5.5; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False; standstill_speed_mps_=0.1	Module interprets pose_.speed_mps_ = 5.5 m/s as forward speed magnitude per REQ-SUP-004, recognizes vehicle is not at standstill (5.5 > 0.1)
`TC-SUP-025`	EP	REQ-SUP-004	Verify plausible_command_.speed_mps_ non-negative interpretation	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=3.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module interprets plausible_command_.speed_mps_ = 3.0 m/s as forward speed magnitude per REQ-SUP-004, uses value for command evaluation
`TC-SUP-026`	Decision	REQ-SUP-005	Verify fault reaction to invalid link_status_.state_ input	link_status_.state_=INVALID_VALUE; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-027`	Decision	REQ-SUP-005	Verify fault reaction to invalid health_ input	link_status_.state_=nominal; health_=INVALID_VALUE; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-028`	Decision	REQ-SUP-005	Verify watchdog_ok_ set to false on non-monotonic alive_counters_ behavior	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	watchdog_ok_ output is false per REQ-SUP-005 when any alive_counters_ element exhibits non-monotonic behavior (counter stall or corruption)
`TC-SUP-029`	Decision	REQ-SUP-005	Verify fault reaction when remote_command_.valid_ is false	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=False; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-030`	Decision	REQ-SUP-005	Verify fault reaction when plausible_command_.plausible_ is false	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=False; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-031`	State	REQ-SUP-006	Verify transition from init to idle after 3 init_cycles_	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	After 3 consecutive cycles with init_cycles_ incrementing, vehicle_mode_ transitions from init to idle per REQ-SUP-006
`TC-SUP-032`	BVA	REQ-SUP-006	Verify no transition from init to idle before 3 init_cycles_ (boundary test at 2 cycles)	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	After 2 cycles, vehicle_mode_ remains in init (does not transition to idle) per REQ-SUP-006 (requires 3 cycles)
`TC-SUP-033`	Decision	REQ-SUP-006	Verify alive_counters_ stall detection after 1 consecutive cycle of no increment	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	watchdog_ok_ is set to false after 1 consecutive cycle where any alive_counters_ element fails to increment per REQ-SUP-006
`TC-SUP-034`	State	REQ-SUP-006	Verify standstill condition detection after debounce cycles	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.05; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False; standstill_speed_mps_=0.1	REVIEW REQUIRED
`TC-SUP-035`	BVA	REQ-SUP-006	Verify cycle period timing requirement	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-036`	BVA	REQ-SUP-007	Verify alive_counters_ array access at index 0 (lower boundary)	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module accesses alive_counters_[0] without array bounds violation per REQ-SUP-007 (min index = 0)
`TC-SUP-037`	BVA	REQ-SUP-007	Verify alive_counters_ array access at index 11 (upper boundary for 12 modules)	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module accesses alive_counters_[11] without array bounds violation per REQ-SUP-007 (max index = 12-1 = 11)
`TC-SUP-038`	EP	REQ-SUP-007	Verify module monitors exactly 12 modules via alive_counters_	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module monitors exactly 12 modules per REQ-SUP-007 (num_monitored_modules = 12), watchdog logic evaluates all 12 counters
`TC-SUP-039`	BVA	REQ-SUP-007	Verify configuration rejection when 12 exceeds max_monitored_modules_limit	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-040`	State	REQ-SUP-008	Verify vehicle_mode_ initialization to initial state	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-041`	State	REQ-SUP-008	Verify init state entry action execution	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-042`	State	REQ-SUP-008	Verify previous_mode_ populated with prior cycle vehicle_mode_	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	In cycle N, previous_mode_ output equals vehicle_mode_ from cycle N-1 per REQ-SUP-008 (if vehicle_mode_ was idle in N-1, previous_mode_ = idle in N)
`TC-SUP-043`	Decision	REQ-SUP-008	Verify estop_.source_ = local_button classified as emergency trigger	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=True; estop_.source_=local_button; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module classifies estop_.source_ = local_button as emergency trigger per REQ-SUP-008, vehicle_mode_ transitions to emergency state (highest priority per transition_priority_order)
`TC-SUP-044`	Decision	REQ-SUP-008	Verify estop_.source_ = obstacle classified as emergency trigger	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=True; estop_.source_=obstacle; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module classifies estop_.source_ = obstacle as emergency trigger per REQ-SUP-008, vehicle_mode_ transitions to emergency state
`TC-SUP-045`	Decision	REQ-SUP-008	Verify estop_.source_ = remote classified as safe-stop trigger	link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=True; estop_.source_=remote; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	Module classifies estop_.source_ = remote as safe-stop trigger per REQ-SUP-008, vehicle_mode_ transitions to safe_stop state (second priority after emergency per transition_priority_order)
`TC-SUP-046`	State	REQ-SUP-009	First-cycle execution with uninitialized watchdog snapshot prevents false fault	alive_counters_=[1, 1, 1, 1, 1]; link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=False; remote_command_.mode_autonomous_request_=False	watchdog_ok_ = true (no false fault triggered because have_snapshot_ = false prevents comparison on first cycle)
`TC-SUP-047`	State	REQ-SUP-009	Second-cycle execution detects stalled module after snapshot established	alive_counters_=[2, 2, 1, 2, 2]; link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=False; remote_command_.mode_autonomous_request_=False	watchdog_ok_ = false (module index 2 counter did not increment from previous snapshot, indicating stalled module)
`TC-SUP-048`	Interface	REQ-SUP-009	Atomic read of alive_counters_ array prevents race condition on concurrent increment	alive_counters_=[10, 20, 30, 40, 50]; link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=False; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-049`	Scenario	REQ-SUP-009	Execution order - supervision reads inputs after all providers have updated current cycle	alive_counters_=[5, 5, 5, 5, 5]; link_status_.state_=degraded; health_=degraded; geofence_.breach_=False; geofence_.distance_to_boundary_m_=50.0; estop_.active_=False; critical_fault_active_=False; pose_.speed_mps_=2.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=3.0; remote_command_.valid_=True; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-050`	BVA	REQ-SUP-009	Boundary - alive_counters_ array all zeros on first cycle with have_snapshot_ false	alive_counters_=[0, 0, 0, 0, 0]; link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=False; plausible_command_.speed_mps_=0.0; remote_command_.valid_=False; remote_command_.mode_autonomous_request_=False	watchdog_ok_ = true (no fault on first cycle even with zero counters because have_snapshot_ = false prevents comparison per AOU-007)
`TC-SUP-051`	BVA	REQ-SUP-009	Boundary - alive_counters_ array wrap-around at UINT32_MAX	alive_counters_=[4294967295, 4294967295, 4294967295, 4294967295, 4294967295]; link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=False; remote_command_.mode_autonomous_request_=False	REVIEW REQUIRED
`TC-SUP-052`	Decision	REQ-SUP-009	Decision - alive_counters_ single element stalled while others increment normally	alive_counters_=[11, 11, 10, 11, 11]; link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=False; remote_command_.mode_autonomous_request_=False	watchdog_ok_ = false (index 2 did not increment, indicating stalled module)
`TC-SUP-053`	Decision	REQ-SUP-009	Decision - alive_counters_ all elements increment normally after first cycle	alive_counters_=[8, 9, 10, 11, 12]; link_status_.state_=nominal; health_=nominal; geofence_.breach_=False; geofence_.distance_to_boundary_m_=100.0; estop_.active_=False; critical_fault_active_=False; pose_.speed_mps_=0.0; plausible_command_.plausible_=True; plausible_command_.speed_mps_=0.0; remote_command_.valid_=False; remote_command_.mode_autonomous_request_=False	watchdog_ok_ = true (all counters incremented, no stall detected)

command 59 tests

ID	Method	Covers	Title	Stimuli	Expected (oracle)
`TC-COM-001`	BVA	REQ-COM-001	Remote command speed exceeds hard plausibility limit (positive boundary)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=20.1; remote_command_.desired_yaw_rate_radps_=0.0; remote_command_.valid_=True; command_authentic_=True	plausible_command_.plausible_ shall be false
`TC-COM-002`	BVA	REQ-COM-001	Remote command speed at hard plausibility limit (positive boundary)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=20.0; remote_command_.desired_yaw_rate_radps_=0.0; remote_command_.valid_=True; command_authentic_=True	plausible_command_.plausible_ shall not be false due to this check (may pass plausibility check)
`TC-COM-003`	BVA	REQ-COM-001	Remote command speed exceeds hard plausibility limit (negative boundary)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=-20.1; remote_command_.desired_yaw_rate_radps_=0.0; remote_command_.valid_=True; command_authentic_=True	plausible_command_.plausible_ shall be false
`TC-COM-004`	BVA	REQ-COM-001	Remote command yaw rate exceeds hard plausibility limit (positive boundary)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=0.0; remote_command_.desired_yaw_rate_radps_=2.1; remote_command_.valid_=True; command_authentic_=True	plausible_command_.plausible_ shall be false
`TC-COM-005`	BVA	REQ-COM-001	Remote command yaw rate at hard plausibility limit (positive boundary)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=0.0; remote_command_.desired_yaw_rate_radps_=2.0; remote_command_.valid_=True; command_authentic_=True	plausible_command_.plausible_ shall not be false due to this check
`TC-COM-006`	BVA	REQ-COM-001	Remote command yaw rate exceeds hard plausibility limit (negative boundary)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=0.0; remote_command_.desired_yaw_rate_radps_=-2.1; remote_command_.valid_=True; command_authentic_=True	plausible_command_.plausible_ shall be false
`TC-COM-007`	EP	REQ-COM-001	Remote command speed is NaN (non-finite value rejection)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=NaN; remote_command_.desired_yaw_rate_radps_=0.0; remote_command_.valid_=True; command_authentic_=True	plausible_command_.plausible_ shall be false
`TC-COM-008`	EP	REQ-COM-001	Remote command speed is positive infinity (non-finite value rejection)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=Infinity; remote_command_.desired_yaw_rate_radps_=0.0; remote_command_.valid_=True; command_authentic_=True	plausible_command_.plausible_ shall be false
`TC-COM-009`	EP	REQ-COM-001	Remote command yaw rate is NaN (non-finite value rejection)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=0.0; remote_command_.desired_yaw_rate_radps_=NaN; remote_command_.valid_=True; command_authentic_=True	plausible_command_.plausible_ shall be false
`TC-COM-010`	EP	REQ-COM-001	Remote command with both speed and yaw within hard limits (nominal acceptance)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=8.0; remote_command_.desired_yaw_rate_radps_=0.5; remote_command_.valid_=True; command_authentic_=True	plausible_command_.plausible_ shall not be set to false by hard limit checks (may be true subject to other checks)
`TC-COM-011`	BVA	REQ-COM-002	Motion setpoint target acceleration at maximum positive limit	max_accel_mps2_=2.0; max_decel_mps2_=3.0	REVIEW REQUIRED
`TC-COM-012`	BVA	REQ-COM-002	Motion setpoint target acceleration at maximum negative limit (deceleration)	max_accel_mps2_=2.0; max_decel_mps2_=3.0	REVIEW REQUIRED
`TC-COM-013`	EP	REQ-COM-002	Motion setpoint output ranges enforcement (general)	max_accel_mps2_=2.0; max_decel_mps2_=3.0	REVIEW REQUIRED
`TC-COM-014`	BVA	REQ-COM-003	Command speed clamping at maximum forward limit	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=12.0; remote_command_.desired_yaw_rate_radps_=0.0; remote_command_.valid_=True; command_authentic_=True	plausible_command_.speed_mps_ shall be clamped to 10.0 m/s
`TC-COM-015`	BVA	REQ-COM-003	Command speed clamping at maximum reverse limit	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=-7.0; remote_command_.desired_yaw_rate_radps_=0.0; remote_command_.valid_=True; command_authentic_=True	plausible_command_.speed_mps_ shall be clamped to -5.0 m/s
`TC-COM-016`	BVA	REQ-COM-003	Command yaw rate clamping at positive limit	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=0.0; remote_command_.desired_yaw_rate_radps_=1.5; remote_command_.valid_=True; command_authentic_=True	plausible_command_.yaw_rate_radps_ shall be clamped to 1.0 rad/s
`TC-COM-017`	BVA	REQ-COM-003	Command yaw rate clamping at negative limit	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=0.0; remote_command_.desired_yaw_rate_radps_=-1.5; remote_command_.valid_=True; command_authentic_=True	plausible_command_.yaw_rate_radps_ shall be clamped to -1.0 rad/s
`TC-COM-018`	BVA	REQ-COM-003	Command speed rate limiting at maximum positive step	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_speed_step_mps_=1.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=7.0; remote_command_.desired_yaw_rate_radps_=0.0; remote_command_.valid_=True; command_authentic_=True	plausible_command_.speed_mps_ shall be limited to 6.0 m/s (5.0 + 1.0)
`TC-COM-019`	BVA	REQ-COM-003	Command speed rate limiting at maximum negative step	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_speed_step_mps_=1.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=2.0; remote_command_.desired_yaw_rate_radps_=0.0; remote_command_.valid_=True; command_authentic_=True	plausible_command_.speed_mps_ shall be limited to 4.0 m/s (5.0 - 1.0)
`TC-COM-020`	BVA	REQ-COM-003	Command yaw rate limiting at maximum positive step	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; max_command_yaw_step_radps_=0.2; remote_command_.desired_speed_mps_=0.0; remote_command_.desired_yaw_rate_radps_=0.5; remote_command_.valid_=True; command_authentic_=True	plausible_command_.yaw_rate_radps_ shall be limited to 0.2 rad/s (0.0 + 0.2)
`TC-COM-021`	BVA	REQ-COM-003	Command yaw rate limiting at maximum negative step	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; max_command_yaw_step_radps_=0.2; remote_command_.desired_speed_mps_=0.0; remote_command_.desired_yaw_rate_radps_=-0.5; remote_command_.valid_=True; command_authentic_=True	plausible_command_.yaw_rate_radps_ shall be limited to -0.2 rad/s (0.0 - 0.2)
`TC-COM-022`	EP	REQ-COM-004	Reverse motion with negative speed value within magnitude limit	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=-3.0; remote_command_.desired_yaw_rate_radps_=0.0; remote_command_.valid_=True; command_authentic_=True	plausible_command_.speed_mps_ shall represent reverse motion with magnitude 3.0 m/s not exceeding max_reverse_speed_mps_ (5.0 m/s)
`TC-COM-023`	BVA	REQ-COM-004	Reverse motion at maximum reverse speed magnitude	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=-5.0; remote_command_.desired_yaw_rate_radps_=0.0; remote_command_.valid_=True; command_authentic_=True	plausible_command_.speed_mps_ shall be -5.0 m/s (at reverse limit boundary)
`TC-COM-024`	EP	REQ-COM-004	Yaw rate sign convention (positive yaw)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=5.0; remote_command_.desired_yaw_rate_radps_=0.5; remote_command_.valid_=True; command_authentic_=True	REVIEW REQUIRED
`TC-COM-025`	EP	REQ-COM-004	Yaw rate sign convention (negative yaw)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=5.0; remote_command_.desired_yaw_rate_radps_=-0.5; remote_command_.valid_=True; command_authentic_=True	REVIEW REQUIRED
`TC-COM-026`	Decision	REQ-COM-004	Target acceleration computation from speed change over cycle period	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0	motion_setpoint_.target_accel_mps2_ shall be computed as (5.0 - 3.0) / 0.02 = 100.0 m/s²
`TC-COM-027`	Interface	REQ-COM-004	Unit consistency for all speed values (m/s)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=7.5; remote_command_.desired_yaw_rate_radps_=0.3; remote_command_.valid_=True; command_authentic_=True	All speed values in plausible_command_, arbitrated_command_, and motion_setpoint_ outputs shall be in meters per second (m/s) with no unit conversion errors
`TC-COM-028`	Interface	REQ-COM-004	Unit consistency for all yaw rate values (rad/s)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=5.0; remote_command_.desired_yaw_rate_radps_=0.8; remote_command_.valid_=True; command_authentic_=True	All yaw rate values in plausible_command_, arbitrated_command_, and motion_setpoint_ outputs shall be in radians per second (rad/s) with no unit conversion errors
`TC-COM-029`	Interface	REQ-COM-004	Unit consistency for acceleration values (m/s²)	max_accel_mps2_=2.0; max_decel_mps2_=3.0	motion_setpoint_.target_accel_mps2_ shall be in meters per second squared (m/s²)
`TC-COM-030`	Decision	REQ-COM-005	Command authentication failure sets plausible to false	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=5.0; remote_command_.desired_yaw_rate_radps_=0.3; remote_command_.valid_=True; command_authentic_=False	plausible_command_.plausible_ shall be false
`TC-COM-031`	Decision	REQ-COM-005	Invalid remote command sets plausible to false	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=5.0; remote_command_.desired_yaw_rate_radps_=0.3; remote_command_.valid_=False; command_authentic_=True	plausible_command_.plausible_ shall be false
`TC-COM-032`	Decision	REQ-COM-005	Safe-stop active overrides command arbitration to safe-stop source	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=5.0; remote_command_.desired_yaw_rate_radps_=0.3; remote_command_.valid_=True; command_authentic_=True; safe_stop_.active_=True; vehicle_mode_=vehicle_mode_t::autonomous	arbitrated_command_.source_ shall be command_source_t::safe_stop_controller regardless of other inputs
`TC-COM-033`	Decision	REQ-COM-005	Safe-stop active forces motion setpoint to zero speed	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; safe_stop_.active_=True	motion_setpoint_.target_speed_mps_ shall be 0.0
`TC-COM-034`	Decision	REQ-COM-005	Safe-stop active forces motion setpoint to zero yaw rate	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; safe_stop_.active_=True	motion_setpoint_.target_yaw_rate_radps_ shall be 0.0
`TC-COM-035`	Decision	REQ-COM-005	Authentication failure forces motion setpoint to zero speed	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=5.0; remote_command_.desired_yaw_rate_radps_=0.3; remote_command_.valid_=True; command_authentic_=False	motion_setpoint_.target_speed_mps_ shall be 0.0 under authentication fault condition
`TC-COM-036`	Decision	REQ-COM-005	Invalid command forces motion setpoint to zero yaw rate	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=5.0; remote_command_.desired_yaw_rate_radps_=0.3; remote_command_.valid_=False; command_authentic_=True	motion_setpoint_.target_yaw_rate_radps_ shall be 0.0 under invalid command fault condition
`TC-COM-037`	EP	REQ-COM-006	Module heartbeat counter increments each cycle		alive_counters_[module_id::command_arbiter] shall increment by 1 each cycle
`TC-COM-038`	BVA	REQ-COM-006	Module executes with 20 ms cycle period (nominal timing)		Module shall execute with cycle period of 20 milliseconds
`TC-COM-039`	Decision	REQ-COM-006	Stale remote command detection and rejection	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0	REVIEW REQUIRED
`TC-COM-040`	BVA	REQ-COM-006	Cycle timing with jitter (positive boundary)		REVIEW REQUIRED
`TC-COM-041`	BVA	REQ-COM-007	Heartbeat counter overflow from UINT32_MAX wraps to zero		alive_counters_[module_id::command_arbiter] shall wrap to 0 on next increment
`TC-COM-042`	Interface	REQ-COM-007	Heartbeat counter array index bounds validity		module_id::command_arbiter shall be a valid index within the allocated bounds of alive_counters_ array
`TC-COM-043`	EP	REQ-COM-007	Heartbeat counter remains bounded by uint32_t type		alive_counters_[module_id::command_arbiter] shall remain within uint32_t range [0, 4294967295]
`TC-COM-044`	State	REQ-COM-008	Arbitration priority: safe-stop has highest priority	safe_stop_.active_=True; vehicle_mode_=vehicle_mode_t::autonomous; remote_command_.valid_=True; command_authentic_=True	arbitrated_command_.source_ shall be command_source_t::safe_stop_controller (highest priority)
`TC-COM-045`	State	REQ-COM-008	Arbitration priority: autonomous mode selected when safe-stop inactive	safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; remote_command_.valid_=True; command_authentic_=True	arbitrated_command_.source_ shall be command_source_t::autonomous_mission (second priority)
`TC-COM-046`	State	REQ-COM-008	Arbitration priority: remote operator selected when conditions met	safe_stop_.active_=False; remote_command_.valid_=True; command_authentic_=True	REVIEW REQUIRED
`TC-COM-047`	State	REQ-COM-008	Arbitration defaults to none when no command source active	safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::manual; remote_command_.valid_=False; command_authentic_=False	arbitrated_command_.source_ shall be command_source_t::none (lowest priority default)
`TC-COM-048`	State	REQ-COM-008	State transition: safe-stop activation overrides current source	safe_stop_.active_=True; vehicle_mode_=vehicle_mode_t::autonomous	arbitrated_command_.source_ shall transition to command_source_t::safe_stop_controller immediately
`TC-COM-049`	State	REQ-COM-008	State transition: entry to autonomous mode selects autonomous source	safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; remote_command_.valid_=False; command_authentic_=False	arbitrated_command_.source_ shall transition to command_source_t::autonomous_mission
`TC-COM-050`	Scenario	REQ-COM-009	Intra-cycle execution order: plausibility before arbitration	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=8.0; remote_command_.desired_yaw_rate_radps_=0.5; remote_command_.valid_=True; command_authentic_=True; vehicle_mode_=vehicle_mode_t::autonomous; safe_stop_.active_=False	plausible_command_ shall be fully written by command_plausibility before command_arbiter reads it; observable through consistent arbitration decision based on plausibility result
`TC-COM-051`	Scenario	REQ-COM-009	Intra-cycle execution order: arbitration before setpoint generation	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=8.0; remote_command_.desired_yaw_rate_radps_=0.5; remote_command_.valid_=True; command_authentic_=True; vehicle_mode_=vehicle_mode_t::autonomous; safe_stop_.active_=False	arbitrated_command_ shall be fully written by command_arbiter before setpoint_generator reads it; observable through motion_setpoint_ reflecting arbitrated source selection
`TC-COM-052`	Concurrency	REQ-COM-009	Shared state protection: last_speed_mps_ not concurrently modified	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_speed_step_mps_=1.0	Shared state last_speed_mps_ shall not exhibit concurrent modification; rate limiting shall use consistent previous value
`TC-COM-053`	Concurrency	REQ-COM-009	Shared state protection: last_yaw_rate_radps_ not concurrently modified	max_command_yaw_rate_radps_=1.0; max_command_yaw_step_radps_=0.2	Shared state last_yaw_rate_radps_ shall not exhibit concurrent modification; yaw rate limiting shall use consistent previous value
`TC-COM-054`	Concurrency	REQ-COM-009	Shared state protection: last_target_speed_mps_ not concurrently modified	max_accel_mps2_=2.0; max_decel_mps2_=3.0	Shared state last_target_speed_mps_ shall not exhibit concurrent modification; acceleration computation shall use consistent previous target speed
`TC-COM-055`	Scenario	REQ-COM-009	Complete intra-cycle data flow from input to motion setpoint	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; max_command_speed_step_mps_=1.0; max_command_yaw_step_radps_=0.2; max_accel_mps2_=2.0; max_decel_mps2_=3.0; remote_command_.desired_speed_mps_=7.0; remote_command_.desired_yaw_rate_radps_=0.4; remote_command_.valid_=True; command_authentic_=True; vehicle_mode_=vehicle_mode_t::autonomous; safe_stop_.active_=False	Within single 20 ms cycle: plausible_command_ written, then arbitrated_command_ written, then motion_setpoint_ written; final motion_setpoint_ reflects complete processing chain without data corruption
`TC-COM-056`	Scenario	REQ-COM-003	Combined clamping and rate limiting interaction (speed)	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_speed_step_mps_=1.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=12.0; remote_command_.desired_yaw_rate_radps_=0.0; remote_command_.valid_=True; command_authentic_=True	plausible_command_.speed_mps_ shall be limited by rate limiter to 9.0 m/s (8.0 + 1.0) before clamping at 10.0 m/s can apply, resulting in 9.0 m/s output
`TC-COM-057`	Scenario	REQ-COM-001, REQ-COM-005	Multiple fault conditions: authentication fail and hard limit exceeded	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=25.0; remote_command_.desired_yaw_rate_radps_=0.0; remote_command_.valid_=True; command_authentic_=False	plausible_command_.plausible_ shall be false (both hard limit and auth checks fail); motion_setpoint_ shall be {speed: 0.0, yaw: 0.0}
`TC-COM-058`	Scenario	REQ-COM-005, REQ-COM-008	Safe-stop activation during remote operator control	safe_stop_.active_=True; remote_command_.desired_speed_mps_=5.0; remote_command_.desired_yaw_rate_radps_=0.3; remote_command_.valid_=True; command_authentic_=True	arbitrated_command_.source_ shall immediately transition to command_source_t::safe_stop_controller; motion_setpoint_ shall be {speed: 0.0, yaw: 0.0} regardless of remote command
`TC-COM-059`	Scenario	REQ-COM-003, REQ-COM-004	Forward-to-reverse speed transition with rate limiting	max_command_speed_mps_=10.0; max_reverse_speed_mps_=5.0; max_command_speed_step_mps_=1.0; max_command_yaw_rate_radps_=1.0; remote_command_.desired_speed_mps_=-4.0; remote_command_.desired_yaw_rate_radps_=0.0; remote_command_.valid_=True; command_authentic_=True	plausible_command_.speed_mps_ shall be rate-limited to +2.0 m/s (3.0 - 1.0) in this cycle; reverse motion magnitude shall not exceed max_reverse_speed_mps_ after multiple cycles

actuation 56 tests

ID	Method	Covers	Title	Stimuli	Expected (oracle)
`TC-ACT-001`	BVA	REQ-ACT-001	Limited acceleration input at lower boundary	limited_motion_.limited_accel_mps2_=min_accel_mps2; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	REVIEW REQUIRED
`TC-ACT-002`	BVA	REQ-ACT-001	Limited acceleration input at upper boundary	limited_motion_.limited_accel_mps2_=max_accel_mps2; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	REVIEW REQUIRED
`TC-ACT-003`	BVA	REQ-ACT-001	Limited steering input at minimum boundary	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=min_steering_input_rad; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	REVIEW REQUIRED
`TC-ACT-004`	BVA	REQ-ACT-001	Limited steering input at maximum boundary	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=max_steering_input_rad; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	REVIEW REQUIRED
`TC-ACT-005`	BVA	REQ-ACT-001	Safe-stop target deceleration at minimum boundary	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=True; safe_stop_.target_decel_mps2_=min_safe_stop_decel_mps2; vehicle_mode_=vehicle_mode_t::safe_stop; power_ok_=True	REVIEW REQUIRED
`TC-ACT-006`	BVA	REQ-ACT-001	Safe-stop target deceleration at maximum boundary	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=True; safe_stop_.target_decel_mps2_=max_safe_stop_decel_mps2; vehicle_mode_=vehicle_mode_t::safe_stop; power_ok_=True	REVIEW REQUIRED
`TC-ACT-007`	BVA	REQ-ACT-002	Drive torque output at minimum boundary	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	actuator_command_.drive_torque_nm_ shall equal 0.0
`TC-ACT-008`	BVA	REQ-ACT-002	Drive torque output at maximum boundary	limited_motion_.limited_accel_mps2_=max_accel_for_max_torque; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	REVIEW REQUIRED
`TC-ACT-009`	BVA	REQ-ACT-002	Brake force output at minimum boundary	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	actuator_command_.brake_force_n_ shall equal 0.0
`TC-ACT-010`	BVA	REQ-ACT-002	Brake force output at maximum boundary	limited_motion_.limited_accel_mps2_=max_decel_for_max_brake; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	REVIEW REQUIRED
`TC-ACT-011`	BVA	REQ-ACT-002, REQ-ACT-003	Steering angle output at negative maximum boundary	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=-2.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True; max_steering_rad_=0.7854	actuator_command_.steering_angle_rad_ shall equal -0.7854 (clamped to -max_steering_rad_)
`TC-ACT-012`	BVA	REQ-ACT-002, REQ-ACT-003	Steering angle output at positive maximum boundary	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=2.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True; max_steering_rad_=0.7854	actuator_command_.steering_angle_rad_ shall equal 0.7854 (clamped to max_steering_rad_)
`TC-ACT-013`	BVA	REQ-ACT-003	Brake force saturation at limit	limited_motion_.limited_accel_mps2_=-50.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	REVIEW REQUIRED
`TC-ACT-014`	EP	REQ-ACT-003	Holding brake force when actuators disabled	limited_motion_.limited_accel_mps2_=2.0; limited_motion_.limited_steering_rad_=0.5; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::fault; power_ok_=True	actuator_command_.brake_force_n_ shall equal 700.0 and actuator_command_.actuators_enabled_ shall equal false
`TC-ACT-015`	EP	REQ-ACT-004	Acceleration to torque conversion formula	limited_motion_.limited_accel_mps2_=2.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	actuator_command_.drive_torque_nm_ shall equal 1050.0 (calculated as 2.0 × 350.0 × 0.15 × 10.0)
`TC-ACT-016`	EP	REQ-ACT-004	Deceleration to brake force conversion formula	limited_motion_.limited_accel_mps2_=-3.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	actuator_command_.brake_force_n_ shall equal 1050.0 (calculated as 3.0 × 350.0) and actuator_command_.drive_torque_nm_ shall equal 0.0
`TC-ACT-017`	EP	REQ-ACT-004	Positive steering direction interpretation	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.3; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	REVIEW REQUIRED
`TC-ACT-018`	EP	REQ-ACT-004	Zero acceleration boundary between drive and brake	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	actuator_command_.drive_torque_nm_ shall equal 0.0 and actuator_command_.brake_force_n_ shall equal 0.0
`TC-ACT-019`	Decision	REQ-ACT-005	Actuator disable on fault mode	limited_motion_.limited_accel_mps2_=2.0; limited_motion_.limited_steering_rad_=0.2; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::fault; power_ok_=True	actuator_command_.actuators_enabled_ shall equal false and actuator_command_.drive_torque_nm_ shall equal 0.0 and actuator_command_.brake_force_n_ shall equal 700.0 (holding brake per REQ-ACT-003)
`TC-ACT-020`	Decision	REQ-ACT-005	Actuator disable on init mode	limited_motion_.limited_accel_mps2_=1.0; limited_motion_.limited_steering_rad_=0.1; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::init; power_ok_=True	actuator_command_.actuators_enabled_ shall equal false and actuator_command_.drive_torque_nm_ shall equal 0.0 and actuator_command_.brake_force_n_ shall equal 700.0 (holding brake per REQ-ACT-003)
`TC-ACT-021`	Decision	REQ-ACT-005	Actuator disable on power loss	limited_motion_.limited_accel_mps2_=1.5; limited_motion_.limited_steering_rad_=0.15; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=False	actuator_command_.actuators_enabled_ shall equal false and actuator_command_.drive_torque_nm_ shall equal 0.0 and actuator_command_.brake_force_n_ shall equal 700.0 (holding brake per REQ-ACT-003)
`TC-ACT-022`	Decision	REQ-ACT-005	Emergency stop override with emergency deceleration	limited_motion_.limited_accel_mps2_=2.0; limited_motion_.limited_steering_rad_=0.3; estop_.active_=True; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::emergency; power_ok_=True	REVIEW REQUIRED
`TC-ACT-023`	Decision	REQ-ACT-005	Safe-stop deceleration application	limited_motion_.limited_accel_mps2_=1.0; limited_motion_.limited_steering_rad_=0.2; estop_.active_=False; safe_stop_.active_=True; safe_stop_.target_decel_mps2_=2.5; vehicle_mode_=vehicle_mode_t::safe_stop; power_ok_=True	actuator_command_.brake_force_n_ shall equal 875.0 (calculated as 2.5 × 350.0 per REQ-ACT-004) and actuator_command_.drive_torque_nm_ shall equal 0.0
`TC-ACT-024`	Decision	REQ-ACT-005	E-stop priority over safe-stop	limited_motion_.limited_accel_mps2_=1.0; limited_motion_.limited_steering_rad_=0.2; estop_.active_=True; safe_stop_.active_=True; safe_stop_.target_decel_mps2_=2.0; vehicle_mode_=vehicle_mode_t::emergency; power_ok_=True	REVIEW REQUIRED
`TC-ACT-025`	EP	REQ-ACT-005	Drive torque zeroed when actuators disabled	limited_motion_.limited_accel_mps2_=3.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::fault; power_ok_=True	actuator_command_.drive_torque_nm_ shall equal 0.0
`TC-ACT-026`	EP	REQ-ACT-006	Alive counter increment on successful cycle	limited_motion_.limited_accel_mps2_=1.0; limited_motion_.limited_steering_rad_=0.1; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	REVIEW REQUIRED
`TC-ACT-027`	EP	REQ-ACT-006	Cycle time compliance	limited_motion_.limited_accel_mps2_=0.5; limited_motion_.limited_steering_rad_=0.05; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	Module execution cycle shall complete within 20 ms
`TC-ACT-028`	Interface	REQ-ACT-007	Alive counter array index bounds	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	REVIEW REQUIRED
`TC-ACT-029`	State	REQ-ACT-008	Actuators enabled in init mode with power	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::init; power_ok_=True	actuator_command_.actuators_enabled_ shall equal true
`TC-ACT-030`	State	REQ-ACT-008	Actuators enabled in idle mode with power	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::idle; power_ok_=True	actuator_command_.actuators_enabled_ shall equal true
`TC-ACT-031`	State	REQ-ACT-008	Actuators enabled in remote mode with power	limited_motion_.limited_accel_mps2_=1.0; limited_motion_.limited_steering_rad_=0.2; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::remote; power_ok_=True	actuator_command_.actuators_enabled_ shall equal true
`TC-ACT-032`	State	REQ-ACT-008	Actuators enabled in autonomous mode with power	limited_motion_.limited_accel_mps2_=1.5; limited_motion_.limited_steering_rad_=0.25; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	actuator_command_.actuators_enabled_ shall equal true
`TC-ACT-033`	State	REQ-ACT-008	Actuators enabled in safe_stop mode with power	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.1; estop_.active_=False; safe_stop_.active_=True; safe_stop_.target_decel_mps2_=2.0; vehicle_mode_=vehicle_mode_t::safe_stop; power_ok_=True	actuator_command_.actuators_enabled_ shall equal true
`TC-ACT-034`	State	REQ-ACT-008	Actuators enabled in emergency mode with power	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=True; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::emergency; power_ok_=True	actuator_command_.actuators_enabled_ shall equal true
`TC-ACT-035`	State	REQ-ACT-008	Actuators enabled in fault mode with power (conflict case)	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::fault; power_ok_=True	REVIEW REQUIRED - REQUIREMENTS CONFLICT
`TC-ACT-036`	State	REQ-ACT-008	Actuators disabled in undefined mode	limited_motion_.limited_accel_mps2_=1.0; limited_motion_.limited_steering_rad_=0.1; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::undefined; power_ok_=True	actuator_command_.actuators_enabled_ shall equal false
`TC-ACT-037`	State	REQ-ACT-008	Steering hold during safe-stop transition	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.3; estop_.active_=False; safe_stop_.active_=True; safe_stop_.target_decel_mps2_=2.5; vehicle_mode_=vehicle_mode_t::safe_stop; power_ok_=True	actuator_command_.steering_angle_rad_ shall equal last valid value before safe-stop activation (0.3 rad assumed)
`TC-ACT-038`	State	REQ-ACT-008	Steering hold during E-stop transition	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.25; estop_.active_=True; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::emergency; power_ok_=True	actuator_command_.steering_angle_rad_ shall equal last valid value before E-stop activation (0.25 rad assumed)
`TC-ACT-039`	Decision	REQ-ACT-008	Drive torque zeroed when E-stop active	limited_motion_.limited_accel_mps2_=2.0; limited_motion_.limited_steering_rad_=0.1; estop_.active_=True; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::emergency; power_ok_=True	actuator_command_.drive_torque_nm_ shall equal 0.0
`TC-ACT-040`	Decision	REQ-ACT-008	Drive torque zeroed when safe-stop active	limited_motion_.limited_accel_mps2_=1.5; limited_motion_.limited_steering_rad_=0.1; estop_.active_=False; safe_stop_.active_=True; safe_stop_.target_decel_mps2_=2.0; vehicle_mode_=vehicle_mode_t::safe_stop; power_ok_=True	actuator_command_.drive_torque_nm_ shall equal 0.0
`TC-ACT-041`	Decision	REQ-ACT-008	Drive torque zeroed when actuators disabled	limited_motion_.limited_accel_mps2_=2.5; limited_motion_.limited_steering_rad_=0.2; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::fault; power_ok_=True	actuator_command_.drive_torque_nm_ shall equal 0.0
`TC-ACT-042`	Interface	REQ-ACT-009	Input signal coherence snapshot	limited_motion_.limited_accel_mps2_=1.0; limited_motion_.limited_steering_rad_=0.15; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	REVIEW REQUIRED
`TC-ACT-043`	Interface	REQ-ACT-009	Output signal atomic write	limited_motion_.limited_accel_mps2_=1.5; limited_motion_.limited_steering_rad_=0.2; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	REVIEW REQUIRED
`TC-ACT-044`	Interface	REQ-ACT-009	Execution sequence before actuator interface	limited_motion_.limited_accel_mps2_=1.0; limited_motion_.limited_steering_rad_=0.1; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	Module execution shall complete before actuator_interface run() is invoked per fixed sequence AOU-002
`TC-ACT-045`	BVA	REQ-ACT-002, REQ-ACT-003	Steering angle within range passes through	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.5; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True; max_steering_rad_=0.7854	actuator_command_.steering_angle_rad_ shall equal 0.5 (input passes through unclamped)
`TC-ACT-046`	BVA	REQ-ACT-003	Steering clamp exactly at negative limit	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=-0.7854; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True; max_steering_rad_=0.7854	actuator_command_.steering_angle_rad_ shall equal -0.7854 (at limit, no clamping)
`TC-ACT-047`	BVA	REQ-ACT-003	Steering clamp exactly at positive limit	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.7854; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True; max_steering_rad_=0.7854	actuator_command_.steering_angle_rad_ shall equal 0.7854 (at limit, no clamping)
`TC-ACT-048`	BVA	REQ-ACT-004	Torque conversion at small positive acceleration	limited_motion_.limited_accel_mps2_=0.1; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	actuator_command_.drive_torque_nm_ shall equal 52.5 (calculated as 0.1 × 350.0 × 0.15 × 10.0)
`TC-ACT-049`	BVA	REQ-ACT-004	Brake force conversion at small deceleration	limited_motion_.limited_accel_mps2_=-0.1; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=True	actuator_command_.brake_force_n_ shall equal 35.0 (calculated as 0.1 × 350.0) and actuator_command_.drive_torque_nm_ shall equal 0.0
`TC-ACT-050`	Scenario	REQ-ACT-005	Normal driving to E-stop transition	limited_motion_.limited_accel_mps2_=2.0; limited_motion_.limited_steering_rad_=0.3; estop_.active_=True; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::emergency; power_ok_=True	REVIEW REQUIRED
`TC-ACT-051`	Scenario	REQ-ACT-005	Normal driving to safe-stop transition	limited_motion_.limited_accel_mps2_=1.5; limited_motion_.limited_steering_rad_=0.2; estop_.active_=False; safe_stop_.active_=True; safe_stop_.target_decel_mps2_=3.0; vehicle_mode_=vehicle_mode_t::safe_stop; power_ok_=True	actuator_command_.brake_force_n_ shall equal 1050.0 (calculated as 3.0 × 350.0), actuator_command_.drive_torque_nm_ shall equal 0.0, actuator_command_.steering_angle_rad_ shall equal last valid value (0.2 assumed)
`TC-ACT-052`	Scenario	REQ-ACT-005, REQ-ACT-008	Safe-stop escalation to E-stop	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.15; estop_.active_=True; safe_stop_.active_=True; safe_stop_.target_decel_mps2_=2.0; vehicle_mode_=vehicle_mode_t::emergency; power_ok_=True	REVIEW REQUIRED
`TC-ACT-053`	Scenario	REQ-ACT-005	Power loss during normal operation	limited_motion_.limited_accel_mps2_=1.0; limited_motion_.limited_steering_rad_=0.1; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::autonomous; power_ok_=False	actuator_command_.actuators_enabled_ shall equal false, actuator_command_.drive_torque_nm_ shall equal 0.0, actuator_command_.brake_force_n_ shall equal 700.0 (holding brake per REQ-ACT-003)
`TC-ACT-054`	Scenario	REQ-ACT-005	Fault detection during normal operation	limited_motion_.limited_accel_mps2_=1.5; limited_motion_.limited_steering_rad_=0.2; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::fault; power_ok_=True	actuator_command_.actuators_enabled_ shall equal false, actuator_command_.drive_torque_nm_ shall equal 0.0, actuator_command_.brake_force_n_ shall equal 700.0 (holding brake per REQ-ACT-003)
`TC-ACT-055`	Scenario	REQ-ACT-008	System initialization to operational transition	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::init; power_ok_=True	REVIEW REQUIRED - REQUIREMENTS CONFLICT
`TC-ACT-056`	EP	REQ-ACT-003	Holding brake force application on disable	limited_motion_.limited_accel_mps2_=0.0; limited_motion_.limited_steering_rad_=0.0; estop_.active_=False; safe_stop_.active_=False; vehicle_mode_=vehicle_mode_t::fault; power_ok_=True	actuator_command_.brake_force_n_ shall equal 700.0 (holding brake) regardless of brake_force_request_n_ value

localization 76 tests

ID	Method	Covers	Title	Stimuli	Expected (oracle)
`TC-LOC-001`	BVA	REQ-LOC-001	tick_ms_ minimum boundary value acceptance	tick_ms_=0	REVIEW REQUIRED
`TC-LOC-002`	BVA	REQ-LOC-001	tick_ms_ maximum boundary value acceptance	tick_ms_=18446744073709551615	REVIEW REQUIRED
`TC-LOC-003`	BVA	REQ-LOC-001	Wheel encoder ticks minimum boundary	tick_ms_=1000	REVIEW REQUIRED
`TC-LOC-004`	BVA	REQ-LOC-001	IMU yaw rate minimum boundary	tick_ms_=1000	REVIEW REQUIRED
`TC-LOC-005`	BVA	REQ-LOC-001	Odometry speed minimum boundary	tick_ms_=1000	REVIEW REQUIRED
`TC-LOC-006`	BVA	REQ-LOC-002	Pose heading at lower boundary (-π)	tick_ms_=5000	pose_.heading is in range [-3.14159, +3.14159] and approximately equal to -3.14159 radians
`TC-LOC-007`	BVA	REQ-LOC-002	Pose heading at upper boundary (+π)	tick_ms_=5000	pose_.heading is in range [-3.14159, +3.14159] and approximately equal to +3.14159 radians
`TC-LOC-008`	BVA	REQ-LOC-002	Pose speed at lower boundary (0.0)	tick_ms_=2000	pose_.speed is in range [0.0, max_pose_speed] and equal to 0.0 m/s
`TC-LOC-009`	BVA	REQ-LOC-002	Pose speed at upper boundary	tick_ms_=3000	REVIEW REQUIRED
`TC-LOC-010`	BVA	REQ-LOC-002	Pose confidence at lower boundary (0.0)	tick_ms_=4000	pose_.confidence is in range [0.0, 1.0] and equal to 0.0
`TC-LOC-011`	BVA	REQ-LOC-002	Pose confidence at upper boundary (1.0)	tick_ms_=1000	pose_.confidence is in range [0.0, 1.0] and equal to 1.0
`TC-LOC-012`	BVA	REQ-LOC-002	Pose x position boundary (unresolved)	tick_ms_=2000	REVIEW REQUIRED
`TC-LOC-013`	BVA	REQ-LOC-002	Pose y position boundary (unresolved)	tick_ms_=2000	REVIEW REQUIRED
`TC-LOC-014`	BVA	REQ-LOC-003	Clamping of pose confidence to lower bound (0.0)	tick_ms_=3000	pose_.confidence is clamped to 0.0 (not negative)
`TC-LOC-015`	BVA	REQ-LOC-003	Clamping of pose confidence to upper bound (1.0)	tick_ms_=3000	pose_.confidence is clamped to 1.0 (not exceeding)
`TC-LOC-016`	BVA	REQ-LOC-003	Clamping of pose x to minimum (unresolved)	tick_ms_=5000	REVIEW REQUIRED
`TC-LOC-017`	BVA	REQ-LOC-003	Clamping of pose x to maximum (unresolved)	tick_ms_=5000	REVIEW REQUIRED
`TC-LOC-018`	BVA	REQ-LOC-003	Clamping of pose y to minimum (unresolved)	tick_ms_=5000	REVIEW REQUIRED
`TC-LOC-019`	BVA	REQ-LOC-003	Clamping of pose y to maximum (unresolved)	tick_ms_=5000	REVIEW REQUIRED
`TC-LOC-020`	Interface	REQ-LOC-004	Wheel ticks to meters conversion with calibration parameter	tick_ms_=1000; wheel_ticks_per_meter=1000.0	odometry_ accumulated distance correctly reflects conversion using wheel_ticks_per_meter (e.g., 1000 ticks = 1.0 meter)
`TC-LOC-021`	Interface	REQ-LOC-004	Heading expressed in radians with counterclockwise positive	tick_ms_=2000	pose_.heading is expressed in radians and increases (counterclockwise) when positive yaw rate is integrated
`TC-LOC-022`	Interface	REQ-LOC-004	IMU yaw rate expressed in radians/second	tick_ms_=1000	imu_.yaw_rate is expressed in radians/second and integrated into heading over time delta dt
`TC-LOC-023`	Interface	REQ-LOC-004	Positions (x, y) expressed in meters	tick_ms_=3000	pose_.x and pose_.y are expressed in meters, derived from encoder ticks via wheel_ticks_per_meter conversion
`TC-LOC-024`	Interface	REQ-LOC-004	Timing calculations use milliseconds	tick_ms_=2500	Time delta dt is calculated as (2500 - previous_tick_ms) / 1000.0 seconds, confirming millisecond input unit
`TC-LOC-025`	Decision	REQ-LOC-005	IMU marked invalid when age exceeds staleness timeout	tick_ms_=1600; imu_stale_timeout_ms=500	imu_.valid is false because (1600 - 1000) = 600 ms exceeds imu_stale_timeout_ms (500 ms)
`TC-LOC-026`	Decision	REQ-LOC-005	Odometry marked invalid when no fresh sensor data injected	tick_ms_=1000	odometry_.valid is false because !injected_ (no fresh sensor data injected)
`TC-LOC-027`	Decision	REQ-LOC-005	Pose confidence reduced by 0.5 for one invalid sensor	tick_ms_=2000	pose_.confidence is reduced by 0.5 (from 1.0 to 0.5) when one sensor is invalid
`TC-LOC-028`	Decision	REQ-LOC-005	Pose confidence reduced by 1.0 for two invalid sensors	tick_ms_=2000	pose_.confidence is reduced by 1.0 (from 1.0 to 0.0) when both sensors are invalid
`TC-LOC-029`	Decision	REQ-LOC-005	Pose marked invalid when confidence falls below threshold	tick_ms_=3000; pose_min_confidence=0.6	pose_.valid is false when pose_.confidence < 0.6 (pose_min_confidence)
`TC-LOC-030`	Decision	REQ-LOC-005	Fallback integration uses zero substitution for invalid sensor	tick_ms_=2000	Pose integration proceeds using zero substitution for invalid sensor data (e.g., yaw_rate=0 or distance=0)
`TC-LOC-031`	Interface	REQ-LOC-006	Time delta calculation using tick_ms_ formula	tick_ms_=2500	Time delta dt is calculated as (2500 - 1000) / 1000.0 = 1.5 seconds
`TC-LOC-032`	Decision	REQ-LOC-006	IMU staleness detection at threshold boundary	tick_ms_=1500; imu_stale_timeout_ms=500	REVIEW REQUIRED
`TC-LOC-033`	Decision	REQ-LOC-006	IMU staleness detection just below threshold	tick_ms_=1499; imu_stale_timeout_ms=500	REVIEW REQUIRED
`TC-LOC-034`	Decision	REQ-LOC-006	IMU staleness detection just above threshold	tick_ms_=1501; imu_stale_timeout_ms=500	REVIEW REQUIRED
`TC-LOC-035`	Interface	REQ-LOC-006	Nominal cycle time assumption for integration	tick_ms_=1000	REVIEW REQUIRED
`TC-LOC-036`	Decision	REQ-LOC-006	Non-monotonic tick_ms_ handling (backward time)	tick_ms_=1000	REVIEW REQUIRED
`TC-LOC-037`	Decision	REQ-LOC-006	Non-monotonic tick_ms_ handling (no time advance)	tick_ms_=1000	REVIEW REQUIRED
`TC-LOC-038`	State	REQ-LOC-006	Sensor validity debouncing over multiple cycles	tick_ms_=1000	REVIEW REQUIRED
`TC-LOC-039`	Interface	REQ-LOC-007	Alive counter index within bounds (module_id::localization)	tick_ms_=1000	REVIEW REQUIRED
`TC-LOC-040`	BVA	REQ-LOC-007	Alive counter at maximum value (UINT64_MAX)	tick_ms_=1000	alive_counters_[module_id::localization] increments to UINT64_MAX (18446744073709551615)
`TC-LOC-041`	BVA	REQ-LOC-007	Alive counter overflow to 0	tick_ms_=1000	alive_counters_[module_id::localization] wraps to 0 on next increment
`TC-LOC-042`	BVA	REQ-LOC-007	Alive counter increment from 0	tick_ms_=1000	alive_counters_[module_id::localization] increments to 1 after first cycle
`TC-LOC-043`	State	REQ-LOC-008	Pose initialization to (0.0, 0.0, 0.0) at startup	tick_ms_=0	pose_.x = 0.0, pose_.y = 0.0, pose_.heading = 0.0 at initialization
`TC-LOC-044`	State	REQ-LOC-008	Initial pose confidence at startup	tick_ms_=0	REVIEW REQUIRED
`TC-LOC-045`	State	REQ-LOC-008	State transition after first valid sensor data	tick_ms_=1000	REVIEW REQUIRED
`TC-LOC-046`	BVA	REQ-LOC-008	Heading wrapping from +π to -π boundary	tick_ms_=2000	pose_.heading wraps from +π (+3.14159) to negative values near -π (-3.14159) using iterative while-loop normalization
`TC-LOC-047`	BVA	REQ-LOC-008	Heading wrapping from -π to +π boundary	tick_ms_=2000	pose_.heading wraps from -π (-3.14159) to positive values near +π (+3.14159) using iterative while-loop normalization
`TC-LOC-048`	BVA	REQ-LOC-008	Heading wrapping with multiple rotations (+3π)	tick_ms_=5000	pose_.heading is normalized to range [-π, +π] using iterative while-loop (e.g., +3π wraps to +π via subtraction of 2π)
`TC-LOC-049`	State	REQ-LOC-008	Accumulated state reset under specified condition	tick_ms_=3000	REVIEW REQUIRED
`TC-LOC-050`	Interface	REQ-LOC-009	inject_ticks() called before run() enforcement	tick_ms_=1000	Module applies flag check with safe default: odometry_.valid = false due to !injected_ flag
`TC-LOC-051`	Interface	REQ-LOC-009	inject_imu() called before run() enforcement	tick_ms_=1000	Module applies flag check with safe default: imu_.valid = false due to staleness or missing injection
`TC-LOC-052`	Interface	REQ-LOC-009	tick_ms_ read at run() entry from bus	tick_ms_=2000	Module uses tick_ms_ value (2000) present at run() entry for time delta calculation
`TC-LOC-053`	Interface	REQ-LOC-009	Atomic pose_ update (single write struct assignment)	tick_ms_=1500	pose_ output reflects consistent snapshot (all fields from same integration step), no partial updates observable
`TC-LOC-054`	Interface	REQ-LOC-009	Concurrent access to alive_counters_ synchronization	tick_ms_=1000	REVIEW REQUIRED
`TC-LOC-055`	Scenario	REQ-LOC-005, REQ-LOC-006	Complete sensor fault recovery scenario	tick_ms_=5000; imu_stale_timeout_ms=500	imu_.valid transitions false when stale, pose_.confidence degrades by 0.5, then imu_.valid recovers true, pose_.confidence restores (mechanism unclear)
`TC-LOC-056`	Scenario	REQ-LOC-004, REQ-LOC-008	Heading integration and wrapping scenario	tick_ms_=10000	pose_.heading wraps from 0 → +π → -π → 0 using iterative normalization, completing 2π rotation in radians
`TC-LOC-057`	Scenario	REQ-LOC-003, REQ-LOC-005	Confidence degradation and clamping scenario	tick_ms_=3000	pose_.confidence degrades by 0.5 per invalid sensor (1.0 → 0.5 → 0.0), clamped to [0.0, 1.0], pose_.valid becomes false when below pose_min_confidence
`TC-LOC-058`	Scenario	REQ-LOC-004, REQ-LOC-006	Position integration with known displacement	tick_ms_=2000; wheel_ticks_per_meter=1000.0	pose_.x increases by 10.0 meters (from ticks via wheel_ticks_per_meter conversion), pose_.y remains ~0.0, using dt from tick_ms_ delta
`TC-LOC-059`	Scenario	REQ-LOC-007, REQ-LOC-009	Alive counter increment across multiple cycles	tick_ms_=100000	alive_counters_[module_id::localization] increments to 100, confirming heartbeat per cycle execution
`TC-LOC-060`	Decision	REQ-LOC-001	Out-of-range tick_ms_ rejection (below minimum)	tick_ms_=0	REVIEW REQUIRED
`TC-LOC-061`	Decision	REQ-LOC-002	Pose heading at exactly -π boundary	tick_ms_=3000	pose_.heading is exactly -3.14159 radians, within valid range [-π, +π]
`TC-LOC-062`	Decision	REQ-LOC-002	Pose heading at exactly +π boundary	tick_ms_=3000	pose_.heading is exactly +3.14159 radians, within valid range [-π, +π]
`TC-LOC-063`	Decision	REQ-LOC-005	Fallback integration with only odometry valid	tick_ms_=2500; imu_stale_timeout_ms=500	Pose integration proceeds with odometry displacement, heading integration uses zero substitution for yaw_rate (no heading change)
`TC-LOC-064`	Decision	REQ-LOC-005	Fallback integration with only IMU valid	tick_ms_=2500	Pose integration proceeds with IMU yaw rate for heading, position integration uses zero substitution for displacement (no position change)
`TC-LOC-065`	Decision	REQ-LOC-005	Fallback integration with both sensors invalid	tick_ms_=3000	Pose integration proceeds with zero substitution for both (no position or heading change), confidence degraded by 1.0, pose_.valid likely false
`TC-LOC-066`	BVA	REQ-LOC-006	Time delta with zero tick_ms_ advance	tick_ms_=1000	REVIEW REQUIRED
`TC-LOC-067`	BVA	REQ-LOC-006	Time delta with very large tick_ms_ advance	tick_ms_=100000	Time delta dt calculated as (100000 - 1000) / 1000.0 = 99.0 seconds, integration proceeds (no dt clamping specified)
`TC-LOC-068`	State	REQ-LOC-008	Heading normalization with small excess beyond +π	tick_ms_=2000	pose_.heading normalized to approximately -3.08 radians (3.2 - 2π) within [-π, +π] using iterative while-loop
`TC-LOC-069`	State	REQ-LOC-008	Heading normalization with small excess below -π	tick_ms_=2000	pose_.heading normalized to approximately +3.08 radians (-3.2 + 2π) within [-π, +π] using iterative while-loop
`TC-LOC-070`	EP	REQ-LOC-003	Pose confidence within valid range (no clamping)	tick_ms_=2000	pose_.confidence remains 0.7 (no clamping applied), within valid range [0.0, 1.0]
`TC-LOC-071`	Interface	REQ-LOC-004	Negative yaw rate integration (clockwise rotation)	tick_ms_=2000	pose_.heading decreases (clockwise rotation) when negative yaw rate integrated, consistent with counterclockwise positive convention
`TC-LOC-072`	Interface	REQ-LOC-004	Zero yaw rate integration (no heading change)	tick_ms_=3000	pose_.heading remains approximately 1.0 radians (no change) when yaw_rate=0 integrated
`TC-LOC-073`	Decision	REQ-LOC-005	IMU validity flag persistence after staleness recovery	tick_ms_=2500; imu_stale_timeout_ms=500	imu_.valid transitions from false to true after fresh IMU injection, indicating staleness recovery
`TC-LOC-074`	Decision	REQ-LOC-005	Odometry validity flag persistence after injection recovery	tick_ms_=2000	odometry_.valid transitions from false to true after inject_ticks() called with valid data
`TC-LOC-075`	BVA	REQ-LOC-006	IMU staleness at exact timeout boundary	tick_ms_=1500; imu_stale_timeout_ms=500	REVIEW REQUIRED
`TC-LOC-076`	Interface	REQ-LOC-007	Alive counter increment monotonicity	tick_ms_=10000	alive_counters_[module_id::localization] increments monotonically by 1 each cycle (e.g., 0→1→2→...→10)

motion_control 56 tests

ID	Method	Covers	Title	Stimuli	Expected (oracle)
`TC-MOT-001`	BVA	REQ-MOT-001	Target speed setpoint at lower boundary (negative max reverse)	motion_setpoint_.target_speed_mps_=-max_reverse_speed_mps_; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=0.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	Module processes input without error; limited_motion_.limited_speed_mps_ <= -max_reverse_speed_mps_ (clamped to reverse envelope)
`TC-MOT-002`	BVA	REQ-MOT-001	Target speed setpoint at upper boundary (max forward)	motion_setpoint_.target_speed_mps_=max_speed_mps_; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=0.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	Module processes input without error; limited_motion_.limited_speed_mps_ <= max_speed_mps_ (clamped to forward envelope)
`TC-MOT-003`	BVA	REQ-MOT-001	Target yaw rate at negative boundary	motion_setpoint_.target_speed_mps_=5.0; motion_setpoint_.target_yaw_rate_radps_=-max_command_yaw_rate_radps_; pose_.speed_mps_=5.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	Module processes input without error; limited_motion_.limited_yaw_rate_radps_ is within [-max_command_yaw_rate_radps_, max_command_yaw_rate_radps_]
`TC-MOT-004`	BVA	REQ-MOT-001	Target yaw rate at positive boundary	motion_setpoint_.target_speed_mps_=5.0; motion_setpoint_.target_yaw_rate_radps_=max_command_yaw_rate_radps_; pose_.speed_mps_=5.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	Module processes input without error; limited_motion_.limited_yaw_rate_radps_ is within [-max_command_yaw_rate_radps_, max_command_yaw_rate_radps_]
`TC-MOT-005`	BVA	REQ-MOT-001	Pose speed input at unresolved minimum boundary	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=UNRESOLVED_min_pose_speed_mps; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-006`	BVA	REQ-MOT-001	Pose speed input at unresolved maximum boundary	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=UNRESOLVED_max_pose_speed_mps; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-007`	BVA	REQ-MOT-001	IMU yaw rate input at unresolved minimum boundary	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=UNRESOLVED_min_imu_yaw_rate_radps; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-008`	BVA	REQ-MOT-001	IMU yaw rate input at unresolved maximum boundary	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=UNRESOLVED_max_imu_yaw_rate_radps; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-009`	BVA	REQ-MOT-002	Speed control output at maximum acceleration boundary	motion_setpoint_.target_speed_mps_=30.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=0.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	speed_control_output_mps2_ <= max_accel_mps2_ (saturated at upper bound)
`TC-MOT-010`	BVA	REQ-MOT-002	Speed control output at maximum deceleration boundary	motion_setpoint_.target_speed_mps_=0.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=30.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	speed_control_output_mps2_ >= -max_decel_mps2_ (saturated at lower bound)
`TC-MOT-011`	BVA	REQ-MOT-002	Steering control output at positive steering limit	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=1.5; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	steering_control_output_rad_ <= max_steering_rad_ (saturated at upper bound)
`TC-MOT-012`	BVA	REQ-MOT-002	Steering control output at negative steering limit	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=-1.5; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	steering_control_output_rad_ >= -max_steering_rad_ (saturated at lower bound)
`TC-MOT-013`	BVA	REQ-MOT-002	Limited acceleration output at maximum boundary	motion_setpoint_.target_speed_mps_=30.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=0.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	limited_motion_.limited_accel_mps2_ <= max_accel_mps2_
`TC-MOT-014`	BVA	REQ-MOT-002	Limited acceleration output at minimum boundary	motion_setpoint_.target_speed_mps_=0.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=30.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	limited_motion_.limited_accel_mps2_ >= -max_decel_mps2_
`TC-MOT-015`	BVA	REQ-MOT-002	Limited steering output at positive limit	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=1.5; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	limited_motion_.limited_steering_rad_ <= max_steering_rad_
`TC-MOT-016`	BVA	REQ-MOT-002	Limited steering output at negative limit	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=-1.5; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	limited_motion_.limited_steering_rad_ >= -max_steering_rad_
`TC-MOT-017`	Decision	REQ-MOT-003	Speed PID anti-windup at positive saturation	motion_setpoint_.target_speed_mps_=30.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=5.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	speed_control_output_mps2_ = max_accel_mps2_; speed PID integral term does not continue accumulating beyond saturation (anti-windup active)
`TC-MOT-018`	Decision	REQ-MOT-003	Speed PID anti-windup at negative saturation	motion_setpoint_.target_speed_mps_=0.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=25.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	speed_control_output_mps2_ = -max_decel_mps2_; speed PID integral term does not continue accumulating beyond saturation (anti-windup active)
`TC-MOT-019`	Decision	REQ-MOT-003	Steering PID anti-windup at positive saturation	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=2.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	steering_control_output_rad_ = max_steering_rad_; steering PID integral term does not continue accumulating beyond saturation (anti-windup active)
`TC-MOT-020`	Decision	REQ-MOT-003	Steering PID anti-windup at negative saturation	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=-2.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	steering_control_output_rad_ = -max_steering_rad_; steering PID integral term does not continue accumulating beyond saturation (anti-windup active)
`TC-MOT-021`	Scenario	REQ-MOT-003, REQ-MOT-006	Jerk rate limiting on large acceleration step command	motion_setpoint_.target_speed_mps_=30.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=0.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	Change in limited_motion_.limited_accel_mps2_ from previous cycle to current cycle <= (max_jerk_mps3_ * 0.02) m/s²
`TC-MOT-022`	EP	REQ-MOT-004	Positive target speed interpreted as forward motion	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=0.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	limited_motion_.limited_speed_mps_ >= 0.0 and speed_control_output_mps2_ >= 0.0 (positive acceleration for forward motion command)
`TC-MOT-023`	EP	REQ-MOT-004	Negative target speed interpreted as reverse motion	motion_setpoint_.target_speed_mps_=-5.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=0.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	limited_motion_.limited_speed_mps_ <= 0.0 and speed_control_output_mps2_ <= 0.0 (negative acceleration for reverse motion command)
`TC-MOT-024`	EP	REQ-MOT-004	Positive yaw rate sign convention (direction unresolved)	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.5; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-025`	EP	REQ-MOT-004	Negative yaw rate sign convention (direction unresolved)	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=-0.5; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-026`	EP	REQ-MOT-004	Positive steering angle sign convention (direction unresolved)	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.5; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-027`	EP	REQ-MOT-004	Negative steering angle sign convention (direction unresolved)	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=-0.5; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-028`	EP	REQ-MOT-004	Positive acceleration output for forward acceleration command	motion_setpoint_.target_speed_mps_=15.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=5.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	speed_control_output_mps2_ > 0.0 and limited_motion_.limited_accel_mps2_ > 0.0 (positive values for forward acceleration in m/s²)
`TC-MOT-029`	State	REQ-MOT-005	Speed reduction when degradation_level_ = reduced_speed	motion_setpoint_.target_speed_mps_=20.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=reduced_speed	limited_motion_.limited_speed_mps_ <= reduced_max_speed_mps_ (speed envelope reduced per degradation state)
`TC-MOT-030`	State	REQ-MOT-005	Speed set to zero when degradation_level_ = safe_stop_only	motion_setpoint_.target_speed_mps_=20.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=safe_stop_only	limited_motion_.limited_speed_mps_ = 0.0 (vehicle commanded to stop per degradation state)
`TC-MOT-031`	State	REQ-MOT-005	Speed set to zero when degradation_level_ = disabled	motion_setpoint_.target_speed_mps_=20.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=disabled	limited_motion_.limited_speed_mps_ = 0.0 (vehicle commanded to stop per degradation state)
`TC-MOT-032`	State	REQ-MOT-005	Degradation-dependent acceleration envelope (unresolved formula)	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=5.0; imu_.yaw_rate_radps_=0.0; degradation_level_=reduced_speed	REVIEW REQUIRED
`TC-MOT-033`	Decision	REQ-MOT-005	Failsafe actuator commands on invalid input (unresolved condition)	motion_setpoint_.target_speed_mps_=UNRESOLVED_INVALID_VALUE; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-034`	EP	REQ-MOT-006	Cycle period consistency verification	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	Module executes with period = 20 ms; PID controllers use dt = 0.02 s for derivative and integral term calculations
`TC-MOT-035`	State	REQ-MOT-006	PID derivative term zero on first cycle after initialization	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.2; pose_.speed_mps_=5.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	speed_control_output_mps2_ and steering_control_output_rad_ computed with derivative term = 0.0 (no derivative kick on initialization)
`TC-MOT-036`	EP	REQ-MOT-006	Alive counter increment per cycle	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	alive_counters_[module_id::motion] increments by 1 per cycle (health signal active)
`TC-MOT-037`	BVA	REQ-MOT-006	Jerk rate limit applied per cycle using 0.02s time step	motion_setpoint_.target_speed_mps_=25.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=0.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	Change in limited_motion_.limited_accel_mps2_ per cycle <= (max_jerk_mps3_ * 0.02) m/s²
`TC-MOT-038`	BVA	REQ-MOT-007	Speed PID integral term bounded at unresolved minimum	motion_setpoint_.target_speed_mps_=0.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=20.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-039`	BVA	REQ-MOT-007	Speed PID integral term bounded at unresolved maximum	motion_setpoint_.target_speed_mps_=25.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=0.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-040`	BVA	REQ-MOT-007	Steering PID integral term bounded at unresolved minimum	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=-1.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.5; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-041`	BVA	REQ-MOT-007	Steering PID integral term bounded at unresolved maximum	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=1.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=-0.5; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-042`	BVA	REQ-MOT-007	Alive counter wraps at unresolved modulo boundary	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-043`	State	REQ-MOT-008	Speed PID integral and derivative initialized to 0.0 on first execution	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=0.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	speed_control_output_mps2_ computed with integral = 0.0 and derivative = 0.0 (initial PID state)
`TC-MOT-044`	State	REQ-MOT-008	Speed PID state preserved across degradation transition from normal to reduced_speed	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=8.0; imu_.yaw_rate_radps_=0.0; degradation_level_=reduced_speed	Speed PID integral and derivative states preserved (not reset) across degradation transition per preserve policy
`TC-MOT-045`	State	REQ-MOT-008	Steering PID integral and derivative initialized to 0.0 on first execution	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.5; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	steering_control_output_rad_ computed with integral = 0.0 and derivative = 0.0 (initial PID state)
`TC-MOT-046`	State	REQ-MOT-008	has_prev_ flag set to false until first cycle completes	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=5.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	On first cycle, has_prev_ = false (derivative terms = 0.0); on subsequent cycles has_prev_ = true (derivative terms computed normally)
`TC-MOT-047`	Interface	REQ-MOT-009	Speed controller executes before trajectory limiter within cycle	motion_setpoint_.target_speed_mps_=15.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-048`	Interface	REQ-MOT-009	Steering controller executes before trajectory limiter within cycle	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.5; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-049`	Interface	REQ-MOT-009	Trajectory limiter reads controller outputs after both controllers write	motion_setpoint_.target_speed_mps_=15.0; motion_setpoint_.target_yaw_rate_radps_=0.5; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	REVIEW REQUIRED
`TC-MOT-050`	Interface	REQ-MOT-009	All limited_motion_ fields updated atomically per single-writer policy	motion_setpoint_.target_speed_mps_=15.0; motion_setpoint_.target_yaw_rate_radps_=0.5; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	All fields of limited_motion_ (limited_speed_mps_, limited_accel_mps2_, limited_yaw_rate_radps_, limited_steering_rad_) are consistent snapshot from single cycle execution (no partial updates visible to external consumers)
`TC-MOT-051`	EP	REQ-MOT-009	Alive counter incremented exactly once per cycle by trajectory_limiter	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	alive_counters_[module_id::motion] increments by exactly 1 per cycle (no double-increment, no missed increment)
`TC-MOT-052`	Scenario	REQ-MOT-002, REQ-MOT-003	Multi-stage saturation: speed PID saturated, then jerk limited	motion_setpoint_.target_speed_mps_=30.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=0.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	speed_control_output_mps2_ clamped to max_accel_mps2_; limited_motion_.limited_accel_mps2_ further rate-limited by jerk constraint (max_jerk_mps3_ * 0.02 per cycle)
`TC-MOT-053`	BVA	REQ-MOT-001, REQ-MOT-002	Negative boundary test: target speed below -max_reverse_speed_mps_	motion_setpoint_.target_speed_mps_=-max_reverse_speed_mps_ - 1.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=0.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	Module either rejects input or clamps limited_motion_.limited_speed_mps_ to >= -max_reverse_speed_mps_ (input domain protection)
`TC-MOT-054`	BVA	REQ-MOT-001, REQ-MOT-002	Negative boundary test: target speed above max_speed_mps_	motion_setpoint_.target_speed_mps_=max_speed_mps_ + 1.0; motion_setpoint_.target_yaw_rate_radps_=0.0; pose_.speed_mps_=0.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	Module either rejects input or clamps limited_motion_.limited_speed_mps_ to <= max_speed_mps_ (input domain protection)
`TC-MOT-055`	BVA	REQ-MOT-001, REQ-MOT-002	Negative boundary test: target yaw rate below -max_command_yaw_rate_radps_	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=-max_command_yaw_rate_radps_ - 0.1; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	Module either rejects input or clamps limited_motion_.limited_yaw_rate_radps_ to >= -max_command_yaw_rate_radps_ (input domain protection)
`TC-MOT-056`	BVA	REQ-MOT-001, REQ-MOT-002	Negative boundary test: target yaw rate above max_command_yaw_rate_radps_	motion_setpoint_.target_speed_mps_=10.0; motion_setpoint_.target_yaw_rate_radps_=max_command_yaw_rate_radps_ + 0.1; pose_.speed_mps_=10.0; imu_.yaw_rate_radps_=0.0; degradation_level_=normal	Module either rejects input or clamps limited_motion_.limited_yaw_rate_radps_ to <= max_command_yaw_rate_radps_ (input domain protection)

perception 70 tests

ID	Method	Covers	Title	Stimuli	Expected (oracle)
`TC-PER-001`	BVA	REQ-PER-001	Ego speed minimum boundary acceptance	pose_.speed_mps_=REVIEW REQUIRED: min_ego_speed_mps; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-002`	BVA	REQ-PER-001	Ego speed maximum boundary acceptance	pose_.speed_mps_=REVIEW REQUIRED: max_ego_speed_mps; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-003`	BVA	REQ-PER-001	Ego speed below minimum boundary rejection	pose_.speed_mps_=REVIEW REQUIRED: min_ego_speed_mps - 0.1; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-004`	BVA	REQ-PER-001	Ego speed above maximum boundary rejection	pose_.speed_mps_=REVIEW REQUIRED: max_ego_speed_mps + 0.1; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-005`	BVA	REQ-PER-001	Monotonically increasing timestamp normal operation	pose_.speed_mps_=20.0; tick_ms_=1050	Module accepts tick_ms_ = 1050. alive_counters_[module_id::perception] increments. No fault status asserted.
`TC-PER-006`	BVA	REQ-PER-001	Timestamp backwards within permissible delta	pose_.speed_mps_=20.0; tick_ms_=REVIEW REQUIRED: 1000 - max_tick_backwards_ms	REVIEW REQUIRED
`TC-PER-007`	BVA	REQ-PER-001	Timestamp backwards exceeding permissible delta	pose_.speed_mps_=20.0; tick_ms_=REVIEW REQUIRED: 1000 - (max_tick_backwards_ms + 1)	REVIEW REQUIRED
`TC-PER-008`	BVA	REQ-PER-002	Collision TTC at minimum boundary (zero)	pose_.speed_mps_=30.0; tick_ms_=1000	collision_.time_to_collision_s >= 0.0 (no negative TTC values produced)
`TC-PER-009`	BVA	REQ-PER-002	Collision TTC at maximum boundary (large sentinel)	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-010`	BVA	REQ-PER-002	Collision nearest range at minimum boundary (zero)	pose_.speed_mps_=5.0; tick_ms_=1000	collision_.nearest_range_m >= 0.0 (no negative range values produced)
`TC-PER-011`	BVA	REQ-PER-002	Collision nearest range at maximum boundary (large sentinel)	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-012`	BVA	REQ-PER-002	Obstacle range at minimum boundary (exclusive zero)	pose_.speed_mps_=15.0; tick_ms_=1000	All obstacle range values in obstacles_ vector satisfy range > 0.0 (strictly positive, zero excluded)
`TC-PER-013`	BVA	REQ-PER-002	Obstacle range at maximum boundary	pose_.speed_mps_=25.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-014`	BVA	REQ-PER-002	Obstacle bearing at minimum boundary	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-015`	BVA	REQ-PER-002	Obstacle bearing at maximum boundary	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-016`	BVA	REQ-PER-003	TTC clamping at maximum threshold	pose_.speed_mps_=10.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-017`	BVA	REQ-PER-003	TTC exceeds clamping threshold	pose_.speed_mps_=5.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-018`	BVA	REQ-PER-003	Obstacle relative speed at minimum clamping boundary	pose_.speed_mps_=30.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-019`	BVA	REQ-PER-003	Obstacle relative speed at maximum clamping boundary	pose_.speed_mps_=30.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-020`	BVA	REQ-PER-003	Relative speed below minimum clamp	pose_.speed_mps_=25.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-021`	BVA	REQ-PER-003	Relative speed above maximum clamp	pose_.speed_mps_=5.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-022`	EP	REQ-PER-004	Bearing angle sign convention verification	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-023`	EP	REQ-PER-004	Positive relative speed indicates receding obstacle	pose_.speed_mps_=20.0; tick_ms_=1000	Obstacle in obstacles_ vector has relative_speed > 0 (positive, indicating opening/receding per REQ-PER-004)
`TC-PER-024`	EP	REQ-PER-004	Negative relative speed indicates approaching obstacle	pose_.speed_mps_=20.0; tick_ms_=1000	Obstacle in obstacles_ vector has relative_speed < 0 (negative, indicating closing/approaching per REQ-PER-004)
`TC-PER-025`	Decision	REQ-PER-004	TTC computation formula with closing scenario	pose_.speed_mps_=30.0; tick_ms_=1000	collision_.time_to_collision_s = 50 / (30 - (-10)) = 50 / 40 = 1.25 seconds (using formula ttc = range / (ego_speed - relative_speed) per REQ-PER-004)
`TC-PER-026`	Decision	REQ-PER-004	TTC computation formula with opening scenario	pose_.speed_mps_=20.0; tick_ms_=1000	collision_.time_to_collision_s = large sentinel (no collision, closing_speed = 20 - 5 = 15, obstacle opening so TTC not computed or set to max per clamping)
`TC-PER-027`	EP	REQ-PER-004	Range values maintained in meters	pose_.speed_mps_=25.0; tick_ms_=1000	All range fields (collision_.nearest_range_m, obstacle.range_m in obstacles_) are in meters (SI unit consistency per REQ-PER-004)
`TC-PER-028`	EP	REQ-PER-004	Speed values maintained in meters-per-second	pose_.speed_mps_=30.0; tick_ms_=1000	All speed fields (pose_.speed_mps_, obstacle.relative_speed_mps in obstacles_) are in meters-per-second (SI unit consistency per REQ-PER-004)
`TC-PER-029`	Decision	REQ-PER-005	LiDAR status transitions to stale on timeout	pose_.speed_mps_=20.0; tick_ms_=REVIEW REQUIRED: last_scan_time + lidar_stale_timeout_ms_ + 1	REVIEW REQUIRED
`TC-PER-030`	Decision	REQ-PER-005	LiDAR status set to stale when timeout exceeded	pose_.speed_mps_=20.0; tick_ms_=5000	lidar_status_ == sensor_status_t::stale
`TC-PER-031`	Decision	REQ-PER-005	LiDAR status set to failed on sensor failure	pose_.speed_mps_=20.0; tick_ms_=1000	lidar_status_ == sensor_status_t::failed
`TC-PER-032`	Decision	REQ-PER-005	Collision imminent flag on sensor fault	pose_.speed_mps_=25.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-033`	Decision	REQ-PER-005	Obstacles vector handling on sensor fault	pose_.speed_mps_=20.0; tick_ms_=10000	REVIEW REQUIRED
`TC-PER-034`	Decision	REQ-PER-006	LiDAR staleness detection at timeout threshold	pose_.speed_mps_=20.0; tick_ms_=REVIEW REQUIRED: last_scan_time + lidar_stale_timeout_ms_	REVIEW REQUIRED
`TC-PER-035`	State	REQ-PER-006	Obstacle confirmation after required cycles	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-036`	State	REQ-PER-006	Obstacle deletion after missed detections	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-037`	EP	REQ-PER-006	Alive counter increments by one each cycle	pose_.speed_mps_=20.0; tick_ms_=1000	After run() completes, alive_counters_[module_id::perception] = N + 1 (increment by 1 per REQ-PER-006)
`TC-PER-038`	EP	REQ-PER-006	Alive counter increments at cycle period rate	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-039`	BVA	REQ-PER-007	Obstacles vector at maximum capacity	pose_.speed_mps_=20.0; tick_ms_=1000	obstacles_.size() <= 32 (at or below maximum per REQ-PER-007)
`TC-PER-040`	BVA	REQ-PER-007	New obstacle rejected at capacity limit	pose_.speed_mps_=20.0; tick_ms_=1000	obstacles_.size() == 32 (new obstacle rejected, count does not exceed 32 per REQ-PER-007 reject_new policy)
`TC-PER-041`	BVA	REQ-PER-007	LiDAR scan vector at maximum capacity	pose_.speed_mps_=20.0; tick_ms_=1000	lidar_scan_.size() <= 360 (at or below maximum per REQ-PER-007)
`TC-PER-042`	BVA	REQ-PER-007	LiDAR scan overflow handling	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-043`	State	REQ-PER-008	Obstacle track transitions from unconfirmed to confirmed	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-044`	State	REQ-PER-008	Only confirmed obstacles included in collision prediction	pose_.speed_mps_=20.0; tick_ms_=1000	collision_.nearest_range_m and collision_.nearest_bearing_rad correspond to obstacle with confirmed_ == true only (unconfirmed obstacles excluded per REQ-PER-008)
`TC-PER-045`	State	REQ-PER-008	LiDAR status transitions from ok to stale	pose_.speed_mps_=20.0; tick_ms_=REVIEW REQUIRED: last_scan_time + lidar_stale_timeout_ms_ + 1	REVIEW REQUIRED
`TC-PER-046`	State	REQ-PER-008	LiDAR status transitions from stale to ok on fresh scan	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-047`	Scenario	REQ-PER-009	inject_scan precedes run in cycle execution order	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-048`	Interface	REQ-PER-009	LiDAR scan not modified during run cycle	pose_.speed_mps_=20.0; tick_ms_=1000	lidar_scan_ vector contents remain stable from cluster_scan entry to obstacles_ publication (no concurrent modification per REQ-PER-009)
`TC-PER-049`	Interface	REQ-PER-009	Output fields updated atomically at run cycle end	pose_.speed_mps_=20.0; tick_ms_=1000	obstacles_, collision_, lidar_status_, alive_counters_[module_id::perception] all updated atomically at end_of_run (no partial/torn updates observable per REQ-PER-009)
`TC-PER-050`	Interface	REQ-PER-009	Reentrant call to run() handling	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-051`	Interface	REQ-PER-009	Reentrant call to inject_scan() handling	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-052`	Scenario	REQ-PER-001, REQ-PER-006	Normal operation with valid inputs over multiple cycles	pose_.speed_mps_=25.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-053`	Scenario	REQ-PER-005, REQ-PER-006, REQ-PER-008	Sensor fault recovery scenario	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-054`	Decision	REQ-PER-002, REQ-PER-004	Collision imminent flag set when TTC below threshold	pose_.speed_mps_=30.0; tick_ms_=1000; collision_stop_ttc_s_=2.0	collision_.imminent == true when collision_.time_to_collision_s < collision_stop_ttc_s_ (2.0 seconds)
`TC-PER-055`	Decision	REQ-PER-002, REQ-PER-004	Collision imminent flag set when range below minimum threshold	pose_.speed_mps_=10.0; tick_ms_=1000; collision_min_range_m_=5.0	collision_.imminent == true when collision_.nearest_range_m < collision_min_range_m_ (5.0 meters), regardless of TTC
`TC-PER-056`	State	REQ-PER-006, REQ-PER-008	Obstacle confirmation debouncing prevents spurious tracks	pose_.speed_mps_=20.0; tick_ms_=1000; obstacle_confirmation_cycles_=3	REVIEW REQUIRED
`TC-PER-057`	State	REQ-PER-006, REQ-PER-008	Obstacle track deletion after sustained non-detection	pose_.speed_mps_=20.0; tick_ms_=1000; obstacle_deletion_cycles_=5	REVIEW REQUIRED
`TC-PER-058`	Decision	REQ-PER-005, REQ-PER-006	LiDAR staleness detection boundary at timeout threshold	pose_.speed_mps_=20.0; tick_ms_=2100; lidar_stale_timeout_ms_=100	lidar_status_ == sensor_status_t::stale when (tick_ms_ - last_scan_time) > lidar_stale_timeout_ms_ (100 ms). At exact boundary (== 100 ms), status should remain ok (exceeds means >).
`TC-PER-059`	BVA	REQ-PER-007	Obstacles vector size exactly at maximum (32 obstacles)	pose_.speed_mps_=20.0; tick_ms_=1000	obstacles_.size() == 32 (at maximum capacity per REQ-PER-007, valid operational state)
`TC-PER-060`	BVA	REQ-PER-007	LiDAR scan size exactly at maximum (360 points)	pose_.speed_mps_=20.0; tick_ms_=1000	lidar_scan_.size() == 360 (at maximum capacity per REQ-PER-007, valid operational state)
`TC-PER-061`	Decision	REQ-PER-004	TTC computation with zero closing speed (parallel motion)	pose_.speed_mps_=20.0; tick_ms_=1000	collision_.time_to_collision_s set to large sentinel or clamped maximum (closing_speed = 0, division-by-zero case, TTC infinite)
`TC-PER-062`	Decision	REQ-PER-004	TTC computation with negative closing speed (receding obstacle)	pose_.speed_mps_=20.0; tick_ms_=1000	collision_.time_to_collision_s set to large sentinel or clamped maximum (closing_speed < 0, no collision, TTC not meaningful for receding obstacle)
`TC-PER-063`	Decision	REQ-PER-002, REQ-PER-008	Collision nearest obstacle selection among multiple confirmed obstacles	pose_.speed_mps_=25.0; tick_ms_=1000	collision_.nearest_range_m and collision_.nearest_bearing_rad correspond to the confirmed obstacle with minimum range (nearest obstacle per REQ-PER-002 and confirmed-only per REQ-PER-008)
`TC-PER-064`	Decision	REQ-PER-005, REQ-PER-008	Collision prediction when sensor status is not ok	pose_.speed_mps_=20.0; tick_ms_=1000	REVIEW REQUIRED
`TC-PER-065`	EP	REQ-PER-001, REQ-PER-006	Nominal ego speed in mid-range	pose_.speed_mps_=20.0; tick_ms_=1000	Module accepts pose_.speed_mps_ = 20.0 mps. Outputs (obstacles_, collision_, lidar_status_, alive_counters_) are produced without error. Alive counter increments by 1.
`TC-PER-066`	EP	REQ-PER-001, REQ-PER-006	Zero ego speed (stationary vehicle)	pose_.speed_mps_=0.0; tick_ms_=1000	Module accepts pose_.speed_mps_ = 0.0 mps (stationary ego). TTC computation uses ego_speed = 0 in closing_speed formula. Outputs produced without error.
`TC-PER-067`	EP	REQ-PER-006	Alive counter wraps at maximum uint32_t value	pose_.speed_mps_=20.0; tick_ms_=1000	After run() completes, alive_counters_[module_id::perception] wraps to 0 (UINT32_MAX + 1 = 0 for uint32_t, natural overflow per C/C++ unsigned arithmetic)
`TC-PER-068`	Interface	REQ-PER-002, REQ-PER-007	Empty obstacles vector when no obstacles detected	pose_.speed_mps_=20.0; tick_ms_=1000	obstacles_.size() == 0 (empty vector, valid state per REQ-PER-007 min is 0). collision_ outputs set to sentinel values (no nearest obstacle).
`TC-PER-069`	EP	REQ-PER-002	Obstacle range exactly zero (edge case, should not occur)	pose_.speed_mps_=20.0; tick_ms_=1000	Obstacle with range 0.0 is rejected or filtered (range must be > 0.0 per REQ-PER-002). Obstacle does not appear in obstacles_ vector.
`TC-PER-070`	EP	REQ-PER-003	Relative speed exactly zero (obstacle stationary relative to ground)	pose_.speed_mps_=20.0; tick_ms_=1000	Obstacle relative_speed near -20.0 mps (stationary obstacle appears to approach at ego speed, relative_speed = obstacle_speed - ego_speed = 0 - 20 = -20). No clamping if within bounds.

power_management 66 tests

ID	Method	Covers	Title	Stimuli	Expected (oracle)
`TC-PWR-001`	BVA	REQ-PWR-001	Valid voltage measurement at minimum physical boundary	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - minimum physical voltage boundary not specified
`TC-PWR-002`	BVA	REQ-PWR-001	Valid voltage measurement at maximum physical boundary	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - maximum physical voltage boundary not specified
`TC-PWR-003`	BVA	REQ-PWR-001	Invalid voltage measurement below minimum physical range	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - invalid sensor data handling not specified
`TC-PWR-004`	BVA	REQ-PWR-001	Invalid voltage measurement above maximum physical range	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - invalid sensor data handling not specified
`TC-PWR-005`	BVA	REQ-PWR-002	Main power voltage output at minimum boundary	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - output_min_voltage_v not specified
`TC-PWR-006`	BVA	REQ-PWR-002	Main power voltage output at maximum boundary	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - output_max_voltage_v not specified
`TC-PWR-007`	BVA	REQ-PWR-002	Backup power voltage output at minimum boundary	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - output_min_voltage_v not specified
`TC-PWR-008`	BVA	REQ-PWR-002	Backup power voltage output at maximum boundary	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - output_max_voltage_v not specified
`TC-PWR-009`	EP	REQ-PWR-002	Boolean flag states are strictly true or false	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	All boolean flags (power_main_.undervoltage, power_main_.overvoltage, power_main_.health, power_backup_.undervoltage, power_backup_.overvoltage, power_backup_.health, power_ok_, backup_power_active_) shall have values of exactly true or false with no intermediate states
`TC-PWR-010`	BVA	REQ-PWR-003	Voltage clamping at minimum physical limit	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - clamp_min_v not specified
`TC-PWR-011`	BVA	REQ-PWR-003	Voltage clamping at maximum physical limit	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - clamp_max_v not specified
`TC-PWR-012`	EP	REQ-PWR-004	Voltage units and polarity convention - nominal reference	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - nominal_voltage_v reference point not specified
`TC-PWR-013`	EP	REQ-PWR-004	Voltage positive polarity convention	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	Voltage values in power_main_.voltage and power_backup_.voltage shall represent higher electrical potential as positive numerical values in units of volts
`TC-PWR-014`	BVA	REQ-PWR-005	Undervoltage detection at exact threshold	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_main_.undervoltage shall be true when power_main_.voltage equals cal_.min_voltage_v_ (9.0V)
`TC-PWR-015`	BVA	REQ-PWR-005	Undervoltage detection below threshold	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_main_.undervoltage shall be true when power_main_.voltage < cal_.min_voltage_v_ (e.g., 8.5V)
`TC-PWR-016`	BVA	REQ-PWR-005	Undervoltage detection just above threshold	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_main_.undervoltage shall be false when power_main_.voltage > cal_.min_voltage_v_ (e.g., 9.1V)
`TC-PWR-017`	BVA	REQ-PWR-005	Overvoltage detection at exact threshold	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_main_.overvoltage shall be true when power_main_.voltage equals cal_.max_voltage_v_ (16.0V)
`TC-PWR-018`	BVA	REQ-PWR-005	Overvoltage detection above threshold	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_main_.overvoltage shall be true when power_main_.voltage > cal_.max_voltage_v_ (e.g., 16.5V)
`TC-PWR-019`	BVA	REQ-PWR-005	Overvoltage detection just below threshold	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_main_.overvoltage shall be false when power_main_.voltage < cal_.max_voltage_v_ (e.g., 15.9V)
`TC-PWR-020`	Decision	REQ-PWR-005	Rail health failed when undervoltage fault active	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_main_.health shall be false when power_main_.undervoltage is true
`TC-PWR-021`	Decision	REQ-PWR-005	Rail health failed when overvoltage fault active	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_main_.health shall be false when power_main_.overvoltage is true
`TC-PWR-022`	Decision	REQ-PWR-005	Rail health normal when no faults active	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_main_.health shall be true when both power_main_.undervoltage and power_main_.overvoltage are false (voltage in range 9.0V to 16.0V)
`TC-PWR-023`	Decision	REQ-PWR-005	Backup power activation when main rail health false	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	backup_power_active_ shall be true when power_main_.health is false AND power_backup_.health is true
`TC-PWR-024`	BVA	REQ-PWR-005	Backup power activation at exact switchover voltage	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	backup_power_active_ shall be true when power_main_.voltage equals cal_.backup_switch_voltage_v_ (10.5V) AND power_backup_.health is true
`TC-PWR-025`	BVA	REQ-PWR-005	Backup power activation below switchover voltage	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	backup_power_active_ shall be true when power_main_.voltage < cal_.backup_switch_voltage_v_ (e.g., 10.0V) AND power_backup_.health is true
`TC-PWR-026`	Decision	REQ-PWR-005	Backup power not activated when backup rail unhealthy	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	backup_power_active_ shall be false when power_main_.voltage < cal_.backup_switch_voltage_v_ BUT power_backup_.health is false
`TC-PWR-027`	Decision	REQ-PWR-005	Backup power not activated when main voltage above switchover and healthy	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	backup_power_active_ shall be false when power_main_.voltage > cal_.backup_switch_voltage_v_ (e.g., 12.0V) AND power_main_.health is true
`TC-PWR-028`	Decision	REQ-PWR-006	Voltage measurement used when injected in current cycle	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - injection mechanism and current-cycle detection not observable
`TC-PWR-029`	Decision	REQ-PWR-006	Voltage fallback to nominal when measurement stale	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_main_.voltage and power_backup_.voltage shall equal cal_.nominal_voltage_v_ (12.0V) when inject_voltage() was not called in current cycle
`TC-PWR-030`	EP	REQ-PWR-006	Heartbeat counter increment each cycle	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	alive_counters_[module_id::power] shall increment by 1 each execution cycle
`TC-PWR-031`	Interface	REQ-PWR-006	Execution ordering before power_distribution	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - task sequence position not specified
`TC-PWR-032`	Interface	REQ-PWR-006	Task cycle period timing	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - cycle_period_ms not specified
`TC-PWR-033`	BVA	REQ-PWR-007	Heartbeat counter overflow wrapping to zero	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - counter_max_value not specified
`TC-PWR-034`	BVA	REQ-PWR-007	Heartbeat counter at maximum minus one	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - counter_max_value not specified
`TC-PWR-035`	EP	REQ-PWR-007	Heartbeat counter no overflow error	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - overflow detection mechanism not specified
`TC-PWR-036`	State	REQ-PWR-008	Backup power state transition: inactive to active on main health failure	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	backup_power_active_ shall transition from false to true when power_main_.health becomes false AND power_backup_.health is true
`TC-PWR-037`	State	REQ-PWR-008	Backup power state transition: inactive to active on main voltage drop	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	backup_power_active_ shall transition from false to true when power_main_.voltage drops below cal_.backup_switch_voltage_v_ (10.5V) AND power_backup_.health is true
`TC-PWR-038`	State	REQ-PWR-008	Backup power state transition: active to inactive on main recovery	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	backup_power_active_ shall transition from true to false when bus.power_main_.ok_ == true AND bus.power_main_.voltage_v_ >= cal_.backup_switch_voltage_v_ (10.5V)
`TC-PWR-039`	State	REQ-PWR-008	Backup power state remains inactive when main healthy above threshold	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	backup_power_active_ shall remain false when power_main_.health is true AND power_main_.voltage >= cal_.backup_switch_voltage_v_ (e.g., 12.0V)
`TC-PWR-040`	State	REQ-PWR-008	Backup power state remains active when main unhealthy	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	backup_power_active_ shall remain true when power_main_.health is false (even if voltage recovers but health flag not cleared)
`TC-PWR-041`	BVA	REQ-PWR-008	Backup deactivation at exact switchover threshold	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	backup_power_active_ shall transition to false when bus.power_main_.ok_ == true AND bus.power_main_.voltage_v_ equals cal_.backup_switch_voltage_v_ (10.5V)
`TC-PWR-042`	State	REQ-PWR-008	Backup power state transition with OR condition (health OR voltage)	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	backup_power_active_ shall transition to true when power_main_.health is false (regardless of voltage above switchover threshold) AND power_backup_.health is true
`TC-PWR-043`	State	REQ-PWR-008	Backup power not activated when backup unhealthy despite main failure	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	backup_power_active_ shall remain false when power_main_.health is false BUT power_backup_.health is false (both rails unhealthy)
`TC-PWR-044`	Interface	REQ-PWR-009	Atomic output updates before run() return	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	All outputs (power_main_, power_backup_, power_ok_, backup_power_active_) shall be updated atomically before run() returns
`TC-PWR-045`	Interface	REQ-PWR-009	Execution ordering before power_distribution reads outputs	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	REVIEW REQUIRED - task_sequence_position not specified
`TC-PWR-046`	Interface	REQ-PWR-009	Injected voltage measurement single-buffered last-write-wins	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	Module shall use the latest (last) injected voltage value when multiple inject_voltage() calls occur within the same execution cycle
`TC-PWR-047`	Decision	REQ-PWR-005	power_ok flag true when main rail healthy	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_ok_ shall be true when power_main_.health is true (regardless of backup state)
`TC-PWR-048`	Decision	REQ-PWR-005	power_ok flag true when backup rail healthy (main unhealthy)	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_ok_ shall be true when power_backup_.health is true (even when power_main_.health is false)
`TC-PWR-049`	Decision	REQ-PWR-005	power_ok flag false when both rails unhealthy	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_ok_ shall be false when both power_main_.health and power_backup_.health are false
`TC-PWR-050`	Scenario	REQ-PWR-005	Main power degradation with successful backup switchover	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	When main voltage degrades from 12V → 10.4V (below switchover 10.5V) with backup healthy: (1) backup_power_active_ transitions true, (2) power_ok_ remains true, (3) power_main_.undervoltage remains false (above 9V min), (4) power_main_.health remains true
`TC-PWR-051`	Scenario	REQ-PWR-005	Main power critical failure with backup activation	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	When main voltage drops from 12V → 8V (below min 9V): (1) power_main_.undervoltage=true, (2) power_main_.health=false, (3) backup_power_active_=true (backup healthy), (4) power_ok_=true (backup healthy)
`TC-PWR-052`	Scenario	REQ-PWR-005	Main power recovery with backup deactivation	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	When main voltage recovers from 8V → 11V (above switchover 10.5V): (1) power_main_.undervoltage=false, (2) power_main_.health=true, (3) backup_power_active_ transitions false (main ok and voltage adequate), (4) power_ok_=true
`TC-PWR-053`	Scenario	REQ-PWR-005	Both rails fail - total power loss	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	When both main and backup voltages drop below min (9V): (1) power_main_.health=false, (2) power_backup_.health=false, (3) backup_power_active_=false (backup unhealthy), (4) power_ok_=false (neither rail healthy)
`TC-PWR-054`	Scenario	REQ-PWR-005	Main overvoltage with backup switchover	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	When main voltage surges from 12V → 17V (above max 16V): (1) power_main_.overvoltage=true, (2) power_main_.health=false, (3) backup_power_active_=true (main unhealthy, backup healthy), (4) power_ok_=true
`TC-PWR-055`	BVA	REQ-PWR-005	Backup rail undervoltage detection	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_backup_.undervoltage shall be true when power_backup_.voltage < cal_.min_voltage_v_ (e.g., 8.5V), power_backup_.health shall be false
`TC-PWR-056`	BVA	REQ-PWR-005	Backup rail overvoltage detection	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_backup_.overvoltage shall be true when power_backup_.voltage > cal_.max_voltage_v_ (e.g., 16.5V), power_backup_.health shall be false
`TC-PWR-057`	Decision	REQ-PWR-005	Backup activation not triggered when main voltage at switchover but backup unhealthy	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	backup_power_active_ shall be false when power_main_.voltage at cal_.backup_switch_voltage_v_ (10.5V) BUT power_backup_.health is false
`TC-PWR-058`	EP	REQ-PWR-006	Heartbeat counter initial value	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	alive_counters_[module_id::power] shall have defined initial value (0 or 1) at system startup
`TC-PWR-059`	Decision	REQ-PWR-006	Voltage fallback on first cycle without injection	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_main_.voltage and power_backup_.voltage shall equal cal_.nominal_voltage_v_ (12.0V) on first cycle before inject_voltage() is called
`TC-PWR-060`	EP	REQ-PWR-004	Calibration parameter units validation	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	All calibration parameters (nominal_voltage_v_, min_voltage_v_, max_voltage_v_, backup_switch_voltage_v_) shall be interpreted in units of volts
`TC-PWR-061`	Decision	REQ-PWR-005	Simultaneous undervoltage and overvoltage faults impossible	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_main_.undervoltage and power_main_.overvoltage shall never both be true simultaneously (mutually exclusive conditions given min < max)
`TC-PWR-062`	BVA	REQ-PWR-005	Voltage in valid range - no faults	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	When power_main_.voltage in range [cal_.min_voltage_v_, cal_.max_voltage_v_] (e.g., 12.0V): power_main_.undervoltage=false, power_main_.overvoltage=false, power_main_.health=true
`TC-PWR-063`	BVA	REQ-PWR-005	Main voltage exactly at min threshold plus epsilon	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_main_.undervoltage shall be false when power_main_.voltage is marginally above cal_.min_voltage_v_ (e.g., 9.01V)
`TC-PWR-064`	BVA	REQ-PWR-005	Main voltage exactly at max threshold minus epsilon	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=10.5	power_main_.overvoltage shall be false when power_main_.voltage is marginally below cal_.max_voltage_v_ (e.g., 15.99V)
`TC-PWR-065`	BVA	REQ-PWR-008	Backup switchover voltage exactly at min threshold	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=9.0	System shall handle backup_switch_voltage_v_ equal to min_voltage_v_ (9.0V) - switchover and undervoltage occur simultaneously
`TC-PWR-066`	Decision	REQ-PWR-008	Backup switchover voltage must be above min threshold - invalid calibration	nominal_voltage_v_=12.0; min_voltage_v_=9.0; max_voltage_v_=16.0; backup_switch_voltage_v_=8.0	REVIEW REQUIRED - behavior with invalid calibration not specified

cyclic_scheduler 75 tests

ID	Method	Covers	Title	Stimuli	Expected (oracle)
`TC-CYC-001`	BVA	REQ-CYC-001	Task registration rejects period not divisible by 10 - boundary 9ms	task_registration_period_ms=9; task_registration_offset_ms=0; task_registration_priority=high	Task registration rejected, no task added to scheduler
`TC-CYC-002`	BVA	REQ-CYC-001	Task registration rejects period not divisible by 10 - boundary 11ms	task_registration_period_ms=11; task_registration_offset_ms=0; task_registration_priority=medium	Task registration rejected, no task added to scheduler
`TC-CYC-003`	BVA	REQ-CYC-001	Task registration accepts period exactly divisible by 10 - boundary 10ms	task_registration_period_ms=10; task_registration_offset_ms=0; task_registration_priority=high	Task registration accepted, task scheduled for execution
`TC-CYC-004`	BVA	REQ-CYC-001	Task registration accepts period exactly divisible by 10 - boundary 100ms	task_registration_period_ms=100; task_registration_offset_ms=0; task_registration_priority=low	Task registration accepted, task scheduled for execution
`TC-CYC-005`	BVA	REQ-CYC-001	Task registration rejects offset_ms equal to period_ms	task_registration_period_ms=50; task_registration_offset_ms=50; task_registration_priority=high	Task registration rejected, no task added to scheduler
`TC-CYC-006`	BVA	REQ-CYC-001	Task registration rejects offset_ms greater than period_ms	task_registration_period_ms=50; task_registration_offset_ms=51; task_registration_priority=medium	Task registration rejected, no task added to scheduler
`TC-CYC-007`	BVA	REQ-CYC-001	Task registration accepts offset_ms just below period_ms	task_registration_period_ms=50; task_registration_offset_ms=49; task_registration_priority=high	Task registration accepted, task scheduled with offset 49ms within 50ms period
`TC-CYC-008`	EP	REQ-CYC-001	Task registration rejects invalid priority - empty string	task_registration_period_ms=20; task_registration_offset_ms=0; task_registration_priority=	Task registration rejected, no task added to scheduler
`TC-CYC-009`	EP	REQ-CYC-001	Task registration rejects invalid priority - numeric value	task_registration_period_ms=20; task_registration_offset_ms=0; task_registration_priority=123	Task registration rejected, no task added to scheduler
`TC-CYC-010`	EP	REQ-CYC-001	Task registration accepts valid priority - high	task_registration_period_ms=30; task_registration_offset_ms=0; task_registration_priority=high	Task registration accepted with high priority, task scheduled for execution
`TC-CYC-011`	EP	REQ-CYC-001	Task registration accepts valid priority - medium	task_registration_period_ms=40; task_registration_offset_ms=0; task_registration_priority=medium	Task registration accepted with medium priority, task scheduled for execution
`TC-CYC-012`	EP	REQ-CYC-001	Task registration accepts valid priority - low	task_registration_period_ms=50; task_registration_offset_ms=0; task_registration_priority=low	Task registration accepted with low priority, task scheduled for execution
`TC-CYC-013`	Decision	REQ-CYC-002	Tick counter increments by base_period_ms on first tick	run_tick_count=1	tick_ms_ output reads 10 after one tick execution
`TC-CYC-014`	Decision	REQ-CYC-002	Tick counter increments by base_period_ms on multiple ticks	run_tick_count=10	tick_ms_ output reads 100 after ten tick executions
`TC-CYC-015`	Decision	REQ-CYC-002	Tick counter increments by custom base_period_ms	scheduler_base_period_ms=20; run_tick_count=5	tick_ms_ output reads 100 after five tick executions
`TC-CYC-016`	BVA	REQ-CYC-002	Tick counter monotonicity near uint64_t overflow	initial_tick_ms=18446744073709551586; run_tick_count=5	tick_ms_ output wraps modulo 2^64 and reads (18446744073709551586 + 50) mod 2^64 = 20 after five ticks
`TC-CYC-017`	BVA	REQ-CYC-003	Task registration at maximum capacity boundary		REVIEW REQUIRED
`TC-CYC-018`	BVA	REQ-CYC-003	Task registration rejection beyond maximum capacity		REVIEW REQUIRED
`TC-CYC-019`	BVA	REQ-CYC-003	Task execution per tick at maximum limit		REVIEW REQUIRED
`TC-CYC-020`	Decision	REQ-CYC-003	Task execution limit enforced when more tasks due than max_tasks_per_tick		REVIEW REQUIRED
`TC-CYC-021`	Decision	REQ-CYC-004	Time unit consistency - tick_ms_ in milliseconds	run_tick_count=1	tick_ms_ output reads 10, representing milliseconds, after one tick with base_period_ms=10
`TC-CYC-022`	Decision	REQ-CYC-004	Period conversion from ms to tick counts	task_registration_period_ms=50; task_registration_offset_ms=0; task_registration_priority=high	Task executes every 50ms (5 ticks), observable through task callback effects on signal_bus_t outputs
`TC-CYC-023`	Decision	REQ-CYC-004	Offset conversion from ms to tick counts	task_registration_period_ms=100; task_registration_offset_ms=30; task_registration_priority=medium	Task first executes at tick_ms_=30, then every 100ms thereafter, observable through task callback effects
`TC-CYC-024`	Decision	REQ-CYC-004	Frequency to period conversion using hz_to_ms_formula		REVIEW REQUIRED
`TC-CYC-025`	Decision	REQ-CYC-005	Task callback exception handling - exception caught		REVIEW REQUIRED
`TC-CYC-026`	Decision	REQ-CYC-005	Task callback exception - fault logged		REVIEW REQUIRED
`TC-CYC-027`	Decision	REQ-CYC-005	Task callback exception - task marked with fault status		REVIEW REQUIRED
`TC-CYC-028`	Decision	REQ-CYC-005	Task callback exception - fault_task_policy enforced		REVIEW REQUIRED
`TC-CYC-029`	Decision	REQ-CYC-005	Uninitialized signal_bus_t error on run_tick		REVIEW REQUIRED
`TC-CYC-030`	Decision	REQ-CYC-006	Periodic task execution at exact scheduling point - zero offset	task_registration_period_ms=50; task_registration_offset_ms=0; task_registration_priority=high; run_tick_count=10	Task executes at tick_ms_ values 0, 50, 100 (every 50ms) within tolerance 0ms, observable through task callback effects on signal_bus_t outputs
`TC-CYC-031`	Decision	REQ-CYC-006	Periodic task execution at exact scheduling point - non-zero offset	task_registration_period_ms=100; task_registration_offset_ms=20; task_registration_priority=medium; run_tick_count=25	Task executes at tick_ms_ values 20, 120, 220 (offset 20ms, period 100ms) within tolerance 0ms, observable through task effects
`TC-CYC-032`	Decision	REQ-CYC-006	Task priority ordering - high before medium	task_1_period_ms=50; task_1_offset_ms=0; task_1_priority=high; task_2_period_ms=50; task_2_offset_ms=0; task_2_priority=medium; run_tick_count=5	High priority task (priority 0) executes before medium priority task (priority 1) observable through signal_bus_t write order and output states
`TC-CYC-033`	Decision	REQ-CYC-006	Task priority ordering - medium before low	task_1_period_ms=60; task_1_offset_ms=0; task_1_priority=medium; task_2_period_ms=60; task_2_offset_ms=0; task_2_priority=low; run_tick_count=6	Medium priority task (priority 1) executes before low priority task (priority 2) observable through signal_bus_t write order and output states
`TC-CYC-034`	Decision	REQ-CYC-006	Task priority ordering - all three priorities	task_1_period_ms=30; task_1_offset_ms=0; task_1_priority=low; task_2_period_ms=30; task_2_offset_ms=0; task_2_priority=high; task_3_period_ms=30; task_3_offset_ms=0; task_3_priority=medium; run_tick_count=3	Tasks execute in order: high(0), then medium(1), then low(2) regardless of registration order, observable through signal_bus_t output states
`TC-CYC-035`	Decision	REQ-CYC-006	Stable sort preserves registration order within same priority	task_1_period_ms=40; task_1_offset_ms=0; task_1_priority=high; task_1_registration_order=1; task_2_period_ms=40; task_2_offset_ms=0; task_2_priority=high; task_2_registration_order=2; task_3_period_ms=40; task_3_offset_ms=0; task_3_priority=high; task_3_registration_order=3; run_tick_count=4	Tasks execute in registration order (task1, task2, task3) within high priority, observable through signal_bus_t write sequence and output states
`TC-CYC-036`	Decision	REQ-CYC-006	All due task callbacks complete within max_tick_execution_time_ms		REVIEW REQUIRED
`TC-CYC-037`	BVA	REQ-CYC-007	Alive counters array at maximum valid index boundary	alive_counter_module_index=11	Write to alive_counters_[11] succeeds (valid, last index for 12 entries 0-11), observable through alive_counters_ output array
`TC-CYC-038`	BVA	REQ-CYC-007	Alive counters array prevents write beyond maximum bound	alive_counter_module_index=12	Write to alive_counters_[12] rejected (beyond bound for 12 entries 0-11), no out-of-bounds write occurs
`TC-CYC-039`	BVA	REQ-CYC-007	Alive counters array at minimum valid index boundary	alive_counter_module_index=0	Write to alive_counters_[0] succeeds (valid, first index), observable through alive_counters_ output array
`TC-CYC-040`	BVA	REQ-CYC-007	Lidar scan points at maximum limit	lidar_scan_point_count=360	lidar_scan_ vector contains exactly 360 points (maximum allowed), observable through lidar_scan_ output vector size
`TC-CYC-041`	BVA	REQ-CYC-007	Lidar scan points exceed maximum limit rejected	lidar_scan_point_count=361	lidar_scan_ vector limited to 360 points, 361st point rejected or container prevents addition, observable through lidar_scan_ output vector size <= 360
`TC-CYC-042`	BVA	REQ-CYC-007	Obstacles at maximum limit	obstacle_count=32	obstacles_ vector contains exactly 32 obstacles (maximum allowed), observable through obstacles_ output vector size
`TC-CYC-043`	BVA	REQ-CYC-007	Obstacles exceed maximum limit rejected	obstacle_count=33	obstacles_ vector limited to 32 obstacles, 33rd obstacle rejected or container prevents addition, observable through obstacles_ output vector size <= 32
`TC-CYC-044`	State	REQ-CYC-008	Scheduler in uninitialized state before signal_bus_t initialization		REVIEW REQUIRED
`TC-CYC-045`	State	REQ-CYC-008	Scheduler transitions to registration state after initialization		REVIEW REQUIRED
`TC-CYC-046`	State	REQ-CYC-008	Task registration allowed in registration state	task_registration_period_ms=20; task_registration_offset_ms=0; task_registration_priority=high	Task registration succeeds in registration state, observable through task execution after run_tick begins
`TC-CYC-047`	State	REQ-CYC-008	Scheduler transitions to running state on first run_tick	run_tick_count=1	REVIEW REQUIRED
`TC-CYC-048`	State	REQ-CYC-008	Task registration rejected in running state	run_tick_count=1; task_registration_period_ms=30; task_registration_offset_ms=0; task_registration_priority=medium	Task registration rejected after scheduler enters running state, observable through registration failure mechanism
`TC-CYC-049`	State	REQ-CYC-008	run_tick rejected in uninitialized state		REVIEW REQUIRED
`TC-CYC-050`	Concurrency	REQ-CYC-009	Sequential task execution within single tick - no concurrency	task_1_period_ms=50; task_1_offset_ms=0; task_1_priority=high; task_2_period_ms=50; task_2_offset_ms=0; task_2_priority=high; task_3_period_ms=50; task_3_offset_ms=0; task_3_priority=high; run_tick_count=5	Tasks execute sequentially (task1 completes before task2 starts, task2 completes before task3 starts) within each tick, no concurrent execution, observable through signal_bus_t consistent state writes
`TC-CYC-051`	Interface	REQ-CYC-009	Signal bus writes by task N visible to task N+1 in same tick	task_1_period_ms=40; task_1_offset_ms=0; task_1_priority=high; task_1_writes=odometry_.speed_mps; task_2_period_ms=40; task_2_offset_ms=0; task_2_priority=high; task_2_reads=odometry_.speed_mps; run_tick_count=4	Task2 observes the value written by task1 to odometry_.speed_mps within the same tick, visible through task2's output effects reflecting task1's write
`TC-CYC-052`	Concurrency	REQ-CYC-009	Signal bus synchronization mechanism when run_tick single-threaded	run_tick_count=10; concurrent_run_tick_calls=1	Signal_bus_t accessed without synchronization mechanism (NONE) as specified, no data races occur, observable through consistent output states across all ticks
`TC-CYC-053`	Concurrency	REQ-CYC-009	Signal bus data race prevention when run_tick multi-threaded	run_tick_count=10; concurrent_run_tick_calls=3	Requirement specifies synchronization NONE. If run_tick can be called from multiple threads, data races may occur (requirement specifies NONE synchronization), observable through inconsistent or corrupted output states
`TC-CYC-054`	Interface	REQ-CYC-009	Task callback signal_bus_t access mode - non-const reference	task_period_ms=20; task_offset_ms=0; task_priority=high; run_tick_count=2	Task callback has non-const reference (READ_WRITE) access to signal_bus_t, can write outputs like odometry_.speed_mps, observable through modified output values after task execution
`TC-CYC-055`	Interface	REQ-CYC-009	Task callback cannot directly modify scheduler state	task_period_ms=30; task_offset_ms=0; task_priority=medium; run_tick_count=3	Task callback can modify signal_bus_t outputs but cannot modify scheduler internal state (task list, tick_ms_ outside normal increment, state transitions), observable through scheduler continuing normal operation
`TC-CYC-056`	BVA	REQ-CYC-002	Tick counter at zero initial value	run_tick_count=0	tick_ms_ output reads 0 before any tick execution
`TC-CYC-057`	BVA	REQ-CYC-006	Task execution scheduling formula - boundary at offset equals 0	task_registration_period_ms=40; task_registration_offset_ms=0; task_registration_priority=high; run_tick_count=8	Task executes when ((tick_ms_ - 0) % 40) equals 0 within tolerance 0: executes at tick_ms_ = 0, 40, 80, observable through task effects
`TC-CYC-058`	BVA	REQ-CYC-006	Task execution scheduling formula - boundary at offset equals period-1	task_registration_period_ms=60; task_registration_offset_ms=59; task_registration_priority=low; run_tick_count=15	Task executes when ((tick_ms_ - 0) % 60) equals 59 within tolerance 0: executes at tick_ms_ = 59, 119, observable through task effects
`TC-CYC-059`	Scenario	REQ-CYC-001, REQ-CYC-006	End-to-end task registration and periodic execution	task_registration_period_ms=100; task_registration_offset_ms=10; task_registration_priority=medium; run_tick_count=25	Task registration accepted (REQ-CYC-001: period=100 divisible by 10, offset=10 < period=100, priority=medium valid), task executes at tick_ms_ = 10, 110 (REQ-CYC-006: scheduling formula satisfied), observable through task callback effects on signal_bus_t outputs
`TC-CYC-060`	Scenario	REQ-CYC-002, REQ-CYC-006	Time progression and task scheduling correlation	task_registration_period_ms=50; task_registration_offset_ms=20; task_registration_priority=high; run_tick_count=15	tick_ms_ increments by 10 each tick (REQ-CYC-002), reaching 150 after 15 ticks; task executes when tick_ms_=20, 70, 120 (REQ-CYC-006 scheduling formula), observable through tick_ms_ output and task effects
`TC-CYC-061`	EP	REQ-CYC-007	Alive counters nominal operation - module 5	alive_counter_module_index=5; alive_counter_increment=1	alive_counters_[5] increments successfully (within valid 0-11 range), observable through alive_counters_ output array showing incremented value
`TC-CYC-062`	EP	REQ-CYC-007	Lidar scan points nominal operation - 180 points	lidar_scan_point_count=180	lidar_scan_ vector contains 180 points (well below 360 maximum), observable through lidar_scan_ output vector size = 180
`TC-CYC-063`	EP	REQ-CYC-007	Obstacles nominal operation - 16 obstacles	obstacle_count=16	obstacles_ vector contains 16 obstacles (well below 32 maximum), observable through obstacles_ output vector size = 16
`TC-CYC-064`	EP	REQ-CYC-001	Task registration nominal - 100ms period, 0ms offset, high priority	task_registration_period_ms=100; task_registration_offset_ms=0; task_registration_priority=high	Task registration accepted (all validation criteria satisfied: period=100 divisible by 10, offset=0 < period=100, priority=high valid)
`TC-CYC-065`	BVA	REQ-CYC-004	Period conversion boundary - minimum valid period 10ms	task_registration_period_ms=10; task_registration_offset_ms=0; task_registration_priority=high	Task period 10ms converts to 1 tick count (10/10=1), task executes every tick, observable through task effects at tick_ms_ = 0, 10, 20, 30...
`TC-CYC-066`	Decision	REQ-CYC-006	Multiple tasks same priority - stable sort maintains registration order	task_A_period_ms=50; task_A_offset_ms=0; task_A_priority=medium; task_A_registration_order=1; task_B_period_ms=50; task_B_offset_ms=0; task_B_priority=medium; task_B_registration_order=2; task_C_period_ms=50; task_C_offset_ms=0; task_C_priority=medium; task_C_registration_order=3; run_tick_count=5	At tick_ms_=0 and 50, tasks execute in registration order: task_A first, task_B second, task_C third (stable sort within medium priority), observable through signal_bus_t write sequence
`TC-CYC-067`	Decision	REQ-CYC-002	Tick counter monotonicity over extended operation	run_tick_count=1000	tick_ms_ increments monotonically from 0 to 10000 (1000 ticks * 10ms/tick) without skips, decrements, or duplicates, observable through tick_ms_ output after 1000 ticks = 10000
`TC-CYC-068`	EP	REQ-CYC-001	Task registration with minimum valid offset - 0ms	task_registration_period_ms=80; task_registration_offset_ms=0; task_registration_priority=low	Task registration accepted with offset=0ms (minimum valid offset), task first executes at tick_ms_=0
`TC-CYC-069`	Scenario	REQ-CYC-006	Mixed priority tasks execution order - realistic scenario	task_H1_period_ms=100; task_H1_offset_ms=0; task_H1_priority=high; task_H2_period_ms=100; task_H2_offset_ms=0; task_H2_priority=high; task_M1_period_ms=100; task_M1_offset_ms=0; task_M1_priority=medium; task_M2_period_ms=100; task_M2_offset_ms=0; task_M2_priority=medium; task_L1_period_ms=100; task_L1_offset_ms=0; task_L1_priority=low; run_tick_count=10	Tasks execute in priority order: H1, H2 (high), then M1, M2 (medium), then L1 (low), with registration order preserved within each priority level, observable through signal_bus_t write sequence and output states
`TC-CYC-070`	Decision	REQ-CYC-004	Large period conversion accuracy - 1000ms	task_registration_period_ms=1000; task_registration_offset_ms=0; task_registration_priority=medium; run_tick_count=150	Task period 1000ms converts to 100 tick counts (1000/10=100), task executes at tick_ms_ = 0, 1000, observable through task effects only at these times
`TC-CYC-071`	Interface	REQ-CYC-009	Signal bus data propagation chain - three sequential tasks	task_1_period_ms=60; task_1_offset_ms=0; task_1_priority=high; task_1_writes=odometry_.speed_mps; task_2_period_ms=60; task_2_offset_ms=0; task_2_priority=high; task_2_reads=odometry_.speed_mps; task_2_writes=pose_.speed_mps; task_3_period_ms=60; task_3_offset_ms=0; task_3_priority=high; task_3_reads=pose_.speed_mps; run_tick_count=6	Within same tick at tick_ms_=0,60,120: task1 writes odometry_.speed_mps, task2 reads that value and writes pose_.speed_mps, task3 reads pose_.speed_mps written by task2, complete data chain visible, observable through task3's outputs reflecting task1's input
`TC-CYC-072`	BVA	REQ-CYC-007	Lidar scan points at boundary minus one - 359 points	lidar_scan_point_count=359	lidar_scan_ vector contains exactly 359 points (just below 360 maximum), observable through lidar_scan_ output vector size = 359
`TC-CYC-073`	BVA	REQ-CYC-007	Obstacles at boundary minus one - 31 obstacles	obstacle_count=31	obstacles_ vector contains exactly 31 obstacles (just below 32 maximum), observable through obstacles_ output vector size = 31
`TC-CYC-074`	Decision	REQ-CYC-001	Task registration compound rejection - multiple violations	task_registration_period_ms=33; task_registration_offset_ms=40; task_registration_priority=invalid	Task registration rejected (period=33 not divisible by 10, offset=40 >= period=33, priority=invalid not in {high,medium,low}), no task added
`TC-CYC-075`	Scenario	REQ-CYC-002, REQ-CYC-004	Custom base period - 20ms tick period	scheduler_base_period_ms=20; task_registration_period_ms=60; task_registration_offset_ms=0; task_registration_priority=high; run_tick_count=10	tick_ms_ increments by 20 each tick (REQ-CYC-002 with custom base), reaching 200 after 10 ticks; task period 60ms converts to 3 tick counts (60/20=3, REQ-CYC-004 conversion), task executes at tick_ms_=0,60,120,180