Layered Safety Architecture (CENELEC EN 50128)

Layer   Role           Crates                                                                         SIL
L5      Platform       etcs-sim · etcs-harness · etcs-tool · etcs-test                                SIL0
L4      I/O Wiring     etcs-evc (std, I/O only — cannot override safety decisions)                    SIL2
------- Safety Boundary — no_std below — zero heap allocation -------
L3      Applications   etcs-evc-core · etcs-rbc · etcs-leu · etcs-dmi · etcs-jru · etcs-procedures    SIL4
L2      Core Logic     etcs-kernel · etcs-braking · etcs-odometry                                     SIL4
L1      Protocols      etcs-codec · etcs-euroradio                                                    SIL4
L0      Domain Types   etcs-types · etcs-safety                                                       SIL4

Strict dependency: Layer N depends only on Layer < N.

Safety Boundary (Enforced)

All SIL4 crates (Layers 0–3) are no_std with zero heap allocation. The I/O wiring layer (etcs-evc, Layer 4, std) only shuttles data between TCP/radio and the core; it cannot override safety decisions.

13   no_std SIL4 crates
5    std platform crates
0    unsafe blocks
0    unwrap/expect in production code
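The boundary described above rests on three things Rust can enforce at compile time: the core computes on fixed-size inputs without the heap, every failure is a returned error rather than a panic, and the wiring layer can read a decision but has no way to construct one. The following is an added illustration, not code from the etcs-* crates: the module names, the SpeedSample/Decision types, the overspeed margins and the 8-byte frame format are all constructed for this example. In the real workspace the direction of dependency would be a Cargo edge between crates rather than two modules in one file.

```rust
// Added illustration, not code from the etcs-* crates: how module privacy,
// `Result`-based error handling and `forbid(unsafe_code)` can enforce a
// "core decides, I/O only shuttles" boundary. All names, thresholds and the
// frame format below are constructed for this example.
use core::convert::TryInto;

/// Core-layer logic. Uses only `core` items (no `std`, no heap), so it could
/// live in a `no_std` crate; unsafe code is forbidden for the whole module.
#[forbid(unsafe_code)]
pub mod core_logic {
    /// One measured/permitted speed pair in cm/s. Fixed-width integers mean
    /// there is no NaN path to reason about.
    #[derive(Clone, Copy, Debug, PartialEq, Eq)]
    pub struct SpeedSample {
        pub speed_cm_s: u32,
        pub permitted_cm_s: u32,
    }

    /// Supervision outcome as seen by the wiring layer.
    #[derive(Clone, Copy, Debug, PartialEq, Eq)]
    pub enum Kind {
        Normal,
        Warning,
        ServiceBrake,
        EmergencyBrake,
    }

    /// The decision handed outward. Its field is private and there is no
    /// public constructor, so code outside this module can read a decision
    /// but cannot fabricate or rewrite one.
    #[derive(Clone, Copy, Debug, PartialEq, Eq)]
    pub struct Decision {
        kind: Kind,
    }

    impl Decision {
        pub fn kind(&self) -> Kind {
            self.kind
        }
    }

    #[derive(Clone, Copy, Debug, PartialEq, Eq)]
    pub enum CoreError {
        /// Sample lies outside the physically plausible range.
        ImplausibleSample,
    }

    // Constructed plausibility bound and overspeed margins (cm/s); these are
    // illustrative numbers, not ETCS braking-curve values.
    const MAX_PLAUSIBLE_CM_S: u32 = 20_000;
    const WARNING_MARGIN: u32 = 200;
    const SERVICE_MARGIN: u32 = 500;
    const EMERGENCY_MARGIN: u32 = 750;

    /// Decide on one sample. Every failure is a returned `Err`; nothing here
    /// can panic (no indexing, no unwrap, saturating arithmetic only).
    pub fn supervise(s: SpeedSample) -> Result<Decision, CoreError> {
        if s.speed_cm_s > MAX_PLAUSIBLE_CM_S || s.permitted_cm_s > MAX_PLAUSIBLE_CM_S {
            return Err(CoreError::ImplausibleSample);
        }
        let over = s.speed_cm_s.saturating_sub(s.permitted_cm_s);
        let kind = if over >= EMERGENCY_MARGIN {
            Kind::EmergencyBrake
        } else if over >= SERVICE_MARGIN {
            Kind::ServiceBrake
        } else if over >= WARNING_MARGIN {
            Kind::Warning
        } else {
            Kind::Normal
        };
        Ok(Decision { kind })
    }
}

/// Wiring-layer logic. It depends on `core_logic`, never the reverse, and its
/// only job is to decode bytes into a `SpeedSample` and forward the core's
/// answer; it has no way to build a `Decision` of its own.
pub mod io_wiring {
    use super::core_logic::{supervise, CoreError, Decision, SpeedSample};
    use core::convert::TryInto;

    #[derive(Clone, Copy, Debug, PartialEq, Eq)]
    pub enum WireError {
        BadLength,
        Core(CoreError),
    }

    /// Constructed frame format: two big-endian u32 fields, measured speed
    /// then permitted speed, 8 bytes total.
    pub fn decode_frame(frame: &[u8]) -> Result<SpeedSample, WireError> {
        let bytes: [u8; 8] = frame.try_into().map_err(|_| WireError::BadLength)?;
        let (speed, permitted) = bytes.split_at(4);
        // Both halves are exactly 4 bytes, so these conversions cannot fail;
        // the `?` keeps the no-panic discipline rather than unwrapping.
        let speed_cm_s = u32::from_be_bytes(speed.try_into().map_err(|_| WireError::BadLength)?);
        let permitted_cm_s =
            u32::from_be_bytes(permitted.try_into().map_err(|_| WireError::BadLength)?);
        Ok(SpeedSample { speed_cm_s, permitted_cm_s })
    }

    /// Decode, hand to the core, and pass the core's verdict through untouched.
    pub fn handle_frame(frame: &[u8]) -> Result<Decision, WireError> {
        let sample = decode_frame(frame)?;
        supervise(sample).map_err(WireError::Core)
    }
}

fn main() {
    // Constructed frames: 10 000 cm/s permitted, three measured speeds.
    for speed in [10_000u32, 10_300, 10_900] {
        let mut frame = [0u8; 8];
        frame[..4].copy_from_slice(&speed.to_be_bytes());
        frame[4..].copy_from_slice(&10_000u32.to_be_bytes());
        let verdict = io_wiring::handle_frame(&frame).map(|d| d.kind());
        println!("{} cm/s -> {:?}", speed, verdict);
    }
}
```

Trying to write `Decision { kind: Kind::Normal }` inside `io_wiring` is a compile error because the field is private, which is the point: the wiring layer can only obtain a decision by asking the core. Swapping `#[forbid(unsafe_code)]` for `#![forbid(unsafe_code)]` at the crate root, and adding `#![deny(clippy::unwrap_used, clippy::expect_used)]`, is how the "0 unsafe blocks, 0 unwrap/expect" figures above can be turned into a build-time check rather than a code-review promise.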

6 Complete Subsystems

EVC         European Vital Computer (Core SIL4 · I/O SIL2)
RBC         Radio Block Centre
LEU         Lineside Electronic Unit
DMI         Driver Machine Interface
JRU         Juridical Recording Unit
Euroradio   Secure Communication

Delivery Binaries (8)

etcs-sim     System Orchestrator
evc          European Vital Computer
rbc          Radio Block Centre
leu          Lineside Electronic Unit
dmi          Terminal DMI (ratatui)
jru          Juridical Recorder
etcs-test    SS-076 Test Runner
etcs-tool    Traceability Tool

Plus etcs-simdesk: Tauri 2.0 desktop app (Vue 3 + Vuetify)