ERTMS/ETCS: The European Train Control System

ERTMS/ETCS is the European Train Control System. Its role is not to drive the train, but to supervise whether the train is authorised to move, at which speed, and up to which point.

It provides cab signalling, movement supervision and intervention when the train would exceed its safe envelope.

In the European railway architecture, ETCS is therefore the common safety envelope on which ERTMS, ERTMS/ATO, future capacity concepts and DATO are built. This article explains ETCS as an architecture of protection, interoperability and migration, not only as a signalling technology.

Recommended reading

For a good understanding of the concepts discussed in this article, I recommend reading first:

1. Automatic Train Protection
2. ERTMS: The European Rail Traffic Management System

Executive Summary

ERTMS/ETCS is the European Train Control System. It is the train protection and supervision component of ERTMS, designed to replace or progressively reduce the dependency on national Automatic Train Protection systems. Its purpose is to provide a common European safety layer for train movement, cab signalling and interoperable train control.

The core object of ETCS operation is the Movement Authority. A train is authorised to move up to a defined limit, under defined speed and distance constraints. The onboard equipment supervises the train against this envelope and intervenes if the train would exceed the permitted limits. This is why ETCS should be understood as a safety envelope rather than only as a signalling display.

The architecture separates responsibilities between trackside and onboard. The trackside side provides information, movement permissions, route-related data and, in Level 2, communication through the Radio Block Centre. The onboard side calculates supervision, displays information to the driver, monitors train speed and position, and commands braking when required. This separation is one of the foundations of ETCS interoperability.

ETCS application levels describe the relationship between train and trackside. Level NTC allows an ETCS-equipped train to operate under a national system. Level 1 uses Eurobalises, optionally with infill, to transmit information to the train. Level 2 uses radio communication with a Radio Block Centre, while Eurobalises remain important for localisation and reference information. These levels are migration tools as much as technical configurations.

ETCS is not ATO. ETCS protects the train; ATO drives the train. In ERTMS/ATO GoA2, the automatic driving system controls traction and braking, but it must remain within the ETCS supervision envelope. This distinction is central to the future railway architecture: automation can evolve only if the safety layer remains clear, stable and interoperable.

ETCS also defines modes that allocate responsibilities between onboard equipment, driver and operation. Full Supervision, On Sight, Staff Responsible, Shunting, Trip, Post Trip, National System and other modes are not only technical states. They express how supervision, driver responsibility and operational constraints change according to the situation.

The main ETCS challenge is no longer only specification. It is deployment, compatibility and harmonisation. Trackside and onboard migration must be synchronised. System compatibility must be managed. Baselines must remain stable enough to protect investments while still allowing evolution. Operational rules and engineering practices must converge so that ETCS does not reproduce fragmentation inside a European standard.

From an architecture perspective, ETCS is the European safety envelope for digital and automated railway operation. ERTMS/ATO, Hybrid Train Detection, Moving Block, Remote Driving, GoA4 and DATO all depend on this envelope. The future of automation is therefore not separate from ETCS. It is built on it.

Last modified: 2026-06

Content

1. Why ETCS matters
2. From national ATP systems to a European safety envelope
3. Movement Authority: the core concept
4. Onboard and trackside architecture
5. The standardised train-track interface
6. ETCS Level NTC, Level 1 and Level 2
7. Level 2 and the future capacity trajectory
8. Cab signalling and driver interaction
9. Supervision, braking curves and intervention
10. ETCS operating modes and responsibility
11. Compatibility, baselines and migration
12. ETCS and ERTMS/ATO
13. ETCS as the safety envelope for DATO
14. Architecture perspective
15. Conclusion
16. Documentation and further reading

1. Why ETCS matters

Railway signalling is fundamentally about safe movement.

A train must know whether it is authorised to move, how far it may go, which speed limits apply, and where it must be able to stop. The driver, the onboard system and the trackside system must share a common understanding of this movement envelope. If the train exceeds that envelope, the system must intervene.

This is the purpose of train protection.

Before ETCS, European railways developed many national train protection systems. They were often effective within their national networks, but they created a structural problem for Europe. A locomotive or trainset crossing several countries could need several onboard systems, each with its own technical logic, operating rules, interfaces, maintenance requirements and authorisation constraints.

This fragmentation made cross-border rail more complex and more expensive. It increased onboard complexity. It limited economies of scale. It reinforced national signalling markets. It created a barrier to a more integrated European railway system.

ETCS was created to address this problem.

Its role is to provide a common European train control system. Instead of relying on many national ATP systems, the railway can progressively converge towards one interoperable safety and supervision layer.

This is why ETCS matters beyond signalling.

It is not only a technology installed on trains and tracks. It is the safety foundation of the Single European Railway Area. It defines how trains receive movement information, how speed and distance are supervised, how the driver interacts with the system, and how future automation can remain anchored in a clear protection architecture.

The importance of ETCS becomes even clearer when looking at automation.

ATO can drive the train, but it does not replace train protection. Remote Driving can relocate human control, but the train still needs to be supervised. Moving Block can make separation more dynamic, but the train still needs a safe movement envelope. GoA4 can remove staff from the train, but the railway still needs a protection layer that defines what the train may safely do.

ETCS is that layer.

This article therefore does not treat ETCS as a catalogue of levels, modes and components. It treats ETCS as an architecture of protection, interoperability and migration.

2. From national ATP systems to a European safety envelope

Automatic Train Protection systems were developed to prevent unsafe train movement. Their functions vary by national system, but the principle is broadly similar: monitor the train against signalling or speed constraints and intervene when the train would exceed them.

National ATP systems were created in national railway contexts. They reflected national signalling principles, operating rules, legacy infrastructure and industrial ecosystems. This made sense historically. Each country developed a system adapted to its own railway.

But Europe became a railway interoperability problem.

A train running internationally had to be compatible with several train protection systems. Multi-system locomotives became complex and expensive. Drivers had to understand different signalling environments. Operators faced technical and authorisation barriers. Infrastructure managers maintained national systems. Suppliers had to support multiple markets with different requirements.

ETCS was designed as the European response.

Its ambition is not merely to add another system to the train. Its ambition is to replace, or at least progressively reduce, the dependency on national Class B systems by creating a common European safety envelope.

This phrase matters: safety envelope.

ETCS does not simply display information. It supervises train movement. It calculates whether the train can continue safely within the authorised limits. It supervises speed, distance and braking. It can warn the driver and command braking when necessary.

The driver may still drive the train manually. ATO may drive it automatically. But ETCS defines the protected boundary within which movement must remain.

This is why ETCS is deeper than cab signalling. Cab signalling is visible to the driver. ETCS supervision is the safety function behind it. The DMI may show the permitted speed, target speed, distance to target and operating mode, but the core architecture is the onboard supervision of a movement authority.

Once this common safety envelope exists, other European capabilities become possible.

ERTMS/ATO can automate driving inside it. Traffic Management can provide operational constraints that must remain compatible with it. Hybrid Train Detection and Moving Block can evolve the way the movement envelope is generated and updated. DATO can build higher automation on top of it.

Without ETCS, the future European automation architecture would be fragmented at its safety foundation.

3. Movement Authority: the core concept

The central concept of ETCS is the Movement Authority.

A Movement Authority defines how far a train is authorised to move. It tells the onboard equipment the limit up to which movement is permitted and under which conditions that movement must be supervised. The train does not simply move because the driver decides to accelerate. It moves because the signalling and protection system authorises movement within a defined envelope.

This is the core of ETCS supervision.

The onboard system uses the Movement Authority, train position, speed profile, gradients, train data and braking characteristics to calculate the permitted movement of the train. It determines where the train must be able to stop, which speeds are allowed, where targets are located, and when intervention would become necessary.

This creates a dynamic relationship between authorisation and supervision.

The trackside side provides the authority and infrastructure-related data. The onboard side supervises the train against that authority. The driver receives information through the DMI. If the driver or automatic driving system keeps the train within the permitted limits, ETCS remains in supervision. If the train would exceed the limits, ETCS intervenes.

This is why Movement Authority is more important than the signal aspect in ETCS thinking.

In conventional lineside signalling, the driver reads signal aspects and interprets what they mean according to national rules. In ETCS, the train receives structured information that can be supervised onboard. The driver is no longer only interpreting external signals. The onboard equipment supervises the actual movement against the authorised envelope.

This is the foundation of cab signalling.

The driver does not only see whether the next signal is green or restrictive. The driver sees information related to the train’s permitted movement: speed, distance, mode, target and supervision status.

This also explains why ETCS is suitable for automation.

An ATO system needs more than signal aspects. It needs a structured, machine-readable safety envelope inside which it can compute traction and braking. ETCS provides that envelope. ATO can then optimise the driving behaviour without having to become the train protection system itself.

This separation is fundamental.

The Movement Authority defines what the train may safely do.
ATO, or the driver, decides how to drive within that authority.
ETCS supervises the boundary.

That is why Movement Authority is the architectural centre of ETCS.

4. Onboard and trackside architecture

ETCS is built around a separation between onboard and trackside responsibilities.

The onboard equipment supervises the train. It receives data from trackside transmission systems, determines the train position, calculates supervision curves, displays information to the driver, monitors speed and distance, and commands braking when required. It is the part of ETCS that travels with the train.

The trackside side provides the movement information and infrastructure context. Depending on the application level, this may involve Eurobalises, Lineside Electronic Units, Radio Block Centres, interlockings, train detection systems, radio communication and other trackside systems. ETCS trackside equipment is connected to the signalling logic that determines whether the train may move.

This separation is important because ETCS is not one monolithic device.

It is a distributed safety architecture.

The train must know where it is. It must receive information from the infrastructure. The trackside must know the state of routes, train detection, movement authority limits and infrastructure constraints. The onboard equipment must translate that into supervision. The driver must understand the result.

This architecture also creates the basis for interoperability. The onboard equipment and the trackside equipment may be supplied by different companies, deployed on different networks and installed on different fleets. They must still communicate according to standardised rules.

The onboard side typically includes the European Vital Computer, odometry inputs, balise antenna, radio communication equipment where applicable, Driver-Machine Interface, interfaces with the train braking system, and interfaces with other onboard systems. The exact implementation depends on the vehicle, but the architectural role is the same: supervise the train according to ETCS information.

The trackside side depends on the level. In Level 1, Eurobalises transmit information to the train, often using information generated by a Lineside Electronic Unit connected to existing signalling. In Level 2, the Radio Block Centre plays a central role by sending Movement Authorities through radio communication. Eurobalises remain important for location reference and data transmission, but the continuous movement authority exchange is radio-based.

This separation also explains the migration difficulty.

A railway can equip the trackside without all trains being ready. A train can be equipped with ETCS without all lines being equipped. Baselines, compatibility, national values, engineering rules, RBC implementations, DMI behaviour and operational procedures all influence how the system works in practice.

ETCS is standardised, but deployment is still a system integration challenge.

This is why the onboard/trackside separation is both the strength and the difficulty of ETCS.

It enables interoperability.
It also requires disciplined integration.

5. The standardised train-track interface

The European value of ETCS lies in the train-track interface.

A railway can have many national signalling systems. It can have different interlocking technologies, different track layouts, different operational rules and different infrastructure histories. But if the information exchanged between track and train follows a common European specification, the onboard equipment can operate across networks more consistently.

This is the logic of ETCS.

The train-track interface includes the data transmitted by Eurobalises, radio messages in Level 2, national values, speed and distance information, movement authorities, gradient profiles, mode profiles, level transitions and many other data elements used by the onboard system.

This interface is not just communication. It is the language through which the trackside expresses the movement envelope to the train.

The onboard equipment does not need to know the internal logic of every interlocking or national signalling system. It needs to receive standardised ETCS information that can be interpreted, supervised and displayed according to the specification.

This is a major architectural simplification.

But it is not a complete simplification of the railway.

The trackside must still convert real infrastructure and signalling logic into ETCS information. This requires engineering. It requires data quality. It requires configuration control. It requires safety validation. It requires system compatibility checks. It requires operational rules that match the technical implementation.

The standardised interface therefore moves part of the complexity. It does not eliminate it.

For a Principal Architect, this is one of the most important lessons of ETCS. Standardisation does not mean that integration disappears. It means that integration is structured around agreed interfaces.

This is what makes European deployment possible. It is also what makes deployment difficult when local variations remain too broad.

If each network implements ETCS with different engineering assumptions, different operational rules and different driver experiences, the interface may be technically standardised but the system may still feel fragmented. This is why operational harmonisation matters as much as technical compliance.

ETCS is a European language between train and track.

But a language only creates interoperability when it is spoken consistently.

6. ETCS Level NTC, Level 1 and Level 2

ETCS application levels describe the operating relationship between train and trackside. They are often presented as a technical hierarchy, but it is better to see them as architecture and migration configurations.

Level 0 is used when an ETCS-equipped train operates where ETCS or national train control supervision is not available. In this context, ETCS provides only limited supervision, and the train relies on other means of signalling and operation. Level 0 is therefore not a target for digital European train control; it is a way to handle unfitted or temporarily non-supervised contexts.

Level NTC is used when an ETCS-equipped train operates under a national train control system. This is a key migration level. It allows an ETCS-equipped vehicle to continue operating on lines where national systems remain in service. In many countries, NTC is essential during the transition period because Class B systems cannot disappear overnight.

Level 1 introduces ETCS track-to-train transmission through Eurobalises. The train receives information from balises installed on the track. Depending on the implementation, this can be associated with existing lineside signalling. Optional infill transmission can provide information before the train reaches the next balise, improving operational performance.

Level 1 is an important migration architecture because it can be superimposed on existing signalling. It allows ETCS supervision to be introduced without necessarily replacing the entire signalling architecture at once. This is why Level 1 has been attractive for some networks and corridors.

Level 2 is the architecture most associated with modern ERTMS deployment. In Level 2, the train communicates with a Radio Block Centre. The RBC sends Movement Authorities by radio. Eurobalises are still used, especially for location reference, but the movement authority exchange is no longer limited to discrete balise locations.

Level 2 enables cab signalling and can support operation without lineside signals where national rules and implementation choices allow it. It also provides a stronger foundation for ERTMS/ATO because ATO benefits from more continuous and digital movement information.

However, conventional Level 2 does not automatically mean Moving Block. In many deployments, train detection and train separation still rely on trackside train detection sections such as track circuits or axle counters. The authority is transmitted digitally, but the underlying separation logic may remain fixed-block.

This distinction is essential.

Level 2 digitalises the communication and supervision architecture. It does not automatically virtualise train detection or create train-centric separation.

Hybrid Train Detection and Moving Block are further steps in the capacity trajectory. They build on the digital foundation of ETCS, but they require additional capabilities such as safe train positioning, train integrity, train length and more dynamic trackside logic.

This is why ETCS levels should not be understood as simple technology labels. They are migration states in a long transformation of railway control-command architecture.

7. Level 2 and the future capacity trajectory

ETCS Level 2 is often associated with capacity improvement.

This is partly justified. Level 2 can remove the driver’s dependency on lineside signals, provide cab signalling, support continuous supervision and allow Movement Authorities to be transmitted by radio. These features can improve operational performance and create the basis for more modern traffic management and ATO integration.

But Level 2 alone does not guarantee capacity.

Capacity depends on the separation principle, the location and length of train detection sections, braking curves, speed profiles, traffic management, dwell times, train performance, operational rules, driver or ATO behaviour and degraded modes.

A conventional Level 2 line can still be capacity-limited by fixed-block train detection. If the infrastructure is divided into long track sections, the following train cannot be authorised more finely simply because the authority is transmitted by radio. The radio communication may be modern, but the capacity granularity may still be shaped by trackside detection.

This is why the future capacity discussion moves beyond conventional Level 2.

Hybrid Train Detection introduces a virtualisation layer. If the train can safely provide its position, confirmed length and train integrity, the trackside system can release smaller virtual sections within larger physical detection sections. This can reduce headways without installing a dense network of physical train detection equipment.

Moving Block goes further by moving towards more dynamic, train-centric separation. The system manages trains as moving objects with safe front and rear ends, rather than relying primarily on fixed section boundaries.

Both concepts depend on ETCS, but they also go beyond the simple idea of Level 2.

This matters for the article because ETCS is not only today’s train protection system. It is the platform on which the capacity architecture evolves. The way Movement Authorities are generated, updated and supervised determines how close trains can safely run.

ETCS therefore links safety and capacity.

It protects movement, but the architecture of that protection influences how much railway capacity can be used.

This is one of the reasons ETCS is central to DATO. Digital and Automatic Train Operation cannot be separated from the way movement permissions, train separation and safety supervision are structured.

The future automated railway will not only need trains that drive automatically.

It will need a dynamic, safe and interoperable movement envelope.

ETCS is where that envelope begins.

8. Cab signalling and driver interaction

One visible difference between ETCS and traditional lineside signalling is cab signalling.

In ETCS, the driver receives key movement information through the Driver-Machine Interface. This information may include permitted speed, target speed, distance to target, mode, level, intervention status, braking indications, messages and other operational data depending on the mode and situation.

This changes the driver’s relationship with signalling.

In a conventional lineside signalling environment, the driver observes external signal aspects and applies national rules. In ETCS, the onboard system presents supervised movement information in the cab. The driver still drives and remains responsible according to the operating mode, but the system provides a more direct representation of the movement envelope.

This is especially important in ETCS Level 2 operation without lineside signals. The driver relies on the DMI to understand the authorised movement and supervision status. This can support more consistent operation, but it also makes DMI usability and operational harmonisation critical.

Cab signalling is not only a display function.

It is part of the human-system interface of the safety architecture.

The driver must understand what ETCS is supervising, which mode is active, whether the train is in Full Supervision, On Sight, Staff Responsible, Shunting or another mode, and what operational responsibility remains with the driver.

This becomes particularly important in degraded situations. If the train transitions to Staff Responsible or On Sight, the driver’s role changes. If ETCS intervenes or trips the train, the driver must understand why. If the train is operating under a national system or in Level 0, the driver must understand what ETCS is and is not supervising.

A technically compliant DMI is not enough if the driver experience remains fragmented across implementations.

This is why operational harmonisation matters. The same ETCS principle should not result in many different driver experiences across Europe. If ETCS is to become a true European system, the driver’s interaction with it must become more coherent.

The cab is therefore one of the places where interoperability becomes visible.

A European standard is not only a set of messages between systems. It is also an operational experience for the people who use it.

9. Supervision, braking curves and intervention

ETCS supervises train movement by comparing the actual train behaviour with the permitted envelope.

This supervision is not a simple check of maximum speed. It is a dynamic calculation that considers the train’s speed, position, braking capability, movement authority, speed profile, gradients and other relevant data. The objective is to ensure that the train remains able to respect the target and stop before the protected limit.

Braking curves are central to this logic.

The onboard system calculates when the train must begin braking to avoid exceeding its permitted limits. It can provide indications to the driver, warnings when limits are approached, and intervention when the train does not remain within the safe envelope.

This is one of the most important differences between ETCS and more limited train protection systems.

ETCS does not only react at fixed points. It supervises continuously according to calculated speed and distance relationships. It knows where the train is, where it is authorised to go, and what braking behaviour is required to remain safe.

The quality of supervision depends on data.

The system needs train data. It needs braking parameters. It needs gradient information. It needs speed restrictions. It needs the movement authority. It needs position confidence. It needs the correct infrastructure data. If these data are incomplete, incorrect or inconsistent, the supervision may become more restrictive or unsafe.

This is why ETCS is also a data system.

It transforms signalling into a digital supervision problem. The safety of the movement depends not only on physical signals, but on the correctness, consistency and interpretation of data exchanged between trackside and onboard.

This point becomes even more important for future automation.

ATO needs ETCS information to drive inside the safe envelope. Moving Block needs train-centric data to calculate dynamic movement permissions. DATO needs reliable digital information to coordinate automated operation.

The more automated the railway becomes, the more important the safety data foundation becomes.

ETCS is one of the first large-scale examples of that transformation.

10. ETCS operating modes and responsibility

ETCS modes are sometimes treated as technical states. They are more than that.

A mode defines the operational context in which the onboard equipment and the driver interact. It defines what the onboard equipment supervises, what the driver sees, which functions are active, and where responsibility lies.

Full Supervision is the nominal mode most people associate with ETCS. In Full Supervision, the onboard equipment has sufficient information to supervise the train according to the Movement Authority, speed profile and other relevant data. The driver drives within the ETCS-supervised envelope.

On Sight is different. It may be used in areas where the system authorises movement, but where the track ahead cannot be guaranteed to be clear in the same way as in Full Supervision. The driver must proceed with additional caution according to operating rules.

Staff Responsible is another important mode. It is used when the driver is responsible for movement under defined restrictions, typically because the onboard system does not have a full Movement Authority or because an override or degraded procedure is active. In this mode, the system can still supervise certain limits, but the driver’s responsibility becomes central.

Shunting is used for shunting movements. National System mode is used when the train operates under a national train protection system. Trip and Post Trip relate to ETCS intervention and recovery after the train has been brought to a stop because the supervised envelope was exceeded or another trip condition occurred.

These modes matter because they express responsibility transitions.

The railway is not always in nominal full supervision. It must handle degraded operation, shunting, transitions, national systems, isolation, failures and recovery. Each context changes the relationship between ETCS onboard, driver, trackside systems and operational rules.

This is why modes are central to safety and operations.

For example, the Override procedure allows the driver, under operational authorisation, to pass an End of Movement Authority in specific degraded situations. This is not simply a technical button. It changes the mode and the responsibility model. It reflects the fact that railway operation sometimes requires controlled procedures outside nominal supervision.

This is one of the reasons ETCS is complex.

It does not only supervise ideal operation. It codifies how the train behaves across many operational contexts. It makes explicit what older railway systems sometimes handled through national rules, driver knowledge and local procedures.

For automation, this is a crucial lesson.

If the railway moves towards GoA4, responsibility transitions must become even more explicit. ETCS modes already show how difficult this is. The future DATO architecture will have to manage similar responsibility transitions across more systems and with less human presence onboard.

11. Compatibility, baselines and migration

ETCS is a European standard, but deploying it is not as simple as installing the same system everywhere.

Compatibility remains a major issue.

An ETCS-equipped train must be compatible with the ETCS trackside equipment it encounters. This involves specifications, baselines, national values, engineering choices, radio communication, DMI behaviour, operational rules, safety cases and authorisation. The existence of a common standard reduces fragmentation, but it does not remove all integration work.

This is why ETCS System Compatibility is important. A train must be shown to work correctly with a given trackside implementation or set of implementations. If different networks deploy ETCS in ways that are technically compliant but operationally different, vehicle authorisation and operation can remain complex.

Baselines add another layer.

ETCS has evolved over time. Specifications have been updated, corrected and expanded. Older onboard equipment and newer trackside implementations must be managed carefully. The railway cannot replace all equipment whenever a specification evolves. At the same time, the system must continue to improve.

This creates a lifecycle architecture problem.

Stability is necessary because railway investments last decades. Vehicles and infrastructure cannot be retrofitted continuously at high cost. But evolution is also necessary because the railway must address errors, improve interoperability, support new functions and prepare future capabilities.

The challenge is therefore controlled evolution.

ETCS must be stable enough to protect investment and evolvable enough to remain useful.

This is one of the key lessons for DATO. Advanced automation will face the same tension, probably more strongly. If future ATO, Moving Block, Remote Driving or GoA4 capabilities evolve too fast, operators may hesitate to invest. If they evolve too slowly, the railway may fail to respond to real operational needs.

Migration is also a brownfield problem.

National Class B systems will remain for years. Some trains will be equipped with ETCS, others not. Some lines will operate Level 1, others Level 2, others NTC or mixed configurations. Some vehicles will carry multiple systems. Some infrastructure will retain lineside signals, while other lines may move towards cab signalling without lineside signals.

This makes ETCS a long transition, not a single deployment.

The architecture must therefore support coexistence, but not become trapped by coexistence.

The objective is not to run forever with ETCS plus national systems plus local variants. The objective is to move progressively towards simplification.

This is the difficult part of migration.

If ETCS remains an overlay, costs remain high. If ETCS becomes the backbone, simplification becomes possible.

12. ETCS and ERTMS/ATO

ETCS and ATO are often discussed together, but their roles are different.

ETCS protects the train.
ATO drives the train.

This distinction is the foundation of ERTMS/ATO.

In GoA2 ERTMS/ATO, the ATO onboard function controls traction and braking. It follows the operational mission, respects timing points, optimises energy where possible and improves stopping accuracy. But it must remain inside the ETCS safety envelope.

ETCS provides the supervised movement constraints. It defines the authorised movement, speed supervision and braking limits. ATO uses this information to compute a driving strategy. If ATO commands something that would exceed the ETCS envelope, ETCS remains the protection layer.

This separation is powerful because it allows automatic driving to be introduced without turning ATO into a safety protection system.

ATO can optimise. ETCS supervises.

The driver remains in the cab in GoA2, supervising the operation and able to take over when needed. This creates a clear three-layer arrangement: ETCS protects, ATO drives, the driver supervises.

This arrangement is also a migration step.

It allows railways to introduce automatic driving before solving all the challenges of unattended operation. It allows suppliers to integrate ATO with ETCS and rolling stock. It allows operators to learn how automatic driving behaves in real traffic. It allows traffic management to begin interacting with train-level automation.

But ERTMS/ATO is not the whole DATO architecture.

It automates driving, but it does not remove the driver. It does not solve perception, train health, mission fitness, remote supervision, Remote Driving, passenger incidents, full degraded recovery or GoA4 responsibility allocation.

This is why ETCS must remain clearly understood.

If ETCS is the safety envelope for ATO, then future automation must preserve that clarity. As more functions are added, the system must not blur the boundary between protection, driving, supervision, traffic management and recovery.

This is one of the main architecture risks of railway automation.

The more functions are connected, the more important it becomes to preserve responsibility boundaries.

ETCS gives a model for that discipline.

13. ETCS as the safety envelope for DATO

DATO, or Digital and Automatic Train Operation, goes beyond ERTMS/ATO GoA2.

It includes automatic driving, traffic management, remote supervision, Remote Driving, perception, train health, mission fitness, digital infrastructure data, capacity management, cybersecurity and operational rules. It is a system-of-systems transformation.

But this transformation still needs a protection architecture.

A GoA4 train cannot simply decide to move because its onboard system wants to. A remotely driven train cannot move outside the safe envelope. A train operating under Moving Block cannot ignore movement permissions. A DATO system cannot be credible if safety supervision becomes unclear.

This is why ETCS remains central.

Future automation may change how the Movement Authority is generated, updated and used. It may make train separation more dynamic. It may use more onboard data. It may integrate with TMS and Plan Execution. It may rely on FRMCS for communication. It may support automated recovery and remote supervision.

But the railway still needs a clear answer to one question:

What is the train authorised to do safely?

ETCS provides the European framework for answering that question today.

In the future, the envelope may evolve. Hybrid Train Detection may allow finer release of infrastructure. Moving Block may create more dynamic movement permissions. ATO may drive more precisely. TMS may orchestrate the operational plan more actively. But the safety function must remain explicit.

This is the architecture lesson.

Automation should not replace the safety envelope. It should operate inside it or contribute to its controlled evolution.

This also means that DATO cannot be developed independently from ETCS evolution. If DATO needs train-centric data, train integrity, safe positioning, FRMCS communication, new operational modes or new degraded procedures, these must be aligned with the ETCS and CCS architecture.

The future automated railway will not be a collection of clever trains.

It will be a railway system in which automated functions remain coordinated by a clear protection and operation architecture.

ETCS is the current foundation of that protection architecture.

14. Architecture perspective

From an architecture perspective, ETCS can be understood through five roles.

The first role is protection. ETCS supervises train movement against a permitted envelope. It monitors speed, distance and braking. It intervenes when the train would exceed its limits. This is the core safety function.

The second role is interoperability. ETCS provides a European train control framework that can replace national ATP systems. Its purpose is to allow trains to operate across networks with a common onboard supervision architecture.

The third role is digitalisation. ETCS transforms signalling information into structured data exchanged between trackside and onboard systems. Movement Authority, speed profiles, gradients, modes, levels and national values become part of a digital train control language.

The fourth role is migration. ETCS must coexist with national systems, different deployment levels, baselines, legacy infrastructure and brownfield operational contexts. It is both the target and the transition mechanism.

The fifth role is automation foundation. ETCS creates the safety envelope inside which ATO, Remote Driving, Moving Block and DATO can operate.

These roles explain why ETCS is difficult.

It is not only a product. It is not only an onboard computer. It is not only a trackside installation. It is not only a driver display.

It is a European safety architecture.

This also explains why the success of ETCS cannot be measured only by whether the specification exists. It must be assessed through deployment, compatibility, operational harmonisation, cost control, migration and readiness for future capabilities.

A technically compliant ETCS installation may still contribute to fragmentation if it creates a different driver experience, a different engineering logic or a difficult compatibility context. A vehicle equipped with ETCS may still face authorisation and operational constraints if system compatibility is not managed. A line equipped with ETCS may still deliver limited benefit if too few trains can use it.

Architecture is the discipline that connects these dimensions.

The question is not only whether ETCS works. The question is whether ETCS becomes the common safety envelope of the European railway system.

That is the real test.

15. Conclusion

ERTMS/ETCS is the European Train Control System.

Its purpose is to provide a common European protection and supervision layer for train movement. It replaces the logic of fragmented national ATP systems with a standardised architecture based on Movement Authorities, onboard supervision, cab signalling, braking curves, modes, levels and train-track communication.

Its core idea is simple: the train must remain inside its authorised movement envelope.

Everything else follows from that.

The trackside provides movement information. The onboard system supervises the train. The driver receives the information in the cab. The system intervenes if the train would exceed the safe limits.

This makes ETCS the safety envelope of the European digital railway.

It is the foundation for ERTMS/ATO, because ATO can drive only inside the ETCS envelope. It is the foundation for future capacity concepts, because Hybrid Train Detection and Moving Block evolve the way this envelope is generated and updated. It is the foundation for DATO, because higher automation cannot scale without a clear and interoperable protection architecture.

But ETCS is not only a technical system. It is a migration and harmonisation challenge.

Trackside and onboard deployment must be synchronised. National Class B systems must be phased out. Baselines must be managed. System compatibility must be controlled. Driver experience and operational rules must converge. Costs must decrease. The system must be stable enough for investment and evolvable enough for the future.

This is why ETCS remains one of the most important railway architecture topics in Europe.

Without ETCS, there is no common safety envelope.
Without a common safety envelope, there is no credible interoperable automation.
Without interoperable automation, DATO risks becoming fragmented before it is deployed.

ETCS is therefore not just the European Train Control System.

It is the protection architecture on which the next European railway will be built.

Documentation and further reading

Voie Libre articles

• Automatic Train Protection
• ERTMS: The European Rail Traffic Management System
• Automatic Train Operation
• ERTMS/ATO: Europe’s Interoperable Train Autopilot
• From Fixed Blocks to Moving Block: Unlocking Capacity on Existing Railway Infrastructure
• Migration to ERTMS/ATO
• DATO as a System-of-Systems
• Railway Automation, ERTMS and DATO Glossary

ERTMS/ETCS specifications

• SUBSET-023 — ERTMS/ETCS Glossary of Terms and Abbreviations
• SUBSET-026-1 — System Requirements Specification, Chapter 1: Introduction
• SUBSET-026-2 — System Requirements Specification, Chapter 2: Basic System Description
• SUBSET-026-3 — System Requirements Specification, Chapter 3: Principles
• SUBSET-026-4 — System Requirements Specification, Chapter 4: Modes and Transitions
• SUBSET-026-5 — System Requirements Specification, Chapter 5: Procedures
• SUBSET-026-6 — System Requirements Specification, Chapter 6: Management of older System Versions
• SUBSET-026-7 — System Requirements Specification, Chapter 7: ERTMS/ETCS language
• SUBSET-026-8 — System Requirements Specification, Chapter 8: Messages
• SUBSET-026-9 — System Requirements Specification, Chapter 9: Classification of clauses

European framework and deployment

• European Commission — ERTMS Third Work Plan of the European Coordinator, 2026

Future ETCS and DATO-related topics

• Europe’s Rail Joint Undertaking — Work Programme 2026

Cover picture credit : ALSTOM