Discovery-Coordinated Multi-Sensor Perception
by Nick Clark | Published April 25, 2026
Coordinated multi-sensor perception across automated-vehicle fleets, defense ISR formations, and industrial-inspection populations is the architectural primitive that the surrounding regulatory regimes — NHTSA's AV TEST framework, SAE J3016 levels of driving automation, UNECE WP.29 Regulation 157 (ALKS), ISO 21448 SOTIF, ISO 26262 functional safety, and the NIST AI Risk Management Framework — each assume but none specify. Existing implementations (Mobileye REM, HERE HD Live Map, Waymo's self-driving stack on NVIDIA DriveOS) reconstruct the primitive per-vendor through fleet-internal coordination. The AQ semantic-discovery substrate provides cross-vendor, cross-platform credentialed sensor invocation that admits cleanly under the regulatory regimes already in force.
Regulatory Framework
The AV regulatory stack has matured along two parallel tracks. The NHTSA AV TEST Initiative and the agency's Standing General Order on Crash Reporting (effective 2021, expanded 2023) require manufacturers and operators of SAE Level 2+ and ADS-equipped vehicles to report incidents on a tightly bounded timeline; the reporting presupposes that the vehicle's sensor evidence at the moment of the incident is preserved, attributable, and admissible. SAE J3016 establishes the canonical taxonomy of automation levels and operational design domains (ODDs) that all subsequent regulation references. On the international track, UNECE WP.29 Regulation 157 establishes type approval for Automated Lane Keeping Systems (ALKS) at speeds now extended to 130 km/h, and Regulation 155 establishes cybersecurity management requirements for vehicle type approval.
Layered on top of the homologation regimes are the technical-safety standards that define the engineering discipline. ISO 26262 governs functional safety of E/E systems; ISO 21448 (SOTIF) governs Safety of the Intended Functionality, addressing hazards arising from performance limitations and triggering conditions even when the implementation is itself fault-free. NIST AI RMF 1.0 supplies the governance vocabulary for AI components — including perception models — and aligns with the EU AI Act's high-risk classification of automated-driving AI.
Around these regimes operate the existing high-definition mapping ecosystems (Mobileye REM, HERE HD Live Map, TomTom RoadDNA), the dominant AV stacks (Waymo SDC, Cruise, Zoox, Tesla FSD), and the underlying compute and sensor platforms (NVIDIA DriveOS, Mobileye EyeQ, Qualcomm Snapdragon Ride). Each platform implements a per-vendor coordination story; none of them provides a regulator-admissible cross-vendor primitive.
Architectural Requirement
The architectural requirement that the regulatory stack imposes — and that no individual vendor can satisfy alone — is cross-vendor credentialed perception sharing. SOTIF triggering conditions are by definition the conditions where a single vehicle's perception is insufficient: occlusion, glare, low-contrast scenes, novel object configurations. WP.29 R157 ALKS extends ODD to highway speeds where reaction-time budgets are dominated by perception latency. NHTSA SGO crash reporting demands that the perception evidence behind a decision be reconstructible after the fact.
Each of these regulatory pressures pushes toward a primitive: a vehicle should be able to invoke perception capability outside its own sensor envelope — in adjacent vehicles, in roadside infrastructure, in fleet-coordinated overhead assets — and admit the resulting evidence under credentialed provenance. The primitive must be vendor-neutral because the regulatory regimes are vendor-neutral. It must be cryptographically attributable because the SGO and EU AI Act audit regimes demand attribution. It must be ODD-aware because J3016 and R157 frame compliance in ODD terms.
The same architectural requirement appears outside automotive. Defense ISR formations operate sensors across platforms — fixed-wing reconnaissance, MQ-class drones, satellite assets, ground-based sensors, signals collection — and require coordinated invocation under cross-formation tasking discipline. Industrial inspection populations coordinate fixed cameras, mobile robots, hand-held nondestructive-testing instruments, and inspection drones under campaign discipline. Emergency response coordinates body-worn cameras, vehicle dashcams, fixed surveillance, and aerial assets under incident-command discipline. The architectural primitive is the same in each domain; the regulatory framings differ.
Why Procedural Compliance Fails
The dominant procedural answer is the per-vendor fleet. Mobileye REM crowdsources roadway change from Mobileye-equipped vehicles into a Mobileye-curated map consumed by Mobileye-equipped vehicles. HERE HD Live Map curates a map from contributing OEM partners and licenses it to those same partners. Waymo's stack on NVIDIA DriveOS coordinates Waymo vehicles through Waymo's internal infrastructure. Each is a vertically integrated coordination story bounded by vendor identity.
Procedural compliance fails at exactly the seams the regulatory regimes are most concerned with. A SOTIF triggering condition that one vendor's vehicle observes is not admissible by another vendor's vehicle, even when both vehicles are operating in the same lane meters apart. An NHTSA SGO crash report that references perception evidence from a non-incident vehicle (an adjacent vehicle that observed the conflict) cannot easily admit that evidence because the cross-vendor credentialing fabric does not exist. A WP.29 R157 ALKS audit that needs to reconstruct the perception state across an incident corridor faces the same evidence-admission gap.
The deeper procedural failure is that ad-hoc sensor tasking across operations — defense ISR mission-by-mission integration, industrial inspection campaign-by-campaign integration, emergency-response incident-by-incident integration — reconstructs the same coordination primitive each time. Cumulative integration cost is substantial; cross-operation learning is structurally lost; the coordination knowledge that improved one operation cannot be carried forward into the next without architectural support.
The vendor-internal coordination stories are not wrong; they are partial. They satisfy the vendor's internal use case and do not satisfy the regulatory regime's cross-vendor admissibility expectation.
What the AQ Primitive Provides
The AQ semantic-discovery substrate provides cross-vendor, cross-platform credentialed sensor invocation. A discovery query — find specific evidence within specific spatial-temporal windows under specific authority composition rules — drives sensor invocation across the population of available sensors, regardless of vendor. Sensors with relevant capability respond through credentialed observations; the responses augment the discovery's evidence base; the query's consumer admits the evidence under a declared admission policy.
The substrate is vendor-neutral. Mobileye-equipped vehicles, Waymo vehicles, Tesla FSD vehicles, and infrastructure RSUs each operate as discovery responders under their own signing roots; cross-vendor federation admits responses across vendor boundaries through declared composition rules. The substrate is platform-neutral with respect to the underlying compute (NVIDIA DriveOS, Mobileye EyeQ, Qualcomm Snapdragon Ride) and the underlying transport (DSRC, C-V2X, 5G NR-V2X).
Each invocation is credentialed end to end. The querying consumer's identity, the consumer's discovery policy, the responding sensor's identity, the responding authority's signature, and the spatial-temporal stamp of the response are bound together as a cryptographic record. The record is admissible under NHTSA SGO reporting, under WP.29 R157 audit, and under the EU AI Act's high-risk-AI logging obligations without further reconstruction.
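The record binding and admission check described above, as an added example that is not part of the original article or of the AQ substrate's own code. The field names, the policy layout, and the sample identities and keys are assumptions constructed for illustration, and HMAC-SHA256 stands in for the asymmetric signature a real signing root would produce.

```python
import hashlib, hmac, json

# Constructed signing roots (authority id -> key). Assumption: HMAC-SHA256
# stands in for the asymmetric signature a real signing root would produce.
ROOTS = {"vendor-a": b"constructed-key-a", "rsu-op": b"constructed-key-r"}

# Constructed discovery query: consumer identity plus its declared policy.
QUERY = {"consumer": "vehicle-17", "policy": {
    "odd": "highway",
    "federated_authorities": ["vendor-a"],
    "window": {"t0": 1000, "t1": 1060, "lat0": 48.10, "lat1": 48.20,
               "lon0": 11.50, "lon1": 11.60}}}

def canonical(obj):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def policy_digest(policy):
    return hashlib.sha256(canonical(policy)).hexdigest()

def make_record(query, responder, authority, stamp, observation, key):
    # Bind consumer, policy, responder, authority, stamp and observation.
    body = {"consumer": query["consumer"],
            "policy": policy_digest(query["policy"]),
            "responder": responder, "authority": authority, "stamp": stamp,
            "observation": hashlib.sha256(observation).hexdigest()}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}

def admit(record, query, roots):
    # Returns (admitted, reason); every check must pass before evidence is used.
    policy = query["policy"]
    key = roots.get(record["authority"])
    if key is None or record["authority"] not in policy["federated_authorities"]:
        return False, "authority not federated"
    body = {k: v for k, v in record.items() if k != "sig"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("sig", "")):
        return False, "bad signature"
    if (record["consumer"], record["policy"]) != (query["consumer"], policy_digest(policy)):
        return False, "not bound to this query"
    s, w = record["stamp"], policy["window"]
    if not (w["t0"] <= s["t"] <= w["t1"] and w["lat0"] <= s["lat"] <= w["lat1"]
            and w["lon0"] <= s["lon"] <= w["lon1"]):
        return False, "outside spatial-temporal window"
    return True, "admitted"
```

Because the policy digest sits inside the signed body, a response produced for one consumer or policy cannot be replayed into another query's evidence base, and an authority that holds a valid root but is not named in the consumer's composition rule is declined before its signature is even evaluated.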
The substrate composes with mission-management and operations-management tooling already in place. ISR mission planning systems issue discovery queries; the substrate handles cross-platform sensor invocation; the mission's evidence base receives credentialed augmentation. Industrial inspection scheduling systems issue discovery queries; the substrate handles cross-instrument invocation; the campaign's inspection record receives credentialed augmentation. Emergency-response coordination systems issue discovery queries; the substrate handles cross-asset invocation; the incident record receives credentialed augmentation.
Compliance Mapping
Against SAE J3016, the substrate is ODD-aware: the discovery query carries the ODD context, and the responding authority admits or declines the invocation under that context. Against WP.29 R157 ALKS, the substrate satisfies the implicit cross-vehicle perception admissibility requirement that the regulation's ODD extension to 130 km/h imposes; perception evidence outside the ego vehicle's envelope admits under credentialed provenance.
Against ISO 21448 SOTIF, the substrate addresses the central SOTIF challenge — performance limitations under triggering conditions — by extending the perception envelope beyond the ego vehicle through cross-vehicle invocation, while preserving attribution discipline so that the augmented evidence does not contaminate the SOTIF analysis. Against ISO 26262 functional safety, the substrate operates above the E/E item boundary; the per-item ASIL classification is preserved, and cross-item perception admission occurs under declared safety-related-data-exchange (SRDE) rules.
Against NHTSA SGO crash reporting, the credentialed record produced by each invocation is directly admissible as part of the incident record; cross-vehicle perception evidence is attributable to its source rather than dissolving into vendor-internal logs. Against the NIST AI RMF and the EU AI Act high-risk-AI logging obligations, the credentialed invocation record is the AI-RMF "documentation" artifact; the substrate produces the artifact as a byproduct of operation.
Against UNECE WP.29 Regulation 155 (cybersecurity management), the substrate's cryptographic credentialing aligns with the regulation's CSMS expectations; cross-vendor invocation does not weaken the cybersecurity posture because the substrate enforces credentialed admission at every step.
Adoption Pathway
Adoption proceeds vendor by vendor under cross-vendor federation rather than under forced consolidation. A first-mover OEM equips its vehicles to issue and respond to discovery queries under its own signing root; an SCMS-equivalent or commercial-CA root anchors the credentialing fabric. A second OEM federates with the first under a declared composition rule; cross-vendor invocation begins on shared corridors. Roadside infrastructure (RSUs deployed under IIJA Section 13006 and the USDOT V2X Roadmap) federates as additional discovery responders.
Defense ISR adoption follows existing program-of-record discipline. The substrate composes under the Open Mission Systems (OMS) and Universal Command and Control Interface (UCI) standards already governing cross-platform sensor coordination; the credentialing fabric admits under DoD PKI roots; cross-formation federation operates under joint task force rules. Industrial inspection adoption follows campaign-discipline boundaries; an industrial operator federates instrument vendors under its own signing root, and the campaign record incorporates credentialed cross-instrument observations.
The strategic implication is that multi-sensor perception evolves from a per-vendor, per-mission, per-campaign integration discipline into an architecturally supported primitive. Defense ISR gains structural cross-platform sensor coordination admissible under joint-doctrine reporting. Industrial inspection gains structural cross-instrument coordination admissible under campaign audit. Automotive gains structural cross-vendor perception admissible under NHTSA, UNECE, and EU AI Act regimes. The substrate does not replace the per-vendor coordination stories that exist today; it provides the cross-vendor admissibility layer that the regulatory regimes have been assuming and that no single vendor can build alone.
The economic case follows the regulatory case. Per-vendor coordination is a fixed cost duplicated across every vendor; per-mission integration is a fixed cost duplicated across every mission; per-campaign integration is a fixed cost duplicated across every campaign. A cross-vendor, cross-mission, cross-campaign primitive amortizes the coordination investment across the population of consumers. For OEMs facing increasingly stringent SOTIF residual-risk thresholds and increasingly large NHTSA SGO reporting obligations, the substrate converts a recurring per-incident reconstruction cost into a substrate fee. For defense program managers facing joint-task-force interoperability requirements under JADC2 (Joint All-Domain Command and Control) doctrine, the substrate converts ad-hoc cross-service tasking into a credentialed primitive consumable by any authorized component command.
The substrate is also forward-compatible with the emerging regulatory horizon. The EU AI Act's high-risk classification of automated-driving AI will require post-market monitoring records that include the perception evidence consumed at decision time; the substrate produces such records as a byproduct. The NHTSA Automated Driving Systems framework is moving toward more granular reporting; the substrate's per-invocation credentialed records align with that direction. UNECE WP.29 is preparing successor regulations to R157 covering broader ODDs; the substrate's ODD-aware admission policy admits cleanly under any successor framing. The ISO 21448 SOTIF revision in progress is expanding the triggering-condition taxonomy; the substrate's cross-vehicle perception extension addresses the central residual-risk vector that the revision is concerned with.
For operators who must answer to regulators today and who must continue to answer under successor regimes, the architectural choice is between continuing to reconstruct the cross-vendor coordination primitive per audit, per incident, per mission, and adopting a substrate where the primitive is already credentialed, already attributable, and already admissible. The substrate composes with the per-vendor stacks that exist; it does not require their abandonment, only their federation.