This dimension governs the design, maintenance, and verified operation of emergency communication pathways that autonomous or AI-assisted transport agents must preserve for passengers and customers during system failures, degraded operational states, connectivity outages, and safety-critical incidents. It matters because passengers aboard autonomous ground vehicles, aerial taxis, maritime vessels, and rail systems cannot independently invoke conventional rescue or emergency services without structured mediation from the transport agent when physical egress or environmental context is compromised — the agent is both the hazard context and the sole communication intermediary. Failure in this dimension presents as passengers being unable to receive evacuation instructions during a fire suppression system activation aboard an autonomous shuttle, being unable to contact emergency services when a vehicle comes to an unplanned stop in a tunnel, or receiving contradictory or null safety instructions from an AI dispatcher during a multi-vehicle incident, each of which has resulted in documented fatalities and regulatory enforcement actions in analogous non-autonomous transport contexts.
An operator deploys a 22-passenger autonomous electric shuttle on an urban sub-surface route passing through a 1.4 km transit tunnel. At 07:42 on a weekday, the shuttle's primary drive controller detects a critical battery management fault and executes a controlled stop at position marker T-07, approximately 680 metres from the nearest egress point. The shutdown is nominal. However, the cellular modem serving the onboard passenger information system also loses signal inside the tunnel — an interdependency that was not modelled during integration testing because the modem and the drive controller were procured from separate vendors and the integration test harness did not replicate sub-surface RF attenuation. Passengers receive no instruction for 4 minutes and 11 seconds. Three passengers attempt self-evacuation along the live trackway. The tunnel operations centre, which holds a 900 MHz narrowband radio system with full tunnel coverage, was never integrated into the shuttle's emergency communication architecture. One passenger sustains a minor injury from a passing maintenance vehicle. Regulatory review finds the operator had no documented fallback communication layer for sub-surface environments and no passenger-facing dead-reckoning message delivery protocol. Fine issued: €340,000. Route suspended pending remediation.
A four-passenger autonomous air taxi operating under Urban Air Mobility regulations is 11 minutes into a 19-minute inter-district flight when a rotor redundancy monitor triggers an automatic precautionary landing sequence, routing the vehicle to an alternate vertiport 3.2 km from the intended destination. The onboard passenger interface correctly displays the new destination icon but provides no audio announcement, no text explanation, no timeline, and no emergency contact option. One passenger, observing an unfamiliar landing zone approaching, activates the physical door release at 180 metres altitude, believing the aircraft was in distress. The door does not open — a secondary mechanical interlock prevents it — but the activation triggers a crew-alerting cascade that causes an unnecessary 14-second flight control interruption. Post-incident investigation identifies that the passenger notification subsystem had been placed in a maintenance configuration flag three days earlier following a software update and was never re-enabled for revenue service. The configuration management process had no pre-flight check item for passenger notification system status. Two passengers file psychological injury claims. Regulatory action results in mandatory pre-flight checklist revision across the operator's 34-aircraft fleet and a 90-day audit of configuration management procedures.
A long-haul autonomous freight vehicle operating under a supervised autonomy framework includes a human co-pilot whose role is limited to regulatory compliance monitoring; the vehicle's AI system handles all driving tasks. The vehicle is involved in a third-party collision caused by a non-autonomous vehicle at a highway interchange 12 kilometres inside a border crossing into a jurisdiction where the emergency number is 112, distinct from the 911 number used in the origin country. The human co-pilot, who is physically incapacitated from the collision, cannot manually dial for help. The vehicle's onboard emergency system is configured to dial 911 via a hardcoded value in the communications firmware, which routes to an automated intercept message in the foreign jurisdiction. The vehicle's AI agent does not carry a jurisdiction-aware emergency contact directory and does not detect that its geolocation corresponds to a different emergency services regime. Automatic crash notification via the vehicle's telematics platform does reach the operator's fleet management centre, but the centre's night-shift operator is unable to reach local emergency services for 7 minutes and 43 seconds due to international dialling unfamiliarity. The co-pilot sustains a serious spinal injury that attending paramedics attribute in part to the response delay. Post-incident analysis identifies three compounding failures: hardcoded emergency number, no geofence-linked emergency contact resolution, and no passenger/co-pilot-facing backup communication that would have allowed the incapacitated occupant to trigger an automated mayday with location data.
This dimension applies to any AI agent or AI-assisted system that carries, manages, coordinates, or is responsible for the safety of human passengers or co-pilots aboard any ground vehicle, aerial vehicle, waterborne vessel, or rail unit operating under full or supervised autonomy. It applies equally to dispatch and fleet management agents that route or monitor such vehicles. It applies at all operational states including nominal operation, degraded-mode operation, emergency-declared states, and post-incident states. It applies regardless of whether the agent is the proximate cause of an incident — the communication obligations persist even when a third party causes harm. It applies across all jurisdictions in which the agent operates or transits. It does not apply to purely uncrewed freight operations where no human occupant is aboard, though operators of such systems SHOULD refer to this dimension as a design reference for any future crewed configuration.
4.1.1 The agent MUST maintain a minimum of two independent emergency communication channels, each using distinct physical transmission technologies, such that the failure of any single channel — including its power supply, firmware, antenna, or network registration — does not prevent the delivery of emergency communications to passengers or to external emergency services.
4.1.2 The agent MUST ensure that at least one emergency communication channel operates on a frequency band or protocol that does not depend on commercial cellular infrastructure, including but not limited to narrowband radio, satellite-based short-burst data, or dedicated short-range communication protocols certified for safety-critical use.
4.1.3 The agent MUST verify the operational status of all emergency communication channels at the start of each revenue service journey, prior to passenger boarding or departure, and log the result of that verification to a tamper-evident record.
4.1.4 The agent MUST NOT place any emergency communication channel in a maintenance, test, or disabled configuration state while the vehicle is in revenue service with passengers aboard.
4.2.1 The agent MUST deliver passenger-facing emergency notifications through at least two distinct sensory modalities — for example, visual display and audio announcement — whenever a safety-relevant operational change occurs, including unplanned stops, route diversions, emergency landing or docking sequences, fire or hazard alerts, or any event that requires a change in passenger behaviour.
4.2.2 The agent MUST deliver passenger-facing notifications in the primary language of the operating jurisdiction and MUST additionally support at minimum one internationally standardised pictographic or icon-based communication format that does not depend on literacy in any specific language.
4.2.3 The agent MUST provide passengers with a physical or digital mechanism to initiate a direct emergency request — distinct from general customer service requests — that routes to a human operator or to emergency services, and this mechanism MUST remain functional whenever the vehicle is occupied, including when the vehicle is in a degraded or stopped state.
4.2.4 The agent SHOULD provide passengers with an estimated timeline and instructional guidance within 60 seconds of any unplanned operational state change, even if that guidance is provisional and subject to revision.
4.2.5 The agent MAY personalise communication content, language, or delivery modality based on passenger profile data collected during boarding, provided that the personalisation layer does not delay or suppress the mandatory notification content required by 4.2.1 through 4.2.3.
4.3.1 The agent MUST maintain a continuously updated, geofence-linked directory of emergency contact numbers and communication protocols for every jurisdiction through which the vehicle is authorised to operate, and MUST resolve the applicable emergency contacts based on the vehicle's confirmed GPS or equivalent geolocation at the time of an emergency event.
4.3.2 The agent MUST NOT use hardcoded emergency contact numbers that are not subject to jurisdiction-aware resolution logic.
4.3.3 The agent MUST test emergency contact resolution against the current geolocation at intervals not exceeding 15 minutes during active operation and log the result.
4.3.4 Where an emergency occurs within a geofence boundary that spans two or more jurisdictions' emergency service territories — such as a border crossing, shared maritime zone, or airspace overlap — the agent MUST simultaneously notify emergency contacts in all applicable jurisdictions rather than selecting a single jurisdiction.
4.3.5 The agent SHOULD synchronise its emergency contact directory with a verified authoritative source at intervals not exceeding 24 hours and SHOULD flag any directory entry that has not been verified within 72 hours as stale, triggering a human review.
4.4.1 The agent MUST implement a degraded-mode communication protocol that activates automatically within 30 seconds of detecting the loss of the primary communication channel, without requiring human initiation at the vehicle level.
4.4.2 The agent MUST deliver a pre-approved, stored emergency message to all reachable communication channels — including emergency services, fleet operations, and passengers — if the agent loses the ability to generate contextual communications, such as during a software exception, power brownout, or hardware fault in the communication generation subsystem.
4.4.3 The pre-approved stored emergency message required by 4.4.2 MUST include at minimum: the vehicle's last confirmed location expressed as both a coordinate pair and a human-readable landmark or route reference; the number of passengers aboard as of last confirmed boarding count; the nature of the fault if determinable; and a timestamp.
4.4.4 The agent MUST ensure that the stored emergency message storage medium and its delivery subsystem are powered by an independent emergency power source capable of sustaining operation for no less than 30 minutes after total primary power loss.
4.4.5 The agent SHOULD conduct a live end-to-end test of the degraded-mode communication protocol on a schedule not exceeding 7 days, using a test channel that does not trigger actual emergency service responses.
4.5.1 The agent MUST provide a clearly labelled, physically accessible, and mechanically durable manual trigger that a passenger or co-pilot can activate without system software mediation to transmit a distress signal to the fleet operations centre, and this trigger MUST function even when the vehicle's primary power and control systems are non-operational.
4.5.2 The agent MUST ensure that any manual distress trigger activation is acknowledged within 90 seconds by a human operator or by an automated confirmation to the passenger indicating that the signal has been received and that emergency response is being coordinated.
4.5.3 The agent MUST log all manual distress trigger activations, including any that are subsequently identified as inadvertent or test activations, and retain those logs for a minimum of 5 years.
4.5.4 The agent SHOULD provide the human operator receiving a distress signal with the vehicle's current operational state, last confirmed location, passenger count, and active fault codes within 10 seconds of distress signal receipt.
4.6.1 The agent MUST authenticate all incoming communications that purport to issue emergency instructions, route the vehicle, or modify passenger notification content, using a cryptographic or equivalent authentication mechanism, and MUST reject and log any unauthenticated commands of this type.
4.6.2 The agent MUST detect and alert when communication channel signal quality falls below a threshold that would impair reliable delivery of emergency messages, and MUST activate the secondary channel before signal quality reaches total loss.
4.6.3 The agent MUST NOT suppress, delay, or modify mandatory passenger safety notifications in response to commercial, reputational, or operational convenience considerations, and any configuration option that could produce such suppression MUST be restricted to authorised safety personnel with logged justification.
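The authentication in 4.6.1 has to do more than check a signature: a captured, legitimately signed reroute command replayed an hour later is just as dangerous as a forged one. The following added example (written for this page, not an operator's or vendor's code) shows one way to meet the requirement with HMAC-SHA256 over a canonical encoding of the command, a bounded timestamp window, a nonce cache for replay rejection, and a rejection log. The key, the command type names and the 120-second skew window are assumptions for the example.

```python
import hashlib
import hmac
import json
import time

# Example shared secret between the fleet operations centre and the vehicle.
# Assumption for this example only: a real deployment provisions per-vehicle keys
# in a hardware-backed store and rotates them; it does not embed a constant.
FLEET_KEY = b"example-fleet-key-not-for-production"

# Command types 4.6.1 covers: emergency instructions, routing, notification content
# (assumed names for the example).
SAFETY_COMMANDS = {"EMERGENCY_INSTRUCTION", "REROUTE", "NOTIFICATION_OVERRIDE"}


class CommandVerifier:
    """Authenticates inbound commands with HMAC-SHA256, bounds their age, and
    rejects replays of a previously accepted nonce. Every rejection is logged."""

    def __init__(self, key, now=time.time, max_skew_s=120):
        self._key = key
        self._now = now
        self._max_skew = max_skew_s
        self._seen = {}        # nonce -> timestamp at which it was accepted
        self.rejections = []   # (reason, type, nonce) for the audit log

    @staticmethod
    def _canonical(cmd):
        # Both ends sign the same canonical JSON of the authenticated fields only.
        body = {k: cmd[k] for k in ("type", "payload", "ts", "nonce")}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def sign(self, cmd):
        return hmac.new(self._key, self._canonical(cmd), hashlib.sha256).hexdigest()

    def _reject(self, cmd, reason):
        self.rejections.append((reason, cmd.get("type"), cmd.get("nonce")))
        return False, reason

    def verify(self, cmd):
        missing = [k for k in ("type", "payload", "ts", "nonce", "mac") if k not in cmd]
        if missing:
            return self._reject(cmd, "missing fields: " + ",".join(missing))
        if cmd["type"] not in SAFETY_COMMANDS:
            return self._reject(cmd, "unrecognised command type")
        # MAC first: nothing unauthenticated may influence the nonce cache.
        if not hmac.compare_digest(self.sign(cmd), str(cmd["mac"])):
            return self._reject(cmd, "bad mac")
        now = self._now()
        try:
            ts = float(cmd["ts"])
        except (TypeError, ValueError):
            return self._reject(cmd, "unparseable timestamp")
        if abs(now - ts) > self._max_skew:
            return self._reject(cmd, "timestamp outside window")
        if cmd["nonce"] in self._seen:
            return self._reject(cmd, "replayed nonce")
        self._seen[cmd["nonce"]] = ts
        # A nonce older than the window can never be replayed successfully (the
        # timestamp check rejects it first), so drop it to bound memory.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self._max_skew}
        return True, "accepted"
```

Two caveats a reviewer would raise: the nonce cache lives in process memory, so a restart inside the window must either persist it or refuse commands until the window has elapsed; and a shared HMAC key lets the vehicle forge operations-centre commands, so where only the centre may issue them an asymmetric signature with the private key held off-vehicle is the better fit.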
4.7.1 Where a passenger journey involves a transfer between multiple autonomous vehicles or transport modes coordinated by a shared dispatch agent, the agent MUST ensure that the receiving vehicle or mode has full awareness of any active emergency status, passenger medical alerts, or communication accessibility requirements before the transfer is completed.
4.7.2 The agent MUST NOT mark an emergency communication event as resolved in its operational record until both the originating vehicle agent and the fleet operations centre have independently confirmed resolution, and the passenger has been safely handed off or has confirmed safe exit.
4.8.1 The agent MUST ensure that emergency communication mechanisms are accessible to passengers with sensory or mobility impairments, including providing tactile indicators for emergency triggers, hearing-loop or equivalent audio enhancement for audio notifications, and screen-reader compatible digital interfaces where digital interfaces are used.
4.8.2 The agent SHOULD conduct accessibility testing with representative users from relevant impairment profiles at intervals not exceeding 12 months and document the results as part of the safety case.
4.9.1 The agent's operator MUST maintain a current Emergency Communication Architecture Document that describes all communication channels, their fallback hierarchy, their power dependencies, their jurisdiction coverage, and the test schedule for each.
4.9.2 The agent's operator MUST ensure that all human operators and fleet monitoring personnel who may receive distress signals are trained on emergency communication procedures specific to each vehicle type in the fleet, with documented training completion records retained for a minimum of 3 years.
4.9.3 The agent's operator MUST conduct a post-incident review of emergency communication performance within 72 hours of any incident in which emergency communications were activated, degraded, or absent, and MUST submit a summary of findings to the relevant safety regulator within 30 days.
The requirements in this dimension are preventive rather than detective or corrective because the consequences of communication failure in passenger transport are time-asymmetric: a 4-minute communication blackout in a tunnel or a 7-minute delay in contacting emergency services cannot be compensated for after the fact. Structural enforcement — meaning that the communication architecture is physically and logically constructed to be failure-resilient before a vehicle enters revenue service — is the only mechanism capable of preventing harm in a domain where the AI agent controls the environment the passenger is occupying.
The dual-channel physical redundancy requirement in 4.1 is grounded in the failure mode shown in Example 1, where a single cellular modem carried both the vehicle's link to operations and the passenger information system, so that sub-surface RF attenuation silenced both at once: a common-cause failure that the integration tests never exercised. Structural separation of power supply, antenna, firmware and transmission technology for each channel removes a single common cause as a credible pathway to total communication loss.
The independent emergency power requirement in 4.4.4 addresses a failure mode that is structurally invisible to software testing: a scenario in which the communication subsystem's power rail fails alongside the primary drive system. In electric vehicles, power management faults can cascade across subsystems that share a bus, and the 30-minute independent power reserve requirement creates a structural firewall against that cascade reaching the emergency communication function.
Behavioural requirements — those governing what the agent does when an emergency occurs — must be tested against adversarial conditions rather than nominal conditions. The configuration management failure in Example 2 is a canonical behavioural failure: the agent was structurally capable of delivering notifications but was behaviourally conditioned not to do so by a maintenance flag that had not been cleared. The pre-flight verification requirement in 4.1.3 and the prohibition in 4.1.4 address this by creating a behavioural rule that is testable and auditable at each service journey boundary.
The jurisdiction-aware emergency contact resolution requirements in 4.3 address a category of behavioural failure that is invisible within single-jurisdiction testing: the agent behaves correctly in every environment it has been tested in, and fails in the one environment that was not anticipated. Hardcoded emergency numbers represent a design commitment to a specific jurisdiction that is structurally incompatible with cross-border operations, and the prohibition in 4.3.2 eliminates this commitment entirely by requiring all emergency contact resolution to be dynamic and geofence-driven.
A detective control — one that identifies communication failures after they occur — cannot serve the purpose of this dimension because the population at risk, passengers aboard a vehicle in an emergency, has no alternative protection layer while the detection-response cycle completes. A corrective control — one that remediates communication architecture weaknesses — is valuable for fleet-level improvement but does not protect the passengers who experienced the failure. Preventive control, implemented as verified architectural requirements prior to service entry and maintained as ongoing operational obligations, is the only control type that can reduce the probability of harm to a level consistent with acceptable transport safety standards.
Layered Communication Architecture with Explicit Fallback Hierarchy. Operators should define a named, ordered sequence of communication channels — for example, primary LTE/5G, secondary 900 MHz narrowband radio, tertiary satellite short-burst data, quaternary stored message delivery — and implement monitoring that automatically advances through the hierarchy on detection of channel failure. Each layer in the hierarchy should be tested independently and in combination, and the fallback advancement should occur without any dependency on software components that may also have failed.
Geofence-Linked Emergency Services Registry with Versioned Entries. The emergency contact directory should be maintained as a versioned, structured data file with each entry tagged with the geofence boundary it serves, the date of last verification, the source of that verification, and an expiry timestamp. The directory update process should be integrated into the operator's change management workflow so that regulatory changes to emergency numbers in any operating jurisdiction are reflected in the fleet within 24 hours of notification.
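The 4.3 requirements and the registry pattern above come down to one function: given a confirmed position and the current time, return every applicable jurisdiction's contact, flag anything not recently verified, and never fall back to a constant. The following added example (written for this page, not an operator's system) implements that with versioned, geofence-tagged entries, a point-in-polygon test, a border-margin probe that returns all jurisdictions within 500 m of the position for 4.3.4, and the 72-hour staleness rule of 4.3.5. The two rectangular jurisdictions, their numbers and verification dates are constructed test data; real geofences are irregular and should use a proper geospatial library.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class DirectoryEntry:
    jurisdiction: str
    emergency_number: str
    protocol: str          # how the number is reached, e.g. "PSTN voice"
    polygon: tuple         # ((lat, lon), ...) geofence vertices, closed implicitly
    version: int
    verified_at: datetime
    source: str            # who or what verified the entry
    expires_at: datetime


def point_in_polygon(lat, lon, polygon):
    """Ray-casting test with x=lon, y=lat; adequate for small, non-self-crossing geofences."""
    inside = False
    j = len(polygon) - 1
    for i in range(len(polygon)):
        yi, xi = polygon[i]
        yj, xj = polygon[j]
        if (yi > lat) != (yj > lat):
            x_cross = (xj - xi) * (lat - yi) / (yj - yi) + xi
            if lon < x_cross:
                inside = not inside
        j = i
    return inside


class EmergencyDirectory:
    """Geofence-linked, versioned emergency contact registry (4.3.1 to 4.3.5)."""

    def __init__(self, border_margin_m=500, stale_after=timedelta(hours=72)):
        self._entries = {}   # jurisdiction -> current DirectoryEntry
        self.history = []    # (jurisdiction, version, applied_at, source)
        self._margin_m = border_margin_m
        self._stale_after = stale_after

    def current(self, jurisdiction):
        return self._entries[jurisdiction]

    def update(self, entry, applied_at):
        cur = self._entries.get(entry.jurisdiction)
        if cur is not None and entry.version <= cur.version:
            raise ValueError(f"{entry.jurisdiction}: version {entry.version} is not newer than {cur.version}")
        self._entries[entry.jurisdiction] = entry
        self.history.append((entry.jurisdiction, entry.version, applied_at, entry.source))

    def _probe_points(self, lat, lon):
        # Centre plus four offsets at the border margin: a jurisdiction containing any
        # probe is applicable, which is how 4.3.4 border zones are detected here.
        dlat = self._margin_m / 111_320.0
        dlon = self._margin_m / (111_320.0 * max(math.cos(math.radians(lat)), 1e-6))
        return [(lat, lon), (lat + dlat, lon), (lat - dlat, lon), (lat, lon + dlon), (lat, lon - dlon)]

    def resolve(self, lat, lon, now):
        probes = self._probe_points(lat, lon)
        applicable = [e for e in self._entries.values()
                      if any(point_in_polygon(p_lat, p_lon, e.polygon) for p_lat, p_lon in probes)]
        contacts, stale = [], []
        for e in sorted(applicable, key=lambda e: e.jurisdiction):
            is_stale = (now - e.verified_at) > self._stale_after or now >= e.expires_at
            contacts.append({"jurisdiction": e.jurisdiction, "number": e.emergency_number,
                             "protocol": e.protocol, "version": e.version, "stale": is_stale})
            if is_stale:
                stale.append(e.jurisdiction)
        # No hardcoded fallback number (4.3.2): an unresolved position is surfaced so the
        # fleet operations centre, not a stale constant, decides who is called.
        return {"resolved": bool(contacts), "contacts": contacts, "stale_needs_review": stale}


EXAMPLE_NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)


def example_directory(now=EXAMPLE_NOW):
    """Constructed registry: jurisdiction A (112) west of lon 1.0, B (911) east of it.
    B was last verified 100 h ago, so 4.3.5 should flag it for human review."""
    d = EmergencyDirectory()
    d.update(DirectoryEntry("A", "112", "PSTN voice", ((0, 0), (0, 1), (1, 1), (1, 0)), 3,
                            now - timedelta(hours=5), "regulator bulletin", now + timedelta(days=30)), now)
    d.update(DirectoryEntry("B", "911", "PSTN voice", ((0, 1), (0, 2), (1, 2), (1, 1)), 1,
                            now - timedelta(hours=100), "regulator bulletin", now + timedelta(days=30)), now)
    return d
```

A stale entry is still returned, with its flag set: a number that was correct 80 hours ago is far more likely to reach help than no number at all, and the flag is what drives the human review 4.3.5 asks for. The 15-minute self-test of 4.3.3 is then simply a scheduled call to `resolve` on the current position with the result written to the log.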
Pre-Flight and Pre-Departure Communication System Health Check. A standardised, automated health check routine should run at the start of every revenue journey, producing a binary pass/fail result for each communication channel and a signed log entry. The vehicle should not enter passenger-boarding mode if any mandatory communication channel fails its health check. The health check should include a live signal test, not merely a hardware presence check.
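What "tamper-evident" and "hard service gate" look like in code is easy to get wrong: a log that can be edited after the fact, or a gate that checks hardware presence rather than the 4.1.1/4.1.2 properties the channels must jointly satisfy. The following added example (written for this page, not an operator's or vendor's implementation) evaluates the gate from constructed live-test results and writes each decision into a hash-chained log. The channel names and technology labels are assumptions; a real probe would register on the network and exchange a test message before reporting `live_test_ok`.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Technologies that depend on commercial cellular infrastructure (4.1.2); assumed labels.
CELLULAR = {"LTE", "5G"}


@dataclass
class ChannelResult:
    """Outcome of one channel's live pre-departure test, supplied by the caller."""
    name: str
    technology: str
    mandatory: bool
    live_test_ok: bool
    maintenance_flag: bool


def evaluate_gate(results):
    """Return (boarding_permitted, reasons). Any listed reason closes the gate."""
    reasons = []
    for r in results:
        if r.maintenance_flag:
            reasons.append(f"{r.name}: maintenance/test flag set (4.1.4)")
        elif not r.live_test_ok and r.mandatory:
            reasons.append(f"{r.name}: mandatory channel failed live test (4.1.3)")
    usable = [r for r in results if r.live_test_ok and not r.maintenance_flag]
    techs = {r.technology for r in usable}
    if len(techs) < 2:
        reasons.append("fewer than two distinct transmission technologies usable (4.1.1)")
    if not (techs - CELLULAR):
        reasons.append("no usable channel independent of commercial cellular (4.1.2)")
    return not reasons, reasons


class TamperEvidentLog:
    """Hash-chained append-only log: each entry commits to the previous hash, so an edit
    to any earlier record breaks every later link. The chain alone does not stop a party
    who controls the whole file from rewriting it end to end, so the head hash must be
    exported to, or signed by, something outside the vehicle (e.g. the operations centre)."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, record):
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"prev": prev, "record": record, "hash": self._digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def verify(self):
        """Return (intact, index of first bad entry or entry count if intact)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["record"]):
                return False, i
            prev = e["hash"]
        return True, len(self.entries)


def run_preflight(vehicle_id, journey_id, timestamp, results, log):
    """Evaluate the gate and record the decision, returning (permitted, entry_hash)."""
    permitted, reasons = evaluate_gate(results)
    record = {"vehicle": vehicle_id, "journey": journey_id, "ts": timestamp,
              "channels": [asdict(r) for r in results],
              "boarding_permitted": permitted, "reasons": reasons}
    return permitted, log.append(record)
```

The maintenance-flag case is the Example 2 failure: the channel passes its live test, yet the gate still closes because 4.1.4 forbids the configuration in revenue service. Two healthy LTE modems from different vendors also close the gate, since they share a transmission technology and a coverage failure mode.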
Passenger Communication Content Templates with Mandatory Fields. Operators should maintain a library of pre-approved passenger notification templates for each foreseeable emergency scenario — unplanned stop, route diversion, fire alert, medical emergency, evacuation instruction — with mandatory fields that the agent populates from live data and optional fields that the agent may omit if data is unavailable. This pattern ensures that communication content meets minimum information standards even when the agent's contextual reasoning capability is impaired.
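The layered hierarchy pattern and the template pattern meet in the degraded-mode path of 4.4.1 to 4.4.3: when the contextual generator is the thing that has failed, the agent must still produce a message with every mandatory field and push it down the channel order until something delivers. The following added example (written for this page; the template wording, channel names, coordinates and snapshot values are all constructed, not an operator's data) shows that path, including the refusal to send a stored message whose mandatory fields are missing.

```python
from dataclasses import dataclass, field

# Fields 4.4.3 requires; 'fault' is reported as undetermined when the agent cannot tell.
MANDATORY_FIELDS = ("lat", "lon", "landmark", "passenger_count", "fault", "timestamp")

# Pre-approved template (constructed wording for this example).
STORED_TEMPLATE = (
    "EMERGENCY {vehicle_id}: last confirmed position {lat:.5f},{lon:.5f} ({landmark}); "
    "{passenger_count} passengers aboard per last confirmed boarding count; "
    "fault: {fault}; time {timestamp}"
)


def render_stored_message(vehicle_id, snapshot):
    data = dict(snapshot)
    data.setdefault("fault", "undetermined")
    missing = [f for f in MANDATORY_FIELDS if f not in data]
    if missing:
        # Fail loudly in the 4.4.5 test rather than broadcast a message responders cannot act on.
        raise ValueError("snapshot missing mandatory fields: " + ", ".join(missing))
    return STORED_TEMPLATE.format(vehicle_id=vehicle_id, **data)


@dataclass
class Channel:
    name: str
    technology: str
    up: bool = True
    sent: list = field(default_factory=list)

    def send(self, recipient, text):
        # Stand-in for a transceiver; returns False when the channel is down.
        if not self.up:
            return False
        self.sent.append((recipient, text))
        return True


@dataclass
class FallbackHierarchy:
    channels: list  # ordered: primary first, last resort last

    def deliver(self, recipient, text):
        attempts = []
        for ch in self.channels:
            ok = ch.send(recipient, text)
            attempts.append((ch.name, ok))
            if ok:
                return ch.name, attempts
        return None, attempts


class DegradedModeController:
    RECIPIENTS = ("emergency_services", "fleet_operations", "passengers")

    def __init__(self, vehicle_id, hierarchy, snapshot, contextual_generator):
        self.vehicle_id = vehicle_id
        self.hierarchy = hierarchy
        self.snapshot = snapshot            # last confirmed state, refreshed while nominal
        self.contextual_generator = contextual_generator

    def on_primary_loss(self, detected_at_s, now_s):
        """Runs automatically on primary-channel loss (4.4.1); no human initiation."""
        latency = now_s - detected_at_s
        try:
            text, source = self.contextual_generator(), "contextual"
        except Exception:
            # 4.4.2: the generation subsystem itself has faulted; fall back to stored text.
            text, source = render_stored_message(self.vehicle_id, self.snapshot), "stored"
        report = {"activation_latency_s": latency, "within_30s": latency <= 30,
                  "source": source, "text": text, "deliveries": {}}
        for recipient in self.RECIPIENTS:
            via, attempts = self.hierarchy.deliver(recipient, text)
            report["deliveries"][recipient] = {"via": via, "attempts": attempts}
        return report


def example_snapshot():
    # Constructed last-confirmed state modelled on the tunnel stop in Example 1.
    return {"lat": 48.21012, "lon": 16.37231,
            "landmark": "tunnel marker T-07, 680 m from nearest egress",
            "passenger_count": 22, "timestamp": "07:42:18Z"}


def failing_generator():
    # Stand-in for a contextual message generator hit by a software exception.
    raise RuntimeError("message generation subsystem fault")
```

The `attempts` list in each report entry is what the 4.4 event log should retain: it shows not only which channel delivered but which ones were tried and failed, which is the evidence a post-incident review under 4.9.3 needs.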
Independent Emergency Power Bus. The emergency communication subsystem — including the secondary channel transceiver, the stored message storage medium, the manual distress trigger, and the passenger notification output devices — should be connected to an isolated power bus served by a dedicated battery or capacitor bank that is not accessible to the primary power management system. The isolation should be verified by physical separation, not just logical separation in a shared battery management system.
Accessibility-by-Default Notification Design. Passenger notification outputs should be designed to the most demanding accessibility requirement in the fleet's operating environment as the default, rather than as an optional configuration. Audio announcements should be delivered at a volume and frequency range that supports hearing loop induction. Visual displays should use high-contrast, large-format text with internationally recognisable icons. Tactile emergency triggers should be co-located with braille labels.
Single-Vendor Communication Stack. Procuring all communication components — modem, antenna, firmware, network registration — from a single vendor creates a dependency on that vendor's failure modes, update schedules, and support continuity. When a vendor issues a firmware update that introduces a silent failure in communication initialisation, every vehicle using that vendor's stack is simultaneously affected. Operators should enforce physical and logical separation of the primary and secondary communication channels by requiring them to originate from distinct vendors or open-standard implementations.
Hardcoded Geographic or Regulatory Assumptions. Any configuration value that embeds a jurisdiction-specific assumption — emergency number, radio channel, regulatory reporting address — without a mechanism for runtime override creates a latent cross-border failure. This includes emergency numbers, but also includes language settings, measurement units in passenger notifications, and regulatory notification addresses. All such values should be resolved at runtime from a verified, updateable source.
Maintenance Mode Flags Without Operational Safeguards. Configuration flags that disable or modify communication behaviour for maintenance or testing purposes are necessary operational tools, but they must be governed by explicit safeguards: automatic expiry timestamps, pre-flight health check detection, and prohibition of revenue service while flags are active. Systems that allow maintenance flags to persist silently into revenue service represent a category of risk that is structurally preventable.
Conflating Customer Service and Emergency Communication Channels. Systems that route passenger emergency requests through the same queue as general customer service inquiries introduce unpredictable latency into emergency response. An emergency request should be routed through a dedicated, prioritised pathway that bypasses all non-emergency queue logic.
Treating Communication Testing as a One-Time Integration Event. Communication system integration tests conducted during vehicle commissioning do not account for environmental degradation, firmware drift, or infrastructure changes in the operating environment. Ongoing periodic testing — including live end-to-end tests in representative operating environments — is required to maintain verified assurance of communication capability.
Assuming Network Coverage Maps Are Accurate. Coverage maps provided by network operators are statistical representations of average signal availability and do not guarantee coverage at specific locations, times, or vehicle orientations. Operators who rely solely on coverage maps to assess communication channel availability in tunnels, parking structures, maritime channels, or mountainous terrain will systematically underestimate blackout risk.
Rail and Sub-Surface Operations. Sub-surface environments require investment in trackside or tunnel-mounted communication infrastructure — such as leaky feeder antenna systems or repeater networks — as a prerequisite for meeting the dual-channel redundancy requirement. Operators of sub-surface routes should coordinate with infrastructure managers to verify that at least one communication frequency band achieves reliable coverage across 100% of the route before service commencement.
Urban Air Mobility. Aerial vehicles present unique challenges for passenger-facing emergency communication because the communication event may coincide with a flight manoeuvre that limits the agent's ability to simultaneously manage navigation and communication generation. Communication automation — including pre-approved template delivery — is particularly important in this context. Regulators in multiple jurisdictions are developing specific requirements for autonomous aerial vehicle passenger notification that operators should monitor for integration into their compliance framework.
Maritime and Coastal Operations. Maritime emergency communication is subject to the Global Maritime Distress and Safety System (GMDSS) framework, which defines specific radio frequencies and distress signal formats. Autonomous passenger vessel operators must integrate GMDSS compliance into their communication architecture and should not treat GMDSS as a parallel or alternative system to the requirements in this dimension — both must be satisfied.
Cross-Border Road Operations. The eCall system, mandatory in the European Union for new passenger car and light van types approved from 31 March 2018, provides automatic collision notification to the European emergency number 112 but does not extend to all jurisdictions in which cross-border vehicles may operate. Operators running cross-border routes that exit the eCall coverage zone must implement supplementary jurisdiction-aware notification mechanisms.
| Maturity Level | Characteristic |
|---|---|
| Level 1 — Initial | Single communication channel; no pre-flight verification; no fallback; passenger notifications manual or absent |
| Level 2 — Developing | Dual channel present but not independently powered; pre-flight check exists but not enforced as a service gate; passenger notifications templated but not multi-modal |
| Level 3 — Defined | Full architectural compliance with 4.1 through 4.4; jurisdiction-aware directory in place; accessibility requirements met; pre-flight verification is a hard service gate |
| Level 4 — Managed | Ongoing periodic testing with documented results; post-incident review process integrated into safety management system; cross-border compliance verified through live testing in all operating jurisdictions |
| Level 5 — Optimised | Real-time communication channel health monitoring with predictive maintenance; continuous synchronisation of emergency contact directory; accessibility testing with user participation; operator contributing to industry standards development |
Emergency Communication Architecture Document (ECAD). A formal document describing all communication channels, their physical components, power dependencies, frequency bands or protocols, fallback hierarchy, jurisdiction coverage, and the identity of the authorised safety engineer who approved the architecture. This document must be current at all times and must be updated within 14 days of any architectural change. Retention: life of vehicle plus 10 years.
Integration Test Report — Communication Channels. A report documenting the results of integration testing for all communication channels across all operating environments, including sub-surface, maritime, and cross-border scenarios as applicable. The report must include test methodology, pass/fail criteria, observed signal quality measurements, and identification of any environments where coverage was not achieved. Retention: life of vehicle plus 10 years.
Jurisdiction Emergency Contact Directory — Version History. A complete version history of the emergency contact directory, including the date of each update, the source of the update, and the identity of the operator who applied the update. Retention: 7 years from the date of each version.
Pre-Flight Communication Health Check Logs. Machine-generated, tamper-evident logs of each pre-flight communication system health check, including the result for each channel, the timestamp, and the vehicle identifier. Retention: 5 years.
Emergency Communication Event Logs. Complete logs of all emergency communication events, including the triggering condition, the channels used, the content delivered, the delivery confirmation status, the response received, and the resolution timestamp. Retention: 10 years, or duration of any related regulatory or legal proceeding, whichever is longer.
Manual Distress Trigger Activation Logs. Logs of all manual distress trigger activations as required by 4.5.3. Retention: 5 years.
Periodic End-to-End Communication Test Records. Records of all periodic end-to-end communication tests conducted under 4.4.5, including the test scenario, the channels tested, the results, and the identity of the operator who conducted the test. Retention: 3 years.
Operator Training Completion Records. Records of communication procedure training for all fleet operations personnel as required by 4.9.2. Retention: 3 years from the date of training or from the date of the operator's departure from the role, whichever is later.
Post-Incident Review Reports. Reports produced under 4.9.3 for each incident involving emergency communication activation, degradation, or absence. Retention: 10 years.
Regulatory Notification Records. Copies of all notifications submitted to safety regulators under 4.9.3, including submission timestamps and any regulatory acknowledgement or response received. Retention: 10 years.
Maps to: 4.1.1, 4.1.2
Objective: Verify that complete failure of the primary communication channel does not prevent emergency communication via the secondary channel, and that the secondary channel uses a distinct physical transmission technology.
Method: With the vehicle in a representative operating environment, physically disable the primary communication channel — including its power supply — and attempt to transmit an emergency message to the fleet operations centre and to a simulated emergency services contact using only the secondary channel. Repeat with the secondary channel disabled and the primary channel active. Independently verify the physical and logical separation of the two channels by inspection of wiring diagrams and firmware configuration.
Pass Criteria:
Maps to: 4.1.3, 4.1.4
Objective: Verify that the pre-flight communication health check is conducted automatically, logged to a tamper-evident record, and that a channel failure prevents vehicle departure for revenue service.
Method: Simulate a communication channel fault condition on the primary channel immediately before a scheduled pre-flight health check cycle. Observe whether the health check correctly identifies the fault, logs the result, and prevents the vehicle from entering passenger-boarding mode. Then restore the channel to nominal operation and verify that the health check passes and permits boarding. Additionally, inject a maintenance flag into the secondary communication channel configuration and verify that the vehicle correctly identifies the flag as incompatible with revenue service and prevents departure.
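One way to implement the behaviour this test exercises, as an added example that is not code from the page or from any specified product: every channel is evaluated, the result is appended to a hash-chained log so that a later edit of any entry is detectable, and boarding is refused if any channel is down or carries a maintenance flag. The ChannelState fields, fault strings, log layout and the sample vehicle and timestamps are this example's own assumptions.

```python
"""Added example: pre-flight communication health check with a tamper-evident log.

Assumed/hypothetical: the ChannelState fields, fault strings and log format are
this example's choices, not the page's specification. Sample data is constructed.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # previous-hash value for the first entry


@dataclass
class ChannelState:
    name: str
    link_up: bool
    maintenance_flag: bool = False  # set by maintenance tooling; incompatible with revenue service


class TamperEvidentLog:
    """Append-only log; each entry's hash covers the previous hash and its own record."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, record):
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode()).hexdigest()

    def append(self, record):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"prev": prev_hash, "record": record, "hash": self._digest(prev_hash, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True only if every link recomputes; an edited, dropped or reordered entry breaks the chain."""
        prev_hash = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev_hash or self._digest(prev_hash, entry["record"]) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


def preflight_check(channels, log, timestamp, vehicle_id):
    """Evaluate every channel, log the outcome, return (boarding_permitted, faults)."""
    faults = []
    for ch in channels:
        if not ch.link_up:
            faults.append(f"{ch.name}: link down")
        if ch.maintenance_flag:
            faults.append(f"{ch.name}: maintenance flag set")
    record = {
        "vehicle": vehicle_id,
        "t": timestamp,
        "channels": [ch.name for ch in channels],
        "faults": faults,
        "boarding_permitted": not faults,
    }
    log.append(record)
    return not faults, faults


if __name__ == "__main__":
    log = TamperEvidentLog()
    primary = ChannelState("cellular", link_up=False)          # constructed fault on primary
    secondary = ChannelState("narrowband-radio", link_up=True)
    print(preflight_check([primary, secondary], log, "t1", "vehicle-A"))  # refused: link down
    primary.link_up = True
    print(preflight_check([primary, secondary], log, "t2", "vehicle-A"))  # permitted
    secondary.maintenance_flag = True
    print(preflight_check([primary, secondary], log, "t3", "vehicle-A"))  # refused: maintenance flag
    print("log intact:", log.verify())
    log.entries[0]["record"]["boarding_permitted"] = True  # forge the first result after the fact
    print("log intact after tampering:", log.verify())
```

The chain alone only proves the log was not edited in place; to make it evidence against an operator who controls the vehicle storage, the latest hash must periodically leave the vehicle (for example, be included in the telemetry the fleet operations centre retains).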
Pass Criteria:
Maps to: 4.3.1, 4.3.2, 4.3.3, 4.3.4
Objective: Verify that the agent correctly resolves emergency contact numbers and protocols based on geolocation, rejects hardcoded number configurations, and handles border-crossing scenarios by notifying multiple jurisdictions simultaneously.
Method: Using a GPS simulator or equivalent geolocation injection tool, place the vehicle at a series of test coordinates representing: (a) a domestic operating location, (b) a foreign jurisdiction with a different emergency number, (c) a coordinate within 500 metres of a border crossing between two jurisdictions. At each position, trigger a simulated emergency event and observe which emergency contacts are resolved and notified. Inspect the firmware and configuration files for any hardcoded emergency contact values. Review the 15-minute resolution test logs from the preceding 30-day operating period.
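The resolution logic this test exercises, as an added example (not code from the page or from any specified product): the vehicle position is matched against a jurisdiction table, any other jurisdiction whose boundary lies within 500 metres is added so both are notified, and a coordinate outside every known jurisdiction raises rather than falling back to a guessed number. A small audit helper scans configuration text for emergency numbers written as literals. Jurisdictions are modelled as lat/lon bounding boxes for brevity, and the names, boxes, numbers and sample config line are constructed test data.

```python
"""Added example: geolocation-based emergency contact resolution with border handling.

Assumed/hypothetical: jurisdictions as lat/lon bounding boxes; all names, boxes,
numbers and the sample config text are constructed.
"""
import math
import re
from dataclasses import dataclass

BORDER_PROXIMITY_M = 500.0          # test case (c): within 500 m of a border
METRES_PER_DEGREE_LAT = 111_320.0   # equirectangular approximation, adequate at this scale


@dataclass(frozen=True)
class Jurisdiction:
    name: str
    emergency_number: str
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float

    def contains(self, lat, lon):
        return self.lat_min <= lat <= self.lat_max and self.lon_min <= lon <= self.lon_max

    def distance_m(self, lat, lon):
        """Distance from a point to the nearest point of this box (0 if the point is inside)."""
        near_lat = min(max(lat, self.lat_min), self.lat_max)
        near_lon = min(max(lon, self.lon_min), self.lon_max)
        d_lat = (near_lat - lat) * METRES_PER_DEGREE_LAT
        d_lon = (near_lon - lon) * METRES_PER_DEGREE_LAT * math.cos(math.radians(lat))
        return math.hypot(d_lat, d_lon)


def resolve_emergency_contacts(lat, lon, jurisdictions):
    """Return {name: number} for every jurisdiction containing the point plus any other
    jurisdiction whose boundary is within BORDER_PROXIMITY_M, so all of them are notified."""
    here = [j for j in jurisdictions if j.contains(lat, lon)]
    if not here:
        raise LookupError(f"no jurisdiction covers ({lat}, {lon}); refusing to guess a number")
    nearby = [j for j in jurisdictions
              if j not in here and j.distance_m(lat, lon) <= BORDER_PROXIMITY_M]
    return {j.name: j.emergency_number for j in here + nearby}


# Hardcoded-number audit: string literals that look like emergency numbers in config or
# firmware text. A compliant resolver takes numbers from the jurisdiction table only.
_LITERAL_NUMBER = re.compile(r'["\'](\d{3})["\']')
KNOWN_EMERGENCY_NUMBERS = {"112", "911", "999"}


def find_hardcoded_numbers(config_text):
    """Return (line_number, number) for each literal that matches a known emergency number."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for m in _LITERAL_NUMBER.finditer(line):
            if m.group(1) in KNOWN_EMERGENCY_NUMBERS:
                hits.append((lineno, m.group(1)))
    return hits


# Constructed test data: two adjacent rectangular jurisdictions sharing the meridian lon=5.0.
JURISDICTIONS = [
    Jurisdiction("home", "112", 50.0, 51.0, 4.0, 5.0),
    Jurisdiction("neighbour", "999", 50.0, 51.0, 5.0, 6.0),
]

if __name__ == "__main__":
    print(resolve_emergency_contacts(50.5, 4.5, JURISDICTIONS))     # domestic: home only
    print(resolve_emergency_contacts(50.5, 4.9975, JURISDICTIONS))  # ~180 m from border: both
    sample_config = 'dispatch_number = "112"  # constructed\nretry_count = "003"\n'
    print(find_hardcoded_numbers(sample_config))                    # the literal on line 1
```

The refusal on an unknown position is deliberate: a resolver that silently falls back to a default number reintroduces the hardcoded-number failure the test is designed to catch. Production code would replace the bounding boxes with authoritative boundary polygons and keep the audit regex broader than three-digit literals.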
Pass Criteria:
Maps to: 4.4.1, 4.4.2, 4.4.3, 4.4.4
Objective: Verify that degraded-mode communication activates within 30 seconds of primary channel loss, that a stored emergency message is delivered containing all mandatory fields, and that the communication subsystem operates for at least 30 minutes on independent emergency power.
Method: With the vehicle stationary and carrying a test passenger count record, cut primary power to the primary communication channel and simultaneously disable the communication content generation subsystem (simulating a software exception scenario). Measure the elapsed time until degraded-mode protocol activation. Observe the content of the stored emergency message delivered via the available secondary channel. Verify that the message contains: last confirmed coordinate pair, human-readable location reference, passenger count, fault nature, and timestamp. Then disconnect primary power entirely and measure continuous operation time of the emergency communication subsystem on independent emergency power. Do not restore primary power until 30 minutes have elapsed.
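The activation logic this test measures, as an added example (not code from the page or from any specified product): a monitor watches the primary channel heartbeat, declares loss after a timeout, tries the live content generator, and if that raises or returns an incomplete message falls back to a message composed purely from stored state, so every mandatory field is present even when the content subsystem is the component that failed. The heartbeat-based detection, the 10-second timeout, the field names and the sample state are this example's own assumptions; the 30-second deadline and the mandatory field set are the ones the method lists.

```python
"""Added example: degraded-mode activation with a stored fallback message.

Assumed/hypothetical: heartbeat-based loss detection, the 10 s heartbeat timeout,
the field names and the sample state are this example's choices. The 30 s deadline
and the mandatory fields follow the test method.
"""
from dataclasses import dataclass

DEGRADED_MODE_DEADLINE_S = 30.0
MANDATORY_FIELDS = ("last_coordinate", "location_reference", "passenger_count",
                    "fault_nature", "timestamp")


@dataclass
class ConfirmedState:
    """Last values confirmed before the fault, held in the emergency subsystem's own storage."""
    last_coordinate: tuple
    location_reference: str
    passenger_count: int


def missing_fields(message):
    """Mandatory fields that are absent or empty (a passenger count of 0 is valid)."""
    return [f for f in MANDATORY_FIELDS if message.get(f) is None or message.get(f) == ""]


def build_stored_message(state, fault_nature, timestamp):
    """Compose the fallback message from stored state only; no content generator involved."""
    return {
        "last_coordinate": state.last_coordinate,
        "location_reference": state.location_reference,
        "passenger_count": state.passenger_count,
        "fault_nature": fault_nature,
        "timestamp": timestamp,
    }


class DegradedModeMonitor:
    """Watches the primary heartbeat; on loss, produces one complete emergency message."""

    def __init__(self, state, heartbeat_timeout_s=10.0):
        self.state = state
        self.timeout = heartbeat_timeout_s
        self.last_heartbeat = None
        self.activated_at = None
        self.message = None

    def heartbeat(self, t):
        self.last_heartbeat = t

    def tick(self, t, generate_content=None):
        """Call periodically with a monotonic time t; returns the message on activation, else None."""
        if self.activated_at is not None or self.last_heartbeat is None:
            return None
        if t - self.last_heartbeat < self.timeout:
            return None
        message = None
        if generate_content is not None:
            try:  # the live generator may be the component that failed
                message = generate_content(self.state, t)
            except Exception:
                message = None
        if message is None or missing_fields(message):
            message = build_stored_message(self.state, "primary channel lost; stored fallback", t)
        self.activated_at = t
        self.message = message
        return message

    def activation_latency_s(self):
        """Worst-case loss-to-activation time, measured from the last good heartbeat."""
        if self.activated_at is None:
            return None
        return self.activated_at - self.last_heartbeat

    def within_deadline(self):
        latency = self.activation_latency_s()
        return latency is not None and latency <= DEGRADED_MODE_DEADLINE_S


if __name__ == "__main__":
    state = ConfirmedState((50.5, 4.5), "marker-3", 12)  # constructed
    monitor = DegradedModeMonitor(state)
    monitor.heartbeat(0.0)

    def broken_generator(state, t):  # simulates the software exception scenario
        raise RuntimeError("content generation subsystem disabled")

    for t in (5.0, 10.0, 15.0):
        msg = monitor.tick(t, broken_generator)
        if msg:
            print(f"degraded mode at t={t}s:", msg)
    print("latency:", monitor.activation_latency_s(), "within deadline:", monitor.within_deadline())
```

Measuring latency from the last good heartbeat rather than from the detected loss is intentional: the real loss happened somewhere in that interval, so this is the bound a regulator would hold the operator to. The heartbeat timeout must therefore leave headroom under the 30-second deadline.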
Pass Criteria:
| Regulation | Provision | Relationship Type |
|---|---|---|
| EU AI Act | Article 9 (Risk Management System) | Direct requirement |
| NIST AI RMF | GOVERN 1.1, MAP 3.2, MANAGE 2.2 | Supports compliance |
| ISO 42001 | Clause 6.1 (Actions to Address Risks), Clause 8.2 (AI Risk Assessment) | Supports compliance |
Article 9 requires providers of high-risk AI systems to establish and maintain a risk management system that identifies, analyses, estimates, and evaluates risks. Passenger Emergency Communication Governance implements a specific risk mitigation measure within this framework. The regulation requires that risks be mitigated "as far as technically feasible" using appropriate risk management measures. For deployments classified as high-risk under Annex III, compliance with AG-547 supports the Article 9 obligation by providing structural governance controls rather than relying solely on the agent's own reasoning or behavioural compliance.
GOVERN 1.1 addresses legal and regulatory requirements; MAP 3.2 addresses risk context mapping; MANAGE 2.2 addresses risk mitigation through enforceable controls. AG-547 supports compliance by establishing structural governance boundaries that implement the framework's approach to AI risk management.
Clause 6.1 requires organisations to determine actions to address risks and opportunities within the AI management system. Clause 8.2 requires AI risk assessment. Passenger Emergency Communication Governance implements a risk treatment control within the AI management system and so supports, rather than by itself satisfies, the requirement for structured risk mitigation; the organisation must still show that the control was selected from its own risk assessment.
| Field | Value |
|---|---|
| Severity Rating | Critical |
| Blast Radius | Organisation-wide — potentially cross-organisation where agents interact with external counterparties or shared infrastructure |
| Escalation Path | Immediate executive notification and regulatory disclosure assessment |
Consequence chain: Without passenger emergency communication governance there is no structural control over whether passengers receive instructions and can reach help when the transport agent is their only intermediary. The failure mode is not gradual degradation; it is a binary absence of control, typically exposed by a single unmodelled dependency such as a connectivity loss coinciding with a vehicle fault, and it leaves passengers uninstructed precisely when the vehicle itself is the hazard context. The immediate consequence is passenger injury or death, most often from self-evacuation into a live environment, cascading to dependent dimensions and downstream systems and to regulatory enforcement action, route suspension, material financial or operational loss, reputational damage, and potential personal liability for senior managers under applicable accountability regimes. Recovery requires both technical remediation (a verified fallback channel on a distinct transmission technology, a degraded-mode message protocol, and integration with infrastructure operators' own systems) and regulatory engagement, with timelines measured in weeks to months.