ISO 23793-1:2024

International
Standard
ISO 23793-1
First edition
Intelligent transport systems —
2024-07
Minimal risk manoeuvre (MRM) for
automated driving —
Part 1:
Framework, straight-stop and in-
lane stop
Systèmes de transport intelligents — Manœuvre à risque minimal
pour la conduite automatisée (MRM) —
Partie 1: Cadre général, arrêt en ligne droite et arrêt dans la voie
Reference number
© ISO 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 3
5 Function framework . 3
5.1 MRM description .3
5.2 State diagram .3
5.2.1 General .3
5.2.2 ADS active (1) .4
5.2.3 Minimal risk condition (4) .5
5.2.4 Sustained standstill management (5) .5
5.2.5 Manual driving (6) .5
5.3 Functionality .5
5.4 Classification .6
5.4.1 Overview .6
5.4.2 Traffic lane stop.6
5.4.3 Road shoulder stop .7
5.4.4 MRM type change .7
6 Requirements . 9
6.1 General requirements .9
6.1.1 Overview .9
6.1.2 Vehicle and ADS status monitoring .9
6.1.3 MRM triggering conditions .9
6.1.4 Decision-making for MRM types .9
6.1.5 Operational speed of an MRM .9
6.1.6 Implementation of an MRM .9
6.1.7 Human user takeover of the DDT during an MRM .10
6.1.8 Deceleration control .10
6.1.9 Standstill management .10
6.1.10 Resumption of operation after an MRC .10
6.1.11 Collision mitigation and avoidance function .10
6.1.12 Failure mitigation strategy .10
6.1.13 Internal/external status information .10
6.2 Straight stop requirements .11
6.2.1 Operational speed .11
6.2.2 Detection capability .11
6.2.3 Acceleration control .11
6.2.4 Lateral control .11
6.2.5 MRC location .11
6.3 In-lane stop requirements .11
6.3.1 Operational speed .11
6.3.2 Detection capability .11
6.3.3 Acceleration control .11
6.3.4 Lateral control .11
6.3.5 MRC location . 12
7 Performance evaluation test methods .12
7.1 General . 12
7.2 Test conditions . 12
7.2.1 General . 12
7.2.2 Environmental and test course conditions . 12

iii
7.2.3 Test vehicle conditions . 12
7.3 Test requirements. 12
7.3.1 Safety requirements . 12
7.3.2 Test case development . 13
7.4 Basic MRM function test . 13
7.4.1 Test procedure. 13
7.4.2 Test confirmation . 13
7.5 Human user takeover test .14
7.5.1 Test procedure.14
7.5.2 Test confirmation .14
Bibliography .15

iv
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 204, Intelligent transport systems.
A list of all parts in the ISO 23793 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

v
Introduction
A minimal risk manoeuvre (MRM) is the fallback function of an automated driving system (ADS) used to
achieve a minimal risk condition (MRC) which is a stable, stopped state (see ISO/SAE PAS 22736).
In a scenario where the dynamic driving task is being performed by the ISO/SAE Level 3-5 ADS, an event
which prevents the ADS from continuing the dynamic driving task can occur. Examples of such events
include:
a) for ISO/SAE Level 3-5 ADS, the failure of the ADS, automated driving component(s) or other vehicle
component(s);
b) for ISO/SAE Level 3 or 4 ADS, the risk that the ADS exits its operational design domain (ODD);
c) for ISO/SAE Level 3 ADS, the failure of the fallback ready user (FRU) or passenger to take over the
dynamic driving task when the ADS issues a request to intervene.
In response, the ADS initiates an MRM function to provide enhanced safety for all passengers and other road
users. The MRM function selects the most appropriate MRM type to reduce the risk (taking into account
the subject vehicle state and traffic conditions) and eventually stops the vehicle through vehicle control. In
addition to longitudinal control, lateral control can be added for certain MRM types.
The MRM is not a system, but rather a functionality within an ADS. "MRM" and "failure mitigation strategy"
appear similar in that both functions stop the vehicle in response to an adverse event for ADS operating
at Level 3 to 5 automation. However, they differ in that the MRM is a function of an ADS, whereas failure
mitigation strategy is a vehicle function designed to automatically bring a vehicle to a stop when it has been
incapacitated.
"MRM" and "object and event detection and response" (OEDR) based collision mitigation and avoidance
systems such as a "forward vehicle collision mitigation system" (FVCMS) sometimes behave similarly, as
they try to minimize the collision risk. However, they also differ in their purposes: collision mitigation and
avoidance systems consider impacts with external objects during normal operations, whereas an MRM
tries to stop the vehicle in order to limit risk under abnormal conditions (such as ADS system failures or
violations of ODD conditions) by decelerating the vehicle. OEDR-based collision mitigation and avoidance
will be executed independently of and in parallel to MRM.
This document can be used to define the MRM function of ADSs such as motorway chauffeur systems (MCS)
(ISO/TS 23792-1) or low speed automated driving (LSAD) systems (ISO 22737).

vi
International Standard ISO 23793-1:2024(en)
Intelligent transport systems — Minimal risk manoeuvre
(MRM) for automated driving —
Part 1:
Framework, straight-stop and in-lane stop
1 Scope
This document addresses the minimum requirements for minimal risk manoeuvres (MRM), which are the
response of an ADS to perform automated fallback to reach a minimal risk condition (MRC).
This document specifies the classification framework for MRMs. The classification framework establishes
the concept of MRM operation, classification of different MRM types, and basic principles of the decision-
making process to decide which MRM type can be performed based on the situation.
This document also specifies the minimum requirements of the control strategy and test procedures for the
two simplest types of MRM: straight stop for type 1 and in-lane stop for type 2.
The scope of the MRM described in this document covers minimum requirements for ADS performance
during MRM action, from initiation to termination, aimed at achieving an MRC. MRM action-specific safety
requirements for robust system design, such as those specified in ISO 26262 and ISO 21448, are not within
the scope of this document.
The MRM described in this document are intended to be used on light-duty vehicles equipped with Level 3-5 ADS.
The scope does not include methods for detecting ADS failures and the decision-making process to initiate
an MRM. This is because there are numerous cases that can initiate MRMs, and there is no general agreement
on classification of those cases in the industry.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
minimal risk manoeuvre
MRM
manoeuvre by an automated driving system while performing the DDT fallback to attain the minimal risk
condition
3.2
minimal risk condition
MRC
stable, stopped condition to which a user or an automated driving system may bring a vehicle after
performing the dynamic driving task fallback in order to reduce the risk of a crash when a given trip cannot
or should not be continued
[SOURCE: ISO/SAE PAS 22736:2021, 3.16, modified — Notes to entry and Examples have been removed.]
3.3
subject vehicle
SV
vehicle equipped with an automated driving system that is capable of performing minimal risk manoeuvres
3.4
standstill management
function that is implemented in actions taken to maintain the vehicle in minimal risk condition
3.5
lane boundary
borderline of the lane that is determined by a visible lane marking, and in the absence of a visible lane
marking, by incidental detectable road features or other means such as localization relative to a digital map,
magnetic markers, crash barriers, etc.
3.6
road shoulder
part of the road installed at the edge of the road, outside the lane boundary, to enable an emergency vehicle
to bypass traffic congestion or to provide a place for a vehicle that encounters a problem to get out of the
active traffic
3.7
acceleration control
control that generates positive acceleration using vehicle functions such as powertrain control
3.8
deceleration control
control that generates negative acceleration using vehicle functions such as brake
3.9
failure mitigation strategy
vehicle function [not an automated driving (ADS) function] designed to automatically bring an ADS-equipped
vehicle to a controlled stop in path following either:
1) prolonged failure of the fallback-ready user of a Level 3 ADS feature to perform the fallback after the
ADS has issued a request to intervene; or
2) occurrence of a system failure or external event so catastrophic that it incapacitates the ADS, which can
no longer perform vehicle motion control in order to perform the fallback and achieve a minimal risk
condition
[SOURCE: ISO/SAE PAS 22736:2021, 3.11]
3.10
collision mitigation and avoidance system
vehicle system that senses and monitors conditions inside and outside the vehicle for the purpose of
identifying perceived present and potential dangers to the vehicle, occupants and/or other road users, and
that automatically intervenes to help avoid or mitigate potential collisions via active control of the vehicle
subsystems (brakes, throttle, suspension, etc.)

4 Abbreviated terms
ADS automated driving system
CAN control area network
DDT dynamic driving task
ECU electronic control unit
FRU fallback-ready user
HMI human-machine interface
MRC minimal risk condition
MRM minimal risk manoeuvre
ODD operational design domain
OEDR object and event detection and response
SV subject vehicle
V2X vehicle to everything
5 Function framework
5.1 MRM description
The MRM is a fallback action by ADS which entails stopping as the last countermeasure of an ADS in response
to various risky situations such as failures and ODD constraint violations. Therefore, MRM is performed
only when an ADS is not able to continue performing the DDT, and once an MRM starts, the ADS cannot
automatically return to a normal state. MRM is not triggered in situations when ADS performance of the DDT
can be maintained. Maintaining the DDT includes temporary stops (e.g. due to changes in environmental
conditions) under the condition of remaining within the prescribed ODD.
The MRM is a function that aims to stop the SV in the safest achievable way, not to stop the SV as quickly
as possible. Therefore, it is not a sudden hard braking control, but rather a longitudinal/lateral control
according to the situation, which continuously seeks ways to minimize risks. The MRM is designed to
minimize traffic hazards, but it can violate traffic regulations while performing the MRM to minimize the
risk (e.g. stop in-lane).
5.2 State diagram
5.2.1 General
Figure 1 shows an example of an MRM state diagram to help illustrate the feature. Specific states of the
MRM and transition conditions can be different for each ADS.

Key
1 ADS active A transition to MRM
2 ADS normal operation B transition to MRC
3 ADS MRM operation C transition to sustained standstill management
4 minimal risk condition D transition to manual driving
5 sustained standstill management E transition to sustained
...