ISO 16615:2025

International
Standard
ISO 16615
First edition
Space systems — Stable operation
2025-07
requirements for spacecraft
attitude and orbit control system
Systèmes spatiaux — Exigences de fonctionnement stable pour le
système de contrôle de l'altitude et de l'orbite d'engins spatiaux
Reference number
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Stable operation general principles . 2
4.1 General .2
4.2 Classification of stable operation levels .2
4.2.1 General .2
4.2.2 Continuous operational service .2
4.2.3 Degraded performance operation .3
4.2.4 Emergency transitional operation .3
4.3 Factors affecting stable operation .3
4.3.1 General .3
4.3.2 Anomalies from known sources .3
4.3.3 Anomalies from unknown sources .3
4.4 Capability building for stable operation .3
4.5 Ground-based optimization and operational maintenance .4
5 Data validity assessment requirements . 4
5.1 Basic principles of data validity judgement .4
5.2 Data validity assessment process .5
5.2.1 General .5
5.2.2 Status flag assessment .5
5.2.3 Data validity range assessment .5
5.2.4 Data continuity assessment . .5
5.2.5 Data dynamism assessment .5
5.2.6 Data consistency assessment .6
6 Anomaly detection requirements . 6
6.1 Classification of anomaly levels .6
6.1.1 General .6
6.1.2 Component-level anomaly detection .6
6.1.3 System-level anomaly detection .6
6.2 Component-level anomaly detection .6
6.3 System-level anomaly detection .7
7 Software or hardware fault handling requirements . 7
7.1 Fault classification .7
7.1.1 General .7
7.1.2 Software faults .7
7.1.3 Hardware faults .7
7.2 Software fault handling requirements .7
7.3 Hardware fault handling requirements .7
8 Safety boundary check requirements . 8
8.1 Principles of safety boundary checks .8
8.2 Requirements for safety boundary checks of spacecraft structure or mechanism .8
8.3 Requirements for safety boundary checks of spacecraft energy .8
8.4 Requirements for safety boundary checks of spacecraft propellant .8
9 Requirements for emergency survival modes in the spacecraft’s AOCS . 9
9.1 Classification of emergency survival modes .9
9.1.1 General .9
9.1.2 Sun-oriented safety mode .9
9.1.3 Stop-control safety mode .9

iii
9.2 Requirements for sun-oriented safety mode handling .9
9.3 Requirements for stop-control safety mode handling .9
10 Cybersecurity requirements for AOCS .10
10.1 General .10
10.2 Encryption of telemetry data .10
10.3 Access control for ground systems.10
10.4 Anomaly detection for cybersecurity breaches .10
10.5 Fault handling in the event of a cyber-attack .10
10.6 Regular security updates and testing .10
Bibliography .11

iv
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 20, Aircraft and space vehicles, Subcommittee
SC 14, Space systems and operations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

v
Introduction
The spacecraft’s attitude and orbit control system (AOCS) is pivotal for executing the attitude and orbit
management of the spacecraft, serving as a cornerstone for its basic functionalities, stable operation, and
the success of spacecraft missions. This document delineates requirements and best practices for the
AOCS to ensure that the spacecraft remains in a safe operational state under all circumstances, including
emergencies and anomalies. It outlines the responsibilities and interactions between the ground segment
and space segment, aiming to secure timely and effective detection, management, and resolution of on-board
contingencies. By establishing a comprehensive framework for stable operation, this document supports
mission success and enhances spacecraft safety and reliability, and equips the AOCS with the capacity to
sustain or recover a stable operating state autonomously or with ground support amidst system anomalies
or unforeseen failures in orbit. The ultimate goal, even under adverse conditions, is to prevent damage to the
spacecraft's structure and ensure the security of its energy and propellant resources.

vi
International Standard ISO 16615:2025(en)
Space systems — Stable operation requirements for
spacecraft attitude and orbit control system
1 Scope
This document provides the criteria for stable on-orbit operation of the spacecraft's AOCS. It addresses the
factors affecting the spacecraft's on-orbit stability by specifying principles and requirements for establishing
the spacecraft AOCS's capability for stable on-orbit operation, which include:
— principles for judging data validity and the requisite procedures for handling such data;
— anomaly detection;
— management of software and hardware failures;
— safety boundary checks;
— activation protocols for emergency survival modes.
This document also establishes the functional interface between on-orbit autonomy and ground-based
maintenance operations, ensuring that the spacecraft maintains its intended attitude and orbit.
This document is applicable to the attitude and orbit control systems of various types of spacecraft.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
attitude and orbit control system
AOCS
spacecraft sub-system designed to control the attitude and the orbit by integrating its software and
hardware based on predetermined rules or commands from ground control
3.2
stable on-orbit operation
state of operation where the AOCS (3.1) keeps the spacecraft's attitude and orbit within a bounded domain
around a desired state or sequence of states, despite external disturbances, to ensure mission success
3.3
anomaly
gap between a current situation and an expected one
Note 1 to entry: An anomaly justifies an investigation that can lead to the discovery of a nonconformance, a defect or a
“non-lieu” (deviation without impact, e.g. product peculiarity).

Note 2 to entry: A deviation may be declared, foreseen or requested.
Note 3 to entry: An anomaly is often detected in comparison with what seems to be standard or with the expected use.
[SOURCE: ISO 10795:2019, 3.13]
3.4
failure
termination of the ability of an item to perform a required function
[SOURCE: ISO 14620-1:2018, 3.1.9]
3.5
fault
state of an item characterized by inability to perform as required, excluding the inability during
preventative maintenance or other planned actions, or due to lack of external resources
Note 1 to entry: A fault is often the result of a failure (3.4) of the item itself, but can exist without prior failure.
[SOURCE: ISO 14620-1:2018, 3.1.10]
3.6
fault
unplanned occurrence or defect in an item which may result in one or more failures (3.4) of the item
itself or of other associated equipment
Note 1 to entry: An item may contain a sub-element fault, which is a defect that can manifest itself only under certain
circumstances. When those circumstances occur, the defect in the sub-element will cause the item to fail, resulting in
an error. This error can propagate to other items causing them, in turn, to fail. After the failure occurs, the item as a
whole is said to have a fault or to be in a faulty state.
[SOURCE: ISO 14620-1:2018, 3.1.11]
3.7
survival mode
non-operational, temporary safe-life mode of a spacecraft, defined to avoid its loss in case of contingency
(catastrophic or critical failure (3.4), external disturbance, etc.)
[SOURCE: ISO 14950:2004, 3.2.24]
4 Stable operation general principles
4.1 General
The spacecraft AOCS shall establish a stable operational architecture, as shown in Figure 1.
4.2 Classification of stable operation levels
4.2.1 General
The stable operation of a spacecraft’s AOCS shall be categorized into three levels, arranged from highest to
lowest in 4.2.2 to 4.2.4.
4.2.2 Continuous operational service
Continuous operational service refers to a state where the spacecraft's AOCS functions normally and stably,
with all performance metrics meeting the platform's performance requirements for the payload service
applications.
4.2.3 Degraded performance operation
Degraded performance operation refers to the operational state resulting from certain permanent hardware
failures within the spacecraft's AOCS, which preclude maintaining the performance metrics required under
normal operational conditions. This operational state is achieved by implementing strategies such as system
restructuring or switching operational modes to facilitate a managed degradation of performance metrics.
Despite the performance deviating from expected levels, the spacecraft still aims to maximize its application
efficiency to the greatest extent possible.
4.2.4 Emergency transitional operation
Emergency transitional operation refers to a temporary emergency operational state of a spacecraft
when it experiences anomalies such as attitude deviations, abnormal orientation of solar arrays, excessive
propellant consumption. The objective is to ensure the energy safety, structural or mechanical integrity,
thermal control safety, propellant safety, and payload safety of the entire spacecraft. This state aims to
place the spacecraft in specific target attitudes such as sun-pointing, or to induce slow rotation around a
specific axis, or to temporarily halt attitude control, thus ensuring the safety of the spacecraft during the
emergency situation. Typically, fault diagnosis and recovery measures should be completed with ground
support (or autonomously onboard in special cases), with the aim of eventually returning to either
continuous operational service or degraded performance operation. The purpose is to ensure the energy
safety, structural or mechanical integrity, thermal control safety, propellant safety, and payload safety of the
entire spacecraft.
4.3 Factors affecting stable operation
4.3.1 General
Factors affecting the stable operation of the spacecraft’s AOCS shall be categorized into two types as
specified in 4.3.2 and 4.3.3.
4.3.2 Anomalies from known sources
Anomalies from known sources include abnormal hardware status or abnormal output measurement data of
the AOCS components (including various types of sensors and actuators), abnormal ground remote control
data (such as ground orbit determination data), and abnormal data provided by external systems.
4.3.3 Anomalies from unknown sources
Anomalies from unknown sources refer to component or external system irregularities that remain
undetected and unidentified through the assessment and detection of anomalies from known sources.
These lead to s
...