ISO 16615:2025
Space systems — Stable operation requirements for spacecraft attitude and orbit control system
This document provides the criteria for stable on-orbit operation of the spacecraft's AOCS. It addresses the factors affecting the spacecraft's on-orbit stability by specifying principles and requirements for establishing the spacecraft AOCS's capability for stable on-orbit operation, which include: — principles for judging data validity and the requisite procedures for handling such data; — anomaly detection; — management of software and hardware failures; — safety boundary checks; — activation protocols for emergency survival modes. This document also establishes the functional interface between on-orbit autonomy and ground-based maintenance operations, ensuring that the spacecraft maintains its intended attitude and orbit. This document is applicable to the attitude and orbit control systems of various types of spacecraft.
Systèmes spatiaux — Exigences de fonctionnement stable pour le système de contrôle de l'altitude et de l'orbite d'engins spatiaux
Standards Content (Sample)
International Standard
ISO 16615
First edition
2025-07
Space systems — Stable operation requirements for spacecraft attitude and orbit control system
Systèmes spatiaux — Exigences de fonctionnement stable pour le système de contrôle de l'altitude et de l'orbite d'engins spatiaux
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Stable operation general principles
4.1 General
4.2 Classification of stable operation levels
4.2.1 General
4.2.2 Continuous operational service
4.2.3 Degraded performance operation
4.2.4 Emergency transitional operation
4.3 Factors affecting stable operation
4.3.1 General
4.3.2 Anomalies from known sources
4.3.3 Anomalies from unknown sources
4.4 Capability building for stable operation
4.5 Ground-based optimization and operational maintenance
5 Data validity assessment requirements
5.1 Basic principles of data validity judgement
5.2 Data validity assessment process
5.2.1 General
5.2.2 Status flag assessment
5.2.3 Data validity range assessment
5.2.4 Data continuity assessment
5.2.5 Data dynamism assessment
5.2.6 Data consistency assessment
6 Anomaly detection requirements
6.1 Classification of anomaly levels
6.1.1 General
6.1.2 Component-level anomaly detection
6.1.3 System-level anomaly detection
6.2 Component-level anomaly detection
6.3 System-level anomaly detection
7 Software or hardware fault handling requirements
7.1 Fault classification
7.1.1 General
7.1.2 Software faults
7.1.3 Hardware faults
7.2 Software fault handling requirements
7.3 Hardware fault handling requirements
8 Safety boundary check requirements
8.1 Principles of safety boundary checks
8.2 Requirements for safety boundary checks of spacecraft structure or mechanism
8.3 Requirements for safety boundary checks of spacecraft energy
8.4 Requirements for safety boundary checks of spacecraft propellant
9 Requirements for emergency survival modes in the spacecraft’s AOCS
9.1 Classification of emergency survival modes
9.1.1 General
9.1.2 Sun-oriented safety mode
9.1.3 Stop-control safety mode
9.2 Requirements for sun-oriented safety mode handling
9.3 Requirements for stop-control safety mode handling
10 Cybersecurity requirements for AOCS
10.1 General
10.2 Encryption of telemetry data
10.3 Access control for ground systems
10.4 Anomaly detection for cybersecurity breaches
10.5 Fault handling in the event of a cyber-attack
10.6 Regular security updates and testing
Bibliography
FINAL DRAFT
International Standard
ISO/FDIS 16615
ISO/TC 20/SC 14
Secretariat: ANSI
Voting begins on: 2025-05-01
Voting terminates on: 2025-06-26
Space systems — Stable operation requirements for satellite attitude and orbit control system
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
Reference number: ISO/FDIS 16615:2025(en)
© ISO 2025
ISO/FDIS 16615
ISO/TC 20/SC 14
Secretariat: ANSI/AIAA
Date: 2025-04-16
Space systems — Stable operation requirements for satellite attitude
and orbit control system
FDIS stage
Warning for WD’s and CD’s
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to change
without notice and may not be referred to as an International Standard.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which
they are aware and to provide supporting documentation.
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of
ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent rights
in respect thereof. As of the date of publication of this document, ISO had not received notice of (a) patent(s)
which may be required to implement this document. However, implementers are cautioned that this may not
represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 20, Aircraft and space vehicles, Subcommittee
SC 14, Space systems and operations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
The spacecraft’s attitude and orbit control system (AOCS) is pivotal for executing the attitude and orbit
management of the spacecraft, serving as a cornerstone for its basic functionalities, stable operation, and the
success of spacecraft missions. This document delineates requirements and best practices for the AOCS to
ensure that the spacecraft remains in a safe operational state under all circumstances, including emergencies
and anomalies. It outlines the responsibilities and interactions between the ground segment and space
segment, aiming to secure timely and effective detection, management, and resolution of on-board
contingencies. By establishing a comprehensive framework for stable operation, this document supports
mission success and enhances spacecraft safety and reliability, and equips the AOCS with the capacity to
sustain or recover a stable operating state autonomously or with ground support amidst system anomalies or
unforeseen failures in orbit. The ultimate goal, even under adverse conditions, is to prevent damage to the
spacecraft's structure and ensure the security of its energy and propellant resources.
Space systems — Stable operation requirements for satellite attitude
and orbit control system
1 Scope
This document provides the criteria for stable on-orbit operation of the spacecraft's AOCS. It addresses the
factors affecting the spacecraft's on-orbit stability by specifying principles and requirements for establishing
the spacecraft AOCS's capability for stable on-orbit operation, which include:
— principles for judging data validity and the requisite procedures for handling such data;
— anomaly detection;
— management of software and hardware failures;
— safety boundary checks;
— activation protocols for emergency survival modes.
This document also establishes the functional interface between on-orbit autonomy and ground-based
maintenance operations, ensuring that the spacecraft maintains its intended attitude and orbit.
This document is applicable to the attitude and orbit control systems of various types of spacecraft.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
attitude and orbit control system
AOCS
spacecraft sub-system designed to control the attitude and the orbit by integrating its software and hardware
based on predetermined rules or commands from ground control
3.2
stable on-orbit operation
state of operation where the AOCS (3.1) keeps the spacecraft's attitude and orbit within a bounded
domain around a desired state or sequence of states, despite external disturbances, to ensure mission success
3.3
anomaly
gap between a current situation and an expected one
Note 1 to entry: An anomaly justifies an investigation that can lead to the discovery of a nonconformance, a defect or a
“non-lieu” (deviation without impact, e.g. product peculiarity).
Note 2 to entry: A deviation may be declared, foreseen or requested.
Note 3 to entry: An anomaly is often detected in comparison with what seems to be standard or with the expected use.
[SOURCE: ISO 10795:2019, 3.13]
3.4
failure
termination of the ability of an item to perform a required function
[SOURCE: ISO 14620-1:2018, 3.1.9]
3.5
fault
state of an item characterized by inability to perform as required, excluding the inability during
preventative maintenance or other planned actions, or due to lack of external resources
Note 1 to entry: A fault is often the result of a failure (3.4) of the item itself, but can exist without prior failure.
[SOURCE: ISO 14620-1:2018, 3.1.10]
3.6
fault
unplanned occurrence or defect in an item which may result in one or more failures (3.4) of the
item itself or of other associated equipment
Note 1 to entry: An item may contain a sub-element fault, which is a defect that can manifest itself only under certain
circumstances. When those circumstances occur, the defect in the sub-element will cause the item to fail, resulting in an
error. This error can propagate to other items causing them, in turn, to fail. After the failure occurs, the item as a whole
is said to have a fault or to be in a faulty state.
[SOURCE: ISO 14620-1:2018, 3.1.11]
3.7
survival mode
non-operational, temporary safe-life mode of a spacecraft, defined to avoid its loss in case of contingency
(catastrophic or critical failure (3.4), external disturbance, etc.
...