Research on risk control method of Spacecraft AIT process based on PFTA

This article studies the Process Fault Tree Analysis (PFTA) method and its application to risk management of the spacecraft Assembly, Integration and Test (AIT) process. It introduces how to identify the top event and the bottom events of spacecraft AIT process risk, and how to assess the risk severity of each bottom event. A risk control matrix model is established. Starting from the post roles involved in the AIT process, and from the dimensions of responsibilities, tools, methods and monitoring, it studies how to build a risk management system based on the identification, assessment, analysis and control of the whole AIT process. Within this system, methods such as technical subjects, quantitative subjects, process improvement, Quality Control (QC) subjects, implementation of product assurance elements, writing Standard Operating Procedures (SOP), maintaining system documents, and compiling knowledge and operation taboo items are used.


Introduction
Spacecraft production is characterised by many product types, small batches, many systems and long processes. As the final step of spacecraft production, AIT involves many operating procedures, many risk items, significant human-factor influence and strict quality control requirements [1]. The various problems that occur in AIT production in the aerospace industry, at home and abroad, indicate that there is still a large gap in the risk management and control of the AIT operation process. In order to reduce development risk and improve development quality, this paper studies a process risk management and control method covering the whole cycle, all elements and all positions of AIT for spacecraft products.

Fault Tree Analysis (FTA)
Fault Tree Analysis (FTA) is a design method for improving system reliability. By analysing the hardware, software, environment and human factors that may cause product failure, a fault tree is drawn to determine the possible combinations of events that lead to product failure and their probability of occurrence. It is a graphical deductive method: starting from a specific fault state, it carries out in-depth logical analysis and describes visually and intuitively the causal relations between events within the system, so as to find the combinations of failure events that cause system failure and to take corresponding preventive measures [2]. The purpose of FTA is to determine, from the fault tree diagram, the sequence of failure phenomena to be prevented, to understand their specific manifestations, and to take preventive measures against undesirable phenomena according to the evaluation [3]. FTA is a commonly used analysis method for quality problems in spacecraft development.

The Meaning of PFTA
Process Fault Tree Analysis (PFTA) follows the basic idea of FTA. It takes the potential quality hazards and the problems that have occurred in spacecraft development as the top event, combines this with the spacecraft AIT development process, further refines the risk items into bottom events, establishes risk analysis and assessment methods covering the whole process, whole cycle and all elements of spacecraft AIT, and formulates specific, detailed and quantitative control measures for each type of risk bottom event. Finally, an AIT risk management tool and method guide is formed, achieving the objectives of controlling and predicting AIT process risk.

Risk Items Identification Based on AIT Process of Spacecraft
To carry out AIT process risk research on spacecraft, it is necessary to identify and analyse the risks in turn, to formulate and implement strategies and measures for dealing with them based on their likelihood and consequences, and then to monitor and control the implementation process and its effect in an appropriate way, so that finally a management system is formed [4]. The iterative four-step risk management process of a project is illustrated in Figure 1. During system design, the logical block diagram, i.e. the fault tree, is drawn by analysing the various factors that may cause system failure (hardware, software, environment, human factors and so on), so as to determine the possible combinations and probability of system failure and to take corresponding corrective measures [6].

Establishment of PFTA Model
The spacecraft AIT process mainly consists of three parts: spacecraft assembly, professional testing and environmental testing. The quality problems that occurred in roughly the past ten years are sorted by specialty and classified by problem type. The whole spacecraft AIT process is analysed systematically, taking the potential quality hazards and problems as top events and using technical risk identification and control tools such as fault tree analysis. Risk elements are analysed from five aspects (human, machine, material, method and environment), with the key risk items and key products as the core. The PFTA model is established by decomposing the risk items step by step into bottom events.
The potential quality hazards and problems are the top events of the PFTA model. They are decomposed step by step according to the three processes of assembly, professional testing and environmental testing. The number and proportion of potential quality hazards and problems in each field over roughly the past ten years are counted, the key risk items and key product items are identified, and the top events of the sub-fault trees are then drawn.

Fig. 2 Key risk item statistics of the sub-fault trees
The method is illustrated by taking data loss in an environmental test as an example. According to the composition and structure of the system, the fault-mode logic diagram of the system failure is drawn, as shown in Figure 3. In this sub-fault tree, data loss is the top event; sensor anomalies, test data anomalies, heat flow control data anomalies and data storage anomalies that may

Assessment of Risk Severity
After the PFTA model has been established by the above methods, a risk severity assessment is carried out to prepare for the subsequent targeted formulation of control measures. The severity of a risk involves two factors: the likelihood that the failure or abnormality occurs, and the severity of the consequences when it does. Quantitative assessment, qualitative assessment, and risk index and magnitude assessment are applied according to the actual situation of the spacecraft AIT specialty and the particular situation of each sub-fault tree.

Quantitative Assessment
Quantitative assessment is mainly carried out from the standpoint of the likelihood of failure or abnormality. The structural importance of the basic cause events is usually the most direct indicator of their impact on the target risk event [7].
The structure function of the fault tree is defined as

$$\varphi(x_1, x_2, \ldots, x_n) = \begin{cases} 1, & \text{if the top event occurs} \\ 0, & \text{if the top event does not occur} \end{cases}$$

where n is the number of bottom events in the fault tree and $x_1, x_2, \ldots, x_n$ are the Boolean variables describing the state of each bottom event.
Let $Q(q_1, q_2, \ldots, q_n)$ be the probability that the top event occurs. When the bottom events are independent of each other, Q is a function of the bottom-event probabilities $q_1, q_2, \ldots, q_n$, and the probability importance of bottom event i is

$$I_i = \frac{\partial Q(q_1, q_2, \ldots, q_n)}{\partial q_i}$$

i.e. the rate of change of the top-event occurrence probability when the probability of bottom event i changes slightly.
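As an added worked example (not code from the paper), the following Python evaluates the structure function, the top-event probability Q(q_1, ..., q_n) and the probability importance ∂Q/∂q_i for a small sub-fault tree. The four bottom events are those named for the data-loss example in the text; the gate logic and the probabilities are assumptions constructed for this example, not the paper's Figure 3 or its data. It goes slightly beyond the text by computing Q for an arbitrary structure function through exhaustive enumeration of the 2^n bottom-event states rather than for a single OR gate.

```python
from itertools import product
from typing import Callable, Dict, List, Tuple

# Bottom events named in the data-loss sub-fault tree of the text. The gate
# logic in structure_function() is an assumption for illustration; the paper's
# Figure 3 is not reproduced here.
BOTTOM_EVENTS = [
    "sensor_anomaly",
    "test_data_anomaly",
    "heat_flow_control_data_anomaly",
    "data_storage_anomaly",
]

# Constructed bottom-event probabilities q_i (not figures from the paper).
SAMPLE_Q: Dict[str, float] = {
    "sensor_anomaly": 0.02,
    "test_data_anomaly": 0.05,
    "heat_flow_control_data_anomaly": 0.10,
    "data_storage_anomaly": 0.01,
}

State = Dict[str, int]
StructureFn = Callable[[State], int]


def structure_function(x: State) -> int:
    """phi(x1..xn) = 1 if the top event 'data loss' occurs, else 0.

    Assumed gate logic: a sensor or test-data anomaly alone loses data (OR),
    while a heat-flow control data anomaly only loses data if storage also
    fails at the same time (AND). Each x_i is 0/1 for 'bottom event i occurred'.
    """
    or_branch = x["sensor_anomaly"] or x["test_data_anomaly"]
    and_branch = x["heat_flow_control_data_anomaly"] and x["data_storage_anomaly"]
    return int(bool(or_branch or and_branch))


def top_event_probability(q: Dict[str, float],
                          phi: StructureFn = structure_function) -> float:
    """Q(q1..qn): exact top-event probability for independent bottom events.

    Sums phi(x) * P(x) over all 2^n bottom-event states, where P(x) is the
    product of q_i for events that occur and (1 - q_i) for those that do not.
    Exhaustive enumeration is fine for the handful of events in a sub-fault tree.
    """
    total = 0.0
    for bits in product((0, 1), repeat=len(BOTTOM_EVENTS)):
        x = dict(zip(BOTTOM_EVENTS, bits))
        p_state = 1.0
        for name, bit in x.items():
            p_state *= q[name] if bit else 1.0 - q[name]
        total += phi(x) * p_state
    return total


def probability_importance(q: Dict[str, float], event: str,
                           phi: StructureFn = structure_function) -> float:
    """I_i = dQ/dq_i, the probability importance of bottom event i.

    Under independence Q is linear in each q_i, so the partial derivative is
    exactly Q(q with q_i = 1) - Q(q with q_i = 0); no numeric differencing needed.
    """
    q_hi = dict(q, **{event: 1.0})
    q_lo = dict(q, **{event: 0.0})
    return top_event_probability(q_hi, phi) - top_event_probability(q_lo, phi)


def rank_bottom_events(q: Dict[str, float],
                       phi: StructureFn = structure_function) -> List[Tuple[str, float]]:
    """Bottom events ordered by probability importance, highest first: the
    ranking the quantitative assessment uses to decide where control measures
    pay off most."""
    ranked = [(name, probability_importance(q, name, phi)) for name in BOTTOM_EVENTS]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(f"Q(top event) = {top_event_probability(SAMPLE_Q):.6f}")
    for name, importance in rank_bottom_events(SAMPLE_Q):
        print(f"{name:32s} I_i = {importance:.5f}")
```

With the constructed probabilities, the test-data anomaly carries the highest probability importance even though it is not the most likely bottom event, and the heat-flow control anomaly carries the lowest, because its path to the top event is gated by a second, rarer failure. That ordering, not the raw q_i values, is what should steer where the tightest control measures are placed.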

Qualitative Assessment
Qualitative assessment mainly focuses on the severity of the consequences caused by the occurrence of a risk. A four-star rating is assigned according to the severity of those consequences.

Ⅱ Critical ★★★☆
It may cause a significant decline in the main functions of the subsystem, with a significant impact on the completion of tasks; major damage to or loss of major flight system components or ground equipment; a major delay in the development schedule, such as affecting AIT progress by 10-15 days; major damage or loss to public or personal property; long-term harmful effects on the environment; or a considerable reduction in working life, such as a 25%-50% reduction in design life.

Ⅲ Significant ★★☆☆
It may cause a decline in the functions of the subsystem, with some impact on the completion of tasks; minor damage to other equipment; a delay in the development schedule, such as affecting AIT progress by less than 10 days; minor damage to public or personal property; or a temporary effect on the environment.

Ⅳ Negligible ★☆☆☆
It is a secondary risk with little impact on the completion of tasks.

Risk Index and Magnitude Assessment
The risk index and magnitude assessment multiplies four scores, for likelihood, severity, detectability (prewarning) and urgency (process lag), to indicate the degree of risk. Using the 4-level scoring standard, the thresholds of the Level 1-4 assessment standard are set and the severity of the risk is graded [8]. The scoring standard is:

Score 1
  Detectability: easy to detect, long prewarning time.
  Process lag: no process lag.

Score 2
  Likelihood: the probability of occurrence is very small.
  Severity: low impact, slight damage, affects the main function; cannot be dealt with by emergency measures.
  Detectability: not easy to detect, but long pre-warning time.
  Process lag: ≤ 1 hour.

Score 3
  Likelihood: the probability of occurrence is medium.
  Severity: medium impact, general failure, must be troubleshot.
  Detectability: difficult to detect, short pre-warning time.
  Process lag: ≤ 1 day.

Score 4
  Likelihood: happens frequently.
  Severity: significant impact, serious damage, process stop.
  Detectability: difficult to detect, no pre-warning time.
  Process lag: ≥ 1 day.

Risk Control Matrix Based on PFTA
Risk control builds on risk identification and assessment and applies control measures to the identified and assessed bottom events. Its goal is to establish a risk prevention and control system and to reduce the expected risk losses. The main risk control measures include risk avoidance, loss control, isolation of risk, diversification of risk, risk transfer, risk acceptance and so on [9]. Different control measures are taken for different risk levels. Level I and Ⅱ risks must be monitored regularly and carefully, and measures such as loss control, isolation of risk, diversification of risk and risk transfer should be taken jointly. Level Ⅲ risks need to be monitored regularly to ensure that they do not turn into Level I risks; loss control, isolation of risk, diversification of risk and risk transfer can be taken to control Level I risks. Level Ⅳ risks need to be monitored regularly, and measures such as loss control and risk transfer can be taken.
Based on PFTA risk control, a matrix of control measures is formulated to clarify the control methods and implementation measures for each bottom event of each sub-fault tree in the spacecraft AIT development process.
The risk control matrix model is constructed on the basis of the risk assessment of the identified bottom events and in view of their severity, from two dimensions: the implementation steps of the bottom events, which involve the job-related control requirements, and the control activities. In the PFTA-based risk control matrix, the post control measures form the horizontal axis and the control requirements and activities form the vertical axis. Starting from the various positions involved in the AIT process, and from the dimensions of responsibilities, tools, methods and monitoring, it achieves risk control by carrying out research on process and quantitative subjects, tackling key problems in process and QC, and applying methods such as implementing product assurance elements, compiling SOPs, perfecting system documents, and compiling knowledge and operation taboo items.
A risk control matrix is designed for each identified bottom event, and each control dimension of the matrix takes the form of a drop-down menu. When formulating control measures, one or more appropriate methods are selected according to the actual situation of each bottom event. Combining the control matrices of all the bottom events that make up the top event of a sub-fault tree constitutes the risk control system of that sub-fault tree, and thus the risk control system covering the whole AIT process is constructed.
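As an added example (not the paper's own tool), the following Python implements the risk index and magnitude assessment of the previous section together with the risk control matrix described above: it multiplies the four 1-4 scores, grades the result into Levels I-IV, and fills one matrix row per bottom event with the monitoring requirement and admissible measures the text assigns to each level, checking that the chosen methods come from the drop-down list and that the chosen measures are admissible for the level. The level thresholds, and the sample scores, posts, responsibilities and tools, are assumptions constructed for this example; the paper sets thresholds but does not print them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The four scored factors of the risk index, each scored 1..4 as in the text.
FACTORS = ("likelihood", "severity", "detectability", "process_lag")

# Level thresholds on the product of the four scores (range 1..256). The paper
# sets thresholds for its 1-4 level standard but does not print them, so these
# cut-offs are an assumption made for this example.
LEVEL_THRESHOLDS: List[Tuple[str, int]] = [("I", 64), ("II", 27), ("III", 8), ("IV", 1)]

# Monitoring requirement and admissible measures per level, as listed in the text
# (the Level III clause names the same four measures as Levels I and II).
MONITORING_BY_LEVEL = {"I": "regular and careful", "II": "regular and careful",
                       "III": "regular", "IV": "regular"}
FOUR_MEASURES = ["loss control", "isolation of risk", "diversification of risk", "risk transfer"]
MEASURES_BY_LEVEL: Dict[str, List[str]] = {
    "I": FOUR_MEASURES, "II": FOUR_MEASURES, "III": FOUR_MEASURES,
    "IV": ["loss control", "risk transfer"],
}

# Drop-down options of the 'methods' dimension of the matrix, from the text.
METHOD_OPTIONS = ("process subject", "quantitative subject", "QC subject",
                  "product assurance element", "SOP", "system document",
                  "knowledge and operation taboo items")


def risk_index(scores: Dict[str, int]) -> int:
    """Product of the four 1..4 scores; rejects a missing or out-of-range score
    so a half-filled assessment cannot silently land in a low level."""
    index = 1
    for factor in FACTORS:
        value = scores.get(factor)
        if not isinstance(value, int) or not 1 <= value <= 4:
            raise ValueError(f"{factor} must be an integer score 1..4, got {value!r}")
        index *= value
    return index


def risk_level(index: int) -> str:
    """Map a risk index to level I..IV using the (assumed) thresholds."""
    for level, threshold in LEVEL_THRESHOLDS:
        if index >= threshold:
            return level
    raise ValueError(f"risk index {index} is below the lowest threshold")


@dataclass
class ControlMatrixRow:
    """One row of the risk control matrix for a single bottom event: the
    assessment result plus the post, responsibilities, tools, methods and
    monitoring dimensions filled in."""
    bottom_event: str
    post: str
    responsibilities: str
    tools: List[str]
    index: int
    level: str
    monitoring: str
    measures: List[str]
    methods: List[str]


def build_row(bottom_event: str, post: str, responsibilities: str, tools: List[str],
              scores: Dict[str, int], methods: List[str],
              measures: Optional[List[str]] = None) -> ControlMatrixRow:
    """Assess one bottom event and fill its matrix row. Methods must come from
    the drop-down list; measures default to, and must stay within, the set
    admissible for the assessed level."""
    bad_methods = [m for m in methods if m not in METHOD_OPTIONS]
    if bad_methods or not methods:
        raise ValueError(f"methods must be chosen from the drop-down list: {bad_methods}")
    index = risk_index(scores)
    level = risk_level(index)
    allowed = MEASURES_BY_LEVEL[level]
    chosen = list(allowed) if measures is None else list(measures)
    if any(m not in allowed for m in chosen):
        raise ValueError(f"measure not admissible for level {level}: {chosen}")
    return ControlMatrixRow(bottom_event, post, responsibilities, list(tools), index,
                            level, MONITORING_BY_LEVEL[level], chosen, list(methods))


def build_control_system(top_event: str, rows: List[ControlMatrixRow]) -> Dict[str, object]:
    """Combine the rows of all bottom events under one sub-fault-tree top event
    into that tree's risk control system, highest level and index first."""
    rank = {level: i for i, (level, _) in enumerate(LEVEL_THRESHOLDS)}
    ordered = sorted(rows, key=lambda r: (rank[r.level], -r.index))
    return {"top_event": top_event, "rows": ordered,
            "levels": {r.bottom_event: r.level for r in ordered}}


def example_system() -> Dict[str, object]:
    """Constructed assessment of the data-loss sub-fault tree (scores, posts and
    tools are illustrative, not the paper's data)."""
    rows = [
        build_row("sensor_anomaly", "test engineer", "verify sensor calibration",
                  ["calibration record"],
                  {"likelihood": 3, "severity": 3, "detectability": 3, "process_lag": 2},
                  ["SOP", "QC subject"]),
        build_row("test_data_anomaly", "data operator", "check data integrity after each run",
                  ["checklist"],
                  {"likelihood": 4, "severity": 4, "detectability": 2, "process_lag": 1},
                  ["process subject", "system document"]),
        build_row("heat_flow_control_data_anomaly", "thermal operator", "confirm control set-points",
                  ["work instruction"],
                  {"likelihood": 2, "severity": 2, "detectability": 2, "process_lag": 1},
                  ["knowledge and operation taboo items"]),
        build_row("data_storage_anomaly", "data operator", "confirm redundant storage",
                  ["checklist"],
                  {"likelihood": 1, "severity": 4, "detectability": 1, "process_lag": 1},
                  ["SOP"], measures=["loss control"]),
    ]
    return build_control_system("data loss in environmental test", rows)


if __name__ == "__main__":
    for row in example_system()["rows"]:
        print(f"{row.bottom_event:32s} index={row.index:3d} level={row.level:3s} "
              f"monitoring={row.monitoring}; measures={row.measures}")
```

The validation in build_row is the point of the drop-down design: a row cannot be filed with a method outside the agreed list, a measure the level does not admit, or an incomplete score set, so the resulting control system for a sub-fault tree is checkable rather than free text.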

Monitor and Inspection
After determining the risk control measures, their implementation should be monitored and checked: the revision of system documents, the actual use of operation guidance documents, the development of improvement measures such as subjects and key-problem tackling, and their application in the development process. At the same time, the confirmation items involved in the risk control matrix should be strictly confirmed and the quality records kept. This ensures that the bottom risk events are effectively controlled and the expected results achieved, so that the development risk of the whole spacecraft AIT process is fundamentally reduced and product quality is improved.

Conclusion
In this paper, PFTA is used to study the risk control method of the spacecraft AIT process. The identification methods for top and bottom risk events in the spacecraft AIT process are introduced. Quantitative assessment, qualitative assessment, and risk index and magnitude assessment methods are applied to analyse the risk severity of bottom events. Through the establishment of the risk control matrix, the implementation of control measures, and monitoring and inspection, a risk control system covering the whole AIT process is constructed.
By applying the PFTA-based risk control method to the spacecraft AIT development process, quality problems and hidden dangers have been effectively prevented and controlled. Through the research and practice of the past two years, the incidence of quality problems has decreased year after year, falling by 22.7%-33% compared with the same period of the previous year. Low-level operational problems have been effectively controlled, the quality cost caused by quality abnormalities has dropped sharply, and customer satisfaction has stabilised at more than 97%. This improves the operational capability and management level of the AIT process and ensures the successful completion of high-density spacecraft AIT development.