* r denote the field reject rate (i.e., fraction of devices that pass the test vector sequence yet are faulty) Then (I f)(l _i,)
Very little information has been made publicly available concerning actual IC yields and field reject rates. A study has been documented [5] that examined the consequences of testing a microprocessor, the MC6802, with a test vector set with 96.6% fault coverage, versus testing using a test vector set with 99.9% fault coverage. The field reject rate estimated by the authors of the MC6802 study, obtained by determining the number of ICs that passed at 96.6% fault coverage but failed at 99.9% fault coverage, equated to 8,200 ppm. The measured test yield at 96.6% fault coverage was ~70.7%; using Wadsack's model the predicted field reject rate is 10,200 ppm (which closely matches that estimated in the MC6802 study).
Even when rescreening of ICs is performed by the customer who receives them, testing usually consists only of checking that electrical and switching performance are within specifications, and if logic testing is performed, then at best all that is done is to apply the same test (with the same fault coverage) that was originally applied by the manufacturer. To show what is implied by a high field reject rate, consider a circuit board assembled using 50 ICs where each IC type used has an outgoing quality level of 10,200 ppm. With just over 1% of the ICs on average being faulty, the probability that such a board initially would have only fault-free ICs is only 60%. For lower fault coverage the effects are more drastic; at a fault coverage level of 90% the measured test yield would have been about 72.1% and the outgoing quality level would have been 30,000 ppm, resulting in a probability of 21.8% that the board would contain 50 fault-free ICs. Clearly, manufacturing-level tests for ICs must have high fault coverage in order to reduce costly board (and higher-level) test generation, testing, and rework in order to eliminate faulty components.
It has long been known that different fault simulators commonly produce drastically different results for identical logic models and test vector sets. The Radiation-Hardened 32-Bit (RH32) Processor program at Rome Laboratory provided the original motivation to develop a standardized method for measuring fault coverage consistently, where it was expected that fault simulation would be performed using a variety of fault simulators. Later, the annex of the RH32 Statement of Work that concerned fault coverage measurement was used as the basis of a requirements section in the draft implementation plan for the VHSIC/VLSI Qualification Procedures (the "Qualified Manufacturers List" or "QML") program.
Under an Expert Science and Engineering task with the University of South Florida, experiments were performed with four commercially-available fault simulators in order to identify what differences are possible, why they occur, and what can be done by using modeling guidelines, simulation directives, and postprocessing in order to reduce or eliminate differences in reported fault coverage. MIL-I-38535 for QML now references 5012, as do the MIL-M-38510 detail specifications for gate arrays. In 1987, the requirements now detailed in 5012 were made part of Requirement 64 of MIL-STD-454L:
4.5.2 Fault coverage. Fault coverage shall be reported for the manufacturing-level logic tests for all digital microcircuits designed after 30 September 1988. Fault coverage shall be based on the equivalence classes of single, permanent, stuck-at-zero and stuck-at-one faults on all lines of a TISSS-compatible structural VHDL model, where the structural model is expressed in terms of gate-level primitives or simple atomic functions (such as flip-flops). Large, regular structures such as RAMs and ROMs shall not be modeled at the gate level, but rather documentation shall be provided that these structures are tested using appropriate algorithms (such as galloping patterns for a RAM).
The draft of MIL-STD-454 that is being circulated at the time of this writing has been revised to simply reference MIL-STD-883 Procedure 5012.
The authors wish to acknowledge the help received from all of the people and organizations who reviewed drafts of 5012 and provided comments. While the overwhelming response was positive, the authors were particularly gratified to note that reviewers, without exception, were honest and specific in their criticisms. As always, the most useful comments were the negative ones, and the authors have tried where possible either to accommodate or at least to answer every issue that was raised. John J. Bart, Chief Scientist of Reliability Sciences, provided the opportunity to develop 5012 and made numerous suggestions that contributed to its acceptability. Dr. Sami Al-Arian, of the University of South Florida, under contract to Rome Laboratory performed much of the technical work that resulted in usable techniques for reducing differences between fault simulators. Charles G. Messenger, Chief of the Reliability and Diagnostics Branch, provided greatly-appreciated assistance in developing, circulating, testing, and revising 5012.
This procedure describes requirements governing the development of the logic model of the DUT, the assumed fault model and fault universe, fault classing, fault simulation, and fault coverage reporting. This procedure provides a consistent means of reporting fault coverage regardless of the specific logic and fault simulator used. Three procedures for fault simulation are described in this procedure: full fault simulation and two fault sampling procedures. The applicable procurement document shall specify a minimum required level of fault coverage and, optionally, specify the procedure to be used to determine the fault coverage. A Fault Simulation Report shall be provided that states the fault coverage obtained, as well as documenting assumptions, approximations, and procedures used.
Where any technique detailed in this procedure is inapplicable to some aspect of the logic model, or inconsistent with the functionality of the available fault simulator and simulation postprocessing tools, it is sufficient that the user of this procedure employ an equivalent or comparable technique and note the discrepancy in the fault simulation report.
Microcircuits may be tested by nontraditional methods of control or observation, such as power supply current monitoring or the addition of test points that are available by means of special test modes. Fault coverage based on such techniques shall be considered valid if substantiating analyses or references are provided in the fault simulation report.
NOTE:
This test procedure deals with microcircuit quality, not reliability. It does not attempt to relate logic model fault coverage to microcircuit failure rates; in fact, there is not necessarily any direct relationship between quality and reliability. However, mathematical models have been developed that relate fault coverage and test yield to "quality levels" or "field reject rates."
This test procedure deals only with the means of fault simulation. It does not set specific requirements or goals for minimum required levels of fault coverage. This procedure does not recommend either for or against the use of statistical fault sampling techniques. (End of Note) 
In the literature a "potential detection" is also referred to as a "possible detection."
The Z state can be sensed by the ATE when active or passive loads on the DUT's outputs are used. Using passive loads, Z states can be tested in two passes: in the first pass, the high-impedance outputs are pulled up and each expected Z response in the output is converted to a 1; in the second pass, the high-impedance outputs are pulled down and each ex
An undetectable fault is defined herein as a logical fault for which no test vector sequence exists that can cause at least one hard detection or potential detection (see 1.1c, Detection). Otherwise (that is, some test vector sequence exists that causes at least one hard detection, or potential detection, or both), the fault is defined herein to be a detectable fault (see 3.3.3).
NOTE: By this definition, it is sufficient for a fault to cause a potential detection for the fault to be declared detectable. However, credit is not given for potential detections in determining fault coverage unless it is shown that the potential detection implies hard detection (see 3.4.). (End of Note)

APPARATUS.
Logic Simulator. Implementation of this test procedure requires the use of a facility capable of simulating the behavior of fault-free digital logic in response to a test vector sequence; this capability is herein referred to as logic simulation.
In order to simulate sequential digital logic, the simulator must support simulation of a minimum of four logic states: zero (0), one (1), high-impedance (Z), and unknown (X). In order to simulate combinational digital logic only, the simulator must support simulation of a minimum of two logic states: 0 and 1.
At the start of logic simulation of a logic model of a DUT containing sequential logic, the state of every logic line and component containing memory shall be X; any other initial condition, including explicit initialization of any line or memory element to 0 or 1, shall be documented and justified in the Fault Simulation Report.
In order to simulate "wired connections" or "bus" structures the simulator must be capable of resolving signal conflicts introduced by such structures. Otherwise, modeling workarounds shall be permitted to eliminate such structures from the logic model (see 3.1.2).
In order to simulate sequential digital logic, the simulator must support event-directed simulation. As a minimum, unit-delay logic components must be supported.
Simulation of combinational-only logic, or simulation of sequential logic in special cases (such as combinational logic extracted from a scannable sequential logic model) can be based on non-event-directed simulation, such as levelized, zero-delay, or compiled-code methods. The Fault Simulation Report shall describe why the selected method is equivalent to the more general event-directed method.
Fault Simulator. In addition to the capability to simulate the fault-free digital logic, the capability is also required to simulate the effect of single, permanent, stuck-at-zero and stuck-at-one faults on the behavior of the logic; this capability is herein referred to as fault simulation. Fault simulation shall reflect the limitations of the target ATE (see 3.4.1). It is not necessary that the fault simulator directly support the requirements of this test procedure in the areas of hard vs. potential detections, fault universe selection, and fault classing. However, the capability must exist, at least indirectly, to report fault coverage in accordance with this procedure. Where approximations are used (for example, where fault classing compensates for a different method of fault universe selection) such differences shall be documented in the Fault Simulation Report, and it shall be shown that the approximations do not increase the fault coverage obtained.
NOTE: This test procedure places requirements on how the logic model for a DUT is developed for use with a fault simulator. Postprocessing of a fault simulator's output may be necessary in order to report fault coverage in a manner consistent with this procedure. (End of Note)
3. PROCEDURE.
Logic Model.
3.1.1 Level of Modeling. The DUT shall be described in terms of a logic model composed of components and connections between components. Primary inputs to the logic model are assumed to be outputs of an imaginary component (representing the ATE's drivers), and primary outputs of the logic model are assumed to be inputs to an imaginary component (representing the ATE's comparators). Some logic simulators require that the ATE drivers and comparators be modeled explicitly; however, these components shall not be considered to be part of the logic model of the DUT. For the purpose of fault simulation, the logic model shall be divided into non-overlapping logic partitions; however, the entire logic model may consist of a single logic partition. The logic partitions contain components and their associated lines; although lines may span partitions, no component is contained in more than one partition. A G-logic partition contains only G-logic; any other logic partition is a B-logic partition.
A logic partition consisting of G-logic, or B-logic, or G-logic and B-logic that, as a unit, is testable using an established testing algorithm, with known fault coverage or test effectiveness, may be treated as a single B-logic partition.
NOTE:
The interconnection of B-logic components with G-logic "glue" can form a B-logic partition. For example, a "64Kx8 RAM" in a logic model may actually be composed of 32 16Kx1 RAM primitives and decoding logic. However, a GALPAT algorithm that exploits the 16Kx1 organization of the memory would be more efficient than one that treats the 64Kx8 structure as a single component.
Although fault simulation can be performed at the transistor-primitive level, such simulation is discouraged for two reasons. First, fault simulation at the transistor level is far more time-consuming than at the "gate" level. Second, transistor-level fault simulation generates a large fraction of potential detections that are difficult to justify as legitimate hard detections, which significantly reduces the accuracy of fault simulation.
Built-In Self-Test.
A special case of B-logic is a B-logic partition that includes a linear-feedback shift register (LFSR) that performs "signature analysis" for compression of output error data. Table I lists penalty values for different LFSR degrees. If the LFSR implements a primitive GF(2) polynomial of degree k, where there is at least one flip-flop stage between inputs to a multiple-input LFSR, then the following procedure shall be used in order to determine a lower bound on the established fault coverage of the logic partition:
Step 1: Excluding the LFSR, but including any stimulus generation logic considered to be part of the logic partition, determine the fault coverage of the logic partition by fault simulation without signature analysis; denote this fault coverage by C.
Step 2: Reference table I. For a given degree k obtain the penalty value p. The established fault coverage of the logic partition using a LFSR of degree k shall be reported as (1 - p)C. That is, a penalty of (100p)% is incurred in assessing the effectiveness of signature analysis if the actual effectiveness is not determined.
NOTE: The penalty values listed in table I are based on preliminary work in-house at RADC. Experiments were run that determined confidence intervals on error escape, for actual logic circuits, for different polynomial types and degrees.
A bus, which is a node with multiple driving lines, shall be considered, for the purpose of fault universe generation, to be a multiple-input, single-output logic gate. The initial fault universe shall include stuck-at-zero and stuck-at-one faults on each fanin and fanout branch and the fanout origin of the bus (see figure 1).
The fault universe does not explicitly contain any faults within B-logic partitions. However, all faults associated with inputs and outputs of B-logic components either are contained in a G-logic partition or shall be shown to be considered by established test algorithms that are applied to the B-logic partitions.
No faults shall be added or removed by considering or not considering logic model hierarchy. No extra faults shall be associated with any primary input or output line, macro input or output line, or logic line that spans logic partitions where the logic partitions do not correspond to a physical boundary.
No more than one stuck-at-zero and one stuck-at-one fault per logic line shall be contained in the initial fault universe.
Fault Equivalence Classes. The initial fault universe shall be partitioned or collapsed into "fault equivalence classes" for reporting purposes. The fault equivalence classes shall be chosen such that all faults in a fault equivalence class cause apparently identical erroneous behavior with respect to the observable outputs of the logic model. One fault from each fault equivalence class shall be selected to represent the fault class for reporting purposes; these faults shall be called the representative faults.
For the purpose of implementing this test procedure it is sufficient to apply simple rules to identify structurally-dependent equivalence classes. An acceptable method for selecting the representative faults for the initial fault universe consists of listing all single, permanent, stuck-at faults as specified in table II. Any other fault equivalencing procedure used shall be documented in the Fault Simulation Report.
If a bus node exhibits wired-AND or wired-OR behavior in the applicable circuit technology, then faults associated with that bus shall be collapsed in accordance with the AND or OR fault equivalencing rules, respectively. Otherwise, no collapsing of faults associated with a bus shall be performed.
Detectable Fault Universe. Fault coverage shall be based on the detectable fault universe. Undetectable faults shall be permitted to be dropped from the set of representative faults; the remaining set of representative faults comprises the detectable fault universe. In order for a fault to be declared as undetectable, documentation shall be provided in the Fault Simulation Report as to why there does not exist any test vector sequence capable of guaranteeing that the fault will cause an error at an observable primary output (see 1.1m, Undetectable and Detectable faults).
Any fault not documented in the Fault Simulation Report as being undetectable shall be considered detectable for the purpose of calculating fault coverage.
NOTE: In general, identifying undetectable faults (in order to obtain the detectable fault universe) is a difficult problem. However, undetectable faults associated with some simple structural dependencies can be easily identified. Chiefly, these are in four areas:
a. Logic with no path to a primary output of the logic model. For example, an unused output from a flip-flop has no path to an observable output and so both stuck-at faults associated with the unused output are undetectable.
b. Stuck-at faults associated with locked-at values. For example, a gate input that is connected to ground always has the state 0; therefore, stuck-at-zero on this line is undetectable.
If each four-bit slice has a limited number of inputs (generally twelve to fourteen), then a single four-bit slice can be extracted from the logic model and fault simulation can be performed exhaustively on that slice to obtain a list of faults associated with that slice that are undetectable even when the inputs and outputs of that slice are directly accessible. Therefore, those faults certainly are undetectable when that slice is embedded within any containing logic model.
(End of Note)
3.4 Fault Simulation.
Automatic Test Equipment Limitations.
Fault coverage reported for the logic model of a DUT shall reflect the limitations of the target ATE. Two common cases are:
a. Fault detection during fault simulation shall occur only at times where the ATE will be capable of sensing the primary outputs of the DUT; there must be a one-to-one correspondence between simulator compares and ATE compares. For example, if fault coverage for a test vector sequence is obtained using broadside fault simulation (where fault detection occurs after every change of input stimuli, including clock signals), then it is not correct to claim the same fault coverage on the ATE if the test vectors are reformatted into cycles where a clock signal is pulsed during each cycle and compares occur only at the end of each cycle.
b. If the ATE cannot sense the Z output state (either directly or by multiple passes), then the reported fault coverage shall not include detections involving the Z state. That is, an output value of Z shall be considered to be equivalent to an output value of X.
Any differences in format or timing of the test vector sequence, between that used by the fault simulator and that applied by the ATE, shall be documented in the Fault Simulation Report and it shall be shown that fault coverage achieved on the ATE is not lower than the reported fault coverage.
G-Logic.
Hard Detections and Potential Detections. Fault coverage for G-logic shall include only faults detected by hard detections. Potential detections shall not be considered directly in calculating the fault coverage. No number of potential detections of a fault shall imply that the fault would be detected. Some potential detections can be converted into hard detections for the purpose of calculating fault coverage. If it can be shown that a fault is only potentially detected by fault simulation but is in fact detectable by the ATE by a difference not involving an X value, then upon documenting those conditions in the Fault Simulation Report that fault shall be considered to be detected as a hard detection and the fault coverage shall be adjusted accordingly.
NOTE: Clock line faults provide a common example of where a fault may be detectable on one or the other of two test vectors, but not both vectors. For example, consider a D-flip-flop with two inputs: data and clock. Both stuck-at-zero and stuck-at-one on the clock input are detectable by the fault simulator only as potential detections. However, if both stuck-at-zero and stuck-at-one faults on the data input are shown to be detected as hard detections by the fault simulator, then, regardless of the initial state of the flip-flop, it is guaranteed that the ATE would detect an error at some point in the test vector sequence if either stuck-at fault were to exist on the clock line. (End of Note)
Faults associated with three-state buffer enable signal lines can cause X states to occur on nodes with fanin branches, or erroneous Z states to occur on three-state primary outputs that may be untestable on some ATE. These faults may then be detectable only as potential detections, but may be unconvertible into hard detections. In such cases, it is permissible for the Fault Simulation Report to state separately the fraction of the undetected faults that are due to such faults.
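The D flip-flop case from the note above, worked as an added example (it is not part of Procedure 5012 or of any fault simulator's code). The test vector sequence, the rising-edge flip-flop model, and the `convertible` check, which substantiates a conversion by enumerating both concrete power-up states, are assumptions made for illustration.

```python
# Added illustration, not part of MIL-STD-883 Procedure 5012.
# Three-valued (0/1/X) single stuck-at fault simulation of one
# rising-edge D flip-flop, the circuit used in the note above.
X = "X"

# Constructed test vector sequence: (D, CLK); output Q is compared after
# every vector, so simulator compares and ATE compares correspond 1:1.
VECTORS = [("0", "0"), ("0", "1"), ("0", "0"),
           ("1", "0"), ("1", "1"), ("1", "0")]

# Fault universe: one s-a-0 and one s-a-1 per logic line.
FAULTS = [(line, value) for line in ("D", "CLK", "Q") for value in ("0", "1")]


def simulate(fault=None, init=X):
    """Return the Q response to VECTORS, optionally with one stuck-at fault.

    init is the power-up state of the flip-flop: X for fault simulation,
    "0" or "1" when enumerating what a physical device could contain.
    """
    line, stuck = fault if fault else (None, None)
    state = init
    # A stuck clock line has held its value since power-up.
    prev_clk = stuck if line == "CLK" else X
    response = []
    for d, clk in VECTORS:
        if line == "D":
            d = stuck
        if line == "CLK":
            clk = stuck
        if clk == "1" and prev_clk == "0":       # definite rising edge
            state = d
        elif clk == "1" and prev_clk == X:       # edge may or may not occur
            state = state if state == d else X
        prev_clk = clk
        response.append(stuck if line == "Q" else state)
    return response


def classify(expected, observed):
    """hard: 0 vs 1 mismatch; potential: expected 0/1 but observed X."""
    pairs = [(e, o) for e, o in zip(expected, observed) if e != X]
    if any(o != X and o != e for e, o in pairs):
        return "hard"
    if any(o == X for e, o in pairs):
        return "potential"
    return "undetected"


def convertible(fault, expected):
    """True if every concrete power-up state gives a 0/1 mismatch, i.e. the
    ATE sees a difference not involving an X value whatever the state was."""
    return all(classify(expected, simulate(fault, init)) == "hard"
               for init in ("0", "1"))


def fault_coverage():
    """d/n on hard detections only, then d/n after converting potentials."""
    expected = simulate()
    result = {f: classify(expected, simulate(f)) for f in FAULTS}
    d = sum(1 for c in result.values() if c == "hard")
    converted = [f for f, c in result.items()
                 if c == "potential" and convertible(f, expected)]
    return result, d, d + len(converted), len(FAULTS)


if __name__ == "__main__":
    result, d, d_adjusted, n = fault_coverage()
    for (line, value), verdict in result.items():
        print(f"{line} s-a-{value}: {verdict}")
    print(f"hard detections only: {d}/{n}")
    print(f"after documented conversions: {d_adjusted}/{n}")
```

Both clock faults leave the simulated state at X, so they count only as potential detections until the per-state enumeration shows a 0/1 mismatch for either power-up value.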
3.4.2.2 Fault Simulation Procedures. The preferred method of fault simulation for G-logic is to simulate the effect of each representative fault in the G-logic. However, this may not be practical in some cases due to the large number of representative faults, or because of limitations of the logic models or simulation tools. In such cases fault sampling procedures may be used. When fault sampling is used, either the procurement document shall specify the method of obtaining a "random" sample of faults or the Fault Simulation Report shall describe the method used. In either case, the complete random sample of faults shall be obtained before beginning the fault simulation procedure involving a random sample of faults.
NOTE:
The procurement document that permits the use of statistical fault sampling must address several problems:
a. How is the "random" sample of faults to be chosen? The most "fair" approach is to prepare a list of every possible fault (that is, the full set of representatives of the fault equivalence classes) and use a random number generator to select the subset of faults to be simulated. In any case, it is not proper to use a method that skews the "distribution" of faults, such as faulting only the signal lines accessible at the main model level without faulting within submacros.
that a fault coverage that is higher than the actual fault coverage could be reported. Thus, simply resimulating the same test vector sequence repeatedly with new random subsets of faults can result in an erroneous lower bound on fault coverage.
(End of Note)
Use of any fault simulation procedure other than Fault Simulation Procedure 1 (see 3.4.2.2.1) shall be documented and justified in the Fault Simulation Report.
In this section, it is assumed that the representative faults declared to be undetectable have been removed from the set of faults to be simulated.
Step 1: Denote by n the total number of representative faults in the G-logic partition.
Step 2: Fault simulate each representative fault. Denote by d the number of hard detections.
Step 3: Fault coverage for the G-logic partition is given by d/n.
NOTE: For example, let n which can be reported as 94.99%, 94.9%, or 94%, but not as 95% (see 1.1f).
(End of Note)
Fault Simulation Procedure 2.
Obtain lower bound on actual fault coverage in a G-logic partition using fixed sample size. Reference table III. The procedure used shall be equivalent to the following:
Step 1: Select a value for the penalty parameter r (r = 0.01 to 0.05). The corresponding value of n in table III is the size of the random sample of representative faults.
Step 2: Fault simulate each of the n representative faults. Denote by d the number of hard detections.
Step 3: The lower bound on the fault coverage is given by d/n - r.
NOTE:
The penalty parameter r determines both the size of the random sample of faults and the accuracy of d/n as an estimate of the fault coverage. As the value of r increases the sample size decreases, but so does the accuracy of d/n as an estimate. Subtracting r from d/n accounts for the variance of the estimate.
For example, select r = 0.02. From
Step 1: Denote by F the minimum value for fault coverage. From table IV obtain the minimum required sample size, denoted by n.
Step 2: Fault-simulate each of the n representative faults, and denote by d the number of hard detections.
Step
Given that the actual fault coverage is F, let D be the random variable denoting the number of hard detections out of n faults sampled. For each value of F the smallest value for n was determined such that Pr(D
This procedure is designed so that the probability of a Type I error (that is, concluding that the actual fault coverage is greater than F, when in fact it is less than or equal to F) is less than or equal to 5%. Suppose that the minimum required level of fault coverage is 90%. This procedure is very conservative because, if the actual fault coverage is 90%, then the hypothesis that the actual fault coverage is greater than or equal to 90% will be rejected with probability 95%. Table IV shows that in order to have a 50% probability of accepting the hypothesis that "the actual fault coverage is greater than or equal to 90%" the actual fault coverage must be 97.6%. (End of Note)
3.4.3 B-Logic. Fault coverage shall be measured indirectly for each B-logic partition. For a given B-logic partition, the established fault coverage or test effectiveness shall be reported for that B-logic partition only if it is shown that: (a) the test vector sequence applied to the DUT applies the established test algorithm to the B-logic partition, and (b) the resulting critical output values from the B-logic partition are made observable at the primary outputs. Otherwise, the fault coverage for that B-logic partition shall be reported as 0%. For each B-logic partition tested in this way the established test algorithm, proof of its successful application, and the established fault coverage or test effectiveness shall be documented in the Fault Simulation Report.
c. Guidelines, restrictions, or requirements for test algorithms for B-Logic types.
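The sampling procedure that references table IV in the note above, as an added example (not part of Procedure 5012). It assumes that the hypothesis is accepted only when every sampled fault is hard-detected, so that n is the smallest value with F^n <= 0.05; that assumption reproduces the 97.6% figure quoted in the note, but table IV itself is not on this page and the function names are illustrative.

```python
# Added illustration, not part of MIL-STD-883 Procedure 5012.
# Assumption: the hypothesis "coverage > F" is accepted only when every
# one of the n sampled representative faults is hard-detected.
import math
import random

ALPHA = 0.05  # Type I error bound stated in the note


def sample_size(f_min, alpha=ALPHA):
    """Smallest n with f_min**n <= alpha (the chance that all n sampled
    faults are detected although the true coverage is only f_min)."""
    if not 0.0 < f_min < 1.0:
        raise ValueError("f_min must be strictly between 0 and 1")
    n = max(1, math.ceil(math.log(alpha) / math.log(f_min)))
    while f_min ** n > alpha:                    # guard against rounding
        n += 1
    while n > 1 and f_min ** (n - 1) <= alpha:
        n -= 1
    return n


def accept_probability(actual, n):
    """Probability that all n sampled faults are detected at coverage
    'actual' (binomial model; sampling without replacement from a finite
    fault list can only lower this, so the alpha bound still holds)."""
    return actual ** n


def coverage_needed(p_accept, n):
    """Actual coverage at which the acceptance probability equals p_accept."""
    return p_accept ** (1.0 / n)


def draw_sample(representative_faults, n, seed):
    """Draw the complete random sample before any fault simulation starts,
    uniformly from the full list of representative faults."""
    faults = list(representative_faults)
    if n > len(faults):
        raise ValueError("sample size exceeds the fault universe")
    return random.Random(seed).sample(faults, n)


def accept(sample, hard_detected):
    """Decision under the stated assumption: d must equal n."""
    d = sum(1 for fault in sample if fault in hard_detected)
    return d == len(sample), d


if __name__ == "__main__":
    n = sample_size(0.90)
    print("sample size for F = 90%:", n)
    print("P(accept) at 90% actual coverage: %.4f" % accept_probability(0.90, n))
    print("coverage for 50%% acceptance: %.1f%%" % (100 * coverage_needed(0.5, n)))
    # Constructed fault universe: 2000 representative faults, 1950 detected.
    universe = [f"line{i}/s-a-{v}" for i in range(1000) for v in (0, 1)]
    detected = set(universe[:1950])
    ok, d = accept(draw_sample(universe, n, seed=5012), detected)
    print("accepted:", ok, "hard detections:", d, "of", n)
```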
The Fault Simulation Report shall provide:
a. Statement of the overall fault coverage. If there are undetectable faults due to three-state enable signal lines, then, optionally, fault coverage based on those potential detections may be reported separately.
b. Description of logic partitions.
Every logic line that is a fanout origin: s-a-0, s-a-1
Every logic line that is a primary output
Note: "s-a-0" is "stuck-at-zero" and "s-a-1" is "stuck-at-one."
