NASA Office of Logic Design
A scientific study of the problems of digital engineering for space flight systems,
with a view to their practical solution.
The NASA ASIC Guide: Assuring ASICs for SPACE
Chapter Two: Quality and Reliability Analysis
Objective:To provide the evaluating team with a framework for ensuring a vendor's quality and reliability assurance programs can satisfy project requirements.
High-reliability space ASIC programs have stringent and unique requirements that not all ASIC vendors can meet. Government qualification programs set requirements for quality and reliability that parts must meet. Government qualified vendors are therefore one major source of high-reliability parts.
This chapter discusses two areas, the general support of government qualification programs for ASIC quality, and the specific support of ASIC quality through proper design methodology. ASIC designers and their managers must have access to and utilize a design methodology that supports reliable design.
Government Qualification ProgramsWhen evaluating a vendor for space ASICs, we recommend the team first look at whether the vendor qualifies under the QML or the QPL government programs. Among other things, these programs extensively analyze a vendor's quality and reliability. They also standardize the way a vendor gathers and presents data. This reduces the learning curve required to understand each new vendor's way of doing their technical business.
ASIC QUALIFICATION INFORMATIONObtaining ASICs for high-reliability applications requires the vendor and designer to deliver much more evidence of the part's reliability than most commercial ASICs require. Obtaining ASICs for high-reliability applications, obliges users to go beyond simply trusting the vendor's reputation and data book. The users must deliver data to their sponsors showing that all parts they use in an application, both off-the-shelf and ASIC parts, have the required pedigree.
The documents describing QML and QPL, MIL-I-38535 and MIL-M-38510/605/606/607/608, respectively, give a detailed description of the kinds of data the vendors must make available to users and to the government. These documents, to some extent, also call out the format for this information. This makes the pedigree information available to those users required to deliver the ASIC. Vendors who are not government qualified may not be able to produce pedigree information in a timely, complete, accurate, or easily understood fashion. Nonetheless, we advocate evaluating high-volume commercial vendors if they can meet the requirements of your program. However, when the contract requirements include proven reliability information, you may find that commercial vendors charge more and take longer to deliver the reliability information and associated parts than they would for their standard product and generic data book reliability information. After factoring in the entire ASIC program life cycle costs, commercial vendors may end up costing more than government-qualified vendors.
Both the QPL and the QML ASIC certification/qualification programs require quite extensive reliability analysis before the government grants qualification status. The quality and reliability analysis confirms that a vendor and/or a device meets the relevant government standards.
"Based on Total Quality Management, QML helps ensure high quality and reliability as well as cost effective parts."
QML and QPL are high-level programs, described by MIL-I-38535 and MIL-M-38510, respectively. Both QML and QPL refer to a number of additional MIL-STD documents. For example, MIL-STD-883 lists the details of test and screening methods used to evaluate quality and reliability of microcircuits for both the QML and QPL programs. The following list shows documents used in describing government microcircuit quality programs:
- MIL-I-38535: Integrated Circuits (Microcircuits) Manufacturing, General Specification for
- MIL-M-38510: Microcircuits, General Specification for
- MIL-STD-883: Microelectronics, Test Methods and Procedures for
- MIL-STD-976: Microcircuits, Certification Requirements for JAN
- MIL-STD-977: Microcircuit Line Certification, Test Methods and Procedures for
- MIL-STD-1331: Microcircuits, Parameters to be Controlled for the Specification of
For each device type requiring qualification there has to be:
- process line certification
- inspection during manufacture
- screening tests
BRIEF HISTORY OF GOVERNMENT QUALIFICATION PROGRAMSThe government originally created the QPL program to maintain the high quality and reliability of discrete parts. Though a lengthy process, once QPL qualified, the parts can be produced cost effectively and speedily, providing the design and the process does not change. When industry introduced ASICs, their low volume and application-specific nature led to modification in the standard QPL program.
To address the issues of ASICs, MIL-M-38510/605, 606, 607, and 608 defined a generic gate array qualification approach. The gate array program quality system and process requirements ensure the entire product family qualifies and consistently meets the same design rules and process controls. The government uses a Standard Evaluation Circuit (SEC) to evaluate, maintain, and control the process reliability for the product family. Performing life testing on the SEC generically qualifies the product family. This approach reduces cost and shortens qualification cycle time.
The alternative QML program, MIL-I-38535, introduces a new concept. A manufacturer performs a self audit based on Total Quality Management (TQM). This management approach calls for establishing a quality management (QM) plan, and forming a technology review board (TRB). The desired quality and reliability levels are maintained through tools, such as, statistical process control (SPC), process monitors, parameter monitors, technology characterization vehicles (TCVs), and SECs. MIL-I-38535 provides details about these tools.
Once the program is in place the government certifies a manufacturing process flow. This certification means that parts can be produced on that flow, with less cost and a much shorter qualification cycle time. Thus the government certifies a vendor's process flow rather than a vendor's product family. The desired goals of QML, as documented in MIL-I-38535, follow:
- reduce overall cost of qualification
- reduce the time required between design and qualification
- reduce end-of-line testing through in-process controls
- maintain a high level of product quality and reliability
- improve device speed, density, and manufacturing cost
For more information about these programs, see the Government Qualification Programs Appendix in this guide, or the actual MIL documents.
EVALUATING TEAM ACTIVITYWhether a vendor is government qualified or not, when determining a vendor's overall product quality and reliability capabilities, we suggest the evaluation team review the following areas against all of their present and future ASIC program requirements:
- process control
- material control
- tool control
- corrective action procedure
- testing and screening
- wafer lot acceptance
- fabrication and assembly
- environmental tests
- electrical characterization test
- product assurance program
Quality Design MethodologyWhen evaluating a vendor for space ASICs, we recommend the team also look at the quality aspects of the vendor's design methodology. Conversely, if the ASIC design team will be following their own methodology, examine it for the proper quality and reliability support features.
In general, a quality design methodology has maturity and stability. This means both the tasks and the tools used to carry them out have produced many reliable designs and actual devices.
For system-level reliability considerations related to ASICs, see Appendix Seven: "Reliability."
DESIGN METHODOLOGY TASKSA design methodology for producing a quality ASIC design must include tasks focused directly on reliability concerns. Quality and reliability design work is closely tied to "producibility" -- creating a design that can be economically built. Design analysis and design verification are the two major areas of ASIC design most closely related to producibility, design quality, and reliability. The evaluation team must evaluate the ASIC vendor's design methodology for proper support of these functions.
Design for ProducibilityModifying a design at the very end of the design cycle may introduce problems that occur too late to rectify, thus affecting quality and reliability. Therefore, a vendor evaluation team must make sure that the vendor's design methodology includes:
- Planning/partitioning: These tasks should accurately estimate an ASIC design's physical size, thereby helping to minimize the need to change the design to fit the original package or pin-count down the road.
- Design rules check: Using the manufacturer's tools and processes, this checks a design against the manufacturer's rules governing good design. Some design rules checks take place at the layout (mask or geometry) level of design, others at gate or cell levels of design.
Design for ReliabilityEven if a design can be produced, it may still contain structures that weaken over time due to various stresses, ultimately making an ASIC fail. Therefore, a vendor evaluation team must make sure that the vendor's design methodology includes:
- Worst-case analysis: This step looks at how a device will behave over temperature, after radiation and other environmental stress; after aging; and over the range of normal semiconductor processing variations.
- Design rules check: This check not only helps make a device producible, it can also ensure the device will be able to withstand stress. Stress may cause a device deemed good at time of production to fail later in life. Rules for maximum current density, fan-out, fan-in, and clock distribution, for example, prevent stresses such as electromigration, radiation and temperature from changing critical device characteristics and causing an ASIC to fail.
- Support for test generation: A design methodology must make it possible to economically create thorough tests for a device. These tests will be used both during design verification and later during production testing of the ASIC parts.
TOOLSTools must offer all needed functions for reliable design validation and analysis. They must have a sufficient level of quality, meaning maturity. Chapter 5 of this section, "CAD Tool Analysis," provides in-depth tool information.
A tool set must be both of sufficient quality and complete. New tools always have the potential for introducing problems. Therefore, to reduce potential problems, make sure the tool set is complete and proven at the beginning of your ASIC program. Introducing a new tool into a tool set late in a design cycle often results in a lack of quality because the new tool presents problems when there is little time to resolve the problem.
Tool Set CompletenessAll tools needed to support the design methodology must be available and show the required quality as described below. In determining the completeness of a tool set, the evaluation team must verify:
- The tool set has all functions required to support the design methodology, including design, design analysis, design verification, and test generation.
- The vendor has proper support available to document and support fixes--rigorous use of a complex tool set will likely find further bugs. The evaluation team must determine how quickly those bugs can be fixed or worked around.
Tool QualityThe basic tools and interfaces used in a quality design methodology have been available for some time. Tool bug fixes have matured to the point where cosmetic fixes dominate. To evaluate basic tools and interfaces, the evaluation team should obtain the following:
- Tool bug status: A recent bug summary from each of the tools' vendors. Since vendors are sensitive about releasing details of bugs, a summary report that lists the number of bugs by category of seriousness will suffice. Again, the less serious bugs should dominate.
- Tool training and support: Users of a good tool may produce a low-quality design if they use the tool improperly. The vendor must provide excellent initial training and continuing support to the tool set users. The evaluation team needs to thoroughly review available tool training and support.
- Demonstration of tool intercompatibility: A detailed description of the use of all the tools working together in the proposed tool set should be reviewed. This description should include:
- Use of a design at least as complex as the proposed ASIC(s)
- Demonstration of all needed interfaces between tools
- Successful interface to the vendor's production tester
- QML and QPL are the two government supported standard qualification programs for microcircuits.
- A QML and QPL vendor status review determines your cost in securing the required vendor quality and reliability information.
- The government originally created the QPL program to maintain the high quality and reliability of discrete parts. QPL has been extended to microcircuits for a number of years, but was only recently extended to ASICs (gate arrays) through MIL-M-38510/605, 606, 607, and 608 which define a generic gate array qualification approach.
- From its inception, QML has been targeted at microcircuits and describes qualifications for both standard cell and gate array ASICs.
- Design methodology must be closely examined for providing the proper reliability analyses.
- Design tools must be closely examined for supporting reliability analyses and a reliable design flow.
Now you may jump to:
Home - NASA
Office of Logic Design
Last Revised: February 03, 2010
Digital Engineering Institute
Web Grunt: Richard Katz