Abstract
To address the stringent requirements for real-time performance, reliability, and flexible protection in the complex operational environments of proton accelerators, this study proposes a layered interlock and defense-in-depth system that integrates PLC-based hardware interlocks, EPICS-based software protection, and node attribute register mechanisms. Employing a three-tier architecture—“hardware rapid response, software flexible protection, and redundant backup defense”—the system achieves millisecond-level response at the hardware layer, dynamic logic reconfiguration at the software layer, and fail-safe closed-loop operation at the backup layer. Node attribute registers function as cross-layer interfaces that enable parameter mapping and online verification between software and hardware logic, while also supporting real-time configuration and strategy switching through EPICS. The Python-based logic modules extend EPICS’s computational capability, enabling multi-signal fusion and dynamic threshold adjustment. This approach maintains logical consistency across varying operating conditions and minimizes false triggers. An independent fail-safe backup defense chain is established through communication-monitoring and execution-feedback mechanisms to ensure safe device isolation in the event of failures at the hardware or software layers. Experimental results demonstrate that the proposed architecture significantly outperforms traditional solutions in terms of response speed, logical consistency, and fault tolerance. It exhibits strong engineering applicability for large-scale deployment, providing a reproducible layered defense pathway for next-generation accelerator control and protection systems.
Full Text
Preamble
Design of a Defense-in-Depth Interlock System for a Proton Accelerator Based on EPICS Chen SR, Shang P, Yang GJ, Guo YH, Zhou DT, Yang JM, Han XY, and Ma QM
1 Institute of Modern Physics, Chinese Academy of Sciences, Lanzhou 730000, China 2 Northwest Normal University, Lanzhou 730070, China 3 University of Chinese Academy of Sciences, Beijing 100049, China
Keywords
Proton Accelerator; EPICS; PROFINET; Node Attribute Register; Defense in Depth
INTRODUCTION
Proton accelerators are essential instruments in high-energy physics research, nuclear medicine, and materials modification[ ]. The reliability of their control and protection systems directly affects both experimental stability and equipment safety.
With the continuous increase in device scale and energy levels, the range of equipment managed by the system and the associated interlock logic have become increasingly complex, imposing greater demands on control real-time performance, operational flexibility, and redundant safety mechanisms. Although traditional centralized control architectures were widely adopted in early accelerator facilities, their limitations in communication latency, scalability, and fault tolerance have become increasingly evident[ ] as system complexity has grown. Particularly problematic are the single-point-of-failure risk introduced by centralized control nodes and the cumbersome process of recompiling and redeploying modified logic. These challenges hinder the rapid reconfiguration and dynamic adjustment required for multi-experiment operational modes.
To address these challenges, major accelerator facilities worldwide have progressively adopted distributed and hierarchical control strategies. For example, CERN's LHC has developed a multi-level hardware interlock system[ ] that leverages high-speed networks to achieve millisecond-level response times. Similarly, the U.S. SNS and Japan's J-PARC, employing a collaborative EPICS–PLC architecture, implement layered hardware protection[ ] and software strategies to improve system maintainability. Domestic facilities such as SSRF and CSNS have likewise introduced the "fast protection and slow interlock" concept[ ] to balance operational safety and flexibility. Despite these advances, existing systems continue to exhibit significant shortcomings in three key areas.

Supported by the Large Research Infrastructures of China: the China Initiative Accelerator Driven System (CiADS), under Grant No. 2017-09316276. Author address: Institute of Modern Physics, Chinese Academy of Sciences, Lanzhou 730000, China.
(1) The hardware layer provides deterministic responses but lacks dynamic configuration capability[ ]. Although PLC-based hardware interlocks can achieve millisecond-level response, their logic is typically hardcoded within the control program. This rigidity makes it difficult to dynamically adjust thresholds or interlock relationships according to different experimental modes. Reconfiguration requires system shutdown and reprogramming, thereby reducing operational flexibility.

(2) The software layer provides flexibility but suffers from insufficient decoupling from the underlying hardware logic. EPICS-based software protection supports complex algorithms and strategic adjustments but typically depends on variable-based communication. This dependency introduces reliability vulnerabilities[ ] during network interruptions, communication congestion, or software failures, thereby hindering deep coordination with hardware logic.

(3) A lack of redundant safety loops under system failure conditions. When hardware or software protection fails due to communication anomalies, actuator malfunctions, or similar faults, traditional systems lack independent backup safeguards. This absence prevents the formation of effective layered safety defenses, resulting in protection blind spots.
To overcome the aforementioned technical bottlenecks, this study proposes a hierarchical interlock system integrating PLC-based hardware interlocks and EPICS-based software protection to enhance real-time performance, operational flexibility, and system reliability. Two key technologies are introduced, namely the node attribute register (NAR) mechanism and the Defense-in-Depth Backup Layer (DBL). The objective of this research is to establish a generalizable multi-level safety control framework that integrates rapid hardware response, flexible software configuration, and defense-in-depth redundancy, thereby forming a unified platform with multi-tier redundancy and cross-layer fault-tolerance capabilities. To achieve this goal, the system adopts a three-tier defense-in-depth architecture comprising “hardware rapid response, software flexible protection, and redundant backup defense.” The bottom layer employs PLCs to execute deterministic logic judgments and achieve rapid disconnection within 10 ms. The middle layer integrates EPICS IOCs with a Python-based logic engine for multi-source signal fusion, dynamic logic computation, and strategy bypassing. The top layer establishes the DBL, which independently performs fail-safe actions in cases of communication failure or actuator non-response, thereby forming a closed-loop system-level safety mechanism. The key research focuses include: (1) the design of a real-time communication architecture based on PROFINET; (2) the engineering implementation of the node attribute register mechanism; (3) dynamic logic decoupling and strategy deployment for EPICS-based software protection modules; and (4) redundancy verification and performance evaluation of the defense-in-depth backup layer.
SYSTEM ARCHITECTURE AND TECHNICAL ROUTE
This section presents the overall architecture and technical approach of the layered interlock system designed for the proton accelerator. The system employs a three-tier defense-in-depth structure[ ]—comprising hardware rapid interlocking, software flexible protection, and independent backup defense—to achieve end-to-end protection from signal acquisition to safety lockout. The overall architecture of the proton accelerator’s layered interlock system is illustrated in Fig. 1 [FIGURE:1].
The system consists of three functional layers. The bottom layer, the equipment-level hardware interlock layer, is centered on distributed PLC control units. This layer performs real-time monitoring and closed-loop shutdown of equipment such as vacuum systems, beam diagnostics, temperature sensors, door interlocks, fast-acting valves, power supplies, and liquid-level devices. The middle layer serves as the EPICS-based software protection layer, operating within the IOC framework. It employs Python-based logic modules to fuse and evaluate multi-source signals, implement delay control, and dynamically adjust protection strategies, thereby enabling flexible logic-driven protection. The top layer, known as the Defense-in-Depth Backup Layer (DBL), operates independently of the main control chain. This layer continuously monitors actuator feedback and communication status, issuing fail-safe lockout signals in response to hardware or software anomalies to directly disconnect power from critical components such as the ion-source high-voltage system, microwave power modules, beam-chamber supplies, and magnetic-field excitation power sources. Data mapping and parameter synchronization among the three layers are accomplished through node attribute registers, forming a layered defense framework characterized by rapid response, logical judgment, and redundant protection.
The primary interlock system, composed of distributed PLC units, monitors critical equipment such as vacuum systems, beam diagnostics, temperature sensors (T3/T4), door interlocks, CM4 fast-acting valves, power supplies, and liquid-level devices. It enables local closed-loop decision-making with response times of ≤ 10 ms, ensuring the immediate isolation of hazardous conditions during the onset of an incident[ ]. The secondary interlock layer, implemented through EPICS IOCs and Python-based logic modules, primarily provides software-level protection for devices such as insertable components, valve states, LEBT_DUMP signals, BPM temperatures, MEBT/HEBT thermal readings, and power-supply operating status. This layer enables cross-device signal fusion and dynamic protection-policy configuration. The tertiary interlock functions as an independent Defense-in-Depth Backup Layer (DBL). By collecting actuator feedback and communication heartbeat signals, this layer directly issues fail-safe lockout commands when both software and hardware layers malfunction, thereby forming the system’s ultimate line of defense.
The system design follows three fundamental classification principles: real-time performance, logical complexity, and redundancy. For components requiring millisecond-level response and actions that can be directly verified by hardware (e.g., vacuum systems and fast-acting valves), hardware interlocks are employed. For equipment requiring multi-signal integration or operational-mode adjustment (e.g., insertable components, valve states, and BPM temperatures), EPICS- and Python-based software protection is implemented. For high-risk equipment (e.g., high-voltage power supplies and chamber power sources), both hardware and software protections are integrated to establish a “rapid shutdown plus strategic redundancy” multi-layered closed-loop defense. Hardware interlocks ensure deterministic system responses, software protections provide logical flexibility, and the backup defense layer preserves intrinsic equipment safety under extreme failure conditions. Together, these three elements constitute a complementary and progressive layered defense framework.
In terms of technical implementation, the system employs node attribute registers (NARs) as a unified interface to realize parameter mapping and state synchronization between software and hardware logic. Each physical device is abstracted into a logical node characterized by state, threshold, delay, and bypass attributes. EPICS enables online adjustment of protection parameters by modifying NARs without recompiling the PLC logic[ ], thereby supporting cross-layer coordination and real-time reconfiguration.
The overall data flow and control logic of the system follow a closed-loop process of “detection–judgment–execution–verification.” Field signals are acquired by PLCs and first evaluated at the hardware level before being transmitted to EPICS. EPICS then performs logical computations and generates corresponding control strategies, while PLCs execute physical actions and upload feedback data. The Defense-in-Depth Backup Layer (DBL) independently verifies the execution results and issues fail-safe commands when required. Figure 2 [FIGURE:2] illustrates the technical architecture of the hierarchical interlock system.
Through this technical approach, hardware–software decoupling, inter-layer logical consistency, and a closed-loop redundant protection mechanism are achieved, thereby significantly enhancing the maintainability, reliability, and intrinsic safety of the accelerator’s interlock system.
SYSTEM HARDWARE DESIGN
This section presents the hardware implementation scheme of the equipment layer within the hierarchical interlock system, covering the PLC control architecture, hardware interlock logic, and node attribute register (NAR) mechanism. The system is designed to provide highly reliable, real-time, and reconfigurable protection functions in complex operational environments.
The equipment layer constitutes the foundational core of the hierarchical interlock system and is responsible for acquiring physical signals from the accelerator, performing logical evaluations, and executing control actions. The system employs a Phoenix Contact AXC3050 PLC as the main control unit, forming a distributed control network through the PROFINET real-time bus and remote I/O modules to achieve deterministic response times of ≤ 10 ms.
A. Node Attribute Register Mechanism
Safety interlock protection represents one of the core technologies in machine protection systems. However, conventional safety interlock solutions are typically tailored to specific devices and interlock logic. Different devices, or even different operating modes of the same device[ ], can result in variations in both the safety interlock system and its associated logic. Such systems generally lack universality and exhibit poor adaptability. When interlock nodes, dependencies, or logic are altered, system shutdown is often required to modify the corresponding logic or circuitry. This process disrupts normal machine operation and increases the workload of technical personnel. Frequent modifications can also introduce unpredictable errors, resulting in significant losses of both time and resources. Moreover, the testing process may pose risks of equipment damage and potential personal injury.
To address the aforementioned issues, and considering that particle accelerator devices share consistent primary control objectives across different operating modes or experimental goals—differing only in interlock ranges[ ], thresholds, and execution actions—this study proposes a node-attribute-based configuration method, as illustrated in Fig. 4 [FIGURE:4]. By incorporating configurable and modifiable node-attribute characteristics into the input and output nodes, the variable parameters of the safety interlock are decoupled from the underlying logic. By modifying the attribute bits of these node characteristics through upper-level software, the scale, interlock relationships, and logical structure of the safety interlock system can be adjusted within predefined parameters.
The implementation of the node attribute register (NAR) mechanism adopts a bottom-up systematic design approach, comprising three stages: the hardware layer, the logic layer, and the integration layer. Each layer is responsible for signal acquisition, logic mapping, and system integration, collectively forming a closed-loop structure of “configuration–feedback–verification.” This design ensures parameter synchronization and state consistency between EPICS and PLC systems.

At the hardware implementation level, the system is based on a distributed PLC control architecture designed to achieve
high real-time data acquisition and cross-layer synchronization. The control network is centered on PROFINET, which enables high-speed sampling and deterministic transmission of field signals with communication cycles as short as 4 ms[ ]. This configuration ensures the real-time updating and consistency verification of Node Attribute Register (NAR) parameters. Field I/O modules are functionally configured according to signal characteristics, forming a three-tier structure that encompasses status acquisition, control output, and monitoring diagnostics. These correspond respectively to the S, C, and M logical domains, enabling direct mapping and invocation of various signal types at the logical layer. During configuration, unified signal naming and address-mapping rules are established through the PLCnext Engineer software. This approach ensures a one-to-one correspondence between hardware registers and EPICS PV variables at the semantic layer, thereby achieving complete unification of hardware and software namespaces as well as data structures.

At the logic layer, the core structure of the Node Attribute Register (NAR) is implemented through modular programming using the SCL language. The system abstracts each controlled device into a logical node, with each node containing fundamental attributes including State, Threshold, Delay, Bypass, and Timestamp. All nodes are declared as arrays within the global variable area of the PLC and establish a one-to-one mapping with process variable (PV) entries in the EPICS database through the PROFINET interface. Node logic adopts structured programming to perform operations including parameter reading, threshold comparison, and state updating. When field input signals exceed predefined threshold ranges, the node triggers local protective
actions and writes to feedback registers containing the action results and communication status. To prevent logic drift between the software and hardware layers, a periodic consistency verification module is implemented within the PLC. This module compares the EPICS-side configuration registers with the PLC-side feedback registers and generates a verification value through CRC-based hash computation. If parameter inconsistencies are detected, the system freezes the node logic and raises an alarm flag. This design ensures the independence of logical judgments and the consistency of software and hardware data.
At the integration layer, the Node Attribute Registers (NARs) enable system-level data interaction and visualization management through the EPICS framework. The EPICS IOC functions as the core control unit in the middle layer, establishing bidirectional communication with the PLCs through the Channel Access (CA) protocol to create real-time links for parameter distribution and status feedback. The process variable (PV) structure defined in the EPICS database corresponds strictly to the PLC register fields, following the unified naming convention “NAR:DeviceName:ParameterType”—for example, “NAR:VALVE1:THRESHOLD” and “NAR:POWER1:BYPASS.” Communication adopts a dual-channel mechanism, in which the downlink channel writes EPICS configuration data to the PLC configuration registers, whereas the uplink channel reads real-time status data from the PLC feedback registers. A dual-verification logic combining timestamps with the “Config_Valid/Feedback_OK” flags is implemented to ensure data consistency and reliability during transmission. When the EPICS-side configuration is not acknowledged by the PLC, the system automatically reverts to the last stable version and records the event in the operational log.
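The configuration–feedback–verification loop described in the logic-layer and integration-layer passages above, as an added Python example that is not the paper's or the facility's code. It models the downlink (EPICS writes the configuration registers), the uplink (EPICS reads the feedback registers), the PLC-side periodic CRC comparison that freezes the node and raises an alarm on mismatch, and the EPICS-side revert to the last stable version when a write is not acknowledged. Everything beyond what the text states is an assumption: the attribute encoding, CRC-32 as the "CRC-based hash", the SimPlc stand-in for the PLC, and the pending/verify split are hypothetical, and no EPICS library is used. One caveat a practitioner should keep in mind: a CRC detects accidental corruption and drift between the two register copies; it is not a cryptographic authenticator and offers no protection against a deliberately forged register block.

```python
import struct
import zlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class NodeAttrs:
    """The attribute set the text assigns to each logical node (one NAR entry)."""
    state: int        # 0 = normal, 1 = tripped
    threshold: float
    delay: int        # ms
    bypass: bool
    timestamp: int    # configuration version tag, incremented on every write

    def crc(self):
        # Fixed-width little-endian encoding so EPICS and PLC hash identical bytes.
        # CRC-32 detects corruption and drift; it is not a cryptographic authenticator.
        raw = struct.pack("<idi?i", self.state, self.threshold, self.delay, self.bypass, self.timestamp)
        return zlib.crc32(raw) & 0xFFFFFFFF

def pv_name(device, param):
    """Unified naming convention from the text, e.g. NAR:VALVE1:THRESHOLD."""
    return f"NAR:{device}:{param.upper()}"

class SimPlc:
    """Simulated PLC side (hypothetical): configuration registers on the downlink,
    feedback registers on the uplink, and the periodic consistency-verification module."""
    def __init__(self, attrs, acknowledges=True):
        self.config = self.feedback = attrs
        self.acknowledges = acknowledges
        self.config_valid = self.feedback_ok = True
        self.frozen = self.alarm = False

    def write_config(self, attrs):
        self.config = attrs
        if self.acknowledges:
            self.feedback = attrs          # node logic picked up the new parameters
            self.config_valid = self.feedback_ok = True
        else:
            self.config_valid = False      # write rejected or never processed

    def consistency_check(self):
        """Periodic PLC-side check: config CRC must equal feedback CRC, else freeze and alarm."""
        if self.config.crc() != self.feedback.crc():
            self.frozen = self.alarm = True
            return False
        return True

class NarInterface:
    """EPICS side: dual-channel write and verify, reverting to the last stable version."""
    def __init__(self, plc, initial):
        self.plc, self.last_stable, self.pending, self.log = plc, initial, None, []

    def set_param(self, device, param, value):
        new_ts = self.last_stable.timestamp + 1
        self.pending = replace(self.last_stable, **{param.lower(): value}, timestamp=new_ts)
        self.plc.write_config(self.pending)                      # downlink channel
        self.log.append(f"{pv_name(device, param)} <- {value!r} ts={new_ts} pending")
        return "yellow"                                          # awaiting confirmation

    def verify(self, device, param):
        fb = self.plc.feedback                                   # uplink channel
        acked = (self.plc.config_valid and self.plc.feedback_ok
                 and fb.timestamp == self.pending.timestamp and fb.crc() == self.pending.crc())
        if acked:
            self.last_stable, self.pending = self.pending, None
            self.log.append(f"{pv_name(device, param)} verified crc=0x{fb.crc():08x}")
            return "green"
        self.plc.write_config(self.last_stable)                  # revert to last stable version
        self.log.append(f"{pv_name(device, param)} not acknowledged; reverted to ts={self.last_stable.timestamp}")
        self.pending = None
        return "red"

def demo():
    """Constructed cases: a verified write, an unacknowledged write, and PLC-side drift."""
    base = NodeAttrs(state=0, threshold=1.0e-5, delay=50, bypass=False, timestamp=1)
    good = NarInterface(SimPlc(base), base)
    first = (good.set_param("VALVE1", "THRESHOLD", 2.0e-5), good.verify("VALVE1", "THRESHOLD"))
    bad = NarInterface(SimPlc(base, acknowledges=False), base)
    second = (bad.set_param("POWER1", "BYPASS", True), bad.verify("POWER1", "BYPASS"))
    drift = SimPlc(base)
    drift.feedback = replace(base, threshold=9.9e-5)            # simulated logic drift
    return {
        "first": first + (good.last_stable.threshold,),
        "second": second + (bad.last_stable.bypass, bad.plc.config.timestamp),
        "drift": (drift.consistency_check(), drift.frozen, drift.alarm),
        "pv": pv_name("VALVE1", "threshold"),
    }
```

The three return values map onto the interface colours the text describes: yellow while a write is pending, green once the feedback timestamp and CRC match the pending configuration, and red when the PLC did not acknowledge and the previous version was written back. The drift case shows the PLC-side check acting on its own: the node is frozen and the alarm flag set without any involvement of the EPICS side.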
At the interface layer, the graphical management interface developed on the Phoebus OPI platform enables the real-time display of node attributes, parameter adjustment, and visualization of verification status. The interface adopts a modular template structure that is divided into three sections: parameter display, configuration, and logging. The parameter display section presents the node’s real-time operational status and key parameters; the configuration section allows authorized users to modify thresholds, delays, and bypass flags online during operation; and the logging section displays real-time verification results and configuration change records. A color-coded dynamic-binding mechanism intuitively reflects the system status: green indicates configuration consistency, yellow denotes pending confirmation, and red signifies verification failure. Through this interface, operators can perform cross-layer parameter monitoring and logical verification within a unified environment, thereby fulfilling the design objectives of transparent hardware status, visualized logical behavior, and traceable system operations.
In summary, the implementation of the Node Attribute Register (NAR) mechanism establishes a high-real-time signal acquisition platform at the hardware layer, realizes parameter structuring and consistency verification at the logic layer, and accomplishes cross-system data mapping and visualization control at the integration layer. The collaboration among the three layers forms a complete bottom-up technology chain, endowing the system with dynamic configuration, online verification, and logical self-consistency capabilities. This provides stable data interfaces and security assurance for the subsequent design of the backup layer within the defense-in-depth architecture.
SOFTWARE IMPLEMENTATION AND DEFENSE-IN-DEPTH MECHANISM
This section presents the software implementation framework of the hierarchical interlock system, encompassing the structural design of the EPICS-IOC-based soft protection module, the Python-driven dynamic logic operation mechanism, and the collaborative strategy of the defense-in-depth backup layer. The software layer serves as the core component responsible for logical determination, parameter configuration, and operational monitoring throughout the system. It functions as both the upper-level strategic extension of hardware-based rapid interlocking and the visualization hub of the entire system.
The system software is developed on the EPICS architecture and achieves modular deployment through a three-tier structure comprising the Driver Layer[ ], Logic Layer, and Interface Layer. The underlying PLC communicates with the IOC layer through the TCP/IP protocol to enable high-speed data exchange. The upper EPICS layer employs the Channel Access (CA) protocol to map physical quantities to process variables (PVs), thereby enabling signal standardization and cross-layer accessibility. The Driver Layer establishes a one-to-one correspondence between PLC registers and EPICS PVs, ensuring synchronized and real-time updating of the underlying data. The Logic Layer performs logical evaluations, condition combinations, and action generation based on EPICS record types such as calc, bo, and ai. The Interface Layer manages strategic parameters such as thresholds, delays, and bypasses, supporting runtime loading and cross-platform reuse. This architecture maintains real-time performance while ensuring logical independence, parameter decoupling, and strategy reconfigurability.
Design of Python Soft Protection Module
To overcome the limitations of hardware interlocks in logical complexity and information representation, the system incorporates a Python- and EPICS-based soft protection module at the IOC layer. This module employs the EPICS IOC as its runtime container and Python scripts as its logic engine, thereby establishing a soft protection layer that supports multi-source data fusion and dynamic policy determination.
Unlike traditional EPICS record types that rely on static expression calculations, the Python-based soft protection module is developed using the Pcaspy software package[ ]. It directly accesses real-time signals from PLCs through the EPICS Channel Access interface while simultaneously retrieving data from AA historical databases and external mathematical computation systems. This enables multidimensional analysis of operational data across the time domain, frequency domain, and statistical dimensions.
This module leverages Python’s numerical computation libraries (NumPy, SciPy, pandas, etc.) to execute advanced computational tasks[ ], including trend fitting, threshold prediction, derivative analysis, and anomaly detection. Through custom logic functions, the system enables nonlinear condition evaluation, dynamic threshold adjustment, and multi-condition joint decision-making, thereby overcoming the expressive limitations inherent in EPICS’s native record types.
During operation, dynamic logic computations are performed by the module based on real-time parameters pro- vided by the Node Attribute Register (NAR). When the com- putation results satisfy the predefined action conditions, out- put signals are written to the EPICS process variables (PVs), thereby triggering the corresponding interlock responses or alarm events through upper-level logic.
Unlike traditional hardware interlocks that output only binary “active/inactive” results, the soft protection module outputs multidimensional status elements, including status codes, bypass flags, delay countdowns, trigger conditions, and timestamps. This design ensures interpretable status information and traceable system operations. It allows the soft protection layer to function not only as a logical redundancy mechanism for critical equipment but also as an independent module capable of handling complex fault determination and predictive computation tasks beyond hardware capabilities, thereby enhancing overall system safety and intelligence.
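A minimal soft protection node of the kind described in the preceding paragraphs, as an added Python example rather than the paper's module. It fuses a BPM temperature reading with the power-supply state (multi-condition joint decision), fits a straight line through the recent samples to predict the temperature a few cycles ahead (a trend-based dynamic threshold that can trip before the static level is reached), enforces the NAR delay as a countdown, honours the bypass flag, and returns the multidimensional status record (status code, bypass flag, delay countdown, trigger condition, timestamp) instead of a single bit. The pcaspy driver and Channel Access plumbing are omitted, so PV values are passed in as plain arguments; the NarParams field names, the temperature trace, the window size and the prediction horizon are constructed for this example and are not taken from the paper.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class NarParams:
    """Runtime parameters the node reads from its NAR entry (hypothetical field names)."""
    threshold: float   # trip level, here a BPM temperature in degC
    delay: int         # cycles the condition must persist before tripping
    bypass: bool

def least_squares_slope(samples):
    """Slope per cycle of a straight-line fit through the samples (0.0 with < 2 samples)."""
    n = len(samples)
    if n < 2:
        return 0.0
    xm, ym = (n - 1) / 2.0, sum(samples) / n
    num = sum((i - xm) * (y - ym) for i, y in enumerate(samples))
    den = sum((i - xm) ** 2 for i in range(n))
    return num / den

class SoftProtectionNode:
    STATUS = {0: "OK", 1: "PRE_ALERT", 2: "TRIP", 3: "BYPASSED"}

    def __init__(self, params, window=5, horizon=5):
        self.params = params
        self.history = deque(maxlen=window)   # recent samples used for trend fitting
        self.horizon = horizon                # cycles ahead for the prediction
        self.countdown = None                 # delay countdown, None while idle

    def evaluate(self, temperature, supply_on, cycle):
        self.history.append(temperature)
        thr = self.params.threshold
        predicted = temperature + least_squares_slope(self.history) * self.horizon
        # Joint decision: heating only matters while the supply is on; the second
        # branch is the trend-based (dynamic) trigger ahead of the static threshold.
        if supply_on and temperature >= thr:
            condition = "T>=threshold"
        elif supply_on and predicted >= thr:
            condition = "predicted(T)>=threshold"
        else:
            condition = None
        if condition is None:
            self.countdown, code = None, 0
        else:
            self.countdown = self.params.delay if self.countdown is None else max(0, self.countdown - 1)
            code = 2 if self.countdown == 0 else 1
        if self.params.bypass and code:
            code = 3                          # bypassed: reported, never acted on
        return {
            "status_code": code,
            "status": self.STATUS[code],
            "trip": code == 2,
            "bypass": self.params.bypass,
            "delay_countdown": self.countdown,
            "trigger_condition": condition,
            "predicted": round(predicted, 2),
            "timestamp": cycle,
        }

# Constructed BPM temperature trace (degC), rising 2 degC per cycle with the supply on.
TRACE = [50.0, 52.0, 54.0, 56.0, 58.0, 60.0, 62.0, 64.0]

def run_scenario(bypass=False):
    node = SoftProtectionNode(NarParams(threshold=60.0, delay=3, bypass=bypass))
    results = [node.evaluate(t, True, cycle) for cycle, t in enumerate(TRACE)]
    trips = [r["timestamp"] for r in results if r["trip"]]
    return {
        "statuses": [r["status"] for r in results],
        "conditions": [r["trigger_condition"] for r in results],
        "first_trip_cycle": trips[0] if trips else None,
        "first_trip_temperature": TRACE[trips[0]] if trips else None,
    }
```

On the constructed trace the trend-based condition becomes true at cycle 1, the three-cycle delay runs down, and the node trips at cycle 4 while the reading is still 58 degC, one cycle before the static threshold would have fired; each record carries the condition that caused it, so an operator can tell a predictive trip from a plain threshold crossing. With the bypass flag set the same cycles are reported as BYPASSED and the trip output never asserts.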
The soft protection module adopts a parameterized configuration architecture, enabling more flexible policy adjustment and operational mode switching. Users can modify key parameters such as thresholds, delays, and bypass settings online through the Phoebus OPI interface. These modifications are instantly loaded by the IOC and propagated to active processes via Channel Access, taking effect without the need for system recompilation or restart. This design enables hot logic updates and runtime reconfigurability, thereby significantly improving operational efficiency and system maintainability.
Simultaneously, the Phoebus interface integrates three visualization components—real-time waveform display, alarm logging, and logical linkage diagrams. The system displays the verification results of each process variable (PV) using color-coded status indicators: green signifies configuration consistency, yellow indicates pending confirmation, and red denotes verification failure. By utilizing time-series curves, alarm trigger records, and dynamic threshold trend analyses, operators can conduct cross-level system monitoring and historical state tracing. This mechanism achieves full-chain transparency from parameter configuration to logic verification, thereby transforming the interface from a simple monitoring tool into a decision-support resource.

Defense-in-Depth Backup Layer Collaboration
The Defense Backup Layer (DBL) constitutes the highest level of protection within the system’s security architecture. It is designed to independently perform security isolation and fault control, even in situations where both hardware-based rapid interlock mechanisms and software protection logic fail or exhibit abnormal responses. Through dedicated execution units and communication-monitoring mechanisms, this layer performs redundant verification of lower-level logic and provides system-level fault-tolerance protection, thereby forming the ultimate line of defense that integrates hardware, software, and policy-based safeguards into a three-tiered, interconnected architecture.
The design of the Defense Backup Layer (DBL) adheres to the principles of logical independence, data redundancy, and fail-safe operation[ ]. The system achieves rapid response at the hardware layer, performs logical evaluations at the software layer, and maintains control-chain integrity through periodic self-checks and link monitoring within the backup layer. Upon detecting communication anomalies, interlock logic card malfunctions, or prolonged unresponsiveness of critical nodes, the DBL automatically assumes control authority and executes safety actions. These actions include shutting down high-voltage power supplies, cutting off fast-acting valves, and closing vacuum isolation channels, thereby establishing a physical safety loop.
The core logic of the backup layer comprises two components: the Communication Watchdog and the Execution Feedback Unit. The Communication Watchdog periodically monitors the communication status between EPICS and PLC systems, as well as the update cycles of the node attribute registers. Upon detecting consecutive timeouts (e.g., exceeding three communication cycles) or CRC checksum anomalies, it triggers a Communication Failure Flag. The Execution Feedback Unit continuously monitors the actual operational states of field devices and compares them with the outputs of the software protection layer. When the feedback signals contradict the logical outputs (e.g., when a valve should be closed but its position signal remains open), the system automatically enters forced-safe mode. The backup layer subsequently issues a direct physical disconnection command.
The logical implementation of the Defense Backup Layer (DBL) is based on the EPICS framework but operates within an independent IOC process that is isolated from the main control IOC. This process accesses lower-level device states exclusively through restricted channels and does not participate in normal logical operations, thereby ensuring operational independence. The system employs a Heartbeat Process Variable (PV) monitoring mechanism, based on PV subscriptions, to dynamically verify the response cycles of each logical layer [ ]. Upon detecting a halted heartbeat from any IOC or a suspension of the soft protection logic, the DBL immediately executes predefined safety actions and records the anomaly for subsequent analysis.
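The watchdog, execution-feedback and heartbeat checks described above, modelled as an added Python example. This is not the paper's DBL code: it assumes an EPICS IOC would feed the per-cycle values in, and the class names, the three-cycle stall limit for heartbeats, the register frame and the scenario in simulate() are constructed for the example.

```python
"""Offline model of the DBL's Communication Watchdog, Execution Feedback Unit
and heartbeat check (added example; not the paper's code). EPICS PV
subscriptions and the PLC link are replaced by values fed in once per cycle;
class names, counters and the scenario are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Optional
import zlib

TIMEOUT_CYCLES = 3      # flag after timeouts exceeding three communication cycles
HEARTBEAT_STALL = 3     # cycles a heartbeat PV may stay unchanged before it counts as halted
SAFETY_ACTIONS = ("HV_PS_OFF", "FAST_VALVE_CLOSE", "VACUUM_ISOLATE")  # chain named in the text


@dataclass
class CommWatchdog:
    """Counts consecutive EPICS<->PLC timeouts and checks register-frame CRCs."""
    missed: int = 0
    failure_flag: bool = False

    def observe(self, frame: Optional[bytes], expected_crc: Optional[int]) -> bool:
        """One communication cycle; frame=None means no register update arrived."""
        if frame is None:
            self.missed += 1
            if self.missed > TIMEOUT_CYCLES:
                self.failure_flag = True      # Communication Failure Flag
        elif zlib.crc32(frame) != expected_crc:
            self.failure_flag = True          # CRC anomaly trips immediately
        else:
            self.missed = 0                   # a healthy cycle resets the run
        return self.failure_flag


@dataclass
class HeartbeatMonitor:
    """Tracks heartbeat PV counters per IOC and reports the ones that stopped."""
    last_value: dict = field(default_factory=dict)
    unchanged: dict = field(default_factory=dict)

    def update(self, ioc: str, counter: int) -> None:
        same = self.last_value.get(ioc) == counter
        self.unchanged[ioc] = self.unchanged.get(ioc, 0) + 1 if same else 0
        self.last_value[ioc] = counter

    def halted(self) -> list:
        return sorted(ioc for ioc, n in self.unchanged.items() if n >= HEARTBEAT_STALL)


def execution_mismatches(commanded: dict, feedback: dict) -> list:
    """Execution Feedback Unit: devices whose field state contradicts the
    soft layer's output, e.g. a valve commanded CLOSED whose position reads OPEN."""
    return sorted(dev for dev, want in commanded.items() if feedback.get(dev) != want)


@dataclass
class DefenseBackupLayer:
    watchdog: CommWatchdog = field(default_factory=CommWatchdog)
    heartbeat: HeartbeatMonitor = field(default_factory=HeartbeatMonitor)
    log: list = field(default_factory=list)   # anomalies kept for later analysis

    def evaluate(self, commanded: dict, feedback: dict) -> tuple:
        """Return the safety chain to fire, or () while every layer looks healthy."""
        reasons = []
        if self.watchdog.failure_flag:
            reasons.append("communication failure flag set")
        reasons += [f"heartbeat halted: {ioc}" for ioc in self.heartbeat.halted()]
        reasons += [f"feedback contradicts output: {d}"
                    for d in execution_mismatches(commanded, feedback)]
        if not reasons:
            return ()
        self.log.append(reasons)
        return SAFETY_ACTIONS


def simulate() -> dict:
    """Constructed scenario: two healthy cycles, then a dead link, then a stuck valve."""
    commanded = {"FAST_VALVE": "CLOSED", "HV_PS": "ON"}
    good = {"FAST_VALVE": "CLOSED", "HV_PS": "ON"}
    frame = b"NAR:HV=1;FV=CLOSED"            # constructed register frame
    dbl = DefenseBackupLayer()
    for cycle in range(2):
        dbl.watchdog.observe(frame, zlib.crc32(frame))
        dbl.heartbeat.update("ioc-soft", cycle)
    healthy = dbl.evaluate(commanded, good)
    for _ in range(TIMEOUT_CYCLES + 1):       # four timeouts: exceeds the limit
        dbl.watchdog.observe(None, None)
    link_lost = dbl.evaluate(commanded, good)
    stuck = DefenseBackupLayer().evaluate(commanded, {"FAST_VALVE": "OPEN", "HV_PS": "ON"})
    return {"healthy": healthy, "link_lost": link_lost, "stuck_valve": stuck,
            "reasons": dbl.log[0]}


if __name__ == "__main__":
    print(simulate())
```

The three checks are kept independent so that any one of them can force the safety chain on its own, which is the property that lets the backup layer act when either the PLC link or the soft-protection IOC is the failed component.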
To achieve multi-level coordination, a policy-synergy mechanism has been established between the Defense Backup Layer (DBL) and the soft protection layer. During logical operation, the soft protection layer synchronizes critical state variables—such as thresholds, action flags, and bypass states—with the DBL’s monitoring cache. When the system enters a pre-alert state, the DBL executes the corresponding defense strategies based on the most recent valid configuration, thereby achieving temporal–spatial decoupling between soft-logic determination and hard-action execution. This mechanism not only prevents protection gaps resulting from upper-layer failures but also enables the backup layer to execute response actions that are more targeted and explainable.
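The policy-synergy cache described in this paragraph, as an added Python example (not the paper's interface). It assumes the soft layer pushes a Policy record each sync; the sequence-number rule, the threshold validation, the signal-to-action mapping and the demo values are constructed for the example.

```python
"""Policy-synergy cache for the DBL (added example; not the paper's code).
The soft protection layer pushes thresholds, action flags and bypass states;
the DBL keeps only the most recent update that passes verification and acts
on it when a pre-alert arrives. Field names, the sequence-number rule and the
signal-to-action mapping are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Optional
import math

SAFETY_ACTIONS = ("HV_PS_OFF", "FAST_VALVE_CLOSE", "VACUUM_ISOLATE")
# signal -> targeted action the backup layer takes when that signal trips (constructed)
TARGETED = {"vacuum": "VACUUM_ISOLATE", "hv_current": "HV_PS_OFF", "temperature": "HV_PS_OFF"}


@dataclass
class Policy:
    seq: int            # increases with every sync from the soft layer
    thresholds: dict    # signal -> upper limit
    action_flags: dict = field(default_factory=dict)   # signal -> soft layer already tripped it
    bypass: dict = field(default_factory=dict)         # signal -> operator bypass active


def verify(policy: Policy, previous: Optional[Policy]) -> Optional[str]:
    """Return None when the update may replace the cache, else the rejection reason."""
    if previous is not None and policy.seq <= previous.seq:
        return "stale or replayed sequence number"
    for sig, limit in policy.thresholds.items():
        if sig not in TARGETED:
            return f"unknown signal {sig}"
        if not isinstance(limit, (int, float)) or not math.isfinite(limit) or limit <= 0:
            return f"invalid threshold for {sig}"
    for sig in list(policy.action_flags) + list(policy.bypass):
        if sig not in policy.thresholds:
            return f"flag for {sig} has no threshold"
    return None


@dataclass
class PolicyCache:
    last_valid: Optional[Policy] = None
    rejected: list = field(default_factory=list)

    def sync(self, policy: Policy) -> bool:
        reason = verify(policy, self.last_valid)
        if reason is not None:
            self.rejected.append((policy.seq, reason))   # keep the old configuration
            return False
        self.last_valid = policy
        return True

    def prealert(self, measurements: dict) -> dict:
        """Decide actions from the last valid configuration, with reasons."""
        p = self.last_valid
        if p is None:   # nothing ever verified: fall back to the full chain
            return {"actions": list(SAFETY_ACTIONS), "reasons": ["no valid policy cached"]}
        actions, reasons = set(), []
        for sig, limit in p.thresholds.items():
            if p.bypass.get(sig):
                reasons.append(f"{sig}: bypassed, skipped")
                continue
            value = measurements.get(sig)
            if p.action_flags.get(sig):
                actions.add(TARGETED[sig])
                reasons.append(f"{sig}: soft layer already tripped")
            elif value is None or value > limit:
                actions.add(TARGETED[sig])
                reasons.append(f"{sig}={value} vs limit {limit} (policy seq {p.seq})")
        return {"actions": sorted(actions), "reasons": reasons}


def demo() -> dict:
    """Constructed run: one good sync, one corrupt sync, then a pre-alert."""
    cache = PolicyCache()
    ok = cache.sync(Policy(seq=1, thresholds={"vacuum": 1e-5, "hv_current": 12.0}))
    bad = cache.sync(Policy(seq=2, thresholds={"vacuum": float("nan"), "hv_current": 12.0}))
    out = cache.prealert({"vacuum": 3e-5, "hv_current": 8.0})   # upper layer now silent
    return {"ok": ok, "bad": bad, "actions": out["actions"], "seq_used": cache.last_valid.seq}
```

Rejected updates are logged but never overwrite the cache, so a corrupt sync from a failing soft layer leaves the DBL acting on the last configuration that passed verification; a missing measurement is treated as a trip rather than as "no fault".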
The execution outputs of the Defense Backup Layer (DBL) adopt a fail-safe design, in which all safety-action outputs are implemented through dual-channel redundant relays. When the primary channel signal fails, the backup channel automatically assumes the output function. The output status is simultaneously verified through closed-loop feedback signals to ensure that the action outcome aligns with the commanded state. The system design equips the backup layer with an independent power supply and a separate grounding path, thereby guaranteeing autonomous operational capability even in the event of complete upper-level control failure.
Through the aforementioned mechanism, the backup layer within the defense-in-depth architecture provides dual fault-tolerance protection for both the hardware interlock and software protection layers, thereby establishing a multi-level redundancy framework that extends from logical anomaly detection to physical security isolation. The proposed “policy coordination–link self-check–independent execution” mechanism enables the accelerator system to demonstrate greater security autonomy and enhanced robustness under complex operating conditions, while providing data support and logical interfaces for subsequent fault diagnosis and risk prediction.
SYSTEM TESTING AND RESULTS ANALYSIS
To validate the effectiveness and reliability of the hierarchical interlock and defense-in-depth system, two types of tests were conducted in an experimental environment: functional verification and performance verification. Functional verification primarily assessed the logical correctness and coordination consistency among the hardware interlocks, the EPICS-based soft protection layer, and the backup layer within the defense-in-depth system. Performance verification quantitatively evaluated the system’s overall real-time performance and robustness using metrics such as response latency, redundant switching, and fault-tolerant recovery. The test platform consisted of field PLC cabinets, IOC hosts, independent backup control units, and Phoebus operator terminals. All test signals were introduced through real equipment simulators and field sensors.
Functional Validation: Multi-Layer Interlock Logic Consistency Testing
The objective of the functional verification is to confirm that the three-tier interlock system maintains logical consistency and safety responses under various operational scenarios. The testing process is conducted at three levels:
(1) Hardware-Level Verification: Fault-injection tests were performed on critical equipment signals, including vacuum, fast-acting valves, power supplies, and temperature sensors. The PLC program monitored input changes and executed lockout commands within ≤ 10 ms, thereby verifying the deterministic response capability of the field-level rapid interlocks.
(2) Software Protection Layer Verification: Signal-combination and threshold-debouncing experiments were conducted using Python-based dynamic logic modules on the EPICS IOCs. When equipment thresholds approached critical states, the system dynamically adjusted action determinations based on real-time changes, thereby enabling multi-condition fusion judgment and bypass-strategy switching. Experimental results demonstrated that under high-frequency disturbance conditions, the false-trigger rate of the software protection module outputs was less than 0.05%, which is significantly lower than that of traditional fixed-logic solutions.
(3) Backup Layer Validation: The autonomous takeover capability of the Defense-in-Depth Backup Layer (DBL) was verified under conditions of communication interruption and logic-card latch-up. When the EPICS-layer IOCs were manually suspended, the DBL detected lost heartbeats within approximately 300 ms [30] and executed fail-safe outputs, thereby automatically disconnecting the ion-source high voltage and fast-valve control to achieve final physical isolation.
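A threshold-debouncing and multi-signal fusion module of the kind the software protection layer test (2) exercised, as an added Python example run offline on a constructed noisy signal. It is not the paper's module: the hold counts, the hysteresis margin, the majority rule and the synthetic disturbance are assumptions of this example, and the paper reports only the resulting false-trigger rate.

```python
"""Threshold-debouncing and multi-signal fusion logic of the kind the soft
protection layer test exercised (added example; not the paper's module).
Run offline on a constructed noisy signal: hold counts, hysteresis margin and
the synthetic disturbance are this example's assumptions; the paper only
reports the resulting false-trigger rate."""
import random


class DebouncedThreshold:
    """Trip only after `hold` consecutive samples above `limit`; release only
    after `hold` consecutive samples below `limit - hysteresis`. A hold of 1
    degenerates to a plain comparator, which is what the example compares against."""

    def __init__(self, limit: float, hysteresis: float, hold: int):
        self.limit, self.hysteresis, self.hold = limit, hysteresis, hold
        self.tripped = False
        self._run = 0        # length of the current run of samples arguing for a change

    def update(self, x: float) -> bool:
        wants_change = x < self.limit - self.hysteresis if self.tripped else x > self.limit
        self._run = self._run + 1 if wants_change else 0
        if self._run >= self.hold:
            self.tripped, self._run = not self.tripped, 0
        return self.tripped


class FusionLogic:
    """Multi-condition fusion: act when any signal marked critical trips, or when
    a majority of the non-bypassed signals trip. Bypassed signals are not evaluated."""

    def __init__(self, monitors: dict, critical=(), bypass=()):
        self.monitors, self.critical, self.bypass = monitors, set(critical), set(bypass)

    def update(self, samples: dict) -> bool:
        states = {name: m.update(samples[name])
                  for name, m in self.monitors.items() if name not in self.bypass}
        if any(states[n] for n in states if n in self.critical):
            return True
        return 2 * sum(states.values()) > len(states)


def false_trigger_rate(samples: int = 20000, hold: int = 3, seed: int = 1) -> dict:
    """Constructed disturbance test: the signal sits at 0.5 with Gaussian noise and
    isolated single-sample spikes that are not real faults, so every trip is a
    false trigger. Returns trips per sample for the raw comparator and the debounced one."""
    rng = random.Random(seed)
    raw = DebouncedThreshold(limit=0.8, hysteresis=0.1, hold=1)
    deb = DebouncedThreshold(limit=0.8, hysteresis=0.1, hold=hold)
    trips = {"raw": 0, "debounced": 0}
    prev = {"raw": False, "debounced": False}
    for _ in range(samples):
        x = 0.5 + rng.gauss(0, 0.05)
        if rng.random() < 0.02:                 # 2 % of samples carry a spike
            x += 0.5
        for name, mon in (("raw", raw), ("debounced", deb)):
            now = mon.update(x)
            trips[name] += int(now and not prev[name])   # count rising edges only
            prev[name] = now
    return {name: n / samples for name, n in trips.items()}


if __name__ == "__main__":
    print(false_trigger_rate())
```

The debounced monitor ignores any disturbance shorter than the hold window, and the hysteresis keeps a tripped condition from chattering when the signal hovers near the limit; the majority rule in FusionLogic is one simple fusion policy, chosen here so that a single noisy channel cannot trip the output unless it is marked critical.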
The test results demonstrate that the three-tier interlock system operates correctly under various operating conditions. The strategy outputs of the software protection layer were consistent with the execution results of the hardware layer, while the backup layer safely assumed control when the upper layers failed. These results validate the effective implementation of logical consistency and multi-level redundancy within the system.
Performance Validation: Real-time, Redundancy, and Fault Tolerance Testing
Performance verification evaluates the system’s operational characteristics from three perspectives:
(1) In real-time testing, response delays across different layers were measured using oscilloscopes and timestamp-recording modules. The results indicate an average response time of 8.6 ms for the hardware interlocks, 162 ms for the EPICS-based software protection layer, and approximately 300 ms for the backup layer’s fail-safe output under trigger conditions. The overall system response satisfies the accelerator control system’s safety requirement of less than 200 ms, exhibiting stable latency distribution across all layers and jitter below 2 ms.
(2) During redundancy and fault-tolerance testing, the system simulated scenarios such as communication interruptions, threshold-configuration errors, and partial I/O module failures. The results show that when the primary communication link was lost, the Defense Backup Layer (DBL) assumed control within 0.2 seconds and maintained the equipment in a safe state. When the Node Attribute Register (NAR) was misconfigured, the attribute-verification mechanism of the EPICS layer promptly blocked command issuance, thereby preventing erroneous actions. When certain PLC modules failed, the system maintained stable operation through bypass strategies and redundant signals from the DBL. Figure 5-2 illustrates the fault-tolerance recovery time distribution across different failure scenarios, thereby evaluating the self-recovery capability and fail-safe triggering characteristics of the hierarchical interlock and defense-in-depth system under complex failure conditions.
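An offline analysis of per-layer trigger/response timestamp records, of the kind the timestamp-recording modules in the real-time test produce, as an added Python example (not the paper's tooling). The record format, the sample values and the per-layer budgets are constructed for the example; the hardware budget follows the ≤ 10 ms fast-interlock figure and the software budget the quoted 200 ms requirement, while the backup budget is a placeholder, not a number from the paper.

```python
"""Offline analysis of per-layer trigger/response timestamp records, of the
kind the timestamp-recording modules in the real-time test produce (added
example; not the paper's tooling). The record format, the sample values and
the per-layer budgets are constructed for this example; the paper reports only
the aggregate figures."""
from collections import defaultdict

# Constructed records: "<layer> <trigger_ns> <response_ns>", one event per line.
SAMPLE_LOG = """\
# layer trigger_ns response_ns
hardware 10000000 18200000
hardware 20000000 28600000
hardware 30000000 39000000
hardware 40000000 48400000
hardware 50000000 58800000
software 10000000 171200000
software 20000000 182000000
software 30000000 192800000
software 40000000 201600000
software 50000000 212400000
backup 10000000 309200000
backup 20000000 320000000
backup 30000000 330800000
backup 40000000 339600000
backup 50000000 350400000
"""

# Assumed budgets for this example: hardware follows the <= 10 ms fast-interlock
# figure, software the quoted 200 ms requirement; the backup value is a placeholder.
BUDGET_MS = {"hardware": 10.0, "software": 200.0, "backup": 400.0}
JITTER_LIMIT_MS = 2.0


def parse_latencies(log: str) -> dict:
    """Group latencies (ms) by layer. Blank and '#' lines are skipped; a malformed
    or negative record raises rather than silently shrinking the sample."""
    by_layer = defaultdict(list)
    for lineno, line in enumerate(log.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            layer, t0, t1 = line.split()
            latency_ms = (int(t1) - int(t0)) / 1e6
        except ValueError as exc:
            raise ValueError(f"bad record on line {lineno}: {line!r}") from exc
        if latency_ms < 0:
            raise ValueError(f"response precedes trigger on line {lineno}")
        by_layer[layer].append(latency_ms)
    return dict(by_layer)


def summarize(by_layer: dict) -> dict:
    """Mean, maximum and jitter (max - min) in ms per layer, rounded to 3 decimals."""
    return {layer: {"n": len(v), "mean": round(sum(v) / len(v), 3),
                    "max": round(max(v), 3), "jitter": round(max(v) - min(v), 3)}
            for layer, v in by_layer.items()}


def check(summary: dict, budget_ms: dict = BUDGET_MS,
          jitter_limit_ms: float = JITTER_LIMIT_MS) -> dict:
    """True per layer when the mean latency is within budget and jitter is under
    the limit. A layer with no budget fails: nothing passes by omission."""
    return {layer: layer in budget_ms and s["mean"] <= budget_ms[layer]
            and s["jitter"] < jitter_limit_ms for layer, s in summary.items()}


if __name__ == "__main__":
    report = summarize(parse_latencies(SAMPLE_LOG))
    verdict = check(report)
    for layer, s in report.items():
        print(layer, s, "PASS" if verdict[layer] else "FAIL")
```

Jitter is taken as the spread (max minus min) of the measured latencies, which is the figure a "below 2 ms" statement is usually read as; a layer that appears in the records without a budget entry deliberately fails, so a mis-labelled channel cannot slip through an acceptance run.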
Functional and performance tests have demonstrated that the proposed layered interlock and defense-in-depth system for the proton accelerator outperforms existing solutions in logical consistency, response speed, and fault tolerance. The hardware layer ensures deterministic and rapid response; the software protection layer enables flexible and reconfigurable logical expansion; and the backup layer provides an independent fail-safe protection loop. The system’s multi-level redundancy mechanism significantly reduces the probability of false triggers and system failure rates, thereby establishing a reproducible engineering framework for the safe control of large-scale accelerator facilities.
CONCLUSION
This paper proposes and implements a hierarchical interlock system for proton accelerators, integrating PLC-based hardware interlocks and EPICS-based software protection to provide an innovative solution to challenges of real-time performance, safety, and flexibility in complex experimental environments.
By introducing a three-tier interlock protection architecture, the system achieves coordinated operation among rapid hardware-level response, flexible software-level configuration, and a defense-in-depth backup layer. This approach enhances the system’s maintainability and scalability while ensuring the safe operation of the accelerator. Notably, the introduction of the node-attribute register mechanism enables more efficient online switching and expansion of device logic, thereby significantly enhancing the system’s adaptability. Furthermore, the soft-protection module, leveraging Python’s computational capabilities, processes complex multi-source data and provides stronger redundancy protection than traditional hardware interlocks. The defense-in-depth backup layer ensures equipment safety during system failures, thereby enhancing the system’s fault tolerance and overall reliability.
Although the proposed system has achieved significant progress in accelerator safety protection, further optimization remains necessary as accelerator facilities continue to expand in scale and complexity. Future research will focus on enhancing the system’s level of intelligence by exploring the application of artificial intelligence (AI) and machine learning (ML) algorithms to enable predictive analysis of equipment status and early fault warning. Additionally, with the advancement of cloud computing and virtualization technologies, cross-platform compatibility and deployment flexibility will become key research priorities, facilitating broader system applications and upgrades across diverse experimental scenarios. Finally, deep integration between software and hardware layers represents a crucial direction for future system development. By more tightly coupling hardware redundancy mechanisms with software logic, the system’s safety and real-time responsiveness can be further enhanced. Through these optimizations and extensions, the system will be better equipped to meet the safety protection requirements of future high-energy physics experiments, nuclear medicine applications, and industrial systems.
BIBLIOGRAPHY
[1] Wang R, Qian C, Guo YH, Zhang P, Ma JD. Automatic spectrum recognition system for charge state analysis in electron cyclotron resonance ion sources. Nuclear Science and Techniques, 34 (11): 178 (2023).
[2] Yuan C, Zhang W, Ma T, Yue M, Wang PP. Design and implementation of accelerator control monitoring system. Nuclear Science and Techniques, 34 (4): 56 (2023).
[3] Zhao K, Chen L, Lv N, Zhou LD, He SY, Ruan JL, Wang H, Ouyang XP. Comprehensive study of pulse shape discrimination in a Ga-doped zinc oxide scintillating detector. Nuclear Science and Techniques, 36 (3): 37 (2025).
[4] Gu YL, Yang F, Guo YY, Yan Z, Huang AJ, Hou J. Insights into the effects of oxygen content regulation on the microstructure and mechanical properties of in situ ODS 304L stainless steel processed by laser powder bed fusion. Nuclear Science and Techniques, 36 (6): 1–18 (2025).
[5] Liu WP, Guo B, An Z, Cui BQ, Fang X, Fu CB, Gao BS, He JJ, Jiang YC, Lv C, et al. Recent progress in nuclear astrophysics research and its astrophysical implications at the China Institute of Atomic Energy. Nuclear Science and Techniques, (12): 217 (2024).
[6] Zhou LY, Zha H, Shi JR, Qiu JQ, Wang CJ, Han YS, Chen HB. A non-invasive diagnostic method of cavity detuning based on a convolutional neural network. Nuclear Science and Techniques, 33 (7): 94 (2022).
[7] Zhang H, Li JZ, Hou R, An S, Xu SQ, Liu YC, Zhang PJ, Song J, Zhang YL. Design and development of an ACCT for the Shanghai advanced proton therapy facility. Nuclear Science and Techniques, 33 (10): 126 (2022).
[8] Deng C, Wang SJ, Hu Q, Tang YH, Li PC, Xie B, Yang JB, Tuo XG, Wang QB. Deep learning-based compressed sampling reconstruction algorithm for digitizing intensive neutron ToF signals. Nuclear Science and Techniques, 36 (7): 112 (2025).
[9] Fu QB, Zhang Y, Wang YC, Huang TC, Zhu HY, Deng XW. Systematic analysis and modeling of the FLASH sparing effect as a function of dose and dose rate. Nuclear Science and Techniques, 35 (10): 171 (2024).
[10] Chen JH, Guo FK, Ma YG, Shen CP, Shou QY, Wang Q, Wu JJ, Zou BS. Production of exotic hadrons in pp and nuclear collisions. Nuclear Science and Techniques, 36 (4): 55 (2025).
[11] Yu YB, Liu GF, Xu W, Li C, Li WM, Xuan K. Research on tune feedback of the Hefei Light Source II based on machine learning. Nuclear Science and Techniques, 33 (3): 28 (2022).
[12] Zhang S, Meng C, Zhou ZS, He X, Zhang JR, Iqbal M, Zhang ZD, Bai BW, Chi YL. Design of 10 MeV electron linear accelerator for space environment simulation. Nuclear Science and Techniques, 35 (10): 177 (2024).
[13] Fang WC, Huang XX, Tan JH, Wang CP, Xiao CC, Lu YX, Zhang Y, Yang YQ, Xu YM, Gong HY, et al. Proton linac-based therapy facility for ultra-high dose rate (FLASH) treatment. Nuclear Science and Techniques, 32 (4): 34 (2021).
[14] Wang JC, Ren J, Jiang W, Ruan XC, Liu YY, Yang HL, Xu KZ, Pan XY, Sun Q, Bao J, et al. In-beam gamma rays of CSNS Back-n characterized by black resonance filter. Nuclear Science and Techniques, 35 (10): 164 (2024).
[15] Qin B, Liu X, Chen QS, Li D, Han WJ, Tan P, Zhang ZQ, Zhou C, Chen AT, Liao YC, et al. Design and development of the beamline for a proton therapy system. Nuclear Science and Techniques, 32 (12): 138 (2021).
[16] Wang SY, Song YT, Feng HS, Li S, Cao HL, Zhang J, Huang OW, Li Z. Design of a personnel safety interlock system for proton therapy. Nuclear Science and Techniques, 32 (4): 39 (2021).
[17] Liu Y, Zhu TF, Luo Z, Ouyang XP. 3D robust anisotropic diffusion filtering algorithm for sparse view neutron computed tomography 3D image reconstruction. Nuclear Science and Techniques, 35 (3): 50 (2024).
[18] Gu YL, Yang F, Guo YY, Yan Z, Huang AJ, Hou J. Insights into the effects of oxygen content regulation on the microstructure and mechanical properties of in situ ODS 304L stainless steel processed by laser powder bed fusion. Nuclear Science and Techniques, 36 (6): 1–18 (2025).
[19] Zheng PS, Shi FR, Dutt S, Zhang YL, Zhang YS, Wang W, Li GS, Wang SC, Yang HR, He JQ, et al. Study of true coincidence summing effects on FEP efficiency of HPGe detectors during decay measurements at HIRFL. Nuclear Science and Techniques, 36 (5): 74 (2025).
[20] Yang LJ, Peng JY, Qiu F, He Y, Ma JY, Xue ZH, Jiang TC, Zhu ZL, Chen Q, Xu CY, et al. Classification of superconducting radio-frequency cavity faults of CAFE2 using machine learning. Nuclear Science and Techniques, 36 (6): 104 (2025).
[21] Mingtao K, Yuliang Z, Dapeng J, Yongcheng H, Mingchuan Z, Peng Z, Xuan W, Fengqin G, Lin W. The machine protection system for CSNS. Radiation Detection Technology and Methods, (2): 273–279 (2021).
[22] Jin H, Choi Y. Development of fast protection system and slow interlock system in the RAON accelerator. Journal of the Korean Physical Society, (7): 601–607 (2020).
[23] Liu S, Wei YX, Lu YR, Wang Z, Han MY, Wei TH, Zheng PF. Design of PLC and EPICS based control system for a deuteron RFQ. Journal of Instrumentation, (06): T06002 (2022).
[24] Xia Y, Wang Q, Zhao J, Feng L, Guo E, Yang T, Wang Y, Li F, Guo Z, He Q, et al. Design and implementation of EPICS on the laser accelerator: CLAPA-I control system upgrade. IEEE Transactions on Nuclear Science, (1): 18–30 (2023).
[25] Nicklaus DJ, Hanlet P, King C, McArthur D, Neswold R. Controls at the Fermilab PIP-II Superconducting Linac. arXiv:2401.15160 (2024).
[26] Tian RX, Wu JX, Li ZX, Gu KW, Su JJ, Ni FF, Wei Y, Xie HM, Li LL, Zhang Y, et al. Design of beam position monitoring interlocking protection system. Proc. IBIC2024, pp. 110–113 (JACoW Publishing, Geneva, Switzerland).
[27] Colinet A, Romera I, Bolton S, Guasch-Martinez J, Martin C, Uythoven J, Secondo R. Testing aspects of the CERN beam interlock system prior to installation in the accelerator. JACoW IPAC2024, THPG59 (2024).
[28] Zhao LL, Yang Z, Guo Y, Zhang J, Chen J, Wang X, Zhang X. Personal Safety Interlock System Based on Siemens Safety PLC. People, (8): 9–10 (2025).
[29] Jena SS, Shrotriya S, Patel NR, Shiju A, Pande M, Joshi G. Interlock protection and monitoring system for SSA. Technical Report (2024).
[30] Sato KC, Kimura T, Yamada S, Kamikubota N, Yamamoto N. The software-based machine protection system using EPICS in J-PARC MR. In: ICALEPCS’19: International Conference on Accelerator and Large Experimental Physics Control Systems, New York, USA, 05–11 October 2019. JACoW Publishing, pp. 1418–1420 (2020).