Accelerator Beam Transport High Voltage Power Supply Interlock System
The safe and reliable operation of a particle accelerator depends not only on the performance of its individual components but on the deterministic coordination between them. This is particularly true for the beam transport system, which utilizes a network of high-voltage power supplies to energize electrostatic and magnetic elements—such as steerers, quadrupoles, einzel lenses, and deflectors—that guide and shape the particle beam. An interlock system governing these power supplies is not merely a safety feature; it is the central nervous system of the accelerator's beamline, designed to prevent equipment damage, protect personnel, and ensure beam integrity by enforcing a strict logic of operational states and sequences.
The primary function of the interlock system is to guarantee that the beam is only allowed to propagate when all beamline elements are in a known, safe, and properly configured state. This involves a multi-layered architecture with both hardware and software components, where high-voltage power supplies act as both initiators and recipients of interlock signals. At the most basic level, each power supply is equipped with local fault detection circuits. These monitor critical internal parameters: output over-voltage, over-current, arc detection, component temperature, and cooling flow (if liquid-cooled). The detection of any local fault must generate a "Local Fault" signal. This signal triggers two simultaneous actions. First, it commands the power supply's own output stage to shut down as quickly as possible, typically within microseconds for arc events or milliseconds for thermal faults. Second, it transmits a hardwired digital signal (often a relay contact opening) to the central beamline interlock logic.
This transmission to the central interlock is where system-wide protection is enacted. The interlock logic, usually implemented in a fail-safe programmable logic controller (PLC) or dedicated hardwired relay panels, continuously monitors the status of every interlocked device in the beamline. This includes not only all high-voltage supplies but also vacuum gate valves, beam profile monitors, radiation sensors, and cooling systems. The core logic is often a series of AND conditions. For example: `BEAM PERMIT = Vacuum_OK AND Cooling_OK AND HV_PSU_1_OK AND HV_PSU_2_OK AND ... AND HV_PSU_N_OK`. If any single element signals a fault (a condition becomes FALSE), the master BEAM PERMIT signal is revoked. This signal is typically fed back to the beam source—the ion source or radiofrequency (RF) systems—inhibiting beam generation or injection. It may also trigger fast beam shutters or dump magnets to divert or stop an existing beam in transit.
The interlocking extends beyond simple fault reaction to include operational sequencing. The correct start-up and shutdown of a beamline require a specific order of operations. High voltages on electrostatic elements, for instance, should only be applied after a sufficient vacuum level is achieved to prevent high-voltage discharge. Conversely, vacuum pumps should not be vented while high voltages are active. The interlock system enforces these sequences through permissive interlocks. A "Vacuum_OK" permissive must be present before the high-voltage enable command for an electrostatic steerer is accepted by its power supply controller. The power supply's internal control logic is designed to ignore remote "ON" commands unless all its required external permissive inputs are asserted. This logic is often duplicated in the central PLC for an additional layer of safety.
A critical and complex aspect is the handling of beam-induced faults. A mis-steered or mis-focused beam can strike an aperture or a beam pipe wall, generating secondary electrons, X-rays, or even causing local heating. This can be detected by a sudden increase in current on a collimator or a beam stop, which is typically held at a bias potential by a dedicated high-voltage supply. This supply is configured as a sensitive current monitor. When its output current exceeds a set threshold, it triggers an interlock. The response must be rapid to minimize equipment damage. Therefore, such "beam loss" monitors are often connected directly into a fast, dedicated interlock line that bypasses some of the slower PLC scan cycles, achieving reaction times in the microsecond to millisecond range.
Furthermore, the interlock system must manage the interdependence of power supplies. For example, in an electrostatic deflection system, the two plates of a pair require opposite polarity voltages. A failure of one supply could create a dangerously asymmetric field, deflecting the beam uncontrollably. An interlock scheme can link these supplies, so a fault on one causes the immediate shutdown of its partner. Similarly, the high-voltage supplies for extraction electrodes in an ion source may be interlocked with the source filament supply to prevent improper operation.
Diagnostics and recovery are integrated functions. Following an interlock trip, the system must log the sequence of events (event chronology) to identify the first fault (the "root cause"). Modern power supplies with digital communication (Ethernet, fieldbus) can transmit detailed fault codes to the control system. Before a reset is possible, the interlock system often requires a manual acknowledge and a deliberate reset procedure, which may involve cycling the faulty power supply off and on or performing a diagnostic check. This prevents automatic, uncontrolled restart after a fault.
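The permit logic, permissive check and latched reset described above, modelled in Python as an added example (not code from the original text or from any accelerator control system). The input names follow the BEAM PERMIT expression; the `Interlock` class, the `Vacuum_OK`-only permissive set and the microsecond timestamps are assumptions.

```python
# Added example, not from the original text. Input names follow the page's
# BEAM PERMIT expression; the Interlock class itself is hypothetical.
PERMIT_INPUTS = ("Vacuum_OK", "Cooling_OK", "HV_PSU_1_OK", "HV_PSU_2_OK")
HV_PERMISSIVES = ("Vacuum_OK",)  # assumed permissive set for an HV "ON"


def healthy(inputs, names):
    # Fail-safe read: a missing or non-True input (open contact, broken
    # wire) counts as a fault.
    return {n: inputs.get(n) is True for n in names}


class Interlock:
    def __init__(self):
        self.latched = True        # power-up state is tripped
        self.acknowledged = False
        self.first_fault = None
        self.events = []           # (time_us, input) chronology
        self._last = {}

    def scan(self, t_us, inputs):
        """One logic scan; returns the BEAM PERMIT state."""
        now = healthy(inputs, PERMIT_INPUTS)
        for name, ok in now.items():
            if not ok and self._last.get(name, True):  # falling edge
                self.events.append((t_us, name))
                if not self.latched:                   # first fault of trip
                    self.first_fault = name
                self.latched, self.acknowledged = True, False
        self._last = now
        return all(now.values()) and not self.latched

    def acknowledge(self):
        self.acknowledged = True   # operator action

    def reset(self, inputs):
        """Clears the latch only after acknowledge and with all inputs OK."""
        if self.acknowledged and all(healthy(inputs, PERMIT_INPUTS).values()):
            self.latched = self.acknowledged = False
        return not self.latched

    def hv_on_accepted(self, inputs):
        """A remote HV "ON" is ignored unless every permissive is asserted."""
        return all(healthy(inputs, HV_PERMISSIVES).values())
```

Feeding it a supply fault followed by a consequential vacuum fault leaves `first_fault` on the supply, and the permit stays revoked after the inputs recover until `acknowledge()` and `reset()` are both called.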
In summary, the interlock system for accelerator beam transport high-voltage power supplies is a deterministic safety and orchestration network. It transforms a collection of independent high-voltage modules into a coherent, fault-tolerant beam guidance system. By enforcing hardware-based permissive logic, enabling fast response to beam loss, and managing complex start-up and shutdown sequences, this system protects multi-million-dollar accelerator components from damage and ensures that beam operation is only possible under a comprehensively verified set of safe conditions. It is the foundational element of reliable, hands-off accelerator operation.
