

# **ISTITUTO NAZIONALE DI FISICA NUCLEARE**

## Laboratori Nazionali di Frascati

INFN-25-07-LNF 28 maggio 2025

## MPS DESIGN FOR TEX FACILITY

Giulia Latini<sup>1</sup>, Stefano Pioli<sup>1</sup>, Fabio Cardelli<sup>1</sup> <sup>1)</sup>INFN, Laboratori Nazionali di Frascati, P.O. Box 13, I-00044 Frascati, Italy

#### Abstract

This report outlines the design and validation of a prototype Machine Protection System (MPS) for the TEX facility at LNF-INFN. The system aims to protect critical components of the X-band and C-band accelerator lines by monitoring key subsystems and executing interlocks in response to fault conditions. The architecture is based on NI cRIO controllers with FPGA, integrated via EPICS using Channel Access and MODBUS protocols. The design follows the IEC 61508 standard, with defined Safety Instrumented Functions (SIFs) and the corresponding Safety Integrity Levels (SILs) derived from risk analysis. A logic matrix governs the interlock strategy, while real-time control is implemented in LabVIEW. Reliability calculations confirm compliance with safety requirements without redundancy. This MPS prototype provides a robust framework for machine protection, ensuring both equipment integrity and personnel safety.

PACS:28.41.Te

Published by Laboratori Nazionali di Frascati

#### **1** Project Overview

TEX [1] [2] [3], developed within the framework of the LATINO and Rome Technopole projects [4] [5], is an X-band test facility (11.994 GHz) located in Building 7 of the INFN National Laboratories of Frascati. It will also become a user facility with the construction of the new C-band linac, Fringe. As shown in Figure 1, the TEX layout after a period of construction will consist of a control room, a rack room housing the main control systems, data storage systems, three LLRF systems, two Scandinova X-band modulators [6] operating at 50 Hz and 400 Hz, respectively, and one C-band modulator at 400 Hz for the Fringe linac. Therefore, three klystrons are present, collectively constituting the high-power RF system.

From a design perspective, it is noteworthy that the modulator is equipped with an integrated Beckhoff PLC for interlock detection, while the LLRF systems feature an integrated interlock detection system related to VSWR measurement. Finally, the vacuum system consists of ion pumps (IPs) and cold cathode gauges (CC), managed respectively by IPCMini/4UHV and TPG-500 controllers, along with a cooling system designed to ensure proper heat dissipation from the most sensitive components (BOC and klystrons). The vacuum controllers include an internal interlock implemented with active low logic (NO), meaning a low logic signal indicates the system is in interlock.

Inside the bunker, there are two X-band test stations, an electron gun, and a Cband accelerating structure (Fringe project), 3D-printed RF spiral loads, a beam dump to dissipate the energy of the Fringe electron beam, and a diagnostics system. The latter consists of three Faraday cups for the linac and the structures (downstream and upstream), two toroids, and a Beam Loss Position Monitor based on Cherenkov effect for the two Xband structures. On the bunker roof, there are two X-band BOCs and one C-band BOC. Additionally, an SF6 plant is installed for the linac. The purpose of this document is to



Figure 1: TEX Layout

describe the prototype design of an MPS [7] [8] [9], a machine protection system to be implemented on TEX. This system not only monitors interlocks but also automatically activates procedures to optimize operations, monitor performance, and prevent anomalies by interfacing both with the machine timing control and the personnel protection system (PSS)[9] as shown in Figure 2.



Figure 2: MPS Interface

To ensure that the MPS is safe in terms of functional safety—that is, to guarantee the correct operation of the system and to adopt the necessary risk reduction measures—it is essential to comply with the IEC 61508 standard [10], which is currently in force for all industrial control systems. This standard sets the requirements to ensure that systems consisting of electrical, electronic, or programmable electronic elements (E/E/PE) are designed, implemented, managed, and maintained to provide the required safety integrity level (SIL). In this regard, it is important to specify the meaning of the Safety Instrumented System (SIS) and the respective Safety Instrumented Functions (SIF) it performs within the related project.

The project workflow, depicted by the V-model shown in Figure 3, involves the development of the prototype starting from the necessary requirements and taking into account the specifications. A controller will manage all monitored devices and operate in real time, synergistically coordinating all the subsystems connected to it.



Figure 3: V-Model

The verification phase of a project is a critical process during which activities, documents, and obtained results are examined and evaluated. The objective is to ensure that the project complies with the established specifications, requirements, and standards. Conversely, to guarantee the overall functionality of a system, it is necessary to plan tasks for the so-called validation or testing phase. This step involves comparing the various development stages of components and subsystems, particularly in relation to the verification phase. In between, aligned with the verification phase, the development phase—both hardware and software—is carried out and subsequently validated upon completion through testing.



Figure 4: Systems Connected to MPS

### 2 Risk Analysis and Requirements

#### 2.1 System Requirements (SR)

In the initial phase, the System Requirements (SR) that the intended project must fulfill are defined. Figure 4 shows the definition of the devices that need to be connected to the MPS, so that it can ensure the safe operation of the entire system. It is essential to identify the critical structures subject to monitoring. The critical systems are highlighted in blue, while the less critical ones are marked in red, in accordance with the overall configuration analysis. The supervision of these structures aims to ensure the integrity of the klystrons and other key systems, with particular attention to the protection of ceramic windows.

The following list presents the MPS requirements. This information constitutes the starting point for progressing within the V-model of the project, initially focused on defining the MPS architecture.

- **RS01** Monitor RF input/output signals to the klystrons and accelerating structures, vacuum signals, temperature and power on RF loads, dry cooler temperatures, the building's fire protection system, timing, signals from diagnostics, and signals from the PSS.
- **RS02** Provide an automatic procedure to manage the operation of the systems in response to potential issues affecting internal devices.
- **RS03** Provide proper timing to procedures in relation to the operation of the test stations and the Fringe linac. It is crucial that the management of all devices be strictly synchronized with the repetition rate to ensure adherence to each system's response time. The timing system is external to the MPS and is managed by a dedicated controller.
- **RS04** Record all relevant signals.
- **RS05** Operate even in the event of sudden power supply failures.
- **RS06** React to unexpected alarms from the building's fire protection system by stopping all operations and shutting down the most sensitive devices.

**RS07** Ensure personnel safety (PSS).

## 2.2 System Specifications (SS)

After analyzing and defining the System Requirements (SR), a more detailed project analysis is carried out by translating the requirements into technical specifications. The objective is to draft the functional specifications of the system and of the components intended for the final prototype implementation. The following section presents the system specifications, with explicit references to the corresponding requirements:

- **SS01** To monitor the signals, a multi-head system is required. (Ref. RS01)
- **SS02** To monitor and record the temperature of sensitive devices, PT100 temperature probes are required for the modulators (9 probes, 3 for each klystron) and one for each BOC. Additional spare channels are also available inside and outside the bunker. (Ref. RS01, RS04)
- SS03 A wired network is essential for communication with the high-power RF systems and LLRF systems to monitor signals, detect issues, and activate/deactivate devices. A wired network is also required for communication with CCs and IPs, PT100s, chillers, fluid systems, the building fire safety system, and all diagnostic devices to record, monitor signals, and detect failures. (Ref. RS01, RS04, RS06)
- **SS04** High Power RF, LLRF, and vacuum systems require a fast interlock detection system, referred to as the Fast Interlock System. Considering that the maximum repetition rate of TEX is 400 Hz, response times must be within 2.5 ms. (Ref. RS03)
- **SS05** Data from the cooling system, temperature monitoring system, and diagnostics can be processed with less stringent update rates of approximately 100 ms, in line with EPICS update frequency. (Ref. RS03)
- **SS06** To provide automation capabilities, the control system must include a CPU, an FPGA, and an I/O interface. This can be implemented using an NI cRIO-9057 controller (cRIO 1) equipped with a 1.33 GHz Intel dual-core processor, 4 GB SSD, and Xilinx Artix-7 40 MHz FPGA [11]. Programming is carried out using the G language (LabVIEW), which translates the block diagram into VHDL.

Different types of I/O modules are used:

- NI-9476 output module (sourcing): powered at 24 V with a reference signal, it receives a pilot signal (used to control switches) and generates a small current *i* (logical signal with 24 V logic levels).
- NI-9425 input module (sinking): it receives a current (logical signal at 24 V from the output module) and generates a digital output signal.



Figure 5: Schematic of the output/sourcing module on the left and of the input/sinking module on the right

The schematics are shown in the following Figure 5. To acquire the signal from the toroids, an NI-9220 analog input module with a  $\pm 10$  V range is required. A TTL digital module NI-9401 is used to interface with the timing signal provided by the modulators (X-band at 50 Hz and C-band).

A second controller, the cRIO-9057 (referred to as cRIO2), equipped with four NI-9216 RTD modules, manages the signals coming from the temperature probes.

The TEX control system is based on the EPICS framework (Experimental Physics and Industrial Control System), which processes raw data to generate process variables. These variables are distributed over the network using the 16-bit Channel Access protocol via Ethernet.

Communication with programmable logic controllers (PLCs) is handled using the MODBUS protocol in a server/client configuration.

The communication schematic is shown in the following Figure 6. A watch-



Figure 6: Communication Diagram of CRIO

dog signal is also available to monitor the communication between the FPGA and the CPU, and to alert the system in case of disconnection.

To ensure electrical isolation between the cRIO and the status signals from contact inputs, dedicated terminal blocks are used. These will be installed in various areas of the facility. An exception is made for the signals from the RTD sensors and those related to the SF6 system, which will be connected directly. (Ref. RS02, RS03)

**SS07** In the event of a power outage, it is essential that the Power Supply Unit (PSU) of the cRIO is connected to an Uninterruptible Power Supply (UPS), ensuring system

operation for at least 10 minutes after shutdown:  $T_{\text{wakeup}} = 600 \text{ s}$  (Ref. RS05).

- **SS08** The connection between the UPS and the cRIO must be continuously monitored using a dedicated watchdog signal. If disconnected, the system must be alerted to initiate recovery procedures (Ref. RS05).
- **SS09** In the event of a building fire, the fire alarm signal must be monitored. When the interlock signal is True, both the modulator and the LLRF must be shut down to ensure the safety of the entire facility (Refs. RS06, RS01).
- **SS10** The cRIO verifies the system safety by checking that there are no active interlocks before enabling the trigger. This verification must occur before the next RF pulse (Refs. RS01, RS03).
- **SS11** An advanced breakdown monitoring system is required. It must go beyond vacuum level monitoring and include the analysis of the RF waveform (Refs. RS01, RS02).
- SS12 RF and modulator operations must be inhibited whenever personnel safety conditions, managed by the external PSS (Personnel Safety System), are not satisfied (Ref. RS07).

#### 2.3 Verification Phase

To assess the correctness of the project workflow, a verification phase is carried out. To support this activity, the traceability matrix shown in Table 1 is used to simplify the analysis of project completeness by correlating the System Specifications (SS) with the System Requirements (RS). It is noted that each System Specification is associated with at least one System Requirement.

|             | <b>RS01</b> | <b>RS02</b> | <b>RS03</b> | <b>RS04</b> | <b>RS05</b> | <b>RS06</b> | <b>RS07</b> |
|-------------|-------------|-------------|-------------|-------------|-------------|-------------|-------------|
| <b>SS01</b> | Х           |             |             |             |             |             |             |
| SS02        | Х           |             |             | Х           |             |             |             |
| <b>SS03</b> | Х           |             | Х           | Х           |             |             |             |
| <b>SS04</b> |             |             | Х           |             |             |             |             |
| SS05        |             |             | Х           |             |             |             |             |
| SS06        |             | Х           | Х           |             |             |             |             |
| <b>SS07</b> |             |             |             |             | X           |             |             |
| <b>SS08</b> |             |             |             |             | X           |             |             |
| <b>SS09</b> | Х           |             |             |             |             | Х           |             |
| SS10        | Х           |             |             |             |             |             |             |
| SS11        | Х           | Х           |             |             |             |             |             |
| SS12        |             |             |             |             |             |             | Х           |

| Table | 1: | Traceabil | ity | Matrix |
|-------|----|-----------|-----|--------|
|-------|----|-----------|-----|--------|

## **3** Architecture Design

### 3.1 Communication Architecture

The MPS system architecture is composed of 4 main blocks:



Figure 7: Communication Architecture

- Devices: All types of devices/systems under MPS control.
- EPICS Box: Ethernet network to communicate with devices and the controller while tracking data information. EPICS uses the CA (Channel Access) network protocol based on TCP/IP, which allows many devices to communicate at high speed over the same network. TCP/IP stands for Transmission Control Protocol/Internet Protocol, a system that enables devices connected to the Internet to communicate with each other through networks. A single piece of data, as already described, is called a Process Variable (PV). A PV has a unique name used to reference the data (a naming convention must be chosen). EPICS also implements a Client/Server architecture: a CA Server provides information and services, and a CA Client uses the service or requests the information.
- Control Chassis: Controller (cRIO) to manage the control of all devices. It consists of I/O modules for the use of PVs, CPU, and FPGA (Ref. SS05). To allow the controller to read process variables, MODBUS server/client are used. MODBUS is a communication protocol created to communicate with programmable logic controllers. It can be implemented on both serial ports and Ethernet. In this project, Ethernet is used. The protocol manages 16-bit words. Communication takes place through the Client-Server paradigm. Two power supplies are used to power the system: one connected directly to the grid and one through the UPS, while a diode manages the switching.

• **OPI:** In the control room, multi-head monitors must be present to support monitoring programs, communication interface, and data analysis using LabVIEW.

## 3.2 System Architecture: SIS, SIF e SIL

To comply with the IEC-61508 standard, during the system architecture definition and risk analysis, it is possible to identify the Safety Instrumented Functions (SIF) for the Safety Instrumented System (SIS) and, for each of them, determine the Safety Integrity Level (SIL). All necessary operations have been divided into two categories due to different constraints regarding response time. The SIS in our project represents the MPS. The MPS



Figure 8: Classification of the signals under the control of the MPS

can be classified as a Safety Instrumented System (SIS) since it is designed to preserve the machine's integrity from hazardous conditions that could compromise the acceleration system or its components. The functional safety functions for the SIS are defined as follows:

- 1. **SIF-1:** Real-time control and intervention on critical systems requiring tight response time constraints (LLRF, High Power RF, vacuum), called the Fast Interlock System. Therefore, high reliability is necessary to prevent severe damage to the devices under control.
- SIF-2: Online control called the Supervisor. The Supervisor not only monitors the proper functioning of systems that require only online control (including hardware related to SIF-1) but also intervenes in case of interlocks using specific control routines, since issues detected through the Supervisor can also damage the system devices.

Based also on the risk analysis (failure frequency – severity of the issue in case of system failure), it is possible to define the required SIL for an SIF through the risk matrix shown in Table 2.

• SIL-1 (SIF-1): For real-time systems, it is assumed that the hazard frequency is *Almost certain*, while the effect of the hazard is assumed to be *Non-reportable injury*. In this case, the safety function requires at least SIL-1.



Figure 9: Characterization of the Safety Instrumented Function (SIF)

|                       | Extremely unlikely | Remote possibility | Possible occur | Probably occur | Almost certain |
|-----------------------|--------------------|--------------------|----------------|----------------|----------------|
| Insignificant damage  |                    |                    |                |                |                |
| Non-reportable injury |                    |                    |                |                | SIL-1          |
| Reportable injury     |                    |                    | SIL-1          | SIL-1          | SIL-2          |
| Major injury          |                    |                    | SIL-1          | SIL-2          | SIL-3          |
| Catastrophic injury   | SIL-1              | SIL-1              | SIL-2          | SIL-3          | SIL-3          |

Table 2: Risk Matrix

• SIL-1 (SIF-2): For other systems, it is again assumed that the hazard frequency is *Almost certain*, while the effect of the hazard is assumed to be *Non-reportable injury*. In this case, the safety function requires at least SIL-1.

Furthermore, both SIFs are required to operate with a high risk frequency. For this reason, their SIL is assumed in *Continuous mode*, and therefore only dangerous failures are considered, assuming that the safety function is required either continuously or, on average, once per hour.

According to the table 3, the failure rate  $\lambda$  of SIF-1 and SIF-2 should be between  $10^{-6}$  and  $10^{-5}$ .

| Safety Integrity Level | On Demand mode                | Continuous mode                      |
|------------------------|-------------------------------|--------------------------------------|
| SIL-1                  | $\geq 10^{-2}$ to $< 10^{-1}$ | $\geq 10^{-6}$ to $< 10^{-5}$        |
| SIL-2                  | $\geq 10^{-3}$ to $< 10^{-2}$ | $\geq 10^{-7}$ to $< 10^{-6}$        |
| SIL-3                  | $\geq 10^{-4}$ to $< 10^{-3}$ | $\geq 10^{-8}$ to $< 10^{-7}$        |
| SIL-4                  | $\geq 10^{-5}$ to $< 10^{-4}$ | $\geq 10^{-9} \mbox{ to } < 10^{-8}$ |

Table 3: Safety Integrity Levels (SIL) according to mode of operation

Several factors must be taken into consideration, as they affect every aspect of the project, determining its feasibility and applicability.

First and foremost, it is essential to ensure the system's *reliability*, so that it can meet the required specifications for a sufficiently long period of time starting from its deployment. Next, its *safety* must be considered: the implemented design must not pose a health risk, nor cause damage to objects or the environment in which it will operate. It must comply with the limits set by the applicable CEI standards. Last but not least, its *availability* must be addressed: the probability that the system remains operational regardless of the number of failures already experienced. All these factors depend on the system's *Mean Time Between Failures (MTBF)*. From the failure rate, it follows that the *Mean Time Between Failures (MTBF)*, the average time between one failure and the next, ranges from  $10^5$  h to  $10^6$  h for both SIF-1 and SIF-2.

Defining the *Mean Time To Repair (MTTR)* as the average downtime divided by the number of failures, expressed in hours and set to 30 days (720h), the *availability* (calculated using the minimum MTBF in hours) is given by the following equation:

Availability = 
$$\frac{\text{MTBF}}{\text{MTBF} + \text{MTTR}} = \frac{10^5}{10^5 + 720} \approx 99.9\%$$
  
The *reliability* is defined by the following equation:

$$R = e^{-t/\text{MTBF}} = e^{-t\lambda}$$

where t is the maximum reliability period of a component, which is considered to be up to 20 years if the device is used in a safety system. It is essential to consult the datasheets of all devices constituting the MPS in order to verify that they meet the specifications in terms of failure rate or MTBF.

| Device                     | Quantity | MTBF (h) | ${\rm MTBF}>10^5$ | <b>Reliability</b> $(10y = 87600 h)$ |
|----------------------------|----------|----------|-------------------|--------------------------------------|
| cRIO-9057                  | 2        | 192000   | PASS              | 0.633655403                          |
| NI-9425 32 ch. Sinking DI  | 4        | 1260000  | PASS              | 0.932837923                          |
| NI-9476 32 ch. Sourcing DO | 1        | 1090000  | PASS              | 0.92277765                           |
| NI-9220 16 ch. ±10V AI     | 1        | 1522250  | PASS              | 0.999781024                          |
| NI-9401 TTL 8 ch. DIO      | 1        | 1244763  | PASS              | 0.9320443846                         |
| NI-9216 RTD, 8 ch          | 4        | 891597   | PASS              | 0.9064216652                         |
| DIODE                      | 1        | 4690000  | PASS              | 0.981495315                          |
| PULS                       | 2        | 840000   | PASS              | 0.900967841                          |

Table 4: Availability and Reliability of System Components

To calculate the overall system reliability, it is essential to consider the system architecture: the equivalent reliability of two components in parallel increases compared to the reliability of the individual components, while it decreases when two components are arranged in series. Defining the probability of failure (unreliability) as:

$$Q = 1 - R$$

The reliability of a system in series is given by the following equation:

$$R_s = \prod_i R_i$$

Whereas the reliability of a system in parallel is given by:

$$R_p = 1 - \prod_i (1 - R_i)$$

The reliability block diagram (RBD) used to compute the system reliability, useful in determining the SIL, is shown in Figure 10. Some notes are also provided to help explain the choices made in the configuration.



Figure 10: Reliability Block Diagram (RBD)

The power supply unit is a redundant and fail-safe system; therefore, it is not necessary to include it in the MPS architecture (refer to Figure 11).



Figure 11: PSU Block Diagram

The overall system reliability and thus the MTBF, calculated over a useful life of 20 years, becomes:

$$R_{\text{tot}} = 10^{-6} < 2.66 \cdot 10^{-6} < 10^{-5}, \text{ MTBF}_{\text{tot}} = 376,236.905 \text{ h}$$

The result is in accordance with the required specifications; therefore, the system does not require redundancy. The probability that, due to a failure of the MPS system, a dangerous failure occurs within 20 years on an hourly basis is equal to:

0.000266%

## 4 Logic Matrix

• Modulator interlock system:



Figure 12: Modulator interlock system (Procedure)

• Vacuum interlock system:



Figure 13: Vacuum interlock system (Procedure)

• Cooling system interlock:



Figure 14: Cooling system interlock (Procedure)

• Interlock related to the temperatures of the spiral RF loads:



Figure 15: Interlock related to the temperatures of the spiral RF loads (Procedure)

• Fire alarm interlock:



Figure 16: Fire alarm interlock (Procedure)



Figure 17: Interlock system for LLRF (Procedure)

- Interlock system for LLRF (routine waveform mask):
- Interlock system for the Faraday cup <sup>1</sup>:



Figure 18: Interlock system for the Faraday cup (Procedure)

• Interlock system related to the PSS <sup>2</sup>:



Figure 19: Interlock system related to the PSS (Procedure)

<sup>&</sup>lt;sup>1</sup>The condition in which the Faraday cup signal can trigger an interlock is related to various causes of a breakdown that may influence the increase or decrease of the beam current (electrical discharge phenomena, structural defects or inadequate insulation, electrical resonances, overload, human error)

<sup>&</sup>lt;sup>2</sup>The condition in which the PSS signal can trigger an interlock is related to various causes that could put personnel at risk.

#### 5 Software Design

As illustrated in the diagram in Figure 20, the FPGA executes a state machine with a "read-search-set" cycle or enters a sleep-mode to ensure the system's fail-safe behavior:



Figure 20: MPS Flowchart

- 1. **Read:** Signals are acquired from various devices and transferred to the FPGA's I/O modules.
- 2. Search: The signals from the I/O modules are read. The cRIO searches for any interlock conditions in the logic matrix by comparing the input states against pre-defined fault conditions.
- 3. Set: The cRIO sets the output signals on the I/O modules to disable specific subsystems according to the logic matrix. The system enters a fail-safe loop in case of a CPU – FPGA communication failure.

The entire system was implemented using LabVIEW, the G programming language developed for National Instruments hardware. As described (Ref. ), LabVIEW enables both the programming of the Field Programmable Gate Array integrated in the controller and the development of the user interface.

## 6 Hardware Design

The philosophy behind the MPS is to provide a fully automated system capable of operating the accelerator equipment independently of operator activity, without affecting uptime. For these reasons, a Field-Programmable Gate Array (FPGA) was chosen to manage the control of devices under the MPS, as it is capable of executing software in less than one millisecond (Ref. SS04) while providing the required reliability. Specifically, a National Instruments cRIO 9057 was selected for implementation (Ref. SS05).



Figure 21: MPS Block Diagram

The system as a whole is structured as shown in Figure 21. The Devices Under Test (DUTs) will be distributed throughout the facility along the three lines (from the modulators to the bunker). The controllers, located in two different zones as shown in Figure 22, communicate via software.



Figure 22: Position of the MPS core within the TEX Facility

#### 7 Validation Phase

This chapter describes the validation phase of the Machine Protection System (MPS) developed during the project. The goal of this phase is to verify that the system operates according to the defined specifications, ensuring both functional correctness and safety.

Validation has been carried out through a series of structured tests aimed at assessing the behavior of the hardware and software components under expected operating conditions. Particular attention was given to the responsiveness and reliability of the control logic implemented on the FPGA and the communication with the field devices via the cRIO platform.

The results of these validation activities are reported in the following tables, each corresponding to a Specification Test (ST), which collectively demonstrate that the MPS meets the project requirements and is suitable for deployment.

| ID Test     | ST01                                                 |
|-------------|------------------------------------------------------|
| Туре        | Harware/Software                                     |
| Objective   | Verify the operation of the cRIOs                    |
| Setup       | Ethernet connection of the device to the TEX network |
| Procedure   | Basic commands tested using LabVIEW                  |
| Pass/Fail   | Pass                                                 |
| Conclusions | The cRIOs are connected and operating correctly      |

Figure 23: Specification Test 1

| ID Test     | ST02                                                                           |
|-------------|--------------------------------------------------------------------------------|
| Туре        | Manual/Software                                                                |
| Objective   | Verify the connection of all devices with CRIO                                 |
| Setup       | Connect all devices under MPS control to the terminal<br>blocks /cRIO modules. |
| Procedure   | Verify signal reading/writing using LabVIEW                                    |
| Pass/Fail   | Pass                                                                           |
| Conclusions | The devices are correctly connected with CRIO                                  |

Figure 24: Specification Test 2

| ID Test     | ST03                                                               |  |
|-------------|--------------------------------------------------------------------|--|
| Туре        | Software                                                           |  |
| Objective   | Verify the operation of the state machine implemented via software |  |
| Setup       | LabVIEW connected to the cRIO with the implemented state machine   |  |
| Procedure   | Simulate an interlock and verify whether the MPS behaves correctly |  |
| Pass/Fail   | Pass                                                               |  |
| Conclusions | The MPS brings the machine to a safe condition                     |  |

Figure 25: Specification Test 3

To conclude the validation phase, a traceability matrix has been compiled to map each Specification Test (ST) to the corresponding System Requirements (SR). This matrix provides a clear overview of how the implemented tests address the functional expectations defined at the beginning of the design process. It is important to highlight that all three Specifications Test (ST01, ST02, and ST03) have successfully verified the correct operation of the system in accordance with the specified requirements. This confirms that the Machine Protection System, as designed and implemented, is compliant with the project objectives and is ready for operational deployment.

|             | ST01 | ST02 | <b>ST03</b> |
|-------------|------|------|-------------|
| <b>SS01</b> | X    | X    | Х           |
| SS02        |      | Х    |             |
| SS03        | Х    | Х    | Х           |
| SS04        |      |      | Х           |
| SS05        |      | Х    | Х           |
| <b>SS06</b> | Х    | Х    | Х           |
| SS07        | Х    |      |             |
| <b>SS08</b> | Х    |      |             |
| SS09        |      |      | Х           |
| SS10        |      |      | Х           |
| SS11        |      |      | Х           |
| SS12        |      |      | Х           |

Table 5: Test Traceability Matrix

#### References

- [1] TEX Facility @ LNF, Available (27/05/2025): https://tex.lnf.infn.it/.
- [2] F.Cardelli, Advancements in X-band technology at the TEX facility at INFN LNF in: Proc. 14th International Particle Accelerator Conference, May 2023.
- [3] S. Pioli, TEX an X-Band Test Facility at INFN-LNF, in Proc. 12th International Particle Accelerator Conference, May 2021.
- [4] L. Sabbatini, The LATINO Project-An Italian Perspective on Connecting SMEs with Research Infrastructures, in Proc. 10th International Particle Accelerator Conference, May 2019.
- [5] Rome Technopole @ INFN Frascati National Laboratories, Available (27/05/2025): https://rometechnopole.lnf.infn.it/.
- [6] ScandiNova systems, Available (27/05/2025): https://scandinovasystems.com.
- [7] S. Pioli, The Machine Protection System for the ELI-NP Gamma Beam System, in Proc. 8th International Particle Accelerator Conference, May 2017.
- [8] G. Latini, Machine protection system for TEX facility, in Proc. 15th International Particle Accelerator Conference, May 2024.

- [9] S. Pioli, Advanced beam protection systems for high brightness electron-beam and linac-based Compton sources, in Internal Note @ LNF-INFN, April 2019.
- [10] IEC 61508, Available (27/05/2025): https://webstore.iec.ch/publication/22273.
- [11] National Instruments, Available (27/05/2025): https://www.ni.com/it-it.