"Overrule" Safety Automation; Minimum Control Valve Size

A Reader Asks Our Experts to Explain "Underwater Nuclear Reactors" and "Overrule Safety." Plus, What's the Minimum Control Valve Size in an Oil Pipeline?

By Bela Liptak


Q: In your recent article you briefly referred to "underwater nuclear reactors" and to the order of magnitude improvement in their safety through automation. You also talked about "overrule safety" type automation. Could you elaborate on both of these topics a little more? I do not fully understand either term ("overrule safety" and "underwater reactor").

George F. Schmidt

A: The underwater reactor requires a small, artificial lake with the reactor at the bottom of it, inside a containment, as shown on the left of Figure 1. Under normal operation, the containment is evacuated to provide thermal insulation for the reactor, while under emergency conditions (see the right of the figure), the thermal expansion rods expand and open the safety valves so that the water flows by gravity into the containment. This design satisfies two key requirements for "overrule safety:"

  1. Nothing and nobody can turn off either of its energy sources: thermal expansion and gravity.
  2. No other energy source is required. All external and internal energy sources can fail and the shutdown will still take place safely.

I deal with this in detail in my recent book, Automation Can Prevent the Next Fukushima. The general philosophy of "overrule safety" automation is the same for all other processes. Its key characteristic is that nothing and nobody can turn it off. Take, for example, the BP accident: If the controls were so designed that the rig would have been "automatically" disconnected from the well and moved away as soon as fire was detected, 11 lives would have been saved.

Overrule safety also applies to protection against transportation accidents or cyberterrorism. In the case of cyberterrorism, we must understand that a firewall in our digital age is nothing more than what a visitors' door was in the past, and a password is nothing but the key to that door. When applied to protect against cyberterrorism, overrule safety is simply the elimination of both the door and the key. That means the process control computers are not connected to and cannot be accessed by anything or anybody: There is no door for visitors.

Therefore, in this age of cyberterrorism, the only road to absolute safety is to eliminate all wired and wireless contact to the outside, so not even the CEO can turn off the automatic override safety system. The key profession to explain all this to the public and to start applying the concept of overrule safety automation to our control systems is our own.

Béla Lipták

Figure 1. NORMAL (left): Containment is evacuated to thermally insulate the reactor, and the safety valves are closed because the thermal expansion lifting rods are contracted. EMERGENCY (right): Containment is flooded as soon as the safety valves are opened by the thermal expansion of the lifting rods. This automatically cools the reactor.

Q: Minimum Control Valve Size in an Oil Pipeline?

I am Kaushal Shah, working as an instrument design engineer for L&T Chiyoda Limited, India. I have a question concerning the API Standard 553, Section 3: Control Valves / Sub Section 3.1: Valve Body, Clause 3.1.9. The clause states, "The valve body size should be no less than two pipe sizes smaller than the line size. Smaller valve sizes must be reviewed to make sure that line mechanical integrity is not violated."

Here are my questions:

  1. What does line mechanical integrity mean? Are there any guidelines?
  2. How do you ensure that mechanical integrity is achieved? Is there a standard?
  3. How do you demonstrate this to a third party in cases where the control valve size is smaller than two line sizes?

Also, ASME B31.1, which provides a stress analysis technique, does not require that all lines shall have stress analysis. If I am the EPC contractor, and if I need to prove to the licensor/PMC that my valve will not cause problems to mechanical integrity, is there any laid-down standard? Does any standard require that, to prove mechanical integrity, stress analysis must be performed in addition to the requirement specified in ASME B31.1?

Kaushal Shah,

Comments


I almost always agree with Bela Liptak, but I must take exception to one of his "overrule safety" solutions to the nuclear power plant problem. You cannot isolate a nuclear power plant from ANY external data communications. I seem to recall an NRC requirement for "remote operation" of a nuclear power plant in case the local control center becomes damaged or is otherwise inoperable. The requirement was for that plant to be operated from a distant location sufficient to regain control and safely operate it or shut it down in an orderly manner. This does not require an Internet connection, but it is a communications line out of the plant.

I have often heard people exclaim that there should be no internet connections to the process control network, as a solution to the potential for control systems being "hacked." Well, that didn't protect the Iranian uranium enrichment plant from the Stuxnet virus that was probably planted into the operating system of the Siemens System 7 at least a year before it was shipped. These days, it is unrealistic to insist on NO internet connection for any process control system. There are too many necessary vendor support services connected via the Internet that are necessary to keep a modern process control system and the attached smart instrumentation in good repair and fully operational. As always, the Internet connection must be secure and allow only previously authorized connections. It's not impossible to achieve protected access, and all communications must be encrypted to prevent damage and covert data transmission. I didn't say it was easy, and it is usually not fast, but protected Internet connections must be allowed.
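The column and the comment above describe two postures for a process-control network: Lipták's "no door for visitors" (no external connection of any kind) and the commenter's "only previously authorized, encrypted connections". The script below, an added example that is neither Lipták's nor the commenter's code, audits a handful of constructed connection records against each posture and reports what each would reject. The control-network address range, the vendor address, the record format and the allowlist are all assumptions made up for the example.

```python
"""
Audit constructed process-control-network connection records against the
two postures discussed in the column and the comment:

  - "isolated":  no external connection is permitted at all.
  - "allowlist": an external connection is permitted only if the peer and
                 port were authorized in advance and the session is encrypted.
"""
from dataclasses import dataclass
import ipaddress

# Assumed address range of the process-control network (constructed).
CONTROL_NET = ipaddress.ip_network("10.10.0.0/16")

# Pre-authorized vendor-support peers as (address, port); constructed values.
ALLOWLIST = {
    ("203.0.113.10", 443),  # hypothetical vendor support server
}

@dataclass(frozen=True)
class Connection:
    src: str         # initiating address
    dst: str         # destination address
    port: int        # destination port
    encrypted: bool  # whether the session is protected (TLS/VPN)

def is_external(conn: Connection) -> bool:
    """A connection is external if either endpoint lies outside the control network."""
    src_in = ipaddress.ip_address(conn.src) in CONTROL_NET
    dst_in = ipaddress.ip_address(conn.dst) in CONTROL_NET
    return not (src_in and dst_in)

def evaluate(conn: Connection, policy: str):
    """Return None if the posture permits the connection, otherwise a reason string."""
    if not is_external(conn):
        return None  # purely internal traffic is outside the scope of both postures
    if policy == "isolated":
        return "external connection present; isolated posture permits none"
    if policy == "allowlist":
        # The peer is whichever endpoint is outside the control network.
        peer = conn.dst if ipaddress.ip_address(conn.src) in CONTROL_NET else conn.src
        if (peer, conn.port) not in ALLOWLIST:
            return f"peer {peer}:{conn.port} was not previously authorized"
        if not conn.encrypted:
            return f"authorized peer {peer} but the session is not encrypted"
        return None
    raise ValueError(f"unknown policy {policy!r}")

def parse_record(line: str) -> Connection:
    """Parse one constructed record of the form 'src dst port enc|plain'."""
    src, dst, port, mode = line.split()
    return Connection(src, dst, int(port), mode == "enc")

# Constructed sample records (not real logs):
SAMPLE_RECORDS = [
    "10.10.1.5 10.10.1.20 502 plain",     # internal PLC traffic
    "10.10.1.5 203.0.113.10 443 enc",     # authorized, encrypted vendor session
    "198.51.100.7 10.10.1.5 22 enc",      # inbound from an unauthorized peer
    "10.10.1.5 203.0.113.10 443 plain",   # authorized peer, but not encrypted
]

def audit(lines, policy):
    """Return a list of (record, reason) for every record the posture rejects."""
    findings = []
    for line in lines:
        reason = evaluate(parse_record(line), policy)
        if reason is not None:
            findings.append((line, reason))
    return findings

if __name__ == "__main__":
    for policy in ("isolated", "allowlist"):
        print(f"== {policy} ==")
        for record, reason in audit(SAMPLE_RECORDS, policy):
            print(f"  REJECT {record}: {reason}")
```

Run as a script it prints the rejections under each posture: the isolated posture rejects every external record, including the encrypted vendor session, while the allowlist posture admits that one session and still rejects the unauthorized inbound peer and the plaintext session. The difference between the two result sets is exactly the point the commenter is making: the allowlist posture is the one that can accommodate a remote-operation or vendor-support line, at the cost of having to maintain and enforce the allowlist.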

