FCC regenerator CO afterburn AI adversarial injection: how ±8 DN in the rendered regenerator temperature display suppresses a CO afterburn approach — and why API RP 571 has no adversarial robustness criterion for FCC advanced process control AI classifying rendered regenerator monitoring displays

The FCC regenerator CO afterburn mechanism: chain-branching chemistry, partial-burn vs full-burn design, and API RP 571 damage classification

The FCC process is built around a continuous catalytic reaction-regeneration cycle. Vacuum gas oil (VGO), atmospheric residue, or heavy distillate feeds — typically 350–570°C boiling range fractions with characterisation factors Kw of 11.0–12.5 — are contacted with hot regenerated zeolite catalyst (typically USY or REUSY zeolite in a silica-alumina matrix, catalyst particle size 60–80 microns, bulk density 700–900 kg/m³) in the riser reactor at contact times of 2–4 seconds and temperatures of 480–550°C. The catalytic cracking reaction produces gasoline-range hydrocarbons (C5–C10 naphtha), C3–C4 LPG fractions (propylene, isobutylene, butane), C1–C2 dry gas, and a by-product coke deposit on the catalyst surface that progressively deactivates the zeolite acid sites. Spent catalyst exits the top of the riser reactor at temperatures of 460–520°C with coke loadings of 4–8 wt% coke-on-catalyst (CRC), depending on feed quality and riser severity. The spent catalyst is separated from cracked product vapour in the reactor cyclone system, stripped of entrained hydrocarbons in the steam stripper section, and transferred via the spent catalyst slide valve (SCSV) to the regenerator.

The regenerator burns coke off the spent catalyst surface in the presence of combustion air supplied by the main air blower — a centrifugal compressor typically rated at 1–3 bar gauge discharge pressure and 50,000–300,000 Nm³/hr flow for industrial-scale FCC units processing 20,000–100,000 barrels per day. The coke combustion reactions produce CO and CO2 in temperature- and air-rate-dependent proportions:

• At air-short (sub-stoichiometric) conditions and dense bed temperatures below 650°C: C + O2 → 2CO predominates (Boudouard kinetics); CO:CO2 ratio in dense bed flue gas approaches 2:1
• At air-excess (above stoichiometric) conditions and dense bed temperatures above 700°C: complete combustion C + O2 → CO2 approaches thermodynamic equilibrium; CO concentration in dense bed flue gas falls below 1–2 vol%

Two distinct regenerator design philosophies manage this CO/CO2 equilibrium chemistry in fundamentally different ways.

The UOP full-burn regenerator — the dominant FCC design at US refineries, first commercialised in the late 1960s following catalyst development that enabled higher regenerator temperatures — operates at air-to-coke ratios above stoichiometric, targeting near-complete CO combustion within the regenerator vessel. Full-burn regenerator dense bed temperatures are maintained at 700–730°C; CO promoter catalyst additives (platinum-group metal catalysts at 1–10 ppm Pt on catalyst inventory) are used to catalyse CO oxidation within the dense bed, reducing CO breakthrough to the dilute phase. Full-burn regenerator flue gas exits with CO concentrations below 0.5 vol% (compared to 5–15 vol% CO in partial-burn flue gas). The advantage of full-burn regeneration is complete heat release from coke combustion within the regenerator — maximising heat for catalyst circulation and riser temperature — without the need for an energy-recovery CO boiler. The disadvantage is sensitivity to air distribution: if the air grid nozzles at the base of the regenerator dense bed develop maldistribution (from nozzle plugging by catalyst fines or coke agglomerates, or from air blower surge reducing air delivery to specific grid sections), local air-short zones develop within the dense bed where incomplete combustion produces elevated CO that accumulates in the dilute phase above the air-short zone.

The Shell/KBR partial-burn regenerator — used in the Shell FCC (RFCC) technology and in older KBR Orthoflow units, as well as in two-stage regenerator designs — intentionally operates CO-rich, with dense bed CO:CO2 ratios of approximately 1:1 and a downstream CO boiler (waste heat boiler) recovering energy from CO combustion. Partial-burn regenerator dense bed temperatures are lower (650–700°C) because heat release from incomplete combustion is lower; catalyst thermal damage is reduced; but the CO-rich flue gas in the dilute phase and upper vessel carries elevated afterburn risk because the CO concentration available for chain-branching reaction is much higher than in full-burn conditions. The CO ignition threshold in CO-rich partial-burn dilute phase conditions is approximately 730–750°C — 10–30°C lower than for full-burn conditions — meaning less of a temperature excursion above the normal operating point triggers afterburn initiation in partial-burn regenerators.

The CO afterburn chain-branching reaction mechanism is the same in both regenerator types. Above the CO ignition threshold, the following chain-branching sequence governs dilute phase temperature rise: (1) initiation — CO + OH• → CO2 + H• (rate-limiting step; catalysed by water vapour from steam injection, which provides the OH• radical at elevated temperature); (2) branching — H• + O2 → HO2• and HO2• → OH• + O•; (3) propagation — O• + CO → CO2 + • (generating additional chain carriers). The net effect is that each OH• radical produced in the branching step initiates another CO oxidation cycle, and the radical population grows faster than termination reactions (chain-carrier collision at the catalyst particle surface, wall effects) can consume it. Above the ignition threshold, this produces an autocatalytic exotherm: the rate of heat generation from CO oxidation exceeds the rate of heat removal by the convective flue gas velocity through the dilute phase, and temperature rises at 20–60°C per minute depending on the CO partial pressure and dilute phase gas velocity. FCC catalyst fines — catalyst particles below 20 microns in diameter that are not captured by the primary and secondary cyclones and remain suspended in the dilute phase — have a heterogeneous catalytic effect on CO oxidation: iron oxide (Fe2O3) in the catalyst matrix catalyses CO oxidation at temperatures above 600°C, potentially lowering the effective afterburn ignition threshold by 20–40°C in catalyst-rich dilute phase conditions.

API RP 571 (Damage Mechanisms Affecting Fixed Equipment in the Refining Industry, 3rd edition 2020) documents FCC regenerator CO afterburn as a primary damage mechanism with a defined consequence pathway: sustained dilute phase temperatures above 850–900°C — temperatures reached within 4–8 minutes of undetected afterburn initiation above 760°C at 20–60°C/min rise rate — produce thermal spalling of the castable refractory lining on the regenerator upper vessel walls, dip leg transition pieces, and cyclone inlet horns; creep failure of carbon steel cyclone anchor bars and hanger rods at temperatures above 870°C (the 100-hour creep rupture limit for ASTM A36 structural carbon steel at 20 MPa applied stress); loss of cyclone support leading to cyclone barrel drop into the dense catalyst bed; and downstream propagation of the hot flue gas and entrained catalyst fines into the CO boiler convection section, waste heat exchanger, and ESP system. See the full FCC unit AI prompt injection technical specification for all four adversarial surfaces, including reactor-regenerator differential pressure AI, wet gas compressor suction pressure AI, and spent catalyst stripper steam flow AI.

ExxonMobil Torrance 2015: FCC unit monitoring boundary failure and community-scale consequence potential

The ExxonMobil Torrance California refinery FCC unit explosion of 18 February 2015 provides the consequence envelope for FCC unit monitoring system failure at this scale. The Torrance refinery — located in Torrance, California, in a densely populated industrial corridor approximately 30 km south of central Los Angeles, surrounded by residential communities with a combined population of over 600,000 — processed approximately 155,000 barrels per day of crude oil and was one of the largest petroleum refineries in the western United States. The refinery’s FCC unit was one of its primary conversion units, processing vacuum gas oil and atmospheric residue from the crude unit into gasoline, propylene, and LPG.

On 18 February 2015, during maintenance activities on the FCC unit’s electrostatic precipitator (ESP) — a vessel in the regenerator flue gas treatment train that removes catalyst fines from the hot flue gas stream before the gas is vented or routed to the CO boiler — a pressure relief device in the ESP system actuated in an uncontrolled manner. The resulting pressure release and explosion caused a high-energy event that scattered metal fragments and equipment debris across the FCC unit plot area. The explosion and associated fire caused injuries to four refinery workers. Refinery personnel and the surrounding community were placed on shelter-in-alert status during the event. The FCC unit was shut down for an extended period for damage inspection and repair.

The chemical safety significance of the Torrance 2015 event is not measured by the direct injuries and property damage — serious as they were — but by the near-miss with the facility’s adjacent HF (hydrofluoric acid) alkylation unit. The Torrance refinery operated an HF alkylation unit — a process that uses hydrofluoric acid as a catalyst to alkylate light olefins (isobutylene, propylene) with isobutane to produce high-octane alkylate gasoline — with an HF acid inventory of approximately 800,000 pounds. HF alkylation units are co-located with FCC units at refineries specifically because the FCC wet gas recovery section provides the butylene and propylene feed for the alkylation reaction — the two units are physically proximate to minimise piping heat loss and compression costs for the C3/C4 feed transfer. At the Torrance refinery, the HF alkylation unit was located approximately 50 feet from the FCC ESP that exploded. Metal fragments and equipment debris from the ESP explosion traveled across the refinery plot, landing in close proximity to the HF alkylation unit structure and piping.

The US Chemical Safety Board (CSB) investigated the Torrance 2015 incident and published its findings, including a video case study. The CSB investigation found that if the explosion debris had struck the HF alkylation unit — specifically, if fragments had penetrated the HF acid containment piping, reactor, or settler vessel — the resulting HF release could have generated a toxic vapour cloud potentially affecting up to 125,000 residents in the surrounding Torrance, Lomita, Redondo Beach, and Hawthorne communities. HF is acutely toxic at concentrations above approximately 30 ppm (TWA); at the inventory levels present in the Torrance HF alkylation unit, a major uncontrolled HF release would create a toxic ground-level vapour cloud extending miles downwind in the low-altitude coastal airshed of the Torrance refinery. The CSB noted that HF alkylation near-miss events at co-located FCC/alkylation refinery configurations were a systemic concern, not limited to the Torrance facility. The Torrance refinery was sold to Tesoro Corporation (subsequently acquired by Andeavor and then Marathon Petroleum) following the 2015 incident; the HF alkylation unit was converted to modified HF alkylation technology as part of the post-acquisition facility reconfiguration.

The Torrance 2015 event was a monitoring and maintenance boundary management failure — not a regenerator afterburn event. The ESP failure during a maintenance pressure management procedure is a distinct initiating cause from the catalyst circulation and CCR excursion scenario that drives the regenerator afterburn in the adversarial injection case study. However, the Torrance 2015 consequence envelope establishes a critical framing: FCC unit monitoring system failures — across any component of the FCC monitoring boundary, whether regenerator temperature, ESP level management, or reactor-regenerator differential pressure — carry community-scale consequence potential when the FCC unit is co-located with HF alkylation, as is the case at numerous US refineries operating under OSHA PSM jurisdiction. The adversarial injection attack on the regenerator temperature display AI targets the monitoring boundary at the highest-consequence upstream point in the FCC system — the regenerator — whose undetected thermal excursion can propagate downstream through the same flue gas system that failed at Torrance in 2015. The structural parallel across refinery AI monitoring contexts — corrosion data exists, classification layer does not produce required intervention, refinery community experiences the consequence — is documented in the CDU overhead HCl corrosion AI adversarial injection post.

Four adversarial injection surfaces in FCC unit monitoring AI: depth on regenerator temperature

1. Regenerator dense bed temperature display AI (UOP Honeywell FCC Advanced Process Control AI, Shell Global Solutions FCC Optimizer AI, KBR Orthoflow regenerator monitoring AI, Emerson DeltaV FCC regenerator AI, AspenTech DMC3 FCC AI — rendered DCS thermocouple trend display classification against afterburn approach threshold)

The FCC regenerator dense bed temperature is the primary real-time indicator of coke combustion state and afterburn proximity. The DCS display for the regenerator temperature section of the FCC operator console shows a multi-trace trend chart: 4–8 thermocouple traces from different radial and axial positions in the dense catalyst bed (typically Type K or Type N thermocouples in protection tubes rated for regenerator gas atmosphere, with signal conditioning to 4–20 mA DCS inputs) and 1–2 dilute phase thermocouples in the upper vessel. The trend chart is updated every 2–5 seconds from the DCS scan cycle and rendered at the FCC operator console at 1920×1080 display resolution. The y-axis scale of the regenerator temperature chart is typically 600–850°C (250°C range) for a full-burn UOP regenerator, spanning approximately 250–300 pixels in the standard DCS trend chart rendering.

The adversarial injection scenario: the FCC unit is processing a feed with Conradson Carbon Residue (CCR) of 1.1 wt% — 0.3 wt% above the design basis of 0.8 wt% CCR, typical of a crude blend shift toward heavier components — which increases coke yield by approximately 0.8 wt% above design. Simultaneously, the regenerated catalyst slide valve (RCSV) is operating at 78% of its normal opening following a positioner maintenance procedure in which the actuator was found to be stiff — a maintenance observation logged but not immediately actioned. The combined effect is a 12% reduction in catalyst heat removal rate from the regenerator and an 8% increase in coke combustion heat input to the regenerator, driving the dense bed reference thermocouple (middle-bed position, thermocouple TC-7012) from its normal setpoint of 715°C to 752°C over approximately 45 minutes. The dilute phase thermocouple TC-7021 reads 762°C — 2°C above the afterburn initiation threshold of 760°C for this regenerator operating condition. The correct classification of this display: afterburn approach detected — initiate afterburn response protocol (reduce air rate to dense bed by 10%, contact operations supervisor, evaluate slide valve actuator fault, reduce riser feed rate by 12–15% to limit additional coke input to regenerator).

The adversarial pixel perturbation: a ±8 DN downward shift applied to the pixel regions encoding the thermocouple TC-7012 and TC-7021 trend lines in the rendered DCS display image shifts both traces downward by 8 digital number units in each RGB channel. In the 250°C y-axis range across 260 display pixels (approximately 1.04 px/°C), a ±8 DN downward shift corresponds to approximately 25–35 pixel downward displacement of the rendered trace positions. At 1.04 px/°C, a 30-pixel downward shift moves the rendered TC-7012 position from the 752°C display position (152px from the 600°C bottom of the chart) to approximately 718°C (123px from bottom) — squarely within the 700–730°C normal operating window. The dilute phase TC-7021 shifts from 762°C (162px from bottom) to approximately 728°C (128px) — also within normal range, no dilute phase temperature elevation visible. The FCC APC AI classifies the perturbed display as normal regenerator operation — no afterburn approach, no intervention required. The RCSV actuator fault is not corrected; the elevated CCR coke input continues; dense bed temperature continues to rise. The actual dense bed temperature reaches 760°C within approximately 2–3 minutes; CO ignition in the dilute phase initiates; dilute phase temperature rises at 30–50°C per minute; the DCS historian records the correct 752°C and rising readings throughout — but these are not the rendered display images the FCC APC AI is classifying.

The dilute phase reaches 850°C within 5–7 minutes of afterburn initiation. Carbon steel cyclone anchor bolts — ASTM A193 Grade B7 alloy steel, rated to 870°C — begin accelerated creep at 850–880°C under the dead weight of the primary cyclone assembly (typically 8–20 tonnes per cyclone, 2–4 primary cyclones per regenerator in a standard UOP two-stage cyclone arrangement). At 900°C, the thermal spalling cycle begins in the hexmesh-anchored castable refractory lining (typically 200–300 mm dense castable plus 50 mm insulating castable on the regenerator upper vessel shell): the coefficient of thermal expansion mismatch between the hexmesh anchors (12 × 10−⁶/°C for carbon steel) and the castable refractory (8–9 × 10−⁶/°C) generates tensile stress at the anchor-refractory interface, fracturing the castable near the anchor tips; large refractory spalls (50–200 mm fragments) dislodge into the dilute phase gas stream. The independent SIS layer — the 2oo3 voting logic on dilute phase thermocouples, actuating main air blower trip and RCSV emergency close at 850°C — initiates approximately 3–5 minutes after afterburn initiation, requiring 2oo3 thermocouple confirmation across the dilute phase array and SIS response time. By the time the SIS trip actuates and blower shutdown reduces air supply to the regenerator, refractory spalling has begun and cyclone anchor creep has accumulated. The 10–15 minute window between AI misclassification and SIS response determines whether the regenerator is recoverable (early SIS catch, refractory damage limited to surface spalling requiring 2–4 weeks repair) or whether cyclong anchor failure requires full vessel entry for structural repair (3–6 month shutdown).

2. Reactor-regenerator differential pressure display AI (additional surface — DP inversion suppression)

The reactor-regenerator differential pressure display AI — classifying rendered DCS dual-indicator displays showing the pressure balance between reactor and regenerator — is a second major adversarial injection surface in FCC unit AI. A ±10 DN shift on the rendered DP display can suppress an inverted DP event (regenerator above reactor pressure, indicating hot catalyst backflow from regenerator to reactor riser) from appearing as the −0.12 bar inversion it is to appearing as the +0.15 bar normal positive DP. The consequence of undetected DP inversion — hot regenerated catalyst at 720°C entering the riser feed injection zone, thermal excursion in the lower riser, potential air/hydrocarbon contact in the reactor stripper — is comparable in severity to afterburn but has a more acute onset timeline: the lower riser thermal excursion begins within seconds of catalyst backflow initiation. The OSHA PSM PHA at every US FCC unit identifies DP inversion as a major hazard scenario; the independent SIS trip for DP inversion (RCSV and SCSV emergency close on low-low DP signal) operates independently of the DP display AI — but the DP SIS trip setpoint is typically at −0.05 bar, meaning the AI misclassification window between −0.12 bar and −0.05 bar SIS activation is only 0.07 bar DP excursion, corresponding to approximately 3–8 minutes of slide valve fault progression before the SIS responds.

3. Wet gas compressor suction pressure AI and 4. Spent catalyst stripper steam flow AI (additional surfaces)

The WGC suction pressure display AI and the stripper steam flow display AI are additional adversarial injection surfaces in the FCC unit AI portfolio, each with distinct failure pathways — WGC surge producing cracked C3/C4 hydrocarbon reverse flow to the fractionator overhead; stripper understeaming increasing effective coke loading on catalyst and raising regenerator temperature toward afterburn as described in surface 1 above. The stripper steam flow adversarial surface is particularly relevant as a cascading contributor to regenerator afterburn: a ±8 DN downward shift suppressing 38% of design steam rate (sparger ring blockage) to appear 94% of design eliminates the upstream warning that elevated entrained hydrocarbon is entering the regenerator and contributing to the dense bed temperature rise that the regenerator temperature AI is simultaneously suppressing in the afterburn approach scenario. The two-surface suppression — regenerator temperature AI (surface 1) plus stripper steam flow AI (surface 4) — eliminates both the consequence indicator and the contributing cause indicator from the FCC APC AI classification layer.

API RP 571, OSHA PSM, and the adversarial robustness gap for FCC advanced process control AI

API RP 571 (Damage Mechanisms Affecting Fixed Equipment in the Refining Industry, 3rd edition 2020) is the refinery industry’s comprehensive reference for identifying, characterising, and managing the damage mechanisms that degrade fixed equipment in service. For FCC units, API RP 571 covers: regenerator CO afterburn (the primary high-consequence damage mechanism); catalyst erosion of regenerator cyclones, flue gas ducting, and CO boiler convection section tubes; high-temperature oxidation of metallic components; refractory degradation by thermal cycling and steam condensation; and downstream damage mechanisms in the FCC gas plant (HCl corrosion, wet H2S cracking). For the regenerator afterburn mechanism, API RP 571 characterises the affected equipment, the damage morphology (thermal spalling, creep, erosion), and the consequence severity — but does not specify requirements for the adversarial robustness of AI systems classifying rendered regenerator monitoring display images at the afterburn detection boundary. The standard was developed to characterise damage mechanisms and inform inspection and integrity programmes; it was not designed to address the adversarial robustness of AI display classification systems, because those systems did not exist in their current form when the API RP 571 framework was established. The 3rd edition (2020) update incorporated new damage mechanisms and updated severity characterisations, but did not add provisions for AI adversarial robustness.

OSHA PSM 29 CFR 1910.119 governs FCC units at US refineries. The PSM standard applies to facilities handling flammable liquids and gases above threshold quantities — FCC units handling gasoline (TQ 10,000 lbs), propylene (TQ 10,000 lbs), and isobutane (TQ 10,000 lbs) easily exceed all applicable thresholds. PSM element (e) (Process Hazard Analysis) requires PHA studies for all PSM-covered processes, conducted using recognised methodologies (HAZOP, What-If, FMEA, or equivalent). PHA studies at virtually all US FCC units — of which approximately 80 units are estimated to be operating under PSM jurisdiction — identify regenerator afterburn as a major accident scenario, typically assigned a high consequence severity (catastrophic, with potential for major property loss and multiple fatalities) and a medium-to-low frequency (occurs at industry-wide frequency of several documented events per decade, but at an individual unit level, probability is moderate with good process control). The PHA documentation for FCC afterburn typically specifies the regenerator temperature monitoring system as the primary prevention safeguard and the regenerator dilute phase high-temperature SIS trip as the independent protection layer (IPL). AI systems deployed to automate the real-time classification of regenerator temperature monitoring displays sit at the primary prevention safeguard boundary — upstream of the SIS IPL — and their adversarial robustness is directly relevant to the PHA risk characterisation. However, OSHA PSM 29 CFR 1910.119(e) does not address adversarial robustness requirements for AI systems performing the monitoring function at the primary safeguard boundary. PSM element (j) (Mechanical Integrity) requires inspection and testing programmes for FCC unit vessels, piping, and instrumentation — but does not specify adversarial robustness for AI classifying rendered instrumentation display outputs. PSM element (l) (Management of Change) requires MOC review before modifying FCC processes — but does not address adversarial robustness for AI systems already in service.

API RP 579-1/ASME FFS-1 (Fitness for Service, 3rd edition 2016) provides engineering assessment methods for determining whether FCC vessels that have experienced thermal excursions — including after-the-fact assessment of regenerator refractory damage from afterburn and cyclone structural assessment for creep damage — can continue in service or require repair. But like API RP 571, API RP 579-1 addresses the consequence assessment framework after a damage event has already occurred, not the adversarial robustness of the monitoring AI that must detect the excursion before structural failure. The API and OSHA regulatory frameworks governing FCC regenerator integrity collectively provide: a comprehensive characterisation of what goes wrong when afterburn occurs; requirements for inspection and testing of the equipment that would be damaged; requirements for PHA coverage of afterburn scenarios; and SIS layer protection at the high-temperature consequence boundary. They do not address whether the AI systems that have been deployed to automate the primary prevention safeguard — real-time classification of rendered regenerator temperature displays — are robust against adversarial pixel perturbation at the afterburn detection boundary. OSHA PSM 29 CFR 1910.119 has the same adversarial robustness gap for refinery advanced process control AI across all unit types — the Texas City BP 2005 tragedy (15 killed, 180 injured) documents the refinery APC monitoring context. The structural pattern is consistent: post-incident regulatory frameworks addressing the human factors failure mode, without extending requirements to the AI display classification layer that now performs the same monitoring function the human failure mode was designed to prevent.

Glyphward threshold 35 for FCC regenerator afterburn AI

Glyphward’s adversarial detection API operates as a pre-classification gate at each rendered-image ingestion boundary in the FCC APC AI pipeline: before the regenerator temperature display AI processes each rendered DCS thermocouple trend chart, before the reactor-regenerator DP display AI processes each rendered pressure indicator image, before the WGC suction pressure AI processes each rendered compressor control display, and before the spent catalyst stripper steam flow AI processes each rendered flow indicator image. Each rendered display image receives a risk score (0–100) in 8–15 ms. At or above threshold 35, Glyphward gates the AI classification and generates an alert that triggers manual verification of the underlying DCS process historian data — the raw thermocouple transmitter records that are not accessible to pixel-level adversarial perturbation because they are stored as time-series engineering unit records rather than rendered as classifiable images.

Threshold 35 for FCC regenerator afterburn AI reflects three factors that distinguish this context from, for example, the offshore subsea wellhead NPT monitoring AI (threshold 30) and align it with the refinery hydrotreater reactor temperature runaway AI (also threshold 35).

First, the catastrophic consequence magnitude of undetected afterburn progression to structural failure. A regenerator afterburn that progresses from initiation through cyclone anchor failure produces: collapse of one or more cyclone assemblies (8–20 tonnes per cyclone) into the dense catalyst bed, disrupting the fluidisation pattern and potentially plugging the spent catalyst slide valve (SCSV) draw-off line; exposure of the regenerator vessel shell to temperatures above the 870°C carbon steel creep limit if refractory spalling is extensive enough to expose the shell; release of hot FCC regenerator flue gas (at 760–850°C) and catalyst fines through failed duct connections to the CO boiler, ESP, or flue gas stack — structures adjacent to other refinery process units including, at multiple US refineries, HF alkylation units. The Torrance 2015 near-miss demonstrates that the consequence of FCC flue gas system failure propagating to co-located HF alkylation infrastructure can affect communities at the 125,000-person scale. This community-scale consequence potential distinguishes threshold 35 for FCC regenerator AI from threshold 30 for offshore well control AI (primarily worker-fatality consequence profile at offshore distance from population centres).

Second, the response time constraint imposed by afterburn chain-branching kinetics. The CO afterburn exotherm, once initiated above the 760°C ignition threshold, rises at 20–60°C per minute under typical afterburn conditions. At 20°C/min (the lower bound), the dilute phase reaches 850°C — the cyclone anchor creep threshold — within 4–5 minutes of initiation. At 60°C/min (the upper bound, in high-CO partial-burn regenerator conditions), the 850°C threshold is reached within 1–2 minutes. The independent SIS layer — 2oo3 dilute phase thermocouple voting at 850°C setpoint, actuating air blower trip and emergency slide valve close — requires 2–4 minutes from temperature threshold exceedance to confirmed trip. The window between AI misclassification and SIS intervention is therefore: time from 752°C misclassification to 760°C actual initiation (2–3 minutes) plus time from 760°C initiation to 850°C SIS setpoint (4–5 minutes at 20°C/min) plus SIS response time (2–4 minutes) = approximately 8–12 minutes from AI misclassification to SIS intervention. During this window, cyclone anchor creep accumulates; refractory spalling begins. Whether the SIS intervention prevents major structural damage depends on how far afterburn has progressed at the moment the SIS fires — a window determined in part by how long the AI misclassification suppressed the early afterburn approach (surface 1: 752°C suppressed to 718°C) before the dilute phase thermocouple rose above 850°C. The finite but consequential window between AI failure and SIS response is the second reason threshold 35 applies here, calibrated at the same level as arc flash PPE AI (no independent interlock before the human works in the wrong PPE) and refinery hydrotreater AI (Tesoro Anacortes: HTHA damage accumulation before structural failure is the pre-consequence window; AI misclassification of the rendered Nelson curve position extends that window).

Third, the false positive cost is proportionate to the false negative cost asymmetry. At threshold 35 in the FCC regenerator temperature context, a Glyphward alert on a perturbed or suspicious regenerator temperature display image triggers manual verification: the operations technician checks the DCS historian for the thermocouple trend from the raw transmitter signal (a 1–3 minute procedure) and confirms whether the thermocouple readings are consistent with the rendered display. If consistent, the alert is closed as false positive; if inconsistent (historian shows 752°C while display shows 718°C), the manual check detects the adversarial suppression and allows the afterburn response protocol to be initiated. The false positive verification cost — 1–3 minutes of operations technician time — is trivial relative to the false negative consequence: undetected afterburn progression to cyclone structural failure, 3–6 months of FCC unit shutdown, $50–200M in repair and lost production costs, and potential community-scale impact if the flue gas system failure propagates to co-located HF infrastructure. The threshold 35 calibration reflects this extreme false negative/false positive cost asymmetry.

Free tier — 10 scans/day, no card required. Submit a rendered DCS regenerator temperature trend chart, reactor-regenerator differential pressure display, or WGC suction pressure display from your FCC monitoring system to the Glyphward scanner to generate a baseline adversarial risk score for your FCC APC AI inputs.