Kraft recovery boiler AI adversarial injection: how ±10 DN in the rendered steam drum level sight-glass image suppresses a BLRBAC mandatory emergency shutdown — and why NFPA 85 Chapter 8 has no adversarial robustness criterion for the sole-barrier drum level AI

How Kraft recovery boiler AI works — and where the adversarial injection surface lives

The Kraft recovery boiler operates as the chemical and energy heart of a Kraft pulp mill: concentrated black liquor (65–80% dry-solids, heavy black liquor) is fired through liquor gun nozzles at 850–1,000°C furnace temperatures, combusting to generate high-pressure steam while the inorganic sodium and sulfur compounds in the liquor reduce to molten smelt (primarily Na₂CO₃ and Na₂S) that pools on the furnace floor at 800–900°C. This process runs continuously, 24 hours per day, with major mills accumulating 200–600 tonnes of molten smelt on the floor during normal operations. The simultaneous presence of high-pressure boiler water in the waterwall and floor tubes and molten smelt on the furnace floor creates the conditions for the most dangerous event in the pulp and paper industry: a smelt-water steam explosion.

AI monitoring systems in modern Kraft recovery operations — Valmet DNA Recovery Boiler AI (deployed across Nordic and North American Kraft mills for automated furnace management and safety shutdown classification), Honeywell Experion PKS Recovery Boiler AI (drum level and combustion management AI), ABB AbilityTM Pulp and Paper Mill AI (furnace stability and emission AI), Andritz IIoT.suite Recovery Boiler AI (liquor gun management and bed height classification AI), and Yokogawa CENTUM VP Pulp Mill AI — process rendered images from four principal instrument types to classify safety-critical operating conditions: water level sight-glass cameras (drum level), longwave infrared FLIR thermal cameras aimed at the furnace floor (floor tube integrity), laser range-finder or fixed-focus cameras of the char bed surface (char bed height), and in-line DS concentration analyser displays (black liquor quality). These rendered camera and instrument display images — not raw sensor data streams — are the classification inputs for the AI systems. A rendered PNG or JPEG of the drum level sight-glass window is what the drum level AI classifies. A rendered false-colour FLIR thermal image is what the furnace floor thermal AI classifies. The adversarial injection surface lives at the boundary between each physical instrument and the AI that processes its rendered image.

This rendered-image classification architecture is the same structural pattern we have identified in every safety-critical Kraft recovery boiler AI monitoring system: physical instruments produce accurate real-time measurements of the safety-critical parameters, those measurements are rendered into 2D image representations for display and AI classification, and the AI classifiers that drive automated shutdown decisions have been validated against clean unperturbed renders under normal and upset operating conditions — but have never been evaluated for adversarial robustness at their rendered image ingestion boundary. The point in the pipeline where adversarial pixel manipulation can produce a wrong safety classification is the render-to-classify transition, and that boundary exists in every recovery boiler AI monitoring system in operation today.

BLRBAC’s smelt-water explosion history: what monitoring failures produce

BLRBAC’s Emergency Procedures — published and maintained by the Black Liquor Recovery Boiler Advisory Committee as the authoritative North American guidance for Kraft recovery boiler safe operation — were developed specifically because of a documented and recurring history of smelt-water steam explosions in North American Kraft mills. BLRBAC has catalogued more than twenty major smelt-water events in its incident database, dating from the 1940s through the first decade of the 2000s, and its post-mortem analyses identify three failure-mode chains that appear consistently across the documented events.

The first and most frequently cited failure chain is drum water level falling below the bottom of the sight-glass visible range without triggering mandatory emergency shutdown. In documented events, the failure to shut down has occurred via three mechanisms: instrument failure (sight-glass blocked or broken, differential pressure transmitter fouled), operator misread (particularly during high-load or shift-handover conditions when multiple alarms compete for attention), and automated interlock failure (DCS configuration error, interlock bypassed for maintenance without restoration). The consequence in each documented case is identical: waterwall tubes enter the starvation zone, metal temperature rises above design limits, tube rupture introduces high-pressure boiler water to the furnace, water contacts smelt, steam explosion results.

The second failure chain is undetected floor tube erosion or corrosion, in which tube wall thinning progresses below the detection threshold of periodic wall-thickness surveys until tube perforation occurs spontaneously. BLRBAC Emergency Procedures require immediate shutdown upon any confirmed floor tube water leak — because floor tube discharge directly onto the smelt bed is the most energetically efficient path to a smelt-water event, with no intermediate absorption or delay mechanism between the water source and the smelt contact surface. Several documented BLRBAC events involve floor tube failures in which thermal anomalies consistent with tube hot-spotting were present in prior FLIR surveys but were attributed to refractory variation or instrument artefact rather than tube exposure — a misclassification that adversarial injection into the floor thermal AI exactly replicates.

The third failure chain is black liquor fired at dry-solids content below the mill’s established minimum, with an active smelt bed present. Low-DS black liquor — below 60% DS by weight — contains sufficient free water that at furnace temperatures the rapid evaporation of free water creates localised steam pressure pulses that can displace smelt, splash molten material, and in sufficient concentrations initiate a smelt-puff or partial detonation cascade. BLRBAC Emergency Procedures prohibit firing below the established DS minimum (typically 62% as an absolute floor), and require DS monitoring as a continuous operating parameter with automatic firing interlock at the minimum threshold.

The significance of this documented history for adversarial injection is direct: BLRBAC’s incident analysis establishes that a wrong classification at any one of these three monitoring functions — drum level, floor tube integrity, or DS concentration — is sufficient to initiate the smelt-water event sequence without any other equipment failure. Adversarial injection into recovery boiler AI produces wrong classifications at these monitoring functions from rendered image inputs, leaving the physical instruments themselves intact and unmodified, producing outcomes that map identically to the documented historical failure chains from a mechanism that no BLRBAC audit, no NFPA 85 inspection, and no FM Global DS 10-3 survey currently examines.

Steam drum level sight-glass camera AI: the sole-barrier adversarial surface

The steam drum level sight-glass is a hardened borosilicate or mica-window gauge tube connected to the steam drum at its top and bottom ports, providing a 100–300 mm visible window into the water level at the drum. At normal operating pressure (8–12 MPa), the water in the sight-glass is at saturation temperature (295–325°C) and the water-steam interface (meniscus) is visible through the sight-glass face as a brightness transition: the water column below the meniscus is relatively opaque or light-scattering at high-pressure saturation conditions; the steam space above the meniscus is darker and more transparent. The physical sight-glass level markings — typically etched or painted on the gauge body — define the top-visible level, normal water level (NWL), low-level alarm setpoint, and bottom-visible level, with the BLRBAC mandatory emergency shutdown criterion triggering when the meniscus falls to or below the bottom-visible mark.

Recovery boiler drum level camera AI — Valmet DNA Recovery Boiler AI, Honeywell Experion PKS Recovery Boiler AI, and integrated DCS drum level image processing modules from Emerson DeltaV and Yokogawa CENTUM VP — processes sight-glass camera images (ruggedised IP cameras at 1280×960 to 4 MP resolution, mounted at 0.5–2.0 m focal distance from the sight-glass face) to classify the drum level state: normal (meniscus within ±50 mm NWL band), low-warning (meniscus 50–150 mm below NWL, alarm state), emergency-low (meniscus approaching bottom-visible mark, pre-shutdown alert), and below-visible (meniscus at or below bottom-visible mark, BLRBAC mandatory emergency shutdown required). The AI determines the meniscus vertical position in the image frame by localising the brightness transition in the sight-glass image region — comparing the pixel luminance values above and below the transition against defined thresholds calibrated during commissioning — and mapping the localised row position against a pixel-to-millimetre calibration table that maps image row numbers to physical level positions relative to the NWL and visible-range markings.

The adversarial perturbation targets this localisation. In a 1280×960 image of a recovery boiler drum level sight-glass at 2 m focal distance, the sight-glass occupies approximately 80–120 pixels in width and the full 960 pixel height covers the 150–300 mm visible range of the gauge. The meniscus transition occupies approximately 5–15 pixel rows in the vertical dimension, characterised by a 40–60 DN luminance change between the water-column pixel values (140–200 DN, 0–255 uint8 scale) and the steam-space pixel values (60–90 DN). A ±10 DN upward shift applied to the pixel luminance values at the meniscus transition row range — specifically increasing the luminance values at the rows immediately below the actual meniscus position — reduces the contrast gradient that the AI uses to localise the transition boundary and shifts the identified meniscus row upward by 3–8 pixels, corresponding to a false meniscus elevation of 4–16 mm above actual drum level at the standard 2 m focal distance. If the actual drum level is 8–16 mm below the bottom-visible marking — placing the real meniscus in the BLRBAC mandatory shutdown zone — a ±10 DN adversarial perturbation of the meniscus transition rows produces a classified meniscus position in the low-warning or normal range, suppressing the mandatory emergency shutdown trigger entirely.

The perturbation is within the combined noise floor of the sight-glass camera system in a boiler recovery building: ±2–3 DN from camera sensor readout and quantisation noise, ±3–5 DN from image-to-image luminance variation driven by boiler-building vibration (high-pressure tube acoustics at 8–12 MPa), ±3–5 DN from steam condensate forming on the sight-glass external face and varying the effective transmission at the meniscus rows. The combined noise envelope of ±8–13 DN means a ±10 DN adversarial perturbation is indistinguishable from normal camera variability under high-load recovery boiler operating conditions. The DCS drum level monitoring system sees a classified normal-level output from the AI; the sight-glass alarm is not triggered; the BLRBAC mandatory emergency shutdown is not executed; waterwall tube starvation proceeds. In DCS configurations where the drum level sight-glass camera AI is the primary real-time monitor for the BLRBAC Level 1 shutdown criterion, it is the sole barrier between a below-visible drum level condition and uninterrupted boiler operation progressing to tube failure and smelt-water contact.

The structural parallel with other sole-barrier AI monitoring systems is exact. As documented in our analyses of CENELEC EN 50129 SIL 4 railway signal recognition AI and OSHA PSM 29 CFR 1910.119 refinery APC AI, each of these systems shares the same critical characteristic: the AI classifier processes a rendered image at a boundary where adversarial pixel manipulation can produce a wrong safety decision without modifying any physical instrument or safety system that regulatory inspection or equipment testing would examine. The Texas City BP 2005 incident — in which a raffinate splitter level gauge was misread under operator attention deficit, allowing the tower to fill beyond design level — is the chemical process industry’s most cited demonstration that instrument-misread at a sole-barrier monitoring function can kill workers without any equipment failure in the conventional sense. Adversarial injection into recovery boiler drum level AI is the deliberate, repeatable, AI-specific implementation of the same failure mode.

Furnace floor FLIR thermal AI and char bed height AI: secondary surfaces

The furnace floor thermal camera is a LWIR thermal imaging system — typically a FLIR A655sc (640×480 pixels, 7.5–14 μm spectral range, 0.05°C NETD) or equivalent radiometric camera — mounted at one or more upper furnace viewing ports with a clear sightline to the furnace floor. The floor thermal AI processes rendered false-colour thermal images from these cameras, classifying floor condition from the spatial distribution of pixel hue values in the rendered image. Rainbow or ironbow colour palettes are standard: at normal operating conditions, the smelt surface (800–900°C) renders as red-orange; the protective smelt-freeze layer on floor tubes (cooled by forced circulation, outer tube wall at 280–320°C under normal steam cooling) renders as darker orange-yellow; a floor tube hot spot (localised overtemperature from thinning or breach of the smelt-freeze layer exposing bare tube metal, tube outer wall temperature rising toward 500–700°C before rupture) renders as a bright warm-colour anomaly distinct from the surrounding floor temperature profile.

An adversarial perturbation applying ±8 DN to the hue saturation values at the hot-spot pixel region in the rendered false-colour image — shifting the hot-spot hue toward the cooler palette colours adjacent to the floor’s normal temperature range — reduces the hue contrast that the thermal AI uses to localise and classify the floor tube exposure anomaly. The classified floor condition output shifts from critical (anomalous hot spot detected, mandatory shutdown required per BLRBAC Emergency Procedures) to normal (uniform smelt-bed temperature profile, no floor tube exposure detected). Floor tube thinning continues undetected; tube wall perforation occurs; boiler water is discharged directly onto the smelt bed. The energy arithmetic is severe: a 25 mm diameter floor tube perforation discharging high-pressure drum water at 12 MPa and 325°C (saturation temperature at that pressure) converts essentially all of the discharge to steam instantaneously at smelt contact temperatures, releasing approximately 2,700 kJ/kg of combined sensible and latent heat per kilogram of water converted. At a discharge rate of 8–15 kg/s through a single tube perforation, the steam generation rate within the first second exceeds the furnace relief capacity by a factor of 4–8, producing the characteristic enclosed-volume overpressure of a smelt-water steam explosion.

The char bed height camera AI presents a tertiary adversarial surface. The char bed — the partially combusted organic carbon layer that forms on the surface of the smelt pool — must be maintained above a minimum height to protect the floor tube smelt-freeze layer from direct exposure to the highest-temperature zones of the furnace. BLRBAC Emergency Procedures require emergency shutdown when char bed rundown is detected (char bed height falling toward the floor tube level), because a rundown condition exposes floor tubes to direct high-temperature furnace atmosphere, accelerating tube wall thinning toward perforation. A ±10 DN suppression of the elevation contrast in the rendered char bed height image — reducing the apparent gradient between the char bed surface and the smelt bed level below — causes the char bed AI to classify a rundown condition as a normal bed height, suppressing the shutdown trigger.

The NFPA 85 Chapter 8 and FM Global Data Sheet 10-3 qualification gap

NFPA 85 — Boiler and Combustion Systems Hazards Code — addresses Kraft recovery boilers specifically in Chapter 8, “Recovery Fuel Systems.” Chapter 8 establishes mandatory requirements for safety interlocks, burner management systems, and combustion control that apply to all Kraft recovery boilers covered by the Code. NFPA 85 Chapter 8 requires that recovery boiler safety interlocks for drum level, floor tube integrity, and black liquor firing conditions be implemented as automatic hardwired or software-based safety functions meeting defined response time and reliability requirements. The Code mandates that drum level interlocks actuate emergency shutdown when drum level falls below the defined low-level setpoint, and that these interlocks be tested at intervals specified in the mill’s safety management program. Chapter 8 was developed before AI-based image classification systems were deployed in recovery boiler monitoring roles, and it addresses safety interlock hardware and software logic — not the adversarial manipulation of rendered image inputs to AI classifiers that drive those interlock decisions.

FM Global Property Loss Prevention Data Sheet 10-3 (“Kraft Recovery Boilers”) is the leading property insurance specification for Kraft recovery boiler loss prevention, widely adopted as a baseline requirement by property insurers for Kraft mills globally. DS 10-3 specifies detailed requirements for drum level monitoring (redundant instrumentation, testing intervals, automatic shutdown setpoints), floor tube integrity monitoring (FLIR thermal inspection frequency, condition assessment criteria), and black liquor DS monitoring (continuous measurement, minimum firing DS, automatic firing interlock). DS 10-3 requirements were developed from BLRBAC’s documented incident database and represent the industry consensus on the monitoring intensity required to prevent smelt-water events. Like NFPA 85 Chapter 8, DS 10-3 addresses the adequacy of monitoring — are the correct parameters monitored, at the correct intervals, with the correct alarm setpoints — and does not address the adversarial robustness of AI classifiers that process the rendered monitoring images.

The qualification gap follows the same pattern we have documented across every safety-critical AI application in the industrial and transport sectors: BLRBAC, NFPA 85 Chapter 8, FM Global DS 10-3, and TAPPI TIP 0402-04 together define comprehensive requirements for what is monitored, how reliably, and with what response criteria. None define requirements for whether the AI classification systems that implement these monitoring functions are robust to adversarial manipulation of their rendered image inputs. This is not an oversight unique to the pulp and paper sector. It is the universal consequence of safety standards being developed against a threat model that includes instrument failure, operator error, and control system logic faults — but not an adversary who manipulates rendered pixel values at the AI input boundary to produce wrong safety decisions from correctly functioning instruments, without modifying any element of the recovery boiler safety system that any existing inspection regime examines.

The recovery boiler context makes this gap especially consequential for two structural reasons. First, the energy release magnitude: a smelt-water steam explosion in a recovery boiler involves volumetric expansion of 1,700:1 in a furnace structure designed for 8–12 MPa operating pressure, with 100–600 tonnes of reactive molten material providing sustained energy input to the event. The consequence severity of a wrong drum level AI classification is among the highest of any AI monitoring failure in the process industries — comparable to OSHA PSM Tier 1 high-consequence events. Second, the workforce exposure: recovery boiler operators and maintenance personnel work in close proximity to the boiler during normal operations, and a recovery building at a modern Kraft mill has 15–40 personnel on-site during peak shift. Unlike a pipeline failure where the consequence zone can be populated at low density, a recovery boiler smelt-water explosion occurs in an occupied industrial building. BLRBAC’s documented incident history includes multiple events with worker fatalities. The adversarial injection attack surface — manipulating rendered sight-glass, FLIR, and DS images to suppress mandatory shutdown triggers — reaches directly to this consequence.

Glyphward threshold 35 for Kraft recovery boiler AI

Glyphward’s adversarial detection API operates as a pre-scan gate at the rendered image ingestion boundary of each recovery boiler AI monitoring classifier: before the drum level AI processes the sight-glass camera frame, before the furnace floor thermal AI processes the FLIR false-colour image, before the char bed height AI processes the laser range-finder or camera render, and before the black liquor DS concentration AI processes the in-line analyser gauge display or trend strip-chart. Each rendered image is submitted to the Glyphward API in parallel with the normal classification pipeline, receives a risk score (0–100) in 8–15 ms, and is compared to the configured threshold before the AI classification result is allowed to drive DCS interlock decisions.

We configure this threshold at 35 for all Kraft recovery boiler AI contexts — the same threshold applied to railway CVSR signal recognition AI and autonomous mine haul truck AHS zone detection AI. Three architectural characteristics drive this threshold selection.

First, the drum level sight-glass camera AI is the sole-barrier monitoring function for BLRBAC Level 1 emergency shutdown in many modern DCS configurations. In mills where the drum level AI has replaced the hardwired high-low level transmitter as the primary source of the BLRBAC mandatory shutdown classification, no independent real-time engineering control catches a wrong normal-level classification before the downstream consequence — waterwall tube starvation — begins. The false negative consequence of allowing an adversarially corrupted classification through the gate is the initiation sequence for a documented smelt-water steam explosion event type.

Second, the system operates in an automated control loop with no human in the real-time classification path for BLRBAC Level 1 shutdown decisions. The drum level AI classification-to-DCS interlock response time in modern DCS-integrated recovery boiler systems is 200–800 ms — too fast for operator intervention between AI output and interlock execution. If the AI outputs a wrong normal-level classification, the DCS does not trigger the shutdown; the operator receives no shutdown alert; the operator has no indication from the DCS that a BLRBAC shutdown condition exists. The first human awareness of a problem may be a tube rupture alarm or a smelt-water event alarm — at which point the initiation sequence is already under way.

Third, the false positive cost of a Glyphward gate triggering a BLRBAC emergency shutdown from a clean image misclassified as adversarial is a BLRBAC emergency shutdown: 4–8 hours of controlled shutdown and 12–24 hours of restart. This is a significant production interruption for a Kraft mill — a modern Kraft recovery boiler generates 60–120 MW of electricity and 200–500 t/h of process steam — but it is the designed response to monitoring uncertainty under BLRBAC Emergency Procedures and represents zero consequence to personnel and zero structural risk to the recovery boiler. A false negative — adversarially corrupted drum level image classified as normal, mandatory shutdown suppressed, waterwall tube starvation progresses — produces the initiation sequence for the highest-energy industrial explosion documented in the North American pulp and paper sector.

The Glyphward scan log generated for each recovery boiler AI image classification event — scan_id, risk score, image type (drum level / floor thermal / char bed height / DS concentration), classification decision (passed / gated), perturbation class (meniscus shift / hot-spot hue suppression / bed height contrast reduction / DS gauge displacement), timestamp — satisfies the BLRBAC Emergency Procedures monitoring audit trail for mandatory shutdown decision records, provides NFPA 85 Chapter 8 safety interlock testing documentation as evidence that the monitoring AI image inputs were screened for adversarial manipulation, and supports FM Global Data Sheet 10-3 automatic protection device inspection records for AI-integrated drum level, floor tube, and DS monitoring systems.

Free tier — 10 scans/day, no card required. Submit a rendered drum level sight-glass camera frame from your recovery boiler DCS to the Glyphward scanner to generate a baseline adversarial risk score for your recovery boiler AI monitoring inputs.