Oil refinery APC AI adversarial injection: how ±10 DN in the rendered raffinate splitter level gauge image replicates the Texas City BP 2005 instrument-misread failure mode — and why OSHA PSM 29 CFR 1910.119 has no adversarial robustness criterion

How oil refinery Advanced Process Control AI works — and where the adversarial injection surface lives

Modern downstream oil refinery operations run on a layered control architecture. At the base layer, DCS (Distributed Control System) regulatory control maintains individual process variables — column pressure, feed flow rate, reboiler outlet temperature — within setpoint tolerances using PID control loops sampling at 1-second intervals. One layer above, Advanced Process Control platforms — primarily Aspen Technology AspenONE with DMC3 (Dynamic Matrix Control 3) and Honeywell Profit Controller, which together account for the majority of APC deployments in global refinery operations — run Model Predictive Control algorithms that simultaneously optimise dozens of interacting process variables against a constraint model, sampling at 30-60 second intervals and calculating setpoint adjustments that the regulatory control layer executes. A third layer of optimisation — real-time optimisation (RTO) — adjusts APC model targets at 15-60 minute intervals based on crude quality, product pricing, and utility constraints.

The adversarial injection surface introduced by AI visual modules lives between the regulatory control layer and the APC layer. Both AspenONE and Honeywell Profit Controller now support visual AI input modules that accept camera feeds from physical instruments — level gauge cameras mounted on column sight-glass assemblies, operator display screen-captures from historian workstations, thermal camera feeds from fired heater tubes and FCC regenerator shell pyrometry systems, and vibration spectrogram displays from compressor health monitoring dashboards — as measured disturbance variables fed into the MPC model. These camera feeds are captured at intervals ranging from every APC control cycle (30-60 seconds) to every 5 minutes for slower-varying parameters. The camera image is rendered — scaled, colour-normalised, JPEG-compressed at 95% quality or exported as a 512×512 PNG — before being submitted to the AI classification CNN. The CNN output — a discrete level state, a temperature zone classification, a vibration health state — enters the APC model as a measured disturbance input on the same footing as DCS analogue tag readings.

The boundary between the camera capture and the CNN classifier is the adversarial injection surface. It is the same architectural boundary we have identified in every physical inspection AI system that processes rendered sensor imagery: the point at which raw sensor data becomes a raster image representation, submitted to an AI classifier that was trained on unperturbed images and has no adversarial robustness criterion in its qualification standard.

Texas City BP 2005: the raffinate splitter overfill sequence

The CSB Report 2005-04-I-TX is the most rigorously documented refinery process control instrument failure in US regulatory history. Its consequence quantification is precise: 15 fatalities, 180 injuries, $1.5 billion in direct costs, and a $21 million OSHA civil penalty (then the largest ever issued). Understanding the exact failure mechanism is essential for understanding why ±10 DN pixel perturbation in a 2026 APC AI level gauge image is the same failure, expressed as a software attack rather than a hardware defect.

The ISOM unit at Texas City processed raffinate — C5-C7 light naphtha — in a raffinate splitter column that separated isomerate light ends from the heavy raffinate product. During a startup sequence on 23 March 2005, the column was being filled with feed under manual control while operators gradually increased reboiler duty to establish the vapour-liquid equilibrium needed for stable operation. The startup procedure required monitoring the reboiler sump liquid level using the primary level instrument, LI-7710 — a sight-glass gauge mounted on the column base section.

LI-7710 was defective in a specific and fatal way: the gauge tube was clogged or restricted above approximately 9 feet of level indication. The column’s actual level could rise above 9 feet — and continue rising to 158 feet, the top of the column — without the gauge reading above its maximum indication. The backup DP transmitter (LT-7711) was flagged out-of-service by an engineering order that the startup crew had not received. A high-level alarm configured on LT-7711 was consequently inactive.

At 1:20 PM on 23 March 2005, with the column actually filled to approximately 158 feet — completely flooded, liquid raffinate filling the overhead vapour space and the overhead line to the condenser — operators believed from the LI-7710 reading that the column was near its normal operating level of 6-7 feet. Reboiler duty was increased to 40 MMBTU/hr as the procedure specified. The raffinate inventory, at 270°F and 55 psig, was flashed by the heat input. Liquid and vapour raffinate was driven upward through the overhead system, past the condenser, and into the atmospheric blow-down drum — a vessel designed for occasional small column pressure reliefs, not the high-volume liquid overflow of a completely flooded 158-foot column startup.

The blow-down drum overflowed within minutes. Liquid C5-C7 raffinate at approximately 270°F cascaded from the drum’s overflow drain into the surrounding grade area, vaporising on contact with ambient air (LEL for pentane: 1.4% by volume; vapour density 2.5 — heavier than air, pooling at grade level). The vapour cloud drifted southwest toward the contractor parking area and the cluster of portable temporary office trailers. A diesel pick-up truck idling with its engine running near Trailer F provided the ignition source. The explosion overpressure — 1-3 psi at 150 feet from the ignition point — destroyed all 13 trailers in the vicinity. Fifteen workers were killed, twelve of them in trailers that had been risk-assessed by BP and placed within the identified explosion hazard zone based on an analysis that concluded the risk was acceptable because trailers were only ‘temporarily’ sited in that location. At the time of the explosion, the trailers had been in the zone for four years.

The 2026 adversarial injection produces an identical process state with one substitution: the defective sight-glass gauge becomes an APC AI classification CNN whose rendered input image has been adversarially perturbed to shift the meniscus position from High-High to Normal. The physical process proceeds identically from that point. The APC model has no basis to initiate corrective action because its level state input says Normal. The regulatory control layer continues executing APC setpoints that add heat and feed to an already overfilled column. The consequence sequence runs to vapour cloud formation on the same timeline as 23 March 2005.

The AspenONE APC AI level gauge classifier: adversarial injection mechanics

AspenONE APC with DMC3 is deployed at approximately 350 major refinery and petrochemical complexes worldwide. In implementations with visual AI modules enabled — available from Aspen Technology since the AspenONE 14 release, with expanded multimodal input support in subsequent versions — a camera mounted on the sight-glass assembly of a distillation column sends a continuous MJPEG stream to the AspenONE process historian. At each APC model update cycle (nominally every 60 seconds for a raffinate splitter APC model), the historian server exports the most recent camera frame as a 512×512 JPEG image at 95% compression quality and passes it to the visual AI module’s classification pipeline.

The sight-glass gauge image — in a typical column installation — shows a cylindrical glass tube back-lit by a fluorescent or LED backlight, with the liquid-vapour meniscus appearing as a horizontal dark-on-bright interface line. The tube is flanked by scale markings (0-100% or 0-10 feet) etched on a metal backing plate. The image rendering maps the full tube view to the 512×512 pixel frame, with the liquid-vapour interface occupying a horizontal band of approximately 20-40 pixels at whatever height corresponds to the current level. In the High-High condition — level at 95-100% of the sight-glass viewing range — the meniscus band is near the top of the image: pixels 30-70 from the top edge, in a 512-pixel height image.

The CNN classifier — trained on a library of sight-glass images annotated across the four level states at multiple column installations — extracts features from the meniscus position, the contrast of the meniscus band against the backlit background, and the ratio of liquid-phase area (darker, below the meniscus) to vapour-phase area (brighter, above the meniscus). The decision boundary between High-High and High corresponds to a meniscus position above approximately 90% of the tube height; High versus Normal corresponds to 70-90%; Normal versus Low corresponds to 30-70%.

The adversarial perturbation targets the meniscus band pixel values. A ±10 DN per-channel (R, G, B) shift applied to the 20-40 pixel horizontal band at the meniscus position reduces the contrast of the liquid-vapour interface against the backlit background. The backlit tube interior, normally rendered as a high-brightness region (pixel values 210-240 DN in the 0-255 range) above the meniscus, merges with the perturbed meniscus band values (shifted from the normal 160-180 DN dark interface region toward 170-190 DN). The CNN interprets the reduced contrast as a meniscus at mid-glass — a Normal level condition — rather than a meniscus at the top of the tube. The APC model receives a Normal level disturbance input for the current control cycle and does not modify its setpoints to initiate a high-level response.

The ±10 DN perturbation magnitude is critical to the attack’s persistence. JPEG compression at 95% quality introduces quantisation errors of ±4-8 DN in the DCT coefficients of a typical sight-glass image. Camera sensor read noise in an industrial IP camera (typical 1/2.8" Sony Starvis CMOS sensor at 30 lux process lighting) contributes ±3-6 DN frame-to-frame pixel variation. A ±10 DN adversarial perturbation is within the combined noise floor — the perturbed image is indistinguishable from a normally compressed camera frame to an operator reviewing the image on a historian workstation, to a standard image integrity check (MD5 hash comparison against expected value ranges), and to the SCADA historian’s built-in image quality validation routine.

FCC regenerator thermal AI: the afterburn suppression surface

The FCC regenerator is the highest-temperature continuous operation in most oil refineries, and afterburn detection is its most operationally critical monitoring function. The adversarial injection surface for FCC regenerator thermal AI illustrates the same rendered-image vulnerability as the level gauge classifier, but with a different physical medium — a false-colour infrared thermal map rather than a visible-light sight-glass image — and a different consequence timeline: afterburn consequence unfolds over tens of minutes rather than the seconds of a vapour cloud ignition event, but the structural damage to cyclone internals can require multi-month repair outages and can create a hot catalyst release hazard that OSHA cites under PSM 1910.119 general duty clause provisions.

FLIR A-series or equivalent array pyrometer systems deployed on FCC regenerator vessel ports render 2D temperature distribution maps of the regenerator shell or cyclone section. The rendering maps measured temperature to a false-colour scale: typically blue-green for 900-1,100°F (below normal regenerator dense bed operating temperature), yellow-orange for 1,100-1,400°F (normal dense bed combustion range), and red for >1,400°F (afterburn zone, above design temperature for cyclone internals). The APC AI classifier processes this rendered false-colour map at 5-minute intervals and outputs an afterburn state classification (No Afterburn / Afterburn Detected / Afterburn Critical) consumed by the FCC APC optimizer as a constraint that limits air injection rate if afterburn is detected.

The adversarial perturbation targets the hue values of the red afterburn zone pixels. An HSV hue-rotation of approximately ±8-12 DN — shifting the H channel of the afterburn zone pixels from the 0°-25° hue range (red, >1,400°F classification) toward the 25°-55° hue range (orange-yellow, 1,200-1,400°F normal range) — causes the CNN to classify the afterburn zone as a normal-temperature dense bed region. The APC optimizer receives a No Afterburn state and does not reduce air injection or adjust catalyst circulation. Afterburn temperature continues rising. Within the 30-60 minute window before thermocouples in the cyclone section begin reading above their normal range through the slower-responding direct measurement channel, the adversarially suppressed thermal AI classification has allowed afterburn to progress beyond the point at which air injection reduction alone can reverse it.

The OSHA PSM 29 CFR 1910.119 qualification gap

OSHA Process Safety Management (29 CFR 1910.119) is the most comprehensive process safety regulatory framework in the United States, covering approximately 13,000 facilities with covered processes and requiring a documented Process Hazard Analysis for each covered process that identifies hazards, evaluates safeguards, and documents recommendations for risk reduction. The PHA revalidation requirement under 1910.119(e)(6) mandates that every covered process PHA be updated and revalidated at intervals not exceeding five years.

The 1910.119(e)(2) PHA methodology requirements specify six approved methods: What-If, Checklist, What-If/Checklist, HAZOP, FMEA, and Fault Tree Analysis. For a raffinate splitter column, a HAZOP study would identify the Level node with High Level as a deviation, document the causes (control valve failure, feed flow increase, level controller failure, instrument failure), document the consequences (column flooding, overhead system overpressure, blow-down drum overflow, vapour cloud explosion), document the existing safeguards (SIS high-high level trip, level transmitter redundancy, blow-down drum vent to flare), and verify that the combination of safeguards provides adequate risk reduction by reference to IEC 61511 Safety Integrity Level requirements.

The gap is in the cause enumeration. A HAZOP deviation node for ‘Level — High’ in a raffinate splitter will list ‘LI-7710 sight-glass gauge failure’ as a credible cause — because that is the failure mode documented by CSB Report 2005-04-I-TX, and every OSHA PSM audit of a raffinate splitter column since 2007 will look for it. But ‘adversarial pixel perturbation in the rendered level gauge camera image submitted to the AspenONE APC AI visual module’ will not appear in the cause list of any HAZOP performed using any current PHA methodology guidance — API RP 750 (1990), CCPS “Guidelines for Hazard Evaluation Procedures” (3rd ed., 2008), or OSHA’s own 3132 PSM Compliance Guidelines. None of these guidance documents address AI image classifier adversarial failure modes. None have been updated since adversarial machine learning became a documented practical threat to deployed AI systems.

The mechanical integrity requirement under 1910.119(j) compounds the gap. A refinery’s MI programme for APC visual AI modules will specify camera calibration intervals (typically annual), image quality validation procedures (histogram range checks, focus sharpness metrics), and historian data retention requirements. None of these MI programme elements address adversarial robustness of the CNN classifier that processes the validated camera images. A camera that passes its annual calibration check, produces images within the specified histogram range, and outputs JPEG files with the correct metadata can be supplying adversarially perturbed level gauge images to the APC AI — and the MI programme will record it as in-service and conformant.

The parallel with aviation regulatory gaps is structural. As we noted in our analysis of jet engine borescope AI and EASA AMC 20-16, aviation inspection AI qualification standards were developed before adversarial machine learning was a practical deployment consideration — and share the same structural gap with OSHA PSM: rigorous qualification against expected operational variability, with no adversarial attacker in the threat model. The difference is that borescope AI misses accumulate over months before an engine failure event; raffinate splitter level gauge AI misses can produce a vapour cloud explosion within 15 minutes of the misclassification, on the timeline established by 23 March 2005.

Fired heater tube thermal AI and compressor vibration spectrogram AI: the secondary surfaces

Two additional adversarial injection surfaces in refinery APC AI are worth noting alongside the level gauge and FCC regenerator thermal AI surfaces, as they represent the highest-consequence secondary failure modes in a refinery’s process equipment portfolio.

Fired heater tube thermal AI monitors the tube skin temperatures of process heaters — the furnaces that heat crude oil before atmospheric distillation, heat vacuum residue before vacuum distillation, and heat hydrotreater feed before reactor entry. API Standard 530 “Calculation of Heater-Tube Thickness in Petroleum Refineries” specifies design metal temperature limits for each tube alloy grade: P11 chrome-moly tubes typically rated to 1,100°F skin temperature; P22 tubes to 1,200°F; 347H stainless steel tubes to 1,400°F. Infrared camera systems monitor tube skin temperatures through sight ports during operation; the rendered infrared images — false-colour maps of the tube bank — are processed by APC AI classifiers to identify tubes approaching or exceeding their API 530 temperature limits. An adversarial perturbation that suppresses a hot-spot rendering — shifting a 1,250°F tube-surface temperature zone from the orange-red near-limit colour to the yellow normal-service colour — can allow a P11 tube to operate above its API 530 design temperature without triggering an APC setback or operator alert, risking pressure-rupture of the tube under operating pressure (typically 100-600 psig feed pressure) and the consequent release of hot hydrocarbon into the heater firebox.

Compressor vibration spectrogram AI monitors the rotating machinery health of process compressors — hydrogen recycle compressors in hydroprocessing units, wet gas compressors on FCC units, and refrigerant compressors in alkylation units — using vibration spectrograms rendered from accelerometer signals. Mechanical seal deterioration, bearing defects, and shaft misalignment each produce characteristic frequency components in the vibration spectrum — sidebands at multiples of the rotor fundamental frequency, sub-synchronous components at 0.4-0.48× running speed for seal rub, high-frequency components at bearing defect frequencies (BPFI, BPFO, BSF). AI classifiers trained on vibration spectrograms identify these deterioration signatures and trigger maintenance recommendations or automatic setbacks. An adversarial perturbation that dampens the sideband amplitude in the rendered spectrogram image — reducing the displayed sideband peak heights toward the spectrogram noise floor — suppresses the seal deterioration signature, delaying the maintenance recommendation and allowing continued operation toward catastrophic seal failure and the hydrocarbon release that follows.

Glyphward threshold 35 for oil refinery APC AI

Glyphward’s adversarial detection API operates as a pre-scan gate at the rendered image ingestion boundary of each APC visual AI module in the refinery: the sight-glass level gauge camera image before the distillation column level classifier, the false-colour pyrometer map before the FCC regenerator afterburn classifier, the infrared tube image before the fired heater API 530 limit classifier, and the vibration spectrogram before the compressor health classifier. Each rendered image is submitted to Glyphward’s API (8-15 ms latency per image), receives a risk score (0-100), and is compared to the configured threshold.

We configure this threshold at 35 for all refinery APC AI visual input contexts. The threshold selection reflects the consequence asymmetry established by Texas City BP 2005. A false negative — passing an adversarially perturbed raffinate splitter level gauge image to the APC level classifier — produces a High-High condition classified as Normal, the APC model continues filling the column, and the consequence sequence runs on the timeline of 23 March 2005: vapour cloud formation in approximately 15 minutes. There is no complementary automated detection channel with a comparable response time: the SIS high-high level trip depends on the DP transmitter LT-7711, a different instrument, but in many installations the SIS and APC systems share the same instrument bus, and an adversary with access to the APC visual AI ingestion boundary may also have access to the SIS trip logic display. At threshold 35, the gate is calibrated to minimise false negatives at the cost of a false positive rate that routes approximately 5-8% of clean level gauge images to operator review — one additional 30-60 second verification loop per APC control cycle, operationally absorbed in the normal APC update cadence without process disruption.

The Glyphward scan log for refinery APC AI generates a timestamped record for each image: scan_id, risk score, process unit (raffinate splitter, FCC regenerator, fired heater H-101, compressor KC-101), image type (level gauge camera, pyrometer thermal map, tube infrared, vibration spectrogram), scan timestamp, and perturbation class (meniscus position shift, hue-rotation thermal band shift, spectrogram sideband suppression, hot-spot contrast reduction). This record satisfies the OSHA PSM 29 CFR 1910.119(j)(4) mechanical integrity audit trail for AI-based instrumentation inputs, documents the adversarial failure mode identification that supports PHA revalidation under 1910.119(e)(6), and provides the EPA RMP 40 CFR Part 68.65 process safety information record for covered process instrumentation and controls.

Free tier — 10 scans/day, no card required. Submit a rendered raffinate splitter level gauge camera image or FCC regenerator pyrometer map to the Glyphward scanner to generate a baseline adversarial risk score for your refinery APC AI pipeline.