Prompt injection in oil refinery and petrochemical plant process control AI

Downstream oil refining is the world’s most energy-intensive continuous manufacturing sector. The global refinery fleet — approximately 700 operating refineries across 130 countries with a combined nameplate crude distillation capacity exceeding 102 million barrels per day — converts crude oil and condensates into transportation fuels, petrochemical feedstocks, lubricants, and bitumen through a cascade of high-temperature, high-pressure unit operations: atmospheric and vacuum distillation, fluid catalytic cracking (FCC), hydroprocessing, catalytic reforming, alkylation, and fired-furnace thermal cracking. Every major unit in a modern refinery operates under OSHA Process Safety Management (29 CFR 1910.119), which requires process hazard analysis, mechanical integrity programmes, and pre-startup safety reviews for processes involving more than 10,000 lbs of a flammable substance or threshold quantities of acutely toxic chemicals. The EPA Risk Management Program (40 CFR Part 68) additionally mandates off-site consequence analysis and five-year accident history disclosure for the same covered processes, because the loss-of-containment events that downstream refining units are designed to prevent — unconfined vapour cloud explosions (UVCEs), boilover events in atmospheric storage, toxic hydrocarbon releases — carry off-site impact radii measured in kilometres. The consequence calibration point for refinery process control failure is the Texas City BP refinery explosion of 23 March 2005: fifteen workers were killed and 180 were injured when the ISOM unit raffinate splitter tower was overfilled during a startup sequence, producing a liquid hydrocarbon overflow that flashed into a vapour cloud and ignited. 
The CSB investigation (report 2005-04-I-TX) identified level indicator failure as the proximate cause; operators believed the splitter tower was being refilled from a low-level condition because a sight-glass level gauge read low, when in fact the tower was already dangerously overfull. In 2005, that sight gauge was a physical instrument; in 2026, the equivalent instruments in modern Advanced Process Control (APC) deployments are camera feeds rendered into AI classification inputs. Aspen Technology AspenONE APC AI, Honeywell Profit Controller and UniSim AI, ABB Ability Collaborative Operations AI, KBC Advanced Technologies Petro-SIM AI, Yokogawa OpreX Control AI, and AVEVA Process Optimization AI now process rendered optical gauge images, false-colour thermal maps of FCC regenerators, fired heater tube infrared inspection frames, and compressor vibration spectrograms as multimodal inputs driving closed-loop process control decisions — feed rates, reflux ratios, regenerator temperature targets, tube replacement notifications, and compressor shutdown initiations — with sub-minute response cycles and without manual confirmation loops. An adversarial pixel perturbation of as little as ±10 DN in the rendered input image at any of these AI classification boundaries can replicate the instrument-misread failure mode that produced Texas City: the AI classifies an anomalous level signature as a normal operating state, the APC system does not issue an alarm or initiate corrective action, and the consequence envelope runs from column overflow to catastrophic boilover.

TL;DR

Oil refinery and petrochemical process control AI — distillation column optical gauge AI, FCC regenerator false-colour thermal AI, fired heater tube inspection AI, and compressor vibration spectrogram AI — processes rendered images at classification boundaries where adversarial pixel injection of ±8–10 DN can suppress liquid level anomalies during startup, hide afterburn zones in FCC regenerators, prevent tube hot-spot detection in fired heaters above the API 530 skin temperature limit, and mask seal deterioration in high-pressure compressors; a missed level anomaly in a raffinate splitter column replicates the Texas City ISOM failure mode that killed 15 workers in 2005, yet OSHA PSM 29 CFR 1910.119 and EPA RMP 40 CFR Part 68 contain no adversarial robustness requirement for APC AI image classification. Glyphward threshold 35 for refinery APC AI contexts.

Four adversarial injection surfaces in oil refinery and petrochemical plant process control AI

1. Distillation column level gauge image AI (Aspen Technology AspenONE APC AI, Honeywell UniSim AI, Yokogawa OpreX DCS visual AI)

Atmospheric crude distillation units (CDUs), vacuum distillation units (VDUs), and downstream separation columns in refinery operations — including raffinate splitter columns in ISOM units, depropaniser and debutaniser towers in gas separation, and stripper columns in hydroprocessing units — rely on accurate liquid level measurement at multiple points in the column internals: reboiler sump level, reflux drum accumulator level, and overhead condensate drum level. In modern APC deployments using Aspen Technology AspenONE Advanced Process Control AI, Honeywell UniSim AI, and Yokogawa OpreX Control AI with visual instrument integration, optical camera feeds from column sight-glass gauges and differential pressure transmitter indicator panels are rendered as digital images and processed by a convolutional classification network to determine the current level state — categorised as Low, Normal, High, or High-High — and fed back into the APC multivariable predictive control (MPC) model as a measured disturbance input. The APC model uses this level classification to adjust column feed rate, reflux ratio, reboiler duty, and overhead condenser duty in a closed-loop cycle running at intervals of 30 to 60 seconds. The regulatory requirement for liquid level management in OSHA PSM-covered columns is embedded in 29 CFR 1910.119(j)(4)(i), which mandates that process equipment critical to safe operation is maintained in a safe operating condition — interpreted by OSHA to include level instrumentation accuracy. API RP 750 (Management of Process Hazards) section 5.4 further identifies liquid level control as a Layer of Protection in the HAZOP safeguard hierarchy for distillation column operations, with a required probability of failure on demand (PFD) of less than 0.1 for process alarm functions and less than 0.01 for Safety Instrumented System (SIS) level high-high trip functions, per IEC 61511.

The adversarial perturbation for distillation column level gauge AI is a uniform ±10 DN compression of the reflux drum high-level signature region in the rendered gauge image. In a standard optical sight-glass gauge image, the high liquid level state presents as a bright illuminated band (approximately 180–220 DN in an 8-bit greyscale normalisation) in the upper portion of the gauge glass capture window, whereas the normal operating level band presents at approximately 100–140 DN. A ±10 DN perturbation distributed across the high-level indicator region compresses this band toward the normal operating range, causing the Aspen or Honeywell classification model — which has been trained on nominal site imagery without adversarial augmentation — to output a Normal level classification instead of High. The APC model receiving a Normal level input does not increase overhead condenser duty or reduce column feed rate. If this misclassification occurs during the startup sequence of a raffinate splitter column — the exact operational phase in which the Texas City ISOM unit (CSB report 2005-04-I-TX) was operating when its level indicators failed — the tower continues to be fed until raffinate overflows the reflux drum, falls into the overhead product rundown system, and either backs up into a vent stack (as at Texas City, where vapour was released through a blowdown drum stack lacking a flare connection) or directly releases into a process area where it can contact an ignition source. The CSB noted that the site relied on a single sight glass read by a single operator; in a 2026 APC deployment, the equivalent single point of failure is the AI classification gate for the rendered gauge image, and it requires no physical access to perturb.

2. FCC regenerator temperature profile AI (UOP/Honeywell FCC AI, W.R. Grace FCC catalyst AI, Axens Prime-G+ AI)

Fluid Catalytic Cracking (FCC) units are the conversion workhorses of complex refineries, thermally cracking vacuum gasoil (VGO) and atmospheric residue over a fluidised zeolite catalyst bed at riser temperatures of 490–540°C to produce high-octane gasoline, light cycle oil (LCO), and C3/C4 olefins as petrochemical feedstocks. The FCC regenerator — where coked spent catalyst is burned in a controlled oxygen environment to restore catalytic activity before being recycled to the riser — operates at nominal dense-bed temperatures of 680–730°C. An afterburn condition — incomplete coke combustion in the dense bed causing CO to burn to CO2 in the dilute phase above the bed — produces a local temperature excursion above 870°C (1,600°F) in the regenerator cyclone system and upper dilute phase. Afterburn is the leading cause of FCC regenerator refractory damage and cyclone metal erosion: sustained afterburn above 900°C causes rapid alumina refractory spalling, cyclone barrel thinning at weld junctions, and in severe cases regenerator vessel shell overtemperature that can progress to structural failure. UOP/Honeywell FCC AI, W.R. Grace FCC catalyst AI, and Axens Prime-G+ AI now process regenerator catalyst temperature distribution data rendered as false-colour thermal maps — where colour encodes thermocouple array or infrared pyrometer spatial temperature readings across the regenerator vertical cross-section — to classify regenerator state (Normal Combustion, Mild Afterburn Warning, Severe Afterburn Alert) and drive air blower adjustment, catalyst circulation rate changes, and CO promoter injection rate decisions in the APC model. The classification threshold between the Mild Afterburn Warning and Normal Combustion states determines whether the APC increases combustion air flow to reduce afterburn or continues at current air rate. 
API RP 752 (Management of Hazards Associated with Location of Process Plant Permanent Buildings) requires consequence analysis for events including regenerator vessel failures because of the blast radius implication for occupied control buildings.

The adversarial perturbation for FCC regenerator temperature profile AI targets the hue channel of the false-colour thermal map rendered by the APC system’s visualisation layer. In standard FCC regenerator false-colour maps, the afterburn hot-spot region (temperatures above 870°C / 1,600°F) is encoded as a red or white-red colour region (hue values 0–15° in HSV space) within the dilute phase upper regenerator zone, while the normal dense-bed operating temperature region (680–730°C / 1,255–1,346°F) is encoded as orange-yellow (hue values 25–45°). A targeted hue rotation of approximately 20–30° applied to the red afterburn zone pixels shifts those pixel hue values into the yellow-orange normal operating range, causing the UOP/Honeywell or Axens classification model to output a Normal Combustion state rather than a Mild or Severe Afterburn Alert. The APC model receiving a Normal state does not increase air blower output to suppress afterburn. At sustained afterburn conditions above 870°C in the dilute phase, refractory spalling onset occurs within 6–12 hours for dense-castable refractory and within 2–4 hours for lightweight insulating refractory in the cyclone barrels. If spalled refractory material falls into the regenerator dense bed and causes catalyst distribution disruption, the afterburn can intensify — and the APC model continues to classify the (increasingly perturbed) thermal map as Normal throughout the escalation, because the adversarial perturbation has not been removed from the image pipeline.
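A consistency check a defender can run beside the classifier, using the hue bands and temperatures quoted above. This is an added example, not vendor or Glyphward code; it assumes the raw thermocouple reading behind each map cell is available over a path separate from the rendered image, and the cell layout, function names and sample values are constructed for illustration.

```python
import colorsys

# Temperatures and hue bands quoted in the text for the false-colour map.
AFTERBURN_TEMP_C = 870.0
NORMAL_TEMP_C = (680.0, 730.0)
AFTERBURN_HUE_DEG = (0.0, 15.0)
NORMAL_HUE_DEG = (25.0, 45.0)


def hue_degrees(rgb):
    """Return the HSV hue of an 8-bit RGB pixel in degrees, or None for grey pixels."""
    r, g, b = (channel / 255.0 for channel in rgb)
    hue, saturation, _value = colorsys.rgb_to_hsv(r, g, b)
    return None if saturation == 0.0 else hue * 360.0


def band_from_temperature(temp_c):
    """Band the renderer should have drawn; None where the text gives no hue range."""
    if temp_c > AFTERBURN_TEMP_C:
        return "afterburn"
    if NORMAL_TEMP_C[0] <= temp_c <= NORMAL_TEMP_C[1]:
        return "normal"
    return None


def band_from_pixel(rgb):
    """Band the rendered pixel actually falls in, judged by hue alone."""
    hue = hue_degrees(rgb)
    if hue is None:
        return None
    if AFTERBURN_HUE_DEG[0] <= hue <= AFTERBURN_HUE_DEG[1]:
        return "afterburn"
    if NORMAL_HUE_DEG[0] <= hue <= NORMAL_HUE_DEG[1]:
        return "normal"
    return None


def find_mismatches(cells):
    """List cells whose rendered hue band disagrees with the raw reading."""
    mismatches = []
    for cell in cells:
        expected = band_from_temperature(cell["temp_c"])
        if expected is None:
            continue  # no hue range stated for this temperature, nothing to compare
        rendered = band_from_pixel(cell["rgb"])
        if rendered != expected:
            mismatches.append({
                "cell": cell["cell"],
                "temp_c": cell["temp_c"],
                "expected": expected,
                "rendered": rendered,
            })
    return mismatches


def frame_trusted(cells):
    """A frame is trusted only if every comparable cell matches its raw reading."""
    return not find_mismatches(cells)


# Constructed sample: thermocouple ids, raw readings and the pixel drawn for each.
SAMPLE_CELLS = [
    {"cell": "TC-01", "temp_c": 705.0, "rgb": (255, 149, 0)},  # dense bed, orange
    {"cell": "TC-04", "temp_c": 905.0, "rgb": (255, 21, 0)},   # afterburn, red
    {"cell": "TC-07", "temp_c": 912.0, "rgb": (255, 140, 0)},  # afterburn drawn orange
    {"cell": "TC-09", "temp_c": 800.0, "rgb": (255, 60, 0)},   # no stated hue range
]

if __name__ == "__main__":
    for mismatch in find_mismatches(SAMPLE_CELLS):
        print(mismatch)
    print("frame trusted:", frame_trusted(SAMPLE_CELLS))
```

A frame that fails this check should be handled like a flagged scan: keep it away from the classifier and hold the previous setpoint.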

3. Fired heater tube inspection thermal AI (FLIR ThermoVision AI, Ametek Land IR AI, Yokogawa thermal scanner AI)

Fired heaters (process furnaces) in oil refinery and petrochemical plants — including crude oil preheat furnaces in CDU trains, hydrogen plant reformer furnaces, ethylene cracking furnaces, and catalytic reformer charge heaters — heat process fluids passing through convective and radiant section tube banks to temperatures ranging from 300°C (crude preheat) to above 870°C (ethylene cracker radiant coils). Tube skin temperature is the critical operating parameter for fired heater tube integrity: API Standard 530 (Calculation of Heater-Tube Thickness in Petroleum Refineries) defines allowable skin temperature limits for each metallurgy as the temperature above which creep rupture, hydrogen embrittlement, or carburisation proceeds at a rate that reduces tube design life below the planned inspection interval — typically 1,100–1,150°F (593–621°C) for 9Cr-1Mo and 304 stainless steel tubing. Exceeding the API 530 skin temperature limit is a mechanical integrity event that triggers immediate inspection under OSHA 29 CFR 1910.119(j)(4). FLIR ThermoVision AI, Ametek Land infrared (IR) AI, and Yokogawa thermal scanner AI systems mounted inside the furnace firebox — on rotating pan-tilt scanner platforms or fixed wide-angle camera arrays — process rendered infrared thermography images of the radiant section tube banks to classify each tube segment as Normal, Elevated Skin Temperature Warning, or Skin Temperature Exceedance. The AI’s tube segment classification drives the APC control system’s burner management layer: in Honeywell Profit Burner Management AI and Yokogawa OpreX Burner AI, a Skin Temperature Exceedance classification for one or more tubes initiates an automatic tube-pass flow increase or a partial firebox derating to reduce the firing rate on the affected tube row, with a mandatory maintenance notification to the mechanical integrity team for physical inspection within 24 hours.

The adversarial perturbation for fired heater tube inspection thermal AI is a ±8 DN suppression applied to the high-temperature pixel region of the rendered tube surface thermal image. In a typical radiant section tube thermal map at 8-bit greyscale rendering (or false-colour RGB), a tube segment at or above the API 530 skin temperature limit (e.g., 1,150°F for 9Cr-1Mo) appears as a distinct bright region with pixel values of approximately 210–240 DN in the luminance channel, against a background tube surface at normal operating temperature (750–900°F) appearing at approximately 150–190 DN. A ±8 DN suppression applied to the hot-spot region reduces its apparent luminance to 202–232 DN — a value that the FLIR or Yokogawa classification model, lacking adversarial robustness training, maps to the Elevated Skin Temperature Warning rather than Skin Temperature Exceedance category, particularly if the model’s decision boundary was calibrated on site-specific thermal imagery without perturbation augmentation. The APC system receiving an Elevated Warning (rather than Exceedance) classification does not initiate the mandatory maintenance notification; it applies a small firing rate reduction that is insufficient to prevent further tube hot-spot development. If coking or scale buildup in the tube is the underlying cause of the elevated skin temperature, the reduced firing rate does not clear the blockage, and tube skin temperature continues to rise. The eventual consequence — creep rupture or hydrogen-induced cracking of the tube under the combined effect of elevated temperature and internal pressure (typically 40–200 bar in reformer and hydroprocessing furnaces) — produces a hydrocarbon release into the furnace firebox at a temperature well above the autoignition point of the process fluid, resulting in a firebox explosion or, in hydrogen service, a detonation-capable flame jet.

4. Compressor vibration spectrogram AI (Bently Nevada System 1 AI, Emerson AMS Machinery Health AI, SKF Enlight AI)

High-pressure centrifugal and reciprocating compressors are the rotating equipment backbone of downstream refinery and petrochemical operations: wet gas compressors in FCC units (handling cracked C2–C4 gas at 2–25 bar), hydrogen recycle compressors in hydroprocessing units (handling 90%+ hydrogen at 80–200 bar), make-up gas compressors in ammonia plants (handling synthesis gas at up to 300 bar), and ethylene refrigeration compressors in steam cracking units (handling ethylene at low temperatures and moderate pressures). The mechanical seal systems of high-pressure centrifugal compressors — tandem dry gas seals in gas service, wet contact seals in liquid hydrocarbon service — are the primary barrier between the high-pressure process inventory and the atmosphere. Seal deterioration, characterised by face wear, seal face contamination, or buffer gas pressure degradation, produces a distinctive frequency signature in the casing vibration spectrogram: high-frequency sidebands at 10–50 times run speed (typically 10–50 kHz for a 3,000–15,000 RPM machine), arising from the periodic impacting and slip of worn seal faces. Bently Nevada System 1 AI (GE Vernova), Emerson AMS Machinery Health AI, and SKF Enlight AI process the rendered vibration spectrogram — displayed as a frequency-amplitude plot or waterfall cascade rendered as a digital image or processed numeric array with a visual rendering layer — to classify seal condition as Healthy, Early Degradation, or Seal Failure Risk, and feed this classification to the APC system’s asset health layer. A Seal Failure Risk classification initiates a compressor pre-emptive shutdown or a maintenance standby notification. OSHA 29 CFR 1910.119(j) requires that compressor mechanical seals in covered processes are maintained per manufacturer’s specifications, and API Standard 617 (Axial and Centrifugal Compressors) section 6 requires vibration monitoring for all covered compressors above 300 kW.

The adversarial perturbation for compressor vibration spectrogram AI is a frequency-domain amplitude dampening that suppresses the high-frequency sideband peaks characteristic of seal deterioration. In the rendered spectrogram image (or in the numeric spectrogram array before rendering for AI systems that consume array data with a convolutional frontend), the seal deterioration sidebands at 10–50× run speed appear as elevated amplitude spikes (typically 5–15 dB above the broadband noise floor) in the 10–50 kHz region of the spectrogram. A ±8 DN amplitude dampening (or equivalent -3 to -5 dB amplitude suppression in the raw spectrum) applied to this frequency region reduces the sideband peaks to within the broadband noise floor, causing the Bently Nevada, Emerson, or SKF classification model to output a Healthy or Early Degradation classification rather than Seal Failure Risk. The APC asset health layer does not initiate a pre-emptive shutdown or maintenance standby. As the seal continues to deteriorate, buffer gas consumption increases and seal face temperature rises, eventually leading to catastrophic seal failure — a rapid loss of seal integrity producing an uncontrolled release of the process gas inventory (hydrogen, ethylene, or light hydrocarbons) directly to atmosphere through the failed seal. In hydrogen recycle compressor service at 80–200 bar, a seal failure venting that inventory is capable of producing a flash fire or deflagration-to-detonation transition (DDT) event. The Buncefield storage depot explosion of December 2005 (UK HSE/MIIB investigation; blast equivalent to the UK’s largest peacetime explosion) began with an overflow event from an atmospheric tank — a failure of level instrumentation in a storage context that is directly analogous to the sealed-process AI classification failure mode described here, in that a single instrument misread was sufficient to initiate a multi-kiloton-equivalent blast event.

Integration: oil refinery and petrochemical AI scanning with Glyphward pre-scan gate

Deploy the Glyphward pre-scan gate at every image classification boundary in the APC pipeline — before the rendered distillation column gauge image is fed to the AspenONE or UniSim level classifier, before the FCC regenerator false-colour thermal map is processed by the UOP/Honeywell combustion state classifier, before the fired heater tube thermal image is passed to the FLIR or Yokogawa tube skin temperature classifier, and before the compressor vibration spectrogram is consumed by the Bently Nevada or Emerson seal condition classifier. The threshold of 35 is appropriate for downstream refinery APC AI contexts because these systems operate in fully automated closed-loop control with sub-minute decision cycles, without a complementary process barrier (such as a human operator confirmation step) between the AI classification output and the APC actuation decision. At Glyphward score 35, the perturbation magnitude is sufficient to shift the rendered image’s statistical distribution outside the training envelope of an unaugmented refinery AI classifier, but below the threshold at which the perturbation is visible on a standard process historian display. Regulatory references for the audit log include OSHA PSM 29 CFR 1910.119, EPA RMP 40 CFR Part 68, API RP 750, and NFPA 30.

import base64
import hashlib
import json
from datetime import datetime, timezone
from enum import Enum
from pathlib import Path

import httpx

# Placeholder only: load the real key from a secrets manager or the environment, never from source.
GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# Oil refinery and petrochemical APC AI contexts: threshold 35
# OSHA PSM 29 CFR 1910.119, EPA RMP 40 CFR Part 68, API RP 750, NFPA 30
REFINERY_AI_THRESHOLD = 35


class RefineryAIContext(Enum):
    DISTILLATION_LEVEL_GAUGE = "distillation_level_gauge"
    FCC_REGENERATOR_THERMAL = "fcc_regenerator_thermal"
    FIRED_HEATER_TUBE_INSPECTION = "fired_heater_tube_inspection"
    COMPRESSOR_VIBRATION_SPECTROGRAM = "compressor_vibration_spectrogram"


class AdversarialRefineryImageError(Exception):
    """Raised when Glyphward detects adversarial perturbation in a refinery APC AI image above threshold."""

    def __init__(self, scan_id: str, score: int, context: RefineryAIContext, unit_tag: str, flagged_region: dict | None = None) -> None:
        self.scan_id = scan_id
        self.score = score
        self.context = context
        self.unit_tag = unit_tag
        self.flagged_region = flagged_region
        super().__init__(
            f"Adversarial refinery image blocked: scan_id={scan_id} score={score} "
            f"threshold={REFINERY_AI_THRESHOLD} context={context.value} unit={unit_tag}"
        )


async def scan_refinery_image(image_bytes: bytes, context: RefineryAIContext, unit_tag: str, client: httpx.AsyncClient) -> dict:
    """Scan a refinery APC AI image for adversarial perturbation before feeding to the APC classifier.

    Args:
        image_bytes: Raw image bytes (PNG/JPEG/TIFF rendered from DCS or thermal camera).
        context: The RefineryAIContext enum value identifying the APC surface.
        unit_tag: Process unit tag (e.g. 'CDU-1-SPLITTER', 'FCC-2-REGEN', 'H2-COMP-3A').
        client: Shared httpx.AsyncClient.

    Returns:
        Glyphward scan result dict with scan_id, score, flagged_region.

    Raises:
        AdversarialRefineryImageError: If score >= REFINERY_AI_THRESHOLD.
    """
    image_hash = hashlib.sha256(image_bytes).hexdigest()
    payload = {
        "image": base64.b64encode(image_bytes).decode(),
        "source": f"refinery:{context.value}:{unit_tag}",
        "metadata": {
            "unit_tag": unit_tag,
            "image_sha256": image_hash,
            "context": context.value
        }
    }
    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}", "Content-Type": "application/json"},
        json=payload,
        timeout=30.0
    )
    resp.raise_for_status()
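    result = resp.json()
    flagged = result["score"] >= REFINERY_AI_THRESHOLD
    # Record every scan, clean or flagged, before acting on the result.
    await _write_refinery_scan_audit(
        image_hash=image_hash,
        scan_id=result["scan_id"],
        score=result["score"],
        context=context,
        unit_tag=unit_tag,
        flagged=flagged
    )
    if flagged:
        raise AdversarialRefineryImageError(
            scan_id=result["scan_id"],
            score=result["score"],
            context=context,
            unit_tag=unit_tag,
            flagged_region=result.get("flagged_region")
        )
    return result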


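async def _write_refinery_scan_audit(*, image_hash: str, scan_id: str, score: int, context: RefineryAIContext, unit_tag: str, flagged: bool) -> None:
    """Append one scan record (clean or flagged) to the JSONL audit log. The file write is blocking."""
    record = {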
        "ts": datetime.now(timezone.utc).isoformat(),
        "scan_id": scan_id,
        "image_sha256": image_hash,
        "context": context.value,
        "score": score,
        "threshold": REFINERY_AI_THRESHOLD,
        "flagged": flagged,
        "unit_tag": unit_tag,
        "regulatory_refs": ["OSHA PSM 29 CFR 1910.119", "EPA RMP 40 CFR Part 68", "API RP 750"]
    }
    audit_path = Path("/var/log/glyphward/refinery_ai_scan_audit.jsonl")
    audit_path.parent.mkdir(parents=True, exist_ok=True)
    with audit_path.open("a") as fh:
        fh.write(json.dumps(record) + "\n")

Deploy the scan gate at each AI boundary in the APC data pipeline: for distillation column level gauge AI, scan the rendered gauge image immediately after the DCS historian exports the frame and before the AspenONE or UniSim classifier consumes it; for FCC regenerator thermal AI, scan the false-colour rendered thermal map before the UOP/Honeywell combustion state model runs; for fired heater tube inspection AI, scan the FLIR or Yokogawa infrared frame before the tube skin temperature classifier; for compressor vibration spectrogram AI, scan the rendered spectrogram before the Bently Nevada, Emerson, or SKF seal condition classifier. On AdversarialRefineryImageError, fail closed: do not pass the image to the downstream AI classifier, do not allow the APC model to update its state from this cycle’s image input, hold the previous safe APC setpoint, raise a DCS alarm at the highest priority level (Priority 1), and notify the shift supervisor. Write every scan result — clean and flagged — to the JSONL audit log for OSHA PSM mechanical integrity recordkeeping.
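The fail-closed handling described above, as an added example that is not part of the original page or Glyphward's own code. It goes one step beyond the text by also holding the setpoint when the scanner times out or returns a malformed result. The scanner and classifier are injected as plain callables, and every function name, scan id and setpoint value is constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

REFINERY_AI_THRESHOLD = 35  # threshold the page gives for refinery APC contexts


@dataclass
class CycleDecision:
    forwarded: bool       # True only if the image reached the classifier
    setpoint: float       # setpoint the APC applies this cycle
    alarm: Optional[str]  # Priority 1 alarm text, or None for a clean scan
    audit: dict           # record to append to the JSONL audit log


def gate_cycle(image_bytes, unit_tag, scan, classify, last_safe_setpoint):
    """Run one control cycle through the scan gate, holding the setpoint on any doubt."""
    audit = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "unit_tag": unit_tag,
        "image_sha256": hashlib.sha256(image_bytes).hexdigest(),
        "threshold": REFINERY_AI_THRESHOLD,
        "scan_id": None,
        "score": None,
        "flagged": True,  # stays True unless the scan is proven clean
        "reason": None,
    }
    try:
        result = scan(image_bytes)
        score = result["score"]
        scan_id = result["scan_id"]
        if isinstance(score, bool) or not isinstance(score, (int, float)):
            raise ValueError("score is not numeric")
    except Exception as exc:
        # Timeout, transport error or malformed response: no verdict means no trust.
        audit["reason"] = f"scan_unavailable:{type(exc).__name__}"
        alarm = f"P1 {unit_tag}: image scan unavailable, holding setpoint"
        return CycleDecision(False, last_safe_setpoint, alarm, audit)

    audit.update(scan_id=scan_id, score=score)
    if score >= REFINERY_AI_THRESHOLD:
        audit["reason"] = "score_at_or_above_threshold"
        alarm = f"P1 {unit_tag}: image blocked (score {score}), holding setpoint"
        return CycleDecision(False, last_safe_setpoint, alarm, audit)

    # Only a clean verdict lets the classifier see the image and move the setpoint.
    audit.update(flagged=False, reason="clean")
    return CycleDecision(True, classify(image_bytes), None, audit)


# Constructed stand-ins for the scanner and for the classifier plus APC move.
def clean_scan(_image):
    return {"scan_id": "constructed-001", "score": 12}


def flagged_scan(_image):
    return {"scan_id": "constructed-002", "score": 35}


def timeout_scan(_image):
    raise TimeoutError("constructed scanner timeout")


def malformed_scan(_image):
    return {"scan_id": "constructed-003"}  # no score field


def classify_and_solve(_image):
    return 41.5  # setpoint the APC would move to on a trusted image


if __name__ == "__main__":
    frame = b"constructed-gauge-frame"
    for scanner in (clean_scan, flagged_scan, timeout_scan, malformed_scan):
        decision = gate_cycle(frame, "CDU-1-SPLITTER", scanner, classify_and_solve, 40.0)
        print(scanner.__name__, decision.forwarded, decision.setpoint, decision.alarm)
```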

Related questions

Does OSHA PSM 29 CFR 1910.119 require adversarial robustness testing for AI systems used in Advanced Process Control?

OSHA PSM 29 CFR 1910.119 does not explicitly address artificial intelligence, machine learning, or adversarial robustness. The regulation was enacted in 1992, predating the deployment of AI classification systems in refinery Advanced Process Control by approximately three decades. The relevant mechanical integrity provision, 29 CFR 1910.119(j), requires that: (1) written procedures are established to maintain the ongoing integrity of process equipment; (2) employees involved in maintaining process equipment are trained in the overview of that process and its hazards and in the procedures applicable to that employee’s job tasks; (3) inspections and tests are performed on process equipment using procedures that follow recognised and generally accepted good engineering practice (RAGAGEP); and (4) equipment deficiencies are corrected before further use or in a safe and timely manner when deficiencies are not corrected before further use. The phrase “recognised and generally accepted good engineering practice” (RAGAGEP) is the interpretive hook through which OSHA has historically extended PSM requirements to new technology — including the 2019 OSHA interpretation that safety instrumented system (SIS) design and testing should follow IEC 61511 as RAGAGEP. There is currently no published RAGAGEP document — from API, ISA, CCPS, or any recognised industry body — that specifies adversarial robustness testing requirements for AI image classification systems used in APC control loops. NIST SP 800-218A (Secure Software Development Practices for AI/ML), published in 2024, addresses adversarial ML but is a cybersecurity framework document, not a process safety RAGAGEP. 
Until a recognised body publishes an AI adversarial robustness standard for process control, OSHA PSM compliance does not directly mandate Glyphward-class scanning — but a PSM Process Hazard Analysis (PHA) team conducting a HAZOP of an APC system with AI image classification inputs should, under 29 CFR 1910.119(e)(3)(v), identify the “failure to function properly” scenario for the AI classifier as a HAZOP deviation, and evaluate the consequence of adversarial misclassification as a credible cause of that deviation.

How does the Texas City BP refinery explosion in 2005 serve as the consequence calibration point for refinery APC AI prompt injection?

The Texas City BP refinery explosion of 23 March 2005 (CSB investigation report 2005-04-I-TX; 15 fatalities, 180 injuries; OSHA settlement $21.3 million at the time the largest in OSHA history) is the refinery process control AI consequence calibration point because the proximate cause was a level instrument misread during startup — which is precisely the failure mode that adversarial injection into a distillation column level gauge AI can reproduce. The CSB determined that during the startup of the ISOM unit raffinate splitter column after a maintenance outage, a sight-glass level gauge that operators were relying on to determine tower fill level had a stuck float mechanism that caused it to read low (approximately 50% on the sight glass) when the actual tower level was above 150% of normal operating level — nearly 70 feet of liquid in the column. The column was fed for three hours with operators believing they were refilling a low-to-normal column. When the level overflowed the reflux drum and entered the overhead naphtha rundown line, it was directed to a vent blowdown drum whose stack discharged to atmosphere without a flare connection. The resulting vapour cloud, ignited by a diesel engine on a nearby contractor vehicle, produced a vapour cloud explosion that killed 15 workers in three temporary office trailers 150 feet from the blowdown drum. In a 2026 refinery with Aspen or Honeywell APC AI consuming rendered gauge camera images, the physical sight glass with its stuck float has been replaced by an AI classification model with a decision boundary. An adversarial ±10 DN pixel perturbation applied to the rendered gauge image is the 2026 equivalent of the stuck sight-glass float: it causes the AI to output “Normal level” when the true state is “High-High,” the APC continues to feed the column, and the consequence envelope is identical to what occurred in 2005. 
The CSB’s root cause findings also identified the absence of independent level verification as a systemic failure; an AI classification system without pre-inference adversarial scanning reproduces that same single-point-of-failure architecture.

What distinguishes FCC regenerator afterburn from normal dense-bed combustion in the rendered thermal map, and why is the hue rotation perturbation particularly effective?

The false-colour thermal map rendered by FCC unit AI monitoring systems encodes temperature as a continuous hue gradient — in the most common rendering convention used by UOP/Honeywell and Axens process visualisation software, the gradient runs from blue (ambient / cool surfaces, approximately 30–100°C) through green (warm, 100–400°C), yellow-orange (hot dense bed operating range, 680–730°C), red (elevated, 730–870°C), and white-red (afterburn, above 870°C). The visual boundary that AI classifiers are trained to detect is the transition from the orange-yellow dense-bed normal zone to the red-white dilute phase afterburn zone — a transition that, in the rendered image, is primarily encoded as a hue shift from approximately 25–45° HSV (orange-yellow) to 0–15° HSV (red). The hue rotation perturbation is effective because it operates exactly in this discriminative dimension: by rotating the pixels in the red-white afterburn region by approximately 20–30° in the HSV hue channel, their hue values move from 0–15° into the 20–45° range that the classifier maps to the normal dense-bed operating range. The perturbation does not alter pixel luminance (brightness) or saturation — only hue — which means it is invisible to a human operator viewing the thermal map in the normal course of operations (humans are less sensitive to hue shifts in the orange-red range than to luminance changes). The classifier, however, was trained to discriminate primarily on hue in this region because that is how the rendering software encodes the temperature distinction, making the hue channel the attack surface with the lowest perturbation magnitude required to cross the decision boundary. This is a structural property of false-colour thermal rendering conventions, not a deficiency unique to any particular AI vendor: all FCC regenerator thermal AI systems that consume rendered false-colour images share this vulnerability.

What is the regulatory gap between EPA RMP 40 CFR Part 68 and the adversarial robustness of AI systems in refinery consequence modelling and process control?

EPA Risk Management Program (RMP) 40 CFR Part 68 requires covered facilities — those handling threshold quantities of acutely toxic or flammable substances — to prepare an offsite consequence analysis (OCA) for worst-case and alternative release scenarios, maintain a five-year accident history, coordinate with Local Emergency Planning Committees (LEPCs), and implement an RMP prevention programme (for Program 2 and Program 3 facilities) that mirrors OSHA PSM’s mechanical integrity, PHA, and operating procedure requirements. The 2017 RMP amendments (82 FR 4594, January 13, 2017), partially rescinded and then restored through subsequent regulatory proceedings, added compliance audit requirements and third-party audit provisions for Program 3 facilities in higher-risk categories. None of the RMP amendments or the RMP guidance documents (EPA 550-B-04-001, RMP Offsite Consequence Analysis Guidance) address AI systems or machine learning models used in process control or consequence modelling. The critical gap is this: some covered facilities now use AI-based dynamic consequence modelling — where a dispersion model AI fed with real-time process sensor data (flow rates, temperatures, pressures) and atmospheric monitoring data generates updated OCA estimates in near-real-time, to inform emergency response and evacuation decisions. If the process sensor data input to this AI is rendered as an image (for multimodal AI systems that consume sensor dashboard screenshots or P&ID overlays), adversarial perturbation of that input can cause the AI to underestimate the release rate or dispersion distance in an ongoing emergency, with direct consequence for the accuracy of the emergency response recommendation that the facility provides to the LEPC. EPA 40 CFR Part 68.48 requires operating procedures to address “steps for each operating phase,” which OSHA has interpreted to include the accuracy requirements for process safety systems — but EPA has not articulated a parallel AI accuracy or robustness requirement for RMP-relevant AI applications.

Which refinery APC AI vendors have the largest deployed base across OSHA PSM-covered facilities, and what is the nature of their image classification surface?

Aspen Technology AspenONE Advanced Process Control (APC) AI and Honeywell Profit Suite (incorporating Profit Controller and UniSim) collectively represent the largest installed base of APC systems in downstream refining globally — Aspen Technology estimates its APC products are deployed in more than 65% of the world’s complex refineries, while Honeywell Process Solutions estimates Profit Suite installation at more than 700 refineries and petrochemical plants. ABB Ability Collaborative Operations AI is the dominant APC system in European refineries and petrochemical complexes, with major deployments at BASF Ludwigshafen, Neste Porvoo, and Total Energies European refinery sites. Yokogawa OpreX Control and Safety AI holds the majority position in Asian Pacific refinery markets, particularly Japan, South Korea, and China. KBC Advanced Technologies Petro-SIM AI is primarily a planning and scheduling optimisation platform but interfaces with real-time APC systems through a closed-loop advisory architecture. The image classification surface in these systems varies by vendor and deployment configuration. Aspen AspenONE APC AI in its most recent releases incorporates a Computer Vision module (released in Aspen AI Workbench v14) that processes rendered dashboard images from the APC historian to detect anomalous trends — this is the relevant attack surface. Honeywell UniSim AI’s visual monitoring module processes rendered P&ID overlays and gauge camera captures from Honeywell Experion DCS cameras. ABB Ability’s image AI layer in the Collaborative Operations centre processes rendered sensor dashboard images fed into the ABB Ability™ Genix AI platform. In each case, the AI classifier receives a rendered image (not raw sensor data) as its primary input for classification tasks in the visual monitoring context, creating the adversarial injection surface described in this page. The existence and configuration of these visual AI modules are not always fully disclosed in vendor marketing documentation; operators deploying these systems should confirm with their vendor which inference modules consume rendered images and instrument those image ingestion points with pre-scan gates. See also: prompt injection in chemical plant process safety AI for PSM context across broader chemical manufacturing, and prompt injection in smart manufacturing ICS AI for industrial control system AI attack surfaces.