Workstream Page: Drilling Process Protection

Click on the tabs below for more information or click here to return to all D-WIS Workstreams.

Drilling Process Protection: Overview.

The Drilling Process Protection (DPP) interface allows external agents to configure drilling process protection functionalities that are embedded in the ADCS. These functions can belongs to three different categories:

The fast response parts of these functionalities is implemented directly in the ADCS, but their configuration may necessitate information and models that may often not be accessible directly in the ADCS, therefore the importance of allowing external advisors to provide the necessary configuration.

This interface only concerns the drilling process protection and not the drilling machine protection, as it is considered that the drilling machine protection (DMP) can be fully performed inside the DCS and does not require inputs from external advisors.

It is expected that the ADCS combines the DPP with the DMP functions to always apply the most conservative protection at any time.

Drilling Process Protection: Motivation.

Drilling Process Protection functions can be classified in whether they require a fast response or if they are compatible with slower reaction times. When the necessary reaction time is greater than a few ten seconds,  it is acceptable that the DPP function is implemented directly in an external advisor that controls the drilling machine using the RigOS Equipment Interface. However, when reaction times are in the range of a few seconds or even shorter than a second, then the function needs to be implemented on a deterministic hardware and so must be an integral part of the ADCS.

An example of a slow response DPP function is one that detects and reacts to a formation fluid influx. Even though, it is desirable that a kick is detected as quickly as possible, in most cases a detection within a dozen of seconds is sufficient.

However, the detection and reaction to an overpull may often require to happen with a couple of seconds and even faster when the drill-stem is short or stiff as otherwise the situation may evolve quickly into a stuck pipe incident.

Yet, the quick detection and reaction to certain drilling events may necessitate information that is not directly available at the level of the RigOS, like for instance access to downhole measurements, or the estimation of downhole drilling condition characteristics. In the example of the overpull detection, it may be necessary to have an active monitoring of the mechanical friction including differences between static and kinetic frictions when there are for instance differential sticking conditions.

The embedded DPP functionalities inside the ADCS may allow for configuration by external advisors. But each ADCS may have different ways to allow for this external parametrization. The D-WIS DPP interface unifies the way dynamic parameters are passed to the ADCS from external advisors, therefore allowing to implement external advisors once and deploy them with different ADCS configurations.

Fault Detection, Isolation and Recovery

If a drilling process incident occurs, it is important to respond as quickly as possible. FDIR functions monitor continuously the process and are capable of detecting when an abnormal situation has started. After detection, the FDIR function proceeds with an immediate response to keep the process as safe as possible. Then after identification of the cause of the dysfunction, it applies procedures to isolate the problem. Finally, when isolation has been successful, it applies procedures to recover from the problem and get ready to resume the original normal command. FDIR functions apply when automated control functions are active, but also when human operators control the machines. A failure of the isolation or recovery procedures may trigger SMM functions. In the context of DWIS, only FDIR functionalities that concern the drilling process are addressed. In other words, DWIS does not interfere with FDIR functionalities that protect the drilling machines. FDIR is a subfield of control engineering that concerns itself with monitoring a system, identifying when a fault has occurred, and pinpointing the type of fault and its location (see

Fault Detection Isolation and Recovery functions for the drilling process can be classified in two categories:

  • Quick event
  • Slow event

A quick event is an event that requires a detection and a first action within a few seconds. Examples of quick events are pack-offs, overpulls/underpulls, over-torques, backward whirl at the bit. Events that may be acted upon after more than 10 seconds are considered as slow events. Example of slow events are formation fluid influx, formation fracturing, hole collapse, poor cuttings transport, pipe washout.

Slow event management can be managed through dedicated recipes which are scheduled and prioritized by the overall sequencer and conflict arbitration process. However, due to the necessary fast response to quick events, they need to be managed by a deterministic infrastructure, i.e., directly into the ADCS. 

Yet, the information available at the ADCS level is often limited to sensors and states associated with only the drilling machines and therefore may provide insufficient information to capture an understanding of the whole drilling process. Therefore, even though the ADCS implements a deterministic detection and reaction to quick drilling process events, it may depend on information that may be available from external agents.

A typical ADCS may implement one or more FDIR functionality. Various ADCS provider may work implement these FDIR functionalities in different ways or with some variations compare to each others. 

The aim of DWIS is to define a method for ADCS to describe which FDIR functions they support, how they work and what external information they require from external agent. The description is computer readable, therefore allowing an external agent to adapt to the available functionality provided by the ADCS.


Because quick event detection and reactions associated with the drilling process must be implemented in a deterministic environment, some ADCS provide such FDIR functions. Usually, the ADCS does not have all the information necessary to calculate the thresholds and parameters of mitigation procedures and therefore it relies on external agents to provide this information. With a large variety of available ADCS used at the rig site, providers of external agents need to spend much time to adapt their solution for each FDIR flavours. However, if the ADCS describes, in a computer readable format, the meaning of each available FDIR functions, what realtime signals it makes available to external agents and which parameters it expects, then it is possible for the external agent provider to program their agents to be adaptable to a range of different FDIR functions.

By providing a capability description of FDIR functions that are accessible through a standard interface, DWIS simplifies the connectivity between external agents and the embedded drilling process FDIR functions of the ADCS.


Synchronous Over-torque Detection and Mitigation




Cayeux, E., Macpherson, J., Dashevskiy, D., Hoarau, L., Pirovolou, D., Parak, M., Fett, D., 2023. “Drilling Systems Automation: Fault Detection, Isolation and Recovery Functions for Situational Awareness”. Paper SPE-xxxxx-MS presented at the SPE/IADC Drilling Conference in Stavanger, Norway, 7-9 March.

Fault Detection, Isolation and Recovery:


This is reserved for work-in-progress as members develop new documents.  Workgroup members click here.  Password is 12345


Safe Operating Envelope

When operating the drilling machines, excessive speeds or accelerations commands can lead to incidents:

  • at the machine level, for instance because reaching the given set-point would exceed the power capacity of the machines or their power supply.
  • at the drilling process level, because the generated response of the whole drilling system would exceed some downhole limits.

The first one is addressed directly in the DCS through functionalities such as smart power management and therefore is not a topic that requires interoperability with external advisors.

On the contrary, the second one is directly linked to understanding of the drilling process, which often necessitates information not directly available at the level of the DCS. It is therefore a relevant topic for interoperability between the ADCS and external advisors.

When an automated drilling procedure is executed, such limits should be accounted for by the procedure. However, when a human operator controls directly the drilling machines, there is a risk that these drilling process limits could be exceeded. The ADCS may provide functionalities that allow for external advisors to define such limits and to enforce that manual commands from the driller stays within those externally defined limits. Of course, the ADCS combines these limits with its own internal ones that are related to the protection of the drilling machines themselves.

Such externally defined limits that protect the drilling process are referred as Safe Operating Envelopes (SOE). The work conducted in D-WIS is to define a common interoperability layer for SOE between external advisors and the ADCS.

Commands sent to the drilling machines shall be within acceptable limits with the regards to the tolerances of the drilling process. The RigOS combines the safe operating envelopes for the drilling process with the safe operating limits that protect the drilling machines. SOE functions apply for both human operator and automated function commands.  It is not in the scope of DWIS to address SOE functionalities concerning the protection of the drilling machines.

Requirement IDScope Requirements common for SMM, FDIR and SOEConsiderations
 DWIS will enable the description and transmission of DPP information from an external application to the ADCS or DCS on the rig.The purpose of this work is not to solve how to generate the parameters of the DPP functions but assist in transmitting information across computer system boundaries.​  
 DWIS’s interface for DPP functionalities shall be flexible to account for a wide range of ADCS or DCS’ supported DPP functionalities.The purpose of this work is not to impose a functionality level for DPP functions implemented in the ADCS or DCS, but to allow external application to utilize only one interface (the DWIS interface) to access multiple ADCS or DCS solutions instead of having to adapt for a multitude of different solutions.
 The DWIS interface for DPP functionalities shall be simple to use both on the ADCS or DCS side, and on the external application side.DWIS shall avoid imposing any restrictions to either the ADCS or DCS, or the external application. For example, there shall not be a restriction on the programming languages used on each side of the interface.  
 It is not within the scope of DWIS to provide a solution for concurrent contributions of parameters for DPP functionalities.  The ADCS/DCS shall have a strategy to manage concurrent access for DPP functionalities.
 The DWIS interface shall allow the ADCS or DCS to describe its supported functionalities such that external application can adapt the passage of parameters accordingly.  A form describing capabilities shall be available so that both sides of the interface can agree on how to pass parameters.
 It is not in the scope of DWIS to address DPP configurations that require sub-second updates.  Requiring sub-second updates demands tightly integrating the external application into the ADCS or DCS.
 The DWIS interface for DPP functionalities shall enforce a form of detection for loss of connection between the two sides of the interface.It is important to detect a connection outage between the two sides of the interface, and to execute SMM procedures the ADCS or DCS side in such an eventuality.  

Will be completed later.

Will be completed later.

Cayeux, Eric , Daireaux, Benoît , and Erik Wolden Dvergsnes. “Automation of Drawworks and Topdrive Management To Minimize Swab/Surge and Poor-Downhole-Condition Effects.” SPE Drill & Compl 26 (2011): 557–568. doi:

Cayeux, Eric , Daireaux, Benoît , and Erik Wolden Dvergsnes. “Automation of Mud-Pump Management: Application to Drilling Operations in the North Sea.” SPE Drill & Compl 26 (2011): 41–51. doi:


Safe Operating Envelopes in the Nuclear industry: How to implement?

Safe Operating Envelopes in oil and gas.

Safe Operating Envelope in the aviation. (flight envelope).



Safe Mode Management

When running drilling automation functions, the situation awareness of the driller is lower than when he/she drives the drilling machines directly. Therefore, if for any reason, the drilling automation needs to return to manual control, it may take a few ten seconds, even a minute or two, before the driller gets an understanding of the current situation. During this transition between automated-control and manual-control, a drilling incident may occur or if it had occurred earlier, it may escalate dangerously. For that reason, some ADCS implement Safe Mode Management (SMM). 

With SMM, the ADCS is constantly informed about a procedure to execute to put the drilling system in a safe mode. Safe mode means here a drilling process state that is safe and stable for at least a few ten seconds. The path from the current drilling process state and the safe mode process state shall be possible and using a finite number of intermediate drilling process states.

As the notion of safe mode drilling process state is context dependent, SMM requires that the safe mode drilling process state and its path is constantly updated. The estimation of the safe mode drilling process state and its path requires information that is most often not directly available at the DCS level and therefore that shall be provided by external advisors.

D-WIS defines a common interoperability layer for defining the safe mode drilling process state and the path to reach it.

If for any reason, an automated control function fails or the connectivity between a 3rd party app and the RigOS is lost, the RigOS applies a series of actions to put the drilling machines in a state that is safe for the current operation. This state lasts for at least a few tens of second in order to leave time for the human operator to regain control of the situation even though his situation awareness may have been low. In the context of DWIS, the only addressed SMM functions are those linked to the protection of the drilling process. i.e., SMM functions that deal with the protection of the drilling machines are outside the scope of DWIS.

To be completed later.

To be completed later.

Cayeux, Eric , Mihai, Rodica , Carlsen, Liv , Ørevik, Morten , Birgisson, Kjartan , and Ronny Bergerud. “A Technical Approach to Safe Mode Management for a Smooth Transition from Automatic to Manual Drilling.” Paper presented at the SPE/IADC International Drilling Conference and Exhibition, Virtual, March 2021. doi:


Cayeux, Eric. 2020. Mathematical Modelling of the Drilling Process for Real-time Applications in Drilling Simulation, Interpretation and Assistance. Dr. Philos., University of Stavanger, Stavanger, Norway. 

Cayeux, Eric, Daireaux, Benoît, Ambrus, Adrian et al. 2021. Autonomous Decision-Making While Drilling. Energies 14 (4): 969.

Cayeux, Eric, Daireaux, Benoît, and Dvergsnes, Erik Wolden. 2011a. Automation of Drawworks and Topdrive Management To Minimize Swab/Surge and Poor-Downhole-Condition Effects. SPE Drilling & Completion 26 (04): 557-568.

Cayeux, Eric, Daireaux, Benoît, and Dvergsnes, Erik Wolden. 2011b. Automation of Mud-Pump Management: Application to Drilling Operations in the North Sea. SPE Drilling & Completion 26 (01): 41-51.

Cayeux, Eric, Mihai, Rodica, Carlsen, Liv et al. 2020. An Approach to Autonomous Drilling. Proc., IADC/SPE International Drilling Conference and Exhibition.

Cayeux, Eric, Mihai, Rodica, Carlsen, Liv et al. 2021. A Technical Approach to Safe Mode Management for a Smooth Transition from Automatic to Manual Drilling. Proc., SPE/IADC International Drilling Conference and Exhibition.


This work is the result of the fruitful cooperation of many contributors including (in alphabetic order):

  • Pradeep Annaiyappa, Nabors
  • Hans Uwe Brackel, Baker Hughes
  • Eric Cayeux, NORCE
  • Clinton Chapman, Schlumberger
  • Benoît Daireaux, NORCE
  • Dmitriy Dashevskiy, Baker Hughes
  • Michael Edwards, Edwards Energy Innovation Consulting LLC
  • Darryl Fett, TotalEnergies
  • Fred Florence, RigOps
  • Loïc Hoarau, Schlumberger
  • Jan Kåre Igland, Exebenus
  • Kevin Jander, DeepWater
  • Mark Jenkins, Baker Hughes
  • Moray Laing, Halliburton
  • Serafima Schaefer, Exebenus
  • John Macpherson, Baker Hughes
  • Scott McKaig, Transocean
  • Roger Marin, Halliburton
  • Mahdi Parak, Halliburton
  • Dimitrios Pirovolou, Weatherford



Click here to access the minutes of previous meetings.

Scroll to Top