View
216
Download
1
Category
Tags:
Preview:
Citation preview
WECC COMPLIANCE 101
Webinar
Thursday, October 9, 2014
2
Agenda
Introductions Laura Scholl
Overview of WECC and Regulatory Structure
Connie White
Audit – What to Expect Stacia Ellis and Bill Fletcher
Enforcement Overview Rachael Ferrin, Richard Shiflett, Haley Sousa, and Joelle Bohlender
webCDMS and EFT Brittany Power
Overview of WECC and Regulatory Structure
Constance WhiteVice President of Compliance and
Acting Regional Manager
COMPLIANCE 101Overview of WECC
And Regulatory Structure
5
The Western Electricity Coordinating Council (WECC) is a non-profit corporation that exists to
assure a reliable bulk electric system in the geographic area of the Western Interconnection. This area includes all or parts of the 14 western United States, two Canadian provinces, and the
northern portion of Baja California, Mexico.
WECC Profile
6
• Incorporated in 2002
• Predecessor, WSCC formed in 1967
• Largest geographic area of the eight Regional Entitieso Entire Western Interconnection (1.8 million square miles) -
includes all or part of 14 U.S. states, 2 Canadian provinces and a portion of Baja California Norte, Mexico
• Non-Governmental
• Industry participants join together to promote system reliability
• Bifurcation in February 2014 changed functions
WECC History
7
WECC Coverage Service Area
1.8 million square miles
126,285 miles of transmission
Population of 78 million
8
9
WECC Organization
• Independent Board of Directorso 9 memberso Committees
• Members Advisory Committee• Members
• Grid owners, operators, users• Stakeholders• State and Provincial
10
Peak Reliability assumed responsibility for Reliability Coordination
o Operate two Reliability Coordination Offices (Vancouver WA and Loveland CO) that provide situational awareness and real-time supervision of the entire Western Interconnection
Bifurcation
11
• Transmission expansion planningo Management of a comprehensive planning databaseo Provide coordination of sub-regional planning processeso Analyses and modeling
• Studieso Model the system and perform studies under a variety of
scenarios to set operating policies and limits
WECC Services
12
• Loads and Resources Assessmentso Perform annual assessment of 10-year loads and resourceso Maintain 10-year coordinated plan of system growth o Provide information to NERC for summer and winter assessments of
the reliability and adequacy of the bulk-power system
• Operator Trainingo Provide training sessions for operators, schedulers and dispatchers
• WREGISo Hosts the Western Renewable Energy Generation Information
System, which creates and tracks renewable energy certificates
WECC Services
13
Delegation Agreemento Perform functions delegated to WECC as a Regional Entity
under Delegation Agreement with NERC, including regulating entities subject to mandatory Reliability Standards
WECC Services
14
Mandatory Reliability Regulation
• Northeast Blackout of 2003– 10 Million people
in Ontario, Canada– 45 million people in
eight U.S. states
15
16
17
Task Force Report
• Final report of the U.S.- Canada Power System Outage Task Force on the 2003 blackout concluded:
the single most important recommendation for preventing future blackouts, and reducing the
scope of those that occur, is for the U.S. government to make reliability standards mandatory and enforceable.
18
Task Force Findings
Inadequate System Understanding
Inadequate Situational Awareness
Inadequate Tree Trimming
Inadequate Reliability Center Diagnostic Support
Congressional Action
•Energy Policy Act of 2005On August 8, 2005, the Energy Policy Act of 2005 (EPAct 2005) was signed into law.
•“Section 215”Section 215 of the EPAct 2005 directed FERC to certify an Electric Reliability Organization (ERO) and develop procedures for establishing, approving and enforcing electric reliability standards.
20
Authority for Compliance Monitoring
• FERC Order 672 (Implementing Rule 18 CFR 39)– Responsibility and oversight assigned to FERC– FERC designated NERC as Electric Reliability
Organization– NERC has delegation agreement with WECC and
seven other regions
Implementing Section 215
SECTION 215
• Creates Electrical Reliability Organization (ERO)• FERC names NERC as ERO
Regional Entiti
es
• NERC selects 8 regional entities• WECC is selected for Western Interconnection
Delegatio
n Agreeme
nt
• NERC and WECC sign agreements• WECC oversight begins in Western
Interconnection
Development of Mandatory Reliability Standards
Critical Infrastructure Protection (CIP) standards become mandatory and enforceable December 2009
(FERC Order 706)
Operations and Planning (O&P) Standards become mandatory and enforceable
June17, 2007 (FERC Order 693)
23
Order 693 & Order 706 Standards
• Order 693 (Operations and Planning) includes:– Resource and Demand Balancing (BAL)– Emergency Preparedness & Operations (EOP)– Facilities Design, Connection & Mtnce. (FAC)– Protection and Control (PRC)
• Order 706 (CIP) includes:– Critical Cyber Asset Identification– Personnel & Training– Electronic Security Perimeters
24
• Recommends Registrations for Entitieso Register users, owners, operators according to function
• Monitors Compliance with Standardso Monitor compliance by users, owners and operators of the bulk
power system in the United States
• Enforces Complianceo Violation mitigation and settlement negotiationo Representation of WECC in any hearing or appeal process
• Administration o Audit coordinationo Reporting systemso webCDMS and EFT
WECC Compliance
25
In summary…
Authority
Federal Power Act 2005Delegation AgreementReliability Standards
CMEP
Registration
Authority
Reg
istr
atio
n
Monitoring
Authority
Reg
istr
atio
n
AuditsSelf Reports
Self Certif
icatio
nsOther
Enforcement
Authority
Reg
istr
atio
n
Mo
nit
ori
ng
Risk A
ssess
ments
Due Pro
cessSettle
ment
Mitigatio
n Acti
ons
Education/Outreach
Authority
Reg
istr
atio
n
Mo
nit
ori
ng
En
forc
emen
t
Education/Outreach
31
Reference Documents• Compliance Monitoring and Enforcement Program
(CMEP) & WECC’s annual plan• Delegation Agreement• Rules of Procedure• NERC Standards and WECC Regional Standards• NERC Guidance, Bulletins, Directives and Compliance
Application Notices (CANs)• FERC Orders
Notice of Audit
Stacia EllisCompliance Program Coordinator
33
Notice of Compliance Audit Packet
• Notice of Audit Letter
• Compliance Monitoring Authority Letter
• Audit Team Biographies
• Confidentiality Agreements
34
Notice of Compliance Audit Packet
• Certification Letter
• Pre-Audit Data Requests
• Pre-Audit Survey
• Audit Scope and WECC RSAWs
35
Notice of Compliance Audit Letter
• 90-Day Notice of Audit Letter – Details of your specific Audit
• Dates of Audit• Audit Scope• Due Dates• Audit Team Composition, observers (if applicable)
– Observers can include FERC/NERC• Date/time of proposed Pre-Audit Conference Call• Opening Presentation Suggestions
36
Notice of Compliance Audit Letter
• Audit Team Composition – Primary Audit Team
• Individuals expected to participate in the Audit
– Alternate Audit Team• Individuals available to act as backup or replacements
for Primary Team members
37
Attachments A, B and C
• Attachment A– Informational; Explanation of Compliance
Monitoring Authority • Attachment B
– Short Biographies of the WECC Audit Staff• Attachment C
– Signed Confidentiality Agreements of the WECC Audit Staff
38
Attachments D and E
• Attachment D– Audit Scope– RSAWs (Reliability Standard Audit Worksheets)
• Customized for your Entity and your audit– Based on your Registered Functions and Audit Scope
• Attachment E– Certification Letter
• Must be printed on your company letterhead and signed by an Authorized Officer
• Certifies that the information being provided for the Audit is accurate
39
Attachment F
• Attachment F– Pre-Audit Survey
• Verify contact information• Audit Logistics • List any delegation agreements• Signed by Authorized Officer
• Please complete all applicable fields
40
Attachment G
• Attachment G– Pre-Audit Data Requests
• Why are we doing this to you?!?oClarifications for data submittalsoSpecifying types of evidence to remove some
of the guesswork
41
Att G – Operations & Planning (O&P) Data
• Some evidence may apply to more than one Standard– One copy is sufficient, but document inventories
or “roadmaps” are appreciated• Single Line Diagram
– Requested for the majority of Audits
42
Att G – Cyber Security (CIP) Data
• CIP-004 – CIP-009 may not be applicable based upon the Critical Asset/Critical Cyber Asset determination – Determined by CIP-002-3 Requirements 2 & 3– Complete RSAWs indicating absence of CA/CCA
identification– 2015 CIP audits will include CIP v5 outreach
If you have any questions please contact Brent Castagnetto at bcastagnetto@wecc.biz or 801-819-7627
43
Attachment H
• Attachment H– Audit Feedback– Now sending with initial package
• Feedback is encouraged for all phases of audit.
44
Audit Periods Defined
• Audit Periods, for O&P and CIP, are clearly defined in Attachment G for both:
• Operations and Planning (O&P) • Cyber Security (CIP)
45
Audit Frequency
• 3 year cycleEntities registered as a:
– Balancing Authority (BA) – Transmission Operator (TOP) or – Reliability Coordinator (RC)
• All others– Generally a 6 year cycle. Subject to flexibility in the
future as part of NERC’s Reliability Assurance Initiative (RAI).
46
Outreach
• “Howdy Call”– A few days after Notice of Audit Packet is
uploaded to the EFT Server.
47
Recommendations
• Know the Reliability Standards• Use the RSAWs as guides• Ask questions• Participate in Outreach (CUG/CIPUG)• We are here for you…
– Questions– Comments– Concerns
Audit Approach and Best Evidence
William FletcherSenior Compliance Auditor,
Operations and Planning
49
Compliance Audit (on-site vs. off-site)
• Primary difference is:– Location of audit conduct
• Scope is typically smaller for off site.• On-Site – Required for RC, BA, TOP functions
• Per NERC Rules of Procedure 403.11.2
50
Compliance Audit (on-site vs. off-site)
• On-Site– Documentation sent to WECC before audit for preliminary review– The audit team reviews evidence during off-site week or the first week of the
audit and completes its review during the second week or on-site week– Data Requests or DRs– In-person interviews for clarification
• Off-Site– Documentation sent to WECC before audit for preliminary review– Data Requests or DRs– Entity may be present at audit if desired– Telephone interviews for clarification
Audit Approaches
•We audit to the Requirements of the Standards•General Approaches included in RSAW•RSAW may ask specific questions•Always includes the section:
“Describe, in narrative form, how you meet compliance with this requirement.”
52
Audit Approaches
“Describe, in narrative form, how you meet compliance with this requirement.”
• Describe here how your company knows it is compliant with this requirement and how you know you have been compliant for the entire period of the audit.
• Your place to describe your internal controls.• Your evidence should support your narrative.
53
Audit Approaches
• List the evidence provided in the RSAW.o This road map is important
• Compliance Assessment Approach in RSAW is used as a checklist.o Data Request (DR) for gaps or samples
• Document & record review is primary• Interviews and observations are usually for
Corroborating
54
Sufficient Audit Evidence
Sufficiency of Evidence• The measure of the quantity of evidence• Quantity of evidence is dependent on the scope of
the audit• Extra quantity does not make up for poor quality• Ensure you provide enough evidence to demonstrate
compliance for the entire audit period.
55
Sufficient Audit Evidence
Sampling is used to limit the amount of detailed evidence provided.• Normally used in conjunction with summary of a full
set of data.• Sampling used to assess details.• Reduces the burden on the Audit Team but not really
on the Entity• Audit Team must select the samples
56
Appropriate Audit Evidence
AppropriatenessThe measure of the quality of evidence• Relevance• Validity• Reliability
57
Appropriate Audit Evidence
Quality of Evidence• Good Internal Controls point to reliable evidence.• Direct observation is more reliable than indirect observation.• Examination of original documents is more reliable than
examination of copies.• Testimonial evidence from system experts is more reliable
than from personnel with indirect or partial knowledge.
58
Types of Evidence
• Physical Evidence• Documentary Evidence• Testimonial Evidence
Compliance Audits may use all three types but Documentary Evidence is by far the most frequent type of evidence assessed and relied on.
59
Testimonial Evidence
• Attestations of Compliance or Statements of Compliance are generally not accepted as the only available evidence.
• Attestations may be used to explain minor gaps in documentation or to state if no conditions occurred which are subject to a requirement.
• Attestor must be knowledgable and qualified.
60
Evidence for Procedural Documents
The characteristics of a valid procedural or policy document include: – Document title – Definition or Purpose– Revision level – Effective dates – Authorizing signatures
61
Non Applicable Requirements
Three instances are acceptable for use of term “Not Applicable”1) Entity is not registered for the applicable
function. (only TOP responsible for TOP requirements)
2) Entity does not own, operate or maintain the equipment addressed by the requirement. (UVLS, UFLS, SPS etc.)
3) Entity does not use the program or process specified by the requirement. (and is not required to… ATC, CBM, etc)
62
Evidence for Tasks Performed
• When the standard calls for a task to be performed it must be documented.– Records– Logs– Reports– Work Orders– Phone recordings– Transcripts of phone recordings– Shift Schedules
• Dates & Times are critical
63
Evidence of “Coordination” with other entities
• Typical evidence provided initially is a single email.“…If you have any comments please contact ______”
This alone is neither sufficient or appropriate to demonstrate coordination between two or more parties.
• If emails or correspondence are used– Two way communications are needed
• Better are:– Meeting Agendas– Meeting Minutes– Attendance Lists
64
Evidence of “Distribution” of information
• Typical evidence provided initially is a single email with a large distribution list.“…please see attached”
This alone is typically neither sufficient or appropriate to demonstrate distribution to others.
• If emails or correspondence are used– Need clear identification of the personnel on the distribution list.
• Even Better is corroboration by receipt acknowledgement
Enforcement 101October 9, 2014
Rachael FerrinRichard Shiflett
Haley SousaJoelle Bohlender
66
Agenda
• What is a violation?
• How does WECC know about a violation?
• What is the submittal and review process for
possible violations?
• What is the submittal and review process for
Mitigation Plans?
67
What is a violation?
A violation is a failure to demonstrate
compliance pursuant to applicable NERC
Reliability Standard Requirement– Possible Violation (PV)
• The identification by the Compliance Enforcement Authority of
a possible failure by a registered Entity to comply with a
Reliability Standard that is applicable to the Registered Entity.
NERC Rules of Procedure, Appendix 2 (January 31, 2012).
68
How does the Entity discover a possible violation?
Ongoing Compliance Assessments
Internal Assessments
Internal Audits
Compliance Culture
69
How does WECC know about a possible violation?
Compliance Monitoring• Self-Reports• Self-Certifications
– New possible violation – Change in scope
• Compliance Audits• Spot Checks• Compliance Investigations• Periodic Data Submittals• Complaints
70
Possible Violation Submittal
• Submit Self-Reports and Self-Certifications via webCDMS
• Self Report/Self Certification Content Checklist
71
Self-Report/Self-Certification Content Checklist
• Is the version of the standard (in effect at the time of the violation) identified?
• Are all multiple subrequirements in scope identified?
• Has this violation been previously reported?
• Does the violation description include:– All devices/facilities/personnel in scope?– Names/IDs of devices/facilities/personnel?– Where are these devices located?– What are these devices used for?– What type of access do the personnel have? – Any additional information to assess the VSL?
• Is the start date and end date identified?
• Are the compensating measures identified?
72
Possible Violation Review
• WECC Subject Matter Experts (SME) reviews the “possible violation”
• Analyze facts and circumstances• Data Requests/conference call if necessary• Technical assessment
– Facts and Timelines– Risk Assessment
• Recommendation of Dismissal or Acceptance to Case Managers
73
Entity’s next step after reporting a Possible Violation
• Submit Mitigation Plan– Notice of Alleged Violation triggers
Mitigation Plan due date– Timely Mitigation is encouraged– Not admission of violation
Every violation goes through the same process.
74
Mitigation Plan Submittal
• Submit via webCDMS– One violation per plan
• Eight Steps to Prevention and Mitigation
• Mitigation Plan Content Checklist
75
Mitigation and Prevention Checklist
• Symptom• Root Cause• Corrective Actions• Preventive Actions• Detective Actions• Assign tasks• Timeline and milestones• Interim Risk
76
Mitigation Plan Content Checklist
• Has the scope of the violation being mitigated changed?
• Has the root cause been identified?
• Does the mitigation plan include:
– What is being fixed?
– How it is being fixed?
– When it is being fixed?
• Do the mitigation actions:
– Relate to the requirements in scope?
– Identify preventative measures?
– Identify detection measures?
77
Mitigation Plan Review
• WECC Subject Matter Experts (SME) conduct reviews
• Review the mitigation plan– Actions (Corrective, Detective and Preventive)– Duration
• Data Requests/conference call if necessary• Notice of Acceptance or Rejection via auto
notification or EFT server
78
Mitigation Plan Extensions
• Extension Requests– Accepted Mitigation Plan completion date =
date Completion Certification and evidence submitted to WECC
– Five business days prior to completion date
79
CMP Submittal
• Submit Completion Certification and evidence via webCDMS
• CMP Content Checklist
80
CMP Content Checklist
• Has the scope changed since the Mitigation Plan was accepted?– Have you included a brief statement to confirm the
scope?
• Is the evidence uploaded with a description for each file?
• Is there a mapping of actions to evidence?
• Is there a completion date for each action?
81
Mitigation Plan Completion Review
• WECC Subject Matter Experts (SME) conduct reviews
• Analyze Evidence– Were all actions outlined in the plan completed?– Has both procedural and implementation evidence been
submitted?
• Data Requests/conference call if necessary• Notice of Acceptance or Rejection via auto
notification or EFT Server
82
Summary
• Violation life cycle– Submitting violations and mitigation plans– WECC’s review of violations and mitigation plans
• Resources– http://
www.wecc.biz/compliance/outreach/Lists/101Links/AllItems.aspx
83
The Hand-Off
Possible
Violation Submitt
al
Technica
l SME Review
The Hand-off to Case Manager
Case
Manager
Review
4 Methods
of PV
Disposition
Confirmed
Violatio
n
84
WECC Enforcement Case Managers
Primary Role: Determining Violation Disposition (disposition analysis)
• Case analysis• Violation Disposition• Policy analysis• Assess penalties• Conduct settlements • Build relationships
85
Enforcement Processes
86
Disposition Analysis
• Dismissal• Find, Fix and Track (“FFT”)• Notice of Alleged Violation (“NOAV”)• Expedited Settlement Agreement (“ESA”)
87
Dismissal
• Disposition method used when the Case Manager determines the possible violation is not enforceable – For Example…– Standard Requirement does not apply to Entity– Facts and circumstances warrant a violation of a
different Standard Requirement– Entity produced additional evidence
demonstrating compliance
88
What does a dismissal look like?
• Case Manager will issue a “Notice of Dismissal and Completion of Enforcement Action”
• WECC: – Withdraws the Possible Violation from Entity’s compliance
record– Any data retention directives relating to the possible
violation are released
• Entity: – Does not need to respond to notice– Questions/concerns contact Case Manager
89
Not a Dismissal, Now what?
• Dismissal• Find, Fix and Track (“FFT”)• Notice of Alleged Violation (“NOAV”)• Expedited Settlement Agreement (“ESA”)
90
PVs for FFT Review
WECC Reviews All PVs for FFT Treatment“Strong” FFT Candidates:• Are not Repeat PVs• PV does not reveal programmatic or systematic
shortcomings• Found and Fixed by the Entity• Mitigation Plan has been submitted
91
What does an FFT look like?
• WECC Enforcement will issue a “Notice of Find, Fix and Track”– Remediation Required– No Penalty or sanction– FFT is filed with NERC but does not become a
“confirmed violation”
• FFT will become part of an Entity’s compliance history
92
What to do with an FFT?
• Within five (5) days of receiving an FFT Notice an Entity Must:
• Submit to WECC an affidavit, signed by an officer with knowledge of remediation,
OR• Submit to WECC written notification opting out of
the FFT processing– If an Entity opts out of the FFT disposition, then WECCs
policy is to issue the violation through the traditional NOAV process.
93
4 Disposition Methods
• Dismissal• Find, Fix and Track (“FFT”)• Notice of Alleged Violation (“NOAV”)• Expedited Settlement Agreement (“ESA”)
94
What does a NOAV look like?CMEP Section 5.3
• NERC Rules of Procedure, Appendix 4C §5.3 (“CMEP”)• Alleged Violation Facts• Mitigation Plan Summary (if applicable)• Enforcement Violation Determinations
– BES Impact Statement• Minimal• Moderate• Severe
– Violation Severity Level (“VSL”)– Violation Risk Factor (“VRF”)
• Penalty
95
What to do with a NOAV?
• Submit a NOAV Response within 30 days • The NOAV Response must conform to one of
three options– Agree with the violation AND penalty– Agree with the violation, but contest penalty– Contest both the violation AND penalty
• Failure to submit a NOAV Response within 30 days will automatically result in confirmed violations with penalties
96
NOAV Response: “Option 1” Does not contest
• Does not contest violation facts as alleged in the NOAV
• May identify errors that should be corrected in the “Notice of Confirmed Violation” (“NOCV”)
• Submit a Mitigation Plan
Enforcement will issue a Notice of Confirmed Violation within ten (10) days of receiving a NOAV Response that “agrees with or does not contest an alleged violation.”
97
NOAV Response: “Option 2” Contests Penalty
• NOAV Response will be submitted to Enforcement using the EFT Server within thirty (30) calendar days of receiving the NOAV.
• Submit a Mitigation Plan.• NOAV Response must explicitly contest penalty and
request settlement.– NOAV Response must articulate basis for each penalty– NOAV Response should include a proposed penalty the Entity
believes to be reasonable including the basis for proposed penalty
98
NOAV Response: “Option 3”Contests Alleged Violation & Penalties
• NOAV Response must be submitted to Enforcement using the EFT Server within thirty (30) calendar days of receiving the NOAV.
• NOAV Response must explicitly contest each alleged violation and proposed penalty and request settlement.
• Each Contention must be supported by:– An explanation of the Entity’s position– Basis for Contention– Additional Information or evidence
99
A Word on Penalties
• Attached to violations disposed of using the NOAV or ESA processes
• Based on: – NERC Sanction Guidelines (January 31, 2012)– Penalty Range
• Penalty range depends upon Violation Severity Level (“VSL”) and Violation Risk Factor (“VRF”)
• Penalties are then adjusted for either Mitigating or Aggravating Factors
100
Reaching Settlement
NOAVC & T
AgreementWork with Case
ManagerSettlement Agreement
101
4 Disposition Methods
• Dismissal• Find, Fix and Track (“FFT”)• Notice of Alleged Violation (“NOAV”)• Expedited Settlement Agreement (“ESA”)
102
ESA: Expedited Settlement Process
ESASettlement Agreement
103
What does an ESA look like?
• Expedites Formal Settlement Negotiations
• The ESA will contain– Facts and circumstances of the violation– Risk Assessment Summary– Mitigation Plan Summary– VSL and VRF determinations– Penalty determination
104
What to do with an ESA?
• Entity will have 15 days to review the ESA…– The Entity will contact Case Manager with questions or concerns.
• If the Entity accepts the terms of the ESA…– The Entity must submit a signed copy of the ESA to WECC within 15
days of receipt of the ESA issuance.
• If the Entity rejects the ESA or does not respond within 15 days…– WECC will issue a Notice of Alleged Violation and Proposed Penalty
and Sanction.
105
Settlement Agreements & Expedited Settlement Agreements
106
Payment & Closure of Enforcement Action
• After NOP becomes effective, WECC issues a “Payment Due Notice”
• The Penalty will be due thirty (30) days from the date the Notice is issued
• Public NOP filings can be found on the NERC website
CASE
CLOSED
107
Enforcement Process Summary
Possible Violation Submitta
l
Technical SME Review
The Hand-off to Case Manager
Case Manag
er Review
4 Methods
of PV Dispositi
on
Confirmed
Violation
• Lifecycle of a Possible Violation• Best Compliance Practices
• http://www.wecc.biz/compliance/Pages/Best-Practices.aspx
• Possible Violation Disposition and Entity Responses
Compliance 101
Brittany PowerData Coordinator
109
webCDMS
110
webCDMS Regions
1.MRO2.SPP3.WECC4.Texas RE5.RFC
112
Compliance Standards Index
Compliance Standards Index
113
Compliance Standards Index
114
Compliance Standards Index
115
Compliance Standards Index
116
• Call @ 801-883-6879• Types of calls for WECC
o EFT Questionso Registration Questionso Historical Questionso Standard Questionso Non-technical Questions
• support@wecc.biz
Reminder: Help Desk
• Call @ 673-220-2020• Types of calls for OATI
o Technical Problemso webCDMS Login Problemso Certificate Problemso Access Problems
WECC Support OATI Support
Recommended