Risks and Controls for VAR-001-4 and EOP-004-2. Richard Shiflett Ruchi Ankleshwaria

Similar documents
3. Purpose: To improve the reliability of the Bulk Electric System by requiring the reporting of events by Responsible Entities.

Internal Controls And Good Utility Practices. Ruchi Ankleshwaria Manager, Compliance Risk Analysis

4.1.1 Generator Owner Transmission Owner that owns synchronous condenser(s)

Summary of CIP Version 5 Standards

Transmission Function Employees Job Titles and Descriptions 18 C.F.R 358.7(f)(1)

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions August 10, Electric Grid Operations

Reclamation Manual Directives and Standards

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions June 4, Electric Grid Operations

When this standard has received ballot approval, the text boxes will be moved to the Guidelines and Technical Basis section of the Standard.

System Operator Certification Program Administrative Guidelines

Master/Local Control Center Procedure No. 13 (M/LCC 13) Communications Between the ISO and Local Control Centers

Load Dispatcher (Class Code 5223) Task List

Generation Interconnection Feasibility Study Report-Web Version. PJM Generation Interconnection Request Queue Position Z1-055

DISCUSSION PAPER: Peak Reliability Performance Metrics

NERC Cyber Security Standards

Table of Contents. Real-Time Reliability Must Run Unit Commitment and Dispatch (Formerly G-203) Operating Procedure

Standard CIP 007 3a Cyber Security Systems Security Management

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Security Management Controls

ATTACHMENT G. Network Operating Agreement

Cyber Security Standards Update: Version 5

Advanced Inverter Overview

Duke Energy Progress Standards of Conduct Transmission Function Employee Job Titles and Job Descriptions 9/1/13

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Document Management Solution (EDMS)

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Benefits of Big Data Analytics in Security Helping Proactivity and Value Creation. June 2015

PHASE 9: OPERATIONS AND MAINTENANCE PHASE

CIP Physical Security. Nate Roberts CIP Security Auditor I

Standard CIP Cyber Security Security Management Controls

Standard CIP Cyber Security Systems Security Management

Entity Name ( Acronym) NCRnnnnn Risk Assessment Questionnaire

TRIPWIRE NERC SOLUTION SUITE

Project Risk Management

Asset Management Business Update

Project Type Guide. Project Planning and Management (PPM) V2.0. Custom Development Version 1.1 January PPM Project Type Custom Development

IEEE-Northwest Energy Systems Symposium (NWESS)

NERC CIP Compliance Gaining Oversight with ConsoleWorks

Scope of Restoration Plan

Job Descriptions. Job Title Reports To Job Description TRANSMISSION SERVICES Manager, Transmission Services. VP Compliance & Standards

RSA ARCHER OPERATIONAL RISK MANAGEMENT

Last revised: September 1, 2014 TRANSMISSION FUNCTION TITLES AND JOB DESCRIPTIONS

GxP Process Management Software. White Paper: Ten Most Common Reasons for FDA 483 Observations and Warning Letter Citations

PI/PSLF Based Model Validation Application. Eric Bakie and Milorad Papic WECC JSIS Meeting Tempe, AZ January 21-23, 2014

Energy Management System (EMS) Model Updates and Quality Assurance (QA)

UNITED STATES NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REACTOR REGULATION WASHINGTON, D.C February 1, 2006

GENe Software Suite. GENe-at-a-glance. GE Energy Digital Energy

Systems Operation Department

Cyber Security Standards Update: Version 5 with Revisions

Following up recommendations/management actions

Internal Audit Report. Toll Operations Contract Management TxDOT Office of Internal Audit

Arizona Medicaid School Based Claiming

IA Metrics Why And How To Measure Goodness Of Information Assurance

SOP-RTMKTS Test and Approve Operations Software Applications. Contents

Five Ways to Use Security Intelligence to Pass Your HIPAA Audit

SCADA. The Heart of an Energy Management System. Presented by: Doug Van Slyke SCADA Specialist

EPA Classification No.: CIO P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

Wilhelmenia Ravenell IT Manager Eli Lilly and Company

Developing Your Strategic Plan

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Reclamation Manual Directives and Standards

Operational Security Network Code

Title 20 PUBLIC SERVICE COMMISSION. Subtitle 50 SERVICE SUPPLIED BY ELECTRIC COMPANIES. Chapter 02 Engineering

Market Data Transparency Service Level Agreement

PHASE 5: DESIGN PHASE

Template: Family Reunion: T-Shirt numbers

Manage IT Service Continuity and Availability

A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS

Good Internal Controls for Small Businesses

ERCOT Design and Implementation of Internal Controls and benefits for NERC CMEP/RAI

Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, CASE: Implementation of Cyber Security for Yara Glomfjord

Change Management Policy

References Appendices I. INTRODUCTION... 6 A. Background... 6 B. Standards... 6

Appendix 2 to Chapter 7 GUIDANCE ON THE DEVELOPMENT OF AN SMS GAP ANALYSIS FOR SERVICE PROVIDERS

ARRA HITECH Stimulus HIPAA Security Compliance Reporter. White Paper

Energy Management Systems (EMS)

Transcription:

Risks and Controls for VAR-001-4 and EOP-004-2 Richard Shiflett Ruchi Ankleshwaria

2 Introductions Richard Shiflett Compliance Risk Engineer Joined WECC in February 2014 11 years experience with Bureau of Reclamation, Grand Coulee Dam (GO, GOP, TO) as a senior electrical engineer and compliance manager Retired Navy Chief Intelligence Specialist and six years experience as a nuclear mechanical operator Ruchi Ankleshwaria Compliance Risk Engineer Joined WECC in March 2013 6 years of industry experience prior to joining WECC 4 years at a BA/TO/TOP/GO/GOP in WECC as an EMS engineer and project controls engineer 2 years as a project manager Certified Project Management Specialist (PMP)

3 Agenda Introduction Risks and Controls VAR-001-4 Risks and Controls EOP-004-2 Risks and Controls Key Takeaways

4 Risk and Controls Risk Controls Residual Risk

5 Types of Internal Controls Internal Controls Management Practices People Tools Processes Systems

6 Importance of Risk and Controls Reduces the likelihood of causing a violation Provides efficiency through a proactive approach rather than reactive Helps in identifying details that are not obvious Helps in implementing good organizational processes Help with continuity of operations and other processes

7 How Did WECC Identify Risks and Controls? Analyze VAR-001-4 and EOP-004-2 requirements highlight key takeaways Research potential causes based on violation history Research best practices implemented by entities WECC Subject Matter Experts industry experience

8 List of Standards VAR-001-3 and VAR-001-4 Version 3-1/1/2014 Version 4-10/1/2014 EOP-004-2 1/1/2014

9 VAR-001-4 Requirement Mapping VAR-001-4 R1 R2 R3 R4 and R5 R6 E.A.13 E.A.14 E.A.15 E.A.16 E.A.17 E.A.18

10 VAR-001-4 R1 Each Transmission Operator shall specify a system voltage schedule as part of its plan to operate within System Operating Limits and Interconnection Reliability Operating Limits. 1.1. Each Transmission Operator shall provide a copy of the voltage schedules to its Reliability Coordinator and adjacent Transmission Operators within 30 calendar days of a request.

11 VAR-001-4 R1 Risks and Controls RISKS - Failure to include system voltage schedule or change in voltage schedule as part of TOP s plan - Failure to retain evidence of providing a copy of voltage schedule within 30 Calendar days - Peer review the voltage control plan - Implement change management process for voltage schedule changes - Have a process to maintain logs of all the requests received and sent - Proactively send voltage schedule to appropriate entities CONTROLS

12 VAR-001-4 R2 Each Transmission Operator shall schedule sufficient reactive resources to regulate voltage levels under normal and contingency conditions.

13 VAR-001-4 R2 Risks and Controls RISKS - Failure to schedule reactive resources in contingency conditions - Failure to schedule sufficient reactive resources - Failure to retain evidence that reactive resources were scheduled as per the studies or assessments - Develop a process for scheduling reactive resources - Perform periodic review to confirm system operators knowledge of the available reactive resources - Perform after-the-fact studies to validate the model when there is voltage excursion CONTROLS

14 VAR-001-4 R3 Each Transmission Operator shall operate or direct the Real-time operation of devices to regulate transmission voltage and reactive flow as necessary.

15 VAR-001-4 R3 Risks and Controls RISKS - Failure to utilize available reactive resources to regulate voltage and reactive flows - Failure to direct reactive resource utilization - Failure to retain evidence of actions taken to maintain voltage - Maintain a list of reactive resources that are available to provide voltage support - Maintain logs of reactive resource allocations for voltage support - Maintain high visibility of the voltages at critical areas CONTROLS

16 VAR-001-4 R4 and R5 R4 & R5 are superseded by WECC Regional Variance E.A.13 E.A.18 R4 and R5 are superseded by the WECC Regional Variances E.A.13 E.A.18

17 VAR-001-4 E.A.13 and E.A.14 E.A.13 and E.A.14 Highlights Each TOP shall issue one of the types of voltage schedules to the GOP as listed in the requirement for a specific period of time. Each TOP shall provide one of the types of voltage reference point to the GOP as listed in the requirement.

VAR-001-4 E.A.13 and E.A.14 Risks and Controls 18 RISKS - The TOP fails to issue one of the three types of voltage schedule - The TOP fails to specify the applicable period for the voltage schedule -The TOP fails to provide reference points for the voltage schedule - Develop a template for issuing voltage schedule - Maintain and periodically verify the list of GOPs in the TOPs area - Specify the voltage schedules in the Generation Interconnection Agreement CONTROLS

19 VAR-001-4 E.A.15 and E.A.16 E.A.15 Each Generator Operator shall convert each voltage schedule specified in Requirement E.A.13 into the voltage set point for the generator excitation system. E.A.16 Each Generator Operator shall provide its voltage set point conversion methodology from the point in Requirement E.A.14 to the generator terminals within 30 calendar days of request by its Transmission Operator.

VAR-001-4 E.A.15 and E.A.16 Risks and Controls 20 RISKS - Converted voltage schedules are not applied to all the excitation systems - GOP fails to convert voltage schedules for certain time periods to voltage set points as provided by TOP - GOP fails to document all the converted voltage schedules specific to each excitation system type - GOP fails to submit required set point conversion methodology to the TOP within 30 days - Peer review of the voltage set point conversion methodology - Develop a process to submit the methodology to the TOP once updated - As part of commissioning activities, include a task to develop the voltage set point conversion methodology CONTROLS

21 VAR-001-4 E.A.17 Each Transmission Operator shall provide to the Generator Operator, within 30 calendar days of a request for data by the Generator Operator, its transmission equipment data and operating data that supports development of the voltage set point conversion methodology

22 VAR-001-4 E.A.17 Risks and Controls - The TOP fails to retain evidence of the GOP request for the information. - The TOP fails to provide data within 30 days - Log and track all the requests. - Develop a process for timely review and submission of required data to the GOP CONTROLS RISKS

23 VAR-001-4 E.A.18 Each Generator Operator shall meet the following control loop specifications if the Generator Operator uses control loops external to the Automatic Voltage Regulators (AVR) to manage MVar loading: E.A.18.1. Each control loop s design incorporates the AVR s automatic voltage controlled response to voltage deviations during System Disturbances. E.A.18.2. Each control loop is only used by mutual agreement between the Generator Operator and the Transmission Operator affected by the control loop.

24 VAR-001-4 E.A.18 Risks and Controls RISKS - The GOP fails to recognize its external control loop as applicable - The GOP fails to include AVR s response to voltage deviation in its control loop s design - The GOP fails to retain evidence of mutual agreement between the TOP and GOP - Develop a process to review AVR and control loop designs for new and replacement excitation systems - For new generators, add the external control loop design as part of the interconnection agreement CONTROLS

25 VAR-001-4 R6 After consultation with the Generator Owner regarding necessary step-up transformer tap changes and the implementation schedule, the Transmission Operator shall provide documentation to the Generator Owner specifying the required tap changes, a timeframe for making the changes, and technical justification for these changes.

26 VAR-001-4 R6 Risks and Controls RISKS - TOP fails to provide documentation to GO - TOPs documentation to the GOs fails to include all the details as specified in the requirement - TOP fails to maintain evidence of consultation with the GO - Develop a tap change request template that outlines all the required information - Develop a process for tap change request - Develop a process to monitor outage coordination which ensures GO tap changes occur within the implementation period CONTROLS

27 EOP-004-2 Event Reporting

28

29 EOP-004-2 R1 Each Responsible Entity shall have an event reporting Operating Plan in accordance with EOP-004-2 Attachment 1 that includes the protocol(s) for reporting to the Electric Reliability Organization and other organizations.

30 EOP-004-2 R1 Risks and Controls Risks Failure to have an event reporting operating plan Failure to include protocol for reporting Failure to include all requirements of Attachment 1 Controls Periodic review of new standards being effective. Peer Review of the operating plan. Exercise the operating plans

31 EOP-004-2 R2 Each Responsible Entity shall report events per their Operating Plan within 24 hours of recognition of meeting an event type threshold for reporting or by the end of the next business day if the event occurs on a weekend.

32 EOP-004-2 R2 Risks Failure to fully implement the Operating Plan Failure to identify an event as reportable event Failure to submit the report as per Attachment 2 of the standard or the DOE form Failure to follow the protocol as per the Operating Plan Failure to report within required timeframe Failure to retain evidence after event was reported

33 EOP-004-2 R2 Controls Train operators on the reporting timelines, reporting protocols, and Attachment 1 thresholds Create a quick reference of the reportable event types for operators Keep blank copies of Attachment 2 or the DOE form readily available Review event logs from the previous shift Ensure collected data is sufficient to identify an event based on its threshold

34 EOP-004-2 R3 Each Responsible Entity shall validate all contact information contained in the Operating Plan pursuant to Requirement R1 each calendar year.

35 EOP-004-2 R3 Risks and Controls Risks Failure to validate all the contacts within a calendar year Not all of the contacts listed in the operating plan are validated Evidence of the validated contacts is insufficient or missing Controls Identify the personnel responsible for validating contacts and documenting evidence Set up reminders for at least 2 personnel to annually validate the contacts Document validation process

36 Examples of Common Controls Roadmap for Identifying Risks and Controls Resources to Build the Processes

37 Examples of Common Controls Integrate training into documentation changes and change management activities Implement a document management system or process If possible, identify primary and backup person while assigning responsibilities. Perform periodic review of compliance activities to confirm that the processes are followed. Perform periodic risk assessment to evaluate effectiveness of the controls.

38 Road Map for Identifying Risk and Controls Utilize Reliability and Audit recommendations provided by WECC Review past violation root causes Get input from standard owners and SMEs How to identify risk and implement controls? Highlight Key indicators in the Standard

39 Resources NIST Guide for Conducting Risk Assessments CMMi - Risk Management CERT Resilience Management Model COSO Internal Control Integrated Framework Internal Controls Working Guide: NERC Internal Controls: NERC Presentation

40 Key Takeaways Use the key indicators and failure points to identify risks Establish a combination of controls to address these risks Periodically monitor risks and update internal controls as necessary WECC Subject Matter Experts are available to help

41 Contact Information Richard Shiflett Compliance Risk Engineer (801) 819-7609 rshiflett@wecc.biz Ruchi Ankleshwaria Compliance Risk Engineer (801) 883-6881 rankleshwaria@wecc.biz

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information