wecc compliance 101 webinar · wecc compliance 101 webinar thursday, january 22, 2015 . agenda •...
TRANSCRIPT
WECC COMPLIANCE 101
Webinar
Thursday, January 22, 2015
Agenda
• Introductions Laura Scholl
• Overview of WECC and Regulatory Structure
Matthew Moore
• Audit – What to Expect Mindee Hawes and Bill Fletcher
• Enforcement Overview Rachael Ferrin, Tyson Jarrett, Carmelina Spina, and Joelle Bohlender
• webCDMS and EFT Brittany Power
2
Overview of WECC and Regulatory Structure
Matthew Moore Manager of Enforcement
COMPLIANCE 101 Overview of WECC
And Regulatory Structure
The Western Electricity Coordinating Council (WECC) is a 501(c)(4) social welfare organization corporation that exists to assure a reliable bulk
electric system in the geographic area of the Western Interconnection. This area includes all or parts of the 14 western United States, two
Canadian provinces, and the northern portion of Baja California, Mexico.
WECC Profile 5
• Incorporated in 2002
• Predecessor, WSCC formed in 1967
• Largest geographic area of the eight Regional Entities o Entire Western Interconnection (1.8 million square miles) -
includes all or part of 14 U.S. states, 2 Canadian provinces and a portion of Baja California Norte, Mexico
• Non-Governmental
• Industry participants join together to promote system reliability
• Bifurcation in February 2014 changed functions
WECC History 6
WECC Coverage Service Area
1.8 million square miles 126,285 miles of transmission Population of 78 million
7
8
WECC Organization
• Independent Board of Directors o 9 members o Committees
• Members Advisory Committee • Members
• Grid owners, operators, users • Stakeholders • State and Provincial
9
WECC separated the registered functions of Reliability Coordinator (RC) and Interchange Authority (IA) in January 2014. Peak Reliability assumed responsibility for the registered functions in January 2014.
o Operate two Reliability Coordination Offices (Vancouver WA and Loveland CO) that provide situational awareness and real-time supervision of the entire Western Interconnection
Bifurcation 10
• Transmission expansion planning o Management of a comprehensive planning database o Provide coordination of sub-regional planning processes o Analyses and modeling
• Studies o Model the system and perform studies under a variety of
scenarios to set operating policies and limits
WECC Services 11
• Loads and Resources Assessments o Perform annual assessment of 10-year loads and resources o Maintain 10-year coordinated plan of system growth o Provide information to NERC for summer and winter assessments of
the reliability and adequacy of the bulk-power system • Operator Training
o Provide training sessions for operators, schedulers and dispatchers
• WREGIS o Hosts the Western Renewable Energy Generation Information
System, which creates and tracks renewable energy certificates
WECC Services 12
Delegation Agreement o Perform functions delegated to WECC as a Regional Entity
under Delegation Agreement with NERC, including; o facilitating development of western interconnection
reliability standards o conducting reliability assessments and event analysis o regulating entities subject to mandatory Reliability
Standards
WECC Services 13
Mandatory Reliability Regulation
• Northeast Blackout of 2003 – 10 Million people
in Ontario, Canada – 45 million people in
eight U.S. states
14
15
16
Task Force Report
• Final report of the U.S.- Canada Power System Outage Task Force on the 2003 blackout concluded: the single most important recommendation for preventing future blackouts, and reducing the scope of those that occur, is for the U.S. government to make reliability standards mandatory and enforceable.
17
Task Force Findings 18
Inadequate System Understanding
Inadequate Situational Awareness
Inadequate Tree Trimming
Inadequate Reliability Center Diagnostic Support
Congressional Action
•Energy Policy Act of 2005 On August 8, 2005, the Energy Policy Act of 2005 (EPAct 2005) was signed into law.
•“Section 215” Section 215 of the EPAct 2005 directed FERC to certify an Electric Reliability Organization (ERO) and develop procedures for establishing, approving and enforcing electric reliability standards.
Authority for Compliance Monitoring
• FERC Order 672 (Implementing Rule 18 CFR 39) – Responsibility and oversight assigned to FERC – FERC designated NERC as Electric Reliability
Organization – NERC has delegation agreement with WECC and
seven other regions
20
Implementing Section 215
SECTION 215
• Creates Electrical Reliability Organization (ERO) • FERC names NERC as ERO
Regional Entities
• NERC selects 8 regional entities • WECC is selected for Western Interconnection
Delegation Agreement
• NERC and WECC sign agreements • WECC oversight begins in Western
Interconnection
Development of Mandatory Reliability Standards
Critical Infrastructure Protection (CIP) standards become mandatory and enforceable December 2009
(FERC Order 706)
Operations and Planning (O&P) Standards become mandatory and enforceable
June 17, 2007 (FERC Order 693)
Order 693 & Order 706 Standards
• Order 693 (Operations and Planning) includes: – Resource and Demand Balancing (BAL) – Emergency Preparedness & Operations (EOP) – Facilities Design, Connection & Mtnce. (FAC) – Protection and Control (PRC)
• Order 706 (CIP) includes: – Critical Cyber Asset Identification – Personnel & Training – Electronic Security Perimeters
23
• Recommends Registrations for Entities o Register users, owners, operators according to function
• Monitors Compliance with Standards o Monitor compliance by users, owners and operators of the bulk
power system in the United States
• Enforces Compliance o Violation mitigation and settlement negotiation o Representation of WECC in any hearing or appeal process
• Administration o Audit coordination o Reporting systems o webCDMS and EFT
WECC Compliance 24
Authority
Federal Power Act 2005 Delegation Agreement Reliability Standards
CMEP
Registration
Authority
Reg
istra
tion
Monitoring
Authority
Reg
istr
atio
n
Enforcement
Authority
Reg
istr
atio
n
Mon
itorin
g
Reference Documents • Compliance Monitoring and Enforcement Program
(CMEP) & WECC’s annual plan • Delegation Agreement • Rules of Procedure • NERC Standards and WECC Regional Standards • NERC Guidance, Bulletins, Directives and Compliance
Application Notices (CANs) • FERC Orders
29
Notice of Compliance Audit
Mindee Hawes Compliance Program Coordinator
Audit Frequency 31
3 Year Cycle Balancing Authority Transmission Operator Reliability Coordinator
All other registered functions Subject to flexibility in the future as part of NERC’s Reliability Assurance Initiative
Audit Timeline 32
145 days 90 days 60 days 30 days 15 days AUDIT
Pre-Audit Survey Due
Evidence Due
Objections to Team Members
Notice of
Audit
CIP v5 Request for Information
Notice of Audit Packet 33
Notice of Audit Letter
ATT A: Compliance Monitoring Authority Letter
ATT B: Audit Team Biographies
ATT C: Confidentiality Agreements
ATT D: Audit Scope and WECC RSAWs
ATT E: Certification Letter
ATT F: Pre-Audit Survey
ATT G: Pre-Audit Data Requests
ATT H: Post Audit Feedback Form
Notice of Audit Letter 34
90-Day Notice of Audit Letter Details of your specific audit • Audit Engagement Dates • Audit Period • Registered Functions within Audit Scope • Audit Team Composition Observers (if applicable)
– May include FERC/NERC
• Date/time of proposed Pre-Audit Conference Call • Links to reference documents
Attachments A, B and C 35
Attachment A Explanation of Compliance Monitoring Authority
Attachment B Short Biographies of the WECC Audit Staff
Attachment C Signed Confidentiality Agreements of the WECC Audit Staff
Attachments D and E 36
Attachment D Audit Scope Reliability Standard Audit Worksheets (RSAWs)
Attachment E Certification Letter
• Must be printed on your company letterhead and signed by an Authorized Officer
Attachment F 37
Attachment F Pre-Audit Survey
• Verify Registered Functions • Audit Logistics • Signed by Authorized Officer • Please complete all applicable fields
Attachment G 38
Attachment G Pre-Audit Data Requests – Clarifications for Data Submittal • One Line Diagram • Delegation agreements (if applicable)
• CCA and non-CCA lists • Public Key Encryption
Attachment H 39
Attachment H Audit Feedback
• Sent with initial package
Feedback is encouraged for all phases of audit!
Evidence Submittal 40
WECC Enhanced File Transfer (EFT) https://fileupload.wecc.biz
Any questions regarding log in or user
credentials please contact [email protected] or call 1-877-937-9722
Evidence Submittal 41
Adobe Portfolios
COM
Evidence Submittal 42
File Folder
COM
COM-001-1
Questions?
43
Audit Approach and Best Evidence
William Fletcher Senior Compliance Auditor,
Operations and Planning
Compliance Audit (on-site vs. off-site) 45
• Primary difference is: – Location of audit conduct
• Scope is typically smaller for off site • On Site – Required for RC, BA, TOP functions
• Per NERC Rules of Procedure 403.11.2
Compliance Audit (on-site vs. off-site)
• On-Site – Documentation sent to WECC before audit for preliminary review – The audit team reviews evidence during off-site week or the first week of the
audit and completes its review during the second week or on-site week – Data Requests or DRs – In-person interviews for clarification
• Off-Site – Documentation sent to WECC before audit for preliminary review – Data Requests or DRs – Entity may be present at audit if desired – Telephone interviews for clarification
46
Audit Approaches
•We audit to the Requirements of the Standards. •General Approaches included in RSAW •RSAW may ask specific questions •Always includes the section:
“Describe, in narrative form, how you meet compliance with this requirement.”
Audit Approaches
“Describe, in narrative form, how you meet compliance with this requirement.”
• Describe here how your company knows it is compliant with this requirement and how you know you have been compliant for the entire period of the audit
• Your place to describe your internal controls • Your evidence should support your narrative
48
Audit Approaches
• List the evidence provided in the RSAW
o This road map is important • Compliance Assessment Approach in RSAW is used as
a checklist o Data Request (DR) for gaps or samples
• Document and record review is primary • Interviews and observations are usually for
corroborating
49
Sufficient Audit Evidence
Sufficiency of Evidence • The measure of the quantity of evidence • Quantity of evidence is dependent on the scope of
the audit • Extra quantity does not make up for poor quality • Ensure you provide enough evidence to demonstrate
compliance for the entire audit period
50
Sufficient Audit Evidence
Sampling is used to limit the amount of detailed evidence provided • Normally used in conjunction with summary of a full
set of data • Sampling used to assess details • Reduces the burden on the Audit Team but not really
on the Entity • Audit Team must select the samples
51
Appropriate Audit Evidence
Appropriateness The measure of the quality of evidence • Relevance • Validity • Reliability
52
Appropriate Audit Evidence
Quality of Evidence • Good Internal Controls point to reliable evidence • Direct observation is more reliable than indirect observation • Examination of original documents is more reliable than
examination of copies • Testimonial evidence from system experts is more reliable
than from personnel with indirect or partial knowledge
53
Types of Evidence
• Physical Evidence • Documentary Evidence • Testimonial Evidence
Compliance Audits may use all three types but Documentary Evidence is by far the most frequent type of evidence assessed and relied on.
54
Testimonial Evidence
• Attestations of Compliance or Statements of Compliance are generally not accepted as the only available evidence.
• Attestations may be used to explain minor gaps in documentation or to state if no conditions occurred which are subject to a requirement.
• Attestor must be knowledgeable and qualified.
55
Evidence for Procedural Documents
The characteristics of a valid procedural or policy document include: – Document title – Definition or Purpose – Revision level – Effective dates – Authorizing signatures
56
Non Applicable Requirements
Three instances are acceptable for use of term “Not Applicable” 1) Entity is not registered for the applicable
function (only TOP responsible for TOP requirements)
2) Entity does not own, operate or maintain the equipment addressed by the requirement (UVLS, UFLS, SPS etc.)
3) Entity does not use the program or process specified by the requirement (and is not required to… ATC, CBM, etc.)
57
Evidence for Tasks Performed
• When the standard calls for a task to be performed it must be documented. – Records – Logs – Reports – Work Orders – Phone recordings – Transcripts of phone recordings – Shift Schedules
• Dates & Times are critical
58
Evidence of “Coordination” with other entities
• Typical evidence provided initially is a single email. “…If you have any comments please contact ______”
This alone is neither sufficient or appropriate to demonstrate coordination between two or more parties.
• If emails or correspondence are used – Two way communications are needed
• Better are: – Meeting Agendas – Meeting Minutes – Attendance Lists
59
Evidence of “Distribution” of information
• Typical evidence provided initially is a single email with a large distribution list. “…please see attached”
This alone is typically neither sufficient or appropriate to demonstrate distribution to others.
• If emails or correspondence are used – Need clear identification of the personnel on the distribution list.
• Even Better is corroboration by receipt acknowledgement
60
Enforcement 101
Rachael Ferrin Tyson Jarrett
Carmelina Spina Joelle Bohlender
Agenda
• What is a violation?
• How does WECC know about a violation?
• What is the submittal and review process for possible violations?
• What is the submittal and review process for Mitigation Plans?
62
What is a violation?
A violation is a failure to demonstrate compliance
pursuant to applicable NERC Reliability Standard
Requirement – Possible Violation (PV)
• The identification by the Compliance Enforcement Authority of a
possible failure by a registered Entity to comply with a Reliability
Standard that is applicable to the Registered Entity. NERC Rules of
Procedure, Appendix 2 (January 31, 2012).
63
How does the Entity discover a possible violation?
64
Ongoing Compliance Assessments
Internal Assessments
Internal Audits
Compliance Culture
How does WECC know about a possible violation?
Compliance Monitoring • Self-Reports • Self-Certifications
– New possible violation – Change in scope
• Compliance Audits • Spot Checks • Compliance Investigations • Periodic Data Submittals • Complaints
65
Possible Violation Submittal
• Submit Self-Reports and Self-Certifications via
webCDMS
• Self Report/Self Certification Content Checklist
66
Self-Report/Self-Certification Content Checklist
• Is the version of the standard (in effect at the time of the violation) identified?
• Are all multiple subrequirements in scope identified?
• Has this violation been previously reported?
• Does the violation description include: – All devices/facilities/personnel in scope? – Names/IDs of devices/facilities/personnel? – Where are these devices located? – What are these devices used for? – What type of access do the personnel have? – Any additional information to assess the VSL?
• Is the start date and end date identified?
• Are the compensating measures identified?
67
Possible Violation Review
• WECC Subject Matter Experts (SME) reviews the “possible violation”
• Analyze facts and circumstances • Data Requests/conference call if necessary • Technical assessment
– Facts and Timelines – Risk Assessment
• Recommendation of Dismissal or Acceptance to Case Managers
68
Entity’s next step after reporting a Possible Violation
• Submit Mitigation Plan – Notice of Alleged Violation triggers
Mitigation Plan due date – Timely Mitigation is encouraged – Not admission of violation
69
Every violation goes through the same process.
Mitigation Plan Submittal
• Submit via webCDMS – One violation per plan
• Eight Steps to Prevention and Mitigation • Mitigation Plan Content Checklist
70
Mitigation and Prevention Checklist
• Symptom • Root Cause • Corrective Actions • Preventive Actions • Detective Actions • Assign tasks • Timeline and milestones • Interim Risk
71
Mitigation Plan Content Checklist
• Has the scope of the violation being mitigated changed?
• Has the root cause been identified?
• Does the mitigation plan include:
– What is being fixed? – How it is being fixed? – When it is being fixed?
• Do the mitigation actions:
– Relate to the requirements in scope? – Identify preventative measures? – Identify detection measures?
72
Mitigation Plan Review
• WECC Subject Matter Experts (SME) conduct reviews
• Review the mitigation plan – Actions (Corrective, Detective and Preventive) – Duration
• Data Requests/conference call if necessary • Notice of Acceptance or Rejection via auto
notification or EFT server
73
Mitigation Plan Extensions
• Extension Requests – Accepted Mitigation Plan completion date =
date Completion Certification and evidence submitted to WECC
– Five business days prior to completion date
74
CMP Submittal
• Submit Completion Certification and evidence
via webCDMS
• CMP Content Checklist
75
CMP Content Checklist
• Has the scope changed since the Mitigation Plan was accepted? – Have you included a brief statement to confirm the
scope?
• Is the evidence uploaded with a description for each file?
• Is there a mapping of actions to evidence?
• Is there a completion date for each action?
76
Mitigation Plan Completion Review
• WECC Subject Matter Experts (SME) conduct reviews
• Analyze Evidence – Were all actions outlined in the plan completed? – Has both procedural and implementation evidence been
submitted?
• Data Requests/conference call if necessary • Notice of Acceptance or Rejection via auto
notification or EFT Server
77
Summary
• Violation life cycle – Submitting violations and mitigation plans – WECC’s review of violations and mitigation plans
78
The Hand-Off 79
Possible Violation Submittal
Technical SME
Review
The Hand-off to Case Manager
Case Manager Review
4 Methods of PV
Disposition
Confirmed Violation
WECC Enforcement Case Managers
Primary Role: Determining Violation Disposition (disposition analysis)
• Violation Disposition • Case analysis • Policy analysis • Assess penalties • Conduct settlements • Build relationships
80
Enforcement Processes 81
Disposition Analysis
• Dismissal • Find, Fix and Track (“FFT”) • Notice of Alleged Violation (“NOAV”) • Expedited Settlement Agreement (“ESA”)
82
Dismissal
• Disposition method used when the Case Manager determines the possible violation is not enforceable – For Example… – Standard Requirement does not apply to Entity – Facts and circumstances warrant a violation of a
different Standard Requirement – Entity produced additional evidence
demonstrating compliance
83
What does a dismissal look like?
• Case Manager will issue a “Notice of Dismissal and Completion of Enforcement Action”
• WECC: – Withdraws the Possible Violation from Entity’s compliance
record – Any data retention directives relating to the possible
violation are released
• Entity: – Does not need to respond to notice – Questions/concerns contact Case Manager
84
Not a Dismissal, Now what?
• Dismissal • Find, Fix and Track (“FFT”) • Notice of Alleged Violation (“NOAV”) • Expedited Settlement Agreement (“ESA”)
85
PVs for FFT Review
WECC Reviews All PVs for FFT Treatment “Strong” FFT Candidates: • Are not Repeat PVs • PV does not reveal programmatic or systematic
shortcomings • Found and Fixed by the Entity • Mitigation Plan has been submitted
86
What does an FFT look like?
• WECC Enforcement will issue a “Notice of Find, Fix and Track” – Remediation Required – No Penalty or sanction – FFT is filed with NERC but does not become a
“confirmed violation”
• FFT will become part of an Entity’s compliance history
87
What to do with an FFT?
• Within five (5) days of receiving an FFT Notice an Entity Must:
• Submit to WECC an affidavit, signed by an officer with knowledge of remediation,
OR • Submit to WECC written notification opting out of
the FFT processing – If an Entity opts out of the FFT disposition, then WECCs
policy is to issue the violation through the traditional NOAV process.
88
4 Disposition Methods
• Dismissal • Find, Fix and Track (“FFT”) • Notice of Alleged Violation (“NOAV”) • Expedited Settlement Agreement (“ESA”)
89
What does a NOAV look like? CMEP Section 5.3
• NERC Rules of Procedure, Appendix 4C §5.3 (“CMEP”) • Alleged Violation Facts • Mitigation Plan Summary (if applicable) • Enforcement Violation Determinations
– BES Impact Statement • Minimal • Moderate • Severe
– Violation Severity Level (“VSL”) – Violation Risk Factor (“VRF”)
• Penalty
90
What to do with a NOAV?
• Submit a NOAV Response within 30 days • The NOAV Response must conform to one of
three options – Agree with the violation AND penalty – Agree with the violation, but contest penalty – Contest both the violation AND penalty
• Failure to submit a NOAV Response within 30 days will automatically result in confirmed violations with penalties
91
NOAV Response: “Option 1” Does not contest
• Does not contest violation facts as alleged in the NOAV
• May identify errors that should be corrected in the “Notice of Confirmed Violation” (“NOCV”)
• Submit a Mitigation Plan
92
Enforcement will issue a Notice of Confirmed Violation within ten (10) days of receiving a NOAV Response that “agrees with or does not contest an alleged violation.”
NOAV Response: “Option 2” Contests Penalty
• NOAV Response will be submitted to Enforcement using the EFT Server within thirty (30) calendar days of receiving the NOAV.
• Submit a Mitigation Plan. • NOAV Response must explicitly contest penalty and
request settlement. – NOAV Response must articulate basis for each penalty – NOAV Response should include a proposed penalty the Entity
believes to be reasonable including the basis for proposed penalty
93
NOAV Response: “Option 3” Contests Alleged Violation & Penalties
• NOAV Response must be submitted to Enforcement using the EFT Server within thirty (30) calendar days of receiving the NOAV.
• NOAV Response must explicitly contest each alleged violation and proposed penalty and request settlement.
• Each Contention must be supported by: – An explanation of the Entity’s position – Basis for Contention – Additional Information or evidence
94
A Word on Penalties
• Attached to violations disposed of using the NOAV or ESA processes
• Based on: – NERC Sanction Guidelines (January 31, 2012) – Penalty Range
• Penalty range depends upon Violation Severity Level (“VSL”) and Violation Risk Factor (“VRF”)
• Penalties are then adjusted for either Mitigating or Aggravating Factors
95
Reaching Settlement 96
NOAV
NOAV Response
C & T Agreement
Schedule Settlement
Work with Case
Manager
Settlement Negotiation
Settlement Agreement
4 Disposition Methods
• Dismissal • Find, Fix and Track (“FFT”) • Notice of Alleged Violation (“NOAV”) • Expedited Settlement Agreement (“ESA”)
97
ESA: Expedited Settlement Process 98
ESA Settlement Agreement
What does an ESA look like?
• Expedites Formal Settlement Negotiations
• The ESA will contain
– Facts and circumstances of the violation – Mitigation Plan Summary – Risk Assessment Summary – VSL and VRF determinations – Penalty determination
99
What to do with an ESA?
• Entity will have 15 days to review the ESA… – The Entity will contact Case Manager with questions or concerns.
• If the Entity accepts the terms of the ESA… – The Entity must submit a signed copy of the ESA to WECC within 15
days of receipt of the ESA issuance.
• If the Entity rejects the ESA or does not respond within 15 days… – WECC will issue a Notice of Alleged Violation and Proposed Penalty
and Sanction.
100
Settlement Agreements & Expedited Settlement Agreements
101
Payment & Closure of Enforcement Action
102
• After NOP becomes effective, WECC issues a “Payment Due Notice”
• The Penalty will be due thirty (30) days from the date the Notice is issued
• Public NOP filings can be found on the NERC website
Enforcement Process Summary 103
Possible Violation Submittal
Technical SME Review
The Hand-off to Case Manager
Case Manager Review
4 Methods of PV
Disposition
Confirmed Violation
• Lifecycle of a Possible Violation • Best Compliance Practices
• http://www.wecc.biz/compliance/Pages/Best-Practices.aspx
• Possible Violation Disposition and Entity Responses
Compliance 101
Brittany Power Data Coordinator
webCDMS 105
• Web-based Application used to collect: o Periodic Data Submittals o Self-Certifications o Misoperations Reporting o Technical Feasibility Exceptions o Self Reports o Mitigation Plan Data
webCDMS 106
• WECC utilizes your entity contact information • Quick Start Guides are available in webCDMS
o From the Help menu, select Documentation • A Digital Certificate is required to use webCDMS
webCDMS Regions
1.WECC 2.MRO 3.SPP 4.TRE 5.RFC
107
EFT Server
WECC EFT Server
108
• Used to collect: o Audit Data o Spot Check Data o Enforcement Data Requests
WECC.biz 109
• Information about WECC Outreach Events • Reliability Standards Subject to WECC
Monitoring – 2015 • Reporting Forms • RSAWs • WECC Compliance Standards Index • Entity Registration • BESnet Login
Compliance Standards Index 110
Standards Resources 111
Reminder: Help Desk 112
WECC Support • Call (801) 883-6879 or (877) 937-9722 • Types of calls for WECC
o WECC.biz Questions o EFT Questions o Registration Questions o Standard Questions o Non-technical Questions
OATI Support • Call (763) 220-2020 • Types of calls for OATI
o Technical Problems o webCDMS Login Problems o Certificate Problems o Access Problems