Q&A and Lessons Learned

Click here to submit your question to SERC staff.
Link to NERC CMEP One-Stop Shop with COVID-19 FAQs

Acronyms
      • A:Updated December 30, 2019
        I would like a better idea of the requirements for Certification for SCADA/EMS scheduled upgrades. We were required to Certify the new SCADA/EMS system when we replaced the old Brand A EMS with Brand B per the NERC Rules of Procedure Appendix 5A Section IV (g).

        Since CIP V5 is now enforceable, the software and hardware replacement cycles will become more frequent and routine as the end of life/patch support ends, etc. I would like to know if one or both of these upgrades with the same vendor (Brand B) would trigger the Certification process; so we can include this consideration in our planning process.

        The decision to certify changes to an already operating and certified Registered Entity is a collaborative decision between the affected Regional Entity(s) and NERC and it is not limited by the considerations identified in the NERC Rules of Procedure, Appendix 5A: Organization Registration and Certification Manual, Section IV Organization Certification Process. Any change (replacement, upgrade, modification, etc.) to an existing SCADA/EMS System should be communicated to the applicable Regional Entity for evaluation and then a determination will be made on the need for a Certification Review based on the facts and circumstances.

        The Regional Entity ideally requires, at minimum, nine (9) months to evaluate, develop and submit a recommendation to NERC.

      • A:October 18, 2016
        Are relay settings considered confidential BCSI?

        While appropriate protection is essential, it is also necessary to avoid overprotection that will create unintended consequences; e.g., relays with setting information that is deemed to be BES Cyber System Information will make it unnecessarily difficult to make repairs.

        Reference: NERC Technical Questions and Answers, CIP Version 5 Standards, Version: June 13, 2014.
        http://www.nerc.com/pa/CI/tpv5impmntnstdy/Technical_FAQs.pdf

         

      • A:2/24/2015

        Would you expect FERC to maintain control of cybersecurity regulations for the near/long-term, or are other regulatory bodies pushing to be involved?

        For the electricity sector, it is expected that FERC and the ERO will maintain the cyber standards for the bulk power system. There is recognition that the electric sector is ahead of other sectors on these matters.

      • A:July 8, 2019

        While providing SERC with a list of "assets" in preparation for a CIP audit, a Transmission Operator noted that the current NERC Glossary of Terms states that a "Control Center" includes "... associated data centers, of ... a Transmission Operator for transmission Facilities at two or more locations ...."  (Note the defined term "Control Center" and the non-defined "data center.")  Therefore, the TOP might list its asset simply as the "Eastern Region Control Center" since the control center and data center are housed in the same building.

        However, if a data center is not co-located with a Control Center but supports it, should they list the data center as an "asset" on its own?  (The data center might be many miles away from the Control Centers it supports.)  Does NERC intend by its definition that data centers are no longer considered individual assets (although they would remain separate PSPs) but are lumped in as a shared resource used by the separate Control Centers?

        On the standard NERC Level 1 Evidence Request Tool, the BES Assets tab could be marked once for each control center (including all associated data centers) with the physical location(s) denoted under the Location column in the same spreadsheet. The separate physical locations of each Cyber Asset or Cyber System would be more granularly described in the CA, ESP, and PSP tabs.

        If the Registered Entity desires to list the associated data center locations separately from their control centers, perhaps owing to a difference in impact levels, they would list them as separate lines on the BES Asset tab but still mark in the Cyber Asset Classification column as Control Center.

        The question also asked about the treatment of an associated data center which was shared between multiple control centers. In that case, the data center would remain a single physical location on the BES Assets tab, but the specific BES Cyber Systems with that physical location and their impact level would be further detailed on the CA tab.

      • A:September 11, 2019
        This registered entity has used NPView to scan networks to verify firewall rules during previous CIP compliance audits. Does SERC have a preferred or required tool for this purpose?

        SERC does not endorse or have a required tool.  However, NP-View is the NERC ERO tool most commonly used currently to evaluate compliance with Firewalls rules.

      • A:June 22, 2018
        Company A is building a Remote Operating Center in our new office. Our desire is to have it meet the CIP Medium requirements. It will be an interior room. The proposed design has three of the four walls being glass, so that people walking by can look in and watch the operators. When looking at the CIP requirements I see a few issues with this design, but would like your opinion on it.

         

        Some Regional Entities have dropped the requirements from CIP Version 3 and deal strictly with the requirements as stated in the latest CIP Version. At SERC, we believe the new requirements build upon those as stated in previous Versions.

        With that said, the auditing staff at SERC would look for points of entry such as hinged pedestrian doors, overhead doors or rollup doors, sliding doors, operable windows, operable roof hatches, operable floor hatches, HVAC grates or access points that attach on the outside of the PSP (screws are able to be removed from outside the PSP), openings above lift tile ceilings, and openings below raised floors to see that these are monitored for unauthorized entry. The entity is also allowed to deploy area motion detection to detect  unauthorized entry into a PSP or an area housing BES Cyber Systems.

        If the glass is stationary then, per the CIP standards, it is considered a permanent barrier.

        If this is a site that would house medium impact BES Cyber Systems without External Routable Connectivity then the only requirement per the latest Version (CIP-006-6 R1.1) would be to define the operational or  procedural controls you have deployed to restrict access.

        If this is a site that would house medium impact BES Cyber Systems with External Routable Connectivity then the only requirement per the latest Version (CIP-006-6 R1.2) would be to utilize at least one physical access control to allow unescorted physical access into each applicable Physical Security Perimeter to only those individuals who have authorized unescorted physical access.

        If this is a site that would house high impact BES Cyber Systems then the only requirement per the latest Version (CIP-006-6 R1.3) would be, where technically feasible, to utilize two or more different physical access controls (this does not require two completely independent physical access control systems) to collectively allow unescorted physical access into Physical Security Perimeters to only those individuals
        who have authorized unescorted physical access.

        If this is a site that would house low impact BES Cyber Systems then the only requirement per the latest Version (CIP-003-7 R2 Section 2 under Attachments 1 and 2) would be to control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.

        Examples of evidence for Section 2 may include, but are not limited to:

        • Documentation of the selected access control(s) (e.g., card key, locks, perimeter controls), monitoring controls (e.g., alarm systems, human observation), or other operational, procedural, or technical physical security controls that control physical access to both:
        1. The asset, if any, or the locations of the low impact BES Cyber Systems within the asset; and
        2. The Cyber Asset(s) specified by the Responsible Entity that provide(s) electronic access controls implemented for Attachment 1, Section 3.1, if any.

        These requirements regarding low impact BES Cyber Systems would not be auditable until January 1, 2020.

      • A:June 5, 2019
        In general, how is SERC treating virtual machines?  If I have five virtual machines that perform reliability functions and my definition of a programmable electronic device does not include virtual machines because they aren’t devices, can I exempt the virtual devices as non-Cyber Assets?

        SERC considers every “virtual machine” as if it was a “Physical Machine,” hence it is classified as a Cyber Asset. Although, a “virtual machine” by definition is not considered an electronic device by itself, it still utilizes the physical hardware of the Hypervisor in a shared function such as the CPU, memory, hard drives, NICs, and any available shared hardware allocated on its hypervisor.

        Each virtual machine has its own hardware and software configuration, hence it is applicable to CIP-010-2 baseline configuration controls, and also CIP-007-6 cyber security controls.

        • A:Updated:  1/1/2019
          What may registered entities expect relative to a timeline for V5 audits (i.e., initial notification letter, etc.)?

          The typical timeline for compliance monitoring activities is as follows: 210 days prior: IRA questionnaire to entity; 180 days prior: IRA Questionnaire due back from entity; 150 days prior: IRA complete; 90 days prior: Audit Notification letter is sent.  With respect to CIP V5, the Audit Notification Letter will detail which requirements are in scope.

        • A:Updated:  1/1/2019
          What is the "commissioned date" for BES Cyber Assets?  July 1?  Or ... 1996? or ? We ask that question since the term doesn't really exist until the new version goes into effect.

          See the instructions for the Level 1 Data Request spreadsheet. If put in service prior to the audit period, leave it blank. If put in service during the audit period, use the date the asset was placed in service. The purpose of the commission date is to determine whether the asset was in place at the beginning of the audit period or was placed in service during the audit period.

        • A:11/15/2016
          There are rumors that some regions are requiring Entities to have an incident response plan test completed on or before April 1st 2017.  Is this something that SERC is requiring of Entities?  Attached is the most current CIP implementation plan that I can find on the NERC website
          http://www.nerc.com/pa/Stand/Prjct2014XXCrtclInfraPrtctnVr5Rvns/CIP_Implementation_Plan_CLEAN_BOARD.pdf
          I cannot find where a test of the incident response plan is required to be completed on or before April 1st 2017.
          As stated in the CIP Version 5 Standards Implementation Dates, April 4, 2016, CIP-003-6 R2, Attachment 1, Section 4, registered entities are required to be compliant on April 1, 2017. The ERO Enterprise expects entities to have documented incident response testing completed on or before the compliance date. On October 20, 2016, during an ERO Enterprise call, NERC confirmed the expectation that incident response testing must be completed by April 1, 2017.
          Link to the referenced CIP Version 5 Standards Implementation Dates document:
        • A:September 28, 2016
          How do the standards address CIP Cyber System Information existing in the “cloud”?

          Per CIP-011-2, R1.2, the registered entity remains responsible for protecting and securely handling BES Cyber System Information, including storage, transit, and use.

        • A:September 28, 2016
          Are IP (and cell and satellite) phones within a Control Center to be treated as BES Cyber Assets?  (Reference the memo from WECC)           

          The IP, cell, and satellite phones would have to meet the definition of a BES Cyber Asset and potentially affect the BES within 15 minutes.

        • A:

          10/16/2015
          Is there an expectation that EACM will include only those systems that complete Electronic Access Control and Electronic Access Monitoring, or would that extend to secondary systems that are used to provide enhanced security (but do not perform compliance activities) to  the primary Electronic Access Control and Electronic Access Monitoring systems?  For example, if you have a system that automatically disables access to support the 24 hour removal requirement but is not the system that performs Electronic Access Control or Electronic Access Monitoring,  would that be included as an EACM?
          Generally speaking, if the system is simply a "nice to have" enhancement that goes above and beyond the access control and monitoring required by the standards (such as a system that runs a report to ensure that other systems have done their jobs), then it would not be included as an EACM, but would likely qualify as an internal control. However, in cases where the “secondary” system is needed to achieve strict compliance with access control and monitoring requirements, that system must be considered a part of the EACMS.

          Regarding the example provided in the question, consider a misuse scenario where the system is compromised and an account is not disabled in a timely manner. Clearly, we would want to make sure that doesn't happen, and the standards’ only recourse is to classify the system as an EACMS and protect it.

        • A:September 6, 2017
          We are filling out the NERC Evidence Request spreadsheet as an internal exercise but have found a few instances where the spreadsheet doesn’t seem to fit some of our scenarios, especially with EACMS and PACS. Is there any additional published guidance/expectations on how to fill out the spreadsheet, or is there someone at SERC who can provide guidance? We want to make sure our approach/assumptions are acceptable. Some example scenarios have been provided below.

          Example Scenarios:

          Recording an EACMS Cyber Asset that resides outside an ESP on the CA tab.

          • Example 1:  An individual EACMS or PACS Cyber Asset may be associated with more than one Asset ID.
            In this case, we’ve been including all associated Asset IDs as a delimited list within the Asset ID field. Log aggregation systems and PACS are examples that support/protect multiple Asset IDs listed on the BES Assets tab

          Recording log collectors on the CA tab (column M).

          • Example 2:  This is another case where several Cyber Assets accomplish the log aggregator function.
            We believe the primary Cyber Asset that’s configured to collect the logs in the log aggregator system should be recorded, not all Cyber Assets within the log aggregator system that may be a backup to the primary log collector. Taking this approach, all Cyber Assets that perform a log aggregation function are recorded as an EACMS (1 per row), but not all Cyber Assets in the log aggregation system will be associated with BCAs in the spreadsheet. We don’t know if this is the correct approach.
          • Example 3:  Log collectors for EACMS and PACS aren’t Cyber Assets under the CIP program (hall of mirrors problem) but are also the systems from which compliance evidence is provided.
            There’s no Cyber Asset classification on the list that fits this scenario but the requirement applies to EACMS and PACS. We’ve intentionally left these fields blank with the assumption that only those Cyber Assets that fall under the CIP program and perform log collection for BES Cyber Assets are the ones that should be included.

          Recording deactivated Cyber Assets

          •  Example 4:  We’ve assumed that the spreadsheet represents “current state”. Therefore, columns that would no longer apply (such as ESP Identifier) would be left blank.

          Entities can download the NERC guidance document from the CIP V5 Transition Program page located at: http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx 
          Note: The ERO is in the process of reviewing; so stay tuned.

          The zip file includes the “CIP Version 5 Evidence Request User Guide v1.0.pdf” document that contains the instructions from NERC on how to fill out the spreadsheet. NERC is working on an update to the spreadsheet. SERC also has a modified spreadsheet that can be populated and used as audit evidence. Here are links to the SERC documents. NOTE: The SERC documents are subject to change at any time. Whatever CIP evidence collection method is in effect at the time of the audit is the method entities will be expected to use. 

          Example 1: Listing all associated Cyber Assets as comma delimited is correct.

          Example 2: Please list all Cyber Assets that are part of the log aggregator system. Assess whether each Cyber Asset is required for operation of the log collector and whether, if it is compromised, it can affect logging and monitoring functions. Please note that redundancy does not affect the impact of the Cyber Asset.

          Example 3: Leaving that field blank is acceptable since these assets do not meet the definition as EACMS in the NERC Glossary of Terms.

          Example 4: List the information that is accurate when the Cyber Asset was decommissioned or removed from the network.

        • A:July 24, 2017
          How is routable connectivity defined when using serially connected devices? Is a protocol break required? Reference Lesson Learned CIP Version 5 Transition Program Communications to BES Cyber Systems and BES Cyber Assets, November 9, 2015.

          Referring to the document “Communications to BES Cyber Systems and BES Cyber Assets Version: November 9, 2015.” As noted in the last full paragraph on page 3 (just below Figure 1), the language within the Standard is unclear enough that this issue has been referred to the Standards Drafting Team for consideration in future Standards. Referring to Figure 1, right side of the drawing. The problem arises when the port server, which has an IP address and is accessible from any machine, has serially connected devices attached to it. Although the serially connected devices in the drawing have no IP addresses, they are network accessible since the port server has the IP address and the serially connected devices attached are attached to specific assigned ports. The same drawing, on the left side, provides a suggested remediation that should be considered. Note the use of the intermediate system. It would be helpful to clarify that, while the standards drafting team is working on addressing the ambiguity, the serial devices do not have Interactive Remote Access. However, recognizing the potential security risks with this architecture, it is a best practice to use an Intermediate System or something equivalent.

        • A:July 24, 2017
          If an internet protocol (IP), transmission control protocol (TCP), or user datagram protocol (UDP) port is established on a host but not accessible from any system on the local or remote network and was never a “listening” port, is that still considered a logical network accessible port that needs to be included on the baseline?

           

          Entities should include established IP, TCP, UDP, etc. ports on their baselines. These ports are considered network accessible.

           

           
        • A:10/16/2015
          Does SERC plan to do site visits for assets that contain Low Impact BES Cyber Systems?
          Maybe.  There is a wide variety in the scope and impact of low impact BES Cyber Systems, and SERC will target sampling and possibly site visits based on risk and impact.  For example, registered entities that have undergone a generation segmentation process at very large plants may require a site visit to ensure that the registered entity has completed the segmentation appropriately.  Similarly, large transmission stations may have both medium and low impact components, and SERC could assess the low impact portion during a medium impact site visit.  An audit of an entity that has only low impact BES Cyber Systems may include a site visit to a low impact field location if there is an on-site component to their audit.
        • A:10/16/2015
          How will physical controls be audited for assets containing Low Impact BES           Cyber Systems?
          The key phrases for low impact physical security are “control access” and “based on need as determined by the Responsible Entity.”  The audit approach would ask a) how is access being controlled, and b) how is the Responsible Entity determining whether an individual _needs_ to have access.  The audit would examine the procedures being used to answer these questions, and may involve a site visit to ensure that access is being controlled as the procedure states.
        • A:2/24/2015

          Medium impact generation facility: Could there be cases when a forced outage could qualify as a CIP exceptional circumstance? 

          CIP exceptional circumstances have taken the place of the provision for emergency situations in Version 3. With that in mind, a weather emergency like a tornado or hurricane bearing down on the generation facility; a police action like a rail car of toxic gas that derails; a medical emergency within a protected area; or a fire at the facility requiring a general evacuation should qualify. The fact the generator itself caused a forced outage would not necessarily qualify. Areas should still be protected from unauthorized physical access, and cyber assets should continue to be protected from logical access.

        • A:10/16/2015
          Is a workstation used for badging considered PACS? Is a controller panel considered locally mounted hardware? 
          No, if the workstation is only used to produce access “badges.” Yes, if the workstation actually performs a logical task in regards to physical access control. A controller panel is considered to be a part of the PACS (especially if the device performs the logical function of physical access control). A locally mounted badge reader that does not perform logic tasks is considered hardware.
        • A:September 28, 2016
          When commercial software that contains open-source components is installed, are you required to look at those open-source components separately for patching or can they be included in the patch process for the commercial software?

          The registered entity is responsible for defining its patch source; however, there is an expectation for due diligence to mitigate vulnerabilities of installed software. Please refer to CIP-007-6, R2.1.

        • A:September 28, 2016
          Can a PSP exist within a PSP? How should further segmentations within a PSP be treated?

          Yes, a registered entity can have a PSP within a PSP; however, the definition of a PSP within a PSP will be based on the entity’s implemented access controls and authorization.

        • A:May 5, 2017

          1.  Using the diagram below, is the entire substation router considered part of the ESP?  Or only the Electronic Access Point interface where access control is restricted?

          NERC defines the ESP as “The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.” The ESP depicted in the drawing is a logical border. The router is subject to the CIP requirements as an electronic access control system.

          2.  Are you familiar with the console “management” port on Cisco routers and switches? These cannot be addressed with an IP address, and they do not support routing. To access the console port, you must connect a device to it via a serial cable and use terminal emulation software to access the device. If a laptop is temporarily connected to the console “management” port, should it have all the controls of a Transient Cyber Asset? Authorized? Approved software?  Patch Management?  Approved users?

          If a registered entity connects a laptop to the console port of a BES Cyber Asset or PCA, the entity must protect the device per the CIP standards. NERC defines a Transient Cyber Asset as “A Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA), and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.” Based on the scenario presented, the laptop meets the Transient Cyber Asset definition and must be treated as such.

          3.  Is this different for a router where only a portion of the router (EAP) is part of the Electronic Security Perimeter and a switch that is completely inside the ESP?

          Based on the drawing, the registered entity should evaluate the router for consideration as an Electronic Access Control or Monitoring System. In addition, the registered entity should assess the switch within the ESP as a possible Protected Cyber Asset or BES Cyber Asset. The registered entity is responsible for ensuring the devices meet the applicable requirements based on device classification.

          4.  Can we use some sort of permanent device, e.g., Remote Site Gateway, to access the console “management” port? In this case, the Remote Site Gateway would NOT be connected to an Ethernet port on any device either at the boundary or inside the ESP. The remote site gateway would be remotely accessed via the business IP network and then access to a NERC CIP device through a serial connection.

          All Cyber Assets that have direct connectivity to BES Cyber Assets should be identified and assessed using the appropriate BES Cyber Asset, Electronic Access Control or Monitoring System, and Protected Cyber Asset definitions. In particular, the Cyber Assets, and associated network connections, should be evaluated based on the definition of Interactive Remote Access. The registered entity should conduct the review based on accurate network drawings showing the entire data path used in the management of the cyber assets. In addition, the registered entity must maintain documentation detailing the connectivity through the Remote Site Gateway.










        • A:Updated:  1/1/2019
          If a vendor says that a required action is not technically feasible but the entity has determined it is possible, how should this be handled? Should a TFE be filed?

          If strict compliance is technically feasible, then it must be implemented, and a TFE is not required. If strict compliance is possible but not technically feasible, then a TFE is required.

        • A:March 1, 2016
          Under CIP version 5/6, can visitor logs be amended on the same day even after the visitor has left the PSP for the day? Even longer?

          No, the expectation is that the logging process will provide accurate entry and exit times for each visitor at the time of the entry and exit.

          If logs are not being maintained accurately, consider whether a self-report is required.

        • A:2/10/2017

          Can inbound and outbound access controls be split between two interfaces/EAPs

          Possible answers following continued clarification.

          1. If this refers to separate physical interfaces on a device, then no. The inbound and outbound cannot be split between the two interfaces as the requirement is that the inbound and outbound access requirements are necessary for each interface.
          2. If referring to an Access Control List (ACL) as an interface or EAP, then yes. There may be two separate ACLs, one governing inbound traffic, the other governing outbound traffic. For some devices, this may even be the default access control scheme.
        • A:10/7/2014

          For those Registered Entities that had no assets under Version 3, will that impact their inherent risk assessment under RAI for Version 5?

          The number of Critical Assets as well Critical Cyber Assets is considered when conducting an inherent risk assessment.  If a Registered Entity had no such assets under V3 but will have Medium or High BES Cyber Systems under V5, the risk assessment team would assess the impact of including those assets against the ERO/Regional Risks.  The risk assessment team would also consider the impact rating of these newly identified assets, compliance history, previous CMEP monitoring methods/frequency among other items.

        • A:10/7/2014

          What is SERC's expectations for tracking dates during the transition to V5?  May we do it by Requirement, device, site level, system?  Will a final date that all systems were switched to V5 be acceptable?

          Registered Entities will need records of implementation to support the partial and transitional phase of implementation into CIP V5.  Registered Entities will also need records documenting the date an asset is moved into CIP V5 from CIP V3 until CIP V5’s date of compliance becomes active.  New assets should be developed and implemented into CIP V5 from their start.

        • A:2/13/2013

          If your Reliability Coordinator (RC) has agreed to be your TOP through a contractual agreement, does your control center fall within the “medium” or “low” criteria for CIP?  If “low,” does this change to a “medium” if your control center can operate BES equipment that the RC control center cannot?

          The answer depends on the functions being performed in the control center for one or more of the assets that meet the criterion of CIP-002-5, which determine whether the BES Cyber System is classified in the High-Medium-Low Impact Rating. However, as suggested by the question, the Impact Rating of an asset could be raised or lowered based on the transfer of these functional obligations to another Registered Entity in a contractual agreement.

          Also see CIP-002-5 question in the Standards category: How should  a TO facility that has a jurisdictional control agreement with a TOP control center be classified?

        • A:Updated:  1/1/2019
          How is audit data or information submitted for enforcement actions handled by SERC and where is it stored?   Explain what controls exist over data that may be stored off-site.

           

          All files that are submitted by a registered entity to SERC in order to demonstrate the registered entity's compliance (or return to compliance) with the CIP Standards are considered Protected Entity Information (PEI). All such files are stored on dedicated hardware within a secure data center.

        • A:

          Updated:  1/1/2019
          If SERC has outsourced their IT organization, who is supporting access to registered entities’ PEI?  Who is vetting the admins from that group and the whole process for protecting that information?
          Currently SERC has contracted with Walser Technology Group (WTG) to maintain the SERC IT infrastructure.    WTG has been performing work for SERC for the last several years, so they do not represent a new or unknown risk.  Employees of WTG are subject to the same background screening (PRA) as any SERC employee.  The process for protecting PEI has become more stringent since WTG took over the IT function. The methods of PEI transfer have been greatly restricted.  Once the PEI is in SERC’s hands, it is scanned for viruses, before being transferred to the SERC PEI server. The PEI server is located inside its own enclave, and is accessible only via a dedicated VPN appliance.  Access to this server is limited to SERC employees with a demonstrated need-to-know, and each such employee has a separate user name and password for VPN access to the PEI server.  PEI remains on SERC-owned cyber assets throughout the process.

        • A:11/14/2013

          Moving forward, is it possible to allow a Registered Entity to store CIP protected information used in preparation for an audit (ahead of the audit) rather than sending the information to SERC?  There are specific concerns about sharing information related to CIP-005 and CIP-007.

          Most Registered Entities have reviewed SERC’s PEI program, which was designed to conform with general cyber security best practices; and have seen the value of minimizing the on-site audit time and process. While SERC is willing to further explain the PEI process to assuage any specific concerns a Registered Entity may have, this is a necessary tool to improve our audit process.

        • A:11/14/2013

          Under CIP Version 5, do physical security perimeters need to be defined in three dimensions or, for example, would a fence around substation or a generating plant suffice?

          The CIP-006-5 Standard states in Section 4: “While the focus is shifted from the definition and management of a completely enclosed “six-wall” boundary, it is expected in many instances this will remain a primary mechanism for controlling, alerting, and logging access to BES Cyber Systems. Taken together, these controls will effectively constitute the physical security plan to manage physical access to BES Cyber Systems.” 

          That being stated, at a Generating Plant or Substation, it may not be possible to produce a six-wall boundary in many circumstances. While a fence is a good start, it could be considered one layer of physical protection, but should not be the only mechanism. According to CIP-006-5, the aim is “physical security defense in depth via multi-factor authentication or layered Physical Security Perimeter(s).”

      • A:March 9, 2018
        Per the NERC BES FAQ:

         7.3. When do compliance obligations begin for newly built Elements that are classified as BES Elements under the new BES definition?

        After July 1, 2014, for those newly built Elements that qualify as BES Elements, Entities must be compliant for that Element as of its energization, as per current processes. Existing Facilities that are now part of the BES and remain a part of the BES must remain compliant at all times.

        For example, however, the protection system assets that PRC-019 cover require commissioning testing, which comes after energization. Should an entity consider compliance necessary once commissioning test is complete but before the in-service date?

        Newly built Elements that are classified as BES Elements under the new BES definition should be compliant prior to that Element being placed in service and added to the pool of BES Assets.

        Compliance includes coordination of the voltage regulating system controls, including in-service limiters and protection functions, with the applicable equipment capabilities and settings of the applicable Protection System devices and functions covered under PRC-019-2.

      • A:12/21/2015
        What is the difference in general, for the NERC Reliability Standards Enforcement Date vs. Effective Date? NERC's webpage of Enforcement Dates indicates the Enforcement Date is the date on which the standard becomes mandatory and enforceable in accordance with the existing laws of the jurisdiction and the approval granted by the regulatory authority.

        Within the Implementation Plans the effective date is used.

        • When is an entity required to demonstrate compliance? Enforceable or Effective Date?
        • Is the Enforcement Date and Effective Date the same?
        • What is the effective date?
        • What initial date should be used to calculate "the first calendar day of the ninth calendar quarter" (example from CIP V5)? 

        Effective date is defined in the NERC Rules of Procedure as “the date or pre-conditions determining when each Requirement becomes effective in each jurisdiction.”  The effective date is used in FERC Orders, Reliability Standards and implementation plans to identify the date from which to calculate the mandatory enforcement date.

        The term Enforcement Date is not in the NERC Rules of Procedure, but is used by NERC to describe the date at which a registered entity must comply with a Reliability Standard or requirement. 

        For example, PRC-005-2 was approved by FERC on 12/19/2013.  The regulatory approval date, normally 60 or so days after being published in the Federal Register, was February 24, 2014.  The effective date was the 1st day of the 1st calendar quarter following regulatory approval (April 1, 2014).  The enforcement date or 100% compliant date for R1, R2 and R5 was 12 months following applicable regulatory approval (April 1, 2015).

      • A:Updated:  1/1/2019
        We may be upgrading a facility’s excitation equipment. Is there a Reliability Standard or SERC criteria that references any notifications, we need to perform prior to installation? If so, what is that time constraint?

        From an operations standpoint, TOP-003-3 R1 and TOP-003-3 R5 require coordination of generator availability prior to the outage. If the generation unit is going to be unavailable for more than six months, the outage has to be coordinated with the Transmission Planner and Planning Coordinator through the planning model process per TPL-001-4, R1.

        When changes are made to excitation equipment, PRC-019-2, R2 (effective July 1, 2016) requires Generator Owners to coordinate equipment or setting changes that affect Protection System settings within 90 calendar days following the identification or implementation of such changes. MOD-026-1 R4 requires each Generator Owner to provide revised model data or plans to perform model verification (in accordance with Requirement R2) for an applicable unit to its Transmission Planner within 180 calendar days of making changes to the excitation control system or plant volt/VAR control function that alter the equipment response characteristic.

      • A:December 8, 2016
        Description of the Violation, Issue, or Trend

        Entities discover that they have attributed incorrect Facility ratings, performed incorrect or inadequate maintenance and testing practices, and established inadequate Protection System setpoints. These issues related to legacy systems and related documentation, procedures and practices prior to the initiation of mandatory and enforceable Reliability Standards. 

        Risk Considerations
        N/A

        Description of Mitigation Activity
        These violations have a broad range of possible risks. Inaccurate Facility ratings may result in inadequate contingency planning and unplanned outages. They reach into long-term planning and Available Transfer Capability. Inadequate maintenance and testing practices may result in Protection System misoperations. Errors in establishing relay setpoints may cause premature generator trips and incorrect relay coordination. All of the above reduce the reliability of the Bulk Power System.

      • A:May 4, 2017
        Across all standards, entities would appreciate better clarity regarding enforcement dates in implementation plans. 

        SERC and NERC are keenly aware of the difficulty and confusion that results when attempting to determine effective dates of Reliability Standards.  NERC has taken steps to reduce the confusion by eliminating the term “Enforcement Date” from their postings and is using only the “Effective Date”.  NERC posts the Effective Date and the Implementation Plan on its “One-Stop-Shop” (see the NERC Standards Page, top link in blue column) in an effort to consolidate all of the information in one place.  NERC publishes a Weekly Standards and Compliance Bulletin that includes the effective date for all FERC-approved requirements as soon as they are known.

        SERC publishes effective dates in its monthly Transmission newsletter to Registered Entities and discusses them at committee meetings and outreach activities.  The SERC FAQ process is available if Registered Entities have specific questions.

      • A:November 2, 2018
        I have a couple of scenarios, trying to determine if they would be considered a true Fault condition or Misoperation?  
        1. Unit trip due to a generator protective relay (multifunction microprocessor). During troubleshooting a loose wire was found in the neutral ground cabinet.
          • Would this be considered an operation only? Not a Misoperation?
            • Fault as per the NERC Glossary of Terms:
              • Fault - An event occurring on an electric system such as a short circuit, a broken wire, or an intermittent connection.
                • Is electric system considered transmission system or control system or both?
          • Would this be considered a Misoperation?
            • 6. Unnecessary Trip – Other Than Fault – An unnecessary Composite Protection System operation for a non-Fault condition. A Composite Protection System operation that is caused by personnel during on-site maintenance, testing, inspection, construction, or commissioning activities is not a Misoperation.               
        2. PT fuse blows and unit trips through any protective relay?
        • Would this be considered a Fault condition? Therefore be considered an Operation only? Not a Misoperation

          or

        • Would this be considered a Misoperation?
        • 6. Unnecessary Trip – Other Than Fault – An unnecessary Composite Protection System operation for a non-Fault condition.

        One thing that would help would be a clarification of “an electric system” within the definition of a Fault?

        Response:
        A Misoperation is the failure of a Composite Protection System to operate as intended for protection purposes. Misoperations of a Protection System include failure to operate, slowness in operating, or operating when not required either during a Fault or non-Fault condition.

        In question 1 the loose wire would fall into the NERC Glossary definition of a fault as defined for an intermittent connection. The generator protective relay operated as intended for protection purposes during a Fault condition so this would be not be a Misoperation. 

        The term electrical system is not defined in the NERC Glossary, but as defined in Webster’s, an electric power system “is a network of electrical components deployed to supply, transfer and use electric power.”  Transmission and control systems would be part of the components that make up the electrical components of an electric power system.

        In Question 2 a determination would need to be made as to what caused the PT fuses to blow.  This determination would be used to decide whether this was a Fault or non-Fault condition.  Again as in question 1, if the protective system operated as intended for either a Fault or non-Fault condition for which it was designed for protection purposes, then this would not be a Misoperation.

        For any operation of a protection system device the overall performance of an Element’s total complement of protection should be considered when evaluating an operation.

        • A:May 14, 2015

          Please confirm whether SERC or any other NERC region provides certification for its compliance auditors.

          NERC and SERC do not provide certifications for auditors but do support ERO and Regional audit staff getting applicable audit certifications from the appropriate providers. NERC does have a “NERC Certified System Operator” certification, and several SERC auditors hold that certification.

        • A:December 14, 2016
          Description of the Violation, Issue, or Trend
          Entity provided table tents with the names of their subject matter experts and SERC Auditors during the audit. This facilitates the audit questioning process and SERC's ability to effectively document who said what with correct names. 

          Risk Considerations
          N/A

        • A:6/22/2015

          Description of the Violation, Issue, or Trend
          Registered entities have used legal or the Primary Compliance Contacts to act as a spokesperson/mediator instead of permitting the Subject Matter Experts (SMEs) to directly interact with SERC auditors.

          Risk Considerations
          This could slow the progress of the audit or hinder the SERC auditors’ ability to capture the actual process or walk-through in the documentation.

          Other Factors or Comments
          Auditors should have direct access to SMEs to permit the efficient and effective capture of evidence and knowledge. This will assist with the progress of the audit, and will get employees back to normal work assignments.

        • A:2/25/2015

          Would SERC be willing to commit to making their audit plans, RSAWs, work papers, etc. available to registered entities (drafts and final documents)?

          SERC believes in transparency and walks each registered entity through the audit process and expectations. However, SERC will not be sharing finalized RSAWS or work papers.

        • A:September 13, 2016
          Description of the Violation, Issue, or Trend
          A key element of auditing is to validate that the evidence being reviewed is complete and accurate. When the evidence is a list or spreadsheet that has specific criteria to be met, the auditor must verify that all elements that may be applicable are vetted, and that the decision to include them or exclude them is accurately executed. In some cases, this will require including items that will be excluded from the list because they do not meet the required criteria. For example, while distribution substations are generally out of scope for NERC CIP Requirements, there are specific cases where they will be in scope. For example, if a distribution substation is part of a Special Protection System or a required part of a Blackstart cranking path, that substation may contain Low Impact BES Cyber Systems and thus be subject to the CIP Requirements. The best practice is to document everything that is vetted and could, under specific conditions, be assessed as in scope for the Requirement.

          Risk Considerations
          N/A

          Description of Mitigation Activity
          N/A

        • A:January 12, 2017
          We are implementing a new compliance software solution that has the ability to control the electronic approval of documents.  Is this evidence acceptable to SERC, or will we still be required to have an actual "wet" signature on all of our compliance documents that require signatures?

          Electronic approvals or signatures are acceptable as evidence.

        • A:March 1, 2016
          Are standards and requirements being removed from audit scope based on SERC conducting an entity IRA, or can audit scope only be decreased by participating in the ICE program?

          The IRA conducted by SERC will result in the initial compliance monitoring scope for the registered entity.  Upon completion of the IRA, the summarization will be shared with the entity, and it’s the entity’s opportunity to identify possible errors (e.g., incorrect information, etc.).  Once the entity responds, SERC also ensures that it has not missed any key data points or information.  Based on the Entity and SERC’s additional reviews, there could be an increase or reduction of standards/requirements based on what information may have changed.  For example, SERC has conducted additional reviews and found that not all of the Implementation Plans (NERC/SERC/Other Region for MRRE) were properly selected in the “IRA Tool.” Therefore, an entity’s audit scope may have appeared to increase. However, it wasn’t necessarily an increase but an error correction.  For those entities that have received their IRA summarizations, SERC does see a decrease in the number of standards and requirements monitored via audit from previous years.  Those numbers vary based on the characteristics of the entity. 

          The IRA process is the one of the initial steps in risk-based compliance monitoring. Information is assessed against risk factor criteria, which in turn has been mapped to standards and requirements.  There is some professional judgment that is used in the IRA process. However, SERC primarily uses the Internal Controls Evaluation to potentially reduce the monitoring scope.

        • A:March 1, 2016
          Can SERC provide some metrics on how many entities have had requirements removed/added to audit scope based on a SERC IRA or participation in the ICE program? If so, were any entities registered as a BA, TOP, or RC?

          The IRA process does not remove standards/requirements from the audit scope. There is no longer an Actively Monitored List for entities. Therefore, the starting point for standards/requirements in scope is ANY standard or requirement that is applicable to the function for which the entity is registered.  The NERC/SERC Implementation Plans add additional focus to identified risks, and then the entity’s characteristics determine the rest.

          SERC has had approximately 12 entities “formally” participate in Internal Control Evaluations.  There has not been any reduction of standards/requirements based on ICE, but there have been many instances in the reduction of sampling. The entities that experienced a reduction in sampling were registered as a BA, TOP, or RC.

          How much time / effort is being saved and by whom?  Is it too early to tell?  Has the efficiency of using the above to target requirements based on risk been realized?

          The implementation year was 2015, and SERC, as well as the registered entities, has spent a lot of time and resources in reviewing, implementing, and developing internal controls. SERC expects that the efficiency will be realized in year two or three of the program once greater clarity is gained around expectations and as the controls mature.

          Will SERC make the current ICE form available to entities who have not participated?

          The ICE process is detailed on the SERC website, and the Internal Controls Survey template is available to the public.  SERC has worked with other entities that have declined ICE participation.  Based on resources available, SERC will provide the spreadsheet and a couple of risk factors (mapped to standards/requirements) and will work through the process with an entity.  Although it may not impact the current compliance monitoring engagement, it may provide training to the registered entity for Internal Control development and implementation.

           

        • A:2/24/2015

          Does SERC plan to publish the standardized data request for audits? If so, what is the anticipated publication date? (For example, a population of assets and format) 

          No. SERC will continue to make data requests as is currently done.

        • A:6/22/2015

          Description of the Violation, Issue, or Trend
          Registered entities have had issues with data/evidence retention in past audits. During the span of the audit periods, registered entities have lost or not retained all audit evidence.

          Risk Considerations
          If registered entities do not have an established document retention program, information can be lost; this could lead to an issue of noncompliance.

          Other Factors or Comments
          Registered entities should establish a process for retaining its audit documentation/evidence. In addition, a back-up person should know the process and periodically audit it to make certain the evidence is whole, complete, and accurate.

        • A:Updated:  1/1/2019

          How will data sampling and selection be handled?

          Sample sizes may be determined in part by the results of the optional Internal Controls Evaluation (ICE). If a registered entity chooses to participate in ICE and is found to have good internal controls, auditors will likely opt for a smaller number of samples. Sample selection will depend upon the Standard and Requirement involved, but will typically be a mix of statistical randomness and professional judgment. Sampling will be performed in accordance with the NERC ERO Sampling Handbook. An application called RAT-STATS (Regional Advanced Techniques Staff-Statistical) is used to generate a random sampling from a numbered list. Professional judgment generally aims to include a representative mix of samples, but can also be used to hone in on historic problem areas.

        • A:10/16/2015
          Where does the ISME program stand for CIP audits going forward?  Can the ISME participate in the off-site part of the audit?
          It will continue.  Yes, the ISME may participate in the off-site portion of the audit. The Audit Team Lead is responsible for assignments. See additional information about the ISME program.
        • A:2/24/2015

          SERC’s pre-audit survey: If SERC is asking questions to determine a registered entity’s risk, how are they using these questions to determine a registered entity’s risk? Is cost a factor? Who has access to the information provided by the entity? Some of the questions are not directly related to a particular standard. (Example: List all fuel contracts; the number of spare transformers on site; the turnover rate)  
          QUESTION:  What is the risk of not responding to pre-audit survey questions?

          The pre-audit survey has been modified to only include logistic type of information, while the risk-based questions are now asked in an IRA questionnaire.  Each IRA questionnaire is specific to a registered entity; and consists of questions directly related to ERO or Regional identified risks, which are mapped to Standards/Requirements. SERC Reliability and Compliance personnel have access to the information. However, it is protected to ensure only personnel with a need to know have access. SERC creates the IRA questionnaire based on information that the Region currently has on the registered entity. If a registered entity chooses not to respond to the questionnaire, the Inherent Risk Assessment may not correctly reflect the level of risk that the entity could pose to the BPS.

        • A:March 1, 2016
          Given that an entity may choose to perform a compliance task more often than a standard may require as part of an internal control, if that entity fails to perform that action as scheduled but within the timing requirements of the standard, will the auditors hold the entity to its own stated schedule or to that of the standard?

          That would depend on the specific standard and how the process document is written.  You may want to re-evaluate the effectiveness of the control. PRC-005-1.1b had no testing interval defined, and the entity was/is required to meet their own defined schedule.  PRC-005-2 defines the testing interval, but also caveats that, if the entity has a shorter interval and misses it but meets the defined interval, they still remain compliant.

          Entity Assessment Single Points of Contact would hold the entity accountable to the language of the Standard/Requirement.

          If the standard has a specific requirement and the requirement is met, even if the entity procedure is greater than the requirement, we will audit to the standard. If the requirement is to develop and implement a program, we will audit to that program.

        • A:12/1/2015
          There are several versions of RSAWs out there. In the past (our last audit), we used the format you showed in this presentation for both the O&P and CIP audits.  However, the new format coming out now has a table version of this information.  We were assuming that the new format should be used, regardless of what is pre-printed in the blank RSAW.  With audits coming up next year, what format do you want us to use for consistency?

          Generally, you may use the format that is in that particular RSAW for that particular standard. Communication with your audit team lead (ATL) is very important. Talk with your ATL regarding formatting of the RSAWs for your particular audit, if you have additional questions. The RSAWs for your audit will be placed on the SERC Portal in the audit committee for your audit in the blank RSAWs folder.

        • A:Updated:  1/1/2019
          Please provide guidance on how auditing is done within shared facilities?  Example, a substation with systems from two registered entities.
          Auditing is performed as defined in the Audit Notification Letter which defines the scope of the audit.

          In cases where more than one entity has BES Cyber Assets or BES Cyber Systems at a facility, there should be a written agreement that defines the responsibilities of each entity. For example, if one entity is providing all physical access control for a medium substation, that should be clearly documented. If a Possible Violation were found, the auditors would expect the second entity to review the information and consider appropriate action they should take to maintain their compliance with the standards (this could be a Self-Report).

        • A:3/18/2014

          How are attestations to be handled? When should attestations be updated and signed?

          Attestations should be worded to cover the entire current audit period and cover all elements of the Requirement.  A Registered Entity may sign and date attestations anytime from the date of the Audit Notification Letter to the date of the onsite portion of the audit.  However, the Registered Entity must notify the Audit Team Lead if the conditions of the attestation change after signing and dating it.  The Audit Team Lead will be able to provide a Registered Entity more information on the timing and specific wording of different attestations.

        • A:Updated:  1/1/2019

          Regarding consistency of the process for the two-week post-audit period, what is that process?

          During the two week period after an audit, the Audit team and SERC management perform a quality review of the Audit process and Audit findings to ensure consistent treatment of registered entities during the audit process.

        • A:10/5/2014

          Description of the Violation, Issue, or Trend
          Now that Registered Entities are providing audit evidence for review well in advance of the onsite audit, SERC auditors are facing new challenges when evaluating the evidence.  Most requirements warrant several evidence files each, however, when faced with several files at once, it can be difficult to know where to begin.  Sometimes, there is valuable introductory information in one of the files but auditors may not become aware of that information until after working through several other files.  Furthermore, since every Registered Entity uses a different combination of tools and approaches, the meaning of an individual file can be difficult to understand as auditors may not know what application generated the file or what parameters were used.

          Risk Considerations
          The most important risk posed by this problem is that auditors will misunderstand the evidence being presented and will arrive at an incorrect conclusion.  This could result in the incorrect issuance of a Potential Non-Compliance or, conversely, could result in failure to detect a serious compliance issue.  However, it is much more likely that the audit team will find it necessary to schedule additional conference calls with the Registered Entity in order to alleviate confusion, which requires the investment of significant additional time from SMEs.  This could make null one of the key benefits of the off-site documentation review.

          Description of Mitigation Activity
          Registered Entities could greatly aid the speed and efficiency of the off-site portion of the audit andreduce the time demands placed upon the SMEs by providing a small amount of explanation with each group of evidence files.  A simple text file entitled “ReadMe” could be used to give auditors some background information on the evidence files being submitted, such as the best order in which to review the files.  In cases where an evidence file consists of system-generated output, the ReadMe file could include such details as the name of the application that generated the output, what reporting parameters were used to generate the output, and/or which of a spreadsheet’s columns are pertinent to the Requirement in question.

        • A:Updated:  1/1/2019 

          Registered Entities were originally told there would be a cut-off date for audits (only looking at compliance information up to that date).  But now, Registered Entities are being told that SERC staff is looking at information up to the date of the audit. This means extra attestations, data, and work.  Why carry an audit scope up to the date of the audit?

          In accordance with the NERC Rules of Procedure Appendix 4C Compliance Monitoring and Enforcement Program (CMEP), SERC defines the End Date of the audit period as the date the Audit Notification Letter is issued to the Registered Entity (which is at least 90 days prior to the commencement of a regularly scheduled audit).  If the SERC audit team discovers a potential noncompliance occurring subsequent to the End Date, the potential noncompliance will be subject to a Preliminary Screen pursuant to Section 3.8 of the CMEP.

        • A:9/30/2014

          Is SERC scaling back on the ISME compliance audit participation?  Is the participation only going to be for documentation and evidence review and not for the on-site part of the audit?

          No, SERC is not scaling back on the ISME participation.  Because SERC is now doing more pre-audit evidence reviews, there may, at times, be less need to spend the full week on site.  Also, there may not be a need for the entire audit team to be on site.  It is at the Audit Team Leader’s discretion as to whether the entire team is needed on site or not and which team members are needed most.

        • A:3/18/2014

          If a Registered Entity provides mock audit information, how will that information be used? (In the Pre-Audit survey, SERC staff asks if the Registered Entity has done any pre-audit mock audits. If the response is yes, SERC staff requests the information.)  Is there a draft process for this?

          Using mock audit information can reduce the work required for a Registered Entity’s audit. Generally Accepted Government Auditing Standards (GAGAS) (The Yellow Book) permits auditors to utilize the work of others when performing audits or compliance reviews.  In accordance with this guidance, SERC auditors have drafted a process that allows the team to utilize the results of mock audits in lieu of testing every individual Reliability Standard and Requirement under certain conditions.

        • A:3/18/2014

          What is SERC’s risk assessment leading into the audit going to be? Fully subjective? Objective?  In the past this has been subjective. Has this been re-thought? Once scope is determined, is it going to be applied to all compliance monitoring or just the audit?

          SERC's risk assessment will be based on common risk criteria that will be applied to all of its Registered Entities.  All audit engagements entail professional judgment by the risk evaluators and audit staff.  However, by ensuring common risk criteria and common risk thresholds, SERC staff will ensure a more consistent approach across Registered Entities. Risk-based compliance monitoring will affect the scope and implementation of all CMEP activities.

        • A:12/31/2014

          Description of the Violation, Issue, or Trend
          In preparation for compliance audits, Registered Entities are asked to fill out the relevant Reliability Standard Audit Worksheets (RSAWs).  Depending on the scope of the audit, completing this step all at once may monopolize the Registered Entity Subject Matter Experts’ (SMEs) availability for a significant time period.

          Risk Considerations
          One of the most important risks is that limitations on their availability may lead Registered Entity SMEs to rush the process of filling out the RSAWs, resulting in incomplete or unclear information being supplied to auditors.  As a result, auditors may misunderstand the evidence being presented; and may arrive at an incorrect conclusion.  This could result in incorrect issuance of a Potential Non-Compliance or, conversely, could result in failure to detect a serious compliance issue.  However, it is much more likely that the audit team will find it necessary to schedule additional conference calls with the Registered Entity in order to alleviate confusion.  As such, the more prevalent risk is that the audit team will require Registered Entity SMEs to invest significant additional time. 

          Description of Mitigation Activity
          Treat the RSAWs as "living documents."  Rather than filling them out once every audit period, keep them updated as environments and processes change.

          Other Factors or Comments
          Because the RSAWs serve as auditors' work papers, becoming familiar with them will also aid SMEs in understanding what auditors look for during the audit.

        • A:3/18/2014

          There is a lack of clarity on what SERC is really going to do and the timing of site visits.  Registered Entities need more information in order to have the right people on site, extra escorts, etc.

          Site visits are normally conducted during the onsite portion of the audit.  The Audit Team Lead (ATL) will be the Registered Entity’s point of contact during the audit and will provide detailed information on what will take place and when.  The ATL will inform the Registered Entity well ahead of time when the site visit will need to take place, how many SERC staff will be attending, and will be as accommodating as possible.

        • A:10/30/2013

          Is there a NERC or SERC process in place for the registered entity to ask questions about the evidence the Auditors will look for on a specific requirement, if the RSAW doesn't provide that type of insight?

          No, there is not a SERC or NERC process where Registered Entities can ask for specifics of audit evidence details other than at workshops and seminars like the ones conducted by SERC twice a year. All Registered Entities do things differently. However, every Registered Entity should end up with the same results (outcome) when it comes to compliance with the NERC requirements. The CEAs will always audit to the wording in each Requirement. It is up to the Registered Entity to provide the evidence that will demonstrate compliance to the CEA during the audit process. For example, processes, procedures or records.

          It is not sufficient to merely regurgitate the Standard/Requirement as a demonstration of compliance. For example, regarding FAC-008-3 R1, R2, and R3, it will be the responsibility of the Registered Entity to present the specific means by which it derives its Facility Ratings for each component listed in the requirements.

          Pay special attention to words like “shall have” or “must have” to make sure that all aspects required in the Requirements are covered and including how those things in the wording of each requirement are performed (HINT: If you do not have any Series or Shunt Compensation elements in the Facility, stating that fact in the Facility Rating Methodology is a means of demonstrating  this element has been addressed.).

          Neither NERC nor SERC is going to tell or suggest how a Registered Entity is to run its business. SERC Compliance Monitoring is always willing to give broad examples of the type of information that it has seen as satisfactory evidence in previous audits and to share industry best practices.

        • A:10/30/2013

          If during the ICP review a question of an expansion of the audit scope is identified – is it a group decision of the audit team or just the lead auditor?

          Expansion of audit scope during an audit is usually an Audit Team decision based on evidence reviewed during the audit. The ultimate decision is made by the Audit Team Lead.

        • A:2/13/2013

          If you have a consultant preparing your documentation for an audit, can he, or a representative of his firm, act in the role of primary or secondary SME?

          If a consultant represents a registered entity as a subject matter expert (SME) that person needs to be an "authorized representative" on behalf of the registered entity. Also, remember that SERC's confidentiality agreements are with the registered entities, and not consultants.

        • A:July 18, 2017
          Do registered entities receive a report when SERC staff have completed their assessment of Guided Self-Certifications?

           

          Registered entities will receive a Guided Self-Certification Validation Letter outlining results of the SERC Compliance staff assessment upon completion. 

           

        • A:12/1/2015
          Can you provide specific guidance regarding the Self-Certification and audit process for 2015/2016? What is SERC’s plan over the next couple of years for implementing the CMEP?

          SERC will continue to have a yearly Implementation Plan, and Compliance Monitoring activities will be dependent on the results of a registered entity’s IRA. Traditional “annual” Self-Certifications have been eliminated. SERC, along with other regions, is now using Guided Self-Certifications instead, which look at lower risk requirements.

        • A:10/16/2015
          Please provide an update on Self-Certifications.
          The IRA process will drive the guided self-certification for registered entities.  The guided self-cert is more than the typical self-cert as SERC will require the entities to submit evidence to demonstrate compliance.  It may be compared to an off-site audit, because the auditors will review the evidence and may ask questions as needed.  Registered entities may see guided self-certifications for standards/requirements related to medium/low risks identified in IRAs.  For entities that have gone through the IRA process, the IRA summarization would have that schedule on it.
        • A:2/13/2013

          Please comment on “Self-Report credit” if you Self-Report after audit notification.

          In general, after an audit notification, you will not receive Self-Reporting credit. If an issue occurs during the audit notification period, SERC staff will review the facts and circumstances to determine if credit is appropriate. 

        • A:Updated:  1/1/2019

          I keep hearing about Self-Reporting.  While I understand it identifies that you are “being honest”, does Self-Reporting eliminate the possibility of fines/enforcement actions vs. the issue being found during an audit?

          No, Self-Reporting does not eliminate the possibility of penalties and sanctions. Penalties and sanctions are determined based on the risk to the bulk power system. However, most self-reported issues receive Self-Reporting credit, which reduces the penalty if one is imposed. Self-identification can be an indicator of a strong internal compliance program, which can also reduce a penalty.

        • A:2/13/2013

          For submitting Self-Reports, the new Self-Report form requires root cause and mitigating and prevent recurrence actions.  To be as complete as possible for input as a potential FFT candidate, is 4-8 weeks for submittal of the Self-Report considered timely?

          Yes. Self-Reports received within 90 days of discovery are generally considered timely. For issues discovered by the registered entity and not reported to the Region within 90 days, please provide the reason as to why it is took so long to report.  

        • A:12/1/2015
          If SERC plans to include Spot Audits in their CMEP process, what does that look like?

          SERC will continue to use Spot Checks as a monitoring tool. Traditionally, SERC has used Spot Checks as a monitoring method initiated for various reasons, like in response to a system event or to confirm a Self-Certification. In 2015 the regions expanded the use of Spot Checks as a Compliance Monitoring tool for issues that could include a small number of requirements or sampling. Spot Checks are similar to off-site audits, but are smaller and more focused in scope.

        • A:March 1, 2016
          Could SERC provide information regarding expectations for spot-audits and Guided Self-Certifications?

          Spot audits or Spot Checks are small, focused audits. They may be done on-site or off-site. The NERC Rules of Procedure require a minimum of at least 20 days notification of a Spot Check to the registered entity. The audit team gives an Opening and Exit presentation. RSAWs are used as in an audit. Depending on the standard and requirement, SERC may require sampling. At the end of the Spot Check, SERC will create and send a report.

          Guided Self-Certifications are like the traditional Self-Certifications and actually use the same electronic form on the SERC Compliance Portal. The word “Guided” was added to differentiate from the traditional Self-Certifications because Guided Self-Certifications will require supporting evidence to be attached to the electronic form. SERC will give a 30 to 60-day notification by letter to the registered entity that the forms will be posted on the SERC Compliance Portal. No RSAWs are required or expected to be used, as the Guided Self-Certification form itself is the audit work paper. SERC will not monitor standards and requirements that require a sampling methodology by the Guided Self-Certification method. SERC will monitor those standards and requirements by another method such as a Spot Check or Audit. If the supporting evidence attached to the Guided Self-Certification is not sufficient, SERC audit staff will make another evidence request or modify the monitoring method to a Spot Check. SERC will not send a report but will send a validation form confirming compliance with standards and requirements in scope as notification to the registered entity that the Guided Self-Certification review is complete.

      • A:3/16/2015

        I am working with a Client that is within the SERC Region but is not a member of SERC. Are they under any obligation to follow the SERC Criteria?

        Registered entities within the SERC Region are required to comply with the NERC Reliability Standards and the SERC Regional Reliability Standard PRC-006-SERC-01.  SERC Criteria are intended to provide guidance on how a registered entity within the SERC Region can take steps to comply with specific NERC Reliability Standards. As such, there is no obligation to follow SERC Criteria. Registered entities may find the SERC Criteria useful in understanding various means for demonstrating compliance with specific NERC Reliability Standards.

      • A:November 28, 2017
        If an entity becomes deregistered in 2017,  are they still required to submit annual NEL load data in 2018?  How will this data be used to calculate their NEL assessment dues?

        Net Energy for Load (NEL) is separate from registration. Entities within the SERC Region’s footprint with end-use customers are included in the NEL assessment regardless of whether they are listed on the NERC Compliance Registry or not. All entities should continue to report NEL according to existing practices.

        NEL is outlined in the NERC-SERC Delegation Agreement. See Funding beginning on page 14 and Exhibit E.

      • A:9/20/2016
        1. Is SERC planning to retire or revise the Regional Criteria for System Modeling Data Requirements?
        2. While Sections E & F clearly apply to Generator Owners, Sections A, B, C & D are not clear as to who has responsibility for meeting the requirements.  Who is responsible for each section?
        The SERC Dynamics Review Subcommittee has recently reviewed the SERC System Modeling Data Requirements Regional Criteria and have recommended the regional criteria be retired since new standards MOD-032-1, MOD-033-1, MOD-026-1, MOD-027-1 cover the items in the criteria. SERC registered entities should ensure their processes are compliant to the new standards, since the regional criteria will be retired by spring 2017.  Registered entity staff that build annual power flow and dynamics models are responsible for Sections A-D of the regional criteria.
      • A:Updated:  1/1/2019

        Can SERC expand on the statement that was made in an earlier session that the 2015/2016 CMEP will include any Reliability Standards that could be associated with cold weather (i.e., polar vortex)?  Specifically, what enforceable Reliability Standards is SERC referring to?  There is no specific "cold weather preparation" Reliability Standard.

        SERC identified certain Reliability Standards and Requirements as having a risk that was triggered by the cold weather event and identified those standards in the SERC Implementation Plan. SERC will consider the risk associated with those standards when performing a risk assessment of a Registered Entity, and they may become part of the audit scope.

      • A:10/7/2014

        Can SERC better coordinate the schedule for events like these seminars to avoid conflicts with 1) other SERC meetings, 2) NERC meetings, and 3) other industry events like GridEx/NATF/conferences?  We realize it is hard to decide who trumps who, but it is a hardship for limited Registered Entity personnel to attend all of the meetings in which we need to participate.

        The SERC outreach schedule is established in August to allow announcement of dates for the upcoming year at the fall seminars.  Established event dates listed on all calendars are avoided in the following order: SERC audit schedule, SERC meetings and events, NERC events, and industry events.  Avoiding conflicts benefits seminar planning also because a wider variety of subject matter experts are available to speak.  However, if other event dates change, it can adversely affect the best laid plans.

        • A:April 3, 2020
          Is SERC anticipating any impact on audit schedules at this time?

           

          SERC has already anticipated this, and has been in contact with those entities undergoing an audit or scheduled to receive an Audit Notification Letter in the coming weeks.

          Any impacts to those schedules will be communicated to the registered entity involved, as they arise.

        • A:April 3, 2020
          Will you provide guidance on what you are looking for with respect to each question on the form?

           

          Brief descriptions have been provided on the form for the exception justification, possible impact, and actions to be taken.

          Specific guidance cannot be provided due to the potential number of variations that may occur with specific facts and circumstances. Each registered entity can work with their assigned Single Point of Contact (SPOC) when completing the form or submit their question to the SERC Q&A using the COVID-19 topic. Contact serccomply@serc1.org, if you do not know who your SPOC is.

        • A:April 3, 2020
          Is it one form per standard and/or requirement(s)?  

           

           Yes, a separate COVID-19 Impact Notice form should be submitted to SERC for each unique Standard/Requirement in which a periodic action cannot be completed during the designated time period.

        • A:April 3, 2020
          Are you requiring compliance related items from now to end of June (the date that NERC used)?

           

          Yes, a separate COVID-19 Impact Notice form should be submitted to SERC for each unique Standard/Requirement in which a periodic action cannot be completed during the designated time period.

        • A:

          April 3, 2020
          Should our first step just be to contact our SPOC before submitting the form?

          It is not necessary to contact your SERC SPOC before submitted a COVID-19 Impact Notice form.  SERC asks, however, that you copy that SPOC when you submit the form.  If you need specific assistance prior to the submission, feel free to contact your SPOC directly.

        • A:April 3, 2020
          Describe use/completion of the COVID-19 Impact Notification Form versus the ERO Enterprise Exception Tracking spreadsheet.

           

          The COVID-19 Impact Notice form should be used to submit any COVID-19 impact issue to SERC. The spreadsheet was originally provided in the SERC notification prior to the creation of the form.

        • A:April 3, 2020
          Could COVID-19 have a domino impact on audits scheduled for later in the year?

           

          This is a very fluid situation we are currently in, however we are considering any impacts on our audit schedule for later this year.

          At this time we are maintaining our audit schedule for registered entities scheduled to receive an Audit Notification Letter after July 31, however this is subject to revision as this situation evolves.

        • A:

          March 23, 2020
          If a utility was forced to set up a temporary control center due to needs to isolate personnel over Coronavirus contamination that cannot be fully completed with the two current control centers (primary and backup), is there any provision that allows the entity to be released from meeting some of the CIP standards during an emergency conditions such as this?  

          SERC recognizes the challenges that the coronavirus outbreak has placed on our operations. In fact, NERC and FERC issued guidance on personnel certification requirements, meeting periodic Reliability Standards requirements, and compliance monitoring activities by the Regions. Regulatory discretion will be applied in consideration of the uncertainties caused by our collective response and recovery from this unprecedented public health emergency.

          The most relative scenarios center on our entities’ responses during a natural disaster. The response below for your consideration is very prescriptive. This is because the requirements around a CIP Exceptional Circumstance are specific. Naturally, there can be flexibility in any waivers or leniency granted during this time.

          For all instances during this period, SERC will consider all facts and circumstances as described in the guidance provided by NERC and FERC; however, it is incumbent on the registered entity to notify SERC of the issue, to fully describe the specific facts and circumstances for each case, and to not assume we know their specific details, should an issue arise.

          SERC places criticality on all situations concerning conditions or events that impact or might impact reliable operation of the bulk power system (BPS). Cases of COVID-19, have the potential to become a CIP Exceptional Circumstance. Understanding the definition of a CIP Exceptional Circumstance and ensuring that our registered entities’ existing Business Continuity Plans address the requirements identified for a CIP Exceptional Circumstance is paramount.

          Glossary definition of CIP Exceptional Circumstance:

          A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.

          Some examples of CIP Exceptional Circumstances include the standards and requirements identified below. Please remember, this list includes only CIP standards, and is not conclusive. Others, such as PER-003-2 and PRC-005-6 might also be affected.

          • CIP-003-7 R2 Attachment 1 Section 5
          • CIP-004-6 R2 Part 2.2
          • CIP-004-6 R4; Part 4.1
          • CIP-006-6 R2 Part 2.1, 2.2
          • CIP-007-6 R4 Part 4.3
          • CIP-010-2 R3 Part 3.3 and R4
          Please take a moment to review the guidance provided in the recent announcement from NERC and FERC. We at SERC are prepared to answer any questions you may have as we navigate this evolving threat. You may reach us at Support@SERC1.org and we will respond promptly.
      • A:April 17, 2017
        Does SERC have a criteria for operating companies in the SERC Region to follow to establish the Gross Maximum Capacity (GMC) of a new generating unit (e.g., a standard demonstration test method or test duration)?  GADS Data Reporting Instructions suggest contacting our regional manager (see excerpt below).

        GADS Data Reporting Instructions
        Section IV – Performance Reporting
        Page IV-4
        Gross Maximum Capacity (GMC) (Record 01, columns 16-21) - Voluntary

        Enter the maximum capacity the unit can sustain over a specified period of time when not restricted by ambient conditions or deratings. To establish this capacity, a formal demonstration is required. No standard demonstration test method or test duration exists at this time, but many of the NERC Regions have their own criteria that all operating companies in those Regions follow. If your operating company has not set demonstration test requirements, contact your regional manager listed in appendix C.

        The answer to your question is no. SERC does not currently have regional criteria regarding generator unit capacity testing. Based on previous conversations with other GADS reporters, most utilize upper operating bounds such as AGC high limits, and or PMAX values. Others in organized markets, such as MISO, are required to do Real Power Testing for capacity credit. You also may wish to review testing data during Real Reactive Power Tests, which may coincide with Real Power Testing.

      • A:March 30, 2017
        In the latest Data Request data requirements include Peak Demand for the calendar year 2016. Can you explain what the Peak Demand is and how it relates to an IPP?

        The data request was widely distributed and may include information about forms that are not applicable to your company’s NERC registration. The Peak Demand data forms are only applicable to entities registered as a Planning Authority (PA).

        As information, the forecasted peak demand is weather-normalized and collected on a coincident basis for each PA’s physical and electrical boundary. Load forecasting methods used should include the following:

        • Economic growth; examination of different economic sectors (e.g., residential, industrial, commercial)
        • Long-term weather (often simulated using historic data)
        • Energy Efficiency and conservation impacts
        • Localized impacts (e.g., large factories or data centers)

        For more information on assessment methods and assumptions, please reference the NERC Reliability Assessment website (http://www.nerc.com/pa/RAPA/ra/Pages/default.aspx ).

      • A:March 31, 2017
         I am trying to find the total summer peaking capacity (in MW) in SERC.  I was able to find an estimate for total gas capacity of 95,862 MW, but it does not break out the percent that is combined cycle versus peaking. Any help is greatly appreciated!

        As of March 2017, registered entities within the SERC Region project ~243,000MW during the summer peak.  Of this amount, ~100,000MW are from gas fired units.  More granular unit type information is available through EIA 860 datasets (https://www.eia.gov/electricity/data/eia860/). Unfortunately, gas unit peaking information is not available. 

      • A:March 30, 2017
        I am doing market research in your area, and would like to know where I could find information regarding proposed gas fired power plants coming online between now and 2030. I am specifically concerned with those proposed in Virginia, North Carolina, and South Carolina.

        The resource projections information is contained in these two publications on the SERC website:

        • The Reliability Review Subcommittee Report to the Engineering Committee contains an annual assessment of reliability within the Region. It documents how the SERC systems are being planned in accordance with the “NERC Planning Standards and the SERC Supplements to the NERC Planning Standards.”
        • The Regional Supply & Demand Projections document, which serves as a supplement to the Reliability Review Subcommittee Report to the Engineering Committee, provides actual and forecast demand and energy data, resource projections, and other data used in the assessment of reliability within the Region.
        The Energy Information Administration website (https://www.eia.gov/naturalgas) is also a good resource for generating unit data.
      • A:December 19, 2018
        Company A has received a generator interconnection request for an inverter-based resource that is larger than 100 MVA. As part of the interconnection process, Company A has reviewed SERC’s power system  stabilizer guidelines, and would like clarification regarding the application of the guidelines to inverter based resources. Specifically, our question is as follows:

        SERC Guideline - Power System Stabilizer, V4, March 21, 2017 only addresses the need for Power System Stabilizers relative to generation that contributes to power system oscillations (i.e., synchronous resources). Because inverter based resources neither contribute to nor are able to mitigate a power oscillation, it is our interpretation that this guideline does not apply to inverter based resources. Therefore, a PSS should not  be required on an inverter-based resource pursuant to this guideline. Can you please confirm that this  interpretation of the guideline is accurate?

        With the next update of the Power System Stabilizer Guideline (expected in March 2019), the following language will be added: This policy is hereby clarified to require PSS only on generating facilities which  consist of conventional synchronous generator(s). PSS will not be required for solar, wind, or other inverter-based generation facilities. However, if studies indicate that the solar, wind, or inverter-based generation facilities cause or contribute to a power oscillation problem, such generating facilities will be required to help mitigate the oscillation problem as specified by the Transmission Planner.

      • A:3/18/2014

        What is SERC staff’s plan with all the GADS data that is mandatorily required now

        GADS data is a Reliability Assessments activity that SERC performs with NERC.  SERC works with Registered Entities to compile this data into the NERC database.  The data is also used for various assessment efforts, such as the NERC Probabilistic Assessment, to assess reliability of the system.

      • A:3/18/2014

        In regards to the data collection task portal (GADS database) and the SERC portal for audit participation, if a person can log into audit team information in the SERC portal, that person has access to all of the audit folders. What are the practices regarding information security? There are concerns that unintended parties may be privy to plant outage data, which could have the potential to affect commercial commerce.

        All users of the Portal can view general non-confidential Committee information (committee name, abbreviation, roster, etc.).  Only users added to the committee roster (permissions list) have access to documents and other confidential information.

      • A:September 9, 2016

        Company A currently owns and operates Plant I SPS. If we determine the need to retire the SPS, what steps and evidence must be taken/submitted to have the SPS removed from the SERC Portal? I understand from the SERC Regional Guidance document that the Dynamics Review Subcommittee must be notified when the SPS is removed from the database, but I’m not clear on the actual process.

        When an SPS owner retires an SPS they need to send an email to the SERC staff assigned to the SERC Dynamics Review Subcommittee (DRS) or to SERC Support.  The information will be sent to the DRS for review. The SPS Owner will then be directed to delete the retired SPS from the SERC Reliability portal.  Note, as PRC-012-2 becomes effective per its implementation plan, SPS’s will be evaluated by Planning Coordinators and those that meet the definition of a Remedial Action Scheme (RAS) will be identified as such. Planning Coordinators, Reliability Coordinators and RAS entities will be responsible for the requirements for RASs in the standard. This process will retire the SERC SPS Regional Criteria and any associated activities of SPS owners in SERC and the SERC DRS prescribed in the Regional Criteria.

      • A:January 12, 2018
        When an entity is compliant with standards such as MOD-025, PRC-019, and PRC-024 as part of a fleet of entities but is then sold and becomes a single entity, does the compliance clock get reset to allow time to become compliant as a newly registered single entity? Would the entity be required to Self-Report? Should the new owners not register the newly acquired entity until it meets compliance requirements?

         

        NERC Compliance Process Bulletin #2011-005 (Bulletin) provides guidance on these questions.

        1. Registering the facilities under a separate registration will not reset the compliance clock. Also, there are no provisions for a grace period for the new registrant to become compliant. On page 2 of the Bulletin under the Buyer section it states, "[a] Buyer should be aware that when a transfer of asset occurs and the Buyer is registered for a function that relates to the asset in question, the Buyer will become the party responsible for compliance with relevant standards from the date the buyer is registered." It goes on to say in the following description of scenarios, "the new entity will be responsible for any instances of noncompliance with NERC Reliability Standards associated with the assets (including past periods). The transfer of all assets to a new company or a new corporate form cannot be used to ’reset’ the reliability clock of existing assets." 
        2. Regarding not changing the registration until becoming compliant, the Bulletin states on page 2 under the Seller section that "[a] Seller is encouraged to coordinate with the Buyer so that the Buyer is properly registered as of the intended date of the transfer, as the Seller will remain responsible for compliance with relevant standards that may relate to the particular asset until it is deactivated from the NCR for the applicable function(s) and the buyer is subject to compliance responsibility. The Seller will remain on the NCR until any outstanding settlement and enforcement issues associated with the asset in question are resolved."

        As always, the Self Report option is encouraged for all perceived incidents of non-compliance.

      • A:Updated December 30, 2019

        Are “mothballed” status units required to comply with NERC Reliability Standards? We intend to mothball several units later this year, and want to ensure our implementation plan schedules, etc. are on target if these activities are still required. Or, is there a window to comply once a unit has been removed from the mothballed status and returned to an active status?

        I’ve been reviewing specific standards, registration and GADS information but just not finding anything that defines compliance requirements for this status. The only standard where I’ve found a reference is MOD-025. That Standard’s Attachment 1  states, “existing units that have been in long term shut down and have not been tested for more than five years shall be verified within 12 calendar months”.

        “Mothball” is defined by IEEE Standard 762 and GADS as “the state in which a unit is unavailable for service but can be brought back into service after some repairs with appropriate amount of notification, typically weeks or months.”

        Entities are required to maintain compliance obligations for units that are classified as “mothballed.” Compliance obligations remain in effect until such time as the registered entity has been de-registered and removed from the NERC Compliance Registry. If the Registered Entity has multiple units linked to their registration as a Generator Owner (GO) and/or Generator Operator (GOP) and will be retaining their registration, compliance obligations associated with that unit would end once the subject unit is decommissioned and a non-operable break has been created to physically disconnect the unit from the Bulk Electric System (BES).

        The SERC Registration Department has established a process for the decommissioning of generation units in Region. Contact the SERC Certification and Registration Department for details.

        • A:Updated December 30, 2019
          Based on the Registration Update you gave at the Spring Compliance Seminar in Charlotte, NC on March 6, 2018 (Pages 14-19):
          BES Element status changes will no longer be processed using BESNet, but SERC will still need to be notified when an element changes status. I have the following email address "serccomply@serc1.org" to send the details of the change and instruction to include “BES” in the subject line.  New lines, substations, and generation should use the existing process for notification of model changes for planning purposes.

          My question is, what falls outside the existing process for notification of model changes for planning purposes?  We also need to know if there is a time frame associated with the notification to SERC.

          The NERC Rules of Procedures, Section 501. Scope of the Organization Registration and Organization Certification Programs, Part 1.3.5 states:

          Each Registered Entity identified on the NCR shall notify its corresponding Regional Entity(s) of any corrections, revisions, deletions, changes in ownership, corporate structure, or similar matters that affect the Registered Entity’s responsibilities with respect to the Reliability Standards. Failure to notify will not relieve the Registered Entity from any responsibility to comply with the Reliability Standards or shield it from any Penalties or sanctions associated with failing to comply with the Reliability Standards applicable to its associated Registration.

          The above obligation includes configuration changes (i.e., new facilities, reconfigurations, decommissions, etc.) associated with the entity’s Transmission system and Generation assets. This will allow SERC to conduct an evaluation of the subject facilities and determine the correct classification (i.e., BES or non-BES). This is not however limited specifically to Transmission and Generation facilities as other facilities can be a determining factor in the overall Registration process.

          For changes to the “models” (i.e., new facilities, reconfigurations, decommissions, etc.), entities should continue to follow the existing SERC processes.

          While there is no specific time frame requirement for reporting these changes, the expectation is that they be reported as soon as practicable. As stated in the NERC Rules of Procedure, Section 501. Scope of the Organization Registration and Organization Certification Programs, Part 1.3.5:

          Failure to notify will not relieve the Registered Entity from any responsibility to comply with the Reliability Standards or shield it from any Penalties or sanctions associated with failing to comply with the Reliability Standards applicable to its associated Registration.

        • A:May 4, 2017
          If a normally energized BES device is de-energized with line/bus disconnect switches open on either side of the BES device, is that device now considered not BES per the BES definition?

           

          1. How would this device be any different than a device in storage waiting to be installed?
          2. Does the length of time the device will be de-energized factor into the result? 

          If a device/Facility is installed and physically capable of being connected and energized, then the device/Facility should be treated as a BES Facility.

          The device/Facility is different because it can be physically connected and energized by closing a switch. 

          No.

        • A:12/6/2016
          During the SERC Fall Compliance Seminar a presenter stated that SERC will use the inverter nameplate ratings to determine whether a generation project should be classified as a BES facility. We seek clarification on this statement based on the following understanding:
           
          NERC’s Bulk Electric System Definition Reference Document, Version 2 April 2014, Radial System Exclusion E1 third sub-bullet allows for a radial system to be excluded from the BES “where the radial system serves Load and includes generation resources, not identified in Inclusions I2, I3 or I4, with an aggregate capacity of non-retail generation less than or equal to 75 MVA (gross nameplate rating).” 
           
          The statement made during the Seminar was that SERC would use the inverter nameplate ratings. Please clarify that a contractual limit of output stated in the Interconnection Agreement or other legal document can be used to determine the gross nameplate rating.  Due to standard inverter sizes produced by the various manufacturers a developer could likely install inverters with a gross nameplate rating larger than 75 MVA (i.e. 2MVA inverters * 38) but contractually limited the output to 74.9 MVA through programming of the inverter.
           
          At this time there are no provisions in NERC ROP Section 500, Organization Registration and Certification or in NERC ROP Appendix 5B, Statement of Registration Registry Criteria, that allow for the use of contractual or control based limitations on equipment ratings for BES considerations. In this instance we would look at the photovoltaic cells and inverters as a generator unit as illustrated in Figures I4-3 and I4-4 on pages 22 – 23 of the Bulk Electric System Definition Reference Document, Version 2. The inverter is the only equipment that has an MVA rating that could be used for a determination relating to BES Exclusion I1.
        • A:3/18/2014
          Does SERC staff have an opinion about the impact on BES reliability due to loss of baseload generation (i.e., coal units due to environmental regulation compliance and nuclear units due to market pricing)?
          To the extent that entities provide forecasts concerning early retirements, impact of regulations, fuel shifts, and other market pressures, that information is used by the Reliability Review Subcommittee (RSS) and SERC staff.  RSS and SERC staff consider trends in short-term and long-term planning, operations, and external influences as they affect reliability, both overall and sub-region specific.  Those conclusions are published annually and discussed at standing committee meetings.
        • A:2/13/2013
          Might FERC object if many entities are able to de-register due to the new BES Definition?
          FERC will not object as long as there are no gaps in the Compliance Monitoring and Enforcement process. In other words, as long as there are no gaps in modeling, load reporting, emergency procedures, and/or coordination of protective equipment, there will not be a problem.
        • A:

          3/18/2014

          SERC staff seems to want to see both internal and external assessments.  There seems to be a disconnect between what the SERC personnel are saying it will be used for and how it is actually being used.

          SERC is willing to utilize the work of independent evaluators to reduce the audit burden on a Registered Entity.  Independence, as defined in Generally Accepted Government Auditing Standards (GAGAS) (The Yellow Book), can be achieved by either an internal or external independent audit group. SERC evaluates independence and determines how much work of the independent assessment to utilize on a case-by-case basis.

        • A:

          Updated: 1/1/2019

          What impact will the inherent risk assessment have on an entity’s audit cycles and future audits? Could this result in some entities having audit cycles that extend greater than six years?

          Each registered entity’s inherent risk assessment will help define their compliance oversight plan.  As the ERO moves to a risk-based compliance oversight program, registered entities may have a different compliance oversight plan based on their individual IRA. The ERO Actively Monitored List (AML) of standards and requirements no longer exists; so registered entities are assessed (and your engagement is scoped) against the risks identified in the NERC and SERC CMEP Implementation Plan.

        • A:

          Updated:  1/1/2019

          Can the inherent risk assessment change the bright-line criteria for an entity (on a case-by-case basis) for CIP-002?

          No. Registered entities are encouraged to perform internal risk assessments and determine potential risk to the bulk power system. However, those internal assessments and/or SERC’s IRA cannot be utilized to “reclassify” a BES Cyber System to a lower impact rating.  The bright-line criteria are used to identify the impact rating of BES Cyber Systems, while the inherent risk assessment is utilized to develop a compliance monitoring plan around those identified systems.

        • A:Updated:  1/1/2019
          Can the outcome of the IRA limit the scope of the audit, and has SERC limited the audit scope for an entity since the implementation of IRA?

          SERC utilizes the information from the IRA questionnaire with the data that SERC has on-hand to complete the entity inherent risk assessment. The priority is on the registered entities that are scheduled for compliance monitoring engagement (audit), but the IRA results will be shared with each entity as they are completed. The results of the IRA are utilized to determine the compliance monitoring tool (on-site audit, off-site audit, Spot Check, guided Self-Certification, self-monitor). Each entity is unique; so the audit scope for each entity has been different. There is no longer an Actively Monitored List, as the IRA results drive the list of Standards/Requirements to be monitored for each entity.

        • A:

          10/31/2014

          Is there an appeals process or other method for the Registered Entity to provide additional information that might change the results?

          There isn’t an official appeal process.  However, SERC will consider any additional information that the Registered Entity would like to share.

        • A:

          10/31/2014

          What steps are being taken to promote consistency in the IRA process between SERC and the other Regions?

          The ERO has created an IRA Guidance document.  Also, the ERO is creating, with input from all the Regions, a training slide deck which all Regional personnel who are responsible for conducting IRAs must attend. In addition to the ERO industry sessions, the ERO is conducting numerous training sessions for Regional staff in the next few months.

        • A:

          Updated:  1/1/2019

          What inputs will SERC use in determining a Registered Entity’s inherent risk?

          SERC utilizes data previously submitted by the Registered Entity, as well as information from the IRA Questionnaire.  That information includes:  the Registered Entity’s unique characteristics (i.e., business organization, reporting structure, Registered Entity operating conditions); Risks identified by SERC’s Reliability Risk Team; previous audit history; compliance history; events analysis; NERC Alerts; and, mitigation activities to address open enforcement actions or previous audit findings. See ERO IRA Guidance.

        • A:

          10/31/2014

          Will SERC share the results of the IRA with the Registered Entity? If so, how?

          Yes.  SERC will provide a documented summarization of the IRA.

        • A:

          10/31/2014

          Who initiates the IRA? 

          The Regions initiate the IRA.  It may be based on emerging risks (ERO, Regional, or Registered Entity), compliance history, etc.

        • A:

          Updated:  1/1/2019

          Availability and application of self-logging (aggregation)?

          Any registered entity may request to begin self-logging by completing the application. SERC staff will review the application and notify the entity whether or not SERC grants permission to begin self-logging.

        • A:

          Updated:  1/1/2019

          Is the availability of self-logging of deficiencies by a Registered Entity contingent on its participation in RAI?

          SERC will conduct an IRA prior to considering a registered entity for self-logging. A review of internal controls may be a component of that review that can assist SERC in determining if a registered entity qualifies. 

        • A:

          Updated:  1/1/2019

          Will SERC offer self-logging to all Registered Entities, or will the Registered Entity need to request this?

          Each registered entity must apply for inclusion of the self-logging program.

        • A:

          10/31/2014

          If self-logging is not available to all Registered Entities, what criteria will SERC use to decide which Registered Entities can/cannot participate in self-logging?

          SERC will utilize the factors established in the ERO Self-Logging of Minimal Issues Guidance Document posted on the NERC website.

        • A:

          10/31/2014

          Will self-logging be available for all Reliability Standards and Requirements or just specific ones? If the latter, then by what criteria will SERC decide?

          If a Registered Entity is accepted into the self-logging program, it may be for all or just some of the Reliability Standards/Requirements.  The relevant factors evaluated for acceptance into the program will be utilized to determine which Reliability Standards/Requirements the Registered Entity may self-log.

        • A:

          10/31/2014

          How often will the Registered Entity need to file deficiency (or aggregation) logs with SERC? How often will SERC review the logs?

          Registered Entities should submit the logs to SERC every three months, and SERC will review the logs within 60 days per the triage process at the beginning of the program.

        • A:

          10/31/2014

          Will the Registered Entity be expected to discuss each issue individually with SERC prior to entering the issue on the aggregation log?

          It is not required to discuss the issue with SERC prior to entering the issue into the spreadsheet unless the Registered Entity is unsure of the risk and has questions. 

        • A:Response updated December 4, 2017

          With this being a transitional year for Reliability Assurance Initiative (RAI), are there things that are occurring in the audits?  Are audits being completed in a week? How is the implementation of RAI going thus far in 2014?

          RAI (currently known at Risk-Based Compliance) implementation includes risk assessment and audit changes that are occurring in preparation of and in carrying out compliance monitoring obligations.  The on-site portion of an audit generally occurs within a week's time.  To allow for this abbreviated time on-site and to minimize the operational impact of time on-site, SERC devotes more time to reviewing documentation in advance of the on-site portion of the audit.  As Risk-Based Compliance has matured the last couple of years across the ERO, entities are generally favorable with this approach.

        • A:

          10/5/2014

          Description of the Violation, Issue, or Trend
          Another key benefit of SERC’s RAI pilot program has been that it focuses primarily on risks that are ongoing, thus reducing the time spent by Registered Entities and by SERC in handling mitigated Violations.  However, a misconception has arisen that SERC auditors will no longer review mitigated Violations.  This is not the case. SERC will continue to review mitigated Violations, as warranted.  Registered Entities should continue to mitigate Possible Violations as soon as possible and not delay necessary improvements to the reliability of the BES.

          Risk Considerations
          Failing to realize that SERC auditors will continue to review previously mitigated Violations may result in a Registered Entity not self-reporting when it should have.  Another risk is that SMEs may not be adequately prepared with the appropriate supporting evidence.

          Description of Mitigation Activity
          Registered Entities should work internally to foster realistic expectations in regard to mitigated Violations.  Management and SMEs must understand that while SERC is most concerned with Violations that are ongoing, previously mitigated violations will also be reviewed, as warranted, during an audit  or other compliance monitoring activities.

           

           

        • A:

          10/7/2014

          Clarify the expected qualifications of the utility staff involved in performing internal reviews in preparation for taking advantage of RAI during an audit.  If the work papers met the standards of the NERC Auditor Manual -- up to the same standards that SERC's own auditors would use -- does the utility have to have personnel with auditor certifications?

          The qualifications spelled out in the Compliance Auditor Capabilities and Competency Guide, which is a portion of the Compliance Auditor Manual,- are intended primarily for the use of the Regions in developing training programs for their own auditors.  The internal or third-party auditors utilized by Registered Entities are not required to adhere to this guide.  While an internal review team that can demonstrate compliance with this guide will likely be viewed as being more credible than a team that does not demonstrate such qualifications, SERC’s review of Internal Audit Reports (IAR) will focus primarily on the quality of the work papers and the independence of the internal auditors.  Auditors are considered independent when their opinions, findings, conclusions, judgments, and recommendations are impartial and viewed as impartial by reasonable and informed third parties.  A good question to ask to determine whether an internal auditor would be considered independent is:  Has the auditor (or anyone to whom the auditor answers) had any involvement in the development, operation, or management of the compliance measures being audited?

          As long as the internal audit team can demonstrate independence, and their work papers demonstrate good audit practices (including appropriate sampling and performance evidence), the Registered Entity does not have to have personnel with auditor certifications.

        • A:Updated December 17, 2017

           

          Are there any differences between SERC's Risk-Based Compliance model and those of NERC and the other Regions?

          No. SERC’s goal is to have a model that is consistent with the ERO IRA and ICE Guidance, and all other CMEP approach documentation posted on the NERC website. However, each Region’s risk is unique; so certain results from each Region's Inherent Risk Assessment may differ and result in different scopes and monitoring methods. But, the ERO is implementing the same guidance.

        • A:Updated December 4, 2017


          For how long will ICE maintain its "voluntary status"?

          At this time, ICE will remain voluntary until NERC and the ERO determine otherwise. However, review of internal controls during compliance monitoring activities will continue as a normal part of the monitoring process.

        • A:

          Updated December 4, 2017

          If an entity chose not to undertake its own risk-assessment, prepare IARs, or perform other non-mandated elements of Risk-Based Compliance (all of which are expensive or resource intensive efforts), how will that be factored by SERC during an audit?  Would it be viewed negatively in it's culture of compliance or result in a more critical or extensive audit than is currently being performed?

          Regional Entities will utilize information available about Registered Entities to assess risk and develop an appropriate audit scope and monitoring methods based upon that risk.  The more information that SERC staff has, the more effectively SERC staff can rely on the Registered Entity’s internal control and management practices to scope and to scale focused monitoring objectives.  In the absence of a reasonable assurance of reliability, the Regional Entity may have to audit more Standards and Requirements for those Registered Entities on which the Regional Entity does not have information available.  This is not to penalize the Registered Entity but  to properly assess its level of compliance and resulting reliability risk. This would not be viewed negatively in a Registered Entity’s culture of compliance assessment.

      • A:2/13/2013

        My question for the forum is one we've been struggling with lately while updating our ICP. We are using the following definition that includes a three-month grace period: "Within a rolling 12-month period, but with no longer than 15 months between instances (i.e., with a three-month grace period to account for unforeseen circumstances)."  If an entity defines Annual as 'Within a rolling 12-month period…’ what is a suitable grace period for unforeseen circumstances?  It seems straightforward, but we’ve received several interpretations.

        The definition described is a NERC definition of annual, and it is the most common. A three-month grace period is suitable; so this definition is reasonable to use. If it is not already defined by the Standard, it is important that the definition of annual is documented. This helps ensure that the task is performed on a regular basis.

      • A:August 9, 2017
        For the O&P NERC Standards that require an entity to have a documented procedure or process, does that procedure or process have to be certified or signed by the entity to be viewed as valid by SERC, or is a dated review/revision table sufficient?

        Compliance evidence consisting of documented procedures or processes must be reliable in providing support for the conclusions on which the auditor's opinion is based. Reliability of the evidence is increased when the controls over the information are effective. Good industry practice would be an internal control or procedure that includes a signatory approval in addition to the review/revision table of the compliance evidence consisting of documented procedures or processes.
      • A:March 8, 2017

        Description of the Violation, Issue, or Trend
        Of the ten most frequently violated requirements in 2016, seven relate to late implementation of new requirements. Specifically, MOD-025-2, PRC-019-2 and PRC-024-2 all have implementation plans that phase in compliance beginning July 1, 2016. Entities self-reported that they misunderstood the implementation plans for a number of reasons.

        Risk Considerations
        New and revised Reliability Standards address reliability risk gaps that existed with the prior versions of the Reliability Standards. It is important to address the gaps as soon as possible while avoiding additional risk to the BPS.  

        Description of Mitigation Activity
        One entity with responsibility for compliance at several locations in SERC initiated this activity to monitor and respond to implementation plans:

        Create a tracking spreadsheet to monitor compliance deadlines and status for responsible parties. Establish a Compliance Group to coordinate all new or modified standards with the necessary engineering groups and operating groups. Such activities include, but are not limited to submittal of activities and interpretations to the Region (SERC) to ensure the understanding of all aspects of the Reliability Standard including Requirements, implementation plans, and schedules, as necessary. The objective is to ensure development of a complete implementation strategy to convey acceptable approaches with clear understanding, responsibilities, and timelines.

      • A:11/18/2014

        Description of the Violation, Issue, or Trend
        NERC CAN-0010 can impact annual requirements with a grace period.  For example, a Registered Entity has a procedure that needs to be reviewed annually with a three month grace period.  If the review from one year occurred in December and the review the following year utilized the three-month grace period and the procedure was reviewed again in February, based on CAN-0010, this would be a violation because it was not reviewed “at least once every Calendar Year” even though it was reviewed within the Registered Entity’s defined grace period.

        NERC’s Compliance Application Notice-0010 Implementation of “Annual” in Reliability Standards Requirements provides guidance to the Compliance     Enforcement Authority (CEA) stating that the CEA is “instructed to not  find noncompliance or a possible violation if a registered entity is following its own documented implementation of annual and its own documented implementation plan for annual requirements.”  However, this instruction is limited to apply only where, “the registered entity’s definition of annual causes the activity or event to occur at least once every Calendar Year.”  Calendar Year is defined as “beginning on January 1 and ending on December 31.”

        CEAs are to verify whether Registered Entities have documented another implementation of annual requirements along with procedures that define that implementation. However, CEAs are to verify that any alternative documented method demonstrates that the required activity was conducted at least once every Calendar Year.

        Regardless of the Registered Entity’s documented implementation of annual, that implementation will not supersede any Requirement stated in the Reliability Standard.

        Risk Considerations
        Risk is dependent upon the specific Reliability Standard and Requirement and situation.

        Description of Mitigation Activity
        Establish process to ensure that Reliability Standards and Requirements that require action annually are conducted at least once per calendar year regardless of the defined grace period.

      • A:10/5/2014

        Description of the Violation, Issue, or Trend
        Several Registered Entities have recently Self-Reported violations for failing to follow through with annual requirements.  In one instance, a Registered Entity changed its software vendor but forgot to enter the annual requirement 'reminder' in the new software system.  In another instance, a Registered Entity decided to re-align a review with the Self-Certification period without regard to the annual requirement.  In addition, one Registered Entity misapplied its grace period.  The employees performing the work interpreted the three-month grace period to mean three calendar months instead of the intended three months (90 days).

        Risk Considerations
        Risk is dependent upon the specific Standard and Requirement and situation.

        Description of Mitigation Activity

        1. Automated reminder for applicable work groups to submit the list to SERC
        2. Scheduled annual review of all Requirements with a specific time requirement
        3. Trained on existing procedures
        • A:2/18/2016
          BAL-001-2, which becomes enforceable July 1, 2016, states in the measures that the entity can provide calculation outputs to show compliance. However, the data retention states that the “data required for the calculation of Regulating Reserve Sharing Group Reporting ACE, or Reporting ACE, CPS1, and BAAL shall be retained in digital format at the same scan rate at which the Reporting ACE is calculated for the current year, plus three previous calendar years.” It appears that the data retention is imposing a requirement on the entity that is not stated in the requirements or measures. Will SERC expect the entity to retain the input data for the calculation as stated in the data retention, or will SERC be looking for the calculation outputs as stated in the measures?

          The SERC audit team will audit based on the NERC Compliance Monitoring Process outlined in the BAL-001-2 Standard. Data required for the calculation of Regulation Reserve Sharing Group Reporting ACE, or Reporting ACE, CPS1, and BAAL shall be retained for a period of three years. The data will also need to be stored in digital format at the same rate Reporting ACE is calculated for a three year period.

        • A:

          December 28, 2017
          With BAL-002-2, Most Severe Single Contingency (MSSC) and Reportable Balancing Contingency Event have been defined as shown below.

           Most Severe Single Contingency

          The Balancing Contingency Event, due to a single contingency identified using system models maintained within the Reserve Sharing Group (RSG) or a Balancing Authority’s area that is not part of a Reserve Sharing Group, that would result in the greatest loss (measured in MW) of resource output used by the RSG or a Balancing Authority that is not participating as a member of a RSG at the time of the event to meet Firm Demand and export obligation (excluding export obligation for which Contingency Reserve obligations are being met by the Sink Balancing Authority).

          If I read this correctly a BA with no firm demand and no export obligation would have no MSSC and, thus, no Reportable Balancing contingency Events. If that is correct only R2 would be applicable to the entity.

          I’d like to get SERC’s comments on the above statements to be sure I am not interpreting something differently than SERC. I would also like to know if any clarification exists for export obligation since it is not a defined term.

          Background Information

          BAL-002-2  Applicability:

          4.1. Responsible Entity

          4.1.1. Balancing Authority

          4.1.1.1. A Balancing Authority that is a member of a Reserve Sharing Group is the Responsible Entity only in periods during which the Balancing Authority is not in active status under the applicable agreement or governing rules for the Reserve Sharing Group.

          4.1.2. Reserve Sharing Group

          BAL-002-2 R1 states the following;

          R1. The Responsible Entity experiencing a Reportable Balancing Contingency Event shall: [Violation Risk Factor: Medium] [Time Horizon: Real-time Operations]

          1.1. within the Contingency Event Recovery Period, demonstrate recovery by returning its Reporting ACE to at least the recovery value of:

          • zero (if its Pre-Reporting Contingency Event ACE Value was positive or equal to zero); however, any Balancing Contingency Event that occurs during the Contingency Event Recovery Period shall reduce the required recovery: (i) beginning at the time of, and (ii) by the magnitude of, such individual Balancing Contingency Event,

            or,

          • its Pre-Reporting Contingency Event ACE Value (if its Pre-Reporting Contingency Event ACE Value was negative); however, any Balancing

            Contingency Event that occurs during the Contingency Event Recovery Period shall reduce the required recovery:

            1. beginning at the time of, and
            2. by the magnitude of, such individual Balancing Contingency Event.

            1.2. document all Reportable Balancing Contingency Events using CR Form 1.

            1.3. deploy Contingency Reserve, within system constraints, to respond to all Reportable Balancing Contingency Events, however, it is not subject to compliance with Requirement R1 part 1.1 if:

            1.3.1 the Responsible Entity:

          • is a Balancing Authority experiencing a Reliability Coordinator declared Energy Emergency Alert Level or is a Reserve Sharing Group whose member, or members, are experiencing a Reliability Coordinator declared Energy Emergency Alert level, and
          • is utilizing its Contingency Reserve to mitigate an operating emergency in accordance with its emergency Operating Plan, and
          • has depleted its Contingency Reserve to a level below its Most Severe Single Contingency

          or,

          1.3.2 the Responsible Entity experiences:

          • multiple Contingencies where the combined MW loss exceeds its Most Severe Single Contingency and that are defined as a single Balancing Contingency Event, or
          • multiple Balancing Contingency Events within the sum of the time periods defined by the Contingency Event Recovery Period and Contingency Reserve Restoration Period whose combined magnitude exceeds the Responsible Entity's Most Severe Single Contingency.

          The measure M1 states;

          Each Responsible Entity shall have, and provide upon request, as evidence, a CR Form 1 with date and time of occurrence to show compliance with Requirement R1. If Requirement R1 part 1.3 applies, then dated documentation that demonstrates compliance with Requirement R1 part 1.3 must also be provided.

          Reportable Balancing Contingency Event is defined;

          Any Balancing Contingency Event occurring within a one-minute interval of an initial sudden decline in ACE based on EMS scan rate data that results in a loss of MW output less than or equal to the Most Severe Single Contingency, and greater than or equal to the lesser amount of: (i) 80% of the Most Severe Single Contingency, or (ii) the amount listed below for the applicable Interconnection. Prior to any given calendar quarter, the 80% threshold may be reduced by the responsible entity upon written notification to the Regional Entity.

          • Eastern Interconnection – 900 MW
          • Western Interconnection – 500 MW
          • ERCOT – 800 MW
          • Quebec – 500 MW

          Contingency Event Recovery Period; defined;

          A period that begins at the time that the resource output begins to decline within the first one-minute interval of a Reportable Balancing Contingency Event, and extends for fifteen minutes thereafter.

          Balancing Contingency Event, defined

          Any single event described in Subsections (A), (B), or (C) below, or any series of such otherwise single events, with each separated from the next by one minute or less.

          A. Sudden loss of generation:

          1. Due to
            1. unit tripping, or
            2. loss of generator Facility resulting in isolation of thegenerator from the Bulk Electric System or from the responsible entity’s System, or
            3. sudden unplanned outage of transmission Facility;
          2. And, that causes an unexpected change to the responsible entity’s ACE;

          B. Sudden loss of an Import, due to forced outage of transmission equipment that causes an unexpected imbalance between generation and Demand on the Interconnection.

           C. Sudden restoration of a Demand that was used as a resource that causes an unexpected change to the responsible entity’s ACE.

          SERC Response

          As a generation only Balancing Authority with no firm load obligations, you are obligated, as demonstrated in the diagram below, to balance your power generated or purchases with sales (either firm or non-firm). These sales are your export obligation. It is SERC’s opinion that Requirement 1 of BAL-002-2 is applicable to a generation only Balancing Authority.


        • A:September 13, 2018

          BAL-003:  If an entity loses a unit that causes a BAL-003 event and that event is chosen for reporting, is the entity that caused the event still required to meet the FRM for that event; or can they be exempt?

          Frequency Response Measure (FRM) (as calculated and reported in accordance with Attachment A) is an annual requirement; there is not an exemption. If a Responsible Entity had a Reportable Balancing Contingency Event, BAL-002-2(i) Disturbance Control Standard (DCS), the Responsible Entity shall recover per the standard.

        • A:December 13, 2017
          The BAL-003-1.1 R1 RSAW asks the following question: “Has the entity merged or transferred load or generation during the compliance monitoring period and notified the ERO of the change in footprint and corresponding changes in allocation?”

           

          What is the process for making notification to the ERO? How much of a load or gen change is needed to trigger notification?

          The language in the RSAW following this question states that this “is for information purposes to assist the auditor in understanding if there should have been a corresponding change in the frequency response obligation, not to assess compliance with Requirement R1.” Further down in Attachment A of the Standard there is some additional language that states the entity is encouraged to reach out to the ERO Resource Subcommittee (RS) to inform of resource/load changes. These values are used by the RS to assign Frequency Response Obligations (FRO) per annum. This would be the same mechanism for informing the RS to make considerations for changing FROs or Frequency Bias Settings.

          Essentially, the ERO does not use this information to assess compliance directly, but uses it to provide more information for the auditor to understand changes to the metrics used to assess compliance; in this case the FRO.

        • A:July 26, 2019
          BAL-005-1 R3, requires the BA to demonstrate the frequency metering equipment used in the calculation of Reporting ACE is available at a minimum of 99.95% for each calendar year. Does SERC prefer evidence in the form of raw data that show the % of time the equipment was available, or would SERC prefer evidence in the form of raw data that show the % of time the equipment was unavailable? Or is SERC neutral on this issue?

          SERC is neutral on this issue. However, to demonstrate compliance with Requirement R3, the Balancing Authority shall have evidence such as dated documents or other evidence in hard copy or electronic format showing the frequency metering equipment used for the calculation of Reporting ACE had a minimum availability of 99.95% for each calendar year and had a minimum accuracy of 0.001 Hz.

        • A:August 3, 2019
          BAL-005-1 R5, requires the BA to have dated documentation demonstrating that the system necessary to calculate Reporting ACE has a minimum availability of 99.5% for each calendar year. A very large amount of data would be  required to demonstrate compliance for each day in an entire calendar year and even more data would be required to cover the entire three-year audit period. Therefore, is it acceptable to use data for a randomly selected day during each calendar year to demonstrate compliance? If so, has SERC established a sampling methodology and/or a preferred format for the evidence?

          Per the standard, the information is required for each calendar year; therefore, documented data for the system used to calculate Reporting ACE has a minimum availability of 99.5% must be available for the entire audit period.  SERC will use the NERC Sampling Guide which is part of the NERC Compliance Monitoring and Enforcement Manual Version 4.0 for sampling data if necessary.

        • A:May 13, 2019
          BAL-005-1 R7 requires entities to have a common source for scan rate values for Reporting ACE (R7.1).  If two entities sharing a tie line obtain scan rate values from the same current transformer (CT) and potential transformer (PT) but those values go to each entity's separate RTU, is it acceptable to state that the same CT-PT usage meets compliance; or do the scan rate values need to come from the same RTU or meter?

          Response:
          In order to meet this requirement you must demonstrate the values for ACE Telemetry come from a common source to both BAs and provide documentation of how the megawatt-hour values are time synchronized. PTs, CTs, and meters must be common and RTU’s time synchronized for the proper megawatt-hour values.

        • A:June 10, 2019
          With regards to CIP-002, if a separate storage area network (SAN) is used for memory for a virtual PACS system, is the SAN considered a Cyber Asset that needs to be compliance with CIP-007, -010, etc.? 

          The NERC glossary definition of PACS mentions cyber assets (plural) as achieving compliance with CIP-006-6 R1, so if the SAN is one of the BES Cyber Assets which in combination is used to “…control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers,” then it would be part of the PACS and subject to the standards, requirements, and requirement parts where it falls under the Applicability column.

        • A:Updated December 28, 2019


          Yes. FERC published the following determination in the October report on lessons learned from CIPv5 audit activity by FERC-led teams, “To determine whether a generation Control Center or back-up Control Center meets the 1500 MW threshold, the MW capacity of both BES generation and non-BES generation are considered” (FERC, 2017 Oct 6, 2017 Staff Report, p. 10).

        • A:June 5, 2019
          For CIP-002 R2, the identifications stated in R2.1 and R2.2 are only for assets and BES Cyber Systems containing BES Cyber Assets correct?  The identifications do not apply to other devices such as PACS devices correct?

          That is correct.

        • A:10/16/2015
          Do you need to list the physical address of the system?

          The auditor will require enough information to be able to locate the asset.

        • A:Updated December 28, 2019 
          Under the previous version of CIP 002, we did not identify any critical cyber assets. It has also been determined by LBA/TOP that we are not critical to the BES.  Other than complying with requests and record keeping, does this make the new version not applicable to our entity?   The new version is very confusing.

          Prior exclusion for not having Critical Assets in the version 3 standards is not a consideration for exclusion from CIP-002-5.1a or the other CIP standards. Registered entities meeting the criteria in section 4 “Applicability” of CIP-002-5.1a must implement a process to demonstrate compliance with CIP-002-5.1a.

        • A:12/1/2015
          CIP-002-5: How would you classify non-BES facilities? How do we treat remote line switches that are outside of a transmission substation?

          Non-BES “facilities” (Lower case “f”) and Non-BES “Facilities” (Upper case “F”) are out of scope. This is due to the applicability requirements. Refer to “Facility” definition in the NERC Glossary of terms and “Section 4” and “Attachment 1” (pages 23 - 33) of the CIP-002-5.1 Guideline and Technical Basis.

        • A:10/16/2015
          CIP-002 V5 Attachment 1 – 2.10: If you have multiple relays that operate independently of the EMS system but add up to over 300 MW, how is that handled?

          The question is not whether the relays operate independently of the EMS, but rather whether the multiple relays coordinate with each other (i.e., operate as a coordinated load shedding system) that can trip more than 300 MW of load.  If the relays do not coordinate, i.e., they are separate and autonomous, then they do not meet the criterion; however, if they coordinate their actions or have common inputs, then they may meet the criterion.

           

        • A:Updated December 28, 2019
          What assets qualify to be added to the data request spreadsheet?  For example, we have nine power plants and only six are controlled remotely.  Would I be correct in assuming that all generators, stations, etc. that are not connected to a "cyber-system" (such as a SCADA) should not be listed on the spreadsheet?  These are assets that do not have remote capability and have to be operated from a bench board locally. Naturally, I assume our remote plants, in which we can control generators, switchyard breakers, etc., would be included on the spreadsheet.

          Registered entities should apply CIP-002-5.1a to all assets and facilities that meet Section 4 Applicability of the CIP-002-5.1a standard.

          It is a best practice to document the assessment for all assets and facilities that are considered possible candidates as part of the BES. This documentation can provide information for auditors explaining why facilities may be excluded from the BES.

          Note that lack of remote operation is not a consideration for exclusion from the BES or the CIP requirements. BES facilities with no remote capability can still be an asset with Low or Medium BES Cyber Systems. In most generation facilities, the Distributed Control Systems (DCS) qualify as BES Cyber Assets/Systems, even if they are not connected to a SCADA system.

        • A:12/1/2015
          For TO facilities (local control centers) that do not perform the functional obligation of the TOP (per the NERC functional model), should they be classified as medium impact per CIP-002-5? Specifically how should a TO facility (local control center) that has a jurisdictional control agreement with a TOP control center be classified per CIP-002-5?

          Yes, if it meets the Impact Rating Criterion of Section 2 - Medium Impact Rating (M).

        • A:2/10/2016
          How does "of the preceding 12 calendar months" from the CIP Standard work with the MOD-025-2 periodicity of "every 5 years or within 12 months of discovery of a change that affects the Real Power capability of more than 10%" considering that the CIP-002-5 say that the two should work together?

          The CIP-002-5.1 Attachment 1 paragraph below, highlighted, uses the phrase "highest rated net Real Power capability of the preceding 12 calendar months…"  The Guidelines and Technical Basis below that says this was used to have a value that could be verified through existing requirements.

          MOD-025-2 requires Real Power capability verification every 5 years or within 12 months of discovery of a change that that affects the capability by more than 10 percent.

          2. Medium Impact Rating (M)

          Each BES Cyber System, not included in Section 1 above, associated with any of the following:

          2.1. Commissioned generation, by each group of generating units at a single plant location, with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. For each group of generating units, the only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single interconnection.

          From CIP-002-5.1 Guidelines and Technical Basis:
          In the use of net Real Power capability, the drafting team sought to use a value that could be verified through existing requirements as proposed by NERC standard MOD-024 and current development efforts in that area.

          MOD-025 requires verification of this capability “within 12 months of discovery of a change that affects the capability by more than 10 percent.” By referring to “the preceding 12 calendar months,” CIP-002-5.1a is saying that only the “current” net real power capability need be considered in cases where there have been no changes within the last 12 months that affected capability by more than 10 percent. In cases where such changes have occurred within the last 12 months, then both the “before” and “after” values of the net real power capability must be considered, with the highest of the two (or more, if multiple such changes occurred) being the value used to determine the risk rating.  The idea of these two standards “working together” also means that when a qualifying change occurs in the future, not only must real power capability verification be performed within 12 months for MOD-025, but the entity also must re-visit the CIP-002-5.1a risk rating (to determine whether, for example, the change results in a Low impact facility becoming Medium impact).

        • A:Updated:  1/1/2019
          What is the CIP V5 implementation schedule for low impact sites?           
          The Processes and Procedures for Sections 1 and 4 of CIP-003-6 - Attachment 1 should now be in place. The implementation date for Sections 2 and 3 (physical security and electronic access controls) is January 1, 2010.
        • A:March 1, 2016
          For DPs that implement a UFLS scheme that sheds greater than 300 MW of load under a distributed (uncommon) control system that is energized at less than 100 kV and is not considered BES, does CIP-002-5.1 Attachment 1 Criteria 2.10 or 3.6 apply? If so, which criteria?

          More detail is required for a definite answer. For example, if the distributed control system has only one input that is common to all parts of the system, it could be viewed as a common control system.

          Assuming that there are no common components or inputs of the distributed control system, then it would not apply. If all the elements are below 100 kV, they are not considered BES Elements and, therefore, not subject to the CIP Standards unless subject to the 4.2.1.1.2 inclusion.

          CIP-002-5.1 Attachment 1 Medium Impact Rating Criteria
          2.10. Each system or group of Elements that performs automatic Load shedding under a common control system, without human operator initiation, of 300 MW or more implementing undervoltage load shedding (UVLS) or underfrequency load shedding (UFLS) under a load shedding program that is subject to one or more requirements in a NERC or regional reliability standard.

          CIP-002-5.1 Attachment 1 Low Impact Rating Criteria
          3.6. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

        • A:2/24/2015

          CIP-002 V5 R1 and Section 2.6 (Attachment 1): Which functional entity (TP, PC, RC) determines the identification of the transmission facility as a medium impact BES cyber system? The TP/PC, due to the time horizon considered, do not identify the IROL; but are the asset owner of the transmission facility.  (The RC is not the owner).

          Each entity audited for compliance will need to provide thorough evidence of communication with all parties involved to provide some final determination by one of the parties of the impact rating for the particular Transmission Facility. This communication should address the various determinations and responsibilities as applicable for each Transmission Facility for which this determination is necessary.

        • A:January 17, 2019
          I have a question on CIP 003-6 implementation.

           

          Section R1.2 states for assets identified in CIP-002 as containing low impact BES Cyber Systems, each entity shall review and obtain CIP Senior Manager approval at least every 15 calendar months for one of more documented cyber security policies that address:

          1.2.1 Cyber security controls (effective 4/1/17)

          1.2.2 Physical security controls (effective 4/1/17)

          1.2.3 Electronic access controls for Low Impact External Routable Connectivity and Dial-Up Connectivity (effective 4/1/17)

          1.2.4 Cyber Security incident response (effective 4/1/17)

          Section R2 states each entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plans for its low impact BES Cyber Systems per attachment 1.

          Section 1 – Cyber security awareness – reinforcement of cyber security practices every 15 months (effective 4/1/17)

          Section 2 – Physical Access Controls – Control of physical access to the asset (effective 1/1/20 with CIP 003-7)

          Section 3 – Electronic Access Controls (effective 1/1/20 with CIP 003-7)

          Section 4 – Cyber Security Incident Response (effective 4/1/17)

          My question is what is the difference between just having a documented cyber security policy versus implementing cyber security plans?

          A cyber security policy is a high level over-arching document either reiterating the standard and requirement to be met or similar verbiage stating the responsible entity shall perform or meet certain levels of compliance as stated in the CIP Standards. Per the Rationale for Requirement R2 as written in CIP-003-6, “One or more security policies enable effective implementation of the standard's requirements. The purpose of policies is to provide a management and governance foundation for all requirements that apply to personnel who have authorized electronic access and/or authorized unescorted physical access to low impact BES Cyber Systems. The Responsible Entity can demonstrate through its policies that its management supports the accountability and responsibility necessary for effective implementation of the standard's requirements by CIP Senior Manager approval of the policies specified in Part 2.1.”

          A plan is a lower level document providing information as to who will do what, when, and how to meet the requirement as set forth in the policy document. Plans may have lower level procedure documents providing more details, breaking down the stages in the plan into steps or tasks to be performed to accomplish the plan.

          An example: CIP-003-6 R1.2 requires a responsible entity having an asset containing low impact BES Cyber Systems to document a cyber security policy for cyber security awareness under R1.2.1. Requirement 2 states the responsible entity must implement one or more documented plans that include the applicable elements in Attachment 1.

          A cyber security policy statement might read, “Acme Power shall provide Cyber Security Awareness reinforcement to all authorized persons having access to low impact BES Cyber Systems at least once every 15 calendar months.”

          A cyber security awareness reinforcement plan might read, “Acme Power shall provide Cyber Security Awareness reinforcement to all authorized persons having access to low impact BES Cyber Systems at least once every 15 calendar months. This will be accomplished via the following methods: direct communications, indirect communications, and management support. Regarding direct communications, Acme Power shall send quarterly emails to all authorized persons with a known email account regarding some aspect of cyber security. Regarding indirect communications, posters portraying some aspect of cyber security shall be hung within each identified area housing low impact BES Cyber Systems and rotated on a quarterly basis. Regarding management support, all safety meetings and training sessions shall include a cyber security awareness topic to be presented.”

          A cyber security awareness reinforcement procedure might read, “The Manager of Transmission shall be responsible for hanging cyber security awareness posters within areas housing low impact BES Cyber Systems. Posters shall be hung in a prominent place so that all who enter would be most likely to see it. Posters shall be changed out on a quarterly basis among the various locations across the company. When a new poster is hung, a dated photograph shall be taken showing the poster and its surroundings as evidence of the reinforcement. Photographs shall be stored in the Evidence Server under Cyber Security Awareness.”

        • A:2/24/2015

          When monitoring is used as a physical security control at a low impact location for standard CIP-003-6 Attachment 1 Section 2, should entities maintain evidence/logs of the monitoring for 90 calendar days, as in CIP-006-5 R1.9, or for the entire compliance period to provide to internal and ERO auditors? What are other examples of what will be requested to show implementation of these controls?

          The 90 calendar day limit deals with logging of access by authorized personnel or of visitors. However, because SERC tends to only sample events and incidents for a 90-day period just prior to an audit, monitored alarm events could be kept for this same time period. The policies, procedures, and system configurations that support logging must be maintained throughout the compliance monitoring period. It should be noted that reportable incidents per CIP-008 R2 require that all pertinent information be retained for three calendar years.

        • A:4/19/2016

          CIP-003-6 – Attachment 1
          Section 2.

          Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset and (2) the Low Impact BES Cyber System Electronic Access Points (LEAPs), if any.

          Question: Does this require a log (physical or electronic) of individuals who physically access the “Low” assets?

          Per the standards, there is no requirement to log cyber or physical access of authorized persons or visitors to low impact BES Cyber Systems.
        • A:May 4, 2017
          Is CIP-003-6 applicable to all BES cyber assets or only BES Cyber Systems that would impact the reliable operation of the BES?

          Yes, CIP-003-6 is applicable to all BES Cyber Assets, and all BES Cyber Assets are part of at least one BES Cyber System.

          From NERC Glossary:
          BES Cyber Asset: A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non‐operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems.

        • A:Updated:  1/1/2019
          CIP-003-6 Attachment 1, Section 3, 3.2 states that each Responsible Entity shall “Implement authentication for all Dial-Up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability”.  

          The examples in CIP-003-6 Attachment 2, Section 3 list “access control on the BES Cyber System” as an example of authentication for Dial-Up Connectivity.  Many Cyber Assets utilized in industrial control systems are capable of providing password/passcode authentication, but are not capable of using any type of user or system account in conjunction with a password/passcode. 

          If Dial-Up Connectivity to a low impact BES Cyber System is authenticated through the use of passwords (but not in conjunction with any type of account) as the sole challenge authentication, would SERC consider this to be a sufficient means of authentication to meet the requirements of CIP-003-6 Attachment 1, Section 3, 3.2?

          At this point, dial-up authentication for low impact assets does not come into effect until January 1, 2010. Currently, SERC’s stance is that it applies “per device capability.”

           

        • A:10/16/2015
          CIP-004 R1.1:  A clarification is needed concerning the phrase “Responsible Entity’s personnel” as it relates to Security Awareness Programs in CIP-004-5 Part 1.1.

          Does the phrase imply that the registered entity’s Security Awareness Program only needs to target employees of the registered entity who have authorized electronic or unescorted physical access to High or Medium impact BES Cyber Systems?  It appears that, under V5, the SDT removed the registered entity’s obligation (as opposed to V3) to have multiple awareness programs to provide awareness to contract personnel who may not have access to direct communications (i.e., emails, memos, computerbased training); or indirect communications (i.e., intranet); or management support and reinforcement (i.e., presentations or meetings) when any of these methods are incorporated into the awareness program.
          As noted in the Measures section, compliance requires “documentation that the quarterly reinforcement has been provided.” The guidance states “[t]he Responsible Entity is not required to provide records that show that each individual received or understood the information, but they must maintain documentation of the program materials utilized in the form of posters, memos, and/or presentations.”

        • A:1/9/2015

          Can an entity define the training requirements specific to access type (physical or electronic)?

          Yes, a Registered Entity can define specific training requirements pursuant to access type. A Registered Entity will need to ensure that all training modules associated with that access type are obtained before access is granted and at least once every 15 calendar months for continual access. Example: If there are three modules needed for an access type, all three will need to be completed prior to being granted access.

        • A: 3/18/2015

          I am seeking guidance or examples on the level of separation required between the network(s) the BES Cyber Security policies and procedures are currently stored and the Corporate Network and associated Corporate IT staff.

          The BES Cyber Security policies are located on a secure network location(s), but the Corporate IT staff has “God Rights” to these network(s) as part of their job duties as assigned to support the Corporate network. The Corporate IT staff is not currently subject to any NERC compliance requirements and are not familiar with NERC in general since they only support the Corporate Network.

          Per the BES Cyber System Information definition, we are of the understanding that the BES Cyber Security policies and procedures would have to be stored in a separate location to prevent the Corporate IT staff from having any access.  If the BES Cyber Security policies and procedures are to remain on the Corporate Network, would the Corporate IT staff be subject to the NERC training requirements and access revocation timelines as specified?

          Within CIP-011-1 R1.1, the registered entity is required to establish methods to identify information that meets the definition of BES Cyber System Information. Under CIP-011-1 R1.2, the registered entity is instructed to implement procedures for protecting and securely handling BES Cyber Security Information. Using the definition of BES Cyber System Information that will become effective on April 1, 2016 (refer to the Glossary of Terms Used in NERC Reliability Standards; dated March 3, 2015), the registered entity would be required to properly determine and support the decisions on what information is considered BES Cyber Security Information.  Policies and procedures (what level of information they contain and how it is documented) will vary from entity to entity and from program to program. Some registered entities may include information in policies and procedures that is detailed or specific enough to its program, systems, architecture, and/or network that the information would be sensitive and could pose a threat to the BES if it found its way into the wrong hands.  Other registered entities keep policies high-level enough that they contain no sensitive information to cause or pose impact to the BES, even when considered in conjunction with all policies and procedures under CIP. The approach for this requirement is specific to the registered entity and to the program developed to meet compliance.  If a registered entity’s policies and procedures (when considered collectively) do not contain sensitive information that could pose a threat or could be used to allow unauthorized access to BES Cyber Systems, then it would not be in scope for protections cited in CIP-011-1 R1.2. If the policies and procedures do contain sensitive information, then they would be in scope for Information Protection.

          As a side note, if a registered entity chooses to keep policies and procedures devoid of operational specifics or details, there will be a level of documentation below these that does get into specifics and details that are required for operational effectiveness. These documents, however they are stored and used, and whatever they are called, would be subjected to Information Protection as required in CIP-011-1 R1.3/18/2015

        • A:June 5, 2019
          Concerning virtual machines, if a PACS-related virtual server is on a physical host along with other PACS-related virtual machines, does unescorted physical access to the physical host need to meet the Requirements of CIP-004-6 R3.2 if the virtual PACS machines are associated with a high impact BCS located in a separate physical location?  This is concerning access to the virtual PACS devices, not a BCS.

          Yes, unescorted physical access to the physical host would need to meet the Requirements of CIP-004-6 R3.2 if the virtual PACS are associated with a high impact BCS located in a separate physical location.  CIP-004-6 R2.3 states that it is associated with High Impact BES Cyber Systems and their associated PACS; it does not distinguish if they are virtual. Also, there is the risk that, if someone were to gain access to the physical host, they would have access to all virtual machines located on the said physical host. So, that physical host should be protected at the highest level of associated items on the said physical host.

        • A:May 4, 2017

          CIP-004-6 R5.2 specifies that for transfers, access must be revoked by the “end of the next calendar day following the date that the Responsible Entity determines that the individual no longer requires retention of that access.”  Knowing that transfers are still employees with passing PRAs and adequate CIP training, the risk against compromise that could lead to misoperation or instability in the Bulk Electric System (BES) from these transferred individuals accessing BES Cyber Systems after a transfer is assumed to be low risk.

          Based on this assumption of low risk threat, can SERC provide an opinion about how much time would be considered too great an amount of time to pre-determine the individual no longer needs access?  For example, if an entity predetermined 6 months to be acceptable to keep access intact such that the access must be revoked by the end of the next calendar day following the pre-determined 6 months, would SERC find the entity’s predetermined 6 months to be an acceptable time limit for revoking access for transfers? Is there a particular range of time that SERC feels could be acceptable?

          The entity is responsible for documenting the need for the employee to retain the access so there is not a specific number of days that will be acceptable, rather the entity should document the actual need for the employee to have access. SERC expects that if access is no longer being used, then it is not required unless there is a well-documented business need for the access. The documentation should clearly justify why access is required but is not being used.

        • A:July 17, 2019
          If a relay device was configured to only use a Layer 2 non-routable protocol to communicate outside of a medium substation using Ethernet, is that traffic required to cross through an EAP as in CIP-005 R1.2? If it does not, what evidence would be requested to prove the non-routable nature of the protocol?

           

          An Electronic Access Point (EAP) protects the Electronic Security Perimeter (ESP) via routable protocols that provide the capability of examining the communication traffic inside and outside the ESP.  A layer 2 protocol bypasses the established security controls provided by the Firewall EAP which protects BES Cyber Systems and Cyber Assets from potentially harmful attack vectors.

          Because layer 2 communications between Cyber Assets outside with those on the inside eliminates the protection needed that may impact the reliability of the Bulk Electric System (BES) and because the NERC ERO and the Standards Drafting Team has not published an acceptable method or solution for how the ESP should be minimally protected, the implementation of layer 2 bypassing the ESP is currently not recommended.  If you are considering the implementation of layer 2 communications that bypasses the security currently afforded by an ESP, consider the following:

          • Document the business purpose for the use of layer 2 and reasons for bypassing secure established protocols
          • Identify the Layer 2 protocol being considered
          • Identify all potential attack vectors and method of protection to determine or apply a Risk Based Analysis of those vectors
          • Describe the type of communications occurring both inbound/outbound from the protected BES Cyber Systems and Cyber Assets
          • Describe how the BES Cyber Systems and Cyber Assets within an ESP would be protected should an attack occur
          • Use a network diagram to design, document and articulate how the communications paths between all network equipment and protocols used to communicate both inside and outside the ESP will occur
          • Document all contingency processes and describe how Layer 2 would be monitored

          The above considerations are not all-inclusive. These are only a starting point for documenting a justification and making the determination of using a non-routable protocol that currently bypasses the security afforded by an Electronic Access Control or Monitoring Systems that protects the reliability of the BES.

        • A:May 4, 2017
          What are SERC auditors expecting for evidence to prove that the entity has implemented multi-factor authentication?

           

          Auditors expect the evidence to include the following information:
          1. Policy statement requiring multi-factor authentication and
          2. Any applicable procedures that affect multi-factor authentication and
          3. Configuration and procedure data showing that all IRA connections require multi-factor authentication and
          4. Evidence of execution of the process including a demonstration of the process
        • A:2/24/2015

          CIP-005-5 R2.3 – Multi-factor authentication for interactive access: If a registered entity uses an application on their smart device to generate an authentication code, does the smart phone need to be protected as part of the intermediate system?

          Examples of additional authentication factors that are typically employed to achieve multi-factor authentication include devices such as smart cards and hardware tokens. These would be considered stand-alone devices, and would not be brought into scope as part of the intermediate system. By extension, this would also be true of the smart phone described in the question, since the described application would fulfill the same role as a hardware token. Entities should keep in mind that smart phones are highly targeted by cyber threat actors; and should, thus, be secured accordingly. However, in this example, the smart phone does not fall into CIP purview as an intermediate system.

        • A:Updated:  1/1/2019
          CIP-005 R1.4 – Dial up: What is an acceptable minimal authentication level?   Is a password alone enough?  Does each person need to have their own password or is a shared one ok?   Is an Account expected?
          Registered entities should use an authentication that can validate the calling party  – any modem that answers all calls and connects would not be sufficient (and neither would be one that uses a well-known default password). The guidance states “[s]ome examples of acceptable methods include dial-back modems, modems that must be remotely enabled or powered up, and modems that are only powered on by onsite personnel when needed along with policy that states they are disabled after use.” It is not required that each person have a password as long as the small set of people with the password is documented.

          Note that if the dial-up connection provides Interactive Remote Access, then CIP-005 Requirement 2 will also apply.

        • A:Updated:  1/1/2019

          CIP-005 R1.5 is about Electronic Access Contol and/or Monitoring Systems.  Can SERC confirm that this means "electronic access control and/or electronic access monitoring", as is clarified in the accepted definition of EACM in V5?

          The "Applicable Systems" field of CIP-005 Part 1.5 states that this requirement part is about Electronic Access Points. Accordingly, the relevant definition in NERC's Glossary of Terms is the definition for Electronic Access Point.

        • A:September 11, 2019
          If Entity A employs an access control panel (ACP) to control access to a guard house that houses PACS devices, e.g., PACS related workstations, but no BCAs or EACMS are located within the guard house, is the ACP a PACS device if the ACP is programmable?  To clarify, it does not appear that the ACP controls, alerts, or logs access to a PSP, but it does appear the ACP controls access into a location containing PACS devices.            

          Let’s start with some definition from the NERC Glossary of Terms to answer the question:

          Physical Access Control Systems (PACS) are defined as Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.

          Physical Security Perimeter (PSP) is defined as the physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems reside, and for which access is controlled.

          From the definitions above, we can see that the access control panel (ACP) is controlling access to the guard house; but because it does not contain any BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems, it does not meet the definition of a PSP, hence it does not meet the strict definition of PACS.

          Per CIP-006 R1.1, the entity would need to define the operational or procedural controls to restrict physical access to PACS associated with high impact BES Cyber Systems or medium impact BES Cyber Systems with External Routable Connectivity.

          The ACP controlling access to the guard house would not be a CIP PACS cyber asset since this room contains no BES Cyber Systems or BES Cyber Assets. This would be a corporate PACS cyber asset.

          A dedicated PACS workstation located within this room or building would be a CIP PACS cyber asset, if alarm monitoring and access logging of CIP PSP physical access points are displayed and acted upon at this monitor position. If this workstation only has alarm and access information for non-CIP physical access points to buildings and grounds, it would not be a CIP PACS cyber asset. If it is CIP PACS, the entity would need to include operational or procedural controls to restrict physical access to the workstation, not to the room or building. The ACP controlling guard house card readers and those associated card readers would be corporate PACS devices.

          If the PACS is browser based and requires a logon to the PACS application by an authorized individual but the workstation is used for other applications also, the workstation would not be considered as a CIP PACS cyber asset. This would be the same as every other workstation connected to the same network.

        • A:Updated:  1/1/2019

          Description of the Violation, Issue, or Trend
          The responsible entity did not include or implement a visitor control program in its physical security plan, or it does not meet the requirements of continuous escort.

          Risk Considerations
          Unauthorized or unsupervised individuals could access sensitive information and systems within the physical security perimeter.

          Description of Mitigation Activity
          Implement a visitor control program that incorporates logging of access and exit and incorporates a continuous escort within the physical security perimeter.

          Other Factors or Comments
          This is a best practice for visitor pass management. The visitor is assigned a bright green badge with a number. The escort then takes the corresponding bright yellow half badge with the same number to indicate which visitor he/she is escorting. The escort can clip on multiple yellow half badges for escorting more than one visitor. At a glance you can recognize which visitors are being escorted by which entity personnel. In the event there is an escort hand off, the new escort would receive the smaller yellow clip-on badge(s) from the original escort.

        • A:2/24/2015

          Are there additional resources or guidance for the types of controls to restrict physical access for the Medium Impact BES Cyber Systems without External Routable Connectivity and PACs applicable to CIP-006-5 R1.1 which do not reside within a PSP? The measures section only mentions providing documentation that these controls exist.

          Please note the following are examples of what has worked for other organizations.  A Physical Access Control System (PACS) server that is configured and maintained by authorized personnel that utilizes a documented procedure to grant and review access can be used to restrict access.  In addition, utilize a visitor management procedure that requires sign in, identification tagging, and active escorting within restricted areas. A detective control would utilize alarm systems to alert for forced open, held open, or unauthorized entry.

        • A:September 28, 2016
          CIP-006-6: If locally mounted hardware or devices at a PSP, as defined in the Background of CIP-006-6, fails (i.e., an electronic door strike does not fully engage but the door is closed), is that considered a lack of physical access controls and a Possible Violation?  

          In this example the documented physical security plan defined physical access controls as card keys, mechanical keys, security personnel, and other authentication devices (keypad or biometrics). Additionally, monitoring and logging of physical access are in place and working.

          Depending on the effectiveness of the implemented access controls, if the registered entity can no longer restrict physical access into a PSP, then it could be a potential violation of CIP-006-6.
        • A:Updated December 28, 2019

          CIP-006-6:  Is a Cyber Asset that is only used to log visitor access to a PSP considered a PACS asset?

          A Cyber Asset used only to record visitor access should not be considered a PACS.

           

        • A:4/9/2016
          CIP-006-6 R1.1 applies to Medium Impact BES Cyber Systems without External Routable Connectivity (ERC) and requires the Entity to “Define operational or procedural controls to restrict physical access”. 

          The questions relates to the handling of guests or visitors.  Can an Entity write procedural controls to allow guest entry into the areas with just someone providing them access?  Would a guest/visitor log be expected? Would escorting be expected?  The standard is not very clear on handling access to 1-time guests.

          There is no requirement per the wording of CIP-006-6 Part 1.1 to restrict physical access to any certain authorized group or to require that any other persons be restricted or escorted. It is up to the entity to document how they will restrict physical access to these BES Cyber Systems. The document should include, but not limited to, a discussion regarding:

          • Who the entity deems to have authorized physical access to these BES Cyber Systems and who would be restricted from physical access;
          • For those restricted from physical access, how the entity plans to grant them temporary access;
          • Whether escorting of those not normally authorized should be required and performed by whom;
          • Whether logging of those the entity deems authorized and those they deem not authorized needs to occur and, if so, by what means,
          • How access is to be restricted, either by electronic means such as via a PACS or keyless entry system or via mechanical means such as keys; and
          • If using keys, whether said physical access points should have special keys or standard keys and whether the keys should be “restricted” through a check-out process or distributed to anyone deemed authorized.

          CIP-006-6 Part 2.2 requires manual or automated logging of visitor entry into and exit from the Physical Security Perimeter and CIP-006-6 Part 2.1 requires continuous escorted access of visitors and BES Cyber Systems; however, those requirements are not applicable to BES Cyber Systems without ERC.

        • A:10/16/2015
          CIP-007 R2: If a patch solely includes new security functionality, does it need to be assessed if it doesn’t directly address a security vulnerability?  For instance, what if the security patch enhances the password complexity capabilities of a device but doesn’t directly address a known security vulnerability?
          The requirement is to “evaluate security patches for applicability.” While not all security patches reference specific vulnerabilities, all security patches are designed to enhance the security of the system, and all should be evaluated for applicability.

          Note that not all applicable patches must be installed, so the entity may choose to create a mitigation plan.

          In the example cited, short and simple passwords are clearly a vulnerability, so increasing the complexity and length of the passwords on the system does make the system less vulnerable. If the patch allows the entity to retire a TFE, that would be a patch that should be considered for installation rather than just mitigated.

        • A:10/16/2015
          CIP-007-5 R2.2: For devices in the field that haven’t been updated in “years,” do we evaluate patches for the history of the device; or should we start from April 1, 2016?  Or, should we start from patches released from April 1, 2016 going forward?
          The ERO is currently developing an approach for how to analyze patches for devices which have been in place for a number of years, have not undergone a patch analysis, and likely have some patches that would be analyzed for applicability if the patches would be released following April 1, 2016 (As of the writing of this response, the ERO has not solicited comments on this approach). The Implementation Plan is silent about patches released prior to 4/1/16, however the ERO is considering that during the initial patch assessment period (i.e., 35 days following 4/1/16, or by no later than May 5, 2016), assuming the device is updateable, and a patch source exists, the Responsible Entity would determine what patches are available and perform an initial triage of those patches to determine if any of them are security patches associated with functionality in use on those devices.  Then during the evaluation period (i.e., no later than June 8, 2016), a vulnerability mitigation plan would be developed to address the security vulnerabilities addressed by those patches.  Note that there is no expectation by the ERO that the patches will be installed by June 8, nor is there a requirement that the mitigations all be completely in place by then, only that a vulnerability mitigation plan exists, and the Responsible Entity is working toward implementing that plan.
        • A:10/16/2015
          CIP-007 R2.2: Do entities need to review patches for BIOS updates/drivers?
          Yes, these are reviewed/assessed along with the security patches or updates.
        • A:9/16/2015

          CIP-007-5, Table R4, Requirement 4.2.2
          “Detected failure of Part 4.1 event logging.”

          1. I do not see anything under “Measures” that defines what is expected.
          2. Is this on a “per device” or a general logging function?
          3. Is this covered by fulfilling 4.4 or is it an automated function, and if so how often?

          I’m not sure what is required, how often it is required, or how to fulfill the requirement.

          CIP-007-5 Part 4.1 requires that registered entities use event logs, while Part 4.2.2 requires that an alert be generated if that logging fails. Part 4.4 requires a periodic review of a summarization or sampling of logs; this is neither frequent enough nor comprehensive enough to serve as an “alert.” For all practical purposes, Part 4.2.2 may need to be addressed by an automated function.

          Part 4.1 allows the option of logging at the BES Cyber System level or the Cyber Asset level. Accordingly, the registered entity should document whether they are implementing Part 4.1 on a “per device” basis or utilizing a central log server. Once the registered entity has documented this, the entity will need to implement Part 4.2.2 at the same level(s). Most registered entities employ logging at both levels; i.e., individual devices generate and store logs locally (Cyber Asset level) while also forwarding log entries to a log server (which may be at a BES Cyber System or broader level).

          An example measure at the Cyber Asset level might be a script that runs periodically to verify that the local logging service is still running. An example measure at the BES Cyber System level could be a “heartbeat” service, whereby a central log server is configured to recognize when it stops receiving logs from an individual device. A good example measure for either level would be an automatically generated email that alerts system personnel to a detected logging failure.

          Due to differences in entity logging practices and in the amount of activity on individual devices, the threshold at which failure might be detected (and thus the frequency at which automated checks should occur) could be as little as a few minutes or as long as several days.  As such, SERC cannot define how often these checks should occur. Each registered entity must evaluate their Cyber Assets / BES Cyber Systems to determine the appropriate threshold(s) for their own environment.

        • A:4/8/2016
          If a CIP Exceptional Circumstance occurs, does SERC want to be notified at the time?  (This question is separate from any "reportable incident" under CIP-008's Incident Response requirements.) 

          Are CIP Exceptional Circumstances to a PSP expected to be shown in the Visitor log?

          What format should the reports use? 

          To whom at SERC should they be addressed?

          The "at the time of occurrence" reports - not the documents for audit evidence.

          There is no requirement to "report" the CIP exceptional circumstance - at the time of occurrence. However, the registered entity should adequately document the CIP exceptional circumstance and be prepared to provide the documentation to the auditors. The documentation should include, but is not limited to, the start and stop times and details surrounding the issue.

        • A:9/25/2015

          Description of the Violation, Issue, or Trend
          Recovery plans focused on disaster recovery do not meet the requirement of CIP-009 which is focused on device recovery. While redundancy and automatic failover to backup assets or sites provide disaster recovery, that process does not provide recovery of individual assets. This is a good way to find any deficiencies or undocumented parts of the recovery plan and procedure.

          Risk Considerations
          Recovery of individual assets, if not clearly documented, may not be executed properly when needed, especially in a major event when multiple assets are lost. This could greatly increase the time required to recover to the base situation where all assets (both primary and backup) are available.

          Description of Mitigation Activity
          Ensure that the recovery plans include procedures to recover individual assets. These procedures should either address each asset individually or address each class of asset. They should include how to obtain replacement parts (relevant contracts, purchase orders, approvals required), which roles are required (who initiates the recovery, purchase order approval, communication to operations on restoration, change ticket creation and approval, testing prior to installation, documentation of events, lessons learned), and any relevant localized information. For example, there may be a central spare parts location, but for some assets (remote substations are one example), it may take longer to get the parts from the spare parts location to the site. That should be documented in the recovery plan and in the recovery procedure for those assets and both the plan and the procedure should account for that time in the expected recovery duration.

          Other Factors or Comments
          Quote from an Entity RSAW

          "Auditors noted an Area of Concern with the recovery process since it did not clearly address all information needed for the recovery. While the recovery plans include high level information that is required, they did not include details on parts of the recovery such as how to obtain replacement parts, who is responsible to obtain the spare parts (and any procurement sign offs), vendor contracts for spare parts or support, change management requirements during a recovery, roles for recovery approvers, coordination of the recovery with system operations and how the expected duration of the recovery is determined."

        • A:9/25/2015

          Description of the Violation, Issue, or Trend
          Recovery plan testing is often done only at a very high level.

          Risk Considerations
          Recovery of individual assets, if not adequately tested, may not be executed properly when needed, especially in a major event when multiple assets are lost. This could greatly increase the time required to recover to the base situation where all assets (both primary and backup) are available.

          Description of Mitigation Activity
          One approach that works well is to have someone technically qualified but outside the CIP organization attempt a recovery. This removes the tribal knowledge and forces the recovery to use the actual, documented procedure.

          Other Factors or Comments
          Quote from and Entity RSAW

          "shows a description of how the entity exercises their recovery plan but it does not include recovery of individual assets as specified in the requirement."

          "provides entities evidence of a 2015 recovery exercise, including agenda, participant list, exercise (not detailed) and restore types. It does not include a scenario describing the event, specific equipment affected or procedures to recover specific assets or lessons learned."

        • A:

          September 28, 2016
          CIP-010 Attachment 1, Section 3.2.2 states, “Mitigate the threat of detected malicious code on Removable Media prior to connecting the Removable Media to a high impact or medium impact BES Cyber System or associated Protected Cyber Assets.” 

          As further guidance within the Guidelines and Technical basis for Requirement R4, Attachment 1, Section 3 – Removable Media, it states: “Frequency and timing of the methods used to detect malicious code were intentionally excluded from the requirement because there are multiple timing scenarios that can be incorporated into a plan to mitigate the risk of malicious code.” 

          While this guidance and flexibility is appreciated, it also raises the question of what SERC would consider “acceptable” frequency and timing for detection of malicious code when the Removable Media may be used throughout BES and non-BES facilities.  For example, when providing support to remote facilities (e.g. substations, switchyards, etc.), it is not atypical to require use of Removable Media within multiple locations over an average workday, which each may be separately categorized as containing Medium Impact BES Cyber Systems, Low Impact BES Cyber Systems, or a non-BES facility.  As a standard practice to address this requirement, malware scanning of Removable Media may only occur at a central facility once each morning or week prior to using the Removable Media at these locations. 

          As such, we are requesting clarity from SERC regarding what would constitute sufficient mitigation controls for the Removable Media used at these facilities.  For example, if the Removable Media is scanned once each morning or week, but then used at multiple BES and non-BES facilities throughout the day, does SERC agree that this scan would suffice to meet the requirement?  Or, is the expectation from SERC that a sufficient frequency would only consist of an individual malware scan prior to use at each individual High or Medium impact BES Cyber System or BES Cyber Asset? 

          Additionally, if the specific frequency is solely up to the discretion of the entity, is it SERC’s contention that providing an entity uses a method to detect and mitigate malicious code on Removable Media at some point prior to connecting the Removable Media to a BES Cyber Asset, then the requirement is meet?

          Is the answer the same for transient assets?  Particularly, how frequently do anti-virus scans need to be run … daily, before each use?  For how long is an authorization valid?

          The threat of malicious code on Removable Media shall be mitigated prior to the registered entity making a connection with a high impact or medium impact BES Cyber System or associated Protected Cyber Assets.

        • A:July 17, 2019

          We are trying to determine if a laptop employed in the following way would be classified as a “transient cyber asset”:

          The laptop is normally plugged into the “low impact” rated power plant DCS system for more than 30 days. The laptop is used by the plant DCS engineers to monitor and maintain the DCS network. Occasionally, the laptop is disconnected from the network connection, and is used to access a network PLC through a serial port to provide updates or changes that can only be accomplished when connected through the serial port. When the tasks are completed on the network PLC the laptop is returned to its original location and reconnected to the plant DCS. It is never connected to a network outside of the referenced DCS.

          Our assumption is that, when using the laptop only in the manner described above, that the laptop is not a “transient cyber asset” just because it is physically moved and connected to the same DCS through the serial port. Please advise.

          If the laptop mentioned is already declared as a BES Cyber Asset given its “normal” usage, then it couldn’t also be a TCA – per the TCA definition (“A Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System)..”

          If the laptop is not declared a BES Cyber Asset, it is a TCA.  When the laptop is moved and momentarily connected to the network PLC, from the perspective of that network PLC (not the original DCS) it meets the TCA definition:

          • A Cyber Asset that
            1. (i) is capable of transmitting or transferring executable code,
            2. (ii) is not included in a BES Cyber System,
            3. (iii) is not a Protected Cyber Asset (PCA), and
            4.  (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset (in this case the network PLC), a network within an ESP, or a PCA.

          Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.

        • A:Updated:  1/1/2019
          CIP-010 R4:  Does defined business function (Attachment 1, Section1, 1.2.3) need to be identified for every executable on a Transient Cyber Asset? Can the same assumption be made from the guidance for CIP-010 R1 (…The SDT does not intend for notepad, calculator, DLL, device drivers, or other applications included in an operating system package as commercially available or opensource application software to be included).

          The registered entity does not need to identify the defined business function for every executable on a Transient Cyber Asset.  Follow the same guidance as CIP-010-2, R1.

        • A:May 4, 2017
          What is SERC's expectation on how long paper and active CVAs should take to be performed? We have business units who think that all four components of an active CVA can be performed for the duration of the interval (36 months) allowed by the Standard, and we'd like to clarify what the timing duration is.

          CIP-010-2 does not prescribe any specificity as to how long a vulnerability assessment should take to complete; only that the components must all be completed within 15 months (for R3.1) or 36 months (for R3.2).  The four components of an active vulnerability assessment (as listed in the Guidelines & Technical Basis), thus need not occur all at once. Rather, performance of the four components may be spread across the 15- or 36-month timeframe dictated by the applicable requirement part.  However, this approach cannot be used as a way to extend the compliance deadlines.  All components (not merely a subset) of a vulnerability assessment must be completed by the published implementation date for the applicable requirement part (July 1, 2017 for R3.1; and July 1, 2018 for R3.2).

          For more insight as to what the vulnerability assessment should address, SERC recommends reviewing FERC Order No. 706 and its associated Notice of Proposed Rulemaking.

        • A:February 17, 2017

          A question was raised in our organization, regarding a BES Cyber Asset. Our operational team brought up the existence of a BES Cyber Asset containing a built-in tape backup, which makes the “built-in” part, not a transient device. However, the specific question is… Does the [physical] tape constitute a removable media? If so, would it require the corresponding CIP protections as stated in the guidelines and technical basis?

          Physical tape cartridges constitute Removable Media as defined in the Glossary of Terms Used in NERC Reliability Standards, as long as the physical tape resides in the tape drive for 30 consecutive calendar days or less. As defined in the NERC Glossary, Removable Media is storage media that:

          (i) are not Cyber Assets – (SERC notes the tape cartridge is not a Cyber Asset)

          (ii) are capable of transferring executable code, - (Tape is indeed capable of doing so)

          (iii) can be used to store, copy, move, or access data, and – (Tape is indeed capable of doing so)

          (iv) are directly connected for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a Protected Cyber Asset. – (SERC assumes the Entity is rotating the tapes on a weekly basis.)

          As Removable Media, the physical tape cartridges are subject to the CIP protections listed in Section 3 of Attachment 1 in CIP-010-2. Assuming the tapes are being used to store backups of BES Cyber Assets (or associated EACMS or PACS), the BES Cyber Systems Information protections of CIP-011-2 also apply. Based on the facts presented, the registered entity’s Information Protection Program (IPP) shall explain how registered entity secures the information during storage, transit, and use. Specifically, if the physical tape leaves the Physical Security Perimeter, the IPP must detail how the physical tape is protected against unauthorized access, misuse, corruption, and how the registered entity protects confidentiality of the BES Cyber System Information.
        • A:June 5, 2019
          When developing a baseline for a BCA that is running Windows 7, what is the “OS” for that BCA; and what is the “version” of that OS for that BCA?  CIP-010-2 R1.1.1 specifically requires the OS to be listed and its “version”.

          When documenting baseline configuration of the asset, it is important to document unique configuration attributes of the asset.

          As an example, for windows 7, “OS” can be listed as – “Windows 7 Professional” or “Windows 7 Enterprise”. “Version” of the OS, depending on the service pack level, can be listed as “Windows 7 - 6.1.7600” or “Windows 7 SP1 - 6.1.7601”.

        • A:

          Updated December 28, 2019
          CIP-010-2 R1.3:  When does the 30 days start for CIP-010 R1.3? Is it when a change request (what starts the change) is closed, the day changes are complete on a BES Cyber System as a whole, or when a change is complete on an individual BES Cyber Asset of a BES Cyber System?

          According to the Applicable Systems section, this requirement applies to the BES Cyber Systems and their associated EACMS, PACS, and/or PCS.  If the registered entity has made a change to a BCA in that system, then the registered entity has essentially changed part of the BCS.  Therefore, the 30 days start after the change is completed on each BCA.  Please reference page 33 of the Guidelines and Technical Basis for CIP-010-2, Requirement 1, paragraph 1.

        • A:July 24, 2017
          Does CIP-010-2 R1.5 allow for testing of only the cyber security controls that could be impacted by the change? Reference NERC’s October 2015 FAQ.

          The Requirements (both CIP-010-2 R1.4 and R1.5) do permit the Responsible Entity to identify the “required” cyber security controls that may be impacted. CIP-010-2 R1.5.1, while not as specific in the language as CIP-010-2 R1.4.1, does say “. . . to ensure that required cyber security controls in CIP-005 and CIP-007 are not adversely affected . . .” The referenced FAQ also supports this position, However, the determination of what constitutes “required” is open to interpretation; and could result in differing opinions between entities and audit staff. Therefore, in order to avoid potential oversights that would lead to potential noncompliance and increased risk to entity operations and the BPS, it is strongly recommended that all cyber security controls in CIP-005 and CIP-007 be tested under CIP-010-2 R1.5.

        • A:Updated January 10, 2020

          Our understanding is that, if a stand-alone commercially available or open-source executable program (e.g., the SSH client "PuTTY" or the third-party text editor “Notepad ++”) is copied onto the hard disk of an asset, then it has been “installed” on the asset. Because these types of programs do not go through the Windows installer, they do not show up in the Windows registry or list of installed software.

          1. When performing a 35-day baseline review of installed software, is it expected that every folder on every asset is searched for executables to compare to the baseline?
          2. Or, is it acceptable to define a folder where such software is to be placed according to a procedure, then search that folder for the review?
          3. Or, is there another recommended practice?
          4. How should stand-alone commercially available or open-source executable programs that reside on removable media that gets inserted into a BCA be handled? (i.e., Which CIP-010-2 and CIP-007-6 requirements apply to the programs on removable media?) Note, this question is not referring to cases where the program is to be copied onto the asset (“installed”) but rather used temporarily directly from the removable media.

           

          1. A registered entity must monitor the baseline of installed software for unauthorized changes at least once every 35 days. The registered entity must first properly identify and document software that makes up each baseline. Typically, most executables are put in place by the operating system or other installed software without individual approval of each executable. As such, these individual executable files are part of the software documented in the baseline and do not require additional documentation on the baseline configuration. For this reason, SERC expects the registered entity to develop its baseline and monitor for changes as required. Depending on system configuration, it may require in depth system analysis as part of CIP-010-2 R2.1 compliance efforts.
          2. A procedure mandating the use of a single specific folder for intentionally added standalone executables, including monitoring that folder’s contents for changes every 35 days, would not be an acceptable practice for detecting changes to standalone executables. However, the registered entity could deploy internal controls to support the monitoring requirement and ensuring only executables are added to the identified directory. In addition, the registered entity must maintain evidence to demonstrate that the controls are operating sufficiently.
          3. We have no additional specific recommendations other than clarification provided above.
          4. Programs residing on removable media are not “installed on” the Cyber Asset; and thus, are not required to be documented as part of any baseline. However, as a good security practice, SERC recommends specifically authorizing use of such programs, whether documented in the baseline configuration or elsewhere.
        • A:10/16/2015
          How should the registered entities consider SERC’s PEI process in their CIP-011 Information Protection Program?
          The registered entity should ensure its own internal processes are followed for labelling sensitive information before providing it as evidence to SERC.  We recognize that the individual entities’ data handling procedures will not always mirror those required by the SERC PEI transfer process.  In these cases, SERC will not penalize the entity for failure to follow their own data protection policy if the entity follows the data transfer processes established by SERC.  We also will not expect the entity to track SERC’s retention and eventual destruction of entity data.
        • A:July 17, 2019
          The FAQ response around CIP-013 Supply Chain Risk Management (June 14, 2019 - July SERC Transmission newsletter) states that risk assessments of vendors that provided equipment or services prior to the effective date of July 1, 2020 are not required.

          Question: If you procured hardware and/or software from a vendor prior to July 1, 2020 and install it into the CIP environment after July 1, 2020, does the vendor that provided the hardware or software need to have a risk assessment completed prior to installing the hardware or software in the CIP environment?  For example, Entity A purchases several workstations on January 1, 2020 and stores the workstations in inventory. On August 1, 2020, Entity A takes one of the workstations purchased in January from inventory and installs that workstation in the EMS environment.

          Hardware or software that is procured prior to the effective date of July 1, 2020 would not be in scope for the purposes of CIP-013.

          “In implementing CIP-013-1, responsible entities are expected to use their Supply Chain Cyber Security Risk Management Plans in procurement processes (e.g., Request for Proposal, requests to entities negotiating on behalf of the responsible entity in the case of cooperative purchase agreements, master agreements that the responsible entity negotiates after the effective date, or direct procurements covered under the responsible entity’s plan) that begin on or after the effective date of CIP-013-1. Contract effective date, commencement date, or other activation dates specified in a contract do not determine whether the procurement action is within scope of CIP-013-1.”

        • A:June 14, 2019
          Q:  Will the Responsible Entities be expected to perform and document initial cyber security risk assessments on all its existing vendors that provide their BES Cyber System products and services prior to the compliance effective date?

          A:  No, CIP-013-1 affects only new procurements. This answer is supported by the General Considerations section of the Implementation Plan (https://www.nerc.com/pa/Stand/ CIP0131RD/Implementation_Plan_Clean_071117.pdf):

          “In implementing CIP-013-1, responsible entities are expected to use their Supply Chain Cyber Security Risk Management Plans in procurement processes (e.g., Request for Proposal, requests to entities negotiating on behalf of the responsible entity in the case of cooperative purchase agreements, master agreements that the responsible entity negotiates after the effective date (the renegotiation of contracts), or direct procurements covered under the responsible entity’s plan that begin on or after the effective date of CIP-013-1. Contract effective date, commencement date, or other activation dates specified in a contract do not determine whether the procurement action is within scope of CIP-013-1.”

          In order to determine the beginning date of a procurement, the Responsible Entity must document that date in a manner suitable for use as audit evidence. Without such documentation, audit teams will use the earliest date that provides reasonable assurance of the beginning of the procurement process.

          Q:  If initial risk assessments are expected, will performing and documenting a high-level controls risk assessment be acceptable for the 7/1/2020 effective date?

          A:   Risk assessments of vendors that provided equipment or services prior to the CIP-013-1 effective date of July 1, 2020, are not required. Any procurements for high or medium impact BES Cyber Systems equipment, software, or services begun after July 1, 2020, must be performed in accordance with the entity’s documented CIP-013-1 R1 supply chain cyber security risk management plan.

        • A:10/7/2014

          If the term "widespread" is removed from CIP-014, what criteria is NERC expecting Registered Entities to use?

          Registered Entities will be expected to apply the criteria that are issued with the release of FERC’s Final Rulemaking.  However, the Final Rule may not only remove the term “widespread” but also may include additional changes and language that further clarifies FERC’s intent; so read it very carefully.

        • A:6/15/2016

          Description of the Violation, Issue, or Trend

          NERC recently distributed a memorandum to the regions regarding the handling of CIP-014 evidence information. Per the instructions SERC will be conducting all reviews of CIP-014 while onsite at TOs and TOPs. SERC will fill out the RSAW also while onsite during the review with no pre-audit preparation by the entity. SERC will not collect from the entity or store on its PEI server any of the following:

          1. Any registered entity-provided evidence used to demonstrate compliance with CIP-014 from the Transmission Owner’s or Transmission Operator’s site

          a. An entity’s list of critical substations developed under Requirement R1

          b. Documentation of the entity’s vulnerability evaluation developed under Requirement R4

          c. Documentation of the entity’s security plan developed under Requirement R5

          2. CIP-014 Reliability Standard Audit Worksheets (RSAWs) containing entity provided evidence

          3. Any auditor notes describing the whereabouts of critical substations or any other entity-provided evidence from the Transmission Owner’s or Transmission Operator’s site.

          CIP-014 information that will be stored on the SERC PEI server for the next 7 years, along with other audit evidence, may include the following:

          1. Auditor notes that describe the ERO Enterprise’s process for conducting the audit

          2. Documents (or other evidence) reviewed during the CMEP activity and their location

          3. Reliability Standard Audit Worksheets (RSAWs) that do not contain entity provided evidence

          4. Evaluated findings

          5. Evidence in the ERO Enterprise’s possession as a result of CMEP activities performed for other Reliability Standards, such as the cybersecurity‐related Critical Infrastructure Protection Reliability Standards (CIP‐002 through CIP‐011) and Transmission Planning (TPL) Reliability Standards

        • A:7/15/2015

          Does the scope of a registered entity’s obligation to perform an initial risk assessment under CIP-014 R1 extend only to the Transmission stations and Transmission substations that it owns?  From a plain reading of the first sentence of R1, that appears to be the case:

          “Each Transmission owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1.” 

          The word “its” in R1 seems to make clear that a Transmission Owner need only include in its risk assessment those Transmission stations and Transmission substations that it owns.  This is further supported by the language in Applicability Section 4.1.1, which makes clear that the Reliability Standard applies to a “Transmission Owner that owns a Transmission station or Transmission substation that meets any of the following criteria.”  Given that CIP-014 would not apply to a Transmission Owner that did not own a Transmission station or Transmission substation, it is a fair reading that CIP-014 R1 would not require a Transmission Owner to include in its assessment Transmission stations/substations that it does not own.

           For example, if a registered entity owns transmission facilities that are located within Transmission stations/substations that are owned by neighboring utilities, does the registered entity need to include the Transmission stations/substations in its risk assessment under CIP-014 R1?  

          The Applicability section 4.1.1 of CIP- 014-1 states that the standard applies to a “Transmission Owner that owns a Transmission Station or Transmission substation that meets any of the following criteria: . . .” and this concept is further reinforced by the language in R1 as noted.

          However, ultimate compliance responsibility could be impacted by existing mutual agreements, Coordinated Functional Registration (CFR) agreements, Joint Registration Organization (JRO) agreements, delegation agreements, memorandums of understanding (MOU), or contractual arrangements. Where none exist or where none specifically address compliance responsibility, it is highly recommended that registered entities include language in a formal agreement to clearly address compliance responsibility to avoid any confusion or misunderstanding between the two registered entities who share an impacted site.

          See NERC Compliance Public Bulletin #2010-004

        • A:

          6/25/2014
          I am a contractor following the development of CIP-014 Standard. We’re reaching out to each of the NERC Regions to determine what qualifications, if any, that the RE may have for Requirement 2 of the Standard which specifies an independent third party verification of the risk assessment (R1).  Does SERC have a formal or informal process regarding approved third parties? We have also developed a study methodology to perform the risk assessment based on our industry experience with performing impact analysis that we’d like to receive feedback/opinions on.

          SERC conducts a number of outreach and training activities to keep Registered Entities apprised of new and revised NERC Reliability Standards. SERC does not, however, instruct Registered Entities on how to be compliant. SERC also does not review or give feedback on methodologies or processes to consulting firms concerning Reliability Standards.  Participation in SERC outreach events is open to employees and representatives of organizations listed on the NERC Compliance Registry within the SERC Region.

        • A:October 18, 2016
          CIP-014:  If an entity makes changes to its physical security plan, including changes to any mitigating activities included within the plan, should the entity conduct another third party review?
          Based on the Guidelines and technical basis (page 32 of 36), the requirement was designed for a third party to review and evaluate/develop the security plan. If an entity changes the plan from what was initially reviewed, SERC would expect a third party to perform an evaluation. Reference the Rationale for Requirement 6, which also references the FERC directive requiring reviews by an entity other than the owner or operator.
        • A:June 21, 2019
          Is a responsible entity required to be perform COM-001 R9 testing of the designated Alternative Interpersonal Communication capability at all facilities where the capability exists (e.g., primary and backup Control Center locations)? OR, is monthly testing at one of the facilities sufficient for compliance?

           

          Yes, if the designated Alternative Interpersonal Communication is unique to the backup Control Center and the only medium utilized at the backup Control Center, it would be required to be tested in accordance with Requirement R9.

        • A:June 21, 2019
          COM-001 R2, R4, and R6 state that each responsible entity must designate an Alternative Interpersonal Communication capability with each of the listed entities. It does not state for what purpose (e.g., for the exchange of information necessary for the Reliable Operation of the BES) or for which facilities/personnel (e.g., between Control Centers within the same functional entity, and/or between a Control Center and field personnel). Is R12 considered a scoping requirement for Alternative Interpersonal Communication capability in R2, R4, and R6?  

          Yes, an Alternative Interpersonal Communication is any medium that is able to serve as a substitute for, and does not utilize the same infrastructure (medium) as the Interpersonal Communication.

        • A:12/1/2015
          For COM-001-2, are cell phones and landlines considered separate infrastructures?

          Yes. 

          In addition, do you have to have a coordinated test with your neighbor; or can you test your own equipment?

          No, a documented test call for each is sufficient evidence of testing.

        • A:8/17/2016
          Does losing the ability to place outgoing long distance calls constitute a "failure" of Interpersonal Communication capability within the meaning of COM-001-2 R10 when all other means of Interpersonal Communication capability (such as receiving internal and external local calls, receiving long distance calls, and placing internal and external local calls), as well as all Alternate Interpersonal Communications capabilities, remain?

          As long as non-suffering entities are able to contact the suffering entity via the Primary Interpersonal Communication capability, there is no failure.

        • A:April 3, 2019

          Per the Standards for COM-001 and COM-002, the retention period for written documentation is the most recent twelve calendar months and voice recordings for the most recent 90 calendar days unless directed by the CEA to retain specific evidence for a longer period of time as part of an investigation.

          Does SERC have a retention period for written documentation and call recordings that will require an entity to keep evidence longer than what is specified in the Standard?

          Response:
          NERC Standard COM-001-3 require the applicable entity to retain written documentation for the most recent twelve calendar months and voice recordings for the most recent 90 calendar days. NERC Standard COM-002-4 requires the applicable entity to retain data or evidence for each applicable Requirement for the current calendar year and one previous calendar year, with the exception of voice recordings which shall be retained for a minimum of 90 calendar days.

          SERC is obligated to request the data and evidence based on the retention periods that are stated in the NERC Standards and Requirements. SERC may request the applicable entity to retain specific evidence for a longer period of time as part of an investigation.

        • A:October 10, 2018
          How long should primary communication be down before notifying proper entities?

          NERC Glossary defines Interpersonal Communication as any medium that allows two or more individuals to interact, consult, or exchange information.

          According to R10, each Reliability Coordinator, Transmission Operator, and Balancing Authority shall notify entities as identified in Requirements R1, R3, and R5, respectively within 60 minutes of the detection of a failure of its Interpersonal Communication capability that lasts 30 minutes or longer.  Does that apply for GOP and DP as well?

          As stated in COM-001-3 R10, each RC, TOP, and BA shall notify entities as identified in COM-001-3 R1, R3, and R5, respectively within 60 minutes of the detection of a failure of its Interpersonal Communication capability that lasts 30 minutes or longer.

          COM-001-3 R11 requires that each DP and GOP that detects a failure of its Interpersonal Communication capability shall consult each entity affected by the failure, as identified in Requirement R7 for a DP or Requirement R8 for a GOP, to determine a mutually agreeable action for the restoration of its Interpersonal Communication capability. COM-001-3 R11 does not specify a time requirement.

        • A:August 28, 2017
          Please provide clarity. On reviewing the new COM-001-3 R12, I am trying to determine the applicability to my facility.  We are a GO/GOP at a single facility with a single control room that operates four gas turbines as peaking units. Is our operating staff considered to be field personnel per Requirement 12?  Our normal process is to perform our operating functions from the control room such as opening and closing breakers; but we are capable of sending operators to the field to manually operate the breaker, if there is a need. So, does that make them field personnel per the standard?  We are not a Control Center, but I am not sure if that makes a difference in how we should determine if we have field personnel per the standard.

           

          R12. Each Reliability Coordinator, Transmission Operator, Generator Operator, and Balancing Authority shall have internal Interpersonal Communication capabilities for the exchange of information necessary for the Reliable Operation of the BES. This includes communication capabilities between Control Centers within the same functional entity, and/or between a Control Center and field personnel.

          Internal interpersonal Communication capabilities are not required for field personnel of a GOP at a single facility with a single control room.

          NERC definition of Control Center: One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more locations.

        • A:October 18, 2016
          COM-002-4: Can an entity categorize operating instructions into non-emergency and emergency operating instructions?

          During a declared state of emergency, are all operating instructions considered an emergency operating instruction or just the ones related to the emergency?

          Will non-emergency operating instructions be treated differently than emergency operating instruction during an audit / require higher level of documentation?

          What is SERC / NERC doing to ensure consistency across the regions in what is considered an emergency? What guidance have they given the different regions’ auditors for how to apply this standard?

          Although not explicitly defined, Emergency Operating Instruction (OI) is a combination of two NERC defined terms. Only OIs related to an Emergency are considered an Emergency OI. From an audit perspective, an Emergency OI and an OI will be treated the same. The VRF for an Emergency OI increases. Emergency is a NERC defined term.

        • A:March 1, 2016
          Regarding COM-002-4, R3: To clarify, is R3 mandating that all field personnel (switchman, technicians, union employees, contractors) are required to take the three-part communication training?  This would include administering, documenting, tracking, etc.  Our field personnel that would normally carry-out the actual Operating Instruction in a switchyard or sub-station, if it has to be done manually, are often union employees, and sometimes contractors, that are not employed by our company. This would be a rather arduous task and something we have not done in the past. We already use three-part communication; and currently, when a dispatcher is giving a field person an Operating Instruction, we require that the person in the field repeat back the instruction. As of July 1, 2016, must we have a complete training and tracking program in place for the field personnel mentioned above?

          Operating personnel who can receive an oral two-party, person-to-person Operating Instruction must receive initial training prior to receiving an Operating Instruction (no retraining requirement).  If the personnel have been previously trained to use three-part communications that matches the COM-002-4 protocol, this training would meet the requirement and would have to be sufficiently documented. 

        • A:12/10/2015
          Under COM-002-4 R4 each RC, BA, and TOP is required to annually assess each of their personnel that issue operating instructions for adherence to their communication Protocol developed under R1. The Communication Protocol completion and operating personnel training on the Communication Protocol is required on or before June 30, 2016.

          Q: When does the initial assessment under R4 have to be performed?

          • July 1, 2016
          • December 31, 2016
          • July 1, 2017
          • Other, please explain

          The protocol should be in place by July 1, 2016. All operators that issue or receive Operating Instructions (OI) should be trained before issuing or receiving an OI. Operators that are trained on the COM-002-4 protocol prior to implementation meet the requirements of R2 and R3.

          The assessment should be completed by July 16, 2017 and within every 12 months thereafter. The assessment is not specifically an individual assessment, and the assessment methodology is left to the registered entity. One approach might be to assess each outage for adherence. Although somewhat burdensome, this approach would likely catch all operators at different times of the day. Another approach could be to document a specific time frame such as “x number of minutes per week during peak hours will be reviewed.” This approach would, most likely, catch each operator. It would also allow for the development of statistical data. That documentation would point out the percentage of adherence so that training could be brought in when irregularities are detected (perhaps an operator was determined to be using the protocols only 85% of the time). In the case where an operator did not issue or receive an OI or the sampling did not include an operator, simulation/training could be used and documented for an assessment of that individual.

        • A:12/1/2015
          There was a general discussion around applicability of COM-002-4 R6 to the GOP/DP functions and the acceptable evidence to demonstrate compliance to the requirement.

          COM- 002-4
          Purpose:
          To improve communications for the issuance of Operating Instructions with predefined communications protocols to reduce the possibility of miscommunication that could lead to action or inaction harmful to the reliability of the Bulk Electric System (BES).

          R6.     Each Balancing Authority, Distribution Provider, Generator Operator, and Transmission Operator that receives an oral two-party, person-to-person Operating Instruction during an Emergency, excluding written or oral single-party to multiple-party burst Operating Instructions, shall either: [Violation Risk Factor: High][Time Horizon: Real-time Operations]

          • Repeat, not necessarily verbatim, the Operating Instruction and receive confirmation from the issuer that the response was correct, or
          • Request that the issuer reissue the Operating Instruction.

          M6.   Each Balancing Authority, Distribution Provider, Generator Operator, and Transmission Operator that was the recipient of an oral two-party, person-to-person Operating Instruction during an Emergency, excluding oral single-party to multiple-party burst Operating Instructions, shall have evidence to show that the recipient either repeated, not necessarily verbatim, the Operating Instruction and received confirmation from the issuer that the response was correct, or requested that the issuer reissue the Operating Instruction in fulfillment of Requirement R6. Such evidence may include, but is not limited to, dated and time-stamped voice recordings (if the entity has such recordings), dated operator logs, an attestation from the issuer of the Operating Instruction, memos or transcripts.

          Time

          Horizon

          VRF

          Violation Severity Levels

          Lower VSL

          Moderate VSL

          High VSL

          Severe VSL

          Real Time Operations

          High

           

          The responsible entity did not repeat, not necessarily verbatim, the Operating Instruction during an Emergency and receive confirmation from the issuer that the response was correct, or request that the issuer reissue the Operating Instruction when receiving an Operating Instruction.

           

          The responsible entity did not repeat, not necessarily verbatim, the Operating Instruction during an Emergency and receive confirmation from the issuer that the response was correct, or request that the issuer reissue the Operating Instruction when receiving an Operating Instruction

          AND

          Instability, uncontrolled separation, or cascading failures occurred as a result.

           

          As written, R6 is only applicable to the DP/GOP in cases of an Emergency Operating Instruction. As illustrated during the 2015 Fall Compliance Seminar, however, a routine Operating Instruction may become an Emergency Operating Instruction while executing the Operating Instruction. So in this case, the lack of using the protocol when receiving the Operating Instruction has become a violation of R6 with a Severe VSL.  Most shops use three-part communications and may or may not be a requirement of a local procedure.  Using 3-part communications in any instance of receiving an Operating Instruction just makes good business sense, and is demonstrative of a Culture of Compliance.

          From the RSAW
          Evidence Requested:
          Dated operator logs, voice recordings, memos, or transcripts, or other evidence (per M6) describing the registered entity’s response to Operating Instructions received during an Emergency selected by the auditor.

          Auditors will look for several things in regards to this Standard for the DP/GOP. First will be that DP/GOP personnel have been trained as prescribed in R3, demonstrated by attendance records, training materials, agendas, etc. Second will be that DP/GOP personnel have used the established communication protocol when receiving an Emergency Operating Instruction. This can be demonstrated with date/time stamped voice recordings or transcripts thereof, dated operator logs, an attestation from the issuer of the Operating Instruction, voice recordings (if the entity has such recordings, memos transcripts, etc.).  In that the issuer is required to assess their protocol, it is likely that a recording of the Operating instruction already exists. This requirement does not require the DP/GOP to install any recording equipment.

        • A:Updated:  1/1/2019

          This is regarding EOP-004 reporting and suspicious activity.  Does SERC have any guidance as to what constitutes suspicious activity, or is the recommendation to let the Registered Entity specify what is reportable?

          The Registered Entity determines what is reportable as suspicious activity.  SERC Regional Criteria for Event Reporting is an applicable document, but it provides no specific recommendations.

        • A:10/30/2013

          Re: EOP-004, in the event that a standard is applicable to multiple functional entities, is a separate report required on behalf of each RE for the same event?

          No. From Page 13 of the standard . . ."Multiple Reports for a Single Organization

          For Registered Entities that have multiple registrations, the Disturbance and Sabotage Reporting Standard Drafting Team intends that these Registered Entities will only have to submit one report for any individual event. For example, if a Registered Entity is registered as a Reliability Coordinator, Balancing Authority and Transmission Operator, the Registered Entity would only submit one report for a particular event rather submitting three reports as each function.

        • A:October 17, 2017
          EOP-004-3 R2 states:
          Each Responsible Entity shall report events per their Operating Plan within 24 hours of recognition of meeting an event type threshold for reporting or by the end of the next business day if the event occurs on a weekend (which is recognized to be 4 PM local time on Friday to 8 AM Monday local time).

          EOP-004-3 Attachment 1 defines Transmission loss as:
          Unexpected loss within its area, contrary to design, of three or more BES Elements caused by a common disturbance (excluding successful automatic reclosing).

          PRC-004-5(i) R3 states:
          Each Transmission Owner, Generator Owner, and Distribution Provider that receives notification, pursuant to Requirement R2 shall, within the later of 60 calendar days of notification or 120 calendar days of the BES interrupting device(s) operation, identify whether its Protection System component(s) caused a Misoperation.

          If a Responsible Entity experiences an unexpected loss within its area of three or more BES Elements caused by a common disturbance and then identifies a Misoperation (contrary to design) during the 120 day or 60 day period allowed in PRC-004 R3 was involved in the unexpected loss, must they report the event within 24 hours of recognition of meeting an event type threshold for reporting or by the end of the next business day if the event occurs on a weekend per EOP-004-3 R2?

          EOP 004-R2 specifies providing an event report within 24 hours of recognition of meeting an event type threshold for reporting, but leaves open how long after the unexpected loss Responsible Entities can be required to recognize an event type meeting the threshold for reporting.  Does the time period for the Responsible Entity to recognize that an event meets the event type threshold for reporting end within 24 hours of the unexpected loss, extend to forever, or can the Responsible Entity define the time period within their Operating Plan?

          It is important to submit an EOP-004 report in situations of uncertainty to provide information to make people/agencies aware of the current situation so that they may prepare to mitigate current and future events. 

          If recognition of an event occurs where more than three BES elements are lost and there is no Protection System designed to remove the elements in question, an EOP-004 Event Reporting Form must be submitted within 24 hours or by the end of the next business day if the event occurs on a weekend.  If it is unclear if a Protection System misoperated, then a NERC Disturbance Report Form should be submitted. Once a final determination is made, an updated EOP-004 Event Reporting Form and/or misoperation report should be submitted.  There is not a defined time period that would prohibit submitting a NERC Disturbance Report Form.  Once recognition of an event occurs (e.g., days, months, etc. after the event), the Form must be submitted.

        • A:January 4, 2017
          If a TOP experiences a complete loss of monitoring capability affecting their BES control center for 30 minutes or more, would their RC and BA, assuming each entity is a separate corporate entity, be required to submit a report for this event too, even if their monitoring capability was not affected?

          If the RC or BA did not experience the loss of monitoring capability affecting the BES control center (and there are no contractual obligations (example: JRO or CFR)) for more than 30 minutes, they would have no reporting obligation. The only registered entity obligated to file a report would be the affected entity. In this particular case, if the RC or BA is depended on information that is delivered by the failed monitoring system, they would have a reporting obligation. Upon notification the RC would be obligated to post the event on RCIS.

        • A:3/18/2014

          Is the “review only” approach acceptable for small Distribution Providers for EOP-004-2 R1 and R3?

          Distribution Providers (DPs) that do not meet the “Threshold for Reporting” for any event listed in Attachment 1 will not have any reports to submit under Requirement R2. However, these DPs will be responsible for meeting Requirements R1 and R3. These DPs may have a very simple Operating Plan that includes a statement that there are no applicable events in Attachment 1 (to meet R1) and that the DP will review the list of events in Attachment 1 each year (to meet R3).

        • A:May 10, 2018 

          The threshold for reporting loss of load for my company is 200 MW. If my power provider has an outage that causes my company to lose 200 MW or more, am I required to report the event?

          Reporting this type of load loss event should be coordinated with impacted registered functions/entities. Multiple entities are not required to submit forms for the same event. It is important that one of the affected entities reports the event. It is important to note that, if the upstream provider does not meet its reporting threshold and does not complete OE-417 or EOP-004-3 Attachment 2 form, then Fayetteville may not be compliant should it not submit a report. SERC recommends that entities error on the side of caution and coordinate with the upstream provider to determine if the provider is submitting a form (and it includes Fayetteville load). If the provider is not submitting a report, then Fayetteville must submit an OE-417 or EOP-004-3 Attachment 2 report.

        • A:November 12, 2018
          SERC’s Lesson Learned for NERC CAN-010 states that requirements which require activities to be performed once during a calendar year should conduct the activity at least once per calendar year regardless of a defined grace period.  

          NERC Standard EOP-004-3 Requirement 3 requires Responsible Entities to validate contact information contained within the Operating Plan each calendar year. The date of enforcement for EOP-004-4 is April 1, 2019, and does not contain a Requirement to validate contact information each calendar year.

          Is the Responsible Entity under EOP-004-3 required to validate contact information prior to the April 1, 2019 effective date of EOP-004-4?

          Can a Responsible Entity, which has not performed a validation of contact information by April 1, 2019, state they did not perform the 2019 validation since the NERC Standard Version is no longer effective?

          Response:
          Because requirement R3 has been eliminated from EOP-004-4, an entity will no longer need to validate contact information contained within the Operating Plan each calendar year for the calendar year 2019 and beyond.
        • A:August 23, 2018
          I am attempting to obtain a definition of the word “recognition” in EOP-004-3 R2.  Therefore, could you point me to the person or people who could provide the definition of recognition?

          Recognition is not defined by the NERC glossary of terms. 

          Among other definitions, recognition can be defined as an acknowledgment of something's existence, validity, or legality.

          With reference to EOP-004-3 R2, when the reporting threshold is acknowledged (recognized), the reporting clock starts. The recognition could be made by a real-time operator or a member of the support staff. Either type of acknowledgement is valid and constitutes recognition of an event.

        • A:2/27/2013

          EOP-005 R2 requires Registered Entities to have restoration plan that identifies black start facilities and cranking path, etc.  How does this apply to Registered Entities with no black start capabilities that will not be restored from black start units and restored later in the plan, after frequency and voltage becomes stable?

          If a Registered Entity has no black start units or Cranking Paths, there won't be any identified in the plan. However, the Registered Entity must still have a restoration plan, which should document that there are no black start units or Cranking Paths.

        • A:8/21/2014

          In the ‘Applicability’ section of NERC Reliability Standard EOP-005-2 (System Restoration from Blackstart Resources), section 4.1 lists Transmission Operators (TOP). Does the EOP-005-2 apply to all TOPs or only to TOPs that have Blackstart Resources within their footprint?

          Applicability section 4.1 is applicable to all Transmission Operators (TOP’s).

          According to Requirement 1 which states:

          R1 - Each Transmission Operator shall have a restoration plan approved by its Reliability Coordinator. The restoration plan shall allow for restoring the Transmission Operator’s System following a Disturbance in which one or more areas of the Bulk Electric System (BES) shuts down and the use of Blackstart Resources is required to restore the shutdown area to service, to a state whereby the choice of the next Load to be restored is not driven by the need to control frequency or voltage regardless of whether the Blackstart Resource is located within the Transmission Operator’s System. The restoration plan shall include: R1.1-R1.9.

          Each TOP should have a restoration plan approved by its Reliability Coordinator (RC). If a TOP does not have a Blackstart Resource in their area, the plan should show cranking paths and initial switching requirements between the affected TOP and an adjacent TOP that has a Blackstart Resource for the affected TOP to restore their systems and reestablish connection with other TOP’s.

          Any changes that affect an established restoration plan will require the TOP to update the restoration plan and submit to their Reliability Coordinator (RC) within 90 days for approval, per Requirement 4.1.

        • A:2/27/2013

          System Operators normally pick up no more than 5% of the current system load at a time to avoid large frequency swings and the tripping of units that are online.  Would this need to be verified through steady state and dynamic simulation?

          Picking up no more than 5% of current system load is common practice and a good way to control voltage and frequency, but it is not part of this Requirement’s criteria. However, choosing to verify this through simulations is fine.

        • A:2/27/2013

          What Requirements do companies plan on applying dynamic simulations?  Will it only be R6.1 or all of them?

          Dynamic simulation is one of the methods of verification of the plan. It can be applied to all of the sub-requirements.  It's up to the company.  (Also see other responses to these requirements.)

        • A:2/27/2013

          Simulations performed in the EMS have difficulties energizing long transmission lines and starting some units due to the way these elements are modeled in the simulation.   Also, TOP restoration plans most of the time specify for the dispatch of field personnel to black start sites, to substations to open breakers, and to report station status.  The TOP can only estimate this time, so what basis does this need to have in the simulation?

          It is fine to estimate these things as best and realistically as possible. 

        • A:2/27/2013

          It seems the intent of Transmission Operator (TOP) restoration plans would include black start, off-site power to nuclear plants and control centers, provide offsite power to CT and coal plants, picking up critical customer loads, synchronize internal islands, and synchronize with the Interconnection.  Do all these elements need to be simulated to achieve compliance with R6?  What does a dynamic simulation need to consist of?  Would this be a dynamic stability analysis, scripted PSSE power flow solution, or a combination or several analyses?  To what extent do the steady state and dynamic simulations need to show the TOP restoration plans’ intended function?  Would taking the simulation to the point where off-site power is restored to nuclear plant switchyards and those unit auxiliary loads energized be sufficient, without taking the simulation to the point of the units actually being started?  Do other fossil units in the TOP restoration plan need to show their auxiliary loads modeled and unit started in order to show the ability to energize lines, pick up load, and be able to control frequency and voltage within a tolerance?

          Verify through at least one of the three analysis tools in the Requirement, that the restoration plan accomplishes its intention.   Any analysis used to support satisfaction that the plan works as intended is acceptable as long as it satisfies the Requirement and all sub-Requirements.   Taking the simulation to the point where off-site power is restored to the nuclear plant is fine.  However, to satisfy R6.3, other generating resources will have to be online to control voltage and frequency within acceptable operating limits.  Each restoration plan is obviously different. Take the verification of the restoration plan as far along as needed to establish that the plan accomplishes its intent and satisfies the Requirement and sub-requirements.

        • A:2/27/2013

          Many TOP restoration plans include multiple islands, with options, and paths to pursue since it is unknown where the restoration will begin due to damage from a storm, sabotage, etc.  For instance, several best option starting points are detailed in the restoration plan; and are outlined step-by-step to the point where off-site power to nuclear plants is restored.  Then the plan goes into more generic guidance to energize the 115 kV, 230 kV, and 500 kV systems in loops to establish stability and pick up load; and then eventually, gets to guidance on synchronizing islands and tying with neighbors.  How many different islands or options must be simulated?  Does the simulation need to include all possible black start sites?  If a TOP restoration plan has multiple black start units with multiple possibilities of places to start from and end up, is it ok to exercise just one of these options or do all possibilities need to be exercised in the simulation? 

          Each system is different.  Larger TOP's have a bigger footprint; and therefore, more options. It is up to the TOP as to how many islands, options, black start units, and simulations are needed to verify that the plan will accomplish its intended function. You have a vested interest in having a successful plan that sufficiently meets your needs. Your documentation should reasonably tell the story of compliance that your restoration plan will work when needed.

        • A:2/24/2015

          EOP-005-2 R9 requires each TOP to have “Blackstart Resource testing requirements to verify that each Blackstart Resource is capable of meeting the requirements of [the entity’s] restoration plan,” and R9.1 indicates that the  registered entity’s testing requirements must ensure that, at a minimum, “each Blackstart Resource is tested at least once every three calendar years.” EOP-005-2 R16 then states that GOPs with Blackstart Resources shall perform Blackstart Resource tests “in accordance with the testing requirements set by the TOP to verify that the Blackstart Resources can perform as specified in the restoration plan.”

          QUESTION: If an entity’s restoration plan includes testing requirements that provide for testing of each Blackstart Resource more frequently than once every three calendars years, will the entity be audited to the testing timeline specifications in its restoration plan or to the “at least once every three calendar years” language found in the standard at EOP-005-2 R9.1?

          The short answer is that SERC audits against the criteria established in the Reliability Standards. In this case, the criterion is a minimum of three years.

          The longer answer is:

          Some Reliability Standards require the registered entity to establish a program or plan that includes certain elements. For example, consider FAC-003-3 R7 that requires the registered entity to perform 100% of its annual work plan. In this example, the content of the work plan is flexible; but the entity will be audited against whatever it has established in its work plan. In PRC-005-1 R1, the registered entity is required to establish a maintenance and testing program that specifies maintenance and testing intervals; and registered entities are audited against whatever it justified as its interval.

          Other Reliability Standards (or Requirements within the same Reliability Standard) establish a criterion as a threshold for compliance. Where such a criterion exists, it establishes the threshold for compliance; and the entity will be audited against the Requirement. Examples include PRC-023 R1 that sets a minimum relay trip set-point.  Registered entities may exceed that set-point without being noncompliant.  FAC-003-3 requires that 100% of applicable transmission lines receive a vegetation inspection annually.  If a registered entity establishes a more aggressive schedule for inspections in their program, it will not be found noncompliant unless it does not meet the requirement of at least once annually.

          In general, the Reliability Standards establish a minimal expectation for compliance and registered entities will often prefer to exceed those expectations.  An internal control (such as a program, process, or procedure) that exceeds the criteria established in the Requirements is encouraged as a measure to enhance, maintain, or restore reliability; but does not establish the minimal required performance when the criterion is stated in the Requirements.

        • A:2/27/2013

          EOP-005-2 R11 states, “Each Transmission Operator, each applicable Transmission Owner, and each applicable Distribution Provider shall provide a minimum of two hours of System restoration training every two calendar years to their field switching personnel identified as performing unique tasks associated with the Transmission Operator’s restoration plan that are outside of their normal tasks.”   What does SERC define as unique tasks?  Please provide examples of these tasks.  How are other companies defining unique tasks?   What are the tasks identified; and what training is being, or will be, conducted?

          "Unique tasks" is actually defined in the Requirement as tasks "that are outside of their normal tasks." Examples could be a substation test engineer whose normal duties are to test relays or EMS remote work, who are called to do transmission line switching. Another example is a Distribution employee called to do transmission substation or line switching.

          SERC is not aware of how other companies define "unique tasks".  Tasks identified and the particular training needed would be up to the registered entity and its needs for successful training.

        • A:12/1/2015
          Each Transmission Operator, each applicable Transmission Owner, and each applicable Distribution Provider shall provide a minimum of two hours of System restoration training every two calendar years to their field switching personnel identified as performing unique tasks associated with the Transmission Operator’s restoration plan that are outside of their normal tasks.

          The RSAW for EOP-005-2 R11 states: 
          Note to Auditor: Evidence may include, but is not limited to, a copy of training records/materials with training dates, topic, attendees and duration. Initially, entities will have two years from July 1, 2013 to execute this training.

          Registered entities may have interpreted this to be “two calendar years” as stated in the requirement, which would make the “initial” training completion date to be December 31, 2015.

          Question:  When is the “initial” training for applicable Distribution Provider field switching personnel to be completed, by July 1, 2015 or by December 31, 2015?

          July 1, 2015, as per the implementation plan.
        • A:2/27/2013

          If the training is self-paced and some people take less than two hours to complete, are you out of compliance?  Self-paced training is written such that the average student will take “X” amount of time. This means some take longer, and some take less time. If it is formal classroom training and some instructors can cover the required material in less than two hours, are you out of compliance?  The measurability of R17 should rest on the training content that it is given within the required two year period.

          Provided the self-paced course has been piloted and documented to be a “two-hour program”, and provided the individual successfully completes all the requirements of the two-hour program, the Registered Entity would be in compliance, no matter how long it takes the person to actually complete the training.  This applies to self-paced training only.  For instructor-led classes, the individual must have the full two contact hours every two years.  It is expected that the two hours will address not only the restoration-related tasks but also an overview of restoration principles and practices.

        • A:2/27/2013

          Can SERC provide some clarification on what they would want to see for criteria for sharing information regarding restoration with neighboring RCs and with TOPs and BAs within its RC Area? Some examples would be helpful.

          What R1.7 is asking is what the RC is sharing, and how are you sharing or communicating this to your neighboring RC, and TOPs and GOPs in its RC Area. Show evidence of what you have shared and that the sharing has been/is being done to prove compliance.

        • A:9/30/2014

          This is relative to EOP-006-2 R2 and R3 that state:
          R2. The Reliability Coordinator shall distribute its most recent Reliability Coordinator Area restoration plan to each of its Transmission Operators and neighboring Reliability Coordinators within 30 calendar days of creation or revision.

          R3. Each Reliability Coordinator shall review its restoration plan within 13 calendar months of the last review.

          Is a review of the restoration plan that has no changes but is documented in the Revision History of the plan, such as going from Version 1 to 1a, considered a revision that has to be distributed to its TOPs and neighboring RCs within 30 calendar days?

          Yes, the TOPs and RC need to know that the plan was reviewed and that there were no changes.

        • A:September 13, 2016

          Description of the Violation, Issue, or Trend
          Entity that is required to maintain control center functionality and communications capability as a Reliability Coordinator and Balancing Authority maintains IT staff position in their control center at a System Operator console on a 24x7 basis. The IT person is also certified as a System Operator and has the same access and training on all EMS and SCADA applications as the on-shift System Operators.

          Risk Considerations
          Loss of EMS, SCADA, and other application tools affect the System Operators ability to manage real-time operations. These systems are vital to the oversight provided by the Reliability Coordinator and Balancing Authority functions.

          Description of Mitigation Activity
          Staffing the control center 24x7 with an IT person that is also a System Operator allows quick response to loss of EMS, SCADA, and other applications that affect system visibility for real-time System Operators.

          Other Factors or Comments
          Staffing an IT person in the control center 24x7 is excellent.  Staffing an IT person certified as a System Operator gives that person insight and knowledge of the systems and information and how they are used to maintain the reliability of the bulk electric system.

        • A:January 12, 2018
          EOP-011-1:  Interpretation is requested. Please confirm that we may remove the procedural steps which instruct the operators to complete the EEA 3 Report when we enter into one of these events.

           

          The new EOP-011 (http://www.nerc.com/pa/Stand/Reliability%20Standards/EOP-011-1.pdf) does not reference the EEA report anywhere. 

          The old EOP-002-3.1 (http://www.nerc.com/files/EOP-002-3_1.pdf), which EOP-011 essentially replaced, referenced in Attachment 1-EOP-002.

          Section B., Step 3.6, the reporting requirement and the report was included in Section C (only the heading is included below).

          3.6 Reporting. Any time an Alert 3 is declared, the Energy Deficient Entity shall submit the report enclosed in this Attachment to its respective Reliability Coordinator within two business days of downgrading or termination of the alert. Upon receiving the report, the Reliability Coordinator shall review it for completeness and immediately forward it to the NERC staff for posting on the NERC website. The Reliability Coordinator shall present this report to the Reliability Coordinator Working Group at its next scheduled meeting.

          C. Energy Emergency Alert 3 Report

          A Deficient Balancing Authority or Load Serving Entity declaring an Energy Emergency Alert 3 must complete the following report. Upon completion of this report, it is to be sent to the Reliability Coordinator for review within two business days of the incident.

          It appears this report is no longer required. I have scoured the Standards and documents and do not find a clear statement of this fact, other than the obvious omission. Before we remove this EEA 3 Reporting step from several of our procedures, I am asking for assistance from SERC to confirm that we are no longer required to submit this report or that we are still required to submit the report per Standard and Requirement.

          According to language in EOP-011-1, EEA 3 reports are not required. SERC has confirmed the interpretation of EOP-011-1 with NERC staff.

          Both SERC and NERC Situational Awareness staff will utilize RCIS to monitor for EEA activity. SA staff may request additional information from the RCs depending on the acuteness of the event.  

           [AS1]Added additional verbiage

        • A:July 18, 2017
          If an LSE within a Balancing Authority (BA) is unable to supply or acquire energy to serve its load and would like to utilize Capacity Benefit Margin (CBM), it must request an Energy Emergency Alert (EEA) 2 per the MOD standards.  Based on this, does that imply that the BA is also requesting an EEA2; so that the LSE can utilize CBM?  I would assume in this similar scenario that only a portion of a BA is experiencing issues, and would that be applicable to EOP-011-1?

           

          The described scenario would obligate the BA to file for the EEA. Unfortunately a BA cannot subdivide the obligation of filing the proper EEA. Any BA with forecasted or actual deficient reserves or lacks the ability to serve firm native load will be obligated to file the adequate EEA level to reflect the emergency operating conditions. Unfortunately, LSE is no longer a registered function within NERC; the traditional LSE obligations must be satisfied by the BA. The BA will be filing the EEA, and will be required to follow all reporting obligations under EOP-011-1.

           

        • A:

          June 4, 2018
          FAC-001-2 R2:   States to have a Facility Interconnection Requirements document and to provide the document within 45 calendar days of an executed Agreement to conduct a study for interconnecting a Third Party Facility through an existing Generator Owner’s Facility Interconnection.

          If the Generator Owner’s policy is to not allow such connections, does a GO need to have a Facility Interconnection document? If such a policy exists, would a study even be considered? If a GO is required to have a Facility Interconnection document, can the document plainly state that third party connections to their facility is not allowed? If such a Facility Interconnection document were written, how does that comply with Requirement R4?  

          FAC-001-2 requires Transmission Owners and “applicable Generator Owners” to document and make Facility interconnection requirements available so that entities seeking to interconnect will have the necessary information. Per the standard, an “applicable Generator Owner,” is a “Generator Owner with a fully executed Agreement to conduct a study on the reliability impact of interconnecting a third party Facility to the Generator Owner’s existing Facility that is used to interconnect to the Transmission system.” Therefore, if
          the Generator Owner’s policy prevents it from entering into any such Agreements, R2 does not apply to the Generator Owner and it is not required to have a Facility Interconnection Requirements document.

        • A:September 13, 2018
          FAC-001-3:  I need your help and feedback on the following questions:
          1. According to FAC-001-3 R3.3 and R4.3, the TO and GO are responsible for having a procedure that  addresses confirming that the party interconnecting has made appropriate provisions with a BA to  operate within its metered boundaries. Since our company is not the BA, where on the SERC website  can I find published material that will provide guidance for writing a procedure for R3.3 and R4.3?
          2. If there is no written guidance, are there examples of how other entities are approaching R3.3 and R4.3?

           

          1. SERC does not have a published procedure regarding R3.3 or R4.3.  
          2. FAC-001-3 includes a Guidelines and Technical Basis section on page 9 of the standard. This section provides further details about FAC-001-3 R3.3 and R4.3. The TO and GO procedure should be written to accomplish the task of coordination and notification between the entity wishing to connect and all entities that will or could be affected by new generation, transmission, or load. A good practice would be to coordinate the procedure with the reliability entities in the area of interconnection prior to implementation. Request input from the BA, TOP, etc. to determine preferences for coordination and notification.

           

        • A:January 12, 2017

          Description of the Violation, Issue, or Trend
          Applicable Transmission Owners and Generation Owners are required to perform a Vegetation Inspection of 100 percent of all Rights-of-Way (ROW) 200 kV and above each calendar year with no more than 18 months between inspections. In addition to the inspection, these registered entities must develop and complete an annual plan for vegetation related work to ensure no encroachments occur into the transmission line Minimum Vegetation Clearance Distance (MVCD).

          Risk Considerations
          Vegetation related transmission outages pose a high risk to transmission line reliability. Entities with a large number of transmission lines above 200 kV are challenged with keeping track of inspection and maintenance on their lines.

          Description of Mitigation Activity
          Entity uses geospatial data to monitor and track vegetation inspections, maintenance, and quality assurance review. The geospatial data is updated continuously from devices carried by field personnel and displayed on a geographical transmission map. The map uses different colors on the ROW corridors to indicate the completion of inspections, maintenance, and quality assurance review.

        • A:3/18/2014

          Does SERC staff have specific expectations regarding the timeliness of ratings changes in field being reflected in planning and EMS models (particularly for downgraded ratings)?

          [REF Recommendation: Be aware of associated PRC-023 “official ratings analysis” compliance.]

          No, there is not a hard timeline for updating the affected systems.  However, a Registered Entity should have a process in place to update its tools and systems with new information when changes in the field occur. 

        • A:Updated:  1/1/2019

          In regards to GO/GOP Registered Entities, the FAC-008-3 generators’ facility ratings are never requested. They are never electrically limited but mechanically limited. Has SERC staff recommended to NERC that this standard should not apply to generating units, since the rating of the largest prime mover is never attained?

          No, this Standard applies to both transmission and generation.  Generation facility ratings are requested for audit if this Standard is identified in the audit scope.  Some generation facilities are electrically limited. MOD-025-2 also requires generation facility ratings.

        • A:6/3/2016
          Description of the Violation, Issue, or Trend
          Entities of various sizes in SERC and the other regions are finding significant instances of noncompliance with FAC-009-1 R1/FAC-008-3 R6. Some of the instances date back prior to June 18, 2007 while others occurred after that date. In some cases the noncompliance is a result of incorrect calculations and in other cases the noncompliance is a result of not identifying the most limiting element.

          Risk Considerations
          These violations typically pose a moderate risk to the bulk power system.

          Description of Mitigation Activity
          Implementation of additional internal controls and training are typically included in the mitigating activities.

          Other Factors or Comments
          Ineffective change management for Facility Ratings has been a significant contributing factor.

        • A:2/24/2015

          Under FAC-008-3, R8.2, who specifically may request this data from the TO?
          a. Which functional entities may request this data?

          As stated in FAC-008-3 R8, each TO (and GO subject to R2) shall provide requested information to RC(s), PC(s), TP(s), TO(s) and TOP(s).
          b. What does “under the requestor’s authority” mean? (i.e., Could this include adjacent entities?)

          Facilities under the requestor’s authority refers to Facilities within the RC(s), PC(s), TP(s), TO(s) or TOP(s) area of operational or planning responsibility.

          Per FAC-014-2 R5.3, it is the PC’s responsibility to provide System Operating Limits, which include facility ratings, to adjacent PCs and TPs, TSPs, TOPs, and RCs within its PC area.

        • A:

          November 11, 2019

          1.  What specifically in the standard are they looking at for Operations and Planning Coordination? Is it that Planning and Operations should be getting the same source data, or do they see a requirement for a direct TOP – PC comparison?  As I mention below one of the things the drafting team is trying to address to some extent is the lack of a direct connection between TOP SOLs and the ratings/limits used by the TP/PC. Though the focus is primarily on stability limits, voltage limits and which of the mired of possible line ratings the TP/PC uses compared to the TOP. 
          2. The presentation is focusing primarily on thermal ratings. Do they have expectations regarding voltage rating?

          Responses:

          1. The coordination between operations and planning models is used to ensure that Facility Ratings and real-time SOLs for BES Facilities are developed consistently using sound technical rationale based on a registered entity’s Facility Rating methodology and/or SOL methodology. For example, if an entity is registered as a Transmission Operator and a Planning Coordinator, then their Facility Ratings in the summer and winter planning models should be consistent with the SOLs in their EMS/State Estimator for summer and winter for the corresponding year. If there is a difference due to real-time temperature adjustment, the registered entity should be able to provide calculations to show how the temperature adjusted rating is derived from the planning model Facility Rating.
          2. Yes. If you look at the definition of Equipment Rating (the maximum and minimum voltage, current, frequency, real and reactive power flows on individual equipment under steady state, short-circuit and transient conditions, as permitted or assigned by the equipment owner), you can see that voltage is a part of the Equipment Rating. Thermal ratings are presently a topic of focus because registered entities have exhibited problems in that area. If an entity installs equipment that is not rated to withstand nominal voltage, the equipment will normally fail during normal operation or fault conditions
        • A:March 1, 2016
          INT-006-4 Requirement 1 states that, “Each Balancing Authority shall approve or deny each on-time Arranged Interchange or emergency Arranged Interchange that it receives and shall do so prior to the expiration of the time period defined in Attachment 1, Column B.”  If an entity utilizes electronic tagging for interchange requests, does an E-Tag that automatically changes to an “Expired” state demonstrate compliance with this requirement?  In this instance, the E-Tag is not actively approved or denied by the entity’s scheduling personnel, but automatically changes to an expired state at the end of the assessment period due to an automatic process built into the E-Tagging software.  This question also corresponds to R2, which is a TSP requirement. 

          Yes

        • A:October 18, 2016
          IRO-001 / TOP-001: Draft RSAW v4 asks for a list of operating instructions received during the audit period.  Is SERC expecting a complete list of all operating instructions during an audit period?  This list could be extensive.

          No, SERC will sample certain days of the audit period per NERC Sampling Methodology.

        • A:12/7/2016
          In reviewing the requirements in IRO-001-4, we have a dilemma with R2 and R3, which state the following:
          R2 Each Transmission Operator, Balancing Authority, Generator Operator, and Distribution Provider shall comply with its Reliability Coordinator’s Operating Instructions unless compliance with the Operating Instructions cannot be physically implemented or unless such actions would violate safety, equipment, regulatory, or statutory requirements.

          R3  Each Transmission Operator, Balancing Authority, Generator Operator and Distribution Provider shall inform its Reliability Coordinator of its inability to perform the Operating Instruction issued by its Reliability Coordinator in R1. 
           
          We believe that these requirements are referencing operating instructions issued during normal operations.  We are currently registered to perform the BA, TOP RC functions in SERC.  All of these functions currently work out of the same control center in very close proximity to one another (less than 10 feet apart). 
           
          My question is in regard to operating instructions issued for normal operations.  Since these functions work so closely together, most operating instructions are issued verbally with three-part communication with only operating instructions issued for emergency situations being logged. Since these functions communicate operating instructions throughout the day, every day, the sheer number of issued operating instructions would be voluminous in nature and would possibly place a significant burden on the operators to ensure that they are logged. 
           
          Based on our functional setup, what evidence would SERC be looking for to demonstrate compliance?  Would we need to have microphones/intercom system set up at every functional desk that routes back to a centralized recording to capture every operating instruction issued during normal operations by the RC to the TOP and BA; or would SERC place value on our current setup and denote that these functions work closely together in the spirit of cooperation where operating instructions for normal operations are generally issued verbally and not captured or logged.
           
          It seems as though these requirements were written for entities that participate in RTOs.  However, we would like some guidance from you as to your compliance approach based on our functional setup.
           

          Per the measures for IRO-001-4:

          R2: Registered entities are expected to provide evidence that will be used to determine that it complied with its Reliability Coordinator's Operating Instructions, unless the instruction could not be physically implemented, or such actions would have violated safety, equipment, regulatory or statutory requirements. In such cases, the Transmission Operator, Balancing Authority, Generator Operator, or Distribution Provider shall have and provide copies of the safety, equipment, regulatory, or statutory requirements as evidence for not complying with the Reliability Coordinator’s Operating Instructions. If such a situation has not occurred, the Transmission Operator, Balancing Authority, Generator Operator, or Distribution Provider may provide an attestation.

          R3: Registered entities are expected to provide evidence that will be used to determine that it informed its Reliability Coordinator of its inability to perform an Operating Instruction issued by its Reliability Coordinator in Requirement R1.

        • A:December 20, 2017
          The following questions are submitted relative to IRO-002-5 R2 and R3.
          Question: 1 (IRO-002-5 R3)
          Is the RC required to test all redundant functionality every 90 days or can the testing be spread out over a longer period?

          Reference: The Rationale for Requirement R3 page 12 of the Standard states: An entity's testing practices should, over time, examine the various failure modes of its data exchange capabilities.

          Response: It is best practice to test all redundant functionality every 90 day. IRO-002-5 R3 is specific to testing data exchange capabilities. Data exchange capabilities must be tested every 90 days.

          Question: 2 (IRO-002-5 R3)

          1. Does the test require the RC to fail over to the back-up infrastructure (e.g., required to transfer from the primary EMS to the back-up EMS, transfer from the primary firewall to the back-up firewall)?

            Response: IRO-002-5 R3 does not require failover to back-up EMS. Testing the redundancy would include a process to verify information housed in the backup data exchange servers matches the data in the production servers. The comparison process would be similar to comparing a hot standby EMS (backup EMS) with the data in the production EMS. CIP standards will need to be included to cover the testing of a firewall.

          2. Or, does providing evidence the back-up infrastructure is functional (i.e., available and on hot stand-by) meet the requirement?
            Response: A timely comparison process testing the validity of the data housed in the back-up data exchange is sufficient for demonstrating compliance. 

          Question: 3 (IRO-002-5 R2R20)
          Can redundant functionality data exchange infrastructure located outside the primary Control Center be presented as evidence to meet R2 compliance (e.g. EMS servers or firewalls at the back-up Control Center)?

          Response: Yes, The requirement does not specify that back-up infrastructure must be located in the primary control center.
        • A:April 16, 2019

          MOD-033 R1 requirement R1.2 has an exception that states, “If no dynamic local event occurs within the 24 calendar months, use the next dynamic local event that occurs.”

          Dynamic local event is not a defined term. Dynamic events happen often (e.g., breaker operations), but are not always measurable enough or have sufficient data recorded to be used for comparison.

          Is it acceptable for an entity to define criteria for what is an acceptable local event, and can the exception be used if there is no acceptable event in 24 months?

          Example: For an event to be considered acceptable, the following criteria must be met:

          • Sufficient EMS data is available, and
          • Event must result in a perturbation of a portion of the system, and
          • Sufficient event recorder data  is available.

          Response:
          Per MOD-033, for the dynamics validation, the target of validation is those events that the Planning Coordinator (PC) determines are dynamic local events.

          A dynamic local event could include such things as closing a transmission line near a generating plant. A dynamic local event is a disturbance on the power system that produces some measurable transient response, such as oscillations. It could involve one small area of the system or a generating plant oscillating against the rest of the grid.

          Therefore, it is the PC that has to identify the dynamic event.  If something other than what the PC has identified is determined to be such an event, then the PC would still determine what is to be used.

          If no dynamic local event occurs within the 24 calendar months, use the next dynamic local event that occurs.

        • A:11/10/2015

          If we have been issued a specific voltage/reactive schedule by the BA/TOP for our plant to meet that specifies a minimum MVAR output below the capability rating curve for the units, can the test points for our MOD-025-2 testing documentation conform to that same schedule?

          The purpose of MOD-025-2 is to verify the actual real and reactive power capability of generators. The verification should be conducted per MOD-025-2, Attachment 1; so the Transmission Planners’ model data is consistent from the different units in their footprint. The verification process should compare the unit’s real/reactive output capability to the designed operating range (D-curve) of the unit, not the TOP’s voltage schedule.

        • A:February 12, 2018
          MOD-025-2 Attachment 1

          2.2. Verify Reactive Power capability of all applicable Facilities, other than wind and photovoltaic, for maximum overexcited (lagging) and under-excited (leading) reactive capability for the following conditions:

          2.2.1 At the minimum Real Power output at which they are normally expected to operate collect maximum leading and lagging reactive values as soon as a limit is reached.

          Does this mean minimum capable / minimum stable generation or literally normal minimum? Specifically, for a base-load plant and/or a plant with contractual and/or environmental constraints, do we test at that normal operating output (i.e., base-load or minimum identified by the contract or regulation); or do we test at minimum stable capability understanding that Min capability is not ‘normal’ for the plant and would only occur if there was an event that necessitated it.

          The minimum Real Power output level is determined by the manner in which the designated unit is dispatched. If the unit operates on a contractual basis, the output specified in the contract can be used as a basis for establishing a normal minimum. If the contract affecting the normal minimum changes, a resubmission of generator data to the Transmission Planner would be required. If the unit can be dispatched anywhere in its designed operating range, normal would be defined as the minimum stable capability at which the unit can operate on a continuous basis without tripping a reverse power relay or other low limit device.

        • A:Updated 5/19/2015

          Will a new Regional Guide be provided for MOD-025-2; and if so, when should we expect to see it?

          No, the SERC Regional Criteria, Verification of Generator Real and Reactive Power Capability, associated with MOD-024-1 and MOD-025-1 is being retired. 

        • A:7/22/2014

          MOD-025-2 / MOD-026-1 / MOD-027-1: Please explain how to be compliant and when each is effective. 

          SERC cannot comment on how to be compliant. The MOD Standards will be included in future SERC outreach activities. SERC staff is currently reviewing the material to plan the appropriate outreach initiatives. 

          Below is the requested effective date information.

          MOD-025-2 
            40%  of applicable Facilities are to be compliant by 7/1/2016  
            60%  of applicable Facilities are to be compliant by 7/1/2017  
            80%  of applicable Facilities are to be compliant by 7/1/2018  
            100%  of applicable Facilities are to be compliant by 7/1/2019

          MOD-026-1  R1, and R3 through R6:  Effective date is 7/1/14  
          MOD-026-1 R2:  
            30% of the entity’s applicable gross MVA are to be compliant by 7/1/2018  
            50% of the entity’s applicable gross MVA are to be compliant by 7/1/2020 
            100% of the entity’s applicable gross MVA are to be compliant by 7/1/2024

          MOD-027-1  R1, and R3 through R5:  Effective date is 7/1/14  
          MOD-027-1 R2:  
            30% of the entity’s applicable units gross MVA are to be compliant by 7/1/2018
            50% of the entity’s applicable units gross MVA are to be compliant by 7/1/2020
            100% of the entity’s applicable units gross MVA are to be compliant by 7/1/2024

        • A:February 21, 2017
          MOD-025-2: Does the verification have to be completed by a certified U.S. engineer? We employ many Canadian engineers, but in order to have a U.S. engineer certification we would have to hire a consultant.

          MOD-025-2 does not specifically address the qualifications of personnel performing verification.  In most situations, state law governs engineer licensure.  However, it is the responsibility of each registered entity to ensure qualified personnel performs work when certifying compliance with Reliability Standards.

        • A:November 13, 2017
          How is applicability of a solar farm considered in MOD-025 - the gross aggregate nameplate rating of 75 MVA or the gross nameplate rating of 20 MVA? (Is a solar farm considered to be an individual generating unit or a generating plant?)

          Solar farms are considered dispersed power producing resources that are covered under Inclusion I4 of the NERC BES definition. The BES portion of the solar farm begins from the point where those resources aggregate to greater than 75 MVA to a common point of connection at a voltage of 100 kV or above. The summation of the inverter ratings should be used to calculate the 75 MVA threshold. MOD-025 would be applicable to the solar farm as a Generating plant/Facility greater than 75 MVA in accordance with section 4.2.3. of MOD-025-2.

        • A:7/5/2016
          Question 1:
          Requirement 2 is the requirement to perform Reactive Power testing and submit the report to Transmission Planning within 90 days of recording the data.  Reactive Power testing consists of both a leading (lower voltage) and lagging (raising voltage) test.  Are they compliant if they perform the leading test in January, and perform the lagging test in July, and send a single report 90 days after finishing the lagging test in July?

          Leading and lagging Reactive Power tests can be performed at different times.  For the unit to be considered compliant, both tests must be complete and submitted by the implementation milestone dates.

          Additional information

          Milestone dates:
          Each Generator Owner and Transmission Owner shall have verified at least:
            40 percent of its applicable Facilities by 07-01-2016.
            60 percent of its applicable Facilities by 07-01-2017.
            80 percent of its applicable Facilities by 07-01-2018.
          100 percent of its applicable Facilities by 07-01-2019.

          Per MOD-025-2 Attachment 1 Paragraph 1 under Periodicity for conducting a new verification: 
          The first verification for each applicable Facility under this standard must be a staged test.

          Question 2:
          Requirement 2 has the 90 day window for submitting the report to Transmission Planning.  Will Nuclear still be compliant if they send the report after the 90 day period?

          The 90 calendar-day submittal deadline is enforceable at the milestone dates of the implementation plan. Thus, each Generator Owner must submit verification data to its Transmission Planner for at least 40% of its generation units prior to July 1, 2016. The only exclusion for Nuclear units is the requirement to perform Reactive Power verification at minimum Real Power output. 

          Reference:
          The Violation Severity Levels in the standard identify the consequences of exceeding the 90 calendar days specified in Requirement 2.2.

        • A:7/13/2016
           Question 1:
          Is a completed Attachment 2 report submitted after 90 calendar days, still a valid date to calculate the next testing due date?

          The next test date is based on the previous verification date, not the date the form is submitted. 

          Question 2:
          If the test for Reactive Power lagging and leading are performed at different times, is it ok to hold the data for the pending test until all data is gathered? If so, what is the maximum allowable time between the two tests?

          If the data is recorded from a staged test, then the data must be submitted within 90 days per requirement 1.2 and 2.2.  If the staged lagging and leading test are more than 90 days apart, then two forms are required.  If the data is selected from historical operational data, then the elapsed time between the lagging and leading test could exceed 90 days, as long as the dates selected are within the 66 calendar month compliance window.  However, paragraph 2 of MOD-025-2, Attachment 1 states, “If data for different points is recorded on different days, designate the earliest of those dates as the verification date, and report that date as the verification date on MOD-025 Attachment 2 for periodicity purposes.” 

          Question 3:
          Is the Real and Reactive Power capability change of 10 percent based on design/equipment change or what the unit could actually verify during an operational test?

          The 10 percent change is based on design changes or discovery of equipment changes that are expected to affect the unit’s capability for more than six months.

        • A:June 14, 2017

          This project came on line in early December, and COD was on December 26.

          Per NERC, MOD-025, 026 and 027 tests are to be completed and results submitted to SERC (per NERC) within 12 months of Commercial Operation. Since we have facilities in other jurisdictions – other Regional Authorities have different / additional requirements. We have been progressing on the basis that we need to comply within 12 months. Could you kindly let us know if this “understanding” is correct - if not what exactly is the requirement in SERC?


          SERC does not have a Regional Criteria or Standard associated with NERC Reliability Standards MOD-025-2, MOD-026-1 and MOD-027-1.  Entities should follow the specific testing and reporting requirements listed in each standard.  Also note, for new applicable Facilities, MOD-025-2 requires compliance within 12 calendar months, whereas MOD-026-1 and MOD-027-1 require compliance within 365 calendar days.

           

          The phased-in implementation plan dates for the associated standards are provided in a previous FAQ titled, “MOD-025-2 / MOD-026-1 / MOD-027-1: Please explain how to be compliant and when each is effective.” (On the FAQ & Lessons Learned page of the SERC website.)

           

        • A:11/9/2015

          For Generating Units that qualify for the 10 year exemption for excitation systems/governors, is the Generator Owner obligated to provide ANY model data to the Transmission Planner under MOD-026/027 and possibly MOD-032?  What if changes or updates are made to these systems?  If they still qualify for the exemption are we required to provide models or notify of changes?

          My reason for asking – The majority of my units qualify for this exemption and will likely never go over the 5%.  I have sent notification to the TP with this statement and showed the calculations for these units as described in the Attachments at the back of the standard.  They seem to think I still owe them model data, even if it isn't verified. I do not agree.

          We will also be upgrading some of these exempt units over the next couple of years hence my changes/upgrades question.

           MOD-026-1 and MOD-027-1 do not require initial generator verification for generators with an average capacity factor of 5% or less over the three most recent calendar years.  To meet this exclusion, the capacity factor must be calculated as specified in Appendix F of the GADS Data Reporting Instruction on the NERC website.  If the GADS capacity factor calculation is 5% or less, a letter should be sent to the Transmission Planner stating the facts and circumstances of each generator that meets this exclusion.  Notification of changes and/or models are not required, as long as the unit meets the net capacity factor exclusion.

           

        • A:12/1/2015
          MOD-026-1 and MOD-027-1 Attachment 1 have the following exemption: Existing  applicable  unit  has  a  current  average  net  capacity  factor over the  most recent three calendar years, beginning on January 1 and ending on December 31 of 5% or less.

          What three-year period do we use for the initial implementation date? Is it our choice?

          The most recent three calendar years, to be recalculated every 10 years.

        • A:April 10, 2015

          Standards each have staged implementation periods based on percent of applicable unit gross MVA or percent of applicable Facilities respectively.

          How will the percent of applicable unit gross MVA or percent of applicable Facilities be audited?  Entities are asking to ensure they know how to determine the percentages?  (Is it based on unit type, fossil, nuclear, hydro, etc., entire fleet, or another measure?)

          For entities with facilities in multiple Regions are the percentages based on facilities in each Region or can the percentage be based on their total facilities in all regions?

          First identify the applicable qualifying units in the Eastern Interconnect that meet one or more of the following criteria:

          • Those that are 100 MVA or greater, per generator, and directly connected at 100 kV or greater; or a generation plant with 100 MVA or greater generation connected at 100 kV or greater.
          • For those units that are connected in the ERCOT Region, those that are 50 MVA or greater, per generator, and directly connected at 100 kV or greater; or a generation plant with 75 MVA or greater generation connected at 100 kV or greater.
          • Also any technically justified unit that meets NERC registry criteria and is required by the Transmission Planner. (MOD-026-1)

          From this list of applicable generation, the total MVA shall be used for the percentage calculations and this may cross several regions. This includes all types of generation in the total MVA: hydro, nuclear, steam, wind, and solar. The registered entity shall be able to show how the total MVA and percentage were calculated and the records to show that the tests were performed and verified.

        • A:12/1/2015
          Many units qualify for the 5% capacity factor exemption under MOD-026/MOD-027. Are GOs obligated to provide any model that qualifies for the exemption?  MOD-026-1 and MOD-027-1 do not require initial generator verification for generators with an average capacity factor of 5% or less over the three most recent calendar years.

          The capacity factor must be calculated as specified in Appendix F of the GADS Data Reporting Instruction on the NERC website to meet this exemption. If the GADS capacity factor calculation is 5% or less, the GO should send a letter to the Transmission Planner stating the facts and circumstances of each generator that meet this exemption.

        • A:8/25/2016
          A site has determined it has 3 equivalent or sister units, Unit 1, 2, and 3. All three units have identical control systems, parameters, and settings.

          Unit 1 is selected for model verification and the required model and verification is submitted. Unit 2 and 3 submit their required model data and state they are sister units to Unit 1 which was verified.

          Question 1:  Is this all that is required or would there need to be additional information for a sister unit?

          Units 2 and 3 that meet the equivalency criteria documented in NERC Standards MOD-026-1, Attachment 1, Row Number 4, Verification Condition section (see below) and the MOD-027-1, Attachment 1, Row Number 5,  Verification Condition section (see below), necessitate completion of the corresponding Required Action sections of Attachment 1 for both NERC Standards.  If Entergy Units 2 and 3 do not meet the equivalency criteria, individual unit modeling and verification will be required for both Units 2 and 3. 

          Please note that verification of a “different” equivalent unit during each 10-year verification period is required and that MOD-026-1/MOD-027-1, Attachment 1, Row 1, applies when calculating generator fleet compliance during the 10-year implementation period.

          Also, please note that all Units that implement system changes after initial models have been verified are subject to MOD-026-1 R4 and MOD-027-1 R4 compliance and the obligation to notify its Transmission Planner within 180 calendar days of making system “changes”.

          Later, Unit 1 upgrades is control system and performs model verification and submits the required data.

          Question 2:  Would Unit 2 or 3 need to perform model verification since the original verification was performed for Unit 1?

          Units 2 and 3 that meet the equivalency criteria documented in NERC Standards MOD-026-1, Attachment 1, Row Number 4, Verification Condition section (see below) and the MOD-027-1, Attachment 1, Row Number 5,  Verification Condition section (see below), necessitate completion of the corresponding Required Action sections of Attachment 1 for both NERC Standards.  If Units 2 and 3 do not meet the equivalency criteria for the model that was verified, individual unit modeling and verification will be required for both Units 2 and 3.

          After the Unit 1 upgrade, Unit 2 upgrades is control system which is identical to Unit 1. 

          Question 3:  If the control system, parameters, and settings are the same as Unit 1, does Unit 2 need to perform model verification or is it covered as a sister unit?

          If Unit 2 does not meet the equivalency criteria documented in NERC Standards MOD-026-1, Attachment 1, Row Number 4, Verification Condition section (see below) and the MOD-027-1, Attachment 1, Row Number 5,  Verification Condition section (see below), completion of the corresponding Required Action sections of Attachment 1 for both NERC Standards is required.  If Unit 2 does meet the equivalency criteria, as stated above, it may qualify as an equivalent unit.

        • A:

          October 18, 2019
          Do I include the combined-cycle steam turbines that meet Attachment 1, Row 7 in the total MVA calculation to determine applicable percent complete?  What about a unit that is retiring in 2023 before the 100% deadline?  Or, an existing unit that is being repowered in 2021 with different characteristics?  I am looking for guidance on the total MVA included units.

          Yes, combined-cycle steam turbines, as shown in Attachment 1, Row 7 that meet the applicable facility as listed in MOD-027-1, should be included in determining the entity’s total MVA. The standard does not have any provisions to exclude these units from the total MVA calculation. A written statement must be provided to the TP showing compliance per Requirement R2, as stated in Attachment 1, Row 7. In accordance with the periodicity specified in MOD-027 Attachment 1. This unit is still applicable to the total MVA calculation until the actual retirement and needs to be included in the total MVA until the retirement date. The key milestone dates and applicable percentages in 2023 must be met. This unit would also be included at its current MVA in the total MVA calculation. Sufficient evidence of its total MVA and percentage of MVA prior to the repower event in 2021 should be provided to the TP. If the unit MVA changes during the repower operation in 2021, retain and provide evidence of the change in the unit MVA and total MVA. The key milestone dates and applicable percentages prior to and after the repower event in 2021 must be met.

        • A:January 9, 2019
          Per MOD-026 Attachment 1 Row 7 and MOD-027 Attachment 1 Row 8, existing applicable units that have a current average net capacity factor over the most recent three calendar years, beginning on January 1 and ending on December 31 of 5% or less, are eligible for a capacity factor exemption. In order to apply an  exemption to an entity’s applicable gross MVA, does the entity have to first formally notify the Transmission Planner OR can the entity internally document the exemption when calculating gross MVA without formal  notification? Does the 10-year time frame begin at formal notification or internal documentation?

          Per MOD-026 and MOD-027, if you have existing applicable units that have a current average net capacity factor over the most recent three calendar years, beginning on January 1 and ending on December 31 of 5% or less, they are eligible for a capacity factor exemption. A written statement to the Transmission Planner stating that an exemption is being applied is required.

          The 10-year timeframe begins on the date of the written submittal.

        • A:3/1/2016
          There have been many documents that have excluded some or all nuclear power plants from frequency response requirements.  These include:
          • NERC Alert A-2015-02-02-01, Generator Governor Frequency Response
          • Memo from Nano Sierra (FERC) to the ERAG MMWG dated September 9, 2010
          • Memo from Nano Sierra (FERC) to the ERAG MMWG dated April 27, 2011
          • Memo from ERAG Management Committee to the MMWG dated April 28, 2011
          • Email providing FRCC’s response to the September 9, 2010 FERC memo
          • MMWG Procedure Manual, page 42, section 9.2.D.2

          Based on these documents, our Transmission Planner does not include nuclear plant governors in their system models.

          The question is, can the nuclear industry get an exemption from the MOD-027-1 reporting requirement to provide governor models to our Transmission Planner since they are not going to use them?

          If the planner does not use the data, is it necessary?

          Auditors are required to audit to the standard as written. The standard includes an exclusion (MOD-027-1 Attachment 1). 

          Follow-up question to above. They would like to include steam turbine generators for Combined Cycle plants to the question to SERC on MOD-027 applicability.

          “Though we don’t have the “paper trail” of documents for them like we do for nuclear, these [Combined Cycle] units run with their steam valves wide open and, as such, do not respond to grid frequency deviations.  For this reason, our Transmission Planner does not include their governors in the models either.”

          Auditors are required to audit to the standard as written.

           

        • A:October 10, 2018

          MOD-027-1 Requirement R2 Part 2.1.1. allows entities to use frequency excursion event data to verify the Generator Owner’s turbine/governor and load control or active power/frequency control model.

          Question 1:  Attachment 1 Row 3 “Verification Condition” states, “Applicable unit is not subjected to a frequency excursion per Note 1 by the date otherwise required to meet the dates per Rows 1, 2, 4, or 6.”   Row 3 “Required Action” states, “Requirement 2 is met with a written statement to that effect transmitted to the Transmission Planner,” and then states, “Transmit the verified model, documentation and data to the Transmission Planner on or before 365 calendar days after a frequency excursion per Note 1 occurs and the recording equipment captures the applicable unit’s real power response as expected.”

          Is Row 3 allowing an applicable unit to exceed its verification date (Row 1 phased implementation, Row 2 periodic 10 year verification, Row 4 new unit/equipment verification, or Row 6 verification plan) by submitting a statement to the Transmission Planner stating that it is waiting for a frequency excursion event?  And that when a frequency excursion event does occur, Row 3 is stating that the verification report be sent to the Transmission Planner within 365 calendar days of when the frequency event occurred?

          Yes. Based on the information provided, once the frequency excursion event occurs, the clock starts on the 365 days for the verification report to be sent to the Transmission Planner.

          Question 2:  Other than Row 3, is there any requirement which limits the use of historical operating data for a frequency excursion event?  The MOD-025-2 standard limits the use of historical operating data to within two years prior to when the real or reactive power verification performed.

          Not at this time.

          Question 3:  Other than Row 3, is there any requirement which requires the verification report be submitted within a specific time-frame to the Transmission Planner for a frequency excursion event?  The MOD-025-2 standard places a 90 calendar day time-frame to submit a verification report from when historical operating data is selected or when test data is recorded.

          Not at this time.

        • A:8/19/2016
          In the past, the portal was open to all the various asset owners, LSEs, etc., for each company to log in and enter their respective data. Under MOD-031-1 or v2, it will be the Planning Coordinator's role to collect and enter said data. Will SERC be able to provide insight as to which data from MOD-031 R1 will be requested under the Q1 2017 time frame? Stated another way, do you know if we can expect any changes from the historical reporting forms other than which entities will be logging in to the portal to report?  If the forms are changing. Do you know if it will be communicated within the 75 calendar day time frame to allow for collections?
          There will be no changes to the Demand and Energy forecasts that are reported by the Planning Authority via the Reliability portal.
          The PC will continue to report Actual Demand and Energy data through the Reliability portal; however, the actual data will be broken out by LSE beginning with 1st Quarter 2017 data due in April 2017. SERC will distribute a data request with an explanation of the changes made to the PC entities early in February 2017.
        • A:7/22/2016
          NERC Reliability Standard MOD-031-1 – Demand and Energy Data became mandatory and enforceable on July 1, 2016.  Requirement R1 requires that the Planning Coordinator (PC) or Balancing Authority (BA) develop and issue a data request to certain applicable entities in their area. The sub-requirements of R1 specify the content of the data request. The data specified in Requirement R1 is provided to SERC via forms posted in the Reliability Data Reporting Portal as part of the Long-Term Reliability Assessment (LTRA)  and NEL data submittals due each year on or before April 1st. The issuance of a data request by the PC or BA to applicable entities for the same data prior to the next data collection cycle (i.e., Q1 2017) will create confusion among the entities, yet is implied in the Measure M1 if an entity is to be fully compliant with the new Standard on July 1, 2016. What is the expectation by SERC CEAs regarding evidence of compliance with Requirement R1 between the enforcement date of MOD-031-1 (July 1, 2016) and the next data reporting cycle (Q1, 2017)?

          MOD-031-1 is part of the ongoing annual process for Planning Coordinators and Balancing Authorities to collect demand, energy, and related data to support reliability studies and assessments. The schedule for issuing data request should continue to follow the normal data request process that has been established. Any data request issued after 7/1/16 should be compliant with MOD-031-1. Any data request issued after 10/1/16 should be compliant with MOD-031-2.

        • A:May 4, 2017
          I am a PC with several GOs in my PC area which do not have agreements stating such. As a PC, am I required to validate their models per MOD-033-1?

          No. However, according to MOD-025-2, MOD-026-1 and MOD-027-1 each Generator Owner shall provide its Transmission Planner with verified Generator data.

        • A:August 30, 2016

          We are planning our testing for NERC standards MOD-026 and MOD-027. I wanted to ask for information on coordinating this testing with SERC. We are planning on performing the tests in 2017, but do not have any dates at this time. I would like to have this information for planning of the tests.

          There are no requirements to coordinate with SERC during the development of the control models required by MOD-026-1 and MOD-027-1.  If you have specific Reliability Standards related questions, please submit those questions via the SERC FAQ process.

        • A:
          Updated:  12/29/2019
          PER-003-2           Purpose: To ensure that System Operators performing the reliability-related tasks of the Reliability Coordinator, Balancing Authority and Transmission Operator are certified through the NERC System Operator Certification Program when filling a Real-time operating position responsible for control of the Bulk Electric System.

           

          For an entity that is a member of PJM (where PJM would be the RC, BA and TOP), is the “Real-time operator” considered to be PJM or the operator at the entity who receives directions from PJM?  

          PJM requires the entity operators to be PJM Certified but not NERC Certified.  Would NERC require the entity’s operators to be NERC Certified based upon the requirements of PER-003-2?       

          If you’re performing reliability related tasks pertinent to RC, BA, or TOP, you need to be NERC Certified at that specific level.

          PJM Manual 40 Rev 20- Effective 1/24/2019 / Sec 3.2.1 Transmission Owner Operators, subsection NERC Certification, states operators must be NERC Certified.

        • A:October 10, 2018
          Should reliability related tasks be separate from desk qualifications? Describe what SERC is looking for in the evaluation at the end of the year?

          PER-005-2 does not require entities to separate reliability related tasks from desk qualifications. An entity should keep compliance with PER-005-2 in mind when deciding to separate or not separate.

          The entity should provide data or evidence of compliance that shows that it has reviewed, and updated, if necessary, its list of BES company specific Real-time reliability-related tasks identified in PER-005-2 Requirement R1 part 1.1 each calendar year. The entity shall keep data or evidence to show compliance for three years or since its last compliance audit, whichever time frame is greater, unless directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation.

        • A:March 26, 2020

          I have three questions related to PER-006-1 R1 that will be active on 10/1/2020.

          Will we need to have trained all real-time plant control operators by 10/1/2020, or is there an expected time-frame that is reasonable to train?
          NERC Standard PER-006-1 implementation plan requires the entity to be compliant by the effective date of 10/1/2020. Therefore, the Generator Operator will be required to have completed the necessary training by that date.

          New team members will need to be trained within how much time?
          The Standard does not specify a timeframe that training must be completed by new applicable plant personnel that have been hired after 10/1/2020. The Generator Operator should consider that they provide training in a reasonable timeframe to ensure that reliable Real-time operations of the Bulk Electric System will not be jeopardized.

          If a contractor operates the solar sites, can a small portion that only applies to solar be the only subset trained?
          The NERC registered Generator Operator is responsible to ensure that training has been provided to any plant personnel, contracted or entity employee, who is responsible for the Real-time control of a generator and receive Operating Instructions from the Generator Operator’s Reliability Coordinator, Balancing Authority, Transmission Operator, or centrally located dispatch center.

          The Reliability Standard is applicable to registered Generator Operators regardless of voltage, generating capacity, or point of interconnection.

        • A:9/30/2014

          PRC-001 R1 states that the GOP needs to be familiar with the purpose and limitations of protection system schemes applied in its area.  Is there specific guidance from SERC on what SERC believes is good evidence and who specifically is the target audience for the training?

          For this Reliability Standard, GOP is defined as the Registered Entity and not the person sitting on the desk.  There should be staff or contractor(s) available to address protection systems issues as they arise.  Staff could include the actual operator, electricians, instrumentation crew, etc. Training records, qualification records, etc. have been used as evidence of compliance in the past. The key question is: who is contacted to decide what to do when a protection device is triggered?  Is it the operator or other staff?

        • A:December 9, 2019
          Please provide compliance guidance regarding the following PRC-001 R3 coordination activities:

           

          1. Under R3 if the settings or set points stayed the same with a change out, do you need to coordinate?
          2. When the standard says coordinate when you have changes to protection systems is that directed at when performance changes and if the performance does not change then no coordination is needed?

          Responses

          1. The standard states all new and changes to protective systems shall be coordinated. In a circumstance where the settings or set points stay the same as a result of a protective systems change out, at a minimum a notification shall be made to the appropriate entity indicating no setting changes resulted from the protective systems change out.
          2. Whether or not the performance of the protective systems change, a notification shall be made to the appropriate entity when performance changes evidence of a relay coordination study or a letter of agreement on the settings between the responsible entities is required.
        • A:10/3/2016
          NERC Implementation Plan for PRC-002-2 Requirements R2, R3, R4, R6, R7, R8, R9, R10, R11 states:
          Entities shall be at least 50 percent compliant within four (4) years of the effective date of PRC-002-2 and fully compliant within six (6) years of the effective date.
          Question(s):
          1. How do you quantify 50% compliance with PRC-002-2?
          2. Does the 50% compliance apply to entities with a single generator?
           

          Question 1:
          As of July 1, 2016, registered entities must be compliant with PRC-002-2, R1.1 and R5.1.  Compliance with R1.1 and R5.1 determines the number of devices that an entity must install. Once the number of devices is determined, then the registered entity shall be at least 50 percent compliant by July 1, 2020.

          Example: Suppose an entity must install five (5) devices identified by R1.1 and R5.1. For 50 percent compliance, five devices * 50 percent = 2.5 devices; and rounded up to the nearest whole number equals three (3) devices that must be installed by July 1, 2020.  The remaining two (2) devices must be compliant by July 1, 2022.

          Question 2:
          Per the PRC-002-2 Implementation Plan, registered entities that own only one (1) identified BES bus, BES Element, or generating unit shall be fully compliant within six (6) years of the effective date (July 1, 2022).

        • A:
          August 6, 2019
          PRC-002-2, R7 .7.1, requires that dynamic Disturbance recording (DDR) data be collected on either high-side, or low-side, of the Generator Step-up Transformer (GSU). Is there a maximum allowable distance, from the high-side of the GSU, that DDR data can be collected and still be considered acceptable?

          Yes. The DDR should be located between the high/low-side of the GSU and the interconnection with the network transmission.  The basis for this comes from the rationale section in R5 which states: “With the exception of HVDC circuits, DDR data is only required for one end or terminal of the BES Elements selected. For example, DDR data must be provided for at least one terminal of a Transmission Line or generator step-up (GSU) transformer, but not both terminals. For an interconnection between two Responsible Entities, each Responsible Entity will consider this interconnection independently, and are expected to work cooperatively to determine how to monitor the BES Elements that require DDR data. For an interconnection between two TOs, or a TO and a GO, the Responsible Entity will determine which entity will provide the data.”

        • A:September 16, 2016
          If, down the road, we were to have the scenario described in PRC-002-2 R12, how should that Corrective Action Plan (CAP) be formatted for submission? Is it a Word document, an email, or something we submit on a portal or other location? We’re just trying to get a feel for what is expected there. Any guidance you could provide would be appreciated.

          PRC-002-2
          R12. Each Transmission Owner and Generator Owner shall, within 90-calendar days of the discovery of a failure of the recording capability for the SER, FR or DDR data, either: [Violation Risk Factor: Lower] [Time Horizon: Long-term Planning]

          • Restore the recording capability, or
          • Submit a Corrective Action Plan (CAP) to the Regional Entity and implement it.

          Registered entities should provide CAPs relevant to PRC-002-2, R12 to SERC via SERCComply@SERC1.org. The CAP must contain a list of actions and an associated timetable for implementation to remedy a specific problem. Form and format is at the discretion of the registered entity.

        • A:August 20, 2019
          If we have a device installed that meets the capability requirements of PRC-002-2, must we comply with R12 before 7/1/2020? For example, PRC-002-2 R12 was enforceable on 10/1/2016 and requires TOs and GOs within 90 calendar days of discovery of a failure of an SER, FR, or DDR to restore the data recording capability or submit a CAP to the Regional Entity. If Entity “Y” has 6 devices capable of meeting the data recording requirements of PRC-002-2 in service as of today:
          • Must the entity comply with R12 for these devices now; and
          • Must the entity retain evidence of these devices complying with the SER, FR, or DDR data recording capability requirements?

          The R12 reporting process should be used for failure of SER, FR, or DDR equipment in locations required by PRC-002-2 R1 and R5.  If an entity has devices installed at locations not required by PRC-002-2, R1 and R5 reporting via the R12 process is not required.

        • A:10/10/2016
          For an MRRE, to which regional entity should the Corrective Action Plan be submitted? I’m assuming they would go to SERC as our Lead Regional Entity, or should we send the CAP to other regions in the MRRE as well?

          The multi-regional registered entity shall follow the reporting protocol of the lead regional entity for submission of Corrective Action Plan(s) in accordance with PRC-002-2, R12. The lead regional entity will coordinate activity with any affected regional entity.

        • A:5/27/2016
          I have a question of clarification for PRC-004-4(i) R5 which states the following:

          R5. Each Transmission Owner, Generator Owner, and Distribution Provider that owns the Protection System component(s) that caused the Misoperation shall, within 60 calendar days of first identifying a cause of the Misoperation: [Violation Risk Factor: High]

          [Time Horizon: Operations Planning, Long-Term Planning]

          • Develop a Corrective Action Plan (CAP) for the identified Protection System component(s), and an evaluation of the CAP’s applicability to the entity’s other Protection Systems including other locations; or
          • Explain in a declaration why corrective actions are beyond the entity’s control or would not improve BES reliability, and that no further corrective actions will be taken.

          Question:
          My question is in regards to an entity that is registered as a JRO for multiple other independent companies that would be registered as a TO if another entity was not registered as a JRO on their behalf. When applying the following portion of PRC-004-4(i) R5: “Develop a Corrective Action Plan (CAP) for the identified Protection System component(s), and an evaluation of the CAP’s applicability to the entity’s other Protection Systems including other locations,” should the CAP for the Protection System components be evaluated across all independent entities registered within the JRO, or should the CAP just be evaluated  only within Protection System components within the singular independent company?

          The CAP needs to be evaluated only within Protection System components within the singular independent company.  From a BES reliability perspective, the JRO should communicate the CAP to all independent entities for their benefit.

        • A:

          August 22, 2018
          We recently completed PRC-005 battery load testing. A battery string has failed the load test, and it will be replaced with new batteries. Are we required to load test the new battery string, or should the next load test be done during the next testing interval?

          Per Table 1-4(a), Verification that the station battery can perform as manufactured by conducting a performance capacity test is a required maintenance activity that must be performed when replacing a component of a Protection System.  Any Protection System element that receives a failed test result must be resolved and documented prior the end of the maintenance interval. Once the corrective actions have been completed, the maintenance records shall be updated to reflect the successful results.

        • A:

          May 4, 2017
          PRC-005:  Timers are not defined.  Are timers considered protective equipment?

          Yes, because timers are essential for the proper operation of the protection system.

        • A:9/30/2014

          Where PRC-005 equipment is owned by Registered Entity A but used by Registered Entity B for a protection system applicable to PRC-005, which Registered Entity is responsible to demonstrate compliance?

          For previous guidance please refer to March 17, 2014 PRC-005 SERC lesson learned.
          Both will be reviewed to identify which Registered Entity maintains and which Registered Entity coordinates the protection systems equipment.  Documents stating which Registered Entity performs which duties help the audit team quickly identify the responsible party.

        • A:12/1/2015
          Are temporary batteries under the scope of PRC-005 considered part of the Protection System?

          Yes, if the batteries are in use for a period of time greater than the minimum testing interval for batteries (four months).

        • A:

          April 6, 2020
          Can I get an interpretation of the meaning of distributed UFLS and nondistributed UFLS? These terms are not defined in PRC-005 or the Glossary of Terms. Additionally, can someone direct me to the appropriate table that addresses batteries (Vented Lead Acid) for distributed UFLS?  

          A distributed UFLS or UVLS scheme contains individual relays, which make independent Load shed decisions based on applied settings and localized voltage and/or current inputs.

          A non‐distributed UFLS or UVLS scheme involves a system where there is some type of centralized measurement and Load shed decision being made. 

          A non‐distributed UFLS/UVLS scheme is comparable to an SPS scheme. 

          If the Vented Lead Acid battery bank associated with the distributed UFLS serves both a BES device, as well as a non-BES interrupting device used for UFLS. In such case, the battery bank will be subject to Table 1-4(a), if it not the case use Table 3 Protection System dc supply.

        • A:11/18/2014

          Description of the Violation, Issue, or Trend
          As generating units are being retired, Protection System maintenance and testing activities required by PRC-005 can be problematic if Generator Owners (GO) and Transmission Owners (TO) do not successfully address the Protection System components that will remain in service after the unit has been retired. There have been instances where the Protection System devices that had been the responsibility of the GO prior to the retirement of the unit remained in service after the retirement and became the responsibility of the TO.  The unsuccessful transfer of that responsibility has resulted in noncompliance for some Registered Entities.

          Risk Considerations
          The risk to the BPS depends on the number and types of devices involved.

          Description of Mitigation Activity
          Registered Entities can mitigate or prevent the violation by incorporating a review of the roles and responsibilities of Protection System devices associated with generating facilities into the unit retirement process.

        • A:3/17/2014 

          Description of the Violation, Issue, or Trend
          Lack of verification of routine maintenance and testing work performed by contractors led to the following: 

          1. Work-orders being closed-out as completed in the database when the work had not been performed
          2. Incomplete maintenance and testing documentation caused Protection System device testing and maintenance to be missed and/or test results to not be entered into the database
          3. Records were not retained by either the Registered Entity or the contractor as evidence

          Risk Considerations
          In general, this type of violation poses a minimal to moderate risk to the BPS depending on the number and types of devices involved.

          Description of Mitigation Activity
          Registered Entities have mitigated the violation in several ways:

          1. Enhanced their procedures for scoping contracted projects
          2. Implemented requirements for contractors to provide all maintenance and test records as part of the project documentation 
          3. Performed a thorough review of the documentation to verify completion of the work orders

          Other Factors or Comments
          Lack of oversight due to weak internal controls is a common factor.

        • A:Updated:  1/1/2019

          Description of the Violation, Issue, or Trend
          Large construction projects performed by contractors resulted in newly installed Protection System devices not to be entered into the Registered Entity database. Therefore, maintenance and testing was not conducted.

          Risk Considerations
          In general, this type violation poses a moderate risk to the BPS because of the potential for maintenance and testing on these Protection System devices to be missed for an extended period of time.

          Description of Mitigation Activity
          Registered Entities have mitigated the violation by revising procedures for construction projects with PRC-005 implications to include special consideration for contractor work to ensure compliance with the Registered Entity PRC-005 program.

          Other Factors or Comments
          Registered Entities typically utilize contractors in large construction projects. Failure to follow internal procedures for the handling of records has occurred due to the work being done by contractors and not Registered Entity employees resulting in devices not being entered in the database.

        • A:Updated: 1/7/2019

          What “auxiliary relays” must be included in the Protection System Maintenance Plan in order to be compliant with PRC-005-6?

          The Protection Systems addressed by PRC-005-6 are defined as the Protection Systems that are “installed for the purpose of detecting Faults on Bulk Electric System elements (lines, buses, transformers, etc.).” The “auxiliary relays” are relays that may be in the trip circuit between the trip coil of the circuit breaker or lockout relay and the fault detection relay.   Those “auxiliary relays” and their output contacts must be tested as part of the DC control circuits of the protection system (see Table 1-5).

          While other protection systems (such as those included for fire, loss of cooling, overexcitation, vibration, loss of fuel and host of others) may be present, they are not included in the definition of transmission Protection System or generator Protections System for purposes of PRC-005-6.  Later versions of PRC-005 may include specific system/devices such as those mentioned, but they are exempt from compliance until such time as they are included in an approved implementation plan. Of course, registered entities are encouraged to periodically test those functions, but it is not necessary to include them as part of the PSMP.

        • A:2/24/2015

          PRC-005-2 - Supplemental Information, Section 15.4:  Can SERC provide clarity regarding communication system batteries not being considered as applicable to V2?

          PRC-005-2 applies to station batteries that supply trip current to the trip coils of the interrupting devices that are part of a Protection System.

          Batteries used for the sole purpose of supplying power for communication facilities are not included.

        • A:12/5/2016
          I am referencing PRC-005 and monitoring capabilities of a relay, see quote below from Table 2; 12 calendar years.
           
          “Any alarm path through which alarms in Tables 1-1 through 1-5, Table 3, Tables 4-1 through 4-3, and Table 5 are conveyed from the alarm origin to the location
          where corrective action can be initiated, and not having all the attributes of the “Alarm Path with monitoring” category below. Alarms are reported within 24 hours of detection to a location where corrective action can be initiated.”
           
          Would a relay alarm at the substation that triggers a general alarm in the control room be considered “Monitored” as long as the control room can respond and have the problem investigated in less than 24 hours? The general alarm in the control room could also be triggered by other issues at the substation; but either way, the system operator would send someone out to investigate. What are your thoughts?
          A relay alarm that triggers a general alarm could be considered a monitored relay, if the general alarm is transmitted to a central location where personnel could be dispatched to invest the problem within 24 hours of detection of a relay failure. This feature would need to be verified and tested for each relay that uses this function to extend the maintenance interval due to monitoring.
        • A:9/30/14

          If a Registered Entity decides to implement more stringent requirements than the Reliability Standard, is the Registered Entity going to be audited to the implementing procedures or to the NERC Standard Requirements?

          For example, if the Registered Entity's maintenance and testing program requires relays to be calibrated every two years and the Registered Entity goes beyond two years (but within the table in PRC-005-2 of six years), is the Registered Entity going to be held accountable to the implementing procedure? 

          The intervals specified in PRC-005-2 govern.  The program must be conducted in accordance with PRC-005-2.  For example, your interval is four years, the PRC-005-2 specified interval is six years, and maintenance is conducted in five years.  That is not an issue.

        • A:2/24/2015

          How will SERC audit PRC-005-2?

          In accordance with the implementation plan, each TO, GO, and DP shall maintain documentation to demonstrate compliance with PRC-005-1b, PRC-008-0, PRC-011-0, and PRC-017-0 until that registered entity meets the requirements of PRC-005-2. Each registered entity shall be responsible for maintaining each of their Protection System components according to their maintenance program already in place for the legacy standards (PRC-005-1b, PRC-008-0, PRC-011-0, and PRC-017-0) or according to their maintenance program for PRC-005-2, but not both. Once a registered entity has designated PRC-005-2 as its maintenance program for specific Protection System components, it cannot revert to the original program for those components. While registered entities are transitioning to the requirements of PRC-005-2, each entity must be prepared to identify:

          • All of its applicable Protection System components; and
          • Whether each component has last been maintained according to PRC-005-2 or under PRC-005-1b, PRC-008-0, PRC-011-0, or PRC-017-0.

          For activities being added to a registered entity’s program as part of PRC-005-2 implementation, evidence may be available to show only a single performance of the activity until two maintenance intervals have transpired following initial implementation of PRC-005-2.

        • A:2/24/2015

          An entity has a BES carrier set powered by a customer-owned DC system at a customer owned substation.  Does the registered entity have any maintenance or testing compliance responsibilities related to PRC 005-2 for the batteries or charger at this type of location?

          For general information on components considered to be in scope for PRC-005, see Figure 1 and 2 Legend – components of Protection Systems in Supplementary Reference and FAQ PRC-005-X Protection System Maintenance April 2014. The legend describes station DC supply batteries, battery chargers, and any control power system which has the function of supplying power to the protective relays, associated trip circuits and trip coils. It excludes “any power supplies that are not used to power protective relays or their associated trip circuits and trip coils.”

          It also explains that communications systems necessary for correct operation of protective functions include “tele‐protection equipment used to convey specific information, in the form of analog or digital signals, necessary for the correct operation of protective functions” and exclude “any communications equipment that is not used to convey information necessary for the correct operation of protective functions." If the battery and charger are elements of an applicable communication system, they should be maintained as part of the communication system. See PRC-005-2 Table 1-2 for the minimum expected maintenance and testing activities.

        • A:March 1, 2016
          Does the DC control circuit between a UFLS relay and distribution multi-functional relay need to be tested under PRC-005-2? (This is mentioned in NERC PRC-005-2 supplement, section 15.7.)

          Yes. The path between the UFLS relay and the multifunction relay should be tested every 12 years.

        • A:October 18, 2016
          PRC-005-2: Is Periodic calibration of timing relays required? If so, what frequency? (These relays do not sense voltage or current, but their function is vital to the operation of the circuit trip path.)

          Yes, timing relays are essential to the proper functioning of the Protection System and should be calibrated at the same frequency of the relay.

        • A:October 18, 2016
          PRC-005-2: If the most recent maintenance activities for a specific element did not meet all of the required maintenance activities in PRC-005-2, does an entity need to retest prior to the April 1, 2017 deadline?

          An entity cannot transition a component to the PRC-005-2 program until it has performed all PRC-005-2 maintenance activities.  An entity can only maintain the component in one version of the standard, no revision is allowed.  New components placed in service after April 1, 2015 must be maintained in accordance with PRC-005-2.

        • A:October 18, 2016
          PRC-005-2: Table 1-5 12Y (non-SPS) states; “paths of the trip circuit inclusive of all auxiliary relays”. Are protective relays also inclusive in the trip circuit path, or does Table 1-1 encompass all protective relay testing requirements? (See Example below.)

          Example of Complete Trip Path Testing from Table 1-5 Using Overlap from Table 1-1:

          Table 1-1 6Y Activity

          1) Test Equipment is connected to the Protective Relay Inputs (via test block) to inject a voltage signal to simulate conditions to pick up the protective relay (outputs are isolated via test block);

          2) Output voltage (or continuity from closed contact) is monitored to ensure the protective relay picked up;

          3) Current is injected into the circuit to operate the protective relay target (where applicable);

          Table 1-5 12Y (non-SPS) Activity

          4) DC voltage is jumped to the output of the protective relay and the next trip path component (Aux Relay/Timer) is verified to have operated appropriately,

          5) The LOR is electrically operated to actuate the breaker trip coil.

          Trying to determine if example using overlap meets the intent of Table 1-5 or if passing current through the relay output contacts to pick up a downstream device without using overlap is required.

          Maintenance activities listed in Tables 1-1 and 1-5 are required to maintain compliance.

          ____________________

          Follow-up Questions:
          February 3, 2017

          Question 1:
          If a unit has the ability to run back to 50% power if one generator CB trips, would this scheme be part of PRC-005-2 or only that the unit would trip for loss of both generator CBs? We need to know specifically if it is the tripping of any Generator Circuit Breaker or if NERC only cares if you completely trip the unit from the grid.

          Tripping the entire generator or adjusting the generator to protect BES Facilities (e.g., electrical path of generator, GSU, or other equipment) to maintain system stability, acceptable voltage, or power flows would meet the definition of SPS/RAS and is included in the scope of facilities to be maintained under PRC-005-2 and PRC-005-6. If the runback scheme is initiated to protect the turbine from overspeed or other turbine condition, this is not considered an SPS/RAS

          Question 2:
          PRC-005-2: Is Periodic calibration of Timing Relays required? If so, what frequency? (These relays do not sense voltage or current, but their function is vital to the operation of the circuit trip path)

          Follow up response and question based on SERC response:
          If timing relay calibrations are required, we need clear guidance on what is required and which table to use for these calibrations. In addition, this needs to be clear in order to determine the correct maintenance timeframe (6Y or a 12Y).

          Any input or output of the Protective Relay that “affects the tripping” is included as essential to the proper functioning of the Protective Relays and should be tested for proper operation at the same interval as the Protection Relay.  Each input should be “picked up” or “turned on and off” and verified as changing state by the relay. Therefore, testing for proper operation, not calibration, of the timing relays is required.

          Question 3:
          The response did not answer the question. We are specifically questioning the method to meet Table 1-5 by using overlap from Table 1-1. Table 1-1 is the only table which includes protective relays and Table 1-5 is for the control circuitry for protective functions. We need to determine if example below using overlap meets the intent of Table 1-5 or if passing current through the relay output contacts to pick up a downstream device without using overlap is required.

          It appears the example given does meet most of the requirements of Table 1-5.  In addition, ensure trip coil testing includes operation of the interrupting device.

        • A:7/31/2015

          Below is a proposed method for microprocessor relay testing developed to satisfy requirements of PRC-005-2.

          1. Test Current Transformers (CTs) and Potential Transformers (PTs) at the same time as the relays because they are the inputs to the relays.
          2. Verify the microprocessor settings file is the same as what the registered entity has on record.
          3. Use a fluke meter to measure the inputs the relay is presently seeing, and compare that value to what the relay is reading.
          4. Pulse the relay output to the auxiliary relay to verify the output signal.

          The registered entity would use the above method instead of testing each individual element in the relay.  The reasoning behind this is that the relay is microprocessor-based. Therefore, there are no mechanical components that change. If the input is reading correctly and the output is functioning, the relay is operating properly. The registered entity would only test and verify the individual elements in the event of settings changes.

          Can you provide any feedback on this method?

          When verifying the microprocessor relay settings, ensure that each setting in the relay is compared to a known specified value. Using a meter to measure the values of CT/PT inputs is an acceptable method to obtain a value to compare with the relay value or other device measuring the same current/voltage.  Pulsing the relay to provide a signal to an auxiliary relay should also include verification of the signal through the trip coil circuit of the auxiliary relay. Overall, the testing should verify that all inputs, outputs, and trip circuitry necessary for the proper operation of the Protection System function as designed.

           

        • A:9/30/2014

          For PRC-005-2, can SERC provide guidance on the percentage implementation and if it is based on Registration or by individual generator?

          Percentage implementation for PRC-005-2 R3 and R4 is not based on Registration or individual generators, but rather is dependent on the percentage of Protection System Components that are maintained under the maintenance programs described in the Standard.  Protection System Components are defined in Tables 1-1, 1-2, 1-3, 1-4, 2, and 3 of PRC-005-2.  Certain percentages of Protection System Components must be compliant with R3 and R4 by specific dates, with the percentages based on the allowable maintenance interval for the given Component type.

          PRC-005-2 R1, R2, and R5 do not allow for phased-in compliance.  Only R3 and R4 allow for various percentages to be met at different times.

          The details of enforcement dates and percentages with respect to the various Requirements can be found on pages 4-6 of the PRC-005-2 Implementation Plan.

        • A:March 12, 2019
          Are breaker failure type relays (50BF) considered applicable relays for the purposes of PRC-005? These relays rely on external relay(s)  to activate. The relay trip is conditional and does not trip based solely on measured quantities but require external permissive signal.
           

          PRC-005-6 standard addresses Protection Systems that are installed for the purpose of detecting Faults on BES Elements.  Breaker failure relaying is the use of a current monitoring relay to determine whether or not current continues to flow into a faulted circuit sometime after a circuit breaker has been instructed to interrupt the circuit.  Therefore any breaker failure relay that detects the failure of a breaker that is defined as a BES breaker, or non-BES breaker that trips a single BES generator, or an aggregate of BES generators is considered an applicable relay that would fall under the testing requirements of PRC-005-6.

        • A:August 30, 2016
          1. We did not include excitation transformer protection relays in our V1.1b program.  Since the excitation transformers connect directly to the generator bus the relays are now included in versions 2 through 6.  My question is should we have included them in our V1.1b program, or can we use the V2 implementation plan and phase them in?  Per our V1.1b program, we would need to test both units’ relays by the end of the 2016 calendar year instead of being able to wait until 4/1/17 and 4/1/19 to complete the testing under the V2 implementation plan.
          2. Are AVRs generally considered part of a Protection System?  I don’t consider them to meet the definition of Protection System, but we’ve had some discussion back and forth and want to make sure we got it right.  I looked through the PRC-005 FAQ document and can’t find anything that addresses an AVR.

          Question 1
          Excitation transformers were not explicitly listed in PRC-005-1.1b, and not all entities include these components in their Protection System Maintenance Program (PSMP).  Entities should transition these components to PRC-005-2(i) as soon as practical, but no later than the dates allowed by the component milestone dates in the PRC-005-2(i) implementation plan. 

          Note:  PRC-005-2(i) Implementation Plan will be retired 12/31/2016 and superseded with the PRC-005-6 Implementation Plan. 

          Question 2
          If the Automatic Voltage Regulating (AVR) system is configured to trip a BES generator either directly or via lockout or auxiliary tripping relays, then the associated Protection System components should be included in the PSMP. In addition, PRC-019-2 requires that the AVR control settings be coordinated at least every five (5) calendar years.

        • A:August 9, 2019
          PRC-005-6, Table 1-2 states "Any communications system with continuous monitoring or periodic automated testing for the presence of the channel function, and alarming for loss of function (See Table 2)." 

          Question - Does "alarming for loss of function", as used in the table, refer to alarming the loss of the channel function only; or does it also include alarming the loss of the other associated communications equipment (i.e.,  relay panel  transmitters, and receivers) that makes up the overall communications system?  Please also reference Section "15.5.1 Frequently Asked Questions" in the NERC "Supplementary Reference and FAQ – PRC-005-6 Protection System, Automatic Reclosing, and Sudden Pressure Relaying Maintenance and Testing" dated October 2015.

          The alarming for loss of function encompasses everything from the alarm origin to the location that corrective action can be initiated. This would include all associated communication equipment between these two points.

        • A:March 22, 2017
           PRC-005-6 Implementation Periods:
          1. For Automatic Reclosing Components, Sudden Pressure Relaying Components, and dispersed generation resources maintenance activities with maximum allowable intervals of six (6) calendar years, as established in Tables 4‐1, 4‐2(a), 4‐2(b), 4‐3, and 5:
          • The entity shall be at least 30% compliant on the first day of the first calendar quarter thirty‐six (36) months following applicable regulatory approval of PRC‐005‐6 (or, for generating plants with scheduled outage intervals exceeding three years, at the conclusion of the first succeeding maintenance outage) or, in those jurisdictions where no regulatory approval is required, on the first day of the first calendar quarter forty‐eight (48) months following NERC Board of Trustees’ adoption of PRC‐005‐6 or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.

          Is the correct date for this 30% threshold 1/1/2018?

          The 30 percent milestone date of compliance for Automatic Reclosing, Sudden Pressure and Dispersed Generation Resources is January 1, 2019.

        • A:October 18, 2016
          How are the requirements of NERC Standard PRC-005-6 applied to Automatic Voltage Regulators (AVRs)? AVRs can trip the generator for many reasons. Modern AVRs are microprocessor based and also have redundancy provided in those. Some can be protective functions similar to protective relays like over excitation, volts per hertz protection, and some can be related to the AVR itself like loss of cooling etc. The generator is tripped generally through lock-out relays.  We have the following questions:
          • Are Modern AVRs, which are microprocessor based and trip the generator under certain conditions, also subject to PRC-005-6 requirements?
          • If yes, which functions of AVRs which trip the unit are under the scope of the standard?
          • What are the requirements for testing these functions which are not provided by discrete relays but are written in the software?
          If some functions like loss of cooling have redundancy (i.e., if one cooler fails, redundant fan will come on and only on loss of both unit will trip), does the standard still apply to such functions which have redundancy?

          If the Automatic Voltage Regulating (AVR) system is configured to trip a BES generator, whether directly or via lockout or auxiliary tripping relays, then the associated Protection System components should be included in the PSMP. In addition, PRC-019-2 requires that the AVR control settings be coordinated at least every five (5) calendar years.
        • A:April 17, 2018
          Background
          According to NERC’s BES Definition, interconnection facilities for small generators that do not meet the nameplate size threshold for BES inclusion are excluded from the BES (i.e., considered non-BES facilities).  Typically, protection systems serving non-BES facilities are not subject to the requirements of the NERC PRC Standards.  However, Transmission Protection Systems on these interconnection facilities may be designed to detect and operate for faults on the BES Transmission network in order to isolate the non-BES generation facility from the BES.

          The Applicability section of NERC Standard PRC-005-6 specifically addresses “Protection Systems … installed for the purpose of detecting Faults on BES Elements,” and this would appear to bring such non-BES Protection Systems into the scope of PRC-005-6.

          Question
          Are Transmission Protection Systems that are designed to detect faults on BES Elements in order to isolate non-BES generation facilities from the transmission network to be included in an entity’s program for compliance with PRC-005-6?

          For a protection system that detects a fault on the BES to be excluded from applicability of PRC-005-6, the protection system must meet all the following criteria:

          • It was not designed or installed to protect the BES;
          • Failure of the protection system to operate would not impact the BES (other than isolating the BES from or to the Non-BES Element); and
          • Unintended Operation of the protection system would only impact the non-BES load or generation (and the limited BES Elements to or from the Non BES Element).
        • A:December 9, 2019
          Is PRC-005-6 applicable to Sudden Pressure Relaying on distribution transformers?

           

          Sudden Pressure Relaying (SPR) installed on distribution transformers are not included in PRC-005-6. Applicability as listed in 4.2.1, 4.2.5, and 4.2.6 describes which SPRs are applicable to the standard.

        • A:May 5, 2020

          Does PRC-005-6 R1 require a maintenance and testing program for potential transformers (PTs) whose function is to protect buses within the plant that provide power to the plant for auxiliary equipment to operate while the plant is out-of-service?

          As referenced in 4.2.5.1 of the Standard, PRC-005-6 requires maintenance and testing for “Protection Systems that act to trip the generator either directly or via lockout or auxiliary tripping relays.”

          Relays and their associated components, which are designed to trip breakers serving station auxiliary, need not be included in the program.

        • A:

          March 5, 2020
          I am seeking clarification of the PRC-005-6 provisions for monitoring and alarming of protection system components. I am working with a generation facility that is only staffed Monday through Friday during normal business hours unless they have an operating schedule. The Facility is interested in installing a battery monitoring system to monitor many of the parameters that are required per the PRC-005-6. However, as the Facility is unmanned over the weekend they would not be able to meet the 24 hour provisions called out in table 2 of the standard. The monitoring system would have an audible alarm associated with it, so as soon as the facility was manned any alarm would be received and corrective action initiated. In this scenario, would the monitoring and alarming system be sufficient to extend and/or reduce the maintenance activities as outlined in table 1-4(f) of the standard?

          Per the standard, the alarm circuits must alert, within 24 hours, at a location wherein corrective action can be initiated. As stated in your question, there is more than a 24 hour gap in coverage throughout the weekend. Therefore, the alarm attributes used to justify extended maximum maintenance intervals and/or reduced maintenance activities does not meet the requirement for a monitored system.

        • A:May 28, 2017
          When adding a relay to the UFLS scheme, does UFLS protection need to be added to a breaker bypass relay in addition to the line relay? The breaker bypass relay protects the line when the breaker is bypassed for maintenance by tripping the entire substation out. Is this redundant level of UFLS protection needed to address breakers that are out of service for maintenance and are typically only bypassed for short periods of time?

           

          If UFLS protection is added to the breaker bypass relay then more load will be shed than necessary when the breaker is out for maintenance, because the load at the substation would also be tripped off. If UFLS protection is not added to breaker bypass relay, then load will not be shed when the breaker is out for maintenance.

          Revised Response:
          If the breaker is part of a UFLS design scheme, the bypass configuration should also perform the intended design function for the UFLS scheme during maintenance, unless the percent of load shedding to be implemented can be met without the contribution of the breaker undergoing maintenance.

        • A:May 4, 2017
          PRC-006-SERC R4.1 says The percent of load shedding to be implemented shall be based on the actual or estimated distribution substation or feeder demand (including losses) of the UFLS entities at the time coincident with the previous year actual Peak Demand.

           

          The NERC glossary defines Peak Demand as:

          1. The highest hourly integrated Net Energy For Load within a Balancing Authority Area occurring within a given period (e.g., day, month, season, or year).
          2. The highest instantaneous demand within the Balancing Authority Area.
            1. What is the given period for PRC-006-SERC R4?
            2. Is it the previous calendar year of January 1 – December 31?
            3. Can an entity choose between summer and winter peak, or do they have to use the greater of the two?

          The given period for PRC-006-SERC-01 is the previous calendar year of January 1 – December 31.

          Each UFLS entity must select the previous year’s summer or winter Peak Demand, whichever is higher.
        • A:4/5/2016
          What is the division of responsibility for the Planning Coordinators with regard to UFLS program implementation (i.e., Standard PRC-006) in instances where pseudo-ties are present?  As an example:  Consider Utility A has loads within its Balancing Authority Area which are served from Utility B’s transmission system through a pseudo-tie arrangement. Utility A claims to be the Planning Coordinator for these loads, but the loads are connected to Utility B’s transmission lines.  Do these loads need to follow Utility A’s UFLS program or Utility B’s UFLS program?

          The answer is based on the following language from PRC-006-1

          R1. Each Planning Coordinator shall develop and document criteria, including consideration of historical events and system studies, to select portions of the Bulk Electric System (BES), including interconnected portions of the BES in adjacent Planning Coordinator areas and Regional Entity areas that may form islands.

          R2. Each Planning Coordinator shall identify one or more islands to serve as a basis for designing its UFLS program…

          R5. Each Planning Coordinator, whose area or portions of whose area is part of an island identified by it or another Planning Coordinator which includes multiple Planning Coordinator areas or portions of those areas, shall coordinate its UFLS program design with all other Planning Coordinators whose areas or portions of whose areas are also part of the same identified island …

          Note that we are talking about UFLS for an island and the island can be as large as a Regional Entity (SERC)

          In the scenario, generation in A is supplying load in B via a pseudo tie.  If the load in B changes, then ACE in A changes and BA A responds.  Frequency in A will be the same as B.  If UFLS action is needed, it will be needed in both areas.  If both A and B have included the load at B in their calculations and take credit for the load, the system may not shed enough load to make a difference on the interconnection.  Therefore, either A or B should take the load, but not both.  The question becomes, which one should take it?  For that answer, we look at the islanded situation where the pseudo tie is broken.

          In the scenario where generation is dropped and frequency is getting dangerously low, UFLS will help, but only if it is part of the interconnected load.  If area A and B are not interconnected (islanded), A is running normally but B is experiencing an under frequency condition, UFLS action in B will help B but it won’t affect A.  As above, if there is any sort of relationship between the UFLS at A and B that would cause load to be shed in both areas, then you could create an over-speed condition in A and create a problem in A. Therefore, only B should include the load in its calculations
        • A:February 21, 2017

          I have a compliance / implementation question around the inter-relationship between PRC-006-2 and PRC-024-2. 

          The implementation plan for PRC-006-1 (now PRC-006-2) states that, for Requirement R4, “Parts 4.1 through 4.6 of Requirement R4 shall become effective and enforceable one year following the receipt of generation data as required in PRC-024-1”.  Requirement R4 requires PCs to conduct a UFLS design assessment “at least once every five years that determines through dynamic simulation whether the UFLS program design meets the performance characteristics in Requirement R3 for each island identified in Requirement R2.”  Parts 4.1 through 4.7 specify things to model in the dynamic simulations, with Parts 4.1 through 4.6 being linked to PRC-024-1.

          The implementation plan for PRC-024-1 (now PRC-024-2) requires Generator Owners to reach initial compliance in four stages.

          •  40% of applicable Facilities compliant by 7/1/2016
          •  60% of applicable Facilities compliant by 7/1/2017
          •  80% of applicable Facilities compliant by 7/1/2018
          • 100% of applicable Facilities compliant by 7/1/2019

          I understand that the SERC DSG has outlined the scope for a UFLS study to be performed this year (attached).  This study should help facilitate the PCs within SERC being able to comply with the “at least once every five years” aspect of PRC-006-2 R4, as the last regional UFLS study was completed in 2012.  Presumably, the PCs within SERC will be able to request and utilize PRC-024-2 data from GOs within their footprint that are meeting the above PRC-024-2 milestone dates.

          My question is: What is the ERO’s intent for PCs complying with PRC-006-2 R4 during the initial phase-in of PRC-024-2?  Following completion of the SERC UFLS study in 2017, is there an expectation that the SERC PCs will also perform simulation-based UFLS assessments in 2018, 2019, and 2020 (one year following each PRC-024-2 milestones above)?  Or, is the compliance expectation that PCs in SERC shall complete their next PRC-006-2 R4 assessment in 2022 (five years after 2017)?

          If a Planning Coordinator uses a 2017 SERC DSG UFLS design assessment, the next design assessment will not be required until 2022.  The generator “no trip zone” as prescribed in PRC-024-2 Attachment 1 and Attachment 2 will not change.  For instances where generators are unable to meet the relay setting criteria described in PRC-024-2 Attachment 1 and Attachment 2 these should be documented in accordance with PRC-024-2 R3.

        • A:8/25/2016
          I am supporting a facility who is in a unique situation with their registration and we are looking for some guidance on where they fit into the new standards (e.g. PRC-019, PRC-024, etc.) with a 40% deadline on July 1.

          The operator is a company that both owns and operates a number of facilities throughout the country and generally combines this under a single GO/GOP registration per region.  However, the facility in question has separate GO and GOP registrations that reflects only that plant due to having a separate ownership structure. 

          The question is, would the plant have to be 100% compliant as of July 1 or would they be able to be classified as 1 of x number of facilities in the operating company’s fleet and only 40% of those would have to have been compliant on July 1?

          The Reliability Standard applies to the Generator Owner function by NCR number.  For applicable individual units at a single generating plant/Facility, the entity must be at least 40 percent compliant as of July 1, 2016.  The units to be compliant is equal to 40% of the total units rounded up to the next whole unit.  Example: (8 units X 40% = 3.2) rounded up would require 4 units to be compliant as of July 1, 2016.

        • A:December 9, 2019

          PRC-019, Requirement R1, states “At a maximum of every five calendar years, each Generator Owner and Transmission Owner with applicable Facilities shall coordinate the voltage regulating system controls...”

          Question: Our initial coordination study was completed by a third party in 2016 and included required documentation from Section G of the Standard. Therefore, our next analysis would be due in 2021.  For the upcoming 2021 analysis, is it sufficient to state that the plant has not undergone any equipment changes or relay settings changes that would affect the coordination?  The P-Q Diagram, R-X Diagram, and/or Inverse Time Diagrams were reviewed during the initial study, what additional evidence would SERC look for from the 5-year review?

          From the perspective of a small generating facility, a full study similar to the initial study requires hiring a third party, and if nothing has changed an entity would be paying them to restate the same information from the 2016 study.

          The entity is required to coordinate the voltage regulating system controls every five (5) calendar years after the initial coordination has been completed in accordance with the Implementation Plan. Your next coordination review will be in 2021.

        • A:8/25/2016
          Our entity has identified that one relay setting needs to be changed at the Facility A.  We would like guidance in regards to the interpretation of the following:

          R2 states that we have 90 calendar days following the identification OR implementation of systems, equipment or setting changes to perform the coordination as described in R1.

          Facility A is required to be available 24-7 during the summer peak period from June 1 to September 30.  If we assume that the 90 day period starts when PRC-019 took effect on July 1, 2016, then we would have to shut down Facility A for a period of time to implement the settings change during the summer peak period, which can be a reliability issue. 

          This is where clarification is needed:  We are interpreting the “OR implementation” to be that we can delay the R1 coordination until we implement the settings change.  Is that correct? 

          If so, we could schedule the settings change in October when Facility A is released from its 24-7 obligation; and we would still have 90 days for the R1 coordination.  Correct?

          The 90 calendar day window in R2 is focused on the need for setting changes to occur based on an identified coordination problem. The trigger for the 90 day period to begin could be caused by one of the following:

          1. Discovery that current settings are not correct;
          2. Replacing or installing new equipment or components that require re-coordination of settings; or
          3. Changes in the capability or settings of the Facility “unit” or other equipment that affects setting coordination.  

          The 90 calendar day window is only applicable to Facilities that are compliant with R1.  If the Facility is not part of the percentage milestone calculation, R2 does not apply.

          Example

          An entity has 10 generating units.  As of July 1, 2016, four of those units had to be compliant with the standard meaning that the entity completed coordination of the settings on those units in accordance with R1 by July 1, 2016.  The entity is in the process of evaluating the coordination on two more units in order to meet compliance with the 60% milestone by July 1, 2017.  During the settings evaluation, the entity determines that one of the units requires a setting change. The applicable Facility is not included in the 40 percent milestone calculation, therefore the 90 calendar day window does not yet apply.  The coordination change to this unit is required by July 1, 2017 in order to be considered in the 60% compliant calculation.

        • A:7/22/2014

          Please explain how to be compliant and when each is effective. 
          SERC cannot comment on how to be compliant. SERC staff is currently reviewing the material to plan the appropriate outreach initiatives. 

          Below is the requested effective date information.

          PRC-019-1  
            40% of applicable Facilities are to be compliant by 7/1/2016
            60% of applicable Facilities are to be compliant by 7/1/2017
            80% of applicable Facilities are to be compliant by 7/1/2018
            100% of applicable Facilities are to be compliant by 7/1/2019

          PRC-024-1  
            40% of Facilities are to be compliant by 7/1/2016
            60% of Facilities are to be compliant by 7/1/2017
            80% of Facilities are to be compliant by 7/1/2018
            100% of Facilities are to be compliant by 7/1/2019

        • A:11/1/2016
          One of our generation protection SME's is working on a summary of required actions in PRC-019-2.  R1 requires voltage regulation system controls coordination "At a maximum of every five calendar years…".
          The phrase "calendar years" is not capitalized, so it's not in the NERC Glossary.  He would like to know precisely what this means?  Does it mean:
          • Precisely 60 months from completion of the last coordination study?
            • For example, if the last study was completed 6/1/2016, the next one must be completed < 6/1/2021
          • Do you have until the end of the year five years after the last coordination study was completed?
            • This would be similar to PRC-005-6
            • However, with PRC-005, the terms Calendar Month and Calendar Year are defined in the Supplementary Reference
            • In PRC-005, if the last study was completed 6/1/2016, a five Calendar Year requirement means the next one must be completed < 12/31/2021.
          We are currently planning and thinking through all the Requirements and scheduling required for compliance. Any guidance is greatly appreciated.
           
          The PRC-019-2, R1 states “At a maximum of every five calendar years…”  The term is not capitalized, so you apply the common, dictionary definition: Calendar year is defined by the Gregorian calendar in common use as beginning on January 1st and ending on December 31 of that same year. If the first verification occurred July 1, 2016, then it occurred in the 2016 calendar year.  To remain compliant, the next verification must occur no later than December 31, 2021.
        • A:June 15, 2017
          I am trying to find NERC recognized guidance regarding how wind farms are expected to (know how to) apply the PRC-019 implementation schedule if all turbines are connected at a common bus. If this definition means 100% of the applicable facility (all turbines because they share a common bus), is the implementation date July 2016 (at 40%, how do you take 40% of one) or July 2019 (the 100%)? I have reviewed the implementation plan; but it, nor the Standard, provides this specific guidance. 
          In accordance with PRC-019-2 applicable Facilities section 4.2.3.1 and the rationale for 4.2.3.1 on page 11 of the standard, if each wind turbine has individual voltage regulating controls, the units are allowed to be phased into compliance on a percentage basis per the implementation plan.  If the wind turbine voltage regulation is done at the aggregate level, the Facility would fall under Applicability section 4.2.3 and would be considered one unit at the point of aggregation above 75 MVA.

          Example 1:
          For 50 wind turbines rated at 1.5 MW with one voltage regulation controller at the collector bus, compliance date for voltage regulation controller is 1 unit X 40 percent = 0.4. Rounded up would require the single voltage regulation controller to be compliant as of July 1, 2016.

          Example 2:
          For 50 wind turbines rated at 1.5 MW with an individual voltage regulation controller on each turbine, compliance date for voltage regulation controllers is 50 units X 40 percent = 20 units to be compliant as of July 1, 2016.

        • A:October 18, 2016
          NERC Standard PRC-019-2 R1.1.2 states: “The applicable in-service Protection System devices are set to operate to isolate or de-energize equipment in order to limit the extent of damage when operating conditions exceed equipment capabilities or stability limits.” Does this require the Protection System devices to fully protect the equipment for all circumstances, or are some gaps in the protection acceptable.

          Entities should coordinate voltage regulator with the Facility Protection Systems in a manner to prevent the generator from tripping unnecessarily.

        • A:9/30/2014

          This is regarding PRC-023-2 or 023-3.  Entity X is the TP, and it is not providing the list directly to the GO.  Entity X is requiring that the GO access a secure confidential "extranet."  This is not the same with other TPs that provide the information directly to the registered GO.  This is setting the GO up for an instance where the GO is not specifically informed of being on the list.

          This is an issue between the Entity X Registered Entities and Entity X.  The Reliability Standards state that the PC is required to provide the list of circuits to all RE, RC, TO, GO, and DP within their PC area within 30 days of creating the list. If your company is not identified as being on the list, it would be a good practice to confirm this with the PC.

          PRC-023-2 and -3:

          R6. Each Planning Coordinator shall conduct an assessment at least once each calendar year, with no more than 15 months between assessments, by applying the criteria in Attachment B to determine the circuits in its Planning Coordinator area for which Transmission Owners, Generator Owners, and Distribution Providers must comply with Requirements R1 through R5. The Planning Coordinator shall: [Violation Risk Factor: High] [Time Horizon: Long Term Planning]

          6.1 Maintain a list of circuits subject to PRC-023-2 per application of Attachment B, including identification of the first calendar year in which any criterion in Attachment B applies.

          6.2 Provide the list of circuits to all Regional Entities, Reliability Coordinators, Transmission Owners, Generator Owners, and Distribution Providers within its Planning Coordinator area within 30 calendar days of the establishment of the initial list and within 30 calendar days of any changes to that list.

        • A:April 20, 2018
          Do you agree that the Implementation Plan for PRC-023-3, Requirements R1 through R6 table on pages 3 through 6 of the PRC-023-3 – Transmission Relay Loadability Implementation Plan document is Effective for PRC-023-4?

          Background:
          PRC-023-2 included a table of the effective dates of the requirements in PRC-023-2 in Section 5. Effective Dates (pages 1 through 4 of the standard).

          PRC-023-3 moved the table of the effective dates of the requirements in PRC-023-3 from the body of the standard to the Implementation Plan for PRC-023-3, Requirements R1 through R6 table on pages 3 through 6 of the PRC-023-3 – Transmission Relay Loadability Implementation Plan document.

          PRC-023-4 does not have a table of the effective dates of the requirements in PRC-023-4 in the body of the standard nor in the Implementation Plan for the Revised Definition of “Remedial Action Scheme”, which is associated with PRC-023-4.

          We consider the Implementation Plan for PRC-023-3, Requirements R1 through R6 table on pages 3 through 6 of the PRC-023-3 – Transmission Relay Loadability Implementation Plan document to be Effective because we find nothing to indicate that the PRC-023-4 Implementation Plan (transition from SPS to RAS) retires or changes the PRC-023-3 Implementation Plan.

          This has come into question by some Registered Entitles because there is no table of the effective dates of the requirements in PRC-023-4 nor its associated Implementation Plan document.

          Yes, all aspects of the Implementation Plan for PRC-023-3, Requirements R1 through R6 table on pages 3 through 6 of the PRC-023-3 Transmission Relay Loadability Implementation Plan, will remain applicable to PRC-023-4. Entities with newly classified Remedial Action Schemes (RAS) resulting from the application of the revised definition must be fully compliant with any applicable RAS twenty-four months from the Effective Date of the revised definition of RAS. This additional time applies only to existing schemes that must transition to RAS due to the revised definition. The effective date for the definition of Remedial Action Scheme was effective 7/1/2017. Therefore any circuits that have been newly identified by the entity for inclusion due to the change in the RAS definition will have this additional time, until 7/1/2019, for implementation.

        • A:August 27, 2018
          What would be considered “coordination of all new protective systems and all protective system changes”?  We have heard this addressed at several recent RE workshops, and the answer has ranged from ‘notification to the TOP is considered coordination’ to ‘you must wait until you receive a response from the TOP approving the changes.’  Example:  One site (generation station) needed to make changes to meet compliance with PRC-024.  They notified the TOP of the required changes, but did not receive confirmation that the changes were acceptable until six months later after two follow up e-mails from the site/plant.  The plant was in an outage at the time of the initial email notification to the TOP and had the contractors on-site that could make the changes.  Should the plant have waited to receive a response from the TOP before completing the work, thereby rescheduling the contractors to return to the site at a later date, and potentially miss a compliance enforcement date?  Was the plant’s initial notification to the TOP sufficient to meet compliance?

          Notification to the TOP or BA for new or changes to protective systems via email or some other documented means of communication is sufficient for coordination and compliance.  However, making a change to a protective system without proper coordination could cause unintended operation or non-operation of an interconnected entity’s protection, thus potentially having an adverse impact to the BPS. Following up emails with phone calls or other means of contact with the TOP is encouraged in this situation to ensure that the overall protection system will functionally operate as designed.

        • A:12/1/2015
          What is SERC’s interpretation of PRC-024-1 implementation plan regarding protection systems? Protection System is not capitalized in the Standard.

          The protection systems referenced in the Implementation Plan are the relay protective devices as stated in Requirements 1 and 2. These devices are separate and apart from the Protection Systems listed in the NERC Glossary (PRC-005).

        • A:7/6/2016

          One of my facilities in the SERC region has determined that they have two relays per unit (4 simple cycle units) subject to PRC-024 that will require setting changes.  They have contacted Transmission Planner and received the okay to make the changes from a transmission standpoint. However, the unit manufacturer will not approve changes recommended by a third-party engineering firm. The plant is hesitant to make any changes to a machine without that okay.  They have been waiting for weeks to get approval before making changes, but are at a point that they will not be able to make them before the July 1, 2016 compliance date.

          From a compliance standpoint: 1) is it sufficient that they have made the relay setting determinations and have a plan to implement the changes, 2) does this need to be self-reported, or 3) would this be considered an equipment limitation under R3, until we get approval from the manufacturer that there are no limitations? 

          The determination of required changes to relay settings and a plan to implement the changes does not meet compliance with PRC-024-2. Ordinarily, the failure to make the changes in a manner that achieves compliance in accordance with the 5-year implementation plan should be self-reported. However, depending upon the manufacture’s reasons for denying the changes, there may be a valid equipment limitation as described in R1 and R2.  If so, the entity is required to document the limitation and communicate the limitation to the Planning Coordinator and Transmission Planner in lieu of making the changes as required in R1 and R2.  See PRC-024-2 R3 for details.

        • A:June 21, 2019
          One of our facilities has started to make relay setting changes and had two relays fail during the setting change. This has made them apprehensive to continue to make the changes on the remaining relays (the same model as the two that previously failed). They have started doing the engineering to replace these relays as the ones currently installed are end of life. Would a situation like this give them a basis to extend to the 10/1/2021 date as they are working to replace the relays? While we want to be compliant with PRC-025, we also do not want to increase the risk to the BES by having multiple relays fail trying to make the required changes to get into compliance.

          The implementation guide for PRC-025-2 puts the determination responsibility on the Generator Owner, Transmission Owner, or Distribution Provider to decide whether replacement or removal of the relay(s) is necessary. If it is determined that replacement or removal rather than setting changes is necessary, then the implementation date of October 1, 2021 is applicable. The entity should keep some form of documentation to support their basis for making this determination.

        • A:9/30/2014

          Is PRC-025-1 intended to replace the GO's obligations under PRC-023-3?

          No, PRC-023-3 is still applicable to GOs.  GOs need to review PRC-023-3 to determine if they have applicable Facilities.  PRC-025-1 applies to Generator Loadability, PRC-023-3 applies to Transmission Loadability.  Both Reliability Standards are applicable to TO, GO, and DP.  PRC-023-3 is also applicable to PCs.

        • A:

          October 18, 2019
          Facilities applicable to PRC-025-2 include blackstart resources in the TOP’s system restoration plan. Table 1 – Relay Loadability Evaluation Criteria that is associated with PRC-025-2 notes a connection point via a GSU for each relay loadability setting option specified for synchronous generation units. How should PRC-025-2 Table 1 – Relay Loadability Evaluation Criteria be applied to a blackstart resource that uses PRC-025-2 applicable elements but connects directly via a 14kV bus (no GSU)?

          Per the Standard, Blackstart resources in the Transmission Operator’s system restoration plan are applicable. Thus, it is necessary to include all load-responsive protective relays at the terminals’ Elements (generator). Consequently, relay functions such as 21, 50, 51,51V-R, 51V-C from the Blackstart Unit to the low side of the three winding transformer (GSU) would apply to the loadability requirement in PRC-025-2 using an appropriate option for your application in Table 1. The following option may apply under your scenario (1a, 1b, 1c, 2a, 2b, 2c, 3, 7a, 7b, 7c, 8a, 8b, 8c, 9a, 9b and 9c). Refer to your site Relay Functional Diagrams and compare it to Figure 5 on page 37 of the Standard as an illustration of the connections that may apply to you for each of the Table 1 options provided in PRC-025-2. It is important to note that standard does not require that you use any of the protective functions listed above.

        • A:June 5, 2019
          PRC-025 is applicable to UATs.  If however, during normal plant operations, a problem occurs with the UAT and the plant operators switch auxiliary load to their start-up transformer in order to keep the generator in service, is the start-up transformer now applicable to PRC-025 because it’s supporting auxiliary power to keep the generating unit online?

          PRC-025-2 does not require the Generator Owner, Transmission Owner, or Distribution Provider to use any of the protective functions listed in Table 1. However, each Generator Owner, Transmission Owner, and Distribution Provider that applies load-responsive protective relays on their respective Elements listed in Section 4.2, Facilities, which includes Unit Auxiliary Transformers, shall use one of the Options in Table 1, Relay Loadability Evaluation Criteria to set each load-responsive protective relay element according to its application and relay type. The start-up transformer in this scenario would be applicable to PRC-025-2 because it would be functioning as the Unit Auxiliary Transformer and would need the same protective functions applied to it as the normal Unit Auxiliary Transformer.

        • A:

          June 5, 2019
          PRC-025 is applicable to UATs.  If however, during normal plant operations, a problem occurs with the UAT and the plant operators switch auxiliary load to their start-up transformer in order to keep the generator in service, is the start-up transformer now applicable to PRC-025 because it’s supporting auxiliary power to keep the generating unit online?

          PRC-025-2 does not require the Generator Owner, Transmission Owner, or Distribution Provider to use any of the protective functions listed in Table 1. However, each Generator Owner, Transmission Owner, and Distribution Provider that applies load-responsive protective relays on their respective Elements listed in Section 4.2, Facilities, which includes Unit Auxiliary Transformers, shall use one of the Options in Table 1, Relay Loadability Evaluation Criteria to set each load-responsive protective relay element according to its application and relay type. The start-up transformer in this scenario would be applicable to PRC-025-2 because it would be functioning as the Unit Auxiliary Transformer and would need the same protective functions applied to it as the normal Unit Auxiliary Transformer.

        • A:March 19, 2018

          PRC-026 R1, which became effective January 1, 2018, requires the Planning Coordinator to provide annual notification of BES elements to the GO and TO. If the GO/TO receives a notification in late 2017 and another notification in early 2018, should both notifications be considered annual notifications and the BES listing on each notification evaluated and dispositioned in accordance with R2, R3 and R4?

          In addition, if the BES listing changes with each annual notification, does the new listing supersede the previous listing and the actions required by R2, R3, and R4 are no longer applicable to the BES elements on the previous listing?

          PRC-026-1, Requirement 1, which came into effect on 1/1/2018, requires the Planning Coordinator (PC), at least once each calendar year, to provide each Generator Owner (GO) and Transmission Owner (TO) notification of each generator, transformer, and transmission line BES Element in its area that meets at least one or more of the criteria listed in R1.

          According to the implementation plan, the 36 months for the GO and TO in Requirement R2 (and Requirements R3 and R4) is intended to allow the entity an opportunity to address the initial influx of identified Elements in Requirement R1. However, there is no obligation for the GO or TO to perform Requirement R2, R3, or R4 until the effective date of these Requirements. Therefore, the 36 month period allows the entity the opportunity to assess each of the notification lists received from the PC prior to the 1/1/2020 implementation date for R2, if they choose to do so prior to its required compliance obligation.

          When Requirement 2 becomes effective on 1/1/2020, it starts a 12-month clock for the GO/TO to perform the required determinations for any list received from the PC. R3 and R4 requires a corrective action plan and its implementation, if necessary.

          The PC is required to perform its assessment annually and submit a list annually. After 1/1/2020, receipt of that list starts another 12-month clock for that list.

          The Standard Requirement Effective Dates are:

          PRC-026-1     R1       1/1/2018
          PRC-026-1     R2       1/1/2020
          PRC-026-1     R2.1    1/1/2020
          PRC-026-1     R2.2    1/1/2020
          PRC-026-1     R3       1/1/2020
          PRC-026-1     R4       1/1/2020

        • A:May 13, 2019

          Would you verify and provide some clarification for PRC-026-1 based on the examples and questions below?

          PRC-026

          • R1 - PC notifies GO or TO with elements that meet criteria of R1
          • R2 - once GO has been notified
            • Within 12 full calendar months
              • Determine whether protective relays applied meet the criteria of Attachment B
              • Become aware of a generator, Transformer, or transmission line tripped in response to a stable or unstable power swing, meet the criteria of Attachment B
            • Example: if a GO is notified by the PC on 12/17/18, typically they would have to make the determination of R2 by 12/17/19, since the requirement doesn’t take effect until 1/1/2020.
              • Q1: This determination must take place by the 1/1/2020 effective date?
          • R3 – within six full calendar months of determining the Protective System does not meet the Attachment B criteria, the entity must develop a CAP.
            • Once the determination of R2 has been completed a CAP must be completed within six calendar months
            • Example: Determination of R2 is complete on 11/15/19
              • Q2: R3 CAP has to be developed by 5/15/2020?
                • Do the relays have to meet Attachment B by the 5/15/2020? Or; for this first effective date of 1/1/2020?
                • Can the implementation of the CAP run past the six month development process of the CAP? Example: Six months to develop the CAP is 5/15/2020. Can the CAP completion take 9 months or a year?

          Responses:

          Question 1: There is no obligation on the GO/TO to perform Requirement R2, R3, or R4 until the effective date of these Requirements.

          If a GO/TO is notified on or before 1/1/20 the determination for Requirement R2 must take place before 1/1/2021. If a GO/TO is notified any time after 1/1/20, then the determination for Requirement R2 must take place within 12 full calendar months of the notification date.

          Question 2, first bullet: The GO/TO must develop the CAP within 6 full calendar months of determining a load-responsive protective relay does not meet the PRC-026-1 – Attachment B pursuant to Requirement R2. If the determination for R2 is made on or before 1/1/20, then the CAP is due before 7/1/2020.  If the determination for R2 is made any time after 1/1/20, then the CAP is due within 6 full calendar months of the determination date.

          Question 2, second bullet 2: The implementation of the CAP could go beyond the six month development process. If this occurs, the GO/TO must update each CAP if actions or timetables change until all actions are complete.

          Refer to the FAQ_Implementation_Plan_PRC_026_1_04102018.pdf at the link below for more details.

          https://www.nerc.com/pa/Stand/Project%202010133%20Phase%203%20of%20Relay%20Loadability%20st1/FAQ_Implementation_Plan_PRC_026_1_04102018.pdf

        • A:November 11, 2019
          We need to get an interpretation of PRC-027 R2 Option 2.  When reading the option and the footnote 1, there appears to be a requirement to perform an initial coordination study at the time you set the Fault current values. We have had others say that is not the requirement and that we are reading more into the option than what NERC intended.  Would you clarify if is there a requirement to do a coordination study at the time you set the Fault current values baseline as required by option 2?

           

          Option 2 is a Fault current based methodology. If an entity elects to initially use Option 2, Fault current baseline(s) must be established prior to the effective date of the standard. In a time interval not to exceed six-calendar years following the effective date of this standard, an entity must perform a Fault current comparison. Page 12 of 17 in the standard provides a specific example for Option 2, and it does not appear a coordination study is required as the entity set up the Fault current baseline(s).

           

        • A:

          October 16, 2019
          Requirement R1.1 of PRC-027 requires a review and update of Short Circuit Model Data for the BES elements under study.  Does this data refer to the Short Circuit data submitted to the TP under MOD-032?  If not, can you specify what data our engineers need to be reviewing in order to comply with the standard?

          Entities can obtain the short-circuit model data submitted to the TP such as MOD-032 planning data from either the Transmission Planners, Planning Coordinators or Transmission Owners.  A review and if necessary an update of the short-circuit study topology may be necessary to ensure that information accurately reflects the physical power system that will form the basis of the Protection System Coordination Study and development of Protection System relay settings.

          Reviews could include:

          1. A review of applicable BES line, transformer, and generator impedances and Fault currents.

          2. A review of the network model to confirm the network in the study accurately reflects the configuration of the actual System, or how the System will be configured when the proposed relay settings are installed.

          3. A review, where applicable, of interconnected Transmission Owner, Generator Owner, and Distribution Provider information.

        • A:

          June 21, 2017
          Once the initial assessment has been coordinated and new relay/limiters settings have been implemented to bring those Facilities into compliance, does that mean these are considered “setting changes that will affect the coordination”, therefore requiring the Facility to perform another coordination as described in R1?

          Additional coordination would not be required if the setting changes described were completed as a result of the initial assessment to bring the facility into compliance with R1.  The 90 calendar day window in R2 is only applicable to those facilities that are already compliant with R1 as part of the PRC-019-2 implementation plan.  If subsequent coordination problems are identified after initial compliance is achieved, R2 would apply.

        • A:Updated:  1/1/2019

          The Standard states, “Each UFLS entity must annually review that the amount of UFLS load shedding implemented is within a certain tolerance as specified by SERC Standard PRC-006-SERC-02 Requirement R4 or Requirement R5 by May 1 of the current year.” It also states, “the percent of load shedding to be implemented shall be based on the actual or estimated distribution substation or feeder demand (including losses) of the UFLS entities at the time coincident with the previous year actual Peak Demand.” If the previous year’s actual Peak Demand switched from its usual peak season (example: switch from Page 1 of 2 summer to winter due to an abnormally cold period in the previous winter), is the UFLS plan expected to be implemented based on this new season peak?

          Yes, the intent of the standard is that registered entities base the amount of UFLS load shedding implemented on the previous year’s actual Peak Demand.

        • A:Updated:  1/1/2019

          In the case where the previous year’s actual Peak Demand switches seasons, does the May 1 time frame still apply?

          Refer to item 4 in the Guideline and Technical Basis section of the subject standard. The answer depends upon the extent of changes required to the UFLS plan. As stated in the Guideline and Technical Basis section of the standard, "the May 1 date applies only to implementation of the existing percentages of load shedding specified by the Planning Coordinator.“ The 18-month time frame specified in PRC-006-SERC-02 Requirement R6 is intended to allow sufficient budgeting, procurement, and installation time for additional equipment or for significant setting changes to existing equipment necessary to meet a revised load shedding scheme design that has been specified by the Planning Coordinator. During this 18-month transition period, the May 1 measurement of R4 or R5 would not apply.

          Item 4 in the Guideline and Technical Basis section of the PRC-006-SERC-02 standard copied below for reference:

          4. Basis for May 1 and 18 month time frames

          Each UFLS entity must annually review that the amount of UFLS load shedding implemented is within a certain tolerance as specified by SERC Standard PRC-006-SERC-02 Requirement R4 or Requirement R5 by May 1 of the current year. May 1 was chosen to allow sufficient time after the previous year’s peak occurred to make adjustments in the field to the implementation if necessary to meet the tolerances specified in Requirement R4 or Requirement R5. Therefore, the May 1 date applies only to implementation of the existing percentages of load shedding specified by the Planning Coordinator. On the other hand, the 18-month time frame specified in PRC-006-SERC-02 Requirement R6 is intended to allow sufficient budgeting, procurement, and installation time for additional equipment, or for significant setting changes to existing equipment necessary to meet a revised load shedding scheme design that has been specified by the Planning Coordinator. During this 18-month transition period, the May 1 measurement of R4 or Requirement R5 would not apply.

        • A:9/30/2014

          PRC-006-SERC-1 R6, which requires the UFLS Registered Entity to implement certain specified changes to the UFLS scheme within 18 months of notification by the PC goes into effect October 1, 2015.  If changes are recommended by the PC prior to October 1, 2015, can the UFLS Registered Entity take longer than 18 months from notification to implement those changes?

          No.  PRC-006-SERC-1 R6 is currently effective.  R6 becomes enforceable October 15, 2015.  The UFLS Registered Entity has 18 months to implement the changes after it is notified by the PC.

          “R6. Each UFLS entity shall implement changes to the UFLS scheme which involve frequency settings, relay time delays, or changes to the percentage of load in the scheme within 18 months of notification by the Planning Coordinator.”

        • A:October 18, 2016
          TOP-001 / IRO-001: Draft RSAW v4 asks for a list of operating instructions received during the audit period.  Is SERC expecting a complete list of all operating instructions during an audit period?  This list could be extensive.

          No, SERC will sample certain days of the audit period per NERC Sampling Methodology.

        • A:August 6, 2019
          If an entity is required to evacuate its control center pursuant with EOP-008, is an entity still required to ensure a Real-Time Assessment is performed every 30 minutes per TOP-001 R13 for the two (2) hour allotted transition time allowed by EOP-008 R1.5?

          Yes, an entity must perform an RTA every 30 minutes. During the transition to the alternate control center, the RTA can be performed by the TOP’s RC or another designated registered entity.

        • A:October 18, 2019
          1. TOP-001 R20-R24:  What is an acceptable or reasonable time frame to have each and all components of data exchange infrastructure tested?
            An entity's testing practices should, over time, examine the various failure modes of its data exchange capabilities. When an actual event successfully exercises the redundant functionality, it can be considered a test for the purposes of the proposed requirement. An entity may identify different test scenarios and develop a schedule to conduct a redundant functionality test using one such scenario every 90 calendar days.
          2. Is there a maximum or discouraged time frame not to go over?
            An entity must conduct a redundant functionality test within 90 calendar days of its most recent test (no more than 90 calendar days between tests).  An entity should determine which individual components or combinations of components should be removed from service to test the redundant functionality of the remaining available data exchange path(s). 
          3. Is DAC1 included in this standard”?

            In general, data exchange infrastructure in the context of the requirements in scope does not include the following:

            • An Entity’s devices or components (e.g. front end processors, application servers etc.) that are not associated with ICCP or an equivalent protocol.
            • Remote Terminal Units (RTU’s) or other similar types of Data Collection Units (DCU’s).  Entities are not required to have redundant RTUs, DCUs or similar type of field communication devices utilized for obtaining telemetry information.
            • Infrastructure that is not within the TOP’s Primary Control Center is not addressed by the requirement.
          4.  Does all equipment need to be tested in 90 days?
            No, not all equipment has to be tested in 90 days.  See response in 1 and 2 above. The requirements do not identify specific components of an entity’s data exchange infrastructure that need testing for redundant functionality.  The tests for redundant functionality are highly dependent on an entity’s data exchange infrastructure configuration.
        • A:December 7, 2017
          TOP-001-4 R9 states:

          Each Balancing Authority and Transmission Operator shall notify its Reliability Coordinator and known impacted interconnected entities of all planned outages, and unplanned outages of 30 minutes or more, for telemetering and control equipment, monitoring and assessment capabilities, and associated communication channels between the affected entities.

          Is the intent for BAs and TOPs to submit ALL planned outages (individual RTU outages) to the RC or is the intent for BAs and TOPs to submit planned outages that may impact their monitoring tools (multiple RTUs in one area)?

          The responsible entity is required to notify its RC of all planned outages as prescribed by its RC, which could include daily groupings.  Any notification method is acceptable. As stated in the measure, acceptable evidence includes dated operator logs, voice recordings or transcripts of voice recordings, electronic communications, or other equivalent evidence.

        • A:7/28/2016
          In the proposed TOP-001-4, R20, we assume that “redundant and diversely routed data exchange infrastructure within the Transmission Operator’s Control Center” refers to redundant ICCP servers that are tested each month. Is this correct?
           
          R20. Each Transmission Operator shall have data exchange capabilities, with redundant and diversely routed data exchange infrastructure within the Transmission Operator's Control Center, for the exchange of Real-time data with its Reliability Coordinator, Balancing Authority, and the entities it has identified it needs data from in order for it to perform its Real-time monitoring and Real-time Assessments.

          Redundant and diversely routed data exchange capabilities consist of infrastructure that will provide continued functionality despite failure or malfunction of an individual component within the Control Center. Redundancy and diverse routing may be achieved in various ways depending on the arrangement of the infrastructure or hardware within the Control Center. ICCP data will be an acceptable source of data exchange within the control center if accompanied by redundant data exchange capabilities.  

          M20:
          Each Transmission Operator shall have, and provide upon request, evidence that could include, but is not limited to, operator logs, system specifications, system diagrams, or other evidence that it has data exchange capabilities, with redundant and diversely routed data exchange infrastructure within the Transmission Operator's Control Center, for the exchange of Real-time data with its Reliability Coordinator, Balancing Authority, and the entities it has identified it needs data from in order to perform it Real-time monitoring and Real-time Assessments as specified in the requirement.

        • A:June 24, 2019
          Concerning TOP-001-4 R23, when evaluating diversely routed data exchange infrastructure, does SERC require redundant cabling to be in separate cable trays or conduit, or can the wiring be within the same cable tray or conduit within the primary Control Center?

          R23. Each Balancing Authority shall have data exchange capabilities, with redundant and diversely routed data exchange infrastructure within the Balancing Authority's primary Control Center, for the exchange of Real-time data with its Reliability Coordinator, Transmission Operator, and the entities it has identified it needs data from in order for it to perform its Real-time monitoring and analysis functions. [Violation Risk Factor: High] [Time Horizon: Same-Day Operations, Real-time Operations]

          The data infrastructure cabling should be routed through an independent tray and conduit system within the primary control center.

        • A:

          October 18, 2019
          We have a clarification question regarding the question asked in the July SERC Newsletter. What is SERC's expectation in regards to “redundant and diversely routed data”? Should the data infrastructure cabling be routed through an independent tray and conduit system within the primary control center? (How do you verify that during the onsite audit?) Did you have any onsite experience related to this requirement in SERC? I understand that some of the FRCC members have a different interpretation than SERC.

          From the July 2019 SERC Newsletter
          Question: June 24, 2019
          Concerning TOP-001-4 R23: When evaluating diversely routed data exchange infrastructure, does SERC require redundant cabling to be in separate cable trays or conduit, or can the wiring be within the same cable tray or conduit within the primary Control Center?

          Response:
          R23: Each Balancing Authority__ shall have data exchange capabilities, with redundant and diversely routed data exchange infrastructure within the Balancing Authority’s primary Control Center, for the exchange of Real-time data with its Reliability Coordinator, Transmission Operator, and the entities it has identified it needs data from in order for it to perform its Real-time monitoring and analysis functions. [Violation Risk Factor: High] [Time Horizon: Same-Day Operations, Real-time Operations]

          Per the NERC Reliability Standard TOP-001-4 Supplemental guidance and the Recent NERC implementation guidance:

          • The requirements in scope do not directly contemplate specific physical criteria or distances to achieve diverse routing.  Entities may choose to achieve diverse routing through physical or logical means.  An entity applying a risk-based approach may consider the overall strategy of data exchange infrastructure setup within its Primary Control Center in determining whether adequate redundancy and diversity in routing has been achieved to avoid single points of failure that could halt the flow of Real-time data.
          • The entity may not need specific physical criteria or distances to achieve diverse routing.  For example, while it may not be a best practice, depending on the entity’s individual circumstances, the entity may run multiple cables through the same tray or conduit as long as the cables are connected to different components.

          SERC verifies this requirement during an on-site audit by reviewing forms or documents of evidence provided by the entity listed in the measurement for this requirement.

        • A:August 17, 2017
           TOP-002-4 R2 and R4:  Is it acceptable for a TOP and BA to develop its Operating Plan for next day operations on Friday for Saturday, Sunday, and Monday and provide an updated Operating Plan only if conditions warrant an update to the plan?
          A TOP or BA may develop its Operating Plan for next day operations on Friday for Saturday, Sunday, and Monday only if the time period is mutually agreed upon between the entity and its Reliability Coordinator. A BA and TOP must provide an updated Operating Plan as conditions warrant an update to the plan.
        • A:December 7, 2017
          TOP-002-4 R2 and R4:Is it acceptable for a TOP and BA to develop its Operating Plan for next day operations on Friday for Saturday, Sunday, and Monday and provide an updated Operating Plan only if conditions warrant an update to the plan?

          R2: a TOP and BA may submit an Operating Plan for an identified period of time (such as the weekend, or until further notice) provided that there is a daily assessment of whether changes have occurred to the assumptions about operating conditions (e.g., outages, system topology/system configuration, weather and/or load, etc.) that result in the need to submit an updated plan. If, and only if, the RC agrees to the interval and conditions that would require an updated Operating Plan.

          R4: a TOP and BA may submit an Operating Plan for an identified period of time (such as the weekend, or until further notice) provided that there is a daily assessment of whether changes have occurred to the assumptions about operating conditions (e.g., weather, outages and/or load, etc.) that result in the need to submit an updated plan. If, and only if, the RC agrees to the interval and conditions that would require an updated Operating Plan.

        • A:December 7, 2017
          Is a TOP required to submit an Operating Plan to its RC even if the TOP did not identify a potential SOL exceedance as a result of its Operational Planning Analysis?

          (Transmission Operator):
          a.  If the Operational Planning Analysis performed in TOP-002-4 R1 reveals no SOL exceedances, then R2 does not require development of an Operating Plan, and the TOP does not need to submit a plan to the RC for R6. However, the TOP should document next day operating plans or other confirmation that no SOL exceedances were identified so:

          i.  The Reliability Coordinator is aware that the work was performed and there wasn't a communications failure.
          ii.  The Reliability Coordinator can determine if a discrepancy exists between its own analysis and Transmission Operator's plan.
          iii.  The documentation of the requirement provides a full record of the daily Operational Planning Analysis and the effort made by the entity to meet compliance.

        • A:December 7, 2017
          TOP-002-4 R7:Is the BA required to submit an Operating Plan for next-day operations to its RC on a daily basis?  Can a BA submit a one-time process description of how each of the four sub requirements is provided to the RC and provide an update if something changes?  For example, load forecasts/demand patterns are provided to the RC through the NERC SDX program.

          (Balancing Authority):
          In accordance with TOP-002-4, R7, each BA shall submit its Operating Plan(s) for next-day operations to the RC.  A specific plan document is not necessary if all parts R4 (4.1 through 4.4) of TOP-002-4 are being provided to the Reliability Coordinator through alternate means (e.g. electronically, ICCP, etc.).

        • A:October 10, 2018
          TOP-003-3:  Purpose: To ensure that the Transmission Operator and Balancing Authority have data needed to fulfill their operational and planning responsibilities.

          R3.  Each Transmission Operator shall distribute its data specification to entities that have data required by the Transmission Operator’s Operational Planning Analyses, Real-time monitoring, and Real-time  Assessment.

          R4.  Each Balancing Authority shall distribute its data specification to entities that have data required by the Balancing Authority’s analysis functions and Real-time monitoring.

          R5.  Each Transmission Operator, Balancing Authority, Generator Owner, Generator Operator, Load-Serving Entity, Transmission Owner, and Distribution Provider receiving a data specification in Requirement R3 or R4 shall satisfy the obligations of the documented specifications using: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning, Same-Day Operations, Real-time Operations]
          5.1. A mutually agreeable format
          5.2. A mutually agreeable process for resolving data conflicts
          5.3. A mutually agreeable security protocol

          1. What type of data specifications from the TOP and BA is SERC looking for? TOP-002-2.1b is retired.  Is information below the evidence required for R5?

            TOP-002-2.1b

            TOP-003-3

             

            R3

            R5

            CROW?

            R13

             

            At request (TOP-001-4)

            R14

            R5

            CROW/Portals

            R15

            R5

            Portals

            R18

            Retired

             

          2. Is each TOP and BA required to send out data specifications to Transmission Operator, Balancing  Authority, Generator Owner, Generator Operator, Load-Serving Entity, Transmission Owner, and  Distribution Provider each year?

          The data specification is determined by the entity. Data specification is based on what data is required by the TOP and BA to ensure that the TOP can perform its Operational Planning Analyses, Real-time monitoring, and Real-time Assessments and the BA can perform its analysis functions and Real-time monitoring. NERC Standard TOP-003-3 Requirement R1 part 1.1 thru 1.4 and Requirement R2 parts 2.1 thru 2.2 specifies what the documented specification must include, but is not limited to.

          The documented specification for data shall include the periodicity for providing data and is determined by the entity based on the need of the TOP and BA to ensure that the TOP can perform its Operational Planning Analyses, Real-time monitoring, and Real-time Assessments and the BA can perform its analysis functions and Real-time monitoring.

           

        • A:August 20, 2019
          If a substation experiences a temporary loss of communications, would an entity be required to physically man that location until communications are restored, or could the entity monitor through video surveillance from another site with regional monitoring capabilities and full time security personnel?

          When physically manning or video monitoring a substation during a loss of communication event, the entity must take into consideration its ability to monitor data that is necessary to perform its Real-time monitoring and Real-time Assessments. The BA or TOP shall develop an Operating Process or Operating Procedure in accordance with NERC Standard TOP-010-1(i) Requirement R1 and R2 that addresses the quality of the Real-time data necessary to perform its Real-time monitoring and Real-time Assessments. The process or procedure is required to address the necessary actions that are to be taken by an entity or entities responsible for providing the data when data quality affects Real-time Assessments.

        • A:October 18, 2016
          TPL-001-4: An issue has been identified in two models, once in a 2021 sensitivity case and again in a 2026 non-sensitivity case. How do you interpret TPL-001-4 R2.7: “…Corrective Action Plan(s) do not need to be developed solely to meet the performance requirements for a single sensitivity case analyzed in accordance with R2….”  Do you say the issue showed up in one sensitivity case, so the sensitivity can be discounted and it doesn’t need to be fixed until 2026?  Or, do you say it didn’t just show up in a single sensitivity case, it also showed up in another case (even though the other case is not a sensitivity); and therefore, the sensitivity can’t be discounted and it needs to be fixed in 2021?

          If the issue occurs in only one Near-term planning horizon sensitivity study, corrective action plan can be delayed until 2026.

        • A:March 22, 2017
          We received a request to our legal team from our SMEs handling implementation of TPL-007-1. The requirements in TPL-007 become mandatory and enforceable on different dates. Basically, R5 requires data to be sent for a study to be performed. R6 requires the study to be done within 24 months. However, R6 becomes effective 24 months after R5 becomes effective. The concern we received was that an entity could send data under R5 on the first day R5 is effective or before and, if the 24-month period begins then, the performance under R6 could be due even before the requirement R6 itself is actually effective. 

          When does the 24 month period in Requirement R6 begin per the implementation plan if GIC data is received under R5 prior to the enforceable date of R6?  Our position is that, if GIC data is received prior to the effective date of R6, the 24-month period in R6 triggers on the first day that R6 is effective or at worst can’t reach back prior to the effective date of R5.

          Each Planning Coordinator/Transmission Planner must provide the maximum effective GIC value for all applicable transformers to the respective Transmission Owner/Generator Owner, as required by TPL-007-1, R5, no later than January 1, 2019. The Transmission Owner/Generator Owner shall conduct a thermal impact assessment on an applicable transformer within 24 months from the date of receipt of the maximum effective GIC value and provide the results to the Planning Coordinator/Transmission Planner, as required by TPL-007-1, R6, no later than January 1, 2021.

        • A:December 6, 2018

          Background
          Part 5.1 of Requirement R5 of NERC Standard TPL-007-1 requires the Planning Coordinator (PC) and/or Transmission Planner (TP) to provide to the applicable Transmission Owners (TOs) and Generator Owners (GOs) the “maximum effective GIC value for the worst case geoelectric field orientation for the benchmark GMD event described in Attachment 1” of the Standard.  This information is necessary for the applicable TOs and GOs to complete the required thermal impact assessment described in Requirement R6. However, Requirement R6 explicitly defines a threshold below which the applicable TOs and GOs are not required to perform the assessment.

          Question
          If the PC and/or TP determines that none of the applicable BES power transformers in the planning area have maximum effective GIC values equal to or in excess of the specified 75 A per phase threshold considering the worst case geoelectric field orientation for the benchmark GMD event, is it acceptable to meet compliance with Part 5.1 of Requirement R5 through a blanket notification to all applicable TOs and GOs in the planning area?  The blanket notification would provide the GIC value as “less than 75 A per phase” rather than individual GIC values by applicable transformer.

          Response:
           TPL-007-1 R5 requires the Planning Coordinator or Transmission Planner to provide the maximum effective GIC value for the worst case geoelectric field orientation for the benchmark GMD event described in Attachment 1 to the Transmission Owner or Generator Owner that owns applicable BES power transformers even if the threshold of 75A is not exceeded.

        • A:November 16, 2018
          In TPL-007-1, does SERC consider R5 and R6 as part of the R4 GMD Vulnerability Assessment, or is R5 and R6 separate from the timing requirements in R4?  

          Response:
          SERC would consider R5 and R6 separate from the timing requirements in R4. However, information developed in R5 is necessary when the entity is required to perform the GMD Vulnerability Assessment required in R4. R6 thermal assessments must be repeated or reviewed using previous assessment results each time the planning entity performs a GMD Vulnerability Assessment

          For R5, the GIC information is necessary for determining the thermal impact of GIC on transformers in the planning area and must be provided to the entities responsible for performing the thermal impact assessment in R6. GIC information provided in R5 is part of the GMD Vulnerability Assessment Process since it includes documented evaluation of susceptibility to localized damage due to GMD.

          Implementation dates for R4, R5 and R6 are as follows:

          • R4 – 1/1/2022
          • R5 – 1/1/2019
          • R6 – 1/1/2021
        • A:Updated 12/28/2019

          Description of the Violation, Issue, or Trend 
          Transmission Operators (TOPs) should ensure that new generators are properly issued a voltage or reactive power schedule and reporting requirements prior to commercial operation. Generator Operators (GOPs) should ensure that they have received their TOP's schedules and reporting requirements and that they are included in its procedures and operator training prior to commercial operation. 

          Risk Considerations
          Registered entities must ensure that voltage levels, reactive flows, and reactive resources are monitored, controlled, and maintained within limits in real-time to protect equipment and the reliable operation of the Interconnection.

          Description of Mitigation Activity
          Registered entities should comply with VAR-001-5 (for TOPs) and VAR-002-4.1 (for GOPs).    Operator training concerning specific system characteristics and alarm responses is considered good practice.

          Other Factors or Comments
          VAR-001-5 R4 allows the TOP to notify a GOP of its exemption from: 1) following a voltage or Reactive Power schedule, 2) having its automatic voltage regulator (AVR) in service or from being in voltage control mode, or 3) having to make any associated notifications. This exemption could be useful for intermittent sources such as wind and solar or other situations where strict adherence to the Requirements is difficult or impossible and does not pose a substantial risk to reliability.

        • A:Updated:  1/1/2019

          Description of the Violation, Issue, or Trend
          The Generator Operator (GOP) does not meet the generator voltage or Reactive Power schedule issued by the Transmission Operator (TOP).  Reasons for this include voltage schedules that give a single voltage to maintain without an associated bandwidth, voltage schedule bandwidths that are more conservative than necessary for reliable operation, failure to maintain evidence, failure to communicate with the TOP, and loss of indicators that the voltage was reaching levels outside of the bandwidth.

          Risk Considerations
          In general, this type of violation can pose a minimal, moderate, or serious risk to the Bulk Power System (BPS)  depending on many factors, including (but not limited to):

          1. the size of the units impacted;
          2. the magnitude of the departure from the schedule;
          3. the duration of the departure from the schedule;
          4. system conditions at the time of the departure from the schedule; and
          5. mitigating factors in place, such as alarming.

          Description of Mitigation Activity
          Mitigating actions have included:

          1. implementing back-up notification systems;
          2. re-evaluating the bandwidth in the schedule;
          3. revising procedures and re-training employees;
          4. developing data retention policies and practices specific to VAR-002; and
          5. conducting periodic reviews to ensure communication between the GOP and TOP occurs as required in applicable situations.

          Other Factors or Comments
          Where the loss of indicators was a contributing factor, many times the loss of indicators was an unintended consequence of performing work that took the indicators off-line  as part of another maintenance or installation project.

        • A:Updated:  1/1/2019

          Description of the Violation, Issue, or Trend
          The GOP not notifying the TOP of a change in status and/or the expected duration.  One example is late notification after an Automatic Voltage Regulator (AVR) trips from automatic controlling voltage to manual.  Another example is failure to notify the TOP in advance of an AVR status change that is controlled by the GOP (not a trip). Registered Entities also fail to notify the TOP of the expected duration of the change in status.  Registered Entities also communicate incorrect information to the TOP, such as the GOP notifying the TOP that the AVR returned to auto when in fact the AVR did not return to auto and the GOP notifying the TOP that it placed the AVR in manual control mode and the Power System Stabilizer (PSS) remained in service when in fact the PSS did not remain in service.

          Risk Considerations
          In general, this type of violation can pose a minimal to moderate  risk to the BPS depending on many factors, including:

          1. the size and number of the units impacted and what other units in the area had the AVR in auto controlling voltage;
          2. mitigating factors in place, such as alarming;
          3. the need for voltage support at that location; 
          4. operator training and experience in operating plants and units in manual; and
          5. type of unit and plant (base load, peak, etc.).

          Description of Mitigation Activity
          Mitigating actions have included:

          1. retraining operators on the procedures and expectations;
          2. installing alarming and notification indicators;
          3. training of operators on the operation of the AVR and PSS; and
          4. conducting periodic reviews of VAR event lots for completeness and accuracy and bringing incomplete or incorrect VAR Logs to the attention of the manager so that coaching can be provided.

          Other Factors or Comments

          1. To reduce the risk of sustaining a violation, some Registered Entities  surveyed all of their units to identify those that had an operating PSS, had AVRs that operated in other than automatic voltage control, and had adequate alarms to indicate abnormal operation.  The Registered Entities changed operating procedures, indicators, and alarms accordingly.
          2. When placing the AVR in auto following a trip, some operators believe that notifying TOP is not required since the operator is placing the AVR in the required mode.
This page provides answers to questions asked by entities.  The answers provided are based on opinions of SERC staff and do not necessarily represent SERC’s position.  While SERC staff provides answers in good faith, the answers are not an official SERC interpretation and shall not be binding on decisions of SERC.  The information provided herein is intended to provide guidance to the industry and is not intended to establish new requirements under the NERC Reliability Standards or to modify the requirements in any existing NERC Reliability Standards.  Actions based on this information shall have no standing for the purpose of contesting or mitigating any findings of noncompliance by SERC.  Compliance will continue to be determined based on language in the NERC Reliability Standards as they may be amended from time to time.