Audit & Compliance Tips Jagan Mandavilli Senior Compliance Engineer
2 Lessons Learned ●Sabotage Reporting (CIP-001-2a) Contractor produces procedure Ensure operating personnel are aware of procedures and maintain documentation of awareness Training records s Entities do not need to “establish communications contacts” with the FBI Entity should include a valid local FBI number in contact list, based on NERC guidance Auditors verify the FBI contact number NSRS January 9, 2013
3 Lessons Learned ●Protection Systems (PRC b) An entity is responsible for demonstrating compliance for any portion of a protection system it owns. If your entity has a Coordinated Functional Registration (CFR) or Joint Registration Organization (JRO), let Texas RE know. Automatic Voltage Regulator (AVR) equipment is included in Generation Control, not the Generation Protection System. Therefore, no need to self-report under PRC-005 if the equipment was not included in maintenance and testing of the Generation Protection System. NSRS January 9, 2013
4 Lessons Learned NSRS January 9, 2013
5 Lessons Learned ●Protection Systems (PRC b) Entity provides a listing of the sources for each basis Provide actual source documents such as: Manufacturer’s maintenance procedures (O&M Manuals) IEEE references (and associated calculations) NERC Protection System Maintenance (Technical Reference) Other authoritative documentation (studies based on history) NSRS January 9, 2013
6 Lessons Learned ●Generating real and reactive capability verification (TOP-002-2a, R13) Net leading and lagging reactive capability testing is performed every 2 years. The entity completes the ERCOT Operating Guides Section 8, Attachment D, Seasonal Unit Net Real Power Capability Verification Form, and submits its to the Qualified Scheduling Entity (QSE) to be uploaded into ERCOT’s Net Dependable Capability and Reactive Capability (NDCRC) in the Market Information System (MIS). Auditors have accepted this form as evidence of performing the test. Data fields for including weather, water conditions, fuel quality, or fuel quantity are not provided on the form. NSRS January 9, 2013
7 Lessons Learned ●Differences in Derived Limits (IRO-005-3a, R10) Operate the Bulk Electric System to the most limiting parameter. Evidence could include following a directive from ERCOT or a Local Transmission Operator (TOP) where there was an instance of differences in derived limits. NSRS January 9, 2013
8 Lessons Learned ●Registered Entity Responsibility is responsible for all the functions (CIP and 693) performed by contractors or agents is responsible for providing all evidence including procedures and records of work performed by contractors or agents QSE = Contractor or Agent ●Facility Ratings Generally, this should include all equipment up to the point of interconnection Interconnection agreement Diagrams NSRS January 9, 2013
9 Audit Update ●2013 Audit Schedule Posted COMPLIANCE>Compliance Audit>Audit Schedule Pages/Default.aspx Pages/Default.aspx ●Audit Scope Actively Monitored List Tier 1 Tier 2 Tier 3 NSRS January 9, 2013
10 Audit Update ●Year 2013 If previously audited or spot checked in most cases, current in-force document is adequate Previous audit or spot checked is the book-end New Revisions to existing standards Only need to provide evidence for the current enforceable standard. Auditors will use their judgment on whether to look at evidence of previous versions. NSRS January 9, 2013
11 FTP Site ●Texas RE has established its FTP site to provide a secure method of exchanging large amounts information between registered entities and Texas RE. ●Primary use: Request for Information (RFI) Event Analysis Compliance Investigations Audits Spot checks ●The FTP site uses SSL (Secure Sockets Layer) that allows upload and download of information through an encrypted session. NSRS January 9, 2013
12 CONTACT INFORMATION (512) You may also submit questions to NSRS January 9, 2013