Internal Controls Evaluation (ICE) Tony Eddleman, P.E. NERC Compliance Manager Nebraska Public Power District

Transcription

1 Internal Controls Evaluation (ICE) Tony Eddleman, P.E. NERC Compliance Manager Nebraska Public Power District

2 2 Topics NPPD Overview Reliability Controls NPPD Internal Control Evaluation (ICE) Sample Controls Summary

3 Nebraska Public Power District 3

4 Nebraska Public Power District 4

5 5 NPPD Sheldon Station Goes Hydrogen One of two boilers at Sheldon Station near Hallam, Nebraska will be converted to use hydrogen as fuel instead of coal. 125 megawatts of electricity Completion of the conversion expected in Monolith produces carbon black and hydrogen from natural gas Carbon Black is a common material found in thousands of products Americans use every day including tires, rubber and plastics, printing inks, and batteries

6 NPPD Sheldon Station Goes Hydrogen 6

7 7 NPPD NERC Registrations Distribution Provider (DP) Generator Owner (GO) Generator Operator (GOP) Resource Planner (RP) Transmission Owner (TO) Transmission Operator (TOP) Transmission Planner (TP) Note: The Southwest Power Pool (SPP) is NPPD s Reliability Coordinator (RC), Balancing Authority (BA) and Planning Authority (PA)

8 8

9 9 Reliability Controls Not Compliance Controls If you haven t started or are having trouble convincing others to start: Don t make controls too hard You are doing many of these today Document what you are doing to make sure you don t forget a requirement or a deadline We use spreadsheets a lot these are okay Start simple keep controls simple! Say to yourself I m going to do what I can do. Don t get overwhelmed!

10 10 Reliability Controls Controls are for us, not MRO Implement controls to ensure you are Reliable Don t focus on implementing controls to reduce regulatory oversight This puts the focus on compliance, not Reliability You don t want a SME thinking a control is just for compliance NPPD has implemented Reliability controls on high and medium risk requirements NPPD internal Inherent Risk Assessment (IRA) performed annually on applicable requirements MRO Performance & Risk Oversight Subcommittee (PROS) The PROS have produced good stuff use it!

11 11 Reliability Controls NPPD Annual Compliance Workshop provides a consistent message to subject matter experts External Compliance Consultant serves as a member of our NERC Compliance Steering Committee Steering Committee consists of senior leadership Discussed controls with several subject matter experts during recent visit Controls are being received well Controls remove anxiety and having to remember to get something done

12 12 MRO 2016 Compliance Audit MRO provided our NPPD Inherent Risk Assessment (IRA) NPPD has 74 NERC Reliability Standards and 325 requirements applicable NPPD IRA: 54 NERC Reliability Standards, including 167 requirements MRO s Internal Control Evaluation (ICE) 17 NERC Reliability Standards, including 36 requirements No CIP requirements MRO sampled ICE Submitted samples to MRO

13 13 Midwest Reliability Organization (MRO) 2016 Compliance Audit - ICE MRO removed 3 requirements from the audit EOP-005-2, R17 System Restoration from Blackstart Resources Generator Operator training FAC-008-3, R6 Facility Ratings PRC-005-6, R5 Protection System Automatic Reclosing and Sudden Pressure Relaying Maintenance Unresolved Maintenance Issues ICE Discussion with MRO Preventative versus Detective Controls

14 14 Internal Controls Evaluation Internal Controls Program Questionnaire Does your organization have a formalized program? If yes, explain the scope Provided: Electric Reliability Compliance Program Provided: NPPD ICP Process Manual Explain the relative independence of compliance responsibilities Explain resources dedicated to compliance program Explain senior management s role Explain the controls in place

15 NPPD Process Manual Attachments 15

16 16 Sample Reliability Controls EOP-005-2, Requirement 17: Each Generator Operator with a Blackstart Resource shall provide a minimum of two hours of training every two calendar years to each of its operating personnel responsible for the startup of its Blackstart Resource generation units and energizing a bus.

17 17 Sample Reliability Controls EOP-005-2, Requirement 17: Each Generator Operator with a Blackstart Resource shall provide a minimum of two hours of training every two calendar years to each of its operating personnel responsible for the startup of its Blackstart Resource generation units and energizing a bus.

18 18 Sample Reliability Controls EOP-005-2, Requirement 17: Each Generator Operator with a Blackstart Resource shall provide a minimum of two hours of training every two calendar years to each of its operating personnel responsible for the startup of its Blackstart Resource generation units and energizing a bus.

19 19 Sample Reliability Controls EOP-005-2, Requirement 17: Each Generator Operator with a Blackstart Resource shall provide a minimum of two hours of training every two calendar years to each of its operating personnel responsible for the startup of its Blackstart Resource generation units and energizing a bus.

20 20 Sample Reliability Controls FAC-008-3, Requirement 6: Each Transmission Owner shall have a documented methodology for determining Facility Ratings (Facility Ratings methodology) of its solely and jointly owned Facilities (except for those generating unit Facilities addressed in R1 and R2)

21 21 Sample Reliability Controls FAC-008-3, Requirement 6: Each Transmission Owner shall have a documented methodology for determining Facility Ratings (Facility Ratings methodology) of its solely and jointly owned Facilities (except for those generating unit Facilities addressed in R1 and R2)

22 22 Sample Reliability Controls FAC-008-3, Requirement 6: Each Transmission Owner shall have a documented methodology for determining Facility Ratings (Facility Ratings methodology) of its solely and jointly owned Facilities (except for those generating unit Facilities addressed in R1 and R2)

23 23 Sample Reliability Controls FAC-008-3, Requirement 6: Each Transmission Owner shall have a documented methodology for determining Facility Ratings (Facility Ratings methodology) of its solely and jointly owned Facilities (except for those generating unit Facilities addressed in R1 and R2)

24 24 Sample Reliability Controls Operationalized Compliance - baked in to operations FAC-008-3, Requirement 6: Each Transmission Owner shall have a documented methodology for determining Facility Ratings (Facility Ratings methodology) of its solely and jointly owned Facilities (except for those generating unit Facilities addressed in R1 and R2) Tom Tierney: A key factor indicator of operationalized compliance is that compliance is incorporated into day-to-day tasks of line personnel, not solely the responsibility of a standalone compliance function

25 25 Sample Reliability Controls FAC-008-3, Requirement 6: Each Transmission Owner shall have a documented methodology for determining Facility Ratings (Facility Ratings methodology) of its solely and jointly owned Facilities (except for those generating unit Facilities addressed in R1 and R2) Note: NPPD has 12 controls on this requirement, but we view this as a high risk.

26 What You Don t Want! 26

27 27 Reliability Controls Keeps small things small Positive compliance posture Base program on individual entity risk assessment No perfect one size fits all Each entity has a different risk tolerance Cost versus benefit Another thought to put controls in perspective Visualize trying to implement a compliance program without the oversight of MRO Understanding the risk of a serious violation then translates to implementing effective controls to mitigate the Reliability risk

28 28 Reliability Controls Bonus Having a Reliability controls mindset will help you review draft NERC Reliability Standards How will I implement this requirement? What Reliability controls will be needed? This may be a good idea and sound good, but how do I prove compliance? Is this a zero tolerance requirement? TOP R13: Each Transmission Operator shall ensure that a Real-time Assessment is performed at least once every 30 minutes. A great time to develop/document controls for new or revised standards is during the implementation meetings

29 Questions 29