ERO Certification and Review Procedure

Transcription

1 ERO Certification and Review Procedure Reliability Assurance December 15, Peachtree Road NE Suite 600, North Tower Atlanta, GA of 16

2 Table of Contents Table of Contents... 2 Purpose... 3 NERC Mission... 4 Accountabilities and Responsibilities... 5 NERC... 5 Director of Compliance Operations (or Designee)... 5 Manager of Organization Registration and Certification... 5 Regional Entity... 5 Manager responsible for Certification (or Designee)... 5 Certification Team Leader (CTL)... 6 Certification Team Member (duties assigned by the CTL)... 6 Certification Process... 7 Planning... 7 Fieldwork Reporting Certification Review Process Related Documentation Appendix I Certification Process Terms and Definitions Revision History of 16

3 Purpose The ERO Certification and Review Procedure serves two purposes. First, it enables the consistent implementation of an ERO-wide Certification process that meets the requirements of Section 500 and Appendix 5A of the NERC Rules of Procedure (ROP) 1. Secondly, it lays out the Certification process so that entities applying or registering for the Reliability Coordinator (RC), Balancing Authority (BA), and/or Transmission Operator (TOP) functions have a clear understanding of the process and know what to expect of 16

4 NERC Mission The North American Electric Reliability Corporation s (NERC) mission is to ensure the reliability of the North American bulk power system (BPS). NERC is the electric reliability organization (ERO) certified by the Federal Energy Regulatory Commission (FERC) to establish and enforce reliability standards for the BPS. NERC develops and enforces reliability standards; assesses adequacy annually via a 10-year forecast and summer and winter forecasts; monitors the bulk power system; and educates, trains, and certifies industry personnel. ERO activities in Canada related to the reliability of the bulk power system are recognized and overseen by the appropriate governmental authorities in that country. NERC has delegated certain responsibilities for the conduct of ERO statutory functions to the Regional Entities (RE), via regional delegation agreements (RDA). 2 In accordance with the NERC ROP Section 500, subsection 3, NERC shall develop and maintain a plan to ensure the continuity of Organization Registration and Organization Certification within the geographic or electrical boundaries of a Regional Entity in the event that no entity is functioning as a Regional Entity for that Region, or the Regional Entity withdraws as a Regional Entity, or does not operate its Organization Registration and Organization Certification Programs in accordance with delegation agreements. NERC will follow and adhere to the Registration and Certification procedural documents in order to successfully fulfill the day-to-day activities. 2 Located on NERC s website at 4 of 16

5 Accountabilities and Responsibilities NERC Director of Reliability Assurance (or Designee) Provides overall oversight of the Certification process Responsible for effective and consistent implementation of the Certification process throughout the eight REs Manager of Reliability Assurance Provides direct oversight of the Certification process Maintains contact with REs for effective implementation of the Certification process Confirms that the composition of each Certification Team (CT) complies with ROP requirements Assigns NERC members to CT Establishes training requirements Facilitates training for CT members Plans and organizes Certification workshops for REs and stakeholders NERC approval of RE recommendation of entity Certification Proposes and maintains revisions to Certification process documents, as required Regional Entity Manager responsible for Certification (or Designee) Ensures regional execution of the Certification process Identifies Certification Team Leader (CTL) Determines members of the CT in coordination with the CTL Confirms completion of required training and execution of appropriate CT member documentation Approves and ensures the adequate implementation of subsequent action plans from completed ERO Certifications Responsible for facilitating final RE approval of entity Certification Acts on the CT recommendation for Certification Notifies the entity and NERC of the Regional Entity s Certification recommendation Confirms all evidence and Certification documentation is kept in accordance with the RE document retention procedures per the ROP 5 of 16

6 Certification Team Leader (CTL) Must be a trained team leader Complete NERC s online auditor training Attend NERC s lead auditor training workshop Complete required reading package Participate as a team member on at least two Certifications Coordinates Certification activities in accordance with ROP Section 500, ROP Appendix 5A, and the ERO Certification and Review Procedure to achieve stated objectives of the Certification process Establishes and maintains contact with entity applicant throughout the Certification process Performs and oversees fact finding, interviews, and data collection Prepares opening and closing presentations Analyzes on-site interviews, observations, feedback, etc. to complete the Certification Coordinates with CT members regarding finalizing the wording of positive observations and closed Bucket 2 items Develops draft final report Supports RE manager, or designee, responsible for Certification in facilitating RE approval of entity Certification Certification Team Member (duties assigned by the CTL) Completes required training per ROP Executes confidentiality agreements and conflict of interest forms Reviews evidence presented by applicant Documents questions for entity Subject Matter Experts (SME) Submits requests for information to CTL Interviews subject entity management, SMEs, and system operators Acts as scribe, if assigned Comments on final report 6 of 16

7 Certification Process Entity Certification 3 requires a well-planned, in-depth review and well-documented assessment of an entity s capability to perform the tasks of the certifiable function (Reliability Coordinator, Balancing Authority, and Transmission Operator) for which it has applied or been registered. This document provides a summary of the steps required to conduct the Certification process. The following procedure is written in chronological order and may be changed at the discretion of the CTL to accommodate schedules and differences in scope, management direction, RE needs, etc. It also assumes that an entity has requested Certification. If an entity has received a registration initiated by either the RE or NERC as allowed in ROP Appendix 5A or if the entity is already registered, the procedure will be adjusted as appropriate. For an entity that is already registered, the CTL will review any Potential Violations of record. If there are any discrepancies between the NERC ROP and this document, the ROP shall take precedence. All discrepancies must be brought to the attention of NERC or the appropriate RE for further actions, as needed. Once an application has been received and accepted or an entity has been registered by the RE or NERC on behalf of the entity, the RE shall assign a CTL. 4 The CTL should be a trained team leader, 5 as this will provide a solid foundation for the CT. The CTL is responsible for putting together a CT in compliance with Appendix 5A of the NERC ROP. Prior to participation in the Certification process, all CT members must complete the requirements as described in the appropriate member training form and agree to adhere to the ERO s confidentiality agreements for any data or information made available to the CT member through the Certification process. These documents can be found on NERC s website. The following is a summary of steps for a Certification: Planning 1. As required by the ROP, the CT members: a. Shall consist of: i. For BA, the CT shall have representation from the following: 1. An existing BA, the entity s proposed RC, TOP, each affected RE, and NERC ii. For RC, the CT shall have representation from the following: 1. An existing RC, a BA and a TOP in the proposed RC area, each affected RE, and NERC iii. For TOP, the CT shall have representation from the following: 1. An existing TOP, the entity s proposed RC, each affected RE, and NERC 3 The Certification of Reliability Coordinators (RC), Balancing Authorities (BA), and Transmission Operators (TOP) is an independent process from the similar process of audits. 4 An entity is registered on behalf of if the RE or NERC determines the entity should be registered and the entity refuses to voluntarily register. 5 In accordance with ROP Section , NERC shall develop and provide training in auditing skills to all individuals prior to their participation in Certification evaluations. Training for Certification team leaders shall be more comprehensive than the training given to industry subject matter experts and RE members. 7 of 16

8 b. Additional CT members with expertise in any of the NERC registry functional areas may be added as necessary (i.e., NERC, RE staff). c. Entities such as government representatives or other stakeholders may be observers in the Certification process. 2. The CTL shall ensure all CT members have completed the following: a. Certification Team Member Training Record form b. For non-ero employees i. An ERO Conflict of Interest and business Ethics for Certification Team Members form ii. An ERO Confidentiality Agreement for NERC Certification Team form 3. The Certification Scope a. The CTL shall review the Certification application to determine the scope of the assessment. Using the NERC reliability standards VRF Matrix, the CTL shall develop a Master Matrix to identify which reliability standards shall be assessed based on the function(s) for which the entity is to be certified. 4. The CTL shall develop an online portal to store all documentation. The CTL shall set up a secured server to house all relevant Certification process documents, including but not limited to: a. The application b. All relevant correspondence between the CTL and the applicant, including the Certification packet (described in number five below) c. All relevant correspondence between the CTL and the CT members d. Instructions for the entity to access the server in order for the entity to submit their responses and allow for CT members to access the documentation supplied e. The agreed, applicable Master Matrix used to evaluate the entity during the process f. The overall process schedule g. The agenda for the on-site visit, if required h. The final report i. The RE approval or rejection of Certification application 5. A Certification packet shall be developed and sent to the entity 90 days prior to the on-site visit. 6 It shall contain: a. Notification of the Certification process b. Logistic Information Request c. The tentative overall process schedule and on-site agenda d. The appropriate questionnaires 7 e. The Master Matrix f. The CT roster and member biographies g. Request of confirmation of no-objections to CT members 6 This procedure recognizes circumstances may arise that require a timeline appropriate for the circumstances and the event durations are predicated on adequate time available. 7 At the discretion of the CTL, the CTL will forward a Neighboring Entity questionnaire to an appropriate neighboring entity. 8 of 16

9 h. Pre-Certification survey that must be returned to the CTL within 15 days of receipt i. Any specific requests for information (RFI) 6. CTL should contact the entity within one week of submitting the packet to confirm receipt of the package and discuss any concerns the entity may have. 7. The entity shall complete and return the questionnaires, Master Matrix, and supporting documentation no later than four weeks prior to the on-site visit. 8. The CTL shall schedule a document review(s) with the CT prior to the on-site visit. Document reviews could take place face-to-face or via teleconference. a. The CTL and CT shall review the Logistic Information Request, in order to: i. Develop an understanding of the entity being certified ii. Make all travel arrangements 9. During document reviews, the CT shall note all: a. Questions for the entity s management, SMEs, and system operators based upon the review of the supporting documentation b. Additional RFIs (These will be submitted to the entity prior to the on-site visit.) c. Comments that support the entity s abilities to perform the function for which the entity applied during the document review and indicate items which do not need further review d. Issues that need to be addressed prior to Certification being granted 10. If the CT is to be broken into smaller groups, the CTL shall assign a scribe(s) to document the assessment and identify teams: a. For complex Certifications of new facilities, the CTL may assign members of the CT to different focus areas. For example: i. Facilities Examples may include: The physical cyber assets against the CIP standards, the cyber training, the maintenance contracts and records for the facilities, the electrical system and uninterruptible power supply (UPS), the cybersecurity of servers, passwords, etc. per the CIP standards, and the physical installation of data and voice equipment. ii. EMS/SCADA Interview the EMS/SCADA SMEs to ensure that the tools will provide adequate situational awareness against the NERC standards. Ensure adequate change control of the EMS/SCADA. Review the data transfer, server, applications, and redundancy configuration of the core tools including: EMS, OSI- PI, ICCP, outage scheduling, scheduling, map-board displays, communication systems, etc. iii. Operator Preparedness Interview the operators at their workstations and ask them to present the tools, procedures, CIP readiness, and their procedure use for normal day-to-day and emergency operations. Interview the training staff regarding initial training needed to support the transition to the new responsibilities and continuing training to the NERC standards. Interview the planning staff to ensure adequate contingency planning and proper interaction with the real-time operators. 11. The CTL shall provide the entity a final schedule and agenda for the on-site visit based upon the results of the document review. 9 of 16

10 12. The Certification process shall be completed within nine months of the date of acceptance of the application unless agreed to by all parties involved in the process and approved by NERC. Fieldwork The CT shall conduct at least one on-site visit to the entity s Facilities. 1. Opening presentation 2. At a minimum, the team will: a. Review with the entity the data collected through the questionnaires, and such data that is available only onsite b. Interview the operations and management personnel c. Inspect the Facilities and equipment associated with the applicable Reliability Standards referenced in the questionnaire d. Request demonstration of all tools identified in the Certification process e. Review documents and data including agreements, processes, and procedures identified in the Certification process f. Verify operating personnel NERC Certification documents and proposed work schedules g. Review any additional documentation resulting from inquiries arising during the site visit 3. The CT shall interview entity personnel to clarify responses covered in the document review. 4. The CT shall tour the facilities, observing and noting the required physical assets. The CT may request a demonstration of the tools used to support the function. 5. At the end of each day, the CT will meet for the debriefing. The CTL shall lead a daily debriefing with the entity in order to: a. Identify the status of the assessment b. Identify any items of concern that need to be addressed, and identify which Bucket each item is in c. Provide an update to the schedule d. Identify any possible violations of applicable standards in order for the entity to selfreport to its respective Region 6. The CTL shall provide an exit briefing at the end of the on-site visit in order to: a. Identify any items of concern that need to be addressed, and identify which Bucket each item is in b. Discuss the reporting process c. Discuss the next steps in the Certification process, including the schedule of the postonsite visit and any Bucket 2 items to close d. Confirm that Entity Feedback Forms will be sent to the entity with a sincere request for candid feedback Reporting 1. The CTL will provide the CT with the CT Member Feedback Form, and requests that they are returned within five calendar days with a copy to NERC.Certification@nerc.net. 2. After completion of the on-site visit, the CTL should develop: a. A spreadsheet listing all Bucket 2 items that are to be tracked and closed prior to requesting RE management approval of Certification; and b. The draft final report, in coordination with input from the CT, which presupposes Bucket 2 items are closed. 10 of 16

11 3. Upon completion of the draft final report, the CTL should transmit the report to the CT, requesting return with final comments within two business days. 4. The CTL should also transmit the draft final report to the entity, requesting return with comments within 14 calendar days. 5. Entity comments will be given due consideration and incorporated in the final report at the discretion of the CTL and the input of the CT. 6. The CTL and CT will review the completed final report. When all Bucket 2 items are satisfactorily closed, the CTL and CT will submit the CT recommendation and final report to appropriate RE management 8 for consideration and approval. 7. If rejected by RE management, the CTL will work with the CT and the entity to resolve any issues. 8. If approved by RE management, the RE CEO 9 (or a designee) will transmit to the entity, with a copy to NERC, the formal RE approval, which includes RE recommendation for NERC approval, using the Region Certification Approval Recommendation Letter as a template If approved, NERC shall confirmation of Certification of the application function. Attached to the will be the formal Certification letter, which contains a link to the final report (that is posted on NERC s public website). Finally, NERC shall mail a hard copy of the Certification letter and certificate of functional Certification to the applicant. a. For those Coordinated Functional Registration (CFR) entities that agree upon a division of compliance responsibilities for one or more Reliability Standards or Requirements/sub- Requirements, NERC shall provide all entities responsible for BA, RC and/or TOP Requirements/sub-Requirements and approved for Certification as BA, RC and/or TOP a NERC certificate indicating that those entities are NERC certified as a BA, RC, and/or TOP. 10. After the applicant is certified, the RE will register the applicant; the applicant will be registered for the new function on the confirmed date that operations will begin The applicant must commence operations for the application function within 12 months after being notified of approval by NERC. If the applicant fails to commence operation within 12 months, the Certification process must be repeated. Data Retention 1. Documentation used to substantiate the conclusions of the Certification must be retained by Regional Entity for (6) six years. 2. NERC will maintain and post all Certification Final Reports on its website. 3. NERC will Issue a Certification approval letter and certificate applicants that successfully demonstrate its competency to perform the evaluated functions. 8 For multi-region entities, the CTL will submit the CT recommendation and final report to each Region s management for consideration and approval. 9 Each RE management is to issue the letter of approval and recommendation Within the Certification approval letter, the entity is reminded to (1) inform the RE when it is to commence operations and (2) register with NERC Alert. 11 of 16

12 Certification Review Process Functional Entity Certification Review will follow the same processes and procedures as a Functional Entity Certification with an appropriately scoped evaluation effort, which includes team composition, on-site visit needs, change in terminology and use of the applicable review templates as appropriate. Items that are to be considered in this decision are listed in ROP Appendix 5A Section IV, and include one or more of the following: Changes to a registered entity s footprint or operational challenges (e.g., transmission loading relief (TLRs)) Organizational restructuring that could impact BPS reliability Relocation of the control center Changes to registered entity ownership that require major operating procedure changes Significant changes to Joint Registration Organization(JRO)/CFR assignments or agreements Addition or removal of member JRO/CFR utilities or entities Complete replacement of a SCADA/EMS system The decision to certify changes to an already operating and certified Registered Entity is a collaborative decision between the affected REs and NERC. NERC has the final authority regarding this decision. Items to consider for this decision are listed in ROP Appendix 5A. A registered entity that requires a review shall complete the appropriate form and submit it to the applicable RE. The CTL in collaboration with NERC shall tailor the scope to those requirements that are affected as a direct result of the reason for the review; for example, if an entity installed a new EMS, there should be no reason to conduct personnel risk assessments due to the change if access to the Critical Cyber Assets remains the same. 12 of 16

13 Certification Appeals Process Any entity can appeal an organization Certification decision issued as a result of the Certification process. The appeals process begins when an entity notifies NERC, in writing, that it wishes to use the NERC appeals process. If an appeal is not filed within twenty one (21) Days of the date that the Certification report or finding is issued, or the final Regional Entity appeals process ruling is made, the finding shall be considered final and un-appealable. Hearing and Ruling by the Compliance and Certification Committee (CCC): Within twenty-eight (28) Days of receiving notice from NERC, the CCC will conduct a hearing where all the parties or representatives of the disputing parties will present the issue in question, in accordance with CCC procedurecccpp-005, Hearing Procedures for Use in Appeals of Certification Matters, which is incorporated in Appendix 4E of the Rules of Procedure. If the appeal is upheld, NERC notifies the entity and Regional Entity(s), updates the NCR, and issues any appropriate letter and certificate to the entity. If the appeal is denied, NERC notifies the entity and Regional Entity(s). Hearings and Ruling by the Board of Trustees Compliance Committee (BOTCC): The BOTCC will be asked to resolve a dispute related to the NERC Organization Certification Program if any party to the appeal contests the CCC final order. The BOTCC may request additional data from NERC, Regional Entity(s) or the entity and prescribe the timeframe for the submitting the requested data. At the next regularly scheduled BOTCC meeting, or at a special meeting if the Board determines it is necessary, the Chairman of the CCC will present a summary of the dispute and the actions taken to the BOTCC. Each party will have an opportunity to state its case. The BOTCC will then rule on the dispute. If the BOTCC upholds the appeal, NERC will: Notify the entity and the Regional Entity (ies) that the appeal was upheld. Update the NCR. Issue a Certification letter and a certificate to the entity as applicable. If the BOTCC does not uphold the appeal, NERC will notify the entity and the Regional Entity (ies) that the appeal was denied. The entity may appeal to Applicable Governmental Authorities within 21 Days of the issuance of the decision. A record of the appeals process shall be maintained by NERC and available upon request. Confidentiality of the record of the appeal will be based on the NERC Rules of Procedure Section of 16

14 Related Documentation All Certification process templates and the ERO Certification and Review Procedure are available on NERC s website. 12 NERC Rules of Procedure Section 500 Organization Registration and Certification NERC Rules of Procedure Section 1500 Confidential Information NERC Rules of Procedure Appendix 5A Organization Registration and Certification Manual NERC Rules of Procedure Appendix 5B Statement of Compliance Registry Criteria 12 Certification process templates: 14 of 16

15 Appendix I Certification Process Terms and Definitions Table 1: Terms and Definitions Term Balancing Authority Bucket Items Certification Certification Review Master Matrix Multi-Region Entity Reliability Coordinator Transmission Operator Definition The responsible entity that integrates resource plans ahead of time, maintains loadinterchange-generation balance within a Balancing Authority Area, and supports Interconnection frequency in real-time. This is a certifiable function. Bucket 1 issues prevent CT recommendation for Certification. Bucket 2 issues require resolution prior to Certification. Bucket 3 issues offer suggestions to the entity for improved performance. This process is undertaken by the ERO to verify an entity has the tools, processes, procedures, training, and personnel to perform the tasks associated with a function that requires Certification (i.e., RC, BA, and/or TOP). The process undertaken by the ERO to verify that an entity will have the tools, processes, procedures, training, and personnel to perform the tasks associated with a function requiring Certification (i.e., RC, BA, and/or TOP) such as, but not limited to, those listed in Appendix 5A, NERC Rules of Procedure. Certification Reviews are conducted prior to the occurrence of the change, allowing sufficient time to correct any deficiencies noted in the entity s preparedness prior to occurrence of the change. The spreadsheet created using the VRF Matrix on NERC s Standards link depicting those standards applicable to the specific function to be certified or reviewed due to listed changes. An entity whose facilities are located within more than one Region s footprint. The entity that is the highest level of authority who is responsible for the Reliable Operation of the Bulk Electric System, has the Wide Area view of the Bulk Electric System, and has the operating tools, processes and procedures, including the authority to prevent or mitigate emergency operating situations in both next-day analysis and real-time operations. The Reliability Coordinator has the purview that is broad enough to enable the calculation of Interconnection Reliability Operating Limits, which may be based on the operating parameters of transmission systems beyond any Transmission Operator s vision. This is a certifiable function. The entity responsible for the reliability of its local transmission system and operates or directs the operations of the transmission Facilities. This is a certifiable function. 15 of 16

16 Revision History Revision Number Date Description 0 4/1/2013 Original Date 1 9/16/2013 Various content changes 2 5/12/2014 Added Revision Table /6/2014 Included language to describe processes laid out in ROP 12/15/2015 Title changes and various errata changes 12/15/2016 Updated Certification Review definition on appendix I for clarity on timing of the Review. Changed ERO Certification Process Manual to ERO Certification and Review Procedure for consistency across document. 16 of 16