HomeMy WebLinkAbout20171218PAC to Staff Attachment Utah_DPU 10.11a.pdfREMEDIAL ACTION SCHEMES
Protection &Control Procedure No.304
Author:Flo Hausler
Approval:Jack Vranish
AuthoringDepartment:Reliability Standards
ApprovedFile Location:DFS\PDXCO\SHRO4\Publications\FPP\RLY\PRO
File Number-Name:304-RAS Procedure.docx
RevisionNumber:0
RevisionDate:3/12/15
Document Security Category
Confidential External
Restricted Critical Infrastructure Information(CII)
x Internal
Revision Log
0 12/15/14 Initial issue
0A 3/12/15 Final Draft
J:Publications FPP RLYiPRU3íW-RAS Procedure.docr.Rev.Q.3 12 15
The most current version ofthis document is posted to engineering s websites for relayforms,policies and procedures
Modification ofthis document must be authorized by engineering publications.(503)813-5096.
REMEDIAL ACTION SCHEMES
Protection &Control Procedure No.304
Table of Contents
1 Definitions.............................................................................................................................1
2 Scope.....................................................................................................................................1
3 Types of RAS........................................................................................................................3
4 RAS Functional Design and ApprovalProcess.................................................................5
5 RAS Design and Construction ............................................................................................6
6 RAS Operating Procedure,Testing,and Commissioning................................................6
7 RAS Performance Assessment...........................................................................................7
8 R AS M is oper at i on Re porti ng ...............................................................................................7
9 RAS Maintenance and Testing Documentation.................................................................8
Appendices
A.PAC-RAS-OVERVIEW-Yale_Run-Back
B.Procedure to Submit an RAS for Assessment,October 28,2013
C.Remedial Action Scheme Design Guide,November 28,2006
D.PRC-004-WECC-1
E.PRC-(012 through014)-WECC-CRT-2 Regional Criterion,September 17,2013
F.PRC-015-0
G.PRC-017-0
H.PRC-005-2
I.WECC Major RAS List,April 28,2008
J.PacifiCorp SPS,June 24,2014
K.CIP 002 Version 5.1
Procedure for Implementing a New Remedial Action Scheme (RAS)or
for Modifying an Existing RAS
1 Definitions
The following definitions are from the NERC Glossary.
1.1 Special Protection Systems (also called Remedial Action Schemes)
An automatic protection system designed to detect abnormal or predetermined
system conditions,and to take corrective actions other than and/or in addition to the
isolation of faulted components to maintain system reliability.Such action may
include changes in demand,generation (MW and Mvar),or system configuration to
maintain system stability,acceptable voltage,or power flows.An SPS does not
include (a)underfrequency or undervoltage load shedding or (b)fault conditions that
must be isolated or (c)out-of-step relaying (not designed as an integral part of an
SPS).
1.2 Protection Systems
Protective relays that respond to electrical quantities
Communication systems necessary for the correct operation of protective
functions
Voltage and current sensing devices providing inputs to protective relays
Station DC supply associated with protective functions (including station batteries
battery chargers,and non-battery-based DC supply)
Control circuitry associated with protective functions through the trip coil(s)of the
circuit breakers or other interrupting devices
1.3 Misoperation
Any failure of a protection system element to operate within the specified time
when a fault or abnormal condition occurs within a zone of protection
Any operation for a fault not within a zone of protection (other than operation as
back-up protection for a fault in an adjacent zone that is not cleared within a
specified time for the protection for that zone)
Any unintentional protection system operation when no fault or other abnormal
condition has occurred unrelated to on-site maintenance and testing activity
1.4 Unresolved Maintenance Issue
A deficiency identified during a maintenance activity that causes the component to
not meet the intended performance,cannot be corrected during the maintenance
interval,and requires follow-up corrective action
2 Scope
This document describes the procedure for implementing a new RAS or modifying an
existing RAS for PacifiCorp-owned RAS.Following this procedure will assist in meeting the
compliance requirements of NERC reliability standards listed below:
/Publications FPP RLYPR 04-RAS Procedure doc Rev 0 /15
The inost current version of this docunicar is postec/to engineerin s websites or re/a ornis policies and procedures.
Modi/ication o this docunient inust he authorized b en incering publicar ons.(503)8/3-5096.Page 1 of 8
2.1 PRC-004-WECC-1:PacifiCorp must review all operations of major RAS to identify
apparent misoperations within 24 hours.Within 20 business days all operations of
major RAS must be analyzed for correctness.Depending on the analysis of the
misoperation,PacifiCorp is required to follow R2.1,R2.2,R2.3 or R2.4 of the
standard.See Appendix D.
2.2 PRC-(012 through 014)-WECC-CRT-2 Regional Criterion:PacifiCorp was required
to submit the data described in the WECC Remedial Action Scheme Information
Sheet (Attachment A)to WECC by April 1,2014.WECC designated the Remedial
Action Scheme Reliability Subcommittee (RASRS)as the entity responsible for the
WECC review procedure for proposed and existing RAS within the Western
Interconnection to meet the NERC performance requirements of TPL-001through
TPL-003.PacifiCorp is required to follow the process established by the RASRS to
submit a RAS for review.RASRS shall ensure that each RAS reviewed meets,at a
minimum the following:
The Local Area Protection Scheme (LAPS)and Wide Area Protection Scheme
(WAPS)are designed so that a single component failure,when the LAPS or the
WAPS is intended to operate,does not prevent any portion of the interconnected
transmission system within WECC from meeting the performance requirements
defined in NERC reliability standards TPL-001-0,TPL-002-0,and TPL-003-0 or its
successor.
Inadvertent operation of the RAS meets the same performance requirements
(TPL-001-0,TPL-002-0,and TPL-003-0 or their successors)as that required of
the contingency for which it was designed,and does not exceed TPL-003-0 or its
successor
The proposed RAS will coordinate with other protection and control systems and
applicable WECC emergency procedures.
2.2.1 The Operating Committee (OC)will approve the WECC review procedure for
proposed and existing RAS within the Western Interconnection based upon
receipt of a positive recommendation of the RASRS.
2.2.2 RASRS will review a RAS at the level of a WAPS,when requested to do so
by the OC.
2.2.3 PacifiCorp is required to review the WECC RAS database for accuracy and
report any changes,modifications,retirements or expansions of its RAS to
WECC no later than December 31 of each calendar year.
2.2.4 PacifiCorp is required to submit any additions,changes,modifications,
retirements or expansions of its RAS to RASRS prior to placing the RAS or
its changes into service.
2.2.5 PacifiCorp is required to assess its RAS for operation,coordination and
effectiveness at least once each five years and report the RAS assessment
by sending a completed Attachment B to WECC no later than December 31
of the calendar year in which the assessment was completed.
2.2.6 PacifiCorp is required to retain the documentation to support Attachment B
data for the most recent assessment study reported and provide that data to
WECC within 30 days upon request.
/Publications FPP RLYPR 04-RAS Procedure doc Rev 0 /15
The inost current version of this docunicar is postec/to engineerin s websites or re/a ornis policies and procedures.
Modi/ication o this docunient inust he authorized b en incering publicar ons.(503)8/3-5096.Page 2 of 8
2.3 PRC 015-PacifiCorp is required to maintain a list of all RAS that are owned by
PacifiCorp and review new and modified RAS per WECC procedures.See Appendix
F and Appendix J.
2.4 PRC 017-This standard covers the documentation of maintenance and testing
programs.Documentation must include the following:Identification of all RAS
components (relays,instrument transformers,communication systems and
batteries);maintenance intervals and their basis;summary of testing procedures;
schedules for maintenance and testing and date last tested/maintained.This
standard is being phased out and the requirements are moving into PRC 005.See
Appendix G.
2.5 CIP 002-Meet the cyber security standard for RAS that are part of an
Interconnection Reliability Operating Limit (IROL)or RAS components at medium
security substations that are Bulk Electric System Cyber Assets (BCA).See
Appendix K.
2.6 2.6 PRC 005-PacifiCorp has chosen a time-based maintenance method and is
required to maintain all PacifiCorp-owned protection system components related to
RAS for both PacifiCorp-owned RAS and foreign-owned RAS per the time-based
intervals.Effort to correct identified unresolved maintenance issues is also required.
See Appendix H.
3 Types of RAS
3.1 The WECC remedial action classifications are as follows:
3.1.1 Wide Area Protection Scheme (WAPS):A remedial action scheme whose
failure to operate would result in any of the following:
o Violation of TPL -001-WECC-RBP-2 System Performance RBP
o Maximum load loss greater or equal to 300 MW
o Maximum generation loss greater or equal to 1000 MW
3.1.2 Local Area Protection Scheme (LAPS):A remedial action scheme whose
failure to operate would not result in any of the following:
o Violation of TPL -001-WECC-RBP-2 System Performance RBP
o Maximum load loss greater than or equal to 300 MW
o Maximum generation loss greater than or equal to 1000 MW
3.1.3 Safety Net (SN):A type of remedial action scheme designed to remediate
TPL 004-0 (system performance following extreme events resulting in the
loss of two or more BES elements),or other extreme events.Extreme
events are identified by Planners from TPL -004-1.
/Publications FPP RLTPRO (W-RAS Procedure cloc Rev 0 3 12 15
The most current version o this docunicar is posted to engineerin s webstres or re/a ornis policies and procedures.
Modi/ication o this </ocuntent inust he authori-ed b en incering publicar ons.(5/8)8/3-5096.Page 3 of 8
These classifications only affect the level of detail required for scheme review by the
RASRS.These classifications are used to focus the review effort on the larger schemes that
can have more impact on system operations.
3.2 The use of a RAS is an acceptable practice to meet the system performance
requirements as defined in reliability standards TPL-001-0,TPL-002-0,and
TPL-003-0.Electric systems that rely on a RAS to meet these performance
requirements must ensure that the RAS is highly reliable.Each RAS owner shall
document the design and functional operation of new and modified RAS.
3.3 The following is a list of scheme types that NERC and WECC do not consider to be a
RAS in and of themselves:
Under-frequency or Under-voltage load shedding
Locally-sensing devices applied on an element to protect it against equipment
damage for non-fault conditions by tripping or modifying the operation of that
element,such as,but not limited to,generator loss-of-field or transformer top-oil
temperature
Auto-reclosing schemes
Locally-sensed and locally-operated series and shunt reactive devices,FACTS
devices,phase-shifting transformers,variable-frequency transformers,
generation-excitation systems,and tap-changing transformers
Schemes that prevent high line voltage by automatically switching the affected
line
Schemes that automatically de-energize a line for non-fault operations when one
end of the line is open
Out-of-step relaying that is not designed as an integral part of an SPS
Schemes that provide anti-islanding protection (e.g.,protect load from effects of
being isolated with generation that may not be capable of maintaining acceptable
frequency and voltages)
Protection schemes that operate local breakers other than those on the faulted
circuit to facilitate fault clearing,such as,but not limited to,opening a circuit
breaker to remove infeed so protection at a remote terminal can detect a fault to
reduce fault duty,or bus sectionalizing/splitting/break-up schemes
Automatic sequences that proceed when manually initiated solely by an operator
Sub-synchronous resonance (SSR)protection schemes
Modulation of HVDC or SVC via supplementary controls such as angle damping
or frequency damping applied to local or inter-area oscillations
A protection system that includes multiple elements within its zone of protection,
or that isolates more than the faulted elements because an interrupting device is
not provided between the faulted element and one or more other elements
/Publications FPP RLYPR 04-RAS Procedure doc Rev 0 /15
The inost current version o this docunicar is postec/to engineerin s websites or re/a ornis policies and procedures.
Modi/ication o this docunient inust he authorized b en incering publicar ons.(503)8/3-5096.Page 4 of 8
4 RAS Functional Design and ApprovalProcess
PacifiCorp's template "PAC-RAS-OVERVIEW"is the document that should be populated for
all new and modified RAS.Appendix A has an example of a completed template.The
following are the steps that planning is required to follow to initiate a new RAS or modify an
existing RAS:
4.1 Section A RAS Purpose and Overview document is completed.If an existing RAS is
being modified,the original RAS Purpose and Overview document should be used to
document the changes that are being proposed.
4.2 Present and gain approval from EREV that the proposed RAS is the right solution.
4.3 The Planner is responsible for notifying all neighboring entities that may be affected
by RAS.
4.4 Submit to WECC RASR group for approval.See WECC's Remedial Action Scheme
Design Guide (Appendix C)and Procedure to Submit a RAS for Assessment
Guideline (Appendix B)for information on requirements.For WAPS,some design will
be required prior to submittal to RASR.
4.5 Schemes proposed for removal should also be submitted for approval by WECC
RASR prior to removal.
4.6 Notify the design group once RASR approval has been gained and provide
completed section A of PAC-RAS-OVERVIEW document to the design group.
4.7 Planning is responsible for maintaining the list of PacifiCorp-owned RAS and the
foreign-owned RAS that PacifiCorp owns components of the RAS.Planning submits
this list to WECC annually.This list is also provided to the PRC 017/PRC 005
standard owner as changes are made.
/Publications FPP RLTPRO (W-RAS Procedure cloc Rev 0 3 12 15
The most current version of this docunicar is posted to engineering s webstres or re/a orms policies and procedures.
Modi/ication o this </ocuntent must he authori-ed b en incering publicar ons.(5/8)8/3-5096.Page 5 of 8
5 RAS Design and Construction
PacifiCorp's template "PAC-RAS-OVERVIEW"is the document that should be populated for
all new and modified RAS.Appendix A has an example of a completed template.The
following are the steps that Design is required to follow to implement a new RAS or modify
an existing RAS:
5.1 Section B "RAS Design"and Section C "Monitoring"is completed.If an existing RAS
is being modified,the original "RAS Design"and "Monitoring"should be used to
document the changes that are being proposed.
5.2 Coordination with communications engineering is required,so communication design
is included in Section B and communication settings are completed.
5.3 For WAPS,the design group may need to complete some of the design prior to
submittal by planning to the RASR group.Coordination with planning on
requirements for RASR submittal is required.
5.4 Review of design should be submitted to the planner to ensure original intent is being
achieved.
5.5 Design is responsible for completing Appendices 1,2,4,and 5 of the template.
5.6 Design is responsible for ordering materials and providing construction support.
5.7 Design is responsible for relay settings.
5.8 Design shall forward the template completed through Section C to field technical
support and may need to assist field technical support with Sections D,E,and
Appendix 3 of the "PAC-RAS-OVERVIEW"document.
5.9 Design shall submit final "PAC-RAS-OVERVIEW"document to P8,PRC 017/PRC
005 standard owner and to grid operations.
5.10 If identified as required in the PSRAT scoping document,the design group shall
provide training to grid operations,substation operations and others on the details of
the RAS operation.
6 RAS Operating Procedure,Testing,and Commissioning
PacifiCorp's template "PAC-RAS-OVERVIEW"is the document that should be populated for
all new and modified RAS.Appendix A is an example of a completed template.The
following are the steps that technical support is required to follow to initiate a new RAS or
modify an existing RAS:
6.1 Section D,"RAS Operating Procedure"and Section E,"Commissioning,
Maintenance and Testing"shall be completed.If an existing RAS is being modified,
the original Sections D and E should be used to document the changes that are
being proposed.
6.2 Appendix 3 RAS Associated Maintenance Test Form shall be completed by technical
support.This will include the functional test documentation and any testing of
devices that would not follow a standard relay test form.Technical support may
request assistance from the design group for the functional test documentation.
6.3 Technical support is responsible for review of the maintenance and test forms once
test results have submitted.This should be completed prior to placing RAS in-
service.
/Publications FPP RLYPR 04-RAS Procedure doc Rev 0 /15
The inost current version of this docunicar is postec/to engineerin s websites or re/a ornis policies and procedures.
Modi/ication o this docunient inust he authorized b en incering publicar ons.(503)8/3-5096.Page 6 of 8
7 RAS Performance Assessment
Appendix J includes a list of all PacifiCorp-owned RAS.Planning is responsible for
maintaining this list and submitting any changes to WECC.
7.1 WECC requires that all RAS be assessed for operation,coordination,and
effectiveness at least every five years for compliance with NERC and WECC
standards and WECC criteria.
7.2 PacifiCorp typically performs System Operating Limit (SOL)studies,daily outage
planning,real time contingency analysis,or similar studies.If any violations of
performance of the RAS are discovered during these studies,a Corrective Action
Plan (CAP)must be developed.CAP must include a resolution and timeline to fix.If
CAP solutions involve significant modifications to RAS,then those modifications
must be reviewed by the RASRS through the procedures described in Section 3.
7.3 Planning is required to update the WECC RAS database annuallywith any changes
(new,modified or retired)to RAS that have gained approval from RASR.
8 RAS Mis-Operation Reporting
WECC requires PacifiCorp to ensure all transmission and generation misoperations of
"major"RAS are analyzed and/or mitigated.See Appendix I for the list of "major"WECC
RAS.Technical support is responsible for performing this analysis and recommending the
mitigation.This includes all accidental or unintended RAS operations that do not meet the
expected performance or RAS failures to operate that result in system performance outside
the expected levels.
8.1 Grid operations shall review all operations of "major"RAS to identify apparent mis-
operations within 24 hours.
8.2 Technical support shall analyze all operations of "major"RAS within 20 business
days for correctness to characterize whether a misoperation has occurred that may
not have been identified by grid operations.
8.3 Depending on the type of misoperation of the "major"RAS,technical support is
required to meet WECC PRC 004-WECC-1 requirements.This includes submitting
to WECC within 10 business days,a misoperations incident report.
/Publications FPP RLTPRO (W-RAS Procedure cloc Rev 0 3 12 15
The most current version of this docunicar is posted to engineerin s webstres or re/a orms policies and procedures.
Modi/ication o this </ocuntent must he authori-ed b en incering publicar ons.(5/8)8/3-5096.Page 7 of 8
9 RAS Maintenance and Testing Documentation
Relays,communication equipment,CT,PT,and batteries associated with a PacifiCorp-
owned RAS,as identified in Section 4 of the "PAC-RAS-OVERVIEW"document,are
required to be maintained per defined intervals as established in Policy _001.
9.1 Reliability standards is responsible for notifying maintenance planning of all devices
that are to be labeled in SAP as part of a specific RAS so maintenance plans can be
established.This should happen prior to in-service of the RAS.
9.2 Maintenance planning ensures that testing of the individual components of the RAS
and the functional test of the overall RAS are maintained and tested per established
intervals,provides an annual report documenting the current planned and actual
maintenanceltest dates along with the established interval,and the previous planned
and actual maintenanceltest dates.
9.3 RAS components owned by PacifiCorp but that are part of a RAS owned by another
entity must be maintained and tested also.The other entity is responsible for
reporting the dates and intervals to WECC and may request documentation of the
maintenance and testing.Operations may be involved in testing a portion of the
RAS.
/Publications FPP RLTPRO 04-RAS Procedure ciocx Rev 0 3 12 15
The most current version o this docunicar is posted to engineering s websites or cela ornis policies and procedures.
Modi/ication o this docuntent inust be authorized b en incering publications.(503)8/3-5096.Page 8 of 8
PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
RAS Name YALE RUN-BACK
Document #PAC-RAS-OVERVIEW-1001 Document numbers maintained by P&C Engineering
Revision 01.03 Document_revision.Template_revision
Document Date 3/27/2014 The most recent date between the document revision
date and the template revision date used
Contributors Name Organization
Chip Carter Transmission/Area Planning
Michael Payne Protection &Control Engineering
Robert Skimmyhorn Relay Support
Jeff Littman Substation Operations
Johnny Trumps Hydro Operations Engineering (PAC Energy)
Revision Name Title
Document Larry Frick Transmission/Area Planning Director
Approvals Greg Stratton Protection &Control Engineering Manager
Steve Leistner Relay Field Technical Support Manager
Steve Henderson Substations Operations Director
Erik Brookhouse Design Engineering Director
Ali Shafaei Hydro Operations Engineering Director (PAC Energy)
RAS Milestones Description Date
RAS need,proposed operation,and classification identified April 24,2012
Executive agreement that RAS is required August 9,2012
RAS capital project funding approved August 9,2012
RAS capital project design start November 17th,2012
Initial Proposal to WECC RASRS November 2013
RAS capital project design complete January 8th,2013
Detailed RAS documentation to WECC RASRS (WAPS,SN only)N/A
RAS capital project construction/testing complete February 28th,2013
Executive agreement to put RAS in service February 28th,2013
RAS put into service February 28th,2013
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 1/26
PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-...------Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
Table of Contents
Section Description Page
(i)PacifiCorp RAS Document Revision History 3
(ii)PacifiCorp RAS Document Template Revision History 3
(iii)References 3
(iv)Information Required to Assess the Reliability of a RAS 4
A RAS Purpose and Overview 6
B RAS Design 10
C Monitoring 16
D RAS Operating Procedures 17
E Commissioning,Maintenance,and Testing 18
F Performance and Operational History 19
Appendix 1 RAS Associated Drawing List 20
Appendix 2 RAS Associated Relay Setting Order List 21
Appendix 3 RAS Associated Maintenance Test Form 22
Appendix 4 RAS Associated Equipment Subject to NERC PRC-017 Requirements 25
Appendix 5 RAS Associated Affected Apparatuses 26
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 2/26
PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
(i)PACIFICORPRAS Document Revision History
Rev Date Description of Change
00 12/31/2013 Initial draft of document.Completed after RAS put into service.
01 3/27/2014 Updated to current template format and additional information added.
(ii)PACIFICORPRAS Document Template Revision History
Rev Date Description of Change
00 2/27/2013 Initial draft of document template based on WECC Procedure to Submit a RAS
for Assessment,dated August 2012.
01 3/25/2014 Updated draft of document template based on the WECC Procedure to Submit a
RAS for Assessment,dated October 2013.
02 3/26/2014 Moved section G (this table)to front of document and minor formatting
corrections.
03 3/27/2014 Removedthe previous section (i)the WECC Procedure to Submit a RAS for
Assessment document and relabeling it as references.Put the table contents ahead
of the revision history sections and renumbered first three sections.Added
appendix 4 and appendix 5.Minor formatting changes.
(iii)References
Type Date Description
WECC Guideline Oct 2013 (draft)Procedure to Submit a RAS for Assessment
Note:the template used to create this PacifiCorp RAS Overview
Document is based on the referenced WECC guideline.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 3/26
Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
(iv)Information Required to Assess the Reliability of a RAS
For all new or modified RAS,also provide information required by the WECC RAS initial or Periodic
Assessment Summary as Attachment B of PRC-(012 thru 014)-WECC-CRT-2.
1 RAS Name
Yale Run-Back
2 Reporting Party
PacifiCorp
3 Group Conducting this RAS Assessment
PacifiCorpTransmission/Area Planning
4 Assessment Date
November 2012
5 Review the scheme purpose and impact to ensure proper classification
a Is it (still)necessary?
Yes
b Does it serve the intended purpose?
Yes
c Does it continue to meet current performance requirements?
Yes
6 The RAS assessment including Study Years
The assessment was done with existing conditions,noting that the risk identified has been in place
since 1958.With 310 MW of generation and two lines each with 176 MVA of capacity,loss of one
line results in an overload of the surviving line.The problem is related to generation output,and
not load or grid flow conditions,making future case analysis a moot point.
7 System conditions
The condition that results in a TPL violation is during light load condition with the Merwin and Yale
hydroelectric generation plants at maximum output,such as during spring run off or heavy local
precipitation conditions.
8 Contingencies analyzed (indicate which applies:N-1,N-1-1,N-2,Extreme)
With only two elements in the system,the N-1 condition poses the worst case situation where all
of the generation is carried by one line only.
9 Date when the technical studies were completed
April 24,2012
10 Does the RAS comply with NERC standards and adherence to WECC Criteria and TPL-001-WECC-
RBP-2?
Yes
11 Discuss any coordination problems found between this RAS and other protection and control
systems during this (most recent)assessment.
None
12 Provide a corrective Action Plan if this RAS was found to be non-compliant or had coordination
problems during this (most recent)assessment (should be NA for owner's initial assessment).
N/A
13 Provide the name and contact information of the person responsible for this RAS data submittal.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 4/26
PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
(iv)Information Required to Assess the Reliability of a RAS
Jason Wilson
PacifiCorpTransmission Planner
1407 West North Temple
Salt Lake City,UT 84116
(801)220-4056
Jason.T.Wilson@PacifiCorp.com
If a classification of LAPS is claimed by the Reporting Party,full scheme review by the RASRS is generally
not required unless this classification is not agreed to by the RASRS.The Reporting party must provide
adequate information for the RASRS to judge the proposed scheme classification.A scheme is a LAPS if
all of these questions can be answered negatively.
WECC TPL Regional Business Practice -WR3 violation?
WECC TPL Regional Business Practice -WR1 or 2 external impact violation?
Load at risk 2 300 MW?
Generation at risk 2 1000 MW?
If a full RASRS scheme review is not required (LAPS),the RAS owner is still responsible for meeting all of
the requirements of PRC-(012 thru 014)-WECC-CRT-2.Specifically,the scheme must still satisfy
requirements WR5.1-3 (single point of failure,inadvertent operation,and coordination).
If a full RASRS review is required (for WAPS or SN),the following information,sections A -F must be
submitted for review.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 5/26
PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
A.RAS PURPOSE AND OVERVIEW
1 Identifythe ownership of the RAS (the Reporting Party).
PacifiCorp
2 Provide the name of the RAS,the purpose and the desired in-service date.Include the specific type
of system problem(s)being solved,e.g.transient stability,thermal overload,voltage stability,etc.
Name Yale Run-Back
Purpose Prevent a line clearanceviolation or conductor damage of the Longview and
Battleground lines connected to the Merwin Switching Station in the event of a
sustained thermal overload of either line with the other line tripped out from a
system event.
Desired ISD 2/28/2013
3 Provide the owner's classification of the RAS as a LAPS,WAPS,or SN.
LAPS
4 Provide the information required to populate the WECC RAS data base using the appropriate Excel
spread sheet,PRC-013 template (available on the WECC web site).
Scheme is already in PRC-013 database.No changes are required.
5 Provide the name(s)of person(s)within the owner's organization who is (are)responsible for the
operation and maintenance of the RAS.
Operation Jeff Littman
8111 NE Columbia Blvd
Portland,OR 97218
Phone:(503)737-3301
Email:Jeff.Littman@PacifiCorp.com
Maintenance Jeff Littman
8111 NE Columbia Blvd
Portland,OR 97218
Phone:(503)737-3301
Email:Jeff.Littman@PacifiCorp.com
6 Provide a description of the RAS to give an overall understanding of the functionality and a map
showing the location of the RAS.Identify other protection and control systems requiring
coordination with the RAS.See "RAS Design",below,for additional information.
The Yale Run-Rack Scheme is an automatic scheme located at the Merwin Switching Station.It
consists of redundant SEL-751 relays connected to redundant current transformers.It is designed
such that either relay sends a runback signal via Ethernet Modbus TCP/IP to the Yale Plant in the
event of a sustained thermal overload of either the Longview line or the Battleground line.Each
relay implements two overcurrent elements,one for summer line limits and the other for winter
line limits,that are asserted based on calendar date.The runback signal automatically reducesthe
generator output from the Yale plant until the overload condition is eliminated.A delay of 2
seconds from overload condition initiation to runback signal initiation has been added to avoid
triggering a runback during a momentary line fault or other transient overload condition.If the
runback scheme fails to eliminate the overload condition within 60 seconds of runback signal
initiation,the scheme will trip breakers CB 2P26 and CB 2P27,isolating the Yale Plant from the
Merwin Switching Station.No other protection and control systems require coordination with this
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 6/26
Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
A.RAS PURPOSE AND OVERVIEW
scheme.
Ielen
COUVCT-air
North
Portirind
7 Provide a single line drawing(s)showing all sites involved.The drawing(s)should provide sufficient
information to allow RASRS members to assess design reliability,and should include information
such as the bus arrangement,circuit breakers,the associated switches,etc.For each site,indicate
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 7/26
Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
A.RAS PURPOSE AND OVERVIEW
whether detection,logic,action,or a combination of these is present.
4|I scheme detection and logic is present at the Merwin Switching Station.Action occurs at both the
Vlerwin Switching Station (breaker trip)and the Yale Plant (generation runback).
BPA CARDWELL
ARIBL
LONGVIEW LINE
INO LAKE LINE
\No *
I CB 2P27
MERWIN
BATTLEGROUNDLINE VIEW CHELAT HIE
YALE
CHERRY GROVE
TO PACW PORTLA.ND
iite Detection Logic Action
Vlerwin X X X
lale X
Cardwell (BPA)
Ariel (Cowlitz County PUD)
View (Clark Public Utilities)
Chelatchie (Clark Public Utilities)
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 8/26
Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-....-..--Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
A.RAS PURPOSE AND OVERVIEW
Cherry Grove (Clark Public Utilities)
8 Indicate the type of system reliabilitystudies performed and a list of any that are in progress.
A contingency study was performed to assess the risk of overloading either line.A transient stability
analysis was performed to verify the necessity of the LAPS.
9 Provide a discussion of the impact to the WECC power grid,including other protection and control
systems that result from the actions taken by the proposed RAS and from its failure to operate as
expected.Does a failure to operate or a misoperation impact an Intertie Path?If yes,what Intertie
Path?
Other than the previously mentioned load and generation loss,neither intended operation,
misoperation,nor failure to operate would have any impact to the WECC power grid,any other
protection and control system,or any Intertie Path.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 9/26
PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-...----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
B.RAS DESIGN
1 Describe the design philosophy (e.g.failure is to be a non-credible event).
The scheme will continue to perform its intended function even while experiencing any single
point of failure.
2 Describe the design criteria.
Failure of a single component,element or system will not jeopardize the successful operation of
the scheme.
3 RAS Logic -Provide a description of the RAS Logic in the form of written text,flow charts,matrix
logic tables,timing tables,etc.as appropriate and identifythe inputs and outputs.Provide
appropriate diagrams and schematics.
See the logic diagram below.
TEST 59¶IN101 LTO3
NOg"RELAY NOTI a S OI\TEST |FATTLEGROUND LN L'ODOUS TCUT1021 ,
USH(L
E
LAKE LINE TRPPED
CUT502 TRIP CB 2P27
LONGVIEW LN
iCUTbO3
i BFL CB 2P26
4 RAS Logic Hardware -Provide a description of the logic hardware (relay,digital computer,etc.)and
describe how the RAS logic function is achieved.
Scheme logic is implemented using separate SEL-751 relays at the Merwin Switching Station.PLCs
(Programmable Logic Controllers)at both the Merwin Switching Station and the Yale Plant are
used to transmit the runback signal to the Yale Plant Hydro control Center.See the functional
block diagram below.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 10/26
Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
B.RAS DESIGN
YALE RAS FlJNCTION BLOCK DIAGRAM
REV3
MERWIN
C
YAL
-MICROWAVE
PLC I I MICROWAVE MICROWAVE I I PLC
172 16228.40 172 16.10 148
YLC MWC RAS INI ST
MWC RAS 11A TRP ST MWC RAS 118 TRP ST
MWC RAS 11A INI ST MWC RAS 118 INI ST
MWC RAS 11A_NIT St MWC RAS 118 NtT ST YLC
PLC
11A 118 17216.10141
SEL-751 SEL-751 ¯'
RELAY RELAY17216.22871,172.1622872 YL1_GËN RAS_INI ST YL2 GËN RAS INI ST
YL1 YL2
PLC PLC
172.16.10.139 172.16 10 140
Yale microwave digital output for Run-Back Initale isRelay11Aand118monilortheBaltiegroundLineandLongviewLineandconnected10adigitalenpulonIheniicrowavePLC.set a Run-Back Ini1sate stales (INI ST)when li had detected a Line Limit
alarm >25 Yale Common PLC {YLC}monitors the RAS Initiale slatus
Mewritt Common PLC (MWC)monitors the Run-Back Ittdsale stalus from the rmetowave PLC.
(INI_ST)and Relay Noi In Test {NIT ST)from Relay i tA and 118 MWC
energizes a digital oulput when it had detected Ihe Run·Back Initiale status Yale Generator 1 PLC (YL1)and Generator 2 PLC (YL2)
(INI ST)and Relay Not in Test (NIT ST)from Relay 11A or 11B monitor the RA$Inttiale slatustromtheYLC PLC
Relay 11A and 118 will ing breakers 2P26 and 2P27 if the Line Lamil alarm
is not cleared after BOseconds MWC PLC will read the trip status from
Relay 11A and 118 and will sel lhe trip alarm points
MWC RAS 11A TRP STandMWC RAS 11B TRP ST.
5 Redundancy-Provide a discussion of the redundancy configuration and if appropriate,why
redundancy is not provided.Include discussion of redundant:
a Detection
Separate SEL-751 relays with independent current transformers.
b Power supplies,batteries and chargers
Redundant power supplies,batteries,and chargers are not required.Battery and charger
alarms are centrally monitored.In the event of a power supply or battery failure,generation at
Merwin would automatically shut down.
c Telecommunications (also mentioned in item 10d)
Redundant communications paths are not required.In the event of a failure of the
communications path,the scheme will trip CB 2P26 and CB 2P27 after 60 seconds from
runback signal initiation.This will isolate the Yale Plant from the Merwin Switching Station.
Since either line has capacity to carry the maximum output of the Merwin plant generation
alone,there is no possibility of a line overload with the Yale Plant generation eliminated.
d Logic controllers (if applicable)
Separate SEL-751 relays.Redundant PLCs used in the communication path are not required
(see section B.5.c above).
e RAS trip circuits
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 11/26
Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
B.RAS DESIGN
The scheme runback ramp rate is set such that the Yale generators,if fully loaded,will fully
unload in about 45 seconds.With the Yale generation eliminated,the remaining line would not
be overloaded.In the event of a breaker trip failure,the runback would eliminate the overload
condition.Both the breaker trip and the runback would haveto fail (double point failure)prior
to a line clearanceviolation or conductor damage.
6 Arming -Describe how the RAS is armed (e.g.remotely via SCADA,locally,automatic,etc.).
The scheme is always armed.
7 Detection -Define all inputs to the RAS for the scheme to perform its required purpose.Examples
are provided below.
a Devices needed to determine line-end-status such as circuit breaker (52 a/b contacts)and
disconnect status
NA
b Protective relay inputs
See B.7.b below.
c Transducer and IED (intelligent electronic device)inputs (watts,vars,voltage,current)
The SEL-751 relays monitor the A-phase line current for each line.The line thermal limit for
each line is set using two instantaneous overcurrent elements.
d Rate-of-change detectors (angle,power,current,voltage)
NA
e All other inputs (e.g.set points,time from a GPS clock and wide area measurements such as
voltage angle between two stations)
The winter limit elements are always enabled.Using the time input from a GPS clock as
reference,the summer limit elements are enabled from April 1st to October 31st.
f Provide details of other remote data gathering or control equipment
NA
8 Coordination with Protection and control Systems.Describeall protection and control systems
interactions with the RAS,in addition to the RAS inputs described in (7)above.
a System configuration changes due to RAS operation do not adversely affect protective relay
functions such as distance relay overcurrent supervision,breaker failure pickup,switching of
potential sources,overexcitation protection activation,or other functions pertinent to the
specific relays or protection scheme.
Scheme operation does not affect protective relay functions or other protection schemes.
b If studies indicate that transient or sustained low voltages are expected in conjunction with
elevated line flows during or after RAS operation,confirm that any protection settings on
affected lines will not cause cascading outages related to the low system voltages.
Scheme operation will not result in low system voltage.
c Potential adverse interactions with any other protection or control systems.
This scheme does not adversely affect any protective or control systems.
9 Multifunction Devices.A multifunction device is a single device that is used to perform the
function of a RAS in addition to protective relaying and/or SCADA simultaneously.It is important
that other applications in the multifunction device do not compromise the functionalityof the RAS
when the device is in service or when is being maintained.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 12/26
Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
B.RAS DESIGN
a Describe how the multifunction device is applied in the RAS.
The multifunction devices used in this scheme are the following programmable logic
controllers (PLC).
Merwin Plant PLC -Receives the Yale runback command from SEL-751 relays then passes it
on to the Merwin microwave.
Yale Microwave PLC -Receives the Yale runback command from the Yale microwave then
passes it on to the Yale plant PLC.
Yale Plant PLC-Receives the Yale runback command from the Yale microwave PLC then
passes it on to the Yale generator 1 and generator 2 PLCs.
Yale Generator 1 PLC-UnloadsYale #1generatorwhen the Yale runback command is
received from the Yale plant PLC.
Yale Generator 2 PLC-Unloadsthe Yale #2 generator when the Yale runback command is
received from the Yale plant PLC.
b Show the general arrangement and describe how the multi-function device is labeled in the
design and application,so as to identifythe RAS and other device functions.
The PLCs are arranged as shown in the image in section B.4 (Yale Run-Back Scheme Function
Block Diagram).There is no physical labeling on the PLCs to identify involvement in the Yale
Run-Back scheme.Separate sections in the PLC program code identify portions of the Yale Run-
Back logic.
c Describe the procedures used to isolate the RAS function from other functions in the device.
Portions of PLC logic for the Yale Run-Back scheme appear in their own sections.These
sections are independent of PLC logic for other functions.Some portions of the PLC logic for
the Yale Run-Back scheme are integrated with other sections of logic.The logic for
communication and load shedding cannot be separated from these other functions.
d Describe the procedures used when each multifunction device is removed from service and
whether any other coordination with other protection is required.
These PLCs are not removed from service without an outage of the associated generator.The
normal outage process with a Compass notification would take place.
e Describe how each multifunction device is tested,both for commissioning and during periodic
maintenance testing,with regard to each function of the device.
The PLCs involved in this system are existing and do not receive periodic maintenance testing.
The health status for these PLCs is monitored by hydro SCADA system.Should a PLC fail the
SCADA is configured to generate an alarm at the Hydro control Center (HCC).
f Describe how overall periodic RAS functional and throughputtests are performed if
multifunction devicesare used for both local protection and RAS.
Periodic functional testing of the runback scheme as described in section E has no effect on the
functionalityof any of the PLCs associated with this scheme.
g Describe how upgradesto the multifunction device,such as firmware upgrades,are
accomplished.How is the RAS function taken into consideration?
PLC program logic updates are done as needed using remote access.Updates to other PLC
logic will have no effect on the Yale Run-Back scheme.When the firmware is updated the PLC
is taken out of service and the process as identified in B.9.d above is followed.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 13/26
Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
B.RAS DESIGN
10 Te ecommunications
a Provide a graphical display or diagram for each telecom path used in the proposed RAS
scheme,including extent of redundancy employed.See references.Indicate ownership of the
circuits,paths,and segments.Indicate responsibility for maintenance.If a telecom circuit
utilizes a public network,describe monitoring and maintenance agreements including repair
response,details of availability,and how possible change of ownership is addressed.Describe
maintenance agreements and response commitments when the RAS communication utilizes
multiple private systems.
The communication path is arranged as shown in the image in section B.4 (Yale Run-Back
Scheme Function Block Diagram).The communication path does not contain any redundancy.
All equipment in the communication path is owned and maintained by PacifiCorp.
b Describe and list the telecommunications media and electronic equipment (e.g.microwave
radio,optical fiber cable,multiplex node,power line carrier,wire pair,etc.)including
redundancy employed in each telecom path.For each of the paths and segments of the RAS,
identifythe type of telecom equipment employed.For example,whether analog or digital
licensed microwave radio,unlicensed spread spectrum radio,fiber optic SONET node,etc are
applied.
The communication path consists of the Merwin plant PLC,Merwin microwave,Yale
Microwave,Yale microwave PLC,Yale plant PLC,Yale generator 1 PLC and Yale generator 2
PLC.The Merwin microwave and Yale microwave are connected on PacifiCorp Licensed
microwave radio.The PLCs are connected to each other with network switches with Cat5
Ethernet cable.
c Provide a description of common facilities used for each RAS telecom path and segment that
are not specifically excluded from redundancy by the WECC critical communication circuit
design guideline (e.g.towers,generators,batteries).Identifypaths or segments routed
through common equipment chassis such as Digital cross-connect System,SONET node,or
router.Identify physical media carried or supported by the same structure,such as a
transmission line tower,pole structure,or duct bank.Discuss outside plant and inside plant
routing diversity.
Entire communication path is non-redundant.
d Provide a discussion of communications system performance including,circuit or path quality
in terms of availability.Provide details of reliability (e.g.,availability of 99.95%),and other
supporting reliability information such as equipment age,history,maintenance,etc.
Telecommunication reliabilityinformation is the average overall percentage,and not point-to-
point information.
Communications system performance is unknown.
e Provide a discussion about performance of any non-deterministic communication systems
used (such as Ethernet).If RAS performance is dependent upon successful operation through a
non-deterministic communications system or path,then describe how timing and latency
issues will be addressed and verified.Include timing and latency planning or management and
verification for initial commissioning and in the event of network modifications or additions.
Identifywhich industry standard is applied.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 14/26
Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
B.RAS DESIGN
PLC to PLC communications uses Modbus TCP/IP.These communication paths operate
continuously at cycle rates of less than once a second.Should one of these communication
paths fail an alarm will be generated at HCC.Total end to end communications latency is about
3 seconds.The latency is considered short enough to be negligible.
f Acknowledge provision of appropriate high voltage entrance protection if wire pairs are used.
Not applicable.Communication equipment not located in high voltage area.
11 Transfer Trip Equipment -Identifythe manufacturer and type (FSK audio tone,FS carrier,digital,
etc.),and provide the logic configuration (dual channel,pilot tone,etc.).Identifywhether internal
device medium is used;e.g."Relay-to-Relay"communication.
Not applicable.
12 RemedialActions Initiated -Provide a functional description of the action(s)produced by the
scheme and include a simplified one-line diagram of the RAS output to the end-device operated by
the scheme.
The runback signal automatically reduces the generator output from the Yale plant until the
overload condition is eliminated.If the runback scheme fails to eliminate the overload condition
within 60 seconds of runback signal initiation,the scheme will trip breakers CB 2P26 and CB 2P27,
isolating the Yale Plant from the Merwin Switching Station.See the logic diagram in section B.3.
13 RemedialAction Schemes may haveelements such as engineering access,routable protocols,and
sensitive design documentation included in the design that require compliance with the NERC CIP
Standards.Utilities may handle CIP compliance differently.Please provide a high level overview of
how your company's CIP Compliance Program requirements are incorporated into this RAS design.
There are no CIP requirements for the telecommunications facilities involved with the Yale Run-
Back scheme.
The RASRS concern is that CIP compliance does not compromise the reliabilityof the RAS.RASRS
will not assess compliance,validity or completeness of the owner's CIP program.The owner
remains completely and solely responsible that its CIP program complies with NERC standards.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 15/26
Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-...------Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
C.MONITORING
1 Provide details of RAS monitoring equipment and time resolution including station alarms,SCADA
monitoring,and Sequence of Events Recorders.
The relay failure alarms for the runback scheme relays are continuously monitored at cycle rates of
less than once a second by the Hydro control Center.See section B.10.e for communication path
failure alarm description.
2 Provide details of facilities monitored including:
a Equipment self-diagnostics and annunciation
Relay failure alarms continuously monitored by the Hydro control center.
b Initiation locations
Same as section C.2.a.
c Logic facilities
Same as section C.2.a.
d Telecommunications
A communications path failure of either path will generate an alarm at the Hydro control
Center.
e Transfer trip equipment
There is no transfer trip equipment.
f RAS actions
Runback action and is monitored via SCADA at the Hydro control Center.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 16/26
Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-....-..--Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
D.RAS OPERATING PROCEDURES
Provide a summary of the operating procedures or the relevant Dispatch Instructions pertaining to this
RAS during abnormal system conditions.Specifically addressthe operating procedures for the following
situations:
1 The RAS operates incorrectly (failure to operate or false operation).
Operators at HCC use manual SCADA control to run back load on the Yale generators.
2 One part of a redundant RAS system is unavailable so that complete redundancy is no longer
assured.
The appropriate maintenance staff is called in to investigate.No action is taken on the Yale
generators.
3 Unscheduled,or unplanned and not coordinated,unavailability of the subject RAS (complete loss
of RAS)impacts operation.
The appropriate maintenance staff is called in to investigate.No action is taken on the Yale
generators.
4 When a partial or total loss of input data required for arming decisions.
The appropriate maintenance staff is called in to investigate.No action is taken on the Yale
generators.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 17/26
PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
E.COMMISSIONING,MAINTENANCEAND TESTING
1 Describe the RAS commissioning and overall functional test procedure(s).
Maintenance test procedure also used as commissioning and overall functional test procedure (see
section E.2 below).
2 Describe the maintenance and test procedures including:
a The provision of test switches and test facilities.
All output test switches for breaker trip,breaker failure,and alarms are opened prior to
testing.Test switches corresponding to specific functional tests are closed for the specific test
step,and then reopened following completion of the test step.Dispatch and the plant control
center are both contacted and clearance for testing is given prior to testing.The runback signal
is isolated from the governors of the Yale generators prior to testing to avoid a generation
runback during testing.
b Preventive maintenance;both electrical and telecommunication.
Visual inspection performed prior to maintenance testing.
c Functional Testing,including system end-to-end checks.
Following visual inspection and testing setup,an end-to-end functional test of the 11A relay is
performed,verifying:trippingof CB 2P26,tripping of CB 2P27,and receipt of runback signal at
the Yale plant.An end-to-end functional test of the 11B relay is then performed,verifying:
tripping of CB 2P26,tripping of CB 2P27,and receipt of runback signal at the Yale plant.All
overload conditions during functional testing are simulated for 3 seconds and 63 seconds to
verify that terminating the overload condition within the 60-second runback window will
prevent trippingthe breakers.
d Provide the maintenance and test intervals,including any seasonal restrictions.
The runback scheme will undergo maintenance testing every 4 years.No seasonal testing
restrictions exist.
e A copy of the Maintenance and Test Procedure(s).
See Appendix 3.
f A discussion of power system curtailment during maintenance and test activities.
Power system curtailment is not required during maintenance and test activities.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 18/26
PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
F.PERFORMANCE AND OPERATIONAL HISTORY
1 Provide assurances that the overall performance and operating time of the RAS will meet the
requirements identified in system studies.
A dynamic thermal study was performed on both the Longview and Battleground lines.
Calculations show that for worst case conditions,eliminating the overload condition within 90
seconds will avoid both a line clearance violation and conductor damage.This redundant design is
assured to detect and eliminate an overload condition within 62 seconds by virtue of its superior
hardware and excellent software.This responsetime is less than the 90 second response needed
as determined by the planning study.
2 When using the existing equipment and components,such as the EMS,RAS controllers,and arming
devices,address the following items as they pertain to the operational history of such equipment
and procedures.
a How long has the RAS been in operation and how many times has it operated?
Section not applicable since this is a new scheme.
b How many times has the RAS failed to operate when it should have?Provide details of causes
and impacts.
Not applicable.
c How many times has it operated unnecessarily?Provide details of causes and impacts.
Not applicable.
d What modifications,if any,are planned as a result of b and c above?
Not applicable.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 19/26
PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
APPENDIX 1
RAS Associated Drawing List *
DRAWING#REV LOCATION TITLE
12280A01 30 MERWIN ONE LINE DIAGRAM KEY SHEET
12280A02 3 MERWIN SWITCHING STATION ONE LINE DIAGRAM
12280A03 1 MERWIN YALE RUN-BACK RELAY LOGIC
106372.001 5 MERWIN CURRENT SCHEMATIC CB 2P1 &2P3
106372.002 2 MERWIN CURRENT SCHEMATIC CB 2P2 &2P4
106372.003 3 MERWIN CURRENT SCHEMATIC CB 2P6 &2P8
106372.004 2 MERWIN CURRENT SCHEMATIC CB 2P26 &2P27
106372.005 6 MERWIN CURRENT SCHEMATIC PORTLAND &LONGVIEW LINES
108288.001 2 MERWIN PANEL LAYOUT &WIRING BREAKER FAILURE PANEL A
108288.002 2 MERWIN PANEL LAYOUT &WIRING BREAKER FAILURE PANEL A UPPER
108288.003 3 MERWIN PANEL LAYOUT &WIRING BREAKER FAILURE PANEL A LOWER
108288.004 2 MERWIN PANEL LAYOUT &WIRING BREAKER FAILURE PANEL B
108288.005 2 MERWIN PANEL LAYOUT &WIRING BREAKER FAILURE PANEL B UPPER
108288.006 3 MERWIN PANEL LAYOUT &WIRING BREAKER FAILURE PANEL B LOWER
108288.008 7 MERWIN PANEL LAYOUT &WIRING PANEL 2R ("C"BUS)
108288.009 6 MERWIN PANEL LAYOUT &WIRING PANEL 3R
108288.010 1 MERWIN PANEL LAYOUT &WIRING PANEL 2R
108288.011 1 Merwin PANEL LAYOUT &WIRING PANEL 3R
108547.013 4 MERWIN CONTROL SCHEMATIC BREAKER 2P26
108547.014 2 MERWIN CONTROL SCHEMATIC BREAKER FAILURE 2P26
108547.015 4 MERWIN CONTROL SCHEMATIC BREAKER 2P27
108547.016 3 MERWIN CONTROL SCHEMATIC BREAKER FAILURE 2P27
108547.017 4 MERWIN CONTROL SCHEMATIC PORTLAND LINE PANEL 2R
108547.018 3 MERWIN CONTROL SCHEMATIC KALAMA LINE PANEL 3R
161669.001 1 MERWIN CONTROL SCHEMATIC YALE RUN-BACK RELAY COMMUNICATIONS
163517.000 0 MERWIN DRAWING LIST
*Drawing revisions as of document date.Current drawing revisions can be found in PacifiCorp's
document management system.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 20/26
Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
APPENDIX 2
RAS Associated Relay Setting List *
ISSUE
APP ID LOCATION APPARATUS DESCRIPTION ISSUED BY DATE SET BY SET DATE
33242 MERWIN 2P26,2P27 Yale Run-Back Scheme M.Payne 2/6/2013 D.Gillum 3/22/2013
*Relay setting order app ID,issued by,issue date,set by,and set date as of document date.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 21/26
PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-...----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
APPENDIX 3
RAS Associated Maintenance Test Form
North Hydro Yale Run-Back Maintenance Test Form
Version1
PacifiCorp Protection and Control Technical Services Form PCF-XXX
The Person(s)responsible for the job shall print their names(s)below as verification that the work has been performed correctly and the form
filled out accurately.Each responsible person shall list their identifying number (1,2,3,4,or 5)in the "signed by"columns next to the results of
each of the tasks they perform.
Responsible person 1:Phone Number:Date:
Responsible person 2:Phone Number:Date:
Responsible person 3:Phone Number:Date:
Responsible person 4:Phone Number:Date:
Responsible person 5:Phone Number:Date:
Crew:Work Order:
Purpose:Scheduled Corrective Commissioning _Other
Equipment Identification
PacifiCorp Equipment/SAP Number
For results:A =acceptable,C =corrected,U =unacceptable,NA =not applicable to this equipment
For items marked "C or U",provide a detailed explanation in the comments section
Visual inspection
Signed by Results
1.Switchyard configuration normal "A"or not normal "U"
2.All alarms identified and or cleared
3.Verify relay is in summer position (Apr 1-Oct 31)or winter position (Nov 1-Mar 31)as applicable
Testing Setup
Grid Operations
Signed by Results
1.Safety tailgate
2.Dispatch contacted /clearance issued as needed
3.Save all history/settings from the relay prior to testing
4.Set relay to test position (Test SW 1;Open knife SW 1-2 &5-6)
5.Make sure the 43R reclosers are in the off (normal)position for 2P26 &2P27
6.Make sure that all trip,BFI and alarm outputs are c/o at the test sw's
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 22/26
PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-...----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
APPENDIX 3
RAS Associated Maintenance Test Form
Hydro control center
Signed by Results
1.Contact control center
2.Verify the run down signal is isolated from the generator governor
11A Functional test of relay tripping 2P26
Signed by Results
1.c/o LOR 86BF26 outputs
2.close test SW knife sw's to the 2P26 trip and BFI
3.inject a current above 50N2P (seasonal)and leave on for 63 seconds.2P26 and LOR should not trip
4.Close input 101 (Test SW 1;Open knife SW 1-2 &5-6)putting the relay to "not in test position"
5.inject a current above 50N2P (seasonal)and leave on for 3 seconds.2P26 and LOR does not trip
6.verify run down signal reached to where the generator governor was cut out
7.inject a current above 50N2P (seasonal)and leave on for 63 seconds.2P26 and LOR trips
8.reset LOR and close 2P26
9.open test SW knife sw's to the 2P26 trip and BFI (just monitor trip and BFI outputs from test sw)
10.force relay clock to seasonal change
11.inject current above 50N1P (seasonal)for 63 seconds.Trip &BFI outputs (monitored)should close
12.note:leave clock as is as you begin testing 2P27
11A Functional test of relay tripping 2P27
Signed by Results
1.c/o LOR 86BF27 outputs
2.close test SW knife sw's to the 2P27 trip and BFI
3.inject a current above 50P1P (seasonal)and leave on for 3 seconds.2P27 and LOR does not trip
4.verify run down signal reached to where the generator governor was cut out
5.inject a current above 50P1P (seasonal)and leave on for 63 seconds.2P27 and LOR trips
6.reset LOR and close 2P27
7.open test SW knife sw's to the 2P27 trip and BFI (just monitor trip and BFI outputs from test sw)
8.reset relay clock to normal
9.inject current above 50P2P (seasonal)for 63 seconds.Trip &BFI outputs (monitored)should close
10.Check that critical relay failure alarm and run down indication is operational (proper destination)
11B Functional test of relay tripping 2P26
Signed by Results
1.check c/o LOR 86BF26 outputs
2.close test SW knife sw's to the 2P26 trip and BFI
3.inject a current above 50P2P (seasonal)and leave on for 63 seconds.2P26 and LOR should not trip
4.Close input 101 (Test SW 1;Open knife SW 1-2 &5-6)putting the relay to "not in test position"
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 23/26
PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-....-..--Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
APPENDIX 3
RAS Associated Maintenance Test Form
5.inject a current above 50P2P (seasonal)and leave on for 3 seconds.2P26 and LOR does not trip
6.verify run down signal reached to where the generator governor was cut out
7.inject a current above 50P2P (seasonal)and leave on for 63 seconds.2P26 and LOR trips
8.reset LOR and close 2P26
9.open test SW knife sw's to the 2P26 trip and BFI (just monitor trip and BFI outputs from test sw)
10.force relay clock to seasonal change
11.inject current above 50P1P for 63 seconds.Trip &BFI outputs (monitored)should close
12.note:leave clock "as is"as you begin testing 2P27
11B Functional test of relay tripping 2P27
Signed by Results
1.check c/o LOR 86BF27outputs
2.close test SW knife sw's to the 2P27 trip and BFI
3.inject a current above 50N1P (seasonal)and leave on for 3 seconds.2P27 and LOR does not trip
4.verify run down signal reached to where the generator governor was cut out
5.inject a current above 50N1P (seasonal)and leave on for 63 seconds.2P27 and LOR trips
6.reset LOR and close 2P27
7.open test SW knife sw's to the 2P27 trip and BFI (just monitor trip and BFI outputs from test sw)
8.reset relay clock to normal
9.inject current above 50N2Pfor 63 seconds.Trip &BFI outputs (monitored)should close
10.Check that Critical relay failure alarm and run down indication is operational (proper destination)
Completion of relay testing
Signed by Results
1.Make sure all relay alarms are reset and no trip or BFI outputs are active
2.Make sure that relay clock is in normal setting
3.Return relay 11A and 11B back to as found condition
4.Notify dispatch and Hydro control Center
5.Upon successful completion of testing,relay is ready for service and released to operations
Complete in-service testing once relay is in operation.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 24/26
Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
-....-..--Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
APPENDIX 4
RAS Associated Equipment Subject to PRC-017 Requirements
(including but not I mited to:relays,instrument transformers,communication equipment,batteries)*
Location Type Description
Merwin HE Plant Relays 11A/11B SEL-751 Multifunction Relays for CB 2P26/2P27
Merwin HE Plant Current Transformers #2,6,7,9,12,14,15,17,20,22,23,25,28,30,31,33
Merwin HE Plant Communications Merwin Hydro Plant Primary Control LAN
Merwin HE Plant Batteries Merwin Plant Control House Battery
*PRC-017 only lists these four types of items.However,examples of other potentially applicable PRC-017 items
include:logic contro lers,control switches,SCADA controllers
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 25/26
Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes
----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back
PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT
APPENDIX 5
ItAS Associated Affected Apparatuses *
Location Apparatus Description
Merwin Lake 115kV Line CB 2P26/2P27
Merwin Battleground 115kV Line CB 2P3/2P4/2P8/2P27
Merwin Longview 115kV Line CB 2P1/2P2/2P6/2P26
*This list is intended to help with future capital project scoping and determine if a RAS may be
impacted by the prospective project.
RAS Name:Yale Run-Back 3/27/2014
Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx
Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 26/26
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
WECC
Document name Procedure to Submit a RAS for Assessment
Information Required to Assess the Reliability of a RAS
Guideline
Category ()Regional reliability standard
()Regional criteria
()Policy
(X)Guideline
()Reportor other
()Charter
Document date October 28,2013
Adoptedlapprovedby Operating Committee
Date adoptedlapproved March 25,2014
Custodian (entity Remedial Action Subcommittee
responsible for maintenance
and upkeep)
Stored/filed Physical location:
Web URL:
Previous namelnumber (if any)
Status (X)in effect
()usable,minor formattingleditingrequired
()modification needed
()superseded by
()other
()obsoletelarchived
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
WECC
Procedure to Submit a RAS for Assessment
Information Required to Assess the Reliability of a RAS Guideline
Revised:October 28,2013
Table of Contents
Page
INTRODUCTION 3
What is (and is not)a RAS?3
When is RAS Review Required?4
RAS Classifications 4
Periodic Assessments 9
WECC Remedial Action Scheme Database 9
Closed RASRS Scheme Review Sessions 10
Making a Submission to the RASRS for Scheme Review 10
INFORMATION REQUIRED to ASSESS the RELIABILITY of a RAS 12
A.RAS Purpose And Overview 12
B.RAS Design 13
C.Monitoring 16
D.RAS Operating Procedures 16
E.Commissioning,Maintenance And Testing 17
F.Performance And Operational History 17
G.Revision History 17
H.References 19
Attachment A.WECC RAS Database Information 20
Attachment B.WECC RAS Initial or Periodic Assessment Summary 22
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 3/24
INTRODUCTION:
This document provides a framework for the submission of a Remedial Action Scheme (RAS),
also known as a Special Protection System (SPS),to the Remedial Action Scheme Reliability
Subcommittee (RASRS)for evaluation and operation within the WECC.All RAS within WECC
are required to be reviewed by the RASRS,per the PRC-(012 thru 014)-WECC-CRT-2 criterion
(RAS Criterion).The RASRS will also perform detailed evaluation of a RAS at the request of
appropriate WECC Committees even if such review may not have been otherwise required by
the RAS Criterion.
Generally,all elements of a RAS applied at any voltage level intended to remediate
performance violations on the Bulk Electric System (BES)are subject to the NERC
requirements for RAS.Minimum system performance requirements are identified in the TPL
standards and WECC Criteria.
What is (and is not)a RAS?
WECC uses the NERC Glossary definition of Remedial Action Scheme (RAS),included here
under NERC's commonly used term,Special Protection System (SPS),
An automatic protection system designed to detect abnormal or predetermined
system conditions,and take corrective actions other than and/or in addition to the
isolation of faulted components to maintain system reliability.Such action may
include changes in demand,generation (MW and Mvar),or system configuration to
maintain system stability,acceptable voltage,or power flows.An SPS does not
include (a)underfrequencyor undervoltageload shedding or (b)fault conditions that
must be isolated or (c)out-of-step relaying (not designed as an integral part of an
SPS).Also called Remedial Action Scheme.
The NERC System Protection and Control and System Analysis and Modeling Subcommittees
(SPCS and SAMS)developed a recent technical paper to,among other things,refine the
definition of remedial action schemes.This paper includes more clarity for schemes that NERC
does and does not consider to be RAS for its reliability /regulatory purposes.While this new
definition is still only proposed,it does provide useful clarity on what types of facilities may not
require review by the RASRS.Following is a list of scheme types that NERC (and WECC)
does not consider to be RAS in and of themselves:
a)Underfrequency or Undervoltage load shedding.
b)Locally sensing devices applied on an element to protect it against
equipment damage for non-fault conditions by tripping or modifying
the operation of that element,such as,but not limited to,generator
loss-of-field or transformer top-oil temperature.
c)Autoreclosing schemes.
d)Locally sensed and locally operated series and shunt reactive
devices,FACTS devices,phase-shifting transformers,variable
frequency transformers,generation excitation systems,and tap-
changing transformers.
e)Schemes that prevent high line voltage by automatically switching the
affected line.
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 4/24
f)Schemes that automatically de-energize a line for non-fault operation
when one end of the line is open.
g)Out-of-step relaying that is not designed as an integral part of an
SPS.
h)Schemes that provide anti-islanding protection (e.g.,protect load
from effects of being isolated with generation that may not be capable
of maintaining acceptable frequency and voltage).
i)Protection schemes that operate local breakers other than those on
the faulted circuit to facilitate fault clearing,such as,but not limited to,
opening a circuit breaker to remove infeed so protection at a remote
terminal can detect a fault or to reduce fault duty,or bus
sectionalizing/splitting/break-up schemes.
j)Automatic sequences that proceed when manually initiated solely by
an operator.
k)Sub-synchronous resonance (SSR)protection schemes.
I)Modulation of HVdc or SVC via supplementary controls such as angle
damping or frequency damping applied to local or inter-area
oscillations.
m)A Protection System that includes multiple elements within its zone of
protection,or that isolates more than the faulted element because an
interrupting device is not provided between the faulted element and
one or more other elements.
When is RAS Review Required?
Remedial action schemes are reviewed by WECC on the following occasions:
1)Prior to initial installation and commissioning.
2)Before significant modifications or extensions with possible impact to reliability or the
intent of the scheme.A modification may be considered significant when it involves
inputs,logic or outputs,
major component changes,
revision of the existing scheme architecture,or
when a periodic assessment of operation,coordination,and effectiveness identifies
that a scheme does not comply with NERC standards or WECC Criteria and the
required Corrective Action Plan has identified appropriate modifications.
Owners will separately inform all their neighbors who may be affected by a scheme that
the scheme is being significantly modified.
3)In the event of failure of a scheme for which significant modifications will be necessary.
For the purposes of RASRS review,failures shall be considered for such conditions as:
accidental or unintended RAS operations that do not meet expected performance
levels
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 5/24
RAS failures to operate that result in system performance outside the expected
levels.
4)Removal of a scheme from service.Schemes proposed for removal should first be
evaluated by the same Planning group (or appropriate successor group)as reviewed
the original studies that resulted in the RAS installation or most recent modification.
Examples include but are not limited to:
Technical Studies Subcommittee (TSS)for schemes originally identified and
reviewed through the WECC Three Phase Rating Process or
the appropriate Planning Coordinator for Local Area Protection Schemes.
Owners will separately inform all their neighbors who may be affected by a scheme that
the scheme will be removed.
RAS Classifications
WECC uses the NERC RAS/SPS Glossary definition without adding exceptions or other
attempts at clarification.
The focus of the RASRS in reviewing a scheme includes these considerations,but it is slightly
different.The NERC PRC standards identify system performance as the critical function.
Acceptable system performance is described in the NERC Planning (TPL)Standards.
Therefore schemes which are designed to result in system performance that meets the TPL
standards are the schemes that the RASRS reviews.
However,the PRC standards do provide WECC with flexibility in designing the review
procedure.WECC uses this flexibility to provide more detailed reviews of RAS that may have a
significant system performance impact.As an aid to identify the levels of impact,WECC
classifies RAS as three types based on the scale of the event that the scheme is designed to
remediate (generally in order of increasing event scale):
Local Area Protection Scheme (LAPS):A Remedial Action Scheme (RAS)whose failure to
operate would NOT result in any of the following:
Violations of TPL-001-WECC-RBP-2 System Performance RBP
Maximum load loss 2 300 MW,
Maximum generation loss 2 1000 MW.
Wide Area Protection Scheme (WAPS):A Remedial Action Scheme (RAS)whose failure to
operate WOULD result in any of the following:
Violations of TPL-001-WECC-RBP-2 System Performance RBP
Maximum load loss 2 300 MW,
Maximum generation loss 2 1000 MW.
Safety Net (SN):A type of Remedial Action Scheme designed to remediate TPL-004-0
(System Performance Following Extreme Events Resulting in the Loss of Two or More Bulk
Electric System Elements (Category D)),or other extreme events.
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 6/24
The titles of these classifications (local area,wide area)do retain a sense that a scheme may
have some geographic basis.However,the actual definitions do not impose any specific
geographic limits.The prospective new NERC definition of SPS closely follows these functional
definitions (using "limited"and "significant"rather than "local"and "wide area"names),with the
exception that WECC's Safety Net is further split into limited and significant versions of these
"Planning"and "Extreme"schemes.These proposed NERC designations also intentionally de-
emphasize geography as a factor in the scale and classification of a RAS.
This classification method does not affect any NERC standards compliance requirements.The
RAS type only affects the level of detail required for scheme review by the RASRS.The
defintions are used to focus the review effort on the larger schemes that can have more impact
on system operation.This is more effective for both the RASRS and individual WECC
members whose schemes need review.
The fact that a scheme may be fully redundant and therefore its failure can be judged not
credible is not relevant to this classification.One functional method to draw the line between
LAPS and WAPS is at the Transmission Planning study stage.The Planner may model "no
RAS action"for the critical contingency,observe the modeled system performance,and judge
the "local"versus "wide area"impact according to the bullets in the definitions.This may
actually be the Planning case that originally identified the need for a RAS,even before the
specific RAS functionality is identified.
The WECC System Performance requirement WR3 (from the first bullet in the LAPS/WAPS
definitions)applies both internal to a WECC Member system as well as between Member
systems.This is unlike WR1 and WR2,which apply internally to a Member's system,or among
Member systems that agree to the mutual impact.When the "both internal and external"WR3
requirement applies,then the RAS is classified as a WAPS.
The Figure 1 flow chart outlines how to apply these definitions to determine which type applies
to a specific RAS.
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 7/24
TPL-001-WECC-RBP-2
Extreme WECC TPL WR1 WR2,or
TPL Event -N RBP --Ye Vio a n?N Ex
rW 1 NOW 1MitigationViolation?Impact?
Yes Yes
WAPSYesNo
Yes Yes
Safety Net Load Loss Gen Loss >=
>=300 MW N 1000 MW --Nog LAPS
Figure 1.WECC Remedial Action Scheme type defintions.
Historically WECC has concentrated review efforts on schemes that have larger system impact,
(WAPS)even prior to adopting formal type definitions above.LAPS,while not being completely
ignored,were reviewed generally only at the request of the owner or when some mis-operation
raised scheme visibility within WECC.
WAPS remain critically important to BES operation and still require detailed reviews.Review
procedures for these schemes remain essentially unchanged.While a LAPS mis-operation will
not result in a large-scale impact on the system,these schemes still require a level of WECC
review to encourage reliability and document what the scheme does.Similarly,a SN may have
a significant system impact,but does not have the same single point of failure requirement as a
LAPS or WAPS.The overall WECC review process is outlined in Figure 2.
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 8/24
Local Area Wide Area
Pratectlan Schernets Protecuon
Scheme,LAPS SafetyNet,SN Scherne,WAPS
Senedule Re.tem
ihn!RASRS Cthair
i SN or WAPS
I owner pre.'idBE inf0tm3tlDn
Required ...'tbr re".iew
Yes owner presentationReview.To RASRS meeting i
upon OC
Request?SN WAPS
Con1m DN Conlirm WAPS
No systern systern perrbrrn ance
performance for for single point of Owner prepares
|RABRD enecks coordnation and failure,coordnation rEspODES to
classtlicatlan ina erient and inadverten1 can ris
operation operation
TReutemsystemInmal RAGRSperliorrnanceforAssessmentsinglepointer
railure,coordnation
and inadvertenioperation Needs RASRS Cond donal RAGRS speames*Accepted conditions for 1011
?acceptance
Inmal RAGRS Work AcceptedAssessment
FuEyAccepted
RAGRS RASRS updates
Accepted WECC PRC-D13 I
y ,database
No RAGRS enair NotmeE 101Ein3i $0Cumen131100WECCOpEf30DObyOWngt,IncludhgCornmrtteeatnextPRC-D15 data base1seneduledmeetirg
Figure 2.WECC Remedial Action Scheme review process.
WAPS are examined by the RASRS at the level of detail necessary to provide an "outside"
review to ensure satisfying the requirements of PRC-012-0.
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 9/24
Safety Nets are generally reviewed at a slightly lower level of detail than WAPS because the
TPL standard does not require that such extreme events actually be remediated.The RAS
Criterion does not require the same single point of failure performance (PRC-012-0,R1.3)as
LAPS or WAPS,but still requires that system performance for inadvertent operations (PRC-
012-0,R1.4 and RAS Criterion WR5.2)and coordination with other protection and control
systems (PRC-012-0,R1.5 and RAS Criterion WR5.3)is satisfied.
LAPS reviews are more limited.The RASRS will review the owner's classification and
apparent conformance of the scheme to RAS Criterion WR5.1-3 (single point of failure,
inadvertent operation,and coordination),and initial assessment.If the RASRS disagrees with
the owner's classification,the RASRS will assign the appropriate classification and review the
scheme at that level.
The WECC review process is not intended to limit making urgent modifications to a scheme if
necessary to maintain BES reliability.However,the reporting party is expected to submit any
such urgent modifications to the RASRS for review expeditiously.Reviews of this nature
should be rare,but a review generally can be scheduled via conference call on short notice
when required.
Periodic Assessments
PRC-014 and PRC-(012 thru 014)-WECC-CRT -2 WR10 require that all RAS be assessed
for operation,coordination,and effectiveness at least every five years for compliance with
NERC and WECC standards and WECC Criteria.
WECC recognizes that most,if not all members include RAS installed on their systems in
System Operating Limit (SOL)studies,daily outage planning,real time contingency analysis
(RTCA)or similar studies,typically at least annually.If any violations of performance
requirements are discovered during SOL or other studies,a Corrective Action Plan (CAP)must
be developed.
Only the RAS owner is in a position to develop and follow through on such a CAP.The NERC
Glossary only indicates that the CAP must identify a solution that will fix the identified
problem(s)and a timetable when the solution(s)will be implemented.If the CAP solutions
involve significant modifications to a RAS (see above),then those modifications must be
reviewed by the RASRS through the procedures described in this document.
The information that should be included in the assessment is based on the requirements of
PRC-014-0 R3.1-5 and outlined in Attachment B.The same summary information is also
needed for the initial review of a new RAS.The RAS database (below)keeps track of when the
most recent assessment occurred,but WECC needs to review the owner's most recent
assessment and summary within a 5-year schedule.
WECC Remedial Action Scheme Database
The PRC-013 standard and the RAS Criterion require that WECC create and maintain a
database of all RAS within WECC.This database has been created and is maintained by the
RASRS in the form of an Excel spreadsheet.The RAS Criterion Attachment A,WECC RAS
Database Information,provides explanations of the contents of the database.This information
is also included as Attachment A in this document.A template of the database with several
examples is available on the WECC web site,PRC-013 RAS Template,
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 10/24
http://www.wecc.biz/committees/StandinqCommittees/OC/RASRS/RASRS%20Database%20Li
brary/Forms/Allltems.aspx
The owner (reporting party)for each new or modified RAS is required to fill in the database
information in the template spreadsheet.The completed template should be submitted
electronically as part of the material required for scheme review by the RASRS.Schemes
scheduled for removal need simply include "SCHEME REMOVED"or a similar phrase in the
description for the specific scheme.
The RAS Criterion also requires annual reporting of any updated scheme information (if
needed).This annual reporting should use the PRC-013 RAS Template or the current RAS
Database (also available on the WECC web site with separate versions for each owner
(reporting party)).This process is intended to keep the RAS database up to date.
When a scheme has been reviewed and achieved either full or conditional acceptance by
RASRS (as shown in Figure 2),the scheme data is incorporated in the WECC RAS database.
The status of scheme conditions (if any)and full acceptance is tracked separately from the
WECC RAS database.
Closed RASRS Scheme Review Sessions
Schemes reviewed by RASRS often include facilities classified as Critical Assets,and,
depending on implementation,may contain Critical Cyber Assets,BES Cyber Assets or BES
Cyber Systems as part of implementing the functionality that the RASRS reviews.The
information which RASRS requests and reviews includes at least some aspects of operational
procedures,incident response plans,and network topology or similar diagrams.It is also
common for presentations to include some floor plan and equipment layout information in the
form of pictures or diagrams.
In addition,much of the scheme information requested and discussed is of greater sensitivity
than the information specifically listed in the NERC CIP Critical Cyber Asset Information (CCAI)
requirement and therefore is expected to be protected.This may include confidential,
restricted,or other non-public documents.Some companies have a requirement that CCAl and
other restricted information may only be transmitted with a nondisclosure agreement (NDA)in
place.If information of this nature were omitted from the RASRS presentations and
discussions,or if it were less detailed,the review process would be hampered and less
effective.
The RASRS Chair may propose a scheme review in closed session with appropriate notification
in the publicly-posted meeting agenda before the RASRS meeting.The scheme owner may
request that the RASRS review occur in closed session in time to provide adequate notice of
the potential closed session.Closed sessions are subject to a 2/3 vote of RASRS members
present.Participants in and observers of such closed session discussions,including RASRS
members,may need to sign an appropriate NDA.
Making a Submission to the RASRS for Scheme Review
1.Discuss the proposed RAS with the RASRS Chair.If the Chair,or the RASRS designee,
determines that the documentation is sufficiently complete,a review will be scheduled at the
next in-person meeting of the RASRS.If schedules require,a separate RASRS meeting
may be scheduled (either in-person or via web/phone communications).
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 11/24
2.The presenter(s)will supply copies of the completed documentation,including the
Information Required to Assess the Reliability of a RAS (following section of this document)
to the RASRS members,to be received prior to the presentation date so members have
sufficient time for review.The necessary mailing information may be requested from the
RASRS Chair.Electronic copies are acceptable provided that the documents can be
opened by using standard MS Office or Adobe *.pdf products,and provided that no special
software tools are required.It is the responsibility of the presenter(s)to insure that all
submitted materials,attachments,presentation material,and handouts are clearly legible.
Electronic documents may also be submitted to the RASRS through the WECC web site,
chair,or WECC staff.
3.The RAS will be included in the WECC RAS database on the WECC RASRS web site (but
subject to limited access due to the sensitive nature of the data)for record purposes and for
periodic review as part of the WECC/NERC certification process.The database is updated
as new schemes are added or existing schemes are modified,retired,or expanded and as
part of the annual review and periodic assessments by RAS owners (reporting parties)
required by PRC-(012 thru 014)-WECC-CRT-2 .
4.Scheme modifications may include changes to the hardware,transfer levels,or any change
with possible impact to the overall functionality,timing,or redundancy level approved at the
time of the original submission for approval.The RAS applicant,participant,or owner -the
"Responsible Party"--is required to prepare a summary of salient features of the RAS for
inclusion in the database as part of the documents submitted for review.
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 12/24
Information Required to Assess the Reliabilityof a RAS
For all new or modified RAS,also provide information required by the WECC RAS Initial or
Periodic Assessment Summary as Attachment B of PRC-012 through 014 WECC-CRT-2
(included as Attachment B of this document):.
1)RAS Name
2)Reporting Party
3)Group Conducting this RAS Assessment
4)Assessment Date
5)Review the scheme purpose and impact to ensure proper classification,is it (still)
necessary,does it serve the intended purpose,and does it continue to meet current
performance requirements.
6)The RAS assessment including Study Years
7)System Conditions
8)Contingencies analyzed
9)Date when the technical studies were completed
10)Does the RAS comply with NERC standards and adherence to WECC Criteria and TPL-
001-WECC-RBP-2
11)Discuss any coordination problems found between this RAS and other protection and
control systems during this (most recent)assessment.
12)Provide a Corrective Action Plan if this RAS was found to be non-compliant or had
coordination problems during this (most recent)assessment (should be NA for owner's
initital assessment)
Provide the name and contact information of the person responsible for this RAS data
submittal.
If a classification of LAPS is claimed by the Reporting Party,full scheme review by the RASRS
is generally not required unless this classification is not agreed to by the RASRS.The
Reporting party must provide adequate information for the RASRS to judge the proposed
scheme classification.A scheme is a LAPS if all of these questions can be answered
negatively.
WECC TPL Regional Business Practice WR3 violation?
WECC TPL Regional Business Practice WR1 or 2 external impact violation?
·Load at risk 2 300 MW?
Generation at risk 2 1000 MW?
If a full RASRS scheme review is not required (LAPS),the RAS owner is still responsible for
meeting all of the requirements of PRC-012 through 014 WECC-CRT-2.Specifically,the
scheme must still satisfy requirements WR5.1-3 (single point of failure,inadvertent operation,
and coordination).
If a full RASRS review is required (for WAPS or SN),the following information,sections A -F
must be submitted for review:
A.RAS PURPOSE AND OVERVIEW
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 13/24
1)Identify the ownership of the RAS (the Reporting Party).
2)Provide the name of the RAS,the purpose and the desired in-service date.Include the
specific type of system problem(s)being solved,e.g.transient stability,thermal
overload,voltage stability,etc.
3)Provide the owner's classification of the RAS as a LAPS,WAPS,or SN.
4)Provide the information required to populate the WECC RAS database using the
appropriate Excel spreadsheet,PRC-013 template (available on the WECC web site).
The specific data required is also listed in Attachment A.
5)Provide the name(s)of person(s)within the owner's organization who is(are)
responsible for the operation and maintenance of the RAS.
6)Provide a description of the RAS to give an overall understanding of the functionality
and a map showing the location of the RAS.Identify other protection and control
systems requiring coordination with the RAS.See "RAS Design",below,for additional
information.
7)Provide a single line drawing(s)showing all sites involved.The drawing(s)should
provide sufficient information to allow RASRS members to assess design reliability,and
should include information such as the bus arrangement,circuit breakers,the
associated switches,etc.For each site,indicate whether detection,logic,action,or a
combination of these is present.
8)Indicate the type of system reliability studies performed and a list of any that are in
progress.
9)Provide a discussion of the impact to the WECC power grid,including other protection
and control systems that result from the actions taken by the proposed RAS and from its
failure to operate as expected.Does a failure to operate or a misoperation impact an
Intertie Path?If yes,what Intertie Path?
B.RAS DESIGN
1)Describe the design philosophy (e.g.failure is to be a non-credible event).
2)Describe the design criteria (e.g.failure of a single component,element or
system will not jeopardize the successful operation of the RAS).
3)RAS Logic -Provide a description of the RAS Logic in the form of written text,
flow charts,matrix logic tables,timing tables,etc.as appropriate and identify the
inputs and outputs.Provide appropriate diagrams and schematics.
4)RAS Logic Hardware -Provide a description of the logic hardware (relay,digital
computer,etc.)and describe how the RAS logic function is achieved.
5)Redundancy -Provide a discussion of the redundancy configuration and if
appropriate,why redundancy is not provided.Include discussion of redundant:
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 14/24
a)Detection.
b)Power supplies,batteries and chargers.
c)Telecommunications (also mentioned in item 10d).
d)Logic controllers (if applicable).
e)RAS trip circuits.
6)Arming -Describe how the RAS is armed (i.e.remotely via SCADA,locally,
automatic,etc.).
7)Detection -Define all inputs to the RAS for the scheme to perform its required
purpose.Examples:
a)Devices needed to determine line-end-status such as circuit breaker (52 alb
contacts)and disconnect status.
b)Protective relay inputs.
c)Transducer and IED (intelligent electronic device)inputs (watts,vars,
voltage,current).
d)Rate-of-change detectors (angle,power,current,voltage)
e)All other inputs (e.g.set points,time from a GPS clock and wide area
measurements such as voltage angle between two stations).
f)Provide details of other remote data gathering or control equipment.
8)Coordination with Protection and Control Systems
Describe all protection and control systems interactions with the RAS,in addition
to the RAS inputs described in (7)above.
a)System configuration changes due to RAS operation do not adversely affect
protective relay functions such as distance relay overcurrent supervision,
breaker failure pickup,switching of potential sources,overexcitation
protection activation,or other functions pertinent to the specific relays or
protection scheme.
b)If studies indicate that transient or sustained low voltages are expected in
conjunction with elevated line flows during or after RAS operation,confirm
that any protection settings on affected lines will not cause cascading
outages related to the low system voltages.
c)Potential adverse interactions with any other protection or control systems.
9)Multifunction Devices.
A multifunction device is a single device that is used to perform the function of a
RAS in addition to protective relaying and/or SCADA simultaneously.It is
important that other applications in the multifunction device do not compromise
the functionality of the RAS when the device is in service or when is being
maintained.
a)Describe how the multifunction device is applied in the RAS.
b)Show the general arrangement and describe how the multi-function device is
labeled in the design and application,so as to identify the RAS and other
device functions.
c)Describe the procedures used to isolate the RAS function from other
functions in the device.
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 15/24
d)Describe the procedures used when each multifunction device is removed
from service and whether any other coordination with other protection is
required.
e)Describe how each multifunction device is tested,both for commissioning
and during periodic maintenance testing,with regard to each function of the
device.
f)Describe how overall periodic RAS functional and throughput tests are
performed if multifunction devices are used for both local protection and
RAS.
g)Describe how upgrades to the multifunction device,such as firmware
upgrades,are accomplished.How is the RAS function taken into
consideration?
10)Telecommunications.
a)Provide a graphical display or diagram for each telecom path used in the
proposed RAS scheme,including extent of redundancy employed.See
references.Indicate ownership of the circuits,paths,and segments.Indicate
responsibility for maintenance.If a telecom circuit utilizes a public network,
describe monitoring and maintenance agreements including repair response,
details of availability,and how possible change of ownership is addressed.
Describe maintenance agreements and response commitments when the
RAS communication utilizes multiple private systems.
b)Describe and list the telecommunications media and electronic equipment
(e.g.microwave radio,optical fiber cable,multiplex node,power line carrier,
wire pair,etc.)including redundancy employed in each telecom path.For
each of the paths and segments of the RAS,identify the type of telecom
equipment employed.For example,whether analog or digital licensed
microwave radio,unlicensed spread spectrum radio,fiber optic SONET
node,etc are applied.
c)Provide a description of common facilities used for each RAS telecom path
and segment that are not specifically excluded from redundancy by the
WECC critical communication circuit design guideline (e.g.towers,
generators,batteries).Identify paths or segments routed through common
equipment chassis such as Digital Cross-connect System,SONET node,or
router.Identify physical media carried or supported by the same structure,
such as a transmission line tower,pole structure,or duct bank.Discuss
outside plant and inside plant routing diversity.See references.
d)Provide a discussion of communications system performance including,
circuit or path quality in terms of availability.Provide details of reliability
(e.g.,availability of 99.95%),and other supporting reliability information such
as equipment age,history,maintenance,etc.Telecommunication reliability
information is the average overall percentage,and not point-to-point
information.See references.
e)Provide a discussion about performance of any non-deterministic
communication systems used (such as Ethernet).If RAS performance is
dependent upon successful operation through a non-deterministic
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 16/24
communications system or path,then describe how timing and latency issues
will be addressed and verified.Include timing and latency planning or
management and verification for initial commissioning and in the event of
network modifications or additions.Identify which industry standard is
applied.
f)Acknowledge provision of appropriate high voltage entrance protection if wire
pairs are used.
11)Transfer Trip Equipment -Identify the manufacturer and type (FSK audio tone,
FS carrier,digital,etc.),and provide the logic configuration (dual channel,pilot
tone,etc.).Identify whether internal device medium is used;e.g."Relay-to-
Relay"communication.
12)Remedial Actions Initiated -Provide a functional description of the action(s)
produced by the scheme and include a simplified one-line diagram of the RAS
output to the end-device operated by the scheme.
13)Remedial Action Schemes may have elements such as engineering access,
routable protocols,and sensitive design documentation included in the design
that require compliance with the NERC CIP Standards.Utilities may handle CIP
compliance differently.Please provide a high level overview of how your
company's CIP Compliance Program requirements are incorporated into this
RAS design.
The RASRS concern is that CIP compliance does not compromise the reliability
of the RAS.RASRS will not assess compliance,validity or completeness of the
owner's CIP program.The owner remains completely and solely responsible that
its CIP program complies with NERC standards.
C.MONITORING
1)Provide details of RAS monitoring equipment and time resolution including
station alarms,SCADA monitoring,and Sequence of Events Recorders.
2)Provide details of facilities monitored including
a)Equipment self diagnostics and annunciation
b)Initiation locations
c)Logic facilities
d)Telecommunications
e)Transfer trip equipment
f)RAS actions
D.RAS OPERATING PROCEDURES FOR ABNORMAL SYSTEM CONDITIONS
Provide a summary of the operating procedures or the relevant Dispatch Instructions
pertaining to this RAS during abnormal system conditions.Specifically address the
operating procedures for the following situations:
1)The RAS operates incorrectly (failure to operate or false operation).
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 17/24
2)One part of a redundant RAS system is unavailable so that complete
redundancy is no longer assured.
3)Unscheduled,or unplanned and not coordinated,unavailability of the subject
RAS (complete loss of RAS)impacts operation.
4)When a partial or total loss of input data required for arming decisions.
E.COMMISSIONING,MAINTENANCE AND TESTING
1)Describe the RAS commissioning and overall functional test procedure(s).
2)Describe the maintenance and test procedures including:
a)The provision of test switches and test facilities.
b)Preventative maintenance;both electrical and telecommunication.
c)Functional Testing,including system end-to-end checks
d)Provide the maintenance and test intervals,including any seasonal
restrictions.
e)A copy of the Maintenance and Test Procedure(s).
f)A discussion of power system curtailment during maintenance and test
activities
F.PERFORMANCE AND OPERATIONAL HISTORY
1)Provide assurances that the overall performance and operating time of the RAS
will meet the requirements identified in system studies.
2)When using the existing equipment and components,such as the EMS,RAS
controllers,and arming devices,address the following items as they pertain to
the operational history of such equipment and procedures.
a)How long has the RAS been in operation and how many times has it
operated?
b)How many times has the RAS failed to operate when it should have?
Provide details of causes and impacts.
c)How many times has it operated unnecessarily?Provide details of causes
and impacts.
d)What modifications,if any,are planned as a result of b and c above?
G.REVISION HISTORY
March 1999 Initial release
April 2000 Approve by JGC -Added RAS Catalog Information
January 2002 Incorporated RAS Operating Procedures for Abnormal System
Conditions,as part of due process comments.Also,added
References and Table of Contents section.
April 2002 January 2002 Revision approved by the JGC
August 2002 Changed WSCC to WECC and updated links in the Reference
Section
February 2005 References to the Remedial Action Scheme Reliability Task Force
(RASRTF)have been changed to Subcommittee,in accordance
with the updated Scope Statement.RAS Design section is
updated to include latest concepts and technologies,address
conditions where a multifunction device is shared for RAS and
other critical functions such as local protection or SCADA,and the
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 18/24
latest telecommunication technologies such as SONET or Device-
Device communications.
March 2005 Approved by the OC
April 2005 Approved by the WECC Board of Directors
August 2012 Incorporated significant procedural changes related to the
PRC(012 thru 014)-WECC -CRT -1 criterion and RAS type
definitions.
October 2013 Incorporated periodic assessment procedural changes related to
the revised PRC-(012 thru 014)-WECC -CRT -2 criterion.
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 19/24
H.REFERENCES
Remedial Action Scheme Reliability Subcommittee (RASRS)Charter
http://www.wecc.biz/library/Documentation%20Categorization%20Files/Charters/OC/RASRS%
20Charter.pdf
Remedial Action Schemes Application and Implementation Requirements and Performance
Assessment Measures -October 25,2001 Power Point Presentation Before The
PCCIOC/WMIC Joint Meeting -
http://www.wecc.biz/committees/StandinqCommittees/OC/RASRS/Shared%20Documents/For
ms/Allitems.aspx
WECC Guidelines
WECC,"Remedial Action Scheme Design Guide"
http://www.wecc.biz/library/Documentation%20Categorization%20Files/Guidelines/Remedial%2
0Action%20Scheme%20Design%20Guide.pdf
WECC,"Communications Systems Performance Guide for Protective Relaying Applications"
http://www.wecc.biz/library/Documentation%20Categorization%20Files/Guidelines/Communicat
ion%20System%20Performance%20Guide%20for%20Relays.pdf
WECC,"Guidelines for the Design of Critical Communications Circuits"
http://www.wecc.biz/library/Documentation%20Categorization%20Files/Guidelines/Guidelines%
20for%20the%20Desiqn%200f%20Critical%20Communications%20Circuits.pdf
WECC Criteria
WECC,"Remedial Action Scheme Review and Assessment Plan"
PRC -(012 thru 014)-WECC -CRT -1 "RAS Criterion"
http://www.wecc.biz/library/Documentation%20Categorization%20Files/Reqional%20Criteria/P
RC-012%20throuqh%20014%20WECC-CRT-
1%20Remedial%20Action%20Scheme%20Criterion%20Effective%2010-1-2011.pdf
TPL-001-WECC-RBP-2.1
http:llwww.wecc.bizllibrary/Documentation%20Categorization%20Files/Reqional%20Bu
siness%20Practices/TPL-001-WECC-RBP-2.1.pdf
NERC ReliabilityStandards and Technical Papers
NERC,"Special Protection System Review Procedure"
http://www.nerc.com/files/PRC-012-0.pdf
NERC,"Special Protection System Database"
http://www.nerc.com/files/PRC-013-0.pdf
NERC,"Special Protection System Assessment"
http://www.nerc.com/files/PRC-014-0.pdf
NERC,Planning Committee "Special Protection Systems,"September 2012
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 20/24
ATTACHMENT A
WECC RAS Database Information
The WECC Remedial Action Scheme Information and the associated Excel spreadsheet posted
on the RASRS web site as PRC-013 template.xls is to be completed in accordance with this
criterion by the Reporting Party designated by the Transmission Owner,the Generation Owner,
and the Distribution Provider that owns an existing or proposed RAS for use within the Western
Interconnection.Explanations for the Spreadsheet data are contained in the following table.
In accordance with the Requirements of PRC-012 through 014 WECC-CRT-1,each Reporting
Party is to provide the completed spreadsheet to those parties designated in the criterion as
well as the Director of Operations for the Western Electricity Coordinating Council (WECC)and
the Chair of the Remedial Action Scheme Reliability Subcommittee (RASRS).
Remedial Action Scheme Database Information Sheet Explanations
Data Item Explanation
Reporting Party The Reporting Party is the primary contact designated by the
Transmission Owner(s),Generator Owner(s)and Distribution
Provider(s)that owns all or part of an existing or proposed RAS.The
Reporting Party will usually be either:1)the entity that controls the
scheme,2)the primary owner of the scheme or 3)the sole owner of
the scheme.
Scheme Name Provide the name by which the Reporting Party references the scheme.
Classification WAPS (Wide Area Protection Scheme),LAPS (Local Area Protection
Scheme),or Safety Net (SN)as initially classified by the Transmission
Owner(s),Generator Owner(s)and Distribution Provider(s)that owns
all or part of an existing or proposed RAS as reported by the Reporting
Party.This initial classification is subject to review by the RASRS.
Major WECC RAS If this scheme is in WECC Reliability Standard PRC-STD-003,Table 3,
Major WECC RAS List,enter the number from the list.If the scheme is
not on the Major WECC RAS List,enter NA.
Operating Procedure If the Transmission Owner(s),Generator Owner(s)and Distribution
Provider(s)that owns all or part of an existing or proposed RAS as
reported by the Reporting Party has a written operating procedure for
this scheme,provide the identifying procedure number or title.If no
operating procedure is available,enter NONE or NA.
Design Objectives Data required to describe Design Objectives -Contingencies and
system conditions which the scheme was designed to mitigate.
Operation Data required describing Operation -The actions taken by the
scheme in response to disturbance conditions.
Modeling Data required for adequate Modeling -Information on detection logic
or relay settings that control operation of the scheme.
Original In Service Enter the year that the scheme originally went into service,not
Year including any subsequent upgrades or other modifications.If specific
records are not available,a best estimate such as "early 1980's"is
acceptable.
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 21/24
Recent Assessment Identify the group (typically the Transmission Owner(s),Generator
Group Owner(s)and Distribution Provider(s)that owns all or part of an
existing or proposed RAS as reported by the Reporting Party that
performed the most recent assessment of scheme operation,
coordination and effectiveness.
Recent Assessment Enter the date of the Reporting Party's most recent assessment
Date performed (mmlyyyy)that evaluated scheme operation,coordination
and effectiveness.
RASRS Review Date RASRS entry.Date of the most recent RASRS review of a Reporting
Party's assessment (mmlyyyy).
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 22/24
Attachment B
WECC RAS Initial or Periodic Assessment Summary
Information on Attachment B will be used by the RASRS to ensure proper analysis,
operation,coordination and effectiveness of the RAS.
Althoughthe content of Attachment A and Attachment B are both provided to WECC,it
is only the content of Attachment A that constitutes the minimum data to be contained
in the WECC RAS Database.This criterion shall not be interpreted as prohibiting the
expansionof the WECC RAS Database to include information beyond that contained in
Attachment A.
RAS Name
Reporting Party
(The Reporting Party for this entry will always be
the same as the Reporting Party entry listed in the
Reporting Party field of Attachment A.)
Group Conducting this RAS Assessment
Assessment Date
Review the scheme purpose and impact to ensure
proper classification,is it (still)necessary,does it
serve the intended purposes,and does it continue
to meet current performance requirements.
This RAS assessment included the following:
Study Years
System Conditions
Contingencies analyzed
(select what applies)
N-1
N-1-1
N-2
Extreme
Date when the technical studies were completed
Does this RAS comply with NERC standards and
WECC Criteria?
Discuss any coordination problems found between
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 23/24
this RAS and other protection and control systems
during this (most recent)assessment.
Provide a Corrective Action Plan if this RAS was
found to be non-compliantor had coordination
problemsduring this (mostrecent)assessment
(should be NA for owner's initial assessment).
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013
Procedure to Submit a RAS for Assessment
Page 24/24
Effective Period
This document will remain in effect until revised by the RASRS and approved by the
WECC Operating Committee and Board of Directors.The new version will then
supersede this version.
ApprovedBy:
ApprovingCommittee,Entity or Person Date
Remedial Action Scheme Reliability Subcommittee October 28,2013
Operating Committee March 25,2014
Board of Directors
RAS Name Owner:
Revision No.Submittal Date:
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
WECC
Document name REMEDIAL ACTION SCHEME DESIGN GUIDE
Category ()Regional Reliability Standard
()Regional Criteria
()Policy
(x)Guideline
()Report or other
()Charter
Document date June 6,2006
Adoptedlapproved by Operating Committee
Date adoptedlapproved November 28,2006
Custodian (entity Remedial Action Scheme Subcommittee
responsible for
maintenance and
upkeep)
Stored/filed Physical location:
Web URL:
Previous namelnumber (if any)
Status (x)in effect
()usable,minor formattinglediting required
()modification needed
()superseded by
()other
()obsoletelarchived)
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
WECC
WECC Guideline:
REMEDIAL ACTION SCHEME DESIGN GUIDE
Date:June 6,2006
Contents
EXECUTIVE SUMMARY .............................................................................ii
I N TRODU CT10 N .........................................................................................1
PROBLEM RECOGNITION and DEFINITION ............................................2
Safety Net Schemes ..............................................................3
Common RAS Classifications ................................................4
Typical RAS Features ............................................................5
PHILOSOPHY and GENERAL DESIGN CRITERIA ....................................7
Logic ......................................................................................7
Hardware ...............................................................................7
Arming ...................................................................................7
Detection and Initiating Devices .............................................8
Logic Processing ...................................................................11
Communications Channels ....................................................11
Cyber Security .......................................................................11
Transfer Trip Equipment........................................................12
Test Switches ........................................................................12
REDUND A N CY ...........................................................................................1 2
Minimum Requirements.........................................................13
Breaker Failure ......................................................................15
Communication Circuit Redundancy ......................................15
MONITORING and ALARMS ......................................................................15
COORDINATION with PROTECTION,OTHER RAS,
and CONTROL SYSTEMS ...............................................................16EquipmentProtection.............................................................16
MultipleApplicationsin a Single Device .................................17
Other Remedial Action Schemes ...........................................18
2 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
Energy ManagementSystems ...............................................18
OPERATIONS and TEST PROCEDURES .................................................19
WECC REVIEW ..........................................................................................19
FIGURE 1 Common RAS Objectivesand Control Methods ....................21
REFERENCES ............................................................................................22
3 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
EXECUTIVE SUMMARY
Remedial action schemes (RAS),also known as special protection systems (SPS)or system
integrityprotection systems (SIPS),have become more widely used in recent years to provide
protection for power systems against problems not directlyinvolvingspecific equipment fault
protection.The terms SPS and RAS are often used interchangeably,but WECC generally and
this document specifically uses the term RAS.
Economic incentives and other factors have led to increased electric transmission system usage,
power transfer,and changes in historic usage patterns,both among regions and within individual
utilities.New transmission construction has often lagged behind these changes,resulting in
lower operating margins.The resulting system-wide problems usuallyrequire separate solutions
than can be provided by equipment-specific protection schemes.Remedial action schemes are
applied to solve single and credible multiple-contingencyproblems.These schemes have
become more common primarily because they are less costly and quicker to permit,design,and
build than other alternatives such as constructing major transmission lines and power plants.
Remedial Action Schemes in WECC supplement ordinary protection and control devices (fault
protection,reclosing,AVR,PSS,governors,AGC,etc)to prevent violations of the
NERC/WECC ReliabilityCriteria for Category B and more severe events.RAS sense abnormal
system conditions and (often)take pre-determined or pre-designedaction to prevent those
conditions from escalating into major system disturbances.RAS actions minimize equipment
damage and prevent cascading outages,uncontrolled loss of generation,and interruptions to
customer electric service.
This Guide is a revision of the 1991 WSCC "Guide for Remedial Action Schemes."The NERC
and WECC Standards have changed significantlysince 1991.The Standards'changes were
driven by the major WSCC outages in July and August 1996 with "reminders"from the outages
in eastern North America and Italy in August and September 2003.These outages indicate that
Standards compliance is necessary.This document is intended to help the RAS designer comply
with these Standards.(The 1997 NERC and 2002 WECC Planning Standards Section III.F and
2005 NERC Standards PRC-012-0 through PRC-017-0 specifically apply to RAS).
REMEDIAL ACTION SCHEME DESIGN GUIDE
INTRODUCTION
Remedial action schemes (RAS),also known as special protection systems (SPS)or system
integrityprotection systems (SIPS),have become more widely used in recent years to provide
protection for power systems against problems not directlyinvolvingspecific equipment fault
protection.The terms SPS and RAS are often used interchangeably,but WECC generally and
this document specifically uses the term RAS.
Economic incentives and other factors have led to increased electric transmission system usage,
power transfers,and changes in historic usage patterns,both among regions and within
4 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
individual utilities.New transmission construction has often lagged behind these changes,
resulting in lower operating margins.The resulting system-wide problems usuallyrequire
separate solutions than can be provided by equipment-specific protection schemes.Remedial
action schemes are applied to solve single and credible multiple-contingencyproblems.These
schemes have become more common primarily because they are less costly and quicker to
permit,design,and build than other alternatives such as constructing major transmission lines
and power plants.
Remedial Action Schemes in WECC supplement ordinary protection and control devices (fault
protection,reclosing,AVR,PSS,governors,AGC,etc)to prevent violations of the
NERC/WECC ReliabilityCriteria for Category B and more severe events.RAS sense abnormal
system conditions and (often)take pre-determined or pre-designedaction to prevent those
conditions from escalating into major system disturbances.RAS actions minimize equipment
damage and prevent cascading outages,uncontrolled loss of generation,and interruptions of
customer electric service.Recent WECC experience with existing RAS has been good from the
IviewpointofRASimpactsonmajorsystemdisturbances.
This Guide is a revision of the 1991 WSCC "Guide for Remedial Action Schemes."The
2,3 4NERCandWECC Standards have changed significantlysince 1991.The Standards changes
were driven by the major WSCC outages in July and August 1996 with "reminders"from the
outages in eastern North America and Italy in August and September 2003.These outages
indicate that Standards compliance is necessary.The 1997 NERC and 2002 WECC Planning
Standards Section III.F and 2005 NERC Standards PRC-012-0 through PRC-017-0 specifically
apply to RAS.This document is intended to help the RAS designer comply with these
Standards.
The 1991 Guide addressed design,operation,and maintenance of RAS.Appropriate installation
and maintenance practices for all types of protection systems,includingRAS,are described
5separatelyinmoredetailintheRWGInstallation&Maintenance Guide.These issues are also
addressed in detail during review of specific RAS by the WECC Remedial Action Scheme
6 7ReliabilitySubcommittee,(RASRS).The recent CIGRE report "System Protection Schemes
8inPowerNetworks"addresses many aspects of these schemes.The NPCC and (formerly)
9MAAC regional reliability councils also have SPS Design Guides,though these documents are
generally less detailed than the CIGRE report or this Design Guide.
The 1991 Guide devoted considerable discussion to organizational,project management,and
inter-company coordination issues.While these issues remain highly important,they are not
unique to developing and operating remedial action schemes and are no longer discussed here.
Requirements for underfrequency load shedding (UFLS)schemes are not addressed in detail
here.Theyare addressed separately by several WECC documents.10,11,12 These documents
provide satisfactory design guidance.Therefore UFLS schemes designed in compliance with
these WECC requirements have not normallyrequired further review by WECC as remedial
action schemes.
5 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
PROBLEM RECOGNITION and DEFINITION
The 1991 Guide identified actual or near instabilityduring actual events first in the list of ways
to recognize a potential system problem.Other identified problem detection methods centered
on system planning studies on a scale ranging from individual planners to the Reliability
Council.
The NERC and WECC Standards do not allow using historical events for initial detection of a
problem,regardless of the solution,though events must be reviewed and the lessons learned
must be applied appropriately.Standards require that appropriate studies be performed to
evaluate all system configurations where operations are to occur.The system should not be
operated in an un-studied configuration.Any significant problems identified in studies are to be
avoided by operating the system in a safe configuration,for example by reducing intertie
schedules,until additional facilities (includingRAS)can be installed to mitigate the problem.
Simulation studies must resolve system-wide issues prior to beginning the specific RAS design.
This Design Guide does not address these system-wide issues in detail.These issues should be
documented separately,and may include but are not limited to:
Critical contingencies,critical components/paths,limitingfactors,
Security regions/nomograms,
Remedies (mitigation/interruption/separation),
Remedial action types and locations,
Speed requirements,
Control principles (opened/closed loop,predetermined/arbitrary disturbing events,etc),
Economic justification,
Critical system condition parameter identification (line/path flows,angles,voltages,fault
severity,system component status,etc),
Scheme architecture (local,centralized,hierarchical,distributed,device locations and
interactions),
Disturbing event indication principles (direct detection,system-response-based
recognition),
Analytical and logical conditions for remedial action types and amounts,arming settings
for step-wise RAS systems,
Margins to be applied to amounts of remedial action or to arming settings to cover system
modeling and instrumentation inaccuracies,
Algorithmsand programs for computerized RAS systems,
Possible out-of-step cut-planes,
Principles,locations and coordination of out-of-step tripping devices.
6 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
Principles and locations of out-of-step blocking functions
A RAS solution will typically be considered when other operating and construction options are
substantially more expensive or cannot be implemented in time to avoid problems identified by
the initial studies.The studies should support and identify the need of the RAS and recommend
the actions to be taken to mitigate the problem.
The studies shall also identify system effects if the RAS misoperates,either by failing to take
action when required or by taking action when action is not required.The system performance
requirements for either type of failure shall meet the NERC/WECC Standards identified in
Categories A,B,C,and D of Table 1 (Section I.A in NERC 1997 and WECC 2002 Standards or
TPL-001-0 through TPL-004-0 in NERC 2005 Standards).
An illustration of system problems that are candidates for RAS solutions,along with
corresponding effective remedial actions is provided as Figure 1,Common RAS Objectives and
Control Methods.Most of these control methods (remedial actions)are also described in section
2.5 of reference 7.
Safety Net Schemes
"Safety Net"system protection schemes have similar general characteristics and objectives as
RAS.A safety net is intended to handle more severe disturbances resulting from extreme
events.Such events are within or beyond Category D of Table 1 in the NERC/WECC Standards
(multiple related outages).
4TheNERC/WECC Planning Standard I.G9 recognizes "that it is not practical (and in some
cases not possible)to construct a system to withstand all possible extreme contingencies without
cascading,[but]it is desirable to control or limit the scope of such cascading or system
instability events and the significant economic and social impacts that can result."
The safety net is intended to minimize the impact of extreme events when such impacts cannot
be entirelyavoided.In part because of this change in objective,WECC does not normally
require that the RASRS review safety net schemes.However,the scheme designer should
consider whether the RAS requirements are still a prudent objective because the safety net may
need to be converted to a RAS as system conditions continue to change.
13TheWECCPolicyRegardingExtremeContingenciesandUnplannedEvents states that "...the
appropriate equipment,remedial action schemes,and operating procedures [must]provide for
reliable system operation at all times....If,at any time,operating conditions exceed these secure
conditions,immediate actions shall be taken to reduce stress on the system and return operation
to safe and reliable levels."The safety net is intended to provide these immediate actions.
Direct detection of events that cause insecure conditions is not always possible or necessary.
Safety net actions can be initiated in response to other indications of insecure conditions.Out-
of-step blocking and tripping and underfrequency load shedding are examples of response-based
7 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
safety nets.The response-based safety net should be supported by studies illustrating
satisfactory speed,action magnitude,and coordination of the remedial actions.Some
simplifications can be made in simulating the process part of returning the system to secure
conditions.
The WECC Policy anticipates application of a safety net with direct indication of the Category D
disturbances if they have high probability (e.g.extreme disturbances that have actually
occurred),or if a response-based safety net would not return the system to a secure state.
Practically all types of RAS actions can be considered for such a "preventative"safety net,
includingmore severe actions such as dropping firm load,system separation,etc.This type of
safety net should be supported by the full range of system simulation studies.
The Policy also emphasizes the importance of controlled (instead of cascading)system
separation to provide stable and balanced operation of each island with the potential of faster re-
synchronization.Fast reserve mobilization (e.g.automatic start of hydro generators)could be
used in resource deficient islands.Generatortripping in resource surplus islands could be
needed.
A safety net scheme may not be used to establish facility ratings or transfer capabilities for
interconnected system operations.
Common RAS Classifications
The followingdescriptions do not cover all possible RAS classifications,but do outline several
common and convenient methods.
One convenient method to classify RAS control principles is by the scheme input variables that
detect system contingencies and disturbances:
Event-based,
Parameter-based,
Response-based,or
Combination of the above.
Event-based schemes directlydetect outages and/or fault events and initiate actions such as
generator/loadtripping to fully or partially mitigate the event impact.This open-loop type of
control is commonly used for preventing system instabilities when necessary remedial actions
need to be applied as quickly as possible.
Parameter-based schemes measure variables for which a significant change confirms the
occurrence of a critical event.This is also a form of open-loop control but with indirect event
detection.The indirect method is mainlyused to detect remote switching of breakers (e.g.an
opposite end of a line)and significant sudden changes which can cause instabilities,but may not
be readily detected directly.To provide timely remedial action execution,the measured variables
may include power,angles,etc.,and/or their derivatives.
8 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
Most event-and parameter-based schemes are triggered by a combination of events and
parameters.These schemes initiate pre-planned actions based on studies of pre-defined system
contingencies for a variety of conditions.
Response-based schemes monitor system response during disturbances and incorporate a closed-
loop process to react to actual system conditions.Response-based scheme action may be more
finely calibrated to the magnitude of the disturbance,but usuallyis not fast enough to prevent
instabilities followingsevere disturbances.UFLS,some types of UVLS,and some equipment
unloading schemes could be interpreted as response-based closed-loop schemes.A response-
based scheme can be used when gradual (e.g.step-by-step)increase of remedial action is
acceptable.
The Northeast Power Coordinating Council's (NPCC)2002 Criteria classified SPS [RAS]
8accordingtoimpactsonthesystem as:
Type I:Scheme where failure or misoperations would have significant impact outside the
local system,
Type II:Scheme intended for extreme contingencies or other extreme causes where failure
or misoperation would have significant impact outside the local system,and
Type III:Scheme where failure or misoperations would not have significant impact outside
the local system.
WECC does not use an official RAS classification system,but the NPCC SPS Types correspond
to the followingWECC terminology:
RAS -A scheme needed to meet WECC performance requirements and operating
standards.The scheme mitigates conditions that could affect the systems of multiple
owners and may be used to establish facility ratings.This type of RAS requires WECC
review by the RASRS.Similar to NPCC Type I.
Example:Pacific AC Intertie RAS (the scheme is used to establish intertie ratings and
affects multipleowners within WECC).
Safety Net -A scheme used to provide a defense against extensive cascading or complete
system collapse.This type of scheme has usuallynot required review by the WECC
RASRS.Similar to NPCC Type II.
Example:WECC Off Nominal FrequencyProgram (the program is not used to establish
intertie ratings,compliance is required and may be audited by WECC and NERC,but a
separate review of each owner's implementation is not required).
Local RAS -A scheme used to meet an owner's performance requirements within that
owner's system.This type of scheme does not usuallyrequire WECC review.Similar to
NPCC Type III.
9 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
Example:Pacific Gas &Electric's San Francisco RAS (the scheme affects only part of
PG&E's system).
TypicalRAS Features
Critical details of the RAS design and operating characteristics must be determined through
appropriate studies.Among the more important recommendations and conclusions of these
studies might be:
Arming Criteria:Critical system conditions for which a step-wise RAS should be ready
to take action when required.
Initiating Conditions:The critical contingencies to initiate action if the scheme is armed.
Parameter-based RAS detect changes in critical system conditions rather than directly
detecting specific conditions.
Action Taken:The minimum remedial action required for each contingency (when
armed)and the maximum acceptable remedial action for each contingency (when
pertinent)
Time Requirements or Allowable Time:The maximum time allowable for the remedial
action to be accomplished.
Critical system conditions are often identified by one or more of the following:
Generation patterns,
Transmission line loadings,
Load patterns,
Reactive power reserves,
System response as determined from the data provided by wide area measurement
systems (WAMS),or
Other unsustainable conditions identified by studies of system characteristics.
For example,during lightlyloaded system conditions,a transmission line outage may not cause
any reliability criteria violations,but during heavier loads,the same outage may result in
generator instabilityor overloads on remaining facilities.
Automatic single-phase or three-phase reclosing followingtemporary faults during stressed
operating conditions may avoid the need to take remedial action.Appropriate RAS action may
still be required if reclosing is unsuccessful.
The RAS is designed to mitigate specific critical contingencies that initiate the actual system
problems.There may be a single critical outage or there may be several critical single
10 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
contingency outages for which remedial action is needed.There may also be credible double or
other multiplecontingencies for which remedial action is needed.Each critical contingency may
require a separate arming level and different remedial actions.
Various possible remedial actions are usuallyavailable to improve system performance.These
may include but are not limited to:
Islanding or other line tripping,
Generatortripping,
Load tripping (direct,underfrequency,undervoltage),
Braking resistors,
Static VAr control units,
Capacitor and/or reactor switching,
The minimum remedial action required is determinedthrough studies that define the boundary
between acceptable and unacceptable system performance.Remedial action in addition to this
minimum level often can result in further system performance improvements.At some higher
action level,system performance standards may again be violated if system response approaches
another part of the boundary (e.g.high voltage due to extra load shedding).However,some
extra remedial action (safety margin)should be applied to ensure that at least the minimum
action will still occur even for the worst-case credible scheme failure (typically a single
component).While actions above the necessary "safety margin"do not create new violations,
they may make the scheme more costly and complex,as well as result in a larger impact to
customers (e.g.reduction of generating reserve,shed more load).
The maximum time allowable to take action will change with the type of problem for which the
RAS is a solution.Short-term angular and voltage stabilityproblems typically require the fastest
response,as fast as a few cycles but usuallyless than one second.Actions to mitigate steady-
state stabilityand slow voltage collapse problems may allow several seconds.Thermal overload
problems could allow up to several minutes before action is required.
Often sensing,logic processing,and corrective action will take place at different sites.A RAS
senses system conditions,communicates to a logic processor programmed to determine the
appropriate arming,determine corrective actions at each arming level and for each contingency,
and initiate appropriate actions,usuallythrough communication links among remote sites.In
this common configuration,RAS are critically dependent on high-speedtelecommunications,
condition-sensing,arming,logic processing,and action equipment.
Often system problems and their solution through RAS involve more than a single entity.The
resulting RAS will require negotiations among the parties (includingtechnical specialists needed
to implement the proposed RAS)identifyingthe conditions to be monitored,scheme logic,logic
processing,and the actions to be taken.The NERC and WECC Standards provide the starting
point to evaluate system performance.The WECC Minimum Operating ReliabilityCriteria
11 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
14(MORC)provides more detailed and specific rules to judge the acceptability of actual system
performance under various conditions.These performance requirements must be met within the
western interconnected systems.Detailed scheme design can begin after the discussions among
parties reach a consensus.
It can be acceptable for an entityto apply more rigorous,well-documented criteria to problems
with a proposed RAS solution.However,the same criteria will need to apply to both the host
utility's internal and third party applications,such as independentpower producers,transmission
providers,or load serving entities,to avoid any perceived unequaltreatment of third parties by
the RAS owner.
PHILOSOPHY and GENERAL DESIGN CRITERIA
In general,the design philosophy appropriate for a RAS is that all system performance criteria
will still be met,even followinga single device or component failure within the RAS.As with
other protection systems,this design objective is often met with a fully redundant system design.
A fully redundant design will avoid the possibility of a single component failure that would
jeopardize successful operation of the RAS.However,as described below,a fully redundant
design is not always required to meet the performance criteria.
Logic
The operating requirements for any RAS are derived from the system simulation studies that
identify the problem (e.g.loss of any of several specific lines during heavy export conditions
would initiate out-of-step conditions on a remaining intertie),appropriate actions to mitigate the
problem (e.g.generation tripping in the area that had been exporting before the outage),and the
maximum time available to take action.
Documentation of this scheme logic will direct the detailed implementation design,aid in
necessary reviews,and assist personnel when installingand testing the scheme.The logic
documentation may take the form of a written description,equations,flow charts,matrix logic
tables,timing tables,logic diagrams,charts,etc,or a combination of formats.The
documentation will also include all scheme inputs and outputs.
Hardware
Hardware used to implement a RAS shall meet the same standards that apply to other protection
systems,includingbut not limited to:
IEEE Power System Relaying Committee,"IEEE Standard Surge Withstand Capability
(SWC)Tests for Protective Relays and Relay Systems Associated with Electric Power
Apparatus,"IEEE/ANSI Standard C37.90.1-2002,IEEE Standard C37-90-2004.
12 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
IEEE Power System Relaying Committee,"IEEE Standard for Relays and Relay
Systems Associated with Electric Power Apparatus,"IEEE/ANSI Standard C37.90-1989.
IEEE Power System Relaying Committee,"IEEE Standard for Withstand Capability of
Relay Systems to Radiated Electromagnetic Interference from Tranceivers,"ANSI/IEEE
Standard C37.90.2-2004.
Technology advances have provided the designer with many solution options.The designer will
often have a choice among several platforms to build the RAS-multi-function or single-
function relays,digital computer,programmable logic controller,etc.
Arming
Some,especially newer,RAS do not depend on a traditional arming concept.These systems are
characterized by fast computations and detect critical changes in system conditions rather than
specific pre-disturbance levels or status.In this sense,they are always "armed"and ready to
initiate action when they detect a disturbance.
However,many RAS monitor load,generation levels,voltage,frequency,breaker status,and/or
other quantities or devices that are critical to identifying the onset of the system problem which
the RAS is designed to mitigate.Analog quantities (usually,though not always,power levels)
are the most common functions used to identifywhen a scheme should be armed.If analog
quantities such as line power flows are the appropriate level detection criteria,the specific
quantities may be monitored by transducers,microprocessor-based relays,communications
processors,analog cards within programmable logic controllers,or other devices.
Often analog quantities or status at more than one location are required to determine when a
scheme should be armed.Use of SCADA and an EMS (Energy Management System)computer
to collect the data and perform the calculations is a common RAS application.Programmable
logic controllers,microprocessor-based relays and other IEDs are also commonly used to
perform these functions.
Both EMS computer and SCADA (remotely)or the scheme logic processor (locally or remotely)
are commonlyused for scheme arming at logic processing and/or action locations.Actual
scheme arming may be done either automatically or manually,dependingon the philosophy of
the entity and the specific characteristics of the scheme.If arming is automatic,the dispatcher
should at least be provided with indication of the arming status.
If arming is manual,written procedures,the EMS or logic processor shall provide the dispatcher
with a recommendation on when the scheme should be armed as well as arming status.For
EMS-calculated manual arming,the RAS designer can consider using a lookup table or similar
document that a dispatcher shall or can use as a manual backup.If there are choices on what
specific actions should be armed (e.g.trip loads at either station A or station B),the scheme shall
make an initial choice,which the dispatcher can override.Some utilities include the ability to
arm a scheme with a local switch from logic processing or at action locations.This is
13 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
acceptable,though most often used when the arming location is continuouslystaffed around the
clock,24/7/365,such as at a power plant or manned substation or the status of the switch is
brought to a continuouslystaffed location.
Detection and Initiating Devices
Detection and initiating devices must be designed to be as secure as possible.The following
discussion identifies several types of devices that have been used as disturbance detectors:
Line open status (event detectors),
Protective relay inputs and outputs (event and parameter detectors),
Transducer and IED (analog)inputs (parameter and response detectors),
Rate of change (parameter and response detectors).
Several methods to determine line open status are in common use,often in combination:
Auxiliaryswitch contacts from circuit breakers and disconnect switches (52b,89b),
Undercurrent detection (a low level indicates an outage),
Breaker trip bus monitoring,and
Other detectors such as angle,voltage,power,frequency,rate of change of these,out of
step,etc.
Circuit breaker or disconnect switch auxiliarycontacts (52b,89b)are often part of the outage
detection input to a logic circuit.Observe the followingprecautions when using these contacts:
Use of auxiliaryrelays as contact multipliersfor critical scheme detection 52b/89b
contacts must be done very carefully,especially if these contacts are used as the only or
primary line outage detection method.Make sure that loss of the auxiliary supply
voltage does not provide false indications to the RAS.Where possible,use the
breaker/switch contact directly for RAS outage detection.Whether directly or through
auxiliaryrelays,separate contacts should be used for inputs to redundant schemes (see
discussion below).
When a circuit breaker is out of service,disconnect switches open,and the breaker
subsequently closed,the 52b switch is no longer a reliable indicator of the availabilityof
the breakeras part of the RAS.The scheme logic must include accommodation for this
contingency.Commonly used methods include auxiliarycontacts on the disconnect
switches (89b)or a separate "maintenance","out of service",or "local/remote"(43)
control switch to provide the proper indications.
Logic must recognize line disconnect switches where used.If the line switches can be
operated remotely or automatically,the detection logic must be automatic.
14 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
Detection logic must be able to detect a line being open at either end (monitorboth ends
of the line).
Inadvertent bypassing of the 52b switches by personnel operating the maintenance /out-
of-service switch or failure of a complicated automatic scheme can cause a false RAS
operation.Supervision of the 52b logic by undercurrent or underpower can prevent such
false operations.
Auxiliaryswitches monitoring disconnect switch position (89b)should follow actual
switch blade position rather than just the operating mechanism.Operation of the
mechanism with the switch de-coupled could cause false operations similar to
inadvertent bypassing of breaker 52b contacts discussed above.
If manual transfer or maintenance switches are used in parallel with 52b breaker
auxiliary contacts,the manual switch position must be monitored by the local substation
annunciator,sequence of events recorder,or SCADA to reduce the possibility of leaving
the switch in the wrong position when the breaker is returned to service.
Undercurrent sensing may be used for outage detection.Loss of transmission line power flow is
occasionally used as a variation of undercurrent detection.Current detection may have the
advantage of being able to detect an open terminal at the far end of the line as well as locally
without a separate communication channel.Undercurrent detection is independentof auxiliary
and maintenance switch contacts.This detection method requires the followingprecautions:
The undercurrent level setting must be above the level of line charging current (including
the effects of any fixed or switched shunt reactors)and corona losses,but below
minimum line flows when both ends of the line are in service.
The minimum current may be quite small for short lines,if a high percentage of shunt
compensation is used,if power flow may reverse direction,or if the line is operated at a
lower voltage.This can make outage detection via undercurrent sensing alone
problematic.
Detection logic must be defeated when the undercurrent relay is out of service for
maintenance,testing,or other purposes.
Breaker trip bus monitoring is often used when scheme operating time requirements are very
short.The timing advantage arises because the logic signal initiation occurs when the circuit
breaker trip bus is energized,ahead of the operating time of the breakermechanism and auxiliary
switches or interruptionof the circuit breaker current.Depending on the rated voltage and
design of the breaker,this may save 1-5 cycles (17-80 milliseconds)in overall scheme operation.
This detection method requires the followingprecautions:
For current operated devices,breaker DC trip current should be monitored using a trip
indicating relay or similar device with an operating current value appropriate for the
specific circuit breaker.Since the trip indicating relay is in series with the trip coil,and
may not operate for open trip coil,trip coil monitoring is appropriateto identify failures
15 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
before failure-to-tripthe breaker.The trip coil failure alarm should be brought into the
EMS.
For voltage-operateddevices monitoring the breaker trip bus,pickup level of the device
and resistance must be carefullyconsidered to ensure that it is not inadvertentlyoperated
by "sneak circuits"such as the red indicating light.Due to this complication,a current-
operated detector is usuallypreferred over a voltage-operated detector.
For breakers with two trip coils,both coils should be monitored.
For breaker trips initiated by a protective relay or control switch,a separate contact
output of the relay or control switch may be used to detect line open status.
For most designs,undercurrent or 52b status detection may also be required in addition
to current or voltage schemes for breaker trip bus monitoring because the trip logic signal
only monitors the DC current flowingthrough the breaker trip coil (or the trip bus
voltage).Once the breaker opens,the coil current falls to zero and a separate detection
method must be used to recognize breaker status.
Voltage,power,frequency,or out-of-step relays may be used when those functions provide
reliable and secure methods of detecting the condition being monitored for the RAS.
Precautions often require more effort to ensure reliable operation than if other detection methods
can be used.
Power flow is often used to make RAS arming decisions,but is also occasionally used
for triggering decisions.
Voltage sensing (where needed)should monitor all three phases at the critical
transmission level.
Rate of change of voltage,current,power or frequency may be used,but with extreme
caution in determining the settings required to distinguish between local faults,
switching,and/or system problems which should initiate the RAS.
15
Out-of-step tripping (OST)may be used to interrupt pending instability.Studies must
be done to ensure that the settings will not result in tripping for recoverable swings and
must also address undesired tripping on out-of-step conditions outside of the given
component.These relays are usuallyapplied when there is enough time to trip "on the
way out"of the swing.If time is critical and tripping must be "on the way in,"then
transient recovery voltage across the tripping circuit breaker(s)must be evaluatedin
order to prevent re-strikes.Tripping "on the way in"requires a more precise setting to
prevent trips on recoverable swings and may require a higher breaker rating.
Out-of-step blocking (OSB)may supervise relay distance or overcurrent elements during
system swings if studies show that the impedance trajectory can penetrate into the reach
15oftherelays.The recommended application combines blocking all relay impedance
zones at locations where OST is not desired and allows tripping using the OST function
available in modern relays for unstable power swings at locations determined by system
studies.
16 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
16TheWECCwideareameasurementsystem(WAMS)is presently used only for system
monitoring.However studies by the WECC Disturbance Monitoring Work Group (and others)
show that such schemes can aid
Real time determination of transmission capacities,
Early detection of system problems,
Refinement of the planning,operation,and control processes.
While the WAMS is not presently applied for any RAS functions,its nature holds some promise
for both initiating remedial action and monitoring system response in future "wide area"RAS.
WAMS,if used in a RAS,may not require traditional arming and outage detection,but would be
parameter-or response-based.
Logic Processing
All RAS require some form of logic processing to determine the action to take when the scheme
is triggered.Required actions are always scheme dependent.Different actions may be required
at different arming levels or for different contingencies.Scheme logic may be achievableby
something as simple as wiring a few auxiliaryrelay contacts or by much more complex logic
processing.The designer shall choose a design to maximize reliability,minimize complexity,
provide for safe scheme testing,and allow for easy future modifications.
Platforms that have been used reliablyand successfully,include programmable logic controllers
(PLCs),personal computers (PCs),multi-function programmableprotective relays,remote
terminal units (RTUs),and logic processors.Single-functionrelays have been used historically
to implement RAS,but this approach is now less common except for very simple new
installations or minor additions to existing schemes.
Communications Channels
Communication channels used for sending and receiving logic or other information between
local and remote sites and/or transfer trip devices must meet at least the same criteria as for other
relaying protection communication channels.These requirements are outlined in
17CommunicationsSystemsPerformanceGuideforProtectiveRelayingApplications and
18CriticalCommunicationsCircuits-Guidelines for Design documents available on the WECC
web site.
The scheme logic must be designed so that loss of the channel,noise,or other channel failure
will not result in a false operation of the scheme.
It is highly desirable that the channel equipment and communications media (power line carrier,
microwave,optical fiber,etc)be owned and maintained by the RAS owner,or perhaps leased
17 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
from another WECC member familiar with the necessary reliability requirements.All channel
equipment must be monitored and alarmed to the dispatch center so that timely diagnostic and
repair action shall be taken place upon failure.
Leased telephonecircuits or pilotwire circuits on power system structures are likelyto lead to
unreliable operations.Such channels shall only be used when no other communications media
are available.Automatic channel testing and continuous monitoring are required if telephone
leased lines are used.
Communication channels shall be well labeled or identified so that the personnel workingon the
channel can readily identify the proper circuit.Channels between entities shall be identified
with a common name at all terminals.
Cyber Security
19NERCrecentlyapprovedpermanentstandards CIP-002-1 through CIP-009-1 to address both
physical and electronic security for critical cyber assets.These standards are intended to apply
across the spectrum of security concerns from identifying the assets,personnel,access to the
assets,and identifying,reporting on,and recovering from cyber attacks.While cyber security
issues are not unique to RAS,a brief summary is provided here.
The Standards define terms and identify critical cyber assets as having at least one of the
followingcharacteristics:
The cyber asset uses a routable protocol to communicate outside the electronic security
penmeter,or
The cyber asset uses a routable protocol within a control center,or
The cyber asset is dial-up accessible.
RAS applied to the bulk electric system will be critical assets under the definitions in these
Standards and will also be critical cyber assets,except in rare cases where computer-based
equipment and communication networks are not part of the scheme.RAS applied to systems
and facilities critical to system restoration or load shedding of 300 MW or more are also
included in the definitions.
Specific cyber security protection methods must be determinedby each utility,but applications
to protect RAS equipment should be similar to the facilities needed to protect energy control
centers and equipment protection relays.
RAS applied off the bulk electric system should also be treated as critical cyber assets if
connected into networked communications systems serving other critical cyber assets."
18 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
Transfer Trip Equipment
Transfer trip equipment for RAS applications shall meet the same hardware design and
reliability standards as for other communication-aided protection equipment applications.
Commonly used types of transfer trip equipment include FSK audio tone,FS carrier,relay-to-
relay digital,etc.Operating time must be compatible with the requirements for the specific
RAS.Security against false trips is often accomplished by the same methods as used in direct
transfer tripping applications,e.g.guard and trip frequencies shift in opposite directions.
Additional criteria can be found in reference 17.
Test Switches
The NERC/WECC Planning Standards related to test switches for RAS are similar to those for
other protection systems.The 1997 NERC and 2002 WECC RAS standards include the
followingguides:
G5.SPS [RAS]should be designed to minimize the likelihood of personnel error such as
incorrect operation and inadvertent disabling.Test switches should be used to eliminate
the necessity for removing or disconnecting wires during testing.
G6.The design of SPS [RAS]both in terms of circuitry and physical arrangement should
facilitate periodic testing and maintenance.Test facilities and procedures should be
designed such that they do not compromise the independence of redundant SPS [RAS]
groups.
Test and/or cutout switches for initiation,logic processing,tone communications,and action
circuits shall be designed as an integral part of the RAS at all locations where any of these
functions occur.Switches shall be readily accessible to operatingpersonnel for maintenance and
test purposes using a written procedure.The switches shall be labeled with a name that is short,
precise,and directly related to the remedial action scheme function.Common nomenclature
shall be used at all locations for a RAS involvingmore than one entity.
REDUNDANCY
RAS redundancyrequirements are similar to the requirements for other protection systems.
Redundancy is intended to allow removing one scheme followinga failure or for maintenance
while keeping full scheme capability in service with a separate scheme.Redundancy
requirements cover all aspects of the scheme design includingdetection,arming,power supplies,
telecommunications facilities and equipment,logic controllers (when applicable),and RAS
trip/close circuits.
19 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
Minimum Requirements
The Standards do not impose an absolute redundancy requirement.The need for redundancy
should be based on an evaluation of the system consequences for a failure of the scheme to
operate and the need to meet overall system reliability requirements.A single point of failure
within a RAS must not prevent the interconnectedtransmission system from meeting the system
performance requirements.It is the designer's /owner's responsibility to prove that failure of
non-redundant equipment for all credible scheme failures will still result in system performance
that is within the NERC/WECC Standards and MORC.The followingGuide from the 1997
NERC and 2002 WECC Standards further describes the intent:
Gl.Complete redundancyshould be considered in the design of an SPS [RAS]with
diagnostic and self-check features to detect and alarm when essential components fail or
critical functions are not operational.
To be an acceptable alternative to full redundancy,a non-redundantdesign must at least:
Provide adequate backup,such as by overtripping of a load shedding RAS when
communication channels to the load shed sites are not redundant.Overtripping shall not
expand the problem.
Monitor and alarm all critical RAS elements-especiallyones where single component
failure can defeat the RAS functionality.
Depending on the scheme design and objectives,the followingmay also be necessary:
o It is possible for the electric system to be adjusted so that the RAS need not be
armed and operation is not required for the critical outage(s).
o Adequate dispatcher training must be in place to immediately adjust the system
so that operation of available parts of the RAS will still meet the system
performance requirements of the Standards if any of these critical alarms occur,
e.g.arm alternate load shed sites.
NERC /WECC Standards and common utility practice allow a few protection systems to be
non-redundant.A partial list includes:
Station battery.The Standards require only that separately-fused DC control circuits be
used to supply otherwise-redundantprotective devices and that the battery/charger
system be alarmed to indicate failures.Some utilities do use separate batteries and
chargers,especially at higher system voltages,but this is not required by the Standards.
Potential sensing devices (PTs,CCVTs,optical).Voltage sensing for protection shall be
provided from separate secondary windings of voltage sensing devices,but separate
primaries are not always required.
Breaker failure protection is specifically exempted from a redundancyrequirement.See
the discussion below.
20 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
Microwave antenna towers.
Most protection schemes are designed with many redundantfeatures.Good utility industry
practice and the Standards encourage fully redundant RAS.However,the minimum requirement
for all systems is to provide adequate backup protection,the operation of which will not result in
violatingthe performance requirements.A simple example of a non-redundant protection
scheme with adequate backup is a distribution feeder protected by separate electro-mechanical
phase and ground relays.If any single relay fails or is out of service,at least one other relay can
still sense any possible feeder fault and initiate a breaker trip.A RAS example would overtrip
load if redundant communications facilities are not provided to the different load shed locations.
Acceptable conditions to avoid full redundancymight include emergency operating orders to
reduce flows on the critical system elements so that the RAS would not need to be armed,
resulting in (dispatcher modified)system conditions that no longer require RAS operation for the
critical contingency.Such emergency changes would have to be accomplished within 10
minutes for stability limited systems or 30 minutes for thermallylimited systems (WECC
20ReliabilityManagementSystem(RMS),III.E.5),regardless of any previouslyestablished
schedules or other contractual obligations.Depending on the anticipated severity,frequency,
and duration of system conditions that require dispatcher curtailments,the economics of the
situation will often encourage full scheme redundancy.
RAS logic processing will usuallyneed to be redundant to assure meeting minimum
performance requirements.The scheme designer must consider the power system effects if the
controller arming and/or actions do not match.This could result in either an unnecessary
scheme operation or failure to operate by one of the systems.Redundantlogic processors should
at least provide a "mismatch"alarm and the system operator should be provided with standing
orders describing appropriate subsequent procedures.
For large and complex RAS,economic scheduling issues are usuallyso important and the
consequences of scheme misoperations are so unacceptable that full scheme redundancyis the
rule.For example,some schemes use a logic processing design for the first scheme (RAS A)
that is a triplyredundant set of programmable logic controllers arranged in a two-of-three voting
scheme and the redundant scheme (RAS B)is a second triplyredundant set of programmable
logic controllers arranged in a separate two-of-three voting scheme.Arming information based
on line flows is provided from A and B sets of transducers or IEDs.The A and B schemes have
separate 52b and trip coil sensing at both ends of the critical line(s).To be fully redundant,
communications circuits must use independent communication paths,e.g.microwave and fiber-
optic.
If one controller or other critical component of an otherwise redundant scheme is not available,
the conditions under which the single remaining scheme may continue to control system
20operationsareprobablybestidentifiedinWECC's RMS Criteria Agreement.All of the RMS
specifically applies to identified WECC Paths and Section I specifically applies following
misoperations of RAS or equipment protection.However,the operating philosophy after
removing equipment from service is reasonably applicable for any facilities and whether or not a
21 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
misoperation or other failure has occurred.A summary of the pertinent paragraphs b,c,and d
says that:
If a fully functional scheme is not available,the facilities must be derated to a reliable
operating level.
This may require adjustment of the actual operating level.
The system may continue to operate at appropriatereduced levels at or below the "no
fully functional RAS available"rating indefinitely.
The system may be operated without derating on a single remaining non-redundantbut
fully functional scheme for up to 20 business days.
Some utilities are willing to continue otherwise normal operations with a single fully functional
RAS or protection scheme available during an outage of a redundantscheme,as allowed by the
RMS.Other utilities are unwillingto operate without a redundantRAS (or protection)available
for longer than would be required to switch a third "standby"system into service,or at reduced
facility ratings.Either operating philosophy is allowed by the RMS.However each utility
should be sure that the same philosophy is applied consistently within its system.
Breaker Failure
Failure of a circuit breaker to trip when called upon to trip by the RAS,even when equipped
with dual trip coils,is considered a credible failure.Followingare some common and
acceptable methods to remediate such a failure:
Over-operate RAS action,e.g.trip extra generationequivalent to the largest generator or
generationsite which may fail to trip.
Initiate breaker failure protection.Breaker failure action usuallyoperates additional
breakers to isolate the stuck breaker while still performing the RAS action.Any
additional tripping should not exacerbate the original power system problem that the
RAS is designed to solve (e.g.avoid tripping additional lines.Refer to the System
Performance summary at Table 1 of NERC Standard TPL-001-0 through TPL-004-0 and
the WECC MORC.)The breaker failure scheme can also add significantlyto the time
for a RAS to operate,which may not be acceptable for a high speed transient stability
RAS.
The scheme designer is not limited to these methods to address failure of a breaker to trip.
However,it should be shown that failure of a breakerto trip (or close)will still result in
acceptable system performance.
22 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
Communication Circuit Redundancy
Communications circuits must be redundant and diverse to provide assurance that the RAS can
continue to operate for loss of a single path or piece of equipment.For example,redundant
communications circuits would require separate channel banks powered by separately fused DC
circuits.
If both channels share the same microwave radio tower at a substation that is acceptable,but
sharing the same radio path to the next repeater site is acceptable only for systems which have
demonstrated extremely high reliability,perhaps a short "spur"hop into the "backbone"
communications system.The designer should evaluate actual circuit availability,especially if
17,18anyleasedtelephonecircuitsareused.Availabilityrequirements and communications
21circuitavailabilitycalculationmethods are addressed in the references.
Redundant communications circuits will usuallyneed to be on geographically diverse routes
where practical.As a protection example,if a specific line requires high speed tripping
protection,redundant communications circuits on geographically separate paths are often
specified,e.g.a power line carrier signal may be used along with a microwave path.A
configuration using optical fiber ground wire (OPGW)and power line carrier on the same line is
usuallyacceptable,but may not be preferred if more geographically diverse media alternatives
are available.These same path diversityconsiderations apply to RAS applications.
MONITORING and ALARMS
The Standards require adequate monitoring of all protection systems (includingRAS)so that
misoperations and failures can be identified and maintenance personnel can be dispatched in a
timely manner to remove failed equipment from service and make repairs.It is the responsibility
of the RAS designer /owner to ensure that monitoring is adequate so that appropriate alarms and
indications are provided to dispatchers from all RAS sites and equipment.It is especially vital
for the dispatcher to know if any parts of the RAS are not redundant,since failure of that
equipment would remove at least that part of the RAS from service.Failures within a non-
redundant RAS will generally require the dispatcher to adjust the system on an emergency basis
so that neither arming of the RAS nor operation of the failed part of the RAS is necessary.
20TheWECCReliabilityManagementSystem(RMS)specifically requires that any protection
system or RAS on a bulk power transmission path (BPTP)known or suspected to have
misoperated be corrected or removed from service within 22 hours.The remaining single
system may be used for all appropriateprotection,includingRAS,as long as the failed system is
repaired and returned to service within 20 business days.If a non-redundantprotection system
or RAS is removed from service and adequate backup is not available,the protected equipment
must be removed from service or system operation modified so that the RAS is not required until
the protection or RAS equipment is repaired.
22TheRASdesignerandoperatingpersonnelmusthaveavailableadequatetimestamping of
23 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
RAS functions for the operation of the scheme and its components to document and diagnose
operations as correct or incorrect.Scheme indication points may be categorized for this purpose
as either "status"or "operating"with different time stamping requirements for each.Time
resolution of 2-6 seconds (as might be provided through an EMS)for status points can be
satisfactory (faster time resolution is also acceptable).Operating points will require sequence of
events recorder(s)using time stamping to a resolution of one millisecond through GPS or similar
clocks.As many points as feasible should be monitored so that the performance of the RAS can
be evaluated.Minimum logging of scheme indication points shall include:
Status Points Operating Points
(time resolution 6 sec or less)(time resolution 1 msec)
Arming status,·Initiating device operation,
Status of operation or test switches,Tone equipment transmitter
Equipment self-diagnostics and operation,
annunciation,Tone equipment receiver
Indication when a manuallyarmed operation,
scheme should be armed or may be ·Tripping device operation.
disarmed,
Status of the equipment before and after
the RAS action e.g.breaker status.
RAS design and RAS operation are generally unique and often operate on different principles
than other protection systems.Monitoring and organizing the status and alarm data
appropriately can provide a helpful guide to operating personnel to control and diagnose scheme
operations.For example,many owners with significant numbers of RAS design specific screens
in their EMS to aid dispatchers in operating each RAS.Such screens may confirm scheme
availability,summarize the arming status of the scheme and status of each action location,allow
the dispatchers to arm or disarm the scheme,change locations to be armed for action,and list or
summarize any alarms and their impact on the scheme.
COORDINATION with PROTECTION,OTHER RAS,and CONTROL SYSTEMS
EquipmentProtection
Often the purposes of RAS and equipment protection are different enough that little or no
coordination,in the traditional sense used by protection engineers,may be necessary between
the functions of each.However,RAS operation that depends on functions that are performed by
protection relays will require a careful review.Protection /RAS interactions may include:
System configuration changes due to RAS operation that might affect protective relay
24 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
functions such as distance relay overcurrent supervision,breaker failure pickup,potential
source switching,or other functions.
If studies indicate that sustained low voltages in conjunctionwith elevated line flows
may be expected during RAS operation,confirm that any protection settings on affected
lines shall not cause cascading outages related to the low system voltages.This concern
was given recent visibilityby the 1996 WSCC disturbances and the resulting RWG paper
23"Application of Zone 3 Distance Relays on Transmission Lines"and by NERC's
24Recommendation8AZone3requirements resulting from the August 2003 eastern
North America disturbance.
Designated out-of-step tripping devices should be provided on all components at planned
system separation locations (out-of-step cut-planes).These devices should not operate on
recoverable swings and should be coordinated to prevent tripping outside of the actual
out-of-step cut-plane.
The WECC system has experiencedintensive synchronous swings and out-of-step
conditions resulting in cascading outages due to undesired operation of distance relay
protection.Out-of-step blocking features should be used for distance relays away from
identified out-of-step cut-planes if they may otherwise operate during system swings.
Another coordination example is a RAS that triggers action after an unsuccessful automatic
reclose attempt on a transmission line.The RAS time delay after sensing the line outage but
before initiating action must be longer than the breaker open interval,or the RAS action could be
triggered by a positive status indication that the reclosing function has locked out.Successful
single-or three-phase reclosing may allow temporary faults to clear and avoid the need for RAS
actions.An unsuccessful reclose attempt may still require remedial action.
Multiple Applicationsin a Single Device
Many of today's microprocessor relays,programmable logic controllers,and other logic
processors are highly flexible in allowing the user to program features necessary for specific
applications.Various devices may be useful for both equipment protection and RAS operation.
RAS functions could be easily programmed in available relays or logic controllers that are also
used for equipment protection.
Mixingequipment protection and RAS functions in the same device raises separate coordination
issues,especially related to operations and maintenance.Routine protection testing or changes
could impact the availability and operation of the RAS.Observe the followingprecautions if
protection and RAS functions are to be provided in the same device:
Undesired operation of equipment protection relays has historicallybeen an important
cause of major disturbances characterized by intense swings,low voltages,and out-of-
step conditions.The RAS is the next line of defense for the system.RAS security may
be significantlyimproved when RAS devices are separate from equipment protection
relays.
25 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
There should be some association between the protection and RAS functions,e.g.line
open status as a trigger for RAS action could be monitored by relays protecting that line
terminal and the status could be communicated over the same relay-to-relay
communication channel as is used for the line protection scheme.
The device must be clearlylabeled to identify the RAS functionality.
Procedures and/or monitoring must notify the dispatcher prior to any modifications or
testing in the device.
Procedures and/or monitoring must notify the dispatcher prior to the device being
removed from service.
Procedures and/or monitoring must identify the impact that the outage or modification
has on RAS operation.
Procedures for testing protection logic and RAS logic after software upgrades.
The effect of one scheme on the other,e.g.disabling one (protection)function may
disable the other (RAS)function.
Other Remedial Action Schemes
Separate RAS may share certain loads and/or generationto be shed when RAS action is
necessary.The scheme planners and designers need to closely examine such applications to be
certain that such "shared"action will not result in shedding less load or generation (or other
required action)than necessary for any credible contingencies.
Energy ManagementSystems
An EMS-basedRAS is a form of mixingcontrol and RAS functions in a single device.A
utility's EMS is more often used to provide dispatcher control commands,RAS arming
calculations,and monitoring,but is also occasionally used for logic processing and scheme
execution.Some RAS applications are not appropriatethrough the EMS,and even acceptable
applications must be done with more care than for most other EMS applications.
A significant technical limit on EMS applicability to RAS is primarily related to data scan time
between the EMS and remote RTUs (typically 2 to 4 seconds).The "round trip"of information
from sensing status and levels,determining required action,and executing the action must be
estimated to require at least 4 seconds (or twice the scan time).The followingprecautions must
be kept in mind in applying EMS-based RAS:
An EMS timing estimate of at least three to five times the scan time may provide an
acceptable margin.
The EMS cannot be fast enough to process logic and trigger RAS action to solve system
transient stability related problems.
Voltage control,thermal loading,or other problems that do not require action for at least
26 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
6-10 seconds or longer may be possible applications for an EMS-based RAS.
An EMS-basedRAS does not let the RAS owner avoid the scheme redundancy
requirements described above.
Other technical and operating issues that must be addressed for an EMS-based RAS include:
The EMS-basedRAS must operate correctlyeven during wide-scale system disturbances
that may tend to overburden the EMS with system operations and alarms.
Consider the RAS impact if the EMS is unavailable.
Even with an otherwise acceptable EMS-basedRAS,a redundant non-EMS-based RAS
may be required to ensure that the scheme operates properly even if the SCADA system
data fails to update,as happened in the August 2003 Northeast blackout.
The effects of loss of the DC source that powers the EMS must be considered.
Validation methods for the incoming data must be considered,e.g.compare flow at both
ends of a line and determine the appropriate response when a significant difference
occurs,such as applying advanced state estimation methods.As a control example,if the
EMS is used for automatic generation control,loss of telemetry data from an intertie or
generationplant could ramp other generators up or down when such a change is not
required.
Some operations and maintenance issues may be more difficult to address with an EMS-
based RAS than for a separate system design.For example:
o Routine programming updates of the EMS data bases must be done with special
attention to the effects on arming or triggering the RAS,or disabling it.
o Routine programming updates of the RTUs that include RAS functions must be done
with special attention to the affects on RAS operation.
o Routine field operations that usuallyhave no immediate effect,such as lifting wiring
or opening a test switch for a breaker status indication input to an RTU could trigger
RAS action if that action is dependent on the breaker status indication to the RTU.
The operational precautions listed above for mixing RAS and protection functions in a
single device must also be followed when implementing a RAS through an EMS.
OPERATIONS and TEST PROCEDURES
Planners,designers,and/or dispatchers must provide a description and operating procedures for
the RAS to guide operations and maintenance personnel in the proper operation of the scheme.
These descriptions and operating procedures will guide development of installation and test
procedures,aid interpretation of alarm and status messages,and help identify scheme operations
as correct or mcorrect.
The WECC normallyrequires annual testing of RAS applied on facilities listed in the Path
27 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
Catalog.WECC does not specify a test interval for most other protection schemes.Some
utilities include a successful scheme operation within the previous six months (or some other
specified period)as a successful scheme test.The owners of RAS that do not require WECC
review may determine the scheduled test intervals.
Usuallyroutine tests are easier to schedule when the RAS would not be armed due to system
conditions (such as low intertie flows).These tests should be end-to-end in the sense that the
scheme is manuallyarmed,the initiating outage (or other event)is manuallyperformed,and
logic,communications,and actions at all sites are monitored for correct operation.It is not
necessary to actuallydrop load or generation (if that is the RAS action)as long as an acceptable
alternate test procedure is available (such as prior transfer of targeted load to another circuit)to
prove the functionalityof the "action"breakers.
Some utilities design their schemes specifically to make testing for scheme initiation,logic,and
action fast,easy,safe,consistent,and nearly automatic from a single location through additional
logic and test or operations switches.Automated testing tends to work better for smaller
schemes because it is easier to define the worst case scenarios that are most critical to scheme
operation.
For large and complex schemes,it is especially important to identify critical scenarios in the test
procedures and test the RAS as a system,though it can be impractical to test all features of the
RAS over the full range of system operating conditions.The object in designing the test
procedure will be to identify and test the conditions for arming,detection,activation,and
completion that will cover the extreme system conditions for which the RAS is designed to
protect the system.
WECC REVIEW
The WECC has a formal review and approval process in place,as required by the NERC/WECC
Standards,to evaluate new and modified RAS.The Remedial Action Scheme Reliability
Subcommittee provides this review.The primaryfunction of the RASRS is to promote the
25reliabilityofRASwithinWECCbyprovidingamultidisciplinaryoverview:
For new and significantlymodified schemes.
As requested by technical committees.
For special technical problems regarding RAS outside the scope of other Subcommittees
and Work Groups.
Underfrequency load shedding schemes designed in compliance with the WECC Coordinated
UFLS plan,'safety nets,local RAS,and out of step protection normallyhave not required
further WECC review.
28 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
Remedial action schemes required to be reviewed through this WECC process are those for
which:
Failure would result in bulk transmission system performance in a neighboring entity
outside the limits of WECC performance requirements.
Failure would result in bulk transmission system performance outside the limits of
WECC performance requirements within a scheme owner's system if requested by the
owner or if deemed necessary by other Regional technical committees.
The WECC review shall be completed
Before the scheme is initiallyput into service.
Before significant modifications or extensions are made to an existing RAS:
o If the modifications involve new system simulation studies,
o If the scheme functionalitychanges,
o When new input or output locations are added or existing locations are removed,
o When a major component or system architecture change is required,
o Modifications will not result in scheme failure becoming a credible event,
o For retirement of a WECC-approved RAS.
If the RAS owner is not sure whether a change is significant enough to require WECC
review,the issues should be discussed with the Chair of the RAS ReliabilitySubcommittee.
The Chair,or at the Chair's discretion,all or part of the Subcommittee will decide whether
further review is needed.
In the event of certain types of scheme failure,e.g.correct scheme operation,but failure to
meet performance standards.
Minor modifications to existing RAS are not required to go through this formal review,but will
be documented by the owner through the annual WECC RMS program and the RAS catalog.
NERC/WECC Standards require a functional review at least every five years for each scheme.
This requirement can be met for a WECC-approved scheme by the owner's internal review and
confirmation through the RMS program that all scheme requirements are still satisfied,and no
changes in either requirements or implementation have occurred that require further review by
the RASRS.When a RAS has not required previous review by WECC or is not part of the
RMS,the NERC Standards will still apply.The owner should perform and document an internal
review as specified in the Standards.
6ThemostrecentversionoftheRASRS's review document is available on the WECC web site.
The RAS designer should fill out a copy of this document and submit it and other related
29 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
documentation to the Chair of the Subcommittee in preparation for scheme review.
Subcommittee review consists of a presentationby the owner's RAS design team and detailed
technical discussion of the RAS's features,includingany coordination with protection or other
schemes,and any limitations.Scheme approval by the RASRS and confirmation by WECC is
(intended)to be obtained before the owner can depend on the RAS to solve the problems for
which it was designed.
A preliminarydesign review by the RASRS may be feasible when time allows before the
scheme has to be in service.The RASRS and some scheme designers have found such
preliminaryreviews helpful.The designer often is able to more efficiently accommodate the
RASRS's concerns in the final scheme design and the RASRS can expeditethe final review and
approval.
30 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
System Problems Control Methods
(RAS Objectives)(Remedial Actions)
Generator Dropping
I
Overfrequency y Braking Resistor
Insertion R
e
Equipment Turbine Fast Valving
Overload -
Turbine Power
Angular Ramping
Instability e
Fast DC Trans /Link
Poor Oscillation -and Phase Shifter i'CControlDamping
n
System Separation tOutofStepr
o
Hydro,Gas Turbine,Underfrequency,Pumped Storage StartSlowFrequency
Recovery R
Load Dropping e
Voltage Generator Excitation
Instability Forcing e
Capacitor and Reactor
Undervoltage,Switching
Slow Voltage
Recovery Advanced Reactive r
Support (SVC,etc)C
oOvervoltage----n
Open-end Line Trip r
Loss of System iIntegritySystem/Load
Restoration Measures
FIGURE 1.Common RAS Objectives and Control Methods
31 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
REFERENCES [www addresses as given are subject to change or removal from the site]
1.WECC Relay Work Group,"Review of System Disturbances -2003,""Review of System
Disturbances -2002,""Review of 2000-2001 System Disturbances,"and "1998-99
WSCC Disturbance Report Review,"
http://www.wecc.biz/documents/library/RWGl2003 Disturbances RWG Report Final.p
df
Mtp:llwww.wecc.biz/documents/library/RWGl2002 WECC Disturbances Review 5-26-
2005 Clean-correct link2.pdf
http:llwww.wecc.biz/documents/library/RWGIRelay Work Group Review of 2000-
2001 Disturbances Aqenda Item X.pdf
http://www.wecc.biz/documents/library/RWGIRWG-Review WSCC Disturbances 1998-
99.pdf
2.North American Electric Reliability Council,"NERC Planning Standards,"September
1997
3.North American Electric Reliability Council,"Approved Standards",08/08/05.http://www.nerc.com/~filez/standards/Reliability Standards.html
4.WECC,RELIABILITY CRITERIA,Part I,NERC/WECC Planning Standards,"April 2005
http://www.wecc.biz/documents/library/procedures/CriteriaMaster.pdf
5.WECC,"RWG Installation and Maintenance Guide,3/7/2002
http://www.wecc.biz/documents/library/RWG/rwg_installation_and_maintenance_guide.
pdf
6."WECC Remedial Action Scheme Reliability Task Force Procedure to Submit a RAS for
Assessment by the Task Force -Revised by the RASTF in September 2001"
http://www.wecc.biz/documents/library/RAS/WECC_RAS_Approval_Procedure_9-
2001.pdf
7.Karlsson,Daniel and Xavier Waymel editors,"System Protection Schemes in Power
Networks,"CIGRE Task Force 38.02.19,June 2001
8.NPCC,"Special Protection System Criteria,"Document A-11,November 14,2002,
https://www.npcc.orqlpublicFiles/reliability/criteriaGuidesProcedures/newlA-11.pdf
9.MAAC,"MAAC Special Protection System Criteria,"Document A-3,June 29,2000,
http://www.maac-rc.orql
10.WECC,"WECC Coordinated Off-Nominal Frequency Load Shedding and
Restoration Plan,"revised December 5,2003
11.WECC,"Southern Island Load Tripping Plan,"July 22,1997
12.WECC,"Underfrequency Load Shedding Application Guide,"revised August3,
2004
32 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
13.WECC,"WECC Policy Regarding Extreme Contingencies and Unplanned
Events,"May 31,2002,http://www.wecc.bizldocuments/library/procedures/WECCPOLICY12.pdf
14.WECC,"Minimum Operating ReliabilityCriteria (MORC),"revised April 6,2005.
http:llwww.wecc.bizldocumentsliibrary/proceduresloperatinqlWECCReliability
Criteria MORC.pdf
15.IEEE Power System Relaying Committee,Work Group D6,"Power System and
Out-of-StepConsiderations on Transmission Lines,"July 19,2005,
http:llwww.pes-psrc.org/
16.WECC Disturbance Monitoring Work Group,"WSCC Plan for Dynamic
Performance and Disturbance Monitoring,"October 4,2004,
http:llwww.wecc.bizldocuments/library/disturbancelDMWG/WECCPlan.pdf
17.WECC,"Communications Systems Performance Guide for Protective Relaying
Applications,"November 21,2002.
http://www.wecc.bizldocuments/library/procedures/CommPerf Guide for Rela
vs.pdf
18.WECC,"Critical Communications Circuits -Guidelines for Design ,"revised
10/11/02,
http://www.wecc.biz/documents/library/TELCOM/design_ofcritical comm ckts
word2K rev 10-11-02.doc
19.North American Electric Reliability Council,"Critical Infrastructure Protection",
05/02/06,Standards CIP-002-1 through CIP-009-1,
ftp:llwww.nerc.com/pub/syslallupdllstandards/rs/CIP-002-1.pdf
ftp:llwww.nerc.com/pub/syslallupdllstandards/rs/CIP-003-1.pdf
ftp:llwww.nerc.com/pub/syslallupdllstandards/rs/CIP-004-1.pdf
ftp:llwww.nerc.com/pub/syslallupdllstandards/rs/CIP-005-1.pdf
ftp://www.nerc.com/pub/syslallupdllstandards/rs/CIP-006-1.pdf
ftp:llwww.nerc.com/pub/syslallupdllstandards/rs/CIP-007-1.pdf
ftp:llwww.nerc.com/pub/syslallupdllstandards/rs/CIP-008-1.pdf
ftp:llwww.nerc.com/pub/syslallupdllstandards/rs/CIP-009-1.pdf
20.WECC,"RMS Criteria Agreement-Amended 05-01-05 ,"http:llwww.wecc.biz/documents/library/RMS/WECC_Criteria_AgreementFinal 0
7-01-05.pdf
21.WECC Critical Circuit AvailabilityCalculation Appendixrev.11-18-05,http:llwww.wecc.bizldocuments/library/TELCOM/WECC%20Critical%20Circuit%
20Availabiity%20Calculation%20Appendix%20rev.%2011-18-05.doc
22.WECC,"WECC Guideline for Time Synchronization of Protection,Control and
33 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix C-Remedial Action Scheme Design Guide,November 28,2006
Monitoring ,"http://www.wecc.biz/documents/standardslundergoing_comment/WECC_Guideli
ne_For_Time_Synchronizationof Protection Control &Monitoring.pdf
23.WECC,"Application of Zone 3 Distance Relays on Transmission Lines,"
September10,1997,
http://www.wecc.bizldocuments/library/RASlapplicationofzone3 distance rela
ys on transmission lines.pdf
24.North American Electric Reliability Council,"Board ApprovedBlackout
Recommendations -February 10,2004"
ftp:llwww.nerc.com/pub/syslall_updl/docs/blackout/BOARDAPPROVED BLAC
KOUT_RECOMMENDATIONS_021004.pdf
25.Vahid Madani,WECC,"Remedial Action Schemes Application and
ImplementationRequirements&Performance Assessment Measures,"October
25,2001.
http://www.wecc.biz/documents/library/RAS/RASRTF-Function-
October_2001.ppt
Approved By:
Approvinq Committee,Entity or Person Date
Operating Committee November 28,2006
Reformatted Document March 9,2011
Remedial Action Scheme Subcommittee June 6,2006
34 of 34
PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1
WECC Standard PRC-004-WECC-1 -Protection System and Remedial Action Scheme Misoperation
A.Introduction
1.Title:Protection System and Remedial Action Scheme Misoperation
2.Number:PRC-004-WECC-1
3.Purpose:Regional Reliability Standardto ensure all transmission and generation Protection
System and Remedial Action Scheme (RAS)Misoperations on Transmission Paths
and RAS defined in section 4 are analyzedand/or mitigated.
4.Applicability
4.1.Transmission Owners of selected WECC major transmission path facilities and RAS listed in
tables titled "Major WECC Transfer Paths in the Bulk Electric System"provided at
https://www.wecc.biz/Reliabilitv/TableMajorPaths4-28-08.pdf and "Major WECC Remedial
Action Schemes (RAS)"provided at
https://www.wecc.biz/Reliability/TableMajorRAS4-28-08.pdf.
4.2.GeneratorOwners that own RAS listed in the Table titled "Major WECC Remedial Action
Schemes (RAS)"provided at
https://www.wecc.biz/Reliability/TableMajorRAS4-28-08.pdf.
4.3.Transmission Operatorsthat operate major transmission path facilities and RAS listed in
Tables titled "Major WECC Transfer Paths in the Bulk Electric System"provided at
https://www.wecc.biz/Reliabilitv/TableMajorPaths4-28-08.pdf and "Major WECC Remedial
Action Schemes (RAS)"provided at
https://www.wecc.biz/Reliability/TableMajorRAS4-28-08.pdf.
5.Effective Date:On the first day of the second quarter following applicable regulatory approval.
B.Requirements
The requirementsbelow only apply to the major transmission paths facilities and RAS listed in the
tables titled "Major WECC Transfer Paths in the Bulk Electric System"and "Major WECC
Remedial Action Schemes (RAS)."
R.1.System Operatorsand System Protection personnel of the Transmission Owners and
GeneratorOwners shall analyze all Protection System and RAS operations.[Violation Risk
Factor:Lower][Time Horizon:Operations Assessment]
R1.1.System Operators shall review all tripping of transmission elements and RAS
operations to identify apparentMisoperations within 24 hours.
R1.2.System Protection personnel shall analyze all operations of Protection Systems and
RAS within 20 business days for correctness to characterizewhether a Misoperation
has occurred that may not havebeen identified by System Operators.
R.2.TransmissionOwnersand GeneratorOwners shall perform the following actions for each
Misoperation of the Protection System or RAS.It is not intended that Requirements R2.1
through R2.4 apply to Protection System and/or RAS actions that appear to be entirely
reasonableand correct at the time of occurrence and associated system performance is fully
compliant with NERC Reliability Standards.If the Transmission Owner or Generator Owner
later finds the Protection System or RAS operation to be incorrect through System Protection
personnelanalysis,the requirementsof R2.1 through R2.4 become applicable at the time the
Adopted by Board of Trustees:October 29,2008 1
Revised hyperlinks 11-7-2014
PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1
WECC Standard PRC-004-WECC-1 -Protection System and Remedial Action Scheme Misoperation
Transmission Owner or GeneratorOwner identifies the Misoperation:
R2.1.If the Protection System or RAS has a Security-Based Misoperation and two or more
Functionally Equivalent Protection Systems (FEPS)or Functionally Equivalent RAS
(FERAS)remain in service to ensure Bulk Electric System (BES)reliability,the
Transmission Owners or GeneratorOwners shall remove from service the Protection
System or RAS that misoperated within 22 hours following identification of the
Misoperation.Repair or replacementof the failed Protection System or RAS is at the
Transmission Owners'and Generator Owners'discretion.[Violation Risk Factor:
High][Time Horizon:Same-dayOperations]
R2.2.If the Protection System or RAS has a Security-BasedMisoperation and only one
FEPS or FERAS remains in service to ensure BES reliability,the Transmission
Owner or Generator Owner shall perform the following.[Violation Risk Factor:
High][Time Horizon:Same-dayOperations]
R2.2.1.Following identification of the Protection System or RAS Misoperation,
TransmissionOwnersand GeneratorOwnersshall remove from service
within 22 hours for repair or modification the Protection System or RAS
that misoperated.
R2.2.2.The Transmission Owner or Generator Owner shall repair or replace any
Protection System or RAS that misoperatedwith a FEPS or FERAS within
20 business days of the date of removal.The Transmission Owner or
GeneratorOwner shall remove the Element from service or disable the
RAS if repair or replacement is not completed within 20 business days.
R2.3.If the Protection System or RAS has a Security-Based or Dependability-Based
Misoperation and a FEPS and FERAS is not in service to ensure BES reliability,
Transmission Owners or GeneratorOwners shall repair and place back in service
within 22 hours the Protection System or RAS that misoperated.If this cannot be
done,then Transmission Owners and Generator Owners shall perform the following.
[Violation Risk Factor:High][Time Horizon:Same-day Operations]
R2.3.1.When a FEPS is not available,the Transmission Owners shall remove the
associated Element from service.
R2.3.2.When FERAS is not available,then
2.3.2.1.The Generator Owners shall adjust generation to a reliable
operating level,or
2.3.2.2.Transmission Operators shall adjust the SOL and operatethe
facilities within establishedlimits.
R2.4.If the Protection System or RAS has a Dependability-Based Misoperation but has
one or more FEPS or FERAS that operatedcorrectly,the associated Element or
transmission path may remain in service without removing from service the
Protection System or RAS that failed,provided one of the following is performed.
R2.4.1.Transmission Owners or GeneratorOwners shall repair or replace any
Protection System or RAS that misoperatedwith FEPS and FERAS within
20 business days of the date of the Misoperation identification,or
R2.4.2.Transmission Owners or GeneratorOwners shall remove from service the
associated Element or RAS.[Violation Risk Factor:Lower][Time
Horizon:Operations Assessment]
Revised hyperlinks 11-7-2014
PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1
R.3.Transmission Owners and Generation Owners shall submit Misoperation incident reports to
Adopted by Board of Trustees:October 29,2008 2
Revised hyperlinks 11-7-2014
PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1
WECC Standard PRC-004-WECC-1 -Protection System and Remedial Action Scheme Misoperation
WECC within 10 business days for the following.[Violation Risk Factor:Lower][Time
Horizon:Operations Assessment]
R3.1.Identification of a Misoperation of a Protection System and/or RAS,
R3.2.Completion of repairs or the replacementof Protection System and/or RAS that
misoperated.
C.Measures
Each measure below applies directly to the requirementby number.
M1.Transmission Owners and Generation Owners shall have evidence that they reported and
analyzedall Protection System and RAS operations.
M1.1 Transmission Owners and Generation Owners shall have evidence that System
Operating personnel reviewed all operations of Protection System and RAS
within 24 hours.
M1.2 Transmission Owners and Generation Owners shall have evidence that System
Protection personnel analyzed all operations of Protection System and RAS for
correctness within 20 business days.
M2.Transmission Owners and GenerationOwners shall have evidence for the following.
M2.1 Transmission Owners and Generation Owners shall have evidence that they
removed the Protection System or RAS that misoperatedfrom service within 22
hours following identification of the Protection System or RAS Misoperation.
M2.2 Transmission Owners and Generation Owners shall have evidence that they
removed from service and repaired the Protection System or RAS that
misoperatedper measurements M2.2.1 through M2.2.2.
M2.2.1 Transmission Owners and Generation Owners shall have evidencethat
they removed the Protection System or RAS that misoperatedfrom
servicewithin 22 hours following identification of the Protection System
or RAS Misoperation.
M2.2.2 Transmission Owners and Generation Owners shall have evidencethat
they repaired or replaced the Protection System or RAS that misoperated
within 20 business days or either removed the Element from service or
disabled the RAS.
M2.3 The Transmission Owners and GenerationOwners shall have evidencethat they
repaired the Protection System or RAS that misoperated within 22 hours
following identification of the Protection System or RAS Misoperation.
M2.3.1 The Transmission Owner shall have evidencethat it removed the
associated Elementfrom service.
M2.3.2 The GeneratorOwners and Transmission Operatorsshall have
documentation describing all actions taken that adjusted generation or
SOLs and operatedfacilities within establishedlimits.
M2.4 Transmission Owners and Generation Owners shall have evidence that they
repaired or replacedthe Protection System or RAS that misoperatedincluding
documentation that describes the actions taken.
M2.4.1 Transmission Owners and Generation Owners shall have evidencethat
they repaired or replaced the Protection System or RAS that misoperated
Revised hyperlinks 11-7-2014
PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1
within 20 business days of the misoperation identification.
Adopted by Board of Trustees:October 29,2008 3
Revised hyperlinks 11-7-2014
PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1
WECC Standard PRC-004-WECC-1 -Protection System and Remedial Action Scheme Misoperation
M2.4.2 Transmission Owners and Generation Owners shall have evidence that
they removed the associated Elementor RAS from service.
M3.Transmission Owners and Generation Owners shall have evidence that they reported the
following within 10 business days.
M3.1 Identification of all Protection System and RAS Misoperations and corrective
actions taken or planned.
M3.2 Completion of repair or replacementof Protection System and/orRAS that
misoperated.
D.Compliance
1.Compliance Monitoring Process
1.1 Compliance MonitoringResponsibility
Compliance Enforcement Authority
1.2 Compliance MonitoringPeriod
Compliance Enforcement Authority may use one or more of the following methods to
assess compliance:
-Misoperation Reports
-Reports submitted quarterly
-Spot check audits conducted anytime with 30 days notice given to prepare
-Periodic audit as scheduled by the Compliance Enforcement Authority
-Investigations
-Other methods as provided for in the Compliance MonitoringEnforcement Program
1.2.1 The Performance-resetPeriod is one calendar month.
1.3 Data Retention
Reliability Coordinators,Transmission Owners,and Generation Owners shall keep
evidence for Measures M1 and M2 for five calendaryears plus year to date.
1.4.Additional Compliance Information
None.
2.Violation Severity Levels
R1
Lower Moderate High Severe
Revised hyperlinks 11-7-2014
PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1
Adopted by Board of Trustees:October 29,2008 4
Revised hyperlinks 11-7-2014
PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1
WECC Standard PRC-004-WECC-1 -Protection System and Remedial Action Scheme Misoperation
System Operating personnel System Operating personnel of System Protection personnel System Protection
of the Transmission Owner the Transmission Owner or of the Transmission Owner personnel of the
or Generator Owner did not Generator Owner did not and Generator Owner did Transmission Owner or
reviewthe Protection reviewthe Protection System not analyze the Protection Generator Owner did not
System Operation or RAS operation or RAS operation System operation or RAS analyze the Protection
operation within 24 hours within six business days.operation within 20 business System operation or RAS
but did reviewthe days but did analyze the operation within 25
Protection System Protection System operation business days.
Operation or RAS operation or RAS operation within 25
within six business days.business days.
R2.1 and R2.2.1
Lower Moderate High Severe
The Transmission Owner The Transmission Owner and The Transmission Owner The Transmission Owner
and Generator Owner did Generator Owner did not and Generator Owner did and Generator Owner did
not remove from service,remove from service,repair,not performthe removal not performthe removal
repair,or implement other or implement other from service,repair,or from service,repair,or
compliance measures for the compliance measures for the implement other compliance implement other
Protection System or RAS Protection System or RAS that measures for the Protection compliance measures for
that misoperated as required misoperated as required in less System or RAS that the Protection System or
within 22 hours but did than 24 hours but did perform misoperated as required in RAS that misoperated as
performthe requirements the requirements within 28 less than 28 hours but did required within 32 hours.
within 24 hours.hours.performthe requirements
within 32 hours.
R2.3
Lower Moderate High Severe
The Transmission Operator The Transmission Operator The Transmission Operator The Transmission
and Generator Owner did and Generator Owner did not and Generator Owner did Operator and Generator
not adjust generation to a adjust generation to a reliable not adjust generation to a Owner did not adjust
reliable operating level,operating level,adjust the reliable operating level,generation to a reliable
adjust the SOL and operate SOL and operate the facilities adjust the SOL and operate operating level,adjust the
the facilities within within established limits or the facilities within SOL and operate the
established limits or implement other compliance established limits or facilities within
implement other compliance measures for the Protection implement other compliance established limits or
measures for the Protection System or RAS that measures for the Protection implement other
System or RAS that misoperated as required in less System or RAS that compliance measures for
misoperated as required than 24 hours but did perform misoperated as required in the Protection System or
within 22 hours but did the requirements within 28 less than 28 hours but did RAS that misoperated as
performthe requirements hours.performthe requirements required within 32 hours.
within 24 hours.within 32 hours.
R2.2.2 and R2.4
Lower Moderate High Severe
Revised hyperlinks 11-7-2014
PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1
Adopted by Board of Trustees:October 29,2008 5
Revised hyperlinks 11-7-2014
PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1
WECC Standard PRC-004-WECC-1 -Protection System and Remedial Action Scheme Misoperation
The Transmission Owner The Transmission Owner and The Transmission Owner The Transmission Owner
and Generator Owner did Generator Owner did not and Generator Owner did and Generator Owner did
not performthe required performthe required repairs,not performthe required not performthe required
repairs,replacement,or replacement,or system repairs,replacement,or repairs,replacement,or
system operation operation adjustment to system operation adjustment system operation
adjustments to comply with comply with the requirements to comply with the adjustments to comply
the requirements within 20 within 25 business days but requirements within 28 with the requirements
business days but did did performthe required business days but did within 30 business days.
performthe required activities within 28 business performthe required
activities within 25 business days.activities within 30 business
days.days.
R3.1
Lower Moderate High Severe
The Transmission Owner The Transmission Owner and The Transmission Owner The Transmission Owner
and Generator Owner did Generator Owner did not and Generator Owner did and Generator Owner did
not report the Misoperation report the Misoperation and not report the Misoperation not report the
and corrective actions taken corrective actions taken or and corrective actions taken Misoperation and
or planned to comply with planned to comply with the or planned to comply with corrective actions taken or
the requirements within 10 requirements within 15 the requirements within 20 planned to comply with
business days but did business days but did perform business days but did the requirements within
performthe required the required activities within performthe required 25 business days.
activities within 15 business 20 business days.activities within 25 business
days.days.
R3.2
Lower Moderate High Severe
The Transmission Owner The Transmission Owner and The Transmission Owner The Transmission Owner
and Generator Owner did Generator Owner did not and Generator Owner did and Generator Owner did
not report the completion of report the completion of repair not report the completion of not report the completion
repair or replacement of or replacement of Protection repair or replacement of of repair or replacement
Protection System and/or System and/or RAS that Protection System and/or of Protection System
RAS that misoperated to misoperated to comply with RAS that misoperated to and/or RAS that
comply with the the requirements within 15 comply with the misoperated to comply
requirements within 10 business days of the requirements within 20 with the requirements
business days of the completion but did perform business days of the within 25 business days of
completion but did perform the required activities within completion but did perform the completion.
the required activities within 20 business days.the required activities within
15 business days.25 business days.
Version History -Shows ApprovalHistory and Summary of Changes in the Action Field
Version Date Action Change Tracking
1 April 16,2008 PermanentReplacement Standardfor
PRC-STD-001-1 and PRC-STD-003-1
Revised hyperlinks 11-7-2014
PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1
Adopted by Board of Trustees:October 29,2008 6
Revised hyperlinks 11-7-2014
PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1
WECC Standard PRC-004-WECC-1-Protection System and RemedialAction Scheme Misoperation
1 April 21,2011 FERC Order issued approving PRC-
004-WECC-1 (approval effective June
27,2011)
Revised hyperlinks 11-7-2014
PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1
Adopted by Board of Trustees:October 29,2008 7
Revised hyperlinks 11-7-2014
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013
WE CC
Document name Remedial Action Scheme Review and Assessment Plan
PRC-(012 through 014)-WECC-CRT-2
Regional Criterion
Category ()Regional Reliability Standard
(X )Regional Criterion
()Regional Business Practice
()Policy
()Guideline
()Report or other
()Charter
Document date September 17,2013
Adoptedlapproved by WECC Board of Directors
Date adoptedlapproved September 17,2013
Custodian (entity responsible for Standards
maintenance and upkeep)
Stored/filed Approved Regional Criteria
Previous namelnumber (if any)This document supersedes WECC-0055,PRC-012 through
014 WECC-CRT-1.The name has not been changed.
Status (X)in effect January 1,2014
Version Control
Version Date Action Change Highlights
1 6/22/2011 WECC Board approved Version 1 to meet
NERC FITB
requirements.
2 9/17/2013 WECC Board approved Version 2 to meet
Blackout
recommendations.
Adds more reporting
requirements.
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013
Remedial Action Scheme Review and Assessment Plan
PRC-(012 through 014)-WECC-CRT-2
WECC
A.Introduction
1.Title:Remedial Action Scheme Review and Assessment Plan
WECC Criterion
2.Number:PRC-012 through 14-WECC-CRT-2
3.Purpose:To:1)establish a documented Remedial Action Scheme (RAS)
review procedure to ensure compliance per PRC-012-0,2)
establish a RAS database per PRC-013-0,and 3)meet the
Regional ReliabilityOrganization /Reliability Assurer
requirements of PRC-014-0.
This regional criterion was developedpursuant to North American
Electric ReliabilityCorporation (NERC)ReliabilityStandards PRC-
012-0 (Special Protection System Review Procedure),PRC-013-0
(Special Protection System Database)and PRC-014-0 (Special
Protection System Assessment).Violation of this criterion may
result in a violation of the any of the above mentioned NERC
ReliabilityStandards.Violation of NERC ReliabilityStandards may
result in financial penaltiesimposed by NERC.
4.Applicability:
For purposes of this document,the ApplicableEntity designated in the
Reporting Party field of Attachment A to this document is the ApplicableEntity
for purposes of each Requirementwherein the "Reporting Party"is used as the
ApplicableEntity.The ApplicableEntity used in the Reporting Party field must
be selected from 4.1.through 4.3.below.
4.1 Transmission Owner
4.2 Generator Owner
4.3 Distribution Provider
4.4 Reliability Assurer (WECC)
Developedas WECC-0096 Page 2
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013
Remedial Action Scheme Review and Assessment Plan
PRC-(012 through 014)-WECC-CRT-2
5.Effective Date:January 1,2014
B.Requirements and Measures:
WR1.The Reliability Assurer (WECC)shall create and maintain a WECC Remedial
Action Scheme Database containing,at a minimum,the information described
on the WECC Remedial Action Scheme Information Sheet (AttachmentA).
WM1.The Reliability Assurer (WECC)shall produce the WECC Remedial
Action Scheme Database containing the information provided on the
WECC Remedial Action Scheme Information Sheet (AttachmentA)as
required in WR1.
WR2.Each Reporting Party shall completeand forward the data described in the
WECC Remedial Action Scheme Information Sheet (AttachmentA)to the
ReliabilityAssurer (WECC)no later than 90 days after the Effective Date of this
document.(PRC-012-0,R1.1;See also PRC-012-0,R1.2)
WM2.Each Reporting Party shall produce evidence that a completedWECC
Remedial Action Scheme Information Sheet (AttachmentA)required in
WR2:1)was submitted to the ReliabilityAssurer (WECC),2)by the
designatedReporting Party listed in the Reporting Party field of
Attachment A,and 3)was provided to the Reliability Assurer (WECC)no
later than 90 days after the Effective Date of this document.
Evidence may include but is not limited to a dated copy of database
information described in Attachment A including dated correspondence of
transmittal of the database information from the Reporting Party to the
ReliabilityAssurer (WECC).
WR3.The ReliabilityAssurer (WECC)shall designatethe Remedial Action Scheme
Reliability Subcommittee (RASRS),or its successor,as the entity responsible
for the WECC review procedure for proposed and existing RASs within the
Western Interconnection to meet the NERC performance requirements of TPL-
001 --TPL-003,or its successor and Regional criteria.(PRC-012-0,R.1.8)
WM3.The Reliability Assurer (WECC)shall produce evidence that it designated
the RASRS,or its successor,as the entity responsible for the review
procedure for proposed and existing RASs within the Western
Interconnection as required in WR3.
Evidence may include but is not limited to annotations in the minutes of
the Operating Committee or the RASRS,or correspondence between
Developedas WECC-0096 Page 3
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013
Remedial Action Scheme Review and Assessment Plan
PRC-(012 through 014)-WECC-CRT-2
WECC staff and either the chair of the Operating Committee or the
RASRS so indicating that designation.
WR4.Each Reporting Party shall use the process as established by the RASRS to
submit a RAS for review.
WM4.Each Reporting Party shall provide evidence that it used the process as
established by the RASRS to submit a RAS for review,in accordance
with WR4 above.
Evidence may include,but is not limited to,annotations in the minutes of
the Operating Committee or the RASRS,or correspondence between
WECC staff and either the chair of the Operating Committee or the
RASRS so indicating adherence to the process.
WR5.The ReliabilityAssurer (WECC)shall instruct the RASRS or its successor to
ensure that each RAS reviewed meets,at a minimum,the following:(PRC-012-
0,R1.8)
1)The LAPS and WAPS are designed so that a single componentfailure,when
the LAPS or the WAPS is intended to operate,does not preventany portion
of the interconnected transmission system within WECC from meeting the
performance requirements defined in NERC Reliability Standards TPL-001-
0,TPL-002-0,and TPL-003-0,or its successor.(PRC-012-0,R1.3.)
2)Inadvertent operation of the RAS meets the same performance requirement
(TPL-001-0,TPL-002-0,and TPL-003-0,or their successors)as that required
of the contingency for which it was designed,and does not exceed TPL-003-
0,or its successor.(PRC-012-0,R1.4)
3)The proposed RAS will coordinate with other protection and control systems
and applicable WECC emergency procedures.(PRC-012-0,R1.5)
WM5.The Reliability Assurer (WECC)shall produce evidence that it instructed
the RASRS (or its successor),to ensure that each RAS reviewed met,at
a minimum,each of the elements listed in WR5 above.
Evidence may include,but is not limited to,annotations in the minutes of
the Operating Committee or the RASRS,or correspondence between
WECC staff and either the chair of the Operating Committee or the
RASRS so indicating that designation.
Developedas WECC-0096 Page 4
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013
Remedial Action Scheme Review and Assessment Plan
PRC-(012 through 014)-WECC-CRT-2
WR6.The ReliabilityAssurer (WECC)shall designatethe Operating Committee (OC),
or its successor,as the entity responsible to approve the WECC review
procedure for proposed and existingRASs within the Western Interconnection,
based upon receipt of a positive recommendation of the RASRS.(PRC-012-0,
R.1.8)
WM6.The ReliabilityAssurer (WECC)shall produce evidence that it designated
the Operating Committee (OC),or its successor,as the entity responsible
to approve the review procedure for proposed and existing RASs within
the Western Interconnection,per WR6 above.
Evidence may include,but is not limited to,annotations in the minutes of
the Operating Committee or the RASRS,or correspondence between
WECC staff and either the chair of the Operating Committee or the
RASRS so indicating that designation.
WR7.The Reliability Assurer (WECC)shall instruct the RASRS,or its successor,to
review a RAS at the level of a WAPS,when requested to do so by the
Operating Committee.
WM7.The Reliability Assurer (WECC)shall produce evidence that it instructed
the RASRS,or its successor,to review a RAS at the level of a WAPS,
when requested to do so by the Operating Committee,per WR7 above.
Evidence must include production of the request and correspondence
between the ReliabilityAssurer (WECC)and the chair of the RASRS,or
its successor,indicating the content of the instruction.
WR8.Each Reporting Party shall review the WECC Remedial Action Scheme
Database for accuracy and report any changes (or lack thereof),modifications,
retirements or expansionsof its RAS to the ReliabilityAssurer,no later than
December 31 of each calendar year.(PRC-012-0,R1.2)
WMS.Each Reporting Party shall produce evidence that it:1)reviewed the
WECC Remedial Action Scheme Database in accordance with WR8,and
2)reported evidence of that review to the Reliability Assurer (WECC)
through the Reporting Party listed in the Reporting Party field of the
WECC Remedial Action Scheme Information Sheet (AttachmentA)no
later than December 31 of each calendar year.
Developedas WECC-0096 Page 5
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013
Remedial Action Scheme Review and Assessment Plan
PRC-(012 through 014)-WECC-CRT-2
Evidence may include,but is not limited to,reports describing the review
and the dates it took place,and correspondence between the Reporting
Party and the Reliability Assurer (WECC)reflecting the required content.
WR9.Each Reporting Party shall submit any additions,changes,modifications,
retirements,or expansionsof its RAS,to the RASRS or its successor,prior to
placing the RAS or its changes into service.
WM9.Each Reporting Party shall produce evidence that it submitted to the
RASRS all proposed RAS changes per WR9,prior to placing the RAS or
changes to an existing RAS into service.
Evidence may include but is not limited to:1)dated correspondence
between the Reporting Party and either the chair of the Operating
Committee or the chair of the RASRS describing the RAS in question and
its proposed date of service,or 2)production of studies run to establish
and update seasonal System Operating Limits impacting the RAS.
WR10.Each Transmission Owner,each Generation Owner,and each Distribution
Provider shall assess its RAS(s)for operation,coordination and effectiveness,
at least once each five years.
WM10.This Requirementis to ensure assessment takes place on a periodic
basis;reportinq of that assessment is addressed in WR11 and WM11.
Each Transmission Owner,each Generation Owner,and each
Distribution Provider shall produce evidence that it assessed its RAS(s)
per WR10,at least once each five years.
Evidence that the assessment was conducted includes,at a minimum,
production of a completedAttachment B of this document showing the
results of the WR10 assessment.
Evidence may also include but is not limited to:1)dated correspondence
between the Reporting Party and either the chair of the Operating
Committee or the chair of the RASRS describing the RAS in question and
its proposed date of service,or 2)production of studies run to establish
and update seasonal System Operating Limits impacting the RAS.
Developedas WECC-0096 Page 6
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013
Remedial Action Scheme Review and Assessment Plan
PRC-(012 through 014)-WECC-CRT-2
As to the completiondate,for example,if the most recent WR10
assessment took place in June 2007,the next required assessment will
be no later than June 2012.
WR11.Each Reporting Party shall report the RAS assessment,required in WR10
above,by sending a completedAttachment B of this criterion to the Reliability
Assurer (WECC)no later than December 31 of the calendar year in which the
assessment was completed.
WM11.This Requirementis to ensure reportinq takes place on a periodic basis;
assessment of the RAS(s)is addressed in WR10 and WM10.
Each Reporting Party shall produce evidence that it reported the results
of its RAS(s)assessment required under WR10 of this document,by
forwarding a completedversion of Attachment B of this document,to the
ReliabilityAssurer (WECC),no later than December 31 of the calendar
year in which the assessment was completed.
As to the completiondate,for example,if the most recent WR10
assessment took place in June 2007,the next required assessment will
be no later than June 2012,with reporting to WECC no later than
December 31,2012.
WR12.Each Reporting Party shall retain documentation to supportAttachment B data
for the most recent assessment study reported and provide that data to WECC
within 30 days upon request.
WM12.This Requirernentis to ensure data retention to supportthe assessment
summary reported under WR11 and Attachrnent B.
Each Reporting Party shall produce evidence that it retained the
documentation required in WR12,for the time period specified,and
where applicable,that it provided the specified data to WECC within the
prescribed period.
Evidence may include but is not limited to a dated copy of assessment
information supporting Attachment B including dated correspondence of
transmittal of the supporting information from the Reporting Party to the
ReliabilityAssurer (WECC).
Developedas WECC-0096 Page 7
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013
Remedial Action Scheme Review and Assessment Plan
PRC-(012 through 014)-WECC-CRT-2
Attachment A
WECC Remedial Action Scheme Information Sheet
This WECC Remedial Action Scheme Information Sheet is to be completedin accordance
with this document by the Reporting Party identified in accordance with the assignment
prioritization described in the Report Party Explanationfield of this Attachment.
Explanationsfor Attachment A are contained in the followingtable.
The reporting templateand instructions for filing of this Attachment can be obtained from the
WECC web site.
The contents of Attachment A constitute the minimum data included in the WECC RAS
Database.This document shall not be interpreted as prohibiting the expansionof the WECC
RAS Database to include information beyond that contained in Attachment A.
Remedial Action Scheme Information Sheet Explanations
Data Item Explanation
Reporting Party The Transmission Owner is the Reporting Party.
Where there is not a Transmission Owner that owns a portion of the
RAS,the Generator Owner becomes the Reporting Party.
Where there is not a Transmission Owner or a Generator Owner that
owns a portion of the RAS,the Distribution Provider becomes the
Reporting Party.
When applying the above prioritization,if multipleentities (e.g.multiple
Transmission Owners in the first described tier)own a portion of the
RAS,those multipleentities may designatea single entity from that
group to serve as the Reporting Party.If a single Reporting Party is
not designated,all of the entities of the specified prioritization tier
become responsible as the Reporting Party.
I =
RAS Name Provide the name by which the Reporting Party references the
scheme.
Developedas WECC-0096 Page 8
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013
Remedial Action Scheme Review and Assessment Plan
PRC-(012 through 014)-WECC-CRT-2
Classification WAPS (Wide Area Protection Scheme),LAPS (Local Area Protection
Scheme),or Safety Net (SN)as initially classified by the Transmission
Owner(s),Generator Owner(s)and Distribution Provider(s)that owns
all or part of an existing or proposed RAS as reported by the Reporting
Party.(Thatinitial classification is subjectto review by the RASRS.)
Major WECC RAS If this scheme is in WECC Reliability Standard PRC-STD-003,Table
3,Major WECC RAS List,enter the number from the list.If the
scheme is not on the Major WECC RAS List,enter NA.
Operating If the Transmission Owner(s),Generator Owner(s)and Distribution
Procedure Provider(s)that owns all or part of an existingor proposed RAS as
reported by the Reporting Party has a written operating procedure for
this scheme,provide the identifying procedure number or title.If no
operating procedure is available,enter NONE or NA.
Design Objectives Data required to describe Design Objectives-contingencies and
system conditions for which the scheme was designed.
Operation Data required describing Operation -The actions taken by the
scheme in response to Disturbance conditions.
Modeling Data required for adequateModeling -Information on detection logic
or relay settingsthat control operation of the scheme.
Original In Service Enter the year that the scheme originally went into service,not
Year including any subsequentupgrades or other modifications.If specific
records are not available,a best estimate such as "early 1980's"is
acceptable.
Recent Assessment Identify the group (typically the Transmission Owner(s),Generator
Group Owner(s)and Distribution Provider(s)that owns all or part of an
existingor proposed RAS as reported by the Reporting Party that
performed the most recent assessment of scheme operation,
coordination and effectiveness.
Recent Assessment Enter the date of the most recent assessment performed (mmlyyyy)
Date that evaluated scheme operation,coordination and effectiveness.
Developedas WECC-0096 Page 9
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013
Remedial Action Scheme Review and Assessment Plan
PRC-(012 through 014)-WECC-CRT-2
Attachment B
WECC RAS Initial or Periodic Assessment Summary
Information on Attachment B will be used by the RASRS to ensure proper analysis,operation,
coordination and effectiveness of the RAS.
Althoughthe content of Attachment A and Attachment B are both provided to WECC,it is only
the content of Attachment A that constitutes the minimum data to be contained in the WECC
RAS Database.This criterion shall not be interpreted as prohibiting the expansionof the
WECC RAS Database to include information beyond that contained in Attachment A.
RAS Name
Reporting Party
(The Reporting Party for this entry will alwaysbe
the same as the Reporting Party entry listed in the
Reporting Party field of Attachment A.)
Group Conducting this RAS Assessment
Assessment Date
Review the scheme purpose and impact to ensure
proper classification,is it (still)necessary,does it
serve the intended purposes,and does it continue
to meet current performance requirements.
This RAS assessment included the following:
Study Years
System Conditions
Contingencies analyzed
(select what applies)
N-1
N-1-1
N-2
Extreme
Date when the technical studies were completed
Does this RAS comply with NERC standards and
WECC Criteria?
Discuss any coordination problemsfound between
Developedas WECC-0096 Page 10
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013
Remedial Action Scheme Review and Assessment Plan
PRC-(012 through 014)-WECC-CRT-2
this RAS and other protection and control systems
during this (most recent)assessment.
Provide a Corrective Action Plan if this RAS was
found to be non-compliantor had coordination
problemsduring this (most recent)assessment
(should be NA for owner's initial assessment).
Developedas WECC-0096 Page 11
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix F-PRC-015-0
Standard PRC-015-0 -Special Protection System Data and Documentation
A.Introduction
1.Title:Special Protection System Data and Documentation
2.Number:PRC-015-0
3.Purpose:To ensure that all Special Protection Systems (SPS)are properly designed,meet
performance requirements,and are coordinated with other protection systems.To ensure that
maintenanceand testing programs are developed and misoperations are analyzed and corrected.
4.Applicability:
4.1.Transmission Owner that owns an SPS
4.2.Generator Owner that owns an SPS
4.3.Distribution Provider that owns an SPS
5.Effective Date:April 1,2005
B.Requirements
R1.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall
maintain a list of and provide data for existing and proposed SPSs as specified in Reliability
StandardPRC-013-0 Rl.
R2.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall
have evidence it reviewed new or functionallymodified SPSs in accordance with the Regional
Reliability Organization's proceduresas defined in Reliability StandardPRC-012-0_Rl prior
to being placed in service.
R3.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall
provide documentation of SPS data and the results of Studies that show compliance of new or
functionallymodified SPSs with NERC Reliability Standards and Regional Reliability
Organization criteria to affected Regional Reliability Organizations and NERC on request
(within 30 calendar days).
C.Measures
M1.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall
have evidence it maintains a list of and provides data for existing and proposed SPSs as defined
in Reliabili StandardPRC-013-0 Rl.
M2.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall
have evidence it reviewed new or functionallymodified SPSs in accordance with the Regional
Reliability Organization's proceduresas defined in Reliability StandardPRC-012-0_Rl prior
to being placed in service.
M3.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall
have evidence it provided documentation of SPS data and the results of studies that show
compliance of new or functionallymodified SPSs with NERC standards and Regional
Reliability Organization criteria to affected Regional Reliability Organizations and NERC on
request(within 30 calendardays).
D.Compliance
1.Compliance MonitoringProcess
1.1.Compliance MonitoringResponsibility
Adopted by NERC Board of Trustees:February8,2005 1 of 2
Effective Date:April 1,2005
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix F-PRC-015-0
Standard PRC-015-0 -Special Protection System Data and Documentation
Compliance Monitor:Regional Reliability Organization.
1.2.Compliance MonitoringPeriod and Reset Timeframe
On request (within 30 calendar days).
1.3.Data Retention
None specified.
1.4.Additional Compliance Information
None.
2.Levels of Non-Compliance
2.1.Level 1:SPS owners provided SPS data,but was incomplete according to the
Regional Reliability Organization SPS database requirements.
2.2.Level 2:SPS owners provided results of studies that show compliance of new or
functionallymodified SPSs with the NERC Planning Standards and Regional Reliability
Organization criteria,but were incomplete according to the Regional Reliability
Or anization roceduresfor Reliabili StandardPRC-012-0 Rl.8 P ty
2.3.Level 3:Not applicable.
2.4.Level 4:No SPS data was provided in accordancewith Regional Reliability
Organization SPS database requirements for Standard PRC-012-0_R1,or the results of
studies that show compliance of new or functionallymodified SPSs with the NERC
Reliability Standards and Regional Reliability Organization criteria were not provided in
accordance with Regional Reliability Organization proceduresfor Reliability Standard
PRC-012-0 Rl.
E.Regional Differences
1.None identified.
Version History
Version Date Action Change Tracking
0 April 1,2005 Effective Date New
Adopted by NERC Board of Trustees:February8,2005 2 of 2
Effective Date:April 1,2005
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix F-PRC-015-0
*FOR INFORMATIONAL PURPOSES ONLY *
Enforcement Dates:Standard PRC-015-0 -Special Protection System Data and Documentation
United States
Standard Requirement Enforcement Date inactive Date
PRC-015-0 All 06/18/2007
Printed On:December 15,2014,02:48 PM
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix G-PRC-017-0
Standard PRC-017-0 -Special Protection System Maintenance and Testing
A.Introduction
1.Title:Special Protection System Maintenance and Testing
2.Number:PRC-017-0
3.Purpose:To ensure that all Special Protection Systems (SPS)are properly designed,meet
performance requirements,and are coordinated with other protection systems.To ensure that
maintenanceand testing programs are developed and misoperations are analyzed and corrected.
4.Applicability:
4.1.Transmission Owner that owns an SPS
4.2.Generator Owner that owns an SPS
4.3.Distribution Provider that owns an SPS
5.Effective Date:April 1,2005
B.Requirements
R1.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall
have a system maintenance and testing program(s)in place.The program(s)shall include:
R1.1.SPS identification shall include but is not limited to:
R1.1.1.Relays.
R1.1.2.Instrument transformers.
R1.1.3.Communications systems,where appropriate.
R1.1.4.Batteries.
R1.2.Documentation of maintenanceand testing intervals and their basis.
R1.3.Summary of testing procedure.
R1.4.Schedule for system testing.
R1.5.Schedule for system maintenance.
R1.6.Date last tested/maintained.
R2.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall
provide documentation of the program and its implementation to the appropriate Regional
Reliability Organizations and NERC on request(within 30 calendar days).
C.Measures
M1.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall
have a system maintenance and testing program(s)in place that includes all items in Reliability
StandardPRC-017-0 Rl.
M2.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall
have evidence it provided documentation of the program and its implementation to the
appropriate Regional Reliability Organizations and NERC on request (within 30 calendar
days).
Adopted by NERC Board of Trustees:February8,2005 1 of 2
Effective Date:April 1,2005
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix G-PRC-017-0
Standard PRC-017-0 -Special Protection System Maintenance and Testing
D.Compliance
1.Compliance MonitoringProcess
1.1.Compliance MonitoringResponsibility
Compliance Monitor:Regional Reliability Organization.Each Region shall report
compliance and violations to NERC via the NERC Compliance Reporting process.
Timeframe:
On request (30 calendar days.)
1.2.Compliance MonitoringPeriod and Reset Timeframe
Compliance Monitor:Regional Reliability Organization.
1.3.Data Retention
None specified.
1.4.Additional Compliance Information
None.
2.Levels of Non-Compliance
2.1.Level 1:Documentation of the maintenance and testing program was incomplete,but
records indicate implementation was on schedule.
2.2.Level 2:Complete documentation of the maintenance and testing program was
provided,but records indicate that implementation was not on schedule.
2.3.Level 3:Documentation of the maintenance and testing program was incomplete,and
records indicate implementation was not on schedule.
2.4.Level 4:Documentation of the maintenance and testing program,or its
implementation,was not provided.
E.Regional Differences
1.None identified.
Version History
Version Date Action Change Tracking
0 April 1,2005 Effective Date New
Adopted by NERC Board of Trustees:February8,2005 2 of 2
Effective Date:April 1,2005
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix G-PRC-017-0
*FOR INFORMATIONAL PURPOSES ONLY *
Enforcement Dates:Standard PRC-017-0 -Special Protection System Maintenance and Testing
United States
Standard Requirement Enforcement Date inactive Date
PRC-017-0 All 06/18/2007 03/31/2027
Printed On:December 15,2014,02:50 PM
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
A.Introduction
1.Title:Protection System Maintenance
2.Number:PRC-005-2
3.Purpose:To document and implement programs for the maintenanceof all Protection
Systems affecting the reliability of the Bulk Electric System (BES)so that these Protection
Systems are kept in working order.
4.Applicability:
4.1.Functional Entities:
4.1.1 Transmission Owner
4.1.2 Generator Owner
4.1.3 Distribution Provider
4.2.Facilities:
4.2.1 Protection Systems that are installed for the purpose of detecting Faults on BES
Elements (lines,buses,transformers,etc.)
4.2.2 Protection Systems used for underfrequency load-shedding systems installed per
ERO underfrequency load-shedding requirements.
4.2.3 Protection Systems used for undervoltage load-shedding systems installed to
prevent system voltage collapse or voltage instability for BES reliability.
4.2.4 Protection Systems installed as a Special Protection System (SPS)for BES
reliability.
4.2.5 Protection Systems for generatorFacilities that are part of the BES,including:
4.2.5.1 Protection Systems that act to trip the generatoreither directly or via lockout
or auxiliary tripping relays.
4.2.5.2 Protection Systems for generatorstep-up transformers for generatorsthat are
part of the BES.
4.2.5.3 Protection Systems for transformers connecting aggregatedgeneration,
where the aggregatedgeneration is part of the BES (e.g.,transformers
connecting facilities such as wind-farms to the BES).
4.2.5.4 Protection Systems for station service or excitation transformers connectedto
the generatorbus of generatorswhich are part of the BES,that act to trip the
generatoreither directly or via lockout or tripping auxiliaryrelays.
5.Effective Date:See Implementation Plan
B.Requirements
R1.Each Transmission Owner,Generator Owner,and Distribution Provider shall establish a
Protection System Maintenance Program (PSMP)for its Protection Systems identified in
Section 4.2.[Violation Risk Factor:Medium][Time Horizon:Operations Planning]
1
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
The PSMP shall:
1.1.Identify which maintenancemethod (time-based,Component Type -Any one ofperformance-basedper PRC-005 Attachment A,or a
.the five specific elements of thecombination)is used to address each Protection .Protection System definition.System Component Type.All batteries associated
with the station de supply Component Type of a Protection System shall be included in a
time-basedprogram as described in Table 1-4 and Table 3.
1.2.Include the applicable monitored .Component -A componentis any individualComponentattributesappliedtoeachdiscretepieceofequipmentincludedinaProtectionSystemComponentType...Protection System,including but not limited toconsistentwiththemaintenanceintervals
..a protective relay or current sensingdevice.specified in Tables 1-1 through 1-5,The designation ofwhat constitutes a controlTable2,and Table 3 where monitoring is circuit component is very dependentupon howusedtoextendthemaintenanceintervals
-an entity performs and tracks the testing of thebeyondthosespecifiedforunmonitoredcontrolcircuitry.Some entities test theirProtectionSystemComponents.control circuits on a breaker basis whereas
R2.Each Transmission Owner,Generator Owner,others test their circuitry on a local zone of
and Distribution Provider that uses protection basis.Thus,entities are allowed
performance-basedmaintenanceintervals in its the latitude to designate their own definitions
PSMP shall follow the procedure establishedin ofcontrolcircuitcomponents.Another
PRC-005 Attachment A to establish and example ofwhere the entity has some
maintain its performance-basedintervals.discretion on determining what constitutes a
[Violation Risk Factor:Medium][Time single component is the voltage and current
Horizon:Operations Planning]sensingdevices,where the entity may choose
.either to designatea full three-phaseset ofR3.Each Transmission Owner,Generator Owner,
...such devices or a single device as a singleandDistributionProviderthatutilizestime-component.based maintenanceprogram(s)shall maintain
its Protection System Components that are included within the time-basedmaintenance
program in accordance with the minimum maintenance activities and maximum maintenance
intervals prescribed within Tables 1-1 through 1-5,Table 2,and Table 3.[Violation Risk
Factor:High][Time Horizon:Operations Planning]
R4.Each Transmission Owner,GeneratorOwner,and Distribution Provider that utilizes
performance-basedmaintenanceprogram(s)in accordancewith Requirement R2 shall
implement and follow its PSMP for its Protection
System Componentsthat are included within the UnresolvedMaintenance Issue -A
performance-basedprogram(s).[Violation Risk deficiency identified during a
Factor:High][Time Horizon:Operations maintenance activity that causes the
Planning]component to not meet the intended
R5.Each Transmission Owner,Generator Owner,and performance,cannot be corrected
Distribution Provider shall demonstrateefforts to during the maintenance interval,and
correct identified Unresolved Maintenance Issues.requiresfollow-upcorrective action.
[Violation Risk Factor:Medium][Time Horizon:
Operations Planning]
2
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
C.Measures
M1.Each Transmission Owner,Generator Owner and Distribution Provider shall have a
documentedProtection System Maintenance Program in accordance with Requirement Rl.
For each Protection System Component Type,the documentation shall include the type of
maintenancemethod applied (time-based,performance-based,or a combination of these
maintenancemethods),and shall include all batteries associated with the station de supply
Component Types in a time-basedprogram as describedin Table 1-4 and Table 3.(Part 1.1)
For Component Types that use monitoring to extend the maintenanceintervals,the responsible
entity(s)shall have evidence for each protection Component Type (such as manufacturer's
specifications or engineering drawings)of the appropriate monitored Component attributes as
specified in Tables 1-1 through 1-5,Table 2,and Table 3.(Part 1.2)
M2.Each Transmission Owner,GeneratorOwner,and Distribution Provider that uses performance-
based maintenanceintervals shall have evidencethat its current performance-based
maintenanceprogram(s)is in accordance with Requirement R2,which may include but is not
limited to Component lists,dated maintenancerecords,and dated analysis records and results.
M3.Each Transmission Owner,GeneratorOwner,and Distribution Provider that utilizes time-
based maintenanceprogram(s)shall have evidencethat it has maintained its Protection System
Components included within its time-basedprogram in accordance with Requirement R3.The
evidencemay include but is not limited to dated maintenancerecords,dated maintenance
summaries,dated check-off lists,dated inspection records,or dated work orders.
M4.Each Transmission Owner,GeneratorOwner,and Distribution Provider that utilizes
performance-basedmaintenanceintervals in accordance with Requirement R2 shall have
evidencethat it has implemented the Protection System Maintenance Program for the
Protection System Componentsincluded in its performance-basedprogram in accordance with
Requirement R4.The evidence may include but is not limited to dated maintenancerecords,
dated maintenance summaries,dated check-off lists,dated inspection records,or dated work
orders.
M5.Each Transmission Owner,GeneratorOwner,and Distribution Provider shall have evidence
that it has undertaken efforts to correct identified Unresolved Maintenance Issues in
accordance with Requirement R5.The evidencemay include but is not limited to work orders,
replacementComponent orders,invoices,project schedules with completed milestones,return
material authorizations (RMAs)or purchase orders.
D.Compliance
1.Compliance MonitoringProcess
1.1.Compliance Enforcement Authority
Regional Entity
1.2.Compliance Monitoringand Enforcement Processes:
Compliance Audit
Self-Certification
Spot Checking
Compliance Investigation
Self-Reporting
Complaint
3
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
1.3.Evidence Retention
The following evidence retention periods identify the period of time an entity is required
to retain specific evidence to demonstratecompliance.For instances where the evidence
retention period specified below is shorter than the time since the last audit,the
Compliance Enforcement Authority may ask an entity to provide other evidence to show
that it was compliant for the full time period since the last audit.
The Transmission Owner,Generator Owner,and Distribution Provider shall each keep
data or evidence to show compliance as identified below unless directed by its
Compliance Enforcement Authority to retain specific evidence for a longer period of time
as part of an investigation.
For Requirement Rl,the Transmission Owner,GeneratorOwner,and Distribution
Provider shall each keep its current dated Protection System Maintenance Program,as
well as any superseded versions since the preceding compliance audit,including the
documentation that specifies the type of maintenanceprogram applied for each Protection
System Component Type.
For Requirement R2,Requirement R3,Requirement R4,and Requirement R5,the
Transmission Owner,Generator Owner,and Distribution Provider shall each keep
documentation of the two most recent performances of each distinct maintenanceactivity
for the Protection System Component,or all performances of each distinct maintenance
activity for the Protection System Component since the previous scheduledaudit date,
whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all
requestedand submitted subsequent audit records.
1.4.Additional Compliance Information
None.
4
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
2.Violation Severity Levels
R1 The responsible entity's PSMP failed The responsible entity's PSMP The responsible entity's PSMP The responsible entity failed to
to specify whether one Component failed to specify whether two failed to include the applicable establish a PSMP.
Type is being addressed by time-Component Types are being monitoringattributes applied to each OR
based or performance-based addressed by time-based or Protection System Component Type The responsible entity failed tomaintenance,or a combination of performance-based maintenance,or consistent with the maintenance
both.(Part 1.1)a combination of both.(Part 1.1)intervals specified in Tables 1-1 specify whether three or more
OR through 1-5,Table 2,and Table 3 Component Types are being
addressed by time-based or
.where monitoringis used to extendTheresponsibleentity's PSMP failed performance-based maintenance,orthemaintenanceintervalsbeyondtoincludeapplicablestationbatteriesacombinationofboth.(Part 1.1).those specified for unmonitoredinatime-based program.(Part 1.1)Protection System Components.
(Part 1.2).
R2 The responsible entity uses NA The responsible entity uses The responsible entity uses
performance-based maintenance performance-based maintenance performance-based maintenance
intervals in its PSMP but failed to intervals in its PSMP but failed to intervals in its PSMP but:
reduce Countable Events to no more reduce Countable Events to no more 1)Failed to establish the technicalthan4%within three years.than 4%within four years·justification described within
Requirement R2 for the initial
use of the performance-based
PSMP
OR
2)Failed to reduce Countable
Events to no more than 4%
within five years
OR
3)Maintained a Segment with
less than 60 Components
OR
4)Failed to:
Annuallyupdate the list of
Components,
OR
5
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Annuallyperform
maintenance on the greater
of 5%of the segment
population or 3
Components,
OR
Annually analyze the
program activities and
results for each Segment.
R3 For Protection System Components For Protection System Components For Protection System Components For Protection System Components
included within a time-based included within a time-based included within a time-based included within a time-based
maintenance program,the maintenance program,the maintenance program,the maintenance program,the
responsible entity failed to maintain responsible entity failed to maintain responsible entity failed to maintain responsible entity failed to maintain
5%or less of the total Components more than 5%but 10%or less of the more than 10%but 15%or less of more than 15%of the total
included within a specific Protection total Components included within a the total Components included Components included within a
System Component Type,in specific Protection System within a specific Protection System specific Protection System
accordance with the minimum Component Type,in accordance Component Type,in accordance Component Type,in accordance
maintenance activities and maximum with the minimum maintenance with the minimum maintenance with the minimum maintenance
maintenance intervals prescribed activities and maximum activities and maximum activities and maximum
within Tables 1-1 through 1-5,Table maintenance intervals prescribed maintenance intervals prescribed maintenance intervals prescribed
2,and Table 3.within Tables 1-1 through 1-5,within Tables 1-1 through 1-5,Table within Tables 1-1 through 1-5,
Table 2,and Table 3.2,and Table 3.Table 2,and Table 3.
R4 For Protection System Components For Protection System Components For Protection System Components For Protection System Components
included within a performance-based included within a performance-included within a performance-based included within a performance-
maintenance program,the based maintenance program,the maintenance program,the based maintenance program,the
responsible entity failed to maintain responsible entity failed to maintain responsible entity failed to maintain responsible entity failed to maintain
5%or less of the annual scheduled more than 5%but 10%or less of the more than 10%but 15%or less of more than 15%of the annual
maintenance for a specific Protection annual scheduled maintenance for a the annual scheduled maintenance scheduled maintenance for a
System Component Type in specific Protection System for a specific Protection System specific Protection System
accordance with their performance-Component Type in accordance Component Type in accordance with Component Type in accordance
based PSMP.with their performance-based their performance-based PSMP.with their performance-based
PSMP.PSMP.
R5 The responsible entity failed to The responsible entity failed to The responsible entity failed to The responsible entity failed to
undertake efforts to correct 5 or undertake efforts to correct greater undertake efforts to correct greater undertake efforts to correct greater
fewer identifiedUnresolved than 5,but less than or equal to 10 than 10,but less than or equal to 15 than 15 identified Unresolved
6
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Requirement Lower VSL Moderate VSL High VSL Severe VSL
Number
7
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
E.Regional Variances
None
F.SupplementalReference Document
The following documentspresenta detailed discussion about determination of maintenanceintervals
and other useful information regarding establishmentof a maintenanceprogram.
1.PRC-005-2 Protection System Maintenance Supplementary Referenceand FAQ -July 2012.
Version History
Version Date Action Change Tracking
0 April 1,2005 Effective Date New
I December 1,1.Changed incorrect use of certain 01/20/05
2005 hyphens (-)to "en dash"(-)and "em
dash (-)."
2.Added "periods"to items where
appropriate.
3.Changed "Timeframe"to "Time Frame"
in item D,1.2.
la February 17,Added Appendix 1 -Interpretation Project 2009-17
2011 regarding applicabilityof standardto interpretation
protection of radially connected
transformers
la February 17,Adopted by Board of Trustees
2011
la September26,FERC Order issued approving interpretation
2011 of Rl and R2 (FERC's Order is effective as
of September26,2011)
1.la February 1,Errata change:Clarified inclusion of Revision under Project
2012 generator interconnection Facility in 2010-07
GeneratorOwner's responsibility
lb February 3,FERC Order issued approving Project 2009-10
2012 interpretation of Rl,R1.1,and Rl.2 Interpretation(FERC's Order dated March 14,2012).
Updated version from la to lb.
1.lb April 23,2012 Updated standard version to 1.lb to reflect Revision under Project
FERC approval of PRC-005-lb.2010-07
8
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
1.lb May 9,2012 PRC-005-1.lb was adoptedby the Board of
Trustees as part of Project 2010-07
(GOTO).
2 November 7,Adopted by Board of Trustees Complete revision,
20 12 absorbing maintenance
requirements from PRC-
005-lb,PRC-008-0,
PRC-011-0,PRC-017-0
2 October 17,Errata Change:The Standards Committee
2013 approved an errata change to the
implementation plan for PRC-005-2 to add
the phrase "or as otherwise made effective
pursuant to the laws applicable to such ERO
governmental authorities;"to the second
sentence under the "Retirement of Existing
Standards"section.
2 December 19,FERC Order issued approving PRC-005-2.
2013 (Order becomes effective 2/24/14.See
Implementation Plan for Compliance
details.)
9
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Table 1-1
Component Type -Protective Relay
Excluding distributed UFLS and distributed UVLS (see Table 3)
Maximum
Component Attributes Maintenance Maintenance Activities
Interval
For all unmonitored relays:
Verify that settings are as specified
For non-microprocessor relays:
Any unmonitored protective relay not having all the monitoringattributes 6 calendar Test and,if necessary calibrate
of a category below.years For microprocessor relays:
Verify operation of the relay inputs and outputs that are essential
to proper functioningof the Protection System.
Verify acceptable measurement of power system input values.
VerifyMonitoredmicroprocessorprotectiverelaywiththefollowing:
...Settings are as specified.Internal self-diagnosis and alarming (see Table 2).
.12 calendar Operation of the relay inputs and outputs that are essential toVoltage and/or current waveform sampling three or more times per .
.years proper functioningof the Protection System.power cycle,and conversion of samples to numeric values for
measurement calculations by microprocessor electronics.Acceptable measurement of power system input values.
Alarming for power supply failure (see Table 2).
For the tables in this standard,a calendar year starts on the first day of a new year (January 1)after a maintenance activity has been completed.
For the tables in this standard,a calendar month starts on the first day of the first month after a maintenance activity has been completed.
10
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Table 1-1
Component Type -Protective Relay
Excluding distributed UFLS and distributed UVLS (see Table 3)
Maximum
Component Attributes Maintenance Maintenance Activities
Interval
Monitoredmicroprocessor protective relay with preceding row attributes
and the following:
Ac measurements are continuously verifiedby comparison to an
independent ac measurement source,with alarming for excessive error Verify only the unmonitored relay inputs and outputs that are
(See Table 2).12 calendar essential to proper functioningof the Protection System.
Some or all binary or status inputs and control outputs are monitored
years
by a process that continuously demonstrates ability to performas
designed,with alarming for failure (See Table 2).
Alarming for change of settings (See Table 2).
11
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
4 calendar Verify that the communications system is functional.months
Any unmonitored communications system necessary for correct operation of
protective functions,and not havingall the monitoringattributes of a category Verify that the communications system meets performance
below.criteria pertinent to the communications technology applied (e.g.
6 calendar signal level,reflected power,or data error rate).years Verify operation of communications system inputs and outputs
that are essential to proper functioningof the Protection System.
Verify that the communications system meets performance
Any communications system with continuous monitoringor periodic criteria pertinent to the communications technology applied (e.g.
automated testing for the presence of the channel function,and alarming for 12 calendar signal level,reflected power,or data error rate).
loss of function (See Table 2).years Verify operation of communications system inputs and outputs
that are essential to proper functioningof the Protection System.
Any communications system with all of the following:
Continuous momtoring or periodic automated testing for the performance
of the channel using criteria pertinent to the communications technology
.Verify only the unmonitored communications system inputs andapplied(e.g.signal level,reflected power,or data error rate,and alarming 12 calendar ..
.outputs that are essential to proper functioningof the Protectionforexcessiveperformancedegradation).(See Table 2)years System
Some or all binary or status inputs and control outputs are monitored by a
process that continuously demonstrates ability to performas designed,
with alarming for failure (See Table 2).
12
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Table 1-3
Component Type -Voltage and Current Sensing Devices Providing Inputs to Protective Relays
Excluding distributed UFLS and distributed UVLS (see Table 3)
Maximum
Component Attributes Maintenance Maintenance Activities
Interval
Any voltage and current sensing devices not havingmonitoring Verify that current and voltage signal values are providedto the12calendaryearsattributesofthecategorybelow.protective relays.
Voltage and Current Sensing devices connected to microprocessor
relays with AC measurements are continuously verified by comparison No periodic
of sensing input value,as measured by the microprocessor relay,to an maintenance None.
independent ac measurement source,with alarming for unacceptable specified
error or failure(see Table 2).
13
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Table 1-4(a)
Component Type -Protection System Station dc Supply Using Vented Lead-Acid (VLA)Batteries
Excluding distributed UFLS and distributed UVLS (see Table 3)
Protection System Station de supply used only for non-BES interrupting devices for SPS,non-distributed UFLS systems,or non-distributed UVLS systems is
excluded (see Table 1-4(e)).
Maximum
Component Attributes Maintenance Maintenance Activities
Interval
Verify:
Station de supply voltage
4 Calendar Months Inspect:
Electrolyte level
For unintentional grounds
Verify:
Protection System Station de supply using Vented Lead-Acid Float voltage of battery charger
(VLA)batteries not havingmonitoringattributes of Table 1-
4(f).Battery continuity
Battery terminal connection resistance
18 Calendar Battery intercell or unit-to-unitconnection resistanceMonths
Inspect:
Cell condition of all individual battery cells where cells are visible -
or measure battery cell/unit internal ohmic values where the cells are
not visible
Physical condition of battery rack
14
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Table 1-4(a)
Component Type --Protection System Station dc Supply Using Vented Lead-Acid (VLA)Batteries
Excluding distributed UFLS and distributed UVLS (see Table 3)
Protection System Station de supply used only for non-BES interrupting devices for SPS,non-distributed UFLS systems,or non-distributed UVLS systems is
excluded (see Table 1-4(e)).
Maximum
Component Attributes Maintenance Maintenance Activities
Interval
Verify that the station battery can performas manufactured by
18 Calendar evaluating cell/unit measurements indicative of battery performance
Months (e.g.internal ohmic values or float current)against the station battery
baseline.
-or--or-
6 Calendar Years Verify that the station battery can performas manufactured by
conducting a performance or modifiedperformance capacity test of the
entire battery bank.
15
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Table 1-4(b)
Component Type -Protection System Station dc Supply Using Valve-RegulatedLead-Acid (VRLA)Batteries
Excluding distributed UFLS and distributed UVLS (see Table 3)
Protection System Station de supply used only for non-BES interrupting devices for SPS,non-distributed UFLS systems,or non-distributed UVLS systems is
excluded (see Table 1-4(e)).
Maximum
Component Attributes Maintenance Maintenance Activities
Interval
Verify:
4 Calendar Months Station de supply voltage
Inspect:
For unintentional grounds
Inspect6CalendarMonths
Conditionof all individualunits by measuring battery cell/unit
Protection System Station de supply with Valve Regulated internal ohmic values.
Lead-Acid (VRLA)batteries not havingmonitoringattributes Verif ·of Table 1-4(f).
Float voltage of battery charger
Battery continuity
18 Calendar
Months Battery terminal connection resistance
Battery intercell or unit-to-unit connection resistance
Inspect:
Physical condition of battery rack
16
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Table 1-4(b)
Component Type -Protection System Station dc Supply Using Valve-RegulatedLead-Acid (VRLA)Batteries
Excluding distributed UFLS and distributed UVLS (see Table 3)
Protection System Station de supply used only for non-BES interrupting devices for SPS,non-distributed UFLS systems,or non-distributed UVLS systems is
excluded (see Table 1-4(e)).
Maximum
Component Attributes Maintenance Maintenance Activities
Interval
Verify that the station battery can performas manufactured by
evaluating cell/unit measurements indicative of battery performance
6 Calendar Months (e.g.internal ohmic values or float current)against the station battery
-or-baseline.
-or-
3 Calendar Years Verify that the station battery can performas manufactured by
conducting a performance or modifiedperformance capacity test of the
entire battery bank.
17
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 --Protection System Maintenance
Table 1-4(c)
Component Type -Protection System Station dc Supply Using Nickel-Cadmium (NiCad)Batteries
Excluding distributed UFLS and distributed UVLS (see Table 3)
Protection System Station de supply used only for non-BES interrupting devices for SPS,non-distributed UFLS system,or non-distributed UVLS systems is
excluded (see Table 1-4(e)).
Maximum
Component Attributes Maintenance Maintenance Activities
Interval
Verify:
Station de supply voltage
4 Calendar Months Inspect:
Electrolyte level
For unintentional grounds
Verify:
.Float voltage of battery chargerProtectionSystemStationdesupplyNickel-Cadmium
(NiCad)batteries not havingmonitoringattributes of Table 1-Battery continuity
4(f).
18 Calendar Battery terminal connection resistance
Months Battery intercell or unit-to-unitconnection resistance
Inspect:
Cell condition of all individualbattery cells.
Physical condition of battery rack
Verify that the station battery can performas manufactured by
6 Calendar Years conducting a performance or modifiedperformance capacity test of the
entire batte bank.
18
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Table 1-4(d)
Component Type -Protection System Station dc Supply Using Non Battery Based Energy Storage
Excluding distributed UFLS and distributed UVLS (see Table 3)
Protection System Station de supply used only for non-BES interrupting devices for SPS,non-distributed UFLS system,or non-distributed UVLS systems is
excluded (see Table 1-4(e)).
Verify:
Station de supply voltage
4 Calendar Months Inspect:
For unintentional grounds
Any Protection System station de supply not using a battery
and not havingmonitoringattributes of Table 1-4(f).18 Calendar Months Inspect:
Conditionof non-battery based de supply
Verify that the de supply can performas manufactured when ac power6CalendarYearsisnotpresent.
19
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 --Protection System Maintenance
Table 1-4(e)
Component Type -Protection System Station dc Supply for non-BES Interrupting Devices for SPS,non-distributed UFLS,and non-
distributed UVLS systems
Maximum
Component Attributes Maintenance Maintenance Activities
Interval
Any Protection System de supply used for trippingonly non-
BES interruptingdevices as part of a SPS,non-distributed
UFLS,or non-distributed UVLS system and not having Verify Station de supply voltage.
monitoringattributes of Table 1-4(f).
20
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Any station de supply with high and low voltage monitoring ..No periodic verificationof station de supply voltage isandalarmingofthebatterychargervoltagetodetectcharger.
overvoltageand charger failure (See Table 2).required.
Any battery based station de supply with electrolyte level No periodic inspection of the electrolyte level for each cell is
monitoringand alarming in every cell (See Table 2).required.
Any station de supply with unintentional de ground monitoring No periodic inspection of unintentional de grounds is
and alarming (See Table 2).required.
Any station de supply with charger float voltage monitoring ..
..No periodic verificationof float voltage of battery charger isandalarmingtoensurecorrectfloatvoltageisbeingappliedon.
the station de supply (See Table 2).required.
Any battery based station de supply with monitoringand No periodic maintenance ...
fled No periodic verificationof the battery continuity is required.alarming of battery string continuity (See Table 2).speci
Any battery based station de supply with monitoringand ..
.No periodic verificationof the intercell and terminalalarmingoftheintercelland/or terminal connection detail connection resistance is required.resistance of the entire battery (See Table 2).
Any Valve Regulated Lead-Acid(VRLA)or Vented Lead-
Acid (VLA)station battery with internal ohmic value or float No periodic evaluation relativeto baseline of battery cell/unit
current monitoringand alarming,and evaluating present values measurements indicativeof battery performance is required to
relative to baseline internal ohmic values for every cell/unit verify the station battery can performas manufactured.
(See Table 2).
No periodic inspection of the condition of all individual units
Any Valve Regulated Lead-Acid(VRLA)or Vented Lead-by measuring battery cell/unit internal ohmic values of a
Acid (VLA)station battery with monitoringand alarming of station VRLA or Vented Lead-Acid (VLA)battery is
each cell/unit internal ohmic value (See Table 2).required.
21
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Trip coils or actuators of circuit breakers,interruptingdevices,or mitigating 6 calendar Verify that each trip coil is able to operate the circuit
devices (regardless of any monitoringof the control circuitry).years breaker,interrupting device,or mitigating device.
Electromechanical lockout devices which are directly in a trip path from the .6 calendar Verify electrical operation of electromechanical lockoutprotectiverelaytotheinterruptingdevicetripcoil(regardless of any .
..years devices.monitoringof the control circuitry).
.12 calendar Verify all paths of the control circuits essential for properUnmonitoredcontrolcircuitryassociatedwithSPS.years operation of the SPS.
..Verify all paths of the trip circuits inclusive of all auxiliaryUnmonitoredcontrolcircuitryassociatedwithprotectivefunctionsinclusiveof12calendar
..relays through the trip coil(s)of the circuit breakers or otherallauxiliaryrelays.years .interrupting devices.
Control circuitry associated with protective functions and/or SPS whose No periodic
..maintenance None.integrityis monitored and alarmed (See Table 2).specified
22
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Table 2 -Alarming Paths and Monitoring
In Tables 1-1 through 1-5 and Table 3,alarm attributes used to justify extended maximum maintenance intervals and/or reduced maintenance
activities are subject to the following maintenance requirements
Maximum
Component Attributes Maintenance Maintenance Activities
Interval
Any alarm path through which alarms in Tables 1-1 through 1-5 and Table 3 are
conveyed fromthe alarm origin to the location where corrective action can be
initiated,and not havingall the attributes of the "Alarm Path with monitoring"Verify that the alarm path conveys alarm signals tocategorybelow.12 Calendar Years a location where corrective action can be initiated.
Alarms are reported within 24 hours of detection to a location where corrective
action can be initiated.
Alarm Path with monitoring:
No periodicThelocationwherecorrectiveactionistakenreceivesanalarmwithin24hoursmaintenance None.for failureof any portionof the alarming path from the alarm origin to the specifiedlocationwherecorrectiveactioncanbeinitiated.
23
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Verify that settings are as specified
For non-microprocessor relays:
Test and,if necessary calibrate
Any unmonitored protective relay not havingall the monitoringattributes of a 6 calendar For microprocessor relays:category below.years
Verify operation of the relay inputs and outputs that are
essential to proper functioningof the Protection System.
Verify acceptable measurement of power system input
values.
Monitoredmicroprocessor protective relay with the following:Verify:
Internal self diagnosis and alarming (See Table 2)-Settings are as specified.
12 calendarVoltage and/or current waveformsampling three or more times per power years Operation of the relay inputs and outputs that are essential tocycle,and conversion of samples to numeric values for measurement proper functioningof the Protection System.
calculations by microprocessor electronics.
Acceptable measurement of power system input valuesAlarmingforpowersupplyfailure(See Table 2).
Monitoredmicroprocessor protective relay with preceding row attributes and
the following:
Ac measurements are continuously verifiedby comparison to an
independent ac measurement source,with alarming for excessive error
(See Table 2).12 calendar Verify only the unmonitored relay inputs and outputs that are
years essential to proper functioningof the Protection System.
Some or all binary or status inputs and control outputs are monitored by a
process that continuously demonstrates ability to performas designed,
with alarming for failure (See Table 2).
Alarming for change of settings (See Table 2).
24
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
Voltage and/or current sensing devices associated with UFLS or UVLS 12 calendar Verify that current and/or voltage signal values are providedto
systems.years the protective relays.
Protection System de supply for tripping non-BES interrupting devices used 12 calendar
only for a UFLS or UVLS system.years Verify Protection System de supply voltage.
Controlcircuitry between the UFLS or UVLS relays and electromechanical
lockout and/or tripping auxiliarydevices (excludes non-BES interrupting 12 calendar Verify the path fromthe relay to the lockout and/or tripping
device trip coils).years auxiliary relay (includingessential supervisory logic).
Electromechanical lockout and/or trippingauxiliary devices associated only
with UFLS or UVLS systems (excludes non-BES interruptingdevice trip 12 calendar Verify electrical operation of electromechanical lockout and/or
coils).years tripping auxiliarydevices.
Controlcircuitry between the electromechanical lockout and/or tripping
auxiliary devices and the non-BES interruptingdevices in UFLS or UVLS No periodic
systems,or between UFLS or UVLS relays (with no interposing maintenance None.electromechanical lockout or auxiliarydevice)and the non-BES interrupting specified
devices (excludes non-BES interruptingdevice trip coils).
No periodic
Trip coils of non-BES interruptingdevices in UFLS or UVLS systems.maintenance None.
specified
25
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
PRC-005 -Attachment A
Criteria for a Performance-Based Protection System Maintenance Program
Purpose:To establish a technical basis for initial and continued use of a performance-based
Protection System Maintenance Program (PSMP).
To establish the technical justificationfor the initial use of a performance-based PSMP:
1.Develop a list with a description of
Components included in each designated Segment -Protection Systems or componentsSegmentoftheProtectionSystemofaconsistentdesignstandard,or aComponentpopulation,with a m1mmum particularmodel or typefrom a singleSegmentpopulationof60Components·manufacturerthat typicallyshare other
2.Maintain the Components in each common elements.Consistent performance is
Segment according to the time-based expected across the entire populationofa
maximum allowable intervals established Segment.A Segment must contain at least
in Tables 1-1 through 1-5 and Table 3 sixty (60)individual components.
until results of maintenance activities for
the Segment are available for a minimum of 30 individual Components of the Segment.
3.Document the maintenance program activities and results for each Segment,including
maintenance dates and Countable Events
for each included Component.Countable Event -A failure ofa component
4.Analyzethe maintenance program requiringrepair or replacement,any condition
activities and results for each Segment to discovered during the maintenance activities in
determine the overall performance of the Tables 1-1 through 1-5 and Table 3 which requires
Segment and develop maintenance corrective action,or a Misoperation attributed to
hardwarefailure or calibration failure.intervals Misoperations due to product design errors,
5.Determine the maximum allowable software errors,relay settings differentfrom
maintenance interval for each Segment specified settings,Protection System component
such that the Segment experiences configuration errors,or Protection System
Countable Events on no more than 4%application errors are not included in Countable
of the Components within the Segment,Events.
for the greater of either the last 30
Components maintained or all Components maintained in the previous year.
To maintain the technical justificationfor the ongoing use of a performance-based PSMP:
1.At least annually,update the list of Protection System Components and Segments and/or
description if any changes occur within the Segment.
2.Perform maintenance on the greater of 5%of the Components (addressed in the
performance based PSMP)in each Segment or 3 individual Components within the
Segment in each year.
3.For the prior year,analyze the maintenance program activities and results for each
Segment to determine the overall performance of the Segment.
26
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix H-PRC-005-2
Standard PRC-005-2 -Protection System Maintenance
4.Using the prior year's data,determine the maximum allowable maintenance interval for
each Segment such that the Segment experiences Countable Events on no more than 4%
of the Components within the Segment,for the greater of either the last 30 Components
maintained or all Components maintained in the previous year.
5.If the Components in a Protection System Segment maintained through a performance-
based PSMP experience 4%or more Countable Events,develop,document,and
implement an action plan to reduce the Countable Events to less than 4%of the Segment
population within 3 years.
27
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix I-WECC Major RAS List-April 28,2008
Table
Major WECC Remedial Action Schemes (RAS)
Used in Standard PRC-004-WECC-1
(Revised September 19,2007)
Path Name*Path RAS
1.Alberta -British Path 1 Remedial actions are required to achieve the rated
Columbia transfer capability.Most involve tripping tie lines
for outages in the BCTC system.East to West:
For high transfers,generation tripping is required
north of the SOK cutplane in Alberta.
2.Northwest -British Path 3 Generator and reactive tripping in the BCTC
Columbia system to protect against the impact caused
by various contingencies during transfers
between British Columbia and the
Northwest.
3.West of Hatwai Path 6 Generator dropping (Libby,Noxon,
Lancaster,Dworshak);Reactor tripping
(Garrison);Trippingof Miles City DC link.
4.Montana to Northwest Path 8 Tripping Colstrip by ATR (NWMT);
Switching shunt reactors at Garrison
500 kV;Trippingthe back-to-back
DC tie at Miles City;Tripping
Libby,and Noxon generation by WM-RAS
(BPA).
5.Idaho to Northwest Path 14 Generator Runback at Hells Canyon;
Jim Bridgertrippingfor loss of Midpoint -
Summer Lake 500 kV line.
6.Midway-LosBanos Path 15 CDWR and PG&E pump load dropping
north of Path 15.PG&E service area load
dropping north of Path 15.PG&E service area
generation dropping south of Path 15.
7.Idaho Sierra Path 16 Automatic load shedding is required
when the Alturas line is open for loss of the
Midpoint-Humbolt345 kV line during high
Sierra system imports.
8.Bridger West Path 19 Jim Bridgertrippingfor delayed clearing and
multi-line faults;Addition of shunt
capacitors at Jim Bridger,Kinport and
Goshen and series capacitor bypassing at
Burns.
9.IPP DC Line Path 27 IPP Contingency Arming System trips one or
two IPP generating units.
10.TOTlA Path 30 Bonanza and Flaming Gorge
generation is tripped for loss of the
Bonanza-Mona 345 kV line to achieve rating
on TOTlA.
Page 1 of 3
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix I-WECC Major RAS List-April 28,2008
11.TOT2A Path 31 For the Montrose-Hesperus 345 kV line
outage with Nucla generation above 60 MW,
the parallel Montrose-Nucla 115 kV line is
automatically transfer tripped.
12.TOT2B Path 34 Trip Huntington generation for loss
of the Huntington-Pinto +Four Corners lines
when parallel lines are heavily loaded.
13.TOT5 Path 39 For an outage of the Hayden-Gore
Pass 230 kV line,the lower voltage parallel
path is tripped.
14.SDGE RAS Path 44 RAS used to meet reactive margin criteria
for loss of both San Onofre units.
15.SDGE -CFE Path 45 The purpose of the RAS is to
automatically cross-trip (transfer trip)
the Miguel-Tijuana 230kV following
the outage of ImperialValley -Miguel 500kV
line.
16.Southern New Mexico Path 47 For double contingencies on the 345
kV lines defined in the path,WECC
Operating Procedure EPE-1 is implemented.
17.Pacific DC Intertie Path 65 Northwest generator tripping;Series
capacitor fast insertion;mechanically
switched shunt capacitors
18.California -Oregon Intertie Path 66 Northwest generator tripping;Chief Jo
Brake insertion;Fort Rock Series Capacitor
insertion;Northern California generator and
pump load tripping;N.California series
capacitor bypassing,shunt reactor or
capacitor insertion;Initiation of NE\SE
Separation Scheme at Four Corners.
19.Meridian 500/230 kV Followingthe loss of the Meridian
Transformers**500/230kV transformers,RAS is used to
comply with WECC Standards under high load
conditions.
20.Northern-Southern Path 26 Remedial action required to achieve the
California rated transfer capability.Midway area
generation tripped for loss of any two of three
Midway-Vincent500 kV lines.
21.PNM Import Contingency Path 48 ICLSS is a centralized load shedding scheme
Load for low probabilityevents such as
Shedding Scheme (ICLSS)simultaneous outage of the Four Corners-
West Mesa (FW)345 kV and San Juan-B-A
(WW)345 kV lines,as well as any
unplanned disturbance affecting voltage in
the Northern New Mexico transmission
system.
Page 2 of 3
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix I-WECC Major RAS List-April 28,2008
22.Valley Direct Load Trip RAS is required for the loss of the Serrano-
(DLT)Valley 500 kV line.About 200 MW of
Valley load is tripped.
23.South of Lugo N-2 RAS RAS is required for the simultaneous double
line outage of any combination of the Lugo-
Mira Loma 1 (when looped),2,and 3 500
kV lines and the Lugo-Serrano (when de-
looped)500 kV line.
24.Lower Snake RAS The RAS is required to protect for the
double line outage of the Lower
Monumental-Little Goose 500-kV lines.
Generation is dropped at Little Goose and
Lower Granite Powerhouses as well as key
the WM RAS.An outage of the Little
Goose -Lower Granite 500 kV lines will
drop generation at Lower Granite
Powerhouse and key the Western Montana
RAS.
25.Palo Verde -COI Mitigation Path 66 Required to providefor safe operation of the
Scheme COI for the loss of two units at Palo Verde
Nuclear Generating Station (PVNGS).The
RAS protects the PVNGS and Palo Verde
Transmission System (PVTS)for faults at
Palo Verde and subsequent outage of the
Palo Verde -Westwing 500 kV lines.
26.Palo Verde/Hassayampa Provides protection to the PVNGS and the
PAS PVTS for faults at Palo Verde and
subsequent double line outage of the Palo
Verde to Westwing 500 kV lines.***
27.Sierra Pacific -PacifiCorp Path 76 Needed for loss of the 230 kV Malin-Hilltop
RAS line when heavilyloaded unless automatic
reclose is successful.The scheme closes the
Hilltop 345 kV line reactor if pre-outage
northbound flow is greater than 150 MW.
For pre-outage southbound flow greater than
235 MW the Hilltop 345 kV line trips and
the Hilltop 345 kV line reactors closes.
*For an explanation of terms,path numbers,and definition for
the paths refer to WECC's Path Rating Catalog.
**The Meridian 500/230 kV transformers are not included in the
Path Rating Catalog.The RAS associated with the Meridian
transformers is included in Table 3 because the failure of the
RAS may result in cascading.
***The Palo Verde/HassayampaRAS is designed to prevent
cascading problems throughoutthe WECC region.This scheme
is not Path related and is not used to protect any specific
WECC Path.
Page 3 of 3
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
CIP-002-5.1-Cyber Security -BES Cyber System Categorization
A.Introduction
1.Title:Cyber Security -BES Cyber System Categorization
2.Number:CtP-002-5.1
3.Purpose:To identify and categorize BES Cyber Systerns and their associated BES
Cyber Assets for the application of cyber security requirements commensurate with
the adverse impact that loss,compromise,or misuse of those BES Cyber Systems
could have on the reliable operation of the SES.Identification and categorization of
BES Cyber Systems support appropriate protection against compromises that could
lead to misoperation or instability in the BES,
4.Applicability:
4.L Functional Entities:For the purpose of the requîrements contained herein,the
following list of functional entities will be collectively referred to as "Responsible
Entities."For requirements in this standard where a specific functional entity or
subset of functional entities are the applicable entityor entities,the functional entity
or entities are specified explicitly.
4.1.1.Balancing Authority
4.1.2.Distribution Provider that owns one or more of the following Facîlities,systems,
and equipment for the protection or restoration of the BES:
4.1.2.1.Each underfrequencyload shedding (UFLS)or undervoltageload shedding
(UVL5}system that:
4.1.2.1.1.is part of a Load shedding prograrn that is subject to one or more
requirements in a NERC or Regional Reliabîlitystandard;and
4.1.2.1.2.performs automatic Load shedding under a common control system
owned by the Responsible Entity,without human operator initiation,
of 300 MW Or more,
4.1.2.2.Each Special Protection System or Remedial Action Scheme where the
Special Protection System or Remedial Action Scheme is subject to one or
more requirements in a NERCor Regional ReliabilityStandard.
4.1.2.3.Each Protection System (excluding UFLS and UVLS)that applies to
Transmission where the Protection System is subject to one or more
requirements in a NERCor Regional ReliabilityStandard.
4.1.2.4.Each Cranking Path and group of Elements meeting the initial switching
requirements from a Blackstart Resource up to and including the first
interconnection point of the starting station service of the next generation
unit(s)to be started.
4.1.3.Generator Operator
4.1.4.Generator Owner
Page l of 24
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
P-002-5.1-Cyber security -BES Cyber System Categorization
4.1.5.interchange Coordinator or InterchangeAuthority
4.1.6.Reliability Coordinator
4.1.7.Transmission Operator
4.1.8.Transmission Dwner
4.2.FacKitles:For the purpose of the requirementscontained heraîn,the following
Facilities,systems,and equipment owned by each Responsible Entity in 4.1 above
are those to which these requirements are applicable.For requirements in this
standard where a specific type of Facilities,system,or equipment or subset of
Facilities,systems,and equîpmentare applicable,these are specified explicitly.
4.2.1.D1stribution Provider:One or more of the following Facilities,systems and
equipment owned by the Distribution Provider for the protection or restoratlon
of the SES:
4.2.L1.Each UFLS or UVLS System that
4.2.1.1.1.Is part of a Load shedding program that is subject to one or more
requirements in a NERC or Regional ReliabilîtyStandard;and
4.2.1.1.2.performs automatic Load shedding under a common control system
owned by the Responsible Entity,without human operator initiation,
of 300 MW Or more.
4.2.1.2.Each Special Protection System or Remedial Action Scheme where the
Special Protection System or Remedial Action Scheme is subject to one or
more requirements in a NERC or Regional ReliabîlityStandard.
4.2.1.3.Each Protection System (excluding UFLS and UVLS)that applîes to
Transmîssion where the Protection System is subject to one or more
requirements in a NERC or Regional ReliabilityStandard.
4.2.1.4.Each Cranking Path and group of Elements meeting the initial switching
requirements from a Blackstart Resource up to and including the first
interconnection point of the starting station service of the next generation
unit(s)to be started.
4.2.2.Responsible Entitles listed in 4.1 other than Distribution Providers:
All BES Facilities.
4.2.3.Exemptions:The following are exempt from Standard CIP-002,5.1:
4.2.3.1,Cyber Assets at Facilîties regulated by the Canadian Nuclear Safety
Commission.
4.2.3.2.Cyber Assets associated with communication networks and data
communication links between discrete Electronic Security Perimeters.
Page 2 of 24
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
CIP-OD2-5.1-Cyber Security ---BES Cyber System Categorization
4.2.3.3.The systems,structures,and components that are regulated by the Nuclear
Regulatory Commission under a cyber securíty plan pursuant to 10 C.F.R.
Section 73.54.
4.23.4.For Distribution Providers,the systems and equipment that are not included
in section 4.2.1 above.
5.Effective Dates:
1 24 Months Minimurn -CIP-002-5.1shall become effective on the later of July 1,
2015,or the first calendar day of the ninth calender quarter after the effective
date of the order providingapplicable regulatory approval.
2.In those jurisdictions where no regulatory approval is required CIP-002-5.1shall
become effective on the first day of the ninth calendar quarter following Board
of Trustees'approval,or as otherwise made effective pursuant to the laws
applicable to such ERO governmental authorities.
6.Background:
This standard provides "brîghtdine"criteria for applicableResponsible Entities to
categorize their BES Cyber Systems based on the impact of their associated I¯acilities,
systems,and equipment,which,if destroyed,degraded,misused,or otherwise
rendered unavailable,would affect the reliableoperation of the Bulk Electric System.
Several concepts providethe basis for the approach to the standard.
Throughout the standards,unless otherwise stated,bulleted items in the
requírements are items that are linked with an "or,"and numbered items are items
that are linked with an "and."
Many references in the Applicability sectîon and the criteria in Attachment l of CIP-
002 use a threshold of 300 MW for UFLS and UVLS.This particularthreshold of 300
MW for UVLS and UFLS was provided in Version lof the CIP Cyber Security
Standards.The threshold remains at 300 MW since it is specifically addressing UVLS
and UFLS,which are last ditch efforts to save the Bulk Electric System.A review of
UFLS tolerances definedwithin regional reliability standards for UFLS program
requirementsto date indicates that the historical value of 300 MW represents an
adequate and reasonable threshold value for allowable UFLS operationaltolerances.
BE5 Cyber systems
One of the fundamental differences between Versions 4 and 5 of the CIP Cyber
Security Standards is the shîft from identifying Critical Cyber Assets to identifying BES
Cyber Systems.This change results from the drafting team's review of the NISTRisk
Management Framework and the use of an analogous term "information system"as
the target for categorizing and applyingsecurity controls.
Page 3 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
CIP-002-5.1-Cyber Security -BES Cyber System Categorization
version 4 Cyber Assets Version 5 Cyber Assets
CCA
ASSOci¡ited
Protected Cyber
.Assets
Non-GrMeal Cyber Asset
Within an ESP
//Ássociate
Electronic and
Monitoring
CI P 005-4 RL5and
in transitioning from Versîon 4 to Version 5,a BES Cyber System can be viewed simply
as a grouping of Critical Cyber Assets (as that term is used in Version 4}.The CIP Cyber
Security Standards use the "BES Cyber System"term primarily to providea higher levelforreferencingtheobjectofarequirement.For example,it becomes possible to
apply re4uirements dealingwith recovery and malware protection to a grouping
rather than individual Cyber Assets,and it becomes clearer in the requirement that
malware protection applies to the system as a whole and may not be necessary for
every îndîvidualdevice to comply.
Another reason for using the term "SES Cyber System"is to provide a convenient level
at which a Responsible Entity can organi2e their documented implementation of the
requirementsand compliance evidence.Responsible Entities can use the well-
developedconcept of a security plan for each BES Cyber System to document the
programs,processes,and plans in place to comply with security requirements.
It is left up to the Responsible Entity to determine the level of granularity at which to
identify a BES Cyber System within the qualificationsin the definition of BES Cyber
System.For example,the Responsible Entity might choose to view an entire plant
control system as a single BES Cyber system,or it might choose to view certain
components of the plant control system as distinct BES Cyber Systems.The
Responsible Entity should take into consideration the operational environment and
Page 4 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
CIP-002·5.1-Cyber Security -BES Cyber Systern Categorization
scope of management when defining the BES Cyber System boundaryin order to
maximize efficiency in secure operations.Defining the boundarytoo tightlymay result
in redundant paperwork and authorizatîons,while defining the boundarytoo broadly
could make the secure operation of the BES Cyber System difficult to monitor and
assess.
Reliable Operation of the BES
The scope of the CIP Cyber security Standards is restricted to SES Cyber Systems that
would impact the reliable operation of the SES.In order ta identify BES Cyber
Systems,Responsible Entities deterrnîne whether the BES Cyber Systems perform or
support any BES reliability function according to those reliability tasks identified for
their reliability function and the corresponding functional entity's responsibilities as
defined in its relationshipswith other functional entities in the NERC Functional
Model This ensures that the initial scope for considerationincludes only those BES
Cyber Systems and their associated BES Cyber Assets that perform or support the
reliable operation of the BES.The definition of BES Cyber Asset provides the basis for
this scoping.
Real-time Operations
One characteristic of the BES Cyber Asset is a real-time scoping characteristic.The
tirne horizon that is significant for BES Cyber Systems and BES Cyber Assets subject to
the application of these Version 5 CIP Cyber security standards is defined as that
which is rnaterial to real-time operationsfor the reliable operation of the BES.To
providea better defined time horizon than "Real-time,"BES Cyber Assets are those
Cyber Assets that,if rendered unavailable,degraded,or misused,would adversely
impact the reliable operation of the BES within 15 minutes of the activation or
exercise of the compromise.This time window must not include in its consideration
the activation of redundant SES Cyber Assets or BES Cyber Systems:from the cyber
security standpoînt,redundancy does not mitigate cyber security vulnerabilities.
CategorizationCriteria
The criteria defined in Attachrnent 1 are used to categorize BES Cyber Systems into
impact categories.Requirement 1 only requires the discrete identification of BES
Cyber Systems for those in the high impact and medium impact categories.All BES
Cyber Systems for Facilities not included in Attachment 1-ImpactRatlng Criteria,
Criteria 1.1to 1.4 and Criteria 2.1to 2.11 default to be low impact.
This general process of categorization of BES Cyber Systems based on impact on the
reliable operation of the BES is consistent with risk management approaches for the
purpose of application of cyber security requirements in the remainder of the Version
5 CIP Cyber Security Standards.
Electronic Access Control or MonitoringSystems,Physical Access Contro1Systems,
and Protected Cyber Assets that are associated with BES Cyber systems
Fage 5 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
CIP-002-5.1-Cyber Security -BES Cyber System Categorization
BES Cyber Systems have associated Cyber Assets,which,if compromised,pose a
threat to the SES Cyber system by virtue of:(a)their location wîtbin the Electronic
Security Perimeter (Protected Cyber Assets),or (b}the security control functîon they
perform (Electronic Access Control or Monitoring Systems and Physical Access Control
SystemsL These Cyber Assets înclude:
Electronic Access Control or MonitoringSystems ("EACMS")-Examples include:
Electronic Access Points,intermediate Systems,authentication servers (e.g.,
RADIUS servers,Active Directory servers,Certificate Authorities),security event
monitoring systems,and intrusion detection systems.
Physical Access Control Systems ("PACS")-Examples include:authentication
servers,card systems,and badge control systems.
Protected Cyber Assets ("PCA")-Examples may include,to the extent they are
within the ESP:file servers,ftp servers,time servers,I.AN switches,networked
printers,digital fault recorders,and emission rnonitorîngsystems.
B.Requirements and Measures
RL Each Responsible Entityshall implement a process that considers each of the
following assets for purposes of parts 1.1 through 13:[Violation Risk Factor:
High)[Time Horizon:Operations PIGuning]
LControl Centers and backup Control Centers;
ii.Transmission stations and substations;
lii.Generation resources;
iv.Systems and facilîties critical to system restoration,including Blackstart
Resources and Cranking Paths and iriitial switching requirements;
v.Special Protection Systems that support the reliable operation of the Bulk
Electric System;and
vi.For Distribution Providers,Protectîon Systems specified in Applicability
section 4.2 1above.
1.1.Identifyeach of the high impact BES Cyber Systems according to
Attachrnent 1,Section 1,if any,at each asset;
1.2.Identifyeach of the medium impact BES Cyber Systems according to
Attachment 1,Section 2,if any,at each asset;and
1.3.[dentify each asset that contains a low impact BES Cyber System
according to Attachment 1,Section 3,if any (a discrete list of low impact
BES Cyber Systems is not required).
M1.Acceptable evidence includes,but is not limited to,dated electronic or physical lists
required by Requirement R1,and Parts 1.1 and 1.2.
Page 6 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
CIP-002-5.1-Cyber Security -BES Cyber System Categorization
R2.The Responsible Entity shaih [Violation Risk Factor:Lower][Time Horizon:Operations
Planning)
2.1 Review the identifications in Requirement R1 and its parts (and update
them if there are changes identified)at least once every 15 calendar
months,even if it has no identifled items in Requirement R1,and
2.2 Have its CIP Senior Manageror delegate approve the identifications
required by Requirement R1at least once every 15 calendar months,
even if it has no identlfied items in Requirement R1.
M2.Acceptable evidence includes,but is not limited to,electronic or physical dated
records to demonstrate that the Responsible Entity has reviewed and updated,where
necessary,the identifications required in Requirement R1 and îts parts,and has had its
CIP Senior Manageror dategate approve the identifications required in Requirement
R1and its parts at least once every 15 calendar months,even if it has none identified
in Requirement R1 and its parts,as required by Requirement R2.
C.Compliance
1.Compliance MonitoringProcess:
1.L Compliance £nforcement Authority:
The Regional Entity shall serve as the compliance Enforcement Authority("CEA")
unless the applicable entity is owned,operated,or controlled by the Regional
Entity.In such cases the ERO or a Regional Entity approved by FERC or other
applicable governmentalauthority shall serve as the CEA.
1.2.Evidence Retention:
The following evIdence retention periods identify the period of time an entity is
required to retain specîfic evidence to demonstrate compliance.For instances
where the evidence retention period specified below is shorter than the time
since the last audit,the CEA may ask an entityto provideother evidence to show
that it was compliant for the full tîme period since the last audtt.
The Responsible Entity shall keep data or evidence to show cornpliance as
identified below unless directed by its CEAto retain specifîc evidence for a
longerperîod of time as part of an investigation:
Each Responsible Entity shall retain evIdence of each requirernent in this
standard for three calendar years.
If a Responsible Entity is found non-compliant,it shall keep information
related to the non-compliance until mitigatîon is complete and approved or
for the tîme specified above,whithever is longer.
Page7 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
CIP-002-5.1-Cyber Security -BES Cyber System Categorization
The CEA shall keep the last audit records and all requested and submitted
subsequent audit records.
1.3.Compliance Monitoring and Assessment Processes:
Compliance Audit
Self-Certification
Spot Checkîng
Compliance Investigation
Self-Reporting
Complaint
1.4.Additiorial Compliance information
None
Page 8 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
CIP-DO2-5.1-Cyber Security -BES Cyber System Categorization
2.Table of Compliance Elements
Al Operations itigh For Responsible For Responsible For Responsible For ResponsiblePlanningEntitieswithmoreËntitleswithmoreEntitieswithmoreEntitleswithmore
than a total of 40 BES than a total of 40 BES than a total of 40 BES than a total of 40 BES
assets in RequFrement assets in Requirement assets in Requirement assets in Requirement
R1,five percent er R1,more than five R1,more than 10 R1,more than 15
fewer BE5 assets have percent but less than percent but fess than percent of BES assets
not been considered or equal to 10 percent or equal to 15 percent have not been
according to of BES assets have not of SES assets have not considered,according
Requirement R1;been considered,been considered,to Requirement 81;
OR accord ina to according to
Requirement R1;Requirement R1;For Responsible For Responsible
Entities with a total of OR OR Entitles with a total of
40 or fewer BE5 assets,For Responslble For Responsible 40 or fewer BES assets,
2 or fewer BES assets Entitles with a total of Entities with a total of more than six BES
iri Requirement 81,40 or fewer BES assets,40 er fewer BES assets,assets in Requirement
have not been more than two,but more than four,but R1,have not been
considered according fewer than or equal to fewer than or equal to considered according
to Requirement R1;four BES assets in six BES assets in to Requirement R1;
OR Requirement R1,have Requlrement R1,have ggnotbeenconsiderednotbeenconsideredForResponsibleaccordingtoaccc<dingte For Responsible
Entities with more Requirement R1;Requirement R1;Entities with more
than a total of 100 than a total of 100
h1gh and medium OR high and medium
impact BES Cgr For Responsible For Responsible impact BE5 Cyber
½ge90f34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
CIP402-S.1 -Cyber Securlty -BES Cyber System Categerlaatlon
a a ti
.a e -
systems,five percent Entities with more Entities w]th more Systems,more than 15
or fewer of identFfled than a total of 100 than a total of 100 percent of identified
BES Cyber Systems hlgh and medlem high or medium BES Cyber SystemshavenotbeenimpactSESCyberimpactSESOyberhavenotbeen
categorized or have Systems,more than Systems,more than 10 categorlted or have
been incorrectly five percent but less percent but less than been incorrectly
categorized at a lower than or equalto 10 cc equal to 15 percent categorized at a lower
category;percent of identified of Identified BES Cyber category;
OR BES Cyber Systems Systems have not been ORhavenotbeencategorizedorhaveForResponsiblecategorizedorhavebeenincorrectlyFor Responsible
Entlties wlth a total of been Incorrectly Categarlzed at a lower Entities with a total of100orfewerhighandcategorizedatalowercategory;100 or fewer hlgh andmediumimpactBEScategory;OR medium impact BES
Cyber Systems,five or Cyber Systems,more
fewer identified BES For Responsible than 15 identified BES
Cyber Systems have \"or Responsible Entitles with a total of Cyber Systems havenotbeencategorizedEntitieswithatotalof100orfewerhighornotbeencategarlzed
or have been 100 or fewer high and medium impact and or have been
incorrectly categorized medlum impact and BE$Cyber Assets,incorrectly categorlzed
at a lower category,BES Cyber Systems,more than 10 but less at a lower category.
OR morethan five btri less than or equal to 15 ogthanorequaFto10identífledBESCyberForResponsibleident½ied SES Cyber Assets have not been For ResponsibleEntitieswithmoreSystemshavenotbeencategorizedorhaveEntitieswithmorethanatotalof100categorizedorhavebeenincorrectlythanatotalof100
high and medium been incorrectly categorized at a lower high and medium
impact BES Cyber categorized at a lower impact BES Cyber
Page10of34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
CIP-002-5,1 -Cyber Security -BES Cyber System Categorizat3on
systems five percent category,category.Systems,more than 15
or fewer hlgh or OR OR percent of high or
medium BES Cyber medium impact BES
Systems have not been I or Responstble For Responsible Cyber Systems have
identified;Entities with more Entitles with more not been identified;than a total of 100 than a total of 100OR ORhighandmediumhighandmedium
For Responsible impact BES Cyber impact BES Cyber For Responsible
Entitles w1th a total of Systems,more than Systems,more than 10 Entitles with a total of
100 or fewer high and five percent but less percent but less than 100 or fewer high and
medium impact BES than or equal to 10 or equal to 15 percent medium impact BES
Cyber Systems,five or percent high or high or medium BES Cyber Systems,more
fewer hlgh or medium medium BES Cyber Cyber Systems have than 15 high of
SES Cyber Systems Systems have not been not been identified;medium impact BES
have not been identified;OR Cyber Systems have
identified.OR not been identifled.
For Responsible
For Responsible Entitles with a total of
Entitles with a total of 100 or fewer hlgh and
100 or fewer high and medium impact BES
medium impact BEs Cyber Systems,more
Cyber systems,more than 10 but less than
than five but less than or equal to 15 high or
or equal to 10 blgh or medlum 3ES Cyber
medkumBES Cyber Systems have not been
5ystems have not been identified.
identined.
Paiguof34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
CIP-002-5.1-Cyber Secur]ty -BES Cyber System Categorizatlon
R2 Operations Lower The Respons1ble Entity The Responsible Entity The Responsible Entity The Responsible EntityPlanningdidnotcompleteitsdidnotcompleteitsdidnotcompleteitsdidnotcompleteits
review and update for review and update for review and update for review and update fortheidentificationtheIdentificationtheIdentificationtheidentification
required for R1within requlted for RI within required for R1 within reguled for R1 within
15 calendar months 16 calendar months 17 calendar months 18 calendar months of
but lessthan or equal but less than or equal but less than or equal the prevlous review.
to 16 calendar months to 17 calender months to 18 calender months (R2.1)of the previous review,of the previous review.of the prevFous review OR(R2,1)(R2,1)(R2.1)
The Responsible EntityORORORfailedtocompleteitsTheResponsibleEntityTheResponsibleEntityTheResponsibleEntRyapprovalofthe
dld not complete its faiEed to complete its failed to complete its identlficationsapprovaloftheapprovaloftheapprovaloftherequiredbyR1 by the
identifications identifications identifications CIPSeniorManagererrequiredbyR1bytherequiredbyR1bytherequiredbyR1bythedelegateaccordingto
CIP Senior Manager or CIP Senior Manager of OPSenler Manager or Requirement R2 within
delegate aœording to delegate according to delegate according to 18 ealendar months ofRequtrementR2withinRequirementR2withinRequirement82withintheprevlousapproval.
15 calendar months 16 calender months 17 calendar months (R2.2)
but less than or equal but less than or equal but less than or equal
to 16 calendar months to 17 calendar months to 18 calendar months
of the previous of the previous of the previous
approval.R2.2}approval.R2.2)approval.(R2.2}
Page12cf34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
CIP-002-51-Cyber Security ---BES Cyber System Categorization
D.RegionalVariances
None.
L Interpretations
None.
A Associated Docunients
Wene.
PagrHof34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
CIP-002-5.1-Cyber security -BES Cyber System Categorization
CIP-002-5.1 -At.tachment 1
Impact Rating Criteria
The criteria defined in Attachment 1 do not constitute stand-alonecompliance requirements,
but are criteria characterlzing the level of impact and are referenced by requirements.
1.High Impact Rating (H)
Each BES Cyber System used by and located at any of the following:
1.1.Each Control Center or backup Control center used to perform the functional
obligations of the ReliabilityCoordinator.
1.2.Each Control Center or backup Control Center used to perform the functional
obligations of the Balancing Authority:1)for generation equal to or greater than an
aggregate of 3000 MW in a single Interconnection,or 2)for one or more of the assets
that meet criterion 2 3,2.6,or 2.9.
1.3.Each Control Center or backup Control Center used to perform the functional
obligations of the Transmission Operator for one or more of the assets that meet
criterion 2.2,2.4,2.5,2.7,2.8,2.9,or 2.10.
1.4 Each control Center or backup Control Center used to perform the functional
obligations of the Generator Operator for one or more of the assets that meet
criterion 2.1,2 3,2.6,or 2,9.
2.MetIlum Impact Rating (M)
Each SES Cyber System,not included in Section 1 above,associated with any of the following:
2.1.Commissioned generation,by each group of generating units at a single plant location,
with an aggregate highest rated net Real Power capability of the preceding 12
calendar months equal to or exceedirig 1500 MW in a single Interconnection.For each
group of generatingunits,the only BES Cyber Systems that meet this criterion are
those shared SES Cyber Systems that could,within 15 minutes,adversely impact the
reliable operation of any combination of units that in aggregate equal or exceed 1500
MW în a single Interconnection.
2.2.Each BES reactive resource or group of resources at a single location (excluding
generation Facilities)with an aggregate maximum Reactive Power nameplate rating of
1000 MVAR or greater (excluding those at generation Facilities).The only BES Cyber
Systems that meet this criterion are those shared BES Cyber Systems that could,
within 15 minutes,adversely impact the reliable operation of any combination of
resources that in aggregate equal or exceed 1000 MVAR.
Page 14 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
CIP-002-5.1-Cyber Security -BES Cyber System Categorization
2.3.Each generation Facility that its Plannîng Coordinatoror Transmission Planner
designates,and informs the GeneratorOwner or GeneratorOperator,as necessary to
avoicl an Adverse ReliabilityImpact in the Planning horizon of more than one year.
2.4.Transmission Facilities operated at 500 kV or higher.For the purpose of this crîterion,the collector bus for a generation plant is not considered a Transrnission Fatllity,but is
part of the generation interconnection Facility.
2.5.Transmission Facilities that are operating between 200 kV and 499 kV at a single
station or substation,where the station or substation is connected at 200 kV or hïgher
voltages to three or more other Transmission stations or substations and has an
"aggregate weighted value"exceeding 3000 according to the table below.The
"aggregate weighted value"for a single station or substation is determined by
summing the "weight value per line"shown in the table below for each incoming and
each outgoing BES Transmission Line that is connected to another Transmission
station or substation.For the purpose of this criterion,the collector bus for a
generation plant is not considered a Transmission Facility,but is part of the generation
interconnection Facility.
less than 200 kV (not applicable)(not applicable)
200 kV to 299 kV 700
300 kV to 499 kV 1300
500 kV and above 0
2.6.Generationat a single plant location or Transmission Facilities at a single station or
substation location that are identified by its ReliabilityCoordinator,Planning
Coordinator,or Transmission Planner as critical to the derîvationof Interconnection
Reliability Operating Limits (IROLs}and their associated contingencies.
2.7.Transmission Facilities identified as essential to meetîng Nuclear Plant Interface
Requirements.
2.8.Transmission Facilities,încludinggeneration interconnection Facilities,providing the
generation înterconnection required to connect generator outputto the Transrnission
Systems that,if destroyed,degraded,misused,or otherwise rendered unavailable,
would result in the loss of the generation Facilities identified by any Generator Owner
as a result of its application of Attachment 1,crîterion 2.1er 23,
2.9.Each Specîal Protection System (SPS),Remedial Action Scheme (RAS),or automated
switching System that operates BES Elements,that,if destroyed,degraded,misused or
otherwise rendered unavailable,would cause one or more interconnection Reliability
Operating Limits (IROLS)Violations for failure to operate as designed or cause a
reduction in one or more \ROLS if destroyed,degraded,misused,or otherwise
rendered unavailable.
Page 15 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
ClP-002-5.1-Cyber Security -BES Cyber System Categorization
2.10.Each system or group of Elernents that performs automatic Load shedding under a
common control system,without human operator initiation,of 300 MW or more
implementing undervoltage load shedding (UVLS)or underfrequencyload shedding
(UFLS)under a load shedding program that is subject to one or more requirements in
a NERC or regional reliability standard.
2.11.Each Control Center or backup Control Center,not alreadyincluded in High impact
Rating (H)above,used to perform the functional obligationsof the Generator
Operator for an aggregate highest rated net Real Power capability of the preceding 12
calendar months equal to or exceedîng 1500 MW in a single Interconnection.
2.12.Each Control Center or backup Control Center used to perform the functional
obligations of the Transmission Operator not included in High 1mpact Rating (H),
above.
2.13.Each Control Center or backup Control Center,not already included in High Impact
Rating (H)above,used to perform the functional obligationsof the Balancing
Authorityfor generation equal to or greater than an aggregate of 1500 MW in a single
interconnection.
3.Low impact Rating (L)
BES Cyber Systems not included in Sections 1or 2 above that am associated with any of the
following assets and that meet the applicability qualificationsin Section 4 -Applicability,part
4.2 -Facilities,of this standard:
3.1.Control Centers and backup Control Centers.
3.2.Transmission stations and substations.
3.3.Generation resources.
3.4.Systems and facilities critical to system restoration,including Blackstart Resources and
Cranking Paths and initial switching requirements,
3.5.Special ProtectionSystems that support the reliable operation of the Bulk Electric
System.
3.6.For Distribution Providers,Protection Systems specîfied in Applicabilitysection 4.2.1
above.
Page 16 of 24
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Technical Basis
Guidelines and Technical Basis
Section 4 -Scope of Applicability of the CIP Cyber security Standards
5ection "4.Applicability"of the standards provides important information for Responsible
Entities to determine the scope of the applicabilityof the CIP Cyber Security Requirements.
Section "4.1.Functional Entities"is a list of NERC functional entities to which the standard
applies.If the entityis registered as one or more of the functional entities listed in section 4.1,
then the NERC CIP Cyber Security Standards apply.Note that there is a qualification in section
4.1that restricts the applicability in the case of Distribution Providers to only those that own
certain types of systems and equipment listed in 4.2.
Section "4.2.Facilities"defines the scope of the Facilities,systems,and equipment owned by
the Responsible Entity,as qualified in section 4.1,that is subject to the requirements of the
standard.In additïon to the set of SES Facilities,Control Centers,and other systems and
equipment,the list includes the qualified set of systems and equipment owned by Distribution
Providers.Whîle the NERC 6tossary terrn "Facilities"ajready includes the BES characteristic,the
additlonal use of the term BES bere is meant to reinforce the scope of applicabilityof these
Facilities where it is used,especially in this applicability scoping section.This în effect sets the
scope of Facilities,systems,and equipment that is subject to the standards.This section is
especially significant in CIP-002-5.1 and represents the total scope of Facîlities,systems,andequipmenttowhichthecriteriainAttachment1apply.This is irnportant because it determines
the balance of these Facilities,systems,and equipment that are Low Impact once those thatqualifyunclertheHighandMediumImpactcategoriesarefilteredout.
For the purpose of identifying groups of I'acilities,systems,and equipment,whether by locatîon
or otherwise,the Responsible Entity identifíesassets as described in Requirement R10f CIP-
002-5.1 This îs a process famillar to Responsible Entities that have to cornpfy with versions 1,2,
3,and 4 of the CIP standards for Critical Assets.As in versions 1,2,3,and 4,Responsible Entities
may use substations,generation plants,anel Control Centers at single site locations as
identifiers of these groups of Facilities,systems,and equipment.
CI P-002-5.1
CIP-002-5.1requires that applicable Responsible Entities categorize their BES Cyber Systems
and associated BES Cyber Assets according to the criteria in Attachment 1.A BES Cyber Asset
includes in its definition,"...that if rendered unavailable,degraded,or misused would,within 15
minutes adversely impact the reliable operationof the BES."
The following provides guidance that a Responsible Entity may use to identify the BES Cyber
Systems that would be in scope.The concept of BES reliability operating service is useful in
providing Responsible Entîties with the option of a def]ned process for scoping those BES Cyber
Page 17 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guldelines and Technical Basis
Systems that would be subject to CIP-002-51 The concept includes a number of named BES
reliability operating services.These named services include:
Dynamic Responseto BES conditions
Balancing Load and 6eneration
ControllingFrequency (Real Power)
ControilîngVoltage (Reactive Power)
Managing Constraints
Monitoring &Control
Restoration of BES
Situational Awareness
Inter-Entity Real-Time Coordinationand Communication
Responsibility for the reliable operation of the BES is spread across all Entity Registrations.Eachentîtyregistrationhasitsownspecialcontributiontoreliableoperationsandthefollowing
discussion helps identify which entity registration,in the context of those functional entities to
which these CIP.standards apply,performs which reifabilîty operat1ng service,as a processto
identify BES Cyber Systems that would be in scope.The following provides guidance for
Responsible Entitles to determine applicable reliability operationsservices accordîng to their
Function Registration type.
Dynamic Response X X X X X X
Balancing Load &X X X X X X X
Generation
Controlling Frequency X X X
ControllingVoltage X X X X
ManagingConstraints X X X
Monitoring and Control X X
Restoration X X
Situatlon Awareness X X X X
Inter-Entitycoordination X X X X X X
Dynarnic Response
The Dynamic ResponseOperatingService includes those actions performed by SES Elements or
subsystems whîch are automatically triggered to initiate a response to a BES condition.These
actions are triggered by a sîngle element or control device or a combination of these elements
or devices in concert to perform an action or cause a condition in reaction to the triggering
action or condition.The types of dynamic responses that may be considered as potentially
having an impact on the BES are:
Page 18 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Technical Basis
Spinning reserves (contingency reserves)
=Provîding actual reserve generation when called upon (GO,GOP)
Monitoring that reserves are sufficient (BA)
Governor Response
=Control system used to actuate governor response (GO)
Protection Systems (transmission &generation)
Lînes,buses,transformers,generators (DP,TO,TOP,GO,GOP)
Zone protection for breaker failure (DP,TO,TOP)
Breaker protection (DP,TO,TOP)
Current,frequency,speed,phase (TO,TOP,GO,GOP)
Special Protection Systems or Remedial Action Schemes
Sensors,relays,and breakers,possibly software (DP,TO,TOP)
Under and Over Frequency relay protection (includes automatic load shedding)
Sensors,relays &breakers (DP)
Under and Over Voltage relay protection (includes automatic load sheciding)
Sensors,relays &breakers (DP)
Power System Stabiliters(GO}
Balancing Load and Generation
The Balancing Load and GenerationOperations Service includes activities,actions andconditionsnecessaryformonitoringandcontrollinggenerationandloadintheoperations
planning horizon and in real-tîme.Aspects of the Balancing Load and Generationfunctioninclude,but are not limited to:
Calculation of Area Control Error (ACE)
Field data sources (real time tie flows,frequencysources,tîme error,etc}(TO,TOP)
Software used to perform calculation (SA)
Dernand Response
=Ability to identify load change need (BA)
Ability to implement load changes (TOP,DP)
Manually Initiated Load shedding
=Ability to identify laad change need (BA)
Ability to implement load changes (TOP,DP)
Page 19 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Technical Basis
Non-spinning reserve (contingency reserve)
Know generation status,capability,ramp rate,start time (GO,BA)
Start units and provide energy (GOP)
controllingFrequency (Real Power)
The ControllingFrequency Operations Service includes activities,actions and condîtionswhich
ensure,in real time,that frequency remains within bounds acceptable for the reliability or
operabîlity of the BES.Aspects of the ControllingFrequency function include,but are limited
to:
Generation Control (such as AGC)
ACE,current generator output,ramp rate,unit characteristics (BA,GDP,GO)
Software to calculate unit adjustments (BA}
Transmit adjustments to individual units (GOP)
Unit controls implementing adjustments (GOP)
Regulation (regulatingreserves)
Frequency source,schedule (BA)
=Governor control system (GO)
ntrobing Voltage (Reactive Power)
The Controlling Voltage Operations Service includes activities,actions and conditions which
ensure,in real time,that voltage remaíns within bourids acceptable for the reliability or
operability of the BES.Aspects of the Controlling Voltagefunction include,but are not limited
to:
Automatic Voltage Regulation (AVR)
=Sensors,stator controlsystem,feedback (GO)
Capacitive resources
Status,control (manual or auto),feedback (TOP,TO,DP)
Inductive resources (transformer tap changer,or inductors)
Status,control (manual or autol,feedback (TOP,TO,DP)
Static VAR Compensators (SVC)
Status,computations,control (manual or auto),feedback (TOP TO,DP)
Page 20 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Techn]cal Basis
ManagingConstraints
ManagingConstraints includes activities,actions and conditions that are necessary to ensure
that elements of the BES operate within design ilmits and constraints established for the
reliability and operability of the BES.Aspects of the ManagingConstraints include,but are not
limited to:
AvailableTrarisfer Capability (ATC)(TOP)
laterchange schedules (TOP,RC)
Generation re-dispatch and unit commit (GOP)
Identifyand monitor SOL's &IROL's(TOP,RC)
Identifyand monitor Flow gates (TOP,RC)
Monitoringand Control
Monitoring and Control includes those activities,actions and conditions that provide
monitoríng and control of BES Elernents.An example aspect of the Control and Operationfunctionis:
All methods of operatingbreakers and switches
SCADA (TOP,GOP)
=Substation automation (TOP)
Restoration of BE5
The Restoration of BES Operations Service includes activities,actîons and conditions necessary
to go from a shutdown condition to an operatîngcondition deliveringelectric power without
external assistance.Aspects of the Restoration of BES function include,but are not limited to:
Restoration including planned cranking path
Through black start units (TOP,GOP)
Through tie lines (TOP,GOP)
Off-site power for nuclear facîlities.(TOP,TO,BA,RC,DP,GO,GOP)
Coordination (TDP,TO,BA,RC,DP,GO,GOP)
situational Awareness
The Situational Awareness function includes activities,actions and conditions established by
policy,directive or standard operating procedure necessary to assess the current conditîon of
the BES and anticipate effects of planned and unplannedchanges to conditions.Aspects of the
Situation Awareness function include:
Page 21 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Technical Basis
Monitorîng and alerting (such as EMS alarms}(TOP,GOP,RC,BA}
Change management (TOP,GOP,RC,BA)
Current Day and Next Day planning (TOP)
Contingency Analysis (RC)
Frequency monitoring (SA,RC)
Inter-EntlityCoordination
The Inter-Entity coordînatîon and communication function includes activitîes,actions,and
conditions established by policy,directive,or standard operating procedure necessaryfor the
coordination and communication between Responsible Entities to ensure the reliability and
operability of the BES.Aspects of the Inter-EntityCoordinationand Communication function
include:
Scheduled interchange (BA,TOP,GOP,RC)
Facility operational data and status (TO,TOP,60,GOP,RC,BA)
Operationaldîrectives (TOP,RC BA)
Applicabikty to Distribution Providers
It is expected that only Distribution Providers that own or operatefacilities that qualify in the
Applicabîlity section will be subject to these Version S Cyber security standards.Distribution
Providers that do not own or operate any facility that qualifiesare not subject to these
standards.The quellficationsare based on the requirements for registration as a Distribution
Provider and on the requirements applicable to Distribution Providers in NERC Standard EOP-
005.
Requirement R1:
Requirement R1implementsthe methodologyfor the categorization of BES Cyber Systems
according to their impact on the BES.Using the tradîtional risk assessment equation,it reduces
the measure of the risk to an impact (consequence)assessment,assuming the vulnerability
index of 1(the Systems are assumed to be vulnerable)and a probability of threat of 1(100
percent).The criteria in Attachment 1 provide a measure of the Irnpact of the BES assets
supported by these BES Cyber Systems,
Responsible Entities are required to identify and categori2e those BES Cyber Systems that have
hlgh and medium impact.BES Cyber Systems for BES assets not specified in Attachment 1,
Criteria 1.1-1.4 and Criteria 2.1-2.11default to low impact.
Page 22 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Technical Basis
Attachment 1
Overall Application
In the application of the criteria in Attachment 1,Responsible Entities should note that the
approach used is based on the impact of the BES Cyber System as measured by the bright-line
criteria defined in Attachment L
When the drafting team uses the term "Facilities",there îs some latitude to Responsible
Entities to determine included Facilities.The terrn Facility is defined in the NERC Glossary of
Terms as "A set of electrical equipment that operates as a single Bulk Electric System
Element (e.g.,a Ilne,a generator,a shunt compensator,transformer,eted "in most cases,
the criteria refer to a group of Facilities in a given location that supports the reliable
operation of the BES.For example,for Transmission assets,the substation may be
designated as the group of Facilities.However,in a substation that includes equipment that
supports BES operationsalong with equipment that only supports Distribution operations,
the Responsible Entity may be better served to consider onlythe group of Facilities that
supports BES operation.In that case,the Responsible Entity may designate the group of
Facilities by location,wîth qualificationson the group of Facilities that supports retiable
operation of the SES,as the Facilities that are subject to the criteria for categorization of
BE5 Cyber Systems.GenerationFacilities are separatelydiscussed in the Generation section
below.In CIP-002-5.1,these groups of Facilities,systerns,and equiprnentare sometimes
designated as BES assets.For example,an identified BES asset may be a named substation,
generatingplant,or Control Center.Responsible Entities have flexibility in how they group
Facilities,systems,and equipment at a location.
In certain cases,a BES Cyber System may be categorized by meeting multiple criteria.In
such cases,the Responsible Entity may choose to document all criteria that result in the
categori2ation.This will avoid inadvertent miscategorization when it no longer meets one
of the criteria,but still meets another.
ft is recommanded that each BES Cyber System should be listed by only one Responsible
Entity.Where there is jointownership,it is advisable that the owning Responsible Entities
should formallyagree on the desîgnated Responsible Entity responsible for compliance with
the standards.
High Irnpact Rating (H)
This category includes those BES Cyber Systems,used by and at Control Centers {and the
associated data centers included in the definition of Control Centers),that perform the
functional obligationsof the Reliabiltty Coordinator (RC),Balancing Authority(BA),Transmission
Operator (TDP),or Generator Operator (GOP),as defined under the Tasks heading of the
applicable Function and the Relationship with Other Entities heading of the functional entity in
the NERC Functional Model,and as scoped by the qualification in Attachment 1,Criteria 1.1,
1.2,1.3 and 1.4.While those entities that have been registered as the above-named functional
entities are specifically referenced,it must be noted that there roay be agreements where some
Page 23 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Technical Basis
of the functional obligationsof a Transmission Operator may be delegated to a Transmission
Owner (TO).In these cases,BES Cyber Systems at these TO Control Centers that perform these
functîonalobligations would be subject to categorization as high impact.The criteria notably
specifically emphasize functional obligations,not necessarily the RC,BA,TOP,or GOP facilities.
One must note that the definition of Control Center specîfically refers to reliability tasks for RCs,
Bas,TOPs,and GOPs.A TO BES Cyber System în a TO facility that does not perform or does not
have an agreement with a TOP to perform any of these functional tasks does not meet thedefinitionofaControlCenter.However,if that BES Cyber System operates any of the facilities
that meet criteria in the Medium Impact category,that BES Cyber System would be categorized
as a Medium impact BES Cyber System.
The 3000 MW threshold defined in criterion 1,2 for BA Control Centers provides a sufficient
differentiation of the threshold defined for Medium Impact BA Control Centers.An analysis of
BA footprints shows that the majority of Bas with significant impact are covered under thiscriterion.
Additional thresholds as specified in the criteria apply for this category.
Medium Impact Rating (M)
Generation
The criteria in Attachment 1's medium impact category that generally apply to Generation
Owner and Operator (GO/GOP)Registered Entities are criteria 2.1,2.3,2.6,2.9,and 2.11.
Criterion 2.13 for BA control Centers is also included here.
Criterion 2.1designates as medium impact those BES Cyber Systerns that impact generation
with a net Real Power capability exceeding 1500 MW.The 1500 MW criterion îs sourced
partly from the Contingency Reserve requirements in NERC standard BAL-DO2,whose
purpose is "to ensure the Balancing Authorityis able to utili2e its Contingency Reserve to
balance resources and demand and return Interconnection frequency within defined limits
following a Reportable Disturbance."In particular,it requires that "as a minimum,the
Balancing Authorityor Reserve Sharing Group shall carry at least enough contingency
Reserve to cover the most severe single contingency."The drafting team used 1500 MW as
a number derîved from the most significant contingency Reservesoperated in various Bas
in all regions,
in the use of net Reat Power capability,the drafting team sought to use a value that could
be verified through existing requirements as proposed by NERC standard MOD-024 and
current development efforts in that area.
By using 1500 MW as a bright-line,the intent of the drafting team was to ensure that BES
Cyber Systems with common mode vulnerabilities that could result in the loss of 1500 MW
or more of generation at a single plant for a unit or group of units are adequatelyprotected.
Page 24 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Technical Basis
The drafting team also used additional time and value parameters to ensure the brightdines
and the values used to measure against them were relatively stable over the review period.
Hence,where multiple values of net Real Power capabîlity could be used for the Facilities'
qualification against these bright-lines,the highest value was used.
In criterion 23,the drafting team sought to ensure that BES Cyber Systems for those
generationFacîlities that have been designated by the Planning Coordinatoror
Transrnission Planner as necessary to avoid BES Adverse Reliabilityimpacts in the planning
horizon of one year or more are categorized as medium impact.In specifying a planning
horizon of one year or more,the intent is to ensure that those are uníts that are identified
as a result of a "long term"reliability planning,i.e that the plans are spanning an operating
period of at least 12 months:it does not mean that the operating day for the unit is
necessarîly beyondone year,but that the period that is being planned for is more than 1
year:it is specificaFly intendedto avoid designating generation that is required to be run to
remediate short term emergency reliability issues,These Facîlities may be designated as
"ReliabilityMust Run,"and this designation is distinct from those generation Facilities
designated as "must run"for market stabilization purposes.Because the use of the term
"must run"creates some confusion in many areas,the drafting team chose to avoid using
this term and instead drafted the requirement in more generic reliability language.In
particular,the focus on preventing an Adverse ReliabilityImpact dictates that these units
are designated as must run for reliability purposes beyond the local area.Those units
designated as must run for voltage support in the local area would not generally be given
this designation.In cases where there is no designated Planning Coordinator,the
Transmission Planner is included as the Registered Entity that performs this designation.
If it is determined through System studies that a unit must run in order to preserve the
reliability of the BES,such as due to a Category C3 contingency as defined in TPL-003,then
BES Cyber Systems for that unit are categorized as medium impact.
The TPL standards require that,where the studies and plans indicate additional actions,that
these studies and plans be communicated by the Planning Coordinator or Transmission
Rlanner In writing to the Regional Entity/RRO.Actions necessary for the implementation of
these plans by affected parties (generationowners/operators and Reliability Coordinators
or other necessary party)are usually formalized in the form of an agreement and/or
contract.
Criterion 2.6 includes BES Cyber Systems for those GenerationFacilities that have been
identified as critical to the derivation of IROLs and their associated contingencies,as
specified by FAC-014-2,EstabHsh and Communicate System Operating Limits,RS.1.1 and
RS.1.3.
IROLs roay be based on dynamic System phenomena such as instability or voltage collapse.
Derivation of these IROLs and their assecíated contingencies often considers the effect of
generation inertia and AVR response.
Page 25 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Technical Basis
Criterion 2.9 categorizes BES Cyber Systems for Special Protection Systems and Remedial
Action Schemes as medium împact.Special Protection Systems and Remedial Action
Schemes may be implernentedto prevent disturbances that would result in exceeding IROLs
if they do not providethe function required at the time it is requiredor if it operates
outsîde of the parameters it was designed for.Generation Owners and GeneratorOperators
which own BES Cyber Systems for such Systems and schemes designate them as medium
impact.
Criterion 2.11 categori2es as medium impact BES Cyber Systems used by and at Control
Centers that perform the functional obligationsof the GeneratorOperator for an aggregate
generationof 1500 MW or higher in a single interconnection,and that have not already
been included in Part 1.
Criterion 2.13 categorizes as medium impact those BA Control Centers that "control"1500
MW of generation or more in a single interconnection and that have not already been
included In Part 1 The 1500 MW threshold is consistent with the irnpact level and rationale
specified for Criterion 2.1.
Transmission
The SDTuses the phrases "Transmission Facilities at a single station or substation"and
"Transmission stations or substations"to recognize the existence of both stations and
substations.Many entities in industry consider o substationto be a location with physical
borders (i.e.fence,wall,etc.)that contains at least an autotransformer.Locations also exist
that do not contain autotransforrners,and many entities in industry referto those locotlons as
stations (or switchyards).Therefore,the SDTchose to use both "statlon"and "substation"to
refer to the locations where groups of Transmission Facilities exist.
Criteria 2.2,2.4 through 2.10,and 2.12 in Attachment 1 are the critería that are applicable
to Transmission Owners and Operators.In many of the criteria,the impact threshold is
definedas the capabiFity of the failure or compromise of a System to result in exceeding one
or more interconnection Reliability Operating Limits (IROl.5).Criterion 2.2 includes BES
Cyber Systems for those Facilities in Transmission Systems that provide reactive resources
to enhance and preserve the reliability of the BES.The nameplate value is used here
because there is no NERC requirement to verify actual capability of these Facilities.The
value of 1000 MVARs used in this criterion is a value deemed reasonable for the purpose ofdeterminingcríticality.
Críterion 2.4 includes BES Cyber Systems for any Transmission Facility at a substation
operated at 500 kV or higher.While the drafting team felt that Facilitîes operated at 500 kV
or higher did not require any further qualification for their role as components of the
Page 26 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Technical Basis
backbone on the interconnected BES,Facilities in the lower EHV range should have
additional qualifying criteria for inclusion in the medium impact category.
It must be notecl that if the collector bus for a generation plant (i.e.the plant is smaller in
aggregate than the threshold set for generation in Criterion 2.1)is operated at 500kV,the
collector bus should be considered a Generation Interconnection Facility,and not a
Transmission Facility,according to the "Final Report from the Ad Hoc Group for Generation
Requirements at the Transmission Interface."This collector bus would not be a facility for a
medium impact BES Cyber system because it does not signifícantly affect the 500kV
Transmission grid;it only affects a plant whîch is below the generationthreshoicL
Criterion 2.5 includes BES Cyber Systems for facilities at the lower end of BES Transmission
with qualifications for inclusion if they are deemed highly likely to have significant impact
on the BES.While the criterion has been specified as part of the rationale for requiring
protection for significant impact on the BES,the drafting team included,in this criterion,
additional qualifications that would ensure the required level of impact to the B£5,The
drafting team;
Excluded radial facilities that would only provide support for single generation
facilities.
Specified interconnection to at least three transmission statîons or substations to
ensure that the level of impact would be appropriate.
The total aggregated weighted value of 3,000 was derived from weighted values related to
three connected 345 kV lines and five connected 230 kV lines at a transmission statîon or
substation.The total aggregated weighted value is used to account for the true impact to
the BES,irrespective of lîne kV rating and mix of multiple kV rated lines.
Additionally,in NERC's document "Integrated Risk Assessrnent Approach -Refinement to
Severity Risk Index",Attachment 1,the report used an average MVA lîne loading based on
kV rating:
230 kV ->700 MVA
345 kV->1,300 MVA
500 kV ->2,000 MVA
765 kV ->3,000 MVA
In the terms of applicable Ifnes and connecting "other Transmission stations or substations"
determinations,the following should be considered:
For autotransformers in a station,Responsible Entities have flexîbîlityin determiníng
whether the groups of Facilities are considered a single substation or station
location or rnultiple substations or stations.In most cases,Responsible Entit[es
Page 27 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelînes and Technical Basis
would probably consider them as Facilities at a single substation or station unless
geographically dispersed.In these cases of these transformers being within the
"fence'of the substation or station,autotransformers may not count as separate
connections to other statîons.The use of common BES Cyber Systems may negate
any rationale for any consideration otherwise.In the case of autotransformersthat
are geographically dispersed from a station location,the calculation would take into
account the connections in and out of each station or substation location.
Multiple-point (or multiple-tap)lines are considered to contribute a single weight
value per line and affect the nornber of connections to other stations.Therefore,a
single 230 kV roultiple-point line between three Transmission stations or substations
would contribute an aggregated weighted value of ¯/00 and connect Transmission
Facilities at a single station or substation to two other Transmission stations or
substations.
Multiple lines between two Transmission stations or substations are considered to
contribute multiple weight values per line,but these multiple lines between the two
stations only connect one station to one other station.Therefore,twa 345 kV lines
between two Transmission stations or substations would contribute an aggregated
weighted value of 2600 and connect Transmission Facilities at a single station or
substation to one other Transmission station or substation,
Criterion 25s qualification for Transrnission Facilities at a Transmission station or
substation is based on 2 distinct conditions.
1.The first condition is that Transmission Facilities at a single station or substation
where that station or substation connect,et voltage levels of 200 kV or higher
to three (3)other stations or substations,to three other stations or substations.
This qualification is meant to ensure that connections that operate at voltages
of 500 kV or higher are included in the count of connections to other stations or
substations as well
2.The second qualification is that the aggregate value of all lines entering or
leaving the station or substatîon must exceed 3000.This qualification does not
include the considerationof lines operating at lower than 200 kV,or 500 kV or
higher,the latter already qualifyingas medium impact under criterion 2.4.:
there is no value to be assigned to fines at voltages of less than 200 kV or 500 kV
or higher in the table of values for the contribution to the aggregate value of
3000.
The Transmission Facilities at the station or substation must meet both qualificationsto be
considered as qualified under criterion 2 5.
Criterion 2.6 include BES Cyber Systems for those Transmission Facilities that have been
identified as critical to the derivatlon of IROLS and their associated contingencies,as
Page 28 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Technical Basis
specified by FAC-014-2,Establish and Communicate System Operating Limits,R5.1.1 and
RS.1.3.
Criterion 2./is sourced from the NUC-001 NERC standard,Requîrement R9.2.2,for the
support of Nuclear Facilities.IVUC-DO1 ensures that reliability of NPIR'sare ensured through
adequate coordination between the Nuclear Generator Owner/Operator and its
Transmission provider "for the purpose of ensuring nuclear plant safe operation and
shutdown."In particular,there are speelfic requirements to coordinate physical and cyber
security protection of these interfaces.
Criterion 2.8 designates as medium impact those BES Cyber Systems that impact
Transmission Facilities necessary to directly support generation that meet the criteria in
Criteria 2.1 (generation Facilities with output greater than 1500 MW)and 2.3 (generation
Facilities generaNy designated as "must run"for wide area reliability in the planning
horizon).The Responsible Entity can request a formal statement from the Generation
owner as to the qualification of generation Facilities connected to their TransmlSSIOn
systems.
Criterion 2.9 designates as medium impact those bis Cyber Systems for those Special
Protection Systems (SPS),Remedial Action Schemes (RAS),or automated switching Systems
installed to ensure BES operation within IROLs.The degradation,compromise or
unavailability of these BES Cyber Systems would result in exceeding IROLs îf they fail to
operate as designed.By the definition of IROL,the loss or compromise of any of these have
Wide Area impacts.
Criterion 2.10 designates as medium impact those BES Cyber Systems for Systems or
Elements that perform automatic Load shedding,without human operator initiation,of 300
MW or more.The SDT spent considerable time discussing the wording of Criterion 2.10,
and chose the term "Each"to represent that the criterion applied to a discrete System or
Facility.In the drafting of thîs criterion,the drafting team sought to include only those
Systems that did not require human operator initiation,and targeted în particular those
underfrequency load shedding (UFLS)Facilities and systems and undervoltage load
shedding (UVLS)systems and Elements that would be subject to a regional Load shedding
requirement to prevent Adverse Reliability Impact.These include automated UFLS systems
or UVLS systems that are capable of Load shedding 300 MW or more,It should be noted
that those qualifying systems which require a human operator to arm the system,but once
armed,trigger autornatically,are still to be considered as not requiring human operator
initiation and should be designated as medium impact.The 300 MW threshold has been
defined as the aggregate of the highest MW Load value,as defined by the appilcable
regional Load Shedding standards,for the preceding 12 months to account for seasonal
fluctuations.
This particular threshold (300 MW)was provided in GP,Version 1.The SDT believes that
the threshold should be lower than the 1500MW generation requirement since it is
specifically addressing UVLS and UFLS,which are last ditch efforts to save the Bulk Electric
Paµ29 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Technical Basis
System and hence requires a lower threshold.A review of UFLS tolerances defined within
regional reliability standards for UFLS program requirements to date indicates that the
historical value of 300 MW represents an adequate and reasonable threshold value for
allowable UFLS operational tolerances.
In ERCOT,the Load acting as a Resource ("LaaR")Demand Response Program is not part of
the regional Joad shedding program,but an ancillary services market.In general,similar
demand response programs that are not part of the NERC or regional reliability Load
shedding programs,but are offered as components of an ancillary services market do not
qualify under this criterion.
The language used in section 4 for UVLS and UFLS and in criterion 2.10 of Attachment 1 is
designed to be consîstent with requirements set in the PRC standards for UFLS and UVLS.
Criterion 2,12 categorizes as medium impact those BES Cyber Systems used by and at
Control Centers and associated data centers performing the functional obligations of a
Transmission Operator and that have not already been categorized as high impact.
Criterion 2.13 categorizes as Medium impact those BA Control Centers that "control"1500
MW of generation or more in a single Interconnection.The 1500 MW threshold is
consistent with the impact level and rationalespecified for Criterion 2.L
Low Impact Rating (L)
BES Cyber Systems not categorized in high impact or medium Impact default to low impact,
Note that low impact BES Cyber Systems do not require discrete identification.
Restoration Facilities
Several discussions on the CIP Version 5 standards suggest entitîes owning Blackstart
Resources and Cranking Paths might elect to remove those services to avoid higher
compliance costs.For example,one Reliability Coordinator reported a 25%reduction of
Blackstart Resources as a result of the Version 1 language,and there could be more entities
that make thîs choice under Version 5.
In response,the CIP Version 5 drafting team sought informal input from NERC's Operating
and Planning Committees.The committees indicate there has already been a reduction in
Blackstart Resources because of increased CIP compliance costs,environmental rules,and
other risks;continued inclusion within Version 5 at a category that would very significantly
increase compliance costs can result in further reduction of a vulnerable pool.
The drafting team moved from the categorization of restoration assets such as Blackstart
Resources and Cranking Paths as mediurn impact (as was the case in earlier drafts)to
categorization of these assets as low impact as a result of these consîderations.This will
not relieve asset owners of all responsibilities,as would have been the case in CIP-002,
Versions 1-4 (sînce only Cyber Assets with rautable connectivity which are essential to
Page 30 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Technical Basis
restoration assets are includeel in those versions).Under the low împact categorization,
those assets will be protected in the areas of cyber security awareness,physical access
control,and electronic access control,and they will have obligations regarding incident
response.This represents e net gain to bulk power system reliability,however,since many
of those assets do not meet criterîa for inclusion under Versions 1-4.
Weîghing the risks to overall BES reliability,the drafting team deterrnined that this re-
categorization represents the option that would be the least detrimental to restoration
function and,thus,overalt BES reliability.Removing Blackstart Resources and Cranking
Paths from medium impact promotes overall reliability,as the likely alternative is fewer
Blackstart Resources supportingtimely restoration when needed.
BES Cyber Systems for generation resources that have been designated as Blackstart
Resources In the Transmission Operator's restoration plan default to low impact.NERC
Standarcl EOP-005-2 requires the Transmission Operator to have a Restoration Plan and to
list its Blackstart Resources in its plan,as well as requirements to test these Resources.This
criterion desîgnates only those generation Blackstart Resources that have been designated
as such in the Transmission Operator's restoration plan.The glossary terrn Blackstart
Capability Plan has been retired.
Regarding concerns of communication to BES Asset Owners and Operators of their role in
the Restoration Plan,Transrnission Operators are required in NERC Standard EOP-005-2 to
"provide the entitîes identified in its approved restoration plan with a description of any
changes to their roles and specific tasks prior to the implementation date of the plan "
BES Cyber Systems for Facilities and Elements comprîsîng the Cranking Paths and meeting
the initial switching requirements from the Blackstart Resource to the first interconnection
point of the generation unit(s)to be started,as identified in the Transrnission Operator's
restoration plan,default to the category of low impact:however,these systems are
explicitly caFled out to ensure consideration for inclusîon in the scope of the version S CIP
standards.This requirement for inclusion in the scope îs sourced from requirements in
NERC standard EOP-005-2,which requires the Transmission Operator to include in its
Restoration Plan the cranking Paths and initial switching requirements from the Blackstart
Resource and the unit(s)to be started.
Distribution Providers may note that they may have BES Cyber Systems that must be scoped
in if they have Elements listed in the Transmission Operator's Restoration Plan that are
components of the Cranking Path.
Page 31ef 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guideliries and Technîcal Basis
Use Case:CIP Process Flow
The following CP use case process flow for a generator Operator/Owner was provided by a
participant in the development of the Version 5 standards and is providedhere as an exampleofaprocessusedtoidentîfyandcategorizeBESCyberSystemsandBESCyberAssets;review,
develop,and implement strategies to mitigate overall risks;and apply applicable security
controls.
Overview (Generation Facility)
Menufy &Caimportze BESCgsr iAssetsarmiBESCgarSystemsI¯"----------""-------i
Evalusta paterdia!Pitysical SectMig
PerfinetersEnginagringswisionetoreductImpactaBESCyberSystemhaaon
a FoollIV
Engineering revisions to reduce orr--¯¯^^¯¯¯¯"--'--------ohminata phydcal eraa¢
Evaluets BESCyber Assets and SESCybersystemsforExte¢nal Routablec....eu.ny
la=ury n==ireweenisurayEnginnedogrevisionstoreduceorPartmalaisandPigslaatAcomensilminabaExternetRoutableCanbeiSyntamsConnacilvilâ€
MenttFy final Electronic AccessPoirdsandElectonioAcesasCordrolSystems Apply securny ConWole based on
appilombHity
I
ING 0 revislain wil need to be reviamedintcastluetWesNes4 aparaklonansmistyimpammeste,emppen toquhamerna,undischnical Emaanene.
Page 32 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Technical Basis
Rationale:
During development of this standard,text boxes were embeddedwithin the standard to explain
the rationale for various parts of the standard.Upon BOTapproval,the text from the rationale
text boxes was moved to this section.
Rationalefor R1:
BES Cyber Systems at each site location have varyingImpact on the reliable operation of the
Bulk Electric System.Attachment 1 provides a set of "bright-line"criteria that the Responsible
Entity must use to identify these BES Cyber Systems in accordance with the impact on the BES.
BES Cyber Systems must be identified and categorized according to their impact so that the
appropriate measures can be applied,commensurate with their impact.These împact
categories will be the basis for the application of appropriate requirements in CIP-003-CIP-011
Rationalefor R2:
The lists required by Requirement R1ere reviewed on a periodic basis to ensure that all BES
Cyber Systems required to be categorîredhave been properly identified and categorized.The
miscategorization or non-categori2ationof a BES Cyber System can lead to the application of
inadequateor non-existent cyber security controls that can lead to compromise or misuse that
can affect the real-time operation of the BES.The CIP Senior Manager's approvalensures
proper oversight of the process by the appropriate Responsîble Entity personnel.
Version History
1 1/16/06 R3.2 -Change "Control Center"to 3/24/06
"control center."
2 9/30/09 Modifications to clarify the
requirementsand to bring the
compliance elements into conformance
with the latest guidelines for developing
compliance elements of standards.
Removal of reasonable business
Judgment.
Replaced the RRO with the RE as a
Responsible Entity.
Rewording of Effective Date.
Changed compliance monitor to
Compliance Enforcement Authorîty.
3 12/16/09 Updatedversion number from -2 to -3.Update
Page 33 of 34
PacifiCorp Procedure 304,Remedial Action Schemes
Appendix K-CIP 002 Version 5.1
Guidelines and Technical Basis
Approvedby the NERC Board of
Trustees.
3 3/31/10 Approved by FERC.
4 12/30/10 Modîfied to add specific criteria for Update
Critical Asset identification.
4 1/24/11 Approvedby the NERC Board of Update
Trustees.
5 11/26/12 Adopted by the NERC Board of Modîfied to
Trustees.coordinate with
other CIP
standards and to
revise format to
use RBS
Template.
5.1 9/30/13 Replaced "Devices"with "Systems"in a Errata
definition in background section.
5.1 11/22/13 FERC Order issued approving CIP-CO2-
5.1.
Page34 of 34