The URL can be used to link to this page

Home My WebLink About20171218PAC to Staff Attachment Utah_DPU 10.11a.pdfREMEDIAL ACTION SCHEMES Protection &Control Procedure No.304 Author:Flo Hausler Approval:Jack Vranish AuthoringDepartment:Reliability Standards ApprovedFile Location:DFS\PDXCO\SHRO4\Publications\FPP\RLY\PRO File Number-Name:304-RAS Procedure.docx RevisionNumber:0 RevisionDate:3/12/15 Document Security Category Confidential External Restricted Critical Infrastructure Information(CII) x Internal Revision Log 0 12/15/14 Initial issue 0A 3/12/15 Final Draft J:Publications FPP RLYiPRU3íW-RAS Procedure.docr.Rev.Q.3 12 15 The most current version ofthis document is posted to engineering s websites for relayforms,policies and procedures Modification ofthis document must be authorized by engineering publications.(503)813-5096. REMEDIAL ACTION SCHEMES Protection &Control Procedure No.304 Table of Contents 1 Definitions.............................................................................................................................1 2 Scope.....................................................................................................................................1 3 Types of RAS........................................................................................................................3 4 RAS Functional Design and ApprovalProcess.................................................................5 5 RAS Design and Construction ............................................................................................6 6 RAS Operating Procedure,Testing,and Commissioning................................................6 7 RAS Performance Assessment...........................................................................................7 8 R AS M is oper at i on Re porti ng ...............................................................................................7 9 RAS Maintenance and Testing Documentation.................................................................8 Appendices A.PAC-RAS-OVERVIEW-Yale_Run-Back B.Procedure to Submit an RAS for Assessment,October 28,2013 C.Remedial Action Scheme Design Guide,November 28,2006 D.PRC-004-WECC-1 E.PRC-(012 through014)-WECC-CRT-2 Regional Criterion,September 17,2013 F.PRC-015-0 G.PRC-017-0 H.PRC-005-2 I.WECC Major RAS List,April 28,2008 J.PacifiCorp SPS,June 24,2014 K.CIP 002 Version 5.1 Procedure for Implementing a New Remedial Action Scheme (RAS)or for Modifying an Existing RAS 1 Definitions The following definitions are from the NERC Glossary. 1.1 Special Protection Systems (also called Remedial Action Schemes) An automatic protection system designed to detect abnormal or predetermined system conditions,and to take corrective actions other than and/or in addition to the isolation of faulted components to maintain system reliability.Such action may include changes in demand,generation (MW and Mvar),or system configuration to maintain system stability,acceptable voltage,or power flows.An SPS does not include (a)underfrequency or undervoltage load shedding or (b)fault conditions that must be isolated or (c)out-of-step relaying (not designed as an integral part of an SPS). 1.2 Protection Systems Protective relays that respond to electrical quantities Communication systems necessary for the correct operation of protective functions Voltage and current sensing devices providing inputs to protective relays Station DC supply associated with protective functions (including station batteries battery chargers,and non-battery-based DC supply) Control circuitry associated with protective functions through the trip coil(s)of the circuit breakers or other interrupting devices 1.3 Misoperation Any failure of a protection system element to operate within the specified time when a fault or abnormal condition occurs within a zone of protection Any operation for a fault not within a zone of protection (other than operation as back-up protection for a fault in an adjacent zone that is not cleared within a specified time for the protection for that zone) Any unintentional protection system operation when no fault or other abnormal condition has occurred unrelated to on-site maintenance and testing activity 1.4 Unresolved Maintenance Issue A deficiency identified during a maintenance activity that causes the component to not meet the intended performance,cannot be corrected during the maintenance interval,and requires follow-up corrective action 2 Scope This document describes the procedure for implementing a new RAS or modifying an existing RAS for PacifiCorp-owned RAS.Following this procedure will assist in meeting the compliance requirements of NERC reliability standards listed below: /Publications FPP RLYPR 04-RAS Procedure doc Rev 0 /15 The inost current version of this docunicar is postec/to engineerin s websites or re/a ornis policies and procedures. Modi/ication o this docunient inust he authorized b en incering publicar ons.(503)8/3-5096.Page 1 of 8 2.1 PRC-004-WECC-1:PacifiCorp must review all operations of major RAS to identify apparent misoperations within 24 hours.Within 20 business days all operations of major RAS must be analyzed for correctness.Depending on the analysis of the misoperation,PacifiCorp is required to follow R2.1,R2.2,R2.3 or R2.4 of the standard.See Appendix D. 2.2 PRC-(012 through 014)-WECC-CRT-2 Regional Criterion:PacifiCorp was required to submit the data described in the WECC Remedial Action Scheme Information Sheet (Attachment A)to WECC by April 1,2014.WECC designated the Remedial Action Scheme Reliability Subcommittee (RASRS)as the entity responsible for the WECC review procedure for proposed and existing RAS within the Western Interconnection to meet the NERC performance requirements of TPL-001through TPL-003.PacifiCorp is required to follow the process established by the RASRS to submit a RAS for review.RASRS shall ensure that each RAS reviewed meets,at a minimum the following: The Local Area Protection Scheme (LAPS)and Wide Area Protection Scheme (WAPS)are designed so that a single component failure,when the LAPS or the WAPS is intended to operate,does not prevent any portion of the interconnected transmission system within WECC from meeting the performance requirements defined in NERC reliability standards TPL-001-0,TPL-002-0,and TPL-003-0 or its successor. Inadvertent operation of the RAS meets the same performance requirements (TPL-001-0,TPL-002-0,and TPL-003-0 or their successors)as that required of the contingency for which it was designed,and does not exceed TPL-003-0 or its successor The proposed RAS will coordinate with other protection and control systems and applicable WECC emergency procedures. 2.2.1 The Operating Committee (OC)will approve the WECC review procedure for proposed and existing RAS within the Western Interconnection based upon receipt of a positive recommendation of the RASRS. 2.2.2 RASRS will review a RAS at the level of a WAPS,when requested to do so by the OC. 2.2.3 PacifiCorp is required to review the WECC RAS database for accuracy and report any changes,modifications,retirements or expansions of its RAS to WECC no later than December 31 of each calendar year. 2.2.4 PacifiCorp is required to submit any additions,changes,modifications, retirements or expansions of its RAS to RASRS prior to placing the RAS or its changes into service. 2.2.5 PacifiCorp is required to assess its RAS for operation,coordination and effectiveness at least once each five years and report the RAS assessment by sending a completed Attachment B to WECC no later than December 31 of the calendar year in which the assessment was completed. 2.2.6 PacifiCorp is required to retain the documentation to support Attachment B data for the most recent assessment study reported and provide that data to WECC within 30 days upon request. /Publications FPP RLYPR 04-RAS Procedure doc Rev 0 /15 The inost current version of this docunicar is postec/to engineerin s websites or re/a ornis policies and procedures. Modi/ication o this docunient inust he authorized b en incering publicar ons.(503)8/3-5096.Page 2 of 8 2.3 PRC 015-PacifiCorp is required to maintain a list of all RAS that are owned by PacifiCorp and review new and modified RAS per WECC procedures.See Appendix F and Appendix J. 2.4 PRC 017-This standard covers the documentation of maintenance and testing programs.Documentation must include the following:Identification of all RAS components (relays,instrument transformers,communication systems and batteries);maintenance intervals and their basis;summary of testing procedures; schedules for maintenance and testing and date last tested/maintained.This standard is being phased out and the requirements are moving into PRC 005.See Appendix G. 2.5 CIP 002-Meet the cyber security standard for RAS that are part of an Interconnection Reliability Operating Limit (IROL)or RAS components at medium security substations that are Bulk Electric System Cyber Assets (BCA).See Appendix K. 2.6 2.6 PRC 005-PacifiCorp has chosen a time-based maintenance method and is required to maintain all PacifiCorp-owned protection system components related to RAS for both PacifiCorp-owned RAS and foreign-owned RAS per the time-based intervals.Effort to correct identified unresolved maintenance issues is also required. See Appendix H. 3 Types of RAS 3.1 The WECC remedial action classifications are as follows: 3.1.1 Wide Area Protection Scheme (WAPS):A remedial action scheme whose failure to operate would result in any of the following: o Violation of TPL -001-WECC-RBP-2 System Performance RBP o Maximum load loss greater or equal to 300 MW o Maximum generation loss greater or equal to 1000 MW 3.1.2 Local Area Protection Scheme (LAPS):A remedial action scheme whose failure to operate would not result in any of the following: o Violation of TPL -001-WECC-RBP-2 System Performance RBP o Maximum load loss greater than or equal to 300 MW o Maximum generation loss greater than or equal to 1000 MW 3.1.3 Safety Net (SN):A type of remedial action scheme designed to remediate TPL 004-0 (system performance following extreme events resulting in the loss of two or more BES elements),or other extreme events.Extreme events are identified by Planners from TPL -004-1. /Publications FPP RLTPRO (W-RAS Procedure cloc Rev 0 3 12 15 The most current version o this docunicar is posted to engineerin s webstres or re/a ornis policies and procedures. Modi/ication o this </ocuntent inust he authori-ed b en incering publicar ons.(5/8)8/3-5096.Page 3 of 8 These classifications only affect the level of detail required for scheme review by the RASRS.These classifications are used to focus the review effort on the larger schemes that can have more impact on system operations. 3.2 The use of a RAS is an acceptable practice to meet the system performance requirements as defined in reliability standards TPL-001-0,TPL-002-0,and TPL-003-0.Electric systems that rely on a RAS to meet these performance requirements must ensure that the RAS is highly reliable.Each RAS owner shall document the design and functional operation of new and modified RAS. 3.3 The following is a list of scheme types that NERC and WECC do not consider to be a RAS in and of themselves: Under-frequency or Under-voltage load shedding Locally-sensing devices applied on an element to protect it against equipment damage for non-fault conditions by tripping or modifying the operation of that element,such as,but not limited to,generator loss-of-field or transformer top-oil temperature Auto-reclosing schemes Locally-sensed and locally-operated series and shunt reactive devices,FACTS devices,phase-shifting transformers,variable-frequency transformers, generation-excitation systems,and tap-changing transformers Schemes that prevent high line voltage by automatically switching the affected line Schemes that automatically de-energize a line for non-fault operations when one end of the line is open Out-of-step relaying that is not designed as an integral part of an SPS Schemes that provide anti-islanding protection (e.g.,protect load from effects of being isolated with generation that may not be capable of maintaining acceptable frequency and voltages) Protection schemes that operate local breakers other than those on the faulted circuit to facilitate fault clearing,such as,but not limited to,opening a circuit breaker to remove infeed so protection at a remote terminal can detect a fault to reduce fault duty,or bus sectionalizing/splitting/break-up schemes Automatic sequences that proceed when manually initiated solely by an operator Sub-synchronous resonance (SSR)protection schemes Modulation of HVDC or SVC via supplementary controls such as angle damping or frequency damping applied to local or inter-area oscillations A protection system that includes multiple elements within its zone of protection, or that isolates more than the faulted elements because an interrupting device is not provided between the faulted element and one or more other elements /Publications FPP RLYPR 04-RAS Procedure doc Rev 0 /15 The inost current version o this docunicar is postec/to engineerin s websites or re/a ornis policies and procedures. Modi/ication o this docunient inust he authorized b en incering publicar ons.(503)8/3-5096.Page 4 of 8 4 RAS Functional Design and ApprovalProcess PacifiCorp's template "PAC-RAS-OVERVIEW"is the document that should be populated for all new and modified RAS.Appendix A has an example of a completed template.The following are the steps that planning is required to follow to initiate a new RAS or modify an existing RAS: 4.1 Section A RAS Purpose and Overview document is completed.If an existing RAS is being modified,the original RAS Purpose and Overview document should be used to document the changes that are being proposed. 4.2 Present and gain approval from EREV that the proposed RAS is the right solution. 4.3 The Planner is responsible for notifying all neighboring entities that may be affected by RAS. 4.4 Submit to WECC RASR group for approval.See WECC's Remedial Action Scheme Design Guide (Appendix C)and Procedure to Submit a RAS for Assessment Guideline (Appendix B)for information on requirements.For WAPS,some design will be required prior to submittal to RASR. 4.5 Schemes proposed for removal should also be submitted for approval by WECC RASR prior to removal. 4.6 Notify the design group once RASR approval has been gained and provide completed section A of PAC-RAS-OVERVIEW document to the design group. 4.7 Planning is responsible for maintaining the list of PacifiCorp-owned RAS and the foreign-owned RAS that PacifiCorp owns components of the RAS.Planning submits this list to WECC annually.This list is also provided to the PRC 017/PRC 005 standard owner as changes are made. /Publications FPP RLTPRO (W-RAS Procedure cloc Rev 0 3 12 15 The most current version of this docunicar is posted to engineering s webstres or re/a orms policies and procedures. Modi/ication o this </ocuntent must he authori-ed b en incering publicar ons.(5/8)8/3-5096.Page 5 of 8 5 RAS Design and Construction PacifiCorp's template "PAC-RAS-OVERVIEW"is the document that should be populated for all new and modified RAS.Appendix A has an example of a completed template.The following are the steps that Design is required to follow to implement a new RAS or modify an existing RAS: 5.1 Section B "RAS Design"and Section C "Monitoring"is completed.If an existing RAS is being modified,the original "RAS Design"and "Monitoring"should be used to document the changes that are being proposed. 5.2 Coordination with communications engineering is required,so communication design is included in Section B and communication settings are completed. 5.3 For WAPS,the design group may need to complete some of the design prior to submittal by planning to the RASR group.Coordination with planning on requirements for RASR submittal is required. 5.4 Review of design should be submitted to the planner to ensure original intent is being achieved. 5.5 Design is responsible for completing Appendices 1,2,4,and 5 of the template. 5.6 Design is responsible for ordering materials and providing construction support. 5.7 Design is responsible for relay settings. 5.8 Design shall forward the template completed through Section C to field technical support and may need to assist field technical support with Sections D,E,and Appendix 3 of the "PAC-RAS-OVERVIEW"document. 5.9 Design shall submit final "PAC-RAS-OVERVIEW"document to P8,PRC 017/PRC 005 standard owner and to grid operations. 5.10 If identified as required in the PSRAT scoping document,the design group shall provide training to grid operations,substation operations and others on the details of the RAS operation. 6 RAS Operating Procedure,Testing,and Commissioning PacifiCorp's template "PAC-RAS-OVERVIEW"is the document that should be populated for all new and modified RAS.Appendix A is an example of a completed template.The following are the steps that technical support is required to follow to initiate a new RAS or modify an existing RAS: 6.1 Section D,"RAS Operating Procedure"and Section E,"Commissioning, Maintenance and Testing"shall be completed.If an existing RAS is being modified, the original Sections D and E should be used to document the changes that are being proposed. 6.2 Appendix 3 RAS Associated Maintenance Test Form shall be completed by technical support.This will include the functional test documentation and any testing of devices that would not follow a standard relay test form.Technical support may request assistance from the design group for the functional test documentation. 6.3 Technical support is responsible for review of the maintenance and test forms once test results have submitted.This should be completed prior to placing RAS in- service. /Publications FPP RLYPR 04-RAS Procedure doc Rev 0 /15 The inost current version of this docunicar is postec/to engineerin s websites or re/a ornis policies and procedures. Modi/ication o this docunient inust he authorized b en incering publicar ons.(503)8/3-5096.Page 6 of 8 7 RAS Performance Assessment Appendix J includes a list of all PacifiCorp-owned RAS.Planning is responsible for maintaining this list and submitting any changes to WECC. 7.1 WECC requires that all RAS be assessed for operation,coordination,and effectiveness at least every five years for compliance with NERC and WECC standards and WECC criteria. 7.2 PacifiCorp typically performs System Operating Limit (SOL)studies,daily outage planning,real time contingency analysis,or similar studies.If any violations of performance of the RAS are discovered during these studies,a Corrective Action Plan (CAP)must be developed.CAP must include a resolution and timeline to fix.If CAP solutions involve significant modifications to RAS,then those modifications must be reviewed by the RASRS through the procedures described in Section 3. 7.3 Planning is required to update the WECC RAS database annuallywith any changes (new,modified or retired)to RAS that have gained approval from RASR. 8 RAS Mis-Operation Reporting WECC requires PacifiCorp to ensure all transmission and generation misoperations of "major"RAS are analyzed and/or mitigated.See Appendix I for the list of "major"WECC RAS.Technical support is responsible for performing this analysis and recommending the mitigation.This includes all accidental or unintended RAS operations that do not meet the expected performance or RAS failures to operate that result in system performance outside the expected levels. 8.1 Grid operations shall review all operations of "major"RAS to identify apparent mis- operations within 24 hours. 8.2 Technical support shall analyze all operations of "major"RAS within 20 business days for correctness to characterize whether a misoperation has occurred that may not have been identified by grid operations. 8.3 Depending on the type of misoperation of the "major"RAS,technical support is required to meet WECC PRC 004-WECC-1 requirements.This includes submitting to WECC within 10 business days,a misoperations incident report. /Publications FPP RLTPRO (W-RAS Procedure cloc Rev 0 3 12 15 The most current version of this docunicar is posted to engineerin s webstres or re/a orms policies and procedures. Modi/ication o this </ocuntent must he authori-ed b en incering publicar ons.(5/8)8/3-5096.Page 7 of 8 9 RAS Maintenance and Testing Documentation Relays,communication equipment,CT,PT,and batteries associated with a PacifiCorp- owned RAS,as identified in Section 4 of the "PAC-RAS-OVERVIEW"document,are required to be maintained per defined intervals as established in Policy _001. 9.1 Reliability standards is responsible for notifying maintenance planning of all devices that are to be labeled in SAP as part of a specific RAS so maintenance plans can be established.This should happen prior to in-service of the RAS. 9.2 Maintenance planning ensures that testing of the individual components of the RAS and the functional test of the overall RAS are maintained and tested per established intervals,provides an annual report documenting the current planned and actual maintenanceltest dates along with the established interval,and the previous planned and actual maintenanceltest dates. 9.3 RAS components owned by PacifiCorp but that are part of a RAS owned by another entity must be maintained and tested also.The other entity is responsible for reporting the dates and intervals to WECC and may request documentation of the maintenance and testing.Operations may be involved in testing a portion of the RAS. /Publications FPP RLTPRO 04-RAS Procedure ciocx Rev 0 3 12 15 The most current version o this docunicar is posted to engineering s websites or cela ornis policies and procedures. Modi/ication o this docuntent inust be authorized b en incering publications.(503)8/3-5096.Page 8 of 8 PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT RAS Name YALE RUN-BACK Document #PAC-RAS-OVERVIEW-1001 Document numbers maintained by P&C Engineering Revision 01.03 Document_revision.Template_revision Document Date 3/27/2014 The most recent date between the document revision date and the template revision date used Contributors Name Organization Chip Carter Transmission/Area Planning Michael Payne Protection &Control Engineering Robert Skimmyhorn Relay Support Jeff Littman Substation Operations Johnny Trumps Hydro Operations Engineering (PAC Energy) Revision Name Title Document Larry Frick Transmission/Area Planning Director Approvals Greg Stratton Protection &Control Engineering Manager Steve Leistner Relay Field Technical Support Manager Steve Henderson Substations Operations Director Erik Brookhouse Design Engineering Director Ali Shafaei Hydro Operations Engineering Director (PAC Energy) RAS Milestones Description Date RAS need,proposed operation,and classification identified April 24,2012 Executive agreement that RAS is required August 9,2012 RAS capital project funding approved August 9,2012 RAS capital project design start November 17th,2012 Initial Proposal to WECC RASRS November 2013 RAS capital project design complete January 8th,2013 Detailed RAS documentation to WECC RASRS (WAPS,SN only)N/A RAS capital project construction/testing complete February 28th,2013 Executive agreement to put RAS in service February 28th,2013 RAS put into service February 28th,2013 RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 1/26 PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -...------Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT Table of Contents Section Description Page (i)PacifiCorp RAS Document Revision History 3 (ii)PacifiCorp RAS Document Template Revision History 3 (iii)References 3 (iv)Information Required to Assess the Reliability of a RAS 4 A RAS Purpose and Overview 6 B RAS Design 10 C Monitoring 16 D RAS Operating Procedures 17 E Commissioning,Maintenance,and Testing 18 F Performance and Operational History 19 Appendix 1 RAS Associated Drawing List 20 Appendix 2 RAS Associated Relay Setting Order List 21 Appendix 3 RAS Associated Maintenance Test Form 22 Appendix 4 RAS Associated Equipment Subject to NERC PRC-017 Requirements 25 Appendix 5 RAS Associated Affected Apparatuses 26 RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 2/26 PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT (i)PACIFICORPRAS Document Revision History Rev Date Description of Change 00 12/31/2013 Initial draft of document.Completed after RAS put into service. 01 3/27/2014 Updated to current template format and additional information added. (ii)PACIFICORPRAS Document Template Revision History Rev Date Description of Change 00 2/27/2013 Initial draft of document template based on WECC Procedure to Submit a RAS for Assessment,dated August 2012. 01 3/25/2014 Updated draft of document template based on the WECC Procedure to Submit a RAS for Assessment,dated October 2013. 02 3/26/2014 Moved section G (this table)to front of document and minor formatting corrections. 03 3/27/2014 Removedthe previous section (i)the WECC Procedure to Submit a RAS for Assessment document and relabeling it as references.Put the table contents ahead of the revision history sections and renumbered first three sections.Added appendix 4 and appendix 5.Minor formatting changes. (iii)References Type Date Description WECC Guideline Oct 2013 (draft)Procedure to Submit a RAS for Assessment Note:the template used to create this PacifiCorp RAS Overview Document is based on the referenced WECC guideline. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 3/26 Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT (iv)Information Required to Assess the Reliability of a RAS For all new or modified RAS,also provide information required by the WECC RAS initial or Periodic Assessment Summary as Attachment B of PRC-(012 thru 014)-WECC-CRT-2. 1 RAS Name Yale Run-Back 2 Reporting Party PacifiCorp 3 Group Conducting this RAS Assessment PacifiCorpTransmission/Area Planning 4 Assessment Date November 2012 5 Review the scheme purpose and impact to ensure proper classification a Is it (still)necessary? Yes b Does it serve the intended purpose? Yes c Does it continue to meet current performance requirements? Yes 6 The RAS assessment including Study Years The assessment was done with existing conditions,noting that the risk identified has been in place since 1958.With 310 MW of generation and two lines each with 176 MVA of capacity,loss of one line results in an overload of the surviving line.The problem is related to generation output,and not load or grid flow conditions,making future case analysis a moot point. 7 System conditions The condition that results in a TPL violation is during light load condition with the Merwin and Yale hydroelectric generation plants at maximum output,such as during spring run off or heavy local precipitation conditions. 8 Contingencies analyzed (indicate which applies:N-1,N-1-1,N-2,Extreme) With only two elements in the system,the N-1 condition poses the worst case situation where all of the generation is carried by one line only. 9 Date when the technical studies were completed April 24,2012 10 Does the RAS comply with NERC standards and adherence to WECC Criteria and TPL-001-WECC- RBP-2? Yes 11 Discuss any coordination problems found between this RAS and other protection and control systems during this (most recent)assessment. None 12 Provide a corrective Action Plan if this RAS was found to be non-compliant or had coordination problems during this (most recent)assessment (should be NA for owner's initial assessment). N/A 13 Provide the name and contact information of the person responsible for this RAS data submittal. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 4/26 PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT (iv)Information Required to Assess the Reliability of a RAS Jason Wilson PacifiCorpTransmission Planner 1407 West North Temple Salt Lake City,UT 84116 (801)220-4056 Jason.T.Wilson@PacifiCorp.com If a classification of LAPS is claimed by the Reporting Party,full scheme review by the RASRS is generally not required unless this classification is not agreed to by the RASRS.The Reporting party must provide adequate information for the RASRS to judge the proposed scheme classification.A scheme is a LAPS if all of these questions can be answered negatively. WECC TPL Regional Business Practice -WR3 violation? WECC TPL Regional Business Practice -WR1 or 2 external impact violation? Load at risk 2 300 MW? Generation at risk 2 1000 MW? If a full RASRS scheme review is not required (LAPS),the RAS owner is still responsible for meeting all of the requirements of PRC-(012 thru 014)-WECC-CRT-2.Specifically,the scheme must still satisfy requirements WR5.1-3 (single point of failure,inadvertent operation,and coordination). If a full RASRS review is required (for WAPS or SN),the following information,sections A -F must be submitted for review. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 5/26 PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT A.RAS PURPOSE AND OVERVIEW 1 Identifythe ownership of the RAS (the Reporting Party). PacifiCorp 2 Provide the name of the RAS,the purpose and the desired in-service date.Include the specific type of system problem(s)being solved,e.g.transient stability,thermal overload,voltage stability,etc. Name Yale Run-Back Purpose Prevent a line clearanceviolation or conductor damage of the Longview and Battleground lines connected to the Merwin Switching Station in the event of a sustained thermal overload of either line with the other line tripped out from a system event. Desired ISD 2/28/2013 3 Provide the owner's classification of the RAS as a LAPS,WAPS,or SN. LAPS 4 Provide the information required to populate the WECC RAS data base using the appropriate Excel spread sheet,PRC-013 template (available on the WECC web site). Scheme is already in PRC-013 database.No changes are required. 5 Provide the name(s)of person(s)within the owner's organization who is (are)responsible for the operation and maintenance of the RAS. Operation Jeff Littman 8111 NE Columbia Blvd Portland,OR 97218 Phone:(503)737-3301 Email:Jeff.Littman@PacifiCorp.com Maintenance Jeff Littman 8111 NE Columbia Blvd Portland,OR 97218 Phone:(503)737-3301 Email:Jeff.Littman@PacifiCorp.com 6 Provide a description of the RAS to give an overall understanding of the functionality and a map showing the location of the RAS.Identify other protection and control systems requiring coordination with the RAS.See "RAS Design",below,for additional information. The Yale Run-Rack Scheme is an automatic scheme located at the Merwin Switching Station.It consists of redundant SEL-751 relays connected to redundant current transformers.It is designed such that either relay sends a runback signal via Ethernet Modbus TCP/IP to the Yale Plant in the event of a sustained thermal overload of either the Longview line or the Battleground line.Each relay implements two overcurrent elements,one for summer line limits and the other for winter line limits,that are asserted based on calendar date.The runback signal automatically reducesthe generator output from the Yale plant until the overload condition is eliminated.A delay of 2 seconds from overload condition initiation to runback signal initiation has been added to avoid triggering a runback during a momentary line fault or other transient overload condition.If the runback scheme fails to eliminate the overload condition within 60 seconds of runback signal initiation,the scheme will trip breakers CB 2P26 and CB 2P27,isolating the Yale Plant from the Merwin Switching Station.No other protection and control systems require coordination with this RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 6/26 Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes ----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT A.RAS PURPOSE AND OVERVIEW scheme. Ielen COUVCT-air North Portirind 7 Provide a single line drawing(s)showing all sites involved.The drawing(s)should provide sufficient information to allow RASRS members to assess design reliability,and should include information such as the bus arrangement,circuit breakers,the associated switches,etc.For each site,indicate RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 7/26 Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT A.RAS PURPOSE AND OVERVIEW whether detection,logic,action,or a combination of these is present. 4|I scheme detection and logic is present at the Merwin Switching Station.Action occurs at both the Vlerwin Switching Station (breaker trip)and the Yale Plant (generation runback). BPA CARDWELL ARIBL LONGVIEW LINE INO LAKE LINE \No * I CB 2P27 MERWIN BATTLEGROUNDLINE VIEW CHELAT HIE YALE CHERRY GROVE TO PACW PORTLA.ND iite Detection Logic Action Vlerwin X X X lale X Cardwell (BPA) Ariel (Cowlitz County PUD) View (Clark Public Utilities) Chelatchie (Clark Public Utilities) RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 8/26 Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -....-..--Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT A.RAS PURPOSE AND OVERVIEW Cherry Grove (Clark Public Utilities) 8 Indicate the type of system reliabilitystudies performed and a list of any that are in progress. A contingency study was performed to assess the risk of overloading either line.A transient stability analysis was performed to verify the necessity of the LAPS. 9 Provide a discussion of the impact to the WECC power grid,including other protection and control systems that result from the actions taken by the proposed RAS and from its failure to operate as expected.Does a failure to operate or a misoperation impact an Intertie Path?If yes,what Intertie Path? Other than the previously mentioned load and generation loss,neither intended operation, misoperation,nor failure to operate would have any impact to the WECC power grid,any other protection and control system,or any Intertie Path. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 9/26 PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -...----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT B.RAS DESIGN 1 Describe the design philosophy (e.g.failure is to be a non-credible event). The scheme will continue to perform its intended function even while experiencing any single point of failure. 2 Describe the design criteria. Failure of a single component,element or system will not jeopardize the successful operation of the scheme. 3 RAS Logic -Provide a description of the RAS Logic in the form of written text,flow charts,matrix logic tables,timing tables,etc.as appropriate and identifythe inputs and outputs.Provide appropriate diagrams and schematics. See the logic diagram below. TEST 59¶IN101 LTO3 NOg"RELAY NOTI a S OI\TEST |FATTLEGROUND LN L'ODOUS TCUT1021 , USH(L E LAKE LINE TRPPED CUT502 TRIP CB 2P27 LONGVIEW LN iCUTbO3 i BFL CB 2P26 4 RAS Logic Hardware -Provide a description of the logic hardware (relay,digital computer,etc.)and describe how the RAS logic function is achieved. Scheme logic is implemented using separate SEL-751 relays at the Merwin Switching Station.PLCs (Programmable Logic Controllers)at both the Merwin Switching Station and the Yale Plant are used to transmit the runback signal to the Yale Plant Hydro control Center.See the functional block diagram below. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 10/26 Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT B.RAS DESIGN YALE RAS FlJNCTION BLOCK DIAGRAM REV3 MERWIN C YAL -MICROWAVE PLC I I MICROWAVE MICROWAVE I I PLC 172 16228.40 172 16.10 148 YLC MWC RAS INI ST MWC RAS 11A TRP ST MWC RAS 118 TRP ST MWC RAS 11A INI ST MWC RAS 118 INI ST MWC RAS 11A_NIT St MWC RAS 118 NtT ST YLC PLC 11A 118 17216.10141 SEL-751 SEL-751 ¯' RELAY RELAY17216.22871,172.1622872 YL1_GËN RAS_INI ST YL2 GËN RAS INI ST YL1 YL2 PLC PLC 172.16.10.139 172.16 10 140 Yale microwave digital output for Run-Back Initale isRelay11Aand118monilortheBaltiegroundLineandLongviewLineandconnected10adigitalenpulonIheniicrowavePLC.set a Run-Back Ini1sate stales (INI ST)when li had detected a Line Limit alarm >25 Yale Common PLC {YLC}monitors the RAS Initiale slatus Mewritt Common PLC (MWC)monitors the Run-Back Ittdsale stalus from the rmetowave PLC. (INI_ST)and Relay Noi In Test {NIT ST)from Relay i tA and 118 MWC energizes a digital oulput when it had detected Ihe Run·Back Initiale status Yale Generator 1 PLC (YL1)and Generator 2 PLC (YL2) (INI ST)and Relay Not in Test (NIT ST)from Relay 11A or 11B monitor the RA$Inttiale slatustromtheYLC PLC Relay 11A and 118 will ing breakers 2P26 and 2P27 if the Line Lamil alarm is not cleared after BOseconds MWC PLC will read the trip status from Relay 11A and 118 and will sel lhe trip alarm points MWC RAS 11A TRP STandMWC RAS 11B TRP ST. 5 Redundancy-Provide a discussion of the redundancy configuration and if appropriate,why redundancy is not provided.Include discussion of redundant: a Detection Separate SEL-751 relays with independent current transformers. b Power supplies,batteries and chargers Redundant power supplies,batteries,and chargers are not required.Battery and charger alarms are centrally monitored.In the event of a power supply or battery failure,generation at Merwin would automatically shut down. c Telecommunications (also mentioned in item 10d) Redundant communications paths are not required.In the event of a failure of the communications path,the scheme will trip CB 2P26 and CB 2P27 after 60 seconds from runback signal initiation.This will isolate the Yale Plant from the Merwin Switching Station. Since either line has capacity to carry the maximum output of the Merwin plant generation alone,there is no possibility of a line overload with the Yale Plant generation eliminated. d Logic controllers (if applicable) Separate SEL-751 relays.Redundant PLCs used in the communication path are not required (see section B.5.c above). e RAS trip circuits RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 11/26 Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT B.RAS DESIGN The scheme runback ramp rate is set such that the Yale generators,if fully loaded,will fully unload in about 45 seconds.With the Yale generation eliminated,the remaining line would not be overloaded.In the event of a breaker trip failure,the runback would eliminate the overload condition.Both the breaker trip and the runback would haveto fail (double point failure)prior to a line clearanceviolation or conductor damage. 6 Arming -Describe how the RAS is armed (e.g.remotely via SCADA,locally,automatic,etc.). The scheme is always armed. 7 Detection -Define all inputs to the RAS for the scheme to perform its required purpose.Examples are provided below. a Devices needed to determine line-end-status such as circuit breaker (52 a/b contacts)and disconnect status NA b Protective relay inputs See B.7.b below. c Transducer and IED (intelligent electronic device)inputs (watts,vars,voltage,current) The SEL-751 relays monitor the A-phase line current for each line.The line thermal limit for each line is set using two instantaneous overcurrent elements. d Rate-of-change detectors (angle,power,current,voltage) NA e All other inputs (e.g.set points,time from a GPS clock and wide area measurements such as voltage angle between two stations) The winter limit elements are always enabled.Using the time input from a GPS clock as reference,the summer limit elements are enabled from April 1st to October 31st. f Provide details of other remote data gathering or control equipment NA 8 Coordination with Protection and control Systems.Describeall protection and control systems interactions with the RAS,in addition to the RAS inputs described in (7)above. a System configuration changes due to RAS operation do not adversely affect protective relay functions such as distance relay overcurrent supervision,breaker failure pickup,switching of potential sources,overexcitation protection activation,or other functions pertinent to the specific relays or protection scheme. Scheme operation does not affect protective relay functions or other protection schemes. b If studies indicate that transient or sustained low voltages are expected in conjunction with elevated line flows during or after RAS operation,confirm that any protection settings on affected lines will not cause cascading outages related to the low system voltages. Scheme operation will not result in low system voltage. c Potential adverse interactions with any other protection or control systems. This scheme does not adversely affect any protective or control systems. 9 Multifunction Devices.A multifunction device is a single device that is used to perform the function of a RAS in addition to protective relaying and/or SCADA simultaneously.It is important that other applications in the multifunction device do not compromise the functionalityof the RAS when the device is in service or when is being maintained. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 12/26 Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT B.RAS DESIGN a Describe how the multifunction device is applied in the RAS. The multifunction devices used in this scheme are the following programmable logic controllers (PLC). Merwin Plant PLC -Receives the Yale runback command from SEL-751 relays then passes it on to the Merwin microwave. Yale Microwave PLC -Receives the Yale runback command from the Yale microwave then passes it on to the Yale plant PLC. Yale Plant PLC-Receives the Yale runback command from the Yale microwave PLC then passes it on to the Yale generator 1 and generator 2 PLCs. Yale Generator 1 PLC-UnloadsYale #1generatorwhen the Yale runback command is received from the Yale plant PLC. Yale Generator 2 PLC-Unloadsthe Yale #2 generator when the Yale runback command is received from the Yale plant PLC. b Show the general arrangement and describe how the multi-function device is labeled in the design and application,so as to identifythe RAS and other device functions. The PLCs are arranged as shown in the image in section B.4 (Yale Run-Back Scheme Function Block Diagram).There is no physical labeling on the PLCs to identify involvement in the Yale Run-Back scheme.Separate sections in the PLC program code identify portions of the Yale Run- Back logic. c Describe the procedures used to isolate the RAS function from other functions in the device. Portions of PLC logic for the Yale Run-Back scheme appear in their own sections.These sections are independent of PLC logic for other functions.Some portions of the PLC logic for the Yale Run-Back scheme are integrated with other sections of logic.The logic for communication and load shedding cannot be separated from these other functions. d Describe the procedures used when each multifunction device is removed from service and whether any other coordination with other protection is required. These PLCs are not removed from service without an outage of the associated generator.The normal outage process with a Compass notification would take place. e Describe how each multifunction device is tested,both for commissioning and during periodic maintenance testing,with regard to each function of the device. The PLCs involved in this system are existing and do not receive periodic maintenance testing. The health status for these PLCs is monitored by hydro SCADA system.Should a PLC fail the SCADA is configured to generate an alarm at the Hydro control Center (HCC). f Describe how overall periodic RAS functional and throughputtests are performed if multifunction devicesare used for both local protection and RAS. Periodic functional testing of the runback scheme as described in section E has no effect on the functionalityof any of the PLCs associated with this scheme. g Describe how upgradesto the multifunction device,such as firmware upgrades,are accomplished.How is the RAS function taken into consideration? PLC program logic updates are done as needed using remote access.Updates to other PLC logic will have no effect on the Yale Run-Back scheme.When the firmware is updated the PLC is taken out of service and the process as identified in B.9.d above is followed. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 13/26 Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes ----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT B.RAS DESIGN 10 Te ecommunications a Provide a graphical display or diagram for each telecom path used in the proposed RAS scheme,including extent of redundancy employed.See references.Indicate ownership of the circuits,paths,and segments.Indicate responsibility for maintenance.If a telecom circuit utilizes a public network,describe monitoring and maintenance agreements including repair response,details of availability,and how possible change of ownership is addressed.Describe maintenance agreements and response commitments when the RAS communication utilizes multiple private systems. The communication path is arranged as shown in the image in section B.4 (Yale Run-Back Scheme Function Block Diagram).The communication path does not contain any redundancy. All equipment in the communication path is owned and maintained by PacifiCorp. b Describe and list the telecommunications media and electronic equipment (e.g.microwave radio,optical fiber cable,multiplex node,power line carrier,wire pair,etc.)including redundancy employed in each telecom path.For each of the paths and segments of the RAS, identifythe type of telecom equipment employed.For example,whether analog or digital licensed microwave radio,unlicensed spread spectrum radio,fiber optic SONET node,etc are applied. The communication path consists of the Merwin plant PLC,Merwin microwave,Yale Microwave,Yale microwave PLC,Yale plant PLC,Yale generator 1 PLC and Yale generator 2 PLC.The Merwin microwave and Yale microwave are connected on PacifiCorp Licensed microwave radio.The PLCs are connected to each other with network switches with Cat5 Ethernet cable. c Provide a description of common facilities used for each RAS telecom path and segment that are not specifically excluded from redundancy by the WECC critical communication circuit design guideline (e.g.towers,generators,batteries).Identifypaths or segments routed through common equipment chassis such as Digital cross-connect System,SONET node,or router.Identify physical media carried or supported by the same structure,such as a transmission line tower,pole structure,or duct bank.Discuss outside plant and inside plant routing diversity. Entire communication path is non-redundant. d Provide a discussion of communications system performance including,circuit or path quality in terms of availability.Provide details of reliability (e.g.,availability of 99.95%),and other supporting reliability information such as equipment age,history,maintenance,etc. Telecommunication reliabilityinformation is the average overall percentage,and not point-to- point information. Communications system performance is unknown. e Provide a discussion about performance of any non-deterministic communication systems used (such as Ethernet).If RAS performance is dependent upon successful operation through a non-deterministic communications system or path,then describe how timing and latency issues will be addressed and verified.Include timing and latency planning or management and verification for initial commissioning and in the event of network modifications or additions. Identifywhich industry standard is applied. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 14/26 Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT B.RAS DESIGN PLC to PLC communications uses Modbus TCP/IP.These communication paths operate continuously at cycle rates of less than once a second.Should one of these communication paths fail an alarm will be generated at HCC.Total end to end communications latency is about 3 seconds.The latency is considered short enough to be negligible. f Acknowledge provision of appropriate high voltage entrance protection if wire pairs are used. Not applicable.Communication equipment not located in high voltage area. 11 Transfer Trip Equipment -Identifythe manufacturer and type (FSK audio tone,FS carrier,digital, etc.),and provide the logic configuration (dual channel,pilot tone,etc.).Identifywhether internal device medium is used;e.g."Relay-to-Relay"communication. Not applicable. 12 RemedialActions Initiated -Provide a functional description of the action(s)produced by the scheme and include a simplified one-line diagram of the RAS output to the end-device operated by the scheme. The runback signal automatically reduces the generator output from the Yale plant until the overload condition is eliminated.If the runback scheme fails to eliminate the overload condition within 60 seconds of runback signal initiation,the scheme will trip breakers CB 2P26 and CB 2P27, isolating the Yale Plant from the Merwin Switching Station.See the logic diagram in section B.3. 13 RemedialAction Schemes may haveelements such as engineering access,routable protocols,and sensitive design documentation included in the design that require compliance with the NERC CIP Standards.Utilities may handle CIP compliance differently.Please provide a high level overview of how your company's CIP Compliance Program requirements are incorporated into this RAS design. There are no CIP requirements for the telecommunications facilities involved with the Yale Run- Back scheme. The RASRS concern is that CIP compliance does not compromise the reliabilityof the RAS.RASRS will not assess compliance,validity or completeness of the owner's CIP program.The owner remains completely and solely responsible that its CIP program complies with NERC standards. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 15/26 Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -...------Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT C.MONITORING 1 Provide details of RAS monitoring equipment and time resolution including station alarms,SCADA monitoring,and Sequence of Events Recorders. The relay failure alarms for the runback scheme relays are continuously monitored at cycle rates of less than once a second by the Hydro control Center.See section B.10.e for communication path failure alarm description. 2 Provide details of facilities monitored including: a Equipment self-diagnostics and annunciation Relay failure alarms continuously monitored by the Hydro control center. b Initiation locations Same as section C.2.a. c Logic facilities Same as section C.2.a. d Telecommunications A communications path failure of either path will generate an alarm at the Hydro control Center. e Transfer trip equipment There is no transfer trip equipment. f RAS actions Runback action and is monitored via SCADA at the Hydro control Center. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 16/26 Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -....-..--Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT D.RAS OPERATING PROCEDURES Provide a summary of the operating procedures or the relevant Dispatch Instructions pertaining to this RAS during abnormal system conditions.Specifically addressthe operating procedures for the following situations: 1 The RAS operates incorrectly (failure to operate or false operation). Operators at HCC use manual SCADA control to run back load on the Yale generators. 2 One part of a redundant RAS system is unavailable so that complete redundancy is no longer assured. The appropriate maintenance staff is called in to investigate.No action is taken on the Yale generators. 3 Unscheduled,or unplanned and not coordinated,unavailability of the subject RAS (complete loss of RAS)impacts operation. The appropriate maintenance staff is called in to investigate.No action is taken on the Yale generators. 4 When a partial or total loss of input data required for arming decisions. The appropriate maintenance staff is called in to investigate.No action is taken on the Yale generators. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 17/26 PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT E.COMMISSIONING,MAINTENANCEAND TESTING 1 Describe the RAS commissioning and overall functional test procedure(s). Maintenance test procedure also used as commissioning and overall functional test procedure (see section E.2 below). 2 Describe the maintenance and test procedures including: a The provision of test switches and test facilities. All output test switches for breaker trip,breaker failure,and alarms are opened prior to testing.Test switches corresponding to specific functional tests are closed for the specific test step,and then reopened following completion of the test step.Dispatch and the plant control center are both contacted and clearance for testing is given prior to testing.The runback signal is isolated from the governors of the Yale generators prior to testing to avoid a generation runback during testing. b Preventive maintenance;both electrical and telecommunication. Visual inspection performed prior to maintenance testing. c Functional Testing,including system end-to-end checks. Following visual inspection and testing setup,an end-to-end functional test of the 11A relay is performed,verifying:trippingof CB 2P26,tripping of CB 2P27,and receipt of runback signal at the Yale plant.An end-to-end functional test of the 11B relay is then performed,verifying: tripping of CB 2P26,tripping of CB 2P27,and receipt of runback signal at the Yale plant.All overload conditions during functional testing are simulated for 3 seconds and 63 seconds to verify that terminating the overload condition within the 60-second runback window will prevent trippingthe breakers. d Provide the maintenance and test intervals,including any seasonal restrictions. The runback scheme will undergo maintenance testing every 4 years.No seasonal testing restrictions exist. e A copy of the Maintenance and Test Procedure(s). See Appendix 3. f A discussion of power system curtailment during maintenance and test activities. Power system curtailment is not required during maintenance and test activities. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 18/26 PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT F.PERFORMANCE AND OPERATIONAL HISTORY 1 Provide assurances that the overall performance and operating time of the RAS will meet the requirements identified in system studies. A dynamic thermal study was performed on both the Longview and Battleground lines. Calculations show that for worst case conditions,eliminating the overload condition within 90 seconds will avoid both a line clearance violation and conductor damage.This redundant design is assured to detect and eliminate an overload condition within 62 seconds by virtue of its superior hardware and excellent software.This responsetime is less than the 90 second response needed as determined by the planning study. 2 When using the existing equipment and components,such as the EMS,RAS controllers,and arming devices,address the following items as they pertain to the operational history of such equipment and procedures. a How long has the RAS been in operation and how many times has it operated? Section not applicable since this is a new scheme. b How many times has the RAS failed to operate when it should have?Provide details of causes and impacts. Not applicable. c How many times has it operated unnecessarily?Provide details of causes and impacts. Not applicable. d What modifications,if any,are planned as a result of b and c above? Not applicable. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 19/26 PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT APPENDIX 1 RAS Associated Drawing List * DRAWING#REV LOCATION TITLE 12280A01 30 MERWIN ONE LINE DIAGRAM KEY SHEET 12280A02 3 MERWIN SWITCHING STATION ONE LINE DIAGRAM 12280A03 1 MERWIN YALE RUN-BACK RELAY LOGIC 106372.001 5 MERWIN CURRENT SCHEMATIC CB 2P1 &2P3 106372.002 2 MERWIN CURRENT SCHEMATIC CB 2P2 &2P4 106372.003 3 MERWIN CURRENT SCHEMATIC CB 2P6 &2P8 106372.004 2 MERWIN CURRENT SCHEMATIC CB 2P26 &2P27 106372.005 6 MERWIN CURRENT SCHEMATIC PORTLAND &LONGVIEW LINES 108288.001 2 MERWIN PANEL LAYOUT &WIRING BREAKER FAILURE PANEL A 108288.002 2 MERWIN PANEL LAYOUT &WIRING BREAKER FAILURE PANEL A UPPER 108288.003 3 MERWIN PANEL LAYOUT &WIRING BREAKER FAILURE PANEL A LOWER 108288.004 2 MERWIN PANEL LAYOUT &WIRING BREAKER FAILURE PANEL B 108288.005 2 MERWIN PANEL LAYOUT &WIRING BREAKER FAILURE PANEL B UPPER 108288.006 3 MERWIN PANEL LAYOUT &WIRING BREAKER FAILURE PANEL B LOWER 108288.008 7 MERWIN PANEL LAYOUT &WIRING PANEL 2R ("C"BUS) 108288.009 6 MERWIN PANEL LAYOUT &WIRING PANEL 3R 108288.010 1 MERWIN PANEL LAYOUT &WIRING PANEL 2R 108288.011 1 Merwin PANEL LAYOUT &WIRING PANEL 3R 108547.013 4 MERWIN CONTROL SCHEMATIC BREAKER 2P26 108547.014 2 MERWIN CONTROL SCHEMATIC BREAKER FAILURE 2P26 108547.015 4 MERWIN CONTROL SCHEMATIC BREAKER 2P27 108547.016 3 MERWIN CONTROL SCHEMATIC BREAKER FAILURE 2P27 108547.017 4 MERWIN CONTROL SCHEMATIC PORTLAND LINE PANEL 2R 108547.018 3 MERWIN CONTROL SCHEMATIC KALAMA LINE PANEL 3R 161669.001 1 MERWIN CONTROL SCHEMATIC YALE RUN-BACK RELAY COMMUNICATIONS 163517.000 0 MERWIN DRAWING LIST *Drawing revisions as of document date.Current drawing revisions can be found in PacifiCorp's document management system. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 20/26 Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT APPENDIX 2 RAS Associated Relay Setting List * ISSUE APP ID LOCATION APPARATUS DESCRIPTION ISSUED BY DATE SET BY SET DATE 33242 MERWIN 2P26,2P27 Yale Run-Back Scheme M.Payne 2/6/2013 D.Gillum 3/22/2013 *Relay setting order app ID,issued by,issue date,set by,and set date as of document date. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 21/26 PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -...----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT APPENDIX 3 RAS Associated Maintenance Test Form North Hydro Yale Run-Back Maintenance Test Form Version1 PacifiCorp Protection and Control Technical Services Form PCF-XXX The Person(s)responsible for the job shall print their names(s)below as verification that the work has been performed correctly and the form filled out accurately.Each responsible person shall list their identifying number (1,2,3,4,or 5)in the "signed by"columns next to the results of each of the tasks they perform. Responsible person 1:Phone Number:Date: Responsible person 2:Phone Number:Date: Responsible person 3:Phone Number:Date: Responsible person 4:Phone Number:Date: Responsible person 5:Phone Number:Date: Crew:Work Order: Purpose:Scheduled Corrective Commissioning _Other Equipment Identification PacifiCorp Equipment/SAP Number For results:A =acceptable,C =corrected,U =unacceptable,NA =not applicable to this equipment For items marked "C or U",provide a detailed explanation in the comments section Visual inspection Signed by Results 1.Switchyard configuration normal "A"or not normal "U" 2.All alarms identified and or cleared 3.Verify relay is in summer position (Apr 1-Oct 31)or winter position (Nov 1-Mar 31)as applicable Testing Setup Grid Operations Signed by Results 1.Safety tailgate 2.Dispatch contacted /clearance issued as needed 3.Save all history/settings from the relay prior to testing 4.Set relay to test position (Test SW 1;Open knife SW 1-2 &5-6) 5.Make sure the 43R reclosers are in the off (normal)position for 2P26 &2P27 6.Make sure that all trip,BFI and alarm outputs are c/o at the test sw's RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 22/26 PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -...----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT APPENDIX 3 RAS Associated Maintenance Test Form Hydro control center Signed by Results 1.Contact control center 2.Verify the run down signal is isolated from the generator governor 11A Functional test of relay tripping 2P26 Signed by Results 1.c/o LOR 86BF26 outputs 2.close test SW knife sw's to the 2P26 trip and BFI 3.inject a current above 50N2P (seasonal)and leave on for 63 seconds.2P26 and LOR should not trip 4.Close input 101 (Test SW 1;Open knife SW 1-2 &5-6)putting the relay to "not in test position" 5.inject a current above 50N2P (seasonal)and leave on for 3 seconds.2P26 and LOR does not trip 6.verify run down signal reached to where the generator governor was cut out 7.inject a current above 50N2P (seasonal)and leave on for 63 seconds.2P26 and LOR trips 8.reset LOR and close 2P26 9.open test SW knife sw's to the 2P26 trip and BFI (just monitor trip and BFI outputs from test sw) 10.force relay clock to seasonal change 11.inject current above 50N1P (seasonal)for 63 seconds.Trip &BFI outputs (monitored)should close 12.note:leave clock as is as you begin testing 2P27 11A Functional test of relay tripping 2P27 Signed by Results 1.c/o LOR 86BF27 outputs 2.close test SW knife sw's to the 2P27 trip and BFI 3.inject a current above 50P1P (seasonal)and leave on for 3 seconds.2P27 and LOR does not trip 4.verify run down signal reached to where the generator governor was cut out 5.inject a current above 50P1P (seasonal)and leave on for 63 seconds.2P27 and LOR trips 6.reset LOR and close 2P27 7.open test SW knife sw's to the 2P27 trip and BFI (just monitor trip and BFI outputs from test sw) 8.reset relay clock to normal 9.inject current above 50P2P (seasonal)for 63 seconds.Trip &BFI outputs (monitored)should close 10.Check that critical relay failure alarm and run down indication is operational (proper destination) 11B Functional test of relay tripping 2P26 Signed by Results 1.check c/o LOR 86BF26 outputs 2.close test SW knife sw's to the 2P26 trip and BFI 3.inject a current above 50P2P (seasonal)and leave on for 63 seconds.2P26 and LOR should not trip 4.Close input 101 (Test SW 1;Open knife SW 1-2 &5-6)putting the relay to "not in test position" RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 23/26 PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -....-..--Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT APPENDIX 3 RAS Associated Maintenance Test Form 5.inject a current above 50P2P (seasonal)and leave on for 3 seconds.2P26 and LOR does not trip 6.verify run down signal reached to where the generator governor was cut out 7.inject a current above 50P2P (seasonal)and leave on for 63 seconds.2P26 and LOR trips 8.reset LOR and close 2P26 9.open test SW knife sw's to the 2P26 trip and BFI (just monitor trip and BFI outputs from test sw) 10.force relay clock to seasonal change 11.inject current above 50P1P for 63 seconds.Trip &BFI outputs (monitored)should close 12.note:leave clock "as is"as you begin testing 2P27 11B Functional test of relay tripping 2P27 Signed by Results 1.check c/o LOR 86BF27outputs 2.close test SW knife sw's to the 2P27 trip and BFI 3.inject a current above 50N1P (seasonal)and leave on for 3 seconds.2P27 and LOR does not trip 4.verify run down signal reached to where the generator governor was cut out 5.inject a current above 50N1P (seasonal)and leave on for 63 seconds.2P27 and LOR trips 6.reset LOR and close 2P27 7.open test SW knife sw's to the 2P27 trip and BFI (just monitor trip and BFI outputs from test sw) 8.reset relay clock to normal 9.inject current above 50N2Pfor 63 seconds.Trip &BFI outputs (monitored)should close 10.Check that Critical relay failure alarm and run down indication is operational (proper destination) Completion of relay testing Signed by Results 1.Make sure all relay alarms are reset and no trip or BFI outputs are active 2.Make sure that relay clock is in normal setting 3.Return relay 11A and 11B back to as found condition 4.Notify dispatch and Hydro control Center 5.Upon successful completion of testing,relay is ready for service and released to operations Complete in-service testing once relay is in operation. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 24/26 Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes -....-..--Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT APPENDIX 4 RAS Associated Equipment Subject to PRC-017 Requirements (including but not I mited to:relays,instrument transformers,communication equipment,batteries)* Location Type Description Merwin HE Plant Relays 11A/11B SEL-751 Multifunction Relays for CB 2P26/2P27 Merwin HE Plant Current Transformers #2,6,7,9,12,14,15,17,20,22,23,25,28,30,31,33 Merwin HE Plant Communications Merwin Hydro Plant Primary Control LAN Merwin HE Plant Batteries Merwin Plant Control House Battery *PRC-017 only lists these four types of items.However,examples of other potentially applicable PRC-017 items include:logic contro lers,control switches,SCADA controllers RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 25/26 Y PACIFICORP PacifiCorp Procedure 304,Remedial Action Schemes ----Appendix A-PAC-RAS-OVERVIEW-Yale_Run-Back PACIFICORP REMEDIAL ACTION SCHEME (RAS)OVERVIEW DOCUMENT APPENDIX 5 ItAS Associated Affected Apparatuses * Location Apparatus Description Merwin Lake 115kV Line CB 2P26/2P27 Merwin Battleground 115kV Line CB 2P3/2P4/2P8/2P27 Merwin Longview 115kV Line CB 2P1/2P2/2P6/2P26 *This list is intended to help with future capital project scoping and determine if a RAS may be impacted by the prospective project. RAS Name:Yale Run-Back 3/27/2014 Filename:304_Appendix A PAC-RAS-Overview-Yale_Run-Back-rev0103mod.docx Document #:PAC-RAS-OVERVIEW-1001-01.03 Page 26/26 PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 WECC Document name Procedure to Submit a RAS for Assessment Information Required to Assess the Reliability of a RAS Guideline Category ()Regional reliability standard ()Regional criteria ()Policy (X)Guideline ()Reportor other ()Charter Document date October 28,2013 Adoptedlapprovedby Operating Committee Date adoptedlapproved March 25,2014 Custodian (entity Remedial Action Subcommittee responsible for maintenance and upkeep) Stored/filed Physical location: Web URL: Previous namelnumber (if any) Status (X)in effect ()usable,minor formattingleditingrequired ()modification needed ()superseded by ()other ()obsoletelarchived PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 WECC Procedure to Submit a RAS for Assessment Information Required to Assess the Reliability of a RAS Guideline Revised:October 28,2013 Table of Contents Page INTRODUCTION 3 What is (and is not)a RAS?3 When is RAS Review Required?4 RAS Classifications 4 Periodic Assessments 9 WECC Remedial Action Scheme Database 9 Closed RASRS Scheme Review Sessions 10 Making a Submission to the RASRS for Scheme Review 10 INFORMATION REQUIRED to ASSESS the RELIABILITY of a RAS 12 A.RAS Purpose And Overview 12 B.RAS Design 13 C.Monitoring 16 D.RAS Operating Procedures 16 E.Commissioning,Maintenance And Testing 17 F.Performance And Operational History 17 G.Revision History 17 H.References 19 Attachment A.WECC RAS Database Information 20 Attachment B.WECC RAS Initial or Periodic Assessment Summary 22 PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 3/24 INTRODUCTION: This document provides a framework for the submission of a Remedial Action Scheme (RAS), also known as a Special Protection System (SPS),to the Remedial Action Scheme Reliability Subcommittee (RASRS)for evaluation and operation within the WECC.All RAS within WECC are required to be reviewed by the RASRS,per the PRC-(012 thru 014)-WECC-CRT-2 criterion (RAS Criterion).The RASRS will also perform detailed evaluation of a RAS at the request of appropriate WECC Committees even if such review may not have been otherwise required by the RAS Criterion. Generally,all elements of a RAS applied at any voltage level intended to remediate performance violations on the Bulk Electric System (BES)are subject to the NERC requirements for RAS.Minimum system performance requirements are identified in the TPL standards and WECC Criteria. What is (and is not)a RAS? WECC uses the NERC Glossary definition of Remedial Action Scheme (RAS),included here under NERC's commonly used term,Special Protection System (SPS), An automatic protection system designed to detect abnormal or predetermined system conditions,and take corrective actions other than and/or in addition to the isolation of faulted components to maintain system reliability.Such action may include changes in demand,generation (MW and Mvar),or system configuration to maintain system stability,acceptable voltage,or power flows.An SPS does not include (a)underfrequencyor undervoltageload shedding or (b)fault conditions that must be isolated or (c)out-of-step relaying (not designed as an integral part of an SPS).Also called Remedial Action Scheme. The NERC System Protection and Control and System Analysis and Modeling Subcommittees (SPCS and SAMS)developed a recent technical paper to,among other things,refine the definition of remedial action schemes.This paper includes more clarity for schemes that NERC does and does not consider to be RAS for its reliability /regulatory purposes.While this new definition is still only proposed,it does provide useful clarity on what types of facilities may not require review by the RASRS.Following is a list of scheme types that NERC (and WECC) does not consider to be RAS in and of themselves: a)Underfrequency or Undervoltage load shedding. b)Locally sensing devices applied on an element to protect it against equipment damage for non-fault conditions by tripping or modifying the operation of that element,such as,but not limited to,generator loss-of-field or transformer top-oil temperature. c)Autoreclosing schemes. d)Locally sensed and locally operated series and shunt reactive devices,FACTS devices,phase-shifting transformers,variable frequency transformers,generation excitation systems,and tap- changing transformers. e)Schemes that prevent high line voltage by automatically switching the affected line. RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 4/24 f)Schemes that automatically de-energize a line for non-fault operation when one end of the line is open. g)Out-of-step relaying that is not designed as an integral part of an SPS. h)Schemes that provide anti-islanding protection (e.g.,protect load from effects of being isolated with generation that may not be capable of maintaining acceptable frequency and voltage). i)Protection schemes that operate local breakers other than those on the faulted circuit to facilitate fault clearing,such as,but not limited to, opening a circuit breaker to remove infeed so protection at a remote terminal can detect a fault or to reduce fault duty,or bus sectionalizing/splitting/break-up schemes. j)Automatic sequences that proceed when manually initiated solely by an operator. k)Sub-synchronous resonance (SSR)protection schemes. I)Modulation of HVdc or SVC via supplementary controls such as angle damping or frequency damping applied to local or inter-area oscillations. m)A Protection System that includes multiple elements within its zone of protection,or that isolates more than the faulted element because an interrupting device is not provided between the faulted element and one or more other elements. When is RAS Review Required? Remedial action schemes are reviewed by WECC on the following occasions: 1)Prior to initial installation and commissioning. 2)Before significant modifications or extensions with possible impact to reliability or the intent of the scheme.A modification may be considered significant when it involves inputs,logic or outputs, major component changes, revision of the existing scheme architecture,or when a periodic assessment of operation,coordination,and effectiveness identifies that a scheme does not comply with NERC standards or WECC Criteria and the required Corrective Action Plan has identified appropriate modifications. Owners will separately inform all their neighbors who may be affected by a scheme that the scheme is being significantly modified. 3)In the event of failure of a scheme for which significant modifications will be necessary. For the purposes of RASRS review,failures shall be considered for such conditions as: accidental or unintended RAS operations that do not meet expected performance levels RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 5/24 RAS failures to operate that result in system performance outside the expected levels. 4)Removal of a scheme from service.Schemes proposed for removal should first be evaluated by the same Planning group (or appropriate successor group)as reviewed the original studies that resulted in the RAS installation or most recent modification. Examples include but are not limited to: Technical Studies Subcommittee (TSS)for schemes originally identified and reviewed through the WECC Three Phase Rating Process or the appropriate Planning Coordinator for Local Area Protection Schemes. Owners will separately inform all their neighbors who may be affected by a scheme that the scheme will be removed. RAS Classifications WECC uses the NERC RAS/SPS Glossary definition without adding exceptions or other attempts at clarification. The focus of the RASRS in reviewing a scheme includes these considerations,but it is slightly different.The NERC PRC standards identify system performance as the critical function. Acceptable system performance is described in the NERC Planning (TPL)Standards. Therefore schemes which are designed to result in system performance that meets the TPL standards are the schemes that the RASRS reviews. However,the PRC standards do provide WECC with flexibility in designing the review procedure.WECC uses this flexibility to provide more detailed reviews of RAS that may have a significant system performance impact.As an aid to identify the levels of impact,WECC classifies RAS as three types based on the scale of the event that the scheme is designed to remediate (generally in order of increasing event scale): Local Area Protection Scheme (LAPS):A Remedial Action Scheme (RAS)whose failure to operate would NOT result in any of the following: Violations of TPL-001-WECC-RBP-2 System Performance RBP Maximum load loss 2 300 MW, Maximum generation loss 2 1000 MW. Wide Area Protection Scheme (WAPS):A Remedial Action Scheme (RAS)whose failure to operate WOULD result in any of the following: Violations of TPL-001-WECC-RBP-2 System Performance RBP Maximum load loss 2 300 MW, Maximum generation loss 2 1000 MW. Safety Net (SN):A type of Remedial Action Scheme designed to remediate TPL-004-0 (System Performance Following Extreme Events Resulting in the Loss of Two or More Bulk Electric System Elements (Category D)),or other extreme events. RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 6/24 The titles of these classifications (local area,wide area)do retain a sense that a scheme may have some geographic basis.However,the actual definitions do not impose any specific geographic limits.The prospective new NERC definition of SPS closely follows these functional definitions (using "limited"and "significant"rather than "local"and "wide area"names),with the exception that WECC's Safety Net is further split into limited and significant versions of these "Planning"and "Extreme"schemes.These proposed NERC designations also intentionally de- emphasize geography as a factor in the scale and classification of a RAS. This classification method does not affect any NERC standards compliance requirements.The RAS type only affects the level of detail required for scheme review by the RASRS.The defintions are used to focus the review effort on the larger schemes that can have more impact on system operation.This is more effective for both the RASRS and individual WECC members whose schemes need review. The fact that a scheme may be fully redundant and therefore its failure can be judged not credible is not relevant to this classification.One functional method to draw the line between LAPS and WAPS is at the Transmission Planning study stage.The Planner may model "no RAS action"for the critical contingency,observe the modeled system performance,and judge the "local"versus "wide area"impact according to the bullets in the definitions.This may actually be the Planning case that originally identified the need for a RAS,even before the specific RAS functionality is identified. The WECC System Performance requirement WR3 (from the first bullet in the LAPS/WAPS definitions)applies both internal to a WECC Member system as well as between Member systems.This is unlike WR1 and WR2,which apply internally to a Member's system,or among Member systems that agree to the mutual impact.When the "both internal and external"WR3 requirement applies,then the RAS is classified as a WAPS. The Figure 1 flow chart outlines how to apply these definitions to determine which type applies to a specific RAS. RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 7/24 TPL-001-WECC-RBP-2 Extreme WECC TPL WR1 WR2,or TPL Event -N RBP --Ye Vio a n?N Ex rW 1 NOW 1MitigationViolation?Impact? Yes Yes WAPSYesNo Yes Yes Safety Net Load Loss Gen Loss >= >=300 MW N 1000 MW --Nog LAPS Figure 1.WECC Remedial Action Scheme type defintions. Historically WECC has concentrated review efforts on schemes that have larger system impact, (WAPS)even prior to adopting formal type definitions above.LAPS,while not being completely ignored,were reviewed generally only at the request of the owner or when some mis-operation raised scheme visibility within WECC. WAPS remain critically important to BES operation and still require detailed reviews.Review procedures for these schemes remain essentially unchanged.While a LAPS mis-operation will not result in a large-scale impact on the system,these schemes still require a level of WECC review to encourage reliability and document what the scheme does.Similarly,a SN may have a significant system impact,but does not have the same single point of failure requirement as a LAPS or WAPS.The overall WECC review process is outlined in Figure 2. RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 8/24 Local Area Wide Area Pratectlan Schernets Protecuon Scheme,LAPS SafetyNet,SN Scherne,WAPS Senedule Re.tem ihn!RASRS Cthair i SN or WAPS I owner pre.'idBE inf0tm3tlDn Required ...'tbr re".iew Yes owner presentationReview.To RASRS meeting i upon OC Request?SN WAPS Con1m DN Conlirm WAPS No systern systern perrbrrn ance performance for for single point of Owner prepares |RABRD enecks coordnation and failure,coordnation rEspODES to classtlicatlan ina erient and inadverten1 can ris operation operation TReutemsystemInmal RAGRSperliorrnanceforAssessmentsinglepointer railure,coordnation and inadvertenioperation Needs RASRS Cond donal RAGRS speames*Accepted conditions for 1011 ?acceptance Inmal RAGRS Work AcceptedAssessment FuEyAccepted RAGRS RASRS updates Accepted WECC PRC-D13 I y ,database No RAGRS enair NotmeE 101Ein3i $0Cumen131100WECCOpEf30DObyOWngt,IncludhgCornmrtteeatnextPRC-D15 data base1seneduledmeetirg Figure 2.WECC Remedial Action Scheme review process. WAPS are examined by the RASRS at the level of detail necessary to provide an "outside" review to ensure satisfying the requirements of PRC-012-0. RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 9/24 Safety Nets are generally reviewed at a slightly lower level of detail than WAPS because the TPL standard does not require that such extreme events actually be remediated.The RAS Criterion does not require the same single point of failure performance (PRC-012-0,R1.3)as LAPS or WAPS,but still requires that system performance for inadvertent operations (PRC- 012-0,R1.4 and RAS Criterion WR5.2)and coordination with other protection and control systems (PRC-012-0,R1.5 and RAS Criterion WR5.3)is satisfied. LAPS reviews are more limited.The RASRS will review the owner's classification and apparent conformance of the scheme to RAS Criterion WR5.1-3 (single point of failure, inadvertent operation,and coordination),and initial assessment.If the RASRS disagrees with the owner's classification,the RASRS will assign the appropriate classification and review the scheme at that level. The WECC review process is not intended to limit making urgent modifications to a scheme if necessary to maintain BES reliability.However,the reporting party is expected to submit any such urgent modifications to the RASRS for review expeditiously.Reviews of this nature should be rare,but a review generally can be scheduled via conference call on short notice when required. Periodic Assessments PRC-014 and PRC-(012 thru 014)-WECC-CRT -2 WR10 require that all RAS be assessed for operation,coordination,and effectiveness at least every five years for compliance with NERC and WECC standards and WECC Criteria. WECC recognizes that most,if not all members include RAS installed on their systems in System Operating Limit (SOL)studies,daily outage planning,real time contingency analysis (RTCA)or similar studies,typically at least annually.If any violations of performance requirements are discovered during SOL or other studies,a Corrective Action Plan (CAP)must be developed. Only the RAS owner is in a position to develop and follow through on such a CAP.The NERC Glossary only indicates that the CAP must identify a solution that will fix the identified problem(s)and a timetable when the solution(s)will be implemented.If the CAP solutions involve significant modifications to a RAS (see above),then those modifications must be reviewed by the RASRS through the procedures described in this document. The information that should be included in the assessment is based on the requirements of PRC-014-0 R3.1-5 and outlined in Attachment B.The same summary information is also needed for the initial review of a new RAS.The RAS database (below)keeps track of when the most recent assessment occurred,but WECC needs to review the owner's most recent assessment and summary within a 5-year schedule. WECC Remedial Action Scheme Database The PRC-013 standard and the RAS Criterion require that WECC create and maintain a database of all RAS within WECC.This database has been created and is maintained by the RASRS in the form of an Excel spreadsheet.The RAS Criterion Attachment A,WECC RAS Database Information,provides explanations of the contents of the database.This information is also included as Attachment A in this document.A template of the database with several examples is available on the WECC web site,PRC-013 RAS Template, RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 10/24 http://www.wecc.biz/committees/StandinqCommittees/OC/RASRS/RASRS%20Database%20Li brary/Forms/Allltems.aspx The owner (reporting party)for each new or modified RAS is required to fill in the database information in the template spreadsheet.The completed template should be submitted electronically as part of the material required for scheme review by the RASRS.Schemes scheduled for removal need simply include "SCHEME REMOVED"or a similar phrase in the description for the specific scheme. The RAS Criterion also requires annual reporting of any updated scheme information (if needed).This annual reporting should use the PRC-013 RAS Template or the current RAS Database (also available on the WECC web site with separate versions for each owner (reporting party)).This process is intended to keep the RAS database up to date. When a scheme has been reviewed and achieved either full or conditional acceptance by RASRS (as shown in Figure 2),the scheme data is incorporated in the WECC RAS database. The status of scheme conditions (if any)and full acceptance is tracked separately from the WECC RAS database. Closed RASRS Scheme Review Sessions Schemes reviewed by RASRS often include facilities classified as Critical Assets,and, depending on implementation,may contain Critical Cyber Assets,BES Cyber Assets or BES Cyber Systems as part of implementing the functionality that the RASRS reviews.The information which RASRS requests and reviews includes at least some aspects of operational procedures,incident response plans,and network topology or similar diagrams.It is also common for presentations to include some floor plan and equipment layout information in the form of pictures or diagrams. In addition,much of the scheme information requested and discussed is of greater sensitivity than the information specifically listed in the NERC CIP Critical Cyber Asset Information (CCAI) requirement and therefore is expected to be protected.This may include confidential, restricted,or other non-public documents.Some companies have a requirement that CCAl and other restricted information may only be transmitted with a nondisclosure agreement (NDA)in place.If information of this nature were omitted from the RASRS presentations and discussions,or if it were less detailed,the review process would be hampered and less effective. The RASRS Chair may propose a scheme review in closed session with appropriate notification in the publicly-posted meeting agenda before the RASRS meeting.The scheme owner may request that the RASRS review occur in closed session in time to provide adequate notice of the potential closed session.Closed sessions are subject to a 2/3 vote of RASRS members present.Participants in and observers of such closed session discussions,including RASRS members,may need to sign an appropriate NDA. Making a Submission to the RASRS for Scheme Review 1.Discuss the proposed RAS with the RASRS Chair.If the Chair,or the RASRS designee, determines that the documentation is sufficiently complete,a review will be scheduled at the next in-person meeting of the RASRS.If schedules require,a separate RASRS meeting may be scheduled (either in-person or via web/phone communications). RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 11/24 2.The presenter(s)will supply copies of the completed documentation,including the Information Required to Assess the Reliability of a RAS (following section of this document) to the RASRS members,to be received prior to the presentation date so members have sufficient time for review.The necessary mailing information may be requested from the RASRS Chair.Electronic copies are acceptable provided that the documents can be opened by using standard MS Office or Adobe *.pdf products,and provided that no special software tools are required.It is the responsibility of the presenter(s)to insure that all submitted materials,attachments,presentation material,and handouts are clearly legible. Electronic documents may also be submitted to the RASRS through the WECC web site, chair,or WECC staff. 3.The RAS will be included in the WECC RAS database on the WECC RASRS web site (but subject to limited access due to the sensitive nature of the data)for record purposes and for periodic review as part of the WECC/NERC certification process.The database is updated as new schemes are added or existing schemes are modified,retired,or expanded and as part of the annual review and periodic assessments by RAS owners (reporting parties) required by PRC-(012 thru 014)-WECC-CRT-2 . 4.Scheme modifications may include changes to the hardware,transfer levels,or any change with possible impact to the overall functionality,timing,or redundancy level approved at the time of the original submission for approval.The RAS applicant,participant,or owner -the "Responsible Party"--is required to prepare a summary of salient features of the RAS for inclusion in the database as part of the documents submitted for review. RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 12/24 Information Required to Assess the Reliabilityof a RAS For all new or modified RAS,also provide information required by the WECC RAS Initial or Periodic Assessment Summary as Attachment B of PRC-012 through 014 WECC-CRT-2 (included as Attachment B of this document):. 1)RAS Name 2)Reporting Party 3)Group Conducting this RAS Assessment 4)Assessment Date 5)Review the scheme purpose and impact to ensure proper classification,is it (still) necessary,does it serve the intended purpose,and does it continue to meet current performance requirements. 6)The RAS assessment including Study Years 7)System Conditions 8)Contingencies analyzed 9)Date when the technical studies were completed 10)Does the RAS comply with NERC standards and adherence to WECC Criteria and TPL- 001-WECC-RBP-2 11)Discuss any coordination problems found between this RAS and other protection and control systems during this (most recent)assessment. 12)Provide a Corrective Action Plan if this RAS was found to be non-compliant or had coordination problems during this (most recent)assessment (should be NA for owner's initital assessment) Provide the name and contact information of the person responsible for this RAS data submittal. If a classification of LAPS is claimed by the Reporting Party,full scheme review by the RASRS is generally not required unless this classification is not agreed to by the RASRS.The Reporting party must provide adequate information for the RASRS to judge the proposed scheme classification.A scheme is a LAPS if all of these questions can be answered negatively. WECC TPL Regional Business Practice WR3 violation? WECC TPL Regional Business Practice WR1 or 2 external impact violation? ·Load at risk 2 300 MW? Generation at risk 2 1000 MW? If a full RASRS scheme review is not required (LAPS),the RAS owner is still responsible for meeting all of the requirements of PRC-012 through 014 WECC-CRT-2.Specifically,the scheme must still satisfy requirements WR5.1-3 (single point of failure,inadvertent operation, and coordination). If a full RASRS review is required (for WAPS or SN),the following information,sections A -F must be submitted for review: A.RAS PURPOSE AND OVERVIEW RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 13/24 1)Identify the ownership of the RAS (the Reporting Party). 2)Provide the name of the RAS,the purpose and the desired in-service date.Include the specific type of system problem(s)being solved,e.g.transient stability,thermal overload,voltage stability,etc. 3)Provide the owner's classification of the RAS as a LAPS,WAPS,or SN. 4)Provide the information required to populate the WECC RAS database using the appropriate Excel spreadsheet,PRC-013 template (available on the WECC web site). The specific data required is also listed in Attachment A. 5)Provide the name(s)of person(s)within the owner's organization who is(are) responsible for the operation and maintenance of the RAS. 6)Provide a description of the RAS to give an overall understanding of the functionality and a map showing the location of the RAS.Identify other protection and control systems requiring coordination with the RAS.See "RAS Design",below,for additional information. 7)Provide a single line drawing(s)showing all sites involved.The drawing(s)should provide sufficient information to allow RASRS members to assess design reliability,and should include information such as the bus arrangement,circuit breakers,the associated switches,etc.For each site,indicate whether detection,logic,action,or a combination of these is present. 8)Indicate the type of system reliability studies performed and a list of any that are in progress. 9)Provide a discussion of the impact to the WECC power grid,including other protection and control systems that result from the actions taken by the proposed RAS and from its failure to operate as expected.Does a failure to operate or a misoperation impact an Intertie Path?If yes,what Intertie Path? B.RAS DESIGN 1)Describe the design philosophy (e.g.failure is to be a non-credible event). 2)Describe the design criteria (e.g.failure of a single component,element or system will not jeopardize the successful operation of the RAS). 3)RAS Logic -Provide a description of the RAS Logic in the form of written text, flow charts,matrix logic tables,timing tables,etc.as appropriate and identify the inputs and outputs.Provide appropriate diagrams and schematics. 4)RAS Logic Hardware -Provide a description of the logic hardware (relay,digital computer,etc.)and describe how the RAS logic function is achieved. 5)Redundancy -Provide a discussion of the redundancy configuration and if appropriate,why redundancy is not provided.Include discussion of redundant: RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 14/24 a)Detection. b)Power supplies,batteries and chargers. c)Telecommunications (also mentioned in item 10d). d)Logic controllers (if applicable). e)RAS trip circuits. 6)Arming -Describe how the RAS is armed (i.e.remotely via SCADA,locally, automatic,etc.). 7)Detection -Define all inputs to the RAS for the scheme to perform its required purpose.Examples: a)Devices needed to determine line-end-status such as circuit breaker (52 alb contacts)and disconnect status. b)Protective relay inputs. c)Transducer and IED (intelligent electronic device)inputs (watts,vars, voltage,current). d)Rate-of-change detectors (angle,power,current,voltage) e)All other inputs (e.g.set points,time from a GPS clock and wide area measurements such as voltage angle between two stations). f)Provide details of other remote data gathering or control equipment. 8)Coordination with Protection and Control Systems Describe all protection and control systems interactions with the RAS,in addition to the RAS inputs described in (7)above. a)System configuration changes due to RAS operation do not adversely affect protective relay functions such as distance relay overcurrent supervision, breaker failure pickup,switching of potential sources,overexcitation protection activation,or other functions pertinent to the specific relays or protection scheme. b)If studies indicate that transient or sustained low voltages are expected in conjunction with elevated line flows during or after RAS operation,confirm that any protection settings on affected lines will not cause cascading outages related to the low system voltages. c)Potential adverse interactions with any other protection or control systems. 9)Multifunction Devices. A multifunction device is a single device that is used to perform the function of a RAS in addition to protective relaying and/or SCADA simultaneously.It is important that other applications in the multifunction device do not compromise the functionality of the RAS when the device is in service or when is being maintained. a)Describe how the multifunction device is applied in the RAS. b)Show the general arrangement and describe how the multi-function device is labeled in the design and application,so as to identify the RAS and other device functions. c)Describe the procedures used to isolate the RAS function from other functions in the device. RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 15/24 d)Describe the procedures used when each multifunction device is removed from service and whether any other coordination with other protection is required. e)Describe how each multifunction device is tested,both for commissioning and during periodic maintenance testing,with regard to each function of the device. f)Describe how overall periodic RAS functional and throughput tests are performed if multifunction devices are used for both local protection and RAS. g)Describe how upgrades to the multifunction device,such as firmware upgrades,are accomplished.How is the RAS function taken into consideration? 10)Telecommunications. a)Provide a graphical display or diagram for each telecom path used in the proposed RAS scheme,including extent of redundancy employed.See references.Indicate ownership of the circuits,paths,and segments.Indicate responsibility for maintenance.If a telecom circuit utilizes a public network, describe monitoring and maintenance agreements including repair response, details of availability,and how possible change of ownership is addressed. Describe maintenance agreements and response commitments when the RAS communication utilizes multiple private systems. b)Describe and list the telecommunications media and electronic equipment (e.g.microwave radio,optical fiber cable,multiplex node,power line carrier, wire pair,etc.)including redundancy employed in each telecom path.For each of the paths and segments of the RAS,identify the type of telecom equipment employed.For example,whether analog or digital licensed microwave radio,unlicensed spread spectrum radio,fiber optic SONET node,etc are applied. c)Provide a description of common facilities used for each RAS telecom path and segment that are not specifically excluded from redundancy by the WECC critical communication circuit design guideline (e.g.towers, generators,batteries).Identify paths or segments routed through common equipment chassis such as Digital Cross-connect System,SONET node,or router.Identify physical media carried or supported by the same structure, such as a transmission line tower,pole structure,or duct bank.Discuss outside plant and inside plant routing diversity.See references. d)Provide a discussion of communications system performance including, circuit or path quality in terms of availability.Provide details of reliability (e.g.,availability of 99.95%),and other supporting reliability information such as equipment age,history,maintenance,etc.Telecommunication reliability information is the average overall percentage,and not point-to-point information.See references. e)Provide a discussion about performance of any non-deterministic communication systems used (such as Ethernet).If RAS performance is dependent upon successful operation through a non-deterministic RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 16/24 communications system or path,then describe how timing and latency issues will be addressed and verified.Include timing and latency planning or management and verification for initial commissioning and in the event of network modifications or additions.Identify which industry standard is applied. f)Acknowledge provision of appropriate high voltage entrance protection if wire pairs are used. 11)Transfer Trip Equipment -Identify the manufacturer and type (FSK audio tone, FS carrier,digital,etc.),and provide the logic configuration (dual channel,pilot tone,etc.).Identify whether internal device medium is used;e.g."Relay-to- Relay"communication. 12)Remedial Actions Initiated -Provide a functional description of the action(s) produced by the scheme and include a simplified one-line diagram of the RAS output to the end-device operated by the scheme. 13)Remedial Action Schemes may have elements such as engineering access, routable protocols,and sensitive design documentation included in the design that require compliance with the NERC CIP Standards.Utilities may handle CIP compliance differently.Please provide a high level overview of how your company's CIP Compliance Program requirements are incorporated into this RAS design. The RASRS concern is that CIP compliance does not compromise the reliability of the RAS.RASRS will not assess compliance,validity or completeness of the owner's CIP program.The owner remains completely and solely responsible that its CIP program complies with NERC standards. C.MONITORING 1)Provide details of RAS monitoring equipment and time resolution including station alarms,SCADA monitoring,and Sequence of Events Recorders. 2)Provide details of facilities monitored including a)Equipment self diagnostics and annunciation b)Initiation locations c)Logic facilities d)Telecommunications e)Transfer trip equipment f)RAS actions D.RAS OPERATING PROCEDURES FOR ABNORMAL SYSTEM CONDITIONS Provide a summary of the operating procedures or the relevant Dispatch Instructions pertaining to this RAS during abnormal system conditions.Specifically address the operating procedures for the following situations: 1)The RAS operates incorrectly (failure to operate or false operation). RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 17/24 2)One part of a redundant RAS system is unavailable so that complete redundancy is no longer assured. 3)Unscheduled,or unplanned and not coordinated,unavailability of the subject RAS (complete loss of RAS)impacts operation. 4)When a partial or total loss of input data required for arming decisions. E.COMMISSIONING,MAINTENANCE AND TESTING 1)Describe the RAS commissioning and overall functional test procedure(s). 2)Describe the maintenance and test procedures including: a)The provision of test switches and test facilities. b)Preventative maintenance;both electrical and telecommunication. c)Functional Testing,including system end-to-end checks d)Provide the maintenance and test intervals,including any seasonal restrictions. e)A copy of the Maintenance and Test Procedure(s). f)A discussion of power system curtailment during maintenance and test activities F.PERFORMANCE AND OPERATIONAL HISTORY 1)Provide assurances that the overall performance and operating time of the RAS will meet the requirements identified in system studies. 2)When using the existing equipment and components,such as the EMS,RAS controllers,and arming devices,address the following items as they pertain to the operational history of such equipment and procedures. a)How long has the RAS been in operation and how many times has it operated? b)How many times has the RAS failed to operate when it should have? Provide details of causes and impacts. c)How many times has it operated unnecessarily?Provide details of causes and impacts. d)What modifications,if any,are planned as a result of b and c above? G.REVISION HISTORY March 1999 Initial release April 2000 Approve by JGC -Added RAS Catalog Information January 2002 Incorporated RAS Operating Procedures for Abnormal System Conditions,as part of due process comments.Also,added References and Table of Contents section. April 2002 January 2002 Revision approved by the JGC August 2002 Changed WSCC to WECC and updated links in the Reference Section February 2005 References to the Remedial Action Scheme Reliability Task Force (RASRTF)have been changed to Subcommittee,in accordance with the updated Scope Statement.RAS Design section is updated to include latest concepts and technologies,address conditions where a multifunction device is shared for RAS and other critical functions such as local protection or SCADA,and the RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 18/24 latest telecommunication technologies such as SONET or Device- Device communications. March 2005 Approved by the OC April 2005 Approved by the WECC Board of Directors August 2012 Incorporated significant procedural changes related to the PRC(012 thru 014)-WECC -CRT -1 criterion and RAS type definitions. October 2013 Incorporated periodic assessment procedural changes related to the revised PRC-(012 thru 014)-WECC -CRT -2 criterion. RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 19/24 H.REFERENCES Remedial Action Scheme Reliability Subcommittee (RASRS)Charter http://www.wecc.biz/library/Documentation%20Categorization%20Files/Charters/OC/RASRS% 20Charter.pdf Remedial Action Schemes Application and Implementation Requirements and Performance Assessment Measures -October 25,2001 Power Point Presentation Before The PCCIOC/WMIC Joint Meeting - http://www.wecc.biz/committees/StandinqCommittees/OC/RASRS/Shared%20Documents/For ms/Allitems.aspx WECC Guidelines WECC,"Remedial Action Scheme Design Guide" http://www.wecc.biz/library/Documentation%20Categorization%20Files/Guidelines/Remedial%2 0Action%20Scheme%20Design%20Guide.pdf WECC,"Communications Systems Performance Guide for Protective Relaying Applications" http://www.wecc.biz/library/Documentation%20Categorization%20Files/Guidelines/Communicat ion%20System%20Performance%20Guide%20for%20Relays.pdf WECC,"Guidelines for the Design of Critical Communications Circuits" http://www.wecc.biz/library/Documentation%20Categorization%20Files/Guidelines/Guidelines% 20for%20the%20Desiqn%200f%20Critical%20Communications%20Circuits.pdf WECC Criteria WECC,"Remedial Action Scheme Review and Assessment Plan" PRC -(012 thru 014)-WECC -CRT -1 "RAS Criterion" http://www.wecc.biz/library/Documentation%20Categorization%20Files/Reqional%20Criteria/P RC-012%20throuqh%20014%20WECC-CRT- 1%20Remedial%20Action%20Scheme%20Criterion%20Effective%2010-1-2011.pdf TPL-001-WECC-RBP-2.1 http:llwww.wecc.bizllibrary/Documentation%20Categorization%20Files/Reqional%20Bu siness%20Practices/TPL-001-WECC-RBP-2.1.pdf NERC ReliabilityStandards and Technical Papers NERC,"Special Protection System Review Procedure" http://www.nerc.com/files/PRC-012-0.pdf NERC,"Special Protection System Database" http://www.nerc.com/files/PRC-013-0.pdf NERC,"Special Protection System Assessment" http://www.nerc.com/files/PRC-014-0.pdf NERC,Planning Committee "Special Protection Systems,"September 2012 RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 20/24 ATTACHMENT A WECC RAS Database Information The WECC Remedial Action Scheme Information and the associated Excel spreadsheet posted on the RASRS web site as PRC-013 template.xls is to be completed in accordance with this criterion by the Reporting Party designated by the Transmission Owner,the Generation Owner, and the Distribution Provider that owns an existing or proposed RAS for use within the Western Interconnection.Explanations for the Spreadsheet data are contained in the following table. In accordance with the Requirements of PRC-012 through 014 WECC-CRT-1,each Reporting Party is to provide the completed spreadsheet to those parties designated in the criterion as well as the Director of Operations for the Western Electricity Coordinating Council (WECC)and the Chair of the Remedial Action Scheme Reliability Subcommittee (RASRS). Remedial Action Scheme Database Information Sheet Explanations Data Item Explanation Reporting Party The Reporting Party is the primary contact designated by the Transmission Owner(s),Generator Owner(s)and Distribution Provider(s)that owns all or part of an existing or proposed RAS.The Reporting Party will usually be either:1)the entity that controls the scheme,2)the primary owner of the scheme or 3)the sole owner of the scheme. Scheme Name Provide the name by which the Reporting Party references the scheme. Classification WAPS (Wide Area Protection Scheme),LAPS (Local Area Protection Scheme),or Safety Net (SN)as initially classified by the Transmission Owner(s),Generator Owner(s)and Distribution Provider(s)that owns all or part of an existing or proposed RAS as reported by the Reporting Party.This initial classification is subject to review by the RASRS. Major WECC RAS If this scheme is in WECC Reliability Standard PRC-STD-003,Table 3, Major WECC RAS List,enter the number from the list.If the scheme is not on the Major WECC RAS List,enter NA. Operating Procedure If the Transmission Owner(s),Generator Owner(s)and Distribution Provider(s)that owns all or part of an existing or proposed RAS as reported by the Reporting Party has a written operating procedure for this scheme,provide the identifying procedure number or title.If no operating procedure is available,enter NONE or NA. Design Objectives Data required to describe Design Objectives -Contingencies and system conditions which the scheme was designed to mitigate. Operation Data required describing Operation -The actions taken by the scheme in response to disturbance conditions. Modeling Data required for adequate Modeling -Information on detection logic or relay settings that control operation of the scheme. Original In Service Enter the year that the scheme originally went into service,not Year including any subsequent upgrades or other modifications.If specific records are not available,a best estimate such as "early 1980's"is acceptable. RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 21/24 Recent Assessment Identify the group (typically the Transmission Owner(s),Generator Group Owner(s)and Distribution Provider(s)that owns all or part of an existing or proposed RAS as reported by the Reporting Party that performed the most recent assessment of scheme operation, coordination and effectiveness. Recent Assessment Enter the date of the Reporting Party's most recent assessment Date performed (mmlyyyy)that evaluated scheme operation,coordination and effectiveness. RASRS Review Date RASRS entry.Date of the most recent RASRS review of a Reporting Party's assessment (mmlyyyy). RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 22/24 Attachment B WECC RAS Initial or Periodic Assessment Summary Information on Attachment B will be used by the RASRS to ensure proper analysis, operation,coordination and effectiveness of the RAS. Althoughthe content of Attachment A and Attachment B are both provided to WECC,it is only the content of Attachment A that constitutes the minimum data to be contained in the WECC RAS Database.This criterion shall not be interpreted as prohibiting the expansionof the WECC RAS Database to include information beyond that contained in Attachment A. RAS Name Reporting Party (The Reporting Party for this entry will always be the same as the Reporting Party entry listed in the Reporting Party field of Attachment A.) Group Conducting this RAS Assessment Assessment Date Review the scheme purpose and impact to ensure proper classification,is it (still)necessary,does it serve the intended purposes,and does it continue to meet current performance requirements. This RAS assessment included the following: Study Years System Conditions Contingencies analyzed (select what applies) N-1 N-1-1 N-2 Extreme Date when the technical studies were completed Does this RAS comply with NERC standards and WECC Criteria? Discuss any coordination problems found between RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 23/24 this RAS and other protection and control systems during this (most recent)assessment. Provide a Corrective Action Plan if this RAS was found to be non-compliantor had coordination problemsduring this (mostrecent)assessment (should be NA for owner's initial assessment). RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix B-Procedure to Submit an RAS for Assessment,October 28,2013 Procedure to Submit a RAS for Assessment Page 24/24 Effective Period This document will remain in effect until revised by the RASRS and approved by the WECC Operating Committee and Board of Directors.The new version will then supersede this version. ApprovedBy: ApprovingCommittee,Entity or Person Date Remedial Action Scheme Reliability Subcommittee October 28,2013 Operating Committee March 25,2014 Board of Directors RAS Name Owner: Revision No.Submittal Date: PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 WECC Document name REMEDIAL ACTION SCHEME DESIGN GUIDE Category ()Regional Reliability Standard ()Regional Criteria ()Policy (x)Guideline ()Report or other ()Charter Document date June 6,2006 Adoptedlapproved by Operating Committee Date adoptedlapproved November 28,2006 Custodian (entity Remedial Action Scheme Subcommittee responsible for maintenance and upkeep) Stored/filed Physical location: Web URL: Previous namelnumber (if any) Status (x)in effect ()usable,minor formattinglediting required ()modification needed ()superseded by ()other ()obsoletelarchived) PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 WECC WECC Guideline: REMEDIAL ACTION SCHEME DESIGN GUIDE Date:June 6,2006 Contents EXECUTIVE SUMMARY .............................................................................ii I N TRODU CT10 N .........................................................................................1 PROBLEM RECOGNITION and DEFINITION ............................................2 Safety Net Schemes ..............................................................3 Common RAS Classifications ................................................4 Typical RAS Features ............................................................5 PHILOSOPHY and GENERAL DESIGN CRITERIA ....................................7 Logic ......................................................................................7 Hardware ...............................................................................7 Arming ...................................................................................7 Detection and Initiating Devices .............................................8 Logic Processing ...................................................................11 Communications Channels ....................................................11 Cyber Security .......................................................................11 Transfer Trip Equipment........................................................12 Test Switches ........................................................................12 REDUND A N CY ...........................................................................................1 2 Minimum Requirements.........................................................13 Breaker Failure ......................................................................15 Communication Circuit Redundancy ......................................15 MONITORING and ALARMS ......................................................................15 COORDINATION with PROTECTION,OTHER RAS, and CONTROL SYSTEMS ...............................................................16EquipmentProtection.............................................................16 MultipleApplicationsin a Single Device .................................17 Other Remedial Action Schemes ...........................................18 2 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 Energy ManagementSystems ...............................................18 OPERATIONS and TEST PROCEDURES .................................................19 WECC REVIEW ..........................................................................................19 FIGURE 1 Common RAS Objectivesand Control Methods ....................21 REFERENCES ............................................................................................22 3 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 EXECUTIVE SUMMARY Remedial action schemes (RAS),also known as special protection systems (SPS)or system integrityprotection systems (SIPS),have become more widely used in recent years to provide protection for power systems against problems not directlyinvolvingspecific equipment fault protection.The terms SPS and RAS are often used interchangeably,but WECC generally and this document specifically uses the term RAS. Economic incentives and other factors have led to increased electric transmission system usage, power transfer,and changes in historic usage patterns,both among regions and within individual utilities.New transmission construction has often lagged behind these changes,resulting in lower operating margins.The resulting system-wide problems usuallyrequire separate solutions than can be provided by equipment-specific protection schemes.Remedial action schemes are applied to solve single and credible multiple-contingencyproblems.These schemes have become more common primarily because they are less costly and quicker to permit,design,and build than other alternatives such as constructing major transmission lines and power plants. Remedial Action Schemes in WECC supplement ordinary protection and control devices (fault protection,reclosing,AVR,PSS,governors,AGC,etc)to prevent violations of the NERC/WECC ReliabilityCriteria for Category B and more severe events.RAS sense abnormal system conditions and (often)take pre-determined or pre-designedaction to prevent those conditions from escalating into major system disturbances.RAS actions minimize equipment damage and prevent cascading outages,uncontrolled loss of generation,and interruptions to customer electric service. This Guide is a revision of the 1991 WSCC "Guide for Remedial Action Schemes."The NERC and WECC Standards have changed significantlysince 1991.The Standards'changes were driven by the major WSCC outages in July and August 1996 with "reminders"from the outages in eastern North America and Italy in August and September 2003.These outages indicate that Standards compliance is necessary.This document is intended to help the RAS designer comply with these Standards.(The 1997 NERC and 2002 WECC Planning Standards Section III.F and 2005 NERC Standards PRC-012-0 through PRC-017-0 specifically apply to RAS). REMEDIAL ACTION SCHEME DESIGN GUIDE INTRODUCTION Remedial action schemes (RAS),also known as special protection systems (SPS)or system integrityprotection systems (SIPS),have become more widely used in recent years to provide protection for power systems against problems not directlyinvolvingspecific equipment fault protection.The terms SPS and RAS are often used interchangeably,but WECC generally and this document specifically uses the term RAS. Economic incentives and other factors have led to increased electric transmission system usage, power transfers,and changes in historic usage patterns,both among regions and within 4 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 individual utilities.New transmission construction has often lagged behind these changes, resulting in lower operating margins.The resulting system-wide problems usuallyrequire separate solutions than can be provided by equipment-specific protection schemes.Remedial action schemes are applied to solve single and credible multiple-contingencyproblems.These schemes have become more common primarily because they are less costly and quicker to permit,design,and build than other alternatives such as constructing major transmission lines and power plants. Remedial Action Schemes in WECC supplement ordinary protection and control devices (fault protection,reclosing,AVR,PSS,governors,AGC,etc)to prevent violations of the NERC/WECC ReliabilityCriteria for Category B and more severe events.RAS sense abnormal system conditions and (often)take pre-determined or pre-designedaction to prevent those conditions from escalating into major system disturbances.RAS actions minimize equipment damage and prevent cascading outages,uncontrolled loss of generation,and interruptions of customer electric service.Recent WECC experience with existing RAS has been good from the IviewpointofRASimpactsonmajorsystemdisturbances. This Guide is a revision of the 1991 WSCC "Guide for Remedial Action Schemes."The 2,3 4NERCandWECC Standards have changed significantlysince 1991.The Standards changes were driven by the major WSCC outages in July and August 1996 with "reminders"from the outages in eastern North America and Italy in August and September 2003.These outages indicate that Standards compliance is necessary.The 1997 NERC and 2002 WECC Planning Standards Section III.F and 2005 NERC Standards PRC-012-0 through PRC-017-0 specifically apply to RAS.This document is intended to help the RAS designer comply with these Standards. The 1991 Guide addressed design,operation,and maintenance of RAS.Appropriate installation and maintenance practices for all types of protection systems,includingRAS,are described 5separatelyinmoredetailintheRWGInstallation&Maintenance Guide.These issues are also addressed in detail during review of specific RAS by the WECC Remedial Action Scheme 6 7ReliabilitySubcommittee,(RASRS).The recent CIGRE report "System Protection Schemes 8inPowerNetworks"addresses many aspects of these schemes.The NPCC and (formerly) 9MAAC regional reliability councils also have SPS Design Guides,though these documents are generally less detailed than the CIGRE report or this Design Guide. The 1991 Guide devoted considerable discussion to organizational,project management,and inter-company coordination issues.While these issues remain highly important,they are not unique to developing and operating remedial action schemes and are no longer discussed here. Requirements for underfrequency load shedding (UFLS)schemes are not addressed in detail here.Theyare addressed separately by several WECC documents.10,11,12 These documents provide satisfactory design guidance.Therefore UFLS schemes designed in compliance with these WECC requirements have not normallyrequired further review by WECC as remedial action schemes. 5 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 PROBLEM RECOGNITION and DEFINITION The 1991 Guide identified actual or near instabilityduring actual events first in the list of ways to recognize a potential system problem.Other identified problem detection methods centered on system planning studies on a scale ranging from individual planners to the Reliability Council. The NERC and WECC Standards do not allow using historical events for initial detection of a problem,regardless of the solution,though events must be reviewed and the lessons learned must be applied appropriately.Standards require that appropriate studies be performed to evaluate all system configurations where operations are to occur.The system should not be operated in an un-studied configuration.Any significant problems identified in studies are to be avoided by operating the system in a safe configuration,for example by reducing intertie schedules,until additional facilities (includingRAS)can be installed to mitigate the problem. Simulation studies must resolve system-wide issues prior to beginning the specific RAS design. This Design Guide does not address these system-wide issues in detail.These issues should be documented separately,and may include but are not limited to: Critical contingencies,critical components/paths,limitingfactors, Security regions/nomograms, Remedies (mitigation/interruption/separation), Remedial action types and locations, Speed requirements, Control principles (opened/closed loop,predetermined/arbitrary disturbing events,etc), Economic justification, Critical system condition parameter identification (line/path flows,angles,voltages,fault severity,system component status,etc), Scheme architecture (local,centralized,hierarchical,distributed,device locations and interactions), Disturbing event indication principles (direct detection,system-response-based recognition), Analytical and logical conditions for remedial action types and amounts,arming settings for step-wise RAS systems, Margins to be applied to amounts of remedial action or to arming settings to cover system modeling and instrumentation inaccuracies, Algorithmsand programs for computerized RAS systems, Possible out-of-step cut-planes, Principles,locations and coordination of out-of-step tripping devices. 6 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 Principles and locations of out-of-step blocking functions A RAS solution will typically be considered when other operating and construction options are substantially more expensive or cannot be implemented in time to avoid problems identified by the initial studies.The studies should support and identify the need of the RAS and recommend the actions to be taken to mitigate the problem. The studies shall also identify system effects if the RAS misoperates,either by failing to take action when required or by taking action when action is not required.The system performance requirements for either type of failure shall meet the NERC/WECC Standards identified in Categories A,B,C,and D of Table 1 (Section I.A in NERC 1997 and WECC 2002 Standards or TPL-001-0 through TPL-004-0 in NERC 2005 Standards). An illustration of system problems that are candidates for RAS solutions,along with corresponding effective remedial actions is provided as Figure 1,Common RAS Objectives and Control Methods.Most of these control methods (remedial actions)are also described in section 2.5 of reference 7. Safety Net Schemes "Safety Net"system protection schemes have similar general characteristics and objectives as RAS.A safety net is intended to handle more severe disturbances resulting from extreme events.Such events are within or beyond Category D of Table 1 in the NERC/WECC Standards (multiple related outages). 4TheNERC/WECC Planning Standard I.G9 recognizes "that it is not practical (and in some cases not possible)to construct a system to withstand all possible extreme contingencies without cascading,[but]it is desirable to control or limit the scope of such cascading or system instability events and the significant economic and social impacts that can result." The safety net is intended to minimize the impact of extreme events when such impacts cannot be entirelyavoided.In part because of this change in objective,WECC does not normally require that the RASRS review safety net schemes.However,the scheme designer should consider whether the RAS requirements are still a prudent objective because the safety net may need to be converted to a RAS as system conditions continue to change. 13TheWECCPolicyRegardingExtremeContingenciesandUnplannedEvents states that "...the appropriate equipment,remedial action schemes,and operating procedures [must]provide for reliable system operation at all times....If,at any time,operating conditions exceed these secure conditions,immediate actions shall be taken to reduce stress on the system and return operation to safe and reliable levels."The safety net is intended to provide these immediate actions. Direct detection of events that cause insecure conditions is not always possible or necessary. Safety net actions can be initiated in response to other indications of insecure conditions.Out- of-step blocking and tripping and underfrequency load shedding are examples of response-based 7 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 safety nets.The response-based safety net should be supported by studies illustrating satisfactory speed,action magnitude,and coordination of the remedial actions.Some simplifications can be made in simulating the process part of returning the system to secure conditions. The WECC Policy anticipates application of a safety net with direct indication of the Category D disturbances if they have high probability (e.g.extreme disturbances that have actually occurred),or if a response-based safety net would not return the system to a secure state. Practically all types of RAS actions can be considered for such a "preventative"safety net, includingmore severe actions such as dropping firm load,system separation,etc.This type of safety net should be supported by the full range of system simulation studies. The Policy also emphasizes the importance of controlled (instead of cascading)system separation to provide stable and balanced operation of each island with the potential of faster re- synchronization.Fast reserve mobilization (e.g.automatic start of hydro generators)could be used in resource deficient islands.Generatortripping in resource surplus islands could be needed. A safety net scheme may not be used to establish facility ratings or transfer capabilities for interconnected system operations. Common RAS Classifications The followingdescriptions do not cover all possible RAS classifications,but do outline several common and convenient methods. One convenient method to classify RAS control principles is by the scheme input variables that detect system contingencies and disturbances: Event-based, Parameter-based, Response-based,or Combination of the above. Event-based schemes directlydetect outages and/or fault events and initiate actions such as generator/loadtripping to fully or partially mitigate the event impact.This open-loop type of control is commonly used for preventing system instabilities when necessary remedial actions need to be applied as quickly as possible. Parameter-based schemes measure variables for which a significant change confirms the occurrence of a critical event.This is also a form of open-loop control but with indirect event detection.The indirect method is mainlyused to detect remote switching of breakers (e.g.an opposite end of a line)and significant sudden changes which can cause instabilities,but may not be readily detected directly.To provide timely remedial action execution,the measured variables may include power,angles,etc.,and/or their derivatives. 8 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 Most event-and parameter-based schemes are triggered by a combination of events and parameters.These schemes initiate pre-planned actions based on studies of pre-defined system contingencies for a variety of conditions. Response-based schemes monitor system response during disturbances and incorporate a closed- loop process to react to actual system conditions.Response-based scheme action may be more finely calibrated to the magnitude of the disturbance,but usuallyis not fast enough to prevent instabilities followingsevere disturbances.UFLS,some types of UVLS,and some equipment unloading schemes could be interpreted as response-based closed-loop schemes.A response- based scheme can be used when gradual (e.g.step-by-step)increase of remedial action is acceptable. The Northeast Power Coordinating Council's (NPCC)2002 Criteria classified SPS [RAS] 8accordingtoimpactsonthesystem as: Type I:Scheme where failure or misoperations would have significant impact outside the local system, Type II:Scheme intended for extreme contingencies or other extreme causes where failure or misoperation would have significant impact outside the local system,and Type III:Scheme where failure or misoperations would not have significant impact outside the local system. WECC does not use an official RAS classification system,but the NPCC SPS Types correspond to the followingWECC terminology: RAS -A scheme needed to meet WECC performance requirements and operating standards.The scheme mitigates conditions that could affect the systems of multiple owners and may be used to establish facility ratings.This type of RAS requires WECC review by the RASRS.Similar to NPCC Type I. Example:Pacific AC Intertie RAS (the scheme is used to establish intertie ratings and affects multipleowners within WECC). Safety Net -A scheme used to provide a defense against extensive cascading or complete system collapse.This type of scheme has usuallynot required review by the WECC RASRS.Similar to NPCC Type II. Example:WECC Off Nominal FrequencyProgram (the program is not used to establish intertie ratings,compliance is required and may be audited by WECC and NERC,but a separate review of each owner's implementation is not required). Local RAS -A scheme used to meet an owner's performance requirements within that owner's system.This type of scheme does not usuallyrequire WECC review.Similar to NPCC Type III. 9 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 Example:Pacific Gas &Electric's San Francisco RAS (the scheme affects only part of PG&E's system). TypicalRAS Features Critical details of the RAS design and operating characteristics must be determined through appropriate studies.Among the more important recommendations and conclusions of these studies might be: Arming Criteria:Critical system conditions for which a step-wise RAS should be ready to take action when required. Initiating Conditions:The critical contingencies to initiate action if the scheme is armed. Parameter-based RAS detect changes in critical system conditions rather than directly detecting specific conditions. Action Taken:The minimum remedial action required for each contingency (when armed)and the maximum acceptable remedial action for each contingency (when pertinent) Time Requirements or Allowable Time:The maximum time allowable for the remedial action to be accomplished. Critical system conditions are often identified by one or more of the following: Generation patterns, Transmission line loadings, Load patterns, Reactive power reserves, System response as determined from the data provided by wide area measurement systems (WAMS),or Other unsustainable conditions identified by studies of system characteristics. For example,during lightlyloaded system conditions,a transmission line outage may not cause any reliability criteria violations,but during heavier loads,the same outage may result in generator instabilityor overloads on remaining facilities. Automatic single-phase or three-phase reclosing followingtemporary faults during stressed operating conditions may avoid the need to take remedial action.Appropriate RAS action may still be required if reclosing is unsuccessful. The RAS is designed to mitigate specific critical contingencies that initiate the actual system problems.There may be a single critical outage or there may be several critical single 10 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 contingency outages for which remedial action is needed.There may also be credible double or other multiplecontingencies for which remedial action is needed.Each critical contingency may require a separate arming level and different remedial actions. Various possible remedial actions are usuallyavailable to improve system performance.These may include but are not limited to: Islanding or other line tripping, Generatortripping, Load tripping (direct,underfrequency,undervoltage), Braking resistors, Static VAr control units, Capacitor and/or reactor switching, The minimum remedial action required is determinedthrough studies that define the boundary between acceptable and unacceptable system performance.Remedial action in addition to this minimum level often can result in further system performance improvements.At some higher action level,system performance standards may again be violated if system response approaches another part of the boundary (e.g.high voltage due to extra load shedding).However,some extra remedial action (safety margin)should be applied to ensure that at least the minimum action will still occur even for the worst-case credible scheme failure (typically a single component).While actions above the necessary "safety margin"do not create new violations, they may make the scheme more costly and complex,as well as result in a larger impact to customers (e.g.reduction of generating reserve,shed more load). The maximum time allowable to take action will change with the type of problem for which the RAS is a solution.Short-term angular and voltage stabilityproblems typically require the fastest response,as fast as a few cycles but usuallyless than one second.Actions to mitigate steady- state stabilityand slow voltage collapse problems may allow several seconds.Thermal overload problems could allow up to several minutes before action is required. Often sensing,logic processing,and corrective action will take place at different sites.A RAS senses system conditions,communicates to a logic processor programmed to determine the appropriate arming,determine corrective actions at each arming level and for each contingency, and initiate appropriate actions,usuallythrough communication links among remote sites.In this common configuration,RAS are critically dependent on high-speedtelecommunications, condition-sensing,arming,logic processing,and action equipment. Often system problems and their solution through RAS involve more than a single entity.The resulting RAS will require negotiations among the parties (includingtechnical specialists needed to implement the proposed RAS)identifyingthe conditions to be monitored,scheme logic,logic processing,and the actions to be taken.The NERC and WECC Standards provide the starting point to evaluate system performance.The WECC Minimum Operating ReliabilityCriteria 11 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 14(MORC)provides more detailed and specific rules to judge the acceptability of actual system performance under various conditions.These performance requirements must be met within the western interconnected systems.Detailed scheme design can begin after the discussions among parties reach a consensus. It can be acceptable for an entityto apply more rigorous,well-documented criteria to problems with a proposed RAS solution.However,the same criteria will need to apply to both the host utility's internal and third party applications,such as independentpower producers,transmission providers,or load serving entities,to avoid any perceived unequaltreatment of third parties by the RAS owner. PHILOSOPHY and GENERAL DESIGN CRITERIA In general,the design philosophy appropriate for a RAS is that all system performance criteria will still be met,even followinga single device or component failure within the RAS.As with other protection systems,this design objective is often met with a fully redundant system design. A fully redundant design will avoid the possibility of a single component failure that would jeopardize successful operation of the RAS.However,as described below,a fully redundant design is not always required to meet the performance criteria. Logic The operating requirements for any RAS are derived from the system simulation studies that identify the problem (e.g.loss of any of several specific lines during heavy export conditions would initiate out-of-step conditions on a remaining intertie),appropriate actions to mitigate the problem (e.g.generation tripping in the area that had been exporting before the outage),and the maximum time available to take action. Documentation of this scheme logic will direct the detailed implementation design,aid in necessary reviews,and assist personnel when installingand testing the scheme.The logic documentation may take the form of a written description,equations,flow charts,matrix logic tables,timing tables,logic diagrams,charts,etc,or a combination of formats.The documentation will also include all scheme inputs and outputs. Hardware Hardware used to implement a RAS shall meet the same standards that apply to other protection systems,includingbut not limited to: IEEE Power System Relaying Committee,"IEEE Standard Surge Withstand Capability (SWC)Tests for Protective Relays and Relay Systems Associated with Electric Power Apparatus,"IEEE/ANSI Standard C37.90.1-2002,IEEE Standard C37-90-2004. 12 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 IEEE Power System Relaying Committee,"IEEE Standard for Relays and Relay Systems Associated with Electric Power Apparatus,"IEEE/ANSI Standard C37.90-1989. IEEE Power System Relaying Committee,"IEEE Standard for Withstand Capability of Relay Systems to Radiated Electromagnetic Interference from Tranceivers,"ANSI/IEEE Standard C37.90.2-2004. Technology advances have provided the designer with many solution options.The designer will often have a choice among several platforms to build the RAS-multi-function or single- function relays,digital computer,programmable logic controller,etc. Arming Some,especially newer,RAS do not depend on a traditional arming concept.These systems are characterized by fast computations and detect critical changes in system conditions rather than specific pre-disturbance levels or status.In this sense,they are always "armed"and ready to initiate action when they detect a disturbance. However,many RAS monitor load,generation levels,voltage,frequency,breaker status,and/or other quantities or devices that are critical to identifying the onset of the system problem which the RAS is designed to mitigate.Analog quantities (usually,though not always,power levels) are the most common functions used to identifywhen a scheme should be armed.If analog quantities such as line power flows are the appropriate level detection criteria,the specific quantities may be monitored by transducers,microprocessor-based relays,communications processors,analog cards within programmable logic controllers,or other devices. Often analog quantities or status at more than one location are required to determine when a scheme should be armed.Use of SCADA and an EMS (Energy Management System)computer to collect the data and perform the calculations is a common RAS application.Programmable logic controllers,microprocessor-based relays and other IEDs are also commonly used to perform these functions. Both EMS computer and SCADA (remotely)or the scheme logic processor (locally or remotely) are commonlyused for scheme arming at logic processing and/or action locations.Actual scheme arming may be done either automatically or manually,dependingon the philosophy of the entity and the specific characteristics of the scheme.If arming is automatic,the dispatcher should at least be provided with indication of the arming status. If arming is manual,written procedures,the EMS or logic processor shall provide the dispatcher with a recommendation on when the scheme should be armed as well as arming status.For EMS-calculated manual arming,the RAS designer can consider using a lookup table or similar document that a dispatcher shall or can use as a manual backup.If there are choices on what specific actions should be armed (e.g.trip loads at either station A or station B),the scheme shall make an initial choice,which the dispatcher can override.Some utilities include the ability to arm a scheme with a local switch from logic processing or at action locations.This is 13 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 acceptable,though most often used when the arming location is continuouslystaffed around the clock,24/7/365,such as at a power plant or manned substation or the status of the switch is brought to a continuouslystaffed location. Detection and Initiating Devices Detection and initiating devices must be designed to be as secure as possible.The following discussion identifies several types of devices that have been used as disturbance detectors: Line open status (event detectors), Protective relay inputs and outputs (event and parameter detectors), Transducer and IED (analog)inputs (parameter and response detectors), Rate of change (parameter and response detectors). Several methods to determine line open status are in common use,often in combination: Auxiliaryswitch contacts from circuit breakers and disconnect switches (52b,89b), Undercurrent detection (a low level indicates an outage), Breaker trip bus monitoring,and Other detectors such as angle,voltage,power,frequency,rate of change of these,out of step,etc. Circuit breaker or disconnect switch auxiliarycontacts (52b,89b)are often part of the outage detection input to a logic circuit.Observe the followingprecautions when using these contacts: Use of auxiliaryrelays as contact multipliersfor critical scheme detection 52b/89b contacts must be done very carefully,especially if these contacts are used as the only or primary line outage detection method.Make sure that loss of the auxiliary supply voltage does not provide false indications to the RAS.Where possible,use the breaker/switch contact directly for RAS outage detection.Whether directly or through auxiliaryrelays,separate contacts should be used for inputs to redundant schemes (see discussion below). When a circuit breaker is out of service,disconnect switches open,and the breaker subsequently closed,the 52b switch is no longer a reliable indicator of the availabilityof the breakeras part of the RAS.The scheme logic must include accommodation for this contingency.Commonly used methods include auxiliarycontacts on the disconnect switches (89b)or a separate "maintenance","out of service",or "local/remote"(43) control switch to provide the proper indications. Logic must recognize line disconnect switches where used.If the line switches can be operated remotely or automatically,the detection logic must be automatic. 14 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 Detection logic must be able to detect a line being open at either end (monitorboth ends of the line). Inadvertent bypassing of the 52b switches by personnel operating the maintenance /out- of-service switch or failure of a complicated automatic scheme can cause a false RAS operation.Supervision of the 52b logic by undercurrent or underpower can prevent such false operations. Auxiliaryswitches monitoring disconnect switch position (89b)should follow actual switch blade position rather than just the operating mechanism.Operation of the mechanism with the switch de-coupled could cause false operations similar to inadvertent bypassing of breaker 52b contacts discussed above. If manual transfer or maintenance switches are used in parallel with 52b breaker auxiliary contacts,the manual switch position must be monitored by the local substation annunciator,sequence of events recorder,or SCADA to reduce the possibility of leaving the switch in the wrong position when the breaker is returned to service. Undercurrent sensing may be used for outage detection.Loss of transmission line power flow is occasionally used as a variation of undercurrent detection.Current detection may have the advantage of being able to detect an open terminal at the far end of the line as well as locally without a separate communication channel.Undercurrent detection is independentof auxiliary and maintenance switch contacts.This detection method requires the followingprecautions: The undercurrent level setting must be above the level of line charging current (including the effects of any fixed or switched shunt reactors)and corona losses,but below minimum line flows when both ends of the line are in service. The minimum current may be quite small for short lines,if a high percentage of shunt compensation is used,if power flow may reverse direction,or if the line is operated at a lower voltage.This can make outage detection via undercurrent sensing alone problematic. Detection logic must be defeated when the undercurrent relay is out of service for maintenance,testing,or other purposes. Breaker trip bus monitoring is often used when scheme operating time requirements are very short.The timing advantage arises because the logic signal initiation occurs when the circuit breaker trip bus is energized,ahead of the operating time of the breakermechanism and auxiliary switches or interruptionof the circuit breaker current.Depending on the rated voltage and design of the breaker,this may save 1-5 cycles (17-80 milliseconds)in overall scheme operation. This detection method requires the followingprecautions: For current operated devices,breaker DC trip current should be monitored using a trip indicating relay or similar device with an operating current value appropriate for the specific circuit breaker.Since the trip indicating relay is in series with the trip coil,and may not operate for open trip coil,trip coil monitoring is appropriateto identify failures 15 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 before failure-to-tripthe breaker.The trip coil failure alarm should be brought into the EMS. For voltage-operateddevices monitoring the breaker trip bus,pickup level of the device and resistance must be carefullyconsidered to ensure that it is not inadvertentlyoperated by "sneak circuits"such as the red indicating light.Due to this complication,a current- operated detector is usuallypreferred over a voltage-operated detector. For breakers with two trip coils,both coils should be monitored. For breaker trips initiated by a protective relay or control switch,a separate contact output of the relay or control switch may be used to detect line open status. For most designs,undercurrent or 52b status detection may also be required in addition to current or voltage schemes for breaker trip bus monitoring because the trip logic signal only monitors the DC current flowingthrough the breaker trip coil (or the trip bus voltage).Once the breaker opens,the coil current falls to zero and a separate detection method must be used to recognize breaker status. Voltage,power,frequency,or out-of-step relays may be used when those functions provide reliable and secure methods of detecting the condition being monitored for the RAS. Precautions often require more effort to ensure reliable operation than if other detection methods can be used. Power flow is often used to make RAS arming decisions,but is also occasionally used for triggering decisions. Voltage sensing (where needed)should monitor all three phases at the critical transmission level. Rate of change of voltage,current,power or frequency may be used,but with extreme caution in determining the settings required to distinguish between local faults, switching,and/or system problems which should initiate the RAS. 15 Out-of-step tripping (OST)may be used to interrupt pending instability.Studies must be done to ensure that the settings will not result in tripping for recoverable swings and must also address undesired tripping on out-of-step conditions outside of the given component.These relays are usuallyapplied when there is enough time to trip "on the way out"of the swing.If time is critical and tripping must be "on the way in,"then transient recovery voltage across the tripping circuit breaker(s)must be evaluatedin order to prevent re-strikes.Tripping "on the way in"requires a more precise setting to prevent trips on recoverable swings and may require a higher breaker rating. Out-of-step blocking (OSB)may supervise relay distance or overcurrent elements during system swings if studies show that the impedance trajectory can penetrate into the reach 15oftherelays.The recommended application combines blocking all relay impedance zones at locations where OST is not desired and allows tripping using the OST function available in modern relays for unstable power swings at locations determined by system studies. 16 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 16TheWECCwideareameasurementsystem(WAMS)is presently used only for system monitoring.However studies by the WECC Disturbance Monitoring Work Group (and others) show that such schemes can aid Real time determination of transmission capacities, Early detection of system problems, Refinement of the planning,operation,and control processes. While the WAMS is not presently applied for any RAS functions,its nature holds some promise for both initiating remedial action and monitoring system response in future "wide area"RAS. WAMS,if used in a RAS,may not require traditional arming and outage detection,but would be parameter-or response-based. Logic Processing All RAS require some form of logic processing to determine the action to take when the scheme is triggered.Required actions are always scheme dependent.Different actions may be required at different arming levels or for different contingencies.Scheme logic may be achievableby something as simple as wiring a few auxiliaryrelay contacts or by much more complex logic processing.The designer shall choose a design to maximize reliability,minimize complexity, provide for safe scheme testing,and allow for easy future modifications. Platforms that have been used reliablyand successfully,include programmable logic controllers (PLCs),personal computers (PCs),multi-function programmableprotective relays,remote terminal units (RTUs),and logic processors.Single-functionrelays have been used historically to implement RAS,but this approach is now less common except for very simple new installations or minor additions to existing schemes. Communications Channels Communication channels used for sending and receiving logic or other information between local and remote sites and/or transfer trip devices must meet at least the same criteria as for other relaying protection communication channels.These requirements are outlined in 17CommunicationsSystemsPerformanceGuideforProtectiveRelayingApplications and 18CriticalCommunicationsCircuits-Guidelines for Design documents available on the WECC web site. The scheme logic must be designed so that loss of the channel,noise,or other channel failure will not result in a false operation of the scheme. It is highly desirable that the channel equipment and communications media (power line carrier, microwave,optical fiber,etc)be owned and maintained by the RAS owner,or perhaps leased 17 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 from another WECC member familiar with the necessary reliability requirements.All channel equipment must be monitored and alarmed to the dispatch center so that timely diagnostic and repair action shall be taken place upon failure. Leased telephonecircuits or pilotwire circuits on power system structures are likelyto lead to unreliable operations.Such channels shall only be used when no other communications media are available.Automatic channel testing and continuous monitoring are required if telephone leased lines are used. Communication channels shall be well labeled or identified so that the personnel workingon the channel can readily identify the proper circuit.Channels between entities shall be identified with a common name at all terminals. Cyber Security 19NERCrecentlyapprovedpermanentstandards CIP-002-1 through CIP-009-1 to address both physical and electronic security for critical cyber assets.These standards are intended to apply across the spectrum of security concerns from identifying the assets,personnel,access to the assets,and identifying,reporting on,and recovering from cyber attacks.While cyber security issues are not unique to RAS,a brief summary is provided here. The Standards define terms and identify critical cyber assets as having at least one of the followingcharacteristics: The cyber asset uses a routable protocol to communicate outside the electronic security penmeter,or The cyber asset uses a routable protocol within a control center,or The cyber asset is dial-up accessible. RAS applied to the bulk electric system will be critical assets under the definitions in these Standards and will also be critical cyber assets,except in rare cases where computer-based equipment and communication networks are not part of the scheme.RAS applied to systems and facilities critical to system restoration or load shedding of 300 MW or more are also included in the definitions. Specific cyber security protection methods must be determinedby each utility,but applications to protect RAS equipment should be similar to the facilities needed to protect energy control centers and equipment protection relays. RAS applied off the bulk electric system should also be treated as critical cyber assets if connected into networked communications systems serving other critical cyber assets." 18 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 Transfer Trip Equipment Transfer trip equipment for RAS applications shall meet the same hardware design and reliability standards as for other communication-aided protection equipment applications. Commonly used types of transfer trip equipment include FSK audio tone,FS carrier,relay-to- relay digital,etc.Operating time must be compatible with the requirements for the specific RAS.Security against false trips is often accomplished by the same methods as used in direct transfer tripping applications,e.g.guard and trip frequencies shift in opposite directions. Additional criteria can be found in reference 17. Test Switches The NERC/WECC Planning Standards related to test switches for RAS are similar to those for other protection systems.The 1997 NERC and 2002 WECC RAS standards include the followingguides: G5.SPS [RAS]should be designed to minimize the likelihood of personnel error such as incorrect operation and inadvertent disabling.Test switches should be used to eliminate the necessity for removing or disconnecting wires during testing. G6.The design of SPS [RAS]both in terms of circuitry and physical arrangement should facilitate periodic testing and maintenance.Test facilities and procedures should be designed such that they do not compromise the independence of redundant SPS [RAS] groups. Test and/or cutout switches for initiation,logic processing,tone communications,and action circuits shall be designed as an integral part of the RAS at all locations where any of these functions occur.Switches shall be readily accessible to operatingpersonnel for maintenance and test purposes using a written procedure.The switches shall be labeled with a name that is short, precise,and directly related to the remedial action scheme function.Common nomenclature shall be used at all locations for a RAS involvingmore than one entity. REDUNDANCY RAS redundancyrequirements are similar to the requirements for other protection systems. Redundancy is intended to allow removing one scheme followinga failure or for maintenance while keeping full scheme capability in service with a separate scheme.Redundancy requirements cover all aspects of the scheme design includingdetection,arming,power supplies, telecommunications facilities and equipment,logic controllers (when applicable),and RAS trip/close circuits. 19 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 Minimum Requirements The Standards do not impose an absolute redundancy requirement.The need for redundancy should be based on an evaluation of the system consequences for a failure of the scheme to operate and the need to meet overall system reliability requirements.A single point of failure within a RAS must not prevent the interconnectedtransmission system from meeting the system performance requirements.It is the designer's /owner's responsibility to prove that failure of non-redundant equipment for all credible scheme failures will still result in system performance that is within the NERC/WECC Standards and MORC.The followingGuide from the 1997 NERC and 2002 WECC Standards further describes the intent: Gl.Complete redundancyshould be considered in the design of an SPS [RAS]with diagnostic and self-check features to detect and alarm when essential components fail or critical functions are not operational. To be an acceptable alternative to full redundancy,a non-redundantdesign must at least: Provide adequate backup,such as by overtripping of a load shedding RAS when communication channels to the load shed sites are not redundant.Overtripping shall not expand the problem. Monitor and alarm all critical RAS elements-especiallyones where single component failure can defeat the RAS functionality. Depending on the scheme design and objectives,the followingmay also be necessary: o It is possible for the electric system to be adjusted so that the RAS need not be armed and operation is not required for the critical outage(s). o Adequate dispatcher training must be in place to immediately adjust the system so that operation of available parts of the RAS will still meet the system performance requirements of the Standards if any of these critical alarms occur, e.g.arm alternate load shed sites. NERC /WECC Standards and common utility practice allow a few protection systems to be non-redundant.A partial list includes: Station battery.The Standards require only that separately-fused DC control circuits be used to supply otherwise-redundantprotective devices and that the battery/charger system be alarmed to indicate failures.Some utilities do use separate batteries and chargers,especially at higher system voltages,but this is not required by the Standards. Potential sensing devices (PTs,CCVTs,optical).Voltage sensing for protection shall be provided from separate secondary windings of voltage sensing devices,but separate primaries are not always required. Breaker failure protection is specifically exempted from a redundancyrequirement.See the discussion below. 20 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 Microwave antenna towers. Most protection schemes are designed with many redundantfeatures.Good utility industry practice and the Standards encourage fully redundant RAS.However,the minimum requirement for all systems is to provide adequate backup protection,the operation of which will not result in violatingthe performance requirements.A simple example of a non-redundant protection scheme with adequate backup is a distribution feeder protected by separate electro-mechanical phase and ground relays.If any single relay fails or is out of service,at least one other relay can still sense any possible feeder fault and initiate a breaker trip.A RAS example would overtrip load if redundant communications facilities are not provided to the different load shed locations. Acceptable conditions to avoid full redundancymight include emergency operating orders to reduce flows on the critical system elements so that the RAS would not need to be armed, resulting in (dispatcher modified)system conditions that no longer require RAS operation for the critical contingency.Such emergency changes would have to be accomplished within 10 minutes for stability limited systems or 30 minutes for thermallylimited systems (WECC 20ReliabilityManagementSystem(RMS),III.E.5),regardless of any previouslyestablished schedules or other contractual obligations.Depending on the anticipated severity,frequency, and duration of system conditions that require dispatcher curtailments,the economics of the situation will often encourage full scheme redundancy. RAS logic processing will usuallyneed to be redundant to assure meeting minimum performance requirements.The scheme designer must consider the power system effects if the controller arming and/or actions do not match.This could result in either an unnecessary scheme operation or failure to operate by one of the systems.Redundantlogic processors should at least provide a "mismatch"alarm and the system operator should be provided with standing orders describing appropriate subsequent procedures. For large and complex RAS,economic scheduling issues are usuallyso important and the consequences of scheme misoperations are so unacceptable that full scheme redundancyis the rule.For example,some schemes use a logic processing design for the first scheme (RAS A) that is a triplyredundant set of programmable logic controllers arranged in a two-of-three voting scheme and the redundant scheme (RAS B)is a second triplyredundant set of programmable logic controllers arranged in a separate two-of-three voting scheme.Arming information based on line flows is provided from A and B sets of transducers or IEDs.The A and B schemes have separate 52b and trip coil sensing at both ends of the critical line(s).To be fully redundant, communications circuits must use independent communication paths,e.g.microwave and fiber- optic. If one controller or other critical component of an otherwise redundant scheme is not available, the conditions under which the single remaining scheme may continue to control system 20operationsareprobablybestidentifiedinWECC's RMS Criteria Agreement.All of the RMS specifically applies to identified WECC Paths and Section I specifically applies following misoperations of RAS or equipment protection.However,the operating philosophy after removing equipment from service is reasonably applicable for any facilities and whether or not a 21 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 misoperation or other failure has occurred.A summary of the pertinent paragraphs b,c,and d says that: If a fully functional scheme is not available,the facilities must be derated to a reliable operating level. This may require adjustment of the actual operating level. The system may continue to operate at appropriatereduced levels at or below the "no fully functional RAS available"rating indefinitely. The system may be operated without derating on a single remaining non-redundantbut fully functional scheme for up to 20 business days. Some utilities are willing to continue otherwise normal operations with a single fully functional RAS or protection scheme available during an outage of a redundantscheme,as allowed by the RMS.Other utilities are unwillingto operate without a redundantRAS (or protection)available for longer than would be required to switch a third "standby"system into service,or at reduced facility ratings.Either operating philosophy is allowed by the RMS.However each utility should be sure that the same philosophy is applied consistently within its system. Breaker Failure Failure of a circuit breaker to trip when called upon to trip by the RAS,even when equipped with dual trip coils,is considered a credible failure.Followingare some common and acceptable methods to remediate such a failure: Over-operate RAS action,e.g.trip extra generationequivalent to the largest generator or generationsite which may fail to trip. Initiate breaker failure protection.Breaker failure action usuallyoperates additional breakers to isolate the stuck breaker while still performing the RAS action.Any additional tripping should not exacerbate the original power system problem that the RAS is designed to solve (e.g.avoid tripping additional lines.Refer to the System Performance summary at Table 1 of NERC Standard TPL-001-0 through TPL-004-0 and the WECC MORC.)The breaker failure scheme can also add significantlyto the time for a RAS to operate,which may not be acceptable for a high speed transient stability RAS. The scheme designer is not limited to these methods to address failure of a breaker to trip. However,it should be shown that failure of a breakerto trip (or close)will still result in acceptable system performance. 22 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 Communication Circuit Redundancy Communications circuits must be redundant and diverse to provide assurance that the RAS can continue to operate for loss of a single path or piece of equipment.For example,redundant communications circuits would require separate channel banks powered by separately fused DC circuits. If both channels share the same microwave radio tower at a substation that is acceptable,but sharing the same radio path to the next repeater site is acceptable only for systems which have demonstrated extremely high reliability,perhaps a short "spur"hop into the "backbone" communications system.The designer should evaluate actual circuit availability,especially if 17,18anyleasedtelephonecircuitsareused.Availabilityrequirements and communications 21circuitavailabilitycalculationmethods are addressed in the references. Redundant communications circuits will usuallyneed to be on geographically diverse routes where practical.As a protection example,if a specific line requires high speed tripping protection,redundant communications circuits on geographically separate paths are often specified,e.g.a power line carrier signal may be used along with a microwave path.A configuration using optical fiber ground wire (OPGW)and power line carrier on the same line is usuallyacceptable,but may not be preferred if more geographically diverse media alternatives are available.These same path diversityconsiderations apply to RAS applications. MONITORING and ALARMS The Standards require adequate monitoring of all protection systems (includingRAS)so that misoperations and failures can be identified and maintenance personnel can be dispatched in a timely manner to remove failed equipment from service and make repairs.It is the responsibility of the RAS designer /owner to ensure that monitoring is adequate so that appropriate alarms and indications are provided to dispatchers from all RAS sites and equipment.It is especially vital for the dispatcher to know if any parts of the RAS are not redundant,since failure of that equipment would remove at least that part of the RAS from service.Failures within a non- redundant RAS will generally require the dispatcher to adjust the system on an emergency basis so that neither arming of the RAS nor operation of the failed part of the RAS is necessary. 20TheWECCReliabilityManagementSystem(RMS)specifically requires that any protection system or RAS on a bulk power transmission path (BPTP)known or suspected to have misoperated be corrected or removed from service within 22 hours.The remaining single system may be used for all appropriateprotection,includingRAS,as long as the failed system is repaired and returned to service within 20 business days.If a non-redundantprotection system or RAS is removed from service and adequate backup is not available,the protected equipment must be removed from service or system operation modified so that the RAS is not required until the protection or RAS equipment is repaired. 22TheRASdesignerandoperatingpersonnelmusthaveavailableadequatetimestamping of 23 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 RAS functions for the operation of the scheme and its components to document and diagnose operations as correct or incorrect.Scheme indication points may be categorized for this purpose as either "status"or "operating"with different time stamping requirements for each.Time resolution of 2-6 seconds (as might be provided through an EMS)for status points can be satisfactory (faster time resolution is also acceptable).Operating points will require sequence of events recorder(s)using time stamping to a resolution of one millisecond through GPS or similar clocks.As many points as feasible should be monitored so that the performance of the RAS can be evaluated.Minimum logging of scheme indication points shall include: Status Points Operating Points (time resolution 6 sec or less)(time resolution 1 msec) Arming status,·Initiating device operation, Status of operation or test switches,Tone equipment transmitter Equipment self-diagnostics and operation, annunciation,Tone equipment receiver Indication when a manuallyarmed operation, scheme should be armed or may be ·Tripping device operation. disarmed, Status of the equipment before and after the RAS action e.g.breaker status. RAS design and RAS operation are generally unique and often operate on different principles than other protection systems.Monitoring and organizing the status and alarm data appropriately can provide a helpful guide to operating personnel to control and diagnose scheme operations.For example,many owners with significant numbers of RAS design specific screens in their EMS to aid dispatchers in operating each RAS.Such screens may confirm scheme availability,summarize the arming status of the scheme and status of each action location,allow the dispatchers to arm or disarm the scheme,change locations to be armed for action,and list or summarize any alarms and their impact on the scheme. COORDINATION with PROTECTION,OTHER RAS,and CONTROL SYSTEMS EquipmentProtection Often the purposes of RAS and equipment protection are different enough that little or no coordination,in the traditional sense used by protection engineers,may be necessary between the functions of each.However,RAS operation that depends on functions that are performed by protection relays will require a careful review.Protection /RAS interactions may include: System configuration changes due to RAS operation that might affect protective relay 24 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 functions such as distance relay overcurrent supervision,breaker failure pickup,potential source switching,or other functions. If studies indicate that sustained low voltages in conjunctionwith elevated line flows may be expected during RAS operation,confirm that any protection settings on affected lines shall not cause cascading outages related to the low system voltages.This concern was given recent visibilityby the 1996 WSCC disturbances and the resulting RWG paper 23"Application of Zone 3 Distance Relays on Transmission Lines"and by NERC's 24Recommendation8AZone3requirements resulting from the August 2003 eastern North America disturbance. Designated out-of-step tripping devices should be provided on all components at planned system separation locations (out-of-step cut-planes).These devices should not operate on recoverable swings and should be coordinated to prevent tripping outside of the actual out-of-step cut-plane. The WECC system has experiencedintensive synchronous swings and out-of-step conditions resulting in cascading outages due to undesired operation of distance relay protection.Out-of-step blocking features should be used for distance relays away from identified out-of-step cut-planes if they may otherwise operate during system swings. Another coordination example is a RAS that triggers action after an unsuccessful automatic reclose attempt on a transmission line.The RAS time delay after sensing the line outage but before initiating action must be longer than the breaker open interval,or the RAS action could be triggered by a positive status indication that the reclosing function has locked out.Successful single-or three-phase reclosing may allow temporary faults to clear and avoid the need for RAS actions.An unsuccessful reclose attempt may still require remedial action. Multiple Applicationsin a Single Device Many of today's microprocessor relays,programmable logic controllers,and other logic processors are highly flexible in allowing the user to program features necessary for specific applications.Various devices may be useful for both equipment protection and RAS operation. RAS functions could be easily programmed in available relays or logic controllers that are also used for equipment protection. Mixingequipment protection and RAS functions in the same device raises separate coordination issues,especially related to operations and maintenance.Routine protection testing or changes could impact the availability and operation of the RAS.Observe the followingprecautions if protection and RAS functions are to be provided in the same device: Undesired operation of equipment protection relays has historicallybeen an important cause of major disturbances characterized by intense swings,low voltages,and out-of- step conditions.The RAS is the next line of defense for the system.RAS security may be significantlyimproved when RAS devices are separate from equipment protection relays. 25 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 There should be some association between the protection and RAS functions,e.g.line open status as a trigger for RAS action could be monitored by relays protecting that line terminal and the status could be communicated over the same relay-to-relay communication channel as is used for the line protection scheme. The device must be clearlylabeled to identify the RAS functionality. Procedures and/or monitoring must notify the dispatcher prior to any modifications or testing in the device. Procedures and/or monitoring must notify the dispatcher prior to the device being removed from service. Procedures and/or monitoring must identify the impact that the outage or modification has on RAS operation. Procedures for testing protection logic and RAS logic after software upgrades. The effect of one scheme on the other,e.g.disabling one (protection)function may disable the other (RAS)function. Other Remedial Action Schemes Separate RAS may share certain loads and/or generationto be shed when RAS action is necessary.The scheme planners and designers need to closely examine such applications to be certain that such "shared"action will not result in shedding less load or generation (or other required action)than necessary for any credible contingencies. Energy ManagementSystems An EMS-basedRAS is a form of mixingcontrol and RAS functions in a single device.A utility's EMS is more often used to provide dispatcher control commands,RAS arming calculations,and monitoring,but is also occasionally used for logic processing and scheme execution.Some RAS applications are not appropriatethrough the EMS,and even acceptable applications must be done with more care than for most other EMS applications. A significant technical limit on EMS applicability to RAS is primarily related to data scan time between the EMS and remote RTUs (typically 2 to 4 seconds).The "round trip"of information from sensing status and levels,determining required action,and executing the action must be estimated to require at least 4 seconds (or twice the scan time).The followingprecautions must be kept in mind in applying EMS-based RAS: An EMS timing estimate of at least three to five times the scan time may provide an acceptable margin. The EMS cannot be fast enough to process logic and trigger RAS action to solve system transient stability related problems. Voltage control,thermal loading,or other problems that do not require action for at least 26 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 6-10 seconds or longer may be possible applications for an EMS-based RAS. An EMS-basedRAS does not let the RAS owner avoid the scheme redundancy requirements described above. Other technical and operating issues that must be addressed for an EMS-based RAS include: The EMS-basedRAS must operate correctlyeven during wide-scale system disturbances that may tend to overburden the EMS with system operations and alarms. Consider the RAS impact if the EMS is unavailable. Even with an otherwise acceptable EMS-basedRAS,a redundant non-EMS-based RAS may be required to ensure that the scheme operates properly even if the SCADA system data fails to update,as happened in the August 2003 Northeast blackout. The effects of loss of the DC source that powers the EMS must be considered. Validation methods for the incoming data must be considered,e.g.compare flow at both ends of a line and determine the appropriate response when a significant difference occurs,such as applying advanced state estimation methods.As a control example,if the EMS is used for automatic generation control,loss of telemetry data from an intertie or generationplant could ramp other generators up or down when such a change is not required. Some operations and maintenance issues may be more difficult to address with an EMS- based RAS than for a separate system design.For example: o Routine programming updates of the EMS data bases must be done with special attention to the effects on arming or triggering the RAS,or disabling it. o Routine programming updates of the RTUs that include RAS functions must be done with special attention to the affects on RAS operation. o Routine field operations that usuallyhave no immediate effect,such as lifting wiring or opening a test switch for a breaker status indication input to an RTU could trigger RAS action if that action is dependent on the breaker status indication to the RTU. The operational precautions listed above for mixing RAS and protection functions in a single device must also be followed when implementing a RAS through an EMS. OPERATIONS and TEST PROCEDURES Planners,designers,and/or dispatchers must provide a description and operating procedures for the RAS to guide operations and maintenance personnel in the proper operation of the scheme. These descriptions and operating procedures will guide development of installation and test procedures,aid interpretation of alarm and status messages,and help identify scheme operations as correct or mcorrect. The WECC normallyrequires annual testing of RAS applied on facilities listed in the Path 27 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 Catalog.WECC does not specify a test interval for most other protection schemes.Some utilities include a successful scheme operation within the previous six months (or some other specified period)as a successful scheme test.The owners of RAS that do not require WECC review may determine the scheduled test intervals. Usuallyroutine tests are easier to schedule when the RAS would not be armed due to system conditions (such as low intertie flows).These tests should be end-to-end in the sense that the scheme is manuallyarmed,the initiating outage (or other event)is manuallyperformed,and logic,communications,and actions at all sites are monitored for correct operation.It is not necessary to actuallydrop load or generation (if that is the RAS action)as long as an acceptable alternate test procedure is available (such as prior transfer of targeted load to another circuit)to prove the functionalityof the "action"breakers. Some utilities design their schemes specifically to make testing for scheme initiation,logic,and action fast,easy,safe,consistent,and nearly automatic from a single location through additional logic and test or operations switches.Automated testing tends to work better for smaller schemes because it is easier to define the worst case scenarios that are most critical to scheme operation. For large and complex schemes,it is especially important to identify critical scenarios in the test procedures and test the RAS as a system,though it can be impractical to test all features of the RAS over the full range of system operating conditions.The object in designing the test procedure will be to identify and test the conditions for arming,detection,activation,and completion that will cover the extreme system conditions for which the RAS is designed to protect the system. WECC REVIEW The WECC has a formal review and approval process in place,as required by the NERC/WECC Standards,to evaluate new and modified RAS.The Remedial Action Scheme Reliability Subcommittee provides this review.The primaryfunction of the RASRS is to promote the 25reliabilityofRASwithinWECCbyprovidingamultidisciplinaryoverview: For new and significantlymodified schemes. As requested by technical committees. For special technical problems regarding RAS outside the scope of other Subcommittees and Work Groups. Underfrequency load shedding schemes designed in compliance with the WECC Coordinated UFLS plan,'safety nets,local RAS,and out of step protection normallyhave not required further WECC review. 28 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 Remedial action schemes required to be reviewed through this WECC process are those for which: Failure would result in bulk transmission system performance in a neighboring entity outside the limits of WECC performance requirements. Failure would result in bulk transmission system performance outside the limits of WECC performance requirements within a scheme owner's system if requested by the owner or if deemed necessary by other Regional technical committees. The WECC review shall be completed Before the scheme is initiallyput into service. Before significant modifications or extensions are made to an existing RAS: o If the modifications involve new system simulation studies, o If the scheme functionalitychanges, o When new input or output locations are added or existing locations are removed, o When a major component or system architecture change is required, o Modifications will not result in scheme failure becoming a credible event, o For retirement of a WECC-approved RAS. If the RAS owner is not sure whether a change is significant enough to require WECC review,the issues should be discussed with the Chair of the RAS ReliabilitySubcommittee. The Chair,or at the Chair's discretion,all or part of the Subcommittee will decide whether further review is needed. In the event of certain types of scheme failure,e.g.correct scheme operation,but failure to meet performance standards. Minor modifications to existing RAS are not required to go through this formal review,but will be documented by the owner through the annual WECC RMS program and the RAS catalog. NERC/WECC Standards require a functional review at least every five years for each scheme. This requirement can be met for a WECC-approved scheme by the owner's internal review and confirmation through the RMS program that all scheme requirements are still satisfied,and no changes in either requirements or implementation have occurred that require further review by the RASRS.When a RAS has not required previous review by WECC or is not part of the RMS,the NERC Standards will still apply.The owner should perform and document an internal review as specified in the Standards. 6ThemostrecentversionoftheRASRS's review document is available on the WECC web site. The RAS designer should fill out a copy of this document and submit it and other related 29 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 documentation to the Chair of the Subcommittee in preparation for scheme review. Subcommittee review consists of a presentationby the owner's RAS design team and detailed technical discussion of the RAS's features,includingany coordination with protection or other schemes,and any limitations.Scheme approval by the RASRS and confirmation by WECC is (intended)to be obtained before the owner can depend on the RAS to solve the problems for which it was designed. A preliminarydesign review by the RASRS may be feasible when time allows before the scheme has to be in service.The RASRS and some scheme designers have found such preliminaryreviews helpful.The designer often is able to more efficiently accommodate the RASRS's concerns in the final scheme design and the RASRS can expeditethe final review and approval. 30 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 System Problems Control Methods (RAS Objectives)(Remedial Actions) Generator Dropping I Overfrequency y Braking Resistor Insertion R e Equipment Turbine Fast Valving Overload - Turbine Power Angular Ramping Instability e Fast DC Trans /Link Poor Oscillation -and Phase Shifter i'CControlDamping n System Separation tOutofStepr o Hydro,Gas Turbine,Underfrequency,Pumped Storage StartSlowFrequency Recovery R Load Dropping e Voltage Generator Excitation Instability Forcing e Capacitor and Reactor Undervoltage,Switching Slow Voltage Recovery Advanced Reactive r Support (SVC,etc)C oOvervoltage----n Open-end Line Trip r Loss of System iIntegritySystem/Load Restoration Measures FIGURE 1.Common RAS Objectives and Control Methods 31 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 REFERENCES [www addresses as given are subject to change or removal from the site] 1.WECC Relay Work Group,"Review of System Disturbances -2003,""Review of System Disturbances -2002,""Review of 2000-2001 System Disturbances,"and "1998-99 WSCC Disturbance Report Review," http://www.wecc.biz/documents/library/RWGl2003 Disturbances RWG Report Final.p df Mtp:llwww.wecc.biz/documents/library/RWGl2002 WECC Disturbances Review 5-26- 2005 Clean-correct link2.pdf http:llwww.wecc.biz/documents/library/RWGIRelay Work Group Review of 2000- 2001 Disturbances Aqenda Item X.pdf http://www.wecc.biz/documents/library/RWGIRWG-Review WSCC Disturbances 1998- 99.pdf 2.North American Electric Reliability Council,"NERC Planning Standards,"September 1997 3.North American Electric Reliability Council,"Approved Standards",08/08/05.http://www.nerc.com/~filez/standards/Reliability Standards.html 4.WECC,RELIABILITY CRITERIA,Part I,NERC/WECC Planning Standards,"April 2005 http://www.wecc.biz/documents/library/procedures/CriteriaMaster.pdf 5.WECC,"RWG Installation and Maintenance Guide,3/7/2002 http://www.wecc.biz/documents/library/RWG/rwg_installation_and_maintenance_guide. pdf 6."WECC Remedial Action Scheme Reliability Task Force Procedure to Submit a RAS for Assessment by the Task Force -Revised by the RASTF in September 2001" http://www.wecc.biz/documents/library/RAS/WECC_RAS_Approval_Procedure_9- 2001.pdf 7.Karlsson,Daniel and Xavier Waymel editors,"System Protection Schemes in Power Networks,"CIGRE Task Force 38.02.19,June 2001 8.NPCC,"Special Protection System Criteria,"Document A-11,November 14,2002, https://www.npcc.orqlpublicFiles/reliability/criteriaGuidesProcedures/newlA-11.pdf 9.MAAC,"MAAC Special Protection System Criteria,"Document A-3,June 29,2000, http://www.maac-rc.orql 10.WECC,"WECC Coordinated Off-Nominal Frequency Load Shedding and Restoration Plan,"revised December 5,2003 11.WECC,"Southern Island Load Tripping Plan,"July 22,1997 12.WECC,"Underfrequency Load Shedding Application Guide,"revised August3, 2004 32 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 13.WECC,"WECC Policy Regarding Extreme Contingencies and Unplanned Events,"May 31,2002,http://www.wecc.bizldocuments/library/procedures/WECCPOLICY12.pdf 14.WECC,"Minimum Operating ReliabilityCriteria (MORC),"revised April 6,2005. http:llwww.wecc.bizldocumentsliibrary/proceduresloperatinqlWECCReliability Criteria MORC.pdf 15.IEEE Power System Relaying Committee,Work Group D6,"Power System and Out-of-StepConsiderations on Transmission Lines,"July 19,2005, http:llwww.pes-psrc.org/ 16.WECC Disturbance Monitoring Work Group,"WSCC Plan for Dynamic Performance and Disturbance Monitoring,"October 4,2004, http:llwww.wecc.bizldocuments/library/disturbancelDMWG/WECCPlan.pdf 17.WECC,"Communications Systems Performance Guide for Protective Relaying Applications,"November 21,2002. http://www.wecc.bizldocuments/library/procedures/CommPerf Guide for Rela vs.pdf 18.WECC,"Critical Communications Circuits -Guidelines for Design ,"revised 10/11/02, http://www.wecc.biz/documents/library/TELCOM/design_ofcritical comm ckts word2K rev 10-11-02.doc 19.North American Electric Reliability Council,"Critical Infrastructure Protection", 05/02/06,Standards CIP-002-1 through CIP-009-1, ftp:llwww.nerc.com/pub/syslallupdllstandards/rs/CIP-002-1.pdf ftp:llwww.nerc.com/pub/syslallupdllstandards/rs/CIP-003-1.pdf ftp:llwww.nerc.com/pub/syslallupdllstandards/rs/CIP-004-1.pdf ftp:llwww.nerc.com/pub/syslallupdllstandards/rs/CIP-005-1.pdf ftp://www.nerc.com/pub/syslallupdllstandards/rs/CIP-006-1.pdf ftp:llwww.nerc.com/pub/syslallupdllstandards/rs/CIP-007-1.pdf ftp:llwww.nerc.com/pub/syslallupdllstandards/rs/CIP-008-1.pdf ftp:llwww.nerc.com/pub/syslallupdllstandards/rs/CIP-009-1.pdf 20.WECC,"RMS Criteria Agreement-Amended 05-01-05 ,"http:llwww.wecc.biz/documents/library/RMS/WECC_Criteria_AgreementFinal 0 7-01-05.pdf 21.WECC Critical Circuit AvailabilityCalculation Appendixrev.11-18-05,http:llwww.wecc.bizldocuments/library/TELCOM/WECC%20Critical%20Circuit% 20Availabiity%20Calculation%20Appendix%20rev.%2011-18-05.doc 22.WECC,"WECC Guideline for Time Synchronization of Protection,Control and 33 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix C-Remedial Action Scheme Design Guide,November 28,2006 Monitoring ,"http://www.wecc.biz/documents/standardslundergoing_comment/WECC_Guideli ne_For_Time_Synchronizationof Protection Control &Monitoring.pdf 23.WECC,"Application of Zone 3 Distance Relays on Transmission Lines," September10,1997, http://www.wecc.bizldocuments/library/RASlapplicationofzone3 distance rela ys on transmission lines.pdf 24.North American Electric Reliability Council,"Board ApprovedBlackout Recommendations -February 10,2004" ftp:llwww.nerc.com/pub/syslall_updl/docs/blackout/BOARDAPPROVED BLAC KOUT_RECOMMENDATIONS_021004.pdf 25.Vahid Madani,WECC,"Remedial Action Schemes Application and ImplementationRequirements&Performance Assessment Measures,"October 25,2001. http://www.wecc.biz/documents/library/RAS/RASRTF-Function- October_2001.ppt Approved By: Approvinq Committee,Entity or Person Date Operating Committee November 28,2006 Reformatted Document March 9,2011 Remedial Action Scheme Subcommittee June 6,2006 34 of 34 PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1 WECC Standard PRC-004-WECC-1 -Protection System and Remedial Action Scheme Misoperation A.Introduction 1.Title:Protection System and Remedial Action Scheme Misoperation 2.Number:PRC-004-WECC-1 3.Purpose:Regional Reliability Standardto ensure all transmission and generation Protection System and Remedial Action Scheme (RAS)Misoperations on Transmission Paths and RAS defined in section 4 are analyzedand/or mitigated. 4.Applicability 4.1.Transmission Owners of selected WECC major transmission path facilities and RAS listed in tables titled "Major WECC Transfer Paths in the Bulk Electric System"provided at https://www.wecc.biz/Reliabilitv/TableMajorPaths4-28-08.pdf and "Major WECC Remedial Action Schemes (RAS)"provided at https://www.wecc.biz/Reliability/TableMajorRAS4-28-08.pdf. 4.2.GeneratorOwners that own RAS listed in the Table titled "Major WECC Remedial Action Schemes (RAS)"provided at https://www.wecc.biz/Reliability/TableMajorRAS4-28-08.pdf. 4.3.Transmission Operatorsthat operate major transmission path facilities and RAS listed in Tables titled "Major WECC Transfer Paths in the Bulk Electric System"provided at https://www.wecc.biz/Reliabilitv/TableMajorPaths4-28-08.pdf and "Major WECC Remedial Action Schemes (RAS)"provided at https://www.wecc.biz/Reliability/TableMajorRAS4-28-08.pdf. 5.Effective Date:On the first day of the second quarter following applicable regulatory approval. B.Requirements The requirementsbelow only apply to the major transmission paths facilities and RAS listed in the tables titled "Major WECC Transfer Paths in the Bulk Electric System"and "Major WECC Remedial Action Schemes (RAS)." R.1.System Operatorsand System Protection personnel of the Transmission Owners and GeneratorOwners shall analyze all Protection System and RAS operations.[Violation Risk Factor:Lower][Time Horizon:Operations Assessment] R1.1.System Operators shall review all tripping of transmission elements and RAS operations to identify apparentMisoperations within 24 hours. R1.2.System Protection personnel shall analyze all operations of Protection Systems and RAS within 20 business days for correctness to characterizewhether a Misoperation has occurred that may not havebeen identified by System Operators. R.2.TransmissionOwnersand GeneratorOwners shall perform the following actions for each Misoperation of the Protection System or RAS.It is not intended that Requirements R2.1 through R2.4 apply to Protection System and/or RAS actions that appear to be entirely reasonableand correct at the time of occurrence and associated system performance is fully compliant with NERC Reliability Standards.If the Transmission Owner or Generator Owner later finds the Protection System or RAS operation to be incorrect through System Protection personnelanalysis,the requirementsof R2.1 through R2.4 become applicable at the time the Adopted by Board of Trustees:October 29,2008 1 Revised hyperlinks 11-7-2014 PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1 WECC Standard PRC-004-WECC-1 -Protection System and Remedial Action Scheme Misoperation Transmission Owner or GeneratorOwner identifies the Misoperation: R2.1.If the Protection System or RAS has a Security-Based Misoperation and two or more Functionally Equivalent Protection Systems (FEPS)or Functionally Equivalent RAS (FERAS)remain in service to ensure Bulk Electric System (BES)reliability,the Transmission Owners or GeneratorOwners shall remove from service the Protection System or RAS that misoperated within 22 hours following identification of the Misoperation.Repair or replacementof the failed Protection System or RAS is at the Transmission Owners'and Generator Owners'discretion.[Violation Risk Factor: High][Time Horizon:Same-dayOperations] R2.2.If the Protection System or RAS has a Security-BasedMisoperation and only one FEPS or FERAS remains in service to ensure BES reliability,the Transmission Owner or Generator Owner shall perform the following.[Violation Risk Factor: High][Time Horizon:Same-dayOperations] R2.2.1.Following identification of the Protection System or RAS Misoperation, TransmissionOwnersand GeneratorOwnersshall remove from service within 22 hours for repair or modification the Protection System or RAS that misoperated. R2.2.2.The Transmission Owner or Generator Owner shall repair or replace any Protection System or RAS that misoperatedwith a FEPS or FERAS within 20 business days of the date of removal.The Transmission Owner or GeneratorOwner shall remove the Element from service or disable the RAS if repair or replacement is not completed within 20 business days. R2.3.If the Protection System or RAS has a Security-Based or Dependability-Based Misoperation and a FEPS and FERAS is not in service to ensure BES reliability, Transmission Owners or GeneratorOwners shall repair and place back in service within 22 hours the Protection System or RAS that misoperated.If this cannot be done,then Transmission Owners and Generator Owners shall perform the following. [Violation Risk Factor:High][Time Horizon:Same-day Operations] R2.3.1.When a FEPS is not available,the Transmission Owners shall remove the associated Element from service. R2.3.2.When FERAS is not available,then 2.3.2.1.The Generator Owners shall adjust generation to a reliable operating level,or 2.3.2.2.Transmission Operators shall adjust the SOL and operatethe facilities within establishedlimits. R2.4.If the Protection System or RAS has a Dependability-Based Misoperation but has one or more FEPS or FERAS that operatedcorrectly,the associated Element or transmission path may remain in service without removing from service the Protection System or RAS that failed,provided one of the following is performed. R2.4.1.Transmission Owners or GeneratorOwners shall repair or replace any Protection System or RAS that misoperatedwith FEPS and FERAS within 20 business days of the date of the Misoperation identification,or R2.4.2.Transmission Owners or GeneratorOwners shall remove from service the associated Element or RAS.[Violation Risk Factor:Lower][Time Horizon:Operations Assessment] Revised hyperlinks 11-7-2014 PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1 R.3.Transmission Owners and Generation Owners shall submit Misoperation incident reports to Adopted by Board of Trustees:October 29,2008 2 Revised hyperlinks 11-7-2014 PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1 WECC Standard PRC-004-WECC-1 -Protection System and Remedial Action Scheme Misoperation WECC within 10 business days for the following.[Violation Risk Factor:Lower][Time Horizon:Operations Assessment] R3.1.Identification of a Misoperation of a Protection System and/or RAS, R3.2.Completion of repairs or the replacementof Protection System and/or RAS that misoperated. C.Measures Each measure below applies directly to the requirementby number. M1.Transmission Owners and Generation Owners shall have evidence that they reported and analyzedall Protection System and RAS operations. M1.1 Transmission Owners and Generation Owners shall have evidence that System Operating personnel reviewed all operations of Protection System and RAS within 24 hours. M1.2 Transmission Owners and Generation Owners shall have evidence that System Protection personnel analyzed all operations of Protection System and RAS for correctness within 20 business days. M2.Transmission Owners and GenerationOwners shall have evidence for the following. M2.1 Transmission Owners and Generation Owners shall have evidence that they removed the Protection System or RAS that misoperatedfrom service within 22 hours following identification of the Protection System or RAS Misoperation. M2.2 Transmission Owners and Generation Owners shall have evidence that they removed from service and repaired the Protection System or RAS that misoperatedper measurements M2.2.1 through M2.2.2. M2.2.1 Transmission Owners and Generation Owners shall have evidencethat they removed the Protection System or RAS that misoperatedfrom servicewithin 22 hours following identification of the Protection System or RAS Misoperation. M2.2.2 Transmission Owners and Generation Owners shall have evidencethat they repaired or replaced the Protection System or RAS that misoperated within 20 business days or either removed the Element from service or disabled the RAS. M2.3 The Transmission Owners and GenerationOwners shall have evidencethat they repaired the Protection System or RAS that misoperated within 22 hours following identification of the Protection System or RAS Misoperation. M2.3.1 The Transmission Owner shall have evidencethat it removed the associated Elementfrom service. M2.3.2 The GeneratorOwners and Transmission Operatorsshall have documentation describing all actions taken that adjusted generation or SOLs and operatedfacilities within establishedlimits. M2.4 Transmission Owners and Generation Owners shall have evidence that they repaired or replacedthe Protection System or RAS that misoperatedincluding documentation that describes the actions taken. M2.4.1 Transmission Owners and Generation Owners shall have evidencethat they repaired or replaced the Protection System or RAS that misoperated Revised hyperlinks 11-7-2014 PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1 within 20 business days of the misoperation identification. Adopted by Board of Trustees:October 29,2008 3 Revised hyperlinks 11-7-2014 PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1 WECC Standard PRC-004-WECC-1 -Protection System and Remedial Action Scheme Misoperation M2.4.2 Transmission Owners and Generation Owners shall have evidence that they removed the associated Elementor RAS from service. M3.Transmission Owners and Generation Owners shall have evidence that they reported the following within 10 business days. M3.1 Identification of all Protection System and RAS Misoperations and corrective actions taken or planned. M3.2 Completion of repair or replacementof Protection System and/orRAS that misoperated. D.Compliance 1.Compliance Monitoring Process 1.1 Compliance MonitoringResponsibility Compliance Enforcement Authority 1.2 Compliance MonitoringPeriod Compliance Enforcement Authority may use one or more of the following methods to assess compliance: -Misoperation Reports -Reports submitted quarterly -Spot check audits conducted anytime with 30 days notice given to prepare -Periodic audit as scheduled by the Compliance Enforcement Authority -Investigations -Other methods as provided for in the Compliance MonitoringEnforcement Program 1.2.1 The Performance-resetPeriod is one calendar month. 1.3 Data Retention Reliability Coordinators,Transmission Owners,and Generation Owners shall keep evidence for Measures M1 and M2 for five calendaryears plus year to date. 1.4.Additional Compliance Information None. 2.Violation Severity Levels R1 Lower Moderate High Severe Revised hyperlinks 11-7-2014 PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1 Adopted by Board of Trustees:October 29,2008 4 Revised hyperlinks 11-7-2014 PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1 WECC Standard PRC-004-WECC-1 -Protection System and Remedial Action Scheme Misoperation System Operating personnel System Operating personnel of System Protection personnel System Protection of the Transmission Owner the Transmission Owner or of the Transmission Owner personnel of the or Generator Owner did not Generator Owner did not and Generator Owner did Transmission Owner or reviewthe Protection reviewthe Protection System not analyze the Protection Generator Owner did not System Operation or RAS operation or RAS operation System operation or RAS analyze the Protection operation within 24 hours within six business days.operation within 20 business System operation or RAS but did reviewthe days but did analyze the operation within 25 Protection System Protection System operation business days. Operation or RAS operation or RAS operation within 25 within six business days.business days. R2.1 and R2.2.1 Lower Moderate High Severe The Transmission Owner The Transmission Owner and The Transmission Owner The Transmission Owner and Generator Owner did Generator Owner did not and Generator Owner did and Generator Owner did not remove from service,remove from service,repair,not performthe removal not performthe removal repair,or implement other or implement other from service,repair,or from service,repair,or compliance measures for the compliance measures for the implement other compliance implement other Protection System or RAS Protection System or RAS that measures for the Protection compliance measures for that misoperated as required misoperated as required in less System or RAS that the Protection System or within 22 hours but did than 24 hours but did perform misoperated as required in RAS that misoperated as performthe requirements the requirements within 28 less than 28 hours but did required within 32 hours. within 24 hours.hours.performthe requirements within 32 hours. R2.3 Lower Moderate High Severe The Transmission Operator The Transmission Operator The Transmission Operator The Transmission and Generator Owner did and Generator Owner did not and Generator Owner did Operator and Generator not adjust generation to a adjust generation to a reliable not adjust generation to a Owner did not adjust reliable operating level,operating level,adjust the reliable operating level,generation to a reliable adjust the SOL and operate SOL and operate the facilities adjust the SOL and operate operating level,adjust the the facilities within within established limits or the facilities within SOL and operate the established limits or implement other compliance established limits or facilities within implement other compliance measures for the Protection implement other compliance established limits or measures for the Protection System or RAS that measures for the Protection implement other System or RAS that misoperated as required in less System or RAS that compliance measures for misoperated as required than 24 hours but did perform misoperated as required in the Protection System or within 22 hours but did the requirements within 28 less than 28 hours but did RAS that misoperated as performthe requirements hours.performthe requirements required within 32 hours. within 24 hours.within 32 hours. R2.2.2 and R2.4 Lower Moderate High Severe Revised hyperlinks 11-7-2014 PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1 Adopted by Board of Trustees:October 29,2008 5 Revised hyperlinks 11-7-2014 PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1 WECC Standard PRC-004-WECC-1 -Protection System and Remedial Action Scheme Misoperation The Transmission Owner The Transmission Owner and The Transmission Owner The Transmission Owner and Generator Owner did Generator Owner did not and Generator Owner did and Generator Owner did not performthe required performthe required repairs,not performthe required not performthe required repairs,replacement,or replacement,or system repairs,replacement,or repairs,replacement,or system operation operation adjustment to system operation adjustment system operation adjustments to comply with comply with the requirements to comply with the adjustments to comply the requirements within 20 within 25 business days but requirements within 28 with the requirements business days but did did performthe required business days but did within 30 business days. performthe required activities within 28 business performthe required activities within 25 business days.activities within 30 business days.days. R3.1 Lower Moderate High Severe The Transmission Owner The Transmission Owner and The Transmission Owner The Transmission Owner and Generator Owner did Generator Owner did not and Generator Owner did and Generator Owner did not report the Misoperation report the Misoperation and not report the Misoperation not report the and corrective actions taken corrective actions taken or and corrective actions taken Misoperation and or planned to comply with planned to comply with the or planned to comply with corrective actions taken or the requirements within 10 requirements within 15 the requirements within 20 planned to comply with business days but did business days but did perform business days but did the requirements within performthe required the required activities within performthe required 25 business days. activities within 15 business 20 business days.activities within 25 business days.days. R3.2 Lower Moderate High Severe The Transmission Owner The Transmission Owner and The Transmission Owner The Transmission Owner and Generator Owner did Generator Owner did not and Generator Owner did and Generator Owner did not report the completion of report the completion of repair not report the completion of not report the completion repair or replacement of or replacement of Protection repair or replacement of of repair or replacement Protection System and/or System and/or RAS that Protection System and/or of Protection System RAS that misoperated to misoperated to comply with RAS that misoperated to and/or RAS that comply with the the requirements within 15 comply with the misoperated to comply requirements within 10 business days of the requirements within 20 with the requirements business days of the completion but did perform business days of the within 25 business days of completion but did perform the required activities within completion but did perform the completion. the required activities within 20 business days.the required activities within 15 business days.25 business days. Version History -Shows ApprovalHistory and Summary of Changes in the Action Field Version Date Action Change Tracking 1 April 16,2008 PermanentReplacement Standardfor PRC-STD-001-1 and PRC-STD-003-1 Revised hyperlinks 11-7-2014 PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1 Adopted by Board of Trustees:October 29,2008 6 Revised hyperlinks 11-7-2014 PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1 WECC Standard PRC-004-WECC-1-Protection System and RemedialAction Scheme Misoperation 1 April 21,2011 FERC Order issued approving PRC- 004-WECC-1 (approval effective June 27,2011) Revised hyperlinks 11-7-2014 PacifiCorp Procedure 304,Remedial Action Schemes --Appendix D-PRC-004-WECC-1 Adopted by Board of Trustees:October 29,2008 7 Revised hyperlinks 11-7-2014 PacifiCorp Procedure 304,Remedial Action Schemes Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013 WE CC Document name Remedial Action Scheme Review and Assessment Plan PRC-(012 through 014)-WECC-CRT-2 Regional Criterion Category ()Regional Reliability Standard (X )Regional Criterion ()Regional Business Practice ()Policy ()Guideline ()Report or other ()Charter Document date September 17,2013 Adoptedlapproved by WECC Board of Directors Date adoptedlapproved September 17,2013 Custodian (entity responsible for Standards maintenance and upkeep) Stored/filed Approved Regional Criteria Previous namelnumber (if any)This document supersedes WECC-0055,PRC-012 through 014 WECC-CRT-1.The name has not been changed. Status (X)in effect January 1,2014 Version Control Version Date Action Change Highlights 1 6/22/2011 WECC Board approved Version 1 to meet NERC FITB requirements. 2 9/17/2013 WECC Board approved Version 2 to meet Blackout recommendations. Adds more reporting requirements. PacifiCorp Procedure 304,Remedial Action Schemes Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013 Remedial Action Scheme Review and Assessment Plan PRC-(012 through 014)-WECC-CRT-2 WECC A.Introduction 1.Title:Remedial Action Scheme Review and Assessment Plan WECC Criterion 2.Number:PRC-012 through 14-WECC-CRT-2 3.Purpose:To:1)establish a documented Remedial Action Scheme (RAS) review procedure to ensure compliance per PRC-012-0,2) establish a RAS database per PRC-013-0,and 3)meet the Regional ReliabilityOrganization /Reliability Assurer requirements of PRC-014-0. This regional criterion was developedpursuant to North American Electric ReliabilityCorporation (NERC)ReliabilityStandards PRC- 012-0 (Special Protection System Review Procedure),PRC-013-0 (Special Protection System Database)and PRC-014-0 (Special Protection System Assessment).Violation of this criterion may result in a violation of the any of the above mentioned NERC ReliabilityStandards.Violation of NERC ReliabilityStandards may result in financial penaltiesimposed by NERC. 4.Applicability: For purposes of this document,the ApplicableEntity designated in the Reporting Party field of Attachment A to this document is the ApplicableEntity for purposes of each Requirementwherein the "Reporting Party"is used as the ApplicableEntity.The ApplicableEntity used in the Reporting Party field must be selected from 4.1.through 4.3.below. 4.1 Transmission Owner 4.2 Generator Owner 4.3 Distribution Provider 4.4 Reliability Assurer (WECC) Developedas WECC-0096 Page 2 PacifiCorp Procedure 304,Remedial Action Schemes Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013 Remedial Action Scheme Review and Assessment Plan PRC-(012 through 014)-WECC-CRT-2 5.Effective Date:January 1,2014 B.Requirements and Measures: WR1.The Reliability Assurer (WECC)shall create and maintain a WECC Remedial Action Scheme Database containing,at a minimum,the information described on the WECC Remedial Action Scheme Information Sheet (AttachmentA). WM1.The Reliability Assurer (WECC)shall produce the WECC Remedial Action Scheme Database containing the information provided on the WECC Remedial Action Scheme Information Sheet (AttachmentA)as required in WR1. WR2.Each Reporting Party shall completeand forward the data described in the WECC Remedial Action Scheme Information Sheet (AttachmentA)to the ReliabilityAssurer (WECC)no later than 90 days after the Effective Date of this document.(PRC-012-0,R1.1;See also PRC-012-0,R1.2) WM2.Each Reporting Party shall produce evidence that a completedWECC Remedial Action Scheme Information Sheet (AttachmentA)required in WR2:1)was submitted to the ReliabilityAssurer (WECC),2)by the designatedReporting Party listed in the Reporting Party field of Attachment A,and 3)was provided to the Reliability Assurer (WECC)no later than 90 days after the Effective Date of this document. Evidence may include but is not limited to a dated copy of database information described in Attachment A including dated correspondence of transmittal of the database information from the Reporting Party to the ReliabilityAssurer (WECC). WR3.The ReliabilityAssurer (WECC)shall designatethe Remedial Action Scheme Reliability Subcommittee (RASRS),or its successor,as the entity responsible for the WECC review procedure for proposed and existing RASs within the Western Interconnection to meet the NERC performance requirements of TPL- 001 --TPL-003,or its successor and Regional criteria.(PRC-012-0,R.1.8) WM3.The Reliability Assurer (WECC)shall produce evidence that it designated the RASRS,or its successor,as the entity responsible for the review procedure for proposed and existing RASs within the Western Interconnection as required in WR3. Evidence may include but is not limited to annotations in the minutes of the Operating Committee or the RASRS,or correspondence between Developedas WECC-0096 Page 3 PacifiCorp Procedure 304,Remedial Action Schemes Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013 Remedial Action Scheme Review and Assessment Plan PRC-(012 through 014)-WECC-CRT-2 WECC staff and either the chair of the Operating Committee or the RASRS so indicating that designation. WR4.Each Reporting Party shall use the process as established by the RASRS to submit a RAS for review. WM4.Each Reporting Party shall provide evidence that it used the process as established by the RASRS to submit a RAS for review,in accordance with WR4 above. Evidence may include,but is not limited to,annotations in the minutes of the Operating Committee or the RASRS,or correspondence between WECC staff and either the chair of the Operating Committee or the RASRS so indicating adherence to the process. WR5.The ReliabilityAssurer (WECC)shall instruct the RASRS or its successor to ensure that each RAS reviewed meets,at a minimum,the following:(PRC-012- 0,R1.8) 1)The LAPS and WAPS are designed so that a single componentfailure,when the LAPS or the WAPS is intended to operate,does not preventany portion of the interconnected transmission system within WECC from meeting the performance requirements defined in NERC Reliability Standards TPL-001- 0,TPL-002-0,and TPL-003-0,or its successor.(PRC-012-0,R1.3.) 2)Inadvertent operation of the RAS meets the same performance requirement (TPL-001-0,TPL-002-0,and TPL-003-0,or their successors)as that required of the contingency for which it was designed,and does not exceed TPL-003- 0,or its successor.(PRC-012-0,R1.4) 3)The proposed RAS will coordinate with other protection and control systems and applicable WECC emergency procedures.(PRC-012-0,R1.5) WM5.The Reliability Assurer (WECC)shall produce evidence that it instructed the RASRS (or its successor),to ensure that each RAS reviewed met,at a minimum,each of the elements listed in WR5 above. Evidence may include,but is not limited to,annotations in the minutes of the Operating Committee or the RASRS,or correspondence between WECC staff and either the chair of the Operating Committee or the RASRS so indicating that designation. Developedas WECC-0096 Page 4 PacifiCorp Procedure 304,Remedial Action Schemes Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013 Remedial Action Scheme Review and Assessment Plan PRC-(012 through 014)-WECC-CRT-2 WR6.The ReliabilityAssurer (WECC)shall designatethe Operating Committee (OC), or its successor,as the entity responsible to approve the WECC review procedure for proposed and existingRASs within the Western Interconnection, based upon receipt of a positive recommendation of the RASRS.(PRC-012-0, R.1.8) WM6.The ReliabilityAssurer (WECC)shall produce evidence that it designated the Operating Committee (OC),or its successor,as the entity responsible to approve the review procedure for proposed and existing RASs within the Western Interconnection,per WR6 above. Evidence may include,but is not limited to,annotations in the minutes of the Operating Committee or the RASRS,or correspondence between WECC staff and either the chair of the Operating Committee or the RASRS so indicating that designation. WR7.The Reliability Assurer (WECC)shall instruct the RASRS,or its successor,to review a RAS at the level of a WAPS,when requested to do so by the Operating Committee. WM7.The Reliability Assurer (WECC)shall produce evidence that it instructed the RASRS,or its successor,to review a RAS at the level of a WAPS, when requested to do so by the Operating Committee,per WR7 above. Evidence must include production of the request and correspondence between the ReliabilityAssurer (WECC)and the chair of the RASRS,or its successor,indicating the content of the instruction. WR8.Each Reporting Party shall review the WECC Remedial Action Scheme Database for accuracy and report any changes (or lack thereof),modifications, retirements or expansionsof its RAS to the ReliabilityAssurer,no later than December 31 of each calendar year.(PRC-012-0,R1.2) WMS.Each Reporting Party shall produce evidence that it:1)reviewed the WECC Remedial Action Scheme Database in accordance with WR8,and 2)reported evidence of that review to the Reliability Assurer (WECC) through the Reporting Party listed in the Reporting Party field of the WECC Remedial Action Scheme Information Sheet (AttachmentA)no later than December 31 of each calendar year. Developedas WECC-0096 Page 5 PacifiCorp Procedure 304,Remedial Action Schemes Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013 Remedial Action Scheme Review and Assessment Plan PRC-(012 through 014)-WECC-CRT-2 Evidence may include,but is not limited to,reports describing the review and the dates it took place,and correspondence between the Reporting Party and the Reliability Assurer (WECC)reflecting the required content. WR9.Each Reporting Party shall submit any additions,changes,modifications, retirements,or expansionsof its RAS,to the RASRS or its successor,prior to placing the RAS or its changes into service. WM9.Each Reporting Party shall produce evidence that it submitted to the RASRS all proposed RAS changes per WR9,prior to placing the RAS or changes to an existing RAS into service. Evidence may include but is not limited to:1)dated correspondence between the Reporting Party and either the chair of the Operating Committee or the chair of the RASRS describing the RAS in question and its proposed date of service,or 2)production of studies run to establish and update seasonal System Operating Limits impacting the RAS. WR10.Each Transmission Owner,each Generation Owner,and each Distribution Provider shall assess its RAS(s)for operation,coordination and effectiveness, at least once each five years. WM10.This Requirementis to ensure assessment takes place on a periodic basis;reportinq of that assessment is addressed in WR11 and WM11. Each Transmission Owner,each Generation Owner,and each Distribution Provider shall produce evidence that it assessed its RAS(s) per WR10,at least once each five years. Evidence that the assessment was conducted includes,at a minimum, production of a completedAttachment B of this document showing the results of the WR10 assessment. Evidence may also include but is not limited to:1)dated correspondence between the Reporting Party and either the chair of the Operating Committee or the chair of the RASRS describing the RAS in question and its proposed date of service,or 2)production of studies run to establish and update seasonal System Operating Limits impacting the RAS. Developedas WECC-0096 Page 6 PacifiCorp Procedure 304,Remedial Action Schemes Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013 Remedial Action Scheme Review and Assessment Plan PRC-(012 through 014)-WECC-CRT-2 As to the completiondate,for example,if the most recent WR10 assessment took place in June 2007,the next required assessment will be no later than June 2012. WR11.Each Reporting Party shall report the RAS assessment,required in WR10 above,by sending a completedAttachment B of this criterion to the Reliability Assurer (WECC)no later than December 31 of the calendar year in which the assessment was completed. WM11.This Requirementis to ensure reportinq takes place on a periodic basis; assessment of the RAS(s)is addressed in WR10 and WM10. Each Reporting Party shall produce evidence that it reported the results of its RAS(s)assessment required under WR10 of this document,by forwarding a completedversion of Attachment B of this document,to the ReliabilityAssurer (WECC),no later than December 31 of the calendar year in which the assessment was completed. As to the completiondate,for example,if the most recent WR10 assessment took place in June 2007,the next required assessment will be no later than June 2012,with reporting to WECC no later than December 31,2012. WR12.Each Reporting Party shall retain documentation to supportAttachment B data for the most recent assessment study reported and provide that data to WECC within 30 days upon request. WM12.This Requirernentis to ensure data retention to supportthe assessment summary reported under WR11 and Attachrnent B. Each Reporting Party shall produce evidence that it retained the documentation required in WR12,for the time period specified,and where applicable,that it provided the specified data to WECC within the prescribed period. Evidence may include but is not limited to a dated copy of assessment information supporting Attachment B including dated correspondence of transmittal of the supporting information from the Reporting Party to the ReliabilityAssurer (WECC). Developedas WECC-0096 Page 7 PacifiCorp Procedure 304,Remedial Action Schemes Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013 Remedial Action Scheme Review and Assessment Plan PRC-(012 through 014)-WECC-CRT-2 Attachment A WECC Remedial Action Scheme Information Sheet This WECC Remedial Action Scheme Information Sheet is to be completedin accordance with this document by the Reporting Party identified in accordance with the assignment prioritization described in the Report Party Explanationfield of this Attachment. Explanationsfor Attachment A are contained in the followingtable. The reporting templateand instructions for filing of this Attachment can be obtained from the WECC web site. The contents of Attachment A constitute the minimum data included in the WECC RAS Database.This document shall not be interpreted as prohibiting the expansionof the WECC RAS Database to include information beyond that contained in Attachment A. Remedial Action Scheme Information Sheet Explanations Data Item Explanation Reporting Party The Transmission Owner is the Reporting Party. Where there is not a Transmission Owner that owns a portion of the RAS,the Generator Owner becomes the Reporting Party. Where there is not a Transmission Owner or a Generator Owner that owns a portion of the RAS,the Distribution Provider becomes the Reporting Party. When applying the above prioritization,if multipleentities (e.g.multiple Transmission Owners in the first described tier)own a portion of the RAS,those multipleentities may designatea single entity from that group to serve as the Reporting Party.If a single Reporting Party is not designated,all of the entities of the specified prioritization tier become responsible as the Reporting Party. I = RAS Name Provide the name by which the Reporting Party references the scheme. Developedas WECC-0096 Page 8 PacifiCorp Procedure 304,Remedial Action Schemes Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013 Remedial Action Scheme Review and Assessment Plan PRC-(012 through 014)-WECC-CRT-2 Classification WAPS (Wide Area Protection Scheme),LAPS (Local Area Protection Scheme),or Safety Net (SN)as initially classified by the Transmission Owner(s),Generator Owner(s)and Distribution Provider(s)that owns all or part of an existing or proposed RAS as reported by the Reporting Party.(Thatinitial classification is subjectto review by the RASRS.) Major WECC RAS If this scheme is in WECC Reliability Standard PRC-STD-003,Table 3,Major WECC RAS List,enter the number from the list.If the scheme is not on the Major WECC RAS List,enter NA. Operating If the Transmission Owner(s),Generator Owner(s)and Distribution Procedure Provider(s)that owns all or part of an existingor proposed RAS as reported by the Reporting Party has a written operating procedure for this scheme,provide the identifying procedure number or title.If no operating procedure is available,enter NONE or NA. Design Objectives Data required to describe Design Objectives-contingencies and system conditions for which the scheme was designed. Operation Data required describing Operation -The actions taken by the scheme in response to Disturbance conditions. Modeling Data required for adequateModeling -Information on detection logic or relay settingsthat control operation of the scheme. Original In Service Enter the year that the scheme originally went into service,not Year including any subsequentupgrades or other modifications.If specific records are not available,a best estimate such as "early 1980's"is acceptable. Recent Assessment Identify the group (typically the Transmission Owner(s),Generator Group Owner(s)and Distribution Provider(s)that owns all or part of an existingor proposed RAS as reported by the Reporting Party that performed the most recent assessment of scheme operation, coordination and effectiveness. Recent Assessment Enter the date of the most recent assessment performed (mmlyyyy) Date that evaluated scheme operation,coordination and effectiveness. Developedas WECC-0096 Page 9 PacifiCorp Procedure 304,Remedial Action Schemes Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013 Remedial Action Scheme Review and Assessment Plan PRC-(012 through 014)-WECC-CRT-2 Attachment B WECC RAS Initial or Periodic Assessment Summary Information on Attachment B will be used by the RASRS to ensure proper analysis,operation, coordination and effectiveness of the RAS. Althoughthe content of Attachment A and Attachment B are both provided to WECC,it is only the content of Attachment A that constitutes the minimum data to be contained in the WECC RAS Database.This criterion shall not be interpreted as prohibiting the expansionof the WECC RAS Database to include information beyond that contained in Attachment A. RAS Name Reporting Party (The Reporting Party for this entry will alwaysbe the same as the Reporting Party entry listed in the Reporting Party field of Attachment A.) Group Conducting this RAS Assessment Assessment Date Review the scheme purpose and impact to ensure proper classification,is it (still)necessary,does it serve the intended purposes,and does it continue to meet current performance requirements. This RAS assessment included the following: Study Years System Conditions Contingencies analyzed (select what applies) N-1 N-1-1 N-2 Extreme Date when the technical studies were completed Does this RAS comply with NERC standards and WECC Criteria? Discuss any coordination problemsfound between Developedas WECC-0096 Page 10 PacifiCorp Procedure 304,Remedial Action Schemes Appendix E-PRC-(012 through 014)-WECC-CRT-2 Regional Criterion September 17,2013 Remedial Action Scheme Review and Assessment Plan PRC-(012 through 014)-WECC-CRT-2 this RAS and other protection and control systems during this (most recent)assessment. Provide a Corrective Action Plan if this RAS was found to be non-compliantor had coordination problemsduring this (most recent)assessment (should be NA for owner's initial assessment). Developedas WECC-0096 Page 11 PacifiCorp Procedure 304,Remedial Action Schemes Appendix F-PRC-015-0 Standard PRC-015-0 -Special Protection System Data and Documentation A.Introduction 1.Title:Special Protection System Data and Documentation 2.Number:PRC-015-0 3.Purpose:To ensure that all Special Protection Systems (SPS)are properly designed,meet performance requirements,and are coordinated with other protection systems.To ensure that maintenanceand testing programs are developed and misoperations are analyzed and corrected. 4.Applicability: 4.1.Transmission Owner that owns an SPS 4.2.Generator Owner that owns an SPS 4.3.Distribution Provider that owns an SPS 5.Effective Date:April 1,2005 B.Requirements R1.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall maintain a list of and provide data for existing and proposed SPSs as specified in Reliability StandardPRC-013-0 Rl. R2.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall have evidence it reviewed new or functionallymodified SPSs in accordance with the Regional Reliability Organization's proceduresas defined in Reliability StandardPRC-012-0_Rl prior to being placed in service. R3.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall provide documentation of SPS data and the results of Studies that show compliance of new or functionallymodified SPSs with NERC Reliability Standards and Regional Reliability Organization criteria to affected Regional Reliability Organizations and NERC on request (within 30 calendar days). C.Measures M1.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall have evidence it maintains a list of and provides data for existing and proposed SPSs as defined in Reliabili StandardPRC-013-0 Rl. M2.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall have evidence it reviewed new or functionallymodified SPSs in accordance with the Regional Reliability Organization's proceduresas defined in Reliability StandardPRC-012-0_Rl prior to being placed in service. M3.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall have evidence it provided documentation of SPS data and the results of studies that show compliance of new or functionallymodified SPSs with NERC standards and Regional Reliability Organization criteria to affected Regional Reliability Organizations and NERC on request(within 30 calendardays). D.Compliance 1.Compliance MonitoringProcess 1.1.Compliance MonitoringResponsibility Adopted by NERC Board of Trustees:February8,2005 1 of 2 Effective Date:April 1,2005 PacifiCorp Procedure 304,Remedial Action Schemes Appendix F-PRC-015-0 Standard PRC-015-0 -Special Protection System Data and Documentation Compliance Monitor:Regional Reliability Organization. 1.2.Compliance MonitoringPeriod and Reset Timeframe On request (within 30 calendar days). 1.3.Data Retention None specified. 1.4.Additional Compliance Information None. 2.Levels of Non-Compliance 2.1.Level 1:SPS owners provided SPS data,but was incomplete according to the Regional Reliability Organization SPS database requirements. 2.2.Level 2:SPS owners provided results of studies that show compliance of new or functionallymodified SPSs with the NERC Planning Standards and Regional Reliability Organization criteria,but were incomplete according to the Regional Reliability Or anization roceduresfor Reliabili StandardPRC-012-0 Rl.8 P ty 2.3.Level 3:Not applicable. 2.4.Level 4:No SPS data was provided in accordancewith Regional Reliability Organization SPS database requirements for Standard PRC-012-0_R1,or the results of studies that show compliance of new or functionallymodified SPSs with the NERC Reliability Standards and Regional Reliability Organization criteria were not provided in accordance with Regional Reliability Organization proceduresfor Reliability Standard PRC-012-0 Rl. E.Regional Differences 1.None identified. Version History Version Date Action Change Tracking 0 April 1,2005 Effective Date New Adopted by NERC Board of Trustees:February8,2005 2 of 2 Effective Date:April 1,2005 PacifiCorp Procedure 304,Remedial Action Schemes Appendix F-PRC-015-0 *FOR INFORMATIONAL PURPOSES ONLY * Enforcement Dates:Standard PRC-015-0 -Special Protection System Data and Documentation United States Standard Requirement Enforcement Date inactive Date PRC-015-0 All 06/18/2007 Printed On:December 15,2014,02:48 PM PacifiCorp Procedure 304,Remedial Action Schemes Appendix G-PRC-017-0 Standard PRC-017-0 -Special Protection System Maintenance and Testing A.Introduction 1.Title:Special Protection System Maintenance and Testing 2.Number:PRC-017-0 3.Purpose:To ensure that all Special Protection Systems (SPS)are properly designed,meet performance requirements,and are coordinated with other protection systems.To ensure that maintenanceand testing programs are developed and misoperations are analyzed and corrected. 4.Applicability: 4.1.Transmission Owner that owns an SPS 4.2.Generator Owner that owns an SPS 4.3.Distribution Provider that owns an SPS 5.Effective Date:April 1,2005 B.Requirements R1.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall have a system maintenance and testing program(s)in place.The program(s)shall include: R1.1.SPS identification shall include but is not limited to: R1.1.1.Relays. R1.1.2.Instrument transformers. R1.1.3.Communications systems,where appropriate. R1.1.4.Batteries. R1.2.Documentation of maintenanceand testing intervals and their basis. R1.3.Summary of testing procedure. R1.4.Schedule for system testing. R1.5.Schedule for system maintenance. R1.6.Date last tested/maintained. R2.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall provide documentation of the program and its implementation to the appropriate Regional Reliability Organizations and NERC on request(within 30 calendar days). C.Measures M1.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall have a system maintenance and testing program(s)in place that includes all items in Reliability StandardPRC-017-0 Rl. M2.The Transmission Owner,Generator Owner,and Distribution Provider that owns an SPS shall have evidence it provided documentation of the program and its implementation to the appropriate Regional Reliability Organizations and NERC on request (within 30 calendar days). Adopted by NERC Board of Trustees:February8,2005 1 of 2 Effective Date:April 1,2005 PacifiCorp Procedure 304,Remedial Action Schemes Appendix G-PRC-017-0 Standard PRC-017-0 -Special Protection System Maintenance and Testing D.Compliance 1.Compliance MonitoringProcess 1.1.Compliance MonitoringResponsibility Compliance Monitor:Regional Reliability Organization.Each Region shall report compliance and violations to NERC via the NERC Compliance Reporting process. Timeframe: On request (30 calendar days.) 1.2.Compliance MonitoringPeriod and Reset Timeframe Compliance Monitor:Regional Reliability Organization. 1.3.Data Retention None specified. 1.4.Additional Compliance Information None. 2.Levels of Non-Compliance 2.1.Level 1:Documentation of the maintenance and testing program was incomplete,but records indicate implementation was on schedule. 2.2.Level 2:Complete documentation of the maintenance and testing program was provided,but records indicate that implementation was not on schedule. 2.3.Level 3:Documentation of the maintenance and testing program was incomplete,and records indicate implementation was not on schedule. 2.4.Level 4:Documentation of the maintenance and testing program,or its implementation,was not provided. E.Regional Differences 1.None identified. Version History Version Date Action Change Tracking 0 April 1,2005 Effective Date New Adopted by NERC Board of Trustees:February8,2005 2 of 2 Effective Date:April 1,2005 PacifiCorp Procedure 304,Remedial Action Schemes Appendix G-PRC-017-0 *FOR INFORMATIONAL PURPOSES ONLY * Enforcement Dates:Standard PRC-017-0 -Special Protection System Maintenance and Testing United States Standard Requirement Enforcement Date inactive Date PRC-017-0 All 06/18/2007 03/31/2027 Printed On:December 15,2014,02:50 PM PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance A.Introduction 1.Title:Protection System Maintenance 2.Number:PRC-005-2 3.Purpose:To document and implement programs for the maintenanceof all Protection Systems affecting the reliability of the Bulk Electric System (BES)so that these Protection Systems are kept in working order. 4.Applicability: 4.1.Functional Entities: 4.1.1 Transmission Owner 4.1.2 Generator Owner 4.1.3 Distribution Provider 4.2.Facilities: 4.2.1 Protection Systems that are installed for the purpose of detecting Faults on BES Elements (lines,buses,transformers,etc.) 4.2.2 Protection Systems used for underfrequency load-shedding systems installed per ERO underfrequency load-shedding requirements. 4.2.3 Protection Systems used for undervoltage load-shedding systems installed to prevent system voltage collapse or voltage instability for BES reliability. 4.2.4 Protection Systems installed as a Special Protection System (SPS)for BES reliability. 4.2.5 Protection Systems for generatorFacilities that are part of the BES,including: 4.2.5.1 Protection Systems that act to trip the generatoreither directly or via lockout or auxiliary tripping relays. 4.2.5.2 Protection Systems for generatorstep-up transformers for generatorsthat are part of the BES. 4.2.5.3 Protection Systems for transformers connecting aggregatedgeneration, where the aggregatedgeneration is part of the BES (e.g.,transformers connecting facilities such as wind-farms to the BES). 4.2.5.4 Protection Systems for station service or excitation transformers connectedto the generatorbus of generatorswhich are part of the BES,that act to trip the generatoreither directly or via lockout or tripping auxiliaryrelays. 5.Effective Date:See Implementation Plan B.Requirements R1.Each Transmission Owner,Generator Owner,and Distribution Provider shall establish a Protection System Maintenance Program (PSMP)for its Protection Systems identified in Section 4.2.[Violation Risk Factor:Medium][Time Horizon:Operations Planning] 1 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance The PSMP shall: 1.1.Identify which maintenancemethod (time-based,Component Type -Any one ofperformance-basedper PRC-005 Attachment A,or a .the five specific elements of thecombination)is used to address each Protection .Protection System definition.System Component Type.All batteries associated with the station de supply Component Type of a Protection System shall be included in a time-basedprogram as described in Table 1-4 and Table 3. 1.2.Include the applicable monitored .Component -A componentis any individualComponentattributesappliedtoeachdiscretepieceofequipmentincludedinaProtectionSystemComponentType...Protection System,including but not limited toconsistentwiththemaintenanceintervals ..a protective relay or current sensingdevice.specified in Tables 1-1 through 1-5,The designation ofwhat constitutes a controlTable2,and Table 3 where monitoring is circuit component is very dependentupon howusedtoextendthemaintenanceintervals -an entity performs and tracks the testing of thebeyondthosespecifiedforunmonitoredcontrolcircuitry.Some entities test theirProtectionSystemComponents.control circuits on a breaker basis whereas R2.Each Transmission Owner,Generator Owner,others test their circuitry on a local zone of and Distribution Provider that uses protection basis.Thus,entities are allowed performance-basedmaintenanceintervals in its the latitude to designate their own definitions PSMP shall follow the procedure establishedin ofcontrolcircuitcomponents.Another PRC-005 Attachment A to establish and example ofwhere the entity has some maintain its performance-basedintervals.discretion on determining what constitutes a [Violation Risk Factor:Medium][Time single component is the voltage and current Horizon:Operations Planning]sensingdevices,where the entity may choose .either to designatea full three-phaseset ofR3.Each Transmission Owner,Generator Owner, ...such devices or a single device as a singleandDistributionProviderthatutilizestime-component.based maintenanceprogram(s)shall maintain its Protection System Components that are included within the time-basedmaintenance program in accordance with the minimum maintenance activities and maximum maintenance intervals prescribed within Tables 1-1 through 1-5,Table 2,and Table 3.[Violation Risk Factor:High][Time Horizon:Operations Planning] R4.Each Transmission Owner,GeneratorOwner,and Distribution Provider that utilizes performance-basedmaintenanceprogram(s)in accordancewith Requirement R2 shall implement and follow its PSMP for its Protection System Componentsthat are included within the UnresolvedMaintenance Issue -A performance-basedprogram(s).[Violation Risk deficiency identified during a Factor:High][Time Horizon:Operations maintenance activity that causes the Planning]component to not meet the intended R5.Each Transmission Owner,Generator Owner,and performance,cannot be corrected Distribution Provider shall demonstrateefforts to during the maintenance interval,and correct identified Unresolved Maintenance Issues.requiresfollow-upcorrective action. [Violation Risk Factor:Medium][Time Horizon: Operations Planning] 2 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance C.Measures M1.Each Transmission Owner,Generator Owner and Distribution Provider shall have a documentedProtection System Maintenance Program in accordance with Requirement Rl. For each Protection System Component Type,the documentation shall include the type of maintenancemethod applied (time-based,performance-based,or a combination of these maintenancemethods),and shall include all batteries associated with the station de supply Component Types in a time-basedprogram as describedin Table 1-4 and Table 3.(Part 1.1) For Component Types that use monitoring to extend the maintenanceintervals,the responsible entity(s)shall have evidence for each protection Component Type (such as manufacturer's specifications or engineering drawings)of the appropriate monitored Component attributes as specified in Tables 1-1 through 1-5,Table 2,and Table 3.(Part 1.2) M2.Each Transmission Owner,GeneratorOwner,and Distribution Provider that uses performance- based maintenanceintervals shall have evidencethat its current performance-based maintenanceprogram(s)is in accordance with Requirement R2,which may include but is not limited to Component lists,dated maintenancerecords,and dated analysis records and results. M3.Each Transmission Owner,GeneratorOwner,and Distribution Provider that utilizes time- based maintenanceprogram(s)shall have evidencethat it has maintained its Protection System Components included within its time-basedprogram in accordance with Requirement R3.The evidencemay include but is not limited to dated maintenancerecords,dated maintenance summaries,dated check-off lists,dated inspection records,or dated work orders. M4.Each Transmission Owner,GeneratorOwner,and Distribution Provider that utilizes performance-basedmaintenanceintervals in accordance with Requirement R2 shall have evidencethat it has implemented the Protection System Maintenance Program for the Protection System Componentsincluded in its performance-basedprogram in accordance with Requirement R4.The evidence may include but is not limited to dated maintenancerecords, dated maintenance summaries,dated check-off lists,dated inspection records,or dated work orders. M5.Each Transmission Owner,GeneratorOwner,and Distribution Provider shall have evidence that it has undertaken efforts to correct identified Unresolved Maintenance Issues in accordance with Requirement R5.The evidencemay include but is not limited to work orders, replacementComponent orders,invoices,project schedules with completed milestones,return material authorizations (RMAs)or purchase orders. D.Compliance 1.Compliance MonitoringProcess 1.1.Compliance Enforcement Authority Regional Entity 1.2.Compliance Monitoringand Enforcement Processes: Compliance Audit Self-Certification Spot Checking Compliance Investigation Self-Reporting Complaint 3 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance 1.3.Evidence Retention The following evidence retention periods identify the period of time an entity is required to retain specific evidence to demonstratecompliance.For instances where the evidence retention period specified below is shorter than the time since the last audit,the Compliance Enforcement Authority may ask an entity to provide other evidence to show that it was compliant for the full time period since the last audit. The Transmission Owner,Generator Owner,and Distribution Provider shall each keep data or evidence to show compliance as identified below unless directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation. For Requirement Rl,the Transmission Owner,GeneratorOwner,and Distribution Provider shall each keep its current dated Protection System Maintenance Program,as well as any superseded versions since the preceding compliance audit,including the documentation that specifies the type of maintenanceprogram applied for each Protection System Component Type. For Requirement R2,Requirement R3,Requirement R4,and Requirement R5,the Transmission Owner,Generator Owner,and Distribution Provider shall each keep documentation of the two most recent performances of each distinct maintenanceactivity for the Protection System Component,or all performances of each distinct maintenance activity for the Protection System Component since the previous scheduledaudit date, whichever is longer. The Compliance Enforcement Authority shall keep the last audit records and all requestedand submitted subsequent audit records. 1.4.Additional Compliance Information None. 4 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance 2.Violation Severity Levels R1 The responsible entity's PSMP failed The responsible entity's PSMP The responsible entity's PSMP The responsible entity failed to to specify whether one Component failed to specify whether two failed to include the applicable establish a PSMP. Type is being addressed by time-Component Types are being monitoringattributes applied to each OR based or performance-based addressed by time-based or Protection System Component Type The responsible entity failed tomaintenance,or a combination of performance-based maintenance,or consistent with the maintenance both.(Part 1.1)a combination of both.(Part 1.1)intervals specified in Tables 1-1 specify whether three or more OR through 1-5,Table 2,and Table 3 Component Types are being addressed by time-based or .where monitoringis used to extendTheresponsibleentity's PSMP failed performance-based maintenance,orthemaintenanceintervalsbeyondtoincludeapplicablestationbatteriesacombinationofboth.(Part 1.1).those specified for unmonitoredinatime-based program.(Part 1.1)Protection System Components. (Part 1.2). R2 The responsible entity uses NA The responsible entity uses The responsible entity uses performance-based maintenance performance-based maintenance performance-based maintenance intervals in its PSMP but failed to intervals in its PSMP but failed to intervals in its PSMP but: reduce Countable Events to no more reduce Countable Events to no more 1)Failed to establish the technicalthan4%within three years.than 4%within four years·justification described within Requirement R2 for the initial use of the performance-based PSMP OR 2)Failed to reduce Countable Events to no more than 4% within five years OR 3)Maintained a Segment with less than 60 Components OR 4)Failed to: Annuallyupdate the list of Components, OR 5 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Annuallyperform maintenance on the greater of 5%of the segment population or 3 Components, OR Annually analyze the program activities and results for each Segment. R3 For Protection System Components For Protection System Components For Protection System Components For Protection System Components included within a time-based included within a time-based included within a time-based included within a time-based maintenance program,the maintenance program,the maintenance program,the maintenance program,the responsible entity failed to maintain responsible entity failed to maintain responsible entity failed to maintain responsible entity failed to maintain 5%or less of the total Components more than 5%but 10%or less of the more than 10%but 15%or less of more than 15%of the total included within a specific Protection total Components included within a the total Components included Components included within a System Component Type,in specific Protection System within a specific Protection System specific Protection System accordance with the minimum Component Type,in accordance Component Type,in accordance Component Type,in accordance maintenance activities and maximum with the minimum maintenance with the minimum maintenance with the minimum maintenance maintenance intervals prescribed activities and maximum activities and maximum activities and maximum within Tables 1-1 through 1-5,Table maintenance intervals prescribed maintenance intervals prescribed maintenance intervals prescribed 2,and Table 3.within Tables 1-1 through 1-5,within Tables 1-1 through 1-5,Table within Tables 1-1 through 1-5, Table 2,and Table 3.2,and Table 3.Table 2,and Table 3. R4 For Protection System Components For Protection System Components For Protection System Components For Protection System Components included within a performance-based included within a performance-included within a performance-based included within a performance- maintenance program,the based maintenance program,the maintenance program,the based maintenance program,the responsible entity failed to maintain responsible entity failed to maintain responsible entity failed to maintain responsible entity failed to maintain 5%or less of the annual scheduled more than 5%but 10%or less of the more than 10%but 15%or less of more than 15%of the annual maintenance for a specific Protection annual scheduled maintenance for a the annual scheduled maintenance scheduled maintenance for a System Component Type in specific Protection System for a specific Protection System specific Protection System accordance with their performance-Component Type in accordance Component Type in accordance with Component Type in accordance based PSMP.with their performance-based their performance-based PSMP.with their performance-based PSMP.PSMP. R5 The responsible entity failed to The responsible entity failed to The responsible entity failed to The responsible entity failed to undertake efforts to correct 5 or undertake efforts to correct greater undertake efforts to correct greater undertake efforts to correct greater fewer identifiedUnresolved than 5,but less than or equal to 10 than 10,but less than or equal to 15 than 15 identified Unresolved 6 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Requirement Lower VSL Moderate VSL High VSL Severe VSL Number 7 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance E.Regional Variances None F.SupplementalReference Document The following documentspresenta detailed discussion about determination of maintenanceintervals and other useful information regarding establishmentof a maintenanceprogram. 1.PRC-005-2 Protection System Maintenance Supplementary Referenceand FAQ -July 2012. Version History Version Date Action Change Tracking 0 April 1,2005 Effective Date New I December 1,1.Changed incorrect use of certain 01/20/05 2005 hyphens (-)to "en dash"(-)and "em dash (-)." 2.Added "periods"to items where appropriate. 3.Changed "Timeframe"to "Time Frame" in item D,1.2. la February 17,Added Appendix 1 -Interpretation Project 2009-17 2011 regarding applicabilityof standardto interpretation protection of radially connected transformers la February 17,Adopted by Board of Trustees 2011 la September26,FERC Order issued approving interpretation 2011 of Rl and R2 (FERC's Order is effective as of September26,2011) 1.la February 1,Errata change:Clarified inclusion of Revision under Project 2012 generator interconnection Facility in 2010-07 GeneratorOwner's responsibility lb February 3,FERC Order issued approving Project 2009-10 2012 interpretation of Rl,R1.1,and Rl.2 Interpretation(FERC's Order dated March 14,2012). Updated version from la to lb. 1.lb April 23,2012 Updated standard version to 1.lb to reflect Revision under Project FERC approval of PRC-005-lb.2010-07 8 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance 1.lb May 9,2012 PRC-005-1.lb was adoptedby the Board of Trustees as part of Project 2010-07 (GOTO). 2 November 7,Adopted by Board of Trustees Complete revision, 20 12 absorbing maintenance requirements from PRC- 005-lb,PRC-008-0, PRC-011-0,PRC-017-0 2 October 17,Errata Change:The Standards Committee 2013 approved an errata change to the implementation plan for PRC-005-2 to add the phrase "or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities;"to the second sentence under the "Retirement of Existing Standards"section. 2 December 19,FERC Order issued approving PRC-005-2. 2013 (Order becomes effective 2/24/14.See Implementation Plan for Compliance details.) 9 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Table 1-1 Component Type -Protective Relay Excluding distributed UFLS and distributed UVLS (see Table 3) Maximum Component Attributes Maintenance Maintenance Activities Interval For all unmonitored relays: Verify that settings are as specified For non-microprocessor relays: Any unmonitored protective relay not having all the monitoringattributes 6 calendar Test and,if necessary calibrate of a category below.years For microprocessor relays: Verify operation of the relay inputs and outputs that are essential to proper functioningof the Protection System. Verify acceptable measurement of power system input values. VerifyMonitoredmicroprocessorprotectiverelaywiththefollowing: ...Settings are as specified.Internal self-diagnosis and alarming (see Table 2). .12 calendar Operation of the relay inputs and outputs that are essential toVoltage and/or current waveform sampling three or more times per . .years proper functioningof the Protection System.power cycle,and conversion of samples to numeric values for measurement calculations by microprocessor electronics.Acceptable measurement of power system input values. Alarming for power supply failure (see Table 2). For the tables in this standard,a calendar year starts on the first day of a new year (January 1)after a maintenance activity has been completed. For the tables in this standard,a calendar month starts on the first day of the first month after a maintenance activity has been completed. 10 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Table 1-1 Component Type -Protective Relay Excluding distributed UFLS and distributed UVLS (see Table 3) Maximum Component Attributes Maintenance Maintenance Activities Interval Monitoredmicroprocessor protective relay with preceding row attributes and the following: Ac measurements are continuously verifiedby comparison to an independent ac measurement source,with alarming for excessive error Verify only the unmonitored relay inputs and outputs that are (See Table 2).12 calendar essential to proper functioningof the Protection System. Some or all binary or status inputs and control outputs are monitored years by a process that continuously demonstrates ability to performas designed,with alarming for failure (See Table 2). Alarming for change of settings (See Table 2). 11 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance 4 calendar Verify that the communications system is functional.months Any unmonitored communications system necessary for correct operation of protective functions,and not havingall the monitoringattributes of a category Verify that the communications system meets performance below.criteria pertinent to the communications technology applied (e.g. 6 calendar signal level,reflected power,or data error rate).years Verify operation of communications system inputs and outputs that are essential to proper functioningof the Protection System. Verify that the communications system meets performance Any communications system with continuous monitoringor periodic criteria pertinent to the communications technology applied (e.g. automated testing for the presence of the channel function,and alarming for 12 calendar signal level,reflected power,or data error rate). loss of function (See Table 2).years Verify operation of communications system inputs and outputs that are essential to proper functioningof the Protection System. Any communications system with all of the following: Continuous momtoring or periodic automated testing for the performance of the channel using criteria pertinent to the communications technology .Verify only the unmonitored communications system inputs andapplied(e.g.signal level,reflected power,or data error rate,and alarming 12 calendar .. .outputs that are essential to proper functioningof the Protectionforexcessiveperformancedegradation).(See Table 2)years System Some or all binary or status inputs and control outputs are monitored by a process that continuously demonstrates ability to performas designed, with alarming for failure (See Table 2). 12 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Table 1-3 Component Type -Voltage and Current Sensing Devices Providing Inputs to Protective Relays Excluding distributed UFLS and distributed UVLS (see Table 3) Maximum Component Attributes Maintenance Maintenance Activities Interval Any voltage and current sensing devices not havingmonitoring Verify that current and voltage signal values are providedto the12calendaryearsattributesofthecategorybelow.protective relays. Voltage and Current Sensing devices connected to microprocessor relays with AC measurements are continuously verified by comparison No periodic of sensing input value,as measured by the microprocessor relay,to an maintenance None. independent ac measurement source,with alarming for unacceptable specified error or failure(see Table 2). 13 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Table 1-4(a) Component Type -Protection System Station dc Supply Using Vented Lead-Acid (VLA)Batteries Excluding distributed UFLS and distributed UVLS (see Table 3) Protection System Station de supply used only for non-BES interrupting devices for SPS,non-distributed UFLS systems,or non-distributed UVLS systems is excluded (see Table 1-4(e)). Maximum Component Attributes Maintenance Maintenance Activities Interval Verify: Station de supply voltage 4 Calendar Months Inspect: Electrolyte level For unintentional grounds Verify: Protection System Station de supply using Vented Lead-Acid Float voltage of battery charger (VLA)batteries not havingmonitoringattributes of Table 1- 4(f).Battery continuity Battery terminal connection resistance 18 Calendar Battery intercell or unit-to-unitconnection resistanceMonths Inspect: Cell condition of all individual battery cells where cells are visible - or measure battery cell/unit internal ohmic values where the cells are not visible Physical condition of battery rack 14 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Table 1-4(a) Component Type --Protection System Station dc Supply Using Vented Lead-Acid (VLA)Batteries Excluding distributed UFLS and distributed UVLS (see Table 3) Protection System Station de supply used only for non-BES interrupting devices for SPS,non-distributed UFLS systems,or non-distributed UVLS systems is excluded (see Table 1-4(e)). Maximum Component Attributes Maintenance Maintenance Activities Interval Verify that the station battery can performas manufactured by 18 Calendar evaluating cell/unit measurements indicative of battery performance Months (e.g.internal ohmic values or float current)against the station battery baseline. -or--or- 6 Calendar Years Verify that the station battery can performas manufactured by conducting a performance or modifiedperformance capacity test of the entire battery bank. 15 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Table 1-4(b) Component Type -Protection System Station dc Supply Using Valve-RegulatedLead-Acid (VRLA)Batteries Excluding distributed UFLS and distributed UVLS (see Table 3) Protection System Station de supply used only for non-BES interrupting devices for SPS,non-distributed UFLS systems,or non-distributed UVLS systems is excluded (see Table 1-4(e)). Maximum Component Attributes Maintenance Maintenance Activities Interval Verify: 4 Calendar Months Station de supply voltage Inspect: For unintentional grounds Inspect6CalendarMonths Conditionof all individualunits by measuring battery cell/unit Protection System Station de supply with Valve Regulated internal ohmic values. Lead-Acid (VRLA)batteries not havingmonitoringattributes Verif ·of Table 1-4(f). Float voltage of battery charger Battery continuity 18 Calendar Months Battery terminal connection resistance Battery intercell or unit-to-unit connection resistance Inspect: Physical condition of battery rack 16 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Table 1-4(b) Component Type -Protection System Station dc Supply Using Valve-RegulatedLead-Acid (VRLA)Batteries Excluding distributed UFLS and distributed UVLS (see Table 3) Protection System Station de supply used only for non-BES interrupting devices for SPS,non-distributed UFLS systems,or non-distributed UVLS systems is excluded (see Table 1-4(e)). Maximum Component Attributes Maintenance Maintenance Activities Interval Verify that the station battery can performas manufactured by evaluating cell/unit measurements indicative of battery performance 6 Calendar Months (e.g.internal ohmic values or float current)against the station battery -or-baseline. -or- 3 Calendar Years Verify that the station battery can performas manufactured by conducting a performance or modifiedperformance capacity test of the entire battery bank. 17 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 --Protection System Maintenance Table 1-4(c) Component Type -Protection System Station dc Supply Using Nickel-Cadmium (NiCad)Batteries Excluding distributed UFLS and distributed UVLS (see Table 3) Protection System Station de supply used only for non-BES interrupting devices for SPS,non-distributed UFLS system,or non-distributed UVLS systems is excluded (see Table 1-4(e)). Maximum Component Attributes Maintenance Maintenance Activities Interval Verify: Station de supply voltage 4 Calendar Months Inspect: Electrolyte level For unintentional grounds Verify: .Float voltage of battery chargerProtectionSystemStationdesupplyNickel-Cadmium (NiCad)batteries not havingmonitoringattributes of Table 1-Battery continuity 4(f). 18 Calendar Battery terminal connection resistance Months Battery intercell or unit-to-unitconnection resistance Inspect: Cell condition of all individualbattery cells. Physical condition of battery rack Verify that the station battery can performas manufactured by 6 Calendar Years conducting a performance or modifiedperformance capacity test of the entire batte bank. 18 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Table 1-4(d) Component Type -Protection System Station dc Supply Using Non Battery Based Energy Storage Excluding distributed UFLS and distributed UVLS (see Table 3) Protection System Station de supply used only for non-BES interrupting devices for SPS,non-distributed UFLS system,or non-distributed UVLS systems is excluded (see Table 1-4(e)). Verify: Station de supply voltage 4 Calendar Months Inspect: For unintentional grounds Any Protection System station de supply not using a battery and not havingmonitoringattributes of Table 1-4(f).18 Calendar Months Inspect: Conditionof non-battery based de supply Verify that the de supply can performas manufactured when ac power6CalendarYearsisnotpresent. 19 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 --Protection System Maintenance Table 1-4(e) Component Type -Protection System Station dc Supply for non-BES Interrupting Devices for SPS,non-distributed UFLS,and non- distributed UVLS systems Maximum Component Attributes Maintenance Maintenance Activities Interval Any Protection System de supply used for trippingonly non- BES interruptingdevices as part of a SPS,non-distributed UFLS,or non-distributed UVLS system and not having Verify Station de supply voltage. monitoringattributes of Table 1-4(f). 20 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Any station de supply with high and low voltage monitoring ..No periodic verificationof station de supply voltage isandalarmingofthebatterychargervoltagetodetectcharger. overvoltageand charger failure (See Table 2).required. Any battery based station de supply with electrolyte level No periodic inspection of the electrolyte level for each cell is monitoringand alarming in every cell (See Table 2).required. Any station de supply with unintentional de ground monitoring No periodic inspection of unintentional de grounds is and alarming (See Table 2).required. Any station de supply with charger float voltage monitoring .. ..No periodic verificationof float voltage of battery charger isandalarmingtoensurecorrectfloatvoltageisbeingappliedon. the station de supply (See Table 2).required. Any battery based station de supply with monitoringand No periodic maintenance ... fled No periodic verificationof the battery continuity is required.alarming of battery string continuity (See Table 2).speci Any battery based station de supply with monitoringand .. .No periodic verificationof the intercell and terminalalarmingoftheintercelland/or terminal connection detail connection resistance is required.resistance of the entire battery (See Table 2). Any Valve Regulated Lead-Acid(VRLA)or Vented Lead- Acid (VLA)station battery with internal ohmic value or float No periodic evaluation relativeto baseline of battery cell/unit current monitoringand alarming,and evaluating present values measurements indicativeof battery performance is required to relative to baseline internal ohmic values for every cell/unit verify the station battery can performas manufactured. (See Table 2). No periodic inspection of the condition of all individual units Any Valve Regulated Lead-Acid(VRLA)or Vented Lead-by measuring battery cell/unit internal ohmic values of a Acid (VLA)station battery with monitoringand alarming of station VRLA or Vented Lead-Acid (VLA)battery is each cell/unit internal ohmic value (See Table 2).required. 21 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Trip coils or actuators of circuit breakers,interruptingdevices,or mitigating 6 calendar Verify that each trip coil is able to operate the circuit devices (regardless of any monitoringof the control circuitry).years breaker,interrupting device,or mitigating device. Electromechanical lockout devices which are directly in a trip path from the .6 calendar Verify electrical operation of electromechanical lockoutprotectiverelaytotheinterruptingdevicetripcoil(regardless of any . ..years devices.monitoringof the control circuitry). .12 calendar Verify all paths of the control circuits essential for properUnmonitoredcontrolcircuitryassociatedwithSPS.years operation of the SPS. ..Verify all paths of the trip circuits inclusive of all auxiliaryUnmonitoredcontrolcircuitryassociatedwithprotectivefunctionsinclusiveof12calendar ..relays through the trip coil(s)of the circuit breakers or otherallauxiliaryrelays.years .interrupting devices. Control circuitry associated with protective functions and/or SPS whose No periodic ..maintenance None.integrityis monitored and alarmed (See Table 2).specified 22 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Table 2 -Alarming Paths and Monitoring In Tables 1-1 through 1-5 and Table 3,alarm attributes used to justify extended maximum maintenance intervals and/or reduced maintenance activities are subject to the following maintenance requirements Maximum Component Attributes Maintenance Maintenance Activities Interval Any alarm path through which alarms in Tables 1-1 through 1-5 and Table 3 are conveyed fromthe alarm origin to the location where corrective action can be initiated,and not havingall the attributes of the "Alarm Path with monitoring"Verify that the alarm path conveys alarm signals tocategorybelow.12 Calendar Years a location where corrective action can be initiated. Alarms are reported within 24 hours of detection to a location where corrective action can be initiated. Alarm Path with monitoring: No periodicThelocationwherecorrectiveactionistakenreceivesanalarmwithin24hoursmaintenance None.for failureof any portionof the alarming path from the alarm origin to the specifiedlocationwherecorrectiveactioncanbeinitiated. 23 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Verify that settings are as specified For non-microprocessor relays: Test and,if necessary calibrate Any unmonitored protective relay not havingall the monitoringattributes of a 6 calendar For microprocessor relays:category below.years Verify operation of the relay inputs and outputs that are essential to proper functioningof the Protection System. Verify acceptable measurement of power system input values. Monitoredmicroprocessor protective relay with the following:Verify: Internal self diagnosis and alarming (See Table 2)-Settings are as specified. 12 calendarVoltage and/or current waveformsampling three or more times per power years Operation of the relay inputs and outputs that are essential tocycle,and conversion of samples to numeric values for measurement proper functioningof the Protection System. calculations by microprocessor electronics. Acceptable measurement of power system input valuesAlarmingforpowersupplyfailure(See Table 2). Monitoredmicroprocessor protective relay with preceding row attributes and the following: Ac measurements are continuously verifiedby comparison to an independent ac measurement source,with alarming for excessive error (See Table 2).12 calendar Verify only the unmonitored relay inputs and outputs that are years essential to proper functioningof the Protection System. Some or all binary or status inputs and control outputs are monitored by a process that continuously demonstrates ability to performas designed, with alarming for failure (See Table 2). Alarming for change of settings (See Table 2). 24 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance Voltage and/or current sensing devices associated with UFLS or UVLS 12 calendar Verify that current and/or voltage signal values are providedto systems.years the protective relays. Protection System de supply for tripping non-BES interrupting devices used 12 calendar only for a UFLS or UVLS system.years Verify Protection System de supply voltage. Controlcircuitry between the UFLS or UVLS relays and electromechanical lockout and/or tripping auxiliarydevices (excludes non-BES interrupting 12 calendar Verify the path fromthe relay to the lockout and/or tripping device trip coils).years auxiliary relay (includingessential supervisory logic). Electromechanical lockout and/or trippingauxiliary devices associated only with UFLS or UVLS systems (excludes non-BES interruptingdevice trip 12 calendar Verify electrical operation of electromechanical lockout and/or coils).years tripping auxiliarydevices. Controlcircuitry between the electromechanical lockout and/or tripping auxiliary devices and the non-BES interruptingdevices in UFLS or UVLS No periodic systems,or between UFLS or UVLS relays (with no interposing maintenance None.electromechanical lockout or auxiliarydevice)and the non-BES interrupting specified devices (excludes non-BES interruptingdevice trip coils). No periodic Trip coils of non-BES interruptingdevices in UFLS or UVLS systems.maintenance None. specified 25 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance PRC-005 -Attachment A Criteria for a Performance-Based Protection System Maintenance Program Purpose:To establish a technical basis for initial and continued use of a performance-based Protection System Maintenance Program (PSMP). To establish the technical justificationfor the initial use of a performance-based PSMP: 1.Develop a list with a description of Components included in each designated Segment -Protection Systems or componentsSegmentoftheProtectionSystemofaconsistentdesignstandard,or aComponentpopulation,with a m1mmum particularmodel or typefrom a singleSegmentpopulationof60Components·manufacturerthat typicallyshare other 2.Maintain the Components in each common elements.Consistent performance is Segment according to the time-based expected across the entire populationofa maximum allowable intervals established Segment.A Segment must contain at least in Tables 1-1 through 1-5 and Table 3 sixty (60)individual components. until results of maintenance activities for the Segment are available for a minimum of 30 individual Components of the Segment. 3.Document the maintenance program activities and results for each Segment,including maintenance dates and Countable Events for each included Component.Countable Event -A failure ofa component 4.Analyzethe maintenance program requiringrepair or replacement,any condition activities and results for each Segment to discovered during the maintenance activities in determine the overall performance of the Tables 1-1 through 1-5 and Table 3 which requires Segment and develop maintenance corrective action,or a Misoperation attributed to hardwarefailure or calibration failure.intervals Misoperations due to product design errors, 5.Determine the maximum allowable software errors,relay settings differentfrom maintenance interval for each Segment specified settings,Protection System component such that the Segment experiences configuration errors,or Protection System Countable Events on no more than 4%application errors are not included in Countable of the Components within the Segment,Events. for the greater of either the last 30 Components maintained or all Components maintained in the previous year. To maintain the technical justificationfor the ongoing use of a performance-based PSMP: 1.At least annually,update the list of Protection System Components and Segments and/or description if any changes occur within the Segment. 2.Perform maintenance on the greater of 5%of the Components (addressed in the performance based PSMP)in each Segment or 3 individual Components within the Segment in each year. 3.For the prior year,analyze the maintenance program activities and results for each Segment to determine the overall performance of the Segment. 26 PacifiCorp Procedure 304,Remedial Action Schemes Appendix H-PRC-005-2 Standard PRC-005-2 -Protection System Maintenance 4.Using the prior year's data,determine the maximum allowable maintenance interval for each Segment such that the Segment experiences Countable Events on no more than 4% of the Components within the Segment,for the greater of either the last 30 Components maintained or all Components maintained in the previous year. 5.If the Components in a Protection System Segment maintained through a performance- based PSMP experience 4%or more Countable Events,develop,document,and implement an action plan to reduce the Countable Events to less than 4%of the Segment population within 3 years. 27 PacifiCorp Procedure 304,Remedial Action Schemes Appendix I-WECC Major RAS List-April 28,2008 Table Major WECC Remedial Action Schemes (RAS) Used in Standard PRC-004-WECC-1 (Revised September 19,2007) Path Name*Path RAS 1.Alberta -British Path 1 Remedial actions are required to achieve the rated Columbia transfer capability.Most involve tripping tie lines for outages in the BCTC system.East to West: For high transfers,generation tripping is required north of the SOK cutplane in Alberta. 2.Northwest -British Path 3 Generator and reactive tripping in the BCTC Columbia system to protect against the impact caused by various contingencies during transfers between British Columbia and the Northwest. 3.West of Hatwai Path 6 Generator dropping (Libby,Noxon, Lancaster,Dworshak);Reactor tripping (Garrison);Trippingof Miles City DC link. 4.Montana to Northwest Path 8 Tripping Colstrip by ATR (NWMT); Switching shunt reactors at Garrison 500 kV;Trippingthe back-to-back DC tie at Miles City;Tripping Libby,and Noxon generation by WM-RAS (BPA). 5.Idaho to Northwest Path 14 Generator Runback at Hells Canyon; Jim Bridgertrippingfor loss of Midpoint - Summer Lake 500 kV line. 6.Midway-LosBanos Path 15 CDWR and PG&E pump load dropping north of Path 15.PG&E service area load dropping north of Path 15.PG&E service area generation dropping south of Path 15. 7.Idaho Sierra Path 16 Automatic load shedding is required when the Alturas line is open for loss of the Midpoint-Humbolt345 kV line during high Sierra system imports. 8.Bridger West Path 19 Jim Bridgertrippingfor delayed clearing and multi-line faults;Addition of shunt capacitors at Jim Bridger,Kinport and Goshen and series capacitor bypassing at Burns. 9.IPP DC Line Path 27 IPP Contingency Arming System trips one or two IPP generating units. 10.TOTlA Path 30 Bonanza and Flaming Gorge generation is tripped for loss of the Bonanza-Mona 345 kV line to achieve rating on TOTlA. Page 1 of 3 PacifiCorp Procedure 304,Remedial Action Schemes Appendix I-WECC Major RAS List-April 28,2008 11.TOT2A Path 31 For the Montrose-Hesperus 345 kV line outage with Nucla generation above 60 MW, the parallel Montrose-Nucla 115 kV line is automatically transfer tripped. 12.TOT2B Path 34 Trip Huntington generation for loss of the Huntington-Pinto +Four Corners lines when parallel lines are heavily loaded. 13.TOT5 Path 39 For an outage of the Hayden-Gore Pass 230 kV line,the lower voltage parallel path is tripped. 14.SDGE RAS Path 44 RAS used to meet reactive margin criteria for loss of both San Onofre units. 15.SDGE -CFE Path 45 The purpose of the RAS is to automatically cross-trip (transfer trip) the Miguel-Tijuana 230kV following the outage of ImperialValley -Miguel 500kV line. 16.Southern New Mexico Path 47 For double contingencies on the 345 kV lines defined in the path,WECC Operating Procedure EPE-1 is implemented. 17.Pacific DC Intertie Path 65 Northwest generator tripping;Series capacitor fast insertion;mechanically switched shunt capacitors 18.California -Oregon Intertie Path 66 Northwest generator tripping;Chief Jo Brake insertion;Fort Rock Series Capacitor insertion;Northern California generator and pump load tripping;N.California series capacitor bypassing,shunt reactor or capacitor insertion;Initiation of NE\SE Separation Scheme at Four Corners. 19.Meridian 500/230 kV Followingthe loss of the Meridian Transformers**500/230kV transformers,RAS is used to comply with WECC Standards under high load conditions. 20.Northern-Southern Path 26 Remedial action required to achieve the California rated transfer capability.Midway area generation tripped for loss of any two of three Midway-Vincent500 kV lines. 21.PNM Import Contingency Path 48 ICLSS is a centralized load shedding scheme Load for low probabilityevents such as Shedding Scheme (ICLSS)simultaneous outage of the Four Corners- West Mesa (FW)345 kV and San Juan-B-A (WW)345 kV lines,as well as any unplanned disturbance affecting voltage in the Northern New Mexico transmission system. Page 2 of 3 PacifiCorp Procedure 304,Remedial Action Schemes Appendix I-WECC Major RAS List-April 28,2008 22.Valley Direct Load Trip RAS is required for the loss of the Serrano- (DLT)Valley 500 kV line.About 200 MW of Valley load is tripped. 23.South of Lugo N-2 RAS RAS is required for the simultaneous double line outage of any combination of the Lugo- Mira Loma 1 (when looped),2,and 3 500 kV lines and the Lugo-Serrano (when de- looped)500 kV line. 24.Lower Snake RAS The RAS is required to protect for the double line outage of the Lower Monumental-Little Goose 500-kV lines. Generation is dropped at Little Goose and Lower Granite Powerhouses as well as key the WM RAS.An outage of the Little Goose -Lower Granite 500 kV lines will drop generation at Lower Granite Powerhouse and key the Western Montana RAS. 25.Palo Verde -COI Mitigation Path 66 Required to providefor safe operation of the Scheme COI for the loss of two units at Palo Verde Nuclear Generating Station (PVNGS).The RAS protects the PVNGS and Palo Verde Transmission System (PVTS)for faults at Palo Verde and subsequent outage of the Palo Verde -Westwing 500 kV lines. 26.Palo Verde/Hassayampa Provides protection to the PVNGS and the PAS PVTS for faults at Palo Verde and subsequent double line outage of the Palo Verde to Westwing 500 kV lines.*** 27.Sierra Pacific -PacifiCorp Path 76 Needed for loss of the 230 kV Malin-Hilltop RAS line when heavilyloaded unless automatic reclose is successful.The scheme closes the Hilltop 345 kV line reactor if pre-outage northbound flow is greater than 150 MW. For pre-outage southbound flow greater than 235 MW the Hilltop 345 kV line trips and the Hilltop 345 kV line reactors closes. *For an explanation of terms,path numbers,and definition for the paths refer to WECC's Path Rating Catalog. **The Meridian 500/230 kV transformers are not included in the Path Rating Catalog.The RAS associated with the Meridian transformers is included in Table 3 because the failure of the RAS may result in cascading. ***The Palo Verde/HassayampaRAS is designed to prevent cascading problems throughoutthe WECC region.This scheme is not Path related and is not used to protect any specific WECC Path. Page 3 of 3 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 CIP-002-5.1-Cyber Security -BES Cyber System Categorization A.Introduction 1.Title:Cyber Security -BES Cyber System Categorization 2.Number:CtP-002-5.1 3.Purpose:To identify and categorize BES Cyber Systerns and their associated BES Cyber Assets for the application of cyber security requirements commensurate with the adverse impact that loss,compromise,or misuse of those BES Cyber Systems could have on the reliable operation of the SES.Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES, 4.Applicability: 4.L Functional Entities:For the purpose of the requîrements contained herein,the following list of functional entities will be collectively referred to as "Responsible Entities."For requirements in this standard where a specific functional entity or subset of functional entities are the applicable entityor entities,the functional entity or entities are specified explicitly. 4.1.1.Balancing Authority 4.1.2.Distribution Provider that owns one or more of the following Facîlities,systems, and equipment for the protection or restoration of the BES: 4.1.2.1.Each underfrequencyload shedding (UFLS)or undervoltageload shedding (UVL5}system that: 4.1.2.1.1.is part of a Load shedding prograrn that is subject to one or more requirements in a NERC or Regional Reliabîlitystandard;and 4.1.2.1.2.performs automatic Load shedding under a common control system owned by the Responsible Entity,without human operator initiation, of 300 MW Or more, 4.1.2.2.Each Special Protection System or Remedial Action Scheme where the Special Protection System or Remedial Action Scheme is subject to one or more requirements in a NERCor Regional ReliabilityStandard. 4.1.2.3.Each Protection System (excluding UFLS and UVLS)that applies to Transmission where the Protection System is subject to one or more requirements in a NERCor Regional ReliabilityStandard. 4.1.2.4.Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s)to be started. 4.1.3.Generator Operator 4.1.4.Generator Owner Page l of 24 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 P-002-5.1-Cyber security -BES Cyber System Categorization 4.1.5.interchange Coordinator or InterchangeAuthority 4.1.6.Reliability Coordinator 4.1.7.Transmission Operator 4.1.8.Transmission Dwner 4.2.FacKitles:For the purpose of the requirementscontained heraîn,the following Facilities,systems,and equipment owned by each Responsible Entity in 4.1 above are those to which these requirements are applicable.For requirements in this standard where a specific type of Facilities,system,or equipment or subset of Facilities,systems,and equîpmentare applicable,these are specified explicitly. 4.2.1.D1stribution Provider:One or more of the following Facilities,systems and equipment owned by the Distribution Provider for the protection or restoratlon of the SES: 4.2.L1.Each UFLS or UVLS System that 4.2.1.1.1.Is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional ReliabilîtyStandard;and 4.2.1.1.2.performs automatic Load shedding under a common control system owned by the Responsible Entity,without human operator initiation, of 300 MW Or more. 4.2.1.2.Each Special Protection System or Remedial Action Scheme where the Special Protection System or Remedial Action Scheme is subject to one or more requirements in a NERC or Regional ReliabîlityStandard. 4.2.1.3.Each Protection System (excluding UFLS and UVLS)that applîes to Transmîssion where the Protection System is subject to one or more requirements in a NERC or Regional ReliabilityStandard. 4.2.1.4.Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s)to be started. 4.2.2.Responsible Entitles listed in 4.1 other than Distribution Providers: All BES Facilities. 4.2.3.Exemptions:The following are exempt from Standard CIP-002,5.1: 4.2.3.1,Cyber Assets at Facilîties regulated by the Canadian Nuclear Safety Commission. 4.2.3.2.Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters. Page 2 of 24 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 CIP-OD2-5.1-Cyber Security ---BES Cyber System Categorization 4.2.3.3.The systems,structures,and components that are regulated by the Nuclear Regulatory Commission under a cyber securíty plan pursuant to 10 C.F.R. Section 73.54. 4.23.4.For Distribution Providers,the systems and equipment that are not included in section 4.2.1 above. 5.Effective Dates: 1 24 Months Minimurn -CIP-002-5.1shall become effective on the later of July 1, 2015,or the first calendar day of the ninth calender quarter after the effective date of the order providingapplicable regulatory approval. 2.In those jurisdictions where no regulatory approval is required CIP-002-5.1shall become effective on the first day of the ninth calendar quarter following Board of Trustees'approval,or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities. 6.Background: This standard provides "brîghtdine"criteria for applicableResponsible Entities to categorize their BES Cyber Systems based on the impact of their associated I¯acilities, systems,and equipment,which,if destroyed,degraded,misused,or otherwise rendered unavailable,would affect the reliableoperation of the Bulk Electric System. Several concepts providethe basis for the approach to the standard. Throughout the standards,unless otherwise stated,bulleted items in the requírements are items that are linked with an "or,"and numbered items are items that are linked with an "and." Many references in the Applicability sectîon and the criteria in Attachment l of CIP- 002 use a threshold of 300 MW for UFLS and UVLS.This particularthreshold of 300 MW for UVLS and UFLS was provided in Version lof the CIP Cyber Security Standards.The threshold remains at 300 MW since it is specifically addressing UVLS and UFLS,which are last ditch efforts to save the Bulk Electric System.A review of UFLS tolerances definedwithin regional reliability standards for UFLS program requirementsto date indicates that the historical value of 300 MW represents an adequate and reasonable threshold value for allowable UFLS operationaltolerances. BE5 Cyber systems One of the fundamental differences between Versions 4 and 5 of the CIP Cyber Security Standards is the shîft from identifying Critical Cyber Assets to identifying BES Cyber Systems.This change results from the drafting team's review of the NISTRisk Management Framework and the use of an analogous term "information system"as the target for categorizing and applyingsecurity controls. Page 3 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 CIP-002-5.1-Cyber Security -BES Cyber System Categorization version 4 Cyber Assets Version 5 Cyber Assets CCA ASSOci¡ited Protected Cyber .Assets Non-GrMeal Cyber Asset Within an ESP //Ássociate Electronic and Monitoring CI P 005-4 RL5and in transitioning from Versîon 4 to Version 5,a BES Cyber System can be viewed simply as a grouping of Critical Cyber Assets (as that term is used in Version 4}.The CIP Cyber Security Standards use the "BES Cyber System"term primarily to providea higher levelforreferencingtheobjectofarequirement.For example,it becomes possible to apply re4uirements dealingwith recovery and malware protection to a grouping rather than individual Cyber Assets,and it becomes clearer in the requirement that malware protection applies to the system as a whole and may not be necessary for every îndîvidualdevice to comply. Another reason for using the term "SES Cyber System"is to provide a convenient level at which a Responsible Entity can organi2e their documented implementation of the requirementsand compliance evidence.Responsible Entities can use the well- developedconcept of a security plan for each BES Cyber System to document the programs,processes,and plans in place to comply with security requirements. It is left up to the Responsible Entity to determine the level of granularity at which to identify a BES Cyber System within the qualificationsin the definition of BES Cyber System.For example,the Responsible Entity might choose to view an entire plant control system as a single BES Cyber system,or it might choose to view certain components of the plant control system as distinct BES Cyber Systems.The Responsible Entity should take into consideration the operational environment and Page 4 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 CIP-002·5.1-Cyber Security -BES Cyber Systern Categorization scope of management when defining the BES Cyber System boundaryin order to maximize efficiency in secure operations.Defining the boundarytoo tightlymay result in redundant paperwork and authorizatîons,while defining the boundarytoo broadly could make the secure operation of the BES Cyber System difficult to monitor and assess. Reliable Operation of the BES The scope of the CIP Cyber security Standards is restricted to SES Cyber Systems that would impact the reliable operation of the SES.In order ta identify BES Cyber Systems,Responsible Entities deterrnîne whether the BES Cyber Systems perform or support any BES reliability function according to those reliability tasks identified for their reliability function and the corresponding functional entity's responsibilities as defined in its relationshipswith other functional entities in the NERC Functional Model This ensures that the initial scope for considerationincludes only those BES Cyber Systems and their associated BES Cyber Assets that perform or support the reliable operation of the BES.The definition of BES Cyber Asset provides the basis for this scoping. Real-time Operations One characteristic of the BES Cyber Asset is a real-time scoping characteristic.The tirne horizon that is significant for BES Cyber Systems and BES Cyber Assets subject to the application of these Version 5 CIP Cyber security standards is defined as that which is rnaterial to real-time operationsfor the reliable operation of the BES.To providea better defined time horizon than "Real-time,"BES Cyber Assets are those Cyber Assets that,if rendered unavailable,degraded,or misused,would adversely impact the reliable operation of the BES within 15 minutes of the activation or exercise of the compromise.This time window must not include in its consideration the activation of redundant SES Cyber Assets or BES Cyber Systems:from the cyber security standpoînt,redundancy does not mitigate cyber security vulnerabilities. CategorizationCriteria The criteria defined in Attachrnent 1 are used to categorize BES Cyber Systems into impact categories.Requirement 1 only requires the discrete identification of BES Cyber Systems for those in the high impact and medium impact categories.All BES Cyber Systems for Facilities not included in Attachment 1-ImpactRatlng Criteria, Criteria 1.1to 1.4 and Criteria 2.1to 2.11 default to be low impact. This general process of categorization of BES Cyber Systems based on impact on the reliable operation of the BES is consistent with risk management approaches for the purpose of application of cyber security requirements in the remainder of the Version 5 CIP Cyber Security Standards. Electronic Access Control or MonitoringSystems,Physical Access Contro1Systems, and Protected Cyber Assets that are associated with BES Cyber systems Fage 5 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 CIP-002-5.1-Cyber Security -BES Cyber System Categorization BES Cyber Systems have associated Cyber Assets,which,if compromised,pose a threat to the SES Cyber system by virtue of:(a)their location wîtbin the Electronic Security Perimeter (Protected Cyber Assets),or (b}the security control functîon they perform (Electronic Access Control or Monitoring Systems and Physical Access Control SystemsL These Cyber Assets înclude: Electronic Access Control or MonitoringSystems ("EACMS")-Examples include: Electronic Access Points,intermediate Systems,authentication servers (e.g., RADIUS servers,Active Directory servers,Certificate Authorities),security event monitoring systems,and intrusion detection systems. Physical Access Control Systems ("PACS")-Examples include:authentication servers,card systems,and badge control systems. Protected Cyber Assets ("PCA")-Examples may include,to the extent they are within the ESP:file servers,ftp servers,time servers,I.AN switches,networked printers,digital fault recorders,and emission rnonitorîngsystems. B.Requirements and Measures RL Each Responsible Entityshall implement a process that considers each of the following assets for purposes of parts 1.1 through 13:[Violation Risk Factor: High)[Time Horizon:Operations PIGuning] LControl Centers and backup Control Centers; ii.Transmission stations and substations; lii.Generation resources; iv.Systems and facilîties critical to system restoration,including Blackstart Resources and Cranking Paths and iriitial switching requirements; v.Special Protection Systems that support the reliable operation of the Bulk Electric System;and vi.For Distribution Providers,Protectîon Systems specified in Applicability section 4.2 1above. 1.1.Identifyeach of the high impact BES Cyber Systems according to Attachrnent 1,Section 1,if any,at each asset; 1.2.Identifyeach of the medium impact BES Cyber Systems according to Attachment 1,Section 2,if any,at each asset;and 1.3.[dentify each asset that contains a low impact BES Cyber System according to Attachment 1,Section 3,if any (a discrete list of low impact BES Cyber Systems is not required). M1.Acceptable evidence includes,but is not limited to,dated electronic or physical lists required by Requirement R1,and Parts 1.1 and 1.2. Page 6 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 CIP-002-5.1-Cyber Security -BES Cyber System Categorization R2.The Responsible Entity shaih [Violation Risk Factor:Lower][Time Horizon:Operations Planning) 2.1 Review the identifications in Requirement R1 and its parts (and update them if there are changes identified)at least once every 15 calendar months,even if it has no identifled items in Requirement R1,and 2.2 Have its CIP Senior Manageror delegate approve the identifications required by Requirement R1at least once every 15 calendar months, even if it has no identlfied items in Requirement R1. M2.Acceptable evidence includes,but is not limited to,electronic or physical dated records to demonstrate that the Responsible Entity has reviewed and updated,where necessary,the identifications required in Requirement R1 and îts parts,and has had its CIP Senior Manageror dategate approve the identifications required in Requirement R1and its parts at least once every 15 calendar months,even if it has none identified in Requirement R1 and its parts,as required by Requirement R2. C.Compliance 1.Compliance MonitoringProcess: 1.L Compliance £nforcement Authority: The Regional Entity shall serve as the compliance Enforcement Authority("CEA") unless the applicable entity is owned,operated,or controlled by the Regional Entity.In such cases the ERO or a Regional Entity approved by FERC or other applicable governmentalauthority shall serve as the CEA. 1.2.Evidence Retention: The following evIdence retention periods identify the period of time an entity is required to retain specîfic evidence to demonstrate compliance.For instances where the evidence retention period specified below is shorter than the time since the last audit,the CEA may ask an entityto provideother evidence to show that it was compliant for the full tîme period since the last audtt. The Responsible Entity shall keep data or evidence to show cornpliance as identified below unless directed by its CEAto retain specifîc evidence for a longerperîod of time as part of an investigation: Each Responsible Entity shall retain evIdence of each requirernent in this standard for three calendar years. If a Responsible Entity is found non-compliant,it shall keep information related to the non-compliance until mitigatîon is complete and approved or for the tîme specified above,whithever is longer. Page7 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 CIP-002-5.1-Cyber Security -BES Cyber System Categorization The CEA shall keep the last audit records and all requested and submitted subsequent audit records. 1.3.Compliance Monitoring and Assessment Processes: Compliance Audit Self-Certification Spot Checkîng Compliance Investigation Self-Reporting Complaint 1.4.Additiorial Compliance information None Page 8 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 CIP-DO2-5.1-Cyber Security -BES Cyber System Categorization 2.Table of Compliance Elements Al Operations itigh For Responsible For Responsible For Responsible For ResponsiblePlanningEntitieswithmoreËntitleswithmoreEntitieswithmoreEntitleswithmore than a total of 40 BES than a total of 40 BES than a total of 40 BES than a total of 40 BES assets in RequFrement assets in Requirement assets in Requirement assets in Requirement R1,five percent er R1,more than five R1,more than 10 R1,more than 15 fewer BE5 assets have percent but less than percent but fess than percent of BES assets not been considered or equal to 10 percent or equal to 15 percent have not been according to of BES assets have not of SES assets have not considered,according Requirement R1;been considered,been considered,to Requirement 81; OR accord ina to according to Requirement R1;Requirement R1;For Responsible For Responsible Entities with a total of OR OR Entitles with a total of 40 or fewer BE5 assets,For Responslble For Responsible 40 or fewer BES assets, 2 or fewer BES assets Entitles with a total of Entities with a total of more than six BES iri Requirement 81,40 or fewer BES assets,40 er fewer BES assets,assets in Requirement have not been more than two,but more than four,but R1,have not been considered according fewer than or equal to fewer than or equal to considered according to Requirement R1;four BES assets in six BES assets in to Requirement R1; OR Requirement R1,have Requlrement R1,have ggnotbeenconsiderednotbeenconsideredForResponsibleaccordingtoaccc<dingte For Responsible Entities with more Requirement R1;Requirement R1;Entities with more than a total of 100 than a total of 100 h1gh and medium OR high and medium impact BES Cgr For Responsible For Responsible impact BE5 Cyber ½ge90f34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 CIP402-S.1 -Cyber Securlty -BES Cyber System Categerlaatlon a a ti .a e - systems,five percent Entities with more Entities w]th more Systems,more than 15 or fewer of identFfled than a total of 100 than a total of 100 percent of identified BES Cyber Systems hlgh and medlem high or medium BES Cyber SystemshavenotbeenimpactSESCyberimpactSESOyberhavenotbeen categorized or have Systems,more than Systems,more than 10 categorlted or have been incorrectly five percent but less percent but less than been incorrectly categorized at a lower than or equalto 10 cc equal to 15 percent categorized at a lower category;percent of identified of Identified BES Cyber category; OR BES Cyber Systems Systems have not been ORhavenotbeencategorizedorhaveForResponsiblecategorizedorhavebeenincorrectlyFor Responsible Entlties wlth a total of been Incorrectly Categarlzed at a lower Entities with a total of100orfewerhighandcategorizedatalowercategory;100 or fewer hlgh andmediumimpactBEScategory;OR medium impact BES Cyber Systems,five or Cyber Systems,more fewer identified BES For Responsible than 15 identified BES Cyber Systems have \"or Responsible Entitles with a total of Cyber Systems havenotbeencategorizedEntitieswithatotalof100orfewerhighornotbeencategarlzed or have been 100 or fewer high and medium impact and or have been incorrectly categorized medlum impact and BE$Cyber Assets,incorrectly categorlzed at a lower category,BES Cyber Systems,more than 10 but less at a lower category. OR morethan five btri less than or equal to 15 ogthanorequaFto10identífledBESCyberForResponsibleident½ied SES Cyber Assets have not been For ResponsibleEntitieswithmoreSystemshavenotbeencategorizedorhaveEntitieswithmorethanatotalof100categorizedorhavebeenincorrectlythanatotalof100 high and medium been incorrectly categorized at a lower high and medium impact BES Cyber categorized at a lower impact BES Cyber Page10of34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 CIP-002-5,1 -Cyber Security -BES Cyber System Categorizat3on systems five percent category,category.Systems,more than 15 or fewer hlgh or OR OR percent of high or medium BES Cyber medium impact BES Systems have not been I or Responstble For Responsible Cyber Systems have identified;Entities with more Entitles with more not been identified;than a total of 100 than a total of 100OR ORhighandmediumhighandmedium For Responsible impact BES Cyber impact BES Cyber For Responsible Entitles w1th a total of Systems,more than Systems,more than 10 Entitles with a total of 100 or fewer high and five percent but less percent but less than 100 or fewer high and medium impact BES than or equal to 10 or equal to 15 percent medium impact BES Cyber Systems,five or percent high or high or medium BES Cyber Systems,more fewer hlgh or medium medium BES Cyber Cyber Systems have than 15 high of SES Cyber Systems Systems have not been not been identified;medium impact BES have not been identified;OR Cyber Systems have identified.OR not been identifled. For Responsible For Responsible Entitles with a total of Entitles with a total of 100 or fewer hlgh and 100 or fewer high and medium impact BES medium impact BEs Cyber Systems,more Cyber systems,more than 10 but less than than five but less than or equal to 15 high or or equal to 10 blgh or medlum 3ES Cyber medkumBES Cyber Systems have not been 5ystems have not been identified. identined. Paiguof34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 CIP-002-5.1-Cyber Secur]ty -BES Cyber System Categorizatlon R2 Operations Lower The Respons1ble Entity The Responsible Entity The Responsible Entity The Responsible EntityPlanningdidnotcompleteitsdidnotcompleteitsdidnotcompleteitsdidnotcompleteits review and update for review and update for review and update for review and update fortheidentificationtheIdentificationtheIdentificationtheidentification required for R1within requlted for RI within required for R1 within reguled for R1 within 15 calendar months 16 calendar months 17 calendar months 18 calendar months of but lessthan or equal but less than or equal but less than or equal the prevlous review. to 16 calendar months to 17 calender months to 18 calender months (R2.1)of the previous review,of the previous review.of the prevFous review OR(R2,1)(R2,1)(R2.1) The Responsible EntityORORORfailedtocompleteitsTheResponsibleEntityTheResponsibleEntityTheResponsibleEntRyapprovalofthe dld not complete its faiEed to complete its failed to complete its identlficationsapprovaloftheapprovaloftheapprovaloftherequiredbyR1 by the identifications identifications identifications CIPSeniorManagererrequiredbyR1bytherequiredbyR1bytherequiredbyR1bythedelegateaccordingto CIP Senior Manager or CIP Senior Manager of OPSenler Manager or Requirement R2 within delegate aœording to delegate according to delegate according to 18 ealendar months ofRequtrementR2withinRequirementR2withinRequirement82withintheprevlousapproval. 15 calendar months 16 calender months 17 calendar months (R2.2) but less than or equal but less than or equal but less than or equal to 16 calendar months to 17 calendar months to 18 calendar months of the previous of the previous of the previous approval.R2.2}approval.R2.2)approval.(R2.2} Page12cf34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 CIP-002-51-Cyber Security ---BES Cyber System Categorization D.RegionalVariances None. L Interpretations None. A Associated Docunients Wene. PagrHof34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 CIP-002-5.1-Cyber security -BES Cyber System Categorization CIP-002-5.1 -At.tachment 1 Impact Rating Criteria The criteria defined in Attachment 1 do not constitute stand-alonecompliance requirements, but are criteria characterlzing the level of impact and are referenced by requirements. 1.High Impact Rating (H) Each BES Cyber System used by and located at any of the following: 1.1.Each Control Center or backup Control center used to perform the functional obligations of the ReliabilityCoordinator. 1.2.Each Control Center or backup Control Center used to perform the functional obligations of the Balancing Authority:1)for generation equal to or greater than an aggregate of 3000 MW in a single Interconnection,or 2)for one or more of the assets that meet criterion 2 3,2.6,or 2.9. 1.3.Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator for one or more of the assets that meet criterion 2.2,2.4,2.5,2.7,2.8,2.9,or 2.10. 1.4 Each control Center or backup Control Center used to perform the functional obligations of the Generator Operator for one or more of the assets that meet criterion 2.1,2 3,2.6,or 2,9. 2.MetIlum Impact Rating (M) Each SES Cyber System,not included in Section 1 above,associated with any of the following: 2.1.Commissioned generation,by each group of generating units at a single plant location, with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceedirig 1500 MW in a single Interconnection.For each group of generatingunits,the only BES Cyber Systems that meet this criterion are those shared SES Cyber Systems that could,within 15 minutes,adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW în a single Interconnection. 2.2.Each BES reactive resource or group of resources at a single location (excluding generation Facilities)with an aggregate maximum Reactive Power nameplate rating of 1000 MVAR or greater (excluding those at generation Facilities).The only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes,adversely impact the reliable operation of any combination of resources that in aggregate equal or exceed 1000 MVAR. Page 14 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 CIP-002-5.1-Cyber Security -BES Cyber System Categorization 2.3.Each generation Facility that its Plannîng Coordinatoror Transmission Planner designates,and informs the GeneratorOwner or GeneratorOperator,as necessary to avoicl an Adverse ReliabilityImpact in the Planning horizon of more than one year. 2.4.Transmission Facilities operated at 500 kV or higher.For the purpose of this crîterion,the collector bus for a generation plant is not considered a Transrnission Fatllity,but is part of the generation interconnection Facility. 2.5.Transmission Facilities that are operating between 200 kV and 499 kV at a single station or substation,where the station or substation is connected at 200 kV or hïgher voltages to three or more other Transmission stations or substations and has an "aggregate weighted value"exceeding 3000 according to the table below.The "aggregate weighted value"for a single station or substation is determined by summing the "weight value per line"shown in the table below for each incoming and each outgoing BES Transmission Line that is connected to another Transmission station or substation.For the purpose of this criterion,the collector bus for a generation plant is not considered a Transmission Facility,but is part of the generation interconnection Facility. less than 200 kV (not applicable)(not applicable) 200 kV to 299 kV 700 300 kV to 499 kV 1300 500 kV and above 0 2.6.Generationat a single plant location or Transmission Facilities at a single station or substation location that are identified by its ReliabilityCoordinator,Planning Coordinator,or Transmission Planner as critical to the derîvationof Interconnection Reliability Operating Limits (IROLs}and their associated contingencies. 2.7.Transmission Facilities identified as essential to meetîng Nuclear Plant Interface Requirements. 2.8.Transmission Facilities,încludinggeneration interconnection Facilities,providing the generation înterconnection required to connect generator outputto the Transrnission Systems that,if destroyed,degraded,misused,or otherwise rendered unavailable, would result in the loss of the generation Facilities identified by any Generator Owner as a result of its application of Attachment 1,crîterion 2.1er 23, 2.9.Each Specîal Protection System (SPS),Remedial Action Scheme (RAS),or automated switching System that operates BES Elements,that,if destroyed,degraded,misused or otherwise rendered unavailable,would cause one or more interconnection Reliability Operating Limits (IROLS)Violations for failure to operate as designed or cause a reduction in one or more \ROLS if destroyed,degraded,misused,or otherwise rendered unavailable. Page 15 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 ClP-002-5.1-Cyber Security -BES Cyber System Categorization 2.10.Each system or group of Elernents that performs automatic Load shedding under a common control system,without human operator initiation,of 300 MW or more implementing undervoltage load shedding (UVLS)or underfrequencyload shedding (UFLS)under a load shedding program that is subject to one or more requirements in a NERC or regional reliability standard. 2.11.Each Control Center or backup Control Center,not alreadyincluded in High impact Rating (H)above,used to perform the functional obligationsof the Generator Operator for an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceedîng 1500 MW in a single Interconnection. 2.12.Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator not included in High 1mpact Rating (H), above. 2.13.Each Control Center or backup Control Center,not already included in High Impact Rating (H)above,used to perform the functional obligationsof the Balancing Authorityfor generation equal to or greater than an aggregate of 1500 MW in a single interconnection. 3.Low impact Rating (L) BES Cyber Systems not included in Sections 1or 2 above that am associated with any of the following assets and that meet the applicability qualificationsin Section 4 -Applicability,part 4.2 -Facilities,of this standard: 3.1.Control Centers and backup Control Centers. 3.2.Transmission stations and substations. 3.3.Generation resources. 3.4.Systems and facilities critical to system restoration,including Blackstart Resources and Cranking Paths and initial switching requirements, 3.5.Special ProtectionSystems that support the reliable operation of the Bulk Electric System. 3.6.For Distribution Providers,Protection Systems specîfied in Applicabilitysection 4.2.1 above. Page 16 of 24 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Technical Basis Guidelines and Technical Basis Section 4 -Scope of Applicability of the CIP Cyber security Standards 5ection "4.Applicability"of the standards provides important information for Responsible Entities to determine the scope of the applicabilityof the CIP Cyber Security Requirements. Section "4.1.Functional Entities"is a list of NERC functional entities to which the standard applies.If the entityis registered as one or more of the functional entities listed in section 4.1, then the NERC CIP Cyber Security Standards apply.Note that there is a qualification in section 4.1that restricts the applicability in the case of Distribution Providers to only those that own certain types of systems and equipment listed in 4.2. Section "4.2.Facilities"defines the scope of the Facilities,systems,and equipment owned by the Responsible Entity,as qualified in section 4.1,that is subject to the requirements of the standard.In additïon to the set of SES Facilities,Control Centers,and other systems and equipment,the list includes the qualified set of systems and equipment owned by Distribution Providers.Whîle the NERC 6tossary terrn "Facilities"ajready includes the BES characteristic,the additlonal use of the term BES bere is meant to reinforce the scope of applicabilityof these Facilities where it is used,especially in this applicability scoping section.This în effect sets the scope of Facilities,systems,and equipment that is subject to the standards.This section is especially significant in CIP-002-5.1 and represents the total scope of Facîlities,systems,andequipmenttowhichthecriteriainAttachment1apply.This is irnportant because it determines the balance of these Facilities,systems,and equipment that are Low Impact once those thatqualifyunclertheHighandMediumImpactcategoriesarefilteredout. For the purpose of identifying groups of I'acilities,systems,and equipment,whether by locatîon or otherwise,the Responsible Entity identifíesassets as described in Requirement R10f CIP- 002-5.1 This îs a process famillar to Responsible Entities that have to cornpfy with versions 1,2, 3,and 4 of the CIP standards for Critical Assets.As in versions 1,2,3,and 4,Responsible Entities may use substations,generation plants,anel Control Centers at single site locations as identifiers of these groups of Facilities,systems,and equipment. CI P-002-5.1 CIP-002-5.1requires that applicable Responsible Entities categorize their BES Cyber Systems and associated BES Cyber Assets according to the criteria in Attachment 1.A BES Cyber Asset includes in its definition,"...that if rendered unavailable,degraded,or misused would,within 15 minutes adversely impact the reliable operationof the BES." The following provides guidance that a Responsible Entity may use to identify the BES Cyber Systems that would be in scope.The concept of BES reliability operating service is useful in providing Responsible Entîties with the option of a def]ned process for scoping those BES Cyber Page 17 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guldelines and Technical Basis Systems that would be subject to CIP-002-51 The concept includes a number of named BES reliability operating services.These named services include: Dynamic Responseto BES conditions Balancing Load and 6eneration ControllingFrequency (Real Power) ControilîngVoltage (Reactive Power) Managing Constraints Monitoring &Control Restoration of BES Situational Awareness Inter-Entity Real-Time Coordinationand Communication Responsibility for the reliable operation of the BES is spread across all Entity Registrations.Eachentîtyregistrationhasitsownspecialcontributiontoreliableoperationsandthefollowing discussion helps identify which entity registration,in the context of those functional entities to which these CIP.standards apply,performs which reifabilîty operat1ng service,as a processto identify BES Cyber Systems that would be in scope.The following provides guidance for Responsible Entitles to determine applicable reliability operationsservices accordîng to their Function Registration type. Dynamic Response X X X X X X Balancing Load &X X X X X X X Generation Controlling Frequency X X X ControllingVoltage X X X X ManagingConstraints X X X Monitoring and Control X X Restoration X X Situatlon Awareness X X X X Inter-Entitycoordination X X X X X X Dynarnic Response The Dynamic ResponseOperatingService includes those actions performed by SES Elements or subsystems whîch are automatically triggered to initiate a response to a BES condition.These actions are triggered by a sîngle element or control device or a combination of these elements or devices in concert to perform an action or cause a condition in reaction to the triggering action or condition.The types of dynamic responses that may be considered as potentially having an impact on the BES are: Page 18 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Technical Basis Spinning reserves (contingency reserves) =Provîding actual reserve generation when called upon (GO,GOP) Monitoring that reserves are sufficient (BA) Governor Response =Control system used to actuate governor response (GO) Protection Systems (transmission &generation) Lînes,buses,transformers,generators (DP,TO,TOP,GO,GOP) Zone protection for breaker failure (DP,TO,TOP) Breaker protection (DP,TO,TOP) Current,frequency,speed,phase (TO,TOP,GO,GOP) Special Protection Systems or Remedial Action Schemes Sensors,relays,and breakers,possibly software (DP,TO,TOP) Under and Over Frequency relay protection (includes automatic load shedding) Sensors,relays &breakers (DP) Under and Over Voltage relay protection (includes automatic load sheciding) Sensors,relays &breakers (DP) Power System Stabiliters(GO} Balancing Load and Generation The Balancing Load and GenerationOperations Service includes activities,actions andconditionsnecessaryformonitoringandcontrollinggenerationandloadintheoperations planning horizon and in real-tîme.Aspects of the Balancing Load and Generationfunctioninclude,but are not limited to: Calculation of Area Control Error (ACE) Field data sources (real time tie flows,frequencysources,tîme error,etc}(TO,TOP) Software used to perform calculation (SA) Dernand Response =Ability to identify load change need (BA) Ability to implement load changes (TOP,DP) Manually Initiated Load shedding =Ability to identify laad change need (BA) Ability to implement load changes (TOP,DP) Page 19 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Technical Basis Non-spinning reserve (contingency reserve) Know generation status,capability,ramp rate,start time (GO,BA) Start units and provide energy (GOP) controllingFrequency (Real Power) The ControllingFrequency Operations Service includes activities,actions and condîtionswhich ensure,in real time,that frequency remains within bounds acceptable for the reliability or operabîlity of the BES.Aspects of the ControllingFrequency function include,but are limited to: Generation Control (such as AGC) ACE,current generator output,ramp rate,unit characteristics (BA,GDP,GO) Software to calculate unit adjustments (BA} Transmit adjustments to individual units (GOP) Unit controls implementing adjustments (GOP) Regulation (regulatingreserves) Frequency source,schedule (BA) =Governor control system (GO) ntrobing Voltage (Reactive Power) The Controlling Voltage Operations Service includes activities,actions and conditions which ensure,in real time,that voltage remaíns within bourids acceptable for the reliability or operability of the BES.Aspects of the Controlling Voltagefunction include,but are not limited to: Automatic Voltage Regulation (AVR) =Sensors,stator controlsystem,feedback (GO) Capacitive resources Status,control (manual or auto),feedback (TOP,TO,DP) Inductive resources (transformer tap changer,or inductors) Status,control (manual or autol,feedback (TOP,TO,DP) Static VAR Compensators (SVC) Status,computations,control (manual or auto),feedback (TOP TO,DP) Page 20 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Techn]cal Basis ManagingConstraints ManagingConstraints includes activities,actions and conditions that are necessary to ensure that elements of the BES operate within design ilmits and constraints established for the reliability and operability of the BES.Aspects of the ManagingConstraints include,but are not limited to: AvailableTrarisfer Capability (ATC)(TOP) laterchange schedules (TOP,RC) Generation re-dispatch and unit commit (GOP) Identifyand monitor SOL's &IROL's(TOP,RC) Identifyand monitor Flow gates (TOP,RC) Monitoringand Control Monitoring and Control includes those activities,actions and conditions that provide monitoríng and control of BES Elernents.An example aspect of the Control and Operationfunctionis: All methods of operatingbreakers and switches SCADA (TOP,GOP) =Substation automation (TOP) Restoration of BE5 The Restoration of BES Operations Service includes activities,actîons and conditions necessary to go from a shutdown condition to an operatîngcondition deliveringelectric power without external assistance.Aspects of the Restoration of BES function include,but are not limited to: Restoration including planned cranking path Through black start units (TOP,GOP) Through tie lines (TOP,GOP) Off-site power for nuclear facîlities.(TOP,TO,BA,RC,DP,GO,GOP) Coordination (TDP,TO,BA,RC,DP,GO,GOP) situational Awareness The Situational Awareness function includes activities,actions and conditions established by policy,directive or standard operating procedure necessary to assess the current conditîon of the BES and anticipate effects of planned and unplannedchanges to conditions.Aspects of the Situation Awareness function include: Page 21 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Technical Basis Monitorîng and alerting (such as EMS alarms}(TOP,GOP,RC,BA} Change management (TOP,GOP,RC,BA) Current Day and Next Day planning (TOP) Contingency Analysis (RC) Frequency monitoring (SA,RC) Inter-EntlityCoordination The Inter-Entity coordînatîon and communication function includes activitîes,actions,and conditions established by policy,directive,or standard operating procedure necessaryfor the coordination and communication between Responsible Entities to ensure the reliability and operability of the BES.Aspects of the Inter-EntityCoordinationand Communication function include: Scheduled interchange (BA,TOP,GOP,RC) Facility operational data and status (TO,TOP,60,GOP,RC,BA) Operationaldîrectives (TOP,RC BA) Applicabikty to Distribution Providers It is expected that only Distribution Providers that own or operatefacilities that qualify in the Applicabîlity section will be subject to these Version S Cyber security standards.Distribution Providers that do not own or operate any facility that qualifiesare not subject to these standards.The quellficationsare based on the requirements for registration as a Distribution Provider and on the requirements applicable to Distribution Providers in NERC Standard EOP- 005. Requirement R1: Requirement R1implementsthe methodologyfor the categorization of BES Cyber Systems according to their impact on the BES.Using the tradîtional risk assessment equation,it reduces the measure of the risk to an impact (consequence)assessment,assuming the vulnerability index of 1(the Systems are assumed to be vulnerable)and a probability of threat of 1(100 percent).The criteria in Attachment 1 provide a measure of the Irnpact of the BES assets supported by these BES Cyber Systems, Responsible Entities are required to identify and categori2e those BES Cyber Systems that have hlgh and medium impact.BES Cyber Systems for BES assets not specified in Attachment 1, Criteria 1.1-1.4 and Criteria 2.1-2.11default to low impact. Page 22 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Technical Basis Attachment 1 Overall Application In the application of the criteria in Attachment 1,Responsible Entities should note that the approach used is based on the impact of the BES Cyber System as measured by the bright-line criteria defined in Attachment L When the drafting team uses the term "Facilities",there îs some latitude to Responsible Entities to determine included Facilities.The terrn Facility is defined in the NERC Glossary of Terms as "A set of electrical equipment that operates as a single Bulk Electric System Element (e.g.,a Ilne,a generator,a shunt compensator,transformer,eted "in most cases, the criteria refer to a group of Facilities in a given location that supports the reliable operation of the BES.For example,for Transmission assets,the substation may be designated as the group of Facilities.However,in a substation that includes equipment that supports BES operationsalong with equipment that only supports Distribution operations, the Responsible Entity may be better served to consider onlythe group of Facilities that supports BES operation.In that case,the Responsible Entity may designate the group of Facilities by location,wîth qualificationson the group of Facilities that supports retiable operation of the SES,as the Facilities that are subject to the criteria for categorization of BE5 Cyber Systems.GenerationFacilities are separatelydiscussed in the Generation section below.In CIP-002-5.1,these groups of Facilities,systerns,and equiprnentare sometimes designated as BES assets.For example,an identified BES asset may be a named substation, generatingplant,or Control Center.Responsible Entities have flexibility in how they group Facilities,systems,and equipment at a location. In certain cases,a BES Cyber System may be categorized by meeting multiple criteria.In such cases,the Responsible Entity may choose to document all criteria that result in the categori2ation.This will avoid inadvertent miscategorization when it no longer meets one of the criteria,but still meets another. ft is recommanded that each BES Cyber System should be listed by only one Responsible Entity.Where there is jointownership,it is advisable that the owning Responsible Entities should formallyagree on the desîgnated Responsible Entity responsible for compliance with the standards. High Irnpact Rating (H) This category includes those BES Cyber Systems,used by and at Control Centers {and the associated data centers included in the definition of Control Centers),that perform the functional obligationsof the Reliabiltty Coordinator (RC),Balancing Authority(BA),Transmission Operator (TDP),or Generator Operator (GOP),as defined under the Tasks heading of the applicable Function and the Relationship with Other Entities heading of the functional entity in the NERC Functional Model,and as scoped by the qualification in Attachment 1,Criteria 1.1, 1.2,1.3 and 1.4.While those entities that have been registered as the above-named functional entities are specifically referenced,it must be noted that there roay be agreements where some Page 23 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Technical Basis of the functional obligationsof a Transmission Operator may be delegated to a Transmission Owner (TO).In these cases,BES Cyber Systems at these TO Control Centers that perform these functîonalobligations would be subject to categorization as high impact.The criteria notably specifically emphasize functional obligations,not necessarily the RC,BA,TOP,or GOP facilities. One must note that the definition of Control Center specîfically refers to reliability tasks for RCs, Bas,TOPs,and GOPs.A TO BES Cyber System în a TO facility that does not perform or does not have an agreement with a TOP to perform any of these functional tasks does not meet thedefinitionofaControlCenter.However,if that BES Cyber System operates any of the facilities that meet criteria in the Medium Impact category,that BES Cyber System would be categorized as a Medium impact BES Cyber System. The 3000 MW threshold defined in criterion 1,2 for BA Control Centers provides a sufficient differentiation of the threshold defined for Medium Impact BA Control Centers.An analysis of BA footprints shows that the majority of Bas with significant impact are covered under thiscriterion. Additional thresholds as specified in the criteria apply for this category. Medium Impact Rating (M) Generation The criteria in Attachment 1's medium impact category that generally apply to Generation Owner and Operator (GO/GOP)Registered Entities are criteria 2.1,2.3,2.6,2.9,and 2.11. Criterion 2.13 for BA control Centers is also included here. Criterion 2.1designates as medium impact those BES Cyber Systerns that impact generation with a net Real Power capability exceeding 1500 MW.The 1500 MW criterion îs sourced partly from the Contingency Reserve requirements in NERC standard BAL-DO2,whose purpose is "to ensure the Balancing Authorityis able to utili2e its Contingency Reserve to balance resources and demand and return Interconnection frequency within defined limits following a Reportable Disturbance."In particular,it requires that "as a minimum,the Balancing Authorityor Reserve Sharing Group shall carry at least enough contingency Reserve to cover the most severe single contingency."The drafting team used 1500 MW as a number derîved from the most significant contingency Reservesoperated in various Bas in all regions, in the use of net Reat Power capability,the drafting team sought to use a value that could be verified through existing requirements as proposed by NERC standard MOD-024 and current development efforts in that area. By using 1500 MW as a bright-line,the intent of the drafting team was to ensure that BES Cyber Systems with common mode vulnerabilities that could result in the loss of 1500 MW or more of generation at a single plant for a unit or group of units are adequatelyprotected. Page 24 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Technical Basis The drafting team also used additional time and value parameters to ensure the brightdines and the values used to measure against them were relatively stable over the review period. Hence,where multiple values of net Real Power capabîlity could be used for the Facilities' qualification against these bright-lines,the highest value was used. In criterion 23,the drafting team sought to ensure that BES Cyber Systems for those generationFacîlities that have been designated by the Planning Coordinatoror Transrnission Planner as necessary to avoid BES Adverse Reliabilityimpacts in the planning horizon of one year or more are categorized as medium impact.In specifying a planning horizon of one year or more,the intent is to ensure that those are uníts that are identified as a result of a "long term"reliability planning,i.e that the plans are spanning an operating period of at least 12 months:it does not mean that the operating day for the unit is necessarîly beyondone year,but that the period that is being planned for is more than 1 year:it is specificaFly intendedto avoid designating generation that is required to be run to remediate short term emergency reliability issues,These Facîlities may be designated as "ReliabilityMust Run,"and this designation is distinct from those generation Facilities designated as "must run"for market stabilization purposes.Because the use of the term "must run"creates some confusion in many areas,the drafting team chose to avoid using this term and instead drafted the requirement in more generic reliability language.In particular,the focus on preventing an Adverse ReliabilityImpact dictates that these units are designated as must run for reliability purposes beyond the local area.Those units designated as must run for voltage support in the local area would not generally be given this designation.In cases where there is no designated Planning Coordinator,the Transmission Planner is included as the Registered Entity that performs this designation. If it is determined through System studies that a unit must run in order to preserve the reliability of the BES,such as due to a Category C3 contingency as defined in TPL-003,then BES Cyber Systems for that unit are categorized as medium impact. The TPL standards require that,where the studies and plans indicate additional actions,that these studies and plans be communicated by the Planning Coordinator or Transmission Rlanner In writing to the Regional Entity/RRO.Actions necessary for the implementation of these plans by affected parties (generationowners/operators and Reliability Coordinators or other necessary party)are usually formalized in the form of an agreement and/or contract. Criterion 2.6 includes BES Cyber Systems for those GenerationFacilities that have been identified as critical to the derivation of IROLs and their associated contingencies,as specified by FAC-014-2,EstabHsh and Communicate System Operating Limits,RS.1.1 and RS.1.3. IROLs roay be based on dynamic System phenomena such as instability or voltage collapse. Derivation of these IROLs and their assecíated contingencies often considers the effect of generation inertia and AVR response. Page 25 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Technical Basis Criterion 2.9 categorizes BES Cyber Systems for Special Protection Systems and Remedial Action Schemes as medium împact.Special Protection Systems and Remedial Action Schemes may be implernentedto prevent disturbances that would result in exceeding IROLs if they do not providethe function required at the time it is requiredor if it operates outsîde of the parameters it was designed for.Generation Owners and GeneratorOperators which own BES Cyber Systems for such Systems and schemes designate them as medium impact. Criterion 2.11 categori2es as medium impact BES Cyber Systems used by and at Control Centers that perform the functional obligationsof the GeneratorOperator for an aggregate generationof 1500 MW or higher in a single interconnection,and that have not already been included in Part 1. Criterion 2.13 categorizes as medium impact those BA Control Centers that "control"1500 MW of generation or more in a single interconnection and that have not already been included In Part 1 The 1500 MW threshold is consistent with the irnpact level and rationale specified for Criterion 2.1. Transmission The SDTuses the phrases "Transmission Facilities at a single station or substation"and "Transmission stations or substations"to recognize the existence of both stations and substations.Many entities in industry consider o substationto be a location with physical borders (i.e.fence,wall,etc.)that contains at least an autotransformer.Locations also exist that do not contain autotransforrners,and many entities in industry referto those locotlons as stations (or switchyards).Therefore,the SDTchose to use both "statlon"and "substation"to refer to the locations where groups of Transmission Facilities exist. Criteria 2.2,2.4 through 2.10,and 2.12 in Attachment 1 are the critería that are applicable to Transmission Owners and Operators.In many of the criteria,the impact threshold is definedas the capabiFity of the failure or compromise of a System to result in exceeding one or more interconnection Reliability Operating Limits (IROl.5).Criterion 2.2 includes BES Cyber Systems for those Facilities in Transmission Systems that provide reactive resources to enhance and preserve the reliability of the BES.The nameplate value is used here because there is no NERC requirement to verify actual capability of these Facilities.The value of 1000 MVARs used in this criterion is a value deemed reasonable for the purpose ofdeterminingcríticality. Críterion 2.4 includes BES Cyber Systems for any Transmission Facility at a substation operated at 500 kV or higher.While the drafting team felt that Facilitîes operated at 500 kV or higher did not require any further qualification for their role as components of the Page 26 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Technical Basis backbone on the interconnected BES,Facilities in the lower EHV range should have additional qualifying criteria for inclusion in the medium impact category. It must be notecl that if the collector bus for a generation plant (i.e.the plant is smaller in aggregate than the threshold set for generation in Criterion 2.1)is operated at 500kV,the collector bus should be considered a Generation Interconnection Facility,and not a Transmission Facility,according to the "Final Report from the Ad Hoc Group for Generation Requirements at the Transmission Interface."This collector bus would not be a facility for a medium impact BES Cyber system because it does not signifícantly affect the 500kV Transmission grid;it only affects a plant whîch is below the generationthreshoicL Criterion 2.5 includes BES Cyber Systems for facilities at the lower end of BES Transmission with qualifications for inclusion if they are deemed highly likely to have significant impact on the BES.While the criterion has been specified as part of the rationale for requiring protection for significant impact on the BES,the drafting team included,in this criterion, additional qualifications that would ensure the required level of impact to the B£5,The drafting team; Excluded radial facilities that would only provide support for single generation facilities. Specified interconnection to at least three transmission statîons or substations to ensure that the level of impact would be appropriate. The total aggregated weighted value of 3,000 was derived from weighted values related to three connected 345 kV lines and five connected 230 kV lines at a transmission statîon or substation.The total aggregated weighted value is used to account for the true impact to the BES,irrespective of lîne kV rating and mix of multiple kV rated lines. Additionally,in NERC's document "Integrated Risk Assessrnent Approach -Refinement to Severity Risk Index",Attachment 1,the report used an average MVA lîne loading based on kV rating: 230 kV ->700 MVA 345 kV->1,300 MVA 500 kV ->2,000 MVA 765 kV ->3,000 MVA In the terms of applicable Ifnes and connecting "other Transmission stations or substations" determinations,the following should be considered: For autotransformers in a station,Responsible Entities have flexîbîlityin determiníng whether the groups of Facilities are considered a single substation or station location or rnultiple substations or stations.In most cases,Responsible Entit[es Page 27 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelînes and Technical Basis would probably consider them as Facilities at a single substation or station unless geographically dispersed.In these cases of these transformers being within the "fence'of the substation or station,autotransformers may not count as separate connections to other statîons.The use of common BES Cyber Systems may negate any rationale for any consideration otherwise.In the case of autotransformersthat are geographically dispersed from a station location,the calculation would take into account the connections in and out of each station or substation location. Multiple-point (or multiple-tap)lines are considered to contribute a single weight value per line and affect the nornber of connections to other stations.Therefore,a single 230 kV roultiple-point line between three Transmission stations or substations would contribute an aggregated weighted value of ¯/00 and connect Transmission Facilities at a single station or substation to two other Transmission stations or substations. Multiple lines between two Transmission stations or substations are considered to contribute multiple weight values per line,but these multiple lines between the two stations only connect one station to one other station.Therefore,twa 345 kV lines between two Transmission stations or substations would contribute an aggregated weighted value of 2600 and connect Transmission Facilities at a single station or substation to one other Transmission station or substation, Criterion 25s qualification for Transrnission Facilities at a Transmission station or substation is based on 2 distinct conditions. 1.The first condition is that Transmission Facilities at a single station or substation where that station or substation connect,et voltage levels of 200 kV or higher to three (3)other stations or substations,to three other stations or substations. This qualification is meant to ensure that connections that operate at voltages of 500 kV or higher are included in the count of connections to other stations or substations as well 2.The second qualification is that the aggregate value of all lines entering or leaving the station or substatîon must exceed 3000.This qualification does not include the considerationof lines operating at lower than 200 kV,or 500 kV or higher,the latter already qualifyingas medium impact under criterion 2.4.: there is no value to be assigned to fines at voltages of less than 200 kV or 500 kV or higher in the table of values for the contribution to the aggregate value of 3000. The Transmission Facilities at the station or substation must meet both qualificationsto be considered as qualified under criterion 2 5. Criterion 2.6 include BES Cyber Systems for those Transmission Facilities that have been identified as critical to the derivatlon of IROLS and their associated contingencies,as Page 28 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Technical Basis specified by FAC-014-2,Establish and Communicate System Operating Limits,R5.1.1 and RS.1.3. Criterion 2./is sourced from the NUC-001 NERC standard,Requîrement R9.2.2,for the support of Nuclear Facilities.IVUC-DO1 ensures that reliability of NPIR'sare ensured through adequate coordination between the Nuclear Generator Owner/Operator and its Transmission provider "for the purpose of ensuring nuclear plant safe operation and shutdown."In particular,there are speelfic requirements to coordinate physical and cyber security protection of these interfaces. Criterion 2.8 designates as medium impact those BES Cyber Systems that impact Transmission Facilities necessary to directly support generation that meet the criteria in Criteria 2.1 (generation Facilities with output greater than 1500 MW)and 2.3 (generation Facilities generaNy designated as "must run"for wide area reliability in the planning horizon).The Responsible Entity can request a formal statement from the Generation owner as to the qualification of generation Facilities connected to their TransmlSSIOn systems. Criterion 2.9 designates as medium impact those bis Cyber Systems for those Special Protection Systems (SPS),Remedial Action Schemes (RAS),or automated switching Systems installed to ensure BES operation within IROLs.The degradation,compromise or unavailability of these BES Cyber Systems would result in exceeding IROLs îf they fail to operate as designed.By the definition of IROL,the loss or compromise of any of these have Wide Area impacts. Criterion 2.10 designates as medium impact those BES Cyber Systems for Systems or Elements that perform automatic Load shedding,without human operator initiation,of 300 MW or more.The SDT spent considerable time discussing the wording of Criterion 2.10, and chose the term "Each"to represent that the criterion applied to a discrete System or Facility.In the drafting of thîs criterion,the drafting team sought to include only those Systems that did not require human operator initiation,and targeted în particular those underfrequency load shedding (UFLS)Facilities and systems and undervoltage load shedding (UVLS)systems and Elements that would be subject to a regional Load shedding requirement to prevent Adverse Reliability Impact.These include automated UFLS systems or UVLS systems that are capable of Load shedding 300 MW or more,It should be noted that those qualifying systems which require a human operator to arm the system,but once armed,trigger autornatically,are still to be considered as not requiring human operator initiation and should be designated as medium impact.The 300 MW threshold has been defined as the aggregate of the highest MW Load value,as defined by the appilcable regional Load Shedding standards,for the preceding 12 months to account for seasonal fluctuations. This particular threshold (300 MW)was provided in GP,Version 1.The SDT believes that the threshold should be lower than the 1500MW generation requirement since it is specifically addressing UVLS and UFLS,which are last ditch efforts to save the Bulk Electric Paµ29 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Technical Basis System and hence requires a lower threshold.A review of UFLS tolerances defined within regional reliability standards for UFLS program requirements to date indicates that the historical value of 300 MW represents an adequate and reasonable threshold value for allowable UFLS operational tolerances. In ERCOT,the Load acting as a Resource ("LaaR")Demand Response Program is not part of the regional Joad shedding program,but an ancillary services market.In general,similar demand response programs that are not part of the NERC or regional reliability Load shedding programs,but are offered as components of an ancillary services market do not qualify under this criterion. The language used in section 4 for UVLS and UFLS and in criterion 2.10 of Attachment 1 is designed to be consîstent with requirements set in the PRC standards for UFLS and UVLS. Criterion 2,12 categorizes as medium impact those BES Cyber Systems used by and at Control Centers and associated data centers performing the functional obligations of a Transmission Operator and that have not already been categorized as high impact. Criterion 2.13 categorizes as Medium impact those BA Control Centers that "control"1500 MW of generation or more in a single Interconnection.The 1500 MW threshold is consistent with the impact level and rationalespecified for Criterion 2.L Low Impact Rating (L) BES Cyber Systems not categorized in high impact or medium Impact default to low impact, Note that low impact BES Cyber Systems do not require discrete identification. Restoration Facilities Several discussions on the CIP Version 5 standards suggest entitîes owning Blackstart Resources and Cranking Paths might elect to remove those services to avoid higher compliance costs.For example,one Reliability Coordinator reported a 25%reduction of Blackstart Resources as a result of the Version 1 language,and there could be more entities that make thîs choice under Version 5. In response,the CIP Version 5 drafting team sought informal input from NERC's Operating and Planning Committees.The committees indicate there has already been a reduction in Blackstart Resources because of increased CIP compliance costs,environmental rules,and other risks;continued inclusion within Version 5 at a category that would very significantly increase compliance costs can result in further reduction of a vulnerable pool. The drafting team moved from the categorization of restoration assets such as Blackstart Resources and Cranking Paths as mediurn impact (as was the case in earlier drafts)to categorization of these assets as low impact as a result of these consîderations.This will not relieve asset owners of all responsibilities,as would have been the case in CIP-002, Versions 1-4 (sînce only Cyber Assets with rautable connectivity which are essential to Page 30 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Technical Basis restoration assets are includeel in those versions).Under the low împact categorization, those assets will be protected in the areas of cyber security awareness,physical access control,and electronic access control,and they will have obligations regarding incident response.This represents e net gain to bulk power system reliability,however,since many of those assets do not meet criterîa for inclusion under Versions 1-4. Weîghing the risks to overall BES reliability,the drafting team deterrnined that this re- categorization represents the option that would be the least detrimental to restoration function and,thus,overalt BES reliability.Removing Blackstart Resources and Cranking Paths from medium impact promotes overall reliability,as the likely alternative is fewer Blackstart Resources supportingtimely restoration when needed. BES Cyber Systems for generation resources that have been designated as Blackstart Resources In the Transmission Operator's restoration plan default to low impact.NERC Standarcl EOP-005-2 requires the Transmission Operator to have a Restoration Plan and to list its Blackstart Resources in its plan,as well as requirements to test these Resources.This criterion desîgnates only those generation Blackstart Resources that have been designated as such in the Transmission Operator's restoration plan.The glossary terrn Blackstart Capability Plan has been retired. Regarding concerns of communication to BES Asset Owners and Operators of their role in the Restoration Plan,Transrnission Operators are required in NERC Standard EOP-005-2 to "provide the entitîes identified in its approved restoration plan with a description of any changes to their roles and specific tasks prior to the implementation date of the plan " BES Cyber Systems for Facilities and Elements comprîsîng the Cranking Paths and meeting the initial switching requirements from the Blackstart Resource to the first interconnection point of the generation unit(s)to be started,as identified in the Transrnission Operator's restoration plan,default to the category of low impact:however,these systems are explicitly caFled out to ensure consideration for inclusîon in the scope of the version S CIP standards.This requirement for inclusion in the scope îs sourced from requirements in NERC standard EOP-005-2,which requires the Transmission Operator to include in its Restoration Plan the cranking Paths and initial switching requirements from the Blackstart Resource and the unit(s)to be started. Distribution Providers may note that they may have BES Cyber Systems that must be scoped in if they have Elements listed in the Transmission Operator's Restoration Plan that are components of the Cranking Path. Page 31ef 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guideliries and Technîcal Basis Use Case:CIP Process Flow The following CP use case process flow for a generator Operator/Owner was provided by a participant in the development of the Version 5 standards and is providedhere as an exampleofaprocessusedtoidentîfyandcategorizeBESCyberSystemsandBESCyberAssets;review, develop,and implement strategies to mitigate overall risks;and apply applicable security controls. Overview (Generation Facility) Menufy &Caimportze BESCgsr iAssetsarmiBESCgarSystemsI¯"----------""-------i Evalusta paterdia!Pitysical SectMig PerfinetersEnginagringswisionetoreductImpactaBESCyberSystemhaaon a FoollIV Engineering revisions to reduce orr--¯¯^^¯¯¯¯"--'--------ohminata phydcal eraa¢ Evaluets BESCyber Assets and SESCybersystemsforExte¢nal Routablec....eu.ny la=ury n==ireweenisurayEnginnedogrevisionstoreduceorPartmalaisandPigslaatAcomensilminabaExternetRoutableCanbeiSyntamsConnacilvil† MenttFy final Electronic AccessPoirdsandElectonioAcesasCordrolSystems Apply securny ConWole based on appilombHity I ING 0 revislain wil need to be reviamedintcastluetWesNes4 aparaklonansmistyimpammeste,emppen toquhamerna,undischnical Emaanene. Page 32 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Technical Basis Rationale: During development of this standard,text boxes were embeddedwithin the standard to explain the rationale for various parts of the standard.Upon BOTapproval,the text from the rationale text boxes was moved to this section. Rationalefor R1: BES Cyber Systems at each site location have varyingImpact on the reliable operation of the Bulk Electric System.Attachment 1 provides a set of "bright-line"criteria that the Responsible Entity must use to identify these BES Cyber Systems in accordance with the impact on the BES. BES Cyber Systems must be identified and categorized according to their impact so that the appropriate measures can be applied,commensurate with their impact.These împact categories will be the basis for the application of appropriate requirements in CIP-003-CIP-011 Rationalefor R2: The lists required by Requirement R1ere reviewed on a periodic basis to ensure that all BES Cyber Systems required to be categorîredhave been properly identified and categorized.The miscategorization or non-categori2ationof a BES Cyber System can lead to the application of inadequateor non-existent cyber security controls that can lead to compromise or misuse that can affect the real-time operation of the BES.The CIP Senior Manager's approvalensures proper oversight of the process by the appropriate Responsîble Entity personnel. Version History 1 1/16/06 R3.2 -Change "Control Center"to 3/24/06 "control center." 2 9/30/09 Modifications to clarify the requirementsand to bring the compliance elements into conformance with the latest guidelines for developing compliance elements of standards. Removal of reasonable business Judgment. Replaced the RRO with the RE as a Responsible Entity. Rewording of Effective Date. Changed compliance monitor to Compliance Enforcement Authorîty. 3 12/16/09 Updatedversion number from -2 to -3.Update Page 33 of 34 PacifiCorp Procedure 304,Remedial Action Schemes Appendix K-CIP 002 Version 5.1 Guidelines and Technical Basis Approvedby the NERC Board of Trustees. 3 3/31/10 Approved by FERC. 4 12/30/10 Modîfied to add specific criteria for Update Critical Asset identification. 4 1/24/11 Approvedby the NERC Board of Update Trustees. 5 11/26/12 Adopted by the NERC Board of Modîfied to Trustees.coordinate with other CIP standards and to revise format to use RBS Template. 5.1 9/30/13 Replaced "Devices"with "Systems"in a Errata definition in background section. 5.1 11/22/13 FERC Order issued approving CIP-CO2- 5.1. Page34 of 34