It has been three years and a few months since the North American Electric Reliability Corporation (NERC) Reliability Standards (Standards) became mandatory and noncompliance became subject to sanctions by the Federal Energy Regulatory Commission (FERC). You might assume that, because there have been no further instances of widespread cascading outages, the Standards are working. You might also assume, considering the database of documented noncompliance with the Standards, that the industry as a whole is puzzled, unprepared, or negligent in carrying out its responsibility to keep the high-voltage electric grids reliable and secure. The truth likely lies somewhere in the middle.
The Standards themselves are undergoing constant revision and requests for interpretation. (Download the latest 1,093-page set of standards at http://www.nerc.com/files/Reliability_Standards_Complete_Set.pdf.) A new Standards Development Process is also now in place to guide the development of new standards and accelerate the release process.
Every Registered Entity (including bulk power system owners, operators, and users) has probably undergone an audit or spot check, or completed the self-certification process, at least once during the past three-plus years. No doubt each Registered Entity (RE) has stories, both good and bad, to tell about its experience. What follows is a short compendium of lessons learned from experience that may be helpful as you prepare for your next audit.
Attestations and Proving the Negative
Many Standards require the RE to take a specific action if a certain triggering event occurs. But if the triggering event has never occurred, how can compliance be measured? It is measured through signed attestations by management that
- The triggering event has not occurred,
- Were it to occur in the future, the appropriate procedures are in place to direct the activities of the responding staff, and
- The responsibilities have been thoroughly addressed in periodic and ongoing training sessions.
These attestations have been endorsed by the NERC Compliance staff as perfectly acceptable evidence mechanisms to “prove the negative.”
Incorrect Assumptions by REs
Some REs complain that the evidence “bar” is raised from audit to audit without any change to the Standard or any new interpretation being incorporated. That is not how the process is meant to work. If the Standard and its requirements remain constant from audit to audit, no clarifying interpretations have been approved by FERC, and no relevant Compliance Application Notices have been issued, then the type and degree of evidence that was deemed sufficient in the earlier audit must be sufficient in subsequent audits. The compliance threshold cannot be raised without a conforming change to the Standards.
The “Closet Audit”
REs are reporting increasing concern about “closet audits.” Such REs expect the audit to consist of a joint review of the compliance evidence by the auditors and the RE’s subject matter experts, and they plan to walk through the Reliability Standard Audit Worksheet responses and the evidence compiled for the audit. Instead, the auditors arrive, make a brief presentation about the process, and then take the evidentiary documents into a room to review in private. Although this method may be seen as rude, it is not necessarily wrong.
The lesson here is that the emphasis for evidence is on documentation. Ideally, no one should have to explain anything in an audit. All the evidence should be clear, complete, and exhibit the recommended document control features. The RE should be aware that an opportunity to explain a complex issue in an audit may not arise, at least not until a potential violation is alleged. To borrow a phrase from a memorable math course, the answer (or evidence, in this case) should be “intuitively obvious to the casual observer.”
“Summary” Means Summary
Reading the requirements literally, term by term, at first seems overly prescriptive and even a bit ridiculous. For example, an RE may clearly and completely demonstrate that it has a robust, perhaps even best-in-class, protection system maintenance and testing process. If it does not have a documented summary of what that process consists of, however, it will be in violation of PRC-005-1 Requirement R1.2, because the requirement mandates a summary.
You may argue that the components and processes are evident in the completed work orders and vendor reports, and that some of these reports constitute a summary. That is perhaps true conceptually, but your reports do not contain the word “summary.” The lesson here is to be vigilant about the terms used in the Standards and make sure those exact terms are incorporated into your processes and procedures.
Align Procedures with Audits
We have learned not to refer to anything in a procedure that cannot be reproduced in an audit. For example, if equipment manufacturer recommendations are cited as a factor in determining protection system maintenance and testing intervals, make sure that the manufacturer manuals, instructions, and maintenance guidelines are on hand and available.
Be Complete and Completely Obvious
As we move forward toward the even more detailed audits under the Critical Infrastructure Protection (CIP) Standards, applying these lessons will help ensure that compliance evidence is complete and sufficient, and that compliance is intuitively obvious.
—Contributed by (firstname.lastname@example.org), executive director of SPS ENERGY, a division of SPS Consulting Group Inc.