Chapter: 1 Introduction and Executive Summary

This course provides an overview of the Federal Energy Regulatory Commission’s (FERC’s) role in overseeing the reliable operation of the nation’s bulk power system, i.e., the interconnected electric grid. In order to understand FERC’s reliability program, it is use-ful to first understand the basic structure of how the bulk power system operates. Therefore, the course begins with an explanation of fundamental concepts and functions related to power system operations. The course then discusses FERC’s authority under section 215 of the Federal Power

Act (FPA) with regard to reliability and how FERC has implemented that authority, primarily focusing on the oversight of the development and enforcement of mandatory “Reliability Standards.” Reliability Standards impose requirements on the users, owners and operators of the bulk power system to as-sure that they fulfill their responsibilities in reliable grid operations, consistent with the basic engineering functions and concepts dis- cussed in the course. Finally, the role of the FERC-certified electric reliability organization or “ERO” and its relationship to FERC and electric industry stakeholders is discussed.

Under Part II of the FPA, FERC historically has regulated certain economic aspects of the public utility industry, such as the rates for sales by one utility to another in interstate commerce. Pursuant to the Energy Policy Act of 2005 (EPAct 2005), Congress expanded FERC’s role and jurisdiction under the FPA by adding a new section 215 pertaining to electric grid reliability. While FERC had previously addressed electric grid reliability in an indirect manner, such as allowing the cost recovery of public utility expenditures that address discrete reliability matters, new section 215 of the FPA tasked FERC with a direct role over an entire new field of activity.

Section 215 of the FPA also differs from other provisions in the FPA because it defines FERC’s jurisdiction in terms of “users, owners and operators” of the bulk power system. This term includes numerous entities that are excluded from most FERC economic regulation, such as federal power agencies, municipal utilities, and rural electric cooperatives. As a result, many entities typically not regulated by FERC had to familiarize themselves with the 2005 reliability legislation and comply with the new requirements. One commonality, however, with other provisions of Part II of the FPA is that section 215 delineates FERC’s jurisdiction in terms of the bulk power system, and expressly excludes facilities used in local distribution from the new reliability scheme.

Congress gave FERC authority to certify a non-governmental entity, referred to as the electric reliability organization, to develop and enforce mandatory “Reliability Standards.” Although Congress did not authorize FERC to write the Reliability Standards, it gave FERC the role of reviewing the Reliability Standards the electric reliability organization develops to ensure they are “just, reasonable, not unduly discriminatory or preferential, and in the public interest.” FERC must approve the electric reliability organization’s Reliability Standards before they can take effect in the United States. Section 215 of the FPA requires independence of the electric reliability organization from the users, owners and operators of the bulk power system. Yet, the statute also requires the electric reliability organization to assure “fair stakeholder representation” in selecting the electric reliability organization board of directors and other aspects of the electric reliability organization, such as committees.

A great amount has been accomplished since 2005. FERC has promulgated regulations defining the structure of the reliability program, certified the North American Electric Reliability Corporation (NERC) as the electric reliability organization, ap- proved eight “regional entities” that serve as regional compliance authorities, approved over 100 mandatory Reliability Standards that address many facets of maintaining and improving bulk power system reliability, issued directives and ordered standards to be developed as well as reviewed thousands of electric reliability organization compliance and enforcement actions.

The task, however, is not complete. Emerging reliability issues require a dynamic program that takes a proactive stance in ensuring ongoing grid reliability. Thus, in addition to maintaining vigilance on fundamentals of grid reliability – such as real-time balancing of load and resources, operating equipment within defined limits, adequate operator training, and tree trimming – emerging areas of concern such as cyber-security and changes in the nation’s resource mix continue to require FERC’s attention.

It is important to understand that in enacting section 215 of the FPA Congress did not “outlaw” blackouts; nor can FERC, the electric reliability organization or anyone else guarantee that blackouts will not occur. However, applying current knowledge and resources, FERC strives to implement its authority over the electric reliability organization and the Reliability Standards in a diligent manner to reduce the possibility of blackouts on the bulk power system.

Chapter: 2 Overview and History of the Electric Power System

Modern society has come to depend on reliable electricity as an essential resource for national security, health and welfare, communications, finance, transportation, food and water supply, heating, cooling, and lighting, computers and electronics, commercial enterprise, and even entertainment and leisure – in short, nearly all aspects of modern life. Providing reliable electricity is an enormously complex technical challenge: it involves real-time assessment, control and coordination of electricity production at thousands of generators, moving electricity across vast interconnected networks of transmission lines, and ultimately delivering the electricity to mil- lions of customers by means of extensive distribution networks.

It is these complexities that make the North American electric system such a great engineering achievement. This infrastructure represents more than $1 trillion in asset value, more than 211,000 miles of trans- mission lines operating at 230 kilovolts and greater, over 1.1 million megawatts of generating capability, and nearly 3,500 utility organizations serving over 334 million people whose total electricity demand exceeds 830 gigawatts (830,000 megawatts).

Structure of the North American Electric Power System

Each interconnection in the North American electricity system is essentially one large machine and comprises three main functions: generation, transmission, and distribution, each of which is discussed below. Electric generation (supply) creates electricity using various generating technologies with specific operating characteristics. The trans- mission system connects and transfers large amounts of power from generators to the distribution system, delivering electricity to population centers. The distribution system then routes electricity to individual customers, which are referred to as load. Together, these system parts are connected and operate in an electric balance.

The first electricity systems were independent of each other, serving local communities or regions. As North American electricity demand increased and systems grew, especially after World War II, the systems interconnected. The drivers of interconnection were both technical and economic. Justifications for expansion and interconnection were due to economies of scale, load factor (the ratio of average load

to the peak load for a period of time), and enhancement of reliability. First, the primary electric generators were large thermal plants fueled by coal. These systems have economies of scale, meaning that larger plants have lower per-unit production costs than small plants. Larger plants need a larger customer base, thus encouraging connections among service territories. Increased unit size is advantageous and provides incentives for utilities to connect enough customers so as to take full advantage of economies of scale. Second, by aggregating customers across regions, a higher load factor results, improving system operations. Third, the interconnection of many generators and customers across a wide region improves system reliability through the use of generation pooling which helps to ensure reliable electricity supply despite unexpected generation loss or outage. To this day, some service regions are referred to as “power pools.”2 In North America, there are four separate power grids or “interconnections” (See illustration below). The Eastern interconnection includes the eastern two-thirds of the continental United States and Canada from Saskatchewan east to the Maritime Provinces. In 2006, Québec’s trans- mission system was recognized as a full interconnection because it is not synchronized with neighboring systems. The Western interconnection includes the western third of the continental United States (excluding Alaska), the Canadian provinces of Alberta and British Columbia, and a portion of Baja California Norte, Mexico. The Electric Reliability Council of Texas (ERCOT) interconnection comprises most of the state of Texas. The four interconnections are electrically independent from each other except for a few small direct current (DC) ties. Within each interconnection, electricity is consumed the instant it is produced, flowing over transmission lines from generators to loads.

North American Grid

As shown in the chart below, the United States and Canada share an integrated electrical transmission network. Adding the Baja California region of Mexico, which also has interconnections with the United States, results in what is referred to as the North American interconnected transmission network.

FERC has certain authority over reliability for the portion of the bulk power system located in the United States. Canadian regulatory oversight of electric reliability rests primarily within the jurisdiction of the provinces. In Mexico, regulatory oversight rests with the Mexican Energy Regulatory Commission (Comision Reguladora De Energia or CRE).

These interconnected transmission networks provide economic benefits to each country by allowing electric utility companies to buy and sell power from each other, to save money and to share in the provision of support services that makes the delivery of energy possible. Over 30 international transmission lines are in use between the United States and Canada.

The electric interconnections between the countries also provide alternative power paths during emergencies, such as when a generator unexpectedly trips offline on a hot summer day. Thus, electric interconnections benefit reliability and resiliency of the bulk power system. However, these electrical interconnections can also result in certain vulnerabilities, as was demonstrated during the August 14, 2003 blackout. That blackout began in Ohio and rolled through eastern Canada, impacting its system, before cascading into New York and New England. By following a common set of operating protocols or Reliability Standards in both the United States and Canada, the vulnerabilities of shared interconnections are mitigated.

Generation

Generators are devices that produce electricity. Generators come in many forms and use different methods to convert a fuel or energy source into electricity. The table below shows the amount of generation capacity installed in the United States as of 2014. Natural gas, coal and nuclear energy make up the largest sources.

The various types of generation include:

• Thermal Power Plants: These plants burn fuel in a boiler, producing heat and converting water to steam at a high pressure and The steam is expanded through a turbine, which produces work to drive a generator. Steam plants may use coal, natural gas, oil, biomass, or various types of mineral or vegetative waste (such as by-products from fossil fuel refinement, wood, grasses, etc.) to produce electricity. Gas turbines are essentially natural-gas fired jet engines in which torque is produced to drive a generator. Gas turbines may be started within minutes whereas steam plants may require several hours to begin producing electricity.
• Combined Cycle: In a combined cycle power plant, fuel (typically natural gas) is burned in a gas turbine. A heat recovery system captures the exhaust heat from the turbine and uses that heat to raise steam temperature and pressure, which is expanded through a steam turbine. Both turbines drive electric generators. The heat recovery increases efficiency over a gas turbine or simple steam cycle plant.
• Cogeneration: A cogeneration plant is a simple steam generator that also produces steam for local Common in universities and industrial campuses, these types of power plants produce power and the steam is used for building heating and cooling and industrial applications. Cogeneration plants can have a very high thermal efficiency.
• Nuclear: These plants capture heat released during nuclear fission (or the splitting of uranium atoms) to create steam in a simple steam cycle. Nuclear plants typically operate continuously for 18 to 24 months before undergoing a scheduled maintenance break for refueling.
• Hydroelectric: Hydroelectric plants produce electrical power by passing flowing water through a turbine to drive a The two major types of hydroelectric facilities are impoundment and “run-of-river.” In an impoundment facility, a dam is used to store water, which is then released to drive a generator. In a “run-of-river” facility, a portion of the river’s flow is diverted to a generating station. Hydro- electric facilities are characterized by their high level of availability (given sufficient water levels) and controllability. Utilities balance power production of hydro plants on rivers with other uses, such as flood control, navigation, environ- mental regulations and recreation. Another type of hydro facility, pumped storage, pumps water to higher elevations during low demand hours so that it can be used to produce electricity during peak hours.
• Solar: There are two types of solar generators: photovoltaics and concentrated solar power. Photovoltaics use silicon wafers or non-silicon thin-film panels to convert sunlight directly into electricity and can often be found on homes, commercial buildings, or aggregated into large Concentrated solar power units use mirrors/lenses to focus solar rays toward a receiver where the light energy is concentrated to drive a simple steam cycle generating station.
• Wind: A typical wind turbine has three rotating blades atop a tall tower. The wind turns the blades, directly driving a generator. Units are often grouped together to form wind farms in areas with desirable wind characteristics. The grouping of wind turbines together improves the aggregate availability of the wind farm and its economic viability by harnessing different wind speeds and currents over a larger geographic area.
• Geothermal: These power plants use the heated reservoirs of steam that already exist far below the earth’s crust to provide Most people are familiar with “heat pumps” for residential and commercial heating and cooling that pump liquids through tubing in the ground. Utility-scale geothermal systems are open-loop and closed loop. Open-loop systems tap reservoirs of super-heated steam to drive a steam turbine. Closed-loop systems inject water into wells drilled in geothermal hot spots, which heats the water into steam, which is used to generate electricity.
• Biofuels: These power plants come in several Some use the methane gas by-product of the bacterial decomposition of manure or landfills as the fuel source that is burned to drive a turbine or a small steam-cycle plant. Other biomass plants use non-edible agricultural products and waste such as wood pulp, grasses, corn residue and forest thinnings as a fuel for a simple steam cycle plant.

Given their different fuel types and associated operating characteristics, generators are used to varying extents to serve customer demand or “load,” and generally fall into one of the following categories: base-load, load-following or peaking.

Base-load generation is traditionally comprised of generators that run almost continuously to serve a base level of demand that is typically present on the system due to everyday needs. Most often, nuclear plants, large thermal units, or hydroelectric plants are considered base-load generation. This type of generation is usually large, with respect to size and output, and operates within a steady range of production. For example, nuclear plants produce energy more than ninety percent of the time that they are in service. Due to economies of scale, large thermal fossil fuel plants also are often more economical to run and provide the system with added stability through their design. The large, rotating turbines in these base-load units create spinning mass, which contains kinetic energy known as inertia. Inertia is the momentum and energy built up in the turbines that resists changes due to changing loads by adding to or absorbing energy from the system. These large base-load units also tend to have longer start-up or shut-down times and must operate within a steady range of production. The run-of-river hydro plants, where available, are useful as base-load units because their energy source is constantly flowing. However, regional weather conditions can affect river flows and the amount of hydro-generation available.

Load-following generation is used when the demand for electricity is higher than the base level. Natural gas units have traditionally been used as intermedi- ate or load-following generation. Due to prevailing low prices of natural gas, these plants are increasing- ly used to serve base-load.

Units that can be called upon in a shorter time- frame, such as quick-responding gas combustion turbines, are utilized as peaking units during times of highest demand. While these units may have more operational flexibility, they may not be as economical to run due to their relatively lower efficiency and thus higher fuel and operating costs.

Operating reserves are the capability above firm system demand required to provide for changing demand levels and equipment and system failures.

System operators decide which generators to run based on their economic and operational characteristics or, in many regions, based on prices bid by competing generators. To minimize electricity production costs, system operators dispatch generation in order of cost (or bid) to meet load, unless reliability factors require otherwise. When load is at its peak, more expensive units generally are used to meet the increased demand and the overall cost goes up.

The amount of power needed to serve load constantly changes. System operators must schedule or “dispatch” production by the generators to meet constantly changing demands. Scheduling typically occurs on an hourly basis, and is then fine-tuned throughout the hour, sometimes through the use of automatic generation controls to continuously match generation to actual demand.

Transmission

The transmission function of the North American grid connects and transfers large amounts of power from generators to the distribution system via trans- mission lines, delivering electricity to population areas. Transmission lines are typically constructed using bundles of steel-reinforced copper or aluminum wires called “conductors” and are able to span great lengths with support from steel towers. The towers keep the lines suspended at a safe distance from trees or other objects, as well as maintain enough space between each conductor to keep the lines from connecting or arcing and to avoid mutual interference that could reduce transmission efficiency. Conductors are connected to the tower by insulators which prevent the flow of electricity into the tower. In addition to overhead towers, electricity can also be transmitted through underground or underwater cables, where the construction of a tower is not possible. A cable can include several conductors surrounded by an insulator.

Electricity is transmitted at high voltages. High volt- age transmission can range from 345 kilovolts to 765 kilovolts. In the United States, systems have different characteristics due to location, types of customer, proximity to population, and other considerations such as topography, geography or environmental conditions. Electricity from generators is “stepped up” from a lower voltage (10,000 to 25,000 volts) to higher voltages (i.e., 100,000 to 765,000 volts) for transportation in bulk over transmission lines.

Transmission at high voltage reduces the power losses associated with conductor heating and allows power to be shipped economically over long distances. This is because real losses on a power line are directly proportional to the product of the line resistance and the square of the load current. As the line resistance is relatively fixed per unit of distance (though may change slightly based on factors such as temperature or frequency), a high current will result in large losses. The amount of current required to transfer a given amount of power is inversely proportional to the voltage, thus doubling the voltage halves the current. The desired power level can still be maintained while minimizing line losses by increasing the voltage. As a result, the transmission system relies on higher voltages.

Transmission lines are interconnected at switching stations and substations to form a network of lines and stations that make up the power “grid.” Electricity flows through the interconnected network of transmission lines from the generators to the loads in accordance with the laws of physics in much the same way that water flows through a network of canals: along paths of least resistance. When the pow- er arrives near a load center, it is “stepped down” to lower voltages for distribution to customers.

The first central power plant in the United States, Thomas Edison’s Pearl Street Station in New York City, distributed direct current (DC) power. Today’s electricity transmission and distribution systems are primarily alternating current (AC) facilities. AC power became predominant because of the ease and low cost with which voltages in AC systems can be converted from one level to another. There are a number of modern high-voltage DC (HVDC) transmission links, but these are only a small part of the power grid.

Modern AC power systems are three phase, meaning that the system is comprised of three systems, each operating a third of a 360-degree cycle, 120 degrees, from the other two. Three phase systems have two principal benefits. First, in synchronous generators and motors, three-phase power permits constant torque on the rotor, thus reducing vibration and improving performance. Second, three-phase systems improve the economy of transmission. In principle, every electric circuit must have a return wire. How- ever, in three-phase systems, the sum of the delivered currents is zero, so no return wire is needed. In practice, the small amount of return current may be routed to the ground. This situation assumes that the currents are equal and exactly 120 degrees apart.

Real and Reactive Power

Power transferred along transmission lines consists of both “real” power and “reactive” power. The real power is the energy that is capable of performing work in electrical devices including industrial equipment, refrigerators, or toasters. Reactive power is needed to maintain the voltage as well as electric and magnetic fields in AC equipment, which includes air conditioners, motors, transmission lines, and other devices. Together, real power and reactive power comprise apparent power, which is measured in units of Volt-Amperes or kilo Volt-Amperes – kVA.

Reactive power cannot be transmitted as far as real power and instead must be replenished locally. Moreover, a deficit in reactive power causes voltage to drop. This is seen when the lights dim as an electric motor starts. While reactive power consumed by facilities or devices tends to cause the voltage to drop, it can also be produced or injected into the system to increase voltage in what is often referred to as “voltage support.” This is accomplished in a variety of ways, including by adjusting the reactive power output of generators or by activating capacitor banks or other power electronic equipment. If reactive power is not supplied promptly and in sufficient quantity, voltages decline, and in extreme cases a “voltage collapse” may result.

Transmission lines also face physical limitations based on their characteristics. Following the law of conservation of energy, the energy losses experienced in transmission (due to the resistance multi- plied by the current squared) are transformed into heat that cause lines to stretch and sag. This expansion can cause the line to come into contact with trees or other objects and cause a fault, or may lead to permanent physical changes and damage to the line. Thus transmission lines have thermal ratings that determine the maximum amount of electricity a line can safely conduct, thus limiting the amount of power that can be transferred. The thermal ratings can vary seasonally with the ambient temperature and with system conditions, such as normal (or continuous ratings) and emergency operation ratings. Emergency ratings may have a time limit associated with them such as a two-hour or four-hour rating. In addition, lines have voltage limits and other controls to make sure that generators and other elements at each end of the line are able to synchronize with the system when connecting. Because electricity flows freely and almost simultaneously across the power system, transmission lines may also have preset power transfer limits to avoid overloading other lines during certain system conditions.

Transformers and Substations

Transformers are devices that convert AC power from one voltage to another. Transformers are essentially a conductive core that facilitates the transfer of electric energy between two or more sets of line windings through magnetic fields. Transformers are used in electric power systems to convert voltages to a higher (“step-up”) or lower (“step- down”) voltage. For example, generators produce power at lower voltage levels and the power must be stepped up by transformers near the generation site before joining the transmission network.

AC current flowing through the source (primary) winding of a transformer creates an oscillating magnetic field within the conductive core and produces an induced voltage potential across the load (secondary) winding. This causes electrons to flow in the secondary winding and produces another AC current at the output. The strength of the voltage induced is dependent on the ratio of turns in the winding; if the number of turns is greater in the primary winding, then the resulting voltage will be smaller, or stepped down. If the number of turns is greater in the secondary winding, the resulting voltage will be greater, or stepped up. Various configurations can support multiple sets of windings, such as a third set of windings to provide local power. It is also possible to connect or “tap” the windings so that the number of turns used can be changed, thus controlling the resulting induced voltage as needed.

Transformers and associated equipment comprise the interface between two different transmission-level voltages, between generators and transmission, and between the transmission system and the distribution system. High voltage transformers, also referred to as “intertie banks,” deliver large amounts of power to highly populated areas or “load pockets” that may not have enough local generation. These large intertie banks are difficult and costly to replace because of their size, unique designs, and long manufacturing times. For these reasons, many utilities keep spare equipment on hand.

Transformers and other equipment needed to switch between voltage levels and multiple line terminals are contained within substations. Substations also contain a number of system control devices and protective elements that insulate electricity to keep equipment and people working within substations safe. Switches or circuit breakers are used to disconnect elements or portions of the system to isolate them, often for maintenance or to mitigate an unexpected disturbance on the line. Some switches take advantage of open air as an insulating medium when physically removing connections. This event often can result in arc flashes at high voltage levels as the conductors separate, though the arcs dissipate quickly once there is enough distance between contacts.

Switches may also be contained within a vacuum or in the presence of an inert gas, which both are better insulators than air. Additionally, circuit breakers are used to separate sections of the system when faults are detected. Bushings are insulated connectors for equipment, such as circuit breakers or transformers to conductors. Substations also house equipment used to maintain the voltage across the system such as the capacitor banks, reactors, and static-VAR compensators.

Distributions

The distribution system is generally comprised of sub-100kV lines that ultimately deliver power to customers, such as a home or business. Once power is generated and transferred over transmission lines to the vicinity of the load, the voltage must once again be lowered to move along the distribution lines.

This happens at a substation that uses transformers to step-down the voltage. From the substation, energy can be transferred either directly to the load or must be stepped down again. Some large industrial and commercial customers take service at intermediate voltage levels (12,000 to 115,000 volts), but most residential customers take their electrical service at 120 and 240 volts. Electric utilities ensure that this voltage stays within a specified range.

Other Equipment

Because the electric power system needs to perform continuously, efforts are taken to ensure that operations will continue during and after an undesired event. These events may often be the result of a lightning strike, or a tree or animal that has made contact with a line, causing a low-resistance connection that carries excessive current flows to unintended paths (often called a “short circuit” or “fault”).

To mitigate these events, protection systems that detect these high currents and other system problems and take automatic actions have been designed and deployed. The main purpose of these devices is to monitor and/or react to events and to minimize damage and maintain reliability. Collectively, these devices constitute the “protection system.”

Protection system devices are installed on the grid to protect and isolate the entire power system from trouble that emerges in isolated locations, while leaving as much of the grid as operational as possible. Protection systems can be viewed as having five principal components:

(1) current and voltage “transformers” measure currents and voltages and provide signals to relays;
(2) protective relays that sense faults and initiate a “trip” or disconnect;
(3) circuit breakers that open and/or close the line based on relay and other commands;
(4) batteries to provide power in case of power disconnection in the system; and
(5) communication channels to allow analysis of current and voltage at remote terminals of a line and allow remote tripping of equipment.

Relays and circuit breakers that isolate affected sections of a line are often the first line of defense. Relays monitor many aspects of the system, including: temperature, current, and voltage. Depending on the situation, a relay will “trip” a circuit breaker that takes a portion of the system out of service by disconnecting the line to protect the rest of the network. Often, relays will automatically “re-close,” meaning that they will reconnect after a preset delay under the assumption that the source of the fault is temporary. However, if the fault is still present, the relay will permanently remove the affected portion of the line from service until the fault can be resolved by maintenance crews. The application of these devices is designed to remove from service the smallest part of the system possible until restoration can be achieved. For redundancy, often there are secondary and tertiary back-up relays that are timed to watch for the clearing of a fault. If the system fault is still present after a set period of time, they will activate, though a larger portion of the line may then be out of service. Other relays will act to regulate the system characteristics within a certain range, or will trip if a prolonged over-current or over-voltage is detected.

Chapter: 3 Function and Concepts of Electric Power System Operations

Function and Concepts of Electric Power System Operations

The previous section discusses the structure of the North American electricity system and describes the three main functions (generation, transmission, and distribution) and how each interconnection within the system operates as essentially one big machine. Maintaining the reliability of the grid is a complex enterprise that requires trained and skilled opera- tors, sophisticated computers and communications, careful planning and design, and rigorous maintenance practices, including tree-trimming or “vegetation management,” and equipment maintenance. This section describes some of the aspects of reliably operating the grid. Reliable operation of the power grid is complex and demanding for two fundamental reasons:

• At present, it is difficult to store large quantities of electricity economically. Therefore, electricity must be produced the instant it is needed and
• The flow of AC electricity cannot be controlled like a liquid or gas by opening or closing a valve in a pipe, or switched like calls over a long-distance telephone Electricity flows freely along all available paths from the generators to the loads along the “path of least resistance.”

The unique characteristics of electricity mean that problems, when they arise, can spread and escalate very quickly if proper safeguards are not in place. Accordingly, through years of experience, the electric industry has developed a network of defensive strategies for maintaining reliability based on the assumption that equipment can and will fail unexpectedly on occasion. This principle is expressed by the requirement that the system must be operated at all times to ensure that it will remain in a secure condition (generally within emergency ratings for current and voltage and within established stability limits) following the unexpected loss of the most important generator or transmission facility (a “single largest contingency”). This is called the “N-1 criterion.” In other words, because a generator or line trip can occur at any time, the power system must be operated in a preventive mode. Use of the N-1 criterion means that the loss of the most important genera- tor or transmission facility does not jeopardize the remaining facilities in the system by causing them to exceed their emergency ratings or stability limits, which could lead to a cascading outage.

When a contingency does occur, system operators are required to identify and plan for the next contingencies based on the changed conditions. They must also promptly make any adjustments needed to ensure that if one of these contingencies were to occur, the system would still remain operational and safe. Generally, the system must be restored to normal limits as soon as practical but within no more than 30 minutes, and to a condition where it can once again withstand the next-worst single contingency without violating thermal, voltage, or stability limits. Most areas of the grid are operated to withstand the concurrent loss of two or more facilities (i.e., “N-2” or “N-3”). This may be done, for example, as an added safety measure to protect a densely populated metropolitan area or when lines share a common structure and could be affected by the same event (e.g., a single lightning strike).

Ensuring the reliability of a transmission grid involves several other key concepts, which are discussed below: Frequency Control – Balance of Generation and Load, Voltage Control – Maintaining Required Voltage Level, Power Flow and Stability Control, Short-Term and Long-Term Planning, Vegetation Management, Coordination and Communication, and Critical Infrastructure Protection.

Frequency Control – Balance of Generation and Load

The “frequency” of the AC power system in the United States is set at 60 cycles per second or 60 Hertz (Hz). Failure to match generation to demand causes the frequency of the power system to fluctuate higher or lower than the normal 60 Hz. When generation exceeds the load or demand to consume it, the system frequency increases; when there is less generation being produced than is needed to serve load, the frequency decreases. Random, small variations in frequency are normal, as loads constantly in- crease or decrease, and generators modify their out- put to follow the demand changes. However, large deviations in frequency can cause the rotational speed of generators to fluctuate, leading to vibrations that can cause damage to generator turbine blades and other equipment. Extremely low frequencies can trigger automatic under-frequency “load shed- ding” to enable frequency to increase, which takes sets of customers off-line to prevent a total collapse of the electric system. Such an imbalance of generation and demand can also occur when the system responds to major disturbances by disconnecting into separate “islands”; any such island may have an excess or a shortage of generation when compared to the demand within the island. The figure below presents the concept of frequency control in terms of maintaining the level of water in a tank.

Many processes in place help to maintain the system frequency at (or close to) 60 Hz. One inherent quality of the system is inertial energy, or momentum that resists sudden changes in speed. The large amounts of energy stored in rotating masses (such as the spinning turbines of generation plants) are resistant to changes in rotational speed. The inertia resists a decline in speed caused by a loss of generation, allowing control systems a brief opportunity to automatically produce more power from the remaining generators. This response often occurs in milliseconds. Conversely, when load is added to the system causing the frequency to decrease, rotational energy from the generator will be converted into electrical energy to serve the load and maintain a balance. To further control these rotational speeds, generators also have a device called a “governor.” The governor monitors the shaft speed of a genera- tor and either increases or decreases the amount of turbine-spinning force, by controlling the steam in- put to the turbine, to proportionally adjust the shaft speed back to the desired level. Governors on trucks or boats work exactly in the same manner, allowing only a steady and measured decrease or increase in drive train rotational velocity to prevent equipment damage and maintain safe operating practices. This frequency response occurs in a fraction of a second, before system operators are able to take action. For example, the sudden loss of a large generator in Kentucky can cause a frequency dip in the entire Eastern interconnection, from Miami up to Toronto, during which time all of the generators with automatic generation control mode in the interconnection will respond by incrementally increasing the amount of energy they produce to make up for the sudden loss of this one generator.

Voltage Control – Maintaining Required Voltage Level

As the load changes, so do the requirements for reactive power throughout the system. Reactive power sources, such as capacitor banks and generators, adjust to maintain voltages within a specified range for all system electrical equipment (e.g., stations, transmission lines, and customer equipment see previous “box” on Reactive Power Analogy). Most genera- tors have automatic voltage regulators that cause the reactive power output to increase or decrease based on system conditions, thus controlling voltage in an area. A system voltage schedule is set by the trans- mission operator and is designed to maintain the system within reliable operating limits. This schedule is done in advance so the transmission operator can convey voltage needs to area generators, and the generators can then be ready to respond based on their specific capabilities and requirements. When necessary, devices called reactors are used to contain excess reactive power by increasing the line reactance (the reactive component of impedance that absorbs or emits reactive power). Static VAR compensators and static synchronous compensators (also known as STATCOMs) are devices that inject and absorb reactive power and are used to maintain voltage by adjusting the impedance of the system.

Large deviations in voltage levels can have severe impacts. Low voltage can cause electric system in- stability or collapse and, at distribution voltages, can cause damage to motors and the failure of electronic equipment. Low voltage levels occur when there is a lack of reactive power, which can result from a load-driven surge of reactive power demand or when there are high reactive power losses due to heavy power transfers. At the other extreme, high voltages can exceed the insulation capabilities of equipment and cause dangerous electric arcs known as “flash- overs.” These conditions can occur when there is light loading on the system (e.g., less customer demand), causing an excess of reactive power that elevates the voltage beyond safe operating limits. Outages of reactive power equipment, transmission lines, or generators can also contribute to both under-and over-voltages.

Power Flow and Stability Control

Because the electric system is interconnected and dynamic, the system must be operated within electrical stability limits. Stability problems can develop very quickly – in time-frames ranging from milliseconds to minutes. Electricity system operators often describe events in terms of the number of “cycles” of alternating current that pass. One cycle is 1/60th of a second. The main concern is to ensure that gen- eration dispatch and the resulting power flows and voltages are such that the system is stable at all times. Stability limits, like thermal limits, are expressed as a maximum amount of electricity that can be safely transferred over transmission lines.

There are two types of stability limits. First, voltage stability limits are set to ensure that the unplanned loss of a line or generator (which may have been providing locally critical reactive power support, as described previously) will not cause voltages to fall to dangerously low levels. If voltage falls too low, it begins to collapse uncontrollably, at which point automatic relays either shed load or trip generators to avoid damage. Second, power (angle) stability limits are set to ensure that a fault or an unplanned loss of a line, transformer, or generator will not cause the remaining generators and loads being served to lose synchronism with one another (recall that all generators and loads within an interconnection must operate at or very near a common 60 Hz). Loss of synchronism with the common frequency means generators are operating out-of-step with one another. Even modest losses of synchronism can result in damage to generation equipment. Under extreme losses of synchronism, the grid may break apart into separate electrical islands; each island would begin to maintain its own frequency, determined by the load/ generation balance within the island.

Short-Term and Long-Term Planning

Reliable power system operation requires far more than monitoring and controlling the system in real-time. Thorough planning, design, maintenance, and analysis are required to ensure that the system can be operated reliably and within safe limits. Operations planning looks at day-ahead, week-ahead, seasonal and up to one year planning horizons. Short-term planning addresses one to five year planning horizons. Long-term planning focus- es on providing adequate generation resources and transmission capacity to ensure that in the future the system will be able to withstand severe contingencies without experiencing widespread, uncontrolled cascading outages.

A utility that serves retail customers must estimate future loads and, in some cases, arrange for adequate sources of supplies and plan adequate transmission or distribution infrastructure. Utilities must identify a range of possible contingencies and set correspond- ing expectations for system performance under several categories of possible events, ranging from every day “probable” events to “extreme” events that may involve substantial loss of customer load or generation in a widespread area. Utilities must also address requirements for voltage support and reactive power, disturbance monitoring, facility ratings, system modeling and data requirements, system protection and control, and system restoration.

System operators must take the steps described above to plan and operate a reliable power system. However, emergencies can still occur because of external factors such as severe weather, operator error, or equipment failures that exceed planning, design, or operating criteria. For these less frequent events, an operating entity maintains emergency procedures that address a credible range of emergency scenarios. System operators must be trained to recognize and take effective action in response to these emergencies. To deal with a system emergency that results in a blackout, such as the one that occurred on August 14, 2003, system operators must have procedures and capabilities to use “black start” generators, which are capable of restarting and synchronizing with no external power source, and to coordinate operations to quickly restore the system to a normal and reliable condition.

Vegetation Management

Vegetation management is critical to any utility company that maintains overhead energized lines because electric power outages can occur when trees, or portions of trees, grow or fall onto overhead electric power lines. While not all vegetation-related outages can be prevented (due to storms, high winds, etc.), some outages can be mitigated or prevented by managing the vegetation before it becomes a problem. Tree contact with a power line causes a fault, which signals the line’s relays to remove the line by interrupting the current flow. Direct physical contact is not necessary for a fault to occur. An electric arc can occur between a part of a tree and a nearby high-voltage conductor if a sufficient distance separating them is not maintained. Arcing distances vary based on such factors such as voltage, ambient temperature, and humidity conditions. Arcs can cause fires as well as faults and line outages. Most utilities have right-of-way and easement agreements allowing the utility to trim vegetation as needed along their lines to provide safe and reliable electric power. Electric utilities enter into easements or agreements with landowners to establish contractual rights regarding what can be pruned or removed in the transmission right-of-way. Transmission easements generally give the utility a great deal of control over the landscape, with rights to do whatever work is required to maintain the lines with adequate clearance through the control of vegetation.

FERC has approved a Reliability Standard on vegetation management, to reduce the risk of outages caused by inadequate tree trimming. This Reliability Standard, however, applies only to high voltage lines, typically 200 kilovolts and higher. Tree trimming for lower voltage lines generally falls under the jurisdiction of state or local authorities.

Coordination and Communication

Operating the electric system continuously at an optimal state requires that numerous entities communicate effectively in real-time to maintain the system balance between generation and load, stay within operating limits, and address issues that may arise.

This communication occurs both through interpersonal channels (telephone, radio, email) and auto- mated data exchange systems (e.g., links between neighboring transmission operators). The principal entities involved in coordination and communication include:

• Reliability coordinator: The entity that is the highest level of authority responsible for the reliable operation of the electric power system; it has a wide-area view, and has the operating tools, processes and procedures, including the authority to prevent or mitigate emergency op- erating situations in both next-day analysis and real-time operations. The Western interconnection and ERCOT interconnection each have one reliability coordinator, while the Eastern interconnection has 11 reliability
• Balancing authority: The entity that is initially responsible for maintaining the balance between generation and load within a “balancing authority area,” which is its defined electric Approximately 105 balancing authorities across the United States collectively make-up the areas where generation and load need to be kept in balance.
• Transmission operator: The entity that is responsible for the reliability of its “local” trans- mission system, and that operates or directs the operations of the transmission While some entities both own and operate transmission assets, others do not. Transmission opera- tors that do not own the transmission facilities have agreements with the owner to coordinate and operate those facilities. Approximately 315 transmission operators are registered with NERC to operate these “local” transmission systems across the United States.
• Generator operator: The entity that operates generating facilities and performs the functions of supplying energy and interconnected operations While some entities both own and operate generation assets, this is not always the case. Generator operators that do not own the generating facilities have agreements with the owner to coordinate and operate those facilities. Approximately 936 generation entities are registered with NERC across the contiguous United States. Many of these entities own more than one generator, and not all generators fall under NERC authority.

• Distribution provider: Provides and operates the “wires” between the transmission system and the end-use For those end-use customers who are served at transmission voltages, the transmission owner also serves as the distribution provider. Thus, the distribution provider is not defined by a specific voltage, but rather as performing the distribution function at any voltage. Approximately 393 entities are registered with NERC for this function across the United States.

The reliability coordinator typically has the highest level of authority, followed by the transmission operator and the balancing authority. These entities must maintain continuous communications with each of the appropriate entities, which also include neighboring entities that are affected by conditions within an operator’s area. Additionally, these entities must have plans to restore communications and establish an alternative communication capability.

Critical Infrastructure Protection

Physical Security

Physical security for the electric power system revolves around the protection of essential assets from physical harm. Different types of facilities present different physical security challenges. Centralized facilities that are normally manned, such as control centers, communication facilities, and corporate offices, present a different physical security challenge than do the decentralized and typically unmanned facilities, such as substations and transmission lines. While the more centralized nature of attend- ed facilities allows more focused and economical security measures, this advantage is balanced against the risks associated with the greater impact to the electric power system by a failure of that facility. As such, these centralized facilities need to use the most stringent security controls. Decentralized facilities, on the other hand, will often rely on automated security controls monitored from a different facility. This presents a different challenge to keep up to date with both automated security control technologies and communication technologies to ensure effective security for such facilities.

Physical security typically comprises at least six distinct concepts:

• Deter – visible physical security measures in- stalled to induce individuals to seek other, less secure targets.
• Detect – physical security measures installed to detect unauthorized intrusion and provide local and/or remote intruder alarms.
• Delay – physical security measures installed to delay an intruder’s access to a physical asset and provide time for incident assessment and response.
• Assess – the process of evaluating the legitimacy of an alarm and the procedural steps required to respond.
• Communicate – communication systems used to send and receive alarm/video signals and voice and data Also, includes the documented process to communicate detected intrusions.
• Respond – the immediate measures taken to assess, interrupt, and/or apprehend an intruder.

Cyber Security

For many years the control systems for utilities and industrial companies have operated in a stand-alone environment without computer or communication links to external information technology infrastructure. More recently, such stand-alone systems have been increasingly connected to both the corporate information technology environment and the external world via the Internet, and the electric power system is no exception to this trend. Computer and communication network interconnection brings with it the potential for cyber-attacks on these systems by adversaries. The problem is particularly important because such an attack can potentially affect several entities across the country simultaneously.

Controlling electronic access is one of the keys to preventing a successful cyber-attack. An adversary that can gain electronic access to a computer system may be able to gain control over that system and use it for his purposes. In today’s environment, many infrastructure control systems have an electronic pathway that leads to the outside world, which can create a potential for access that is vulnerable to exploitation by an adversary.

The potential solution to such cyber threats is a strong cyber security posture by entities that may be vulnerable to such attacks. A major challenge to preserve system protection is that computer and communication system architectures change, technology changes, and threats change, all of which means that defenses must change. Traditionally, threats can change faster than defenses. To meet or minimize these risks, one widely recognized cyber security strategy is “defense in depth.” This strategy involves layering of defense mechanisms in a way that discourages an attack and increases the potential that an entity will be alerted to an attack on it. While other strategies exist, defense in depth is a widely accepted, effective strategy to address cyber threats that is both comprehensive and flexible.

The development of a home security system provides a useful analogy for understanding the defense in depth strategy. For example, a home security system might include the following defenses:

(1) a motion sensor light that goes on whenever some- one gets close to the house,
(2) a video camera that records the approaches to the house,
(3) a door with a deadbolt lock and a chain,
(4) an alarm system that activates if a door or window is opened (along with decals notifying a potential intruder that the system exists), and
(5) a dog inside the house. Several of these items are designed to keep an intruder out, some are designed to activate if an intruder gains access, and some are designed to record the event if it occurs.

Each of these measures provides some degree of protection and, in combination, substantially increases the chances of successfully deterring a burglary.

Cyber defenses work in a similar manner. Some defenses, like firewalls, are designed to keep intruders out. Others, like intrusion detection systems, are designed to activate if someone gains access.

Still others, like audit logs, are designed to inform a computer operator whether another person has gained access. Information sharing, where entities voluntarily share information about attempted or successful access attempts with each other, is also a valuable security control. The combination of all of these technologies, and how they are combined and implemented, determines whether computer securi- ty personnel have effectively protected cyber assets.

Whereas grid operations usually involve readily measured quantities and activities, cyber security involves a careful balance of the technologies avail- able with the existing control equipment and the functions they perform. Compared to general grid operations, cyber security is in many ways as much, or even more, a matter of subjectively balancing physical and technical options rather than a purely objective task of achieving a single, steady, physical state. The task of balancing technical options for cybersecurity comes into play as one selects and combines various available technologies into a comprehensive architecture to protect the specific computer environment.

Major Blackouts and Responses

System failures, particularly when compounded with multiple problems, can result in cascading blackouts across multiple operating systems. System planners study such cascading disturbances and draw lessons from them to prepare their systems and avoid these problems in the future. Below is a description of some of the most severe cascading blackouts experienced in North America.

November 9, 1965: Northeast Blackout

On November 9, 1965, a blackout occurred in the northeastern United States and southeastern Ontario, Canada that affected 30 million people and interrupted more than 20,000 MW of electrical load for up to thirteen hours. This event is often referred to as “the Great Northeast Blackout,” mainly because this was one of the most significant blackout events of the time and affected major population centers such as New York City, Boston, and Toronto, as well as smaller or rural areas. Virtually all of New York, Connecticut, Massachusetts, Rhode Island, small segments of northern Pennsylvania and northeastern New Jersey, and substantial areas of Ontario, Canada, were affected.

The blackout was caused by the tripping of a 230 kV transmission line near Ontario, Canada, which caused several other heavily loaded lines also to fail. An initial protective relay tripped (due to incorrect settings) when a transmission line was overloaded. This also caused several other relays to operate on other transmission lines, which resulted in a power surge that overwhelmed the transmission system in western New York. Several generators also tripped off-line according to design because they were unable to transmit their power due to the overload- ed transmission lines. The resulting power swings caused a cascading outage that blacked out much of the Northeast.

Subsequent blackouts

Several other notable blackouts occurred through the years, but the November 1965 outage is significant due to the geographic size of the outages and underlying mechanical or human failures, rather than weather related causes. The July 13, 1977 New York City blackout occurred when two 345-kV lines on a common tower in Northern Westchester County, New York were struck by lightning and tripped out. With the loss of power imports ordinarily carried by these lines, generation in New York City was not sufficient to serve the load in the city, leading to load loss. The event affected nine million people, with 6,000 MW of load lost. Outages lasted for up to 26 hours.

A West Coast blackout occurred on December 22, 1982. This disturbance began when high winds caused the failure of a 500-kV transmission tower. This ultimately resulted in the loss of 12,350 MW of load and affected over 5 million people in the West.

On July 2-3, 1996, a 345-kV transmission line in Idaho sagged into a tree and tripped on July 2. A protective relay on a parallel transmission line detected the same fault and incorrectly tripped a second line. Similar conditions and initiating factors were present on July 3; however, as voltage began to collapse in the Boise, Idaho area, the operator dis- connected customers to maintain system integrity.

This event resulted in the loss of 11,850 MW of load and affected 2 million people in 14 states; Alberta and British Columbia in Canada; and Baja California Norte in Mexico. Outages lasted from a few minutes to several hours.

Another western interconnection blackout followed on August 10, 1996 when the transmission system from Canada south into California was heavily loaded with north-to-south power transfers. These flows were due to high Southwest demand caused by hot weather, leading to transmission lines sagging into untrimmed trees, causing the system to trip out. This resulted in the loss of over 28,000 MW of load and affected 7.5 million people in many of the same 14 states as the previous month’s event; Alberta and British Columbia in Canada; and Baja California Norte in Mexico. Outages lasted from a few minutes to as long as nine hours.

August 14, 2003: Midwest and Northeast US-Canadian Blackout

On August 14, 2003, the North American power grid experienced its largest blackout ever, impacting large portions of the Midwest and Northeast United States and Ontario, Canada. The outage affected an estimated 50 million people and 61,800 MW of electric load was lost in the states of Ohio, Michigan, Pennsylvania, New York, Vermont, Massachusetts, Connecticut, New Jersey and the Canadian province of Ontario. Although utilities successfully restored power to most customers within hours, some areas in the United States did not have power restored for several days. Parts of Ontario suffered rolling blackouts for up to two weeks before full power was restored. Estimates of total costs in the United States ranged between $4 billion and $10 billion; in Canada, gross domestic product was down 0.7 percent in August, there was a net loss of 18.9 million work hours, and manufacturing shipments in Ontario were down C$ 2.3 billion.

A combination of human error and equipment failures caused the August 14, 2003 blackout. A generating plant near Cleveland, Ohio tripped offline amid high heat and high electrical demand. The hot day also caused power lines to sag as power losses due to higher currents heated the lines. A transmission line in northern Ohio sagged into overgrown trees and tripped. Three other transmission lines sagged into trees and switched off, forcing other power lines to shoulder the extra burden. Normally, the problem would have activated an alarm in the control room but the alarm system failed. As designed, the power was diverted to other transmission lines, but they were not able to handle the increase. This, in turn, activated these lines’ relays which tripped lines and again diverted greater amounts of power to other transmission lines. For the next hour and a half, system operators tried to understand what was happening as load was shifting and transmission lines were overloading. Once the multiple line trips occurred, multiple generators also tripped out to prevent dam- age. The failures cascaded throughout southeastern Canada and eight northeastern states.

As with previous cross-border blackouts, the United States and Canadian governments conducted a joint-review into the events that occurred. A U.S. – Canadian Power System Outage Task Force, including personnel from FERC, carefully investigated the causes of the blackout and issued a detailed report that made recommendations on ways to reduce the possibility of recurrence.

The causes of the outages and the cascading significant load drops were many, but were summarized as the “3 Ts” – trees, tools and training. Overgrown trees had contacted multiple high-voltage transmission lines, tripping them out of service and thus increasing the load on the remaining lines that caused further sagging on additional lines, resulting in even more lines tripping. The system operators in the Midwest region at the time did not have the tools to make them aware of this chain of events, allowing the reliability problem to cascade further. The cascade continued onward as system operators did not have timely awareness of the events taking place. When they did begin to recognize the trouble, the system operators did not have adequate training on how to respond to the emergency conditions.

The report included 46 recommendations for the industry and entities to undertake, including that “the U.S. Congress should enact the reliability provisions…to make compliance with Reliability Standards mandatory and enforceable. If that could be done, many of the other recommended actions identified in the report could be accomplished readily in the course of implementing the legislation.”

Chapter: 4 NERC – From a Voluntary Council to Electric Reliability Organization with Mandatory Reliability Standards

Following the 1965 Northeast Blackout, the National Electric Reliability Council (the predecessor organization to the North American Electric Reliability Corporation and also referred to as NERC) was established to provide a means for coordinating among interconnected utilities to ensure that the interconnected transmission network in the United States was reliable, adequate and secure. Additional- ly, regional reliability organizations were formalized under NERC, as well as regional planning coordination guides, which NERC maintained. The utilities maintained and practiced voluntary operating criteria and guides. NERC successfully operated for numerous years as a voluntary organization, rely- ing on reciprocity, peer alignment, and the mutual self-interest of all involved to ensure the voluntary compliance with reliability requirements.

By 1981, NERC had expanded to include the inter- connected electric systems in Canada and its name was changed to the North American Electric Reliability Council to more accurately reflect the broader scope of NERC’s membership. As the electric industry evolved, the regional councils broadened their membership to include all segments of the electric industry: investor-owned utilities; federal power agencies; rural electric cooperatives; state, municipal and provincial utilities; independent power producers; power marketers; and end-use customers. Collectively, the members in the NERC regions account for virtually all the electricity supplied in the contiguous United States, Canada, and a portion of Baja California Norte, Mexico.

After the 2003 blackout, NERC’s role and responsibilities changed. Congress added section 215 to the FPA in 2005, which authorized the development of mandatory Reliability Standards by an independent electric reliability organization.

FERC established rules and regulations governing the formation and certification of an electric reliability organization in accordance with the reliability provisions of the newly enacted legislation. In April 2006, NERC filed an application with FERC for certification as the electric reliability organization. NERC also submitted 107 Reliability Standards to FERC for approval. The 107 proposed Reliability Standards were largely the existing voluntary proto- cols and guidelines repackaged to be the mandatory and enforceable Reliability Standards under the new statute. Concurrently with its FERC application, NERC made filings seeking comparable recognition from government authorities in Canada, including the provinces of British Columbia, Alberta, Saskatchewan, Manitoba, Ontario, Quebec, New Brunswick, and Nova Scotia, and the National En- ergy Board. Today, NERC is recognized as an electric reliability standards-setting organization in its role as the North American ERO.

FERC certified NERC as the electric reliability organization in July 2006 and, at the start of 2007, NERC reorganized as a corporation: the North American Electric Reliability Corporation. In March 2007, FERC approved 83 of NERC’s proposed 107 Reli- ability Standards, which were the first set of legally enforceable mandatory standards for the U.S. bulk power system, to become effective June 2007. For the remaining 24 proposed standards, FERC deter- mined that NERC must submit additional information. However, FERC held that NERC and the utilities should voluntarily comply with NERC’s non-approved standards as good utility practice while FERC continued to evaluate them.

FERC also approved delegation agreements by which NERC delegates its authority to monitor and enforce compliance with NERC Reliability Standards to the eight regional entities, with NERC continuing in an oversight role. Under NERC’s oversight, the regional entities perform certain aspects of the electric reliability organization functions through these delegation agreements. The delegation agreements with each regional entity address, among other things:

• Development of regional Reliability Standards
• Monitoring compliance with and enforcing mandatory Reliability Standards (both North American wide and regional), certification of registered entities, and registration of owners, operators and users of the bulk power system
• Reliability assessment and performance analysis
• Training and education
• Event analysis and reliability improvement
• Situation awareness and infrastructure security

Today, NERC is a not-for-profit international entity whose mission is to assure the reliability of the bulk power system in North America. NERC develops and enforces Reliability Standards; annually assesses seasonal and long-term reliability; monitors the bulk power system through system awareness; and educates, trains, and certifies industry personnel. NERC’s activities cover the users, owners, and operators of the bulk power system, which serves more than 334 million people. NERC-developed Reliability Standards apply in whole or part to more than 1,400 bulk power system users, owners and operators.

NERC and the eight regional entities are often referred to as the ERO Enterprise, which collectively brings together the leadership, experience, judgment, skills, and supporting technologies of NERC and the regional entities to fulfill the electric reliability organization’s statutory obligations to assure the reliability of the bulk power system.

Chapter: 5 The Energy Policy Act of 2005

FPA Section 215

Purpose and Scope 

Following the August 2003 blackout, Congress enacted the Energy Policy Act of 2005 (EPAct 2005), which President George W. Bush signed into law on August 8, 2005. Title XII of EPAct 2005 added a new section 215 to the FPA, titled “Electric Reliability.” Section 215 of the FPA does not prohibit or otherwise “outlaw” blackouts. Instead it authorizes FERC to certify an entity to operate as an in- dependent electric reliability organization to develop and enforce mandatory Reliability Standards that “provide for reliable opera- tion of the bulk power system,” subject to FERC oversight. More- over, the statute does not pertain to outages on the distribution system that may occur, for example, when a tree falls on a local distribution wire. Rather, section 215 of the FPA makes clear that the Reliability Standards are to address the reliable operation of the bulk power system so that “instability, uncontrolled separation, or cascading failures” will not occur as a result of a sudden disturbance. This mandatory approach replaces the electric industry’s voluntary protocols and guidelines for operating and planning the bulk power system that had been in place since the 1960s.

The statute contemplates an electric reliability organization that lever- ages the expertise of the industry in developing Reliability Standards. EPAct 2005 requires that the electric reliability organization have an independent governing board, without financial ties to the users, owners and operators of the bulk power system. At the same time, the electric reliability organization must have rules that provide for fair stakeholder representation in the selection of its directors, and there must be bal- anced decision-making in the electric reliability organization’s commit- tees. The electric reliability organization must provide “reasonable notice and opportunity for public comment, due process, openness, and balance of interests” in devel- oping Reliability Standards and otherwise exercising its duties.

The electric reliability organization develops and enforces Reliability Standards that provide for an “adequate level of reliability” of the interconnected transmission network.

FERC only approves Reliability Standards that are applicable to registered entities in the contiguous United States. Governmental organizations outside of the United States, but in North America, can also approve NERC’s standards for applicability in their respective countries. Under section 215 of the FPA, NERC develops the Reliability Standards, not FERC. Once NERC develops a Reliability Standard, FERC may approve the standard or remand the standard to NERC. FERC also has authority to direct NERC to develop a new or modified Reliability Standard that addresses a specific reliability matter. FERC does not have the authority to write a Reliability Standard.

FERC must approve a Reliability Standard before it may be enforced in the United States. An approved Reliability Standard may be enforced by NERC, and NERC’s enforcement of a Reliability Standard is subject to FERC’s review. FERC also may initiate a compliance action – including imposition of a penalty – independent of NERC.

In enacting section 215 of the FPA Congress did not “outlaw” blackouts; nor can FERC. Under section 215, the threshold for FERC approving one of NERC’s proposed Reliability Standards is if it is “just, reasonable, not unduly discriminatory or preferential, and in the public interest.” Moreover, section 215 requires FERC to “give due weight to the technical expertise of the Electric Reliability Organization with respect to the content of a proposed [Reliability Standard]………………………… ”

Definitions of Key Terms

 In enacting EPAct 2005, Congress added a number of new terms to the FPA. Of particular note are the definitions in section 215(a) of “bulk power system,” “reliability standard” and “reliable operation.”

“Bulk power system” means the facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof) and electric energy from generation facilities needed to maintain transmission system reliability. The term does not include facilities used in the local distribution of electric energy.

“Reliability Standard” means a requirement approved by FERC to provide for reliable operation of the bulk power system. The term includes requirements for the operation of existing bulk power system facilities and the design of planned additions or modifications to such facilities to the extent necessary to provide for reliable operation of the bulk power system, but the term does not include any requirement to enlarge such facilities or to construct new transmission capacity or generation capacity. The term also includes standards for cybersecurity protection.

“Reliable operation” means operating the elements of the bulk power system within equipment and electric system thermal, voltage, and stability limits so that instability, uncontrolled separation, or cascading failures of such system will not occur as a result of a sudden disturbance, including a cyberse- curity incident, or unanticipated failure of system elements.

Jurisdiction

The authority Congress gave FERC under section 215 of the FPA pertains to the bulk power system. As mentioned above, facilities used in the local distribution of electric energy are not included in the bulk power system. The statute also provides in section 215(i) that “Nothing in [section 215] shall be construed to preempt any authority of any State to take action to ensure the safety, adequacy, and reliability of electric service within that state,” as long as such action is not inconsistent with any Reliability Standard. Upon application by the electric reliability organization or another affected party, FERC has authority to determine whether a state action is inconsistent with a Reliability Standard and may stay the state action pending the determination.

Section 215(b) of the FPA also identifies the persons/ entities that are subject to FERC jurisdiction for purposes of bulk power system reliability. In particular, FERC has jurisdiction in the U.S. over the electric reliability organization and “regional entities” that receive delegated enforcement authority from the electric reliability organization (discussed later).

FERC also has jurisdiction over all owners, opera- tors, and users of the bulk power system, including state and municipal utilities, rural electric cooperatives, and federal entities, “for purposes of approving reliability standards … and enforcing compliance with [section 215 of the FPA].” All users, owners and operators of the bulk power system must comply with the mandatory Reliability Standards developed by the electric reliability organization and approved by FERC. Section 215 of the FPA does not apply to Alaska or Hawaii.

Electric Reliability Organization Certification

Section 215(c) of the FPA authorizes FERC to certify one entity as the electric reliability organization, which is responsible for the development and enforcement of mandatory Reliability Standards.

The statute sets forth the following criteria that any entity certified as the electric reliability organization must satisfy:

• The electric reliability organization must have the ability to develop and enforce Reliability Standards that provide for an adequate level of reliability of the bulk power system; and
• The electric reliability organization must have rules that provide for:
  • Independent governance: The electric reliability organization must be independent of owners, operators, and users of the bulk power system, while assuring fair stakeholder representation in selection of electric re- liability organization directors and balanced decision making in any electric reliability organization committee or subordinate organizational structure;
  • Dues and fees: The electric reliability organization must have rules to allocate equita- bly reasonable dues, fees, and other charges among end users for all activities under section 215 of the FPA;
  • Reliability Standards: The electric reliability organization must provide reasonable notice and opportunity for public comment, due process, openness, and balance of inter- ests in developing Reliability Standards and exercising other duties under the statute;
  • Enforcement: The electric reliability organization must provide fair and impartial procedures for enforcement of Reliability Standards; and
  • International recognition: After certification, the electric reliability organization will take appropriate steps to gain recognition in Mexico and Canada.

The electric reliability organization operates under organization rules, which are subject to FERC review. The electric reliability organization must submit proposed revisions to its rules to FERC for approval before they may take effect. FERC may propose a change to an electric reliability organization rule, which takes effect after notice and opportunity for public comment, and a finding by FERC that the change is “just, reasonable, not unduly discriminatory or preferential, [and] is in the public interest.”

The statute does not set a temporal limit on the electric reliability organization certification. Periodic “re-certification” is not required. However, pursuant to FERC regulation, the electric reliability organization must submit a periodic performance assessment (discussed later) to demonstrate that the electric reliability organization continues to satisfy the certification criteria on an ongoing basis. Further, FERC has stated that it may remove the electric reliability organization designation for cause “as a last resort after all other attempts to resolve a significant compliance matter have failed.”

Regional Entities

 Section 215(e)(4) of the FPA requires that FERC issue regulations authorizing the electric reliability orga- nization to enter into an agreement to delegate au- thority to a qualified regional entity for the purpose of proposing Reliability Standards to the electric reliability organization and enforcing them. (As dis- cussed later, FERC promulgated such regulations in Order No. 672, issued in 2006.) The regional entity must meet the same statutory criteria as the electric reliability organization (discussed above), except that the statute allows more flexibility for regional entity governance structure. While the electric reliability organization must have an independent board, a regional entity may have an independent board, a balanced stakeholder board or a combina- tion balanced stakeholder and independent board.

In addition, a delegation agreement must promote “effective and efficient administration of bulk power system reliability.” No delegation agreement may take effect until approved by FERC. By statute, the electric reliability organization and FERC must rebuttably presume that a proposal for a delegation agreement with a regional entity organized on an interconnection-wide basis promotes effective and efficient administration of bulk power system reli- ability and should be approved.

Reliability Standards Development and Approval

Section 215(d) of the FPA provides the process for the electric reliability organization to propose a Reliability Standard, subject to FERC review and approval. The electric reliability organization must file with FERC each Reliability Standard that it proposes to make effective and enforceable in the U.S. The statute provides that FERC may act on a proposed Reliability Standard “by rule or order,” meaning that FERC can address a standard by either initiating a rulemaking proceeding or by an adjudicatory order. Under either approach, FERC provides public notice and opportunity for comment when addressing a proposed standard.

The statute requires FERC to give “due weight” to the technical expertise of the electric reliability orga- nization or any regional entity organized on an interconnection-wide basis with respect to the content of a standard it proposes. Further, section 215(d) of the FPA provides that FERC is not to defer as to the effect of a standard on competition. If FERC disapproves a Reliability Standard, it cannot uni- laterally modify the Reliability Standard but must remand it to the electric reliability organization for further consideration. However, FERC may direct the electric reliability organization to submit a new or modified standard to address a specific reliability matter that FERC deems appropriate to carry out section 215 of the FPA.

Enforcement

Section 215(e) of the FPA authorizes the electric reliability organization, after notice and opportunity for hearing, to impose a penalty for a violation of a Reliability Standard, subject to review by FERC. Pursuant to the statute, the electric reliability organization may impose a penalty on an owner, operator, or user of the bulk power system if, after notice and an opportunity for a hearing, the electric reliability organization finds that the owner, operator, or user violated a Reliability Standard. A penalty must “bear a reasonable relation to the seriousness of the violation” and must take into account the efforts by the owner, operator, or user to remedy the violation in a timely manner (section 215(e)(6)).

The electric reliability organization must file notice and the record of the penalty proceeding with FERC. The alleged violator, or FERC on its own motion, has up to 30 days from the date of the filing to seek review of the penalty. If no timely review is initiated, the penalty may not take effect earlier than the 31st day after the electric reliability organization files the notice with FERC. Upon review, FERC may affirm, modify, or set aside the penalty.

In addition to reviewing penalties imposed by the electric reliability organization, FERC has inde- pendent authority to initiate a compliance action and may assess a penalty for violation of a Reliability Standard, separate from the electric reliability organization or a regional entity. Further, FERC may order compliance with a Reliability Standard and impose a penalty on an owner, operator, or user of the bulk power system if it finds that the owner, operator, or user has engaged in, or is about to engage in, activity that violates a Reliability Standard. As discussed later, in practice, FERC and the electric reliability organization have conducted joint investi- gations of significant bulk power system events.

FERC may also take appropriate action against the electric reliability organization or a regional entity with delegated enforcement authority to ensure compliance with a Reliability Standard or any FERC order regarding the electric reliability organization or the regional entity.

Reliability Reports

 Section 215(g) of the FPA requires that the electric reliability organization conduct periodic assessments of the reliability and adequacy of the bulk power system. While the electric reliability organization reports assess resource adequacy, FPA section 215(i) states that the electric reliability organization does not have the authority to set or enforce mandatory standards for adequacy or safety of electric facilities or services. The statute also makes clear that the electric reliability organization and FERC do not have the authority to require the construction of generation or transmission assets.

Regional Advisory Bodies

The statute allows for the establishment of one or more “regional advisory bodies,” for the purpose of providing advice to the electric reliability organization, a regional entity, or FERC regarding regional entity governance; whether a proposed Reliability Standard meets the statutory criteria for approval; the reasonableness of regional entity fees; and other responsibilities that FERC requests. FERC may defer to advice from a regional advisory body if it is organized on an interconnection-wide basis.

Section 215(j) of the FPA requires FERC to establish a regional advisory body upon petition of at least two-thirds of the states within a region that have more than one-half of their electric load served with- in the region. Each state participating in the adviso- ry body is to have one representative appointed by the governor. A regional advisory body may include representatives of agencies, states, and provinces outside the U.S.

To date, one regional advisory body has been established, the Western Interconnection Regional Advisory Body (WIRAB), which is organized on an interconnection-wide basis.

Chapter: 6 FERC Implementation of FPA Section 215

Certification of the Electric Reliability Organization and Procedures for the Establishment, Approval, and Enforcement of Reliability Standards 

In February 2006, FERC issued Order No. 672, in which FERC promulgated new Part 39 of its regulations to implement section 215 of the FPA, as required by EPAct 2005. The regulations address electric reliability organization certification, Reliability Standard development and enforcement, and NERC’s periodic reports and assessments.

Electric Reliability Organization Periodic Assessment 

To ensure that the electric reliability organization complies with the certification criteria on an on- going basis, FERC required the electric reliability organization to undergo a performance assessment three years after certification and every five years thereafter.

Specifically, in such an assessment, the Commission’s regulations require: (1) the electric reliability organization’s explanation of how it satisfies FERC’s regulations for maintaining an adequate level of reliability; (2) recommendations by regional entities, users, owners, and operators of the bulk power system, and other interested parties for improvement of the electric reliability organization’s operations, activities, oversight and procedures, and the electric reliability organization’s response to such recommendations; and (3) the electric reliability organization’s evaluation of the effectiveness of each regional entity, recommendations by the electric reliability organization, users, owners, and operators of the bulk power system, and other interested parties for improvement of the regional entity’s performance of delegated functions, and the regional entity’s response to such evaluation and recommendations. FERC may require the electric reliability organization to take follow-up actions to establish compliance with the statutory and regulatory qualifications for the electric reliability organization.

Electric Reliability Organization Funding 

FERC’s regulations specify procedures for funding the electric reliability organization in the United States. NERC’s annual business plan and budget for its U.S. operations are subject to FERC approval. NERC’s annual funding is provided through assess- ments to load-serving entities. These assessments are allocated on a net-energy-for-load basis.2 This means that NERC allocates costs based on those who benefit from a reliable bulk power system: the end users. NERC allocates its operating costs and those of the regional entities to “load-serving entities”- those owners, operators and users of the bulk power system responsible for delivering electricity to retail customers – based on how much net energy they need to meet their users’ energy requirements. Funds are then collected from these load-serving entities.

The regional entities’ funding requirements are addressed separately in their respective business plans and budgets, which also must be reviewed and approved by NERC and FERC. Regional entity as- sessments are also based on net-energy-for-load and billed to the load-serving entities within the regional entity’s geographical region or “footprint.”

NERC’s budget is based on a calendar year. Each August, NERC submits to FERC a combined filing consisting of NERC’s business plan and budget, as well as the business plan and budget for each of the eight regional entities. FERC addresses the business plan and budget filing enough in advance of the next calendar year to allow NERC and the regional entities to send out timely assessment notices to load-serving entities.

Certification of NERC as the Electric Reliability Organization

On July 20, 2006, FERC certified NERC as the electric reliability organization for the contiguous United States under section 215(c) of the FPA. FERC found that NERC satisfied the criteria to be the electric reliability organization responsible for developing and enforcing mandatory Reliability Standards for the United States. Further, FERC directed NERC to provide additional information and make specific revisions to its rules of procedure, bylaws, enforce- ment hearing procedures, and sanctions guidelines, which NERC filed in a series of subsequent compliance filings.

Governance: NERC is governed by an independent board of trustees, which has responsibility for approving Reliability Standards, electing and appointing officers, appointing committees, handling budgetary and financial matters, and overseeing all electric reliability organization programs. NERC’s bylaws require that the board include proportional representation from Canada and, when appropriate, Mexico. Membership in NERC is voluntary, free, and open to persons and entities with an interest in the reliable operation of the bulk power system. Each member is assigned to one of twelve member- ship sectors, which elect the representatives to the member representatives committee. The member representatives committee elects the board, votes on amendments to the bylaws, and provides advice to the board with respect to the budgets, business plans, funding mechanisms, proposed Reliability Standards, and other matters related to NERC’s operations.

Reliability Standard Development: Section 215(c) of the FPA requires NERC to have the ability to develop Reliability Standards that provide for an “ad- equate level of reliability of the bulk power system.” A more detailed description of the standards development process is below.

Enforcement: NERC’s compliance and enforcement tools include compliance audits, investigations, spot checks and other procedures for the identification, mitigation and assessment of penalties for non-compliance. NERC oversees the regional entities’ enforcement programs and appeals processes. NERC also has guidelines that set out factors NERC or a regional entity should consider to determine the appropriate penalty for a violation of a Reliability Standard.

Each Reliability Standard identifies the catego- ries of entities (such as balancing authorities and transmission operators) that must comply with the standard. To determine which entities are users, owners, or operators of the bulk power system that are required to comply with Reliability Standards, NERC has developed a “compliance registry,” which lists all of the registered users, owners and operators of the interconnected transmission network and the categories they are in. The registry is posted on the NERC website and updated monthly. NERC developed a “statement of compliance registry criteria” that delineates the selection criteria employed by NERC and the regional entities to determine which organizations should be registered as owners, operators, or users of the interconnected transmission network and the categories for which they should be registered and therefore included on the compliance registry. Details of the registry criteria are discussed in Section IV.

NERC Regional Entity Delegation: Under FPA section 215 authority, FERC developed regulations regarding the process for NERC to delegate author- ity to propose and enforce NERC Reliability Stan- dards to regional entities. NERC developed a pro forma delegation agreement that contains standard language that is included in each individual dele- gation agreement unless specifically amended for a particular regional entity. The pro forma agreement incorporates customized exhibits, which address such matters as regional entity Reliability Standard development procedures and regional enforcement program requirements.

Regional entities may not amend their regional entity rules without NERC and FERC approval. However, NERC may issue directives developed through a collaborative process, guidance, or directions to the regional entity regarding how it performs its delegated duties.

Activities that the electric reliability organization may delegate to a regional entity include, but are not limited to:

• Certification of bulk power system entities in accordance with the NERC rules of procedure.
• Registration of owners, operators, and users of the interconnected transmission network as responsible for compliance with requirements of Reliability Standards.
• Development of reliability assessments and performance analysis to ensure that data and information are collected, analyzed, provided to NERC in support of reliability assessments, and used for performance metrics and risk assessments.
• Conducting and coordination of event analysis with NERC and dissemination of lessons learned to the electric industry.
• Providing training and education to registered entities.
• Gathering and assessing situational awareness information provided by registered entities, and assisting NERC in monitoring current conditions and responding to events on the bulk power system.
• Collaboration with NERC to promote critical infrastructure protection of the bulk power system.

A delegation is effective only after FERC approves the delegation agreement. In April 2007, NERC entered into a separate delegation agreement with each of the eight regional entities. The most recently-filed delegation agreements provide for a five-year term ending on December 31, 2020. These agreements are subject to FERC re-evaluation and re-approval following the term. Currently, NERC has delegated authority to the following: Florida Reliability Coordinating Council (FRCC), Midwest Reliability Organization (MRO), Northeast Power Coordinating Council (NPCC), Reliability First Corporation (RFC), SERC Reliability Corporation (SERC), Southwest Power Pool RE (SPP), Texas Reliability Entity (TRE), and Western Electricity Coordinating Council (WECC).

FERC Oversight

FERC does not control or operate the electric grid. Rather, under section 215 Congress gave FERC a role over certification of the electric reliability organization and in the development and enforcement of Re- liability Standards. This role is conducted through oversight of the electric reliability organization and regional entities primarily by FERC’s Office of Elec- tric Reliability and the Office of Enforcement. In ad- dition, the Office of Energy Infrastructure Security helps identify, communicate and seek collaborative solutions to potential risks to the bulk power system from cyber attacks and physical threats.

Office of Electric Reliability

The Office of Electric Reliability helps FERC oversee NERC, the regional entities and their various activities. The Office of Electric Reliability is orga- nized into three divisions (Division of Engineering, Planning and Operations; Division of Compliance; and Division of Reliability Standards and Security) but the work between divisions overlaps and is often completed in cross-divisional teams with assigned leadership.

Reliability Standards: The Office of Electric Re- liability helps FERC oversee the development and review of Reliability Standards and helps ensure compliance with these standards by the users, owners, and operators of the bulk power system.

The Office of Electric Reliability monitors NERC’s Reliability Standard development. Office of Electric Reliability staff participate in NERC’s development process as “observers” and do not actively engage in drafting the language of a new or revised Reliability Standard. This regulatory staff also keeps channels of communication open with NERC, NERC standard drafting teams, and the regional entities with regard to any observations concerning the substance or clarity of a draft standard. Likewise, NERC apprises FERC staff regarding the timing and content of a draft Reliability Standard. These informal communications ensure that all are aware of the progress of a draft standard and that FERC staff concerns are considered in the drafting process, regardless of the ultimate outcome.

Once the drafting process is complete and a proposed Reliability Standard is approved by the NERC board, NERC submits the standard to FERC for approval.

Public notice and opportunity for comment is provided, and the Office of Electric Reliability reviews the proposed standard and comments provided in the proceeding. The staff then advises FERC Com- missioners on the proposed standard. FERC also has the authority to direct the electric reliability organization to develop a new or revised Reliability Stan- dard to address a specific matter, which may include a reliability risk to the bulk power system. NERC also issues interpretations of Reliability Standards language, which FERC also reviews.

Cyber Security: The Office of Electric Reliability oversees the electric reliability organization’s Critical Infrastructure Protection Reliability Standards and supporting activities. In addition, staff tracks and evaluates cyber incidents, participates in inter-agency activities, and monitors vendor activities dealing with security-related products.

Compliance: The Office of Electric Reliability also monitors and tracks the compliance of all registered entities with the approved Reliability Standards and works with the Office of Enforcement to investigate and resolve alleged violations of the standards. This activity includes monitoring mitigation plans and Notices of Penalty. The Office of Electric Reliability performs incident and alleged violation analyses and/or investigations following bulk power system incidents, in partnership with the Office of Enforcement, as appropriate. Gaps in standards may be identified through these compliance monitoring activities. The office also evaluates appeals of NERC’s registration decisions.

Event Analysis: The Office of Electric Reliability analyzes and monitors issues concerning the performance of the nation’s bulk power system, includ- ing real-time event reports, planning studies and longer-term assessments of resource adequacy and reliability. This work centers on providing technical support to FERC leadership as part of reviewing reliability-related filings with a focus on evaluating relevant engineering subject materials. These efforts also oversee and track the electric reliability organization’s performance metrics for its effectiveness.

Other Activities: In support of the agency’s broader mission, the Office of Electric Reliability actively supports the rates divisions of the Office of Energy Market Regulation, making certain that reliability-related cost recovery filings are evaluated for their engineering aspects and assessing potential impacts to the bulk power system. The office works with other FERC offices and external groups to evaluate issues that may impact bulk power system reliability and cost recovery options for potential solutions.

The Office of Electric Reliability can lead or join in periodic and unscheduled reviews and audits of the electric reliability organization, regional entities, and users, owners, and operators of the bulk power system to determine the effectiveness of their programs and their compliance with NERC’s Reliability Standards. The office also leads or joins in the analysis and any investigations concerning major blackouts on the bulk power system. During these reviews, the office considers whether addition- al or revised Reliability Standards are warranted to prevent the occurrence of the unwanted behavior or detrimental impacts to the bulk power system, or if other additional avenues to address the concerns might be appropriate.

The Office of Electric Reliability, in conjunction with the Office of General Counsel and Office of Enforcement, participate in the Trilateral Electric Reliability Oversight Group meetings, together with representatives of Canadian Federal and Provincial regulators, and Mexican government officials. Recognizing the need for a continent-wide coordinated framework for of the interconnected bulk power system, the Trilateral Group meets to discuss electric reliability matters of mutual interest.

The office will, when appropriate, suggest or direct long-term strategic research programs to identify emerging reliability and security issues and examine their implications for bulk power system planning, operations and FERC regulations.

Office of Energy Market Regulation 

FERC’s Office of Energy Market Regulation is responsible for reviewing electric reliability organization rules of procedure, bylaws, budgets, and business plans. It is also the lead office in reviewing the delegation agreements and NERC’s five-year electric reliability organization performance assessments.

Office of Enforcement 

Following EPAct 2005, FERC reorganized its enforcement activities to establish an Office of Enforcement (Enforcement) and included compliance with Re- liability Standards in its scope of activities. This office’s mission is to protect consumers through mar- ket oversight and surveillance; ensuring compliance with tariffs, rules, regulations, and orders; detecting, auditing, and investigating potential violations; and crafting appropriate sanctions for violations, including civil penalties and other measures.

Enforcement and the Office of Electric Reliability review events and incidents that occur on the bulk power system for possible Reliability Standard violations. Enforcement conducts joint or independent investigations of possible violations of the Reliability Standards, and conducts or participates in scheduled or unscheduled audits relating to compliance with the Standards. Any penalty proposed by Enforcement must be approved by FERC.

Enforcement Guidance

Enforcement’s activities are informed by FERC’s 2005 and 2008 Policy Statements on Enforcement. They are intended to place jurisdictional entities on notice of the consequences of violating the statutes, orders, rules, and regulations that FERC enforces. FERC subsequently crafted, with the input of public commenters, more detailed policy statements, rules, and orders to describe Enforcement’s policies and procedures.

Since EPAct 2005, FERC has held conferences and workshops on enforcement policy topics; initiated annual reports on Enforcement’s activities; and issued many settlement orders and show cause orders that further explain and define its approach to performing the enforcement role strengthened in EPAct 2005.

EPAct 2005 provides that persons and organizations that violate a Reliability Standard are subject to civil penalties of up to $1 million per day per violation, helping to ensure reliability of the nation’s bulk power system.

In 2010, FERC issued the Penalty Guidelines to provide greater fairness, transparency, and consistency in civil penalty determinations pursuant to EPAct 2005. The Penalty Guidelines use objective characteristics and a uniform set of factors weighted similarly for similar violations and similar violators. In determining a penalty under the Penalty Guide- lines, FERC considers the nature and seriousness of a violation and the violator’s efforts to remedy the violation in a timely manner. The Penalty Guidelines include a specific section relating to penalties for Re- liability Standard violations. In general, the Penalty Guidelines reduce possible penalties when a violator promptly self-reports its violation or implements an effective program to prevent and detect violations.

The Penalty Guidelines do not foreclose Enforcement staff’s ability to exercise discretion to close investigations or reviews of self-reports without sanctions, if appropriate, such as when insufficient evidence of a violation exists. Moreover, staff may close an investigation or review of a self-report with- out sanctions for violations that are relatively minor in nature and that result in little or no potential or actual harm.

Reliability Standard Violations 

Pursuant to the delegation agreements, NERC’s regional entities are the primary enforcers of the Reliability Standards, and NERC coordinates and reviews the regional entities’ compliance and enforcement activities. These activities may culminate in NERC’s filing with FERC of notices of penalty.

Over time, NERC has developed different “tracks” or processes for addressing non-compliance matters based in large part on the seriousness of risk posed by the non-compliance. For non-compliance matters that pose a greater risk to reliability, NERC or the regional entity will utilize a process that allows for more scrutiny. NERC provides transparency in the disposition of compliance matters, as they are posted on the NERC website and/or submitted in public filings with FERC.

In addition to these efforts by regional entities and the electric reliability organization, in a limited number of circumstances, FERC staff conducts its own analysis of occurrences on the bulk power system that may implicate Reliability Standards violations. FERC staff may conduct inquiries following serious system events, for example. FERC staff conducted three such inquiries in 2011, in conjunction with staff of NERC and regional entities. FERC staff also monitors potential violations of Reliability Standards based upon information that it collects or that regional entities report to NERC under the electric reliability organization Compliance Monitoring and Enforcement Program.

As a result, in some circumstances, FERC staff itself reviews potential violations. Included in these circumstances were the most significant system disturbance events since 2005 – the March 2008 Florida Blackout and the September 2011 Southwest Outage.

March 2008 Florida Blackout: The 2008 event was caused by a fault at a substation on the Florida Power & Light Co. (FPL) system in west Miami that rapidly cascaded, disabling dozens of transmission lines around the state. As a result, millions of consumers in Florida lost power for several hours. FPL paid a $25 million civil penalty under a settlement with staff of FERC and NERC of an investigation. FPL paid $10 million to NERC and $10 million to the United States Treasury and spent $5 million for reliability enhancements for its system to offset a penalty payment. FPL agreed to a broad program of remedial measures to enhance its system and operations, including specific compliance and training process improvements to help prevent future similar violations. Under a related settlement with FERC and NERC staff, the Florida Reliability Coordinating Council, in its capacity as reliability coordinator for the area of Florida affected by the blackout, paid a $350,000 civil penalty, split between NERC and the U.S. Treasury, and agreed to improve its operations to help prevent a future blackout. These settlements were FERC’s first civil penalty assessments for violations of Reliability Standards and its first joint enforcement effort with NERC.

September 2011 Southwestern Outage: The September 2011 Southwest cascading outage left more than five million people without power for up to 12 hours in Southern California, Arizona and Baja California Norte, Mexico. Staff of FERC and NERC conducted a joint inquiry and issued a detailed report in April 2012 on the event, recommending reliability improvements that focused on planning, coordination and situation awareness among reliability entities in the Western interconnection, as well as changes to relevant Reliability Standards. Enforcement then led investigations with the Office of Electric Reliability and NERC staff that resulted in settlements related to this event with seven entities: WECC in its capacity as reliability coordinator for the Western interconnection and Peak Reliability, WECC’s successor as reliability coordinator; Imperial Irrigation District; California Independent System Operator Corporation; Southern California Edison Company; Arizona Public Service Company; and the Western Area Power Administration (WAPA).

Collectively, these settlements assessed these entities, other than WAPA, $37.9 million in civil penal- ties for Reliability Standard violations related to the outage. Of this amount, $27.65 million was invested in reliability enhancement measures that go above and beyond mitigation of the violations and compliance with requirements of the Reliability Standards as offsets to possible penalty payments. These investments included WECC’s hiring of additional reliability coordinator personnel and Imperial Irrigation District’s installation of a utility-scale battery storage system. Each entity also agreed to mitigation and reliability activities and to submit to compliance monitoring. Penalty payments were split evenly between the United States Treasury and NERC.

Following other investigations, Enforcement has entered into settlements with bulk power system owners and operators regarding Reliability Standard violations, which FERC has approved. While most of these investigations did not involve unexpected losses of load, they addressed situations that posed potentially serious risk to bulk power system reliability. These settlements have imposed civil penal- ties and required mitigation efforts and compliance monitoring. Information on these settlements is available on FERC’s website. FERC staff generally conduct these investigations with NERC staff and, when appropriate, regional entity staff.

Enforcement’s audit staff, in conjunction with Office of Electric Reliability technical staff, has conducted, participated in, or observed numerous audits related to reliability. Some of these activities have related to compliance audits conducted by regional entities; others have involved various audits of registered entities, regional entities, and NERC. FERC staff coordinates its Reliability Standards enforcement activities with those of the regional entities and NERC.

Office of Energy Infrastructure Security 

The Office of Energy Infrastructure Security provides expertise and assistance to FERC to identify, communicate and seek solutions to potential risks to FERC-jurisdictional energy facilities from cyber attacks and physical threats such as electromagnetic pulses, including voluntary efforts beyond Reliability Standard compliance.

The Office of Energy Infrastructure Security formulates and makes recommendations for identifying, communicating and mitigating potential cyber and physical security threats and vulnerabilities to FERC-jurisdictional infrastructure. The office also provides assistance, expertise and advice, and under- takes collaborative engagement with other federal and state agencies, and the energy industry. This work includes, but is not limited to, participating in conferences, workshops, and classified briefings. The office conducts outreach with private sector owners, users, and operators of energy delivery systems regarding identification, communication, and mitigation of cyber and physical threats to energy facilities. The office works with other federal agencies, state agencies, national laboratories, vendors and universities to identify effective mitigation for new threats.

Chapter: 7 Role of the Electric Reliability Organization/NERC

This section describes how NERC has implemented programs to fulfill the role and responsibility of the electric reliability organization. Also described is how NERC interacts with FERC in fulfilling its role as the electric reliability organization. NERC’s programs, discussed below, include: (A) Reliability Standards Development; (B) Compliance and Enforcement; (C) Delegation to Regional Entities; and (D) Reliability and Adequacy Assessments.

Reliability Standards Development

NERC’s Standards Development Process 

Section 215(c)(1) of the FPA and section 39.3(b)(2)(iv) of FERC’s regulations require the electric reliability organization’s Reliability Standards development process to provide for reasonable notice and opportunity for public comment, due process, openness, and balance of interests.

In certifying NERC as the electric reliability organization, FERC approved NERC’s Reliability Standards development process. In 2003, the American National Standards Institute (ANSI) Executive Standards Council accredited NERC’s Reliability Standards development process. The following is a summary of the standards development process.

Procedures

The first step in NERC’s Reliability Standards development process is the submission by a person or entity of a request for a Reliability Standard, modification of a standard, or withdrawal of a standard using a “standard authorization request.” Any member or committee of NERC, a regional entity, or any person or entity directly and materially affected by the reliability of the bulk power system may request development, modification or withdrawal of a Reliability Standard. NERC issues a public notice of the standard authorization request with an opportunity for public comment. The standards committee will authorize development of the proposed standard if there is sufficient stakeholder consensus on the scope and justification of the Reliability Standard.

The standards committee appoints a Reliability Standard drafting team that has the technical expertise, competencies, and diversity of views that are necessary to develop the standard. Typically, a standard drafting team consists of electric industry volunteers, although volunteers outside industry (e.g., Federal or State government employees, or regional entity staff) with the necessary expertise may be appointed. Further, NERC assigns a “standards developer” from NERC staff to guide the drafting team and ensure that the drafting team follows NERC’s standards development process. The standard drafting team develops a draft Reliability Standard based on engineering and technical criteria and on actual data and lessons learned from operating incidents. All meetings of the drafting team are open and notice is provided to the public.

After the Reliability Standard has been drafted, the standards developer reviews it for consistency of quality and completeness, and to ensure the draft standard is within the scope and purpose identified in the standard authorization request. The draft Reliability Standard is then posted for public comment for at least 45 days. The standard drafting team may recommend to the standards committee that the draft Reliability Standard be field tested. Field testing, when practical, provides actual data that the drafting team can utilize to assess the effectiveness of a proposed Reliability Standard. The drafting team may also decide, on the basis of comments received, to revise the draft standard and post it for additional comments. Once the drafting team determines that the draft Reliability Standard is ready for balloting, the drafting team submits the draft Reliability Standard to the standards committee with a request to proceed to balloting. The standards committee reviews the draft Reliability Standard to ensure it is consistent with the standard authorization request and is compatible with existing Reliability Standards.

A ballot pool is formed during the first 30 days of the initial posting for ballot. A notice is sent to every member of the registered ballot body to establish a ballot pool to vote on the proposed Reliability Standard. Any member of the registered ballot body may elect to join the ballot pool for the proposed Reliability Standard. Members may cast an affirmative vote, a negative vote, or a negative vote with an explanation. Approval of a new Reliability Standard or revision to an existing Reliability Standard requires a quorum of at least 75 percent of the members of the ballot pool voting and a two-thirds majority of the weighted segment votes in the affirmative. The use of a weighted segment voting calculation ensures that there is a balance of interests in the development and approval of Reliability Standards.

If there are any negative votes in the ballot with reasons specified, the ballot pool will be presented with the proposed Reliability Standard again along with the reasons for the negative votes. All members of the ballot pool are given a chance to reconsider and change their vote. When a second ballot is conducted, its results determine the status of the Re- liability Standard, regardless of the outcome of the first ballot. New Reliability Standards or revisions to Reliability Standards approved by the ballot pool will be submitted to the NERC board of trustees for approval. The board considers the results of the balloting and dissenting opinions, as well as any advice offered by the member representatives committee. The NERC board must adopt or reject a proposed Reliability Standard and may not modify a proposed Reliability Standard. If the NERC board chooses not to adopt a proposed Reliability Standard, it must provide its reasons.

NERC’s standards development procedure allows a standard to be developed and approved in as little as four months; however, more complex standards requiring the development of new technical concepts, methods, and measures can take 12 to 15 months or longer to approve. After a proposed Reliability Standard receives board approval, NERC submits the proposed Reliability Standard to FERC for approval.

NERC also has a truncated process for development of an “urgently needed” Reliability Standard when delay could materially impact bulk power system reliability. Like all Reliability Standards, an urgently needed Reliability Standard must be adopted by the NERC board before being submitted to FERC for approval. The urgent action process allows a Reliability Standard to be approved by stakeholders and the NERC board within 60 days of receiving a proposal. A Reliability Standard approved under the truncated process is considered an interim standard with a termination date that cannot exceed one year from the approval date. This interim status prevents an urgent Reliability Standard from becoming a de facto permanent Reliability Standard.

Registered Ballot Body 

Any person or entity with a legitimate interest in the reliability of the bulk power system may join the registered ballot body and a ballot pool, whether or not that person or entity is a member of NERC. Proposed Reliability Standards are approved by the members of the registered ballot body that join a ballot pool for consideration of a particular draft standard. The segments of the registered ballot body are: (1) transmission owners; (2) regional transmission organizations and independent system operators; (3) load-serving entities; (4) transmission dependent utilities; (5) electric generators; (6) electricity brokers, aggregators and marketers; (7) large electricity end users; (8) small electricity end users, (9) federal, state, and provincial regulators or other government entities; and (10) regional reliability organizations. The registered ballot body process ensures fair representation (using proxy and weight- ed segment voting) of all views in the development of a Reliability Standard.

NERC Standards Committee 

The NERC standards committee provides oversight of the Reliability Standards development process to ensure stakeholder interests are fairly represented. The standards committee is a representative commit- tee consisting of two representatives of each segment of the registered ballot body. Standards committee members are elected for staggered two-year terms by their respective segments.

Criteria for Reliability Standards 

FERC, in Order No. 672, articulated a non-exclusive set of factors that FERC will consider in determining whether a proposed Reliability Standard satisfies the statutory threshold for approval. Specifically, a Reliability Standard should: (1) achieve a specific reliability goal and contain technically sound means to achieve the goal; (2) be developed initially by industry experts; (3) be based on sound engineering and technical criteria and on actual data and lessons learned from operating incidents; (4) be clear and unambiguous regarding what is required and who must comply; (5) include clear and understandable consequences for a violation, including the range of penalties; (6) contain a clear and objective measure of whether the entity is in compliance; and (7) achieve the goal effectively and efficiently.

NERC’s Reliability Standards incorporate the criteria by containing elements including a statement of purpose, requirements, measures, and compliance elements associated with each Reliability Standard. An example of a mandatory Reliability Standard, depicting these elements, is included as Appendix 3. The standards developer continuously monitors the Reliability Standard’s conformance to these criteria. NERC uses comments from stakeholders during the development of a standard to verify that the Reliability Standard meets the criteria. The resulting standard is reviewed by the standards committee prior to the Reliability Standard being sent to the NERC board for approval.

NERC’s Actions in Response to a Directive 

If FERC remands a Reliability Standard to NERC or directs NERC to develop a Reliability Standard, NERC develops a plan and timetable for modification or development of the Reliability Standard. In the rare instance that the NERC board determines that the standards process did not result in a standard that addresses a specific matter that is identified in a directive issued by FERC, then the NERC board can remand a draft Reliability Standard to the standards committee, with instructions; require a technical conference to discuss the directive; or direct the preparation of a draft Reliability Standard that will comply with the directive. NERC’s rules of procedure state that the NERC board has the authority to choose which one (or more) of the authorized alter- native actions is appropriate, but that it must, to the extent feasible, choose actions that seek to maximize stakeholder participation.

Modifications to Standards Since NERC’s Initial Submission 

NERC has proposed modifications to the Reliability Standards since the first 83 standards were approved. The modifications have included changes to fill gaps, add clarity or consolidate requirements for efficiency. NERC also has continued to modify the standards to transition to a more risk-based approach that results in less prescription on how to perform a reliability task. NERC labeled the initial Reliability Standards as “Version 0,” and each subsequent version of a standard is labeled Version 1, then Version 2, etc.

Chapter: 8 Reliability Standards Development

Today, NERC’s Reliability Standards program currently consists of about 117 separate standards and a Glossary of Terms Used in Reliability Standards. The standards are grouped into 14 topical categories, each designated with a three-letter code. For example, the “transmission operations” category is designated as “TOP” and the first in the series of TOP standards as TOP-001-1. Below, we discuss each category of standards.

Resource and Demand Balancing 

Resource and demand balancing (BAL) standards aim to ensure real-time balancing of generation and load to maintain frequency at or around 60 Hz. Requirements include ensuring that all facilities and load are electrically synchronized in each interconnection and included within a metered boundary of a balancing area so that the real-time balancing of resources and demand can actually be achieved. Back-up reserves (or contingency reserves) are needed to compensate for any unexpected loss of generation resources so that the system frequency can be returned to 60 Hz when a contingency occurs.

Generation that may unexpectedly trip (go off line) must be replaced by substitute generation or by pre- planned interruptible load. Metrics established in this category provide a way to measure the performance of balancing authorities.

Communications 

The communications (COM) standards require applicable entities operating the system to have adequate internal and external telecommunications facilities, back-up facilities and procedures to enable a necessary exchange of information. Communication channels must have necessary redundancy for security purposes. Personnel performing operations impacting the bulk power system must have equipment, facilities and interpersonal communications and must be adequately trained to effectively communicate when addressing real-time emergencies. This includes the use of three-part communication for issuing directives, i.e., when a directive is communicated, the recipient must repeat back the directive, followed by an affirmation or correction from the one giving the directive. This protocol, used in many industries, better ensures that communications are accurately understood.

Emergency  Preparedness  and Operations 

The emergency preparedness and operations (EOP) category of Reliability Standards address basic expectations for actions taken during system emergencies. The standards also address system restoration and reporting after a disturbance has occurred. More specifically, each transmission operator and balancing authority must develop an operating plan to mitigate operating emergencies and the plan must be coordinated within a reliability coordinator area. The reliability coordinator reviews the plans within its defined geographic boundary (known as the reliability coordinator area). System planning is performed in advance and with the intent of anticipating potential emergencies. When an emergency does occur, the reliability coordinator in the area primarily impacted plays a lead coordination role across an interconnection in order to resolve the emergency. The EOP standards also require system operators to have the capability to manually or automatically shed load in a timely manner to return the system to a stable condition. While shedding load, i.e., turning off the electricity for a group of customers, is a measure of last resort, at times such “controlled” shedding of load is the best means to mitigate the risk of an uncontrolled, cascading blackout.

Each transmission operator must have a system restoration plan to reestablish its electric system in a stable and orderly manner in the event of a partial or total shutdown of its system. Personnel must be trained to enable this restoration of load to occur, based on expected blackout conditions. Generation operators with blackstart resources (generating units that have the ability to be started without support from the rest of the bulk power system) must have established procedures related to the use of these units when called upon. Each transmission operator’s area must have a blackstart capability plan to ensure that the quantity and location of system blackstart generators are sufficient and can be execut- ed. These plans are rolled into larger regional system restoration plans.

Facilities Design, Connections, and Maintenance – Including Vegetation Management 

The facilities design, connections, and maintenance (FAC) standards address an assortment of facility connection and coordination requirements, documentation of facility ratings, and vegetation management (tree trimming) adjacent to transmission facilities. The FAC standards also address trans- mission line ratings used in system modeling and standardize transfer capabilities calculations.

Specifically, the FAC standards require system performance assessments to ensure that facilities can be interconnected to the bulk power system reliably under normal and contingency conditions. Other requirements include ensuring that facility ratings and transfer capabilities of transmission lines are based on rigorous engineering analysis. These requirements are intended to avoid adverse impacts to generation and transmission equipment from exceeding safe operating specifications.

Pursuant to Reliability Standard FAC-003 (Vegetation Management), entities that own bulk power system transmission facilities must maintain a trans- mission vegetation management program. FAC-003 does not apply to local distribution wires that serve residences and other local customers – such facilities are typically regulated by the States. FAC-003 sets minimum clearance distances between bulk power transmission lines and vegetation that is located be- neath or adjacent to the transmission lines. Further, the standard sets a minimum annual inspection cycle for transmission owners to inspect for trees or other vegetation that could fall into transmission lines.

As discussed earlier, vegetation falling into bulk power system transmission lines has been an initiating cause of numerous cascading blackouts, including the August 2003 blackout that preceded the enactment of EPAct 2005. NERC maintains records, published online quarterly, on outages caused by vegetation contact with transmission lines.

While vigilance with vegetation management is one necessary aspect of maintaining a reliable bulk pow- er system, tree trimming at times results in conflicts with nearby residents who prefer to maintain the aesthetics of local vegetation. FERC has developed a series of documents pertaining to vegetation management, intended to inform landowners on such matters, including: Why Tree Trimming is Necessary, Clearances Between Power Lines and Trees, and Landowner Rights.

Interchange Scheduling and Coordination 

The interchange scheduling and coordination (INT) standards detail the responsibilities for those involved in power flow when electricity is purchased and transmitted from a seller to a buyer across the bulk power system. Before the energy actually flows, specific information about the transaction must be identified in electronic labels, known as tags, to allow a reliability assessment of the projected flow. This information can also be used as a reference should the loading of transmission lines start to reach operating limits, when the tag information can be used be to strategically manage the schedules specifically contributing to the overload. This tagging of proposed energy transactions must occur across and within balancing authority boundaries or where any type of point-to-point transmission service is used.

Interconnection Reliability Operations and Coordination 

The interconnection reliability and coordination (IRO) standards detail the responsibilities and authorities of the reliability coordinators that oversee the bulk power system. A reliability coordinator monitors the interconnected transmission system across multiple local utilities. By virtue of this wide-area view, the reliability coordinator is best positioned to address an adverse  condition on the bulk power system. The reliability coordinator’s role is analogous to the role performed by air traffic controllers in the airline industry, particularly during emergencies.

The reliability coordinator and the transmission operator conduct next-day and current day reliability analyses to ensure the system can be operated in anticipated normal and contingency conditions. The transmission operator studies the forecasted use of the system compared to its limits, voltage, and stability conditions, and examines expected flows across critical transmission lines. The reliability coordinator provides oversight to this process and, if overloads occur on equipment or if other unexpected events occur, the reliability coordinator over- seeing each transmission operator can coordinate with neighboring transmission operators to assist in remedying the situation.

The reliability coordinator has authority under the IRO Reliability Standards to act or direct others to act, such as by issuing operating instructions to transmission operators to maintain system reliability and to prevent or mitigate emergency operating situations.

Modeling, Data, and Analysis 

The modeling, data, and analysis (MOD) category of standards is a collection of requirements intend- ed to standardize methodologies and system data needed for traditional transmission system operation and expansion planning, reliability assessment, and the calculation of available transfer capability. The MOD standards obligate entities to document, review and validate the transfer capability of the transmission system and, specifically, what must be considered and demonstrated when this trans- fer capability is calculated. The standards in this category are important for transmission information uniformity.

Good data and system models are essential for accurately simulating the performance of the bulk power system. Requirements in this category call for accurate data inputs that are necessary for this system modeling. The MOD standards require generators to provide accurate information on gross and net real power capability used for system operator models. Steady-state analysis is used to verify that voltages are maintained within limits, and to deter- mine the real and reactive load output and voltage controlling device adjustments necessary to balance generation and loads. Transmission providers and reliability coordinators are required to monitor any thermal limit exceedances on transmission lines as part of this analysis. Meanwhile, dynamic analyses are performed to study whether there are stability issues during line switching or when a disrupting event occurs.

Simulation Model

Nuclear 

The nuclear (NUC) category requires nuclear plant operators to coordinate operations and planning with the interconnecting transmission operator. The single standard in the NUC category requires written procedures for coordination between a nu- clear plant operator and the transmission provider that must address any outages scheduled or transmission limits or conditions that may potentially impact the nuclear plant.

Personnel Performance, Training, and Qualifications 

The personnel performance, training, and qualifications (PER) standards impose obligations on personnel performance, training, operating personnel credentials and qualifications for various registered entities. Entities must maintain suitably trained and qualified personnel for positions that impact the reliable operation of the bulk power system. Specific requirements call for training programs for all operating personnel who either have the primary responsibility, directly or through communication with others, for real-time operation of the bulk power system or who are directly responsible for complying with the Reliability Standards.

Protection and Control 

The protection and control (PRC) category specifies obligations for a range of matters related to the protection and control of the bulk power system. Protection systems are designed to detect faults and isolate faulted elements on the system, thereby limiting the severity and range of system disturbances and preventing possible damage to protected elements. The failure of a protection system has the potential to create and has resulted in major outages and cascading events. Protection systems take and act on real-time electrical measurements, such as current, voltage, and frequency. These systems need to be set to recognize certain measurements as indicating a fault and, from that set-point, send a signal to an interrupting device such as a circuit breaker to disconnect the element from the rest of the system. The PRC standards deal with matters including the testing and maintenance programs for this equipment. Requirements include the need to analyze and correct any misoperations of the equipment.

Since supply (generation) and demand (load) need to be balanced at all times, any significant departure from operating limits for frequency or voltage will impact the system. Under normal operating conditions, there are slight changes of frequency or voltage when generation or load suddenly increases or decreases. If a large imbalance occurs between load and generation – where frequency or voltage change significantly – the bulk power system is designed to restore the balance. Due to such a mismatch in supply and load, if under-frequency or under-voltage conditions occur on the bulk power system, the PRC standards require the protection equipment to be set up to recognize the problem and isolate it to one area. This is done to prevent the spread of the problem to a much larger footprint and also prevent uncontrolled cascading events. This protection and control is also needed to prevent or minimize dam- age to transmission, distribution, and generation equipment.

The PRC standards also call for the installation of disturbance monitoring equipment and support capabilities. This equipment serves an important function of reading and recording events on the bulk power system. The recording mechanism is vital to timely and accurate modeling and analysis of system events that occur. The use of models with accurate data allows a timely and complete recreating of system events or disruptions so problems can be understood and addressed.

Other PRC requirements ensure that power swings are stable. Power swings are oscillations in power flows on an electric system due to an event or disturbance, such as a fault or loss of generation or load. Power swings occur most commonly when a fault and faulted facilities are quickly removed from the system, typically within one-tenth of a second from detection, and the system and affected generators stabilize within several seconds. Dynamic but stable power swings occur when the system recovers from a disturbance and achieves transient stability, typically within zero to three seconds, and then returns to a steady state over a longer period of time, typically within three to thirty seconds or even minutes.

Prior to the system returning to a new steady state operating condition, it can exhibit power swings that may decrease rapidly or increase in magnitude. When the power swings decrease, the system will be able to achieve a new stable operating status.

Transmission Operations 

The primary reliability goal of the transmission operations (TOP) standards is to ensure that the transmission system is operated within safe operating limits. Also, transmission operators have the authority and must have the capability to take appropriate actions or direct the actions of others to return the transmission system to normal conditions following an emergency. The TOP standards aim to ensure that reliability coordinators and transmission operators work together and with other functional entities when managing transmission line and other equipment limits.

The TOP standards require that transmission opera- tors develop operating plans to meet dynamic changes to the system. These plans include scheduled and unscheduled changes in system configuration, different demand patterns, varying generation dispatch and interchange schedules. Unscheduled changes to system configuration and generation dispatch are referred to as contingencies (defined as the loss of a transmission circuit, generator, single DC pole, or transformer). Following a single contingency, the TOP standards require adjustments to the system to compensate for the contingency as soon as possible but no later than 30 minutes after the contingency occurs. This time period is to ensure that the system is returned to a secure operating state, so it can withstand the next contingency without causing instability, uncontrolled separation or cascading out- ages. When a contingency occurs that impacts the system, the matter must receive swift attention, with appropriate entities addressing the overload before additional equipment is damaged or the problem further escalates, e.g., further overloading, equipment damage or load loss.

Transmission  Planning 

The transmission planning (TPL) category is intend- ed to ensure that the transmission system is planned and designed to meet an appropriate and specific set of reliability criteria. One TPL standard specifically describes conditions that must be considered when making planning assessments. The standard ensures that the system is studied for an array of system conditions and contingencies (i.e., loss of line, transformer, generator, etc.) to determine the need for system upgrades or reinforcements so that any underlying weaknesses or deficiencies can be identified. Another TPL standard also requires studying the performance of the system for a variety of scenarios. Such scenarios would typically simulate a range of generation dispatches, including generator outages; a range of demand levels; a range of transactions; and a range of transmission outages. The simulations determine the most severe set of system conditions. Studies must anticipate these possible system conditions so there is lead time to purchase and install equipment if necessary to resolve any identified problems. The studies would also potentially identify generators that must run to remove local transmission constraints, or, alternatively, identify the inability to deliver generation to load due to insufficient transmission capacity. The studies must also include long term and short-term (including seasonal and stressed case) studies.

When the system studies indicate an inability to meet performance requirements specified in the TPL standards, the transmission planner must develop a “corrective action plan” that addresses how the performance requirements will be met. This plan could result in the development of operating procedures; or it could involve the installation, modification, or retirement of transmission or generation facilities.

Voltage and Reactive Control 

The voltage and reactive control (VAR) category of standards aims to ensure that voltage levels, reactive flows, and reactive resources are monitored and controlled within limits in real-time to protect equipment. Adequate voltage and reactive power levels are essential for keeping the power system robust to respond to hourly energy demands. For instance, a major imbalance between reactive power consumption and supply will lead to voltage col- lapse and cascading power outages. This has been a common cause of major power outages worldwide. Transmission owners are required to have sufficient reactive resources within their area to protect voltage levels under normal and contingency conditions, and maintain system and interconnection voltages within established limits. These voltage and reactive services are provided by traditional generators, with more recent contributions from newer technologies owned by transmission customers and transmission owners.

Critical Infrastructure Protection 

Critical infrastructure protection (CIP) standards provide requirements to protect the bulk power system from cyber and physical attacks on critical infrastructure.

Cybersecurity: The CIP standards require users, owners, and operators of the bulk power system to identify and categorize cyber systems based on “bright-line” criteria for the application of cyber se- curity requirements commensurate with the adverse impact that loss, compromise, or misuse of those cyber systems could have on the reliable operation of the interconnected transmission network. Once these assets are identified, the CIP standards require that the responsible entities establish plans, protocols, and controls to safeguard physical and electron- ic access to these systems, train personnel on security matters, report security incidents, and be prepared for recovery actions.

A new set of CIP standards, Version 5, effective beginning July 1, 2016, introduces a tiered approach, so that assets are identified as High, Medium or Low risk to bulk power system reliability if compromised. Required protections are commensurate with the applicable risk level. Documented and regular reviews of these protection programs are required.

Entities must also document and implement a cyber security policy that addresses electronic security perimeters, security patch management, and incident response planning.

Physical Security: Reliability Standard CIP-014 addresses physical security. The standard requires entities to identify and protect transmission stations and their associated primary control centers that, if rendered inoperable or damaged as a result of a phys- ical attack, would result in instability, uncontrolled separation, or cascading within an interconnection. The standard requires entities to determine what facilities are critical, assess the critical facilities for vulnerabilities, and implement a plan to mitigate vulnerabilities.

Geomagnetic Disturbance 

A recent addition to the Reliability Standards ad- dresses geomagnetic disturbances. Geomagnetic disturbance events occur when the sun emits charged particles that interact with, and cause changes in, the magnetic fields of the Earth. A geomagnetic disturbance may induce currents that cause trans- former hot-spot heating or damage, loss of reactive power sources, increased reactive power demand, and protection system misoperation, the combination of which may result in blackout of the electric grid. Although major geomagnetic disturbances are infrequent, they have the potential to significantly impact reliable operation of the bulk power system under certain conditions.

Pursuant to Reliability Standard EOP-010-1, owners and operators of the bulk power system are required to develop and implement operational procedures to mitigate effects from these geomagnetic disturbances. In addition, Reliability Standard TPL-007-1 establishes requirements for certain registered entities to assess the vulnerability of their transmission systems to geomagnetic disturbance events. Applicable entities that do not meet certain performance requirements, based on the results of their vulnerability assessments, must develop a plan to achieve the performance requirements.

Chapter: 9 NERC Compliance and Enforcement

NERC and the regional entities have a program for ongoing monitoring of compliance with Reliability Standards by the users, owners, and operators of the bulk power system. The eight regional entities, based on authority granted by the delegation agreements in place, carry out compliance monitoring and enforcement activities on behalf of NERC. NERC oversees the regional programs and seeks to ensure their consistency and fairness. NERC and the eight regional entities monitor compliance through a number of methods, including regularly scheduled compliance audits, random spot checks, compliance investigations, and a complaint process.

The focus of NERC’s compliance program is to improve the reliability of the bulk power system in North America by fairly and consistently enforcing compliance with NERC Reliability Standards. Specifically, the program is designed to ensure that the right practices are in place so that the likelihood and severity of future system disturbances are substantially reduced, while recognizing that no Reliability Standards or enforcement process can fully prevent all such disturbances.

Below, we discuss two aspects of compliance: (1) compliance registry, and (2) addressing non-compliance matters pursuant to NERC’s Compliance Monitoring and Enforcement Program.

Criteria for Registered Entities 

FERC regulations require each user, owner, and operator to register with the electric reliability organization and the regional entity for each region within which it uses, owns or operates bulk power system facilities. NERC developed a registration process that identifies and registers the entities that are responsible for compliance with one or more Re- liability Standards. NERC identified the following twelve reliability functions, necessary for the reliable operation of the electric grid:

• Reliability Coordinator (RC)
• Balancing Authority (BA)
• Planning Authority (PA)
• Transmission Planner (TP)
• Transmission Operator (TOP)
• Transmission Service Provider (TSP)
• Transmission Owner (TO)
• Resource Planner (RP)
• Distribution Provider (DP)
• Generator Owner (GO)
• Generator Operator (GOP) and
• Reserve Sharing Group (RSG)

NERC and the regional entities identify and register entities that perform these functions, applying certain “de minimis” thresholds set forth in a Registry Criteria document. Each Reliability Standard contains an “applicability” provision that sets forth one or more of the above reliability functions. An entity is responsible to comply with the Reliability Standards with applicability provisions that correspond to the functions for which the entity is registered. In this way, the compliance registration program ensures that the proper entities are registered and that each entity knows which Reliability Standards are applicable to it.

Registered organizations included on the compliance registry are responsible for knowing the content of and for complying with all Reliability Standards. The compliance registry is posted on the NERC website and updated monthly. New entities are added to the registry and others are “deregistered” for some or all functional categories, as the activities and functions of entities change over time. NERC provides notice of registration or deactivation to all organizations when they are included or removed from the compliance registry.

Delegation and Sharing of Compliance Tasks 

An entity may delegate reliability tasks to third parties; however, the entity is still responsible for compliance. For example, a registered entity can delegate “responsibility” for completion of a task (e.g., relay testing), but the registered entity is still responsible for complying with the relevant standard. NERC facilitates the delegation of reliability tasks by establishing rules that permit “coordinated functional registration” and “joint registration organizations.”

A coordinated functional registration is a written agreement pursuant to which two or more entities agree to a division of compliance responsibility for one or more Requirements or Reliability Standards. The parties must submit the agreement to NERC and the relevant regional entities, identifying points of contact and clearly specifying the entities’ respective compliance responsibilities. The entity point of contact informs the applicable regional entity of any changes to an existing coordinated functional registration, and the regional entity notifies NERC of each such revision. Coordinated functional registrations are posted on NERC’s website.

A joint registration organization may be used by a joint action agency, generation and transmission cooperative or similar organization to accept compliance responsibility on behalf of its members. Under this process, a “central” organization registers as responsible for compliance for itself and collectively on behalf of its members. Each member within a central organization may separately register to be accountable for a particular reliability function defined by the Reliability Standards. In all cases, NERC and the regional entities will hold the registered “central” entity accountable for compliance responsibilities and any violations. While a registered entity may delegate the performance of a task required by a Reliability Standard to another entity, the registered entity may not delegate its responsibility for ensuring the task is completed. In addition to registering as an entity responsible for all functions that it performs itself, multiple entities may each register using a coordinated functional registration for one or more Reliability Standards and/or for one or more requirements within a particular Reliability Standard applicable to a specific function.

Appeals of Registry Decisions 

NERC’s rules of procedure include a process for an entity to appeal its registration. For example, an entity may believe that it should not be included on the compliance registry because it does not believe it performs a particular reliability function for which it was registered. The entity must first seek a review of the registry decision from the NERC Board of Trustees Compliance Committee. If unsuccessful with the Board, the entity may then petition FERC to review the registry determination.

Additional Certification 

Entities providing certain reliability functions deemed particularly crucial to the reliability of the bulk power system not only must be registered but also must meet or exceed certain minimum criteria demonstrating that the entity is capable of performing these functions. These critical functions are: reliability coordinator, balancing authority, and transmission operator. Certification ensures that an entity seeking to perform any of these functions has the tools, processes, training, and procedures to meet the requirements or sub-requirements of all of the Reliability Standards applicable to that function. The decision to certify an entity is a collaborative decision between NERC and the regional entity.

The certification process must be completed with- in nine months of the application acceptance date unless otherwise agreed by all parties involved in the process and approved by NERC. After an entity has been certified, the applicable regional entity notifies all entities as to the date that the entity may begin its operation as a certified entity. The entity must commence operation within 12 months of certification. Failure to begin operation within the 12-month period requires the entity to reapply for certification.

An entity may need to obtain certification or re-certification when it experiences changes to its footprint or operational challenges, organizational restructuring that could impact bulk power system reliability, or a change to entity ownership requiring major operating procedure changes, such as the relocation of control centers, or replacement of a Supervisory Control and Data Acquisition/Energy Management System (SCADA/EMS) that controls or monitors the flow of electricity.

Monitoring and Enforcement 

Section 215 of the FPA requires the electric reliability organization and regional entities to have the ability to enforce Reliability Standards that provide for an adequate level of reliability of the bulk power system and to provide fair and impartial procedures for enforcement of these standards. When certifying NERC as the electric reliability organization, FERC required NERC to establish and implement an enforcement program under its rules of procedure. FERC found that the enforcement function includes both proactive compliance efforts by the electric re- liability organization and regional entities, as well as after-the-fact investigations and penalty assessments. The compliance function includes audits, best practices programs that prepare entities for compliance with Reliability Standards, and remedial actions that bring a registered entity into compliance. NERC and the regional entities also may assess monetary and non-monetary penalties, in conjunction with or after action to bring a registered entity into compliance.

FERC has approved a detailed Compliance Monitoring and Enforcement Program (CMEP), proposed by NERC, which is Appendix 4C to NERC’s rules of procedure. The CMEP sets forth procedures under which NERC and the regional entities implement their compliance and enforcement functions in the U.S. portion of the bulk power system. Among other topics, the CMEP includes detailed procedures for how staff of regional entities and NERC conduct compliance audits, spot checks, and compliance investigations. The CMEP specifies procedures for handling complaints, self-reports of possible violations, and registered entities’ self-certifications whether they are in compliance with applicable Reliability Standards. Procedural rules included in the CMEP also address how staff of regional entities and NERC impose a penalty, consider a mitigation plan a registered entity submits to bring itself into compliance, enter into a settlement, and issue a re- medial action directive to require a registered entity to become compliant. The CMEP specifies requirements for regional entity reports about enforcement matters to NERC, and NERC’s subsequent reports of the matters to FERC, and establishes data retention requirements for NERC and regional entities on CMEP matters. Procedural rules for contested hearings relating to possible violations of Reliability Standards also appear in the CMEP.

Sanction Guidelines 

FERC has approved NERC’s Sanction Guidelines as Appendix 4B to NERC’s rules of procedure. This document sets out the processes and principles to be followed, and factors to be considered, when NERC or a regional entity determines penalties or sanctions. The Sanction Guidelines establish a three-step process for determining a penalty for a particular violation. First, a regional entity or NERC staff determines a base penalty amount, taking into consideration: (1) the violation risk factor that reflects the expected or potential impact to bulk power system reliability for a violation of the applicable requirement and (2) a violation severity level based on the extent to which the registered entity was out of compliance with that requirement. The base pen- alty amount can range from $0 to $1 million. In the second step, the regional entity or NERC determines whether to increase or decrease the base penalty amount by considering factors such as the violator’s compliance history, cooperation in the enforcement process, self-disclosure of the violation, voluntary corrective actions, and the violator’s internal compliance program. In the third step, the violator’s financial ability to pay a penalty may reduce the penalty, and a determination that the violator made an economic choice to violate may require the viola- tor to disgorge any unjust enrichment or economic benefits resulting from the violation.

Significantly, the Sanction Guidelines also state that in settlements of possible violations, regional entities and NERC can supersede any corresponding penalties or sanctions that would otherwise be deter- mined pursuant to these guidelines. In practice, this provision has encouraged settlements by regional entities and NERC with registered entities to resolve Reliability Standard violations without engaging in contested proceedings.

Notices of Penalty 

Under FPA section 215, NERC must file with FERC a notice of penalty (NOP) for each penalty that NERC or a regional entity assesses against a registered entity. If, within 30 days of an NOP’s filing, FERC does not review the NOP on its own motion, or the registered entity does not appeal the NOP, it becomes final on the 31st day. The vast majority of NOPs result from settlements rather than con- tested penalty determinations. Since 2008, FERC has reviewed one NOP on its own motion, and two appeals of an NOP by the entity being penalized. In each review, FERC affirmed the penalty.

FERC initially emphasized that NERC must file an NOP for violation of a Reliability Standard with a full discussion of the underlying facts and reasons supporting a penalty determination. Violations of Reliability Standards increased as regional entities began implementing the CMEP by starting compliance audits in 2007 and, again, after the CIP Reliability Standards addressing cybersecurity became enforceable in the U.S. beginning in 2008. A backlog of pending enforcement matters under the CMEP resulted. NERC then requested that, for certain types of violations that posed minimal risk to bulk power system reliability, FERC accept NOPs that did not include such a full record. NERC reasoned, and FERC agreed, that NERC’s ability to file abbreviated forms of NOPs could speed up processing of possible violations by regional entities and NERC, thereby reducing the backlog of unresolved possible violations. Currently, NERC files most NOPs as elements of a Spreadsheet Notice of Penalty (SNOP) that NERC files in an Excel spreadsheet format. NERC continues to file more significant Notices of Penalty in the original NOP format, known now as a Full NOP.

FERC’s acceptance of abbreviated filing formats for NOPs itself did not completely reduce the backlog of possible violations in the CMEP process. NERC proposed a Find, Fix, and Track (FFT) process under which NERC would submit determinations on minimal risk violations in an informational filing, not an NOP. FFT matters would not constitute penalties for violations of Reliability Standards. In 2012, FERC approved NERC’s FFT proposal with conditions, specifying that FFTs would be subject to reopening within 60 days of submission for FERC review; that they must, at least initially, pose only minimal risk to the BPS; and that FFTs would be included in a registered entity’s compliance history.

After FERC approved the FFT process, which NERC justified on the basis that it and regional entities used too many resources to process low-risk Reliability Standard violations, NERC sought to align further the electric reliability organization’s compliance efforts with the risk posed by particular violations. In 2014, NERC asked FERC to approve its Reliability Assurance Initiative, under which NERC and regional entities would transition to a risk-based approach for compliance monitoring and enforce- ment. The Reliability Assurance Initiative’s premise was that a risk-based approach to these functions would benefit reliability by focusing electric reliability organization efforts on higher-risk issues while still identifying, correcting, and tracking lesser risk issues. NERC proposed to tailor compliance efforts by: (1) identifying and prioritizing bulk power system-wide risks; (2) reviewing inherent risks applicable to each individual registered entity through use of an inherent risk assessment process; (3) obtaining additional insight on a voluntary basis on risks posed by individual registered entities through an internal controls evaluation on how their internal controls detect, correct and mitigate their risks determined by the inherent risk assessment; and (4) determining, based on the three previous steps, the frequency and type of compliance monitoring tools a regional entity would apply to each registered entity for which it is responsible. Also, NERC proposed that it submit to FERC information about “compliance exceptions” – minimal-risk, fully-mitigated in- stances of noncompliance that would not warrant a penalty but instead be resolved as an exercise of enforcement discretion. Finally, NERC proposed that a particular registered entity be allowed to “self- log” possible violations rather than self-report them to its regional entity, upon approval by the regional entity and NERC. A regional entity would review the registered entity’s self-logged items periodically, using a presumption that each item would be eligible for treatment as a compliance exception.

In 2015, FERC approved NERC’s implementation of the Reliability Assurance Initiative and found reasonable its overall goal to focus electric reliability organization and industry compliance resources on high-risk issues that matter more to reliability. FERC imposed several conditions on Reliability Assurance Initiative implementation, including: NERC must publicly post compliance exceptions on its website; and NERC must file an annual report on the progress of the Reliability Assurance Initiative program.

NERC now refers to the electric reliability organization’s “risk-based compliance and enforcement program” rather than the Reliability Assurance Initiative.

Reliability and Adequacy Assessments

NERC conducts independent assessments of the overall (existing and planned) electric generation and transmission reliability (adequacy and operating reliability) of the interconnected North American bulk power system. NERC also assesses and reports on the key issues, risks, and uncertainties that affect or have the potential to affect the reliability of exist- ing and future electric supply and transmission.

The adequacy and reliability of the bulk power system is evaluated by NERC through identifying, analyzing and projecting trends in electric customer demand, supply, and transmission and their impacts on reliability. NERC investigates, assesses, and reports on the potential impacts of new and evolving electricity market practices, integration of new technology resources and loads, change in resource mix, new or proposed regulatory procedures, and new or proposed legislation (e.g., environmental requirements). NERC has discretion regarding the number and type of periodic assessments that are to be conducted. NERC also conducts special reliability assessments from time to time as circumstances warrant.