The Standards Based Integration Company Systems Integration Specialists

Introductions 2 l Who am I? l Who are you? l What do you

Outline 3 l RAS Overview l History of CRAS l CRAS Benefits l SCE

The Standards Based Integration Company Systems Integration Specialists Company, Inc. RAS Overview © Copyright

RAS Overview l l l 5 Remedial Action Scheme A RAS is a type of Special Protection System (SPS) which disconnects excessive load and/or generation to maintain system reliability in case of a major contingency Customer demands for power are always expanding Disconnecting the load and/or generation prevents the transmission lines from melting and/or the generators from being damaged Due to the high cost and long lead time to build redundant transmission lines, many utilities are using RASs to handle the ever increasing loads © Copyright 2012 SISCO, Inc.

RAS Example l l l 6 Consider a corridor with three transmission lines. The corridor flow is x MW In the past, the lines would be sized at x/2 so that if one line failed (an n-1 contingency), the other two lines could carry the failed line’s power As power demands increase, either new transmission lines must be built or reserve capacity of the lines must be utilized When the reserve capacity of the lines is used to carry normal power flow, very rapid action needs to be taken in the case of a contingency That rapid action is a Remedial Action Scheme to disconnect load or generation © Copyright 2012 SISCO, Inc.

Remedial Action Schemes at SCE l l l 7 Currently, SCE has 17 RASs, most of which are distributed over the major import corridors With the passage of recent California laws, California utilities must reach 33% renewable generation by 2020. This means that grid interconnection requests from renewable resources have increased dramatically To enable the interconnection of the new generation, there will be a proliferation of new RASs in the next few years Currently, RASs are distributed and localized © Copyright 2012 SISCO, Inc.

Distributed Remedial Action Schemes l l l 8 Each existing RAS operates in an isolated environment without having information about other system conditions, including the actions and arming status of other RASs in the same region. This could result in uncoordinated operations. This will only get worse when more RASs are added. Individual RAS logic controllers are limited in the number of logic steps they can contain. As RASs become more complex due to the increasing connection requests, this limits the effectiveness of a given RAS and can lead to overshedding. Since the RAS are distributed, managing, upgrading and testing the remote RAS requires travel to the physical location of the logic controller, which is typically located in the relay room of the substation most central to the RAS. © Copyright 2012 SISCO, Inc.

Typical RAS Architecture Field Information (2 -10 second scan) State Estimator Arming Point Calc Arming Point and RAS Control Time from field change to arming point change > 5 minutes. Executes ~5 minutes Communication Aggregator Communication latency approximately 20 msec. Logic latencies 10 -20 msec. Average worst case RAS performance ~ 40 msec 9 © Copyright 2012 SISCO, Inc.

Distributed RAS l Typically implemented in a proprietary fashion l Limited Capability § Logic typically implemented in relays q Scan-based u logic execution If exceeded in one relay, need to split function and use multiple relays q Limited amount of logic q Limited amount of communication capability u l 10 Extra hardware required to increase communications Arming signals sent from Arming logic programmed based upon planning tables and sent EMS through RTU every 5 minutes, typically – too long! © Copyright 2012 SISCO, Inc.

The Standards Based Integration Company Systems Integration Specialists Company, Inc. History of CRAS ©

The very beginning… l l l 12 During an IEC 61850 training class, SISCO was asked to put an Remedial Action Scheme “architecture” together GE shared with SISCO the CRAS architectures at PG&E and Salt River SISCO provided the initial architecture to GE GE sent initial proposal to SCE. Many iterations of questions / answers This is an architecture that leverages established technology to fulfill the requirements © Copyright 2012 SISCO, Inc.

CRAS: Salt River and PG&E architectures (Simplified) Control Center Logic Processor Observations: High Hardware Costs Modbus Gateway Hardwired I/O GOOSE Latencies throughout Difficult to maintain and diagnose System availability issues Mirror Bits Substation Performance degradations / scalability issues Single vendor solution based on proprietary communications 13 © Copyright 2012 SISCO, Inc.

Salt River and PG&E architectures (Simplified) Control Center Logic Processor Observations: High Hardware Costs Modbus Gateway Hardwired I/O GOOSE Mirror Bits Substation 14 © Copyright 2012 SISCO, Inc.

Salt River and PG&E architectures (Simplified) Control Center Observations: Logic Processor Modbus Gateway Hardwired I/O Latencies throughout GOOSE Mirror Bits Substation 15 © Copyright 2012 SISCO, Inc.

Initial Objectives of SISCO’s vision of CRAS l Multiple Vendor support based upon standardized communications Selected IEC 61850 and GOOSE in particular l Remove latency bottlenecks to achieve maximum performance Allowed architecture to support direct communication to field devices l Increase availability and ease of maintenance l Provide a proposed technological solution that is “low-risk” Demonstrated that performance criteria could almost be met with off-the-shelf software l Provide an environment where other data sources could be integrated to allow distribution of intelligence into the substation (e. g. a true Smart. Grid) Selection of architecture that allows multiple different data sources to be integrated. 16 © Copyright 2012 SISCO, Inc.

Additionally l l 17 Design needed to allow EMS to control execution and receive status. Initially modeled as Control Center to Control Center exchange via ICCP Decided that maximum speed of algorithm execution was needed in order to maximize hardware utilization. § Looked at “soft-plc” technology: still scan-based and most lack prioritization of tasks. Wanted something that could handle a large number of events and execute algorithms based upon change of events and not scan/time based execution. Desired to have historical capture. © Copyright 2012 SISCO, Inc.

SCE team impact on requirements l Reinforced: Performance, performance… § Set time allotment for event to mitigation action to 50 msec q q l Dictated something event-driven not scan-based Need to support multi-threading and high priority tasking Testability § SISCO wasn’t familiar with the once a year test requirement or WECC requirements. 18 © Copyright 2012 SISCO, Inc.

The UAP began development targeted to: l l l 19 Distributed intelligence for Intelligrid type of substation automation functions (e. g. potentially autonomous substations). Needed to have a wide variety of “SCADA” type of interfaces. Wanted to be a fast logic capability that could potentially perform predictive analysis/pro-active action instead of reaction. Wanted local history to determine normal system operation and the ability to correlate to past events. Needed data mining capability. © Copyright 2012 SISCO, Inc.

Basic Architecture…An Analytic Platform Scalability Optimum Performance Architectures are the same, deployments are different.

Also allows: Scalability and Performance determined by Historian and its architecture. 21 © Copyright

Took EMS training, simulation, and diagnostics approach l l l 22 Needed a mechanism to allow training, process improvements, testing, and validation. EMS systems have “embedded” historians that allow post -event/operation forensics. Simulation tool should be able to extract information from historian and replay it as if real-time. © Copyright 2012 SISCO, Inc.

Historian Requirements l Large number of points/tags l Eventing of data must be supported

The pieces and vision of the Unified Analytic Platform e. DNA Scenario Player The UAP is a high-speed application development / execution platform. The actual UAP functionality is determined by its configuration and the Analytics that are developed / installed. 24 © Copyright 2012 SISCO, Inc.

The Standards Based Integration Company Systems Integration Specialists Company, Inc. CRAS Benefits © Copyright

CRAS Benefits General § Based on standard communications protocol: IEC 61850 § Uses standard off the shelf software § Architecture allows scalability § Event based processing allows good performance § UAP communicates directly with field devices § RASs can see all measurements in system § RASs can accommodate complex requirements § Configuration and testing can be performed locally 26 © Copyright 2012 SISCO, Inc.

CRAS Benefits General § Supports single RAS automated testing § Maintenance is centralized – no need to travel to remote substations § Maintenance is more robust – RASs progress through Development, QA and Production systems § Supports WECC required annual test § 12 -way redundancy 27 © Copyright 2012 SISCO, Inc.

More CRAS Benefits Input Processing § UAP contains an Input Conditioner that reads both of the redundant field measurements (A & B) and processes them both to present the ‘best’ value to the RASs. § If one measurement quality is bad, the other measurement is used. § The maximum of two power flows measurements is presented to the RAS. § Power flows are smoothed to bypass momentary spikes. § Alerts are raised if the two values differ by more than a preset amount, if both measurements are bad, if values are out of range, etc. § Supports test values 28 © Copyright 2012 SISCO, Inc.

More CRAS Benefits Historian § Complete process historization § Captures all field measurements, all processing of input values, all test values, all values presented to RAS, all RAS output values including mitigation commands § Values of all six UAP pairs are captured § Historic values can be replayed for analysis or simulation 29 © Copyright 2012 SISCO, Inc.

More CRAS Benefits Simulation § Can replay live events using historical data § Can generate any event scenario § GOOSEBlaster can generate GOOSE data for testing or simulating high load conditions 30 © Copyright 2012 SISCO, Inc.

The Standards Based Integration Company Systems Integration Specialists Company, Inc. SCE CRAS Project ©

Back in 2007 l First UAP Demo at SCE l South of Lugo N-1 Contingency (SOLRAS) l Used PI Historian l PI Historian simulated EMS graphics and commands l Demonstrated 4 millisecond RAS processing l 32 UAP updated to support dual inputs and testability in 2009 demo © Copyright 2012 SISCO, Inc.

In 2011 l l 33 Proof of concept demonstrated in July 2011 Demo included XA/21 system, redundant UAPs, redundant network communications to A and B GE relays and actual measurements Measurements simulated South of Lugo N-1 Contingency (SOLRAS) Project awarded to GE in late 2011. SISCO subcontracted to provide UAPs and RAS development. CISCO subcontracted to provide network infrastructure. © Copyright 2012 SISCO, Inc.

General Goals l l l 34 Enhance grid stability by utilizing state of the art protection, control and data transmission Replace the 17 existing distributed RAS with CRAS Provide the ability of meeting future CRAS needs in a robust, timely and cost effective manner © Copyright 2012 SISCO, Inc.

Specific Goals l Design, install and test two RAS schemes § Kramer § El Nido / El Segundo l l l 35 Design, install and test the communications network to the substations to support the two RAS schemes Integrate the monitoring and mitigation relays that support the above RAS and which are located at the substations with the communications network and centralized RAS controllers Design, install and test Development, QA and Production CRAS systems © Copyright 2012 SISCO, Inc.

Hardware Capacity Requirements l Provide hardware that will support SCE’s RAS needs for the next five years § 30 RAS analytics § 200 contingencies § 120 substations § 480 monitoring relays (includes A and B relays) § 300 mitigations relays (includes A and B relays) 36 © Copyright 2012 SISCO, Inc.

Software Capacity Requirements l Provide software that will support SCE’s RAS needs for the next fifteen years § 100 RAS analytics § 1000 contingencies § 250 substations § 1000 monitoring relays (includes A and B relays) § 1000 mitigations relays (includes A and B relays) 37 © Copyright 2012 SISCO, Inc.

Performance Requirements l l Time between occurrence of contingency and mitigation action must be less than or equal to 50 milliseconds Time budget is: § 2 msec - monitor relay processing § 11 msec - serialization and router/switch latency § 4 msec - controller (UAP) processing § 9 msec - serialization and router/switch latency § 2 msec - mitgation relay processing § 4 msec - output contact/breaker trip time l 38 Leaves 17. 8 msec for SCE communication delays (microwave hops and other transmissions) © Copyright 2012 SISCO, Inc.

Availability Requirements l CRAS production system as a whole is to provide 99. 9999% availability. The CRAS production system includes § Primary and backup Central Controller System (CCS) A at GCC and the primary and backup CCS B at AGCC § Network communication system § Monitoring and mitigation relays § EMS screens § ICCP link between EMS and CCS 39 l Available means able to mitigate a contingency l Not all system components need to be functioning © Copyright 2012 SISCO, Inc.

Security Requirements l Cyber security must be integrated into system design, communication network and controllers § NERC CIP compliant remote access to the CRAS substations § CRAS system shall comply with the relevant subcategories of NERC CIP standards CIP-003, CIP-005, CIP-007 and CIP-009. l 40 User accounts to support user name/password authentication or two-factor authentication l Antivirus, spyware and other malware detection systems l All log on and change requests are logged © Copyright 2012 SISCO, Inc.

Monitoring Requirements l EMS is integrated with CCS § Operators can view RAS parameters on EMS displays § Operators can steer RAS actions, including enabling/disabling RASs and contingencies substituting/overriding values, tagging out IEDs l l 41 CCS alarms displayed on EMS All measurements, RAS outputs, alarms and events are saved in CRAS historian and corporate historian © Copyright 2012 SISCO, Inc.

Test Requirements l Support relays in test mode § Test bit was deprecated by IEC 61850 committee § Added test data bit to indicate relay in test mode l l 42 Can put RAS in test mode and it will use test data. Otherwise test data is considered bad quality Support WECC annual test © Copyright 2012 SISCO, Inc.

Development Requirements l l l 43 Provide tools to develop, maintain and test current and future RAS Architecture includes Development, QA and Production systems New RAS or RAS modifications are developed and unit tested on the Development system Then RAS or RAS modifications are thoroughly tested in the production-like QA environment Once tested, they can be put on the production system © Copyright 2012 SISCO, Inc.

Configuration Management and Maintenance Requirements l l 44 Source code, scripts, analytics, and configurations will be delivered in Clear. Case Procedures for building CRAS systems from Clear. Case will be provided Tools will be provided so that the System Administrator can support staging, configuration management and maintenance across the production, QA, and development systems. The System Administrator must be able to rollback the CRAS system and application configuration and data to a known date/time. © Copyright 2012 SISCO, Inc.

The Standards Based Integration Company Systems Integration Specialists Company, Inc. System Architecture © Copyright

System Architecture 46 © Copyright 2012 SISCO, Inc.

GCC Systems l Operations A (Redundant) l Quality/Test B (Non-Redundant) l Development (2 instances, Non-Redundant) l 47 Database/Display Development (2 instances, Non. Redundant) © Copyright 2012 SISCO, Inc.

AGCC Systems l 48 Operations B (Redundant) © Copyright 2012 SISCO, Inc.

At GE’s Melbourne Facility l 49 Remote Support System (Redundant) © Copyright 2012 SISCO,

Substation Architecture 50 © Copyright 2012 SISCO, Inc.

Substation Architecture l l 51 Communication system is fully redundant Have A side relays,

The Standards Based Integration Company Systems Integration Specialists Company, Inc. Operations Systems A and

Operations Systems 53 l Two completely duplicated Operations System l Operations System A is

Operations System (Conceptual) Operations “Conceptual” because it doesn’t show redundancies 54 © Copyright 2012

Existing XA/21 EMS System l l Primary operational interface for CRAS Operator can see status of each RAS and interact with it: § Enable/disable a RAS § Change arming levels § Enable/disable particular contingencies § Enable/disable certain mitigations 55 © Copyright 2012 SISCO, Inc.

XA/21 CCS System l l Alternate operational interface for CRAS Operator can see status of each RAS and interact with it: § Enable/disable a RAS § Change arming levels § Enable/disable particular contingencies § Enable/disable certain mitigations l 56 Can initiate testing of a particular RAS © Copyright 2012 SISCO, Inc.

UAP Controller l l 57 GOOSE interface reads/writes IEC 61850 messages to/from relays Processes measurements (e. g. line flows, loads, generation) l Detects contingencies l Issues mitigation requests l Verifies mitigation has taken place l Special analytic performs annual test © Copyright 2012 SISCO, Inc.

e. DNA Historian l l 58 UAP sends all GOOSE inputs, intermediate data, mitigation actions to e. DNA pre- and post- event data streams RAS steering input from XA/21 Operational history is short term (30 days) © Copyright 2012 SISCO, Inc.

Oracle RDBMS l l 59 XA/21 alarm and event data Oscillography data from GE

Corporate Historian l l 60 Corporate e. DNA and Oracle data have seven-year retention Receives pre and post event data from Operational Historian l XA/21 alarm and event data l Oscillography data from relays © Copyright 2012 SISCO, Inc.

The Standards Based Integration Company Systems Integration Specialists Company, Inc. CRAS Redundancy and Availability

Availability - Requirements l l l 62 System A can use data from System B when System A data is unavailable and vice versa CRAS production system shall be 99. 9999% available CRAS System A and System B shall each be 99. 9% available Aggregate of CRAS components shall be 99. 5% available – the sum of all component down time shall be added to calculate Down Time Aggregate of CRAS devices shall be 99. 0% available – the sum of all component down time shall be added to calculate Down Time © Copyright 2012 SISCO, Inc.

CRAS Intra-site Redundancy 63 © Copyright 2012 SISCO, Inc.

CRAS Redundancy l CRAS system has extremely high availability l No single point of failure (either hardware or software) l At each site (GCC and AGCC): § Redundant CCS XA/21 systems § Three sets of redundant UAP controllers § Clustered e. DNA historians § Clustered Oracle RDBMS systems l 64 Failover is automatic. Failback is manual © Copyright 2012 SISCO, Inc.

CRAS Redundancy at both GCC and AGCC 65 © Copyright 2012 SISCO, Inc.

CRAS XA/21 Redundancy l One XA/21 instance is active at any one time l The other XA/21 system is in standby mode l Backup automatically takes over if primary system fails l 66 UAP controllers continue to operate even if all XA/21 systems fail © Copyright 2012 SISCO, Inc.

UAP Controller Redundancy l Three primary UAP controllers § each has an independent backup UAP controller § backup automatically takes over if its primary fails l l l 67 All six primary UAPs at GCC and AGCC are always running All six primary UAP controllers all receive A and B GOOSE data and run the same RAS analytics All six primary UAP controllers all output mitigation requests Mitigation relays “count the vote” and perform the mitigation if a majority vote is received (i. e. two or more) CRAS system can still mitigate with only two of six UAP controllers running. The two CRAS must be on the same side, A or B. © Copyright 2012 SISCO, Inc.

e. DNA Redundancy l l l 68 e. DNA historian is clustered and contains at least two e. DNA servers that can respond to requests Storage devices are RAID 10 so that disk storage cannot be a single point of failure e. DNA historian manages the cluster internally so that it appears as one historian to the UAP © Copyright 2012 SISCO, Inc.

Oracle RDBMS Redundancy l l 69 Oracle RDBMS has a Real Application Cluster (RAC) architecture RAC architecture means that there are multiple Oracle servers running that can write to the mirrored database files so there is no single point of failure © Copyright 2012 SISCO, Inc.

SAN Storage l l 70 SAN is Storage Area Network - a high-speed subnetwork of shared storage devices Storage devices are Raid 10 – Mirrored drives with striping for higher performance Includes hot spares which are used to automatically replace and rebuild a failed drive 5. 3 TB of storage © Copyright 2012 SISCO, Inc.

CRAS Inter-site Redundancy 71 © Copyright 2012 SISCO, Inc.

CRAS Inter-site Redundancy l l 72 GCC Operations system is completely duplicated at AGCC Only one of the GCC and AGCC XA/21 EMS systems is active at a time. If GCC XA/21 EMS fails, the XA/21 EMS at AGCC can steer the RASs Three UAP controllers at both GCC and AGCC are active for a total of six. Both sets of UAPs receive GOOSE messages and can mitigate Mitigation will occur if there is a two of three vote from either side © Copyright 2012 SISCO, Inc.

Communication Availability Requirements l l 73 Communication system must meet 99. 95% end-toend availability A and B sides are independent and each contributes to availability. If only one side is communicating the communication system is available. © Copyright 2012 SISCO, Inc.

Communication Availability Assumptions l The availability calculations in the next slides assume the following mean time to replace: § Control center equipment – 2 hours § Aggregation layer equipment – 4 hours § Substation equipment – 6 hours 74 © Copyright 2012 SISCO, Inc.

Communication Availability by Component l 75 Given the MTBF below, the availability of the

Communication Availability Summary l The communication system availability can be summarized below l 76

The Standards Based Integration Company Systems Integration Specialists Company, Inc. GCC Quality / Test

Quality / Test A (Redundant) – GCC Only l l Used to test new or modified configurations and RASs before installing them on the Operations System Mirror image of Operations System: § Redundant XA/21 CCS § Three sets of redundant UAP controllers (six total) § Redundant e. DNA historians § Two Oracle RDBMS in a cluster l 78 Communications network includes the core and aggregation layers and the edge network for one substation © Copyright 2012 SISCO, Inc.

Quality / Test B (Non -Redundant) – GCC Only l l Used to test new or modified configurations and RASs before installing them on the Operations System Same as Operations System except non-redundant: § One XA/21 CCS § Three UAP controllers § One e. DNA historian § One Oracle RDBMS l 79 Communications network includes the core and aggregation layers and the edge network for one substation © Copyright 2012 SISCO, Inc.

The Standards Based Integration Company Systems Integration Specialists Company, Inc. GCC Development Systems ©

Development Systems l Used to develop new or modified configurations and RASs l Two separate systems. Each has: § One XA/21 CCS with Oracle § Three UAP controllers § One e. DNA historian l 81 Also have servers for Kickstart, Clearcase, UAP builds, etc. © Copyright 2012 SISCO, Inc.

Database / Display Development Systems l Used to develop new or modified database configurations

Master Edit Process 83 © Copyright 2012 SISCO, Inc.

Master Edit Process l l Promoted to Development system l Tested in Quality/Test system l Installed in Production environment l 84 Changes are made at the Database and Display system Process is orderly and controlled and the user only has to enter the modifications once © Copyright 2012 SISCO, Inc.

The Standards Based Integration Company Systems Integration Specialists Company, Inc. Melbourne Support System ©

Melbourne Support System l Located at GE’s facility in Melbourne, FL l Used for remote support l Consists of § One XA/21 CCS § Three UAP controllers § One e. DNA historian § One Oracle RDBMS l 86 Also have servers for Clearcase and UAP builds © Copyright 2012 SISCO, Inc.

The Standards Based Integration Company Systems Integration Specialists Company, Inc. Communications Architecture © Copyright

Communication Architecture 88 © Copyright 2012 SISCO, Inc.

EMS – CRAS Platform Communications l EMS to CRAS Platform communications § RAS steering commands § Sending data (e. g. measurements) unavailable to the RAS l CRAS Platform to EMS communications § RAS status and intermediate values § IED and IED communication status l l 89 Communications between EMS XA/21 and CRAS XA/21 are via ICCP Communications between CRAS XA/21 and UAPs are via Web Services © Copyright 2012 SISCO, Inc.

Communications Components 90 © Copyright 2012 SISCO, Inc.

Core Network Communications Components l Routers and switches create three isolated LANs for § GOOSE A traffic § GOOSE B traffic § Maintenance traffic l 91 Utility Server provides access to the relays for corporate users © Copyright 2012 SISCO, Inc.

Substation Communications Components – Switches and Routers l l 92 Substation switches and routers are used to isolate A and B traffic Provide two isolated LANs for GOOSE messaging and an additional LAN for maintenance © Copyright 2012 SISCO, Inc.

Substation Communications Components - Relays l l 93 Monitoring relays collect fast sampling power system measurements, e. g. line flows and breaker status Monitoring relays are redundant (A&B) Mitigation relays receive control commands from the CRAS system and immediately trip generating units or loads There is one mitigation relay for each side (A&B) with 3 signals (one per redundant UAP pair) going into each one. Two of three signals on either side must be commanded to trip before the trip action will occur © Copyright 2012 SISCO, Inc.

GOOSE Communications l l 94 Fast Ethernet transport Layer-2 IEC 61850 GOOSE messages for high speed measurement and control GOOSE messages are high priority (line statuses and mitigations) and low priority (line flows and other measurements) Different VLANs are used for high and low priority messages Heartbeats are sent by the relays and the UAPs so that other elements know that they are alive and reachable © Copyright 2012 SISCO, Inc.

Communication Paths 95 © Copyright 2012 SISCO, Inc.

Aggregation Layer Communications Components l l 96 Substation components are considered the edge network The aggregation layer exists at a regional level Communication components at the GCC and AGCC are considered the core network. Components at aggregation level consolidate communications from regional substations so that the number of connections to the core network remains manageable after all substations are rolled into CRAS project © Copyright 2012 SISCO, Inc.

The Standards Based Integration Company Systems Integration Specialists Company, Inc. Communication Performance © Copyright

Communication Performance Requirements l l 98 Response time must be less than or equal to 50 milliseconds from time event is detected to time mitigation action is taken To calculate message transit time, must know length of message © Copyright 2012 SISCO, Inc.

GOOSE Header Size l 99 The GOOSE header structure below gives the GOOSE message

GOOSE Data Size l 100 The number of analog and status values transmitted will

GOOSE Frame Size l 101 Before leaving the relay, Ethernet and VLAN overhead must

GOOSE Packet Size l 102 WAN encapsulation overhead is added to the GOOSE frame

Communication Latency Event Through UAP With the previous packet sizes, the latency of the

Communication Latency From UAP to Trip With the previous packet sizes, the latency of the GOOSE message from the UAP to the trip is l l 104 Total is 32. 178 msec for a grand total of 32. 2 msec © Copyright 2012 SISCO, Inc.

SCE Communication Time l With a message latency of 32. 2 msec and a

The Standards Based Integration Company Systems Integration Specialists Company, Inc. Use Case © Copyright

Operator Disables RAS Use Case l Pre Event Conditions § All systems and equipment are operating normally § All RASs are enabled § No RASs are armed § No contingencies are in effect 107 © Copyright 2012 SISCO, Inc.

Operator Disables RAS – Normal Flow 1. An XA/21 operator with appropriate permissions selects the Kramer RAS Operational Status from the RAS Detail display 2. The XA/21 operator selects the Control Options tab for the Kramer RAS Operational Status 3. The XA/21 operator selects the Disable state from Control Options tab for the Kramer RAS Operational Status 4. The XA/21 operator selects Execute from Control Options tab for the Kramer RAS Operational Status 108 © Copyright 2012 SISCO, Inc.

Operator Disables RAS – Normal Flow 5. The Disable message is sent to all UAPs on A & B sides 6. The Disable control request for Kramer RAS Operational Status by XA/21 operator is logged as an event at CRAS and EMS 7. The Disable request is received at all UAPs on A & B sides 8. All UAPs disable the Kramer RAS which prevents mitigation requests being issued by the Kramer RAS 9. The primary UAPs send the Disable request and the success status to the e. DNA historian 109 © Copyright 2012 SISCO, Inc.

Operator Disables RAS – Normal Flow 10. New Kramer RAS status on all UAPs is sent to the XA/21 consoles 11. Commanded Change of State events are generated for each status change at the XA/21 consoles 12. New Kramer RAS status is displayed on XA/21 consoles 13. An XA/21 operator with appropriate permissions selects the Kramer RAS Operational Status from the RAS Detail display 14. The XA/21 operator selects the Control Options tab for the Kramer RAS Operational Status 110 © Copyright 2012 SISCO, Inc.

Operator Disables RAS – Normal Flow 15. The XA/21 operator selects the Enable state from Control Options tab for the Kramer RAS Operational Status 16. The XA/21 operator selects Execute from Control Options tab for the Kramer RAS Operational Status 17. The Enable message is sent to all UAPs on A & B sides 18. The Enable control request for Kramer RAS Operational Status by XA/21 operator is logged as an event at CRAS and EMS 19. The Enable request is received at all UAPs on A & B sides 111 © Copyright 2012 SISCO, Inc.

Operator Disables RAS – Normal Flow 20. All UAPs enable the Kramer RAS which re-enables the issuing of mitigations by the Kramer RAS 21. The primary UAPs send the Enable request and the success status to the e. DNA historian 22. New Kramer RAS status on all UAPs is sent to the XA/21 consoles 23. Commanded Change of State events are generated for each status change at the XA/21 consoles 24. New Kramer RAS status is displayed on XA/21 consoles 112 © Copyright 2012 SISCO, Inc.

Operator Disables RAS Use Case l Post Event Conditions § All systems and equipment are operating normally § All RASs are enabled § No RASs are armed § No contingencies are in effect 113 © Copyright 2012 SISCO, Inc.

The Standards Based Integration Company Systems Integration Specialists Company, Inc. Group Quiz © Copyright

Operator Disables RAS Use Case l Pre Event Conditions § All systems and equipment are operating normally § All RASs are enabled § No RASs are armed § No contingencies are in effect 115 © Copyright 2012 SISCO, Inc.

Operator Disables RAS – Alternate Flow 1. An XA/21 operator with appropriate permissions selects the Kramer RAS Operational Status from the RAS Detail display A) Operator does not have permissions to change RAS state on XA/21 console B) Operator has permission on XA/21 but not on UAP 2. The XA/21 operator selects the Control Options tab for the Kramer RAS Operational Status 3. The XA/21 operator selects the Change from Control Options tab for the Kramer RAS Operational Status C) The XA/21 operator selects the Change Arming Level tab D) The XA/21 operator selects the Disable Contingency tab 116 © Copyright 2012 SISCO, Inc.

Operator Disables RAS – Alternate Flow 4. The XA/21 operator selects Execute from Control Options tab for the Kramer RAS Operational Status 5. The Disable message is sent to all UAPs on A & B sides 6. The Disable control request for Kramer RAS Operational Status by XA/21 operator is logged as an event at CRAS and EMS 7. The Disable request is received at all UAPs on A & B sides E) The Disable message is not received by the A 1 UAP F) UAP A 1 fails just after it receives the Disable message 117 © Copyright 2012 SISCO, Inc.

Operator Disables RAS – Alternate Flow 8. All UAPs disable the Kramer RAS which prevents mitigation requests being issued by the Kramer RAS 9. The primary UAPs send the Disable request and the success status to the e. DNA historian 10. New Kramer RAS status on all UAPs is sent to the XA/21 consoles 11. Commanded Change of State events are generated for each status change at the XA/21 consoles 12. New Kramer RAS status is displayed on XA/21 consoles 118 © Copyright 2012 SISCO, Inc.

Operator Disables RAS – Alternate Flow 13. An XA/21 operator with appropriate permissions selects the Kramer RAS Operational Status from the RAS Detail display 14. The XA/21 operator selects the Control Options tab for the Kramer RAS Operational Status 15. The XA/21 operator selects the Enable state from Control Options tab for the Kramer RAS Operational Status 16. The XA/21 operator selects Execute from Control Options tab for the Kramer RAS Operational Status 17. The Enable message is sent to all UAPs on A & B sides 119 © Copyright 2012 SISCO, Inc.

Operator Disables RAS – Alternate Flow 18. The Enable control request for Kramer RAS Operational Status by XA/21 operator is logged as an event at CRAS and EMS 19. The Enable request is received at all UAPs on A & B sides 20. All UAPs enable the Kramer RAS which re-enables the issuing of mitigations by the Kramer RAS 21. The primary UAPs send the Enable request and the success status to the e. DNA historian 22. New Kramer RAS status on all UAPs is sent to the XA/21 consoles 120 © Copyright 2012 SISCO, Inc.

Operator Disables RAS – Alternate Flow 23. Commanded Change of State events are generated for each status change at the XA/21 consoles 24. New Kramer RAS status is displayed on XA/21 consoles 121 © Copyright 2012 SISCO, Inc.