Passenger Rail Transportation Security Regulations: SOR/2020-222

Canada Gazette, Part II, Volume 154, Number 22

Registration
SOR/2020-222 October 6, 2020

RAILWAY SAFETY ACT

P.C. 2020-779 October 2, 2020

Her Excellency the Governor General in Council, on the recommendation of the Minister of Transport, pursuant to subsection 18(2.1)^{footnote a} of the Railway Safety Act ^{footnote b}, makes the annexed Passenger Rail Transportation Security Regulations.

Passenger Rail Transportation Security Regulations

Interpretation

Definitions

1 The following definitions apply in these Regulations.

host company means a railway company that authorizes a passenger company to operate on its railway. (compagnie hôte)
passenger company means a company whose operations include the transport of passengers by railway. (compagnie de transport de voyageurs)
small passenger company means a passenger company that transported fewer than 60,000 passengers in one of the two previous calendar years. (petite compagnie)
train means all the pieces of railway equipment that are joined together and that move as a unit for the transport of passengers. (rame ferroviaire)

PART 1

Security Awareness Training

Security awareness training program

2 (1) A passenger company and host company must have a security awareness training program that promotes a culture of vigilance with respect to passenger rail transportation security.

Program training topics

(2) The security awareness training program must cover the following topics:

(a) a description of the main security risks related to passenger rail transportation;
(b) any potential threats and other security concerns related to passenger rail transportation and how to recognize them;
(c) the actions to be taken to deal with potential threats and other security concerns; and
(d) any measures of the passenger company or host company that are designed to enhance passenger rail transportation security.

Prescribed persons

(3) The passenger company or host company must ensure that any person employed by, and any person acting on behalf of, the company and who have any of the following duties relating to the transport of passengers, as well as the direct supervisors of those persons, undergo security awareness training:

(a) operating, maintaining or inspecting railway equipment or railway works;
(b) controlling the dispatch or movement of railway equipment;
(c) ensuring the security of railway equipment and railway works;
(d) loading or unloading goods to or from railway equipment;
(e) interacting with the public for the purposes of railway transportation; or
(f) ensuring compliance with its security processes, including those set out in their security plan.

Provision of training

(4) The passenger company or host company must ensure that security awareness training is provided to the person

(a) within 90 days after the day on which this section comes into force, unless the person has received equivalent security awareness training before that day;
(b) within 90 days after the day on which the person initially assumed any of the duties referred to in subsection (3) with that company, if the duties were assigned to that person after the day on which this section comes into force; and
(c) on a recurrent basis at least once every three years after the day on which the person completed their previous training, including any equivalent security awareness training received before the day on which this section comes into force.

Supervision

(5) The passenger company or host company must ensure that, until the person undergoes the security awareness training, the person performs their duties under the supervision of a person who has undergone that training.

Training records

(6) The passenger company or host company must ensure that a training record is kept for each person who has undergone security awareness training and that the record

(a) is kept up to date;
(b) includes the person’s name and details of their most recent training, including the date, duration and the title of the training, the delivery method and the name of the provider of the training;
(c) includes the title and the date of any previous security awareness training taken by the person; and
(d) is retained for at least two years after the day on which the person ceases to be employed by, or ceases to act on behalf of, the company.

Retention of training materials

(7) The passenger company or host company must ensure that a copy of the most recent awareness training materials is kept.

PART 2

Coordination and Reporting

Rail security coordinator

3 (1) A passenger company and host company must have, at all times, a rail security coordinator or an acting rail security coordinator.

Contact information

(2) The passenger company and host company must provide the Minister with

(a) the name and job title of the rail security coordinator or acting rail security coordinator; and
(b) the 24-hour contact information for the rail security coordinator or acting rail security coordinator.

Duties — passenger company

(3) The passenger company must ensure that the rail security coordinator or acting rail security coordinator

(a) coordinates security matters within the passenger company;
(b) acts as the principal contact between the passenger company and the Minister with respect to security matters; and
(c) coordinates communications between the passenger company, the host company, law enforcement and emergency response agencies with respect to security matters.

Duties — host company

(4) The host company must ensure that the rail security coordinator or acting rail security coordinator

(a) acts as the principal contact between the host company and the Minister with respect to security matters related to passenger rail transportation on its railway; and
(b) coordinates communications between the host company, passenger companies that operate on its railway, law enforcement and emergency response agencies with respect to security matters related to passenger rail transportation on its railway.

Security Reporting

4 (1) A passenger company or host company must report to the Transport Canada Situation Centre, by any direct means of communication established and communicated by the Centre, any threat or other security concern that results or may result in an unlawful interference with passenger rail transportation. The report must be made as soon as feasible but no later than 24 hours after the occurrence of the threat or other security concern.

Threats and other security concerns

(2) Threats and other security concerns include

(a) any interference with the work of a train crew or service personnel;
(b) any bomb threats, either specific or non-specific;
(c) any report or discovery of a suspicious item;
(d) any suspicious activity observed on, inside or near railway equipment or railway works used by that company;
(e) the discovery, seizure or discharge of a weapon, explosive substance or incendiary device on, inside or near railway equipment or railway works used by that company;
(f) any sign of tampering with railway equipment or railway works;
(g) any information relating to the possible surveillance of railway equipment or railway works; and
(h) any suspicious person, circumstance or object that the passenger company or host company considers to be a threat or other security concern.

Information to be provided

(3) The information provided must include, to the extent known, the following:

(a) the passenger company’s or host company’s name and contact information, including its telephone number and email address;
(b) the name of the person who is making the report on behalf of the passenger company or host company and the person’s title and contact information, including their telephone number and email address;
(c) any information that identifies any train that is affected by the threat or other security concern, including its itinerary and line or route position;
(d) any information that identifies any railway equipment or railway works that is affected by the threat or other security concern;
(e) a description of the threat or other security concern, including the date and time that the passenger company or host company became aware of it;
(f) the names of the persons involved in the threat or other security concern, and any other information related to those persons, if the disclosure of those names and that information is permitted; and
(g) the source of any threat information or other security concern, if its disclosure is permitted.

Follow-up information

(4) The passenger company or host company must provide to the Transport Canada Situation Centre any information referred to in subsection (3) that was not previously reported, as soon as it becomes known.

Avoidance of double reporting — other company

(5) The passenger company or host company is not required to make a report under this section if the same threat or other security concern has been reported by another company under this section.

Provision of information — passenger company

(6) A passenger company that operates on a host company’s railway must, as soon as feasible, notify the host company if the passenger company becomes aware of a threat or other security concern that could impact the operations of the host company.

Provision of information — host company

(7) A host company must, as soon as feasible, notify a passenger company that operates on its railway if the host company becomes aware of a threat or other security concern that could impact the operations of the passenger company.

PART 3

Security Inspections

Security inspections

5 (1) For the purposes of this section, car means a piece of railway equipment that is used for passenger rail transportation and includes a baggage car, a dining car, a sleeping car, a lounge car, an observation car, the locomotive and any freight car that can be subjected to a walk-through inspection.

Process

(2) A passenger company must establish and document a process with respect to security inspections, including

(a) a procedure for conducting security inspections;
(b) a method for determining whether security has been compromised;
(c) a method for determining whether additional security inspections are necessary if, having regard to the circumstances, security could be compromised;
(d) a method for addressing the situation, if security has been compromised, before the train enters into service; and
(e) a method for preventing unauthorized interference with the train after the inspection and until passengers board the train.

Inspection

(3) In order to ensure that there are no security concerns related to passenger rail transportation, a passenger company must ensure that security inspections consist of both a ground-level visual inspection of the exterior of the train and an inspection of the interior of each car and are carried out in accordance with the process set out in subsection (2).

Time of inspection

(4) The passenger company must ensure that a security inspection is carried out before the train enters service for the day. In all cases, the inspection must be carried out before passengers board the train.

Additional inspections

(5) The passenger company must ensure that additional security inspections are carried out after the train enters service for the day, if it is determined, in accordance with the method referred to in paragraph (2)(c), that they are necessary.

Protection of train

(6) When the security inspection is carried out before passengers board the train, the passenger company must ensure that the train is protected from unauthorized interference from the start of the security inspection until passengers board the train.

Signs of tampering, suspicious objects and other things

(7) If signs of tampering or the presence of a suspicious object or any other thing that raises security concerns is discovered during the security inspection, the passenger company must determine whether security has been compromised.

Compromise of security

(8) If it is determined that security has been compromised, the passenger company must ensure the situation is resolved before allowing the train to enter into service.

Records

(9) The passenger company must keep a record of each security inspection and ensure that the record contains the following information:

(a) the time and date of the inspection;
(b) the information identifying the train that was inspected;
(c) the name of the person who conducted the inspection;
(d) the details of any signs of tampering, suspicious objects or other things that raise security concerns; and
(e) the measures taken to resolve the situation, if the company determined that security was compromised.

Retention period

(10) The passenger company must retain the record for three years after the day on which the security inspection is conducted.

PART 4

Security Risk Assessment

Security risk assessment

6 (1) A passenger company, other than a small passenger company, must conduct a security risk assessment of its network and operations that are related to passenger rail transportation in Canada that identifies, describes, assesses and prioritizes security risks and that

(a) is based on the following elements:
- (i) current security threats, including security threat information received from a federal department or agency and threats or immediate threats identified in an instrument made by an inspector under section 31 of the Railway Safety Act or by the Minister under section 33 or 39.1 of that Act;
- (ii) operations, railway equipment, railway works and other assets that are deemed critical and that most require protection from acts and attempted acts of unlawful interference with passenger rail transportation;
- (iii) security vulnerabilities, including those identified during daily operations, in security reports made under section 4, during security inspections carried out under section 5 and during security exercises carried out under section 9; and
- (iv) potential impacts, including a decrease in public safety and security, loss of life, damage to property or the environment, disruption of rail transportation and financial and economic loss;
(b) identifies, for each risk, the likelihood that the risk will occur and the severity of the impact that it could have if it occurs; and
(c) identifies potential safeguards intended to mitigate the risks identified.

Report

(2) The security risk assessment must be documented in a report within 30 days after the day on which the assessment is completed and the report must

(a) indicate the date of completion of the assessment; and
(b) contain all the information referred to in subsection (1).

Subsequent risk assessments

(3) A passenger company, other than a small passenger company, must conduct a new security risk assessment within three years after the date of completion of the current security risk assessment, or any assessment that is carried out before the day on which this section comes into force and that meets the requirements of this section.

Review

(4) A passenger company, other than a small passenger company, must review its security risk assessment within seven days after the day on which

(a) there is a change in circumstances that is likely to adversely affect passenger rail transportation security;
(b) an instrument that identifies a threat or an immediate threat to passenger rail transportation security that is not described in the assessment is made by an inspector under section 31 of the Railway Safety Act or by the Minister under section 33 or 39.1 of that Act; or
(c) the company identifies a significant security vulnerability that is not described in the assessment.

Periodic review

(5) A passenger company, other than a small passenger company, must review its security risk assessment at least once every 12 months. A new risk assessment conducted under subsection (3) or a review conducted under subsection (4) is a review for the purposes of this subsection.

Requirements for review

(6) As part of a review referred to in subsection (4) or (5) — with the exception of a new risk assessment referred to in subsection (5) — a passenger company, other than a small passenger company, must

(a) identify, describe, assess and prioritize any new security risks in accordance with subsection (1); and
(b) document the review in the report on the current security risk assessment, including the date of the review, the reason for the review under subsection (4) or (5) and any new risks that have been identified, their priority level and the potential security safeguards, if applicable.

PART 5

Security Plan

Security plan — objectives

7 (1) A passenger company, other than a small passenger company, must have and implement a security plan that contains measures to be taken to prevent, detect, mitigate, respond to and recover from acts or attempted acts of unlawful interference with passenger rail transportation.

Strategy

(2) In order to meet the objectives of subsection (1), the security plan must set out

(a) a risk management strategy that addresses the risks prioritized as medium or higher in the company’s most recent security risk assessment and all other risks that require remedial action; and
(b) additional safeguards that are intended to mitigate heightened risk conditions in a graduated manner.

Requirements

(3) The security plan must

(a) be in writing;
(b) identify, by job title, a senior manager responsible for the plan’s overall development, approval and implementation;
(c) describe the organizational structure, identify the departments that are responsible for implementing the plan or any portion of it and identify each position whose incumbent is responsible for implementing the plan or any portion of it;
(d) describe the security duties of each identified department and position;
(e) set out a process for notifying each person who is responsible for implementing the plan or any portion of it when the plan or that portion of it must be implemented;
(f) set out a program for the security awareness training required under section 2 and the components of the security plan training referred to in section 8, including a method to ensure that persons who undergo the security plan training acquire the knowledge and skills required under subsection 8(3);
(g) set out a process with respect to security risk assessments required under section 6, including
- (i) a procedure for conducting security risk assessments, and
- (ii) a method for assessing and prioritizing the risk;
(h) set out a process with respect to remedial actions that are part of the risk management strategy referred to in subsection (2), including
- (i) a method for identifying security risks that require remedial action, and
- (ii) a method for implementing remedial actions and for evaluating their effectiveness;
(i) set out a process for selecting and implementing additional safeguards required under paragraph (2)(b);
(j) describe the remedial actions, including their effectiveness in reducing or eliminating the risks, and the additional safeguards that are part of the risk management strategy referred to in subsection (2);
(k) set out the process with respect to security inspections referred to in subsection 5(2);
(l) set out a process with respect to security exercises referred to in section 9, including procedures for conducting security exercises;
(m) set out a process for responding to threats and other security concerns, including procedures for communicating and coordinating with the host company, if applicable;
(n) set out a process for reporting threats and other security concerns;
(o) set out a process for reviewing the security plan;
(p) include the report on the most recent security risk assessment required under section 6; and
(q) set out a policy on limiting access to security-sensitive information and set out measures for the sharing, storing and destruction of that information.

Implementation — remedial actions and safeguards

(4) A passenger company, other than a small passenger company, must implement the remedial actions and additional safeguards referred to in subsection (2), in accordance with the security plan.

Timelines — remedial actions

(5) A passenger company, other than a small passenger company, must establish timelines for implementing each remedial action and for evaluating its effectiveness in reducing or eliminating the risks.

Effectiveness — remedial actions

(6) A passenger company, other than a small passenger company, must evaluate the effectiveness of each remedial action that has been implemented in reducing or eliminating the risks.

New remedial action

(7) If the remedial action is not effective in reducing or eliminating some of the risks, the passenger company must identify additional remedial actions or a new remedial action to address those risks.

Security plan management

(8) A passenger company, other than a small passenger company, must

(a) make available to each person who is responsible for implementing the security plan the portions of the security plan that are relevant to the duties of that person;
(b) review the security plan at least once every 12 months after the day on which this section comes into force;
(c) amend the security plan if it does not reflect the most recent security risk assessment;
(d) amend the security plan if deficiencies that could adversely impact the security of passenger rail transportation are identified in the security plan, including those identified during the security exercises;
(e) conduct a comprehensive review of the security plan within three years after the day on which this section comes into force and subsequently within three years from the date of completion of the last comprehensive review;
(f) notify the persons referred to in paragraph (a) of any amendments to the relevant portions of the security plan; and
(g) provide a copy of the security plan to the Minister within 30 days after the day on which this section comes into force or after a comprehensive review is conducted under subsection (e), and a copy of the amended portions of the security plan within 30 days after an amendment is made under paragraph (c) or (d).

Security plan training

8 (1) A passenger company, other than a small passenger company, must ensure that the following persons employed by, or acting on behalf of, the company undergo training on the components of the security plan referred to in paragraphs 7(3)(c) to (e), (g), (m), (n) and (q), and any other components that are relevant to the person’s duties:

(a) persons responsible for the development and implementation of the plan or any portion of it; and
(b) any other person with duties referred to in paragraph 7(3)(d) and for whom the training is considered necessary to ensure the effective implementation of the security plan.

Provision of training

(2) A passenger company, other than a small passenger company, must ensure that the training is provided to those persons

(a) within 90 days after the day on which this section comes into force, unless those persons have received equivalent training on the security plan before that day;
(b) within 90 days after the day on which those persons initially assume the duties referred to in subsection (1), if their duties are assigned after the day on which this section comes into force; and
(c) on a recurrent basis at least once every three years after the day on which those persons completed their previous training, including any equivalent training on the security plan received before the day on which this section comes into force.

Knowledge and skills

(3) A passenger company, other than a small passenger company, must ensure that persons, on completion of the training, have acquired the knowledge and skills required to carry out the duties referred to in subsection (1).

Supervision

(4) A passenger company, other than a small passenger company, must ensure that, until those persons complete the training, they perform their duties under the close supervision of a person who has completed the training on the overall security plan.

Training on amended plan

(5) A passenger company, other than a small passenger company, that amends its security plan in a way that significantly affects the security duties of a person referred to in subsection (1) must ensure that, within 30 days after the day on which the amendments are implemented, the person is provided with training on the amendments.

Training records

(6) A passenger company, other than a small passenger company, must keep a training record for each person who has undergone the security plan training and must ensure that the record

(a) is kept up to date;
(b) contains the person’s name and details of the most recent training they received under subsections (1) and (5), including the date, duration and title of the training and the components of the security plan that were covered;
(c) contains the title and the date of any previous security plan training taken by the person; and
(d) is retained for at least two years after the day on which the person ceases to be employed by, or ceases to act on behalf of, that company.

Retention of training materials

(7) A passenger company, other than a small passenger company, must ensure that a copy of the most recent training materials is kept.

PART 6

Security Exercises

Operations-based security exercise

9 (1) A passenger company, other than a small passenger company, must carry out, at least once every five years after the day on which section 7 comes into force or, in the case of a passenger company created after the day on which section 7 comes into force, within five years after the day of its creation, an operations-based security exercise that is designed to address acts or attempted acts of unlawful interference with passenger rail transportation and that tests

(a) the effectiveness of the security plan and its implementation with respect to
- (i) the elements of the risk management strategy that are relevant to the scenario selected for the exercise,
- (ii) the additional safeguards set out in the security plan that are relevant to the scenario selected for the exercise, and
- (iii) the process for responding to threats and other security concerns; and
(b) the proficiency of persons in performing security duties that are relevant to the scenario selected for the exercise.

Deemed — security exercises

(2) The implementation of safeguards in response to a heightened risk condition may be considered an operations-based security exercise if it tests

(a) the effectiveness of the security plan and its implementation with respect to
- (i) the elements of the risk management strategy that are relevant to the heightened risk condition,
- (ii) the additional security safeguards set out in the security plan that are relevant to the heightened risk condition, and
- (iii) the process for responding to the heightened risk condition; and
(b) the proficiency of persons in performing security duties that are relevant to responding to the heightened risk condition.

Notice

(3) A passenger company, other than a small passenger company, must give the Minister 45 days’ notice of any operations-based security exercise that it plans to carry out.

Discussion-based security exercise

(4) A passenger company, other than a small passenger company, must carry out a discussion-based security exercise at least once every year after the day on which section 7 comes into force or, in the case of a passenger company created after the day on which section 7 comes into force, from the day of its creation, in order to address acts or attempted acts of unlawful interference with passenger rail transportation and that tests the effectiveness of the security plan with respect to

(a) the elements of the risk management strategy that are relevant to the scenario selected for the exercise;
(b) the additional safeguards set out in the security plan that are relevant to the scenario selected for the exercise; and
(c) the process for responding to security threats or other security concerns.

Notice

(5) A passenger company, other than a small passenger company, must give the Minister 45 days’ notice of any discussion-based security exercise that it plans to carry out.

Deemed

(6) An operations-based security exercise carried out under subsection (1) or referred to in subsection (2) is considered to be a discussion-based security exercise.

Participants

(7) A passenger company, other than a small passenger company, must ensure, to the extent possible, that persons with security duties that are relevant to the scenario selected for the exercise participate in the exercise referred to in subsection (1) or (4). In addition, the company must invite host companies and law enforcement and emergency response agencies to participate in the exercise, if their participation is relevant to the scenario.

Records

(8) A passenger company, other than a small passenger company, must create a record of each exercise carried out under subsections (1), (2) and (4) within 30 days after the date of the exercise and must ensure that the record contains the following information:

(a) the date of the exercise;
(b) the names of participants;
(c) a list of the companies and agencies that were invited;
(d) a description of the exercise scenario or, in the case of the exercise referred to in subsection (2), a description of the heightened risk condition;
(e) a description of the results of the exercise with respect to the elements tested in accordance with subsection (1), (2) or (4), as applicable; and
(f) a description of potential actions to address deficiencies that were identified during the exercise and that could adversely impact the security of passenger rail transportation.

Retention period

(9) A passenger company, other than a small passenger company, must ensure the record of each exercise is retained for three years after the date of the exercise.

Actions

(10) A passenger company, other than a small passenger company, must implement any action to address deficiencies that were identified during the exercise and that could adversely impact the security of passenger rail transportation.

Coming into Force

Registration

10 (1) Subject to subsections (2) to (4), these Regulations come into force on the day on which they are registered.

Three months after registration

(2) Sections 2 and 5 come into force on the day that, in the third month after the month in which these Regulations are registered, has the same calendar number as the day on which they are registered or, if that third month has no day with that number, the last day of that third month.

Nine months after registration

(3) Sections 6 and 7 come into force on the day that, in the ninth month after the month in which these Regulations are registered, has the same calendar number as the day on which they are registered or, if that ninth month has no day with that number, the last day of that ninth month.

Fifteen months after registration

(4) Sections 8 and 9 come into force on the day that, in the fifteenth month after the month in which these Regulations are registered, has the same calendar number as the day on which they are registered or, if that fifteenth month has no day with that number, the last day of that fifteenth month.

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Regulations.)

Executive summary

Issues: Passenger rail systems are important to the economic and social well-being of Canadians, and the extensive and accessible nature of these systems makes them vulnerable to unlawful interference. Attempts have been made to target passenger rail transportation in Canada and the United States (U.S.), and attacks in Spain, the United Kingdom, Russia, China and Belgium have resulted in significant loss of life and property damage. Regulatory intervention is necessary to ensure that passenger railway companies address the risk of potential attacks.
Description: The Passenger Rail Transportation Security Regulations (the Regulations) will require passenger railway and host companies^{footnote 1} to effectively manage their security risks by implementing risk-based security practices, including security awareness training, security risk assessments, security plans, security plan training, designation of a rail security coordinator, security inspections, security exercises and security incident reporting.
Rationale: The Regulations will require that passenger railway and host companies engage in security planning processes and risk management activities that will increase the likelihood that potential security incidents will be detected and prevented, and the consequences of such incidents will be mitigated. The Regulations are expected to result in total costs of $9,660,944 over 10 years for passenger railway and host companies under federal jurisdiction as well as for the Government of Canada.

To recognize the different operating environments and risk profiles, the Regulations will have fewer compliance requirements for small passenger railway companies, which will yield significant savings for these operators — roughly $156,000 over a 10-year time frame.

Issues

The passenger rail sector has unique security vulnerabilities due to its inherent open design and extensive networks. The current approach to managing security risks, through a voluntary Memorandum of Understanding (MOU) on Railway Security, is similar to the Regulations; however, the MOU only targets rail transportation in general, and does not specifically address the risks related to passenger rail operations. Furthermore, some federally regulated passenger railway companies are not currently participating in the MOU given that membership and compliance with the MOU is voluntary. Therefore, regulations are necessary to ensure that the passenger rail sector implements measures to address security risks.

Background

Passenger rail systems are important to the economic and social well-being of Canadians. A number of passenger railway companies operate in Canada, with three categories of rail service that vary in network size, geographic location and passenger numbers: intercity passenger rail, urban transit (including commuter, light rail and subway), and tourist rail, some of which are seasonal. As of 2019, there were 16 passenger railway companies under federal jurisdiction and 7 federal freight railway companies that host passenger railway companies on their networks. These include the major intercity railways and some transit and tourist passenger railways when they operate on federally regulated railway lines.

Passenger rail systems typically operate on a vast, open network with multiple public access points. In some cases, these systems connect to multimodal stations, operate on and are adjacent to freight rail networks transporting dangerous goods in major urban centres, and move millions of passengers daily. These characteristics make passenger rail systems vulnerable to security incidents, which could result in significant harm to both people and property.

Although there is no specific security threat to passenger rail systems in Canada at this time, security assessments conducted by the Government of Canada indicate that improvements can be made to passenger rail systems to protect against unlawful interference. As well, international events in which there have been attacks on rail systems have underscored the need for enhanced security precautions.

To date, Transport Canada (TC) and the rail industry have been working together through a voluntary framework to strengthen rail security, in part through a Memorandum of Understanding with the Railway Association of Canada (the “TC-RAC MOU on Railway Security” or the “MOU”) and its member signatories.^{footnote 2} The MOU outlines security components such as the development of security plans, conducting exercises, training and awareness, record keeping and reporting security incidents to TC’s Situation Centre.^{footnote 3}

The United States implemented basic passenger rail security regulations following the terrorist attacks on September 11, 2001, with requirements that passenger railroad carriers report potential threats and significant security concerns to the government^{footnote 4} and designate a rail security coordinator who serves as the primary security contact with the U.S. Transportation Security Administration (TSA), and coordinates “security practices and procedures with appropriate law enforcement and emergency response agencies.”^{footnote 5} In 2020, the TSA introduced new requirements that mandate security training for surface transportation employees including passenger rail personnel.^{footnote 6}

Objective

The objectives of the Regulations are to

support the Government of Canada’s overall mission to promote a safe, secure, efficient and environmentally responsible transportation system;
increase the likelihood that attempted security-related interference with passenger rail transportation is detected and prevented; and
mitigate the impacts of acts or attempted acts of security-related interference.

Description

The Regulations will address passenger rail system risks using a management-based approach that will require passenger and host railway companies to implement security processes to effectively manage their identified security risks. This approach will allow railway companies the flexibility to adopt security practices and measures that are best suited to their operations and adapt to a changing risk environment. Specific elements of the proposed Regulations include

1. Security awareness training;
2. Rail security coordinator;
3. Security reporting;
4. Security inspections;
5. Security risk assessment;
6. Security plan;
7. Security plan training; and
8. Security exercises.

The Regulations will also require passenger railway and host companies to keep records to document their compliance with these requirements.

1. Security awareness training

Persons employed by passenger and host railway companies, and persons acting on behalf of such companies, who have specific duties related to the transport of passengers will be required to undergo recurrent training on basic security topics every three years. Such basic security topics will include security risks related to passenger rail transportation, how to recognize potential threats and other security concerns, the actions to be taken by personnel in response to potential threats and other security concerns, and the company’s specific security measures and procedures.

2. Rail security coordinator

Passenger and host railway companies will be required to have a rail security coordinator to coordinate security practices within their companies, to act as the principal contact for security-related activities and communications between the company and the Minister of Transport, and to coordinate communication between the company, other passenger or host railway companies, law enforcement and emergency response agencies.

3. Security reporting

Passenger railway and host companies will be required to report potential threats and other security concerns to TC’s Situation Centre as soon as feasible, but no later than 24 hours after the occurrence of the threat or other security concern. Follow-up information about the incident will also be reportable as soon as it becomes known. The Regulations will provide a list of reportable threats and concerns (e.g. bomb threats, reports or discoveries of suspicious items, signs of tampering with rail equipment or railway works).

4. Security inspections

Passenger railway companies will be required to carry out a ground-level visual security inspection of the exterior of the passenger train and inspections of the interior of each car prior to entering service for the day. A passenger railway company may complete its security inspection as required at any time prior to entering service for the day, as long as it keeps the train secure after the inspection and until passengers board the train. The purpose of the inspection will be to detect any suspicious object, person or circumstance that could endanger the security of rail transportation. Additional inspections could be undertaken after the passenger train enters service for the day, if necessary under the security plan.

5. Security risk assessment

A passenger railway company, other than a small passenger company (i.e. a passenger company that transported fewer than 60 000 passengers in one of the two previous calendar years), will be required to conduct a security risk assessment of its network and operations that identifies, describes, assesses and prioritizes rail security risks. The assessment will be based on key elements, including current security threats, critical assets, security vulnerabilities, and the potential impacts of a successful act of unlawful interference. The risk assessment will identify, for each risk, the likelihood that the risk will occur, the severity of potential impacts if it occurs, and potential security safeguards to mitigate the identified risks. In addition, large passenger railway companies will be required to review their security risk assessments at least every 12 months, and conduct a new assessment no more than three years after their current assessment was finalized.

6. Security plan

A passenger railway company, other than a small passenger company, will be required to implement a security plan that aims to prevent, detect, mitigate, respond to and recover from acts or attempted acts of unlawful interference with passenger rail transportation. Security plans will be required to include a risk-management strategy that addresses the risks identified and prioritized in the company’s security risk assessment, and additional security safeguards that are intended to mitigate heightened risk conditions. The Regulations will set out general elements that must be included in each railway company’s security plan, including a program for security awareness and security plan training, a process for conducting security risk assessments, remedial actions and safeguards, security inspections, security exercises and security incident reporting. Large passenger railway companies will be required to review their security plans at least once every 12 months and conduct a comprehensive review of their plan at least once every three years. The annual review will include assessing whether the plan addresses any new risks identified during the most recent security risk assessment (e.g. annual review of risk assessment). The comprehensive review will be based on the new risk assessment that passenger railway companies are required to conduct every three years.

7. Security plan training

A passenger railway company with a security plan will be required to ensure that an employee who has responsibilities related to the development and implementation of the plan, or has security duties according to the plan, undergoes training on key elements of the security plan and any other relevant portions of the plan as it relates to their role. The company will also be required to ensure that the employee has the knowledge and skills to implement the portion of the plan that they are responsible for, and to carry out their security roles and responsibilities. Training will also be required on a recurrent basis (at least once every three years) and when there are significant amendments made to the plan.

8. Security exercises

A passenger railway company, other than a small passenger company, will be required to carry out operations-based security exercises (every five years) and discussion-based security exercises (every year) that will test the effectiveness of their security plans. A discussion-based exercise will not be required in a year when an operations-based exercise is conducted. Typically, an operations-based security exercise is a simulated security incident in which the railway company could perform the tasks expected of them in a real emergency. In contrast, a discussion-based security exercise generally simulates a security incident facilitated via participant discussions and not directly through operational activities.

Implementing compliance flexibilities for passenger railway and host companies combined with a phased-in approach

The Regulations will include compliance flexibilities, to ensure that required security measures are commensurate with company operations and risk profiles. As illustrated in Table 1 below, large passenger railway companies will be required to comply with the full suite of requirements described above. Small passenger railway companies (i.e. passenger railway companies that transported fewer than 60 000 passengers in one of the two previous calendar years) will not be required to comply with security risk assessment, security planning and security exercise requirements. Host companies will not be required to comply with security risk assessment, security planning, security exercises and security inspection requirements.

Moreover, TC is employing a phased-in approach to allow railway companies the time to implement the Regulations. For example, some of the requirements will come into force on a staggered basis — 3, 9 and 15 months after registration respectively.

Table 1: Application of the Passenger Rail Transportation Security Regulations
Requirement	Large Passenger Railway Companies	Small Passenger Railway Companies	Host Railway Companies	Length of Time After Registration Before Coming into Force
1. Security awareness training	Yes	Yes	Yes	3 months
2. Rail security coordinator	Yes	Yes	Yes	Registration day
3. Security reporting	Yes	Yes	Yes	Registration day
4. Security inspections	Yes	Yes	No	3 months
5. Security risk assessment	Yes	No	No	9 months
6. Security plan	Yes	No	No	9 months
7. Security plan training	Yes	No	No	15 months (i.e. 6 months after security plan requirements come into force)
8. Security exercises	Yes	No	No	15 months (i.e. 6 months after security plan requirements come into force)

Regulatory development

Consultation

Initial consultation

Throughout fall 2016 and winter 2017, TC engaged stakeholders at initial consultation sessions hosted by TC. Participating stakeholders included the Railway Association of Canada (RAC), a number of railway companies under federal jurisdiction, urban transit, provincial railway companies, law enforcement personnel and a number of provincial representatives. TC also distributed draft policy recommendations for the proposed Regulations for stakeholder comment.

During these initial consultation sessions and discussions, TC shared its preliminary thinking in terms of regulatory approach and provided stakeholders with the opportunity to offer their input and suggestions on the proposed Regulations. Stakeholders expressed their general support for TC’s proposal to enhance passenger rail security through regulation.

To add greater detail and incorporate input received at these consultation sessions and from subsequent written comments from stakeholders, TC developed a refined draft of the proposed Regulations, which included changes to a number of elements within the requirements.

Following the distribution to stakeholders of a refined draft of the proposed Regulations in summer 2017, TC received and responded to written comments and questions from stakeholders. Additional consultations were also held at various locations across Canada.

Prepublication in the Canada Gazette, Part I

The proposed Regulations and RIAS were published in the Canada Gazette, Part I, on April 13, 2019, followed by a 30-day public comment period. Several comments were received from RAC on behalf of its members. TC subsequently met with RAC to discuss the comments and provide clarity on a number of policy issues that were raised. The comments were taken into consideration in the further development of the Regulations. As a result, modifications were made, including the following:

Security exercises: The frequency of operations-based exercises was adjusted from every three years to every five years in response to industry concerns about the significant time and cost associated with conducting operations-based exercises. However, the discussion-based exercises will still be required on an annual basis.
Security inspections: TC adjusted the regulatory language in recognition that inspections could be conducted by a third party for the passenger railway company. The new wording provides flexibility so that passenger railway companies need only ensure that inspections are carried out rather than having to do the inspections themselves.

Modern treaty obligations and Indigenous engagement and consultation

In accordance with the Cabinet Directive on the Federal Approach to Modern Treaty Implementation, an analysis was undertaken to determine whether the proposal is likely to give rise to modern treaty obligations. This assessment examined the geographic scope and subject matter of the proposal in relation to modern treaties in effect. No modern treaty obligations were identified as a result of this analysis.

Instrument choice

In light of the inherent vulnerability of the open passenger rail system, the ongoing security threat and the significant negative impacts that a potential security incident could have, TC considered a number of options to strengthen the security of Canada’s passenger rail system, including

1. maintaining the status quo;
2. developing one regulatory regime that would apply to railway companies under federal jurisdiction regardless of whether they are a small or large passenger railway company, or a host company; and
3. implementing management-based security requirements for regulated entities to develop and implement security measures that are commensurate with their individual operations and risk profiles.

Option 1 — Maintaining the status quo

TC considered maintaining its voluntary approach and working with companies to help them meet the existing MOU’s commitments and promote a more secure surface and intermodal transportation system. This approach would have continued to have limited effectiveness because of the MOU’s voluntary nature (i.e. not all railway companies under federal jurisdiction participate in the MOU), the fact that the MOU does not have an enforcement mechanism, and because the MOU does not specifically address passenger rail systems. Maintaining a voluntary approach would therefore have been characterized by continued security gaps.

Option 2 — Developing one regulatory regime for all railway companies under federal jurisdiction

TC considered developing passenger railway security regulations that would have placed identical regulatory requirements on all companies, regardless of whether they were a large passenger railway company, small passenger railway company or host company. Such an approach would have placed a disproportionate cost on smaller passenger railway companies and host companies, some of which have different risks than larger passenger railway companies. Such a regulatory approach may have impacted the ability of smaller passenger railway companies to operate and also impeded their ability to become and remain compliant with the Regulations. Under such an approach, TC would have also needed to develop an expanded oversight and enforcement regime to ensure compliance, adding more costs to the Government of Canada with minimal incremental risk reduction.

Option 3 — Developing management-based security requirements (approved option)

Based on an analysis of the options, TC considered management-based security regulations for passenger railway and host companies to be the most appropriate and effective option at this time. These Regulations will provide regulated entities with the flexibility to develop and implement security measures that are commensurate with their individual operations and risk profiles, while also improving the ability of railway companies to prevent, detect, mitigate, respond to and recover from potential security incidents.

The Regulations are based on key requirements outlined in the MOU, therefore compliance costs are expected to be reduced for MOU signatories. To help minimize the compliance burden further, less burdensome requirements will apply to small passenger railway companies and host companies. Large passenger railway companies will be required to comply with the full suite of regulatory requirements (see Table 1 above).

Regulatory analysis

Benefits and costs

Cost valuation

Framework for evaluating the costs

The costing approach identifies, quantifies and monetizes, where possible, the incremental costs of the Regulations. The time period used to evaluate the incremental costs is 10 years (2019–2028). All the dollar figures are presented in 2017 Canadian dollars (2017 Can$) with a discount rate of 7% used to derive the costs in present values. The incremental variable costs have been examined in both the baseline and regulatory scenarios.

Baseline scenario

At present, there are 21 railway companies (8 small passenger railway companies, 8 large passenger railway companies and 5 host railway companies)^{footnote 7} that will be directly affected by the requirements. Of the 21 companies captured by the Regulations, 16 (including 3 small passenger companies, all 8 large passenger companies and all 5 host companies) are signatories to the TC-RAC MOU on Railway Security.

This MOU provides a voluntary approach to deal with rail security matters across Canada. Some of its key requirements include conducting risk assessments, developing security plans based on the identified risks, conducting exercises, training employees and reporting incidents.

The Regulations include the key elements from the MOU as well as a requirement to carry out security inspections. It is expected that there will be no or minimal incremental costs associated with the inspection requirement, as pre-trip inspections are already required for many companies for safety purposes under the Railway Safety Act.

Since the Regulations are primarily based on the requirements outlined in the MOU, and to account for those activities already undertaken, the cost of compliance (number of companies and employees) has been reduced by 75% for MOU signatories.

Regulatory scenario and incremental changes

The analysis assumes that the incremental costs associated with the additional requirements will be minimal for the MOU signatories. Those MOU signatories will bear about 25% of the incremental costs, compared to the non-MOU signatories.

For non-MOU signatories (five small passenger railway companies), the Regulations will also include compliance flexibilities, resulting in minimal compliance cost. Overall, it is estimated that small passenger railway companies will experience on average 31% incremental changes from the baseline. Large passenger railway companies will bear 25% in cost changes while host railway companies will face 11% cost changes on average from the baseline.

Incremental costs to industry

Passenger and host railway companies will bear both compliance and administrative costs. Incremental costs will be incurred for the following elements of the Regulations: security awareness training; security risk assessment; security plan development and training; rail security coordinator; security inspections; security exercises, security incident reporting; and administrative requirements (e.g. record keeping).

1. Compliance costs

1.1 Costs associated with the security awareness training requirement

TC anticipates that 50% of the estimated total employees working for the 21 federally regulated companies will be affected. The present value of the total costs of awareness training over the 10-year period is estimated at $19,409 for small passenger railway companies, $113,217 for large passenger railway companies and $47,443 for host railway companies.

1.2 Costs associated with the rail security coordinator requirement

To fulfill their duties, it is estimated that a large passenger railway company’s rail security coordinator will require an estimated 72 hours per year, and both a small passenger railway company and a host company’s rail security coordinator will require an estimated 36 hours per year respectively. Therefore, the present value over the 10 years of the compliance costs associated with this requirement is estimated at $84,330 for small passenger railway companies, $56,220 for large passenger railway companies, and $14,055 for host companies.

1.3 Costs associated with the security reporting requirement

It is assumed that on average a small passenger railway company and a host railway company will report threats or other security concerns five times a year while a large passenger railway company will produce an estimated 20 incident reports annually. Assuming the time spent to prepare a report is one hour, the present value of the costs for reporting incidents is estimated at $11,712, $15,617 and $1,952 for small, large and host railway companies respectively.

1.4 Costs associated with the security inspections requirement

Negligible costs will be associated with this requirement since this requirement could be added to inspections that are already required for passenger railway companies for safety purposes under the Railway Safety Act.

1.5 Costs associated with the security risk assessment requirement

It is assumed that 50 hours and 15 hours are required respectively for development of the initial risk assessment and for the risk assessment review and update. The overall present value of the costs for risk assessments over the 2019–2028 period is estimated at approximately $18,027.

1.6 Costs associated with the security plan requirement

Companies will require an estimated 50 hours in 2019 to develop the plan and an estimated 15 hours to review and update it in the second through tenth year. Costs associated with the security plan development, review and update are expected to be $15,349 over the 10-year period.

1.7 Costs associated with the security plan training requirement

It is assumed that on average each company will need an estimated 15 hours to develop the security plan training program and an estimated 1.5 hours once every three years for employee training. The present value of the total estimated costs of the security plan training requirement over the 10 years is estimated at $69,489.

1.8 Costs associated with the security exercises requirement

Assuming 100 employees of a large passenger railway company will be involved in such exercises, the present value of the costs for exercises is expected to be $44,944.

The present value of the total compliance costs of the Regulations to affected passenger railway companies and host companies is estimated at $511,764, including $115,451 to small passenger railway companies, $332,863 to large passenger railway companies, and $63,450 to host railway companies.

2. Administrative costs

In addition to compliance costs, two requirements will cause additional administrative burden^{footnote 8} to companies, including record keeping and reporting. The present value of the administrative burden costs are estimated at $17,051, which include $1,382 for small passenger railway companies, $12,471 for large passenger railway companies and $3,651 for host railway companies. Table 2 below presents the present value of the compliance and administrative costs that the Regulations will impose on industry.

Table 2: Costs to railway companies over 10 years (2017 Can$, 7% discount rate)
Requirement / Type of Cost Incurred by the Industry	Small Passenger Companies	Large Passenger Companies	Host Companies	Total
Security awareness training	$19,409	$113,217	$47,443	$180,069
Rail security coordinator	$84,330	$56,220	$14,055	$154,605
Security reporting	$11,712	$15,617	$1,952	$29,281
Security inspections	$0	$0	$0	$0
Security risk assessment	$0	$18,027	$0	$18,027
Security plan	$0	$15,349	$0	$15,349
Security plan training	$0	$69,489	$0	$69,489
Security exercises	$0	$44,944	$0	$44,944
Total compliance costs	$115,451	$332,863	$63,450	$511,764
Total administrative costs (record keeping and reporting)	$1,382	$12,471	$3,198	$17,051
Total	$116,833	$345,334	$66,648	$528,814

Note: Cost estimate totals may not add up due to rounding.

Incremental costs to the Government of Canada

Costs of the Regulations to the Government of Canada are mainly for compliance monitoring and enforcement. The Government of Canada will also incur costs to develop and provide ongoing support for the Regulations. Costs will also be incurred for training inspectors.

1. Compliance monitoring and enforcement

Inspectors qualified to perform railway security inspections will be expected to provide oversight to ensure compliance once the Regulations come into force. Inspectors will also engage in compliance promotion activities, and develop and distribute guidance and regulatory materials, as required.

The present value of the compliance monitoring and enforcement costs is estimated at $7,719,116 between 2019 and 2028.

2. Regulatory development and support

To provide policy and regulatory development and ongoing support for these Regulations, TC has asked for resources which are estimated at $916,430 over the 2019–2028 period of analysis.

3. Training

Training is required to support inspectors to ensure that they have the skills and knowledge to conduct their compliance monitoring and enforcement duties. The total training costs (in present value) will be approximately $496,581 over 10 years.

Table 3: Costs to government over 10 years (2017 Can$, 7% discount rate)
Type of Costs Incurred by the Government	Cost (Present Value)
Enforcement and compliance costs	$7,719,116
Regulatory administration costs	$916,430
Training costs	$496,581
Total	$9,132,128

Benefit valuation

The regulatory regime is expected to have a positive impact on public security. It is expected to promote a more aware, alert, prepared and proactive regulated community that would be better able to prevent, detect, mitigate, respond to and recover from terrorist incidents. The Regulations are intended to improve industry’s resilience, minimizing the consequences (loss of life, property damage, environmental damage and reduced international trade flows) should an incident occur.

As with the analysis of other security regulations, it is very difficult to quantify the associated benefits of the Regulations, given that both the probability and the impact (baseline and regulated options) are subjective and uncertain.

The sections below highlight the qualitative and non-monetized benefits derived from enhancing the security of passenger rail transportation in Canada.

Improved security perception

An improved perception of security may have positive effects on passengers, leading to reductions in social costs. The improved feeling of well-being may lead to lower stress and anxiety among the population, which in turn may contribute to lower levels of physical and mental illness. This benefit could correspond to a reduction in health care spending. Therefore, the perception of a high level of security has both direct and indirect benefits for individuals as well as society.

Avoided property damage

By averting or mitigating catastrophic events, property damage both to rail infrastructure and to third party property will be avoided, including damage to railway tracks, stations, and surrounding buildings. Buesa et al. (2006)^{footnote 9} found that the damage caused to houses in the 2004 Madrid attack was estimated to be roughly 1.27 million euros and the cost of replacement of the rail material was estimated to be 17 million euros.

Other qualitative benefits

Should the Regulations help to prevent catastrophic events, emergency service costs could be avoided. These costs include, but are not limited to, the services and opportunity costs of police officers, firefighters, ambulances and emergency room staff. Other avoided costs include delays to the rail industry and possibly other modes of transportation, and a loss of productivity to the affected sectors. Buesa et al. (2006) revealed that the loss of productivity from the 2004 Madrid attack was valued at roughly 2.37 million euros.^{footnote 9}

Cost-benefit statement

Summary of costs and benefits

Over the 2019–2028 period of analysis, the total costs to the Government of Canada for implementing the Regulations and to industry for complying with the Regulations will be $9,660,944. The Regulations will reduce the risk of fatalities and injuries, but still not be justified on the basis of the reduction of these risks alone. Other benefits of the Regulations include avoided property damage, improved security perception, and avoided emergency service. The summary of the costs and the benefits of the regulatory regime is presented in Table 4 and Table 5 below.

1. Monetized costs

Number of years: 10 (2019 to 2028)
Base year for costing: 2019
Dollar value: 2017
Discount rate: 7%

Table 4: Monetized costs (2017 Can$, 7% discount rate)
Impacted Stakeholder	Description of Cost	Base Year 2019	Annual Average 2020–2027	Final Year 2028	Total (Present Value)	Annualized Value
Government	Enforcement and compliance	$1,024,571	$767,241	$556,619	$7,719,116	$1,099,029
	Regulatory administration	$121,943	$91,020	$66,329	$916,430	$130,479
	Training	$80,000	$47,908	$33,316	$496,581	$70,702
Industry	Compliance	$128,098	$39,827	$65,050	$511,764	$72,864
Industry	Administration	$5,428	$1,097	$2,846	$17,051	$2,428
All stakeholders	Total costs	$1,360,040	$947,093	$724,160	$9,660,944	$1,375,501

2. Monetized benefits

The benefits related to the Regulations could not be monetized. A break-even analysis was performed to estimate how reducing the risk of fatalities and injuries would benefit Canadians in the context of the Regulations. The break-even analysis found that the Regulations would not be justified on the basis of the reduction of these risks alone.

Table 5: Summary of monetized costs and benefits (2017 Can$, 7% discount rate)
Impact	Base Year 2019	Annual Average 2020–2027	Final Year 2028	Total (Present Value)	Annualized Value
Total costs	$1,360,040	$947,093	$724,160	$9,660,944	$1,375,501
Total benefits	$0	$0	$0	$0	$0
Net impact	($1,360,040)	($947,093)	($724,160)	($9,660,944)	($1,375,501)

3. Quantified (non-$) and qualitative impacts

Increased perception of security for Canadians.
Avoided property damage to the rail infrastructure and to third party property and infrastructure, including environmental damage.
Avoided emergency costs: police officers, firefighters, ambulances, paramedics, and emergency room staff.
Avoided subsequent health care costs.
Avoided delays the rail industry and in other transportation modes.
Avoided loss in productivity due to the disruption in transportation of services.

Distributional impacts

A distributional analysis was performed to identify how the costs of the Regulations will potentially affect regulated companies and consumers.

1. Impacts by sector

The Regulations are expected to impose an additional annualized cost of $75,291 to passenger railway companies and host companies. Table 6 shows that the incremental costs are not distributed homogeneously. The incremental costs borne by a large passenger railway company is about three times the costs imposed on a small passenger railway company or a host railway company. Since these additional costs represent a small fraction of the total operational costs of the rail sector, it is not expected that they would have a detrimental impact among Canadian railway companies.

Table 6: Cost distribution by sector and by company (2017 Can$, 7% discount rate)
Cost Distribution	Small Passenger Companies	Large Passenger Companies	Host Companies	Total by Sector /Average by Company
By sector	$16,634	$49,168	$9,489	$75,291
By company	$2,079	$6,146	$1,898	$3,374

2. Impacts on consumers

Despite the costs noted above, it is expected that the impact on consumers will be negligible as the incremental costs of the Regulations only represent a small fraction of the total operational costs of the rail sector.

Small business lens

The Regulations will introduce a risk-based approach to passenger rail security. It is assumed that all eight small passenger railway companies, which will be subject to the Regulations, are small businesses. In consideration of reducing compliance costs to their operations, the small companies will not be required to comply with the following requirements: security risk assessment, security plan, security plan training, and security exercises. TC considered an initial option that would have required that all affected railway companies, large and small passenger, and host companies, comply with all of the elements identified above, resulting in significant additional costs for small businesses. See tables below for details.

Small business lens summary

Number of small businesses impacted: 8
Number of years: 10 (2019 to 2028)
Base year for costing: 2019
Dollar value: 2012
Discount rate: 7%

Table 7: Compliance costs (2012 Can$, 7% discount rate)
Activity	Annualized Value	Present Value
Total compliance cost	$10,500	$73,800

Table 8: Administrative costs (2012 Can$, 7% discount rate)
Activity	Annualized Value	Present Value
Total administrative cost	$400	$2,700

Table 9: Total compliance and administrative costs (2012 Can$, 7% discount rate)
Totals	Annualized Value	Present Value
Total cost (all impacted small businesses)	$10,900	$76,500
Cost per impacted small business	$1,362	$9,562

One-for-one rule

The Regulations will include record keeping and reporting requirements that will increase the administrative burden costs incurred by the affected passenger railway companies and host companies. Therefore, the Regulations are considered to be an “IN” under the Government of Canada’s one-for-one rule, and are estimated to result in an annualized increase in administrative costs of $1,419, or $68 per business (in 2012 Can$).

Record keeping

It is estimated that 50% of the 13 660 (6 830) employees of passenger railway companies and host companies are required to undergo security awareness training once every three years from the coming into force of the Regulations. It is estimated that it would take five minutes per employee to document each employee’s name, a description of the training received and the date and duration of the training.

For large passenger railway companies only, administrative costs are also associated with the record keeping of the information on employees who participate in the security plan training and exercises. It is estimated that 20% of the 9 240 (1 848) employees of large passenger railway companies will be affected by the security plan training requirement once every three years. As previously assumed, five minutes would be needed to record each employee’s name, a description of the training received and the date and duration of the training. Additionally, each of the large passenger railway companies will have an estimated one person spend one day per year to record the security exercises conducted.

Reporting the contact information of the designated rail security coordinator

It is assumed that each of the estimated 21 companies captured by the Regulations will need an average of 10 minutes to prepare and submit the name of the designated rail security coordinator and other relevant information to TC. Whenever there is a replacement of the rail security coordinator, the updated information will have to be submitted to TC. It is assumed that a change of this nature will occur once every three years.

Regulatory cooperation and alignment

Two U.S. passenger railway companies operate in Canada, and both are signatories to the TC-RAC MOU on Railway Security. Furthermore, the Canadian freight rail system is integrated with the U.S. system (e.g. four host railways operate freight services across the Canada-U.S. border).

Following the terrorist attacks on September 11, 2001, the U.S. implemented basic passenger rail security regulations. These regulations include requiring operators to report security concerns to the government and to designate a rail security coordinator who serves as the primary security contact with the U.S. Transportation Security Administration (TSA). This individual also coordinates security practices and procedures with appropriate law enforcement and emergency response agencies. In 2020, the TSA introduced new requirements that mandate security training for surface transportation employees, including passenger rail personnel.

To date, however, the U.S. has not introduced measures comparable to the security risk assessment, planning, exercises and inspection requirements in the existing TC-RAC MOU on Railway Security and the Regulations. TC officials have met with officials from the TSA on a number of occasions to learn about their passenger rail regulatory regime and to explain Canada’s chosen approach of using the TC-RAC MOU on Railway Security as the basis for its regulations.

Regulating the main elements of the MOU is not expected to put Canadian railway companies at a disadvantage relative to their U.S. counterparts. Given that the Regulations will mandate what is already standard practice for many Canadian railway companies (and U.S. passenger railroad carriers operating in Canada), compliance costs will represent a small fraction of the total operational costs of the rail sector. Furthermore, competitiveness issues are not expected to arise given that U.S. passenger railroad carriers operating within Canada are required to follow Canadian regulations.

Strategic environmental assessment

In accordance with the Cabinet Directive on the Environmental Assessment of Policy, Plan and Program Proposals, a preliminary scan concluded that a strategic environmental assessment is not required.

Gender-based analysis plus

No gender-based analysis plus (GBA+) impacts have been identified for the Regulations.

Rationale

Strategic risk and threat assessments conducted by the Government of Canada indicate that Canada’s passenger rail system remains vulnerable to acts of unlawful interference, and the potential adverse impacts of such attacks are significant. The TC-RAC MOU on Railway Security is voluntary, with no enforcement mechanism, and does not focus on passenger railways specifically nor does it include all passenger railway companies under federal jurisdiction. The Regulations will strengthen the security of Canada’s passenger rail system and mitigate these risks.

The specific requirements of the Regulations are generally consistent with the elements outlined in the TC-RAC MOU on Railway Security with which stakeholders are well versed (e.g. security training, security risk assessment, security plan reviews, updates and renewals on an ongoing basis, security exercises). Therefore, introducing regulatory requirements that are already standard practice among industry stakeholders is expected to result in implementation efficiency and effectiveness.

The security requirements will impose administrative and compliance costs for passenger railway and host companies in the amount of $528,814. The potential administrative and compliance burden has been intentionally offset by designing the Regulations to align with the TC-RAC MOU on Railway Security with which most of the passenger railway and host companies are already complying. The Regulations were also designed using primarily management-based requirements that will provide regulated entities with the flexibility to develop and implement security measures that are commensurate with their individual operations and risk profiles.

Furthermore, the Regulations will introduce less burdensome requirements for small passenger and host companies where security risks are recognized to be lower. The Government of Canada will incur administration and enforcement costs of $9,132,043, resulting in total costs of $9,660,944. Notwithstanding that the benefits of the Regulations could not be monetized, given the potentially catastrophic impact of a successful act of unlawful interference with passenger rail, and the expectation that the Regulations will meaningfully mitigate the risk and impact of such an act, the Regulations are expected to result in a significant overall benefit to Canadians.

Implementation, compliance and enforcement, and service standards

Implementation

TC’s overall objective is to implement a fair and equitable compliance and enforcement regime for the Regulations using a graduated approach that allows industry to take corrective actions before resorting to enforcement actions. However, where compliance is not achieved on a voluntary basis or where there are flagrant violations, enforcement action could be sought through judicial sanction (indictment or summary conviction) in accordance with section 41 of the Railway Safety Act.

TC is ready to implement, deliver and oversee the Regulations. The Department will use a national network of surface and intermodal security inspectors to oversee compliance with the Regulations, and is currently developing guidance and training programs to ensure the inspectors will be adequately prepared to oversee this new regime and facilitate industry compliance. The Department will work with Government of Canada partners to enhance efficiency and minimize the impact on passenger and host railway companies.

Compliance and enforcement

Inspectors will provide regulatory oversight to ensure compliance and identify any non-compliance with the Regulations. Inspectors will provide ongoing oversight, guidance and education to passenger and host railway companies, and will schedule inspections using a risk-based approach. Current risk methodology will be reviewed and elements will be incorporated to support, align and produce a passenger rail security risk assessment methodology. Inspection frequency and scope will be determined by the outcome of the risk assessments. Inspections will be at determined intervals; however, inspectors will have the flexibility to conduct random and for-cause inspections, as deemed appropriate.

Service standards

TC will continue its engagement with industry through established railway safety and security fora and various industry associations, building on past collaborations with industry stakeholders and previously developed voluntary codes of practice. TC will also conduct education and awareness activities to support industry and to facilitate implementation and compliance, and will develop guidance materials, as required.

Finally, the coming-into-force dates of the Regulations will be staggered, with provisions coming into force on registration day, and 3, 9 and 15 months after registration, to give passenger and host railway companies the time to implement the requirements and to facilitate compliance.

Contact

Kim Benjamin
Director General
Intermodal Surface, Security and Emergency Preparedness
Transport Canada
Ottawa, Ontario
K1A 0N5
Email: tc.simsregulations-reglementsstti.tc@tc.gc.ca

Footnotes

Footnote a

S.C. 1999, c. 9, s. 12

Return to footnote a referrer

Footnote b

R.S., c. 32 (4th Supp.)

Return to footnote b referrer

Footnote 1

A host company is a railway company that authorizes a passenger company to operate on its railway.

Return to footnote 1 referrer

Footnote 2

Under the MOU, operators develop and implement appropriate security practices, based on identified risks. TC works with MOU signatories and conducts oversight and monitoring activities to help industry meet the terms and conditions of the MOU and promote a more secure rail transportation system.

Return to footnote 2 referrer

Footnote 3

When transportation emergencies and disasters occur, Canadians depend on TC, the transportation industry, and the federal government to provide essential services. The national Transport Canada Situation Centre (TCSC) is the Department’s 24/7 reporting hub for stakeholders and industry (Marine, Surface, and Aviation) as part of various regulatory requirements for transportation safety and security. As required through the Federal Emergency Response Plan (FERP), the TCSC is the coordinating body for TC’s emergency response function to emergencies and disasters, ensuring timely information sharing for safety and security issues with key partners internal and external to TC. Regional centres are located in Moncton, Montréal, Toronto, Winnipeg, and Vancouver.

Return to footnote 3 referrer

Footnote 4

49 C.F.R. §1580.203

Return to footnote 4 referrer

Footnote 5

49 C.F.R. §1580.201

Return to footnote 5 referrer

Footnote 6

49 C.F.R. §1582

Return to footnote 6 referrer

Footnote 7

As of 2019, there were 16 passenger railway companies under federal jurisdiction and 7 federal freight railway companies that host passenger railway companies on their networks. Two freight railway companies operate a tourist passenger service on each of their networks, in addition to acting as host railways to passenger companies. For the purposes of the cost-benefit analysis, these two railways have been only counted once as passenger companies and not as host companies.

Return to footnote 7 referrer

Footnote 8

More details of the administrative costs to industry are provided in the “One-for-one rule” section.

Return to footnote 8 referrer

Footnote 9

Buesa et al., (2006). The economic cost of March 11: measuring the direct economic cost of the terrorist attack on March 11, 2004 in Madrid, Working paper, No. 54. February 2006.

Return to footnote 9 referrer