Canada Gazette, Part I, Volume 153, Number 15: Passenger Rail Transportation Security Regulations

April 13, 2019

Statutory authority
Railway Safety Act

Sponsoring department
Department of Transport

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Regulations.)

Executive summary

  • Issues: Passenger rail systems are important to the economic and social well-being of Canadians, and the extensive and accessible nature of these systems makes them vulnerable to unlawful interference. Although there have been no successful attempts of unlawful interference on the Canadian rail transportation system, attempts have been made to target passenger rail transportation in Canada and the United States (U.S.), and attacks in Spain, the United Kingdom, Russia, China and Belgium have resulted in significant loss of life and property damage. Regulatory intervention is necessary to ensure that passenger railway companies address the risk of potential attacks.
  • Description: The proposed Passenger Rail Transportation Security Regulations (the proposed Regulations) would require passenger railway and host footnote 1 companies to effectively manage their security risks by implementing risk-based security practices, including security awareness training, security risk assessments, security plans, security plan training, the designation of a rail security coordinator, security inspections, security exercises and security incident reporting.
  • Cost-benefit statement: The proposed Regulations would require that passenger railway and host companies engage in security planning processes and risk management activities that would increase the likelihood that potential security incidents would be detected and prevented, and the consequences of an incident would be mitigated. The proposed Regulations are expected to result in total costs of $9,669,318 over 10 years for passenger railway and host companies under federal jurisdiction and the Government of Canada.
  • “One-for-One” Rule: The proposed Regulations would result in incremental annualized administrative burden costs of $1,419 for affected passenger railway companies and host companies, and are therefore considered to be an “IN” under the “One-for-One” Rule.
  • Small business lens: To recognize the different operating environments and risk profiles, the proposed Regulations would include streamlined compliance requirements for small passenger railway companies, which would yield significant savings for these operators — roughly $156,000 over a 10-year time frame.
  • Domestic and international coordination and cooperation: The United States currently requires that passenger railroad carriers have a rail security coordinator and that security incidents be reported. The proposed Regulations would prescribe additional measures beyond the U.S. requirements; however, the proposed approach is not expected to put Canadian railway companies at a disadvantage relative to their U.S. counterparts, given that similar requirements already exist under the voluntary Memorandum of Understanding (MOU) on Railway Security footnote 2 between Transport Canada (TC) and the Railway Association of Canada (RAC), and that U.S. passenger railroad carriers operating in Canada would be bound by the proposed Regulations.

Background

Passenger rail systems are important to the economic and social well-being of Canadians. A number of passenger railway companies operate in Canada, with three categories of rail service that vary in network size, geographic location and passenger numbers: intercity passenger rail, urban transit (including commuter, light rail and subway), and tourist rail, some of which are seasonal. As of early 2019, there were 16 passenger railway companies under federal jurisdiction and 7 federal freight railway companies that host passenger railway companies on their networks.

Passenger rail systems typically operate on a vast, open network with multiple public access points. In some cases, these systems connect to multimodal stations, operate on and are adjacent to freight rail networks transporting dangerous goods in major urban centres and move millions of passengers daily. These characteristics make passenger rail systems vulnerable to security incidents, which carry risks to human health and safety as well as risks of property damage.

Although there is no specific threat to passenger rail systems in Canada at this time and there have been no successful attempts of unlawful interference in Canada, recent assessments conducted by the Government of Canada indicate that improvements can be made to passenger rail systems to protect against unlawful interference. International events in which there have been attacks on rail systems have also underscored the need for enhanced security precautions.

To date, Transport Canada and the rail industry have been working together through a voluntary framework to strengthen rail security, in part through a Memorandum of Understanding with the Railway Association of Canada and its member signatories (TC-RAC MOU on Railway Security). footnote 3 The MOU outlines security components, such as developing security plans, conducting exercises and security awareness training, record keeping and reporting security incidents to TC’s Situation Centre. footnote 4 Currently, 26 RAC members, 11 of which operate passenger rail services, have signed on to meet the terms and conditions of this MOU.

The United States implemented basic passenger rail security regulations following the terrorist attacks on September 11, 2001, with requirements that passenger railroad carriers report potential threats and significant security concerns to the government and designate a rail security coordinator who serves as the primary security contact with the U.S. Transportation Security Administration (TSA), and who coordinates “security practices and procedures with appropriate law enforcement and emergency response agencies.” footnote 5

Issues

The passenger rail sector has unique security vulnerabilities due to its inherent open design and extensive networks.

The current approach to managing security risks, through the TC-RAC MOU on Railway Security, has limitations. The MOU only targets rail transportation in general, and does not specifically focus on passenger rail operations. Furthermore, some federally regulated passenger railway companies are not currently participating in the MOU, and compliance with the MOU is voluntary. There is no enforcement mechanism. Therefore, regulations are necessary to ensure that the passenger rail sector employs measures to address security risks.

Objectives

The objectives of the proposed Regulations are to

Description

The proposed Regulations would address passenger rail system risks primarily using a management-based approach that would require passenger and host railway companies to implement security processes to effectively manage their identified security risks. This approach would give railway companies the flexibility to adopt security practices and measures that are unique to their operations and adapt to a changing risk environment. Specific elements of the proposed Regulations include

  1. Security awareness training;
  2. Security risk assessment;
  3. Security plan;
  4. Security plan training;
  5. Rail security coordinator;
  6. Security inspections;
  7. Security exercises; and
  8. Security reporting.

The proposed Regulations would also require passenger railway and host companies to report and keep records to document their compliance with these requirements.

1. Security awareness training

Persons employed by passenger and host railway companies, and persons acting — directly or indirectly — on behalf of the company, and who have specific duties related to the transport of passengers, would be required to undergo recurrent training on basic security topics every three years (e.g. security risks related to passenger rail transportation, how to recognize potential threats and other security concerns, the actions to be taken by personnel in response to potential threats and other security concerns, and the company’s security measures and procedures).

2. Security risk assessment

A passenger railway company, other than a small passenger company (i.e. a passenger company that transported fewer than 60 000 passengers in one of the two previous calendar years), would be required to conduct a security risk assessment of its network and operations that identifies, describes, assesses and prioritizes rail security risks. The assessment would be based on key elements, including current security threats, critical assets, security vulnerabilities, and the potential impacts of a successful act of unlawful interference. The risk assessment would identify, for each risk, the likelihood that the risk will occur, the severity of potential impacts if it occurs, and potential security safeguards to mitigate the identified risks. Companies would be required to review their security risk assessments at least every 12 months, and conduct a new assessment no more than three years after the current assessment was finalized.

3. Security plan

A passenger railway company, other than a small passenger company, would be required to implement a security plan that aims to prepare for, detect and prevent, respond to and recover from acts or attempted acts of unlawful interference with passenger rail transportation. Security plans would be required to include a risk management strategy that addresses the risks identified and prioritized in the company’s security risk assessment, and additional security safeguards that are intended to mitigate heightened risk conditions. The proposed Regulations would set out general elements that must be included in each railway company’s security plan, including a program for security awareness and security plan training, a process for conducting security risk assessments, remedial actions and safeguards, security inspections, security exercises and security incident reporting. Companies would be required to review their security plans at least once every 12 months and conduct a comprehensive review of the plan at least once every three years. The annual review would include assessing whether the plan addresses any new risks identified during the most recent security risk assessment (e.g. annual risk assessment). The comprehensive review would be based on the new risk assessment that passenger railway companies are required to conduct every three years.

4. Security plan training

A passenger railway company with a security plan would be required to ensure that any employee who is mainly responsible for the development and implementation of the plan, or has security duties according to the plan, undergoes training on key elements of the security plan and any other relevant portions of the plan as it relates to their role. The company would also be required to ensure that the employee has the knowledge and skills to implement that portion of the plan that they are responsible for, and to carry out their security roles and responsibilities. Training on a recurrent basis, at least once every three years, would also be required, and when there are significant amendments made to the plan.

5. Rail security coordinator

Passenger and host railway companies would be required to have a rail security coordinator to coordinate security practices within their companies, act as the principal contact for security-related activities and communications between the company and the Minister of Transport, and coordinate communication between the company, other passenger or host railway companies, law enforcement and emergency response agencies.

6. Security inspections

Passenger railway companies would be required to carry out a ground-level visual security inspection of the exterior of the passenger train and the interior of each car prior to the train entering service for the day. In other words, a passenger company could complete its security inspection as required at any time prior to the train entering service for the day, as long as it keeps the train secure after the inspection until passengers board the train. The purpose of the inspection would be to detect any suspicious object, person or circumstance that could endanger the security of rail transportation. Additional inspections could be undertaken after the passenger train enters service for the day, if necessary under the security plan.

7. Security exercises

A passenger railway company, other than a small passenger company, would be required to carry out “operations-based” (every three years) and “discussion-based” (every year) security exercises that would test the effectiveness of their security plans (a discussion-based exercise would not be required in a year when an operations-based exercise is conducted). Typically, an “operations-based” security exercise is a simulated security incident in which the railway company could perform the tasks expected of them in a real emergency. In contrast, a “discussion-based” exercise generally simulates a security incident facilitated via participant discussions and not directly through operational activities.

8. Security reporting

Passenger railway and host companies would be required to report potential threats and other security concerns to the TC Situation Centre as soon as feasible, but no later than 24 hours after the occurrence of the threat or other security concern. Follow-up information about the incident would also be reportable as soon as it becomes known. The proposed Regulations would provide a list of reportable threats and concerns (e.g. bomb threats, reports or discoveries of suspicious items, signs of tampering with rail equipment or railway works).

Implementing compliance flexibilities for passenger railway and host companies combined with a phased-in approach

The proposed Regulations would include compliance flexibilities, to ensure that required security measures are commensurate with company risk profiles and operational requirements. As illustrated in Table 1 below, large passenger railway companies would be required to comply with the full suite of requirements described above. Small passenger railway companies would not be required to comply with a security risk assessment, security planning and security exercise requirements. Host companies would not be required to comply with a security risk assessment, security planning, security exercises and security inspection requirements.

Moreover, TC is proposing a phased-in approach to allow railway companies the time to implement the proposed Regulations. For example, some of the proposed requirements would come into force on a staggered basis — 3, 9 and 15 months after registration, respectively.

Table 1: Application of the proposed Passenger Rail Transportation Security Regulations
Proposed Requirements Large Passenger Railway
Companies
Small Passenger Railway Companies Host Railway Companies Length of Time After Registration Before
Coming into Force
1. Security awareness training Yes Yes Yes 3 months
2. Security risk assessment Yes No No 9 months
3. Security plan Yes No No 9 months
4. Security plan training Yes No No 15 months
(i.e. 6 months after security plan requirements come into force)
5. Rail security coordinator Yes Yes Yes Registration day
6. Security inspections Yes Yes No 3 months
7. Security exercises Yes No No 15 months
(i.e. 6 months after security plan requirements come into force)
8. Security reporting Yes Yes Yes Registration day

Regulatory and non-regulatory options considered

In light of the inherent vulnerability of the open passenger rail system, the ongoing potential security threat and the significant negative impacts that a potential security incident could have, TC considered a number of options to strengthen the security of Canada’s passenger rail system, including

Option 1 — Maintaining the status quo

TC considered maintaining its voluntary approach and working with companies to help them meet the existing MOU commitments and promote a more secure surface and intermodal transportation system. This approach would have limited effectiveness given the MOU’s voluntary nature (e.g. no enforcement mechanism) and its confined scope that does not specifically target passenger rail systems. Furthermore, since not all railway companies under federal jurisdiction choose to participate in the existing MOU, a voluntary approach may therefore be characterized by continued security gaps.

Option 2 — Developing one regulatory regime for all railway companies under federal jurisdiction

TC considered developing passenger railway security regulations that would place identical regulatory requirements on all passenger companies, regardless of whether they are a large passenger, small passenger or host company. Such an approach would place a disproportionate cost on smaller companies, some of which may face risks that differ from those carried by larger companies. This may potentially impact their ability to operate and impede their ability to become and remain compliant with the proposed Regulations. Under this approach, TC would also need to develop an expanded oversight and enforcement regime to ensure compliance, adding more costs to the Government of Canada with minimal incremental risk reduction.

Option 3 — Implementing management-based security requirements (proposed option)

Based on an analysis of the options, TC considers management-based security regulations for passenger railway and host companies to be the most appropriate and effective option at this time. These proposed Regulations would provide regulated entities with the flexibility to develop and implement security measures that would be commensurate with their individual risk profiles and operational requirements, while improving the ability of railway companies to prepare for, detect, prevent, mitigate, respond to and recover from potential security incidents.

The proposed Regulations would be based on key requirements outlined in the MOU, which are expected to reduce compliance costs for current MOU signatories. To help minimize the compliance burden further, less burdensome requirements would apply to small passenger railway companies and host companies. Large passenger railway companies would be required to comply with the full suite of regulatory requirements, whereas small railway companies would be expected to comply with fewer requirements, while still being required to address risks (see Table 1 above).

Benefits and costs

Cost valuation

1. Framework for evaluating costs

The costing approach identifies, quantifies and monetizes, where possible, the incremental costs of the proposed Regulations. The time period used to evaluate the incremental costs is 10 years (2019–2028). All the dollar figures are presented in 2017 Canadian dollars (2017 Can$) with a discount rate of 7% used to derive the costs in present values. The incremental variable costs have been examined in the baseline and regulatory scenarios.

2. Baseline scenario

At present, there are 21 railway companies (8 small passenger railway companies, 8 large passenger railway companies and 5 host railway companies) footnote 6 that would be directly affected by the proposed requirements. Of the 21 companies captured by the proposed Regulations, 16 (including 3 small passenger companies, all 8 large passenger companies and all 5 host companies) are signatories to the TC-RAC MOU on Railway Security.

This MOU provides a voluntary approach to dealing with rail security matters across Canada. Some of its key requirements include conducting risk assessments, developing security plans based on the identified risks, conducting exercises, training employees and reporting incidents.

The proposed Regulations include the key elements from the MOU as well as a requirement to carry out security inspections. It is expected that there would be little or no incremental costs associated with the inspection requirement, as pre-trip inspections are already required for many companies for safety purposes under the Railway Safety Act.

Since the proposed Regulations are primarily based on the requirements outlined in the MOU, and to account for those activities already undertaken, the cost of compliance (number of companies and employees) has been reduced by 75% for MOU signatories.

3. Regulatory scenario and incremental changes

The analysis assumes that the incremental costs associated with the additional requirements would be minimal for the MOU signatories. Those MOU signatories would bear about 25% of the incremental costs, compared to the non-MOU signatories.

For non-MOU signatories (five small passenger railway companies), the proposed Regulations would also include compliance flexibility, resulting in minimal compliance costs. Overall, it is estimated that small passenger railway companies would experience, on average, a 31% incremental change from the baseline. Large passenger railway companies would bear a 25% change in costs, while host railway companies would face, on average, an 11% change in costs from the baseline.

4. Incremental costs to industry

Passenger and host railway companies would bear compliance and administrative costs. Incremental costs would be assumed for the following elements of the proposed Regulations: security awareness training, security risk assessment, security plan development and training, the designation of a rail security coordinator, security inspections, exercises, security incident reporting, and administrative requirements (e.g. record keeping).

4.1 Incremental compliance costs
Costs associated with the security awareness training requirement

Under the proposed Regulations, a passenger or host company must ensure that persons employed by and persons acting — directly or indirectly — on behalf of the company, and who have certain duties outlined in the proposed Regulations that involve the transport of passengers, would be required to complete an estimated one hour of training, occurring every three years, on basic security topics. TC anticipates that 50% of the estimated total employees working for the 21 federally regulated companies would be affected. The present value of the total costs of awareness training over the 10-year period is estimated at $19,409 for small passenger railway companies; $113,217 for large passenger railway companies; and $47,443 for host railway companies.

Costs associated with the security risk assessment requirement

Large passenger railway companies would be required, once every three years, to conduct a security risk assessment of their network and operations that identifies, describes, assesses and prioritizes rail security risks. It is assumed that 50 hours and 15 hours are required respectively for development of the initial risk assessment and for the risk assessment review and update. The overall present value of the costs for risk assessments over the 2019–2028 period is estimated at approximately $18,027.

Costs associated with the security plan requirement

Large passenger railway companies would be required to implement a security plan that aims to prepare for, detect and prevent, respond to and recover from acts or attempted acts of unlawful interference with passenger railway transportation. It includes a risk management strategy that addresses the risks identified and prioritized in the company’s security risk assessment, and scalable measures for times of heightened risk. Companies would require an estimated 50 hours in 2019 to develop the plan and an estimated 15 hours to review and update it in the second through tenth years. Costs associated with the security plan development, review and update are expected to be $15,349 over the 10-year period.

Costs associated with the security plan training requirement

A passenger railway company with a security plan would be required to ensure that any employee who is mainly responsible for the development and implementation of the plan, or has security duties according to the plan, undergoes training on key elements of the security plan and any other relevant portions of the plan as it relates to their role. The company would also be required to ensure that the employee has the knowledge and skill to implement that portion of the plan that they are responsible for, and to carry out their security roles and responsibilities. Training on a recurrent basis, at least once every three years, would also be required, and when there are amendments made to the plan. It is assumed that, on average, each company would need an estimated 15 hours to develop the security plan training program and an estimated 1.5 hours once every three years for employee training. The present value of the total estimated costs of the security plan training requirement over the 10 years is estimated at $69,489.

Costs associated with the rail security coordinator requirement

Passenger and host railway companies would be required to have a rail security coordinator to coordinate security practices within their companies, act as the primary contact for security-related activities and communications between the company and the Minister of Transport, and coordinate communication between the company, other passenger or host companies, law enforcement and emergency response agencies. To fulfill their duties, it is estimated that a large passenger railway company’s rail security coordinator would require approximately 72 hours per year, and both a small passenger railway company and a host company’s rail security coordinator would require approximately 36 hours per year respectively. Therefore, the present value, over the 10 years, of the compliance costs associated with this requirement is estimated at $84,330 for small passenger railway companies; $56,220 for large passenger railway companies; and $14,055 for host companies.

Costs associated with the security inspections requirement

Passenger railway companies would be required to carry out a ground-level visual security inspection of the exterior of the passenger train and the interior of each car prior to the train entering service for the day. The purpose of the security inspection would be to detect any suspicious object, person or circumstance that could endanger the security of railway transportation. Negligible costs would be associated with this requirement, since this requirement could be added to inspections that are already required for passenger railway companies for safety purposes under the Railway Safety Act.

Costs associated with the security exercises requirement

Large passenger railway companies would be required to carry out “operations-based” (every three years) and “discussion-based” (every year) security exercises that would test the effectiveness of their security plans. A discussion-based exercise would not be required in a year when an operations-based exercise is conducted. Assuming 100 employees of a large passenger railway company would be involved in such exercises, the present value of the costs for exercises is expected to be $51,342.

Costs associated with the security reporting requirement

Passenger railway and host companies would be required to report potential threats and other security concerns to TC’s Situation Centre as soon as feasible, but no later than 24 hours after the occurrence of the threat or other security concern. Follow-up information about the incident would also be reportable as soon as it becomes known. It is assumed that, on average, a small passenger railway company and a host railway company would report threats or other security concerns five times a year, while a large passenger railway company would produce an estimated 20 incident reports annually. Assuming the time spent to prepare a report is one hour, the present value of the costs for reporting incidents is estimated at $11,712, $15,617 and $1,952 for small, large and host railway companies, respectively.

The present value of the total compliance costs of the proposed Regulations for affected passenger railway companies and host companies is estimated at $518,161, including $115,451 for small passenger railway companies, $339,260 for large passenger railway companies, and $63,450 for host railway companies.

4.2 Administrative costs

In addition to compliance costs, two requirements would increase the administrative burden on companies, footnote 7 including record keeping and reporting. The present value of the administrative burden costs is estimated at $19,026, which includes $1,567 for small passenger railway companies, $13,809 for large passenger railway companies and $3,651 for host railway companies. Table 2 below presents the present value of the compliance and administrative costs that the proposed Regulations would impose on industry.

Table 2: Costs to railway companies over 10 years (2017 Can$, 7% discount rate) footnote *
Industry Requirements Small Passenger Companies Large Passenger Companies Host Companies Total
Security awareness training $19,409 $113,217 $47,443 $180,069
Security risk assessment $0 $18,027 $0 $18,027
Security plan $0 $15,349 $0 $15,349
Security plan training $0 $69,489 $0 $69,489
Rail security coordinator $84,330 $56,220 $14,055 $154,605
Security exercises $0 $51,342 $0 $51,342
Security incident reporting $11,712 $15,617 $1,952 $29,281
Security inspections $0 $0 $0 $0
Total compliance costs $115,451 $339,260 $63,450 $518,161
Total administrative costs
(record keeping and reporting)
$1,567 $13,809 $3,651 $19,026
Total $117,018 $353,069 $67,101 $537,188
5. Incremental costs to the Government of Canada

Costs of the proposed Regulations to the Government of Canada are mainly for compliance monitoring and enforcement. The Government of Canada would also incur costs to develop and provide ongoing support for the proposed Regulations. Costs would also be incurred for training inspectors.

5.1 Compliance monitoring and enforcement

Inspectors qualified to perform railway security inspections would be expected to provide oversight to ensure compliance once the proposed Regulations come into force. Inspectors would also engage in compliance promotion activities, and develop and distribute guidance and regulatory materials, as required.

The present value of the compliance monitoring and enforcement costs is estimated at $7,719,120 between 2019 and 2028.

5.2 Regulatory development and support

To provide policy and regulatory development and ongoing support for these proposed Regulations, TC has asked for resources, which are estimated at $916,429 over the 2019–2028 period of analysis.

5.3 Training

Training is required to support inspectors in order to ensure that they have the skills and knowledge to conduct their compliance monitoring and enforcement duties. The total training costs (in present value) would be approximately $496,581 over 10 years.

Table 3: Costs to Government over 10 years
(2017 Can$, 7% discount rate)
Type of Costs Incurred by the Government Costs
(Present Value)
Enforcement and compliance costs $7,719,120
Regulatory administration costs $916,429
Training costs $496,581
Total $9,132,130

Benefit valuation

The proposed Regulations are expected to have a positive impact on public security. They are expected to promote a more aware, alert, prepared and proactive regulated community that would be better able to detect, prevent, respond to and recover from terrorist incidents. The proposed Regulations are intended to improve industry’s resilience and to minimize the consequences should an incident occur (minimizing loss of life, property damage, environmental damage and reduced international trade flows).

As with the analysis of other security regulations, it is very difficult to quantify the associated benefits of the proposed Regulations, given that both the probability and the impact (baseline and regulated options) are subjective and uncertain.

The sections below highlight the qualitative and non-monetized benefits derived from enhancing the security of passenger rail transportation in Canada.

Improved security perception

An improved perception of security may have positive effects on passengers, leading to reductions in social costs. The improved feeling of well-being may lead to lower stress and anxiety among the population, which in turn may contribute to lower levels of physical and mental illness. This benefit could correspond to a reduction in health care spending. Therefore, the perception of a high level of security has both direct and indirect benefits for individuals as well as society.

Avoided property damage

By averting or mitigating catastrophic events, property damage both to rail infrastructure and third party property would be avoided, including damage to railway tracks, stations, and surrounding buildings. Buesa et al. footnote 8 found that the damage caused to houses in the 2004 Madrid attack was estimated to be roughly 1.27 million euros and the cost of replacement of the rail material was estimated to be 17 million euros.

Other qualitative benefits

Should the proposed Regulations help to prevent catastrophic events, emergency service costs could be avoided. These costs include, but are not limited to, the services and opportunity costs of police officers, firefighters, ambulances and emergency room staff. Other avoided costs include delays to the rail industry and possibly other modes of transport, and a loss of productivity for the affected sectors. Buesa et al. revealed that the loss of productivity from the 2004 Madrid attack was valued at roughly 2.37 million euros. footnote 9

Cost-benefit statement

1. Summary of costs and benefits

Over the 2019–2028 period of analysis, the total costs to the Government of Canada for implementing the proposed Regulations and to industry for complying with the proposed Regulations would be $9,669,318. The proposal would reduce the risk of fatalities and injuries, but would still not be justified on the basis of the reduction of these risks alone. Other benefits from the proposed Regulations include avoided property damage, improved security perception, and avoided use of emergency services. The summary of the costs and the benefits of the regulatory proposal is presented in Table 4 below.

Table 4: Summary of benefits and costs (2017 Can$)
Costs and Benefits
(in Thousands of Dollars)
2019 2020 2021 2022 2023 2024 2025 2026 2027 2028 Present Value (Over 10 Years,
7% Discount Rate)

Monetized costs

Costs to industry to comply with the proposed Regulations

Compliance 124 29 27 119 27 27 119 27 27 121 518.161
Administrative 5 0 0 5 0 0 5 0 0 5 19.026
Costs to Government to implement the proposed Regulations
Enforcement and compliance 1,025 1,025 1,053 1,023 1,023 1,023 1,023 1,023 1,023 1,023 7,719.120
Regulatory administration 122 122 122 122 122 122 122 122 122 122 916.429
Training 80 80 61 61 61 61 61 61 61 61 496.581
Total costs 1,356 1,255 1,264 1,331 1,234 1,234 1,331 1,234 1,234 1,332 9,669.318
Break-even analysis
  • Reduced risk of fatalities and injuries, but the proposed Regulations would not be justified on the basis of the reduction of these risks alone.
Qualitative benefits
  • Increased perception of security.
  • Avoided property damage to the rail infrastructure and to third party property and infrastructure and avoided environmental damage.
  • Avoided emergency costs: police officers, firefighters, ambulances, paramedics, and emergency room staff.
  • Avoided subsequent health care costs.
  • Avoided delays the rail industry and in other transportation modes.
  • Avoided loss in productivity due to the disruption in transportation of services.

Note: Undiscounted values, except where otherwise indicated.

2. Distributional impacts

A distributional analysis was performed to identify how the costs of the proposed Regulations would potentially affect regulated companies and consumers.

Impacts by sector

The proposed Regulations are expected to impose an additional annualized cost of $76,483 to passenger railway companies and host companies. Table 5 shows that the incremental costs are not distributed homogeneously. The incremental costs borne by a large passenger railway company are about three times the costs imposed on a small passenger railway company or a host railway company. Since these additional costs represent a small fraction of the total operational costs of the rail sector, it is not expected that they would have a detrimental impact among Canadian railway companies.

Table 5: Cost distribution by sector and by company (in 2017 Can$, 7% discount rate)
Cost Distribution Small Passenger Companies Large Passenger Companies Host Companies Total by Sector / Average by Company
By sector $16,661 $50,269 $9,554 $76,483
By company $2,083 $6,284 $1,911 $3,642
Impacts on consumers

Despite the costs noted above, it is expected that the impact on consumers would be negligible as the incremental costs of the proposal only represent a small fraction of the total operational costs of the rail sector.

“One-for-One” Rule

The proposed Regulations would include record-keeping and reporting requirements that would increase the administrative burden costs carried by the affected passenger railway companies and host companies. Therefore, the proposed Regulations are considered to be an “IN” under the Government of Canada’s “One-for-One” Rule, and are estimated to result in an annualized increase in administrative costs of $1,419, or $68 per business (in 2012 Can$).

Record keeping

It is estimated that 50% of the 13 660 (6 830) employees of passenger railway companies and host companies are required to undergo security awareness training once every three years from the coming into force of the proposed Regulations. It is estimated that it would take five minutes per employee to document each employee’s name, a description of the training received and the date and duration of the training.

For large passenger railway companies only, administrative costs are also associated with the record keeping of the information on employees who participate in the security plan training and exercises. It is estimated that 20% of the 9 240 (1 848) employees of large passenger railway companies would be affected by the security plan training requirement once every three years. As previously assumed, five minutes would be needed to record each employee’s name, a description of the training received and the date and duration of the training. Additionally, each of the large passenger railway companies would have an estimated one person spend one day per year to record the security exercises conducted.

Reporting the contact information of the designated rail security coordinator

It is assumed that each of the estimated 21 companies affected by the proposed Regulations would need an average of 10 minutes to prepare and submit the name of the designated rail security coordinator and other relevant information to TC. Whenever there is a replacement of the coordinator, the updated information will have to be submitted to TC. It is assumed that a change of the security coordinator would occur once every three years.

Small business lens

The proposed Regulations would introduce a risk-based approach to passenger rail security. It is assumed that all eight small passenger railway companies, which would be subject to the proposal, are small businesses. In order to reduce compliance costs of operations of small companies, these companies would not be required to comply with the following requirements: security risk assessment, security plan, security plan training, and security exercises. TC considered an initial option that would have required all affected passenger railway companies, large and small, and host railway companies to comply with all of the elements identified above, resulting in significant additional costs for small businesses (see Table 6).

Table 6: Small business lens analysis (2012 Can$, 7% discount rate)
Items for Each Option Flexible Option Initial Option
Short description The proposed requirements

All railway companies, including small passenger railway companies,
would be required to comply with the following additional requirements:

  • Security risk assessment
  • Security plan
  • Security plan training
  • Security exercises
Number of affected small businesses 8 8
Costs Annualized Value ($2012) Present Value
($2012)
Annualized Value ($2012) Present Value
($2012)
Compliance costs $10,500 $73,800 $31,900 $224,400
Administrative costs $400 $2,700 $1,100 $8,100
Total costs $10,900 $76,500 $33,100 $232,500
Average cost per small business $1,361 $9,562 $4,137 $29,059

The present value of the total costs to all small businesses is estimated at $76,500 over a 10-year period, as compared to $232,500 in the case where a flexible option is not considered. Therefore, the flexible option incorporated into the proposed Regulations is estimated to result in a decrease in costs to small businesses, estimated at $156,000, or $19,497 per small business over a 10-year time frame.

Consultation

Throughout fall 2016 and winter 2017, TC engaged stakeholders at initial consultation sessions hosted by TC. Participating stakeholders included the RAC, a number of railway companies under federal jurisdiction, urban transit companies, provincial railway companies, law enforcement personnel and a number of provincial representatives. TC also distributed draft policy recommendations for the proposed Regulations for stakeholder comment.

During these initial consultation sessions and discussions, TC shared its preliminary thoughts in terms of regulatory approach and provided stakeholders with the opportunity to offer their input and suggestions on the proposed Regulations. Stakeholders expressed their general support for TC’s proposal to enhance passenger rail security through regulation.

To add greater detail and to respond to input received at these consultation sessions and from subsequent written comments from stakeholders, TC developed a revised draft of the proposed Regulations, which included changes to a number of elements, including the following:

Following the distribution to stakeholders of a revised draft of the proposed Regulations in summer 2017, TC received written comments and questions from stakeholders. Additional consultations were also held at various locations across Canada, including the following:

Stakeholders communicated their general support for the proposed Regulations, and appreciated the opportunity to provide feedback and be involved in the regulatory development process prior to prepublication in the Canada Gazette, Part I. Some of the written and verbal comments sought clarity with respect to the proposed requirements (i.e. security inspections) or inquired about implementation matters such as timelines, guidance material and TC’s plans for an oversight program. In response, TC emphasized that its oversight program is under development, and guidance is expected to be provided by TC regional inspectors to support regulatory compliance. Other comments focused on specific proposed requirements, which resulted in changes to the proposed Regulations, including the following:

Regulatory cooperation

The Canadian freight rail system is integrated with the U.S. system (e.g. four host railways operate freight services across the Canada–U.S. border). With regard to passenger rail, two U.S. railway companies operate in Canada, and both are signatories to the TC-RAC MOU on Railway Security.

Following the terrorist attacks on September 11, 2001, the United States implemented basic passenger rail security regulations. These regulations include requiring operators to report security concerns to the government and to designate a rail security coordinator who serves as the primary security contact with the United States Transportation Security Administration (TSA). This individual also coordinates security practices and procedures with appropriate law enforcement and emergency response agencies.

The United States has considered additional risk-based passenger rail security regulations, but to date has not introduced measures comparable to the security training, assessment, planning, exercises and inspection requirements in the existing TC-RAC MOU on Railway Security and the proposed Regulations. TC officials have met with officials from the U.S. TSA on a number of occasions to learn about its passenger rail regulatory regime, and to explain Canada’s proposed approach of using the TC-RAC MOU on Railway Security as the basis for its own regulations.

Regulating the main elements of the MOU is not expected to put Canadian railway companies at a disadvantage relative to their U.S. counterparts. Given that the proposed Regulations would mandate what is already standard practice for many Canadian railway companies (and U.S. passenger railroad carriers operating in Canada), compliance costs would represent a small fraction of the total operational costs of the rail sector. Furthermore, competitiveness issues are not expected to arise given that U.S. passenger railroad carriers operating within Canada are required to follow Canadian regulations.

Rationale

Strategic risk and threat assessments conducted by the Government of Canada indicate that Canada’s passenger rail system remains vulnerable to acts of unlawful interference, and the potential adverse impacts of such attacks are significant. The current TC-RAC MOU on Railway Security is voluntary, with no enforcement mechanism, and is confined in scope, as it does not focus on passenger railways specifically nor does it include all passenger and host railway companies under federal jurisdiction. The proposed Regulations would strengthen the security of Canada’s passenger rail system and mitigate these risks.

The specific requirements of the proposed Regulations, except for the “security inspections,” are generally consistent with the elements outlined in the TC-RAC MOU on Railway Security with which stakeholders are well versed (e.g. security training, security risk assessment, security plan reviews, updates and renewals on an annual and three-year basis, security exercises). Introducing regulatory requirements that are already standard practice among industry stakeholders is therefore expected to result in implementation efficiency and effectiveness.

The proposed security requirements would impose administrative and compliance costs on passenger railway and host companies in the amount of $537,188. The potential administrative and compliance burden has been intentionally offset by designing the proposed Regulations to align with key requirements in the existing TC-RAC MOU on Railway Security to which most of the passenger railway and host companies are signatories. The proposed Regulations were also designed using primarily management-based requirements that would provide regulated entities with the flexibility to develop and implement security measures that are commensurate with their individual risk profiles and operational requirements that are suitable for their unique operations and risks.

Furthermore, the proposed Regulations would introduce less burdensome requirements for small passenger and host companies where security risks are recognized to be lower. The Government of Canada would incur administration and enforcement costs of $9,132,130, resulting in total costs of $9,669,318. Notwithstanding that the benefits of the proposal could not be monetized, given the potentially catastrophic impact of a successful act of unlawful interference with passenger rail, and the expectation that the proposed Regulations would meaningfully mitigate the risk and impact of such an act, the proposed Regulations are expected to result in a significant overall benefit to Canadians.

Implementation, enforcement and service standards

TC is following a phased-in approach to allow companies the time to implement the proposed Regulations. Some of the proposed requirements would come into force on a staggered basis — 3, 9 and 15 months after registration, respectively. In the past, TC has also collaborated with industry stakeholders to develop voluntary codes of practice and other guidance materials on conducting security risk assessments, developing and maintaining security plans, conducting security exercises, and employee training and awareness. These materials have had distribution beyond the MOU signatories and currently remain available from TC while the Department develops passenger rail–specific guidance materials for industry prior to the proposed Regulations coming into force.

Regionally located inspectors with security expertise are also available to support and reach out to railway and host companies prior to and after the coming into force dates. TC is currently developing guidance and training programs to ensure security inspectors are adequately prepared to oversee this new program and to facilitate industry compliance. TC also aims to conduct education and awareness activities to support industry and to support regulatory implementation and compliance.

It is TC’s policy on enforcement matters to use a graduated approach that allows industry to take corrective actions before resorting to enforcement actions. However, where compliance is not achieved on a proactive basis or where there is serious non-compliance, enforcement action could be sought through prosecution (indictment or summary conviction) as per paragraph 41 of the Railway Safety Act.

TC intends to use a national network of surface security inspectors to oversee compliance with the proposed Regulations using a risk-based approach. Inspection frequency and scope would be determined based on the outcome of risk assessments. Inspections would be conducted at determined intervals; however, inspectors would have the flexibility to conduct random and for-cause inspections, as deemed appropriate.

Contact

Kim Benjamin
Director General
Intermodal Surface, Security and Emergency Preparedness
Transport Canada
Place de Ville, Tower B
112 Kent Street
Ottawa, Ontario
K1A 0W8
Email: tc.simsregulations-reglementsstti.tc@tc.gc.ca

PROPOSED REGULATORY TEXT

Notice is given that the Governor in Council, pursuant to subsection 18(2.1) footnote a of the Railway Safety Actfootnote b, proposes to make the annexed Passenger Rail Transportation Security Regulations.

Interested persons may make written representations concerning the proposed Regulations within 30 days after the date of publication of this notice. All such representations must cite the Canada Gazette, Part I, and the date of publication of this notice, and be addressed to Kim Benjamin, Director General, Intermodal Surface, Security and Emergency Preparedness, Department of Transport, Place de Ville, Tower B, 112 Kent Street, Ottawa, Ontario K1A 0W8 (email: tc.simsregulations-reglementsstti.tc@tc.gc.ca).

Ottawa, April 4, 2019

Jurica Čapkun
Assistant Clerk of the Privy Council

Passenger Rail Transportation Security Regulations

Interpretation

Definitions

1 The following definitions apply in these Regulations.

PART 1

Security Awareness Training and Security Risk Assessment

Security awareness training program

2 (1) A passenger company and host company must have a security awareness training program that promotes a culture of security vigilance with respect to passenger rail transportation security.

Program training topics

(2) The security awareness training program must cover the following topics:

Prescribed persons

(3) The passenger company or host company must ensure that any person employed by, and any person acting — directly or indirectly — on behalf of, the company and who have any of the following duties relating to the transport of passengers, including the direct supervisors of those persons, undergo security awareness training:

Provision of training

(4) The passenger company or host company must ensure that security awareness training is provided to the person

Supervision

(5) The passenger company or host company must ensure that, until the person undergoes the security awareness training, the person performs their duties under the close supervision of a person who has undergone that training.

Training records

(6) The passenger company or host company must ensure that a training record is kept for each person who has undergone security awareness training and that the record

Retention of training materials

(7) The passenger company or host company must ensure that a copy of the most recent awareness training materials is kept.

Security risk assessment

3 (1) A passenger company, other than a small passenger company, must conduct a security risk assessment of its network and operations that are related to passenger rail transportation in Canada that identifies, describes, assesses and prioritizes security risks and that

Report

(2) The security risk assessment must be documented in a report within 30 days after the day on which the assessment is completed and the report must

Subsequent risk assessments

(3) A passenger company, other than a small passenger company, must conduct a new security risk assessment within three years after the date of the report on the current security risk assessment, including any assessment that was carried out before the day on which these Regulations come into force and that meets the requirements of these Regulations.

Review

(4) A passenger company, other than a small passenger company, must review its security risk assessment as soon as feasible if

Periodic review

(5) A passenger company, other than a small passenger company, must review its security risk assessment at least once every 12 months. A new risk assessment conducted under subsection (3) or a review conducted under subsection (4) is a review for the purposes of this subsection.

Requirements for review

(6) As part of a review referred to in subsection (4) or (5) — with the exception of a new risk assessment referred to in subsection (5) — a passenger company, other than a small passenger company, must

PART 2

Security Plan and Security Plan Training

Security plan — objectives

4 (1) A passenger company, other than a small passenger company, must have and implement a security plan that contains measures to be taken to prepare for, detect, prevent, respond to and recover from acts or attempted acts of unlawful interference with passenger rail transportation.

Strategy

(2) In order to meet the objectives of subsection (1), the security plan must set out

Requirements

(3) The security plan must

Implementation — remedial actions and safeguards

(4) A passenger company, other than a small passenger company, must implement the remedial actions and additional safeguards referred to in subsection (2), in accordance with the security plan.

Timelines and effectiveness — measures

(5) A passenger company, other than a small passenger company, must establish timelines for implementing each remedial action and evaluate its effectiveness in reducing or eliminating the risks.

New remedial action

(6) If the remedial action is not effective in reducing or eliminating some of the risks, the passenger company must identify additional remedial actions or a new action to address those risks.

Security plan management

(7) A passenger company, other than a small passenger company, must

Security plan training

5 (1) A passenger company, other than a small passenger company, must ensure that the following persons employed by, or acting — directly or indirectly — on behalf of, that company undergo training on the components of the security plan referred to in paragraphs 4(3)(c) to (e), (g), (m) and (n), and any other components that are relevant to the person’s duties:

Provision of training

(2) A passenger company, other than a small passenger company, must ensure that the training is provided to those persons

Knowledge and skills

(3) A passenger company, other than a small passenger company, must ensure that persons, on completion of the training, have acquired the knowledge and skills required to carry out the duties referred to in subsection (1).

Supervision

(4) A passenger company, other than a small passenger company, must ensure that, until those persons complete the training, they perform their duties under the close supervision of a person who has completed the training on the overall security plan.

Training on amended plan

(5) A passenger company, other than a small passenger company, that amends its security plan in a way that significantly affects the security duties of a person referred to in subsection (1) must ensure that, within 30 days after the day on which the amendments are implemented, the person is provided with training on the amendments.

Training records

(6) A passenger company, other than a small passenger company, must keep a training record for each person who has undergone the security plan training and must ensure that the record

Retention of training materials

(7) A passenger company, other than a small passenger company, must ensure that a copy is kept of the most recent training materials.

PART 3

Coordination, Inspection and Security Exercises

Rail security coordinator

6 (1) A passenger company and host company must have, at all times, a rail security coordinator or an acting rail security coordinator.

Contact information

(2) The passenger company and host company must provide the Minister with

Duties — passenger company

(3) The passenger company must ensure that the rail security coordinator or acting rail security coordinator

Duties — host company

(4) The host company must ensure that the rail security coordinator or acting rail security coordinator

Security inspection

7 (1) For the purposes of this section, car means a piece of railway equipment that is used for passenger rail transportation and includes a baggage car, a dining car, a sleeping car, a lounge car, an observation car, the locomotive and any freight car that can be subjected to a walk-through inspection.

Visual inspection

(2) In order to ensure that there are no security concerns related to passenger rail transportation, a passenger company must carry out security inspections that consist of both a ground-level visual inspection of the exterior of the train and an inspection of the interior of each car.

Time of inspection

(3) The passenger company must carry out a security inspection before the train enters service for the day. In all cases, the inspection must be carried out before passengers board the train.

Additional inspections

(4) The passenger company must carry out additional security inspections after the train enters service for the day, if they are provided for in the security plan.

Protection of train

(5) When the security inspection is carried out before passengers board the train, the passenger company must ensure that the train is protected from unauthorized interference from the start of the security inspection until passengers board the train.

Signs of tampering, suspicious items and other security concerns

(6) If the passenger company discovers signs of tampering, a suspicious item or the presence of other security concerns during the security inspection, it must determine whether security has been compromised.

Compromise of security

(7) If the passenger company determines during the security inspection that security has been compromised, it must resolve the situation before releasing the train for service.

Records

(8) The passenger company must keep a record of each security inspection and ensure that the record contains the following information:

Retention period

(9) The passenger company must retain the record for three years after the day on which the security inspection is conducted.

Operations-based security exercise

8 (1) A passenger company, other than a small passenger company, must carry out, at least once every three years after the day on which section 4 comes into force or, in the case of a passenger company created after the day on which section 4 comes into force, within three years after the day of its creation, an operations-based security exercise that is designed to address acts or attempted acts of unlawful interference with passenger rail transportation and that tests

Deemed — security exercises

(2) The implementation of safeguards in response to a heightened risk condition may be considered an operations-based security exercise if it tests

Notice

(3) A passenger company, other than a small passenger company, must give the Minister 30 days’ notice of any operations-based security exercise that it plans to carry out.

Discussion-based security exercise

(4) A passenger company, other than a small passenger company, must carry out a discussion-based security exercise at least once every year after the day on which section 4 comes into force or, in the case of a passenger company created after the day on which section 4 comes into force, from the day of its creation, in order to address acts or attempted acts of unlawful interference with passenger rail transportation and that tests the effectiveness of the security plan with respect to

Exception

(5) An operations-based security exercise carried out under subsection (1) or referred to in subsection (2) is considered to be a discussion-based security exercise for the purposes of subsection (4).

Participants

(6) A passenger company, other than a small passenger company, must ensure that persons with security duties that are relevant to the scenario selected for the exercise participate in the exercise referred to in subsection (1) or (4). In addition, the company must invite host companies and law enforcement and emergency response agencies to participate in the exercise, if their participation is relevant to the scenario.

Records

(7) A passenger company, other than a small passenger company, must create a record of each exercise carried out under subsections (1), (2) and (4) within 30 days after the date of the exercise and must ensure that the record contains the following information:

Retention period

(8) A passenger company, other than a small passenger company, must ensure the record of each exercise is retained for three years after the date of the exercise.

Actions

(9) A passenger company, other than a small passenger company, must implement any action to address deficiencies that were identified during the exercise and that could adversely impact the security of passenger rail transportation.

PART 4

Security Reporting Requirements

Report

9 (1) A passenger company or host company must report to the Transport Canada Situation Centre, by any direct means of communication established and communicated by the Centre, any threat or other security concern that results or may result in an unlawful interference with passenger rail transportation. The report must be made as soon as feasible but no later than 24 hours after the occurrence of the threat or other security concern.

Threats and other security concerns

(2) Threats and other security concerns include

Information to be provided

(3) The information provided must include, to the extent known, the following:

Follow-up information

(4) The passenger company or host company must provide to the Transport Canada Situation Centre any information referred to in subsection (3) that was not previously reported, as soon as it becomes known.

Avoidance of double reporting — other company

(5) The passenger company or host company is not required to make a report under this section if the same threat or other security concern has been reported by another company under this section.

Provision of information — passenger company

(6) A passenger company that operates on a host company’s railway must, as soon as feasible, notify the host company if the passenger company becomes aware of a threat or other security concern that could impact the operations of the host company.

Provision of information — host company

(7) A host company must, as soon as feasible, notify a passenger company that operates on its railway if the host company becomes aware of a threat or other security concern that could impact the operations of the passenger company.

Coming into Force

Registration

10 (1) Subject to subsections (2) to (4), these Regulations come into force on the day on which they are registered.

Three months after registration

(2) Section 2 and subsections 7(2), (3) and (5) to (9) come into force on the day that, in the third month after the month in which these Regulations are registered, has the same calendar number as the day on which they are registered or, if that third month has no day with that number, the last day of that third month.

Nine months after registration

(3) Sections 3 and 4 and subsection 7(4) come into force on the day that, in the ninth month after the month in which these Regulations are registered, has the same calendar number as the day on which they are registered or, if that ninth month has no day with that number, the last day of that ninth month.

Fifteen months after registration

(4) Sections 5 and 8 come into force on the day that, in the fifteenth month after the month in which these Regulations are registered, has the same calendar number as the day on which they are registered or, if that fifteenth month has no day with that number, the last day of that fifteenth month.