Canada Gazette, Part I, Volume 153, Number 15: Passenger Rail Transportation Security Regulations

April 13, 2019

Statutory authority
Railway Safety Act

Sponsoring department
Department of Transport

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Regulations.)

Executive summary

Background

Passenger rail systems are important to the economic and social well-being of Canadians. A number of passenger railway companies operate in Canada, with three categories of rail service that vary in network size, geographic location and passenger numbers: intercity passenger rail, urban transit (including commuter, light rail and subway), and tourist rail, some of which are seasonal. As of early 2019, there were 16 passenger railway companies under federal jurisdiction and 7 federal freight railway companies that host passenger railway companies on their networks.

Passenger rail systems typically operate on a vast, open network with multiple public access points. In some cases, these systems connect to multimodal stations, operate on and are adjacent to freight rail networks transporting dangerous goods in major urban centres and move millions of passengers daily. These characteristics make passenger rail systems vulnerable to security incidents, which carry risks to human health and safety as well as risks of property damage.

Although there is no specific threat to passenger rail systems in Canada at this time and there have been no successful attempts of unlawful interference in Canada, recent assessments conducted by the Government of Canada indicate that improvements can be made to passenger rail systems to protect against unlawful interference. International events in which there have been attacks on rail systems have also underscored the need for enhanced security precautions.

To date, Transport Canada and the rail industry have been working together through a voluntary framework to strengthen rail security, in part through a Memorandum of Understanding with the Railway Association of Canada and its member signatories (TC-RAC MOU on Railway Security). ^{footnote 3} The MOU outlines security components, such as developing security plans, conducting exercises and security awareness training, record keeping and reporting security incidents to TC’s Situation Centre. ^{footnote 4} Currently, 26 RAC members, 11 of which operate passenger rail services, have signed on to meet the terms and conditions of this MOU.

The United States implemented basic passenger rail security regulations following the terrorist attacks on September 11, 2001, with requirements that passenger railroad carriers report potential threats and significant security concerns to the government and designate a rail security coordinator who serves as the primary security contact with the U.S. Transportation Security Administration (TSA), and who coordinates “security practices and procedures with appropriate law enforcement and emergency response agencies.” ^{footnote 5}

Issues

The passenger rail sector has unique security vulnerabilities due to its inherent open design and extensive networks.

The current approach to managing security risks, through the TC-RAC MOU on Railway Security, has limitations. The MOU only targets rail transportation in general, and does not specifically focus on passenger rail operations. Furthermore, some federally regulated passenger railway companies are not currently participating in the MOU, and compliance with the MOU is voluntary. There is no enforcement mechanism. Therefore, regulations are necessary to ensure that the passenger rail sector employs measures to address security risks.

Objectives

The objectives of the proposed Regulations are to

• support the Government of Canada’s overall mission to promote a safe, secure, efficient and environmentally responsible transportation system;
• increase the likelihood that attempted security-related interference with passenger rail transportation will be detected and prevented; and
• mitigate the impacts of acts or attempted acts of unlawful interference.

Description

The proposed Regulations would address passenger rail system risks primarily using a management-based approach that would require passenger and host railway companies to implement security processes to effectively manage their identified security risks. This approach would give railway companies the flexibility to adopt security practices and measures that are unique to their operations and adapt to a changing risk environment. Specific elements of the proposed Regulations include

1. Security awareness training;
2. Security risk assessment;
3. Security plan;
4. Security plan training;
5. Rail security coordinator;
6. Security inspections;
7. Security exercises; and
8. Security reporting.

The proposed Regulations would also require passenger railway and host companies to report and keep records to document their compliance with these requirements.

1. Security awareness training

Persons employed by passenger and host railway companies, and persons acting — directly or indirectly — on behalf of the company, and who have specific duties related to the transport of passengers, would be required to undergo recurrent training on basic security topics every three years (e.g. security risks related to passenger rail transportation, how to recognize potential threats and other security concerns, the actions to be taken by personnel in response to potential threats and other security concerns, and the company’s security measures and procedures).

2. Security risk assessment

A passenger railway company, other than a small passenger company (i.e. a passenger company that transported fewer than 60 000 passengers in one of the two previous calendar years), would be required to conduct a security risk assessment of its network and operations that identifies, describes, assesses and prioritizes rail security risks. The assessment would be based on key elements, including current security threats, critical assets, security vulnerabilities, and the potential impacts of a successful act of unlawful interference. The risk assessment would identify, for each risk, the likelihood that the risk will occur, the severity of potential impacts if it occurs, and potential security safeguards to mitigate the identified risks. Companies would be required to review their security risk assessments at least every 12 months, and conduct a new assessment no more than three years after the current assessment was finalized.

3. Security plan

A passenger railway company, other than a small passenger company, would be required to implement a security plan that aims to prepare for, detect and prevent, respond to and recover from acts or attempted acts of unlawful interference with passenger rail transportation. Security plans would be required to include a risk management strategy that addresses the risks identified and prioritized in the company’s security risk assessment, and additional security safeguards that are intended to mitigate heightened risk conditions. The proposed Regulations would set out general elements that must be included in each railway company’s security plan, including a program for security awareness and security plan training, a process for conducting security risk assessments, remedial actions and safeguards, security inspections, security exercises and security incident reporting. Companies would be required to review their security plans at least once every 12 months and conduct a comprehensive review of the plan at least once every three years. The annual review would include assessing whether the plan addresses any new risks identified during the most recent security risk assessment (e.g. annual risk assessment). The comprehensive review would be based on the new risk assessment that passenger railway companies are required to conduct every three years.

4. Security plan training

A passenger railway company with a security plan would be required to ensure that any employee who is mainly responsible for the development and implementation of the plan, or has security duties according to the plan, undergoes training on key elements of the security plan and any other relevant portions of the plan as it relates to their role. The company would also be required to ensure that the employee has the knowledge and skills to implement that portion of the plan that they are responsible for, and to carry out their security roles and responsibilities. Training on a recurrent basis, at least once every three years, would also be required, and when there are significant amendments made to the plan.

5. Rail security coordinator

Passenger and host railway companies would be required to have a rail security coordinator to coordinate security practices within their companies, act as the principal contact for security-related activities and communications between the company and the Minister of Transport, and coordinate communication between the company, other passenger or host railway companies, law enforcement and emergency response agencies.

6. Security inspections

Passenger railway companies would be required to carry out a ground-level visual security inspection of the exterior of the passenger train and the interior of each car prior to the train entering service for the day. In other words, a passenger company could complete its security inspection as required at any time prior to the train entering service for the day, as long as it keeps the train secure after the inspection until passengers board the train. The purpose of the inspection would be to detect any suspicious object, person or circumstance that could endanger the security of rail transportation. Additional inspections could be undertaken after the passenger train enters service for the day, if necessary under the security plan.

7. Security exercises

A passenger railway company, other than a small passenger company, would be required to carry out “operations-based” (every three years) and “discussion-based” (every year) security exercises that would test the effectiveness of their security plans (a discussion-based exercise would not be required in a year when an operations-based exercise is conducted). Typically, an “operations-based” security exercise is a simulated security incident in which the railway company could perform the tasks expected of them in a real emergency. In contrast, a “discussion-based” exercise generally simulates a security incident facilitated via participant discussions and not directly through operational activities.

8. Security reporting

Passenger railway and host companies would be required to report potential threats and other security concerns to the TC Situation Centre as soon as feasible, but no later than 24 hours after the occurrence of the threat or other security concern. Follow-up information about the incident would also be reportable as soon as it becomes known. The proposed Regulations would provide a list of reportable threats and concerns (e.g. bomb threats, reports or discoveries of suspicious items, signs of tampering with rail equipment or railway works).

Implementing compliance flexibilities for passenger railway and host companies combined with a phased-in approach

The proposed Regulations would include compliance flexibilities, to ensure that required security measures are commensurate with company risk profiles and operational requirements. As illustrated in Table 1 below, large passenger railway companies would be required to comply with the full suite of requirements described above. Small passenger railway companies would not be required to comply with a security risk assessment, security planning and security exercise requirements. Host companies would not be required to comply with a security risk assessment, security planning, security exercises and security inspection requirements.

Moreover, TC is proposing a phased-in approach to allow railway companies the time to implement the proposed Regulations. For example, some of the proposed requirements would come into force on a staggered basis — 3, 9 and 15 months after registration, respectively.

Table 1: Application of the proposed Passenger Rail Transportation Security Regulations

Proposed Requirements	Large Passenger Railway Companies	Small Passenger Railway Companies	Host Railway Companies	Length of Time After Registration Before Coming into Force
1. Security awareness training	Yes	Yes	Yes	3 months
2. Security risk assessment	Yes	No	No	9 months
3. Security plan	Yes	No	No	9 months
4. Security plan training	Yes	No	No	15 months (i.e. 6 months after security plan requirements come into force)
5. Rail security coordinator	Yes	Yes	Yes	Registration day
6. Security inspections	Yes	Yes	No	3 months
7. Security exercises	Yes	No	No	15 months (i.e. 6 months after security plan requirements come into force)
8. Security reporting	Yes	Yes	Yes	Registration day

Regulatory and non-regulatory options considered

In light of the inherent vulnerability of the open passenger rail system, the ongoing potential security threat and the significant negative impacts that a potential security incident could have, TC considered a number of options to strengthen the security of Canada’s passenger rail system, including

• (1) maintaining the status quo;
• (2) developing one regulatory regime that would apply to railway companies under federal jurisdiction regardless of whether they are a small or large passenger railway company, or a host company; and
• (3) implementing management-based security requirements for regulated entities to develop and implement security measures that are commensurate with their individual risk profiles and operational requirements.

Option 1 — Maintaining the status quo

TC considered maintaining its voluntary approach and working with companies to help them meet the existing MOU commitments and promote a more secure surface and intermodal transportation system. This approach would have limited effectiveness given the MOU’s voluntary nature (e.g. no enforcement mechanism) and its confined scope that does not specifically target passenger rail systems. Furthermore, since not all railway companies under federal jurisdiction choose to participate in the existing MOU, a voluntary approach may therefore be characterized by continued security gaps.

Option 2 — Developing one regulatory regime for all railway companies under federal jurisdiction

TC considered developing passenger railway security regulations that would place identical regulatory requirements on all passenger companies, regardless of whether they are a large passenger, small passenger or host company. Such an approach would place a disproportionate cost on smaller companies, some of which may face risks that differ from those carried by larger companies. This may potentially impact their ability to operate and impede their ability to become and remain compliant with the proposed Regulations. Under this approach, TC would also need to develop an expanded oversight and enforcement regime to ensure compliance, adding more costs to the Government of Canada with minimal incremental risk reduction.

Option 3 — Implementing management-based security requirements (proposed option)

Based on an analysis of the options, TC considers management-based security regulations for passenger railway and host companies to be the most appropriate and effective option at this time. These proposed Regulations would provide regulated entities with the flexibility to develop and implement security measures that would be commensurate with their individual risk profiles and operational requirements, while improving the ability of railway companies to prepare for, detect, prevent, mitigate, respond to and recover from potential security incidents.

The proposed Regulations would be based on key requirements outlined in the MOU, which are expected to reduce compliance costs for current MOU signatories. To help minimize the compliance burden further, less burdensome requirements would apply to small passenger railway companies and host companies. Large passenger railway companies would be required to comply with the full suite of regulatory requirements, whereas small railway companies would be expected to comply with fewer requirements, while still being required to address risks (see Table 1 above).

Benefits and costs

Cost valuation

1. Framework for evaluating costs

The costing approach identifies, quantifies and monetizes, where possible, the incremental costs of the proposed Regulations. The time period used to evaluate the incremental costs is 10 years (2019–2028). All the dollar figures are presented in 2017 Canadian dollars (2017 Can$) with a discount rate of 7% used to derive the costs in present values. The incremental variable costs have been examined in the baseline and regulatory scenarios.

2. Baseline scenario

At present, there are 21 railway companies (8 small passenger railway companies, 8 large passenger railway companies and 5 host railway companies) ^{footnote 6} that would be directly affected by the proposed requirements. Of the 21 companies captured by the proposed Regulations, 16 (including 3 small passenger companies, all 8 large passenger companies and all 5 host companies) are signatories to the TC-RAC MOU on Railway Security.

This MOU provides a voluntary approach to dealing with rail security matters across Canada. Some of its key requirements include conducting risk assessments, developing security plans based on the identified risks, conducting exercises, training employees and reporting incidents.

The proposed Regulations include the key elements from the MOU as well as a requirement to carry out security inspections. It is expected that there would be little or no incremental costs associated with the inspection requirement, as pre-trip inspections are already required for many companies for safety purposes under the Railway Safety Act.

Since the proposed Regulations are primarily based on the requirements outlined in the MOU, and to account for those activities already undertaken, the cost of compliance (number of companies and employees) has been reduced by 75% for MOU signatories.

3. Regulatory scenario and incremental changes

The analysis assumes that the incremental costs associated with the additional requirements would be minimal for the MOU signatories. Those MOU signatories would bear about 25% of the incremental costs, compared to the non-MOU signatories.

For non-MOU signatories (five small passenger railway companies), the proposed Regulations would also include compliance flexibility, resulting in minimal compliance costs. Overall, it is estimated that small passenger railway companies would experience, on average, a 31% incremental change from the baseline. Large passenger railway companies would bear a 25% change in costs, while host railway companies would face, on average, an 11% change in costs from the baseline.

4. Incremental costs to industry

Passenger and host railway companies would bear compliance and administrative costs. Incremental costs would be assumed for the following elements of the proposed Regulations: security awareness training, security risk assessment, security plan development and training, the designation of a rail security coordinator, security inspections, exercises, security incident reporting, and administrative requirements (e.g. record keeping).

4.1 Incremental compliance costs

Costs associated with the security awareness training requirement

Under the proposed Regulations, a passenger or host company must ensure that persons employed by and persons acting — directly or indirectly — on behalf of the company, and who have certain duties outlined in the proposed Regulations that involve the transport of passengers, would be required to complete an estimated one hour of training, occurring every three years, on basic security topics. TC anticipates that 50% of the estimated total employees working for the 21 federally regulated companies would be affected. The present value of the total costs of awareness training over the 10-year period is estimated at $19,409 for small passenger railway companies; $113,217 for large passenger railway companies; and $47,443 for host railway companies.

Costs associated with the security risk assessment requirement

Large passenger railway companies would be required, once every three years, to conduct a security risk assessment of their network and operations that identifies, describes, assesses and prioritizes rail security risks. It is assumed that 50 hours and 15 hours are required respectively for development of the initial risk assessment and for the risk assessment review and update. The overall present value of the costs for risk assessments over the 2019–2028 period is estimated at approximately $18,027.

Costs associated with the security plan requirement

Large passenger railway companies would be required to implement a security plan that aims to prepare for, detect and prevent, respond to and recover from acts or attempted acts of unlawful interference with passenger railway transportation. It includes a risk management strategy that addresses the risks identified and prioritized in the company’s security risk assessment, and scalable measures for times of heightened risk. Companies would require an estimated 50 hours in 2019 to develop the plan and an estimated 15 hours to review and update it in the second through tenth years. Costs associated with the security plan development, review and update are expected to be $15,349 over the 10-year period.

Costs associated with the security plan training requirement

A passenger railway company with a security plan would be required to ensure that any employee who is mainly responsible for the development and implementation of the plan, or has security duties according to the plan, undergoes training on key elements of the security plan and any other relevant portions of the plan as it relates to their role. The company would also be required to ensure that the employee has the knowledge and skill to implement that portion of the plan that they are responsible for, and to carry out their security roles and responsibilities. Training on a recurrent basis, at least once every three years, would also be required, and when there are amendments made to the plan. It is assumed that, on average, each company would need an estimated 15 hours to develop the security plan training program and an estimated 1.5 hours once every three years for employee training. The present value of the total estimated costs of the security plan training requirement over the 10 years is estimated at $69,489.

Costs associated with the rail security coordinator requirement

Passenger and host railway companies would be required to have a rail security coordinator to coordinate security practices within their companies, act as the primary contact for security-related activities and communications between the company and the Minister of Transport, and coordinate communication between the company, other passenger or host companies, law enforcement and emergency response agencies. To fulfill their duties, it is estimated that a large passenger railway company’s rail security coordinator would require approximately 72 hours per year, and both a small passenger railway company and a host company’s rail security coordinator would require approximately 36 hours per year respectively. Therefore, the present value, over the 10 years, of the compliance costs associated with this requirement is estimated at $84,330 for small passenger railway companies; $56,220 for large passenger railway companies; and $14,055 for host companies.

Costs associated with the security inspections requirement

Passenger railway companies would be required to carry out a ground-level visual security inspection of the exterior of the passenger train and the interior of each car prior to the train entering service for the day. The purpose of the security inspection would be to detect any suspicious object, person or circumstance that could endanger the security of railway transportation. Negligible costs would be associated with this requirement, since this requirement could be added to inspections that are already required for passenger railway companies for safety purposes under the Railway Safety Act.

Costs associated with the security exercises requirement

Large passenger railway companies would be required to carry out “operations-based” (every three years) and “discussion-based” (every year) security exercises that would test the effectiveness of their security plans. A discussion-based exercise would not be required in a year when an operations-based exercise is conducted. Assuming 100 employees of a large passenger railway company would be involved in such exercises, the present value of the costs for exercises is expected to be $51,342.

Costs associated with the security reporting requirement

Passenger railway and host companies would be required to report potential threats and other security concerns to TC’s Situation Centre as soon as feasible, but no later than 24 hours after the occurrence of the threat or other security concern. Follow-up information about the incident would also be reportable as soon as it becomes known. It is assumed that, on average, a small passenger railway company and a host railway company would report threats or other security concerns five times a year, while a large passenger railway company would produce an estimated 20 incident reports annually. Assuming the time spent to prepare a report is one hour, the present value of the costs for reporting incidents is estimated at $11,712, $15,617 and $1,952 for small, large and host railway companies, respectively.

The present value of the total compliance costs of the proposed Regulations for affected passenger railway companies and host companies is estimated at $518,161, including $115,451 for small passenger railway companies, $339,260 for large passenger railway companies, and $63,450 for host railway companies.

4.2 Administrative costs

In addition to compliance costs, two requirements would increase the administrative burden on companies, ^{footnote 7} including record keeping and reporting. The present value of the administrative burden costs is estimated at $19,026, which includes $1,567 for small passenger railway companies, $13,809 for large passenger railway companies and $3,651 for host railway companies. Table 2 below presents the present value of the compliance and administrative costs that the proposed Regulations would impose on industry.

Table 2: Costs to railway companies over 10 years (2017 Can$, 7% discount rate) ^{footnote *}

Industry Requirements	Small Passenger Companies	Large Passenger Companies	Host Companies	Total
Security awareness training	$19,409	$113,217	$47,443	$180,069
Security risk assessment	$0	$18,027	$0	$18,027
Security plan	$0	$15,349	$0	$15,349
Security plan training	$0	$69,489	$0	$69,489
Rail security coordinator	$84,330	$56,220	$14,055	$154,605
Security exercises	$0	$51,342	$0	$51,342
Security incident reporting	$11,712	$15,617	$1,952	$29,281
Security inspections	$0	$0	$0	$0
Total compliance costs	$115,451	$339,260	$63,450	$518,161
Total administrative costs (record keeping and reporting)	$1,567	$13,809	$3,651	$19,026
Total	$117,018	$353,069	$67,101	$537,188

5. Incremental costs to the Government of Canada

Costs of the proposed Regulations to the Government of Canada are mainly for compliance monitoring and enforcement. The Government of Canada would also incur costs to develop and provide ongoing support for the proposed Regulations. Costs would also be incurred for training inspectors.

5.1 Compliance monitoring and enforcement

Inspectors qualified to perform railway security inspections would be expected to provide oversight to ensure compliance once the proposed Regulations come into force. Inspectors would also engage in compliance promotion activities, and develop and distribute guidance and regulatory materials, as required.

The present value of the compliance monitoring and enforcement costs is estimated at $7,719,120 between 2019 and 2028.

5.2 Regulatory development and support

To provide policy and regulatory development and ongoing support for these proposed Regulations, TC has asked for resources, which are estimated at $916,429 over the 2019–2028 period of analysis.

5.3 Training

Training is required to support inspectors in order to ensure that they have the skills and knowledge to conduct their compliance monitoring and enforcement duties. The total training costs (in present value) would be approximately $496,581 over 10 years.

Table 3: Costs to Government over 10 years
(2017 Can$, 7% discount rate)

Type of Costs Incurred by the Government	Costs (Present Value)
Enforcement and compliance costs	$7,719,120
Regulatory administration costs	$916,429
Training costs	$496,581
Total	$9,132,130

Benefit valuation

The proposed Regulations are expected to have a positive impact on public security. They are expected to promote a more aware, alert, prepared and proactive regulated community that would be better able to detect, prevent, respond to and recover from terrorist incidents. The proposed Regulations are intended to improve industry’s resilience and to minimize the consequences should an incident occur (minimizing loss of life, property damage, environmental damage and reduced international trade flows).

As with the analysis of other security regulations, it is very difficult to quantify the associated benefits of the proposed Regulations, given that both the probability and the impact (baseline and regulated options) are subjective and uncertain.

The sections below highlight the qualitative and non-monetized benefits derived from enhancing the security of passenger rail transportation in Canada.

Improved security perception

An improved perception of security may have positive effects on passengers, leading to reductions in social costs. The improved feeling of well-being may lead to lower stress and anxiety among the population, which in turn may contribute to lower levels of physical and mental illness. This benefit could correspond to a reduction in health care spending. Therefore, the perception of a high level of security has both direct and indirect benefits for individuals as well as society.

Avoided property damage

By averting or mitigating catastrophic events, property damage both to rail infrastructure and third party property would be avoided, including damage to railway tracks, stations, and surrounding buildings. Buesa et al. ^{footnote 8} found that the damage caused to houses in the 2004 Madrid attack was estimated to be roughly 1.27 million euros and the cost of replacement of the rail material was estimated to be 17 million euros.

Other qualitative benefits

Should the proposed Regulations help to prevent catastrophic events, emergency service costs could be avoided. These costs include, but are not limited to, the services and opportunity costs of police officers, firefighters, ambulances and emergency room staff. Other avoided costs include delays to the rail industry and possibly other modes of transport, and a loss of productivity for the affected sectors. Buesa et al. revealed that the loss of productivity from the 2004 Madrid attack was valued at roughly 2.37 million euros. ^{footnote 9}

Cost-benefit statement

1. Summary of costs and benefits

Over the 2019–2028 period of analysis, the total costs to the Government of Canada for implementing the proposed Regulations and to industry for complying with the proposed Regulations would be $9,669,318. The proposal would reduce the risk of fatalities and injuries, but would still not be justified on the basis of the reduction of these risks alone. Other benefits from the proposed Regulations include avoided property damage, improved security perception, and avoided use of emergency services. The summary of the costs and the benefits of the regulatory proposal is presented in Table 4 below.

Table 4: Summary of benefits and costs (2017 Can$)

Costs and Benefits (in Thousands of Dollars)	2019	2020	2021	2022	2023	2024	2025	2026	2027	2028	Present Value (Over 10 Years, 7% Discount Rate)
Monetized costs Costs to industry to comply with the proposed Regulations
Compliance	124	29	27	119	27	27	119	27	27	121	518.161
Administrative	5	0	0	5	0	0	5	0	0	5	19.026
Costs to Government to implement the proposed Regulations
Enforcement and compliance	1,025	1,025	1,053	1,023	1,023	1,023	1,023	1,023	1,023	1,023	7,719.120
Regulatory administration	122	122	122	122	122	122	122	122	122	122	916.429
Training	80	80	61	61	61	61	61	61	61	61	496.581
Total costs	1,356	1,255	1,264	1,331	1,234	1,234	1,331	1,234	1,234	1,332	9,669.318
Break-even analysis Reduced risk of fatalities and injuries, but the proposed Regulations would not be justified on the basis of the reduction of these risks alone.
Qualitative benefits Increased perception of security. Avoided property damage to the rail infrastructure and to third party property and infrastructure and avoided environmental damage. Avoided emergency costs: police officers, firefighters, ambulances, paramedics, and emergency room staff. Avoided subsequent health care costs. Avoided delays the rail industry and in other transportation modes. Avoided loss in productivity due to the disruption in transportation of services.

Note: Undiscounted values, except where otherwise indicated.

2. Distributional impacts

A distributional analysis was performed to identify how the costs of the proposed Regulations would potentially affect regulated companies and consumers.

Impacts by sector

The proposed Regulations are expected to impose an additional annualized cost of $76,483 to passenger railway companies and host companies. Table 5 shows that the incremental costs are not distributed homogeneously. The incremental costs borne by a large passenger railway company are about three times the costs imposed on a small passenger railway company or a host railway company. Since these additional costs represent a small fraction of the total operational costs of the rail sector, it is not expected that they would have a detrimental impact among Canadian railway companies.

Table 5: Cost distribution by sector and by company (in 2017 Can$, 7% discount rate)

Cost Distribution	Small Passenger Companies	Large Passenger Companies	Host Companies	Total by Sector / Average by Company
By sector	$16,661	$50,269	$9,554	$76,483
By company	$2,083	$6,284	$1,911	$3,642

Impacts on consumers

Despite the costs noted above, it is expected that the impact on consumers would be negligible as the incremental costs of the proposal only represent a small fraction of the total operational costs of the rail sector.

“One-for-One” Rule

The proposed Regulations would include record-keeping and reporting requirements that would increase the administrative burden costs carried by the affected passenger railway companies and host companies. Therefore, the proposed Regulations are considered to be an “IN” under the Government of Canada’s “One-for-One” Rule, and are estimated to result in an annualized increase in administrative costs of $1,419, or $68 per business (in 2012 Can$).

Record keeping

It is estimated that 50% of the 13 660 (6 830) employees of passenger railway companies and host companies are required to undergo security awareness training once every three years from the coming into force of the proposed Regulations. It is estimated that it would take five minutes per employee to document each employee’s name, a description of the training received and the date and duration of the training.

For large passenger railway companies only, administrative costs are also associated with the record keeping of the information on employees who participate in the security plan training and exercises. It is estimated that 20% of the 9 240 (1 848) employees of large passenger railway companies would be affected by the security plan training requirement once every three years. As previously assumed, five minutes would be needed to record each employee’s name, a description of the training received and the date and duration of the training. Additionally, each of the large passenger railway companies would have an estimated one person spend one day per year to record the security exercises conducted.

Reporting the contact information of the designated rail security coordinator

It is assumed that each of the estimated 21 companies affected by the proposed Regulations would need an average of 10 minutes to prepare and submit the name of the designated rail security coordinator and other relevant information to TC. Whenever there is a replacement of the coordinator, the updated information will have to be submitted to TC. It is assumed that a change of the security coordinator would occur once every three years.

Small business lens

The proposed Regulations would introduce a risk-based approach to passenger rail security. It is assumed that all eight small passenger railway companies, which would be subject to the proposal, are small businesses. In order to reduce compliance costs of operations of small companies, these companies would not be required to comply with the following requirements: security risk assessment, security plan, security plan training, and security exercises. TC considered an initial option that would have required all affected passenger railway companies, large and small, and host railway companies to comply with all of the elements identified above, resulting in significant additional costs for small businesses (see Table 6).

Table 6: Small business lens analysis (2012 Can$, 7% discount rate)

Items for Each Option	Flexible Option		Initial Option
Short description	The proposed requirements		All railway companies, including small passenger railway companies, would be required to comply with the following additional requirements: Security risk assessment Security plan Security plan training Security exercises
Number of affected small businesses	8		8
Costs	Annualized Value ($2012)	Present Value ($2012)	Annualized Value ($2012)	Present Value ($2012)
Compliance costs	$10,500	$73,800	$31,900	$224,400
Administrative costs	$400	$2,700	$1,100	$8,100
Total costs	$10,900	$76,500	$33,100	$232,500
Average cost per small business	$1,361	$9,562	$4,137	$29,059

The present value of the total costs to all small businesses is estimated at $76,500 over a 10-year period, as compared to $232,500 in the case where a flexible option is not considered. Therefore, the flexible option incorporated into the proposed Regulations is estimated to result in a decrease in costs to small businesses, estimated at $156,000, or $19,497 per small business over a 10-year time frame.

Consultation

Throughout fall 2016 and winter 2017, TC engaged stakeholders at initial consultation sessions hosted by TC. Participating stakeholders included the RAC, a number of railway companies under federal jurisdiction, urban transit companies, provincial railway companies, law enforcement personnel and a number of provincial representatives. TC also distributed draft policy recommendations for the proposed Regulations for stakeholder comment.

During these initial consultation sessions and discussions, TC shared its preliminary thoughts in terms of regulatory approach and provided stakeholders with the opportunity to offer their input and suggestions on the proposed Regulations. Stakeholders expressed their general support for TC’s proposal to enhance passenger rail security through regulation.

To add greater detail and to respond to input received at these consultation sessions and from subsequent written comments from stakeholders, TC developed a revised draft of the proposed Regulations, which included changes to a number of elements, including the following:

• Security awareness training: TC adjusted its initial policy recommendation for this requirement by
  • limiting the scope of application so that prescribed persons (i.e. those with duties related to rail equipment and railway works, who interact with the public and who comply with the company’s security processes, including those set out in the security plan) would be provided with security awareness training, instead of all employees;
  • extending the time within which security awareness training is to be provided to a person from 30 to 90 days from when this requirement comes into force or from when they initially assume their duties; and
  • recognizing equivalent security awareness training received by employees prior to the coming into force of this requirement.
• Security risk assessment: wording was added to recognize previous security assessments conducted before the proposed Regulations come into force and that meet the requirements of the proposed Regulations.
• Security plan: details were added about requiring large passenger railway companies to implement remedial and additional security safeguards, as required.
• Security plan training: TC adjusted its initial policy recommendation for this requirement by
  • recognizing equivalent training on a company’s security plan that is conducted before the coming into force of this requirement.
• Security inspection: TC adjusted its initial policy recommendation for this requirement by
  • clarifying that a passenger railway company must carry out additional security inspections, other than prior to the train entering service for the day, if necessary under the security plan.
• Security exercises: TC adjusted its initial policy recommendation for this requirement by
  • reducing the number of days within which a passenger railway company would be required to give the Minister of Transport notice of an upcoming exercise, from 60 to 30 days; and
  • clarifying that persons with security duties that are relevant to the scenario selected for the exercise would be required to participate, and not all personnel with security responsibilities.

Following the distribution to stakeholders of a revised draft of the proposed Regulations in summer 2017, TC received written comments and questions from stakeholders. Additional consultations were also held at various locations across Canada, including the following:

• Montréal, Quebec, July 2017;
• Vancouver, British Columbia, July 2017;
• Ottawa, Ontario, August 2017;
• Montréal, Quebec, September 2017; and
• Winnipeg, Manitoba, November 2017.

Stakeholders communicated their general support for the proposed Regulations, and appreciated the opportunity to provide feedback and be involved in the regulatory development process prior to prepublication in the Canada Gazette, Part I. Some of the written and verbal comments sought clarity with respect to the proposed requirements (i.e. security inspections) or inquired about implementation matters such as timelines, guidance material and TC’s plans for an oversight program. In response, TC emphasized that its oversight program is under development, and guidance is expected to be provided by TC regional inspectors to support regulatory compliance. Other comments focused on specific proposed requirements, which resulted in changes to the proposed Regulations, including the following:

• Security plan training: TC adjusted its initial policy recommendation for this requirement by
  • requiring employees to undergo training on key elements of the security plan and any other relevant portions of the plan as it relates to their role instead of the entire plan.
• Administrative requirement on record keeping for security awareness training, security plan training and exercises: TC adjusted its initial policy recommendation for this requirement by
  • specifying that records must be kept, but not at an exact location such as the company’s head office.
• Security reporting: TC adjusted its initial policy recommendation for this requirement by
  • clarifying that passenger railway and host companies would be required to report potential threats and other security concerns to the TC Situation Centre as soon as feasible, but no later than 24 hours following the incident. Follow-up information about the incident would also be reportable as soon as it becomes known, and provisions would be made for follow-up disclosure with the TC Situation Centre by means other than telephone (i.e. email).

Regulatory cooperation

The Canadian freight rail system is integrated with the U.S. system (e.g. four host railways operate freight services across the Canada–U.S. border). With regard to passenger rail, two U.S. railway companies operate in Canada, and both are signatories to the TC-RAC MOU on Railway Security.

Following the terrorist attacks on September 11, 2001, the United States implemented basic passenger rail security regulations. These regulations include requiring operators to report security concerns to the government and to designate a rail security coordinator who serves as the primary security contact with the United States Transportation Security Administration (TSA). This individual also coordinates security practices and procedures with appropriate law enforcement and emergency response agencies.

The United States has considered additional risk-based passenger rail security regulations, but to date has not introduced measures comparable to the security training, assessment, planning, exercises and inspection requirements in the existing TC-RAC MOU on Railway Security and the proposed Regulations. TC officials have met with officials from the U.S. TSA on a number of occasions to learn about its passenger rail regulatory regime, and to explain Canada’s proposed approach of using the TC-RAC MOU on Railway Security as the basis for its own regulations.

Regulating the main elements of the MOU is not expected to put Canadian railway companies at a disadvantage relative to their U.S. counterparts. Given that the proposed Regulations would mandate what is already standard practice for many Canadian railway companies (and U.S. passenger railroad carriers operating in Canada), compliance costs would represent a small fraction of the total operational costs of the rail sector. Furthermore, competitiveness issues are not expected to arise given that U.S. passenger railroad carriers operating within Canada are required to follow Canadian regulations.

Rationale

Strategic risk and threat assessments conducted by the Government of Canada indicate that Canada’s passenger rail system remains vulnerable to acts of unlawful interference, and the potential adverse impacts of such attacks are significant. The current TC-RAC MOU on Railway Security is voluntary, with no enforcement mechanism, and is confined in scope, as it does not focus on passenger railways specifically nor does it include all passenger and host railway companies under federal jurisdiction. The proposed Regulations would strengthen the security of Canada’s passenger rail system and mitigate these risks.

The specific requirements of the proposed Regulations, except for the “security inspections,” are generally consistent with the elements outlined in the TC-RAC MOU on Railway Security with which stakeholders are well versed (e.g. security training, security risk assessment, security plan reviews, updates and renewals on an annual and three-year basis, security exercises). Introducing regulatory requirements that are already standard practice among industry stakeholders is therefore expected to result in implementation efficiency and effectiveness.

The proposed security requirements would impose administrative and compliance costs on passenger railway and host companies in the amount of $537,188. The potential administrative and compliance burden has been intentionally offset by designing the proposed Regulations to align with key requirements in the existing TC-RAC MOU on Railway Security to which most of the passenger railway and host companies are signatories. The proposed Regulations were also designed using primarily management-based requirements that would provide regulated entities with the flexibility to develop and implement security measures that are commensurate with their individual risk profiles and operational requirements that are suitable for their unique operations and risks.

Furthermore, the proposed Regulations would introduce less burdensome requirements for small passenger and host companies where security risks are recognized to be lower. The Government of Canada would incur administration and enforcement costs of $9,132,130, resulting in total costs of $9,669,318. Notwithstanding that the benefits of the proposal could not be monetized, given the potentially catastrophic impact of a successful act of unlawful interference with passenger rail, and the expectation that the proposed Regulations would meaningfully mitigate the risk and impact of such an act, the proposed Regulations are expected to result in a significant overall benefit to Canadians.

Implementation, enforcement and service standards

TC is following a phased-in approach to allow companies the time to implement the proposed Regulations. Some of the proposed requirements would come into force on a staggered basis — 3, 9 and 15 months after registration, respectively. In the past, TC has also collaborated with industry stakeholders to develop voluntary codes of practice and other guidance materials on conducting security risk assessments, developing and maintaining security plans, conducting security exercises, and employee training and awareness. These materials have had distribution beyond the MOU signatories and currently remain available from TC while the Department develops passenger rail–specific guidance materials for industry prior to the proposed Regulations coming into force.

Regionally located inspectors with security expertise are also available to support and reach out to railway and host companies prior to and after the coming into force dates. TC is currently developing guidance and training programs to ensure security inspectors are adequately prepared to oversee this new program and to facilitate industry compliance. TC also aims to conduct education and awareness activities to support industry and to support regulatory implementation and compliance.

It is TC’s policy on enforcement matters to use a graduated approach that allows industry to take corrective actions before resorting to enforcement actions. However, where compliance is not achieved on a proactive basis or where there is serious non-compliance, enforcement action could be sought through prosecution (indictment or summary conviction) as per paragraph 41 of the Railway Safety Act.

TC intends to use a national network of surface security inspectors to oversee compliance with the proposed Regulations using a risk-based approach. Inspection frequency and scope would be determined based on the outcome of risk assessments. Inspections would be conducted at determined intervals; however, inspectors would have the flexibility to conduct random and for-cause inspections, as deemed appropriate.

Contact

Kim Benjamin
Director General
Intermodal Surface, Security and Emergency Preparedness
Transport Canada
Place de Ville, Tower B
112 Kent Street
Ottawa, Ontario
K1A 0W8
Email: tc.simsregulations-reglementsstti.tc@tc.gc.ca

PROPOSED REGULATORY TEXT

Notice is given that the Governor in Council, pursuant to subsection 18(2.1) ^{footnote a} of the Railway Safety Act^{footnote b}, proposes to make the annexed Passenger Rail Transportation Security Regulations.

Interested persons may make written representations concerning the proposed Regulations within 30 days after the date of publication of this notice. All such representations must cite the Canada Gazette, Part I, and the date of publication of this notice, and be addressed to Kim Benjamin, Director General, Intermodal Surface, Security and Emergency Preparedness, Department of Transport, Place de Ville, Tower B, 112 Kent Street, Ottawa, Ontario K1A 0W8 (email: tc.simsregulations-reglementsstti.tc@tc.gc.ca).

Ottawa, April 4, 2019

Jurica Čapkun
Assistant Clerk of the Privy Council

Passenger Rail Transportation Security Regulations

Interpretation

Definitions

1 The following definitions apply in these Regulations.

• host company means a railway company that authorizes a passenger company to operate on its railway. (compagnie hôte)
• passenger company means a company whose operations include the transportation of passengers by railway. (compagnie de transport de voyageurs)
• small passenger company means a passenger company that transported fewer than 60,000 passengers in one of the two previous calendar years. (petite compagnie)
• train means all the pieces of railway equipment that are joined together and that move as a unit for the transport of passengers. (rame ferroviaire)

PART 1

Security Awareness Training and Security Risk Assessment

Security awareness training program

2 (1) A passenger company and host company must have a security awareness training program that promotes a culture of security vigilance with respect to passenger rail transportation security.

Program training topics

(2) The security awareness training program must cover the following topics:

• (a) a description of the main security risks related to passenger rail transportation;
• (b) any potential threats and other security concerns related to passenger rail transportation and how to recognize them;
• (c) the actions to be taken to deal with potential threats and other security concerns; and
• (d) any measures of the passenger company or host company that are designed to enhance passenger rail transportation security.

Prescribed persons

(3) The passenger company or host company must ensure that any person employed by, and any person acting — directly or indirectly — on behalf of, the company and who have any of the following duties relating to the transport of passengers, including the direct supervisors of those persons, undergo security awareness training:

• (a) operating, maintaining or inspecting railway equipment or railway works;
• (b) controlling the dispatch or movement of railway equipment;
• (c) ensuring the security of railway equipment and railway works;
• (d) loading or unloading goods to or from railway equipment;
• (e) interacting with the public for the purposes of railway transportation; or
• (f) ensuring compliance with its security processes, including those set out in their security plan.

Provision of training

(4) The passenger company or host company must ensure that security awareness training is provided to the person

• (a) within 90 days after the day on which this subsection comes into force, unless the person has received equivalent security awareness training before that day;
• (b) within 90 days after the day on which the person initially assumed any of the duties referred to in subsection (3) with that company, if the duties were assigned to that person after the day on which this subsection comes into force; and
• (c) on a recurrent basis at least once every three years after the day on which the person completed their previous training, including any equivalent security awareness training received before the day on which this subsection comes into force.

Supervision

(5) The passenger company or host company must ensure that, until the person undergoes the security awareness training, the person performs their duties under the close supervision of a person who has undergone that training.

Training records

(6) The passenger company or host company must ensure that a training record is kept for each person who has undergone security awareness training and that the record

• (a) is kept up to date;
• (b) includes the person’s name and details of their most recent training, including the date, duration, course title, delivery method and name of the provider of the training; and
• (c) is retained for at least two years after the day on which the person ceases to be employed by, or ceases to act — directly or indirectly — on behalf of, the company.

Retention of training materials

(7) The passenger company or host company must ensure that a copy of the most recent awareness training materials is kept.

Security risk assessment

3 (1) A passenger company, other than a small passenger company, must conduct a security risk assessment of its network and operations that are related to passenger rail transportation in Canada that identifies, describes, assesses and prioritizes security risks and that

• (a) is based on the following elements:
  • (i) current security threats, including security threat information received from a federal department or agency and threats or immediate threats identified in an instrument made by an inspector under section 31 of the Railway Safety Act or by the Minister under section 33 or 39.1 of that Act,
  • (ii) operations, railway equipment, railway works and other assets that are deemed critical and that most require protection from acts and attempted acts of unlawful interference with passenger rail transportation,
  • (iii) security vulnerabilities, including those identified during daily operations, during security inspections carried out under section 7, during security exercises carried out under section 8 and in security reports made under section 9, and
  • (iv) potential impacts, including a decrease in public safety and security, loss of life, damage to property or the environment, disruption of rail transportation and financial and economic loss;
• (b) identifies, for each risk, the likelihood that the risk will occur and the severity of the impact that it could have if it occurs; and
• (c) identifies potential safeguards intended to mitigate the risks identified.

Report

(2) The security risk assessment must be documented in a report within 30 days after the day on which the assessment is completed and the report must

• (a) indicate the date of completion of the assessment; and
• (b) contain all the information referred to in subsection (1).

Subsequent risk assessments

(3) A passenger company, other than a small passenger company, must conduct a new security risk assessment within three years after the date of the report on the current security risk assessment, including any assessment that was carried out before the day on which these Regulations come into force and that meets the requirements of these Regulations.

Review

(4) A passenger company, other than a small passenger company, must review its security risk assessment as soon as feasible if

• (a) a change in circumstances is likely to adversely affect passenger rail transportation security;
• (b) an instrument made by an inspector under section 31 of the Railway Safety Act or by the Minister under section 33 or 39.1 of that Act identifies a threat or an immediate threat to passenger rail transportation that is not described in the assessment; or
• (c) the company identifies a significant security vulnerability that is not described in the assessment.

Periodic review

(5) A passenger company, other than a small passenger company, must review its security risk assessment at least once every 12 months. A new risk assessment conducted under subsection (3) or a review conducted under subsection (4) is a review for the purposes of this subsection.

Requirements for review

(6) As part of a review referred to in subsection (4) or (5) — with the exception of a new risk assessment referred to in subsection (5) — a passenger company, other than a small passenger company, must

• (a) identify, describe, assess and prioritize any new security risks in accordance with subsection (1); and
• (b) document the review in the report on the current security risk assessment, including the date of the review, the reason for the review under subsection (4) or (5) and any new risks that have been identified, their priority level and the potential security safeguards, if applicable.

PART 2

Security Plan and Security Plan Training

Security plan — objectives

4 (1) A passenger company, other than a small passenger company, must have and implement a security plan that contains measures to be taken to prepare for, detect, prevent, respond to and recover from acts or attempted acts of unlawful interference with passenger rail transportation.

Strategy

(2) In order to meet the objectives of subsection (1), the security plan must set out

• (a) a risk management strategy that addresses the risks prioritized as medium or high in the company’s most recent security risk assessment and all other risks that require remedial action; and
• (b) additional safeguards that are intended to mitigate heightened risk conditions in a graduated manner.

Requirements

(3) The security plan must

• (a) be in writing;
• (b) identify, by job title, a senior manager responsible for the plan’s overall development, approval and implementation;
• (c) describe the organizational structure, identify the departments that are responsible for implementing the plan or any portion of it and identify each position whose incumbent is responsible for implementing the plan or any portion of it;
• (d) describe the security duties of each identified department and position;
• (e) set out a process for notifying each person who is responsible for implementing the plan or any portion of it when the plan or that portion of it must be implemented;
• (f) set out a program for the security awareness training required under section 2 and the components of the security plan training referred to in section 5, including a method to ensure that persons who undergo the security plan training acquire the knowledge and skills required under subsection 5(3);
• (g) set out a process with respect to security risk assessments required under section 3, including
  • (i) a procedure for conducting security risk assessments, and
  • (ii) a method for assessing and prioritizing the risk;
• (h) set out a process with respect to remedial actions that are part of the risk management strategy referred to in subsection (2), including
  • (i) a method for identifying security risks that require remedial action, and
  • (ii) a method for implementing remedial actions and for evaluating their effectiveness;
• (i) set out a process for selecting and implementing additional safeguards required under paragraph (2)(b);
• (j) describe the remedial actions, including their effectiveness in reducing or eliminating the risks, and the additional safeguards that are part of the risk management strategy referred to in subsection (2);
• (k) set out a process with respect to security inspections referred to in section 7, including
  • (i) a procedure for conducting security inspections,
  • (ii) a method for determining whether security has been compromised,
  • (iii) a method for determining whether additional security inspections are necessary if, having regard to the circumstances, security could be compromised,
  • (iv) a method for addressing the situation, if that security has been compromised, before releasing the train into service, and
  • (v) a method for preventing unauthorized interference with the train after the inspection until passengers board the train;
• (l) set out a process with respect to security exercises referred to in section 8, including procedures for conducting security exercises;
• (m) set out a process for responding to threats and other security concerns, including procedures for communicating and coordinating with the host company, if applicable;
• (n) set out a process for reporting threats and other security concerns;
• (o) set out a process for reviewing the security plan;
• (p) include the report on the most recent security risk assessment required under section 3; and
• (q) set out a policy on limiting access to security-sensitive information and set out measures for the sharing, storing and destruction of that information.

Implementation — remedial actions and safeguards

(4) A passenger company, other than a small passenger company, must implement the remedial actions and additional safeguards referred to in subsection (2), in accordance with the security plan.

Timelines and effectiveness — measures

(5) A passenger company, other than a small passenger company, must establish timelines for implementing each remedial action and evaluate its effectiveness in reducing or eliminating the risks.

New remedial action

(6) If the remedial action is not effective in reducing or eliminating some of the risks, the passenger company must identify additional remedial actions or a new action to address those risks.

Security plan management

(7) A passenger company, other than a small passenger company, must

• (a) make available to each person who is responsible for implementing the security plan the portions of the security plan that are relevant to the duties of that person;
• (b) review the security plan at least once every 12 months after the day on which this section comes into force;
• (c) amend the security plan if it does not reflect the most recent security risk assessment;
• (d) amend the security plan if deficiencies that could adversely impact the security of passenger rail transportation are identified in the security plan, including those identified during the security exercises;
• (e) conduct a comprehensive review of the security plan within three years after the day on which this section comes into force and subsequently within three years from the date of completion of the last comprehensive review;
• (f) notify the persons referred to in paragraph (a) of any amendments to the relevant portions of the security plan; and
• (g) provide a copy of the security plan to the Minister within 30 days after the day on which this section comes into force or after a comprehensive review is conducted under subsection (e), and a copy of the amended portions of the security plan within 30 days after an amendment is made under paragraph (c) or (d).

Security plan training

5 (1) A passenger company, other than a small passenger company, must ensure that the following persons employed by, or acting — directly or indirectly — on behalf of, that company undergo training on the components of the security plan referred to in paragraphs 4(3)(c) to (e), (g), (m) and (n), and any other components that are relevant to the person’s duties:

• (a) persons mainly responsible for the development and implementation of the plan or any portion of it; and
• (b) any other person with duties referred to in paragraph 4(3)(d) and for whom the training is considered necessary to ensure the effective implementation of the security plan.

Provision of training

(2) A passenger company, other than a small passenger company, must ensure that the training is provided to those persons

• (a) within 90 days after the day on which this subsection comes into force, unless those persons have received equivalent training on the security plan before that day;
• (b) within 90 days after the day on which those persons initially assume the duties referred to in subsection (1), if their duties are assigned after the coming into force of this subsection; and
• (c) on a recurrent basis at least once every three years after the day on which those persons completed their previous training, including any equivalent training on the security plan received before the day on which this subsection comes into force.

Knowledge and skills

(3) A passenger company, other than a small passenger company, must ensure that persons, on completion of the training, have acquired the knowledge and skills required to carry out the duties referred to in subsection (1).

Supervision

(4) A passenger company, other than a small passenger company, must ensure that, until those persons complete the training, they perform their duties under the close supervision of a person who has completed the training on the overall security plan.

Training on amended plan

(5) A passenger company, other than a small passenger company, that amends its security plan in a way that significantly affects the security duties of a person referred to in subsection (1) must ensure that, within 30 days after the day on which the amendments are implemented, the person is provided with training on the amendments.

Training records

(6) A passenger company, other than a small passenger company, must keep a training record for each person who has undergone the security plan training and must ensure that the record

• (a) is kept up to date;
• (b) contains the person’s name and details of the most recent training they received under subsections (1) and (5), including the date, the duration, the course title, the delivery method, the components of the security plan that were covered and the name of the provider of the training;
• (c) contains information related to the title and the date of any previous training taken by the person; and
• (d) is retained for at least two years after the day on which the person ceases to be employed by, or ceases to act — directly or indirectly — on behalf of, that company.

Retention of training materials

(7) A passenger company, other than a small passenger company, must ensure that a copy is kept of the most recent training materials.

PART 3

Coordination, Inspection and Security Exercises

Rail security coordinator

6 (1) A passenger company and host company must have, at all times, a rail security coordinator or an acting rail security coordinator.

Contact information

(2) The passenger company and host company must provide the Minister with

• (a) the name and job title of the rail security coordinator or acting rail security coordinator; and
• (b) the 24-hour contact information for the rail security coordinator or acting rail security coordinator.

Duties — passenger company

(3) The passenger company must ensure that the rail security coordinator or acting rail security coordinator

• (a) coordinates security matters within the passenger company;
• (b) acts as the principal contact between the passenger company and the Minister with respect to security matters; and
• (c) coordinates communications between the passenger company, the host company, law enforcement and emergency response agencies with respect to security matters.

Duties — host company

(4) The host company must ensure that the rail security coordinator or acting rail security coordinator

• (a) acts as the principal contact between the host company and the Minister with respect to security matters related to passenger rail transportation on its railway; and
• (b) coordinates communications between the host company, passenger companies that operate on its railway, law enforcement and emergency response agencies with respect to security matters related to passenger rail transportation on its railway.

Security inspection

7 (1) For the purposes of this section, car means a piece of railway equipment that is used for passenger rail transportation and includes a baggage car, a dining car, a sleeping car, a lounge car, an observation car, the locomotive and any freight car that can be subjected to a walk-through inspection.

Visual inspection

(2) In order to ensure that there are no security concerns related to passenger rail transportation, a passenger company must carry out security inspections that consist of both a ground-level visual inspection of the exterior of the train and an inspection of the interior of each car.

Time of inspection

(3) The passenger company must carry out a security inspection before the train enters service for the day. In all cases, the inspection must be carried out before passengers board the train.

Additional inspections

(4) The passenger company must carry out additional security inspections after the train enters service for the day, if they are provided for in the security plan.

Protection of train

(5) When the security inspection is carried out before passengers board the train, the passenger company must ensure that the train is protected from unauthorized interference from the start of the security inspection until passengers board the train.

Signs of tampering, suspicious items and other security concerns

(6) If the passenger company discovers signs of tampering, a suspicious item or the presence of other security concerns during the security inspection, it must determine whether security has been compromised.

Compromise of security

(7) If the passenger company determines during the security inspection that security has been compromised, it must resolve the situation before releasing the train for service.

Records

(8) The passenger company must keep a record of each security inspection and ensure that the record contains the following information:

• (a) the time and date of the inspection;
• (b) the information identifying the train that was inspected;
• (c) the name of the person who conducted the inspection;
• (d) the details of signs of tampering, a suspicious item or the presence of other security concerns, if any; and
• (e) the measures taken to resolve the situation, if the company determined that security was compromised.

Retention period

(9) The passenger company must retain the record for three years after the day on which the security inspection is conducted.

Operations-based security exercise

8 (1) A passenger company, other than a small passenger company, must carry out, at least once every three years after the day on which section 4 comes into force or, in the case of a passenger company created after the day on which section 4 comes into force, within three years after the day of its creation, an operations-based security exercise that is designed to address acts or attempted acts of unlawful interference with passenger rail transportation and that tests

• (a) the effectiveness of the security plan and its implementation with respect to
  • (i) the elements of the risk management strategy that are relevant to the scenario selected for the exercise,
  • (ii) the additional safeguards set out in the security plan that are relevant to the scenario selected for the exercise, and
  • (iii) the process for responding to threats or other security concerns; and
• (b) the proficiency of persons in performing security duties that are relevant to the scenario selected for the exercise.

Deemed — security exercises

(2) The implementation of safeguards in response to a heightened risk condition may be considered an operations-based security exercise if it tests

• (a) the effectiveness of the security plan and its implementation with respect to
  • (i) the elements of the risk management strategy that are relevant to the heightened risk condition,
  • (ii) additional security safeguards set out in the security plan that are relevant to the heightened risk condition, and
  • (iii) the process for responding to the heightened risk condition; and
• (b) the proficiency of persons in performing security duties that are relevant to responding to the heightened risk condition.

Notice

(3) A passenger company, other than a small passenger company, must give the Minister 30 days’ notice of any operations-based security exercise that it plans to carry out.

Discussion-based security exercise

(4) A passenger company, other than a small passenger company, must carry out a discussion-based security exercise at least once every year after the day on which section 4 comes into force or, in the case of a passenger company created after the day on which section 4 comes into force, from the day of its creation, in order to address acts or attempted acts of unlawful interference with passenger rail transportation and that tests the effectiveness of the security plan with respect to

• (a) the elements of the risk management strategy that are relevant to the scenario selected for the exercise;
• (b) the additional safeguards set out in the security plan that are relevant to the scenario selected for the exercise; and
• (c) the process for responding to threats or other security concerns.

Exception

(5) An operations-based security exercise carried out under subsection (1) or referred to in subsection (2) is considered to be a discussion-based security exercise for the purposes of subsection (4).

Participants

(6) A passenger company, other than a small passenger company, must ensure that persons with security duties that are relevant to the scenario selected for the exercise participate in the exercise referred to in subsection (1) or (4). In addition, the company must invite host companies and law enforcement and emergency response agencies to participate in the exercise, if their participation is relevant to the scenario.

Records

(7) A passenger company, other than a small passenger company, must create a record of each exercise carried out under subsections (1), (2) and (4) within 30 days after the date of the exercise and must ensure that the record contains the following information:

• (a) the date of the exercise;
• (b) the names of participants;
• (c) a list of the companies and agencies that were invited;
• (d) a description of the exercise scenario or, in the case of the exercise referred to in subsection (2), a description of the heightened risk condition;
• (e) a description of the results of the exercise with respect to the elements tested in accordance with subsection (1), (2) or (4), as applicable; and
• (f) a description of potential actions to address deficiencies identified during the exercise that could adversely impact the security of passenger rail transportation.

Retention period

(8) A passenger company, other than a small passenger company, must ensure the record of each exercise is retained for three years after the date of the exercise.

Actions

(9) A passenger company, other than a small passenger company, must implement any action to address deficiencies that were identified during the exercise and that could adversely impact the security of passenger rail transportation.

PART 4

Security Reporting Requirements

Report

9 (1) A passenger company or host company must report to the Transport Canada Situation Centre, by any direct means of communication established and communicated by the Centre, any threat or other security concern that results or may result in an unlawful interference with passenger rail transportation. The report must be made as soon as feasible but no later than 24 hours after the occurrence of the threat or other security concern.

Threats and other security concerns

(2) Threats and other security concerns include

• (a) any interference with the work of a train crew or service personnel;
• (b) any bomb threats, either specific or non-specific;
• (c) any report or discovery of a suspicious item;
• (d) any suspicious activity observed on, inside or near railway equipment or railway works used by that company;
• (e) the discovery, seizure or discharge of a weapon, explosive substance or incendiary device on, inside or near railway equipment or railway works used by that company;
• (f) any sign of tampering with railway equipment or railway works;
• (g) any information relating to the possible surveillance of railway equipment or railway works; and
• (h) any suspicious person, circumstance or object that the passenger or host company considers to be a threat or other security concern.

Information to be provided

(3) The information provided must include, to the extent known, the following:

• (a) the passenger company’s or host company’s name and contact information, including its telephone number and email address;
• (b) the name of the person who is making the report on behalf of the passenger company or host company and the person’s title and contact information, including their telephone number and email address;
• (c) any information that identifies any train that is affected by the threat or other security concern, including its itinerary and line or route position;
• (d) any information that identifies any railway equipment or railway works that is affected by the threat or other security concern;
• (e) a description of the threat or other security concern, including the date and time that the passenger company or host company became aware of it;
• (f) the names of the persons involved in the threat or other security concern, and any other information related to those persons, if the disclosure of those names and that information is permitted; and
• (g) the source of any threat information or other security concern, if its disclosure is permitted.

Follow-up information

(4) The passenger company or host company must provide to the Transport Canada Situation Centre any information referred to in subsection (3) that was not previously reported, as soon as it becomes known.

Avoidance of double reporting — other company

(5) The passenger company or host company is not required to make a report under this section if the same threat or other security concern has been reported by another company under this section.

Provision of information — passenger company

(6) A passenger company that operates on a host company’s railway must, as soon as feasible, notify the host company if the passenger company becomes aware of a threat or other security concern that could impact the operations of the host company.

Provision of information — host company

(7) A host company must, as soon as feasible, notify a passenger company that operates on its railway if the host company becomes aware of a threat or other security concern that could impact the operations of the passenger company.

Coming into Force

Registration

10 (1) Subject to subsections (2) to (4), these Regulations come into force on the day on which they are registered.

Three months after registration

(2) Section 2 and subsections 7(2), (3) and (5) to (9) come into force on the day that, in the third month after the month in which these Regulations are registered, has the same calendar number as the day on which they are registered or, if that third month has no day with that number, the last day of that third month.

Nine months after registration

(3) Sections 3 and 4 and subsection 7(4) come into force on the day that, in the ninth month after the month in which these Regulations are registered, has the same calendar number as the day on which they are registered or, if that ninth month has no day with that number, the last day of that ninth month.

Fifteen months after registration

(4) Sections 5 and 8 come into force on the day that, in the fifteenth month after the month in which these Regulations are registered, has the same calendar number as the day on which they are registered or, if that fifteenth month has no day with that number, the last day of that fifteenth month.