Below is a discussion paper I submitted to the Journal of Bridge Engineering (published by the American Society of Civil Engineers) that, for whatever reason, never made it to the ASCE publishing office (I am still slightly upset by this).  Basically, this piece provides commentary and suggestions on a peer-reviewed paper submitted by Mr. James C. Ray of the Engineering Research & Development Center of the US Army Corps of Engineers (a GREAT place to work, by the way).  The citation for the original paper is as follows:

• Ray,  J. C. (2007). “Risk-Based Prioritization of Terrorist Threat Mitigation Measures on Bridges.” Journal of Bridge Engineering, Vol. 12, No. 2, pp. 140-146.  doi:10.1061/(ASCE)1084-0702(2007)12:2(140).

I think James Ray is a good guy, and I had the privilege to work with him and his shop on a number of occasions in the past.  So I figured why not spend some time carefully reading his paper and offering my own thoughts.  The entire discussion piece follows below:

<<Discussion Begins Below – slightly modified from the original given I had the luxury of time>>

Risk analysis for malicious anthropic events has become a high-interest, and quite contentious, topic since the tragic events of 2001, which has led to an increased awareness of the problem and spurred enormous interest within the academic and professional communities on how to effectively and defensibly assess and manage the risk associated with these types of events.  The author’s [Mr. James Ray's] recent contribution toward developing a risk-based prioritization methodology for terrorist threat mitigation measures on bridges brings to bear some of the important aspects a bridge owner must consider when assessing terrorism-related risks, and for this the author must be commended.  We hope that the ideas from this paper spur wider advances in the application of risk based methodologies for protecting bridge assets, among other things.

As a potential direction for improvement, the methodology could be adapted to a probabilistic framework so as to facilitate quantitative benefit-cost analysis.  Take, for example, the general expression for security risk analysis that provides the philosophical basis for most security risk assessment methodologies:

Risk = Threat x Vulnerability x Consequence (Eq. 1)

Equation 1 states that security risk is defined as the combination (not strictly a product) of threat, vulnerability, and the ensuing consequences.  That is, risk is a multidimensional concept.  The quantification of security risk can be achieved by interpreting Eq. 1 in an appropriate mathematical framework, the most widely accepted being probability theory.

The author proposes to adapt the interpretation of Eq. 1 used by AASHTO highway vulnerability assessment methodology (AASHTO 2003).  This approach facilitates a relatively rapid and inexpensive assessment of risk to bridge assets that can be used to identify critical bridge elements and develop candidate proposals for mitigating risk.  However, this attractive quality comes at the expense of departing from a sound probabilistic framework, which means that the risk estimated by this methodology lacks meaningful units (such as annual loss in dollars or fatalities) and mathematical correctness.  If the intent is to allocate a fixed budget reserved for the sole purpose of decreasing risk (i.e., the money is there and must be spent), this is a non-issue so long as the relative risk accurately represents the “true” proportion attributed to different bridge elements and threats.  In contrast, if the intent is to use these results to justify a request for funds to decrease risk, meaningful measures of risk and benefit are necessary to determine whether (1) certain risks are unacceptable in the first place, and (2) expenditures are cost-effective from a risk reduction standpoint.  Defensible answers to these questions require that Eq. 1 be interpreted in a probabilistic framework.

Fortunately, the proposed methodology as presented can be made to fall inline with a probabilistic framework provided certain modifications are made.  A simple high-level interpretation of Eq. 1 in a probabilistic framework would express the risk, R, for a specific threat type against a certain bridge element as:

R = P_AP_S|AC (Eq. 2)

where P_A is the probability of attack in a specified time period for a given combination of threat type and critical element, P_S|A is the probability of the adversary successfully damaging the element given attack (as a function of security measures and hardness of target), and C describe the consequences or impact of a successful attack measured in meaningful units such dollars or casualties per event.

The following is an attempt to integrate the author’s model into the probabilistic model in Eq. 2.  For clarity, Table 1 provides a summary of the author’s model parameters with suggested symbols and interpretations, where the letters “O,” “V,” and “I ” are used in lieu of the more traditional “P” to emphasize which part of the author’s risk equation each attribute belongs to.  Based on the definitions provided by the author for the attributes in Table 1, Eq. 3 can now be rewritten as:

R = (O_A x O_C|A x O_T|A,C) x (O_S|A,C,T x V_D|A,C,T,S) x (w_DI_D + w_TI_T)  (Eq. 3)

where in comparison with Eq. 3, P_A = (O_A x O_C|A x O_T|A,C), P_S|A = (O_S|A,C,T x V_D|A,C,T,S), and C = (w_DI_D + w_TI_T).  Since the author already interprets the values for each parameter on a scale of zero to one, the guidance offered in his original paper still holds with risk recast in terms of probability theory.  The loss conversion factors w_i (i = D or T) are used to bring values for each consequence type to consistent, meaningful units.  For example, if risk is measured in dollars and the economic loss per day of outage of the component is $100,000 per day, w_D = 1 and w_T = $100,000/day (with I_T measured in days).  Note that I_S and the span ratio S_R were deliberately omitted from Eq. 3 since, to our knowledge, the effects of structural importance and length of span is already captured by the values for repair cost and time out of service.  Also, I_H was omitted since, in most cases, this parameter is a matter of perception and does not have a clear, tangible value (though it can be easily included if such a value can be established).

It would be interesting to see how the results of the case study presented in Table 3 of the paper differ under the proposed revision in Eq. 3, and I would not be surprised if the rank order of scenarios based on risk is similar, if not the same, as that generated by the author’s methodology.  However, the advantage of interpreting Eq. 1 in a probabilistic framework is that the results facilitate meaningful benefit-cost analysis, where the benefit is defined in units that can be rationally compared with the costs to implement a given risk mitigation strategy. Moreover, leveraging a probabilistic framework lends a bit more credibility to the model as it aligns better with how risk is traditionally estimated.

Table 1: Summary of the author’s model attributes with variable names

Send article as PDF to