U.S. Department of Transportation
Federal Highway Administration
1200 New Jersey Avenue, SE
Washington, DC 20590

Skip to content U.S. Department of Transportation/Federal Highway AdministrationU.S. Department of Transportation/Federal Highway Administration


<< Previous Contents Next >>

Recommendations for Bridge and Tunnel Security

Section 5 Planning, Design, and Engineering Recommendations

Because of its heterogeneity in size and operations and the multitude of owners and operators nationwide, the transportation infrastructure network in the United States is highly resilient, flexible, and responsive.[14] Unfortunately, the sector is fractionated and regulated by multiple jurisdictions at state, federal, and sometimes local levels. The size and pervasive nature of the U.S. transportation infrastructure poses significant protection challenges.[20] However, these protection challenges can be mitigated through technical collaboration and coordination.

5.1 Review and Prioritization Process

A process is necessary for prioritizing all bridges and tunnels with respect to their vulnerability in terms of their criticality of the ability to deter, deny, detect, delay, and defend against terrorist attacks. In addition, a risk assessment model must be developed as a framework for evaluating alternatives for thwarting attack.

Several agencies have developed methods for identifying and prioritizing critical transportation assets, and these methods share many commonalities. The prioritization procedure outlined in the AASHTO's methodology uses a set of critical asset factors to identify assets that are important to achieving an agency's mission. Next, the AASHTO methodology assesses the vulnerability of these critical assets to terrorist attack based on target attractiveness (potential casualties and symbolic value); accessibility (access controls and physical security); and expected damage (including environmental hazards).[21] The TSA approach determines relative risk as a function of relative target attractiveness (an assessment of the target's importance and consequences); relative likelihood of occurrence (an assessment by TSA Intelligence of the likelihood of occurrence, as compared to the other scenarios); and vulnerability (a measure of how likely the terrorist is to achieve the threatening act given that an attempt is made). Relative risk is re-calculated based upon the implementation of a suite of countermeasures, including the implementation of people, procedures, and/or technology to reduce vulnerability.[22]


The panel considered and rejected several options:

  1. Do nothing, which the panel found unacceptable under post-September 11th threats.
  2. (Have states conduct their own assessment using prioritization and risk assessment methodologies of their own choice. This is unacceptable because federal funds will be required to meet countermeasure needs and the federal government will need a common, uniform, and consistently applied methodology to compare needs.
  3. The federal government conducts assessment throughout all the states. This is unacceptable because it does not take into account states' operating needs, and the states are much more knowledgeable in assessing their own bridge and tunnel assets.

Because national prioritization of funding will be required, the process of evaluating proposals to enhance bridge and tunnel security must be a joint effort by federal and state agencies and other owners and operators.

The large number of bridges (600,000) and tunnels (500) lends itself to a two-tier approach: prioritization and risk assessment. The first tier, prioritization, is typically most efficiently done in two steps. The first step is a data-driven approach, such as that used by the Texas Department of Transportation (TxDOT), for ranking bridges using common criteria.[23] The National Bridge Inventory (NBI) provides much of the data needed for this step. In the second step of prioritization, additional data comes from owners and operators familiar with specific characteristics of the facilities and the services they provide. In this first tier ranking, prioritization of bridges and tunnels should be based on characteristics such as the following:

  • Potential for mass casualty based on Average Daily Traffic (ADT) and associated peak occupancies
  • Criticality to emergency evacuation and response to emergencies
  • Military or defense mobilization
  • Alternative routes with adequate available capacity
  • Potential for extensive media exposure and public reaction; symbolic value (to what extent does the facility represent ideals and values that are important to the American public, also visual symbolism, e.g., "signature bridges")
  • Mixed-use bridges and tunnels where highway and rail are co-located
  • Potential for collateral damage (land, marine, rail), including collateral property and utilities
  • Maximum single span length as it relates to the time required to replace the facility
  • Commercial vehicle vs. passenger vehicle mix and volume as a surrogate for economic impact
  • Bridge or tunnel dimensions (as a surrogate for replacement time/cost)
  • Significance of revenue streams (e.g., tolls, fares) associated with the facility[24]
  • Bridges and tunnels at international border crossings

The second tier is a risk assessment of high priority bridges taken from the first tier (prioritization) to determine vulnerabilities and evaluate countermeasures to deter attack and/or mitigate damages. The risk, R, to the facility is determined following an approach similar to that developed for seismic retrofit and can be expressed as follows:[25]

R = O x V x I


O = Occurrence: In the general form of the risk equation, this factor is hazard oriented and will change with the nature of the hazard. In the context of this report, the occurrence factor approximates the likelihood that terrorists will attack the asset. It includes target attractiveness (from the perspective of the threat), level of security, access to the site, publicity if attacked, and the number of prior threats. Input into this factor typically comes from the law enforcement and intelligence communities familiar with threat and operational security measures.

V = Vulnerability: In the general form of the risk equation, vulnerability is an indication of how much the facility or population would be damaged or destroyed based on the structural response to a particular hazard. In the context of this report, vulnerability is the likely damage resulting from various terrorist threats (weapon type and location). It is a measure of expected damage, outcome of the event, expected casualties, and loss of use, all features of the facility itself. Input into this factor typically comes from engineering analysis and expertise.

I = Importance: Importance is a characteristic of the facility, not the hazard. In principle, importance is the same for any hazard. Importance is an indication of consequences to the region or nation in the event the facility is destroyed or unavailable. Is the facility on an evacuation or military mobilization route; is it likely to be used by first responders to emergencies; what is its historic and associated significance; what is its peak occupancy? Input into this factor typically comes from owners, operators, users, and beneficiaries of the facilities, often governmental sources, and will use factors similar to those used in the first tier prioritization.

This formula properly expresses the interaction among the three factors. Dominant factors magnify risk; negligible factors diminish it. Other formulas, such as models that add the factors, fail to account for their interactive effects. For example, in the absence of a threat ('O'=Ø), the risk should be zero as this model provides; additive models would have a residual risk. In the multiplicative model, eliminating any one factor to zero (or near zero) reduces the risk to near zero (e.g., low importance leads to low risk regardless of other factors).

The countermeasures that reduce the risk associated with an asset may be designed to reduce the occurrence factor (e.g., make the asset less accessible); the vulnerability factor (e.g., harden the facility to reduce damage); or the importance factor (e.g., add redundant facilities to reduce dependence on the asset).

A case study illustrating application of this risk assessment approach to bridges and tunnels is provided in Appendix C.


The panel recommends a state identification and prioritization of bridges and tunnels, followed by a federal re-prioritization for federal funding based on the following:

Near-term (3-6 months):
  1. FHWA determines and promulgates a methodology for reviewing bridges and tunnels with respect to their risk and vulnerability in terms of their ability to detect, deny, delay, and defend against terrorist attacks. Methodologies that may be considered should be developed and include the AASHTO Guide for Highway Vulnerability Assessment, the Texas DOT methodology, and others.
  2. Using methodology promulgated by the FHWA similar to that described above, states should prioritize their bridges and tunnels and submit prioritized lists of their most critical bridges and tunnels to FHWA.
  3. FHWA/AASHTO should oversee the development of an immediate, near-, and mid-term cost-benefit methodology based on probabilistic risk assessment for implementing countermeasures. Within the framework of probabilistic risk assessment of the kind that has been adopted for seismic retrofit programs, consideration should be given to existing methodologies.
Mid-term (6-12 months):
  1. FHWA takes states' priority lists of critical bridges and tunnels and develops a national list of critical bridges and tunnels.
  2. States use the risk assessment methodology to develop a countermeasures plan using a cost-benefit ratio as a metric and provide costs for implementing countermeasures for each of their critical bridges and tunnels to FHWA.
Long-term (12-18 months):
  1. FHWA, in collaboration with DHS/TSA and other agencies, seeks new appropriations from Congress to implement a national bridge and tunnel countermeasure program. FHWA begins allocating funds to the highest priority bridges and tunnels as identified by the states and other owners/operators in accordance with accepted risk assessment methodologies.
  2. Non-state DOT bridge and tunnel owners begin implementing countermeasures consistent with federal security standards using appropriate funding sources, including federal sources where applicable.
  3. FHWA in coordination with AASHTO develops and implements modifications to existing bridge and tunnel inspection programs to evaluate conformance to federal security standards.
  4. States implement countermeasures with funding as available. One source recommends an initial sum of at least $1.5 billion to address near-term security measures.[26]

5.2 Research and Development


The analysis of current structural components and their behavior to blast loads is recognized by the panel as key to understanding the proper and most efficient ways to mitigate terrorist attacks through structural design and retrofit. Table 2 lists key structural bridge components that the panel considered.

Table 2. Critical Bridge Components
Suspension and Cable Stayed Bridges
  • Suspender ropes, stay cables
  • Tower leg
  • Main cable
  • Orthotropic steel deck
  • Reinforced and pre-stressed bridge decks
  • Cable saddle
  • Approach structures
  • Connections
  • Anchorage
  • Piers
Truss Bridges
  • Suspended span hangers
  • Continuous and cantilever hold-down anchorages
  • Compression chords or diagonals
  • Connections
  • Decks
  • Piers
Arch Bridges
  • Tension-tie
  • Connections
  • Decks
  • Piers
Multi-girder/Freeway Overpass Bridges
  • Decks
  • Connections
  • Piers

The goal of the R&D initiatives recommended here is to create empirically validated computational tools, design methods, and hardening technologies to assist in "designing for the terrorist attack." The recommendations have one or more short-term and long-term elements and all are directed to FHWA, AASHTO, and other government-sponsored research activities, including universities and federal laboratories. Additionally, these five recommendations are interrelated and interdependent and should be pursued simultaneously:

  1. Assess performance of critical elements under credible loads (including load reversals)

    Short-term (within the next year):

    • Synthesize current state of knowledge for component properties and modeling

    Long-term (more than one year):

    • Establish the load structure and load interaction
    • Start component experiments; recommend large-scale testing using real materials, components, and connections under comparable strain rates
    • Conduct comparative parameter studies of typical components and materials
  2. Validate and calibrate computational methods and modeling with experiments to better understand structural behavior from blast loads

    Short-term (within the next year):

    • Pull together and examine studies and research that have already been conducted on bridge and tunnel elements and components
    • Investigate transferability of seismic design

    Long-term (more than one year):

    • Develop a predictive round robin analysis of actual blast experiments on bridge and tunnel components
    • Test critical components, such as suspender ropes, stay cables, concrete and steel decks, side loads on towers, and box sections, for testing and blast performance
  3. Validate and calibrate computational methods and modeling with experiments to better understand structural behavior from thermal loads

    Short-term (within the next year):

    • Pull together and examine studies and research that have already been conducted on bridge and tunnel elements and components

    Long-term (more than one year):

    • Evaluate various mitigation fire effects in tunnels, double deck bridges, and overpass bridges
  4. Determine the residual functionality of bridge and tunnel systems and their tolerance for extreme damage

    Short-term (within the next year):

    • Examine bridges and tunnels compromised in wars and after demolition attempts

    Long-term (more than one year):

    • Determine progressive collapse potential of various bridge and tunnel systems
  5. Develop mitigation measures and hardening technologies

    Short-term (within the next year):

    • Assess existing hardening technologies and the applicability to bridges and tunnels

    Long-term (more than one year):

    • Develop new materials and new design methodologies

In addition to these R&D recommendations, the BRP suggests AASHTO work with university engineering institutions to develop R&D programs for students and bridge professionals to address security concerns. The panel recommends that DHS work jointly with industry and state and local governments to explore and identify potential technology solutions and standards that will support analysis and afford better and more cost-effective protection against terrorism. [27]

5.3 Design Criteria


The acceptability of a threat is the criterion for determining how to design for the threat. Performance level design is based stating assumptions and setting expectations and goals. These factors could include threats, casualties, damage, and recovery. To set a performance level design criteria, the design process must first be described, taking into account the potential threats to the existing or planned bridge or tunnel. The panel recommends that bridge and tunnel owners and operators use the following six-step process:[28]

  1. Use previously determined "R," the risk for each bridge or tunnel, whether existing or planned, determined using the R = OVI model.
    1. Determine Threats. There are several potential threats that exist. The first and most serious is a precision demolition attack. If carried out, this attack will destroy or seriously damage the bridge or tunnel. Therefore, this threat must be mitigated so that it will not be allowed to happen. Other threats to consider are conventional explosives, collision, and fire. Their potential magnitude is presented in Table 3.
      Table 3. Magnitude of Treats

      Threat Type Largest Possible Highest Probability
      Conventional explosives Truck*: 20,000 lbs
      Barge: 40,000 lbs
      Car bomb**: 500 lbs
      Collision to structure (i.e., the size of a vehicle that could collide with a structure) Truck: 100,000 lbs GVW
      Water vessel: depends on waterway
      Truck: H-15
      Water vessel: (see AASHTO spec. LRFD on vessel impact)
      Fire Largest existing fuel or propane tank
      Largest fuel vessel or tanker
      Gasoline truck (3S-2)
      Fuel barge
      Chemical/biological/HAZMAT These threats exist; however, the panel is not qualified to quantify them. Therefore other experts should assess these threats in this way.

      *Largest possible conventional explosive - for a truck, based on largest truck bomb ever detonated internationally by a terrorist act. For a barge, based on the assumption that it is the largest explosive that could pass by unnoticed by current security at place at major waterways.

      **The size of an explosive charge that can be concealed within the trunk of an automobile without being visually detected when inspecting the automobile.

    2. Determine the Consequence. Based on the potential threats to the bridge or tunnel, the owner must decide the potential consequences if carried out.
  2. Determine the acceptability of consequences. If the consequences are acceptable, then the owner may decide to do nothing.
  3. If the consequences are unacceptable, then one of two options exists:
    1. Mitigate the Threat. Generally, these actions can be taken in the short term (3-6 month range). Owners should take measures to lessen the attractiveness or deny access through technology, operational procedures, and physical measures.
    2. Mitigate the Consequence. These actions fall into the mid- to long-term time frame. Reduce the damage and resulting loss of life, property, functionality, and economic viability through design, engineering, and operational strategies.

    This step in the process requires detailed engineering analysis, vulnerability assessments, and statistical analysis of specific facilities and postulated threats to those facilities.

  4. Estimate the cost of mitigating the threat or consequence.
  5. Recalculate the R=OVI based on the recommended mitigation approach to determine the risk reduction achieved.
    1. Assets that receive a high R score should be categorized as a "high priority" structure. Steps should be taken to mitigate the largest possible threat in this situation. Designs should be performed so that in the event of this threat there would be no irreparable damage and the structure could return to operable condition in 30 days. Higher probability threats should be designed so that in event of threat there is not loss of service.
    2. Assets that receive a low R score should be categorized as a "low priority" structure. The criteria for these structures in the event of the largest possible threat is that total loss is acceptable. The destruction of these low priority assets will not be devastating to the region because of alternative routes, size, economic implications, and socio-political messages. Higher probability threats should be designed so that in the event of threat there is minimal loss of service.
  6. Compare the costs and benefits (risk reduction) of varying mitigation combinations and strategies under designated analysis scenarios. In determining the cost and benefits associated with various mitigation strategies and countermeasures, the analysis should include cost related to increased user cost and potential environmental/energy cost effects if the facility were destroyed or seriously damaged.

As an alternative possibility for acceptability criteria guidance, the bridge owner may consider what sort of time frame it can handle for loss of service. For example, if the time frame is 13 days, then the bridge owner can determine what sort of threat type (from car, boat, etc., or size of explosives) could potentially do this damage, and mitigate for this threat.

The recommendations for design criteria are based on various mitigating strategies. Owners have the choice to mitigate the threat (preventing terrorists facility access), mitigate the consequence effect (lessening the effect from an attack), or apply both options.

The following are examples of approaches to mitigate threats:

  • Establishing a secure perimeter using physical barriers
  • Inspection surveillance, detection and enforcement, closed circuit television (CCTV)
  • Visible security presence
  • Minimize time on target

The following are examples of approaches to mitigate consequences:

  • Create Standoff Distance. The first level of mitigating terrorist attacks should be to incorporate sufficient standoff distances from primary structural components. Providing standoff distance is highly recommended. There are three basic approaches to blast resistant design: increasing standoff distances; structural hardening of members; or higher acceptable levels of risk. Often, utilizing a percentage of each strategy is optimal.
  • Add Design Redundancy. Structural systems that provide great redundancy among structural components will help limit collapse in the event of severe structural damage from unpredictable terrorist acts.
  • Hardening/Strengthening the Elements of the Structure. Structural retrofitting and hardening priority should be assigned to critical elements that are essential to mitigating the extent of collapse. Secondary structural elements should be dealt with to minimize injury and damage.
  • Develop an Accelerated Response and Recovery Plan. Alternative routes and evacuation plans should be known and established.

FHWA, in collaboration with AASHTO and TSA, should use the countermeasures development and evaluation methods described in this section to assess countermeasure effectiveness. Typical countermeasures to be considered are shown below and in Appendix A. Countermeasures should be ranked and implemented based on the cost-benefit analysis approach described here.

5.4 Technology Development And Dissemination

The overall objectives in the area of technology development and dissemination are to: (1) develop a bridge and tunnel security technical program, including cost estimates and resources; and (2) develop an educational curriculum for students and bridge professionals.


The panel has determined that a sufficient body of knowledge exists to assemble an interim structural assessment/design guide based on the following:

  • Existing blast software
  • Strain-rate based constitutive laws or resistance adjustments
  • Ductility/deformation limits
  • Existing plastic design of steel and Ultimate Strength Design (USD) of concrete, adjusted as indicated in (1), (2), and (3) above
  1. FHWA and AASHTO, in collaboration with the USACE and DHS/TSA and others, collect and synthesize existing information, analyses, and case studies and prepare interim findings to support quantitative analysis of blast effects, structural response, and countermeasures cost-effectiveness. These findings should include points of contact (agencies, firms, and individuals) with specific expertise in bridge and tunnel blast analysis.
  2. The panel recommends that AASHTO and FHWA endorse The National Pooled Fund Project, TPF-5(056), Design of Bridges for Security, TxDOT Project No. 0-4569, August 15, 2002.
  3. The BRP recommends that AASHTO work with university engineering institutions to develop an educational curriculum for students and bridge professionals to address security concerns. AASHTO should consider supporting the "Educational Bridge" program sponsored by the National Society of Professional Engineers (NSPE) in collaboration with TISP though which universities are being encouraged to integrate infrastructure security into their curricula.

[14] The BRP recognizes that the AASHTO Guide to Highway Vulnerability Assessment for Critical Asset Identification and Protectionis the current methodology and acknowledges it as a starting point for prioritizing bridges and tunnels; however, prioritization of bridges and tunnels requires more specific criteria and methods, such as those recommended later in this report.

[20] Transportation choke points (e.g., bridges and tunnels, inter-modal terminals, border crossings, and highway interchanges) present unique protection challenges. Overall understanding of infrastructure choke points is limited. Common criteria for identifying critical choke points are therefore difficult to establish. We must undertake a comprehensive, systematic effort to identify key assets, particularly those whose destruction or disruption would entail significant public health and safety consequences or significant economic impact. . . . A major reason for this lack of synchronization within the sector is a paucity of funds to promote communication among industry members and facilitate cooperation for joint protection planning efforts. As a result, the sector as a whole has neither a coherent picture of industry-wide risks, nor a set of appropriate security criteria on which to baseline its protection planning efforts, such as what conditions constitute threats for the sector, or standards for infrastructure protection or threat reduction. The sector's diverse and widely distributed constituency complicates this situation. The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, The Office of the United States White House, Washington D.C., 2003.

[21] A Guide to Highway Vulnerability Assessment for Critical Asset Identification and Protection, prepared for AASHTO by Science Applications International Corporation, under NCHRP Project 20-7/151B, May 2002.

[22] Briefing to the FHWA/AASHTO Blue Ribbon Panel on Bridge and Tunnel Security presented by Tom Reilly, Transportation Security Administration, Department of Homeland Security, March 27, 2003.

[23] "Transportation Security Update," briefing presentation by Tom Rummel, P.E., Project Development Section, Bridge Division, Texas Department of Transportation, February 2003.

[24] Revenue streams associated with facilities may not make them attractive targets, but their loss could seriously affect the economic viability of entities that depend on revenue derived from them to maintain continuity of operations.

[25] The proposed approach is consistent with the approach suggested by the TSA and with approaches currently used by entities that have completed or are performing risk assessments.

[26] National Needs Assessment for Ensuring Transportation Infrastructure Security, prepared by Douglas B. Ham and Stephen Lockwood, Parsons Brinckerhoff, for the American Association of State Highway and Transportation Officials (AASHTO) Transportation Security Task Force as part of NCHRP Project 20-59, Task 5, October 2002.

[27] One recommendation related to transportation infrastructure is to "harden industry infrastructure against terrorism through technology. DHS will work jointly with industry and state and local governments to explore and identify potential technology solutions and standards that will support analysis and afford better and more cost effective protection against terrorism." The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, The Office of the United States White House, Washington D.C., 2003.

[28] See Appendix C for a case study of the application of this design methodology.

<< Previous Contents Next >>
Updated: 06/25/2013
Federal Highway Administration | 1200 New Jersey Avenue, SE | Washington, DC 20590 | 202-366-4000