VAA (Vulnerability Assessment and Analysis) is a decision support methodology that identifies and prioritizes vulnerabilities in critical equipment and systems to deliver safe and reliable operations. It works by conducting facilitated brainstorming sessions and interviews with engineering and operations staff to produce a substantial amount of information. This information is then analyzed, categorized, and prioritized to establish a list of vulnerabilities for subsequent study using methods like FMEA, fault trees, and SIL analysis. The purpose is to validate risks identified in the initial assessment and obtain more detailed information to inform risk reduction actions. VAA can be applied to any process during any phase and provides a comprehensive final report documenting the identified vulnerabilities and prioritized action plan.

1. VULNERABILITY
ASSESSMENT AND
ANALYSIS (VAA)

2. What is VAA?
Decision
support
methodology
to help identify
and prioritize
defects for
elimination.
What is VAA?

3. Identifies critical
equipment
and/or systems
What is VAA?

4. Identifies key
vulnerabilities to
deliver safe and
reliability
operations
What is VAA?

5. Establishes a prioritized defect
list for subsequent functional
review and remediation
What is VAA?

6. How does VAA work?
Based on a
Hazop style
brainstormin
g approach

7. How does VAA work?
Involves small
groups of
engineering and
operating staff,
plus individual
interviews

8. How does VAA work?
Produces a
substantial
amount of
information

9. What’s the purpose of VAA?
To analyze,
categorize,
and prioritize
vulnerabilities

10. And then what happens?
More
detailed
information is
obtained in
subsequent
studies
FMEA
Fault Trees
SIL
Level of Protection
Analysis

11. Why?
To validate the
risk issues
raised in the
qualitative
Hazop review

12. An over-arching methodology
VAA can be
used on any
process during
any phase

13. An integrated approach
When
vulnerabilities
are discovered
that are not
immediately
manageable
…the action
items flow into
the appropriate
secondary
methodology

14. Classical Hazop
methodology
Team of senior
representatives
e.g. design,
project, operating
staff
Understanding of
the process
under study,
condition of
equipment &
consequences of
failure
VAA is a blend

15. Typical output

16. Methodology
1) Pre-Assessment
2) Facilitated Assessment & Analysis
3) Post Assessment Phase

17. Pre-Assessment
- Identifying the VAA objectives
- Determining measures of success
- Finalizing what elements of the
methodology will be included
- Ensuring access to information
- Developing an assessment schedule

18. Pre-Assessment
Objectives and
measures of
success must
be tailored to
the organization
and its needs

19. Possible objectives could include:
- Identify all critical vulnerabilities
- Identify and rank all key assets based on
a common “vulnerability maturity
matrix”
- Develop the business case for making
vulnerability reduction investments
- Enhance awareness / make VAA an
integral part of business strategy

20. Facilitated
Assessment
and Analysis

21. VAA Facilitation Workflow

22. Facilitated Assessment and Analysis
VAA starts with the
fullest description
of the system /
process and then
questions every
part of it

23. Post Assessment
- Ranking vulnerabilities by risk category
- Prioritizing assessment recommendations
- Developing an action plan
- Capturing lessons learned and best
practices
- Conducting periodic assessments to
report progress

24. Post Assessment
Risk mitigation
activities that are
low cost or result in
cost savings
should get special
attention

25. Post Assessment
Other
vulnerabilities
might require
further assessment
using quantitative
methods in order
to identify
appropriate risk
reduction actions

26. Deliverables
The VAA process
delivers a
comprehensive
report
documenting the
study, resulting
assessment and
identified actions

27. Deliverables
A typical report may include:
- Visual representation of vulnerabilities
and criticalities
- Identification of vulnerabilities by
system or area
- Vulnerability by category
- Prioritized action list
- Action by type

31. Summary
VAA is an over-
arching
methodology
designed to expose
and discover
vulnerabilities across
a wide segment of
possible impacts

32. Summary
FMEA, Risk
Assessment, and
RCM have a
purpose
But that purpose is
best served after the
VAA
When VAA
comes 1st it
delivers focus
more broadly on
consequences
from all parts of
the system or
process

33. About ARMS Reliability
Since 1995, ARMS Reliability has been at the forefront
of proactive asset management strategies for a range
of blue chip companies throughout the world
Through a unique blend of consulting, education and
software solutions, we enable our clients to make
better decisions to improve asset reliability.
www.armsreliability.com