Applying the Theory of Reliability to the Assessment of Hazard, Risk and Safety in a Hydrologic System: A Case Study in the Upper Sola River Catchment, Poland

Abstract: River basin safety issues and hazards arising from extreme hydrological and meteorological events pose significant risks to human life and can entail economic and financial losses. In this study, the practical aspects of reliability theory linked to reliability engineering, and the associated mathematical tools used to describe technical systems, were applied to explore the structural reliability of a quasi-natural system—a portion of the Upper Sola River catchment in Poland. As part of this study, methods such as the Fault Tree Method (FTM), Event Tree Method (ETM), Risk Matrix and Ranking Method for assessing hazard, risk and losses connected with the occurrence of such events are suggested to improve flood risk management and enhance the capacity to safeguard against such events by improving current flood protection protocols in accordance with EC Flood Directives.


Introduction
In force since 26 November 2007, flood protection directives within the European Union (EU) are outlined in the Flood Directive on the assessment and management of flood risks [1], which sets goals, suggests activities and provides methods to reduce the adverse effects of floods. However, the implementation of the directive's recommendations has proven to be a major challenge for a number of nations within the European Community. The concept of flood risk combines the probability of flooding (threat or hazard), and the related potential negative consequences with respect to human health and life, the environment, cultural heritage and economic activities. These consequences reflect the management of the affected area (exposure), the vulnerability of the elements managed within the flood event, and the ability of local communities to combat the threat and reality of floods (sensitivity or resilience). Flooding risk is a function of hazard, exposure and sensitivity to flooding, key factors in determining, respectively, the magnitude and areal extent of extreme events' impacts, land-use within the geographic area of the event's impact, and the resilience of people and objects to event occurrence.
For hydrological systems, the object reliability function, R(t), is a well-characterized measure that represents the probability of meeting the requirement of proper operation. where: t is time, $t_i$ the moment failure occurs, P(.) the probability of non-failure occurrence up to time $t_i$, and τ the duration of object function without failure i.
Expressing an exceedance probability with respect to the range [0, 1] through a non-increasing function, R(t) takes on a value of $R_0 = 1.0$ at time t = 0, and indicates the object is functioning well (i.e., usable). Conversely, if τ ≤ t, the object is unfit for operation. Accordingly, the probability of object failure to time $t_i$ is as follows: where: F(t) is a cumulative distribution function, otherwise known as the object failure function, and R(t) + F(t) = 1, F(t) = 1 − R(t) or R(t) = 1 − F(t).
More on the measures of reliability theory can be found in practically every book or article on the subject, for example in [18,25,26], and later in Section 4.

The Reliability Structure of a Hydrologic System (Reliability Block Diagram)
In the case of a complex object such as a hydrological system, it is important to determine the reliability of the object according to its structure and elements (reliability block diagram). In a model of a complex object, the reliability structure often takes on a mixed form composed of various structures.

Mixed Structure of a Hydrologic System
Typically, a mixed (composite) structure includes serial elements connected with elements operating in parallel (Figure 2).
Figure 2. Reliability structure (reliability block diagram) of the Sola River catchment's hydrological system up to the Zywiec post. This structure reflects system function and element reliability and does not represent the actual location of system elements.
Assuming the time independence of the failure-free operation of a mixed structure's individual elements, the mixed structure of a hydrological system including the river valley's retention and one levee and one polder (Figure 2) yields an R(t) and F(t) calculated as: serial structure and parallel structure where, i is the element number, where i = 1, river valley retention; i = 2, levee; and i = 3, polder (Figure 2), $F_i(t)$ is the failure function of the i-th element, and $R_i(t)$ is the reliability function of the i-th element.
For the specific case shown in Figure 2, the equations for R(t) and F(t) can be written, respectively, as:
In the case of some objects, such as hydrological systems, a reliability structure can be created by elements treated as events that can appear in the object, in addition to elements physically existing in the object. Accordingly, a convenient way to graphically represent and analyze the object's reliability structure is the Fault Tree Method (FTM).

The Fault Tree Method (FTM) in the Reliability Analysis of Hydrological Systems
In assessing complex object reliability, if its elements, in particular its physical elements, are known, then a model of reliability for such an object is easily presented in qualitative form as a structure of reliability (Figure 2) and quantitatively using measures of reliability (Equations (3)-(8)). For more complex hydrological systems, an FTM model can be used where the mathematical description of failure takes the form of probabilities of so-called top events and basic events. A top event is an undesirable event leading to object failure, e.g., high flows leading to flooding, while a basic (original) event is an event or failure the cause of which is not considered (e.g., heavy rainfall, sudden rise in hibernal air temperature with a heavy snow cover over a large area of the catchment, frozen soil, levee status, retention reservoir filled to capacity, high soil moisture content in catchment area, etc.).
One of the advantages of describing the reliability of the object structure using FTM ( Figure 3) is the possibility of placing the probabilities of occurrence of individual events on tree branches, leading up to the top event, thereby allowing a quantitative analysis of object reliability.
The probabilities $P(A_i)$ of undesirable events $A_i$ found in FTM are dependent on the time (t) of failure occurrence (e.g., of the undesirable event) and are equal to: where, $R_l(t)$ is the reliability function of the l-th element of the object, in which the l-th failure, $F_l(t)$, appeared at time t.
For the hydrological system shown in Figure 3, the probability p(A) of top event A (flooding occurrence) can be calculated as follows (see also Section 4):
All probabilities should be estimated by use of expert knowledge, i.e., a team of specialists from different fields of interest (e.g., Ranking method, see Section 4), or through statistical methods if sufficient data exist to perform statistical calculations.
Based on estimated probabilities $p(A_i)$, the value of the reliability function $R_l(t)$ of the l-th element of the hydrological system, in which failure $F_l(t)$ occurred as a result of undesirable events occurring at time t (Equation (9)), the reliability or failure of the entire hydrological system can be calculated.
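The series/parallel rules of the mixed structure and the fault-tree view of the same system can be checked against each other. The following Python sketch is an added example, not code from the paper: it evaluates a nested reliability block diagram under the independence assumption stated above, converts it to its dual fault tree (series becomes an OR gate, parallel becomes an AND gate) and confirms that the top-event probability equals F(t) = 1 − R(t). The topology and the element reliabilities are constructed assumptions and are not taken from Figure 2 or Figure 3.

```python
from math import prod

# Element reliabilities R_i(t) at one fixed time t. Constructed values for
# illustration only; the page gives no per-element figures.
ELEMENT_R = {"retention": 0.90, "levee": 0.80, "polder": 0.60}

# Assumed topology (not read from Figure 2): river valley retention in series
# with a parallel pair (levee, polder).
RBD = ("series", ["retention", ("parallel", ["levee", "polder"])])


def rbd_reliability(node, element_r):
    """R(t) of a nested series/parallel block diagram, elements independent."""
    if isinstance(node, str):
        r = element_r[node]
        if not 0.0 <= r <= 1.0:
            raise ValueError(f"reliability of {node!r} outside [0, 1]: {r}")
        return r
    kind, children = node
    values = [rbd_reliability(child, element_r) for child in children]
    if kind == "series":       # the structure works only if every element works
        return prod(values)
    if kind == "parallel":     # the structure fails only if every element fails
        return 1.0 - prod(1.0 - r for r in values)
    raise ValueError(f"unknown structure type: {kind!r}")


def rbd_to_fault_tree(node):
    """Dual fault tree of a block diagram: series -> OR gate, parallel -> AND gate."""
    if isinstance(node, str):
        return f"{node} fails"          # basic event
    kind, children = node
    gate = {"series": "OR", "parallel": "AND"}[kind]
    return (gate, [rbd_to_fault_tree(child) for child in children])


def top_event_probability(node, basic_p):
    """Probability of the top event, given independent basic-event probabilities."""
    if isinstance(node, str):
        return basic_p[node]
    gate, children = node
    values = [top_event_probability(child, basic_p) for child in children]
    if gate == "AND":
        return prod(values)
    if gate == "OR":
        return 1.0 - prod(1.0 - p for p in values)
    raise ValueError(f"unknown gate: {gate!r}")


def analyse(rbd=RBD, element_r=ELEMENT_R):
    """Evaluate the block diagram and its dual fault tree side by side."""
    r_sys = rbd_reliability(rbd, element_r)
    tree = rbd_to_fault_tree(rbd)
    # Basic-event probability is the element failure function F_i = 1 - R_i.
    basic_p = {f"{name} fails": 1.0 - r for name, r in element_r.items()}
    p_top = top_event_probability(tree, basic_p)
    return {"R": r_sys, "F": 1.0 - r_sys, "fault_tree": tree, "p_top": p_top}


if __name__ == "__main__":
    result = analyse()
    print(f"R(t) = {result['R']:.3f}, F(t) = {result['F']:.3f}")
    print(f"fault tree: {result['fault_tree']}")
    print(f"p(top event) = {result['p_top']:.3f}")
```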

Definition of Risk
Both the definition and mode of assessment of risk vary widely in the literature from different scientific domains [26-36]. While the term risk is often used interchangeably with that of uncertainty, these are two distinct concepts: uncertainty most commonly refers to a state in which future possibilities and chances are unknown; risk refers to decision-making in situations of uncertainty. Negative associations tied to the term risk, due to its allusion to a lack of safety, impede its social acceptance. Generally, the concept of risk is a complement to the closely related concept of safety.
Given that a (hydrological) system's safety level can be quantified, one hydrological system and its elements can be deemed safer than another. Given that a functioning hydrological system implies a certain level of risk, its level of safety can be assessed through its level of risk. The three categories of risk or levels of safety (e.g., acceptable, tolerable and unacceptable) have fuzzy boundaries, determined through qualitative rather than quantitative methods of risk assessment. The level of risk tolerance should be the lowest in accordance with the principle of As Low as Reasonably Practicable (ALARP) [13,37]. The level of tolerable risk depends primarily on the legal provisions in force, policies adopted for the environment and cultural goods, as well as on the approval of the local communities according to their unique cultural traditions and ethical values. The European Union Flood Directive [1,38] defined the risk of flooding as the combined probability of flood occurrence and the potential, negative flood-related consequences for human health, natural environment, cultural heritage and economic activity.

Qualitative and Quantitative Assessment of Risk
The qualitative analysis of risk in a probabilistic sense involves the identification of threats and assessment of the sequence of events leading to an undesirable event, i.e., an extreme hydrological event. Such an analysis can be performed by the Event Tree Method (ETM) [24,39], a graphical representation of a chronological scenario of events that have a significant impact on the system's operation, but are ultimately caused by an initiating or 'basic hazardous event'. This approach assumes that for system failure to occur one undesirable event is not sufficient, but rather a series of events is required.
In contrast to block diagrams of system structure and the FTM, ETM is not used to describe a system's reliability structure (e.g., physical elements or undesirable events), but rather for risk analysis. Nevertheless, risk analysis does require knowledge of system structure, so it is reasonable to combine the two methods to comprehensively describe a system's operation and its elements. Therefore, in creating a hydrological system's event tree, all elements of such a system and their interrelations should be considered.
After building an event tree to represent foreseeable secondary event scenarios, a probability can be assigned to every secondary event branch, allowing the probability of entire sequences of events leading to object failure to be calculated. In this way, a quantitative model of threat (risk) induced by an initial event can be generated.
In the concepts of FTM and ETM presented in this paper, the reliability function (and/or failure function) and the extent of risk are considered in a probability domain, as described below.

Relationship between Measures of Hydrological Risk and Measures of Reliability (Failure)-Threat and Losses
While the concepts are defined in fundamentally different ways, a close relationship exists between measures of risk, reliability (failure)-threat (hazard) and losses, and can be written as:
Drawn from the relationship between the hydrological system's object failure function, F(t), and its object reliability function, R(t), the probability of occurrence of an undesirable event p(A) = $p_i$ (Figure 4), is quantified in terms of the undesirable event 'A' causing losses greater or equal to l. The relationship in Equation (11), between measures of hydrological risk $M_{HR}$, failure F (reliability R)-threat and losses T, can be expressed mathematically as: where, $M_{HR}$ is a measure of risk of emergence of losses l in the hydrological system at time t of the system's functioning, F(t) is the system failure function-probability of occurrence of event A at time t, R(t) is the system reliability function-probability of non-occurrence of event A at time t, T(l) is the probability that the occurrence of an undesirable event A causes losses greater or equal to l, is the probability of occurrence of the undesirable event, A, viewed as a measure of failure F(t) (or reliability R(t)) of the hydrological system, P[L(t) ≥ l | A] is the probability of occurrence of losses greater or equal to l under the condition that undesirable event A occurred. It serves as the measure of threat of the occurrence of losses in the hydrological system resulting from its malfunctioning.
Equation (12) shows that the risk of occurrence of loss within the hydrological system depends not only on undesirable event A, which creates the threat of occurrence of losses, but also on the failure or reliability of the complete system or its elements. Failure of the system or its elements has a direct impact on the possibility of occurrence of losses and their magnitude, i.e., T(l) in Equation (12). The level of risk also depends to a large extent on the system's readiness to counteract a threat, both before and after its occurrence. Emergency and risk management systems include the monitoring/forecasting of extreme hydro-meteorological events, implementation of warning systems and involvement of fire departments and medical emergency systems. Factors influencing the safety of hydrological systems fall into two main categories: (i) Those relating to the reliability of operation of the system and its elements, and those related to the failure-free functioning of risk management systems, and (ii) those associated with the occurrence of undesirable events. Even if a complex object's elements show low reliability, the object can still be safe if in the planning, design and operational phases, engineers have ensured that potential damage does not generate large risks.
The proposed approach (Equation (12)) differs from the classical approach because it accounts for the probabilistic nature of losses, not only the size of losses in the form of a single value, and simultaneously takes into consideration the reliability (or failure) of the structure of the hydrological system as a probability of threat. Accordingly, hydrological risk should be expressed by a unit of probability, and not by a unit of losses expressed in monetary units and/or as a number of human victims. In the new approach, rather than calculating the extent of losses based on the configuration of the terrain, flood water velocity, flood timing, volume, and depth, land-use, nature of the resident human population, and value of human property, the probability of occurrence of losses equal to or exceeding a certain assumed value (magnitude) is considered. Accordingly, the hydrological system failure function or the hydrological system reliability function is expressed as the probability of occurrence or non-occurrence of the undesirable event. Given knowledge regarding the reliability of the system, as illustrated in a block diagram, and a description of the system developed using FTM, one can build an event tree (ETM). This graphical representation of the foreseeable course-of-events brought on by the occurrence of the initialization event allows the assignment to specific branches of the event tree of probabilities of occurrence for every secondary event's occurrence. Then the probability of the entire sequence of secondary events leading to the failure of the system can be calculated ( Figure 4). One can thereby create (build) a quantitative (probability) model of risk induced by the occurrence of the initialization event.

Identification of Risk
The probability of an individual incident's occurrence is assessed and then the sequence of events leading to system failure is calculated. Using an event tree, a given sequence's probability of occurrence and level of risk (RL) can be calculated. This allows one to create a system risk model, which by considering possible system element failures and their mutual relationships (e.g., intermediate events, secondary events), evaluates the risk of losses resulting from the occurrence of a given undesirable event.
A system's risk level, $RL^{(k)}$, in response to k undesirable events can be expressed as: where, m is the number of secondary events sequences, n is the number of secondary events in the j-th sequence, $p^{(kj)}$ is the probability of occurrence of the j-th sequence caused by the occurrence of the k-th undesirable event, $p_i^{(kj)}$ is the probability of occurrence of the i-th secondary event in the j-th sequence caused by the k-th undesirable event, and $RL^{(kj)}$ is the risk level associated with the j-th sequence of secondary events caused by occurrence of the k-th undesirable event.
The overall risk to the system from all sequences of secondary events arising from an undesirable event is given in Equation (13), and represents the risk which may arise when considering a particular scenario of secondary events seen as the most likely threat posed by m occurrences of an undesirable event.
For the part of the Sola River catchment system in Zywiec, the event tree, which considers measures of risk level for this object (Figure 4), can be used to calculate the risk associated with initial event IE in the form of heavy rainfall, as: where
Because numbered sequences j = 1, 3 and 4 do not lead to interruption of levee function and attendant flooding disaster, measures of risk level for these sequences are equal to zero (i.e., $RL^{(1)} = RL^{(3)} = RL^{(4)} = 0$); therefore Equation (15) takes on the form:
Both the measure of risk level, $RL^{(2)}$, of sequence no. 2 initiated by initial event IE, as well as probabilities of every secondary event, $p_1$, $p_2$ and $p_3$, would be estimated by experts or statistical methods (see Section 4).
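The event-tree calculation described in this section can be carried through on a small tree. The following Python sketch is an added example, not code from the paper: it enumerates every sequence of secondary events, multiplies the branch probabilities along each sequence and sums the risk of the sequences that end in flooding. The tree topology, event names and probabilities are constructed assumptions (Figure 4 is not reproduced here), with branch order chosen so that only sequence no. 2 ends in failure. Treating a failing sequence's risk level as its probability is also an assumption.

```python
from math import isclose, prod

# Constructed secondary-event probabilities p1, p2, p3 (illustrative values).
P1, P2, P3 = 0.30, 0.50, 0.20

# Constructed event tree for initiating event IE (heavy rainfall). Each node
# lists (branch label, branch probability, subtree or final outcome).
EVENT_TREE = {
    "event": "river valley retention exceeded",
    "branches": [
        ("no", 1 - P1, "no flood"),
        ("yes", P1, {
            "event": "polder filled to capacity",
            "branches": [
                ("yes", P2, {
                    "event": "levee overtopped or breached",
                    "branches": [
                        ("yes", P3, "flood"),
                        ("no", 1 - P3, "no flood"),
                    ],
                }),
                ("no", 1 - P2, "no flood"),
            ],
        }),
    ],
}


def enumerate_sequences(node, path=()):
    """Return [(path, probability, outcome)] for every root-to-leaf sequence."""
    if isinstance(node, str):                       # leaf: final outcome
        return [(path, prod(p for _, _, p in path), node)]
    total = sum(p for _, p, _ in node["branches"])
    if not isclose(total, 1.0, abs_tol=1e-9):       # branches must be exhaustive
        raise ValueError(f"branches of {node['event']!r} sum to {total}, not 1")
    sequences = []
    for label, p, child in node["branches"]:
        step = (node["event"], label, p)
        sequences.extend(enumerate_sequences(child, path + (step,)))
    return sequences


def risk_level(tree, failure_outcome="flood", p_initiating=1.0):
    """Total risk level and the per-sequence breakdown.

    Assumption: a sequence's risk level is its probability (times the
    probability of the initiating event) if it ends in the failure outcome,
    and zero otherwise.
    """
    per_sequence = []
    for j, (path, p_seq, outcome) in enumerate(enumerate_sequences(tree), 1):
        rl = p_initiating * p_seq if outcome == failure_outcome else 0.0
        per_sequence.append({"j": j, "p": p_seq, "outcome": outcome, "RL": rl})
    return sum(s["RL"] for s in per_sequence), per_sequence


if __name__ == "__main__":
    total, sequences = risk_level(EVENT_TREE)
    for s in sequences:
        print(f"sequence {s['j']}: p = {s['p']:.3f}, {s['outcome']}, RL = {s['RL']:.3f}")
    print(f"total risk level = {total:.3f}")
```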

Methodology
Hydrological system safety depends primarily on procedures and regulations related to extreme hydrological event (e.g., floods) risk management. These should be included in plans of hydrological system security, which we propose should be a part of the flood risk management plans implemented under the Flood Directive. In doing so, the following methodology should be followed:
i. Identification of threat formation mechanisms, i.e., threats in the form of a surplus (flooding) of surface water in three environments: canals of rivers, natural and artificial (man-made) reservoirs and periodically on the catchment area. In the example of the Sola River catchment at the Zywiec post (Section 4), the maximum flows from winter and summer seasons causing floods were identified as the threat in Zywiec town and its surroundings.
ii. Determination of defense mechanisms appropriate for specific types of threats, i.e., taking into account technical and non-technical activities, what should be done? For instance, in the case of a huge flood, technical flood protection infrastructure can be installed for flood reduction. These include retention reservoirs with constant flood reserve, dry reservoirs and polders with locks and spillways as well as objects preventing flooding outside the intended area, i.e., levees, dry reservoirs and polders without locks, channels of relief and maintenance and adjustment of the riverbed capacity. Non-technical flood protection activities can include hydrological education about extreme events, information on the occurrence of risks of flood, appropriate land-use planning, insurance as well as legal and institutional systems.
iii. Identification of the reliability structure of a hydrological system, i.e., creating a reliability block diagram (see Figure 2) on the basis of existing objects in the studied system. The measures of the reliability analysis can be evaluated: reliability function R(t) (Equations (1)-(8), (21) and (26)) and failure function F(t) (Equations (1)-(8)), function of failure intensity λ(t) (Equation (25)), function of cumulative intensity of failures Λ(t) (Equation (29)) and the expected value of time the system functions without failure ET (Equations (27) and (28)). The reliable structure of the hydrologic system can be described by the FTM as a probabilistic model of the system (see Figure 3 and Equations (9) and (10)).
iv. Qualitative risk assessment and prioritizing risk levels of identified threats, using ETM as a probabilistic model of risk occurrence in the hydrologic system (Section 2).
v. Quantitative risk assessment by evaluating the probability of threats and the consequences of their occurrence, using ETM (see Figure 4 and Equations (13)-(20), (43) and (44)).
vi. Evaluation of hydrologic risk measures of the entire system and its particular elements of flood protection infrastructure. The hydrologic risk measure $M_{HR}$ (Equations (11), (12), (22), (24) and (47)) and Safety Guarantee Indicator (SGI) (Equation (45)) and Flood Risk Indicator (FRI) (Equation (46)) should be estimated.
vii. Evaluation of risk of losses in the hydrologic system using FTM and ETM probabilistic models (Equations (30)-(33) and (40)

Place and Data for Case Study
Conditions of outflow from its drainage area are closely related to its hypsometry. Maximum flow series from winter and summer seasons over a monitoring period of 1956 to 2012 (t = 57 years) were used for calculations. Using the analysis of heterogeneity employed in [40], both winter and summer season series of maximum flows were identified as statistically homogeneous.
The calculation of maximum annual floods with a T-year return period (exceedance probability p) followed the Alternative Events Method [40,41] using the English version of FFA Software by [42].
The Maximum Credible Flood (MCF) is the largest flood which may occur under extreme conditions conducive to the simultaneous occurrence of the Maximum Credible Precipitation ($P_{MC}$) and extremely favorable conditions for run-off, i.e., the smallest possible loss of surface waters depending on local physiographic conditions and catchment land-use patterns. Arising from a $P_{MC}$ event, the peak discharge at the catchment outlet during an MCF ($Q_p^{MCF}$) event was calculated [43]. Therefore, the $Q_p^{MCF}$ represents the upper limit of flooding which may occur in a catchment where $P_{MC}$ fell. The value of $P_{MC}$ is defined as the theoretically greatest precipitation within a duration of minutes, hours, days, etc. which is physically possible to occur over a given area, under given geographical conditions and in each season. The $P_{MC}$ is therefore an upper limit of precipitation depth and is determined based on physical characteristics of precipitation formation mechanisms.
Under economic criteria for flood protection, the boundary flow of river flooding which may result in flooding losses, $Q_b$, was adopted. According to the catchment's topography and land-use, $Q_b$ was deemed equivalent to: (i) the maximum flow not causing flood losses, $Q_{af}$, (ii) the mean flow of annual maximum floods for a given observation period, $Q_{AMF}$, or the $Q_{max}^{T=2} = Q_{max}^{50\%}$, i.e., the maximum flood with probability of exceedance p = 50%.
For the period of 1956-2012, $Q_{AMF}$ = 354.5 m³ s⁻¹, and $Q_{max}^{50\%} = Q_{max}^{T=2}$ = 285 m³ s⁻¹ at the catchment outlet (Zywiec monitoring station). In this example, the set of undesirable events was limited to the largest annual floods monitored at Zywiec between 1956 and 2012 (Figure 6). Therefore, for the accepted threshold $Q_b = Q_{af} = Q_{AMF}$ = 354.5 m³ s⁻¹, the number of largest undesirable events which might result in losses was calculated [n(l, t) = 21]. This represents the number of floods, during 57 years of operation of the Sola River catchment's hydrological system, which potentially could have caused losses greater or equal to l. For $Q_b = Q_{af} = Q_{max}^{50\%}$ = 285 m³ s⁻¹, the number of undesirable events resulting in losses was equal to 27. The largest undesirable events are understood as floods whose peak flows were the biggest over a given year. This means that all the largest undesirable events, N, total 57, since the peak flows of maximum annual floods are considered over 57 years. These are the peak flows of all maximal floods whose values are equal or exceed $Q_{AMF}^{min}$ = 92.6 m³ s⁻¹.

Figure 6. Annual peak flows for Zywiec post on the Sola River during 1956-2012 (plot label: $Q_{af}$ = 354.5 m³ s⁻¹).

General Measures of Reliability, Failure, Risk and Safety
For all occurrences of yearly maximal floods in the observation period (N = 57) and n(l, t) = 21 maximal floods that could cause losses of l (system failure), the reliability function R(t) for the hydrological system is given as: where, n(l, t) is the number of events that cause system failure, and N is the total number of events of the phenomenon affecting the system.
In the present case, R(t) = 0.63 and therefore the failure function F(t) = 1 − R(t) = 0.37. This indicates that the Sola River catchment area above the Zywiec post, given its physico-geographical properties, land-use, etc., functioned reliably in only 63% of occasions when undesirable events occurred, i.e., in 37% of occurrences of the biggest floods with the potential to cause losses from 1956 to 2012, the system was unreliable. This represents a general evaluation of the reliability structure of the Sola River catchment's hydrological system, without considering the reliability properties of the elements that compose it.
The general and empirical hydrologic risk measure, $M_{HR}$, of maximal floods can be approximately given as: where, n(l, t) is the number of undesirable events that occurred at time t of system function and caused losses greater or equal to l, N is the number of all events occurring at time t.
Accordingly, $M_{HR}$ = 0.37. This measure can provide insight into potential risk, expressing the probability of occurrence of losses L(t) not less than l in the period t = 57 years of system functioning. However, the hydrological risk measure should be calculated using Equation (12); its reliable assessment is much more complex. The threshold value l of losses is not explicitly adopted for this example, but can be specified depending on type of losses (human individual or collective or economic).
In order to check the impact of the adoption of threshold Q b on the system's R(t) and F(t) and risk, M HR , caused by maximal floods, the same calculation for Q b = Q af = Q max50% = 285 m 3 s −1 was performed, for which the number of biggest undesirable events that may cause losses was equal to n(l,t) = 27, and R(t) = 0.53 and F(t) = 0.47 and M HR = 0.47. Obviously, with a reduction in the threshold Q b , the risk of losses as a result of extreme flood occurrence increases, and the Sola River catchment's reliability of operation decreases. The adoption of a given threshold level, under which phenomena will be judged as undesirable events, has a significant impact on the assessment of the hydrological system's failure, and consequently on its safety.
The town of Zywiec's flood protection infrastructure consists of a levee, which protects the city from flooding. The levee is a class II construction intended for flood protection and was designed for a flood $Q_d = Q^{T=100}_{max} = Q^{1\%}_{max}$ according to Polish design standards [44]. The town of Zywiec had 31815 residents on 31 December 2015 [45]. For the purposes of this example, it was estimated that 10% of the population lived in areas at risk of flooding in the event of destruction or overflow of the levee. Therefore, the number of endangered people, $n_{hr}$, was 3182. It was also estimated that the population living in areas at risk might suffer losses in category $l_5$ (fatalities) as a result of undesirable event A. Should the levee fail or overflow, the number of potential deaths would be $n_{l5} = 43$. The number $n_A$ of all occurrences of event A is equal to the number of floods whose peak flow is greater than the design flood $Q_d = Q^{1\%}_{max} = 1243\ \mathrm{m^3\,s^{-1}}$, for which the levee was designed and built. Thus far, over the period of 1956-2012, only one flood, with $Q^{56-12}_{p} = 1250\ \mathrm{m^3\,s^{-1}}$, was greater than the design flood $Q_d$, so $n_A = 1$. Accordingly, the probability that casualties, L, are greater than or equal to l in category $l_5$ is: In addition, accordingly, the measure of the hydrological risk of the occurrence of fatalities as a result of event A is given as: These indicators and measures give the overall picture of possible threats connected with the occurrence of big floods and the local flood protection existing in the form of a levee in Zywiec.
The function of intensity of damage (failure), λ(t), is given as: where, n(t, t + ∆t) is the number of events causing system failure within the time interval from t to t + ∆t, ∆t is the width of the time interval, is the number of events impacting the system at time t minus the number of events causing system failure within the time interval from t to t + ∆t, i.e., the number of events impacting the system at the beginning of each period ∆t [N(t = 0) = N], N is the total number of events affecting the system throughout the period of its operation.
The value of λ(t) for the hydrological system under study was calculated for intervals of ∆t = 10 years (Table 2).
For the hydrological system studied, the failure intensity can be approximated as a λ(t) value that is constant in time and equal to the mean intensity $\lambda(t) = \lambda = 7.7 \times 10^{-3}\ \mathrm{y^{-1}}$.
If λ and λt are small, they can be used to approximate the reliability function, R(t) ≈ 1 − λt ≈ 0.56, and the failure function, F(t) ≈ λt ≈ 0.44. The approximate values of the reliability and failure functions are close to the calculated values of these functions for floods defined by the threshold of $Q_b = Q_{af} = Q^{50\%}_{max} = 285\ \mathrm{m^3\,s^{-1}}$.
The reliability function R(t) for consecutive decades of the observation period of 1956-2012 was calculated as (Table 3): The analysis of Equation (26) and the results of calculations reported in Table 2 show that R(t) depends on the duration that the hydrological system functions and the failure intensity λ(t). At a constant value of λ(t), the system's reliability depends on the adopted time of its functioning, and it becomes increasingly unreliable as the time the system continues to function increases. However, when λ(t) decreases, a system's R(t) grows, and the failure intensity of the hydrological system can be reduced by taking actions that reduce the occurrence and impact of extreme hydrological events. These are activities related to land-use within the catchment area, increasing the catchment's capacity for retention both in the catchment area and in the riverbed (river valley retention), as well as construction of flood protection infrastructure, e.g., water reservoirs, polders, etc. If the river catchment does not naturally restore its retention potential and man does not take any action to improve protection against flooding and reduce flood risk through specific activities, mainly in the field of technical flood protection, hydrological systems will lose their functional reliability within a certain time (decreasing value of the reliability function over time at constant failure intensity (Table 2)). However, this does not happen because, despite the occurrence of initial events (e.g., heavy rainfall or sudden increases of air temperature in spring in the presence of thick snow cover), not all floods, although they are undesirable events, cause failure of the hydrological system by flooding. Values of the reliability function for the Sola River catchment at the Zywiec station for respective decades are relatively large (Table 2), averaging 0.930.
The expected value of time the system functions without failure, ET, is given as: Thus, for $\lambda = 7.7 \times 10^{-3}\ \mathrm{y^{-1}}$, $ET = \lambda^{-1} \cong 130$ years, a value not credible in view of the occurrence of failure during the 57 years of Sola River system monitoring. A better measure of the time of hydrological system function would be the cumulative damage intensity, Λ(t), given as: which for $\lambda = 7.7 \times 10^{-3}\ \mathrm{y^{-1}}$ is $\Lambda(t) = 0.439\ \mathrm{year^{-1}}$. Accordingly, the expected time of the system operating without failure for the Sola River watershed at Zywiec is $ET = 1/\Lambda(t)$ = 2 years 4 months.

Fault Tree and Event Tree Methods for Quantitative Estimation Threat and Risk
To illustrate the employment of Fault Tree and Event Tree Methods in the evaluation of safety and reliability of hydrological system functioning, it was assumed for purposes of this example, that the structure of reliability of the Sola River watershed above Zywiec consisted of retention by the river valley, as well as a levee and polder (Figure 2). This structure can be described using FTM (Figure 3), in which the following basic undesirable events were identified: $A_{11}$ (river bed heavily developed), $A_{12}$ (bad river regulation), $A_{13}$ (too small a spacing of levee). The latter caused undesirable event $A_1$ (lack of river valley retention), as well as basic events $A_{21}$ (catastrophic flood), $A_{22}$ (bad technical condition of levee) and $A_{23}$ (polder misuse). All these together were the cause of occurrence of undesirable event $A_2$ (insufficient security of protected land when exposed to flooding).
Events A 1 and A 2 (Figure 3), which together led to the occurrence of top event A (i.e., flooding in the town of Zywiec) call for the calculation of the probability of occurrence in the case of a serially structured system: where: P A ss i is the probability of event A i at the entrance to a logical sum that describes the serial structure of system in terms of reliability.
While in the case of a parallel structure: where: is the probability of event A i at the entrance to a logical product that describes the parallel structure of the system in terms of reliability.
The probability of occurrence of the top event for the system structures presented in Figures 2 and 3 is then: where Without prior knowledge of the probabilities of their occurrence, the probabilities of individual basic undesirable events $A_{11}$, $A_{12}$ and $A_{13}$ as well as $A_{21}$, $A_{22}$ and $A_{23}$, were ranked by a group of five experts using the Ranking Method. Based on measured data and using statistical methods, the head of the team of five experts estimated the probability of events $A_{12}$ and $A_{21}$ as $p(A_{12}) = 0.03$ and $p(A_{21}) = 0.001$. These events were denoted $B_1$ and $B_2$ and used to calibrate the equation: where, $a_0$ and $a_1$ are calibration coefficients, $p(A_{i,j})$ is the probability of undesirable basic event $A_{ij}$, where $p(A_{12}) \equiv p(B_1)$ and $p(A_{21}) \equiv p(B_2)$ (Table 3), pos is the mean position of the event in the ranking (Table 3).
To calculate $a_0$ and $a_1$ in this case, we know from Table 3 that $p(A_{12}) \equiv p(B_1) = 0.03$, $p(A_{21}) \equiv p(B_2) = 0.001$, $pos_{B_1 \equiv A_{12}} = 1.6$, and $pos_{B_2 \equiv A_{21}} = 5.0$. Accordingly, we can write:

$$\log[p(B_1)] = 1.6\,a_0 + a_1 \qquad (35)$$

$$\log[p(B_2)] = 5.0\,a_0 + a_1 \qquad (36)$$

Rearranging and substituting we obtain: Substituting the value of $a_0$ in Equation (36), we obtain: The probability of the top event, p(A) = 0.049 was obtained by inserting into Equation ( The value of the reliability function R(t), for the hydrological system with the structure presented in Figure 2 is calculated as: The reliability function of hydrological system element j, $R_j(t)$, can be estimated from the estimated probabilities $p(A_i)$, as can the failure function, $F_j(t)$: This value of R(t) is close in value to that of R(t) obtained for subsequent decades of the observation period of maximum floods at Zywiec (Table 2).
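The ranking-method calibration of Equations (35) and (36) and the serial (logical sum) and parallel (logical product) gate rules described above, as an added Python example that is not the authors' code. The mean positions of the four non-anchor events and the all-OR gate layout are constructed assumptions (Table 3 and Figure 3 are not reproduced here), and base-10 logarithms and independent basic events are assumed, so the printed result is not the paper's p(A) = 0.049.

```python
import math

# From the page: (mean ranking position, measured probability) of the two
# calibration events B1 = A12 and B2 = A21.
B1 = (1.6, 0.03)
B2 = (5.0, 0.001)

# CONSTRUCTED mean positions for A11, A13, A22, A23 (assumption; the page's
# Table 3 is not available). Only A12 and A21 carry the page's values.
POSITIONS = {"A11": 2.2, "A12": 1.6, "A13": 3.0,
             "A21": 5.0, "A22": 4.0, "A23": 5.2}

# ASSUMED gate layout (the real one is defined by the page's Figure 3):
# A = OR(A1, A2), A1 = OR(A11, A12, A13), A2 = OR(A21, A22, A23).
TREE = ("OR", [("OR", ["A11", "A12", "A13"]),
               ("OR", ["A21", "A22", "A23"])])


def calibrate(b1, b2):
    """Solve log10(p) = a0*pos + a1 through two anchor events."""
    (pos1, p1), (pos2, p2) = b1, b2
    if pos1 == pos2:
        raise ValueError("anchor events need distinct ranking positions")
    a0 = (math.log10(p2) - math.log10(p1)) / (pos2 - pos1)
    a1 = math.log10(p1) - a0 * pos1
    return a0, a1


def rank_to_prob(pos, a0, a1):
    """Map a mean ranking position to a probability, clamped to at most 1."""
    return min(10 ** (a0 * pos + a1), 1.0)


def gate(kind, probs):
    """Combine independent input events at a fault-tree gate."""
    if any(not 0.0 <= p <= 1.0 for p in probs):
        raise ValueError("probabilities must lie in [0, 1]")
    if kind == "OR":    # serial structure: any input event triggers the output
        return 1.0 - math.prod(1.0 - p for p in probs)
    if kind == "AND":   # parallel structure: all input events are required
        return math.prod(probs)
    raise ValueError(f"unknown gate type: {kind}")


def evaluate(node, leaf_probs):
    """Recursively evaluate a tree of (gate, children) tuples and leaf names."""
    if isinstance(node, str):
        return leaf_probs[node]
    kind, children = node
    return gate(kind, [evaluate(child, leaf_probs) for child in children])


def top_event(tree=TREE, positions=POSITIONS):
    """Return (p_top, leaf probabilities) for the calibrated ranking."""
    a0, a1 = calibrate(B1, B2)
    leaves = {name: rank_to_prob(pos, a0, a1)
              for name, pos in positions.items()}
    return evaluate(tree, leaves), leaves


if __name__ == "__main__":
    p_top, leaves = top_event()
    for name, p in sorted(leaves.items()):
        print(f"p({name}) = {p:.5f}")
    print(f"p(A) = {p_top:.4f}  R = 1 - p(A) = {1 - p_top:.4f}")
```

Replacing the constructed positions with the Table 3 values and `TREE` with the Figure 3 gate layout turns this into the paper's calculation.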
A qualitative and quantitative identification of the threat and related risk of flooding as a result of levee breakage at Zywiec was made using ETM (Figure 4). The risk level of the hydrological system, RL, was then calculated (Equations (15) and (20)): where SGI and FRI are defined, respectively, as Safety Guarantee Indicator and Flood Risk Indicator. Considering the flood protection infrastructure and flooding risk in Zywiec, they are calculated as [43]: Accordingly, the resulting risk level RL appears to be small. A higher level of risk to the system is not equivalent to a rise of losses in it upon failure. Generally, it can be assumed that the higher the level of risk, the greater the probability of a shift from a state of risk into a state of system losses. Nevertheless, losses may be zero even at a high risk level and greater than zero even if the risk level is small. Everything depends on the reliability properties of the elements from which the hydrological system is built and the nature of the undesirable event.
The measure of loss risk in a hydrological system as per Equation (12) is: It should be noted that the system under study was highly reliable (R(t) = 0.951); its failure function was estimated at only 4.9%, i.e., the low level of the risk of losses in this occurrence yields a low probability of losses in this system.

Qualitative Method of Risk Assessment
On the basis of the magnitude of the probability of occurrence of an undesirable event and the category of losses and risk matrix (Tables 4-7), the level of risk with respect to the safety needs of the concerned hydrological system (for which the probability of occurrence of an undesirable top event A, i.e., flooding, is p(A) = 0.049) is unlikely to lead to significant losses. It can be assumed as a tolerable level of controlled risk, i.e., tolerable only when the costs of its reduction are adequate to an established given level of safety, i.e., level of heavy individual losses or light collective losses and/or economic losses within the range of $10^4$-$10^5$ Euros. One should keep in mind that when determining weights of scale of the probability category (Table 4) in the process of a quantitative assessment of probability (frequency) of undesirable event occurrence, the average return period T must be considered and associated with the probability of exceedance p, i.e., the probability of achieving or exceeding the value of p in each year the hydrological system functions.
The values of scales in Tables 4, 5 and 7 are contractual and may be accepted depending on current legal, social and economic conditions, i.e., depending on the adopted policy on safety including protection of the natural environment and cultural goods (property) and approval by potentially affected communities.
Depending on the difference between the level of risk arising from potential threat and the level of unacceptable risk adopted in accordance with ALARP principles, methods for risk assessment adequate to the size of threats should be applied. If the difference is smaller, the chosen method of risk assessment should be more accurate. In cases of major threats and small differences, the principle should be to apply quantitative methods such as ETM (Figure 4). In the case of a significant difference between the unacceptable level of risk and level of risk arising from a potential small threat, qualitative methods can be used, e.g., Risk Matrix (Table 6).

Summary and General Conclusions
An attempt to provide a mathematical description of the reliable functioning of a river catchment was undertaken using reliability engineering tools drawn from practical aspects of reliability and safety theory. The river catchment was treated as a hydrological system, in which various kinds of threats could arise from interactions between objects (elements) that together constitute the system and affect human safety and the environment in which man functions. Relationships between these elements were described from the point of view of extreme hydrological events occurring in a river catchment, i.e., flooding as a result of extreme meteorological events.
Extreme hydrological phenomena leading to flooding were treated as undesirable events from the point of view of human safety (e.g., threat to life, health and property), and as a manifestation of the hydrological system's lack of fitness for reliable operation. Mechanisms of extreme hydrological threats and the technical and non-technical measures to meet them should be identified first. The hydrological system's reliability structure should then be specified and described by a mathematical model. A Fault Tree Method was proposed which would allow for a probabilistic description of undesirable events occurring in a hydrologic system. Using an Event Tree Method to develop a hydrological system reliability model, one can evaluate probability of threats and related risk resulting from extreme hydrological events. Measures of reliability and threats were used to make a quantitative assessment of risk probability. Having identified the measure of risk of hydrological extreme events, one can manage it, i.e., knowingly (consciously, deliberately) diagnose and control this risk to ensure the safety of people and the hydrological system itself [38].
Threats occurring within the hydrological system can be of natural origin or of anthropogenic origin. The occurrence of natural hazards is independent of man and, in principle, man can only monitor and attempt to mitigate their effects. While the presence of anthropogenic hazards is associated with human activities in the river valley and in the catchment area, humans also build all sorts of technical objects. Therefore, these threats can largely be controlled and their risk of occurrence may be managed. In the case of natural hazards, including extreme hydrological and meteorological events, managing risk is much more difficult.
Safety and reliability of river catchment operation and its application to flood protection depend on comprehensive and sustainable human activities in the riverbed and catchment area; i.e., investments in water engineering infrastructure undertaken by humans, civil objects infrastructure (spatial planning) and land-use of the catchment area (development of natural catchment retention and river valley retention). Poorly planned investments, particularly in the field of technical defense against floods, will deteriorate the effectiveness of flood protection instead of improving it, and will thereby generate social costs in addition to investment costs, which may significantly exceed potential benefits and cause the level of protection against flooding to fall below public expectations.
It should be stressed that the approach to flood risk assessment proposed in the present paper should be considered as complementary to the procedures outlined in the Flood Directive. The intention of the authors is not to replace methods currently in use, but rather to present a different perspective on the evaluation of hazard, risk and reliability of the hydrological system itself as a whole and its elements separately, as affected by extreme events such as floods. As all calculations are made in the probability domain, they do not take into account the time, velocity and depth of flooding, as is done in the classical approach, which is very important when losses are assessed. However, the proposed approach answers the following crucial questions: What is (i) the probability of flooding, taking into account the structure of the particular hydrological system (reliability block diagram), (ii) the possible risk of secondary events and of the peak event engendered by the initial event, and (iii) what is the probability of occurrence of losses equal to or greater than a certain threshold value that decision-makers and affected community agree on. 
According to the Flood Directive's so-called classical (traditional) approach: Flood risk means the combination of the probability of a flood event and of the potential adverse consequences, and the flood hazard maps shall cover the geographical areas which could be flooded according to the following scenarios: (i) floods of low probability, or extreme event scenarios; representing, as per [46], areas where the probability of flooding is low and is ≤0.2% (return period T = 500 years), or there is a non-zero probability of occurrence of extreme events in the area; (ii) floods with a medium probability (likely return period ≥ 100 years); areas where the probability of floods is average and is 1% (T = 100 years); (iii) floods with a high probability, where appropriate; areas where the probability of flooding is high and is 10% (T = 10 years).
The approach proposed in the present paper considers not only the probability of an initial event but also the probabilities of secondary events that lead to failure of hydrological system elements and that of the whole system. In the first stage of analysis (termed initialization) the initial event is identified, i.e., the event that can potentially trigger scenarios of secondary events leading to system failure. At this stage, the analysis also considers the conditions that must be met for the initial event to occur. In a further stage, termed 'response', all possible (probable) scenarios (sequences) of events are analyzed, regardless of whether they lead to failure of the system or not. In a third stage, termed 'implications', the probability of losses caused by the lack of efficiency of the system and its elements is assessed. Finally, the last stage consists of a risk assessment that allows for recognition of risk in quantitative terms (in a probabilistic sense). Therefore, the authors' opinions presented in the present paper fit into a holistic approach to flood-reliable operation of a hydrologic system and its elements [36].