EdSett100

Tuc:Tuc, IMHO, that is not a single point failure. Surely, we must only consider single failures in risk analysis, otherwise a whole stack of "what ifs" will combine to stop us flying. An example of this concept might be this: we must accept the possibility of an engine failing in flight, so we have engine failure drills and we go flying. However, if we consider that the engine will not only fail, but explode as well and send shrapnel into an adjacent fuel tank which will then catch fire, which we cannot extinguish, such that the aircraft will crash, we might view the aircraft as unsafe. If so we don't fly it. Thats not acceptable risk analysis, surely?

The point I'm trying to make is that a massive electrical fault is one failutre that we guard against with all of our protective devices and drills. We should not formally analyse further any what ifs regarding subesequent failures of the protective devices and further what-ifs, such as a leaking fuel pipe nearby.

We have to draw the line at single point failures. ie. What is the consequence of a failure of one item in a zone with other systems operating normally in that zone? eg, what is the consequence of a fuel coupling failure such that the fuel will leak onto an adjacent hot pipe, that is working at its normal temperature? Thats a valid risk assessment question.

I suggest, for example, that an invalid risk assessment would be:

What is the consequence to the aircraft if a 200V cable terminal on a 3 phase alternator was to corrode to breaking point, creating massive sparks and consequent voltage imbalance which is then not detected within the time that the voltage sensor is rated to activate within, so that the sparks continue for another second or two and ignite a possible simultaneous fuel leak from a nearby fuel pump? IMHO we must not consider these daisy chain scenarios in airworthiness decisions.

Regards
Ed