
The catastrophic crash of Air India flight AI171 on June 12, 2025, has emerged as a case study in how a concealed single point of failure within the electrical architecture of a modern aircraft can cascade into multiple system losses that culminate in disaster. The aircraft, a Boeing 787-8 Dreamliner registered VT-ANB, went through a rapid sequence of electrical and control anomalies that aviation engineers link to a degraded core network, a fault Boeing and regulators had earlier classified as “medium risk.”

1. The Hidden Vulnerability in the 787 Core Network
At the heart of the probe is the Boeing 787’s Common Core System (CCS) and its Common Data Network (CDN), a high-integrity ARINC 664/AFDX Ethernet backbone that interlinks more than 50 aircraft systems. The architecture hosts critical flight computers in twin Common Computing Resource cabinets, with General Processing Modules running functions from thrust management to bus power control. Cybersecurity company IOActive warned in 2020 that the CCS design could act as a catastrophic single point of failure. Boeing’s operational notes to carriers, though, downplayed a core network fault as affecting only “minor” functions such as the airport map or flight deck printer, while ignoring the network’s direct links with flight control modules and the Full Authority Digital Engine Control (FADEC).

2. Pre-Crash Electrical and Component Failures
In the 48 hours preceding the accident, VT-ANB recorded three major electrical failures and 11 minor component malfunctions. On June 9, maintenance flagged a core network fault under Category C MEL, allowing 10 days for rectification. The following day, the NGS, which is critical for inerting fuel tanks, failed and was marked as Category A MEL. Hours before the crash, the stabiliser-trim motor and sensors malfunctioned, both tied to the same 235V AC power domain fed by the engine-mounted Variable Frequency Starter Generators. Fifteen minutes before takeoff, dual Bus Power Control Unit (BPCU) faults and Electronic Flight Bag failures were recorded, indicating instability in the C1/C2 TRU lines that supply 28V DC to flight instrument buses.

3. How BPCU Faults Can Trigger RAT Deployment
The BPCUs are the electrical “traffic cops” that direct generator output to the appropriate buses and isolate faults. When power is lost on both C1/C2 TRU channels, the RAT deploys as an emergency source of hydraulic and limited electrical power. In AI171’s case, RAT deployment occurred within seconds of liftoff, somewhat before the aircraft cleared the airport perimeter wall, suggesting an already-collapsed electrical system rather than a response to engine shutdown. Aviation Herald editor Simon Hradecky points out that RAT spin-up takes ~6 seconds, placing the initiating disturbance at ~1:38:40 IST, two seconds after takeoff.

4. FADEC Fuel Cutoff without Pilot Command
The FADEC interprets loss or invalidity of the “RUN” signal from the fuel control switches as a shutdown command. In the 787, these signals travel via Remote Data Concentrators over the CDN to both FADEC channels. It is possible for an electrical transient or corruption of data in the core network to cause FADEC to initiate fuel cutoff even when the physical switch is untouched. Flight deck audio includes one pilot asking “why did you cut off?” and the other denying action. FDR data indicates the switches transitioned to CUTOFF one second apart, followed by auto-relight attempts, which is consistent with a signal-level failure.

5. Architecture Weaknesses and Redundancy Limits
Unlike federated avionics, the 787’s integrated modular avionics run several functions of different criticalities on shared hardware using VxWorks 653 partitioning. While the software is separated, the physical hardware, power buses and data paths share single points of failure. The FAA has previously issued mandatory directives on CDN vulnerabilities, such as a loss of stale-data monitoring after 51 days of continuous power, which may allow invalid flight-critical data to be processed without annunciation. This interconnectedness, designed to reduce wiring and weight, allows a single electrical fault to ripple across domains.
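
What a stale-data monitor does, shown as an added generic example (not Boeing's code and not a reproduction of the defect behind the FAA directive, whose mechanism this page does not describe): a consumer accepts a sample only if it is valid and recent, and annunciates otherwise. It also shows one well-known way such a monitor can silently stop working after long uptime, a free-running tick counter that wraps; the tick width, refresh limit and all names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative only: names, tick width and limits are assumptions, not
 * taken from the 787 CDN or any ARINC 664/653 implementation. */
#define REFRESH_TICKS 50u   /* maximum acceptable sample age, in ticks */

typedef struct {
    uint32_t value;         /* payload word, e.g. a discrete or sensor value */
    uint32_t rx_tick;       /* free-running 32-bit tick counter at reception */
    bool     source_valid;  /* validity flag set by the producer */
} sample_t;

typedef enum { DATA_OK, DATA_INVALID, DATA_STALE } data_status_t;

/* Naive check on absolute tick values. After the counter wraps, a sample
 * received before the wrap compares as "fresh" for almost a full period. */
static bool naive_is_fresh(const sample_t *s, uint32_t now) {
    return now <= (uint32_t)(s->rx_tick + REFRESH_TICKS);
}

/* Wrap-safe check: unsigned subtraction gives elapsed ticks modulo 2^32,
 * correct whenever the real age is below one counter period. */
static data_status_t check_sample(const sample_t *s, uint32_t now) {
    if (!s->source_valid) return DATA_INVALID;
    if ((uint32_t)(now - s->rx_tick) > REFRESH_TICKS) return DATA_STALE;
    return DATA_OK;
}

/* Consumer: use the value only when DATA_OK; otherwise return the caller's
 * fallback and set the annunciation flag rather than processing silently. */
static uint32_t consume(const sample_t *s, uint32_t now,
                        uint32_t fallback, bool *annunciate) {
    data_status_t st = check_sample(s, now);
    *annunciate = (st != DATA_OK);
    return (st == DATA_OK) ? s->value : fallback;
}

int main(void) {
    /* Constructed sample: received 0x100 ticks before wrap, read 0x100 after. */
    sample_t s = { .value = 1u, .rx_tick = 0xFFFFFF00u, .source_valid = true };
    uint32_t now = 0x00000100u;
    bool flag = false;
    uint32_t v = consume(&s, now, 0u, &flag);
    printf("naive fresh=%d  status=%d  value=%u  annunciate=%d\n",
           naive_is_fresh(&s, now), check_sample(&s, now), (unsigned)v, flag);
    return 0;
}
```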

6. Fleet-Wide Electrical Fragility
Post-crash, Air India grounded three 787-8s for extended heavy checks at MRO hubs in Jordan, Abu Dhabi, and Mumbai. Since June 2025, the airline’s 787 fleet has had several serious events: AI310 returned to Hong Kong after takeoff, AI117 saw uncommanded RAT deployment on approach to Birmingham, and AI154 diverted to Dubai after autopilot failure. Globally, LATAM LA603 reported RAT deployment, while United UA108 reported an in-flight engine shutdown. Boeing acknowledges 31 uncommanded RAT deployments since the launch of the Dreamliner, most related to shuttle valve misalignment in the RAT stow actuator.

7. Regulatory and Manufacturer Risk Minimization
Boeing’s categorization of the core network fault as CAT C MEL, accepted by the FAA and India’s DGCA, implied no immediate grounding, despite the network’s role as the aircraft’s “digital spine.” This parallels the case of the 737 MAX MCAS, which relied on a single AoA sensor in violation of redundancy norms. In both cases, critical vulnerabilities were undisclosed or reframed as minor, thereby limiting the operators’ response. Past advisories from the FAA regarding disengagement of the fuel control switch lock were non-mandatory, and no service bulletin made the modification to the RAT shuttle valve mandatory.

8. Physical Evidence of Electrical Origin
The aft Enhanced Airborne Flight Recorder, located near the intact APU, was destroyed by clean-burning thermal exposure lacking soot, consistent with an electrical arc or metallic combustion rather than a fuel fire. Another hallmark of localized electrical damage was the failure of the Emergency Locator Transmitter to activate. ACARS fault codes logged at 13:38 IST showed both forward and aft avionics power buses down, with FADEC warnings indicating invalid airspeed data, a condition that could trigger protective fuel cutoff logic.

The AI171 sequence (core network degradation, BPCU instability, RAT deployment before engine shutdown, FADEC-triggered fuel cutoff without pilot input) shows how a single compromised electrical backbone of a “more-electric” aircraft can defeat multiple layers of redundancy. For aviation safety professionals and engineers, this underscores the need for transparent risk classification, hardware-level isolation in integrated architectures, and rigorous fleet-wide monitoring of electrical health data.

