Exclusive | Do Lion Air, Air India 171 crashes flag Boeing design flaw?
Part-I of investigative report looks at a potential design flaw in the Dreamliner’s Common Core System, a digital backbone that controls all major flight systems

This exclusive two-part investigative report by The Federal examines possible parallels between the crashes of Boeing 737 MAX 8 (Lion Air and Ethiopian Airlines) and the recent Air India 171 crash involving a Boeing 787 Dreamliner.
Part-I of the investigation focuses on a potential design flaw in the Dreamliner’s Common Core System (CCS), a digital backbone that controls all major systems. Like the earlier MCAS failure, the CCS may represent a single point of failure, as evidenced by the simultaneous loss of multiple subsystems in the Air India crash. Our conclusion suggests that the crash may have stemmed from systemic digital failure rather than pilot error. Read on.
Over six years ago, faulty sensors killed 346 people on board Lion Air Flight 610 and Ethiopian Airlines Flight 302 because of a design flaw in the Boeing 737.
What if we told you that there might be a similar design flaw in the Boeing 787 Dreamliner that crashed in Ahmedabad on June 12, killing 260 people? That it probably suffered a failure in its core network, a scenario that fits all the facts present in the Aircraft Accident Investigation Bureau’s (AAIB) preliminary report? And not just a design flaw, but the same smoking gun — a single-point-of-failure system?
So, what’s a core network? And what does a single-point-of-failure mean for a machine in the skies? Let’s try answering those questions by first looking at the Lion Air and Ethiopian Airlines tragedies.
Earlier tragedies
Sometime prior to 2015, Boeing inserted a software patch into its legacy 737 architecture — a design lineage dating back to the 1960s, which had been continuously upgraded rather than fully redesigned, in part to avoid triggering costly new pilot training requirements. That software patch was a flight control system known as MCAS, or Manoeuvring Characteristics Augmentation System.
In October 2018, nearly 190 people died in the Lion Air Flight 610 crash. The official investigation later found that MCAS repeatedly pushed the nose of the plane down based on faulty sensor data, and that Boeing had failed to properly disclose or train pilots on the system, contributing directly to the crash.
Why? Because MCAS relied on just one angle-of-attack sensor, a device that measures how sharply the plane’s nose is tilted compared to the air flowing around it. If that angle gets too steep, the wings can’t generate enough lift, and the plane can stall — meaning it may start losing altitude or control even if the engines are still running. The sensor’s job is to warn the system when the nose is pointed dangerously high.
Major design flaw
This was a major design flaw. In aviation, every safety-critical system is expected to have backups, be it sensors, control computers, or hydraulics, so that if one fails, another kicks in.
But MCAS had no such redundancy, no backup sensor or alternative input to cross-check whether the first one was giving accurate data. That single sensor was meant to counteract a “nose-up tendency,” the 737 MAX’s tendency to naturally tilt upwards during flight due to its larger, repositioned engines that altered the plane’s aerodynamic balance. So, when it failed, MCAS kept forcing the aircraft’s nose down, again and again.
The sensor is supposed to ensure that the aircraft stays aerodynamically balanced. If it senses the plane is pitching up dangerously, it activates MCAS to push the nose down to prevent a stall, but with only one sensor, a false reading can trigger dangerous corrections.
Tragic plunge
Despite Indian captain Bhavye Suneja's best efforts, the Lion Air plane ultimately plunged into the Java Sea. It had taken off from Jakarta on October 29, 2018, and crashed 13 minutes later. The pilots struggled with a runaway stabiliser trim, when the system kept trimming the aircraft nose-down, even though they weren’t asking for it. They were repeatedly overridden by MCAS, but were not told MCAS even existed. Boeing hadn’t documented it in the flight manual. All 189 people on board died.
This was soon followed by the tragedy of Ethiopian Airlines Flight 302, which crashed in March 2019 — killing another 157 people. The root cause? Same system. Same flaw. In total, 346 people died because of one vulnerable sensor.
When the world realised that MCAS had a single-point-of-failure design, where one small malfunction could cause a catastrophic failure because there was no backup, the alarm bells rang. Something that should never happen in a modern aircraft had been approved by the US Federal Aviation Administration (FAA).
A digital collapse?
Now imagine a different kind of catastrophe. Not one sensor failing, but potentially an entire system silently collapsing.
What if we told you the spine of Boeing’s fully-automated jet, the 787 Dreamliner, had a problem? And that spine was the aircraft’s core network, officially known as the Common Core System (CCS). The system that connects and controls everything: flight data, engine logic, cockpit displays, avionics, power distribution, satellite communication, and the black boxes. It’s the digital nervous system of the Dreamliner.
What if it failed? And 260 people paid the price?
According to the AAIB summary of AI-171 cockpit recordings, just after the engines lost power, one pilot questioned the shutdown of the fuel switch, and the other appeared to deny initiating it. That moment, unfolding in the seconds after both engines went dead, has since become central to the debate over whether this was truly pilot error, or the sign of something far more systemic.
One network to rule them all?
The crash of Air India 171, a Boeing 787-8 Dreamliner flying from Ahmedabad to London Gatwick, may represent the first fatal crash involving a fully automated Boeing jet, where pilot error or mechanical failure seems unlikely. And where the only remaining explanation, as per the AAIB’s own findings, is a sudden, systemic digital failure.
And at the centre of this digital collapse is what Boeing calls the CCS or, as the AAIB report more blandly describes it, the “core network.”
The same way Boeing’s 737 MAX MCAS relied on one sensor to rule them all, the 787 Dreamliner relies on one central nervous system to run them all. As Tolkien put it in the popular book The Lord of the Rings: “One ring to rule them all.” In this case, it is one network, and its failure may be the only theory that explains why so many subsystems failed simultaneously:
♦ The RAT (Ram Air Turbine) deployed midair, indicating loss of electrical power.
♦ The aft EAFR (flight data recorder) failed to capture any data.
♦ ACARS and SATCOM data (aircraft datalink systems) are omitted from the AAIB report.
♦ The ELT (emergency locator transmitter or crash beacon alerter) never activated.
In short: the backup power, flight data recording, automated messaging, satellite comms, and crash beacon, all failed at once.
Boeing built redundancies whereas Airbus firewalled
Fly-by-wire was pioneered by Airbus, which built the first fully electronic flight control system with firewalls. These are literal digital walls between its core systems. For the uninitiated, fly-by-wire replaces mechanical cables and pulleys with computers that convert pilot inputs into digital signals.
Airbus literature shows that it designed its systems in segmented domains, so if one domain collapses, the others stay alive. If the main flight computer fails, the backup systems for engines, wings, or tail can still function independently.
Boeing took a different approach. It built the 787 Dreamliner with a CCS, a unified digital brain that connects everything: flight controls, FADEC (engine logic), avionics, ACARS, SATCOM, ELT, power systems, and even the black boxes. Everything reports back to the same digital backbone. Does it mean, if that spine fails, the entire body can go limp?
Boeing maintains that the CCS is built with multiple layers of redundancy, including dual Common Computing Resource (CCR) cabinets, independent data buses, and partitioned software domains. In simple terms, that means using two separate processor hubs (the CCRs), isolating digital traffic on separate communication lines (the buses), and keeping flight-critical and non-critical software systems in sealed-off digital compartments.
FAA approval
The FAA approved the 787’s core network or CCS architecture during its type certification process, issuing special airworthiness conditions as early as January 2008 to account for the aircraft’s then-unprecedented use of integrated digital networks. At the time, the belief was that Boeing’s layered redundancies, including dual CCR cabinets, independent buses, and software partitioning, would be sufficient to prevent single-point failures.
But over the years, both cybersecurity researchers (like those at IOActive) and the FAA itself have flagged theoretical weaknesses.
In 2020, the FAA issued fresh guidance acknowledging that while the 787’s design is physically and logically redundant (i.e., it has backup hardware and software systems that are supposed to take over if the main ones fail), its deep integration of systems could still lead to common-mode failures, data corruption, or unpredictable interactions—vulnerabilities not fully addressed by legacy certification standards.
In simpler terms, even though the Dreamliner is built with multiple layers of backups—like twin computers or parallel wiring—the fact that many of these systems are interconnected and share data pathways means a single fault (like a corrupted sensor input or software glitch) could affect multiple systems at once. This is known as a common-mode failure.
Think of it like having two GPS apps on your phone to navigate. Seems redundant, but if both rely on the same faulty satellite data or a shared corrupted map update, they’ll both guide you the wrong way. That’s the kind of risk the FAA was pointing to with deeply integrated aircraft like the 787.
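The difference between one faulty sensor and a common-mode failure can be shown with a small model. This is an added illustration, not code from the original report or from Boeing; the thresholds, channel counts and function names are constructed assumptions and do not represent MCAS or CCS logic.

```python
from statistics import median

STALL_AOA_DEG = 15.0   # constructed threshold, not a real aircraft value
MAX_SPREAD_DEG = 5.0   # constructed tolerance for channel disagreement

def command(aoa_deg):
    """Decide the corrective action for one angle-of-attack value."""
    return "NOSE_DOWN" if aoa_deg > STALL_AOA_DEG else "NONE"

def sample(true_aoa, sensor_faults=None, shared_fault=None, n=3):
    """Build n channel readings.

    sensor_faults maps channel index -> bad value (independent fault).
    shared_fault replaces the value on a path every channel reads from
    (the common-mode case: redundant channels, one upstream source).
    """
    source = true_aoa if shared_fault is None else shared_fault
    readings = [source] * n
    for channel, bad_value in (sensor_faults or {}).items():
        readings[channel] = bad_value
    return readings

def single_channel(readings):
    """No cross-check: whatever channel 0 reports is acted on."""
    return command(readings[0])

def voted(readings):
    """Mid-value select with a disagreement monitor across channels."""
    mid = median(readings)
    outliers = [i for i, r in enumerate(readings)
                if abs(r - mid) > MAX_SPREAD_DEG]
    if len(readings) - len(outliers) < 2:
        return "INHIBIT", outliers      # too few agreeing channels to act
    return command(mid), outliers

def run_scenarios(true_aoa=4.0, bad=40.0):
    """Constructed case: level flight, with a fault reporting 40 degrees."""
    one_bad = sample(true_aoa, sensor_faults={0: bad})
    return {
        "single_sensor_fault": single_channel(one_bad),
        "triplex_sensor_fault": voted(one_bad),
        "duplex_sensor_fault": voted(sample(true_aoa, {0: bad}, n=2)),
        "triplex_shared_fault": voted(sample(true_aoa, shared_fault=bad)),
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The voter masks or flags an independent sensor fault, but when all three channels read the same corrupted upstream value they agree with each other and the wrong command goes through unflagged.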
Software vulnerabilities
The 2019 IOActive findings challenged Boeing’s entire premise of safe digital compartmentalisation. Researchers discovered software vulnerabilities that could allow one system to bleed into another, undermining the claim that critical and non-critical functions inside the CCS were truly segregated.
They also cautioned that Boeing's reliance on CCR cabinets, the aircraft’s central computing hubs, while modular and theoretically isolated, had not been rigorously tested on real, in-service aircraft.
In other words, Boeing’s redundancy may exist on paper. But the safety assumptions that rested on it hadn’t been battle-tested. Until Air India 171.
Aft-EAFR, another single-point-of-failure
But it wasn’t just the core network. Boeing also made the flight data architecture a single point of failure.
In most Airbus jets, there are two separate Electronic Aircraft Flight Recorders (EAFRs), popularly known as black boxes: one in the forward section (or nose) and one in the aft (or tail). Both come with independent battery backups. That redundancy ensures that if a fire or power failure hits one unit, the other can still record critical flight data and cockpit voice.
But on the 787, only the forward EAFR has a battery backup. The aft EAFR is dependent entirely on aircraft power. If that power goes out or the unit is damaged by heat, as it was in the Air India 171 crash, vital data is simply lost.
Boeing's opaqueness
Even more troubling is how opaque Boeing remains after such failures. Airbus, by contrast, routinely releases clear post-crash reconstructions of FADEC inputs, mode transitions, and thrust commands. Boeing is seen to often withhold or redact such data, citing proprietary software or legal concerns, making it harder for investigators and the public to understand what really went wrong inside the engines.
So, even if data loss had not happened with the aft EAFR, we might still be left with many missing pieces in the puzzle of AI 171.
Part 2: How did the machine fail? A chilling sequence of possibilities
The copy has been updated: We earlier erroneously stated that only aft-EAFR stores FADEC logic. But since then, it has come to our attention that both the AAIB report and Boeing literature support the fact that both EAFRs record the same flight parameters. We regret the error.
(Disclaimer: The AAIB has not yet released its final report on the AI-171 crash. All the technical scenarios presented here are based on preliminary information and remain hypotheses. Airlines routinely conduct both scheduled and precautionary checks, especially following major incidents. Sources emphasised to The Federal that such checks are standard procedure and do not, by themselves, indicate any confirmed fault in the system.)