The Peninsula Foundation

Author: Rachel Chitra

  • Part 2 – Air India 171’s Final Transmissions point to FADEC cutting Fuel, Leading to Crash

    Part 2 – Air India 171’s Final Transmissions point to FADEC cutting Fuel, Leading to Crash

    This article (part 2 and final) and part 1, published earlier, are part of the investigative analysis by journalist Rachel Chitra on the Air India-171 crash in Ahmedabad last June.  The analysis is tentative, based on information the journalist accessed. The tentative analysis and likely conclusions are entirely those of the author and do not reflect in any way the position or views of the TPF  –  TPF Editorial Team.

     

    In the previous part 1, we discussed how core network degradation likely caused the failure of multiple components. Like “the one ring to rule them all” in The Lord of the Rings, the core network is the one system that connects some 22 flight-critical and 28 flight-non-critical systems, and yet it was flagged only “medium risk” thanks to Boeing certification for the 787.

    Now we piece together the final pieces of the jigsaw puzzle — the ACARS fault codes, core network failure, and the FADEC misinterpretation that likely triggered TCMA fuel cutoff mid-air. The moment the airplane’s digital system killed itself.

    By Rachel Chitra

    The morning, everything went dark

    On June 12, when Air India flight AI-171 started rolling at 1:37:37 PM IST and lifted off from Ahmedabad, no one had any reason to suspect anything was wrong. Mothers were settling children into their seats, flight attendants Lamnunthem Singson and Nganthoi Kongbrailatpam had secured the galley latches, and two experienced pilots, Captain Sumeet Sabharwal and First Officer Clive Kunders, guided the Boeing 787 to the runway for what should have been a routine afternoon flight to London.

    But disaster struck shortly after liftoff at 1:38:39 PM IST.

    Three seconds into takeoff at 1:38:42 IST, AI 171’s systems were screaming… “247450002 597…252490002 597…252390002 597…,” as per data from two independent sources.

    Strings of fault codes. Indicating that major systems, including flight control computers, were going down, taking dozens of subsystems and a bunch of sensors in their wake.

    Systems failing faster than pilots could run a checklist

    Three seconds into takeoff, when the pilots were trying to make sense of what was happening, the “Master caution” light would’ve flashed in their faces; directly in front of them on the glareshield panel.

    On the flight, warning display or EICAS (engine indicating and crew alerting system) amber messages should’ve started queuing faster than any human eye could read.

    Messages like “ELEC SYS,” “BUS ISLN,” “GEN OFF BUS”, “RAT DEPLOYED”, “SPOILERS”, “STAB TRIM,”…and then the loss of flight critical data….“AIR DATA SYS”  “ALT DISAGREE,” “MACH DISAGREE,” “CAS DISAGREE,” “CABIN ALT AUTO,” “PACK,” “ZONE TEMP” “DATA COM” “BAT DISCH.”

    But they likely didn’t. Because the plane’s fault reporting system itself had faulted.

    A stroke mid-sky: the cockpit blackout

    Then whole sections of the cockpit display would have frozen on their last readings as the computing and power backbone feeding EICAS collapsed — a sudden, system-wide blackout, like a stroke cutting off blood flow in the brain.

    Cockpit lights would’ve flickered.

    And EICAS’s prophecy would’ve turned true in two seconds when the pilots heard a sickening sound…. the sound of the left engine spooling down; and before the plane could yaw with the asymmetric thrust…the right engine winding down as well. And in the eerie silence filling the cockpit, they wouldn’t have been able to hear the loud, rackety sound of the Ram Air Turbine (RAM) spinning in the air.

    Computers Rebooted, Went to Ground Mode in the Sky

    But the RAM, the only working generator at that point on the plane, housed roughly 23 metres away from the cockpit in the 56.7 metre long body of the 787-8, would need a few more seconds to start generating hydraulic power and even more time to supply electrical power to feed critical flight instruments.

    Capt Sumeet and First Officer Clive wouldn’t have known, but the Flight Control Computers (FCC) likely had gone into reboot.

    And while rebooting, the logic deep inside the computers would have silently flipped to its fail-safe “ground mode,” before it started up, analysed and flipped back to “air mode.”

    Yet in the face of the most bizarre and unprecedented of circumstances.

    Two men still did their duty.

    Captain Sumeet. The man who took over the aircraft. Started APU. Attempted relight.

    And First Officer Clive, who ably assisted him, who ran checklists. Called ATC, who declared “Mayday.”

    Engines Dead at 625 Feet — Pilots Still Fought to Bring the Jet Back

    At that point, dual engine failure at a height of only 625 feet above sea level (minus Ahmedabad airport elevation of 190 feet) leaves a very narrow margin for relit attempts to have worked, even if they could have.

    But both pilots did try, even as the brutal reality of their situation must have hit them like a speeding truck.

    The AAIB report says the auxiliary power unit (APU) inlet door had started opening 17 seconds (1:38:54 IST) before the crash. And if it was opening, it could’ve only been the action of the pilots; only they would’ve switched on the auxiliary power, said flight engineers across airlines. Reason being the plane’s auto start logic would’ve been inhibited given the electric arc and the nature of some of the faults underway, which we discussed in part 1 of the investigation.

    If the hand on APU start was pilot’s — Suicide theory falls flat on its face

    And it’s not just flight engineers, even pilots say the same. “If they were faced with blank screens….at that point more than a memory item from a checklist, the immediate concern of the pilots would’ve been to get the plane’s power back on, and they’d have certainly turned on the APU,” says Sam Thomas, president, Air Line Pilots Association (ALPA).

    Even though AAIB in its preliminary report seems to hint it was the system that triggered the APU with this line: “The APU Inlet Door began opening at about 1:38:54 IST, consistent with the APU Auto Start logic.”

    “But then if it turns out it was manual action; that the pilots were doing their best to save the plane, it doesn’t fit the whole pilot suicide theory, does it?” asks an Air India pilot.

    And here lies the crux of AI 171, where billions are at stake. If you could blame the pilots and not the plane; then more than 1,100 Dreamliners could continue to fly across the globe.

    When AI 171 spent more time on the runway than in air

    At 1:19:12 PM IST, AAIB reports that Air Traffic Control (ATC) queried if AI 171 required the full length of the runway. Pilot monitoring Captain Sumeet likely told ATC they needed the full length of Runway 23. Standard for a heavy, long-haul Dreamliner on a hot day.

    Sometime in that crucial minute between runway roll, takeoff and flight, at 1.38 PM IST, an ACARS code (163600003) shows that there seems to have been a problem with the left and right thrust reversers and their locking sensors, which are the devices that tell the jet’s engine computer FADEC whether the engine’s rear doors are properly sealed for forward thrust.

    AI 171’s 62-second roll: when the engine chose safety over speed

    If the thrust reverser doors aren’t fully sealed, hot exhaust air could leak forward into the engine’s intake, disrupting smooth airflow and causing the engine to lose power or stall. So, to ward against that, FADEC will limit thrust.

    Possibly a reason why AI 171 spent more time on the runway than in air. “It took 62 seconds on the runway. A clean takeoff roll should take only 40-42 seconds,” says Capt Amit Singh, the petitioner in the Air India case in the Supreme Court, and a commercial airline pilot.

    The difference isn’t trivial: it points to an airplane struggling to reach take-off speed.

    Acceleration on ground vs in air

    And this becomes clearer when one looks at the acceleration data. Aviation Herald editor and electronics engineer Simon Hradecky said, “The AAIB report states that between 08:08:35-42 UTC (1:38:35-42 PM IST) the aircraft accelerated from 155 to 180 knots IAS. That’s an acceleration of almost 4 knots a second in air versus acceleration of 2.6 knots a second on the ground.”

    Normally, as the plane’s nose begins rising at about 3° per second, lift increases, drag rises sharply, and the aircraft naturally stops accelerating the way it did on the runway. But AI 171 did the opposite. It shot up. Hradecky adds, “the aircraft will still accelerate at takeoff…however, at a much slower pace…in about the range of acceleration on the ground. Certainly not at nearly 4 knots a second.”

    Explaining further, he says, once the aircraft begins rotating at about 3° per second, induced drag should rise quickly, even while the aircraft is still on the ground. As the nose comes up and the lift vector tilts further backwards, that induced drag begins to grow and can exceed the drag the tyres were producing. At the same time, as the wings generate more lift, weight is progressively removed from the tyres, so tyre drag falls away until it becomes zero at unstick. But this reduction in tyre drag is replaced by increasing induced drag as lift builds.

    He adds that there is another reason acceleration should slow after liftoff. As the aircraft accelerates vertically into the climb, it needs more lift than just enough to balance its weight. A G-load of +1G would merely hold vertical speed constant; to increase climb rate, the aircraft needs more than that. But as lift increases, induced drag rises too, further limiting acceleration until the aircraft settles into a stable climb.

    So while an aircraft does continue to accelerate after becoming airborne, Hradecky says that under normal conditions, this is usually only at around one knot per second, so long as the pitch remains reasonably below the climb angle and the aircraft is still rotating at about 3 degrees per second. Only once the aircraft reaches that climb angle does airspeed stop increasing, with thrust and drag coming into balance.

    That is why, Hradecky says, an acceleration of 4 knots per second once airborne, especially sustained over seven seconds from 155 to 180 knots IAS, is unrealistic in normal operations. In his view, it indicates that almost immediately after liftoff, the crew were already dealing with an abnormal situation, and the pitch did not increase as per SOP; instead, the pitch angle was unusually low. This, he says, is also supported by the CCTV video, which appears to show a small pitch-down within a second after becoming airborne, after which the pitch does not increase again. Without being able to measure the pitch angle precisely from the CCTV footage, and with no such data published in the preliminary report, Hradecky estimates the aircraft may have been at around 9 degrees of pitch rather than the roughly 15 degrees that would be more normal.

    The aircraft accelerating faster after getting airborne than it did across the length of the runway is a telltale fingerprint of something holding the jet back; something like maybe the reversers (ACARS code 163600003), say, pilots and engineers. The AAIB report mentions the physical position of the reverser levers, “that they were bent but in the stowed position.” But AAIB doesn’t mention its digital position recorded in the black box or enhanced airborne flight recorders (EAFR).

    Seconds after liftoff, AI 171’s power grid collapse

    The aircraft lifted off at 1:38:39 PM IST, as per AAIB. With multiple electrical faults already unfolding, power transients were almost inevitable.

    Reverse-engineering the fault sequence, engineers say it’s likely the trigger for RAT deployment happened one second after liftoff at 1:38:40 PM IST. And RAT deployed two seconds later at 1:38:42 PM IST.

    In part 1, we discussed how a high-voltage inverter could’ve arced and struck the forward and aft avionics bays (ACARS codes 247450002, 252490002, 252390002, 247460002). Now, this would likely have resulted in a power loss and a reboot of all three flight control computers (FCCs) by 1:38:43 PM IST, four seconds into takeoff. And the possibility of all three flight control computers rebooting mid-air, the FAA warned about as early as 2016, as per a Seattle Times report. To ward off against the eventuality, the FAA recommends a 21-day power cycle. Air India did not respond to whether such a 21-day power cycle was performed by the airline’s maintenance staff or the maintenance arm, Air India Engineering Services Ltd (AIESL).

    A jet in the sky — with systems flipped to “on ground”

    So that second 1:38:43 PM IST, when all three flight control computers rebooted, nearly every flight parameter on the plane — Weight-on-Wheels, thrust reversers, flaps, spoilers, landing gear, stabiliser trim — would’ve gone to their fail-safe mode, which would be “on ground.” And a second or two later, the rebooted flight computers would’ve analysed data, realised the true position and gone back to “in air” mode.

    “Air-ground logic is based on several parameters, so not only WoW.  For example, thrust reversers and ground spoilers may only work when WoW is TRUE “on ground”, radio altitude is below a certain altitude, and wheel speed is not zero,” says Joe Jacobsen, a former aerospace engineer with Boeing and deputy director with Foundation for Aviation Safety. He adds, “The details differ for different aircraft models.”

    And now let’s see how that power loss and subsequent flight computer reboot would’ve affected each component on board. Let’s start with the landing gears.

    FO Cliver raised gear, power cut likely stopped it halfway

    If First Officer Clive had commanded gear “UP” at 1:38:42 PM IST, the gear would’ve started retracting, and then milliseconds into the command, it would’ve stopped had the plane faced a major power disruption. Given that the plane was already reporting operational errors in the hydraulic right pump (HYDIF Right) 15 minutes before takeoff at 1:23 IST. And the left hydraulic pump’s primary electrical path was R2, which would put it directly in the line of fire when the high-voltage inverter of the CMSC R2 line arced, as we discussed in part 1.

    Possible sequence of events:

    • The AAIB report notes that the landing gear lever was found in the “DOWN” position, but this refers to its physical state post-crash and post-fire. Not the blackbox or EAFR recording.
    • If three seconds into takeoff, First Officer Clive commanded the gear “UP,” EAFR will record the command.
    • And if three seconds into takeoff, there was a power disruption, EAFR will also record its after-effects. And the gear retraction stopping halfway.

    With logic flipped to ground: spoilers can deploy, reversers can arm

     At the fourth second into takeoff at 1:38:43 PM IST, if the flight control computers had rebooted its logic would’ve flipped to fail-safe mode, which is “on ground.”

    Now, if the systems think the plane is landing (“on ground”), the flat panels on the top surface of an aircraft’s wings, called the spoilers, will auto deploy. The intention is to create drag and disrupt the airflow so that the aircraft slows down safely and stays on the runway.

    In the air, spoilers are inhibited from deploying, as doing so would break the smooth airflow around the wings and cause the plane to stall. But on AI 171, spoilers likely auto-deployed because the flight computers rebooted and, for a second, went into “ground” mode.

    The Reverser–Spoiler Double Blow

    Remember the thrust reverser faults (1636000030) we discussed earlier that could have resulted in FADEC limiting thrust on the runway? Well, if the flight computers go from “in air” to “on ground,” then thrust reversers would go from “stowed” to “idle reverse.” At takeoff, engines direct airflow backwards to propel the aircraft forward. But if the thrust reversers were in “idle reverse”, they would redirect airflow in the opposite direction, providing a gentle braking effect, like when the plane needs to land and slow down on the runway.

    If both the spoilers and thrust reversers were deployed mid-air, even briefly, the aircraft would have faced an immediate loss of lift and forward thrust — a double blow that could stall the jet within seconds of take-off.

    The AAIB report says, “The reverser levers were bent but were in the ‘stowed’ position.” Engineers say this must be taken as proof of pilot integrity as their intentions, at least — going by AAIB’s photographs and words — were clearly for the reversers to stay “stowed.” They also note that the AAIB reports refer to the physical position of the reverser levers, not their digital position, as captured by the black box or EAFR.

     AAIB quotes EAFR—just not for the “on ground”-logic-systems

    Engineers say it must be noted that when the data supports a neutral interpretation, like with flap angle, airspeed, AAIB quotes the black box or EAFR. When the data would clarify whether the aircraft entered ground-mode before impact—nose pitch, landing gear, reverser levers, TO/GA, autothrottle—the report relies on describing their physical positions post-crash. “The digital capture for the very systems that determine ‘air’ versus ‘ground,’ for whether there was a stall, for whether the fly-by-wire automated jet went into manual mode — are all conspicuously absent,” says an engineer.

    The AAIB report also omits many crucial timestamps, such as when the first fuel cut-off occurred, when the relight attempts began, and when the engine fan speed reached idle. Timings that crucially can shed light on the behaviour of the engine computers or FADECs, more than AAIB’s words, which are vague.

    AAIB report on FADEC behaviour on AI 171

    “When fuel control switches are moved from CUTOFF to RUN while the aircraft is in flight, each engine’s full authority dual engine control (FADEC) automatically manages a relight and thrust recovery sequence of ignition and fuel introduction,” says the AAIB.

    FADEC is the plane’s full authority digital engine control. But AAIB refers to it as “full authority dual engine control” on page 15 of its report. Lawyers say this mistake — saying “dual” for “digital” and other wordings — in a sentence talking about how FADEC managed a “relight and thrust recovery sequence” could give AAIB “plausible deniability” if tomorrow it came to light that FADEC’s behaviour was different on AI 171.

    In that paragraph, the report describes events such as fuel switches moving back to “RUN” and the APU inlet door opening, with precise timestamps from EAFR. And then…” it does sound as if the AAIB report is referencing how the FADEC procedure should work rather than explaining exactly what did happen on 171…underscoring the need for an independent evaluation of the actual FDR and any ACARS data to understand what was actually occurring with the automated systems,” says US attorney Michael Andrews, who is representing the families of the victims from the AI 171 crash.

    When automation can pull the plug

    So what did the engine computer FADEC really do on that plane? According to Boeing training manuals, if the plane switches to “on ground” logic in the air, the engine computers’ FADEC can initiate a fuel cutoff. If the conditions for something obtuse, called TCMA or thrust control malfunction accommodation, were met.

    What is this TCMA? And why did Boeing design it?

    Few phases of flight are as critical as takeoff, when both engines are at full power, and the aircraft is still on the ground. In this phase, there’s almost no time or room to correct an error before the plane hits the aircraft perimeter wall, nearby buildings, or other planes.

    TCMA: FADEC’s Watchdog

    To prevent accidents on the ground, Boeing and its subcontractors GE Aerospace and Safran designed TCMA — a protection circuit and software logic — for FADEC to prevent dangerous thrust.

    When it comes to the question of how much engine power to command, passengers would be surprised to learn it isn’t the pilots but FADEC that calls the shots. Engine computer FADEC continuously compares the pilot’s commanded thrust with the engine’s actual output and calculates whether the thrust is accelerating or decelerating as expected. If the system detects that the thrust is inconsistent with the commands, the FADEC interprets this as a thrust control malfunction. In that case, it automatically shuts off fuel to the engine.

    1:38:44 PM IST: Second AI 171 Likely Entered TCMA Kill Zone

    As per TCMA patent documents and Boeing literature, for a TCMA event, all of the following conditions must be true:

    • Airplane is on the ground
    • Airspeed is less than 200 knots
    • Altitude is less than 17,500 feet
    • Selected N1 (engine fan speed) is more than the TCMA threshold

    And in AI 171’s case, at 1:38:44 PM IST, four of these conditions were likely met.

    • Airplane is on the ground = Flight computers rebooted, logic went to “on ground”
    • Airspeed is less than 200 knots
    • Altitude is less than 17,500 feet = maximum altitude reached was around 435 feet, going by ADS-B transponder data minus Ahmedabad airport elevation
    • Selected engine fan speed (N1) is more than the threshold = possible given the takeoff thrust

    So how did FADEC see TCMA engine’s actual fan speed (N1) as incompatible with the commanded takeoff thrust? Why did it sense danger?

    On data recorded in the black box, AAIB says, “EAFR data revealed that the thrust levers remained forward (takeoff thrust) until the impact.”

    AAIB’s statement is actually proof of pilots’ integrity, say engineers, “as it shows pilots’ intention – that they kept the thrust in forward from takeoff to crash.” Engineers also say AAIB’s statement that throttles were in “forward”, along with GE documents, can point to a different story.

    Inside the Boolean Gating Trap: FADEC’s Blind Spot

    Older GE engines had a logic condition (Boolean gating) of “AND.” Meaning throttles “AND” thrust reversers have to be in “idle” for TCMA activation. But pilots found that inconvenient, as for certain ground manoeuvres during taxiing and initial rollouts, they keep the thrust levers in forward and the reverser levers in idle.

    So, for newer GEnx engines developed by GE Aerospace in partnership with Safran, the logic condition was changed from “AND” to “OR,” according to sources at GE and Air India. Meaning either throttle “OR” thrust reversers can be in “idle” for TCMA to activate if FADEC feels thrust is not proportional to airspeed.

    And on AI 171, we do know that there was both a thrust reverser fault (163600003) and flight control computers likely rebooted; and thrust reverser status could’ve gone to fail-safe mode of “idle reverse.”

    So then AI 171 had throttles in forward and thrust reversers, likely in “idle reverse”, so some TCMA conditions were met. But TCMA would also require engine speed (N1) to be disproportionate to airspeed data. So what was happening on AI 171 that caused FADEC to believe the engine thrust was dangerously high?

    Airspeed data failure on AI 171

    The whole series of ACARS codes accessed and sent to Boeing was topped off with “EM12R0.” EM12R0 indicates a disagreement in airspeed data. Now, on an average day with 1,100 Dreamliners in the sky, nearly 80-100 Dreamliners can fly with this code with no harm, as it just indicates one of the channels for air speed calculation disagreed with another. But on AI 171, it could’ve proved disastrous given some of the other failures underway.

    EM12R0 indicates engine monitoring (EM) on channel 12; i.e., the total air temperature (TAT) probe fell to zero (R=0), meaning its inputs were no longer considered valid. This brings us then to the question of whether FADEC got calibrated airspeed (CAS) on AI 171? Was a failure to get CAS the reason for the whole series of failures, topped off by “EM12R0”?

    True airspeed: Lion Air 610 crash investigation vs AAIB report

    In crash investigations such as Air France 447 and Lion Air 610, authorities published the IAS (indicated airspeed), CAS (calibrated airspeed), and TAS (true airspeed). In contrast, the AAIB report in every reference to airspeed only mentions IAS: “take-off decision speed V1 153 kts IAS…maximum recorded airspeed of 180 Knots IAS.”

    Now, one mystery in AAIB’s discussion of indicated airspeed (IAS) is: what was the engine computer FADEC getting? Because FADEC does not accept a raw value like IAS. It only accepts calculated values like CAS and Mach, which represent the aircraft’s speed relative to sound. While IAS requires only pitot tubes to be operational, calculated values like CAS and Mach require additional components, such as the total air temperature probe (TAT), to be operational as well.

    Now, before roll, the engine computer FADEC needs valid feeds, including calibrated airspeed (CAS), to set thrust. So at 1:37:35 PM IST — two seconds before roll — FADEC has to have a valid CAS from the flight computers via the core network for it to set thrust.

    At this point, the system is not dependent on the TAT probes, but on an inlet cabin temperature probe. This is because the external TAT probe is an aspirated probe, meaning it needs airflow – the plane doesn’t start using it till it crosses 50 knots.

    Frozen Airspeed: FADEC voting logic, the pathway to TCMA Activation

    At about 1:37:56 UTC, the aircraft crossed 50 knots. And that’s when AI 171 must have switched to using its external TAT probe.

    FADEC in normal mode will not accept a single feed for airspeed data, in case it’s false or invalid. FADEC will use voting logic for airspeed data. It will vote on multiple feeds and accept only if two or more readings are consistent.

    FADEC takes calibrated airspeed (CAS) data from multiple feeds (internal T12 TAT probe + FCM L + FCM R + FCM C). Only if two or more feeds are consistent will it accept their value. If not, then FADEC will latch onto “last known good value.”

    So, for calibrated airspeed (CAS), FADEC might have latched on to “last known good value” of around 176 knots at 1:38:41 PM IST, or 50 knots at 1:37:56 PM IST. With the first timestamp being, if we assume flight computers lost TAT readings only after a power disruption caused by an electric arc. And the second timestamp, if we assume flight computers lost TAT readings at the handover point on roll, when the system stopped using the cabin probe and switched to external TAT once the plane crossed 50 knots.

    Triple Redundancy on Paper—TAT A Single-Point Failure in Reality

    Now the normal assumption would be that each flight computer has its own TAT probe, so that each of the three flight computers has its own data source, i.e., three TAT probes. The 787 has three pitot tubes and two angle-of-attack sensors.

    But in reality, the 787 has mapped all its three flight computers to the same single external TAT probe. So even though the 787 looks like it has triple redundancy for airspeed data on paper. In reality, each FADEC obtains its airspeed data from its own internal TAT and the three flight computers (FCM L, FCM R, and FCM C).

    But if all three flight computers reboot at the same time or the TAT probe failed earlier, FADEC will latch onto the last known good calibrated airspeed (CAS) value, which could have been 176 knots or 50 knots. When FADEC’s own internal TAT probe (T12) showed the correct reading of the plane as it accelerated to 187–191 knots IAS at 1:38:43 PM IST, four seconds after liftoff, FADEC will assume its own probe is wrong, generating the ACARS error code “EM12R0.”

    A likely catastrophic logic error by FADEC, leading to the death of 260 people.

    The last few seconds on AI 171

    No altitude. No thrust. No starter power. Capt Sumeet would’ve sensed this reality as early as the 15-16th second into liftoff.

    As he was toggling the fuel switches back to RUN for a relight attempt, he’d have known the truth. The plane couldn’t be saved.

    But he and First Officer Kunders still did their best.

    Capt Sumeet attempted a relight. Started the APU.

    First Officer Clive communicated with ATC. Called out “MAYDAY MAYDAY MAYDAY” at 1:39:05 PM IST.

    The pilots likely never even received the “Pull up, Pull up” terrain warnings.

    Against the deafening silence of blacked-out systems, the only sounds Capt Sumeet and First Officer Clive would’ve heard were passenger screams and ATC’s responses — as the ground closed in on them.

    (Disclaimer: The AAIB has not yet released its final report on the AI-171 crash. All the technical scenarios presented here are based on preliminary information and evidence submitted to India’s Parliament and Supreme Court, and remain hypotheses. Also, the ACARS codes mentioned in the story are not a direct map to maintenance faults listed in Boeing’s Fault Isolation Manual, since maintenance faults are 7-8-digit strings. The 9-digit ACARS string is only partially recognisable to engineers as it is Boeing’s proprietary code. For this story on conditions of anonymity, we have spoken to pilots plus flight and design engineers for airlines and Boeing in India, Europe and the US; and for details on actuators, sensors, structural engineering, logic paths to IT, mechanical, electrical and electronics engineers from India who are Boeing subcontractors)

     

    Feature Image: www.livelaw.in

     

  • Part 1 – Air India 171 Crash: NO-GO Fault & Electric Arc

    Part 1 – Air India 171 Crash: NO-GO Fault & Electric Arc

    Air India crash: How AI 171 had NO-GO faults and still flew; leading to electrical cascade, systems failure

    There is exclusive evidence that Air India 171 reported multiple NO-GO faults 15 minutes before takeoff and was still allowed to fly. Faults that likely resulted in an electric arc on the plane; as a high voltage inverter reached its thermal and dielectric limit, frying the emergency beacon, tail blackbox and knocking out the flight computers and avionics rack – a situation that ultimately could’ve led to engine computer FADEC getting corrupted data and cutting off fuel mid-air.

     

    AI 171 was one of the shortest flights in aviation history. 32 seconds in total. From takeoff to crash.

    A deadly tragedy that claimed the lives of 260. While everyone is familiar with the names of the pilots – Capt Sumeet Sabharwal and First Officer Cliver Kunders. On duty that afternoon of June 12, 2025, were also Air India 171 crew members like Shradha Dhavan, Aparna Mahadik, Saineeta Chakravarty, Nganthoi Sharma Kongbrailatpam, Deepak Pathak, Maithili Patil, Irfan Shaikh, Lamnunthem Singson, Roshni Rajendra Songhare and Manisha Thapa. Their names — representative of the ethnic diversity and cultural richness of India; just as much as the passenger list represented the broader global connect on that fateful day.

    All of them boarded the flight, unaware that AI 171’s systems had likely begun unraveling. Months, days earlier. Deep beneath their feet; inside the aircraft’s labyrinth of wires and power buses.

    The first domino: a failing core network

    On June 9, 2025, maintenance staff logged that the plane’s core network was degrading, as per the Aircraft Accident Investigation Bureau (AAIB) preliminary report. But because Boeing in its operations notes to airlines minimised the damage an inoperative core network could do; maintenance marked the core network as medium-risk (can be fixed in 10 days). And this core network connected about 22 flight critical systems, including FADEC; apart from 28 other more mundane functionalities like the plane’s air conditioning. And later in this article, we’ll show how this was the more important fault and how it connects to all the other failures that followed.

    But prior to core network degradation, the plane was already reporting cabin and cargo related faults in the weeks prior to the crash, as per the AAIB report. Engineers say this points to an intermittent electrical integrity fault affecting the common core cabinets and network interfaces — i.e., the shared platform that hosts cabin and cargo functions and flight critical systems. Now this could be because of electrical fault in the power conditioning module (PCM) — essentially the core cabinet’s internal power supply — which provides regulated electrical power to the aircraft’s network hardware, including the the data traffic router or ARINC 664 Cabinet Switch (ACS) and the the copper-to-fibre signal converter Fibre Optic Translator (FOX).

    And it’s first victim was the common data network (CDN) or core network on June 9 (marked “medium-risk” or CAT C MEL), followed by a fire inerter, a stabilizer motor trim unit and then all three of the plane’s flight control modules by crash day.

    Now let’s take a closer look at the second domino in the chain of failures. On June 10, the plane’s fire inerter or nitrogen generation system (NGS) — which prevents fires in the fuel tanks by depleting oxygen and replacing it with nitrogen — faulted. It was marked as “high risk” (CAT A MEL) and was likely physically inhibited by maintenance.

    (Credit: Federal published content)

    In technical terms, the AAIB report notes that the core network got marked a CAT C MEL or “medium-risk,” while the fire inerter got a CAT A MEL or “high-risk.” MELs or minimum equipment lists are the faults with which a plane is allowed to fly, provided it fixes these issues within a specified number of days. And on the day of the crash, Air India had 7 more days to fix the core network issue (till June 19, 2025) and 8 more days to fix the fire inerter issue, as per the AAIB report.

    But the issues kept piling up and then there was a third domino. On June 12, the day of the crash, the stabilizer motor unit and sensors faulted and had to be replaced on the previous morning flight (AI 423 Delhi to Ahmedabad), as per reports.

    D-Day: A jet in fault mode, a cockpit left blind

    The plane’s condition kept deteriorating.

    On June 12, 2025, the day of the crash, 15 minutes before takeoff; at 1.23 PM IST, the aircraft’s ACARS logs started streaming… “BPCU OPS…FCM OPS…CMCF OPS…GPM OPS….HYDIF OPS….”

    “OPS” in Boeing maintenance parlance is “Operations” — shorthand for a detected operational fault. And AI 171 didn’t have one, but multiple operational faults, according to data shared by two independent sources. Malfunctions serious enough to disrupt electrical power stability and data flow across the length and breadth of the 120-tonne carbon-fiber leviathan.

    (Graphic by Capt Amit Singh)

    A NO-GO plane that still flew

    And not just operational faults, but NO-GO items as well. Regulations don’t permit planes to fly with faults as severe as these. So how did AI 171 still fly with no one being the wiser?

    Rewind to three days earlier, on June 9, when the jet’s core network was marked an active fault. This core network once it starts degrading can also impact the function of the systems that report faults — the Aircraft Condition Monitoring Function (ACMF), the Central Maintenance Computing Function (CMCF), and even the pilots’ Electronic Flight Bags (EFBs).

    Boeing’s internal note itself mentions this possibility, saying, “an inoperative core network could impair the ACARS transmission of faults to the cockpit tablets or EFBs.”

    By June 12, the day of the crash, the timing of the failures had turned vicious. The NO-GO faults were occurring at the exact moment the systems responsible for reporting NO-GO faults were themselves failing. The fault-reporting chain went dark.

    So when maintenance signed off on the jet at 12:10 PM IST and when the pilots performed their checks at 1:23 PM IST — the critical faults or NO-GO items simply never appeared.

    So maintenance didn’t know. Pilots didn’t know. But Boeing would’ve known. And so would Air India.

    The ACARS ring that bound them all: Boeing, Air India, SITA, Inmarsat

    As the plane kept sending out warnings — upstream, Boeing and Air India were seeing everything. Like Sauron’s unblinking eye, they were receiving a ring of real-time data from the aircraft’s digital datalink, ACARS.

    That ring formed a tight closed loop: carried by Air India’s sub-contractor SITA, relayed over satellite provider Inmarsat, and delivered to Air India’s operations centre in Gurugram and Boeing’s data monitoring hub in Belleville, Illinois, US.

    At 1:23 PM IST, that ring flashed three sets of NO-GO warnings. ACARS told everyone in the loop that AI 171’s left and right bus power control units (BPCUs), the computers that act as traffic controllers for electrical power, had entered fault mode, unable to keep the left and right 115-volt AC buses in sync. Meaning the airplane’s two main power highways were falling out of phase, a condition that can cause surges, flickers, or even short-circuits across systems.

    The domino effect: Flight computers, processors fall one by one

    Next, all three flight control modules (FCMs) left, right and centre began reporting operational errors. These are the units at the heart of the 787’s fly-by-wire system. They take instructions from the flight computers and translate pilot inputs into precise movements of the stabilizer, ailerons, and spoilers.

    And it doesn’t stop there. Two general processor modules (GPMs) also faulted. These were the 787’s backstage processors; running key software, performing calculations that feed flight management and crew alerting and the nerve-centre for fault detection and reporting.

    Taken together — the out-of-phase power buses, failing flight control modules, and glitching GPMs — AI 171 wasn’t dealing with a single fault but a system-wide degradation. As pilot Rajneesh S puts it, “Aviation outcomes emerge from complex, tightly coupled systems… failures rarely stem from a single decision or individual lapse.”

    And yet, the plane was cleared for takeoff at 1:25:15 PM IST.

    The plane’s pilots — Capt Sumeet Sabharwal and First Officer Clive Kunders, unaware of what was happening inside, guided the plane to the runway. Started roll and lifted-off at 1:38:39 PM IST.

    A surge, an arc, a cascade of collapse

    Now, takeoff is always the most electrically demanding phase of flight — all four power channels, bus control units, and hydraulic pumps draw maximum load as the plane transitions from ground to airborne mode.

    For AI 171, that surge became catastrophic. And core network degradation could’ve caused an electric arc. Now we’ll show you how AI 171’s systems could’ve arced by tracing the failure chain back to what happened on the previous flight of VT-ANB.

    “Gremlins” in VT-ANB; blank screens to blackout

     

    A few hours before the crash, passenger Akash Vatsa — seated aboard the same aircraft VT-ANB on its previous flight (AI 423) from Delhi to Ahmedabad— recorded a short video complaining that the air-conditioning and in-flight entertainment weren’t working, and that even the crew call buttons were dead. Post-crash when he posted the video, viewers mocked him —  calling him a fussy traveller who didn’t understand aircraft systems. But Akash was perhaps unknowingly documenting the first public evidence of a deep electrical failure spreading through VT-ANB’s core.

    Trolled for it; but 787’s Architecture vindicated Akash

    “I was badly trolled, people said I was just doing it to gain publicity; linking the inflight entertainment with air conditioning makes no sense and neither it has anything to do with the crash…I was told a non-working AC and inflight entertainment is very common in Air India,” Akash Vatsa told this reporter.

    But turns out Akash was right. On the 787, the in-flight entertainment, cabin climate control, and crew communication panels are not isolated luxuries; they share both power and data on the aircraft’s core network. The same core network that connects 22 flight critical systems including the pathways to engine computer FADEC.

    So in a scenario that resembles Lewis Caroll’s Alice in Wonderland, engineers say Boeing has created its own electrical hard-to-believe architecture, where the air conditioning, a non-flight critical system, sits ensconced on a network with other flight critical systems.

    And one of the cabin air conditioning’s compressors was sharing the same power source — a high voltage inverter, managed by a common motor system controller (CMSC R2) on the R2 line — as the fire inerter (NGS), marked “high-risk” two days earlier. The same R2 line which on the same flight also saw its right horizontal stabilizer electric motor control unit (EMCU) and stabilizer sensors fail during the descent phase, before landing.

    R2: The Rogue Power Lane

    So when the cabin air conditioning’s cabin air compressor (CAC) is in a bad power domain experiencing power surges and voltage spikes  — it can result in fluctuating air conditioning as Akash and other passengers on Flight 423 (VT-ANB) experienced.

    Below is the power path mapping from the right engine’s variable frequency starter generator (VFSG) to the high-voltage drive used by the fire inerter (NGS) and the right compressor (CAC); and to the power conversion system (PCS) to the right stabilizer motor (EMCU) and sensors.

    Power paths:

    R2 235 V AC main bus → ATRU R2 → ±270 V HVDC → CMSC R2  → NGS/ CAC-R2 / Hyd L EMP

    L2/R2 235 V AC main bus  → PCS (115 V/±130 V/28 V) → right stabilizer EMCU (115 V/±130 V) → right stabilizer sensors (28 V)

    This shows the cluster of failing components — be it the fire inerter (NGS), stabilizer motor (EMCU) or the air-conditioning compressor (CAC) — were all on the R2 line.

    Line 26: Legacy of the “Terrible Teens”

    The problems faced by Air India’s Dreamliner AT-VNB have their origin in the ‘Terrible Teens,’ say experts. In aviation parlance, the “Terrible Teens” refers to a cluster of early-build 787s that came off the assembly line with serious manufacturing defects, requiring heavy rework; becoming notorious inside the industry for persistent quality problems.

    “You see VT ANB (AI 171) was only the twenty sixth 787 built (line #26) , and back then the 787 factory in Everett, Washington was known to be having a lot of manufacturing quality issues,” Ed Pierson told the reporter.

    He said one area of particular concern was the aircraft’s electrical wiring interconnect system (EWIS). “Over the years, we’ve seen some very dangerous EWIS practices across multiple Boeing programs — not just the 737, but the 787 as well. Fatigued employees, skipped installation plans, poor electrical bonding and grounding, improperly installed wire bundles, unqualified staff performing electrical work, rushed functional systems testing, and the removal of long-standing quality inspections— all of this can create latent defects in a variety of aircraft systems that can be extremely difficult to troubleshoot,” said Pierson. He adds, “These flaws often produce those frustrating ‘No Fault Found’ or ‘Could Not Duplicate’ maintenance reports. In the military, we used to call them gremlins.”

    Was Fire inerter a victim to power transients?

    And if we rewind a little here, we can see how the first gremlin may have been the fire inerter. Remember how two days before the crash on June 10, maintenance engineers had marked the fire inerter (NGS) a high-risk fault?

    Well this fire inerter (NGS) is designed to prevent explosions by flooding the 787’s fuel tanks with nitrogen-enriched air and depleting its flammable vapour i.e. “live” oxygen. To feed that flow, the NGS uses a compressor and a high-voltage inverter, controlled by a common motor system controller (CMSC R2). And this high-voltage power line (CMSC R2 ±270 V) also feeds a cabin air compressor (CAC) and hydraulic electric motor pump (L) in the aft power distribution bay. The same compressor (CAC) whose faults were visible to the passengers above when the air-conditioning fluctuated on the previous flight (AI 423).

    Where cooling failure becomes combustion risk

    Now comes the most inconspicuous but dark horse fault of all on the crash flight. In the tail section there is an aft zonal dryer, a small unit that removes moisture from the ventilation air around the fire inerter (NGS), compressor and its cooling ducts.

    On AI 171, this started showing abnormal readings at 1.23 PM IST, 15 minutes before takeoff, as per data from two independent sources.

    This would lead to moisture building in the aft bay; a sharp rise in humidity as the dryer isn’t removing water vapor. Condensation risk increases as droplets can form on wiring, high voltage inverters, raising the risk of short circuits or even an arc. And the cooling efficiency also drops as the moisture load would make the environmental control system (ECS) work harder and reduce heat removal margin from electronics.

    Water turns fire: How aft-bay moisture caused electrical failure

    Given what Ed Pierson and other whistleblowers have said about Boeing’s practises and improper bonding of the electric wiring interconnected system (EWIS) — a latent EWIS defect could also play in.

    So 15 minutes before takeoff and 2 minutes before taxi clearance, it’s possible the AI 171’s aft high voltage system was in an unstable state. With cooling faltering, heat building up, moisture settling in and the twin power buses (BPCUs) slipping out of phase, the airplane’s systems were likely reaching their tipping point.

    Zonal dryer turns tail into heat zone: The first ripple in AI 171’s core

    And then they seemed to have tipped over. As per data from the sources the “aft zonal dryer” anomaly seen at 1:23 PM IST likely escalated into a full-blown failure after takeoff at 13:38:39 IST.

    Flight logs accessed show an ACARS message (167280002) shows that there was a failure on the aft zonal dryer’s control feedback path in the integrated cooling system (ICS) that connects to the aircraft’s core data network. Or in other words the moisture-removal or dehumidification loop in the tail section likely failed.

    High voltage inverter drives turns metal-melting arc source

    When the aft zonal dryer fails, humidity rises and the insulation margin inside the high-voltage inverter, controlled by CMSC R2, drops sharply. If the BPCUs are also faulting, power quality can swing violently and protection may not isolate the inverter when it should. At the same time, a degraded core network can delay or corrupt trip commands, keeping the inverter energised even as its insulation environment is collapsing. And loads such as cabin air compressors for the air conditioning would likely put more stress on the inverter precisely as the insulation environment was most vulnerable.

    Under these stacked conditions, the high voltage inverter would possibly become increasingly vulnerable. As the heat builds up it is likely the inverter reached its thermal and dielectric threshold limits — meaning its cooling and insulation could no longer contain the voltage.

    “When that happens the inverter will discharge through nearby wiring harnesses a sustained electrical arc, a plasma-level short that can melt metal and vaporize insulation,” said a flight engineer, who did not want to be named.

    The surge that reached the Dreamliner’s nerve center

    So if a high voltage inverter arced; then this burst of energy would’ve sent transients —  sharp voltage spikes — surging back through the airplane’s 28-volt and 115-volt power buses, rippling through the core network, the data-power spine that links almost every system on the 787.

    And it looks like it did — because ACARS fault codes (252490002, 167280002) indicate that this arc likely hit the forward electronics and electrical bay. And they were probably hit harder than they normally would have because of the existing faults before takeoff.

    When two power lines fail, two others carry the plane — until they don’t

    At 1.23 PM IST, 15 minutes before takeoff, when the system began throwing up processor (GPM), fault monitoring system (CMCF), power controller (BPCU faults) this would have impacted the power routing of flight critical systems.

    The plane has two engine generators (left and right VFSGs) supplying power to four lines — L1, L2, R1 and R2. Given the nature of the faults, the system would have first decided to route flight critical components away from L1 as this line had multiple faults (GPM Left 1 + CMCF Left + BPCU Left) and would have been identified as an unclean source of energy. The next line that would’ve been marked as suspect would have been R1 as this too had faults (GPM Right 4 + BPCU Right). Leaving L2 and R2 as the lines that were probably being used most by the flight critical components on the plane. If L2 or R2 were the components’ secondary electrical path.

    The arc that hit the heart: the R2 power-line arc

    But these two lines L2 and R2 were also seeing components faulting. At 1.23 PM, 15 minutes before takeoff, the right hydraulic electric motor‑driven pump on the L2 line was faulting (HYDIF RIGHT OPS). And as we discussed earlier the R2 line had already seen the fire-inerter (NGS), stabilizer motor (EMCU) and air conditioning compressor (CAC) failing.

    So given more than normal components might be mapped on to the L2 and R2 lines – an arc on the R2 line could’ve had far more impact than normal as it hit the forward and aft avionics bay.

    Once forward and tail avionics are hit they can begin spitting corrupted data and degraded voltage states. And those kinds of faults can bleed directly into FADEC logic. If FADEC sees invalid or contradictory control signals — it can try to “protect the engine” by limiting thrust during takeoff roll. And more dangerously — if this happens once airborne — FADEC could decide to shut the engines.

    When power source for cooling systems starts the fire

    The irony could not be more brutal. If the above interpretation is true the power sources for systems designed for cooling and to prevent fires — appears to have ignited the airplane’s electrical core instead. The high voltage inverter of the fire inerter and airconditioning likely arced to structure, burning through the aft equipment frame, cooking the wiring of the emergency distress beacon (ACARS code 252490002), crippling the auxiliary power unit (APU), charring the tail blackbox (aft EAFR), cutting the anti-collision strobe lights and starting a blackout that killed half the aircraft’s avionics and its lines to the engines.

    The scenario of the plane’s ELT and EAFR getting knocked out by an electric arc is consistent with the AAIB report, which says, “the Emergency Locator Transmitter (ELT) was not activated during this event…..the (aft) EAFR had impact and thermal damages to the housing. The wires were protruding from the housing and the connectors were burnt.”

    Boeing Papers Admit: Single Fault Can Trigger 787 Cascade

    This possibility of an arc on the R2 line cascading across multiple systems is admitted by Boeing in an internal document, where it states, “The loss of a single component within the common core system (CCS) can affect multiple systems.” And on AI 171, the component failing  – if it can be called that – was the core network. The host of the central computers, CCS, flight control computers and the command arm of the power controllers or BPCUs.

    Boeing itself states that the 787’s architecture “differs from the traditional aircraft system, where each individual system requires its own dedicated communications route…the 787 architecture reduces the amount of wiring, hardware and overall weight of the airplane…and in this architecture, individual component failures can impact multiple systems.

    Neither Boeing, Air India, DGCA India, AAIB, or other regulatory agencies like EASA have responded to request for comment.

    What Boeing didn’t design for: emergency power failing before engines

    And then comes an event that could star in Ripley’s “Believe it or Not” as this plane seems to have had its emergency power fail before the engines did. An ACARS fault code (163840003) could indicate the APU’s control unit was also hit in the power transient.

    But even if one didn’t go by the fault code but just by logic and Boeing literature, then again the emergency power or auxiliary power unit (APU) will not function until it can clearly determine a stable high-voltage source. And on AI 171, the APU likely didn’t have that.

    The power gatekeeping BPCUs had started faulting and the core network was degraded —  meaning commands to isolate a failing unit would get delayed or corrupted. So in this deck of cards, when one of the high voltage inverters arcs, with no clean high-voltage source, the 787 can auto-inhibit APU start. Because Boeing’s design philosophy was that loading a heavy consumer like the APU starter motor onto an unverified rail risks accelerating the collapse. What it wasn’t budgeting for was an electric failure that possibly first crippled the emergency power, before it triggered dual engine failure, say engineers.

    The APU That ‘Looked Fine’

    But going by the AAIB report, you wouldn’t think anything was amiss with the APU. As AAIB report states, “ÄPU was recovered intact…APU inlet door began opening at 08:08:54 UTC.”

    Engineers say APU inlet door opening was probably a result of manual action by Captain Sumeet; and not system-driven as the 787 is unlikely to auto-start in the middle of a surge on the high-voltage drive line.

    Faults treated in isolation hid electrical failure behind 787 crash

    So going back in time, the fire inerter (NGS) being identified as an active fault on June 10 seems to have been the alarm siren for a deeper electrical problem on the plane. In hindsight the engineers say the crash itself may have never had happened had the NGS and stabilizer motor problem not been seen in isolation as Boeing’s fault isolation manual (FIM) asked engineers to do.

    If Boeing and the airline had given engineers more authority, leeway and time when it came to dealing with faults, engineers say they are certain that the root cause would have been identified. That it was likely a bad power domain that had impacted the fire inerter, stabilizer motor unit and finally the high voltage inverter — triggering an arc that likely hit the forward avionics rack and inputs to engine computer FADEC — possibly resulting in engine shutdown and ultimately the plane crash.

     

    And the end of the hopes and dreams of scores of people; people like Shradha Dhavan, Aparna Mahadik, Saineeta Chakravarty, Nganthoi Sharma Kongbrailatpam, Deepak Pathak, Maithili Patil, Irfan Shaikh, Lamnunthem Singson, Roshni Rajendra Songhare and Manisha Thapa — Air India’s crew who’d probably participated in safety demonstrations a minute or two earlier.

    (Disclaimer: The AAIB has not yet released its final report on the AI-171 crash. All the technical scenarios presented here are based on preliminary information, evidence submitted in India’s Parliament and Supreme Court and remain hypotheses. Also the ACARS codes mentioned in the story are not a direct map to maintenance faults as listed in Boeing’s Fault Isolation Manual; as maintenance faults are 7-8 digit strings. The 9-digit ACARS string is only partially recognisable to engineers as its proprietary code of Boeing.  For this story on conditions of anonymity we have spoken to pilots and flight engineers in India, Europe and US; and for details on actuators, sensors, structural engineering and logic paths to IT, mechanical, electrical and electronic engineers from India, working for firms that are Boeing sub contractors.)

     

     

     

  • The Catastrophe of Air India 171: An Inquiry Meant to Improve Safety — and an AAIB Report That Doesn’t

    The Catastrophe of Air India 171: An Inquiry Meant to Improve Safety — and an AAIB Report That Doesn’t

    The crash of Boeing 787 Dreamliner of Air India 171 flight (Ahmedabad to London), minutes after takeoff, led to the death of all onboard, save for the miraculous escape of one passenger. Over the last two decades, a series of accidents and failures has put a big question mark on Boeing’s work ethic and the reliability and safety of its planes. The Expose on the Boeing 737 Max fiasco have effectively driven Boeing’s reputation into the mud. The accident investigation into the AI-171 has raised a maelstrom of doubts, questions, and protests over the investigation’s reliability, as the preliminary report indirectly insinuated possible pilot error. This resembles Boeing’s influence in earlier investigations of accidents involving the 737 Max.

    Rachel Chitra is an investigative journalist who has worked at outlets such as Reuters, Forbes, and The Times of India, and was a Reuters Fellow (2021). Her reporting has uncovered issues with PM Cares Fund, CAA, migrant deaths during the COVID-19 lockdown, among other issues. Her investigative work has been cited by media outlets such as the BBC and GIJN, the Opposition in Parliament, and submitted as evidence before the Supreme Court. She has recently published a four-part investigative series for The Federal and an in-depth analysis for Frontline on the Air India 171 crash and its safety implications. This article raises very pertinent observations on India’s aviation safety.

    In the 15-page preliminary report, AAIB refers to fuel, fuel quantity, fuel control switches, fuel cut-off, or fuel-related behaviour at least 19 times, repeatedly steering interpretation toward a fuel-switch narrative.

     

    Nearly everyone on board Air India flight AI-171 died within seconds after take-off.

    In 32 seconds – one of the shortest flights in history.

    AI 171’s crew included Roshni Songhare, Saineeta Chakravarty, Shradha Dhavan, Aparna Mahadik, Maithili Patil, Manisha Thapa, Nganthoi Kongbrailatpam Sharma, Lamnunthem Singson, along with Deepak Pathak and Irfan Shaikh — men and women who had trained for years for a life in aviation. Many at the very beginning of their careers. Their goals, dreams and ambition – gone in 32 seconds like it was for the passengers on board – the elderly, infants, couples, entire families.

    The deadliest aviation disaster in India’s history, and the first fatal crash of a Boeing 787 Dreamliner.

    When tragedies of this scale occur, aviation investigations exist for one reason: to establish what failed, so it cannot happen again. Not to assign blame. Not to protect reputations. But to interrogate systems with enough honesty that future lives are spared.

    Yet six months after the crash, the official preliminary report into AI-171 raises a more disturbing possibility: that the investigation itself may be structured to prevent the most dangerous safety question from ever being asked.

    That question is this: Did the aircraft’s engine computer FADEC command a fuel cutoff seconds after liftoff — because flight computers went to “on ground” logic in the air?

    That question begins with a single line buried in the report’s take-off sequence.

    At 08:08:39 UTC, Air India flight AI-171 left the ground.

    The Aircraft Accident Investigation Bureau (AAIB) states this explicitly in its preliminary report: “The aircraft air/ground sensors transitioned to air mode, consistent with liftoff at 08:08:39 UTC.”

    That sentence is the most important technical fact in the entire document.
    And it is never returned to again.

    Every subsequent line of the AAIB report is structured to ensure the reader does not ask the only question that matters after 08:08:39 UTC:

    Did the aircraft remain in “air mode” digitally after liftoff — or did it revert to “on-ground” logic while physically airborne?

    The AAIB report does not answer this question. It does not even acknowledge that it exists.

    And this matters because the engine computer — FADEC — is permitted to command a hard fuel cutoff only under two circumstances: engine overspeed protection, or Thrust Control Malfunction Accommodation (TCMA) — a protection mode that gets triggered only if the aircraft’s systems believe it is on the ground.

    TCMA is activated only when four conditions are simultaneously met: the aircraft is classified as on ground, airspeed is below 200 knots, altitude is below 17,500 feet, and commanded thrust (selected N1) exceeds a defined threshold.

    AI-171 met every one of those conditions seconds after liftoff — if, as the evidence suggests, its flight-control logic briefly reverted from air mode to on-ground mode while the aircraft was physically airborne. And if AI 171 did meet TCMA conditions, it becomes highly likely that this plane had a FADEC-commanded fuel cutoff.

    So now let’s go into how the AAIB’s narrative is hard at work to steer us away from the possibility of such an occurrence by looking first at the take-off sequence.

    How the real sequence begins — before the narrative takes over

    The AAIB’s own timeline establishes a clean, uneventful take-off sequence:

    • 08:08:33 UTC — V1 reached at 153 knots IAS
    • 08:08:35 UTC — Vr reached at 155 knots IAS
    • 08:08:39 UTC — air/ground sensors transition to air mode (liftoff)

    Up to this point, there is no anomaly. The aircraft is airborne, committed to flight, and operating within normal take-off parameters.

    Everything that follows occurs after the aircraft is already in the air.

    “Maximum recorded airspeed”: the first linguistic sleight of hand

    The AAIB then writes:

    “The aircraft achieved the maximum recorded airspeed of 180 knots IAS at about 08:08:42 UTC…”

    This line does two things simultaneously:

    1. It introduces the phrase “maximum recorded”, not “maximum achieved.”
    2. It uses IAS, a pilot-facing parameter, not the true air speed (TAS) or calibrated airspeed (CAS) — which is the calculated/synthesised value used by FADEC to command thrust with fuel control.

    In an aircraft still at take-off thrust, basic physics dictates that acceleration cannot stop instantaneously. As Newton’s First Law of Motion states: “An object will remain at rest or in uniform motion unless acted upon by an external force.”

    At the point in time, the AAIB identifies as the aircraft’s “maximum recorded airspeed” — 180 knots IAS at about 08:08:42 UTC — no such external braking force is identified. Even if fuel flow were interrupted at that instant, the aircraft’s mass and momentum would require it to continue accelerating briefly, not plateau abruptly.

    A sudden halt at a “maximum recorded” value, therefore, is not evidence of the plane’s true “top airspeed.” It is more consistent with interrupted recording, logic disturbance, or power loss due to an electrical failure — precisely the kind of upstream event the AAIB does not interrogate. Instead, the report immediately pivots away.

    The pivot: fuel becomes the “event”

    The very next sentence reads:

    “…and immediately thereafter, the Engine 1 and Engine 2 fuel cutoff switches transitioned from RUN to CUTOFF position one after another with a time gap of 01 sec.”

    From this moment on, the report’s framing is locked.

    Fuel is now the main actor.

    In the 15-page preliminary report, AAIB refers to fuel, fuel quantity, fuel control switches, fuel cut-off, or fuel-related behaviour at least 19 times, repeatedly steering interpretation toward a fuel-switch narrative.

    This matters because fuel is downstream in a modern fly-by-wire aircraft. Fuel flow is not an independent cause; it is something commanded — by pilots, by automation, or by protection logic.

    And the report never interrogates the command path that resulted in fuel cutoff.

    Was it the fuel getting cut off? Or the autothrottle?

    Immediately after describing the fuel cutoff switches, the AAIB inserts a single paraphrased cockpit line:

    “In the cockpit voice recording, one of the pilots is heard asking the other why did he cut off. The other pilot responded that he did not do so.”

    The transcript does not say fuel.
    It does not say switch.
    It does not say engine.

    “Cutoff” is an effect, not a system.

    But by placing this sentence directly beneath the fuel-switch paragraph — after saturating the report with fuel references — the AAIB ensures that the reader supplies the missing noun.

    And readers think there was a fuel switch being cut off – when, for all we know, First Officer Clive Kunders could have been referring to the autothrottle, given the pre-existing electrical failures on the flight. And his question could’ve very well have been “Why did it cut off? – the “it” was lost in the blizzard of chimes and warnings from EICAS.

    So when the AAIB report gives us a paraphrased sentence about the cockpit conversation without context and data, it becomes damning. And as a petition in the Supreme Court puts it – “it’s narrative framing, not real evidence.”

    A Flight-Control Failure the AAIB Leaves Out — By Design

    Independent reporting and maintenance records show that AI-171 had already experienced a flight-critical failure two hours before the crash — one that directly involves the electrical architecture that the AAIB avoids examining.

    What the AAIB report also ensures is that the reader does not know that this aircraft did not enter take-off roll in a clean, stable flight-control state.

    Independent reporting and maintenance records show that AI-171 had already experienced a flight-critical failure two hours before the crash — one that directly involves the electrical architecture that the AAIB avoids examining.

    On the aircraft’s previous flight, AI 423 Delhi to Ahmedabad, AAIB report says, “the crew logged a Pilot Defect Report (PDR) for the status message “STAB POS XDCR” — a failure involving the stabilizer position transducer…troubleshooting was carried out “as per the FIM” by Air India’s on-duty Aircraft Maintenance Engineer, and the aircraft was released back to service at 06:40 UTC (12.10 PM IST).”

    What the report does not say — but what maintenance logs make clear — is that it wasn’t just a problem with the transducer or sensor – but with the entire right horizontal stabilizer electric motor control unit (EMCU). The entire unit failed and had to be replaced along with its wiring and sensors.

    And as per the maintenance log, this condition was detected by all three Flight Control Modules (FCMs). In other words, a flight-critical component under FCM command failed, was troubleshot, and the aircraft was returned to service.

    Then comes more crucial evidence, where again AAIB preserves a blanket silence.

    Precisely 15 minutes before take-off at 1:23 PM IST (7:53 UTC), all three Flight Control Modules (FCMs) – left, right and centre – started reporting faults, as per data from the plane’s satellite transmissions or ACARS data.

    That context is essential because this evidence has been presented to the Supreme Court. This aspect is discussed in an interview with Barkha Dutt on Mojo Story, where the sequence of pre-existing electrical and flight-control faults was publicly laid out. This was also summarised on LinkedIn.

    And this is where the Indian media should ask itself why aviation-safety evidence is being left to circulate on LinkedIn? What are the forces at play that prevent the publication of this evidence as front-page news?

    Why do we celebrate Netflix’s Downfall: The Case Against Boeing without imbibing its most uncomfortable lesson? That the reckoning happened only because Ethiopia bypassed Washington and took the black boxes to Europe, straight to EASA and Airbus. Today, the AAIB has done the exact opposite — flying to Washington in December to sit with the NTSB and Boeing for spectral analysis of the cockpit audio.

    If Ethiopia had done what India did, it’s highly doubtful there would be any Netflix film today about Boeing. And it’s also highly doubtful that Indian pilot Bhavye Suneja and his Ethiopian counterparts, Yared Getachew and Ahmednur Mohammed Omar would’ve been vindicated.

    Because in crashes, it’s not just evidence that matters – but the location. Where is the evidence getting interpreted? As this can be the deciding factor in whether the truth emerges at all.

    In today’s vacuum of reporting on the Air India crash, manufacturers and operators are winning by default — not because the evidence is weak, but because it is not being examined or amplified.

    And you can see this broader failure of scrutiny play out in the AAIB’s own preliminary report — not through what is stated, but through what is selectively reported.

    How the AAIB Curates Evidence to Signal ‘Nothing Went Wrong’

    The most revealing part of the AAIB report is not what it says, but when it chooses to quote digital data and when it avoids it.

    When digital data supports “normal flight,” AAIB quotes EAFR

    • Flap handle: “Firmly seated in the 5-degree flap position, consistent with a normal take-off flap setting…position was confirmed from EAFR.”

    • Thrust levers: “Both thrust levers were found near the aft (idle) position. However, the EAFR data revealed that the thrust levers remained forward (take-off thrust) until the impact.”

    These citations do important narrative work. They tell the reader:

    • configuration was normal,
    • thrust was commanded,
    • no stall,
    • no obvious mishandling.

    When digital data would expose air/ground logic, AAIB stops quoting EAFR

    Now compare that to how the report handles systems that determine ground vs air logic:

    • “The landing gear lever was in DOWN position.”
    • “The reverser levers were in the stowed position.”
    • “The wiring from the TO/GA switches and autothrottle disconnect switches were visible, but heavily damaged.”

    These are physical post-crash descriptions, not digital states.

    The report does not quote:

    • digital gear logic,
    • reverser command status,
    • TO/GA engagement state,
    • autothrottle logic state,
    • flight-control mode transitions.

    Yet these are precisely the parameters that would reveal whether the aircraft temporarily reverted to “on-ground” logic while airborne.

    The AAIB report by giving us EAFR data on thrust levers in forward and not EAFR data on “thrust reversers” is playing on the information asymmetry. Because not many people, even in the aviation world, are aware that GE and Safran changed the Boolean gating condition on the 70 GEnx engines (left engine GEnx-1B70/75/P2 and right engine GEnx-1B70/P2) to “OR”.

    For these engines, either forward thrust “OR” thrust reversers can be in “IDLE” for TCMA to activate.

    So, in its desire to divert attention away from the possibility of a TCMA-driven FADEC cutoff, what the AAIB report has inadvertently ended up doing is proving pilot innocence with its selective referencing of black box data. Because if “thrust” was in forward from take-off till crash – it clearly proves pilot integrity and pilot intent; no matter what the system decided otherwise.

    Why “on-ground logic in the air” explains the entire sequence

    Boeing flight-control computers are known to reboot under certain electrical fault conditions. And the FAA warned about this possibility as early as 2016. On reboot, systems enter a fail-safe default state — on-ground logic — before reassessing air/ground status.

    If this occurs after liftoff:

    • autothrottle and TO/GA can disengage,
    • thrust-logic protections can be triggered,
    • FADEC can command fuel reduction or cutoff under TCMA
    • cockpit indications can freeze or reset.

    This is not speculation. It is documented system behaviour.

    And it is the only mechanism that coherently explains:

    • normal liftoff at 08:08:39,
    • sudden loss of thrust logic seconds later,
    • asymmetric engine recovery
    • a cockpit exchange centred on “cutoff”
    • Seemingly “normal” pitch attitude and configuration with catastrophic energy loss.

    RAT: Precision – where safe, Vagueness – where dangerous

    Now, let’s look at how the report mentions emergency power, i.e. the behaviour of the Ram Air Turbine (RAT). The AAIB states that the RAT hydraulic pump began supplying hydraulic power at 08:08:47 UTC — a precise timestamp.

    Yet the AAIB does not give the time for when the RAT deployed, noting only that it appears on CCTV “during the initial climb immediately after lift-off.” In this dark fairytale, time seems selectively unavailable: CCTV footages have no timestamps, the EAFR remembers only some RAT functions but not others. And the moment when RAT started generating electrical power is when AAIB would like us to believe the EAFR turned human and suffered from short-term amnesia.

    The omission of the RAT deployment timestamp is crucial. As in the normal course of events, emergency power, i.e. the RAT, would deploy after the main engines failed. But if RAT deployed when engines were still running, that shows this plane has some underlying electrical disturbance. It also points more towards systems failure than pilot error.

    So, the AAIB uses precision when it does not threaten the fuel narrative. Vagueness appears when it might.

    FADEC: When the AAIB report stops investigating and starts teaching

    After documenting the switch transitions and relight attempts, the AAIB writes:

    “When fuel control switches are moved from CUTOFF to RUN while the aircraft is inflight, each engine’s full authority dual engine control (FADEC) automatically manages a relight…”

    This sentence is not investigative. It is protective.

    Rather than stating what FADEC actually did on AI-171, the report retreats into training manual language, describing how FADEC typically functions — and even mislabeling it as “dual” rather than “digital.” The effect is deliberate: it allows the AAIB to discuss FADEC without committing to any factual finding about its behaviour in this crash.

    In a case now before the Supreme Court, that distinction matters. By giving a generic system description for a specific event, the AAIB has plausible deniability.

    If evidence later emerges that FADEC commanded the fuel cutoff, AAIB can shield itself in the Supreme Court by arguing that it never asserted how FADEC behaved on AI 171 but only talked about how it is designed to behave. This rhetorical move shields the engine-control system from scrutiny at precisely the point where it needs the most investigation.

    This is not a neutral drafting choice. It is how responsibility is deferred without being denied.

    The concealment pattern is quite clear, as the AAIB report:

    • States the aircraft entered air mode at 08:08:39 UTC.
    • Never examines whether it stayed there.
    • Uses EAFR data when it supports “normal take-off”.
    • Avoids EAFR data when it would expose air/ground logic
    • Documents that the aft EAFR’s wiring and connectors were charred — despite the tail section being largely intact — yet offers no causal analysis whatsoever
    • Withholds any forensic findings on soot or residue from the aft EAFR, even though such analysis could distinguish between post-impact fire and a pre-impact electrical arc — a distinction central to determining whether a systems failure occurred before dual engine shutdown
    • Repeats fuel references to steer interpretation
    • Inserts an ambiguous cockpit conversation
    • Substitutes system description for system behaviour when discussing FADEC.
    • Concludes with “no recommended actions” for manufacturers.

    This is not a neutral omission. It is narrative architecture.

    Conclusion: The Human Cost of What This Report Is Written to Hide

    Once the aircraft is acknowledged to be airborne at 08:08:39 UTC, every downstream question should interrogate system logic continuity. The AAIB report does not do that.

    And this is not an abstract failure.

    It has a human face.

    That face belongs to 88-year-old Pushkaraj Sabharwal — a former senior official of India’s Directorate General of Civil Aviation. He gave a lifetime of service to an institution that’s today failed his son – Captain Sumeet Sabharwal; with an AAIB report that’s high on omission and as high on “weaponising selective disclosure of data” – as he puts it.

    At 88, Mr. Sabharwal should have been at peace; in retirement. Instead, he is in court, fighting.

    Fighting not only for his dead son, but also for First Officer Clive Kunders and for the 258 other families who lost a loved one in the first fatal crash of a Dreamliner.

    After 30 years with the DGCA, he knows better than us how accident investigations are supposed to work. And he is asking the right questions. The hard ones like “Why is AAIB giving Boeing and GE a seat at the very table investigating their planes and equipment? Why give them a clean chit?”

    As a former DGCA official, he knows when questions are being avoided, when systems are being protected, and when language is being used to create deniability rather than truth.

    He is watching a preliminary report used to shape public perception before facts are fully disclosed.

    And he is fighting it. Because, as he says, this is about data and due process.
    It is about whether the truth still matters when it is inconvenient.

    Accident investigation is not a bureaucratic exercise. It is a nation’s promise to the dead that their lives will mean something — that lessons will be learned honestly, and that safety will not be sacrificed, as he says to “commercial interests.”

    For India — a founding member of the International Civil Aviation Organisation — this is not acceptable.

    Unless India corrects the course of its investigation, AI-171 will be remembered not only as a catastrophic systems failure in flight, but as a catastrophic failure on the ground — in the very institutions entrusted with the truth.

    For 260 families, this is not justice.
    For global aviation, this is not safety.

    As there are still 1,100 Dreamliners with the same electrical architecture that continue to fly unreviewed and unexamined.

    Because among the people who had faith and trust in India’s aviation regulator to keep our skies safe – were Roshni Songhare, Saineeta Chakravarty, Shradha Dhavan, Aparna Mahadik, Maithili Patil, Manisha Thapa, Nganthoi Kongbrailatpam Sharma, Lamnunthem Singson, Deepak Pathak and Irfan Shaikh – the crew of AI 171 who’d engaged in flight safety demonstrations just a few minutes before the crash.

     

    Feature Image Credit: thenewsminute.com