At 09:32 local time (01:32 UTC) on 7 October 2008, an Airbus A330-303 aircraft, registered VH-QPA, departed Singapore (SIN) on a scheduled passenger transport service to Perth (PER), Australia. On board flight QF72 were 303 passengers, nine cabin crew and three flight crew. At 12:40:28, while the aircraft was cruising at 37,000 ft, the autopilot disconnected. That was accompanied by various aircraft system failure indications. At 12:42:27, while the crew was evaluating the situation, the aircraft abruptly pitched nose-down. The aircraft reached a maximum pitch angle of about 8.4 degrees nose-down, and descended 650 ft during the event. After returning the aircraft to 37,000 ft, the crew commenced actions to deal with multiple failure messages. At 12:45:08, the aircraft commenced a second uncommanded pitch-down event. The aircraft reached a maximum pitch angle of about 3.5 degrees nose-down, and descended about 400 ft during this second event. At 12:49, the crew made a PAN emergency broadcast to air traffic control, and requested a clearance to divert to and track direct to Learmonth. At 12:54, after receiving advice from the cabin crew of several serious injuries, the crew declared a MAYDAY. The aircraft subsequently landed at Learmonth Airport, WA (LEA) at 13:50. At least 110 of the 303 passengers and nine of the 12 crew members were injured; 12 of the occupants were seriously injured and another 39 received hospital medical treatment. Most of the injuries involved passengers who were seated without their seatbelts fastened. CONTRIBUTING SAFETY FACTORS: – There was a limitation in the algorithm used by the A330/A340 flight control primary computers for processing angle of attack (AOA) data. This limitation meant that, in a very specific situation, multiple AOA spikes from only one of the three air data inertial reference units could result in a nose-down elevator command. [Significant safety issue] – When developing the A330/A340 flight control primary computer software in the early 1990s, the aircraft manufacturer’s system safety assessment and other development processes did not fully consider the potential effects of frequent spikes in the data from an air data inertial reference unit. [Minor safety issue] – One of the aircraft’s three air data inertial reference units (ADIRU 1) exhibited a data-spike failure mode, during which it transmitted a significant amount of incorrect data on air data parameters to other aircraft systems, without flagging that this data was invalid. The invalid data included frequent spikes in angle of attack data. Including the 7 October 2008 occurrence, there have been three occurrences of the same failure mode on LTN-101 ADIRUs, all on A330 aircraft. [Minor safety issue] – The LTN-101 air data inertial reference unit involved in the occurrence (serial number 4167) also had a previous instance of the data-spike failure mode, indicating that it probably contained a marginal weakness in its hardware, which reduced the resilience of the unit to some form of triggering event. – For the data-spike failure mode, the built-in test equipment of the LTN-101 air data inertial reference unit was not effective, for air data parameters, in detecting the problem, communicating appropriate fault information, and flagging affected data as invalid. [Minor safety issue] – The air data inertial reference unit manufacturer’s failure mode effects analysis and other development processes for the LTN-101 ADIRU did not identify the data-spike failure mode. CONTRIBUTING SAFETY FACTORS: – There was a limitation in the algorithm used by the A330/A340 flight control primary computers for processing angle of attack (AOA) data. This limitation meant that, in a very specific situation, multiple AOA spikes from only one of the three air data inertial reference units could result in a nose-down elevator command. [Significant safety issue] – When developing the A330/A340 flight control primary computer software in the early 1990s, the aircraft manufacturer’s system safety assessment and other development processes did not fully consider the potential effects of frequent spikes in the data from an air data inertial reference unit. [Minor safety issue] – One of the aircraft’s three air data inertial reference units (ADIRU 1) exhibited a data-spike failure mode, during which it transmitted a significant amount of incorrect data on air data parameters to other aircraft systems, without flagging that this data was invalid. The invalid data included frequent spikes in angle of attack data. Including the 7 October 2008 occurrence, there have been three occurrences of the same failure mode on LTN-101 ADIRUs, all on A330 aircraft. [Minor safety issue] – The LTN-101 air data inertial reference unit involved in the occurrence (serial number 4167) also had a previous instance of the data-spike failure mode, indicating that it probably contained a marginal weakness in its hardware, which reduced the resilience of the unit to some form of triggering event. – For the data-spike failure mode, the built-in test equipment of the LTN-101 air data inertial reference unit was not effective, for air data parameters, in detecting the problem, communicating appropriate fault information, and flagging affected data as invalid. [Minor safety issue] – The air data inertial reference unit manufacturer’s failure mode effects analysis and other development processes for the LTN-101 ADIRU did not identify the data-spike failure mode.