D8 Safety / SMS · P1 runtimes

Safety surfaces

Just-culture firewall live
Identity boundaryM17 just-culture firewall

Cedar policy + JSON Schema redactions

Forbidden surface0 leaks · adversarial-tested

Probes run on every redacted projection

Audit chainP05 append-before-publish

Two sibling projections: SMS · AVSEC

M17 / M18 · post-flight ingest

FDM exceedance detection

Flight-data-monitoring exceedances are detected automatically against the SMS rule set. Every exceedance hits the just-culture firewall before any name reaches a desk.

  • Connector cadencepost-flight
  • Detection rulesetM17 + Annex 13
  • Privacy boundaryM17 firewall (Cedar)
contract boundservice pendingservices/p14-sms/src/fdm_exceedance.rs

M17 · Threat & Error Management

TEM register · active management

Threat & Error Management entries are first-class. Every TEM has an owning manager, an oldest-review SLA, and a public completeness check (zero stale > 12 months).

  • Oldest review SLA≤ 12 months
  • Completeness gate100% covered
  • AuthorityP05 audit + manager assertion
contract boundservice shippedservices/p14-sms/src/tem.rs

M18 · Aviation Security

AVSEC runtime

Security events (M18) emit on a separate jurisdictional contract with classified-payload stripping. AVSEC and SMS are sibling boundaries — neither can read into the other.

  • Topic familyaxiom.avsec.v0
  • Payload classredacted-only
  • Sibling boundaryM17 SMS firewall
contract boundservice shippedservices/p14-sms/src/avsec.rs

FDM exceedance feed · last 24h

Recent exceedances

10 events
EventAircraftPhaseTypeSeverityIdentity
FDM-26050813-019CS-AXPApproachHigh rate of descent < 1000 ftClass BSealed
FDM-26050813-016CS-AXMTake-offRotation rate exceedanceClass CSealed
FDM-26050812-104CS-AXRCruiseMach overspeed transientClass CSealed
FDM-26050812-091CS-AXSApproachUnstable approach > 500 ftClass BSealed
FDM-26050812-087CS-AXOLandingHard landing > 1.8gClass CSealed
FDM-26050812-072CS-AXNTake-offTail clearance margin lowClass CSealed
FDM-26050812-058CS-AXUClimbSpeed brake during climbClass DSealed
FDM-26050812-041CS-AXQApproachLate landing configClass CSealed
FDM-26050812-029CS-AXWLandingBounced landingClass DSealed
FDM-26050812-014CS-AXTCruiseRAT deployment transientClass CSealed

TEM register · oldest review at top

Active threats & errors

8 entries · 4 need review
TEMCategoryOwnerLast reviewNext reviewState
TEM-2025-041Adverse weather (LIRF arrivals)m8 Safety2026-04-222026-07-22Active
TEM-2025-038Runway incursion (LPPT)m8 Safety2026-04-152026-07-15Active
TEM-2026-006Crew fatigue · long-haulm6 Crew2026-03-302026-06-30Active
TEM-2026-011De-icing co-ordinationm5 Flight Ops2026-03-122026-06-12Active
TEM-2026-014Cabin fire reporting lagm8 Safety2026-02-282026-05-28Review due
TEM-2026-019EFB offline reconcile driftm5 Flight Ops2026-02-122026-05-12Review due
TEM-2026-022Bird strike clusters · LPPRm8 Safety2026-01-292026-04-29Reopen
TEM-2026-027FOD post-construction · LPPT 03m5 Flight Ops2026-01-182026-04-18Reopen

Privacy guarantees

  • Reporter identity sealed before any record reaches a triage queue
  • Adversarial leak probes run on every M17 redacted projection
  • AVSEC and SMS write to separate audit projections — no cross-read
  • FDM exceedances cite Annex 13 + operator SMS rules, not vendor heuristics
  • Just-culture firewall validator passes adversarial test suite
Safety surfaces | AXIOM