Cedar policy + JSON Schema redactions
D8 Safety / SMS · P1 runtimes
Safety surfaces
Probes run on every redacted projection
Two sibling projections: SMS · AVSEC
M17 / M18 · post-flight ingest
FDM exceedance detection
Flight-data-monitoring exceedances are detected automatically against the SMS rule set. Every exceedance hits the just-culture firewall before any name reaches a desk.
- Connector cadencepost-flight
- Detection rulesetM17 + Annex 13
- Privacy boundaryM17 firewall (Cedar)
M17 · Threat & Error Management
TEM register · active management
Threat & Error Management entries are first-class. Every TEM has an owning manager, an oldest-review SLA, and a public completeness check (zero stale > 12 months).
- Oldest review SLA≤ 12 months
- Completeness gate100% covered
- AuthorityP05 audit + manager assertion
M18 · Aviation Security
AVSEC runtime
Security events (M18) emit on a separate jurisdictional contract with classified-payload stripping. AVSEC and SMS are sibling boundaries — neither can read into the other.
- Topic familyaxiom.avsec.v0
- Payload classredacted-only
- Sibling boundaryM17 SMS firewall
FDM exceedance feed · last 24h
Recent exceedances
| Event | Aircraft | Phase | Type | Severity | Identity |
|---|---|---|---|---|---|
FDM-26050813-019 | CS-AXP | Approach | High rate of descent < 1000 ft | Class B | Sealed |
FDM-26050813-016 | CS-AXM | Take-off | Rotation rate exceedance | Class C | Sealed |
FDM-26050812-104 | CS-AXR | Cruise | Mach overspeed transient | Class C | Sealed |
FDM-26050812-091 | CS-AXS | Approach | Unstable approach > 500 ft | Class B | Sealed |
FDM-26050812-087 | CS-AXO | Landing | Hard landing > 1.8g | Class C | Sealed |
FDM-26050812-072 | CS-AXN | Take-off | Tail clearance margin low | Class C | Sealed |
FDM-26050812-058 | CS-AXU | Climb | Speed brake during climb | Class D | Sealed |
FDM-26050812-041 | CS-AXQ | Approach | Late landing config | Class C | Sealed |
FDM-26050812-029 | CS-AXW | Landing | Bounced landing | Class D | Sealed |
FDM-26050812-014 | CS-AXT | Cruise | RAT deployment transient | Class C | Sealed |
TEM register · oldest review at top
Active threats & errors
| TEM | Category | Owner | Last review | Next review | State |
|---|---|---|---|---|---|
TEM-2025-041 | Adverse weather (LIRF arrivals) | m8 Safety | 2026-04-22 | 2026-07-22 | Active |
TEM-2025-038 | Runway incursion (LPPT) | m8 Safety | 2026-04-15 | 2026-07-15 | Active |
TEM-2026-006 | Crew fatigue · long-haul | m6 Crew | 2026-03-30 | 2026-06-30 | Active |
TEM-2026-011 | De-icing co-ordination | m5 Flight Ops | 2026-03-12 | 2026-06-12 | Active |
TEM-2026-014 | Cabin fire reporting lag | m8 Safety | 2026-02-28 | 2026-05-28 | Review due |
TEM-2026-019 | EFB offline reconcile drift | m5 Flight Ops | 2026-02-12 | 2026-05-12 | Review due |
TEM-2026-022 | Bird strike clusters · LPPR | m8 Safety | 2026-01-29 | 2026-04-29 | Reopen |
TEM-2026-027 | FOD post-construction · LPPT 03 | m5 Flight Ops | 2026-01-18 | 2026-04-18 | Reopen |
Privacy guarantees
- Reporter identity sealed before any record reaches a triage queue
- Adversarial leak probes run on every M17 redacted projection
- AVSEC and SMS write to separate audit projections — no cross-read
- FDM exceedances cite Annex 13 + operator SMS rules, not vendor heuristics
- Just-culture firewall validator passes adversarial test suite
