nanog mailing list archives

Re: OT: Traffic Light Control (was Re: First real-world SCADA attack in US)


From: Owen DeLong <owen () delong com>
Date: Tue, 22 Nov 2011 12:37:17 -0800


                    but that's not the only risk. When the traffic
signal is failing, even if it's failing with dark or red in every
direction, the intersection becomes more dangerous. Not as dangerous
as conflicting greens, 

By 2 or 3 orders of magnitude, usually; the second thing they teach you
in driver ed is "a dark traffic signal is a 4-way stop".


I'm not so sure that's true. (The 2-3 orders of magnitude part). When I worked ambulance, we responded to a lot more 
collisions in 4-way stop intersections and malfunctioning (dark or flashing red) signal intersections than we did in 
intersections with conflicting greens. A whole lot more, like none of the conflicting greens and many of the others.

As such, I'd say that the probability of a conflicting green occurring and causing an injury accident is pretty low 
even with (relatively) modern digital signal controllers.

                       but more dangerous than a properly operating
intersection. If we can eliminate 1000 failures without conflicting
greens, at the cost of one failure with a conflicting green, it might
be a net win in terms of safety.

The underlying issue is trust, as it so often is.  People assume (for
very good reason) that crossing greens is completely impossible.  The
cost of a crossing-greens accident is *much* higher than might be
imagined; think "new Coke".


Sorry, I have trouble understanding how you draw a parallel between a crossing greens accident and new Coke.

Yes, people assume a crossing greens situation is completely impossible. People assume a lot of very unlikely things 
are completely impossible. Many people think that winning the lottery is completely impossible for them. A fraction of 
those people choose not to play on that basis, rendering that belief basically true. Even with modern 
software-controlled signaling, crossing greens events are extremely uncommon. So much so that I have never actually 
encountered one.

Modern intersections are often considerably more complicated than a
two phase "allow N/S, then allow E/W, then repeat" system. Wiring relays
to completely avoid conflict in that case is very complex, and,
therefore, more error prone. Even if a properly configured relay
solution is more reliable than a properly configured solid-state
conflict-monitor solution, if the relay solution is more likely to be
misconfigured, then there's not necessarily a net win.

Sure.  But we have no numbers on either side.


I will say that the relative complexity of configuring the software systems vs. wiring a relay based system to 
correctly protect a modern complex intersection would make the relay system inherently significantly less likely to 
have completely protected logic. In fact, it might even be electrically impossible to completely protect the logic in 
some modern intersection configurations because they don't make relays with that many poles.

Conversely, the software configuration interface is pretty well abstracted to the level of essentially describing the 
intersection in terms of source/destination pairs and paths crossed by each pair. Short of a serious bug in the overall 
firmware or the configuration compiler (for lack of a better term), I'd say that such gross errors in the configuration 
of the conflict monitor are pretty unlikely. Indeed, the history of traffic light malfunctions with digital controllers 
would seem to bear this out. The safety record appears to be pretty good.

So rare, in fact, that traffic light malfunctions do not appear in a list of traffic accident causes that totaled more 
than 99% of traffic accidents when I added up the percentages. I can only assume that since light malfunctions overall 
are not a statistically significant fraction of accidents, conflicting greens must represent an even smaller and more 
insignificant fraction.

Cost is an object. If implementing a solid state controller is less
expensive (on CapEx and OpEx basis) than a relay-based controller, then
it might be possible to implement traffic signals at four previously
uncontrolled intersections, instead of just three. That's a pretty big
safety win.

See above about whether people trust green lights to be safe.


People trust cars to be safe. What is your point?

Owen
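
The "describe the intersection as source/destination pairs and the paths each pair crosses" abstraction that Owen mentions, as an added example that is not part of the thread and not code from any real signal controller or malfunction management unit: a toy conflict monitor for a four-leg, eight-movement intersection. It compiles the conflict table from the geometric description and then checks a controller's green outputs against it, dropping to "FLASH" (the dark/flashing-red failure the thread prefers) rather than ever passing a conflicting green. The movement names, the leg layout and the rule that merges into the same leg count as conflicts are assumptions of this example.

```python
"""Toy conflict monitor for a four-leg intersection (added example; not code
from the NANOG thread or from any real signal controller / MMU).

The intersection is described only as source/destination leg pairs. The
conflict table is compiled from that description, and a controller output
(the set of movements currently shown green) is checked against the table,
which is the check a conflict monitor performs on every cycle.
"""
from itertools import combinations

# Legs in clockwise order. Driving on the right, each leg's inbound lanes sit
# clockwise-before its outbound lanes as you walk around the intersection, so
# leg k gets inbound point 2k and outbound point 2k+1 on a circle of 8 points.
LEGS = ["N", "E", "S", "W"]

# Constructed 8-movement intersection (through + protected left per approach),
# as (source leg, destination leg). Names are assumptions for this example.
MOVEMENTS = {
    "NB_THRU": ("S", "N"), "NB_LEFT": ("S", "W"),
    "SB_THRU": ("N", "S"), "SB_LEFT": ("N", "E"),
    "EB_THRU": ("W", "E"), "EB_LEFT": ("W", "N"),
    "WB_THRU": ("E", "W"), "WB_LEFT": ("E", "S"),
}


def chord(movement, movements=MOVEMENTS):
    """Path of a movement as a chord between its inbound and outbound points."""
    src, dst = movements[movement]
    return (2 * LEGS.index(src), 2 * LEGS.index(dst) + 1)


def _crosses(chord_a, chord_b):
    """True if two chords cross inside the circle: exactly one endpoint of one
    chord lies strictly between the endpoints of the other. Chords that share
    an endpoint (same approach, or merging into the same leg) do not cross."""
    a1, a2 = sorted(chord_a)
    b1, b2 = sorted(chord_b)
    if len({a1, a2, b1, b2}) < 4:
        return False
    return (a1 < b1 < a2) != (a1 < b2 < a2)


def conflicts(a, b, movements=MOVEMENTS):
    """Two movements conflict if their paths cross, or if they enter the same
    leg from different approaches (a merge at speed). Movements from the same
    approach run side by side and never conflict. The merge rule is a modelling
    assumption of this example, not a rule taken from any standard."""
    (src_a, dst_a), (src_b, dst_b) = movements[a], movements[b]
    if src_a == src_b:
        return False
    if dst_a == dst_b:
        return True
    return _crosses(chord(a, movements), chord(b, movements))


def conflict_table(movements=MOVEMENTS):
    """The 'compiled' table: every unordered pair of movements that may never be
    green together. This is what a monitor's permissive program encodes;
    everything not listed here is allowed together."""
    return {frozenset(p) for p in combinations(movements, 2)
            if conflicts(*p, movements)}


def monitor(greens, movements=MOVEMENTS):
    """Check one controller output. Returns ("RUN", []) when the set of green
    movements is permitted, or ("FLASH", offending pairs) when it is not: a
    real monitor would force the intersection to flashing red at that point."""
    unknown = set(greens) - set(movements)
    if unknown:
        raise ValueError(f"unknown movements: {sorted(unknown)}")
    table = conflict_table(movements)
    bad = sorted(tuple(sorted(p)) for p in combinations(sorted(greens), 2)
                 if frozenset(p) in table)
    return ("FLASH", bad) if bad else ("RUN", [])


if __name__ == "__main__":
    table = conflict_table()
    print(f"{len(table)} conflicting pairs out of "
          f"{len(list(combinations(MOVEMENTS, 2)))}")
    for state in ({"NB_THRU", "SB_THRU"}, {"NB_LEFT", "SB_LEFT"},
                  {"NB_THRU", "EB_LEFT"}, {"EB_THRU", "WB_THRU", "NB_THRU"}):
        print(sorted(state), "->", monitor(state))
```

With only eight movements the compiled table already flags 20 of the 28 pairs, and the pair count grows as n(n-1)/2 in the number of channels; that is the relay-matrix complexity the thread is arguing about, and it is exactly the part the software abstraction derives rather than asking someone to wire by hand.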


