Re: OT: Traffic Light Control (was Re: First real-world SCADA attack in US)

[Jay Ashworth <jra () baylink com>]

----- Original Message -----
> From: "Owen DeLong" <owen () delong com>

> > >                     but that's not the only risk. When the traffic
> > > signal is failing, even if it's failing with dark or red in every
> > > direction, the intersection becomes more dangerous. Not as
> > > dangerous as conflicting greens,
> >
> > By 2 or 3 orders of magnitude, usually; the second thing they teach
> > you in driver ed is "a dark traffic signal is a 4-way stop".
>
> I'm not so sure that's true. (The 2-3 orders of magnitude part). When
> I worked ambulance, we responded to a lot more collisions in 4-way
> stop intersections and malfunctioning (dark or flashing red) signal
> intersections than we did in intersections with conflicting greens. A
> whole lot ore, like none of the conflicting greens and many of the
> others.

Well, sure: what's the *incidence* of conflicting greens?

I wasn't suggesting that the incidence of accidents would be any different
between conflicting greens and other types of failures (though my intuition
is that it would be higher), but that's swamped by how often the condition
actually occurs, which, appears to require someone physically running a
truck into the control box, or a chain of 5 or 6 failures in cascade to 
occur, based on other postings on this thread.

> As such, I'd say that the probability of a conflicting green occurring
> and causing an injury accident is pretty low even with (relatively)
> modern digital signal controllers.

Yup, it does appear that's true.

> > >                        but more dangerous than a properly operating
> > > intersection. If we can eliminate 1000 failures without conflicting
> > > greens, at the cost of one failure with a conflicting green, it
> > > might be a net win in terms of safety.
> >
> > The underlying issue is trust, as it so often is. People assume (for
> > very good reason) that crossing greens is completely impossible. The
> > cost of a crossing-greens accident is *much* higher than might be
> > imagined; think "new Coke".
>
> Sorry, I have trouble understanding how you draw a parallel between a
> crossing greens accident and new coke.
>
> Yes, people assume a crossing greens situation is completely
> impossible. People assume a lot of very unlikely things are completely
> impossible. Many people think that winning the lottery is completely
> impossible for them. A fraction of those people choose not to play on
> that basis, rendering that belief basically true. Even with modern
> software-controlled signaling, crossing greens events are extremely
> uncommon. So much so that I have never actually encountered one.

Me neither.

This does not forbid me from speculating on it. :-)

> I will say that the relative complexity of configuring the software
> systems vs. wiring a relay based system to correctly protect a modern
> complex intersection would make the relay system inherently
> significantly less likely to have completely protected logic. In fact,
> it might even be electrically impossible to completely protect the
> logic in some modern intersection configurations because they don't
> make relays with that many poles.

That's a possibility, certainly.  It seems an interesting masters project
for an electrical engineer.  How many zeros can you get into the p number?
 
> Conversely, the software configuration interface is pretty well
> abstracted to the level of essentially describing the intersection in
> terms of source/destination pairs and paths crossed by each pair.
> Short of a serious bug in the overall firmware or the configuration
> compiler (for lack of a better term), I'd say that such gross errors
> in the configuration of the conflict monitor are pretty unlikely.
> Indeed, the history of traffic light malfunctions with digital
> controllers would seem to bear this out. The safety record appears to
> be pretty good.

Yes, but I was aiming more for failure conditions than mis-programming
conditions.
 
> So rare, in fact, that traffic light malfunctions do not appear in a
> list of traffic accident causes that totaled more than 99% of traffic
> accidents when I added up the percentages. I can only assume that
> since light malfunctions overall are not a statistically significant
> fraction of accidents, conflicting greens must represent an even
> smaller and more insignificant fraction.

No kidding.  That's pleasant to hear.
 
Cheers,
- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274