[146815] in North American Network Operators' Group
Re: OT: Traffic Light Control (was Re: First real-world SCADA attack
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Nov 22 15:40:51 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <27628410.3767.1321989994469.JavaMail.root@benjamin.baylink.com>
Date: Tue, 22 Nov 2011 12:37:17 -0800
To: Jay Ashworth <jra@baylink.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
>
>> but that's not the only risk. When the traffic
>> signal is failing, even if it's failing with dark or red in every
>> direction, the intersection becomes more dangerous. Not as dangerous
>> as conflicting greens,
>
> By 2 or 3 orders of magnitude, usually; the second thing they teach you
> in driver ed is "a dark traffic signal is a 4-way stop".
>
I'm not so sure that's true. (The 2-3 orders of magnitude part). When I worked ambulance, we responded to a lot more collisions in 4-way stop intersections and malfunctioning (dark or flashing red) signal intersections than we did in intersections with conflicting greens. A whole lot more, like none of the conflicting greens and many of the others.
As such, I'd say that the probability of a conflicting green occurring and causing an injury accident is pretty low even with (relatively) modern digital signal controllers.
>> but more dangerous than a properly operating
>> intersection. If we can eliminate 1000 failures without conflicting
>> greens, at the cost of one failure with a conflicting green, it might
>> be a net win in terms of safety.
>
> The underlying issue is trust, as it so often is. People assume (for
> very good reason) that crossing greens is completely impossible. The
> cost of a crossing-greens accident is *much* higher than might be
> imagined; think "new Coke".
>
Sorry, I have trouble understanding how you draw a parallel between a crossing greens accident and New Coke.
Yes, people assume a crossing greens situation is completely impossible. People assume a lot of very unlikely things are completely impossible. Many people think that winning the lottery is completely impossible for them. A fraction of those people choose not to play on that basis, rendering that belief basically true. Even with modern software-controlled signaling, crossing greens events are extremely uncommon. So much so that I have never actually encountered one.
>> Modern intersections are often considerably more complicated than a
>> two phase "allow N/S, then allow E/W, then repeat" system. Wiring relays
>> to completely avoid conflict in that case is very complex, and,
>> therefore, more error prone. Even if a properly configured relay
>> solution is more reliable than a properly configured solid-state
>> conflict-monitor solution, if the relay solution is more likely to be
>> misconfigured, then there's not necessarily a net win.
>
> Sure. But we have no numbers on either side.
>
I will say that the relative complexity of configuring the software systems vs. wiring a relay based system to correctly protect a modern complex intersection would make the relay system inherently significantly less likely to have completely protected logic. In fact, it might even be electrically impossible to completely protect the logic in some modern intersection configurations because they don't make relays with that many poles.
Conversely, the software configuration interface is pretty well abstracted to the level of essentially describing the intersection in terms of source/destination pairs and paths crossed by each pair. Short of a serious bug in the overall firmware or the configuration compiler (for lack of a better term), I'd say that such gross errors in the configuration of the conflict monitor are pretty unlikely. Indeed, the history of traffic light malfunctions with digital controllers would seem to bear this out. The safety record appears to be pretty good.
So rare, in fact, that traffic light malfunctions do not appear in a list of traffic accident causes that totaled more than 99% of traffic accidents when I added up the percentages. I can only assume that since light malfunctions overall are not a statistically significant fraction of accidents, conflicting greens must represent an even smaller and more insignificant fraction.
>> Cost is an object. If implementing a solid state controller is less
>> expensive (on CapEx and OpEx basis) than a relay-based controller, then
>> it might be possible to implement traffic signals at four previously
>> uncontrolled intersections, instead of just three. That's a pretty big
>> safety win.
>
> See above about whether people trust green lights to be safe.
>
People trust cars to be safe. What is your point?
Owen
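The message above describes the software approach as "describing the intersection in terms of source/destination pairs and paths crossed by each pair", with a configuration compiler turning that description into the conflict monitor's table. The following is an added example (not code from the thread, the NANOG list, or any signal-controller vendor) of what that derivation and the two checks built on it look like. Everything in it is hypothetical: the leg names, the coordinates, the movement names, the phase-plan names and the rule that movements leaving the same leg are compatible are modelling assumptions, and the output format is not any real controller's or malfunction-management unit's format.

```python
"""Toy conflict monitor for a four-leg intersection (constructed example).

Each movement is a (source leg, destination leg) pair drawn as a straight
path across the intersection box. The conflict table is derived from that
geometry (paths that cross in their interiors, or that merge into the same
exit from different legs), so nothing is hand-wired. Two checks use it: one
validates a phase plan before deployment, the other inspects live signal
outputs the way an independent conflict monitor would. Names, coordinates
and rules are hypothetical; this is not any vendor's controller or format.
"""
from itertools import combinations

# Box spans -2..2. Right-hand traffic: entries on the right-hand half of
# each leg, exits on the other half (hypothetical coordinates).
ENTRY = {"S": (1, -2), "N": (-1, 2), "W": (-2, -1), "E": (2, 1)}
EXIT = {"N": (1, 2), "S": (-1, -2), "E": (2, -1), "W": (-2, 1)}

# Movement name -> (source leg, destination leg). Right turns omitted.
MOVEMENTS = {
    "NB_T": ("S", "N"), "NB_L": ("S", "W"),
    "SB_T": ("N", "S"), "SB_L": ("N", "E"),
    "EB_T": ("W", "E"), "EB_L": ("W", "N"),
    "WB_T": ("E", "W"), "WB_L": ("E", "S"),
}


def _orient(a, b, c):
    """Sign of the turn a->b->c (cross product of ab and ac)."""
    return (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])


def _paths_cross(p1, p2, q1, q2):
    """True only when the two segments cross in their interiors; paths that
    merely touch at a shared entry or exit point do not count here."""
    d1, d2 = _orient(q1, q2, p1), _orient(q1, q2, p2)
    d3, d4 = _orient(p1, p2, q1), _orient(p1, p2, q2)
    return d1 * d2 < 0 and d3 * d4 < 0


def conflicts(a, b):
    """Two movements conflict if their paths cross, or if they merge into the
    same exit from different legs. Movements leaving the same leg are assumed
    compatible (same approach, same signal heads) -- a modelling assumption."""
    src_a, dst_a = MOVEMENTS[a]
    src_b, dst_b = MOVEMENTS[b]
    if src_a == src_b:
        return False
    if dst_a == dst_b:
        return True
    return _paths_cross(ENTRY[src_a], EXIT[dst_a], ENTRY[src_b], EXIT[dst_b])


def build_conflict_table():
    """Derive the full set of conflicting pairs from the geometry alone."""
    return frozenset(frozenset(p) for p in combinations(MOVEMENTS, 2)
                     if conflicts(*p))


CONFLICT_TABLE = build_conflict_table()


def _violations(active):
    """Conflicting pairs among a set of simultaneously green movements."""
    unknown = set(active) - set(MOVEMENTS)
    if unknown:
        raise ValueError(f"unknown movement(s): {sorted(unknown)}")
    return sorted(tuple(sorted(p)) for p in combinations(sorted(active), 2)
                  if frozenset(p) in CONFLICT_TABLE)


def validate_phase_plan(plan):
    """Configuration-time check: every phase in the plan must be conflict
    free. Returns [(phase, (a, b)), ...]; an empty list means the plan is
    sound with respect to the derived table."""
    return [(name, pair) for name, greens in plan.items()
            for pair in _violations(greens)]


def monitor_outputs(active_greens):
    """Run-time check on the controller's actual outputs, independent of the
    plan. Returns 'OK', or ('FLASH', pairs) when conflicting greens are on;
    a real monitor would drop the intersection to flashing red at that point."""
    bad = _violations(active_greens)
    return "OK" if not bad else ("FLASH", bad)


# NEMA-style concurrency: opposing lefts, opposing throughs, or a lead/lag
# left running with its own through. Phase names are hypothetical.
PHASE_PLAN = {
    "main_lefts": {"NB_L", "SB_L"}, "main_throughs": {"NB_T", "SB_T"},
    "main_lag_NB": {"NB_L", "NB_T"},
    "side_lefts": {"EB_L", "WB_L"}, "side_throughs": {"EB_T", "WB_T"},
    "side_lag_EB": {"EB_L", "EB_T"},
}

if __name__ == "__main__":
    print(f"{len(CONFLICT_TABLE)} conflicting pairs derived from geometry")
    print("plan violations:", validate_phase_plan(PHASE_PLAN))
    print("crossing greens:", monitor_outputs({"NB_T", "EB_T"}))
```

The point the example makes is the one the message argues: the conflict table is a function of the intersection description, not a separately maintained list, so a mis-specified phase plan is caught by `validate_phase_plan` before it runs, and `monitor_outputs` checks what the controller actually drives rather than what the plan says it should drive. The second check is what keeps a firmware or compiler bug from producing conflicting greens, which is why the monitor is worth keeping independent of the controller that it watches.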