I saw something I never expected to see on the way home yesterday evening — a set of traffic lights that had failed with all of them showing green.
By the time I arrived at the junction in question, there were police cars with their lights flashing all over the place, policemen standing in all four branches of the intersection, and a number of cars (or pieces thereof) piled up at the sides of the road.
That must be a horrible experience — entering a junction brimming with confidence that you have a green light, and meeting cars coming from your right and left whose drivers also think they have right of way.
I remember them waffling on about this at university — how to design systems so that they always fail into a known state. As I recall, they used traffic lights as an example, with the design being such that they would always fail to all red; never to all green.
But that was 35+ years ago now and — like so many other things — it's faded from my mind. Let's assume the simplest case of two roads crossing at 90 degrees (North-South and East-West).
Do you remember how to create this sort of design such that it will only fail with both directions red (or off)? And can you conceive how the lights I saw yesterday evening had managed to fail with both directions green?
43 thoughts on “How can traffic lights fail all green?”
“Many years ago (1990 or so) I worked at a company that made many things – including traffic lights. The system ran on micros, but the final decoding was done by some EPROMs which were programmed up to suit the actual set of lights. The EPROMs prevented
“That sounds about right. I seem to recall the EPROM approach now you mention it.”
“We used those EPROM decoders for all sorts of things, including state machines and such. Heck, we even had a “GPU” for drawing to a vector display (radar console) that used that approach.”
“For micros driving GPIOs, the firmware needs unit tests to verify this state can't be reached.”
““And can you conceive how the lights I saw yesterday evening had managed to fail with both directions green?” I'm pretty sure this can be achieved with very low effort by using a computer and some software. Is it really so in US that the lights turn (o
“Yes — we used them for a bunch of things, from simple lookup tables to state machines and beyond. It's amazing how much we achieved with so little LOL”
““Easy answer: someone did not do their job properly. Accounts for probably 95% of cases like this?” You're turning into a cynic (which is not to say that you aren't right :-)”
““Is it really so in US that the lights turn (or they are supposed to turn) red upon failure? At least here in Nordic Countries lights start to blink orange upon failure or loss of control” Actually, now you mention it, you may be right — I think the
“I think the most important thing is that the circuit that monitors for illegal states MUST be totally separate from the main control. Furthermore, if this circuit triggers, the ONLY pattern it can generate is a safe one, i.e. flashing red on all sides or
“Out of all the systems on the planet, traffic lights must count amongst the most researched and the most used, so how could the ones I saw possibly fail to all green?”
““How can traffic lights fail all green?” The controller is just one part of the system. The wiring is another. Let's not rule out the possibility that the red and green lamp wiring was reversed by the installer. Installer: “After I installed the
“But I go through that light every day and it's worked until now…”
“Testing is not enough but is required. Source code inspections catch the most problems. The majority of embedded systems ship with only 50% of logic paths tested, especially now that we have million line of code (LOC)+ systems.”
““…especially now that we have million line of code (LOC)+ systems.” I remember working with large systems with tiny memories circa 1980 — if someone had said “million lines of code” we'd have laughed our socks off — how things have changed…
“One possibility that occurred to me is that ambulance/fire/police vehicles have some sort of device to turn the lights in their path to green. What happens if say an ambulance and a fire truck approach the intersection at the same time going in differen
“Max, we still laugh. Tense laughter.”
“Any such “green light” decision making should only choose what green lights get set. It is still up to the lockout mechanism to only choose one green light.”
“Max, we are surrounded by “how could they do that” bugs. Pretty much every leap year (one coming next year) serves up a crop of leap year bugs. Look at the patriot missile bug… how is it possible anyone coded that? How is it possible testing did
“Well, someone might have reconfigured the system when you weren't looking! :-) My intent was mainly to point out that it was the system that failed, and the controller is just one part of the system.”
“Yes, I agree. Clearly, in addition to whatever else happened there was a design flaw that allowed more than one green light.”
“Reminds me of a vaguely amusing story of Zimbabwe (actually it was still Rhodesia then). In the “thriving” town of Gwelo (now Gweru) there was a single traffic light (“robot” in southern Africa) in the middle of town. In those days it was the lights m
“Hi Max, I can remember when all the signal logic on London Underground was relay logic with mechanical interlocking frames. Even after the paranoid, some said, testing the signals went through at design stage, some of the installed interlocking frames had
““Well, someone might have reconfigured the system when you weren't looking! :-)” The little scamps — you turn your back for a minute and…”
““Look at the patriot missile bug… how is it possible anyone coded that? How is it possible testing did not find that?” It's terrifying when you come to think about it…”
““… Zimbabwe (was Rhodesia) … Gwelo (now Gweru) … traffic light (robot)…” Stop! You're making my head hurt! LOL”
“Speaking of “how could they do that” bugs… I recently read about a software bug with the Boeing 787 aircraft. It seems that all of the generators have the capability of simultaneously failing in the off position. According to the FAA: “If the four
““I recently read about a software bug with the Boeing 787 aircraft.” I heard about that one also — I cannot conceive how that got built into the system.”
“Well nobody tested the generators running for 284 days non-stop. What was more astounding was the Patriot missile bug. That manifests in less than 24 hours.”
“In my part of the world (St. Louis, MO) the traffic light systems seem to be controlled by PLCs–I'm not sure which brand. I would think that the kind of fail safe modes that can be programmed may depend a lot on what the particular PLC allows.”
“I can't immediately find the regulations to give you a precise interval, but transport aircraft have to undergo periodic inspections, during which time it would be insanity not to shut down the systems. (Not to mention shutting down the machine between fl
“Just wanted to say those were some very cool pics David.”
“Such systems are (should be :)) built with functional safety in mind. There was a safe state designed in the traffic lights for sure. I'm convinced there're no simple answers here. Be it a software error (even PLCs are programmable) or a HW failure, it w
““Now money comes into play: budgets for design, implementation and thorough testing are limited.” It was always thus :-)”
“Has anyone considered that the all green light problem might be the consequence and not the cause? As in, some wires got shorted and/or others cut by some of the piled up cars Clide mentions he saw. Clide, did you have a view of the lights for long eno
“Who is this man called Clide? (asks “Clive 'Max' Maxfield”) LOL In answer to your question — they were green north-south for a long, long time as the trickle of traffic was allowed through by the police — then once I'd turned east, they stayed gree
“Yes, Clive, sorry about that. It took me about 5 hours to write that post as I'm putting out a few fires in the lab (metaphorically), and at some point I changed my writing from “you” to “he”… But in return to the problem at hand and considering som
“Elevators are other everyday used devices that require robust failsafe mechanisms. Last year in the city I live in, an elevator in a very new building started to uncontrollably go up and crashed into the ceiling: https://www.youtube.com/watch?v=vHzu6G
““Maybe a failsafe camera mounted on each traffic light that sees at least a few of the other traffic lights?” That's a very interesting idea — especially since the deployment of embedded vision is poised to start ramping up exponentially…”
“Max: “And can you conceive how the lights I saw yesterday evening had managed to fail with both directions green?” Easy answer: someone did not do their job properly. Accounts for probably 95% of cases like this?”
““The power of accurate observation is commonly called cynicism by those who have not got it.” George Bernard Shaw So you're telling me I am turning into an accurate observer? :-)”
“Flashing orange was certainly the norm in Zimbabwe (that's if the lights go wrong when the electricity is actually on… 🙂) and I think in Australia. I did a PLC (Programmable Logic Controller) course recently and one thing we had to do was design a P
“Also in Gweru is Boggies Clock. This was erected in 1928 by a Mrs Jean Boggie in remembrance of her late husband. There is also a local newspaper called the Gweru times. A local joke has it that The Gweru Times may be observed on the four unsynchronised
“It's easy enough to do lockouts even with a uC based system. Simply put good old relays on the outputs (or use contacts on existing relays – which would probably be there to drive 110/240V lamps) such that the supply for one direction's green causes the
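An added example, not code from the post or from any commenter: a C model of the separate illegal-state monitor and the exhaustive "this state can't be reached" test raised in the thread, for the two-road junction in the post. The lamp bit layout, the legality rules and all names are assumptions made for illustration; in a real installation this logic would sit in hardware independent of the main controller.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed lamp layout: one bit per lamp, as sensed at the lamp outputs. */
enum { NS_RED = 1 << 0, NS_AMBER = 1 << 1, NS_GREEN = 1 << 2,
       EW_RED = 1 << 3, EW_AMBER = 1 << 4, EW_GREEN = 1 << 5 };
#define NS_ALL  (NS_RED | NS_AMBER | NS_GREEN)
#define EW_ALL  (EW_RED | EW_AMBER | EW_GREEN)
#define ALL_RED (NS_RED | EW_RED)

typedef struct { bool tripped; } monitor_t;  /* latched until a manual reset */

/* Legal means: no unknown bits, every approach shows something, red is never
 * lit together with green, and at most one road shows green or amber. */
bool lamps_legal(uint8_t s)
{
    bool ns_go = (s & (NS_GREEN | NS_AMBER)) != 0;
    bool ew_go = (s & (EW_GREEN | EW_AMBER)) != 0;
    if (s & ~(NS_ALL | EW_ALL)) return false;
    if (!(s & NS_ALL) || !(s & EW_ALL)) return false;   /* dark approach */
    if ((s & NS_RED) && (s & NS_GREEN)) return false;
    if ((s & EW_RED) && (s & EW_GREEN)) return false;
    return !(ns_go && ew_go);                           /* conflicting roads */
}

/* What actually reaches the lamps. Once tripped, the controller's request is
 * ignored and the only possible outputs are all-red or dark (flashing red). */
uint8_t monitor_output(monitor_t *m, uint8_t sensed, bool flash_on)
{
    if (!lamps_legal(sensed)) m->tripped = true;
    if (m->tripped) return flash_on ? ALL_RED : 0;
    return sensed;
}

/* Exhaustive check over every 8-bit pattern a faulty controller could emit:
 * counts outputs where both roads are permissive. Must be zero. */
int count_conflicting_outputs(void)
{
    int bad = 0;
    for (int s = 0; s < 256; s++) {
        monitor_t m = { false };
        uint8_t out = monitor_output(&m, (uint8_t)s, true);
        if ((out & (NS_GREEN | NS_AMBER)) && (out & (EW_GREEN | EW_AMBER)))
            bad++;
    }
    return bad;
}

int main(void) { return count_conflicting_outputs() == 0 ? 0 : 1; }
```

The latch is the important part: after one illegal pattern, a later legal request from the controller still produces only the safe pattern until someone resets the monitor.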