by magmastonealex 703 days ago
Generally no, this is something from fiction.

I'm mostly familiar with North American traffic signal control, and in those traffic cabinets there is a device known as an "MMU" (Malfunction Management Unit) which acts as a safety monitor for the rest of the traffic cabinet.

That device will catch so-called "conflicts" (two conflicting directions green at the same time) and put the intersection into a fail-safe state (usually flashing red/yellow lights).

There are of course some edge cases where this is technically possible (as long as the cabinet door is open in CalTrans TEES cabinets, you can actually remove the MMU entirely and do whatever you want), and I'm not familiar with safety mechanisms used in other localities.

(Note: I work in the industry, not for any of the companies in this article, and my views are my own).

4 comments

In the old timer-and-cam based systems I also believe this was electrically impossible. IIRC the green light in one direction was grounded through the green light in the crossing direction. So it was impossible for both of them to be on at the same time.

Fiction... indeed, science fiction. There was a short story (I believe in Analog) in the 1960s about this, later amplified by the author into a book.

But getting to your real point, about the use of an MMU safety monitor: I'm sure this works. But I confess, the first thing I thought about when I read that was CrowdStrike's explanation of their pre-release testing mechanism: running "validation checks" on the content, rather than running the actual software. Had they actually run their release, they would surely have detected the bug, since it apparently bricked every single Windows machine that downloaded it.

> I'm mostly familiar with North American traffic signal control, and in those traffic cabinets there is a device known as an "MMU" (Malfunction Management Unit) which acts as a safety monitor for the rest of the traffic cabinet.

Presumably the logic for this MMU could be implemented in strictly electrical components (relays or such). That would give me the most comfort (since its functionality would be, literally hard-wired).

I worry that some enterprising manufacturer, out to save a few bucks, would implement this functionality in a microcontroller with firmware that could be updated remotely.

Does the standard specify the functionality of the MMU must be hard-wired, or at the very least not able to be changed without physical access?

Unfortunately those fears are well-founded.

The majority of MMUs on the market that I have had a close look at implement safety-critical functionality on a microcontroller with updatable firmware. Some can even be updated over IP. I haven't had the opportunity to dig into if those firmware upgrades are signed or otherwise integrity-protected.

The standard unfortunately does not specify a functional safety standard or other measures to ensure absolute safety.

In theory it would be possible to implement it in discrete logic (or an FPGA or other formally-verifiable process), but as far as I know no manufacturer has done so (I'd love to be wrong!)

How about switching lights in quick succession, enough to cause real-world issue, but avoiding the direct conflict?

Now you start to get into the differences between the various standards :)

In NEMA TS2 (and the more modern ITE ATC), the MMU does enforce a yellow clearance time - you need the light to turn yellow for a period of time before a conflicting phase goes green. Usually this is a few seconds. Changing phases rapidly would likely confuse drivers, but in _theory_ shouldn't cause a collision if people respect yellows.

(believe it or not, in some localities a "red clearance" time - all red - is not required and lights will go from yellow in one direction to green in another.)

In CalTrans TEES, I do not believe the standard calls for the MMU to enforce clearance times - the attack you describe would potentially be possible.
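The two behaviours discussed in this thread (the top post's conflict check that drops the cabinet into a fail-safe flash, and the NEMA TS2 minimum yellow clearance check that the quick-succession question is probing) can be modelled as a small software conflict monitor. The block below is an added example written for this page; it is not code from any MMU vendor, cabinet standard or poster here. It assumes a constructed two-channel intersection (channel 0 north-south, channel 1 east-west), a constructed 10 Hz sampling of the controller outputs, a 3 s minimum yellow chosen to match the "few seconds" mentioned above, and an `enforce_clearance` switch whose `False` setting models a monitor that only checks conflicts, as the commenter believes TEES monitors do. Names like `ConflictMonitor`, `phase_sequence` and `run` are this example's own.

```python
"""Toy MMU-style conflict monitor (added example, not vendor or standard code).

The monitor watches per-channel outputs once per controller tick and latches
a fault, sending the intersection to FLASH, when it sees either:
  - a conflict: two channels in a configured conflict pair both non-red, or
  - a short yellow: a channel leaves green/yellow for red after fewer than
    min_yellow_ticks consecutive yellow ticks (a direct green->red counts as 0).
Once latched, the monitor stays in FLASH regardless of later controller outputs.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Light(Enum):
    RED = "R"
    YELLOW = "Y"
    GREEN = "G"


R, Y, G = Light.RED, Light.YELLOW, Light.GREEN
FLASH = "FLASH"          # fail-safe output: all heads flash
TICKS_PER_SECOND = 10    # constructed sampling rate of controller outputs


@dataclass
class ConflictMonitor:
    channels: int
    conflicts: frozenset              # frozenset of frozenset({a, b}) channel pairs
    min_yellow_ticks: int             # minimum yellow clearance, in ticks
    enforce_clearance: bool = True    # False: conflict-only monitor (TEES-style model)
    fault: Optional[str] = None
    _prev: List[Light] = field(default_factory=list)
    _yellow_run: List[int] = field(default_factory=list)

    def __post_init__(self) -> None:
        self._prev = [R] * self.channels
        self._yellow_run = [0] * self.channels

    def _latch(self, reason: str) -> None:
        self.fault = reason

    def observe(self, outputs: List[Light]):
        """Feed one tick of controller outputs; return what reaches the field."""
        if self.fault is not None:
            return FLASH
        if len(outputs) != self.channels:
            raise ValueError("channel count mismatch")
        # Conflict check: any configured pair with both channels non-red.
        active = {i for i, s in enumerate(outputs) if s is not R}
        for pair in self.conflicts:
            if pair <= active:
                a, b = sorted(pair)
                self._latch(f"conflict: channels {a} and {b} active together")
                return FLASH
        # Clearance check: yellow must run for min_yellow_ticks before red.
        if self.enforce_clearance:
            for i, s in enumerate(outputs):
                prev = self._prev[i]
                if s is Y:
                    self._yellow_run[i] += 1
                    continue
                if prev is not R and s is R:
                    run = self._yellow_run[i]   # 0 if the channel skipped yellow
                    if run < self.min_yellow_ticks:
                        self._latch(f"short yellow on channel {i}: {run} ticks")
                        return FLASH
                self._yellow_run[i] = 0
        self._prev = list(outputs)
        return list(outputs)


def phase_sequence(ns_green: int, ns_yellow: int, ew_green: int, ew_yellow: int):
    """Constructed two-channel cycle with no all-red interval: NS green, NS
    yellow, then EW green immediately, EW yellow, then back to rest."""
    seq = []
    seq += [[G, R]] * ns_green
    seq += [[Y, R]] * ns_yellow
    seq += [[R, G]] * ew_green
    seq += [[R, Y]] * ew_yellow
    seq += [[R, R]]  # rest tick so the final yellow gets checked
    return seq


def run(monitor: ConflictMonitor, sequence) -> Tuple[Optional[int], Optional[str]]:
    """Feed a whole sequence; return (tick of first FLASH, fault) or (None, None)."""
    for t, outputs in enumerate(sequence):
        if monitor.observe(outputs) == FLASH:
            return t, monitor.fault
    return None, None


if __name__ == "__main__":
    pairs = frozenset({frozenset({0, 1})})
    min_yellow = 3 * TICKS_PER_SECOND
    cases = [
        ("normal cycle", ConflictMonitor(2, pairs, min_yellow), phase_sequence(50, 30, 50, 30)),
        ("direct conflict", ConflictMonitor(2, pairs, min_yellow), [[G, R]] * 5 + [[G, G]]),
        ("short yellow, TS2-style", ConflictMonitor(2, pairs, min_yellow), phase_sequence(10, 5, 10, 30)),
        ("short yellow, conflict-only", ConflictMonitor(2, pairs, min_yellow, enforce_clearance=False),
         phase_sequence(10, 5, 10, 30)),
    ]
    for name, mon, seq in cases:
        print(f"{name}: {run(mon, seq)}")
```

The last two cases are the quick-succession scenario: the same 0.5 s yellow passes a monitor that only checks conflicts but latches a fault on one that also enforces a minimum yellow. Note that neither variant flags the missing all-red interval, matching the thread's observation that red clearance is optional.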

> (believe it or not, in some localities a "red clearance" time - all red - is not required and lights will go from yellow in one direction to green in another.)

This was definitely true in the past, I feel like the concept of a 'red clearance time' is something that only became common within the last 5-10 years. Do you think it has become (with rare exceptions) ubiquitous at this point?

I'd like to think it's become ubiquitous - it has been a while since I've seen a signal without a red clearance configured.

However, the Federal Highway Administration in the US (which sets guidelines, but most states define actual rules at the state level) still says in their Signal Timing Manual [1]

> The use of a red clearance interval is optional, and there is no consensus on its application or duration. [...] there may not be safety benefits associated with increased red clearance intervals.

and goes on to describe how it has negative traffic flow implications.

so I suspect at least some agencies out there still are not using them.

[1]: https://ops.fhwa.dot.gov/publications/fhwahop08024/chapter5....

I feel like my area (where I've lived my whole life) does not have a red clearance interval. It's not something I've paid attention to before.

I'm sure it's proper driving technique but I feel it's ingrained in my head to give a couple seconds when a red turns into a green for all cross traffic to finish / anyone who runs the light. It's a common thing around me and I don't think it would be happening as much if an all-red period was implemented.

I moved up to Oregon for a few years during/after the pandemic. I can say from experience that the entire state consistently did not have red clearance times at least up to when I left in late 2023.

"...if people respect yellows." Of course they respect yellows! Yellow means "go faster so you can make it through the intersection."