Real Fail Safe

One of the most important considerations when designing traffic signals is that they be “fail safe”. If something fails, it should go to a safe condition. Of course, that operation should be maintained throughout the life of the installation.

In the old days, this form of operation was often a simple interlock built from the relays used to control the signals. If the main street was green, the side street was forced to red. With the advent of microprocessors and other solid-state electronics in traffic signal systems, and as the systems have become more complex, controlling more than just two directions, the old idea of fail-safe operation sometimes gets lost. New intersections often control eight or more movements with all sorts of adaptive timing. Still, it is vitally important that the system fail in a safe condition.

Nothing can be assumed, least of all that the manufacturer has designed and tested everything to that standard. Every new device should be fully tested to ensure it works as expected.

Here are a couple of the types of design errors that need to be checked for:

When microprocessors began to be used in signal monitors, it was assumed that everything was working well on the strength of a simple test: a voltage was applied to conflicting inputs and the monitor tripped. As it turns out, this test failed on at least two counts: the test facility uses a different form of power than is used in the street, and a street light circuit can short and supply the conflicting input itself.

The latter happened during an installation. Street lights are usually on 240 volts while the traffic signals are on a 120 volt circuit. In actuality, the power at the signal is just like the residential power at your home: a split 240/120 volt service with two 120 volt legs whose voltages are 180 degrees out of phase with each other. The manufacturer programmed the conflict monitor to look at only one of those legs, the one the monitor itself was powered from. The problem was that one lead of the street light circuit was on the opposite leg, the one that was not monitored. That power could, and did, turn on a green light without the monitor detecting it.

This failure was noticed by a very alert inspector and reported. In the shop, the system was tested and worked perfectly, even when an out-of-phase voltage was applied. This pointed out the other failure. The shop building is powered by three-phase power, where each leg is 120 degrees out of phase with the others, and that difference allowed the system to work. Evidently, the manufacturer had similar power in his plant.

As it happened, we had two systems under test in our shop from different manufacturers, and both had the same problem. One manufacturer reprogrammed his monitor, and the system then worked properly. The other didn't see it as a problem but replaced the monitors in his systems with older analog devices, which made his system acceptable to us. Unfortunately, that manufacturer continued to sell the monitors we had rejected for years thereafter. We never accepted any other equipment from that manufacturer.
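As an added illustration, not code from the original article or from either manufacturer, the following Python simulation shows why a test at the bench can pass while the same monitor misses an input on the opposite split-phase leg. Everything in it is constructed: the sample count per cycle, the 25 volt "on" threshold, and in particular the half-cycle gated detector, which is an assumed model of a monitor that samples only in step with its own supply, not a description of any real firmware. The full-cycle RMS detector is the phase-independent alternative. The same three cases the article describes are run: an input on the monitor's own leg (0 degrees), on a three-phase leg (120 degrees, the shop), and on the opposite split-phase leg (180 degrees, the street).

```python
import math

# Constructed simulation parameters (assumptions for this illustration).
SAMPLES_PER_CYCLE = 120            # samples across one line cycle
LEG_RMS_V = 120.0                  # nominal leg voltage
PEAK_V = LEG_RMS_V * math.sqrt(2)
ON_THRESHOLD_V = 25.0              # assumed: an input above this is "on"


def one_cycle(phase_deg, amplitude=PEAK_V, n=SAMPLES_PER_CYCLE):
    """Sample one cycle of the monitor's own supply (the reference) together
    with an input on a leg that lags the reference by phase_deg degrees.

    Returns a list of (reference_volts, input_volts) pairs.
    """
    samples = []
    for k in range(n):
        theta = 2 * math.pi * k / n
        ref = PEAK_V * math.sin(theta)
        vin = amplitude * math.sin(theta - math.radians(phase_deg))
        samples.append((ref, vin))
    return samples


def half_cycle_gated_detect(samples, threshold=ON_THRESHOLD_V):
    """Assumed model of a phase-dependent monitor: it looks at the input only
    while its own supply is in the positive half-cycle, and asks whether the
    input is positive and above threshold during that window.

    An input exactly 180 degrees out of phase is negative for the whole
    window, so it is never seen; a 120 degree input overlaps the window for
    60 degrees and is seen, which is why a three-phase bench hides the bug.
    """
    gated = [vin for ref, vin in samples if ref > 0]
    return max(gated, default=0.0) > threshold


def full_cycle_rms_detect(samples, threshold=ON_THRESHOLD_V):
    """Phase-independent check: true RMS of the input over a whole cycle.

    Squaring discards the sign, so the relative phase of the input no longer
    matters; only the presence of voltage does.
    """
    rms = math.sqrt(sum(vin * vin for _, vin in samples) / len(samples))
    return rms > threshold


def compare(phase_deg, amplitude=PEAK_V):
    """Run both detectors on one input and report what each one sees."""
    samples = one_cycle(phase_deg, amplitude)
    return {
        "gated": half_cycle_gated_detect(samples),
        "rms": full_cycle_rms_detect(samples),
    }


if __name__ == "__main__":
    cases = [
        ("same leg as monitor", 0),
        ("three-phase leg (shop bench)", 120),
        ("opposite split-phase leg (street)", 180),
    ]
    for label, phase in cases:
        print(f"{label:36s} {compare(phase)}")
    print(f"{'no voltage at all':36s} {compare(0, amplitude=0.0)}")
```

The point of the comparison is the acceptance test, not the detector: any bench test of a monitor should include an input driven from a source with the same 180 degree relationship to the monitor's supply that the street will have, and should confirm that the monitor rejects nothing when no voltage is present.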

Another place where microprocessors seem to have eroded the old fail-safe ideal is conflict prevention inside the controller itself. Old controllers had circuitry within them that prevented conflicting signal conditions. Back in the really old days it was built into the relay circuit design, and later, in the transistor and integrated circuit days, there was similar circuitry. With microprocessor controllers, that "circuitry" is in the firmware or programming. How many customers look at the code to see whether the manufacturer really made any such provision? And if they did, is it as effective as real electronic circuitry? Often, the answer to either or both may be no. How do you know?

Now the only form of conflict monitoring is usually a single device, the fail-safe or conflict monitor described in the first item. It seems that some other form of protection from conflicting signals might be in order: either another monitor or, better yet, a separate interlock device that doesn't have to do sophisticated monitoring (minimum input voltage, missing reds, yellow duration and so on), just a simple last-ditch check for conflicting greens, for old times' sake, and just in case.
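What such a last-ditch interlock amounts to in logic, as an added example that is not part of the original article and not any vendor's product, is shown below in Python. The eight-channel numbering and the list of pairs allowed to be green together are assumptions made for the illustration (they follow the common dual-ring layout, but a real matrix comes from the intersection design); the safe state is assumed to be all-way flash. Two design choices are deliberate: the conflict matrix is built by listing what is permitted and treating everything else as a conflict, so a forgotten pair fails safe, and the interlock latches once tripped until someone resets it by hand.

```python
from itertools import combinations

# Constructed example: eight channels numbered 1..8.  Which pairs may be green
# together is an assumption for this illustration, not a real design.
CHANNELS = range(1, 9)
PERMISSIVE_PAIRS = {
    frozenset(p)
    for p in [(1, 5), (1, 6), (2, 5), (2, 6), (3, 7), (3, 8), (4, 7), (4, 8)]
}


def build_conflict_pairs(channels, permissive_pairs):
    """Every pair of channels not explicitly permitted is a conflict.

    Listing permissions rather than conflicts is the fail-safe direction:
    a pair nobody thought about ends up as a conflict, not as a permission.
    """
    return {
        frozenset(pair)
        for pair in combinations(channels, 2)
        if frozenset(pair) not in permissive_pairs
    }


CONFLICT_PAIRS = build_conflict_pairs(CHANNELS, PERMISSIVE_PAIRS)


def conflicting_greens(active_greens, conflict_pairs=CONFLICT_PAIRS):
    """Return the sorted list of conflicting pairs among channels showing green."""
    greens = sorted(set(active_greens))
    return sorted(
        pair for pair in combinations(greens, 2)
        if frozenset(pair) in conflict_pairs
    )


class LastDitchInterlock:
    """Minimal interlock: trips on any pair of conflicting greens and latches.

    It deliberately knows nothing about yellows, reds, minimum voltages or
    timing; its only job is the one check the old relay interlock did.
    """

    RUN = "RUN"
    FLASH = "FLASH"   # assumed safe state: all-way flash

    def __init__(self, conflict_pairs=CONFLICT_PAIRS):
        self.conflict_pairs = conflict_pairs
        self.tripped = False
        self.reason = None

    def step(self, active_greens):
        """Evaluate one sample of green states and return RUN or FLASH.

        Once tripped the output stays FLASH regardless of later input;
        a transient conflict must not clear itself.
        """
        if not self.tripped:
            found = conflicting_greens(active_greens, self.conflict_pairs)
            if found:
                self.tripped = True
                self.reason = found
        return self.FLASH if self.tripped else self.RUN

    def manual_reset(self):
        """Clear the latch; intended to require a person at the cabinet."""
        self.tripped = False
        self.reason = None


if __name__ == "__main__":
    interlock = LastDitchInterlock()
    for greens in [{2, 6}, {4, 8}, {2, 3}, {2, 6}]:
        print(sorted(greens), interlock.step(greens), interlock.reason)
```

In a hardware implementation the green-sense inputs feeding this check should be read in a phase-independent way, for the reason given in the first item, and the FLASH output should be the de-energized state of whatever relay drives the flasher, so that a dead interlock also fails to flash rather than to run.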

My feeling is, if something can go wrong, it will. I just hate for it to happen on my watch! That’s one reason I’m glad I no longer have a watch.