Although we are used to a world where just about everything is controlled by a computer of some sort or another, and even very simple things are controlled by an tiny chip containing some sort of custom logic, it was not that long ago where control was effected by systems built out of ladder logic implemented in magnetic relays. Modern programmable logic controllers (PLCs) are still programmed in ladder logic, but don’t directly implement it as hard wired logic. Indeed if you take a lift in any building older than a few decades the lift will be controlled by relays. Traffic lights were no different. One nice thing about ladder logic is that it is simple enough that you can formally prove correctness, a very valuable feature where safety is critical. What a system composed of electromechanical devices can’t do is provide a really good guarantee against arbitrary failure of a component. Anyone who has worked in a building with older lifts will know the bizarre failures and quirks a fault in the controller can create.
One of the most weird failures I ever saw was on a very hot day (40 C plus) and was a set of lights that were working perfectly, just at about 20 times too fast. It would take a matter of seconds for them to cycle through an entire sequence.
Even simple logic based systems can glitch and get into what is an illegal state. Whilst you might be able to prove that you can never get into such a state from any other state, a power supply glitch, nearby lightning strike, or similar can drop the system into such a state. Everyone has experienced some simple (non computerised) device that locks up, or otherwise fails to work properly, but works fine after a power reset. Proving that in all possible states the system will behave safety is even harder.
Formally proving correctness of a pure software implementation is always going to be very difficult, if only due to the sheer complexity of the toolchain, but as the requirements grow the difficulty rises exponentially.
The other problem is that failures are not just confined to the controller. In the times of incandescent lamps lamp life was limited by the number of turn on cycles, with the thermal shock on the filament doing the damage. So lamp controllers would provide a soft start, or keep a residual current through the filament to keep it warm. All adding ever more possible failures that could light up a lamp without the sequencing controller actually commanding it.
All of which leads to the nature of the conflict detectors. They need to be more robust and reliable than the controller they oversee, and they need to be as independent of those controllers as possible.