Patriot Missile Defense:

The US Response to the Patriot’s Deadly Software Bug

Nick Pafundi
CSC 300-01
January 4, 2010

Abstract
Fatal Defect by Ivars Peterson gives many examples of software causing physical and
financial harm to people. Medical devices, defense equipment, and financial software
have all failed, causing harm and death to hundreds of people.
The Patriot Missile system, designed in 1969 and produced in 1976, is a defensive
weapon used by the United States and other allied countries. The Patriot Missile sys-
tem uses a combination of high-performance radar and interceptor missiles to perform
anti-ballistic missions and defend the airspace in critical military installations.
In 1991, a software bug was found in the Patriot Missile system. This bug –
a software timing issue – caused the Patriot Missile to miscalculate trajectories of
airborne threats, therefore not intercepting them properly. Because of this bug, there
was at least one case where many soldiers died because a Scud missile was fired into a
military base without being intercepted.
The Israelis had identified this problem and informed the United States Army,
but the US Army continued using the Patriot Missile System without attempting to
resolve the issue or informing the Patriot users. A few days later, a Scud missile hit
a US Army barracks in Dhahran, Saudi Arabia, killing twenty-eight soldiers. The US
Army’s response to finding the bug in the Patriot Missile system was unethical under
many principles, as this paper will discuss.
Contents
1 Facts 3

2 Issue 6

3 Importance 6

4 Arguments 7
4.1 Ethical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.1.1 No Expectation of Scud Interception . . . . . . . . . . . . . . . . . . 7
4.1.2 No Expectation of Extended Operation . . . . . . . . . . . . . . . . . 7
4.1.3 “IDF Should Have Done More” . . . . . . . . . . . . . . . . . . . . . 7
4.2 Unethical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.2.1 Prior Knowledge of Bug from Israeli Defense Force . . . . . . . . . . 8
4.2.2 United States Army Incompetence . . . . . . . . . . . . . . . . . . . 8
4.2.3 Deaths Caused by Patriot Missile Bug . . . . . . . . . . . . . . . . . 8

5 Analysis 9
5.1 Software Engineering Code of Ethics . . . . . . . . . . . . . . . . . . . . . . 9
5.1.1 Introduction: SE Code of Ethics . . . . . . . . . . . . . . . . . . . . . 9
5.1.2 No Expectation of Scud Interception . . . . . . . . . . . . . . . . . . 10
5.1.3 United States Army Incompetence . . . . . . . . . . . . . . . . . . . 11
5.1.4 Deaths Caused by Patriot Missile Bug . . . . . . . . . . . . . . . . . 12
5.1.5 Conclusions from the SE Code of Ethics . . . . . . . . . . . . . . . . 13
5.2 Utilitarianism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5.2.1 Introduction: Utilitarianism . . . . . . . . . . . . . . . . . . . . . . . 14
5.2.2 Deaths Caused by Patriot Bug and Prior Knowledge of Bug from IDF 14
5.2.3 Scud Interception Rate . . . . . . . . . . . . . . . . . . . . . . . . . . 15
5.2.4 Cost of Life vs Cost of Fixing the Problem . . . . . . . . . . . . . . . 16
5.2.5 Conclusions from Utilitarianism . . . . . . . . . . . . . . . . . . . . . 18
5.3 Deontology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.3.1 Introduction: Deontology . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.3.2 Prior Knowledge of Bug from IDF: Negative Formulation . . . . . . . 18
5.3.3 Prior Knowledge of Bug from IDF: SE Code by Deontology . . . . . . 19
5.3.4 Conclusions from Deontology . . . . . . . . . . . . . . . . . . . . . . 20

6 Conclusion 21
1 Facts

The Patriot Missile is a long-range surface-to-air air-defense system with the primary
mission of protecting United States and allied troops from enemy aircraft and missiles. 1 The
Patriot Missile system was originally designed in the late 1970’s as an antiaircraft weapon,
but later modified to also protect against cruise missiles and short range ballistic missiles. 2;3
The Patriot Missile system consists of multiple parts, which together form a cohesive defense
platform. 4
The Patriot Missile contains a ground radar which scans the airspace above for airborne
threats, such as enemy planes or missiles. A control computer inside the Patriot’s control
station “obtains target information from the system’s radar,” and uses the data to “identify,
track, and intercept” these threats. 4 After validating that a threat exists, the Patriot enters
a “tracking” mode that only scans a specific area for the threat, known as the “range gate.” 4
If the threat leaves this range gate, the Patriot will not be able to properly track the threat. 4
Army Officials have stated that Patriot Missiles have successfully intercepted 24 of 85
Scud missiles, and an even higher percentage of enemy aircraft, 5 though other sources claim
only 77 Scud engagements. 6 During the Gulf War, the Patriot’s primary mission was to
shoot down incoming Iraqi Scud or “Al-Hussein” missiles launched at United States troops,
allied troops, and civilians in Israel and Saudi Arabia. 2 The United States Army claimed an
interception success rate of 70% in Saudi Arabia and 40% in Israel 2;3 , but “the Army did
not collect performance data during Operation Desert Storm that would permit an absolute
determination of how many of its targets the Patriot killed or failed to kill because it was
operating in a war zone rather than on a test range.” 3
The General Accounting Office of the United States produced a report that the Pa-
triot Missile system was intended to be a mobile defense platform to protect against Soviet
medium- and high-altitude aircraft and cruise missiles traveling at speeds up to MACH 2
(1500mph). Scud missiles fly at approximately MACH 5 (3750 mph), so the United States
Army relied on operational experience of Patriot users and other intelligence sources to mod-

3
ify the Patriot system to provide the capability to intercept these missiles. 4 These changes
were designed and incorporated in Patriot Missile systems in less than one week. 3 Prior to
the Gulf War, the Patriot Missile system had never been tested in combat, nor against Scud
missiles. 2;4
The Patriot was intended to be constantly relocated to avoid detection by enemy aircraft,
never staying in one place for more than a few hours. During the Gulf War, some Patriot
Missile batteries (groups of multiple Patriot Missiles and controllers) in Saudi Arabia were
left operational in one location, Dhahran, Saudi Arabia, for many days. 4 Operators were not
trained as thoroughly as expected, and some operators caused Patriots to malfunction by
“pressing the wrong buttons.” 7;8
The Israeli Defense Forces (IDF) recorded and analyzed data while using the Patriot Mis-
sile system, and found an anomaly in data they collected. 4 The IDF data indicated a loss
of system accuracy “after the system had been running for 8 consecutive hours”; this data
was promptly sent to the US Army. 4 This inaccuracy occurred when the system time (an
integer) and velocity (a whole number) were converted to real numbers for tracking calcula-
tions. Converting these numbers required high precision, but the registers in the computer
could only store 24 bits of data, resulting in a loss of accuracy. As the “uptime” (time the
system was in operation) of the system increased, the precision of the calculation decreased
dramatically. 4 The IDF noticed that after eight hours of operation (28,800 seconds), the
calculated time would be 28799.9725, an inaccuracy of .0275 seconds. 4
Due to the system’s inaccuracy, the range gate calculated by the Patriot is off by approx-
imately seven meters after one hour. This inaccuracy increases as a function of time, and
after eight hours of continuous operation, the range gate will have shifted by 55 meters (a
20% shift). A target must be near the center of this range gate to properly be tracked and
intercepted, and a shift in the range gate would cause a target to be off-center. 4
The data of this inaccuracy was received by the United States Army on February 11,
1991. 4 When this intelligence was received, US Army officials said “they believed the Israeli

4
experience was atypical – they assumed other Patriot users were not running their systems
for 8 or more hours at a time.” 4 Because of this, the US Army did not immediately alert
Patriot users of the software bug. 4
A software update was necessary for the Patriot’s Scud missile tracking to be more
accurate, and the Army implemented the fix five days after the data was released; February
16, 1991. In addition, the data provided by the IDF identified a temporary solution to the
problem – restarting the Patriot’s control computer would reset the system time to zero,
which would cause the inaccuracy to be zero. If the control computer was restarted every
eight hours, the inaccuracy would be small enough that the Patriot could still track incoming
Scud missiles. 4 Though a patch was created and a temporary solution was identified, Army
officials did not release this patch, nor did they send a message to Patriot users informing
them of the problem or temporary solution. 4
On February 21, 1991 (ten days after the original problem had been identified, and five
days after the patch was created), the Patriot Project Office sent a message to Patriot users.
The message stated that “very long run times” could cause a shift in the range gate, resulting
in the “target being offset.” The message told users that an update would be sent that
could improve the system’s targeting, but there was no mention of what constituted a “very
long run time.” 4 Army officials did not provide more information or guidance, under the
assumption that Patriot systems would not be in one location for extended periods of time. 4
Therefore, Patriot users did not know that restarting control computers would temporarily
fix this problem; a solution that takes sixty to ninety seconds to perform. 4
Six Patriot Missile batteries protected the air fields and sea ports of Dhahran, Saudi
Arabia. The Dhahran Air Base was under the protection of Alpha Battery. On February 25,
1991, Alpha Battery had been in operation for over 100 consecutive hours. The inaccuracy
of the time calculation caused the range gate to be shifted by 687 meters. Consequently,
Alpha Battery did not engage a Scud missile fired at the Air Base. This Scud struck a United
States Army barracks, killing twenty-eight American soldiers. 4

5
 On February 26, 1991, one day after the attack, the modified software arrived in Dhahran. 4

2 Issue

Was the United States Army’s response to the 1991 bug found in the Patriot Missile code
ethical?

3 Importance

Determining whether or not the response by the United States to the bug found in the
Patriot Missile system was ethical is important for a couple reasons. First, software engineers
are commonly asked to create safety-critical software when it may not be possible to do so. 8
Software engineers still attempt to implement these “impossible” jobs because they believe it
is possible or they do not fully understand the specification. 9 The United States Army wanted
the Patriot to have functionality to intercept Scud missiles, and wanted this functionality to
be implemented quickly. 4 Knowing the effect this decision had on the United States Army
can show us whether this decision was ethical or unethical, and the results can then be used
to make future decisions.
Additionally, the United States response to the bug had large implications, especially to
the soldiers who died in the Scud attack. If the United States Army had taken an ethical
course of action, these soldiers may not have been killed in the attack. After determining
the ethicality of the US Army’s response to the bug, their decision can be used as a basis
to help judge future decisions in related areas. Because software played a big role in these
decisions, the unethicality of the US response may translate to unethical software practices,
which may have been the root cause of death for the twenty-eight soldiers.

6
4 Arguments

4.1 Ethical

4.1.1 No Expectation of Scud Interception

There are multiple arguments that display the ethicality of the United States response to
the 1991 Patriot Missile software bug. First, when the Patriot Missile system was created,
it had the primary mission of targeting soviet high- and medium-altitude aircraft and cruise
missiles flying at relatively slow speeds of MACH 2 (approximately 1500 mph). At the time,
there was no expectation that the Patriot would be used to intercept Scud missiles, which
fly two and a half times faster, approximately 3750 mph. 4

4.1.2 No Expectation of Extended Operation

The Patriot Missile system was not created to intercept Scud missiles, but rather it
was intended to be used as a mobile defense platform. To avoid detection, the Patriot was
expected to stay in one position for only a short period of time, no more than a few hours. 4
The Patriot Missile system in Dhahran, Saudi Arabia had been operational for more than
100 hours without moving, which was not intended. 4

4.1.3 “IDF Should Have Done More”

Another argument states that the Israeli Defense Forces should have done more to in-
form the United States Army about the urgency of repairing the software. The IDF sent
intelligence to the United States Army on February 11, 1991. This intelligence contained
data that clearly displayed the inaccuracy in the Patriot Missile, however the IDF did not
follow up with the United States Army to try to correct the problem. 4

7
4.2 Unethical

4.2.1 Prior Knowledge of Bug from Israeli Defense Force

The United States response may also be considered unethical after looking at different
facts. Two weeks prior to the Dhahran incident, the United States Army received intelligence
from the Israeli Defense Force stating that there was a lack of accuracy when the Patriot
Missile was operational for extended periods of time. 4 Additionally, it was known that re-
booting the Patriot every eight hours would reset the system clock, effectively reducing the
inaccuracy. The United States had this information, but did not act to correct the issue
immediately. 4

4.2.2 United States Army Incompetence

When the United States Army received Israeli intelligence consisting of bug data collected
on multiple Israeli Patriot Missiles, the US Army said they “believed the Israeli experience
was atypical.” 4 They assumed operators of other Patriot Missiles were not running their
systems for 8 or more hours at a single time. Because of this, the US Army didn’t immediately
alert Patriot users of the flaw. Not a single message was sent to the users for six days, and
even then the tone of the message did not convey urgency to Patriot users 4

4.2.3 Deaths Caused by Patriot Missile Bug

Finally, though there have been many reported incidents with the Patriot Missile sys-
tem 10 , only one is known to have resulted in the death of twenty-eight soldiers in the United
States Army. 4 If these soldiers were only killed due to a software error in the Patriot Missile
system, their death is unacceptable and may be considered unethical.

8
5 Analysis

To determine the ethicality of the United States Army’s response to the Patriot Missile
software bug, a variety of arguments and analyses will be presented. The Software Engi-
neering Code of Ethics will be examined, in addition to both Utilitarian and Deontological
ethical principles. After appropriate arguments are provided, a conclusion will be drawn
from the results.

5.1 Software Engineering Code of Ethics

5.1.1 Introduction: SE Code of Ethics

In this section, multiple arguments will be analyzed using the Software Engineering Code
of Ethics. Each subsection will explain an argument and its ethicality under the guidance of
the Software Engineering Code of Ethics. The SE Code of Ethics contains many important
ethical responsibilities that software engineers should have taken into account when creating
the Patriot Missile system. 11 Additionally, the Preamble of the SE Code of Ethics explains
that managers of software engineers are also morally bound by the SE Code of Ethics. 11 This
section (5.1) will use the term “software engineer” in reference to software engineers and their
managers, whether or not the managers are software engineers themselves. As the Preamble
of the SE Code states, software engineers and their managers are equally responsible to
uphold the SE Code of Ethics. 11
Some responsibilities may have been overlooked when implementing patches and updates
in the Patriot Missile system (prior to 1991), and this section will look at each of these
points. Finally, a conclusion regarding the ethicality of the United States response to finding
the 1991 Patriot Missile bug will be determined using the SE Code of Ethics as a guide.

9
5.1.2 No Expectation of Scud Interception

The Patriot Missile was not intended to be used as a Scud Interceptor. 4 The Dhahran
incident only occurred because a Scud missile could not be tracked properly by a Patriot
Missile battery. 4 Some might argue that because the Patriot was not originally intended to
intercept Scud missiles, the fact that it did not protect Dhahran from a Scud is unfortunate,
but not the fault of the US Army.
Though this argument seems valid, it is still flawed under the SE Code of Ethics. Point
3.15 of the SE Code states that software engineers are obligated to “treat all forms of software
maintenance with the same professionalism as new development.” 11 Additionally, software
engineers should “ensure adequate testing, debugging, and review of software...” (3.10) 11
The United States Army requested the capability of Scud interception to be added to the
Patriot, and the software to add such functionality was implemented within one week. 3 This
update may be considered “software maintenance,” while the original engineering (hardware
and software) of the Patriot Missile system was “new development.” Because of the one-week
period in which this update was created and implemented, it is unlikely that there would
have been adequate time for testing, and the “software maintenance” (the update) would
not have received the same professionalism as new development. (The Patriot Missile system
was created over a period of many years, contrasted with a one-week safety-critical update.)
If this update had received adequate testing, the US Army would have possibly noticed the
timing bug earlier, and corrected it before this safety-critical update was implemented on
Patriot batteries that were actively protecting US troops.
Furthermore, the second point in the SE Code of Ethics (1.02) states that a software
engineer should “moderate the interests of the software engineer, the employer, the client,
and the users with the public good.” 11 This moderation is necessary when each party is
interested in different results, especially if they do not align with the “public good.” In
this case, the “public” consists of soldiers and civilians that the Patriot Missile is actively
protecting, and the “public good” is the well-being of those people. The software engineers,

10
in this case the engineers hired by the US Army, had a responsibility to moderate, with
their primary focus being the well-being of the public. In the case of the Patriot Missile,
the United States Army (the “employers”) and software engineers did not have primary
operational experience in intercepting Scud missiles, or knowledge of whether the Patriot
Missile system would have the capability to intercept these missiles. 4 The US Army needed
the Scud interception functionality to be added in a timely manner, but the SE Code explains
that software engineers should be just as (if not more) concerned with public safety than
their employers requests. 3;11 Specifically, the engineers should have explained to the US
Army that the Army’s request (to implement the Scud interception functionality in such a
short time frame) was not advisable, as there would not be adequate time for testing the
upgraded software. Not testing the software is not in line with the “public good,” because
the thousands of lives protected by the Patriot system are dependent on the safety-critical
software. The fact that the software was updated in one week shows that there was likely not
ample time to thoroughly test the upgrade. 3 Because the “public good” must come first, the
software engineers should have requested more time to work on a solution; if there was not
enough time to test the upgrade, this good was not moderated with the needs of employers.

5.1.3 United States Army Incompetence

Sections 1.04 and 1.05 of the SE Code of Ethics state that software engineers should be
concerned with public safety. Point 1.04 states that software engineers have an obligation
to “disclose to appropriate persons . . . any actual or potential danger to the user, [or] the
public . . . that they reasonably believe to be associated with software. . .” 11 Breaking
this point apart, some terms must be defined. For our purposes, “actual” danger can be
defined as a known danger that can harm the public good and can be caused by the Patriot’s
software or resulting from its use. “Potential” danger is any possible danger to the public
that may occur from use of the Patriot’s software. People that have a need to know whether
the software is dangerous may be considered “appropriate persons,” such as Patriot users and

11
the public that is under protection by the Patriot. If working properly, the Patriot Missile
system can save lives by eliminating threats. However, no defensive weapon is foolproof, and
therefore all potential hazards of the Patriot’s software should have been explained to users
of the system, as well as anyone that this weapon could affect. 7
The United States Army Patriot Office was informed of the bug in the Patriot Missile
software, yet they did not immediately inform Patriot users of the issue. 4 Though the US
Army did eventually inform Patriot users of this bug, the information was sent out six days
after it was received, and the US Army displayed no urgency in the message. 4 The message
sent to Patriot users stated that “very long run times could cause a shift in the range gate,
resulting in the target being offset.” 4 The message did not contain any information on what
constituted a “very long run time,” because they believed that the users would not run a
Patriot system for an extended period of time (eight or more hours). 4
The fact that this message was sent out six days after the intelligence was received,
compounded by the fact that it did not adequately inform users of the seriousness of the
issue, showed the United States Army’s incompetence in sending out necessary information.
The United States Army had information regarding a serious timing bug in the Patriot Missile
code. 4 The users of the Patriot Missile were not informed of the bug, as point 1.04 of the SE
Code mandates, and they continued using the Patriot Missile system under the impression
that they would be protected from airborne threats. Because the software engineers and
US Army did not disclose the potential danger of the Patriot Missile system to the users of
the system (as required by point 1.04 of the SE Code), this incompetence can be considered
unethical.

5.1.4 Deaths Caused by Patriot Missile Bug

If the Patriot Missile software had been adequately tested, the timing bug may have
been found earlier, and the US Army may have been able to fix the issue before attempting
to implementing it into Patriot Missile batteries that were already protecting US troops

12
in combat. As described in the previous section, points 1.04 and 1.05 of the SE Code of
Ethics obligate software engineers to inform the public about potential dangers in software. 11
More importantly, point 3.10 states that software engineers are required to “ensure adequate
testing, debugging, and review of software...” 11 The US Army did not find this bug when
they tested the patch, as described in Section 5.1.2, yet the IDF found this bug by simply
recording a small amount of data when the Patriot is in use, 4 something that should have
been done in the testing stage. This shows a lack of testing by the US Army’s software
engineers. Additionally, as stated in Section 5.1.3, the US Army did not inform Patriot Users
of the timing bug in the system. Point 1.04 of the SE Code of Ethics makes it explicitly
clear that software engineers are required to disclose all potential dangers of a system to the
public (and in this case, the users of the Patriot Missile). 11 Because the US Army didn’t
inform the Patriot users of the bug, the soldiers in Dhahran may have felt secure, but the
Patriot system was not protecting them as intended. 4 Both the lack of testing and the fact
that the US Army did not immediately inform Patriot users of the bug are breaches of the
SE Code of Ethics, and should be considered unethical. These unethical breaches of the
Software Engineering Code of Ethics may have lead to the deaths of twenty-eight US Troops
in Dhahran, Saudi Arabia.

5.1.5 Conclusions from the SE Code of Ethics

Using the Software Engineering Code of Ethics to analyze three important arguments
for the ethicality of the United States response to the 1991 bug found in the Patriot Missile
system, the response by the United States looks unethical. Though the Patriot was not
initially expected to intercept Scud missiles, the United States requested this functionality,
and did so too quickly to perform ample software testing. Additionally, the lack of commu-
nication between the US Army and Patriot users, coupled with the death of twenty-eight
United States Army soldiers, are shown to be unethical when looking at the first principle
of the SE Code of Ethics: public good.

13
5.2 Utilitarianism

5.2.1 Introduction: Utilitarianism

Utilitarianism can be described as “the ethical doctrine that virtue is based on utility.” 12
In other words, an action should be based upon its contribution of happiness or pleasure as
summed among all people in society. In this section, the ethical principle of Utilitarianism
will be used to analyze applicable arguments stated earlier in this paper. Looking at these
arguments from a Utilitarian perspective will provide insight to the ethicality of the US
response to the bug found in the Patriot Missile code in 1991.

5.2.2 Deaths Caused by Patriot Bug and Prior Knowledge of Bug from IDF

The Utilitarian perspective promotes happiness for the many rather than happiness for
the few. Because of this, if there is a machine that can save thousands of lives, but it happens
to kill one person, a Utilitarian could consider the machine ethical. The Patriot Missile is a
defense weapon that has been hailed as effective against aircraft, cruise missiles, and ballistic
missiles (such as the Scud). 3 During the Gulf War, the Patriot claimed a success rate of 70%
in Saudi Arabia, and 40% in Israel. 3 Though the exact number of threats intercepted by the
Patriot are unknown, there is recorded evidence of at least 77 Patriot Missile engagements. 6
Using this as our base value (though this is likely much lower than the actual number of
engagements), we can take 40% of this number (the lower of the two accuracies listed above),
which translates to successful interceptions of at least 31 threats.
On February 25, 1991, a known bug in the Patriot Missile software caused the system to
fail to track a Scud missile, which hit a US Army barracks and killed twenty-eight Amer-
icans. 4 This known bug was found by the Israeli Defense Forces approximately two weeks
earlier, yet the Patriot Missile system was still in use. The American forces in Dhahran,
Saudi Arabia didn’t realize that the Patriot that was protecting them had a software bug
that would cause it to fail. The United States Army had knowledge of the Patriot’s flaw, but

14
they also knew that shutting down or recalling the Patriot system would leave US troops
vulnerable to airborne threats. Because of this, the United States Army did not convey the
urgency of the situation to Patriot users, believing they would still be safe, even under a
flawed system.
Using the numbers above, we can estimate the number of lives saved by the Patriot
Missile system. If the 31 threats calculated above had hit US Army bases, and twenty-eight
soldiers were killed each time (as they were in the Dhahran incident), 868 American soldiers
would have lost their lives had the Patriot Missile system not been protecting them. If any
of these threats had been carrying a nuclear warhead, this number would be increased many
times over.
From a Utilitarian perspective, the lives that were potentially saved by the Patriot Missile
(868 or many more) far outweigh the ones that it didn’t save (28). Though the Patriot had
a known bug, if all batteries had been recalled or forced to shut down, many more lives
would have been taken than only those in Dhahran. The United States Army came to this
conclusion as well, or else they would have immediately shut down or recalled all Patriot
systems when the bug was found. In this way, the stance taken by the US Army can be
considered ethical under Utilitarian principles.

5.2.3 Scud Interception Rate

The US Army stated that the Patriot was 70% effective in Saudi Arabia, and 40% effective
in Israel. 3 However, after a ten-month investigation by the House Government Operations
subcommittee on Legislation and National Security, it was concluded that there was “little
evidence to prove that the Patriot hit more than a few Scuds.” 2 In the previous section,
it was concluded that the US response to the Patriot missile bug was ethical because the
number of lives saved far outweighs the number of lives lost due to the Patriot bug. However,
because the investigation of the Patriot revealed that there was little evidence proving that
it adequately protected US troops, this conclusion may be incorrect.

15
 A study performed by the Committee on Government Relations “found no convicting
evidence . . . that any Scud warhead was destroyed by a Patriot.” 6 If it is true that not
a single Scud was destroyed by a Patriot missile, than whether or not this bug was found,
it is very improbable that the Patriot in Dhahran would have protected the barracks at
all. Operating a safety-critical defense weapon that cannot perform its intended mission,
protecting US and allied troops, may be considered unethical, but is outside the scope of
this paper. Whether or not the Patriot performed its intended action against Scud missiles,
it did have a high success rate against other threats, such as aircraft and cruise missiles. 3
Because of this, the Patriot still saved many lives, as discussed in Section 5.2.2. Had the
United States shut down the Patriot system to fix the bug, or had they warned users sooner,
it is unlikely that the outcome in this instance would have changed – the 28 soldiers would
have likely still died. However, other US troops (such as the 868 described above) would not
have been protected against other threats, such as aircraft and cruise missiles. Therefore,
from a Utilitarian perspective, the US Army’s response is still ethical, whether or not the
Patriot performed its intended purpose against Scud missiles. It is very likely that even if
the bug had not existed, the twenty-eight soldiers would have died; informing users of the
bug would not have saved additional lives.

5.2.4 Cost of Life vs Cost of Fixing the Problem

Utilitarian concepts can be applied to this situation financially as well. The US Army did
not immediately inform Patriot users of the bug, and did not patch it for even longer. 4 The
estimated cost of training a new US Army soldier from the moment they enter a recruiter’s
office until they are on active duty is between $35,000 and $50,000. 13 In the United States,
the average salary for a software engineer is $86,000. 14 Breaking down this salary per day, an
average software engineer makes approximately ($86, 000/yr)/(365days/yr)) = $235.62/day.
As stated above, there were two weeks between the time that the US Army was informed
of the change and the time that the patch arrived in Dhahran. 4 Because the exact number

16
of hours spent working on this patch is unknown, we will assume that 100% of this time was
spent implementing the patch. (This is very unlikely, however we know that no more than
100% of two weeks could be spent working on this, so we can assume the “worst-case” of the
full two weeks.)
Additionally, the exact number of engineers that worked on this patch are unknown, so
we will assume a team size of 50 engineers. (Experience says that most software engineering
teams are between five and nine people, so this is very unlikely, and can be considered
“worst-case.”
Finally, because $235.62/day is the average salary of one US software engineer, we will
triple this to get a “worst-case” salary for an engineer (i.e. a very high salary), in case these
engineers were making much more than the average. $235.62/day ∗ 3 = $706.86/day.
Multiplying the above “worst-case” numbers will give us a worst-case cost, or “financial
utility”, of fixing the patriot missile bug: (14days ∗ 50engineers ∗ $706.86/engineer/day) =
$494, 802.00. Because each of the values used was worst-case, it is likely that the cost of
implementing this patch was no more than $494,802.
Using the training costs of a US Army recruit above (taking the lowest possible number;
$35,000) and multiplying that by the number of soldiers that were killed due to the Dhahran
Patriot malfunctioning (28 soldiers), we get a cost of $980,000. This value does not take into
account the cost of a soldiers life, only the cost of training (the soldier’s “financial utility”).
This shows that the financial utility of the soldiers that died in Dhahran was nearly twice
as much as the cost to fix the bug. It is important to note that these numbers are worst-
case, and that the soldiers’ utility does not take into account the cost of a soldier’s life, and
therefore it would likely be an even larger difference in cost. Because the utility of a soldier
is substantially higher than the cost of patching the Patriot Missile bug, the Utilitarian
conclusion in this case is that the United States Army was unethical for not immediately
informing users of the Patriot bug, nor immediately fixing the problem.

17
5.2.5 Conclusions from Utilitarianism

If 868 soldiers are alive because of the Patriot Missile, but 28 are dead, Utilitarian princi-
ples say that the utility of the 868 “saved” lives outweighs the utility of the 28. Additionally,
it is likely that the Patriot Missile system did not work as intended against Scud missiles,
so if the US Army had shut down or recalled Patriot systems when the bug was found, the
28 soldiers would not have been saved, and more would have likely died (the 868). Looking
at this, the US Army’s response to the bug seems ethical.
Financially, we get a different outcome. The cost of fixing the bug was at most $494,802.
The cost of training 28 soldiers is at least $980,000 (not including the “cost of life”). The
financial utility of the soldiers that were killed is much higher than than the cost of fixing
the bug, and because the US Army did not act immediately to fix this bug, their response
was unethical.

5.3 Deontology

5.3.1 Introduction: Deontology

Deontological principles rest on the fact that some choices are morally forbidden. 15 An
act itself is looked at rather than the good or bad that it may produce. In deontology, the
outcome is not involved in the ethicality of an act. 15 In this section, the ethical principle of
deontology will be used to analyze the ethicality of the United States response to the Patriot
Missile bug found in 1991.

5.3.2 Prior Knowledge of Bug from IDF: Negative Formulation

The US Army received data that distinctly showed a flaw in the Patriot Missile code on
February 11, 1991. 4 It was not until the 21st that the Patriot Missile Office sent a message
to users informing them of the flaw, and they did not inform users of the temporary solution
of rebooting the Patriot every eight hours to reset the system time to zero. 4

18
 According to Peter Singer’s A Companion to Ethics, “deontological constraints are usually
negatively formulated as ‘Thou shalt nots’ or prohibitions” 16 Singer says that according to
deontological principles, “lying” and “failing to tell the truth” are very different things, and
that “lying is wrong” (while telling the truth is good) but “withholding a truth which another
needs may be perfectly permissible.” 16 Singer then explains that lying would be considered
unethical, but withholding the truth has no ethical effect – it is neither moral or immoral
according to deontology. 16
The US Army did not lie to Patriot users about the temporary solution to the bug,
rather, they withheld “a truth which another need[ed]” 16 The US Army withheld information
that the Patriot users should have known. According to Singer, telling the truth in this
situation would be considered good (or ethical), but withholding this information would not
be considered unethical. Instead, withholding this information had no ethical consequence
in this situation – it was a neutral act. 16

5.3.3 Prior Knowledge of Bug from IDF: SE Code by Deontology

Under deontology, the inherent “rightness” of an act is based on conformity with a moral
norm. 15 As morality differs depending on location and circumstance, the deontologist would
base the ethicality of acts on moral norms in the given setting. The Software Engineer-
ing Code of Ethics is the ethical and moral standard for practicing software engineering. 11
Therefore, when an ethical situation arises, and when this situation relates to software engi-
neering, the SE Code of Ethics must be used to deontologically determine the ethicality of
the given situation.
The conclusion in the previous section says that the US Army’s decision to withhold
information from Patriot users was neutral, with no ethical ramifications. We determined
that not withholding information would have been “good.” but withholding information was
not inherently “bad.” However, as stated in Section 5.1.3 above, point 1.04 of the SE Code
of Ethics requires disclosure “to appropriate persons . . . any actual or potential danger to

19
the user, [or] the public . . . that they reasonably believe to be associated with software.
. .” 11 The US Army did not inform the public about the potential danger (the bug) in the
Patriot Missile system. 4
Because the flaw in the Patriot was a software bug, the SE Code may be used as a
basis for the deontological analysis of this issue, as determined above. We can conclude that
the US Army withholding this information is in violation of section 1.04 of the SE Code of
Ethics, and therefore is deontologically unethical. Because of this, it is accurate to say that
had the US Army not withheld information, it would have been “good,” and withholding
information would have been unethical, or “bad” according to deontology.

5.3.4 Conclusions from Deontology

The deontological perspective forbids certain acts based on their unethicality. 15 When
looking at the US Army’s response to the Patriot Missile bug found in 1991, we can see that
the Army responded unethically in the given situation, due to the fact that they disobeyed
the SE Code of Ethics. As determined in the previous section, the SE Code can be used as
a basis for deontological analyses, and in this case the US Army ignored section 1.04 of the
SE Code. Though looking purely at the US Army’s response – withholding information that
was needed by Patriot users – shows us that though there was no ethical wrongdoing, it was
also not “ethical;” it just had no negative effect. However, because we can use the SE Code
of Ethics to determine ethicality for software problems under deontology, and we know that
section 1.04 was ignored, we can conclude that it was an unethical decision.

20
6 Conclusion

When the US Army was informed of a timing bug in the Patriot Missile system in
1991, they responded by fixing the bug, but not until two weeks after they received the
intelligence. 4 Because of this, twenty-eight US Army soldiers were killed in Dhahran, Saudi
Arabia when a Patriot lost tracking on an incoming Scud missile, which ended up hitting
an Army barracks. 4 Using various ethical guidelines, it has been shown that the US Army’s
response to finding this bug was unethical.
Under the guide of the Software Engineering Code of Ethics, the unethicality of the US
Army’s response to this bug is displayed by their disregard for multiple SE Code principles.
The US Army’s software engineers did not moderate the needs of the client, employer, and
users with the public good (SE Code 1.02), and because of this, twenty-eight soldiers died.
Had the US Army taken more time for testing (SE Code 3.10), they would have determined
this bug existed before updating all Patriot systems with the flawed patch. 4;11 Additionally,
the US Army did not disclose the potential danger of the Patriot system, so users and the
public were uninformed of the flaw (SE Code 1.04 and 1.05). Finally, the development of the
patch created for the Patriot Missile system was not given “the same professionalism as new
development” (SE Code 3.15). Had the Software Engineering Code of Ethics been taken into
account rather than ignored, it is likely the timing bug would have been discovered and the
lives of twenty-eight US soldiers may not have been taken. This displays the unethicality of
the US Army’s response under the principles set forth in the SE Code of Ethics.
Utilitarian principles say that the utility of the 868 lives potentially saved by the patriot
missile outweighs the utility of the 28 killed by a bug in the Patriot’s code. Looking at this
point alone, it seems like the US Army’s response (not informing users and not recalling or
shutting down Patriot Missile batteries) was ethical. However, financial utility comes to a
different conclusion. The cost of fixing the bug was at most $494,802 (Section 5.2.4). The
cost of training 28 US Army soldiers is at least $980,000. This does not take into account
the cost of life or damages done by ending a soldiers life. Because the financial utility of 28

21
soldiers is almost twice as high as the cost of fixing the bug, the US Army’s response of not
immediately fixing the bug (or informing users) can be considered unethical. Because it was
possible to fix the bug (and therefore it was not necessary to shut down or recall all Patriot
systems), the above conclusion (that the US Army’s response was ethical) is not accurate. If
the Army had acted ethically, the 868 lives would have still been saved, but the 28 soldiers
who died due to this bug may also have not been killed.
Because we can use the SE Code of Ethics as a basis for deontology when referring to
software engineering, such as this case, and because it has been shown that the US Army
ignored many SE Code principles, it can be concluded that the US Army’s response to
the bug was deontologically unethical. Section 5.3.3 explained that using the SE Code
as a deontological basis for this case was allowable, and because the US Army withheld
information (which point 1.04 of the SE Code forbids), their response was unethical. In
addition, Section 5.3.2 explained that not withholding this information would have been the
ethical course of action.
Each of the above points shows that the United States Army’s response to the 1991
bug found in the Patriot Missile Code is unethical. This unethicality is seen in both the
US Army’s lack of responsiveness to sharing necessary information, as well as their lack of
professionalism in attempting to update the Patriot without adequate testing.

22
References

[1] “Patriot missile air defence system - army technology.” [Online]. Available:
http://www.army-technology.com/projects/patriot/

[2] A. Simon, “The patriot missile. performance in the gulf war reviewed,”
http://www.cdi.org/issues/bmd/patriot.html. [Online]. Available: http://www.cdi.
org/issues/bmd/patriot.html

[3] “Operation desert storm: Data does not exist to conclusively say how well patriot
performed,” US GAO. [Online]. Available: http://www.fas.org/spp/starwars/gao/
b250335.htm

[4] “Patriot missile defense: Software problem led to system failure at dhahran, saudi
arabia,” United States General Accounting Office, Tech. Rep. IMTEC-92-26, Feb.
1992. [Online]. Available: http://www.gao.gov/products/IMTEC-92-26

[5] “Patriot: The missile that missed,” New Scientist, Apr. 1992. [Online]. Available: http:
//www.newscientist.com/article/mg13418171.600-patriot-the-missile-that-missed.html

[6] T. A. Postol and G. N. Lewis, “Postol/Lewis review of army’s study on patriot

effectiveness.” [Online]. Available: http://www.fas.org/spp/starwars/docops/pl920908.
htm

[7] S. A. Hildreth, “Evaluation of U.S. army assessment of patriot antitactical

missile effectiveness in the war against iraq,” Apr. 1992. [Online]. Available:
http://www.fas.org/spp/starwars/congress/1992 h/h920407h.htm

[8] I. Peterson, Fatal Defect : Chasing Killer Computer Bugs. New York: Vantage Books,
1996.

[9] J. Kruger, “Unskilled and unaware of it: How difficulties in recognizing one’s own incom-

23
 petence lead to inflated Self-Assessments,” Journal of Personality and Social Psychology,
vol. 77, no. 6, pp. 1121–1134, 1999.

[10] J. S. Clair, “US: the fatal flaws in the patriot missile system,” Apr. 2003. [Online].
Available: http://www.corpwatch.org/article.php?id=11110

[11] “Software engineering code of ethics.”

[12] “Definition of utilitarianism.” [Online]. Available: http://dictionary.reference.com/

browse/utilitarianism

[13] L. D. L. Thomas II, “Is the U.S. army a business?” Dec. 2004. [Online]. Available:
http://www.military.com/NewContent/0,13190,120304 ArmyBusiness-P1,00.html

[14] “Software engineer salaries in united states.” [Online]. Available: {http://www.indeed.

com/salary/q-Software-Engineer-l-United-States.html}

[15] “Deontological ethics,” Nov. 2007. [Online]. Available: http://plato.stanford.edu/

entries/ethics-deontological/#DeoOblObeLaw

[16] P. Singer, A Companion to Ethics. Wiley-Blackwell, Jun. 1993. [Online]. Available:

http://books.google.com/books?id=17i10ZZu8O4C&pg=PA208&lpg=PA208&dq=
deontology+on+withholding+information&source=bl&ots=q5-A4vydzd&sig=
sWGcM2q4LikLozVo9OFBlxMLEf0&hl=en&ei=s-QRS-bBIo-IsgPa9ciKDw&sa=
X&oi=book result&ct=result&resnum=1&ved=0CAgQ6AEwAA#v=onepage&q=
&f=false

24 LATEX