Carnegie Mellon University
18-849b Dependable Embedded Systems
Spring 1998
Author: Chris Inacio


Embedded systems are often called on to perform safety critical tasks in aid of, or independently of, human operators. Creating these systems, as in every engineering discipline, obliges engineers to consider their actions and the ethical implications of what they build. Engineering as a profession holds that the public good must outweigh all other factors when an engineer decides on a course of action. Unfortunately, not all situations are morally well defined, and engineers will be called upon, by themselves, their company, or society, to make profound or, more often, personally conflicting decisions.

In this section we discuss some conflicts that may arise in everyday engineering, along with some less common situations that an engineer may nonetheless face. Every engineer will encounter at least a few morally perplexing events in their career. We then discuss some resources engineers can turn to for reference. We conclude with a brief overview and the observation that ethics are, in the end, as personal as each engineer's own moral code.




Ethics are of special importance to practicing professionals, including engineers.  Professionals such as doctors, teachers, lawyers, and engineers have a greater responsibility to society to do their jobs ethically.  To fulfill that responsibility, it is important to understand what ethics really means.  The actions that society finds acceptable, as against the actions it does not accept, define the ethics by which a member of society must abide.  From this definition, ethical action on the part of an engineer can be partially simplified (as it is in most codes of ethics from engineering organizations) to the single mandate that an engineer's greatest responsibility is to the public good.  The following discussion centers on what responsibility comes with being an engineer, the challenges an engineer faces, and some resources that help an engineer fulfill the responsibility to serve the public good.

To further motivate the discussion of ethics, we first look more closely at what ethics is, including some alternate definitions.  We then present some hypothetical situations in which right and wrong are not so clearly defined.  We conclude with a look at existing codes of ethics from engineering and related fields, and at what help they may be to the practicing engineer.

Key Concepts

These two definitions give a lot of insight into the complexity of what makes up ethics.  To understand ethics, we must accept responsibility and accountability for our actions.  Further, we must have a notion of right and wrong, a moral code.  Most religions have a moral code of conduct, and most cultures have at least a minimum code of conduct as well.  A society's code of conduct, its laws, is usually a reflection of the moral values of a supermajority of its population.  Moral codes define our rights and wrongs and are usually culture-specific.  The combination of determining right and wrong and being responsible for our actions creates the standard for ethical behavior.

Unfortunately, knowing what is right and wrong is not always that simple.  Most of the time it is easy: engineers face many ethical decisions every day, and most often the morally right answer is obvious.  For many engineers it simply comes down to being honest and upright.  There are times, however, when the right thing to do is far from clear, and responsibility to society alone is not enough of a guide.  The hypothetical situations below, some based on real life problems, illustrate such occasions; the answers are not simple, and the resources discussed afterwards may be helpful.

Examples and Resources

Is Lying Wrong? (Or Orderly Dissent)

How wrong is it to lie?  Take the hypothetical situation where you are in charge of the software for the launch of a rocket that will put a satellite into space.  The launch director requires that various people, including you and a meteorologist, "sign off" on launching the rocket.  The weather is very overcast, and lightning has been detected in the distance.  The meteorologist gives the "OK" to launch.  You have serious doubts that the weather is suitable for a launch, but you are not a meteorologist.  All the software checks complete successfully, and the software is in perfect working condition for launch.  Do you invent a claim that the software is not ready, in order to delay the launch to another day with better weather?  Or do you say the software is "OK" and go for launch? [Ward90]

It is important for organizations to have processes that encourage objections to bad decisions while still allowing decisions to be made and work to proceed once they are made.  For example, the US military allows a subordinate to ask "Are you sure?" in response to an order, giving the superior officer the opportunity to rethink the decision.  If the officer says yes, the order must be carried out, but simply questioning the order is not insubordination.  This increases the safety of the organization by allowing dissenting opinions to be voiced without bringing work to a standstill.

You say "yes" to the rocket launch.  The range safety officer, the person responsible for making sure the rocket does not deviate too far from its course and leave the launch range, is forced to destroy the rocket as it veers onto the wrong trajectory.  A later investigation determines that the rocket was indeed hit by lightning. [Ward90]  The satellite and the rocket were both lost, at a cost of hundreds of millions or even billions of dollars.  In the end, which would have been worse: lying and saving the rocket and satellite, or telling the truth and having both destroyed?

Designing Safety Critical Devices

How much is the cost of saving a life?  Embedded engineers are often called on to design systems that are safety critical.  For example, consider another hypothetical engineer, this time designing a medical system.  The system administers medication into an intravenous drip at a specified rate for a specified period of time, and you are the engineer designing its control system.  You have added many safety screens to the user interface to make sure that the doctor or nurse has set the dosage correctly.  You also add a safety feature by which the device stops working after a certain period of time, to force recalibration so that it does not deliver an incorrect dosage.  Your manager puts a lot of pressure on you to remove this safety time-out.  He believes the company could sell more units without the lockout: the unit would cost less, and users would not have to confront a possibly annoying time-out.  What do you do?  Do you remove the lockout and simply advise in the documentation that the unit be calibrated periodically?  What if you know that the unit will eventually drift out of calibration?  And what happens if you leave the lockout in the device and it stops working while it is supposed to be delivering medication to a patient?  It is difficult, especially when creating safety critical systems, to know what the right thing to do is.
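The last question above, a lockout that halts a dose in progress, is a design hazard that can be engineered out rather than accepted. The following is an added example, not code from the original page or from any real infusion device, showing one way to structure the calibration time-out: the overdue check gates the *start* of an infusion, while a dose that was legitimately started runs to completion and the missed deadline is raised as an alarm. The calibration interval, warning window, the hour-based device clock and the `InfusionController` API are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional

# Assumed policy constants for illustration, not values from any real device.
CALIBRATION_INTERVAL_H = 24 * 30   # recalibrate every 30 days
WARNING_WINDOW_H = 24 * 3          # warn during the last 3 days before lockout


class CalState(Enum):
    OK = auto()
    WARNING = auto()      # due soon: new infusions allowed, warning raised
    LOCKED_OUT = auto()   # overdue: new infusions refused


@dataclass
class Infusion:
    rate_ml_per_h: float
    duration_h: float
    elapsed_h: float = 0.0

    @property
    def done(self) -> bool:
        return self.elapsed_h >= self.duration_h


@dataclass
class InfusionController:
    last_calibration_h: float          # hours on an assumed monotonic device clock
    active: Optional[Infusion] = None
    alarms: List[str] = field(default_factory=list)

    def calibration_state(self, now_h: float) -> CalState:
        due_h = self.last_calibration_h + CALIBRATION_INTERVAL_H
        if now_h >= due_h:
            return CalState.LOCKED_OUT
        if now_h >= due_h - WARNING_WINDOW_H:
            return CalState.WARNING
        return CalState.OK

    def recalibrate(self, now_h: float) -> None:
        """Called by the technician after a successful calibration."""
        self.last_calibration_h = now_h

    def start_infusion(self, now_h: float, rate_ml_per_h: float, duration_h: float) -> bool:
        """Gate for new doses.  The calibration lockout is enforced only here,
        so the worst case for the patient is 'no new infusion until someone
        recalibrates', never 'delivery stops mid-dose'."""
        if self.active is not None and not self.active.done:
            self.alarms.append("start refused: infusion in progress")
            return False
        if rate_ml_per_h <= 0 or duration_h <= 0:
            self.alarms.append("start refused: invalid dose parameters")
            return False
        state = self.calibration_state(now_h)
        if state is CalState.LOCKED_OUT:
            self.alarms.append("start refused: calibration overdue")
            return False
        if state is CalState.WARNING:
            self.alarms.append("warning: calibration due soon")
        self.active = Infusion(rate_ml_per_h, duration_h)
        return True

    def tick(self, now_h: float, dt_h: float) -> float:
        """Advance the running infusion by dt_h hours; returns ml delivered.

        Deliberately does not stop on calibration_state(): a dose that was
        legitimately started keeps running to completion even if the deadline
        passes meanwhile.  The passed deadline is surfaced as an alarm."""
        if self.active is None or self.active.done:
            return 0.0
        step = min(dt_h, self.active.duration_h - self.active.elapsed_h)
        self.active.elapsed_h += step
        if self.calibration_state(now_h + step) is CalState.LOCKED_OUT:
            msg = "alarm: calibration overdue, recalibrate before next infusion"
            if msg not in self.alarms:
                self.alarms.append(msg)
        return self.active.rate_ml_per_h * step
```

The point of the split is that the two safety goals in the text, refusing to run a pump that may have drifted and never interrupting a patient's dose, conflict only if a single timer enforces both; separating the gate from the delivery loop lets the device honor both without removing the lockout the manager objects to.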

Non Safety Critical Systems, Are There Any?

Engineers design many systems that are not primarily safety critical but become safety critical through their use.  For example, suppose you are the design engineer for a pager system, and you know that the system is not even 99% reliable: it occasionally loses pages.  The company you work for sells the system to a local hospital.  You know that surgeons and doctors will rely on the pagers to reach the right patients when an emergency happens, in order to save lives.  The system was never designed for that purpose.  What do you do?  Will you try to stop the sale?  What if doing so means your job and many millions of dollars to the company that employs you?  Engineers must realize that even systems never envisioned for safety critical use may end up being used in a safety critical role.  Almost any embedded system may be used in a situation in which loss of property or life can result.

Real World Examples and Codes of Ethics

What if you are an engineer placed in the position of signing off on a safety critical system, such as an antilock brake controller, and you have doubts about whether the system should be built at all because of possible flaws? [Unger98]  Many engineering societies, including the IEEE and ASME, have codes of ethics which they require their members to abide by.  The ACM also has a code of ethics for its members, and the ACM and IEEE have recently produced a joint code of ethics for software engineers.  All of these societies make an engineer's responsibility to the public good the first priority.  The codes then go on to enumerate other moral rules their members must abide by, including honesty and integrity. [ACM92] [IEEE90]

The codes of ethics of the various professional societies have some interesting similarities and even more interesting differences.  All of the codes likely to be of interest to the reader stress the same first principle: obligation to the public good, or to society.  The IEEE Code of Ethics (see [IEEE90]) is relatively short and direct; it gives no explanation, details, or implications for its set of ten rules.  The ACM Code of Ethics and Professional Conduct (see [ACM92]) is a large, complex set of rules that offers full and detailed explanations.  In fact, the ACM code goes into too much explanation, often describing circumstances in which it is acceptable to break the rules, including breaking the law.  The ACM code does stress, however, that a member who decides to violate the rules (or break the law) must accept responsibility for his actions.  The most lucid code, with practical examples and discussion of the rules, is the one produced by a joint task force of the ACM and IEEE: the Software Engineering Code of Ethics and Professional Practice is the clearest and the most detailed. [ACM/IEEE99]  Its rules are kept simple so that they do not get mired in the gray areas of ethics, while still offering sufficient guidance to an engineer facing a dilemma.  It is good practice for every engineer to be familiar with the relevant code of ethics.

These codes of ethics may provide some moral guidance, but they are not the final answer in an ethical dilemma.  Members of a society's ethics committee may be willing to talk to you anonymously, but they cannot help you professionally or legally.  It is important to know that, in general, the professional societies will not defend their members.  A society may help prosecute a member and may expel a member, but it is very unlikely to come to your defense.  So while you may find some unofficial counsel from your professional society, do not expect official help from it.

The professional societies can nonetheless be a great aid to the practicing engineer.  They often create standards and guidelines for the design of many system components.  An engineer who follows these standards is very difficult to hold responsible if a standard itself turns out to be inadequate.  Standards are considered to embody the best known practice, so by using them an engineer gains some protection from society at large, even without the professional society's explicit support.

Relationship to other topics

Profits and Business Models and Social and Legal Concerns

It is important to have an ethical organization in order to have ethical engineers.  For example, Ford, after discovering that the ill fated Pinto could catch fire in an accident, decided not to change the car's design.  From a business and legal perspective, Ford had decided that the value of a human life was cheaper than the design change.  Ford later realized that the cost to its goodwill and brand image was far greater than the cost of a human life had been for it.  While this example describes a single design decision, it shows the relationship between the organization and the engineer: an organization that is willing to decide not to fix an unsafe design will not support an engineer who tries to add cost to a design simply for safety's sake.


Every engineer will be faced with an ethical dilemma at some point in his working career, and engineers also make ethical decisions every day in the regular course of engineering work.  It is important that engineers strive to make their systems functionally correct and safe.  While no one can solve every ethical dilemma, engineers in need should know that support and resources are available.  Rarely in any engineer's career is there an incident like the Challenger disaster, the explosion of a launch vehicle with people on board, but it is always a possibility.  Because engineers create systems that have a profound effect on society, they are responsible to society for making their very best efforts at safe and ethical design.

Annotated Reference List

A good online resource with the codes of ethics of very many professional organizations.
