■I mm LIBRARY OF THE UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN 510.84 Ije
(Y,Z,) 3> . . . } . In addition, if then, X: = {({Y r Y 2 ,...}, Z) r ({Y r Y 2 ,...}, Z) 2> ...}. (See Figure 10). Note in particular that if Y has no descendants, then Y: = {(Item) r (Item) 2 ,...} and is what is referred to as an item array. A pair of functions will be necessary to facilitate the pres- entation of the DDL. The first of these, DESC, makes it possible to describe each node. The first operand is a node and the second is an ordered n- tuple to be associated with the first operand as direct de- scendants (see Figure 11). For example, the operation 26 Y 2 Y 5 Y k Y 5 Y 6 Figure 10. Structural and Graphic Representations of v 2 ,...},Z) r ({Y r Y 2 , : = {((Y r Y ,...},Z) 1 ,({Y 1 , Y ,...} X) 2" }. 27 NODE DESC-1 DESC-2 DESC-n DESC(NODE, ( DESC -1, DESC -2, . . ., DESC-n) ) Figure 11. A Graphic Representation of the DESC Function. DESC (K, (L,M,N)) produces the following relationship: K: = (L,M,N,). Similarly DESC (M, (Item)) results in: M: = (Item). The following sequence of operations: DESC (A, (B,C)) DESC (C, (D,E,)) DESC (B, (Item)) produces: A: = (B,C)): = (B, (D,E)): = ((Item), (D,E)). From the above statement about the node A, one can discern that A.B is an item and A.C.E is a relation which exists in this structure. 28 Another function which will be used is ARRAY. Its single op- erand is a node. The effect of the function is that its operand is des- ignated as being iterative. Therefore, as an example, the operation ARRAY (X) would allow the statement to be made: X: = {X,, X^» a-,.../. The two operations ARRAY (A) DESC (A, (Item) specifies that A is an item array. With the two functions that have been presented, the graph may be constructed to describe the relationships between parts of the data- base and data types can be designated as iterative for convenient ref- erence. To illustrate the uses of each function, let us construct a simple family tree structure. The database will encompass all descendants of a particular pair of people. The node which gives rise to the struc- ture, the entry point, will be called TREE and defined thusly: DESC (TREE, (MOTHER, FATHER, CHILDREN)). (See Figure 12). The mother and father are not structural, and therefore stated as: DESC (MOTHER, (Item)) DESC (FATHER, (Item)). The children, however, may have descendants and develop structures of their own. So they are defined: ARRAY (CHILDREN) DESC (CHILDREN, (CHILD, SPOUSE, CHILDREN)). 29 MOTHER TREE FATHER CHILDREN Figure 12. A Graph of DESC(TREE, (MOTHER, FATHER, CHILDREN)). In addition: DESC (CHILD, (Item)) DESC (SPOUSE, (Item)). (See Figure 13). Note that the definition of CHILDREN is recursive. By the meaning which has been given to the functions, it would indicate that the relationship TREE. CHILDREN. CHILDREN. SPOUSE is possible. In the database, if the data existed, one would reference the first child's second child's spouse by TREE. CHILDREN(1 ).CHILDREN(2). SPOUSE. The levels of indexing occur at nodes which are operands of the ARRAY oper- ation. The statements of the DDL are designed to utilize the given functions in such a way that the database design becomes easier and more convenient and to help in creating the internal garaphic representa- tion. There are two basic statements, DATABASE and SET. The conceptual TREE 30 MOTHER CHILD CHILDREN CHILDREN CHILD SPOUSE CHILDREN TREE MOTHER CHILD SPOUSE Figure 13. Structural and Graphic Representations of DESC(TREE, (MOTHER, FATHER, CHILDREN)) DESC(CHILDREN, (CHILD, SPOUSE, CHILDREN)) 31 purpose of the DATABASE command is to create an entry point into a struc- ture desiqned to meet the needs of a certain set of users. The SET is the structure building statement capable of molding the relationships which are necessary. The form of the DATABASE statement is as follows: DATABASE: (, ,. . . , ) Its functional equivalent is given below: DESC (, ,. . . , )). (See Figure 14). In essence, a name is associated with a particular route of access to the database. As was shown previously, a descendant may be referenced through the entry name. Such statements, along with those defining the nature of the descendants, will describe all modes of acquiring data. No descendant may be specified as an entry name also, this violating the intentional use of an entry point. entry -name desc-1 desc-2 desc-n Figure 14. A Graphic Representation of the DATABASE statement 32 The SET statement is of the form: SET: , ,..., (,. . . ) Its functional equivalent is given below: ARRAY () ARRAY () DESC (, ( )). DESC (, (,..., )). Because this statement is the only method of describing data structures other than the DATABASE command, it is evident that all struc- tures below the entry point level are potentially a set of iterations. However, this is not a problem from the user standpoint, since the single data type without multiple copies may be considered a single iteration of the structure. The user will manipulate the data according to his wishes and extra, unnecessary capabilities should not be detrimental to his use of the database. Notice that the SET provides the ability for defining like structures under different names. Certainly this could be accomplished using several SET statements; however, implications may be derived from this form of the SET according to implementation and will be discussed subsequently. 33 Data names which have been referenced in DATABASE or SET statements and yet have not been designated as an entry or set name, are implicitly defined according to the functions (where X is such a data name): ARRAY (X) DESC (X, (item)) and thus are item arrays. This is also equivalent to SET: X( ). Let us construct an example which will show how the statements presented might be used to describe the medical database. First, con- sider the view of the physician wishing to access individual patient records. The following statements establish the root of this structure and basic formation of the record index: DATABASE: MEDRECS (RECORDS) SET: RECORDS (ID, HX, PX, LABS, MEDS, SUMMARY, PROBLIST). (See Figure 15). The data name ID represents patient identifying data, HX the patient history, PX physical examination data, LABS initial lab- oratory results, MEDS previous medications, SUMMARY the record summary, and PROBLIST the problem list. Of these, only PROBLIST is a structure and thus the only one to be defined as a set name. The problem list may be described as follows: SET: PROBLIST (PROBDESC, PROGNOTES). (See Figure 16). PROBDESC represents the problem description and PROGNOTES the vector of progress notes associated with each problem. To define the 34 RECORDS PROBLIST SUMMARY Figure 15. A Partial Graph of an Example Medical Record Definition. PROBLIST PROBDESC Figure 16. A Partial Graph of an Example Problem List Definition. latter, another SET statement must be included: SET: PROGNOTES (S,0,A,P) (See Figure 17). The descendant list here refers to the S-O-A-P format of the progress note. Under this description of the database, the sub- jective segment of the third progress note of the second problem in 35 PROGNOTES SO A P Figure 17. A Graph of an Example Progress Note Definition, the fourth record is referenced MEDRECS.REC0RDS(4).PR0BLIST(2). PROGNOTES (3).S(1). Although it may be intended that S be a single data item, it is implicitly an item array. From this point on the first element of array data may be called either by the subscripted name or by the name alone. Therefore, in the above example, both S(l) and S are acceptable. Let us imagine a user who wishes to investigate the progress notes which exist in the database without a need for knowledge of other data related to progress notes, such as the problem list. The SET statement previously given as: SET: PROGNOTES (S,0,A,P) is modified to: SET: ALLNOTES, PROGNOTES (S,0,A,P). In addition, the statement: DATABASE: INSPECT (ALLNOTES) is included. As data of this form is added to the database, it is cre- ated under both the names ALLNOTES and PROGNOTES. The former name al- lows an easier access to the data, for example INSPECT. ALLN0TES(1 5), but without the advantages of the structure which pinpoints the data's membership in the organization of the record system. The set of progress 36 notes may also be organized under different criteria, and reside in structures unrelated to record organization. Another option on both the DATABASE and SET statements is the "LOCKS" suffix and allows for security controls over any particular type of data. The complete form of each of the statements of the DDL is: DATABASE: (,. . . , ) [LOCKS] SET: ,..., (,. . . , ) [LOCKS]. The effect, in either case, is to associate an additional de- scendant with the node, one which is a data item, specially created for a security lock list. This lis provides certain types of access for various users over the data structure which is defined in the statement specifying LOCKS. The following set of DDL gives a possible specification for a family patient record system: DATABASE: MEDRECS (FAMILIES, RECORDS) LOCKS SET SET SET SET SET SET SET SET (See Figure 18. ) FAMILIES (FAMRECS, FAMINFO) RECORDS, FAMRECS (ID, HX, LABS, SUBREC) ID ( ) LOCKS HX ( ) LOCKS LABS ( ) LOCKS SUBREC (PX, MEDS, SUMMARY, PROBLIST) LOCKS PROBLIST (PROBDESC, PROGNOTES) PROBNOTES (S,0,A,P) 37 RECORDS PROBDESC SO A P Figure 18. A Graph of an Example Medical Record Definition. 38 This view of the database allows records to be included in a family, although they may belong to the set RECORDS also. Various parts of the record may be secured separately so that different users of the record may access only the regions which they are authorized for. 39 III. DATA MANIPULATION A DDL has been presented for the description of a database, its structure and the relationships between the data which belong to it. It is necessary, with this organizational scheme, to reference all elements of data precisely. The data management system utilizes the advantages of the organization when performing basic manipulative oper- ations. This system must directly interface with the database. The functions which comprise the interaction form the central module of the program set using the data. Among the tasks of the module are the input and output of data to disk storage from/to user areas. In an interactive environment, where each terminal must have attached work regions, input/output functions are designed to pass data between user- specified locations and memory chosen by the data manager. A large set of buffers must be available, and subsets allocated to a user task. Therefore, each user is working with an assigned array of buffers plus his work space. More specifically, the application program deals with the data management system and thus provides the user interface. While this type of program uses only its work space directly, the data manager needs the buffer array for a greater efficiency in processing service requests. However, in order to reference user-accumulated data, all attached memory areas will be envisioned as an array denoted by the symbol "#." Certain operations may be done specifically at the request of the application program. These are the data manipulation functions 40 which deal directly with user buffers and database elements and struc- tures. To illustrate what types of operations should be possible for the using program set, an "assignment" type statement will be necessary. The form of the statement will be: target «- value. The target repre- sents some location in the database structure or data buffer area where some form of data is to be placed; the "value" is that form, denoted by a similar notation as the target, except that it must designate existing information as opposed to a hypothetical position in the structure. The symbol "$" will be used as the last created index in an array, as this numeric value must necessarily be available for continued addition to indexed sets. Also, besides being able to discuss specific indices, positions between members of an array are important for insertions and must be referenced. The signs "+" and "-" will make it possible to ad- dress these locations; for example, "2+" will denote the slot after mem- ber two (and before three), and likewise "1-" refers to a place in the array immediately before the existing first member. It is clear that since this notation does not represent previously created data, such symbols will only be seen on the target side of the assignment statement. The above conventions will make it possible to discuss the basic func- tions required by the accessing routines for the dynamic structuring and modification of the database. Let us first consider a hypothetical database description, and show how data may be added to it, and manipulated: DATABASE: ADATA (AA, AB, AC) 41 SET: AA, BA, (XI, X2, X3) SET: AB (Yl, Y2) SET: BB (Zl, Z2) DATABASE: BDATA (BA, BB) SET: X2 (X20) (See Figure 19). Note that the ordering of the DDL statements is unimportant. It seems natural to first discuss the creation of data elements to the database. The application program through its interaction with the user, accumulates some amount of data it wishes to be known as a single item. Several variables, the state of the database, the identity of the user, the stage of interaction which the user is in, all affect the placement of that item and the name or names which will be associ- ated with the data. The following is an example of the operation to be performed: ADATA.AA (2). XI ($+) <- #(3) Specifically, the notation says that the third user work space is to be stored as the last member of the item array XI in the second AA struc- ture. An address is set in the XI array to point to the actual disk storage location. Naturally, the statement assumes that two members of the set AA have been created. If there was yet no XI entry in the structure, the "$+" would signify the creation of the first member. The target is, of course, the position of an item, as it must be in the create process since a buffer is the value. The statement: 42 ADATA X20 BDATA Figure 19. A Graph of an Example Database Construction, ADATA.AC (3-) *■ #(1) puts the new member between entries two and three in AC. Again, it is assumed that there are at least three items in AC. At the point of creation, number three becomes four, four becomes five, etc. Now con- sider: ADATA.AB (2+).Y2 «- #(2) Although it is an item again being added, this time it is to a struc- ture not yet existing. Therefore, there is no question as to the value of indices below the new level, they must be one. Another example of this is: 43 ADATA.AA (1-J.X2.X20 *■ #(1) A similar function to the create is the write. This is the process of taking data from work areas and overwriting existing data items. For example: ADATA.AC (2) *■ #(2) Note the absence of any "+" or "-"; these symbols would cause the cre- ation of new data formations. The meaning is that the second work space is to be written onto ADATA.AC (2) which has been previously created. Another write operation might be: ADATA.AA ($).X1 ($) <- #(2) Characteristic of the write is the fact that the target is again the location of an item and the value is a work space. Also a necessary function of data management in its interaction with using programs, is the read. It is the user's only method of re- trieving the data which he stores. Naturally, he can only recall items; that is, his work area is unstructured and unsuitable for any data but the simple elements. One such read statement might be: #(4) <- ADATA.AC (2) The effect is to take the data from the second element of AC and put it in the fourth work buffer. Another example: #(1) *■ ADATA.AA (2). XI ($) 44 The final manipulative operation is that of "relinking." The user can refer to the same physical storage location according to more than one name only by linking the item to other positions in the data- base after creation. Consider the following: ADATA.AC (1-) «- #(1) ADATA.AA (2+).Xl <- #(1) If the two operations were performed consecutively, the result would be two separate identical items in disk storage. Therefore, in order for this particular location to be known by both ADATA.AC (1) and ADATA.AA (3). XI, these statements are adequate: ADATA.AC (1-) «- #(1) ADATA.AA (2+).Xl «- ADATA.AC (1) A similar relinking accomplishes a replacement of existing data, and is much like the write. For example: ADATA.AA (1).X1 +■ ADATA.AA (1).X3 The difference is that no new structure or item has been created. Struc- tures may also be relinked, as the following illustrates: ADATA.AA (1 + ) <- BDATA.BA (2) ADATA.AA (3) «• BDATA.BA (1) The structures on both sides are of the same form and therefore the oper- ation is meaningful. Notice, in fact, that AA and BA belong to the same SET specification. Because of this, resolving that the two sides are structurally equivalent is relatively easy. However, consider this statement: 45 ADATA.AB (2) <■ BDATA.BB (3) Inspection of the sample DDL shows that each side has the same form, despite the fact that they are not in the same SET statement. More complicated database description, though, might cause expensive over- head of form checking. Moreover, if sets do not represent naturally alike data, then no such relinking (that of structures not of one SET) should be done. This is a problem which must be considered during implemen- tation. When like forms are defined by the same SET statement, the structure may be defined but once and pointed to by all set names. This creates the easy verification ability which was discussed earlier. A special meaning might be given to the first set name specified in the statement. If horizontal access is to be an important capability, this name might reference a master index of all structures (in the SET). This convention would cause a create of the form ($+) <- (last created index), i f 1 whenever a member of was cre- ated. Possibly not every set should have such a master index, and an additional syntactic change should be incorporated to specify a special name. Now consider the example DDL given at the end of the last chap- ter. Assume that the program set utilizing this database is similar to that of the MIS on PLATO described earlier. After the physician logs on the system, he must choose either to create a patient record, or ac- cess an old one. In the former case, he will go on to supply identifying 46 data, and the program which accepts this information performs the fol- lowing: MEDRECS. RECORDS ($+).ID + #(1) The operation not only stores the identifying data but also creates a new entry in the RECORDS set. Suppose that the user continues on into the history program. Here several history items may be created and re- trieved, such as: MEDRECS. RECORDS ($).HX ($+) *■ #(1) MEDRECS. RECORDS ($).HX ($+) *■ #(2) #(3) +■ MEDRECS. RECORDS ($).HX (1) The physical examination would call for similar operations. During prob- lem entry, the program might request the following for the specification of a subjective part of a progress note: MEDRECS. RECORDS ($) .SUBREC.PROBLIST ($) .PROBNOTES ($+).S -*- #(1) This is, indeed, cumbersome notation. And, in implementation, an easier method of reference is necessary. In addition, each level of structure must access an index list to locate descendants. In light of these things, it seems advantageous to be able to step down level by level keeping indices as they are passed. At the same time, if address vectors were also kept, when steps are made upward to change indices, the ad- dresses are there for accessing other descendants. If the above process is redone using this scheme, the physician first creates the patient re- cord with a new function which "loads" the set. Thus it will be called a LOAD and the first operation will look like: 47 LOAD MEDRECS. RECORDS ($+) This establishes the position in the database up to the RECORDS level. Then, to supply the identifying data: ID ($+) «- #(1) HX ($+) *■ #(2) #(3) + HX (1) Before the user gets to the point of executing the next given example, the following might be done: LOAD SUBREC.PROBLIST ($+) This creates a new problem entry and the subjective note may be submitted: PROGNOTES ($+).S *■ #(1) Now if the physician decides to change to a different problem, the pro- gram might execute: LOAD PROBLIST (2) All the structures attached to the previously referenced problem are aborted, awaiting operations such as: PROGNOTES (1).0 «- #(2) At this point, PROGNOTES for problem two are loaded, until something like: PROBDESC +■ #(3) Then PROBDESC replaces PROGNOTES and 0. At times, it may be necessary to manipulate structures which are not loaded, and yet save all loaded arrays in anticipation of fur- ther use. In the above example, after the physician had created the 48 record, he might have decided to add the record to some family set. The program might initiate: FAMILIES (lO).FAMRECS ($+) <- RECORDS ($) This operation would abort the RECORDS structure, and it would have to once again be retrieved for subsequent processing. So, to circumvent this, certain load functions will be done with a save of the array until it is explicitly unloaded. Two new operations then are needed LOADtSAVE and UNLOAD. And, to again follow the procedure of adding the record to a family: LOAD-SAVE MEDRECS. RECORDS ($+) FAMILIES (lO).FAMRECS ($+) <- RECORDS ($) UNLOAD FAMILIES The final unload aborts the FAMILIES index. Certainly if too many arrays are saved and not reloaded, an overflow of available array space will occur. The program set on PLATO which makes up the MIS, directly re- lates to the structure of the medical record. As the user proceeds deeper into the record, successive loads may be done, allowing each pro- gram to work at its own level without excessive overhead. This necessi- tates greater coordination between program modules. Upon entry to the problem list module the instruction LOAD SUBREC.PROBLIST would be executed under the assumption that the above structure had been loaded. 49 In order to minimize the loading operations, some items or structures might be designated as being only single copies (not arrays) as an additional deviation from the DDL specification. For instance, the structure SUBREC is only intended to occur once for each record, and therefore it is unpractical to cause an extra load for that level. Implementation Considerations To accomplish all of the data manipulation operations, the data manager must be able to internally follow the structure to address actual data on disk. Table organization is important in facilitating the process. The table consists of three basic entities: the name list, the structure list, and descendant pointers. Each entry in the name list is an alphanumeric name and a pointer into the structure list if the name has been entered in a SET or DATABASE statement. Each member of the structure list denotes the type (DATABASE OR SET) and points to a vector of descendants, each of which in turn points into the name table for the name of the descendant. Given any name, it can be deter- mined if that name is a structure by checking for a pointer back into the structure list or for a descendant pointer from the structure list. Likewise, it is possible to check for correct descendant specifications by following the loop from name to structure to descendants to names. Names which are listed in a single SET form a somewhat different entry in the structure list. The first one given will set up pointers as usual, but the others instead of pointing to a distinct descendant 50 vector, will point to the first name's vector. This will closely con- nect the names of a SET statement; checks for like structures can be done by comparing pointers to descendant vectors. Along with the data description table, there must be a table of addresses for the descendants of each entry name defined in a DATA- BASE statement. These addresses point to disk space allocated as arrays of addresses of further descendants. Each such address vector is as long as there are members in the array, and an entry in the vector is as many addresses as there are descendants to that particular set name. It is this type vector which is loaded during execution. At these times, very large arrays become impossible or impractical to load completely. In this case, the capability must exist for loading the array partially while unknown to the user. Then for access to other portions of the array, another partial load must be done. In addition to the functions discussed for database modifi- cation and retrieval, the using program must have available a system of status flags. With checks on these flags, certain pertinent infor- mation can be learned for processing, including error signals and the state of the database. Present indices of loaded arrays, range of pos- sible values, and security status should also be acquired through the system. 51 IV. SUMMARY Health care is indeed a large and growing industry. It places a great demand on our national resources, be they human, technological, or otherwise. If the nation is to fulfill its commitments for compre- hensive medical care, it must responsibly and efficiently utilize all such resources. Over recent decades, the computer has come into view as an aid to a spectrum of applications. Its computational powers were apparent at its birth, many years ago. Since that time, the computer has evolved through advances in electronics, and systems have been con- ceived for the processing of more than just numbers—information. The very generality of the concept of dealing with information, storing, translating, and retrieving it, lent usefulness to a nearly inexhaustible list of disciplines. And now, many uses are being realized, others investigated. Among the latter is the medical information system. Many years ago, the medical record could have been stored on the computer. However, in its nonstructured form, there was no advantage over paper methods, and was, in fact, costlier. Research done at the University of Illinois has demonstrated that the record keeping process can be cost- effective on a PLATO-like system. In addition, recent advances in re- cord organization have improved the data gathering and retrieval process in patient care. With the structured problem-oriented medical record, the physician's clerical functions become systematized, leading to more complete patient data. The hierarchical nature of the data is natural for computer programming and presentation. The PLATO system, 52 in particular, can graphically display portions of data, further illus- trating advantages of automation. Through physical access to the ter- minal, the physician may acquire elements of an entire database, bypassing tedious manual filing. And, if properly used, facilities for touch input can reduce the time that the user requires for entering various parts of the record, and possibly create a more acceptable atmosphere for inter- action at a terminal. This man-machine interface is an important sub- ject under investigation particularly relevant to medical record computerization. Physician acceptance of any system is an undeniable criterion during development. It is just this fact which requires health care personnel participation in the research. Input from physicians and nurses at operational testing sites can be invaluable. The means and environment exist for an adequate medical infor- mation system. The great advances in medical record keeping have in- spired research for such a system. Establishment of the initial data- base for the patient marks the creation of the record. With the knowledge that the physician acquires from laboratory tests, a patient history, a physical examination, and the patient interview, he can formulate a list of problems upon which he must take action. It has always been an important task of the physician to discern what observations may be symptomatic and what may be diagnosed from symptoms. The problem-ori- ented medical record only proposes a method of organization. Yet, it may be sufficient, in itself, to improve the quality of health care delivery. With an increasing number of specialists, a clear, precise record, more easily understood by a multitude of viewers, is definitely 53 in need. The problem list provides an index into the record, and a great deal can be learned from a cursory glance. The physician takes his knowledge of the patient, and uses his training and experience to initiate a plan for treatment or tests. Certainly, more data is gener- ated, and thus, the cycle begins-- the evolution of the record by the continued addition of progress notes. The structure of the patient record leads us to believe that we can more formally organize the medical database to best serve the corps of interested users. It is clearly evident that not everyone wishes to deal with every facet of the record, or even the record itself, as it is thought of conventionally. Nor is it wise to allow semirestricted access to confidential information. Therefore, the criteria for data- base organization must be capabilities of flexible modes of access and security of all levels of structure. Naturally, this includes methods of forming the problem-oriented record. The MIS project partially meets the requirements. Vertical accessibility is possible for the physician, nurse, and clerical personnel, who desire data associated with an individual. Programming allows pieces of the record to be re- lated together, but no internal structure is maintained beyond a sep- aration of identifying and medical data. Security is leveled at the two areas distinctly and by user group. It should be the function of the database management system to impose a structure on the data, thereby leaving items for user-defined data only. Also, all operations involving the basic management of 54 the disk memory should be transparent to the user. A proposal has been made for describing the medical database. All segments of data are stored according to the nature of their content by a particular name. According to the descendant relationships which can be defined, a referencing convention has been described. In addition, structures may be iterated for sets of like data. The system allows the applica- tion program to generally handle data which is relevant to its purposes and not need to concern itself with the more basic maintenance functions, The data description language makes it possible to specify what the database will look like to a system which is designed to operated on any structure described thusly. The using programs also have available a set of transactions which may be made with elements of the database. These actually consti- tute the interface between programs and the data management system. The functions allow for the storage and retrieval of user-accumulated data from and to work buffer areas. Security, another necessary quality of the system, may be required at any hierarchical level of data. The method of individuals belonging to groups, as implemented in the MIS project, appears to be a viable means of categorizing potential users for security classifi- cation. The health data collection process is one for which the phy- sician and related personnel are largely responsible; therefore, patient data generally originates in the medical record. Proper formation of 55 this documentation betters our chances for complete and responsible treatment. If computers are to be instrumental in bringing about the utilization of technological tools by the medical profession, then the correct weight of efficient record keeping must be merged with a sufficient amount of natural organizational database characteristics, to produce a smooth, practical information system which has the approval of those who directly interface with it. 56 LIST OF REFERENCES 1. Weed, H. R. , "Biomedical Engineering in Health-Care Delivery," IEEE TRANSACTIONS ON BIOMEDICAL ENGINEERING, Vol. BME-20, No. 3, pp. 161-164, May 1973. 2. Ball, M. J., "Medical Data Processing in the United States," HOS- PITAL FINANCIAL MANAGEMENT, Vol. 28, No. 1, pp. 10-30, January 1974. 3. Williams, B. T., "Source Interactive Medical Information System." A grant application for the Regional Health Resource Center. June 1974. 4. Grabieli, E. R. , "Computerization of Clinical Records," Vol. 1, Ch. 3, pp. 1-5, Grune & Stratton, Inc., 1970. 5. Weed, L. L., "Medical Records, Medical Education, and Patient Care," pp. 3-123, The Press of Case Western Reserve University, 1971. 6. Sandlow, L. J. and P. G. Bashook, "Problem Oriented Medical Re- cords (Self-Instruction Handbook)," pp. 2-30, Michael Reese Med- ical Center, 1974. 7. Harmon, L. D., "Some Problems and Priorities in Health-Care Tech- nology," IEEE TRANSACTIONS ON BIOMEDICAL ENGINEERING, Vol. BME-20, No. 3, pp. 216-220, May 1973. 8. Saltzer, J. H., "Protection and the Control of Information Sharing in Mul tics," COMMUNICATIONS OF THE ACM, Vol. 17, No. 7, pp. 388- 402, July 1974. 57 APPENDIX The following documentation has been copied from specifica- tions for the Patient Record Manager which reside on-line on PLATO. The data management system of the medical information system is pre- sented in detail. The figures are reproductions of their PLATO screen appearance. The Patient Record Manager Version 2.3 System Specifications by David Mueller Robert Rush David Fumento June 26, 1975 14.14.25. Part I. General Overview 1. Introduction and Goals The Patient Record Manager (PRM) is the component of the Med- ical Information System (MIS) which is responsible for the storage and management of patient records. Specifically, the PRM 1) creates and maintains the patient record on permanent storage, 2) inserts data into the record as instructed by the input components of the MIS, and 3) re- trieves information from the record as instructed by the output compo- nents of the MIS. Access is vertical by patient record rather than horizontal by data item. The PRM must meet sets of criteria imposed by the nature of the medical record, by PLATO, and by other components of the MIS. First, the PRM should be able to maintain records which can expand to any size and maintain their security, confidentiality, and integrity. The PRM is responsible for storing and retrieving all data in the patient record, but it is not responsible for maintaining the relationships between the various data items. It should give as rapid a response as possible and should allow for record reorganization based on use patterns. The PRM must operate within the constraints imposed by PLATO. It should require as little duplicated code as possible. Further, it should make the best use of the algorithms used by PLATO to allocate system resources such as CPU, ECS, and the disk channel in order to a- chieve adequate response. Within the constraints imposed by the MIS, the PRM must use no more than 1,000 words of storage for i/o buffers and work and status variables, and should use no more than 6,000 words of combined common and condensed binary code. Since the structure and access patterns for the medical record are presently a topic of research, the PRM should be flexible enough to allow for changing approaches. It is also desirable to be able to insert with relative ease routines to monitor the pattern of use of the record. Finally, straight-forward, simple procedures for accessing the PRM are desirable. This report describes the components of the PRM which attempt to meet these requirements. First, a general overview of the PRM is given, followed by detailed descriptions of each component. 2. Record Security We believe that at least two record security problems must be handled. The first is the use of the MIS to gain unauthorized access to the records. To combat this, the PRM will provide site checks in the router to restrict the lesson to specified terminals. In addition, passwords will be required to enter the system. Finally, the PRM pro- vides "by-record" access control so that otherwise valid users may be denied access to certain records. Each user is assigned a twelve bit user number and a twelve bit user group number. Each record has associated with it a table containing an entry for each user group recognized by the system. Each entry gives the level of access for that group to that record, as described in section 7.1.1. This method allows greater ease in creating and changing access rights, and results in a shorter access control list. The second security problem involves bypassing the patient re- cord system entirely and reading the data files directly. PLATO provides a minimal amount of protection in the form of code words attached to the file. This is sufficient to prevent casual browsing through the files, but is an inadequate defense against determined attempts to read the files. Not only may the code words be broken, but the code word system may be bypassed entirely as is done when system changes are made to lessons. Therefore, in addition to placing inspect and change codes on all lessons and data files, the records themselves might be enciphered. Each record would have associated with it a cipher key, which must be used to decipher the record. The cipher keys would be kept in the Master Patient Directory, which is itself enciphered. The Master Directory's cipher key would be changed and the Directory reciphered as often as is necessary to protect the patient cipher keys. This level of security may be more than the users are willing to pay for, and, since most of the data is encoded by dictionaries, a trivial level of enciphering is already employed. Therefore, the initial releases of version II will not employ ciphering and ciphering will possi- bly be introduced in later releases. 3. Flow of Control The PRM has been divided into four major components: 1) the Sign-On Component (SOC), 2) the Master Directory Component (MDC), 3) the Item Management Component (IMC), and 4) the User Service Component (USC). These are described in greater detail in section 5.1. Briefly, however, the SOC is responsible for identifying and validating terminal users and the MDC for allowing the terminal user to create new records and access old ones. The IMC and the USC as a package provide data storage and re- trieval functions to the applications lessons, the IMC executing the functions and the USC providing the interface. The way in which the above components fit together is important to understanding the overall structure of the PRM. What follows is an overview of the sequence of operations carried out by each component, with descriptions of what the terminal user sees and what the applications programmer must do. 3.1 General Overview (see Figure 1) The terminal user will see the following sequence of operations. Using the SOC, he will identify himself to the MIS. After verifying that he is a valid user, the SOC will exit to the MDC to either access a patient record or create a new one. The user then has the option of entering or reviewing medical data in the record using the IMC, the USC, and the ap- plications programs. At any time he may return to the MDC to request another record. ' ' '.J —I Ti " l._.l i h ill t- iD ■ ■-• 4-' +> V'\ ti V > LL ct: t/H 4- 1 C " Ti V i- +j its i 1 Q. Q:': 1 i'll'l i. .i i l TJ :;:. q'j ill'l 41 (0 i r i £ Q... Ill JZ -r-t 4' 4-' ill f i i '1.1 • r-t 1. 4- 1 4-' & 0) i~ 3 3.2. User Sign-On (see Figure 2) The identification and validation of terminal users is based on the following structure. The users are divided into user groups not mutually exclusive. All members of a single group have the same access to the same set of patient records. Thus, each user has a user number and a group number associated with his name. Access to the records is based on group number while trace information is based on user number. This is described in greater detail in section 4.1. The user first sees a copywrite statement for the MIS. Then, if his terminal is not designated to the auto-sign-on, he is asked to select his group from a list of groups and his name from a list of users in his group. Selection may be made either by touch or by keyboard entry. If only one choice is possible on either of these pages, the choice is assumed and the page is skipped. If the terminal is designated to be auto-sign-on, the prespec- ified selections are made and the user is asked to fill in the unspeci- fied selections. In any case, the user must enter a password and is then taken to the MDC to select a record. The user may also go to a page listing options available to unidentified users. 3.3. Opening Patient Records (see Figure 3) After entering a valid password in the SOC, the user is asked for the PIN of the record he desires. Based on this, the Master Directo- ry is searched. Three outcomes are possible: 1) the record may not Open Pat l ent Record J_ r"'i Hr""" U 3 4- 1 U J c in. Ld ip 1. j i~ n>. — rt^r**" \- . ^' l III I 1 V ■. ■ 1— 1 ■+-' ■+■' '■ ■' Cl 4-' . n iji 41 £ r-l in 4.i C CO V. s. X X X X ■v. X .. X 4-' r 'i i"i 4' "i 3 K U J drt X / 4- 1 / - r-4 L J a P □ C\J CT> V o mi £ i- u a.' 4-' !- 4-' iri u'J iTi Mil x- ■-* U it! 1- ^ "0 'i 1 'l- lll i. > il i a.i + iT'i LJ 'I' T 1 1* "l c V 4-' 4-» • i-H 1 1 4- 1 aj Cl —i o a.' in '1.1 N JQ T5 ■ '- 1 iTi £1 «— i (— • ■Hi Hi 4-' 4-' V H.I ■- • +> L r ' £ 10 • •-« ">. CO .-•• \ CO 0) $- exist, 2) the record may exist but the user does not have access, or 3) the record may exist and the user does have access. In the first two cases, the user is informed of the situation and allowed to re-enter the PIN. If the record does not exist and the user does have access, then the brief data page for the record is displayed. At this point the user has the options of 1) editing the data page, 2) editing more data, 3) changing access rights, 4) proceeding with the open, or 5) exiting all of these subject to his own access rights. If he edits the data page, the results may be stored by proceeding or ignored by exiting. If the user desires to proceed system control blocks are obtained for him and he proceeds into the record. 3.4. Create Record (see Figure 4) After selecting the create record option on the PIN request page the user's group is established as the owner of the record. This sets up a predefined access control list for the record. The user is then taken to the brief data page. The patient name is required at this point, and other data may be entered as desired. The user may also branch to a page which allows him to alter the access control list, or to a page listing more ID. On each of the three data pages he may abort the entire procedure. Upon completion of either the brief data page, the more data page, or the access control page, the user may order the record created. u v v v £ £- b.O iD iTi ill 4- 1 iTi , 4- 1 - +J r 1 f t i i t >. { , OH Ml ill |i hj itl i ) I \ OJ \ \ \ \ \ Hi "0 4-' i- iTi ( J ill n k~ i U iD £ 4-' irj irj 1' 4 n |] i U T5 c OJ +> 4-' ■-< u 4-' a.' o .— . 'w' •I' w a.i m T? h Hi fti — " _& iD' iD 4J —, (— 1J 4-' I' P l i-H I I 0) O) At this point a Patient Index Number (PIN) is assigned to the record, and the Master Directory and Patient Directory entries are created and ini- tialized. The user may now elect to enter medical data or exit. If the choice is to open the record, system control bocks are obtained and ini- tialized and the user is sent into the record. 3.5. The Item Manager and User Service Components (see Figure 5) The Item Manager Component is called by the applications program using the facilities of the User Service Component. This component con- sists of an interrupt routine and a collection of interface routines, one for each function provided by the Item Manager. The applications program calls an interface routine for the particular function it desires. This routine, after setting function dependent variables, calls the interrupt routine, which sets the interrupt variables and signals that an interrupt is present. The IMC consists of a driver and a collection of routines for performing the IMC functions. Upon receiving the interrupt signal, the driver determines which user is requesting service and what service is desired. It then calls the appropriate routine to actually do the work and, upon its completion, signals completion to the interrupt routine in the USC. The interrupt routine, which has been waiting for this signal, now transfers data from IMC buffer to the applications program's data space and returns control to the calling routine. Should a disk error I— 1 ! "'••, r V ':• ■ i-h Q •■— 1 i—l 1- 3 H.t o en li k 1 1 ; i/i n ^ — + £ a.' V 4-' a. t i< U LL CO U1 CM CM f CM CM iS! S| iS| VI *-• VI *-" VI VI ii ii ii ii ii ii i*. ii £ vi C £- C C C C C C VI C VI £ VI VI CM CO <-• *-" y i- i' i X 1- Q u fj o r"i LL ■ rH O .. Q_ IX. 4-' 'U-I •l.i ( i ill • f— 1 r U'J iTCi V T5 "U 4-' i- Cl —• 4-' u 1- o U 'X £ E £ E u 4-i 4-' C I-H I— I ■is m i' ii' 4-' U — ' 4-' 4-» 4- 1 a.' J- 1' >; 1J ii Q U Q Ld CD Q. a." U it i— • Cl LL cu S- type of service offered by the Record Manager. We assume that these operations can be divided into a class of common operations and a class of much more infrequent operations. The more common operations include Get Item, Put Item, Lock Item, Unlock Item, and Create Item, with the last being the operation least frequently used. The infrequent class in- cludes the rest of the operations in Figure 6. This gives a rough aver- age of one disk access per call. Assuming that PLATO allows an average of one disk access every 15 seconds to each individual terminal, the IMC would be capable of handling an average of one disk access or call every 15 seconds for all users. Thus, if four users were on, they would be limited to one call each minute. Three users would be limited to one call every 45 seconds, two users to one call every 30 seconds, and one user to one call every 15 seconds, on the average. The figures given here are estimates only, so we intend to measure several parameters in order to make any changes necessary to ensure adequate service. At present, we plan to collect means and standard deviations on the number of disk accesses per call to the IMC, the number of disk accesses per Get Item, the number of disk accesses per unit time in the IMC, and the CPU usage per unit time. Other para- meters may be measured as needed. Part II. Component Descriptions 6. The Sign-On Component 6.1. User-Group Structure As described in section 3.2, the terminal users are divided into groups. These groups are not mutually exclusive, and may consist of as few as one user. Each group is assigned a number when it is entered into the system tables. This number is associated with the user when he signs on, and is used by the PRM to determine the user's access level to a re- cord. Each user is also assigned a number when his name is entered into the system tables. There is only one number assigned to a user, regardless of what group(s) he is in. This number is associated with the user at the time he signs in, and is used by the PRM to provide trace information. This structure provides several advantages. Since access rights are based on groups of users rather than individuals, initializing and changing access codes is fast and easy. A great degree of flexibility is maintained, however, since a group may consist of a single user. Thus, if access control is desired for individual users, these users may be defined as single user groups. Furthermore, since a user may be in differ- ent groups, he may be granted different access levels to different sets of records. This structure is implemented as a set of three tables. One, called the user table (see Figure 7), contains the user names, user num- bers, and user passwords. The second, called the group table (see Figure 8), contains the group names, group numbers, and group templates. This last field is a template used by the PRM to initialize record access lists; if group i is the owner of the record, then the template for group i will be used as the initial access list for the record. The last table defines the relationship between users and groups (see Figure 9). If user number i is a member of group j, then one of the entries in the relation table will be (i,j). While the group and user tables are unordered, the relation table is ordered by group number. This ordering makes it easy to access all the members of a particular group, which is the present scheme in the SOC. However, the same structure could be used fairly easily to obtain all groups containing a particular user, if a change in the SOC is de- sired. Finally, to provide an auto-sign-on facility, an auto-sign-on table is kept (see Figure 10). This table relates station numbers to user and group numbers. An entry is made for each station which has an auto-sign-on capability. The group number, or the user number or both numbers may be associated with the station; if one is omitted, it must be filled in at the time of sign-on. Each of these four tables is implemented as a set of parallel segmented vectors, one vector for each field. The same index is used to reference each vector, thus giving a complete entity. , M'l f_j ~T5 i, J i; 3 4-' i - i • i-i i- o t Q ]._ i"i !— CO V 3 O z ri 'l-i £ 5_ iri CO 1.0 4-' '*- r r fc. ■ ^H i;"j V Cl OJ L J '1' Li. 'I 1 CD j -U _ .* -U — ' J** _' !t t o E Q c C E C\J £ 13 !*-. 3 t _i £- Zi O -i_ (J) ji - (3 ■ ,= — '■!> Z i.O i i' fc. i' -H t_ f i' V r V i- 55 ■-* 4' r j V 1* *t OJ o III _Q •OJ in d in d i.i.i lZ hi £ i ■*1 i — j i J j — i •"'■■J «~r ji— ji— .jl~ jll— *"" ' 3 ^ 10 4-» *- L- ■ S- • i— « S- ■V *— V i»— V t- ct: u LL "■ a; U -J o o 'X (I M u"i Q: (_) f u 1- i— i X ( 1 Q£ _.-* LJ ll_'J _l ^ i;"~;i U X' X \- y~ X i;_j V Q U X U h- Lu i— i H H _l ";- d i_i Qi CO X OJ ». U O 2- u „.•* x: n l_ co I Q o i tr U H- 1 _j i— i . _J h- ( r l X ■X Lt' : Ld LI i;~|i Q: I o tL \-i LL O'.i L. fl _l i— i \\ \\ Ld CO Q E / b; '•••:'' M £■"' h- Or _J LJ X ( ) _l z~ c ~: hH l__ HH a: / Qi CO X *;— hH 0_ & u ■ .— < i- C -■" ■4-' J Itl *~ ID Q !L ill a.i LL '■ •' LL ■;!;- _ k. _ u _■■■-. r -i— ^^— -Li •—* 1 •*- -I-' 4-' ■ —< Q « — i i * !- cz .+■' iTi iTi -j— ■ iri r— 1 V a." -I-' N Lj_ -< I x -I-' '~ ■ — i V Hi ~>: , — i O ~i •—< I V id' ~i r— '--' "~* i»~ O «— t ■ c Q h- U"l '> Q: t— t ,-H jZ *y CD • iD • U r -W *— 1 'l 1 — 1 h""i 'U Q: .' 4-' ■ — i fh OJ T. Tj *— r-H i-|fl i;*.i ■— ( V J^ III i;_;> 1— - 1 i r i 1 — 1 »H r "i > — j Ld u. 22 T'i — C I~ ''-*-* ■ p-i r* '■♦-< r > o ■ >-l (U m* lil D D D D «T5 -2 u CO CO .o 'I' V (0 — H.i •1.1 > 00 (0 «u Q [ii in u Zi a. in n 1 in ~i iri o Ld CO CO n Ld l-H ■ r-l l*"*l t" CO h r— * Ld M i—* (- a: ■X o CO Cti '-+-* ".■- Q_ ,■• CO 0_ V cr L±l )~* Q +J Or Q o Ci ct: '+-) fjl ■ S- and sensitive information. For security reasons this information belongs in the Master Directory entry for that patient. It is necessary to ob- tain this entry for any access to the patient record. In addition, there are certain functions available to the terminal user which involve only the Master Directory. The content of the Master Directory entry can be logically divided into three distinct sets of data: 1) the system control data, 2) the patient identifying data, and 3) the patient sensitive data. A discussion of the structure of the Master Directory will include a de- scription of the scheme to address Master Directory entries and the or- ganization of data within the entries. 7.1.1. System Control Information Included in this subset of the entry are pieces of data which are needed by user routines for system chores, but which are not personal in nature. The following are fields which belong to this group: Cipher key 60 bits Access Control 3 bits per user Link to item list 15 bits Trace information 60 bits The cipher key is used in ciphering the record by means of a method uti- lizing the logical difference operation. The access control field is a three-bit pattern for each po- tential user group. The field assigns to each user group a type of access Figure 16 lists the possible patterns and their meanings. Owner access allows the user to modify the patient record and, in addition, the access V i.O i.O a.' o II iti ?! '3 •rj U"3 — ' •"• T3 ITI ill 1 — 1 lj£l i^t ■^-1 T— 1 O +■' i.O lO V 1 — 1 fl5 o iri 4-' q 4-' iti •iti I'D — r-r "jrr 'i' 1 1 4-i ,..- H illi o • ,—1 it '1.1 ii3 •+-■ iti 'Ii (' ifi (0 1i ll"l o i.O V •ti u i- iti V C —> '■-■ _► "^ o a.' 1' mi (52 +-' i i iti hi if l V (Jl llj 41 mi m 4-' 1.0 io Q •ti li iD () V iti 'I' IX iri 'I' LI. iti iti Oil a.i i iTi ly mi id in r ;i U vo a; s- cn control bits for other users of that record. Read-write access to any part of the record allows modification of that part by the user, the single exception being permanent data items. The Item List is the backbone structure of the medical record for a particular patient and it is necessary that the Master Directory point ahead to this list connecting all parts of the patient record. The trace information, for the purposes of this discussion, will be the user number of the creator of the record, the date and time of creation, the user number of the last user to access this record and the date and time of access. This field could become several words long if more information is needed. Another link field in the system control information which con- tains a link to a special second page of sensitive data which may be de- fined at some future date. This data is medical data and is considered to be sensitive, but not of an identifying nature. This extension may also require some type of access control. For a system with 20 groups, an assumption which will be main- tained throughout this discussion, the system control information is four words long. 7.1.2. Patient Identifying Data The second page of patient sensitive data will not be discussed further because its content is still largely undefined. Those items which tend to identify the patient, the so-called "identifying data," will be detailed here. Several of the fields, such as the patient's name, contain variable-length information which is padded on the right with null char- acters. Figure 17 lists the fields belonging to the identifying data. These fields represent a maximum of 64 words. The exact arrangement of data is not a problem here since, as will be shown, there is some extra space, in fact, very little compaction is possible. 7.1.3. Master Directory Structure A path to the patient record must begin in the Master Directory Index (Figure 18). This index is a list of the disk addresses of all Master Directory physical blocks. Since each physical block represents four entries, the index entry actually points to records 0, 4, 8, ... And addresses for other record entries must be computed as offsets into the physical block addressed by the preceeding multiple of 4. Specifi- cally, the n element in the index list represents record number 4n and the address A of any record number i is found by, A = index (int[i/4]) + 80 (i - int[i/4]) words. As was mentioned before, each 80 word entry is logically divided into a four-word system control block and 64 words of identifying data, leaving 12 words as yet unassigned. The Directory Index uses one word per four index entries and four records per index entry. Therefore, allowing for 1,000 patient records, the list will need less than 63 words. 7.2. The Master Directory Component Modules The MDC may be viewed as a collection of modules each accessed I t J III III III "P T5 75 T7 T 1 h'i i.i i • t' t* l L I I l l i*— i»— &- +- *- -T- -T - •^ 43 CM III in I.I.I ~T> 7) '<".'> 10 i.i "J "0 £_ £_ £_ 4- 1 4- 1 S- r"j T'i Q ■ »-h i— t ;f i ~\ i "s '. J '. j "1 *-i ro Lf, i£i ^t i • CO CM Ml UJ ■ ■ ■ "O "0 hi \f) 'III' I II _l_l l.l O ' H '~' 3 • 3 3 3 3 _Li aj 1 1 .i -i — i i—i -i — i i" "i ■ O i' I (":i V 0) "7^1 —i Q :' h'i 1 1 Q i t ( j 3 i 1—1 H- ) CL (J) Z ft i o V O ll l '1.1 '1.1 F-l Q 4- 1 ii -... i~ t i r&4 4-' g 'U _H i~ CD • pH Q '^CZZ-- / / / 0.11 0.1 1 au O.0 !i.. i i 1 ■ **■ l~ ■ i-H i-H ■ r-4 • r-( '+■1 Ifl '.|...| 'Hi '■■♦— t iTi '4-i ifl .,-, 4 j ■rl 4„< ■ I-H 4- 1 ■-( 4.' 4-' ID ..}...' ill 4-' iti 4-' iTi £ L j 1 I i 1, LJ 1- Q 4.1 q.' "U •U r 'i i 1 'i r 't i" 'i i— i 1 1 (— t h~ 1 __i , — | i— i r— 1 k £ f r" !L c !- £ 4-' i-' if) 4-' o 4-' £ ^r-H i_ rH 1- • r-t 1- — 4' Q 4 .i l| > ■V 4-' U *tTj (_) iT'l 1. .1 H) U (d l_ s[ 5 .. L_ £ U L .. *~ C! i<— L_ *- V Ill if) 'ii I.' 4-' '- 1 .4' '■+H 4-' ■^H 4-' <+* i.O c III 1 1.0 C 10 c >. H M -•'\ 1— H :\ hh !' CO CO CO CO by interrupts. The interrupts are generated by touching the routing boxes at the top and bottom of the screen. Each module continues to perform its task until one of the interrupts is recognized. Depending on the module executing, the sequence in which it is executing, and the interrupt, control is passed to another module. The first module does not regain control until its interrupt is recognized. Each of the modules is discussed below. 7.2.1. PIN Request Page (see Figure 19) This module is responsible for retrieving a Master Directory entry during the open patient record sequence. It obtains the PIN from the terminal user, reads the corresponding Master Directory entry, and checks the user's access rights. If an entry does not exist for this user or if the user does not have access, he is informed of the situation and allowed to either reenter the PIN or exit. If the entry does exist and the user does have access, then he is sent to the display data page. The user may also ask to create a patient record, in which case he is again routed to the brief ID page, except that the mode is changed to one of inputting data. 7.2.2. Brief ID Page Display (see Figure 20) A subset of the patient identifying data is displayed to the user so that he may quickly confirm the record as the record he requested. The user may change any data element by touching the screen where the element appears and entering the change. U.I CO □ Ld L0 D V en I— LJ U D CO i 1 1 1 (U Ld ':-:' i- Q: V 3 CD Ld c J T5 •r— u My £,.J i U- •: r i C3 a: ■ i—i i r i r-.j l'"~'l CO -X L LL. IE L.0 O' C£| CO fill iTi iTi □ D 7.2.3. More ID Page Display The remainder of the patient identifying data is displayed to the user for verification, input, or modification. Again, he may edit some data element by touching its position on the screen and then entering the change. 7.2.4. Change Access Rights Module This module allows the user to change the access rights to the record if he has the right to do so. The user is given a list of the groups and their current access rights and allowed to alter these. He may also specify a new record owner. If he does so, the access template belonging to the new owner is copied into the record's access vector. The present user keeps his original level of access until he closes the record. 7.2.5. Store Data Module When completing the creation of a patient record a PIN is assigned to the record and displayed to the user, and the Master Directory entry is written out. Space is obtained for the Item List and the Item List is initialized and written out. The user is then given the option of either opening the record or going back to the record assignment page. 7.2.6. Complete Open Module When completing the open record sequence, the module first checks the access rights to the medical data. If access is granted, the routine reserves control blocks. Finally, it sets the user's router variables and goes to the option selected by the user. 8. The Item Manager Component 8.1 . Router Common Router common is the basic communications area for the Record Manager. Here are kept all the data structures which allow applications lessons to access records once they have been opened. These data struc- tures are divided into four general structures: 1) the Patient Directo- ries (PD), 2) the User Banks (UB), 3) the Item Data Buffers (IDB), and 4) the System Status and Statistics Tables (see Figure 21). 8.1.1. The Patient Directory One PD exists for each record which is open (see Figure 22). It is initialized by the MDC, and contains record status information and the Record's Block List and Item List. All of this is read from the disk The status information includes the record's cipher key (currently not used), pointers to the lists of free space in the record, the length of the free space lists, and the actual number of items present (see Figure 23). The Block List serves as a translation table between the logical block numbers stored with the other item information and the physical block numbers required to read the data. It contains one entry for each physical block assigned to the record; each 15-bit entry gives the physical block number associated with the corresponding logical block. i.O 'U .— . • i— ' .— . 10 , — Jl i- X V- « n"i O .— . x CJ .'I- 1 .— .. 3 — Ifl U"J ifi 4-' itj '•+•■1 i.O 4-' 4-' "0 M «TS iti a.i ( ) HJ •!+...( T5 : IT) 1.0 J_ C V 4-' n"i a.' ~1 c. •+-'. "* ii5 mi i. 10 t_ i.O . CQ Ct U.I 4-' 3 CD i.O Cj ^ ■..' ■ i— i cy rS iri "y '•*-» i- Q £• --,..,. £ 4- 1 1" r i' EZ **H t* ;i o r" 'S' HJ CO a-. 'I' a.i ~i 3 4J . 3 V '■£' 4-' CO ifl 3 4-' CD £ +> *"H ip ~0 "~" _j .1— 1 iS| dl u\ ,:■:. '•_.•• -■ : \ !*- 00 • csj ■ ■— i CO Li CO IT) co 4-' CO iri -•' ol CVJ i.O ~i 1.0 4-' .— .. 4-> ..->. ..— ., Ci.fi •-. 1.0 ifi 10 io to -P i.O iD l0 4 ' 4-' r "i — T> i.O ( ;i i — t T'i ■ r-l 1.0 . CO il _J t- ■ r-» c L. fc. CD i; j o _J l'"l I, ,1 V- 1* *l 3 M 3 3 . -C • 3 c i;";i c. Q c (j Q 3 1- 'Si 01 wD ifi iEJ ifi 1 1 ' — ' — * CM 4- 1 a. 4-' •£• 4.1 Li. i' CD w .HH CM 4- 1 '•-■■' 4j '•--■'' o. • • ' — .-. "0 4-' ad *-* t- lO JJ _l 1.0 v •- • i- • f— 1 4-' i.6 -£i i]j ■+., -=> _l S! a.i tj — . ■j _J T— 1 -H t- -Q _£ IA • ~ |Z o | T- M ~ 3 Lfl ~ --'' ST., o *-' in Q_ *S> w f 4-' ' ^r 4-' Si 7? 4_> ^H • £1 Hi •'•♦-< 3 i— » • .J iss 4- 1 _l •r— 1 (0 10 — ' 4-' • ~* .— . - .-— . _i m .3 10 ,— , fc. 4- 1 HH 75 4-' 10 1.1 TJ - H HH li ■ 1—* Jl' 4-' -P J- jD ifi l'"j 4-.' iS) 75 +J ,--. C <•-« ~i u.O f £■ i.O ..Sj •»h 3 u-i r? LA T— 1 ijl ■:+..., T ; ; H • ■-< 'jO 4-' •-* .—. +> _J lfl u.i) csi "$_ 1.0 ..Q 1. 3 '— ■ •_l U"J i- +■' t- 75 4-' ' i— ■ * £ _J Si V T5 ■* 't' S- ij'jl J •r— 1 4-J S- JJ 4-' ■_-• C -1 — « 3 LA 1 — 1 .— . ,,_ ' 'S '■— •■ *io Q. S '-' DL ^ r" 4J • *"■ f-H 4-' Si 7J hii »-• c C 4_. ..•-. 10 J^ ■ i— i HI C„ 3 _l «sj ' 4-' 4- 1 _J r—t [0 m .-. U'J •—• 4J - m 4-' " -l _J 1.0 t. j_ 4-' lfl 4-' i ■ r-4 4 J Li "•■ 7? 4.1 4 .i .,■■, C _0 u-, r o O.ij f_ 1.0 .ii •»H _^£ T" i ■ , i -.; u-. C '•+-■< ■ , .1 o " - ▼—i Hi o ~ ;::; - 1 &■!' Q_ la Q_ isi oo _.j -~ ; - CO CM Q C (_ Ji •:■•,! 3 t -j L_ S- zs 8.1.3. The Item Data Buffers The IDBs are used as I/O buffers. When a block is needed from disk, the IDB allocation table is searched. If the block is found, no read is necessary. Otherwise, the allocation table is searched to find an empty IDB, and, if none is found, the one currently used by the sta- tion making the request is used. In either case, the block is read into storage and put in the IDB selected. Since one IDB may be assigned to each user, there must be at least as many IDBs as there are UBs. 8.1.4. The System Status Information The System Status Information includes IDB and PD allocation tables, the disk allocation bitmap, a buffer used to contain items while they are being extended, and miscellaneous information (see Figure 27). The miscellaneous information includes the station number of the pseudo- terminal and looks for the initialization routines. These are used to prevent users from entering the system before initialization is complete. The IDB and PD allocation tables are both 15-bit segmented vectors. Entries in both tables are pointers to the disk block from which the cor- responding buffer was filled. The bitmap contains one bit for each block available in the database. The bit is if the block has not been assigned and 1 if it has. Statistics are kept to measure system performance. Current data collected are listed in Figure 28. U.I 1.0 — — 1 r— — ■ --'-■■—' — 3 i 'i ____ ■ £ i.O .— . .— V IN Q , 1.0 Q 1.0 U'i |Z Tji • i-» 1.0' "H T> ■ r-< ( j &.. "T5 mi J_ 4-' V XI 4-' 'U £ 4-' r o LJ y _Q 3 • 1—4 3 4- 1 3 4" Q irj ^? 1— 1 mi 4-' • f-H (J CO i — i h- i— < [— ££i iti '25 OJ Sj i.O ■— •■ . — i f .-H »H 4- 1 U"i '-••J 1 -H • 4' CSJ s- 4" 4-' -o ij 10 3 1.0 - -h 4-' m l.O ■ «-H ■ r-t V !L- U '■_.' *~ U'l (J £ o cz t- Ifl j- !»- +' *— « 8.1.5. Length of Router Common The length of router common may be calculated from the following formulas: Common length = Length of system status and statistics + Number of UBs x (Length of UB + Length of PD + Length of IDB) + (Number of IDBs - Number of UBs) x Length of IDB. Length of system status and statistics = Overhead + Length of PD allocation buffer + Length of IDB allocation table + Length of statis- tics + Length of bitmap + Length of extend buffer. Length of UB = UB overhead + Number of parameters. Length of PD = PD overhead + Length of Block List + Length of Item List + Length of Attach Tables. Length of Block List = Floor (Number of blocks in list x Block List Entry Length) + 1. Length of Item List = Number of items x Length of IIW. Length of Attach Tables = Ceil (Number of items x (Length of Attach Flag + Length of Attach Bit )). Current values of these constants are given in Figure 29. Note that the following relation must hold: # of IDBs > # of UBs. 8.2. Router Variables Several parameters are stored in router variables. These var- iables are available to the applications lesson and to the USC, and are listed in Figure 30. U'l 1.0 i.O i.O i.O _L0 (0 10 U"J U".l yg ll'l i.O ll'l in M'l IJ"I T-i r ;* T, -n T5 7 ) r "i 7*' 7} '...• -Tl X5 T? T? T5 tji T5 T3 T7 171 >, ^ '*- i- jt. U~ U &. ^ k t- t- .- c i- t- c *— t' 1-- iv- i»— ,"-, i' '\ l' ) ij .."} Q o r'j o Q o o Q i~'\ C) ITi ■o a-. LT. a-' 1" GO iS| Iff CO 2 3 Si '■£" 3 T5; iSi CM CM CO a-. 1 H *-< CM •■£> — • CM - , r--- CM V ifi H C ■ (— I 4-' II i.O II II 1.0 Zi 4-' iri 11 ii ii ii r— * "ifi -I- 1 i.o Q 1.0 V 'D r -- ~i "13 Q (j 4-' 4- 1 OJ h- 1.0 «— 1 .-H _J 1 — 1 _J i r Q OD (J O Q ■ r-H 4-' CO Oil i~ r~ _J OJ V V 1.0 "n ■ — i , — i 1.0 l'~> c t ,_ ( \ i. i r^, ^ *•> *:_ i.O ~i c i — i 'I r-H Ijji a) t;";i V ■fi 'TJ CZ (J ,*— (j r ) Q *— 4-' •ii :. Q LJ 4-' ■ r-H Q OJ6 c 4 ' r, i-.l ,J - "i)j J 'J dj) . 'Oft •'■*; / o.i) 0.(1 U.l) Oil ■Li— i 0.0 ijl) 0i) hl'l O.O 0/1 Oil i:n) w ■4h '-♦— ( Oil i-_ i 1 c !*- r > C i™" * c |Z '"•' c C c c .-■ 1-. W- C c o o £ 4. ' .H OJ 11 V U D V D 'Li a) D a) V aj V V •I) V V ^ ; H* .. . . i J _J # _J .. 1 .... 1 . J # _j _J _j _.l .. i 1 1 _J .J # # _J ai C71 GUI QJ OJ UJ t- •D *r CM III III 4-' 'L> 4-' o 4-' i "i iti Cj ifj S- itf. i- i.O iti 1- • itj 4J C" Ci • 1— 1 -P (J) '— •' iO • 1-4 CD S3 T — I Si CO CO 1— I i-H i— 4 iT5 CD V 1.0 4-' M in a.' • .-•• t f o CO '-»~i J,.. i*— Q • Ii i' i i' i ■i 1 CD £ M u V CI a: 3 en C 4-' CO Ii - ' "0 r~~i 4-' ■ r-4 r— 1 iTTt 4- 1 C III J< £ c ij m C s< i-H >. -j . ,-i • r-i ■ i-H t-H Performing Organization Rept. No. Performing Organization Name and Address University of Illinois at Urbana-Champaign Department of Computer Science Urbana, IL 61801 10. Project/Task/Work Unit No. 11. Contract /Grant No. . Sponsoring Organization Name and Address University of Illinois at Urbana-Champaign Department of Computer Science Urbana, IL 61801 13. Type of Report & Period Covered M.S. Thesis - 1975 14. . Supplementary Notes . Abstracts Record keeping in a medical environment is discussed and a proposal is made for the organization of data in a medical database. A data description language is presented to facilitate the organization, and processes for data manipulation are described. Specifications for the data management system in use by the MIS are included. . Key Words and Document Analysis. 17a. Descriptors b. Identifiers/Open-Ended Terms c. COSAT1 Fie Id /Group • Availability Statement 19. Security Class (This Report) UNCLASSIFIED 21. No. of Pages 20. Security Class (This Page UNCLASSIFIED 22. Price IR M NTIS-35 ( 10-70) USCOMM-DC 40329-P7 1 <-:riQ m ■« ? .? %