■I
mm
LIBRARY OF THE
UNIVERSITY OF ILLINOIS
AT URBANA-CHAMPAIGN
510.84
Ije
(Y,Z,) 3> . . . } .
In addition, if
then,
X: = {({Y r Y 2 ,...}, Z) r ({Y r Y 2 ,...}, Z) 2> ...}.
(See Figure 10). Note in particular that if Y has no descendants, then
Y: = {(Item) r (Item) 2 ,...}
and is what is referred to as an item array.
A pair of functions will be necessary to facilitate the pres-
entation of the DDL. The first of these, DESC, makes it possible to
describe each node. The first operand is a node and the second is an
ordered n- tuple to be associated with the first operand as direct de-
scendants (see Figure 11). For example, the operation
26
Y 2 Y 5 Y k
Y 5 Y 6
Figure 10. Structural and Graphic Representations of
v 2 ,...},Z) r ({Y r Y 2 ,
: = {((Y r Y ,...},Z) 1 ,({Y 1 , Y ,...}
X)
2"
}.
27
NODE
DESC-1
DESC-2
DESC-n
DESC(NODE, ( DESC -1, DESC -2, . . ., DESC-n) )
Figure 11. A Graphic Representation of the
DESC Function.
DESC (K, (L,M,N))
produces the following relationship:
K: = (L,M,N,).
Similarly
DESC (M, (Item))
results in:
M: = (Item).
The following sequence of operations:
DESC (A, (B,C))
DESC (C, (D,E,))
DESC (B, (Item))
produces:
A: = (B,C)): = (B, (D,E)): = ((Item), (D,E)).
From the above statement about the node A, one can discern that
A.B is an item and A.C.E is a relation which exists in this structure.
28
Another function which will be used is ARRAY. Its single op-
erand is a node. The effect of the function is that its operand is des-
ignated as being iterative. Therefore, as an example, the operation
ARRAY (X)
would allow the statement to be made:
X: = {X,, X^» a-,.../.
The two operations
ARRAY (A)
DESC (A, (Item)
specifies that A is an item array.
With the two functions that have been presented, the graph may
be constructed to describe the relationships between parts of the data-
base and data types can be designated as iterative for convenient ref-
erence. To illustrate the uses of each function, let us construct a
simple family tree structure. The database will encompass all descendants
of a particular pair of people. The node which gives rise to the struc-
ture, the entry point, will be called TREE and defined thusly:
DESC (TREE, (MOTHER, FATHER, CHILDREN)).
(See Figure 12). The mother and father are not structural, and therefore
stated as:
DESC (MOTHER, (Item))
DESC (FATHER, (Item)).
The children, however, may have descendants and develop structures of
their own. So they are defined:
ARRAY (CHILDREN)
DESC (CHILDREN, (CHILD, SPOUSE, CHILDREN)).
29
MOTHER
TREE
FATHER
CHILDREN
Figure 12. A Graph of DESC(TREE, (MOTHER,
FATHER, CHILDREN)).
In addition:
DESC (CHILD, (Item))
DESC (SPOUSE, (Item)).
(See Figure 13). Note that the definition of CHILDREN is recursive.
By the meaning which has been given to the functions, it would indicate
that the relationship TREE. CHILDREN. CHILDREN. SPOUSE is possible. In
the database, if the data existed, one would reference the first child's
second child's spouse by TREE. CHILDREN(1 ).CHILDREN(2). SPOUSE. The
levels of indexing occur at nodes which are operands of the ARRAY oper-
ation.
The statements of the DDL are designed to utilize the given
functions in such a way that the database design becomes easier and
more convenient and to help in creating the internal garaphic representa-
tion. There are two basic statements, DATABASE and SET. The conceptual
TREE
30
MOTHER
CHILD
CHILDREN
CHILDREN
CHILD SPOUSE
CHILDREN
TREE
MOTHER
CHILD SPOUSE
Figure 13. Structural and Graphic Representations of
DESC(TREE, (MOTHER, FATHER, CHILDREN))
DESC(CHILDREN, (CHILD, SPOUSE, CHILDREN))
31
purpose of the DATABASE command is to create an entry point into a struc-
ture desiqned to meet the needs of a certain set of users. The SET is
the structure building statement capable of molding the relationships
which are necessary.
The form of the DATABASE statement is as follows:
DATABASE: (, ,. . . , )
Its functional equivalent is given below:
DESC (, ,. . . , )).
(See Figure 14). In essence, a name is associated with a particular
route of access to the database. As was shown previously, a descendant
may be referenced through the entry name. Such statements, along with
those defining the nature of the descendants, will describe all modes
of acquiring data. No descendant may be specified as an entry name also,
this violating the intentional use of an entry point.
entry -name
desc-1 desc-2 desc-n
Figure 14. A Graphic Representation of the DATABASE statement
32
The SET statement is of the form:
SET: , ,..., (,. . . )
Its functional equivalent is given below:
ARRAY ()
ARRAY ()
DESC (, ( )).
DESC (, (,..., )).
Because this statement is the only method of describing data
structures other than the DATABASE command, it is evident that all struc-
tures below the entry point level are potentially a set of iterations.
However, this is not a problem from the user standpoint, since the single
data type without multiple copies may be considered a single iteration
of the structure. The user will manipulate the data according to his
wishes and extra, unnecessary capabilities should not be detrimental to
his use of the database.
Notice that the SET provides the ability for defining like
structures under different names. Certainly this could be accomplished
using several SET statements; however, implications may be derived from
this form of the SET according to implementation and will be discussed
subsequently.
33
Data names which have been referenced in DATABASE or SET
statements and yet have not been designated as an entry or set name,
are implicitly defined according to the functions (where X is such a
data name):
ARRAY (X)
DESC (X, (item))
and thus are item arrays. This is also equivalent to
SET: X( ).
Let us construct an example which will show how the statements
presented might be used to describe the medical database. First, con-
sider the view of the physician wishing to access individual patient
records. The following statements establish the root of this structure
and basic formation of the record index:
DATABASE: MEDRECS (RECORDS)
SET: RECORDS (ID, HX, PX, LABS, MEDS, SUMMARY, PROBLIST).
(See Figure 15). The data name ID represents patient identifying data,
HX the patient history, PX physical examination data, LABS initial lab-
oratory results, MEDS previous medications, SUMMARY the record summary,
and PROBLIST the problem list. Of these, only PROBLIST is a structure
and thus the only one to be defined as a set name. The problem list
may be described as follows:
SET: PROBLIST (PROBDESC, PROGNOTES).
(See Figure 16).
PROBDESC represents the problem description and PROGNOTES the
vector of progress notes associated with each problem. To define the
34
RECORDS
PROBLIST
SUMMARY
Figure 15. A Partial Graph of an Example Medical
Record Definition.
PROBLIST
PROBDESC
Figure 16. A Partial Graph of an Example Problem
List Definition.
latter, another SET statement must be included:
SET: PROGNOTES (S,0,A,P)
(See Figure 17). The descendant list here refers to the S-O-A-P format
of the progress note. Under this description of the database, the sub-
jective segment of the third progress note of the second problem in
35
PROGNOTES
SO A P
Figure 17. A Graph of an Example Progress Note Definition,
the fourth record is referenced MEDRECS.REC0RDS(4).PR0BLIST(2). PROGNOTES
(3).S(1). Although it may be intended that S be a single data item, it
is implicitly an item array. From this point on the first element of
array data may be called either by the subscripted name or by the name
alone. Therefore, in the above example, both S(l) and S are acceptable.
Let us imagine a user who wishes to investigate the progress
notes which exist in the database without a need for knowledge of other
data related to progress notes, such as the problem list. The SET
statement previously given as:
SET: PROGNOTES (S,0,A,P)
is modified to:
SET: ALLNOTES, PROGNOTES (S,0,A,P).
In addition, the statement:
DATABASE: INSPECT (ALLNOTES)
is included. As data of this form is added to the database, it is cre-
ated under both the names ALLNOTES and PROGNOTES. The former name al-
lows an easier access to the data, for example INSPECT. ALLN0TES(1 5),
but without the advantages of the structure which pinpoints the data's
membership in the organization of the record system. The set of progress
36
notes may also be organized under different criteria, and reside in
structures unrelated to record organization.
Another option on both the DATABASE and SET statements is the
"LOCKS" suffix and allows for security controls over any particular
type of data. The complete form of each of the statements of the DDL
is:
DATABASE: (,. . . , ) [LOCKS]
SET: ,..., (,. . . , ) [LOCKS].
The effect, in either case, is to associate an additional de-
scendant with the node, one which is a data item, specially created for
a security lock list. This lis provides certain types of access for
various users over the data structure which is defined in the statement
specifying LOCKS.
The following set of DDL gives a possible specification for a
family patient record system:
DATABASE: MEDRECS (FAMILIES, RECORDS) LOCKS
SET
SET
SET
SET
SET
SET
SET
SET
(See Figure 18. )
FAMILIES (FAMRECS, FAMINFO)
RECORDS, FAMRECS (ID, HX, LABS, SUBREC)
ID ( ) LOCKS
HX ( ) LOCKS
LABS ( ) LOCKS
SUBREC (PX, MEDS, SUMMARY, PROBLIST) LOCKS
PROBLIST (PROBDESC, PROGNOTES)
PROBNOTES (S,0,A,P)
37
RECORDS
PROBDESC
SO A P
Figure 18. A Graph of an Example Medical Record
Definition.
38
This view of the database allows records to be included in a
family, although they may belong to the set RECORDS also. Various parts
of the record may be secured separately so that different users of the
record may access only the regions which they are authorized for.
39
III. DATA MANIPULATION
A DDL has been presented for the description of a database,
its structure and the relationships between the data which belong to
it. It is necessary, with this organizational scheme, to reference all
elements of data precisely. The data management system utilizes the
advantages of the organization when performing basic manipulative oper-
ations. This system must directly interface with the database. The
functions which comprise the interaction form the central module of the
program set using the data. Among the tasks of the module are the
input and output of data to disk storage from/to user areas. In an
interactive environment, where each terminal must have attached work
regions, input/output functions are designed to pass data between user-
specified locations and memory chosen by the data manager. A large set
of buffers must be available, and subsets allocated to a user task.
Therefore, each user is working with an assigned array of buffers plus
his work space. More specifically, the application program deals with
the data management system and thus provides the user interface. While
this type of program uses only its work space directly, the data manager
needs the buffer array for a greater efficiency in processing service
requests. However, in order to reference user-accumulated data, all
attached memory areas will be envisioned as an array denoted by the
symbol "#."
Certain operations may be done specifically at the request of
the application program. These are the data manipulation functions
40
which deal directly with user buffers and database elements and struc-
tures. To illustrate what types of operations should be possible for
the using program set, an "assignment" type statement will be necessary.
The form of the statement will be: target «- value. The target repre-
sents some location in the database structure or data buffer area where
some form of data is to be placed; the "value" is that form, denoted by
a similar notation as the target, except that it must designate existing
information as opposed to a hypothetical position in the structure. The
symbol "$" will be used as the last created index in an array, as this
numeric value must necessarily be available for continued addition to
indexed sets. Also, besides being able to discuss specific indices,
positions between members of an array are important for insertions and
must be referenced. The signs "+" and "-" will make it possible to ad-
dress these locations; for example, "2+" will denote the slot after mem-
ber two (and before three), and likewise "1-" refers to a place in the
array immediately before the existing first member. It is clear that
since this notation does not represent previously created data, such
symbols will only be seen on the target side of the assignment statement.
The above conventions will make it possible to discuss the basic func-
tions required by the accessing routines for the dynamic structuring
and modification of the database.
Let us first consider a hypothetical database description, and
show how data may be added to it, and manipulated:
DATABASE: ADATA (AA, AB, AC)
41
SET: AA, BA, (XI, X2, X3)
SET: AB (Yl, Y2)
SET: BB (Zl, Z2)
DATABASE: BDATA (BA, BB)
SET: X2 (X20)
(See Figure 19).
Note that the ordering of the DDL statements is unimportant.
It seems natural to first discuss the creation of data elements
to the database. The application program through its interaction with
the user, accumulates some amount of data it wishes to be known as a
single item. Several variables, the state of the database, the identity
of the user, the stage of interaction which the user is in, all affect
the placement of that item and the name or names which will be associ-
ated with the data. The following is an example of the operation to be
performed:
ADATA.AA (2). XI ($+) <- #(3)
Specifically, the notation says that the third user work space is to be
stored as the last member of the item array XI in the second AA struc-
ture. An address is set in the XI array to point to the actual disk
storage location. Naturally, the statement assumes that two members of
the set AA have been created. If there was yet no XI entry in the
structure, the "$+" would signify the creation of the first member.
The target is, of course, the position of an item, as it must be in the
create process since a buffer is the value. The statement:
42
ADATA
X20
BDATA
Figure 19. A Graph of an Example Database Construction,
ADATA.AC (3-) *■ #(1)
puts the new member between entries two and three in AC. Again, it is
assumed that there are at least three items in AC. At the point of
creation, number three becomes four, four becomes five, etc. Now con-
sider:
ADATA.AB (2+).Y2 «- #(2)
Although it is an item again being added, this time it is to a struc-
ture not yet existing. Therefore, there is no question as to the value
of indices below the new level, they must be one. Another example of
this is:
43
ADATA.AA (1-J.X2.X20 *■ #(1)
A similar function to the create is the write. This is the
process of taking data from work areas and overwriting existing data
items. For example:
ADATA.AC (2) *■ #(2)
Note the absence of any "+" or "-"; these symbols would cause the cre-
ation of new data formations. The meaning is that the second work space
is to be written onto ADATA.AC (2) which has been previously created.
Another write operation might be:
ADATA.AA ($).X1 ($) <- #(2)
Characteristic of the write is the fact that the target is again the
location of an item and the value is a work space.
Also a necessary function of data management in its interaction
with using programs, is the read. It is the user's only method of re-
trieving the data which he stores. Naturally, he can only recall items;
that is, his work area is unstructured and unsuitable for any data but
the simple elements. One such read statement might be:
#(4) <- ADATA.AC (2)
The effect is to take the data from the second element of AC and put it
in the fourth work buffer. Another example:
#(1) *■ ADATA.AA (2). XI ($)
44
The final manipulative operation is that of "relinking." The
user can refer to the same physical storage location according to more
than one name only by linking the item to other positions in the data-
base after creation. Consider the following:
ADATA.AC (1-) «- #(1)
ADATA.AA (2+).Xl <- #(1)
If the two operations were performed consecutively, the result would be
two separate identical items in disk storage. Therefore, in order for
this particular location to be known by both ADATA.AC (1) and ADATA.AA
(3). XI, these statements are adequate:
ADATA.AC (1-) «- #(1)
ADATA.AA (2+).Xl «- ADATA.AC (1)
A similar relinking accomplishes a replacement of existing data, and is
much like the write. For example:
ADATA.AA (1).X1 +■ ADATA.AA (1).X3
The difference is that no new structure or item has been created. Struc-
tures may also be relinked, as the following illustrates:
ADATA.AA (1 + ) <- BDATA.BA (2)
ADATA.AA (3) «• BDATA.BA (1)
The structures on both sides are of the same form and therefore the oper-
ation is meaningful. Notice, in fact, that AA and BA belong to the
same SET specification. Because of this, resolving that the two sides
are structurally equivalent is relatively easy. However, consider this
statement:
45
ADATA.AB (2) <■ BDATA.BB (3)
Inspection of the sample DDL shows that each side has the same form,
despite the fact that they are not in the same SET statement. More
complicated database description, though, might cause expensive over-
head of form checking. Moreover, if sets do not represent naturally alike
data, then no such relinking (that of structures not of one SET) should
be done. This is a problem which must be considered during implemen-
tation.
When like forms are defined by the same SET statement, the
structure may be defined but once and pointed to by all set names. This
creates the easy verification ability which was discussed earlier. A
special meaning might be given to the first set name specified in the
statement. If horizontal access is to be an important capability, this
name might reference a master index of all structures (in the SET).
This convention would cause a create of the form ($+) <- (last created index), i f 1 whenever a member of was cre-
ated. Possibly not every set should have such a master index, and an
additional syntactic change should be incorporated to specify a special
name.
Now consider the example DDL given at the end of the last chap-
ter. Assume that the program set utilizing this database is similar to
that of the MIS on PLATO described earlier. After the physician logs
on the system, he must choose either to create a patient record, or ac-
cess an old one. In the former case, he will go on to supply identifying
46
data, and the program which accepts this information performs the fol-
lowing:
MEDRECS. RECORDS ($+).ID + #(1)
The operation not only stores the identifying data but also creates a
new entry in the RECORDS set. Suppose that the user continues on into
the history program. Here several history items may be created and re-
trieved, such as:
MEDRECS. RECORDS ($).HX ($+) *■ #(1)
MEDRECS. RECORDS ($).HX ($+) *■ #(2)
#(3) +■ MEDRECS. RECORDS ($).HX (1)
The physical examination would call for similar operations. During prob-
lem entry, the program might request the following for the specification
of a subjective part of a progress note:
MEDRECS. RECORDS ($) .SUBREC.PROBLIST ($) .PROBNOTES ($+).S -*- #(1)
This is, indeed, cumbersome notation. And, in implementation, an easier
method of reference is necessary. In addition, each level of structure
must access an index list to locate descendants. In light of these
things, it seems advantageous to be able to step down level by level
keeping indices as they are passed. At the same time, if address vectors
were also kept, when steps are made upward to change indices, the ad-
dresses are there for accessing other descendants. If the above process
is redone using this scheme, the physician first creates the patient re-
cord with a new function which "loads" the set. Thus it will be called
a LOAD and the first operation will look like:
47
LOAD MEDRECS. RECORDS ($+)
This establishes the position in the database up to the RECORDS level.
Then, to supply the identifying data:
ID ($+) «- #(1)
HX ($+) *■ #(2)
#(3) + HX (1)
Before the user gets to the point of executing the next given example,
the following might be done:
LOAD SUBREC.PROBLIST ($+)
This creates a new problem entry and the subjective note may be submitted:
PROGNOTES ($+).S *■ #(1)
Now if the physician decides to change to a different problem, the pro-
gram might execute:
LOAD PROBLIST (2)
All the structures attached to the previously referenced problem are
aborted, awaiting operations such as:
PROGNOTES (1).0 «- #(2)
At this point, PROGNOTES for problem two are loaded, until something
like:
PROBDESC +■ #(3)
Then PROBDESC replaces PROGNOTES and 0.
At times, it may be necessary to manipulate structures which
are not loaded, and yet save all loaded arrays in anticipation of fur-
ther use. In the above example, after the physician had created the
48
record, he might have decided to add the record to some family set.
The program might initiate:
FAMILIES (lO).FAMRECS ($+) <- RECORDS ($)
This operation would abort the RECORDS structure, and it would have to
once again be retrieved for subsequent processing. So, to circumvent
this, certain load functions will be done with a save of the array until
it is explicitly unloaded. Two new operations then are needed LOADtSAVE
and UNLOAD. And, to again follow the procedure of adding the record to
a family:
LOAD-SAVE MEDRECS. RECORDS ($+)
FAMILIES (lO).FAMRECS ($+) <- RECORDS ($)
UNLOAD FAMILIES
The final unload aborts the FAMILIES index. Certainly if too many arrays
are saved and not reloaded, an overflow of available array space will
occur.
The program set on PLATO which makes up the MIS, directly re-
lates to the structure of the medical record. As the user proceeds
deeper into the record, successive loads may be done, allowing each pro-
gram to work at its own level without excessive overhead. This necessi-
tates greater coordination between program modules. Upon entry to the
problem list module the instruction
LOAD SUBREC.PROBLIST
would be executed under the assumption that the above structure had been
loaded.
49
In order to minimize the loading operations, some items or
structures might be designated as being only single copies (not arrays)
as an additional deviation from the DDL specification. For instance,
the structure SUBREC is only intended to occur once for each record,
and therefore it is unpractical to cause an extra load for that level.
Implementation Considerations
To accomplish all of the data manipulation operations, the
data manager must be able to internally follow the structure to address
actual data on disk. Table organization is important in facilitating
the process. The table consists of three basic entities: the name list,
the structure list, and descendant pointers. Each entry in the name
list is an alphanumeric name and a pointer into the structure list if
the name has been entered in a SET or DATABASE statement. Each member
of the structure list denotes the type (DATABASE OR SET) and points to
a vector of descendants, each of which in turn points into the name
table for the name of the descendant. Given any name, it can be deter-
mined if that name is a structure by checking for a pointer back into
the structure list or for a descendant pointer from the structure list.
Likewise, it is possible to check for correct descendant specifications
by following the loop from name to structure to descendants to names.
Names which are listed in a single SET form a somewhat different entry
in the structure list. The first one given will set up pointers as
usual, but the others instead of pointing to a distinct descendant
50
vector, will point to the first name's vector. This will closely con-
nect the names of a SET statement; checks for like structures can be
done by comparing pointers to descendant vectors.
Along with the data description table, there must be a table
of addresses for the descendants of each entry name defined in a DATA-
BASE statement. These addresses point to disk space allocated as arrays
of addresses of further descendants. Each such address vector is as
long as there are members in the array, and an entry in the vector is
as many addresses as there are descendants to that particular set name.
It is this type vector which is loaded during execution. At these times,
very large arrays become impossible or impractical to load completely.
In this case, the capability must exist for loading the array partially
while unknown to the user. Then for access to other portions of the
array, another partial load must be done.
In addition to the functions discussed for database modifi-
cation and retrieval, the using program must have available a system
of status flags. With checks on these flags, certain pertinent infor-
mation can be learned for processing, including error signals and the
state of the database. Present indices of loaded arrays, range of pos-
sible values, and security status should also be acquired through the
system.
51
IV. SUMMARY
Health care is indeed a large and growing industry. It places
a great demand on our national resources, be they human, technological,
or otherwise. If the nation is to fulfill its commitments for compre-
hensive medical care, it must responsibly and efficiently utilize all
such resources. Over recent decades, the computer has come into view as
an aid to a spectrum of applications. Its computational powers were
apparent at its birth, many years ago. Since that time, the computer
has evolved through advances in electronics, and systems have been con-
ceived for the processing of more than just numbers—information. The
very generality of the concept of dealing with information, storing,
translating, and retrieving it, lent usefulness to a nearly inexhaustible
list of disciplines. And now, many uses are being realized, others
investigated. Among the latter is the medical information system. Many
years ago, the medical record could have been stored on the computer.
However, in its nonstructured form, there was no advantage over paper
methods, and was, in fact, costlier. Research done at the University of
Illinois has demonstrated that the record keeping process can be cost-
effective on a PLATO-like system. In addition, recent advances in re-
cord organization have improved the data gathering and retrieval process
in patient care. With the structured problem-oriented medical record,
the physician's clerical functions become systematized, leading to
more complete patient data. The hierarchical nature of the data is
natural for computer programming and presentation. The PLATO system,
52
in particular, can graphically display portions of data, further illus-
trating advantages of automation. Through physical access to the ter-
minal, the physician may acquire elements of an entire database, bypassing
tedious manual filing. And, if properly used, facilities for touch input
can reduce the time that the user requires for entering various parts
of the record, and possibly create a more acceptable atmosphere for inter-
action at a terminal. This man-machine interface is an important sub-
ject under investigation particularly relevant to medical record
computerization. Physician acceptance of any system is an undeniable
criterion during development. It is just this fact which requires health
care personnel participation in the research. Input from physicians
and nurses at operational testing sites can be invaluable.
The means and environment exist for an adequate medical infor-
mation system. The great advances in medical record keeping have in-
spired research for such a system. Establishment of the initial data-
base for the patient marks the creation of the record. With the knowledge
that the physician acquires from laboratory tests, a patient history,
a physical examination, and the patient interview, he can formulate a
list of problems upon which he must take action. It has always been an
important task of the physician to discern what observations may be
symptomatic and what may be diagnosed from symptoms. The problem-ori-
ented medical record only proposes a method of organization. Yet, it
may be sufficient, in itself, to improve the quality of health care
delivery. With an increasing number of specialists, a clear, precise
record, more easily understood by a multitude of viewers, is definitely
53
in need. The problem list provides an index into the record, and a
great deal can be learned from a cursory glance. The physician takes
his knowledge of the patient, and uses his training and experience to
initiate a plan for treatment or tests. Certainly, more data is gener-
ated, and thus, the cycle begins-- the evolution of the record by the
continued addition of progress notes.
The structure of the patient record leads us to believe that we
can more formally organize the medical database to best serve the corps
of interested users. It is clearly evident that not everyone wishes
to deal with every facet of the record, or even the record itself, as it
is thought of conventionally. Nor is it wise to allow semirestricted
access to confidential information. Therefore, the criteria for data-
base organization must be capabilities of flexible modes of access and
security of all levels of structure. Naturally, this includes methods
of forming the problem-oriented record. The MIS project partially
meets the requirements. Vertical accessibility is possible for the
physician, nurse, and clerical personnel, who desire data associated
with an individual. Programming allows pieces of the record to be re-
lated together, but no internal structure is maintained beyond a sep-
aration of identifying and medical data. Security is leveled at the
two areas distinctly and by user group.
It should be the function of the database management system to
impose a structure on the data, thereby leaving items for user-defined
data only. Also, all operations involving the basic management of
54
the disk memory should be transparent to the user. A proposal has
been made for describing the medical database. All segments of data
are stored according to the nature of their content by a particular
name. According to the descendant relationships which can be defined,
a referencing convention has been described. In addition, structures
may be iterated for sets of like data. The system allows the applica-
tion program to generally handle data which is relevant to its purposes
and not need to concern itself with the more basic maintenance functions,
The data description language makes it possible to specify what the
database will look like to a system which is designed to operated on
any structure described thusly.
The using programs also have available a set of transactions
which may be made with elements of the database. These actually consti-
tute the interface between programs and the data management system.
The functions allow for the storage and retrieval of user-accumulated
data from and to work buffer areas.
Security, another necessary quality of the system, may be
required at any hierarchical level of data. The method of individuals
belonging to groups, as implemented in the MIS project, appears to be
a viable means of categorizing potential users for security classifi-
cation.
The health data collection process is one for which the phy-
sician and related personnel are largely responsible; therefore, patient
data generally originates in the medical record. Proper formation of
55
this documentation betters our chances for complete and responsible
treatment. If computers are to be instrumental in bringing about the
utilization of technological tools by the medical profession, then
the correct weight of efficient record keeping must be merged with a
sufficient amount of natural organizational database characteristics,
to produce a smooth, practical information system which has the approval
of those who directly interface with it.
56
LIST OF REFERENCES
1. Weed, H. R. , "Biomedical Engineering in Health-Care Delivery,"
IEEE TRANSACTIONS ON BIOMEDICAL ENGINEERING, Vol. BME-20, No. 3,
pp. 161-164, May 1973.
2. Ball, M. J., "Medical Data Processing in the United States," HOS-
PITAL FINANCIAL MANAGEMENT, Vol. 28, No. 1, pp. 10-30, January
1974.
3. Williams, B. T., "Source Interactive Medical Information System."
A grant application for the Regional Health Resource Center.
June 1974.
4. Grabieli, E. R. , "Computerization of Clinical Records," Vol. 1,
Ch. 3, pp. 1-5, Grune & Stratton, Inc., 1970.
5. Weed, L. L., "Medical Records, Medical Education, and Patient
Care," pp. 3-123, The Press of Case Western Reserve University,
1971.
6. Sandlow, L. J. and P. G. Bashook, "Problem Oriented Medical Re-
cords (Self-Instruction Handbook)," pp. 2-30, Michael Reese Med-
ical Center, 1974.
7. Harmon, L. D., "Some Problems and Priorities in Health-Care Tech-
nology," IEEE TRANSACTIONS ON BIOMEDICAL ENGINEERING, Vol. BME-20,
No. 3, pp. 216-220, May 1973.
8. Saltzer, J. H., "Protection and the Control of Information Sharing
in Mul tics," COMMUNICATIONS OF THE ACM, Vol. 17, No. 7, pp. 388-
402, July 1974.
57
APPENDIX
The following documentation has been copied from specifica-
tions for the Patient Record Manager which reside on-line on PLATO.
The data management system of the medical information system is pre-
sented in detail. The figures are reproductions of their PLATO screen
appearance.
The Patient Record Manager
Version 2.3
System Specifications
by
David Mueller
Robert Rush
David Fumento
June 26, 1975
14.14.25.
Part I. General Overview
1. Introduction and Goals
The Patient Record Manager (PRM) is the component of the Med-
ical Information System (MIS) which is responsible for the storage and
management of patient records. Specifically, the PRM 1) creates and
maintains the patient record on permanent storage, 2) inserts data into
the record as instructed by the input components of the MIS, and 3) re-
trieves information from the record as instructed by the output compo-
nents of the MIS. Access is vertical by patient record rather than
horizontal by data item.
The PRM must meet sets of criteria imposed by the nature of
the medical record, by PLATO, and by other components of the MIS. First,
the PRM should be able to maintain records which can expand to any size
and maintain their security, confidentiality, and integrity. The PRM
is responsible for storing and retrieving all data in the patient record,
but it is not responsible for maintaining the relationships between the
various data items. It should give as rapid a response as possible and
should allow for record reorganization based on use patterns.
The PRM must operate within the constraints imposed by PLATO.
It should require as little duplicated code as possible. Further, it
should make the best use of the algorithms used by PLATO to allocate
system resources such as CPU, ECS, and the disk channel in order to a-
chieve adequate response. Within the constraints imposed by the MIS,
the PRM must use no more than 1,000 words of storage for i/o buffers
and work and status variables, and should use no more than 6,000 words
of combined common and condensed binary code.
Since the structure and access patterns for the medical record
are presently a topic of research, the PRM should be flexible enough to
allow for changing approaches. It is also desirable to be able to insert
with relative ease routines to monitor the pattern of use of the record.
Finally, straight-forward, simple procedures for accessing the PRM are
desirable.
This report describes the components of the PRM which attempt
to meet these requirements. First, a general overview of the PRM is given,
followed by detailed descriptions of each component.
2. Record Security
We believe that at least two record security problems must be
handled. The first is the use of the MIS to gain unauthorized access to
the records. To combat this, the PRM will provide site checks in the
router to restrict the lesson to specified terminals. In addition,
passwords will be required to enter the system. Finally, the PRM pro-
vides "by-record" access control so that otherwise valid users may be
denied access to certain records.
Each user is assigned a twelve bit user number and a twelve bit
user group number. Each record has associated with it a table containing
an entry for each user group recognized by the system. Each entry gives
the level of access for that group to that record, as described in
section 7.1.1. This method allows greater ease in creating and changing
access rights, and results in a shorter access control list.
The second security problem involves bypassing the patient re-
cord system entirely and reading the data files directly. PLATO provides
a minimal amount of protection in the form of code words attached to the
file. This is sufficient to prevent casual browsing through the files,
but is an inadequate defense against determined attempts to read the
files. Not only may the code words be broken, but the code word system
may be bypassed entirely as is done when system changes are made to
lessons.
Therefore, in addition to placing inspect and change codes on
all lessons and data files, the records themselves might be enciphered.
Each record would have associated with it a cipher key, which must be
used to decipher the record. The cipher keys would be kept in the Master
Patient Directory, which is itself enciphered. The Master Directory's
cipher key would be changed and the Directory reciphered as often as is
necessary to protect the patient cipher keys.
This level of security may be more than the users are willing
to pay for, and, since most of the data is encoded by dictionaries, a
trivial level of enciphering is already employed. Therefore, the initial
releases of version II will not employ ciphering and ciphering will possi-
bly be introduced in later releases.
3. Flow of Control
The PRM has been divided into four major components: 1) the
Sign-On Component (SOC), 2) the Master Directory Component (MDC), 3) the
Item Management Component (IMC), and 4) the User Service Component (USC).
These are described in greater detail in section 5.1. Briefly, however,
the SOC is responsible for identifying and validating terminal users and
the MDC for allowing the terminal user to create new records and access
old ones. The IMC and the USC as a package provide data storage and re-
trieval functions to the applications lessons, the IMC executing the
functions and the USC providing the interface.
The way in which the above components fit together is important
to understanding the overall structure of the PRM. What follows is an
overview of the sequence of operations carried out by each component, with
descriptions of what the terminal user sees and what the applications
programmer must do.
3.1 General Overview (see Figure 1)
The terminal user will see the following sequence of operations.
Using the SOC, he will identify himself to the MIS. After verifying that
he is a valid user, the SOC will exit to the MDC to either access a patient
record or create a new one. The user then has the option of entering or
reviewing medical data in the record using the IMC, the USC, and the ap-
plications programs. At any time he may return to the MDC to request
another record.
' ' '.J
—I Ti "
l._.l
i h
ill t- iD
■ ■-• 4-'
+> V'\
ti V >
LL ct: t/H
4- 1
C " Ti
V i-
+j
its i 1
Q. Q:':
1
i'll'l
i. .i i
l TJ
:;:. q'j
ill'l
41
(0
i r i £
Q...
Ill
JZ -r-t
4' 4-'
ill
f
i i
'1.1
• r-t
1.
4- 1
4-'
&
0)
i~
3
3.2. User Sign-On (see Figure 2)
The identification and validation of terminal users is based
on the following structure. The users are divided into user groups not
mutually exclusive. All members of a single group have the same access
to the same set of patient records. Thus, each user has a user number
and a group number associated with his name. Access to the records is
based on group number while trace information is based on user number.
This is described in greater detail in section 4.1.
The user first sees a copywrite statement for the MIS. Then,
if his terminal is not designated to the auto-sign-on, he is asked to
select his group from a list of groups and his name from a list of users
in his group. Selection may be made either by touch or by keyboard entry.
If only one choice is possible on either of these pages, the choice is
assumed and the page is skipped.
If the terminal is designated to be auto-sign-on, the prespec-
ified selections are made and the user is asked to fill in the unspeci-
fied selections. In any case, the user must enter a password and is
then taken to the MDC to select a record. The user may also go to a
page listing options available to unidentified users.
3.3. Opening Patient Records (see Figure 3)
After entering a valid password in the SOC, the user is asked
for the PIN of the record he desires. Based on this, the Master Directo-
ry is searched. Three outcomes are possible: 1) the record may not
Open
Pat l ent
Record
J_ r"'i
Hr"""
U 3
4- 1 U J
c in.
Ld ip
1. j
i~ n>.
— rt^r**"
\- . ^' l
III
I 1
V
■. ■ 1— 1
■+-' ■+■'
'■ ■' Cl
4-' .
n iji
41 £
r-l in
4.i C
CO
V.
s.
X
X
X
X
■v.
X
.. X
4-'
r 'i i"i
4' "i
3 K
U J drt
X
/
4- 1
/
- r-4
L
J
a
P
□
C\J
CT>
V
o
mi
£ i-
u a.' 4-'
!- 4-'
iri u'J
iTi
Mil
x- ■-*
U it! 1-
^
"0 'i 1 'l-
lll i. > il i
a.i +
iT'i
LJ 'I' T
1
1* "l
c
V
4-'
4-»
• i-H
1 1
4- 1
aj
Cl
—i
o
a.'
in
'1.1
N JQ
T5 ■ '- 1 iTi
£1 «— i (— •
■Hi Hi
4-' 4-' V
H.I ■- • +>
L r ' £ 10
• •-« ">.
CO
.-•• \
CO
0)
$-
exist, 2) the record may exist but the user does not have access, or 3)
the record may exist and the user does have access. In the first two
cases, the user is informed of the situation and allowed to re-enter the
PIN.
If the record does not exist and the user does have access,
then the brief data page for the record is displayed. At this point the
user has the options of 1) editing the data page, 2) editing more data,
3) changing access rights, 4) proceeding with the open, or 5) exiting
all of these subject to his own access rights. If he edits the data page,
the results may be stored by proceeding or ignored by exiting. If the
user desires to proceed system control blocks are obtained for him and
he proceeds into the record.
3.4. Create Record (see Figure 4)
After selecting the create record option on the PIN request
page the user's group is established as the owner of the record. This
sets up a predefined access control list for the record.
The user is then taken to the brief data page. The patient
name is required at this point, and other data may be entered as desired.
The user may also branch to a page which allows him to alter the access
control list, or to a page listing more ID. On each of the three data
pages he may abort the entire procedure.
Upon completion of either the brief data page, the more data
page, or the access control page, the user may order the record created.
u
v v v
£ £- b.O
iD iTi
ill 4- 1 iTi
, 4- 1 - +J
r 1
f
t
i
i
t
>.
{ ,
OH
Ml ill
|i hj
itl i )
I
\
OJ
\
\ \
\ \
Hi "0
4-' i-
iTi ( J
ill n
k~
i U iD
£ 4-'
irj irj
1' 4
n
|] i
U
T5
c
OJ
+>
4-' ■-<
u
4-'
a.'
o
.— .
'w'
•I'
w
a.i m
T? h Hi
fti — " _&
iD' iD
4J —, (—
1J 4-'
I' P l i-H I I
0)
O)
At this point a Patient Index Number (PIN) is assigned to the record, and
the Master Directory and Patient Directory entries are created and ini-
tialized. The user may now elect to enter medical data or exit. If the
choice is to open the record, system control bocks are obtained and ini-
tialized and the user is sent into the record.
3.5. The Item Manager and User Service Components (see Figure 5)
The Item Manager Component is called by the applications program
using the facilities of the User Service Component. This component con-
sists of an interrupt routine and a collection of interface routines, one
for each function provided by the Item Manager. The applications program
calls an interface routine for the particular function it desires. This
routine, after setting function dependent variables, calls the interrupt
routine, which sets the interrupt variables and signals that an interrupt
is present.
The IMC consists of a driver and a collection of routines for
performing the IMC functions. Upon receiving the interrupt signal, the
driver determines which user is requesting service and what service is
desired. It then calls the appropriate routine to actually do the work
and, upon its completion, signals completion to the interrupt routine in
the USC.
The interrupt routine, which has been waiting for this signal,
now transfers data from IMC buffer to the applications program's data
space and returns control to the calling routine. Should a disk error
I— 1
! "'••,
r
V
':• ■ i-h
Q
•■— 1 i—l
1- 3
H.t o
en li
k
1 1 ;
i/i
n
^
— + £
a.'
V
4-'
a. t i<
U LL
CO U1 CM CM
f CM CM iS! S| iS| VI *-• VI *-" VI VI
ii ii ii ii ii ii i*. ii £ vi C £-
C C C C C C VI C VI £ VI VI
CM CO <-• *-"
y i-
i' i
X
1-
Q
u
fj
o
r"i
LL
■ rH
O
..
Q_
IX.
4-'
'U-I
•l.i ( i
ill
• f— 1
r
U'J iTCi
V
T5
"U
4-'
i-
Cl
—• 4-'
u
1-
o
U 'X
£ E £ E
u 4-i 4-' C I-H I— I
■is m i' ii'
4-' U — ' 4-' 4-» 4- 1
a.' J- 1' >; 1J ii
Q U Q Ld CD Q.
a."
U
it
i— •
Cl
LL
cu
S-
type of service offered by the Record Manager. We assume that these
operations can be divided into a class of common operations and a class
of much more infrequent operations. The more common operations include
Get Item, Put Item, Lock Item, Unlock Item, and Create Item, with the
last being the operation least frequently used. The infrequent class in-
cludes the rest of the operations in Figure 6. This gives a rough aver-
age of one disk access per call.
Assuming that PLATO allows an average of one disk access every
15 seconds to each individual terminal, the IMC would be capable of
handling an average of one disk access or call every 15 seconds for all
users. Thus, if four users were on, they would be limited to one call
each minute. Three users would be limited to one call every 45 seconds,
two users to one call every 30 seconds, and one user to one call every
15 seconds, on the average.
The figures given here are estimates only, so we intend to
measure several parameters in order to make any changes necessary to
ensure adequate service. At present, we plan to collect means and
standard deviations on the number of disk accesses per call to the IMC,
the number of disk accesses per Get Item, the number of disk accesses
per unit time in the IMC, and the CPU usage per unit time. Other para-
meters may be measured as needed.
Part II. Component Descriptions
6. The Sign-On Component
6.1. User-Group Structure
As described in section 3.2, the terminal users are divided into
groups. These groups are not mutually exclusive, and may consist of as
few as one user. Each group is assigned a number when it is entered into
the system tables. This number is associated with the user when he signs
on, and is used by the PRM to determine the user's access level to a re-
cord.
Each user is also assigned a number when his name is entered
into the system tables. There is only one number assigned to a user,
regardless of what group(s) he is in. This number is associated with
the user at the time he signs in, and is used by the PRM to provide trace
information.
This structure provides several advantages. Since access rights
are based on groups of users rather than individuals, initializing and
changing access codes is fast and easy. A great degree of flexibility is
maintained, however, since a group may consist of a single user. Thus,
if access control is desired for individual users, these users may be
defined as single user groups. Furthermore, since a user may be in differ-
ent groups, he may be granted different access levels to different sets
of records.
This structure is implemented as a set of three tables. One,
called the user table (see Figure 7), contains the user names, user num-
bers, and user passwords.
The second, called the group table (see Figure 8), contains the
group names, group numbers, and group templates. This last field is a
template used by the PRM to initialize record access lists; if group i
is the owner of the record, then the template for group i will be used as
the initial access list for the record.
The last table defines the relationship between users and groups
(see Figure 9). If user number i is a member of group j, then one of the
entries in the relation table will be (i,j).
While the group and user tables are unordered, the relation
table is ordered by group number. This ordering makes it easy to access
all the members of a particular group, which is the present scheme in the
SOC. However, the same structure could be used fairly easily to obtain
all groups containing a particular user, if a change in the SOC is de-
sired.
Finally, to provide an auto-sign-on facility, an auto-sign-on
table is kept (see Figure 10). This table relates station numbers to
user and group numbers. An entry is made for each station which has an
auto-sign-on capability. The group number, or the user number or both
numbers may be associated with the station; if one is omitted, it must
be filled in at the time of sign-on.
Each of these four tables is implemented as a set of parallel
segmented vectors, one vector for each field. The same index is used
to reference each vector, thus giving a complete entity.
,
M'l
f_j
~T5
i, J
i; 3
4-'
i -
i
• i-i
i-
o
t
Q
]._ i"i
!—
CO
V
3
O z
ri 'l-i
£
5_ iri
CO
1.0
4-'
'*-
r
r
fc.
■ ^H
i;"j
V
Cl
OJ
L J
'1'
Li. 'I 1
CD
j
-U
_ .*
-U
— '
J**
_' !t t
o
E
Q
c
C
E
C\J
£
13
!*-.
3
t
_i
£- Zi
O
-i_
(J)
ji -
(3
■ ,= —
'■!> Z
i.O
i
i'
fc.
i'
-H
t_
f
i'
V
r
V
i- 55
■-*
4'
r j
V
1* *t
OJ
o
III _Q
•OJ
in
d
in
d
i.i.i
lZ
hi £
i
■*1
i
— j
i
J
j — i
•"'■■J
«~r
ji—
ji—
.jl~
jll—
*"" '
3
^
10
4-»
*-
L-
■
S-
• i— «
S-
■V
*—
V
i»—
V
t-
ct:
u
LL
"■
a;
U
-J
o
o
'X
(I
M
u"i
Q:
(_)
f
u
1-
i— i
X
( 1
Q£
_.-*
LJ
ll_'J
_l ^
i;"~;i
U
X'
X \-
y~
X
i;_j
V
Q
U X
U
h-
Lu
i— i H
H
_l
";-
d
i_i Qi
CO
X
OJ
».
U O
2-
u
„.•*
x:
n l_
co
I
Q
o
i
tr
U
H- 1
_j
i— i
. _J
h-
( r l
X
■X
Lt' :
Ld
LI
i;~|i
Q:
I
o
tL
\-i
LL
O'.i
L.
fl
_l
i— i
\\ \\
Ld
CO
Q
E
/
b;
'•••:''
M
£■"'
h-
Or
_J
LJ
X
( )
_l
z~
c
~:
hH
l__
HH
a:
/
Qi
CO
X
*;—
hH
0_
&
u
■ .— <
i-
C
-■"
■4-'
J
Itl
*~
ID
Q
!L
ill
a.i
LL
'■ •'
LL
■;!;-
_
k.
_
u
_■■■-.
r -i—
^^—
-Li
•—*
1
•*-
-I-'
4-'
■ —<
Q
« — i
i *
!-
cz
.+■'
iTi
iTi
-j—
■ iri
r— 1
V
a."
-I-'
N
Lj_
-<
I
x
-I-'
'~
■ — i
V
Hi
~>:
, — i
O
~i
•—<
I
V
id'
~i
r—
'--'
"~*
i»~
O
«— t
■
c
Q
h-
U"l
'>
Q:
t— t
,-H
jZ
*y
CD
•
iD
•
U
r
-W
*—
1 'l
1
— 1
h""i
'U
Q:
.'
4-'
■ — i
fh
OJ
T.
Tj
*—
r-H
i-|fl
i;*.i
■— (
V
J^
III
i;_;>
1— - 1
i
r i
1 — 1
»H
r "i
>
— j
Ld
u.
22
T'i
—
C
I~
''-*-*
■ p-i
r*
'■♦-<
r >
o
■ >-l
(U
m*
lil
D D D D
«T5
-2
u
CO
CO
.o
'I'
V (0
— H.i
•1.1
> 00
(0 «u
Q
[ii
in
u
Zi
a.
in
n 1 in
~i iri
o
Ld
CO
CO
n
Ld
l-H
■ r-l
l*"*l
t"
CO
h
r— *
Ld
M
i—*
(-
a:
■X
o
CO
Cti
'-+-*
".■-
Q_
,■•
CO
0_
V
cr
L±l
)~*
Q
+J
Or
Q
o
Ci
ct:
'+-)
fjl
■
S-
and sensitive information. For security reasons this information belongs
in the Master Directory entry for that patient. It is necessary to ob-
tain this entry for any access to the patient record. In addition, there
are certain functions available to the terminal user which involve only
the Master Directory. The content of the Master Directory entry can be
logically divided into three distinct sets of data: 1) the system control
data, 2) the patient identifying data, and 3) the patient sensitive data.
A discussion of the structure of the Master Directory will include a de-
scription of the scheme to address Master Directory entries and the or-
ganization of data within the entries.
7.1.1. System Control Information
Included in this subset of the entry are pieces of data which
are needed by user routines for system chores, but which are not personal
in nature. The following are fields which belong to this group:
Cipher key 60 bits
Access Control 3 bits per user
Link to item list 15 bits
Trace information 60 bits
The cipher key is used in ciphering the record by means of a method uti-
lizing the logical difference operation.
The access control field is a three-bit pattern for each po-
tential user group. The field assigns to each user group a type of access
Figure 16 lists the possible patterns and their meanings. Owner access
allows the user to modify the patient record and, in addition, the access
V
i.O
i.O
a.'
o
II
iti
?!
'3
•rj
U"3 — '
•"•
T3
ITI ill
1 — 1
lj£l
i^t
■^-1
T— 1
O
+■'
i.O
lO
V
1 — 1
fl5
o
iri
4-'
q
4-'
iti
•iti
I'D
— r-r
"jrr
'i'
1 1
4-i
,..- H
illi
o
• ,—1
it
'1.1
ii3
•+-■
iti
'Ii
('
ifi
(0
1i
ll"l
o
i.O
V
•ti
u
i-
iti
V
C
—>
'■-■
_►
"^
o
a.'
1'
mi
(52
+-'
i i iti
hi
if l
V
(Jl
llj
41
mi
m
4-'
1.0
io
Q
•ti
li
iD
()
V
iti
'I'
IX
iri
'I'
LI.
iti
iti
Oil
a.i
i
iTi
ly
mi
id
in
r ;i
U
vo
a;
s-
cn
control bits for other users of that record. Read-write access to any
part of the record allows modification of that part by the user, the
single exception being permanent data items.
The Item List is the backbone structure of the medical record
for a particular patient and it is necessary that the Master Directory
point ahead to this list connecting all parts of the patient record.
The trace information, for the purposes of this discussion,
will be the user number of the creator of the record, the date and time
of creation, the user number of the last user to access this record and
the date and time of access. This field could become several words long
if more information is needed.
Another link field in the system control information which con-
tains a link to a special second page of sensitive data which may be de-
fined at some future date. This data is medical data and is considered
to be sensitive, but not of an identifying nature. This extension may
also require some type of access control.
For a system with 20 groups, an assumption which will be main-
tained throughout this discussion, the system control information is four
words long.
7.1.2. Patient Identifying Data
The second page of patient sensitive data will not be discussed
further because its content is still largely undefined. Those items
which tend to identify the patient, the so-called "identifying data,"
will be detailed here.
Several of the fields, such as the patient's name, contain
variable-length information which is padded on the right with null char-
acters. Figure 17 lists the fields belonging to the identifying data.
These fields represent a maximum of 64 words. The exact arrangement of
data is not a problem here since, as will be shown, there is some extra
space, in fact, very little compaction is possible.
7.1.3. Master Directory Structure
A path to the patient record must begin in the Master Directory
Index (Figure 18). This index is a list of the disk addresses of all
Master Directory physical blocks. Since each physical block represents
four entries, the index entry actually points to records 0, 4, 8, ...
And addresses for other record entries must be computed as offsets into
the physical block addressed by the preceeding multiple of 4. Specifi-
cally, the n element in the index list represents record number 4n and
the address A of any record number i is found by,
A = index (int[i/4]) + 80 (i - int[i/4]) words.
As was mentioned before, each 80 word entry is logically divided into a
four-word system control block and 64 words of identifying data, leaving
12 words as yet unassigned. The Directory Index uses one word per four
index entries and four records per index entry. Therefore, allowing for
1,000 patient records, the list will need less than 63 words.
7.2. The Master Directory Component Modules
The MDC may be viewed as a collection of modules each accessed
I
t
J
III III III
"P T5 75 T7 T 1 h'i i.i i
• t' t* l L I I l l
i*— i»— &- +- *- -T- -T -
•^ 43 CM
III in I.I.I
~T> 7) '<".'> 10 i.i "J "0
£_ £_ £_ 4- 1 4- 1 S-
r"j T'i Q ■ »-h i— t ;f i
~\ i "s '. J '. j "1
*-i ro Lf, i£i ^t i
• CO
CM
Ml UJ
■ ■ ■ "O "0 hi \f)
'III' I II _l_l
l.l O ' H '~'
3 • 3 3 3 3 _Li aj
1 1 .i -i — i i—i -i — i
i" "i ■ O i' I
(":i
V
0)
"7^1
—i
Q
:'
h'i
1 1
Q
i t
( j
3
i
1—1
H- )
CL
(J)
Z ft
i o
V
O ll l
'1.1 '1.1
F-l
Q
4- 1
ii
-...
i~
t i
r&4
4-'
g
'U
_H
i~
CD
• pH
Q
'^CZZ--
/
/
/
0.11
0.1 1
au
O.0
!i..
i
i 1 ■
**■
l~
■ i-H
i-H
■ r-4
• r-(
'+■1 Ifl
'.|...|
'Hi
'■■♦— t
iTi
'4-i ifl
.,-, 4 j
■rl
4„<
■ I-H
4- 1
■-( 4.'
4-' ID
..}...'
ill
4-'
iti
4-' iTi
£ L j
1
I i
1,
LJ
1- Q
4.1
q.'
"U
•U
r 'i
i 1 'i
r 't
i" 'i
i— i
1 1
(— t
h~ 1
__i
, — |
i— i
r— 1
k £
f
r"
!L
c
!- £
4-'
i-'
if)
4-'
o
4-'
£ ^r-H
i_
rH
1-
• r-t
1- —
4'
Q
4 .i
l| >
■V
4-'
U *tTj
(_)
iT'l
1. .1
H)
U (d
l_
s[ 5 ..
L_
£ U
L ..
*~
C!
i<—
L_ *-
V
Ill
if)
'ii
I.'
4-' '- 1
.4'
'■+H
4-'
■^H
4-' <+*
i.O c
III
1
1.0
C
10 c
>. H
M
-•'\
1— H
:\ hh
!'
CO
CO
CO
CO
by interrupts. The interrupts are generated by touching the routing
boxes at the top and bottom of the screen. Each module continues to
perform its task until one of the interrupts is recognized. Depending
on the module executing, the sequence in which it is executing, and the
interrupt, control is passed to another module. The first module does
not regain control until its interrupt is recognized. Each of the modules
is discussed below.
7.2.1. PIN Request Page (see Figure 19)
This module is responsible for retrieving a Master Directory
entry during the open patient record sequence. It obtains the PIN from
the terminal user, reads the corresponding Master Directory entry, and
checks the user's access rights. If an entry does not exist for this
user or if the user does not have access, he is informed of the situation
and allowed to either reenter the PIN or exit. If the entry does exist
and the user does have access, then he is sent to the display data page.
The user may also ask to create a patient record, in which case he is
again routed to the brief ID page, except that the mode is changed to one
of inputting data.
7.2.2. Brief ID Page Display (see Figure 20)
A subset of the patient identifying data is displayed to the
user so that he may quickly confirm the record as the record he requested.
The user may change any data element by touching the screen where the
element appears and entering the change.
U.I
CO
□
Ld
L0
D
V
en
I—
LJ
U
D
CO
i
1 1 1
(U
Ld
':-:'
i-
Q:
V
3
CD
Ld
c J
T5
•r—
u
My
£,.J
i
U-
•: r i
C3
a:
■ i—i
i r i r-.j
l'"~'l
CO
-X
L
LL.
IE L.0
O'
C£|
CO
fill
iTi
iTi
□ D
7.2.3. More ID Page Display
The remainder of the patient identifying data is displayed to
the user for verification, input, or modification. Again, he may edit
some data element by touching its position on the screen and then entering
the change.
7.2.4. Change Access Rights Module
This module allows the user to change the access rights to the
record if he has the right to do so. The user is given a list of the
groups and their current access rights and allowed to alter these. He
may also specify a new record owner. If he does so, the access template
belonging to the new owner is copied into the record's access vector.
The present user keeps his original level of access until he closes the
record.
7.2.5. Store Data Module
When completing the creation of a patient record a PIN is assigned
to the record and displayed to the user, and the Master Directory entry
is written out. Space is obtained for the Item List and the Item List is
initialized and written out. The user is then given the option of either
opening the record or going back to the record assignment page.
7.2.6. Complete Open Module
When completing the open record sequence, the module first checks
the access rights to the medical data. If access is granted, the routine
reserves control blocks. Finally, it sets the user's router variables
and goes to the option selected by the user.
8. The Item Manager Component
8.1 . Router Common
Router common is the basic communications area for the Record
Manager. Here are kept all the data structures which allow applications
lessons to access records once they have been opened. These data struc-
tures are divided into four general structures: 1) the Patient Directo-
ries (PD), 2) the User Banks (UB), 3) the Item Data Buffers (IDB), and
4) the System Status and Statistics Tables (see Figure 21).
8.1.1. The Patient Directory
One PD exists for each record which is open (see Figure 22).
It is initialized by the MDC, and contains record status information and
the Record's Block List and Item List. All of this is read from the disk
The status information includes the record's cipher key (currently not
used), pointers to the lists of free space in the record, the length of
the free space lists, and the actual number of items present (see Figure
23). The Block List serves as a translation table between the logical
block numbers stored with the other item information and the physical
block numbers required to read the data. It contains one entry for each
physical block assigned to the record; each 15-bit entry gives the
physical block number associated with the corresponding logical block.
i.O
'U
.— .
• i— ' .— .
10
, —
Jl
i- X
V-
«
n"i O .— .
x
CJ
.'I- 1
.— ..
3 — Ifl
U"J
ifi
4-' itj
'•+•■1
i.O
4-' 4-' "0
M «TS
iti
a.i
( ) HJ
•!+...(
T5 :
IT) 1.0 J_
C V
4-'
n"i
a.'
~1
c.
•+-'. "*
ii5
mi
i.
10
t_ i.O
. CQ
Ct
U.I 4-' 3
CD i.O
Cj
^
■..'
■ i— i cy
rS
iri
"y
'•*-»
i-
Q £•
--,..,.
£ 4- 1 1"
r i'
EZ
**H
t* ;i
o
r"
'S'
HJ CO a-.
'I'
a.i
~i
3
4J . 3
V
'■£'
4-' CO
ifl 3
4-'
CD
£
+>
*"H
ip ~0 "~"
_j
.1— 1
iS|
dl u\
,:■:.
'•_.••
-■ : \ !*-
00 •
csj
■ ■— i CO
Li
CO IT)
co
4-' CO
iri -•'
ol
CVJ
i.O
~i
1.0
4-'
.— ..
4-> ..->.
..— .,
Ci.fi •-.
1.0
ifi
10
io to
-P
i.O
iD l0
4 '
4-'
r "i
— T>
i.O
( ;i
i — t T'i
■ r-l
1.0
. CO
il
_J t-
■ r-»
c
L. fc.
CD
i; j
o
_J
l'"l
I, ,1
V-
1* *l
3
M 3
3 .
-C • 3
c
i;";i
c.
Q
c
(j
Q
3
1-
'Si
01
wD
ifi iEJ
ifi
1 1
' — '
— * CM
4- 1
a.
4-' •£•
4.1
Li.
i'
CD w
.HH
CM
4- 1 '•-■■'
4j
'•--■''
o.
•
• '
— .-.
"0 4-'
ad *-* t-
lO JJ
_l 1.0
v •- •
i-
• f— 1
4-'
i.6 -£i
i]j ■+., -=>
_l S!
a.i tj — .
■j
_J
T— 1
-H t- -Q
_£ IA
• ~
|Z o
| T- M
~ 3 Lfl
~ --''
ST.,
o *-'
in
Q_ *S> w
f
4-' '
^r
4-' Si 7?
4_> ^H
•
£1
Hi •'•♦-< 3
i— » •
.J iss
4- 1
_l
•r— 1
(0
10
— '
4-' • ~* .— .
-
.-— .
_i m
.3
10
,— ,
fc. 4- 1
HH 75
4-'
10
1.1 TJ - H
HH li
■ 1—*
Jl'
4-'
-P J- jD
ifi
l'"j
4-.' iS) 75
+J ,--.
C
<•-« ~i
u.O f £■
i.O ..Sj
•»h 3 u-i
r?
LA
T— 1
ijl ■:+..., T ; ;
H
• ■-< 'jO
4-' •-* .—.
+> _J
lfl
u.i) csi "$_
1.0 ..Q
1. 3 '— ■
•_l U"J
i- +■'
t- 75
4-'
' i— ■ *
£
_J Si
V T5 ■*
't' S-
ij'jl
J
•r— 1
4-J S- JJ
4-'
■_-•
C -1
— « 3 LA
1 — 1
.— .
,,_ '
'S
'■— •■
*io
Q. S '-'
DL ^
r"
4J
•
*"■
f-H
4-' Si 7J
hii »-• c
C
4_. ..•-.
10 J^
■ i— i
HI C„ 3
_l «sj '
4-'
4- 1
_J
r—t
[0 m .-.
U'J
•—•
4J - m
4-' " -l
_J
1.0
t.
j_
4-'
lfl
4-' i
■ r-4
4 J Li "•■ 7?
4.1
4 .i .,■■,
C _0 u-,
r o
O.ij f_
1.0 .ii
•»H _^£ T" i
■ , i -.;
u-.
C '•+-■<
■ , .1
o " -
▼—i
Hi o ~ ;::; -
1 &■!'
Q_ la
Q_ isi
oo
_.j
-~ ; -
CO
CM
Q
C
(_ Ji
•:■•,!
3
t -j
L_
S-
zs
8.1.3. The Item Data Buffers
The IDBs are used as I/O buffers. When a block is needed from
disk, the IDB allocation table is searched. If the block is found, no
read is necessary. Otherwise, the allocation table is searched to find
an empty IDB, and, if none is found, the one currently used by the sta-
tion making the request is used. In either case, the block is read into
storage and put in the IDB selected. Since one IDB may be assigned to
each user, there must be at least as many IDBs as there are UBs.
8.1.4. The System Status Information
The System Status Information includes IDB and PD allocation
tables, the disk allocation bitmap, a buffer used to contain items while
they are being extended, and miscellaneous information (see Figure 27).
The miscellaneous information includes the station number of the pseudo-
terminal and looks for the initialization routines. These are used to
prevent users from entering the system before initialization is complete.
The IDB and PD allocation tables are both 15-bit segmented vectors.
Entries in both tables are pointers to the disk block from which the cor-
responding buffer was filled. The bitmap contains one bit for each block
available in the database. The bit is if the block has not been assigned
and 1 if it has.
Statistics are kept to measure system performance. Current data
collected are listed in Figure 28.
U.I
1.0
— — 1
r— — ■ --'-■■—'
—
3
i 'i
____
■
£
i.O
.— .
.—
V
IN
Q
,
1.0
Q
1.0
U'i
|Z
Tji
• i-»
1.0'
"H T>
■ r-<
( j
&..
"T5
mi
J_
4-'
V
XI
4-' 'U £
4-'
r
o
LJ
y _Q 3
• 1—4
3
4- 1
3
4"
Q
irj
^?
1— 1
mi
4-'
• f-H
(J
CO
i — i
h-
i— < [— ££i
iti
'25
OJ
Sj
i.O
■— •■
. — i
f
.-H »H
4- 1
U"i
'-••J
1
-H
•
4'
CSJ
s-
4"
4-'
-o
ij
10
3
1.0
-
-h
4-'
m
l.O
■ «-H
■ r-t
V
!L-
U
'■_.'
*~
U'l
(J
£
o
cz
t-
Ifl
j-
!»-
+'
*— «
8.1.5. Length of Router Common
The length of router common may be calculated from the following
formulas:
Common length = Length of system status and statistics + Number
of UBs x (Length of UB + Length of PD + Length of IDB) + (Number of IDBs -
Number of UBs) x Length of IDB.
Length of system status and statistics = Overhead + Length of
PD allocation buffer + Length of IDB allocation table + Length of statis-
tics + Length of bitmap + Length of extend buffer.
Length of UB = UB overhead + Number of parameters.
Length of PD = PD overhead + Length of Block List + Length of
Item List + Length of Attach Tables.
Length of Block List = Floor (Number of blocks in list x Block
List Entry Length) + 1.
Length of Item List = Number of items x Length of IIW.
Length of Attach Tables = Ceil (Number of items x (Length of
Attach Flag + Length of Attach Bit )).
Current values of these constants are given in Figure 29. Note that the
following relation must hold:
# of IDBs > # of UBs.
8.2. Router Variables
Several parameters are stored in router variables. These var-
iables are available to the applications lesson and to the USC, and are
listed in Figure 30.
U'l
1.0
i.O
i.O
i.O
_L0
(0
10
U"J
U".l
yg
ll'l
i.O
ll'l
in
M'l
IJ"I
T-i
r ;*
T,
-n
T5
7 )
r "i
7*'
7}
'...•
-Tl
X5
T?
T?
T5
tji
T5
T3
T7
171
>,
^
'*-
i-
jt.
U~
U
&.
^
k
t-
t-
.-
c
i-
t-
c
*—
t'
1--
iv-
i»—
,"-,
i' '\
l' )
ij
.."}
Q
o
r'j
o
Q
o
o
Q
i~'\
C)
ITi
■o
a-.
LT.
a-'
1"
GO
iS|
Iff
CO
2
3
Si
'■£"
3
T5;
iSi
CM
CM
CO
a-.
1 H
*-<
CM
•■£>
— •
CM
- ,
r---
CM
V
ifi
H
C
■ (— I
4-'
II
i.O
II
II
1.0
Zi
4-'
iri
11
ii
ii
ii
r— *
"ifi
-I- 1
i.o
Q
1.0
V
'D
r --
~i
"13
Q
(j
4-'
4- 1
OJ
h-
1.0
«— 1
.-H
_J
1 — 1
_J
i
r
Q
OD
(J
O
Q
■ r-H
4-'
CO
Oil
i~
r~
_J
OJ
V
V
1.0
"n
■ — i
, — i
1.0
l'~>
c
t
,_
( \
i. i
r^,
^
*•>
*:_
i.O
~i
c
i — i
'I
r-H
Ijji
a)
t;";i
V
■fi
'TJ
CZ
(J
,*—
(j
r )
Q
*—
4-'
•ii
:.
Q
LJ
4-'
■ r-H
Q
OJ6
c
4 '
r,
i-.l
,J -
"i)j
J 'J
dj)
. 'Oft
•'■*;
/ o.i)
0.(1
U.l)
Oil
■Li— i
0.0
ijl)
0i)
hl'l
O.O
0/1
Oil
i:n)
w
■4h
'-♦— (
Oil
i-_
i
1
c
!*-
r >
C
i™"
*
c
|Z
'"•'
c
C
c
c
.-■
1-.
W-
C
c
o
o
£
4. '
.H
OJ
11
V
U
D
V
D
'Li
a)
D
a)
V
aj
V
V
•I)
V
V
^
;
H*
.. .
. i
J
_J
#
_J
.. 1
.... 1
. J
#
_j
_J
_j
_.l
.. i
1
1
_J
.J
#
#
_J
ai
C71
GUI
QJ
OJ
UJ
t-
•D
*r
CM
III
III
4-'
'L>
4-'
o
4-'
i "i
iti
Cj
ifj
S-
itf.
i-
i.O
iti
1- •
itj
4J
C"
Ci
• 1— 1
-P
(J)
'— •'
iO
• 1-4
CD
S3
T — I
Si
CO
CO
1— I
i-H
i— 4
iT5
CD
V
1.0
4-'
M
in
a.'
• .-•• t
f
o
CO
'-»~i
J,..
i*—
Q
•
Ii
i' i
i' i
■i 1
CD
£
M
u
V
CI
a:
3
en
C
4-'
CO
Ii
- '
"0
r~~i
4-'
■ r-4
r— 1
iTTt
4- 1
C
III
J<
£
c
ij
m
C
s<
i-H
>. -j
. ,-i
• r-i
■ i-H
t-H
Performing Organization Rept.
No.
Performing Organization Name and Address
University of Illinois at Urbana-Champaign
Department of Computer Science
Urbana, IL 61801
10. Project/Task/Work Unit No.
11. Contract /Grant No.
. Sponsoring Organization Name and Address
University of Illinois at Urbana-Champaign
Department of Computer Science
Urbana, IL 61801
13. Type of Report & Period
Covered
M.S. Thesis - 1975
14.
. Supplementary Notes
. Abstracts
Record keeping in a medical environment is discussed and a proposal is made
for the organization of data in a medical database. A data description
language is presented to facilitate the organization, and processes for data
manipulation are described. Specifications for the data management system
in use by the MIS are included.
. Key Words and Document Analysis. 17a. Descriptors
b. Identifiers/Open-Ended Terms
c. COSAT1 Fie Id /Group
• Availability Statement
19. Security Class (This
Report)
UNCLASSIFIED
21. No. of Pages
20. Security Class (This
Page
UNCLASSIFIED
22. Price
IR M NTIS-35 ( 10-70)
USCOMM-DC 40329-P7 1
<-:riQ m
■«
?
.?
%